From 7e2d48f695acbda56cab3224353f8d9334f26d48 Mon Sep 17 00:00:00 2001 
From: drumleytx <216058183+drumleytx@users.noreply.github.com> Date: Wed, 4 Mar 2026 11:23:26 -0600 Subject: [PATCH 1/9] Archive all v1 files to Archive/ directory for Version 2 --- {AppIT => Archive/AppIT}/AppIT_Process.adoc | 0 {AppIT => Archive/AppIT}/images/AppIT1.jpeg | Bin LICENSE => Archive/LICENSE | 0 .../.asciidoctor/diagram/FCO_CPC_EXT.png.cache | 0 .../Modules}/Agent/SD-MOD-Agent.adoc | 0 .../Modules}/Agent/appSW_PP_Config_ServerAgent.adoc | 0 .../Modules}/Agent/cPP_MOD-Agent.adoc | 0 .../Modules}/Agent/images/FCO_CPC_EXT.png | Bin .../Agent/images/fpt_aex_ext_componentlevel.jpg | Bin {Modules => Archive/Modules}/Agent/images/tbd.jpg | Bin .../.asciidoctor/diagram/FCO_CPC_EXT.png.cache | 0 .../.asciidoctor/diagram/FMT_MEC_EXT.png.cache | 0 .../.asciidoctor/diagram/FPT_AEX_EXT.png.cache | 0 .../Modules}/Server/SD-MOD-Server.adoc | 0 .../Modules}/Server/appSW_PP_Config_Server.adoc | 0 .../Modules}/Server/cPP_MOD-Server.adoc | 0 .../Modules}/Server/images/FCO_CPC_EXT.png | Bin .../Modules}/Server/images/FMT_MEC_EXT.png | Bin .../Modules}/Server/images/FPT_AEX_EXT.png | Bin .../Server/images/fpt_aex_ext_componentlevel.jpg | Bin {Modules => Archive/Modules}/Server/images/tbd.jpg | Bin README.adoc => Archive/README.adoc | 0 .../cPP}/.asciidoctor/diagram/FCS_CKM_EXT.png.cache | 0 .../.asciidoctor/diagram/FCS_HTTPS_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FCS_RBG_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FCS_STO_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FDP_NET_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FIA_EIP_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FIA_UAU_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FIA_UIA_EXT.png.cache | 0 .../.asciidoctor/diagram/FIA_X509_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FMT_CFG_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FPT_AEX_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FPT_TUD_EXT.png.cache | 0 .../cPP}/.asciidoctor/diagram/FTP_DIT_EXT.png.cache | 0 .../cPP}/AppSW cPP 
allowed-with list.docx | Bin {cPP => Archive/cPP}/SD_APP_SW.adoc | 0 {cPP => Archive/cPP}/cPP_APP_SW.adoc | 0 {cPP => Archive/cPP}/images/FCS_CKM_EXT.png | Bin {cPP => Archive/cPP}/images/FCS_HTTPS_EXT.png | Bin {cPP => Archive/cPP}/images/FCS_RBG_EXT.png | Bin {cPP => Archive/cPP}/images/FCS_STO_EXT.png | Bin {cPP => Archive/cPP}/images/FDP_NET_EXT.png | Bin {cPP => Archive/cPP}/images/FIA_EIP_EXT.png | Bin {cPP => Archive/cPP}/images/FIA_UAU_EXT.png | Bin {cPP => Archive/cPP}/images/FIA_UIA_EXT.png | Bin {cPP => Archive/cPP}/images/FIA_X509_EXT.png | Bin {cPP => Archive/cPP}/images/FMT_CFG_EXT.png | Bin {cPP => Archive/cPP}/images/FPT_AEX_EXT.png | Bin {cPP => Archive/cPP}/images/FPT_TUD_EXT.png | Bin {cPP => Archive/cPP}/images/FTP_DIT_EXT.png | Bin {cPP => Archive/cPP}/images/ccLogo.png | Bin {cPP => Archive/cPP}/images/toe.png | Bin {cPP => Archive/cPP}/images/toeruntime.png | Bin .../cPP}/v2/.github/workflows/quick_build.yml | 0 .../cPP}/v2/.github/workflows/quick_build_pdf.yml | 0 .../cPP}/v2/.github/workflows/validate.yml | 0 {cPP => Archive/cPP}/v2/.gitignore | 0 {cPP => Archive/cPP}/v2/.gitmodules | 0 {cPP => Archive/cPP}/v2/Dictionary.txt | 0 {cPP => Archive/cPP}/v2/LICENSE | 0 {cPP => Archive/cPP}/v2/Makefile | 0 {cPP => Archive/cPP}/v2/README.md | 0 {cPP => Archive/cPP}/v2/Readme.adoc | 0 {cPP => Archive/cPP}/v2/input/.gitignore | 0 {cPP => Archive/cPP}/v2/input/application.xml | 0 {cPP => Archive/cPP}/v2/input/cc.xml | 0 {cPP => Archive/cPP}/v2/input/esr.xml | 0 {cPP => Archive/cPP}/v2/input/tds/README.md | 0 .../cPP}/v2/output/images/appdiagram.png | Bin {cPP => Archive/cPP}/v2/output/images/cclogo.png | Bin {cPP => Archive/cPP}/v2/output/images/collapsed.png | Bin {cPP => Archive/cPP}/v2/output/images/expanded.png | Bin {cPP => Archive/cPP}/v2/output/images/niaplogo.png | Bin .../cPP}/v2/output/images/niaplogodraft.png | Bin {cPP => Archive/cPP}/v2/output/images/toe.png | Bin .../cPP}/v2/output/images/toeruntime.png | Bin {cPP => 
Archive/cPP}/v2/transforms/.gitignore | 0 {cPP => Archive/cPP}/v2/transforms/ConfigAnnex.make | 0 {cPP => Archive/cPP}/v2/transforms/Helper.make | 0 {cPP => Archive/cPP}/v2/transforms/LICENSE | 0 {cPP => Archive/cPP}/v2/transforms/Makefile | 0 {cPP => Archive/cPP}/v2/transforms/README.md | 0 {cPP => Archive/cPP}/v2/transforms/cPP.make | 0 .../v2/transforms/dictionaries/CommonCriteria.txt | 0 .../cPP}/v2/transforms/dictionaries/Computer.txt | 0 .../cPP}/v2/transforms/dictionaries/Crypto.txt | 0 .../cPP}/v2/transforms/module/Module.make | 0 .../cPP}/v2/transforms/package/Package.make | 0 .../cPP}/v2/transforms/py/anchorize-periods.py | 0 .../cPP}/v2/transforms/py/bp-documentor.py | 0 .../cPP}/v2/transforms/py/cc_apply_tds.py | 0 .../cPP}/v2/transforms/py/get_spell_allowlist.py | 0 .../cPP}/v2/transforms/py/post-process.py | 0 .../cPP}/v2/transforms/py/retrieve-included-docs.py | 0 {cPP => Archive/cPP}/v2/transforms/py/show_xpath.py | 0 .../cPP}/v2/transforms/schemas/CCModule.rng | 0 .../cPP}/v2/transforms/schemas/CCPackage.rng | 0 .../v2/transforms/schemas/CCProtectionProfile.rng | 0 .../cPP}/v2/transforms/schemas/Commons.rng | 0 .../cPP}/v2/transforms/schemas/ConfigAnnex.rng | 0 .../v2/transforms/schemas/LaxProtectionProfile.rng | 0 {cPP => Archive/cPP}/v2/transforms/schemas/Makefile | 0 .../cPP}/v2/transforms/schemas/SecurityTarget.rng | 0 .../cPP}/v2/transforms/schemas/Selection.rng | 0 .../cPP}/v2/transforms/schemas/StrictCommons.rng | 0 .../v2/transforms/schemas/TechnicalDecisions.rng | 0 .../schemas/rng-to-html/bin/rng-resolve-includes.py | 0 .../transforms/schemas/rng-to-html/bin/rng-to-html | 0 .../schemas/rng-to-html/lib/RngToHtml.xsl | 0 {cPP => Archive/cPP}/v2/transforms/xsl/SFRs.xml | 0 .../xsl/add-element-index-as-comments.xsl | 0 {cPP => Archive/cPP}/v2/transforms/xsl/audit.xsl | 0 .../cPP}/v2/transforms/xsl/boilerplates.xml | 0 .../cPP}/v2/transforms/xsl/boilerplates.xsl | 0 .../cPP}/v2/transforms/xsl/comma-splitter.xsl | 0 
.../cPP}/v2/transforms/xsl/configannex2html.xsl | 0 .../cPP}/v2/transforms/xsl/css-content.xsl | 0 {cPP => Archive/cPP}/v2/transforms/xsl/debug.xsl | 0 {cPP => Archive/cPP}/v2/transforms/xsl/esr2html.xsl | 0 .../cPP}/v2/transforms/xsl/ext-comp-defs.xsl | 0 .../cPP}/v2/transforms/xsl/functions.xsl | 0 .../cPP}/v2/transforms/xsl/js-content.xsl | 0 {cPP => Archive/cPP}/v2/transforms/xsl/make-ref.xsl | 0 .../cPP}/v2/transforms/xsl/module-commons.xsl | 0 .../cPP}/v2/transforms/xsl/module2html.xsl | 0 .../cPP}/v2/transforms/xsl/module2sd.xsl | 0 {cPP => Archive/cPP}/v2/transforms/xsl/pp2html.xsl | 0 .../cPP}/v2/transforms/xsl/pp2simplified.xsl | 0 {cPP => Archive/cPP}/v2/transforms/xsl/pp2table.xsl | 0 .../cPP}/v2/transforms/xsl/ppcommons.xsl | 0 .../cPP}/v2/transforms/xsl/sanity_checks.xsl | 0 {cPP => Archive/cPP}/v2/transforms/xsl/use-case.xsl | 0 133 files changed, 0 insertions(+), 0 deletions(-) rename {AppIT => Archive/AppIT}/AppIT_Process.adoc (100%) rename {AppIT => Archive/AppIT}/images/AppIT1.jpeg (100%) rename LICENSE => Archive/LICENSE (100%) rename {Modules => Archive/Modules}/Agent/.asciidoctor/diagram/FCO_CPC_EXT.png.cache (100%) rename {Modules => Archive/Modules}/Agent/SD-MOD-Agent.adoc (100%) rename {Modules => Archive/Modules}/Agent/appSW_PP_Config_ServerAgent.adoc (100%) rename {Modules => Archive/Modules}/Agent/cPP_MOD-Agent.adoc (100%) rename {Modules => Archive/Modules}/Agent/images/FCO_CPC_EXT.png (100%) rename {Modules => Archive/Modules}/Agent/images/fpt_aex_ext_componentlevel.jpg (100%) rename {Modules => Archive/Modules}/Agent/images/tbd.jpg (100%) rename {Modules => Archive/Modules}/Server/.asciidoctor/diagram/FCO_CPC_EXT.png.cache (100%) rename {Modules => Archive/Modules}/Server/.asciidoctor/diagram/FMT_MEC_EXT.png.cache (100%) rename {Modules => Archive/Modules}/Server/.asciidoctor/diagram/FPT_AEX_EXT.png.cache (100%) rename {Modules => Archive/Modules}/Server/SD-MOD-Server.adoc (100%) rename {Modules => 
Archive/Modules}/Server/appSW_PP_Config_Server.adoc (100%) rename {Modules => Archive/Modules}/Server/cPP_MOD-Server.adoc (100%) rename {Modules => Archive/Modules}/Server/images/FCO_CPC_EXT.png (100%) rename {Modules => Archive/Modules}/Server/images/FMT_MEC_EXT.png (100%) rename {Modules => Archive/Modules}/Server/images/FPT_AEX_EXT.png (100%) rename {Modules => Archive/Modules}/Server/images/fpt_aex_ext_componentlevel.jpg (100%) rename {Modules => Archive/Modules}/Server/images/tbd.jpg (100%) rename README.adoc => Archive/README.adoc (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FCS_CKM_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FCS_HTTPS_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FCS_RBG_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FCS_STO_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FDP_NET_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FIA_EIP_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FIA_UAU_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FIA_UIA_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FIA_X509_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FMT_CFG_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FPT_AEX_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FPT_TUD_EXT.png.cache (100%) rename {cPP => Archive/cPP}/.asciidoctor/diagram/FTP_DIT_EXT.png.cache (100%) rename {cPP => Archive/cPP}/AppSW cPP allowed-with list.docx (100%) rename {cPP => Archive/cPP}/SD_APP_SW.adoc (100%) rename {cPP => Archive/cPP}/cPP_APP_SW.adoc (100%) rename {cPP => Archive/cPP}/images/FCS_CKM_EXT.png (100%) rename {cPP => Archive/cPP}/images/FCS_HTTPS_EXT.png (100%) rename {cPP => Archive/cPP}/images/FCS_RBG_EXT.png (100%) rename {cPP => Archive/cPP}/images/FCS_STO_EXT.png (100%) rename {cPP => 
Archive/cPP}/images/FDP_NET_EXT.png (100%) rename {cPP => Archive/cPP}/images/FIA_EIP_EXT.png (100%) rename {cPP => Archive/cPP}/images/FIA_UAU_EXT.png (100%) rename {cPP => Archive/cPP}/images/FIA_UIA_EXT.png (100%) rename {cPP => Archive/cPP}/images/FIA_X509_EXT.png (100%) rename {cPP => Archive/cPP}/images/FMT_CFG_EXT.png (100%) rename {cPP => Archive/cPP}/images/FPT_AEX_EXT.png (100%) rename {cPP => Archive/cPP}/images/FPT_TUD_EXT.png (100%) rename {cPP => Archive/cPP}/images/FTP_DIT_EXT.png (100%) rename {cPP => Archive/cPP}/images/ccLogo.png (100%) rename {cPP => Archive/cPP}/images/toe.png (100%) rename {cPP => Archive/cPP}/images/toeruntime.png (100%) rename {cPP => Archive/cPP}/v2/.github/workflows/quick_build.yml (100%) rename {cPP => Archive/cPP}/v2/.github/workflows/quick_build_pdf.yml (100%) rename {cPP => Archive/cPP}/v2/.github/workflows/validate.yml (100%) rename {cPP => Archive/cPP}/v2/.gitignore (100%) rename {cPP => Archive/cPP}/v2/.gitmodules (100%) rename {cPP => Archive/cPP}/v2/Dictionary.txt (100%) rename {cPP => Archive/cPP}/v2/LICENSE (100%) rename {cPP => Archive/cPP}/v2/Makefile (100%) rename {cPP => Archive/cPP}/v2/README.md (100%) rename {cPP => Archive/cPP}/v2/Readme.adoc (100%) rename {cPP => Archive/cPP}/v2/input/.gitignore (100%) rename {cPP => Archive/cPP}/v2/input/application.xml (100%) rename {cPP => Archive/cPP}/v2/input/cc.xml (100%) rename {cPP => Archive/cPP}/v2/input/esr.xml (100%) rename {cPP => Archive/cPP}/v2/input/tds/README.md (100%) rename {cPP => Archive/cPP}/v2/output/images/appdiagram.png (100%) rename {cPP => Archive/cPP}/v2/output/images/cclogo.png (100%) rename {cPP => Archive/cPP}/v2/output/images/collapsed.png (100%) rename {cPP => Archive/cPP}/v2/output/images/expanded.png (100%) rename {cPP => Archive/cPP}/v2/output/images/niaplogo.png (100%) rename {cPP => Archive/cPP}/v2/output/images/niaplogodraft.png (100%) rename {cPP => Archive/cPP}/v2/output/images/toe.png (100%) rename {cPP => 
Archive/cPP}/v2/output/images/toeruntime.png (100%) rename {cPP => Archive/cPP}/v2/transforms/.gitignore (100%) rename {cPP => Archive/cPP}/v2/transforms/ConfigAnnex.make (100%) rename {cPP => Archive/cPP}/v2/transforms/Helper.make (100%) rename {cPP => Archive/cPP}/v2/transforms/LICENSE (100%) rename {cPP => Archive/cPP}/v2/transforms/Makefile (100%) rename {cPP => Archive/cPP}/v2/transforms/README.md (100%) rename {cPP => Archive/cPP}/v2/transforms/cPP.make (100%) rename {cPP => Archive/cPP}/v2/transforms/dictionaries/CommonCriteria.txt (100%) rename {cPP => Archive/cPP}/v2/transforms/dictionaries/Computer.txt (100%) rename {cPP => Archive/cPP}/v2/transforms/dictionaries/Crypto.txt (100%) rename {cPP => Archive/cPP}/v2/transforms/module/Module.make (100%) rename {cPP => Archive/cPP}/v2/transforms/package/Package.make (100%) rename {cPP => Archive/cPP}/v2/transforms/py/anchorize-periods.py (100%) rename {cPP => Archive/cPP}/v2/transforms/py/bp-documentor.py (100%) rename {cPP => Archive/cPP}/v2/transforms/py/cc_apply_tds.py (100%) rename {cPP => Archive/cPP}/v2/transforms/py/get_spell_allowlist.py (100%) rename {cPP => Archive/cPP}/v2/transforms/py/post-process.py (100%) rename {cPP => Archive/cPP}/v2/transforms/py/retrieve-included-docs.py (100%) rename {cPP => Archive/cPP}/v2/transforms/py/show_xpath.py (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/CCModule.rng (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/CCPackage.rng (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/CCProtectionProfile.rng (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/Commons.rng (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/ConfigAnnex.rng (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/LaxProtectionProfile.rng (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/Makefile (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/SecurityTarget.rng (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/Selection.rng (100%) 
rename {cPP => Archive/cPP}/v2/transforms/schemas/StrictCommons.rng (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/TechnicalDecisions.rng (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/rng-to-html/bin/rng-resolve-includes.py (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/rng-to-html/bin/rng-to-html (100%) rename {cPP => Archive/cPP}/v2/transforms/schemas/rng-to-html/lib/RngToHtml.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/SFRs.xml (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/add-element-index-as-comments.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/audit.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/boilerplates.xml (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/boilerplates.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/comma-splitter.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/configannex2html.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/css-content.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/debug.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/esr2html.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/ext-comp-defs.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/functions.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/js-content.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/make-ref.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/module-commons.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/module2html.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/module2sd.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/pp2html.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/pp2simplified.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/pp2table.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/ppcommons.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/sanity_checks.xsl (100%) rename {cPP => Archive/cPP}/v2/transforms/xsl/use-case.xsl 
(100%)
diff --git a/AppIT/AppIT_Process.adoc b/Archive/AppIT/AppIT_Process.adoc
similarity index 100%
rename from AppIT/AppIT_Process.adoc
rename to Archive/AppIT/AppIT_Process.adoc
diff --git a/AppIT/images/AppIT1.jpeg b/Archive/AppIT/images/AppIT1.jpeg
similarity index 100%
rename from AppIT/images/AppIT1.jpeg
rename to Archive/AppIT/images/AppIT1.jpeg
diff --git a/LICENSE b/Archive/LICENSE
similarity index 100%
rename from LICENSE
rename to Archive/LICENSE
diff --git a/Modules/Agent/.asciidoctor/diagram/FCO_CPC_EXT.png.cache b/Archive/Modules/Agent/.asciidoctor/diagram/FCO_CPC_EXT.png.cache
similarity index 100%
rename from Modules/Agent/.asciidoctor/diagram/FCO_CPC_EXT.png.cache
rename to Archive/Modules/Agent/.asciidoctor/diagram/FCO_CPC_EXT.png.cache
diff --git a/Modules/Agent/SD-MOD-Agent.adoc b/Archive/Modules/Agent/SD-MOD-Agent.adoc
similarity index 100%
rename from Modules/Agent/SD-MOD-Agent.adoc
rename to Archive/Modules/Agent/SD-MOD-Agent.adoc
diff --git a/Modules/Agent/appSW_PP_Config_ServerAgent.adoc b/Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc
similarity index 100%
rename from Modules/Agent/appSW_PP_Config_ServerAgent.adoc
rename to Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc
diff --git a/Modules/Agent/cPP_MOD-Agent.adoc b/Archive/Modules/Agent/cPP_MOD-Agent.adoc
similarity index 100%
rename from Modules/Agent/cPP_MOD-Agent.adoc
rename to Archive/Modules/Agent/cPP_MOD-Agent.adoc
diff --git a/Modules/Agent/images/FCO_CPC_EXT.png b/Archive/Modules/Agent/images/FCO_CPC_EXT.png
similarity index 100%
rename from Modules/Agent/images/FCO_CPC_EXT.png
rename to Archive/Modules/Agent/images/FCO_CPC_EXT.png
diff --git a/Modules/Agent/images/fpt_aex_ext_componentlevel.jpg b/Archive/Modules/Agent/images/fpt_aex_ext_componentlevel.jpg
similarity index 100%
rename from Modules/Agent/images/fpt_aex_ext_componentlevel.jpg
rename to Archive/Modules/Agent/images/fpt_aex_ext_componentlevel.jpg
diff --git a/Modules/Agent/images/tbd.jpg b/Archive/Modules/Agent/images/tbd.jpg
similarity index 100%
rename from Modules/Agent/images/tbd.jpg
rename to Archive/Modules/Agent/images/tbd.jpg
diff --git a/Modules/Server/.asciidoctor/diagram/FCO_CPC_EXT.png.cache b/Archive/Modules/Server/.asciidoctor/diagram/FCO_CPC_EXT.png.cache
similarity index 100%
rename from Modules/Server/.asciidoctor/diagram/FCO_CPC_EXT.png.cache
rename to Archive/Modules/Server/.asciidoctor/diagram/FCO_CPC_EXT.png.cache
diff --git a/Modules/Server/.asciidoctor/diagram/FMT_MEC_EXT.png.cache b/Archive/Modules/Server/.asciidoctor/diagram/FMT_MEC_EXT.png.cache
similarity index 100%
rename from Modules/Server/.asciidoctor/diagram/FMT_MEC_EXT.png.cache
rename to Archive/Modules/Server/.asciidoctor/diagram/FMT_MEC_EXT.png.cache
diff --git a/Modules/Server/.asciidoctor/diagram/FPT_AEX_EXT.png.cache b/Archive/Modules/Server/.asciidoctor/diagram/FPT_AEX_EXT.png.cache
similarity index 100%
rename from Modules/Server/.asciidoctor/diagram/FPT_AEX_EXT.png.cache
rename to Archive/Modules/Server/.asciidoctor/diagram/FPT_AEX_EXT.png.cache
diff --git a/Modules/Server/SD-MOD-Server.adoc b/Archive/Modules/Server/SD-MOD-Server.adoc
similarity index 100%
rename from Modules/Server/SD-MOD-Server.adoc
rename to Archive/Modules/Server/SD-MOD-Server.adoc
diff --git a/Modules/Server/appSW_PP_Config_Server.adoc b/Archive/Modules/Server/appSW_PP_Config_Server.adoc
similarity index 100%
rename from Modules/Server/appSW_PP_Config_Server.adoc
rename to Archive/Modules/Server/appSW_PP_Config_Server.adoc
diff --git a/Modules/Server/cPP_MOD-Server.adoc b/Archive/Modules/Server/cPP_MOD-Server.adoc
similarity index 100%
rename from Modules/Server/cPP_MOD-Server.adoc
rename to Archive/Modules/Server/cPP_MOD-Server.adoc
diff --git a/Modules/Server/images/FCO_CPC_EXT.png b/Archive/Modules/Server/images/FCO_CPC_EXT.png
similarity index 100%
rename from Modules/Server/images/FCO_CPC_EXT.png
rename to Archive/Modules/Server/images/FCO_CPC_EXT.png
diff --git a/Modules/Server/images/FMT_MEC_EXT.png b/Archive/Modules/Server/images/FMT_MEC_EXT.png
similarity index 100%
rename from Modules/Server/images/FMT_MEC_EXT.png
rename to Archive/Modules/Server/images/FMT_MEC_EXT.png
diff --git a/Modules/Server/images/FPT_AEX_EXT.png b/Archive/Modules/Server/images/FPT_AEX_EXT.png
similarity index 100%
rename from Modules/Server/images/FPT_AEX_EXT.png
rename to Archive/Modules/Server/images/FPT_AEX_EXT.png
diff --git a/Modules/Server/images/fpt_aex_ext_componentlevel.jpg b/Archive/Modules/Server/images/fpt_aex_ext_componentlevel.jpg
similarity index 100%
rename from Modules/Server/images/fpt_aex_ext_componentlevel.jpg
rename to Archive/Modules/Server/images/fpt_aex_ext_componentlevel.jpg
diff --git a/Modules/Server/images/tbd.jpg b/Archive/Modules/Server/images/tbd.jpg
similarity index 100%
rename from Modules/Server/images/tbd.jpg
rename to Archive/Modules/Server/images/tbd.jpg
diff --git a/README.adoc b/Archive/README.adoc
similarity index 100%
rename from README.adoc
rename to Archive/README.adoc
diff --git a/cPP/.asciidoctor/diagram/FCS_CKM_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FCS_CKM_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FCS_CKM_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FCS_CKM_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FCS_HTTPS_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FCS_HTTPS_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FCS_HTTPS_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FCS_HTTPS_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FCS_RBG_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FCS_RBG_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FCS_RBG_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FCS_RBG_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FCS_STO_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FCS_STO_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FCS_STO_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FCS_STO_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FDP_NET_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FDP_NET_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FDP_NET_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FDP_NET_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FIA_EIP_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FIA_EIP_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FIA_EIP_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FIA_EIP_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FIA_UAU_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FIA_UAU_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FIA_UAU_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FIA_UAU_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FIA_UIA_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FIA_UIA_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FIA_UIA_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FIA_UIA_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FIA_X509_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FIA_X509_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FIA_X509_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FIA_X509_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FMT_CFG_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FMT_CFG_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FMT_CFG_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FMT_CFG_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FPT_AEX_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FPT_AEX_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FPT_AEX_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FPT_AEX_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FPT_TUD_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FPT_TUD_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FPT_TUD_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FPT_TUD_EXT.png.cache
diff --git a/cPP/.asciidoctor/diagram/FTP_DIT_EXT.png.cache b/Archive/cPP/.asciidoctor/diagram/FTP_DIT_EXT.png.cache
similarity index 100%
rename from cPP/.asciidoctor/diagram/FTP_DIT_EXT.png.cache
rename to Archive/cPP/.asciidoctor/diagram/FTP_DIT_EXT.png.cache
diff --git a/cPP/AppSW cPP allowed-with list.docx b/Archive/cPP/AppSW cPP allowed-with list.docx
similarity index 100%
rename from cPP/AppSW cPP allowed-with list.docx
rename to Archive/cPP/AppSW cPP allowed-with list.docx
diff --git a/cPP/SD_APP_SW.adoc b/Archive/cPP/SD_APP_SW.adoc
similarity index 100%
rename from cPP/SD_APP_SW.adoc
rename to Archive/cPP/SD_APP_SW.adoc
diff --git a/cPP/cPP_APP_SW.adoc b/Archive/cPP/cPP_APP_SW.adoc
similarity index 100%
rename from cPP/cPP_APP_SW.adoc
rename to Archive/cPP/cPP_APP_SW.adoc
diff --git a/cPP/images/FCS_CKM_EXT.png b/Archive/cPP/images/FCS_CKM_EXT.png
similarity index 100%
rename from cPP/images/FCS_CKM_EXT.png
rename to Archive/cPP/images/FCS_CKM_EXT.png
diff --git a/cPP/images/FCS_HTTPS_EXT.png b/Archive/cPP/images/FCS_HTTPS_EXT.png
similarity index 100%
rename from cPP/images/FCS_HTTPS_EXT.png
rename to Archive/cPP/images/FCS_HTTPS_EXT.png
diff --git a/cPP/images/FCS_RBG_EXT.png b/Archive/cPP/images/FCS_RBG_EXT.png
similarity index 100%
rename from cPP/images/FCS_RBG_EXT.png
rename to Archive/cPP/images/FCS_RBG_EXT.png
diff --git a/cPP/images/FCS_STO_EXT.png b/Archive/cPP/images/FCS_STO_EXT.png
similarity index 100%
rename from cPP/images/FCS_STO_EXT.png
rename to Archive/cPP/images/FCS_STO_EXT.png
diff --git a/cPP/images/FDP_NET_EXT.png b/Archive/cPP/images/FDP_NET_EXT.png
similarity index 100%
rename from cPP/images/FDP_NET_EXT.png
rename to Archive/cPP/images/FDP_NET_EXT.png
diff --git a/cPP/images/FIA_EIP_EXT.png b/Archive/cPP/images/FIA_EIP_EXT.png
similarity index 100%
rename from cPP/images/FIA_EIP_EXT.png
rename to Archive/cPP/images/FIA_EIP_EXT.png
diff --git a/cPP/images/FIA_UAU_EXT.png b/Archive/cPP/images/FIA_UAU_EXT.png
similarity index 100%
rename from cPP/images/FIA_UAU_EXT.png
rename to Archive/cPP/images/FIA_UAU_EXT.png
diff --git a/cPP/images/FIA_UIA_EXT.png b/Archive/cPP/images/FIA_UIA_EXT.png
similarity index 100%
rename from cPP/images/FIA_UIA_EXT.png
rename to Archive/cPP/images/FIA_UIA_EXT.png
diff --git a/cPP/images/FIA_X509_EXT.png b/Archive/cPP/images/FIA_X509_EXT.png
similarity index 100%
rename from cPP/images/FIA_X509_EXT.png
rename to Archive/cPP/images/FIA_X509_EXT.png
diff --git a/cPP/images/FMT_CFG_EXT.png b/Archive/cPP/images/FMT_CFG_EXT.png
similarity index 100%
rename from cPP/images/FMT_CFG_EXT.png
rename to Archive/cPP/images/FMT_CFG_EXT.png
diff --git a/cPP/images/FPT_AEX_EXT.png b/Archive/cPP/images/FPT_AEX_EXT.png
similarity index 100%
rename from cPP/images/FPT_AEX_EXT.png
rename to Archive/cPP/images/FPT_AEX_EXT.png
diff --git a/cPP/images/FPT_TUD_EXT.png b/Archive/cPP/images/FPT_TUD_EXT.png
similarity index 100%
rename from cPP/images/FPT_TUD_EXT.png
rename to Archive/cPP/images/FPT_TUD_EXT.png
diff --git a/cPP/images/FTP_DIT_EXT.png b/Archive/cPP/images/FTP_DIT_EXT.png
similarity index 100%
rename from cPP/images/FTP_DIT_EXT.png
rename to Archive/cPP/images/FTP_DIT_EXT.png
diff --git a/cPP/images/ccLogo.png b/Archive/cPP/images/ccLogo.png
similarity index 100%
rename from cPP/images/ccLogo.png
rename to Archive/cPP/images/ccLogo.png
diff --git a/cPP/images/toe.png b/Archive/cPP/images/toe.png
similarity index 100%
rename from cPP/images/toe.png
rename to Archive/cPP/images/toe.png
diff --git a/cPP/images/toeruntime.png b/Archive/cPP/images/toeruntime.png
similarity index 100%
rename from cPP/images/toeruntime.png
rename to Archive/cPP/images/toeruntime.png
diff --git a/cPP/v2/.github/workflows/quick_build.yml b/Archive/cPP/v2/.github/workflows/quick_build.yml
similarity index 100%
rename from cPP/v2/.github/workflows/quick_build.yml
rename to Archive/cPP/v2/.github/workflows/quick_build.yml
diff --git a/cPP/v2/.github/workflows/quick_build_pdf.yml b/Archive/cPP/v2/.github/workflows/quick_build_pdf.yml
similarity index 100%
rename from cPP/v2/.github/workflows/quick_build_pdf.yml
rename to Archive/cPP/v2/.github/workflows/quick_build_pdf.yml
diff --git a/cPP/v2/.github/workflows/validate.yml b/Archive/cPP/v2/.github/workflows/validate.yml
similarity index 100%
rename from cPP/v2/.github/workflows/validate.yml
rename to Archive/cPP/v2/.github/workflows/validate.yml
diff --git a/cPP/v2/.gitignore b/Archive/cPP/v2/.gitignore
similarity index 100%
rename from cPP/v2/.gitignore
rename to Archive/cPP/v2/.gitignore
diff --git a/cPP/v2/.gitmodules b/Archive/cPP/v2/.gitmodules
similarity index 100%
rename from cPP/v2/.gitmodules
rename to Archive/cPP/v2/.gitmodules
diff --git a/cPP/v2/Dictionary.txt b/Archive/cPP/v2/Dictionary.txt
similarity index 100%
rename from cPP/v2/Dictionary.txt
rename to Archive/cPP/v2/Dictionary.txt
diff --git a/cPP/v2/LICENSE b/Archive/cPP/v2/LICENSE
similarity index 100%
rename from cPP/v2/LICENSE
rename to Archive/cPP/v2/LICENSE
diff --git a/cPP/v2/Makefile b/Archive/cPP/v2/Makefile
similarity index 100%
rename from cPP/v2/Makefile
rename to Archive/cPP/v2/Makefile
diff --git a/cPP/v2/README.md b/Archive/cPP/v2/README.md
similarity index 100%
rename from cPP/v2/README.md
rename to Archive/cPP/v2/README.md
diff --git a/cPP/v2/Readme.adoc b/Archive/cPP/v2/Readme.adoc
similarity index 100%
rename from cPP/v2/Readme.adoc
rename to Archive/cPP/v2/Readme.adoc
diff --git a/cPP/v2/input/.gitignore b/Archive/cPP/v2/input/.gitignore
similarity index 100%
rename from cPP/v2/input/.gitignore
rename to Archive/cPP/v2/input/.gitignore
diff --git a/cPP/v2/input/application.xml b/Archive/cPP/v2/input/application.xml
similarity index 100%
rename from cPP/v2/input/application.xml
rename to Archive/cPP/v2/input/application.xml
diff --git a/cPP/v2/input/cc.xml b/Archive/cPP/v2/input/cc.xml
similarity index 100%
rename from cPP/v2/input/cc.xml
rename to Archive/cPP/v2/input/cc.xml
diff --git a/cPP/v2/input/esr.xml b/Archive/cPP/v2/input/esr.xml
similarity index 100%
rename from cPP/v2/input/esr.xml
rename to Archive/cPP/v2/input/esr.xml
diff --git a/cPP/v2/input/tds/README.md b/Archive/cPP/v2/input/tds/README.md
similarity index 100%
rename from cPP/v2/input/tds/README.md
rename to Archive/cPP/v2/input/tds/README.md
diff --git a/cPP/v2/output/images/appdiagram.png b/Archive/cPP/v2/output/images/appdiagram.png
similarity index 100%
rename from cPP/v2/output/images/appdiagram.png
rename to Archive/cPP/v2/output/images/appdiagram.png
diff --git a/cPP/v2/output/images/cclogo.png b/Archive/cPP/v2/output/images/cclogo.png
similarity index 100%
rename from cPP/v2/output/images/cclogo.png
rename to Archive/cPP/v2/output/images/cclogo.png
diff --git a/cPP/v2/output/images/collapsed.png b/Archive/cPP/v2/output/images/collapsed.png
similarity index 100%
rename from cPP/v2/output/images/collapsed.png
rename to Archive/cPP/v2/output/images/collapsed.png
diff --git a/cPP/v2/output/images/expanded.png b/Archive/cPP/v2/output/images/expanded.png
similarity index 100%
rename from cPP/v2/output/images/expanded.png
rename to Archive/cPP/v2/output/images/expanded.png
diff --git a/cPP/v2/output/images/niaplogo.png b/Archive/cPP/v2/output/images/niaplogo.png
similarity index 100%
rename from cPP/v2/output/images/niaplogo.png
rename to Archive/cPP/v2/output/images/niaplogo.png
diff --git a/cPP/v2/output/images/niaplogodraft.png b/Archive/cPP/v2/output/images/niaplogodraft.png
similarity index 100%
rename from cPP/v2/output/images/niaplogodraft.png
rename to Archive/cPP/v2/output/images/niaplogodraft.png
diff --git a/cPP/v2/output/images/toe.png b/Archive/cPP/v2/output/images/toe.png
similarity index 100%
rename from cPP/v2/output/images/toe.png
rename to Archive/cPP/v2/output/images/toe.png
diff --git a/cPP/v2/output/images/toeruntime.png b/Archive/cPP/v2/output/images/toeruntime.png
similarity index 100%
rename from cPP/v2/output/images/toeruntime.png
rename to Archive/cPP/v2/output/images/toeruntime.png
diff --git a/cPP/v2/transforms/.gitignore b/Archive/cPP/v2/transforms/.gitignore
similarity index 100%
rename from cPP/v2/transforms/.gitignore
rename to Archive/cPP/v2/transforms/.gitignore
diff --git a/cPP/v2/transforms/ConfigAnnex.make b/Archive/cPP/v2/transforms/ConfigAnnex.make
similarity index 100%
rename from cPP/v2/transforms/ConfigAnnex.make
rename to Archive/cPP/v2/transforms/ConfigAnnex.make
diff --git a/cPP/v2/transforms/Helper.make b/Archive/cPP/v2/transforms/Helper.make
similarity index 100%
rename from cPP/v2/transforms/Helper.make
rename to Archive/cPP/v2/transforms/Helper.make
diff --git a/cPP/v2/transforms/LICENSE b/Archive/cPP/v2/transforms/LICENSE
similarity index 100%
rename from cPP/v2/transforms/LICENSE
rename to Archive/cPP/v2/transforms/LICENSE
diff --git a/cPP/v2/transforms/Makefile b/Archive/cPP/v2/transforms/Makefile
similarity index 100%
rename from cPP/v2/transforms/Makefile
rename to Archive/cPP/v2/transforms/Makefile
diff --git a/cPP/v2/transforms/README.md b/Archive/cPP/v2/transforms/README.md
similarity index 100%
rename from cPP/v2/transforms/README.md
rename to Archive/cPP/v2/transforms/README.md
diff --git a/cPP/v2/transforms/cPP.make b/Archive/cPP/v2/transforms/cPP.make
similarity index 100%
rename from cPP/v2/transforms/cPP.make
rename to Archive/cPP/v2/transforms/cPP.make
diff --git a/cPP/v2/transforms/dictionaries/CommonCriteria.txt b/Archive/cPP/v2/transforms/dictionaries/CommonCriteria.txt
similarity index 100%
rename from cPP/v2/transforms/dictionaries/CommonCriteria.txt
rename to Archive/cPP/v2/transforms/dictionaries/CommonCriteria.txt
diff --git a/cPP/v2/transforms/dictionaries/Computer.txt b/Archive/cPP/v2/transforms/dictionaries/Computer.txt
similarity index 100%
rename from cPP/v2/transforms/dictionaries/Computer.txt
rename to Archive/cPP/v2/transforms/dictionaries/Computer.txt
diff --git a/cPP/v2/transforms/dictionaries/Crypto.txt b/Archive/cPP/v2/transforms/dictionaries/Crypto.txt
similarity index 100%
rename from cPP/v2/transforms/dictionaries/Crypto.txt
rename to Archive/cPP/v2/transforms/dictionaries/Crypto.txt
diff --git a/cPP/v2/transforms/module/Module.make b/Archive/cPP/v2/transforms/module/Module.make
similarity index 100%
rename from cPP/v2/transforms/module/Module.make
rename to Archive/cPP/v2/transforms/module/Module.make
diff --git a/cPP/v2/transforms/package/Package.make b/Archive/cPP/v2/transforms/package/Package.make
similarity index 100%
rename from cPP/v2/transforms/package/Package.make
rename to Archive/cPP/v2/transforms/package/Package.make
diff --git a/cPP/v2/transforms/py/anchorize-periods.py b/Archive/cPP/v2/transforms/py/anchorize-periods.py
similarity index 100%
rename from cPP/v2/transforms/py/anchorize-periods.py
rename to Archive/cPP/v2/transforms/py/anchorize-periods.py
diff --git a/cPP/v2/transforms/py/bp-documentor.py b/Archive/cPP/v2/transforms/py/bp-documentor.py
similarity index 100%
rename from cPP/v2/transforms/py/bp-documentor.py
rename to Archive/cPP/v2/transforms/py/bp-documentor.py
diff --git a/cPP/v2/transforms/py/cc_apply_tds.py b/Archive/cPP/v2/transforms/py/cc_apply_tds.py
similarity index 100%
rename from cPP/v2/transforms/py/cc_apply_tds.py
rename to Archive/cPP/v2/transforms/py/cc_apply_tds.py
diff --git a/cPP/v2/transforms/py/get_spell_allowlist.py b/Archive/cPP/v2/transforms/py/get_spell_allowlist.py
similarity index 100%
rename from cPP/v2/transforms/py/get_spell_allowlist.py
rename to Archive/cPP/v2/transforms/py/get_spell_allowlist.py
diff --git a/cPP/v2/transforms/py/post-process.py b/Archive/cPP/v2/transforms/py/post-process.py
similarity index 100%
rename from cPP/v2/transforms/py/post-process.py
rename to Archive/cPP/v2/transforms/py/post-process.py
diff --git a/cPP/v2/transforms/py/retrieve-included-docs.py b/Archive/cPP/v2/transforms/py/retrieve-included-docs.py
similarity index 100%
rename from cPP/v2/transforms/py/retrieve-included-docs.py
rename to Archive/cPP/v2/transforms/py/retrieve-included-docs.py
diff --git a/cPP/v2/transforms/py/show_xpath.py b/Archive/cPP/v2/transforms/py/show_xpath.py
similarity index 100%
rename from cPP/v2/transforms/py/show_xpath.py
rename to Archive/cPP/v2/transforms/py/show_xpath.py
diff --git a/cPP/v2/transforms/schemas/CCModule.rng b/Archive/cPP/v2/transforms/schemas/CCModule.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/CCModule.rng
rename to Archive/cPP/v2/transforms/schemas/CCModule.rng
diff --git a/cPP/v2/transforms/schemas/CCPackage.rng b/Archive/cPP/v2/transforms/schemas/CCPackage.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/CCPackage.rng
rename to Archive/cPP/v2/transforms/schemas/CCPackage.rng
diff --git a/cPP/v2/transforms/schemas/CCProtectionProfile.rng b/Archive/cPP/v2/transforms/schemas/CCProtectionProfile.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/CCProtectionProfile.rng
rename to Archive/cPP/v2/transforms/schemas/CCProtectionProfile.rng
diff --git a/cPP/v2/transforms/schemas/Commons.rng b/Archive/cPP/v2/transforms/schemas/Commons.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/Commons.rng
rename to Archive/cPP/v2/transforms/schemas/Commons.rng
diff --git a/cPP/v2/transforms/schemas/ConfigAnnex.rng b/Archive/cPP/v2/transforms/schemas/ConfigAnnex.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/ConfigAnnex.rng
rename to Archive/cPP/v2/transforms/schemas/ConfigAnnex.rng
diff --git a/cPP/v2/transforms/schemas/LaxProtectionProfile.rng b/Archive/cPP/v2/transforms/schemas/LaxProtectionProfile.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/LaxProtectionProfile.rng
rename to Archive/cPP/v2/transforms/schemas/LaxProtectionProfile.rng
diff --git a/cPP/v2/transforms/schemas/Makefile b/Archive/cPP/v2/transforms/schemas/Makefile
similarity index 100%
rename from cPP/v2/transforms/schemas/Makefile
rename to Archive/cPP/v2/transforms/schemas/Makefile
diff --git a/cPP/v2/transforms/schemas/SecurityTarget.rng b/Archive/cPP/v2/transforms/schemas/SecurityTarget.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/SecurityTarget.rng
rename to Archive/cPP/v2/transforms/schemas/SecurityTarget.rng
diff --git a/cPP/v2/transforms/schemas/Selection.rng b/Archive/cPP/v2/transforms/schemas/Selection.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/Selection.rng
rename to Archive/cPP/v2/transforms/schemas/Selection.rng
diff --git a/cPP/v2/transforms/schemas/StrictCommons.rng b/Archive/cPP/v2/transforms/schemas/StrictCommons.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/StrictCommons.rng
rename to Archive/cPP/v2/transforms/schemas/StrictCommons.rng
diff --git a/cPP/v2/transforms/schemas/TechnicalDecisions.rng b/Archive/cPP/v2/transforms/schemas/TechnicalDecisions.rng
similarity index 100%
rename from cPP/v2/transforms/schemas/TechnicalDecisions.rng
rename to Archive/cPP/v2/transforms/schemas/TechnicalDecisions.rng
diff --git a/cPP/v2/transforms/schemas/rng-to-html/bin/rng-resolve-includes.py b/Archive/cPP/v2/transforms/schemas/rng-to-html/bin/rng-resolve-includes.py
similarity index 100%
rename from cPP/v2/transforms/schemas/rng-to-html/bin/rng-resolve-includes.py
rename to Archive/cPP/v2/transforms/schemas/rng-to-html/bin/rng-resolve-includes.py
diff --git a/cPP/v2/transforms/schemas/rng-to-html/bin/rng-to-html b/Archive/cPP/v2/transforms/schemas/rng-to-html/bin/rng-to-html
similarity index 100%
rename from cPP/v2/transforms/schemas/rng-to-html/bin/rng-to-html
rename to Archive/cPP/v2/transforms/schemas/rng-to-html/bin/rng-to-html
diff --git a/cPP/v2/transforms/schemas/rng-to-html/lib/RngToHtml.xsl b/Archive/cPP/v2/transforms/schemas/rng-to-html/lib/RngToHtml.xsl
similarity index 100%
rename from cPP/v2/transforms/schemas/rng-to-html/lib/RngToHtml.xsl
rename to Archive/cPP/v2/transforms/schemas/rng-to-html/lib/RngToHtml.xsl
diff --git a/cPP/v2/transforms/xsl/SFRs.xml b/Archive/cPP/v2/transforms/xsl/SFRs.xml
similarity index 100%
rename from cPP/v2/transforms/xsl/SFRs.xml
rename to Archive/cPP/v2/transforms/xsl/SFRs.xml
diff --git a/cPP/v2/transforms/xsl/add-element-index-as-comments.xsl b/Archive/cPP/v2/transforms/xsl/add-element-index-as-comments.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/add-element-index-as-comments.xsl
rename to Archive/cPP/v2/transforms/xsl/add-element-index-as-comments.xsl
diff --git a/cPP/v2/transforms/xsl/audit.xsl b/Archive/cPP/v2/transforms/xsl/audit.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/audit.xsl
rename to Archive/cPP/v2/transforms/xsl/audit.xsl
diff --git a/cPP/v2/transforms/xsl/boilerplates.xml b/Archive/cPP/v2/transforms/xsl/boilerplates.xml
similarity index 100%
rename from cPP/v2/transforms/xsl/boilerplates.xml
rename to Archive/cPP/v2/transforms/xsl/boilerplates.xml
diff --git a/cPP/v2/transforms/xsl/boilerplates.xsl b/Archive/cPP/v2/transforms/xsl/boilerplates.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/boilerplates.xsl
rename to Archive/cPP/v2/transforms/xsl/boilerplates.xsl
diff --git a/cPP/v2/transforms/xsl/comma-splitter.xsl b/Archive/cPP/v2/transforms/xsl/comma-splitter.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/comma-splitter.xsl
rename to Archive/cPP/v2/transforms/xsl/comma-splitter.xsl
diff --git a/cPP/v2/transforms/xsl/configannex2html.xsl b/Archive/cPP/v2/transforms/xsl/configannex2html.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/configannex2html.xsl
rename to Archive/cPP/v2/transforms/xsl/configannex2html.xsl
diff --git a/cPP/v2/transforms/xsl/css-content.xsl b/Archive/cPP/v2/transforms/xsl/css-content.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/css-content.xsl
rename to Archive/cPP/v2/transforms/xsl/css-content.xsl
diff --git a/cPP/v2/transforms/xsl/debug.xsl b/Archive/cPP/v2/transforms/xsl/debug.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/debug.xsl
rename to Archive/cPP/v2/transforms/xsl/debug.xsl
diff --git a/cPP/v2/transforms/xsl/esr2html.xsl b/Archive/cPP/v2/transforms/xsl/esr2html.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/esr2html.xsl
rename to Archive/cPP/v2/transforms/xsl/esr2html.xsl
diff --git a/cPP/v2/transforms/xsl/ext-comp-defs.xsl b/Archive/cPP/v2/transforms/xsl/ext-comp-defs.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/ext-comp-defs.xsl
rename to Archive/cPP/v2/transforms/xsl/ext-comp-defs.xsl
diff --git a/cPP/v2/transforms/xsl/functions.xsl b/Archive/cPP/v2/transforms/xsl/functions.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/functions.xsl
rename to Archive/cPP/v2/transforms/xsl/functions.xsl
diff --git a/cPP/v2/transforms/xsl/js-content.xsl b/Archive/cPP/v2/transforms/xsl/js-content.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/js-content.xsl
rename to Archive/cPP/v2/transforms/xsl/js-content.xsl
diff --git a/cPP/v2/transforms/xsl/make-ref.xsl b/Archive/cPP/v2/transforms/xsl/make-ref.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/make-ref.xsl
rename to Archive/cPP/v2/transforms/xsl/make-ref.xsl
diff --git a/cPP/v2/transforms/xsl/module-commons.xsl b/Archive/cPP/v2/transforms/xsl/module-commons.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/module-commons.xsl
rename to Archive/cPP/v2/transforms/xsl/module-commons.xsl
diff --git a/cPP/v2/transforms/xsl/module2html.xsl b/Archive/cPP/v2/transforms/xsl/module2html.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/module2html.xsl
rename to Archive/cPP/v2/transforms/xsl/module2html.xsl
diff --git a/cPP/v2/transforms/xsl/module2sd.xsl b/Archive/cPP/v2/transforms/xsl/module2sd.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/module2sd.xsl
rename to Archive/cPP/v2/transforms/xsl/module2sd.xsl
diff --git a/cPP/v2/transforms/xsl/pp2html.xsl b/Archive/cPP/v2/transforms/xsl/pp2html.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/pp2html.xsl
rename to Archive/cPP/v2/transforms/xsl/pp2html.xsl
diff --git a/cPP/v2/transforms/xsl/pp2simplified.xsl b/Archive/cPP/v2/transforms/xsl/pp2simplified.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/pp2simplified.xsl
rename to Archive/cPP/v2/transforms/xsl/pp2simplified.xsl
diff --git a/cPP/v2/transforms/xsl/pp2table.xsl b/Archive/cPP/v2/transforms/xsl/pp2table.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/pp2table.xsl
rename to Archive/cPP/v2/transforms/xsl/pp2table.xsl
diff --git a/cPP/v2/transforms/xsl/ppcommons.xsl b/Archive/cPP/v2/transforms/xsl/ppcommons.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/ppcommons.xsl
rename to Archive/cPP/v2/transforms/xsl/ppcommons.xsl
diff --git a/cPP/v2/transforms/xsl/sanity_checks.xsl b/Archive/cPP/v2/transforms/xsl/sanity_checks.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/sanity_checks.xsl
rename to Archive/cPP/v2/transforms/xsl/sanity_checks.xsl
diff --git a/cPP/v2/transforms/xsl/use-case.xsl b/Archive/cPP/v2/transforms/xsl/use-case.xsl
similarity index 100%
rename from cPP/v2/transforms/xsl/use-case.xsl
rename to Archive/cPP/v2/transforms/xsl/use-case.xsl
From 9db177baa35bb445566df3ba9f1563691e7747af Mon Sep 17 00:00:00 2001
From: drumleytx <216058183+drumleytx@users.noreply.github.com> Date: Wed, 4 Mar 2026 11:42:48 -0600 Subject: [PATCH 2/9] Set up Version 2 build system based on NIAP Application Software PP - Copy NIAP commoncriteria/application XML source and build infrastructure - Add commoncriteria/transforms as git submodule - Add GitHub Actions workflows (quick_build, quick_build_pdf, validate) - Update all URLs and references to appswcpp/repository - Create PP-Module directories (Agent, Server) with Makefile using Module.make - Workflow builds modules when XML input is present and deploys to gh-pages - Add README.md and Readme.adoc with links to built documents and modules - Archive directory contains previous v1.0e cPP, SD, and PP-Modules --- .github/workflows/quick_build.yml | 301 + .github/workflows/quick_build_pdf.yml | 277 + .github/workflows/validate.yml | 26 + .gitignore | 11 +- .gitmodules | 3 + Dictionary.txt | 178 + LICENSE | 25 + Makefile | 13 + Modules/Agent/.gitignore | 10 + Modules/Agent/Dictionary.txt | 1 + Modules/Agent/Makefile | 6 + Modules/Agent/input/.gitignore | 2 + Modules/Agent/input/tds/README.md | 4 + Modules/Agent/output/images/cclogo.png | Bin 0 -> 32411 bytes Modules/Agent/output/images/niaplogo.png | Bin 0 -> 22727 bytes Modules/Server/.gitignore | 10 + Modules/Server/Dictionary.txt | 1 + Modules/Server/Makefile | 6 + Modules/Server/input/.gitignore | 2 + Modules/Server/input/tds/README.md | 4 + Modules/Server/output/images/cclogo.png | Bin 0 -> 32411 bytes Modules/Server/output/images/niaplogo.png | Bin 0 -> 22727 bytes README.md | 62 + Readme.adoc | 107 + input/.gitignore | 3 + input/application.xml | 2261 + input/cc.xml | 53805 ++++++++++++++++++++ input/esr.xml | 505 + input/tds/README.md | 9 + output/images/appdiagram.png | Bin 0 -> 33393 bytes output/images/cclogo.png | Bin 0 -> 32411 bytes output/images/collapsed.png | Bin 0 -> 952 bytes output/images/expanded.png | Bin 0 -> 1206 bytes output/images/niaplogo.png | Bin 0 -> 22727 bytes 
output/images/niaplogodraft.png | Bin 0 -> 33372 bytes output/images/toe.png | Bin 0 -> 30908 bytes output/images/toeruntime.png | Bin 0 -> 41733 bytes transforms | 1 + 38 files changed, 57632 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/quick_build.yml create mode 100644 .github/workflows/quick_build_pdf.yml create mode 100644 .github/workflows/validate.yml create mode 100644 .gitmodules create mode 100644 Dictionary.txt create mode 100644 LICENSE create mode 100644 Makefile create mode 100644 Modules/Agent/.gitignore create mode 100644 Modules/Agent/Dictionary.txt create mode 100644 Modules/Agent/Makefile create mode 100644 Modules/Agent/input/.gitignore create mode 100644 Modules/Agent/input/tds/README.md create mode 100644 Modules/Agent/output/images/cclogo.png create mode 100644 Modules/Agent/output/images/niaplogo.png create mode 100644 Modules/Server/.gitignore create mode 100644 Modules/Server/Dictionary.txt create mode 100644 Modules/Server/Makefile create mode 100644 Modules/Server/input/.gitignore create mode 100644 Modules/Server/input/tds/README.md create mode 100644 Modules/Server/output/images/cclogo.png create mode 100644 Modules/Server/output/images/niaplogo.png create mode 100644 README.md create mode 100644 Readme.adoc create mode 100644 input/.gitignore create mode 100644 input/application.xml create mode 100755 input/cc.xml create mode 100644 input/esr.xml create mode 100644 input/tds/README.md create mode 100644 output/images/appdiagram.png create mode 100644 output/images/cclogo.png create mode 100644 output/images/collapsed.png create mode 100644 output/images/expanded.png create mode 100644 output/images/niaplogo.png create mode 100644 output/images/niaplogodraft.png create mode 100644 output/images/toe.png create mode 100644 output/images/toeruntime.png create mode 160000 transforms diff --git a/.github/workflows/quick_build.yml b/.github/workflows/quick_build.yml new file mode 100644 index 0000000..7d51bfe 
--- /dev/null +++ b/.github/workflows/quick_build.yml 
@@ -0,0 +1,301 @@ +name: QuickBuild v4.6 20251010 + +on: + push: + branches: + - '*' + - '!gh-pages' + workflow_dispatch: + inputs: + environment: + type: string + default: DEV + required: true + +jobs: + test: + runs-on: ubuntu-latest + name: Quick Build + steps: + - name: Checkout project and transforms + uses: actions/checkout@v3 + with: + submodules: true + + - name: Install Build Packages +# run: "sudo apt-get update && sudo apt-get install -y xsltproc hunspell pandoc" + run: "sudo apt-get update && sudo apt-get install -y hunspell python3-lxml xsltproc" + + - name: Install Jing + run: wget -O - https://github.com/relaxng/jing-trang/releases/download/V20181222/jing-20181222.zip | jar -x + + - name: Set branch name + run: echo "action_branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV + + - name: Set base URL + run: echo "action_projname=${PWD##*/}" >> $GITHUB_ENV + + - name: Quick Build + run: WARN_PATH="output/SanityChecksOutput.md" make + + - name: Build PP-Modules + run: | + for moddir in Modules/*/; do + if ls ${moddir}input/*.xml 1>/dev/null 2>&1; then + echo "Building module in ${moddir}..." + cd ${moddir} + WARN_PATH="output/SanityChecksOutput.md" make || true + cd $GITHUB_WORKSPACE + else + echo "No XML input in ${moddir}, skipping." 
+ fi + done + + + - name: Branch Test + run: | + branchname=$(echo ${GITHUB_REF#refs/heads/}) + if [[ $branchname =~ [0-9] ]]; then + echo "action_is_release=YES" >> $GITHUB_ENV + else + echo "action_is_release=NO" >> $GITHUB_ENV + fi + + # PDFify + - name: PDFify + if: ${{ env.action_is_release == 'YES' }} + run: | + sudo apt install -y chromium + cd output + for aa in *.html; do + chromium --no-sandbox --headless --disable-gpu --no-pdf-header-footer --timeout=10000 \ + --print-to-pdf=${aa}.pdf \ + file://${PWD}/${aa} + done + + - id: validate + run: | + RNG_OUT="output/ValidationReport.txt" make validate || true + + - name: Set valerrors + run: echo "action_valerrors=$(wc -l output/ValidationReport.txt | { read first rest ; echo $first ; } )" >> $GITHUB_ENV + + - id: spellcheck + run: | + SPELL_OUT="output/SpellCheckReport.txt" make spellcheck + + - name: Set spellerrors + run: echo "action_spellerrors=$(wc -l output/SpellCheckReport.txt | { read first rest ; echo $first ; } )" >> $GITHUB_ENV + + - name: Get Transforms Date +# run: echo "action_tdate=2002222" >> $GITHUB_ENV + run: echo "action_tdate=$(cd transforms && git log -1 --format=%cs; cd ->/dev/null)" >> $GITHUB_ENV + + - name: Get DaisyDiff + run: | + wget -O- https://github.com/AndroidKitKat/ExecuteDaisy/archive/master.zip | jar -x + [ -d "output/images" ] || mkdir "output/images"; + cp -u -r ExecuteDaisy-master/js ExecuteDaisy-master/css output; + cp -u ExecuteDaisy-master/images/* output/images; + + + - name: Make tmp dir + run: mkdir tmp + + - name: diff + run: TMP=tmp make diff || true; + # Little diff depends on having a git history. 
+ # The current checkout has depth=1 and has no history + #- name: little diff + # run: make little-diff || true + + - name: Outstanding TDs + id: tds + run: | + if [ "${{steps.extract_branch.outputs.branch}}" == "master" ] && + ls input/tds/*.xml ; then + echo "Master branch should not have TDs" >> output/TDValidationReport.txt + fi + # make effective + # PP_XML=output/effective.xml RNG_OUT=output/TDValidationReport.txt make validate || true + # IF STATEMENT HERE + # PP_XML=output/effective.xml PP_RELEASE_HTML=output/AppliedTDs.html make release + # java -jar ExecuteDaisy-master/*.jar output/*-release.html output/AppliedTDs.html --file=output/AppliedTDs-Diff.html + + - name: Set TD badge attributes + run: | + NUM=$(ls input/tds/*.xml | wc -l) + if [ $NUM == 0 ]; then + echo "action_tdcolor=gray" >> $GITHUB_ENV + echo "action_tdwarns=N/A" >> $GITHUB_ENV + echo "GOING THROUGH HERE $NUM" + else + echo "action_tdcolor=$(if [ -s output/TDValidationReport.txt ]; then echo orange; else echo green; fi)" >> $GITHUB_ENV + echo "action_tdwarns=$NUM:$(wc -l output/TDValidationReport.txt | { read first rest ; echo $first;})" >> $GITHUB_ENV + echo "THERE ARE TDs $NUM" + + fi + # Not sure what the point of this is + - name: Validate Effective + run: | + echo "action_effvalcolor=$(if [ -s output/TDValidationReport.txt ]; then echo orange; else echo green; fi)" >> $GITHUB_ENV + echo "action_effvalwarns=$(wc -l output/TDValidationReport.txt | { read first rest ; echo $first;} )" >> $GITHUB_ENV + + + - name: Prepare environment + run: | + # Generates a GitHub Workflow output named `lines` with a coverage value + echo "action_spellcolor=$(if [ 0 = ${{ env.action_spellerrors }} ]; then echo green; else echo red; fi)" >> $GITHUB_ENV + echo "action_valcolor=$(if [ 0 = ${{ env.action_valerrors }} ]; then echo green; else echo red; fi)" >> $GITHUB_ENV + echo "action_sanitystatus=$(if [ -s output/SanityChecksOutput.md ]; then echo some; else echo none; fi)" >> $GITHUB_ENV + echo 
"action_sanitycolor=$(if [ -s output/SanityChecksOutput.md ]; then echo red; else echo green; fi )" >> $GITHUB_ENV + + + + - name: Generate the spelling badge SVG image + uses: emibcn/badge-action@v2.0.2 + with: + label: 'Misspellings' + status: ${{ env.action_spellerrors }} + color: ${{ env.action_spellcolor }} + path: output/spell-badge.svg + + + + - name: Generate the validation badge SVG image + uses: emibcn/badge-action@v2.0.2 + with: + label: 'Validation' + status: ${{ env.action_valerrors }} + color: ${{ env.action_valcolor }} + path: output/validation.svg + + + - name: Generate the warnings badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'Warnings' + status: ${{ env.action_sanitystatus }} + color: ${{ env.action_sanitycolor }} + path: output/warnings.svg + + + - name: Generate the transforms badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'Transforms' + status: ${{ env.action_tdate }} + color: gray + path: output/transforms.svg + + - name: TD Badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'TDs' + status: ${{ env.action_tdwarns }} + color: ${{ env.action_tdcolor }} + path: output/tds.svg + + - name: Make Dashboard Snippet + run: | + rurl="https://raw.githubusercontent.com/appswcpp/${{env.action_projname}}/gh-pages/${{env.action_branch}}" + surl="https://appswcpp.github.io/${{env.action_projname}}/${{env.action_branch}}" + gurl="https://github.com/appswcpp/${{env.action_projname}}/blob/gh-pages/${{env.action_branch}}" + ( + echo '[cols="1,1,1,1,1,1,1,1"]' + echo '|===' + echo "8+|${{ env.action_projname }} " + echo "| https://github.com/appswcpp/${{env.action_projname}}/tree/${{env.action_branch}}[${{ env.action_branch }}] " + echo "a| $surl/${{env.action_projname}}-release.html[📄]" + echo "a|[link=$gurl/ValidationReport.txt]" + echo "image::$rurl/validation.svg[Validation]" + echo "a|[link=$gurl/SanityChecksOutput.md]" + echo "image::$rurl/warnings.svg[SanityChecks]" + echo "a|[link=$gurl/SpellCheckReport.txt]" + echo 
"image::$rurl/spell-badge.svg[SpellCheck]" + echo "a|[link=$gurl/TDValidationReport.txt]" + echo "image::$rurl/tds.svg[TDs]" + echo "a|image::$rurl/transforms.svg[transforms,150]" + echo "a| [link=$gurl/HTMLs.adoc]" + echo "image::$rurl/html_count.svg[HTML Count]" + echo "[link=$gurl/PDFs.adoc]" + echo "image::$rurl/pdf_count.svg[PDF Count]" + echo '|===' + ) > output/Minidash.adoc + + + - name: HTML List + run: | + surl="https://appswcpp.github.io/${{env.action_projname}}/${{env.action_branch}}" + ( for aa in output/*.html ; do + echo "* $surl/${aa#*/}[${aa#*/}]" + done ) > output/HTMLs.adoc + HTML_COUNT=$(wc -l < output/HTMLs.adoc) + echo "action_html_count=$HTML_COUNT" >> $GITHUB_ENV + + - name: PDF List + run: | + surl="https://appswcpp.github.io/${{env.action_projname}}/${{env.action_branch}}" + cd output + (for aa in $(find . -name '*.pdf') ; do + echo "* $surl/${aa#*/}[${aa#*/}]" + done ) > PDFs.adoc + PDF_COUNT=$(wc -l < PDFs.adoc) + echo "action_pdf_count=$PDF_COUNT" >> $GITHUB_ENV + + + - name: HTML Badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'HTMLs' + status: ${{ env.action_html_count }} + color: gray + path: output/html_count.svg + + - name: PDF Badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'PDFs' + status: ${{ env.action_pdf_count }} + color: gray + path: output/pdf_count.svg + + + - name: Prepare checkout + run: | + mkdir gh-pages + + - uses: actions/checkout@v3 + with: + ref: gh-pages + path: gh-pages + + + - name: Move output to branch + run: | + rm -rf gh-pages/${{ env.action_branch }} + mv output gh-pages/${{ env.action_branch }} + for moddir in Modules/*/; do + modname=$(basename ${moddir}) + if [ -d "${moddir}output" ]; then + mkdir -p gh-pages/${{ env.action_branch }}/Modules/${modname} + cp -r ${moddir}output/* gh-pages/${{ env.action_branch }}/Modules/${modname}/ 2>/dev/null || true + fi + done + + - name: Make listing + run: | + cd gh-pages + (echo "Listing"; + date; + echo "
    "; + for aa in $(find . -name '*.*'); do + echo "
  1. $aa
  2. "; + done; + echo "
") > index.html + + - name: Deploy 🚀 + uses: JamesIves/github-pages-deploy-action@v4 + with: + branch: gh-pages # The branch the action should deploy to. + folder: gh-pages # The folder the action should deploy. diff --git a/.github/workflows/quick_build_pdf.yml b/.github/workflows/quick_build_pdf.yml new file mode 100644 index 0000000..0d3b76c --- /dev/null +++ b/.github/workflows/quick_build_pdf.yml 
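Review bot: The `Install Jing` and `Get DaisyDiff` steps pipe a downloaded zip straight into `jar -x` with no integrity check, and the DaisyDiff archive comes from `archive/master.zip`, a moving branch of a third-party repository. The extracted `js` and `css` directories are then copied into `output` and published by the gh-pages deploy step, so whatever that branch holds at build time ends up on the project site. Download to a file, pin to a release or commit archive, and verify a recorded digest before extracting, for example `wget -O jing.zip <release-url> && echo "<expected-sha256>  jing.zip" | sha256sum -c - && jar -xf jing.zip` (both bracketed values are placeholders to fill in). The same unverified Jing download is in quick_build_pdf.yml and validate.yml.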
@@ -0,0 +1,277 @@ +name: QuickBuild v4.6pdf 20251010 +# Run only on demand to do quick build with both pdf and html output + +on: + workflow_dispatch: + inputs: + environment: + type: string + default: DEV + required: true + +jobs: + test: + runs-on: ubuntu-latest + name: Quick Build + steps: + - name: Checkout project and transforms + uses: actions/checkout@v3 + with: + submodules: true + + - name: Install Build Packages +# run: "sudo apt-get update && sudo apt-get install -y xsltproc hunspell pandoc" + run: "sudo apt-get update && sudo apt-get install -y hunspell python3-lxml xsltproc" + + - name: Install Jing + run: wget -O - https://github.com/relaxng/jing-trang/releases/download/V20181222/jing-20181222.zip | jar -x + + - name: Set branch name + run: echo "action_branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV + + - name: Set base URL + run: echo "action_projname=${PWD##*/}" >> $GITHUB_ENV + + - name: Quick Build + run: WARN_PATH="output/SanityChecksOutput.md" make + + + - name: Branch Test + run: | + branchname=$(echo ${GITHUB_REF#refs/heads/}) + if [[ $branchname =~ [0-9] ]]; then + echo "action_is_release=YES" >> $GITHUB_ENV + else + echo "action_is_release=NO" >> $GITHUB_ENV + fi + + # PDFify + - name: PDFify + run: | + sudo apt install -y chromium + cd output + for aa in *.html; do + chromium --no-sandbox --headless --disable-gpu --no-pdf-header-footer --timeout=10000 \ + --print-to-pdf=${aa}.pdf \ + file://${PWD}/${aa} + done + + - id: validate + run: | + RNG_OUT="output/ValidationReport.txt" make validate || true + + - name: Set valerrors + run: echo "action_valerrors=$(wc -l output/ValidationReport.txt | { read first rest ; echo $first ; } )" >> $GITHUB_ENV + + - id: spellcheck + run: | + SPELL_OUT="output/SpellCheckReport.txt" make spellcheck + + - name: Set spellerrors + run: echo "action_spellerrors=$(wc -l output/SpellCheckReport.txt | { read first rest ; echo $first ; } )" >> $GITHUB_ENV + + - name: Get Transforms Date +# run: echo 
"action_tdate=2002222" >> $GITHUB_ENV + run: echo "action_tdate=$(cd transforms && git log -1 --format=%cs; cd ->/dev/null)" >> $GITHUB_ENV + +# - name: Get DaisyDiff +# run: | +# wget -O- https://github.com/AndroidKitKat/ExecuteDaisy/archive/master.zip | jar -x +# [ -d "output/images" ] || mkdir "output/images"; +# cp -u -r ExecuteDaisy-master/js ExecuteDaisy-master/css output; +# cp -u ExecuteDaisy-master/images/* output/images; + + + - name: Make tmp dir + run: mkdir tmp + +# - name: diff +# run: TMP=tmp make diff || true; + # Little diff depends on having a git history. + # The current checkout has depth=1 and has no history + #- name: little diff + # run: make little-diff || true + + - name: Outstanding TDs + id: tds + run: | + if [ "${{steps.extract_branch.outputs.branch}}" == "master" ] && + ls input/tds/*.xml ; then + echo "Master branch should not have TDs" >> output/TDValidationReport.txt + fi + # make effective + # PP_XML=output/effective.xml RNG_OUT=output/TDValidationReport.txt make validate || true + # IF STATEMENT HERE + # PP_XML=output/effective.xml PP_RELEASE_HTML=output/AppliedTDs.html make release + # java -jar ExecuteDaisy-master/*.jar output/*-release.html output/AppliedTDs.html --file=output/AppliedTDs-Diff.html + + - name: Set TD badge attributes + run: | + NUM=$(ls input/tds/*.xml | wc -l) + if [ $NUM == 0 ]; then + echo "action_tdcolor=gray" >> $GITHUB_ENV + echo "action_tdwarns=N/A" >> $GITHUB_ENV + echo "GOING THROUGH HERE $NUM" + else + echo "action_tdcolor=$(if [ -s output/TDValidationReport.txt ]; then echo orange; else echo green; fi)" >> $GITHUB_ENV + echo "action_tdwarns=$NUM:$(wc -l output/TDValidationReport.txt | { read first rest ; echo $first;})" >> $GITHUB_ENV + echo "THERE ARE TDs $NUM" + + fi + # Not sure what the point of this is + - name: Validate Effective + run: | + echo "action_effvalcolor=$(if [ -s output/TDValidationReport.txt ]; then echo orange; else echo green; fi)" >> $GITHUB_ENV + echo "action_effvalwarns=$(wc -l 
output/TDValidationReport.txt | { read first rest ; echo $first;} )" >> $GITHUB_ENV + + + - name: Prepare environment + run: | + # Generates a GitHub Workflow output named `lines` with a coverage value + echo "action_spellcolor=$(if [ 0 = ${{ env.action_spellerrors }} ]; then echo green; else echo red; fi)" >> $GITHUB_ENV + echo "action_valcolor=$(if [ 0 = ${{ env.action_valerrors }} ]; then echo green; else echo red; fi)" >> $GITHUB_ENV + echo "action_sanitystatus=$(if [ -s output/SanityChecksOutput.md ]; then echo some; else echo none; fi)" >> $GITHUB_ENV + echo "action_sanitycolor=$(if [ -s output/SanityChecksOutput.md ]; then echo red; else echo green; fi )" >> $GITHUB_ENV + + + + - name: Generate the spelling badge SVG image + uses: emibcn/badge-action@v2.0.2 + with: + label: 'Misspellings' + status: ${{ env.action_spellerrors }} + color: ${{ env.action_spellcolor }} + path: output/spell-badge.svg + + + + - name: Generate the validation badge SVG image + uses: emibcn/badge-action@v2.0.2 + with: + label: 'Validation' + status: ${{ env.action_valerrors }} + color: ${{ env.action_valcolor }} + path: output/validation.svg + + + - name: Generate the warnings badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'Warnings' + status: ${{ env.action_sanitystatus }} + color: ${{ env.action_sanitycolor }} + path: output/warnings.svg + + + - name: Generate the transforms badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'Transforms' + status: ${{ env.action_tdate }} + color: gray + path: output/transforms.svg + + - name: TD Badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'TDs' + status: ${{ env.action_tdwarns }} + color: ${{ env.action_tdcolor }} + path: output/tds.svg + + - name: Make Dashboard Snippet + run: | + rurl="https://raw.githubusercontent.com/appswcpp/${{env.action_projname}}/gh-pages/${{env.action_branch}}" + surl="https://appswcpp.github.io/${{env.action_projname}}/${{env.action_branch}}" + 
gurl="https://github.com/appswcpp/${{env.action_projname}}/blob/gh-pages/${{env.action_branch}}" + ( + echo '[cols="1,1,1,1,1,1,1,1"]' + echo '|===' + echo "8+|${{ env.action_projname }} " + echo "| https://github.com/appswcpp/${{env.action_projname}}/tree/${{env.action_branch}}[${{ env.action_branch }}] " + echo "a| $surl/${{env.action_projname}}-release.html[📄]" + echo "a|[link=$gurl/ValidationReport.txt]" + echo "image::$rurl/validation.svg[Validation]" + echo "a|[link=$gurl/SanityChecksOutput.md]" + echo "image::$rurl/warnings.svg[SanityChecks]" + echo "a|[link=$gurl/SpellCheckReport.txt]" + echo "image::$rurl/spell-badge.svg[SpellCheck]" + echo "a|[link=$gurl/TDValidationReport.txt]" + echo "image::$rurl/tds.svg[TDs]" + echo "a|image::$rurl/transforms.svg[transforms,150]" + echo "a| [link=$gurl/HTMLs.adoc]" + echo "image::$rurl/html_count.svg[HTML Count]" + echo "[link=$gurl/PDFs.adoc]" + echo "image::$rurl/pdf_count.svg[PDF Count]" + echo '|===' + ) > output/Minidash.adoc + + + - name: HTML List + run: | + surl="https://appswcpp.github.io/${{env.action_projname}}/${{env.action_branch}}" + ( for aa in output/*.html ; do + echo "* $surl/${aa#*/}[${aa#*/}]" + done ) > output/HTMLs.adoc + HTML_COUNT=$(wc -l < output/HTMLs.adoc) + echo "action_html_count=$HTML_COUNT" >> $GITHUB_ENV + + - name: PDF List + run: | + surl="https://appswcpp.github.io/${{env.action_projname}}/${{env.action_branch}}" + cd output + (for aa in $(find . 
-name '*.pdf') ; do + echo "* $surl/${aa#*/}[${aa#*/}]" + done ) > PDFs.adoc + PDF_COUNT=$(wc -l < PDFs.adoc) + echo "action_pdf_count=$PDF_COUNT" >> $GITHUB_ENV + + + - name: HTML Badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'HTMLs' + status: ${{ env.action_html_count }} + color: gray + path: output/html_count.svg + + - name: PDF Badge + uses: emibcn/badge-action@v2.0.2 + with: + label: 'PDFs' + status: ${{ env.action_pdf_count }} + color: gray + path: output/pdf_count.svg + + + - name: Prepare checkout + run: | + mkdir gh-pages + + - uses: actions/checkout@v3 + with: + ref: gh-pages + path: gh-pages + + + - name: Move output to branch + run: | + rm -rf gh-pages/${{ env.action_branch }} + mv output gh-pages/${{ env.action_branch }} + + - name: Make listing + run: | + cd gh-pages + (echo "Listing"; + date; + echo "
    "; + for aa in $(find . -name '*.*'); do + echo "
  1. $aa
  2. "; + done; + echo "
") > index.html
+
+ - name: Deploy 🚀
+ uses: JamesIves/github-pages-deploy-action@v4
+ with:
+ branch: gh-pages # The branch the action should deploy to.
+ folder: gh-pages # The folder the action should deploy.
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
new file mode 100644
index 0000000..95e8d02
--- /dev/null
+++ b/.github/workflows/validate.yml
@@ -0,0 +1,26 @@
+# This is a the Common Criteria build workflow that is triggered on push
+
+name: Validate
+
+# Controls when the action will run. Workflow runs when manually triggered using the UI
+# or API.
+on: [push, workflow_dispatch]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ build-project:
+
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ - name: Checkout project and transforms
+ uses: actions/checkout@v4
+ with:
+ submodules: true
+
+ - name: Install Jing
+ run: wget -O - https://github.com/relaxng/jing-trang/releases/download/V20181222/jing-20181222.zip | jar -x
+
+ - name: Schema Validation
+ run: JING_JAR=jing*/bin/jing.jar make validate
diff --git a/.gitignore b/.gitignore
index 9bea433..508efe3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,11 @@
-
+output/*.*
+output/css
+output/js
+*~
+input/*.html
+input/schemas.xml
+*.rnc
+tmp
+LocalUser.make
+output/images/diff-*.gif
 .DS_Store
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..c6fee0c
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "transforms"]
+ path = transforms
+ url = https://github.com/commoncriteria/transforms.git
diff --git a/Dictionary.txt b/Dictionary.txt
new file mode 100644
index 0000000..d97de56
--- /dev/null
+++ b/Dictionary.txt
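Review bot: The `Install Jing` step in validate.yml pipes the downloaded `jing-20181222.zip` straight into `jar -x`, so whatever the release URL serves at build time is unpacked and then used by `JING_JAR=jing*/bin/jing.jar make validate` with no integrity check. Download to a file, compare it with a SHA-256 digest recorded in the workflow, and only then extract; the fence shows the step rewritten that way, with the digest left as a placeholder to be filled in from a copy you have verified. The workflow also declares no `permissions:` block; the visible steps only read the repository, so a top-level `permissions: contents: read` would keep the job token narrowly scoped, assuming `make validate` needs nothing more.

```yaml
      - name: Install Jing
        env:
          # placeholder: record the digest of a copy you have verified
          JING_SHA256: <expected-sha256-of-jing-20181222.zip>
        run: |
          wget -O jing.zip https://github.com/relaxng/jing-trang/releases/download/V20181222/jing-20181222.zip
          echo "${JING_SHA256}  jing.zip" | sha256sum --check -
          jar -xf jing.zip
      # … unchanged: Schema Validation step …
```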
@@ -0,0 +1,178 @@
+10C
+11C
+131A
+1C
+1D
+1E
+2C
+2D
+2E
+38A
+38C
+38D
+38E
+3C
+3E
+4C
+56A
+56B
+57A
+5C
+6C
+7C
+8C
+90A
+90B
+9C
+AAD
+ANO
+ASE
+AndroidManifest
+AppArmor
+AppContainer
+AppPP
+ApplicationSettings
+AppxManifest
+Authenticode
+BCryptGenRandom
+BinScope
+BinSkim
+BitLocker
+CAVP
+CC2022
+CCEVS
+CCTL
+CEM
+CFG
+CNSA
+CoreOS
+CryptGenRandom
+DataStore
+DCCP
+DoD
+EAF
+ECB
+EFS
+EKU
+enquiries
+EXE
+eXtended
+evaluator’s
+Electrotechnical
+FIA
+ffdhe
+ffdhe3072
+FPR
+FPT
+FSP
+H5
+H10
+H15
+H25
+href
+IAF
+IDV
+ISV
+IUT
+IsolatedStorage
+IsolatedStorageSettings
+KAT
+KATs
+KDF
+KeyStores
+Latice
+LMS
+M24
+M32
+MACTag
+MACed
+MACs
+MACtag
+Merkle
+Micali
+MEC
+MEDIALIB
+MacKey
+MacTag
+NSAllowsArbitraryLoads
+NSExceptionAllowsInsecureHTTPLoads
+NVLAP
+NXCheck
+o365
+OSP
+OSPs
+OtherInfo
+parties’
+PBKDF
+PBKDF2
+PreferenceActivity
+PRF
+PROT
+PRT
+PTR
+ProcMon
+ProtectData
+QWORD
+RBGs
+RNGCryptoServiceProvider
+RandomNumberGenerator
+RangeChecking
+RtlGenRandom
+SCAP
+SELinux
+SHAVS
+SKC
+SMF
+SP800
+STO
+Sig
+Silverlight
+SharedPreferences
+SoftwareIdentity
+Solaris
+Stateful
+SysInternals
+syslog
+TDs
+TSU
+TUD
+VMMap
+VVoIP
+Validator
+WMAppManifest
+X9
+XMSS
+aspx
+caSigning
+cleartext
+connectionless
+decompilation
+decompile
+decompiled
+decompiler
+dtrace
+exe
+exploitations
+iPhones
+icacls
+invocable
+keyrings
+macOS
+microarchitecture
+mmap
+mov
+mprotect
+namespace
+plist
+rcx
+rsp
+sdk
+strace
+supersets
+swidtag
+uninstallation
+v1
+validator
+virtualized
+xml
+FFC
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..a84c395
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,25 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
+
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..19b4cd4
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,13 @@
+DIFF_TAGS=v1.4
+TRANS?=transforms
+
+# Let user's include their own makefiles (if they exist)
+-include User.make
+-include ~/commoncriteria/User.make
+include $(TRANS)/Helper.make
+
+#APP_RECIPROCITY_WORKSHEET=$(OUT)/application-vetting-report-sample.html
+#all: $(APP_RECIPROCITY_WORKSHEET)
+#$(APP_RECIPROCITY_WORKSHEET): schema/results2vettingreport.xsl schema/results-example.xml
+# xsltproc -o $(APP_RECIPROCITY_WORKSHEET) schema/results2vettingreport.xsl schema/results-example.xml
+
diff --git a/Modules/Agent/.gitignore b/Modules/Agent/.gitignore
new file mode 100644
index 0000000..44c2625
--- /dev/null
+++ b/Modules/Agent/.gitignore
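Review bot: The two optional includes in the new Makefile, `-include User.make` and `-include ~/commoncriteria/User.make`, pull make fragments from the working tree and from the home directory of whoever runs the build, and the existing comment does not say that these files are evaluated on every invocation; the same pair appears in Modules/Agent/Makefile. On a shared build account or a self-hosted runner this makes the output depend on files outside the repository. I would document it above the includes, for example `# Optional local overrides: User.make files are read and executed by make if present; keep them out of CI and shared build accounts.`, and add next to `include $(TRANS)/Helper.make` a note that `transforms` is a git submodule that has to be initialised before make will run.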
@@ -0,0 +1,10 @@
+output/*.*
+output/css
+output/js
+*~
+input/*.html
+input/schemas.xml
+*.rnc
+tmp
+LocalUser.make
+output/images/diff-*.gif
diff --git a/Modules/Agent/Dictionary.txt b/Modules/Agent/Dictionary.txt
new file mode 100644
index 0000000..b93e11e
--- /dev/null
+++ b/Modules/Agent/Dictionary.txt
@@ -0,0 +1 @@
+Agent
diff --git a/Modules/Agent/Makefile b/Modules/Agent/Makefile
new file mode 100644
index 0000000..e58b690
--- /dev/null
+++ b/Modules/Agent/Makefile
@@ -0,0 +1,6 @@
+TRANS?=../../transforms
+
+# Let user's include their own makefiles (if they exist)
+-include User.make
+-include ~/commoncriteria/User.make
+include $(TRANS)/module/Module.make
diff --git a/Modules/Agent/input/.gitignore b/Modules/Agent/input/.gitignore
new file mode 100644
index 0000000..329ef01
--- /dev/null
+++ b/Modules/Agent/input/.gitignore
@@ -0,0 +1,2 @@
+*.html
+schemas.xml
diff --git a/Modules/Agent/input/tds/README.md b/Modules/Agent/input/tds/README.md
new file mode 100644
index 0000000..9d19f35
--- /dev/null
+++ b/Modules/Agent/input/tds/README.md
@@ -0,0 +1,4 @@
+# Technical Decisions
+
+Place TD XML files in this directory for the Agent PP-Module.
+On the main development branch, TDs should be incorporated into the module XML directly.
diff --git a/Modules/Agent/output/images/cclogo.png b/Modules/Agent/output/images/cclogo.png new file mode 100644 index 0000000000000000000000000000000000000000..84648693e5197d94f16f682fb26013ab77c2c602 GIT binary patch literal 32411 zcmdSAhdW%~7cV^eM2SK4I=W~<^a#;|kPt>6C3=lsM{gm71PRfiL?68~M3m@l^e%eu z48uG5{_cDKhda-D&U5xT`>eJ1Dtmp_K67GTYpReC(h&jx0FsxgirN4G9uxq;Dg@$S zu2^$eeF6Y*0IxOPDq)&H3;}^441q8NqQMXi2uy=H(tv4bcrXN}5dzalf@#42emoo; z95ggSY@9+gH1c4uB$z{ zQxJ^w!Gqd1&%D z>9aZb%lJ52!8EO4a4QeER+K|oR{Eu!rm42Lk(R~_8ACZ~J3}pfeKiMf%cozg1iyxH ze-9IPHZ%x%_cqE+H_iV|t(s7+gHTx@L;;d@FgtvYQ>ITpZ0cg4b;BElV5D+v30u9lChQOd99#A(A&5#gi5<`-pNqNwu z8fZ}s)U8G{qz#(X1}*+O(kvPR7Y#v+mcT_z(4qry(E-%$K(px%9C8P3V#puZ{sXT& zAJCl-Y|RIC=Yxjw0Ymw~p?uJ0IPRuD<_J0r2W`dy4_aiHT&{KGGx!|$NOd{ApX zO?N)cP(Dp-KDhe}xcfV}8*}oVr~A85>v!$$@7k^34O_p*4V7a}R^cs{0Tyd zesWF2K{FLJtBruYdcbBk;IJF8+Vt>mJ^f`F=nz41*$uevB)l8~+_sZncGKK<(_D6g z?=dt4xE})E4}mU+Xzqt-E++x^7+S=PT&O!=Z75%8C|`aEb5h1LR3JtJa;bJ(REAns3;hZ`hjurMoPDvbA=yyLEGM z@o;nT^78Wj9z*v~JYp?O3=nu|YwBQ{m>+;n9Y+~+3CluVMG+8<$Eb>F;M%-Yw!y{( ziiD}+8KzBa>Gb-wnu3$-6LBG7OdCfP;NAiN_&3*w|qw&-?PJPf@oX;#l ze01A`0)7L(O)Xvpf$WQar+iopf7QMAgSh&`5BAS-*6hf#rl|` ztYzuVNrP+PsMW;9=x9@4x&1K7iECPq_>U0dW4)p}xk4TbdRvxW4HvJv(Xj2_B)on9 zp~j`n@0g>fpuxLV-8!qpdgq0kdH1Z-`OOyQBB?eImLh;m4mU}TCHc4J`>bdHYcP-n z+jDt}?*G5FsuFy}+eY@kewfD2)RlLvzalQ?$?RP+IrQwg0^lbE!$lQ{H35Hs6rKvbe6HFK|I2;UGD58mK~b4%2Pq9K(Ab z1rDYl#tfZ393wV7SZP)n)2&$@3dtSn%RSWaBNF)>Ux4;c*aW*Bf8Hw-h@ z2jF0oDA+8q4l~LBJ0&if|F@@95q0jc|F?+Zr{=)GCg;M`#K2yW4woj?r>Fm!a@rI3 zA`@0NIG~}m!Ra@?efHu?JdkBQFfprQDQ=VVr;Rm5T8bCCX~h?eF-#BJ>p2Bftyo6- z-Y!SWj^#uJB5zzqrnQx#F(79Rjw}36se9767vZpsKU%Md&(7_~A0y0N4%-!-{hXIf zo_`nn=PqGnTOMe_i8T5xyD)=5X2!2y`-U@imit2}{<+;A8?KZAV(4!|!mdBoEW}AK#w1oxoD8${=%;5 zD!Pl@K2wC%P3DZ7CZ#f5{&Pp^aJioCso8ls7q?%ca)|B4d17Hcj7%2n7#6v;YN;(5 znUUQD8{||jS^cwV=}(7z#8TUS%a#AQ(*r${U>S6Wv8qY?fqQcIxXRA8LXlFou9St?a_R0x9K$b@n93n}d8a;VKovt^Uo*E$&Bf47f`@grkCR8D#&H@Zk^7f;nX;@P0_^5O z=q9;Fu+wMXah!1)3i_U-UxAp&{McT;J+;lQR$ue7Br|~`a(^cz#3lhVEGM=Kb(E-V 
zx`}(wPD1Xky?#EqeTKQ=!GkSb26bnoJ}h=)9a}r4 zQ3rXVx`#0WKDH0-Oa(~G5b7#^ojxShT$YEV_9c{W;J0k-vsHXXd6rizRLNg8x)cZI zy(j$__D;aPY}kVTWN_5`p3M<1%Gq#~L^W^`m^9)-$8%jY2-}Y#7VO25hNnp-$ThckR!P(Ayx9Ui$Vb;Bu z$$ToI!ip^&A$NijU91T4xWD@SPC#5nr!WekIk4{b`7^~DT8L}y!eaeb23`7-5s86K2@Xn2Fm&)<@D1{N2wuv>+lz)UtxhD(lwM@amrdU&BR zH0XDgG*&cNc;udKnAX;JH~a_t=t((x<=4RRoqoW~(*k!pjRk38*s%mC{(DK z*<-TIy~d@<9Hui}>R(!jy67_Mjd-mZ?*I^Czk@Y$boub#3Y`v8RYOe9exTn<59a1p zDWBE4hlS~K7)Ky%nk{NFvi2OJEJ*(*eZE_GihXQM77`dMr+v2@KtGY})tfwC^4^4? z4}NrbrYIfLyk38TUU~CWnOQkp6Uo1Ae*$B3OJZMgEj<_J8I=~_W zvV01^m!eEG8OPCk7?K>AyxeudZD}?=(<|9Ra5^o8&qIZg&JJYHhO%)|=DG7-A`RA- zXg4gN;-3@fDkDmaeOxf>Z!k^B)f$v-!_jvJ>F28Ty3Mb>!YNe#ZDdA!Wdz3Uqk};q z4d=TWdF>%*dF#Y`an|dfvK>sg3Vzs4$KdKMyVkH`N4GDkusCD9jAzkq{@BDj23lkh zdH=xx(*qo>S>#_F92YLxx)zfSKR{q%Cg?>J zqJLVyF;ELlv!c)!!a*g>{Is^-%vMu}x}fA{hog>gY#GPJF^mW@ML9V}D&APfz)Bli zjTC4Q)MQ)6xE2#|Uw6OSI7mr*HWh7VTK^_KYK%bit+mvG^z-)tL;6OUeT+}zml6dfEUr-4FF zGtg9gHm97z_HckVa)2zdEGo|yt5*C6mx2jGe9m^`%#C4mRTrY)rzD@? z#X-_0m{m!)Uh}<;5*<{cpQ7lI0Q|FvG$>jLk;d62zwox?muIxhldRZByYK=?mD2F< z_n?uSRGNU5P&*2Iji>D@3Yb~Cl0_>ZGKD96M*@(Kj~{b1%&a{~;>}$?`&+|W@ZqV% zlQYf=Dy&6gj5mOO-Wxv2gE*MSc0B|xT^olhK9O13nJXq$bc~MV$RR19MSPa1`%iaf zz~7$`R#%_}g;uN*h1f0OfeixI*H*t1@_KUA%i=7yai2JBk!h@r$p3?l!Qhd$d;7`F zv|4U6{(7ZDgVXl$=n4CvQX9jz$9Pftf*NT)xOQW8^h=mg1OoxsPB(B#Hb0yo;osDS z!y24qg4t5PGK(ra@BPpXFh>{C2h!s)+g%<1EONsf;&s0Jp3>JhC@Yh2kmu{mfLH2X z6*7|7+Nm$QQr{Qq;lz5YR@~focZewBJ_Xt8AT-lQc3=2-rKHk-RcD{ny}a_{?0i~k z4WNtNLCP^Q;{L;|*toN2(2r`@=b+u>aO;@A3jKRxGNaZdhztBYPOzj9`4{v1!tw>c#JlfaA%{LpFCh>A=53cic!gmv>>t7oyz%~lb(8RK>0KHB@@iqO*MK}fh@ z06l z+B0LMHnFI!57Q7iR$UoR|H7{50665u^jro-8_M>#2SlWeYqa9G&9{Jm@Vu<6l_~9g z@M=0c6mK`#F-lA6KbOHJi!Owo4?@%z@n&kp%(at?`3vH%%x$Y!*!7`bsa{#UsHDFYXs%~sMrs#G)pu>%EFYn2H7MFFftvk*>=YnRmSqYK>j|ffN zwHbx;zZ|XyotsE~o?rHm;J3l6H#&r4IE}Z@)}QXKqk~XvKdY(Hb1~Q37isMBqOMHe z{RWc`JywPop6fKc_s3{qIv1!o3ZFdyAiWs^vxIq!mK$)kkBt}0L6*m9l+;T8gB7U? 
zl~m)}Ng3&B(R}a5$LISf4f%pjb!WiK{Ou)JY*&iu|t*p5}+NJDGu01Qj zMxv;lop_&oaAn~w|Mgg3h}Hp}>gEWmf*N_;5JS18dI?M>cGrrY%4Apks8p4~XnJHF z_;nYup9Z&UMy8Oi+F53*Uv7SNJ#WS;jY=JaWgb>|lpeAjjW+&yz6R%fn@%z4E<$nk z7gPUT?^mgDHNz)DoR0dQ^!CJXjM1Zmfmk}|VtVOzi_}}vBQDW2ecwWtc?-y# zS8XU6D|vcX!tcs5T56^64I;JYJ^cSmENo^NATF93jVe3m7UUh=QiJ}gw2L*_wn#qp zaFN+lX^1{hQ4M|pb}2OXR|=_6ZT!!N!@*_+P|w)50{-po!17Fy90+iax^$?=gXckK z=97tv5mVj*mmc)L3Z7%$Kw54-x3Z!cutlK)2we_^q|(QArI>R70@!#!3MX% z8>=a`b?YYcQu$E9lBK>0wHABPXOpq) zwjYqNb#KwC)8)Sr2M341kpA6=)ni!CaEprkb@FJ;!u^U7r{}UEmyq2E?9})YPpqAB zItLdSMg9K+{sM7{Zy|3S>=!>-CBmQo7@vqLdT!pzf8BU{3J=`hh2EpGmfBihLhFsn zCimxpuw_vw$Y3A-q)jq*GwCy{8iKPPO6PxtT{|rbr7I|7_CaRFzgM;1VlrG;z-YJX z`(4@nez!{cC3oeopu@_0r;hZt=cuhYD0=76c0VS1%c2tJ(Y2KO^&Pyg57G+vTW)a;#L^yK@*-XyvcLbg@=j9&w{{?{%UJ!4u8E@qS7Uio z<8TH>f%~qxER=lFi&t2&8npRih}oc~S+CRFpwnh4NU;E~iGp6;Ys8LR^xVJ5Va9re zE>2zStBozQ>t+bv(>47%Wg6(~=*Xut+wgW~+O~0G$Hp+-VH-c?gHzxcS0A2W1@QNI zE57DY?V|~TSR)J*0BbhAY&HkfZZG&y$WYKDc+~Cc=1e`@q(?ZGI{h+@e*pKa?)qgSVbIud9#eJ+%unV;hPb49T9# zPsR^77ou*zz%ISd2_iw^mPcpfasM55o_eB3CtrpW$q+@)V;)KBbVlG-EjbQ1hOY*o8;FIekf4nY2-v_36-L z#$gf*`8Y*G$*IVg#UE;o|=MoKaN)W_5E&C9>?eUAg zykPzg?CCo<6Ag&%tyok1w>w}G9Gr4r-1%jsx;^U-Zq=65G7dtcW=kvuXBPpL(AdKT z^CDdD$zkf)uCdi#@>`qZb!uVt%|(5?r}YPp1OeF6jbXk*#=KKz_c(x~_p{(2zoTIJBP#>J0L8Dou&ET1o!X@`vSv1Zfsg3a6*PeUVz$SlLpHa1A z^??4y^offAqe<)BH23pHKcYu`A8C&oD(jLW-r;O>91c|m+x#oQj#;xO;D(y^+5R7X z&;yPimU1r2pYPO~Qd5VRRj)@N`$m7N->+|to3809S9N}ht}wh#=88o$j(L3Olqw>~ z9GG$GiRCyT`A?aG*lK90GB0hNn!pb?lZDb|Wlk|v-%L-(9O{f2uE`kJqAdZ*86a)|wyb_um4bs4SNc)v|v?wv}^GqFzB4 z|Lc7}>uhgz`RMwif7u-KQ}EIGfp@Csm8i6Far-WH<|MvmP0Bv$NSdHI zr{g<~(F#oZ_y=yX$KdWwC&&n$Tn^%|@S60TVAF(aJiCIc^!1%?u?hC@AaU{f^yFOo z&_O06nD5!QoUx|lUMqtN%}V*?@omJGy;Zee3NFfB29Imivc}=F=W_r7XZ-DfE@K z*^24EjkSEJr#&(GC6Y~1l-Q_ujvVsf@0O>dqtEu3iE7^uxPSWGuDSt|98!RSc+=lI zd-~SYV6PkJ9pmT`{PwR8B8|erpaB-_mn_*MaH){e-|C**RRv;>FaMT|WRQ*U@~HVN zlHk}n@sT_}<5ldq+n2rlaXfVxPb{!tW@p@i!da}Cp4`~4(7^FX{12K%e+d2+gyh~I 
z+a&FV^iMrEP;(qK+C^H8?u}EDTPtOqrMoa&{xLL%kB+XaBa!x!{$I$eO^oLb9P9GX_e%DR5Xt6wi251h2~bagq^YJ#z_ zn;)z_C&M5R7GuQY8R6v6@<=9U?bN^sH6!_JKf{AU>)4=oy1!=cKq>XYVWuR!Q`IvA zBNmlo)7G%y`fo3GAM#V|-fb;9d7e7IGy5-7#({u`&?oRwGkQaiPbk5cN;r#mgoq*9 zN)ln6($+QW?BpzVZ|&>aNXSa%*EvGUa2=5HC~WZPjnPbQSF-nGE!~$%A+^t}$($T^ zTaBDK`1NkqbCL@?;NNXymyn^;$;wCBdg*KevDh0i9`I!VB0Z|96@eNR^P zV!ND$>do9whZWM@w&h~}0T@g%tH3f5q}z?1r+xPpivv8a_5{0#T^tGqTx{8Y?j{{! zFF!x2JarKeyhlp$D1JiE2Q}P4h}hP5=#y7%eFvQAL{bEm{5g`e!P~TN_x+AI;xjci!YyYU?rwK>d=I6W z`<*Rm%gj-_*EL#m`u=+LZ~ZO-+dWQO59MHc&9Bl;#19u5J-7M?_nDKkxDMnhtBzZD zwjPV>8x6YWX7(9|L&c3`BgUR+n#-?Ze?rv2Zntf63LU*bNubF2i8+5KDclGV2)ZfR za`wiI>bKjdtKbb;$ZR=rcK`g71^2MCfTKrDowV0@w^p}p^>bBuSIQpkdu7f6t+a^ z+_HeguD&8}eOu50kyZi&6D=J*J)b0PO?vvs5Q{JxIa%KSrDSuHR8ZwUa)?&Mhy4M| z>*;(f_EkvNHsvIfCpp0s1n-vaS~>oDEE4ld2B)|uaIB%7MS_B8lIrPtSV287) zY@xB={lco5^%1RBOz6Fga9xCm)Sg;ohr&cf;+umn{+uCeh5NIB)oWctrf?Gpzrr@F zRNSK{bZq`_5%%moN$;>W%O;wWehK_k&^FCEog|z-;U=E|ecNmSBQu#BOd zvly>d20Wl(Ec<)k)y!lCfAn}$qg%B(Jm|&Aes@mlyIQhez3{q%Ba^VdvE)>nqe2qTGZkMd`C^6=do%={bTRl2SH$k8~2QCOdDB~jiXq_4I4jU0_75Tz}ej1rn3+hA` zJ{P?$zRuz@;pU4A8V1w>V(knS9|Zbk=0gxEK&(}Q3Qav_YMGKm(bQ& z;tWMN#tj}bU+VDqEPHba>7D@$7KGyl`ks=?^KIOFNr7H^lc=cJj_m!)!Pfs_C*?N>84<>gGCy=Cy6-q3ia@DRQD%muHW(LRu zn%?goG}`pJ%%DjbK6e!F{EDvgwae3IdL~Tl`R*XFN3LBNAw9w>=jRk_YDq6A4M3{n>ZRma)X2z8gY0B zI+zb_5kFw+6)?50WBJg>s-)ggCs&n1n#z0s;D_0;xEMWk0*Qd$9V4!-6CA3~Gypre z^`@uvPj>LBtnu4|WcuxVtM7;=X=>1`pz8m+(B$iWzNflPHR8JqwIiA~G}9Ijm@wMS z=9u=`!oIYKl*_@v{}hj@SUaq3nARq1TWRl$$8xisTe}Fp~xOv}Dh$5MCXEwt$x()B+~(7Qis?Gv)@uHP?TRLp5*U;OkIb+q&R5pSLuHIzo&;H6!}eGd4t&L@bKn=^l+02KgpZ*$K zwea%Ee;|tgxTjZ8xF?e@=~u)N>UMN5v2w36f`~du^`zc5JcX;z!Tn}|RDY2=b~@A~ zSU>V3-F?{N>!Rb_A*(rpDfp)y_*8jRK9d=ZBSecKLnzqe7Q*;&u~ofM{JccUzuyK? 
zEcWvPaG6r>OafWLezOzVW=NQFwpnmsZ|&iEy`A4TQ+-swvP$Ag(x*4yo=BWKwRf^4 zC`%f|R6cJ-Lj0W@?(f|TtEX4`$y@fS@=HklJ*iBX+)jo}6RN4Yg)kyXu%8)wI9nlG zJaxanOv)0l{p@Df^+>?viNh&E9vi3Zj1idw;@&a!l^(43K$w+y~bxVR2T zHnTgdYwzakNc^L!DCt;}eIYdq*I;vWM_BpCU~D}c`-~aqL#OdZoM?zV;{ifja?RIs ztSYkfuEfuGH#k*T_righBdxue(`cbDWidB0m{DXoX4Jk-2S3Zx7HjgyWGa3P769I* zoxk^&a{AHD$qDohalg5<*^zH`^8-!1l0cf8Sv*bdR#)yti+b*_bJ-|nsK7`ZTDw@TZJ7S!gI=;phwe;e;>ZsX+J zkx!~BWCJzy{#BU@ztrJc@8H%lj1qIDm%+W50PMKlBlVm;06IVRzl!g>a7)o4{d7M( z8g`Q{`~W*YPpp*XswL=4Rs98UH^u3{`$XrzZR=I2CT~f9m?3RV$#CQk4|gZHKY`!h ztp^2pyJHRLRh3vN;4JvVpcWb(baX&%`o@$cC!lsK zIjNLXN4Vqz<=%Qc9ZBE#!PocAn+YCTB-uk3(ES%PiI(yOP=YTj1|YI!;p!jB106c7 zOuhy`pi$uW?FPuIcO{l&HFftD#^twh@322<&W){B&a4Mr%?;mIZwOL7&*mW<>0h3D zjxNbUomC^V91$lsF@ z4VIb@+Fu5rF^4 zC{7$jep2EZQM~6smQ4m-shh%y*4~e>Y%MplNh;OUHeHp5UnKjP{y z{{A8|;Qo&mH6mzjtna7DjLl=v0Nx*y5eDm=t1L!8)RfxNy``;?!c^l& zq=4=6_?yRu0~AITkT2Tb($pgSLX<}24#U3s^(T%PpM-KWfBJTd8XB)n_7X7Oe_%u(QJ9@v;`uinTq7!^f6fC zER#lcS;SpgvVs=L!$9-=2bFkoTXTb_VU{z3k@8%uYCx-eL8>UOjVUwYj@(_y5V!Mh z5lGj0Ds$l>~psBGCLDsPu(F|Z81iw#Zx)Y3<{X;iP= zPR0xr@<}t6`KDNHouI|UjMxs7=v;!bGRkzAe|#cd#{44$fF z^P+7xz0@MuW;CYUZK3sOTR}E54#4}+E2rsoQOYpW1G_^KZBN(jpOcszu*!^2J27nl#5y$x1~;f4FvEd?vT zBU99Jq?0s>_O7~a4S~DFd?7D(tsi}N(!f#eg+s}^Orbd{k0;^8k3@^ld`;SuBbp@U z=Op8w9EGEj4RJcCx%J($XHm6Y20zD7!^D_11K8w#K#{kzyWc`KDDA!F^2YOS)A;Yg zBTMm%n*r+2ZwBCRVSRrcN-CcSOG!yJy!EA>EY5=uRPL0OO?De-8}Z(JgUbF|eMg{P z|5cz4GEyg|_WLW^@z}b$@?>DScW{Yl93J{pTHE21M*asCW*SdY+jDAfehsmNsYwqy zk%+_uRRsQQ04{zh1wSVR+|l2BlGatKniM}|{GscPDobr363Qs7*?fg{B8&XGU%=HT%;(c|Vca!}sezj3G4;pcX8kr3d zK-g11Y8@+RJ&+WNf$6SW=4(@AW)#}Lzmd1vA8zGl>&iiXB>nChWD`+>*HO-vtbph% z{=~o4guNlkDIEvmgP=?EKVE)Ksb?(4%+%Mo9ilf>N zU;VQiB5Et|M(|??vVNYIs?2HL_=n&Ya;(U8Nub!C{?t8Gg|}=IbgoB^E;e3N^X-J{ zI`Z|!CwoWIqF1gzWFXdKSf^3h`i(|@r_QGesMkyOi-t_k>PBquJVkl)cc}Xg=>itEpY=0jIV3sJ(t!fspDP<@HpnZ!QpU1<0+Z^JBHB%=IR zI^~4Li>k8+8Yftv>uN@9ls`iqc1&0QeluC?$0O9s#*E~lIPD6gwiL)F{4v+_s~#cc zFx)VMAeY=R^q)zWsATDxcAK;9ccriQ9x 
zP^ltf=eQ&g_~D2T$h`bb(V3K?xkf{pN;|flLa73MTDEV*OI>1P{&82cx^lFTiI(2P z^sf0-uooRNip1Xr`@i4X?o-Z1HW?K=--d^e`ms68h&u(k9ycEb1m(PCc-%P#*>wOP z5zdRCqZxbXfNy%~h9Q|`T=YL%WV1)(alHyeK)y)65%@~N)ETiE!|r^%Sy-?2kJk=h zAE?^yHg088c?9-$4%Ld-qgU?lNmw$W9AcmO@&8$F8=a=ef@(v=7Xf&A+4b5vsOY0 z+&OVrgCQ#Y)U3ri>wZ3n?I%Q^H|*2Q#^sPK8gHyL_$+gQ9Sc}<9G7JY{*+zYigcVe zybcbyMtoV42%S$SP}@XewHM`5o!}{dKfV$&;a**0K-iD$uJyoUdBgBjST+k!QMzHK zFH?JB=12TkLO2y>zC9%@TrIR*q>xl*0PrC@(x&jwfs)8hJ-KBah_AxZQ z#`d4k$ryR{v;hs66oTnP)Bn3u^Eo8+SGB1GX?Zi-$f1syMpJ#Hvy`w^n| z?1jV4L!S1ks@LI9NKGro1V=nW%;ly=BsgdSJ`6;*$gv#;=^WJ=6RHmN#a&P1M; zZ*W^PEL=4Iv$qd0Lhh4DO|*u8F3ZZcjE4Q;^M)M#_HI1NpU~O_5w!@9Q9#mqo^2d8 zb8>HQwEx|w(-L!=h64Qq`8iu>~~Q6sREd zPYAwS5Y*+NRRvz)zL|P+AiQlg&H!zbR({9F*$;={hUw4KwwkZMBN*ihIV9!xJ5&|B%dt#2*y^k=(PWhdJRV(#E< zKc?ioqAtpD|FNLaeeM@CyvrYT(%EgX6D8a7@#Mge*F!#Mstz>$;zZ9XrykuFqXUKU zspJ@#-x8wfypG5OT3rD}Dv?7}Kb~@t{fKYo9$K;(d+E}5)`jRR&wTVE1ez=Q#Kd3j z3ltRa^$WjkyZIjk|F7hA!9;xo)dUJzy(|e|hLGRU1*mrtbXUdNq#9u9_fwp!kUfP^ zm6bmM_ZwzH6L0nVK^0Ghbl{(%Aj}Le#qrYvHj6UxS2bjjg9R-W>mSgY*-W-f*1!UqiR{) za$Y{habXN!5trX$_sY`HQ70i~7T-vJwc}Ws*-D3!AEZq3dn4eaK3qg%RA?;f$r*Vf;Jp z-VmAsDSO|TuJkDK{Br{dFvp5!s@R|Qqz!b~mMhe21^1Afn682x7SVaKr_vPXfb6NH z(aZkYC?B7c|A?{B$BMP%Ln*yqys5`~U@OgH)NQKDRZ3i4}(l5 z4eL~&&kJ~cijY$*A%vUVvdL8V%W&Cw%lF1a(^0M&pC5fc`lt;~elIUKKs(vSP{~ae zLd8Fu{vayr{(IML--Uu#XJi%o!5_NAp*P1g?mwsS-#&F3xTLbQdMOAAA`;8(vHJZn z^lBT(&QI$q471Xrcg@bzUQxI_>%4_rVEM#cBO41Za)5t%o68SUu$k5bO2eVd86jbk zFTGTX58AOaP8o7PFfSuRboPgsQd#kK$u^Xyro63wqjVFX`;0|b=Mu71rk^hcStnGL zxX8YE(59SWA|4?;AUzO>TI{V^EV@vs`=SHZb;=@tk-hwh2Qt%R!g63iJuI}J8K`lB)aw- z?8EaaAQ%m!AzJqI+l@Z7?Tg7gq@c2m2I{_wqdZGFV%9ZzRMGyv)}CDz|MfGGns8{0 zS$@LpQICtv*~HYtQ)t<~(tF&t>%}I%P$BZy@YNjpfHctQZjadW@bf9AVZUYVZ3v9> zVwckEo8*-8TN({dr^cn89H{QLkq9=7B&c^-Zcy)64E?5xh~>9oenuwDY#rZ5eZ(gC z8a>EYK4uoq0$1b1zUldh$76HyA>oT~%=$$k(ZoBsSs@`7a+eO8fJDx)A9T-Uz}tiu zBYwi+PIiYzBgFHGc)Of2SIOJBMr|Xq5q>iQng; zt=Zi4tRb?0u-G@Img*iRYM0)-cJ4TcQ0qOSTWu{Ln%*3WC1HcKjv?N&@qB`Da|_^0 
z-%YzmRraq03k(PznI?)rTG3o)Htfa=2VXX~fSR^I!mw{9HdUU)DBW6`jgsF^IVXlb zqm!Gep;+M-y86d^j$$GW0o4Yqy7(l}Z|mN4dbL=KAdms>p3U5@lJG+%AHwx0$)jId zz~Ah&fnG{9UcBRoSfCgSE<0&;{F&KDs_<|Et@BBf4l(j$i=#%(-|#Qu2FXu$dm|zR z*OfNK@}NC%EWC1+($^2pOQO!oQXc)<4l#Z7c{l4XfV{`1W4&gA7p-$V-9gKgL|1ts zS2dh*Iay}@cOY$#&YkLw*~X(CNP;PeMcL32t3$yE#YRZ0jZs^bdJm`8B5n*v7%x7$ zxVW68sAm3(Xme@+X!Hf;%Cq~M@ZFHYx}1U=-Z^SslFPk+E^?Ak6NpRNAmx37zYbY3 z;+7@mi1Qi#VZ}b2OU%I&d!(p-j0I*{hM;~sP|z~!%fmR-zP3(_g-2e$VQwJByH(r7 zZ#Iwjw26INd&y9?sSgtgYLS2S2}aNOm<*wPz2k9X&K+&W^3+itF500$$jo3~r{e99 z2n#e5D$Z9%H$Niqn|$Hd-7XDhQdQ(i zh=-}Rf`-f)kvsaksUQ2)g>{p%Z$TWIet8*XKehr{S1d?}usN$~qlHBMZz&w{bFfn0 zd3pB;YT$*Z2SZo7&F9x1YP`|lD2iVL2ll;ddFDAAHJb4!yDEMj^q34d)ZriHoRLt! zjN?u@|8*HaUiZeAVV3Ag-d%7Y@;6f%ZwxH&Gg`m*#Fj0SDGUF@85qQzF`&PoB;BuD`8Q0$=o-$2zN{ILrRrWFpv21fP z{ROhV;l8&o-Rh%QB>EEpru;9Xcm;8o2rL$SSKld}&|d0KDK^yLBn{AoAGGuy@;}+Y zyR{do@JB15&zP!jKKTMK3T_t#Zj{M}5t*XG5HAOLjuWWTFq*aIwgtYd=f}l$3BbhJ z>zVvB=t`C9)AAt1ZQN#tNSQ$jj9uajHW2|f3~g12mpcI$t2Yv!teaDXotjvJN#Q=MAsG51r2oMyb;PXOuVccmp+_Sn5`FEx23pF9;>mh#ckCdR?~kja zaxyVHdLx3oA{vT&wj0--R-_B|QkCCME>&4VDY7}DS&s;84Nht$d>l8=OMFJ>>40~- z58OC>A8dO6^&Mi7Po#fxTZOA=YViGF=IfHiHX^BFnPnxq$)h6iz|#HytL-e~qWYqK zPp3$?bf^p^B}g~Y-7s_wDP2Q{G)RfkAkEMXLka>)2}4SWl1lf$J@|iK-21%0ug~oH zti8_OYwxqy+TWivW1R*(T54;RnD&^X9OF8}>y~)gl*6n>x=!>ftT02B{0KI_GBpkR z7$#@$3B|yX(T_#l>jCN@YAFOys{|o8L3kaNLqC904pwMSt$K!w;w|c(3)y|8@oLc> zWUXcrDEG8|HagwaCM=w7R?GR=K3T7lWuRK5@C!&(8J$?kw5p8Sh4JUC8%+w_#q7zK zaA?Lds0(^F2x;{czkJF`A;w68>h2s)gvPLin;GkuMuEB7n`o(%7x-$_n+S^jCc=Yk zs49 z$+5Pz+(E<9{ABb>l7QT9=4lfZuV%4chBZ zoST~%eZOBn%g|+DCZJch@brE=>8W2Yacz)k=GnW?ql8SxJ~y8W3yZPtq&QRGcuS`$ zliaZ6%IiTEipZZs-Emy$4eO8I7m^SZpMr-*lW4!@@F7}XLa8OmI8dAJY(u6@S-Vm( z1d609?#vun?`i(d++mr+qs#m`b_qvLL6SNr8ai2!5+@4e)5FJTYaw@=>sqRomA72P z+3wC+u;)3tu|H#XqKNkpT}4*$u%7rN$zHn5Ch>&EJV9eqq`7C{-nVYTDvMq_M#8;r z1}>z5-J=giT@HF1Z>F33e}bA&?q~6+@Rky-C^i~d4e@T7`m9rSqCyXbm_AJ#=@PlF zsj$XZgXO!*=Xi6zv1(|_K({Ctf?vLW!m<99mDd89^IDklEsnm2sqqGTJu2%db`MF% 
zIsJ!w4p2V3UQ8bN@(h=7Vi8j4`>q1YMvm)!eLv`75P!D!+%|-&T*D!mtrS{%CuQ-o zyQoR4@%>b3#?oQk-N1l=GDy_8>$KP@v)0EE&bM_@cpWO-C}lAq6qjF-HXi+JR0lR1 zU0QNuzm)n04SUQejGT}sY;#B6XdL#Dbm*`Ap#$ew>Zz$dRMI{&=Ie@kUD}|eT=bsY z+qa;Q0@C*bKX_(8#IFf&PQtn_*@ws%8KizrA79VvIETXNi}pt8;(*M(0Z3n=MIwCd z%3CPiJn%zlSqno((u#g^a#NaX6%PG=`|8}v?oebJbgqBqPb2Kk z+GtpjuCkSYJJ64o#RF$tW_BiRaInl@UbSf$cq-%a? zGZ7d@C@U^+`QCUPof-b5pl4VP-@>@IUN|%zeV`0ns`<8_@>Kd%n(eIwsYUH!RP!lB z8(nD}M#AzQjjd_5eb|aCS-;A}9S7bqgFgX_qg4jODdzk(&AID#N)W$Hs)55^JaNlh znEvcU4vFeFnp}zrs2Nb{EZPS)!HE-=1`ut4n%$w#mU)3X%uUp}q z8d*APTreo@#dFH0`F*(kT-36w@(H$2^b3{3wU{0hT+%wA|>Rb-nXcq$PQX#!2=HJCh$4#Jq`n(Ne?mI zred&*lkUsK z>ka1C7#Dk+ht9y~#)@PMLJA(Y3mLniy?(|o+I6dMT{UakjA-V|m+WvLQINXS>uQ-L z>1dct#QKpqJ?U7%#2yR7&BRJyF^|G7$$e+jhI1t-aGXs0wkORAm{&a}-R?sYBusbB zbV!c17ZZiFvZX24Xh@FsTaRr-306urnEZ3?=ce-W=(XvlAz06%_!9yNyw*>^FgQr) zJ=0f3`7%W4aGET>wJWM86s`oH(;c08%VJpFvugTW^vZm|`g%9xXRy}&ECCS;)12cr z+DCpSe56>V0+18V1;30HF!>uhl(XXKZS^D9@Ig}F|dbT zgtA@>ie0_7HvaxL)x`iFP-}i!PEjpVxe1;<#VdMx*26la5HN zC{iGWfMcmJDzQjQ#dY;@bk*+y=_1BrVfEgLv2DY~lr$shKa`<_CX51-7n}eyocX#^N6r!5_lZXY?xw=t& zR`z9g>n5P=aN7OX{0LA2IrFz}ZgpAP03UjM!&FEeWcuA&99_r{_qDy>#G8zrUTqBT zKlb-}Kc}L^acGC(qYcX5TfXHv>JBJFC192z_~&wPJLG1}2Wg;HV-s)2U>1}4npIP( zALbHmKg)WpM^2Jbbn65U?8kIY#>qGECNN~2pZzd9Q2d@#V8ht>m5}zgoZ073o^aI& zw1)AUOvar5234sn)IZv1(&>;64D!frZ=sQ@TYcRADg5m1a7tbUw=H`cjNWgq&3_ul zcRs3Q-8{qR6coY->`xN0)dHLYus$(E8STn_4B_kop^>+h&s>Or^@Az_(F}(C*op0I z0XyyH@?lf&6mHL^PyUvMs4{?2lS`4KWTKo5fM1zpR1=0a+4ITXc`EKyQXN4DIa zcbx7-COcfgtZr6HVUzbKN7+C~bLH~B4Rv7KV-gc>pu8fzQ%eG4V(05nFdnjwRFbqk z#*;lvayr?Y$KO(JJbL%iK|9mT&$t!6Q=pCiO3w~q~S zCSOI52|EZ@<%=vi1an1l$$xzveo!pWK-n%eNjngh|9fn*i?>fFna7}v4mnDQTPmi9 zw=BGgZ58blb5_Neo1oBG^)t;01+^cj)U$l*y`0;1SLN1v+erP$d?m|GLku2`mz7f) zQeB`vyr~G|_tD!iD7Dje}x^xwZBIBhZ2|WgR`HIi?61Ba$L8-zaDru z;&dS^ChNbDwbaQtK73P9@P+ynT69n|pO_T2MX$OpqW4iE1JM&TQBB;Um!xOlC^a@~ zDygGwgu`9cc8Bp9_~4t#v1G8dNiS^uWhOIJ%DvUtCF@zI@>2Mawt)5q{M&Q%rU3P} znS)4~gI{vv#qeHv{gxyf#R5{!igyG%Ra}1eHkMO^%v57y44ft@BKpC}pGYs|_U%q; 
z>=i=Je{YOtoO@FYae(LyQ?C#89&fzFF%#M(k0=TWbMGyG`!2UhJC6g?_2admUHRZ$ zsC&=%#$>$)_V=h{AE0LpJ^HsG$t7?`*4(40VNLj)-gO3CWBG368-Ij_rPO+LIrobj zAot7xu_{$UxZH@>tRZlxl*DV?dP%0<`)3}3cI2hZmuTJmJAC&73G%oaWlJv#Xe@h~ z=R5RnzhB%V4yPZ7M{(HVgt-&HOKG8@5M}i^`mb&&auT-0~0%Ipi7&b zuU5wsS6R=hu;6JJ=zHR2K-~}1IF_w36+A6(g_AP=e8vgt_8k4lIJG<@_?c*z*V}{d zwDNV{>&qH&3Ok@QyS7|&a8@%$sw?(&rA()Fe6navjKTs6xn@F*tP;|INC&d@S7|G^E4{q8e#F^V4*{!xXoSQ4~mx`@UTnMT0xQU2Su=gGlm*U=G zd5x_6W#EQp(5*pS!1jodm(PO#JGA+okrBn7-N`WJ-QjKdmsbXw`_ovlreuA;@+*IF zP2o{?OR{b%v{|X{VfjlkxjU3viiW#<>3TBPI3Wf13An9#wq8$A?qdqa+x2=U(y)Tc z`gQ`3iNEi(;+p_ zWza%3y7f%1$(<WE)j3(;sdGY|B(C*@+CexE`3(3Lg_vv+`* z3Q@CIz!|_7-x8%q9XsCo`RGb-2ac!Dnv3Ph4LTC|SPs>T!YI+MbJ%*48<&`j53B2u zPBH3o2kv6~QxumgqLdnPbJMVU`M*9_!X53p6!miZakCvcDqJ}`NDxHd?@nx}oVM|2 zE$jNNX;ZFWa@Ugl!lG#W!S72%PC@b9=5T7^qCYZc5{2Y9CDopREfSU3^VoJEYMo~} z0>Kgj61em45x>uP`VE4Syk<5!79j`JqM`@|_jfxFlV3N3M_|`jeGXf-%?(>`s<()n zjK7Y?v$tbGaX(PE_Y%Kk9j-)(+p@9L%D`3c7v|{~>~C8{Wgt|$x)Ig`Um5r+4w!gmMZGWe=VO;=IRr%pZ=5G6cS{J1aRfyC>< z3^~LVJj)ma;zq)IW$7rH-_L#%%8jJd?3IlqWxBrbWh@tXE#+MN%ISOB7~HwV@3ECd z@C)M$q5Ed#p0p{p?c=^Yx!TlaqQFaONkPXd<&B=};R;^NKJZFzC^xr0na!ThDP;Ht zc4k;O{V{&TFZt;m`8n%YoEzj}mw-HFIppib*?gv)ey2uq8%!HV!HkBCBeBB^D(i zA%R_EF|iEb$I;w^n*bAHaVeM@SIM)9%{>E$lZ)%Esv@a3dlYPYFQn;7<8vSqYNjTn zLLH%JX!kz=+(-8seDoA7Q0~)lhY~EMW`n|}9U^sTxOHgP_d+u&laDUrkBMQdVDD`B zWi?R*`gzUB>c-#9nZoFN*cT~egg)H7PZ=(^208; zYa(v~d)u=ojZpHMbc`Nt?XJwu;&i7BxC;&(Z?!TdRCl*6hF*8fvShHO_jFSA1yyZr z<1@V;W0cnd!WT82zO=NI-?Atw<0GOUiH^^;c2P+0UFc1rtM)2qhGuj*xky2Zj|hz# zk|iE1zCNbjl!!`Ker%Qn+q3jzyN1azw`c)g)FVh^#<5iV}JJDrVV zLi>?eJj&C>nBYpU0xW-0mt}#!@w<=pX1L!4W;L!mx^!-DkJ@bXxrd5Yu1~x zro|kF4Pfy7zJW1r4N1Fc6)ch?b4F0&6yaEIvzn?dFG;^Cj^x|)qdU4^Wo_7+bH{#8 z0qfmW37_7EZ9R&qNxqz68W6`@a4WsmV+loRz}jD_4hP+ed$fg&dXai4+-1W>^xy7~l!F{fs?DbzG$lkMj(p+5yZF zJNGtA0CI#ertj~Kb+Cy_j_E%b&K^pAFQ$ELq|Tfc?O_*wU5C*XncE$0h$(sCT z#ao0!!0QJC;L}v$BN!lBsTbP@eV2rS{k6iIRO-X0so{f^7+AGTaE`MoR!XC`-E zX;w7WG+ZSL@aywtcP9`PDd!4ZYpc)cp7|jdwX3aQk?ua@`Me*trr5QhFgIKBd_qyJ 
zsL8vT7lGHzd#Zg)UsJ%d*Lw7h)oX^{R9$J$ORn{1(@`jzx`JCXyf|Orcr88Y;nfb) zuIVX-hSY|gwdz}Ye=o6FpCs`TIXzE7k_KNXlPg8u3{>WE7as+zC-C;_2~jzeCs;h& z54_JPU?9}(+=LtB&3&|x#nJ>aQKy$ApL2c;JIIE!g_ZZEf+{trdRj_iLo(7yx7?n( zA`iUTf;lL=OMnUs-I5A=ZM3;NEInMb=@Jt!fev|`g2@avUGy#E13{j1d(X4Fupm0x zK+7f>e#-q2r5#ij-91dLAIkHCBh1*5gzKDt@S)UcnMBLY!HphkEyduA$ooDv99ebHnEp+~2c)V$K%9eIt?FMgSP8rlW>&@NUp0(`}I>c1wuk-Q2i#o|z>>ss5 z^#s{aP*s>M4qD%MdL(A$)S`c&^N%5}9*OXt>uI@j@tCZplD5N@AvHBX^ahufsVk;y zeau`UH59r^HB)YMi#Q$4tCO>n1(r15TZ1_0Bh7<6XsJX{!oxh_2%x}=XY?auR5D7Z zC=;2V+~RW~K%zF^SCWrn^F>{3l`t!rgugz6m|2HGrui?*1E?mWe}wxYvwysi1flHN zP-7h1aN(0Xb!X2lMH8WAc1nqy7ZX`N?@ND_+RroVDzX&rm^}GSPE#yV?9%B=sA57* zRGx?EwRiF*O!dB*aQ4rR0VF!f1!brhd_^m0qsD01s^rVLXJD4Y=`RwNA|g_1mi7 zIYUCB8&j~`?P>%#Oa0;_s}`YIj)d(hZdg5J1orAWqhtBlUUkWOQ^atA%viqX4YE?J zi0F~wg@UdEQ3`hq+HR%e#S1^zrtK2+OBI(TCjGCiqejSWgQ_o}|BR)XX-l zmKlsrGSs=c#ar&kze10yt(`&4j!jy`uDlYePwOie0U0x3Bz518?GZAhQtEPbI1}L7 z$9zYpP&Zp1nORcaesxrweX`Po-SL@V@Gt1Je~>Waat|Yh+){?ZoZCLTi9fXZoAwV$ zvf-yi{s^G24io%1szX3Xl-tU_i&jKwnrzihS2%@n8vyj%tuEf znhUM@_IzpdnSmP9HO;@2bG77a6TL}*0@Pd>K@#!K^LhfaY%>{>ub=Y@$0W9=;?B1- zr0wZi=BD;G{}vlMnG??p(D3Eajt;cDfLDl+#uK0pCsg>S?%Hg=@ZP0{F`l3%y72Ys zjt`%=X6u(~4)jlC7EIwuw#hX?I6wLo;j-Ax>?gQSoj<%>;92>CNX3c1U|GozMu;@Y z{gr_f%-~9UjML8%yEp|$)V!QmV_9SqCCX2R)s21*X!Z5xNW9Z2S(mWXB}?YU{S=9Ij!N}|&DEyq2@ZyPCZOqZrLFMi%G z`D5X9u8KSFx>v_|eyyc%^^S$s!)oXT49Xy zHG~L+#LG}EWVXL-q#vb!oGSerfPJRtbEeu#gk<(x~jPE zIA(*g1GQfpXJaU4-48jnqS3p49MrF3r|P)hztj$*6SQ5?GoRW>bMG{G37mB}X_V_c z3i58u5GVYJcCOdm6uR#Ta-~LlSw)@>IeQszPgz{IH$Sh58RvW-W{g9Vh=uw$nouFJ z`^Le3PMT;-nLZJ#|6h^vShg!3~JoQR(;@6A4LmL5d1uSl*9L=3V z8rt}0^Q!o6SAFH`3SyV4@bB!6hKc0pkq2rKq*2~Obg!D-FlSEiT^WAC=VrwpX(OMC z1%A}QGp`7p9p?)@;{vJ7xtO9DxA<3x2?Pz6yJwb-_*{K3`4F=BN3PU^sp++hH5f~F z^v8!g#r__!w5jS#g?t(NRGYuA8P+N+y8JtRj`3nygBR;`B zqdHXNs7zx{)xgw8RE7G1(tF3O@q!XJs%6Os5F9hw@tuiof0YVR$+fyaX7x4t3<*~) zWy#hIEK`26!}qt$RQWcf&I&Q+p|G&OF}pl)B32ZQvoDF!zX{%ZrS|wWB{wCNZLEH! 
zhBBIWq98XSr|h`^5Mwbe~uXB>X@j@buOBs6STe5*r@?r-+*k`CTTz}E z-BE4-OrF5NXu4!5vYZrv86Xe+N9lQhydV)B3Z&dQED(6%ljK)+KBhi2bt9$BhW#*3 zNc?9)DdXN>a{*tPSPLgYR4}17+(;9_5G3!D z38rkRmcQ#n-X+?3b~jvxo5xeH>zA8v<~MsJ1AUSr#<>7Pyls^!zB3*UHC4W|(RmXi zRb$Zz04hLbl)e>hZ)yb=)%Q`RK|gSS-=~nF;UO#6%RXt7N{Cc4S=`9JdD&0dUO*AA zXYs+^+1lH~#-^Ii7iCAVA}s3Wp;H;q8b`7P^)o4)>f!L&SdkPm4psz<*kd7`+fOTM zALJf8r(-p`RJ(Lva&WsG5YXZ$lMv6pdteNy6NG<{bSu&}U{Wd#vb98;F*OvNcRr%^ z-FIDFs;NnAbeY<790$$6i=gl(X0B5t(!7KRhn6%QJzX;=wDLW{t<^X|52zw zraw50dvnSJitMCMMvE=h4Pf-764!(VZp7#<-jG58id?hdq})$uCtFV@@SaDiqPcv7 zjN(V!C<1ga@#IirI8dI8sx5wJ@5nWyuZ=es-o*X*`)E>i8XCseR)s|igESI+FsWUS zF@<7&>;2a}_`K5Y!>BICDL;d#6@O*Y3XnLTauENJCKO+Y(koep$?g0LNS_zneEV9u zP2LQC44!8O|M_mD`a1)Op6UZog;0ozm;uz6U}8eGZY6@p!rohdD4@I4TD~z(s^5;# z(466+k@#9N~uak~!E}jzW?%$5wHnv6&eT#r{{Q2a7}2 z&F;s@ubd>vj&Ad~#k#dp#P`iUxCA2E14Hy$skBF;4U@UIsEfv z!%i^VLPs-D#b4`|M#wXpjIph?yC+@nB~JNKOSs6lm(8X z+q|R)6fCa=(~Z5kB|LkvNdb5p(8JgUj@vr^3h`=!L%V-9bIyMc<%kRQutEx$?2dAp zwO#%~V;y$l-&cXjRGg2g<%5Ew&$EY@O4(A@&RiuFNkeb>Io)l$lgRuUq zQKrVQce}E7$L}=vLDmb$QJ+hX%Z+<`jz=9ok7owyl^fWa(S(#?ok{;^{Z|}^9Rn1l zv6KgKK-l)J>`PfTyc|2ggv zK$tY1;Xwa@_k9X&rAp^DzL&Fxp=`ujGn$Ao%FFYNEHK5~dNc$4m?NIT0$MfgZTqnz z<5Q+Y62?CriBNj9j%z)g-g7KO}gSRyOPC0qrkHa1F-+jykz|Y5@kMEkS4{~w6x zOrG@(6(>nHQikw%mn?e8&RZ*(y4nMJO^QGf+193d-HUX^d zYa@*cb%9UyjT^?fXoYR}v~{G+#)^c^;q3#1jTF`Fo_s`2CszFuPQ9)1q5H8a^>bN} zb*NS~GENG10?-^QaFdQ_x0xN2WS5^Z*D(-JB4FOF{I&#p7 z9_U`ro#1J6cbIN~`b#QQN6de8JanWn!nAUu;gOSIaJZTxl}HQ1U(9~xQ-5xDo<14`;nKyjrg{_r!RCMd(z>ZlfSXa0G+gaW zCI#`h>*Trx^DO#xdU*2n328tn+-Jk)P!tHq1)D^?Q!veGJO z&;EirP7pyGy8e$r;Q$OXp9v~ls=-fH#Jt~u^O2R9-6w>53EUz})e6)?cVqnaWCBuz zSa{E{c4l9_WCsvww@Ca|q=l+gClD~?|CJw85)oqwm( zP27_U>{-GShAV~1>s}?O%uuO2t-PQ*;sm4^qC?xEv%WYMU&Kf1&aRud#RJdQ`+7DH zgzVnG-;Y23>Q1IPo!KMyyZ`BJxMFDf15-CPln~Vum{5+24aY9c37bt%GR5aVe2DLu z^X8L0l9PL*R@!UYd^wA${*y)HV}Id)f(VphIM;fT(TuZ{7IKSALvCg{tmWtDYTw?Q z_q10W^*qa~@;04xi*HAF)xj{Lq0Q2@3@C4V2qXJE02&+7VaLPWuNiKqmx5`RnYC-b 
z_9N`*OIN0m`y1|;FMco>wNAs-WFx80%)2%28)Vw36zkxB2*haR3e+%|fn(!OQ%Ovr zWsp0Zu!1G)Zru(y3oE{t8IoF})Ho?Mv+Cb|{(g`FL3e>-69h(8qm9=7aC@Jr^5@8p zVq>wZd>aE8W>WTyMDp;tUH)s0Wzt*!a7AAG94E$KO^1rhUbuKf=svI;Zz#i_-GO+2H9-qV5n2?z7|FfDvy4J>-&eG9bZ1(a z!7Hc*uRIf2=HV~#^Qf6EVxt`BcV8#W78+E}7n|bUK1ew2^J4%P zYn2B1EMC@!N12)+r7$AgAR#kfj1)UbN?jz67!cmM*iC37=L?!LY6(DBQ6Cx%7;}XS z8-C_KP;hFVD7~dG$PPUz^2V5U!!dXjnpYX=t~amdX}&VArfdiHxy zfZ$`|V-Dy)^%-0=mmLEmw&%DPVtw8M7MyZ*+x;;IvcD5pRfQ>-Vx4_h7=oF*8UV8BAB0{vZsl3`1ST&3IJ6t$GRk$j7I z<8VDLKC&cQI;EV*$7_oeqrO16w7_Yq0l(e;$UjcF{Z8-79%NQGtTUYNVDg^Bmlwcd z+SE%K^u_YVCn-ti@+OS;)8Yeue1fq!2lLX{t(<{2pchgG5QHA#ortg;l-tboVg-v# zcT74FfFyFd-Z!d>`m2=sw~AA(UjYt~;=ImyW~jp*saoM49hIAxE$aFc>ZIcwz?fCm zY*LNJ-7hQhp1)dMWt;pA4?5V4$?x4;A4YKRX*>ZcZvwd7lFn~Z>mG7SGn}r*&jdDbD>t1gKUkj zru8Flu@qph{D3{zKe?MrsmpK(svAq{xc4{f90n|^0M$Rguv zO3o#>Dt%E&j~QTPN3Y+*j+KYva-H1e19=sEXwgv?Vqw9Tm7g!N#apFEGxo~jLk%Wk zLEzb#5O#|B#do#h9zl0}fXVBgs5Bd}0_lY|=vR?y1*#=#23=K0+7%C{+H%`EgWPPgXp|cU~hdy&XWBuQ&OKocu-vrK%ZixIPp*S&= zUx4Y7+^kM%(>&{zd4jh4@?rbnh9mW}7hQ(z4h5~qv=7)^nR>m|fs@3&e@mvEk*8fk z>*t?B(ry5qW)SA-u(2iP| znxyIs*&qfexPF?*V!l&9 zlg8b2nYpmOIrlKJuW(S_^F8*yY;I8~;k=?2Zsb5!L9}iJp_fw67W*JRO~1pU$rQEm zB_F>c|1dP!Qp@0=r;AsvwD`Dncdkg$?QSw?6WT4b^rb5#bb-ra6IUF+qT=XXUa z3v=a=U~mZ^4UL$(LFRhBr#e+nv^?DdIRj>Gjz;Xud}-Rqfmk#choYnl8lT-Va2lF+ zL&es&B^s;&ubUMA95v<>60dz$O%C!)_@n--r~y(LqQ4p<<@&(z?~X>{-6r=L=Z2?+ za@h@;YdxiAEd&>S)Q=SAinki}9Cfb|e(mGRcU>rhikUDLcVe{$nEOozWgj8vBPS3O z-{tTejopNY6kRB2R7nb+#`DponB1B0Iei-o>B_BFy1Ri1gu&htUGzEwmW@jMgFl9C_RjTO=kIVScS)%R=X6tU!eRRTT;*sh4K>0N0?}wp(5Otj!lS@hhEHv5z;`_H z;SM4ui|1VfcXGisO5op5P&TAlQ7MgI8z*wmZ`s@#+SRJqnVMiTK)*{+5U}#D^^udc zoD?nU>NN!}O#ucZIq>Tl*MS>DE5U(s zy_fz>OhI33v0NXx-=A<&E;-MsLC>nxm0gxHz^{WcKVN6=WYIWFGE_W4eM%cR{8XtE zu?;zEzWq4}Tu|p+MKu~S$KAzJV*K);n`JH=I>CdY9(+4Lx;Q<~1FW!nTJPE~6;JNo znz}mu5b%Q71#r9+Atr6^mww^K_-clQ4cNc+noEcN8V)#v)TkR%)}f%~FjNV@i`)Ry zjn+25gD}=f&g|SRfA@lNhZGU@dpyODx@r%iFK^Z;n+gkK5LNfYO98+8_|9WBR;rA# 
z7vYOKb9S^@_486-x097pa_#uq`9qB%*E#f)^^xsN|%OgTdA%-z?nWpOI_NHWQm#fsmMJvG-SRdc= zSPS{HEqN}FBABn6X|XBt_<=b|guxBIxmOLC|Ta?RHAu0r1BM=`O{yE`(ad|8e>t~kr`!l zuNRO1)9sQ|u%J8xZNZG8mBr5C5$z(PR*Za~Mn-|a{?JVy9XKCa)x?v(>HQekSV@g3 zsF`(9|MhH9`l00}4~V%1eU$S29Yvf^7f8XTnZNR|5oj$n??QQ2#Rjh7E#EmZYqkm; z_SDCvWGnR*!W;?RS*`y$7X!yD5?cBuRe4?pIe4qf*A0#;G!-ZHtPYJY zHF}?|fLt7kLw7_YjwK9BnuKLWHo-gayvxsfk_?~JpYU_d zX<@B1LpA-{Z-NGNEKRCl;IvBKJ5xsrt-f!Z7L)oLnCm(1H= z3ddJR{d)ds276|a4S%}M`>)NnDkGy55Ed@$iyZd{ZQwQe0+zEXIt>e3`nrPWWy{`$ z?s%#ZK%wote|G-=>cYJwzG*Vqb0>QfKp`9DwY<7qt&BzZ{{gohOd9|I literal 0 HcmV?d00001 
diff --git a/Modules/Agent/output/images/niaplogo.png b/Modules/Agent/output/images/niaplogo.png new file mode 100644 index 0000000000000000000000000000000000000000..2de1b0584be1c6d5776fb0fffe6e17c64b3243d6 GIT binary patch literal 22727 zcmXtA1ymI8+XVqZT1rZg?nb)1mfR(zOS(G+>6DP}?pC_HYw47hh6M=;zv1^k9~{^{ zusiR}J5SzwpN&vemc>9NMumfe!;qJgQip?sX9S*~qPzxvqvZ0X01vNC6lJC0{=IzX zc9bLne|h65r{e+#hlcy|0}q#;NeKKA*;O7SjlA)O7@qy3foXaI9NY&uc`0$Q=gLWk zj-%c|TJinkLFPE37&cQK_6Ip^xHo5o^zn1nNi<{0=4~f1b=Fk~*I9aYc;s1jY<6mE zdP`Yq%kP%dh~L%O5ohIRv1RUFEUO93I{D0M+q6yyDA*6#BynlOQm-Nqou?Yc2jl~C zLGpNS;{3&+Tbk1ZS&aO>P7$F#Hr%8-G) zGMK-@+P^d$lP8=c>WUc8T(~^;3^}fkO>o-Wn#mf5YK-S4{eFpat+A!lJZE`FX{cAn zlg4`KqrA$Ez<(p*s6q0!0*7>Ub-DDY$>w!&la6+j-3~s349?a+7BnwqPkmH_#ZV{; z7$Y784PiKPl?1b1Sy)4~Edpd8_=Lj**%iNujyuvv+J72*n-UyM%@`5(B^(tIPhSbP zWAo(dDVb|!B%b1s&g(NMf8geoM@_9JFGP$&A%;SU_GS{xr-kFKkvjzvCI)xX<*?8} znBSenK?+U&|Bj>x4yno7z^+**r65!cFwe6_jntq@Q-BH*<@MoGld7!I^1gW^55~dT zyP!ucM#@`y^)A$}o%c75g$_y>LglN7HzA&kV-BrDzq2CO#O-l#5=yDbP-pLjx=!C8 z^v%etN1zkr(leFHX^arkY7HW|dP`7qdEArzcTgLAP+*7!?O+A3Eb#WP#m|A28W1E6 zF*El-WrsM{O>X}6IH#nSEB+|Ljl@ZeHRRdmk*V8hl~9Hr+2^$Qm{^+@L-r+@*FGkG zbpNC)MURFeLcxT^NbA14Ua7hbp?yJEfjbRe+P5+j7savE(-cjQEW^aio1l*!TO$5{ zhyF>yxc-AME!Np-Zs=#k2Z2`uTX##bPO^ybkvG}wGll^@ijKW6E&Z5W@sPOV);SpqZA>py*&NqKcJ`Y$?*My!y|Fd&3|Fv6qd@fn35*a}n*&XHeZ8 z5TMP>1(B2FF%l*ZSXw44dxY0rFt=JMQ(OeQ?hUOdT)TT~4dd*D%TT1tv$LOJ9>n$w^=Gi5fc7ZAC2%Sc}fPwER#2H zl(F@dSQVB3Gq)UK5WLdl36xitslxcZiID6eZ0)Cs+tHOUbdoiJH z++lDX^s98tIHPQ{S%#Wb~-cJ(I#TU+%~qcYf_o$bH*+g%PRW$c6iS5*$16IM3DY! 
zPDObt0iwmb-`9vOhZym^pu@@!FK2M3Eob3X^5yF{nG!kHLNOF>H@k?@8_jn{sn>T@ zkJX!f5(0D%p)WUCG`hIEmn7ygDwe|g6_={zi7(-54AQGiWf_ZoFOTlNIX&NjgO`n^ zz!DcXi3zdrs<4ReDI=;sB#kT=;{HQ}NM9}?l4vR}6w6jGz8n<(1D^N>_u&o5#eaARWSAaHlLr$uj6SBT@D%ZMg#K zVOqvf2 z6HED$PIC4^qptaMo|P#8FjyX5`8O1)ip9-BM+XIU@)DPbd~9e_UfTHmm?Y zi-%%(QPBWP+xJ)$tiId-bN1G^!HIqRW6quryE77ZQqMHA#lxBuK>`v^;;oBIr&3D= zc^Y+j6--7QPsxZiejBi`roU@uN@$rYl4*NBx%AU{9Bpy=eYm^HU(!7p5hUUx{(wAW zkn$Z3L$E!-UNmZU6lPZf4!0mjtGOu&p^y-&)@}oVV$fI3~SlLs#!(+t8c86TW01O zre1CtT$km>M1tQBcbK*`%pq+cJ+G1Hg;JmLCK(GDK8I_ zv^C2u57yl~MOu22dm^)M4(i9X!Ygr+yq{%A2XbL_*#2)vWUp$wcMl$C-FfBO$)t5U zQ_g4hbq+#FgCtoNeB83%M04MsMRG9>)(B1NzABdRZ(U3#qVR)&!oBUN!zpbDuAo6>>>}bv(O&wxA1Kr%>JgP{jlKm z>gfzNrCgehiCnNn*mZn+FrkkE`iEdKr_#b%qSvpu^hh%D^P9u}MxJ6#M1Z#w&DZrP2OKSvH_C{- zODNG*ra1UXEZjMy8RI41eN8Vv^*!G8?{ut9Ebl0E!X$-01%wHLI z;J39vTxTal8Fy^-__}pSXn7RMcF6Qf$%rRy|J0usBshvDMU!}B<6nG2TO#-@l0Ax@ zYS_=)7C zgB(`Ge2mEej)o5NSgRS&(6~ut-Jy;*ZJ+C1@gbH}T4s#tXXl$$DGi_oJ6Wm=LckF8 zJXGakBeUJ_KNFb42Myj*t^z*M=;(VNV{y6ln_9F(M2<5BIjnI@-ug|s^+DlhlPFgp zCV22(m>sj~VS+*-HuR_U-Y*4%{omrl>)_v6^%ZVcW#~HVA1t&}i_JF?!W8t~h}eFd z??;8*!hm-jjVdy*IOkW#dEPQE0;}~}j7Be{u9UyJqFHQbf=$j8QN#~aJe`JdtIWHr#Rk5aPYT@S#n5=BqFTCK@lMXEmh%9 zF@k)JZOMr~?y#jZZ%p2k+%wDw3%~tgt&L?+vMgLUt$O>0@Ti*y98(PycZwZLyZl!S z!4byVOiZB}q)DuYyPF;4(iKf+rhr@dzltzrUQoSPP-Zo5ILj<~>eh->07>=-gghMr z0u7_oT>8c@X_Aso{ElzL=Nl<+PAm7(!qUBfeWkmdD=1sBNbm%1y}un`wPxh9h8 z7+PujJoBA!%9yRz#hRFdp~e+9(BMqW$lQ7pk}q=`{VAAD7p|+U?wZMU9m65+8E)a+4i)X`Y%PDKw%k=;Sgw-d!LM)O zY#)DlK}xly6B?uzD%qeUwf}~taM;2{@eNbku61fa$dT*x0=RER|7WIc^#NeEq*j%A zdG#l;IZdAiFyz4*TNezk#=hE$OaUp?;U+q9!EGAM^Jm98aGD#IJn+#Yu0%J;_qp4i zF)|7}@+%F^FX!twCSF#u%DlrQv{#4drdv7!YvR?>$iFW_QThoeDpu>2HB|L(R=9Do zwVS~)^(OCF+>+Wojj#-bW_!yzFz^K5S5RJ3tJ%SnBsCZLd4KKq#-(&Ck#5Z`Ea(iiitj(AntZ z(ubQY!Z@{|+!QIuWBF!298*8ewiUy4@AMw*Z%#^c^ZU&o(y9{r6QzEpNqT+Y?i#Mp zFIc+{aZnWRNuCy!2%tgq3#7Mr5Efc)jT-D-si{h>_>17o>DoSnB-7`D{<`2=IfMvv zayw!$g0)z@$pvKjDNn%GcppP|-wGA<5g!NwTbCVz{PSzwb^1TK&*{5%EGpgprBj#3 
zWT)VKZIOy3$%Z3Ge@Km`!5(Y7Z=4P~oI{zQYvv>~qQ)~HYBbSP9y*PWu5x~#OhuPy zYe1K*u#=T`FuH`7B13n0p^Tem$Q&0JIn9kH`_{-leOfA*IJ z7gA+A`GXnP&^1<(N<)wI4|Fes7Edv5cz;BPpf@iNYJaI6*$%?3Y`4Fa!sq8(0gt7` z{u6by#wWXEu$ zBfwsxi0|E)V9se>dR{3{{@{5D4lCA7=az+jU}0-uRdxa{{z(k)79oKVUuO6L>C*D0 zdZ4qk`kgF&ZWf%8jSWOGV=Xs+>%ckQf%DLIef z?^}a~5ur<6PO!v*4s1QdA<_)ZrmTCvmBxBUm$|&k6${L@Fz7OlJnO3h>C#E~mTH5J zW)s}-rRDQix{d$g{MVI!9JQsyh_qv2)~$1>S&U>W{ta9p(AdPz;xIPhudWl51XpVQ z6-_Iam*JKB3`19uy?3-t@OW5vz3*f0*9cj7gB4!5>9Qsgo0#eAQ(RH{$rHYtFDD80^{ee} zD;+Bv@UQeLhTYbC$nKqb2{C7kFK|Qv3mVCp)xTtwupRi-PtC(E##JGUc;yNTyv=+^ z2WBq97N0z}Rp;DT;FIui*s{iUvLj}A@$<%bK`CtGs+P${LdIAK6(Oh_`k&O$*Wvo$ z5FzF?q#HUDhsiR^O+1c(xj$GlIUKYuIN{MmSO@Jhp!b=Xc_(kK5u4I;BP*w+{MF8$ z1*1dz$+HW9_Txis6jh8HAJ|Pl?YQc@XQ)-e2njW(&fj86J<`j|Hh5k?4K>b)XyLZ9 zGV<`MPu-lX-A`dUQjvAg4obCu(Epf zhLLIi-2Y!68pX8R`dJt!%aJvsXQ$u0FV6K@LpLXddCr2;AqMng3!Wsb8XqF85q5Q% zKhzup-O+%94{hqy?#X@!%SNmto0O3i<5?QtyU?e{%ZR7UCH>psEPPFcc3XoXVcY@> z#$J#^_}SN6Pfv*LNR7RP%c@NFWs(sM;kEeIz|2EEmz zFj>w|rn0I=pY~y>SApH=?_?ieuJ?RyyuKe76aS}FTa|iM63)51Sz$TqK(z_rSFn># z+Rl4V!IB%ET04f7jSu|vKm-tj4QLQOUw#q=9C}PGxxeEeKoy?=%I^;q9y}{Y%_t>v zW^d(;j4YYe%R+&z>J|VG+u3P!iCr4o%TnGcLU>IiJRuqdKRdtHt z@t8F*1l2)Xlq`x{T6*o|!N>eKaNcxO?aRWUf9iMgo@P)F(J0A*ALw14g^O#-iC!HyHULru}OU zJQ^9ftYtW$75fu5ddWk!sxhUo7(C(4O|4cX$;?kxSg*qx^VhS(B0AdYt41QV+vW^L zYNW)JS?Z?iH|O@USjw=*Ba&n-8MT&n<$vH*UhhFZQK1nrb_K>nI*WAG6N#-InvL0m zdh_hqJy%Cx6&6F`nZYsHPgZ3W`Spe2MTcfKi4XSj`JYOFdgUC`vzdFFPM`^e^`LlV z;uhrxHy@bRw6SGF)iJbQla6%)ej(@&-qUlfqfkz==WVg^yi^bv-v1eyTga)vupL9dYZ7V}TfQg(~Jj4KJJe%JhnM3rPp$vGABR`jF!DqnNMekW7FnBXO9QoGWIkwA9tqUZ$4x~VVw z_RzcRhAs^aHO0)F)E>j~eI4!6bO|>n4rCIWyU{wHPH$gwWD<`x+6I=!W(l16R`0{r zdSijk;gGj%u(~S zUxOSc-cz^6Q5KPmK@q;H5D~w7-7CC_s@VsJpr|g5o-IwTXM@YZD8ov=G@#f zXaE#4>iL{3QE8rE6{!;2MRz56SsX1B3N;wwq=|E8HOts_;u-`b!`n4hzZp&zTkei7)=Mx@amogy%{jA0@lws|4KWxx>)lYG= zsKwUR+{h^o*htv$uA9G`OKKFA2B*8)RX5NLvWTp_OPB$g3;;(RB zAWi1k(*MB04IQ|T_T3Y5mdP#P6t0(Dofl0z6sL-QoR($mUr z?)0HP*p+o^_?r2B_6PD<(99tQ2U%?V*uLGqi{&jhhY_9`S$XfqU&d@(yI=PRKA!HI 
ztT&60ooRb4tT9bIz_pL^;4db}0obb#h!0YnG3qB0!!E7vY{-zF;UmNY8~{bCZ7_L> zaZB>&`1lL$#+(^)GotugryFlJ&N6@!^=B3;uzwPGf2=a=rG!v_F}l}T$nw{a+HGZg zJ3mPC11*vD>ei$K6-z<;GMdz%nL9kuPM%>CTI6y@dFv`;c+8|9#ux56DSa_NGgnrP znn>_EX(|rxEyvGjMR|V@@V1EwlmwM8>xQHV_KH3YrG@d}bWY7Adz@4^Z`8^m=|Fm#& zjLZYAn4hswgVQvqE#ZKE7^Y&&TbsD2DSnh>$F}dOfx-6PdJEV$zRtE-*mi!Aqm5!C zDFBR!r7C{*Eb#eWfeU|aOQv>`5JgP39o73oY1j~&gLX2gtIEFkHVI5py zo_lv9ql%Fnpr{DB=rT*vJo;N-73Q&IZwZJM^XA|?EZ!^NRbH2lW6s>PZxnFmWfY?0 z<}pNwFI|j>zxfD+I$D-;26pbVGox`f2KB@XyZIhOAoxDjxu=(p(KE63_HHu`tq`J4 zIIok?IuNHWl<<{DN;rJC|7zv@`5)`^$+&o@e|}c+5q|Ozrw(xDJC5J|epwLUw6A%W3N|o+UWy)%r7DOZms;S|=@#^lR=k#qGQpN_2_&pg6mK zr2_N}kW+Tfsxt^u`QI}~m7mhII~wuUkUH#yAWWPrtJUFIk2E3xUL92!jLrO+)Ahc@ z%VWB4_oQ7P^q268I|4Zj66dWPCIhnKFceuB^-v+-4hiy6?LWjs&fgx`4Hm@T7eL3@}~BT z6dI?kAJGB!gJu%Tl6YKbeR2JIu$r+9WR5tOrj7w5_iT9-aa}unL%ts=i)}-xAPWw3 zTxqpr+4Nv+!jM8Q7dxac&vS46FLvL$Yo%zMxDIy$H4X``;zF-W6a&!C@rj;LCGnn2 zG~rZ`OT&M@asPAba@yv#r%l2}W?fuYZ>y8A9;2iLr7i0CnAGm*h}96my%R`ONl6!3 zTV)h&OO~Rs9db*$iE=-Fo|F6o=^zHb}+Sz7i;ugGxrf4PK=~ee3n>Bn75mJ zxtJJWD)eky0CWfoqWcEx&Fk=pn<>frF+9Q~t4oA6#X%PR6%rSo+`+u9t--SCy$$#8 z(dC;O#PZj7bpS;fj44L-rod6TNCa3%?~Z3RM;(imNJF9EbNkW zM6q^|ng+3F>D4)gXY*kiZMGa0w-rmfH9a?sq%|;Uk%7qxmPEI5Po5*%)0EBEy^&sS ze&|;-&kL;=3y{>{pKni`YC3OR#lj0QZL_%_JBYp7E3mU=bEcq{9|^Z^_!UamU*iyq zZ6F6HF$t?Gp5sb6(Le;EAs=+MyUTNndg^R-;)e3wZCf<7zDjZY)pNcw{s2ns91GvD)#QfU)syjanFTKJCW90LE#p)Bb*V>b+K?%!YB z@vcWh*0QWBe{Rn=_bB7NpU%lrXUqZC*_N)w%Cd%j&!S3WLx+(rvpnFh#bS&Z2Qj(@ zzI;5=tXY!HneN;)m)-12XwLkRk)))nkiHzDjma_DRlWuAkUH0J5O@>M$C)%B(_URu zPs+xQ#>a+H3p*_sXi&&N#yZim`<@*(-vh<)%nYpE!_Y|3P{QRzZL*A1k>9TRf6_%g4oe-c)(Y) zd7pt=LL6xOs!`>ueuTu*K=p`nwzabQeA!Rv_;8W+OQ7%eZF9o>+you12VliOf@zjY z;zbXA^%g);f8T_P&8w28Qd~^1_oixYsi9-$fbz?9f z#WVB}MCR}97O;8KGGbAGqgt=gC*0QU6J+pw*Du1T7&l)#ddPh2|ovg{`wrSH&LbP2NMmoe%Dr zCcV#$b+jG>+$tAkAF8u)<^omMHOIxTUzGwb!>d%go*)*cImOqP#~+;;tGWF>;atQR zj~W7ix5`Z)FZwLL0r_>+sdR<2MF{0P{@V*V`cakYo6820AgO)a4~U=Yu43gz7_Ync zSfZG4;U|A^Upzk3GAcwCA%2(o`CNCcIe93MBK!1sw2wk0iCi+SD2y#%n 
zkMjpA&aPT4m=N70j9$e85ZWO+dF=iDs!Nt@vt+-zPOzk8c$?NW9tAtgFm(gKNCO2G zY##T4!D&<;poU1`4)wCHBn?>6A5f%rP{KmA$~ldoWQ$KL}y<&GM9~gY*~a?<>y(xSIN9iqgfLLy-8$Rb$}SJ zz*Hlwle2J%4$TMJSx(_LBdvUN1dUSXyF0Qv+bNUZLVk`|UoPj~c6ytLV&Jc8r4{C` zzT37~M7}SHHGXu7YTS#Z6akjVUm~gQy8;&HQl7uTQ9iYci*N%9B8_4cWAc^IQO?eP zyT+{^np_;Xrp%lwoJl`rg-IDDAZCBgO^qBJIhHiHx37>t-S3aMcX}3@rxlX%SsBDR zr?pSYn)(}@6K~m`BX<54O3meaf4eA>&p>@8a1h!~x(*rJ@i|HnUNi^)d>t70Q@N)6 zr+A|W^ZRiy>y+4s-l95r;06I8FOH5}JO?`Zu{$2^!4v9jO3}{)T6`K-<&TS34h8}f zE)O0J9ZPPjWmo>^id$b-(LOr6J`~@7**O0dB+k}QCr$6Pd{2KYF47f|#CvBkmGi5{ zP-Nn{^}S_zC0zB*6-_YUH|g)V9nz^Ay!HtaU#e90?Sr+rl)6Jg8Cqmzj68XH&o;ocbFr1N`4y>6 z^?{Gd`+dXC3%=DTJ)lw!C@s9!9Y8w*Lo#U?lW3&DNyz|RI2p0-=6YXzcnQFR6K@p@ z?OJxgYI9XT-+Pro*M|4smP^>^<8ONUiW+{g75&D0u2+4s-V}!C9w>=|RC@t{kp-*v z+wEtV2_r2w4 zn)Yt>R)8ogyWu>lPdu~sxjIANvlr=S94i)JFcs@#Y(AcCbzCqiB zAY&=Z>R?pZ&FtZu%Z-3AfH?Q%y3%e9+;h$^9o?s8qG0Fp3TE`IY{@1Uafv?96p)+0 zNq|t46-ilN3;4>^@)ZG6{4&*WYQG*V$6^NyyJVgO3$SQyu*j)xZ(xn#y)Ny9riYbTv) zzcF%~BQOro6QwL{9Xp?@WJHca1&61qZ?86TQ+`znJ1~IF?VJnuW~ntSpk$fD3Y^I4WN?tm2$+A2n!tcVW*DFyE|2p569#ZI`M zK@QcY=r3Temj^2Ew|p!xH9Gu~*7(ps={oDXFn}p+Ss0qKM}M28iFh+JG zazF73NA02NouSyreX87Xmj z@yZ)r8-zqKkF1mY+f8A&fOBE5R8fKH=!RMf@1NdL;ihpkukarmx%6<$w96)3-9_=C3uF z;>7+8;w*YG*?+g{@;>u4%ZQn@k9qu9_^3TQ@7S_j!N(8(%Tp28J;C91kkMjuu6^r$*+>dziGNkL6p;alM?;)n3Sf{M#M&D z^=sFme7w7R4|}T&Z0;intVNr&?Ho*G)0M`YISK&YF;*iG=2fu>qD`x#VghZcxxGU* z2Be!x+4+=oCA#jgu6Ez_lGXI3I=>9Re`K|?)(qEEyH|Q1$ah^EEj{y>a1A5e5^C6^ ze~*uvn9($Nmo#^GTW)BdZ+zJ5YO1{J3L)RLlWngkw)6%r=(xBD>!s~J^_&qo{ zxAjLb0Q}e0G$#CosrxVUkKbLBM(C0C{UEc3OtUN18Ud|&j$myVxrk3R5HLL+TttoB zR9GHaXQUz(`$V3%3Pd)Jh?@S*TplL(e9Npvg(A&_;8{G-T2?X^oT-+PR>jXcLTGY;EKUjX}thjdl^p6bZccIf$MGl9_fDXL7&1qpnefV8nd>>nTJFNVII?yQzzvg&5k zGE$r4Rsjl4hgR8p^8;*Q4K85kw_I&Y>nNom?4YRSd&Ku=*npTzsIBXbY|o^OghJPZ zq9z_=kc8^CGi*DL;ApH-&0rg-SHc`+cL<9kiYo0@;>`oC(sCJ3s+nKbxp<<(a>t z-`XUfUd&t-R@ZPrYj<}^B{w9=^$~(ori&bF+2T=t=bmix2~ZHez-NHyBK;#>73wV9jKtVq*!`p@;<;p!A^t0F1ZknpUQlqjJ`K 
ze0@_jSg_6N>#Zz(IO$xJkQkvHyHwiVuS4#Om*k!QZ~%~E8tewCv@5($T*6kLu4l%R z&dW0q1aOAXVn*=yWfwu1ChpkgWIX+ue^~=rOQEakJuTa3=W9^tJzI+Xzh*sMVPa$1egPn|G?4Ef16N}*u~zguT<=_=zW}kYzms18APPx~r4tXAh#J`U zmS>PK(l#=4cJ==HQv8>cV5x0`cYBg%&nX)IC1ls>?8FOM7h6#x@^L3kk=qtKXGB?2 zPVCLd=SLl?RKBd&S6|A=v{lyl`gs72jvrbdMHyxa$zP*M7$uUSI6B^6_s8OLiBfI< zVdLN;GaCt~p+Sf`33ES31i*yP4j`IHZ08^Q(CVyq#0oiZr1Po(#LIOx-Y&^FpAj{T z*!teE>o5AIr>!V!Sfo{|d%x?uR~&8#iU3;Se6bEaeVka#*@@U6gitYfwRiwTLPknKow_6 zDGl^d5X4VCH9mU^%*Pa>gqV<`YFiQ-R*bRwi}C)E&sXjby|bv!wHB`fg#}0NujsHY zOG+@EtR1LW!y1{H$ioZqkb*xXj$J8lA_5i46d zR@Y5a%U|)oM?9&h*?y@kfP|=HFRG1^pq^}j#R3RPFLK!2UEG+vC1}Icch?d+q{@p; z(g^~Gg%*bp008UPr7%WgPCGTDJlG}#EHXqQY}zh*V#-R4454U^GXcaxfV!-;odUph z`R7#o@& zn`#zoZI{nbONcpnaX#th2o;QBMO28##Y58PO*K^7!W#OW7U^iiC}CvZGih9giV2d| zz$ZmQ;9ID58D?C9Ya_)3qy_~HU$?r^CqCl)9*k2w-ye__l(qWma8_&DQ^b!r_r3qM z+2s**)#sm3#vBO^EVuiU4vV+7vsb!81`2>mdp7#<;;%+(#T1@>_t|+|53#pbLX_Ks>1v*>vy`htkc1OW zO}t}ok%hnGw^>$IB`nG+bj{P0wcB3+Oi7K~H;#<)6{ck^utT!5T8J7CI+QvCI`Y{? zN`vS#u2p-ym-i!7XnAEAAd##a9dw`n)kqK3Tdgz%f*|I;e|G%=ZB{9>pQG%gXq?Y7 zsfEwb-QhfZb?hp2Nd6M$8yJNiYPlH7z6SrsQATc2W4Rdk#w%V+9%mk*3)7`ld~=uk zAk23SrWB+h>165g5dgBU!+i=e6>f+`b2^O%BO;0F%{-uW!CbLoB%=314B>BTs z6R#RX-BwYI{}Yu97^^((0LSY2sYMx3@PwCeqJW;1FtR1y<}#o_Xfk*Sqxu0!*~R$y z&Meqn%V8+b+J+XPa&yeEO6Gfu6xiWUH0*ri_}8FkfRwWAvQel9)`O5vK=$O8v*mXO zru?7PsA1&__jJHI?lb!uL?WcOF2+ky4({+GRPrpcPe_J#eYL~pFhGT!Ik6AOx(L&< zcS3?DNLN|_1^1!z&!S(}!YI9s;vW*HuIzI%a`Z`dN44`>OHhd9*Cjhg)e-%A0Lj?8 z5VSFBeIB1vi>7GvsRR$s9;AHby@-MvPe}MWz2WyW=3D|b7=KzXwOF37aoEB1jd$_q za6p>B67h7yscvE1Q{2*-9K<$tb|}#F2z@+IT-PH`qmCcX$KyxEsD>Fo%-Q^Q#g3qB z79h(72x&K~H>-M+5WhUR!zLtPPKOp-vDg-Qv;u+p>NWFTg645|Ib(7;AmBQ@ktX~$ z9zSt>Qc+d7)Y8fLxe0XsYb`hI--SPNO6XHRR0l8RyHAeJt9^{3%!5 z-?PFZQ~8!VDuOvuQrE}IROe>O$ujs|;^S`x(SNHotgxQk3~f$*LP@VXn6;IzQVH+y zm&aeU=hw>E3~}EnH=nU?UWo<312Ynj`wN7Jz6J(_^57iSKI~Ue?iNmw0bndBRle|a zf*vd4LolWN!4QGEUK$E4XVT;9iUh&)vq`|yIaXA4a{gG4Sg@f7`V~;0#1CAfS|~># zi@2nZdYWZph5Cm0*jD|%NtspIW(}itAOvu>O!6CNH{a2ltLNsy$&V4`Cu~5tFMkoG 
zZmttkrOPFb9Qr=YiKmy3qO!o*91rH=;T&iHngb`(I3T#CWyVq{=#{ExSI(v(4CEy! zTO4MjZyiYm9L?eY2u7o8H2~(*bu0%AC?%8YpB?~^Kq^5m1=(^ezcdOns0W<2b{z)f ze_R7O*h}SGS=Oljv5r+xy;vfNW3+q_1aPPAg`ZB7kfeMRXz%VhK|80aZz3Q zI4vXM0zno0sP>booV69~-`{?`gV*g!na`?lwNqMa+>EUIfgR7N{~2EIsN0BJn{u8z}a+^F6YbZl_u|83?a zp612hn$R@`T2KxbuepSLw;5v=xcS3=b`WiG{-aPyL)=K+#NIDQNsM&sCbmkM?+vaj z+lR~tVI2VW9~?U)Pw$-HOgcQX{BfHB)WgoaZ~8`HouXO=@xB1Thu&SFaraMLO<$W7 z7D1exMKk;E&LXcYFd@eG{@511Ujl+?k`bjUG~&=Ib1%Bt+Iw%j`Ce@+XkRfnAMbT- z-{XTz7BI;5Dy%R2G;zqB#i3^XIp1n6J$>uvnHmA-vfwNZfLv`4AHF`nZsQl-roz!h zEV&9?$gerf&{CV`0KyU=kR8Y?-^ECLhsCqwYuQ1ipQ~y3fD$J6X?zv@YC;PU zB-g^N9ROFzuhrZ9NC48;uBE^AyFb&W0Sc|f&SSL$FbPDLrYlF0x$^fL8FL$B37%k@ zig^pLb(@`TAud7L4+(*an{9EE7q=;`_or1(1PMgJ`IW1~&QL}%G)K!qx5O80=`h1! zVNaK#Jn8K`EXY>$a&b-LvD_y3!lWGA+>SH~M_P?NWW-lsY~Zcvs=hLq!t+v=O zBx{;7NH?Ol^PTMc^S>odkVCYF2pAjb zz9x0Ji3NOc3G0F&!nw&+>gVpOxRE_z1`F2a&sz|G5BZboUC61*k)~)47)wEADN2gu z&f$W-JKEs+>07o)bLiK}&&PC#BlnvN`$CHu z8dA5>7a zYgDz6EEJ>oW?0NN-q0O=X6wyzhumm^i;VX1u!5U_7{pOU+N;Xu`(kV88#Y?_;iK0n zvX6jz8aH;ZF8J$F9MYB>!$11y1#JT1#J3w~Ss#+e0lv?bx78?=S2*X_V_eD=m4ELg zwF#7ss`kWJBR(p-jOh7z51@#AMs{I^&R+gA{8A}w=*m^KWm=l|3x9~*`5mWNFM0s@ z?2x`SPZW$W5QbrAvu>13Rg9?;2b?5sx(bV|Musqzl}{ZLVH&AvyqCYfX?TchGG&-d z7@ZVznz-%P$OFxQ@}=7uk{AGM4g>N4Cik4}CzlQu88B+GIZpHdzv#){69rqVRn7c{ zf;~;|p%^dA2FW#cIE!jWRjScia$w|j%8Hz=G-t-asR-}Gv4>-Bo(uq`dcCobSHEl9Mt{Tt59a9|xq3^s^X^hq90Or< zT7`xkCwnKW^G)lcF(B7EBDjU9;{}$Nm11Vpn*a3;BC`XTvvZHFcHjo5P(RWNE{`f%n#&kB#Pfkv)HaR8sA#_h|Oy{p9=1_1V7jaSr?GmR6M zlpM^$6c*UMz6{Hj@P=0(kA+48oQ#hgGh#yoH9#N&1YaN6_O06P4@r}2{ys7)M%Ek3|gj&whQlEwx)Fn^q<)s{(x$= zmp)NNSa)pv_$qBf4e0-j$@)Qu~sQD?-#nm zb@a@;XaWM<;UMNZ{3TRX#7m{vrU$y;Ixw;z4B^`LvT*CeDqzIN36R7A!bvmEn4{U< z+^T+pnSh%UYoHN0!<^lE!_g4e{e!vxb#g#PXsKp3VHYrAD6566J-#bGZx*6rqA1Q_ zw$M<<{Qm3%AhH<#4XA7tD9H4|jb4UyWC=CqO&{p{3=&Hh_im4r9 zO**@G_l--yFz21vj-=GS?}O5JnfS zTNjRZt*N5jT50Lv;)Jv^dA(#)o%o`DP3A-#X(wE9NB9Uo8|IjwBpulzt9qF-8r*gf zvvCT%uGtwfd4UF z8LaP)o}jX!dvMLpL>3P}gj-K}{7j#8wl@jv5*C%|)Z5qA63iju>sHN=u$&GvUSTeA 
ziDs?5{JVswQD&DQsAJLtM-|cBMn{gIGvARvi;<`$L&q;DqTPN^$-NFMG2+?${ z{Jne#7^ow(fkDQWpY7thlBws}WLvl2ZsOTU+PysDrA)u?=vP^m!-hu`7LL0Sm~GAZ zd_1x}ijzl92;%%F&`z#@Z3RBPQrDozceSVG_3{vqcec3g?D!7FFlghLu%;b?BD@DC zDY0jAbI_n;dZ{|J`ph$A{}*l*k?IT66b^EIX`R1$=LYAemNFWh3csDr9_?Z-WM_y7|SMUpF)d3kh_?&b!%;;|}G zWr`&(&MgxQ`uN82K{Q2@D;fAyl_$E|_@gIB`2I6T0ceYb`SF!;Mi)~Y>uP79HO}#_ zRP)4!8C_UoY$?U$+BVy{67g`5SjbPv zr!m;ph~qd+t?yu%pK@pVo?_a{75Uk(rDxH7lO zyEDst=}12TO{G{iF)W*arqUP+xPR~Vj%Q^j%Y~^WvPGTET#=d74h;bxPxp7y6>q?> zY+52AX55W@85ot13}Fc<}I$`$$t*&E&W=v%=V73fs163I_>kDtX;tJzD_4 zuB64ZM1wpt(8=#VF~C4;BdU~?42wv>=MtLZu$<0e**0y_@M8%Ns*7DNrNnU{U(z`@ zvB;~}rzjdGXr5ongNKg_RS{sAENrHEV|%Yp=2~4FNyL zy4v~r@ge^0(}xfUesOD#^-7}iZc%44wT+?(4tK`!sgHhN){Pv|O^erVO!MaLIo7sz zac~RTd+^}lBU*qCps5s1i=SPe=JMPMk$}dR4)szhoBZSG6eYtTpei`FO-?V9E|dWH zlc$f+90~F-<8$0hrdUnyGQP6G)Y=v;kr2Oku#2Gf=w08+i!Z+TVy&wwfa&#Z{`=Wc z-kDBPEE`Bw@mgMa@bLd(0@{wlR<=M#EX={SCi+{OSlr5Rb$*qgPeoHCUGXSgO;L__ zw~>fN2nT!wRE4Ntqcsxb{M0h9-I&3rD180+LB4Rf&#k8L2tTI~qP7*)o?mJuz03Kj zMb1quv6ac+3+(h9=pH@67X^QzQJ|a5sf=nJaTE zENtzP+}dSzCySKsO`vJp;J_CT_i?Hx!E;019Ee8&_xZ=+kf~{DvYjvT>ev+TOf69^ zlpq-J{8An~JYqrM0NdFDuZ>M}ps9hc9vkHACx&_UU>Dcs*SIvh!s6C0yTvk!B4~?- zInvR>3nM-BwKP@>1lW%K*wWZ)mZ0|z&2`=cweqG3`p@4uyR90#AO5YQCVI!bmHfK~ZU zhGkte5h$G5J)Ldq(G4pO-fWLs%olM$EaqB>L16Z_#bCSt3>5EfMfH*P&eOw zYJ|@p>UTry1rHrpB`e*OGsP0Wx--w)lS!naAcQ+X<+90%?lwL*+{MB6X8fx9SUPGv zYLXICk}nkb>9xB|uI-R7o2XJ^+BTXZ=!rLQW~7&sJqh@PoS&bhvd)#t{METp&P^<_ zmd>MTDy6bPYb3xAo;}J}jvb`GwQ1kD4ff`Iw^-!P$_B5F&9Gh2@oVY>RJC_lNdcNv z2xuy?kVZ=+NJlI}Uvnef@dkXF=Dx1rV;%mVTB2IZx_`)RhwXfc^<06iyw3B( z-LyAE9{!5dWh6>vlk1D?yma+0e#PykY}*ccsZ3EXb1>1wKx@3N7O!qvT%29y!sHT} zypF0Wn5IQglN{}C<6wK7lRXLcOLWJc@1jsHb9H`&*Kf>lb$$)ov_X+zn9TV#e5yiA zLxld;rYf=3Jy})0hi+OdZSV5WW78yea)c^nS472hGfk^{&`JTSl=w82NI)YJ@DU3I zX^VvzY-{3)1Ff9y?Qr)~r9YqJ5!FLZ#&4Qm(jmE?=B0F=tz3~@N#~m#6jY8S1yUlD_4lC&b)2TG2Y{BhqXqZS%AsPx)3#9EA zrrJ{u<13rIc5|BB%bVD`fe83<1RyjF8{V2sa=fdZXZkxi(A0pGV&5oA%XZi;>ddBg z*xB5LkpI59l>(IaDJ#1Ylu4z?9YTOAX=(`ZRBwXsKXZgLhk6-oi`U#bsac|uf(Ht4 
zISA~4565wMYhsC1CeQ8VP5#pto@B5sUO6$H552UILbx?^d>W_{Au7!nZ5vfnQG~3! z7%d^duPONb8l|#^&{P~LP&I{sPpvDT+lTw5+}SZqlk<~H{N(B+CCdW8R(%e|RmqlK z=AEe}`dVWA`R7j&_WSnFI0(1AuRK67~2qV>4UCwjECQbQ5eUV-IGRdr z^VVdNFCQJODfKDqZCa!ds6yb_R^>WFQZy`H9-ZXB{`4$Ay)w@7PPTH|c%75?6I}Hm zNf(M-noaVn@p+OvS@3H(wnZ%9<48v{FAR0k(-^@no36T26|$u=e}DN7mu6P(z1F^6 z94-kL41+@1c!1aj+nYJr(?M@@3>9!J+daV)g>2a(l`UYH=6$|EkElKZY}-wz>4=5+ zqbG+r)z=Qf0mGz_Ei$^a&i_1rgTFaH#9S=!Em zZM(lWOnT!{zIl9*KYjKXCwtq#sl=2i3Wn`)V`-hYCl|T9vW``0WxhY*RNQm|MabW9 zo>WXJDKIR%+G*zf1m}kP)YjOjbv5)AsooKb@Mq5*V|-P55HIot*x4%t$Xw8$srDPHnWn+ z@y7T9ySh<%T2LVb4(?k;1#S><*|OYF1=}Sc!?ehjbSBrf*vu8M z0fcm29=1h8K%=7}j8PhgGqka5*bc&*GApJfpzmMCi+q`^jiZdg zJx!Cmd1s#Fb`A`a4b$T6#3F{}u%0dO2ge8LYiUH0vRW+6%c`#*H3hJ=mEo1qDMptz zs<*X{ZsH4QoEh$_k`%!4?l!)4;viRNSD9N+yKVzTV(4Y=u5R)AjcKAmA0vsDYRb*N zfvQk6EMC1a!?nc}0Zqj;EsA=X&1`|G^)&0b0vM)y4`JJ&Dh%|r^Oa)*d~Ud#K#jGc zt2?4{dyP31%dWGpF%;yFPamc|8Y1LV`T5u^%ey%o$03s|@%qgf=C;yUj?Gt}7^ElO zP>CfKUO}t6@JqRql*;6|IGyC}$tAWkIYjkF%Aq9^;A=+*INI4-{lC^|m=}h7IN96I zc2Osj*AbcmQnFht@yh5Vy)7|D63tcr*M8wDRZ%Dz7U%CQxFqD*VBd3{pehJeLGx*7 z2oy!q-Q2);P7U$Rlf(44#@&jYHKa86O_zk{hPvr$iZR$0=SP>vd2cG|`Y!}bZ>0He zKfl1l>K5OB<}ib8O@w`##{zXkRF`I#`9JU8VkcLEiYm5Ei*Pu=v92~=815m_7`^X* zI~$|?$~lb|IU0;oBKsqTwuaX<=5Uuz@Zed-X=fR98& zh_|MaWOGFf(;`(ec=g5%>0*iJhq{>GN+b6CR-Or1vnHSII4o|Zd23>ki!&>fEE}OJ z)$%QhlSb3&R01R&;Xv8s;_M3j*Qe--$7tF| zj&;kl2nT(fInqa8ON?m1=N82i5>=4|HHC(NkEU>d)`l>>%`tl74b`}*TJ+he`+=uy z#{tJdO36TL6aVhBN9l@3uyD9Kx5jp^gpFV!wM{aeWoA81x~QWm64P?_P5#?{#BNdN zm$zm)Kb0hx%_D*Vq#|&|k3csqCf2t3;Tu;F-0y1=xG5&tl7UcU^-vQ+;P_Q0*S2|W zY=*BM>F0ERCrS+_<9;ld7C}wr8^;Iv@{v9|Vqr|v0U=OTiCJ`?>c$9HP+opI@z572jbxXKf5-`jpPQULJ3_} zKvht@K+xJGsmkdwv%byiH>bIk+@Mq_SCein%OdF0cygeVrceMOaC7|bBdV&m22E8c zn-){+X;w2i@_HFXRX~xXOJ!aio1wq8iNhT&s8a5OTR^Ak-`flLyf2Q>aca6q-o7EK z54)_Z*5HwnQ@tJZw!{efHT+j6xIDLlZr5Jq?Z4V!)$qr?IJ?Zt*CyD>m)xXVA+RhP zO;H$XYvKpbKEYtSTW8AtU3r}X0;)=;p!4fH3;godEVq*>97Q5E70b4{wV2}V$t9lY z@8rk<*Rft7SAgPo{@wvB+s3MV52wxxCaQI}jD>jU-RIagLQ3M{5PxyzNk-b^{OHm+ 
zKY4G0LcWCM(<;3J_gRr9LEZAOkP_3fnONQ6?43m}&#r+KNT2Ge9Nl2Jx1H}jIn1|C z4%5*XK{u@roIOPf%BICgqKSfGaC>zV+i~;9q!8G^#hGRP{?a)AN+re4dGwEiB8r z7er&2Sf<-(vECM`Tldc(SJI)VW1AKjCc3Fo(90NB?O(m`nJ261EdT4mO@47}24^=9 zL0?tiC_atn4j$k;r-tcla>Ee<4-rM}Qxt|1Ej&Nm&9#L!u1qgumkm%AuxzH5)_Fz1 zvxA+SIn+yICAKqL)I{-DxDHpe-7tFWx}f z??Y-TreP7*6gpxNLVIyzPHhvFZQE?-3XCnKFf5z)&K88?mQ@ZYlK%E4zIddM<2?!X ziX=YFW|YEJ<4^T<@V(O`?B+_OvIPQu4TKo+=|;&yW5o|LUFNQdS~kk1Zv5f2Ak+xsJI1c7_= zm)yy4adw6OdwH7GOaUPTdfDI$BM105r-wM*m%y*7b&&@qrK>V8&#sb6=P?YYS_fW{ zf~IJIBb_buwKmqYuR=;mv23uiljXg+HS)UQ`ipSOM{BC2yE)2GqKS@J^dahvJ^1>% zVX~HXUw^k~R7`)@8Lvt~do0XwM>9Pwv6>E5aK}n#d1sf=`E_z7^WIol7Gb}}iM|8} znxcgLTHWR|)_eofT(L~HSiY~G)LsPzO_jt#0aWFq-P$>o8$l{Qsnl+sOLH5fEAL}k zHoZ*|MiPy*$HJ(UjQx7>Ntl++Zc)cDZ5;c3DIo$hMH2RF1btdf7X}o<^(7T_qgvx# zl?vcy{!1x{27Ls5YNesa$5(CJxe{g5EfKS)oA%~98uSqf`f6K!;wB#JhDo+$U|CM} zw$ygq11b{mB9d587W8x2;21^00000NkvXXu0mjfhS^Zk literal 0 HcmV?d00001
diff --git a/Modules/Server/.gitignore b/Modules/Server/.gitignore
new file mode 100644
index 0000000..44c2625
--- /dev/null
+++ b/Modules/Server/.gitignore
@@ -0,0 +1,10 @@
+output/*.*
+output/css
+output/js
+*~
+input/*.html
+input/schemas.xml
+*.rnc
+tmp
+LocalUser.make
+output/images/diff-*.gif
diff --git a/Modules/Server/Dictionary.txt b/Modules/Server/Dictionary.txt
new file mode 100644
index 0000000..8d31306
--- /dev/null
+++ b/Modules/Server/Dictionary.txt
@@ -0,0 +1 @@
+Server
diff --git a/Modules/Server/Makefile b/Modules/Server/Makefile
new file mode 100644
index 0000000..e58b690
--- /dev/null
+++ b/Modules/Server/Makefile
@@ -0,0 +1,6 @@
+TRANS?=../../transforms
+
+# Let user's include their own makefiles (if they exist)
+-include User.make
+-include ~/commoncriteria/User.make
+include $(TRANS)/module/Module.make
diff --git a/Modules/Server/input/.gitignore b/Modules/Server/input/.gitignore
new file mode 100644
index 0000000..329ef01
--- /dev/null
+++ b/Modules/Server/input/.gitignore
@@ -0,0 +1,2 @@
+*.html
+schemas.xml
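Review bot: In Modules/Server/Makefile the optional includes `-include User.make` and `-include ~/commoncriteria/User.make` pull make code from outside version control into every build, while the Modules/Server/.gitignore added alongside it ignores `LocalUser.make`, not `User.make`. A local `User.make` in this directory is therefore untracked but not ignored, so it can be committed by accident and would then run in every other checkout's build; either add `User.make` to that .gitignore or include the name that is already ignored. Whether `LocalUser.make` is picked up inside `$(TRANS)/module/Module.make` cannot be seen from this hunk, so that part is an assumption to confirm. For CI or release builds it is worth documenting that the home-directory include and the overridable `TRANS?=` make the output depend on the builder's environment. The comment also carries a stray apostrophe and would read better as `# Let users include their own makefiles (if they exist)`.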
diff --git a/Modules/Server/input/tds/README.md b/Modules/Server/input/tds/README.md
new file mode 100644
index 0000000..5701d72
--- /dev/null
+++ b/Modules/Server/input/tds/README.md
@@ -0,0 +1,4 @@
+# Technical Decisions
+
+Place TD XML files in this directory for the Server PP-Module.
+On the main development branch, TDs should be incorporated into the module XML directly.
diff --git a/Modules/Server/output/images/cclogo.png b/Modules/Server/output/images/cclogo.png new file mode 100644 index 0000000000000000000000000000000000000000..84648693e5197d94f16f682fb26013ab77c2c602 GIT binary patch literal 32411 zcmdSAhdW%~7cV^eM2SK4I=W~<^a#;|kPt>6C3=lsM{gm71PRfiL?68~M3m@l^e%eu z48uG5{_cDKhda-D&U5xT`>eJ1Dtmp_K67GTYpReC(h&jx0FsxgirN4G9uxq;Dg@$S zu2^$eeF6Y*0IxOPDq)&H3;}^441q8NqQMXi2uy=H(tv4bcrXN}5dzalf@#42emoo; z95ggSY@9+gH1c4uB$z{ zQxJ^w!Gqd1&%D z>9aZb%lJ52!8EO4a4QeER+K|oR{Eu!rm42Lk(R~_8ACZ~J3}pfeKiMf%cozg1iyxH ze-9IPHZ%x%_cqE+H_iV|t(s7+gHTx@L;;d@FgtvYQ>ITpZ0cg4b;BElV5D+v30u9lChQOd99#A(A&5#gi5<`-pNqNwu z8fZ}s)U8G{qz#(X1}*+O(kvPR7Y#v+mcT_z(4qry(E-%$K(px%9C8P3V#puZ{sXT& zAJCl-Y|RIC=Yxjw0Ymw~p?uJ0IPRuD<_J0r2W`dy4_aiHT&{KGGx!|$NOd{ApX zO?N)cP(Dp-KDhe}xcfV}8*}oVr~A85>v!$$@7k^34O_p*4V7a}R^cs{0Tyd zesWF2K{FLJtBruYdcbBk;IJF8+Vt>mJ^f`F=nz41*$uevB)l8~+_sZncGKK<(_D6g z?=dt4xE})E4}mU+Xzqt-E++x^7+S=PT&O!=Z75%8C|`aEb5h1LR3JtJa;bJ(REAns3;hZ`hjurMoPDvbA=yyLEGM z@o;nT^78Wj9z*v~JYp?O3=nu|YwBQ{m>+;n9Y+~+3CluVMG+8<$Eb>F;M%-Yw!y{( ziiD}+8KzBa>Gb-wnu3$-6LBG7OdCfP;NAiN_&3*w|qw&-?PJPf@oX;#l ze01A`0)7L(O)Xvpf$WQar+iopf7QMAgSh&`5BAS-*6hf#rl|` ztYzuVNrP+PsMW;9=x9@4x&1K7iECPq_>U0dW4)p}xk4TbdRvxW4HvJv(Xj2_B)on9 zp~j`n@0g>fpuxLV-8!qpdgq0kdH1Z-`OOyQBB?eImLh;m4mU}TCHc4J`>bdHYcP-n z+jDt}?*G5FsuFy}+eY@kewfD2)RlLvzalQ?$?RP+IrQwg0^lbE!$lQ{H35Hs6rKvbe6HFK|I2;UGD58mK~b4%2Pq9K(Ab z1rDYl#tfZ393wV7SZP)n)2&$@3dtSn%RSWaBNF)>Ux4;c*aW*Bf8Hw-h@ z2jF0oDA+8q4l~LBJ0&if|F@@95q0jc|F?+Zr{=)GCg;M`#K2yW4woj?r>Fm!a@rI3 zA`@0NIG~}m!Ra@?efHu?JdkBQFfprQDQ=VVr;Rm5T8bCCX~h?eF-#BJ>p2Bftyo6- z-Y!SWj^#uJB5zzqrnQx#F(79Rjw}36se9767vZpsKU%Md&(7_~A0y0N4%-!-{hXIf zo_`nn=PqGnTOMe_i8T5xyD)=5X2!2y`-U@imit2}{<+;A8?KZAV(4!|!mdBoEW}AK#w1oxoD8${=%;5 zD!Pl@K2wC%P3DZ7CZ#f5{&Pp^aJioCso8ls7q?%ca)|B4d17Hcj7%2n7#6v;YN;(5 znUUQD8{||jS^cwV=}(7z#8TUS%a#AQ(*r${U>S6Wv8qY?fqQcIxXRA8LXlFou9St?a_R0x9K$b@n93n}d8a;VKovt^Uo*E$&Bf47f`@grkCR8D#&H@Zk^7f;nX;@P0_^5O z=q9;Fu+wMXah!1)3i_U-UxAp&{McT;J+;lQR$ue7Br|~`a(^cz#3lhVEGM=Kb(E-V 
zx`}(wPD1Xky?#EqeTKQ=!GkSb26bnoJ}h=)9a}r4 zQ3rXVx`#0WKDH0-Oa(~G5b7#^ojxShT$YEV_9c{W;J0k-vsHXXd6rizRLNg8x)cZI zy(j$__D;aPY}kVTWN_5`p3M<1%Gq#~L^W^`m^9)-$8%jY2-}Y#7VO25hNnp-$ThckR!P(Ayx9Ui$Vb;Bu z$$ToI!ip^&A$NijU91T4xWD@SPC#5nr!WekIk4{b`7^~DT8L}y!eaeb23`7-5s86K2@Xn2Fm&)<@D1{N2wuv>+lz)UtxhD(lwM@amrdU&BR zH0XDgG*&cNc;udKnAX;JH~a_t=t((x<=4RRoqoW~(*k!pjRk38*s%mC{(DK z*<-TIy~d@<9Hui}>R(!jy67_Mjd-mZ?*I^Czk@Y$boub#3Y`v8RYOe9exTn<59a1p zDWBE4hlS~K7)Ky%nk{NFvi2OJEJ*(*eZE_GihXQM77`dMr+v2@KtGY})tfwC^4^4? z4}NrbrYIfLyk38TUU~CWnOQkp6Uo1Ae*$B3OJZMgEj<_J8I=~_W zvV01^m!eEG8OPCk7?K>AyxeudZD}?=(<|9Ra5^o8&qIZg&JJYHhO%)|=DG7-A`RA- zXg4gN;-3@fDkDmaeOxf>Z!k^B)f$v-!_jvJ>F28Ty3Mb>!YNe#ZDdA!Wdz3Uqk};q z4d=TWdF>%*dF#Y`an|dfvK>sg3Vzs4$KdKMyVkH`N4GDkusCD9jAzkq{@BDj23lkh zdH=xx(*qo>S>#_F92YLxx)zfSKR{q%Cg?>J zqJLVyF;ELlv!c)!!a*g>{Is^-%vMu}x}fA{hog>gY#GPJF^mW@ML9V}D&APfz)Bli zjTC4Q)MQ)6xE2#|Uw6OSI7mr*HWh7VTK^_KYK%bit+mvG^z-)tL;6OUeT+}zml6dfEUr-4FF zGtg9gHm97z_HckVa)2zdEGo|yt5*C6mx2jGe9m^`%#C4mRTrY)rzD@? z#X-_0m{m!)Uh}<;5*<{cpQ7lI0Q|FvG$>jLk;d62zwox?muIxhldRZByYK=?mD2F< z_n?uSRGNU5P&*2Iji>D@3Yb~Cl0_>ZGKD96M*@(Kj~{b1%&a{~;>}$?`&+|W@ZqV% zlQYf=Dy&6gj5mOO-Wxv2gE*MSc0B|xT^olhK9O13nJXq$bc~MV$RR19MSPa1`%iaf zz~7$`R#%_}g;uN*h1f0OfeixI*H*t1@_KUA%i=7yai2JBk!h@r$p3?l!Qhd$d;7`F zv|4U6{(7ZDgVXl$=n4CvQX9jz$9Pftf*NT)xOQW8^h=mg1OoxsPB(B#Hb0yo;osDS z!y24qg4t5PGK(ra@BPpXFh>{C2h!s)+g%<1EONsf;&s0Jp3>JhC@Yh2kmu{mfLH2X z6*7|7+Nm$QQr{Qq;lz5YR@~focZewBJ_Xt8AT-lQc3=2-rKHk-RcD{ny}a_{?0i~k z4WNtNLCP^Q;{L;|*toN2(2r`@=b+u>aO;@A3jKRxGNaZdhztBYPOzj9`4{v1!tw>c#JlfaA%{LpFCh>A=53cic!gmv>>t7oyz%~lb(8RK>0KHB@@iqO*MK}fh@ z06l z+B0LMHnFI!57Q7iR$UoR|H7{50665u^jro-8_M>#2SlWeYqa9G&9{Jm@Vu<6l_~9g z@M=0c6mK`#F-lA6KbOHJi!Owo4?@%z@n&kp%(at?`3vH%%x$Y!*!7`bsa{#UsHDFYXs%~sMrs#G)pu>%EFYn2H7MFFftvk*>=YnRmSqYK>j|ffN zwHbx;zZ|XyotsE~o?rHm;J3l6H#&r4IE}Z@)}QXKqk~XvKdY(Hb1~Q37isMBqOMHe z{RWc`JywPop6fKc_s3{qIv1!o3ZFdyAiWs^vxIq!mK$)kkBt}0L6*m9l+;T8gB7U? 
zl~m)}Ng3&B(R}a5$LISf4f%pjb!WiK{Ou)JY*&iu|t*p5}+NJDGu01Qj zMxv;lop_&oaAn~w|Mgg3h}Hp}>gEWmf*N_;5JS18dI?M>cGrrY%4Apks8p4~XnJHF z_;nYup9Z&UMy8Oi+F53*Uv7SNJ#WS;jY=JaWgb>|lpeAjjW+&yz6R%fn@%z4E<$nk z7gPUT?^mgDHNz)DoR0dQ^!CJXjM1Zmfmk}|VtVOzi_}}vBQDW2ecwWtc?-y# zS8XU6D|vcX!tcs5T56^64I;JYJ^cSmENo^NATF93jVe3m7UUh=QiJ}gw2L*_wn#qp zaFN+lX^1{hQ4M|pb}2OXR|=_6ZT!!N!@*_+P|w)50{-po!17Fy90+iax^$?=gXckK z=97tv5mVj*mmc)L3Z7%$Kw54-x3Z!cutlK)2we_^q|(QArI>R70@!#!3MX% z8>=a`b?YYcQu$E9lBK>0wHABPXOpq) zwjYqNb#KwC)8)Sr2M341kpA6=)ni!CaEprkb@FJ;!u^U7r{}UEmyq2E?9})YPpqAB zItLdSMg9K+{sM7{Zy|3S>=!>-CBmQo7@vqLdT!pzf8BU{3J=`hh2EpGmfBihLhFsn zCimxpuw_vw$Y3A-q)jq*GwCy{8iKPPO6PxtT{|rbr7I|7_CaRFzgM;1VlrG;z-YJX z`(4@nez!{cC3oeopu@_0r;hZt=cuhYD0=76c0VS1%c2tJ(Y2KO^&Pyg57G+vTW)a;#L^yK@*-XyvcLbg@=j9&w{{?{%UJ!4u8E@qS7Uio z<8TH>f%~qxER=lFi&t2&8npRih}oc~S+CRFpwnh4NU;E~iGp6;Ys8LR^xVJ5Va9re zE>2zStBozQ>t+bv(>47%Wg6(~=*Xut+wgW~+O~0G$Hp+-VH-c?gHzxcS0A2W1@QNI zE57DY?V|~TSR)J*0BbhAY&HkfZZG&y$WYKDc+~Cc=1e`@q(?ZGI{h+@e*pKa?)qgSVbIud9#eJ+%unV;hPb49T9# zPsR^77ou*zz%ISd2_iw^mPcpfasM55o_eB3CtrpW$q+@)V;)KBbVlG-EjbQ1hOY*o8;FIekf4nY2-v_36-L z#$gf*`8Y*G$*IVg#UE;o|=MoKaN)W_5E&C9>?eUAg zykPzg?CCo<6Ag&%tyok1w>w}G9Gr4r-1%jsx;^U-Zq=65G7dtcW=kvuXBPpL(AdKT z^CDdD$zkf)uCdi#@>`qZb!uVt%|(5?r}YPp1OeF6jbXk*#=KKz_c(x~_p{(2zoTIJBP#>J0L8Dou&ET1o!X@`vSv1Zfsg3a6*PeUVz$SlLpHa1A z^??4y^offAqe<)BH23pHKcYu`A8C&oD(jLW-r;O>91c|m+x#oQj#;xO;D(y^+5R7X z&;yPimU1r2pYPO~Qd5VRRj)@N`$m7N->+|to3809S9N}ht}wh#=88o$j(L3Olqw>~ z9GG$GiRCyT`A?aG*lK90GB0hNn!pb?lZDb|Wlk|v-%L-(9O{f2uE`kJqAdZ*86a)|wyb_um4bs4SNc)v|v?wv}^GqFzB4 z|Lc7}>uhgz`RMwif7u-KQ}EIGfp@Csm8i6Far-WH<|MvmP0Bv$NSdHI zr{g<~(F#oZ_y=yX$KdWwC&&n$Tn^%|@S60TVAF(aJiCIc^!1%?u?hC@AaU{f^yFOo z&_O06nD5!QoUx|lUMqtN%}V*?@omJGy;Zee3NFfB29Imivc}=F=W_r7XZ-DfE@K z*^24EjkSEJr#&(GC6Y~1l-Q_ujvVsf@0O>dqtEu3iE7^uxPSWGuDSt|98!RSc+=lI zd-~SYV6PkJ9pmT`{PwR8B8|erpaB-_mn_*MaH){e-|C**RRv;>FaMT|WRQ*U@~HVN zlHk}n@sT_}<5ldq+n2rlaXfVxPb{!tW@p@i!da}Cp4`~4(7^FX{12K%e+d2+gyh~I 
z+a&FV^iMrEP;(qK+C^H8?u}EDTPtOqrMoa&{xLL%kB+XaBa!x!{$I$eO^oLb9P9GX_e%DR5Xt6wi251h2~bagq^YJ#z_ zn;)z_C&M5R7GuQY8R6v6@<=9U?bN^sH6!_JKf{AU>)4=oy1!=cKq>XYVWuR!Q`IvA zBNmlo)7G%y`fo3GAM#V|-fb;9d7e7IGy5-7#({u`&?oRwGkQaiPbk5cN;r#mgoq*9 zN)ln6($+QW?BpzVZ|&>aNXSa%*EvGUa2=5HC~WZPjnPbQSF-nGE!~$%A+^t}$($T^ zTaBDK`1NkqbCL@?;NNXymyn^;$;wCBdg*KevDh0i9`I!VB0Z|96@eNR^P zV!ND$>do9whZWM@w&h~}0T@g%tH3f5q}z?1r+xPpivv8a_5{0#T^tGqTx{8Y?j{{! zFF!x2JarKeyhlp$D1JiE2Q}P4h}hP5=#y7%eFvQAL{bEm{5g`e!P~TN_x+AI;xjci!YyYU?rwK>d=I6W z`<*Rm%gj-_*EL#m`u=+LZ~ZO-+dWQO59MHc&9Bl;#19u5J-7M?_nDKkxDMnhtBzZD zwjPV>8x6YWX7(9|L&c3`BgUR+n#-?Ze?rv2Zntf63LU*bNubF2i8+5KDclGV2)ZfR za`wiI>bKjdtKbb;$ZR=rcK`g71^2MCfTKrDowV0@w^p}p^>bBuSIQpkdu7f6t+a^ z+_HeguD&8}eOu50kyZi&6D=J*J)b0PO?vvs5Q{JxIa%KSrDSuHR8ZwUa)?&Mhy4M| z>*;(f_EkvNHsvIfCpp0s1n-vaS~>oDEE4ld2B)|uaIB%7MS_B8lIrPtSV287) zY@xB={lco5^%1RBOz6Fga9xCm)Sg;ohr&cf;+umn{+uCeh5NIB)oWctrf?Gpzrr@F zRNSK{bZq`_5%%moN$;>W%O;wWehK_k&^FCEog|z-;U=E|ecNmSBQu#BOd zvly>d20Wl(Ec<)k)y!lCfAn}$qg%B(Jm|&Aes@mlyIQhez3{q%Ba^VdvE)>nqe2qTGZkMd`C^6=do%={bTRl2SH$k8~2QCOdDB~jiXq_4I4jU0_75Tz}ej1rn3+hA` zJ{P?$zRuz@;pU4A8V1w>V(knS9|Zbk=0gxEK&(}Q3Qav_YMGKm(bQ& z;tWMN#tj}bU+VDqEPHba>7D@$7KGyl`ks=?^KIOFNr7H^lc=cJj_m!)!Pfs_C*?N>84<>gGCy=Cy6-q3ia@DRQD%muHW(LRu zn%?goG}`pJ%%DjbK6e!F{EDvgwae3IdL~Tl`R*XFN3LBNAw9w>=jRk_YDq6A4M3{n>ZRma)X2z8gY0B zI+zb_5kFw+6)?50WBJg>s-)ggCs&n1n#z0s;D_0;xEMWk0*Qd$9V4!-6CA3~Gypre z^`@uvPj>LBtnu4|WcuxVtM7;=X=>1`pz8m+(B$iWzNflPHR8JqwIiA~G}9Ijm@wMS z=9u=`!oIYKl*_@v{}hj@SUaq3nARq1TWRl$$8xisTe}Fp~xOv}Dh$5MCXEwt$x()B+~(7Qis?Gv)@uHP?TRLp5*U;OkIb+q&R5pSLuHIzo&;H6!}eGd4t&L@bKn=^l+02KgpZ*$K zwea%Ee;|tgxTjZ8xF?e@=~u)N>UMN5v2w36f`~du^`zc5JcX;z!Tn}|RDY2=b~@A~ zSU>V3-F?{N>!Rb_A*(rpDfp)y_*8jRK9d=ZBSecKLnzqe7Q*;&u~ofM{JccUzuyK? 
zEcWvPaG6r>OafWLezOzVW=NQFwpnmsZ|&iEy`A4TQ+-swvP$Ag(x*4yo=BWKwRf^4 zC`%f|R6cJ-Lj0W@?(f|TtEX4`$y@fS@=HklJ*iBX+)jo}6RN4Yg)kyXu%8)wI9nlG zJaxanOv)0l{p@Df^+>?viNh&E9vi3Zj1idw;@&a!l^(43K$w+y~bxVR2T zHnTgdYwzakNc^L!DCt;}eIYdq*I;vWM_BpCU~D}c`-~aqL#OdZoM?zV;{ifja?RIs ztSYkfuEfuGH#k*T_righBdxue(`cbDWidB0m{DXoX4Jk-2S3Zx7HjgyWGa3P769I* zoxk^&a{AHD$qDohalg5<*^zH`^8-!1l0cf8Sv*bdR#)yti+b*_bJ-|nsK7`ZTDw@TZJ7S!gI=;phwe;e;>ZsX+J zkx!~BWCJzy{#BU@ztrJc@8H%lj1qIDm%+W50PMKlBlVm;06IVRzl!g>a7)o4{d7M( z8g`Q{`~W*YPpp*XswL=4Rs98UH^u3{`$XrzZR=I2CT~f9m?3RV$#CQk4|gZHKY`!h ztp^2pyJHRLRh3vN;4JvVpcWb(baX&%`o@$cC!lsK zIjNLXN4Vqz<=%Qc9ZBE#!PocAn+YCTB-uk3(ES%PiI(yOP=YTj1|YI!;p!jB106c7 zOuhy`pi$uW?FPuIcO{l&HFftD#^twh@322<&W){B&a4Mr%?;mIZwOL7&*mW<>0h3D zjxNbUomC^V91$lsF@ z4VIb@+Fu5rF^4 zC{7$jep2EZQM~6smQ4m-shh%y*4~e>Y%MplNh;OUHeHp5UnKjP{y z{{A8|;Qo&mH6mzjtna7DjLl=v0Nx*y5eDm=t1L!8)RfxNy``;?!c^l& zq=4=6_?yRu0~AITkT2Tb($pgSLX<}24#U3s^(T%PpM-KWfBJTd8XB)n_7X7Oe_%u(QJ9@v;`uinTq7!^f6fC zER#lcS;SpgvVs=L!$9-=2bFkoTXTb_VU{z3k@8%uYCx-eL8>UOjVUwYj@(_y5V!Mh z5lGj0Ds$l>~psBGCLDsPu(F|Z81iw#Zx)Y3<{X;iP= zPR0xr@<}t6`KDNHouI|UjMxs7=v;!bGRkzAe|#cd#{44$fF z^P+7xz0@MuW;CYUZK3sOTR}E54#4}+E2rsoQOYpW1G_^KZBN(jpOcszu*!^2J27nl#5y$x1~;f4FvEd?vT zBU99Jq?0s>_O7~a4S~DFd?7D(tsi}N(!f#eg+s}^Orbd{k0;^8k3@^ld`;SuBbp@U z=Op8w9EGEj4RJcCx%J($XHm6Y20zD7!^D_11K8w#K#{kzyWc`KDDA!F^2YOS)A;Yg zBTMm%n*r+2ZwBCRVSRrcN-CcSOG!yJy!EA>EY5=uRPL0OO?De-8}Z(JgUbF|eMg{P z|5cz4GEyg|_WLW^@z}b$@?>DScW{Yl93J{pTHE21M*asCW*SdY+jDAfehsmNsYwqy zk%+_uRRsQQ04{zh1wSVR+|l2BlGatKniM}|{GscPDobr363Qs7*?fg{B8&XGU%=HT%;(c|Vca!}sezj3G4;pcX8kr3d zK-g11Y8@+RJ&+WNf$6SW=4(@AW)#}Lzmd1vA8zGl>&iiXB>nChWD`+>*HO-vtbph% z{=~o4guNlkDIEvmgP=?EKVE)Ksb?(4%+%Mo9ilf>N zU;VQiB5Et|M(|??vVNYIs?2HL_=n&Ya;(U8Nub!C{?t8Gg|}=IbgoB^E;e3N^X-J{ zI`Z|!CwoWIqF1gzWFXdKSf^3h`i(|@r_QGesMkyOi-t_k>PBquJVkl)cc}Xg=>itEpY=0jIV3sJ(t!fspDP<@HpnZ!QpU1<0+Z^JBHB%=IR zI^~4Li>k8+8Yftv>uN@9ls`iqc1&0QeluC?$0O9s#*E~lIPD6gwiL)F{4v+_s~#cc zFx)VMAeY=R^q)zWsATDxcAK;9ccriQ9x 
zP^ltf=eQ&g_~D2T$h`bb(V3K?xkf{pN;|flLa73MTDEV*OI>1P{&82cx^lFTiI(2P z^sf0-uooRNip1Xr`@i4X?o-Z1HW?K=--d^e`ms68h&u(k9ycEb1m(PCc-%P#*>wOP z5zdRCqZxbXfNy%~h9Q|`T=YL%WV1)(alHyeK)y)65%@~N)ETiE!|r^%Sy-?2kJk=h zAE?^yHg088c?9-$4%Ld-qgU?lNmw$W9AcmO@&8$F8=a=ef@(v=7Xf&A+4b5vsOY0 z+&OVrgCQ#Y)U3ri>wZ3n?I%Q^H|*2Q#^sPK8gHyL_$+gQ9Sc}<9G7JY{*+zYigcVe zybcbyMtoV42%S$SP}@XewHM`5o!}{dKfV$&;a**0K-iD$uJyoUdBgBjST+k!QMzHK zFH?JB=12TkLO2y>zC9%@TrIR*q>xl*0PrC@(x&jwfs)8hJ-KBah_AxZQ z#`d4k$ryR{v;hs66oTnP)Bn3u^Eo8+SGB1GX?Zi-$f1syMpJ#Hvy`w^n| z?1jV4L!S1ks@LI9NKGro1V=nW%;ly=BsgdSJ`6;*$gv#;=^WJ=6RHmN#a&P1M; zZ*W^PEL=4Iv$qd0Lhh4DO|*u8F3ZZcjE4Q;^M)M#_HI1NpU~O_5w!@9Q9#mqo^2d8 zb8>HQwEx|w(-L!=h64Qq`8iu>~~Q6sREd zPYAwS5Y*+NRRvz)zL|P+AiQlg&H!zbR({9F*$;={hUw4KwwkZMBN*ihIV9!xJ5&|B%dt#2*y^k=(PWhdJRV(#E< zKc?ioqAtpD|FNLaeeM@CyvrYT(%EgX6D8a7@#Mge*F!#Mstz>$;zZ9XrykuFqXUKU zspJ@#-x8wfypG5OT3rD}Dv?7}Kb~@t{fKYo9$K;(d+E}5)`jRR&wTVE1ez=Q#Kd3j z3ltRa^$WjkyZIjk|F7hA!9;xo)dUJzy(|e|hLGRU1*mrtbXUdNq#9u9_fwp!kUfP^ zm6bmM_ZwzH6L0nVK^0Ghbl{(%Aj}Le#qrYvHj6UxS2bjjg9R-W>mSgY*-W-f*1!UqiR{) za$Y{habXN!5trX$_sY`HQ70i~7T-vJwc}Ws*-D3!AEZq3dn4eaK3qg%RA?;f$r*Vf;Jp z-VmAsDSO|TuJkDK{Br{dFvp5!s@R|Qqz!b~mMhe21^1Afn682x7SVaKr_vPXfb6NH z(aZkYC?B7c|A?{B$BMP%Ln*yqys5`~U@OgH)NQKDRZ3i4}(l5 z4eL~&&kJ~cijY$*A%vUVvdL8V%W&Cw%lF1a(^0M&pC5fc`lt;~elIUKKs(vSP{~ae zLd8Fu{vayr{(IML--Uu#XJi%o!5_NAp*P1g?mwsS-#&F3xTLbQdMOAAA`;8(vHJZn z^lBT(&QI$q471Xrcg@bzUQxI_>%4_rVEM#cBO41Za)5t%o68SUu$k5bO2eVd86jbk zFTGTX58AOaP8o7PFfSuRboPgsQd#kK$u^Xyro63wqjVFX`;0|b=Mu71rk^hcStnGL zxX8YE(59SWA|4?;AUzO>TI{V^EV@vs`=SHZb;=@tk-hwh2Qt%R!g63iJuI}J8K`lB)aw- z?8EaaAQ%m!AzJqI+l@Z7?Tg7gq@c2m2I{_wqdZGFV%9ZzRMGyv)}CDz|MfGGns8{0 zS$@LpQICtv*~HYtQ)t<~(tF&t>%}I%P$BZy@YNjpfHctQZjadW@bf9AVZUYVZ3v9> zVwckEo8*-8TN({dr^cn89H{QLkq9=7B&c^-Zcy)64E?5xh~>9oenuwDY#rZ5eZ(gC z8a>EYK4uoq0$1b1zUldh$76HyA>oT~%=$$k(ZoBsSs@`7a+eO8fJDx)A9T-Uz}tiu zBYwi+PIiYzBgFHGc)Of2SIOJBMr|Xq5q>iQng; zt=Zi4tRb?0u-G@Img*iRYM0)-cJ4TcQ0qOSTWu{Ln%*3WC1HcKjv?N&@qB`Da|_^0 
z-%YzmRraq03k(PznI?)rTG3o)Htfa=2VXX~fSR^I!mw{9HdUU)DBW6`jgsF^IVXlb zqm!Gep;+M-y86d^j$$GW0o4Yqy7(l}Z|mN4dbL=KAdms>p3U5@lJG+%AHwx0$)jId zz~Ah&fnG{9UcBRoSfCgSE<0&;{F&KDs_<|Et@BBf4l(j$i=#%(-|#Qu2FXu$dm|zR z*OfNK@}NC%EWC1+($^2pOQO!oQXc)<4l#Z7c{l4XfV{`1W4&gA7p-$V-9gKgL|1ts zS2dh*Iay}@cOY$#&YkLw*~X(CNP;PeMcL32t3$yE#YRZ0jZs^bdJm`8B5n*v7%x7$ zxVW68sAm3(Xme@+X!Hf;%Cq~M@ZFHYx}1U=-Z^SslFPk+E^?Ak6NpRNAmx37zYbY3 z;+7@mi1Qi#VZ}b2OU%I&d!(p-j0I*{hM;~sP|z~!%fmR-zP3(_g-2e$VQwJByH(r7 zZ#Iwjw26INd&y9?sSgtgYLS2S2}aNOm<*wPz2k9X&K+&W^3+itF500$$jo3~r{e99 z2n#e5D$Z9%H$Niqn|$Hd-7XDhQdQ(i zh=-}Rf`-f)kvsaksUQ2)g>{p%Z$TWIet8*XKehr{S1d?}usN$~qlHBMZz&w{bFfn0 zd3pB;YT$*Z2SZo7&F9x1YP`|lD2iVL2ll;ddFDAAHJb4!yDEMj^q34d)ZriHoRLt! zjN?u@|8*HaUiZeAVV3Ag-d%7Y@;6f%ZwxH&Gg`m*#Fj0SDGUF@85qQzF`&PoB;BuD`8Q0$=o-$2zN{ILrRrWFpv21fP z{ROhV;l8&o-Rh%QB>EEpru;9Xcm;8o2rL$SSKld}&|d0KDK^yLBn{AoAGGuy@;}+Y zyR{do@JB15&zP!jKKTMK3T_t#Zj{M}5t*XG5HAOLjuWWTFq*aIwgtYd=f}l$3BbhJ z>zVvB=t`C9)AAt1ZQN#tNSQ$jj9uajHW2|f3~g12mpcI$t2Yv!teaDXotjvJN#Q=MAsG51r2oMyb;PXOuVccmp+_Sn5`FEx23pF9;>mh#ckCdR?~kja zaxyVHdLx3oA{vT&wj0--R-_B|QkCCME>&4VDY7}DS&s;84Nht$d>l8=OMFJ>>40~- z58OC>A8dO6^&Mi7Po#fxTZOA=YViGF=IfHiHX^BFnPnxq$)h6iz|#HytL-e~qWYqK zPp3$?bf^p^B}g~Y-7s_wDP2Q{G)RfkAkEMXLka>)2}4SWl1lf$J@|iK-21%0ug~oH zti8_OYwxqy+TWivW1R*(T54;RnD&^X9OF8}>y~)gl*6n>x=!>ftT02B{0KI_GBpkR z7$#@$3B|yX(T_#l>jCN@YAFOys{|o8L3kaNLqC904pwMSt$K!w;w|c(3)y|8@oLc> zWUXcrDEG8|HagwaCM=w7R?GR=K3T7lWuRK5@C!&(8J$?kw5p8Sh4JUC8%+w_#q7zK zaA?Lds0(^F2x;{czkJF`A;w68>h2s)gvPLin;GkuMuEB7n`o(%7x-$_n+S^jCc=Yk zs49 z$+5Pz+(E<9{ABb>l7QT9=4lfZuV%4chBZ zoST~%eZOBn%g|+DCZJch@brE=>8W2Yacz)k=GnW?ql8SxJ~y8W3yZPtq&QRGcuS`$ zliaZ6%IiTEipZZs-Emy$4eO8I7m^SZpMr-*lW4!@@F7}XLa8OmI8dAJY(u6@S-Vm( z1d609?#vun?`i(d++mr+qs#m`b_qvLL6SNr8ai2!5+@4e)5FJTYaw@=>sqRomA72P z+3wC+u;)3tu|H#XqKNkpT}4*$u%7rN$zHn5Ch>&EJV9eqq`7C{-nVYTDvMq_M#8;r z1}>z5-J=giT@HF1Z>F33e}bA&?q~6+@Rky-C^i~d4e@T7`m9rSqCyXbm_AJ#=@PlF zsj$XZgXO!*=Xi6zv1(|_K({Ctf?vLW!m<99mDd89^IDklEsnm2sqqGTJu2%db`MF% 
zIsJ!w4p2V3UQ8bN@(h=7Vi8j4`>q1YMvm)!eLv`75P!D!+%|-&T*D!mtrS{%CuQ-o zyQoR4@%>b3#?oQk-N1l=GDy_8>$KP@v)0EE&bM_@cpWO-C}lAq6qjF-HXi+JR0lR1 zU0QNuzm)n04SUQejGT}sY;#B6XdL#Dbm*`Ap#$ew>Zz$dRMI{&=Ie@kUD}|eT=bsY z+qa;Q0@C*bKX_(8#IFf&PQtn_*@ws%8KizrA79VvIETXNi}pt8;(*M(0Z3n=MIwCd z%3CPiJn%zlSqno((u#g^a#NaX6%PG=`|8}v?oebJbgqBqPb2Kk z+GtpjuCkSYJJ64o#RF$tW_BiRaInl@UbSf$cq-%a? zGZ7d@C@U^+`QCUPof-b5pl4VP-@>@IUN|%zeV`0ns`<8_@>Kd%n(eIwsYUH!RP!lB z8(nD}M#AzQjjd_5eb|aCS-;A}9S7bqgFgX_qg4jODdzk(&AID#N)W$Hs)55^JaNlh znEvcU4vFeFnp}zrs2Nb{EZPS)!HE-=1`ut4n%$w#mU)3X%uUp}q z8d*APTreo@#dFH0`F*(kT-36w@(H$2^b3{3wU{0hT+%wA|>Rb-nXcq$PQX#!2=HJCh$4#Jq`n(Ne?mI zred&*lkUsK z>ka1C7#Dk+ht9y~#)@PMLJA(Y3mLniy?(|o+I6dMT{UakjA-V|m+WvLQINXS>uQ-L z>1dct#QKpqJ?U7%#2yR7&BRJyF^|G7$$e+jhI1t-aGXs0wkORAm{&a}-R?sYBusbB zbV!c17ZZiFvZX24Xh@FsTaRr-306urnEZ3?=ce-W=(XvlAz06%_!9yNyw*>^FgQr) zJ=0f3`7%W4aGET>wJWM86s`oH(;c08%VJpFvugTW^vZm|`g%9xXRy}&ECCS;)12cr z+DCpSe56>V0+18V1;30HF!>uhl(XXKZS^D9@Ig}F|dbT zgtA@>ie0_7HvaxL)x`iFP-}i!PEjpVxe1;<#VdMx*26la5HN zC{iGWfMcmJDzQjQ#dY;@bk*+y=_1BrVfEgLv2DY~lr$shKa`<_CX51-7n}eyocX#^N6r!5_lZXY?xw=t& zR`z9g>n5P=aN7OX{0LA2IrFz}ZgpAP03UjM!&FEeWcuA&99_r{_qDy>#G8zrUTqBT zKlb-}Kc}L^acGC(qYcX5TfXHv>JBJFC192z_~&wPJLG1}2Wg;HV-s)2U>1}4npIP( zALbHmKg)WpM^2Jbbn65U?8kIY#>qGECNN~2pZzd9Q2d@#V8ht>m5}zgoZ073o^aI& zw1)AUOvar5234sn)IZv1(&>;64D!frZ=sQ@TYcRADg5m1a7tbUw=H`cjNWgq&3_ul zcRs3Q-8{qR6coY->`xN0)dHLYus$(E8STn_4B_kop^>+h&s>Or^@Az_(F}(C*op0I z0XyyH@?lf&6mHL^PyUvMs4{?2lS`4KWTKo5fM1zpR1=0a+4ITXc`EKyQXN4DIa zcbx7-COcfgtZr6HVUzbKN7+C~bLH~B4Rv7KV-gc>pu8fzQ%eG4V(05nFdnjwRFbqk z#*;lvayr?Y$KO(JJbL%iK|9mT&$t!6Q=pCiO3w~q~S zCSOI52|EZ@<%=vi1an1l$$xzveo!pWK-n%eNjngh|9fn*i?>fFna7}v4mnDQTPmi9 zw=BGgZ58blb5_Neo1oBG^)t;01+^cj)U$l*y`0;1SLN1v+erP$d?m|GLku2`mz7f) zQeB`vyr~G|_tD!iD7Dje}x^xwZBIBhZ2|WgR`HIi?61Ba$L8-zaDru z;&dS^ChNbDwbaQtK73P9@P+ynT69n|pO_T2MX$OpqW4iE1JM&TQBB;Um!xOlC^a@~ zDygGwgu`9cc8Bp9_~4t#v1G8dNiS^uWhOIJ%DvUtCF@zI@>2Mawt)5q{M&Q%rU3P} znS)4~gI{vv#qeHv{gxyf#R5{!igyG%Ra}1eHkMO^%v57y44ft@BKpC}pGYs|_U%q; 
z>=i=Je{YOtoO@FYae(LyQ?C#89&fzFF%#M(k0=TWbMGyG`!2UhJC6g?_2admUHRZ$ zsC&=%#$>$)_V=h{AE0LpJ^HsG$t7?`*4(40VNLj)-gO3CWBG368-Ij_rPO+LIrobj zAot7xu_{$UxZH@>tRZlxl*DV?dP%0<`)3}3cI2hZmuTJmJAC&73G%oaWlJv#Xe@h~ z=R5RnzhB%V4yPZ7M{(HVgt-&HOKG8@5M}i^`mb&&auT-0~0%Ipi7&b zuU5wsS6R=hu;6JJ=zHR2K-~}1IF_w36+A6(g_AP=e8vgt_8k4lIJG<@_?c*z*V}{d zwDNV{>&qH&3Ok@QyS7|&a8@%$sw?(&rA()Fe6navjKTs6xn@F*tP;|INC&d@S7|G^E4{q8e#F^V4*{!xXoSQ4~mx`@UTnMT0xQU2Su=gGlm*U=G zd5x_6W#EQp(5*pS!1jodm(PO#JGA+okrBn7-N`WJ-QjKdmsbXw`_ovlreuA;@+*IF zP2o{?OR{b%v{|X{VfjlkxjU3viiW#<>3TBPI3Wf13An9#wq8$A?qdqa+x2=U(y)Tc z`gQ`3iNEi(;+p_ zWza%3y7f%1$(<WE)j3(;sdGY|B(C*@+CexE`3(3Lg_vv+`* z3Q@CIz!|_7-x8%q9XsCo`RGb-2ac!Dnv3Ph4LTC|SPs>T!YI+MbJ%*48<&`j53B2u zPBH3o2kv6~QxumgqLdnPbJMVU`M*9_!X53p6!miZakCvcDqJ}`NDxHd?@nx}oVM|2 zE$jNNX;ZFWa@Ugl!lG#W!S72%PC@b9=5T7^qCYZc5{2Y9CDopREfSU3^VoJEYMo~} z0>Kgj61em45x>uP`VE4Syk<5!79j`JqM`@|_jfxFlV3N3M_|`jeGXf-%?(>`s<()n zjK7Y?v$tbGaX(PE_Y%Kk9j-)(+p@9L%D`3c7v|{~>~C8{Wgt|$x)Ig`Um5r+4w!gmMZGWe=VO;=IRr%pZ=5G6cS{J1aRfyC>< z3^~LVJj)ma;zq)IW$7rH-_L#%%8jJd?3IlqWxBrbWh@tXE#+MN%ISOB7~HwV@3ECd z@C)M$q5Ed#p0p{p?c=^Yx!TlaqQFaONkPXd<&B=};R;^NKJZFzC^xr0na!ThDP;Ht zc4k;O{V{&TFZt;m`8n%YoEzj}mw-HFIppib*?gv)ey2uq8%!HV!HkBCBeBB^D(i zA%R_EF|iEb$I;w^n*bAHaVeM@SIM)9%{>E$lZ)%Esv@a3dlYPYFQn;7<8vSqYNjTn zLLH%JX!kz=+(-8seDoA7Q0~)lhY~EMW`n|}9U^sTxOHgP_d+u&laDUrkBMQdVDD`B zWi?R*`gzUB>c-#9nZoFN*cT~egg)H7PZ=(^208; zYa(v~d)u=ojZpHMbc`Nt?XJwu;&i7BxC;&(Z?!TdRCl*6hF*8fvShHO_jFSA1yyZr z<1@V;W0cnd!WT82zO=NI-?Atw<0GOUiH^^;c2P+0UFc1rtM)2qhGuj*xky2Zj|hz# zk|iE1zCNbjl!!`Ker%Qn+q3jzyN1azw`c)g)FVh^#<5iV}JJDrVV zLi>?eJj&C>nBYpU0xW-0mt}#!@w<=pX1L!4W;L!mx^!-DkJ@bXxrd5Yu1~x zro|kF4Pfy7zJW1r4N1Fc6)ch?b4F0&6yaEIvzn?dFG;^Cj^x|)qdU4^Wo_7+bH{#8 z0qfmW37_7EZ9R&qNxqz68W6`@a4WsmV+loRz}jD_4hP+ed$fg&dXai4+-1W>^xy7~l!F{fs?DbzG$lkMj(p+5yZF zJNGtA0CI#ertj~Kb+Cy_j_E%b&K^pAFQ$ELq|Tfc?O_*wU5C*XncE$0h$(sCT z#ao0!!0QJC;L}v$BN!lBsTbP@eV2rS{k6iIRO-X0so{f^7+AGTaE`MoR!XC`-E zX;w7WG+ZSL@aywtcP9`PDd!4ZYpc)cp7|jdwX3aQk?ua@`Me*trr5QhFgIKBd_qyJ 
zsL8vT7lGHzd#Zg)UsJ%d*Lw7h)oX^{R9$J$ORn{1(@`jzx`JCXyf|Orcr88Y;nfb) zuIVX-hSY|gwdz}Ye=o6FpCs`TIXzE7k_KNXlPg8u3{>WE7as+zC-C;_2~jzeCs;h& z54_JPU?9}(+=LtB&3&|x#nJ>aQKy$ApL2c;JIIE!g_ZZEf+{trdRj_iLo(7yx7?n( zA`iUTf;lL=OMnUs-I5A=ZM3;NEInMb=@Jt!fev|`g2@avUGy#E13{j1d(X4Fupm0x zK+7f>e#-q2r5#ij-91dLAIkHCBh1*5gzKDt@S)UcnMBLY!HphkEyduA$ooDv99ebHnEp+~2c)V$K%9eIt?FMgSP8rlW>&@NUp0(`}I>c1wuk-Q2i#o|z>>ss5 z^#s{aP*s>M4qD%MdL(A$)S`c&^N%5}9*OXt>uI@j@tCZplD5N@AvHBX^ahufsVk;y zeau`UH59r^HB)YMi#Q$4tCO>n1(r15TZ1_0Bh7<6XsJX{!oxh_2%x}=XY?auR5D7Z zC=;2V+~RW~K%zF^SCWrn^F>{3l`t!rgugz6m|2HGrui?*1E?mWe}wxYvwysi1flHN zP-7h1aN(0Xb!X2lMH8WAc1nqy7ZX`N?@ND_+RroVDzX&rm^}GSPE#yV?9%B=sA57* zRGx?EwRiF*O!dB*aQ4rR0VF!f1!brhd_^m0qsD01s^rVLXJD4Y=`RwNA|g_1mi7 zIYUCB8&j~`?P>%#Oa0;_s}`YIj)d(hZdg5J1orAWqhtBlUUkWOQ^atA%viqX4YE?J zi0F~wg@UdEQ3`hq+HR%e#S1^zrtK2+OBI(TCjGCiqejSWgQ_o}|BR)XX-l zmKlsrGSs=c#ar&kze10yt(`&4j!jy`uDlYePwOie0U0x3Bz518?GZAhQtEPbI1}L7 z$9zYpP&Zp1nORcaesxrweX`Po-SL@V@Gt1Je~>Waat|Yh+){?ZoZCLTi9fXZoAwV$ zvf-yi{s^G24io%1szX3Xl-tU_i&jKwnrzihS2%@n8vyj%tuEf znhUM@_IzpdnSmP9HO;@2bG77a6TL}*0@Pd>K@#!K^LhfaY%>{>ub=Y@$0W9=;?B1- zr0wZi=BD;G{}vlMnG??p(D3Eajt;cDfLDl+#uK0pCsg>S?%Hg=@ZP0{F`l3%y72Ys zjt`%=X6u(~4)jlC7EIwuw#hX?I6wLo;j-Ax>?gQSoj<%>;92>CNX3c1U|GozMu;@Y z{gr_f%-~9UjML8%yEp|$)V!QmV_9SqCCX2R)s21*X!Z5xNW9Z2S(mWXB}?YU{S=9Ij!N}|&DEyq2@ZyPCZOqZrLFMi%G z`D5X9u8KSFx>v_|eyyc%^^S$s!)oXT49Xy zHG~L+#LG}EWVXL-q#vb!oGSerfPJRtbEeu#gk<(x~jPE zIA(*g1GQfpXJaU4-48jnqS3p49MrF3r|P)hztj$*6SQ5?GoRW>bMG{G37mB}X_V_c z3i58u5GVYJcCOdm6uR#Ta-~LlSw)@>IeQszPgz{IH$Sh58RvW-W{g9Vh=uw$nouFJ z`^Le3PMT;-nLZJ#|6h^vShg!3~JoQR(;@6A4LmL5d1uSl*9L=3V z8rt}0^Q!o6SAFH`3SyV4@bB!6hKc0pkq2rKq*2~Obg!D-FlSEiT^WAC=VrwpX(OMC z1%A}QGp`7p9p?)@;{vJ7xtO9DxA<3x2?Pz6yJwb-_*{K3`4F=BN3PU^sp++hH5f~F z^v8!g#r__!w5jS#g?t(NRGYuA8P+N+y8JtRj`3nygBR;`B zqdHXNs7zx{)xgw8RE7G1(tF3O@q!XJs%6Os5F9hw@tuiof0YVR$+fyaX7x4t3<*~) zWy#hIEK`26!}qt$RQWcf&I&Q+p|G&OF}pl)B32ZQvoDF!zX{%ZrS|wWB{wCNZLEH! 
zhBBIWq98XSr|h`^5Mwbe~uXB>X@j@buOBs6STe5*r@?r-+*k`CTTz}E z-BE4-OrF5NXu4!5vYZrv86Xe+N9lQhydV)B3Z&dQED(6%ljK)+KBhi2bt9$BhW#*3 zNc?9)DdXN>a{*tPSPLgYR4}17+(;9_5G3!D z38rkRmcQ#n-X+?3b~jvxo5xeH>zA8v<~MsJ1AUSr#<>7Pyls^!zB3*UHC4W|(RmXi zRb$Zz04hLbl)e>hZ)yb=)%Q`RK|gSS-=~nF;UO#6%RXt7N{Cc4S=`9JdD&0dUO*AA zXYs+^+1lH~#-^Ii7iCAVA}s3Wp;H;q8b`7P^)o4)>f!L&SdkPm4psz<*kd7`+fOTM zALJf8r(-p`RJ(Lva&WsG5YXZ$lMv6pdteNy6NG<{bSu&}U{Wd#vb98;F*OvNcRr%^ z-FIDFs;NnAbeY<790$$6i=gl(X0B5t(!7KRhn6%QJzX;=wDLW{t<^X|52zw zraw50dvnSJitMCMMvE=h4Pf-764!(VZp7#<-jG58id?hdq})$uCtFV@@SaDiqPcv7 zjN(V!C<1ga@#IirI8dI8sx5wJ@5nWyuZ=es-o*X*`)E>i8XCseR)s|igESI+FsWUS zF@<7&>;2a}_`K5Y!>BICDL;d#6@O*Y3XnLTauENJCKO+Y(koep$?g0LNS_zneEV9u zP2LQC44!8O|M_mD`a1)Op6UZog;0ozm;uz6U}8eGZY6@p!rohdD4@I4TD~z(s^5;# z(466+k@#9N~uak~!E}jzW?%$5wHnv6&eT#r{{Q2a7}2 z&F;s@ubd>vj&Ad~#k#dp#P`iUxCA2E14Hy$skBF;4U@UIsEfv z!%i^VLPs-D#b4`|M#wXpjIph?yC+@nB~JNKOSs6lm(8X z+q|R)6fCa=(~Z5kB|LkvNdb5p(8JgUj@vr^3h`=!L%V-9bIyMc<%kRQutEx$?2dAp zwO#%~V;y$l-&cXjRGg2g<%5Ew&$EY@O4(A@&RiuFNkeb>Io)l$lgRuUq zQKrVQce}E7$L}=vLDmb$QJ+hX%Z+<`jz=9ok7owyl^fWa(S(#?ok{;^{Z|}^9Rn1l zv6KgKK-l)J>`PfTyc|2ggv zK$tY1;Xwa@_k9X&rAp^DzL&Fxp=`ujGn$Ao%FFYNEHK5~dNc$4m?NIT0$MfgZTqnz z<5Q+Y62?CriBNj9j%z)g-g7KO}gSRyOPC0qrkHa1F-+jykz|Y5@kMEkS4{~w6x zOrG@(6(>nHQikw%mn?e8&RZ*(y4nMJO^QGf+193d-HUX^d zYa@*cb%9UyjT^?fXoYR}v~{G+#)^c^;q3#1jTF`Fo_s`2CszFuPQ9)1q5H8a^>bN} zb*NS~GENG10?-^QaFdQ_x0xN2WS5^Z*D(-JB4FOF{I&#p7 z9_U`ro#1J6cbIN~`b#QQN6de8JanWn!nAUu;gOSIaJZTxl}HQ1U(9~xQ-5xDo<14`;nKyjrg{_r!RCMd(z>ZlfSXa0G+gaW zCI#`h>*Trx^DO#xdU*2n328tn+-Jk)P!tHq1)D^?Q!veGJO z&;EirP7pyGy8e$r;Q$OXp9v~ls=-fH#Jt~u^O2R9-6w>53EUz})e6)?cVqnaWCBuz zSa{E{c4l9_WCsvww@Ca|q=l+gClD~?|CJw85)oqwm( zP27_U>{-GShAV~1>s}?O%uuO2t-PQ*;sm4^qC?xEv%WYMU&Kf1&aRud#RJdQ`+7DH zgzVnG-;Y23>Q1IPo!KMyyZ`BJxMFDf15-CPln~Vum{5+24aY9c37bt%GR5aVe2DLu z^X8L0l9PL*R@!UYd^wA${*y)HV}Id)f(VphIM;fT(TuZ{7IKSALvCg{tmWtDYTw?Q z_q10W^*qa~@;04xi*HAF)xj{Lq0Q2@3@C4V2qXJE02&+7VaLPWuNiKqmx5`RnYC-b 
z_9N`*OIN0m`y1|;FMco>wNAs-WFx80%)2%28)Vw36zkxB2*haR3e+%|fn(!OQ%Ovr zWsp0Zu!1G)Zru(y3oE{t8IoF})Ho?Mv+Cb|{(g`FL3e>-69h(8qm9=7aC@Jr^5@8p zVq>wZd>aE8W>WTyMDp;tUH)s0Wzt*!a7AAG94E$KO^1rhUbuKf=svI;Zz#i_-GO+2H9-qV5n2?z7|FfDvy4J>-&eG9bZ1(a z!7Hc*uRIf2=HV~#^Qf6EVxt`BcV8#W78+E}7n|bUK1ew2^J4%P zYn2B1EMC@!N12)+r7$AgAR#kfj1)UbN?jz67!cmM*iC37=L?!LY6(DBQ6Cx%7;}XS z8-C_KP;hFVD7~dG$PPUz^2V5U!!dXjnpYX=t~amdX}&VArfdiHxy zfZ$`|V-Dy)^%-0=mmLEmw&%DPVtw8M7MyZ*+x;;IvcD5pRfQ>-Vx4_h7=oF*8UV8BAB0{vZsl3`1ST&3IJ6t$GRk$j7I z<8VDLKC&cQI;EV*$7_oeqrO16w7_Yq0l(e;$UjcF{Z8-79%NQGtTUYNVDg^Bmlwcd z+SE%K^u_YVCn-ti@+OS;)8Yeue1fq!2lLX{t(<{2pchgG5QHA#ortg;l-tboVg-v# zcT74FfFyFd-Z!d>`m2=sw~AA(UjYt~;=ImyW~jp*saoM49hIAxE$aFc>ZIcwz?fCm zY*LNJ-7hQhp1)dMWt;pA4?5V4$?x4;A4YKRX*>ZcZvwd7lFn~Z>mG7SGn}r*&jdDbD>t1gKUkj zru8Flu@qph{D3{zKe?MrsmpK(svAq{xc4{f90n|^0M$Rguv zO3o#>Dt%E&j~QTPN3Y+*j+KYva-H1e19=sEXwgv?Vqw9Tm7g!N#apFEGxo~jLk%Wk zLEzb#5O#|B#do#h9zl0}fXVBgs5Bd}0_lY|=vR?y1*#=#23=K0+7%C{+H%`EgWPPgXp|cU~hdy&XWBuQ&OKocu-vrK%ZixIPp*S&= zUx4Y7+^kM%(>&{zd4jh4@?rbnh9mW}7hQ(z4h5~qv=7)^nR>m|fs@3&e@mvEk*8fk z>*t?B(ry5qW)SA-u(2iP| znxyIs*&qfexPF?*V!l&9 zlg8b2nYpmOIrlKJuW(S_^F8*yY;I8~;k=?2Zsb5!L9}iJp_fw67W*JRO~1pU$rQEm zB_F>c|1dP!Qp@0=r;AsvwD`Dncdkg$?QSw?6WT4b^rb5#bb-ra6IUF+qT=XXUa z3v=a=U~mZ^4UL$(LFRhBr#e+nv^?DdIRj>Gjz;Xud}-Rqfmk#choYnl8lT-Va2lF+ zL&es&B^s;&ubUMA95v<>60dz$O%C!)_@n--r~y(LqQ4p<<@&(z?~X>{-6r=L=Z2?+ za@h@;YdxiAEd&>S)Q=SAinki}9Cfb|e(mGRcU>rhikUDLcVe{$nEOozWgj8vBPS3O z-{tTejopNY6kRB2R7nb+#`DponB1B0Iei-o>B_BFy1Ri1gu&htUGzEwmW@jMgFl9C_RjTO=kIVScS)%R=X6tU!eRRTT;*sh4K>0N0?}wp(5Otj!lS@hhEHv5z;`_H z;SM4ui|1VfcXGisO5op5P&TAlQ7MgI8z*wmZ`s@#+SRJqnVMiTK)*{+5U}#D^^udc zoD?nU>NN!}O#ucZIq>Tl*MS>DE5U(s zy_fz>OhI33v0NXx-=A<&E;-MsLC>nxm0gxHz^{WcKVN6=WYIWFGE_W4eM%cR{8XtE zu?;zEzWq4}Tu|p+MKu~S$KAzJV*K);n`JH=I>CdY9(+4Lx;Q<~1FW!nTJPE~6;JNo znz}mu5b%Q71#r9+Atr6^mww^K_-clQ4cNc+noEcN8V)#v)TkR%)}f%~FjNV@i`)Ry zjn+25gD}=f&g|SRfA@lNhZGU@dpyODx@r%iFK^Z;n+gkK5LNfYO98+8_|9WBR;rA# 
z7vYOKb9S^@_486-x097pa_#uq`9qB%*E#f)^^xsN|%OgTdA%-z?nWpOI_NHWQm#fsmMJvG-SRdc= zSPS{HEqN}FBABn6X|XBt_<=b|guxBIxmOLC|Ta?RHAu0r1BM=`O{yE`(ad|8e>t~kr`!l zuNRO1)9sQ|u%J8xZNZG8mBr5C5$z(PR*Za~Mn-|a{?JVy9XKCa)x?v(>HQekSV@g3 zsF`(9|MhH9`l00}4~V%1eU$S29Yvf^7f8XTnZNR|5oj$n??QQ2#Rjh7E#EmZYqkm; z_SDCvWGnR*!W;?RS*`y$7X!yD5?cBuRe4?pIe4qf*A0#;G!-ZHtPYJY zHF}?|fLt7kLw7_YjwK9BnuKLWHo-gayvxsfk_?~JpYU_d zX<@B1LpA-{Z-NGNEKRCl;IvBKJ5xsrt-f!Z7L)oLnCm(1H= z3ddJR{d)ds276|a4S%}M`>)NnDkGy55Ed@$iyZd{ZQwQe0+zEXIt>e3`nrPWWy{`$ z?s%#ZK%wote|G-=>cYJwzG*Vqb0>QfKp`9DwY<7qt&BzZ{{gohOd9|I literal 0 HcmV?d00001 
diff --git a/Modules/Server/output/images/niaplogo.png b/Modules/Server/output/images/niaplogo.png new file mode 100644 index 0000000000000000000000000000000000000000..2de1b0584be1c6d5776fb0fffe6e17c64b3243d6 GIT binary patch literal 22727 zcmXtA1ymI8+XVqZT1rZg?nb)1mfR(zOS(G+>6DP}?pC_HYw47hh6M=;zv1^k9~{^{ zusiR}J5SzwpN&vemc>9NMumfe!;qJgQip?sX9S*~qPzxvqvZ0X01vNC6lJC0{=IzX zc9bLne|h65r{e+#hlcy|0}q#;NeKKA*;O7SjlA)O7@qy3foXaI9NY&uc`0$Q=gLWk zj-%c|TJinkLFPE37&cQK_6Ip^xHo5o^zn1nNi<{0=4~f1b=Fk~*I9aYc;s1jY<6mE zdP`Yq%kP%dh~L%O5ohIRv1RUFEUO93I{D0M+q6yyDA*6#BynlOQm-Nqou?Yc2jl~C zLGpNS;{3&+Tbk1ZS&aO>P7$F#Hr%8-G) zGMK-@+P^d$lP8=c>WUc8T(~^;3^}fkO>o-Wn#mf5YK-S4{eFpat+A!lJZE`FX{cAn zlg4`KqrA$Ez<(p*s6q0!0*7>Ub-DDY$>w!&la6+j-3~s349?a+7BnwqPkmH_#ZV{; z7$Y784PiKPl?1b1Sy)4~Edpd8_=Lj**%iNujyuvv+J72*n-UyM%@`5(B^(tIPhSbP zWAo(dDVb|!B%b1s&g(NMf8geoM@_9JFGP$&A%;SU_GS{xr-kFKkvjzvCI)xX<*?8} znBSenK?+U&|Bj>x4yno7z^+**r65!cFwe6_jntq@Q-BH*<@MoGld7!I^1gW^55~dT zyP!ucM#@`y^)A$}o%c75g$_y>LglN7HzA&kV-BrDzq2CO#O-l#5=yDbP-pLjx=!C8 z^v%etN1zkr(leFHX^arkY7HW|dP`7qdEArzcTgLAP+*7!?O+A3Eb#WP#m|A28W1E6 zF*El-WrsM{O>X}6IH#nSEB+|Ljl@ZeHRRdmk*V8hl~9Hr+2^$Qm{^+@L-r+@*FGkG zbpNC)MURFeLcxT^NbA14Ua7hbp?yJEfjbRe+P5+j7savE(-cjQEW^aio1l*!TO$5{ zhyF>yxc-AME!Np-Zs=#k2Z2`uTX##bPO^ybkvG}wGll^@ijKW6E&Z5W@sPOV);SpqZA>py*&NqKcJ`Y$?*My!y|Fd&3|Fv6qd@fn35*a}n*&XHeZ8 z5TMP>1(B2FF%l*ZSXw44dxY0rFt=JMQ(OeQ?hUOdT)TT~4dd*D%TT1tv$LOJ9>n$w^=Gi5fc7ZAC2%Sc}fPwER#2H zl(F@dSQVB3Gq)UK5WLdl36xitslxcZiID6eZ0)Cs+tHOUbdoiJH z++lDX^s98tIHPQ{S%#Wb~-cJ(I#TU+%~qcYf_o$bH*+g%PRW$c6iS5*$16IM3DY! 
zPDObt0iwmb-`9vOhZym^pu@@!FK2M3Eob3X^5yF{nG!kHLNOF>H@k?@8_jn{sn>T@ zkJX!f5(0D%p)WUCG`hIEmn7ygDwe|g6_={zi7(-54AQGiWf_ZoFOTlNIX&NjgO`n^ zz!DcXi3zdrs<4ReDI=;sB#kT=;{HQ}NM9}?l4vR}6w6jGz8n<(1D^N>_u&o5#eaARWSAaHlLr$uj6SBT@D%ZMg#K zVOqvf2 z6HED$PIC4^qptaMo|P#8FjyX5`8O1)ip9-BM+XIU@)DPbd~9e_UfTHmm?Y zi-%%(QPBWP+xJ)$tiId-bN1G^!HIqRW6quryE77ZQqMHA#lxBuK>`v^;;oBIr&3D= zc^Y+j6--7QPsxZiejBi`roU@uN@$rYl4*NBx%AU{9Bpy=eYm^HU(!7p5hUUx{(wAW zkn$Z3L$E!-UNmZU6lPZf4!0mjtGOu&p^y-&)@}oVV$fI3~SlLs#!(+t8c86TW01O zre1CtT$km>M1tQBcbK*`%pq+cJ+G1Hg;JmLCK(GDK8I_ zv^C2u57yl~MOu22dm^)M4(i9X!Ygr+yq{%A2XbL_*#2)vWUp$wcMl$C-FfBO$)t5U zQ_g4hbq+#FgCtoNeB83%M04MsMRG9>)(B1NzABdRZ(U3#qVR)&!oBUN!zpbDuAo6>>>}bv(O&wxA1Kr%>JgP{jlKm z>gfzNrCgehiCnNn*mZn+FrkkE`iEdKr_#b%qSvpu^hh%D^P9u}MxJ6#M1Z#w&DZrP2OKSvH_C{- zODNG*ra1UXEZjMy8RI41eN8Vv^*!G8?{ut9Ebl0E!X$-01%wHLI z;J39vTxTal8Fy^-__}pSXn7RMcF6Qf$%rRy|J0usBshvDMU!}B<6nG2TO#-@l0Ax@ zYS_=)7C zgB(`Ge2mEej)o5NSgRS&(6~ut-Jy;*ZJ+C1@gbH}T4s#tXXl$$DGi_oJ6Wm=LckF8 zJXGakBeUJ_KNFb42Myj*t^z*M=;(VNV{y6ln_9F(M2<5BIjnI@-ug|s^+DlhlPFgp zCV22(m>sj~VS+*-HuR_U-Y*4%{omrl>)_v6^%ZVcW#~HVA1t&}i_JF?!W8t~h}eFd z??;8*!hm-jjVdy*IOkW#dEPQE0;}~}j7Be{u9UyJqFHQbf=$j8QN#~aJe`JdtIWHr#Rk5aPYT@S#n5=BqFTCK@lMXEmh%9 zF@k)JZOMr~?y#jZZ%p2k+%wDw3%~tgt&L?+vMgLUt$O>0@Ti*y98(PycZwZLyZl!S z!4byVOiZB}q)DuYyPF;4(iKf+rhr@dzltzrUQoSPP-Zo5ILj<~>eh->07>=-gghMr z0u7_oT>8c@X_Aso{ElzL=Nl<+PAm7(!qUBfeWkmdD=1sBNbm%1y}un`wPxh9h8 z7+PujJoBA!%9yRz#hRFdp~e+9(BMqW$lQ7pk}q=`{VAAD7p|+U?wZMU9m65+8E)a+4i)X`Y%PDKw%k=;Sgw-d!LM)O zY#)DlK}xly6B?uzD%qeUwf}~taM;2{@eNbku61fa$dT*x0=RER|7WIc^#NeEq*j%A zdG#l;IZdAiFyz4*TNezk#=hE$OaUp?;U+q9!EGAM^Jm98aGD#IJn+#Yu0%J;_qp4i zF)|7}@+%F^FX!twCSF#u%DlrQv{#4drdv7!YvR?>$iFW_QThoeDpu>2HB|L(R=9Do zwVS~)^(OCF+>+Wojj#-bW_!yzFz^K5S5RJ3tJ%SnBsCZLd4KKq#-(&Ck#5Z`Ea(iiitj(AntZ z(ubQY!Z@{|+!QIuWBF!298*8ewiUy4@AMw*Z%#^c^ZU&o(y9{r6QzEpNqT+Y?i#Mp zFIc+{aZnWRNuCy!2%tgq3#7Mr5Efc)jT-D-si{h>_>17o>DoSnB-7`D{<`2=IfMvv zayw!$g0)z@$pvKjDNn%GcppP|-wGA<5g!NwTbCVz{PSzwb^1TK&*{5%EGpgprBj#3 
zWT)VKZIOy3$%Z3Ge@Km`!5(Y7Z=4P~oI{zQYvv>~qQ)~HYBbSP9y*PWu5x~#OhuPy zYe1K*u#=T`FuH`7B13n0p^Tem$Q&0JIn9kH`_{-leOfA*IJ z7gA+A`GXnP&^1<(N<)wI4|Fes7Edv5cz;BPpf@iNYJaI6*$%?3Y`4Fa!sq8(0gt7` z{u6by#wWXEu$ zBfwsxi0|E)V9se>dR{3{{@{5D4lCA7=az+jU}0-uRdxa{{z(k)79oKVUuO6L>C*D0 zdZ4qk`kgF&ZWf%8jSWOGV=Xs+>%ckQf%DLIef z?^}a~5ur<6PO!v*4s1QdA<_)ZrmTCvmBxBUm$|&k6${L@Fz7OlJnO3h>C#E~mTH5J zW)s}-rRDQix{d$g{MVI!9JQsyh_qv2)~$1>S&U>W{ta9p(AdPz;xIPhudWl51XpVQ z6-_Iam*JKB3`19uy?3-t@OW5vz3*f0*9cj7gB4!5>9Qsgo0#eAQ(RH{$rHYtFDD80^{ee} zD;+Bv@UQeLhTYbC$nKqb2{C7kFK|Qv3mVCp)xTtwupRi-PtC(E##JGUc;yNTyv=+^ z2WBq97N0z}Rp;DT;FIui*s{iUvLj}A@$<%bK`CtGs+P${LdIAK6(Oh_`k&O$*Wvo$ z5FzF?q#HUDhsiR^O+1c(xj$GlIUKYuIN{MmSO@Jhp!b=Xc_(kK5u4I;BP*w+{MF8$ z1*1dz$+HW9_Txis6jh8HAJ|Pl?YQc@XQ)-e2njW(&fj86J<`j|Hh5k?4K>b)XyLZ9 zGV<`MPu-lX-A`dUQjvAg4obCu(Epf zhLLIi-2Y!68pX8R`dJt!%aJvsXQ$u0FV6K@LpLXddCr2;AqMng3!Wsb8XqF85q5Q% zKhzup-O+%94{hqy?#X@!%SNmto0O3i<5?QtyU?e{%ZR7UCH>psEPPFcc3XoXVcY@> z#$J#^_}SN6Pfv*LNR7RP%c@NFWs(sM;kEeIz|2EEmz zFj>w|rn0I=pY~y>SApH=?_?ieuJ?RyyuKe76aS}FTa|iM63)51Sz$TqK(z_rSFn># z+Rl4V!IB%ET04f7jSu|vKm-tj4QLQOUw#q=9C}PGxxeEeKoy?=%I^;q9y}{Y%_t>v zW^d(;j4YYe%R+&z>J|VG+u3P!iCr4o%TnGcLU>IiJRuqdKRdtHt z@t8F*1l2)Xlq`x{T6*o|!N>eKaNcxO?aRWUf9iMgo@P)F(J0A*ALw14g^O#-iC!HyHULru}OU zJQ^9ftYtW$75fu5ddWk!sxhUo7(C(4O|4cX$;?kxSg*qx^VhS(B0AdYt41QV+vW^L zYNW)JS?Z?iH|O@USjw=*Ba&n-8MT&n<$vH*UhhFZQK1nrb_K>nI*WAG6N#-InvL0m zdh_hqJy%Cx6&6F`nZYsHPgZ3W`Spe2MTcfKi4XSj`JYOFdgUC`vzdFFPM`^e^`LlV z;uhrxHy@bRw6SGF)iJbQla6%)ej(@&-qUlfqfkz==WVg^yi^bv-v1eyTga)vupL9dYZ7V}TfQg(~Jj4KJJe%JhnM3rPp$vGABR`jF!DqnNMekW7FnBXO9QoGWIkwA9tqUZ$4x~VVw z_RzcRhAs^aHO0)F)E>j~eI4!6bO|>n4rCIWyU{wHPH$gwWD<`x+6I=!W(l16R`0{r zdSijk;gGj%u(~S zUxOSc-cz^6Q5KPmK@q;H5D~w7-7CC_s@VsJpr|g5o-IwTXM@YZD8ov=G@#f zXaE#4>iL{3QE8rE6{!;2MRz56SsX1B3N;wwq=|E8HOts_;u-`b!`n4hzZp&zTkei7)=Mx@amogy%{jA0@lws|4KWxx>)lYG= zsKwUR+{h^o*htv$uA9G`OKKFA2B*8)RX5NLvWTp_OPB$g3;;(RB zAWi1k(*MB04IQ|T_T3Y5mdP#P6t0(Dofl0z6sL-QoR($mUr z?)0HP*p+o^_?r2B_6PD<(99tQ2U%?V*uLGqi{&jhhY_9`S$XfqU&d@(yI=PRKA!HI 
ztT&60ooRb4tT9bIz_pL^;4db}0obb#h!0YnG3qB0!!E7vY{-zF;UmNY8~{bCZ7_L> zaZB>&`1lL$#+(^)GotugryFlJ&N6@!^=B3;uzwPGf2=a=rG!v_F}l}T$nw{a+HGZg zJ3mPC11*vD>ei$K6-z<;GMdz%nL9kuPM%>CTI6y@dFv`;c+8|9#ux56DSa_NGgnrP znn>_EX(|rxEyvGjMR|V@@V1EwlmwM8>xQHV_KH3YrG@d}bWY7Adz@4^Z`8^m=|Fm#& zjLZYAn4hswgVQvqE#ZKE7^Y&&TbsD2DSnh>$F}dOfx-6PdJEV$zRtE-*mi!Aqm5!C zDFBR!r7C{*Eb#eWfeU|aOQv>`5JgP39o73oY1j~&gLX2gtIEFkHVI5py zo_lv9ql%Fnpr{DB=rT*vJo;N-73Q&IZwZJM^XA|?EZ!^NRbH2lW6s>PZxnFmWfY?0 z<}pNwFI|j>zxfD+I$D-;26pbVGox`f2KB@XyZIhOAoxDjxu=(p(KE63_HHu`tq`J4 zIIok?IuNHWl<<{DN;rJC|7zv@`5)`^$+&o@e|}c+5q|Ozrw(xDJC5J|epwLUw6A%W3N|o+UWy)%r7DOZms;S|=@#^lR=k#qGQpN_2_&pg6mK zr2_N}kW+Tfsxt^u`QI}~m7mhII~wuUkUH#yAWWPrtJUFIk2E3xUL92!jLrO+)Ahc@ z%VWB4_oQ7P^q268I|4Zj66dWPCIhnKFceuB^-v+-4hiy6?LWjs&fgx`4Hm@T7eL3@}~BT z6dI?kAJGB!gJu%Tl6YKbeR2JIu$r+9WR5tOrj7w5_iT9-aa}unL%ts=i)}-xAPWw3 zTxqpr+4Nv+!jM8Q7dxac&vS46FLvL$Yo%zMxDIy$H4X``;zF-W6a&!C@rj;LCGnn2 zG~rZ`OT&M@asPAba@yv#r%l2}W?fuYZ>y8A9;2iLr7i0CnAGm*h}96my%R`ONl6!3 zTV)h&OO~Rs9db*$iE=-Fo|F6o=^zHb}+Sz7i;ugGxrf4PK=~ee3n>Bn75mJ zxtJJWD)eky0CWfoqWcEx&Fk=pn<>frF+9Q~t4oA6#X%PR6%rSo+`+u9t--SCy$$#8 z(dC;O#PZj7bpS;fj44L-rod6TNCa3%?~Z3RM;(imNJF9EbNkW zM6q^|ng+3F>D4)gXY*kiZMGa0w-rmfH9a?sq%|;Uk%7qxmPEI5Po5*%)0EBEy^&sS ze&|;-&kL;=3y{>{pKni`YC3OR#lj0QZL_%_JBYp7E3mU=bEcq{9|^Z^_!UamU*iyq zZ6F6HF$t?Gp5sb6(Le;EAs=+MyUTNndg^R-;)e3wZCf<7zDjZY)pNcw{s2ns91GvD)#QfU)syjanFTKJCW90LE#p)Bb*V>b+K?%!YB z@vcWh*0QWBe{Rn=_bB7NpU%lrXUqZC*_N)w%Cd%j&!S3WLx+(rvpnFh#bS&Z2Qj(@ zzI;5=tXY!HneN;)m)-12XwLkRk)))nkiHzDjma_DRlWuAkUH0J5O@>M$C)%B(_URu zPs+xQ#>a+H3p*_sXi&&N#yZim`<@*(-vh<)%nYpE!_Y|3P{QRzZL*A1k>9TRf6_%g4oe-c)(Y) zd7pt=LL6xOs!`>ueuTu*K=p`nwzabQeA!Rv_;8W+OQ7%eZF9o>+you12VliOf@zjY z;zbXA^%g);f8T_P&8w28Qd~^1_oixYsi9-$fbz?9f z#WVB}MCR}97O;8KGGbAGqgt=gC*0QU6J+pw*Du1T7&l)#ddPh2|ovg{`wrSH&LbP2NMmoe%Dr zCcV#$b+jG>+$tAkAF8u)<^omMHOIxTUzGwb!>d%go*)*cImOqP#~+;;tGWF>;atQR zj~W7ix5`Z)FZwLL0r_>+sdR<2MF{0P{@V*V`cakYo6820AgO)a4~U=Yu43gz7_Ync zSfZG4;U|A^Upzk3GAcwCA%2(o`CNCcIe93MBK!1sw2wk0iCi+SD2y#%n 
zkMjpA&aPT4m=N70j9$e85ZWO+dF=iDs!Nt@vt+-zPOzk8c$?NW9tAtgFm(gKNCO2G zY##T4!D&<;poU1`4)wCHBn?>6A5f%rP{KmA$~ldoWQ$KL}y<&GM9~gY*~a?<>y(xSIN9iqgfLLy-8$Rb$}SJ zz*Hlwle2J%4$TMJSx(_LBdvUN1dUSXyF0Qv+bNUZLVk`|UoPj~c6ytLV&Jc8r4{C` zzT37~M7}SHHGXu7YTS#Z6akjVUm~gQy8;&HQl7uTQ9iYci*N%9B8_4cWAc^IQO?eP zyT+{^np_;Xrp%lwoJl`rg-IDDAZCBgO^qBJIhHiHx37>t-S3aMcX}3@rxlX%SsBDR zr?pSYn)(}@6K~m`BX<54O3meaf4eA>&p>@8a1h!~x(*rJ@i|HnUNi^)d>t70Q@N)6 zr+A|W^ZRiy>y+4s-l95r;06I8FOH5}JO?`Zu{$2^!4v9jO3}{)T6`K-<&TS34h8}f zE)O0J9ZPPjWmo>^id$b-(LOr6J`~@7**O0dB+k}QCr$6Pd{2KYF47f|#CvBkmGi5{ zP-Nn{^}S_zC0zB*6-_YUH|g)V9nz^Ay!HtaU#e90?Sr+rl)6Jg8Cqmzj68XH&o;ocbFr1N`4y>6 z^?{Gd`+dXC3%=DTJ)lw!C@s9!9Y8w*Lo#U?lW3&DNyz|RI2p0-=6YXzcnQFR6K@p@ z?OJxgYI9XT-+Pro*M|4smP^>^<8ONUiW+{g75&D0u2+4s-V}!C9w>=|RC@t{kp-*v z+wEtV2_r2w4 zn)Yt>R)8ogyWu>lPdu~sxjIANvlr=S94i)JFcs@#Y(AcCbzCqiB zAY&=Z>R?pZ&FtZu%Z-3AfH?Q%y3%e9+;h$^9o?s8qG0Fp3TE`IY{@1Uafv?96p)+0 zNq|t46-ilN3;4>^@)ZG6{4&*WYQG*V$6^NyyJVgO3$SQyu*j)xZ(xn#y)Ny9riYbTv) zzcF%~BQOro6QwL{9Xp?@WJHca1&61qZ?86TQ+`znJ1~IF?VJnuW~ntSpk$fD3Y^I4WN?tm2$+A2n!tcVW*DFyE|2p569#ZI`M zK@QcY=r3Temj^2Ew|p!xH9Gu~*7(ps={oDXFn}p+Ss0qKM}M28iFh+JG zazF73NA02NouSyreX87Xmj z@yZ)r8-zqKkF1mY+f8A&fOBE5R8fKH=!RMf@1NdL;ihpkukarmx%6<$w96)3-9_=C3uF z;>7+8;w*YG*?+g{@;>u4%ZQn@k9qu9_^3TQ@7S_j!N(8(%Tp28J;C91kkMjuu6^r$*+>dziGNkL6p;alM?;)n3Sf{M#M&D z^=sFme7w7R4|}T&Z0;intVNr&?Ho*G)0M`YISK&YF;*iG=2fu>qD`x#VghZcxxGU* z2Be!x+4+=oCA#jgu6Ez_lGXI3I=>9Re`K|?)(qEEyH|Q1$ah^EEj{y>a1A5e5^C6^ ze~*uvn9($Nmo#^GTW)BdZ+zJ5YO1{J3L)RLlWngkw)6%r=(xBD>!s~J^_&qo{ zxAjLb0Q}e0G$#CosrxVUkKbLBM(C0C{UEc3OtUN18Ud|&j$myVxrk3R5HLL+TttoB zR9GHaXQUz(`$V3%3Pd)Jh?@S*TplL(e9Npvg(A&_;8{G-T2?X^oT-+PR>jXcLTGY;EKUjX}thjdl^p6bZccIf$MGl9_fDXL7&1qpnefV8nd>>nTJFNVII?yQzzvg&5k zGE$r4Rsjl4hgR8p^8;*Q4K85kw_I&Y>nNom?4YRSd&Ku=*npTzsIBXbY|o^OghJPZ zq9z_=kc8^CGi*DL;ApH-&0rg-SHc`+cL<9kiYo0@;>`oC(sCJ3s+nKbxp<<(a>t z-`XUfUd&t-R@ZPrYj<}^B{w9=^$~(ori&bF+2T=t=bmix2~ZHez-NHyBK;#>73wV9jKtVq*!`p@;<;p!A^t0F1ZknpUQlqjJ`K 
ze0@_jSg_6N>#Zz(IO$xJkQkvHyHwiVuS4#Om*k!QZ~%~E8tewCv@5($T*6kLu4l%R z&dW0q1aOAXVn*=yWfwu1ChpkgWIX+ue^~=rOQEakJuTa3=W9^tJzI+Xzh*sMVPa$1egPn|G?4Ef16N}*u~zguT<=_=zW}kYzms18APPx~r4tXAh#J`U zmS>PK(l#=4cJ==HQv8>cV5x0`cYBg%&nX)IC1ls>?8FOM7h6#x@^L3kk=qtKXGB?2 zPVCLd=SLl?RKBd&S6|A=v{lyl`gs72jvrbdMHyxa$zP*M7$uUSI6B^6_s8OLiBfI< zVdLN;GaCt~p+Sf`33ES31i*yP4j`IHZ08^Q(CVyq#0oiZr1Po(#LIOx-Y&^FpAj{T z*!teE>o5AIr>!V!Sfo{|d%x?uR~&8#iU3;Se6bEaeVka#*@@U6gitYfwRiwTLPknKow_6 zDGl^d5X4VCH9mU^%*Pa>gqV<`YFiQ-R*bRwi}C)E&sXjby|bv!wHB`fg#}0NujsHY zOG+@EtR1LW!y1{H$ioZqkb*xXj$J8lA_5i46d zR@Y5a%U|)oM?9&h*?y@kfP|=HFRG1^pq^}j#R3RPFLK!2UEG+vC1}Icch?d+q{@p; z(g^~Gg%*bp008UPr7%WgPCGTDJlG}#EHXqQY}zh*V#-R4454U^GXcaxfV!-;odUph z`R7#o@& zn`#zoZI{nbONcpnaX#th2o;QBMO28##Y58PO*K^7!W#OW7U^iiC}CvZGih9giV2d| zz$ZmQ;9ID58D?C9Ya_)3qy_~HU$?r^CqCl)9*k2w-ye__l(qWma8_&DQ^b!r_r3qM z+2s**)#sm3#vBO^EVuiU4vV+7vsb!81`2>mdp7#<;;%+(#T1@>_t|+|53#pbLX_Ks>1v*>vy`htkc1OW zO}t}ok%hnGw^>$IB`nG+bj{P0wcB3+Oi7K~H;#<)6{ck^utT!5T8J7CI+QvCI`Y{? zN`vS#u2p-ym-i!7XnAEAAd##a9dw`n)kqK3Tdgz%f*|I;e|G%=ZB{9>pQG%gXq?Y7 zsfEwb-QhfZb?hp2Nd6M$8yJNiYPlH7z6SrsQATc2W4Rdk#w%V+9%mk*3)7`ld~=uk zAk23SrWB+h>165g5dgBU!+i=e6>f+`b2^O%BO;0F%{-uW!CbLoB%=314B>BTs z6R#RX-BwYI{}Yu97^^((0LSY2sYMx3@PwCeqJW;1FtR1y<}#o_Xfk*Sqxu0!*~R$y z&Meqn%V8+b+J+XPa&yeEO6Gfu6xiWUH0*ri_}8FkfRwWAvQel9)`O5vK=$O8v*mXO zru?7PsA1&__jJHI?lb!uL?WcOF2+ky4({+GRPrpcPe_J#eYL~pFhGT!Ik6AOx(L&< zcS3?DNLN|_1^1!z&!S(}!YI9s;vW*HuIzI%a`Z`dN44`>OHhd9*Cjhg)e-%A0Lj?8 z5VSFBeIB1vi>7GvsRR$s9;AHby@-MvPe}MWz2WyW=3D|b7=KzXwOF37aoEB1jd$_q za6p>B67h7yscvE1Q{2*-9K<$tb|}#F2z@+IT-PH`qmCcX$KyxEsD>Fo%-Q^Q#g3qB z79h(72x&K~H>-M+5WhUR!zLtPPKOp-vDg-Qv;u+p>NWFTg645|Ib(7;AmBQ@ktX~$ z9zSt>Qc+d7)Y8fLxe0XsYb`hI--SPNO6XHRR0l8RyHAeJt9^{3%!5 z-?PFZQ~8!VDuOvuQrE}IROe>O$ujs|;^S`x(SNHotgxQk3~f$*LP@VXn6;IzQVH+y zm&aeU=hw>E3~}EnH=nU?UWo<312Ynj`wN7Jz6J(_^57iSKI~Ue?iNmw0bndBRle|a zf*vd4LolWN!4QGEUK$E4XVT;9iUh&)vq`|yIaXA4a{gG4Sg@f7`V~;0#1CAfS|~># zi@2nZdYWZph5Cm0*jD|%NtspIW(}itAOvu>O!6CNH{a2ltLNsy$&V4`Cu~5tFMkoG 
zZmttkrOPFb9Qr=YiKmy3qO!o*91rH=;T&iHngb`(I3T#CWyVq{=#{ExSI(v(4CEy! zTO4MjZyiYm9L?eY2u7o8H2~(*bu0%AC?%8YpB?~^Kq^5m1=(^ezcdOns0W<2b{z)f ze_R7O*h}SGS=Oljv5r+xy;vfNW3+q_1aPPAg`ZB7kfeMRXz%VhK|80aZz3Q zI4vXM0zno0sP>booV69~-`{?`gV*g!na`?lwNqMa+>EUIfgR7N{~2EIsN0BJn{u8z}a+^F6YbZl_u|83?a zp612hn$R@`T2KxbuepSLw;5v=xcS3=b`WiG{-aPyL)=K+#NIDQNsM&sCbmkM?+vaj z+lR~tVI2VW9~?U)Pw$-HOgcQX{BfHB)WgoaZ~8`HouXO=@xB1Thu&SFaraMLO<$W7 z7D1exMKk;E&LXcYFd@eG{@511Ujl+?k`bjUG~&=Ib1%Bt+Iw%j`Ce@+XkRfnAMbT- z-{XTz7BI;5Dy%R2G;zqB#i3^XIp1n6J$>uvnHmA-vfwNZfLv`4AHF`nZsQl-roz!h zEV&9?$gerf&{CV`0KyU=kR8Y?-^ECLhsCqwYuQ1ipQ~y3fD$J6X?zv@YC;PU zB-g^N9ROFzuhrZ9NC48;uBE^AyFb&W0Sc|f&SSL$FbPDLrYlF0x$^fL8FL$B37%k@ zig^pLb(@`TAud7L4+(*an{9EE7q=;`_or1(1PMgJ`IW1~&QL}%G)K!qx5O80=`h1! zVNaK#Jn8K`EXY>$a&b-LvD_y3!lWGA+>SH~M_P?NWW-lsY~Zcvs=hLq!t+v=O zBx{;7NH?Ol^PTMc^S>odkVCYF2pAjb zz9x0Ji3NOc3G0F&!nw&+>gVpOxRE_z1`F2a&sz|G5BZboUC61*k)~)47)wEADN2gu z&f$W-JKEs+>07o)bLiK}&&PC#BlnvN`$CHu z8dA5>7a zYgDz6EEJ>oW?0NN-q0O=X6wyzhumm^i;VX1u!5U_7{pOU+N;Xu`(kV88#Y?_;iK0n zvX6jz8aH;ZF8J$F9MYB>!$11y1#JT1#J3w~Ss#+e0lv?bx78?=S2*X_V_eD=m4ELg zwF#7ss`kWJBR(p-jOh7z51@#AMs{I^&R+gA{8A}w=*m^KWm=l|3x9~*`5mWNFM0s@ z?2x`SPZW$W5QbrAvu>13Rg9?;2b?5sx(bV|Musqzl}{ZLVH&AvyqCYfX?TchGG&-d z7@ZVznz-%P$OFxQ@}=7uk{AGM4g>N4Cik4}CzlQu88B+GIZpHdzv#){69rqVRn7c{ zf;~;|p%^dA2FW#cIE!jWRjScia$w|j%8Hz=G-t-asR-}Gv4>-Bo(uq`dcCobSHEl9Mt{Tt59a9|xq3^s^X^hq90Or< zT7`xkCwnKW^G)lcF(B7EBDjU9;{}$Nm11Vpn*a3;BC`XTvvZHFcHjo5P(RWNE{`f%n#&kB#Pfkv)HaR8sA#_h|Oy{p9=1_1V7jaSr?GmR6M zlpM^$6c*UMz6{Hj@P=0(kA+48oQ#hgGh#yoH9#N&1YaN6_O06P4@r}2{ys7)M%Ek3|gj&whQlEwx)Fn^q<)s{(x$= zmp)NNSa)pv_$qBf4e0-j$@)Qu~sQD?-#nm zb@a@;XaWM<;UMNZ{3TRX#7m{vrU$y;Ixw;z4B^`LvT*CeDqzIN36R7A!bvmEn4{U< z+^T+pnSh%UYoHN0!<^lE!_g4e{e!vxb#g#PXsKp3VHYrAD6566J-#bGZx*6rqA1Q_ zw$M<<{Qm3%AhH<#4XA7tD9H4|jb4UyWC=CqO&{p{3=&Hh_im4r9 zO**@G_l--yFz21vj-=GS?}O5JnfS zTNjRZt*N5jT50Lv;)Jv^dA(#)o%o`DP3A-#X(wE9NB9Uo8|IjwBpulzt9qF-8r*gf zvvCT%uGtwfd4UF z8LaP)o}jX!dvMLpL>3P}gj-K}{7j#8wl@jv5*C%|)Z5qA63iju>sHN=u$&GvUSTeA 
ziDs?5{JVswQD&DQsAJLtM-|cBMn{gIGvARvi;<`$L&q;DqTPN^$-NFMG2+?${ z{Jne#7^ow(fkDQWpY7thlBws}WLvl2ZsOTU+PysDrA)u?=vP^m!-hu`7LL0Sm~GAZ zd_1x}ijzl92;%%F&`z#@Z3RBPQrDozceSVG_3{vqcec3g?D!7FFlghLu%;b?BD@DC zDY0jAbI_n;dZ{|J`ph$A{}*l*k?IT66b^EIX`R1$=LYAemNFWh3csDr9_?Z-WM_y7|SMUpF)d3kh_?&b!%;;|}G zWr`&(&MgxQ`uN82K{Q2@D;fAyl_$E|_@gIB`2I6T0ceYb`SF!;Mi)~Y>uP79HO}#_ zRP)4!8C_UoY$?U$+BVy{67g`5SjbPv zr!m;ph~qd+t?yu%pK@pVo?_a{75Uk(rDxH7lO zyEDst=}12TO{G{iF)W*arqUP+xPR~Vj%Q^j%Y~^WvPGTET#=d74h;bxPxp7y6>q?> zY+52AX55W@85ot13}Fc<}I$`$$t*&E&W=v%=V73fs163I_>kDtX;tJzD_4 zuB64ZM1wpt(8=#VF~C4;BdU~?42wv>=MtLZu$<0e**0y_@M8%Ns*7DNrNnU{U(z`@ zvB;~}rzjdGXr5ongNKg_RS{sAENrHEV|%Yp=2~4FNyL zy4v~r@ge^0(}xfUesOD#^-7}iZc%44wT+?(4tK`!sgHhN){Pv|O^erVO!MaLIo7sz zac~RTd+^}lBU*qCps5s1i=SPe=JMPMk$}dR4)szhoBZSG6eYtTpei`FO-?V9E|dWH zlc$f+90~F-<8$0hrdUnyGQP6G)Y=v;kr2Oku#2Gf=w08+i!Z+TVy&wwfa&#Z{`=Wc z-kDBPEE`Bw@mgMa@bLd(0@{wlR<=M#EX={SCi+{OSlr5Rb$*qgPeoHCUGXSgO;L__ zw~>fN2nT!wRE4Ntqcsxb{M0h9-I&3rD180+LB4Rf&#k8L2tTI~qP7*)o?mJuz03Kj zMb1quv6ac+3+(h9=pH@67X^QzQJ|a5sf=nJaTE zENtzP+}dSzCySKsO`vJp;J_CT_i?Hx!E;019Ee8&_xZ=+kf~{DvYjvT>ev+TOf69^ zlpq-J{8An~JYqrM0NdFDuZ>M}ps9hc9vkHACx&_UU>Dcs*SIvh!s6C0yTvk!B4~?- zInvR>3nM-BwKP@>1lW%K*wWZ)mZ0|z&2`=cweqG3`p@4uyR90#AO5YQCVI!bmHfK~ZU zhGkte5h$G5J)Ldq(G4pO-fWLs%olM$EaqB>L16Z_#bCSt3>5EfMfH*P&eOw zYJ|@p>UTry1rHrpB`e*OGsP0Wx--w)lS!naAcQ+X<+90%?lwL*+{MB6X8fx9SUPGv zYLXICk}nkb>9xB|uI-R7o2XJ^+BTXZ=!rLQW~7&sJqh@PoS&bhvd)#t{METp&P^<_ zmd>MTDy6bPYb3xAo;}J}jvb`GwQ1kD4ff`Iw^-!P$_B5F&9Gh2@oVY>RJC_lNdcNv z2xuy?kVZ=+NJlI}Uvnef@dkXF=Dx1rV;%mVTB2IZx_`)RhwXfc^<06iyw3B( z-LyAE9{!5dWh6>vlk1D?yma+0e#PykY}*ccsZ3EXb1>1wKx@3N7O!qvT%29y!sHT} zypF0Wn5IQglN{}C<6wK7lRXLcOLWJc@1jsHb9H`&*Kf>lb$$)ov_X+zn9TV#e5yiA zLxld;rYf=3Jy})0hi+OdZSV5WW78yea)c^nS472hGfk^{&`JTSl=w82NI)YJ@DU3I zX^VvzY-{3)1Ff9y?Qr)~r9YqJ5!FLZ#&4Qm(jmE?=B0F=tz3~@N#~m#6jY8S1yUlD_4lC&b)2TG2Y{BhqXqZS%AsPx)3#9EA zrrJ{u<13rIc5|BB%bVD`fe83<1RyjF8{V2sa=fdZXZkxi(A0pGV&5oA%XZi;>ddBg z*xB5LkpI59l>(IaDJ#1Ylu4z?9YTOAX=(`ZRBwXsKXZgLhk6-oi`U#bsac|uf(Ht4 
zISA~4565wMYhsC1CeQ8VP5#pto@B5sUO6$H552UILbx?^d>W_{Au7!nZ5vfnQG~3! z7%d^duPONb8l|#^&{P~LP&I{sPpvDT+lTw5+}SZqlk<~H{N(B+CCdW8R(%e|RmqlK z=AEe}`dVWA`R7j&_WSnFI0(1AuRK67~2qV>4UCwjECQbQ5eUV-IGRdr z^VVdNFCQJODfKDqZCa!ds6yb_R^>WFQZy`H9-ZXB{`4$Ay)w@7PPTH|c%75?6I}Hm zNf(M-noaVn@p+OvS@3H(wnZ%9<48v{FAR0k(-^@no36T26|$u=e}DN7mu6P(z1F^6 z94-kL41+@1c!1aj+nYJr(?M@@3>9!J+daV)g>2a(l`UYH=6$|EkElKZY}-wz>4=5+ zqbG+r)z=Qf0mGz_Ei$^a&i_1rgTFaH#9S=!Em zZM(lWOnT!{zIl9*KYjKXCwtq#sl=2i3Wn`)V`-hYCl|T9vW``0WxhY*RNQm|MabW9 zo>WXJDKIR%+G*zf1m}kP)YjOjbv5)AsooKb@Mq5*V|-P55HIot*x4%t$Xw8$srDPHnWn+ z@y7T9ySh<%T2LVb4(?k;1#S><*|OYF1=}Sc!?ehjbSBrf*vu8M z0fcm29=1h8K%=7}j8PhgGqka5*bc&*GApJfpzmMCi+q`^jiZdg zJx!Cmd1s#Fb`A`a4b$T6#3F{}u%0dO2ge8LYiUH0vRW+6%c`#*H3hJ=mEo1qDMptz zs<*X{ZsH4QoEh$_k`%!4?l!)4;viRNSD9N+yKVzTV(4Y=u5R)AjcKAmA0vsDYRb*N zfvQk6EMC1a!?nc}0Zqj;EsA=X&1`|G^)&0b0vM)y4`JJ&Dh%|r^Oa)*d~Ud#K#jGc zt2?4{dyP31%dWGpF%;yFPamc|8Y1LV`T5u^%ey%o$03s|@%qgf=C;yUj?Gt}7^ElO zP>CfKUO}t6@JqRql*;6|IGyC}$tAWkIYjkF%Aq9^;A=+*INI4-{lC^|m=}h7IN96I zc2Osj*AbcmQnFht@yh5Vy)7|D63tcr*M8wDRZ%Dz7U%CQxFqD*VBd3{pehJeLGx*7 z2oy!q-Q2);P7U$Rlf(44#@&jYHKa86O_zk{hPvr$iZR$0=SP>vd2cG|`Y!}bZ>0He zKfl1l>K5OB<}ib8O@w`##{zXkRF`I#`9JU8VkcLEiYm5Ei*Pu=v92~=815m_7`^X* zI~$|?$~lb|IU0;oBKsqTwuaX<=5Uuz@Zed-X=fR98& zh_|MaWOGFf(;`(ec=g5%>0*iJhq{>GN+b6CR-Or1vnHSII4o|Zd23>ki!&>fEE}OJ z)$%QhlSb3&R01R&;Xv8s;_M3j*Qe--$7tF| zj&;kl2nT(fInqa8ON?m1=N82i5>=4|HHC(NkEU>d)`l>>%`tl74b`}*TJ+he`+=uy z#{tJdO36TL6aVhBN9l@3uyD9Kx5jp^gpFV!wM{aeWoA81x~QWm64P?_P5#?{#BNdN zm$zm)Kb0hx%_D*Vq#|&|k3csqCf2t3;Tu;F-0y1=xG5&tl7UcU^-vQ+;P_Q0*S2|W zY=*BM>F0ERCrS+_<9;ld7C}wr8^;Iv@{v9|Vqr|v0U=OTiCJ`?>c$9HP+opI@z572jbxXKf5-`jpPQULJ3_} zKvht@K+xJGsmkdwv%byiH>bIk+@Mq_SCein%OdF0cygeVrceMOaC7|bBdV&m22E8c zn-){+X;w2i@_HFXRX~xXOJ!aio1wq8iNhT&s8a5OTR^Ak-`flLyf2Q>aca6q-o7EK z54)_Z*5HwnQ@tJZw!{efHT+j6xIDLlZr5Jq?Z4V!)$qr?IJ?Zt*CyD>m)xXVA+RhP zO;H$XYvKpbKEYtSTW8AtU3r}X0;)=;p!4fH3;godEVq*>97Q5E70b4{wV2}V$t9lY z@8rk<*Rft7SAgPo{@wvB+s3MV52wxxCaQI}jD>jU-RIagLQ3M{5PxyzNk-b^{OHm+ 
zKY4G0LcWCM(<;3J_gRr9LEZAOkP_3fnONQ6?43m}&#r+KNT2Ge9Nl2Jx1H}jIn1|C z4%5*XK{u@roIOPf%BICgqKSfGaC>zV+i~;9q!8G^#hGRP{?a)AN+re4dGwEiB8r z7er&2Sf<-(vECM`Tldc(SJI)VW1AKjCc3Fo(90NB?O(m`nJ261EdT4mO@47}24^=9 zL0?tiC_atn4j$k;r-tcla>Ee<4-rM}Qxt|1Ej&Nm&9#L!u1qgumkm%AuxzH5)_Fz1 zvxA+SIn+yICAKqL)I{-DxDHpe-7tFWx}f z??Y-TreP7*6gpxNLVIyzPHhvFZQE?-3XCnKFf5z)&K88?mQ@ZYlK%E4zIddM<2?!X ziX=YFW|YEJ<4^T<@V(O`?B+_OvIPQu4TKo+=|;&yW5o|LUFNQdS~kk1Zv5f2Ak+xsJI1c7_= zm)yy4adw6OdwH7GOaUPTdfDI$BM105r-wM*m%y*7b&&@qrK>V8&#sb6=P?YYS_fW{ zf~IJIBb_buwKmqYuR=;mv23uiljXg+HS)UQ`ipSOM{BC2yE)2GqKS@J^dahvJ^1>% zVX~HXUw^k~R7`)@8Lvt~do0XwM>9Pwv6>E5aK}n#d1sf=`E_z7^WIol7Gb}}iM|8} znxcgLTHWR|)_eofT(L~HSiY~G)LsPzO_jt#0aWFq-P$>o8$l{Qsnl+sOLH5fEAL}k zHoZ*|MiPy*$HJ(UjQx7>Ntl++Zc)cDZ5;c3DIo$hMH2RF1btdf7X}o<^(7T_qgvx# zl?vcy{!1x{27Ls5YNesa$5(CJxe{g5EfKS)oA%~98uSqf`f6K!;wB#JhDo+$U|CM} zw$ygq11b{mB9d587W8x2;21^00000NkvXXu0mjfhS^Zk literal 0 HcmV?d00001 diff --git a/README.md b/README.md new file mode 100644 index 0000000..806ae23 --- /dev/null +++ b/README.md 
@@ -0,0 +1,62 @@
+# collaborative Protection Profile for Application Software
+
+[![Build](https://github.com/appswcpp/repository/actions/workflows/quick_build.yml/badge.svg)](https://github.com/appswcpp/repository/actions/workflows/quick_build.yml)
+[![GitHub issues](https://img.shields.io/github/issues/appswcpp/repository.svg?maxAge=2592000)](https://github.com/appswcpp/repository/issues)
+
+This repository hosts the collaborative Protection Profile (cPP) for Application Software, maintained by the Application Software international Technical Community (AppSW-iTC).
+
+## Draft Version
+
+- [collaborative Protection Profile for Application Software](https://appswcpp.github.io/repository/Version-2/repository-release.html) (HTML)
+
+## Archived Versions
+
+The previous version (v1.0e) of the cPP, Supporting Document, and PP-Modules (Agent and Server) are available in the [Archive](Archive/) directory.
+
+## PP-Modules
+
+The following PP-Modules extend the base cPP:
+
+- **Agent** — PP-Module for Application Software Agent (`Modules/Agent/`)
+ - [PP-Module for Agent](https://appswcpp.github.io/repository/Version-2/Modules/Agent/Agent-release.html) (HTML)
+ - [SD for Agent](https://appswcpp.github.io/repository/Version-2/Modules/Agent/Agent-sd.html) (HTML)
+- **Server** — PP-Module for Application Software Server (`Modules/Server/`)
+ - [PP-Module for Server](https://appswcpp.github.io/repository/Version-2/Modules/Server/Server-release.html) (HTML)
+ - [SD for Server](https://appswcpp.github.io/repository/Version-2/Modules/Server/Server-sd.html) (HTML)
+
+## Quickstart
+
+Clone with the transforms submodule:
+
+```
+git clone --recursive git@github.com:appswcpp/repository.git
+```
+
+Update the transforms submodule:
+
+```
+git submodule update --remote transforms
+git add transforms
+git commit
+```
+
+## Repository Content
+
+| Directory | Description |
+|-----------|-------------|
+| `input/` | Source XML content that gets transformed to HTML |
+| `output/` | Generated HTML output |
+| `transforms/` | Shared Common Criteria build transforms (submodule) |
+| `Modules/` | PP-Module directories (Agent, Server) |
+| `Archive/` | Previous version (v1.0e) of the cPP, SD, and PP-Modules |
+| `.templates/` | Document authoring templates |
+
+## Links
+
+- [AppSW-iTC Website](https://appswcpp.github.io/)
+- [National Information Assurance Partnership (NIAP)](https://www.niap-ccevs.org/)
+- [Common Criteria Portal](https://www.commoncriteriaportal.org/)
+
+## License
+
+See [LICENSE](LICENSE)
diff --git a/Readme.adoc b/Readme.adoc
new file mode 100644
index 0000000..f67a35a
--- /dev/null
+++ b/Readme.adoc
@@ -0,0 +1,107 @@
+== collaborative Protection Profile for Application Software
+
+[cols="1,1,1,1,1,1,1,1"]
+|===
+8+|repository
+| https://github.com/appswcpp/repository/tree/Version-2[Version-2]
+a| https://appswcpp.github.io/repository/Version-2/repository-release.html[📄]
+a|[link=https://github.com/appswcpp/repository/blob/gh-pages/Version-2/ValidationReport.txt]
+image::https://raw.githubusercontent.com/appswcpp/repository/gh-pages/Version-2/validation.svg[Validation]
+a|[link=https://github.com/appswcpp/repository/blob/gh-pages/Version-2/SanityChecksOutput.md]
+image::https://raw.githubusercontent.com/appswcpp/repository/gh-pages/Version-2/warnings.svg[SanityChecks]
+a|[link=https://github.com/appswcpp/repository/blob/gh-pages/Version-2/SpellCheckReport.txt]
+image::https://raw.githubusercontent.com/appswcpp/repository/gh-pages/Version-2/spell-badge.svg[SpellCheck]
+a|[link=https://github.com/appswcpp/repository/blob/gh-pages/Version-2/TDValidationReport.txt]
+image::https://raw.githubusercontent.com/appswcpp/repository/gh-pages/Version-2/tds.svg[TDs]
+a|image::https://raw.githubusercontent.com/appswcpp/repository/gh-pages/Version-2/transforms.svg[transforms,150]
+a| [link=https://github.com/appswcpp/repository/blob/gh-pages/Version-2/HTMLs.adoc]
+image::https://raw.githubusercontent.com/appswcpp/repository/gh-pages/Version-2/html_count.svg[HTML Count]
+[link=https://github.com/appswcpp/repository/blob/gh-pages/Version-2/PDFs.adoc]
+image::https://raw.githubusercontent.com/appswcpp/repository/gh-pages/Version-2/pdf_count.svg[PDF Count]
+|===
+
+https://github.com/appswcpp/repository/issues[image:https://img.shields.io/github/issues/appswcpp/repository.svg?maxAge=2592000[GitHub
+issues Open]]
+
+This repository hosts the draft version of the collaborative Protection Profile for
+Application Software developed by the AppSW-iTC. This
+repository is used to facilitate collaboration and development on the
+draft document. See the link:#Release-Version[release] section if you
+are looking for the officially released version for evaluations.
+
+=== Draft Version
+
+* https://appswcpp.github.io/repository/Version-2/repository-release.html[collaborative
+Protection Profile for Application Software] (html)
+
+=== PP-Modules
+
+==== Agent PP-Module
+* https://appswcpp.github.io/repository/Version-2/Modules/Agent/Agent-release.html[PP-Module for Application Software Agent] (html)
+* https://appswcpp.github.io/repository/Version-2/Modules/Agent/Agent-sd.html[Supporting Document for Agent PP-Module] (html)
+
+==== Server PP-Module
+* https://appswcpp.github.io/repository/Version-2/Modules/Server/Server-release.html[PP-Module for Application Software Server] (html)
+* https://appswcpp.github.io/repository/Version-2/Modules/Server/Server-sd.html[Supporting Document for Server PP-Module] (html)
+
+=== Previous Versions (Archived)
+
+The previous version (v1.0e) of the cPP, Supporting Document, and PP-Modules
+(Agent and Server) are available in the link:Archive/[Archive] directory.
+
+=== Contributing
+
+If you are interested in contributing directly to future versions of
+this collaborative Protection Profile, please consider joining the
+AppSW-iTC. Visit https://appswcpp.github.io/ for more information.
+
+=== Feedback
+
+Questions, comments, and fixes can be submitted to the
+https://github.com/appswcpp/repository/issues[repository issue
+tracker]
+
+=== Quickstart
+
+To clone this project along with its _transforms_ submodule run:
+
+....
+ git clone --recursive git@github.com:appswcpp/repository.git
+....
+
+To pull updates from the upstream _transforms_ submodule and commit them
+run:
+
+....
+ git submodule update --remote transforms
+ git add transforms
+ git commit
+....
+
+==== Development Info
+
+* https://github.com/commoncriteria/transforms/wiki/Working-with-Transforms-as-a-Submodule[Help
+working with Transforms Submodule]
+
+=== Repository Content
+
+* input - Contains the `meat' of the project. It's the input content (in
+XML form) that gets transformed to readable html.
+* output - The output directory where the html is placed after
+transformation.
+* output/images - The directory where images are stored
+* transforms - Points to the transform subproject which is really a
+repository for resources shared amongst many Common Criteria projects.
+* Archive - Contains the previous version (v1.0e) of the cPP, SD, and PP-Modules.
+* Modules - PP-Module directories (Agent, Server) for future XML-based builds.
+
+=== Links
+
+* https://appswcpp.github.io/[AppSW-iTC Website]
+* https://www.niap-ccevs.org/[National Information Assurance Partnership
+(NIAP)]
+* https://www.commoncriteriaportal.org/[Common Criteria Portal]
+
+=== License
+
+See link:./LICENSE[License]
diff --git a/input/.gitignore b/input/.gitignore
new file mode 100644
index 0000000..a7d52fd
--- /dev/null
+++ b/input/.gitignore
@@ -0,0 +1,3 @@
+# files not to track in git
+.DS_Store
+schemas.xml
diff --git a/input/application.xml b/input/application.xml
new file mode 100644
index 0000000..9da9840
--- /dev/null
+++ b/input/application.xml
@@ -0,0 +1,2261 @@ + + + + + + + Protection Profile for Application Software + 2.0 + National Information Assurance Partnership + 2025-06-16 + application; software + + + + + v 1.0 + 2014-10-20 + Initial release + + + v 1.1 + 2014-11-05 + Addition to TLS cipher suite selections + + + v 1.2 + 2016-04-22 + Added server-side TLS requirements (selection-based)Multiple clarification based on NIAP TRRT inquiriesRefactored FDP_DEC_EXT.1 into separate components + + + v 1.3 + 2019-03-01 + Incorporated available Technical DecisionsRefactored FPT_TUDAdded a selection to FTP_DITMoved SWID Tags requirementLeveraged TLS PackageAdded equivalency section + + + v 1.4 + 2021-10-07 + Incorporated applicable Technical DecisionsUpdated to TLS FP + 2.1Incorporated SSH FP 2.0 + + + v 2.0 + 2025-06-16 + CC:2022 conversionUpdating for TLS FP, SSH FP, and X.509 FPTDs and GitHub IssuesCNSA 2.0 updatesALC FLR Updates + + + + + https://github.com/commoncriteria/ssh + release-2.0 + + https://www.niap-ccevs.org/protectionprofiles/515 + + + + + https://github.com/commoncriteria/tls + release-2.1 + + https://www.niap-ccevs.org/Profile/Info.cfm?PPID=439&id=439 + + + + + + + + https://github.com/commoncriteria/x509 + release-1.0 + + https://www.niap-ccevs.org/protectionprofiles/511 + + + + https://github.com/commoncriteria/vpnclient + release-3.0 + + https://commoncriteria.github.io/vpnclient/master/vpnclient.html + + + + The scope of this Protection Profile (PP) is to describe the security functionality of application software in terms of and to define functional and assurance requirements for such software. In recent years, software attacks have shifted from targeting operating systems to targeting applications. This has been the natural response to improvements in operating system security and development processes. As a result, it is paramount that the security of applications be improved to reduce the risk of compromise. 
+ + An anti-exploitation feature which loads memory mappings into unpredictable locations. ASLR makes it more difficult for an attacker to redirect control to code that they have introduced into the address space of an application process. + Software that runs on a platform and performs tasks on behalf of the user or owner of the platform, as well as its supporting documentation. The terms TOE and application are interchangeable in this document. + A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform. + Data that establishes the identity of a user, e.g. a cryptographic key or password. + An anti-exploitation feature of modern operating systems executing on modern computer hardware, which enforces a non-execute permission on pages of memory. DEP prevents pages of memory from containing both data and instructions, which makes it more difficult for an attacker to introduce and execute code. + An entity that writes application software. For the purposes of this document, vendors and developers are the same. + Software transmitted from a remote system for execution within a limited execution environment on the local system. Typically, there is no persistent installation and execution begins without the user's consent or even notification. Examples of mobile code technologies include JavaScript, Java applets, Adobe Flash, and Microsoft Silverlight. + Software that manages hardware resources and provides services for applications. 
+ Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. + The environment in which application software runs. The platform can be an operating system, hardware environment, a software based execution environment, or some combination of these. These types of platforms may also run atop other platforms. + Sensitive data may include all user or enterprise data or may be specific application data such as emails, messaging, documents, calendar items, and contacts. Sensitive data must minimally include PII, credentials, and keys. Sensitive data shall be identified in the application’s TSS by the ST author. + An anti-exploitation feature that places a value on the stack at the start of a function call, and checks that the value is the same at the end of the function call. This is also referred to as Stack Guard, or Stack Canaries. + An entity that sells application software. For purposes of this document, vendors and developers are the same. Vendors are responsible for maintaining and updating application software. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ The requirements in this document apply to application software which runs on any type of platform. Some application types are covered by more specific PPs, which may be expressed as PP-Modules of this PP. Such applications are subject to the requirements of both this PP and the PP-Module that addresses their special functionality. PPs for some particularly specialized applications may not be expressed as PP-Modules at this time, though the requirements in this document should be seen as objectives for those highly specialized applications.Although the requirements in this document apply to a wide range of application software, consult guidance from the relevant national schemes to determine when formal Common Criteria evaluation is expected for a particular type of application. This may vary depending upon the nature of the security functionality of the application. + The application, which consists of the software provided by its vendor, is installed onto the platform(s) it operates on. It executes on the platform, which may be an operating system (), hardware environment, a software based execution environment, or some combination of these (). Those platforms may themselves run within other environments, such as virtual machines or operating systems, that completely abstract away the underlying hardware from the application. The TOE is not accountable for security functionality that is implemented by platform layers that are abstracted away. Some evaluation activities are specific to the particular platform on which the application runs, in order to provide precision and repeatability. The only platforms currently recognized by this PP are those specified in SFR Evaluation Activities. To test on a platform for which there are no EAs, a Vendor should contact NIAP with recommended EAs. 
NIAP will determine if the proposed platform is appropriate for the PP and accept, reject, or develop EAs as necessary in coordination with the technical community.Applications include a diverse range of software such as office suites, thin clients, PDF readers, downloadable smartphone apps, and apps running in a cloud container. The TOE includes any software in the application installation package, even those pieces that may extend or modify the functionality of the underlying platform, such as kernel drivers. Many platforms come bundled with applications such as web browsers, email clients and media players and these too should be considered subject to the requirements defined in this document although the expectation of formal Common Criteria evaluation depends upon the national scheme. BIOS and other firmware, the operating system kernel, and other systems software (and drivers) provided as part of the platform are outside the scope of this document.
+
+ + + Requirements in this PP are designed to address the security problem in the following use cases. These use cases are intentionally very broad, as many specific use cases exist for application software. Many applications may be used in combinations of these broad use cases, and evaluation against PP-Modules of this PP, when available, may be most appropriate for some application types. + + + + The application allows a user to create content, saving it to either local or + remote storage. Example content includes text documents, presentations, and images. + + + + The application allows a user to consume content, retrieving it from either + local or remote storage. Example content includes web pages and video. + + + The application allows for communication interactively or + non-interactively with other users or applications over a communications channel. + Example communications include instant messages, email, and voice. + + + + +
+ This PP includes platform-specific EAs for the below-listed operating system platforms. For "bare-metal" applications, + applications that run on other OS platforms, and applications that run in software-based execution environments, + contact the Technical Community for guidance. + + Android: Mobile operating systems based on Google Android + Microsoft Windows: Microsoft Windows operating systems + Apple iOS and iPadOS: Apple's mobile operating system for iPhones and iPads + Linux: Linux-based operating systems other than Android + Oracle Solaris: Oracle's enterprise operating system + Apple macOS: Apple's operating system for Mac devices +
+
+ + + exact + extended + extended + + + Protection Profile for Mobile Device Management, Version 5.0 + PP-Module for Email Clients, Version 1.0 + PP-Module for Endpoint Detection and Response (EDR), Version 2.0 + PP-Module for File Encryption, Version 2.0 + PP-Module for File Encryption Enterprise Management, Version 2.0 + PP-Module for Host Agent, Version 2.0 + PP-Module for Redaction Tools, Version 1.0 + PP-Module for Voice and Video over IP (VVoIP), Version 2.0 + PP-Module for VPN Client, Version 3.0 + PP-Module for Web Browsers, Version 1.0 + + + Functional Package for Secure Shell Version 2.0 + Functional Package for Transport Layer Security Version 2.1 + Functional Package for X.509 Version 1.0 + + + + + + + The security problem is described in terms of the threats that the TOE is expected to address, assumptions about the operational environment, and any organizational security policies that the TOE is expected to enforce. + + + An attacker can act through unprivileged software on the same computing platform on which the application executes. 
Attackers may provide maliciously formatted input to the application in the form of files or other local communications.FCS_CKM_EXT.1The PP includes FCS_CKM_EXT.1 to specify that the TSF may rely on platform-provided key generation services.FCS_RBG_EXT.1The PP includes FCS_RBG_EXT.1 to specify that the TSF may rely on platform-provided random bit generation services.FCS_STO_EXT.1The PP includes FCS_STO_EXT.1 to specify that the TSF may rely on platform-provided credential storage services.FDP_DAR_EXT.1The PP includes FDP_DAR_EXT.1 to specify that the TSF may rely on platform-provided data-at-rest protection services.FDP_DEC_EXT.1The PP includes FDP_DEC_EXT.1 to limit access to platform hardware resources, which limits the methods by which an attacker can attempt to locally compromise the integrity of the TOE.FMT_CFG_EXT.1The PP includes FMT_CFG_EXT.1 for the TSP to limit unauthorized access to itself by preventing the use of default authentication credentials and by ensuring that the TOE uses appropriately restrictive platform permissions on its binaries and dataFMT_MEC_EXT.1The PP includes FMT_MEC_EXT.1 to ensure that the TOE can use platform services to store and set configuration options.FPT_AEX_EXT.1The PP includes FPT_AEX_EXT.1 to add complexity to the task of compromising systems by ensuring that the TOE implements various platform security features and can operate on a platform that is configured securely.FPT_API_EXT.1The PP includes FPT_API_EXT.1 to require the TOE to leverage platform functionality by using only documented and supported APIs.FPT_LIB_EXT.1The PP includes FPT_LIB_EXT.1 to ensure that the TOE does not include any unnecessary or unexpected third-party libraries which could present a privacy threat or vulnerability.FPT_TUD_EXT.1The PP includes FPT_TUD_EXT.1 to ensure that the TOE can be patched and that any updates to the TOE have appropriate integrity protection.FPT_API_EXT.2 (Objective)The PP includes FPT_API_EXT.2 to permit the TOE to use 
platform-provided libraries for parsing IANA MIME media formats.FCS_CKM.1/AK (Selection-based)The PP includes FCS_CKM.1/AK to specify that the TSF may rely on platform-provided asymmetric key generation services.FCS_CKM.2 (Selection-based)The PP includes FCS_CKM.2 to specify that the TSF may rely on platform-provided key establishment services.FPT_TUD_EXT.2 (Selection-based)The PP includes FPT_TUD_EXT.2 to ensure that TOE updates are packaged in a certain format, provide certain integrity protections, and remove residual data.An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with the application software or alter communications between the application software and other endpoints in order to compromise it.FCS_CKM_EXT.1The PP includes FCS_CKM_EXT.1 to specify whether the TOE or the platform is responsible for generation of any asymmetric keys that may be used for establishing trusted communications.FCS_RBG_EXT.1The PP includes FCS_RBG_EXT.1 to define whether the random bit generation services used in establishing trusted communications are implemented by the TSF or by the platform.FDP_DEC_EXT.1The PP includes FDP_DEC_EXT.1 to limit access to platform hardware resources, which limits the methods by which an attacker can attempt to remotely compromise the integrity of the TOE.FDP_NET_EXT.1The PP includes FDP_NET_EXT.1 to define the TOE’s usage of network communications, which may include the transmission or receipt of data over a trusted channel.FMT_CFG_EXT.1The PP includes FMT_CFG_EXT.1 for the TSP to limit unauthorized access to itself by preventing the use of default authentication credentials and by ensuring that the TOE uses appropriately restrictive platform permissions on its binaries and dataFMT_SMF.1The PP includes FMT_SMF.1 to define the security-relevant management functions that are supported by the TOE, which may include configuration of network 
behavior.FPR_ANO_EXT.1The PP includes FPR_ANO_EXT.1 to define how the TSF provides control to the user regarding the disclosure of any PII.FPT_AEX_EXT.1The PP includes FPT_AEX_EXT.1 to add complexity to the task of compromising systems by ensuring that the TOE implements various platform security features and can operate on a platform that is configured securely.FPT_TUD_EXT.1The PP includes FPT_TUD_EXT.1 to ensure that updates to the TOE have integrity protection and cannot be altered via network attack.FTP_DIT_EXT.1The PP includes FTP_DIT_EXT.1 to define the trusted channels used to protect data in transit, the data that is protected, and whether the trusted channels are implemented by the TSF or the platform.FPT_IDV_EXT.1 (Objective)The PP includes FPT_IDV_EXT.1 to provide a mechanism to identify the TOE version so that it can be determined whether a vulnerability is present on the system based on the installed version.FCS_CKM.1/AK (Selection-based)The PP includes FCS_CKM.1/AK to define whether the TSF or the platform generates asymmetric keys that are used in support of trusted communications.FCS_CKM.1/SK (Selection-based)The PP includes FCS_CKM.1/SK to define the mechanism used to generate symmetric keys when the TOE performs this function.FCS_CKM.2 (Selection-based)The PP includes FCS_CKM.2 to define whether the TSF or the platform performs key establishment for trusted communications.FCS_COP.1/Hash (Selection-based)The PP includes FCS_COP.1/Hash to define the hash algorithms used in support of trusted communications.FCS_COP.1/KeyedHash (Selection-based)The PP includes FCS_COP.1/KeyedHash to define the HMAC algorithms used in support of trusted communications.FCS_COP.1/SigGen (Selection-based)The PP includes FCS_COP.1/SigGen to define the digital signature algorithms used in support of trusted communications.FCS_COP.1/SigVer (Selection-based)The PP includes FCS_COP.1/SigVer to define the digital signature algorithms used in support of trusted communications 
and trusted updates.FCS_COP.1/SKC (Selection-based)The PP includes FCS_COP.1/SKC to define the symmetric encryption algorithms used in support of trusted communications.FCS_HTTPS_EXT.1 (Selection-based)The PP includes FCS_HTTPS_EXT.1 to define the TOE’s support for the HTTPS trusted communications protocol.FCS_HTTPS_EXT.2 (Selection-based)The PP includes FCS_HTTPS_EXT.2 to define the TOE’s handling of X.509 certificates in the context of HTTPS communications.FCS_RBG.1 (Selection-based)The PP includes FCS_RBG.1 to define the DRBG algorithms used in support of trusted communications.FCS_RBG.2 (Selection-based)The PP includes FCS_RBG.2 to define how entropy is obtained for secure DRBG seeding.FCS_RBG.3 (Selection-based)The PP includes FCS_RBG.3 to define how entropy is obtained for secure DRBG seeding.FCS_RBG.4 (Selection-based)The PP includes FCS_RBG.4 to define how entropy is obtained for secure DRBG seeding.FCS_RBG.5 (Selection-based)The PP includes FCS_RBG.5 to define how entropy is obtained for secure DRBG seeding.FCS_SNI_EXT.1 (Selection-based)The PP includes FCS_SNI_EXT.1 to define the proper salt, nonce, and initialization vector usage to ensure proper cryptographic operation.FPT_FLS.1 (Selection-based)The PP includes FPT_FLS.1 to ensure that the TSF will not operate when it is in a state where it is unable to generate secure random numbers.FPT_TST.1 (Selection-based)The PP includes FPT_TST.1 to ensure that the TSF can determine whether or not it is capable of generating secure random numbers.FPT_TUD_EXT.2 (Selection-based)The PP includes FPT_TUD_EXT.2 to define specific integrity protections for certain types of updates.An attacker is positioned on a communications channel or elsewhere on the network infrastructure. 
Attackers may monitor and gain access to data exchanged between the application and other endpoints.FCS_CKM_EXT.1The PP includes FCS_CKM_EXT.1 to specify whether the TOE or the platform is responsible for generation of any asymmetric keys that may be used for establishing trusted communications.FCS_RBG_EXT.1The PP includes FCS_RBG_EXT.1 to define whether the random bit generation services used in establishing trusted communications are implemented by the TSF or by the platform.FCS_STO_EXT.1The PP includes FCS_STO_EXT.1 to specify that the TSF may rely on platform-provided credential storage services.FDP_DAR_EXT.1The PP includes FDP_DAR_EXT.1 to specify that the TSF may rely on platform-provided data-at-rest protection services.FDP_NET_EXT.1The PP includes FDP_NET_EXT.1 to define the TOE’s usage of network communications, which may include the transmission or receipt of data over a trusted channel.FMT_MEC_EXT.1The PP includes FMT_MEC_EXT.1 to ensure that the TOE can use platform services to store and set configuration options.FMT_SMF.1The PP includes FMT_SMF.1 to define the security-relevant management functions that are supported by the TOE.FPR_ANO_EXT.1The PP includes FPR_ANO_EXT.1 to define how the TSF provides control to the user regarding the disclosure of any PII.FPT_API_EXT.1The PP includes FPT_API_EXT.1 to require the TOE to leverage platform functionality by using only documented and supported APIs.FPT_LIB_EXT.1The PP includes FPT_LIB_EXT.1 to ensure that the TOE does not include any unnecessary or unexpected third-party libraries which could present a privacy threat or vulnerability.FTP_DIT_EXT.1The PP includes FTP_DIT_EXT.1 to define the trusted channels used to protect data in transit, the data that is protected, and whether the trusted channels are implemented by the TSF or the platform.FPT_API_EXT.2 (Objective)The PP includes FPT_API_EXT.2 to permit the TOE to use platform-provided libraries for parsing IANA MIME media formats.FPT_IDV_EXT.1 
(Objective)The PP includes FPT_IDV_EXT.1 to provide a mechanism to identify the TOE version so that it can be determined whether a vulnerability is present on the system based on the installed version.FCS_CKM.1/AK (Selection-based)The PP includes FCS_CKM.1/AK to define whether the TSF or the platform generates asymmetric keys that are used in support of trusted communications.FCS_CKM.1/SK (Selection-based)The PP includes FCS_CKM.1/SK to define the mechanism used to generate symmetric keys when the TOE performs this function.FCS_CKM.2 (Selection-based)The PP includes FCS_CKM.2 to define whether the TSF or the platform performs key establishment for trusted communications.FCS_COP.1/Hash (Selection-based)The PP includes FCS_COP.1/Hash to define the hash algorithms used in support of trusted communications.FCS_COP.1/KeyedHash (Selection-based)The PP includes FCS_COP.1/KeyedHash to define the HMAC algorithms used in support of trusted communications.FCS_COP.1/SigVer (Selection-based)The PP includes FCS_COP.1/SigVer to define the mechanism used to verify TOE updates if the TOE implements this functionality rather than the underlying platform.FCS_COP.1/SKC (Selection-based)The PP includes FCS_COP.1/SKC to define the symmetric encryption algorithms used in support of trusted communications.FCS_HTTPS_EXT.1 (Selection-based)The PP includes FCS_HTTPS_EXT.1 to define the TOE’s support for the HTTPS trusted communications protocol.FCS_HTTPS_EXT.2 (Selection-based)The PP includes FCS_HTTPS_EXT.2 to define the TOE’s handling of X.509 certificates in the context of HTTPS communications.FCS_RBG.1 (Selection-based)The PP includes FCS_RBG.1 to define the DRBG algorithms used in support of trusted communications.FCS_RBG.2 (Selection-based)The PP includes FCS_RBG.2 to define how entropy is obtained for secure DRBG seeding.FCS_RBG.3 (Selection-based)The PP includes FCS_RBG.3 to define how entropy is obtained for secure DRBG seeding.FCS_RBG.4 (Selection-based)The PP includes FCS_RBG.4 to 
define how entropy is obtained for secure DRBG seeding.FCS_RBG.5 (Selection-based)The PP includes FCS_RBG.5 to define how entropy is obtained for secure DRBG seeding.FPT_FLS.1 (Selection-based)The PP includes FPT_FLS.1 to ensure that the TSF will not operate when it is in a state where it is unable to generate secure random numbers.FPT_TST.1 (Selection-based)The PP includes FPT_TST.1 to ensure that the TSF can determine whether or not it is capable of generating secure random numbers.An attacker may try to access sensitive data at rest.FCS_RBG_EXT.1The PP includes FCS_RBG_EXT.1 to define whether random bit generation services are implemented by the TSF or the platform. Depending on how data at rest is protected, the TOE may rely on the use of a random bit generator to create keys that are subsequently used for data protection.FCS_STO_EXT.1The PP includes FCS_STO_EXT.1 to define the mechanism that the TSF uses or relies upon to protect stored credential data.FDP_DAR_EXT.1The PP includes FDP_DAR_EXT.1 to define the mechanism that the TSF uses or relies upon to protect sensitive data at rest.FPT_IDV_EXT.1 (Objective)The PP includes FPT_IDV_EXT.1 to provide a mechanism to identify the TOE version so that it can be determined whether a vulnerability is present on the system based on the installed version.FCS_CKM.1/SK (Selection-based)The PP includes FCS_CKM.1/SK to define the TOE’s capability to generate symmetric keys. 
These keys may subsequently be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1.FCS_COP.1/Hash (Selection-based)The PP includes FCS_COP.1/Hash to define integrity mechanisms that may be used by the TOE as part of ensuring that data at rest is protected.FCS_COP.1/KeyedHash (Selection-based)The PP includes FCS_COP.1/KeyedHash to define HMAC mechanisms that may be used by the TOE as part of ensuring that data at rest is protected.FCS_COP.1/SKC (Selection-based)The PP includes FCS_COP.1/SKC to define the AES cryptographic algorithm that may be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1.FCS_PBKDF_EXT.1 (Selection-based)The PP includes FCS_PBKDF_EXT.1 to define the password-based key derivation function that may be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1.FCS_RBG.1 (Selection-based)The PP includes FCS_RBG.1 to define the DRBG algorithms used in support of trusted communications.FCS_RBG.2 (Selection-based)The PP includes FCS_RBG.2 to define how entropy is obtained for secure DRBG seeding.FCS_RBG.3 (Selection-based)The PP includes FCS_RBG.3 to define how entropy is obtained for secure DRBG seeding.FCS_RBG.4 (Selection-based)The PP includes FCS_RBG.4 to define how entropy is obtained for secure DRBG seeding.FCS_RBG.5 (Selection-based)The PP includes FCS_RBG.5 to define how entropy is obtained for secure DRBG seeding.FPT_FLS.1 (Selection-based)The PP includes FPT_FLS.1 to ensure that the TSF will not operate when it is in a state where it is unable to generate secure random numbers.FPT_TST.1 (Selection-based)The PP includes FPT_TST.1 to ensure that the TSF can determine whether or not it is capable of generating secure random numbers. + + + + + The TOE relies upon a trustworthy computing platform with a reliable time clock for + its execution. This includes the underlying platform and whatever runtime environment + it provides to the TOE. 
+ + The operational environment objective OE.PLATFORM is realized through + A.PLATFORM. + + + + The administrator of the application software is not careless, willfully + negligent or hostile, and administers the software in compliance with the applied + enterprise security policy. + + The operational environment objective OE.PROPER_ADMIN + is realized through A.PROPER_ADMIN. + + + + + The user of the application software is not willfully negligent or hostile, + and uses the software in compliance with the applied enterprise security policy. + + + The operational environment objective OE.PROPER_USER + is realized through A.PROPER_USER. + + + + + + + + + + + + + + + The following security objectives for the operational environment assist the TOE in correctly providing its security functionality. These track with the assumptions about the environment. + + + The TOE relies upon a trustworthy computing platform for + its execution. This includes the underlying operating system and any discrete execution + environment provided to the TOE. + + + The administrator of the application software is not careless, willfully + negligent or hostile, and administers the software within compliance of the applied + enterprise security policy. + + + The user of the application software is not willfully negligent or hostile, + and uses the software within compliance of the applied enterprise security + policy. + + + + + + + + + + + +
+ + This family defines requirements for management of cryptographic keys that are not addressed by FCS_CKM in CC Part 2. + + + This family defines requirements for implementation of the HTTPS protocol. + + + This family defines requirements for implementation of password-based key derivation functions. + + + This family defines requirements for the generation of random bits. + + + This family defines requirements for the secure storage of credential data. + + + + + + + The <h:b>application</h:b> shall <h:b> <selectables linebreak="yes"><selectable id="fcs_ckm.1.1_AK_1" >invoke platform-provided functionality</selectable><selectable id="fcs_ckm.1.1_AK_2" >implement functionality</selectable> </selectables> </h:b> to generate <h:b>asymmetric</h:b> cryptographic keys in accordance with a specified cryptographic key generation algorithm <selectables linebreak="yes"><selectable id="fcs_ckm.1.1_AK_3">CNSA 2.0 Compliant Algorithms: <selectables linebreak="yes"><selectable id="fcs_ckm.1.1_AK_4"><h:b>Leighton-Micali Signature Algorithm</h:b> using the parameter sets <selectables><selectable id="fcs_ckm.1.1_AK_5" >LMS_SHAKE_M24_H5</selectable><selectable id="fcs_ckm.1.1_AK_6" >LMS_SHAKE_M24_H10</selectable><selectable id="fcs_ckm.1.1_AK_7" >LMS_SHAKE_M24_H15</selectable><selectable id="fcs_ckm.1.1_AK_8" >LMS_SHAKE_M24_H25</selectable><selectable id="fcs_ckm.1.1_AK_9" >LMS_SHAKE_M32_H5</selectable><selectable id="fcs_ckm.1.1_AK_10" >LMS_SHAKE_M32_H10</selectable><selectable id="fcs_ckm.1.1_AK_11" >LMS_SHAKE_M32_H15</selectable><selectable id="fcs_ckm.1.1_AK_12" >LMS_SHAKE_M32_H25</selectable><selectable id="fcs_ckm.1.1_AK_13" >LMS_SHA256_M24_H5</selectable><selectable id="fcs_ckm.1.1_AK_14" >LMS_SHA256_M24_H10</selectable><selectable id="fcs_ckm.1.1_AK_15" >LMS_SHA256_M24_H15</selectable><selectable id="fcs_ckm.1.1_AK_16" >LMS_SHA256_M24_H25</selectable><selectable id="fcs_ckm.1.1_AK_17" >LMS_SHA256_M32_H5</selectable><selectable id="fcs_ckm.1.1_AK_18" 
>LMS_SHA256_M32_H10</selectable><selectable id="fcs_ckm.1.1_AK_19" >LMS_SHA256_M32_H15</selectable><selectable id="fcs_ckm.1.1_AK_20" >LMS_SHA256_M32_H25</selectable></selectables> that meet the following [NIST SP 800-208, "Recommendation for Stateful Hash-Based Signature Schemes"]</selectable><selectable id="fcs_ckm.1.1_AK_21"><h:b>eXtended Merkle Signature Scheme Algorithm</h:b> using the parameter sets <selectables><selectable id="fcs_ckm.1.1_AK_22" >XMSS-SHA2_10_192</selectable><selectable id="fcs_ckm.1.1_AK_23" >XMSS-SHA2_16_192</selectable><selectable id="fcs_ckm.1.1_AK_24" >XMSS-SHA2_20_192</selectable><selectable id="fcs_ckm.1.1_AK_25" >XMSS-SHA2_10_256</selectable><selectable id="fcs_ckm.1.1_AK_26" >XMSS-SHA2_16_256</selectable><selectable id="fcs_ckm.1.1_AK_27" >XMSS-SHA2_20_256</selectable><selectable id="fcs_ckm.1.1_AK_28" >XMSS-SHAKE_10_192</selectable><selectable id="fcs_ckm.1.1_AK_29" >XMSS-SHAKE_16_192</selectable><selectable id="fcs_ckm.1.1_AK_30" >XMSS-SHAKE_20_192</selectable><selectable id="fcs_ckm.1.1_AK_31" >XMSS-SHAKE_10_256</selectable><selectable id="fcs_ckm.1.1_AK_32" >XMSS-SHAKE_16_256</selectable><selectable id="fcs_ckm.1.1_AK_33" >XMSS-SHAKE_20_256</selectable></selectables> that meets the following: [NIST SP 800-208, "Recommendation for Stateful Hash-Based Signature Schemes"]</selectable><selectable id="fcs_ckm.1.1_AK_34" ><h:b>Module-Lattice-Based Key-Encapsulation Mechanism Standard</h:b> using the parameter set ML-KEM-1024 that meets the following: [FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard]</selectable><selectable id="fcs_ckm.1.1_AK_35" ><h:b>Module-Lattice-Based Digital Signature Standard</h:b> using the parameter set ML-DSA-87 that meets the following [FIPS 204, Module-Lattice-Based Digital Signature Standard]</selectable></selectables> </selectable><selectable id="fcs_ckm.1.1_AK_36">CNSA 1.0 Compliant Algorithms: <selectables linebreak="yes"><selectable id="fcs_ckm.1.1_AK_37" ><h:b>[RSA schemes]</h:b> 
using cryptographic key sizes of [<h:i>3072-bit or greater</h:i>] that meet the following: [<h:i>FIPS PUB 186-5, "Digital Signature Standard (DSS)," Appendix A.1</h:i>]</selectable><selectable id="fcs_ckm.1.1_AK_38"><h:b>[ECC schemes]</h:b> using [<h:i>“NIST curves” P-384 and <selectables><selectable id="fcs_ckm.1.1_AK_39" >P-521</selectable><selectable id="fcs_ckm.1.1_AK_40" >no other curves</selectable></selectables> </h:i>] that meet the following: [<h:i>FIPS PUB 186-5, “Digital Signature Standard (DSS),” Appendix A.2</h:i>]</selectable><selectable id="fcs_ckm.1.1_AK_41"><h:b>[FFC Schemes]</h:b> using [<h:i>“safe-prime” groups</h:i>] <selectables><selectable id="fcs_ckm.1.1_AK_42" >MODP-3072</selectable><selectable id="fcs_ckm.1.1_AK_43" >MODP-4096</selectable><selectable id="fcs_ckm.1.1_AK_44" >MODP-6144</selectable><selectable id="fcs_ckm.1.1_AK_45" >MODP-8192</selectable><selectable id="fcs_ckm.1.1_AK_46" >ffdhe-3072</selectable><selectable id="fcs_ckm.1.1_AK_47" >ffdhe-4096</selectable><selectable id="fcs_ckm.1.1_AK_48" >ffdhe-6144</selectable><selectable id="fcs_ckm.1.1_AK_49" >ffdhe-8192</selectable></selectables> that meet the following: [<h:i>NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” and <selectables><selectable id="fcs_ckm.1.1_AK_50" >RFC 3526</selectable><selectable id="fcs_ckm.1.1_AK_51" >RFC 7919</selectable></selectables> </h:i>]</selectable></selectables> </selectable> </selectables>. + The ST should claim all key generation schemes used for key establishment and entity authentication. When key generation is used for key establishment, the schemes in FCS_CKM.2.1 and selected cryptographic protocols must match the selection. 
When key generation is used for entity authentication, the public key is expected to be associated with an X.509v3 certificate.If the TOE acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.Note that ML-DSA and ML-KEM are not usable in any functions at the time of initial publication, they are added to this requirement in support of future protocol updates. As support is expanded for CNSA 2.0, CNSA 1.0 will be removed as an selection in a future update.
+
+ The evaluator shall ensure that the TSS identifies the key sizes supported by the TOE. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each schemeIf the ST selects "invoke platform-provided functionality," then the evaluator shall examine the TSS to verify that it describes how the key generation functionality is invoked and that the invocation matches the algorithm and size selections for each supported platform. The evaluator shall confirm the invocation of the platform is using non-deprecated functions provided by the platform(s).
+ The evaluator shall verify that the operational guidance instructs the administrator how to configure the TOE to use the selected key generation scheme(s) and key size(s) for all uses defined in this PP if any configuration is required.
+ If the ST selects "implement functionality," then the following test activities shall be carried out. Evaluation Activity Note: The following tests may require the developer to provide access to a developer environment that provides the evaluator with tools that are not typically available to end-users of the application Key Generation for FIPS PUB 186-5 RSA Schemes The evaluator shall verify the implementation of RSA Key Generation by the TOE using the Key Generation test.
This test verifies the ability of the TSF to correctly produce values for the key components including the public verification exponent e, the private prime factors p and q, the public modulus n and the calculation of the private signature exponent d. Key Pair generation specifies 5 ways (or methods) to generate the primes p and q. These include:Random Primes:Provable primesProbable primesPrimes with Conditions:Primes p1, p2, q1, q2, p, and q shall all be provable primesPrimes p1, p2, q1, and q2 shall be provable primes, and p and q shall be probable primesPrimes p1, p2, q1, q2, p, and q shall all be probable primes To test the key generation method for the Random Provable primes method and for all the Primes with Conditions methods, the evaluator must seed the TSF key generation routine with sufficient data to deterministically generate the RSA key pair. This includes the random seed(s), the public exponent of the RSA key, and the desired key length. For each key length supported, the evaluator shall have the TSF generate 25 key pairs. The evaluator shall verify the correctness of the TSF’s implementation by comparing values generated by the TSF with those generated from a known good implementation. If possible, the Random Probable primes method should also be verified against a known good implementation as described above. Otherwise, the evaluator shall have the TSF generate 10 keys pairs for each supported key length nlen and verify:n = p⋅q,p and q are probably prime according to Miller-Rabin tests,GCD(p-1, e) = 1,GCD(q-1, e) = 1,2 16≤ e ≤ 2 256 and e is an odd integer,|p-q| > 2 nlen/2 - 100,p ≥ 2 nlen/2 -1/2,q ≥ 2 nlen/2 -1/2,2 (nlen/2)< d < LCM(p-1, q-1),e⋅d = 1 mod LCM(p-1, q-1). Key Generation for Elliptic Curve Cryptography (ECC) FIPS 186-5 ECC Key Generation Test- For each supported NIST curve, i.e., P-384 and P-521, the evaluator shall require the implementation under test (IUT) to generate 10 private/public key pairs. 
The private key shall be generated using an approved random bit generator (RBG). To determine correctness, the evaluator shall submit the generated key pairs to the public key verification (PKV) function of a known good implementation. FIPS 186-5 Public Key Verification (PKV) Test- For each supported NIST curve, i.e., P-384 and P-521, the evaluator shall generate 10 private/public key pairs using the key generation function of a known good implementation and modify five of the public key values so that they are incorrect, leaving five values unchanged (i.e., correct). The evaluator shall obtain in response a set of 10 PASS/FAIL values. Key Generation for Finite-Field Cryptography (FFC) The evaluator shall verify the implementation of the Parameters Generation and the Key Generation for FFC by the TOE using the Parameter Generation and Key Generation test. This test verifies the ability of the TSF to correctly produce values for the field prime p, the cryptographic prime q (dividing p-1), the cryptographic group generator g, and the calculation of the private key x and public key y. The Parameter generation specifies two ways (or methods) to generate the cryptographic prime q and the field prime p: Cryptographic and Field Primes:Primes q and p shall both be provable primesPrimes q and field prime p shall both be probable primes and two ways to generate the cryptographic group generator g: Cryptographic Group Generator:Generator g constructed through a verifiable processGenerator g constructed through an unverifiable process. The Key generation specifies 2 ways to generate the private key x: Private Key:len(q) bit output of RBG where 1 ≤ x ≤ q-1len(q) + 64 bit output of RBG, followed by a mod q-1 operation where 1≤ x ≤q-1. The security strength of the RBG must be at least that of the security offered by the FFC parameter set. 
To test the cryptographic and field prime generation method for the provable primes method and/or the group generator g for a verifiable process, the evaluator must seed the TSF parameter generation routine with sufficient data to deterministically generate the parameter set. For each key length supported, the evaluator shall have the TSF generate 25 parameter sets and key pairs. The evaluator shall verify the correctness of the TSF’s implementation by comparing values generated by the TSF with those generated from a known good implementation. Verification must also confirm g ≠ 0,1q divides p-1g q mod p = 1g x mod p = y for each FFC parameter set and key pair. Testing for FFC Schemes using safe-prime groups is done as part of testing in FCS_CKM.2.1 Key Generation for LMS/XMSS For each supported LMS/LMSOTS pair, the evaluator will provide 1, 2, 3, 4, 5 seeds for H = 25, 20, 15, 10, 5 respectively where H = the height of the LMS tree. For each seed, the TOE will generate the corresponding public key which is to be verified by the evaluator using a known good implementation. Key Generation for ML-DSA The evaluator shall 10x input to the internal KeyGen function a 32-byte random seed. Verify the returned public-private key pair is correct using a known good implementation. Here internal KeyGen refers to the TOE’s implementation of the function ML-DSA.KeyGen_internal(-) as described in FIPS.204. Key Generation for ML-KEM The evaluator shall 10x input to the internal KeyGen function a pair of 32-byte random string. Verify the returned encapsulation and decapsulation key pair is correct using a known good implementation. Here internal KeyGen refers to the TOE’s implementation of the function ML-KEM.KeyGen_internal(-,-) as described in FIPS.203. 
+
+
+
+
+
+
+
+
+
+
+
+ The <h:b>application</h:b> shall <selectables><selectable id="fcs_ckm.1.1_SK_1" >invoke platform-provided functionality</selectable><selectable id="fcs_ckm.1.1_SK_2" >implement functionality</selectable> </selectables> to generate <h:b>symmetric</h:b> cryptographic keys <h:b>using a Random Bit Generator as specified in FCS_RBG_EXT.1</h:b> and specified cryptographic key sizes <h:i>256-bit</h:i>
+ This requirement is dependent on selecting any AES selection in FCS_COP.1.1/SKC. Symmetric keys may be used to generate keys along the key chain.
+
+ The evaluator shall review the TSS to determine that it describes how the functionality described by FCS_RBG_EXT.1 is invoked.If the application is relying on random bit generation from the host platform, the evaluator shall verify the TSS includes the name/manufacturer of the external RBG and describes the function call and parameters used when calling the external DRBG function. If different external RBGs are used for different platforms, the evaluator shall verify the TSS identifies each RBG for each platform. Also, the evaluator shall verify the TSS includes a short description of the vendor's assumption for the amount of entropy seeding the external DRBG. The evaluator uses the description of the RBG functionality in FCS_RBG_EXT or documentation available for the operational environment to determine that the key size being requested is identical to the key size and mode to be used for the encryption/decryption of the user data.
+ The evaluator shall verify the guidance documentation contains any information necessary to configure key sizes.
+ None.
+
+
+
+
+
+
+
+
+
+
+ <h:p>The application shall <selectables><selectable id="fcs_ckm.2.1_1" >invoke platform-provided functionality</selectable><selectable id="fcs_ckm.2.1_2" >implement functionality</selectable> </selectables> to perform cryptographic key establishment in accordance with a specified cryptographic key establishment method:</h:p> <h:p> <selectables linebreak="yes"><selectable id="fcs_ckm.2.1_3" >CNSA 2.0 Compliant Algorithm:<h:ul><h:b>Module-Lattice-Based Key-Encapsulation Mechanism Standard</h:b> using the <h:b>parameter set ML-KEM-1024</h:b> that meets the following: [FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard]</h:ul></selectable><selectable id="fcs_ckm.2.1_4">CNSA 1.0 Compliant Algorithms: <selectables linebreak="yes"><selectable id="fcs_ckm.2.1_5" ><h:b>[RSA-based key establishment schemes]</h:b> that meet the following: <h:b>[NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography”]</h:b></selectable><selectable id="fcs_ckm.2.1_6" ><h:b>[Elliptic curve-based key establishment schemes]</h:b> that meets the following: <h:b>[NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”]</h:b></selectable><selectable id="fcs_ckm.2.1_7"><h:b>[FFC Schemes using “safe-prime” groups]</h:b> that meet the following: <h:b>‘NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”</h:b> and <selectables><selectable id="fcs_ckm.2.1_8" >RFC 3526</selectable><selectable id="fcs_ckm.2.1_9" >RFC 7919</selectable></selectables> </selectable></selectables> </selectable> </selectables> </h:p> .
+ The ST author shall select all key establishment schemes used for the selected cryptographic protocols.
TLS requires cipher suites that use RSA-based key establishment schemes.The RSA-based key establishment schemes are described in Section 9 of NIST SP 800-56B; however, Section 9 relies on implementation of other sections in SP 800-56B. If the TOE acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.The elliptic curves used for the key establishment scheme shall correlate with the curves specified in FCS_CKM.1.1/AK.The domain parameters used for the finite field-based key establishment scheme are specified by the key generation according to FCS_CKM.1.1/AK.As support is expanded for CNSA 2.0, CNSA 1.0 will be removed as an selection in a future update.
+
+ The evaluator shall ensure that the supported key establishment schemes claimed in the TSS correspond to the key generation schemes identified in FCS_CKM.1.1/AK. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.If the ST selects "invoke platform-provided functionality," then the evaluator shall examine the TSS to verify that it describes how the key establishment functionality is invoked and that the invocation matches the algorithm selection for each supported platform. The evaluator shall confirm the invocation of the platform is using non-deprecated functions provided by the platform(s).
+ The evaluator shall verify that the operational guidance instructs the administrator how to configure the TOE to use the selected key establishment scheme(s) if configuration is required.
+ Evaluation Activity Note: The following tests require the developer to provide access to a test platform that provides the evaluator with tools that are typically not found on factory products. Key Establishment Schemes The evaluator shall verify the implementation of the key establishment schemes supported by the TOE using the applicable tests below.
SP800-56A Key Establishment Schemes The evaluator shall verify a TOE's implementation of SP800-56A key agreement schemes using the following Function and Validity tests. These validation tests for each key agreement scheme verify that a TOE has implemented the components of the key agreement scheme according to the specifications in the Recommendation. These components include the calculation of the DLC primitives (the shared secret value Z) and the calculation of the derived keying material (DKM) via the Key Derivation Function (KDF). If key confirmation is supported, the evaluator shall also verify that the components of key confirmation have been implemented correctly, using the test procedures described below. This includes the parsing of the DKM, the generation of MACdata and the calculation of MACtag. Function Test The Function test verifies the ability of the TOE to implement the key agreement schemes correctly. To conduct this test the evaluator shall generate or obtain test vectors from a known good implementation of the TOE supported schemes. For each supported key agreement scheme-key agreement role combination, KDF type, and if supported, key confirmation role and type combination, the tester shall generate 10 sets of test vectors. The data set consists of one set of domain parameter values (FFC) or the NIST approved curve (ECC) per 10 sets of public keys. These keys are static, ephemeral or both depending on the scheme being tested. The evaluator shall obtain the DKM, the corresponding TOE’s public keys (static and/or ephemeral), the MAC tag(s), and any inputs used in the KDF, such as the Other Information (OtherInfo) and TOE ID fields. If the TOE does not use a KDF defined in SP 800-56A, the evaluator shall obtain only the public keys and the hashed value of the shared secret. 
The evaluator shall verify the correctness of the TSF’s implementation of a given scheme by using a known good implementation to calculate the shared secret value, derive the keying material DKM, and compare hashes or MAC tags generated from these values. If key confirmation is supported, the TSF shall perform the above for each implemented approved MAC algorithm. Validity Test The Validity test verifies the ability of the TOE to recognize another party’s valid and invalid key agreement results with or without key confirmation. To conduct this test, the evaluator shall obtain a list of the supporting cryptographic functions included in the SP800-56A key agreement implementation to determine which errors the TOE should be able to recognize. The evaluator generates a set of 24 (FFC) or 30 (ECC) test vectors consisting of data sets including domain parameter values or NIST approved curves, the evaluator’s public keys, the TOE’s public/private key pairs, MACTag, and any inputs used in the KDF, such as the OtherInfo and TOE ID fields. The evaluator shall inject an error in some of the test vectors to test that the TOE recognizes invalid key agreement results caused by the following fields being incorrect: the shared secret value Z, the DKM, the OtherInfo field, the data to be MACed, or the generated MACTag. If the TOE contains the full or partial (only ECC) public key validation, the evaluator will also individually inject errors in both parties’ static public keys, both parties’ ephemeral public keys and the TOE’s static private key to ensure that the TOE detects errors in the public key validation function and/or the partial key validation function (in ECC only). At least two of the test vectors shall remain unmodified and therefore should result in valid key agreement results (they should pass). The TOE shall use these modified test vectors to emulate the key agreement scheme using the corresponding parameters. 
The evaluator shall compare the TOE’s results with the results obtained by using a known good implementation verifying that the TOE detects these errors. SP800-56B Key Establishment Schemes The evaluator shall verify that the TSS describes whether the TOE acts as a sender, a recipient, or both for RSA-based key establishment schemes. If the TOE acts as a sender, the following evaluation activity shall be performed to ensure the proper operation of every TOE supported combination of RSA-based key establishment scheme: To conduct this test the evaluator shall generate or obtain test vectors from a known good implementation of the TOE supported schemes. For each combination of supported key establishment scheme and its options (with or without key confirmation if supported, for each supported key confirmation MAC function if key confirmation is supported, and for each supported mask generation function if KTS-OAEP is supported), the tester shall generate 10 sets of test vectors. Each test vector shall include the RSA public key, the plaintext keying material, any additional input parameters if applicable, the MacKey and MacTag if key confirmation is incorporated, and the outputted ciphertext. For each test vector, the evaluator shall perform a key establishment encryption operation on the TOE with the same inputs (in cases where key confirmation is incorporated, the test shall use the MacKey from the test vector instead of the randomly generated MacKey used in normal operation) and ensure that the outputted ciphertext is equivalent to the ciphertext in the test vector. If the TOE acts as a receiver, the following evaluation activities shall be performed to ensure the proper operation of every TOE supported combination of RSA-based key establishment scheme: To conduct this test the evaluator shall generate or obtain test vectors from a known good implementation of the TOE supported schemes. 
For each combination of supported key establishment scheme and its options (with or without key confirmation if supported, for each supported key confirmation MAC function if key confirmation is supported, and for each supported mask generation function if KTS-OAEP is supported), the tester shall generate 10 sets of test vectors. Each test vector shall include the RSA private key, the plaintext keying material (KeyData), any additional input parameters if applicable, the MacTag in cases where key confirmation is incorporated, and the outputted ciphertext. For each test vector, the evaluator shall perform the key establishment decryption operation on the TOE and ensure that the outputted plaintext keying material (KeyData) is equivalent to the plaintext keying material in the test vector. In cases where key confirmation is incorporated, the evaluator shall perform the key confirmation steps and ensure that the outputted MacTag is equivalent to the MacTag in the test vector. The evaluator shall ensure that the TSS describes how the TOE handles decryption errors. In accordance with NIST Special Publication 800-56B, the TOE must not reveal the particular error that occurred, either through the contents of any outputted or logged error message or through timing variations. If KTS-OAEP is supported, the evaluator shall create separate contrived ciphertext values that trigger each of the three decryption error checks described in NIST Special Publication 800-56B section 7.2.2.3, ensure that each decryption attempt results in an error, and ensure that any outputted or logged error message is identical for each. If KTS-KEM-KWS is supported, the evaluator shall create separate contrived ciphertext values that trigger each of the three decryption error checks described in NIST Special Publication 800-56B section 7.2.3.3, ensure that each decryption attempt results in an error, and ensure that any outputted or logged error message is identical for each. 
FFC Schemes using “safe-prime” groups The evaluator shall verify the correctness of the TSF’s implementation of safe-prime groups by using a known good implementation for each protocol selected in FTP_DIT_EXT.1 that uses safe-prime groups. This test must be performed for each safe-prime group that each protocol uses. ML-KEM Key Establishment Schemes To test encapsulation the evaluator shall 10x input to the internal Encaps function a random 32-byte string and an encapsulation key. Verify the returned cipher text and shared secret is correct using a known good implementation. Here internal refers to the TOE’s implementation of the function ML-KEM.Encaps_internal(-,-) as described in FIPS.203.To test decapsulation the evaluator shall 10x input to the internal Decaps function a cipher text and decapsulation key. Verify the returned shared secret is correct using a known good implementation. The tests should include a mix of valid and invalid/garbled cipher texts. Here internal refers to the TOE’s implementation of the function ML-KEM.Decaps_internal(-,-) as described in FIPS.203.
+
+
+
+
+
+ requires the TSF to specify whether asymmetric key generation is implemented by the TSF, invoked from the operational environment, or not used by the TOE.
+ No specific management functions are identified.
+ There are no auditable events foreseen.
+ No dependencies.
+
+ The application shall <selectables linebreak="yes"><selectable id="fcs_ckm_ext.1.1_1" exclusive="yes">generate no asymmetric cryptographic keys</selectable><selectable id="sel_invoke_genkey" >invoke platform-provided functionality for asymmetric key generation</selectable><selectable id="sel_impl_genkey" >implement asymmetric key generation</selectable> </selectables>.
+ If "implement asymmetric key generation" or "invoke platform-provided functionality for asymmetric key generation" is selected, then FCS_CKM.1/AK must be claimed in the ST.
+ + The evaluator shall examine the TSS to verify that it describes whether the TSF has functions that require the use of asymmetric key generation services, and whether these services are implemented within the TOE boundary or invoked by the TSF from its operational environment.Conditional: If the ST claims "generate no asymmetric keys," the evaluator shall ensure that the TOE does not have any functions that would require asymmetric key generation (for example, because it does not use asymmetric keys for any purpose or because the keys that it does use are generated elsewhere and imported into it as part of initial setup). + None. + None. + + + + + + + + + + + The <h:b>application</h:b> shall perform [<h:i>cryptographic hashing services</h:i>] in accordance with a specified cryptographic algorithm <selectables linebreak="yes"><selectable id="fcs_cop.1.1_Hash_1" >SHA-256</selectable><selectable id="fcs_cop.1.1_Hash_2" >SHA-384</selectable><selectable id="fcs_cop.1.1_Hash_3" >SHA-512</selectable> </selectables> and <h:b>message digest</h:b> sizes <selectables linebreak="yes"><selectable id="fcs_cop.1.1_Hash_4" >256</selectable><selectable id="fcs_cop.1.1_Hash_5" >384</selectable><selectable id="fcs_cop.1.1_Hash_6" >512</selectable> </selectables> <h:b>bits</h:b> that meet the following: [<h:i>FIPS Pub 180-4, "Secure Hash Standard"</h:i>]. + This is dependent on implementing cryptographic functionality, as in FTP_DIT_EXT.1.The intent of this requirement is to specify the hashing function. The hash selection must support the message digest size selection. + + The evaluator shall check that the association of the hash function with other application cryptographic functions (for example, the digital signature verification function) is documented in the TSS. + The evaluator shall verify the guidance documentation contains any information required for configuring the algorithm or size. + + The TSF hashing functions can be implemented in one of two modes. 
The first mode is the byte-oriented mode. In this mode the TSF hashes only messages that are an integral number of bytes in length; i.e., the length (in bits) of the message to be hashed is divisible by 8. The second mode is the bit-oriented mode. In this mode the TSF hashes messages of arbitrary length. As there are different tests for each mode, an indication is given in the following sections for the bit-oriented vs. the byte-oriented test MACs. The evaluator shall perform all of the following tests for each hash algorithm implemented by the TSF and used to satisfy the requirements of this PP. The following tests require the developer to provide access to a test application that provides the evaluator with tools that are typically not found in the production application. + + Short Messages Test - Bit-oriented Mode. The evaluators devise an input set consisting of m+1 messages, where m is the block length of the hash algorithm. The length of the messages range sequentially from 0 to m bits. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF. + Short Messages Test - Byte-oriented Mode. The evaluators devise an input set consisting of m/8+1 messages, where m is the block length of the hash algorithm. The length of the messages range sequentially from 0 to m/8 bytes, with each message being an integral number of bytes. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF. + Selected Long Messages Test - Bit-oriented Mode. The evaluators devise an input set consisting of m messages, where m is the block length of the hash algorithm. The length of the ith message is 512 + 99*i, where 1 ≤ i ≤ m. The message text shall be pseudorandomly generated. 
The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF. + Selected Long Messages Test - Byte-oriented Mode. The evaluators devise an input set consisting of m/8 messages, where m is the block length of the hash algorithm. The length of the ith message is 512 + 8*99*i, where 1 ≤ i ≤ m/8. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF. + Pseudorandomly Generated Messages Test. This test is for byte-oriented implementations only. The evaluators randomly generate a seed that is n bits long, where n is the length of the message digest produced by the hash function to be tested. The evaluators then formulate a set of 100 messages and associated digests by following the algorithm provided in Figure 1 of [SHAVS]. The evaluators then ensure that the correct result is produced when the messages are provided to the TSF. + + + + + + + + + + + + + The <h:b>application</h:b> shall perform [<h:i>keyed-hash message authentication</h:i>] in accordance with a specified cryptographic algorithm <selectables linebreak="yes"><selectable id="fcs_cop.1.1_KeyedHash_1" >HMAC-SHA-256</selectable><selectable id="fcs_cop.1.1_KeyedHash_2" >HMAC-SHA-384</selectable><selectable id="fcs_cop.1.1_KeyedHash_3" >HMAC-SHA-512</selectable> </selectables> <h:b>with</h:b> key sizes <assignable>key size (in bits) used in HMAC</assignable> <h:b>and message digest sizes</h:b> <selectables><selectable id="fcs_cop.1.1_KeyedHash_5" >256</selectable><selectable id="fcs_cop.1.1_KeyedHash_6" >384</selectable><selectable id="fcs_cop.1.1_KeyedHash_7" >512</selectable> </selectables> <h:b>bits</h:b> that meet the following: [<h:i>FIPS Pub 198-1, "The Keyed-Hash Message Authentication Code," and FIPS Pub 180-4, "Secure Hash Standard"</h:i>]. 
+ This is dependent on implementing cryptographic functionality, as in FTP_DIT_EXT.1.The intent of this requirement is to specify the keyed-hash message authentication function used for key establishment purposes for the various cryptographic protocols used by the application (e.g., trusted channel). The hash selection must support the message digest size selection. + + + The evaluator shall perform the following activities based on the selections in the ST: + + None. + The evaluator shall verify the guidance documentation contains any information required for configuring the algorithm or size. + For each of the supported parameter sets, the evaluator shall compose 15 sets of test data. Each set shall consist of a key and message data. The evaluator shall have the TSF generate HMAC tags for these sets of test data. The resulting MAC tags shall be compared to the result of generating HMAC tags with the same key and IV using a known-good implementation. + + + + + + + + + + + The <h:b>application</h:b> shall perform [<h:i>cryptographic signature services (generation)</h:i>] in accordance with a specified cryptographic algorithm <selectables linebreak="yes"><selectable id="fcs_cop.1.1_SigGen_1" >CNSA 2.0 Compliant Algorithm:<h:ul><h:b>Module-Lattice-Based Digital Signature Standard</h:b> using the parameter set ML-DSA-87 that meets the following [FIPS 204, Module-Lattice-Based Digital Signature Standard]</h:ul></selectable><selectable id="fcs_cop.1.1_SigGen_2">CNSA 1.0 Compliant Algorithms: <selectables linebreak="yes"><selectable id="fcs_cop.1.1_SigGen_3" ><h:b>RSA schemes</h:b> using cryptographic key sizes of [3072-bit or greater] that meet the following: [FIPS PUB 186-5, “Digital Signature Standard (DSS),” Section 5]</selectable><selectable id="fcs_cop.1.1_SigGen_4"><h:b>ECDSA schemes</h:b> using [“NIST curves” <selectables><selectable id="fcs_cop.1.1_SigGen_5" >P-384</selectable><selectable id="fcs_cop.1.1_SigGen_6" >P-521</selectable></selectables> ] that meet 
the following: [FIPS PUB 186-5, “Digital Signature Standard (DSS),” Section 6]</selectable></selectables> </selectable> </selectables>.
+ This is dependent on implementing cryptographic functionality, as in FTP_DIT_EXT.1.The ST author should choose the algorithm implemented to perform digital signatures; if more than one algorithm is available, this requirement should be iterated to specify the functionality. For the algorithm chosen, the ST author should make the appropriate assignments/selections to specify the parameters that are implemented for that algorithm.Note ML-DSA is not able to be used in any functions at the time of publication, it is being added for future support. As support is expanded for CNSA 2.0, CNSA 1.0 will be removed as an selection in a future update.
+
+
+ The evaluator shall perform the following activities based on the selections in the ST.
+
+
+ The evaluator shall verify the guidance documentation contains any information required for configuring the algorithm or size.
+
+ The following tests require the developer to provide access to a test application that provides the evaluator with tools that are typically not found in the production application.
+
+ ECDSA Algorithm Test
+ ECDSA FIPS 186-5 Signature Generation Test. For each supported NIST curve (i.e., P-384 and P-521) and SHA function pair, the evaluator shall generate 10 1024-bit long messages and obtain for each message a public key and the resulting signature values R and S. To determine correctness, the evaluator shall use the signature verification function of a known good implementation.
+
+
+ RSA Signature Algorithm Test
+ Signature Generation Test. The evaluator shall verify the implementation of RSA Signature Generation by the TOE using the Signature Generation Test. To conduct this test the evaluator must generate or obtain 10 messages from a trusted reference implementation for each modulus size/SHA combination supported by the TSF.
The evaluator shall have the TOE use their private key and modulus value to sign these messages. The evaluator shall verify the correctness of the TSF’s signature using a known good implementation and the associated public keys to verify the signatures.
+
+
+ ML-DSA Test
+ The evaluator shall 10x input to the internal Sign function a 32-byte random string, private key, and a randomly generated message. Check and confirm the value of the returned signature using a known good implementation. Here internal Sign refers to the TOE’s implementation of the function ML-DSA.Sign_internal(-,-,-) as described in NIST FIPS PUB 204.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The <h:b>application</h:b> shall perform [<h:i>cryptographic signature services (verification)</h:i>] in accordance with a specified cryptographic algorithm <selectables linebreak="yes"><selectable id="fcs_cop.1.1_SigVer_1">CNSA 2.0 Compliant Algorithms: <selectables linebreak="yes"><selectable id="fcs_cop.1.1_SigVer_2"><h:b>Leighton-Micali Signature Algorithm</h:b> for verification using cryptographic key sizes of <selectables><selectable id="fcs_cop.1.1_SigVer_3" >192</selectable><selectable id="fcs_cop.1.1_SigVer_4" >256</selectable></selectables> bits that meet the following [NIST SP 800-208, "Recommendation for Stateful Hash-Based Signature Schemes"]</selectable><selectable id="fcs_cop.1.1_SigVer_5"><h:b>eXtended Merkle Signature Scheme Algorithm</h:b> for verification using cryptographic key sizes of <selectables><selectable id="fcs_cop.1.1_SigVer_6" >192</selectable><selectable id="fcs_cop.1.1_SigVer_7" >256</selectable></selectables> bits that meets the following: [NIST SP 800-208, "Recommendation for Stateful Hash-Based Signature Schemes"]</selectable><selectable id="fcs_cop.1.1_SigVer_8" ><h:b>Module-Lattice-Based Digital Signature Standard</h:b> using the parameter set ML-DSA-87 that meets the following [FIPS 204, Module-Lattice-Based Digital Signature Standard]</selectable></selectables>
</selectable><selectable id="fcs_cop.1.1_SigVer_9">CNSA 1.0 Compliant Algorithms: <selectables linebreak="yes"><selectable id="fcs_cop.1.1_SigVer_10" ><h:b>RSA schemes</h:b> using cryptographic key sizes of [3072-bit or greater] that meet the following: [FIPS PUB 186-5, “Digital Signature Standard (DSS),” Section 5]</selectable><selectable id="fcs_cop.1.1_SigVer_11"><h:b>ECDSA schemes</h:b> using [“NIST curves” <selectables><selectable id="fcs_cop.1.1_SigVer_12" >P-384</selectable><selectable id="fcs_cop.1.1_SigVer_13" >P-521</selectable></selectables> ] that meet the following: [FIPS PUB 186-5, “Digital Signature Standard (DSS),” Section 6]</selectable></selectables> </selectable> </selectables>.
+ This is dependent on implementing cryptographic functionality, as in FTP_DIT_EXT.1.The ST author should choose the algorithm implemented to perform digital signatures; if more than one algorithm is available, this requirement should be iterated to specify the functionality. For the algorithm chosen, the ST author should make the appropriate assignments/selections to specify the parameters that are implemented for that algorithm.Note ML-DSA is not able to be used in any functions at the time of publication, it is being added for future support. As support is expanded for CNSA 2.0, CNSA 1.0 will be removed as an selection in a future update.
+
+
+ The evaluator shall perform the following activities based on the selections in the ST.
+
+ None.
+ The evaluator shall verify the guidance documentation contains any information required for configuring the algorithm or size.
+
+ The following tests require the developer to provide access to a test application that provides the evaluator with tools that are typically not found in the production application.
+
+ ECDSA Algorithm Test
+ ECDSA FIPS 186-5 Signature Verification Test.
For each supported NIST curve (i.e., P-384 and P-521) and SHA function pair, the evaluator shall generate a set of 10 1024-bit message, public key and signature tuples and modify one of the values (message, public key or signature) in five of the 10 tuples. The evaluator shall obtain in response a set of 10 PASS/FAIL values.
+
+
+ RSA Signature Algorithm Test
+ Signature Verification Test. The evaluator shall perform the Signature Verification test to verify the ability of the TOE to recognize another party’s valid and invalid signatures. The evaluator shall inject errors into the test vectors produced during the Signature Verification Test by introducing errors in some of the public keys, e, messages, IR format, and/or signatures. The TOE attempts to verify the signatures and returns success or failure.
+
+
+ LMS/XMSS Signature Algorithm Test
+ For each supported LMS/LMSOTS pair, the evaluator generates a private/public key pair. With the private key, the evaluator generates 4 messages of length 1024 bits. The messages and public key are provided to the TOE. The signature for each message is generated with the following error types "none", “modify message”, “modify signature”, “modify header”. For "none" the message is unmodified and the signature is correct. For "modify message" the signature is for a modified message where a single bit is flipped. For "modify signature", one bit of the signature is flipped. For "modify header" the signature uses a different LMS/LMSOTS pair. Each error type is represented. For each message, signature pair the TOE returns "true" or "false" depending on whether the signature verifies or not.
+
+
+ ML-DSA Test
+ The evaluator shall 10x input to the internal SigVer function, a public key, message and signature. Verify the signature. Tests should involve a mix of good and bad signatures generated using different messages, keys, etc.
Here internal SigVer refers to the TOE’s implementation of the function ML-DSA.Verify_internal(-,-,-) as described in FIPS.204.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The <h:b>application</h:b> shall <selectables><selectable id="fcs_cop.1.1_SKC_1" >perform</selectable><selectable id="fcs_cop.1.1_SKC_2" >invoke the platform to perform</selectable> </selectables> [<h:i>encryption and decryption</h:i>] in accordance with a specified cryptographic algorithm <selectables linebreak="yes"><selectable id="sel_aes_cbc" >AES-CBC (as defined in NIST SP 800-38A) mode</selectable><selectable id="sel_aes_gcm" >AES-GCM (as defined in NIST SP 800-38D) mode</selectable><selectable id="sel_aes_xts" >AES-XTS (as defined in NIST SP 800-38E) mode</selectable><selectable id="sel_aes_ccm" >AES-CCM (as defined in NIST SP 800-38C) mode</selectable><selectable id="sel_aes_ctr" >AES-CTR (as defined in NIST SP 800-38A) mode</selectable> </selectables> and cryptographic key size of [<h:i>256-bits</h:i>].
+ This is dependent on implementing cryptographic functionality, as in FTP_DIT_EXT.1.For the selection, the ST author should choose the mode or modes in which AES operates.It is expected that symmetric keys will be generated or imported by the TSF as a dependency on this function, so FCS_CKM.1/SK must be claimed when this SFR is claimed. FCS_SNI_EXT.1 must also be claimed to define what, if any, salts the cryptographic algorithm implementation uses.
+
+ Conditional: If AES-GCM is selected, the evaluator shall verify the tag length is described in the TSS and that a tag length of at least 128 is used unless the following "Appendix C: Requirements and Guidelines for Using Short Tags" is being followed from NIST SP 800-38D.
+ The evaluator checks the guidance documents to determine that any configuration that is required to be done to configure the functionality for the required modes and key size is present.
+ The evaluator shall perform all of the following tests for each algorithm implemented by the TSF and used to satisfy the requirements of this PP: AES-CBC Known Answer Tests There are four Known Answer Tests (KATs), described below. In all KATs, the plaintext, ciphertext, and IV values shall be 128-bit blocks. The results from each test may either be obtained by the evaluator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation. KAT-1. To test the encrypt functionality of AES-CBC, the evaluator shall supply a set of 5 plaintext values and obtain the ciphertext value that results from AES-CBC encryption of the given plaintext using a key value of all zeros and an IV of all zeros. Five plaintext values shall be encrypted with a 256-bit all- zeros key. To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using 10 ciphertext values as input and AES-CBC decryption.KAT-2. To test the encrypt functionality of AES-CBC, the evaluator shall supply a set of 5 key values and obtain the ciphertext value that results from AES-CBC encryption of an all-zeros plaintext using the given key value and an IV of all zeros. The keys shall be 256-bit keys. To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using an all-zero ciphertext value as input and AES-CBC decryption.KAT-3. To test the encrypt functionality of AES-CBC, the evaluator shall supply the set of key values described below and obtain the ciphertext value that results from AES encryption of an all-zeros plaintext using the given key value and an IV of all zeros. The set of keys shall have 256-bit keys. Key i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1,N]. 
To test the decrypt functionality of AES-CBC, the evaluator shall supply the sets of key and ciphertext value pairs described below and obtain the plaintext value that results from AES-CBC decryption of the given ciphertext using the given key and an IV of all zeros. The set of key/ciphertext pairs shall have 256-bit key/ciphertext pairs. Key i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1,N]. The ciphertext value in each pair shall be the value that results in an all-zeros plaintext when decrypted with its corresponding key.KAT-4. To test the encrypt functionality of AES-CBC, the evaluator shall supply the set of 128 plaintext values described below and obtain the ciphertext values that result from AES-CBC encryption of the given plaintext using a 256-bit key value of all zeros with an IV of all zeros. Plaintext value i in each set shall have the leftmost i bits be ones and the rightmost 128-i bits be zeros, for i in [1,128]. To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using ciphertext values of the same form as the plaintext in the encrypt test as input and AES-CBC decryption. AES-CBC Multi-Block Message Test The evaluator shall test the encrypt functionality by encrypting an i-block message where 1 < i ‌‌<= 10. The evaluator shall choose a key, an IV and plaintext message of length i blocks and encrypt the message, using the mode to be tested, with the chosen key and IV. The ciphertext shall be compared to the result of encrypting the same plaintext message with the same key and IV using a known good implementation. The evaluator shall also test the decrypt functionality for each mode by decrypting an i-block message where 1 < i ‌‌<=10. The evaluator shall choose a key, an IV and a ciphertext message of length i blocks and decrypt the message, using the mode to be tested, with the chosen key and IV. 
The plaintext shall be compared to the result of decrypting the same ciphertext message with the same key and IV using a known good implementation. AES-CBC Monte Carlo Tests The evaluator shall test the encrypt functionality using a set of 100 plaintext, IV, and key 3-tuples. 100 of these shall use shall use 256-bit keys. The plaintext and IV values shall be 128-bit blocks. For each 3-tuple, 1000 iterations shall be run as follows: # Input: PT, IV, Key
+for i = 1 to 1000:
+ if i == 1:
+ CT[1] = AES-CBC-Encrypt(Key, IV, PT)
+ PT = IV
+ else:
+ CT[i] = AES-CBC-Encrypt(Key, PT)
+ PT = CT[i-1] The ciphertext computed in the 1000th iteration (i.e., CT[1000]) is the result for that trial. This result shall be compared to the result of running 1000 iterations with the same values using a known good implementation. The evaluator shall test the decrypt functionality using the same test as for encrypt, exchanging CT and PT and replacing AES-CBC-Encrypt with AES-CBC-Decrypt. AES-GCM Monte Carlo Tests The evaluator shall test the authenticated encrypt functionality of AES-GCM for each combination of the following input parameter lengths: 256-bit keysTwo plaintext lengths. One of the plaintext lengths shall be a non-zero integer multiple of 128 bits, if supported. The other plaintext length shall not be an integer multiple of 128 bits, if supported.Three AAD lengths. One AAD length shall be 0, if supported. One AAD length shall be a non-zero integer multiple of 128 bits, if supported. One AAD length shall not be an integer multiple of 128 bits, if supported.Two IV lengths. If 96 bit IV is supported, 96 bits shall be one of the two IV lengths tested. The evaluator shall test the encrypt functionality using a set of 10 key, plaintext, AAD, and IV tuples for each combination of parameter lengths above and obtain the ciphertext value and tag that results from AES-GCM authenticated encrypt. Each supported tag length shall be tested at least once per set of 10.
The IV value may be supplied by the evaluator or the implementation being tested, as long as it is known. The evaluator shall test the decrypt functionality using a set of 10 key, ciphertext, tag, AAD, and IV 5-tuples for each combination of parameter lengths above and obtain a Pass/Fail result on authentication and the decrypted plaintext if Pass. The set shall include five tuples that Pass and five that Fail. The results from each test may either be obtained by the evaluator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation. AES-XTS Tests The evaluator shall test the encrypt functionality of XTS-AES for each combination of the following input parameter lengths: 512 bit (for AES-256) keys Three data unit (i.e., plaintext) lengths. One of the data unit lengths shall be a non-zero integer multiple of 128 bits, if supported. One of the data unit lengths shall not be an integer multiple of 128 bits, if supported. The third data unit length shall be either the longest supported data unit length or 216 bits, whichever is smaller. Using a set of 100 (key, plaintext and 128-bit random tweak value) 3-tuples, the evaluator shall obtain the ciphertext that results from XTS-AES encrypt. The evaluator may supply a data unit sequence number instead of the tweak value if the implementation supports it. The data unit sequence number is a base-10 number ranging between 0 and 255 that implementations convert to a tweak value internally. The evaluator shall test the decrypt functionality of XTS-AES using the same test as for encrypt, replacing plaintext values with ciphertext values and XTS-AES encrypt with XTS-AES decrypt. 
AES-CCM Tests It is not recommended that evaluators use values obtained from static sources such as http://csrc.nist.gov/groups/STM/cavp/documents/mac/ccmtestvectors.zip or use values not generated expressly to exercise the AES-CCM implementation. The evaluator shall test the generation-encryption and decryption-verification functionality of AES-CCM for the following input parameter and tag lengths: Keys: All supported and selected key sizes (e.g., 256 bits).Associated Data: Two or three values for associated data length: The minimum (≥ 0 bytes) and maximum (≤ 32 bytes) supported associated data lengths, and 2^16 (65536) bytes, if supported.Payload: Two values for payload length: The minimum (≥ 0 bytes) and maximum (≤ 32 bytes) supported payload lengths.Nonces: All supported nonce lengths (7, 8, 9, 10, 11, 12, 13) in bytes.Tag: All supported tag lengths (4, 6, 8, 10, 12, 14, 16) in bytes. The testing for CCM consists of five tests. To determine correctness in each of the below tests, the evaluator shall compare the ciphertext with the result of encryption of the same inputs with a known good implementation. Variable Associated Data Test For each supported key size and associated data length, and any supported payload length, nonce length, and tag length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload values, and obtain the resulting ciphertext. Variable Payload Test For each supported key size and payload length, and any supported associated data length, nonce length, and tag length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload values, and obtain the resulting ciphertext. 
Variable Nonce Test For each supported key size and nonce length, and any supported associated data length, payload length, and tag length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload values, and obtain the resulting ciphertext. Variable Tag Test For each supported key size and tag length, and any supported associated data length, payload length, and nonce length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload values, and obtain the resulting ciphertext. Decryption-Verification Process Test To test the decryption-verification functionality of AES-CCM, for each combination of supported associated data length, payload length, nonce length, and tag length, the evaluator shall supply a key value and 15 sets of input plus ciphertext, and obtain the decrypted payload. Ten of the 15 input sets supplied should fail verification and five should pass. AES-CTR Tests Test 1: Known Answer Tests (KATs) There are four Known Answer Tests (KATs) described below. For all KATs, the plaintext, IV, and ciphertext values shall be 128-bit blocks. The results from each test may either be obtained by the validator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation. KAT-1. To test the encrypt functionality, the evaluator shall supply a set of 5 plaintext values and obtain the ciphertext value that results from encryption of the given plaintext using a key value of all zeros and an IV of all zeros. Five plaintext values shall be encrypted with a 256-bit all zeros key. To test the decrypt functionality, the evaluator shall perform the same test as for encrypt, using 5 ciphertext values as input.KAT-2. 
To test the encrypt functionality, the evaluator shall supply a set of 5 key values and obtain the ciphertext value that results from encryption of an all zeros plaintext using the given key value and an IV of all zeros. Five of the key values shall be 256-bit keys. To test the decrypt functionality, the evaluator shall perform the same test as for encrypt, using an all zero ciphertext value as input.KAT-3. To test the encrypt functionality, the evaluator shall supply the key values described below and obtain the ciphertext values that result from AES encryption of an all zeros plaintext using the given key values an an IV of all zeros. The set of keys shall have 256 256-bit keys. Key_i shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1, N]. To test the decrypt functionality, the evaluator shall supply the key and ciphertext value pairs described below and obtain the plaintext value that results from decryption of the given ciphertext using the given key values and an IV of all zeros. The first set of key/ciphertext pairs shall have 256 256-bit pairs. Key_i shall have the leftmost i bits be ones and the rightmost N-i bits be zeros for i in [1, N]. The ciphertext value in each pair shall be the value that results in an all zeros plaintext when decrypted with its corresponding key.KAT-4. To test the encrypt functionality, the evaluator shall supply the set of 128 plaintext values described below and obtain the ciphertext values that result from encryption of the given plaintext using a 256-bit key value of all zeros, and an IV of all zeros. Plaintext value i in each set shall have the leftmost bits be ones and the rightmost 128-i bits be zeros, for i in [1, 128]. To test the decrypt functionality, the evaluator shall perform the same test as for encrypt, using ciphertext values of the same form as the plaintext in the encrypt test as input. 
Test 2: Multi-Block Message Test The evaluator shall test the encrypt functionality by encrypting an i-block message where 1 less-than i less-than-or-equal to 10. For each i the evaluator shall choose a key, IV, and plaintext message of length i blocks and encrypt the message, using the mode to be tested, with the chosen key. The ciphertext shall be compared to the result of encrypting the same plaintext message with the same key and IV using a known good implementation. The evaluator shall also test the decrypt functionality by decrypting an i-block message where 1 less-than i less-than-or-equal to 10. For each i the evaluator shall choose a key and a ciphertext message of length i blocks and decrypt the message, using the mode to be tested, with the chosen key. The plaintext shall be compared to the result of decrypting the same ciphertext message with the same key using a known good implementation. Test 3: Monte-Carlo Test For AES-CTR mode, perform the Monte Carlo Test for ECB Mode on the encryption engine of the counter mode implementation. There is no need to test the decryption engine. The evaluator shall test the encrypt functionality using 100 plaintext/key pairs. 100 of these shall use 256-bit keys. The plaintext values shall be 128-bit blocks. For each pair, 1000 iterations shall be run as follows:
+ For AES-ECB mode
+ # Input: PT, Key
+ for i = 1 to 1000:
+ CT[i] = AES-ECB-Encrypt(Key, PT)
+ PT = CT[i]
+ The ciphertext computed in the 1000th iteration is the result for that trial. This result shall be compared to the result of running 1000 iterations with the same values using a known good implementation.
+
+
+
+
+
+
+
+
+ defines the capability of the TOE to implement HTTPS.
+ No specific management functions are identified.
+ There are no auditable events foreseen.
+ FCS_TLS_EXT.1 TLS Protocol
+
+ The application shall implement the HTTPS protocol as a <selectables><selectable id="https_client" >client</selectable><selectable id="https_server_noauth" >server</selectable><selectable id="https_server_auth" >server with mutual authentication</selectable> </selectables> that complies with RFC 2818.
+
+ The evaluator shall examine the TSS to verify that it describes the TSF's HTTPS implementation as a client, server, or both, and that if the TSF implements an HTTPS server, whether this supports mutual authentication. Additionally, the evaluator shall examine the TSS to verify that it includes enough detail is provided to explain how the implementation complies with RFC 2818.
+ The evaluator shall review the operational guidance to ensure that it includes any information necessary for configuring HTTPS in alignment with RFC 2818, or whether this is the default behavior of the TOE.
+
+
+ Conditional: If the TOE implements HTTPS as a client, for each HTTPS client interface, the evaluator shall attempt to establish an HTTPS connection from the TOE to an external server, observe the traffic with a packet analyzer, and verify that the connection succeeds and that the traffic is identified as TLS or HTTPS.
+ Conditional: If the TOE implements HTTPS as a server, for each HTTPS server interface, the evaluator shall attempt to establish an HTTPS connection to the TOE using a client, observe the traffic with a packet analyzer, and verify that the connection succeeds and that the traffic is identified as TLS or HTTPS.
+
+
+
+
+
+ The application shall implement HTTPS using TLS as defined in the Functional Package for TLS.
+ This SFR is claimed when FTP_DIT_EXT.1 specifies the TOE's use
+ of HTTPS as a trusted protocol. If the TSF implements HTTPS as a client, or if it implements HTTPS as a server with mutual authentication, then FCS_HTTPS_EXT.2 must be claimed to specify the TSF's behavior when presented with an invalid peer certificate.
+
+
+
+
+
+
+
+
+ defines the TSF's response when an invalid certificate is presented as part of HTTPS connection establishment.
+ The following actions could be considered for the management functions in FMT:Configuration of HTTPS behavior in response to receipt of invalid certificate.
+ There are no auditable events foreseen.
+ FCS_HTTPS_EXT.1 HTTPS ProtocolFIA_X509_EXT.1 X.509 Certificate Validation
+
+ The application shall <selectables><selectable id="fcs_https_ext.2.1_1" >establish the connection</selectable><selectable id="fcs_https_ext.2.1_2" >not establish the connection</selectable><selectable id="fcs_https_ext.2.1_3" >establish or not establish the connection based on an administrative or user setting</selectable> </selectables> if the peer certificate is deemed invalid when attempting to establish a HTTPS connection.
+ This SFR is claimed when the TOE implements HTTPS as a client, or when the TOE implements HTTPS as a server with support for mutual authentication.
+
+ The evaluator shall verify that the TSS describes the TOE's behavior when an invalid peer certificate is presented to it during establishment of an HTTPS connection.
+ If the TOE's response to being presented with an invalid certificate is configurable, the evaluator shall verify that the operational guidance includes instructions for configuring this behavior and what the configurable options are. If this includes configuration to a permissive setting where an invalid certificate may be accepted without administrator intervention, the evaluator shall verify that the operational guidance includes sufficient warning of the potential security risks of applying this setting.
+ The evaluator shall attempt to establish an HTTPS connection using the
+ TOE, present an invalid peer certificate, and verify that the TSF behaves in the manner specified in the TSF in response.
If this behavior is configurable, the evaluator shall iterate this test as necessary to exercise each configuration option and verify that the TSF behaves in the configured manner. Other tests are performed in conjunction with the Functional Package for Transport Layer Security (TLS), version 2.1 and the
+ Functional Package for X.509.
+
+
+
+
+
+
+ defines the capability of the TOE to implement PBKDF2 for key derivation.
+ No specific management functions are identified.
+ There are no auditable events foreseen.
+ FCS_COP.1 Cryptographic OperationFCS_RBG_EXT.1 Random Bit Generation Services
+
+ The application shall condition passwords/passphrases with <assignable>Password-based Key Derivation Functions</assignable> in accordance with a specified cryptographic algorithm as specified in FCS_COP.1 <h:b>/KeyedHash</h:b>, with <selectables><selectable id="fcs_pbkdf_ext.1.1_2" ><assignable>positive integer between 1,000 and 9,999</assignable></selectable><selectable id="fcs_pbkdf_ext.1.1_3" ><assignable>positive integer between 1,0000 and 199,999</assignable></selectable><selectable id="fcs_pbkdf_ext.1.1_4" ><assignable>positive integer greater than 200,000</assignable></selectable> </selectables> iterations, and output size of <assignable>positive integer of 256 or greater</assignable> bits that meet the following [<h:i>NIST SP 800-132</h:i>].
+ The application shall condition passwords/passphrases with
+ <assignable>Password-based Key Derivation Functions </assignable> in accordance with a specified cryptographic algorithm as specified in FCS_COP.1, with <assignable>positive integer of 1,000 or greater </assignable> iterations, and output cryptographic key sizes <assignable>positive integer of 256 of greater </assignable> bits that meet the following <assignable>applicable standard </assignable>.
+
+ Support for PBKDF: The evaluator shall examine the password hierarchy described in the TSS to ensure that the formation of all password based derived keys is described and that the key sizes match that described by the ST author. The evaluator shall check that the TSS describes the method by which the password/passphrase is first encoded and then fed to the SHA algorithm. The settings for the algorithm (padding, blocking, etc.) shall be described, and the evaluator shall verify that these are supported by the selections in this component as well as the selections concerning the hash function itself. The evaluator shall verify that the TSS contains a description of how the output of the hash function is used to form the submask that will be input into the function. For the NIST SP 800-132-based conditioning of the password/passphrase, the required evaluation activities will be performed when doing the evaluation activities for the appropriate requirements (FCS_COP.1.1/KeyedHash). No explicit testing of the formation of the submask from the input password is required. FCS_PBKDF_EXT.1: The evaluator shall verify the TSS describes the salt size and verify that the salt size aligns with NIST SP 800-132 with a minimum random length of 128 bits.
+ The evaluator shall confirm the guidance documentation contains any information necessary for configuring the password conditioning if any configuration is supported.
+ None.
+
+
+
+ The TSF shall generate salts in accordance with FCS_SNI_EXT.1 and with entropy corresponding to the security strength selected for PBKDF in FCS_PBKDF_EXT.1.
+ This should be included if selected in FCS_STO_EXT.1.Conditioning can be performed using one of the identified hash functions or the process described in NIST SP 800-132; the method used is selected by the ST Author. SP 800-132 requires the use of a pseudorandom function (PRF) consisting of HMAC with an approved hash function.
The ST author selects the hash function used, including the appropriate requirements for HMAC and the hash function.Appendix A of SP800-132 recommends setting the number of iterations as high as can be tolerated for the environment, while maintaining acceptable performance. For unconstrained environments, this could be 200,000 or much higher. The larger the iteration count, the greater protection is against a password recovery attack due to the increase computation needed to a derive a key. This value is expected to increase to a minimum of 10,000 in a future iteration based on NIST SP 800-63.
+
+
+
+
+
+
+ The TSF shall perform deterministic random bit generation services using <selectables linebreak="yes"><selectable id="fcs_rbg.1.1_1" >Hash_DRBG (any)</selectable><selectable id="fcs_rbg.1.1_2" >HMAC_DRBG (any)</selectable><selectable id="fcs_rbg.1.1_3" >CTR_DRBG (AES)</selectable> </selectables> in accordance with [<h:i>NIST SP 800-90A</h:i>] after initialization with a seed.
+ NIST SP 800-90A contains three different methods of generating random numbers; each of these, in turn, depends on underlying cryptographic primitives (hash functions/ciphers). The ST author will select the function used and include the specific underlying cryptographic primitives used in the requirement or in the TSS. While any of the identified hash functions (SHA-224, SHA-256, SHA-384, SHA-512) are allowed for Hash_DRBG or HMAC_DRBG, only AES-based implementations for CTR_DRBG are allowed.
+
+ The evaluator shall verify that the TSS identifies the DRBGs used by the TOE.
+ If the DRBG functionality is configurable, the evaluator shall verify that the operational guidance includes instructions on how to configure this behavior.
+ The evaluator shall perform the following tests: The evaluator shall perform 15 trials for the DRBG implementation. If the DRBG is configurable, the evaluator shall perform 15 trials for each configuration.
The evaluator shall also confirm that the operational guidance contains appropriate instructions for configuring the DRBG functionality. If the DRBG has prediction resistance enabled, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits (3) generate a second block of random bits (4) uninstantiate. The evaluator verifies that the second block of random bits is the expected value. The evaluator shall generate eight input values for each trial. The first is a count (0 – 14). The next three are entropy input, nonce, and personalization string for the instantiate operation. The next two are additional input and entropy input for the first call to generate. The final two are additional input and entropy input for the second call to generate. These values are randomly generated. "generate one block of random bits" means to generate random bits with number of returned bits equal to the Output Block Length (as defined in NIST SP 800-90A). If the DRBG does not have prediction resistance, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits (3) reseed, (4) generate a second block of random bits (5) uninstantiate. The evaluator verifies that the second block of random bits is the expected value. The evaluator shall generate eight input values for each trial. The first is a count (0 – 14). The next three are entropy input, nonce, and personalization string for the instantiate operation. The fifth value is additional input to the first call to generate. The sixth and seventh are additional input and entropy input to the call to reseed. The final value is additional input to the second generate call. 
The following list contains more information on some of the input values to be generated/selected by the evaluator.Entropy input: The length of the entropy input value must equal the seed length.Nonce: If a nonce is supported (CTR_DRBG with no Derivation Function does not use a nonce), the nonce bit length is one-half the seed length.Personalization string: The length of the personalization string must be less than or equal to seed length. If the implementation only supports one personalization string length, then the same length can be used for both values. If more than one string length is support, the evaluator shall use personalization strings of two different lengths. If the implementation does not use a personalization string, no value needs to be supplied.Additional input: The additional input bit lengths have the same defaults and restrictions as the personalization string lengths. + + + + The TSF shall use a <selectables><selectable id="internal-seed">TSF noise source <assignable>name of noise source</assignable> </selectable><selectable id="internal-seeds"><h:b>multiple TSF noise sources <assignable>names of noise sources</assignable> </h:b></selectable><selectable id="external-seed" >TSF interface for seeding</selectable> </selectables> for initialized seeding. + For the selection in this requirement, the ST author selects "TSF noise source" if a single noise source is used as input to the DRBG. The ST author selects "multiple TSF noise sources" if a seed is formed from a combination of two or more noise sources within the TOE boundary. If the TSF implements two or more separate DRBGs that are seeded in separate manners, this SFR should be iterated for each DRBG. If multiple distinct noise sources exist such that each DRBG only uses one of them, then each iteration would select "TSF noise source"; "multiple TSF noise sources" is only selected if a single DRBG uses multiple noise sources for its seed. 
The ST author selects "TSF interface for seeding" if noise source data is generated outside the TOE boundary.If "TSF noise source" is selected, FCS_RBG.3 must be claimed.If "multiple TSF noise sources" is selected, FCS_RBG.4 and FCS_RBG.5 must be claimed.If "TSF interface for seeding" is selected, FCS_RBG.2 must be claimed. + + + Documentation will be produced - and the evaluator shall perform the activities - in accordance with Appendix D - Entropy Documentation and Assessment appendix and the Clarification to the Entropy Documentation and Assessment Annex. + + + + + + + + The TSF shall update the RBG state by <selectables><selectable id="fcs_rbg.1.3_1" >reseeding</selectable><selectable id="fcs_rbg.1.3_2" >uninstantiating and reinstantiating</selectable> </selectables> using a <selectables><selectable id="fcs_rbg.1.3_3">TSF noise source <assignable>name of noise source</assignable> </selectable><selectable id="fcs_rbg.1.3_5" >TSF interface for seeding</selectable> </selectables> in the following situations: <selectables linebreak="yes"><selectable id="fcs_rbg.1.3_6" >on demand</selectable><selectable id="fcs_rbg.1.3_7">on the condition: <assignable>condition</assignable> </selectable><selectable id="fcs_rbg.1.3_9">after <assignable>time</assignable> </selectable> </selectables> in accordance with <assignable>list of standards</assignable>. + + The evaluator shall verify that the TSS identifies how the DRBG state is updated, and the situations under which this may occur. + If the ST claims that the DRBG state can be updated on demand, the evaluator shall verify that the operational guidance has instructions for how to perform this operation. + + + + + + + + + The TSF shall be able to accept a minimum input of <assignable>minimum input length, in bits, greater than zero</assignable> from a TSF interface for the purpose of seeding. + This requirement is claimed when a DRBG is seeded with entropy from one or more noise sources that are outside the TOE boundary. 
Typically the entropy produced by an environmental noise source is conditioned such that the input length has full entropy and is therefore usable as the seed. However, if this is not the case, it should be noted what the minimum entropy rate of the noise source is so that the TSF can collect a sufficiently large sample of noise data to be conditioned into a seed value. + + + The evaluator shall examine the entropy documentation required by FCS_RBG.1.2 to verify that it identifies, for each DRBG function implemented by the TOE, the TSF external interface used to seed the TOE's DRBG. The evaluator shall verify that this includes the amount of sampled data and the min-entropy rate of the sampled data such that it can be determined that sufficient entropy can be made available for the highest strength keys that the TSF can generate (e.g., 256 bits). If the seed data cannot be assumed to have full entropy (e.g., the min-entropy of the sampled bits is less than 1), the evaluator shall ensure that the entropy documentation describes the method by which the TOE estimates the amount of entropy that has been accumulated to ensure that sufficient data is collected and any conditioning that the TSF applies to the output data to create a seed of sufficient size with full entropy. + + + + + + + + + + + + The TSF shall be able to seed the RBG using a TSF software-based noise source with a minimum of <assignable>number of bits</assignable> bits of min-entropy. + This requirement is claimed when a DRBG is seeded with entropy from a single noise source that is within the TOE boundary. Min-entropy should be expressed as a ratio of entropy bits to sampled bits so that the total amount of data needed to ensure full entropy is known, as well as the conditioning function by which that data is reduced in size to the seed. 
+ + + The evaluator shall examine the entropy documentation required by FCS_RBG.1.2 to verify that it identifies, for each DRBG function implemented by the TOE, the TSF noise source used to seed the TOE's DRBG. The evaluator shall verify that this includes the amount of sampled data and the min-entropy rate of the sampled data such that it can be determined that sufficient entropy can be made available for the highest strength keys that the TSF can generate (e.g., 256 bits). If the seed data cannot be assumed to have full entropy (e.g., the min-entropy of the sampled bits is less than 1), the evaluator shall ensure that the entropy documentation describes the method by which the TOE estimates the amount of entropy that has been accumulated to ensure that sufficient data is collected and any conditioning that the TSF applies to the output data to create a seed of sufficient size with full entropy. + + + + + + + + + + + + The TSF shall be able to seed the RBG using <assignable>number</assignable> TSF software-based noise source(s). + This requirement is claimed when a DRBG is seeded with entropy from multiple noise sources that are within the TOE boundary. FCS_RBG.5 defines the mechanism by which these sources are combined to ensure sufficient minimum entropy. + + + The evaluator shall examine the entropy documentation required by FCS_RBG.1.2 to verify that it identifies, for each DRBG function implemented by the TOE, each TSF noise source used to seed the TOE's DRBG. The evaluator shall verify that this includes the amount of sampled data and the min-entropy rate of the sampled data from each data source. 
+ + + + + + + + + + + + The TSF shall <assignable>combining operation</assignable> + <selectables><selectable id="fcs_rbg.5.1_2" >output from TSF noise source(s)</selectable><selectable id="fcs_rbg.5.1_3" >input from TSF interface(s) for seeding</selectable> </selectables> to create the entropy input into the derivation function as defined in <assignable>list of standards</assignable>, resulting in a minimum of <assignable>number of bits</assignable> bits of min-entropy. + Examples of typical combining operations include, but are not limited to, XORing or hashing. + + + Using the entropy sources specified in FCS_RBG.4, the evaluator shall examine the entropy documentation required by FCS_RBG.1.2 to verify that it describes the method by which the various entropy sources are combined into a single seed. This should include an estimation of the rate at which each noise source outputs data and whether this is dependent on any system-specific factors so that each source's relative contribution to the overall entropy is understood. The evaluator shall verify that the resulting combination of sampled data and the min-entropy rate of the sampled data is described in sufficient detail to determine that sufficient entropy can be made available for the highest strength keys that the TSF can generate (e.g., 256 bits). If the seed data cannot be assumed to have full entropy (e.g., the min-entropy of the sampled bits is less than 1), the evaluator shall ensure that the entropy documentation describes the method by which the TOE estimates the amount of entropy that has been accumulated to ensure that sufficient data is collected and any conditioning that the TSF applies to the output data to create a seed of sufficient size with full entropy. + + + + + + + + + + requires the TSF to specify whether random bit generation is implemented by the TSF, invoked from the operational environment, or not used by the TOE. + No specific management functions are identified. 
+ There are no auditable events foreseen.
+ No dependencies.
+
+ The application shall <selectables linebreak="yes"><selectable id="fcs_rbg_ext.1.1_1" exclusive="yes">use no DRBG functionality</selectable><selectable id="fcs_rbg_ext.1.1_2" >invoke platform-provided DRBG functionality</selectable><selectable id="drbg" >implement DRBG functionality</selectable> </selectables> for its cryptographic operations.
+ The selection "invoke platform-provided DRBG functionality" should only be chosen for direct invocations of the platform DRBG by the TSF.The selection "use no DRBG functionality" is chosen when the TSF calls a platform implementation of a function that subsequently calls a platform-provided DRBG itself, because this is not a direct invocation of the platform DRBG by the TSF.If "implement DRBG functionality" is selected, FCS_RBG.1 must be claimed for the DRBG mechanism, and FPT_TST.1 and FPT_FLS.1 must be claimed for the self-testing and error handling of this mechanism.In this requirement, cryptographic operations include all cryptographic key generation/derivation/agreement, IVs (for certain modes), as well as protocol-specific random values. Cryptographic operations in this requirement refer to the other cryptographic requirements in this PP, not additional functionality that is not in scope.
+
+ If "use no DRBG functionality" is selected, the evaluator shall inspect the application and its developer documentation and verify that the application needs no random bit generation services.If "implement DRBG functionality" is selected, the evaluator shall ensure that FCS_RBG.1 is claimed.If "invoke platform-provided DRBG functionality" is selected, the evaluator performs the following activities. The evaluator shall examine the TSS to confirm that it identifies all functions (as described by the SFRs included in the ST) that obtain random numbers from the platform RBG.
The evaluator shall determine that for each of these functions, the TSS states which platform interface (API) is used to obtain the random numbers. The evaluator shall confirm that each of these interfaces corresponds to the acceptable interfaces listed for each platform below.It should be noted that there is no expectation that the evaluators attempt to confirm that the APIs are being used correctly for the functions identified in the TSS; the activity is to list the used APIs and then do an existence check via decompilation.
+ The evaluator shall verify the guidance documentation contains any information required for configuring the DRBG.
+
+ If "invoke platform-provided DRBG functionality" is selected, the following tests shall be performed: The evaluator shall decompile the application binary using a decompiler suitable for the application (TOE). The evaluator shall search the output of the decompiler to determine that, for each API listed in the TSS, that API appears in the output. If the representation of the API does not correspond directly to the strings in the following list, the evaluator shall provide a mapping from the decompiled text to its corresponding API, with a description of why the API text does not directly correspond to the decompiled text and justification that the decompiled text corresponds to the associated API. The following are the per-platform list of acceptable APIs:
+
+
+
+
+ The evaluator shall verify that the application uses at least one of javax.crypto.KeyGenerator class or the java.security.SecureRandom class or /dev/random or /dev/urandom.
+
+
+
+
+
+
+
+ The evaluator shall verify that rand_s, RtlGenRandom, BCryptGenRandom, or CryptGenRandom API is used for classic desktop applications. The evaluator shall verify the application uses the RNGCryptoServiceProvider class or derives a class from System.Security.Cryptography.RandomNumberGenerator API for Windows Universal Applications.
It is only required that the API is called/invoked, there is no requirement that the API be used directly. In future versions of this document, CryptGenRandom may be removed as an option as it is no longer the preferred API per vendor documentation.
+
+
+
+
+
+
+
+ The evaluator shall verify that the application invokes either SecRandomCopyBytes, CCRandomGenerateBytes, or CCRandomCopyBytes, or uses /dev/random directly to acquire random.
+
+
+
+
+
+
+
+ The evaluator shall verify that the application collects random from /dev/random or /dev/urandom.
+
+
+
+
+
+
+
+ The evaluator shall verify that the application collects random from /dev/random.
+
+
+
+
+
+
+
+ The evaluator shall verify that the application invokes either CCRandomGenerateBytes or CCRandomCopyBytes, or collects random from /dev/random.
+
+
+
+ If invocation of platform-provided functionality is achieved in another way, the evaluator shall ensure the TSS describes how this is carried out, and how it is equivalent to the methods listed here (e.g. higher-level API invokes identical low-level API).
+
+
+
+
+
+
+
+
+
+
+
+
+ requires the application to define how to generate salt, nonces, and initialization vectors
+ No specific management functions are identified.
+ There are no auditable events foreseen.
+ No dependencies.
+
+ The application shall <selectables><selectable id="fcs_sni_ext.1.1_1" >use no salts</selectable><selectable id="fcs_sni_ext.1.1_2" >use salts that are generated by a DRBG as specified in FCS_RBG_EXT.1</selectable> </selectables>
+
+ If salts are used, the evaluator shall ensure the TSS describes how salts are generated.
The evaluator shall confirm that the salt is generating using an RBG described in FCS_RBG_EXT.1.If nonces are used the evaluator shall ensure the TSS describes how nonces are created verify they are a minimum of 64 bits in size.If initialization vectors (IV) are used the evaluator shall ensure the TSS describes how IVs and tweaks are handled based on the AES mode. The evaluator shall confirm that the IVs and tweaks meet the stated requirements for each AES mode.If using a GCM IV, the evaluator shall confirm the TSS describes the GCM IV construction and that it matches one of two allowed construction methods given in Section 8.2 of SP800-38D. + None. + None. + + + + The application shall use <selectables><selectable id="fcs_sni_ext.1.2_1" >no nonces</selectable><selectable id="fcs_sni_ext.1.2_2" >unique nonces with a minimum size of [<h:i>64</h:i>] bits.</selectable> </selectables> + + + The application shall <selectables><selectable id="fcs_sni_ext.1.3_1" >use no IVs</selectable><selectable id="fcs_sni_ext.1.3_2">create IVs in the following manner <selectables linebreak="yes"><selectable id="fcs_sni_ext.1.3_3" >CBC: IVs shall be non-repeating and unpredictable;</selectable><selectable id="fcs_sni_ext.1.3_4" >CCM: Nonce shall be non-repeating;</selectable><selectable id="fcs_sni_ext.1.3_5" >CTR: "Initial Counter" shall be non-repeating. No counter value shall be repeated across multiple messages with the same secret key.</selectable><selectable id="fcs_sni_ext.1.3_6" >XTS: No IV. Tweak values shall be non-negative integers, assigned consecutively, and starting at an arbitrary non-negative integer;</selectable><selectable id="fcs_sni_ext.1.3_7" >GCM: IV shall be non-repeating. The number of invocations of GCM shall not exceed 2^32 for a given secret key. 
The IV constructed using one of two allowed construction methods given in Section 8.2 of NIST SP 800-38D.</selectable></selectables> </selectable> </selectables> + This requirement ensures that salts, nonces, and initialization vectors are properly implemented. If the application is implementing a salt, nonce, or initialization vector they must select the corresponding selection. If the platform implements these functions, the corresponding "use no..." options are selected.This requirement is dependent on selecting "implement functionality to securely store..." in FCS_STO_EXT.1.1 or any AES selection in FCS_COP.1.1/SKC. + + + + + requires the application to define how to store credentials to non-volatile memory. + No specific management functions are identified. + There are no auditable events foreseen. + No dependencies. + + The application shall <selectables linebreak="yes"><selectable id="fcs_sto_ext.1.1_1" exclusive="yes">not store any credentials</selectable><selectable id="fcs_sto_ext.1.1_2">invoke the functionality provided by the platform to securely store <assignable>list of credentials</assignable> </selectable><selectable id="sel_plat_sto">securely store <assignable>list of credentials</assignable> with platform provided <selectables><selectable id="fcs_sto_ext.1.1_5"> <selectables linebreak="yes"><selectable id="fcs_sto_ext.1.1_6" >AES-CBC (as defined in NIST SP 800-38A) mode</selectable><selectable id="fcs_sto_ext.1.1_7" >AES-GCM (as defined in NIST SP 800-38D) mode</selectable><selectable id="fcs_sto_ext.1.1_8" >AES-XTS (as defined in NIST SP 800-38E) mode</selectable></selectables> and cryptographic key size of 256-bits.</selectable><selectable id="fcs_sto_ext.1.1_9">PBKDF2 function that uses <selectables linebreak="yes"><selectable id="fcs_sto_ext.1.1_10" >HMAC-SHA256</selectable><selectable id="fcs_sto_ext.1.1_11" >HMAC-SHA384</selectable><selectable id="fcs_sto_ext.1.1_12" >HMAC-SHA512</selectable></selectables> with <assignable>positive integer 
of 1,000 or greater</assignable> iterations and output cryptographic key size of <assignable>positive integer of 256 of greater</assignable> bits that meet the following [<h:i>NIST SP 800-132</h:i>].</selectable></selectables> </selectable><selectable id="sel_impl_sto">implement functionality to securely store <assignable>list of credentials</assignable> according to <selectables><selectable id="sel-fcs-sto-skc" >FCS_COP.1/SKC</selectable><selectable id="sel-fcs-sto-pbkdf" >FCS_PBKDF_EXT.1</selectable></selectables> </selectable> </selectables> to non-volatile memory. + The application shall <selectables linebreak="yes"><selectable exclusive="yes">not store any credentials </selectable> <selectable>invoke the functionality provided by the platform to securely store <assignable>list of credentials </assignable> </selectable> <selectable>implement functionality to securely store <assignable>list of credentials </assignable> according to <assignable>cryptographic mechanisms </assignable> </selectable> </selectables> to non-volatile memory. + This requirement ensures that persistent credentials (secret keys, PKI private keys, passwords, etc) are stored securely, and never persisted in cleartext form. Application developers are encouraged to use platform mechanisms for the secure storage of credentials. Depending on the platform that may include hardware-backed protection for credential storage. Application developers must choose a selection, or multiple selections, based on all credentials that the application stores. If "not store any credentials" is selected, then the application must not store any credentials. If "invoke the functionality provided by the platform to securely store" is selected, then the application developer must closely review the EA for their platform and provide documentation indicating which platform mechanisms are used to store credentials. 
If "securely store" is selected, the application shall leverage platform cryptographic APIs to implement storage of credentials. If "implement functionality to securely store credentials" is selected, then the following components must be included in the ST: (FCS_COP.1/SKC and FCS_SNI_EXT.1) or FCS_PBKDF_EXT.1. If the OS is Linux and Java KeyStores are used to store credentials, "implement functionality to securely store credentials" must be selected.
+
+ The evaluator shall check the TSS to ensure that it lists all persistent credentials (secret keys, PKI private keys, or passwords) needed to meet the requirements in the ST. For each of these items, the evaluator shall confirm that the TSS lists for what purpose it is used, and how it is stored.If not store any credentials is selected, the evaluator shall verify the TSS describes the behavior of the TOE in sufficient detail to verify that the TSF does not have any behavior that would require any credentials to be stored (e.g., because the TOE does not have any functionality requiring authentication).If securely store is selected, the evaluator shall verify the TSS contains the platform functions utilized and verify those functions are documented by the platform to be non-deprecated functions meeting the specifications in the requirement.If invoke the functionality provided by the platform to securely store is selected, the evaluator shall confirm the TSS describes how the platform storage is invoked for each supported platform. The evaluator shall confirm the invocation of the platform is using non-deprecated functions provided by the platform(s).
+ None.
+
+ For all credentials for which the application implements functionality, the evaluator shall verify credentials are encrypted according to FCS_COP.1/SKC or conditioned according to FCS_PBKDF_EXT.1. For all credentials for which the application invokes platform-provided functionality, the evaluator shall perform the following actions which vary per platform.
+
+
+
+
+ The evaluator shall verify that the application uses the Android KeyStore or the Android KeyChain to store certificates.
+
+
+
+
+
+
+
+ The evaluator shall verify that all certificates are stored in the Windows Certificate Store. The evaluator shall verify that other credentials, like passwords, are stored in the Windows Credential Manager or stored using the Data Protection API (DPAPI). For Windows Universal Applications, the evaluator shall verify that the application is using the ProtectData class and storing credentials in IsolatedStorage.
+
+
+
+
+
+
+
+ The evaluator shall verify that all credentials are stored within a Keychain.
+
+
+
+
+
+
+
+ The evaluator shall verify that all keys are stored using Linux keyrings.
+
+
+
+
+
+
+
+ The evaluator shall verify that all keys are stored using Solaris Key Management Framework (KMF).
+
+
+
+
+
+
+
+ The evaluator shall verify that all credentials are stored within Keychain.
+
+
+
+
+
+
+
+
+
+
+ + This family defines requirements for implementation of data-at-rest protection. + + + This family defines requirements for accessing platform resources. + + + This family defines requirements for the TOE’s use of network connectivity. + + + + requires the application to be able to protect all data with a chosen method of encryption. + No specific management functions are identified. + There are no auditable events foreseen. + No dependencies. + + The application shall <selectables linebreak="yes"><selectable id="fdp_dar_ext.1.1_1" >leverage platform-provided functionality to encrypt sensitive data</selectable><selectable id="fdp_dar_ext.1.1_2" >implement functionality to encrypt sensitive data as defined in the PP-Module for File Encryption</selectable><selectable id="fdp_dar_ext.1.1_3" >protect sensitive data in accordance with FCS_STO_EXT.1</selectable><selectable id="fdp_dar_ext.1.1_4" exclusive="yes">not store any sensitive data</selectable> </selectables> in non-volatile memory. + If "implement functionality to encrypt sensitive data + as defined in the PP-Module for File Encryption" is selected, the TSF must claim + conformance to a PP-Configuration that includes the PP-Module for File Encryption.Any file that may potentially contain sensitive data (to include temporary files) shall be protected. The only exception is if the user intentionally exports the sensitive data to non-protected files. ST authors should select "protect sensitive data in accordance with FCS_STO_EXT.1" for the sensitive data that is covered by the FCS_STO_EXT.1 SFR. + + If any selection other than not store any sensitive data is + selected the evaluator shall examine the TSS to ensure that it describes the sensitive data processed by the application. 
The evaluator shall then ensure that the following activities cover all of the sensitive data identified in the TSS.If not store any sensitive data is selected, the evaluator shall inspect the TSS to ensure that it describes how sensitive data cannot be written to non-volatile memory. The evaluator shall also ensure that this is consistent with the file system test below.If implement functionality to encrypt sensitive data is selected the evaluator shall confirm the TSS describes how the application ensures all sensitive data is protected by the file encryption functions. If protect sensitive data in accordance with FCS_STO_EXT.1 is selected the evaluator shall confirm the TSS describes which data is protected via this mechanism and the selections within FCS_STO_EXT.1 that are leveraged. If multiple selections are included the evaluator shall ensure the TSS describes which sensitive data is captured by which selection.If "leverage platform-provided functionality..." is selected, the evaluation activities will be performed as stated in the following requirements, which vary on a per-platform basis. The evaluator shall inspect the TSS and verify that it describes how files containing sensitive data are stored with the MODE_PRIVATE flag set. The Windows platform currently does not provide data-at-rest encryption services which depend upon invocation by application developers. The evaluator shall inspect the TSS and ensure that it describes how the application uses the Complete Protection, Protected Unless Open, or Protected Until First User Authentication Data Protection Class for each data file stored locally. The Linux platform currently does not provide data-at-rest encryption services which depend upon invocation by application developers. The Solaris platform currently does not provide data-at-rest encryption services which depend upon invocation by application developers. 
The macOS platform currently does not provide data-at-rest encryption services which depend upon invocation by application developers.
+ The evaluator shall confirm the operational guidance contains any instructions necessary for configuring the storage and protection of any sensitive data.If leverage platform-provided functionality to encrypt sensitive data is selected the evaluator shall confirm the operational guidance contains the list of supported operational environments and any steps necessary to ensure the platform captures any sensitive data that is stored.
+ If "implement functionality to encrypt sensitive data as defined in the PP-Module for File Encryption" or "protect sensitive data in accordance with FCS_STO_EXT.1" is selected, the evaluator shall inventory the file system locations where the application may write data. The evaluator shall run the application and attempt to store sensitive data. The evaluator shall then inspect those areas of the file system to note where data was stored (if any), and verify it has been encrypted. If "leverage platform-provided functionality..." is selected no additional testing is required.
+
+
+
+
+
+ requires the application to restrict access to hardware sources and sensitive information repositories.
+ The following action could be considered for the management functions in FMT:Enabling and disabling the transmission of any information describing the system’s hardware, software, or configuration.
+ There are no auditable events foreseen.
+ FCS_TLS_EXT.1 TLS ProtocolFIA_X509_EXT.1 X.509 Certificate Validation
+
+ The application shall restrict its access to only <selectables linebreak="yes"><selectable id="fdp_dec_ext.1.1_1" exclusive="yes">no hardware resources</selectable><selectable id="fdp_dec_ext.1.1_2" >network connectivity</selectable><selectable id="fdp_dec_ext.1.1_3" >camera</selectable><selectable id="fdp_dec_ext.1.1_4" >microphone</selectable><selectable id="fdp_dec_ext.1.1_5" >location services</selectable><selectable id="fdp_dec_ext.1.1_6" >NFC</selectable><selectable id="fdp_dec_ext.1.1_7" >USB</selectable><selectable id="fdp_dec_ext.1.1_8" >Bluetooth</selectable><selectable id="fdp_dec_ext.1.1_1" ><assignable>list of additional hardware resources</assignable></selectable> </selectables>.
+ The intent is for the evaluator to ensure that the selection captures all hardware resources which the application accesses, and that these are restricted to those which are justified. On some platforms, the application must explicitly solicit permission in order to access hardware resources. Seeking such permissions, even if the application does not later make use of the hardware resource, should still be considered access. Selections should be expressed in a manner consistent with how the application expresses its access needs to the underlying platform. For example, the platform may provide location services which implies the potential use of a variety of hardware resources (e.g. satellite receivers, WiFi, cellular radio) yet "location services" is the proper selection. This is because use of these resources can be inferred, but also because the actual usage may vary based on the particular platform. Resources that do not need to be explicitly identified are those which are ordinarily used by any application such as central processing units, main memory, displays, input devices (e.g. keyboards, mice), and persistent storage devices provided by the platform.
+
+ None.
+ The evaluator shall perform the platform-specific actions below and inspect user documentation to determine the application's access to hardware resources. The evaluator shall ensure that this is consistent with the selections indicated. The evaluator shall review documentation provided by the application developer and for each resource which it accesses, identify the justification as to why access is required.
+
+
+
+
+
+ The evaluator shall verify that each uses-permission entry in the AndroidManifest.xml file for access to a hardware resource is reflected in the selection.
+
+
+
+
+
+
+
+ For Windows Universal Applications the evaluator shall check the AppxManifest.xml file for a list of required hardware capabilities. The evaluator shall verify that the user is made aware of the required hardware capabilities when the application is first installed. This includes permissions such as ID_CAP_ISV_CAMERA, ID_CAP_LOCATION, ID_CAP_NETWORKING, ID_CAP_MICROPHONE, ID_CAP_PROXIMITY and so on. A complete list of Windows App permissions can be found at:
+ http://msdn.microsoft.com/en-US/library/windows/apps/jj206936.aspx For Windows Desktop Applications the evaluator shall identify in either the application software or its documentation the list of the required hardware resources.
+
+
+
+
+
+
+
+ The evaluator shall verify that either the application or the documentation provides a list of the hardware resources it accesses.
+
+
+
+
+
+
+
+ The evaluator shall verify that either the application software or its documentation provides a list of the hardware resources it accesses.
+
+
+
+
+
+
+
+ The evaluator shall verify that either the application software or its documentation provides a list of the hardware resources it accesses.
+
+
+
+
+
+
+
+ The evaluator shall verify that either the application software or its documentation provides a list of the hardware resources it accesses.
+
+
+
+
+
+
+
+ The application shall restrict its access to only <selectables linebreak="yes"><selectable id="fdp_dec_ext.1.2_1" exclusive="yes">no sensitive information repositories</selectable><selectable id="fdp_dec_ext.1.2_2" >address book</selectable><selectable id="fdp_dec_ext.1.2_3" >calendar</selectable><selectable id="fdp_dec_ext.1.2_4" >call lists</selectable><selectable id="fdp_dec_ext.1.2_5" >system logs</selectable><selectable id="fdp_dec_ext.1.2_1" ><assignable>list of additional sensitive information repositories</assignable></selectable> </selectables>.
+ "Sensitive information repositories" are defined as those collections of sensitive data that could be expected to be shared among some applications, users, or user roles, but to which not all of these would ordinarily require access.
+
+ None.
+ The evaluator shall perform the platform-specific actions below and inspect user documentation to determine the application's access to sensitive information repositories. The evaluator shall ensure that this is consistent with the selections indicated. The evaluator shall review documentation provided by the application developer and for each sensitive information repository which it accesses, identify the justification as to why access is required.
+
+
+
+
+
+ The evaluator shall verify that each uses-permission entry in the AndroidManifest.xml file for access to a sensitive information repository is reflected in the selection.
+
+
+
+
+
+
+
+ For Windows Universal Applications the evaluator shall check the AppxManifest.xml file for a list of required capabilities. The evaluator shall identify the required information repositories when the application is first installed. This includes permissions such as ID_CAP_CONTACTS,ID_CAP_APPOINTMENTS,ID_CAP_MEDIALIB and so on.
A complete list of Windows App permissions can be found at:
+ http://msdn.microsoft.com/en-US/library/windows/apps/jj206936.aspx For Windows Desktop Applications the evaluator shall identify in either the application software or its documentation the list of sensitive information repositories it accesses.
+
+
+
+
+
+
+
+ The evaluator shall verify that either the application software or its documentation provides a list of the sensitive information repositories it accesses.
+
+
+
+
+
+
+
+ The evaluator shall verify that either the application software or its documentation provides a list of sensitive information repositories it accesses.
+
+
+
+
+
+
+
+ The evaluator shall verify that either the application software or its documentation provides a list of sensitive information repositories it accesses.
+
+
+
+
+
+
+
+ The evaluator shall verify that either the application software or its documentation provides a list of sensitive information repositories it accesses.
+
+
+
+
+
+
+
+
+
+ identifies the purpose for each network interface used by the TOE and how that interface is invoked.
+ No specific management functions are identified.
+ There are no auditable events foreseen.
+ No dependencies.
+
+ The application shall restrict network communication to <selectables linebreak="yes"><selectable id="fdp_net_ext.1.1_1" exclusive="yes">no network communication</selectable><selectable id="fdp_net_ext.1.1_2">user-initiated communication for <assignable>list of functions for which the user can initiate network communication</assignable> </selectable><selectable id="fdp_net_ext.1.1_4">respond to <assignable>list of remotely initiated communication</assignable> </selectable><selectable id="fdp_net_ext.1.1_3" ><assignable>list of application-initiated network communication</assignable></selectable> </selectables>.
+ This requirement is intended to restrict both inbound and outbound network communications to only those required, or to network communications that are user initiated. It does not apply to network communications in which the application may generically access the file system which may result in the platform accessing remotely mounted drives/shares.
+
+ None.
+ The evaluator shall verify the guidance documents contain any instructions necessary to configure the restriction of network communications.
+
+ The evaluator shall perform the following tests:
+
+ The evaluator shall run the application. While the application is running, the evaluator shall sniff network traffic ignoring all non-application associated traffic and verify that any network communications witnessed are documented in the TSS or are user-initiated.
+ The evaluator shall run the application. After the application initializes, the evaluator shall run network port scans to verify that any ports opened by the application have been captured in the ST for the third selection and its assignment. This includes connection-based protocols (e.g. TCP, DCCP) as well as connectionless protocols (e.g. UDP).
+
+
+
+
+
+ If "no network communication" is selected, the evaluator shall ensure that the application's AndroidManifest.xml file does not contain a uses-permission or uses-permission-sdk-23 tag containing android:name="android.permission.INTERNET". In this case, it is not necessary to perform the above Tests 1 and 2, as the platform will not allow the application to perform any network communication.
+
+
+
+
+
+
+
+
+
+
+
+ This family defines requirements for authorization to manage the behavior of the application.
+
+
+ This family defines requirements for the TOE’s use of mechanisms for the storage of configuration data.
+
+
+
+ requires the application to define how to set new credentials and protect the application from modification by unprivileged users.
+ No specific management functions are identified.
+ There are no auditable events foreseen.
+ No dependencies.
+
+ The application shall <selectables><selectable id="fmt_cfg_ext.1.1_1" >not use credentials</selectable><selectable id="fmt_cfg_ext.1.1_2" >use platform-provided credentials</selectable><selectable id="fmt_cfg_ext.1.1_3" >provide only enough functionality to set new credentials when configured with default credentials or no credentials for application provided credentials</selectable> </selectables>.
+ Default credentials are credentials (e.g., passwords, keys) that are automatically (without user interaction) loaded onto the platform during application installation. Credentials that are generated during installation using requirements laid out in FCS_RBG_EXT.1 or established by leveraging platform accounts are not by definition default credentials.
+
+ The evaluator shall check that the TSS describes whether the application requires any type of application provided credentials and whether the application is pre-configured with default values for these credentials. If credentials are required, the evaluator shall verify that the TSS details how use of the TOE is restricted until new credentials are set (which includes the replacement of default credentials if any are present).
+ The evaluator shall verify the guidance documentation details regarding any default or null application provided credentials being used and how they would be updated.
+
+ If the application uses any default credentials the evaluator shall run the following tests.
+
+ For any application provided credentials the evaluator shall install and run the application without generating or loading new credentials and verify that only the minimal application functionality required to set new credentials is available.
+ For any application provided credentials the evaluator shall attempt to clear all credentials and verify that only the minimal application functionality required to set new credentials is available.
+ For any application provided credentials the evaluator shall run the application, establish new credentials and verify that the original default credentials no longer provide access to the application.
+
+
+
+
+
+ The application shall be configured by default with file permissions which protect the application binaries and data files from modification by normal unprivileged users.
+ The precise expectations for file permissions vary per platform but the general intention is that a trust boundary protects the application and its data.
+
+ None.
+ None.
+
+ The evaluator shall install and run the application. The evaluator shall inspect the file system of the platform (to the extent possible) for any files created by the application and ensure that their permissions are adequate to protect them. The method of doing so varies per platform.
+
+
+
+
+ The evaluator shall run the command find -L. -perm /002 inside the application's data directories to ensure that all files are not world-writable. The command should not print any files (for this test, directories are not considered to be files).
+
+
+
+
+
+
+
+ The evaluator shall run the SysInternals tools Process Monitor and Access Check (or tools of equivalent capability, like icacls.exe) for Classic Desktop applications to verify that files written to disk during an application's installation have the correct file permissions, such that a standard user cannot modify the application or its data files.
For Windows Universal Applications the evaluator shall consider the requirement met because of the AppContainer sandbox.
+
+
+
+
+
+
+
+ The evaluator shall determine whether the application leverages the appropriate Data Protection Class for each data file stored locally.
+
+
+
+
+
+
+
+ The evaluator shall run the command find -L. -perm /002 inside the application's data directories to ensure that all files are not world-writable. The command should not print any files.
+
+
+
+
+
+
+
+ The evaluator shall run the command find. \( -perm -002 \) inside the application's data directories to ensure that all files are not world-writable. The command should not print any files.
+
+
+
+
+
+
+
+ The evaluator shall run the command find. -perm +002 inside the application's data directories to ensure that all files are not world-writable. The command should not print any files.
+
+
+
+
+
+
+
+
+
+ requires the application to store configuration data either through the use of an appropriate environmental mechanism or through its own file encryption capability.
+ No specific management functions are identified.
+ There are no auditable events foreseen.
+ No dependencies.
+
+ The application shall <selectables><selectable id="fmt_mec_ext.1.1_1" >invoke the mechanisms recommended by the platform vendor for storing and setting configuration options</selectable><selectable id="fmt_mec_ext.1.1_2" >implement functionality to encrypt and store configuration options as defined by FDP_PRT_EXT.1 in the PP-Module for File Encryption</selectable> </selectables>.
+ Configuration options that are stored remotely are not subject to this requirement.
Sensitive Data is generally not considered part of configuration options and should be stored according to FDP_DAR_EXT.1 or FCS_STO_EXT.1.If “implement functionality to encrypt and store configuration options as defined by FDP_PRT_EXT.1 in the PP-Module for File Encryption" is selected, the TSF must claim conformance to a PP-Configuration that includes the PP-Module for File Encryption.
+
+ The evaluator shall review the TSS to identify the application's configuration options (e.g., settings) and determine whether these are stored and set using the mechanisms supported by the platform or implemented by the application in accordance with the PP-Module for File Encryption. At a minimum the TSS shall list settings related to any SFRs and any settings that are mandated in the operational guidance in response to an SFR.Conditional: If "implement functionality to encrypt and store configuration options as defined by FDP_PRT_EXT.1 in the PP-Module for File Encryption" is selected, the evaluator shall ensure that the TSS identifies those options, as well as indicates where the encrypted representation of these options is stored.
+ The evaluator shall verify the guidance documentation contains any information necessary to configure the protection of configuration settings.
+
+ If " invoke the mechanisms recommended by the platform vendor for storing and setting configuration options" is selected, the method of testing varies per platform as follows:
+
+
+
+ The evaluator shall inspect the TSS and verify that it describes what Android API is used (and provides a link to the documentation of the API) when storing configuration data.
The evaluator shall run the application and verify that the behavior of the TOE is consistent with where and how the API documentation says the configuration data will be stored.For SharedPreferences, the evaluator shall examine the XML file to make sure it reflects the changes made to the configuration to verify that the application used SharedPreferences or PreferenceActivity to store the configuration data. For DataStore, the evaluator shall use a protocol buffer analyzer to examine the file to make sure it reflects the changes made to the configuration to verify that the application used DataStore to store the configuration data.
+
+
+
+
+
+ The evaluator shall determine and verify that Windows Universal Applications use either the Windows.Storage namespace, Windows.UI.ApplicationSettings namespace, or the IsolatedStorageSettings namespace for storing application specific settings. For .NET applications, the evaluator shall determine and verify that the application uses one of the locations listed in
+ https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/ or
+ https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/zzdt0e7f(v=vs.100) or
+ https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/ or
+ https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/web-config for storing application specific (whether application-wide or user-specific) settings.For Classic Desktop applications, the evaluator shall run the application while monitoring it with the SysInternals tool Process Monitor and make changes to its configuration. The evaluator shall verify that Process Monitor logs show corresponding changes to the Windows Registry or C:\ProgramData\ directory.
+
+
+
+
+
+
+ The evaluator shall verify that the app uses the user defaults system or key-value store for storing all settings.
+
+
+
+
+
+
+
+ The evaluator shall run the application while monitoring it with the utility strace.
The evaluator shall make security-related changes to its configuration. The evaluator shall verify that strace logs corresponding changes to configuration files that reside in /etc (for system-specific configuration), in the user's home directory (for user-specific configuration), or /var/lib/ (for configurations controlled by UI and not intended to be directly modified by an administrator).
+
+
+
+
+
+
+
+ The evaluator shall run the application while monitoring it with the utility dtrace. The evaluator shall make security-related changes to its configuration. The evaluator shall verify that dtrace logs corresponding changes to configuration files that reside in /etc (for system-specific configuration) or in the user's home directory (for user-specific configuration).
+
+
+
+
+
+
+
+ The evaluator shall verify that the application stores and retrieves settings using the NSUserDefaults class.
+
+
+
+ If " implement functionality to encrypt and store configuration options as defined by FDP_PRT_EXT.1 in the PP-Module for File Encryption" is selected, for all configuration options listed in the TSS as being stored and protected using encryption, the evaluator shall examine the contents of the configuration option storage (identified in the TSS) to determine that the options have been encrypted.
+
+
+
+
+
+
+
+ The TSF shall be capable of performing the following management functions <selectables linebreak="yes"><selectable id="fmt_smf.1.1_1" exclusive="yes">no management functions</selectable><selectable id="fmt_smf.1.1_2" >enable/disable the transmission of any information describing the system's hardware, software, or configuration</selectable><selectable id="fmt_smf.1.1_3" >enable/disable the transmission of any PII</selectable><selectable id="fmt_smf.1.1_4" >enable/disable transmission of any application state (e.g.
crashdump) information</selectable><selectable id="fmt_smf.1.1_5">enable/disable network backup functionality to <assignable>list of enterprise or commercial cloud backup systems</assignable> </selectable><selectable id="fmt_smf.1.1_2" ><assignable>list of other management functions to be provided by the TSF</assignable></selectable> </selectables>.
+ This requirement stipulates that an application needs to provide the ability to enable/disable only those functions that it actually implements. The application is not responsible for controlling the behavior of the platform or other applications.
+
+ The evaluator shall verify the TSS details how the application's management functions align with the selected management functions.
+ The evaluator shall verify that every management function mandated by the PP is described in the operational guidance and that the description contains the information required to perform the management duties associated with the management function.
+ The evaluator shall test the application's ability to provide the management functions by configuring the application and testing each option selected from above. The evaluator is expected to test these functions in all the ways in which the ST and guidance documentation state the configuration can be managed.
+
+
+
+
+
+
+
+ This family defines requirements for anonymity that are not covered by the Part 2 family FPR_ANO.
+
+
+
+ requires the TSF to transmit personally identifiable information only with explicit approval.
+ The following action could be considered for the management functions in FMT:Enabling and disabling the transmission of any PII.
+ There are no auditable events foreseen.
+ No dependencies.
+
+ The application shall <selectables onlyone="yes" linebreak="yes"><selectable id="fpr_ano_ext.1.1_1" >not use PII</selectable><selectable id="fpr_ano_ext.1.1_2" >not transmit PII over a network</selectable><selectable id="fpr_ano_ext.1.1_3">require user approval before executing <assignable>list of functions that transmit PII over a network</assignable> </selectable> </selectables>.
+ PII is considered to be sensitive data. If "require user approval before executing..." is claimed, the ST must not claim "not transmit any..." in FTP_DIT_EXT.1.This requirement applies only to PII that is specifically requested by the application; it does not apply if the user volunteers PII without prompting from the application into a general (or inappropriate) data field. A dialog box that declares intent to send PII presented to the user at the time the application is started is sufficient to meet this requirement.
+
+ If "not use PII" is claimed, the evaluator shall verify the TSS states the application does not utilize any PII.If "not transmit PII over a network" is claimed, the evaluator shall verify that the TSS makes this assertion (e.g., because it does not use network connectivity at all or if the functions for which it uses network connectivity do not involve transmission of PII). If "require user approval before executing..." is selected, the evaluator shall inspect the TSS documentation to verify that it identifies the functions where PII may be transmitted over a network.
+ The evaluator shall verify the guidance documentation contains any instructions to configure the transmission of PII and details any prompts that would approve or deny transmission of PII.
+ If " require user approval before executing..." is selected, the evaluator shall run the application, execute each function that is claimed as being used to transmit PII, and verify that user approval is required before transmission of the PII for each function.
+
+
+
+
+
+
+
+ This family defines requirements for protecting against common types of software exploitation techniques.
+
+
+ This family defines requirements for specifying the environmental APIs used by the TOE.
+
+
+ This family defines requirements for how the TOE version is identified.
+
+
+ This family defines requirements for identification of any third-party libraries used by the TOE.
+
+
+ This family defines requirements for applying updates to the TOE.
+
+
+
+ requires the application to implement functionality that protects against common software exploits.
+ No specific management functions are identified.
+ There are no auditable events foreseen.
+ No dependencies.
+
+ The application shall not request to map memory at an explicit address except for <assignable>list of explicit exceptions</assignable>.
+ Requesting a memory mapping at an explicit address subverts address space layout randomization (ASLR).
+
+ The evaluator shall ensure that the TSS describes the compiler flags used to enable ASLR when the application is compiled. If any explicitly-mapped exceptions are claimed, the evaluator shall check that the TSS identifies these exceptions, describes the static memory mapping that is used, and provides justification for why static memory mapping is appropriate in this case.
+ None.
+
+ The evaluator shall perform either a static or dynamic analysis to determine that no memory mappings are placed at an explicit and consistent address except for any exceptions claimed in the SFR. For these exceptions, the evaluator shall verify that this analysis shows explicit mappings that are consistent with what is claimed in the TSS. The method of doing so varies per platform. For those platforms requiring the same application running on two different systems, the evaluator may alternatively use the same device.
After collecting the first instance of mappings, the evaluator must uninstall the application, reboot the device, and reinstall the application to collect the second instance of mappings.
+
+
+
+
+ The evaluator shall run the same application on two different Android systems. Both devices do not need to be evaluated, as the second device is acting only as a tool. Connect via ADB and inspect /proc/PID/maps. Ensure the two different instances share no memory mappings made by the application at the same location.
+
+
+
+
+
+
+
+ The evaluator shall run the same application on two different Windows systems and run a tool that will list all memory mapped addresses for the application. The evaluator shall then verify the two different instances share no mapping locations. The Microsoft SysInternals tool, VMMap, could be used to view memory addresses of a running application. The evaluator shall use a tool such as Microsoft's BinScope Binary Analyzer to confirm that the application has ASLR enabled.
+
+
+
+
+
+
+
+ The evaluator shall perform a static analysis to search for any mmap calls (or API calls that call mmap), and ensure that no arguments are provided that request a mapping at a fixed address.
+
+
+
+
+
+
+
+ The evaluator shall run the same application on two different Linux systems. The evaluator shall then compare their memory maps using pmap -x PID to ensure the two different instances share no mapping locations.
+
+
+
+
+
+
+
+ The evaluator shall run the same application on two different Solaris systems. The evaluator shall then compare their memory maps using pmap -x PID to ensure the two different instances share no mapping locations.
+
+
+
+
+
+
+
+ The evaluator shall run the same application on two different Mac systems. The evaluator shall then compare their memory maps using vmmap PID to ensure the two different instances share no mapping locations.
+
+
+
+
+
+
+
+ The application shall <selectables onlyone="yes" linebreak="yes"><selectable id="fpt_aex_ext.1.2_1" >not allocate any memory region with both write and execute permissions</selectable><selectable id="fpt_aex_ext.1.2_2">allocate memory regions with write and execute permissions for only <assignable>list of functions performing just-in-time compilation</assignable> </selectable> </selectables>.
+ Requesting a memory mapping with both write and execute permissions subverts the platform protection provided by DEP. If the application performs no just-in-time compiling, then the first selection must be chosen.
+
+ None.
+ None.
+
+ The evaluator shall verify that no memory mapping requests are made with write and execute permissions. The method of doing so varies per platform.
+
+
+
+
+ The evaluator shall perform static analysis on the application to verify that mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions, andmprotect is never invoked.
+
+
+
+
+
+
+ The evaluator shall use a tool such as Microsoft's BinScope Binary Analyzer to confirm that the application passes the NXCheck. The evaluator may also ensure that the /NXCOMPAT flag was used during compilation to verify that DEP protections are enabled for the application.
+
+
+
+
+
+
+
+ The evaluator shall perform static analysis on the application to verify that mprotect is never invoked with the PROT_EXEC permission.
+
+
+
+
+
+
+
+ The evaluator shall perform static analysis on the application to verify that both mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions, andmprotect is never invoked with the PROT_EXEC permission.
+
+
+
+
+
+
+ The evaluator shall perform static analysis on the application to verify that both mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions, andmprotect is never invoked with the PROT_EXEC permission.
+
+
+
+
+
+
+ The evaluator shall perform static analysis on the application to verify that mprotect is never invoked with the PROT_EXEC permission.
+
+
+
+
+
+
+
+ The application shall be compatible with security features provided by the platform vendor.
+ This requirement is designed to ensure that platform security features do not need to be disabled in order for the application to run.
+
+ None.
+ None.
+
+ The evaluator shall configure the platform in the necessary manner and carry out one of the prescribed tests:
+
+
+
+
+ Applications running on Android cannot disable Android security features, therefore this requirement is met and no evaluation activity is required.
+
+
+
+
+
+
+ If the OS platform supports Windows Defender Exploit Guard, then the evaluator shall ensure that the application can run successfully with Windows Defender Exploit Guard Exploit Protection configured with the following minimum mitigations enabled; Control Flow Guard (CFG), Randomize memory allocations (Bottom-Up ASLR), Export address filtering (EAF), Import address filtering (IAF), and Data Execution Prevention (DEP). The following link describes how to enable Exploit Protection, https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide.
+
+
+
+
+
+
+ Applications running on iOS cannot disable security features, therefore this requirement is met and no evaluation activity is required.
+
+
+
+
+
+
+
+ The evaluator shall ensure that the application can successfully run on a system with either SELinux or AppArmor enabled and in enforce mode.
+
+
+
+
+
+
+
+ The evaluator shall ensure that the application can run with Solaris Trusted Extensions enabled and enforcing.
+
+
+
+
+
+
+
+ The evaluator shall ensure that the application can successfully run on macOS without disabling any security features.
+
+
+
+
+
+
+
+ The application shall not write user-modifiable files to directories that contain executable files unless explicitly directed by the user to do so.
+ The purpose of this requirement is to help ensure the integrity of application binaries by supporting file protection mechanisms such as directory-level file permissions and application allowlisting.A user-modifiable file for purposes of this requirement is a file that is writable by an unprivileged user of the application -- either directly through application execution or independently of the application. If the application runs in the context of the application user, then the application should not be able to write to the directory containing the application binaries -- regardless of whether the files are configuration data, audit data, or temporary files.Executables and user-modifiable files may not share the same parent directory, but may share directories above the parent.
+
+ None.
+ None.
+
+ The evaluator shall run the application and determine where it writes its files. For files where the user does not choose the destination, the evaluator shall check whether the destination directory contains executable files. This varies per platform:
+
+
+
+
+ The evaluator shall run the program, mimicking normal usage, and note where all user-modifiable files are written. The evaluator shall ensure that there are no executable files stored under /data/data/package/ where package is the Java package of the application.
+
+
+
+
+
+
+
+ For Windows Universal Applications the evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox). For Windows Desktop Applications the evaluator shall run the program, mimicking normal usage, and note where all user-modifiable files are written.
The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote user-modifiable files. + + + + + + + + The evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox). + + + + + + + + The evaluator shall run the program, mimicking normal usage, and note where all user-modifiable files are written. The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote user-modifiable files. + + + + + + + + The evaluator shall run the program, mimicking normal usage, and note where all user-modifiable files are written. The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote user-modifiable files. + + + + + + + + The evaluator shall run the program, mimicking normal usage, and note where all user-modifiable files are written. The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote user-modifiable files. + + + + + + + + The application shall be built with stack-based buffer overflow protection enabled. + + (Conditional: The PE or ELF automated tests fail) The evaluator shall ensure that the TSS describes the stack-based buffer overflow compiler flags. + None. + + The evaluator will inspect every native executable included in the TOE to ensure that stack-based buffer overflow protection is present. + + + + + Applications that run as Managed Code in the .NET Framework do not require these stack protections. Applications developed in Object Pascal using the Delphi IDE compiled with RangeChecking enabled comply with this element. For other code, the evaluator shall review the TSS and verify that the /GS flag was used during compilation. The evaluator shall run a tool like, BinSkim, that can verify the correct usage of /GS. 
+ + + + + For PE, the evaluator will disassemble each and ensure the following sequence appears:mov rcx, QWORD PTR [rsp+(...)]xor rcx, (...)call (...) + + + For ELF executables, the evaluator will ensure that each contains references to the symbol __stack_chk_fail.If these automated tests fail, the evaluator shall perform the above, conditional TSS activity. + + Tools such as Canary Detector may help automate these activities. + + + + + + + requires the application to use only documented platform APIs. + No specific management functions are identified. + There are no auditable events foreseen. + No dependencies. + + The application shall use only documented platform APIs. + The definition of "documented" may vary depending upon whether the application is provided by a third party (who relies upon documented platform APIs) or by a platform vendor who may be able to guarantee support for platform APIs. + + The evaluator shall verify that the TSS lists the platform APIs used in the application. The evaluator shall then compare the list with the supported APIs (available through e.g. developer accounts, platform developer groups) and ensure that all APIs listed in the TSS are supported. + None. + + + + + + + requires the application to implement media parsing in a specified manner. + No specific management functions are identified. + There are no auditable events foreseen. + No dependencies. + + The application <selectables onlyone="yes"><selectable id="fpt_api_ext.2.1_1" >shall use platform-provided libraries</selectable><selectable id="fpt_api_ext.2.1_2" >does not implement functionality</selectable> </selectables> for parsing <assignable>list of formats parsed that are included in the IANA MIME media types</assignable>. + The IANA MIME types are listed at http://www.iana.org/assignments/media-types and include many image, audio, video, and content file formats.This requirement does not apply if providing parsing services is the purpose of the application. 
+ + The evaluator shall verify that the TSS lists any IANA MIME media types (as described by + http://www.iana.org/assignments/media-types) for all formats the application processes and that it maps those formats to parsing services provided by the platform.The API shall be verified in FPT_API_EXT.1. + None. + None. + + + + + + + + The TSF shall preserve a secure state when the following types of failures occur: [<h:i>DRBG self-test failure</h:i>]. + The intent of this requirement is to ensure that cryptographic services requiring random bit generation cannot be performed if a failure of a self-test defined in FPT_TST.1 occurs. + + The evaluator shall verify that the TSF describes how the TOE enters an error state in the event of a DRBG self-test failure. + The evaluator shall verify that the guidance documentation describes the error state that results from a DRBG self-test failure and the actions that a user or administrator should take in response to attempt to resolve the error state. + + + + + + + requires the TSF to specify the versioning mechanism used. + No specific management functions are identified. + There are no auditable events foreseen. + No dependencies. + + The application shall be versioned with <h:i>SWID tags that comply with minimum requirements from ISO/IEC 19770-2:2015</h:i>. + The application shall be versioned with + <selectables><selectable>SWID tags that comply with minimum requirements from ISO/IEC 19770-2:2015 </selectable> <selectable><assignable>other version information </assignable> </selectable> </selectables>. + The use of a SWID tag to identify application software is a requirement for DoD IT based on DoD Instruction 8500.01 which requires the use of SCAP which includes SWID tags per the NIST standard.Valid SWID tags must contain a SoftwareIdentity element and an Entity element as defined in the ISO/IEC 19770-2:2015 standard. SWID tags must be stored with a .swidtag file extensions as defined in the ISO/IEC 19770-2:2015. + + None. 
+ None. + The evaluator shall install the application and check for a .swidtag file. The evaluator shall open the file and verify that is contains at least a SoftwareIdentity element and an Entity element. + + + + + + requires the TOE to identify the third party libraries that it uses. + No specific management functions are identified. + There are no auditable events foreseen. + No dependencies. + + The application shall be packaged with only <assignable>list of third-party libraries</assignable>. + The intention of this requirement is for the evaluator to discover and document whether the application includes unnecessary or unexpected third-party libraries. This includes adware libraries which could present a privacy threat, as well as ensuring documentation of such libraries in case vulnerabilities are later discovered. + + None. + None. + The evaluator shall install the application and survey its installation directory for dynamic libraries. The evaluator shall verify that libraries found to be packaged with or employed by the application are limited to those in the assignment. + + + + + + + + The TSF shall run a suite of the following self-tests <selectables><selectable id="fpt_tst.1.1_1" >during initial start-up</selectable><selectable id="fpt_tst.1.1_2" >periodically during normal operation</selectable><selectable id="fpt_tst.1.1_3" >at the request of the authorized user</selectable><selectable id="fpt_tst.1.1_4">at the conditions <assignable>conditions under which self-test should occur</assignable> </selectable> </selectables> to demonstrate the correct operation of [<h:i>TSF DRBG specified in FCS_RBG.1</h:i>]. + + The evaluator shall examine the TSS to ensure that it details the self-tests that are run by the TSF along with how they are run. This description should include an outline of what the tests are actually doing. 
The evaluator shall ensure that the TSS makes an argument that the tests are sufficient to demonstrate that the DRBG is operating correctly.Note that this information may also be placed in the entropy documentation specified by . + If a self-test can be executed at the request of an authorized user, the evaluator shall verify that the operational guidance provides instructions on how to execute that self-test. + For each self-test, the evaluator shall verify that evidence is produced that the self-test is executed when specified by FPT_TST.1.1. If a self-test can be executed at the request of an authorized user, the evaluator shall verify that following the steps documented in the operational guidance to perform the self-test will result in execution of the self-test. + + + + The TSF shall provide authorized users with the capability to verify the integrity of [<h:i>[DRBG seed/output data]</h:i>]. + + + The TSF shall provide authorized users with the capability to verify the integrity of [<h:i>[TSF DRBG specified in FCS_RBG.1]</h:i>]. + This SFR is a required dependency of FCS_RBG.1. It is intended to require that any DRBG implemented by the TOE undergo health testing to ensure that the random bit generation functionality has not been degraded. If the TSF supports multiple DRBGs, this SFR should be iterated to describe the self-test behavior for each. + + + + + requires the TSF to specify how updates to it are acquired and verified. + No specific management functions are identified. + There are no auditable events foreseen. + FPT_IDV_EXT.1 Software Identification and Versions + + The application shall <selectables><selectable id="fpt_tud_ext.1.1_1" >provide the ability</selectable><selectable id="fpt_tud_ext.1.1_2" >use platform-provided services</selectable> </selectables> to check for updates and patches to the application software. + This requirement is about the ability to "check" for updates. 
The actual installation of any updates should be done by the platform. This requirement is intended to ensure that the application can check for updates provided by the vendor, as updates provided by another source may contain malicious code. + + The evaluator shall verify the TSS contains a description of the update mechanism leveraged, how new updates are checked for, how the current version is checked for, and how the updates are signed. + The evaluator shall check to ensure the guidance includes a description of how to check for and apply new updates. + The evaluator shall check for an update using procedures described in either the application documentation or the platform documentation and verify that the application does not issue an error. If it is updated or if it reports that no update is available this requirement is considered to be met. + + + + The application shall <selectables><selectable id="fpt_tud_ext.1.2_1" >provide the ability</selectable><selectable id="fpt_tud_ext.1.2_2" >use platform-provided services</selectable> </selectables> to query the current version of the application software. + + + The evaluator shall verify guidance includes a description of how to query the current version of the application. + The evaluator shall query the application for the current version of the software according to the operational user guidance. The evaluator shall then verify that the current version matches that of the documented and installed version. + + + + The application shall <selectables linebreak="yes"><selectable id="toe-update" >perform trusted updates</selectable><selectable id="fpt_tud_ext.1.3_1" >not download, modify, replace or update its own binary code</selectable> </selectables>. + This requirement applies to the code of the application; it does not apply to mobile code technologies that are designed for download and execution by the application.If "perform trusted updates" is selected then FPT_TUD_EXT.2 must be included in the ST. 
+ + + + + Conditional: If "not download, modify, replace or update its own binary code" is selected the evaluator shall verify that the application's executable files are not changed by the application with the following tests: + + + + + The evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox). + + + + + + + + + + + + The evaluator shall install the application and then locate all of its executable files. The evaluator shall then, for each file, save off either a hash of the file or a copy of the file itself. The evaluator shall then run the application and exercise all features of the application as described in the ST. The evaluator shall then compare each executable file with either the saved hash or the saved copy of the files. The evaluator shall verify that these are identical. + + + + + + + + Application updates shall be digitally signed such that the application platform can cryptographically verify them prior to installation. + The specifics of the verification of updates involves requirements on the platform (and not the application), so these are not fully specified here. + + The evaluator shall verify that the TSS identifies how updates to the application are signed by an authorized source. The definition of an authorized source must be contained in the TSS. The evaluator shall also ensure that the TSS (or the operational guidance) describes how candidate updates are obtained. + + + + + + The application is distributed <selectables><selectable id="sel_with_plat" >with the platform OS</selectable><selectable id="sel_add_plat" >as an additional software package to the platform OS</selectable> </selectables>. + Application software that is distributed as part of the platform operating system is not required to be packaged for installation or uninstallation. 
If "as an additional software package to the platform OS" is selected, the requirements from FPT_TUD_EXT.2 must be included in the ST. + + The evaluator shall verify that the TSS identifies how the application is distributed. If "as an additional package..." is selected, the evaluator shall perform the tests in FPT_TUD_EXT.2. + None. + If " with the platform OS" is selected, the evaluator shall perform a clean installation or factory reset to confirm that TOE software is included as part of the platform OS. + + + + + + + + requires TOE updates to be packaged in a certain manner. + No specific management functions are identified. + There are no auditable events foreseen. + FPT_TUD_EXT.1 Integrity for Installation and Update + + The application shall be distributed using <selectables><selectable id="fpt_tud_ext.2.1_1" >the format of the platform-supported package manager</selectable><selectable id="fpt_tud_ext.2.1_2" >a container image</selectable> </selectables>. + + The evaluator shall verify that the TSS describes how the application is distributed and verify that description aligns with the selections in the ST. + None. + + If a container image is claimed, the evaluator shall verify that application updates are distributed as container images. If the format of the platform-supported package manager is claimed, the evaluator shall verify that application updates are distributed in the format supported by the platform. This varies per platform: + + + + + The evaluator shall ensure that the application is packaged in the Android application package (APK) format. + + + + + + + + The evaluator shall ensure that the application is packaged in the standard Windows Installer (.MSI) format, the Windows Application Software (.EXE) format signed using the Microsoft Authenticode process, or the Windows Universal Application package (.APPX) format. See https://msdn.microsoft.com/en-us/library/ms537364(v=vs.85).aspx for details regarding Authenticode signing. 
+ + + + + + + + The evaluator shall ensure that the application is packaged in the IPA format. + + + + + + + + The evaluator shall ensure that the application is packaged in the format of the package management infrastructure of the chosen distribution. For example, applications running on Red Hat and Red Hat derivatives shall be packaged in RPM format. Applications running on Debian and Debian derivatives shall be packaged in DEB format. + + + + + + + + The evaluator shall ensure that the application is packaged in the PKG format. + + + + + + + + The evaluator shall ensure that the application is packaged in the DMG format, the PKG format, or the MPKG format. + + + + + + + + The application shall be packaged such that its removal results in the deletion of all traces of the application, with the exception of configuration settings, output files, and audit/log events. + Application software bundled with the system/firmware image are not subject to this requirement if the user is unable to remove the application through means provided by the OS. + + None. + The evaluator shall verify the guidance documentation details how uninstallation of the application is performed. + + + + + + The evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox). + + + + + + + + The evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox). + + + + For all other platforms, the evaluator shall record the path of every file on the entire file system prior to installation of the application, and then install and run the application. Afterward, the evaluator shall uninstall the application, and compare the resulting file system to the initial record to verify that no files, other than configuration, output, and audit or log files, have been added to the file system. 
+ + + + + The application installation package shall be digitally signed such that <selectables><selectable id="fpt_tud_ext.2.3_1" >its platform can cryptographically verify them prior to installation.</selectable><selectable id="fpt_tud_ext.2.3_2">the application can verify them using <selectables><selectable id="toe-lms" >Leighton-Micali Signature.</selectable><selectable id="toe-xmss" >eXtended Merkle Signature Scheme.</selectable></selectables> </selectable> </selectables> + The specifics of the verification of installation packages involves requirements on the platform (and not the application), so these are not fully specified here.If "Leighton-Micali Signature" or "eXtended Merkle Signature Scheme" is selected, the corresponding selection must be made in FCS_COP.1/SigVer. + + The evaluator shall verify that the TSS identifies how the application installation package is signed by an authorized source. The definition of an authorized source must be contained in the TSS. + None. + + Conditional: if "the application can verify them using" is selected the evaluator shall perform the following tests: + + The evaluator shall ensure that the update has a digital signature belonging to the vendor prior to its installation. The evaluator shall modify the downloaded update in such a way that the digital signature is no longer valid. The evaluator will then attempt to install the modified update. The evaluator shall ensure that the modified update fails to install. + The evaluator shall ensure that the update has a digital signature belonging to the vendor. The evaluator shall then attempt to install the update (or permit installation to continue). The evaluator shall ensure that the update successfully installs. + + + + + +
+ +
+ + This family defines requirements for protecting data in transit. + + + + requires the TSF to specify what data is transmitted outside the TOE over a trusted channel, what protocol is used for data transmission, and whether the TSF implements this protocol or invokes an environmental interface to do so. + No specific management functions are identified. + There are no auditable events foreseen. + No dependencies. + + The application shall <selectables linebreak="yes"><selectable + id="ftp_dit_ext.1.1_1">not transmit any <selectables onlyone="yes"><selectable + id="ftp_dit_ext.1.1_2" >data</selectable><selectable id="ftp_dit_ext.1.1_3" + >sensitive data</selectable></selectables> </selectable><selectable + id="ftp_dit_ext.1.1_4">encrypt all transmitted <selectables onlyone="yes"><selectable id="ftp_dit_ext.1.1_5" >sensitive data</selectable><selectable id="ftp_dit_ext.1.1_6" >data</selectable></selectables> with <selectables><selectable id="sel_all_https_cl" >HTTPS as a client in accordance with FCS_HTTPS_EXT.1 and FCS_HTTPS_EXT.2</selectable><selectable id="sel_all_https_sv" >HTTPS as a server in accordance with FCS_HTTPS_EXT.1</selectable><selectable id="sel_all_https_ma" >HTTPS as a server with support for mutual authentication in accordance with FCS_HTTPS_EXT.1 and FCS_HTTPS_EXT.2</selectable><selectable id="sel_all_tlss">TLS as a server as defined in Functional Package for Transport Layer Security (TLS), version 2.1 and also supports functionality for <selectables><selectable id="ftp_dit_ext.1.1_7" >mutual authentication</selectable><selectable id="ftp_dit_ext.1.1_8" >none</selectable></selectables> </selectable><selectable id="sel_all_tlsc" >TLS as a client as defined in Functional Package for Transport Layer Security (TLS), version 2.1</selectable><selectable id="sel_all_dtlss">DTLS as a server as defined in Functional Package for Transport Layer Security (TLS), version 2.1 and also supports functionality for <selectables><selectable id="ftp_dit_ext.1.1_9" 
>mutual authentication</selectable><selectable id="ftp_dit_ext.1.1_10" >none</selectable></selectables> </selectable><selectable id="sel_all_dtlsc" >DTLS as a client as defined in Functional Package for Transport Layer Security (TLS), version 2.1</selectable><selectable id="sel_all_ssh" >SSH as defined in the <xref to="pkg-ssh"/></selectable><selectable id="sel_all_ipsec" >IPsec as defined in the VPN Client PP-Module, version 3.0</selectable></selectables> for <assignable>function(s)</assignable> using certificates as defined in the <h:a href="https://www.niap-ccevs.org/protectionprofiles/511"> Functional Package for X.509</h:a></selectable><selectable id="ftp_dit_ext.1.1_12">invoke platform-provided functionality to encrypt all transmitted sensitive data with <selectables><selectable id="ftp_dit_ext.1.1_13" >HTTPS</selectable><selectable id="ftp_dit_ext.1.1_14" >TLS</selectable><selectable id="ftp_dit_ext.1.1_15" >DTLS</selectable><selectable id="ftp_dit_ext.1.1_16" >SSH</selectable><selectable id="ftp_dit_ext.1.1_17" >IPsec</selectable></selectables> for <assignable>function(s)</assignable> using certificates as defined in the <h:a href="https://www.niap-ccevs.org/protectionprofiles/511"> Functional Package for X.509</h:a></selectable><selectable id="ftp_dit_ext.1.1_19">invoke platform-provided functionality to encrypt all transmitted data with <selectables><selectable id="ftp_dit_ext.1.1_20" >HTTPS</selectable><selectable id="ftp_dit_ext.1.1_21" >TLS</selectable><selectable id="ftp_dit_ext.1.1_22" >DTLS</selectable><selectable id="ftp_dit_ext.1.1_23" >SSH</selectable><selectable id="ftp_dit_ext.1.1_24" >IPsec</selectable></selectables> for <assignable>function(s)</assignable> using certificates as defined in the <h:a href="https://www.niap-ccevs.org/protectionprofiles/511"> Functional Package for X.509</h:a></selectable> </selectables> between itself and another trusted IT product. 
+ The application shall <selectables onlyone="yes" linebreak="yes"><selectable>not transmit any <selectables onlyone="yes"><selectable>data </selectable> <selectable>sensitive data </selectable> </selectables> </selectable> <selectable>encrypt all transmitted <selectables onlyone="yes"><selectable>sensitive data </selectable> <selectable>data </selectable> </selectables> with <assignable>trusted protocol </assignable> for <assignable>function(s) </assignable> </selectable> <selectable>invoke platform-provided functionality to encrypt all transmitted sensitive data with <assignable>trusted protocol </assignable> for <assignable>function(s) </assignable> </selectable> <selectable>invoke platform-provided functionality to encrypt all transmitted data with <assignable>trusted protocol </assignable> for <assignable>function(s) </assignable> </selectable> </selectables> between itself and another trusted IT product. + Encryption is not required for applications transmitting + data that is not sensitive.If "not transmit any..." is selected, no other option can be selected.If "not transmit any..." is NOT selected, it is possible to select more than one of the other options to encrypt data for a specific cryptographic function (e.g., application encrypts management data using SSH AND application invokes platform-provided functionality to encrypt syslog data using TLS OR application encrypts syslog data using TLS. Protocol selections and function assignments should be made to cover all data/sensitive data.If "encrypt all transmitted..." is selected and "TLS" or "DTLS" as a client or server is selected, then corresponding components from Functional Package for Transport Layer Security (TLS), version 2.1 must be selected.If "encrypt all transmitted..." is selected and any claim involving HTTPS is selected, then FCS_HTTPS_EXT.1 and potentially FCS_HTTPS_EXT.2 is required, as indicated by the chosen selections.If "encrypt all transmitted..." 
is selected and "SSH" is selected, then the TSF shall be validated against the Functional Package for Secure Shell.If "encrypt all transmitted..." is selected and "IPsec" is selected, then the TSF must claim conformance to a PP-Configuration that includes the VPN Client PP-Module, version 3.0.If "encrypt all transmitted..." is selected, FCS_CKM.2 and all iterations of FCS_COP.1 must be claimed.Claims from the + Functional Package for X.509 are only required to the extent that they are needed to support the functionality required by the trusted protocols that are claimed. For example, if the TOE supports HTTPS as a server but does not support mutual authentication, then for this interface the TSF would only present certificates in accordance with the requirements of the package and not validate presented certificates.If the TSF implements a protocol that requires the validation of a certificate presented by an external entity, FIA_X509_EXT.1 and FIA_X509_EXT.2 will be claimed. FIA_TSM_EXT.1 may also be claimed if the TSF implements its own trust store. Note that FIA_X509_EXT.1 and FIA_X509_EXT.2 have selections for invocation of platform-provided functionality, so it is expected that these claims are made and tested even when the trusted protocol is implemented by the TOE platform.If the TSF implements a protocol that requires the presentation of any certificates to an external entity, FIA_XCU_EXT.2 from + Functional Package for X.509 will be claimed. FIA_X509_EXT.3 from + Functional Package for X.509 will also be claimed, along with any applicable dependencies, depending on how the certificates presented by the TOE are obtained.If the TSF implements a protocol that does not require presenting or validating X.509 certificates, no claims from the + Functional Package for X.509 are required. 
+ + The evaluator shall confirm the TSS describes the data transmitted, and + verify it matches the selections of all data or sensitive + data.The evaluator shall confirm the TSS describes the method by which + the data is protected and that is matches the chosen selections, if multiple selections are included the evaluator shall verify the TSS describes which data is sent over which trusted channels and the totality of the data type selection is covered by all chosen selections.For platform-provided functionality, the evaluator shall verify the TSS contains the calls to the platform that the TOE is leveraging to invoke the functionality. The evaluator shall verify calls are documented by the platform vendor and non-deprecated.For platform-provided HTTPS, IPsec, TLS, or DTLS as a client the evaluator shall verify that the TSS lists any specific calls the product uses that specifies or allows the end users to specify cipher suites, support for mutual authentication, support for session renegotiation, hash algorithms for the signature_algorithms extension in the Client Hello with the supported_signature_algorithms value, and the supported groups in the Supported Groups Extension in Client Hello. The evaluator shall verify any calls the product specifies align with the options provided in this PP and the Functional Package for Transport Layer Security (TLS), version 2.1.For platform-provided HTTPS, IPsec, TLS, or DTLS as a server the evaluator shall verify that the TSS lists any specific calls the product uses that specifies or allows the end users to specify cipher suites, which protocols are denied connection requests, key establishment algorithms, support for mutual authentication, response to an invalid client certificate, and support for session renegotiation. 
The evaluator shall verify any calls the product specifies align with the options provided in this PP and the Functional Package for Transport Layer Security (TLS), version 2.1.For platform-provided HTTPS the evaluator shall verify that the TSS lists any specific calls the product uses that specifies or allows the end users to specify the response to an invalid certificate.For platform-provided HTTPS as a server the evaluator shall verify that the TSS lists any specific calls the product uses that specifies or allows the end users to specify cipher suites, which protocols are denied connection requests, key establishment algorithms, support for mutual authentication, response to an invalid client certificate, and support for session renegotiation. The evaluator shall verify any calls the product specifies align with the options provided in this PP and the Functional Package for Transport Layer Security (TLS), version 2.1.For platform-provided SSH the evaluator shall verify that the TSS lists any specific calls the product uses that specifies or allows the end users to specify the applicable RFCs, the authentication methods, the limit for dropping large packets in an SSH transport connection, the SSH transport accepted algorithms, the SSH public key for public-key based authentication, The diffie-hellman-group used for key exchange, and the parameters of session rekey or termination. The evaluator shall verify any calls the product specifies align with the options provided in this PP and the . + The evaluator shall confirm the guidance documentation contains any information necessary for enabling and configuring the trusted channels that have been selected. + + The evaluator shall perform the following tests. + + If "not transmit any data" is selected, the evaluator shall exercise each of the TOE's identified functions, while observing the network traffic from the device and verify that no TSF initiated connections were observed during the attempts. 
+ The evaluator shall exercise the application (attempting to transmit data; for example by connecting to remote systems or websites) while capturing packets from the application. The evaluator shall verify from the packet capture that the traffic is encrypted with HTTPS, TLS, DTLS, SSH, or IPsec in accordance with the selection in the ST. + The evaluator shall exercise the application (attempting to transmit data; for example by connecting to remote systems or websites) while capturing packets from the application. The evaluator shall review the packet capture and verify that no sensitive data is transmitted in the clear. + The evaluator shall inspect the TSS to determine if user credentials are transmitted. If credentials are transmitted the evaluator shall set the credential to a known value. The evaluator shall capture packets from the application while causing credentials to be transmitted as described in the TSS. The evaluator shall perform a string search of the captured network packets and verify that the plaintext credential previously set by the evaluator is not found. + + + + + + If "not transmit any data" is selected, the evaluator shall ensure that the application's AndroidManifest.xml file does not contain a uses-permission or uses-permission-sdk-23 tag containing android:name="android.permission.INTERNET". In this case, it is not necessary to perform the above Tests 1, 2, 3, or 4 as the platform will not allow the application to perform any network communication. + + + + + + + + If "encrypt all transmitted data" is selected, the evaluator shall ensure that the application's Info.plist file does not contain the NSAllowsArbitraryLoads or NSExceptionAllowsInsecureHTTPLoads keys, as these keys disable iOS's Application Transport Security feature. + + + + + + + +
+
+ +
+ The PP identifies the Security Assurance Requirements (SARs) to frame the extent to which the evaluator assesses the documentation applicable for the evaluation and performs independent testing.This section lists the set of SARs from CC part 3 that are required in evaluations against this PP. Individual Evaluation Activities (EAs) to be performed are specified both in as well as in this section. These SARs were chosen based on the notion that a hypothetical attacker of the TOE lacks administrative privilege on its platform but otherwise has persistent access to the TOE itself and the sophistication to interact with the platform in a way that they can attempt to access stored data without authorization or to run tools that automate more sophisticated malicious activity.The general model for evaluation of TOEs against STs written to conform to this PP is as follows:After the ST has been approved for evaluation, the CCTL will obtain the TOE, supporting environmental IT, and the administrative/user guides for the TOE. The CCTL is expected to perform actions mandated by the Common Evaluation Methodology (CEM) for the ASE and ALC SARs. The CCTL also performs the evaluation activities contained within , which are intended to be an interpretation of the other CEM assurance requirements as they apply to the specific technology instantiated in the TOE. The evaluation activities that are captured in also provide clarification as to what the developer needs to provide to demonstrate the TOE is compliant with the PP. The results of these activities will be documented and presented (along with the administrative guidance used) for validation. +
As per ASE activities defined in .
+
+ + The information about the TOE is contained in the guidance documentation available to the end user as well as the TSS portion of the ST. The TOE developer must concur with the description of the product that is contained in the TSS as it relates to the functional requirements. The evaluation activities contained in should provide the ST authors with sufficient information to determine the appropriate content for the TSS section. + + + + The functional specification describes the TSFIs. It is not necessary to have a formal or complete specification of these interfaces. Additionally, because TOEs conforming to this PP will necessarily have interfaces to the Operational Environment that are not directly invocable by TOE users, there is little point specifying that such interfaces be described in and of themselves since only indirect testing of such interfaces may be possible. For this PP, the activities for this family should focus on understanding the interfaces presented in the TSS in response to the functional requirements and the interfaces presented in the AGD documentation. No additional “functional specification” documentation is necessary to satisfy the evaluation activities specified. The interfaces that need to be evaluated are characterized through the information needed to perform the assurance activities listed, rather than as an independent, abstract list. + + + The developer shall provide a functional specification. + + + + The developer shall provide a tracing from the functional specification to the SFRs. + As indicated in the introduction to this section, the functional specification is comprised of the information contained in the AGD_OPE and AGD_PRE documentation. The developer may reference a website accessible to application developers and the evaluator. 
The evaluation activities in the functional requirements point to evidence that should exist in the documentation and TSS section; since these are directly associated with the SFRs, the tracing in element ADV_FSP.1.2D is implicitly already done and no additional documentation is necessary. + + + + The functional specification shall describe the purpose and method of use for each SFR-enforcing and SFR-supporting TSFI. + + + + The functional specification shall identify all parameters associated with each SFR-enforcing and SFR-supporting TSFI. + + + + The functional specification shall provide rationale for the implicit categorization of interfaces as SFR-non-interfering. + + + + The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification. + + + + The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. + + + + The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs. + There are no specific evaluation activities associated with these SARs, except ensuring the information is provided. The functional specification documentation is provided to support the evaluation activities described in , and other activities described for AGD, ATE, and AVA SARs. The requirements on the content of the functional specification information is implicitly assessed by virtue of the other evaluation activities being performed; if the evaluator is unable to perform an activity because there is insufficient interface information, then an adequate functional specification has not been provided. + + +
+
+ + The guidance documents will be provided with the ST. Guidance must include a description of how the IT personnel verifies that the Operational Environment can fulfill its role for the security functionality. The documentation should be in an informal style and readable by the IT personnel. Guidance must be provided for every operational environment that the product supports as claimed in the ST. This guidance includes instructions to successfully install the TSF in that environment; and instructions to manage the security of the TSF as a product and as a component of the larger operational environment. Guidance pertaining to particular security functionality is also provided; requirements on such guidance are contained in the evaluation activities specified with each requirement. + + + + The developer shall provide operational user guidance. + The operational user guidance does not have to be contained in a single document. Guidance to users, administrators and application developers can be spread among documents or web pages. Where appropriate, the guidance documentation is expressed in the eXtensible Configuration Checklist Description Format (XCCDF) to support security automation. Rather than repeat information here, the developer should review the evaluation activities for this component to ascertain the specifics of the guidance that the evaluator will be checking for. This will provide the necessary information for the preparation of acceptable guidance. + + + + The operational user guidance shall describe, for each user role, the user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings. + User and administrator are to be considered in the definition of user role. + + + + The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner. 
+ + + + The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate. + + + + The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF. + + + + The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences, and implications for maintaining secure operation. + + + + The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST. + + + + The operational user guidance shall be clear and reasonable. + + + + The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. + Some of the contents of the operational guidance will be verified by the evaluation activities in and evaluation of the TOE according to the . The following additional information is also required.If cryptographic functions are provided by the TOE, the operational guidance shall contain instructions for configuring the cryptographic engine associated with the evaluated configuration of the TOE. It shall provide a warning to the administrator that use of other cryptographic engines was not evaluated nor tested during the CC evaluation of the TOE.The documentation must describe the process for verifying updates to the TOE by verifying a digital signature – this may be done by the TOE or the underlying platform.The evaluator shall verify that this process includes the following steps:Instructions for obtaining the update itself. 
This should include instructions for making the update accessible to the TOE (e.g., placement in a specific directory).Instructions for initiating the update process, as well as discerning whether the process was successful or unsuccessful. This includes generation of the digital signature. The TOE will likely contain security functionality that does not fall in the scope of evaluation under this PP. The operational guidance shall make it clear to an administrator which security functionality is covered by the evaluation activities. + + + + + The developer shall provide the TOE, including its preparative procedures. + As with the operational guidance, the developer should look to the evaluation activities to determine the required content with respect to preparative procedures. + + + + The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures. + + + + The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST. + + + + The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. + + + + The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation. + As indicated in the introduction above, there are significant expectations with respect to the documentation—especially when configuring the operational environment to support TOE functional requirements. The evaluator shall check to ensure that the guidance provided for the TOE adequately addresses all platforms claimed for the TOE in the ST. + + +
+
+ + At the assurance level provided for TOEs conformant to this PP, life-cycle support is limited to end-user-visible aspects of the life-cycle, rather than an examination of the TOE vendor’s development and configuration management process. This is not meant to diminish the critical role that a developer’s practices play in contributing to the overall trustworthiness of a product; rather, it is a reflection on the information to be made available for evaluation at this assurance level. + + + + This component is targeted at identifying the TOE such that it can be distinguished from other products or versions from the same vendor and can be easily specified when being procured by an end user. + + + The developer shall provide the TOE and a reference for the TOE. + + + + The application shall be labeled with a unique reference. + Unique reference information includes:Application NameApplication VersionApplication DescriptionPlatform on which Application RunsSoftware Identification (SWID) tags, if available + + + + The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. + The evaluator shall check the ST to ensure that it contains an identifier (such as a product name/version number) that specifically identifies the version that meets the requirements of the ST. Further, the evaluator shall check the operational guidance and TOE samples received for testing to ensure that the version number is consistent with that in the ST. If the vendor maintains a website advertising the TOE, the evaluator shall examine the information on the website to ensure that the information in the ST is sufficient to distinguish the product. + + + + + The developer shall provide a configuration list for the TOE. + + + + The configuration list shall include the following: the TOE itself; and the evaluation evidence required by the SARs. + + + + The configuration list shall uniquely identify the configuration items. 
+ + + + The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. + The "evaluation evidence required by the SARs" in this PP is limited to the information in the ST coupled with the guidance provided to administrators and users under the AGD requirements. By ensuring that the TOE is specifically identified and that this identification is consistent in the ST and in the AGD guidance (as done in the evaluation activity for ALC_CMC.1), the evaluator implicitly confirms the information required by this component. Life-cycle support is targeted aspects of the developer’s life-cycle and instructions to providers of applications for the developer’s devices, rather than an in-depth examination of the TSF manufacturer’s development and configuration management process. This is not meant to diminish the critical role that a developer’s practices play in contributing to the overall trustworthiness of a product; rather, it’s a reflection on the information to be made available for evaluation.The evaluator shall ensure that the developer has identified (in guidance documentation for application developers concerning the targeted platform) one or more development environments appropriate for use in developing applications for the developer’s platform. For each of these development environments, the developer shall provide information on how to configure the environment to ensure that buffer overflow protection mechanisms in the environment(s) are invoked (e.g., compiler flags). The evaluator shall ensure that this documentation also includes an indication of whether such protections are on by default, or have to be specifically enabled. The evaluator shall ensure that the TSF is uniquely identified (with respect to other products from the TSF vendor), and that documentation provided by the developer in association with the requirements in the ST is associated with the TSF using this unique identification. 
+ + + + + The developer shall document and provide flaw remediation procedures addressed to TOE developers. + + + + The flaw remediation procedures documentation shall describe the procedures used to track all reported security flaws in each release of the TOE. + + + + The flaw remediation procedures shall require that a description of the nature and effect of each security flaw be provided, as well as the status of finding a correction to that flaw. + + + + The flaw remediation procedures shall require that corrective actions be identified for each of the security flaws. + + + + The flaw remediation procedures documentation shall describe the methods used to provide flaw information, corrections and guidance on corrective actions to TOE users. + + + + The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. + The evaluator shall inspect the TSS and verify it identifies how to access the flaw remediation procedures. + + + + + The developer shall document and provide flaw remediation procedures addressed to TOE developers. + + + + The developer shall establish a procedure for accepting and acting upon all reports of security flaws and requests for corrections to those flaws. + + + + The developer shall provide flaw remediation guidance addressed to TOE users. + + + + The flaw remediation procedures documentation shall describe the procedures used to track all reported security flaws in each release of the TOE. + + + + The flaw remediation procedures shall require that a description of the nature and effect of each security flaw be provided, as well as the status of finding a correction to that flaw. + + + + The flaw remediation procedures shall require that corrective actions be identified for each of the security flaws. + + + + The flaw remediation procedures documentation shall describe the methods used to provide flaw information, corrections and guidance on corrective actions to TOE users. 
+ + + + The flaw remediation procedures shall describe a means by which the developer receives from TOE users reports and enquiries of suspected security flaws in the TOE. + + + + The procedures for processing reported security flaws shall ensure that any reported flaws are remediated and the remediation procedures issued to TOE users. + + + + The procedures for processing reported security flaws shall provide safeguards that any corrections to these security flaws do not introduce any new flaws. + + + + The flaw remediation guidance shall describe a means by which TOE users report to the developer any suspected security flaws in the TOE. + + + + The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. + The evaluator shall inspect the TSS and verify it identifies how to access the flaw remediation procedures.The evaluator shall inspect the guidance document and verify it describes how to access the flaw remediation guidance. + + + + + The developer shall document and provide flaw remediation procedures addressed to TOE developers. + + + + The developer shall establish a procedure for accepting and acting upon all reports of security flaws and requests for corrections to those flaws. + + + + The developer shall provide flaw remediation guidance addressed to TOE users. + + + + The flaw remediation procedures documentation shall describe the procedures used to track all reported security flaws in each release of the TOE. + + + + The flaw remediation procedures shall require that a description of the nature and effect of each security flaw be provided, as well as the status of finding a correction to that flaw. + + + + The flaw remediation procedures shall require that corrective actions be identified for each of the security flaws. 
+ + + + The flaw remediation procedures documentation shall describe the methods used to provide flaw information, corrections and guidance on corrective actions to TOE users. + + + + The flaw remediation procedures shall describe a means by which the developer receives from TOE users reports and enquiries of suspected security flaws in the TOE. + + + + The flaw remediation procedures shall include a procedure requiring timely response and the automatic distribution of security flaw reports and the associated corrections to registered users who might be affected by the security flaw. + + + + The procedures for processing reported security flaws shall ensure that any reported flaws are remediated and the remediation procedures issued to TOE users. + + + + The procedures for processing reported security flaws shall provide safeguards that any corrections to these security flaws do not introduce any new flaws. + + + + The flaw remediation guidance shall describe a means by which TOE users report to the developer any suspected security flaws in the TOE. + + + + The flaw remediation guidance shall describe a means by which TOE users may register with the developer, to be eligible to receive security flaw reports and corrections. + + + + The flaw remediation guidance shall identify the specific points of contact for all reports and enquiries about security issues involving the TOE. + + + + The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. + The evaluator shall inspect the TSS and verify it identifies how to access the flaw remediation procedures.The evaluator shall inspect the guidance document and verify it describes how to access the flaw remediation guidance. + + + + + This component requires the TOE developer, in conjunction with any other necessary parties, to provide information as to how the end-user devices are updated to address security issues in a timely manner. 
The documentation describes the process of providing updates to the public from the time a security flaw is reported/discovered, to the time an update is released. This description includes the parties involved (e.g., the developer, carriers(s)) and the steps that are performed (e.g., developer testing, carrier testing), including worst case time periods, before an update is made available to the public. + + + The developer shall provide a description in the TSS of how timely security updates are made to the TOE. + Application developers must support updates to their products for purposes of fixing security vulnerabilities. + + + + The developer shall provide a description in the TSS of how users are notified when updates change security properties or the configuration of the product. + + + + The description shall include the process for creating and deploying security updates for the TOE software. + + + + The description shall express the time window as the length of time, in days, between public disclosure of a vulnerability and the public availability of security updates to the TOE. + + + + The description shall include the mechanisms publicly available for reporting security issues pertaining to the TOE. + The reporting mechanism could include a website or email address as well as a means to protect the sensitive nature of the report (e.g., public keys that could be used to encrypt the details of a proof-of-concept exploit). + + + + The evaluator <h:i>shall confirm</h:i> that the information provided meets all requirements for content and presentation of evidence. + The evaluator shall verify that the TSS contains a description of the timely security update process used by the developer to create and deploy security updates. The evaluator shall verify that this description addresses the entire application. The evaluator shall also verify that, in addition to the TOE developer’s process, any third-party processes are also addressed in the description. 
The evaluator shall also verify that each mechanism for deployment of security updates is described.The evaluator shall verify that, for each deployment mechanism described for the update process, the TSS lists a time between public disclosure of a vulnerability and public availability of the security update to the TOE patching this vulnerability, to include any third-party or carrier delays in deployment. The evaluator shall verify that this time is expressed in a number or range of days.The evaluator shall verify that this description includes the publicly available mechanisms (including either an email address or website) for reporting security issues related to the TOE. The evaluator shall verify that the description of this mechanism includes a method for protecting the report either using a public key for encrypting email or a trusted channel for a website. + + +
+
+ + Testing is specified for functional aspects of the system as well as aspects that take advantage of design or implementation weaknesses. The former is done through the ATE_IND family, while the latter is through the AVA_VAN family. At the assurance level specified in this PP, testing is based on advertised functionality and interfaces with dependency on the availability of design information. One of the primary outputs of the evaluation process is the test report as specified in the following requirements. + + + + Testing is performed to confirm the functionality described in the TSS as well as the administrative (including configuration and operational) documentation provided. The focus of the testing is to confirm that the requirements specified in are being met, although some additional testing is specified for SARs in . The evaluation activities identify the additional testing activities associated with these components. The evaluator produces a test report documenting the plan for and results of testing, as well as coverage arguments focused on the platform/TOE combinations that are claiming conformance to this PP. Given the scope of the TOE and its associated evaluation evidence requirements, this component’s evaluation activities are covered by the evaluation activities listed for ALC_CMC.1. + + + The developer shall provide the TOE for testing. + The developer must provide at least one product instance of the TOE for complete testing on at least one platform regardless of equivalency. See the Equivalency Appendix for more details. + + + + The TOE shall be suitable for testing. + + + + The evaluator <h:i>shall confirm</h:i> that the information provided meets all requirements for content and presentation of evidence. + + + + The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified. + The evaluator should test the application on the most current fully patched version of the platform. 
+ The evaluator shall prepare a test plan and report documenting the testing aspects of the system, including any application crashes during testing. The evaluator shall determine the root cause of any application crashes and include that information in the report. The test plan covers all of the testing actions contained in the and the body of this PP’s evaluation activities.While it is not necessary to have one test case per test listed in an evaluation activity, the evaluator must document in the test plan that each applicable testing requirement in the ST is covered. The test plan identifies the platforms to be tested, and for those platforms not included in the test plan but included in the ST, the test plan provides a justification for not testing the platforms. This justification must address the differences between the tested platforms and the untested platforms, and make an argument that the differences do not affect the testing to be performed. It is not sufficient to merely assert that the differences have no effect; rationale must be provided. If all platforms claimed in the ST are tested, then no rationale is necessary. The test plan describes the composition of each platform to be tested, and any setup that is necessary beyond what is contained in the AGD documentation. It should be noted that the evaluator is expected to follow the AGD documentation for installation and setup of each platform either as part of a test or as a standard pre-test condition. This may include special test drivers or tools. For each driver or tool, an argument (not just an assertion) should be provided that the driver or tool will not adversely affect the performance of the functionality by the TOE and its platform.This also includes the configuration of the cryptographic engine to be used. The cryptographic algorithms implemented by this engine are those specified by this PP and used by the cryptographic protocols being evaluated (e.g., SSH). 
The test plan identifies high-level test objectives as well as the test procedures to be followed to achieve those objectives. These procedures include expected results.The test report (which could just be an annotated version of the test plan) details the activities that took place when the test procedures were executed, and includes the actual results of the tests. This shall be a cumulative account, so if there was a test run that resulted in a failure; a fix installed; and then a successful re-run of the test, the report would show a “fail” and “pass” result (and the supporting details), and not just the “pass” result. + + +
+
+ + For the current generation of this protection profile, the evaluation lab is expected to survey open sources to discover what vulnerabilities have been discovered in these types of products. In most cases, these vulnerabilities will require sophistication beyond that of a basic attacker. Until penetration tools are created and uniformly distributed to the evaluation labs, the evaluator will not be expected to test for these vulnerabilities in the TOE. The labs will be expected to comment on the likelihood of these vulnerabilities given the documentation provided by the vendor. This information will be used in the development of penetration testing tools and for the development of future protection profiles. + + + + The developer shall provide the TOE for testing. + + + + The application shall be suitable for testing. + Suitability for testing means not being obfuscated or packaged in such a way as to disrupt either static or dynamic analysis by the evaluator. + + + + The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. + + + + The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE. + Public domain sources include the Common Vulnerabilities and Exposures (CVE) dictionary for publicly known vulnerabilities. Public domain sources also include sites which provide free checking of files for viruses. + + + + The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential. + The evaluator shall generate a report to document their findings with respect to this requirement. This report could physically be part of the overall test report mentioned in ATE_IND, or a separate document. 
The evaluator performs a search of public information to find vulnerabilities that have been found in similar applications with a particular focus on network protocols the application uses and document formats it parses.The evaluator documents the sources consulted and the vulnerabilities found in the report.For each vulnerability found, the evaluator either provides a rationale with respect to its non-applicability, or the evaluator formulates a test (using the guidelines provided in ATE_IND) to confirm the vulnerability, if suitable. Suitability is determined by assessing the attack vector needed to take advantage of the vulnerability. If exploiting the vulnerability requires expert skills and an electron microscope, for instance, then a test would not be suitable and an appropriate justification would be formulated. The evaluator shall also run a virus scanner with the most current virus definitions against the application files and verify that no files are flagged as malicious. + + +
+
+
+ This appendix describes the required supplementary information for the entropy source used by the TOE. The documentation of the entropy source should be detailed enough that, after reading, the evaluator will thoroughly understand the entropy source and why it can be relied upon to provide sufficient entropy. This documentation should include multiple detailed sections: design description, entropy justification, operating conditions, and health testing. This documentation is not required to be part of the TSS.
Documentation shall include the design of the entropy source as a whole, including the interaction of all entropy source components. Any information that can be shared regarding the design should also be included for any third-party entropy sources that are included in the product. The documentation shall describe how unprocessed (raw) data was obtained for the analysis. This description shall be sufficiently detailed to explain at what point in the entropy source model the data was collected and what effects, if any, the process of data collection had on the overall entropy generation rate. The documentation should walk through the entropy source design indicating where the entropy comes from, where the entropy output is passed next, any post-processing of the raw outputs (hash, XOR, etc.), if/where it is stored, and finally, how it is output from the entropy source. Any conditions placed on the process (e.g., blocking) should also be described in the entropy source design. Diagrams and examples are encouraged. This design must also include a description of the content of the security boundary of the entropy source and a description of how the security boundary ensures that an adversary outside the boundary cannot affect the entropy rate. If implemented, the design description shall include a description of how third-party applications can add entropy to the RBG. A description of any RBG state saving between power-off and power-on shall be included.
There should be a technical argument for where the unpredictability in the source comes from and why there is confidence in the entropy source delivering sufficient entropy for the uses made of the RBG output (by this particular TOE). This argument will include a description of the expected min-entropy rate (i.e. the minimum entropy (in bits) per bit or byte of source data) and explain that sufficient entropy is going into the TOE randomizer seeding process. This discussion will be part of a justification for why the entropy source can be relied upon to produce bits with entropy. The amount of information necessary to justify the expected min-entropy rate depends on the type of entropy source included in the product. For developer provided entropy sources, in order to justify the min-entropy rate, it is expected that a large number of raw source bits will be collected, statistical tests will be performed, and the min-entropy rate determined from the statistical tests. While no particular statistical tests are required at this time, it is expected that some testing is necessary in order to determine the amount of min-entropy in each output. For third party provided entropy sources, in which the TOE vendor has limited access to the design and raw entropy data of the source, the documentation will indicate an estimate of the amount of min-entropy obtained from this third-party source. It is acceptable for the vendor to “assume” an amount of min-entropy, however, this assumption must be clearly stated in the documentation provided. In particular, the min-entropy estimate must be specified and the assumption included in the ST. 
Regardless of type of entropy source, the justification will also include how the DRBG is initialized with the entropy stated in the ST, for example by verifying that the min-entropy rate is multiplied by the amount of source data used to seed the DRBG or that the rate of entropy expected based on the amount of source data is explicitly stated and compared to the statistical rate. If the amount of source data used to seed the DRBG is not clear or the calculated rate is not explicitly related to the seed, the documentation will not be considered complete. The entropy justification shall not include any data added from any third-party application or from any state saving between restarts.
The entropy rate may be affected by conditions outside the control of the entropy source itself. For example, voltage, frequency, temperature, and elapsed time after power-on are just a few of the factors that may affect the operation of the entropy source. As such, documentation will also include the range of operating conditions under which the entropy source is expected to generate random data. It will clearly describe the measures that have been taken in the system design to ensure the entropy source continues to operate under those conditions. Similarly, documentation shall describe the conditions under which the entropy source is known to malfunction or become inconsistent. Methods used to detect failure or degradation of the source shall be included.
More specifically, all entropy source health tests and their rationale will be documented. This will include a description of the health tests, the rate and conditions under which each health test is performed (e.g., at startup, continuously, or on-demand), the expected results for each health test, and rationale indicating why each test is believed to be appropriate for detecting one or more failures in the entropy source.
+
The purpose of equivalence in PP-based evaluations is to find a balance between evaluation rigor and commercial practicability—to ensure that evaluations meet customer expectations while recognizing that there is little to be gained from requiring that every variation in a product or platform be fully tested. If a product is found to be compliant with a PP on one platform, then all equivalent products on equivalent platforms are also considered to be compliant with the PP. A Vendor can make a claim of equivalence if the Vendor believes that a particular instance of their Product implements PP-specified security functionality in a way equivalent to the implementation of the same functionality on another instance of their Product on which the functionality was tested. The Product instances can differ in version number or feature level (model), or the instances may run on different platforms. Equivalency can be used to reduce the testing required across claimed evaluated configurations. It can also be used during Assurance Maintenance to reduce testing needed to add more evaluated configurations to a certification. These equivalency guidelines do not replace Assurance Maintenance requirements or NIAP Policy #5 requirements for CAVP certificates. Nor may equivalency be used to leverage evaluations with expired certifications. These Equivalency Guidelines represent a shift from complete testing of all product instances to more of a risk-based approach. Rather than require that every combination of product and platform be tested, these guidelines support an approach that recognizes that products are being used in a variety of environments—and often in cloud environments over where the vendor (and sometimes the customer) have little or no control over the underlying hardware. 
Developers should be responsible for the security functionality of their applications on the platforms they are developed for—whether that is an operating system, a virtual machine, or a software-based execution environment such as a container. But those platforms may themselves run within other environments—virtual machines or operating systems—that completely abstract away the underlying hardware from the application. The developer should not be held accountable for security functionality that is implemented by platform layers that are abstracted away. The implication is that not all security functionality will necessarily be tested for all platform layers down to the hardware for all evaluated configurations—especially for applications developed for software-based execution environments such as containers. For these cases, the balancing of evaluation rigor and commercial practicability tips in favor of practicability. Note that this does not affect the requirement that at least one product instance be fully tested on at least one platform with cryptography mapped to a CAVP certificate. Equivalency has two aspects: Product Equivalence: Products may be considered equivalent if there are no differences between Product Models and Product Versions with respect to PP-specified security functionality. Platform Equivalence: Platforms may be considered equivalent if there are no significant differences in the services they provide to the Product—or in the way the platforms provide those services—with respect to PP-specified security functionality. The equivalency determination is made in accordance with these guidelines by the Validator and Scheme using information provided by the Evaluator/Vendor.
There are two scenarios for performing equivalency analysis. One is when a product has been certified and the vendor wants to show that a later product should be considered certified due to equivalence with the earlier product. The other is when multiple product variants are going though evaluation together and the vendor would like to reduce the amount of testing that must be done. The basic rules for determining equivalence are the same in both cases. But there is one additional consideration that applies to equivalence with previously certified products. That is, the product with which equivalence is being claimed must have a valid certification in accordance with scheme rules and the Assurance Maintenance process must be followed. If a product’s certification has expired, then equivalence cannot be claimed with that product. When performing equivalency analysis, the Evaluator/Vendor should first use the factors and guidelines for Product Model equivalence to determine the set of Product Models to be evaluated. In general, Product models that do not differ in PP-specified security functionality are considered equivalent for purposes of evaluation against the this PP. If multiple revision levels of Product Models are to be evaluated—or to determine whether a revision of an evaluated product needs re-evaluation—the Evaluator/Vendor and Validator should use the factors and guidelines for Product Version equivalence to analyze whether Product Versions are equivalent. Having determined the set of Product Models and Versions to be evaluated, the next step is to determine the set of Platforms that the Products must be tested on. Each non-equivalent Product for which compliance is claimed must be fully tested on each non-equivalent platform for which compliance is claimed. For non-equivalent Products on equivalent platforms, only the differences that affect PP-specified security functionality must be tested for each product. 
“Differences in PP-Specified Security Functionality” Defined If PP-specified security functionality is implemented by the TOE, then differences in the actual implementation between versions or product models break equivalence for that feature. Likewise, if the TOE implements the functionality in one version or model and the functionality is implemented by the platform in another version or model, then equivalence is broken. If the functionality is implemented by the platform in multiple models or versions on equivalent platforms, then the functionality is considered different if the product invokes the platform differently to perform the function.
Product Model equivalence attempts to determine whether different feature levels of the same product across a product line are equivalent for purposes of PP testing. For example, if a product has a “basic” edition and an “enterprise” edition, is it necessary to test both models? Or does testing one model provide sufficient assurance that both models are compliant? Product models are considered equivalent if there are no differences that affect PP-specified security functionality—as indicated in Table 1. Factor Same/Different Guidance PP-Specified Functionality Same If the differences between Models affect only non-PP-specified functionality, then the Models are equivalent. Different If PP-specified security functionality is affected by the differences between Models, then the Models are not equivalent and must be tested separately. It is necessary only to test the functionality affected by the software differences. If only differences are tested, then the differences must be enumerated, and for each difference the Vendor must provide an explanation of why each difference does or does not affect PP-specified functionality. If the Product Models are separately tested fully, then there is no need to document the differences. Table 1. Determining Product Model Equivalence
In cases of version equivalence, differences are expressed in terms of changes implemented in revisions of an evaluated Product. In general, versions are equivalent if the changes have no effect on any security-relevant claims about the TOE or assurance evidence. Non-security-relevant changes to TOE functionality or the addition of non-security-relevant functionality does not affect equivalence. Factor Same/Different Guidance Product Models Different Versions of different Product Models are not equivalent unless the Models are equivalent as defined in Section 3. PP-Specified Functionality Same If the differences affect only non-PP-specified functionality, then the Versions are equivalent. Different If PP-specified security functionality is affected by the differences, then the Versions are not considered equivalent and must be tested separately. It is necessary only to test the functionality affected by the changes. If only the differences are tested, then for each difference the Vendor must provide an explanation of why the difference does or does not affect PP-specified functionality. If the Product Versions are separately tested fully, then there is no need to document the differences. Table 2. Factors for Determining Product Version Equivalence
Platform equivalence is used to determine the platforms that equivalent versions of a Product must be tested on. Platform equivalence analysis done for one software application cannot be applied to another software application. Platform equivalence is not general—it is with respect to a particular application. Product Equivalency analysis must already have been done and Products have been determined to be equivalent. The platform can be hardware or virtual hardware, an operating system or similar entity, or a software execution environment such as a container. For purposes of determining equivalence for software applications, we address each type of platform separately. In general, platform equivalence is based on differences in the interfaces between the TOE and Platform that are relevant to the implementation of PP-specified security functionality.
If an application runs directly on hardware without an operating system—or directly on virtualized hardware without an operating system—then platform equivalence is based on processor architecture and instruction sets. In the case of virtualized hardware, it is the virtualized processor and architecture that are presented to the application that matters—not the physical hardware. Platforms with different processor architectures and instruction sets are not equivalent. This is not likely to be an issue for equivalency analysis for applications since there is likely to be a different version of the application for different hardware environments. Equivalency analysis becomes important when comparing processors with the same architecture. Processors with the same architecture that have instruction sets that are subsets or supersets of each other are not disqualified from being equivalent for purposes of an App evaluation. If the application takes the same code paths when executing PP-specified security functionality on different processors of the same family, then the processors can be considered equivalent with respect to that application. For example, if an application follows one code path on platforms that support the AES-NI instruction and another on platforms that do not, then those two platforms are not equivalent with respect to that application functionality. But if the application follows the same code path whether or not the platform supports AES-NI, then the platforms are equivalent with respect to that functionality. The platforms are equivalent with respect to the application if the platforms are equivalent with respect to all PP-specified security functionality. Factor Same/Different/None Guidance Platform Architectures Different Platforms that present different processor architectures and instruction sets to the application are not equivalent. 
PP-Specified Functionality Same For platforms with the same processor architecture, the platforms are equivalent with respect to the application if execution of all PP-specified security functionality follows the same code path on both platforms. Table 3. Factors for Determining Hardware/Virtual Hardware Platform Equivalence
For traditional applications that are built for and run on operating systems, platform equivalence is determined by the interfaces between the application and the operating system that are relevant to PP-specified security functionality. Generally, these are the processor interface, device interfaces, and OS APIs. The following factors applied in order: Factor Same/Different/None Guidance Platform Architectures Different Platforms that run on different processor architectures and instruction sets are not equivalent. Platform Vendors Different Platforms from different vendors are not equivalent. Platform Versions Different Platforms from the same vendor with different major version numbers are not equivalent. Platform Interfaces Different Platforms from the same vendor and major version are not equivalent if there are differences in device interfaces and OS APIs that are relevant to the way the platform provides PP-specified security functionality to the application. Platform Interfaces Same Platforms from the same vendor and major version are equivalent if there are no differences in device interfaces and OS APIs that are relevant to the way the platform provides PP-specified security functionality to the application, or if the Platform does not provide such functionality to the application. Table 4. Factors for Determining OS/VS Platform Equivalence
If an Application is built for and runs in a non-OS software-based execution environment, such as a Container or Java Runtime, then the below criteria must be used to determine platform equivalence. The key point is that the underlying hardware (virtual or physical) and OS is not relevant to platform equivalence. This allows applications to be tested and run on software-based execution environments on any hardware—as in cloud deployments. Factor Same/Different/None Guidance Platform Type/Vendor Different Software-based execution environments that are substantially different or come from different vendors are not equivalent. For example, a Java virtual machine is not the same as a container. A Docker container is not the same as a CoreOS container. Platform Versions Different Execution environments that are otherwise equivalent are not equivalent if they have different major version numbers. PP-Specified Security Functionality Same All other things being equal, execution environments are equivalent if there is no significant difference in the interfaces through which the environments provide PP-specified security functionality to applications. Table 5. Factors for Software-based Execution Environment Platform Equivalence
In order to make equivalency determinations, the vendor and evaluator must agree on the equivalency claims. They must then provide the scheme with sufficient information about the TOE instances and platforms that were evaluated, and the TOE instances and platforms that are claimed to be equivalent. The ST must describe all configurations evaluated down to processor manufacturer, model number, and microarchitecture version. The information regarding claimed equivalent configurations depends on the platform that the application was developed for and runs on. Bare-Metal Applications For applications that run without an operating system on bare-metal or virtual bare-metal, the claimed configuration must describe the platform down to the specific processor manufacturer, model number, and microarchitecture version. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences (e.g., instruction set extensions) in the tested configuration versus the claimed equivalent configuration. Traditional Applications For applications that run with an operating system as their immediate platform, the claimed configuration must describe the platform down to the specific operating system version. If the platform is a virtualization system, then the claimed configuration must describe the platform down to the specific virtualization system version. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences in the tested configuration versus the claimed equivalent configuration. Relevant platform differences could include instruction sets, device interfaces, and OS APIs invoked by the TOE to implement PP-specified security functionality. 
Software-Based Execution Environments For applications that run in a software-based execution environment such as a Java virtual machine or a Container, then the claimed configuration must describe the platform down to the specific version of the software execution environment. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences in the tested configuration versus the claimed equivalent configuration.
+ + + + OMB + Reporting Incidents Involving Personally Identifiable Information and Incorporating the + Cost for Security in Agency Information Technology Investments, OMB M-06-19, July 12, 2006. + + +
diff --git a/input/cc.xml b/input/cc.xml
new file mode 100755
index 0000000..c6902b9
--- /dev/null
+++ b/input/cc.xml
@@ -0,0 +1,53805 @@ + + + + + + + For the purposes of this document, the terms, definitions, + symbols and abbreviated terms given in CC Part 1 apply. + + + + Security assurance components, as defined in this CC Part 3, are + the basis for the security assurance requirements expressed in a + Protection Profile (PP) or a Security Target (ST). + + These requirements establish a standard way of expressing the + assurance requirements for TOEs. This CC Part 3 catalogues the + set of assurance components, families and classes. This CC Part + 3 also defines evaluation criteria for PPs and STs and presents + evaluation assurance levels that define the predefined CC scale + for rating assurance for TOEs, which is called the Evaluation + Assurance Levels (EALs). + + The audience for this CC Part 3 includes consumers, developers, + and evaluators of secure IT products. CC Part 1 Clause provides additional information + on the target audience of the CC, and on the use of the CC by + the groups that comprise the target audience. These groups may + use this part of the CC as follows: + + + Consumers, who use this CC Part 3 when selecting components + to express assurance requirements to satisfy the security + objectives expressed in a PP or ST, determining required + levels of security assurance of the TOE. + + + Developers, who respond to actual or perceived consumer + security requirements in constructing a TOE, reference this + CC Part 3 when interpreting statements of assurance + requirements and determining assurance approaches of TOEs. + + + Evaluators, who use the assurance requirements defined in + this part of the CC as mandatory statement of evaluation + criteria when determining the assurance of TOEs and when + evaluating PPs and STs. + + + + + + + Clause describes the paradigm + used in the security assurance requirements of CC Part + 3. 
+ + Clause describes the + presentation structure of the assurance classes, families, + components, evaluation assurance levels along with their + relationships, and the structure of the composed assurance + packages. It also characterises the assurance classes and + families found in Clauses through + . + + Clause provides detailed + definitions of the EALs. + + Clause provides detailed + definitions of the CAPs. + + Clauses through provide the detailed definitions of the CC Part 3 + assurance classes. + + provides further + explanations and examples of the concepts behind the + Development class. + + provides an explanation of + the concepts behind composed TOE evaluations and the + Composition class. + + provides + a summary of the dependencies between the assurance + components. + + provides a cross + reference between PPs and the families and components of the + class. + + provides a cross reference + between the EALs and the assurance components. + + provides a cross reference + between the CAPs and the assurance components. + + + + + The following referenced documents are indispensable for the + application of this document. For dated references, only the + edition cited applies. For undated references, the latest + edition of the referenced document (including any amendments) + applies. + + CC-1 + + Common Criteria for Information Technology Security + Evaluation, Version _CCVERSION_, revision _CCREVISION_, + _CCDATE_. Part 1: Introduction and general model. + + + + CC-2 + + Common Criteria for Information Technology Security + Evaluation, Version _CCVERSION_, revision _CCREVISION_, + _CCDATE_. Part 2: Functional security components. + + + + + + This CC Part 3 defines the assurance requirements of the CC. 
It + includes the evaluation assurance levels (EALs) that define a + scale for measuring assurance for component TOEs, the composed + assurance packages (CAPs) that define a scale for measuring + assurance for composed TOEs, the individual assurance components + from which the assurance levels and packages are composed, and + the criteria for evaluation of PPs and STs. + + + + The goal of this annex is to explain the concepts behind + composition evaluations and the + criteria. This annex does not define the criteria; this definition can be found in clause + . + + + The IT market is, on the whole, made up of vendors offering a + particular type of product/technology. Although there is some + overlap, where a PC hardware vendor may also offer application + software and/or operating systems or a chip manufacturer may + also develop a dedicated operating system for their own + chipset, it is often the case that an IT solution is + implemented by a variety of vendors. + + There is sometimes a need for assurance in the combination + (composition) of components in addition to the assurance of + the individual components. Although there is cooperation + between these vendors, in the dissemination of certain + material required for the technical integration of the + components, the agreements rarely stretch to the extent of + providing detailed design information and development + process/procedure evidence. This lack of information from the + developer of a component on which another component relies + means that the dependent component developer does not have + access to the type of information necessary to perform an + evaluation of both the dependent and base components at EAL2 + or above. Therefore, while an evaluation of the dependent + component can still be performed at any assurance level, to + compose components with assurance at EAL2 or above it is + necessary to reuse the evaluation evidence and results of + evaluations performed for the component developer. 
+ + It is intended that the criteria + are applicable in the situation where one IT entity is + dependent on another for the provision of security + services. The entity providing the services is termed the + ``base component'', and that receiving the services is termed + the ``dependent component''. This relationship may exist in a + number of contexts. For example, an application (dependent + component) may use services provided by an operating system + (base component). Alternatively, the relationship may be + peer-to-peer, in the sense of two linked applications, either + running in a common operating system environment, or on + separate hardware platforms. If there is a dominant peer + providing the services to the minor peer, the dominant peer is + considered to be the base component and the minor peer the + dependent component. If the peers provide services to each + other in a mutual manner, each peer will be considered to be + the base component for the services offered and dependent + component for the services required. This will require + iterations of the components + applying all requirements to each type of component + peer. + + The criteria are also intended to be more broadly applicable, + stepwise (where a composed TOE comprised of a dependent + component and a base component itself becomes the base + component of another composed TOE), in more complex + relationships, but this may require further + interpretation. + + It is still required for composed TOE evaluations that the + individual components are evaluated independently, as the + composition evaluation builds on the results of the individual + component evaluations. The evaluation of the dependent + component may still be in progress when the composed TOE + evaluation commences. However, the dependent component + evaluation must complete before the composed TOE evaluation + completes. 
+ + The composed evaluation activities may take place at the same + time as the dependent component evaluation. This is due to two + factors: + + + Economic/business drivers - the dependent component + developer will either be sponsoring the composition + evaluation activities or supporting these activities as + the evaluation deliverables from the dependent component + evaluation are required for composed evaluation + activities. + + Technical drivers - the components consider whether the + requisite assurance is provided by the base component + (e.g. considering the changes to the base component since + completion of the component evaluation) with the + understanding that the dependent component has recently + undergone (is undergoing) component evaluation and all + evaluation deliverables associated with the evaluation are + available. Therefore, there are no activities during + composition requesting the dependent component evaluation + activities to be re-verified. Also, it is verified that + the base component forms (one of) the test configurations + for the testing of the dependent component during the + dependent component evaluation, leaving to consider the base component in this + configuration. + + The evaluation evidence from the evaluation of the dependent + component is required input into the composed TOE evaluation + activities. The only evaluation material from the evaluation + of the base component that is required as input into the + composed TOE evaluation activities: + + + Residual vulnerabilities in the base component, as + reported during the base component evaluation. This is + required for the + activities. + + No other evaluation evidence from the base component + activities should be required for the composed TOE evaluation, + as the evaluation results from the component evaluation of the + base component should be reused. 
Additional information about + the base component may be required if the composed TOE TSF + includes more of the base component than was considered to be + TSF during component evaluation of the base component. + + The component evaluation of the base and dependent components + are assumed to be complete by the time final verdicts are + assigned for the components. + + The components only consider + resistance against an attacker with an attack potential up to + Enhanced-Basic. This is due to the level of design information + that can be provided of how the base component provides the + services on which the dependent component relies through + application of the + activities. Therefore, the confidence arising from composed TOE + evaluations using CAPs is limited to a level similar to that + obtained from EAL4 component TOE evaluations. Although + assurance in the components that comprise the composed TOE may + be higher than EAL4. + + + + An ST will be submitted by the developer for the evaluation of + the composed (base component + dependent component) TOE. This + ST will identify the assurance package to be applied to the + composed TOE, providing assurance in the composed entity by + drawing upon the assurance gained in the component + evaluations. + + The purpose of considering the composition of components + within an ST is to validate the compatibility of the + components from the point of view of both the environment and + the requirements, and also to assess that the composed TOE ST + is consistent with the component STs and the security policies + expressed within them. This includes determining that the + component STs and the security policies expressed within them + are compatible. + + The composed TOE ST may refer out to the content of the + component STs, or the ST author may chose to reiterate the + material of the component STs within the composed TOE ST + providing a rationale of how the component STs are represented + in the composed TOE ST. 
+ + During the conduct of the + evaluation activities for a composed TOE ST the evaluator + determines that the component STs are accurately represented + in the composed TOE ST. This is achieved through determining + that the composed TOE ST demonstrably conforms to the + component TOE STs. Also, the evaluator will need to determine + that the dependencies of the dependent component on the + operational environment are adequately fulfilled in the + composed TOE. + + The composed TOE description will describe the composed + solution. The logical and physical scope and boundary of the + composed solution will be described, and the logical + boundary(ies) between the components will also be + identified. The description will identify the security + functionality to be provided by each component. + + The statement of SFRs for the composed TOE will identify which + component is to satisfy an SFR. If an SFR is met by both + components, then the statement will identify which component + meets the different aspects of the SFR. Similarly the composed + TOE Summary Specification will identify which component + provides the security functionality described. + + The package of requirements + applied to the composed TOE ST should be consistent with the + package of requirements used in + the component evaluations. + + Reuse of evaluation results from the evaluation of component + STs can be made in the instances that the composed TOE ST + directly refers to the component STs. e.g. if the composed TOE + ST refers to a component ST for part of its statement of SFRs, + the evaluator can understand that the requirement for the + completion of all assignment and selection operations (as + stated in .*.3C has been + satisfied in the component evaluations. + + + + The TSF of the base component is often defined without + knowledge of the dependencies of the possible applications + with which it may by composed. 
The TSF of this base component + is defined to include all parts of the base component that + have to be relied upon for enforcement of the base component + SFRs. This will include all parts of the base component + required to implement the base component SFRs. + + The TSFI of this base component represents the interfaces + provided by the TSF to the external entities defined in the + statement of SFRs to invoke a service of the TSF. This + includes interfaces to the human user and also interfaces to + external IT entities. However, the TSFI only includes those + interfaces to the TSF, and therefore is not necessarily an + exhaustive interface specification of all possible interfaces + available between an external entity and the base + component. The base component may present interfaces to + services that were not considered security-relevant, either + because of the inherent purpose of the service (e.g., adjust + type font) or because associated CC SFRs are not being claimed + in the base component's ST (e.g. the login interface when no + SFRs are claimed). + + The functional interfaces provided by the base component are + in addition to the security interfaces (TSFIs), and are not + required to be considered during the base component + evaluation. These often include interfaces that are used by a + dependent component to invoke a service provided by the base + component. + + The base component may include some indirect interfaces + through which TSFIs may be called, e.g. APIs that can be used + to invoke a service of the TSF, which were not considered + during the evaluation of the base component. +
+
+ The dependent component, which relies on the base component,
+ is similarly defined: interfaces to external entities defined
+ in the SFRs of the component ST are categorised as TSFI and
+ are examined in .
+
+ Any call out from the dependent TSF to the environment in
+ support of an SFR will indicate that the dependent TSF
+ requires some service from the environment in order to satisfy
+ the enforcement of the stated dependent component SFRs. Such a
+ service is outside the dependent component boundary and the
+ base component is unlikely to be defined in the dependent ST
+ as an external entity. Hence, the calls for services made out
+ by the dependent TSF to its underlying platform (the base
+ component) will not be analysed as part of the activities. These dependencies on
+ the base component are expressed in the dependent component ST
+ as security objectives for the environment.
+
+ This abstraction of the dependent component and the interfaces
+ is shown in Figure
+ below.
+
+
+ When considering the composition of the base component and the
+ dependent component, if the dependent component's TSF requires
+ services from the base component to support the implementation
+ of the SFR, the interface to the service will need to be
+ defined. If that service is provided by the base component's
+ TSF, then that interface should be a TSFI of the base
+ component and will therefore already be defined within the
+ functional specification of the base component.
+
+ If, however, the service called by the dependent component's
+ TSF is not provided by the TSF of the base component (i.e., it
+ is implemented in the non-TSF portion of the base component or
+ possibly even in the non-TOE portion of the base component
+ (not illustrated in Figure ), there is unlikely to be a TSFI of the base
+ component relating to the service, unless the service is
+ mediated by the TSF of the base component. The interfaces to
+ these services from the dependent component to the operational
+ environment are considered in the family .
+
+ The non-TSF portion of the base component is drawn into the
+ TSF of the composed TOE due to the dependencies the dependent
+ component has on the base component to support the SFRs of the
+ dependent component. Therefore, in such cases, the TSF of the
+ composed TOE would be larger than simply the sum of the
+ components' TSFs.
+
+
+ It may be the case that the base component TSFI is being
+ called in a manner that was unforeseen in the base component
+ evaluation. Hence there would be a requirement for further
+ testing of the base component TSFI.
+
+ The possible interfaces are further described in the following
+ diagram (Figure ) and
+ supporting text.
+
+ + + + Arrows going into 'dependent component-a' + (A and B) = where the component expects the environment to + respond to a service request (responding to calls out from + dependent component to the environment); + + Arrows coming out of 'base component-b' + (C and D) = interfaces of services provided by the base + component to the environment; + + Broken lines between components = types of communication + between pairs of interfaces; + + The other (grey) arrows = interfaces that are described by + the given criteria. + + The following is a simplification, but explains the + considerations that need to be made. + + There are components a ('dependent component-a') and b ('base + component-b'): the arrows coming out of TSF-a + are services provided by TSF-a and are therefore TSFIs(a); + likewise, the arrows coming out of TSF-b + (``C'') are TSFIs(b). These are each detailed in their + respective functional specs. component-a is such that it + requires services from its environment: those needed by the + TSF(a) are labelled ``A''; the other (not related to TSF-a) + services are labelled ``B''. + + When component-a and component-b are combined, there are four + possible combinations of {services needed by component-a} and + {services provided by component-b}, shown as broken lines + (types of communication between pairs of interfaces). Any set + of these might exist for a particular composition: + + + TSF-a needs those services that are provided by TSF-b ("A" is connected to "C"): + this is straightforward: the details about "C" are in the FSP for component-b. + In this instance the interfaces should all be defined in the functional specifications for + the component-b. + + + Non-TSF-a needs those services that are provided by TSF-b + (``B'' is connected to ``C''): this is straightforward + (again, the details about ``C'' are in the FSP for + component-b), but unimportant: security-wise. 
+ + Non-TSF-a needs those services that are provided by + non-TSF-b (``B'' is connected to ``D''): we have no + details about D, but there are no security implications + about the use of these interfaces, so they do not need to + be considered in the evaluation, although they are likely + to be an integration issue for the developer. + + TSF-a needs those services that are provided by non-TSF-b + (``A'' is connected to ``D''): this would arise when + component-a and component-b have different senses of what + a ``security service'' is. Perhaps component-b is making + no claims about I&A (has no + SFRs in its ST), but component-a needs authentication + provided by its environment. There are no details about + the ``D'' interfaces available (they are not TSFI (b), so + they are not in component-b's FSP). + + Note: if the kind of interaction described in case d above + exists, then the TSF of the composed TOE would be TSF-a + TSF-b + + Non-TSF-b. Otherwise, the TSF of the composed TOE would be + TSF-a + TSF-b. + + Interfaces types 2 and 4 of Figure are not directly relevant to the evaluation of + the composed TOE. Interfaces 1 and 3 will be considered during + the application of different families: + + + (for component-b) will + describe the C interfaces. + + will describe the A + interfaces. + + will describe the C + interfaces for connection type 1 and the D interfaces for + connection type 3. + + A typical example where composition may be applied is a + database management system (DBMS) that relies upon its + underlying operating system (OS). 
During the evaluation of + the DBMS component, there will be an assessment made of the + security properties of that DBMS (to whatever degree of rigour + is dictated by the assurance components used in the + evaluation): its TSF boundary will be identified, its + functional specification will be assessed to determine whether + it describes the interfaces to the security services provided + by the TSF, perhaps additional information about the TSF (its + design, architecture, internal structure) will be provided, + the TSF will be tested, aspects of its life-cycle and its + guidance documentation will be assessed, etc. + + However, the DBMS evaluation will not call for any evidence + concerning the dependency the DBMS has on the OS. The ST of + the DBMS will most likely state assumptions about the OS in + its Assumptions subclause and state security objectives for the + OS in its Environment subclause. The DBMS ST may even + instantiate those objectives for the environment in terms of + SFRs for the OS. However, there will be no specification for + the OS that mirrors the detail in the functional + specification, architecture description, or other evidence as for the DBMS. will fulfil that need. + + describes the interfaces of + the dependent TOE that make the calls to the base component + for the provision of services. These are the interfaces to + which the base component is to respond. The interface + descriptions are provided from the dependent component's + viewpoint. + + describes the interfaces + provided by the base component, which respond to the dependent + component service requests. These interfaces are mapped to the + relevant dependent component interfaces that are identified in + the reliance information. (The completeness of this mapping, + whether the base component interfaces described represent all + dependent component interfaces, is not verified here, but in + ). At the higher levels of + the subsystems providing the + interfaces are described. 
+ + Any interfaces required by the dependent component that have + not been described for the base component are reported in the + rationale for . The rationale + also reports whether the interfaces of the base component on + which the dependent component relies were considered within + the base component evaluation. For any interfaces that were + not considered in the base component evaluation, a rationale + is provided of the impact of using the interface on the base + component TSF. + + + + + This annex contains ancillary material to further explain and + provide additional examples for the topics brought up in + families of the class. + + + A security architecture is a set of properties that the TSF + exhibits; these properties include self-protection, domain + separation, and non-bypassability. Having these properties + provides a basis of confidence that the TSF is providing its + security services. This annex provides additional material on + these properties, as well as discussion on contents of a + security architecture description. + + The remainder of this subclause first explains these properties, + then discusses the kinds of information that are needed to + describe how the TSF exhibits those properties. + + Self-protection refers to the ability of + the TSF to protect itself from manipulation from external + entities that may result in changes to the TSF. Without these + properties, the TSF might be disabled from performing its + security services. + + It is oftentimes the case that a TOE uses services or + resources supplied by other IT entities in order to perform + its functions (e.g. an application that relies upon its + underlying operating system). In these cases, the TSF does + not protect itself entirely on its own, because it depends + on the other IT entities to protect the services it + uses. 
+ Domain separation is a property whereby the TSF + creates separate security domains for each + untrusted active entity to operate on its resources, and then + keeps those domains separated from one another so that no entity + can run in the domain of any other. For example, an operating + system TOE supplies a domain (address space, per-process + environment variables) for each process associated with + untrusted entities. + + For some TOEs such domains do not exist because all of the + actions of the untrusted entities are brokered by the TSF. A + packet-filter firewall is an example of such a TOE, where + there are no untrusted entity domains; there are only data + structures maintained by the TSF. The existence of domains, + then, is dependant upon 1) the type of TOE and 2) the SFRs + levied on the TOE. In the cases where the TOE does provide + domains for untrusted entities, this family requires that + those domains are isolated from one another such that + untrusted entities in one domain are prevented from + tampering (affecting without brokering by the TSF) from + another untrusted entity's domain. + + Non-bypassability is a property that the + security functionality of the TSF (as specified by the SFRs) + is always invoked and cannot be circumvented when + appropriate for that specific mechanism. For example, if + access control to files is specified as a capability of the + TSF via an SFR, there must be no interfaces through which + files can be accessed without invoking the TSF's access + control mechanism (an interface through which a raw disk + access takes place might be an example of such an + interface). + + As is the case with self-protection, the very nature of some + TOEs might depend upon their environments to play a role in + non-bypassability of the TSF. For example, a security + application TOE requires that it be invoked by the + underlying operating system. 
Similarly, a firewall depends + upon the fact that there are no direct connections between + the internal and external networks and that all traffic + between them must go through the firewall. + + + The security architecture description explains how the + properties described above are exhibited by the TSF. It + describes how domains are defined and how the TSF keeps them + separate. It describes what prevents untrusted processes + from getting to the TSF and modifying it. It describes what + ensures that all resources under the TSF's control are + adequately protected and that all actions related to the + SFRs are mediated by the TSF. It explains any role the + environment plays in any of these (e.g. presuming it gets + correctly invoked by its underlying environment, how are its + security functions invoked?). + + The security architecture description presents the TSF's + properties of self-protection, domain separation, and + non-bypassability in terms of the decomposition descriptions. + The level of this description is commensurate with the TSF + description required by the , + and requirements that are being claimed. For example, if + is the only TSF description + available, it would be difficult to provide any meaningful + security architecture description because none of the details of + any internal workings of the TSF would be available. + + However, if the TOE design were also available, even at the most + basic level (), there would be + some information available concerning the subsystems that make + up the TSF, and there would be a description of how they work to + implement self-protection, domain separation, and + non-bypassability. 
For example, perhaps all user interaction + with the TOE is constrained through a process that acts on that + user's behalf, adopting all of the user's security attributes; + the security architecture description would describe how such a + process comes into being, how the process's behaviour is + constrained by the TSF (so it cannot corrupt the TSF), how all + actions of that process are mediated by the TSF (thereby + explaining why the TSF cannot be bypassed), etc. + + If the available TOE design is more detailed (e.g. at the + modular level), or the implementation representation is also + available, then the security architecture description would be + correspondingly more detailed, explaining how the user's process + communicate with the TSF processes, how different requests are + processed by the TSF, what parameters are passed, what + programmatic protections (buffer overflow prevention, parameter + bounds checking, time of check/time of use checking, etc.) are + in place. Similarly, a TOE whose ST claimed the component would go into + implementation-specific detail. + + The explanations provided in the security architecture + description are expected to be of sufficient detail that one + would be able to test their accuracy. That is, simple + assertions (e.g. "The TSF keeps domains separate'') provide + no useful information to convince the reader that the TSF + does indeed create and separate domains. + + In cases where the TOE exhibits domain separation entirely on + its own, there would be a straightforward description of how + this is attained. The security architecture description would + explain the different kinds of domains that are defined by the + TSF, how they are defined (i.e. what resources are allocated + to each domain), how no resources are left unprotected, and + how the domains are kept separated so that active entities in + one domain cannot tamper with resources in another + domain. 
+ For cases where the TOE depends upon other IT entities to play
+ a role in domain separation, that sharing of roles must be made
+ clear. For example, a TOE that is solely application software
+ relies upon the underlying operating system to correctly
+ instantiate the domains that the TOE defines; if the TOE
+ defines separate processing space, memory space, etc, for each
+ domain, it depends upon the underlying operating system to
+ operate correctly and benignly (e.g. allow the process to
+ execute only in the execution space that is requested by the
+ TOE software).
+ For example, mechanisms that implement domain separation
+ (e.g., memory management, protected processing modes provided
+ by the hardware, etc.) would be identified and described. Or,
+ the TSF might implement software protection constructs or
+ coding conventions that contribute to implementing separation
+ of software domains, perhaps by delineating user address space
+ from system address space.
+ The vulnerability analysis and testing (see ) activities will likely include attempts to defeat
+ the described TSF domain separation through the use of
+ monitoring or direct attack the TSF.
+
+
+ In cases where the TOE exhibits self-protection entirely
+ on its own, there would be a straightforward description
+ of how this self-protection is attained. Mechanisms that
+ provide domain separation to define a TSF domain that is
+ protected from other (user) domains would be identified
+ and described.
+
+ For cases where the TOE depends upon other IT entities to
+ play a role in protecting itself, that sharing of roles
+ must be made clear. For example, a TOE that is solely
+ application software relies upon the underlying operating
+ system to operate correctly and benignly; the application
+ cannot protect itself against a malicious operating system
+ that subverts it (for example, by overwriting its
+ executable code or TSF data).
+
+ The security architecture description also covers how user input
+ is handled by the TSF in such a way that the TSF does not
+ subject itself to being corrupted by that user input. For
+ example, the TSF might implement the notion of privilege and
+ protect itself by using privileged-mode routines to handle user
+ data. The TSF might make use of processor-based separation
+ mechanisms (e.g. privilege levels or rings) to separate TSF
+ code and data from user code and data. The TSF might implement
+ software protection constructs or coding conventions that
+ contribute to implementing separation of software, perhaps by
+ delineating user address space from system address space.
+
+ For TOEs that start up in a low-function mode (for
+ example, a single-user mode accessible only to installers
+ or administrators) and then transition to the evaluated
+ secure configuration (a mode whereby untrusted users are
+ able to login and use the services and resources of the
+ TOE), the security architecture description also includes
+ an explanation of how the TSF is protected against this
+ initialisation code that does not run in the evaluated
+ configuration. For such TOEs, the security architecture
+ description would explain what prevents those services
+ that should be available only during initialisation
+ (e.g. direct access to resources) from being accessible in
+ the evaluated configuration. It would also explain what
+ prevents initialisation code from running while the TOE is
+ in the evaluated configuration.
+
+ There must also be an explanation of how the trusted
+ initialisation code will maintain the integrity of the TSF
+ (and of its initialisation process) such that the
+ initialisation process is able to detect any modification
+ that would result in the TSF being spoofed into believe it
+ was in an initial secure state.
+ + The vulnerability analysis and testing (see ) activities will likely include + attempts to defeat the described TSF self protection + through the use of tampering, direct attack, or monitoring + of the TSF. + + + The property of non-bypassability is concerned with + interfaces that permit the bypass of the enforcement + mechanisms. In most cases this is a consequence of the + implementation, where if a programmer is writing an + interface that accesses or manipulates an object, it is + that programmer's responsibility to use interfaces that + are part of the SFR enforcement mechanism for the object + and not to try to circumvent those interfaces. For the + description pertaining to non-bypassability, then, there + are two broad areas that have to be covered. + + The first consists of those interfaces to the SFR-enforcement. + The property for these interfaces is that they contain no + operations or modes that allow them to be used to bypass the + TSF. It is likely that the evidence for and can be used in + large part to make this determination. Because non-bypassability + is the concern, if only certain operations available through + these TSFIs are documented (because they are SFR-enforcing) and + others are not, the developer should consider whether additional + information (to that presented in + and ) is necessary to make a + determination that the + SFR-supporting and SFR-non-interfering + operations of the TSFI do not afford an + untrusted entity the ability to bypass the policy being + enforced. If such information is necessary, it is included + in the security architecture description. + + The second area of non-bypassability is concerned with + those interfaces whose interactions are not associated + with SFR-enforcement. Depending on the and components + claimed, some information about these interfaces may or + may not exist in the functional specification and TOE + design documentation. 
The information presented for such + interfaces (or groups of interfaces) should be sufficient + so that a reader can make a determination (at the level of + detail commensurate with the rest of the evidence supplied + in the class) that the + enforcement mechanisms cannot be bypassed. + + The property that the security functionality cannot be + bypassed applies to all security functionality + equally. That is, the design description should cover + objects that are protected under the SFRs (e.g. _* components) and functionality + (e.g., audit) that is provided by the TSF. The description + should also identify the interfaces that are associated + with security functionality; this might make use of the + information in the functional specification. This + description should also describe any design constructs, + such as object managers, and their method of use. For + instance, if routines are to use a standard macro to + produce an audit record, this convention is a part of the + design that contributes to the non-bypassability of the + audit mechanism. It is important to note that + non-bypassability in this context is not an + attempt to answer the question ``could a part of the TSF + implementation, if malicious, bypass the security + functionality'', but rather to document how the + implementation does not bypass the security + functionality. + + The vulnerability analysis and testing (see ) activities will likely include + attempts to defeat the described non-bypassability by + circumventing the TSF. + + + + + The purpose in specifying the TSFIs is to provide the + necessary information to conduct testing; without knowing the + possible means interact with the TSF, one cannot adequately + test the behaviour of the TSF. + + There are two parts to specifying the TSFIs: identifying them + and describing them. Because of the diversity of possible + TOEs, and of different TSFs therein, there is no standard set + of interfaces that constitute ``TSFIs''. 
This annex provides + guidance on the factors that determine which interfaces are + TSFIs. + + + In order to identify the interfaces to the TSF, the parts of the + TOE that make up the TSF must first be identified. This + identification is actually a part of the analysis, but is also performed implicitly + (through identification and description of the TSFI) by the + developer in cases where is not + included in the assurance package. In this analysis, a portion + of the TOE must be considered to be in the TSF if it contributes + to the satisfaction of an SFR in the ST (in whole or in + part). This includes, for example, everything in the TOE that + contributes to TSF run-time initialisation, such as software + that runs prior to the TSF being able to protect itself because + enforcement of the SFRs has not yet begun (e.g., while booting + up). Also included in the TSF are all parts of the TOE that + contribute to the architectural principles of TSF + self-protection, domain separation, and non-bypassability (see + ). + + Once the TSF has been defined, the TSFI are identified. + The TSFI consists of all means by which external entities (or + subjects in the TOE but outside of the TSF) supply data to the TSF, + receive data from the TSF and invoke services from the TSF. + These service invocations and responses are the means of crossing + the TSF boundary. While many of these are readily apparent, others + might not be as obvious. The question that should be asked when + determining the TSFIs is: ``How can a potential attacker interact + with the TSF in an attempt to subvert the SFRs?'' The following + discussions illustrate the application of the TSFI definition in + different contexts. + + + In TOEs such as smart cards, where the adversary has not + only logical access to the TOE, but also complete physical + access to the TOE, the TSF boundary is the physical + boundary. 
Therefore, the exposed electrical interfaces + are considered TSFI because their manipulation could + affect the behaviour of the TSF. As such, all these + interfaces (electrical contacts) need to be described: + various voltages that might be applied, etc. + + + + The TSFIs of a TOE that performs protocol processing would + be those protocol layers to which a potential attacker has + direct access. This need not be the entire protocol stack, + but it might be. + + For example, if the TOE were some sort of a network + appliance that allowed potential attackers to affect every + level of the protocol stack (i.e. to send arbitrary + signals, arbitrary voltages, arbitrary packets, arbitrary + datagrams, etc.), then the TSF boundary exists at each + layer of the stack. Therefore, the functional + specification would have to address every protocol at + every layer of the stack. + + If, however, the TOE were a firewall that protects an + internal network from the Internet, a potential attacker + would have no means of directly manipulating the voltages + that enter the TOE; any extreme voltages would simply not + be passed though the Internet. That is, the attacker would + have access only to those protocols at the Internet layer + or above. The TSF boundary exists at each layer of the + stack. Therefore, the functional specification would have + to address only those protocols at or above the Internet + layer: it would describe each of the different + communication layers at which the firewall is exposed in + terms of what constitutes well-formed input for what might + appear on the line, and the result of both well-formed and + malformed inputs. For example, the description of the + Internet protocol layer would describe what constitutes a + well-formed IP packet and what happens when both + correctly-formed and malformed packets are + received. 
Likewise, the description of the TCP layer would + describe a successful TCP connection and what happens both + when successful connections are established and when + connections cannot be established or are inadvertently + dropped. Presuming the firewall's purpose is to filter + application-level commands (like FTP or telnet), the + description of the application layer would describe the + application-level commands that are recognised and + filtered by the firewall, as well as the results of + encountering unknown commands. + + The descriptions of these layers would likely reference + published communication standards (telnet, FTP, TCP, etc.) + that are used, noting which user-defined options are + chosen. + + + +
+ + + ``Wrappers'' translate complex series of interactions into + simplified common services, such as when Operating Systems + create APIs for use by applications (as shown in Figure + ). Whether the TSFIs + would be the system calls or the APIs depends upon what is + available to the application: if the application can use + the system calls directly, then the system calls are the + TSFIs. If, however, there were something that prohibits + their direct use and requires all communication through + the APIs, then the APIs would be the TSFIs. + + A Graphical User interface is similar: it translates + between machine-understandable commands and user-friendly + graphics. Similarly, the TSFIs would be the commands if + users have access to them, or the graphics (pull-down + menus, check-boxes, text fields) if the users are + constrained to using them. + + It is worth noting that, in both of these examples, if the + user is prohibited from using the more primitive + interfaces (i.e. the system calls or the commands), the + description of this restriction and of its enforcement + would be included in the Security Architecture Description + (see ). Also, the wrapper would be + part of the TSF. + + + + For a given TOE, not all of the interfaces may be + accessible. That is, the security + objectives for the operational environment (in the + Security Target) may prevent access to these interfaces or + limit access in such a way that they are practically + inaccessible. Such interfaces would not be considered + TSFIs. 
Some examples:
+
+ If the security objectives for the operational
+ environment for the stand-alone firewall state that
+ ``the firewall will be operational in a server room
+ environment to which only trusted and trained
+ personnel will have access, and which will be equipped
+ with an interruptible power supply (against power
+ failure)'', physical and power interfaces will not be
+ accessible, since trusted and trained personnel will
+ not attempt to dismantle the firewall and/or disable
+ its power supply. If the security
+ objectives for the operational environment for the
+ software firewall (application) state that ``the OS
+ and the hardware will provide a security domain for
+ the application free from tampering by other
+ programs'', the interfaces through which the firewall
+ can be accessed by other applications on the OS
+ (e.g. deleting or modifying the firewall executable,
+ direct reading or writing to the memory space of the
+ firewall) will not be accessible, since the
+ OS/hardware part of the operational environment makes
+ this interface inaccessible. If the
+ security objectives for the operational environment
+ for the software firewall additionally state that the
+ OS and hardware will faithfully execute the commands
+ of the TOE, and will not tamper with the TOE in any
+ manner, interfaces through which the firewall obtains
+ primitive functionality from the OS and hardware
+ (executing machine code instructions, OS APIs, such as
+ creating, reading, writing or deleting files,
+ graphical APIs etc.) will not be accessible, since the
+ OS/hardware are the only entities that can access that
+ interface, and they are completely
+ trusted. For all of these examples,
+ these inaccessible interfaces would not be
+ TSFIs.
+
+
+
+ Figure
+ illustrates a complex TOE: a database management system that
+ relies on hardware and software that is outside the TOE
+ boundary (referred to as the IT environment
+ in the rest of this discussion).
To simplify this example,
+ the TOE is identical to the TSF. The
+ shaded boxes represent the TSF, while the unshaded boxes
+ represent IT entities in the environment. The TSF comprises
+ the database engine and management GUIs (represented by the
+ box labelled DB) and a kernel module that
+ runs as part of the OS that performs some security function
+ (represented by the box labelled PLG). The
+ TSF kernel module has entry points defined by the OS
+ specification that the OS will call to invoke some function
+ (this could be a device driver, or an authentication module,
+ etc.). The key is that this pluggable kernel module is
+ providing security services specified by functional
+ requirements in the ST.
+
+
+
+
+ The IT environment consists of the operating system itself
+ (represented by the box labelled OS), as
+ well as an external server (labelled SRV).
+ This external server, like the OS, provides a service that
+ the TSF depends on, and thus needs to be in the IT
+ environment. Interfaces in the figure are labelled
+ Ax for TSFI, and Bx for
+ other interfaces that would be documented in . Each of these groups of interfaces is now
+ discussed.
+
+ Interface group A1 represents the most obvious set of TSFI.
+ These are interfaces used by users to directly access the
+ database and its security functionality and
+ resources.
+
+ Interface group A2 represent the TSFI that the OS invokes to
+ obtain the functionality provided by the pluggable module.
+ These are contrasted with interface group B3, which
+ represent calls that the pluggable module makes to obtain
+ services from the IT environment.
+
+ Interface group A3 represent TSFI that pass through the IT
+ environment. In this case, the DBMS communicates over the
+ network using a proprietary application-level
+ protocol. While the IT environment is responsible for
+ providing various supporting protocols (e.g., Ethernet, IP,
+ TCP), the application layer protocol that is used to obtain
+ services from the DBMS is a TSFI and must be documented as
+ such. The dotted line indicates return values/services from
+ the TSF over the network connection.
+
+ The interfaces labelled Bx represent
+ interfaces to functionality in the IT Environment. These
+ interfaces are not TSFI and need only be discussed and
+ analysed when the TOE is being used in a composite
+ evaluation as part of the activities associated with the
+ class.
+
+
+
+ The Example firewall is used between an internal network and
+ an external network.
It verifies the source address of data
+ received (to ensure that external data is not attempting to
+ masquerade as originating from the internal data); if it
+ detects any such attempts, it saves the offending attempt to
+ the audit log. The administrator connects to the firewall by
+ establishing a telnet connection to the firewall from the
+ internal network. Administrator actions consist of
+ authenticating, changing passwords, reviewing the audit log,
+ and setting or changing the addresses of the internal and
+ external networks.
+
+ The Example firewall presents the following interfaces to
+ the internal network:
+
+ IP datagrams
+ Administrator Commands and the
+ following interfaces to the external network:
+
+ IP datagrams
+ Interfaces Descriptions: IP
+ Datagrams
+ The datagrams are in the format specified by RFC 791.
+
+ Purpose - to transmit blocks of data (``datagrams'')
+ from source hosts to destination hosts identified by
+ fixed length addresses; also provides for fragmentation
+ and reassembly of long datagrams, if necessary, for
+ transmission through small-packet networks.
+ Method of Use - they arrive from the lower-level
+ (e.g. data link) protocol.
+ Parameters - the following fields of the IP datagram
+ header: source address, destination address,
+ don't-fragment flag.
+ Parameter description - [As defined by RFC 791,
+ subclause 3.1 (``Internet Header Format'')]
+ Actions - Transmits datagrams that are not
+ masquerading; fragments large datagrams if necessary;
+ reassembles fragments into datagrams.
+ Error messages - (none). No reliability guaranteed
+ (reliability to be provided by upper-level protocols)
+ Undeliverable datagrams (e.g. must be fragmented for
+ transmission, but don't-fragment flag is set)
+ dropped.
+ Interfaces Descriptions: Administrator
+ Commands
+ The administrator commands provide a means for the
+ administrator to interact with the firewall.
These commands
+ and responses ride atop a telnet (RFC 854) connection
+ established from any host on the internal network. Available
+ commands are:
+
+ Passwd
+
+ Purpose - sets administrator password
+ Method of Use - Passwd
+ <password>
+ Parameters - password
+ Parameter description - value of new
+ password
+ Actions - changes password to new value
+ supplied. There are no restrictions.
+ Error messages - none.
+
+ Readaudit
+
+ Purpose - presents the audit log to the
+ administrator
+ Method of Use - Readaudit
+ Parameters - none
+ Parameter description - none
+ Actions - provides the text of the audit
+ log
+ Error messages - none.
+
+ Setintaddr
+
+ Purpose - sets the address of the internal
+ address.
+ Method of Use - Setintaddr
+ <address>
+ Parameters - address
+ Parameter description - first three fields of an
+ IP address (as defined in RFC 791). For example:
+ 123.123.123.
+ Actions - changes the internal value of the
+ variable defining the internal network, the value of
+ which is used to judge attempted masquerades.
+ Error messages - ``address in use'': indicates
+ the identified internal network is the same as the
+ external network.
+
+ Setextaddr
+
+ Purpose - sets the address of the external address
+ Method of Use - Setextaddr
+ <address>
+ Parameters - address
+ Parameter description - first three fields of an
+ IP address (as defined in RFC 791). For example:
+ 123.123.123.
+ Actions - changes the internal value of the
+ variable defining the external network.
+ Error messages - ``address in use'': indicates
+ the identified external network is the same as the
+ internal network.
+
+
+
+
+
+
+ The wide variety of TOEs makes it impossible to codify
+ anything more specific than ``well-structured'' or ``minimum
+ complexity''. Judgements on structure and complexity are
+ expected to be derived from the specific technologies used in
+ the TOE.
For example, software is likely to be considered
+ well-structured if it exhibits the characteristics cited in
+ the software engineering disciplines.
+
+ This annex provides supplementary material on assessing the
+ structure and complexity of procedure-based software portions
+ of the TSF. This material is based on information readily
+ available in software engineering literature. For other kinds
+ of internals (e.g. hardware, non-procedural software such as
+ object-oriented code, etc.), corresponding literature on good
+ practises should be consulted.
+
+
+ The structure of procedural software is traditionally
+ assessed according to its
+ modularity. Software written with a modular
+ design aids in achieving understandability by clarifying
+ what dependencies a module has on other modules
+ (coupling) and by including in a module
+ only tasks that are strongly related to each other
+ (cohesion). The use of modular design
+ reduces the interdependence between elements of the TSF and
+ thus reduces the risk that a change or error in one module
+ will have effects throughout the TOE. Its use enhances
+ clarity of design and provides for increased assurance that
+ unexpected effects do not occur. Additional desirable
+ properties of modular decomposition are a reduction in the
+ amount of redundant or unneeded code.
+
+ Minimising the amount of functionality in the TSF allows the
+ evaluator as well as the developer to focus only on that
+ functionality which is necessary for SFR enforcement,
+ contributing further to understandability and further
+ lowering the likelihood of design or implementation
+ errors.
+
+ The incorporation of modular decomposition, layering and
+ minimisation into the design and implementation process must
+ be accompanied by sound software engineering
+ considerations.
A practical, useful software system will
+ usually entail some undesirable coupling among modules, some
+ modules that include loosely-related functions, and some
+ subtlety or complexity in a module's design. These
+ deviations from the ideals of modular decomposition are
+ often deemed necessary to achieve some goal or constraint,
+ be it related to performance, compatibility, future planned
+ functionality, or some other factors, and may be acceptable,
+ based on the developer's justification for them. In applying
+ the requirements of this class, due consideration must be
+ given to sound software engineering principles; however, the
+ overall objective of achieving understandability must be
+ achieved.
+
+
+ Cohesion is the manner and degree to which the tasks
+ performed by a single software module are related to one
+ another; types of cohesion include coincidental,
+ communicational, functional, logical, sequential, and
+ temporal. These types of cohesion are characterised below,
+ listed in the order of decreasing desirability.
+
+ functional cohesion - a module
+ with functional cohesion performs activities related
+ to a single purpose. A functionally cohesive module
+ transforms a single type of input into a single type
+ of output, such as a stack manager or a queue
+ manager.
+ sequential cohesion - a module
+ with sequential cohesion contains functions each of
+ whose output is input for the following function in
+ the module. An example of a sequentially cohesive
+ module is one that contains the functions to write
+ audit records and to maintain a running count of the
+ accumulated number of audit violations of a specified
+ type.
+ communicational cohesion - a
+ module with communicational cohesion contains
+ functions that produce output for, or use output from,
+ other functions within the module. An example of a
+ communicationally cohesive module is an access check
+ module that includes mandatory, discretionary, and
+ capability checks.
+ temporal cohesion - a module
+ with temporal cohesion contains functions that need to
+ be executed at about the same time. Examples of
+ temporally cohesive modules include initialisation,
+ recovery, and shutdown modules.
+ logical (or
+ procedural) cohesion - a module with
+ logical cohesion performs similar activities on
+ different data structures. A module exhibits logical
+ cohesion if its functions perform related, but
+ different, operations on different inputs.
+ coincidental cohesion - a
+ module with coincidental cohesion performs unrelated,
+ or loosely related, activities.
+
+
+
+ Coupling is the manner and degree of interdependence
+ between software modules; types of coupling include call,
+ common and content coupling. These types of coupling are
+ characterised below, listed in the order of decreasing
+ desirability:
+
+ call: two modules are call coupled if they
+ communicate strictly through the use of their
+ documented function calls; examples of call coupling
+ are data, stamp, and control, which are defined below.
+
+ data: two modules are data
+ coupled if they communicate strictly through the
+ use of call parameters that represent single data
+ items.
+ stamp: two modules are stamp
+ coupled if they communicate through the use of
+ call parameters that comprise multiple fields or
+ that have meaningful internal structures.
+ control: two modules are
+ control coupled if one passes information that is
+ intended to influence the internal logic of the
+ other.
+
+ common: two modules are common
+ coupled if they share a common data area or a common
+ system resource. Global variables indicate that
+ modules using those global variables are common
+ coupled. Common coupling through global variables is
+ generally allowed, but only to a limited degree. For
+ example, variables that are placed into a global area,
+ but are used by only a single module, are
+ inappropriately placed, and should be removed.
Other
+ factors that need to be considered in assessing the
+ suitability of global variables are:
+
+ The number of modules that modify a global
+ variable: In general, only a single module should
+ be allocated the responsibility for controlling
+ the contents of a global variable, but there may
+ be situations in which a second module may share
+ that responsibility; in such a case, sufficient
+ justification must be provided. It is unacceptable
+ for this responsibility to be shared by more than
+ two modules. (In making this assessment, care
+ should be given to determining the module actually
+ responsible for the contents of the variable; for
+ example, if a single routine is used to modify the
+ variable, but that routine simply performs the
+ modification requested by its caller, it is the
+ calling module that is responsible, and there may
+ be more than one such module). Further, as part
+ of the complexity determination, if two modules
+ are responsible for the contents of a global
+ variable, there should be clear indications of how
+ the modifications are coordinated between
+ them.
+ The number of modules that reference a global
+ variable: Although there is generally no limit on
+ the number of modules that reference a global
+ variable, cases in which many modules make such a
+ reference should be examined for validity and
+ necessity.
+
+ content: two modules are content
+ coupled if one can make direct reference to the
+ internals of the other (e.g. modifying code of, or
+ referencing labels internal to, the other module).
+ The result is that some or all of the content of one
+ module are effectively included in the other. Content
+ coupling can be thought of as using unadvertised
+ module interfaces; this is in contrast to call
+ coupling, which uses only advertised module
+ interfaces.
+
+
+
+
+ Complexity is the measure of the decision points and logical
+ paths of execution that code takes.
Software engineering
+ literature cites complexity as a negative characteristic of
+ software because it impedes understanding of the logic and
+ flow of the code. Another impediment to the understanding of
+ code is the presence of code that is unnecessary, in that it
+ is unused or redundant.
+
+ The use of layering to separate levels of abstraction and
+ minimise circular dependencies further enables a better
+ understanding of the TSF, providing more assurance that the
+ TOE security functional requirements are accurately and
+ completely instantiated in the implementation.
+
+ Reducing complexity also includes reducing or eliminating
+ mutual dependencies, which pertains both to modules in a
+ single layer and to those in separate layers. Modules that
+ are mutually dependent may rely on one another to formulate
+ a single result, which could result in a deadlock condition,
+ or worse yet, a race condition (e.g., time of check vs. time
+ of use concern), where the ultimate conclusion could be
+ indeterminate and subject to the computing environment at
+ the given instant in time.
+
+ Design complexity minimisation is a key characteristic of a
+ reference validation mechanism, the purpose of which is to
+ arrive at a TSF that is easily understood so that it can be
+ completely analysed. (There are other important
+ characteristics of a reference validation mechanism, such as
+ TSF self-protection and non-bypassability; these other
+ characteristics are covered by requirements in the family.)
+
+
+
+
+ This Subclause provides additional guidance on the TDS family,
+ and its use of the terms ``subsystem'' and ``module''. This is
+ followed by a discussion of how, as more-detailed becomes
+ available, the requirement for the less-detailed is
+ reduced.
+
+ Figure
+ shows that, depending on the complexity of the TSF, the
+ design may be described in terms of subsystems
+ and modules (where subsystems are at a
+ higher level of abstraction than modules); or it may just be
+ described in terms of one level of abstraction (e.g.,
+ subsystems at lower assurance levels,
+ modules at higher levels). In cases where a
+ lower level of abstraction (modules) is presented,
+ requirements levied on higher-level abstractions
+ (subsystems) are essentially met by default. This concept is
+ further elaborated in the discussion on subsystems and
+ modules below.
+
+
+ The developer is expected to describe the design of the TOE
+ in terms of subsystems. The term
+ ``subsystem'' was chosen to be specifically vague so that it
+ could refer to units appropriate to the TOE (e.g.,
+ subsystems, modules). subsystems can even be uneven in
+ scope, as long as the requirements for description of
+ subsystems are met.
+
+ The first use of subsystems is to distinguish the TSF boundary;
+ that is, the portions of the TOE that comprise the TSF. In
+ general, a subsystem is part of the TSF if it has the capability
+ (whether by design or implementation) to affect the correct
+ operation of any of the SFRs. For example, for software that
+ depends on different hardware execution modes to provide domain
+ separation (see ) where
+ SFR-enforcing code is executed in one domain, then all
+ subsystems that execute in that domain would be considered part
+ of the TSF. Likewise, if a server outside that domain
+ implemented an SFR (e.g. enforced an access control policy over
+ objects it managed), then it too would be considered part of the
+ TSF.
+
+ The second use of subsystems is to provide a structure for
+ describing the TSF at a level of description that, while
+ describing how the TSF works, does not necessarily contain
+ low-level implementation detail found in module descriptions
+ (discussed later). subsystems are described at either a high
+ level (lacking an abundance of implementation detail) or a
+ detailed level (providing more insight into the
+ implementation). The level of description provided for a
+ subsystem is determined by the degree to which that
+ subsystem is responsible for implementing an SFR.
+
+ An SFR-enforcing subsystem is a subsystem
+ that provides mechanisms for enforcing an element of any SFR,
+ or directly supports a subsystem that is responsible
+ for enforcing an SFR. If a subsystem provides (implements)
+ an SFR-enforcing TSFI, then the subsystem is
+ SFR-enforcing.
+
+ Subsystems can also be identified as
+ SFR-supporting and
+ SFR-non-interfering. An SFR-supporting
+ subsystem is one that is depended on by an SFR-enforcing
+ subsystem in order to implement an SFR, but does not play as
+ direct a role as an SFR-enforcing subsystem. An
+ SFR-non-interfering subsystem is one that is not depended
+ upon, in either a supporting or enforcing role, to implement
+ an SFR.
+
+
+
+ A module is generally a relatively small architectural unit
+ that can be characterised in terms of the properties
+ discussed in . When both
+ (or above) requirements
+ and requirements are
+ present in a PP or ST, a ``module'' in terms of the requirements refers to the same
+ entity as a ``module'' for the requirements. Unlike subsystems, modules
+ describe the implementation in a level of detail that can
+ serve as a guide to reviewing the implementation
+ representation.
+
+ It is important to note that, depending on the TOE, modules
+ and subsystems may refer to the same abstraction. For and (which do not require description at the
+ module level) the subsystem description provides the lowest
+ level detail available about the TSF. For (which require module
+ descriptions) these descriptions provide the lowest level of
+ detail, while the subsystem descriptions (if they exist as
+ separate entities) merely serve to put to the module
+ descriptions in context. That is, it is not necessary to
+ provide detailed subsystem descriptions if module
+ descriptions exist. In TOEs that are sufficiently simple, a
+ separate ``subsystem description'' is not necessary; the
+ requirements can be met through documentation provided by
+ modules. For complex TOEs, the purpose of the subsystem
+ description (with respect to the TSF) is to provide the
+ reader context so they can focus their analysis
+ appropriately. This difference is illustrated in Figure
+ .
+
+ An SFR-enforcing module is a module that completely or partially implements
+ a security functional requirement (SFR) in the ST. Such modules may
+ implement an SFR-enforcing TSFI, but some functionality expressed in an SFR (for example,
+ audit and object re-use functionality) may not be directly tied to a single TSFI. As was
+ the case with subsystems, SFR-supporting modules are those modules that are depended upon by
+ an SFR-enforcing module, but are not responsible for directly implementing an SFR.
+ SFR-non-interfering modules are those modules that do not deal, directly or indirectly,
+ with the enforcement of SFRs.
+
+ It is important to note that the determination of what
+ ``directly implements'' means is somewhat subjective. In the
+ narrowest sense of the term, it could be interpreted to mean
+ the one or two lines of code that actually perform a
+ comparison, zeroing operation, etc. that implements a
+ requirement. A broader interpretation might be that it
+ includes the module that is invoked in response to a
+ SFR-enforcing TSFI, and all modules that may be invoked in
+ turn by that module (and so on until the completion of the
+ call). Neither of these interpretations is particularly
+ satisfying, since the narrowness of the first interpretation
+ may lead to important modules being incorrectly categorised
+ as SFR supporting, while the second leads to modules that
+ are actually not SFR-enforcing being classified as
+ such.
+
+ A description of a module should be such that one could create an implementation of the
+ module from the description, and the resulting implementation would be 1) identical to
+ the actual TSF implementation in terms of the interfaces presented, 2) identical in the
+ use of interfaces that are mentioned in the design, and 3) functionally equivalent to the
+ description of the purpose of the TSF module. For instance, RFC 793
+ provides a high-level description of the TCP protocol.
It is necessarily implementation
+ independent. While it provides a wealth of detail, it is
+ not
+ a suitable design description because it is not specific to an implementation. An actual
+ implementation can add to the protocol specified in the RFC, and implementation choices
+ (for example, the use of global data vs. local data in various parts of the implementation)
+ may have an impact on the analysis that is performed. The design description of the TCP
+ module would list the interfaces presented by the implementation (rather than just those
+ defined in RFC 793), as well as an algorithm description of the processing associated with
+ the modules implementing TCP (assuming they were part of the TSF).
+
+ In the design, modules are described in detail in terms
+ of the function they provide (the purpose); the interfaces
+ they present (when required by the criteria); the return
+ values from such interfaces; the interfaces (presented by other modules)
+ they use (provided those interfaces are required to be also described);
+ and a description of how they provide their functionality using a
+ technique appropriate to the method used to implement the module.
+
+ The purpose of a module should be described indicating what
+ function the module is providing. It should be sufficient so
+ that the reader could get a general idea of what the
+ module's function is in the architecture.
+
+ The interfaces presented by a module are those interfaces used by
+ other modules to invoke the functionality provided. Interfaces include both
+ explicit interfaces (e.g., a calling sequence invoked by
+ other modules) as well as implicit interfaces (e.g., global
+ data manipulated by the module). Interfaces are described in terms of how
+ they are invoked, and any values that are returned. This description would
+ include a list of parameters, and descriptions of these parameters.
If a parameter
+ were expected to take on a set of values (e.g., a ``flag'' parameter), the complete set
+ of values the parameter could take on that would have an effect on module processing
+ would be specified. Likewise, parameters representing data structures are described
+ such that each field of the data structure is identified and described.
+ Global data should be described to the extent required to understand their purpose.
+ The level of description required for a global data structure needs to be identical
+ to the one for module interfaces, where the input parameter and return values correspond
+ to the individual fields and their possible values in the data structure. Global data
+ structures may be described separate from the modules that manipulate or read them as
+ long as the design of the modules contain sufficient information about the global data
+ structures updated or the information extracted from global data structures.
+
+ Note that different programming languages may have
+ additional ``interfaces'' that would be non-obvious; an
+ example would be operator/function overloading in C++. This
+ ``implicit interface'' in the class description would also
+ be described as part of the module design. Note that
+ although a module could present only one interface, it is
+ more common that a module presents a small set of related
+ interfaces.
+
+ When it is required to describe the interfaces used by a module, it must be
+ clear from either the design description of the module or the purpose of the
+ module called, what service is expected from the module called. For example if
+ Module A is being described, and it uses Module B's bubble sort routine, the
+ description of the interaction between modules must allow to identify why
+ Module B's bubble sort routine is called and what this call contributes to the
+ implementation of the SFRs.
The interface and purpose of Module B's bubble sort
+ routine must be described as part of the interfaces of Module B (provided the
+ level of ADV_TDS and the classification of Module B require a description its
+ interfaces) and so Module A just needs to identify what data it needs to have
+ sorted using this routine. An adequate description would be: "Module A invokes
+ Module B's interface double_bubble() to sort the usernames in
+ alphabetical order".
+ Note that if this sorting of the user names is not important for the enforcement of
+ any SFR (e. g. it is just done to speed up things and an algorithmically identical
+ implementation of Module A could also avoid to have the usernames sorted), the use of
+ Module B's bubble sort routine is not SFR-enforcing and it is suffcient to explain in
+ the description of Module A that the usernames are sorted in alphabetical order to
+ enhance performance. Module B may be classified as "SFR-supporting" only and the level
+ of ADV_TDS chosen indicates if the interfaces of SFR-supporting modules need to be
+ described or if its is sufficient to just describe the purpose of Module B.
+
+ As discussed previously, the algorithmic description of the
+ module should describe in an algorithmic fashion the
+ implementation of the module. This can be done in
+ pseudo-code, through flow charts, or (at ) informal text. It discusses
+ how the module inputs and called functions are used to
+ accomplish the module's function. It notes changes to global
+ data, system state, and return values produced by the
+ module. It is at the level of detail that an implementation
+ could be derived that would be very similar to the actual
+ implementation of the TOE.
+
+ It should be noted that source code does not meet the module
+ documentation requirements. Although the module design
+ describes the implementation, it is not the
+ implementation.
The comments surrounding the source code
+ might be sufficient documentation if they provide an
+ explanation of the intent of the source code. In-line
+ comments that merely state what each line of code is doing
+ are useless because they provide no explanation of what the
+ module is meant to accomplish.
+
+ In the elements below, the labels (SFR-enforcing,
+ SFR-supporting, and SFR-non-interfering) discussed for
+ subsystems and modules are used to describe the amount and
+ type of information that needs to be made available by the
+ developer. The elements have been structured so that there
+ is no expectation that the developer provide
+ only the information specified. That is, if
+ the developer's documentation of the TSF provides the
+ information in the requirements below, there is no
+ expectation that the developer update their documentation
+ and label subsystems and modules as SFR-enforcing,
+ SFR-supporting, and SFR-non-interfering. The primary purpose
+ of this labelling is to allow developers with less mature
+ development methodologies (and associated artifacts, such as
+ detailed interface and design documentation) to provide the
+ necessary evidence without undue cost.
+
+
+
+ Because there is subjectivity in determining what is
+ SFR-enforcing vs. SFR-supporting (and in some cases, even
+ determining what is SFR-non-interfering) the following
+ paradigm has been adopted in this family. In early
+ components of the family, the developer makes a
+ determination about the classification of the subsystems
+ into SFR-enforcing, etc., supplying the appropriate
+ information, and there is little additional evidence for the
+ evaluator to examine to support this claim. As the level of
+ desired assurance increases, while the developer still makes
+ a classification determination, the evaluator obtains more
+ and more evidence that is used to confirm the developer's
+ classification.
+
+ In order to focus the evaluator's analysis on the SFR-related
+ portions of the TOE, especially at lower levels of assurance,
+ the components of the family are levelled such that initially
+ detailed information is required only for SFR-enforcing
+ architectural entities. As the level of assurance increases,
+ more information is required for SFR-supporting and (eventually)
+ SFR-non-interfering entities. It should be noted that even when
+ complete information is required, it is not required that all of
+ this information be analysed in the same level of detail. The
+ focus should be in all cases on whether the
+ necessary information has been provided and
+ analysed.
+
+ Table summarises the
+ information required at each of the family components for the
+ architectural entities to be described.
+
+
+
+
+
+ TSF subsystem
+ TSF Module
+
+
+ SFR
+ Enforce
+ SFR
+ Support
+ SFR
+ NI
+ SFR
+ Enforce
+ SFR
+ Support
+ SFR
+ NI
+
+
+
+
+
+ (informal
+ presentation)
+
+ structure, summary of SFR-Enf. behaviour, interactions
+
+ designation support
+ designation support means that
+ only documentation sufficient to support the
+ classification of the subsystem / module is
+ needed.
+
+ designation support
+
+
+
+
+
+
+ (informal
+ presentation)
+
+ structure, detailed description of SFR-Enf. behaviour,
+ summary of other behaviour, interactions
+
+
+ structure, summary of other behaviour, interactions
+
+ designation support, interactions
+
+
+
+
+
+
+
+ (informal
+ presentation) description,
+ interactions description, interactions
+ description, interactions
+
+ purpose, SFR interfacesSFR interfaces means that the module description contains,
+ for each SFR-related interface, the returned values and the called interfaces
+ to other modules.
+ interaction, purpose
+ interaction, purpose
+
+
+
+ (semiformal
+ presentation)
+ description, interactions
+ description, interactions
+ description, interactions
+
+ purpose, SFR interfaces
+
+
+ purpose, SFR interfaces
+
+ interaction, purpose
+
+
+
+
+ (semiformal
+ presentation)
+ description, interactions
+ description, interactions
+ description, interactions
+
+ purpose, all interfacesAll interfaces means that the module description contains,
+ for each interface, the returned values and the called interfaces to other
+ modules.
+
+ purpose, all interfaces
+
+
+ purpose, all interfaces
+
+
+
+
+ (semiformal
+ presentation; additional formal
+ presentation)
+ description, interactions
+ description, interactions
+ description, interactions
+
+ purpose, all interfaces
+
+
+ purpose, all interfaces
+
+
+ purpose, all interfaces
+
+
+
+
+ Description Detail Levelling
+
+
+
+
+
+ Formal methods provide a mathematical representation of the
+ TSF and its behaviour and are required by the , , and
+ components. There are two aspects of formal methods: the
+ specification language that is used for
+ formal expression, and the theorem prover
+ that mathematically proves the completeness and correctness of
+ the formal specification.
+
+ A formal specification is expressed within a formal system
+ based upon well-established mathematical concepts. These
+ mathematical concepts are used to define well-defined
+ semantics, syntax and rules of inference. A formal system is
+ an abstract system of identities and relations that can be
+ described by specifying a formal alphabet, a formal language
+ over that alphabet which is based on a formal syntax, and a
+ set of formal rules of inference for constructing derivations
+ of sentences in the formal language.
+
+ The evaluator should examine the identified formal systems to
+ make sure that:
+
+ The semantics, syntax and inference rules of the
+ formal system are defined or a definition is
+ referenced.
+ Each formal system is accompanied by explanatory text
+ that provides defined semantics so that:
+
+ the explanatory text provides defined meanings of
+ terms, abbreviations and acronyms that are used in a
+ context other than that accepted by normal
+ usage,
+ the use of a formal system and semiformal notation
+ use is accompanied by supporting explanatory text in
+ informal style appropriate for unambiguous
+ meaning,
+ the formal system is able to express rules and
+ characteristics of applicable SFPs,
+ security functionality and interfaces (providing
+ details of effects, exceptions and error messages) of
+ TSF, their subsystems or modules to be specified for
+ the assurance family for which the notations are
+ used.
+ the notation provides rules to determine the
+ meaning of syntactical valid constructs.
+
+ Each formal system uses a formal syntax that provides
+ rules to unambiguously recognise constructs.
+ Each formal system provides proof rules which
+
+ support logical reasoning of well-established
+ mathematical concepts,
+ help to prevent derivation of
+ contradictions
+
+ If the developer uses a formal system which is already accepted
+ by the evaluation authority the evaluator can rely on the level
+ of formality and strength of the system and focus on the
+ instantiation of the formal system to the TOE specifications and
+ correspondence proofs.
+
+ The formal style supports mathematical proofs of the security
+ properties based on the security features, the consistency of
+ refinements and the correspondence of the representations.
+ Formal tool support seems adequate whenever manual derivations
+ would otherwise become long winded and
+ incomprehensible. Formal tools are also apt to reduce the
+ error probability inherent in manual derivations.
+
+ Examples of formal systems:
+
+ The Z specification language is highly
+ expressive, and supports many different methods or styles
+ of formal specification. The use of Z has been
+ predominantly for model-oriented specification, using
+ schemas to formally specify
+ operations. See for more
+ information.
+ ACL2 is an open-source formal system
+ comprising a LISP-based specification language and a
+ theorem prover. See for
+ further information.
+ Isabelle is a popular generic theorem
+ proving environment that allows mathematical formulae to
+ be expressed in a formal language and provides tools for
+ proving those formulae within a logical calculus (see
+ e.g. for
+ additional information)
+ The B method is a formal system based
+ on the propositional calculus, the first order predicate
+ calculus with inference rules and set theory (see
+ e.g. for further
+ information).
+
+
+
+
+ The dependencies documented in the components of Clauses and - are the direct dependencies between the
+ assurance components.
+
+ The following dependency tables for assurance components show
+ their direct, indirect and optional dependencies. Each of the
+ components that is a dependency of some assurance component is
+ allocated a column. Each assurance component is allocated a
+ row. The value in the table cell indicate whether the column
+ label component is directly required (indicated by a cross
+ ``X'') or indirectly required (indicated by a dash ``-''), by
+ the row label component. If no character is presented, the
+ component is not dependent upon another component.
+
+
+
+ The purpose of this Clause is to document the philosophy that
+ underpins the CC approach to assurance. An understanding of this
+ Clause will permit the reader to understand the rationale behind
+ the CC Part 3 assurance requirements.
+
+
+ The CC philosophy is that the threats to security and
+ organisational security policy commitments should be clearly
+ articulated and the proposed security measures be demonstrably
+ sufficient for their intended purpose.
+
+ Furthermore, measures should be adopted that reduce the
+ likelihood of vulnerabilities, the ability to exercise
+ (i.e. intentionally exploit or unintentionally trigger) a
+ vulnerability, and the extent of the damage that could occur
+ from a vulnerability being exercised. Additionally, measures
+ should be adopted that facilitate the subsequent
+ identification of vulnerabilities and the elimination,
+ mitigation, and/or notification that a vulnerability has been
+ exploited or triggered.
+
+
+
+ The CC philosophy is to provide assurance based upon an
+ evaluation (active investigation) of the IT product that is to
+ be trusted. Evaluation has been the traditional means of
+ providing assurance and is the basis for prior evaluation
+ criteria documents. In aligning the existing approaches, the
+ CC adopts the same philosophy.
The CC proposes measuring the
+ validity of the documentation and of the resulting IT product
+ by expert evaluators with increasing emphasis on scope, depth,
+ and rigour.
+
+ The CC does not exclude, nor does it comment upon, the
+ relative merits of other means of gaining assurance. Research
+ continues with respect to alternative ways of gaining
+ assurance. As mature alternative approaches emerge from these
+ research activities, they will be considered for inclusion in
+ the CC, which is so structured as to allow their future
+ introduction.
+
+
+ It is assumed that there are threat agents that will
+ actively seek to exploit opportunities to violate security
+ policies both for illicit gains and for well-intentioned,
+ but nonetheless insecure actions. Threat agents may also
+ accidentally trigger security vulnerabilities, causing harm
+ to the organisation. Due to the need to process sensitive
+ information and the lack of availability of sufficiently
+ trusted products, there is significant risk due to failures
+ of IT. It is, therefore, likely that IT security breaches
+ could lead to significant loss.
+
+ IT security breaches arise through the intentional
+ exploitation or the unintentional triggering of
+ vulnerabilities in the application of IT within business
+ concerns.
+
+ Steps should be taken to prevent vulnerabilities arising in
+ IT products. To the extent feasible, vulnerabilities should
+ be:
+
+
+ eliminated -- that is, active steps should be taken to
+ expose, and remove or neutralise, all exercisable
+ vulnerabilities;
+
+
+ minimised -- that is, active steps should be taken to
+ reduce, to an acceptable residual level, the potential
+ impact of any exercise of a vulnerability;
+
+
+ monitored -- that is, active steps should be taken to
+ ensure that any attempt to exercise a residual
+ vulnerability will be detected so that steps can be
+ taken to limit the damage.
+
+
+
+
+
+ Vulnerabilities can arise through failures in:
+
+
+ requirements -- that is, an IT product may possess all
+ the functions and features required of it and still
+ contain vulnerabilities that render it unsuitable or
+ ineffective with respect to security;
+
+
+ development -- that is, an IT product does not meet its
+ specifications and/or vulnerabilities have been
+ introduced as a result of poor development standards or
+ incorrect design choices;
+
+
+ operation -- that is, an IT product has been constructed
+ correctly to a correct specification but vulnerabilities
+ have been introduced as a result of inadequate controls
+ upon the operation.
+
+
+
+
+
+ Assurance is grounds for confidence that an IT product meets
+ its security objectives. Assurance can be derived from
+ reference to sources such as unsubstantiated assertions,
+ prior relevant experience, or specific experience. However,
+ the CC provides assurance through active
+ investigation. Active investigation is an evaluation of the
+ IT product in order to determine its security
+ properties.
+
+
+
+ Evaluation has been the traditional means of gaining
+ assurance, and is the basis of the CC approach. Evaluation
+ techniques can include, but are not limited to:
+
+
+ analysis and checking of process(es) and procedure(s);
+
+
+ checking that process(es) and procedure(s) are being
+ applied;
+
+
+ analysis of the correspondence between TOE design
+ representations;
+
+
+ analysis of the TOE design representation against the
+ requirements;
+
+
+ verification of proofs;
+
+
+ analysis of guidance documents;
+
+
+ analysis of functional tests developed and the results
+ provided;
+
+
+ independent functional testing;
+
+
+ analysis for vulnerabilities (including flaw
+ hypothesis);
+
+
+ penetration testing.
+
+
+
+
+
+
+ The CC philosophy asserts that greater assurance results from
+ the application of greater evaluation effort, and that the
+ goal is to apply the minimum effort required to provide the
+ necessary level of assurance. The increasing level of effort
+ is based upon:
+
+
+ scope -- that is, the effort is greater because a larger
+ portion of the IT product is included;
+
+
+ depth -- that is, the effort is greater because it is
+ deployed to a finer level of design and implementation
+ detail;
+
+
+ rigour -- that is, the effort is greater because it is
+ applied in a more structured, formal manner.
+
+
+
+
+
+
+ This annex provides an explanation of the criteria and examples of their application. This
+ annex does not define the criteria;
+ this definition can be found in CC Part 3 Section .
+
+ This annex consists of 2 major parts:
+
+
+ Guidance for completing an independent vulnerability
+ analysis. This is summarised in section , and described in more
+ detail in section
+ . These sections describe how an evaluator should approach
+ the construction of an independent Vulnerability Analysis.
+
+
+ How to characterise and use assumed Attack Potential of an
+ attacker. This is described in sections to . These sections provide an example of describe
+ how an attack potential can be characterised and should be
+ used, and provide examples.
+
+
+
+
+ The purpose of the vulnerability assessment activity is to
+ determine the existence and exploitability of flaws or
+ weaknesses in the TOE in the operational environment. This
+ determination is based upon analysis performed by the
+ evaluator, and is supported by evaluator testing.
+
+ At the lowest levels of the
+ evaluator simply performs a search of publicly available
+ information to identify any known weaknesses in the TOE, while
+ at the higher levels the evaluator performs a structured
+ analysis of the TOE evaluation evidence.
+
+ There are three main factors in performing a vulnerability
+ analysis, namely:
+
+ the identification of potential vulnerabilities;
+
+ assessment to determine whether the identified potential
+ vulnerabilities could allow an attacker with the relevant
+ attack potential to violate the SFRs.
+
+ penetration testing to determine whether the identified
+ potential vulnerabilities are exploitable in the operational
+ environment of the TOE.
+
+
+ The identification of vulnerabilities can be further
+ decomposed into the evidence to be searched and how hard to
+ search that evidence to identify potential vulnerabilities. In
+ a similar manner, the penetration testing can be further
+ decomposed into analysis of the potential vulnerability to
+ identify attack methods and the demonstration of the attack
+ methods.
+
+ These main factors are iterative in nature, i.e. penetration
+ testing of potential vulnerabilities may lead to the
+ identification of further potential vulnerabilities. Hence,
+ these are performed as a single vulnerability analysis
+ activity.
+
+
+
+ The evaluator vulnerability analysis is to determine that the
+ TOE is resistant to penetration attacks performed by an
+ attacker possessing a Basic (for and ),
+ Enhanced-Basic (for ),
+ Moderate (for ) or High (for
+ ) attack potential. The
+ evaluator first assesses the exploitability of all identified
+ potential vulnerabilities. This is accomplished by conducting
+ penetration testing. The evaluator should assume the role of
+ an attacker with a Basic (for
+ and ), Enhanced-Basic (for
+ ), Moderate (for ) or High (for ) attack potential when attempting to penetrate the
+ TOE.
+
+ The evaluator considers potential vulnerabilities encountered
+ by the evaluator during the conduct of other evaluation
+ activities.
The evaluator penetration testing determining TOE
+ resistance to these potential vulnerabilities should be
+ performed assuming the role of an attacker with a Basic (for
+ and ), Enhanced-Basic (for ), Moderate (for )
+ or High (for ) attack
+ potential.
+
+ However, vulnerability analysis should not be performed as an
+ isolated activity. It is closely linked with and . The evaluator
+ performs these other evaluation activities with a focus on
+ identifying potential vulnerabilities or ``areas of
+ concern''. Therefore, evaluator familiarity with the generic
+ vulnerability guidance (provided in Section ) is required.
+
+
+ The following five categories provide discussion of generic
+ vulnerabilities.
+
+
+ Bypassing includes any means by which an attacker could
+ avoid security enforcement, by:
+
+
+ exploiting the capabilities of interfaces to the TOE,
+ or of utilities which can interact with the TOE;
+
+
+ inheriting privileges or other capabilities that
+ should otherwise be denied;
+
+
+ (where confidentiality is a concern) reading sensitive
+ data stored or copied to inadequately protected areas.
+
+
+
+ Each of the following should be considered (where
+ relevant) in the evaluator's independent vulnerability
+ analysis.
+
+
+ Attacks based on exploiting the capabilities of
+ interfaces or utilities generally take advantage of
+ the absence of the required security enforcement on
+ those interfaces. For example, gaining access to
+ functionality that is implemented at a lower level
+ than that at which access control is
+ enforced. Relevant items include:
+
+
+ changing the predefined sequence of invocation of
+ TSFI;
+
+
+ invoking an additional TSFI;
+
+
+ using a component in an unexpected context or for
+ an unexpected purpose;
+
+
+ using implementation detail introduced in less
+ abstract representations;
+
+
+ using the delay between time of access check and
+ time of use.
+
+
+
+
+ Changing the predefined sequence of invocation of
+ components should be considered where there is an
+ expected order in which interfaces to the TOE
+ (e.g. user commands) are called to invoke a TSFI
+ (e.g. opening a file for access and then reading data
+ from it). If a TSFI is invoked through one of the TOE
+ interfaces (e.g. an access control check), the
+ evaluator should consider whether it is possible to
+ bypass the control by performing the call at a later
+ point in the sequence or by missing it out altogether.
+
+
+ Executing an additional component (in the predefined
+ sequence) is a similar form of attack to the one
+ described above, but involves the calling of some
+ other TOE interface at some point in the sequence. It
+ can also involve attacks based on interception of
+ sensitive data passed over a network by use of network
+ traffic analysers (the additional component here being
+ the network traffic analyser).
+
+
+ Using a component in an unexpected context or for an
+ unexpected purpose includes using an unrelated TOE
+ interface to bypass the TSF by using it to achieve a
+ purpose that it was not designed or intended to
+ achieve. Covert channels are an example of this type
+ of attack (see for further discussion of covert
+ channels). The use of undocumented interfaces, which
+ may be insecure, also falls into this category. Such
+ interfaces may include undocumented support and help
+ facilities.
+
+
+ Using implementation detail introduced in lower
+ representations may allow an attacker to take
+ advantage of additional functions, resources or
+ attributes that are introduced to the TOE as a
+ consequence of the refinement process. Additional
+ functionality may include test harness code contained
+ in software modules and back-doors introduced during
+ the implementation process.
+
+
+ Using the delay between time of check and time of use
+ includes scenarios where an access control check is
+ made and access granted, and an attacker is
+ subsequently able to create conditions in which, had
+ they applied at the time the access check was made,
+ would have caused the check to fail. An example would
+ be a user creating a background process to read and
+ send highly sensitive data to the user's terminal, and
+ then logging out and logging back in again at a lower
+ sensitivity level. If the background process is not
+ terminated when the user logs off, the MAC checks
+ would have been effectively bypassed.
+
+
+ Attacks based on inheriting privileges are generally
+ based on illicitly acquiring the privileges or
+ capabilities of some privileged component, usually by
+ exiting from it in an uncontrolled or unexpected
+ manner. Relevant items include:
+
+
+ executing data not intended to be executable, or
+ making it executable;
+
+
+ generating unexpected input for a component;
+
+
+ invalidating assumptions and properties on which
+ lower-level components rely.
+
+
+
+
+ Executing data not intended to be executable, or
+ making it executable includes attacks involving
+ viruses (e.g. putting executable code or commands in a
+ file which are automatically executed when the file is
+ edited or accessed, thus inheriting any privileges the
+ owner of the file has).
+
+
+ Generating unexpected input for a component can have
+ unexpected effects which an attacker could take
+ advantage of. For example, if the TSF could be
+ bypassed if a user gains access to the underlying
+ operating system, it may be possible to gain such
+ access following the login sequence by exploring the
+ effect of hitting various control or escape sequences
+ whilst a password is being authenticated.
+
+
+ Invalidating assumptions and properties on which lower
+ level components rely includes attacks based on
+ breaking out of the constraints of an application to
+ gain access to an underlying operating system in order
+ to bypass the TSF of an application. In this case the
+ assumption being invalidated is that it is not
+ possible for a user of the application to gain such
+ access. A similar attack can be envisaged against an
+ application on an underlying database management
+ system: again the TSF could be bypassed if an attacker
+ can break out of the constraints of the application.
+
+
+ Attacks based on reading sensitive data stored in
+ inadequately protected areas (applicable where
+ confidentiality is a concern) include the following
+ issues which should be considered as possible means of
+ gaining access to sensitive data:
+
+
+ disk scavenging;
+
+
+ access to unprotected memory;
+
+
+ exploiting access to shared writable files or
+ other shared resources (e.g. swap files);
+
+
+ Activating error recovery to determine what access
+ users can obtain. For example, after a crash an
+ automatic file recovery system may employ a lost
+ and found directory for headerless files, which
+ are on disk without labels. If the TOE implements
+ mandatory access controls, it is important to
+ investigate at what security level this directory
+ is kept (e.g. at system high), and who has access
+ to this directory.
+
+
+
+
+
+ There are a number of different methods through which an
+ evaluator may identify a back-door, including two main
+ techniques. Firstly, by the evaluator inadvertently
+ identifying during testing an interface that can be
+ misused. Secondly, through testing each external
+ interface of the TSF in a debugging mode to identify any
+ modules that are not called as a part of testing the
+ documented interfaces and then inspecting the code that is
+ not called to consider whether it is a back-door.
+
+ For a software TOE where and or
+ higher components are included in the assurance package,
+ the evaluator may consider during their analysis of the
+ tools the libraries and packages that are linked by the
+ compiler at compilation stage to determine that back-doors
+ are not introduced at this stage.
+
+
+
+ Tampering includes any attack based on an attacker
+ attempting to influence the behaviour of the TSF
+ (i.e. corruption or de-activation), for example by:
+
+
+ accessing data on whose confidentiality or integrity
+ the TSF relies;
+
+
+ forcing the TOE to cope with unusual or unexpected
+ circumstances;
+
+
+ disabling or delaying security enforcement;
+
+
+ physical modification the TOE.
+
+
+
+ Each of the following should be considered (where
+ relevant) in the evaluator's independent vulnerability
+ analysis.
+
+
+ Attacks based on accessing data, whose confidentiality
+ or integrity are protected, include:
+
+
+ reading, writing or modifying internal data
+ directly or indirectly;
+
+
+ using a component in an unexpected context or for
+ an unexpected purpose;
+
+
+ using interfaces between components that are not
+ visible at a higher level of abstraction.
+
+
+
+
+ Reading, writing or modifying internal data directly
+ or indirectly includes the following types of attack
+ which should be considered:
+
+
+ reading ``secrets'' stored internally, such as
+ user passwords;
+
+
+ spoofing internal data that security enforcing
+ mechanisms rely upon;
+
+
+ modifying environment variables (e.g. logical
+ names), or data in configuration files or
+ temporary files.
+
+
+
+ It may be possible to deceive a trusted process into
+ modifying a protected file that it wouldn't normally
+ access.
+
+
+ The evaluator should also consider the following
+ ``dangerous features'':
+
+
+ source code resident on the TOE along with a
+ compiler (for instance, it may be possible to
+ modify the login source code);
+
+
+ an interactive debugger and patch facility (for
+ instance, it may be possible to modify the
+ executable image);
+
+
+ the possibility of making changes at device
+ controller level, where file protection does not
+ exist;
+
+
+ diagnostic code which exists in the source code
+ and that may be optionally included;
+
+
+ developer's tools left in the TOE.
+
+
+
+
+ Using a component in an unexpected context or for an
+ unexpected purpose includes (for example), where the
+ TOE is an application built upon an operating system,
+ users exploiting knowledge of a word processor package
+ or other editor to modify their own command file
+ (e.g. to acquire greater privileges).
+
+
+ Using interfaces between components which are not
+ visible at a higher level of abstraction includes
+ attacks exploiting shared access to resources, where
+ modification of a resource by one component can
+ influence the behaviour of another (trusted)
+ component, e.g. at source code level, through the use
+ of global data or indirect mechanisms such as shared
+ memory or semaphores.
+
+
+ Attacks based on forcing the TOE to cope with unusual
+ or unexpected circumstances should always be
+ considered. Relevant items include:
+
+
+ generating unexpected input for a component;
+
+
+ invalidating assumptions and properties on which
+ lower-level components rely.
+
+
+
+
+ Generating unexpected input for a component includes
+ investigating the behaviour of the TOE when:
+
+
+ command input buffers overflow (possibly
+ ``crashing the stack'' or overwriting other
+ storage, which an attacker may be able to take
+ advantage of, or forcing a crash dump that may
+ contain sensitive information such as clear-text
+ passwords);
+
+
+ invalid commands or parameters are entered
+ (including supplying a read-only parameter to an
+ interface which expects to return data via that
+ parameter and supplying improperly formatted input
+ that should fail parsing such as SQL-injection,
+ format strings);
+
+
+ an end-of-file marker (e.g. CTRL-Z or CTRL-D) or
+ null character is inserted in an audit trail.
+
+
+
+
+ Invalidating assumptions and properties on which
+ lower-level components rely includes attacks taking
+ advantage of errors in the source code where the code
+ assumes (explicitly or implicitly) that security
+ relevant data is in a particular format or has a
+ particular range of values. In these cases the
+ evaluator should determine whether they can invalidate
+ such assumptions by causing the data to be in a
+ different format or to have different values, and if
+ so whether this could confer advantage to an attacker.
+
+
+ The correct behaviour of the TSF may be dependent on
+ assumptions that are invalidated under extreme
+ circumstances where resource limits are reached or
+ parameters reach their maximum value. The evaluator
+ should consider (where practical) the behaviour of the
+ TOE when these limits are reached, for example:
+
+
+ changing dates (e.g.
examining how the TOE behaves
+ when a critical date threshold is passed);
+
+
+ filling disks;
+
+
+ exceeding the maximum number of users;
+
+
+ filling the audit log;
+
+
+ saturating security alarm queues at a console;
+
+
+ overloading various parts of a multi-user TOE
+ which relies heavily upon communications
+ components;
+
+
+ swamping a network, or individual hosts, with
+ traffic;
+
+
+ filling buffers or fields.
+
+
+
+
+ Attacks based on disabling or delaying security
+ enforcement include the following items:
+
+
+ using interrupts or scheduling functions to
+ disrupt sequencing;
+
+
+ disrupting concurrence;
+
+
+ using interfaces between components which are not
+ visible at a higher level of abstraction.
+
+
+
+
+ Using interrupts or scheduling functions to disrupt
+ sequencing includes investigating the behaviour of the
+ TOE when:
+
+
+ a command is interrupted (with CTRL-C, CTRL-Y,
+ etc.);
+
+
+ a second interrupt is issued before the first is
+ acknowledged.
+
+
+
+
+ The effects of terminating security critical processes
+ (e.g. an audit daemon) should be explored. Similarly,
+ it may be possible to delay the logging of audit
+ records or the issuing or receipt of alarms such that
+ it is of no use to an administrator (since the attack
+ may already have succeeded).
+
+
+ Disrupting concurrence includes investigating the
+ behaviour of the TOE when two or more subjects attempt
+ simultaneous access. It may be that the TOE can cope
+ with the interlocking required when two subjects
+ attempt simultaneous access, but that the behaviour
+ becomes less well defined in the presence of further
+ subjects. For example, a critical security process
+ could be put into a resource-wait state if two other
+ processes are accessing a resource which it requires.
+
+
+ Using interfaces between components which are not
+ visible at a higher level of abstraction may provide a
+ means of delaying a time-critical trusted process.
+
+
+ Physical attacks can be categorised into physical
+ probing, physical manipulation, physical modification,
+ and substitution.
+
+
+ Physical probing by penetrating the TOE targeting
+ internals of the TOE, e.g. reading at internal
+ communication interfaces, lines or memories.
+
+
+ Physical manipulation can be with the TOE
+ internals aiming at internal modifications of the
+ TOE (e.g. by using optical fault induction as an
+ interaction process), at the external interfaces
+ of the TOE (e.g. by power or clock glitches) and
+ at the TOE environment (e.g. by modifying
+ temperature).
+
+
+ Physical modification of TOE internal security
+ enforcing attributes to inherit privileges or
+ other capabilities that should be denied in
+ regular operation. Such modifications can be
+ caused, e.g., by optical fault induction. Attacks
+ based on physical modification may also yield a
+ modification of the TSF itself, e.g. by causing
+ faults at TOE internal program data transfers
+ before execution. Note, that such kind of
+ bypassing by modifying the TSF itself can
+ jeopardise every TSF unless there are other
+ measures (possibly environmental measures) that
+ prevent an attacker from gaining physical access
+ to the TOE.
+
+
+ Physical substitution to replace the TOE with
+ another IT entity, during delivery or operation of
+ the TOE. Substitution during delivery of the TOE
+ from the development environment to the user
+ should be prevented through application of secure
+ delivery procedures (such as those considered
+ under ). Substitution of the TOE during
+ operation may be considered through a combination
+ of user guidance and the operational environment,
+ such that the user is able to be confident that
+ they are interacting with the TOE.
+
+
+
+
+
+
+
+ Direct attack includes the identification of any
+ penetration tests necessary to test the strength of
+ permutational or probabilistic mechanism and other
+ mechanisms to ensure they withstand direct attack.
+
+ For example, it may be a flawed assumption that a
+ particular implementation of a pseudo-random number
+ generator will possess the required entropy necessary to
+ seed the security mechanism.
+
+ Where a probabilistic or permutational mechanism relies on
+ selection of security attribute value (e.g. selection of
+ password length) or entry of data by a human user
+ (e.g. choice of password), the assumptions made should
+ reflect the worst case.
+
+ Probabilistic or permutational mechanisms should be
+ identified during examination of evaluation evidence
+ required as input to this sub-activity (security target,
+ functional specification, TOE design and implementation
+ representation subset) and any other TOE (e.g. guidance)
+ documentation may identify additional probabilistic or
+ permutational mechanisms.
+
+ Where the design evidence or guidance includes assertions
+ or assumptions (e.g. about how many authentication
+ attempts are possible per minute), the evaluator should
+ independently confirm that these are correct. This may be
+ achieved through testing or through independent
+ analysis.
+
+ Direct attacks reliant upon a weakness in a cryptographic
+ algorithm should not be considered under , as this is outside the scope
+ of the CC. Correctness of the implementation of the
+ cryptographic algorithm is considered during the and
+ activities.
+
+
+
+ Information is an abstract view on relation between the
+ properties of entities, i.e. a signal contains information
+ for a system, if the TOE is able to react to this
+ signal. The TOE resources processes and stores information
+ represented by user data.
Therefore: + + + information may flow with the user data between + subjects by internal TOE transfer or export from the TOE; + + + information may be generated and passed to other user + data; + + + information may be gained through monitoring the + operations on data representing the information. + + + + The information represented by user data may be + characterised by security attributes like ``classification + level'' having values, for example unclassified, + confidential, secret, top secret, to control operations to + the data. This information and therefore the security + attributes may be changed by operations e.g. may describe decrease of the + level by ``sanitarisation'' or increase of level by + combination of data. This is one aspects of an information + flow analysis focused on controlled operations of + controlled subjects on controlled objects. + + The other aspect is the analysis of illicit + information flow. This aspect is more + general than the direct access to objects containing user + data addressed by the + family. An unenforced + signalling channel carrying information under control of + the information flow control policy can also be caused by + monitoring of the processing of any object containing or + related to this information (e.g. side channels). An + enforced signalling channels + may be identified in terms of the subjects manipulating + resources and the subject or user that observe such + manipulation. Classically, covert channels have been + identified as timing or storage channels, according to the + resource being modified or modulated. As for other + monitoring attacks, the use of the TOE is in accordance + with the SFRs. + + Covert channels are normally applicable in the case when + the TOE has unobservability AND multi-level separation + policy requirements. Covert channels may be routinely + spotted during vulnerability analysis and design + activities, and should therefore be tested. 
However, + generally such monitoring attacks are only identified + through specialised analysis techniques commonly referred + to as ``covert channel analysis''. These techniques have + been the subject of much research and there are many + papers published on this subject. Guidance for the + conduct of covert channel analysis should be sought from + the evaluation authority. + + Unenforced information flow monitoring + attacks include passive analysis techniques aiming at + disclosure of sensitive internal data of the TOE by + operating the TOE in the way that corresponds to the + guidance documents. + + Side Channel Analysis includes crypt analytical techniques + based on physical leakage of the TOE. Physical leakage can + occur by timing information, power consumption or power + emanation during computation of a TSF. Timing information + can be collected also by a remote-attacker (having network + access to the TOE), power based information channels + requires that the attacker is in the near-by environment + of the TOE. + + Eavesdropping techniques include interception of all forms + of energy, e.g., electromagnetic or optical emanation of + computer displays, not necessarily in the near-field of + the TOE. + + Monitoring also includes exploits of protocol flaws, e.g., + an attack on SSL implementation. + + + + Misuse may arise from: + + + incomplete guidance documentation; + + + unreasonable guidance; + + + unintended misconfiguration of the TOE; + + + forced exception behaviour of the TOE. + + + + If the guidance documentation is incomplete the user may + not know how to operate the TOE in accordance with the + SFRs. The evaluator should apply familiarity with the TOE + gained from performing other evaluation activities to + determine that the guidance is complete. In particular, + the evaluator should consider the functional + specification. 
The TSF described in this document should + be described in the guidance as required to permit secure + administration and use through the TSFI available to human + users. In addition, the different modes of operation + should be considered to ensure that guidance is provided + for all modes of operation. + + The evaluator may, as an aid, prepare an informal mapping + between the guidance and these documents. Any omissions in + this mapping may indicate incompleteness. + + The guidance is considered to be unreasonable if it makes + demands on the TOE's usage or operational environment that + are inconsistent with the ST or unduly onerous to maintain + security. + + A TOE may use a variety of ways to assist the consumer in + effectively using that TOE in accordance with the SFRs and + prevent unintentional misconfiguration. A TOE may employ + functionality (features) to alert the consumer when the + TOE is in a state that is inconsistent with the SFRs, + whilst other TOEs may be delivered with enhanced guidance + containing suggestions, hints, procedures, etc. on using + the existing security features most effectively; for + instance, guidance on using the audit feature as an aid + for detecting when the SFRs are being compromised; namely + insecure. + + The evaluator considers the TOE's functionality, its + purpose and security objectives for the operational + environment to arrive at a conclusion of whether or not + there is reasonable expectation that use of the guidance + would permit transition into an insecure state to be + detected in a timely manner. + + The potential for the TOE to enter into insecure states + may be determined using the evaluation deliverables, such + as the ST, the functional specification and any other + design representations provided as evidence for components + included in the assurance package for the TOE (e.g. the + TOE/TSF design specification if a component from is included). 
+ + Instances of forced exception behaviour of the TSF could + include, but are not limited to, the following: + + + behaviour of the TOE when start-up, close-down or error + recovery is activated; + + + behaviour of the TOE under extreme circumstances + (sometimes termed overload or asymptotic behaviour), + particularly where this could lead to the + de-activation or disabling of parts of the TSF; + + + any potential for unintentional misconfiguration or + insecure use arising from attacks noted in the section + on tampering above. + + + + + + + Potential vulnerabilities may be identified by the evaluator + during different activities. They may become apparent during + an evaluation activity or they may be identified as a result + of analysis of evidence to search for + vulnerabilities. + + + The encountered identification of vulnerabilities is where + potential vulnerabilities are identified by the evaluator + during the conduct of evaluation activities, i.e. the + evidence are not being analysed with the express aim of + identifying potential vulnerabilities. + + The encountered method of identification is dependent on the + evaluator's experience and knowledge; which is monitored and + controlled by the evaluation authority. It is not reproducible + in approach, but will be documented to ensure repeatability of + the conclusions from the reported potential + vulnerabilities. + + There are no formal analysis criteria required for this + method. Potential vulnerabilities are identified from the + evidence provided as a result of knowledge and + experience. However, this method of identification is not + constrained to any particular subset of evidence. + + Evaluator is assumed to have knowledge of the TOE-type + technology and known security flaws as documented in the + public domain. 
The level of knowledge assumed is that + which can be gained from a security e-mail list relevant + to the TOE type, the regular bulletins (bug, vulnerability + and security flaw lists) published by those organisations + researching security issues in products and technologies + in widespread use. This knowledge is not expected to + extend to specific conference proceedings or detailed + theses produced by university research for or . However, to ensure the knowledge applied is + up to date, the evaluator may need to perform a search of + public domain material. + + For to the search of publicly + available information is expected to include conference + proceeding and theses produced during research activities + by universities and other relevant organisations. + + Examples of how these may arise (how the evaluator may + encounter potential vulnerabilities): + + + while the evaluator is examining some evidence, it + sparks a memory of a potential vulnerability + identified in a similar product type, that the + evaluator believes to also be present in the TOE under + evaluation; + + + while examining some evidence, the evaluator spots a + flaw in the specification of an interface, that + reflects a potential vulnerability. + + + This may include becoming aware of a potential + vulnerability in a TOE through reading about generic + vulnerabilities in a particular product type in an IT + security publication or on a security e-mail list to which + the evaluator is subscribed. + + Attack methods can be developed directly from these + potential vulnerabilities. Therefore, the encountered + potential vulnerabilities are collated at the time of + producing penetration tests based on the evaluator's + vulnerability analysis. There is no explicit action for + the evaluator to encounter potential + vulnerabilities. Therefore, the evaluator is directed + through an implicit action specified in and .*.4E. 
+ + Current information regarding public domain + vulnerabilities and attacks may be provided to the + evaluator by, for example, an evaluation authority. This + information is to be taken into account by the evaluator + when collating encountered vulnerabilities and attack + methods when developing penetration tests. + + + + The following types of analysis are presented in terms of + the evaluator actions. + + + The unstructured analysis to be performed by the + evaluator (for ) + permits the evaluator to consider the generic + vulnerabilities (as discussed in ). The evaluator will also apply their + experience and knowledge of flaws in similar technology + types. + + + + During the conduct of evaluation activities the + evaluator may also identify areas of concern. These are + specific portions of the TOE evidence that the evaluator + has some reservation about, although the evidence meets + the requirements for the activity with which the + evidence is associated. For example, a particular + interface specification looks particularly complex, and + therefore may be prone to error either in the + development of the TOE or in the operation of the + TOE. There is no potential vulnerability apparent at + this stage, further investigation is required. This is + beyond the bounds of encountered, as further + investigation is required. + + Difference between potential vulnerability and area of + concern: + + + Potential vulnerability - The evaluator knows a + method of attack that can be used to exploit the + weakness or the evaluator knows of vulnerability + information that is relevant to the TOE. + + + Area of concern - The evaluator may be able to + discount concern as a potential vulnerability based + on information provided elsewhere. 
While reading + interface specification, the evaluator identifies + that due to the extreme (unnecessary) complexity of + an interface a potential vulnerability may lay + within that area, although it is not apparent + through this initial examination. + + + The focused approach to the identification of + vulnerabilities is an analysis of the evidence with the + aim of identifying any potential vulnerabilities evident + through the contained information. It is an unstructured + analysis, as the approach is not predetermined. This + approach to the identification of potential + vulnerabilities can be used during the independent + vulnerability analysis required by . + + This analysis can be achieved through different + approaches, that will lead to commensurate levels of + confidence. None of the approaches have a rigid format + for the examination of evidence to be performed. + + The approach taken is directed by the results of the + evaluator's assessment of the evidence to determine it + meets the requirements of the / + sub-activities. Therefore, the investigation of the + evidence for the existence of potential vulnerabilities + may be directed by any of the following: + + + areas of concern identified during examination of + the evidence during the conduct of evaluation + activities; + + + reliance on particular functionality to provide + separation, identified during the analysis of the + architectural design (as in ), requiring further analysis to + determine it cannot be bypassed; + + + representative examination of the evidence to + hypothesise potential vulnerabilities in the + TOE. + + The evaluator will report what actions were taken to + identify potential vulnerabilities in the + evidence. However, the evaluator may not be able to + describe the steps in identifying potential + vulnerabilities before the outset of the + examination. The approach will evolve as a result of the + outcome of evaluation activities. 
+ + The areas of concern may arise from examination of any + of the evidence provided to satisfy the SARs specified + for the TOE evaluation. The information publicly + accessible is also considered. + + The activities performed by the evaluator can be + repeated and the same conclusions, in terms of the level + of assurance in the TOE, can be reached although the + steps taken to achieve those conclusions may vary. As + the evaluator is documenting the form the analysis took, + the actual steps taken to achieve those conclusions are + also reproducible. + + + + The methodical analysis approach takes the form of a + structured examination of the evidence. This method + requires the evaluator to specify the structure and form + the analysis will take (i.e. the manner in which the + analysis is performed is predetermined, unlike the + focused identification method). The method is specified + in terms of the information that will be considered and + how/why it will be considered. This approach to the + identification of potential vulnerabilities can be used + during the independent vulnerability analysis required + by and . + + This analysis of the evidence is deliberate and + pre-planned in approach, considering all evidence + identified as an input into the analysis. + + All evidence provided to satisfy the () assurance requirements specified in the + assurance package are used as input to the potential + vulnerability identification activity. + + The ``methodical'' descriptor for this analysis has been + used in an attempt to capture the characterisation that + this identification of potential vulnerabilities is to + take an ordered and planned approach. A ``method'' or + ``system'' is to be applied in the examination. 
The + evaluator is to describe the method to be used in terms + of what evidence will be considered, the information + within the evidence that is to be examined, the manner + in which this information is to be considered; and the + hypothesis that is to be generated. + + The following provide some examples that a hypothesis + may take: + + + consideration of malformed input for interfaces + available to an attacker at the external interfaces; + + + examination of a security mechanism, such as domain + separation, hypothesising internal buffer overflows + leading to degradation of separation; + + + analysis to identify any objects created in the TOE + implementation representation that are then not + fully controlled by the TSF, and could be used by an + attacker to undermine the SFRs. + + + + For example, the evaluator may identify that interfaces + are a potential area of weakness in the TOE and specify + an approach to the analysis that ``all interface + specifications provided in the functional specification + and TOE design will be analysed to hypothesise potential + vulnerabilities'' and go on to explain the methods used + in the hypothesis. + + This identification method will provide a plan of attack + of the TOE, that would be performed by an evaluator + completing penetration testing of potential + vulnerabilities in the TOE. The rationale for the method + of identification would provide the evidence for the + coverage and depth of exploitation determination that + would be performed on the TOE. + + + + + + + + Attack potential is used by a PP/ST author during the + development of the PP/ST, in consideration of the threat + environment and the selection of assurance components. This + may simply be a determination that the attack potential + possessed by the assumed attackers of the TOE is generically + characterised as Basic, Enhanced-Basic, Moderate or + High. 
Alternatively, the PP/ST may wish to specify + particular levels of individual factors assumed to be + possessed by attackers. (e.g. the attackers are assumed to + be experts in the TOE technology type, with access to + specialised equipment.) + + The PP/ST author considers the threat profile developed during a + risk assessment (outside the scope of the CC, but used as an + input into the development of the PP/ST in terms of the Security + Problem Definition or in the case of low assurance STs, the + requirements statement). Consideration of this threat profile in + terms of one of the approaches discussed in the following + sections will permit the specification of the attack potential + the TOE is to resist. + + + + Attack potential is especially considered by the evaluator + in two distinct ways during the ST evaluation and the + vulnerability assessment activities. + + Attack potential is used by an evaluator during the conduct + of the vulnerability analysis sub-activity to determine + whether or not the TOE is resistant to attacks assuming a + specific attack potential of an attacker. If the evaluator + determines that a potential vulnerability is exploitable in + the TOE, they have to confirm that it is exploitable + considering all aspects of the intended environment, + including the attack potential assumed by an + attacker. + + Therefore, using the information provided in the threat + statement of the Security Target, the evaluator determines + the minimum attack potential required by an attacker to + effect an attack, and arrives at some conclusion about the + TOE's resistance to attacks. Table demonstrates the relationship between this + analysis and attack potential. 
+ + + + + Vulnerability Component + TOE resistant to attacker with + attack potential of: + Residual vulnerabilities only + exploitable by attacker with attack potential + of: + + + + + VAN.5 + High + Beyond High + + + VAN.4 + Moderate + High + + + VAN.3 + Enhanced-Basic + Moderate + + + VAN.2 + Basic + Enhanced-Basic + + + VAN.1 + Basic + Enhanced-Basic + + + + Vulnerability testing and attack potential +
+ + The ``beyond high'' entry in the residual vulnerabilities + column of the above table represents those potential + vulnerabilities that would require an attacker to have an + attack potential greater than that of ``high'' in order to + exploit the potential vulnerability. A vulnerability + classified as residual in this instance reflects the fact + that a known weakness exists in the TOE, but in the current + operational environment, with the assumed attack potential, + the weakness cannot be exploited. + + At any level of attack potential a potential vulnerability + may be deemed ``infeasible'' due to a countermeasure in the + operational environment that prevents the vulnerability from + being exploited. + + A vulnerability analysis applies to all TSFI, including ones + that access probabilistic or permutational mechanisms. No + assumptions are made regarding the correctness of the design + and implementation of the TSFI; nor are constraints placed + on the attack method or the attacker's interaction with the + TOE - if an attack is possible, then it is to be considered + during the vulnerability analysis. As shown in Table , successful evaluation + against a vulnerability assurance component reflects that + the TSF is designed and implemented to protect against the + required level of threat. + + It is not necessary for an evaluator to perform an attack + potential calculation for each potential vulnerability. In + some cases it is apparent when developing the attack method + whether or not the attack potential required to develop and + run the attack method is commensurate with that assumed of + the attacker in the operational environment. For any + vulnerabilities for which an exploitation is determined, the + evaluator performs an attack potential calculation to + determine that the exploitation is appropriate to the level + of attack potential assumed for the attacker. 
+ + The approach described below is to be applied whenever it is + necessary to calculate attack potential, unless the evaluation + authority provides mandatory guidance that an alternative + approach is to be applied. The values given in Tables and + below are not mathematically proven. Therefore, the values given + in these example tables may need to be adjusted according to the + technology type and specific environments. The evaluator should + seek guidance from the evaluation authority. +
+
+ + + + Attack potential is a function of expertise, resources and + motivation. There are multiple methods of representing and + quantifying these factors. Also, there may be other factors + that are applicable for particular TOE types. + + + Motivation is an attack potential factor that can be used + to describe several aspects related to the attacker and + the assets the attacker desires. Firstly, motivation can + imply the likelihood of an attack - one can infer from a + threat described as highly motivated that an attack is + imminent, or that no attack is anticipated from an + un-motivated threat. However, except for the two extreme + levels of motivation, it is difficult to derive a + probability of an attack occurring from motivation. + + Secondly, motivation can imply the value of the asset, + monetarily or otherwise, to either the attacker or the + asset holder. An asset of very high value is more likely + to motivate an attack compared to an asset of little + value. However, other than in a very general way, it is + difficult to relate asset value to motivation because the + value of an asset is subjective - it depends largely upon + the value an asset holder places on it. + + Thirdly, motivation can imply the expertise and resources + with which an attacker is willing to effect an attack. One + can infer that a highly motivated attacker is likely to + acquire sufficient expertise and resources to defeat the + measures protecting an asset. Conversely, one can infer + that an attacker with significant expertise and resources + is not willing to effect an attack using them if the + attacker's motivation is low. + + During the course of preparing for and conducting an + evaluation, all three aspects of motivation are at some + point considered. The first aspect, likelihood of attack, + is what may inspire a developer to pursue an + evaluation. 
If the developer believes that the attackers + are sufficiently motivated to mount an attack, then an + evaluation can provide assurance of the ability of the TOE + to thwart the attacker's efforts. Where the operational + environment is well defined, for example in a system + evaluation, the level of motivation for an attack may be + known, and will influence the selection of + countermeasures. + + Considering the second aspect, an asset holder may believe + that the value of the assets (however measured) is + sufficient to motivate attack against them. Once an + evaluation is deemed necessary, the attacker's motivation + is considered to determine the methods of attack that may + be attempted, as well as the expertise and resources used + in those attacks. Once examined, the developer is able to + choose the appropriate assurance level, in particular the + requirement components, + commensurate with the attack potential for the + threats. During the course of the evaluation, and in + particular as a result of completing the vulnerability + assessment activity, the evaluator determines whether or + not the TOE, operating in its operational environment, is + sufficient to thwart attackers with the identified + expertise and resources. + + It may be possible for a PP author to quantify the + motivation of an attacker, as the PP author has greater + knowledge of the operational environment in which the TOE + (conforming to the requirements of the PP) is to be + placed. Therefore, the motivation could form an explicit + part of the expression of the attack potential in the PP, + along with the necessary methods and measures to quantify + the motivation. + + + + + This section examines the factors that determine attack + potential, and provides some guidelines to help remove some + of the subjectivity from this aspect of the evaluation + process. 
+ + + The determination of the attack potential for an attack + corresponds to the identification of the effort required to + create the attack, and to demonstrate that it can be + successfully applied to the TOE (including setting up or + building any necessary test equipment), thereby exploiting the + vulnerability in the TOE. The demonstration that the attack can + be successfully applied needs to consider any difficulties in + expanding a result shown in the laboratory to create a useful + attack. For example, where an experiment reveals some bits or + bytes of a confidential data item (such as a key), it is + necessary to consider how the remainder of the data item would + be obtained (in this example some bits might be measured + directly by further experiments, while others might be found by + a different technique such as exhaustive search). It may not be + necessary to carry out all of the experiments to identify the + full attack, provided it is clear that the attack actually + proves that access has been gained to a TOE asset, and that the + complete attack could realistically be carried out in + exploitation according to the + component targeted. In some cases the only way to prove that an + attack can realistically be carried out in exploitation + according to the component + targeted is to perform completely the attack and + then rate it based upon the resources actually required. + One of the outputs from the identification of a potential + vulnerability is assumed to be a script that gives a + step-by-step description of how to carry out the attack that can + be used in the exploitation of the vulnerability on another + instance of the TOE. + + In many cases, the evaluators will estimate the parameters + for exploitation, rather than carry out the full + exploitation. The estimates and their rationale will be + documented in the ETR. 
+ + + + The following factors should be considered during analysis + of the attack potential required to exploit a + vulnerability: + + + Time taken to identify and exploit ( + Elapsed Time); + + + Specialist technical expertise required ( + Specialist Expertise); + + + Knowledge of the TOE design and operation ( + Knowledge of the TOE); + + + + Window of opportunity; + + + + IT hardware/software or other + equipment required for + exploitation. + + + + In many cases these factors are not independent, but may be + substituted for each other in varying degrees. For example, + expertise or hardware/software may be a substitute for time. A + discussion of these factors follows. (The levels of each factor + are discussed in increasing order of magnitude.) When it is the + case, the less ``expensive'' combination is considered in the + exploitation phase. + Elapsed time is the total amount + of time taken by an attacker to identify that a particular + potential vulnerability may exist in the TOE, to develop an + attack method and to sustain effort required to mount the attack + against the TOE. When considering this factor, the worst case + scenario is used to estimate the amount of time required. The + identified amount of time is as follows: + less than one day;between one day and one week;between one week and two weeks;between two weeks and one month;each additional month up to 6 months leads to an + increased value;more than 6 months. + + Specialist expertise refers + to the level of generic knowledge of the underlying + principles, product type or attack methods (e.g. Internet + protocols, Unix operating systems, buffer overflows). 
The + identified levels are as follows: + + + Laymen are unknowledgeable compared to experts or + proficient persons, with no particular expertise; + + + Proficient persons are knowledgeable in that they are + familiar with the security behaviour of the product or + system type; + + + Experts are familiar with the underlying algorithms, + protocols, hardware, structures, security behaviour, + principles and concepts of security employed, + techniques and tools for the definition of new + attacks, cryptography, classical attacks for the + product type, attack methods, etc. implemented in the + product or system type. + + + The level ``Multiple Expert'' is introduced to allow for + a situation, where different fields of expertise are + required at an Expert level for distinct steps of an + attack. + + It may occur that several types of expertise are + required. By default, the higher of the different + expertises factors is chosen. In very specific cases, the + ``multiple expert'' level could be used but it should be + noted that the expertise must concern fields that are + strictly different like for example HW manipulation and + cryptography. + + + Knowledge of the TOE refers to + specific expertise in relation to the TOE. This is + distinct from generic expertise, but not unrelated to + it. Identified levels are as follows: + + + Public information concerning the TOE (e.g. as gained + from the Internet); + + + Restricted information concerning the TOE + (e.g. knowledge that is controlled within the + developer organisation and shared with other + organisations under a non-disclosure agreement) + + + Sensitive information about the TOE (e.g. knowledge + that is shared between discreet teams within the + developer organisation, access to which is constrained + only to members of the specified teams); + + + Critical information about the TOE (e.g. 
knowledge + that is known by only a few individuals, access to + which is very tightly controlled on a strict need to + know basis and individual undertaking). + + + + The knowledge of the TOE may graduate according to design + abstraction, although this can only be done on a TOE by + TOE basis. Some TOE designs may be public source (or + heavily based on public source) and therefore even the + design representation would be classified as public or at + most restricted, while the implementation representation + for other TOEs is very closely controlled as it would give + an attacker information that would aid an attack and is + therefore considered to be sensitive or even + critical. + + It may occur that several types of knowledge are + required. In such cases, the higher of the different + knowledge factors is chosen. + + + Window of opportunity + + (Opportunity) is also an important consideration, and has + a relationship to the Elapsed Time + factor. Identification or exploitation of a + vulnerability may require considerable amounts of access + to a TOE that may increase the likelihood of + detection. Some attack methods may require considerable + effort off-line, and only brief access to the TOE to + exploit. Access may also need to be continuous, or over a + number of sessions. + + For some TOEs the Window of + opportunity may equate to the number of + samples of the TOE that the attacker can obtain. This is + particularly relevant where attempts to penetrate the + TOE and undermine the SFRs may result in the destruction + of the TOE preventing use of that TOE sample for further + testing, e.g. hardware devices. Often in these cases + distribution of the TOE is controlled and so the + attacker must apply effort to obtain further samples of + the TOE. 
+
+ For the purposes of this discussion:
+
+
+ unnecessary/unlimited access means that the attack
+ doesn't need any kind of opportunity to be realised
+ because there is no risk of being detected during
+ access to the TOE and it is no problem to access the
+ number of TOE samples for the attack;
+
+ easy means that access is required for less than a day
+ and that the number of TOE samples required to perform
+ the attack is less than ten;
+
+ moderate means that access is required for less than a
+ month and that the number of TOE samples required to
+ perform the attack is less than one hundred;
+
+ difficult means that access is required for at least a
+ month or that the number of TOE samples required to
+ perform the attack is at least one hundred;
+
+ none means that the opportunity window is not
+ sufficient to perform the attack (the length for which
+ the asset to be exploited is available or is sensitive
+ is less than the opportunity length needed to perform
+ the attack - for example, if the asset key is changed
+ each week and the attack needs two weeks); another
+ case is, that a sufficient number of TOE samples
+ needed to perform the attack is not accessible to the
+ attacker - for example if the TOE is a hardware and
+ the probability to destroy the TOE during the attack
+ instead of being successful is very high and the
+ attacker has only access to one sample of the
+ TOE.
+
+ Consideration of this factor may result in determining
+ that it is not possible to complete the exploit, due to
+ requirements for time availability that are greater than
+ the opportunity time.
+
+
+ IT hardware/software or other equipment
+ refers to the equipment required to identify
+ or exploit a vulnerability.
+
+
+ Standard equipment is readily available to the
+ attacker, either for the identification of a
+ vulnerability or for an attack. This equipment may be
+ a part of the TOE itself (e.g. a debugger in an
+ operating system), or can be readily obtained
+ (e.g. Internet downloads, protocol analyser or simple
+ attack scripts).
+
+
+ Specialised equipment is not readily available to the attacker,
+ but could be acquired without undue effort. This could include
+ purchase of moderate amounts of equipment (e.g. power analysis
+ tools, use of hundreds of PCs linked across the Internet would
+ fall into this category), or development of more extensive
+ attack scripts or programs. If clearly different test benches
+ consisting of specialised equipment are required for distinct
+ steps of an attack this would be rated as bespoke.
+
+
+ Bespoke equipment is not readily available to the
+ public as it may need to be specially produced
+ (e.g. very sophisticated software), or because the
+ equipment is so specialised that its distribution is
+ controlled, possibly even restricted. Alternatively,
+ the equipment may be very expensive.
+
+ The level ``Multiple Bespoke'' is introduced to allow
+ for a situation, where different types of bespoke
+ equipment are required for distinct steps of an
+ attack.
+
+ Specialist expertise and Knowledge of the
+ TOE are concerned with the information
+ required for persons to be able to attack a TOE. There
+ is an implicit relationship between an attacker's
+ expertise (where the attacker may be one or more persons
+ with complementary areas of knowledge) and the ability
+ to effectively make use of equipment in an attack. The
+ weaker the attacker's expertise, the lower the potential
+ to use equipment (IT hardware/software or other
+ equipment). Likewise, the greater the expertise, the
+ greater the potential for equipment to be used in the
+ attack. Although implicit, this relationship between
+ expertise and the use of equipment does not always
+ apply, for instance, when environmental measures prevent
+ an expert attacker's use of equipment, or when, through
+ the efforts of others, attack tools requiring little
+ expertise to be effectively used are created and freely
+ distributed (e.g. via the Internet).
+
+
+
+ Table identifies the
+ factors discussed in the previous section and associates
+ numeric values with the total value of each factor.
+
+ Where a factor falls close to the boundary of a range the
+ evaluator should consider use of an intermediate value to those
+ in the table. For example, if twenty samples are required to
+ perform the attack then a value between one and four may be
+ selected for that factor, or if the design is based on a
+ publicly available design but the developer has made some
+ alterations then a value between zero and three should be
+ selected according to the evaluator's view of the impact of
+ those design changes. The table is intended as a guide.
+
+ The ``**'' specification in the table in considering
+ Window of Opportunity is not
+ to be seen as a natural progression from the timescales
+ specified in the preceding ranges associated with this
+ factor. This specification identifies that for a
+ particular reason the potential vulnerability cannot be
+ exploited in the TOE in its intended operational
+ environment. For example, access to the TOE may be
+ detected after a certain amount of time in a TOE with a
+ known environment (i.e. in the case of a system) where
+ regular patrols are completed, and the attacker could not
+ gain access to the TOE for the required two weeks
+ undetected. However, this would not be applicable to a TOE
+ connected to the network where remote access is possible,
+ or where the physical environment of the TOE is
+ unknown.
+
+
+
+
+
+ Factor
+
+
+ Value
+
+
+
+
+
+
+ Elapsed Time
+
+
+
+
+
+ <= one day
+
+ 0
+
+
+
+ <= one week
+
+ 1
+
+
+
+ <= two weeks
+
+ 2
+
+
+
+ <= one month
+
+ 4
+
+
+
+ <= two months
+
+ 7
+
+
+
+ <= three months
+
+ 10
+
+
+
+ <= four months
+
+ 13
+
+
+
+ <= five months
+
+ 15
+
+
+
+ <= six months
+
+ 17
+
+
+
+ > six months
+
+ 19
+
+
+
+ Expertise
+
+
+
+
+
+ Layman
+
+ 0
+
+
+
+ Proficient
+
+
+ 3*When several proficient persons are
+ required to complete the attack path, the
+ resulting level of expertise still remains
+ ``proficient'' (which leads to a 3
+ rating).
+
+
+
+ Expert
+
+ 6
+
+
+
+ Multiple experts
+
+ 8
+
+
+
+ Knowledge of TOE
+
+
+
+
+
+ Public
+
+ 0
+
+
+
+ Restricted
+
+ 3
+
+
+
+ Sensitive
+
+ 7
+
+
+
+ Critical
+
+ 11
+
+
+
+ Window of Opportunity
+
+
+
+
+
+ Unnecessary / unlimited access
+
+ 0
+
+
+
+ Easy
+
+ 1
+
+
+
+ Moderate
+
+ 4
+
+
+
+ Difficult
+
+ 10
+
+
+
+ None
+
+
+ **Indicates that the attack path is not
+ exploitable due to other measures in the
+ intended operational environment of the
+ TOE.
+
+
+
+
+ Equipment
+
+
+
+
+
+ Standard
+
+ 0
+
+
+
+ Specialised
+
+ 4If clearly different test benches
+ consisting of specialised equipment are required
+ for distinct steps of an attack, this should be
+ rated as bespoke.
+
+
+
+ Bespoke
+
+ 7
+
+
+
+ Multiple bespoke
+
+ 9
+
+
+
+
+ Calculation of attack potential
+
+
+ To determine the resistance of the TOE to the potential
+ vulnerabilities identified the following steps should be
+ applied:
+
+
+ Define the possible attack scenarios {AS1, AS2, ...,
+ ASn} for the TOE in the operational
+ environment.
+
+ For each attack scenario, perform a theoretical
+ analysis and calculate the relevant attack potential
+ using Table .
+
+ For each attack scenario, if necessary, perform
+ penetration tests in order to confirm or to disprove
+ the theoretical analysis.
+
+ Divide all attack scenarios {AS1, AS2, ..., ASn} into
+ two groups:
+
+
+ the attack scenarios having been successful
+ (i.e. those that have been used to successfully
+ undermine the SFRs), and
+
+ the attack scenarios that have been demonstrated
+ to be unsuccessful.
+
+
+
+ For each successful attack scenario, apply Table and determine, whether
+ there is a contradiction between the resistance of the
+ TOE and the chosen
+ assurance component, see the last column of Table .
+
+ Should one contradiction be found, the vulnerability
+ assessment will fail, e.g. the author of the ST chose
+ the component and an
+ attack scenario with an attack potential of 21 points
+ (high) has broken the security of the TOE. In this
+ case the TOE is resistant to attacker with attack
+ potential 'Moderate', this contradicts to , hence, the vulnerability
+ assessment fails.
+
+ The ``Values'' column of Table indicates the range of attack potential values
+ (calculated using Table ) of an
+ attack scenario that results in the SFRs being
+ undermined.
+
+
+
+
+
+ Values
+
+
+ Attack potential required to exploit scenario:
+
+
+ TOE resistant to attackers with attack potential
+ of:
+
+
+ Meets assurance components::
+
+
+ Failure of components:
+
+
+
+
+
+
+ 0-9
+
+ Basic
+
+ No rating
+
+ -
+
+ , , , ,
+
+
+
+
+ 10-13
+
+ Enhanced-Basic
+
+ Basic
+
+ ,
+
+ , ,
+
+
+
+ 14-19
+
+ Moderate
+
+ Enhanced-Basic
+
+ , ,
+
+ ,
+
+
+
+ 20-24
+
+ High
+
+ Moderate
+
+ , , ,
+
+
+
+
+
+ =>25
+
+ Beyond High
+
+ High
+
+ , , , ,
+
+
+ -
+
+
+
+ Rating of vulnerabilities and TOE
+ resistance
+
+
+ An approach such as this cannot take account of every
+ circumstance or factor, but should give a better
+ indication of the level of resistance to attack required
+ to achieve the standard ratings. Other factors, such as
+ the reliance on unlikely chance occurrences are not
+ included in the basic model, but can be used by an
+ evaluator as justification for a rating other than those
+ that the basic model might indicate.
+
+ It should be noted that whereas a number of
+ vulnerabilities rated individually may indicate high
+ resistance to attack, collectively the combination of
+ vulnerabilities may indicate that overall a lower rating
+ is applicable. The presence of one vulnerability may make
+ another easier to exploit.
+
+ If a PP/ST author wants to use the attack potential table for
+ the determination of the level of attack the TOE should
+ withstand (selection of Vulnerability analysis () component), he should proceed as
+ follows: For all different attack scenarios (i.e. for all
+ different types of attacker and/or different types of attack the
+ author has in mind) which must not violate the SFRs, several
+ passes through Table should be
+ made to determine the different values of attack potential
+ assumed for each such unsuccessful attack scenario. The PP/ST
+ author then chooses the highest value of them in order to
+ determine the level of the TOE resistance to be claimed from
+ Table : the TOE resistance must
+ be at least equal to this highest value determined. For
+ example, the highest value of attack potentials of all attack
+ scenarios, which must not undermine the TOE security policy,
+ determined in such a way is Moderate; hence, the TOE resistance
+ shall be at least Moderate (i.e. Moderate or High); therefore,
+ the PP/ST author can choose either (for Moderate) or
+ (for High) as the appropriate assurance component.
+
+
+
+
+
+
+
+ Mechanisms subject to direct attack are often vital for system
+ security and developers often strengthen these mechanisms. As
+ an example, a TOE might use a simple pass number
+ authentication mechanism that can be overcome by an attacker
+ who has the opportunity to repeatedly guess another user's
+ pass number. The system can strengthen this mechanism by
+ restricting pass numbers and their use in various ways. During
+ the course of the evaluation an analysis of this direct attack
+ could proceed as follows:
+
+ Information gleaned from the ST and design evidence reveals
+ that identification and authentication provides the basis upon
+ which to control access to network resources from widely
+ distributed terminals. Physical access to the terminals is not
+ controlled by any effective means. The duration of access to a
+ terminal is not controlled by any effective means. Authorised
+ users of the system choose their own pass numbers when
+ initially authorised to use the system, and thereafter upon
+ user request. The system places the following restrictions on
+ the pass numbers selected by the user:
+
+
+ the pass number must be at least four and no greater than
+ six digits long;
+
+
+ consecutive numerical sequences are disallowed (such as
+ 7,6,5,4,3);
+
+
+ repeating digits is disallowed (each digit must be
+ unique).
+
+
+
+ Guidance provided to the users at the time of pass number
+ selection is that pass numbers should be as random as possible
+ and should not be affiliated with the user in some way - a
+ date of birth, for instance.
+
+ The pass number space is calculated as follows:
+
+
+ Patterns of human usage are important considerations that
+ can influence the approach to searching a password
+ space. Assuming the worst case scenario and the user
+ chooses a number comprising only four digits, the number
+ of pass number permutations assuming that each digit must
+ be unique is:
+
+
+ The number of possible increasing sequences is seven, as
+ is the number of decreasing sequences. The pass number
+ space after disallowing sequences is:
+
+
+
+ Based on further information gleaned from the design evidence,
+ the pass number mechanism is designed with a terminal locking
+ feature. Upon the sixth failed authentication attempt the
+ terminal is locked for one hour. The failed authentication
+ count is reset after five minutes so that an attacker can at
+ best attempt five pass number entries every five minutes, or
+ 60 pass number entries every hour.
+
+ On average, an attacker would have to enter 2513 pass numbers,
+ over 2513 minutes, before entering the correct pass number. The
+ average successful attack would, as a result, occur in slightly
+ less than:
+
+ Using the approach to calculate the attack potential, described
+ in the previous section, identifies that it is possible that a
+ layman can defeat the mechanism within days (given easy access
+ to the TOE), with the use of standard equipment, and with no
+ knowledge of the TOE, giving a value of 1. Given the resulting
+ sum, 1, the attack potential required to effect a successful
+ attack is not rated, as it falls below that considered to be
+ Basic.
+
+
+
+
+ Table describes the
+ relationship between the composition assurance levels and the
+ assurance classes, families and components.
+
+
+
+ The Composed Assurance Packages (CAPs) provide an increasing
+ scale that balances the level of assurance obtained with the
+ cost and feasibility of acquiring that degree of assurance for
+ composed TOEs.
+
+ It is important to note that there are only a small number of
+ families and components from CC Part 3 included in the
+ CAPs. This is due to their nature of building upon evaluation
+ results of previously evaluated entities (base components and
+ dependent components), and is not to say that these do not
+ provide meaningful and desirable assurances.
+
+
+ CAPs are to be applied to composed TOEs, which are comprised
+ of components that have been (are going through) component TOE
+ evaluation (see ). The
+ individual components will have been certified to an EAL or
+ another assurance package specified in the ST. It is expected
+ that a basic level of assurance in a composed TOE will be
+ gained through application of EAL1, which can be achieved with
+ information about the components that is generally available
+ in the public domain. (EAL1 can be applied as specified
+ within to both component and composed TOEs.) CAPs provide an
+ alternative approach to obtaining higher levels of assurance
+ for a composed TOE than application of the EALs above
+ EAL1.
+
+ While a dependent component can be evaluated using a
+ previously evaluated and certified base component to satisfy
+ the IT platform requirements in the environment, this does not
+ provide any formal assurance of the interactions between the
+ components or the possible introduction of vulnerabilities
+ resulting from the composition. Composed assurance packages
+ consider these interactions and, at higher levels of
+ assurance, ensure that the interface between the components
+ has itself been the subject of testing. A vulnerability
+ analysis of the composed TOE is also performed to consider the
+ possible introduction of vulnerabilities as a result of
+ composing the components.
+
+ Table represents a summary
+ of the CAPs. The columns represent a hierarchically ordered
+ set of CAPs, while the rows represent assurance families. Each
+ number in the resulting matrix identifies a specific assurance
+ component where applicable.
+
+ As outlined in the next Subclause, three hierarchically
+ ordered composed assurance packages are defined in the CC for
+ the rating of a composed TOE's assurance. They are
+ hierarchically ordered inasmuch as each CAP represents more
+ assurance than all lower CAPs. The increase in assurance from
+ CAP to CAP is accomplished by substitution of a hierarchically
+ higher assurance component from the same assurance family
+ (i.e. increasing rigour, scope, and/or depth) and from the
+ addition of assurance components from other assurance families
+ (i.e. adding new requirements). These increases result in
+ greater analysis of the composition to identify the impact on
+ the evaluation results gained for the individual component
+ TOEs.
+
+ These CAPs consist of an appropriate combination of assurance
+ components as described in Clause of this CC Part 3. More
+ precisely, each CAP includes no more than one component of
+ each assurance family and all assurance dependencies of every
+ component are addressed.
+
+ The CAPs only consider resistance against an attacker with an
+ attack potential up to Enhanced-Basic. This is due to the level
+ of design information that can be provided through the , limiting some of the factors
+ associated with attack potential (knowledge of the composed TOE)
+ and subsequently affecting the rigour of vulnerability analysis
+ that can be performed by the evaluator. Therefore, the level of
+ assurance in the composed TOE is limited, although the assurance
+ in the individual components within the composed TOE may be much
+ higher.
+
+
+
+
+ The following Subclauses provide definitions of the CAPs,
+ highlighting differences between the specific requirements and
+ the prose characterisations of those requirements using bold
+ type.
+
+
+
+
+
+ Unlike the CC, where each element maintains the last digit of
+ its identifying symbol for all components within the family,
+ the CEM may introduce new work units when a CC evaluator
+ action element changes from sub-activity to sub-activity; as a
+ result, the last digit of the work unit's identifying symbol
+ may change although the work unit remains unchanged.
+
+ Any methodology-specific evaluation work required that is not
+ derived directly from CC requirements is termed
+ task or sub-task.
+
+
+
+ All work unit and sub-task verbs are preceded by the auxiliary
+ verb shall and by presenting both the verb
+ and the shall in
+
+ bold italic type face. The
+ auxiliary verb shall is used only when the
+ provided text is mandatory and therefore only within the work
+ units and sub-tasks. The work units and sub-tasks contain
+ mandatory activities that the evaluator must perform in order
+ to assign verdicts.
+
+ Guidance text accompanying work units and sub-tasks gives
+ further explanation on how to apply the CC words in an
+ evaluation. The verb usage is in accordance with ISO
+ definitions for these verbs. The auxiliary verb
+ should is used when the described method is
+ strongly preferred. All other auxiliary verbs, including
+ may, are used where the described method(s)
+ is allowed but is neither recommended nor strongly preferred;
+ it is merely explanation.
+
+ The verbs check, examine,
+ report and record are used
+ with a precise meaning within this part of the CEM and the
+ Clause should be
+ referenced for their definitions.
+
+
+
+ Material that has applicability to more than one sub-activity
+ is collected in one place. Guidance whose applicability is
+ widespread (across activities and EALs) has been collected
+ into . Guidance that
+ pertains to multiple sub-activities within a single activity
+ has been provided in the introduction to that activity. If
+ guidance pertains to only a single sub-activity, it is
+ presented within that sub-activity.
+
+
+
+ There are direct relationships between the CC structure
+ (i.e. class, family, component and element) and the structure
+ of the CEM. Figure illustrates the correspondence
+ between the CC constructs of class, family and evaluator
+ action elements and CEM activities, sub-activities and
+ actions. However, several CEM work units may result from the
+ requirements noted in CC developer action and content and
+ presentation elements.
+
+
+
+ For the purposes of this document, the following terms and
+ definitions apply.
+ Terms which are presented in bold-faced type are themselves
+ defined in this Subclause.
+ action
+
+ evaluator action element of the CC Part 3
+
+ These actions are either explicitly stated as evaluator
+ actions or implicitly derived from developer actions (implied
+ evaluator actions) within the CC Part 3 assurance components.
+
+ activity
+
+ application of an assurance class of the CC Part 3
+
+ check
+
+ generate a verdict by a simple comparison
+
+ Evaluator expertise is not required. The statement
+ that uses this verb describes what is mapped.
+
+ evaluation deliverable
+
+ any resource required from the sponsor or developer by the
+ evaluator or evaluation authority to perform one or more evaluation or
+ evaluation oversight activities
+
+ evaluation evidence
+ tangible evaluation deliverable
+ evaluation technical report
+
+ report that documents the overall verdict and its
+ justification, produced by the evaluator and submitted to an
+ evaluation authority
+ examine
+
+ generate a verdict by analysis using
+ evaluator expertise
+
+ The statement that uses this verb identifies what is analysed
+ and the properties for which it is analysed.
+
+ interpretation
+ clarification or amplification of a CC, CEM or
+ scheme requirement
+ methodology
+
+ system of principles, procedures and processes applied to IT
+ security evaluations
+
+ observation report
+
+ report written by the evaluator requesting a clarification
+ or identifying a problem during the evaluation
+
+ overall verdict
+ pass or fail statement issued by an
+ evaluator with respect to the result of an
+ evaluation
+
+ oversight verdict
+
+ statement issued by an evaluation authority confirming or
+ rejecting an overall verdict based on the
+ results of evaluation oversight activities
+
+ record
+
+ retain a written description of procedures, events,
+ observations, insights and results in sufficient detail to
+ enable the work performed during the evaluation to be
+ reconstructed at a later time
+
+ report
+
+ include evaluation results and supporting material in the
+ Evaluation Technical Report or an
+ Observation Report
+ scheme
+
+ set of rules, established by an evaluation authority,
+ defining the evaluation environment, including criteria and
+ methodology required to conduct IT security
+ evaluations
+
+ sub-activity
+
+ application of an assurance component of the CC Part 3
+
+ Assurance families are not explicitly addressed in the CEM
+ because evaluations are conducted on a single assurance
+ component from an assurance family.
+
+ tracing
+
+ simple directional relation between two sets of
+ entities, which shows which entities in the first set
+ correspond to which entities in the second
+
+ verdict
+ pass, fail or inconclusive statement issued
+ by an evaluator with respect to a CC evaluator action element,
+ assurance component, or class
+
+ Also see overall verdict.
+
+ work unit
+
+ most granular level of evaluation work
+
+ Each CEM action comprises one or more work units, which are
+ grouped within the CEM action by CC content and presentation
+ of evidence or developer action element. The work units are
+ presented in the CEM in the same order as the CC elements
+ from which they are derived. Work units are identified in
+ the left margin by a symbol such as . In this symbol, the
+ string
+ indicates the CC component (i.e. the CEM sub-activity), and
+ the final digit (2) indicates that this is
+ the second work unit in the
+ sub-activity.
+
+
+
+ The target audience for the Common Methodology for Information
+ Technology Security Evaluation (CEM) is primarily evaluators
+ applying the CC and certifiers confirming evaluator actions;
+ evaluation sponsors, developers, PP/ST authors and other parties
+ interested in IT security may be a secondary audience.
+
+ The CEM recognises that not all questions concerning IT security
+ evaluation will be answered herein and that further
+ interpretations will be needed. Individual schemes will
+ determine how to handle such interpretations, although these may
+ be subject to mutual recognition agreements. A list of
+ methodology-related activities that may be handled by individual
+ schemes can be found in .
+
+
+
+
+ Clause defines the
+ conventions used in the CEM.
+
+ Clause
+ describes general evaluation tasks with no verdicts associated
+ with them as they do not map to CC evaluator action
+ elements.
+
+ Clause addresses the work
+ necessary for reaching an evaluation result on a PP.
+
+ Clauses to define the evaluation activities, organised by
+ Assurance Classes.
+
+ covers the basic
+ evaluation techniques used to provide technical evidence of
+ evaluation results.
+
+ provides an explanation
+ of the Vulnerability Analysis criteria and examples of their
+ application
+
+
+
+
+ The following referenced documents are indispensable for the
+ application of this document. For dated references, only the
+ edition cited applies. For undated references, the latest
+ edition of the referenced document (including any amendments)
+ applies.
+
+ CC
+
+ Common Criteria for Information Technology Security
+ Evaluation, Version _CCVERSION_, revision _CCREVISION_,
+ _CCDATE_.
+
+
+
+
+
+ The Common Methodology for Information Technology Security
+ Evaluation (CEM) is a companion document to the Common Criteria
+ for Information Technology Security Evaluation (CC). The CEM
+ defines the minimum actions to be performed by an evaluator in
+ order to conduct a CC evaluation, using the criteria and
+ evaluation evidence defined in the CC.
+ The CEM does not define evaluator actions for certain high
+ assurance CC components, where there is as yet no generally
+ agreed guidance.
+
+
+
+ CEM
+
+ Common Methodology for Information Technology Security
+ Evaluation
+
+
+
+ ETR
+
+ Evaluation Technical Report
+
+
+
+ OR
+
+ Observation Report
+
+
+
+
+
+
+ Table describes the
+ relationship between the evaluation assurance levels and the
+ assurance classes, families and components.
+
+
+
+ The Evaluation Assurance Levels (EALs) provide an increasing
+ scale that balances the level of assurance obtained with the
+ cost and feasibility of acquiring that degree of assurance. The
+ CC approach identifies the separate concepts of assurance in a
+ TOE at the end of the evaluation, and of maintenance of that
+ assurance during the operational use of the TOE.
+
+ It is important to note that not all families and components
+ from CC Part 3 are included in the EALs. This is not to say that
+ these do not provide meaningful and desirable
+ assurances. Instead, it is expected that these families and
+ components will be considered for augmentation of an EAL in
+ those PPs and STs for which they provide utility.
+
+
+ Table represents a summary
+ of the EALs. The columns represent a hierarchically ordered
+ set of EALs, while the rows represent assurance families. Each
+ number in the resulting matrix identifies a specific assurance
+ component where applicable.
+
+ As outlined in the next Subclause, seven hierarchically
+ ordered evaluation assurance levels are defined in the CC for
+ the rating of a TOE's assurance. They are hierarchically
+ ordered inasmuch as each EAL represents more assurance than
+ all lower EALs. The increase in assurance from EAL to EAL is
+ accomplished by substitution of a hierarchically higher
+ assurance component from the same assurance family
+ (i.e. increasing rigour, scope, and/or depth) and from the
+ addition of assurance components from other assurance families
+ (i.e. adding new requirements).
+
+ These EALs consist of an appropriate combination of assurance
+ components as described in Clause of this CC Part 3. More
+ precisely, each EAL includes no more than one component of
+ each assurance family and all assurance dependencies of every
+ component are addressed.
+
+ While the EALs are defined in the CC, it is possible to
+ represent other combinations of assurance. Specifically, the
+ notion of ``augmentation'' allows the addition of assurance
+ components (from assurance families not already included in
+ the EAL) or the substitution of assurance components (with
+ another hierarchically higher assurance component in the same
+ assurance family) to an EAL. Of the assurance constructs
+ defined in the CC, only EALs may be augmented. The notion of
+ an ``EAL minus a constituent assurance component'' is not
+ recognised by the standard as a valid claim. Augmentation
+ carries with it the obligation on the part of the claimant to
+ justify the utility and added value of the added assurance
+ component to the EAL. An EAL may also be augmented with
+ extended assurance requirements.
+
+
+
+
+ The following Subclauses provide definitions of the EALs,
+ highlighting differences between the specific requirements and
+ the prose characterisations of those requirements using bold
+ type.
+
+
+
+
+
+ The objective of this clause is to cover general guidance
+ used to provide technical evidence of evaluation results. The
+ use of such general guidance helps in achieving objectivity,
+ repeatability and reproducibility of the work performed by the
+ evaluator.
+
+
+
+ This Subclause provides general guidance on sampling. Specific
+ and detailed information is given in those work units under
+ the specific evaluator action elements where sampling has to
+ be performed.
+
+ Sampling is a defined procedure of an evaluator whereby some
+ subset of a required set of evaluation evidence is examined
+ and assumed to be representative for the entire set. It allows
+ the evaluator to gain enough confidence in the correctness of
+ particular evaluation evidence without analysing the whole
+ evidence. The reason for sampling is to conserve resources
+ while maintaining an adequate level of assurance. Sampling of
+ the evidence can provide two possible outcomes:
+
+
+ The subset reveals no errors, allowing the evaluator to
+ have some confidence that the entire set is correct.
+
+
+ The subset reveals errors and therefore the validity of
+ the entire set is called into question. Even the
+ resolution of all errors that were found may be
+ insufficient to provide the evaluator the necessary
+ confidence and as a result the evaluator may have to
+ increase the size of the subset, or stop using sampling
+ for this particular evidence.
+
+
+
+ Sampling is a technique which can be used to reach a reliable
+ conclusion if a set of evidence is relatively homogeneous in
+ nature, e.g. if the evidence has been produced during a well
+ defined process.
+ + Sampling in the cases identified in the CC, and in cases + specifically covered in CEM work items, is recognised as a + cost-effective approach to performing evaluator + actions. Sampling in other areas is permitted only in + exceptional cases, where performance of a particular activity + in its entirety would require effort disproportionate to the + other evaluation activities, and where this would not add + correspondingly to assurance. In such cases a rationale for + the use of sampling in that area will need to be made. Neither + the fact that the TOE is large and complex, nor that it has + many security functional requirements, is sufficient + justification, since evaluations of large, complex TOEs can be + expected to require more effort. Rather it is intended that + this exception be limited to cases such as that where the TOE + development approach yields large quantities of material for a + particular CC requirement that would normally all need to be + checked or examined, and where such an action would not be + expected to raise assurance correspondingly. + + Sampling needs to be justified taking into account the + possible impact on the security objectives and threats of the + TOE. The impact depends on what might be missed as a result of + sampling. Consideration also needs to be given to the nature + of the evidence to be sampled, and the requirement not to + diminish or ignore any security functions. + + It should be recognised that sampling of evidence directly + related to the implementation of the TOE (e.g. developer test + results) requires a different approach to sampling, then + sampling related to the determination of whether a process is + being followed. In many cases the evaluator is required to + determine that a process is being followed, and a sampling + strategy is recommended. The approach for sampling a + developer's test results will differ. 
This is because the
+ former case is concerned with ensuring that a process is in
+ place, and the latter deals with determining correct
+ implementation of the TOE. Typically, larger sample sizes
+ should be analysed in cases related to the correct
+ implementation of the TOE than would be necessary to ensure
+ that a process is in place.
+
+ In certain cases it may be appropriate for the evaluator to
+ give greater emphasis to the repetition of developer
+ testing. For example if the independent tests left for the
+ evaluator to perform would be only superficially different
+ from those included in an extensive developer test set
+ (possibly because the developer has performed more testing
+ than necessary to satisfy the
+ and criteria) then it would
+ be appropriate for the evaluator to give greater focus to the
+ repetition of developer tests. Note that this does not
+ necessarily imply a requirement for a high percentage sample
+ for repetition of developer tests; indeed, given an extensive
+ developer test set, the evaluator may be able to justify a low
+ percentage sample.
+
+ Where the developer has used an automated test suite to
+ perform functional testing, it will usually be easier for the
+ evaluator to re-run the entire test suite rather than repeat
+ only a sample of developer tests. However the evaluator does
+ have an obligation to check that the automatic testing does
+ not give misrepresentative results. The implication is thus
+ that this check must be performed for a sample of the
+ automatic test suite, with the principles for selecting some
+ tests in preference to others and ensuring a sufficient sample
+ size applying equally in this case.
+
+ The following principles should be followed whenever sampling
+ is performed:
+
+
+ Sampling should not be random, rather it should be chosen
+ such that it is representative of all of the evidence. The
+ sample size and composition must always be justified.
+
+
+ When sampling relates to the correct implementation of the
+ TOE, the sample should be representative of all aspects
+ relevant to the areas that are sampled. In particular, the
+ selection should cover a variety of components,
+ interfaces, developer and operational sites (if more than
+ one is involved) and hardware platform types (if more than
+ one is involved). The sample size should be commensurate
+ with the cost effectiveness of the evaluation and will
+ depend on a number of TOE dependent factors (e.g. the size
+ and complexity of the TOE, the amount of documentation).
+
+
+ Also, when sampling relates to specifically gaining
+ evidence that the developer testing is repeatable and
+ reproducible the sample used must be sufficient to
+ represent all distinct aspects of developer testing, such
+ as different test regimes. The sample used must be
+ sufficient to detect any systematic problem in the
+ developer's functional testing process. The evaluator
+ contribution resulting from the combination of repeating
+ developer tests and performing independent tests must be
+ sufficient to address the major points of concern for the
+ TOE.
+
+
+ Where sampling relates to gaining evidence that a process
+ (e.g. visitor control or design review) the evaluator
+ should sample sufficient information to gain reasonable
+ confidence that the procedure is being followed.
+
+
+ The sponsor and developer should not be informed in
+ advance of the exact composition of the sample, subject to
+ ensuring timely delivery of the sample and supporting
+ deliverable, e.g. test harnesses and equipment to the
+ evaluator in accordance with the evaluation schedule.
+
+
+ The choice of the sample should be free from bias to the
+ degree possible (one should not always choose the first or
+ last item). Ideally the sample selection should be done by
+ someone other than the evaluator.
+
+
+
+ Errors found in the sample can be categorised as being either
+ systematic or sporadic.
If the error is systematic, the
+ problem should be corrected and a complete new sample
+ taken. If properly explained, sporadic errors might be solved
+ without the need for a new sample, although the explanation
+ should be confirmed. The evaluator should use judgement in
+ determining whether to increase the sample size or use a
+ different sample.
+
+
+
+ In general it is possible to perform the required evaluation
+ activities, sub-activities, and actions in any order or in
+ parallel. However, there are different kinds of dependencies
+ which have to be considered by the evaluator. This Subclause
+ provides general guidance on dependencies between different
+ activities, sub-activities, and actions.
+
+
+ For some cases the different assurance classes may recommend
+ or even require a sequence for the related activities. A
+ specific instance is the ST activity. The ST evaluation
+ activity is started prior to any TOE evaluation activities
+ since the ST provides the basis and context to perform
+ them. However, a final verdict on the ST evaluation may not
+ be possible until the TOE evaluation is complete, since
+ changes to the ST may result from activity findings during
+ the TOE evaluation.
+
+
+
+ Dependencies identified between components in CC Part 3 have
+ to be considered by the evaluator. Most dependencies are
+ one way, e.g. claims a
+ dependency on and . There are also instances of
+ mutual dependencies, where both components depend on each
+ other. An example of this is and .
+
+ A sub-activity can be assigned a pass verdict normally only
+ if all those sub-activities are successfully completed on
+ which it has a one-way dependency. For example, a pass
+ verdict on can normally
+ only be assigned if the sub-activities related to and are assigned a pass verdict too. In the case
+ of mutual dependency the ordering of these components is
+ down to the evaluator deciding which sub-activity to perform
+ first.
Note this indicates that pass verdicts can normally
+ only be assigned once both sub-activities have been
+ successful.
+
+ So when determining whether a sub-activity will impact
+ another sub-activity, the evaluator should consider whether
+ this activity depends on potential evaluation results from
+ any dependent sub-activities. Indeed, it may be the case
+ that a dependent sub-activity will impact this sub-activity,
+ requiring previously completed evaluator actions to be
+ performed again.
+
+ A significant dependency effect occurs in the case of
+ evaluator-detected flaws. If a flaw is identified as a
+ result of conducting one sub-activity, the assignment of a
+ pass verdict to a dependent sub-activity may not be possible
+ until all flaws related to the sub-activity upon which it
+ depends are resolved.
+
+
+
+ It may be the case, that results which are generated by the
+ evaluator during one action are used for performing another
+ action. For example, actions for completeness and
+ consistency cannot be completed until the checks for content
+ and presentation have been completed. This means for example
+ that the evaluator is recommended to evaluate the PP/ST
+ rationale after evaluating the constituent parts of the
+ PP/ST.
+
+
+
+
+
+ The assurance class includes
+ requirements for
+
+
+ the application of configuration management, ensuring
+ that the integrity of the TOE is preserved;
+
+
+ measures, procedures, and standards concerned with
+ secure delivery of the TOE, ensuring that the security
+ protection offered by the TOE is not compromised during
+ the transfer to the user,
+
+
+ security measures, used to protect the development
+ environment.
+
+
+
+ A development site visit is a useful means whereby the
+ evaluator determines whether procedures are being followed
+ in a manner consistent with that described in the
+ documentation.
+
+ Reasons for visiting sites include:
+
+
+ to observe the use of the CM system as described in the
+ CM plan;
+
+
+ to observe the practical application of delivery
+ procedures as described in the delivery documentation;
+
+
+ to observe the application of security measures during
+ development and maintenance of the TOE as described in
+ the development security documentation.
+
+
+
+ Specific and detailed information is given in work units for
+ those activities where site visits are performed:
+
+
+ .n with n>=3
+ (especially work unit = = );
+
+
+ (especially work unit
+ );
+
+
+ (especially work unit
+ = ).
+
+
+
+
+
+ During an evaluation it is often necessary that the
+ evaluator will meet the developer more than once and it is a
+ question of good planning to combine the site visit with
+ another meeting to reduce costs. For example one might
+ combine the site visits for configuration management, for
+ the developer's security and for delivery. It may also be
+ necessary to perform more than one site visit to the same
+ site to allow the checking of all development phases. It
+ should be considered that development could occur at
+ multiple facilities within a single building, multiple
+ buildings at the same site, or at multiple sites.
+
+ The first site visit should be scheduled early during the
+ evaluation. In the case of an evaluation which starts during
+ the development phase of the TOE, this will allow corrective
+ actions to be taken, if necessary. In the case of an
+ evaluation which starts after the development of the TOE, an
+ early site visit could allow corrective measures to be put
+ in place if serious deficiencies in the applied procedures
+ emerge. This avoids unnecessary evaluation effort.
+
+ Interviews are also a useful means of determining whether the
+ written procedures reflect what is done.
In conducting such
+ interviews, the evaluator aims to gain a deeper understanding of
+ the analysed procedures at the development site, how they are
+ used in practise and whether they are being applied as described
+ in the provided evaluation evidence. Such interviews complement
+ but do not replace the examination of evaluation
+ evidence.
+
+ As a first step preparing the site visits the evaluators
+ should perform the evaluator work units concerning the
+ assurance class excluding the
+ aspects describing the results of the site visit. Based on
+ the information provided by the relevant developer
+ documentation and the remaining open questions which were
+ not answered by the documentation the evaluators compile a
+ check list of the questions which are to be resolved by the
+ site visits.
+
+ The first version of the evaluation report concerning the
+ class and the check list serves
+ as input for the consultation with the evaluation authority
+ concerning the site visits.
+
+ The check list serve as a guide line for the site visits,
+ which questions are to be answered by inspection of the
+ relevant measures, their application and results, and by
+ interviews. Where appropriate, sampling is used for gaining
+ the required level of confidence (see Subclause ).
+
+ The results of the site visits are recorded and serve as
+ input for the final version of the evaluation report
+ concerning the assurance class .
+
+ Other approaches to gain confidence should be considered
+ that provide an equivalent level of assurance (e.g. to
+ analyse evaluation evidence). Any decision not to make a
+ visit should be determined in consultation with the
+ evaluation authority. Appropriate security criteria and a
+ methodology should be based on other standards of the
+ Information Security Management Systems area.
+
+
+
+ In the following some keywords are provided, which topics
+ should be checked during an audit.
+
+ Basic
+
+
+ Items of the configuration list, including TOE, source
+ code, run time libraries, design documentation,
+ development tools ().
+
+
+ Tracking of design documentation, source code, user
+ guidance to different versions of the TOE.
+
+
+ Integration of the configuration system in the design
+ and development process, test planning, test analysis
+ and quality management procedures.
+
+
+
+ Test analysis
+
+
+ Tracking of test plans and results to specific
+ configurations and versions of the TOE.
+
+
+
+ Access control to development systems
+
+
+ Policies for access control and logging.
+
+
+ Policies for project specific assignment and changing
+ of access rights.
+
+
+
+ Clearance
+
+
+ Policies for clearance of the TOE and user guidance to
+ the customer.
+
+
+ Policies for testing and approving of components and
+ the TOE before deployment.
+
+
+
+
+
+ Infrastructure
+
+
+ Security measures for physical access control to the
+ development site and rationale for the effectiveness
+ of these measures.
+
+
+
+ Organisational measures
+
+
+ Organisational structure of the company in respect of
+ the security of the development environment.
+
+
+ Organisational separation between development,
+ production, testing and quality assurance.
+
+
+
+ Personal measures
+
+
+ Measures for education of the personnel in respect of
+ development security.
+
+
+ Measures and legal agreements of non disclosure of
+ internal information.
+
+
+
+ Access control
+
+
+ Assignment of secured objects (for instance TOE,
+ source code, run time libraries, design documentation,
+ development tools, user guidance) and security
+ policies.
+
+
+ Policies and responsibilities concerning the access
+ control and the handling of authentication
+ information.
+
+
+ Policies for logging of any kind access to the
+ development site and protection of the logging data.
+ + + + Input, processing and output of data + + + Security measures for protection of output and output + devices (printer, plotter and displays). + + + Securing of local networks and communication + connections. + + + + Storage, transfer and destruction of documents and data + media. + + + Policies for handling of documents and data media. + + + Policies and responsibilities for destruction of + sorted out documents and logging of these events. + + + + Data protection + + + Policies and responsibilities for data and information + protection (e.g. for performing backups). + + + + Contingency plan + + + Practises in case of emergency and responsibilities. + + + Documentation of the contingency measures concerning + access control. + + + Information of the personnel about applicable + practises in extreme cases. protection (e.g. for + performing backups). + + + + + + + The examples of checklists for site visits consist in tables + for the preparation of an audit and for the presentation of + the results of an audit. + + The checklist structure given in the following is + preliminary. Dependent on the concrete contents of the new + guideline, changes might become necessary. + The checklist is divided into three subclauses according + to the subjects indicated in the introduction (Subclause ). + + + Configuration management system. + + + Delivery procedures. + + + Security measures during development. + + + These subclauses correspond to the actual CC class , especially the families .n with n>=3, and . + The subclauses are subdivided further into rows + corresponding to the relevant work units of the CEM. 
+
+ The columns of the checklist contain in turn
+
+
+ a consecutive number,
+
+
+ the referenced work unit,
+
+
+ the references to the corresponding developer
+ documentation,
+
+
+ the explicit reproduction of the developer measures,
+
+
+ special remarks and questions to be clarified on the
+ visit (beyond the standard evaluator task to verify the
+ application of the indicated measures),
+
+
+ the result of the examinations during the visit.
+
+
+ If it is decided to have separate checklists for
+ preparation and reporting of the audit, the result column is
+ omitted in the preparation list and the remarks and
+ questions column is omitted in the reporting list. The
+ remaining columns should be identical in both lists.
+
+ + Example of a checklist at EAL 4 (extract) + + + + + + A. Examination of the CM system ( and ) + + + + + No. + + + Work Unit + + + Developer Documentation + + + Measures + + + Questions and Remarks + + + Result + + + + + + + A.1 + + + , + + + + ``Configuration Management System'', ch. ... + + + The system automatically managing the source code + files is capable of administering user profiles and + graded access rights, and of checking identification + and authentication of users. + + + Does reading or updating of a source code file + require a user authentication? + + + If a user has not the right to access a confidential + document, it is not even displayed to him in the + file list. + + + + + ... + + + ... + + + ... + + + ... + + + ... + + + ... + + + + + + + + + B. Examination of the Delivery Procedures () + + + + + No. + + + Work Unit + + + Developer Documentation + + + Measures + + + Questions and Remarks + + + Result + + + + + + + B.1 + + + , + + + + ``Delivery of the TOE'', ch. ... + + + The software is transmitted PGP-signed and encrypted + to the customer. + + + --- + + + The evaluators have checked the process and found it + as described, additionally a checksum is + transmitted. + + + + + ... + + + ... + + + ... + + + ... + + + ... + + + ... + + + + + + + + + C. Examination of the organisational and + infrastructural developer security + (, + , + ) + + + + + No. + + + Work Unit + + + Developer Documentation + + + Measures + + + Questions and Remarks + + + Result + + + + + + + C.1 + + + , + + + + ``Security of the development environment'', + ch. ... (Premises) + + + The premises are protected by security fencing. + + + Is the fencing sufficiently strong and high to + prevent an easy intrusion into the premises? + + + The evaluators considered the fencing to be + sufficiently strong and high. + + + + + C.2 + + + , + + + + ``Security of the development environment'', + ch. ... 
(Building) + + + The building has the following access possibilities: + The main entrance which is surveyed by the reception + and is closed if the reception is not manned. And an + access in the goods reception which is secured by + two roller shutters. + + + Is the listing of the access possibilities complete? + + + Beyond the indicated access possibilities, there is + an emergency exit that cannot be opened from the + outside. The roller shutters mentioned before can be + operated only from inside. + + + + + ... + + + ... + + + ... + + + ... + + + ... + + + ... + + + + +
+
+
+
+
+ This CEM describes the minimum technical work that evaluations
+ conducted under oversight (scheme) bodies must
+ perform. However, it also recognises (both explicitly and
+ implicitly) that there are activities or methods upon which
+ mutual recognition of evaluation results do not rely. For the
+ purposes of thoroughness and clarity, and to better delineate
+ where the CEM ends and an individual scheme's methodology
+ begins, the following matters are left up to the discretion of
+ the schemes. Schemes may choose to provide the following,
+ although they may choose to leave some unspecified. (Every
+ effort has been made to ensure this list is complete;
+ evaluators encountering a subject neither listed here nor
+ addressed in the CEM should consult with their evaluation
+ schemes to determine under whose auspices the subject
+ falls.)
+
+ The matters that schemes may choose to specify include:
+
+
+ what is required in ensuring that an evaluation was done
+ sufficiently - every scheme has a means of verifying the
+ technical competence, understanding of work and the work
+ of its evaluators, whether by requiring the evaluators to
+ present their findings to the oversight body, by requiring
+ the oversight body to redo the evaluator's work, or by
+ some other means that assures the scheme that all
+ evaluation bodies are adequate and comparable;
+
+
+ process for disposing of evaluation evidence upon
+ completion of an evaluation;
+
+
+ any requirements for confidentiality (on the part of the
+ evaluator and the non-disclosure of information obtained
+ during evaluation);
+
+
+ the course of action to be taken if a problem is
+ encountered during the evaluation (whether the evaluation
+ continues once the problem is remedied, or the evaluation
+ ends immediately and the remedied product must be
+ re-submitted for evaluation);
+
+
+ any specific (natural) language in which documentation
+ must be provided;
+
+
+ any recorded evidence that must be
submitted in the ETR -
+ this CEM specifies the minimum to be reported in an ETR;
+ however, individual schemes may require additional
+ information to be included;
+
+
+ any additional reports (other than the ETR) required from
+ the evaluators -for example, testing reports;
+
+
+ any specific ORs that may be required by the scheme,
+ including the structure, recipients, etc. of any such ORs;
+
+
+ any specific content structure of any written report as a
+ result from an ST evaluation - a scheme may have a
+ specific format for all of its reports detailing results
+ of an evaluation, be it the evaluation of a TOE or of an
+ ST;
+
+
+ any additional PP/ST identification information required;
+
+
+ any activities to determine the suitability of
+ explicitly-stated requirements in an ST;
+
+
+ any requirements for provision of evaluator evidence to
+ support re-evaluation and re-use of evidence;
+
+
+ any specific handling of scheme identifiers, logos,
+ trademarks, etc.;
+
+
+ any specific guidance in dealing with cryptography;
+
+
+ handling and application of scheme, national and
+ international interpretations;
+
+
+ a list or characterisations of suitable alternative
+ approaches to testing where testing is infeasible;
+
+
+ the mechanism by which an evaluation authority can determine what
+ steps an evaluator took while testing;
+
+
+ preferred test approach (if any): at internal interface or
+ at external interface;
+
+
+ a list or characterisation of acceptable means of
+ conducting the evaluator's vulnerability analysis
+ (e.g. flaw hypothesis methodology);
+
+
+ information regarding any vulnerabilities and weaknesses
+ to be considered.
+
+
+
+
+
+
+
+ The following annexes through provide the application notes for the functional
+ classes defined in the main body of this part of the CC.
+
+
+ For the purposes of this document, the terms, definitions,
+ symbols and abbreviated terms given in CC Part 1 apply.
+
+
+ Security functional components, as defined in this CC Part 2, are
+ the basis for the security functional requirements expressed in a
+ Protection Profile (PP) or a Security Target (ST). These
+ requirements describe the desired security behaviour expected of a
+ Target of Evaluation (TOE) and are intended to meet the security
+ objectives as stated in a PP or an ST. These requirements describe
+ security properties that users can detect by direct interaction
+ (i.e. inputs, outputs) with the IT or by the IT response to
+ stimulus.
+
+ Security functional components express security requirements
+ intended to counter threats in the assumed operating environment
+ of the TOE and/or cover any identified organisational security
+ policies and assumptions.
+
+ The audience for this CC Part 2 includes consumers, developers,
+ and evaluators of secure IT products. CC Part 1
+ Chapter provides additional
+ information on the target audience of the CC, and on the use of
+ the CC by the groups that comprise the target audience. These
+ groups may use this part of the CC as follows:
+
+
+ Consumers, who use this CC Part 2 when selecting components to
+ express functional requirements to satisfy the security
+ objectives expressed in a PP or ST. CC Part 1 Section provides more detailed
+ information on the relationship between security objectives
+ and security requirements.
+
+
+ Developers, who respond to actual or perceived consumer
+ security requirements in constructing a TOE, may find a
+ standardised method to understand those requirements in this
+ part of the CC.
They can also use the contents of this part of
+ the CC as a basis for further defining the TOE security
+ functionality and mechanisms that comply with those
+ requirements.
+
+
+ Evaluators, who use the functional requirements defined in
+ this part of the CC in verifying that the TOE functional
+ requirements expressed in the PP or ST satisfy the IT security
+ objectives and that all dependencies are accounted for and
+ shown to be satisfied. Evaluators also should use this part of
+ the CC to assist in determining whether a given TOE satisfies
+ stated requirements.
+
+
+
+
+
+ The CC and the associated security functional requirements
+ described herein are not meant to be a definitive answer to all
+ the problems of IT security. Rather, the CC offers a set of well
+ understood security functional requirements that can be used to
+ create trusted products reflecting the needs of the market. These
+ security functional requirements are presented as the current
+ state of the art in requirements specification and
+ evaluation.
+
+ This part of the CC does not presume to include all possible
+ security functional requirements but rather contains those that
+ are known and agreed to be of value by the CC Part 2 authors at
+ the time of release.
+
+ Since the understanding and needs of consumers may change, the
+ functional requirements in this part of the CC will need to be
+ maintained. It is envisioned that some PP/ST authors may have
+ security needs not (yet) covered by the functional requirement
+ components in CC Part 2. In those cases the PP/ST author may
+ choose to consider using functional requirements not taken from
+ the CC (referred to as extensibility), as explained in annexes
+ and
+ of
+ CC Part 1.
+
+
+
+ Clause
+ describes the paradigm used in the security functional
+ requirements of CC Part 2.
+
+ Clause
+ introduces the catalogue of CC Part 2 functional components
+ while clauses through describe the functional classes.
+
+ provides explanatory information for potential
+ users of the functional components including a complete cross
+ reference table of the functional component dependencies.
+
+ through provide the explanatory information for the
+ functional classes. This material must be seen as normative
+ instructions on how to apply relevant operations and select
+ appropriate audit or documentation information; the use of the
+ auxiliary verb should means that the instruction is strongly
+ preferred, but others may be justifiable. Where different
+ options are given, the choice is left to the PP/ST
+ author.
+
+ Those who author PPs or STs should refer to clause 2 of CC Part
+ 1 for relevant structures, rules, and guidance:
+
+
+ CC Part 1, clause
+ defines the terms used in the CC.
+
+
+ CC Part 1, annex defines the
+ structure for STs.
+
+
+ CC Part 1, annex defines the
+ structure for PPs.
+
+
+
+
+
+ The following referenced documents are indispensable for the
+ application of this document. For dated references, only the
+ edition cited applies. For undated references, the latest edition
+ of the referenced document (including any amendments) applies.CC
+ Common Criteria for Information Technology Security
+ Evaluation, Version _CCVERSION_, revision _CCREVISION_,
+ _CCDATE_. Part 1: Introduction and general model.
+
+
+ This part of the CC defines the required structure and content
+ of security functional components for the purpose of security
+ evaluation. It includes a catalogue of functional components
+ that will meet the common security functionality requirements
+ of many IT products.
+
+
+ This chapter describes the paradigm used in the security
+ functional requirements of this part of the CC. Key concepts
+ discussed are highlighted in bold/italics. This section is not
+ intended to replace or supersede any of the terms found in CC Part
+ 1, chapter .
+
+ This part of the CC is a catalogue of security functional
+ components that can be specified for a Target of
+ Evaluation (TOE). A TOE is a set of software, firmware
+ and/or hardware possibly accompanied by user and administrator
+ guidance documentation. A TOE may contain resources such as
+ electronic storage media (e.g. main memory, disk space),
+ peripheral devices (e.g. printers), and computing capacity (e.g.
+ CPU time) that can be used for processing and storing
+ information and is the subject of an evaluation.
+
+ TOE evaluation is concerned primarily with ensuring that a defined
+ set of security functional requirements (SFRs) is
+ enforced over the TOE resources. The SFRs define the rules by
+ which the TOE governs access to and use of its resources, and thus
+ information and services controlled by the TOE.
+
+ The SFRs may define multiple Security Function Policies
+ (SFPs) to represent the rules that the TOE must enforce. Each such SFP
+ must specify its scope of control, by defining the subjects,
+ objects, resources or information, and operations to which it applies. All
+ SFPs are implemented by the TSF (see below), whose mechanisms enforce the
+ rules defined in the SFRs and provide necessary capabilities.
+
+ Those portions of a TOE that must be relied on for the correct
+ enforcement of the SFRs are collectively referred to as the
+ TOE Security Functionality (TSF). The TSF consists of
+ all hardware, software, and firmware of a TOE that is either
+ directly or indirectly relied upon for security enforcement.
+
+ The TOE may be a monolithic product containing hardware, firmware,
+ and software.
+
+ Alternatively a TOE may be a distributed product that consists
+ internally of multiple separated parts. Each of these parts of the
+ TOE provides a particular service for the TOE, and is connected to
+ the other parts of the TOE through an internal communication
+ channel.
This channel can be as small as a processor bus,
+ or may encompass a network internal to the TOE.
+
+ When the TOE consists of multiple parts, each part of the TOE may
+ have its own part of the TSF which exchanges user and TSF data
+ over internal communication channels with other parts of the
+ TSF. This interaction is called internal TOE
+ transfer. In this case the separate parts of the TSF
+ abstractly form the composite TSF, which enforces the SFRs.
+
+ TOE interfaces may be localised to the particular TOE, or they may
+ allow interaction with other IT products over external
+ communication channels. These external interactions with
+ other IT products may take two forms:
+
+
+ The SFRs of the other ``trusted IT product'' and the SFRs of
+ the TOE have been administratively coordinated and the other
+ trusted IT product is assumed to enforce its SFRs correctly
+ (e. g. by being separately evaluated). Exchanges of
+ information in this situation are called inter-TSF
+ transfers, as they are between the TSFs of distinct
+ trusted products.
+
+
+ The other IT product may not be trusted, it may be called an
+ ``untrusted IT product''. Therefore its SFRs are either
+ unknown or their implementation is not viewed as
+ trustworthy. TSF mediated exchanges of information in this
+ situation are called transfers outside of the
+ TOE, as there is no TSF (or its policy characteristics
+ are unknown) on the other IT product.
+
+
+ The set of interfaces, whether interactive (man-machine
+ interface) or programmatic (application programming interface),
+ through which resources are accessed that are mediated by the TSF,
+ or information is obtained from the TSF, is referred to as the
+ TSF Interface (TSFI). The TSFI defines the boundaries
+ of the TOE functionality that provide for the enforcement of the
+ SFRs.
+
+ Users are outside of the TOE.
However, in order to request that
+ services be performed by the TOE that are subject to rules
+ defined in the SFRs, users interact with the TOE through the
+ TSFIs. There are two types of users of interest to CC Part 2:
+ human users and external IT
+ entities. Human users may further be differentiated as
+ local human users, meaning they interact directly
+ with the TOE via TOE devices (e.g. workstations), or
+ remote human users, meaning they interact
+ indirectly with the TOE through another IT product.
+
+ A period of interaction between users and the TSF is referred to
+ as a user session. Establishment of user sessions can
+ be controlled based on a variety of considerations, for example:
+ user authentication, time of day, method of accessing the TOE, and
+ number of allowed concurrent sessions (per user or in total).
+
+ This part of the CC uses the term authorised to
+ signify a user who possesses the rights and/or privileges
+ necessary to perform an operation. The term authorised
+ user, therefore, indicates that it is allowable for a user
+ to perform a specific operation or a set of operations as defined
+ by the SFRs.
+
+ To express requirements that call for the separation of
+ administrator duties, the relevant security functional
+ components (from family )
+ explicitly state that administrative roles are
+ required. A role is a pre-defined set of rules establishing the
+ allowed interactions between a user operating in that role and
+ the TOE. A TOE may support the definition of any number of
+ roles. For example, roles related to the secure operation of a
+ TOE may include ``Audit Administrator'' and ``User Accounts
+ Administrator''.
+
+ TOEs contain resources that may be used for the
+ processing and storing of information. The primary goal of the TSF
+ is the complete and correct enforcement of the SFRs over the
+ resources and information that the TOE controls.
+
+ TOE resources can be structured and utilised in many different
+ ways.
However, CC Part 2 makes a specific distinction that allows + for the specification of desired security properties. All entities + that can be created from resources can be characterised in one of + two ways. The entities may be active, meaning that they are the + cause of actions that occur internal to the TOE and cause + operations to be performed on information. Alternatively, the + entities may be passive, meaning that they are either the + container from which information originates or to which + information is stored. + + Active entities in the TOE that perform operations on objects are + referred to as subjects. Several types of subjects + may exist within a TOE: + + + those acting on behalf of an authorised user (e.g. UNIX + processes); + + + those acting as a specific functional process that may in turn + act on behalf of multiple users (e.g. functions as might be + found in client/server architectures); or + + + those acting as part of the TOE itself (e.g. processes not + acting on behalf of a user). + + + + CC Part 2 addresses the enforcement of the SFRs over types of + subjects as those listed above. + + Passive entities in the TOE that contain or receive information + and upon which subjects perform operations are called + objects. In the case where a subject (an active + entity) is the target of an operation (e.g. interprocess + communication), a subject may also be acted on as an object. + + Objects can contain information. This concept is + required to specify information flow control policies as addressed + in the FDP class. + + Users, subjects, information, objects, sessions and resources + controlled by rules in the SFRs may possess certain + attributes that contain information that is used by + the TOE for its correct operation. 
Some attributes, such as file + names, may be intended to be informational or may be used to + identify individual resources while others, such as access control + information, may exist specifically for the enforcement of the + SFRs. These latter attributes are generally referred to as + ``security attributes''. The word attribute will be + used as a shorthand in some places of this part of the CC for the + word ``security attribute''. However, no matter what the intended + purpose of the attribute information, it may be necessary to have + controls on attributes as dictated by the SFRs. + + Data in a TOE is categorised as either user data or TSF + data. Figure depicts this + relationship. User Data is information stored in TOE + resources that can be operated upon by users in accordance with + the SFRs and upon which the TSF places no special meaning. For + example, the content of an electronic mail message is user + data. TSF Data is information used by the TSF in making decisions + as required by the SFRs. TSF Data may be influenced + by users if allowed by the SFRs. Security attributes, + authentication data, TSF internal status variables used by the + rules defined in the SFRs or used for the protection of the TSF + and access control list entries are examples of TSF data. + + There are several SFPs that apply to data protection such as + access control SFPs and information flow + control SFPs. The mechanisms that implement access control + SFPs base their policy decisions on attributes of the users, + resources, subjects, objects, sessions, TSF status data and + operations within the scope of control. These attributes are used + in the set of rules that govern operations that subjects may + perform on objects. + + The mechanisms that implement information flow control SFPs base + their policy decisions on the attributes of the subjects and + information within the scope of control and the set of rules that + govern the operations by subjects on information. 
The attributes + of the information, which may be associated with the attributes of + the container or may be derived from the data in the container, + stay with the information as it is processed by the TSF. +
+
+ Two specific types of TSF data addressed by CC Part 2 can be, but
+ are not necessarily, the same. These are authentication
+ data and secrets.
+
+ Authentication data is used to verify the claimed identity of a
+ user requesting services from a TOE. The most common form of
+ authentication data is the password, which depends on being kept
+ secret in order to be an effective security mechanism. However,
+ not all forms of authentication data need to be kept
+ secret. Biometric authentication devices (e.g. fingerprint
+ readers, retinal scanners) do not rely on the fact that the data
+ is kept secret, but rather that the data is something that only
+ one user possesses and that cannot be forged.
+
+ The term secrets, as used in CC Part 2, while applicable to
+ authentication data, is intended to also be applicable to other
+ types of data that must be kept secret in order to enforce a
+ specific SFP. For example, a trusted channel mechanism that
+ relies on cryptography to preserve the confidentiality of
+ information being transmitted via the channel can only be as
+ strong as the method used to keep the cryptographic keys secret
+ from unauthorised disclosure.
+
+ Therefore, some, but not all, authentication data needs to be kept
+ secret and some, but not all, secrets are used as authentication
+ data. Figure shows this relationship
+ between secrets and authentication data. In the Figure the types
+ of data typically encountered in the authentication data and the
+ secrets sections are indicated.
+
+
+
+
+
+ This clause provides an overview of the evaluation process
+ and defines the tasks an evaluator is intended to perform when
+ conducting an evaluation.
+
+ Each evaluation, whether of a PP or TOE (including ST),
+ follows the same process, and has four evaluator tasks in
+ common: the input task, the output task, the evaluation
+ sub-activities, and the demonstration of the technical
+ competence to the evaluation authority task.
+
+ The input task and the output tasks, which are related to
+ management of evaluation evidence and to report generation,
+ are entirely described in this clause. Each task has
+ associated sub-tasks that apply to, and are normative for all
+ CC evaluations (evaluation of a PP or a TOE).
+
+ The evaluation sub-activities are only introduced in this
+ clause, and fully described in the following clauses.
+
+ In contrast to the evaluation sub-activities, input and output
+ tasks have no verdicts associated with them as they do not map
+ to CC evaluator action elements; they are performed in order
+ to ensure conformance with the universal principles and to
+ comply with the CEM.
+
+ The demonstration of the technical competence to the
+ evaluation authority task may be fulfilled by the evaluation
+ authority analysis of the output tasks results, or may include
+ the demonstration by the evaluators of their understanding of
+ the inputs for the evaluation sub-activities. This task has no
+ associated evaluator verdict, but has an evaluator authority
+ verdict. The detailed criteria to pass this task are left to
+ the discretion of the evaluation authority, as noted in Annex
+ .
+
+
+
+
+ This subclause presents the general model of the methodology
+ and identifies:
+
+
+ roles and responsibilities of the parties involved in
+ the evaluation process;
+
+
+ the general evaluation model.
+
+
+
+
+
+ The general model defines the following roles: sponsor,
+ developer, evaluator and evaluation authority.
+
+ The sponsor is responsible for requesting and supporting an
+ evaluation. This means that the sponsor establishes the
+ different agreements for the evaluation (e.g. commissioning
+ the evaluation). Moreover, the sponsor is responsible for
+ ensuring that the evaluator is provided with the evaluation
+ evidence.
+
+ The developer produces the TOE and is responsible for
+ providing the evidence required for the evaluation
+ (e.g. training, design information), on behalf of the
+ sponsor.
+
+ The evaluator performs the evaluation tasks required in the
+ context of an evaluation: the evaluator receives the
+ evaluation evidence from the developer on behalf of the
+ sponsor or directly from the sponsor, performs the
+ evaluation sub-activities and provides the results of the
+ evaluation assessment to the evaluation authority.
+
+ The evaluation authority establishes and maintains the
+ scheme, monitors the evaluation conducted by the evaluator,
+ and issues certification/validation reports as well as
+ certificates based on the evaluation results provided by the
+ evaluator.
+
+
+
+ To prevent undue influence from improperly affecting an
+ evaluation, some separation of roles is required. This
+ implies that the roles described above are fulfilled by
+ different entities, except that the roles of developer and
+ sponsor may be satisfied by a single entity.
+
+ Moreover, some evaluations (e.g. EAL1 evaluation) may not
+ require the developer to be involved in the project. In this
+ case, it is the sponsor who provides the TOE to the
+ evaluator and who generates the evaluation evidence.
+
+
+
+ The evaluation process consists of the evaluator performing
+ the evaluation input task, the evaluation output task and
+ the evaluation sub-activities. Figure provides an overview of
+ the relationship between these tasks and
+ sub-activities.
+
+
+ The evaluation process may be preceded by a preparation
+ phase where initial contact is made between the sponsor and
+ the evaluator. The work that is performed and the
+ involvement of the different roles during this phase may
+ vary. It is typically during this step that the evaluator
+ performs a feasibility analysis to assess the likelihood of
+ a successful evaluation.
+
+
+
+ The evaluator assigns verdicts to the requirements of the CC
+ and not to those of the CEM. The most granular CC structure
+ to which a verdict is assigned is the evaluator action
+ element (explicit or implied). A verdict is assigned to an
+ applicable CC evaluator action element as a result of
+ performing the corresponding CEM action and its constituent
+ work units. Finally, an evaluation result is assigned, as
+ described in CC Part 1, Clause .
+
+ + The CEM recognises three mutually exclusive verdict states: + + + Conditions for a pass verdict are + defined as an evaluator completion of the CC evaluator + action element and determination that the requirements + for the PP, ST or TOE under evaluation are met. The + conditions for passing the element are defined as: + + + the constituent work units of the related CEM + action, and; + + + all evaluation evidence required for performing + these work units is coherent, that is it can be + fully and completely understood by the evaluator, + and + + + all evaluation evidence required for performing + these work units does not have any obvious internal + inconsistencies or inconsistencies with other + evaluation evidence. Note that obvious means here + that the evaluator discovers this inconsistency + while performing the work units: the evaluator + should not undertake a full consistency analysis + across the entire evaluation evidence every time a + work unit is performed. + + + + + Conditions for a fail verdict are + defined as an evaluator completion of the CC evaluator + action element and determination that the requirements + for the PP, ST, or TOE under evaluation are not met, or + that the evidence is incoherent, or an obvious + inconsistency in the evaluation evidence has been found; + + + All verdicts are initially inconclusive + and remain so until either a pass or + fail verdict is assigned. + + + + The overall verdict is pass if and only if + all the constituent verdicts are also + pass. In the example illustrated in Figure + , if the verdict for one + evaluator action element is fail then the + verdicts for the corresponding assurance component, + assurance class, and overall verdict are also + fail. + + + + + + The objective of this task is to ensure that the evaluator + has available the correct version of the evaluation evidence + necessary for the evaluation and that it is adequately + protected. 
Otherwise, the technical accuracy of the + evaluation cannot be assured, nor can it be assured that the + evaluation is being conducted in a way to provide repeatable + and reproducible results. + + + + The responsibility to provide all the required evaluation + evidence lies with the sponsor. However, most of the + evaluation evidence is likely to be produced and supplied by + the developer, on behalf of the sponsor. + + Since the assurance requirements apply to the entire TOE, + all evaluation evidence pertaining to all parts of the TOE + is to be made available to the evaluator. The scope and + required content of such evaluation evidence is independent + of the level of control that the developer has over each of + the parts of the TOE. For example, if design is required, + then the requirements will + apply to all subsystems that are part of the TSF. In + addition, assurance requirements that call for procedures to + be in place (for example, + and ) will also apply to the + entire TOE (including any part produced by another + developer). + + It is recommended that the evaluator, in conjunction with + the sponsor, produce an index to required evaluation + evidence. This index may be a set of references to the + documentation. This index should contain enough information + (e.g. a brief summary of each document, or at least an + explicit title, indication of the subclauses of interest) to + help the evaluator to find easily the required + evidence. + + It is the information contained in the evaluation evidence + that is required, not any particular document + structure. Evaluation evidence for a sub-activity may be + provided by separate documents, or a single document may + satisfy several of the input requirements of a + sub-activity. + + The evaluator requires stable and formally-issued versions + of evaluation evidence. 
However, draft evaluation evidence + may be provided during an evaluation, for example, to help + an evaluator make an early, informal assessment, but is not + used as the basis for verdicts. It may be helpful for the + evaluator to see draft versions of particular appropriate + evaluation evidence, such as: + + + test documentation, to allow the evaluator to make an + early assessment of tests and test procedures; + + + design documents, to provide the evaluator with + background for understanding the TOE design; + + + source code or hardware drawings, to allow the evaluator + to assess the application of the developer's standards. + + + + Draft evaluation evidence is more likely to be encountered + where the evaluation of a TOE is performed concurrently with + its development. However, it may also be encountered during + the evaluation of an already-developed TOE where the + developer has had to perform additional work to address a + problem identified by the evaluator (e.g. to correct an + error in design or implementation) or to provide evaluation + evidence of security that is not provided in the existing + documentation (e.g. in the case of a TOE not originally + developed to meet the requirements of the CC). + + + + + The evaluator shall perform configuration control of the + evaluation evidence. + + The CC implies that the evaluator is able to identify and + locate each item of evaluation evidence after it has been + received and is able to determine whether a specific + version of a document is in the evaluator's + possession. + + The evaluator shall protect the evaluation evidence from + alteration or loss while it is in the evaluator's + possession. + + + + Schemes may wish to control the disposal of evaluation + evidence at the conclusion of an evaluation. 
The disposal + of the evaluation evidence should be achieved by one or + more of: + + + returning the evaluation evidence; + + + archiving the evaluation evidence; + + + destroying the evaluation evidence. + + + + + + An evaluator may have access to sponsor and developer + commercially-sensitive information (e.g. TOE design + information, specialist tools), and may have access to + nationally-sensitive information during the course of an + evaluation. Schemes may wish to impose requirements for + the evaluator to maintain the confidentiality of the + evaluation evidence. The sponsor and evaluator may + mutually agree to additional requirements as long as these + are consistent with the scheme. + + Confidentiality requirements affect many aspects of + evaluation work, including the receipt, handling, storage + and disposal of evaluation evidence. + + + + + + The evaluation sub-activities vary depending whether it is a + PP or a TOE evaluation. Moreover, in the case of a TOE + evaluation, the sub-activities depend upon the selected + assurance requirements. + + + + + The objective of this Subclause is to describe the Observation + Report (OR) and the Evaluation Technical Report + (ETR). Schemes may require additional evaluator reports such + as reports on individual units of work, or may require + additional information to be contained in the OR and the + ETR. The CEM does not preclude the addition of information + into these reports as the CEM specifies only the minimum + information content. + + Consistent reporting of evaluation results facilitates the + achievement of the universal principle of repeatability and + reproducibility of results. The consistency covers the type and + the amount of information reported in the ETR and OR. ETR and OR + consistency among different evaluations is the responsibility of + the evaluation authority. 
+
+ The evaluator performs the two following sub-tasks in order
+ to achieve the CEM requirements for the information content
+ of reports:
+
+
+ write OR sub-task (if needed in the context of the
+ evaluation);
+
+
+ write ETR sub-task.
+
+
+
+
+
+ The evaluator delivers the ETR to the evaluation authority,
+ as well as any ORs as they become available. Requirements
+ for controls on handling the ETR and ORs are established by
+ the scheme which may include delivery to the sponsor or
+ developer. The ETR and ORs may include sensitive or
+ proprietary information and may need to be sanitised before
+ they are given to the sponsor.
+
+
+
+ In this version of the CEM, the requirements for the
+ provision of evaluator evidence to support re-evaluation and
+ re-use have not been explicitly stated. Where information
+ for re-evaluation or re-use is required by the sponsor, the
+ scheme under which the evaluation is being performed should
+ be consulted.
+
+
+
+ ORs provide the evaluator with a mechanism to request a
+ clarification (e.g. from the evaluation authority on the application of a
+ requirement) or to identify a problem with an aspect of the
+ evaluation.
+
+ In the case of a fail verdict, the evaluator shall provide
+ an OR to reflect the evaluation result. Otherwise, the
+ evaluator may use ORs as one way of expressing clarification
+ needs.
+
+ For each OR, the evaluator shall report the following:
+
+
+ the identifier of the PP or TOE evaluated;
+
+
+ the evaluation task/sub-activity during which the
+ observation was generated;
+
+
+ the observation;
+
+
+ the assessment of its severity (e.g. implies a fail
+ verdict, holds up progress on the evaluation, requires a
+ resolution prior to evaluation being completed);
+
+
+ the identification of the organisation responsible for
+ resolving the issue;
+
+
+ the recommended timetable for resolution;
+
+
+ the assessment of the impact on the evaluation of
+ failure to resolve the observation.
+
+
+
+ The intended audience of an OR and procedures for handling the
+ report depend on the nature of the report's content and on the
+ scheme. Schemes may distinguish different types of ORs or define
+ additional types, with associated differences in required
+ information and distribution (e.g. evaluation ORs to evaluation authorities
+ and sponsors).
+
+
+
+
+ The evaluator shall provide an ETR to present technical
+ justification of the verdicts.
+
+ The CEM defines the ETR's minimum content requirement;
+ however, schemes may specify additional content and
+ specific presentational and structural requirements. For
+ instance, schemes may require that certain introductory
+ material (e.g. disclaimers and copyright Clauses) be
+ reported in the ETR.
+
+ The reader of the ETR is assumed to be familiar with
+ general concepts of information security, the CC, the CEM,
+ evaluation approaches and IT.
+
+ The ETR supports the evaluation authority to confirm that
+ the evaluation was done to the required standard, but it
+ is anticipated that the documented results may not provide
+ all of the necessary information, so additional
+ information specifically requested by the scheme may be
+ necessary. This aspect is outside the scope of the
+ CEM.
+
+
+
+ This Subclause describes the minimum content of the ETR for
+ a PP evaluation. The contents of the ETR are portrayed in
+ Figure ; this figure
+ may be used as a guide when constructing the structural
+ outline of the ETR document.
+
+
+
+ The evaluator shall report evaluation scheme
+ identifiers.
+
+ Evaluation scheme identifiers (e.g. logos) are the
+ information required to unambiguously identify the
+ scheme responsible for the evaluation oversight.
+
+ The evaluator shall report ETR configuration control
+ identifiers.
+
+ The ETR configuration control identifiers contain
+ information that identifies the ETR (e.g. name, date and
+ version number).
+
+ The evaluator shall report PP configuration control
+ identifiers.
+
+ PP configuration control identifiers (e.g. name, date and
+ version number) are required to identify what is being evaluated
+ in order for the evaluation authority to verify that the verdicts have been
+ assigned correctly by the evaluator.
+
+ The evaluator shall report the identity of the
+ developer.
+
+ The identity of the PP developer is required to identify
+ the party responsible for producing the PP.
+
+ The evaluator shall report the identity of the
+ sponsor.
+
+ The identity of the sponsor is required to identify the
+ party responsible for providing evaluation evidence to
+ the evaluator.
+
+ The evaluator shall report the identity of the
+ evaluator.
+
+ The identity of the evaluator is required to identify
+ the party performing the evaluation and responsible for
+ the evaluation verdicts.
+
+
+
+ The evaluator shall report the evaluation methods,
+ techniques, tools and standards used.
+
+ The evaluator references the evaluation criteria,
+ methodology and interpretations used to evaluate the
+ PP.
+
+ The evaluator shall report any constraints on the
+ evaluation, constraints on the handling of evaluation
+ results and assumptions made during the evaluation that
+ have an impact on the evaluation results.
+
+ The evaluator may include information in relation to
+ legal or statutory aspects, organisation,
+ confidentiality, etc.
+
+
+
+ The evaluator shall report a verdict and a supporting
+ rationale for each assurance component that constitutes
+ an activity, as a result of
+ performing the corresponding CEM action and its
+ constituent work units.
+
+ The rationale justifies the verdict using the CC, the
+ CEM, any interpretations and the evaluation evidence
+ examined and shows how the evaluation evidence does or
+ does not meet each aspect of the criteria. It contains a
+ description of the work performed, the method used, and
+ any derivation of results. The rationale may provide
+ detail to the level of a CEM work unit.
+
+
+
+ The evaluator shall report the conclusions of the
+ evaluation, in particular the overall verdict as defined
+ in CC Part 1 Clause , and determined by application
+ of the verdict assignment described in .
+
+ The evaluator provides recommendations that may be useful for
+ the evaluation authority. These recommendations may include shortcomings of
+ the PP discovered during the evaluation or mention of features
+ which are particularly useful.
+
+
+
+ The evaluator shall report for each item of evaluation
+ evidence the following information:
+
+
+ the issuing body (e.g. the developer, the sponsor);
+
+
+ the title;
+
+
+ the unique reference (e.g. issue date and version
+ number).
+
+
+
+
+
+ The evaluator shall report any acronyms or abbreviations
+ used in the ETR.
+
+ Glossary definitions already defined by the CC or CEM
+ need not be repeated in the ETR.
+
+
+
+ The evaluator shall report a complete list that uniquely
+ identifies the ORs raised during the evaluation and
+ their status.
+
+ For each OR, the list should contain its identifier as
+ well as its title or a brief summary of its
+ content.
+
+
+
+
+ This Subclause describes the minimum content of the ETR for
+ a TOE evaluation. The contents of the ETR are portrayed in
+ Figure ; this figure
+ may be used as a guide when constructing the structural
+ outline of the ETR document.
+
+
+
+ The evaluator shall report evaluation scheme
+ identifiers.
+
+ Evaluation scheme identifiers (e.g. logos) are the
+ information required to unambiguously identify the
+ scheme responsible for the evaluation oversight.
+
+ The evaluator shall report ETR configuration control
+ identifiers.
+
+ The ETR configuration control identifiers contain
+ information that identifies the ETR (e.g. name, date and
+ version number).
+
+ The evaluator shall report ST and TOE configuration
+ control identifiers.
+
+ ST and TOE configuration control identifiers identify
+ what is being evaluated in order for the evaluation authority to
+ verify that the verdicts have been assigned correctly by
+ the evaluator.
+
+ If the ST claims that the TOE conforms to the
+ requirements of one or more PPs, the ETR shall report
+ the reference of the corresponding PPs.
+
+ The PPs reference contains information that uniquely
+ identifies the PPs (e.g. title, date, and version
+ number).
+
+ The evaluator shall report the identity of the
+ developer.
+
+ The identity of the TOE developer is required to
+ identify the party responsible for producing the
+ TOE.
+
+ The evaluator shall report the identity of the
+ sponsor.
+
+ The identity of the sponsor is required to identify the
+ party responsible for providing evaluation evidence to
+ the evaluator.
+
+ The evaluator shall report the identity of the
+ evaluator.
+
+ The identity of the evaluator is required to identify
+ the party performing the evaluation and responsible for
+ the evaluation verdicts.
+
+
+
+ The evaluator shall report a high level description of
+ the TOE and its major components based on the evaluation
+ evidence described in the CC assurance family entitled
+ , where
+ applicable.
+
+ The intent of this Subclause is to characterise the degree
+ of architectural separation of the major components. If
+ there is no requirement
+ in the ST, this is not applicable and is considered to
+ be satisfied.
+ + + + The evaluator shall report the evaluation methods, + techniques, tools and standards used. + + The evaluator may reference the evaluation criteria, + methodology and interpretations used to evaluate the TOE + or the devices used to perform the tests. + + The evaluator shall report any constraints on the + evaluation, constraints on the distribution of + evaluation results and assumptions made during the + evaluation that have an impact on the evaluation + results. + + The evaluator may include information in relation to + legal or statutory aspects, organisation, + confidentiality, etc. + + + + For each activity on which the TOE is evaluated, the + evaluator shall report: + + + the title of the activity considered; + + + a verdict and a supporting rationale for each + assurance component that constitutes this activity, + as a result of performing the corresponding CEM + action and its constituent work units. + + + + The rationale justifies the verdict using the CC, the + CEM, any interpretations and the evaluation evidence + examined and shows how the evaluation evidence does or + does not meet each aspect of the criteria. It contains a + description of the work performed, the method used, and + any derivation of results. The rationale may provide + detail to the level of a CEM work unit. + + The evaluator shall report all information specifically + required by a work unit. + + For the and activities, work units that identify + information to be reported in the ETR have been + defined. + + + + The evaluator shall report the conclusions of the + evaluation, which will relate to whether the TOE has + satisfied its associated ST, in particular the overall + verdict as defined in CC Part 1 Clause , and determined by + application of the verdict assignment described in . + + The evaluator provides recommendations that may be useful for + the evaluation authority. 
These recommendations may include shortcomings of + the IT product discovered during the evaluation or mention of + features which are particularly useful. + + + + The evaluator shall report for each item of evaluation + evidence the following information: + + + the issuing body (e.g. the developer, the sponsor); + + + the title; + + + the unique reference (e.g. issue date and version + number). + + + + + + The evaluator shall report any acronyms or abbreviations + used in the ETR. + + Glossary definitions already defined by the CC or CEM + need not be repeated in the ETR. + + + + The evaluator shall report a complete list that uniquely + identifies the ORs raised during the evaluation and + their status. + + For each OR, the list should contain its identifier as + well as its title or a brief summary of its + content. + + + + + + + The CC permits comparability between the results of independent + security evaluations. The CC does so by providing a common set + of requirements for the security functionality of IT products + and for assurance measures applied to these IT products during a + security evaluation. These IT products may be implemented in + hardware, firmware or software. + The evaluation process establishes a level of confidence that + the security functionality of these IT products and the + assurance measures applied to these IT products meet these + requirements. The evaluation results may help consumers to + determine whether these IT products fulfil their security needs. + The CC is useful as a guide for the development, evaluation + and/or procurement of IT products with security functionality. + The CC is intentionally flexible, enabling a range of evaluation + methods to be applied to a range of security properties of a + range of IT products. Therefore users of the standard are + cautioned to exercise care that this flexibility is not + misused. 
For example, using the CC in conjunction with + unsuitable evaluation methods, irrelevant security properties, + or inappropriate IT products, may result in meaningless + evaluation results. + Consequently, the fact that an IT product has been evaluated has + meaning only in the context of the security properties that were + evaluated and the evaluation methods that were used. Evaluation + authorities are advised to carefully check the products, + properties and methods to determine that an evaluation will + provide meaningful results. Additionally, purchasers of + evaluated products are advised to carefully consider this + context to determine whether the evaluated product is useful and + applicable to their specific situation and needs. + The CC addresses protection of assets from unauthorised + disclosure, modification, or loss of use. The categories of + protection relating to these three types of failure of security + are commonly called confidentiality, integrity, and + availability, respectively. The CC may also be applicable + to aspects of IT security outside of these three. The CC + is applicable to risks arising from human activities (malicious + or otherwise) and to risks arising from non-human + activities. Apart from IT security, the CC may be applied + in other areas of IT, but makes no claim of applicability in + these areas. + Certain topics, because they involve specialised techniques or + because they are somewhat peripheral to IT security, are + considered to be outside the scope of the CC. Some of these are + identified below. + + The CC does not contain security evaluation criteria + pertaining to administrative security measures not related + directly to the IT security functionality. However, it is + recognised that significant security can often be achieved + through or supported by administrative measures such as + organisational, personnel, physical, and procedural + controls. 
+
+ The evaluation of some technical physical aspects of IT
+ security such as electromagnetic emanation control is not
+ specifically covered, although many of the concepts
+ addressed will be applicable to that area.
+
+ The CC does not address the evaluation methodology
+ under which the criteria should be applied. This methodology
+ is given in the CEM.
+
+ The CC does not address the administrative and legal
+ framework under which the criteria may be applied by
+ evaluation authorities. However, it is expected that the CC
+ will be used for evaluation purposes in the context of such
+ a framework.
+
+ The procedures for use of evaluation results in
+ accreditation are outside the scope of the CC. Accreditation
+ is the administrative process whereby authority is granted
+ for the operation of an IT product (or collection thereof)
+ in its full operational environment including all of its
+ non-IT parts. The results of the evaluation process are an
+ input to the accreditation process. However, as other
+ techniques are more appropriate for the assessments of
+ non-IT related properties and their relationship to the IT
+ security parts, accreditors should make separate provisions
+ for those aspects.
+
+ The subject of criteria for the assessment of the inherent
+ qualities of cryptographic algorithms is not covered in the
+ CC. Should independent assessment of mathematical properties
+ of cryptography be required, the evaluation scheme under
+ which the CC is applied must make provision for such
+ assessments.
+
+ ISO terminology, such as "can", "informative", "may",
+ "normative", "shall" and "should" used throughout the document
+ are defined in the ISO/IEC Directives, Part 2. Note that the
+ term "should" has an additional meaning applicable when using
+ this standard. See the note below. The following definition is
+ given for the use of ``should'' in the CC.
+ should
+
+ within normative text, ``should'' indicates ``that among
+ several possibilities one is recommended as particularly
+ suitable, without mentioning or excluding others, or that a
+ certain course of action is preferred but not necessarily
+ required.'' (ISO/IEC Directives, Part 2).
+
+ The CC interprets ``not necessarily required'' to mean
+ that the choice of another possibility requires a justification
+ of why the preferred option was not chosen.
+
+ This part of the CC establishes the general concepts and
+ principles of IT security evaluation and specifies the general
+ model of evaluation given by various parts of the standard which
+ in its entirety is meant to be used as the basis for evaluation
+ of security properties of IT products.
+ Part one provides an overview of all parts of the CC
+ standard. It describes the various parts of the standard;
+ defines the terms and abbreviations to be used in all parts of
+ the standard; establishes the core concept of a Target of
+ Evaluation (TOE); the evaluation context and describes the
+ audience to which the evaluation criteria are addressed. An
+ introduction to the basic security concepts necessary for
+ evaluation of IT products is given.
+ It defines the various operations by which the functional and
+ assurance components given in CC Part 2 and CC Part 3 may be
+ tailored through the use of permitted operations.
+ The key concepts of protection profiles (PP), packages of
+ security requirements and the topic of conformance are specified
+ and the consequences of evaluation, evaluation results are
+ described. This part of the CC gives guidelines for the
+ specification of Security Targets (ST) and provides a
+ description of the organization of components throughout the
+ model. General information about the evaluation methodology are
+ given in the CEM and the scope of evaluation schemes is
+ provided.
+ The following referenced documents are indispensable for the
+ application of this CC part 1. For dated references, only the
+ edition cited applies. For undated references, the latest
+ edition of the referenced document (including any amendments)
+ applies.CC-2
+ Common Criteria for Information Technology Security
+ Evaluation, Version _CCVERSION_, revision _CCREVISION_,
+ _CCDATE_. Part 2: Functional security components.
+ CC-3
+ Common Criteria for Information Technology Security
+ Evaluation, Version _CCVERSION_, revision _CCREVISION_,
+ _CCDATE_. Part 3: Assurance security components.
+ CEM
+ Common Methodology for Information Technology Security
+ Evaluation, Version _CCVERSION_, revision _CCREVISION_,
+ _CCDATE_.
+
+ For the purpose of the CC, the following terms and definitions
+ apply.
+ This Clause contains only
+ those terms which are used in a specialised way throughout the
+ CC. Some combinations of common terms used in the CC, while not
+ meriting inclusion in this Clause , are explained for clarity in the context
+ where they are used.
+ adverse actions
+
+ actions performed by a threat agent on an asset
+
+ assets
+
+ entities that the owner of the TOE presumably places value upon
+
+ assignment
+
+ the specification of an identified parameter in a component
+ (of the CC) or requirement
+
+ assurance
+
+ grounds for confidence that a TOE meets the SFRs
+
+ attack potential
+
+ measure of the effort to be expended in attacking a TOE,
+ expressed in terms of an attacker's expertise, resources and
+ motivation
+
+ augmentation
+
+ addition of one or more requirement(s) to a package
+
+ authentication data
+
+ information used to verify the claimed identity of a user
+
+ authorised user
+
+ TOE user who may, in accordance with the SFRs, perform an operation
+
+ class
+
+ set of CC families that share a common focus
+
+ coherent
+
+ logically ordered and having discernible meaning
+
+ For documentation, this addresses both the actual text and
+ the structure of the document, in terms of whether it is
+ understandable by its target audience.
+
+ complete
+
+ property where all necessary parts of an entity have been provided
+
+ In terms of documentation, this means that all relevant
+ information is covered in the documentation, at such a level
+ of detail that no further explanation is required at that
+ level of abstraction.
+
+ component
+
+ smallest selectable set of elements on which requirements
+ may be based
+
+ composed assurance package
+
+ assurance package consisting of requirements drawn from
+ CC Part 3 (predominately from the class), representing a point on the CC
+ predefined composition assurance scale
+
+ confirm
+
+ declare that something has been reviewed in detail with an
+ independent determination of sufficiency
+
+ The level of rigour required depends on the nature of the subject
+ matter. This term is only applied to evaluator actions.
+
+ connectivity
+
+ property of the TOE allowing interaction with IT entities
+ external to the TOE
+
+ This includes exchange of data by wire or by wireless means,
+ over any distance in any environment or configuration.
+
+ consistent
+
+ relationship between two or more entities such that there
+ are no apparent contradictions between these entities
+
+ counter, verb
+
+ meet an attack where the impact of a particular threat is
+ mitigated but not necessarily eradicated
+
+ demonstrable conformance
+
+ relation between an ST and a PP, where the ST provides a
+ solution which solves the generic security problem in the PP
+
+ The PP and the ST may contain entirely different statements
+ that discuss different entities, use different concepts
+ etc. Demonstrable conformance is also suitable for a TOE
+ type where several similar PPs already exist, thus allowing
+ the ST author to claim conformance to these PPs
+ simultaneously, thereby saving work.
+
+ demonstrate
+
+ provide a conclusion gained by an analysis which is less
+ rigorous than a ``proof''
+
+ dependency
+
+ relationship between components such that if a requirement
+ based on the depending component is included in a PP, ST or
+ package, a requirement based on the component that is
+ depended upon must normally also be included in the PP, ST
+ or package
+
+ describe
+
+ provide specific details of an entity
+
+ determine
+
+ affirm a particular conclusion based on independent analysis
+ with the objective of reaching a particular conclusion
+
+ The usage of this term implies a truly independent analysis,
+ usually in the absence of any previous analysis having been
+ performed.
Compare with the terms ``confirm'' or
+ ``verify'' which imply that an analysis has already been
+ performed which needs to be reviewed
+
+ development environment
+
+ environment in which the TOE is developed
+
+ element
+
+ indivisible statement of a security need
+
+ ensure
+
+ guarantee a strong causal relationship between an action and
+ its consequences
+
+ When this term is preceded by the word ``help'' it indicates
+ that the consequence is not fully certain, on the basis of
+ that action alone.
+
+ evaluation
+
+ assessment of a PP, an ST or a TOE, against defined criteria
+
+ evaluation assurance level
+
+ set of assurance requirements drawn from CC Part 3,
+ representing a point on the CC predefined assurance scale,
+ that form an assurance package
+
+ evaluation authority
+
+ body that sets the standards and monitors the quality of
+ evaluations conducted by bodies within a specific community
+ and implements the CC for that community by means of an
+ evaluation scheme
+
+ evaluation scheme
+
+ administrative and regulatory framework under which the CC
+ is applied by an evaluation authority within a specific
+ community
+
+ exhaustive
+
+ characteristic of a methodical approach taken to perform an
+ analysis or activity according to an unambiguous plan
+
+ This term is used in the CC with respect to conducting an
+ analysis or other activity. It is related to ``systematic''
+ but is considerably stronger, in that it indicates not only
+ that a methodical approach has been taken to perform the
+ analysis or activity according to an unambiguous plan, but
+ that the plan that was followed is sufficient to ensure that
+ all possible avenues have been exercised.
+
+ explain
+
+ give argument accounting for the reason for taking a course
+ of action
+
+ This term differs from both ``describe'' and
+ ``demonstrate''.
It is intended to answer the question
+ ``Why?'' without actually attempting to argue that the
+ course of action that was taken was necessarily optimal.
+
+ extension
+
+ addition to an ST or PP of functional requirements not
+ contained in CC Part 2 and/or assurance requirements not
+ contained in CC Part 3
+
+ external entity
+
+ human or IT entity possibly interacting with the TOE from
+ outside of the TOE boundary
+
+ family
+
+ set of components that share a similar goal but differ in
+ emphasis or rigour
+
+ formal
+
+ expressed in a restricted syntax language with defined
+ semantics based on well-established mathematical concepts
+
+ guidance documentation
+
+ documentation that describes the delivery, preparation,
+ operation, management and/or use of the TOE
+
+ identity
+
+ representation uniquely identifying entities (e.g. a user, a
+ process or a disk) within the context of the TOE
+
+ An example of such a representation is a string. For a human
+ user, the representation can be the full or abbreviated name
+ or a (still unique) pseudonym.
+
+ informal
+
+ expressed in natural language
+
+ inter TSF transfers
+
+ communicating data between the TOE and the security
+ functionality of other trusted IT products
+
+ internal communication channel
+
+ communication channel between separated parts of the TOE
+
+ internal TOE transfer
+
+ communicating data between separated parts of the TOE
+
+ internally consistent
+
+ no apparent contradictions exist between any aspects of an
+ entity
+
+ In terms of documentation, this means that there can be no
+ statements within the documentation that can be taken to
+ contradict each other.
+
+ iteration
+
+ use of the same component to express two or more distinct
+ requirements
+
+ justification
+
+ analysis leading to a conclusion
+
+ ``Justification'' is more rigorous than a
+ demonstration.
This term requires significant rigour in
+ terms of very carefully and thoroughly explaining every step
+ of a logical argument.
+
+ object
+
+ passive entity in the TOE, that contains or receives
+ information, and upon which subjects perform operations
+
+ operation (on a component of the CC)
+
+ modification or repetition of a component
+
+ Allowed operations on components are assignment, iteration,
+ refinement and selection.
+
+ operation (on an object)
+
+ specific type of action performed by a subject on an object
+
+ operational environment
+
+ environment in which the TOE is operated
+
+ organisational security policy
+
+ set of security rules, procedures, or guidelines for an
+ organisation
+
+ A policy may pertain to a specific operational environment.
+
+ package
+
+ named set of either security functional or security
+ assurance requirements
+
+ An example of a package is ``EAL 3''.
+
+ Protection Profile evaluation
+
+ assessment of a PP against defined criteria
+
+ Protection Profile
+
+ implementation-independent statement of security needs for a
+ TOE type
+
+ prove
+
+ show correspondence by formal analysis in its mathematical
+ sense
+
+ It is completely rigorous in all ways. Typically, ``prove''
+ is used when there is a desire to show correspondence
+ between two TSF representations at a high level of rigour.
+
+ refinement
+
+ addition of details to a component
+
+ role
+
+ predefined set of rules establishing the allowed
+ interactions between a user and the TOE
+
+ secret
+
+ information that must be known only to authorised users
+ and/or the TSF in order to enforce a specific SFP
+
+ secure state
+
+ state in which the TSF data are consistent and the TSF
+ continues correct enforcement of the SFRs
+
+ security attribute
+
+ property of subjects, users (including external IT
+ products), objects, information, sessions and/or resources
+ that is used in defining the SFRs and whose values are used
+ in enforcing the SFRs
+
+ security function policy
+
+ set of rules describing specific security behaviour enforced
+ by the TSF and expressible as a set of SFRs
+
+ security objective
+
+ statement of an intent to counter identified threats and/or
+ satisfy identified organisation security policies and/or
+ assumptions
+
+ security problem
+
+ statement which in a formal manner defines the nature and
+ scope of the security that the TOE is intended to address
+
+ This statement consists of a combination of:
+
+ threats to be countered by the TOE,
+
+ the OSPs enforced by the TOE, and
+
+ the assumptions that are upheld for the TOE and its
+ operational environment.
+
+ security requirement
+
+ requirement, stated in a standardised language, which is
+ meant to contribute to achieving the security objectives for
+ a TOE
+
+ Security Target
+
+ implementation-dependent statement of security needs for a
+ specific identified TOE
+
+ selection
+
+ specification of one or more items from a list in a component
+
+ semiformal
+
+ expressed in a restricted syntax language with defined semantics
+
+ specify
+
+ provide specific details about an entity in a rigorous and precise manner
+
+ strict conformance
+
+ hierarchical relationship between a PP and an ST where all
+ the requirements in the PP also exist in the ST
+
+ This relation can be roughly defined as ``the ST shall
+ contain all statements that are in the PP, but may contain
+ more''. Strict conformance is expected to be used for
+ stringent requirements that are to be adhered to in a single
+ manner.
+
+ ST evaluation
+
+ assessment of an ST against defined criteria
+
+ subject
+
+ active entity in the TOE that performs operations on objects
+
+ target of evaluation
+
+ set of software, firmware and/or hardware possibly
+ accompanied by guidance
+
+ threat agent
+
+ entity that can adversely act on assets
+
+ TOE evaluation
+
+ assessment of a TOE against defined criteria
+
+ TOE resource
+
+ anything useable or consumable in the TOE
+
+ TOE security functionality
+
+ combined functionality of all hardware, software, and
+ firmware of a TOE that must be relied upon for the correct
+ enforcement of the SFRs
+
+ trace, verb
+
+ perform an informal correspondence analysis between two
+ entities with only a minimal level of rigour
+
+ transfers outside of the TOE
+
+ TSF mediated communication of data to entities not under the
+ control of the TSF
+
+ translation
+
+ describes the process of describing security requirements in
+ a standardised language.
+
+ use of the term translation in this context is not literal
+ and does not imply that every SFR expressed in standardised
+ language can also be translated back to the security
+ objectives.
+
+ trusted channel
+
+ a means by which a TSF and another trusted IT product can
+ communicate with necessary confidence
+
+ trusted IT product
+
+ IT product, other than the TOE, which has its security
+ functional requirements administratively coordinated with
+ the TOE and which is assumed to enforce its security
+ functional requirements correctly
+
+ An example of a trusted IT product would be one that has
+ been separately evaluated.
+
+ trusted path
+
+ means by which a user and a TSF can communicate with the
+ necessary confidence
+
+ TSF data
+
+ data for the operation of the TOE upon which the enforcement
+ of the SFR relies
+
+ TSF interface
+
+ means by which external entities (or subjects in the TOE but
+ outside of the TSF) supply data to the TSF, receive data
+ from the TSF and invoke services from the TSF
+
+ user
+
+ see external entity
+
+ user data
+
+ data for the user, that does not affect the operation of the TSF
+
+ verify
+
+ rigorously review in detail with an independent
+ determination of sufficiency
+
+ Also see ``confirm''. This term has more rigorous
+ connotations. The term ``verify'' is used in the context
+ of evaluator actions where an independent effort is required
+ of the evaluator.
+
+ The following terms are used in the requirements for software
+ internal structuring. Some of these are derived from the
+ IEEE Std 610.12-1990,
+ Standard glossary of software engineering terminology,
+ Institute of Electrical and Electronics Engineers.
+ administrator
+
+ entity that has a level of trust with respect to all
+ policies implemented by the TSF
+
+ Not all PPs or STs assume the same level of trust for
+ administrators. Typically administrators are assumed to
+ adhere at all times to the policies in the ST of the
+ TOE.
Some of these policies may be related to the
+ functionality of the TOE, others may be related to the
+ operational environment.
+
+ call tree
+
+ identifies the modules in a system in diagrammatic form
+ showing which modules call one another
+
+ Adapted from
+ cohesion
+
+ module strength
+
+ manner and degree to which the tasks performed by a single
+ software module are related to one another
+
+ Types of cohesion include coincidental, communicational,
+ functional, logical, sequential, and temporal. These types
+ of cohesion are described by the relevant term entry.
+
+ coincidental cohesion
+
+ module with the characteristic of performing unrelated, or
+ loosely related, activities
+
+ See ``cohesion''.
+
+ communicational cohesion
+
+ module containing functions that produce output for, or use
+ output from, other functions within the module
+
+ See ``cohesion''.
+ An example of a communicationally cohesive module is an
+ access check module that includes mandatory,
+ discretionary, and capability checks.
+ complexity
+
+ measure of how difficult software is to understand, and thus
+ to analyse, test, and maintain
+
+ Reducing complexity is the ultimate goal for using modular
+ decomposition, layering and minimisation. Controlling
+ coupling and cohesion contributes significantly to this
+ goal.
+ A good deal of effort in the software engineering field
+ has been expended in attempting to develop metrics to
+ measure the complexity of source code. Most of these
+ metrics use easily computed properties of the source code,
+ such as the number of operators and operands, the
+ complexity of the control flow graph (cyclomatic
+ complexity), the number of lines of source code, the ratio
+ of comments to executable code, and similar
+ measures. Coding standards have been found to be a useful
+ tool in generating code that is more readily understood.
+ The family calls for a complexity
+ analysis in all components.
It is expected that the
+ developer will provide support for the claims that there
+ has been a sufficient reduction in complexity. This
+ support could include the developer's programming
+ standards, and an indication that all modules meet the
+ standard (or that there are some exceptions that are
+ justified by software engineering arguments). It could
+ include the results of tools used to measure some of the
+ properties of the source code, or it could include other
+ support that the developer finds appropriate.
+ coupling
+
+ manner and degree of interdependence between software modules
+
+ Types of coupling include call, common and content
+ coupling. These are characterised below:
+
+ call coupling
+
+ relationship between two modules
+
+ Examples of call coupling are data, stamp, and control:
+
+ call coupling (data)
+
+ relationship between two modules communicating strictly
+ through the use of call parameters that represent single
+ data items.
+
+ See ``call coupling''
+
+ call coupling (stamp)
+
+ relationship between two modules through the use of call
+ parameters that comprise multiple fields or that have
+ meaningful internal structures.
+
+ See ``call coupling''
+
+ call coupling (control)
+
+ relationship between two modules if one passes information
+ that is intended to influence the internal logic of the
+ other.
+
+ See ``call coupling''
+
+ common coupling
+
+ relationship between two modules sharing a common data area
+ or other common system resource
+
+ Global variables indicate that modules using those global
+ variables are common coupled. Common coupling through global
+ variables is generally allowed, but only to a limited
+ degree.
+ For example, variables that are placed into a global area,
+ but are used by only a single module, are inappropriately
+ placed, and should be removed.
Other factors that need to
+ be considered in assessing the suitability of global
+ variables are:
+
+ The number of modules that modify a global variable:
+ In general, only a single module should be allocated
+ the responsibility for controlling the contents of a
+ global variable, but there may be situations in which
+ a second module may share that responsibility; in such
+ a case, sufficient justification must be provided. It
+ is unacceptable for this responsibility to be shared
+ by more than two modules. (In making this assessment,
+ care should be given to determining the module
+ actually responsible for the contents of the variable;
+ for example, if a single routine is used to modify the
+ variable, but that routine simply performs the
+ modification requested by its caller, it is the
+ calling module that is responsible, and there may be
+ more than one such module). Further, as part of the
+ complexity determination, if two modules are
+ responsible for the contents of a global variable,
+ there should be clear indications of how the
+ modifications are coordinated between them.
+
+ The number of modules that reference a global
+ variable: Although there is generally no limit on the
+ number of modules that reference a global variable,
+ cases in which many modules make such a reference
+ should be examined for validity and necessity.
+
+ content coupling
+
+ relationship between two modules where one makes direct
+ reference to the internals of the other
+
+ Examples include modifying code of, or referencing labels
+ internal to, the other module. The result is that some or
+ all of the content of one module are effectively included in
+ the other. Content coupling can be thought of as using
+ unadvertised module interfaces; this is in contrast to call
+ coupling, which uses only advertised module interfaces.
+
+ domain separation
+
+ security architecture property whereby the TSF defines
+ separate security domains for each user and for the TSF and
+ ensures that no user process can affect the contents of a
+ security domain of another user or of the TSF
+
+ functional cohesion
+
+ functional property of a module which performs activities
+ related to a single purpose
+
+ A functionally cohesive module transforms a single type of
+ input into a single type of output, such as a stack manager or
+ a queue manager. See also ``cohesion''.
+
+ interaction
+
+ general communication-based activity between entities
+
+ interface
+
+ means of interaction with a component or module
+
+ layering
+
+ design technique where separate groups of modules (the
+ layers) are hierarchically organised to have separate
+ responsibilities such that one layer depends only on layers
+ below it in the hierarchy for services, and provides its
+ services only to the layers above it
+
+ Strict layering adds the constraint that each layer receives
+ services only from the layer immediately beneath it, and
+ provides services only to the layer immediately above it.
+
+ logical cohesion
+
+ procedural cohesion
+
+ characteristics of a module performing similar activities on
+ different data structures
+
+ A module exhibits logical cohesion if its functions perform
+ related, but different, operations on different inputs. See
+ also ``cohesion''.
+
+ modular decomposition
+
+ process of breaking a system into components to facilitate
+ design, development and evaluation
+
+ non-bypassability (of the TSF)
+
+ security architecture property whereby all SFR-related
+ actions are mediated by the TSF
+
+ procedural cohesion
+
+ See ``logical cohesion''
+
+ security domain
+
+ collection of resources to which an active entity has access
+ privileges
+
+ sequential cohesion
+
+ module containing functions each of whose output is input
+ for the following function in the module
+
+ An example of a sequentially cohesive module is one that
+ contains the functions to write audit records and to
+ maintain a running count of the accumulated number of audit
+ violations of a specified type.
+
+ software engineering
+
+ application of a systematic, disciplined, quantifiable
+ approach to the development and maintenance of software;
+ that is, the application of engineering to software
+
+ As with engineering practices in general, some amount of
+ judgement must be used in applying engineering
+ principles. Many factors affect choices, not just the
+ application of measures of modular decomposition, layering,
+ and minimisation. For example, a developer may design a
+ system with future applications in mind that will not be
+ implemented initially. The developer may choose to include
+ some logic to handle these future applications without fully
+ implementing them; further, the developer may include some
+ calls to as-yet unimplemented modules, leaving call
+ stubs. The developer's justification for such deviations
+ from well-structured programs will have to be assessed using
+ judgement, as well as the application of good software
+ engineering discipline.
+
+ temporal cohesion
+
+ characteristics of a module containing functions that need
+ to be executed at about the same time
+
+ Adapted from . Examples of temporally
+ cohesive modules include initialisation, recovery, and
+ shutdown modules.
+
+ TSF self-protection
+
+ security architecture property whereby the TSF cannot be
+ corrupted by non-TSF code or entities
+
+ installation
+
+ procedure performed by a human user embedding the TOE in its
+ operational environment and putting it into an operational
+ state
+
+ This operation is performed normally only once, after
+ receipt and acceptance of the TOE. The TOE is expected to be
+ progressed to a configuration allowed by the ST. If similar
+ processes have to be performed by the developer they are
+ denoted as ``generation'' throughout . If
+ the TOE requires an initial start-up that does not need to
+ be repeated regularly, this process would be classified as
+ installation.
+
+ operation
+
+ usage phase of the TOE including ``normal usage'',
+ administration and maintenance of the TOE after delivery and
+ preparation
+
+ preparation
+
+ activity in the life-cycle phase of a product, comprising
+ the customer's acceptance of the delivered TOE and its
+ installation which may include such things as booting,
+ initialisation, start-up and progressing the TOE to a state
+ ready for operation
+
+ acceptance criteria
+
+ criteria to be applied when performing the acceptance
+ procedures (e.g. successful document review, or successful
+ testing in the case of software, firmware or hardware)
+
+ acceptance procedures
+
+ procedures followed in order to accept newly created or
+ modified configuration items as part of the TOE, or to move
+ them to the next step of the life-cycle
+
+ These procedures identify the roles or individuals
+ responsible for the acceptance and the criteria to be
+ applied in order to decide on the acceptance.
+ There are several types of acceptance situations some of
+ which may overlap:
+
+ acceptance of an item into the configuration
+ management system for the first time, in particular
+ inclusion of software, firmware and hardware
+ components from other manufacturers into the TOE
+ (``integration'');
+
+ progression of configuration items to the next
+ life-cycle phase at each stage of the construction of
+ the TOE (e.g. module, subsystem, quality control of
+ the finished TOE);
+
+ subsequent to transports of configuration items (for
+ example parts of the TOE or preliminary products)
+ between different development sites;
+
+ subsequent to the delivery of the TOE to the consumer.
+
+ configuration management
+
+ discipline applying technical and administrative direction
+ and surveillance to: identify and document the functional
+ and physical characteristics of a configuration item,
+ control changes to those characteristics, record and report
+ change processing and implementation status, and verify
+ compliance with specified requirements.
+
+ CM documentation
+
+ all CM documentation including CM output, CM list
+ (configuration list), CM system records, CM plan and CM
+ usage documentation
+
+ configuration management evidence
+
+ everything that may be used to establish confidence in the
+ correct operation of the CM system
+
+ For example, CM output, rationales provided by the
+ developer, observations, experiments or interviews made by
+ the evaluator during a site visit.
+
+ configuration item
+
+ object managed by the CM system during the TOE development
+
+ These may be either parts of the TOE or objects related to
+ the development of the TOE like evaluation documents or
+ development tools. CM items may be stored in the CM system
+ directly (for example files) or by reference (for example
+ hardware parts) together with their version.
+
+ configuration list
+
+ configuration management output document listing all
+ configuration items for a specific product together with the
+ exact version of each configuration management item relevant
+ for a specific version of the complete product
+
+ This list allows distinguishing the items belonging to the
+ evaluated version of the product from other versions of
+ these items belonging to other versions of the product. The
+ final configuration management list is a specific document
+ for a specific version of a specific product. (Of course the
+ list can be an electronic document inside of a configuration
+ management tool. In that case it can be seen as a specific
+ view into the system or a part of the system rather than an
+ output of the system. However, for the practical use in an
+ evaluation the configuration list will probably be delivered
+ as a part of the evaluation documentation.) The
+ configuration list defines the items that are under the
+ configuration management requirements of .
+
+ configuration management output
+
+ results, related to configuration management, produced or
+ enforced by the configuration management system
+
+ These configuration management related results could occur
+ as documents (for example filled paper forms, configuration
+ management system records, logging data, hard-copies and
+ electronic output data) as well as actions (for example
+ manual measures to fulfil configuration management
+ instructions). Examples of such configuration management
+ outputs are configuration lists, configuration management
+ plans and/or behaviours during the product life-cycle.
+
+ configuration management plan
+
+ description of how the configuration management system is
+ used for the TOE
+
+ The objective of issuing a configuration management plan is
+ that staff members can see clearly what they have to
+ do.
From the point of view of the overall configuration + management system this can be seen as an output document + (because it may be produced as part of the application of + the configuration management system). From the point of view + of the concrete project it is a usage document because + members of the project team use it in order to understand + the steps that they have to perform during the project. The + configuration management plan defines the usage of the + system for the specific product; the same system may be used + to a different extent for other products. That means the + configuration management plan defines and describes the + output of the configuration management system of a company + which is used during the TOE development. + + configuration management system + + set of procedures and tools (including their documentation) + used by a developer to develop and maintain configurations + of his products during their life-cycles + + Configuration management systems may have varying degrees of + rigour and function. At higher levels, configuration + management systems may be automated, with flaw remediation, + change controls, and other tracking mechanisms. + + configuration management system records + + output produced during the operation of the configuration + management system documenting important configuration + management activities + + Examples of configuration management system records are + configuration management item change control forms or + configuration management item access approval forms. + + configuration management tools + + manually operated or automated tools realising or supporting + a configuration management system + + For example tools for the version management of the parts of + the TOE. 
+
+ configuration management usage documentation
+
+ part of the configuration management system, which
+ describes, how the configuration management system is
+ defined and applied by using for example handbooks,
+ regulations and/or documentation of tools and procedures
+
+ delivery
+
+ transmission of the finished TOE from the production
+ environment into the hands of the customer
+
+ This product life-cycle phase may include packaging and
+ storage at the development site, but does not include
+ transportations of the unfinished TOE or parts of the TOE
+ between different developers or different development
+ sites.
+
+ developer
+
+ organisation responsible for the development of the TOE
+
+ development
+
+ product life-cycle phase which is concerned with generating
+ the implementation representation of the TOE
+
+ Throughout the requirements, development
+ and related terms (developer, develop) are meant in the more
+ general sense to comprise development and production.
+
+ development tools
+
+ tools (including test software, if applicable) supporting
+ the development and production of the TOE
+
+ For example for a software TOE, development tools are
+ usually programming languages, compilers, linkers and
+ generating tools.
+
+ implementation representation
+
+ least abstract representation of the TSF, specifically the
+ one that is used to create the TSF itself without further
+ design refinement
+
+ Source code that is then compiled or a hardware drawing that
+ is used to build the actual hardware are examples of parts
+ of an implementation representation. 
+
+ life-cycle
+
+ sequence of stages of existence of an object (for example a
+ product or a system) in time
+
+ life-cycle definition
+
+ definition of the life-cycle model
+
+ life cycle model
+
+ description of the stages and their relations to each other
+ that are used in the management of the life-cycle of a
+ certain object, how the sequence of stages looks like and
+ which high level characteristics the stages have
+
+ production
+
+ production life-cycle phase follows the development phase
+ and consists of transforming the implementation
+ representation into the implementation of the TOE, i.e. into
+ a state acceptable for delivery to the customer
+
+ This phase may comprise manufacturing, integration,
+ generation, internal transports, storage, and labelling of
+ the TOE.
+
+ covert channel + + enforced, illicit signalling channel that allows a user to + surreptitiously contravene the multi-level separation policy + and unobservability requirements of the TOE + + encountered potential vulnerabilities + + potential weakness in the TOE identified by the evaluator + while performing evaluation activities that could be used to + violate the SFRs + + exploitable vulnerability + + weakness in the TOE that can be used to violate the SFRs in + the operational environment for the TOE + + monitoring attacks + + generic category of attack methods that includes passive + analysis techniques aiming at disclosure of sensitive + internal data of the TOE by operating the TOE in the way + that corresponds to the guidance documents + + potential vulnerability + + suspected, but not confirmed, weakness + + Suspicion is by virtue of a postulated attack path to + violate the SFRs. + + residual vulnerability + + weakness that cannot be exploited in the operational + environment for the TOE, but that could be used to violate + the SFRs by an attacker with greater attack potential than + is anticipated in the operational environment for the TOE + + vulnerability + + weakness in the TOE that can be used to violate the SFRs in + some environment + + base component + + entity in a composed TOE, which has itself been the subject + of an evaluation, providing services and resources to a + dependent component + + compatible (components) + + property of a component able to provide the services + required by the other component, through the corresponding + interfaces of each component, in consistent operational + environments + + component TOE + + successfully evaluated TOE that is part of another composed + TOE + + composed TOE + + TOE comprised solely of two or more components that have + been successfully evaluated + + dependent component + + entity in a composed TOE, which is itself the subject of an + evaluation, relying on the provision on services by a base + 
component + + functional interface + + external interface providing a user with access to + functionality of the TOE which is not directly involved in + enforcing security functional requirements + + In a composed TOE these are the interfaces provided by the + base component that are required by the dependent component + to support the operation of the composed TOE. + + The following abbreviations are used in one or more parts of the + CC:API + Application Programming Interface + CAP + Composed Assurance Package + CC + Common Criteria + CCRAArrangement on the + Recognition of Common Criteria Certificates in the field of IT + Security + CM + Configuration Management + DAC + Discretionary Access Control + EAL + Evaluation Assurance Level + GHz + Gigahertz + GUI + Graphical User Interface + IC + Integrated Circuit + IOCTL + Input Output Control + IP + Internet Protocol + IT + Information Technology + MB + Mega Byte + OS + Operating System + OSP + Organisational Security Policy + PC + Personal Computer + PCI + Peripheral Component Interconnect + PKI + Public Key Infrastructure + PP + Protection Profile + RAM + Random Access Memory + RPC + Remote Procedure Call + SAR + Security Assurance Requirement + SFR + Security Functional Requirement + SFP + Security Function Policy + SPD + Security Problem Definition + ST + Security Target + TCP + Transmission Control Protocol + TOE + Target of Evaluation + TSF + TOE Security Functionality + TSFI + TSF Interface + VPN + Virtual Private Network + + This Clause introduces the main concepts of the CC. It + identifies the concept ``TOE'', the target audience of the CC, + and the approach taken to present the material in the remainder + of the CC. + The CC is flexible in what to evaluate and is therefore not + tied to the boundaries of IT products as commonly + understood. Therefore in the context of evaluation, the CC + uses the term ``TOE'' (Target of Evaluation). 
+ A TOE is defined as a set of software, firmware and/or
+ hardware possibly accompanied by guidance.
+ While there are cases where a TOE consists of an IT product,
+ this need not be the case. The TOE may be an IT product, a
+ part of an IT product, a set of IT products, a unique
+ technology that may never be made into a product, or a
+ combination of these.
+ As far as the CC is concerned, the precise relation
+ between the TOE and any IT products is only important in one
+ aspect: the evaluation of a TOE containing only part of an IT
+ product should not be misrepresented as the evaluation of the
+ entire IT product.
+ Examples of TOEs include:
+
+ A software application;
+
+ An operating system;
+
+ A software application in combination with an operating
+ system;
+
+ A software application in combination with an operating
+ system and a workstation;
+
+ An operating system in combination with a workstation;
+
+ A smart card integrated circuit;
+
+ The cryptographic co-processor of a smart card integrated
+ circuit;
+
+ A Local Area Network including all terminals, servers,
+ network equipment and software;
+
+ A database application excluding the remote client
+ software normally associated with that database
+ application.
+
+ In the CC, a TOE can occur in several
+ representations, such as (for a software TOE):
+
+ a list of files in a configuration management system;
+
+ a single master copy, that has just been compiled;
+
+ a box containing a CD-ROM and a manual, ready to be shipped to a customer;
+
+ an installed and operational version.
+
+ All of these are considered to be a TOE: and wherever the
+ term ``TOE'' is used in the remainder of the CC, the
+ context determines the representation that is meant.
+ In general, IT products can be configured in many ways:
+ installed in different ways, with different options enabled
+ or disabled. 
As, during a CC evaluation, it will be + determined whether a TOE meets certain requirements, this + flexibility in configuration may lead to problems, as all + possible configurations of the TOE must meet the + requirements. For these reasons, it is often the case that + the guidance part of the TOE strongly constrains the + possible configurations of the TOE. That is: the guidance of + the TOE may be different from the general guidance of the IT + product. + An example is an operating system IT product. This product + can be configured in many ways (e.g. types of users, number + of users, types of external connections allowed/disallowed, + options enabled/disabled etc.). + If the same IT product is to be a TOE, and is evaluated + against a reasonable set of requirements, the configuration + should be much more tightly controlled, as many options + (e.g. allow all types of external connections or the system + administrator does not need to be authenticated) will lead + to a TOE not meeting the requirements. + For this reason, there would normally be a difference + between the guidance of the IT product (allowing many + configurations) and the guidance of the TOE (allowing only + one or only configurations that do not differ in + security-relevant ways). + Note that if the guidance of the TOE still allows more than + one configuration, these configurations are collectively + called ``the TOE'' and each such configuration must meet the + requirements levied on the TOE. + There are three groups with a general interest in evaluation + of the security properties of TOEs: consumers, developers and + evaluators. The criteria presented in this CC part 1 have been + structured to support the needs of all three groups. They are + all considered to be the principal users of the CC. The + three groups can benefit from the criteria as explained in the + following paragraphs. 
+ The CC is written to ensure that evaluation fulfils
+ the needs of the consumers as this is the fundamental
+ purpose and justification for the evaluation process.
+ Consumers can use the results of evaluations to help decide
+ whether a TOE fulfils their security needs. These security
+ needs are typically identified as a result of both risk
+ analysis and policy direction. Consumers can also use the
+ evaluation results to compare different TOEs.
+ The CC gives consumers, especially in consumer groups
+ and communities of interest, an implementation-independent
+ structure, termed the Protection Profile (PP), in which to
+ express their security requirements in an unambiguous
+ manner.
+ The CC is intended to support developers in preparing
+ for and assisting in the evaluation of their TOEs and in
+ identifying security requirements to be satisfied by those
+ TOEs. These requirements are contained in an
+ implementation-dependent construct termed the Security
+ Target (ST). This ST may be based on one or more PPs to show
+ that the ST conforms to the security requirements from
+ consumers as laid down in those PPs.
+ The CC can then be used to determine the
+ responsibilities and actions to provide evidence that is
+ necessary to support the evaluation of the TOE against these
+ requirements. It also defines the content and presentation
+ of that evidence.
+ The CC contains criteria to be used by evaluators
+ when forming judgements about the conformance of TOEs to
+ their security requirements. The CC describes the set
+ of general actions the evaluator is to carry out. Note that
+ the CC does not specify procedures to be followed in
+ carrying out those actions. More information on these
+ procedures may be found in Subclause .
+ While the CC is oriented towards specification and
+ evaluation of the IT security properties of TOEs, it may
+ also be useful as reference material to all parties with an
+ interest in or responsibility for IT security. 
Some of the + additional interest groups that can benefit from information + contained in the CC are: + + system custodians and system security officers + responsible for determining and meeting organisational + IT security policies and requirements; + + auditors, both internal and external, responsible for + assessing the adequacy of the security of an IT solution + (which may consist of or contain a TOE); + + security architects and designers responsible for the + specification of security properties of IT products; + + accreditors responsible for accepting an IT solution for + use within a particular environment; + + sponsors of evaluation responsible for requesting and + supporting an evaluation; and + + evaluation authorities responsible for the management + and oversight of IT security evaluation programmes. + + The CC is presented as a set of distinct but related + parts as identified below. Terms used in the description of + the parts are explained in Clause . + Part 1, Introduction and general model is the + introduction to the CC. It defines the general concepts + and principles of IT security evaluation and presents a + general model of evaluation. + Part 2, Security functional components + establishes a set of functional components that serve as + standard templates upon which to base functional + requirements for TOEs. CC Part 2 catalogues the set of + functional components and organises them in families and + classes. + Part 3, Security assurance components + establishes a set of assurance components that serve as + standard templates upon which to base assurance + requirements for TOEs. CC Part 3 catalogues the set of + assurance components and organises them into families and + classes. CC Part 3 also defines evaluation criteria for + PPs and STs and presents seven pre-defined assurance + packages which are called the Evaluation Assurance Levels + (EALs). 
+
+ In support of the three parts of the CC listed above,
+ other documents have been published, the CEM provides
+ the methodology for IT security evaluation using the CC
+ as a basis. It is anticipated that other documents will be
+ published, including technical rationale material and guidance
+ documents.
+ The following table presents, for the three key target
+ audience groupings, how the parts of the CC will be of
+ interest.
+ Consumers
+
+ Developers
+
+ Evaluators
+
+ Part 1
+
+ Use for background information and
+ are obliged to use for reference purposes. Guidance
+ structure for PPs.
+
+ Use for background information and reference
+ purposes. Are obliged to use for the development of
+ security specifications for TOEs.
+
+ Are obliged to use for reference purposes and for
+ guidance in the structure for PPs and STs.
+
+ Part 2
+
+ Use for guidance and reference when formulating
+ statements of requirements for a TOE.
+
+ Are obliged to use for reference when interpreting
+ statements of functional requirements and formulating
+ functional specifications for TOEs.
+
+ Are obliged to use for reference when interpreting
+ statements of functional requirements.
+
+ Part 3
+
+ Use for guidance when determining required levels of
+ assurance.
+
+ Use for reference when interpreting statements of
+ assurance requirements and determining assurance
+ approaches of TOEs.
+
+ Use for reference when interpreting statements of
+ assurance requirements.
+ Road map to the Common Criteria
+ In order to achieve greater comparability between evaluation
+ results, evaluations should be performed within the framework
+ of an authoritative evaluation scheme that sets the standards,
+ monitors the quality of the evaluations and administers the
+ regulations to which the evaluation facilities and evaluators
+ must conform.
+ The CC does not state requirements for the regulatory
+ framework. However, consistency between the regulatory
+ frameworks of different evaluation authorities will be
+ necessary to achieve the goal of mutual recognition of the
+ results of such evaluations.
+ A second way of achieving greater comparability between
+ evaluation results is using a common methodology to achieve
+ these results. For the CC, this methodology is given in
+ the CEM.
+ Use of a common evaluation methodology contributes to the
+ repeatability and objectivity of the results but is not by
+ itself sufficient. Many of the evaluation criteria require the
+ application of expert judgement and background knowledge for
+ which consistency is more difficult to achieve. In order to
+ enhance the consistency of the evaluation findings, the final
+ evaluation results may be submitted to a certification
+ process.
+ The certification process is the independent inspection of the
+ results of the evaluation leading to the production of the
+ final certificate or approval, which is normally publicly
+ available. The certification process is a means of gaining
+ greater consistency in the application of IT security
+ criteria.
+ The evaluation schemes and certification processes are the
+ responsibility of the evaluation authorities that run such
+ schemes and processes and are outside the scope of the CC.
+ This clause presents the general concepts used throughout the
+ CC, including the context in which the concepts are to be used
+ and the CC approach for applying the concepts. CC Part 2 and CC
+ Part 3, which are obliged to be consulted by users of the CC
+ Part 1, expand on the use of these concepts and assume that the
+ approach described is used. Further, for users of the CC who
+ intend to perform evaluation activities the CEM is
+ applicable. This clause assumes some knowledge of IT security
+ and does not propose to act as a tutorial in this area.
+ The CC discusses security using a set of security
+ concepts and terminology. An understanding of these concepts and
+ the terminology is a prerequisite to the effective use of
+ the CC. However, the concepts themselves are quite
+ general and are not intended to restrict the class of IT
+ security problems to which the CC is applicable.
+ Security is concerned with the protection of assets. Assets
+ are entities that someone places value upon. Examples of
+ assets include:
+ contents of a file or a server;the authenticity of votes cast in an election;the availability of an electronic commerce
+ process;the ability to use an expensive printer;access to a classified facility.
+ but given that value is highly subjective, almost anything can
+ be an asset.
+ The environment(s) in which these assets are located is called
+ the operational environment. Examples of (aspects of)
+ operational environments are:
+
+ the computer room of a bank;
+
+ a computer network connected to the Internet;
+
+ a LAN;
+
+ a general office environment.
+
+ Many assets are in the form of information that is stored,
+ processed and transmitted by IT products to meet requirements
+ laid down by owners of the information. Information owners may
+ require that availability, dissemination and modification of
+ any such information are strictly controlled and that the
+ assets are protected from threats by countermeasures. 
Figure + illustrates these + high level concepts and relationships.
+ Safeguarding assets of interest is the responsibility of
+ owners who place value on those assets. Actual or presumed
+ threat agents may also place value on the assets and seek to
+ abuse assets in a manner contrary to the interests of the
+ owner. Examples of threat agents include hackers, malicious
+ users, non-malicious users (who sometimes make errors),
+ computer processes and accidents.
+ The owners of the assets will perceive such threats as
+ potential for impairment of the assets such that the value of
+ the assets to the owners would be reduced. Security-specific
+ impairment commonly includes, but is not limited to: loss of
+ asset confidentiality, loss of asset integrity and loss of
+ asset availability.
+ These threats therefore give rise to risks to the assets,
+ based on the likelihood of a threat being realised and the
+ impact on the assets when that threat is
+ realised. Subsequently countermeasures are imposed to reduce
+ the risks to assets. These countermeasures may consist of IT
+ countermeasures (such as firewalls and smart cards) and non-IT
+ countermeasures (such as guards and procedures). See also
+ ISO/IEC 27001 and ISO/IEC 27002 for a more general discussion
+ on security countermeasures (controls).
+ Owners of assets may be (held) responsible for those assets
+ and therefore should be able to defend the decision to accept
+ the risks of exposing the assets to the threats.
+ Two important elements in defending this decision are being
+ able to demonstrate that:
+
+ the countermeasures are sufficient: if the countermeasures do what
+ they claim to do, the threats to the assets are countered;
+
+ the countermeasures are correct: the countermeasures do
+ what they claim to do.
+
+ Many owners of assets lack the knowledge, expertise or
+ resources necessary to judge sufficiency and correctness of
+ the countermeasures, and they may not wish to rely solely on
+ the assertions of the developers of the countermeasures. 
These + consumers may therefore choose to increase their confidence in + the sufficiency and correctness of some or all of their + countermeasures by ordering an evaluation of these + countermeasures.
+ In an evaluation, sufficiency of the countermeasures is
+ analysed through a construct called the Security Target. In
+ this Subclause a simplified view on this construct is
+ provided: a more detailed and complete description may be
+ found in .
+ The Security Target begins with describing the assets and
+ the threats to those assets. The Security Target then
+ describes the countermeasures (in the form of Security
+ Objectives) and demonstrates that these countermeasures are
+ sufficient to counter these threats: if the countermeasures
+ do what they claim to do, the threats are countered.
+ The Security Target then divides these countermeasures in
+ two groups:
+
+ the security objectives for the TOE: these describe the
+ countermeasure(s) for which correctness will be
+ determined in the evaluation;
+
+ the security objectives for the Operational Environment:
+ these describe the countermeasures for which correctness
+ will not be determined in the evaluation.
+
+ The reasons for this division are:
+
+ The CC is only suitable for assessing the
+ correctness of IT countermeasures. Therefore the non-IT
+ countermeasures (e.g. human security guards, procedures)
+ are always in the Operational Environment.
+
+ Assessing correctness of countermeasures costs time and
+ money, possibly making it infeasible to assess the
+ correctness of all IT countermeasures.
+
+ The correctness of some IT countermeasures may already
+ have been assessed in another evaluation. It is
+ therefore not cost-effective to assess this correctness
+ again.
+
+ For the TOE (the IT countermeasures whose correctness will
+ be assessed during the evaluation), the Security Target
+ requires a further detailing of the security objectives for
+ the TOE in Security Functional Requirements (SFRs). These
+ SFRs are formulated in a standardised language (described in
+ CC Part 2) to ensure exactness and facilitate comparability. 
+ In summary, the Security Target demonstrates that:
+
+ The SFRs meet the security objectives for the TOE;
+
+ The security objectives for the TOE and the security
+ objectives for the operational environment counter the
+ threats;
+
+ And therefore, the SFRs and the security objectives for
+ the operational environment counter the threats.
+
+ From this it follows that a correct TOE (meeting the SFRs)
+ in combination with a correct operational environment
+ (meeting the security objectives for the operational
+ environment) will counter the threats. In the next two
+ subclauses correctness of the TOE and correctness of the
+ operational environment are discussed separately.
+ A TOE may be incorrectly designed and implemented, and may
+ therefore contain errors that lead to vulnerabilities. By
+ exploiting these vulnerabilities, attackers may still damage
+ and/or abuse the assets.
+ These vulnerabilities may arise from accidental errors made
+ during development, poor design, intentional addition of
+ malicious code, poor testing etc.
+ To determine correctness of the TOE, various activities can
+ be performed such as:
+
+ testing the TOE;
+
+ examining various design representations of the TOE;
+
+ examining the physical security of the development
+ environment of the TOE.
+
+ The Security Target provides a structured description of
+ these activities to determine correctness in the form of
+ Security Assurance Requirements (SARs). These SARs are
+ formulated in a standardised language (described in CC Part
+ 3) to ensure exactness and facilitate comparability.
+ If the SARs are met, there exists assurance in the
+ correctness of the TOE and the TOE is therefore less likely
+ to contain vulnerabilities that can be exploited by
+ attackers. The amount of assurance that exists in the
+ correctness of the TOE is determined by the SARs themselves:
+ a few ``weak'' SARs will lead to a little assurance, a lot
+ of ``strong'' SARs will lead to a lot of assurance. 
+ The operational environment may also be incorrectly designed
+ and implemented, and may therefore contain errors that lead
+ to vulnerabilities. By exploiting these vulnerabilities,
+ attackers may still damage and/or abuse the assets.
+ However, in the CC, no assurance is obtained
+ regarding the correctness of the operational
+ environment. Or, in other words, the operational environment
+ is not evaluated (see the next Subclause).
+ As far as the evaluation is concerned, the operational
+ environment is assumed to be a 100% correct instantiation of
+ the security objectives for the operational environment.
+ This does not preclude a consumer of the TOE from using
+ other methods to determine the correctness of his
+ operational environment, such as:
+
+ If, for an OS TOE, the security objectives for the
+ operational environment state ``The operational
+ environment shall ensure that entities from an untrusted
+ network (e.g. the Internet) can only access the TOE by
+ ftp'', the consumer could select an evaluated firewall,
+ and configure it to only allow ftp access to the TOE;
+
+ If the security objectives for the operational
+ environment state ``The operational environment shall
+ ensure that all administrative personnel will not behave
+ maliciously'', the consumer could adapt his contracts
+ with administrative personnel to include punitive
+ sanctions for malicious behaviour, but this
+ determination is not part of a CC evaluation.
+
+ The CC recognises two types of evaluation: an ST/TOE
+ evaluation, which is described below, and an evaluation of
+ PPs, which is defined in CC Part 3. In many places,
+ the CC uses the term evaluation (without qualifiers) to
+ refer to an ST/TOE evaluation.
+ In the CC an ST/TOE evaluation proceeds in two steps:
+
+ An ST evaluation: where the sufficiency of the TOE and the
+ operational environment are determined;
+
+ A TOE evaluation: where the correctness of the TOE is
+ determined. 
As said earlier, the TOE evaluation does not
+ assess correctness of the operational environment.
+
+ The ST evaluation is carried out by applying the Security
+ Target evaluation criteria (which are defined in CC Part 3) to
+ the Security Target. The precise method to apply the criteria is determined by the evaluation
+ methodology that is used.
+ The TOE evaluation is more complex. The principal inputs to a
+ TOE evaluation are: the evaluation evidence, which includes
+ the TOE and ST, but will usually also include input from the
+ development environment, such as design documents or developer
+ test results.
+ The TOE evaluation consists of applying the SARs (from the
+ Security Target) to the evaluation evidence. The precise
+ method to apply a specific SAR is determined by the evaluation
+ methodology that is used.
+ How the results of applying the SARs are documented, and what
+ reports need to be generated and in what detail, is determined
+ by both the evaluation methodology that is used and the
+ evaluation scheme under which the evaluation is carried out.
+ The result of the TOE evaluation process is either:
+
+ A statement that not all SARs have been met and that
+ therefore there is not the specified level of assurance
+ that the TOE meets the SFRs as stated in the ST;
+
+ A statement that all SARs have been met, and that
+ therefore there is the specified level of assurance that
+ the TOE meets the SFRs as stated in the ST.
+
+ The TOE evaluation may be carried out after TOE development
+ has finished, or in parallel with TOE development.
+ The method of stating ST/TOE evaluation results is described
+ in Clause . These results also
+ identify the PP(s) and package(s) to which the TOE claims
+ conformance, and these constructs are described in the next
+ Clause.
+ The CC functional and assurance components may be used exactly
+ as defined in CC Part 2 and CC Part 3, or they may be tailored
+ through the use of permitted operations. When using
+ operations, the PP/ST author should be careful that the
+ dependency needs of other requirements that depend on this
+ requirement are satisfied. The permitted operations are
+ selected from the following set:
+
+ Iteration: allows a component to be used more than once
+ with varying operations;
+
+ Assignment: allows the specification of parameters;
+
+ Selection: allows the specification of one or more items
+ from a list; and
+
+ Refinement: allows the addition of details.
+
+ The assignment and selection operations are permitted only
+ where specifically indicated in a component. Iteration and
+ refinement are permitted for all components. The operations
+ are described in more detail below.
+ The CC Part 2 Annexes provide the guidance on the valid
+ completion of selections and assignments. This guidance
+ provides normative instructions on how to complete operations,
+ and those instructions shall be followed unless the PP/ST
+ author justifies the deviation:
+
+ ``None'' is only available as a choice for the completion
+ of a selection if explicitly provided.
+
+ The lists provided for the completion of selections must
+ be non-empty. If a ``None'' option is chosen, no
+ additional selection options may be chosen. If ``None''
+ is not given as an option in a selection, it is
+ permissible to combine the choices in a selection with
+ ``and''s and ``or''s, unless the selection explicitly
+ states ``choose one of''.
+ Selection operations may be combined by iteration where
+ needed. In this case, the applicability of the option
+ chosen for each iteration should not overlap the subject
+ of the other iterated selection, since they are intended
+ to be exclusive.
+ For the completion of assignments, the CC Part 2 Annexes
+ shall be consulted in order to determine when ``None''
+ would be a valid completion.
+
+ The iteration operation may be performed on every
+ component. The PP/ST author performs an iteration operation
+ by including multiple requirements based on the same
+ component. Each iteration of a component shall be different
+ from all other iterations of that component, which is
+ realised by completing assignments and selections in a
+ different way, or by applying refinements to it in a
+ different way.
+ Different iterations should be uniquely identified to allow
+ clear rationales and tracings to and from these
+ requirements.
+ It is important to note that sometimes an iteration
+ operation can be used with components where could also be
+ possible to perform an assignment operation with a range or
+ list of values instead of iterate them. In that case the
+ author can select the most appropriate alternative,
+ considering if there is a necessity of providing a whole
+ rationale for the range of values or if it is necessary to
+ have a separate one for each of them. The author should also
+ keep in mind if individual traces are required for those
+ values.
+ An assignment operation occurs where a given component
+ contains an element with a parameter that may be set by the
+ PP/ST author. The parameter may be an unrestricted variable,
+ or a rule that narrows the variable to a specific range of
+ values.
+ Whenever an element in a PP contains an assignment, a PP
+ author shall do one of four things:
+
+ leave the assignment uncompleted. The PP author could
+ include ``When the
+ defined number of unsuccessful authentication attempts
+ has been met or surpassed, the TSF shall
+ [assignment: list of actions].'' in the PP.
+
+ complete the assignment. As an example, the PP author
+ could include ``When
+ the defined number of unsuccessful authentication
+ attempts has been met or surpassed, the TSF shall
+ prevent that external entity from binding to any
+ subject in the future.'' in the PP.
+
+ narrow the assignment, to further limit the range of
+ values that is allowed. As an example, the PP author
+ could include ``The
+ TSF shall detect when [assignment: positive
+ integer between 4 and 9] unsuccessful authentication
+ attempts occur ...'' in the PP.
+
+ transform the assignment to a selection, thereby
+ narrowing the assignment. As an example, the PP author
+ could include ``When
+ the defined number of unsuccessful authentication
+ attempts has been met or surpassed, the TSF shall
+ [selection: prevent that user from binding to any
+ subject in the future, notify the
+ administrator].'' in the PP.
+
+ Whenever an element in an ST contains an assignment, an ST
+ author shall complete that assignment, as indicated in b)
+ above. Options a), c) and d) are not allowed for STs.
+ The values chosen in options b), c) and d) shall conform to
+ the indicated type required by the assignment.
+ When an assignment is to be completed with a set
+ (e.g. subjects), one may list a set of subjects, but also
+ some description of the set from which the elements of the
+ set can be derived such as:
+
+ all subjects
+
+ all subjects of type X
+
+ all subjects except subject a
+
+ as long as it is clear which subjects are meant.
+
+ The selection operation occurs where a given component
+ contains an element where a choice from several items has to
+ be made by the PP/ST author.
+ Whenever an element in a PP contains a selection, the PP
+ author may do one of three things:
+
+ leave the selection uncompleted.
+
+ complete the selection by choosing one or more items.
+
+ restrict the selection by removing some of the choices,
+ but leaving two or more.
+
+ Whenever an element in an ST contains a selection, an ST
+ author shall complete that selection, as indicated in b)
+ above. Options a) and c) are not allowed for STs.
+ The item or items chosen in b) and c) shall be taken from
+ the items provided in the selection.
+ The refinement operation can be performed on every
+ requirement. The PP/ST author performs a refinement by
+ altering that requirement. The first rule for a refinement
+ is that a TOE meeting the refined requirement also meets the
+ unrefined requirement in the context of the PP/ST (i.e. a
+ refined requirement must be ``stricter'' than the original
+ requirement). If a refinement does not meet this rule, the
+ resulting refined requirement is considered to be an
+ extended requirement and shall be treated as such.
+ The first rule for a refinement is that a TOE meeting the
+ refined requirement also meets the unrefined requirement in
+ the context of the PP/ST (i.e. a refined requirement must be
+ ``stricter'' than the original requirement)
+ The only exception to this rule is that a PP/ST author is
+ allowed to refine a SFR to apply to some but not all
+ subjects, objects, operations, security attributes and/or
+ external entities.
+ However, this exception does not apply to refining SFRs that
+ are taken from PPs that compliance is being claimed to;
+ these SFRs may not be refined to apply to fewer subjects,
+ objects, operations, security attributes and/or external
+ entities than the SFR in the PP.
+ The second rule for a refinement is that the refinement
+ shall be related to the original component.
+ A special case of refinement is an editorial refinement,
+ where a small change is made in a requirement,
+ i.e. rephrasing a sentence due to adherence to proper
+ English grammar, or to make it more understandable to the
+ reader. This change is not allowed to modify the meaning of
+ the requirement in any way.
+ Dependencies may exist between components. Dependencies arise
+ when a component is not self sufficient and relies upon the
+ presence of another component to provide security
+ functionality or assurance.
+ The functional components in CC Part 2 typically have
+ dependencies on other functional components as do some of the
+ assurance components in CC Part 3 which may have dependencies
+ on other CC Part 3 components. CC Part 2 dependencies on CC
+ Part 3 components may also be defined. However, this does not
+ preclude extended functional components having dependencies on
+ assurance components or vice versa.
+ Component dependency descriptions are determined by consulting
+ the CC Part 2 and CC Part 3 component definitions. In order to
+ ensure completeness of the TOE security requirements,
+ dependencies should be satisfied when requirements based on
+ components with dependencies are incorporated into PPs and
+ STs. Dependencies should also be considered when constructing
+ packages.
+ In other words: if component A has a dependency on component
+ B, this means that whenever a PP/ST contains a security
+ requirement based on component A, the PP/ST shall also contain
+ one of :
+
+ a security requirement based on component B, or
+
+ a security requirement based on a component that is
+ hierarchically higher than B, or
+
+ a justification why the PP/ST does not contain a security
+ requirement based on component B.
+
+ In cases a) and b), when a security requirement is included
+ because of a dependency, it may be necessary to complete
+ operations (assignment, iteration, refinement, selection) on
+ that security requirement in a particular manner to make sure
+ that it actually satisfies the dependency.
+ In case c), the justification that a security requirement is
+ not included should address either:
+
+ why the dependency is not necessary or useful, or
+
+ that the dependency has been addressed by the operational
+ environment of the TOE, in which case the justification
+ should describe how the security objectives for the
+ operational environment address this dependency, or
+
+ that the dependency has been addressed by the other SFRs
+ in some other manner (extended SFRs, combinations of SFRs
+ etc.)
+
+ In the CC it is mandatory to base requirements on
+ components from CC Part 2 or CC Part 3 with two
+ exceptions:
+
+ there are security objectives for the TOE that can not be
+ translated to Part 2 SFRs, or there are third party
+ requirements (e.g., laws, standards) that can not be
+ translated to Part 3 SARs (e.g. regarding evaluation of
+ cryptography);
+
+ a security objective can be translated, but only with
+ great difficulty and/or complexity based on components in
+ CC Part 2 and/or CC Part 3.
+
+ In both cases the PP/ST author is required to define his own
+ components. These newly defined components are called extended
+ components. A precisely defined extended component is needed
+ to provide context and meaning to the extended SFRs and SARs
+ based on that component.
+ After the new components have been defined correctly, the
+ PP/ST author can then base one or more SFRs or SARs on these
+ newly defined extended components and use them in the same way
+ as the other SFRs and SARs. From this point on, there is no
+ further distinction between SARs and SFRs based on the CC and
+ SARs and SFRs based on extended components. Refer to CC Part 3
+ and for further
+ requirements on extended components.
+ To allow consumer groups and communities of interest to
+ express their security needs, and to facilitate writing STs,
+ this part of the CC provides two special constructs: packages
+ and Protection Profiles (PPs). In the following two subclauses
+ these constructs are described in more detail, followed by a
+ subclause on how these constructs can be used.
+ A package is a named set of security requirements. A package
+ is either
+
+ a functional package, containing only SFRs, or
+
+ an assurance package, containing only SARs.
+
+ Mixed packages containing both SFRs and SARs are not allowed.
+ A package can be defined by any party and is intended to be
+ re-usable. To this goal it should contain requirements that
+ are useful and effective in combination. Packages can be used
+ in the construction of larger packages, PPs and STs. At
+ present there are no criteria for the evaluation of packages,
+ therefore any set of SFRs or SARs can be a package.
+ Examples of assurance packages are the evaluation assurance
+ levels (EALs) that are defined in CC Part 3. At the time
+ of writing there are no functional packages for this version
+ of the CC.
+ Whereas an ST always describes a specific TOE (e.g. the
+ MinuteGap v18.5 Firewall), a PP is intended to describe a TOE
+ type (e.g. firewalls). The same PP may therefore be used as a
+ template for many different STs to be used in different
+ evaluations. A detailed description of PPs is given in  .
+ In general an ST describes requirements for a TOE and is
+ written by the developer of that TOE, while a PP describes
+ the general requirements for a TOE type, and is therefore
+ typically written by:
+
+ A user community seeking to come to a consensus on the
+ requirements for a given TOE type;
+
+ A developer of a TOE, or a group of developers of
+ similar TOEs wishing to establish a minimum baseline for
+ that type of TOE;
+
+ A government or large corporation specifying its
+ requirements as part of its acquisition process.
+
+ The PP determines the allowed type of conformance of the ST
+ to the PP. That is, the PP states (in the PP conformance
+ statement, see subclause )
+ what the allowed types of conformance for the ST are:
+
+ if the PP states that strict conformance is required,
+ the ST shall conform to the PP in a strict manner;
+
+ if the PP states that demonstrable conformance is
+ required, the ST shall conform to the PP in a strict or
+ demonstrable manner.
+
+ Restating this in other words, an ST is only allowed to
+ conform in a PP in a demonstrable manner, if the PP
+ explicitly allows this.
+ If an ST claims conformance to multiple PPs, it shall
+ conform (as described above) to each PP in the manner
+ ordained by that PP. This may mean that the ST conforms
+ strictly to some PPs and demonstrably to other PPs.
+ Note that either the ST conforms to the PP in question or it
+ does not. The CC does not recognise ``partial''
+ conformance. It is therefore the responsibility of the PP
+ author to ensure the PP is not overly onerous, prohibiting
+ PP/ST authors in claiming conformance to the PP.
+ An ST is equivalent or more restrictive than a PP if:
+
+ all TOEs that meet the ST also meet the PP, and
+
+ all operational environments that meet the PP also meet
+ the ST.
+
+ or, informally, the ST shall levy the same or more,
+ restrictions on the TOE and the same or less restrictions on
+ the operational environment of the TOE.
+ This general statement can be made more specific for various
+ subclauses of the ST:
+ Security problem definition: The
+ conformance rationale in the ST shall demonstrate that
+ the security problem definition in the ST is equivalent
+ (or more restrictive) than the security problem
+ definition in the PP. This means that:
+
+ all TOEs that would meet the security problem
+ definition in the ST also meet the security problem
+ definition in the PP;
+
+ all operational environments that would meet the
+ security problem definition in the PP would also
+ meet the security problem definition in the ST.
+ Security objectives: The conformance
+ rationale in the ST shall demonstrate that the security
+ objectives in the ST is equivalent (or more restrictive)
+ than the security objectives in the PP. This means that:
+
+ all TOEs that would meet the security objectives for
+ the TOE in the ST also meet the security objectives
+ for the TOE in the PP;
+
+ all operational environments that would meet the
+ security objectives for the operational environment
+ in the PP would also meet the security objectives
+ for the operational environment in the ST.
+
+ If strict conformance for protection profiles is specified
+ then the following requirements apply:
+ Security problem definition: The ST shall
+ contain the security problem definition of the PP, may
+ specify additional threats and OSPs, but may not specify
+ additional assumptions.
+ Security objectives: The ST:
+
+ shall contain all security objectives for the TOE of
+ the PP but may specify additional security
+ objectives for the TOE;
+
+ shall contain all security objectives for the
+ operational environment (with one exception in the
+ next bullet) but may not specify additional security
+ objectives for the operational environment;
+
+ may specify that certain objectives for the
+ operational environment in the PP are security
+ objectives for the TOE in the ST. This is called
+ re-assigning a security objective. If a security
+ objective is re-assigned to the TOE the security
+ objectives rationale has to make clear which
+ assumption or part of the assumption is not
+ necessary any more.
+ Security requirements: The ST shall contain
+ all SFRs and SARs in the PP, but may claim additional or
+ hierarchically stronger SFRs and SARs. The completion of
+ operations in the ST must be consistent with that in the
+ PP; either the same completion will be used in the ST as
+ that in the PP or one that makes the requirement more
+ restrictive (the rules of refinement apply).
+
+ If demonstrable conformance for protection profiles is
+ specified then the following requirements apply:
+
+ the ST shall contain a rationale on why the ST is
+ considered to be ``equivalent or more restrictive'' than
+ the PP.
+
+ Demonstrable conformance allows a PP author to describe
+ a common security problem to be solved and provide
+ generic guidelines to the requirements necessary for its
+ resolution, in the knowledge that there is likely to be
+ more than one way of specifying a resolution.
+
+ PP evaluation is optional. Evaluation is performed by applying
+ the criteria to them as listed in
+ CC Part 3. The goal of such an evaluation is to demonstrate
+ that the PP is complete, consistent, and technically sound and
+ suitable for use as a template on which to build another PP or
+ an ST.
+ Basing a PP/ST on an evaluated PP has two advantages:
+
+ There is much less risk that there are errors, ambiguities
+ or gaps in the PP. If any problems with a PP (that would
+ have been caught by evaluating that PP) are found during
+ the writing or evaluation of the new ST, significant time
+ may elapse before the PP is corrected.
+
+ Evaluation of the new PP/ST may often re-use evaluation
+ results of the evaluated PP, resulting in less effort
+ for evaluating the new PP/ST.
+
+ If an ST claims to be conformant to one or more packages
+ and/or Protection Profiles, the evaluation of that ST will
+ (among other properties of that ST) demonstrate that the ST
+ actually conforms to these packages and/or PPs that they claim
+ conformance to. Details of this determination of conformance
+ can be found in .
+ This allows the following process:
+
+ An organisation seeking to acquire a particular type of
+ IT security product develops their security needs into a
+ PP, then has this evaluated and publishes it;
+
+ A developer takes this PP, writes an ST that claims
+ conformance to the PP and has this ST evaluated;
+
+ The developer then builds a TOE (or uses an existing
+ one) and has this evaluated against the ST.
+
+ The result is that the developer can prove that his TOE is
+ conformant to the security needs of the organisation: the
+ organisation can therefore acquire that TOE. A similar line of
+ reasoning applies to packages.
+ The CC also allows PPs to conform to other PPs, allowing
+ chains of PPs to be constructed, each based on the previous
+ one(s).
+ For instance, one could take a PP for an Integrated Circuit
+ and a PP for a Smart Card OS, and use these to construct a
+ Smart Card PP (IC and OS) that claims conformance to the
+ other two. One could then write a PP on Smart Cards for
+ Public Transport based on the Smart Card PP and a PP on
+ Applet Loading. Finally, a developer could then construct an
+ ST based on this Smart Cards for Public Transport PP.
+ This clause presents the expected results from PP and ST/TOE
+ evaluations performed according to the CEM.
+ PP evaluations lead to catalogues of evaluated PPs.
+ An ST evaluation leads to intermediate results that are used
+ in the frame of a TOE evaluation.
+ ST/TOE evaluations lead to catalogues of evaluated TOEs. In
+ many cases these catalogues will refer to the IT products that
+ the TOEs are derived from rather than the specific
+ TOE. Therefore, the existence of an IT product in a catalogue
+ should not be construed as meaning that the whole IT product
+ has been evaluated; instead the actual extent of the ST/TOE
+ evaluation is defined by the ST. Refer to the bibliography for
+ examples of such catalogues.
+ STs may be based on packages, evaluated PPs or non-evaluated
+ PPs - however this is not mandatory, as STs do not have to be
+ based on anything at all.
+ Evaluation should lead to objective and repeatable results
+ that can be cited as evidence, even if there is no absolute
+ objective scale for representing the results of a security
+ evaluation. The existence of a set of evaluation criteria is a
+ necessary pre-condition for evaluation to lead to a meaningful
+ result and provides a technical basis for mutual recognition
+ of evaluation results between evaluation authorities.
+ An evaluation result represents the findings of a specific
+ type of investigation of the security properties of a
+ TOE. Such a result does not automatically guarantee fitness
+ for use in any particular application environment. The
+ decision to accept a TOE for use in a specific application
+ environment is based on consideration of many security issues
+ including the evaluation findings.
+ CC Part 3 contains the evaluation criteria that an evaluator
+ is obliged to consult in order to state whether a PP is
+ complete, consistent, and technically sound and hence suitable
+ for use in developing an ST.
+ The results of the evaluation shall also include a
+ ``Conformance Claim'' (see Subclause )).
+ CC Part 3 contains the evaluation criteria that an evaluator
+ is obliged to consult in order to determine whether
+ sufficient assurance exists that the TOE satisfies the SFRs
+ in the ST. Evaluation of the TOE shall therefore result in a
+ pass/fail statement for the ST. If both the ST and the TOE
+ evaluation have resulted in a pass statement, the underlying
+ product is eligible for inclusion in a registry. The results
+ of evaluation shall also include a ``Conformance Claim'' as
+ defined in the next subclause.
+ It may be the case that the evaluation results are
+ subsequently used in a certification process, but this
+ certification process is outside the scope of the CC.
+ The conformance claim indicates the source of the collection
+ of requirements that is met by a PP or ST that passes its
+ evaluation. This conformance claim contains a CC conformance
+ claim that:
+
+ describes the version of the CC to which the PP
+ or ST claims conformance.
+
+ describes the conformance to CC Part 2 (security
+ functional requirements) as either:
+ CC Part 2 conformant - A PP or ST
+ is CC Part 2 conformant if all SFRs in that PP
+ or ST are based only upon functional components in
+ CC Part 2, or
+ CC Part 2 extended - A PP or ST
+ is CC Part 2 extended if at least one SFR in
+ that PP or ST is not based upon functional
+ components in CC Part 2.
+
+ describes the conformance to CC Part 3 (security
+ assurance requirements) as either:
+ CC Part 3 conformant - A PP or ST
+ is CC Part 3 conformant if all SARs in that PP
+ or ST are based only upon assurance components in
+ CC Part 3, or
+ CC Part 3 extended - A PP or ST
+ is CC Part 3 extended if at least one SAR in
+ that PP or ST is not based upon assurance components
+ in CC Part 3.
+
+ Additionally, the conformance claim may include a statement
+ made with respect to packages, in which case it consists of
+ one of the following:
+ Package name Conformant - A PP or ST is
+ conformant to a pre-defined package (e.g. EAL) if:
+
+ the SFRs of that PP or ST are identical to the SFRs
+ in the package, or
+
+ the SARs of that PP or ST are identical to the SARs
+ in the package.
+ Package name Augmented - A PP or ST is
+ an augmentation of a predefined package if:
+
+ the SFRs of that PP or ST contain all SFRs in the
+ package, but have at least one additional SFR or one
+ SFR that is hierarchically higher than an SFR in the
+ package.
+
+ the SARs of that PP or ST contain all SARs in the
+ package, but have at least one additional SAR or one
+ SAR that is hierarchically higher than an SAR in the
+ package.
+
+ Note that when a TOE is successfully evaluated to a given
+ ST, any conformance claims of the ST also hold for the
+ TOE. A TOE can therefore also be e.g. CC Part 2 conformant.
+ Finally, the conformance claim may also include two
+ statements with respect to Protection Profiles:
+ PP Conformant - A PP or TOE meets
+ specific PP(s), which are listed as part of the
+ conformance result.
+ Conformance Statement (Only for PPs) -
+ This statement describes the manner in which PPs or STs
+ must conform to this PP: strict or demonstrable. For
+ more information on this Conformance Statement, see
+   .
+
+ Once an ST and a TOE have been evaluated, asset owners can
+ have the assurance (as defined in the ST) that the TOE,
+ together with the operational environment, counters the
+ threats. The evaluation results may be used by the asset
+ owner in deciding whether to accept the risk of exposing the
+ assets to the threats.
+ However, the asset owner should carefully check whether:
+
+ the Security Problem Definition in the ST matches the
+ security problem of the asset owner;
+
+ the Operational Environment of the asset owner conforms
+ (or can be made to conform) to the security objectives
+ for the Operational Environment described in the ST.
+
+ If either of these is not the case, the TOE may not be
+ suitable for the purposes of the asset owner.
+ Additionally, once an evaluated TOE is in operation, it is
+ still possible that previously unknown errors or
+ vulnerabilities in the TOE may surface. In that case, the
+ developer may correct the TOE (to repair the
+ vulnerabilities) or change the ST to exclude the
+ vulnerabilities from the scope of the evaluation. In either
+ case, the old evaluation results may no longer be valid.
+ If it is deemed necessary that confidence is regained,
+ re-evaluation is needed. The CC may be used for this
+ re-evaluation, but detailed procedures for re-evaluation are
+ outside the scope of this part of the CC.
+ The goal of this annex is to explain the Security Target (ST)
+ concept. This annex does not define the criteria; this definition can be found in CC Part
+ 3 and is supported by the documents given in the bibliography.
+ This annex consists of four major parts:
+ What an ST must contain. This is
+ summarised in Subclause , and described in more detail
+ in Subclauses - . These subclauses describe the
+ mandatory contents of the ST, the interrelationships
+ between these contents, and provide examples.
+ How an ST should be used. This is
+ summarised in Subclause , and described in more detail in
+ subclause . These
+ subclauses describe how an ST should be used, and some of
+ the questions that can be answered with an ST.
+ Low Assurance STs. Low Assurance STs are
+ STs with reduced content. They are described in detail in
+ subclause .
+ Claiming compliance with
+ standards. Subclause describes how an ST writer can claim that
+ the TOE meets a particular standard.
+
+ Figure portrays the mandatory
+ contents of an ST that are given in CC Part 3. Figure may also be used as a structural outline
+ of the ST, though alternative structures are allowed. For
+ instance, if the security requirements rationale is
+ particularly bulky, it could be included in an appendix of the
+ ST instead of in the security requirements subclause. The
+ separate subclauses of an ST and the contents of those
+ subclauses are briefly summarised below and explained in much
+ more detail in subclauses to . An ST normally contains:
+ an ST introduction containing three
+ narrative descriptions of the TOE on different levels of
+ abstraction;
+ a conformance claim, showing whether the
+ ST claims conformance to any PPs and/or packages, and if
+ so, to which PPs and/or packages;
+ a security problem definition, showing
+ threats, OSPs and assumptions;
+ security objectives, showing how the
+ solution to the security problem is divided between
+ security objectives for the TOE and security objectives
+ for the operational environment of the TOE;
+ extended components definition
+ (optional), where new components (i.e. those not included
+ in CC Part 2 or CC Part 3) may be defined. These new
+ components are needed to define extended functional and
+ extended assurance requirements;
+ security requirements, where a
+ translation of the security objectives for the TOE into a
+ standardised language is provided. This standardised
+ language is in the form of SFRs. Additionally this
+ subclause defines the SARs;
+ a TOE summary specification, showing how
+ the SFRs are implemented in the TOE.
+
+ There also exists low assurance STs which have reduced
+ contents; these are described in detail in subclause . All other parts of this Annex assume an ST
+ with full contents.
+ A typical ST fulfils two roles:
+
+ Before and during the evaluation, the ST specifies
+ ``what is to be evaluated''. In this role, the ST serves
+ as a basis for agreement between the developer and the
+ evaluator on the exact security properties of the TOE
+ and the exact scope of the evaluation. Technical
+ correctness and completeness are major issues for this
+ role. Subclause describes how
+ the ST should be used in this role.
+
+ After the evaluation, the ST specifies ``what was
+ evaluated''. In this role, the ST serves as a basis for
+ agreement between the developer or re-seller of the TOE
+ and the potential consumer of the TOE. The ST describes
+ the exact security properties of the TOE in an abstract
+ manner, and the potential consumer can rely on this
+ description because the TOE has been evaluated to meet
+ the ST. Ease of use and understandability are major
+ issues for this role. Subclause describes how the ST should be used
+ in this role.
+
+ Two roles (among many) that an ST should not fulfil are:
+ a detailed specification: An ST is
+ designed to be a security specification on a relatively
+ high level of abstraction. An ST should, in general, not
+ contain detailed protocol specifications, detailed
+ descriptions of algorithms and/or mechanisms, long
+ description of detailed operations etc.
+ a complete specification: An ST is
+ designed to be a security specification and not a
+ general specification. Unless security-relevant,
+ properties such as interoperability, physical size and
+ weight, required voltage etc. should not be part of an
+ ST. This means that in general an ST may be a part of a
+ complete specification, but not a complete specification
+ itself.
+
+ The ST introduction describes the TOE in a narrative way on
+ three levels of abstraction:
+
+ the ST reference and the TOE reference, which provide
+ identification material for the ST and the TOE that the ST
+ refers to;
+
+ the TOE overview, which briefly describes the TOE;
+
+ the TOE description, which describes the TOE in more
+ detail.
+
+ An ST contains a clear ST reference that identifies that
+ particular ST. A typical ST reference consists of title,
+ version, authors and publication date. An example of an ST
+ reference is ``MauveRAM Database ST, version 1.3, MauveCorp
+ Specification Team, 11 October 2002''.
+ An ST also contains a TOE reference that identifies the TOE
+ that claims conformance to the ST. A typical TOE reference
+ consists of developer name, TOE name and TOE version
+ number. An example of a TOE reference is ``MauveCorp
+ MauveRAM Database v2.11''. As a single TOE may be evaluated
+ multiple times, for instance by different consumers of that
+ TOE, and therefore have multiple STs, this reference is not
+ necessarily unique.
+ If the TOE is constructed from one or more well-known
+ products, it is allowed to reflect this in the TOE
+ reference, by referring to the product name(s). However,
+ this should not be used to mislead consumers: situations
+ where major parts or security functionalities were not
+ considered in the evaluation, yet the TOE reference does not
+ reflect this are not allowed.
+ The ST reference and the TOE reference facilitate indexing
+ and referencing the ST and TOE and their inclusion in
+ summaries of lists of evaluated TOEs/Products.
+ The TOE overview is aimed at potential consumers of a TOE
+ who are looking through lists of evaluated TOEs/Products to
+ find TOEs that may meet their security needs, and are
+ supported by their hardware, software and firmware. The
+ typical length of a TOE overview is several paragraphs.
+ To this end, the TOE overview briefly describes the usage of
+ the TOE and its major security features, identifies the TOE
+ type and identifies any major non-TOE
+ hardware/software/firmware required by the TOE.
+ The description of the usage and major security features
+ of the TOE is intended to give a very general idea of what
+ the TOE is capable of in terms of security, and what it
+ can be used for in a security context. This subclause
+ should be written for (potential) TOE consumers,
+ describing TOE usage and major security features in terms
+ of business operations, using language that TOE consumers
+ understand.
+ An example of this is ``The MauveCorp MauveRAM Database
+ v2.11 is a multi-user database intended to be used in a
+ networked environment. It allows 1024 users to be active
+ simultaneously. It allows password/token and biometric
+ authentication, protects against accidental data
+ corruption, and can roll-back ten thousand
+ transactions. Its audit features are highly configurable,
+ so as to allow detailed audit to be performed for some
+ users and transactions, while protecting the privacy of
+ other users and transactions.''
+ The TOE overview identifies the general type of TOE, such
+ as: firewall, VPN-firewall, smart card, crypto-modem,
+ intranet, web server, database, web server and database,
+ LAN, LAN with web server and database, etc.
+ It may be the case that the TOE is not of a readily
+ available type, in which case ``none'' would be
+ acceptable.
+ In some cases, a TOE type can mislead consumers. Examples include:
+
+ certain functionality can be expected of the TOE
+ because of its TOE type, but the TOE does not have
+ this functionality. Examples include:
+
+ an ATM-card type TOE, which does not support any
+ identification/authentication functionality;
+
+ a firewall type TOE, which does not support
+ protocols that are almost universally used;
+
+ a PKI-type TOE, which has no certificate
+ revocation functionality.
+
+ the TOE can be expected to operate in certain
+ operational environments because of its TOE type, but
+ it cannot do so. Examples include:
+
+ a PC-operating system type TOE, which is unable to
+ function securely unless the PC has no network
+ connection, floppy drive, and CD/DVD-player;
+
+ a firewall, which is unable to function securely
+ unless all users that can connect through that
+ firewall are benign.
+
+ While some TOEs do not rely upon other IT, many TOEs
+ (notably software TOEs) rely on additional, non-TOE,
+ hardware, software and/or firmware. In the latter case,
+ the TOE overview is required to identify such non-TOE
+ hardware,software and/or firmware . A complete and fully
+ detailed identification of the additional hardware,
+ software and/or firmware is not necessary, but the
+ identification should be complete and detailed enough for
+ potential consumers to determine the major
+ hardware,software and/or firmware needed to use the TOE.
+ Example hardware/software/firmware identifications are:
+
+ a standard PC with a 1GHz or faster processor and
+ 512MB or more RAM, running version 3.0 Update 6b, c,
+ or 7, or version 4.0 of the Yaiza operating system;
+
+ a standard PC with a 1GHz or faster version processor
+ and 512MB or more RAM, running version 3.0 Update 6d
+ of the Yaiza operating system and the WonderMagic 1.0
+ Graphics card with the 1.0 WM Driver Set;
+
+ a standard PC with version 3.0 of the Yaiza OS (or
+ higher);
+
+ a CleverCard SB2067 integrated circuit;
+
+ a CleverCard SB2067 integrated circuit running v2.0 of
+ the QuickOS smart card operating system;
+
+ the December 2002 installation of the LAN of the
+ Director-General's Office of the Department of
+ Traffic.
+
+ A TOE description is a narrative description of the TOE,
+ likely to run to several pages.
The TOE description should
+ provide evaluators and potential consumers with a general
+ understanding of the security capabilities of the TOE, in
+ more detail than was provided in the TOE overview. The TOE
+ description may also be used to describe the wider
+ application context into which the TOE will fit.
+ The TOE description discusses the physical scope of the TOE:
+ a list of all hardware, firmware, software and guidance
+ parts that constitute the TOE. This list should be described
+ at a level of detail that is sufficient to give the reader a
+ general understanding of those parts.
+ The TOE description should also discuss the logical scope of
+ the TOE: the logical security features offered by the TOE at
+ a level of detail that is sufficient to give the reader a
+ general understanding of those features. This description is
+ expected to be in more detail than the major security
+ features described in the TOE overview.
+ An important property of the physical and logical scopes is
+ that they describe the TOE in such a way that there remains
+ no doubt on whether a certain part or feature is in the TOE
+ or whether this part or feature is outside the TOE. This is
+ especially important when the TOE is intertwined with and
+ cannot be easily separated from non-TOE entities.
+ Examples where the TOE is intertwined with non-TOE entities
+ are:
+
+ the TOE is a cryptographic co-processor of a smart card
+ IC, instead of the entire IC;
+
+ the TOE is a smart card IC, except for the cryptographic
+ processor;
+
+ the TOE is the Network Address Translation part of the
+ MinuteGap Firewall v18.5.
+
+ This subclause of an ST describes how the ST conforms with:
+
+ Part 2 and Part 3 of this International Standard;
+
+ Protection Profiles (if any);
+
+ Packages (if any).
+
+ The description of how the ST conforms to the CC consists of
+ two items: the version of the CC that is used and whether the
+ ST contains extended security requirements or not (see
+ Subclause ).
+ The description of conformance of the ST to Protection
+ Profiles means that the ST lists the packages that conformance
+ is being claimed to. For an explanation of this, see Subclause
+ .
+ The description of conformance of the ST to packages means
+ that the ST lists the packages that conformance is being
+ claimed to. For an explanation of this, see Subclause .
+ The security problem definition defines the security problem
+ that is to be addressed. The security problem definition is,
+ as far as the CC is concerned, axiomatic. That is,
+ the process of deriving the security problem definition
+ falls outside the scope of the CC.
+ However, it should be noted that the usefulness of the
+ results of an evaluation strongly depends on the ST, and the
+ usefulness of the ST strongly depends on the quality of the
+ security problem definition. It is therefore often
+ worthwhile to spend significant resources and use
+ well-defined processes and analyses to derive a good
+ security problem definition.
+ Note that according to CC Part 3 it is not mandatory
+ to have statements in all subclauses, an ST with threats
+ does not need to have OSPs and vice versa. Also, any ST may
+ omit assumptions.
+ Also note that where the TOE is physically distributed, it
+ may be better to discuss the relevant threats, OSPs and
+ assumptions separately for distinct domains of the TOE
+ operational environment.
+ This subclause of the security problem definition shows
+ the threats that are to be countered by the TOE, its
+ operational environment, or a combination of the two.
+ A threat consists of an adverse action performed by a
+ threat agent on an asset.
+ Adverse actions are actions performed by a threat agent on
+ an asset.
These actions influence one or more properties
+ of an asset from which that asset derives its value.
+ Threat agents may be described as individual entities, but
+ in some cases it may be better to describe them as types
+ of entities, groups of entities etc.
+ Examples of threat agents are hackers, users, computer
+ processes, and accidents. Threat agents may be further
+ described by aspects such as expertise, resources,
+ opportunity and motivation.
+ Examples of threats are:
+
+ a hacker (with substantial expertise, standard
+ equipment, and being paid to do so) remotely copying
+ confidential files from a company network;
+
+ a worm seriously degrading the performance of a
+ wide-area network;
+
+ a system administrator violating user privacy;
+
+ someone on the Internet listening in on confidential
+ electronic communication.
+
+ This subclause of the security problem definition shows
+ the OSPs that are to be enforced by the TOE, its
+ operational environment, or a combination of the two.
+ OSPs are security rules, procedures, or guidelines imposed
+ (or presumed to be imposed) now and/or in the future by an
+ actual or hypothetical organisation in the operational
+ environment. OSPs may be laid down by an organisation
+ controlling the operational environment of the TOE, or
+ they may be laid down by legislative or regulatory
+ bodies. OSPs can apply to the TOE and/or the operational
+ environment of the TOE.
+ Examples of OSPs are:
+
+ All products that are used by the Government must
+ conform to the National Standard for password
+ generation and encryption;
+
+ Only users with System Administrator privilege and
+ clearance of Department Secret shall be allowed to
+ manage the Department Fileserver.
+
+ This subclause of the security problem definition shows
+ the assumptions that are made on the operational
+ environment in order to be able to provide security
+ functionality.
If the TOE is placed in an operational
+ environment that does not meet these assumptions, the TOE
+ may not be able to provide all of its security
+ functionality anymore. Assumptions can be on physical,
+ personnel and connectivity of the operational environment.
+ Examples of assumptions are:
+
+ Assumptions on physical aspects of the operational environment:
+
+ It is assumed that the TOE will be placed in a
+ room that is designed to minimise electromagnetic
+ emanations;
+
+ It is assumed that the administrator consoles of
+ the TOE will be placed in a restricted access
+ area.
+
+ Assumptions on personnel aspects of the operational
+ environment:
+
+ It is assumed that users of the TOE will be
+ trained sufficiently in order to operate the TOE;
+
+ It is assumed that users of the TOE are approved
+ for information that is classified as National
+ Secret;
+
+ It is assumed that users of the TOE will not write
+ down their passwords.
+
+ Assumptions on connectivity aspects of the operational
+ environment:
+
+ It is assumed that a PC workstation with at least
+ 10GB of disk space is available to run the TOE on;
+
+ It is assumed that the TOE is the only non-OS
+ application running on this workstation;
+
+ It is assumed that the TOE will not be connected
+ to an untrusted network.
+
+ Note that during the evaluation these assumptions are
+ considered to be true: they are not tested in any way. For
+ these reasons, assumptions can only be made on the
+ operational environment. Assumptions can never be made on
+ the behaviour of the TOE because an evaluation consists of
+ evaluating assertions made about the TOE and not by
+ assuming that assertions on the TOE are true.
+ The security objectives are a concise and abstract statement
+ of the intended solution to the problem defined by the
+ security problem definition.
The role of the security
+ objectives is threefold:
+
+ provide a high-level, natural language solution of the
+ problem;
+
+ divide this solution into two part wise solutions, that
+ reflect that different entities each have to address a
+ part of the problem;
+
+ demonstrate that these part wise solutions form a
+ complete solution to the problem.
+
+ The security objectives consist of a set of short and
+ clear statements without overly much detail that together
+ form a high-level solution to the security problem. The
+ level of abstraction of the security objectives aims at
+ being clear and understandable to knowledgeable potential
+ consumers of the TOE. The security objectives are in
+ natural language.
+ In an ST the high-level security solution, as described by
+ the security objectives, is divided into two part wise
+ solutions. These part wise solutions are called the
+ security objectives for the TOE and the security
+ objectives for the operational environment. This reflects
+ that these part wise solutions are to be provided by two
+ different entities: the TOE, and the operational
+ environment.
+ The TOE provides security functionality to solve a
+ certain part of the problem defined by the security
+ problem definition. This part wise solution is called
+ the security objectives for the TOE and consists of a
+ set of objectives that the TOE should achieve in order
+ to solve its part of the problem.
+ Examples of security objectives for the TOE are:
+
+ The TOE shall keep confidential the content of all
+ files transmitted between it and a Server;
+
+ The TOE shall identify and authenticate all users
+ before allowing them access to the Transmission
+ Service provided by the TOE;
+
+ The TOE shall restrict user access to data according
+ to the Data Access policy described in Annex 3 of
+ the ST.
+
+ If the TOE is physically distributed, it may be better
+ to subdivide the ST subclause containing the security
+ objectives for the TOE into several sub-subclauses to
+ reflect this.
+ The operational environment of the TOE implements
+ technical and procedural measures to assist the TOE in
+ correctly providing its security functionality (which is
+ defined by the security objectives for the TOE). This
+ part wise solution is called the security objectives for
+ the operational environment and consists of a set of
+ statements describing the goals that the operational
+ environment should achieve.
+ Examples of security objectives for the operational
+ environment are:
+
+ The operational environment shall provide a
+ workstation with the OS Inux version 3.01b to
+ execute the TOE on;
+
+ The operational environment shall ensure that all
+ human TOE users receive appropriate training before
+ allowing them to work with the TOE;
+
+ The operational environment of the TOE shall
+ restrict physical access to the TOE to
+ administrative personnel and maintenance personnel
+ accompanied by administrative personnel;
+
+ The operational environment shall ensure the
+ confidentiality of the audit logs generated by the
+ TOE before sending them to the central Audit Server.
+
+ If the operational environment of the TOE consists of
+ multiple sites, each with different properties, it may
+ be better to subdivide the ST subclause containing the
+ security objectives for the operational environment into
+ several sub-subclauses to reflect this.
+ The ST also contains a security objectives rationale
+ containing two subclauses:
+
+ a tracing that shows which security objectives
+ address which threats, OSPs and assumptions;
+
+ a set of justifications that shows that all threats,
+ OSPs, and assumptions are effectively addressed by
+ the security objectives.
+
+ The tracing shows how the security objectives trace
+ back to the threats, OSPs and assumptions as described
+ in the security problem definition.
+ No spurious objectives: Each
+ security objective traces to at least one threat,
+ OSP or assumption.
+ Complete with respect to the security
+ problem definition: Each threat, OSP and
+ assumption has at least one security objective
+ tracing to it.
+ Correct tracing: Since
+ assumptions are always made by the TOE on the
+ operational environment, security objectives for
+ the TOE do not trace back to assumptions. The
+ tracings allowed by CC Part 3 are depicted in
+ Figure .
+
+ Multiple security objectives may trace to the same
+ threat, indicating that the combination of those
+ security objectives counters that threat. A similar
+ argument holds for OSPs and assumptions.
+ The security objectives rationale also demonstrates
+ that the tracing is effective: All the given threats,
+ OSPs and assumption are addressed (i.e. countered,
+ enforced and upheld respectively) if all security
+ objectives tracing to a particular threat, OSP or
+ assumption are achieved.
+ This demonstration analyses the effect of achieving
+ the relevant security objectives on countering the
+ threats, enforcing the OSPs and upholding the
+ assumptions and leads to the conclusion that this is
+ indeed the case.
+ In some cases, where parts of the security problem
+ definition very closely resemble some security
+ objectives, the demonstration can be very simple. An
+ example is: a threat ``T17: Threat agent X reads the
+ Confidential Information in transit between A and B'',
+ a security objective for the TOE: ``OT12: The TOE
+ shall ensure that all information transmitted between
+ A and B is kept confidential'', and a demonstration
+ ``T17 is directly countered by OT12''.
+ Countering a threat does not necessarily mean removing
+ that threat, it can also mean sufficiently diminishing
+ that threat or sufficiently mitigating that threat.
+ Examples of removing a threat are:
+
+ removing the ability to execute the adverse action
+ from the threat agent;
+
+ moving, changing or protecting the asset in such a
+ way that the adverse action is no longer
+ applicable to it;
+
+ removing the threat agent (e.g. removing machines
+ from a network that frequently crash that
+ network).
+
+ Examples of diminishing a threat are:
+
+ restricting the ability of a threat agent to
+ perform adverse actions;
+
+ restricting the opportunity to execute an adverse
+ action of a threat agent;
+
+ reducing the likelihood of an executed adverse
+ action being successful;
+
+ reducing the motivation to execute an adverse
+ action of a threat agent by deterrence;
+
+ requiring greater expertise or greater resources
+ from the threat agent.
+
+ Examples of mitigating the effects of a threat are:
+
+ making frequent back-ups of the asset;
+
+ obtaining spare copies of an asset;
+
+ insuring an asset;
+
+ ensuring that successful adverse actions are
+ always timely detected, so that appropriate action
+ can be taken.
+
+ Based on the security objectives and the security
+ objectives rationale, the following conclusion can be
+ drawn: if all security objectives are achieved then the
+ security problem as defined in is
+ solved: all threats are countered, all OSPs are
+ enforced, and all assumptions are upheld.
+ In many cases the security requirements (see the next
+ subclause) in an ST are based on components in CC Part 2
+ or CC Part 3. However, in some cases, there may be
+ requirements in an ST that are not based on components in
+ CC Part 2 or CC Part 3. In this case, new components
+ (extended components) must be defined, and this definition
+ should be done in the Extended Components Definition. For
+ more information on this, see Annex .
+ Note that this subclause is intended to contain only the
+ extended components and not the extended requirements
+ (requirements based on extended components). The extended
+ requirements should be included in the security
+ requirements (see the next subclause) and are for all
+ purposes the same as requirements based on components in
+ CC Part 2 or CC Part 3.
+ The security requirements consist of two groups of
+ requirements:
+ the security functional requirements
+ (SFRs): a translation of the security objectives for the
+ TOE into a standardised language;
+ the security assurance requirements
+ (SARs): a description of how assurance is to be gained
+ that the TOE meets the SFRs.
+
+ These two groups are discussed in the following two subclauses:
+ The SFRs are a translation of the security objectives for
+ the TOE. They are usually at a more detailed level of
+ abstraction, but they have to be a complete translation
+ (the security objectives must be completely addressed) and
+ be independent of any specific technical solution
+ (implementation). The CC requires this translation into a
+ standardised language for several reasons:
+
+ to provide an exact description of what is to be
+ evaluated. As security objectives for the TOE are
+ usually formulated in natural language, translation
+ into a standardised language enforces a more exact
+ description of the functionality of the TOE.
+
+ to allow comparison between two STs. As different ST
+ authors may use different terminology in describing
+ their security objectives, the standardised language
+ enforces using the same terminology and concepts. This
+ allows easy comparison.
+
+ There is no translation required in the CC for the
+ security objectives for the operational environment,
+ because the operational environment is not evaluated and
+ does therefore not require a description aimed at its
+ evaluation. See the bibliography for items relevant to the
+ security assessment of operational systems.
+ It may be the case that parts of the operational
+ environment are evaluated in another evaluation, but this
+ is out of scope for the current evaluation. For example:
+ an OS TOE may require a firewall to be present in its
+ operational environment.
Another evaluation may
+ subsequently evaluate the firewall, but this evaluation
+ has nothing to do with the evaluation of the OS TOE.
+ The CC supports this translation in three ways:
+
+ by providing a predefined precise ``language''
+ designed to describe exactly what is to be
+ evaluated. This language is defined as a set of
+ components defined in CC Part 2. The use of this
+ language as a well-defined translation of the
+ security objectives for the TOE to SFRs is
+ mandatory, though some exceptions exist (see
+ Subclause ).
+
+ by providing operations: mechanisms that allow the
+ ST writer to modify the SFRs to provide a more
+ accurate translation of the security objectives for
+ the TOE. This part of the CC defines the four
+ allowed operations: assignment, selection,
+ iteration, and refinement. These are described
+ further in Subclause .
+
+ by providing dependencies: a mechanism that supports
+ a more complete translation to SFRs. In the CC Part
+ 2 language, an SFR can have a dependency on other
+ SFRs. This signifies that if an ST uses that SFR, it
+ generally needs to use those other SFRs as
+ well. This makes it much harder for the ST writer to
+ overlook including necessary SFRs and thereby
+ improves the completeness of the ST. Dependencies
+ are described further in Subclause .
+
+ The ST also contains a security requirements rationale,
+ consisting of two subclauses about SFRs:
+
+ a tracing that shows which SFRs address which
+ security objectives for the TOE;
+
+ a set of justifications that shows that all security
+ objectives for the TOE are effectively addressed by
+ the SFRs.
+
+ The tracing shows how the SFRs trace back to the
+ security objectives for the TOE as follows:
+ No spurious SFRs: Each SFR traces
+ back to at least one security objective.
+ Complete with respect to the security
+ objectives for the TOE: Each security
+ objective for the TOE has at least one SFR tracing
+ to it.
+
+ Multiple SFRs may trace to the same security objective
+ for the TOE, indicating that the combination of those
+ security requirements meets that security objective
+ for the TOE.
+ The security requirements rationale demonstrates that
+ the tracing is effective: if all SFRs tracing to a
+ particular security objective for the TOE are
+ satisfied, that security objective for the TOE is
+ achieved.
+ This demonstration should analyse the effects of
+ satisfying the relevant SFRs on achieving the security
+ objective for the TOE and lead to the conclusion that
+ this is indeed the case.
+ In cases where SFRs very closely resemble security
+ objectives for the TOE, the demonstration can be very
+ simple.
+ The SARs are a description of how the TOE is to be
+ evaluated. This description uses a standardised language
+ for two reasons:
+
+ to provide an exact description of how the TOE is to
+ be evaluated. Using a standardised language assists in
+ creating an exact description and avoids ambiguity.
+
+ to allow comparison between two STs. As different ST
+ authors may use different terminology in describing
+ the evaluation, the standardised language enforces
+ using the same terminology and concepts. This allows
+ easy comparison.
+
+ This standardised language is defined as a set of
+ components defined in CC Part 3. The use of this
+ language is mandatory, though some exceptions
+ exist. The CC enhances this language in two ways:
+
+ by providing operations: mechanisms that allow the ST
+ writer to modify the SARs. The CC has four operations:
+ assignment, selection, iteration, and
+ refinement. These are described further in Subclause
+ .
+
+ by providing dependencies: a mechanism that supports a
+ more complete translation to SARs. In CC Part 3
+ language, an SAR can have a dependency on other
+ SARs. This signifies that if an ST uses that SAR, it
+ generally needs to use those other SARs as well.
This
+ makes it much harder for the ST writer to overlook
+ including necessary SARs and thereby improves the
+ completeness of STs. Dependencies are described
+ further in Subclause .
+
+ The ST also contains a security requirements rationale
+ that explains why this particular set of SARs was deemed
+ appropriate. There are no specific requirements for this
+ explanation. The goal for this explanation is to allow the
+ readers of the ST to understand the reasons why this
+ particular set was chosen.
+ An example of an inconsistency is if the security problem
+ description mentions threats where the threat agent is
+ very capable, and a low (or no) is
+ included in the SARs.
+ In the security problem definition of the ST, the security
+ problem is defined as consisting of threats, OSPs and
+ assumptions. In the security objectives subclause of the
+ ST, the solution is provided in the form of two
+ sub-solutions:
+
+ security objectives for the TOE;
+
+ security objectives for the operational environment.
+
+ Additionally, a security objectives rationale is provided
+ showing that if all security objectives are achieved, the
+ security problem is solved: all threats are countered, all
+ OSPs are enforced, and all assumptions are upheld.
+ In the security requirements subclause of the ST, the
+ security objectives for the TOE are translated to SFRs and
+ a security requirements rationale is provided showing that
+ if all SFRs are satisfied, all security objectives for the
+ TOE are achieved.
+ Additionally, a set of SARs is provided to show how the
+ TOE is evaluated, together with an explanation for
+ selecting these SARs.
+ All of the above can be combined into the statement: If
+ all SFRs and SARs are satisfied and all security
+ objectives for the operational environment are achieved,
+ then there exists assurance that the security problem as
+ defined in is solved: all
+ threats are countered, all OSPs are enforced, and all
+ assumptions are upheld. This is illustrated in Figure
+ .
+ The amount of assurance obtained is defined by the SARs,
+ and whether this amount of assurance is sufficient is
+ defined by the explanation for choosing these SARs.
+ The objective for the TOE summary specification is to provide
+ potential consumers of the TOE with a description of how the
+ TOE satisfies all the SFRs. The TOE summary specification
+ should provide the general technical mechanisms that the TOE
+ uses for this purpose. The level of detail of this description
+ should be enough to enable potential consumers to understand
+ the general form and implementation of the TOE.
+ For instance if the TOE is an Internet PC and the SFRs contain
+ to specify authentication,
+ the TOE summary specification should indicate how this
+ authentication is done: password, token, iris scanning
+ etc. More information, like applicable standards that the TOE
+ uses to meet SFRs, or more detailed descriptions may also be
+ provided.
+ After the evaluation, the ST specifies ``what was
+ evaluated''. In this role, the ST serves as a basis for
+ agreement between the developer or re-seller of the TOE and
+ the potential consumer of the TOE.
The ST can therefore answer
+ the following questions (and more):
+ How can I find the ST/TOE that I need given the
+ multitude of existing STs/TOEs? This question is
+ addressed by the TOE overview, which gives a brief
+ (several paragraphs) summary of the TOE;
+ Does this TOE fit in with my existing
+ IT-infrastructure? This question is addressed by
+ the TOE overview, which identifies the major
+ hardware/firmware/software elements needed to run the TOE;
+ Does this TOE fit in with my existing operational
+ environment? This question is addressed by the
+ security objectives for the operational environment, which
+ identifies all constraints the TOE places on the
+ operational environment in order to function;
+ What does the TOE do (interested reader)?
+ This question is addressed by the TOE overview, which
+ gives a brief (several paragraphs) summary of the TOE;
+ What does the TOE do (potential
+ consumer)? This question is addressed by the TOE
+ description, which gives a less brief (several pages)
+ summary of the TOE;
+ What does the TOE do (technical)? This
+ question is addressed by the TOE summary specification
+ which provides a high-level description of the mechanisms
+ the TOE uses;
+ What does the TOE do (expert)? This
+ question is addressed by the SFRs which provide an
+ abstract highly technical description, and the TOE summary
+ specification which provide additional detail;
+ Does the TOE address the problem as defined by my
+ government/organisation? If your
+ government/organisation has defined packages and/or PPs to
+ define this solution, then the answer can be found in the
+ Conformance Claims subclause of the ST, which lists all
+ packages and PPs that the ST conforms to
+ Does the TOE address my security problem
+ (expert)? What are the threats countered by the
+ TOE? What organisational security policies does it
+ enforce? What assumptions does it make about the
+ operational environment?
These questions are addressed by
+ the security problem definition;
+ How much trust can I place in the TOE?
+ This can be found in the SARs in the security requirements
+ subclause, which provide the assurance level that was used
+ to evaluate the TOE, and hence the trust that the
+ evaluation provides in the correctness of the TOE.
+
+ Writing an ST is not a trivial task, and may, especially in
+ low assurance evaluations, be a major part of the total effort
+ expended by the developer and the evaluator in the whole of
+ the evaluation. For this reason, it is also possible to write
+ a low assurance ST.
+ The CC allows the use of a low assurance ST for an EAL 1
+ evaluation, but not for EAL 2 and up. A low-assurance ST may
+ only claim conformance to a low-assurance PP (see ). A regular ST
+ (i.e., one with full contents) may claim conformance with a
+ low assurance PP.
+ A low assurance ST has a significantly reduced content
+ compared to a regular ST:
+
+ there is no need to describe the security problem definition;
+
+ there is no need to describe the security objectives for
+ the TOE. The security objectives for the operational
+ environment must still be described;
+
+ there is no need to describe the security objectives
+ rationale as there is no security problem definition in
+ the ST;
+
+ the security requirements rationale only needs to justify
+ (any) dependencies not being satisfied as there are no
+ security objectives for the TOE in the ST.
+
+ All that remains are:
+
+ the references to TOE and ST;
+
+ a conformance claim;
+
+ the various narrative descriptions;
+
+ the TOE overview;
+
+ the TOE description;
+
+ the TOE summary specification.
+
+ security objectives for the operational environment;
+
+ the SFRs and the SARs (including the extended components
+ definition) and the security requirements rationale (only
+ if the dependencies are not satisfied).
+
+ The reduced content of a low assurance ST is shown in Figure
+ .
+ In some cases, an ST writer may wish to refer to an external
+ standard, such as a particular cryptographic standard or
+ protocol. The CC allows three ways of doing this:
+
+ As an organisational security policy (or part of it).
+
+ If, for example, there exists a government standard
+ defining how passwords have to be chosen, this may be
+ stated as an organisational security policy in an
+ ST. This may lead to an objective for the environment
+ (e. g. if users of the TOE need to choose passwords
+ accordingly), or it may lead to security objectives for
+ the TOE and then to appropriate SFRs (likely of the
+ class), if the TOE generates
+ passwords. In both cases the rationale of the developer
+ needs to make plausible that the security objectives for
+ the TOE and the SFRs are suitable to fulfil the OSP. The
+ evaluator will examine if this is in fact plausible (and
+ may decide to look into the standard for this), if the
+ OSP is implemented by SFRs, as explained below.
+ As a technical standard (for example a cryptographic
+ standard) used in a refinement of an SFR.
+
+ In this case conformance to the standard is part of the
+ fulfilment of the SFR by the TOE and is treated as if
+ the full text of the standard is part of the
+ SFR. Conformance is subsequently determined like any
+ other conformance to SFRs: during and
+ it is analysed, by design analysis and
+ tests, that the SFR is completely and fully implemented
+ in the TOE. If reference to only a certain part of a
+ standard is desired, that part should be unambiguously
+ stated in the SFR refinement.
+ As a technical standard (for example a cryptographic
+ standard) mentioned in the TOE summary specification.
+
+ The TOE summary specification is only considered as an
+ explanation of how the SFRs are realised, and is not
+ strictly used as a strict implementation requirement
+ like the SFRs or the documents delivered for .
So the evaluator may detect an inconsistency + if the TSS references a technical standard and this is + not reflected in documentation, but + there is no routine activity to test fulfilment of the + standard. + The goal of this Annex is to explain the Protection Profile + (PP) concept. This Annex does not define the criteria; this definition can be found in + CC Part 3 and is supported by the documents given in the + bibliography. + As PPs and STs have a significant overlap, this Annex focuses + on the differences between PPs and STs. The material that is + identical between STs and PPs is described in . + This annex consists of four major parts: + What a PP must contain. This is + summarised in Subclause , and described in more detail + in Subclauses -. These clauses describe the + mandatory contents of the PP, the interrelationships + between these contents, and provide examples. + How a PP should be used. This is + summarised in Subclause . + Low Assurance PPs. Low Assurance PPs are + PPs with reduced content. They are described in detail in + Subclause . + Claiming compliance with + standards. Subclause describes how a PP writer can claim that + the TOE is to meet a particular standard. + + Figure portrays the + mandatory content for a PP that is given in + CC Part 3. Figure may + also be used as a structural outline of the PP, though + alternative structures are allowed. For instance, if the + security requirements rationale is particularly bulky, it + could be included in an appendix of the PP instead of in the + security requirements subclause. The separate subclauses of a + PP and the contents of those subclauses are briefly summarised + below and explained in much more detail in Subclauses - . 
A + PP contains: + + a PP introduction containing a narrative + description of the TOE type; + + a conformance claim, showing whether the + PP claims conformance to any PPs and/or packages, and if + so, to which PPs and/or packages; + + a security problem definition, showing + threats, OSPs and assumptions; + security objectives, showing how the + solution to the security problem is divided between + security objectives for the TOE and security objectives + for the operational environment of the TOE; + extended components definition, where new + components (i.e. those not included in CC Part 2 or + CC Part 3) may be defined. These new components are + needed to define extended functional and extended + assurance requirements; + security requirements, where a + translation of the security objectives for the TOE into a + standardised language is provided. This standardised + language is in the form of SFRs. Additionally this + subclause defines the SARs; + + There also exist low assurance PPs, which have reduced + contents; these are described in detail in Subclause . With this exception, all other + parts of this Annex assume a PP with full contents.
+ A PP is typically a statement of need where a user
+ community, a regulatory entity, or a group of developers
+ define a common set of security needs. A PP gives consumers
+ a means of referring to this set, and facilitates future
+ evaluation against these needs.
+ A PP is therefore typically used as:
+
+ part of a requirement specification for a specific
+ consumer or group of consumers, who will only consider
+ buying a specific type of IT if it meets the PP;
+
+ part of a regulation from a specific regulatory entity,
+ who will only allow a specific type of IT to be used if
+ it meets the PP;
+
+ a baseline defined by a group of IT developers, who then
+ agree that all IT that they produce of this type will
+ meet this baseline.
+
+ though this does not preclude other uses.
+ Three roles (among many) that a PP should not fulfil are:
+ a detailed specification: A PP is
+ designed to be a security specification on a relatively
+ high level of abstraction. A PP should, in general, not
+ contain detailed protocol specifications, detailed
+ descriptions of algorithms and/or mechanisms, long
+ description of detailed operations etc.
+ a complete specification: A PP is
+ designed to be a security specification and not a general
+ specification. Unless security-relevant, properties such
+ as interoperability, physical size and weight, required
+ voltage etc. should not be part of a PP. This means that
+ in general a PP is a part of a complete specification, but
+ not a complete specification itself.
+ a specification of a single product:
+ Unlike an ST, a PP is designed to describe a certain type
+ of IT, and not a single product. When only a single
+ product is described, it is better to use an ST for this
+ purpose.
+
+ The PP introduction describes the TOE in a narrative way on
+ two levels of abstraction:
+
+ the PP reference, which provides identification material
+ for the PP;
+
+ the TOE overview, which briefly describes the TOE.
+
+ A PP contains a clear PP reference that identifies that
+ particular PP. A typical PP reference consists of title,
+ version, authors and publication date. An example of a PP
+ reference is ``Atlantean Navy CablePhone Encryptor PP,
+ version 2b, Atlantean Navy Procurement Office, April 7,
+ 2003''. The reference must be unique so that it is possible
+ to tell different PPs and different versions of the same PP
+ apart.
+ The PP reference facilitates indexing and referencing the PP
+ and its inclusion in lists of PPs.
+ The TOE overview is aimed at potential consumers of a TOE
+ who are looking through lists of evaluated products to find
+ TOEs that may meet their security needs, and are supported
+ by their hardware, software and firmware.
+ The TOE overview is also aimed at developers who may use the
+ PP in designing TOEs or in adapting existing products.
+ The typical length of a TOE overview is several paragraphs.
+ To this end, the TOE overview briefly describes the usage of
+ the TOE and its major security features, identifies the TOE
+ type and identifies any major non-TOE
+ hardware/software/firmware available to the TOE.
+ The description of the usage and major security features
+ of the TOE is intended to give a very general idea of what
+ the TOE should be capable of, and what it can be used
+ for. This subclause should be written for (potential) TOE
+ consumers, describing TOE usage and major security
+ features in terms of business operations, using language
+ that TOE consumers understand.
+ An example of this is ``The Atlantean Navy CablePhone
+ Encryptor is an encryption device that should allow
+ confidential communication between ships across the
+ Atlantean Navy CablePhone system. To this end it should
+ allow at least 32 different users and support at least 100
+ Mbps encryption speed. It should allow both bilateral
+ communication between ships and broadcast across the
+ entire network.''
+ The TOE overview identifies the general type of TOE, such
+ as: firewall, VPN-firewall, smart card, crypto-modem,
+ intranet, web server, database, web server and database,
+ LAN, LAN with web server and database, etc.
+ While some TOEs do not rely upon other IT, many TOEs
+ (notably software TOEs) rely on additional, non-TOE,
+ hardware, software and/or firmware. In the latter case,
+ the TOE overview is required to identify the non-TOE
+ hardware/software/firmware.
+ As a Protection Profile is not written for a specific
+ product, in many cases only a general idea can be given of
+ the available hardware/software/firmware. In some other
+ cases, e.g. a requirements specification for a specific
+ consumer where the platform is already known, (much) more
+ specific information may be provided.
+ Examples of hardware/software/firmware identifications
+ are:
+
+ None. (for a completely stand-alone TOE);
+
+ The Yaiza 3.0 Operating System running on a general
+ PC;
+
+ a CleverCard SB2067 integrated circuit;
+
+ a CleverCard SB2067 IC running v2.0 of the QuickOS
+ smart card operating system;
+
+ the December 2002 installation of the LAN of the
+ Director-General's Office of the Department of
+ Traffic.
+
+ This subclause of a PP describes how the PP conforms with
+ other PPs and with packages. It is identical to the
+ conformance claims subclause for an ST (see Subclause ), with one exception:
+ the conformance statement.
+ The conformance statement in the PP states how STs and/or
+ other PPs must conform to that PP. The PP author selects
+ whether ``strict'' or ``demonstrable'' conformance is
+ required. See
+ for more details on this.
+ This subclause is identical to the security problem definition
+ subclause of an ST as explained in Subclause .
+ This subclause is identical to the security objectives subclause
+ of an ST as explained in Subclause .
+ This subclause is identical to the extended components subclause
+ of an ST as explained in Subclause .
+ This subclause is identical to the security requirements
+ subclause of an ST as explained in Subclause . Note however that the rules for completing
+ operations in a PP are slightly different from the rules for
+ completing operations in an ST. This is explained in more
+ detail in Subclause .
+ A PP has no TOE summary specification.
+ A low assurance PP has the same relationship to a regular PP
+ (i.e., one with full contents), as a low assurance ST has to a
+ regular ST. This means that a low-assurance PP consists of
+
+ a PP introduction, consisting of a PP reference and a TOE
+ overview;
+
+ a conformance claim;
+
+ security objectives for the operational environment;
+
+ the SFRs and the SARs (including the extended components
+ definition) and the security requirements rationale (only
+ if the dependencies are not satisfied).
+
+ A low-assurance PP may only claim conformance to a
+ low-assurance PP (see ). A
+ regular PP may claim conformance with a low assurance PP.
+ The reduced content of a low assurance PP is shown in Figure
+ .
+ This subclause is identical to the subclause on standards for
+ STs as described in Subclause , with one exception: as a PP has no TOE
+ summary specification, the third option is not valid for PPs.
+ The PP author is reminded that referring to a standard in SFRs
+ may impose a significant burden on a developer developing a
+ TOE to meet that PP (depending on the size and complexity of
+ the standard and the assurance level required), and that it
+ may be more suitable to require alternative (non-CC related)
+ ways to assess conformance to that standard.
+ As described in this CC part 1, Protection Profiles and
+ Security Targets contain pre-defined security requirements, as
+ well as providing PP and ST authors the ability to extend the
+ component lists in some circumstances.
+ The four types of operations are given in section . Examples of the various
+ operations are described below:
+ As described in section
+ the iteration operation may be performed on every
+ component. The PP/ST author performs an iteration operation
+ by including multiple requirements based on the same
+ component. Each iteration of a component is different from
+ all other iterations of that component, which is realised by
+ completing assignments and selections in a different way, or
+ by applying refinements to it in a different way. Different
+ iterations should be uniquely identified to allow clear
+ rationales and tracings to and from these requirements.
+ A typical example of an iteration is
+ being iterated twice in order to require the implementation
+ of two different cryptographic algorithms. An example of
+ each iteration being uniquely identified is:
+
+ Cryptographic operation (RSA and DSA signatures)
+ (FCS_COP.1(1))
+
+ Cryptographic operation (TLS/SSL: symmetric operations)
+ (FCS_COP.1(2))
+
+ As described in subclause
+ an assignment operation occurs where a given component
+ contains an element with a parameter that may be set by the
+ PP/ST author. The parameter may be an unrestricted variable,
+ or a rule that narrows the variable to a specific range of
+ values.
+ An example of an element with an assignment is: ``When the defined number of
+ unsuccessful authentication attempts has been met or
+ surpassed, the TSF shall [assignment: list of
+ actions].''
+ As described in subclause
+ the selection operation occurs where a given component
+ contains an element where a choice from several items has to
+ be made by the PP/ST author.
+ An example of an element with a selection is: ``The TSF shall run a suite of
+ self tests [selection: during initial start-up, periodically
+ during normal operation, at the request of the authorised
+ user, at the conditions [assignment: conditions under which
+ self test should occur]] to demonstrate the correct
+ operation of ...''
+ As described in subclause
+ the refinement operation can be performed on every
+ requirement. The PP/ST author performs a refinement by
+ altering that requirement.
+ An example of a valid refinement is ``The TSF shall require each user to be
+ successfully authenticated before allowing any other
+ TSF-mediated actions on behalf of that user.'' being refined
+ to ``The TSF shall require each user to be successfully
+ authenticated by username/password before
+ allowing any other TSF-mediated actions on behalf of that
+ user.''
+ The first rule for a refinement is that a TOE meeting the
+ refined requirement also meets the unrefined requirement in
+ the context of the PP/ST (i.e. a refined requirement must be
+ ``stricter'' than the original requirement)
+ The only exception to this rule is that a PP/ST author is
+ allowed to refine a SFR to apply to some but not all
+ subjects, objects, operations, security attributes and/or
+ external entities.
+ An example of a such an exception is ``The TSF shall require each user to be
+ successfully authenticated before allowing any other
+ TSF-mediated actions on behalf of that user.'' being refined
+ to ``The TSF shall require each user originating from
+ the internet to be successfully authenticated before
+ allowing any other TSF-mediated actions on behalf of that
+ user.''
+ The second rule for a refinement given is that the
+ refinement shall be related to the original component. For
+ example, refining an audit component with an extra element
+ on prevention of electromagnetic radiation is not allowed.
+ A special case of refinement is an editorial refinement,
+ where a small change is made in a requirement,
+ i.e. rephrasing a sentence due to adherence to proper
+ English grammar, or to make it more understandable to the
+ reader. This change is not allowed to modify the meaning of
+ the requirement in any way. Examples of editorial
+ refinements include:
+
+ the SFR ``The TSF shall
+ continue to preserve a secure state when the following
+ failures occur: breakdown of one CPU''
+ could be refined to
+ ``The TSF shall continue to preserve a secure state when
+ the following failure occurs: breakdown of one
+ CPU'' or even
+ ``The TSF shall continue to preserve a secure state when
+ one CPU breaks down''.
+
+ The CC has organised the components in CC Part 2 and CC Part 3
+ into hierarchical structures:
+ Classes, consisting ofFamilies, consisting ofComponents, consisting ofElements.
+ This organisation into a hierarchy of class - family -
+ component - element is provided to assist consumers,
+ developers and evaluators in locating specific components.
+ The CC presents functional and assurance components in
+ the same general hierarchical style and use the same
+ organisation and terminology for each.
+ An example of a class is the class that is
+ focused at identification of users, authentication of users
+ and binding of users and subjects.
+ An example of a family is the family
+ which is part of the class. This family
+ concentrates on the authentication of users.
+ An example of a component is which
+ concentrates on unforgeable authentication.
+ An example of an element is which
+ concentrates on the prevention of use of copied
+ authentication data.
+ Whenever a PP/ST author defines an extended component,
+ this has to be done in a similar manner to the existing CC
+ components: clear, unambiguous and evaluatable (it is
+ possible to systematically demonstrate whether a
+ requirement based on that component holds for a
+ TOE). Extended components must use similar labelling,
+ manner of expression, and level of detail as the existing
+ CC components.
+ The PP/ST author also has to make to sure that all
+ applicable dependencies of an extended component are
+ included in the definition of that extended
+ component. Examples of possible dependencies are:
+
+ if an extended component refers to auditing,
+ dependencies to components of the
+ class may have to be included;
+
+ if an extended component modifies or accesses data,
+ dependencies to components of the
+ family may have to be included;
+
+ if an extended component uses a particular design
+ description a dependency to the appropriate family (e.g. Functional Specification) may
+ have to be included.
+
+ In the case of an extended functional component, the PP/ST
+ author also has to include any applicable audit and
+ associated operations information in the definition of
+ that component, similar to existing CC Part 2
+ components. In the case of an extended assurance
+ component, the PP/ST author also has to provide suitable
+ evaluation methodology for the component, similar to the
+ methodology provided in the CEM.
+ Extended components may be placed in existing families, in
+ which case the PP/ST writer has to show how these families
+ change. If they do not fit into an existing family, they
+ shall be placed in a new family. New families have to be
+ defined similarly to the CC.
+ New families may be placed in existing classes in which
+ case the PP/ST writer has to show how these classes
+ change. If they do not fit into an existing class, they
+ shall be placed in a new class. New classes have to be
+ defined similarly to the CC.
+ A PP is intended to be used as a ``template'' for an ST. That
+ is: the PP describes a set of user needs, while an ST that
+ conforms to that PP describes a TOE that satisfies those
+ needs.
+ Note that it is also possible for a PP to be used as a
+ template for another PP. That is PPs can claim conformance to
+ other PPs. This case is completely similar to that of an ST
+ vs. a PP. For clarity this Annex describes only the ST/PP
+ case, but it holds also for the PP/PP case.
+ The CC does not allow any form of partial conformance, so if a
+ PP is claimed, the PP or ST must fully conform to the
+ referenced PP or PPs. There are however two types of
+ conformance (``strict'' and demonstrable'') and the type of
+ conformance allowed is determined by the PP. That is, the PP
+ states (in the PP conformance statement, see subclause ) what the allowed types of conformance for the ST
+ are. This distinction between strict and demonstrable
+ conformance is applicable to each PP to which an ST may claim
+ conformance on an individual basis. This may mean that the ST
+ conforms strictly to some PPs and demonstrably to other
+ PPs. An ST is only allowed to conform to a PP in a
+ demonstrable manner, if the PP explicitly allows this, whereas
+ an ST can always conform with strict conformance to any PP.
+ Restating this in other words, an ST is only allowed to
+ conform to a PP in a demonstrable manner, if the PP explicitly
+ allows this.
+ Conformance to a PP means that the PP or ST (and if an ST is
+ of an evaluated product, the product as well) meets all
+ requirements of that PP.
+ Published PPs will normally require demonstrable
+ conformance. This means that STs claiming conformance with the
+ PP must offer a solution to the generic security problem
+ described in the PP, but can do so in any way that is
+ equivalent or more restrictive to that described in the
+ PP. ``Equivalent but more restrictive'' is defined at length
+ within the CC, but in principle it means that the PP
+ and ST may contain entirely different statements that discuss
+ different entities, use different concepts etc., provided that
+ overall the ST levies the same or more restrictions on the
+ TOE, and the same or less restrictions on the operational
+ environment of the TOE.
+ Strict conformance is oriented to the PP-author who requires
+ evidence that the requirements in the PP are met, that the ST
+ is an instantiation of the PP, though the ST could be broader
+ than the PP. In essence, the ST specifies that the TOE does at
+ least the same as in the PP, while the operational environment
+ does at most the same as in the PP.
+ A typical example of the use of strict conformance is in
+ selection based purchasing where a product's security
+ requirements are expected to exactly match those specified in
+ the PP.
+ An ST instantiating strict conformance to a PP can still
+ introduce additional restrictions to those given in the PP.
+ Demonstrable conformance is orientated to the PP-author who
+ requires evidence that the ST is a suitable solution to the
+ generic security problem described in the PP.
+ Where there is a clear subset-superset type relation between
+ PP and ST in the case of strict conformance, the relation is
+ less clear-cut in the case of demonstrable conformance. STs
+ claiming conformance with the PP must offer a solution to the
+ generic security problem described in the PP. but can do so in
+ any way that is equivalent or more restrictive to that
+ described in the PP.
+ This bibliography contains references to further material and
+ standards that the reader of the CC may find useful. For
+ undated references the reader is recommended to refer to the
+ latest edition of the referenced document.ISO/IEC 15292Information technology -- Security techniques --
+ Protection Profile registration proceduresISO/IEC 15443Information technology -- Security techniques
+ -- A framework for IT security assurance - all partsISO/IEC 15446Information technology -- Security techniques
+ -- Guide for the production of Protection Profiles and Security
+ TargetsISO/IEC 19790Information technology -- Security techniques
+ -- Security requirements for cryptographic modulesISO/IEC 19791Information technology -- Security techniques
+ -- Security assessment of operational systemsISO/IEC 27001Information technology -- Security techniques
+ -- Information security management systems -- RequirementsISO/IEC 27002Information technology -- Security techniques
+ -- Code of practice for information security managementIEEE Std 610.12-1990
+ Institute of Electrical and Electronics Engineers, Standard
+ Glossary of Software Engineering Terminology
+ CC portal
+ Common Criteria portal, February 2009. CCRA, www.commoncriteriaportal.org
+
+
+
+ Table describes the
+ relationship between PPs and the families and components of the
+ class.
+
+
+
+
+ Assurance
+ class
+ Assurance family
+ Assurance component
+
+
+ Low Assurance PP
+ PP
+
+
+
+
+ Protection Profile evaluation
+
+ 1
+ 1
+
+
+
+ 1
+ 1
+
+
+
+ 1
+ 1
+
+
+
+ 1
+ 2
+
+
+
+ 1
+ 2
+
+
+
+
+ 1
+
+
+
+ PP assurance level summary
+
+
+
+
+
+
+
+
+
+
+ The following Subclauses describe the constructs used in
+ representing the assurance classes, families, and
+ components.
+
+ Figure
+ illustrates the SARs defined in this CC Part 3. Note that the
+ most abstract collection of SARs is referred to as a
+ class. Each class contains assurance families, which then
+ contain assurance components, which in turn contain assurance
+ elements. Classes and families are used to provide a taxonomy
+ for classifying SARs, while components are used to specify
+ SARs in a PP/ST.
+
+
+ Figure
+ illustrates the assurance class structure.
+
+
+ Each assurance class is assigned a unique name. The name
+ indicates the topics covered by the assurance
+ class.
+
+ A unique short form of the assurance class name is also
+ provided. This is the primary means for referencing the
+ assurance class. The convention adopted is an ``A''
+ followed by two letters related to the class name.
+
+
+
+ Each assurance class has an introductory Subclause that
+ describes the composition of the class and contains
+ supportive text covering the intent of the class.
+
+
+
+ Each assurance class contains at least one assurance
+ family. The structure of the assurance families is
+ described in the following Subclause.
+
+
+
+
+
+ Figure
+ illustrates the assurance family structure.
+
+
+ Every assurance family is assigned a unique name. The name
+ provides descriptive information about the topics covered
+ by the assurance family. Each assurance family is placed
+ within the assurance class that contains other families
+ with the same intent.
+
+ A unique short form of the assurance family name is also
+ provided. This is the primary means used to reference the
+ assurance family. The convention adopted is that the short
+ form of the class name is used, followed by an underscore,
+ and then three letters related to the family name.
+
+
+
+ The objectives Subclause of the assurance family presents
+ the intent of the assurance family.
+
+ This Subclause describes the objectives, particularly
+ those related to the CC assurance paradigm, that the
+ family is intended to address. The description for the
+ assurance family is kept at a general level. Any specific
+ details required for objectives are incorporated in the
+ particular assurance component.
+
+
+
+ Each assurance family contains one or more assurance
+ components. This Subclause of the assurance family
+ describes the components available and explains the
+ distinctions between them. Its main purpose is to
+ differentiate between the assurance components once it has
+ been determined that the assurance family is a necessary
+ or useful part of the SARs for a PP/ST.
+
+ Assurance families containing more than one component are
+ levelled and rationale is provided as to how the
+ components are levelled. This rationale is in terms of
+ scope, depth, and/or rigour.
+
+
+
+ The application notes Subclause of the assurance family,
+ if present, contains additional information for the
+ assurance family. This information should be of particular
+ interest to users of the assurance family (e.g. PP and ST
+ authors, designers of TOEs, evaluators). The presentation
+ is informal and covers, for example, warnings about
+ limitations of use and areas where specific attention may
+ be required.
+
+
+
+ Each assurance family has at least one assurance
+ component. The structure of the assurance components is
+ provided in the following Subclause.
+
+
+
+
+ Figure illustrates the
+ assurance component structure.
+
+
+ The relationship between components within a family is
+ highlighted using a bolding convention. Those parts of the
+ requirements that are new, enhanced or modified beyond the
+ requirements of the previous component within a hierarchy
+ are bolded.
+
+
+ The component identification Subclause provides
+ descriptive information necessary to identify, categorise,
+ register, and reference a component.
+
+ Every assurance component is assigned a unique name. The
+ name provides descriptive information about the topics
+ covered by the assurance component. Each assurance
+ component is placed within the assurance family that
+ shares its security objective.
+
+ A unique short form of the assurance component name is
+ also provided. This is the primary means used to reference
+ the assurance component. The convention used is that the
+ short form of the family name is used, followed by a
+ period, and then a numeric character. The numeric
+ characters for the components within each family are
+ assigned sequentially, starting from 1.
+
+
+
+ The objectives Subclause of the assurance component, if
+ present, contains specific objectives for the particular
+ assurance component. For those assurance components that
+ have this Subclause, it presents the specific intent of
+ the component and a more detailed explanation of the
+ objectives.
+
+
+
+ The application notes Subclause of an assurance component,
+ if present, contains additional information to facilitate
+ the use of the component.
+
+
+
+ Dependencies among assurance components arise when a
+ component is not self-sufficient, and relies upon the
+ presence of another component.
+
+ Each assurance component provides a complete list of
+ dependencies to other assurance components. Some
+ components may list ``No dependencies'', to indicate that
+ no dependencies have been identified. The components
+ depended upon may have dependencies on other
+ components.
+
+ The dependency list identifies the minimum set of
+ assurance components which are relied upon. Components
+ which are hierarchical to a component in the dependency
+ list may also be used to satisfy the dependency.
+
+ In specific situations the indicated dependencies might
+ not be applicable. The PP/ST author, by providing
+ rationale for why a given dependency is not applicable,
+ may elect not to satisfy that dependency.
+
+
+
+ A set of assurance elements is provided for each assurance
+ component. An assurance element is a security requirement
+ which, if further divided, would not yield a meaningful
+ evaluation result. It is the smallest security requirement
+ recognised in the CC.
+
+ Each assurance element is identified as belonging to one
+ of the three sets of assurance elements:
+
+
+ Developer action elements: the activities that shall
+ be performed by the developer. This set of actions is
+ further qualified by evidential material referenced in
+ the following set of elements. Requirements for
+ developer actions are identified by appending the
+ letter ``D'' to the element number.
+
+
+ Content and presentation of evidence elements: the
+ evidence required, what the evidence shall
+ demonstrate, and what information the evidence shall
+ convey. Requirements for content and presentation of
+ evidence are identified by appending the letter ``C''
+ to the element number.
+
+
+ Evaluator action elements: the activities that shall
+ be performed by the evaluator. This set of actions
+ explicitly includes confirmation that the requirements
+ prescribed in the content and presentation of evidence
+ elements have been met. It also includes explicit
+ actions and analysis that shall be performed in
+ addition to that already performed by the
+ developer. Implicit evaluator actions are also to be
+ performed as a result of developer action elements
+ which are not covered by content and presentation of
+ evidence requirements. Requirements for evaluator
+ actions are identified by appending the letter ``E''
+ to the element number.
+
+
+
+ The developer actions and content and presentation of
+ evidence define the assurance requirements that are used
+ to represent a developer's responsibilities in
+ demonstrating assurance in the TOE meeting the SFRs of a
+ PP or ST.
+
+ The evaluator actions define the evaluator's
+ responsibilities in the two aspects of evaluation. The
+ first aspect is validation of the PP/ST, in accordance
+ with the classes and in Clauses and . The second
+ aspect is verification of the TOE's conformance with its
+ SFRs and SARs. By demonstrating that the PP/ST is valid
+ and that the requirements are met by the TOE, the
+ evaluator can provide a basis for confidence that the TOE
+ in its operational environment solves the defined security
+ problem.
+
+ The developer action elements, content and presentation of
+ evidence elements, and explicit evaluator action elements,
+ identify the evaluator effort that shall be expended in
+ verifying the security claims made in the ST of the
+ TOE.
+
+
+
+
+ Each element represents a requirement to be met. These
+ statements of requirements are intended to be clear,
+ concise, and unambiguous. Therefore, there are no compound
+ sentences: each separable requirement is stated as an
+ individual element.
+
+
+
+ This CC Part 3 contains classes of families and components
+ that are grouped on the basis of related assurance. At the
+ start of each class is a diagram that indicates the families
+ in the class and the components in each family.
+
+ + In Figure , + above, the class as shown contains a single family. The + family contains three components that are linearly + hierarchical (i.e. component 2 requires more than component + 1, in terms of specific actions, specific evidence, or + rigour of the actions or evidence). The assurance families + in this CC Part 3 are all linearly hierarchical, although + linearity is not a mandatory criterion for assurance + families that may be added in the future. + + + + + Figure illustrates + the EALs and associated structure defined in this CC Part + 3. Note that while the figure shows the contents of the + assurance components, it is intended that this information + would be included in an EAL by reference to the actual + components defined in the CC. +
+ + + Each EAL is assigned a unique name. The name provides + descriptive information about the intent of the EAL. + + A unique short form of the EAL name is also provided. This + is the primary means used to reference the EAL. + + + + The objectives Subclause of the EAL presents the intent of + the EAL. + + + The application notes Subclause of the EAL, if present, + contains information of particular interest to users of the + EAL (e.g. PP and ST authors, designers of TOEs targeting + this EAL, evaluators). The presentation is informal and + covers, for example, warnings about limitations of use and + areas where specific attention may be required. + A set of assurance components have been chosen for each + EAL. + A higher level of assurance than that provided by a given + EAL can be achieved by: + + including additional assurance components from other + assurance families; or + + replacing an assurance component with a higher level + assurance component from the same assurance family. + + + + Figure + illustrates the relationship between the SARs and the + assurance levels defined in the CC. While assurance + components further decompose into assurance elements, + assurance elements cannot be individually referenced by + assurance levels. Note that the arrow in the figure + represents a reference from an EAL to an assurance component + within the class where it is defined. +
+ + + + + The structure of the CAPs is similar to that of the EALs. The + main difference between these two types of package is the type + of TOE they apply to; the EALs applying to component TOEs and + the CAPs applying to composed TOEs. + + Figure illustrates + the CAPs and associated structure defined in this CC Part + 3. Note that while the figure shows the contents of the + assurance components, it is intended that this information + would be included in a CAP by reference to the actual + components defined in the CC. +
+ + + Each CAP is assigned a unique name. The name provides + descriptive information about the intent of the CAP. + + A unique short form of the CAP name is also provided. This + is the primary means used to reference the CAP. + + + + The objectives Subclause of the CAP presents the intent of + the CAP. + + + The application notes Subclause of the CAP, if present, + contains information of particular interest to users of the + CAP (e.g. PP and ST authors, integrators of composed TOEs + targeting this CAP, evaluators). The presentation is + informal and covers, for example, warnings about limitations + of use and areas where specific attention may be + required. + A set of assurance components have been chosen for each + CAP. + Some dependencies identify the activities performed during + the evaluation of the dependent component on which the + composed TOE activity relies. Where it is not explicitly + identified that the dependency is on a dependent component + activity, the dependency is to another evaluation activity + of the composed TOE. + A higher level of assurance than that provided by a given + CAP can be achieved by: + + including additional assurance components from other + assurance families; or + + replacing an assurance component with a higher level + assurance component from the same assurance family. + + The components included in the CAP + assurance packages should not be used as augmentations for + component TOE evaluations, as this would provide no + meaningful assurance for the component. + + + Figure + illustrates the relationship between the SARs and the + composed assurance packages defined in the CC. While + assurance components further decompose into assurance + elements, assurance elements cannot be individually + referenced by assurance packages. Note that the arrow in the + figure represents a reference from a CAP to an assurance + component within the class where it is defined. +
+ + + + + + + + This clause defines the content and presentation of the + functional requirements of the CC, and provides guidance on + the organisation of the requirements for new components to be + included in an ST. The functional requirements are expressed + in classes, families, and components. + + + + Figure illustrates the + functional class structure in diagrammatic form. Each + functional class includes a class name, class introduction, + and one or more functional families. + +
+ + + + The class name subclause provides information necessary to + identify and categorise a functional class. Every + functional class has a unique name. The categorical + information consists of a short name of three + characters. The short name of the class is used in the + specification of the short names of the families of that + class. + + + + The class introduction expresses the common intent or + approach of those families to satisfy security + objectives. The definition of functional classes does not + reflect any formal taxonomy in the specification of the + requirements. + + The class introduction provides a figure describing the + families in this class and the hierarchy of the components + in each family, as explained in subclause . + + + + + + Figure + illustrates the functional family structure in diagrammatic + form. + +
+ + + + The family name subclause provides categorical and + descriptive information necessary to identify and + categorise a functional family. Every functional family + has a unique name. The categorical information consists of + a short name of seven characters, with the first three + identical to the short name of the class followed by an + underscore and the short name of the family as follows + XXX_YYY. The unique short form of the family name provides + the principal reference name for the components. + + + + The family behaviour is the narrative description of the + functional family stating its security objective and a + general description of the functional requirements. These + are described in greater detail below: + + + The security objectives of the family + address a security problem that may be solved with the + help of a TOE that incorporates a component of this + family; + + + The description of the functional + requirements summarises all the requirements + that are included in the component(s). The description + is aimed at authors of PPs, STs and functional + packages who wish to assess whether the family is + relevant to their specific requirements. + + + + + + Functional families contain one or more components, any + one of which can be selected for inclusion in PPs, STs and + functional packages. The goal of this section is to + provide information to users in selecting an appropriate + functional component once the family has been identified + as being a necessary or useful part of their security + requirements. + + This section of the functional family description + describes the components available, and their + rationale. The exact details of the components are + contained within each component. + + The relationships between components within a functional + family may or may not be hierarchical. A component is + hierarchical to another if it offers more security. 
+ + As explained in the descriptions of the + families provide a graphical overview of the hierarchy of + the components in a family. + + + + + The management clauses contain information for + the PP/ST authors to consider as management activities for a + given component. The clauses reference components of the + management class (FMT), and provide guidance regarding potential + management activities that may be applied via operations to + those components. + + A PP/ST author may select the indicated management components or + may include other management requirements not listed to detail + management activities. As such the information should be + considered informative. + + + + + The audit requirements contain auditable + events for the PP/ST authors to select, if requirements + from the class , are included in the + PP/ST. These requirements include security relevant events + in terms of the various levels of detail supported by the + components of the family. For example, + an audit note might include actions that are in terms of: + Minimal - successful use of the security mechanism; Basic + - any use of the security mechanism as well as relevant + information regarding the security attributes involved; + Detailed - any configuration changes made to the + mechanism, including the actual configuration values + before and after the change. + + It should be observed that the categorisation of auditable + events is hierarchical. For example, when Basic Audit + Generation is desired, all auditable events identified as + being both Minimal and Basic should be included in the + PP/ST through the use of the appropriate assignment + operation, except when the higher level event simply + provides more detail than the lower level event. When + Detailed Audit Generation is desired, all identified + auditable events (Minimal, Basic and Detailed) should be + included in the PP/ST. + + In the class the rules governing the audit + are explained in more detail. 
+ + + + + + Figure illustrates the + functional component structure. + +
+ + + + The component identification subclause provides + descriptive information necessary to identify, categorise, + register and cross-reference a component. The following is + provided as part of every functional component: + + A unique name. The name reflects the + purpose of the component. + + A short name. A unique short form of the + functional component name. This short name serves as the + principal reference name for the categorisation, + registration and cross-referencing of the component. This + short name reflects the class and family to which the + component belongs and the component number within the + family. + + A hierarchical-to list. A list of other + components that this component is hierarchical to and for + which this component can be used to satisfy dependencies + to the listed components. + + + + + A set of elements is provided for each component. Each + element is individually defined and is self-contained. + + A functional element is a security functional requirement + that if further divided would not yield a meaningful + evaluation result. It is the smallest security functional + requirement identified and recognised in the CC. + + When building packages, PPs and/or STs, it is not + permitted to select only one or more elements from a + component. The complete set of elements of a component + must be selected for inclusion in a PP, ST or package. + + A unique short form of the functional element name is + provided. For example the requirement name FDP_IFF.4.2 + reads as follows: F - functional requirement, DP - class + ``User data protection'', _IFF - + family ``Information flow control + functions'', .4 - 4th component named + ``Partial elimination of illicit information + flows'', .2 - 2nd element of the component. + + + + + Dependencies among functional components arise when a + component is not self sufficient and relies upon the + functionality of, or interaction with, another component + for its own proper functioning. 
+ + Each functional component provides a complete list of + dependencies to other functional and assurance + components. Some components may list ``No + dependencies''. The components depended upon may in + turn have dependencies on other components. The list + provided in the components will be the direct + dependencies. That is only references to the functional + requirements that are required for this requirement to + perform its job properly. The indirect dependencies, that + is the dependencies that result from the depended upon + components can be found in + of this part of the CC. It is noted that in some cases the + dependency is optional in that a number of functional + requirements are provided, where each one of them would be + sufficient to satisfy the dependency (see for example + ). + + The dependency list identifies the minimum functional or + assurance components needed to satisfy the security + requirements associated with an identified + component. Components that are hierarchical to the + identified component may also be used to satisfy the + dependency. + + The dependencies indicated in CC Part 2 are + normative. They must be satisfied within a PP/ST. In + specific situations the indicated dependencies might not + be applicable. The PP/ST author, by providing the + rationale why it is not applicable, may leave the depended + upon component out of the package, PP or ST. + + + + + + + + + The grouping of the components in this part of the CC does not + reflect any formal taxonomy. + + This part of the CC contains classes of families and + components, which are rough groupings on the basis of related + function or purpose, presented in alphabetic order. At the + start of each class is an informative diagram that indicates + the taxonomy of each class, indicating the families in each + class and the components in each family. The diagram is a + useful indicator of the hierarchical relationship that may + exist between components. 
+ + In the description of the functional components, a section + identifies the dependencies between the component and any + other components. + + In each class a figure describing the family hierarchy similar + to Figure , is provided. In Figure + the first family, Family 1, + contains three hierarchical components, where component 2 and + component 3 can both be used to satisfy dependencies on + component 1. Component 3 is hierarchical to component 2 and + can also be used to satisfy dependencies on component 2. + +
+ + + In Family 2 there are three components not all of which are + hierarchical. Components 1 and 2 are hierarchical to no other + components. Component 3 is hierarchical to component 2, and + can be used to satisfy dependencies on component 2, but not to + satisfy dependencies on component 1. + + In Family 3, components 2, 3, and 4 are hierarchical to + component 1. Components 2 and 3 are both hierarchical to + component 1, but non-comparable. Component 4 is hierarchical + to both component 2 and component 3. + + These diagrams are meant to complement the text of the + families and make identification of the relationships + easier. They do not replace the ``Hierarchical + to:'' note in each component that is the mandatory + claim of hierarchy for each component. + + + The relationship between components within a family is + highlighted using a bolding + convention. This bolding convention calls for the bolding of + all new requirements. For hierarchical components, + requirements are bolded when they are + enhanced or modified beyond the requirements of the previous + component. In addition, any new or enhanced permitted + operations beyond the previous component are also + highlighted using bold type. + + + + + + This annex contains additional guidance for the families and + components defined in the elements of this CC Part 2, which + may be required by users, developers or evaluators to use the + components. To facilitate finding the appropriate information, + the presentation of the classes, families and components in + this annex is similar to the presentation within the elements. + + + + This clause defines the content and presentation of the notes + related to functional requirements of the CC. + + + + Figure below + illustrates the functional class structure in this annex. + +
+ + + + This is the unique name of the class defined within the + normative elements of this part of the CC. + + + + + The class introduction in this annex provides information + about the use of the families and components of the + class. This information is completed with the informative + diagram that describes the organisation of each class with + the families in each class and the hierarchical + relationship between components in each family. + + + + + + Figure illustrates + the functional family structure for application notes in + diagrammatic form. + +
+ + + + This is the unique name of the family defined within the + normative elements of this part of the CC. + + + + + The user notes contain additional information that is of + interest to potential users of the family, that is PP, ST + and functional package authors, and developers of TOEs + incorporating the functional components. The presentation + is informative, and might cover warnings about limitations + of use and areas where specific attention might be + required when using the components. + + + + + The evaluator notes contain any information that is of + interest to developers and evaluators of TOEs that claim + compliance with a component of the family. The + presentation is informative and can cover a variety of + areas where specific attention might be needed when + evaluating the TOE. This can include clarifications of + meaning and specification of the way to interpret + requirements, as well as caveats and warnings of specific + interest to evaluators. + + These User Notes and Evaluator Notes sections are not + mandatory and appear only if appropriate. + + + + + + Figure illustrates + the functional component structure for the application + notes. + +
+ + + + This is the unique name of the component defined within + the normative elements of this part of the CC. + + + + + Any specific information related to the component can be + found in this section. + + + The rationale contains the specifics + of the rationale that refine the general statements on + rationale for the specific level, and should only be + used if level specific amplification is required. + + + The application notes contain + additional refinement in terms of narrative + qualification as it pertains to a specific + component. This refinement can pertain to user notes, + and/or evaluator notes as described in Subclause . This refinement can be + used to explain the nature of the dependencies + (e.g. shared information, or shared operation). + + + + This section is not mandatory and appears only if + appropriate. + + + + + This portion of each component contains advice relating to + the permitted operations of the component. + + This section is not mandatory and appears only if + appropriate. + + + + + + The following dependency tables for functional components + show their direct, indirect and optional dependencies. Each + of the components that is a dependency of some functional + component is allocated a column. Each functional component is + allocated a row. The value in the table cell indicate whether + the column label component is directly required (indicated by + a cross ``X''), indirectly required (indicated by a + dash ``-''), or optionally required (indicated by a + ``o'') by the row label component. An example of a + component with optional dependencies is , which requires either + or to be present. So if is present, is not + necessary and vice versa. If no character is presented, the + component is not dependent upon another component. + + + + + + Security auditing involves recognising, recording, storing, + and analysing information related to security relevant + activities (i.e. activities controlled by the TSF). 
The + resulting audit records can be examined to determine which + security relevant activities took place and whom (which user) + is responsible for them. + + + + CC audit families allow PP/ST authors the ability to define + requirements for monitoring user activities and, in some + cases, detecting real, possible, or imminent violations of + the enforcement of the SFRs. The TOE's security audit functions are + defined to help monitor security-relevant events, and act as a + deterrent against security violations. The requirements of the + audit families refer to functions that include audit data + protection, record format, and event selection, as well as + analysis tools, violation alarms, and real-time analysis. The + audit trail should be presented in human-readable format + either directly (e.g. storing the audit trail in + human-readable format) or indirectly (e.g. using audit + reduction tools), or both. + + While developing the security audit requirements, the PP/ST + author should take note of the inter-relationships among the + audit families and components. The potential exists to specify + a set of audit requirements that comply with the + family/component dependencies lists, while at the same time + resulting in a deficient audit function (e.g. an audit + function that requires all security relevant events to be + audited but without the selectivity to control them on any + reasonable basis such as individual user or object). + + + The implementation of audit requirements for networks and + other large systems may differ significantly from those + needed for stand-alone systems. Larger, more complex and + active systems require more thought concerning which audit + data to collect and how this should be managed, due to + lowered feasibility of interpreting (or even storing) what + gets collected. 
The traditional notion of a time-ordered list + or ``trail'' of audited events may not + be applicable in a global asynchronous network with + arbitrarily many events occurring at once. + + Also, different hosts and servers on a distributed TOE may + have differing naming policies and values. Symbolic names + presentation for audit review may require a net-wide + convention to avoid redundancies and ``name + clashes.'' + + A multi-object audit repository, portions of which are + accessible by a potentially wide variety of authorised + users, may be required if audit repositories are to serve a + useful function in distributed systems. + + Finally, misuse of authority by authorised users should be + addressed by systematically avoiding local storage of audit + data pertaining to administrator actions. + + + + + + + This family defines the response to be taken in case of + detected events indicative of a potential security + violation. + + + + The Security audit automatic response family describes + requirements for the handling of audit events. The + requirement could include requirements for alarms or TSF + action (automatic response). For example, the TSF could + include the generation of real time alarms, termination of + the offending process, disabling of a service, or + disconnection or invalidation of a user account. + + An audit event is defined to be an ``potential + security violation'' if so indicated by the + components. + + + + + + + + + An action should be taken for follow up action in the + event of an alarm. This action can be to inform the + authorised user, to present the authorised user with a set + of possible containment actions, or to take corrective + actions. The timing of the actions should be carefully + considered by the PP/ST author. + + + + At , the TSF shall take actions in + case a potential security violation is detected. + + + the management (addition, removal, or modification) of + actions. 
+ + + Actions taken due to potential security violations. + + + The TSF shall take + + + list of actions + + + + the PP/ST author should specify the actions to be taken + in case of a potential security violation. An example of + such a list is: ``inform the authorised user, disable + the subject that created the potential security + violation.'' It can also specify that the action to be + taken can be specified by an authorised user. + + + upon detection of a potential security violation. + + + + + + + + This family defines requirements for recording the + occurrence of security relevant events that take place under + TSF control. This family identifies the level of auditing, + enumerates the types of events that shall be auditable by + the TSF, and identifies the minimum set of audit-related + information that should be provided within various audit + record types. + + + + The Security audit data generation family includes + requirements to specify the audit events that should be + generated by the TSF for security-relevant events. + + This family is presented in a manner that avoids a dependency + on all components requiring audit support. Each component has + an audit section developed in which the events to be audited + for that functional area are listed. When the PP/ST author + assembles the PP/ST, the items in the audit area are used to + complete the variable in this component. Thus, the + specification of what could be audited for a functional area + is localised in that functional area. + + The list of auditable events is entirely dependent on the + other functional families within the PP/ST. Each family + definition should therefore include a list of its + family-specific auditable events. Each auditable event in the + list of auditable events specified in the functional family + should correspond to one of the levels of audit event + generation specified in this family (i.e. minimal, basic, + detailed). 
This provides the PP/ST author with information + necessary to ensure that all appropriate auditable events are + specified in the PP/ST. The following example shows how + auditable events are to be specified in appropriate functional + families: + + ``The following actions should be auditable if is included in the PP/ST: + + + Minimal: Successful use of the user security attribute + administration functions; + + + Basic: All attempted uses of the user security attribute + administration functions; + + + Basic: Identification of which user security attributes + have been modified; + + + Detailed: With the exception of specific sensitive + attribute data items (e.g. passwords, cryptographic + keys), the new values of the attributes should be + captured.'' + + + + For each functional component that is chosen, the auditable + events that are indicated in that component, at and below the + level indicated in should be + auditable. If, for example, in the previous example ``Basic'' + would be selected in , the + auditable events mentioned in a), b) and c) should be + auditable. + + Observe that the categorisation of auditable events is + hierarchical. For example, when Basic Audit Generation is + desired, all auditable events identified as being either + Minimal or Basic, should also be included in the PP/ST + through the use of the appropriate assignment operation, + except when the higher level event simply provides more + detail than the lower level event. When Detailed Audit + Generation is desired, all identified auditable events + (Minimal, Basic, and Detailed) should be included in the + PP/ST. + + A PP/ST author may decide to include other auditable events + beyond those required for a given audit level. For example, + the PP/ST may claim only minimal audit capabilities while + including most of the basic capabilities because the few + excluded capabilities conflict with other PP/ST constraints + (e.g. because they require the collection of unavailable + data). 
+ + The functionality that creates the auditable event should be + specified in the PP or ST as a functional requirement. + + The following are examples of the types of the events that + should be defined as auditable within each PP/ST functional + component: + + + Introduction of objects within the control of the TSF into a + subject's address space; + + + Deletion of objects; + + + Distribution or revocation of access rights or + capabilities; + + + Changes to subject or object security attributes; + + + Policy checks performed by the TSF as a result of a + request by a subject; + + + The use of access rights to bypass a policy check; + + + Use of Identification and Authentication functions; + + + Actions taken by an operator, and/or authorised user + (e.g. suppression of a TSF protection mechanism as + human-readable labels); + + + Import/export of data from/to removable media + (e.g. printed output, tapes, diskettes). + + + + + + + + + + + This component defines requirements to identify the + auditable events for which audit records should be + generated, and the information to be provided in the audit + records. + + by itself might be used + when the SFRs do not require that individual user identities + be associated with audit events. This could be appropriate + when the PP/ST also contains privacy requirements. If the + user identity must be incorporated could be used in addition. + + If the subject is a user, the user identity may be recorded as + the subject identity. The identity of the user may not yet been + verified if has not been + applied. Therefore in the instance of an invalid login the + claimed user identity should be recorded. It should be + considered to indicate when a recorded identity has not been + authenticated. + + + + There is a dependency on . If correctness of time is not an issue for + this TOE, elimination of this dependency could be + justified. 
+ + + + defines the level of auditable + events, and specifies the list of data that shall be + recorded in each record. + + + The TSF shall be able to generate an audit record of the + following auditable events: + + + Start-up and shutdown of the audit functions; + + + All auditable events for the + + minimum + basic + detailed + not specified + + + the PP/ST author should select the level of + auditable events called out in the audit section of + other functional components included in the + PP/ST. This level is one of the following: + ``minimum'', ``basic'', ``detailed'' or ``not + specified''. + + + level of audit; and + + + + + other specifically defined auditable events + + + + the PP/ST author should assign a list of other + specifically defined auditable events to be included + in the list of auditable events. The assignment may + comprise none, or events that could be auditable + events of a functional requirement that are of a + higher audit level than requested in , as well as the + events generated through the use of a specified + Application Programming Interface (API). + + . + + + + + The TSF shall record within each audit record at least the + following information: + + + Date and time of the event, type of event, subject identity (if + applicable), and the outcome (success or failure) of the event; + and + + + For each audit event type, based on the auditable event + definitions of the functional components included in the + PP/ST, + + + other audit relevant information + + + + the PP/ST author should assign, for each auditable + events included in the PP/ST, either a list of other + audit relevant information to be included in audit + events records or none. + + . + + + + + + + + + + + + + This component addresses the requirement of accountability + of auditable events at the level of individual user + identity. This component should be used in addition to + . + + There is a potential conflict between the audit and privacy + requirements. 
For audit purposes it may be desirable to know + who performed an action. The user may want to keep his/her + actions to himself/herself and not be identified by other + persons (e.g. a site with job offers). Or it might be + required in the Organisational Security Policy that the + identity of the users must be protected. In those cases the + objectives for audit and privacy might contradict each + other. Therefore if this requirement is selected and privacy + is important, inclusion of the component user pseudonimity + might be considered. Requirements on determining the real + user name based on its pseudonym are specified in the + privacy class. + + If the identity of the user has not yet been verified through + authentication, in the instance of an invalid login the claimed + user identity should be recorded. It should be considered to + indicate when a recorded identity has not been authenticated. + + + + At , the TSF shall associate + auditable events to individual user identities. + + + For audit events resulting from actions of identified users, the + TSF shall be able to associate each auditable event with the + identity of the user that caused the event. + + + + + + + + This family defines requirements for automated means that + analyse system activity and audit data looking for possible or + real security violations. This analysis may work in support of + intrusion detection, or automatic response to a potential + security violation. + + The actions to be taken based on the detection can be + specified using the family as + desired. + + + + This family defines requirements for automated means that + analyse system activity and audit data looking for possible + or real security violations. This analysis may work in + support of intrusion detection, or automatic response to a + potential security violation. + + The action to be performed by the TSF on detection of a + potential violation is defined in components. 
+
+ For real-time analysis, audit data could be transformed into a
+ useful format for automated treatment, but into a different
+ useful format for delivery to authorised users for
+ review.
+
+
+
+
+
+
+
+
+ This component is used to specify the set of auditable
+ events whose occurrence or accumulated occurrence held to
+ indicate a potential violation of the enforcement of the
+ SFRs, and any rules to be used to perform the violation
+ analysis.
+
+
+
+ In , basic threshold
+ detection on the basis of a fixed rule set is
+ required.
+
+
+ maintenance of the rules by (adding, modifying, deletion)
+ of rules from the set of rules.
+
+
+ Enabling and disabling of any of the analysis mechanisms;
+
+
+ Automated responses performed by the tool.
+
+
+ The TSF shall be able to apply a set of rules in monitoring
+ the audited events and based upon these rules indicate a
+ potential violation of the enforcement of the SFRs.
+
+
+ The TSF shall enforce the following rules for monitoring
+ audited events:
+
+
+ Accumulation or combination of
+
+
+ subset of defined auditable events
+
+
+
+ the PP/ST author should identify the subset of
+ defined auditable events whose occurrence or
+ accumulated occurrence need to be detected as an
+ indication of a potential violation of the
+ enforcement of the SFRs.
+
+
+ known to indicate a potential security violation;
+
+
+
+
+ any other rules
+
+
+
+ the PP/ST author should specify any other rules that
+ the TSF should use in its analysis of the audit
+ trail. Those rules could include specific
+ requirements to express the needs for the events to
+ occur in a certain period of time (e.g. period of
+ the day, duration). If there are no additional
+ rules that the TSF should use in the analysis of the
+ audit trail, this assignment can be completed with
+ ``none''.
+
+ .
+
+
+
+
+
+
+
+
+
+
+
+
+ A profile is a structure that
+ characterises the behaviour of users and/or subjects; it
+ represents how the users/subjects interact with the TSF in
+ a variety of ways. Patterns of usage are established with
+ respect to the various types of activity the
+ users/subjects engage in (e.g. patterns in exceptions
+ raised, patterns in resource utilisation (when, which,
+ how), patterns in actions performed). The ways in which
+ the various types of activity are recorded in the profile
+ (e.g. resource measures, event counters, timers) are
+ referred to as profile metrics.
+
+ Each profile represents the expected patterns of usage
+ performed by members of the profile target
+ group. This pattern may be based on past use
+ (historical patterns) or on normal use for users of
+ similar target groups (expected behaviour). A profile
+ target group refers to one or more users who interact with
+ the TSF. The activity of each member of the profile group
+ is used by the analysis tool in establishing the usage
+ patterns represented in the profile. The following are
+ some examples of profile target groups:
+
+
+ Single user account: one profile per
+ user;
+
+
+ Group ID or Group Account: one profile
+ for all users who possess the same group ID or operate
+ using the same group account;
+
+
+ Operating Role: one profile for all users
+ sharing a given operating role;
+
+
+ System: one profile for all users of a
+ system.
+
+
+
+ Each member of a profile target group is assigned an
+ individual suspicion rating that
+ represents how closely that member's new
+ activity corresponds to the established patterns of usage
+ represented in the group profile.
+
+ The sophistication of the anomaly detection tool will
+ largely be determined by the number of target profile
+ groups required by the PP/ST and the complexity of the
+ required profile metrics.
+ + + The PP/ST author should enumerate specifically what activity + should be monitored and/or analysed by the TSF. The PP/ST + author should also identify specifically what information + pertaining to the activity is necessary to construct the + usage profiles. + + requires that the TSF + maintain profiles of system usage. The word maintain implies + that the anomaly detector is actively updating the usage + profile based on new activity performed by the profile + target members. It is important here that the metrics for + representing user activity are defined by the PP/ST + author. For example, there may be a thousand different + actions an individual may be capable of performing, but the + anomaly detector may choose to monitor a subset of that + activity. Anomalous activity gets integrated into the + profile just like non-anomalous activity (assuming the tool + is monitoring those actions). Things that may have appeared + anomalous four months ago, might over time become the norm + (and vice-versa) as the user's work duties change. The TSF + wouldn't be able to capture this notion if it filtered out + anomalous activity from the profile updating + algorithms. + + Administrative notification should be provided such that + the authorised user understands the significance of the + suspicion rating. + + The PP/ST author should define how to interpret suspicion + ratings and the conditions under which anomalous activity is + indicated to the + mechanism. + + + + In , the TSF maintains + individual profiles of system usage, where a profile + represents the historical patterns of usage performed by + members of the profile target group. A profile target group + refers to a group of one or more individuals (e.g. a single + user, users who share a group ID or group account, users who + operate under an assigned role, users of an entire system or + network node) who interact with the TSF. 
Each member of a + profile target group is assigned an individual suspicion + rating that represents how well that member's current + activity corresponds to the established patterns of usage + represented in the profile. This analysis can be performed + at runtime or during a post-collection batch-mode + analysis. + + + maintenance (deletion, modification, addition) of the + group of users in the profile target group. + + + + The TSF shall be able to maintain profiles of system usage, + where an individual profile represents the historical + patterns of usage performed by the member(s) of + + + the profile target group + + + + the PP/ST author should specify the profile target + group. A single PP/ST may include multiple profile + target groups. + + . + + + The TSF shall be able to maintain a suspicion rating + associated with each user whose activity is recorded in a + profile, where the suspicion rating represents the degree to + which the user's current activity is found + inconsistent with the established patterns of usage + represented in the profile. + + + The TSF shall be able to indicate a possible violation of + the enforcement of the SFRs when a user's suspicion rating exceeds + the following threshold conditions + + + conditions under which anomalous activity is reported by + the TSF + + + + the PP/ST author should specify conditions under which + anomalous activity is reported by the TSF. Conditions + may include the suspicion rating reaching a certain + value, or be based on the type of anomalous activity + observed. + + . + + + + + + + + In practice, it is at best rare when an analysis tool can + detect with certainty when a security violation is + imminent. However, there do exist some system events that + are so significant that they are always worthy of + independent review. Example of such events include the + deletion of a key TSF security data file (e.g. 
the + password file) or activity such as a remote user + attempting to gain administrative privilege. These events + are referred to as signature events in that their + occurrence in isolation from the rest of the system + activity are indicative of intrusive activity. + + The complexity of a given tool will depend greatly on the + assignments defined by the PP/ST author in identifying the + base set of signature events. + + The PP/ST author should enumerate specifically what events + should be monitored by the TSF in order to perform the + analysis. The PP/ST author should identify specifically + what information pertaining to the event is necessary to + determine if the event maps to a signature event. + + Administrative notification should be provided such that + the authorised user understands the significance of the + event and the appropriate possible responses. + + An effort was made in the specification of these + requirements to avoid a dependency on audit data as the + sole input for monitoring system activity. This was done + in recognition of the existence of previously developed + intrusion detection tools that do not perform their + analyses of system activity solely through the use of + audit data (examples of other input data include network + datagrams, resource/accounting data, or combinations of + various system data). + + The elements of do not + require that the TSF implementing the immediate attack + heuristics be the same TSF whose activity is being + monitored. Thus, one can develop an intrusion detection + component that operates independently of the system whose + system activity is being analysed. + + + + In , the TSF shall be able + to detect the occurrence of signature events that represent + a significant threat to enforcement of the SFRs. This search + for signature events may occur in real-time or during a + post-collection batch-mode analysis. + + + maintenance (deletion, modification, addition) of the subset + of system events. 
+ + + + The TSF shall be able to maintain an internal representation + of the following signature events + + + a subset of system events + + + + the PP/ST author should identify a base subset of system + events whose occurrence, in isolation from all other + system activity, may indicate a violation of the + enforcement of the SFRs. These include events that by + themselves indicate a clear violation to the enforcement + of the SFRs, or whose occurrence is so significant that + they warrant actions. + + + that may indicate a violation of the enforcement of the SFRs. + + + The TSF shall be able to compare the signature events + against the record of system activity discernible from an + examination of + + + the information to be used to determine system activity + + + + the PP/ST author should specify the information used to + determine system activity. This information is the input + data used by the analysis tool to determine the system + activity that has occurred on the TOE. This data may + include audit data, combinations of audit data with + other system data, or may consist of data other than the + audit data. The PP/ST author should define precisely + what system events and event attributes are being + monitored within the input data. + + . + + + The TSF shall be able to indicate a potential violation of the + enforcement of the SFRs when a system event is found to match + a signature event that indicates a potential violation of the + enforcement of the SFRs. + + + + + + + + In practice, it is at best rare when an analysis tool can + detect with certainty when a security violation is + imminent. However, there do exist some system events that + are so significant they are always worthy of independent + review. Example of such events include the deletion of a key + TSF security data file (e.g. the password file) or activity + such as a remote user attempting to gain administrative + privilege. 
These events are referred to as signature events + in that their occurrence in isolation from the rest of the + system activity are indicative of intrusive activity. Event + sequences are an ordered set of signature events that might + indicate intrusive activity. + + The complexity of a given tool will depend greatly on the + assignments defined by the PP/ST author in identifying the + base set of signature events and event sequences. + + The PP/ST author should enumerate specifically what events + should be monitored by the TSF in order to perform the + analysis. The PP/ST author should identify specifically + what information pertaining to the event is necessary to + determine if the event maps to a signature event. + + Administrative notification should be provided such that + the authorised user understands the significance of the + event and the appropriate possible responses. + + An effort was made in the specification of these + requirements to avoid a dependency on audit data as the + sole input for monitoring system activity. This was done + in recognition of the existence of previously developed + intrusion detection tools that do not perform their + analyses of system activity solely through the use of + audit data (examples of other input data include network + datagrams, resource/accounting data, or combinations of + various system data). Levelling, therefore, requires the + PP/ST author to specify the type of input data used to + monitor system activity. + + The elements of do not + require that the TSF implementing the complex attack + heuristics be the same TSF whose activity is being + monitored. Thus, one can develop an intrusion detection + component that operates independently of the system whose + system activity is being analysed. + + + + In , the TSF shall be able to + represent and detect multi-step intrusion scenarios. 
The + TSF is able to compare system events (possibly performed + by multiple individuals) against event sequences known to + represent entire intrusion scenarios. The TSF shall be + able to indicate when a signature event or event sequence + is found that indicates a potential violation of the + enforcement of the SFRs. + + + maintenance (deletion, modification, addition) of the subset + of system events; + + + maintenance (deletion, modification, addition) of the set of + sequence of system events. + + + + The TSF shall be able to maintain an internal representation + of the following event sequences of known intrusion + scenarios + + + list of sequences of system events whose occurrence are + representative of known penetration scenarios + + + + the PP/ST author should identify a base set of list of + sequences of system events whose occurrence are + representative of known penetration scenarios. These + event sequences represent known penetration + scenarios. Each event represented in the sequence should + map to a monitored system event, such that as the system + events are performed, they are bound (mapped) to the + known penetration event sequences. + + + and the following signature events + + + a subset of system events + + + + the PP/ST author should identify a base subset of + system events whose occurrence, in isolation from all + other system activity, may indicate a violation of the + enforcement of the SFRs. These include events that by themselves indicate + a clear violation to the SFRs, or whose occurrence is + so significant they warrant action. + + + that may indicate a potential + violation of the enforcement of the SFRs. + + + The TSF shall be able to compare the signature events and + event sequences against the record of system activity + discernible from an examination of + + + the information to be used to determine system activity + + + + the PP/ST author should specify the information used to + determine system activity. 
This information is the input + data used by the analysis tool to determine the system + activity that has occurred on the TOE. This data may + include audit data, combinations of audit data with + other system data, or may consist of data other than the + audit data. The PP/ST author should define precisely + what system events and event attributes are being + monitored within the input data. + + . + + + The TSF shall be able to indicate a potential violation of the + enforcement of the SFRs when system activity is found to match + a signature event or event sequence that indicates a potential + violation of the enforcement of the SFRs. + + + + + + + + This family defines the requirements for audit tools that + should be available to authorised users to assist in the + review of audit data. + + + + The Security audit review family defines requirements + related to review of the audit information. + + These functions should allow pre-storage or post-storage + audit selection that includes, for example, the ability to + selectively review: + + + the actions of one or more users (e.g. identification, + authentication, TOE entry, and access control actions); + + + the actions performed on a specific object or TOE + resource; + + + all of a specified set of audited exceptions; + or + + + actions associated with a specific SFR attribute. + + + + The distinction between audit reviews is based on + functionality. Audit review (only) encompasses the ability to + view audit data. Selectable review is more sophisticated, and + requires the ability to select subsets of audit data based on a + single criterion or multiple criteria with logical (i.e. and/or) + relations, and order the audit data before it is + reviewed. + + + + + + + + + This component will provide authorised users the + capability to obtain and interpret the information. In + case of human users this information needs to be in a + human understandable presentation. 
In case of external IT + entities the information needs to be unambiguously + represented in an electronic fashion. + + + + This component is used to specify that users and/or + authorised users can read the audit records. These audit + records will be provided in a manner appropriate to the + user. There are different types of users (human users, + machine users) that might have different needs. + + The content of the audit records that can be viewed can be + specified. + + + + , provides the capability to read + information from the audit records. + + + maintenance (deletion, modification, addition) of the group + of users with read access right to the audit records. + + + Reading of information from the audit records. + + + The TSF shall provide + + + authorised users + + + + the PP/ST author should specify the authorised users + that can use this capability. If appropriate the PP/ST + author may include security roles (see ). + + + with the capability to read + + + list of audit information + + + + the PP/ST author should specify the type of information + the specified user is permitted to obtain from the audit + records. Examples are ``all'', ``subject identity'', + ``all information belonging to audit records referencing + this user''. When employing the SFR, FAU_SAR.1, it is not + necessary to repeat, in full detail, the list of audit + information first specified in FAU_GEN.1. Use of terms + such as ``all'' or ``all audit information'' assist in + eliminating ambiguity and the further need for + comparative analysis between the two security + requirements. + + + from the audit records. + + + The TSF shall provide the audit records in a manner suitable + for the user to interpret the information. + + + + + + + + + + This component specifies that any users not identified in + will not be able to read + the audit records. + + + + , requires that there are + no other users except those that have been identified in + that can read the + information. 
+
+
+ Unsuccessful attempts to read information from the audit
+ records.
+
+
+ The TSF shall prohibit all users read access to the audit
+ records, except those users that have been granted explicit
+ read-access.
+
+
+
+
+
+
+
+
+
+ This component is used to specify that it should be
+ possible to perform selection of the audit data to be
+ reviewed. If based on multiple criteria, those criteria
+ should be related together with logical
+ (i.e. ``and'' or
+ ``or'') relations, and the tools
+ should provide the ability to manipulate audit data
+ (e.g. sort, filter).
+
+
+
+ , requires audit review
+ tools to select the audit data to be reviewed based on
+ criteria.
+
+
+ the parameters used for the viewing.
+
+
+ The TSF shall provide the ability to apply
+
+ methods of selection and/or ordering
+
+ the PP/ST author should specify whether capabilities to
+ select and/or order audit data is required from the
+ TSF.
+ of audit data based on
+
+ criteria with logical relations
+
+ the PP/ST author should assign the criteria, possibly
+ with logical relations, to be used to select the audit
+ data for review. The logical relations are intended to
+ specify whether the operation can be on an individual
+ attribute or a collection of attributes. An example of
+ this assignment could be: ``application, user account
+ and/or location''. In this case the operation could be
+ specified using any combination of the three attributes:
+ application, user account and location..
+
+
+
+
+
+
+
+ This family defines requirements to select the set of events to
+ be audited during TOE operation from the set of all auditable
+ events.
+
+
+
+ The Security audit event selection family provides
+ requirements related to the capabilities of identifying which
+ of the possible auditable events are to be audited. The
+ auditable events are defined in the family, but those events should be defined as
+ being selectable in this component to be audited.
+
+ This family ensures that it is possible to keep the audit
+ trail from becoming so large that it becomes useless, by
+ defining the appropriate granularity of the selected
+ security audit events.
+
+
+
+
+
+
+
+
+
+ This component defines the selection criteria used, and the
+ resulting audited subsets of the set of all auditable events,
+ based on user attributes, subject attributes, object attributes,
+ or event types.
+
+ The existence of individual user identities is not assumed
+ for this component. This allows for TOEs such as routers
+ that may not support the notion of users.
+
+ For a distributed environment, the host identity could be
+ used as a selection criteria for events to be audited.
+
+ The management function
+ will handle the rights of authorised users to query or
+ modify the selections.
+
+
+ , requires the ability to
+ select the set of events to be audited from the set of all
+ auditable events, identified in , based upon attributes to be specified by the
+ PP/ST author.
+
+
+ maintenance of the rights to view/modify the audit events.
+
+
+ All modifications to the audit configuration that occur
+ while the audit collection functions are operating.
+
+
+ The TSF shall be able to select the set of events to be audited from
+ the set of all auditable events based on the following
+ attributes:
+ object identityuser identitysubject identityhost identityevent type
+ the PP/ST author should select whether the
+ security attributes upon which audit selectivity
+ is based, is related to object identity, user
+ identity, subject identity, host identity, or event type.
+ list of additional attributes that audit selectivity is based upon
+
+ the PP/ST author should specify any additional
+ attributes upon which audit selectivity is based. If
+ there are no additional rules upon which audit
+ selectivity is based, this assignment can be
+ completed with ``none''.
+
+
+
+
+
+
+ This family defines the requirements for the TSF to be able
+ to create and maintain a secure audit trail. Stored audit
+ records refers to those records within the audit trail, and
+ not the audit records that have been retrieved (to temporary
+ storage) through selection.
+
+
+
+ The Security audit event storage family describes
+ requirements for storing audit data for later use, including
+ requirements controlling the loss of audit information due
+ to TOE failure, attack and/or exhaustion of storage
+ space.
+
+
+
+
+
+
+
+ In a distributed environment, as the location of the audit
+ trail is in the TSF, but not necessarily co-located with
+ the function generating the audit data, the PP/ST author
+ could request authentication of the originator of the
+ audit record, or non-repudiation of the origin of the
+ record prior storing this record in the audit trail.
+
+ The TSF will protect the stored audit records in the audit trail from unauthorised
+ deletion and modification. It is noted that in some TOEs the
+ auditor (role) might not be authorised to delete the audit
+ records for a certain period of time.
+
+
+
+ At , requirements are
+ placed on the audit trail. It will be protected from
+ unauthorised deletion and/or modification.
+
+
+ The TSF shall protect the stored audit records in the audit
+ trail from unauthorised deletion.
+
+
+ The TSF shall be able to preventdetect the PP/ST author should specify whether the TSF
+ shall prevent or only be able to detect modifications of the
+ stored audit records in the audit trail. Only one of these
+ options may be
+ chosen. unauthorised
+ modifications to the stored audit records in the audit trail.
+
+
+
+
+
+
+
+
+
+
+ This component allows the PP/ST author to specify to which
+ metrics the audit trail should conform.
+
+ In a distributed environment, as the location of the audit
+ trail is in the TSF, but not necessarily co-located with
+ the function generating the audit data, the PP/ST author
+ could request authentication of the originator of the
+ audit record, or non-repudiation of the origin of the
+ record prior storing this record in the audit trail.
+
+
+
+ , specifies the guarantees
+ that the TSF maintains over the audit data given the
+ occurrence of an undesired condition.
+
+
+ maintenance of the parameters that control the audit storage
+ capability.
+
+
+ The TSF shall protect the stored audit records in the audit trail from
+ unauthorised deletion.
+
+
+ The TSF shall be able to preventdetect the PP/ST author should specify whether the TSF
+ shall prevent or only be able to detect modifications of the
+ stored audit records in the audit trail. Only one of these
+ options may be
+ chosen. unauthorised
+ modifications to the stored audit records in the audit trail.
+
+
+ The TSF shall ensure that
+
+
+ metric for saving audit records
+
+
+
+ the PP/ST author should specify the metric that the TSF
+ must ensure with respect to the stored audit
+ records. This metric limits the data loss by enumerating
+ the number of records that must be kept, or the time
+ that records are guaranteed to be maintained. An example
+ of the metric could be ``100,000'' indicating that
+ 100,000 audit records can be stored.
+
+
+ stored audit records will be maintained when the
+ following conditions occur:
+
+ audit storage exhaustion
+ failure
+ attack
+
+
+ the PP/ST author should specify the condition under which the
+ TSF shall still be able to maintain a defined amount of audit
+ data. This condition can be any of the following: audit
+ storage exhaustion, failure, attack.
+
+
+
+
+
+
+
+
+
+
+
+ This component requires that actions will be taken when
+ the audit trail exceeds certain pre-defined limits.
+
+
+
+ , specifies actions to be taken if a
+ threshold on the audit trail is exceeded.
+
+
+ maintenance of the threshold;
+
+
+ maintenance (deletion, modification, addition) of actions to
+ be taken in case of imminent audit storage failure.
+
+
+ Actions taken due to exceeding of a threshold.
+
+
+ The TSF shall
+
+
+ actions to be taken in case
+ of possible audit storage failure
+
+
+
+ the PP/ST author should indicate the pre-defined
+ limit. If the management functions indicate that this
+ number might be changed by the authorised user, this
+ value is the default value. The PP/ST author might
+ choose to let the authorised user define this
+ limit. In that case the assignment can be for example
+ ``an authorised user set limit''.
+
+
+ if the audit trail exceeds
+
+
+ pre-defined limit
+
+
+
+ the PP/ST author should specify actions that should be
+ taken in case of imminent audit storage failure
+ indicated by exceeding the threshold. Actions might
+ include informing an authorised user.
+
+ .
+
+
+
+
+
+
+
+
+
+
+ This component specifies the behaviour of the TOE if the audit
+ trail is full: either audit records are ignored, or the TOE is
+ frozen such that no audited events can take place. The
+ requirement also states that no matter how the requirement is
+ instantiated, the authorised user with specific rights to this
+ effect, can continue to generate audited events (actions). The
+ reason is that otherwise the authorised user could not even
+ reset the TOE. Consideration should be given to the choice of
+ the action to be taken by the TSF in the case of audit storage
+ exhaustion, as ignoring events, which provides better
+ availability of the TOE, will also permit actions to be
+ performed without being recorded and without the user being
+ accountable.
+
+
+
+ , specifies actions in case the
+ audit trail is full.
+
+
+ maintenance (deletion, modification, addition) of actions to
+ be taken in case of audit storage failure.
+ + + Actions taken due to the audit storage failure. + + + The TSF shall + ``ignore audited + events''``prevent audited events, + except those taken by the authorised user with special + rights'' + ``overwrite the oldest stored audit + records'' + + the PP/ST author should select whether the TSF shall ignore + audited actions, or whether it should prevent audited + actions from happening, or whether the oldest audit records + should be overwritten when the TSF can no longer store audit + records. Only one of these options may be chosen. + and + + other actions to be taken in case of audit storage + failure + + the PP/ST author should specify other actions that should be + taken in case of audit storage failure, such as informing the + authorised user. If there is no other action to be taken in + case of audit storage failure, this assignment can be + completed with ``none''. + if the audit trail is full. + + + + + + + + This class provides two families specifically concerned with + assuring the identity of a party participating in a data + exchange. These families are related to assuring the identity + of the originator of transmitted information (proof of origin) + and assuring the identity of the recipient of transmitted + information (proof of receipt). These families ensure that an + originator cannot deny having sent the message, nor can the + recipient deny having received it. + + + + This class describes requirements specifically of interest for + TOEs that are used for the transport of information. Families + within this class deal with non-repudiation. + + In this class the concept of ``information'' is + used. This information should be interpreted as the object + being communicated, and could contain an electronic mail + message, a file, or a set of predefined attribute types. + + In the literature, the terms ``proof of receipt'' + and ``proof of origin'' are commonly used + terms. 
However it is recognised that the term + ``proof'' might be interpreted in a legal sense to + imply a form of mathematical rationale. The components in this + class interpret the de-facto use of the word + ``proof'' in the context of ``evidence'' + that the TSF demonstrates the non-repudiated transport of + types of information. + + + + + + Non-repudiation of origin ensures that the originator of + information cannot successfully deny having sent the + information. This family requires that the TSF provide a + method to ensure that a subject that receives information + during a data exchange is provided with evidence of the + origin of the information. This evidence can then be + verified by either this subject or other subjects. + + + + Non-repudiation of origin defines requirements to provide + evidence to users/subjects about the identity of the + originator of some information. The originator cannot + successfully deny having sent the information because + evidence of origin (e.g. digital signature) provides + evidence of the binding between the originator and the + information sent. The recipient or a third party can verify + the evidence of origin. This evidence should not be + forgeable. + + If the information or the associated attributes are altered + in any way, validation of the evidence of origin might + fail. Therefore a PP/ST author should consider including + integrity requirements such as in the + PP/ST. + + In non-repudiation there are several different roles + involved, each of which could be combined in one or more + subjects. The first role is a subject that requests evidence + of origin (only in ). The second role + is the recipient and/or other subjects to which the evidence + is provided (e.g. a notary). The third role is a subject + that requests verification of the evidence of origin, for + example, a recipient or a third party such as an arbiter. 
+
+ The PP/ST author must specify the conditions that must be
+ met to be able to verify the validity of the evidence. An
+ example of a condition which could be specified is where the
+ verification of evidence must occur within 24 hours. These
+ conditions, therefore, allow the tailoring of the
+ non-repudiation to legal requirements, such as being able to
+ provide evidence for several years.
+
+ In most cases, the identity of the recipient will be the
+ identity of the user who received the transmission. In some
+ instances, the PP/ST author does not want the user identity
+ to be exported. In that case the PP/ST author must consider
+ whether it is appropriate to include this class, or whether
+ the identity of the transport service provider or the
+ identity of the host should be used.
+
+ In addition to (or instead of) the user identity, a PP/ST
+ author might be more concerned about the time the
+ information was transmitted. For example, requests for
+ proposals must be transmitted before a certain date in order
+ to be considered. In such instances, these requirements can
+ be customised to provide a timestamp indication (time of
+ origin).
+
+
+
+
+
+
+
+
+ , requires the TSF to provide
+ subjects with the capability to request evidence of the
+ origin of information.
+
+
+ The management of changes to information types, fields,
+ originator attributes and recipients of evidence.
+
+
+ The identity of the user who requested that evidence of
+ origin would be generated.
+
+
+ The invocation of the non-repudiation service.
+
+
+ Identification of the information, the destination, and a
+ copy of the evidence provided.
+
+
+ The identity of the user who requested a verification of the
+ evidence.
+
+
+
+ The TSF shall be able to generate evidence of origin for
+ transmitted
+
+
+ list of information types
+
+
+
+ the PP/ST author should fill in the types of
+ information subject to the evidence of origin
+ function, for example, electronic mail messages.
+
+
+ at the request of the
+
+
+ originator
+
+
+ recipient
+
+
+
+
+ list of third parties
+
+
+
+ the PP/ST author, dependent on the selection, should specify the third
+ parties that can request evidence of origin. A third party could be an
+ arbiter, judge or legal body.
+
+
+
+
+
+ the PP/ST author should specify the user/subject who
+ can request evidence of origin.
+
+ .
+
+
+ The TSF shall be able to relate the
+
+
+ list of attributes
+
+
+
+ the PP/ST author should fill in the list of the
+ attributes that shall be linked to the information;
+ for example, originator identity, time of origin, and
+ location of origin.
+
+
+ of the originator of the information, and the
+
+ list of information fields
+
+
+ the PP/ST author should fill in the list of
+ information fields within the information over which
+ the attributes provide evidence of origin, such as the
+ body of a message.
+
+
+ of the information to which the evidence applies.
+
+
+ The TSF shall provide a capability to verify the evidence of
+ origin of information to
+
+
+ originator
+
+
+ recipient
+
+
+
+
+ list of third parties
+
+
+
+ the PP/ST author, dependent on the selection,
+ should specify the third parties that can verify
+ the evidence of origin.
+
+
+
+
+
+ the PP/ST author should specify the user/subject who
+ can verify the evidence of origin.
+
+
+ given
+
+
+ limitations on the evidence of origin
+
+
+
+ the PP/ST author should fill in the list of
+ limitations under which the evidence can be
+ verified. For example the evidence can only be
+ verified within a 24 hour time interval. An assignment
+ of ``immediate'' or
+ ``indefinite'' is acceptable.
+
+ .
+
+
+
+
+
+
+
+
+
+
+ , requires that the TSF always
+ generate evidence of origin for transmitted information.
+
+
+
+ The invocation of the non-repudiation service.
+
+
+ Identification of the information, the destination, and a
+ copy of the evidence provided.
+
+
+ The identity of the user who requested a verification of the
+ evidence.
+
+
+
+ The TSF shall enforce the generation of evidence of origin
+ for transmitted
+
+
+ list of information types
+
+
+
+ the PP/ST author should fill in the types of
+ information subject to the evidence of origin
+ function, for example, electronic mail messages.
+
+
+ at all times.
+
+
+ The TSF shall be able to relate the
+
+
+ list of attributes
+
+
+
+ the PP/ST author should fill in the list of the
+ attributes that shall be linked to the information;
+ for example, originator identity, time of origin, and
+ location of origin.
+
+
+ of the originator of the information, and the
+
+
+ list of information fields
+
+
+
+ the PP/ST author should fill in the list of
+ information fields within the information over which
+ the attributes provide evidence of origin, such as the
+ body of a message.
+
+
+ of the information to which the evidence applies.
+
+
+ The TSF shall provide a capability to verify the evidence of
+ origin of information to
+
+
+ originator
+
+
+ recipient
+
+
+
+
+ list of third parties
+
+
+
+ the PP/ST author, dependent on the selection,
+ should specify the third parties that can verify
+ the evidence of origin. A third party could be an
+ arbiter, judge or legal body.
+
+
+
+
+
+ the PP/ST author should specify the user/subject who
+ can verify the evidence of origin.
+
+
+ given
+
+
+ limitations on the evidence of origin
+
+
+
+ the PP/ST author should fill in the list of
+ limitations under which the evidence can be
+ verified. For example the evidence can only be
+ verified within a 24 hour time interval. An assignment
+ of ``immediate'' or
+ ``indefinite'' is acceptable.
+
+ .
+
+
+
+
+
+
+
+ Non-repudiation of receipt ensures that the recipient of
+ information cannot successfully deny receiving the
+ information. This family requires that the TSF provide a
+ method to ensure that a subject that transmits information
+ during a data exchange is provided with evidence of receipt
+ of the information. This evidence can then be verified by
+ either this subject or other subjects.
+
+
+
+ Non-repudiation of receipt defines requirements to provide
+ evidence to other users/subjects that the information was
+ received by the recipient. The recipient cannot successfully
+ deny having received the information because evidence of
+ receipt (e.g. digital signature) provides evidence of the
+ binding between the recipient attributes and the
+ information. The originator or a third party can verify the
+ evidence of receipt. This evidence should not be forgeable.
+
+ It should be noted that the provision of evidence that the
+ information was received does not necessarily imply that the
+ information was read or comprehended, but only delivered
+
+ If the information or the associated attributes are altered
+ in any way, validation of the evidence of receipt with
+ respect to the original information might fail. Therefore a
+ PP/ST author should consider including integrity
+ requirements such as in the PP/ST.
+
+ In non-repudiation, there are several different roles
+ involved, each of which could be combined in one or more
+ subjects. The first role is a subject that requests evidence
+ of receipt (only in ). The second role
+ is the recipient and/or other subjects to which the evidence
+ is provided, (e.g. a notary). The third role is a subject
+ that requests verification of the evidence of receipt, for
+ example, an originator or a third party such as an arbiter.
+
+ The PP/ST author must specify the conditions that must be
+ met to be able to verify the validity of the evidence. An
+ example of a condition which could be specified is where the
+ verification of evidence must occur within 24 hours. These
+ conditions, therefore, allow the tailoring of the
+ non-repudiation to legal requirements, such as being able to
+ provide evidence for several years.
+
+ In most cases, the identity of the recipient will be the
+ identity of the user who received the transmission. In some
+ instances, the PP/ST author does not want the user identity
+ to be exported. In that case, the PP/ST author must consider
+ whether it is appropriate to include this class, or whether
+ the identity of the transport service provider or the
+ identity of the host should be used.
+
+ In addition to (or instead of) the user identity, a PP/ST
+ author might be more concerned about the time the
+ information was received. For example, when an offer expires
+ at a certain date, orders must be received before a certain
+ date in order to be considered. In such instances, these
+ requirements can be customised to provide a timestamp
+ indication (time of receipt).
+
+
+
+
+
+
+
+
+ , requires the TSF to provide
+ subjects with a capability to request evidence of the
+ receipt of information.
+
+
+ The management of changes to information types, fields,
+ originator attributes and third parties recipients of
+ evidence.
+
+
+ The identity of the user who requested that evidence of
+ receipt would be generated.
+
+
+ The invocation of the non-repudiation service.
+
+
+ Identification of the information, the destination, and a
+ copy of the evidence provided.
+
+
+ The identity of the user who requested a verification of the
+ evidence.
+
+
+ The TSF shall be able to generate
+ evidence of receipt for received
+
+
+ list of information types
+
+
+
+ the PP/ST author should fill in the types of
+ information subject to the evidence of receipt
+ function, for example, electronic mail messages.
+
+
+ at the request of the
+
+
+ originator
+
+
+ recipient
+
+
+
+
+ list of third parties
+
+
+
+ the PP/ST author, dependent on the selection,
+ should specify the third parties that can request
+ evidence of receipt. A third party could be an
+ arbiter, judge or legal body.
+
+
+
+
+
+ the PP/ST author should specify the user/subject who
+ can request evidence of receipt.
+
+ .
+
+
+ The TSF shall be able to relate the
+
+ list of attributes
+
+
+ the PP/ST author should fill in the list of the
+ attributes that shall be linked to the information;
+ for example, recipient identity, time of receipt, and
+ location of receipt.
+
+
+ of the recipient of the information, and the
+
+
+ list of information fields
+
+
+
+ the PP/ST author should fill in the list of
+ information fields with the fields within the
+ information over which the attributes provide evidence
+ of receipt, such as the body a message.
+
+
+ of the information to which the evidence applies.
+
+
+ The TSF shall provide a capability to verify the evidence of
+ receipt of information to
+
+
+ originator
+
+
+ recipient
+
+
+
+
+ list of third parties
+
+
+
+ the PP/ST author, dependent on the selection,
+ should specify the third parties that can verify
+ the evidence of receipt.
+
+
+
+
+
+ the PP/ST author should specify the user/subjects who
+ can verify the evidence of receipt.
+
+
+ given
+
+
+ limitations on the evidence of receipt
+
+
+
+ the PP/ST author should fill in the list of
+ limitations under which the evidence can be
+ verified. For example the evidence can only be
+ verified within a 24 hour time interval. An assignment
+ of ``immediate'' or
+ ``indefinite'' is acceptable.
+
+ .
+
+
+
+
+
+
+
+
+
+
+ , requires that the TSF always
+ generate evidence of receipt for received information.
+
+
+
+ The invocation of the non-repudiation service.
+
+
+ Identification of the information, the destination, and a
+ copy of the evidence provided.
+
+
+ The identity of the user who requested a verification of the
+ evidence.
+
+
+
+ The TSF shall enforce the generation of evidence of receipt
+ for received
+
+ list of information types
+
+ the PP/ST author should fill in the types of
+ information subject to the evidence of receipt
+ function, for example electronic mail messages. at all times.
+
+
+ The TSF shall be able to relate the
+
+ list of attributes
+
+
+ the PP/ST author should fill in the list of the
+ attributes that shall be linked to the information;
+ for example, recipient identity, time of receipt, and
+ location of receipt.
+
+
+ of the recipient of the information, and the
+
+
+ list of information fields
+
+
+
+ the PP/ST author should fill in the list of
+ information fields with the fields within the
+ information over which the attributes provide evidence
+ of receipt, such as the body of a message.
+
+
+ of the information to which the evidence applies.
+
+
+ The TSF shall provide a capability to verify the evidence of
+ receipt of information to
+
+
+ originator
+
+
+ recipient
+
+
+
+
+ list of third parties
+
+
+
+ the PP/ST author, dependent on the selection,
+ should specify the third parties that can verify
+ the evidence of receipt. A third party could be an
+ arbiter, judge or legal body.
+
+
+
+
+
+ the PP/ST author should specify the user/subjects who
+ can verify the evidence of receipt.
+
+
+ given
+
+
+ limitations on the evidence of receipt
+
+
+
+ the PP/ST author should fill in the list of
+ limitations under which the evidence can be
+ verified. For example the evidence can only be
+ verified within a 24 hour time interval. An assignment
+ of ``immediate'' or
+ ``indefinite'' is acceptable.
+
+ .
+
+
+
+
+
+
+
+ The TSF may employ cryptographic functionality to help satisfy
+ several high-level security objectives. These include (but are
+ not limited to): identification and authentication,
+ non-repudiation, trusted path, trusted channel and data
+ separation. This class is used when the TOE implements
+ cryptographic functions, the implementation of which could be
+ in hardware, firmware and/or software.
+
+ The class is composed of two families: and . The family addresses the management aspects of
+ cryptographic keys, while the family is
+ concerned with the operational use of those cryptographic
+ keys.
+
+
+
+ The TSF may employ cryptographic functionality to help satisfy
+ several high-level security objectives. These include (but are
+ not limited to): identification and authentication,
+ non-repudiation, trusted path, trusted channel and data
+ separation. This class is used when the TOE implements
+ cryptographic functions, the implementation of which could be
+ in hardware, firmware and/or software.
+
+ The class is composed of two families: and . The family addresses the management aspects of
+ cryptographic keys, while the family is
+ concerned with the operational use of those cryptographic
+ keys.
+
+ For each cryptographic key generation method implemented by
+ the TOE, if any, the PP/ST author should select the component.
+
+ For each cryptographic key distribution method implemented by
+ the TOE, if any, the PP/ST author should select the component.
+
+ For each cryptographic key access method implemented by the
+ TOE, if any, the PP/ST author should select the component.
+
+ For each cryptographic key destruction method implemented by
+ the TOE, if any, the PP/ST author should select the component.
+
+ For each cryptographic operation (such as digital signature,
+ data encryption, key agreement, secure hash, etc.) performed
+ by the TOE, if any, the PP/ST author should select the component.
+
+ Cryptographic functionality may be used to meet objectives
+ specified in class , and in families , , ,
+ , , , to meet a variety of objectives. In the cases
+ where cryptographic functionality is used to meet objectives
+ for other classes, the individual functional components
+ specify the objectives that cryptographic functionality must
+ satisfy. The objectives in class should be
+ used when cryptographic functionality of the TOE is sought by
+ consumers.
+
+
+
+
+
+ Cryptographic keys must be managed throughout their life
+ cycle. This family is intended to support that lifecycle and
+ consequently defines requirements for the following
+ activities: cryptographic key generation, cryptographic key
+ distribution, cryptographic key access and cryptographic key
+ destruction. This family should be included whenever there
+ are functional requirements for the management of
+ cryptographic keys.
+
+
+
+ Cryptographic keys must be managed throughout their
+ lifetime. The typical events in the lifecycle of a
+ cryptographic key include (but are not limited to):
+ generation, distribution, entry, storage, access
+ (e.g. backup, escrow, archive, recovery) and destruction.
+
+ The inclusion of other stages is dependent on the key management
+ strategy being implemented, as the TOE need not be involved in
+ all of the key life-cycle (e.g. the TOE may only generate and
+ distribute cryptographic keys).
+
+ This family is intended to support the cryptographic key
+ lifecycle and consequently defines requirements for the
+ following activities: cryptographic key generation,
+ cryptographic key distribution, cryptographic key access and
+ cryptographic key destruction. This family should be
+ included whenever there are functional requirements for the
+ management of cryptographic keys.
+
+ If Security Audit Data Generation is
+ included in the PP/ST then, in the context of the events
+ being audited:
+
+
+ The object attributes may include the assigned user
+ for the cryptographic key, the user role, the
+ cryptographic operation that the cryptographic key is
+ to be used for, the cryptographic key identifier and
+ the cryptographic key validity period.
+
+
+ The object value may include the values of cryptographic
+ key(s) and parameters excluding any sensitive
+ information (such as secret or private cryptographic
+ keys).
+
+
+
+ Typically, random numbers are used to generate cryptographic
+ keys. If this is the case, then
+ should be used instead of the component .
+ In cases where random number generation is required for purposes other
+ than for the generation of cryptographic keys, the component
+ should be used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component requires the cryptographic key sizes and
+ method used to generate cryptographic keys to be
+ specified, this can be in accordance with an assigned
+ standard. It should be used to specify the cryptographic
+ key sizes and the method (e.g. algorithm) used to generate
+ the cryptographic keys. Only one instance of the component
+ is needed for the same method and multiple key sizes. The
+ key size could be common or different for the various
+ entities, and could be either the input to or the output
+ from the method.
+
+
+
+ , requires cryptographic keys to be
+ generated in accordance with a specified algorithm and key
+ sizes which can be based on an assigned standard.
+
+
+
+ Success and failure of the activity.
+
+
+ The object attribute(s), and object value(s) excluding any
+ sensitive information (e.g. secret or private keys).
+
+
+ The TSF shall generate cryptographic keys in accordance with
+ a specified cryptographic key generation algorithm
+
+
+ cryptographic key generation algorithm
+
+
+
+ the PP/ST author should specify the cryptographic key
+ generation algorithm to be used.
+
+
+ and specified cryptographic key sizes
+
+
+ cryptographic key sizes
+
+
+
+ the PP/ST author should specify the cryptographic key
+ sizes to be used. The key sizes specified should be
+ appropriate for the algorithm and its intended use.
+
+
+ that meet the following:
+
+
+ list of standards
+
+
+
+ the PP/ST author should specify the assigned standard
+ that documents the method used to generate
+ cryptographic keys. The assigned standard may comprise
+ none, one or more actual standards publications, for
+ example, from international, national, industry or
+ organisational standards.
+
+ .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component requires the method used to distribute
+ cryptographic keys to be specified, this can be in
+ accordance with an assigned standard.
+
+
+
+ , requires cryptographic keys to be
+ distributed in accordance with a specified distribution
+ method which can be based on an assigned standard.
+
+
+
+
+
+ The TSF shall distribute cryptographic keys in accordance
+ with a specified cryptographic key distribution method
+
+
+ cryptographic key distribution method
+
+
+
+ the PP/ST author should specify the cryptographic key
+ distribution method to be used.
+
+
+ that meets the following:
+
+
+ list of standards
+
+
+
+ the PP/ST author should specify the assigned standard
+ that documents the method used to distribute
+ cryptographic keys. The assigned standard may comprise
+ none, one or more actual standards publications, for
+ example, from international, national, industry or
+ organisational standards.
+
+ .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component requires the method used to access
+ cryptographic keys be specified, this can be in accordance
+ with an assigned standard.
+
+
+
+ , requires access to cryptographic
+ keys to be performed in accordance with a specified access
+ method which can be based on an assigned standard.
+
+
+
+
+
+ The TSF shall perform
+
+
+ type of cryptographic key access
+
+
+
+ the PP/ST author should specify the type of
+ cryptographic key access being used. Examples of types
+ of cryptographic key access include (but are not
+ limited to) cryptographic key backup, cryptographic
+ key archival, cryptographic key escrow and
+ cryptographic key recovery.
+
+
+ in accordance with a specified cryptographic key access
+ method
+
+
+ cryptographic key access method
+
+
+
+ the PP/ST author should specify the cryptographic key
+ access method to be used.
+
+
+ that meets the following:
+
+
+ list of standards
+
+
+
+ the PP/ST author should specify the assigned standard
+ that documents the method used to access cryptographic
+ keys. The assigned standard may comprise none, one or
+ more actual standards publications, for example, from
+ international, national, industry or organisational
+ standards.
+
+ .
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component requires the method used to destroy
+ cryptographic keys be specified, this can be in accordance
+ with an assigned standard.
+
+
+
+ , requires cryptographic keys to be
+ destroyed in accordance with a specified destruction
+ method which can be based on an assigned standard.
+
+
+
+
+
+ The TSF shall destroy cryptographic keys in accordance with
+ a specified cryptographic key destruction method
+
+
+ cryptographic key destruction method
+
+
+
+ the PP/ST author should specify the key destruction
+ method to be used to destroy cryptographic keys.
+
+
+ that meets the following:
+
+
+ list of standards
+
+
+
+ the PP/ST author should specify the assigned standard
+ that documents the method used to destroy
+ cryptographic keys. The assigned standard may comprise
+ none, one or more actual standards publications, for
+ example, from international, national, industry or
+ organisational standards.
+
+ .
+
+
+
+
+
+
+
+ In order for a cryptographic operation to function
+ correctly, the operation must be performed in accordance
+ with a specified algorithm and with a cryptographic key of a
+ specified size. This family should be included whenever
+ there are requirements for cryptographic operations to be
+ performed.
+
+ Typical cryptographic operations include data encryption
+ and/or decryption, digital signature generation and/or
+ verification, cryptographic checksum generation for
+ integrity and/or verification of checksum, secure hash
+ (message digest), cryptographic key encryption and/or
+ decryption, and cryptographic key agreement.
+
+
+
+ A cryptographic operation may have cryptographic mode(s) of
+ operation associated with it. If this is the case, then the
+ cryptographic mode(s) must be specified. Examples of
+ cryptographic modes of operation are cipher block chaining,
+ output feedback mode, electronic code book mode, and cipher
+ feedback mode.
+
+ Cryptographic operations may be used to support one or more
+ TOE security services. The component
+ may need to be iterated more than once depending on:
+
+
+ the user application for which the security service is
+ being used.
+
+
+ the use of different cryptographic algorithms and/or
+ cryptographic key sizes.
+
+
+ the type or sensitivity of the data being operated on.
+
+
+
+ If Security audit data generation is
+ included in the PP/ST then, in the context of the
+ cryptographic operation events being audited:
+
+
+ The types of cryptographic operation may include digital
+ signature generation and/or verification, cryptographic
+ checksum generation for integrity and/or for
+ verification of checksum, secure hash (message digest)
+ computation, data encryption and/or decryption,
+ cryptographic key encryption and/or decryption,
+ cryptographic key agreement and random number
+ generation.
+
+
+ The subject attributes may include subject role(s) and
+ user(s) associated with the subject.
+
+
+ The object attributes may include the assigned user for
+ the cryptographic key, user role, cryptographic
+ operation the cryptographic key is to be used for,
+ cryptographic key identifier, and the cryptographic key
+ validity period.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component requires the cryptographic algorithm and
+ key size used to perform specified cryptographic
+ operation(s) which can be based on an assigned standard.
+
+
+
+ , requires a cryptographic operation
+ to be performed in accordance with a specified algorithm
+ and with a cryptographic key of specified sizes. The
+ specified algorithm and cryptographic key sizes can be
+ based on an assigned standard.
+
+
+ Success and failure, and the type of cryptographic
+ operation.
+
+
+ Any applicable cryptographic mode(s) of operation, subject
+ attributes and object attributes.
+
+
+ The TSF shall perform
+
+
+ list of cryptographic operations
+
+
+
+ the PP/ST author should specify the cryptographic
+ operations being performed. Typical cryptographic
+ operations include digital signature generation and/or
+ verification, cryptographic checksum generation for
+ integrity and/or for verification of checksum, secure
+ hash (message digest) computation, data encryption
+ and/or decryption, cryptographic key encryption and/or
+ decryption, cryptographic key agreement and random
+ number generation. The cryptographic operation may be
+ performed on user data or TSF data.
+
+
+ in accordance with a specified cryptographic algorithm
+
+
+ cryptographic algorithm
+
+
+
+ the PP/ST author should specify the cryptographic
+ algorithm to be used. Typical cryptographic algorithms
+ include, but are not limited to, DES, RSA and IDEA.
+
+
+ and cryptographic key sizes
+
+
+ cryptographic key sizes
+
+
+
+ the PP/ST author should specify the cryptographic key
+ sizes to be used. The key sizes specified should be
+ appropriate for the algorithm and its intended use.
+
+
+ that meet the following:
+
+
+ list of standards
+
+
+
+ the PP/ST author should specify the assigned standard
+ that documents how the identified cryptographic
+ operation(s) are performed. The assigned standard may
+ comprise none, one or more actual standards
+ publications, for example, from international,
+ national, industry or organisational standards.
+
+ .
+
+
+
+
+
+
+
+ This class contains families specifying requirements related
+ to protecting user data. is split
+ into four groups of families (listed below) that address user
+ data within a TOE, during import, export, and storage as well
+ as security attributes directly related to user data.
+
+ The families in this class are organised into four groups:
+
+
+ User data protection security function policies:
+
+
+ ; and
+
+
+ .
+
+
+
+ Components in these families permit the PP/ST author to
+ name the user data protection security function policies
+ and define the scope of control of the policy, necessary
+ to address the security objectives. The names of these
+ policies are meant to be used throughout the remainder
+ of the functional components that have an operation that
+ calls for an assignment or selection of an "access
+ control SFP" or an "information flow control
+ SFP". The rules that define the functionality of
+ the named access control and information flow control
+ SFPs will be defined in the and
+ families (respectively).
+
+
+ Forms of user data protection:
+
+
+ ;
+
+
+ ;
+
+
+ ;
+
+
+ ;
+
+
+ ; and
+
+
+ .
+
+
+
+
+ Off-line storage, import and export:
+
+
+ ;
+
+
+ ;
+
+
+ .
+
+
+
+ Components in these families address the trustworthy
+ transfer into or out of the TOE.
+
+
+ Inter-TSF communication:
+
+
+ ; and
+
+
+ .
+
+
+
+ Components in these families address communication
+ between the TSF of the TOE and another trusted IT
+ product.
+
+
+
+
+
+ This class contains families specifying requirements related
+ to protecting user data. This class differs from FIA and FPT
+ in that specifies components to
+ protect user data, FIA specifies components to protect
+ attributes associated with the user, and FPT specifies
+ components to protect TSF information.
+
+ The class does not contain explicit requirements for
+ traditional Mandatory Access Controls (MAC) or traditional
+ Discretionary Access Controls (DAC); however, such
+ requirements may be constructed using components from this
+ class.
+
+ does not explicitly deal with
+ confidentiality, integrity, or availability, as all three are
+ most often intertwined in the policy and mechanisms. However,
+ the TOE security policy must adequately cover these three
+ objectives in the PP/ST.
+
+ A final aspect of this class is that it specifies access
+ control in terms of ``operations''. An operation
+ is defined as a specific type of access on a specific
+ object. It depends on the level of abstraction of the PP/ST
+ author whether these operations are described as
+ ``read'' and/or ``write''
+ operations, or as more complex operations such as
+ ``update the database''.
+
+ The access control policies are policies that control access
+ to the information container. The attributes represent
+ attributes of the container. Once the information is out of
+ the container, the accessor is free to modify that
+ information, including writing the information into a
+ different container with different attributes. By contrast, an
+ information flow policies controls access to the information,
+ independent of the container. The attributes of the
+ information, which may be associated with the attributes of
+ the container (or may not, as in the case of a multi-level
+ database) stay with the information as it moves. The accessor
+ does not have the ability, in the absence of an explicit
+ authorisation, to change the attributes of the information.
+
+ This class is not meant to be a complete taxonomy of IT access
+ policies, as others can be imagined. Those policies included
+ here are simply those for which current experience with actual
+ systems provides a basis for specifying requirements. There
+ may be other forms of intent that are not captured in the
+ definitions here.
+
+ For example, one could imagine a goal of having user-imposed
+ (and user-defined) controls on information flow (e.g. an
+ automated implementation of the NO FOREIGN handling
+ caveat). Such concepts could be handled as refinements of, or
+ extensions to the components.
+
+ Finally, it is important when looking at the components in
+ to remember that these components are
+ requirements for functions that may be implemented by a
+ mechanism that also serves or could serve another purpose. For
+ example, it is possible to build an access control policy
+ () that uses labels () as the basis of the access control
+ mechanism.
+ + A set of SFRs may encompass many security function + policies (SFPs), each to be identified by the two policy + oriented components , and . These policies will typically take + confidentiality, integrity, and availability aspects into + consideration as required, to satisfy the TOE + requirements. Care should be taken to ensure that all objects + are covered by at least one SFP and that there are no + conflicts arising from implementing the multiple SFPs. + + When building a PP/ST using components from the class, the following information provides guidance + on where to look and what to select from the class. + + The requirements in the class are defined in + terms of a set of SFRs that will + implement a SFP. Since a TOE may implement multiple SFPs + simultaneously, the PP/ST author must specify the name for + each SFP, so it can be referenced in other families. This name + will then be used in each component selected to indicate that + it is being used as part of the definition of requirements for + that SFP. This allows the author to easily indicate the + scope for operations such as objects covered, operations + covered, authorised users, etc. + + Each instantiation of a component can apply to only one + SFP. Therefore if an SFP is specified in a component then + this SFP will apply to all the elements in this + component. The components may be instantiated multiple times + within a PP/ST to account for different policies if so + desired. + + The key to selecting components from this family is to have a + well defined set of TOE security objectives to enable proper + selection of the components from the two policy components; + and . In and respectively, all access control + policies and all information flow control policies are + named. Furthermore the scope of control of these components in + terms of the subjects, objects and operations covered by this + security functionality. 
The names of these policies are meant
+ to be used throughout the remainder of the functional
+ components that have an operation that calls for an assignment
+ or selection of an ``access control SFP'' or an ``information
+ flow control SFP''. The rules that define the functionality
+ of the named access control and information flow control SFPs
+ will be defined in the and
+ families
+ (respectively).
+
+ The following steps are guidance on how this class is applied
+ in the construction of a PP/ST:
+
+
+ Identify the policies to be enforced from the , and families. These
+ families define scope of control for the policy,
+ granularity of control and may identify some rules to go
+ with the policy.
+
+
+ Identify the components and perform any applicable operations
+ in the policy components. The assignment operations may be
+ performed generally (such as with a statement ``All
+ files'') or specifically (``The files
+ ``A'', ``B'', etc.) depending upon
+ the level of detail known.
+
+
+ Identify any applicable function components from the and families to address
+ the named policy families from and
+ . Perform the operations to make the
+ components define the rules to be enforced by the named
+ policies. This should make the components fit the
+ requirements of the selected function envisioned or to be
+ built.
+
+
+ Identify who will have the ability to control and change
+ security attributes under the function, such as only a
+ security administrator, only the owner of the object,
+ etc. Select the appropriate components from
+ and perform the operations. Refinements may be useful here
+ to identify missing features, such as that some or all
+ changes must be done via trusted path.
+
+
+ Identify any appropriate components from the for initial values for new objects and subjects.
+
+
+ Identify any applicable rollback components from the family.
+
+
+ Identify any applicable residual information protection
+ requirements from the family. 
+
+
+ Identify any applicable import or export components, and how
+ security attributes should be handled during import and
+ export, from the and families.
+
+
+ Identify any applicable internal TOE communication
+ components from the family.
+
+
+ Identify any requirements for integrity protection of stored
+ information from the .
+
+
+ Identify any applicable inter-TSF communication components
+ from the or
+ families.
+
+
+
+
+
+
+
+ This family identifies the access control SFPs (by name) and
+ defines the scope of control of the policies that form the
+ identified access control portion of the SFRs related to the
+ SFP. This scope of control is characterised by three sets: the
+ subjects under control of the policy, the objects under control
+ of the policy, and the operations among controlled subjects and
+ controlled objects that are covered by the policy. The criteria
+ allows multiple policies to exist, each having a unique name.
+ This is accomplished by iterating components from this family
+ once for each named access control policy. The rules that
+ define the functionality of an access control SFP will be
+ defined by other families such as and . The names
+ of the access control SFPs identified here in are meant to be used throughout the remainder of
+ the functional components that have an operation that calls for
+ an assignment or selection of an ``access control SFP.''
+
+
+
+ This family is based upon the concept of arbitrary controls
+ on the interaction of subjects and objects. The scope and
+ purpose of the controls is based upon the attributes of the
+ accessor (subject), the attributes of the container being
+ accessed (object), the actions (operations) and any
+ associated access control rules.
+
+ The components in this family are capable of identifying the
+ access control SFPs (by name) to be enforced by the traditional
+ Discretionary Access Control (DAC) mechanisms. 
It further
+ defines the subjects, objects and operations that are covered by
+ identified access control SFPs. The rules that define the
+ functionality of an access control SFP will be defined by other
+ families, such as and . The names of the access control SFPs
+ defined in are meant to be used
+ throughout the remainder of the functional components that have
+ an operation that calls for an assignment or selection of an
+ ``access control SFP.''
+
+ The access control SFP covers a set of triplets: subject,
+ object, and operations. Therefore a subject can be covered
+ by multiple access control SFPs but only with respect to a
+ different operation or a different object. Of course the
+ same applies to objects and operations.
+
+ A critical aspect of an access control function that
+ enforces an access control SFP is the ability for users to
+ modify the attributes involved in access control
+ decisions. The family does not address
+ these aspects. Some of these requirements are left
+ undefined, but can be added as refinements, while others are
+ covered elsewhere in other families and classes such as
+ .
+
+ There are no audit requirements in as
+ this family specifies access control SFP requirements. Audit
+ requirements will be found in families specifying functions
+ to satisfy the access control SFPs identified in this
+ family.
+
+ This family provides a PP/ST author the capability to
+ specify several policies, for example, a fixed access
+ control SFP to be applied to one scope of control, and a
+ flexible access control SFP to be defined for a different
+ scope of control. To specify more than one access control
+ policy, the components from this family can be iterated
+ multiple times in a PP/ST to different subsets of operations
+ and objects. This will accommodate TOEs that contain
+ multiple policies, each addressing a particular set of
+ operations and objects. 
In other words, the PP/ST author
+ should specify the required information in the ACC component
+ for each of the access control SFPs that the TSF will
+ enforce. For example, a TOE incorporating three access
+ control SFPs, each covering only a subset of the objects,
+ subjects, and operations within the TOE, will contain one
+ component for each of the three
+ access control SFPs, necessitating a total of three components.
+
+
+
+
+
+
+
+
+ The terms object and subject refer to generic elements in
+ the TOE. For a policy to be implementable, the entities
+ must be clearly identified. For a PP, the objects and
+ operations might be expressed as types such as: named
+ objects, data repositories, observe accesses, etc. For a
+ specific TOE these generic terms (subject, object) must be
+ refined, e.g. files, registers, ports, daemons, open
+ calls, etc.
+
+ This component specifies that the policy cover some
+ well-defined set of operations on some subset of the
+ objects. It places no constraints on any operations
+ outside the set - including operations on objects for
+ which other operations are controlled.
+
+
+
+ , requires that each identified
+ access control SFP be in place for a subset of the
+ possible operations on a subset of the objects in the TOE.
+
+
+ The TSF shall enforce the
+
+
+ access control SFP
+
+
+
+ the PP/ST author should specify a uniquely named
+ access control SFP to be enforced by the TSF.
+
+
+ on
+
+
+ list of subjects, objects, and operations among subjects
+ and objects covered by the SFP
+
+
+
+ the PP/ST author should specify the list of subjects,
+ objects, and operations among subjects and objects
+ covered by the SFP.
+
+ .
+
+
+
+
+
+
+
+
+
+
+ This component requires that all possible operations on
+ objects, that are included in the SFP, are covered by an
+ access control SFP.
+
+ The PP/ST author must demonstrate that each combination of
+ objects and subjects is covered by an access control SFP. 
+
+
+
+ , requires that each identified
+ access control SFP cover all operations on subjects and
+ objects covered by that SFP. It further requires that all
+ objects and operations protected by the TSF are covered by at
+ least one identified access control SFP.
+
+
+ The TSF shall enforce the
+
+
+ access control SFP
+
+
+
+ the PP/ST author should specify a uniquely named
+ access control SFP to be enforced by the TSF.
+
+
+ on
+
+
+ list of subjects and objects
+
+
+
+ the PP/ST author should specify the list of subjects
+ and objects covered by the SFP. All operations among
+ those subjects and objects will be covered by the SFP.
+
+
+ and all operations among subjects and objects covered by the
+ SFP.
+
+
+ The TSF shall ensure that all operations between any subject
+ controlled by the TSF and any object controlled by the TSF are covered by an
+ access control SFP.
+
+
+
+
+
+
+
+ This family describes the rules for the specific functions
+ that can implement an access control policy named in . specifies the scope of control of the
+ policy.
+
+
+
+ This family describes the rules for the specific functions
+ that can implement an access control policy named in which also specifies the scope of
+ control of the policy.
+
+ This family provides a PP/ST author the capability to
+ describe the rules for access control. This results in a
+ TOE where the access to objects will not change. An
+ example of such an object is ``Message of the Day'', which
+ is readable by all, and changeable only by the authorised
+ administrator. This family also provides the PP/ST author
+ with the ability to describe rules that provide for
+ exceptions to the general access control rules. Such
+ exceptions would either explicitly allow or deny
+ authorisation to access an object.
+
+ There are no explicit components to specify other possible
+ functions such as two-person control, sequence rules for
+ operations, or exclusion controls. 
However, these
+ mechanisms, as well as traditional DAC mechanisms, can be
+ represented with the existing components, by careful
+ drafting of the access control rules.
+
+ A variety of acceptable access control functionality may be
+ specified in this family such as:
+
+
+ Access control lists (ACLs)
+
+
+ Time-based access control specifications
+
+
+ Origin-based access control specifications
+
+
+ Owner-controlled access control attributes
+
+
+
+
+
+
+
+
+
+
+ This component provides requirements for a mechanism that
+ mediates access control based on security attributes
+ associated with subjects and objects. Each object and
+ subject has a set of associated attributes, such as
+ location, time of creation, access rights (e.g., Access
+ Control Lists (ACLs)). This component allows the PP/ST
+ author to specify the attributes that will be used for the
+ access control mediation. This component allows access
+ control rules, using these attributes, to be
+ specified.
+
+ Examples of the attributes that a PP/ST author might
+ assign are presented in the following paragraphs.
+
+ An identity attribute may be associated with users,
+ subjects, or objects to be used for mediation. Examples of
+ such attributes might be the name of the program image
+ used in the creation of the subject, or a security
+ attribute assigned to the program image.
+
+ A time attribute can be used to specify that access will
+ be authorised during certain times of the day, during
+ certain days of the week, or during a certain calendar
+ year.
+
+ A location attribute could specify whether the location is
+ the location of the request for the operation, the
+ location where the operation will be carried out, or
+ both. It could be based upon internal tables to translate
+ the logical interfaces of the TSF into locations such as
+ through terminal locations, CPU locations, etc. 
+
+ A grouping attribute allows a single group of users to be
+ associated with an operation for the purposes of access
+ control. If required, the refinement operation should be
+ used to specify the maximum number of definable groups,
+ the maximum membership of a group, and the maximum number
+ of groups to which a user can concurrently be
+ associated.
+
+ This component also provides requirements for the access
+ control security functions to be able to explicitly
+ authorise or deny access to an object based upon security
+ attributes. This could be used to provide privilege,
+ access rights, or access authorisations within the
+ TOE. Such privileges, rights, or authorisations could
+ apply to users, subjects (representing users or
+ applications), and objects.
+
+
+
+ This family addresses security attribute usage and
+ characteristics of policies. The component within this
+ family is meant to be used to describe the rules for the
+ function that implements the SFP as identified in . The PP/ST author may also
+ iterate this component to address multiple policies in the
+ TOE.
+
+ Security attribute
+ based access control allows the TSF to enforce access
+ based upon security attributes and named groups of
+ attributes. Furthermore, the TSF may have the ability to
+ explicitly authorise or deny access to an object based
+ upon security attributes.
+
+
+ Managing the attributes used to make explicit access or
+ denial based decisions.
+
+
+ Successful requests to perform an operation on an object
+ covered by the SFP.
+
+
+ All requests to perform an operation on an object covered by
+ the SFP.
+
+
+ The specific security attributes used in making an access
+ check.
+
+
+ The TSF shall enforce the
+
+ access control SFP
+
+ the PP/ST author should specify an access control SFP
+ name that the TSF is to enforce. The name of the access
+ control SFP, and the scope of control for that policy
+ are defined in components from . 
+ to objects based on the following:
+
+ list of subjects and objects controlled under the
+ indicated SFP, and for each, the SFP-relevant security
+ attributes, or named groups of SFP-relevant security
+ attributes
+
+ the PP/ST author should specify, for each controlled
+ subject and object, the security attributes and/or named
+ groups of security attributes that the function will use
+ in the specification of the rules. For example, such
+ attributes may be things such as the user identity,
+ subject identity, role, time of day, location, ACLs, or
+ any other attribute specified by the PP/ST author. Named
+ groups of security attributes can be specified to
+ provide a convenient means to refer to multiple security
+ attributes. Named groups could provide a useful way to
+ associate ``roles'' defined in , and
+ all of their relevant attributes, with subjects. In
+ other words, each role could relate to a named group of
+ attributes..
+
+
+ The TSF shall enforce the following rules to determine if an
+ operation among controlled subjects and controlled objects
+ is allowed:
+
+
+ rules governing access among controlled subjects and
+ controlled objects using controlled operations on
+ controlled objects
+
+
+
+ the PP/ST author should specify the SFP rules
+ governing access among controlled subjects and
+ controlled objects using controlled operations on
+ controlled objects. These rules specify when access
+ is granted or denied. It can specify general access
+ control functions (e.g. typical permission bits) or
+ granular access control functions (e.g. ACLs).
+
+ . 
+
+
+ The TSF shall explicitly authorise access of subjects to
+ objects based on the following additional rules:
+
+
+ rules, based on security attributes, that explicitly
+ authorise access of subjects to objects
+
+
+
+ the PP/ST author should specify the rules, based on
+ security attributes, that explicitly authorise access
+ of subjects to objects that will be used to explicitly
+ authorise access. These rules are in addition to those
+ specified in . They are
+ included in as they are
+ intended to contain exceptions to the rules in . An example of rules to explicitly
+ authorise access is based on a privilege vector
+ associated with a subject that always grants access to
+ objects covered by the access control SFP that has
+ been specified. If such a capability is not desired,
+ then the PP/ST author should specify
+ ``none''.
+
+ .
+
+
+ The TSF shall explicitly deny access of subjects to objects based on the
+ following additional rules:
+ rules, based on security attributes, that
+ explicitly deny access of subjects to objects the PP/ST author should specify the rules,
+ based on security attributes, that explicitly deny access of subjects
+ to objects. These rules are in addition to those specified in
+
+ . They are included in
+
+ as they are intended to contain exceptions to the rules in
+
+ . An example of rules to explicitly deny access is based on a privilege
+ vector associated with a subject
+ that always denies access to objects covered by the access control SFP
+ that has been specified. If such a capability is not desired, then the
+ PP/ST author should specify ``none''..
+
+
+
+
+
+
+
+ Data authentication permits an entity to accept
+ responsibility for the authenticity of information (e.g., by
+ digitally signing it). This family provides a method of
+ providing a guarantee of the validity of a specific unit of
+ data that can be subsequently used to verify that the
+ information content has not been forged or fraudulently
+ modified. 
In contrast to , this family is
+ intended to be applied to "static" data rather
+ than data that is being transferred.
+
+
+
+ This family describes specific functions that can be used to
+ authenticate ``static'' data.
+
+ Components in this family are to be used when there is a
+ requirement for ``static'' data
+ authentication, i.e. where data is to be signed but not
+ transmitted. (Note that the family
+ provides for non-repudiation of origin of information
+ received during a data exchange.)
+
+
+
+
+
+ This component may be satisfied by one-way hash functions
+ (cryptographic checksum, fingerprint, message digest), to
+ generate a hash value for a definitive document that may
+ be used as verification of the validity or authenticity of
+ its information content.
+
+
+
+ , requires that the TSF is capable
+ of generating a guarantee of authenticity of the
+ information content of objects (e.g. documents).
+
+
+ The assignment or modification of the objects for which data
+ authentication may apply could be configurable.
+
+
+ Successful generation of validity evidence.
+
+
+ Unsuccessful generation of validity evidence.
+
+
+ The identity of the subject that requested the evidence.
+
+
+ The TSF shall provide a capability to generate evidence that
+ can be used as a guarantee of the validity of
+
+
+ list of objects or information types
+
+
+
+ the PP/ST author should specify the list of objects or
+ information types for which the TSF shall be capable
+ of generating data authentication evidence.
+
+ .
+
+
+ The TSF shall provide
+
+
+ list of subjects
+
+
+
+ the PP/ST author should specify the list of subjects
+ that will have the ability to verify data
+ authentication evidence for the objects identified in
+ the previous element. The list of subjects could be
+ very specific, if the subjects are known, or it could
+ be more generic and refer to a
+ ``type'' of subject such
+ as an identified role. 
+
+
+ with the ability to verify evidence of the validity of the
+ indicated information.
+
+
+
+
+
+
+
+
+
+
+ This component additionally requires the ability to verify
+ the identity of the user that provided the guarantee of
+ authenticity (e.g. a trusted third party).
+
+
+
+ additionally requires that the TSF
+ is capable of establishing the identity of the subject who
+ provided the guarantee of authenticity.
+
+
+
+ Successful generation of validity evidence.
+
+
+ Unsuccessful generation of validity evidence.
+
+
+ The identity of the subject that requested the evidence.
+
+
+ The identity of the subject that generated the evidence.
+
+
+ The TSF shall provide a capability to generate evidence that
+ can be used as a guarantee of the validity of
+
+
+ list of objects or information types
+
+
+
+ the PP/ST author should specify the list of objects or
+ information types for which the TSF shall be capable
+ of generating data authentication evidence.
+
+ .
+
+
+ The TSF shall provide
+
+
+ list of subjects
+
+
+
+ the PP/ST author should specify the list of subjects
+ that will have the ability to verify data
+ authentication evidence for the objects identified in
+ the previous element as well as the identity of the
+ user that created the data authentication evidence.
+
+
+ with the ability to verify evidence of the validity of the
+ indicated information and the identity of the user that
+ generated the evidence.
+
+
+
+
+
+
+
+ This family defines functions for TSF-mediated exporting of user data from
+ the TOE such that its security attributes and protection
+ either can be explicitly preserved or can be ignored once it
+ has been exported. It is concerned with limitations on
+ export and with the association of security attributes with
+ the exported user data. 
+
+
+
+ This family defines functions for TSF-mediated exporting of user data from
+ the TOE such that its security attributes either can be
+ explicitly preserved or can be ignored once it has been
+ exported. Consistency of these security attributes are
+ addressed by .
+
+ is concerned with limitations on export
+ and association of security attributes with the exported
+ user data.
+
+ This family, and the corresponding Import family , address how the TOE deals with user data
+ transferred into and outside its control. In principle this
+ family is concerned with the TSF-mediated exporting of user data and its
+ related security attributes.
+
+ A variety of activities might be involved here:
+
+
+ exporting of user data without any security attributes;
+
+
+ exporting user data including security attributes where
+ the two are associated with one another and the security
+ attributes unambiguously represent the exported user
+ data.
+
+
+
+ If there are multiple SFPs (access control and/or
+ information flow control) then it may be appropriate to
+ iterate these components once for each named SFP.
+
+
+
+
+
+
+
+
+
+
+
+ This component is used to specify the TSF-mediated exporting of user data
+ without the export of its security attributes.
+
+
+
+ , requires that the TSF enforce the
+ appropriate SFPs when exporting user data outside the
+ TSF. User data that is exported by this function is
+ exported without its associated security attributes.
+
+
+ Successful export of information.
+
+
+ All attempts to export information.
+
+
+ The TSF shall enforce the
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) that
+ will be enforced when exporting user data. The user
+ data that this function exports is scoped by the
+ assignment of these SFPs.
+
+
+ when exporting user data, controlled under the SFP(s),
+ outside of the TOE. 
+
+
+ The TSF shall export the user data without the user
+ data's associated security attributes
+
+
+
+
+
+
+
+
+
+
+
+
+ The user data is exported together with its security
+ attributes. The security attributes are unambiguously
+ associated with the user data. There are several ways of
+ achieving this association. One way that this can be
+ achieved is by physically collocating the user data and
+ the security attributes (e.g. the same floppy), or by
+ using cryptographic techniques such as secure signatures
+ to associate the attributes and the user data. could be used to assure that the attributes
+ are correctly received at the other trusted IT product
+ while can be used to make sure that
+ those attributes are properly interpreted. Furthermore,
+ could be used to make sure that the
+ export is being initiated by the proper user.
+
+
+
+ , requires that the TSF enforce the
+ appropriate SFPs using a function that accurately and
+ unambiguously associates security attributes with the user
+ data that is exported.
+
+
+ The additional exportation control rules could be
+ configurable by a user in a defined role.
+
+
+
+
+ The TSF shall enforce the
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) that
+ will be enforced when exporting user data. The user
+ data that this function exports is scoped by the
+ assignment of these SFPs.
+
+
+ when exporting user data, controlled under the SFP(s),
+ outside of the TOE.
+
+
+ The TSF shall export the user data with the user
+ data's associated security attributes.
+
+
+ The TSF shall ensure that the security attributes, when
+ exported outside the TOE, are unambiguously associated with
+ the exported user data. 
+
+
+ The TSF shall enforce the following rules when user data is
+ exported from the TOE:
+
+
+ additional exportation control rules
+
+
+
+ the PP/ST author should specify any additional
+ exportation control rules or
+ ``none'' if there are no
+ additional exportation control rules. These rules will
+ be enforced by the TSF in addition to the access
+ control SFPs and/or information flow control SFPs
+ selected in .
+
+ .
+
+
+
+
+
+
+
+ This family identifies the information flow control SFPs (by
+ name) and defines the scope of control for each named
+ information flow control SFP. This scope of control is
+ characterised by three sets: the subjects under control of the
+ policy, the information under control of the policy, and
+ operations which cause controlled information to flow to and
+ from controlled subjects covered by the policy. The criteria
+ allows multiple policies to exist, each having a unique name.
+ This is accomplished by iterating components from this family
+ once for each named information flow control policy. The rules
+ that define the functionality of an information flow control SFP
+ will be defined by other families such as and . The names
+ of the information flow control SFPs identified here in are meant to be used throughout the
+ remainder of the functional components that have an operation
+ that calls for an assignment or selection of an ``information
+ flow control SFP.''
+
+ The TSF mechanism controls the flow of information in
+ accordance with the information flow control SFP. Operations
+ that would change the security attributes of information are
+ not generally permitted as this would be in violation of an
+ information flow control SFP. However, such operations may
+ be permitted as exceptions to the information flow control
+ SFP if explicitly specified.
+
+
+
+ This family covers the identification of information flow
+ control SFPs; and, for each, specifies the scope of control
+ of the SFP. 
+
+ The components in this family are capable of identifying the
+ information flow control SFPs to be enforced by the traditional
+ Mandatory Access Control mechanisms that would be found in a
+ TOE. However, they go beyond just the traditional MAC mechanisms
+ and can be used to identify and describe non-interference
+ policies and state-transitions. It further defines the subjects
+ under control of the policy, the information under control of
+ the policy, and operations which cause controlled information to
+ flow to and from controlled subjects for each information flow
+ control SFP in the TOE. The information flow control SFP will be
+ defined by other families such as and . The
+ information flow control SFPs named here in are meant to be used throughout the remainder of
+ the functional components that have an operation that calls for
+ an assignment or selection of an ``information flow control
+ SFP.''
+
+ These components are quite flexible. They allow the domain
+ of flow control to be specified and there is no requirement
+ that the mechanism be based upon labels. The different
+ elements of the information flow control components also
+ permit different degrees of exception to the policy.
+
+ Each SFP covers a set of triplets: subject, information, and
+ operations that cause information to flow to and from
+ subjects. Some information flow control policies may be at a
+ very low level of detail and explicitly describe subjects in
+ terms of processes within an operating system. Other
+ information flow control policies may be at a high level and
+ describe subjects in the generic sense of users or
+ input/output channels. If the information flow control
+ policy is at too high a level of detail, it may not clearly
+ define the desired IT security functions. In such cases, it
+ is more appropriate to include such descriptions of
+ information flow control policies as objectives. 
Then the
+ desired IT security functions can be specified as supportive
+ of those objectives.
+
+ In the second component (), each
+ information flow control SFP will cover all possible
+ operations that cause information covered by that SFP to
+ flow to and from subjects covered by that SFP. Furthermore,
+ all information flows will need to be covered by a
+ SFP. Therefore for each action that causes information to
+ flow, there will be a set of rules that define whether the
+ action is allowed. If there are multiple SFPs that are
+ applicable for a given information flow, all involved SFPs
+ must allow this flow before it is permitted to take place.
+
+ An information flow control SFP covers a well-defined set of
+ operations. The SFPs coverage may be
+ ``complete'' with respect to some
+ information flows, or it may address only some of the
+ operations that affect the information flow.
+
+ An access control SFP controls access to the objects that
+ contain information. An information flow control SFP
+ controls access to the information, independent of its
+ container. The attributes of the information, which may be
+ associated with the attributes of the container (or may not,
+ as in the case of a multi-level database) stay with the
+ information as it flows. The accessor does not have the
+ ability, in the absence of an explicit authorisation, to
+ change the attributes of the information.
+
+ Information flows and operations can be expressed at
+ multiple levels. In the case of a ST, the information flows
+ and operations might be specified at a system-specific
+ level: TCP/IP packets flowing through a firewall based upon
+ known IP addresses. For a PP, the information flows and
+ operations might be expressed as types: email, data
+ repositories, observe accesses, etc.
+
+ The components in this family can be applied multiple times
+ in a PP/ST to different subsets of operations and
+ objects. 
This will accommodate TOEs that contain multiple
+ policies, each addressing a particular set of objects,
+ subjects, and operations.
+
+
+
+
+
+
+
+
+ This component requires that an information flow control
+ policy apply to a subset of the possible operations in the
+ TOE.
+
+
+
+ , requires that each identified
+ information flow control SFPs be in place for a subset of
+ the possible operations on a subset of information flows
+ in the TOE.
+
+
+ The TSF shall enforce the
+
+
+ information flow control SFP
+
+
+
+ the PP/ST author should specify a uniquely named
+ information flow control SFP to be enforced by the
+ TSF.
+
+
+ on
+
+
+ list of subjects, information, and operations that cause
+ controlled information to flow to and from controlled
+ subjects covered by the SFP
+
+
+
+ the PP/ST author should specify the list of subjects,
+ information, and operations which cause controlled
+ information to flow to and from controlled subjects
+ covered by the SFP. As mentioned above, the list of
+ subjects could be at various levels of detail
+ depending on the needs of the PP/ST author. It could
+ specify users, machines, or processes for
+ example. Information could refer to data such as email
+ or network protocols, or more specific objects similar
+ to those specified under an access control policy. If
+ the information that is specified is contained within
+ an object that is subject to an access control policy,
+ then both the access control policy and information
+ flow control policy must be enforced before the
+ specified information could flow to or from the
+ object.
+
+ .
+
+
+
+
+
+
+
+
+
+
+ This component requires that all possible operations that
+ cause information to flow to and from subjects included in
+ the SFP, are covered by an information flow control SFP.
+
+ The PP/ST author must demonstrate that each combination of
+ information flows and subjects is covered by an
+ information flow control SFP. 
+
+
+
+ , requires that each identified
+ information flow control SFP cover all operations on
+ subjects and information covered by that SFP. It further
+ requires that all information flows and operations controlled
+ by the TSF are covered by at least one identified information
+ flow control SFP.
+
+
+ The TSF shall enforce the
+
+
+ information flow control SFP
+
+
+
+ the PP/ST author should specify a uniquely named
+ information flow control SFP to be enforced by the
+ TSF.
+
+
+ on
+
+
+ list of subjects and information
+
+
+
+ the PP/ST author should specify the list of subjects
+ and information that will be covered by the SFP. All
+ operations that cause that information to flow to and
+ from subjects will be covered by the SFP. As mentioned
+ above, the list of subjects could be at various levels
+ of detail depending on the needs of the PP/ST
+ author. It could specify users, machines, or processes
+ for example. Information could refer to data such as
+ email or network protocols, or more specific objects
+ similar to those specified under an access control
+ policy. If the information that is specified is
+ contained within an object that is subject to an
+ access control policy, then both the access control
+ policy and information flow control policy must be
+ enforced before the specified information could flow
+ to or from the object.
+
+
+ and all operations that cause that information to flow to
+ and from subjects covered by the SFP.
+
+
+ The TSF shall ensure that all operations that cause any
+ information in the TOE to flow to and from any subject in
+ the TOE are covered by an information flow control SFP.
+
+
+
+
+
+
+
+
+ This family describes the rules for the specific functions
+ that can implement the information flow control SFPs named
+ in , which also specifies the scope of
+ control of the policy.
It consists of two kinds of
+ requirements: one addressing the common information flow
+ function issues, and a second addressing illicit information
+ flows (i.e. covert channels). This division arises because
+ the issues concerning illicit information flows are, in some
+ sense, orthogonal to the rest of an information flow control
+ SFP. By their nature they circumvent the information flow
+ control SFP resulting in a violation of the policy. As such,
+ they require special functions to either limit or prevent
+ their occurrence.
+
+
+
+ This family describes the rules for the specific functions
+ that can implement the information flow control SFPs named
+ in , which also specifies the scope of
+ control of the policies. It consists of two
+ ``trees:'' one addressing the common
+ information flow control function issues, and a second
+ addressing illicit information flows (i.e. covert channels)
+ with respect to one or more information flow control
+ SFPs. This division arises because the issues concerning
+ illicit information flows are, in some sense, orthogonal to
+ the rest of an SFP. Illicit information flows are flows in
+ violation of policy; thus they are not a policy issue.
+
+ In order to implement strong protection against disclosure
+ or modification in the face of untrusted software, controls
+ on information flow are required. Access controls alone are
+ not sufficient because they only control access to
+ containers, allowing the information they contain to flow,
+ without controls, throughout a system.
+
+ In this family, the phrase ``types of illicit
+ information flows'' is used. This phrase may be
+ used to refer to the categorisation of flows as
+ ``Storage Channels'' or
+ ``Timing Channels'', or it can refer to
+ improved categorisations reflective of the needs of a PP/ST
+ author.
+
+ The flexibility of these components allows the definition of
+ a privilege policy within and to allow the controlled bypass of all or
+ part of a particular SFP. If there is a need for a
+ predefined approach to SFP bypass, the PP/ST author should
+ consider incorporating a privilege policy.
+
+
+
+
+
+
+
+
+
+ This component requires security attributes on
+ information, and on subjects that cause that information
+ to flow and subjects that act as recipients of that
+ information. The attributes of the containers of the
+ information should also be considered if it is desired
+ that they should play a part in information flow control
+ decisions or if they are covered by an access control
+ policy. This component specifies the key rules that are
+ enforced, and describes how security attributes are
+ derived.
+
+ This component does not specify the details of how a
+ security attribute is assigned (i.e. user versus
+ process). Flexibility in policy is provided by having
+ assignments that allow specification of additional policy
+ and function requirements, as necessary.
+
+ This component also provides requirements for the
+ information flow control functions to be able to
+ explicitly authorise and deny an information flow based
+ upon security attributes. This could be used to implement
+ a privilege policy that covers exceptions to the basic
+ policy defined in this component.
+
+
+
+ , requires security attributes on
+ information, and on subjects that cause that information
+ to flow and on subjects that act as recipients of that
+ information. It specifies the rules that must be enforced
+ by the function, and describes how security attributes are
+ derived by the function.
+
+
+ Managing the attributes used to make explicit access based
+ decisions.
+
+
+ Decisions to permit requested information flows.
+
+
+ All decisions on requests for information flow.
+
+
+ The specific security attributes used in making an
+ information flow enforcement decision.
+
+
+ Some specific subsets of the information that has flowed
+ based upon policy goals (e.g. auditing of downgraded
+ material).
+
+
+ The TSF shall enforce the
+
+
+ information flow control SFP
+
+
+
+ the PP/ST author should specify the information flow
+ control SFPs enforced by the TSF. The name of the
+ information flow control SFP, and the scope of control
+ for that policy are defined in components from
+ .
+
+
+ based on the following types of subject and
+ information security attributes:
+
+ list of subjects and information controlled under the
+ indicated SFP, and for each, the security attributes
+
+ the PP/ST author should specify, for each type of
+ controlled subject and information, the security
+ attributes that are relevant to the specification of the
+ SFP rules. For example, such security attributes may be
+ things such the subject identifier, subject sensitivity
+ label, subject clearance label, information sensitivity
+ label, etc. The types of security attributes should be
+ sufficient to support the environmental needs..
+
+
+ The TSF shall permit an information flow between a
+ controlled subject and controlled information via a
+ controlled operation if the following rules hold:
+
+
+ for each operation, the security attribute-based
+ relationship that must hold between subject and
+ information security attributes
+
+
+
+ the PP/ST author should specify for each operation,
+ the security attribute-based relationship that must
+ hold between subject and information security
+ attributes that the TSF will enforce.
+
+ .
+
+
+ The TSF shall enforce the
+
+
+ additional information flow control SFP rules
+
+
+ the PP/ST author should specify any additional information
+ flow control SFP rules that the TSF is to enforce.
This
+ includes all rules of the SFP that are either not based on the
+ security attributes of the information and the subject or
+ rules that automatically modify the security attributes of
+ information or subjects as a result of an access operation.
+ An example for the first case is a rule of the SFP controlling
+ a threshold value for specific types of information. This
+ would for example be the case when the information flow SFP
+ contains rules on access to statistical data where a subject
+ is only allowed to access this type of information up to a
+ specific number of accesses. An example for the second case
+ would be a rule stating under which conditions and how the
+ security attributes of a subject or object change as the
+ result of an access operation. Some information flow policies
+ for example may limit the number of access operations to
+ information with specific security attributes. If there are
+ no additional rules then the PP/ST author should specify
+ ``none''.
+ .
+
+
+
+ The TSF shall explicitly authorise an information flow based
+ on the following rules:
+
+
+ rules, based on security attributes, that explicitly
+ authorise information flows
+
+
+
+ the PP/ST author should specify the rules, based on
+ security attributes, that explicitly authorise
+ information flows. These rules are in addition to
+ those specified in the preceding elements. They are
+ included in as they are
+ intended to contain exceptions to the rules in the
+ preceding elements. An example of rules to explicitly
+ authorise information flows is based on a privilege
+ vector associated with a subject that always grants
+ the subject the ability to cause an information flow
+ for information that is covered by the SFP that has
+ been specified. If such a capability is not desired,
+ then the PP/ST author should specify
+ ``none''.
+
+ .
+
+
+ The TSF shall explicitly deny an information flow based on
+ the following rules:
+
+
+ rules, based on security attributes, that explicitly
+ deny information flows
+
+
+
+ the PP/ST author should specify the rules, based on security
+ attributes, that explicitly deny information flows. These rules
+ are in addition to those specified in the preceding
+ elements. They are included in as they
+ are intended to contain exceptions to the rules in the preceding
+ elements. An example of rules to explicitly deny information
+ flows is based on a privilege vector associated with a subject
+ that always denies the subject the ability to cause an
+ information flow for information that is covered by the SFP that
+ has been specified. If such a capability is not desired, then
+ the PP/ST author should specify ``none''.
+
+ .
+
+
+
+
+
+
+
+
+
+
+
+ This component requires that the named information flow control
+ SFP uses hierarchical security attributes that
+ form a lattice.
+
+ It is important to note that the hierarchical relationship
+ requirements identified in need
+ only apply to the information flow control security
+ attributes for the information flow control SFPs that have
+ been identified in . This
+ component is not meant to apply to other SFPs such as
+ access control SFPs.
+ phrases the requirements for the set of
+ security attributes to form a lattice. A number of information
+ flow policies defined in the literature and implemented in IT
+ products are based on a set of security attributes that form a
+ lattice. is specifically included to
+ address this type of information flow policies.
+
+ If it is the case that multiple information flow control
+ SFPs are to be specified, and that each of these SFPs will
+ have their own security attributes that are not related to
+ one another, then the PP/ST author should iterate this
+ component once for each of those SFPs.
Otherwise a
+ conflict might arise with the sub-items of since the required relationships will
+ not exist.
+
+
+ expands on the requirements
+ of by requiring that all
+ information flow control SFPs in the set of SFRs use
+ hierarchical security attributes that form a lattice (as defined
+ in mathematics). is derived from the
+ mathematical properties of a lattice. A lattice consists of a
+ set of elements with an ordering relationship with the property
+ defined in the first bullet, a least upper bound which is the
+ unique element in the set that is greater or equal (in the
+ ordering relationship) than any other element of the lattice,
+ and a greatest lower bound, which is the unique element in the set
+ that is smaller or equal than any other element of the lattice.
+
+
+
+
+
+
+ The TSF shall enforce the
+
+
+ information flow control SFP
+
+
+
+ the PP/ST author should specify the information flow
+ control SFPs enforced by the TSF. The name of the
+ information flow control SFP, and the scope of control
+ for that policy are defined in components from .
+
+
+ based on the following types of subject and
+ information security attributes:
+
+ list of subjects and information controlled under the
+ indicated SFP, and for each, the security attributes
+
+ the PP/ST author should specify, for each type of
+ controlled subject and information, the security
+ attributes that are relevant to the specification of the
+ SFP rules. For example, such security attributes may be
+ things such the subject identifier, subject sensitivity
+ label, subject clearance label, information sensitivity
+ label, etc. The types of security attributes should be
+ sufficient to support the environmental needs..
+
+
+ The TSF shall permit an information flow between a
+ controlled subject and controlled information via a
+ controlled operation if the following rules, based on the
+ ordering relationships between security attributes hold:
+
+
+ for each operation, the security attribute-based
+ relationship that must hold between subject and
+ information security attributes
+
+
+
+ the PP/ST author should specify for each operation,
+ the security attribute-based relationship that must
+ hold between subject and information security
+ attributes that the TSF will enforce. These
+ relationships should be based upon the ordering
+ relationships between the security attributes.
+
+ .
+
+
+ The TSF shall enforce the
+
+
+ additional information flow control SFP rules
+
+
+ the PP/ST author should specify any additional information
+ flow control SFP rules that the TSF is to enforce. This
+ includes all rules of the SFP that are either not based on the
+ security attributes of the information and the subject or
+ rules that automatically modify the security attributes of
+ information or subjects as a result of an access operation.
+ An example for the first case is a rule of the SFP controlling
+ a threshold value for specific types of information. This
+ would for example be the case when the information flow SFP
+ contains rules on access to statistical data where a subject
+ is only allowed to access this type of information up to a
+ specific number of accesses. An example for the second case
+ would be a rule stating under which conditions and how the
+ security attributes of a subject or object change as the
+ result of an access operation. Some information flow policies
+ for example may limit the number of access operations to
+ information with specific security attributes. If there are
+ no additional rules then the PP/ST author should specify
+ ``none''.
+ .
+
+
+
+ The TSF shall explicitly authorise an information flow based
+ on the following rules:
+
+
+ rules, based on security attributes, that explicitly
+ authorise information flows
+
+
+
+ the PP/ST author should specify the rules, based on
+ security attributes, that explicitly authorise
+ information flows. These rules are in addition to
+ those specified in the preceding elements. They are
+ included in as they are
+ intended to contain exceptions to the rules in the
+ preceding elements. An example of rules to explicitly
+ authorise information flows is based on a privilege
+ vector associated with a subject that always grants
+ the subject the ability to cause an information flow
+ for information that is covered by the SFP that has
+ been specified. If such a capability is not desired,
+ then the PP/ST author should specify
+ ``none''.
+
+ .
+
+
+ The TSF shall explicitly deny an information flow based on
+ the following rules:
+
+
+ rules, based on security attributes, that explicitly
+ deny information flows
+
+
+
+ the PP/ST author should specify the rules, based on security
+ attributes, that explicitly deny information flows. These rules
+ are in addition to those specified in the preceding
+ elements. They are included in as they are intended to contain exceptions to the
+ rules in the preceding elements. An example of rules to
+ explicitly deny information flows is based on a privilege vector
+ associated with a subject that always denies the subject the
+ ability to cause an information flow for information that is
+ covered by the SFP that has been specified. If such a capability
+ is not desired, then the PP/ST author should specify
+ ``none''.
+
+ .
+
+
+ The TSF shall enforce the following relationships for any
+ two valid information flow control security attributes:
+
+
+ There exists an ordering function that, given two valid
+ security attributes, determines if the security
+ attributes are equal, if one security attribute is
+ greater than the other, or if the security attributes
+ are incomparable; and
+
+
+ There exists a ``least upper bound''
+ in the set of security attributes, such that, given any
+ two valid security attributes, there is a valid security
+ attribute that is greater than or equal to the two valid
+ security attributes; and
+
+
+ There exists a ``greatest lower
+ bound'' in the set of security attributes,
+ such that, given any two valid security attributes,
+ there is a valid security attribute that is not greater
+ than the two valid security attributes.
+
+
+
+
+
+
+
+
+
+
+
+ This component should be used when at least one of the
+ SFPs that requires control of illicit information flows
+ does not require elimination of flows.
+
+ For the specified illicit information flows, certain
+ maximum capacities should be provided. In addition a PP/ST
+ author has the ability to specify whether the illicit
+ information flows must be audited.
+
+
+
+ , requires the SFP to cover illicit
+ information flows, but not necessarily eliminate them.
+
+
+ Decisions to permit requested information flows.
+
+
+ All decisions on requests for information flow.
+
+
+ The use of identified illicit information flow channels.
+
+
+ The specific security attributes used in making an
+ information flow enforcement decision.
+
+
+ Some specific subsets of the information that has flowed
+ based upon policy goals (e.g. auditing of downgraded
+ material).
+
+
+ The use of identified illicit information flow channels with
+ estimated maximum capacity exceeding a specified value.
+
+
+ The TSF shall enforce the
+
+
+ information flow control SFP
+
+
+
+ the PP/ST author should specify the information flow
+ control SFPs enforced by the TSF. The name of the
+ information flow control SFP, and the scope of control
+ for that policy are defined in components from .
+
+
+ to limit the capacity of
+
+
+ types of illicit information flows
+
+
+
+ the PP/ST author should specify the types of illicit
+ information flows that are subject to a maximum
+ capacity limitation.
+
+
+ to a
+
+
+ maximum capacity
+
+
+
+ the PP/ST author should specify the maximum capacity
+ permitted for any identified illicit information
+ flows.
+
+ .
+
+
+
+
+
+
+
+
+
+
+ This component should be used when all the SFPs that
+ requires control of illicit information flows require
+ elimination of some (but not necessarily all) illicit
+ information flows.
+
+
+
+ , requires the SFP to cover the
+ elimination of some (but not necessarily all) illicit
+ information flows.
+
+
+
+
+
+ The TSF shall enforce the
+
+
+ information flow control SFP
+
+
+
+ the PP/ST author should specify the information flow
+ control SFPs enforced by the TSF. The name of the
+ information flow control SFP, and the scope of control
+ for that policy are defined in components from
+ .
+
+
+ to limit the capacity of
+
+
+ types of illicit information flows
+
+
+
+ the PP/ST author should specify the types of illicit
+ information flows which are subject to a maximum
+ capacity limitation.
+
+
+ to a
+
+
+ maximum capacity
+
+
+
+ the PP/ST author should specify the maximum capacity
+ permitted for any identified illicit information
+ flows.
+
+ .
+
+
+ The TSF shall prevent
+
+
+ types of illicit information flows
+
+
+
+ the PP/ST author should specify the types of illicit
+ information flows to be eliminated. This list may not
+ be empty as this component requires that some illicit
+ information flows are to be eliminated.
+
+ .
+
+
+
+
+
+
+
+
+
+
+ This component should be used when the SFPs that require
+ control of illicit information flows require elimination
+ of all illicit information flows. However, the PP/ST
+ author should carefully consider the potential impact that
+ eliminating all illicit information flows might have on
+ the normal functional operation of the TOE. Many practical
+ applications have shown that there is an indirect
+ relationship between illicit information flows and normal
+ functionality within a TOE and eliminating all illicit
+ information flows may result in less than desired
+ functionality.
+
+
+
+ , requires SFP to cover the
+ elimination of all illicit information flows.
+
+
+
+
+
+ The TSF shall ensure that no illicit information flows exist
+ to circumvent
+
+
+ name of information flow control SFP
+
+
+
+ the PP/ST author should specify the information flow
+ control SFP for which illicit information flows are to
+ be eliminated. The name of the information flow
+ control SFP, and the scope of control for that policy
+ are defined in components from .
+
+ .
+
+
+
+
+
+
+
+
+
+ This component should be used when it is desired that the
+ TSF provide the ability to monitor the use of illicit
+ information flows that exceed a specified capacity. If it
+ is desired that such flows be audited, then this component
+ could serve as the source of audit events to be used by
+ components from the family.
+
+
+
+ , requires the SFP to monitor
+ illicit information flows for specified and maximum
+ capacities.
+
+
+ The enabling or disabling of the monitoring function.
+
+
+ Modification of the maximum capacity at which the monitoring
+ occurs.
+
+
+
+
+
+ The TSF shall enforce the
+
+
+ information flow control SFP
+
+
+
+ the PP/ST author should specify the information flow
+ control SFPs enforced by the TSF. The name of the
+ information flow control SFP, and the scope of control
+ for that policy are defined in components from
+ .
+
+
+ to monitor
+
+
+ types of illicit information flows
+
+
+
+ the PP/ST author should specify the types of illicit
+ information flows that will be monitored for exceeding
+ a maximum capacity.
+
+
+ when it exceeds the
+
+
+ maximum capacity
+
+
+
+ the PP/ST author should specify the maximum capacity
+ above which illicit information flows will be
+ monitored by the TSF.
+
+ .
+
+
+
+
+
+
+
+ This family defines the mechanisms for TSF-mediated importing of user
+ data into the TOE such that it has appropriate security
+ attributes and is appropriately protected. It is concerned
+ with limitations on importation, determination of desired
+ security attributes, and interpretation of security
+ attributes associated with the user data.
+
+
+
+ This family defines mechanisms for TSF-mediated importing of user data from
+ outside the TOE into the TOE such that the user data
+ security attributes can be preserved. Consistency of these
+ security attributes are addressed by .
+
+ is concerned with limitations on
+ import, user specification of security attributes, and
+ association of security attributes with the user data.
+
+ This family, and the corresponding export family , address how the TOE deals with user data
+ outside its control. This family is concerned with assigning
+ and abstraction of the user data security attributes.
+
+ A variety of activities might be involved here:
+
+
+ importing user data from an unformatted medium
+ (e.g. floppy disk, tape, scanner, video or audit
+ signal), without including any security attributes, and
+ physically marking the medium to indicate its contents;
+
+
+ importing user data, including security attributes, from
+ a medium and verifying that the object security
+ attributes are appropriate;
+
+
+ importing user data, including security attributes, from
+ a medium using a cryptographic sealing technique to
+ protect the association of user data and security
+ attributes.
+
+
+
+ This family is not concerned with the determination of
+ whether the user data may be imported. It is concerned with
+ the values of the security attributes to associate with the
+ imported user data.
+
+ There are two possibilities for the import of user data:
+ either the user data is unambiguously associated with
+ reliable object security attributes (values and meaning of
+ the security attributes is not modified), or no reliable
+ security attributes (or no security attributes at all) are
+ available from the import source. This family addresses both
+ cases.
+
+ If there are reliable security attributes available, they
+ may have been associated with the user data by physical
+ means (the security attributes are on the same media), or by
+ logical means (the security attributes are distributed
+ differently, but include unique object identification,
+ e.g. cryptographic checksum).
+
+ This family is concerned with TSF-mediated importing of user data and
+ maintaining the association of security attributes as
+ required by the SFP. Other families are concerned with other
+ import aspects such as consistency, trusted channels, and
+ integrity that are beyond the scope of this
+ family. Furthermore, is only concerned
+ with the interface to the import medium. is responsible for the other end point of the
+ medium (the source).
+
+ Some of the well known import requirements are:
+
+
+ importing of user data without any security attributes;
+
+
+ importing of user data including security attributes
+ where the two are associated with one another and the
+ security attributes unambiguously represent the
+ information being imported.
+
+
+
+ These import requirements may be handled by the TSF with or
+ without human intervention, depending on the IT limitations
+ and the organisational security policy. For example, if user
+ data is received on a ``confidential''
+ channel, the security attributes of the objects will be set
+ to ``confidential''.
+
+ If there are multiple SFPs (access control and/or
+ information flow control) then it may be appropriate to
+ iterate these components once for each named SFP.
+
+
+
+
+
+
+
+
+
+
+
+
+ This component is used to specify the import of user data
+ that does not have reliable (or any) security attributes
+ associated with it. This function requires that the
+ security attributes for the imported user data be
+ initialised within the TSF. It could also be the case that
+ the PP/ST author specifies the rules for import. It may be
+ appropriate, in some environments, to require that these
+ attributes be supplied via a trusted path or a trusted
+ channel mechanism.
+
+
+
+ , requires that the security
+ attributes correctly represent the user data and are
+ supplied separately from the object.
+
+
+ The modification of the additional control rules used for
+ import.
+
+
+ Successful import of user data, including any security
+ attributes.
+
+
+ All attempts to import user data, including any security
+ attributes.
+
+
+ The specification of security attributes for imported user
+ data supplied by an authorised user.
+
+
+ The TSF shall enforce the
+
+ access control SFP(s) and/or information flow control SFP(s)
+
+ the PP/ST author should specify the access control SFP(s)
+ and/or information flow control SFP(s) that will be
+ enforced when importing user data from outside of the
+ TOE. The user data that this function imports is
+ scoped by the assignment of these SFPs.
+ when importing user data, controlled under the SFP, from
+ outside of the TOE.
+
+
+ The TSF shall ignore any security attributes associated with
+ the user data when imported from outside the TOE.
+
+
+ The TSF shall enforce the following rules when importing
+ user data controlled under the SFP from outside the TOE:
+
+
+ additional importation control rules
+
+
+
+ the PP/ST author should specify any additional
+ importation control rules or
+ ``none'' if there are no
+ additional importation control rules. These rules will
+ be enforced by the TSF in addition to the access
+ control SFPs and/or information flow control SFPs
+ selected in .
+
+ .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component is used to specify the import of user data
+ that has reliable security attributes associated with
+ it. This function relies upon the security attributes that
+ are accurately and unambiguously associated with the
+ objects on the import medium. Once imported, those objects
+ will have those same attributes. This requires to ensure the consistency of the data. It
+ could also be the case that the PP/ST author specifies the
+ rules for import.
+
+
+
+ , requires that security attributes
+ correctly represent the user data and are accurately and
+ unambiguously associated with the user data imported from
+ outside the TOE.
+
+
+
+
+
+
+ The TSF shall enforce the
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) that
+ will be enforced when importing user data from outside
+ of the TOE. The user data that this function imports
+ is scoped by the assignment of these SFPs.
+
+
+ when importing user data, controlled under the SFP, from
+ outside of the TOE.
+
+
+ The TSF shall use the security attributes associated with
+ the imported user data.
+
+
+ The TSF shall ensure that the protocol used provides for the
+ unambiguous association between the security attributes and
+ the user data received.
+
+
+ The TSF shall ensure that interpretation of the security
+ attributes of the imported user data is as intended by the
+ source of the user data.
+
+
+ The TSF shall enforce the following rules when importing
+ user data controlled under the SFP from outside the TOE:
+
+
+ additional importation control rules
+
+
+
+ the PP/ST author should specify any additional
+ importation control rules or
+ ``none'' if there are no
+ additional importation control rules. These rules will
+ be enforced by the TSF in addition to the access
+ control SFPs and/or information flow control SFPs
+ selected in .
+
+ .
+
+
+
+
+
+
+
+ This family provides requirements that address protection of
+ user data when it is transferred between separated parts of a TOE
+ across an internal channel. This may be contrasted with the
+ and families,
+ which provide protection for user data when it is
+ transferred between distinct TSFs across an external
+ channel, and and ,
+ which address TSF-mediated transfer of data to or from outside the
+ TOE.
+
+
+
+ This family provides requirements that address protection of
+ user data when it is transferred between parts of a TOE
+ across an internal channel. This may be contrasted with the
+ and family, which
+ provide protection for user data when it is transferred
+ between distinct TSFs across an external channel, and and , which address
+ TSF-mediated transfer of data to or from outside the TOE.
+
+ The requirements in this family allow a PP/ST author to
+ specify the desired security for user data while in transit
+ within the TOE. This security could be protection against
+ disclosure, modification, or loss of availability.
+
+ The determination of the degree of physical separation above
+ which this family should apply depends on the intended
+ environment of use. In a hostile environment, there may be
+ risks arising from transfers between parts of the TOE
+ separated by only a system bus. In more benign environments,
+ the transfers may be across more traditional network media.
+
+ If there are multiple SFPs (access control and/or
+ information flow control) then it may be appropriate to
+ iterate these components once for each named SFP.
+
+
+
+
+
+
+
+
+
+
+
+ , requires that user data be
+ protected when transmitted between parts of the TOE.
+
+
+ If the TSF provides multiple methods to protect user data
+ during transmission between physically separated parts of
+ the TOE, the TSF could provide a pre-defined role with the
+ ability to select the method that will be used.
+
+
+ Successful transfers of user data, including identification
+ of the protection method used.
+
+
+ All attempts to transfer user data, including the protection
+ method used and any errors that occurred.
+
+
+ The TSF shall enforce the
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) covering
+ the information being transferred.
+
+
+ to prevent the
+
+
+ disclosure
+
+
+ modification
+
+
+ loss of use
+
+
+
+ the PP/ST author should specify the types of
+ transmission errors that the TSF should prevent
+ occurring for user data while in transport. The options
+ are disclosure, modification, loss of use.
+
+
+ of user data when it is transmitted between
+ physically-separated parts of the TOE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component could, for example, be used to provide
+ different forms of protection to information with
+ different clearance levels.
+
+ One of the ways to achieve separation of data when it is
+ transmitted is through the use of separate logical or
+ physical channels.
+
+
+
+ , requires separation of data based
+ on the value of SFP-relevant attributes in addition to the
+ first component.
+
+
+
+
+
+ The TSF shall enforce the
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) covering
+ the information being transferred.
+
+
+ to prevent the
+
+
+ disclosure
+
+
+ modification
+
+
+ loss of use
+
+
+
+ the PP/ST author should specify the types of
+ transmission errors that the TSF should prevent
+ occurring for user data while in transport. The options
+ are disclosure, modification, loss of use.
+
+
+ of user data when it is transmitted between
+ physically-separated parts of the TOE.
+
+
+ The TSF shall separate data controlled by the SFP(s) when
+ transmitted between physically-separated parts of the TOE,
+ based on the values of the following:
+
+
+ security attributes that require separation
+
+
+
+ the PP/ST author should specify the security
+ attributes, the values of which the TSF will use to
+ determine when to separate data that is being
+ transmitted between physically-separated parts of the
+ TOE. An example is that user data associated with the
+ identity of one owner is transmitted separately from
+ the user data associated with the identify of a
+ different owner. In this case, the value of the
+ identity of the owner of the data is what is used to
+ determine when to separate the data for transmission.
+
+ .
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component is used in combination with either or . It ensures
+ that the TSF checks received user data (and their
+ attributes) for integrity. or will provide the data in a manner such
+ that it is protected from modification (so that can detect any modifications).
+
+ The PP/ST author has to specify the types of errors that
+ must be detected. The PP/ST author should consider:
+ modification of data, substitution of data, unrecoverable
+ ordering change of data, replay of data, incomplete data,
+ in addition to other integrity errors.
+
+ The PP/ST author must specify the actions that the TSF
+ should take on detection of a failure. For example: ignore
+ the user data, request the data again, inform the
+ authorised administrator, reroute traffic for other lines.
+
+
+
+ , requires that the TSF monitor user
+ data transmitted between parts of the TOE for identified
+ integrity errors.
+
+
+ The specification of the actions to be taken upon detection
+ of an integrity error could be configurable.
+
+
+ Successful transfers of user data, including identification
+ of the integrity protection method used.
+
+
+ All attempts to transfer user data, including the integrity
+ protection method used and any errors that occurred.
+
+
+ Unauthorised attempts to change the integrity protection
+ method.
+
+
+ The action taken upon detection of an integrity error.
+
+
+ The TSF shall enforce the
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) covering
+ the information being transferred and monitored for
+ integrity errors.
+
+
+ to monitor user data transmitted between
+ physically-separated parts of the TOE for the following
+ errors:
+
+
+ integrity errors
+
+
+
+ the PP/ST author should specify the type of possible
+ integrity errors to be monitored during transmission
+ of the user data.
+
+ .
+
+
+ Upon detection of a data integrity error, the TSF shall
+
+
+ specify the action to be taken upon integrity error
+
+
+
+ the PP/ST author should specify the action to be taken
+ by the TSF when an integrity error is encountered. An
+ example might be that the TSF should request the
+ resubmission of the user data. The SFP(s) specified in
+ will be enforced as the
+ actions are taken by the TSF.
+
+ .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component is used in combination with .
It ensures that the TSF checks received
+ user data, that has been transmitted by separate channels
+ (based on values of specified security attributes), for
+ integrity. It allows the PP/ST author to specify actions
+ to be taken upon detection of an integrity error.
+
+ For example, this component could be used to provide
+ different integrity error detection and action for
+ information at different integrity levels.
+
+ The PP/ST author has to specify the types of errors that
+ must be detected. The PP/ST author should consider:
+ modification of data, substitution of data, unrecoverable
+ ordering change of data, replay of data, incomplete data,
+ in addition to other integrity errors.
+
+ The PP/ST author should specify the attributes (and
+ associated transmission channels) that necessitate
+ integrity error monitoring
+
+ The PP/ST author must specify the actions that the TSF
+ should take on detection of a failure. For example: ignore
+ the user data, request the data again, inform the
+ authorised administrator, reroute traffic for other lines.
+
+
+
+ expands on the third component by
+ allowing the form of integrity monitoring to differ by
+ SFP-relevant attribute.
+
+
+
+
+
+
+
+ The TSF shall enforce the
+
+
+ access control SFP(s) and/or information flow
+ control SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) covering
+ the information being transferred and monitored for
+ integrity errors.
+
+
+ to monitor user data transmitted between
+ physically-separated parts of the TOE for the following
+ errors:
+
+
+ integrity errors
+
+
+
+ the PP/ST author should specify the type of possible
+ integrity errors to be monitored during transmission
+ of the user data.
+
+ , based on the following attributes:
+
+
+ security attributes that require separate transmission
+ channels
+
+
+
+ the PP/ST author should specify a list of security
+ attributes that require separate transmission
+ channels. This list is used to determine which user
+ data to monitor for integrity errors., based on its
+ security attributes and its transmission channel. This
+ element is directly related to .
+
+ .
+
+
+ Upon detection of a data integrity error, the TSF shall
+
+
+ specify the action to be taken upon integrity
+ error
+
+
+
+ the PP/ST author should specify the action to be taken
+ by the TSF when an integrity error is encountered. An
+ example might be that the TSF should request the
+ resubmission of the user data. The SFP(s) specified in
+ will be enforced as the
+ actions are taken by the TSF.
+
+ .
+
+
+
+
+
+
+
+ This family addresses the need to ensure that any data contained
+ in a resource is not available when the resource is de-allocated
+ from one object and reallocated to a different object. This
+ family requires protection for any data contained in a resource
+ that has been logically deleted or released, but may still be
+ present within the TSF-controlled resource which in turn may be
+ re-allocated to another object.
+
+
+
+ Residual information protection ensures that TSF-controlled
+ resources when de-allocated from an object and before they are
+ reallocated to another object are treated by the TSF in a way
+ that it is not possible to reconstruct all or part of the data
+ contained in the resource before it was de-allocated.
+
+ A TOE usually has a number of functions that potentially
+ de-allocate resources from an object and potentially re-allocate
+ those resources to objects. Some, but not all of those resources
+ may have been used to store critical data from the previous use
+ of the resource and for those resources FDP_RIP requires that
+ they are prepared for reuse.
Object reuse applies to explicit
+ requests of a subject or user to release resources as well as
+ implicit actions of the TSF that result in the de-allocation and
+ subsequent re-allocation of resources to different
+ objects. Examples of explicit requests are the deletion or
+ truncation of a file or the release of an area of main
+ memory. Examples of implicit actions of the TSF are the
+ de-allocation and re-allocation of cache regions.
+ The requirement for object reuse is related to the content of
+ the resource belonging to an object, not all information about
+ the resource or object that may be stored elsewhere in the
+ TSF. As an example to satisfy the FDP_RIP requirement for files
+ as objects requires that all sectors that make up the file need
+ to be prepared for re-use.
+
+ It also applies to resources that are serially reused by
+ different subjects within the system. For example, most
+ operating systems typically rely upon hardware registers
+ (resources) to support processes within the system. As
+ processes are swapped from a ``run'' state to a ``sleep''
+ state (and vice versa), these registers are serially reused
+ by different subjects. While this ``swapping'' action may
+ not be considered an allocation or deallocation of a
+ resource, could apply to
+ such events and resources.
+
+ typically controls access
+ to information that is not part of any currently defined or
+ accessible object; however, in certain cases this may not be
+ true. For example, object ``A'' is a file and object ``B''
+ is the disk upon which that file resides. If object ``A'' is
+ deleted, the information from object ``A'' is under the
+ control of even though it
+ is still part of object ``B''.
+
+ It is important to note that applies only to on-line objects and not
+ off-line objects such as those backed-up on tapes.
For
+ example, if a file is deleted in the TOE, can be instantiated to require that no
+ residual information exists upon deallocation; however, the
+ TSF cannot extend this enforcement to that same file that
+ exists on the off-line back-up. Therefore that same file is
+ still available. If this is a concern, then the PP/ST author
+ should make sure that the proper environmental objectives
+ are in place to support operational user guidance to address
+ off-line objects.
+
+ and can conflict when is instantiated to require that residual
+ information be cleared at the time the application releases
+ the object to the TSF (i.e. upon deallocation). Therefore,
+ the selection of
+ ``deallocation'' should not be used with since there would be no information to roll
+ back. The other selection, ``unavailability upon
+ allocation'', may be used with , but there is the risk that the resource
+ which held the information has been allocated to a new
+ object before the roll back took place. If that were to
+ occur, then the roll back would not be possible.
+
+ There are no audit requirements in because this is not a user-invokable
+ function. Auditing of allocated or deallocated resources
+ would be auditable as part of the access control SFP or the
+ information flow control SFP operations.
+
+ This family should apply to the objects specified in the
+ access control SFP(s) or the information flow control SFP(s)
+ as specified by the PP/ST author.
+
+
+
+
+
+ This component requires that, for a subset of the objects
+ in the TOE, the TSF will ensure that there is no available
+ residual information contained in a resource allocated to
+ those objects or deallocated from those objects.
+
+
+
+ , requires that the TSF
+ ensure that any residual information content of any
+ resources is unavailable to a defined subset of the
+ objects controlled by the TSF upon the resource's
+ allocation or deallocation.
+
+
+ The choice of when to perform residual information
+ protection (i.e. upon allocation or deallocation) could be
+ made configurable within the TOE.
+
+
+ The TSF shall ensure that any previous information content
+ of a resource is made unavailable upon the
+
+
+ allocation of the resource to
+
+
+ deallocation of the resource from
+
+
+
+ the PP/ST author should specify the event, allocation
+ of the resource to or deallocation of the resource
+ from, that invokes the residual information protection
+ function.
+
+
+ the following objects:
+
+
+ list of objects
+
+
+
+ the PP/ST author should specify the list of objects
+ subject to residual information protection.
+
+ .
+
+
+
+
+
+
+
+ This component requires that for all objects in the TOE,
+ the TSF will ensure that there is no available residual
+ information contained in a resource allocated to those
+ objects or deallocated from those objects.
+
+
+
+ , requires that the TSF ensure that
+ any residual information content of any resources is
+ unavailable to all objects upon the resource's
+ allocation or deallocation.
+
+
+
+ The TSF shall ensure that any previous information content
+ of a resource is made unavailable upon the
+
+
+ allocation of the resource to
+
+
+ deallocation of the resource from
+
+
+
+ the PP/ST author should specify the event, allocation
+ of the resource to or deallocation of the resource
+ from, that invokes the residual information protection
+ function.
+
+
+ all objects.
+
+
+
+
+
+
+
+ The rollback operation involves undoing the last operation
+ or a series of operations, bounded by some limit, such as a
+ period of time, and return to a previous known
+ state. Rollback provides the ability to undo the effects of
+ an operation or series of operations to preserve the
+ integrity of the user data.
+
+
+
+ This family addresses the need to return to a well defined
+ valid state, such as the need of a user to undo
+ modifications to a file or to undo transactions in case of
+ an incomplete series of transaction as in the case of
+ databases.
+
+ This family is intended to assist a user in returning to a
+ well defined valid state after the user undoes the last set
+ of actions, or, in distributed databases, the return of all
+ of the distributed copies of the databases to the state
+ before an operation failed.
+
+ and conflict when
+ enforces that the contents will be made
+ unavailable at the time that a resource is deallocated from
+ an object. Therefore, this use of
+ cannot be combined with as there would
+ be no information to roll back. can be
+ used only with when it enforces that
+ the contents will be unavailable at the time that a resource
+ is allocated to an object. This is because the mechanism will have an opportunity to access
+ the previous information that may still be present in the
+ TOE in order to successfully roll back the operation.
+
+ The rollback requirement is bounded by certain limits. For
+ example a text editor typically only allows you roll back up
+ to a certain number of commands. Another example would be
+ backups. If backup tapes are rotated, after a tape is
+ reused, the information can no longer be retrieved. This
+ also poses a bound on the rollback requirement.
+
+
+
+
+
+
+
+
+
+
+
+ This component allows a user or subject to undo a set of
+ operations on a predefined set of objects. The undo is
+ only possible within certain limits, for example up to a
+ number of characters or up to a time limit.
+
+
+
+ addresses a need to roll back or
+ undo a limited number of operations within the defined
+ bounds.
+
+
+ The boundary limit to which rollback may be performed could
+ be a configurable item within the TOE.
+
+
+ Permission to perform a rollback operation could be
+ restricted to a well defined role.
+
+
+ All successful rollback operations.
+
+
+ All attempts to perform rollback operations.
+
+
+ All attempts to perform rollback operations, including
+ identification of the types of operations rolled back.
+
+
+ The TSF shall enforce
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) that
+ will be enforced when performing rollback
+ operations. This is necessary to make sure that roll
+ back is not used to circumvent the specified SFPs.
+
+
+ to permit the rollback of the
+
+
+ list of operations
+
+
+
+ the PP/ST author should specify the list of operations
+ that can be rolled back.
+
+
+ on the
+
+ information and/or list of objects
+
+ the PP/ST author should specify the information and/or
+ list of objects that are subjected to the rollback policy..
+
+
+ The TSF shall permit operations to be rolled back within the
+
+
+ boundary limit to which rollback may be performed
+
+
+
+ the PP/ST author should specify the boundary limit to
+ which rollback operations may be performed. The
+ boundary may be specified as a predefined period of
+ time, for example, operations may be undone which were
+ performed within the past two minutes. Other possible
+ boundaries may be defined as the maximum number of
+ operations allowable or the size of a buffer.
+
+ .
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component enforces that the TSF provide the
+ capability to rollback all operations; however, the user
+ can choose to rollback only a part of them.
+
+
+
+ addresses the need to roll back or
+ undo all operations within the defined bounds.
+
+
+
+
+
+
+ The TSF shall enforce
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) that
+ will be enforced when performing rollback
+ operations.
This is necessary to make sure that roll
+ back is not used to circumvent the specified SFPs.
+
+
+ to permit the rollback of all the operations on the
+
+
+ list of objects
+
+
+
+ the PP/ST author should specify the list of objects
+ that are subjected to the rollback policy.
+
+ .
+
+
+ The TSF shall permit operations to be rolled back within the
+
+
+ boundary limit to which rollback may be performed
+
+
+
+ the PP/ST author should specify the boundary limit to
+ which rollback operations may be performed. The
+ boundary may be specified as a predefined period of
+ time, for example, operations may be undone which were
+ performed within the past two minutes. Other possible
+ boundaries may be defined as the maximum number of
+ operations allowable or the size of a buffer.
+
+ .
+
+
+
+
+
+
+
+ This family provides requirements that address protection of
+ user data while it is stored within containers controlled by the TSF. Integrity
+ errors may affect user data stored in memory, or in a
+ storage device. This family differs from which protects the user data from integrity
+ errors while being transferred within the TOE.
+
+
+
+ This family provides requirements that address protection of
+ user data while it is stored within containers controlled by the TSF.
+
+ Hardware glitches or errors may affect data stored in
+ memory. This family provides requirements to detect these
+ unintentional errors. The integrity of user data while
+ stored on storage devices controlled by the TSF are also addressed
+ by this family.
+
+ To prevent a subject from modifying the data, the or families are required
+ (rather than this family).
+
+ This family differs from that protects
+ the user data from integrity errors while being transferred
+ within the TOE.
+
+
+
+
+
+ This component monitors data stored on media for integrity
+ errors. The PP/ST author can specify different kinds of
+ user data attributes that will be used as the basis for
+ monitoring.
+
+
+
+ , requires that the TSF monitor user
+ data stored within containers controlled by the TSF for identified integrity
+ errors.
+
+
+ Successful attempts to check the integrity of user data,
+ including an indication of the results of the check.
+
+
+ All attempts to check the integrity of user data, including
+ an indication of the results of the check, if performed.
+
+
+ The type of integrity error that occurred.
+
+
+ The TSF shall monitor user data stored in containers controlled by the TSF for
+
+
+ integrity errors
+
+
+
+ the PP/ST author should specify the integrity errors
+ that the TSF will detect.
+
+
+ on all objects, based on the following attributes:
+
+
+ user data attributes
+
+
+
+ the PP/ST author should specify the user data
+ attributes that will be used as the basis for the
+ monitoring.
+
+ .
+
+
+
+
+
+
+
+ This component monitors data stored on media for integrity
+ errors. The PP/ST author can specify which action should
+ be taken in case an integrity error is detected.
+
+
+
+ adds the additional capability to
+ the first component by allowing for actions to be taken as
+ a result of an error detection.
+
+
+ The actions to be taken upon the detection of an integrity
+ error could be configurable.
+
+
+ Successful attempts to check the integrity of user data,
+ including an indication of the results of the check.
+
+
+ All attempts to check the integrity of user data, including
+ an indication of the results of the check, if performed.
+
+
+ The type of integrity error that occurred.
+
+
+ The action taken upon detection of an integrity error.
+
+
+ The TSF shall monitor user data stored in containers controlled by the TSF for
+
+
+ integrity errors
+
+
+
+ the PP/ST author should specify the integrity errors
+ that the TSF will detect.
+
+
+ on all objects, based on the following attributes:
+
+
+ user data attributes
+
+
+
+ the PP/ST author should specify the user data
+ attributes that will be used as the basis for the
+ monitoring.
+
+ .
+
+
+ Upon detection of a data integrity error, the TSF shall
+
+
+ action to be taken
+
+
+
+ the PP/ST author should specify the actions to be
+ taken in case an integrity error is detected.
+
+ .
+
+
+
+
+
+
+
+ This family defines the requirements for ensuring the
+ confidentiality of user data when it is transferred using an
+ external channel between the TOE and another trusted IT product.
+
+
+
+ This family defines the requirements for ensuring the
+ confidentiality of user data when it is transferred using an
+ external channel between the TOE and another trusted IT
+ product. Confidentiality is enforced by preventing
+ unauthorised disclosure of user data in transit between the
+ two end points. The end points may be a TSF or a user.
+
+ This family provides a requirement for the protection of user
+ data during transit. In contrast, handles TSF data.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Depending on the access control or information flow policies the TSF is
+ required to send or receive user data in a manner such that the
+ confidentiality of the user data is protected.
+
+
+
+ In , the goal is to provide
+ protection from disclosure of user data while in transit.
+
+
+ The identity of any user or subject using the data exchange
+ mechanisms.
+
+
+ The identity of any unauthorised user or subject attempting
+ to use the data exchange mechanisms.
+
+
+ A reference to the names or other indexing information
+ useful in identifying the user data that was transmitted or
+ received. This could include security attributes associated
+ with the information.
+
+
+ The TSF shall enforce the
+
+ access control SFP(s) and/or information flow control SFP(s)
+ the PP/ST author should specify the access control SFP(s)
+ and/or information flow control SFP(s) that will be enforced when exchanging
+ user data. The specified policies will be enforced to make decisions about
+ who can exchange data and which data can be exchanged.
+ to
+ transmitreceivethe PP/ST author should specify whether this element
+ applies to a mechanism that transmits or receives user data.
+ user data in a manner protected from unauthorised disclosure.
+
+
+
+
+
+
+
+ This family defines the requirements for providing integrity
+ for user data in transit between the TOE and another trusted
+ IT product and recovering from detectable errors. At a
+ minimum, this family monitors the integrity of user data for
+ modifications. Furthermore, this family supports different
+ ways of correcting detected integrity errors.
+
+
+
+ This family defines the requirements for providing integrity
+ for user data in transit between the TSF and another trusted
+ IT product and recovering from detectable errors. At a
+ minimum, this family monitors the integrity of user data for
+ modifications. Furthermore, this family supports different
+ ways of correcting detected integrity errors.
+
+ This family defines the requirements for providing integrity
+ for user data in transit; while handles
+ TSF data.
+
+ and are duals of
+ each other, as addresses user data
+ confidentiality. Therefore, the same mechanism that
+ implements could possibly be used to
+ implement other families such as and
+ .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Depending on the access control or information flow policies the TSF is
+ required to send or receive user data in a manner such that modification
+ of the user data is detected. There is no requirement for a TSF mechanism
+ to attempt to recover from the modification.
+
+
+
+ addresses detection of
+ modifications, deletions, insertions, and replay errors of
+ the user data transmitted.
+
+
+ The identity of any user or subject using the data exchange
+ mechanisms.
+
+
+ The identity of any user or subject attempting to use the
+ user data exchange mechanisms, but who is unauthorised to do
+ so.
+
+
+ A reference to the names or other indexing information
+ useful in identifying the user data that was transmitted or
+ received. This could include security attributes associated
+ with the user data.
+
+
+ Any identified attempts to block transmission of user data.
+
+
+ The types and/or effects of any detected modifications of
+ transmitted user data.
+
+
+ The TSF shall enforce the
+ access control SFP(s) and/or information flow control SFP(s)
+ the PP/ST author should specify the access control SFP(s)
+ and/or information flow control SFP(s) that will be enforced on the transmitted
+ data or on the received data. The specified policies will be enforced to make
+ decisions about who can transmit or who can receive data, and which data can be
+ transmitted or received.
+ to
+ transmitreceivethe PP/ST author should specify whether this element applies
+ to a TSF that is transmitting or receiving objects.
+ user data in a manner protected from
+ modificationdeletioninsertionreplaythe PP/ST author should specify whether the data should be
+ protected from modification, deletion, insertion or replay.
+ errors.
+
+
+ The TSF shall be able to determine on receipt of user data,
+ whether
+
+
+ modification
+
+
+ deletion
+
+
+ insertion
+
+
+ replay
+
+
+
+ the PP/ST author should specify whether the errors of
+ the type: modification, deletion, insertion or replay
+ are detected.
+
+
+ has occurred.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component provides the ability to recover from a set
+ of identified transmission errors, if required, with the
+ help of the other trusted IT product.
As the other trusted
+ IT product is outside the TOE, the TSF cannot control its
+ behaviour. However, it can provide functions that have the
+ ability to cooperate with the other trusted IT product for
+ the purposes of recovery. For example, the TSF could
+ include functions that depend upon the source trusted IT
+ product to re-send the data in the event that an error is
+ detected. This component deals with the ability of the TSF
+ to handle such an error recovery.
+
+
+
+ addresses recovery of the original
+ user data by the receiving TSF with help from the source
+ trusted IT product.
+
+
+ The identity of any user or subject using the data exchange
+ mechanisms.
+
+
+ Successful recovery from errors including they type of error
+ that was detected.
+
+
+ The identity of any user or subject attempting to use the
+ user data exchange mechanisms, but who is unauthorised to do
+ so.
+
+
+ A reference to the names or other indexing information
+ useful in identifying the user data that was transmitted or
+ received. This could include security attributes associated
+ with the user data.
+
+
+ Any identified attempts to block transmission of user data.
+
+
+ The types and/or effects of any detected modifications of
+ transmitted user data.
+
+
+ The TSF shall enforce the
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) that
+ will be enforced when recovering user data. The
+ specified policies will be enforced to make decisions
+ about which data can be recovered and how it can be
+ recovered.
+
+
+ to be able to recover from
+
+
+ list of recoverable errors
+
+
+
+ the PP/ST author should specify the list of integrity
+ errors from which the TSF, with the help of the source
+ trusted IT product, is be able to recover the original
+ user data.
+
+
+ with the help of the source trusted IT product.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This component provides the ability to recover from a set
+ of identified transmission errors. It accomplishes this
+ task without help from the source trusted IT product. For
+ example, if certain errors are detected, the transmission
+ protocol must be robust enough to allow the TSF to recover
+ from the error based on checksums and other information
+ available within that protocol.
+
+
+
+ addresses recovery of the original
+ user data by the receiving TSF on its own without any help
+ from the source trusted IT product.
+
+
+
+
+
+ The TSF shall enforce the
+
+
+ access control SFP(s) and/or information flow control
+ SFP(s)
+
+
+
+ the PP/ST author should specify the access control
+ SFP(s) and/or information flow control SFP(s) that
+ will be enforced when recovering user data. The
+ specified policies will be enforced to make decisions
+ about which data can be recovered and how it can be
+ recovered.
+
+
+ to be able to recover from
+
+
+ list of recoverable errors
+
+
+
+ the PP/ST author should specify the list of integrity
+ errors from which the receiving TSF, alone, is able to
+ recover the original user data.
+
+
+ without any help from the source trusted IT product.
+
+
+
+
+
+
+
+ Families in this class address the requirements for functions
+ to establish and verify a claimed user identity.
+
+ Identification and Authentication is required to ensure that
+ users are associated with the proper security attributes
+ (e.g. identity, groups, roles, security or integrity levels).
+
+ The unambiguous identification of authorised users and the
+ correct association of security attributes with users and
+ subjects is critical to the enforcement of the intended
+ security policies. The families in this class deal with
+ determining and verifying the identity of users, determining
+ their authority to interact with the TOE, and with the correct
+ association of security attributes for each authorised
+ user.
Other classes of requirements (e.g. User Data
+ Protection, Security Audit) are dependent upon correct
+ identification and authentication of users in order to be
+ effective.
+
+
+
+ A common security requirement is to unambiguously identify the
+ person and/or entity performing functions in a TOE. This
+ involves not only establishing the claimed identity of each
+ user, but also verifying that each user is indeed who he/she
+ claims to be. This is achieved by requiring users to provide
+ the TSF with some information that is known by the TSF to be
+ associated with the user in question.
+
+ Families in this class address the requirements for functions
+ to establish and verify a claimed user
+ identity. Identification and Authentication is required to
+ ensure that users are associated with the proper security
+ attributes (e.g. identity, groups, roles, security or
+ integrity levels).
+
+ The unambiguous identification of authorised users and the
+ correct association of security attributes with users and
+ subjects is critical to the enforcement of the security
+ policies.
+
+ The family addresses determining the
+ identity of a user.
+
+ The family addresses verifying the
+ identity of a user.
+
+ The family addresses defining limits on
+ repeated unsuccessful authentication attempts.
+
+ The family address the definition of user
+ attributes that are used in the enforcement of the SFRs.
+
+ The family addresses the correct
+ association of security attributes for each authorised user.
+
+ The family addresses the generation and
+ verification of secrets that satisfy a defined metric.
+
+
+
+
+
+ This family contains requirements for defining values for
+ some number of unsuccessful authentication attempts and TSF
+ actions in cases of authentication attempt
+ failures. Parameters include, but are not limited to, the
+ number of failed authentication attempts and time
+ thresholds.
+
+
+
+ This family addresses requirements for defining values for
+ authentication attempts and TSF actions in cases of
+ authentication attempt failure. Parameters include, but are
+ not limited to, the number of attempts and time thresholds.
+
+ The session establishment process is the interaction with
+ the user to perform the session establishment independent of
+ the actual implementation. If the number of unsuccessful
+ authentication attempts exceeds the indicated threshold,
+ either the user account or the terminal (or both) will be
+ locked. If the user account is disabled, the user cannot
+ log-on to the system. If the terminal is disabled, the
+ terminal (or the address that the terminal has) cannot be
+ used for any log-on. Both of these situations continue until
+ the condition for re-establishment is satisfied.
+
+
+
+
+
+
+
+
+ The PP/ST author may define the number of unsuccessful
+ authentication attempts or may choose to let the TOE
+ developer or the authorised user to define this
+ number. The unsuccessful authentication attempts need not
+ be consecutive, but rather related to an authentication
+ event. Such an authentication event could be the count
+ from the last successful session establishment at a given
+ terminal.
+
+ The PP/ST author could specify a list of actions that the
+ TSF shall take in the case of authentication failure. An
+ authorised administrator could also be allowed to manage
+ the events, if deemed opportune by the PP/ST author. These
+ actions could be, among other things, terminal
+ deactivation, user account deactivation, or administrator
+ alarm. The conditions under which the situation will be
+ restored to normal must be specified on the action.
+
+ In order to prevent denial of service, TOEs usually ensure
+ that there is at least one user account that cannot be
+ disabled.
+
+ Further actions for the TSF can be stated by the PP/ST
+ author, including rules for re-enabling the user session
+ establishment process, or sending an alarm to the
+ administrator. Examples of these actions are: until a
+ specified time has lapsed, until the authorised
+ administrator re-enables the terminal/account, a time
+ related to failed previous attempts (every time the
+ attempt fails, the disabling time is doubled).
+
+
+
+ , requires that the TSF be able to
+ terminate the session establishment process after a
+ specified number of unsuccessful user authentication
+ attempts. It also requires that, after termination of the
+ session establishment process, the TSF be able to disable
+ the user account or the point of entry (e.g. workstation)
+ from which the attempts were made until an
+ administrator-defined condition occurs.
+
+
+ management of the threshold for unsuccessful authentication
+ attempts;
+
+
+ management of actions to be taken in the event of an
+ authentication failure.
+
+
+ the reaching of the threshold for the unsuccessful
+ authentication attempts and the actions (e.g. disabling of a
+ terminal) taken and the subsequent, if appropriate,
+ restoration to the normal state (e.g. re-enabling of a
+ terminal).
+
+
+ The TSF shall detect when
+
+ positive integer number
+
+ if the assignment of a positive integer is selected,
+ the PP/ST author should specify the default number
+ (positive integer) of unsuccessful authentication
+ attempts that, when met or surpassed, will trigger
+ the events.
+ an administrator configurable positive integer within
+
+ range of acceptable values
+
+ if an administrator configurable positive integer is
+ selected, the PP/ST author should specify the range of
+ acceptable values from which the administrator of the
+ TOE may configure the number of unsuccessful
+ authentication attempts.
The number of authentication
+ attempts should be less than or equal to the upper
+ bound and greater or equal to the lower bound values.
+ the PP/ST author should select either the assignment of a positive integer,
+ or the phrase ``an administrator configurable positive integer'' specifying
+ the range of acceptable values.
+ unsuccessful authentication attempts occur related to
+
+
+ list of authentication events
+
+
+
+ the PP/ST author should specify the authentication
+ events. Examples of these authentication events are:
+ the unsuccessful authentication attempts since the
+ last successful authentication for the indicated user
+ identity, the unsuccessful authentication attempts
+ since the last successful authentication for the
+ current terminal, the number of unsuccessful
+ authentication attempts in the last 10 minutes. At
+ least one authentication event must be specified.
+
+ .
+
+
+ When the defined number of unsuccessful authentication
+ attempts has been
+ metsurpassed
+ the PP/ST author should select whether the event of
+ meeting or surpassing the defined number of unsuccessful
+ authentication attemps shall trigger an action by the
+ TSF., the TSF shall
+
+ list of actions
+
+ the PP/ST author should specify the actions to be taken in
+ case the threshold is met or surpassed, as selected. These
+ actions could be disabling of an account for 5 minutes,
+ disabling the terminal for an increasing amount of time (2
+ to the power of the number of unsuccessful attempts in
+ seconds), or disabling of the account until unlocked by
+ the administrator and simultaneously informing the
+ administrator. The actions should specify the measures and
+ if applicable the duration of the measure (or the
+ conditions under which the measure will be ended)..
+
+
+
+
+
+
+
+ All authorised users may have a set of security attributes,
+ other than the user's identity, that is used to
+ enforce the SFRs.
This family defines the requirements for
+ associating user security attributes with users as needed to
+ support the TSF in making security decisions.
+
+
+
+ All authorised users may have a set of security attributes,
+ other than the user's identity, that are used to
+ enforce the SFRs. This family defines the requirements for
+ associating user security attributes with users as needed to
+ support the TSF in making security decisions.
+
+ There are dependencies on the individual security policy (SFP)
+ definitions. These individual definitions should contain the
+ listing of attributes that are necessary for policy
+ enforcement.
+
+
+
+
+
+ This component specifies the security attributes that
+ should be maintained at the level of the user. This means
+ that the security attributes listed are assigned to and
+ can be changed at the level of the user. In other words,
+ changing a security attribute in this list associated with
+ a user should have no impact on the security attributes of
+ any other user.
+
+ In case security attributes belong to a group of users
+ (such as Capability List for a group), the user will need
+ to have a reference (as security attribute) to the
+ relevant group.
+
+
+
+ , allows user security attributes
+ for each user to be maintained individually.
+
+
+ if so indicated in the assignment, the authorised
+ administrator might be able to define additional security
+ attributes for users.
+
+
+ The TSF shall maintain the following list of security
+ attributes belonging to individual users:
+
+
+ list of security attributes
+
+
+
+ the PP/ST author should specify the security
+ attributes that are associated to an individual
+ user. An example of such a list is
+ {``clearance'', ``group
+ identifier'', ``rights''}.
+
+ .
+
+
+
+
+
+
+
+ This family defines requirements for mechanisms that enforce
+ defined quality metrics on provided secrets and generate
+ secrets to satisfy the defined metric.
+
+
+
+ This family defines requirements for mechanisms that enforce
+ defined quality metrics on provided secrets, and generate
+ secrets to satisfy the defined metric. Examples of such
+ mechanisms may include automated checking of user supplied
+ passwords, or automated password generation.
+
+ A secret can be generated outside the TOE (e.g. selected by
+ the user and introduced in the TOE). In such cases, the
+ component can be used to
+ ensure that the external generated secret adheres to certain
+ standards, for example a minimum size, not present in a
+ dictionary, and/or not previously used.
+
+ Secrets can also be generated by the TOE. In those cases,
+ the component can be used
+ to require the TOE to ensure that the secrets that will
+ adhere to some specified metrics.
+
+ Secrets contain the authentication data provided by the user
+ for an authentication mechanism that is based on knowledge
+ the user possesses. When cryptographic keys are employed,
+ the class should be used instead of this
+ family.
+
+
+
+
+
+ Secrets can be generated by the user. This component
+ ensures that those user generated secrets can be verified
+ to meet a certain quality metric.
+
+
+
+ , requires the TSF to verify that
+ secrets meet defined quality metrics.
+
+
+ the management of the metric used to verify the secrets.
+
+
+ Rejection by the TSF of any tested secret;
+
+
+ Rejection or acceptance by the TSF of any tested secret;
+
+
+ Identification of any changes to the defined quality
+ metrics.
+
+
+ The TSF shall provide a mechanism to verify that secrets
+ meet
+
+
+ a defined quality metric
+
+
+
+ the PP/ST author should provide a defined quality
+ metric. The quality metric specification can be as
+ simple as a description of the quality checks to be
+ performed, or as formal as a reference to a government
+ published standard that defines the quality metrics
+ that secrets must meet.
Examples of quality metrics
+ could include a description of the alphanumeric
+ structure of acceptable secrets and/or the space size
+ that acceptable secrets must meet.
+
+ .
+
+
+
+
+
+
+ This component allows the TSF to generate secrets for
+ specific functions such as authentication by means of
+ passwords.
+
+ When a pseudo-random number generator is used in a secret
+ generation algorithm, it should accept as input random
+ data that would provide output that has a high degree of
+ unpredictability. This random data (seed) can be derived
+ from a number of available parameters such as a system
+ clock, system registers, date, time, etc. The parameters
+ should be selected to ensure that the number of unique
+ seeds that can be generated from these inputs should be at
+ least equal to the minimum number of secrets that must be
+ generated.
+
+
+
+ , requires the TSF to be able to
+ generate secrets that meet defined quality metrics.
+
+
+ the management of the metric used to generate the secrets.
+
+
+
+
+
+ The TSF shall provide a mechanism to generate secrets that
+ meet
+
+
+ a defined quality metric
+
+
+
+ the PP/ST author should provide a defined quality
+ metric. The quality metric specification can be as
+ simple as a description of the quality checks to be
+ performed or as formal as a reference to a government
+ published standard that defines the quality metrics
+ that secrets must meet. Examples of quality metrics
+ could include a description of the alphanumeric
+ structure of acceptable secrets and/or the space size
+ that acceptable secrets must meet.
+
+ .
+
+
+ The TSF shall be able to enforce the use of TSF generated
+ secrets for
+
+
+ list of TSF functions
+
+
+
+ the PP/ST author should provide a list of TSF
+ functions for which the TSF generated secrets must be
+ used. An example of such a function could include a
+ password based authentication mechanism.
+
+ .
+
+
+
+
+
+
+
+ This family defines the types of user authentication
+ mechanisms supported by the TSF. This family also defines
+ the required attributes on which the user authentication
+ mechanisms must be based.
+
+
+
+ This family defines the types of user authentication
+ mechanisms supported by the TSF. This family defines the
+ required attributes on which the user authentication
+ mechanisms must be based.
+
+
+
+
+
+
+
+
+ This component requires that the PP/ST author define the
+ TSF-mediated actions that can be performed by the TSF on
+ behalf of the user before the claimed identity of the user
+ is authenticated. The TSF-mediated actions should have no
+ security concerns with users incorrectly identifying
+ themselves prior to being authenticated. For all other
+ TSF-mediated actions not in the list, the user must be
+ authenticated before the action can be performed by the
+ TSF on behalf of the user.
+
+ This component cannot control whether the actions can also
+ be performed before the identification took place. This
+ requires the use of either or
+ with the appropriate assignments.
+
+
+
+ , allows a user to perform certain
+ actions prior to the authentication of the
+ user's identity.
+
+
+ management of the authentication data by an administrator;
+
+
+ management of the authentication data by the associated
+ user;
+
+
+ managing the list of actions that can be taken before the
+ user is authenticated.
+
+
+ Unsuccessful use of the authentication mechanism;
+
+
+ All use of the authentication mechanism;
+
+
+ All TSF mediated actions performed before authentication of
+ the user.
+
+
+ The TSF shall allow
+
+
+ list of TSF mediated actions
+
+
+
+ the PP/ST author should specify a list of TSF-mediated
+ actions that can be performed by the TSF on behalf of
+ a user before the claimed identity of the user is
+ authenticated. This list cannot be empty. If no
+ actions are appropriate, component should be used instead.
An example of
+ such an action might include the request for help on
+ the login procedure.
+
+
+ on behalf of the user to be performed before the user is
+ authenticated.
+
+
+ The TSF shall require each user to be successfully
+ authenticated before allowing any other TSF-mediated actions
+ on behalf of that user.
+
+
+
+
+
+
+
+
+
+
+ This component requires that a user is authenticated before any other
+ TSF-mediated action can take place on behalf of that user.
+
+
+ , requires that users are
+ authenticated before any other action will be allowed by the TSF.
+
+
+ management of the authentication data by an administrator;
+
+
+ management of the authentication data by the user associated
+ with this data.
+
+
+ Unsuccessful use of the authentication mechanism;
+
+
+ All use of the authentication mechanism.
+
+
+ The TSF shall require each user to be successfully
+ authenticated before allowing any other TSF-mediated actions
+ on behalf of that user.
+
+
+
+
+
+
+ This component addresses requirements for mechanisms that
+ provide protection of authentication data. Authentication
+ data that is copied from another user, or is in some way
+ constructed should be detected and/or rejected. These
+ mechanisms provide confidence that users authenticated by
+ the TSF are actually who they claim to be.
+
+ This component may be useful only with authentication
+ mechanisms that are based on authentication data that
+ cannot be shared (e.g. biometrics). It is impossible for a
+ TSF to detect or prevent the sharing of passwords outside
+ the control of the TSF.
+
+
+
+ Unforgeable authentication,
+ requires the authentication mechanism to be able to detect
+ and prevent the use of authentication data that has been
+ forged or copied.
+
+
+ Detection of fraudulent authentication data;
+
+
+ All immediate measures taken and results of checks on the
+ fraudulent data.
+
+
+ The TSF shall
+
+
+ detect
+
+
+ prevent
+
+
+
+ the PP/ST author should specify whether the TSF will
+ detect, prevent, or detect and prevent forging of
+ authentication data.
+
+
+ use of authentication data that has been forged by any user
+ of the TSF.
+
+
+ The TSF shall
+
+
+ detect
+
+
+ prevent
+
+
+
+ the PP/ST author should specify whether the TSF will
+ detect, prevent, or detect and prevent copying of
+ authentication data.
+
+
+ use of authentication data that has been copied from any
+ other user of the TSF.
+
+
+
+
+
+
+ This component addresses requirements for authentication
+ mechanisms based on single-use authentication
+ data. Single-use authentication data can be something the
+ user has or knows, but not something the user is. Examples
+ of single-use authentication data include single-use
+ passwords, encrypted time-stamps, and/or random numbers
+ from a secret lookup table.
+
+ The PP/ST author can specify to which authentication
+ mechanism(s) this requirement applies.
+
+
+
+ , requires an authentication
+ mechanism that operates with single-use authentication
+ data.
+
+
+ Attempts to reuse authentication data.
+
+
+ The TSF shall prevent reuse of authentication data related
+ to
+
+
+ identified authentication mechanism(s)
+
+
+
+ the PP/ST author should specify the list of
+ authentication mechanisms to which this requirement
+ applies. This assignment can be ``all
+ authentication mechanisms''. An example of
+ this assignment could be ``the
+ authentication mechanism employed to authenticate
+ people on the external network''.
+
+ .
+
+
+
+
+
+
+ The use of this component allows specification of
+ requirements for more than one authentication mechanism to
+ be used within a TOE. For each distinct mechanism,
+ applicable requirements must be chosen from the class to be applied to each
+ mechanism.
It is possible that the same component could be
+ selected multiple times in order to reflect different
+ requirements for the different use of the authentication
+ mechanism.
+
+ The management functions in the class FMT may provide
+ maintenance capabilities for the set of authentication
+ mechanisms, as well as the rules that determine whether
+ the authentication was successful.
+
+ To allow anonymous users to interact with the TOE, a
+ ``none'' authentication mechanism can be incorporated. The
+ use of such access should be clearly explained in the
+ rules of .
+
+
+
+ , requires that different
+ authentication mechanisms be provided and used to
+ authenticate user identities for specific events.
+
+
+ the management of authentication mechanisms;
+
+
+ the management of the rules for authentication.
+
+
+ The final decision on authentication;
+
+
+ The result of each activated mechanism together with the
+ final decision.
+
+
+ The TSF shall provide
+
+
+ list of multiple authentication mechanisms
+
+
+
+ the PP/ST author should define the available
+ authentication mechanisms. An example of such a list
+ could be: ``none, password mechanism,
+ biometric (retinal scan), S/key mechanism''.
+
+
+ to support user authentication.
+
+
+ The TSF shall authenticate any user's claimed
+ identity according to the
+
+
+ rules describing how the multiple authentication
+ mechanisms provide authentication
+
+
+
+ the PP/ST author should specify the rules that
+ describe how the authentication mechanisms provide
+ authentication and when each is to be used. This means
+ that for each situation the set of mechanisms that
+ might be used for authenticating the user must be
+ described.
An example of a list of such rules is:
+ ``if the user has special privileges a
+ password mechanism and a biometric mechanism both
+ shall be used, with success only if both succeed; for
+ all other users a password mechanism shall be
+ used.''
+
+ The PP/ST author might give the boundaries within
+ which the authorised administrator may specify
+ specific rules. An example of a rule is:
+ ``the user shall always be authenticated by
+ means of a token; the administrator might specify
+ additional authentication mechanisms that also must be
+ used.'' The PP/ST author also might choose
+ not to specify any boundaries but leave the
+ authentication mechanisms and their rules completely
+ up to the authorised administrator.
+
+ .
+
+
+
+
+
+
+ This component addresses potential needs to
+ re-authenticate users at defined points in time. These may
+ include user requests for the TSF to perform security
+ relevant actions, as well as requests from non-TSF
+ entities for re-authentication (e.g. a server application
+ requesting that the TSF re-authenticate the client it is
+ serving).
+
+
+
+ , requires the ability to specify
+ events for which the user needs to be re-authenticated.
+
+
+ if an authorised administrator could request
+ re-authentication, the management includes a
+ re-authentication request.
+
+
+ Failure of reauthentication;
+
+
+ All reauthentication attempts.
+
+
+ The TSF shall re-authenticate the user under the conditions
+
+
+ list of conditions under which re-authentication is
+ required
+
+
+
+ the PP/ST author should specify the list of conditions
+ requiring re-authentication. This list could include a
+ specified user inactivity period that has elapsed, the
+ user requesting a change in active security
+ attributes, or the user requesting the TSF to perform
+ some security critical function.
+
+ The PP/ST author might give the boundaries within
+ which the reauthentication should occur and leave the
+ specifics to the authorised administrator.
An example
+ of such a rule is: ``the user shall always
+ be re-authenticated at least once a day; the
+ administrator might specify that the re-authentication
+ should happen more often but not more often than once
+ every 10 minutes.''
+
+ .
+
+
+
+
+
+
+
+
+
+ This component addresses the feedback on the
+ authentication process that will be provided to the
+ user. In some systems the feedback consists of indicating
+ how many characters have been typed but not showing the
+ characters themselves, in other systems even this
+ information might not be appropriate.
+
+ This component requires that the authentication data is
+ not provided as-is back to the user. In a workstation
+ environment, it could display a
+ ``dummy'' (e.g. star) for each
+ password character provided, and not the original
+ character.
+
+
+
+ , requires that only limited
+ feedback information is provided to the user during the
+ authentication.
+
+
+ The TSF shall provide only
+
+
+ list of feedback
+
+
+
+ the PP/ST author should specify the feedback related
+ to the authentication process that will be provided to
+ the user. An example of a feedback assignment is
+ ``the number of characters
+ typed'', another type of feedback is
+ ``the authentication mechanism that failed
+ the authentication''.
+
+
+ to the user while the authentication is in progress.
+
+
+
+
+
+
+
+ This family defines the conditions under which users shall
+ be required to identify themselves before performing any
+ other actions that are to be mediated by the TSF and which
+ require user identification.
+
+
+
+ This family defines the conditions under which users are
+ required to identify themselves before performing any other
+ actions that are to be mediated by the TSF and that require
+ user identification.
+
+
+
+
+
+ This component poses requirements for the user to be
+ identified. The PP/ST author can indicate specific actions
+ that can be performed before the identification takes
+ place.
+
+ If is used, the TSF-mediated
+ actions mentioned in should also
+ appear in this .
+
+
+
+ , allows users to perform certain
+ actions before being identified by the TSF.
+
+
+ the management of the user identities;
+
+
+ if an authorised administrator can change the actions
+ allowed before identification, the managing of the action
+ lists.
+
+
+ Unsuccessful use of the user identification mechanism,
+ including the user identity provided;
+
+
+ All use of the user identification mechanism, including the
+ user identity provided.
+
+
+ The TSF shall allow
+
+
+ list of TSF-mediated actions
+
+
+
+ the PP/ST author should specify a list of TSF-mediated
+ actions that can be performed by the TSF on behalf of
+ a user before the user has to identify itself. If no
+ actions are appropriate, component should be used instead. An example of
+ such an action might include the request for help on
+ the login procedure.
+
+
+ on behalf of the user to be performed before the user is
+ identified.
+
+
+ The TSF shall require each user to be successfully identified before
+ allowing any other TSF-mediated actions on behalf of that user.
+
+
+
+
+
+
+
+ In this component users will be identified. A user is not
+ allowed by the TSF to perform any action before being
+ identified.
+
+
+
+ , requires that users identify
+ themselves before any other action will be allowed by the TSF.
+
+
+ the management of the user identities.
+
+
+
+
+ The TSF shall require each user to be successfully identified before
+ allowing any other TSF-mediated actions on behalf of that user.
+
+
+
+
+
+
+
+ An authenticated user, in order to use the TOE, typically
+ activates a subject. The user's security
+ attributes are associated (totally or partially) with this
+ subject. This family defines requirements to create and
+ maintain the association of the user's security
+ attributes to a subject acting on the user's
+ behalf.
+
+
+
+ An authenticated user, in order to use the TOE, typically
+ activates a subject. The user's security
+ attributes are associated (totally or partially) with this
+ subject. This family defines requirements to create and
+ maintain the association of the user's security
+ attributes to a subject acting on the user's
+ behalf.
+
+
+
+ It is intended that a subject is
+ acting on behalf of the user who caused the subject to come into
+ being or to be activated to perform a certain task.
+ Therefore, when a subject is created, that subject is acting on
+ behalf of the user who initiated the creation. In cases where
+ anonymity is used, the subject is still acting on behalf of a
+ user, but the identity of that user is unknown. A special
+ category of subjects are those subjects that serve multiple
+ users (e.g. a server process). In such cases the user that
+ created this subject is assumed to be the ``owner''., requires the specification of any rules
+ governing the association between user attributes and the
+ subject attributes into which they are mapped.
+ an authorised administrator can define default subject security
+ attributes.
+
+ an authorised administrator can change subject security
+ attributes.
+
+ Unsuccessful binding of user security attributes to a subject
+ (e.g. creation of a subject).
+
+ Success and failure of binding of user security attributes to a
+ subject (e.g. success or failure to create a subject).
+
+ The TSF shall associate the following user security attributes
+ with subjects acting on the behalf of that user:
+
+ list of user security attributes
+
+ the PP/ST author should specify a list of the user security
+ attributes that are to be bound to subjects..
+
+ The TSF shall enforce the following rules on the initial
+ association of user security attributes with subjects acting on
+ the behalf of users:
+
+ rules for the initial association of attributes
+
+ the PP/ST author should specify any rules that are to apply
+ upon initial association of attributes with subjects, or
+ ``none''..
+
+ The TSF shall enforce the following rules governing changes to the
+ user security attributes associated with subjects acting on the
+ behalf of users:
+
+ rules for the changing of attributes
+
+ the PP/ST author should specify any rules that are to apply
+ when changes are made to the user security attributes
+ associated with subjects acting on behalf of users, or
+ ``none''..
+
+
+
+
+
+
+ This class is intended to specify the management of several
+ aspects of the TSF: security attributes, TSF data and
+ functions. The different management roles and their
+ interaction, such as separation of capability, can be
+ specified.
+
+ This class has several objectives:
+
+
+ management of TSF data, which include, for example,
+ banners;
+
+
+ management of security attributes, which include, for
+ example, the Access Control Lists, and Capability Lists;
+
+
+ management of functions of the TSF, which includes, for
+ example, the selection of functions, and rules or
+ conditions influencing the behaviour of the TSF;
+
+
+ definition of security roles.
+
+
+
+
+
+ This class specifies the management of several aspects of the
+ TSF: security attributes, TSF data and functions in the
+ TSF. The different management roles and their interaction,
+ such as separation of capability, can also be specified
+
+ In an environment where the TOE is made up of multiple
+ physically separated parts, the timing issues with respect to
+ propagation of security attributes, TSF data, and function
+ modification become very complex, especially if the
+ information is required to be replicated across the parts of
+ the TOE.
This should be considered when selecting components
+ such as , or , where the behaviour might be
+ impaired. In such situations, use of components from is advisable.
+
+
+
+
+
+ This family allows authorised users control over the
+ management of functions in the TSF. Examples of functions in
+ the TSF include the audit functions and the multiple
+ authentication functions.
+
+
+
+ The TSF management functions enable authorised users to set
+ up and control the secure operation of the TOE. These
+ administrative functions typically fall into a number of
+ different categories:
+
+
+ Management functions that relate to access control,
+ accountability and authentication controls enforced by
+ the TOE. For example, definition and update of user
+ security characteristics (e.g. unique identifiers
+ associated with user names, user accounts, system entry
+ parameters) or definition and update of auditing system
+ controls (e.g. selection of audit events, management of
+ audit trails, audit trail analysis, and audit report
+ generation), definition and update of per-user policy
+ attributes (such as user clearance), definition of known
+ system access control labels, and control and management
+ of user groups.
+
+
+ Management functions that relate to controls over
+ availability. For example, definition and update of
+ availability parameters or resource quotas.
+
+
+ Management functions that relate to general installation
+ and configuration. For example, TOE configuration,
+ manual recovery, installation of TOE security fixes (if
+ any), repair and reinstallation of hardware.
+
+
+ Management functions that relate to routine control and
+ maintenance of TOE resources. For example, enabling and
+ disabling peripheral devices, mounting of removable
+ storage media, backup and recovery.
+
+
+
+ Note that these functions need to be present in a TOE based
+ on the families included in the PP or ST.
It is the
+ responsibility of the PP/ST author to ensure that adequate
+ functions will be provided to manage the TOE in a secure
+ fashion.
+
+ The TSF might contain functions that can be controlled by an
+ administrator. For example, the auditing functions could be
+ switched off, the time synchronisation could be switchable,
+ and/or the authentication mechanism could be modifiable.
+
+
+
+
+
+
+
+
+
+ This component allows identified roles to manage the
+ security functions of the TSF. This might entail obtaining
+ the current status of a security function, disabling or
+ enabling the security function, or modifying the behaviour
+ of the security function. An example of modifying the
+ behaviour of the security functions is changing of
+ authentication mechanisms.
+
+
+
+ allows the authorised users (roles)
+ to manage the behaviour of functions in the TSF that use
+ rules or have specified conditions that may be manageable.
+
+
+ managing the group of roles that can interact with the
+ functions in the TSF;
+
+
+ All modifications in the behaviour of the functions in the
+ TSF.
+
+
+ The TSF shall restrict the ability to
+
+
+ determine the behaviour of
+
+
+ disable
+
+
+ enable
+
+
+ modify the behaviour of
+
+
+
+ the PP/ST author should select whether the role can
+ determine the behaviour of, disable, enable, and/or
+ modify the behaviour of the security functions.
+
+
+ the functions
+
+
+ list of functions
+
+
+
+ the PP/ST author should specify the functions that can
+ be modified by the identified roles. Examples include
+ auditing and time determination.
+
+
+ to
+
+
+ the authorised identified roles
+
+
+
+ the PP/ST author should specify the roles that are
+ allowed to modify the functions in the TSF. The
+ possible roles are specified in .
+
+ .
+
+
+
+
+
+
+
+ This family allows authorised users control over the
+ management of security attributes. This management might
+ include capabilities for viewing and modifying of security
+ attributes.
+ + + + This family defines the requirements on the management of + security attributes. + + Security attributes affect the behaviour of the TSF. Examples of + security attributes are the groups to which a user belongs, the + roles he/she might assume, the priority of a process (subject), + and the rights belonging to a role or a user. These security + attributes might need to be managed by the user, a subject, a + specific authorised user (a user with explicitly given rights + for this management) or inherit values according to a given + policy/set of rules. + + It is noted that the right to assign rights to users is + itself a security attribute and/or potentially subject to + management by . + can be used to ensure that any + accepted combination of security attributes is within a + secure state. The definition of what + ``secure'' means is left to the TOE guidance. + + In some instances subjects, objects or user accounts are + created. If no explicit values for the related security + attributes are given, default values need to be used. can be used to specify that these default + values can be managed. + + + + + + + + + + + + + This component allows users acting in certain roles to + manage identified security attributes. The users are + assigned to a role within the component . + + The default value of a parameter is the value the + parameter takes when it is instantiated without + specifically assigned values. An initial value is provided + during the instantiation (creation) of a parameter, and + overrides the default value. + + + + allows authorised users (roles) to + manage the specified security attributes. + + + managing the group of roles that can interact with the + security attributes; + + management of rules by which security attributes inherit + specified values. + + + All modifications of the values of security attributes. 
+ + + The TSF shall enforce the + + access control SFP(s), information flow control SFP(s) + + the PP/ST author should list the access control SFP(s) or + the information flow control SFP(s) for which the security + attributes are applicable. + to restrict the ability to + + + change_default + + + query + + + modify + + + delete + + + + + other operations + + + + if selected, the PP/ST author should specify which + other operations the role could perform. An + example of such an operation could be + ``create''. + + + + + + the PP/ST author should specify the operations that + can be applied to the identified security + attributes. The PP/ST author can specify that the role + can modify the default value (change_default), query, + modify the security attribute, delete the security + attributes entirely or define their own operation. + + + the security attributes + + + list of security attributes + + + + the PP/ST author should specify the security + attributes that can be operated on by the identified + roles. It is possible for the PP/ST author to specify + that the default value such as default access-rights + can be managed. Examples of these security attributes + are user-clearance, priority of service level, access + control list, default access rights. + + + to + + + the authorised identified roles + + + + the PP/ST author should specify the roles that are + allowed to operate on the security attributes. The + possible roles are specified in . + + . + + + + + + + + + + + + + + + This component contains requirements on the values that + can be assigned to security attributes. The assigned + values should be such that the TOE will remain in a secure + state. + + The definition of what ``secure'' means is + not answered in this component but is left to the + development of the TOE and the resulting information in the + guidance. An example could be that if a user account is + created, it should have a non-trivial password. 
+ + + + ensures that values assigned to + security attributes are valid with respect to the secure + state. + + management of rules by which security attributes inherit + specified values. + + + All offered and rejected values for a security attribute; + + + All offered and accepted secure values for a security + attribute. + + + The TSF shall ensure that only secure values are accepted + for + list of security attributes + + the PP/ST author should specify the list of security + attributes that require only secure values to be provided.. + + + + + + + + + + + This component requires that the TSF provide default + values for relevant object security attributes, which can + be overridden by an initial value. It may still be + possible for a new object to have different security + attributes at creation, if a mechanism exists to specify + the permissions at time of creation. + + + + ensures that the default values of + security attributes are appropriately either permissive or + restrictive in nature. + + + managing the group of roles that can specify initial values; + + + managing the permissive or restrictive setting of default values + for a given access control SFP; + + management of rules by which security attributes inherit specified values. + + + Modifications of the default setting of permissive or + restrictive rules. + + + All modifications of the initial values of security + attributes. + + + The TSF shall enforce the + + + access control SFP, information flow control SFP + + + + the PP/ST author should list the access control SFP or + the information flow control SFP for which the + security attributes are applicable. + + + to provide + + + restrictive + + + permissive + + + other property + + if the PP/ST author selects another property, the PP/ST + author should specify the desired characteristics of the + default values. 
+ + + the PP/ST author should select whether the default property + of the access control attribute will be restrictive, + permissive, or another property. Only one of these options + may be chosen. + + + default values for security attributes that are used to + enforce the SFP. + + + The TSF shall allow the + + + the authorised identified roles + + + + the PP/ST author should specify the roles that are + allowed to modify the values of the security + attributes. The possible roles are specified in . + + + to specify alternative initial values to override the + default values when an object or information is created. + + + This component requires specification of the set of rules + through which the security attribute inherits values and the + conditions to be met for these rules to be applied. allows the rules/policies + to be specified that will dictate the value to be inherited + by a security attribute. + specification of the role permitted to establish or modify + security attributes. + + Modifications of security attributes, possibly with the old + and/or values of security attributes that were modified. + + The TSF shall use the following rules to set the value of security attributes: + + rules for setting the values of security attributes + + the PP/ST author specifies the rules governing the value + that will be inherited by the specified security + attribute, including the conditions that are to be met + for the rules to be applied. For example, if a new file + or directory is created (in a multilevel filesystem), + its label is the label at which the user is logged in at + the time it is created. + + + + + + This family allows authorised users (roles) control over the + management of TSF data. Examples of TSF data include audit + information, clock and other TSF + configuration parameters. + + + + This component imposes requirements on the management of TSF + data. Examples of TSF data are the current time and the + audit trail. 
So, for example, this family allows the + specification of whom can read, delete or create the audit + trail. + + + + + + + + + This component allows users with a certain role to manage + values of TSF data. The users are assigned to a role + within the component . + + The default value of a parameter is the values the + parameter takes when it is instantiated without + specifically assigned values. An initial value is provided + during the instantiation (creation) of a parameter and + overrides the default value. + + + + allows authorised users to manage + TSF data. + + + managing the group of roles that can interact with the TSF + data. + + + All modifications to the values of TSF data. + + + The TSF shall restrict the ability to + + + change_default + + + query + + + modify + + + delete + + + clear + + + + + other operations + + + + if selected, the PP/ST author should specify which + other operations the role could perform. An + example could be + ``create''. + + + + + + the PP/ST author should specify the operations that + can be applied to the identified TSF data. The PP/ST + author can specify that the role can modify the + default value (change_default), clear, query or modify + the TSF data, or delete the TSF data entirely. If so + desired the PP/ST author could specify any type of + operation. To clarify ``clear TSF data'' means that + the content of the TSF data is removed, but that the + entity that stores the TSF data remains in the + TOE. + + + the + + + list of TSF data + + + + the PP/ST author should specify the TSF data that can + be operated on by the identified roles. It is possible + for the PP/ST author to specify that the default value + can be managed. + + + to + + + the authorised identified roles + + + + the PP/ST author should specify the roles that are + allowed to operate on the TSF data. The possible roles + are specified in . + + . 
+ + + + + + + + + + + This component specifies limits on TSF data, and actions + to be taken if these limits are exceeded. This component, + for example, will allow limits on the size of the audit + trail to be defined, and specification of the actions to + be taken when these limits are exceeded. + + + + specifies the action to be taken if + limits on TSF data are reached or exceeded. + + + managing the group of roles that can interact with the + limits on the TSF data. + + + All modifications to the limits on TSF data; + + + All modifications in the actions to be taken in case of + violation of the limits. + + + The TSF shall restrict the specification of the limits for + + + list of TSF data + + + + the PP/ST author should specify the TSF data that can + have limits, and the value of those limits. An example + of such TSF data is the number of users logged-in. + + + to + + + the authorised identified roles + + + + the PP/ST author should specify the roles that are + allowed to modify the limits on the TSF data and the + actions to be taken. The possible roles are specified + in . + + . + + + The TSF shall take the following actions, if the TSF data + are at, or exceed, the indicated limits: + + + actions to be taken + + + + the PP/ST author should specify the actions to be + taken if the specified limit on the specified TSF data + is exceeded. An example of such TSF action is that the + authorised user is informed and an audit record is + generated. + + . + + + + + + + + + + This component covers requirements on the values that can + be assigned to TSF data. The assigned values should be + such that the TOE will remain in a secure state. + + The definition of what ``secure'' means is not + answered in this component but is left to the development of + the TOE and the + resulting information in the guidance. + + + + ensures that values assigned to TSF + data are valid with respect to the secure state. + + + All rejected values of TSF data. 
+ + + The TSF shall ensure that only secure values are accepted + for + list of TSF data + + the PP/ST author should specify what TSF data require only + secure values to be accepted.. + + + + + + + + This family addresses revocation of security attributes for + a variety of entities within a TOE. + + + + This family addresses revocation of security attributes for + a variety of entities within a TOE. + + + + + + + + + This component specifies requirements on the revocation of + rights. It requires the specification of the revocation + rules. Examples are: + + + Revocation will take place on the next login of the + user; + + + Revocation will take place on the next attempt to open + the file; + + + Revocation will take place within a fixed time. This + might mean that all open connections are re-evaluated + every x minutes. + + + + + + provides for revocation of security + attributes to be enforced at some point in time. + + + managing the group of roles that can invoke revocation of + security attributes; + + + managing the lists of users, subjects, objects and other + resources for which revocation is possible; + + + managing the revocation rules. + + + Unsuccessful revocation of security attributes; + + + All attempts to revoke security attributes. + + + The TSF shall restrict the ability to revoke + + list of security attributes + + the PP/ST author should specify which security attributes + are to be revoked when a change is made to the associated + object/subject/user/other resource. + associated with the + + users + + subjects + + objects + other additional resources + the PP/ST author should, if additional resources is + selected, specify whether the ability to revoke their + security attributes shall be provided by the + TSF. + the PP/ST author should specify whether the ability to + revoke security attributes from users, subjects, objects, + or any additional resources shall be provided by the + TSF. 
+ under the control of the TSF to + + the authorised identified roles + + the PP/ST author should specify the roles that are allowed + to modify the functions in the TSF. The possible roles are + specified in .. + + + The TSF shall enforce the rules + + + specification of revocation rules + + + + the PP/ST author should specify the revocation + rules. Examples of these rules could include: + ``prior to the next operation on the + associated resource'', or ``for + all new subject creations''. + + . + + + + + + + + This family addresses the capability to enforce time limits + for the validity of security attributes. + + + + This family addresses the capability to enforce time limits + for the validity of security attributes. This family can be + applied to specify expiration requirements for access + control attributes, identification and authentication + attributes, certificates (key certificates such as ANSI X509 + for example), audit attributes, etc. + + + + + + + + + + provides the capability for an + authorised user to specify an expiration time on specified + security attributes. + + + managing the list of security attributes for which + expiration is to be supported; + + + the actions to be taken if the expiration time has passed. + + + Specification of the expiration time for an attribute; + + + Action taken due to attribute expiration. + + + The TSF shall restrict the capability to specify an + expiration time for + + + list of security attributes for which expiration is to + be supported + + + + the PP/ST author should provide the list of security + attributes for which expiration is to be supported. An + example of such an attribute might be a + user's security clearance. + + + to + + + the authorised identified roles + + + + the PP/ST author should specify the roles that are + allowed to modify the security attributes in the + TSF. The possible roles are specified in . + + . 
+ + + For each of these security attributes, the TSF shall be able + to + + + list of actions to be taken for each security attribute + + + + the PP/ST author should provide a list of actions to + be taken for each security attribute when it + expires. An example might be that the + user's security clearance, when it expires, + is set to the lowest allowable clearance on the + TOE. If immediate revocation is desired by the PP/ST, + the action ``immediate + revocation'' should be specified. + + + after the expiration time for the indicated security + attribute has passed. + + + + This family allows the specification of the management + functions to be provided by the TOE. Management functions + provide TSFI that allow administrators to define the + parameters that control the operation of security-related + aspects of the TOE, such as data protection attributes, TOE + protection attributes, audit attributes, and identification + and authentication attributes. Management functions also + include those functions performed by an operator to ensure + continued operation of the TOE, such as backup and + recovery. This family works in conjunction with the other + components in the class: the component in + this family calls out the management functions, and other + families in restrict the ability to use + these management functions. + This family allows the specification of the management + functions to be provided by the TOE. Each security + management function that is listed in fulfilling the + assignment is either security attribute management, TSF data + management, or security function management. + This component specifies the management functions to be + provided. + PP/ST authors should consult the ``Management'' sections + for components included in their PP/ST to provide a basis + for the management functions to be listed via this + component. requires that the TSF provide + specific management functions. + Use of the management functions. 
+ + The TSF shall be capable of performing the following + management functions: + + list of management functions to be provided by + the TSF + + the PP/ST author should specify the management + functions to be provided by the TSF, either security + attribute management, TSF data management, or security + function management.. + + + + + + This family is intended to control the assignment of + different roles to users. The capabilities of these roles + with respect to security management are described in the + other families in this class. + + + + This family reduces the likelihood of damage resulting from + users abusing their authority by taking actions outside + their assigned functional responsibilities. It also + addresses the threat that inadequate mechanisms have been + provided to securely administer the TSF. + + This family requires that information be maintained to + identify whether a user is authorised to use a particular + security-relevant administrative function. + + Some management actions can be performed by users, others + only by designated people within the organisation. This + family allows the definition of different roles, such as + owner, auditor, administrator, daily-management. + + The roles as used in this family are security related + roles. Each role can encompass an extensive set of + capabilities (e.g. root in UNIX), or can be a single right + (e.g. right to read a single object such as the + helpfile). This family defines the roles. The capabilities + of the role are defined in , and . + + Some type of roles might be mutually exclusive. For example + the daily-management might be able to define and activate + users, but might not be able to remove users (which is + reserved for the administrator (role)). This class will + allow policies such as two-person control to be specified. + + + + + + + + + This component specifies the different roles that the TSF + should recognise. 
Often the system distinguishes between + the owner of an entity, an administrator and other users. + + + + specifies the roles with respect to + security that the TSF recognises. + + + managing the group of users that are part of a role. + + + modifications to the group of users that are part of a role; + + + every use of the rights of a role. + + + The TSF shall maintain the roles + + + the authorised identified roles + + + + the PP/ST author should specify the roles that are + recognised by the system. These are the roles that + users could occupy with respect to security. Examples + are: owner, auditor and administrator. + + . + + + The TSF shall be able to associate users with roles. + + + + + + + + + + + This component specifies the different roles that the TSF + should recognise, and conditions on how those roles could + be managed. Often the system distinguishes between the + owner of an entity, an administrator and other users. + + The conditions on those roles specify the + interrelationship between the different roles, as well as + restrictions on when the role can be assumed by a user. + + + + specifies that in addition to the + specification of the roles, there are rules that control + the relationship between the roles. + + + managing the group of users that are part of a role; + + + managing the conditions that the roles must satisfy. + + + modifications to the group of users that are part of a role; + + + unsuccessful attempts to use a role due to the given + conditions on the roles; + + + every use of the rights of a role. + + + The TSF shall maintain the roles: + + + authorised identified roles + + + + the PP/ST author should specify the roles that are + recognised by the system. These are the roles that + users could occupy with respect to security. Examples + are: owner, auditor, administrator. + + . + + + The TSF shall be able to associate users with roles. 
+ + + The TSF shall ensure that the conditions + + + conditions for the different roles + + + + the PP/ST author should specify the conditions that + govern role assignment. Examples of these conditions + are: ``an account cannot have both the + auditor and administrator role'' or + ``a user with the assistant role must also + have the owner role''. + + + are satisfied. + + + + + + + + + + This component specifies that an explicit request must be + given to assume the specific role. + + + + , requires that an explicit request + is given to the TSF to assume a role. + + + explicit request to assume a role. + + + The TSF shall require an explicit request to assume the + following roles: + + + the roles + + + + the PP/ST author should specify the roles that require + an explicit request to be assumed. Examples are: + auditor and administrator. + + . + + + + + + + + This class contains privacy requirements. These requirements + provide a user protection against discovery and misuse of + identity by other users. + + + + This class describes the requirements that could be levied to + satisfy the users' privacy needs, while still allowing + the system flexibility as far as possible to maintain + sufficient control over the operation of the system. + + In the components of this class there is flexibility as to + whether or not authorised users are covered by the required + security functionality. For example, a PP/ST author might + consider it appropriate not to require protection of the privacy + of users against a suitably authorised user. + + This class, together with other classes (such as those + concerned with audit, access control, trusted path, and + non-repudiation) provides the flexibility to specify the + desired privacy behaviour. On the other hand, the requirements + in this class might impose limitations on the use of the + components of other classes, such as or . For example, if + authorised users are not allowed to see the user identity + (e.g. 
Anonymity or Pseudonymity), it will obviously not be + possible to hold individual users accountable for any security + relevant actions they perform that are covered by the privacy + requirements. However, it may still be possible to include + audit requirements in a PP/ST, where the fact that a + particular security relevant event has occurred is more + important than knowing who was responsible for it. + + Additional information is provided in the application notes + for class , where it is explained that the + definition of ``identity'' in the context of + auditing can also be an alias or other information that could + identify a user. + + This class describes four families: Anonymity, Pseudonymity, + Unlinkability and Unobservability. Anonymity, Pseudonymity and + Unlinkability have a complex interrelationship. When choosing + a family, the choice should depend on the threats + identified. For some types of privacy threats, pseudonymity + will be more appropriate than anonymity (e.g. if there is a + requirement for auditing). In addition, some types of privacy + threats are best countered by a combination of components from + several families. + + All families assume that a user does not explicitly perform an + action that discloses the user's own identity. For + example, the TSF is not expected to screen the user name in + electronic messages or databases. + + All families in this class have components that can be scoped + through operations. These operations allow the PP/ST author to + state the cooperating users/subjects to which the TSF must be + resistant. An example of an instantiation of anonymity could + be: `` The TSF shall ensure that the users and/or + subjects are unable to determine the user identity bound to + the teleconsulting application''. + + It is noted that the TSF should not only provide this + protection against individual users, but also against users + cooperating to obtain the information. 
+ + + + + + This family ensures that a user may use a resource or + service without disclosing the user's identity. The + requirements for Anonymity provide protection of the user + identity. Anonymity is not intended to protect the subject + identity. + + + + Anonymity ensures that a subject may use a resource or + service without disclosing its user identity. + + The intention of this family is to specify that a user or + subject might take action without releasing its user + identity to others such as users, subjects, or objects. The + family provides the PP/ST author with a means to identify + the set of users that cannot see the identity of someone + performing certain actions. + + Therefore if a subject, using anonymity, performs an action, + another subject will not be able to determine either the + identity or even a reference to the identity of the user + employing the subject. The focus of the anonymity is on the + protection of the users identity, not on the protection of + the subject identity; hence, the identity of the subject is + not protected from disclosure. + + Although the identity of the subject is not released to + other subjects or users, the TSF is not explicitly + prohibited from obtaining the users identity. In case the + TSF is not allowed to know the identity of the user, could be invoked. In that case + the TSF should not request the user information. + + The interpretation of ``determine'' should be + taken in the broadest sense of the word. + + The component levelling distinguishes between the users and + an authorised user. An authorised user is often excluded + from the component, and therefore allowed to retrieve a + user's identity. However, there is no specific + requirement that an authorised user must be able to have the + capability to determine the user's identity. For + ultimate privacy the components would be used to say that no + user or authorised user can see the identity of anyone + performing any action. 
+ + Although some systems will provide anonymity for all + services that are provided, other systems provide anonymity + for certain subjects/operations. To provide this + flexibility, an operation is included where the scope of the + requirement is defined. If the PP/ST author wants to address + all subjects/operations, the words ``all subjects and + all operations'' could be provided. + + Possible applications include the ability to make enquiries + of a confidential nature to public databases, respond to + electronic polls, or make anonymous payments or donations. + + Examples of potential hostile users or subjects are + providers, system operators, communication partners and + users, who smuggle malicious parts (e.g. Trojan Horses) into + systems. All of these users can investigate usage patterns + (e.g. which users used which services) and misuse this + information. + + + + + + This component ensures that the identity of a user is + protected from disclosure. There may be instances, + however, that a given authorised user can determine who + performed certain actions. This component gives the + flexibility to capture either a limited or total privacy + policy. + + + + , requires that other users or + subjects are unable to determine the identity of a user + bound to a subject or operation. + + + The invocation of the anonymity mechanism. + + + The TSF shall ensure that + + + set of users and/or subjects + + + + the PP/ST author should specify the set of users + and/or subjects against which the TSF must provide + protection. For example, even if the PP/ST author + specifies a single user or subject role, the TSF must + not only provide protection against each individual + user or subject, but must protect with respect to + cooperating users and/or subjects. A set of users, for + example, could be a group of users which can operate + under the same role or can all use the same + process(es). 
+ + + are unable to determine the real user name bound to + + + list of subjects and/or operations and/or objects + + + + the PP/ST author should identify the list of subjects + and/or operations and/or objects where the real user + name of the subject should be protected, for example, + ``the voting application''. + + . + + + + + + + + This component is used to ensure that the TSF is not + allowed to know the identity of the user. + + + + enhances the + requirements of by + ensuring that the TSF does not ask for the user + identity. + + + + The TSF shall ensure that + + + set of users and/or subjects + + + + the PP/ST author should specify the set of users + and/or subjects against which the TSF must provide + protection. For example, even if the PP/ST author + specifies a single user or subject role, the TSF must + not only provide protection against each individual + user or subject, but must protect with respect to + cooperating users and/or subjects. A set of users, for + example, could be a group of users which can operate + under the same role or can all use the same + process(es). + + + are unable to determine the real user name bound to + + + list of subjects and/or operations and/or objects + + + + the PP/ST author should identify the list of subjects + and/or operations and/or objects where the real user + name of the subject should be protected, for example, + ``the voting application''. + + . + + + The TSF shall provide + + + list of services + + + + the PP/ST author should identify the list of services + which are subject to the anonymity requirement, for + example, ``the accessing of job + descriptions''. + + + to + + + list of subjects + + + + the PP/ST author should identify the list of subjects + from which the real user name of the subject should be + protected when the specified services are provided. + + + without soliciting any reference to the real user name. 
+ + + + + + + + This family ensures that a user may use a resource or + service without disclosing its user identity, but can still + be accountable for that use. + + + + Pseudonymity ensures that a user may use a resource or + service without disclosing its identity, but can still be + accountable for that use. The user can be accountable by + directly being related to a reference (alias) held by the + TSF, or by providing an alias that will be used for + processing purposes, such as an account number. + + In several respects, pseudonymity resembles anonymity. Both + pseudonymity and anonymity protect the identity of the user, + but in pseudonymity a reference to the user's + identity is maintained for accountability or other purposes. + + The component does not + specify the requirements on the reference to the user's + identity. For the purpose of specifying requirements on this + reference two sets of requirements are presented: and . + + A way to use the reference is by being able to obtain the + original user identity. For example, in a digital cash + environment it would be advantageous to be able to trace the + user's identity when a check has been issued multiple times + (i.e. fraud). In general, the user's identity needs to be + retrieved under specific conditions. The PP/ST author might + want to incorporate to + describe those services. + + Another usage of the reference is as an alias for a + user. For example, a user who does not wish to be + identified, can provide an account to which the resource + utilisation should be charged. In such cases, the reference + to the user identity is an alias for the user, where other + users or subjects can use the alias for performing their + functions without ever obtaining the user's + identity (for example, statistical operations on use of the + system). In this case, the PP/ST author might wish to + incorporate to specify the rules to + which the reference must conform. 
+
+ Using these constructs above, digital money can be created
+ using specifying that the user
+ identity will be protected and, if so specified in the
+ condition, that there be a requirement to trace the user
+ identity if the digital money is spent twice. When the user
+ is honest, the user identity is protected; if the user tries
+ to cheat, the user identity can be traced.
+
+ A different kind of system could be a digital credit card,
+ where the user will provide a pseudonym that indicates an
+ account from which the cash can be subtracted. In such
+ cases, for example, could be
+ used. This component would specify that the user identity
+ will be protected and, furthermore, that the same user will
+ only get assigned values for which he/she has provided money
+ (if so specified in the conditions).
+
+ It should be realised that the more stringent components
+ potentially cannot be combined with other requirements, such
+ as identification and authentication or audit. The
+ interpretation of ``determine the identity''
+ should be taken in the broadest sense of the word. The
+ information is not provided by the TSF during the operation,
+ nor can the entity determine the subject or the owner of the
+ subject that invoked the operation, nor will the TSF record
+ information, available to the users or subjects, which might
+ release the user identity in the future.
+
+ The intent is that the TSF not reveal any information that
+ would compromise the identity of the user, e.g. the identity
+ of subjects acting on the user's behalf. The
+ information that is considered to be sensitive depends on
+ the effort an attacker is capable of spending.
+
+ Possible applications include the ability to charge a caller
+ for premium rate telephone services without disclosing his
+ or her identity, or to be charged for the anonymous use of
+ an electronic payment system.
+
+ Examples of potential hostile users are providers, system
+ operators, communication partners and users, who smuggle
+ malicious parts (e.g. Trojan Horses) into systems. All of
+ these attackers can investigate which users used which
+ services and misuse this information. Additionally to
+ Anonymity services, Pseudonymity Services contains methods
+ for authorisation without identification, especially for
+ anonymous payment (``Digital Cash''). This
+ helps providers to obtain their payment in a secure way
+ while maintaining customer anonymity.
+
+
+
+
+
+ This component provides the user protection against
+ disclosure of identity to other users. The user will
+ remain accountable for its actions.
+
+
+
+ requires that a set of users and/or
+ subjects are unable to determine the identity of a user
+ bound to a subject or operation, but that this user is
+ still accountable for its actions.
+
+
+ The subject/user that requested resolution of the user
+ identity should be audited.
+
+
+ The TSF shall ensure that
+
+
+ set of users and/or subjects
+
+
+
+ the PP/ST author should specify the set of users
+ and/or subjects against which the TSF must provide
+ protection. For example, even if the PP/ST author
+ specifies a single user or subject role, the TSF must
+ not only provide protection against each individual
+ user or subject, but must protect with respect to
+ cooperating users and/or subjects. A set of users, for
+ example, could be a group of users which can operate
+ under the same role or can all use the same
+ process(es).
+
+
+ are unable to determine the real user name bound to
+
+
+ list of subjects and/or operations and/or objects
+
+
+
+ the PP/ST author should identify the list of subjects
+ and/or operations and/or objects where the real user
+ name of the subject should be protected, for example,
+ ``the accessing of job offers''.
Note
+ that ``objects'' includes any other
+ attributes that might enable another user or subject
+ to derive the actual identity of the user.
+
+ .
+
+
+ The TSF shall be able to provide
+
+
+ number of aliases
+
+
+
+ the PP/ST author should identify the (one or more)
+ number of aliases the TSF is able to provide.
+
+
+ aliases of the real user name to
+
+
+ list of subjects
+
+
+
+ the PP/ST author should identify the list of subjects
+ to whom the TSF is able to provide an alias.
+
+ .
+
+
+ The TSF shall
+
+
+ determine an alias for a user
+
+
+ accept the alias from the user
+
+
+
+ the PP/ST author should specify whether the user alias is
+ generated by the TSF, or supplied by the user. Only one of
+ these options may be chosen.
+
+
+ and verify that it conforms to the
+
+
+ alias metric
+
+
+
+ the PP/ST author should identify the metric to which
+ the TSF-generated or user-generated alias should
+ conform.
+
+ .
+
+
+
+
+
+
+
+
+
+
+ In this component, the TSF shall ensure that under
+ specified conditions the user identity related to a
+ provided reference can be determined.
+
+ In the TSF shall provide an alias
+ instead of the user identity. When the specified
+ conditions are satisfied, the user identity to which the
+ alias belong can be determined. An example of such a
+ condition in an electronic cash environment is: ``
+ The TSF shall provide the notary a capability to determine
+ the user identity based on the provided alias only under
+ the conditions that a check has been issued
+ twice.''.
+
+
+
+ , requires the TSF to provide a
+ capability to determine the original user identity based
+ on a provided alias.
+
+
+
+ The TSF shall ensure that
+
+
+ set of users and/or subjects
+
+
+
+ the PP/ST author should specify the set of users
+ and/or subjects against which the TSF must provide
+ protection.
For example, even if the PP/ST author
+ specifies a single user or subject role, the TSF must
+ not only provide protection against each individual
+ user or subject, but must protect with respect to
+ cooperating users and/or subjects. A set of users, for
+ example, could be a group of users which can operate
+ under the same role or can all use the same
+ process(es).
+
+
+ are unable to determine the real user name bound to
+
+
+ list of subjects and/or operations and/or objects
+
+
+
+ the PP/ST author should identify the list of subjects
+ and/or operations and/or objects where the real user
+ name of the subject should be protected, for example,
+ ``the accessing of job offers''. Note
+ that ``objects'' includes any other
+ attributes that might enable another user or subject
+ to derive the actual identity of the user.
+
+ .
+
+
+ The TSF shall be able to provide
+
+
+ number of aliases
+
+
+
+ the PP/ST author should identify the (one or more)
+ number of aliases the TSF, is able to provide.
+
+
+ aliases of the real user name to
+
+
+ list of subjects
+
+
+
+ the PP/ST author should identify the list of subjects
+ to whom the TSF is able to provide an alias.
+
+ .
+
+
+ The TSF shall
+
+
+ determine an alias for a user
+
+
+ accept the alias from the user
+
+
+
+ the PP/ST author should specify whether the user alias is
+ generated by the TSF or supplied by the user. Only one of
+ these options may be chosen.
+
+
+ and verify that it conforms to the
+
+
+ alias metric
+
+
+
+ the PP/ST author should identify the metric to which
+ the TSF-generated or user-generated alias should
+ conform.
+
+ .
+
+
+ The TSF shall provide
+
+
+ an authorised user
+
+
+
+
+ list of trusted subjects
+
+
+
+ the PP/ST author should identify the list of trusted
+ subjects that can obtain the real user name under a
+ specified condition, for example, a notary or
+ special authorised user.
+
+
+
+
+
+ the PP/ST author should select whether the authorised
+ user and/or trusted subjects can determine the real
+ user name.
+
+
+ a capability to determine the user identity based on the
+ provided alias only under the following
+
+
+ list of conditions
+
+
+
+ the PP/ST author should identify the list of
+ conditions under which the trusted subjects and
+ authorised user can determine the real user name based
+ on the provided reference. These conditions can be
+ conditions such as time of day, or they can be
+ administrative such as on a court order.
+
+ .
+
+
+
+
+
+
+
+ In this component, the TSF shall ensure that the provided
+ reference meets certain construction rules, and thereby
+ can be used in a secure way by potentially insecure
+ subjects.
+
+ If a user wants to use disk resources without disclosing
+ its identity, pseudonymity can be used. However, every
+ time the user accesses the system, the same alias must be
+ used. Such conditions can be specified in this component.
+
+
+
+ , requires the TSF to
+ follow certain construction rules for the alias to the user
+ identity.
+
+
+
+ The TSF shall ensure that
+
+
+ set of users and/or subjects
+
+
+
+ the PP/ST author should specify the set of users
+ and/or subjects against which the TSF must provide
+ protection. For example, even if the PP/ST author
+ specifies a single user or subject role, the TSF must
+ not only provide protection against each individual
+ user or subject, but must protect with respect to
+ cooperating users and/or subjects. A set of users, for
+ example, could be a group of users which can operate
+ under the same role or can all use the same
+ process(es).
+
+
+ are unable to determine the real user name bound to
+
+
+ list of subjects and/or operations and/or objects
+
+
+
+ the PP/ST author should identify the list of subjects
+ and/or operations and/or objects where the real user
+ name of the subject should be protected, for example,
+ ``the accessing of job offers''. Note
+ that ``objects'' includes any other
+ attributes which might enable another user or subject
+ to derive the actual identity of the user.
+
+ .
+
+
+ The TSF shall be able to provide
+
+
+ number of aliases
+
+
+
+ the PP/ST author should identify the (one or more)
+ number of aliases the TSF is able to provide.
+
+
+ aliases of the real user name to
+
+
+ list of subjects
+
+
+
+ the PP/ST author should identify the list of subjects
+ to whom the TSF is able to provide an alias.
+
+ .
+
+
+ The TSF shall
+
+
+ determine an alias for a user
+
+
+ accept the alias from the user
+
+
+
+ the PP/ST author should specify whether the user alias is
+ generated by the TSF, or supplied by the user. Only one of
+ these options may be chosen.
+
+
+ and verify that it conforms to the
+
+
+ alias metric
+
+
+
+ the PP/ST author should identify the metric to which
+ the TSF-generated or user-generated alias should
+ conform.
+
+ .
+
+
+ The TSF shall provide an alias to the real user name which
+ shall be identical to an alias provided previously under the
+ following
+
+
+ list of conditions
+
+
+
+ the PP/ST author should identify the list of
+ conditions that indicate when the used reference for
+ the real user name shall be identical and when it
+ shall be different, for example, ``when the
+ user logs on to the same host'' it will use a
+ unique alias.
+
+
+ otherwise the alias provided shall be unrelated to
+ previously provided aliases.
+
+
+
+
+
+
+ This family ensures that a user may make multiple uses of
+ resources or services without others being able to link
+ these uses together.
+
+
+
+ Unlinkability ensures that a user may make multiple uses of
+ resources or services without others being able to link
+ these uses together. Unlinkability differs from pseudonymity
+ that, although in pseudonymity the user is also not known,
+ relations between different actions can be provided.
+
+ The requirements for unlinkability are intended to protect
+ the user identity against the use of profiling of the
+ operations. For example, when a telephone smart card is
+ employed with a unique number, the telephone company can
+ determine the behaviour of the user of this telephone
+ card. When a telephone profile of the users is known, the
+ card can be linked to a specific user. Hiding the
+ relationship between different invocations of a service or
+ access of a resource will prevent this kind of information
+ gathering.
+
+ As a result, a requirement for unlinkability could imply
+ that the subject and user identity of an operation must be
+ protected. Otherwise this information might be used to link
+ operations together.
+
+ Unlinkability requires that different operations cannot be
+ related. This relationship can take several forms. For
+ example, the user associated with the operation, or the
+ terminal which initiated the action, or the time the action
+ was executed. The PP/ST author can specify what kind of
+ relationships are present that must be countered.
+
+ Possible applications include the ability to make multiple
+ use of a pseudonym without creating a usage pattern that
+ might disclose the user's identity.
+
+ Examples for potential hostile subjects and users are
+ providers, system operators, communication partners and
+ users, who smuggle malicious parts, (e.g. Trojan Horses)
+ into systems, they do not operate but want to get
+ information about. All of these attackers can investigate
+ (e.g. which users used which services) and misuse this
+ information.
Unlinkability protects users from linkages,
+ which could be drawn between several actions of a
+ customer. An example is a series of phone calls made by an
+ anonymous customer to different partners, where the
+ combination of the partner's identities might disclose the
+ identity of the customer.
+
+
+
+
+
+ This component ensures that users cannot link different
+ operations in the system and thereby obtain information.
+
+
+
+ , requires that users and/or subjects
+ are unable to determine whether the same user caused
+ certain specific operations.
+
+
+ the management of the unlinkability function.
+
+
+ The invocation of the unlinkability mechanism.
+
+
+ The TSF shall ensure that
+
+
+ set of users and/or subjects
+
+
+
+ the PP/ST author should specify the set of users
+ and/or subjects against which the TSF must provide
+ protection. For example, even if the PP/ST author
+ specifies a single user or subject role, the TSF must
+ not only provide protection against each individual
+ user or subject, but must protect with respect to
+ cooperating users and/or subjects. A set of users, for
+ example, could be a group of users which can operate
+ under the same role or can all use the same
+ process(es).
+
+
+ are unable to determine whether
+
+
+ list of operations
+
+
+
+ the PP/ST author should identify the list of
+ operations which should be subjected to the
+ unlinkability requirement, for example,
+ ``sending email''.
+
+
+
+
+ were caused by the same user
+
+
+ are related as follows
+
+
+ list of relations
+
+
+
+ the PP/ST author should identify the list of
+ relations which should be protected against, for
+ example, ``originate from the same
+ terminal''.
+
+
+
+
+
+ the PP/ST author should select the relationships that
+ should be obscured. The selection allows either the
+ user identity or an assignment of relations to be
+ specified.
+
+ .
+
+
+
+
+
+
+
+ This family ensures that a user may use a resource or
+ service without others, especially third parties, being able
+ to observe that the resource or service is being used.
+
+
+
+ Unobservability ensures that a user may use a resource or
+ service without others, especially third parties, being able
+ to observe that the resource or service is being used.
+
+ Unobservability approaches the user identity from a
+ different direction than the previous families Anonymity,
+ Pseudonymity and Unlinkability. In this case, the intent is
+ to hide the use of a resource or service, rather than to
+ hide the user's identity.
+
+ A number of techniques can be applied to implement
+ unobservability. Examples of techniques to provide
+ unobservability are:
+
+
+ Allocation of information impacting unobservability:
+ Unobservability relevant information (e.g. information
+ that describes that an operation occurred) can be
+ allocated in several locations within the TOE. The
+ information might be allocated to a single randomly
+ chosen part of the TOE such that an attacker does not
+ know which part of the TOE should be attacked. An
+ alternative system might distribute the information such
+ that no single part of the TOE has sufficient
+ information that, if circumvented, the privacy of the
+ user would be compromised. This technique is explicitly
+ addressed in .
+
+
+ Broadcast: When information is broadcast (e.g. ethernet,
+ radio), users cannot determine who actually received and
+ used that information. This technique is especially
+ useful when information should reach receivers which
+ have to fear a stigma for being interested in that
+ information (e.g. sensitive medical information).
+
+
+ Cryptographic protection and message padding: People
+ observing a message stream might obtain information from
+ the fact that a message is transferred and from
+ attributes on that message.
By traffic padding, message
+ padding and encrypting the message stream, the
+ transmission of a message and its attributes can be
+ protected.
+
+
+
+ Sometimes, users should not see the use of a resource, but an
+ authorised user must be allowed to see the use of the resource
+ in order to perform his duties. In such cases, the could be used, which provides the
+ capability for one or more authorised users to see the
+ usage.
+
+ This family makes use of the concept ``parts of the
+ TOE''. This is considered any part of the TOE that is either
+ physically or logically separated from other parts of the
+ TOE.
+
+ Unobservability of communications may be an important factor
+ in many areas, such as the enforcement of constitutional
+ rights, organisational policies, or in defence related
+ applications.
+
+
+
+
+
+ This component requires that the use of a function or
+ resource cannot be observed by unauthorised users.
+
+
+
+ , requires that users and/or
+ subjects cannot determine whether an operation is being
+ performed.
+
+
+ the management of the behaviour of the unobservability
+ function.
+
+
+ The invocation of the unobservability mechanism.
+
+
+ The TSF shall ensure that
+
+
+ list of users and/or subjects
+
+
+
+ the PP/ST author should specify the list of users and/or
+ subjects against which the TSF must provide
+ protection. For example, even if the PP/ST author
+ specifies a single user or subject role, the TSF must
+ not only provide protection against each individual user
+ or subject, but must protect with respect to cooperating
+ users and/or subjects. A set of users, for example,
+ could be a group of users which can operate under the
+ same role or can all use the same process(es).
+
+
+ are unable to observe the operation
+
+
+ list of operations
+
+
+
+ the PP/ST author should identify the list of
+ operations that are subjected to the unobservability
+ requirement.
Other users/subjects will then not be
+ able to observe the operations on a covered object in
+ the specified list (e.g. reading and writing to the
+ object).
+
+
+ on
+
+
+ list of objects
+
+
+
+ the PP/ST author should identify the list of objects
+ which are covered by the unobservability
+ requirement. An example could be a specific mail
+ server or ftp site.
+
+
+ by
+
+
+ list of protected users and/or subjects
+
+
+
+ the PP/ST author should specify the set of protected
+ users and/or subjects whose unobservability
+ information will be protected. An example could be:
+ ``users accessing the system through the
+ internet''.
+
+ .
+
+
+
+
+
+
+
+
+ This component requires that the use of a function or
+ resource cannot be observed by specified users or
+ subjects. Furthermore this component specifies that
+ information related to the privacy of the user is
+ distributed within the TOE such that attackers might not
+ know which part of the TOE to target, or they need to
+ attack multiple parts of the TOE.
+
+ An example of the use of this component is the use of a
+ randomly allocated node to provide a function. In such a
+ case the component might require that the privacy related
+ information shall only be available to one identified part
+ of the TOE, and will not be communicated outside this part
+ of the TOE.
+
+ A more complex example can be found in some
+ ``voting algorithms''. Several parts of the
+ TOE will be involved in the service, but no individual
+ part of the TOE will be able to violate the policy. So a
+ person may cast a vote (or not) without the TOE being able
+ to determine whether a vote has been cast and what the
+ vote happened to be (unless the vote was unanimous).
+
+
+
+
+ , requires that the TSF
+ provide specific mechanisms to avoid the concentration of
+ privacy related information within the TOE. Such
+ concentrations might impact unobservability if a security
+ compromise occurs.
+
+
+
+
+
+ The TSF shall ensure that
+
+
+ list of users and/or subjects
+
+
+
+ the PP/ST author should specify the list of users
+ and/or subjects against which the TSF must provide
+ protection. For example, even if the PP/ST author
+ specifies a single user or subject role, the TSF must
+ not only provide protection against each individual
+ user or subject, but must protect with respect to
+ cooperating users and/or subjects. A set of users, for
+ example, could be a group of users which can operate
+ under the same role or can all use the same
+ process(es).
+
+
+ are unable to observe the operation
+
+
+ list of operations
+
+
+
+ the PP/ST author should identify the list of
+ operations that are subjected to the unobservability
+ requirement. Other users/subjects will then not be
+ able to observe the operations on a covered object in
+ the specified list (e.g. reading and writing to the
+ object).
+
+
+ on
+
+
+ list of objects
+
+
+
+ the PP/ST author should identify the list of objects
+ which are covered by the unobservability
+ requirement. An example could be a specific mail
+ server or ftp site.
+
+
+ by
+
+
+ list of protected users and/or subjects
+
+
+
+ the PP/ST author should specify the set of protected
+ users and/or subjects whose unobservability
+ information will be protected. An example could be:
+ ``users accessing the system through the
+ internet''.
+
+ .
+
+
+ The TSF shall allocate the
+
+
+ unobservability related information
+
+
+
+ the PP/ST author should identify which privacy related
+ information should be distributed in a controlled
+ manner. Examples of this information could be: IP
+ address of subject, IP address of object, time, used
+ encryption keys.
+
+
+ among different parts of the TOE such that the following
+ conditions hold during the lifetime of the information:
+
+
+ list of conditions
+
+
+
+ the PP/ST author should specify the conditions to
+ which the dissemination of the information should
+ adhere.
These conditions should be maintained
+ throughout the lifetime of the privacy related
+ information of each instance. Examples of these
+ conditions could be: ``the information shall
+ only be present at a single separated part of the TOE
+ and shall not be communicated outside this part of the
+ TOE.'', ``the information shall only
+ reside in a single separated part of the TOE, but
+ shall be moved to another part of the TOE
+ periodically'', ``the information shall
+ be distributed between the different parts of the TOE
+ such that compromise of any 5 separated parts of the
+ TOE will not compromise the security policy''.
+
+ .
+
+
+
+
+
+
+
+
+
+ This component is used to require that the TSF does not
+ try to obtain information that might compromise
+ unobservability when provided specific services. Therefore
+ the TSF will not solicit (i.e. try to obtain from other
+ entities) any information that might be used to compromise
+ unobservability.
+
+
+
+ , requires that the TSF
+ does not try to obtain privacy related information that
+ might be used to compromise unobservability.
+
+
+ The TSF shall provide
+
+
+ list of services
+
+
+
+ the PP/ST author should identify the list of services
+ which are subject to the unobservability requirement,
+ for example, ``the accessing of job
+ descriptions''.
+
+
+ to
+
+
+ list of subjects
+
+
+
+ the PP/ST author should identify the list of subjects
+ from which privacy related information should be
+ protected when the specified services are provided.
+
+
+ without soliciting any reference to
+
+
+ privacy related information
+
+
+
+ the PP/ST author should specify the privacy related
+ information that will be protected from the specified
+ subjects. Examples include the identity of the subject
+ that used a service and the quantity of a service that
+ has been used such as memory resource
+ utilisation.
+
+ .
+
+
+
+
+
+
+ This component is used to require that there will be one
+ or more authorised users with the rights to view the
+ resource utilisation. Without this component, this review
+ is allowed, but not mandated.
+
+
+
+ , requires the TSF to
+ provide one or more authorised users with a capability to
+ observe the usage of resources and/or services.
+
+
+ the list of authorised users that are capable of determining
+ the occurrence of operations.
+
+
+ The observation of the use of a resource or service by a
+ user or subject.
+
+
+ The TSF shall provide
+
+
+ set of authorised users
+
+
+
+ the PP/ST author should specify the set of authorised
+ users for which the TSF must provide the capability to
+ observe the resource utilisation. A set of authorised
+ users, for example, could be a group of authorised users
+ which can operate under the same role or can all use the
+ same process(es).
+
+
+ with the capability to observe the usage of
+
+
+ list of resources and/or services
+
+
+
+ the PP/ST author should specify the set of resources
+ and/or services that the authorised user must be able
+ to observe.
+
+ .
+
+
+
+
+
+
+
+ This class contains families of functional requirements that
+ relate to the integrity and management of the mechanisms that
+ constitute the TSF and to the integrity of TSF data. In some
+ sense, families in this class may appear to duplicate
+ components in the class; they may
+ even be implemented using the same mechanisms. However, focuses on user data protection, while
+ focuses on TSF data
+ protection. In fact, components from the class are necessary to provide requirements that
+ the SFPs in the TOE cannot be tampered with or
+ bypassed.
+
+ From the point of view of this class, regarding to the
+ TSF there are three significant elements:
+
+ The TSF's implementation, which executes and implements the
+ mechanisms that enforce the SFRs.
+
+ The TSF's data, which are the administrative databases that guide the
+ enforcement of the SFRs.
+
+ The external entities that the TSF may interact with in order to
+ enforce the SFRs.
+
+
+
+
+ This class contains families of functional requirements that
+ relate to the integrity and management of the mechanisms that
+ constitute the TSF and to the
+ integrity of TSF data. In some sense, families in this class may
+ appear to duplicate components in the
+ class; they may even be implemented using the
+ same mechanisms. However, focuses on user
+ data protection, while focuses on TSF data
+ protection. In fact, components from the
+ class are necessary to provide requirements that the SFPs in
+ the TOE cannot be tampered with or bypassed.
+
+ From the point of view of this class, regarding to the
+ TSF there are three significant elements:
+
+ The TSF's implementation, which executes and implements the
+ mechanisms that enforce the SFRs.
+
+ The TSF's data, which are the administrative databases that guide the
+ enforcement of the SFRs.
+
+ The external entities that the TSF may interact with in order to
+ enforce the SFRs.
+
+
+ All of the families in the class can be
+ related to these areas, and fall into the following groupings:
+ , which provides an authorised user
+ with the ability to detect external attacks on the parts
+ of the TOE that comprise the TSF.
+ and ,
+ which provide an authorised user with the ability to verify the correct
+ operation of the external entities interacting with the TSF to enforce
+ the SFRs, and the integrity of the TSF data and TSF itself.
+ , , and , which address the behaviour of the TSF
+ when failure occurs and immediately after.
+ , , ,
+ which address the protection and availability of TSF data between the TSF and another trusted IT product.
+ , which addresses protection of TSF
+ data when it is transmitted between physically-separated
+ parts of the TOE.
+ , which addresses the replay of
+ various types of information and/or operations.
+ , which addresses the synchronisation
+ of states, based upon TSF data, between different parts of
+ a distributed TSF.
+ , which addresses reliable timing.
+ , which addresses the consistency of
+ TSF data shared between the TSF and another trusted IT product.
+
+
+
+
+
+
+
+
+ The requirements of this family ensure that the TOE will always enforce
+ its SFRs in the event of identified categories of
+ failures in the TSF.
+
+
+
+ The requirements of this family ensure that the TOE will
+ always enforce its SFRs in the event of certain
+ types of failures in the TSF.
+
+
+
+
+
+ The term ``secure state'' refers to a state in which the
+ TSF data are consistent and the TSF continues correct
+ enforcement of the SFRs.
+
+ Although it is desirable to audit situations in which
+ failure with preservation of secure state occurs, it is
+ not possible in all situations. The PP/ST author should
+ specify those situations in which audit is desired and
+ feasible.
+
+ Failures in the TSF may include
+ ``hard'' failures, which indicate an
+ equipment malfunction and which may require maintenance,
+ service or repair of the TSF. Failures in the TSF may also
+ include recoverable ``soft'' failures,
+ which may only require initialisation or resetting of the
+ TSF.
+
+
+
+ This family consists of only one component, , which requires that the TSF preserve a
+ secure state in the face of the identified failures.
+
+
+ Failure of the TSF.
+
+
+ The TSF shall preserve a secure state when the following
+ types of failures occur:
+
+
+ list of types of failures in the TSF
+
+
+
+ the PP/ST author should list the types of failures in
+ the TSF for which the TSF should ``fail
+ secure,'' that is, should preserve a secure
+ state and continue to correctly enforce the SFRs.
+
+ .
+
+
+
+
+
+
+
+ This family defines the rules for the prevention of loss of
+ availability of TSF data moving between the TSF and another
+ trusted IT product. This data could, for example, be TSF
+ critical data such as passwords, keys, audit data, or TSF
+ executable code.
+
+
+
+ This family defines the rules for the prevention of loss of
+ availability of TSF data moving between the TSF and another
+ trusted IT product. This data could be TSF critical data
+ such as passwords, keys, audit data, or TSF executable code.
+
+ This family is used in a distributed context where the TSF
+ is providing TSF data to another trusted IT product. The
+ TSF can only take the measures at its site and cannot be
+ held responsible for the TSF at the other trusted IT
+ product.
+
+ If there are different availability metrics for different
+ types of TSF data, then this component should be iterated
+ for each unique pairing of metrics and types of TSF data.
+
+
+
+
+
+ This family consists of only one component, .
+ This component requires that the TSF ensure, to an identified degree of probability, the
+ availability of TSF data provided to another trusted IT product.
+
+
+ management of the list of types of TSF data that must be
+ available to another trusted IT product.
+
+
+ the absence of TSF data when required by a TOE.
+
+
+ The TSF shall ensure the availability of
+
+ list of types of TSF data
+
+ the PP/ST author should specify the types of TSF data
+ that are subject to the availability metric.
+ provided to another trusted IT product within
+
+ a defined availability metric
+
+ the PP/ST should specify the availability metric for
+ the applicable TSF data.
+ given the following conditions
+
+ conditions to ensure availability
+
+ the PP/ST author should specify the conditions under
+ which availability must be ensured. For example:
+ there must be a connection between the TOE and
+ another trusted IT product..
+ + + + + + + + This family defines the rules for the protection from + unauthorised disclosure of TSF data during transmission + between the TSF and another trusted IT product. This data + could, for example, be TSF critical data such as passwords, + keys, audit data, or TSF executable code. + + + + This family defines the rules for the protection from + unauthorised disclosure of TSF data moving between the TSF + and another trusted IT product. Examples of this data are + TSF critical data such as passwords, keys, audit data, or + TSF executable code. + + This family is used in a distributed context where + the TSF is providing TSF data to another trusted IT + product. The TSF can only take the measures at its site and + cannot be held responsible for the behaviour of the other + trusted IT product. + + + + + + Confidentiality of TSF Data during transmission is + necessary to protect such information from + disclosure. Some possible implementations that could + provide confidentiality include the use of cryptographic + algorithms as well as spread spectrum techniques. + + + + This family consists of only one component, , + which requires that the TSF ensure that data transmitted between the TSF and another trusted IT + product is protected from disclosure while in transit. + + + The TSF shall protect all TSF data transmitted from the TSF + to another trusted IT product from unauthorised disclosure + during transmission. + + + + + + + + This family defines the rules for the protection, from + unauthorised modification, of TSF data during transmission + between the TSF and another trusted IT product. This data + could, for example, be TSF critical data such as passwords, + keys, audit data, or TSF executable code. + + + + This family defines the rules for the protection, from + unauthorised modification, of TSF data during transmission + between the TSF and another trusted IT product. 
Examples of + this data are TSF critical data such as passwords, keys, + audit data, or TSF executable code. + + This family is used in a distributed context where + the TSF is exchanging TSF data with another trusted IT + product. Note that a requirement that addresses + modification, detection, or recovery at another trusted + IT product cannot be specified, as the mechanisms that + another trusted IT product will use to protect its data + cannot be determined in advance. For this reason, these + requirements are expressed in terms of the ``TSF + providing a capability'' which another trusted + IT product can use. + + + + + + This component should be used in situations where it is + sufficient to detect when data have been modified. An + example of such a situation is one in which another + trusted IT product can request the TOE's TSF to + retransmit data when modification has been detected, or + respond to such types of request. + + The desired strength of modification detection is based + upon a specified modification metric that is a function of + the algorithm used, which may range from a weak checksum + and parity mechanisms that may fail to detect multiple bit + changes, to more complicated cryptographic checksum + approaches. + + + , provides the ability to detect + modification of TSF data during transmission between the + TSF and another trusted IT product, under the assumption + that another trusted IT product is cognisant of the mechanism used. + + + the detection of modification of transmitted TSF data. + + + the action taken upon detection of modification of + transmitted TSF data. + + + The TSF shall provide the capability to detect modification + of all TSF data during transmission between the TSF and + another trusted IT product within the following metric: + + a defined modification metric + + the PP/ST should specify the modification metric that + the detection mechanism must satisfy. 
This + modification metric shall specify the desired strength + of the modification detection.. + + + The TSF shall provide the capability to verify the integrity + of all TSF data transmitted between the TSF and another + trusted IT product and perform + + action to be taken + + the PP/ST should specify the actions to be taken if a + modification of TSF data has been detected. An example + of an action is: ``ignore the TSF data, and + request the originating trusted product to send the + TSF data again''. + if modifications are detected. + + + + + + + + This component should be used in situations where it is + necessary to detect or correct modifications of TSF + critical data. + + The desired strength of modification detection is based + upon a specified modification metric that is a function of + the algorithm used, which may range from a checksum and + parity mechanisms that may fail to detect multiple bit + changes, to more complicated cryptographic checksum + approaches. The metric that needs to be defined can either + refer to the attacks it will resist (e.g. only 1 in a 1000 + random messages will be accepted), or to mechanisms that + are well known in the public literature (e.g. the strength + must be conformant to the strength offered by Secure Hash + Algorithm). + + The approach taken to correct modification might be done + through some form of error correcting checksum. + + + + Some possible means of satisfying this requirement + involves the use of cryptographic functions or some form + of checksum. + + + , provides the ability for + another trusted IT product not only to detect modification, + but to correct modified TSF data under the assumption that + another trusted IT product is cognisant of the mechanism used. + + + management of the types of TSF data that the TSF should try + to correct if modified in transit; + + + management of the types of action that the TSF could take if + TSF data is modified in transit. 
+ + + the detection of modification of transmitted TSF data; + + + the action taken upon detection of modification of + transmitted TSF data. + + + the use of the correction mechanism. + + + The TSF shall provide the capability to detect modification + of all TSF data during transmission between the TSF and + another trusted IT product within the following metric: + + a defined modification metric + + the PP/ST should specify the modification metric that + the detection mechanism must satisfy. This + modification metric shall specify the desired strength + of the modification detection.. + + + The TSF shall provide the capability to verify the integrity + of all TSF data transmitted between the TSF and another + trusted IT product and perform + + action to be taken + + the PP/ST should specify the actions to be taken if a + modification of TSF data has been detected. An example + of an action is: ``ignore the TSF data, and + request the originating trusted product to send the + TSF data again''. + if modifications are detected. + + + The TSF shall provide the capability to correct + + type of modification + + the PP/ST author should define the types of + modification from which the TSF should be capable of + recovering. + of all TSF data transmitted between the TSF and another + trusted IT product. + + + + + + + + This family provides requirements that address protection of + TSF data when it is transferred between separate parts of a + TOE across an internal channel. + + + + This family provides requirements that address protection of + TSF data when it is transferred between separate parts of a + TOE across an internal channel. + + The determination of the degree of separation (i.e., + physical or logical) that would make application of this + family useful depends on the intended environment of use. 
In + a hostile environment, there may be risks arising from + transfers between parts of the TOE separated by only a + system bus or an inter-process communications channel. In + more benign environments, the transfers may be across more + traditional network media. + + + + One practical mechanism available to a TSF to provide this + protection is cryptographically-based. + + + + + + , requires that TSF data be + protected when transmitted between separate parts of the + TOE. + + + management of the types of modification against which the + TSF should protect; + + + management of the mechanism used to provide the protection + of the data in transit between different parts of the TSF. + + + The TSF shall protect TSF data from + + + disclosure + + + modification + + + + the PP/ST author should specify the desired type of + protection to be provided from the choices: + disclosure, modification. + + + when it is transmitted between separate parts of the TOE. + + + + + + + + One of the ways to achieve separation of TSF data based on + SFP-relevant attributes is through the use of separate + logical or physical channels. + + + + , requires that the TSF separate + user data from TSF data during transmission. + + + management of the types of modification against which the + TSF should protect; + + + management of the mechanism used to provide the protection + of the data in transit between different parts of the TSF; + + + management of the separation mechanism. + + + The TSF shall protect TSF data from + + + disclosure + + + modification + + + + the PP/ST author should specify the desired type of + protection to be provided from the choices: + disclosure, modification. + + + when it is transmitted between separate parts of the TOE. + + + The TSF shall separate user data from TSF data when such + data is transmitted between separate parts of the TOE. 
+ + + + + + + + + + , requires that the TSF data + transmitted between separate parts of the TOE is monitored + for identified integrity errors. + + + management of the types of modification against which the + TSF should protect; + + + management of the mechanism used to provide the protection + of the data in transit between different parts of the TSF; + + + management of the types of modification of TSF data the TSF + should try to detect; + + + management of the action>s that will be taken. + + + the detection of modification of TSF data; + + + the action taken following detection of an integrity error. + + + The TSF shall be able to detect + + + modification of data + + + substitution of data + + + re-ordering of data + + + deletion of data + + + + + other integrity errors + + + + if the PP/ST author chooses the latter selection + noted in the preceding paragraph, then the author + should also specify what those other integrity + errors are that the TSF should be capable of + detecting. + + + + + + the PP/ST author should specify the desired type of + modification that the TSF shall be able to detect. The + PP/ST author should select from: modification of data, + substitution of data, re-ordering of data, deletion of + data, or any other integrity errors. + + + for TSF data transmitted between separate parts of the TOE. + + + Upon detection of a data integrity error, the TSF shall take + the following actions: + + + specify the action to be taken + + + + the PP/ST author should specify the action to be taken + when an integrity error is identified. + + . + + + + + + + + TSF physical protection components refer to restrictions on + unauthorised physical access to the TSF, and to the + deterrence of, and resistance to, unauthorised physical + modification, or substitution of the TSF. + + The requirements of components in this family ensure that + the TSF is protected from physical tampering and + interference. 
Satisfying the requirements of these + components results in the TSF being packaged and used in + such a manner that physical tampering is detectable, or + resistance to physical tampering is enforced. Without these + components, the protection functions of a TSF lose their + effectiveness in environments where physical damage cannot + be prevented. This family also provides requirements + regarding how the TSF shall respond to physical tampering + attempts. + + + + TSF physical protection components refer to restrictions on + unauthorised physical access to the TSF, and to the + deterrence of, and resistance to, unauthorised physical + modification, or substitution of the TSF. + + The requirements in this family ensure that the TSF is + protected from physical tampering and + interference. Satisfying the requirements of these + components results in the TSF being packaged and used in + such a manner that physical tampering is detectable, or + resistance to physical tampering is measurable based on + defined work factors. Without these components, the + protection functions of a TSF lose their effectiveness in + environments where physical damage cannot be prevented. This + component also provides requirements regarding how the TSF + must respond to physical tampering attempts. + + Examples of physical tampering scenarios include mechanical + attack, radiation, changing the temperature. + + It is acceptable for the functions that are available to an + authorised user for detecting physical tampering to be + available only in an off-line or maintenance mode. Controls + should be in place to limit access during such modes to + authorised users. As the TSF may not be + ``operational'' during those modes, it + may not be able to provide normal enforcement for authorised + user access. The physical implementation of a TOE might + consist of several structures: for example an outer + shielding, cards, and chips. 
This set of + ``elements'' as a whole must protect + (protect, notify and resist) the TSF from physical + tampering. This does not mean that all devices must provide + these features, but the complete physical construct as a + whole should. + + Although there is only minimal auditing associating with + these components, this is solely because there is the + potential that the detection and alarm mechanisms may be + implemented completely in hardware, below the level of + interaction with an audit subsystem (for example, a + hardware-based detection system based on breaking a circuit + and lighting a light emitting diode (LED) if the circuit is + broken when a button is pressed by the authorised + user). Nevertheless, a PP/ST author may determine that for a + particular anticipated threat environment, there is a need + to audit physical tampering. If this is the case, the PP/ST + author should include appropriate requirements in the list + of audit events. Note that inclusion of these requirements + may have implications on the hardware design and its + interface to the software. + + + + + + should be used when threats from + unauthorised physical tampering with parts of the TOE are not + countered by procedural methods. It addresses the threat of + undetected physical tampering with the TSF. Typically, an + authorised user would be given the function to verify whether + tampering took place. As written, this component simply provides + a TSF capability to detect tampering. Specification of + management functions in should be + considered to specify who can make use of that capability, and + how they can make use of that capability. If this is done by non-IT mechanisms + (e.g. physical inspection) management functions are not required. + + + + , provides for features that + indicate when a TSF device or TSF element is subject to + tampering. 
However, notification of tampering is not + automatic; an authorised user must invoke a security + administrative function or perform manual inspection to + determining if tampering has occurred. + + management of the user or role that determines whether physical + tampering has occurred. + + + if detection by IT means, detection of intrusion. + + + The TSF shall provide unambiguous detection of physical + tampering that might compromise the TSF. + + + The TSF shall provide the capability to determine whether + physical tampering with the TSF's devices or + TSF's elements has occurred. + + + + + + + + + + should be used when threats from + unauthorised physical tampering with parts of the TOE are + not countered by procedural methods, and it is required + that designated individuals be notified of physical + tampering. It addresses the threat that physical tampering + with TSF elements, although detected, may not be noticed. + Specification of management functions in FMT_MOF.1 Management of + security functions behaviour should be considered to specify who + can make use of that capability, and how they can make use of that capability. + + + + , provides for automatic + notification of tampering for an identified subset of + physical penetrations. + + + management of the user or role that gets informed about + intrusions; + + + management of the list of devices that should inform the + indicated user or role about the intrusion. + + + detection of intrusion. + + + The TSF shall provide unambiguous detection of physical + tampering that might compromise the TSF. + + + The TSF shall provide the capability to determine whether physical + tampering with the TSF's devices or + TSF's elements has occurred. + + + For + + + list of TSF devices/elements for which active detection + is required + + + + the PP/ST author should provide a list of TSF + devices/elements for which active detection of + physical tampering is required. 
+ + , the TSF shall monitor the devices and + elements and notify + + + a designated user or role + + + + the PP/ST author should designate a user or role that + is to be notified when tampering is detected. The type + of user or role may vary depending on the particular + security administration component (from the family) included in the PP/ST. + + + when physical tampering with the + TSF's devices or TSF's elements has + occurred. + + + + + + + For some forms of tampering, it is necessary that the TSF + not only detects the tampering, but actually resists it or + delays the attacker. + + This component should be used when TSF devices and TSF + elements are expected to operate in an environment where a + physical tampering (e.g. observation, analysis, or + modification) of the internals of a TSF device or TSF + element itself is a threat. + + + + , provides for features that prevent + or resist physical tampering with TSF devices and TSF + elements. + + + management of the automatic responses to physical tampering. + + + The TSF shall resist + + + physical tampering scenarios + + + + the PP/ST author should specify tampering scenarios to + a list of TSF devices/elements for which the TSF + should resist physical tampering. This list may be + applied to a defined subset of the TSF physical + devices and elements based on considerations such as + technology limitations and relative physical exposure + of the device. Such subsetting should be clearly + defined and justified. Furthermore, the TSF should + automatically respond to physical tampering. The + automatic response should be such that the policy of + the device is preserved; for example, with a + confidentiality policy, it would be acceptable to + physically disable the device so that the protected + information may not be retrieved. 
+ + + to the + + + list of TSF devices/elements + + + + the PP/ST author should specify the list of TSF + devices/elements for which the TSF should resist + physical tampering in the scenarios that have been + identified. + + + by responding automatically such that the SFRs are always enforced. + + + + + + + + The requirements of this family ensure that the TSF can + determine that the TOE is started up without protection + compromise and can recover without protection compromise + after discontinuity of operations. This family is important + because the start-up state of the TSF determines the + protection of subsequent states. + + + + The requirements of this family ensure that the TSF can + determine that the TOE is started-up without protection + compromise and can recover without protection compromise + after discontinuity of operations. This family is important + because the start-up state of the TSF determines the + protection of subsequent states. + + Recovery components reconstruct the TSF secure states, or + prevent transitions to insecure states, as a direct response + to occurrences of expected failures, discontinuity of + operation or start-up. Failures that must be generally + anticipated include the following: + + + Unmaskable action failures that always result in a + system crash (e.g. persistent inconsistency of critical + system tables, uncontrolled transfers within the TSF + code caused by transient failures of hardware or + firmware, power failures, processor failures, + communication failures). + + + Media failures causing part or all of the media + representing the TSF objects to become inaccessible or + corrupt (e.g. parity errors, disk head crash, persistent + read/write failure caused by misaligned disk heads, + worn-out magnetic coating, dust on the disk surface). + + + Discontinuity of operation caused by erroneous + administrative action or lack of timely administrative + action (e.g. 
unexpected shutdowns by turning off power, + ignoring the exhaustion of critical resources, + inadequate installed configuration). + + + + Note that recovery may be from either a complete or partial + failure scenario. Although a complete failure might occur in + a monolithic operating system, it is less likely to occur in + a distributed environment. In such environments, subsystems + may fail, but other portions remain operational. Further, + critical components may be redundant (disk mirroring, + alternative routes), and checkpoints may be available. Thus, + recovery is expressed in terms of recovery to a secure + state. + There are different interactions between + and components to be considered when + selecting : + + The need for trusted recovery may be indicated through + the results of TSF self-testing, where the results of + the self-tests indicate that the TSF is in an insecure + state and return to a secure state or entrance in + maintenance mode is required. + + A failure, as discussed above, may be identified by an + administrator. Either the administrator may perform + the actions to return the TOE to a secure state and + then invoke TSF self-tests to confirm that the secure + state has been achieved. Or, the TSF self-tests may be + invoked to complete the recovery process. + + A combination of a. and b. above, where the need for + trusted recovery is indicated through the results of + TSF self-testing, the administrator performs the + actions to return the TOE to a secure state and then + invokes TSF self-tests to confirm that the secure + state has been achieved. + + Self tests detect a failure/service discontinuity, + then either automated recovery or entrance to a + maintenance mode. + + + This family identifies a maintenance mode. In this + maintenance mode normal operation might be impossible or + severely restricted, as otherwise insecure situations might + occur. 
Typically, only authorised users should be allowed + access to this mode but the real details of who can access + this mode is a function of . If does not put any controls on who can access this + mode, then it may be acceptable to allow any user to restore + the system if the TOE enters such a state. However, in + practice, this is probably not desirable as the user + restoring the system has an opportunity to configure the TOE + in such a way as to violate the SFRs. + + Mechanisms designed to detect exceptional conditions during + operation fall under , , and other areas that address the + concept of ``Software Safety.'' It is likely that the use of + one of these families will be required to support the adoption + of . This is to ensure that + the TOE will be able to detect when recovery is + required. + + Throughout this family, the phrase ``secure state'' is + used. This refers to some state in which the TOE has + consistent TSF data and a TSF that can correctly enforce the + policy. This state may be the initial ``boot'' of a clean + system, or it might be some checkpointed state. + + Following recovery, it may be necessary to confirm that the + secure state has been achieved through self-testing of the + TSF. However, if the recovery is performed in a manner such + that only a secure state can be achieved, else recovery + fails, then the dependency to the TSF + self-test component may be argued away. + + + + + + + + + In the hierarchy of the trusted recovery family, recovery + that requires only manual intervention is the least + desirable, for it precludes the use of the system in an + unattended fashion. + + This component is intended for use in TOEs that do not + require unattended recovery to a secure state. The + requirements of this component reduce the threat of + protection compromise resulting from an attended TOE + returning to an insecure state after recovery from a + failure or other discontinuity. 
+ + + + It is acceptable for the functions that are available to + an authorised user for trusted recovery to be available + only in a maintenance mode. Controls should be in place to + limit access during maintenance to authorised users. + + + + , allows a TOE to only provide + mechanisms that involve human intervention to return to a + secure state. + + + management of who can access the restore capability within + the maintenance mode. + + + the fact that a failure or service discontinuity occurred; + + + resumption of the regular operation; + + + type of failure or service discontinuity. + + + After + + list of failures/service discontinuities + + the PP/ST author should specify the list of failures or + service discontinuities (e.g. power failure, audit + storage exhaustion, any failure or discontinuity) + following which the TOE will enter a maintenance mode. the TSF shall enter a maintenance mode where + the ability to return to a secure state is provided. + + + + + + + + + + + Automated recovery is considered to be more useful than + manual recovery, as it allows the machine to operate in an + unattended fashion. + + The component extends the feature + coverage of by requiring that there + be at least one automated method of recovery from failure + or service discontinuity. It addresses the threat of + protection compromise resulting from an unattended TOE + returning to an insecure state after recovery from a + failure or other discontinuity. + + + + It is acceptable for the functions that are available to + an authorised user for trusted recovery to be available + only in a maintenance mode. Controls should be in place to + limit access during maintenance to authorised users. + + For , it is the responsibility of + the developer of the TSF to determine the set of + recoverable failures and service discontinuities. + + It is assumed that the robustness of the automated + recovery mechanisms will be verified. 
+ + + + , provides, for at least one type of + service discontinuity, recovery to a secure state without + human intervention; recovery for other discontinuities may + require human intervention. + + + management of who can access the restore capability within + the maintenance mode; + + + management of the list of failures/service discontinuities + that will be handled through the automatic procedures. + + + + + When automated recovery from + + list of failures/service discontinuities + + the PP/ST author should specify the list of failures or + service discontinuities (e.g. power failure, audit + storage exhaustion) following which the TOE will need to + enter a maintenance mode. is not possible, the TSF shall enter a + maintenance mode where the ability to return to a secure state + is provided. + + + For + + + list of failures/service discontinuities + + + + the PP/ST author should specify the list of failures + or other discontinuities for which automated recovery + must be possible. + + , the TSF shall ensure the return of the TOE + to a secure state using automated procedures. + + + + + + + + + + + Automated recovery is considered to be more useful than + manual recovery, but it runs the risk of losing a + substantial number of objects. Preventing undue loss of + objects provides additional utility to the recovery + effort. + + The component extends the feature + coverage of by requiring that there + not be undue loss of TSF data or objects under the control + of the TSF. At , the automated recovery + mechanisms could conceivably recover by deleting all + objects and returning the TSF to a known secure + state. This type of drastic automated recovery is + precluded in . + + This component addresses the threat of protection + compromise resulting from an unattended TOE returning to + an insecure state after recovery from a failure or other + discontinuity with a large loss of TSF data or objects + under the control of the TSF. 
+ + + + It is acceptable for the functions that are available to + an authorised user for trusted recovery to be available + only in a maintenance mode. Controls should be in place to + limit access during maintenance to authorised users. + + It is assumed that the evaluators will verify the + robustness of the automated recovery mechanisms. + + + + , also provides for automated + recovery, but strengthens the requirements by disallowing + undue loss of protected objects. + + + + + + When automated recovery from + + list of failures/service discontinuities + + the PP/ST author should specify the list of failures or + service discontinuities (e.g. power failure, audit + storage exhaustion) following which the TOE will need to + enter a maintenance mode. + is not possible, the TSF shall enter a maintenance mode where + the ability to return to a secure state is provided. + + + For + + + list of failures/service discontinuities + + + + the PP/ST author should specify the list of failures + or other discontinuities for which automated recovery + must be possible. + + , the TSF shall ensure the return of the TOE + to a secure state using automated procedures. + + + The functions provided by the TSF to recover from failure or + service discontinuity shall ensure that the secure initial + state is restored without exceeding + + + quantification + + + + the PP/ST author should provide a quantification for + the amount of loss of TSF data or objects that is + acceptable. + + + for loss of TSF data or objects under the control of the TSF. + + + The TSF shall provide the capability to determine the + objects that were or were not capable of being recovered. + + + + + + + Function recovery requires that if there should be some + failure in the TSF, that certain functions in the TSF should + either complete successfully or recover to a secure state. 
+ + + + , provides for recovery at the level + of particular functions, ensuring either successful completion + or rollback of TSF data to a secure state. + + + if possible, the impossibility to return to a secure state + after a failure of the TSF; + + + if possible, the detection of a failure of a function. + + + The TSF shall ensure that + + + list of functions and failure scenarios + + + + the PP/ST author should specify a list the functions and + failure scenarios. In the event that any of the + identified failure scenarios happen, the functions that have + been specified must either complete successfully or + recover to a consistent and secure state. + + + have the property that the function either completes successfully, + or for the indicated failure scenarios, recovers to a + consistent and secure state. + + + + + + + + This family addresses detection of replay for various types + of entities (e.g. messages, service requests, service + responses) and subsequent actions to correct. In the case + where replay may be detected, this effectively prevents it. + + + + This family addresses detection of replay for various types + of entities and subsequent actions to correct. + + + + + + The entities included here are, for example, messages, + service requests, service responses, or sessions. + + + + The family consists of only one component, , which requires that the TSF shall be + able to detect the replay of identified entities. + + + management of the list of identified entities for which + replay shall be detected; + + + management of the list of actions that need to be taken in + case of replay. + + + Detected replay attacks. + + + Action to be taken based on the specific actions. + + + The TSF shall detect replay for the following entities: + + + list of identified entities + + + + the PP/ST author should provide a list of identified + entities for which detection of replay should be + possible. 
Examples of such entities might include: + messages, service requests, service responses, and + user sessions. + + . + + + The TSF shall perform + + + list of specific actions + + + + the PP/ST author should specify the list of actions to + be taken by the TSF when replay is detected. The + potential set of actions that can be taken includes: + ignoring the replayed entity, requesting confirmation + of the entity from the identified source, and + terminating the subject from which the re-played + entity originated. + + + when replay is detected. + + + + + + + + + Distributed TOEs may give rise to greater complexity than + monolithic TOEs through the potential for differences in + state between parts of the TOE, and through delays in + communication. In most cases synchronisation of state + between distributed functions involves an exchange protocol, + not a simple action. When malice exists in the distributed + environment of these protocols, more complex defensive + protocols are required. + + establishes the requirement for certain + critical functions of the TSF to use this trusted + protocol. ensures that two distributed + parts of the TOE (e.g. hosts) have synchronised their states + after a security-relevant action. + + + + Distributed TOEs may give rise to greater complexity than + monolithic TOEs through the potential for differences in + state between parts of the TOE, and through delays in + communication. In most cases, synchronisation of state + between distributed functions involves an exchange protocol, + not a simple action. When malice exists in the distributed + environment of these protocols, more complex defensive + protocols are required. + + establishes the requirement for certain + critical functions of the TSF to use a trusted + protocol. ensures that two distributed + parts of the TOE (e.g. hosts) have synchronised their states + after a security-relevant action. 
+ + Some states may never be synchronised, or the transaction + cost may be too high for practical use; encryption key + revocation is an example, where knowing the state after the + revocation action is initiated can never be known. Either + the action was taken and acknowledgment cannot be sent, or + the message was ignored by hostile communication partners + and the revocation never occurred. Indeterminacy is unique + to distributed TOEs. Indeterminacy and state synchrony + are related, and the same solution may apply. It is futile + to design for indeterminate states; the PP/ST author should + express other requirements in such cases (e.g. raise an + alarm, audit the event). + + + + + + + + + In this component, the TSF must supply an acknowledgement + to another part of the TSF when requested. This + acknowledgement should indicate that one part of a + distributed TOE successfully received an unmodified + transmission from a different part of the distributed TOE. + + + + , requires only a simple + acknowledgment by the data recipient. + + + failure to receive an acknowledgement when expected. + + + The TSF shall acknowledge, when requested by another part of + the TSF, the receipt of an unmodified TSF data transmission. + + + + + + + + + + + In this component, in addition to the TSF being able to + provide an acknowledgement for the receipt of a data + transmission, the TSF must comply with a request from + another part of the TSF for an acknowledgement to the + acknowledgement. + + For example, the local TSF transmits some data to a remote + part of the TSF. The remote part of the TSF acknowledges + the successful receipt of the data and requests that the + sending TSF confirm that it receives the + acknowledgement. This mechanism provides additional + confidence that both parts of the TSF involved in the data + transmission know that the transmission completed + successfully. + + + + , requires mutual acknowledgment of + the data exchange. 
+ + + + The TSF shall acknowledge, when requested by another part of + the TSF, the receipt of an unmodified TSF data + transmission. + + + The TSF shall ensure that the relevant parts of the TSF know + the correct status of transmitted data among its different + parts, using acknowledgements. + + + + + + + + This family addresses requirements for a reliable time stamp + function within a TOE. + + + + This family addresses requirements for a reliable time stamp + function within a TOE. + + It is the responsibility of the PP/ST author to clarify the + meaning of the phrase ``reliable time + stamp'', and to indicate where the responsibility + lies in determining the acceptance of trust. + + + + + + Some possible uses of this component include providing + reliable time stamps for the purposes of audit as well as + for security attribute expiration. + + + + This family consists of only one component, , which requires that the TSF provide + reliable time stamps for TSF functions. + + + management of the time. + + + changes to the time; + + + providing a timestamp. + + + The TSF shall be able to provide reliable time stamps. + + + + + + + + In a distributed environment, a TOE may + need to exchange TSF data (e.g. the SFP-attributes + associated with data, audit information, identification + information) with another trusted IT product, This family + defines the requirements for sharing and consistent + interpretation of these attributes between the TSF of the + TOE and a different trusted IT product. + + + + In a distributed or composite environment, a TOE may + need to exchange TSF data (e.g. the SFP-attributes + associated with data, audit information, identification + information) with another trusted IT Product, This family + defines the requirements for sharing and consistent + interpretation of these attributes between the TSF of the + TOE and that of a different trusted IT Product. 
+ + The components in this family are intended to provide + requirements for automated support for TSF data consistency + when such data is transmitted between the TSF of the TOE and + another trusted IT Product. It is also possible that wholly + procedural means could be used to produce security attribute + consistency, but they are not provided for here. + + This family is different from FDP_ETC and FDP_ITC, as those + two families are concerned only with resolving the security + attributes between the TSF and its import/export medium. + + If the integrity of the TSF data is of concern, requirements + should be chosen from the family. These + components specify requirements for the TSF to be able to + detect or detect and correct modifications to TSF data in + transit. + + + + + + The TSF is responsible for maintaining the consistency of + TSF data used by or associated with the specified function + and that are common between two or more trusted + systems. For example, the TSF data of two different + systems may have different conventions internally. For the + TSF data to be used properly (e.g. to afford the user data + the same protection as within the TOE) by the receiving + trusted IT product, the TOE and the other trusted IT + product must use a pre-established protocol to exchange + TSF data. + + + + , requires that the TSF provide the + capability to ensure consistency of attributes between + TSFs. + + + Successful use of TSF data consistency mechanisms. + + + Use of the TSF data consistency mechanisms. + + + Identification of which TSF data have been interpreted. + + + Detection of modified TSF data. + + + The TSF shall provide the capability to consistently + interpret + + + list of TSF data types + + + + the PP/ST author should define the list of TSF data + types, for which the TSF shall provide the capability + to consistently interpret, when shared between the TSF + and another trusted IT product. 
+ + + when shared between the TSF and another trusted IT product. + + + The TSF shall use + + + list of interpretation rules to be applied by the TSF + + + + the PP/ST should assign the list of interpretation + rules to be applied by the TSF, + + + when interpreting the TSF data from another trusted IT + product. + + + + This family defines requirements for the TSF to perform tests + on one or more external entities. + This component is not intended to be applied to human users. + External entities may include applications running on the TOE, hardware or + software running ``underneath'' the TOE (platforms, operating systems etc.) + or applications/boxes connected to the TOE (intrusion detection systems, + firewalls, login servers, time servers etc.). + This family defines requirements for the testing of one or more external + entities by the TSF. These external entities are not human users, and they can + include combinations of software and/or hardware interacting with the TOE. + Examples of the types of tests that may be run are: + + Tests for the presence of a firewall, and possibly whether it is + correctly configured; + + Tests of some of the properties of the operating system that an + application TOE runs on; + + Tests of some of the properties of the IC that a smart card OS TOE + runs on (e.g. the random number generator). + + Note that the external entity may ``lie'' about the test results, either on + purpose or because it is not working correctly. + These tests can be carried out either in some maintenance state, at start-up, + on-line, or continuously. The actions to be taken by the TOE as the result of + testing are defined also in this family. + The tests of external entities should be sufficient to test all of the + characteristics of them upon which the TSF relies. + This component is not intended to be applied to human users. 
+ This component provides support for the periodic testing of properties + related to external entities upon which the TSF's operation depends, by + requiring the ability to periodically invoke testing functions. + The PP/ST author may refine the requirement to state whether the function + should be available in off-line, on-line or maintenance mode. + It is acceptable for the functions for periodic testing to be available only in + an off-line or maintenance mode. Controls should be in place to limit access, + during maintenance, to authorised users., provides for testing of the + external entities by the TSF. + management of the conditions under which the testing of external + entities occurs, such as during initial start-up, regular interval, or + under specified conditions; + + management of the time interval if appropriate. + + Execution of the tests of the external entities and the results of + the tests. + + The TSF shall run a suite of tests + + during initial start-up + + periodically during normal operation + + at the request of an authorised user + + other conditions + + the PP/ST author should, if other conditions are + selected, specify the frequency with which the testing of external entities will be run. + An example of this other frecuency or condition may be to run the + tests each time a user requests to initiate a session with the TOE. For + instance, this could be the case of testing a directory server before its + interaction with the TSF during the user authentication process. + the PP/ST author should specify when the TSF will + run the testing of external entities, during initial start-up, periodically + during normal operation, at the request of an authorised user, or under + other conditions. If the tests are run often, then the end users should + have more confidence that the TOE is operating correctly than if the + tests are run less frequently. 
However, this need for confidence that + the TOE is operating correctly must be balanced with the potential + impact on the availability of the TOE, as often times, the testing of external entities may + delay the normal operation of a TOE. + to check the fulfillment of + + list of properties of the external entities + + the PP/ST author should specify the properties of the + external entities to be checked by the tests. Examples of these + properties may include configuration or availability properties of + a directory server supporting some access control part of the TSF. + . + + If the test fails, the TSF shall + + action(s) + + the PP/ST author should specify what are the action(s) + that the TSF shall perform when the testing fails. Examples of these + action(s), illustrated by a directory server instance, may include to + connect to an alternative available server or otherwise to look for a + backup server. + . + + + + + + The requirements of this family are needed to ensure the + consistency of TSF data when such data is replicated + internal to the TOE. Such data may become inconsistent if + the internal channel between parts of the TOE becomes + inoperative. If the TOE is internally structured as a + network and parts of the TOE network connections are broken, + this may occur when parts become disabled. + + + + The requirements of this family are needed to ensure the + consistency of TSF data when such data is replicated + internal to the TOE. Such data may become inconsistent if an + internal channel between parts of the TOE becomes + inoperative. If the TOE is internally structured as a + network of parts of the TOE, this can occur when parts + become disabled, network connections are broken, and so on. + + The method of ensuring consistency is not specified in this + component. 
It could be attained through a form of + transaction logging (where appropriate transactions are + ``rolled back'' to a site upon + reconnection); it could be updating the replicated data + through a synchronisation protocol. If a particular protocol + is necessary for a PP/ST, it can be specified through + refinement. + + It may be impossible to synchronise some states, or the cost + of such synchronisation may be too high. Examples of this + situation are communication channel and encryption key + revocations. Indeterminate states may also occur; if a + specific behaviour is desired, it should be specified via + refinement. + + + + + + + + + This family consists of only one component, , which requires that the TSF ensure the + consistency of TSF data that is replicated in multiple + locations. + + + restoring consistency upon reconnection. + + + Detected inconsistency between TSF data. + + + The TSF shall ensure that TSF data is consistent when + replicated between parts of the TOE. + + + When parts of the TOE containing replicated TSF data are + disconnected, the TSF shall ensure the consistency of the + replicated TSF data upon reconnection before processing any + requests for + + + list of functions dependent on TSF data replication + consistency + + + + the PP/ST author should specify the list of functions + dependent on TSF data replication consistency. + + . + + + + + + + + The family defines the requirements for the self-testing of + the TSF with respect to some expected correct + operation. Examples are interfaces to enforcement functions, + and sample arithmetical operations on critical parts of the + TOE. These tests can be carried out at start-up, + periodically, at the request of the authorised user, or when + other conditions are met. The actions to be taken by the TOE + as the result of self testing are defined in other families. + + The requirements of this family are also needed to detect + the corruption of TSF data and TSF itself (i.e. 
TSF executable code or + TSF hardware component) by various failures that do not necessarily + stop the TOE's operation (which would be handled by other + families). These checks must be performed because these + failures may not necessarily be prevented. Such failures can + occur either because of unforeseen failure modes or + associated oversights in the design of hardware, firmware, + or software, or because of malicious corruption of the TSF + due to inadequate logical and/or physical protection. + + + + The family defines the requirements for the self-testing of + the TSF with respect to some expected correct + operation. Examples are interfaces to enforcement functions, + and sample arithmetical operations on critical parts of the + TOE. These tests can be carried out at start-up, + periodically, at the request of an authorised user, or when + other conditions are met. The actions to be taken by the TOE + as the result of self testing are defined in other families. + + The requirements of this family are also needed to detect + the corruption of TSF data and TSF itself (i.e. TSF executable code or + TSF hardware component) by various failures that do not necessarily + stop the TOE's operation (which would be handled by other + families). These checks must be performed because these + failures may not necessarily be prevented. Such failures can + occur either because of unforeseen failure modes or + associated oversights in the design of hardware, firmware, + or software, or because of malicious corruption of the TSF + due to inadequate logical and/or physical protection. + + In addition, use of this component may, with appropriate + conditions, help to prevent inappropriate or damaging TSF + changes being applied to an operational TOE as the result of + maintenance activities. + + The term ``correct operation of the TSF'' refers primarily to + the operation of the TSF and the integrity of the TSF data. 
+ + + + + + + This component provides support for the testing of the + critical functions of the TSF's operation by + requiring the ability to invoke testing functions and + check the integrity of TSF data and executable code. + + + + It is acceptable for the functions that are available to + the authorised user for periodic testing to be available + only in an off-line or maintenance mode. Controls should + be in place to limit access during these modes to + authorised users. + + + , provides the ability to test the + TSF's correct operation. These tests may be + performed at start-up, periodically, at the request of the + authorised user, or when other conditions are met. It also + provides the ability to verify the integrity of TSF data + and TSF itself. + + + management of the conditions under which TSF self testing + occurs, such as during initial start-up, regular interval, + or under specified conditions; + + + management of the time interval if appropriate. + + + Execution of the TSF self tests and the results of the + tests. + + + The TSF shall run a suite of self tests + + during initial start-up + + periodically during normal operation + + at the request of the authorised user + + at the conditions + + conditions under which self test should occur + + the PP/ST author should, if selected, specify the + conditions under which the self test should take + place. + the PP/ST author should specify when the TSF will execute + the TSF test; during initial start-up, periodically during + normal operation, at the request of an authorised user, at + other conditions. In the case of the latter option, the + PP/ST author should also assign what those conditions are + via the following assignment. + to demonstrate the correct operation of + + parts of TSF + + the PP/ST author should, if selected, specify the + list of parts of the TSF that will be subject to TSF + self-testing. 
+ the TSF + + the PP/ST author should specify whether the self tests + are to be carried out to demonstrate the correct + operation of the entire TSF, or of only specified parts + of TSF.. + + + The TSF shall provide authorised users with the capability to + verify the integrity of + + parts of TSF data + + the PP/ST author should, if selected, specify the + list of TSF data that will be verified for + integrity. + TSF data + + the PP/ST author should specify whether data integrity + is to be verified for all TSF data, or only for selected + data.. + + + The TSF shall provide authorised users with the capability to + verify the integrity of + + parts of TSF + + the PP/ST author should, if selected, specify the + list of TSF that will be verified for + integrity. + TSF + + the PP/ST author should specify whether TSF integrity + is to be verified for all TSF, or only for selected + TSF.. + + + + + + + + This class provides three families that support the + availability of required resources such as processing + capability and/or storage capacity. The family Fault Tolerance + provides protection against unavailability of capabilities + caused by failure of the TOE. The family Priority of Service + ensures that the resources will be allocated to the more + important or time-critical tasks and cannot be monopolised by + lower priority tasks. The family Resource Allocation provides + limits on the use of available resources, therefore preventing + users from monopolising the resources. + + + + This class provides three families that support the + availability of required resources such as processing + capability and/or storage capacity. The family Fault Tolerance + provides protection against unavailability of capabilities + caused by failure of the TOE. The family Priority of Service + ensures that the resources will be allocated to the more + important or time-critical tasks, and cannot be monopolised by + lower priority tasks. 
The family Resource Allocation provides + limits on the use of available resources, therefore preventing + users from monopolising the resources. + + + + + + The requirements of this family ensure that the TOE will + maintain correct operation even in the event of failures. + + + + This family provides requirements for the availability of + capabilities even in the case of failures. Examples of such + failures are power failure, hardware failure, or software + error. In case of these errors, if so specified, the TOE + will maintain the specified capabilities. The PP/ST author + could specify, for example, that a TOE used in a nuclear + plant will continue the operation of the shut-down procedure + in the case of power-failure or communication-failure. + + Because the TOE can only continue its correct operation if + the SFRs are enforced, there is a requirement that the system + must remain in a secure state after a failure. This + capability is provided by . + + The mechanisms to provide fault tolerance could be active or + passive. In case of an active mechanism, specific functions + are in place that are activated in case the error + occurs. For example, a fire alarm is an active mechanism: + the TSF will detect the fire and can take action such as + switching operation to a backup. In a passive scheme, the + architecture of the TOE is capable of handling the + error. For example, the use of a majority voting scheme with + multiple processors is a passive solution; failure of one + processor will not disrupt the operation of the TOE + (although it needs to be detected to allow correction). + + For this family, it does not matter whether the failure has + been initiated accidentally (such as flooding or unplugging + the wrong device) or intentionally (such as monopolising). + + + + + + + + + This component is intended to specify which capabilities + the TOE will still provide after a failure of the + system. 
Since it would be difficult to describe all + specific failures, categories of failures may be + specified. Examples of general failures are flooding of + the computer room, short term power interruption, + breakdown of a CPU or host, software failure, or buffer + overflow. + + + + , requires the TOE to continue + correct operation of identified capabilities in the event + of identified failures. + + + Any failure detected by the TSF. + + + All TOE capabilities being discontinued due to a failure. + + + The TSF shall ensure the operation of + + + list of TOE capabilities + + + + the PP/ST author should specify the list of TOE + capabilities the TOE will maintain during and after a + specified failure. + + + when the following failures occur: + + + list of type of failures + + + + the PP/ST author should specify the list of type of + failures against which the TOE has to be explicitly + protected. If a failure in this list occurs, the TOE + will be able to continue its operation. + + . + + + + + + + + + + + This component is intended to specify against what type of + failures the TOE must be resistant. Since it would be + difficult to describe all specific failures, categories of + failures may be specified. Examples of general failures + are flooding of the computer room, short term power + interruption, breakdown of a CPU or host, software + failure, or overflow of buffer. + + + + , requires the TOE to continue + correct operation of all capabilities in the event of + identified failures. + + + Any failure detected by the TSF. + + + The TSF shall ensure the operation of all the + TOE's capabilities when the following failures + occur: + + + list of type of failures + + + + the PP/ST author should specify the list of type of + failures against which the TOE has to be explicitly + protected. If a failure in this list occurs, the TOE + will be able to continue its operation. + + . 
+ + + + + + + + The requirements of this family allow the TSF to control the + use of resources under the control of the TSF by users and subjects such + that high priority activities under the control of the TSF will always be + accomplished without undue interference or delay caused by + low priority activities. + + + + The requirements of this family allow the TSF to control the + use of resources under the control of the TSF by users and subjects such + that high priority activities under the control of the TSF will always be + accomplished without interference or delay due to low + priority activities. In other words, time critical tasks + will not be delayed by tasks that are less time critical. + + This family could be applicable to several types of + resources, for example, processing capacity, and + communication channel capacity. + + The Priority of Service mechanism might be passive or + active. In a passive Priority of Service system, the system + will select the task with the highest priority when given a + choice between two waiting applications. While using passive + Priority of Service mechanisms, when a low priority task is + running, it cannot be interrupted by a high priority + task. While using an active Priority of Service mechanisms, + lower priority tasks might be interrupted by new high + priority tasks. + + The audit requirement states that all reasons for rejection + should be audited. It is left to the developer to argue that + an operation is not rejected but delayed. + + + + + + This component defines priorities for a subject, and the + resources for which this priority will be used. If a + subject attempts to take action on a resource controlled + by the Priority of Service requirements, the access and/or + time of access will be dependent on the subject's + priority, the priority of the currently acting subject, + and the priority of the subjects still in the queue. 
+ + + + , provides priorities for a + subject's use of a subset of the resources + under the control of the TSF. + + + assignment of priorities to each subject in the TSF. + + + Rejection of operation based on the use of priority within + an allocation. + + + All attempted uses of the allocation function which involves + the priority of the service functions. + + + The TSF shall assign a priority to each subject in the TSF. + + + The TSF shall ensure that each access to + + + controlled resources + + + + the PP/ST author should specify the list of controlled + resources for which the TSF enforces priority of service + (e.g. resources such as processes, disk space, memory, + bandwidth). + + + shall be mediated on the basis of the subjects assigned + priority. + + + + + + + + This component defines priorities for a subject. All + shareable resources under the control of the TSF will be subjected to the + Priority of Service mechanism. If a subject attempts to + take action on a shareable TSF resource, the access and/or + time of access will be dependent on the subject's + priority, the priority of the currently acting subject, + and the priority of the subjects still in the queue. + + + + , provides priorities for a + subject's use of all of the resources under the control of the TSF. + + + + + + The TSF shall assign a priority to each subject in the TSF. + + + The TSF shall ensure that each access to all shareable + resources shall be mediated on the basis of the subjects + assigned priority. + + + + + + + + The requirements of this family allow the TSF to control the + use of resources by users and subjects such that denial of + service will not occur because of unauthorised + monopolisation of resources. 
+ + + + The requirements of this family allow the TSF to control the + use of resources under the control of the TSF by users and subjects such + that unauthorised denial of service will not take place by + means of monopolisation of resources by other users or + subjects. + + Resource allocation rules allow the creation of quotas or + other means of defining limits on the amount of resource + space or time that may be allocated on behalf of a specific + user or subjects. These rules may, for example: + + + Provide for object quotas that constrain the number + and/or size of objects a specific user may allocate. + + + Control the allocation/deallocation of preassigned + resource units where these units are under the control + of the TSF. + + + + In general, these functions will be implemented through the + use of attributes assigned to users and resources. + + The objective of these components is to ensure a certain + amount of fairness among the users (e.g. a single user + should not allocate all the available space) and + subjects. Since resource allocation often goes beyond the + lifespan of a subject (i.e. files often exist longer than + the applications that generated them), and multiple + instantiations of subjects by the same user should not + negatively affect other users too much, the components allow + that the allocation limits are related to the users. In some + situations the resources are allocated by a subject + (e.g. main memory or CPU cycles). In those instances the + components allow that the resource allocation be on the + level of subjects. + + This family imposes requirements on resource allocation, not + on the use of the resource itself. The audit requirements + therefore, as stated, also apply to the allocation of the + resource, not to the use of the resource. + + + + + + This component provides requirements for quota mechanisms + that apply to only a specified set of the shareable + resources in the TOE. 
The requirements allow the quotas to + be associated with a user, possibly assigned to groups of + users or subjects as applicable to the TOE. + + + + , provides requirements for quota + mechanisms that ensure that users and subjects will not + monopolise a controlled resource. + + + specifying maximum limits for a resource for groups and/or + individual users and/or subjects by an administrator. + + + Rejection of allocation operation due to resource limits. + + + All attempted uses of the resource allocation functions for + resources that are under control of the TSF. + + + The TSF shall enforce maximum quotas of the following + resources: + + + controlled resources + + + + the PP/ST author should specify the list of controlled + resources for which maximum resource allocation limits + are required (e.g. processes, disk space, memory, + bandwidth). If all resources under the control of the TSF need to be + included, the words ``all TSF + resources'' can be specified. + + + that + + + individual user + + + defined group of users + + + subjects + + + + the PP/ST author should select whether the maximum + quotas apply to individual users, to a defined group + of users, or subjects or any combination of these. + + + can use + + + simultaneously + + + over a specified period of time + + + + the PP/ST author should select whether the maximum + quotas are applicable to any given time + (simultaneously), or over a specific time interval. + + . + + + + + + + + This component provides requirements for quota mechanisms + that apply to a specified set of the shareable resources + in the TOE. The requirements allow the quotas to be + associated with a user, or possibly assigned to groups of + users as applicable to the TOE. + + + + , provides requirements for quota + mechanisms that ensure that users and subjects will always + have at least a minimum of a specified resource and that + they will not be able to monopolise a controlled resource. 
+
+
+ specifying minimum and maximum limits for a resource for
+ groups and/or individual users and/or subjects by an
+ administrator.
+
+
+
+
+ The TSF shall enforce maximum quotas of the following
+ resources
+
+
+ controlled resources
+
+
+
+ the PP/ST author should specify the controlled
+ resources for which maximum and minimum resource
+ allocation limits are required (e.g. processes, disk
+ space, memory, bandwidth). If all resources under the control of the TSF
+ need to be included, the words ``all TSF
+ resources'' can be specified.
+
+
+ that
+
+
+ individual user
+
+
+ defined group of users
+
+
+ subjects
+
+
+
+ the PP/ST author should select whether the maximum
+ quotas apply to individual users, to a defined group
+ of users, or subjects or any combination of these.
+
+
+ can use
+
+
+ simultaneously
+
+
+ over a specified period of time
+
+
+
+ the PP/ST author should select whether the maximum
+ quotas are applicable to any given time
+ (simultaneously), or over a specific time interval.
+
+ .
+
+
+ The TSF shall ensure the provision of minimum quantity of
+ each
+
+
+ controlled resource
+
+
+
+ the PP/ST author should specify the controlled
+ resources for which a minimum allocation limit needs
+ to be set (e.g. processes, disk space, memory,
+ bandwidth). If all resources under the control of the TSF need to be
+ included the words ``all TSF resources''
+ can be specified.
+
+
+ that is available for
+
+
+ an individual user
+
+
+ defined group of users
+
+
+ subjects
+
+
+
+ the PP/ST author should select whether the minimum
+ quotas apply to individual users, to a defined group
+ of users, or subjects or any combination of these.
+
+
+ to use
+
+
+ simultaneously
+
+
+ over a specified period of time
+
+
+
+ the PP/ST author should select whether the minimum
+ quotas are applicable to any given time
+ (simultaneously), or over a specific time interval.
+
+ .
+
+
+
+
+
+
+
+ This family specifies functional requirements for controlling
+ the establishment of a user's session.
+
+
+
+ The establishment of a user's session typically
+ consists of the creation of one or more subjects that perform
+ operations in the TOE on behalf of the user. At the end of the
+ session establishment procedure, provided the TOE access
+ requirements are satisfied, the created subjects bear the
+ attributes determined by the identification and authentication
+ functions. This family specifies functional requirements for
+ controlling the establishment of a user's session.
+
+ A user session is defined as the period starting at the time
+ of the identification/authentication, or if more appropriate,
+ the start of an interaction between the user and the system,
+ up to the moment that all subjects (resources and attributes)
+ related to that session have been deallocated.
+
+
+
+
+
+ This family defines requirements to limit the scope of
+ session security attributes that a user may select for a
+ session.
+
+
+
+ This family defines requirements that will limit the session
+ security attributes a user may select, and the subjects to
+ which a user may be bound, based on: the method of access;
+ the location or port of access; and/or the time
+ (e.g. time-of-day, day-of-week).
+
+ This family provides the capability for a PP/ST author to
+ specify requirements for the TSF to place limits on the
+ domain of an authorised user's security attributes
+ based on an environmental condition. For example, a user may
+ be allowed to establish a ``secret session''
+ during normal business hours but outside those hours the
+ same user may be constrained to only establishing
+ ``unclassified sessions''. The identification of
+ relevant constraints on the domain of selectable attributes
+ can be achieved through the use of the selection
+ operation. These constraints can be applied on an
+ attribute-by-attribute basis.
When there exists a need to
+ specify constraints on multiple attributes this component
+ will have to be replicated for each attribute. Examples of
+ attributes that could be used to limit the session security
+ attributes are:
+
+
+ The method of access can be used to specify in which
+ type of environment the user will be operating
+ (e.g. file transfer protocol, terminal, vtam).
+
+
+ The location of access can be used to constrain the
+ domain of a user's selectable attributes based
+ on a user's location or port of access. This
+ capability is of particular use in environments where
+ dial-up facilities or network facilities are available.
+
+
+ The time of access can be used to constrain the domain
+ of a user's selectable attributes. For example,
+ ranges may be based upon time-of-day, day-of-week, or
+ calendar dates. This constraint provides some
+ operational protection against user actions that could
+ occur at a time where proper monitoring or where proper
+ procedural measures may not be in place.
+
+
+
+
+
+
+
+ , provides the requirement for a TOE
+ to limit the scope of the session security attributes
+ during session establishment.
+
+
+ management of the scope of the session security attributes
+ by an administrator.
+
+
+ All failed attempts at selecting a session security
+ attributes;
+
+
+ All attempts at selecting a session security attributes;
+
+
+ Capture of the values of each session security attributes.
+
+
+ The TSF shall restrict the scope of the session security
+ attributes
+
+
+ session security attributes
+
+
+
+ the PP/ST author should specify the set of session
+ security attributes that are to be
+ constrained. Examples of these session security
+ attributes are user clearance level, integrity level
+ and roles.
+
+ , based on
+
+
+ attributes
+
+
+
+ the PP/ST author should specify the set of attributes
+ that can be use to determine the scope of the session
+ security attributes.
Examples of such attributes are
+ user identity, originating location, time of access,
+ and method of access.
+
+ .
+
+
+
+
+
+
+
+ This family defines requirements to place limits on the
+ number of concurrent sessions that belong to the same user.
+
+
+
+ This family defines how many sessions a user may have at the
+ same time (concurrent sessions). This number of concurrent
+ sessions can either be set for a group of users or for each
+ individual user.
+
+
+
+
+
+
+
+
+ This component allows the system to limit the number of
+ sessions in order to effectively use the resources of the
+ TOE.
+
+
+
+ , provides limitations that apply to
+ all users of the TSF.
+
+
+ management of the maximum allowed number of concurrent user
+ sessions by an administrator.
+
+
+ Rejection of a new session based on the limitation of
+ multiple concurrent sessions.
+
+
+ Capture of the number of currently concurrent user sessions
+ and the user security attribute(s).
+
+
+ The TSF shall restrict the maximum number of concurrent
+ sessions that belong to the same user.
+
+
+ The TSF shall enforce, by default, a limit of
+
+
+ default number
+
+
+
+ the PP/ST author should specify the default number of
+ maximum concurrent sessions to be used.
+
+
+ sessions per user.
+
+
+
+
+
+
+
+
+
+
+ This component provides additional capabilities over those
+ of , by allowing further constraints
+ to be placed on the number of concurrent sessions that
+ users are able to invoke. These constraints are in terms
+ of a user's security attributes, such as a
+ user's identity, or membership of a role.
+
+
+
+ extends by
+ requiring the ability to specify limitations on the number
+ of concurrent sessions based on the related security
+ attributes.
+
+
+ management of the rules that govern the maximum allowed
+ number of concurrent user sessions by an administrator.
+
+
+
+
+ The TSF shall restrict the maximum number of concurrent
+ sessions that belong to the same user according to the rules
+
+
+ rules for the number of maximum concurrent sessions
+
+
+
+ the PP/ST author should specify the rules that
+ determine the maximum number of concurrent
+ sessions. An example of a rule is ``maximum
+ number of concurrent sessions is one if the user has a
+ classification level of ``secret''
+ and five otherwise''.
+
+ .
+
+
+ The TSF shall enforce, by default, a limit of
+
+
+ default number
+
+
+
+ the PP/ST author should specify the default number of
+ maximum concurrent sessions to be used.
+
+
+ sessions per user.
+
+
+
+
+
+
+
+ This family defines requirements for the TSF to provide the
+ capability for TSF-initiated and user-initiated locking,
+ unlocking, and termination of interactive sessions.
+
+
+ This family defines requirements for the TSF to provide the
+ capability for TSF-initiated and user-initiated locking,
+ unlocking, and termination of interactive sessions.
+ When a user is directly interacting with subjects in the TOE
+ (interactive session), the user's terminal is vulnerable if
+ left unattended. This family provides requirements for the TSF
+ to disable (lock) the terminal or terminate the session after
+ a specified period of inactivity, and for the user to initiate
+ the disabling (locking) of the terminal or terminate the
+ session. To reactivate the terminal, an event specified by the
+ PP/ST author, such as the user re-authentication must
+ occur.
+ A user is considered inactive, if he/she has not provided any
+ stimulus to the TOE for a specified period of time.
+ A PP/ST author should consider whether
+ should be included. In that case, the function ``session
+ locking'' should be included in the operation in .
+
+
+
+
+
+
+
+ , provides the capability for the
+ TSF to lock an active user session after a specified
+ period of time.
Locking a terminal would prevent any
+ further interaction with an existing active session
+ through the use of the locked terminal.
+
+ If display devices are overwritten, the replacement
+ contents need not be static (i.e. ``screen
+ savers'' are permitted).
+
+ This component allows the PP/ST author to specify what
+ events will unlock the session. These events may be
+ related to the terminal (e.g. fixed set of keystrokes to
+ unlock the session), the user (e.g. reauthentication), or
+ time.
+
+
+
+ includes system initiated locking
+ of an interactive session after a specified period of user
+ inactivity.
+
+
+ specification of the time of user inactivity after which
+ lock-out occurs for an individual user;
+
+
+ specification of the default time of user inactivity after
+ which lock-out occurs;
+
+
+ management of the events that should occur prior to
+ unlocking the session.
+
+
+ Locking of an interactive session by the session locking
+ mechanism.
+
+
+ Successful unlocking of an interactive session.
+
+
+ Any attempts at unlocking an interactive session.
+
+
+ The TSF shall lock an interactive session after
+
+
+ time interval of user inactivity
+
+
+
+ the PP/ST author should specify the interval of user
+ inactivity that will trigger the locking of an
+ interactive session. If so desired the PP/ST author
+ could, through the assignment, specify that the time
+ interval is left to the authorised administrator or
+ the user. The management functions in the FMT class
+ can specify the capability to modify this time
+ interval, making it the default value.
+
+
+ by:
+
+
+ clearing or overwriting display devices, making the
+ current contents unreadable;
+
+
+ disabling any activity of the user's data
+ access/display devices other than unlocking the session.
+
+
+
+
+ The TSF shall require the following events to occur prior to
+ unlocking the session:
+
+
+ events to occur
+
+
+
+ the PP/ST author should specify the event(s) that
+ should occur before the session is unlocked. Examples
+ of such an event are: ``user
+ re-authentication'' or ``user
+ enters unlock key-sequence''.
+
+ .
+
+
+
+
+
+
+
+
+ , provides the capability for
+ an authorised user to lock and unlock his/her own interactive
+ session. This would provide authorised users with the ability to
+ effectively block further use of their active sessions without
+ having to terminate the active session.
+
+ If devices are overwritten, the replacement contents need
+ not be static (i.e. ``screen savers''
+ are permitted).
+
+
+
+ , provides capabilities for the user
+ to lock and unlock the user's own interactive
+ sessions.
+
+
+ management of the events that should occur prior to
+ unlocking the session.
+
+
+
+
+ The TSF shall allow user-initiated locking of the
+ user's own interactive session, by:
+
+
+ clearing or overwriting display devices, making the
+ current contents unreadable;
+
+
+ disabling any activity of the user's data
+ access/display devices other than unlocking the session.
+
+
+
+
+ The TSF shall require the following events to occur prior to
+ unlocking the session:
+
+
+ events to occur
+
+
+
+ the PP/ST author should specify the event(s) that
+ should occur before the session is unlocked. Examples
+ of such an event are: ``user
+ re-authentication'', or ``user
+ enters unlock key-sequence''.
+
+ .
+
+
+
+
+
+
+ , requires that the TSF terminate an
+ interactive user session after a period of inactivity.
+
+ The PP/ST author should be aware that a session may
+ continue after the user terminated his/her activity, for
+ example, background processing. This requirement would
+ terminate this background subject after a period of
+ inactivity of the user without regard to the status of the
+ subject.
+
+
+ , provides requirements for
+ the TSF to terminate the session after a specified period of
+ user inactivity.
+
+
+ specification of the time of user inactivity after which
+ termination of the interactive session occurs for an
+ individual user;
+
+
+ specification of the default time of user inactivity after
+ which termination of the interactive session occurs.
+
+
+ Termination of an interactive session by the session locking
+ mechanism.
+
+
+ The TSF shall terminate an interactive session after a
+
+
+ time interval of user inactivity
+
+
+
+ the PP/ST author should specify the interval of user
+ inactivity that will trigger the termination of an
+ interactive session. If so desired, the PP/ST author
+ could, through the assignment, specify that the
+ interval is left to the authorised administrator or
+ the user. The management functions in the FMT class
+ can specify the capability to modify this time
+ interval, making it the default value.
+
+ .
+
+ , provides the capability for an
+ authorised user to terminate his/her interactive
+ session..
+ The PP/ST author should be aware that a session may continue
+ after the user terminated his/her activity, for example,
+ background processing. This requirement would allow the user
+ to terminate this background subject without regard to the
+ status of the subject., provides capabilities for the user
+ to terminate the user's own interactive sessions.
+ Termination of an interactive session by the user.
+
+ The TSF shall allow user-initiated termination of the user's own
+ interactive session.
+
+
+
+
+
+
+ This family defines requirements to display a configurable
+ advisory warning message to users regarding the appropriate
+ use of the TOE.
+
+
+
+ Prior to identification and authentication, TOE access
+ requirements provide the ability for the TOE to display an
+ advisory warning message to potential users pertaining to
+ appropriate use of the TOE.
+
+
+
+
+
+ This component requires that there is an advisory warning
+ regarding the unauthorised use of the TOE. A PP/ST author
+ could refine the requirement to include a default banner.
+
+
+
+ , provides the requirement for a TOE
+ Access Banner. This banner is displayed prior to the
+ establishment dialogue for a session.
+
+
+ maintenance of the banner by the authorised administrator.
+
+
+ Before establishing a user session, the TSF shall display an
+ advisory warning message regarding unauthorised use of the
+ TOE.
+
+
+
+
+
+
+
+ This family defines requirements for the TSF to display to a
+ user, upon successful session establishment, a history of
+ successful and unsuccessful attempts to access the
+ user's account.
+
+
+
+ This family defines requirements for the TSF to display to
+ users, upon successful session establishment to the TOE, a
+ history of unsuccessful attempts to access the account. This
+ history may include the date, time, means of access, and
+ port of the last successful access to the TOE, as well as
+ the number of unsuccessful attempts to access the TOE since
+ the last successful access by the identified user.
+
+
+
+
+
+
+ This family can provide authorised users with information
+ that may indicate the possible misuse of their user
+ account.
+
+ This component request that the user is presented with the
+ information. The user should be able to review the
+ information, but is not forced to do so. If a user so
+ desires he might, for example, create scripts that ignore
+ this information and start other processes.
+
+
+
+ , provides the requirement for a TOE
+ to display information related to previous attempts to
+ establish a session.
+
+
+ Upon successful session establishment, the TSF shall display
+ the
+
+
+ date
+
+
+ time
+
+
+ method
+
+
+ location
+
+
+
+ the PP/ST author should select the security attributes
+ of the last successful session establishment that will
+ be shown at the user interface.
The items are: date,
+ time, method of access (such as ftp), and/or location
+ (e.g. terminal 50).
+
+
+ of the last successful session establishment to the user.
+
+
+ Upon successful session establishment, the TSF shall display
+ the
+
+
+ date
+
+
+ time
+
+
+ method
+
+
+ location
+
+
+
+ the PP/ST author should select the security attributes
+ of the last unsuccessful session establishment that
+ will be shown at the user interface. The items are:
+ date, time, method of access (such as ftp), and/or
+ location (e.g. terminal 50).
+
+
+ of the last unsuccessful attempt to session establishment
+ and the number of unsuccessful attempts since the last
+ successful session establishment.
+
+
+ The TSF shall not erase the access history information from
+ the user interface without giving the user an opportunity to
+ review the information.
+
+
+
+
+
+
+ This family defines requirements to deny a user permission
+ to establish a session with the TOE.
+
+
+
+ This family defines requirements to deny an user permission
+ to establish a session with the TOE based on attributes such
+ as the location or port of access, the user's security
+ attribute (e.g. identity, clearance level, integrity level,
+ membership in a role), ranges of time (e.g. time-of-day,
+ day-of-week, calendar dates) or combinations of parameters.
+
+ This family provides the capability for the PP/ST author to
+ specify requirements for the TOE to place constraints on the
+ ability of an authorised user to establish a session with
+ the TOE. The identification of relevant constraints can be
+ achieved through the use of the selection
+ operation. Examples of attributes that could be used to
+ specify the session establishment constraints are:
+
+
+ The location of access can be used to constrain the
+ ability of a user to establish an active session with
+ the TOE, based on the user's location or port
+ of access.
This capability is of particular use in
+ environments where dial-up facilities or network
+ facilities are available.
+
+
+ The user's security attributes can be used to
+ place constraints on the ability of a user to establish
+ an active session with the TOE. For example, these
+ attributes would provide the capability to deny session
+ establishment based on any of the following:
+
+
+ a user's identity;
+
+
+ a user's clearance level;
+
+
+ a user's integrity level; and
+
+
+ a user's membership in a role.
+
+
+
+
+
+ This capability is particularly relevant in situations where
+ authorisation or login may take place at a different
+ location from where TOE access checks are performed.
+
+
+ The time of access can be used to constrain the ability
+ of a user to establish an active session with the TOE
+ based on ranges of time. For example, ranges may be
+ based upon time-of-day, day-of-week, or calendar
+ dates. This constraint provides some operational
+ protection against actions that could occur at a time
+ where proper monitoring or where proper procedural
+ measures may not be in place.
+
+
+
+
+
+
+
+ , provides requirements for denying
+ users access to the TOE based on attributes.
+
+
+ management of the session establishment conditions by the
+ authorised administrator.
+
+
+ Denial of a session establishment due to the session
+ establishment mechanism.
+
+
+ All attempts at establishment of a user session.
+
+
+ Capture of the value of the selected access parameters
+ (e.g. location of access, time of access).
+
+
+ The TSF shall be able to deny session establishment based on
+
+
+ attributes
+
+
+
+ the PP/ST author should specify the attributes that
+ can be used to restrict the session
+ establishment. Example of possible attributes are user
+ identity, originating location (e.g. no remote
+ terminals), time of access (e.g. outside hours), or
+ method of access (e.g. X-windows).
+
+ .
+
+
+
+
+
+
+
+ Families in this class provide requirements for a trusted
+ communication path between users and the TSF, and for a
+ trusted communication channel between the TSF and other
+ trusted IT products. Trusted paths and channels have the
+ following general characteristics:
+
+
+ The communications path is constructed using internal and
+ external communications channels (as appropriate for the
+ component) that isolate an identified subset of TSF data
+ and commands from the remainder of the TSF and user data.
+
+
+ Use of the communications path may be initiated by the
+ user and/or the TSF (as appropriate for the component).
+
+
+ The communications path is capable of providing assurance
+ that the user is communicating with the correct TSF, and
+ that the TSF is communicating with the correct user (as
+ appropriate for the component).
+
+
+
+ In this paradigm, a trusted channel is a communication channel
+ that may be initiated by either side of the channel, and
+ provides non-repudiation characteristics with respect to the
+ identity of the sides of the channel.
+
+ A trusted path provides a means for users to perform functions
+ through an assured direct interaction with the TSF. Trusted
+ path is usually desired for user actions such as initial
+ identification and/or authentication, but may also be desired
+ at other times during a user's session. Trusted
+ path exchanges may be initiated by a user or the TSF. User
+ responses via the trusted path are guaranteed to be protected
+ from modification by or disclosure to untrusted applications.
+
+
+
+ Users often need to perform functions through direct
+ interaction with the TSF. A trusted path provides confidence
+ that a user is communicating directly with the TSF whenever it
+ is invoked. A user's response via the trusted path
+ guarantees that untrusted applications cannot intercept or
+ modify the user's response.
Similarly, trusted
+ channels are one approach for secure communication between the
+ TSF and another trusted IT product.
+
+ Absence of a trusted path may allow breaches of accountability
+ or access control in environments where untrusted applications
+ are used. These applications can intercept user-private
+ information, such as passwords, and use it to impersonate
+ other users. As a consequence, responsibility for any system
+ actions cannot be reliably assigned to an accountable
+ entity. Also, these applications could output erroneous
+ information on an unsuspecting user's display,
+ resulting in subsequent user actions that may be erroneous and
+ may lead to a security breach.
+
+
+
+
+
+ This family defines requirements for the creation of a
+ trusted channel between the TSF and other trusted IT
+ products for the performance of security critical
+ operations. This family should be included whenever there
+ are requirements for the secure communication of user or TSF
+ data between the TOE and other trusted IT products.
+
+
+
+ This family defines the rules for the creation of a trusted
+ channel connection that goes between the TSF and another
+ trusted IT product for the performance of security critical
+ operations between the products. An example of such a
+ security critical operation is the updating of the TSF
+ authentication database by the transfer of data from a
+ trusted product whose function is the collection of audit
+ data.
+
+
+
+
+
+ This component should be used when a trusted communication
+ channel between the TSF and another trusted IT product is
+ required.
+
+
+
+ , requires that the TSF provide a
+ trusted communication channel between itself and another
+ trusted IT product.
+
+
+ Configuring the actions that require trusted channel, if
+ supported.
+
+
+ Failure of the trusted channel functions.
+
+
+ Identification of the initiator and target of failed trusted
+ channel functions.
+
+
+ All attempted uses of the trusted channel functions.
+
+
+ Identification of the initiator and target of all trusted
+ channel functions.
+
+
+ The TSF shall provide a communication channel between itself
+ and another trusted IT product that is logically distinct
+ from other communication channels and provides assured
+ identification of its end points and protection of the
+ channel data from modification or disclosure.
+
+
+ The TSF shall permit
+
+ the TSF
+
+ another trusted IT product
+
+ the PP/ST author must specify whether the local TSF,
+ another trusted IT product, or both shall have the
+ capability to initiate the trusted channel.
+ to initiate communication via the trusted channel.
+
+
+ The TSF shall initiate communication via the trusted channel
+ for
+
+
+ list of functions for which a trusted channel is
+ required
+
+
+
+ the PP/ST author should specify the functions for
+ which a trusted channel is required. Examples of these
+ functions may include transfer of user, subject,
+ and/or object security attributes and ensuring
+ consistency of TSF data.
+
+ .
+
+
+
+
+
+
+
+ This family defines the requirements to establish and
+ maintain trusted communication to or from users and the
+ TSF. A trusted path may be required for any
+ security-relevant interaction. Trusted path exchanges may be
+ initiated by a user during an interaction with the TSF, or
+ the TSF may establish communication with the user via a
+ trusted path.
+
+
+
+ This family defines the requirements to establish and
+ maintain trusted communication to or from users and the
+ TSF. A trusted path may be required for any
+ security-relevant interaction. Trusted path exchanges may be
+ initiated by a user during an interaction with the TSF, or
+ the TSF may establish communication with the user via a
+ trusted path.
+
+
+
+
+
+ This component should be used when trusted communication
+ between a user and the TSF is required, either for initial
+ authentication purposes only or for additional specified
+ user operations.
+
+
+
+ , requires that a trusted path
+ between the TSF and a user be provided for a set of events
+ defined by a PP/ST author. The user and/or the TSF may
+ have the ability to initiate the trusted path.
+
+
+ Configuring the actions that require trusted path, if
+ supported.
+
+
+ Failures of the trusted path functions.
+
+
+ Identification of the user associated with all trusted path
+ failures, if available.
+
+
+ All attempted uses of the trusted path functions.
+
+
+ Identification of the user associated with all trusted path
+ invocations, if available.
+
+
+ The TSF shall provide a communication path between itself and
+
+ remote
+
+ local
+
+ the PP/ST author should specify whether the trusted path
+ must be extended to remote and/or local users.
+ users that is logically distinct from other communication
+ paths and provides assured identification of its end points
+ and protection of the communicated data from
+
+ modification
+
+ disclosure
+
+ other types of integrity or confidentiality violation
+
+ if selected, the PP/ST author should identify any
+ additional types of integrity or confidentiality
+ violation against which the trusted path shall protect
+ the data.
+ the PP/ST author should specify whether the trusted path
+ shall protect the data from modification, disclosure,
+ and/or other types of integrity or confidentiality
+ violation..
+
+
+ The TSF shall permit
+
+
+ the TSF
+
+
+ local users
+
+
+ remote users
+
+
+
+ the PP/ST author should specify whether the TSF, local
+ users, and/or remote users should be able to initiate
+ the trusted path.
+
+
+ to initiate communication via the trusted path.
+
+
+ The TSF shall require the use of the trusted path for
+
+
+ initial user authentication
+
+
+
+
+ other services for which trusted path is required
+
+
+
+ if selected, the PP/ST author should identify
+ other services for which trusted path is required,
+ if any.
+
+
+
+
+
+ the PP/ST author should specify whether the trusted
+ path is to be used for initial user authentication
+ and/or for other specified services.
+
+ .
+
+
+
+
+
+
+
+ The class encompasses five
+ families. These families specify assurance requirements that
+ are designed to provide confidence that a composed TOE will
+ operate securely when relying upon security functionality
+ provided by previously evaluated software, firmware or
+ hardware components.
+
+ Composition involves taking two or more IT entities
+ successfully evaluated against CC security assurance
+ requirements packages (base components and dependent
+ components, see ) and
+ combining them for use, with no further development of either
+ IT entity. The development of additional IT entities is not
+ included (entities that have not previously been the subject
+ of a component evaluation). The composed TOE forms a new
+ product that can be installed and integrated into any specific
+ environment instance that meets the objectives for the
+ environment.
+
+ This approach does not provide an alternative approach for the
+ evaluation of components. Composition under provides a composed TOE integrator a method, which
+ can be used as an alternative to other assurance levels
+ specified in the CC, to gain confidence in a TOE that is the
+ combination of two or more successfully evaluated components
+ without having to re-evaluate the composite TSF. (The composed
+ TOE integrator is referred to as ``developer'' throughout the
+ class, with any references to the
+ developer of the base or dependent components clarified as
+ such.)
+
+ Composed Assurance Packages, as defined in Clauses and , is an
+ assurance scale for composed TOEs. This assurance scale is
+ required in addition to EALs because to combine components
+ evaluated against EALs and gain a resulting EAL assurance, all
+ SARs in the EAL have to be applied to the composed
+ TOE. Although reuse can be made of the component TOE
+ evaluation results, there are often additional aspects of the
+ components that have to be considered in the composed TOE, as
+ described in Annex . Due to the different parties involved in a
+ composed TOE evaluation activity it is generally not possible
+ to gain all necessary evidence about these additional aspects
+ of the components to apply the appropriate EAL. Hence, CAPs
+ have been defined to address the issue of combining evaluated
+ components and gaining a meaningful result. This is discussed
+ further in .
+
+
+
+
+ In a composed TOE it is generally the case that one component
+ relies on the services provided by another component. The
+ component requiring services is termed the dependent component
+ and the component providing the services is termed the base
+ component. This interaction and distinct is discussed further
+ in Annex B. It is assumed to be the case that the developer of
+ the dependent component is supporting the composed TOE
+ evaluation in some manner (as developer, sponsor, or just
+ cooperating and providing the necessary evaluation evidence
+ from the dependent component evaluation) The components included in the CAP assurance packages
+ should not be used as augmentations for component TOE
+ evaluations, as this would provide no meaningful assurance for
+ the component.
+
+ The families within the class
+ interact in a similar manner to the , and classes in a component TOE evaluation and hence
+ leverage from the specification of requirements from those
+ classes where applicable. There are however a few items
+ specific to composed TOE evaluations. To determine how the
+ components interact and identify any deviations from the
+ evaluations of the components, the dependencies that the
+ dependent component has upon the underlying base component are
+ identified (). This reliance on
+ the base component is specified in terms of the interfaces
+ through which the dependent component makes calls for services
+ in support of the dependent component SFRs. The interfaces,
+ and at higher levels the supporting behaviour, provided by the
+ base component in response to those service requests are
+ analysed in . The family is based on the family, as at the simplest level the
+ TSF of each component can be viewed as a subsystem of the
+ composed TOE, with additional portions of each component seen
+ as additional subsystems. Therefore, the interfaces between
+ the components are seen as interactions between subsystems in
+ a component TOE evaluation.
+ + It is possible that the interfaces and supporting behaviour + descriptions provided for are + incomplete. This is determined during the conduct of . The + family takes the outputs of and + and determines whether the + components are being used in their evaluated configuration and + identifies where any specifications are incomplete, which are + then identified as inputs into testing () and vulnerability analysis () activities of the composed TOE. + + Testing of the composed TOE is performed to determine that the + composed TOE exhibits the expected behaviour as determined by + the composed TOE SFRs, and at higher levels demonstrates the + compatibility of the interfaces between the components of the + composed TOE. + + The vulnerability analysis of the composed TOE leverages from + the outputs of the vulnerability analysis of the component + evaluations. The composed TOE vulnerability analysis considers + any residual vulnerabilities from the component evaluations to + determine that the residual vulnerabilities are not applicable + to the composed TOE. A search of publicly available + information relating to the components is also performed to + identify any issues reported in the components since the + completion of the respective evaluations. + + The interaction between the + families is depicted in Figure below. This shows by solid arrowed lines where + the evidence and understanding gained in one family feeds into + the next activity and the dashed arrows identify where an + activity explicitly traces back to the composed TOE SFRs, as + described above. + +
+ + + Further discussion of the definition and interactions within + composed TOEs is provided in . + + + + Assurance class defines + requirements of the information necessary to ensure that two + or more components, which have themselves been the subject of + a CC evaluation, can be integrated in a secure manner. + + The assurance requirements will + be applied to the composed TOE to: + + + determine that the required assurance is provided by the + base component; + + determine that the base component and dependent component + are compatible; and + + search for any vulnerabilities introduced through + composing the base and dependent components into a single + composed TOE entity. + + + + The goal of this activity is to determine whether the + components can be integrated in a secure manner, as defined in + the ST for the composed TOE. This is achieved through + examination and testing of the interfaces between the + components, supported by examination of the design of the + components and the conduct of vulnerability analysis. + + + + The family identifies where + the dependent component is reliant upon IT in its operational + environment (satisfied by a base component in the composed TOE + evaluation) in order to provide its own security + services. This reliance is identified in terms of the + interfaces expected by the dependent component to be provided + by the base component. then + determines which interfaces of the base component were + considered (as TSFI) during the component evaluation of the + base component. + + It should be noted that does + not cover other evidence that may be needed to address the + technical integration problem of composing components + (e.g. descriptions of non-TSF interfaces of the operating + system, rules for integration, etc.). This is outside the + security assessment of the composition and is a functional + composition issue. 
+ + As part of the evaluator will + perform testing of the composed TOE SFRs at the composed TOE + interfaces and of the interfaces of the base component relied + upon by the dependent component to confirm they operate as + specified. The subset selected will consider the possible + effects of changes to the configuration/use of the base + component as used in the composed TOE. These changes are + identified from the configuration of the base component + determined during the base component evaluation. The developer + will provide test evidence for each of the base component + interfaces (the requirements for coverage are consistent with + those applied to the evaluation of the base component). + + requires the evaluator to + determine whether the appropriate assurance measures have been + applied to the base component, and whether the base component + is being used in its evaluated configuration. This includes + determination of whether all security functionality required + by the dependent component was within the TSF of the base + component. The requirement + may be met through the production of evidence that each of + these is demonstrated to be upheld. This evidence may be in + the form of the security target and a public report of the + component evaluation (e.g. certification report). + + If, on the other hand, one of the above have not been upheld, + then it may be possible that an argument can be made as to why + the assurance gained during an original evaluation is + unaffected. If this is not possible then additional evaluation + evidence for those aspects of the base component not covered + may have to be provided. This material is then assessed in + . + + For example, it may be the case as described in the + Interactions between entities (see Annex in CC Part 3) that the + dependent component requires the base component to provide + more security functionality in the composed TOE than included + in the base component evaluation. 
This would be determined + during the application of the + and families. In this case + the composition rationale evidence provided for would demonstrate that the + assurance gained from the base component evaluation is + unaffected. This may be achieved by means including: + + + Performing a re-evaluation of the base component focusing + on the evidence relating to the extended part of the + TSF; + + Demonstrating that the extended part of the TSF cannot + affect other portions of the TSF, and providing evidence + that the extended part of the TSF provides the necessary + security functionality. + + + + + This family addresses the requirement to demonstrate that + the base component can provide an appropriate level of + assurance for use in composition. + + + + The family is used to + determine whether or not the appropriate assurance measures + have been applied to the base component for successful + integration in the composed TOE. That is, the SARs claimed + by the base component are consistent with the SARs in the + assurance package for the composed TOE. (e.g. if the + assurance package for the composed TOE included , a base component that was + evaluated against would + not have had the appropriate assurance measures applied, as + insufficient design evidence would have been + examined.) + + The family calls for + evidence that the appropriate assurance is provided, without + being specific about how this is achieved. If the + appropriate evidence is not available, then it may be + necessary to report an assessment of the residual risk to + assist consumers of the composed TOE + (e.g. accreditors). This report would need to identify the + change to the base component that may have an effect on the + assurance gained during the original evaluation, along with + any known effects. + + + + + There is only a single component in this family. 
+ + + + + + + + The evaluation evidence for this sub-activity is: + + + the composed ST; + + the composition rationale; + + the reliance information; + + the development information; + + unique identifier. + + + + + The developer shall provide composition rationale for the + base component. + + + The composition rationale shall demonstrate that a level of + assurance at least as high as that of the dependent + component has been obtained for the support functionality of + the base component, when the base component is configured as + required to support the TSF of the dependent component. + + + The evaluator shall confirm that the information meets all + requirements for content and presentation of evidence. + + + + The evaluator shall examine the correspondence analysis + with the development information and the reliance + information to identify the interfaces that are relied + upon by the dependent component which are not detailed + in the development information. + + The evaluator's goal in this work unit is two fold: + + + to determine which interfaces relied upon by the + dependent component have had the appropriate + assurance measures applied. + + to determine that the assurance package applied to + the base component during the base component + evaluation contained either the same assurance + requirements as those in the package applied to the + dependent component during its' evaluation, or + hierarchically higher assurance requirements. + + + The evaluator may use the correspondence tracing in the + development information developed during the activities (e.g. , , ) to + help identify the interfaces identified in the reliance + information that are not considered in the development + information. + + The evaluator will record the SFR-enforcing interfaces + described in the reliance information that are not + included in the development information. 
These will + provide input to + work unit, helping to identify the portions of the base + component in which further assurance is required. + + If the both the base and dependent components were + evaluated against the same assurance package, then the + determination of whether the level of assurance in the + portions within the base component evaluation is at + least as high as that of the dependent component is + trivial. If however, the assurance packages applied to + the components during the component evaluations differ, + the evaluator needs to determine that the assurance + requirements applied to the base component are all + hierarchically higher to the assurance requirements + applied to the dependent component. + + + + + The evaluator shall examine the composition rationale to + determine, for those included base component interfaces + on which the dependent TSF relies, whether the interface + was considered during the evaluation of the base + component. + + The ST, component public evaluation report (e.g. certification + report) and guidance documents for the base component all + provide information on the scope and boundary of the base + component. The ST provides details of the logical scope and + boundary of the composed TOE, allowing the evaluator to + determine whether an interface relates to a portion of the + product that was within the scope of the evaluation. The + guidance documentation provides details of use of all interfaces + for the composed TOE. Although the guidance documentation may + include details of interfaces in the product that are not within + the scope of the evaluation, any such interfaces should be + identifiable, either from the scoping information in the ST or + through a portion of the guidance that deals with the evaluated + configuration. The public evaluation report may provide any + additional constraints on the use of the composed TOE that are + necessary. 
+ + Therefore, the combination of these inputs allows the + evaluator to determine whether an interface described in + the composition rationale has the necessary assurance + associated with it, or whether further assurance is + required. The evaluator will record those interfaces of + the base component for which additional assurance is + required, for consideration during . + + + + + The evaluator shall examine the composition rationale to + determine that the necessary assurance measures have + been applied to the base component. + + The evaluation verdicts, and resultant assurance, for + the base component can be reused provided the same + portions of the base component are used in the composed + TOE and they are used in a consistent manner. + + In order to determine whether the necessary assurance + measures have already been applied to the component, and + the portions of the component for which assurance + measures still need to be applied, the evaluator should + use the output of the .*.2E action and the work units and : + + + + For those interfaces identified in the reliance + information (), but + not discussed in development information (), additional information + is required. (Identified in .) + + For those interfaces used inconsistently in the + composed TOE from the base component (difference + between the information provided in and the impact of the differences in use + need to be considered. (Identified in .*.2E.) + + For those interfaces identified in composition + rationale for which no assurance has previously been + gained, additional information is + required. (Identified in .) + + For those interfaces consistently described in the + reliance information, composition rationale and the + development information, no further action is + required as the results from the base component + evaluation can be re-used. 
+ + The interfaces of the base component reported to be + required by the reliance information but not included in + the development information indicate the portions of the + base component where further assurance is required. The + interfaces identify the entry points into the base + component. + + For those interfaces included in both the development + information and reliance information, the evaluator is + to determine whether the interfaces are being used in + the composed TOE in a manner that is consistent with the + base component evaluation. The method of use of the + interface will be considered during the activities to determine that + the use of the interface is consistent in both the base + component and the composed TOE. The remaining + consideration is the determination of whether the + configurations of the base component and the composed + TOE are consistent. To determine this, the evaluator + will consider the guidance documentation of each to + ensure they are consistent (see further guidance below + regarding consistent guidance documentation). Any + deviation in the documentation will be further analysed + by the evaluation to determine the possible + effects. + + For those interfaces that are consistently described in + the reliance information and development information, + and for which the guidance is consistent for the base + component and the composed TOE, the required level of + assurance has been provided. + + The following subsubclauses provide guidance on how to + determine consistency between assurance gained in the + base component, the evidence provided for the composed + TOE, and the analysis performed by the evaluator in the + instances where inconsistencies are identified. + + + The reliance information identifies the interfaces in + the dependent component that are to be matched by the + base component. 
If an interface identified in the + reliance information is not identified in the + development information, then the composition + rationale is to provide a justification of how the + base component provides the required + interfaces. + + If an interface identified in the reliance information + is identified in the development information, but + there are inconsistencies between the descriptions, + further analysis is required. The evaluator identifies + the differences in use of the base component as + considered in the base component evaluation and the + composed TOE evaluation. The evaluator will devise + testing to be performed (during the conduct of ) to test the + interface. + + The patch status of the base and dependent components + as used in the composed TOE should be compared to the + patch status of the components during the component + evaluations. If any patches have been applied to the + components, the composition rationale is to include + details of the patches, including any potential impact + to the SFRs of the evaluated component. The evaluator + should consider the details of the changes provided + and verify the accuracy of the potential impact of the + change on the component SFRs. The evaluator should + then consider whether the changes made by the patch + should be verified through testing, and will identify + the necessary testing approach. The testing may take + the form of repeating the applicable + evaluator/developer testing performed for the + component evaluation of the component or it may be + necessary for the evaluator to devise new tests to + confirm the modified component. + + If any of the individual components have been the + subject of assurance continuity activities since the + completion of the component evaluation, the evaluator + will consider the changes assessed in the assurance + continuity activities during the independent + vulnerability analysis activity for the composed TOE + (in ). 
+ + + + The guidance for the composed TOE is likely to make + substantial reference out to the guidance for the + individual components. The minimal guidance expected + to be necessary is the identification of any ordering + dependencies in the application of guidance for the + dependent and base components, particularly during the + preparation (installation) of the composed TOE. + + In addition to the application of the and families to the guidance for the + composed TOE, it is necessary to analyse the + consistency between the guidance for the components + and the composed TOE, to identify any + deviations. + + If the composed TOE guidance refers out to the base + component and dependent component guidance, then the + consideration for consistency is limited to + consistency between the guidance documentation + provided for each of the components (i.e. consistency + between the base component guidance and the dependent + component guidance). However, if additional guidance + is provided for the composed TOE, to that provided for + the components, greater analysis is required, as + consistency is also required between the guidance + documentation for the components and guidance + documentation for the composed TOE. + + Consistent in this instance is + understood to mean that either the guidance is the + same or it places additional constraints on the + operation of the individual components when combined, + in a similar manner to refinement of + functional/assurance components. + + With the information available (that used as input for + or the development + aspects discussed above) the evaluator may be able to + determine all possible impacts of the deviation from + the configuration of the base component specified in + the component evaluation. 
However, for high EALs + (where evaluation of the base component included requirements) it is + possible that, unless detailed design abstractions for + the base component are delivered as part of the + development information for the composed TOE, the + possible impacts of the modification to the guidance + cannot be fully determined as the internals are + unknown. In this case the evaluator will report the + residual risk of the analysis. + + These residual risks are to be included in any public + evaluation report for the composed TOE. + + The evaluator will note these variances in the + guidance for input into evaluator independent testing + activities (). + + The guidance for the composed TOE may add to the + guidance for the components, particularly in terms of + installation and the ordering of installation steps + for the base component in relation to the installation + steps for the dependent component. The ordering of + the steps for the installation of the individual + components should not change, however they may need to + be interleaved. The evaluator will examine this + guidance to ensure that it still meets the requirement + of the activity + performed during the evaluations of the + components. + + It may be the case that the reliance information + identifies that interfaces of the base component, in + addition to those identified as TSFIs of the base + component, are relied upon by the dependent component + are identified in the reliance information. It may be + necessary for guidance to be provided for the use of + any such additional interfaces in the base + component. Provided the consumer of the composed TOE + is to receive the guidance documentation for the base + component, then the results of the and + verdicts for the base component can be reused for + those interfaces considered in the evaluation of the + base component. 
However, for the additional interfaces + relied upon by the dependent component, the evaluator + will need to determine that the guidance documentation + for the base component meets the requirements of and , as applied in the base component + evaluations. + + For those interfaces considered during the base + component evaluation, and therefore, for which + assurance has already been gained, the evaluator will + ensure that the guidance for the use of each interface + for the composed TOE is consistent with that provided + for the base component. To determine the guidance for + the composed TOE is consistent with that for the base + component, the evaluator should perform a mapping for + each interface to the guidance provided for both the + composed TOE and the base component. The evaluator + then compares the guidance to determine + consistency. + + Examples of additional constraints provided in + composed TOE guidance that would be considered to be + consistent with component guidance are (guidance for a + component is given followed by an example of guidance + for a composed TOE that would be considered to provide + additional constraints): + + + Component: The password length must be set to a + minimum of 8 characters length, including + alphabetic and numeric characters. + + Composed TOE: The password length must be set to a + minimum of 10 characters in length, including + alphabetic and numeric characters and at + least one of the following special characters: ( ) + { } ^ < > - _ + + NOTE: It would only be acceptable to increase the + password length to [integer > + 8] characters while removing the mandate + for the inclusion of both alphabetic and numeric + characters for the composed TOE, if the same or a + higher metric was achieved for the strength rating + (taking into account the likelihood of the + password being guessed). 
+ + Component: The following services are to be + disabled in the registry settings: WWW Publishing + Service and ICDBReporter service. + + Composed TOE: The following services are to be + disabled in the registry settings: + Publishing Service, ICDBReporter service, + Remote Procedure Call (RPC) Locator and Procedure + Call (RPC) Service. + + Component: Select the following attributes to be + included in the accounting log files: date, time, + type of event, subject identity and + success/failure. + + Composed TOE: Select the following attributes to + be included in the accounting log files: date, + time, type of event, subject identity, + success/failure, event message and process + thread. + + If the guidance for the composed TOE deviates (is not + a refinement) from that provided for the base + component, the evaluator will assess the potential + risks of the modification to the guidance. The + evaluator will use the information available + (including that provided in the public domain, the + architectural description of the base component in the + public evaluation report (e.g. certification report), + the context of the guidance from the remainder of the + guidance documentation) to identify likely impact of + the modification to the guidance on the SFRs of the + composed TOE. + + If during the dependent component evaluation the trial + installation used the base component to satisfy the + environment requirements of the dependent component + this work unit for the composed TOE is considered to + be satisfied. If the base component was not used in + satisfaction of the work unit during the dependent component + evaluation, the evaluator will apply the user + procedures provided for the composed TOE to prepare + the composed TOE, in accordance with the guidance + specified in . 
This will allow the evaluator to + determine that the preparative guidance provided for + the composed TOE is sufficient to prepare the composed + TOE and its operational environment securely. + + + + + If there is a different delivery mechanism used for + the delivery of the composed TOE (i.e. the + components are not delivered to the consumer in + accordance with the secure delivery procedures + defined and assessed during the evaluation of the + components), the delivery procedures for the + composed TOE will require evaluation against the + requirements + applied during the components evaluations. + + The composed TOE may be delivered as an integrated + product or may require the components to be + delivered separately. + + If the components are delivered separately, the + results of the delivery of the base component and + dependent component are reused. The delivery of the + base component is checked during the evaluator trial + installation of the dependent component, using the + specified guidance and checking the aspects of + delivery that are the responsibility of the user, as + described in the guidance documentation for the base + component. + + If the composed TOE is delivered as a new entity, + then the method of delivery of that entity must be + considered in the composed TOE evaluation + activities. + + The assessment of the delivery procedures for + composed TOE items is to be performed in accordance + with the methodology for as for any other [component] TOE, + ensuring any additional items (e.g. additional + guidance documents for the composed TOE) are + considered in the delivery procedures. + + + + The unique identification of the composed TOE is + considered during the application of and the items from + which that composed TOE is comprised are considered + during the application of . 
+ + Although additional guidance may be produced for the + composed TOE, the unique identification of this + guidance (considered as part of the unique + identification of the composed TOE during ) is considered + sufficient control of the guidance. + + The verdicts of the remaining (not considered above) + activities can be + reused from the base component evaluation, as no + further development is performed during integration + of the composed TOE. + + There are no additional considerations for + development security as the integration is assumed + to take place at either the consumer's site or, in + the instance that the composed TOE is delivered as + an integrated product, at the site of the dependent + component developer. Control at the consumer's site + is outside the consideration of the CC. No + additional requirements or guidance are necessary if + integration is at the same site as that for the + dependent component, as all components are + considered to be configuration items for the + composed TOE, and should therefore be considered + under the dependent component developer's security + procedures anyway. + + Tools and techniques adopted during integration will + be considered in the evidence provided by the + dependent component developer. Any tools/techniques + relevant to the base component will have been + considered during the evaluation of the base + component. For example, if the base component is + delivered as source code and requires compilation by + the consumer (e.g. dependent component developer who + is performing integration) the compiler would have + been specified and assessed, along with the + appropriate arguments, during evaluation of the base + component. + + There is no life-cycle definition applicable to the + composed TOE, as no further development of items is + taking place. + + The results of flaw remediation for a component are + not applicable to the composed TOE. 
If flaw + remediation is included in the assurance package for + the composed TOE, then the requirements are to be applied during + the composed TOE evaluation (as for any + augmentation). + + + + + The composed TOE will have been tested during the + conduct of the activities + for evaluation of the dependent component, as the + configurations used for testing of the dependent + component should have included the base component to + satisfy the requirements for IT in the operational + environment. If the base component was not used in the + testing of the dependent component for the dependent + component evaluation, or the configuration of either + component varied from their evaluated configurations, + then the developer testing performed for evaluation of + the dependent component to satisfy the requirements is to be repeated + on the composed TOE. + + + + + + + + + This family sets out requirements for a specification of the + base component in increasing levels of detail. Such + information is required to gain confidence that the + appropriate security functionality is provided to support + the requirements of the dependent component (as identified + in the reliance information). + + + + provides details of the + base component interfaces and internals in increasing levels + of detail, mirroring the level of detail provided by . The application of these two + families will provide the specifications of security + services from each perspective of the TSF making the call + and the TSF servicing the call. + + Having the two descriptions then allows a determination to + be made, as part of the + activities (.*.2E actions), + that these two descriptions are consistent. + + + + The components are levelled on the basis of increasing + amounts of detail about the interfaces provided, and how + they are implemented. 
+ + + + The TSF of the base component is often defined without + knowledge of the dependencies of the possible applications + with which it may by composed. The TSF of this base + component is defined to include all parts of the base + component that have to be relied upon for enforcement of the + base component SFRs. This will include all parts of the base + component required to implement the base component + SFRs. + + The functional specification of the base component will + describe the TSFI in terms of the interfaces the base + component provides to allow an external entity to invoke + operations of the TSF. This includes interfaces to the + human user to permit interaction with the operation of the + TSF invoking SFRs and also interfaces allowing an external + IT entity to make calls into the TSF. + + The functional specification only provides a description of + what the TSF provides at its interface and the means by + which that TSF functionality are invoked. Therefore, the + functional specification does not necessarily provide a + complete interface specification of all possible interfaces + available between an external entity and the base + component. It does not include what the TSF expects/requires + from the operational environment. The description of what a + dependent component TSF relies upon of a base component is + considered in and the + development information evidence provides a response to the + interfaces specified. + + The development information evidence includes a + specification of the base component. This may be the + evidence used during evaluation of the base component to + satisfy the requirements, or may + be another form of evidence produced by either the base + component developer or the composed TOE developer. This + specification of the base component is used during to gain confidence that the + appropriate security functionality is provided to support + the requirements of the dependent component. 
The level of + detail required of this evidence increases to reflect the + level of required assurance in the composed TOE. This is + expected to broadly reflect the increasing confidence gained + from the application of the assurance packages to the + components. The evaluator determines that this description + of the base component is consistent with the reliance + information provided for the dependent component. + + + + + + A description of the interfaces in the base component, on + which the dependent component relies, is required. This is + examined to determine whether or not it is consistent with + the description of interfaces on which the dependent + component relies, as provided in the reliance + information. + + + + The objective of this sub-activity is to determine that + the appropriate security functionality is provided by the + base component to support the dependent component. This is + achieved through examination of the interfaces of the base + component to determine that they are consistent with the + interfaces specified in the reliance information; those + required by the dependent component. + + The description of the interfaces into the base component + is to be provided at a level of detail consistent with + although not all of the + aspects necessary for satisfaction of are required for , as once the interface has been identified + and the purpose described the remaining detail of the + interface specification can be reused from evaluation of + the base component. + + + + The evaluation evidence for this sub-activity is: + + + the composed ST; + + + the development information; + + + the reliance information. + + + + + The developer shall provide development information for the + base component. + + + The development information shall describe the purpose of + each interface of the base component used in the composed + TOE. 
+
+
+ The development information shall show correspondence
+ between the interfaces, used in the composed TOE, of the
+ base component and the dependent component to support the
+ TSF of the dependent component.
+
+
+ The evaluator shall confirm that the information meets all
+ requirements for content and presentation of evidence.
+
+
+
+ The evaluator shall examine the development information
+ to determine that it describes the purpose of each
+ interface.
+
+ The base component provides interfaces to support
+ interaction with the dependent component in the
+ provision of the dependent TSF. The purpose of each
+ interface is to be described at the same level as the
+ description of the interfaces to the dependent component
+ TSF functionality, as would be provided between
+ subsystems in the TOE design (). This description is to provide the
+ reader with an understanding of how the base component
+ provides the services required by the dependent
+ component TSF.
+
+ This work unit may be satisfied by the provision of the
+ functional specification for the base component for
+ those interfaces that are TSFIs of the base
+ component.
+
+
+
+
+ The evaluator shall examine the development information
+ to determine the correspondence, between the interfaces
+ of the base component and the interfaces on which the
+ dependent component relies, is accurate.
+
+ The correspondence between the interfaces of the base
+ component and the interfaces on which the dependent
+ component relies may take the form of a matrix or
+ table. The interfaces that are relied upon by the
+ dependent component are identified in the reliance
+ information (as examined during activity).
+
+ There is, during this activity, no requirement to
+ determine completeness of the coverage of interfaces
+ that are relied upon by the dependent component, only
+ that the correspondence is correct and ensuring that
+ interfaces of the base component are mapped to
+ interfaces required by the dependent component wherever
+ possible. The completeness of the coverage is considered
+ in activities.
+
+
+
+ The evaluator shall determine that the interface description
+ provided is consistent with the reliance information
+ provided for the dependent component.
+
+
+ The evaluator shall examine the development information
+ and the reliance information to determine that the
+ interfaces are described consistently.
+
+ The evaluator's goal in this work unit is to determine
+ that the interfaces described in the development
+ information for the base component and the reliance
+ information for the dependent component are represented
+ consistently.
+
+
+
+
+
+
+
+
+ A description of the interfaces in the base component, on
+ which the dependent component relies, is required. This is
+ examined to determine whether or not it is consistent with
+ the description of interfaces on which the dependent
+ component relies, as provided in the reliance
+ information.
+
+ In addition, the security behaviour of the base component
+ that supports the dependent component TSF is
+ described.
+
+
+
+ The objective of this sub-activity is to determine that
+ the appropriate security functionality is provided by the
+ base component to support the dependent component. This is
+ achieved through examination of the interfaces and
+ associated security behaviour of the base component to
+ determine that they are consistent with the interfaces
+ specified in the reliance information; those required by
+ the dependent component.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the composed ST;
+
+
+ the development information;
+
+
+ reliance information.
+
+
+
+
+ The developer shall provide development information for the
+ base component.
+
+
+ The development information shall describe the purpose and
+ method of use of each interface of the base component used
+ in the composed TOE.
+
+
+ The development information shall provide a high-level
+ description of the behaviour of the base component, which
+ supports the enforcement of the dependent component SFRs.
+
+
+ The development information shall show correspondence
+ between the interfaces, used in the composed TOE, of the
+ base component and the dependent component to support the
+ TSF of the dependent component.
+
+
+ The evaluator shall confirm that the information meets all
+ requirements for content and presentation of evidence.
+
+
+
+ The evaluator shall examine the development information
+ to determine that it describes the purpose of each
+ interface.
+
+ The base component provides interfaces to support
+ interaction with the dependent component in the
+ provision of the dependent TSF. The purpose of each
+ interface is to be described at the same level as the
+ description of the interfaces to the dependent component
+ TSF functionality, as would be provided between
+ subsystems in the TOE design (). This description is to provide the
+ reader with an understanding of how the base component
+ provides the services required by the dependent
+ component TSF.
+
+ This work unit may be satisfied by the provision of the
+ functional specification for the base component for
+ those interfaces that are TSFIs of the base
+ component.
+
+
+
+
+ The evaluator shall examine the development information
+ to determine that it describes the method of use for
+ each interface.
+
+ The method of use for an interface summarises how the
+ interface is manipulated in order to invoke the
+ operations and obtain results associated with the
+ interface. The evaluator should be able to determine
+ from reading this material in the development
+ information how to use each interface. This does not
+ necessarily mean that there needs to be a separate
+ method of use for each interface, as it may be possible
+ to describe in general how APIs are invoked, for
+ instance, and then identify each interface using that
+ general style.
+
+ This work unit may be satisfied by the provision of the
+ functional specification for the base component for
+ those interfaces that are TSFIs of the base
+ component.
+
+
+
+ The evaluator shall examine the development information
+ to determine that it describes the behaviour of the base
+ component that supports the enforcement of the dependent
+ component SFRs.
+
+ The dependent component invokes interfaces of the base
+ component for the provision of services by the base
+ component. For the interfaces of the base component that
+ are invoked, the development information shall provide a
+ high-level description of the associated security
+ behaviour of the base component. The description of the
+ base component security behaviour will outline how the
+ base component provides the necessary service when the
+ call to the interface is made. This description is to be
+ at a level similar to that provided for . Therefore, the provision
+ of the TOE design evidence from the base component
+ evaluation would satisfy this work unit, where the
+ interfaces invoked by the dependent component are TSFI
+ of the base component. If the interfaces invoked by the
+ dependent component are not TSFIs of the base component
+ it is the associated security behaviour will not
+ necessarily be described in the base component TOE
+ design evidence.
+
+
+
+
+ The evaluator shall examine the development information
+ to determine the correspondence, between the interfaces
+ of the base component and the interfaces on which the
+ dependent component relies, is accurate.
+
+ The correspondence between the interfaces of the base
+ component and the interfaces on which the dependent
+ component relies may take the form of a matrix or
+ table. The interfaces that are relied upon by the
+ dependent component are identified in the reliance
+ information (as examined during ).
+
+ There is, during this activity, no requirement to
+ determine completeness of the coverage of interfaces
+ that are relied upon by the dependent component, only
+ that the correspondence is correct and ensuring that
+ interfaces of the base component are mapped to
+ interfaces required by the dependent component wherever
+ possible. The completeness of the coverage is considered
+ in activities.
+
+
+
+ The evaluator shall determine that the interface description
+ provided is consistent with the reliance information
+ provided for the dependent component.
+
+
+ The evaluator shall examine the development information
+ and the reliance information to determine that the
+ interfaces are described consistently.
+
+ The evaluator's goal in this work unit is to determine
+ that the interfaces described in the development
+ information for the base component and the reliance
+ information for the dependent component are represented
+ consistently.
+
+
+
+
+
+
+
+ A description of the interfaces in the base component, on
+ which the dependent component relies, is required. This is
+ examined to determine whether or not it is consistent with
+ the description of interfaces on which the dependent
+ component relies, as provided in the reliance
+ information.
+
+ The interface description of the architecture of the base
+ component is provided to enable the evaluator to determine
+ whether or not that interface formed part of the TSF of
+ the base component.
+
+
+
+ The objective of this sub-activity is to determine that
+ the appropriate security functionality is provided by the
+ base component to support the dependent component. This is
+ achieved through examination of the interfaces and
+ associated security behaviour of the base component to
+ determine that they are consistent with the interfaces
+ specified in the reliance information; those required by
+ the dependent component.
+
+ In addition to the interface description, the subsystems
+ of the base component that provide the security
+ functionality required by the dependent component will be
+ described to enable the evaluator to determine whether or
+ not that interface formed part of the TSF of the base
+ component.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the composed ST;
+
+
+ the development information;
+
+
+ reliance information.
+
+
+
+
+ The developer shall provide development information for the
+ base component.
+
+
+ The development information shall describe the purpose and
+ method of use of each interface of the base component used
+ in the composed TOE.
+
+
+ The development information shall identify the subsystems of
+ the base component that provide interfaces of the base
+ component used in the composed TOE.
+
+
+ The development information shall provide a high-level
+ description of the behaviour of the base component
+ subsystems, which support the enforcement of the dependent
+ component SFRs.
+
+
+ The development information shall provide a mapping from the
+ interfaces to the subsystems of the base component.
+
+
+ The development information shall show correspondence
+ between the interfaces, used in the composed TOE, of the
+ base component and the dependent component to support the
+ TSF of the dependent component.
+
+
+ The evaluator shall confirm that the information meets all
+ requirements for content and presentation of evidence.
+
+
+
+ The evaluator shall examine the development information
+ to determine that it describes the purpose of each
+ interface.
+
+ The base component provides interfaces to support
+ interaction with the dependent component in the
+ provision of the dependent TSF. The purpose of each
+ interface is to be described at the same level as the
+ description of the interfaces to the dependent component
+ TSF functionality, as would be provided between
+ subsystems in the TOE design (). This description is to provide the
+ reader with an understanding of how the base component
+ provides the services required by the dependent
+ component TSF.
+
+ This work unit may be satisfied by the provision of the
+ functional specification for the base component for
+ those interfaces that are TSFIs of the base
+ component.
+
+
+
+
+ The evaluator shall examine the development information
+ to determine that it describes the method of use for
+ each interface.
+
+ The method of use for an interface summarises how the
+ interface is manipulated in order to invoke the
+ operations and obtain results associated with the
+ interface. The evaluator should be able to determine
+ from reading this material in the development
+ information how to use each interface. This does not
+ necessarily mean that there needs to be a separate
+ method of use for each interface, as it may be possible
+ to describe in general how APIs are invoked, for
+ instance, and then identify each interface using that
+ general style.
+
+ This work unit may be satisfied by the provision of the
+ functional specification for the base component for
+ those interfaces that are TSFIs of the base
+ component.
+
+
+
+ The evaluator shall examine the development information
+ to determine that all subsystems of the base component
+ that provide interfaces to the dependent component are
+ identified.
+
+ For those interfaces that are considered to form part of
+ the TSFI of the base component, the subsystems
+ associated with the interface will be subsystems
+ considered in the
+ activity during the base component evaluation. The
+ interfaces on which the dependent component relies that
+ did not form part of the TSFI of the base component will
+ map to subsystems outside of the base component
+ TSF.
+
+
+
+ The evaluator shall examine the development information
+ to determine that it describes the behaviour of the base
+ component subsystems that support the enforcement of the
+ dependent component SFRs.
+
+ The dependent component invokes interfaces of the base
+ component for the provision of services by the base
+ component. For the interfaces of the base component that
+ are invoked, the development information shall provide a
+ high-level description of the associated security
+ behaviour of the base component. The description of the
+ base component security behaviour will outline how the
+ base component provides the necessary service when the
+ call to the interface is made. This description is to be
+ at a level similar to that provided for . Therefore, the provision
+ of the TOE design evidence from the base component
+ evaluation would satisfy this work unit, where the
+ interfaces invoked by the dependent component are TSFI
+ of the base component. If the interfaces invoked by the
+ dependent component are not TSFIs of the base component
+ it is the associated security behaviour will not
+ necessarily be described in the base component TOE
+ design evidence.
+
+
+
+
+ The evaluator shall examine the development information
+ to determine that the correspondence between the
+ interfaces and subsystems of the base component is
+ accurate.
+
+ If the TOE design and functional specification evidence
+ from the base component evaluation is available, this
+ can be used to verify the accuracy of the correspondence
+ between the interfaces and subsystems of the base
+ component as used in the composed TOE. Those interfaces
+ of the base component, which formed part of the base
+ component TSFI will be described in the base component
+ functional specification, and the associated subsystems
+ will be described in the base component TOE design
+ evidence. The tracing between the two will be provided
+ in the base component TOE design evidence.
+
+ If, however, the base component interface did not form
+ part of the TSFI of the base component, the description
+ of the subsystem behaviour provided in the development
+ information will be used to verify the accuracy of the
+ correspondence.
+
+
+
+ The evaluator shall examine the development information
+ to determine the correspondence, between the interfaces
+ of the base component and the interfaces on which the
+ dependent component relies, is accurate.
+
+ The correspondence between the interfaces of the base
+ component and the interfaces on which the dependent
+ component relies may take the form of a matrix or
+ table. The interfaces that are relied upon by the
+ dependent component are identified in the reliance
+ information (as examined during ).
+
+ There is, during this activity, no requirement to
+ determine completeness of the coverage of interfaces
+ that are relied upon by the dependent component, only
+ that the correspondence is correct and ensuring that
+ interfaces of the base component are mapped to
+ interfaces required by the dependent component wherever
+ possible. The completeness of the coverage is considered
+ in activities.
+
+
+
+ The evaluator shall determine that the interface description
+ provided is consistent with the reliance information
+ provided for the dependent component.
+
+
+ The evaluator shall examine the development information
+ and the reliance information to determine that the
+ interfaces are described consistently.
+
+ The evaluator's goal in this work unit is to determine
+ that the interfaces described in the development
+ information for the base component and the reliance
+ information for the dependent component are represented
+ consistently.
+
+
+
+
+
+
+ The purpose of this family is to provide evidence that
+ describes the reliance that a dependent component has upon
+ the base component. This information is useful to persons
+ responsible for integrating the component with other
+ evaluated IT components to form the composed TOE, and for
+ providing insight into the security properties of the
+ resulting composition.
+
+ This provides a description of the interface between the
+ dependent and base components of the composed TOE that may
+ not have been analysed during evaluation of the individual
+ components, as the interfaces were not TSFIs of the
+ individual component TOEs.
+
+
+
+ The family considers the
+ interactions between the components where the dependent
+ component relies upon a service from the base component to
+ support the operation of security functionality of the
+ dependent component. The interfaces into these services of
+ the base component may not have been considered during
+ evaluation of the base component because the service in the
+ base component was not considered security-relevant during
+ evaluation of the component, either because of the inherent
+ purpose of the service (e.g., adjust type font) or because
+ associated CC SFRs are not being claimed in the base
+ component's ST (e.g. the login interface when no SFRs are claimed). These interfaces
+ into the base component are often viewed as functional
+ interfaces when evaluating the base component, and are in
+ addition to the security interfaces (TSFIs) considered in
+ the functional specification.
+
+
+
+ The components in this family are levelled according to the
+ amount of detail provided in the description of the reliance
+ by the dependent component upon the base component.
+
+
+
+ The family considers the
+ interactions between the components where the dependent
+ component relies upon a service from the base component to
+ support the operation of security functionality of the
+ dependent component. The interfaces into these services of
+ the base component may not have been considered during
+ evaluation of the base component because the service in the
+ base component was not considered security-relevant in the
+ component evaluation, either because of the inherent purpose
+ of the service (e.g., adjust type font) or because
+ associated CC SFRs are not being claimed in the base
+ component's ST (e.g. the login interface when no SFRs are claimed). These interfaces
+ into the base component are often viewed as functional
+ interfaces in the evaluation of the base component, and are
+ in addition to the security interfaces (TSFI) considered in
+ the functional specification.
+
+ In summary, the TSFIs described in the functional
+ specification only include the calls made into a TSF by
+ external entities and responses to those calls. Calls made
+ by a TSF, which were not explicitly considered during
+ evaluation of the components, are described by the reliance
+ information provided to satisfy .
+
+
+
+
+ The objectives of this sub-activity are to determine
+ whether the developer's reliance evidence provides
+ sufficient information to determine that the necessary
+ functionality is available in the base component, and the
+ means by which that functionality is invoked. These are
+ provided in terms of a high-level description.
+
+
+
+
+ A dependent component whose TSF interacts with the base
+ component requires functionality provided by that base
+ component (e.g., remote authentication, remote audit data
+ storage). In these cases, those invoked services need to
+ be described for those charged with configuring the
+ composed TOE for end users. The rationale for requiring
+ this documentation is to aid integrators of the composed
+ TOE to determine what services in the base component might
+ have adverse effects on the dependent component, and to
+ provide information against which to determine the
+ compatibility of the components when applying the family.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the composed ST;
+
+
+ the dependent component functional specification;
+
+
+ the dependent component design;
+
+
+ the dependent component architectural design;
+
+
+ the reliance information.
+
+
+
+
+ The developer shall provide reliance information of the
+ dependent component.
+
+
+ The reliance information shall describe the functionality of
+ the base component hardware, firmware and/or software that
+ is relied upon by the dependent component TSF.
+
+
+ The reliance information shall describe all interactions
+ through which the dependent component TSF requests services
+ from the base component.
+
+
+ The reliance information shall describe how the dependent
+ TSF protects itself from interference and tampering by the
+ base component.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check the reliance information to
+ determine that it describes the functionality of the
+ base dependent hardware, firmware and/or software that
+ is relied upon by the dependent component TSF.
+
+ The evaluator assesses the description of the security
+ functionality that the dependent component TSF requires
+ to be provided by the base component's hardware,
+ firmware and software. The emphasis of this work unit is
+ on the level of detail of this description, rather than
+ on an assessment of the information's accuracy. (The
+ assessment of the accuracy of the information is the
+ focus of the next work unit.)
+
+ This description of the base component's functionality
+ need not be any more detailed than the level of the
+ description of a component of the TSF, as would be
+ provided in the TOE Design ()
+
+
+
+
+ The evaluator shall examine the reliance information to
+ determine that it accurately reflects the objectives
+ specified for the operational environment of the
+ dependent component.
+
+ The reliance information contains the description of the
+ base component's security functionality relied upon by
+ the dependent component. To ensure that the reliance
+ information is consistent with the expectations of the
+ operational environment of the dependent component, the
+ evaluator compares the reliance information with the
+ statement of objectives for the environment in the ST
+ for the dependent component.
+
+ For example, if the reliance information claims that the
+ dependent component TSF relies upon the base component
+ to store and protect audit data, yet other evaluation
+ evidence (e.g. the dependent component design) makes it
+ clear that the dependent component TSF itself is storing
+ and protecting the audit data, this would indicate an
+ inaccuracy.
+
+ It should be noted that the objectives for the
+ operational environment may include objectives that can
+ be met by non-IT measures. While the services that the
+ base component environment is expected to provide may be
+ described in the description of IT objectives for the
+ operational environment in the dependent component ST,
+ it is not required that all such expectations on the
+ environment be described in the reliance
+ information.
+
+
+
+
+ The evaluator shall examine the reliance information to
+ determine that it describes all interactions between the
+ dependent component and the base component, through
+ which the dependent component TSF requests services from
+ the base component.
+
+ The dependent component TSF may request services of the
+ base component that were not within the TSF of the base
+ component (see in CC Part
+ 3).
+
+ The interfaces to the base component's functionality are
+ described at the same level as the description of the
+ interfaces to the dependent component TSF functionality,
+ as would be provided between subsystems in the TOE
+ design ().
+
+ The purpose of describing the interactions between the
+ dependent component and the base component is to provide
+ an understanding of how the dependent component TSF
+ relies upon the base component for the provision of
+ services to support the operation of security
+ functionality of the dependent component. These
+ interactions do not need to be characterised at the
+ implementation level (e.g. parameters passed from one
+ routine in a component to a routine in another
+ component), but the data elements identified for a
+ particular component that are going to be used by
+ another component should be covered in this
+ description. The statement should help the reader
+ understand in general why the interaction is
+ necessary.
+
+ Accuracy and completeness of the interfaces is based on
+ the security functionality that the TSF requires to be
+ provided by the base component, as assessed in work
+ units and . It should be possible to
+ map all of the functionality described in the earlier
+ work units to the interfaces identified in this work
+ unit, and vice versa. An interface that does not
+ correspond to described functionality would also
+ indicate an inadequacy.
+
+
+
+ The evaluator shall examine the reliance information to
+ determine that it describes how the dependent TSF protects
+ itself from interference and tampering by the base
+ component.
+
+ The description of how the dependent component protects
+ itself from interference and tampering by the base
+ component is to be provided at the same level of detail
+ as necessary for .
+
+
+
+
+
+
+ The objectives of this sub-activity are to determine
+ whether the developer's reliance evidence provides
+ sufficient information to determine that the necessary
+ functionality is available in the base component, and the
+ means by which that functionality is invoked. This is
+ provided in terms of the interfaces between the
+ dependent and base component and the return values from
+ those interfaces called by the dependent component.
+
+
+
+
+ A dependent component whose TSF interacts with the base
+ component requires functionality provided by that base
+ component (e.g., remote authentication, remote audit data
+ storage). In these cases, those invoked services need to
+ be described for those charged with configuring the
+ composed TOE for end users. The rationale for requiring
+ this documentation is to aid integrators of the composed
+ TOE to determine what services in the base component might
+ have adverse effects on the dependent component, and to
+ provide information against which to determine the
+ compatibility of the components when applying the family.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the composed ST;
+
+
+ the dependent component functional specification;
+
+
+ the dependent component design;
+
+
+ the dependent component implementation representation;
+
+
+ the dependent component architectural design;
+
+
+ the reliance information.
+
+
+
+
+ The developer shall provide reliance information of the
+ dependent component.
+
+
+ The reliance information shall describe the functionality of
+ the base component hardware, firmware and/or software that
+ is relied upon by the dependent component TSF.
+
+
+ The reliance information shall describe all interactions
+ through which the dependent component TSF requests services
+ from the base component.
+
+
+ The reliance information shall describe each interaction in
+ terms of the interface used and the return values from those
+ interfaces.
+
+
+ The reliance information shall describe how the dependent
+ TSF protects itself from interference and tampering by the
+ base component.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check the reliance information to
+ determine that it describes the functionality of the
+ base dependent hardware, firmware and/or software that
+ is relied upon by the dependent component TSF.
+
+ The evaluator assesses the description of the security
+ functionality that the dependent component TSF requires
+ to be provided by the base component's hardware,
+ firmware and software. The emphasis of this work unit is
+ on the level of detail of this description, rather than
+ on an assessment of the information's accuracy. (The
+ assessment of the accuracy of the information is the
+ focus of the next work unit.)
+
+ This description of the base component's functionality
+ need not be any more detailed than the level of the
+ description of a component of the TSF, as would be
+ provided in the TOE Design ()
+
+
+
+
+ The evaluator shall examine the reliance information to
+ determine that it accurately reflects the objectives
+ specified for the operational environment of the
+ dependent component.
+
+ The reliance information contains the description of the
+ base component's security functionality relied upon by
+ the dependent component. To ensure that the reliance
+ information is consistent with the expectations of the
+ operational environment of the dependent component, the
+ evaluator compares the reliance information with the
+ statement of objectives for the environment in the ST
+ for the dependent component.
+
+ For example, if the reliance information claims that the
+ dependent component TSF relies upon the base component
+ to store and protect audit data, yet other evaluation
+ evidence (e.g. the dependent component design) makes it
+ clear that the dependent component TSF itself is storing
+ and protecting the audit data, this would indicate an
+ inaccuracy.
+
+ It should be noted that the objectives for the
+ operational environment may include objectives that can
+ be met by non-IT measures. While the services that the
+ base component environment is expected to provide may be
+ described in the description of IT objectives for the
+ operational environment in the dependent component ST,
+ it is not required that all such expectations on the
+ environment be described in the reliance
+ information.
+
+
+
+
+ The evaluator shall examine the reliance information to
+ determine that it describes all interactions between the
+ dependent component and the base component, through
+ which the dependent component TSF requests services from
+ the base component.
+
+ The dependent component TSF may request services of the
+ base component that were not within the TSF of the base
+ component (see Annex in CC Part
+ 3).
+
+ The interfaces to the base component's functionality are
+ described at the same level as the description of the
+ interfaces to the dependent component TSF functionality,
+ as would be provided between subsystems in the TOE
+ design ().
+
+ The purpose of describing the interactions between the
+ dependent component and the base component is to provide
+ an understanding of how the dependent component TSF
+ relies upon the base component for the provision of
+ services to support the operation of security
+ functionality of the dependent component. These
+ interactions do not need to be characterised at the
+ implementation level (e.g. parameters passed from one
+ routine in a component to a routine in another
+ component), but the data elements identified for a
+ particular component that are going to be used by
+ another component should be covered in this
+ description. The statement should help the reader
+ understand in general why the interaction is
+ necessary.
+
+ Accuracy and completeness of the interfaces is based on
+ the security functionality that the TSF requires to be
+ provided by the base component, as assessed in work
+ units and . It should be possible to
+ map all of the functionality described in the earlier
+ work units to the interfaces identified in this work
+ unit, and vice versa. An interface that does not
+ correspond to described functionality would also
+ indicate an inadequacy.
+
+
+
+ The reliance information shall describe each interaction
+ in terms of the interface used and the return values
+ from those interfaces.
+
+ The identification of the interfaces used by the
+ dependent component TSF when making services requests of
+ the base component allows an integrator to determine
+ whether the base component provides all the necessary
+ corresponding interfaces. This understanding is further
+ gained through the specification of the return values
+ expected by the dependent component. The evaluator
+ ensures that interfaces are described for each
+ interaction specified (as analysed in ).
+
+
+
+ The evaluator shall examine the reliance information to
+ determine that it describes how the dependent TSF protects
+ itself from interference and tampering by the base
+ component.
+
+ The description of how the dependent component protects
+ itself from interference and tampering by the base
+ component is to be provided at the same level of detail
+ as necessary for .
+
+
+
+
+
+
+ This family requires that testing of composed TOE and
+ testing of the base component, as used in the composed TOE,
+ is performed.
+
+
+
+ The family details
+ requirements for testing to demonstrate that the composed
+ TOE operates as specified in the composed TOE SFRs and the
+ base component interfaces match the design descriptions as
+ provided in the development information (). Testing evidence is to be provided of all
+ SFRs specified in the composed TOE ST and to exercise all
+ base component interfaces used by the dependent component,
+ as identified in .
+
+
+
+ The components in this family are levelled on the basis of
+ increasing rigour of interface testing and increasing rigour
+ of the analysis of the sufficiency of the tests to
+ demonstrate that the composed TSF operates in accordance
+ with the reliance information and the composed TOE
+ SFRs.
+
+
+
+ There are two distinct aspects of testing associated with
+ this family:
+
+
+ testing of the interfaces between the base component and
+ the dependent component, which the dependent component
+ rely upon for enforcement of security functionality, to
+ demonstrate their compatibility;
+
+
+ testing of the composed TOE to demonstrate that the TOE
+ behaves in accordance with the SFRs for the composed
+ TOE.
+
+
+
+ If the test configurations used during evaluation of the
+ dependent component included use of the base component as a
+ ``platform'' and the test analysis sufficiently demonstrates
+ that the TSF behaves in accordance with the SFRs, the
+ developer need perform no further testing of the composed
+ TOE functionality. However, if the base component was not
+ used in the testing of the dependent component, or the
+ configuration of either component varied, then the developer
+ is to perform testing of the composed TOE. This may take
+ the form of repeating the dependent component developer
+ testing of the dependent component, provided this adequately
+ demonstrates the composed TOE TSF behaves in accordance with
+ the SFRs.
+
+ The developer is to provide evidence of testing the base
+ component interfaces used in the composition. The operation
+ of base component TSFIs would have been tested as part of
+ the activities during
+ evaluation of the base component.
Therefore, provided the + appropriate interfaces were included within the test sample + of the base component evaluation and it was determined in + that the base component is + operating in accordance with the base component evaluated + configuration, with all security functionality required by + the dependent component included in the TSF, the evaluator + action may be met + through reuse of the base component verdicts. + + If this is not the case, the base component interfaces used + relevant to the composition that are affected by any + variations to the evaluated configuration and any additional + security functionally will be tested to ensure they + demonstrate the expected behaviour. The expected behaviour + to be tested is that described in the reliance information + ( evidence). + + + + + + + The objective of this component is to ensure that each + interface of the base component, on which the dependent + component relies, is tested. + + + + The objective of this sub-activity is to determine whether + the developer correctly performed and documented tests for + each of the base component interfaces on which the + dependent component relies. As part of this determination + the evaluator repeats a sample of the tests performed by + the developer and performs any additional tests required + to ensure the expected behaviour of all composed TOE SFRs + and interfaces of the base component relied upon by the + dependent component is demonstrated. + + + + The evaluation evidence for this sub-activity is: + + + the composed TOE suitable for testing; + + + the composed TOE testing evidence; + + + the reliance information; + + + the development information. + + + + + The developer shall provide composed TOE test documentation. + + + The developer shall provide base component interface test + documentation. + + + The developer shall provide the composed TOE for testing. 
+ + + The developer shall provide an equivalent set of resources + to those that were used in the base component developer's + functional testing of the base component. + + + The composed TOE and base component interface test + documentation shall consist of test plans, expected test + results and actual test results. + + + The test documentation from the developer execution of the + composed TOE tests shall demonstrate that the TSF behaves as + specified. + + + The test documentation from the developer execution of the + base component interface tests shall demonstrate that the + base component interface relied upon by the dependent + component behaves as specified. + + + The base component shall be suitable for testing. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the composed TOE test + documentation to determine that it consists of test + plans, expected test results and actual test + results. + + This work unit may be satisfied by provision of the test + evidence from the evaluation of the dependent component + if the base component was used to satisfy the + requirements for IT in the operational environment of + the dependent component. + + All work units necessary for the satisfaction of will be applied to + determine: + + + that the test documentation consist of test plans + expected test results and actual test + results; + + that the test documentation contains the information + necessary to ensure the tests are repeatable; + + the level of developer effort that was applied to + testing of the base component. + + + + + The evaluator shall examine the base component interface + test documentation to determine that it consists of test + plans, expected test results and actual test + results. 
+ + This work unit may be satisfied by provision of the test + evidence from the evaluation of the base component for + those interfaces relied upon in the composed TOE by the + dependent component are TSFIs of the successfully + evaluated base component. The determination of whether + the interfaces of the base component relied upon by the + dependent component were in fact TSFIs of the evaluated + base component is made during the activity. + + All work units necessary for the satisfaction of will be applied to + determine: + + + that the test documentation consist of test plans + expected test results and actual test + results; + + that the test documentation contains the information + necessary to ensure the tests are repeatable; + + the level of developer effort that was applied to + testing of the base component. + + + + + The evaluator shall examine the test documentation to + determine that the developer execution of the composed + TOE tests shall demonstrate that the TSF behaves as + specified. + + The evaluator should construct a mapping between the + tests described in the test plan and the SFRs specified + for the composed TOE to identify which SFRs have been + tested by the developer. + + Guidance on this work unit can be found in: + + + Clause . + + Clause . + + + The outputs from the successful execution of the tests + (as assessed for can + be compared with the mapping to determine that the SFRs + of the composed TOE, as tested by the developer, behave + as expected. + + + + + The evaluator shall examine the test documentation to + determine that the developer execution of the base + component interface tests shall demonstrate that the + base component interfaces relied upon by the dependent + component behave as specified. 
+ + The evaluator should construct a mapping between the + tests described in the test plan and the interfaces of + the base component relied upon by the dependent + component (as specified in the reliance information, + examined under ) to + identify which base component interfaces have been + tested by the developer. + + Guidance on this work unit can be found in: + + + Clause . + + Clause . + + + The outputs from the successful execution of the tests + (as assessed for can + be compared with the mapping to determine that the + interfaces of the base component, as tested by the + developer, behave as expected. + + + + + The evaluator shall examine the composed TOE to + determine that it has been installed properly and is in + a known state. + + To determine that the composed TOE has been installed + properly and is in a known state the and work units will be + applied to the TOE provided by the developer for + testing. + + + + + The evaluator shall examine the set of resources + provided by the developer to determine that they are + equivalent to the set of resources used by the base + component developer to functionally test the base + component. + + To determine that the set of resources provided are + equivalent to those used to functionally test the base + component as used in the composed TOE, the work unit will be + applied. + + + + The evaluator shall execute a sample of test in the test + documentation to verify the developer test results. + + + The evaluator shall perform testing in accordance with , for a subset of the SFRs + specified in the composed security target, to verify the + developer test results. + + The evaluator will apply all work units necessary for + the satisfaction of , reporting in the ETR for the composed TOE + all analysis, results and verdicts as dictated by the + associated work units. + + + + The evaluator shall test a subset of the TSF interfaces of + the composed TOE to confirm that the composed TSF operates + as specified. 
+ + + The evaluator shall perform testing in accordance with , for a subset of the SFRs + specified in the composed security target, to confirm that the + TSF operates as specified. + + The evaluator will apply all work units necessary for + the satisfaction of , reporting in the ETR for the composed TOE + all analysis, results and verdicts as dictated by the + work units. + + When selecting interfaces of the TSF of the composed TOE + to test, the evaluator should take into account any + modifications to the components from the evaluated + version or configuration. Modifications to the component + from that evaluated may include patches introduced, a + different configuration as a result of modified guidance + documentation, reliance an additional portion of the + component that was not within the TSF of the + component. These modifications will have been identified + during the + activity. + + + + + + + + + + The objective of this component is to ensure that each + interface of the base component, on which the dependent + component relies, is tested. + + + + The objective of this sub-activity is to determine whether + the developer correctly performed and documented tests for + each of the base component interfaces on which the + dependent component relies. As part of this determination + the evaluator repeats a sample of the tests performed by + the developer and performs any additional tests required + to fully demonstrate the expected behaviour of the + composed TOE and the interfaces of the base component + relied upon by the dependent component. + + + + The evaluation evidence for this sub-activity is: + + + the composed TOE suitable for testing; + + + the composed TOE testing evidence; + + + the reliance information; + + + the development information. + + + + + The developer shall provide composed TOE test documentation. + + + The developer shall provide base component interface test + documentation. 
+ + + The developer shall provide the composed TOE for testing. + + + The developer shall provide an equivalent set of resources + to those that were used in the base component developer's + functional testing of the base component. + + + The composed TOE and base component interface test + documentation shall consist of test plans, expected test + results and actual test results. + + + The test documentation from the developer execution of the + composed TOE tests shall demonstrate that the TSF behaves as + specified and is complete. + + + The test documentation from the developer execution of the + base component interface tests shall demonstrate that the + base component interface relied upon by the dependent + component behaves as specified and is complete. + + + The base component shall be suitable for testing. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the composed TOE test + documentation to determine that it consists of test + plans, expected test results and actual test + results. + + This work unit may be satisfied by provision of the test + evidence from the evaluation of the dependent component + if the base component was used to satisfy the + requirements for IT in the operational environment of + the dependent component. + + All work units necessary for the satisfaction of will be applied to + determine: + + + that the test documentation consist of test plans + expected test results and actual test + results; + + that the test documentation contains the information + necessary to ensure the tests are repeatable; + + the level of developer effort that was applied to + testing of the base component. + + + + + The evaluator shall examine the base component interface + test documentation to determine that it consists of test + plans, expected test results and actual test + results. 
+ + This work unit may be satisfied by provision of the test + evidence from the evaluation of the base component for + those interfaces relied upon in the composed TOE by the + dependent component are TSFIs of the successfully + evaluated base component. The determination of whether + the interfaces of the base component relied upon by the + dependent component were in fact TSFIs of the evaluated + base component is made during the activity. + + All work units necessary for the satisfaction of will be applied to + determine: + + + that the test documentation consist of test plans + expected test results and actual test + results; + + that the test documentation contains the information + necessary to ensure the tests are repeatable; + + the level of developer effort that was applied to + testing of the base component. + + + + + + + The evaluator shall examine the test documentation to + determine that it provides accurate correspondence + between the tests in the test documentation relating to + the testing of the composed TOE and the composed TOE + SFRs in the composed TOE security target. + + A simple cross-table may be sufficient to show test + correspondence. The identification of correspondence + between the tests and SFRs presented in the test + documentation has to be unambiguous. + + + + + The evaluator shall examine the test documentation to + determine that the developer execution of the composed + TOE tests shall demonstrate that the TSF behaves as + specified. + + Guidance on this work unit can be found in: + + + Clause . + + Clause . + + + + The outputs from the successful execution of the tests + (as assessed for can + be compared with the mapping to determine that the SFRs + of the composed TOE, as tested by the developer, behave + as expected. 
+ + + + + The evaluator shall examine the test documentation to + determine that it provides accurate correspondence + between the tests in the test documentation relating to + the testing of the base component interfaces relied upon + by the dependent component and the interfaces specified + in the reliance information. + + A simple cross-table may be sufficient to show test + correspondence. The identification of correspondence + between the tests and interfaces presented in the test + documentation has to be unambiguous. + + + + + The evaluator shall examine the test documentation to + determine that the developer execution of the base + component interface tests shall demonstrate that the + base component interfaces relied upon by the dependent + component behave as specified. + + Guidance on this work unit can be found in: + + + Clause . + + Clause . + + + The outputs from the successful execution of the tests + (as assessed for can + be compared with the mapping to determine that the + interfaces of the base component, as tested by the + developer, behave as expected. + + + + + The evaluator shall examine the composed TOE to + determine that it has been installed properly and is in + a known state. + + To determine that the composed TOE has been installed + properly and is in a known state the and work units will be + applied to the TOE provided by the developer for + testing. + + + + + The evaluator shall examine the set of resources + provided by the developer to determine that they are + equivalent to the set of resources used by the base + component developer to functionally test the base + component. + + To determine that the set of resources provided are + equivalent to those used to functionally test the base + component as used in the composed TOE, the work unit will be + applied. + + + + The evaluator shall execute a sample of test in the test + documentation to verify the developer test results. 
+ + + The tests are to be selected and executed in accordance + with , to + demonstrate the correct behaviour of the SFRs specified + in the composed TOE security target. + + The evaluator will apply all work units necessary for + the satisfaction of , reporting in the ETR for the composed TOE + all analysis, results and verdicts as dictated by the + associated work units. + + + + The evaluator shall test a subset of the TSF interfaces of + the composed TOE to confirm that the composed TSF operates + as specified. + + + The evaluator shall perform testing in accordance with , for a subset of the SFRs + specified in the composed security target, to confirm that the + TSF operates as specified. + + The evaluator will apply all work units necessary for + the satisfaction of , reporting in the ETR for the composed TOE + all analysis, results and verdicts as dictated by the + work units. + + When selecting interfaces of the TSF of the composed TOE + to test, the evaluator should take into account any + modifications to the components from the evaluated + version or configuration. Modifications to the component + from that evaluated may include patches introduced, a + different configuration as a result of modified guidance + documentation, reliance an additional portion of the + component that was not within the TSF of the + component. These modifications will have been identified + during the + activity. + + + + The evaluator shall perform testing, in accordance with + , for a subset of the + interfaces to the base component to confirm they operate + as specified. + + The evaluator will apply all work units necessary for + the satisfaction of , reporting in the ETR for the composed TOE + all analysis, results and verdicts as dictated by the + work units. + + When selecting interfaces of the base component to test, + the evaluator should take into account any modifications + to the base component from the evaluated version or + configuration. 
In particular, the evaluator should + consider the development of tests to demonstrate the + correct behaviour of interfaces of the base component + that were not considered during the evaluation of the + base component. These additional interfaces and other + modifications to the base component will have been + identified during the + activity. + + + + + + + + This family calls for an analysis of vulnerability + information available in the public domain and of + vulnerabilities that may be introduced as a result of the + composition. + + + + The vulnerability analysis in includes determination of two different + aspects of resistance by the composed TOE, namely: + + + Residual vulnerabilities in the base and dependent + components remain unexploitable in the operational + environment of the composed TOE; + + The composed TOE is resistant to attackers with a given + level of attack potential. + + + + The components in this family are levelled on the basis of + increasing scrutiny of vulnerability information from the + public domain and independent vulnerability analysis. + + + + The developer will provide details of any residual + vulnerabilities reported during evaluation of the + components. These may be gained from the component + developers or evaluation reports for the components. These + will be used as inputs into the evaluator's vulnerability + analysis of the composed TOE in the operational + environment. + + + The operational environment of the composed TOE is examined + to ensure that the assumptions and objectives for the + component operational environment (specified in each + component ST) are satisfied in the composed TOE. An initial + analysis of the consistency of assumptions and objectives + between the components and the composed TOE STs will have + been performed during the conduct of the activities for the composed TOE. 
However, this + analysis is revisited with the knowledge acquired during the + , and the + activities to ensure that, for example, assumptions of the + dependent component that were addressed by the environment + in the dependent component ST are not reintroduced as a + result of composition (i.e. that the base component + adequately addresses the assumptions of the dependent + component ST in the composed TOE). + + A search by the evaluator for issues in each component will + identify potential vulnerabilities reported in the public + domain since completion of the evaluation of the components. + Any potential vulnerabilities will then be subject to + testing. + + If the base component used in the composed TOE has been the + subject of assurance continuity activities since + certification, the evaluator will consider during the + composed TOE vulnerability analysis activities the changes + made in base component. + + + + + + The objective of this sub-activity is to determine whether + the composed TOE, in its operational environment, has + easily exploitable vulnerabilities. + + The developer provides details of any residual + vulnerabilities reported from evaluation of the + components. The evaluator performs an analysis of the + disposition the residual vulnerabilities reported and also + performs a search of the public domain, to identify any + new potential vulnerabilities in the components + (i.e. those issues that have been reported in the public + domain since evaluation of the base component). The + evaluator then performs penetration testing to demonstrate + that the potential vulnerabilities cannot be exploited in + the TOE, in its operational environment, by an attacker + with basic attack potential. + + + + See the application notes for . 
+ + + + The evaluation evidence for this sub-activity is: + + + the composed TOE suitable for testing; + + + the composed ST; + + + the composition rationale; + + + the guidance documentation; + + + information publicly available to support the + identification of possible security vulnerabilities; + + + residual vulnerabilities reported during evaluation of + each component. + + + + + The developer shall provide the composed TOE for testing. + + + The composed TOE shall be suitable for testing. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + The evaluator shall examine the composed TOE to + determine that it has been installed properly and is in + a known state. + + To determine that the composed TOE has been installed + properly and is in a known state the and work units will be + applied to the composed TOE. + + If the assurance package includes a component from the + family, then the + evaluator may refer to the result of the work unit *-1 to demonstrate this has been + satisfied. + + + + The evaluator shall examine the composed TOE + configuration to determine that any assumptions and + objectives in the STs the components relating to IT + entities for are fulfilled by the other + components. + + The STs for the component may include assumptions about + other components that may use the component to which the + ST relates, e.g. the ST for an operating system used as + a base component may include an assumption that any + applications loaded on the operating system do not run + in privileged mode. These assumptions and objectives are + to be fulfilled by other components in the composed + TOE. + + + + The evaluator shall perform an analysis to determine that + any residual vulnerabilities identified for the base and + dependent components are not exploitable in the composed TOE + in its operational environment. 
+ + + The evaluator shall examine the residual vulnerabilities + from the base component evaluation to determine that + they are not exploitable in the composed TOE in its + operational environment. + + The list of vulnerabilities identified in the product + during the evaluation of the base component, which were + demonstrated to be non-exploitable in the base + component, is to be used as an input into this + activity. The evaluator will determine that the + premise(s) on which a vulnerability was deemed to be + non-exploitable is upheld in the composed TOE, or + whether the combination has re-introduced the potential + vulnerability. For example, if during evaluation of the + base component it was assumed that a particular + operating system service was disabled, which is enabled + in the composed TOE evaluation, any potential + vulnerabilities relating to that service previously + scoped out should now be considered. + + Also, this list of known, non-exploitable + vulnerabilities resulting from the evaluation of the + base component should be considered in the light of any + known, non-exploitable vulnerabilities for the other + components (e.g. dependent component) within the + composed TOE. This is to consider the case where a + potential vulnerability that is non-exploitable in + isolation is exploitable when integrated with an IT + entity containing another potential + vulnerability. + + + + The evaluator shall examine the residual vulnerabilities + from the dependent component evaluation to determine + that they are not exploitable in the composed TOE in its + operational environment. + + The list of vulnerabilities identified in the product + during the evaluation of the dependent component, which + were demonstrated to be non-exploitable in the dependent + component, is to be used as an input into this + activity. 
The evaluator will determine that the + premise(s) on which a vulnerability was deemed to be + non-exploitable is upheld in the composed TOE, or + whether the combination has re-introduced the potential + vulnerability. For example, if during evaluation of the + dependent component it was assumed that IT meeting the + operational environment requirements would not return a + certain value in response to a service request, which is + provided by the base component in the composed TOE + evaluation, any potential vulnerabilities relating to + that return value previously scoped out should now be + considered. + + Also, this list of known, non-exploitable + vulnerabilities resulting from the evaluation of the + dependent component should be considered in the light of + any known, non-exploitable vulnerabilities for the other + components (e.g. base component) within the composed + TOE. This is to consider the case where a potential + vulnerability that is non-exploitable in isolation is + exploitable when integrated with an IT entity containing + another potential vulnerability. + + + + The evaluator shall perform a search of public domain + sources to identify possible vulnerabilities arising from + use of the base and dependent components in the composed TOE + operational environment. + + + The evaluator shall examine the sources of information + publicly available to support the identification of + possible security vulnerabilities in the base component + that have become known since the completion of + evaluation of the base component. + + The evaluator will use the information in the public + domain as described in to search for vulnerabilities in the base + component. 
+ + Those potential vulnerabilities that were publicly + available prior to the evaluation of the base component + do not have to be further investigated unless it is + apparent to the evaluator that the attack potential + required by an attacker to exploit the potential + vulnerability has been significantly reduced. This may + be through the introduction of some new technology since + the base component evaluation that means the + exploitation of the potential vulnerability has been + simplified. + + + + The evaluator shall examine the sources of information + publicly available to support the identification of + possible security vulnerabilities in the dependent + component that have become known since the completion of + the dependent component evaluation. + + The evaluator will use the information in the public + domain as described in to search for vulnerabilities in the + dependent component. + + Those potential vulnerabilities that were publicly + available prior to the evaluation of the dependent + component do not have to be further investigated unless + it is apparent to the evaluator that the attack + potential required by an attacker to exploit the + potential vulnerability has been significantly + reduced. This may be through the introduction of some + new technology since evaluation of the dependent + component that means the exploitation of the potential + vulnerability has been simplified. + + + + The evaluator shall record in the ETR the identified + potential security vulnerabilities that are candidates + for testing and applicable to the composed TOE in its + operational environment. + + The ST, guidance documentation and functional + specification are used to determine whether the + vulnerabilities are relevant to the composed TOE in its + operational environment. 
+ + The evaluator records any reasons for exclusion of + vulnerabilities from further consideration if the + evaluator determines that the vulnerability is not + applicable in the operational environment. Otherwise the + evaluator records the potential vulnerability for + further consideration. + + A list of potential vulnerabilities applicable to the + composed TOE in its operational environment, which can + be used as an input into penetration testing activities + (i.e. ), shall be + reported in the ETR by the evaluators. + + + + The evaluator shall conduct penetration testing, based on + the identified vulnerabilities, to demonstrate that the + composed TOE is resistant to attacks by an attacker with + basic attack potential. + + + The evaluator shall conduct penetration testing as + detailed for . + + The evaluator will apply all work units necessary for + the satisfaction of evaluator action , reporting in the ETR + for the composed TOE all analysis and verdicts as + dictated by the work units. + + The evaluator will also apply the work units for the + evaluator action + to determine that the composed TOE provided by the + developer is suitable for testing. + + + + + + + + + The objective of this sub-activity is to determine whether + the composed TOE, in its operational environment, has + vulnerabilities exploitable by attackers possessing basic + attack potential. + + The developer provides an analysis of the disposition of + any residual vulnerabilities reported for the components + and of any vulnerabilities introduced through the + combination of the base and dependent components. The + evaluator performs a search of the public domain to + identify any new potential vulnerabilities in the + components (i.e. those issues that have been reported in + the public domain since the completion of the evaluation + of the components). The evaluator will also perform an + independent vulnerability analysis of the composed TOE and + penetration testing. 
+
+
+
+ See the application notes for .
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the composed TOE suitable for testing;
+
+
+ the composed ST;
+
+
+ the composition rationale;
+
+ the reliance information;
+
+
+ the guidance documentation;
+
+
+ information publicly available to support the
+ identification of possible security vulnerabilities.
+
+
+ residual vulnerabilities reported during evaluation of
+ each component.
+
+
+
+
+ The developer shall provide the composed TOE for testing.
+
+
+ The composed TOE shall be suitable for testing.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+ The evaluator shall examine the composed TOE to
+ determine that it has been installed properly and is in
+ a known state.
+
+ To determine that the composed TOE has been installed
+ properly and is in a known state the and work units will be
+ applied to the composed TOE.
+
+ If the assurance package includes family, then the evaluator may refer to the
+ result of the work unit *-1 to demonstrate this has been
+ satisfied.
+
+
+
+ The evaluator shall examine the composed TOE
+ configuration to determine that any assumptions and
+ objectives in the STs the components relating to IT
+ entities for are fulfilled by the other
+ components.
+
+ The STs for the component may include assumptions about
+ other components that may use the component to which the
+ ST relates, e.g. the ST for an operating system used as
+ a base component may include an assumption that any
+ applications loaded on the operating system do not run
+ in privileged mode. These assumptions and objectives are
+ to be fulfilled by other components in the composed
+ TOE.
+
+
+
+ The evaluator shall perform an analysis to determine that
+ any residual vulnerabilities identified for the base and
+ dependent components are not exploitable in the composed TOE
+ in its operational environment.
+
+
+ The evaluator shall examine the residual vulnerabilities
+ from the base component evaluation to determine that
+ they are not exploitable in the composed TOE in its
+ operational environment.
+
+ The list of vulnerabilities identified in the product
+ during the evaluation of the base component, which were
+ demonstrated to be non-exploitable in the base
+ component, is to be used as an input into this
+ activity. The evaluator will determine that the
+ premise(s) on which a vulnerability was deemed to be
+ non-exploitable is upheld in the composed TOE, or
+ whether the combination has re-introduced the potential
+ vulnerability. For example, if during evaluation of the
+ base component it was assumed that a particular
+ operating system service was disabled, which is enabled
+ in the composed TOE evaluation, any potential
+ vulnerabilities relating to that service previously
+ scoped out should now be considered.
+
+ Also, this list of known, non-exploitable
+ vulnerabilities resulting from the evaluation of the
+ base component should be considered in the light of any
+ known, non-exploitable vulnerabilities for the other
+ components (e.g. dependent component) within the
+ composed TOE. This is to consider the case where a
+ potential vulnerability that is non-exploitable in
+ isolation is exploitable when integrated with an IT
+ entity containing another potential
+ vulnerability.
+
+
+
+ The evaluator shall examine the residual vulnerabilities
+ from the dependent component evaluation to determine
+ that they are not exploitable in the composed TOE in its
+ operational environment.
+
+ The list of vulnerabilities identified in the product
+ during the evaluation of the dependent component, which
+ were demonstrated to be non-exploitable in the dependent
+ component, is to be used as an input into this
+ activity. The evaluator will determine that the
+ premise(s) on which a vulnerability was deemed to be
+ non-exploitable is upheld in the composed TOE, or
+ whether the combination has re-introduced the potential
+ vulnerability. For example, if during evaluation of the
+ dependent component it was assumed that IT meeting the
+ operational environment requirements would not return a
+ certain value in response to a service request, which is
+ provided by the base component in the composed TOE
+ evaluation, any potential vulnerabilities relating to
+ that return value previously scoped out should now be
+ considered.
+
+ Also, this list of known, non-exploitable
+ vulnerabilities resulting from the evaluation of the
+ dependent component should be considered in the light of
+ any known, non-exploitable vulnerabilities for the other
+ components (e.g. base component) within the composed
+ TOE. This is to consider the case where a potential
+ vulnerability that is non-exploitable in isolation is
+ exploitable when integrated with an IT entity containing
+ another potential vulnerability.
+
+
+
+ The evaluator shall perform a search of public domain
+ sources to identify possible vulnerabilities arising from
+ use of the base and dependent components in the composed TOE
+ operational environment.
+
+
+ The evaluator shall examine the sources of information publicly
+ available to support the identification of possible security
+ vulnerabilities in the base component that have become known
+ since the completion of the base component evaluation.
+
+ The evaluator will use the information in the public
+ domain as described in to search for vulnerabilities in the base
+ component.
+
+ Those potential vulnerabilities that were publicly
+ available prior to the evaluation of the base component
+ do not have to be further investigated unless it is
+ apparent to the evaluator that the attack potential
+ required by an attacker to exploit the potential
+ vulnerability has been significantly reduced. This may
+ be through the introduction of some new technology since
+ the base component evaluation that means the
+ exploitation of the potential vulnerability has been
+ simplified.
+
+
+
+ The evaluator shall examine the sources of information
+ publicly available to support the identification of
+ possible security vulnerabilities in the dependent
+ component that have become known since the completion of
+ the dependent component evaluation.
+
+ The evaluator will use the information in the public domain as
+ described in to search for
+ vulnerabilities in the dependent component.
+
+ Those potential vulnerabilities that were publicly
+ available prior to the evaluation of the dependent
+ component do not have to be further investigated unless
+ it is apparent to the evaluator that the attack
+ potential required by an attacker to exploit the
+ potential vulnerability has been significantly
+ reduced. This may be through the introduction of some
+ new technology since evaluation of the dependent
+ component that means the exploitation of the potential
+ vulnerability has been simplified.
+
+
+
+ The evaluator shall record in the ETR the identified
+ potential security vulnerabilities that are candidates
+ for testing and applicable to the composed TOE in its
+ operational environment.
+
+ The ST, guidance documentation and functional
+ specification are used to determine whether the
+ vulnerabilities are relevant to the composed TOE in its
+ operational environment.
+
+ The evaluator records any reasons for exclusion of
+ vulnerabilities from further consideration if the
+ evaluator determines that the vulnerability is not
+ applicable in the operational environment. Otherwise the
+ evaluator records the potential vulnerability for
+ further consideration.
+
+ A list of potential vulnerabilities applicable to the
+ composed TOE in its operational environment, which can
+ be used as an input into penetration testing activities
+ (), shall be
+ reported in the ETR by the evaluators.
+
+
+
+ The evaluator shall perform an independent vulnerability
+ analysis of the composed TOE, using the guidance
+ documentation, reliance information and composition
+ rationale to identify potential vulnerabilities in the
+ composed TOE.
+
+
+ The evaluator shall conduct a search of the composed TOE
+ ST, guidance documentation, reliance information and
+ composition rationale to identify possible security
+ vulnerabilities in the composed TOE.
+
+ The consideration of the components of the composed TOE
+ in the independent evaluator vulnerability analysis will
+ take a slightly different form to that documented in
+ for a component
+ evaluation, as it will not necessarily consider all
+ layers of design abstraction relevant to the assurance
+ package. These will have already been considered during
+ the evaluation of the components, but the evidence may
+ not be available for the composed TOE
+ evaluation. However, the general approach described in
+ the work units associated with is applicable and should form the basis of
+ the evaluator's search for potential vulnerabilities in
+ the composed TOE.
+
+ A vulnerability analysis of the individual components
+ used in the composed TOE will have already been
+ performed during evaluation of the individual
+ components. The focus of the vulnerability analysis
+ during the composed TOE evaluation is to identify any
+ vulnerabilities introduced as a result of the
+ integration of the components or due to any changes in
+ the use of the components between the evaluated
+ component configuration to the composed TOE
+ configuration.
+
+ The evaluator will use the understanding of the
+ component's construction as detailed in the reliance
+ information for the dependent component, and the
+ development information and composition rationale for
+ the base component, together with the dependent
+ component design information. This information will
+ allow the evaluator to gain an understanding of how the
+ base component and dependent component interact and
+ identify potential vulnerabilities that may be
+ introduced as a result of this interaction.
+
+ The evaluator will consider any new guidance provided
+ for the installation, start-up and operation of the
+ composed TOE to identify any potential vulnerabilities
+ introduced through this revised guidance.
+
+ If any of the individual components have been through
+ assurance continuity activities since the completion of
+ the component evaluation, the evaluator will consider
+ the patch(es) in the independent vulnerability
+ analysis. Information related to the change provided in
+ a public report of the assurance continuity activities
+ (e.g. Maintenance Report) will be the main source of
+ input material of the change. This will be supplemented
+ by any updates to the guidance documentation resulting
+ from the change and any information regarding the change
+ available in the public domain, e.g. vendor
+ website.
+
+ Any risks identified due to the lack of evidence to
+ establish the full impact of any patches or deviations
+ in the configuration of a component from the evaluated
+ configuration are to be documented in the evaluator's
+ vulnerability analysis.
+
+
+
+ The evaluator shall conduct penetration testing, based on
+ the identified vulnerabilities, to demonstrate that the
+ composed TOE is resistant to attacks by an attacker with
+ basic attack potential.
+
+
+ The evaluator shall conduct penetration testing as
+ detailed for .
+
+ The evaluator will apply all work units necessary for
+ the satisfaction of evaluator action , reporting in the ETR
+ for the composed TOE all analysis and verdicts as
+ dictated by the work units.
+
+ The evaluator will also apply the work units for the
+ evaluator action
+ to determine that the composed TOE provided by the
+ developer is suitable for testing.
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether the
+ composed TOE, in its operational environment, has
+ vulnerabilities exploitable by attackers possessing
+ Enhanced-Basic attack potential.
+
+ The developer provides an analysis of the disposition of
+ any residual vulnerabilities reported for the components
+ and of any vulnerabilities introduced through the
+ combination of the base and dependent components. The
+ evaluator performs a search of the public domain to
+ identify any new potential vulnerabilities in the
+ components (i.e. those issues that have been reported in
+ the public domain since the completion of the component
+ evaluations). The evaluator will also perform an
+ independent vulnerability analysis of the composed TOE and
+ penetration testing.
+
+
+
+ See the application notes for .
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the composed TOE suitable for testing;
+
+
+ the composed ST;
+
+
+ the composition rationale;
+
+
+ the reliance information;
+
+
+ the guidance documentation;
+
+
+ information publicly available to support the
+ identification of possible security vulnerabilities.
+
+
+ residual vulnerabilities reported during evaluation of
+ each component.
+
+
+
+
+ The developer shall provide the composed TOE for testing.
+
+
+ The composed TOE shall be suitable for testing.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+ The evaluator shall examine the composed TOE to
+ determine that it has been installed properly and is in
+ a known state.
+
+ To determine that the composed TOE has been installed
+ properly and is in a known state the and work units will be
+ applied to the composed TOE.
+
+ If the assurance package includes family, then the evaluator may refer to the
+ result of the work unit *-1 to demonstrate this has been
+ satisfied.
+
+
+
+ The evaluator shall examine the composed TOE
+ configuration to determine that any assumptions and
+ objectives in the STs the components relating to IT
+ entities for are fulfilled by the other
+ components.
+
+ The STs for the component may include assumptions about
+ other components that may use the component to which the
+ ST relates, e.g. the ST for an operating system used as
+ a base component may include an assumption that any
+ applications loaded on the operating system do not run
+ in privileged mode. These assumptions and objectives are
+ to be fulfilled by other components in the composed
+ TOE.
+
+
+
+ The evaluator shall perform an analysis to determine that
+ any residual vulnerabilities identified for the base and
+ dependent components are not exploitable in the composed TOE
+ in its operational environment.
+
+
+ The evaluator shall examine the residual vulnerabilities
+ from the base component evaluation to determine that
+ they are not exploitable in the composed TOE in its
+ operational environment.
+
+ The list of vulnerabilities identified in the product
+ during the evaluation of the base component, which were
+ demonstrated to be non-exploitable in the base
+ component, is to be used as an input into this
+ activity. The evaluator will determine that the
+ premise(s) on which a vulnerability was deemed to be
+ non-exploitable is upheld in the composed TOE, or
+ whether the combination has re-introduced the potential
+ vulnerability. For example, if during evaluation of the
+ base component it was assumed that a particular
+ operating system service was disabled, which is enabled
+ in the composed TOE evaluation, any potential
+ vulnerabilities relating to that service previously
+ scoped out should now be considered.
+
+ Also, this list of known, non-exploitable
+ vulnerabilities resulting from the evaluation of the
+ base component should be considered in the light of any
+ known, non-exploitable vulnerabilities for the other
+ components (e.g. dependent component) within the
+ composed TOE. This is to consider the case where a
+ potential vulnerability that is non-exploitable in
+ isolation is exploitable when integrated with an IT
+ entity containing another potential
+ vulnerability.
+
+
+
+ The evaluator shall examine the residual vulnerabilities
+ from the dependent component evaluation to determine
+ that they are not exploitable in the composed TOE in its
+ operational environment.
+
+ The list of vulnerabilities identified in the product
+ during the evaluation of the dependent component, which
+ were demonstrated to be non-exploitable in the dependent
+ component, is to be used as an input into this
+ activity. The evaluator will determine that the
+ premise(s) on which a vulnerability was deemed to be
+ non-exploitable is upheld in the composed TOE, or
+ whether the combination has re-introduced the potential
+ vulnerability. For example, if during evaluation of the
+ dependent component it was assumed that IT meeting the
+ operational environment requirements would not return a
+ certain value in response to a service request, which is
+ provided by the base component in the composed TOE
+ evaluation, any potential vulnerabilities relating to
+ that return value previously scoped out should now be
+ considered.
+
+ Also, this list of known, non-exploitable
+ vulnerabilities resulting from the evaluation of the
+ dependent component should be considered in the light of
+ any known, non-exploitable vulnerabilities for the other
+ components (e.g. base component) within the composed
+ TOE. This is to consider the case where a potential
+ vulnerability that is non-exploitable in isolation is
+ exploitable when integrated with an IT entity containing
+ another potential vulnerability.
+
+
+
+ The evaluator shall perform a search of public domain
+ sources to identify possible vulnerabilities arising from
+ use of the base and dependent components in the composed TOE
+ operational environment.
+
+
+ The evaluator shall examine the sources of information publicly
+ available to support the identification of possible security
+ vulnerabilities in the base component that have become known
+ since the completion of the base component evaluation.
+
+ The evaluator will use the information in the public
+ domain as described in to search for vulnerabilities in the base
+ component.
+
+ Those potential vulnerabilities that were publicly
+ available prior to the evaluation of the base component
+ do not have to be further investigated unless it is
+ apparent to the evaluator that the attack potential
+ required by an attacker to exploit the potential
+ vulnerability has been significantly reduced. This may
+ be through the introduction of some new technology since
+ the base component evaluation that means the
+ exploitation of the potential vulnerability has been
+ simplified.
+
+
+
+ The evaluator shall examine the sources of information
+ publicly available to support the identification of
+ possible security vulnerabilities in the dependent
+ component that have become known since completion of the
+ dependent component evaluation.
+
+ The evaluator will use the information in the public domain as
+ described in to search for
+ vulnerabilities in the dependent component.
+
+ Those potential vulnerabilities that were publicly
+ available prior to the evaluation of the dependent
+ component do not have to be further investigated unless
+ it is apparent to the evaluator that the attack
+ potential required by an attacker to exploit the
+ potential vulnerability has been significantly
+ reduced. This may be through the introduction of some
+ new technology since evaluation of the dependent
+ component that means the exploitation of the potential
+ vulnerability has been simplified.
+
+
+
+ The evaluator shall record in the ETR the identified
+ potential security vulnerabilities that are candidates
+ for testing and applicable to the composed TOE in its
+ operational environment.
+
+ The ST, guidance documentation and functional
+ specification are used to determine whether the
+ vulnerabilities are relevant to the composed TOE in its
+ operational environment.
+
+ The evaluator records any reasons for exclusion of
+ vulnerabilities from further consideration if the
+ evaluator determines that the vulnerability is not
+ applicable in the operational environment. Otherwise the
+ evaluator records the potential vulnerability for
+ further consideration.
+
+ A list of potential vulnerabilities applicable to the
+ composed TOE in its operational environment, which can
+ be used as an input into penetration testing activities
+ (), shall be
+ reported in the ETR by the evaluators.
+
+
+
+ The evaluator shall perform an independent vulnerability
+ analysis of the composed TOE, using the guidance
+ documentation, reliance information and composition
+ rationale to identify potential vulnerabilities in the
+ composed TOE.
+
+
+ The evaluator shall conduct a search of the composed TOE
+ ST, guidance documentation, reliance information and
+ composition rationale to identify possible security
+ vulnerabilities in the composed TOE.
+
+ The consideration of the components in the independent
+ evaluator vulnerability analysis will take a slightly
+ different form to that documented in for a component
+ evaluation, as it will not necessarily consider all
+ layers of design abstraction relevant to the assurance
+ package. These will have already been considered during
+ the evaluation of the base component, but the evidence
+ may not be available for the composed TOE
+ evaluation. However, the general approach described in
+ the work units associated with is applicable and should form the basis of
+ the evaluator's search for potential vulnerabilities in
+ the composed TOE.
+
+ A vulnerability analysis of the individual components
+ used in the composed TOE will have already been
+ performed during evaluation of the components. The focus
+ of the vulnerability analysis during the composed TOE
+ evaluation is to identify any vulnerabilities introduced
+ as a result of the integration of the components or due
+ to any changes in the use of the components between the
+ configuration of the component determined during the
+ component evaluation and the composed TOE
+ configuration.
+
+ The evaluator will use the understanding of the
+ component's construction as detailed in the reliance
+ information for the dependent component, and the
+ composition rationale and development information for
+ the base component, together with the dependent
+ component design information. This information will
+ allow the evaluator to gain an understanding of how the
+ base component and dependent component interact.
+
+ The evaluator will consider any new guidance provided
+ for the installation, start-up and operation of the
+ composed TOE to identify any potential vulnerabilities
+ introduced through this revised guidance.
+
+ If any of the individual components have been through
+ assurance continuity activities since the completion of
+ the component evaluation, the evaluator will consider
+ the patch in the independent vulnerability
+ analysis. Information related to the change provided in
+ a public report of the assurance continuity activities
+ (e.g. Maintenance Report). This will be supplemented by
+ any updates to the guidance documentation resulting from
+ the change and any information regarding the change
+ available in the public domain, e.g. vendor
+ website.
+
+ Any risks identified due to the lack of evidence to
+ establish the full impact of any patches or deviations
+ in the configuration of a component from the evaluated
+ configuration are to be documented in the evaluator's
+ vulnerability analysis.
+
+
+
+ The evaluator shall conduct penetration testing, based on the
+ identified vulnerabilities, to demonstrate that the composed TOE
+ is resistant to attacks by an attacker with Enhanced-Basic
+ attack potential.
+
+ The evaluator shall conduct penetration testing as detailed
+ for .
+ The evaluator will apply all work units necessary for the
+ satisfaction of evaluator action , reporting in the ETR for the composed TOE all
+ analysis and verdicts as dictated by the work units.
+ The evaluator will also apply the work units for the
+ evaluator action to
+ determine that the composed TOE provided by the developer is
+ suitable for testing.
+
+
+
+
+
+
+ The requirements of the Development class provide information
+ about the TOE. The knowledge obtained by this information is
+ used as the basis for conducting vulnerability analysis and
+ testing upon the TOE, as described in the and classes.
+
+ The Development class encompasses six families of requirements
+ for structuring and representing the TSF at various levels and
+ varying forms of abstraction. These families include:
+
+ requirements for the description (at the various
+ levels of abstraction) of the design and implementation of
+ the SFRs (, , )
+ requirements for the description of the
+ architecture-oriented features of domain separation, TSF
+ self-protection and non-bypassability of the security
+ functionality ()
+ requirements for a security policy model and for correspondence
+ mappings between security policy model and the functional
+ specification ()
+ requirements on the internal structure of the TSF,
+ which covers aspects such as modularity, layering, and
+ minimisation of complexity ()
+
+ When documenting the security functionality of a TOE, there
+ are two properties that need to be demonstrated. The first
+ property is that the security functionality works correctly;
+ that is, it performs as specified. The second property, and
+ one that is arguably harder to demonstrate, is that the TOE
+ cannot be used in a way such that the security functionality
+ can be corrupted or bypassed. These two properties require
+ somewhat different approaches in analysis, and so the families
+ in are structured to support these
+ different approaches. The families , , , and deal with the first property: the specification
+ of the security functionality. The families and deal with
+ the second property: the specification of the design of the
+ TOE demonstrating the security functionality cannot be
+ corrupted or bypassed. It should be noted that both properties
+ need to be realised: the more confidence one has that the
+ properties are satisfied, the more trustworthy the TOE is. The
+ components in the families are designed so that more assurance
+ can be gained as the components hierarchically
+ increase.
+
+ The paradigm for the families targeted at the first property
+ is one of design decomposition. At the highest level, there is
+ a functional specification of the TSF in terms of its
+ interfaces (describing what the TSF does in
+ terms of requests to the TSF for services and resulting
+ responses), decomposing the TSF into smaller units (dependent
+ on the assurance desired and the complexity of the TOE) and
+ describing how the TSF accomplishes its
+ functions (to a level of detail commensurate with the
+ assurance level), and showing the implementation of the TSF. A
+ formal model of the security behaviour also may be given. All
+ levels of decomposition are used in determining the
+ completeness and accuracy of all other levels, ensuring that
+ the levels are mutually supportive. The requirements for the
+ various TSF representations are separated into different
+ families, to allow the PP/ST author to specify which TSF
+ representations are required. The level chosen will dictate
+ the assurance desired/gained.
+
+ Figure indicates the
+ relationships among the various TSF representations of the
+ class, as well as their
+ relationships with other classes. As the figure indicates, the
+ and
+ classes define the requirements for the correspondence between
+ the SFRs and the security objectives for the TOE. Class also defines requirements for the
+ correspondence between both the security objectives and SFRs,
+ and for the TOE summary specification which explains how the
+ TOE meets its SFRs. The activities of include the verification that the TSF that is
+ tested under the and classes is in fact the one described by all of the
+ decomposition levels.
+
+ + The requirements for all other correspondence shown in Figure + are defined in the + class. The family defines the requirements for formally + modelling selected SFRs, and providing correspondence between + the functional specification and the formal model. Each + assurance family specific to a TSF representation (i.e., , + and ) defines requirements + relating that TSF representation to the SFRs. All + decompositions must accurately reflect all other + decompositions (i.e., be mutually supportive); the developer + supplies the tracings in the last .C elements of the + components. Assurance relating to this factor is obtained + during the analysis for each of the levels of decomposition by + referring to other levels of decomposition (in a recursive + fashion) while the analysis of a particular level of + decomposition is being performed; the evaluator verifies the + correspondence as part of the second E element. The + understanding gained from these levels of decomposition form + the basis of the functional and penetration testing + efforts. + + The family is not represented + in this figure, as it is related to the internal structure of + the TSF, and is only indirectly related to the process of + refinement of the TSF representations. Similarly, the family is not represented in the + figure because it relates to the architectural soundness, + rather than representation, of the TSF. Both and + relate to the analysis of the property that the TOE cannot be + made to circumvent or corrupt its security + functionality. + + The TOE security functionality (TSF) consists of all parts of + the TOE that have to be relied upon for enforcement of the + SFRs. The TSF includes both functionality that directly + enforces the SFRs, as well as functionality that, while not + directly enforcing the SFRs, contributes to their enforcement + in a more indirect manner, including functionality with the + capability to cause the SFRs to be violated. 
This includes + portions of the TOE that are invoked on start-up that are + responsible for putting the TSF into its initial secure + state. + + Several important concepts were used in the development of the + components of the families. These + concepts, while introduced briefly here, are explained more + fully in the application notes for the families. + + One over-riding notion is that, as more information becomes + available, greater assurance can be obtained that the security + functionality 1) is correctly implemented; 2) cannot be + corrupted; and 3) cannot be bypassed. This is done through the + verification that the documentation is correct and consistent + with other documentation, and by providing information that + can be used to ensure that the testing activities (both + functional and penetration testing) are comprehensive. This is + reflected in the levelling of the components of the + families. In general, components are levelled based on the + amount of information that is to be provided (and subsequently + analysed). + + While not true for all TOEs, it is generally the case that the + TSF is sufficiently complex that there are portions of the TSF + that deserve more intense examination than other portions of + the TSF. Determining those portions is unfortunately somewhat + subjective, thus terminology and components have been defined + such that as the level of assurance increases, the + responsibility for determining what portions of the TSF need + to be examined in detail shifts from the developer to the + evaluator. To aid in expressing this concept, the following + terminology is introduced. It should be noted that in the + families of the class, this terminology is used when + expressing SFR-related portions of the TOE (that is, elements + and work units embodied in the , , and families). 
While the general + concept (that some portions of the TOE are more + interesting than others) applies to other + families, the criteria are expressed differently in order to + obtain the assurance required. + + All portions of the TSF are security + relevant, meaning that they must preserve the + security of the TOE as expressed by the SFRs and + requirements for domain separation and + non-bypassability. One aspect of security relevance is the + degree to which a portion of the TSF enforces a security + requirement. Since different portions of the TOE play + different roles (or no apparent role at all) in enforcing + security requirements, this creates a continuum of SFR + relevance: at one end of this continuum are portions of the + TOE that are termed SFR-enforcing. Such + portions play a direct role in implementing any SFR on the + TOE. Such SFRs refer to any functionality provided by one of + the SFRs contained in the ST. It should be noted that the + definition of plays a role in for + SFR-enforcing functionality is impossible to express + quantitatively. For example, in the implementation of a + Discretionary Access Control (DAC) mechanism, a very narrow + view of SFR-enforcing might be the several + lines of code that actually perform the check of a subject's + attributes against the object's attributes. A broader view + would include the software entity (e.g., C function) that + contained the several lines of code. A broader view still + would include callers of the C function, since they would be + responsible for enforcing the decision returned by the + attribute check. A still broader view would include any code + in the call tree (or programming equivalent for the + implementation language used) for that C function (e.g., a + sort function that sorted access control list entries in a + first-match algorithm implementation). 
At some point, the
+ component is not so much enforcing the
+ security policy but rather plays a
+ supporting role; such components are termed
+ SFR supporting.
+
+ One of the characteristics of SFR-supporting functionality is
+ that it is trusted to preserve the correctness of the SFR
+ implementation by operating without error. Such functionality
+ may be depended on by SFR-enforcing functionality, but the
+ dependence is generally at a functional level; for example,
+ memory management, buffer management, etc. Further down on the
+ security relevance continuum is functionality termed
+ SFR non-interfering. Such functionality has
+ no role in implementing the SFRs, and is likely part of the
+ TSF because of its environment; for example, any code running
+ in a privileged hardware mode on an operating system. It needs
+ to be considered part of the TSF because, if compromised (or
+ replaced by malicious code), it could compromise the correct
+ operation of an SFR by virtue of its operating in the
+ privileged hardware mode. An example of SFR non-interfering
+ functionality might be a set of mathematical floating point
+ operations implemented in kernel mode for speed
+ considerations.
+
+ The architecture family ()
+ provides for requirements and analysis of the TOE based on
+ properties of domain separation, self-protection, and
+ non-bypassability. These properties relate to the SFRs in
+ that, if these properties are not present, it will likely lead
+ to the failure of mechanisms implementing SFRs. Functionality
+ and design relating to these properties is
+ not considered a part of the continuum described
+ above, but instead is treated separately due to its
+ fundamentally different nature and analysis
+ requirements.
+
+ The difference in analysis of the implementation of SFRs
+ (SFR-enforcing and SFR-supporting functionality) and the
+ implementation of somewhat fundamental security properties of
+ the TOE, which include the initialisation, self-protection,
+ and non-bypassability concerns, is that the SFR-related
+ functionality is more or less directly visible and relatively
+ easy to test, while the above-mentioned properties require
+ varying degrees of analysis on a much broader set of
+ functionality. Further, the depth of analysis for such
+ properties will vary depending on the design of the TOE. The
+ families are constructed to address
+ this by a separate family ()
+ devoted to analysis of the initialisation, self-protection,
+ and non-bypassability requirements, while the other families
+ are concerned with analysis of the functionality supporting
+ SFRs.
+
+ Even in cases where different descriptions are necessary for
+ the multiple levels of abstraction, it is not absolutely
+ necessary for each and every TSF representation to be in a
+ separate document. Indeed, it may be the case that a single
+ document meets the documentation requirements for more than
+ one TSF representation, since it is the information about each
+ of these TSF representations that is required, rather than the
+ resulting document structure. In cases where multiple TSF
+ representations are combined within a single document, the
+ developer should indicate which portions of the documents meet
+ which requirements.
+
+ Three types of specification style are mandated by this class:
+ informal, semiformal and formal. The functional specification
+ and TOE design documentation are always written in either
+ informal or semiformal style. A semiformal style reduces the
+ ambiguity in these documents over an informal presentation.
A
+ formal specification may also be required in addition
+ to the semi-formal presentation; the value is that a
+ description of the TSF in more than one way will add increased
+ assurance that the TSF has been completely and accurately
+ specified.
+
+ An informal specification is written as prose in natural
+ language. Natural language is used here as meaning
+ communication in any commonly spoken tongue (e.g. Spanish,
+ German, French, English, Dutch). An informal specification is
+ not subject to any notational or special restrictions other
+ than those required as ordinary conventions for that language
+ (e.g. grammar and syntax). While no notational restrictions
+ apply, the informal specification is also required to provide
+ defined meanings for terms that are used in a context other
+ than that accepted by normal usage.
+
+ The difference between semiformal and informal documents is
+ only a matter of formatting or presentation: a semiformal
+ notation includes such things as an explicit glossary of
+ terms, a standardised presentation format, etc. A semiformal
+ specification is written to a standard presentation
+ template. The presentation should use terms consistently if
+ written in a natural language. The presentation may also use
+ more structured languages/diagrams (e.g. data-flow diagrams,
+ state transition diagrams, entity-relationship diagrams, data
+ structure diagrams, and process or program structure
+ diagrams). Whether based on diagrams or natural language, a
+ set of conventions must be used in the presentation. The
+ glossary explicitly identifies the words that are being used
+ in a precise and constant manner; similarly, the standardised
+ format implies that extreme care has been taken in
+ methodically preparing the document in a manner that maximises
+ clarity.
It should be noted that fundamentally different
+ portions of the TSF may have different semiformal notation
+ conventions and presentation styles (as long as the number of
+ different ``semiformal notations'' is small); this still
+ conforms to the concept of a semiformal
+ presentation.
+
+ A formal specification is written in a notation based upon
+ well-established mathematical concepts, and is typically
+ accompanied by supporting explanatory (informal) prose. These
+ mathematical concepts are used to define the syntax and
+ semantics of the notation and the proof rules that support
+ logical reasoning. The syntactic and semantic rules supporting
+ a formal notation should define how to recognise constructs
+ unambiguously and determine their meaning. There needs to be
+ evidence that it is impossible to derive contradictions, and
+ all rules supporting the notation need to be defined or
+ referenced.
+
+
+
+ The purpose of the Development class is to provide evidence
+ about the TOE. Without the knowledge about the TOE that is
+ gained from this information, there could be no useful
+ vulnerability analysis or testing conducted upon the TOE (as
+ described in the and classes).
+
+
+ The purpose of the development activity is to assess the
+ design documentation in terms of its adequacy to understand
+ how the TSF meets the SFRs and how the implementation of these
+ SFRs cannot be tampered with or bypassed. This understanding
+ is achieved through examination of increasingly refined
+ descriptions of the TSF design documentation. Design
+ documentation consists of a functional specification (which
+ describes the interfaces of the TSF), a TOE design description
+ (which describes the architecture of the TSF in terms of how
+ it works in order to perform the functions related to the SFRs
+ being claimed), and an implementation description (a source
+ code level description).
In addition, there is a security
+ architecture description (which describes the architectural
+ properties of the TSF to explain how its security enforcement
+ cannot be compromised or bypassed), an internals description
+ (which describes how the TSF was constructed in a manner that
+ encourages understandability), and a security policy model
+ (which formally describes the security policies enforced by
+ the TSF).
+
+
+
+ The CC requirements for design documentation are levelled by
+ the amount, and detail of information provided, and the degree
+ of formality of the presentation of the information. At lower
+ levels, the most security-critical portions of the TSF are
+ described with the most detail, while less security-critical
+ portions of the TSF are merely summarised; added assurance is
+ gained by increasing the amount of information about the most
+ security-critical portions of the TSF, and increasing the
+ details about the less security-critical portions. The most
+ assurance is achieved when thorough details and information of
+ all portions are provided.
+
+ The CC considers a document's degree of formality (that is,
+ whether it is informal or semiformal) to be hierarchical. An
+ informal document is one that is expressed in a natural
+ language. The methodology does not dictate the specific
+ language that must be used; that issue is left for the
+ scheme. The following paragraphs differentiate the contents of
+ the different informal documents.
+
+ A functional specification provides a description of the
+ purpose and method-of-use of interfaces to the TSF.
For
+ example, if an operating system presents the user with a means
+ of self-identification, of creating files, of modifying or
+ deleting files, of setting permissions defining what other
+ users may access files, and of communicating with remote
+ machines, its functional specification would contain
+ descriptions of each of these and how they are realised
+ through interactions with the externally-visible interfaces to
+ the TSF. If there is also audit functionality that detects and
+ record the occurrences of such events, descriptions of this
+ audit functionality would also be expected to be part of the
+ functional specification; while this functionality is
+ technically not directly invoked by the user at the external
+ interface, it certainly is affected by what occurs at the
+ user's external interface.
+
+ A design description is expressed in terms of logical
+ divisions (subsystems or modules) that each provide a
+ comprehensible service or function. For example, a firewall
+ might be composed of subsystems that deal with packet
+ filtering, with remote administration, with auditing, and with
+ connection-level filtering. The design description of the
+ firewall would describe the actions that are taken, in terms
+ of what actions each subsystem takes when an incoming packet
+ arrives at the firewall.
+
+
+
+
+ The objective of this family is for the developer to provide
+ a description of the security architecture of the TSF. This
+ will allow analysis of the information that, when coupled
+ with the other evidence presented for the TSF, will confirm
+ the TSF achieves the desired properties. The security
+ architecture descriptions supports the implicit claim that
+ security analysis of the TOE can be achieved by examining
+ the TSF; without a sound architecture, the entire TOE
+ functionality would have to be examined.
+
+
+
+ The information presented for the security architecture of
+ the TOE is related to the information contained in other
+ decomposition documentation (functional specification and
+ TOE design documentation) provided for the TSF, but presents
+ the design in a manner that supports architectural arguments
+ (e.g., the TSF cannot be compromised; the TSF provides
+ security domains consistent with its SFRs; the TSF cannot be
+ bypassed).
+
+
+
+ This family contains only one component.
+
+
+
+ The properties of self-protection, domain separation, and
+ non-bypassability are distinct from security functionality
+ expressed by Part 2 SFRs because self-protection and
+ non-bypassability largely have no directly observable
+ interface at the TSF. Rather, they are properties of the TSF
+ that are achieved through the design of the TOE and TSF, and
+ enforced by the correct implementation of that
+ design.
+
+ The approach used in this family is for the developer to
+ design and provide a TSF that exhibits the above-mentioned
+ properties, and to provide evidence (in the form of
+ documentation) that explains these properties of the
+ TSF. This explanation is provided at the same level of
+ detail as the description of the SFR-enforcing elements of
+ the TOE in the TOE design document. The evaluator has the
+ responsibility for looking at the evidence and, coupled with
+ other evidence delivered for the TOE and TSF, determining
+ that the properties are achieved.
+
+ Specification of security functionality implementing the
+ SFRs (in the and ) will not necessarily describe
+ mechanisms employed in implementing self-protection and
+ non-bypassability (e.g. memory management
+ mechanisms). Therefore, the material needed to provide the
+ assurance that these requirements are being achieved is
+ better suited to a presentation separate from the design
+ decomposition of the TSF as embodied in and .
This is not
+ to imply that the security architecture description called
+ for by this component cannot reference or make use of the
+ design decomposition material; but it is likely that much of
+ the detail present in the decomposition documentation will
+ not be relevant to the argument being provided for the
+ security architecture description document.
+
+ The description of architectural soundness can be thought of
+ as a developer's vulnerability analysis, in that it provides
+ the justification for why the TSF is sound and enforces all
+ of its SFRs. Where the soundness is achieved through
+ specific security mechanisms, these will be tested as part
+ of the requirements; where
+ the soundness is achieved solely through the architecture,
+ the behaviour will be tested as part of the requirements.
+
+ This family consists of requirements for a security
+ architecture description that describes the self-protection,
+ domain separation, non-bypassability principles, including a
+ description of how these principles are supported by the
+ parts of the TOE that are used for TSF
+ initialisation.
+ Additional information on the security architecture
+ properties of self-protection, domain separation, and
+ non-bypassability can be found in Annex .
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TSF is structured such that it cannot be tampered with
+ or bypassed, and whether TSFs that provide security
+ domains isolate those domains from each other.
+
+
+
+ The notions of self-protection, domain separation, and
+ non-bypassability are distinct from security functionality
+ expressed in Part 2 SFRs because self-protection and
+ non-bypassability largely have no directly observable
+ interface at the TSF. Rather, they are properties of the
+ TSF that are achieved through the design of the TOE, and
+ enforced by the correct implementation of that
+ design.
Also, the evaluation of these properties is less
+ straight-forward than the evaluation of mechanisms; it is
+ more difficult to check for the absence of functionality
+ than for its presence. However, the determination that
+ these properties are being satisfied is just as critical
+ as the determination that the mechanisms are properly
+ implemented.
+
+ The overall approach used is that the developer provides a
+ TSF that meets the above-mentioned properties, and
+ provides evidence (in the form of documentation) that can
+ be analysed to show that the properties are indeed
+ met. The evaluator has the responsibility for looking at
+ the evidence and, coupled with other evidence delivered
+ for the TOE, determining that the properties are
+ achieved. The work units can be characterised as those
+ detailing with what information has to be provided, and
+ those dealing with the actual analysis the evaluator
+ performs.
+
+ The security architecture description describes how
+ domains are defined and how the TSF keeps them
+ separate. It describes what prevents untrusted processes
+ from getting to the TSF and modifying it. It describes
+ what ensures that all resources under the TSF's control
+ are adequately protected and that all actions related to
+ the SFRs are mediated by the TSF. It explains any role the
+ environment plays in any of these (e.g. presuming it gets
+ correctly invoked by its underlying environment, how is
+ its security functionality invoked?). In short, it
+ explains how the TOE is considered to be providing any
+ kind of security service.
+
+ The analyses the evaluator performs must be done in the
+ context of all of the development evidence provided for
+ the TOE, at the level of detail the evidence is
+ provided. At lower assurance levels there should not be
+ the expectation that, for example, TSF self-protection is
+ completely analysed, because only high-level design
+ representations will be available.
The evaluator also
+ needs to be sure to use information gleaned from other
+ portions of their analysis (e.g., analysis of the TOE
+ design) in making their assessments for the properties
+ being examined in the following work units.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the TOE design;
+
+
+ the security architecture description;
+
+
+ the implementation representation (if available);
+
+
+ the operational user guidance;
+
+
+
+
+ The developer shall design and implement the TOE so that the
+ security features of the TSF cannot be bypassed.
+
+
+ The developer shall design and implement the TSF so that it
+ is able to protect itself from tampering by untrusted active
+ entities.
+
+
+ The developer shall provide a security architecture
+ description of the TSF.
+
+
+ The security architecture description shall be at a level of
+ detail commensurate with the description of the
+ SFR-enforcing abstractions described in the TOE design
+ document.
+
+
+ The security architecture description shall describe the
+ security domains maintained by the TSF consistently with the
+ SFRs.
+
+
+ The security architecture description shall describe how the
+ TSF initialisation process is secure.
+
+
+ The security architecture description shall demonstrate that
+ the TSF protects itself from tampering.
+
+
+ The security architecture description shall demonstrate that
+ the TSF prevents bypass of the SFR-enforcing functionality.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the security architecture
+ description to determine that the information provided
+ in the evidence is presented at a level of detail
+ commensurate with the descriptions of the SFR-enforcing
+ abstractions contained in the functional specification
+ and TOE design document.
+
+ With respect to the functional specification, the
+ evaluator should ensure that the self-protection
+ functionality described cover those effects that are
+ evident at the TSFI. Such a description might include
+ protection placed upon the executable images of the TSF,
+ and protection placed on objects (e.g., files used by
+ the TSF). The evaluator ensures that the functionality
+ that might be invoked through the TSFI is
+ described.
+
+ If or is included, the evaluator
+ ensures the security architecture description contains
+ information on how any subsystems that contribute to TSF
+ domain separation work.
+
+ If or higher is
+ available, the evaluator ensures that the security
+ architecture description also contains
+ implementation-dependent information. For example, such
+ a description might contain information pertaining to
+ coding conventions for parameter checking that would
+ prevent TSF compromises (e.g. buffer overflows), and
+ information on stack management for call and return
+ operations. The evaluator checks the descriptions of the
+ mechanisms to ensure that the level of detail is such
+ that there is little ambiguity between the description
+ in the security architecture description and the
+ implementation representation.
+
+ The evaluator action related to this work unit is assigned a fail verdict
+ if the security architecture description mentions any module, subsystem, or interface
+ that is not described in the functional specification or TOE design document.
+
+
+
+ The evaluator shall examine the security architecture
+ description to determine that it describes the security
+ domains maintained by the TSF.
+
+ Security domains refer to environments supplied by the
+ TSF for use by potentially-harmful entities; for
+ example, a typical secure operating system supplies a
+ set of resources (address space, per-process environment
+ variables) for use by processes with limited access
+ rights and security properties.
The evaluator determines
+ that the developer's description of the security domains
+ takes into account all of the SFRs claimed by the
+ TOE.
+
+ For some TOEs such domains do not exist because all of
+ the interactions available to users are severely
+ constrained by the TSF. A packet-filter firewall is an
+ example of such a TOE. Users on the LAN or WAN do not
+ interact with the TOE, so there need be no security
+ domains; there are only data structures maintained by
+ the TSF to keep the users' packets separated. The
+ evaluator ensures that any claim that there are no
+ domains is supported by the evidence and that no such
+ domains are, in fact, available.
+
+
+
+
+ The evaluator shall examine the security architecture
+ description to determine that the initialisation process
+ preserves security.
+
+ The information provided in the security architecture
+ description relating to TSF initialisation is directed
+ at the TOE components that are involved in bringing the
+ TSF into an initial secure state (i.e. when all parts of
+ the TSF are operational) when power-on or a reset is
+ applied. This discussion in the security architecture
+ description should list the system initialisation
+ components and the processing that occurs in
+ transitioning from the ``down'' state to the initial
+ secure state.
+
+ It is often the case that the components that perform
+ this initialisation function are not accessible after
+ the secure state is achieved; if this is the case then
+ the security architecture description identifies the components and
+ explains how they are not reachable by untrusted
+ entities after the TSF has been established. In this
+ respect, the property that needs to be preserved is that
+ these components either 1) cannot be accessed by
+ untrusted entities after the secure state is achieved,
+ or 2) if they provide interfaces to untrusted entities,
+ these TSFI cannot be used to tamper with the TSF.
+
+ The TOE components related to TSF initialisation, then,
+ are treated themselves as part of the TSF, and analysed
+ from that perspective. It should be noted that even
+ though these are treated as part of the TSF, it is
+ likely that a justification (as allowed by ) can be made that they do not
+ have to meet the internal structuring requirements of
+ .
+
+
+
+
+ The evaluator shall examine the security architecture
+ description to determine that it contains information
+ sufficient to support a determination that the TSF is
+ able to protect itself from tampering by untrusted
+ active entities.
+
+ ''Self-protection'' refers to the ability of the TSF to
+ protect itself from manipulation from external entities
+ that may result in changes to the TSF. For TOEs that
+ have dependencies on other IT entities, it is often the
+ case that the TOE uses services supplied by the other IT
+ entities in order to perform its functions. In such
+ cases, the TSF alone does not protect itself because it
+ depends on the other IT entities to provide some of the
+ protection. For the purposes of the security
+ architecture description, the notion of
+ self-protection applies only to the
+ services provided by the TSF through its TSFI, and not
+ to services provided by underlying IT entities that it
+ uses.
+
+ Self-protection is typically achieved by a variety of
+ means, ranging from physical and logical restrictions on
+ access to the TOE; to hardware-based means (e.g.
+ ``execution rings'' and memory management
+ functionality); to software-based means (e.g. boundary
+ checking of inputs on a trusted server). The evaluator
+ determines that all such mechanisms are
+ described.
+
+ The evaluator determines that the design description
+ covers how user input is handled by the TSF in such a
+ way that the TSF does not subject itself to being
+ corrupted by that user input.
For example, the TSF might
+ implement the notion of privilege and protect itself by
+ using privileged-mode routines to handle user input. The
+ TSF might make use of processor-based separation
+ mechanisms such as privilege levels or rings. The TSF
+ might implement software protection constructs or coding
+ conventions that contribute to implementing separation of
+ software domains, perhaps by delineating user address
+ space from system address space. And the TSF might have
+ reliance its environment to provide some support to the
+ protection of the TSF.
+
+ All of the mechanisms contributing to the domain
+ separation functions are described. The evaluator should
+ use knowledge gained from other evidence (functional
+ specification, TOE design, TSF internals description,
+ other parts of the security architecture description, or
+ implementation representation, as included in the
+ assurance package for the TOE) in determining if any
+ functionality contributing to self-protection was
+ described that is not present in the security
+ architecture description.
+
+ Accuracy of the description of the self-protection mechanisms is the property that the
+ description faithfully describes what is implemented. The evaluator should use other
+ evidence (functional specification, TOE design, TSF Internals documentation, other parts
+ of the security architecture description, implementation representation, as included in
+ the ST for the TOE) in determining whether there are discrepancies in any descriptions
+ of the self-protection mechanisms. If
+
+ is included in the assurance package for the TOE, the evaluator will choose a sample of
+ the implementation representation; the evaluator should also ensure that the descriptions
+ are accurate for the sample chosen. If an evaluator cannot understand how a certain
+ self-protection mechanism works or could work in the system architecture, it may be the
+ case that the description is not accurate.
+
+
+
+
+ The evaluator shall examine the security architecture
+ description to determine that it presents an analysis
+ that adequately describes how the SFR-enforcing
+ mechanisms cannot be bypassed.
+
+ Non-bypassability is a property that the security
+ functionality of the TSF (as specified by the SFRs) is
+ always invoked. For example, if access control to files
+ is specified as a capability of the TSF via an SFR,
+ there must be no interfaces through which files can be
+ accessed without invoking the TSF's access control
+ mechanism (such as an interface through which a raw disk
+ access takes place).
+
+ Describing how the TSF mechanisms cannot be bypassed
+ generally requires a systematic argument based on the
+ TSF and the TSFIs. The description of how the TSF works
+ (contained in the design decomposition evidence, such as
+ the functional specification, TOE design documentation)
+ - along with the information in the TSS - provides the
+ background necessary for the evaluator to understand
+ what resources are being protected and what security
+ functions are being provided. The functional
+ specification provides descriptions of the TSFIs through
+ which the resources/functions are accessed.
+
+ The evaluator assesses the description provided (and other
+ information provided by the developer, such as the functional
+ specification) to ensure that no available interface can be used
+ to bypass the TSF. This means that every available interface
+ must be either unrelated to the SFRs that are claimed in the ST
+ (and does not interact with anything that is used to satisfy
+ SFRs) or else uses the security functionality that is described
+ in other development evidence in the manner described. For
+ example, a game would likely be unrelated to the SFRs, so there
+ must be an explanation of how it cannot affect security.
Access
+ to user data, however, is likely to be related to access control
+ SFRs, so the explanation would describe how the security
+ functionality works when invoked through the data-access
+ interfaces. Such a description is needed for every available
+ interface.
+
+ An example of a description follows. Suppose the TSF
+ provides file protection. Further suppose that although
+ the ``traditional'' system call TSFIs for open, read,
+ and write invoke the file protection mechanism described
+ in the TOE design, there exists a TSFI that allows
+ access to a batch job facility (creating batch jobs,
+ deleting jobs, modifying unprocessed jobs). The
+ evaluator should be able to determine from the
+ vendor-provided description that this TSFI invokes the
+ same protection mechanisms as do the ``traditional''
+ interfaces. This could be done, for example, by
+ referencing the appropriate subclauses of the TOE design
+ that discuss how the batch job facility
+ TSFI achieves its security objectives.
+
+ Using this same example, suppose there is a TSFI whose
+ sole purpose is to display the time of day. The
+ evaluator should determine that the description
+ adequately argues that this TSFI is not capable of
+ manipulating any protected resources and should not
+ invoke any security functionality.
+
+ Another example of bypass is when the TSF is supposed to
+ maintain confidentiality of a cryptographic key (one is
+ allowed to use it for cryptographic operations, but is
+ not allowed to read/write it). If an attacker has direct
+ physical access to the device, he might be able to
+ examine side-channels such as the power usage of the
+ device, the exact timing of the device, or even any
+ electromagnetic emanations of the device and, from this,
+ infer the key.
+
+ If such side-channels may be present, the demonstration
+ should address the mechanisms that prevent these
+ side-channels from occurring, such as random internal
+ clocks, dual-line technology etc.
Verification of these
+ mechanisms would be verified by a combination of purely
+ design-based arguments and testing.
+
+ For a final example using security functionality rather
+ than a protected resource, consider an ST that contains
+ , which requires that
+ the TSF provides evidence of origination for information
+ types specified in the ST. Suppose that the
+ ``information types'' included all information that is
+ sent by the TOE via e-mail. In this case the evaluator
+ should examine the description to ensure that all TSFI
+ that can be invoked to send e-mail perform the
+ ``evidence of origination generation'' function are
+ detailed. The description might point to user guidance
+ to show all places where e-mail can originate (e.g.,
+ e-mail program, notification from scripts/batch jobs)
+ and then how each of these places invokes the evidence
+ generation function.
+
+ The evaluator should also ensure that the description is comprehensive, in that each
+ interface is analysed with respect to the entire set of claimed SFRs. This may require the
+ evaluator to examine supporting information (functional specification, TOE design, other
+ parts of the security architecture description, operational user guidance, and perhaps even
+ the implementation representation, as provided for the TOE) to determine that the description
+ has correctly capture all aspects of an interface. The evaluator should consider what SFRs each
+ TSFI might affect (from the description of the TSFI and its implementation in the supporting
+ documentation), and then examine the description to determine whether it covers those aspects.
+
+
+
+
+
+
+
+ This family levies requirements upon the functional specification,
+ which describes the TSF interfaces (TSFIs).
+ The TSFI consists of all means by which external entities (or
+ subjects in the TOE but outside of the TSF) supply data to the TSF,
+ receive data from the TSF and invoke services from the TSF.
+ It does not describe how the TSF processes those service
+ requests, nor does it describe the communication when the TSF invokes services
+ from its operational environment; this information is addressed by the
+ and
+ families, respectively.
+
+ This family provides assurance directly by allowing the
+ evaluator to understand how the TSF meets the claimed SFRs. It
+ also provides assurance indirectly, as input to other assurance
+ families and classes:
+ , where the description of
+ the TSFIs may be used to gain better understanding of how the
+ TSF is protected against corruption (i.e. subversion of
+ self-protection or domain separation) and/or bypass;
+ , where the description of the
+ TSFIs is an important input for both developer and evaluator
+ testing;
+ , where the description of the
+ TSFIs is used to search for vulnerabilities.
+
+
+
+
+ The information presented in the functional specification
+ describes the interfaces through which the TSF services are
+ invoked. At the lower levels of assurance, there is an
+ effort to reduce the amount of information that must be
+ supplied by requiring only the most security-critical
+ information.
+
+
+
+ The components in this family are levelled on the degree of
+ detail required of the description of the TSFIs, and the degree
+ of formalism required of the description of the TSFIs.
+
+
+
+ Once the TSFIs are determined (see for guidance and
+ examples of determining TSFI), they are described. At
+ lower-level components, developers focus their documentation
+ (and evaluators focus their analysis) on the more
+ security-relevant aspects of the TOE. Three categories of
+ TSFIs are defined, based upon the relevance the services
+ available through them have to the SFRs being claimed:
+ If a service available through an interface can be
+ traced to one of the SFRs levied on the TSF, then that
+ interface is termed SFR-enforcing.
+ Note that it is possible that an interface may have
+ various services and results, some of which may be
+ SFR-enforcing and some of which may not.
+ interfaces to (or services available through an
+ interface relating to) services that SFR-enforcing
+ functionality depends upon, but need only to function
+ correctly in order for the security policies of the TOE
+ to be preserved, are termed
+ SFR-supporting.
+ Interfaces to services on which SFR-enforcing
+ functionality has no dependence are termed SFR
+ non-interfering.
+
+ It should be noted that in order for an interface to be
+ SFR-supporting or SFR non-interfering it must have
+ no SFR-enforcing services or results. In
+ contrast, an SFR-enforcing interface may have SFR-supporting
+ services (for example, the ability to set the system clock
+ may be an SFR-enforcing service of an interface, but if that
+ same interface is used to display the system date that
+ service may be only SFR-supporting). An example of a purely
+ SFR-supporting interface is a system call interface that is
+ used both by users and by a portion of the TSF that is
+ running on behalf of users.
+
+ As more information about the TSFIs becomes available, the
+ greater the assurance that can be gained that the interfaces are
+ correctly categorised/analysed. The requirements are structured
+ such that, at the lowest level, the information required for SFR
+ non-interfering interfaces is the minimum necessary in order for
+ the evaluator to make this determination in an effective
+ manner. At higher levels, more information becomes available so
+ that the evaluator has greater confidence in the
+ designation.
+
+ The purpose in defining these labels (SFR-enforcing,
+ SFR-supporting, and SFR-non-interfering) and for levying
+ different requirements upon each (at the lower assurance
+ components) is to provide a first approximation of where to
+ focus the analysis and the evidence upon which that analysis
+ is performed. If the developer's documentation of the TSF
+ interfaces describes all of the interfaces to the degree
+ specified in the requirements for the SFR-enforcing
+ interfaces (that is, if the documentation exceeds the
+ requirements), there is no need for the developer to create
+ new evidence to match the requirements. Similarly, because
+ the labels are merely a means of differentiating the
+ interface types within the requirements, there is no need
+ for the developer to update the evidence solely to label the
+ interfaces as SFR-enforcing, SFR-supporting, and
+ SFR-non-interfering. The primary purpose of this labelling
+ is to allow developers with less mature development
+ methodologies (and associated artifacts, such as detailed
+ interface and design documentation) to provide only the
+ necessary evidence without undue cost.
+
+ The last C element of each component within this family provides
+ a direct correspondence between the SFRs and the functional
+ specification; that is, an indication of which interfaces are
+ used to invoke each of the claimed SFRs. In the cases where the
+ ST contains such functional requirements as , whose functionality may not manifest itself at
+ the TSFIs, the functional specification and/or the tracing is
+ expected to identify these SFRs; including them in the functional
+ specification helps to ensure that they are not lost at lower
+ levels of decomposition, where they will be relevant.
+
+
+ The requirements define collections of details about TSFI
+ to be provided. For the purposes of the requirements,
+ interfaces are specified (in varying degrees of detail) in
+ terms of their purpose, method of use, parameters,
+ parameter descriptions, and error messages.
+
+ The purpose of an interface is a
+ high-level description of the general goal of the
+ interface (e.g. process GUI commands, receive network
+ packets, provide printer output, etc.)
+
+ The interface's method of use describes
+ how the interface is supposed to be used. This description
+ should be built around the various interactions available
+ at that interface. For instance, if the interface were a Unix
+ command shell, ls, mv
+ and cp would be interactions for that
+ interface. For each interaction the method of use
+ describes what the interaction does, both for behaviour
+ seen at the interface (e.g. the programmer calling the
+ API, the Windows users changing a setting in the registry,
+ etc.) as well as behaviour at other interfaces
+ (e.g. generating an audit record).
+
+ Parameters are explicit inputs to and
+ outputs from an interface that control the behaviour of
+ that interface. For example, parameters are the arguments
+ supplied to an API; the various fields in a packet for a
+ given network protocol; the individual key values in the
+ Windows Registry; the signals across a set of pins on a
+ chip; the flags that can be set for the
+ ls, etc. The parameters are
+ ``identified'' with a simple list of what they are.
+
+ A parameter description tells what the
+ parameter is in some meaningful way. For instance, an
+ acceptable parameter description for interface
+ foo(i) would be ``parameter i is an
+ integer that indicates the number of users currently
+ logged in to the system''. A description such as
+ ``parameter i is an integer'' is not an acceptable.
+
+ The description of an interface's actions
+ describes what the interface does. This is more detailed
+ than the purpose in that, while the ``purpose'' reveals
+ why one might want to use it, the ``actions'' reveals
+ everything that it does. These actions might be related to
+ the SFRs or not. In cases where the interface's action is
+ not related to SFRs, its description is said to be
+ summarised, meaning the description
+ merely makes clear that it is indeed not SFR-related.
+
+ The error message description identifies
+ the condition that generated it, what the message is, and
+ the meaning of any error codes. An error message is
+ generated by the TSF to signify that a problem or
+ irregularity of some degree has been encountered. The
+ requirements in this family refer to different kinds of
+ error messages:
+ a ``direct'' error message is a
+ security-relevant response through a specific TSFI
+ invocation.
+ an ``indirect'' error cannot be tied to a
+ specific TSFI invocation because it results from
+ system-wide conditions (e.g. resource exhaustion,
+ connectivity interruptions, etc.). Error messages that
+ are not security-relevant are also considered
+ ``indirect''.
+ ``remaining'' errors are any other errors, such as those
+ that might be referenced within the code. For example, the use of
+ condition-checking code that checks for conditions that would not
+ logically occur (e.g. a final ``else'' after a list of ``case''
+ statements), would provide for generating a catch-all error
+ message; in an operational TOE, these error messages should never
+ be seen.
+
+ An example functional specification is provided in .
+
+
+
+ Increasing assurance through increased completeness and
+ accuracy in the interface specification is reflected in
+ the documentation required from the developer as detailed
+ in the various hierarchical components of this
+ family.
+
+ At , the only
+ documentation required is a characterisation of all TSFIs
+ and a high level description of SFR-enforcing and
+ SFR-supporting TSFIs. To provide some assurance that the
+ ``important'' aspects of the TSF have been correctly
+ characterised at the TSFIs, the developer is required to
+ provide the purpose and method of use, parameters for the
+ SFR-enforcing and SFR-supporting TSFIs.
+
+ At , the developer is
+ required to provide the purpose, method of use,
+ parameters, and parameter descriptions for all
+ TSFIs. Additionally, for the SFR-enforcing TSFIs the
+ developer has to describe the SFR-enforcing actions and
+ direct error messages.
+
+ At , the developer must now,
+ in addition to the information required at , provide enough information about the SFR-supporting
+ and SFR-non-interfering actions to show that they are not
+ SFR-enforcing. Further, the developer must now document all of
+ the direct error messages resulting from the invocation of
+ SFR-enforcing TSFIs.
+
+ At , all TSFIs - whether
+ SFR-enforcing, SFR-supporting, SFR-non-interfering - must
+ be described to the same degree, including all of the
+ direct error messages.
+
+ At , the TSFIs descriptions
+ also include error messages that do not result from an
+ invocation of a TSFI.
+
+ At , in addition to the
+ information required by , all
+ remaining error messages are included. The developer must also
+ provide a formal description of the TSFI. This provides an
+ alternative view of the TSFI that may expose inconsistencies or
+ incomplete specification.
+
+
+
+
+
+ The objective of this sub-activity is to determine whether the
+ developer has provided a high-level description of at least the
+ SFR-enforcing and SFR-supporting TSFIs, in terms of descriptions
+ of their parameters. There is no other required evidence that
+ can be expected to be available to measure the accuracy of these
+ descriptions; the evaluator merely ensures the descriptions seem
+ plausible.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the operational user guidance;
+
+
+
+
+ The developer shall provide a functional specification.
+
+
+ The developer shall provide a tracing from the functional
+ specification to the SFRs.
+
+
+ The functional specification shall describe the purpose and
+ method of use for each SFR-enforcing and SFR-supporting
+ TSFI.
+
+
+ The functional specification shall identify all parameters
+ associated with each SFR-enforcing and SFR-supporting TSFI.
+
+
+ The functional specification shall provide rationale for the
+ implicit categorisation of interfaces as
+ SFR-non-interfering.
+
+
+ The tracing shall demonstrate that the SFRs trace to TSFIs
+ in the functional specification.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that it states the purpose of each
+ SFR-supporting and SFR-enforcing TSFI.
+
+ The purpose of a TSFI is a general statement summarising
+ the functionality provided by the interface. It is not
+ intended to be a complete statement of the actions and
+ results related to the interface, but rather a statement
+ to help the reader understand in general what the
+ interface is intended to be used for. The evaluator
+ should not only determine that the purpose exists, but
+ also that it accurately reflects the TSFI by taking into
+ account other information about the interface, such as
+ the description of the parameters; this can be done in
+ association with other work units for this
+ component.
+
+ If an action available through an interface plays a role in
+ enforcing any security policy on the TOE (that is, if one of the
+ actions of the interface can be traced to one of the SFRs levied
+ on the TSF), then that interface is
+ SFR-enforcing. Such policies are not limited to
+ the access control policies, but also refer to any functionality
+ specified by one of the SFRs contained in the ST. Note that it
+ is possible that an interface may have various actions and
+ results, some of which may be SFR-enforcing and some of which
+ may not.
+
+ Interfaces to (or actions available through an interface
+ relating to) actions that SFR-enforcing functionality
+ depends on, but need only to function correctly in order
+ for the security policies of the TOE to be preserved,
+ are termed SFR supporting. Interfaces
+ to actions on which SFR-enforcing functionality has no
+ dependence are termed SFR
+ non-interfering.
+
+ It should be noted that in order for an interface to be
+ SFR supporting or SFR non-interfering it must have
+ no SFR-enforcing actions or results. In
+ contrast, an SFR-enforcing interface may have
+ SFR-supporting actions (for example, the ability to set
+ the system clock may be an SFR-enforcing action of an
+ interface, but if that same interface is used to display
+ the system date that action may only be SFR
+ supporting). An example of a purely SFR-supporting
+ interface is a system call interface that is used both
+ by untrusted users and by a portion of the TSF that is
+ running in user mode.
+
+ At this level, it is unlikely that a developer will have
+ expended effort to label interfaces as SFR-enforcing and
+ SFR-supporting. In the case that this has been done,
+ the evaluator should verify to the extent that
+ supporting documentation (e.g., operational user
+ guidance) allows that this identification is correct.
+ Note that this identification activity is necessary for
+ several work units for this component.
+
+ In the more likely case that the developer has not
+ labelled the interfaces, the evaluator must perform
+ their own identification of the interfaces first, and
+ then determine whether the required information (for
+ this work unit, the purpose) is present. Again, because
+ of the lack of supporting evidence this identification
+ will be difficult and have low assurance that all
+ appropriate interfaces have been correctly identified,
+ but nonetheless the evaluator examines other evidence
+ available for the TOE to ensure as complete coverage as
+ is possible.
+
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that the method of use for each
+ SFR-supporting and SFR-enforcing TSFI is given.
+
+ See work unit for a
+ discussion on the identification of SFR-supporting and
+ SFR-enforcing TSFI.
+
+ The method of use for a TSFI summarises how the
+ interface is manipulated in order to invoke the actions
+ and obtain the results associated with the TSFI. The
+ evaluator should be able to determine, from reading this
+ material in the functional specification, how to use
+ each interface. This does not necessarily mean that
+ there needs to be a separate method of use for each
+ TSFI, as it may be possible to describe in general how
+ kernel calls are invoked, for instance, and then
+ identify each interface using that general
+ style. Different types of interfaces will require
+ different method of use specifications. APIs, network
+ protocol interfaces, system configuration parameters,
+ and hardware bus interfaces all have very different
+ methods of use, and this should be taken into account by
+ the developer when developing the functional
+ specification, as well as by the evaluator evaluating
+ the functional specification.
+
+ For administrative interfaces whose functionality is documented
+ as being inaccessible to untrusted users, the evaluator ensures
+ that the method of making the functions inaccessible is
+ described in the functional specification. It should be noted
+ that this inaccessibility needs to be tested by the developer in
+ their test suite.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it identifies all parameters
+ associated with each SFR-enforcing and SFR-supporting
+ TSFI.
+
+ See work unit for a
+ discussion on the identification of SFR-supporting and
+ SFR-enforcing TSFI.
+
+ The evaluator examines the functional specification to
+ ensure that all of the parameters are described for
+ identified TSFI. Parameters are explicit inputs or
+ outputs to an interface that control the behaviour of
+ that interface. For examples, parameters are the
+ arguments supplied to an API; the various fields in
+ packet for a given network protocol; the individual key
+ values in the Windows Registry; the signals across a set
+ of pins on a chip; etc.
+
+ While difficult to obtain much assurance that all
+ parameters for the applicable TSFI have been identified,
+ the evaluator should also check other evidence provided
+ for the evaluation (e.g., operational user guidance) to
+ see if behaviour or additional parameters are described
+ there but not in the functional specification.
+
+
+
+
+ The evaluator shall examine the rationale provided by
+ the developer for the implicit categorisation of
+ interfaces as SFR-non-interfering to determine that it
+ is accurate.
+
+ In the case where the developer has provided adequate
+ documentation to perform the analysis called for by the
+ rest of the work units for this component without
+ explicitly identifying SFR-enforcing and SFR-supporting
+ interfaces, this work unit should be considered
+ satisfied.
+
+ This work unit is intended to apply to cases where the developer
+ has not described a portion of the TSFI, claiming that it is
+ SFR-non-interfering and therefore not subject to other
+ requirements of this component. In such a case, the developer
+ provides a rationale for this characterisation in sufficient
+ detail such that the evaluator understands the rationale, the
+ characteristics of the interfaces affected (e.g., their
+ high-level function with respect to the TOE, such as ``colour
+ palette manipulation''), and that the claim that these are
+ SFR-non-interfering is supported. Given the level of assurance
+ the evaluator should not expect more detail than is provided for
+ the SFR-enforcing or SFR-supporting interfaces, and in fact the
+ detail should be much less. In most cases, individual
+ interfaces should not need to be addressed in the
+ developer-provided rationale subclause.
+
+
+
+ The evaluator shall check that the tracing links the
+ SFRs to the corresponding TSFIs.
+
+ The tracing is provided by the developer to serve as a
+ guide to which SFRs are related to which TSFIs. This
+ tracing can be as simple as a table; it is used as input
+ to the evaluator for use in the following work units, in
+ which the evaluator verifies its completeness and
+ accuracy.
+
+
+
+ The evaluator shall determine that the functional
+ specification is an accurate and complete instantiation of
+ the SFRs.
+
+
+ The evaluator shall examine the functional specification
+ to determine that it is a complete instantiation of the
+ SFRs.
+
+ To ensure that all SFRs are covered by the functional
+ specification, as well as the test coverage analysis, the
+ evaluator may build upon the developer's tracing (see a map between the TOE security
+ functional requirements and the TSFI). Note that this map may
+ have to be at a level of detail below the component or even
+ element level of the requirements, because of operations
+ (assignments, refinements, selections) performed on the
+ functional requirement by the ST author.
+
+ For example, the
+ component contains an element with assignments. If the
+ ST contained, for instance, ten rules in the assignment, and these ten
+ rules were covered by three different TSFI, it would be
+ inadequate for the evaluator to map to TSFI A, B, and C and claim they had
+ completed the work unit. Instead, the evaluator would
+ map (rule 1) to TSFI A;
+ (rule 2) to TSFI B;
+ etc. It might also be the case that the interface is a
+ wrapper interface (e.g., IOCTL), in which case the
+ mapping would need to be specific to certain set of
+ parameters for a given interface.
+
+ The evaluator must recognise that for requirements that have
+ little or no manifestation at the TSF boundary (e.g., ) it is not expected that they
+ completely map those requirements to the TSFI. The analysis for
+ those requirements will be performed in the analysis for the TOE
+ design () when included in the
+ ST. It is also important to note that since the parameters
+ associated with TSFIs must be fully specified, the evaluator
+ should be able to determine if all aspects of an SFR appear to
+ be implemented at the interface level.
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that it is an accurate instantiation of the
+ SFRs.
+
+ For each functional requirement in the ST that results
+ in effects visible at the TSF boundary, the information
+ in the associated TSFI for that requirement specifies
+ the required functionality described by the
+ requirement. For example, if the ST contains a
+ requirement for access control lists, and the only TSFI
+ that map to that requirement specify functionality for
+ Unix-style protection bits, then the functional
+ specification is not accurate with respect to the
+ requirements.
+
+ The evaluator must recognise that for requirements that
+ have little or no manifestation at the TSF boundary
+ (e.g., ) it is not
+ expected that the evaluator completely map those
+ requirements to the TSFI. The analysis for those
+ requirements will be performed in the analysis for the
+ TOE design () when
+ included in the ST.
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer has provided a description of the TSFIs in
+ terms of their purpose, method of use, and parameters. In
+ addition, the SFR-enforcing actions, results and error
+ messages of each TSFI that is SFR-enforcing are also
+ described.
+
+
+
+ The evaluation evidence for this sub-activity that is
+ required by the work-units is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the TOE design.
+
+
+
+ The evaluation evidence for this sub-activity that is used
+ if included in the ST for the TOE is:
+
+
+ the security architecture description;
+
+
+ the operational user guidance;
+
+
+
+
+ The developer shall provide a functional specification.
+
+
+ The developer shall provide a tracing from the functional
+ specification to the SFRs.
+
+
+ The functional specification shall completely represent the
+ TSF.
+
+
+ The functional specification shall describe the purpose and
+ method of use for all TSFI.
+
+
+ The functional specification shall identify and describe all
+ parameters associated with each TSFI.
+
+
+ For each SFR-enforcing TSFI, the functional specification shall
+ describe the SFR-enforcing actions associated with the TSFI.
+
+
+ For each SFR-enforcing TSFI, the functional specification shall
+ describe direct error messages resulting from processing
+ associated with the SFR-enforcing actions.
+
+
+ The tracing shall demonstrate that the SFRs trace to TSFIs
+ in the functional specification.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that the TSF is fully represented.
+
+ The identification of the TSFI is a necessary
+ prerequisite to all other activities in this
+ sub-activity. The TSF must be identified (done as part
+ of the work units) in
+ order to identify the TSFI. This activity can be done at
+ a high level to ensure that no large groups of
+ interfaces have been missed (network protocols, hardware
+ interfaces, configuration files), or at a low level as
+ the evaluation of the functional specification
+ proceeds.
+
+ In making an assessment for this work unit, the
+ evaluator determines that all portions of the TSF are
+ addressed in terms of the interfaces listed in the
+ functional specification. All portions of the TSF should
+ have a corresponding interface description, or if there
+ are no corresponding interfaces for a portion of the
+ TSF, the evaluator determines that that is
+ acceptable.
+
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that it states the purpose of each
+ TSFI.
+
+ The purpose of a TSFI is a general statement summarising
+ the functionality provided by the interface. It is not
+ intended to be a complete statement of the actions and
+ results related to the interface, but rather a statement
+ to help the reader understand in general what the
+ interface is intended to be used for. The evaluator
+ should not only determine that the purpose exists, but
+ also that it accurately reflects the TSFI by taking into
+ account other information about the interface, such as
+ the description of actions and error messages.
+
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that the method of use for each TSFI is
+ given.
+
+ The method of use for a TSFI summarises how the
+ interface is manipulated in order to invoke the actions
+ and obtain the results associated with the TSFI. The
+ evaluator should be able to determine, from reading this
+ material in the functional specification, how to use
+ each interface. This does not necessarily mean that
+ there needs to be a separate method of use for each
+ TSFI, as it may be possible to describe in general how
+ kernel calls are invoked, for instance, and then
+ identify each interface using that general
+ style. Different types of interfaces will require
+ different method of use specifications. APIs, network
+ protocol interfaces, system configuration parameters,
+ and hardware bus interfaces all have very different
+ methods of use, and this should be taken into account by
+ the developer when developing the functional
+ specification, as well as by the evaluator evaluating
+ the functional specification.
+
+ For administrative interfaces whose functionality is documented
+ as being inaccessible to untrusted users, the evaluator ensures
+ that the method of making the functions inaccessible is
+ described in the functional specification. It should be noted
+ that this inaccessibility needs to be tested by the developer in
+ their test suite.
+
+ The evaluator should not only determine that the set of
+ method of use descriptions exist, but also that they
+ accurately cover each TSFI.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely identifies all
+ parameters associated with every TSFI.
+
+ The evaluator examines the functional specification to
+ ensure that all of the parameters are described for each
+ TSFI. Parameters are explicit inputs or outputs to an
+ interface that control the behaviour of that
+ interface. For examples, parameters are the arguments
+ supplied to an API; the various fields in packet for a
+ given network protocol; the individual key values in the
+ Windows Registry; the signals across a set of pins on a
+ chip; etc.
+
+ In order to determine that all of the parameters are
+ present in the TSFI, the evaluator should examine the
+ rest of the interface description (actions, error
+ messages, etc.) to determine if the effects of the
+ parameter are accounted for in the description. The
+ evaluator should also check other evidence provided for
+ the evaluation (e.g., TOE design, security architecture
+ description, operational user guidance, implementation
+ representation) to see if behaviour or additional
+ parameters are described there but not in the functional
+ specification.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely and accurately describes
+ all parameters associated with every TSFI.
+
+ Once all of the parameters have been identified, the
+ evaluator needs to ensure that they are accurately
+ described, and that the description of the parameters is
+ complete. A parameter description tells what the
+ parameter is in some meaningful way. For instance, the
+ interface foo(i) could be described as
+ having ``parameter i which is an integer"; this is not
+ an acceptable parameter description. A description such
+ as ``parameter i is an integer that indicates the number
+ of users currently logged in to the system'' is much
+ more acceptable.
+
+ In order to determine that the description of the
+ parameters is complete, the evaluator should examine the
+ rest of the interface description (purpose, method of
+ use, actions, error messages, etc.) to determine if the
+ descriptions of the parameter(s) are accounted for in
+ the description. The evaluator should also check other
+ evidence provided (e.g., TOE design, architectural
+ design, operational user guidance, implementation
+ representation) to see if behaviour or additional
+ parameters are described there but not in the functional
+ specification.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely and accurately describes
+ the SFR-enforcing actions associated with the
+ SFR-enforcing TSFIs.
+
+ If an action available through an interface can be
+ traced to one of the SFRs levied on the TSF, then that
+ interface is SFR-enforcing. Such
+ policies are not limited to the access control policies,
+ but also refer to any functionality specified by one of
+ the SFRs contained in the ST. Note that it is possible
+ that an interface may have various actions and results,
+ some of which may be SFR-enforcing and some of which may not.
+
+ The developer is not required to ``label'' interfaces as
+ SFR-enforcing, and likewise is not required to identify
+ actions available through an interface as SFR-enforcing.
+ It is the evaluator's responsibility to examine the
+ evidence provided by the developer and determine that
+ the required information is present. In the case where
+ the developer has identified the SFR-enforcing TSFI and
+ SFR-enforcing actions available through those TSFI, the
+ evaluator must judge completeness and accuracy based on
+ other information supplied for the evaluation (e.g., TOE
+ design, security architecture description, operational
+ user guidance), and on the other information presented
+ for the interfaces (parameters and parameter
+ descriptions, error messages, etc.).
+
+ In this case (where the developer has provided only the
+ SFR-enforcing information for SFR-enforcing TSFI) the
+ evaluator also ensures that no interfaces have been
+ mis-categorised. This is done by examining other
+ information supplied for the evaluation (e.g., TOE
+ design, security architecture description, operational
+ user guidance), and the other information presented for
+ the interfaces (parameters and parameter descriptions,
+ for example) not labelled as SFR-enforcing.
+
+ In the case where the developer has provided the same
+ level of information on all interfaces, the evaluator
+ performs the same type of analysis mentioned in the
+ previous paragraphs. The evaluator should determine
+ which interfaces are SFR-enforcing and which are not,
+ and subsequently ensure that the SFR-enforcing aspects
+ of the SFR-enforcing actions are appropriately
+ described.
+ The SFR-enforcing actions are those that are
+ visible at any external interface and that provide for
+ the enforcement of the SFRs being claimed. For example,
+ if audit requirements are included in the ST, then
+ audit-related actions would be SFR-enforcing and
+ therefore must be described, even if the result of that
+ action is generally not visible through the invoked
+ interface (as is often the case with audit, where a user
+ action at one interface would produce an audit record
+ visible at another interface).
+
+ The level of description that is required is that
+ sufficient for the reader to understand what role the
+ TSFI actions play with respect to the SFR. The
+ evaluator should keep in mind that the description
+ should be detailed enough to support the generation (and
+ assessment) of test cases against that interface. If
+ the description is unclear or lacking detail such that
+ meaningful testing cannot be conducted against the TSFI,
+ it is likely that the description is inadequate.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely and accurately describes
+ error messages that may result from SFR-enforcing
+ actions associated with each SFR-enforcing TSFI.
+
+ This work unit should be performed in conjunction with,
+ or after, work unit
+ in order to ensure the set of SFR-enforcing TSFI and
+ SFR-enforcing actions is correctly identified. The
+ developer may provide more information than is required
+ (for example, all error messages associated with each
+ interface), in which the case the evaluator should
+ restrict their assessment of completeness and accuracy
+ to only those that they determine to be associated with
+ SFR-enforcing actions of SFR-enforcing TSFI.
+
+ Errors can take many forms, depending on the interface
+ being described. For an API, the interface itself may
+ return an error code, set a global error condition, or
+ set a certain parameter with an error code. For a
+ configuration file, an incorrectly configured parameter
+ may cause an error message to be written to a log
+ file. For a hardware PCI card, an error condition may
+ raise a signal on the bus, or trigger an exception
+ condition to the CPU.
+
+ Errors (and the associated error messages) come about
+ through the invocation of an interface. The processing
+ that occurs in response to the interface invocation may
+ encounter error conditions, which trigger (through an
+ implementation-specific mechanism) an error message to
+ be generated. In some instances this may be a return
+ value from the interface itself; in other instances a
+ global value may be set and checked after the invocation
+ of an interface. It is likely that a TOE will have a
+ number of low-level error messages that may result from
+ fundamental resource conditions, such as ``disk full''
+ or ``resource locked''. While these error messages may
+ map to a large number of TSFI, they could be used to
+ detect instances where detail from an interface
+ description has been omitted. For instance, a TSFI that
+ produces a ``disk full'' message, but has no obvious
+ description of why that TSFI should cause an access to
+ the disk in its description of actions, might cause the
+ evaluator to examine other evidence (, ) related
+ that TSFI to determine if the description is
+ accurate.
+ In order to determine that the description of the
+ error messages of a TSFI is accurate and complete, the
+ evaluator measures the interface description against the
+ other evidence provided for the evaluation (e.g., TOE
+ design, security architecture description, operational
+ user guidance), as well as other evidence available for
+ that TSFI (parameters, analysis from work unit ).
+
+
+
+ The evaluator shall check that the tracing links the
+ SFRs to the corresponding TSFIs.
+
+ The tracing is provided by the developer to serve as a
+ guide to which SFRs are related to which TSFIs. This
+ tracing can be as simple as a table; it is used as input
+ to the evaluator for use in the following work units, in
+ which the evaluator verifies its completeness and
+ accuracy.
+
+
+
+ The evaluator shall determine that the functional
+ specification is an accurate and complete instantiation of
+ the SFRs.
+
+
+ The evaluator shall examine the functional specification
+ to determine that it is a complete instantiation of the
+ SFRs.
+
+ To ensure that all SFRs are covered by the functional
+ specification, as well as the test coverage analysis,
+ the evaluator may build upon the developer's tracing
+ (see a map between
+ the TOE security functional requirements and the TSFI.
+ Note that this map may have to be at a level of detail
+ below the component or even element level of the
+ requirements, because of operations (assignments,
+ refinements, selections) performed on the functional
+ requirement by the ST author.
+
+ For example, the
+ component contains an element with assignments. If the
+ ST contained, for instance, ten rules in the assignment, and these ten
+ rules were covered by three different TSFI, it would be
+ inadequate for the evaluator to map to TSFI A, B, and C and claim they had
+ completed the work unit. Instead, the evaluator would
+ map (rule 1) to TSFI A;
+ (rule 2) to TSFI B;
+ etc. It might also be the case that the interface is a
+ wrapper interface (e.g., IOCTL), in which case the
+ mapping would need to be specific to certain set of
+ parameters for a given interface.
+
+ The evaluator must recognise that for requirements that
+ have little or no manifestation at the TSF boundary
+ (e.g., ) it is not
+ expected that they completely map those requirements to
+ the TSFI. The analysis for those requirements will be
+ performed in the analysis for the TOE design () when included in the ST. It is
+ also important to note that since the parameters,
+ actions, and error messages associated with TSFIs must
+ be fully specified, the evaluator should be able to
+ determine if all aspects of an SFR appear to be
+ implemented at the interface level.
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that it is an accurate instantiation of the
+ SFRs.
+
+ For each functional requirement in the ST that results
+ in effects visible at the TSF boundary, the information
+ in the associated TSFI for that requirement specifies
+ the required functionality described by the
+ requirement. For example, if the ST contains a
+ requirement for access control lists, and the only TSFI
+ that map to that requirement specify functionality for
+ Unix-style protection bits, then the functional
+ specification is not accurate with respect to the
+ requirements.
+
+ The evaluator must recognise that for requirements that
+ have little or no manifestation at the TSF boundary
+ (e.g., ) it is not
+ expected that the evaluator completely map those
+ requirements to the TSFI. The analysis for those
+ requirements will be performed in the analysis for the
+ TOE design () when
+ included in the ST.
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer has provided a description of the TSFIs in
+ terms of their purpose, method of use, and parameters. In
+ addition, the actions, results and error messages of each
+ TSFI are also described sufficiently that it can be
+ determined whether they are SFR-enforcing, with the
+ SFR-enforcing TSFI being described in more detail than
+ other TSFIs.
+
+
+
+ The evaluation evidence for this sub-activity that is
+ required by the work-units is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the TOE design.
+
+
+
+ The evaluation evidence for this sub-activity that is used
+ if included in the ST for the TOE is:
+
+
+ the security architecture description;
+
+
+ the implementation representation;
+
+
+ the TSF internals description;
+
+
+ the operational user guidance;
+
+
+
+
+ The developer shall provide a functional specification.
+
+
+ The developer shall provide a tracing from the functional
+ specification to the SFRs.
+
+
+ The functional specification shall completely represent the
+ TSF.
+
+
+ The functional specification shall describe the purpose and
+ method of use for all TSFI.
+
+
+ The functional specification shall identify and describe all
+ parameters associated with each TSFI.
+
+
+ For each SFR-enforcing TSFI, the functional specification shall
+ describe the SFR-enforcing actions associated with the TSFI.
+
+
+ For each SFR-enforcing TSFI, the functional specification shall
+ describe direct error messages resulting from SFR-enforcing
+ actions and exceptions associated with invocation of the TSFI.
+
+
+ The functional specification shall summarise the SFR-supporting
+ and SFR-non-interfering actions associated with each TSFI.
+
+
+ The tracing shall demonstrate that the SFRs trace to TSFIs
+ in the functional specification.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that the TSF is fully represented.
+
+ The identification of the TSFI is a necessary
+ prerequisite to all other activities in this
+ sub-activity. The TSF must be identified (done as part
+ of the work units) in
+ order to identify the TSFI. This activity can be done at
+ a high level to ensure that no large groups of
+ interfaces have been missed (network protocols, hardware
+ interfaces, configuration files), or at a low level as
+ the evaluation of the functional specification
+ proceeds.
+
+ In making an assessment for this work unit, the
+ evaluator determines that all portions of the TSF are
+ addressed in terms of the interfaces listed in the
+ functional specification. All portions of the TSF should
+ have a corresponding interface description, or if there
+ are no corresponding interfaces for a portion of the
+ TSF, the evaluator determines that that is
+ acceptable.
+
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that it states the purpose of each
+ TSFI.
+
+ The purpose of a TSFI is a general statement summarising
+ the functionality provided by the interface. It is not
+ intended to be a complete statement of the actions and
+ results related to the interface, but rather a statement
+ to help the reader understand in general what the
+ interface is intended to be used for. The evaluator
+ should not only determine that the purpose exists, but
+ also that it accurately reflects the TSFI by taking into
+ account other information about the interface, such as
+ the description of actions and error messages.
+
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that the method of use for each TSFI is
+ given.
+
+ The method of use for a TSFI summarises how the
+ interface is manipulated in order to invoke the actions
+ and obtain the results associated with the TSFI. The
+ evaluator should be able to determine, from reading this
+ material in the functional specification, how to use
+ each interface. This does not necessarily mean that
+ there needs to be a separate method of use for each
+ TSFI, as it may be possible to describe in general how
+ kernel calls are invoked, for instance, and then
+ identify each interface using that general
+ style. Different types of interfaces will require
+ different method of use specifications. APIs, network
+ protocol interfaces, system configuration parameters,
+ and hardware bus interfaces all have very different
+ methods of use, and this should be taken into account by
+ the developer when developing the functional
+ specification, as well as by the evaluator evaluating
+ the functional specification.
+
+ For administrative interfaces whose functionality is documented
+ as being inaccessible to untrusted users, the evaluator ensures
+ that the method of making the functions inaccessible is
+ described in the functional specification. It should be noted
+ that this inaccessibility needs to be tested by the developer in
+ their test suite.
+
+ The evaluator should not only determine that the set of
+ method of use descriptions exist, but also that they
+ accurately cover each TSFI.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely identifies all
+ parameters associated with every TSFI.
+
+ The evaluator examines the functional specification to
+ ensure that all of the parameters are described for each
+ TSFI. Parameters are explicit inputs or outputs to an
+ interface that control the behaviour of that
+ interface. For examples, parameters are the arguments
+ supplied to an API; the various fields in packet for a
+ given network protocol; the individual key values in the
+ Windows Registry; the signals across a set of pins on a
+ chip; etc.
+
+ In order to determine that all of the parameters are
+ present in the TSFI, the evaluator should examine the
+ rest of the interface description (actions, error
+ messages, etc.) to determine if the effects of the
+ parameter are accounted for in the description. The
+ evaluator should also check other evidence provided for
+ the evaluation (e.g., TOE design, security architecture
+ description, operational user guidance, implementation
+ representation) to see if behaviour or additional
+ parameters are described there but not in the functional
+ specification.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely and accurately describes
+ all parameters associated with every TSFI.
+
+ Once all of the parameters have been identified, the
+ evaluator needs to ensure that they are accurately
+ described, and that the description of the parameters is
+ complete. A parameter description tells what the
+ parameter is in some meaningful way. For instance, the
+ interface foo(i) could be described as
+ having ``parameter i which is an integer''; this is not
+ an acceptable parameter description. A description such
+ as ``parameter i is an integer that indicates the number
+ of users currently logged in to the system'' is much
+ more acceptable.
+
+ In order to determine that the description of the
+ parameters is complete, the evaluator should examine the
+ rest of the interface description (purpose, method of
+ use, actions, error messages, etc.) to determine if the
+ descriptions of the parameter(s) are accounted for in
+ the description. The evaluator should also check other
+ evidence provided (e.g., TOE design, architectural
+ design, operational user guidance, implementation
+ representation) to see if behaviour or additional
+ parameters are described there but not in the functional
+ specification.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely and accurately describes
+ the SFR-enforcing actions associated with the
+ SFR-enforcing TSFIs.
+
+ If an action available through an interface plays a role
+ in enforcing any security policy on the TOE (that is, if
+ one of the actions of the interface can be traced to one
+ of the SFRs levied on the TSF), then that interface is
+ SFR-enforcing. Such policies are not
+ limited to the access control policies, but also refer
+ to any functionality specified by one of the SFRs
+ contained in the ST. Note that it is possible that an
+ interface may have various actions and results, some of
+ which may be SFR-enforcing and some of which may
+ not.
+ The developer is not required to ``label''
+ interfaces as SFR-enforcing, and likewise is not
+ required to identify actions available through an
+ interface as SFR-enforcing. It is the evaluator's
+ responsibility to examine the evidence provided by the
+ developer and determine that the required information is
+ present. In the case where the developer has identified
+ the SFR-enforcing TSFI and SFR-enforcing actions
+ available through those TSFI, the evaluator must judge
+ completeness and accuracy based on other information
+ supplied for the evaluation (e.g., TOE design, security
+ architecture description, operational user guidance),
+ and on the other information presented for the
+ interfaces (parameters and parameter descriptions, error
+ messages, etc.).
+
+ In this case (developer has provided only the
+ SFR-enforcing information for SFR-enforcing TSFI) the
+ evaluator also ensures that no interfaces have been
+ mis-categorised. This is done by examining other
+ information supplied for the evaluation (e.g., TOE
+ design, security architecture description, operational
+ user guidance), and the other information presented for
+ the interfaces (parameters and parameter descriptions,
+ for example) not labelled as SFR-enforcing. The analysis
+ done for work units
+ and are also used in
+ making this determination.
+ In the case where the developer has provided the
+ same level of information on all interfaces, the
+ evaluator performs the same type of analysis mentioned
+ in the previous paragraphs. The evaluator should
+ determine which interfaces are SFR-enforcing and which
+ are not, and subsequently ensure that the SFR-enforcing
+ aspects of the SFR-enforcing actions are appropriately
+ described. Note that in this case, the evaluator should
+ be able to perform the bulk of the work associated with
+ work unit in the
+ course of performing this SFR-enforcing analysis.
+ The SFR-enforcing actions are those that are
+ visible at any external interface and that provide for
+ the enforcement of the SFRs being claimed. For example,
+ if audit requirements are included in the ST, then
+ audit-related actions would be SFR-enforcing and
+ therefore must be described, even if the result of that
+ action is generally not visible through the invoked
+ interface (as is often the case with audit, where a user
+ action at one interface would produce an audit record
+ visible at another interface).
+
+ The level of description that is required is that
+ sufficient for the reader to understand what role the
+ TSFI actions play with respect to the SFR. The
+ evaluator should keep in mind that the description
+ should be detailed enough to support the generation (and
+ assessment) of test cases against that interface. If
+ the description is unclear or lacking detail such that
+ meaningful testing cannot be conducted against the TSFI,
+ it is likely that the description is inadequate.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely and accurately describes
+ error messages that may result from an invocation of
+ each SFR-enforcing TSFI.
+
+ This work unit should be performed in conjunction with, or
+ after, work unit in order
+ to ensure the set of SFR-enforcing TSFI is correctly identified.
+ The evaluator should note that the requirement and associated
+ work unit is that all direct error messages associated with an
+ SFR-enforcing TSFI must be described, that are associated with
+ SFR-enforcing actions. This is because at this level of
+ assurance, the ``extra'' information provided by the error
+ message descriptions should be used in determining whether all
+ of the SFR-enforcing aspects of an interface have been
+ appropriately described. For instance, if an error message
+ associated with a TSFI (e.g., ``access denied'') indicated that
+ an SFR-enforcing decision or action had taken place, but in the
+ description of the SFR-enforcing actions there was no mention of
+ that particular SFR-enforcing mechanism, then the description
+ may not be complete.
+
+ Errors can take many forms, depending on the interface
+ being described. For an API, the interface itself may
+ return an error code, set a global error condition, or
+ set a certain parameter with an error code. For a
+ configuration file, an incorrectly configured parameter
+ may cause an error message to be written to a log
+ file. For a hardware PCI card, an error condition may
+ raise a signal on the bus, or trigger an exception
+ condition to the CPU.
+
+ Errors (and the associated error messages) come about
+ through the invocation of an interface. The processing
+ that occurs in response to the interface invocation may
+ encounter error conditions, which trigger (through an
+ implementation-specific mechanism) an error message to
+ be generated. In some instances this may be a return
+ value from the interface itself; in other instances a
+ global value may be set and checked after the invocation
+ of an interface. It is likely that a TOE will have a
+ number of low-level error messages that may result from
+ fundamental resource conditions, such as ``disk full''
+ or ``resource locked''. While these error messages may
+ map to a large number of TSFI, they could be used to
+ detect instances where detail from an interface
+ description has been omitted. For instance, a TSFI that
+ produces a ``disk full'' message, but has no obvious
+ description of why that TSFI should cause an access to
+ the disk in its description of actions, might cause the
+ evaluator to examine other evidence (, ) related
+ that TSFI to determine if the description is
+ accurate.
+
+ In order to determine that the description of the error messages
+ of a TSFI is accurate and complete, the evaluator measures the
+ interface description against the other evidence provided for
+ the evaluation (e.g., TOE design, security architecture
+ description, operational user guidance), as well as for other
+ evidence supplied for that TSFI (description of SFR-enforcing
+ actions, summary of SFR-supporting and SFR-non-interfering
+ actions and results).
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI to
+ determine that it summarises the SFR-supporting and
+ SFR-non-interfering actions associated with each TSFI.
+
+ The purpose of this work unit is to supplement the details about
+ the SFR-enforcing actions (provided in work unit ) with a summary of the remaining
+ actions (i.e., those that are not SFR-enforcing). This covers
+ all SFR-supporting and SFR-non-interfering
+ actions, whether invokable through SFR-enforcing TSFI or through
+ SFR-supporting or SFR-non-interfering TSFI. Such a summary
+ about all SFR-supporting and SFR-non-interfering actions helps
+ to provide a more complete picture of the functions provided by
+ the TSF, and is to be used by the evaluator in determining
+ whether an action or TSFI may have been mis-categorised.
+
+ The information to be provided is more abstract than that
+ required for SFR-enforcing actions. While it should still be
+ detailed enough so that the reader can understand what the
+ action does, the description does not have to be detailed enough
+ to support writing tests against it, for instance. For the
+ evaluator, the key is that the information must be sufficient to
+ make a positive determination that the action is SFR-supporting
+ or SFR-non-interfering. If that level of information is
+ missing, the summary is insufficient and more information must
+ be obtained.
+
+
+
+ The evaluator shall check that the tracing links the
+ SFRs to the corresponding TSFIs.
+
+ The tracing is provided by the developer to serve as a
+ guide to which SFRs are related to which TSFIs. This
+ tracing can be as simple as a table; it is used as input
+ to the evaluator for use in the following work units, in
+ which the evaluator verifies its completeness and
+ accuracy.
+
+
+
+ The evaluator shall determine that the functional
+ specification is an accurate and complete instantiation of
+ the SFRs.
+
+
+ The evaluator shall examine the functional specification
+ to determine that it is a complete instantiation of the
+ SFRs.
+
+ To ensure that all SFRs are covered by the functional
+ specification, as well as the test coverage analysis,
+ the evaluator may build upon the developer's tracing
+ (see a map between
+ the TOE security functional requirements and the TSFI.
+ Note that this map may have to be at a level of detail
+ below the component or even element level of the
+ requirements, because of operations (assignments,
+ refinements, selections) performed on the functional
+ requirement by the ST author.
+
+ For example, the
+ component contains an element with assignments. If the
+ ST contained, for instance, ten rules in the assignment, and these ten
+ rules were covered by three different TSFI, it would be
+ inadequate for the evaluator to map to TSFI A, B, and C and claim they had
+ completed the work unit. Instead, the evaluator would
+ map (rule 1) to TSFI A;
+ (rule 2) to TSFI B;
+ etc. It might also be the case that the interface is a
+ wrapper interface (e.g., IOCTL), in which case the
+ mapping would need to be specific to certain set of
+ parameters for a given interface.
+
+ The evaluator must recognise that for requirements that
+ have little or no manifestation at the TSF boundary
+ (e.g., ) it is not
+ expected that they completely map those requirements to
+ the TSFI. The analysis for those requirements will be
+ performed in the analysis for the TOE design () when included in the ST. It is
+ also important to note that since the parameters,
+ actions, and error messages associated with TSFIs must
+ be fully specified, the evaluator should be able to
+ determine if all aspects of an SFR appear to be
+ implemented at the interface level.
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that it is an accurate instantiation of the
+ SFRs.
+
+ For each functional requirement in the ST that results
+ in effects visible at the TSF boundary, the information
+ in the associated TSFI for that requirement specifies
+ the required functionality described by the
+ requirement. For example, if the ST contains a
+ requirement for access control lists, and the only TSFI
+ that map to that requirement specify functionality for
+ Unix-style protection bits, then the functional
+ specification is not accurate with respect to the
+ requirements.
+
+ The evaluator must recognise that for requirements that
+ have little or no manifestation at the TSF boundary
+ (e.g., ) it is not
+ expected that the evaluator completely map those
+ requirements to the TSFI. The analysis for those
+ requirements will be performed in the analysis for the
+ TOE design () when
+ included in the ST.
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer has completely described all of the TSFI in
+ a manner such that the evaluator is able to determine
+ whether the TSFI are completely and accurately described,
+ and appears to implement the security functional
+ requirements of the ST.
+
+
+
+ The functional specification describes the interfaces to
+ the TSF (the TSFI) in a structured manner. Because of the
+ dependency on , the
+ evaluator is expected to have identified the TSF prior to
+ beginning work on this sub-activity. Without firm
+ knowledge of what comprises the TSF, it is not possible to
+ assess the completeness of the TSFI.
+
+ In performing the various work units included in this family,
+ the evaluator is asked to make assessments of accuracy and
+ completeness of several factors (the TSFI itself, as well as the
+ individual components (parameters, actions, error messages,
+ etc.) of the TSFI). In doing this analysis, the evaluator is
+ expected to use the documentation provided for the
+ evaluation. This includes the ST, the TOE design, and may
+ include other documentation such as the operational user
+ guidance, security architecture description, and implementation
+ representation. The documentation should be examined in an
+ iterative fashion. The evaluator may read, for example, in the
+ TOE design how a certain function is implemented, but see no way
+ to invoke that function from the interface. This might cause the
+ evaluator to question the completeness of a particular TSFI
+ description, or whether an interface has been left out of the
+ functional specification altogether. Describing analysis
+ activities of this sort in the ETR is a key method in providing
+ rationale that the work units have been performed
+ appropriately.
+
+ It should be recognised that there exist functional
+ requirements whose functionality is manifested wholly or
+ in part architecturally, rather than through a specific
+ mechanism. An example of this is the implementation of
+ mechanisms implementing the requirements. Such mechanisms typically are
+ implemented to ensure a behaviour isn't present, which is
+ difficult to test and typically is verified through
+ analysis. In the cases where such functional requirements
+ are included in the ST, it is expected that the evaluator
+ recognise that there may be SFRs of this type that have no
+ interfaces, and that this should not be considered a
+ deficiency in the functional specification.
+
+
+
+ The evaluation evidence for this sub-activity that is
+ required by the work-units is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the TOE design.
+
+
+
+ The evaluation evidence for this sub-activity that is used
+ if included in the ST for the TOE is:
+
+
+ the security architecture description;
+
+
+ the implementation representation;
+
+
+ the TSF internals description;
+
+
+ the operational user guidance;
+
+
+
+
+ The developer shall provide a functional specification.
+
+
+ The developer shall provide a tracing from the functional
+ specification to the SFRs.
+
+
+ The functional specification shall completely represent the
+ TSF.
+
+
+ The functional specification shall describe the purpose and
+ method of use for all TSFI.
+
+
+ The functional specification shall identify and describe all
+ parameters associated with each TSFI.
+
+
+ The functional specification shall describe all actions
+ associated with each TSFI.
+
+
+ The functional specification shall describe all direct error
+ messages that may result from an invocation of each TSFI.
+
+
+ The tracing shall demonstrate that the SFRs trace to TSFIs
+ in the functional specification.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that the TSF is fully represented.
+
+ The identification of the TSFI is a necessary
+ prerequisite to all other activities in this
+ sub-activity. The TSF must be identified (done as part
+ of the work units) in
+ order to identify the TSFI. This activity can be done at
+ a high level to ensure that no large groups of
+ interfaces have been missed (network protocols, hardware
+ interfaces, configuration files), or at a low level as
+ the evaluation of the functional specification
+ proceeds.
+
+ In making an assessment for this work unit, the
+ evaluator determines that all portions of the TSF are
+ addressed in terms of the interfaces listed in the
+ functional specification. All portions of the TSF should
+ have a corresponding interface description, or if there
+ are no corresponding interfaces for a portion of the
+ TSF, the evaluator determines that that is
+ acceptable.
+
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that it states the purpose of each
+ TSFI.
+
+ The purpose of a TSFI is a general statement summarising
+ the functionality provided by the interface. It is not
+ intended to be a complete statement of the actions and
+ results related to the interface, but rather a statement
+ to help the reader understand in general what the
+ interface is intended to be used for. The evaluator
+ should not only determine that the purpose exists, but
+ also that it accurately reflects the TSFI by taking into
+ account other information about the interface, such as
+ the description of actions and error messages.
+
+
+
+
+ The evaluator shall examine the functional specification
+ to determine that the method of use for each TSFI is
+ given.
+
+ The method of use for a TSFI summarises how the
+ interface is manipulated in order to invoke the actions
+ and obtain the results associated with the TSFI. The
+ evaluator should be able to determine, from reading this
+ material in the functional specification, how to use
+ each interface. This does not necessarily mean that
+ there needs to be a separate method of use for each
+ TSFI, as it may be possible to describe in general how
+ kernel calls are invoked, for instance, and then
+ identify each interface using that general
+ style. Different types of interfaces will require
+ different method of use specifications. APIs, network
+ protocol interfaces, system configuration parameters,
+ and hardware bus interfaces all have very different
+ methods of use, and this should be taken into account by
+ the developer when developing the functional
+ specification, as well as by the evaluator evaluating
+ the functional specification.
+
+ For administrative interfaces whose functionality is documented
+ as being inaccessible to untrusted users, the evaluator ensures
+ that the method of making the functions inaccessible is
+ described in the functional specification. It should be noted
+ that this inaccessibility needs to be tested by the developer in
+ their test suite.
+
+ The evaluator should not only determine that the set of
+ method of use descriptions exist, but also that they
+ accurately cover each TSFI.
+
+ The evaluator shall examine the functional specification to
+ determine the completeness of the TSFI
+ The evaluator shall use the design documentation to identify the possible types of
+ interfaces. The evaluator shall search the design documentation and the guidance
+ documentation for potential TSFI not contained in the developer's documentation,
+ thus indicating that the set of TSFI defined by the developer is incomplete. The
+ evaluator shall examine the arguments presented by the developer that the TSFI is
+ complete and check down to the lowest level of design or with the
+ implementation representation that no additional TSFI exist.
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely identifies all
+ parameters associated with every TSFI.
+
+ The evaluator examines the functional specification to
+ ensure that all of the parameters are described for each
+ TSFI. Parameters are explicit inputs or outputs to an
+ interface that control the behaviour of that
+ interface. For examples, parameters are the arguments
+ supplied to an API; the various fields in packet for a
+ given network protocol; the individual key values in the
+ Windows Registry; the signals across a set of pins on a
+ chip; etc.
+
+ In order to determine that all of the parameters are
+ present in the TSFI, the evaluator should examine the
+ rest of the interface description (actions, error
+ messages, etc.) to determine if the effects of the
+ parameter are accounted for in the description. The
+ evaluator should also check other evidence provided for
+ the evaluation (e.g., TOE design, security architecture
+ description, operational user guidance, implementation
+ representation) to see if behaviour or additional
+ parameters are described there but not in the functional
+ specification.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely and accurately describes
+ all parameters associated with every TSFI.
+
+ Once all of the parameters have been identified, the
+ evaluator needs to ensure that they are accurately
+ described, and that the description of the parameters is
+ complete. A parameter description tells what the
+ parameter is in some meaningful way. For instance, the
+ interface foo(i) could be described as
+ having ``parameter i which is an integer''; this is not
+ an acceptable parameter description. A description such
+ as ``parameter i is an integer that indicates the number
+ of users currently logged in to the system'' is much
+ more acceptable.
+
+ In order to determine that the description of the
+ parameters is complete, the evaluator should examine the
+ rest of the interface description (purpose, method of
+ use, actions, error messages, etc.) to determine if the
+ descriptions of the parameter(s) are accounted for in
+ the description. The evaluator should also check other
+ evidence provided (e.g., TOE design, architectural
+ design, operational user guidance, implementation
+ representation) to see if behaviour or additional
+ parameters are described there but not in the functional
+ specification.
+
+
+
+
+ The evaluator shall examine the presentation of the TSFI
+ to determine that it completely and accurately describes
+ all actions associated with every TSFI.
+
+ The evaluator checks to ensure that all of the actions
+ are described. actions available through an interface
+ describe what the interface does (as opposed to the TOE
+ design, which describes how the actions are provided by
+ the TSF).
+
+ Actions of an interface describe functionality that can
+ be invoked through the interface, and can be categorised
+ as regular actions, and
+ SFR-related actions. Regular actions
+ are descriptions of what the interface does. The amount
+ of information provided for this description is
+ dependant on the complexity of the interface. The
+ SFR-related actions are those that are visible at any
+ external interface (for instance, audit activity caused
+ by the invocation of an interface (assuming audit
+ requirements are included in the ST) should be
+ described, even though the result of that action is
+ generally not visible through the invoked
+ interface).
Depending on the parameters of an interface, + there may be many different actions able to be invoked + through the interface (for instance, an API might have + the first parameter be a ``subcommand'', and the + following parameters be specific to that subcommand. The + IOCTL API in some Unix systems is an example of such an + interface). + + In order to determine that the description of the + actions of a TSFI is complete, the evaluator should + review the rest of the interface description (parameter + descriptions, error messages, etc.) to determine if the + actions described are accounted for. The evaluator + should also analyse other evidence provided for the + evaluation (e.g., TOE design, security architecture + description, operational user guidance, implementation + representation) to see if there is evidence of actions + that are described there but not in the functional + specification. + + + + + The evaluator shall examine the presentation of the TSFI + to determine that it completely and accurately describes + all errors messages resulting from an invocation of each + TSFI. + + Errors can take many forms, depending on the interface + being described. For an API, the interface itself may + return an error code; set a global error condition, or + set a certain parameter with an error code. For a + configuration file, an incorrectly configured parameter + may cause an error message to be written to a log + file. For a hardware PCI card, an error condition may + raise a signal on the bus, or trigger an exception + condition to the CPU. + + Errors (and the associated error messages) come about + through the invocation of an interface. The processing + that occurs in response to the interface invocation may + encounter error conditions, which trigger (through an + implementation-specific mechanism) an error message to + be generated. 
In some instances this may be a return + value from the interface itself; in other instances a + global value may be set and checked after the invocation + of an interface. It is likely that a TOE will have a + number of low-level error messages that may result from + fundamental resource conditions, such as ``disk full'' + or ``resource locked''. While these error messages may + map to a large number of TSFI, they could be used to + detect instances where detail from an interface + description has been omitted. For instance, a TSFI that + produces a ``disk full'' message, but has no obvious + description of why that TSFI should cause an access to + the disk in its description of actions, might cause the + evaluator to examine other evidence (, ) related + that TSFI to determine if the description is complete + and accurate. + + The evaluator determines that, for each TSFI, the exact + set of error messages that can be returned on invoking + that interface can be determined. The evaluator reviews + the evidence provided for the interface to determine if + the set of errors seems complete. They cross-check this + information with other evidence provided for the + evaluation (e.g., TOE design, security architecture + description, operational user guidance, implementation + representation) to ensure that there are no errors + steaming from processing mentioned that are not included + in the functional specification. + + + + + The evaluator shall examine the presentation of the TSFI to determine + that it completely and accurately describes the meaning of all + error messages resulting from an invocation of each TSFI. + + In order to determine accuracy, the evaluator must be + able to understand meaning of the error. 
For example, if + an interface returns a numeric code of 0, 1, or 2, the + evaluator would not be able to understand the error if + the functional specification only listed: ``possible + errors resulting from invocation of the + foo() interface are 0, 1, or + 2''. Instead the evaluator checks to ensure that the + errors are described such as: ``possible errors + resulting from invocation of the foo() + interface are 0 (processing successful), 1 (file not + found), or 2 (incorrect filename + specification)''. + + In order to determine that the description of the errors + due to invoking a TSFI is complete, the evaluator + examines the rest of the interface description + (parameter descriptions, actions, etc.) to determine if + potential error conditions that might be caused by using + such an interface are accounted for. The evaluator also + checks other evidence provided for the evaluation + (e.g. TOE design, security architecture description, + operational user guidance, implementation + representation) to see if error processing related to + the TSFI is described there but is not described in the + functional specification. + + + + The evaluator shall check that the tracing links the + SFRs to the corresponding TSFIs. + + The tracing is provided by the developer to serve as a + guide to which SFRs are related to which TSFIs. This + tracing can be as simple as a table; it is used as input + to the evaluator for use in the following work units, in + which the evaluator verifies its completeness and + accuracy. + + + + The evaluator shall determine that the functional + specification is an accurate and complete instantiation of + the SFRs. + + + The evaluator shall examine the functional specification + to determine that it is a complete instantiation of the + SFRs. 
+ + To ensure that all SFRs are covered by the functional + specification, as well as the test coverage analysis, + the evaluator may build upon the developer's tracing + (see a map between + the TOE security functional requirements and the TSFI. + Note that this map may have to be at a level of detail + below the component or even element level of the + requirements, because of operations (assignments, + refinements, selections) performed on the functional + requirement by the ST author. + + For example, the + component contains an element with assignments. If the + ST contained, for instance, ten rules in the assignment, and these ten + rules were covered by three different TSFI, it would be + inadequate for the evaluator to map to TSFI A, B, and C and claim they had + completed the work unit. Instead, the evaluator would + map (rule 1) to TSFI A; + (rule 2) to TSFI B; + etc. It might also be the case that the interface is a + wrapper interface (e.g., IOCTL), in which case the + mapping would need to be specific to certain set of + parameters for a given interface. + + The evaluator must recognise that for requirements that + have little or no manifestation at the TSF boundary + (e.g., ) it is not + expected that they completely map those requirements to + the TSFI. The analysis for those requirements will be + performed in the analysis for the TOE design () when included in the ST. It is + also important to note that since the parameters, + actions, and error messages associated with TSFIs must + be fully specified, the evaluator should be able to + determine if all aspects of an SFR appear to be + implemented at the interface level. + + + + The evaluator shall examine the functional specification + to determine that it is an accurate instantiation of the + SFRs. 
+ + For each functional requirement in the ST that results + in effects visible at the TSF boundary, the information + in the associated TSFI for that requirement specifies + the required functionality described by the + requirement. For example, if the ST contains a + requirement for access control lists, and the only TSFI + that map to that requirement specify functionality for + Unix-style protection bits, then the functional + specification is not accurate with respect to the + requirements. + + The evaluator must recognise that for requirements that + have little or no manifestation at the TSF boundary + (e.g., ) it is not + expected that the evaluator completely map those + requirements to the TSFI. The analysis for those + requirements will be performed in the analysis for the + TOE design () when + included in the ST. + + + + + + + + + + The objective of this sub-activity is to determine whether + the developer has completely described all of the TSFI in + a manner such that the evaluator is able to determine + whether the TSFI are completely and accurately described, + and appears to implement the security functional + requirements of the ST. The completeness of the interfaces + is judged based upon the implementation + representation. + + + + The evaluation evidence for this sub-activity that is + required by the work-units is: + + + the ST; + + + the functional specification; + + + the TOE design; + + + the implementation representation. + + + + The evaluation evidence for this sub-activity that is used + if included in the ST for the TOE is: + + + the security architecture description; + + + the TSF internals description; + + + the formal security policy model; + + + the operational user guidance; + + + + + The developer shall provide a functional specification. + + + The developer shall provide a tracing from the functional + specification to the SFRs. + + + The functional specification shall completely represent the + TSF. 
+ + + The functional specification shall describe the TSFI using a + semi-formal style. + + + The functional specification shall describe the purpose and + method of use for all TSFI. + + + The functional specification shall identify and describe all + parameters associated with each TSFI. + + + The functional specification shall describe all actions + associated with each TSFI. + + + The functional specification shall describe all direct error + messages that may result from an invocation of each TSFI. + + The functional specification + shall describe all error messages that do not result from an + invocation of a TSFI. + + + The functional specification shall provide a rationale for + each error message contained in the TSF implementation yet + does not result from an invocation of a TSFI. + + + The tracing shall demonstrate that the SFRs trace to TSFIs + in the functional specification. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + The evaluator shall examine the functional specification + to determine that the TSF is fully represented. + + The identification of the TSFI is a necessary + prerequisite to all other activities in this + sub-activity. The TSF must be identified (done as part + of the work units) in + order to identify the TSFI. This activity can be done at + a high level to ensure that no large groups of + interfaces have been missed (network protocols, hardware + interfaces, configuration files), or at a low level as + the evaluation of the functional specification + proceeds. + + In making an assessment for this work unit, the + evaluator determines that all portions of the TSF are + addressed in terms of the interfaces listed in the + functional specification. 
All portions of the TSF should + have a corresponding interface description, or if there + are no corresponding interfaces for a portion of the + TSF, the evaluator determines that that is + acceptable. + + + + + The evaluator shall examine the functional specification + to determine that it is presented using a semiformal + style. + + A semi-formal presentation is characterised by a + standardised format with a well-defined syntax that + reduces ambiguity that may occur in informal + presentations. Since the intent of the semi-formal + format is to enhance the reader's ability to understand + the presentation, use of certain structured presentation + methods (pseudo-code, flow charts, block diagrams) are + appropriate, though not required. + + For the purposes of this activity, the evaluator should + ensure that the interface descriptions are formatted in + a structured, consistent manner and use common + terminology. A semiformal presentation of the interfaces + also implies that the level of detail of the + presentation for the interfaces is largely consistent + across all TSFI. For the functional specification, it is + acceptable to refer to external specifications for + portions of the interface as long as those external + specifications are themselves semiformal. + + + + + The evaluator shall examine the functional specification + to determine that it states the purpose of each + TSFI. + + The purpose of a TSFI is a general statement summarising + the functionality provided by the interface. It is not + intended to be a complete statement of the actions and + results related to the interface, but rather a statement + to help the reader understand in general what the + interface is intended to be used for. The evaluator + should not only determine that the purpose exists, but + also that it accurately reflects the TSFI by taking into + account other information about the interface, such as + the description of actions and error messages. 
+ + + + + The evaluator shall examine the functional specification + to determine that the method of use for each TSFI is + given. + + The method of use for a TSFI summarises how the + interface is manipulated in order to invoke the actions + and obtain the results associated with the TSFI. The + evaluator should be able to determine, from reading this + material in the functional specification, how to use + each interface. This does not necessarily mean that + there needs to be a separate method of use for each + TSFI, as it may be possible to describe in general how + kernel calls are invoked, for instance, and then + identify each interface using that general + style. Different types of interfaces will require + different method of use specifications. APIs, network + protocol interfaces, system configuration parameters, + and hardware bus interfaces all have very different + methods of use, and this should be taken into account by + the developer when developing the functional + specification, as well as by the evaluator evaluating + the functional specification. + + For administrative interfaces whose functionality is documented + as being inaccessible to untrusted users, the evaluator ensures + that the method of making the functions inaccessible is + described in the functional specification. It should be noted + that this inaccessibility needs to be tested by the developer in + their test suite. + + The evaluator should not only determine that the set of + method of use descriptions exist, but also that they + accurately cover each TSFI. + + The evaluator shall examine the functional specification to + determine the completeness of the TSFI + The evaluator shall use the design documentation to identify the possible types of + interfaces. 
The evaluator shall search the design documentation and the guidance + documentation for potential TSFI not contained in the developer's documentation, + thus indicating that the set of TSFI defined by the developer is incomplete. The + evaluator shall examine the arguments presented by the developer that the TSFI is + complete and check down to the lowest level of design or with the + implementation representation that no additional TSFI exist. + + + + The evaluator shall examine the presentation of the TSFI + to determine that it completely identifies all + parameters associated with every TSFI. + + The evaluator examines the functional specification to + ensure that all of the parameters are described for each + TSFI. Parameters are explicit inputs or outputs to an + interface that control the behaviour of that + interface. For examples, parameters are the arguments + supplied to an API; the various fields in packet for a + given network protocol; the individual key values in the + Windows Registry; the signals across a set of pins on a + chip; etc. + + In order to determine that all of the parameters are + present in the TSFI, the evaluator should examine the + rest of the interface description (actions, error + messages, etc.) to determine if the effects of the + parameter are accounted for in the description. The + evaluator should also check other evidence provided for + the evaluation (e.g., TOE design, security architecture + description, operational user guidance, implementation + representation) to see if behaviour or additional + parameters are described there but not in the functional + specification. + + + + + The evaluator shall examine the presentation of the TSFI + to determine that it completely and accurately describes + all parameters associated with every TSFI. + + Once all of the parameters have been identified, the + evaluator needs to ensure that they are accurately + described, and that the description of the parameters is + complete. 
A parameter description tells what the + parameter is in some meaningful way. For instance, the + interface foo(i) could be described as + having ``parameter i which is an integer''; this is not + an acceptable parameter description. A description such + as ``parameter i is an integer that indicates the number + of users currently logged in to the system''. is much + more acceptable. + + In order to determine that the description of the + parameters is complete, the evaluator should examine the + rest of the interface description (purpose, method of + use, actions, error messages, etc.) to determine if the + descriptions of the parameter(s) are accounted for in + the description. The evaluator should also check other + evidence provided (e.g., TOE design, architectural + design, operational user guidance, implementation + representation) to see if behaviour or additional + parameters are described there but not in the functional + specification. + + + + + The evaluator shall examine the presentation of the TSFI + to determine that it completely and accurately describes + all actions associated with every TSFI. + + The evaluator checks to ensure that all of the actions + are described. actions available through an interface + describe what the interface does (as opposed to the TOE + design, which describes how the actions are provided by + the TSF). + + actions of an interface describe functionality that can + be invoked through the interface, and can be categorised + as regular actions, and + SFR-related actions. Regular actions + are descriptions of what the interface does. The amount + of information provided for this description is + dependant on the complexity of the interface. 
The + SFR-related actions are those that are visible at any + external interface (for instance, audit activity caused + by the invocation of an interface (assuming audit + requirements are included in the ST) should be + described, even though the result of that action is + generally not visible through the invoked + interface). Depending on the parameters of an interface, + there may be many different actions able to be invoked + through the interface (for instance, an API might have + the first parameter be a ``subcommand'', and the + following parameters be specific to that subcommand. The + IOCTL API in some Unix systems is an example of such an + interface). + In order to determine that the description of the + actions of a TSFI is complete, the evaluator should + review the rest of the interface description (parameter + descriptions, error messages, etc.) to determine if the + actions described are accounted for. The evaluator + should also analyse other evidence provided for the + evaluation (e.g., TOE design, security architecture + description, operational user guidance, implementation + representation) to see if there is evidence of actions + that are described there but not in the functional + specification. + + + + + The evaluator shall examine the presentation of the TSFI + to determine that it completely and accurately describes + all errors messages resulting from an invocation of each + TSFI. + + Errors can take many forms, depending on the interface + being described. For an API, the interface itself may + return an error code; set a global error condition, or + set a certain parameter with an error code. For a + configuration file, an incorrectly configured parameter + may cause an error message to be written to a log + file. For a hardware PCI card, an error condition may + raise a signal on the bus, or trigger an exception + condition to the CPU. + + Errors (and the associated error messages) come about + through the invocation of an interface. 
The processing + that occurs in response to the interface invocation may + encounter error conditions, which trigger (through an + implementation-specific mechanism) an error message to + be generated. In some instances this may be a return + value from the interface itself; in other instances a + global value may be set and checked after the invocation + of an interface. It is likely that a TOE will have a + number of low-level error messages that may result from + fundamental resource conditions, such as ``disk full'' + or ``resource locked''. While these error messages may + map to a large number of TSFI, they could be used to + detect instances where detail from an interface + description has been omitted. For instance, a TSFI that + produces a ``disk full'' message, but has no obvious + description of why that TSFI should cause an access to + the disk in its description of actions, might cause the + evaluator to examine other evidence (, ) related + that TSFI to determine if the description is complete + and accurate. + + The evaluator determines that, for each TSFI, the exact + set of error messages that can be returned on invoking + that interface can be determined. The evaluator reviews + the evidence provided for the interface to determine if + the set of errors seems complete. They cross-check this + information with other evidence provided for the + evaluation (e.g., TOE design, security architecture + description, operational user guidance, implementation + representation) to ensure that there are no errors + steaming from processing mentioned that are not included + in the functional specification. + + + + + The evaluator shall examine the presentation of the TSFI to determine + that it completely and accurately describes the meaning of all + error messages resulting from an invocation of each TSFI. + + In order to determine accuracy, the evaluator must be + able to understand meaning of the error. 
For example, if + an interface returns a numeric code of 0, 1, or 2, the + evaluator would not be able to understand the error if + the functional specification only listed: ``possible + errors resulting from invocation of the + foo() interface are 0, 1, or + 2''. Instead the evaluator checks to ensure that the + errors are described such as: ``possible errors + resulting from invocation of the foo() + interface are 0 (processing successful), 1 (file not + found), or 2 (incorrect filename + specification)''. + + In order to determine that the description of the errors + due to invoking a TSFI is complete, the evaluator + examines the rest of the interface description + (parameter descriptions, actions, etc.) to determine if + potential error conditions that might be caused by using + such an interface are accounted for. The evaluator also + checks other evidence provided for the evaluation (e.g., + TOE design, security architecture description, + operational user guidance, implementation + representation) to see if error processing related to + the TSFI is described there but is not described in the + functional specification. + + + + + The evaluator shall examine the functional specification + to determine that it completely and accurately describes + all errors messages that do not result from an + invocation of any TSFI. + + This work unit complements work unit , which describes those + error messages that result from an invocation of the + TSFI. Taken together, these work units cover all error + messages that might be generated by the TSF. + + The evaluator assesses the completeness and accuracy of + the functional specification by comparing its contents + to instances of error message generation within the + implementation representation. Most of these error + messages will have already been covered by work unit + . 
+ + The error messages related to this work unit are + typically those that are not expected to be generated, + but are constructed as a matter of good programming + practises. For example, a case statement that defines + actions resulting from each of a list of cases may end + with a final else statement to apply + to anything that might not be expected; this practise + ensures the TSF does not get into an undefined state. + However, it is not expected that the path of execution + would ever get to this else + statement; therefore, any error message generation + within this else statement would + never be generated. Although it would not get + generated, it must still be included in the functional + specification. + + + + + The evaluator shall examine the functional specification + to determine that it provides a rationale for each error + message contained in the TSF implementation yet does not + result from an invocation of a TSFI. + + The evaluator ensures that every error message found + under work unit + contains a rationale describing why it cannot be invoked + from the TSFI. + + As was described in the previous work unit, this + rationale might be as straightforward as the fact that + the error message in question is provided for + completeness of execution logic and that it is never + expected to be generated. The evaluator ensures that the + rationale for each such error message is logical. + + + + The evaluator shall check that the tracing links the + SFRs to the corresponding TSFIs. + + The tracing is provided by the developer to serve as a + guide to which SFRs are related to which TSFIs. This + tracing can be as simple as a table; it is used as input + to the evaluator for use in the following work units, in + which the evaluator verifies its completeness and + accuracy. + + + + The evaluator shall determine that the functional + specification is an accurate and complete instantiation of + the SFRs. 
+ + + The evaluator shall examine the functional specification + to determine that it is a complete instantiation of the + SFRs. + + To ensure that all SFRs are covered by the functional + specification, as well as the test coverage analysis, + the evaluator may build upon the developer's tracing + (see a map between + the TOE security functional requirements and the TSFI. + Note that this map may have to be at a level of detail + below the component or even element level of the + requirements, because of operations (assignments, + refinements, selections) performed on the functional + requirement by the ST author. + + For example, the + component contains an element with assignments. If the + ST contained, for instance, ten rules in the assignment, and these ten + rules were covered by three different TSFI, it would be + inadequate for the evaluator to map to TSFI A, B, and C and claim they had + completed the work unit. Instead, the evaluator would + map (rule 1) to TSFI A; + (rule 2) to TSFI B; + etc. It might also be the case that the interface is a + wrapper interface (e.g., IOCTL), in which case the + mapping would need to be specific to certain set of + parameters for a given interface. + + The evaluator must recognise that for requirements that + have little or no manifestation at the TSF boundary + (e.g., ) it is not + expected that they completely map those requirements to + the TSFI. The analysis for those requirements will be + performed in the analysis for the TOE design () when included in the ST. It is + also important to note that since the parameters, + actions, and error messages associated with TSFIs must + be fully specified, the evaluator should be able to + determine if all aspects of an SFR appear to be + implemented at the interface level. + + + + The evaluator shall examine the functional specification + to determine that it is an accurate instantiation of the + SFRs. 
+ + For each functional requirement in the ST that results + in effects visible at the TSF boundary, the information + in the associated TSFI for that requirement specifies + the required functionality described by the + requirement. For example, if the ST contains a + requirement for access control lists, and the only TSFI + that map to that requirement specify functionality for + Unix-style protection bits, then the functional + specification is not accurate with respect to the + requirements. + + The evaluator must recognise that for requirements that + have little or no manifestation at the TSF boundary + (e.g., ) it is not + expected that the evaluator completely map those + requirements to the TSFI. The analysis for those + requirements will be performed in the analysis for the + TOE design () when + included in the ST. + + + + + + + + + (Need Objectives text for FSP.6 methodology) + + + + The evaluation evidence for this sub-activity that is + required by the work-units is: + + + the ST; + + + the functional specification; + + + the TOE design. + + + + The evaluation evidence for this sub-activity that is used + if included in the ST for the TOE is: + + + the security architecture description; + + + the implementation representation; + + + the TSF internals description; + + + the formal security policy model; + + + the operational user guidance; + + + + + The developer shall provide a functional specification. + + + The developer shall provide a formal presentation of the + functional specification of the TSF. + + + The developer shall provide a tracing from the functional + specification to the SFRs. + + + The functional specification shall completely represent the + TSF. + + + The functional specification shall describe the TSFI using a + formal style. + + + The functional specification shall describe the purpose and + method of use for all TSFI. + + + The functional specification shall identify and describe all + parameters associated with each TSFI. 
+
+
+ The functional specification shall describe all actions
+ associated with each TSFI.
+
+
+ The functional specification shall describe all direct error
+ messages that may result from an invocation of each TSFI.
+
+
+ The functional specification shall describe all error messages
+ contained in the TSF implementation representation.
+
+
+ The functional specification shall provide a rationale for
+ each error message contained in the TSF implementation that
+ is not otherwise described in the functional specification
+ justifying why it is not associated with a TSFI.
+
+
+ The formal presentation of the functional specification of
+ the TSF shall describe the TSFI using a formal style,
+ supported by informal, explanatory text where appropriate.
+
+
+ The tracing shall demonstrate that the SFRs trace to TSFIs
+ in the functional specification.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+ The evaluator shall determine that the functional
+ specification is an accurate and complete instantiation of
+ the SFRs.
+
+
+
+
+
+
+ The function of the family
+ is for the developer to make available the implementation
+ representation (and, at higher levels, the implementation
+ itself) of the TOE in a form that can be analysed by the
+ evaluator. The implementation representation is used in
+ analysis activities for other families (analysing the TOE
+ design, for instance) to demonstrate that the TOE conforms
+ its design and to provide a basis for analysis in other
+ areas of the evaluation (e.g., the search for
+ vulnerabilities). The implementation representation is
+ expected to be in a form that captures the detailed internal
+ workings of the TSF. This may be software source code,
+ firmware source code, hardware diagrams and/or IC hardware
+ design language code or layout data.
+
+
+ The implementation representation of the TOE is made
+ available so that it can be analysed by the evaluator to
+ demonstrate that the TOE conforms its design and to provide
+ a basis for analysis in other areas of the evaluation (e.g.,
+ the search for vulnerabilities). The implementation
+ representation captures the detailed internal workings of
+ the TSF. This may be software source code, firmware source
+ code, hardware diagrams and/or chip specifications.
+
+
+
+ The components in this family are levelled on the amount of
+ implementation that is mapped to the TOE design
+ description.
+
+
+
+ Source code or hardware diagrams and/or IC hardware design
+ language code or layout data that are used to build the
+ actual hardware are examples of parts of an implementation
+ representation. It is important to note that while the
+ implementation representation must be made available to the
+ evaluator, this does not imply that the evaluator needs to
+ possess that representation. For instance, the developer may
+ require that the evaluator review the implementation
+ representation at a site of the developer's choosing.
+
+ The entire implementation representation is made available
+ to ensure that analysis activities are not curtailed due to
+ lack of information. This does not, however, imply that all
+ of the representation is examined when the analysis
+ activities are being performed. This is likely impractical
+ in almost all cases, in addition to the fact that it most
+ likely will not result in a higher-assurance TOE
+ vs. targeted sampling of the implementation
+ representation. The implementation representation is made
+ available to allow analysis of other TOE design
+ decompositions (e.g., functional specification, TOE design),
+ and to gain confidence that the security functionality
+ described at a higher level in the design actually appear to
+ be implemented in the TOE. Conventions in some forms of the
+ implementation representation may make it difficult or
+ impossible to determine from just the implementation
+ representation itself what the actual result of the
+ compilation or run-time interpretation will be. For example,
+ compiler directives for C language compilers will cause the
+ compiler to exclude or include entire portions of the
+ code. For this reason, it is important that such ``extra''
+ information or related tools (scripts, compilers, etc.) be
+ provided so that the implementation representation can be
+ accurately determined.
+
+ The purpose of the mapping between the implementation
+ representation and the TOE design description is to aid the
+ evaluator's analysis. The internal workings of the TOE may
+ be better understood when the TOE design is analysed with
+ corresponding portions of the implementation representation.
+ The mapping serves as an index into the implementation
+ representation. At the lower component, only a subset of the
+ implementation representation is mapped to the TOE design
+ description. Because of the uncertainty of which portions of
+ the implementation representation will need such a mapping,
+ the developer may choose either to map the entire
+ implementation representation beforehand, or to wait to see
+ which portions of the implementation representation the
+ evaluator requires to be mapped.
+
+ The implementation representation is manipulated by the
+ developer in a form that is suitable for transformation to
+ the actual implementation. For instance, the developer may
+ work with files containing source code, which is eventually
+ compiled to become part of the TSF. The developer makes
+ available the implementation representation in the form used
+ by the developer, so that the evaluator may use automated
+ techniques in the analysis. This also increases the
+ confidence that the implementation representation examined
+ is actually the one used in the production of the TSF (as
+ opposed to the case where it is supplied in an alternate
+ presentation format, such as a word processor document). It
+ should be noted that other forms of the implementation
+ representation may also be used by the developer; these
+ forms are supplied as well. The overall goal is to supply
+ the evaluator with the information that will maximise the
+ effectiveness of the evaluator's analysis efforts.
+
+ Some forms of the implementation representation may require
+ additional information because they introduce significant
+ barriers to understanding and analysis. Examples include
+ ``shrouded'' source code or source code that has been
+ obfuscated in other ways such that it prevents understanding
+ and/or analysis. These forms of implementation
+ representation typically result from the TOE developer
+ taking a version of the implementation representation and
+ running a shrouding or obfuscation program on it. While the
+ shrouded representation is what is compiled and may be
+ closer to the implementation (in terms of structure) than
+ the original, un-shrouded representation, supplying such
+ obfuscated code may cause significantly more time to be
+ spent in analysis tasks involving the representation. When
+ such forms of representation are created, the components
+ require details on the shrouding tools/algorithms used so
+ that the un-shrouded representation can be supplied, and the
+ additional information can be used to gain confidence that
+ the shrouding process does not compromise any security
+ functionality.
+
+
+
+
+
+
+ The objective of this sub-activity is to determine that
+ the implementation representation made available by the
+ developer is suitable for use in other analysis
+ activities; suitability is judged by its
+ conformance to the requirements for this component.
+
+
+ The entire implementation representation is made available
+ to ensure that analysis activities are not curtailed due
+ to lack of information. This does not, however, imply that
+ all of the representation is examined when the analysis
+ activities are being performed. This is likely impractical
+ in almost all cases, in addition to the fact that it most
+ likely will not result in a higher-assurance TOE
+ vs. targeted sampling of the implementation
+ representation. For this sub-activity, this is even
+ truer. It would not be productive for the evaluator to
+ spend large amounts of time verifying the requirements for
+ one portion of the implementation representation, and then
+ use a different portion of the implementation
+ representation in performing analysis for other work
+ units. Therefore, the evaluator is encouraged to select
+ the sample of the implementation representation from the
+ areas of the TOE that will be of most interest during the
+ analysis performed during work units from other families
+ (e.g. , and ).
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the implementation representation;
+
+
+ the documentation of the development tools, as
+ resulting from ;
+
+
+ TOE design description.
+
+
+
+
+ The developer shall make available the implementation
+ representation for the entire TSF.
+
+
+ The developer shall provide a mapping between the TOE design
+ description and the sample of the implementation
+ representation.
+
+
+ The implementation representation shall define the TSF to a
+ level of detail such that the TSF can be generated without
+ further design decisions.
+
+
+ The implementation representation shall be in the form used
+ by the development personnel.
+
+
+ The mapping between the TOE design description and the
+ sample of the implementation representation shall
+ demonstrate their correspondence.
+
+
+ The evaluator shall confirm that, for the selected sample of
+ the implementation representation, the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the implementation
+ representation defines the TSF to a level of detail such
+ that the TSF can be generated without further design
+ decisions.
+
+ Source code or hardware diagrams and/or IC hardware
+ design language code or layout data that are used to
+ build the actual hardware are examples of parts of an
+ implementation representation. The evaluator samples the
+ implementation representation to gain confidence that it
+ is at the appropriate level and not, for instance, a
+ pseudo-code level which requires additional design
+ decisions to be made. The evaluator is encouraged to
+ perform a quick check when first looking at the
+ implementation representation to assure themselves that
+ the developer is on the right track. However, the
+ evaluator is also encourage to perform the bulk of this
+ check while working on other work units that call for
+ examining the implementation; this will ensure the
+ sample examined for this work unit is relevant.
+
+
+
+
+ The evaluator shall check that the implementation
+ representation is in the form used by development
+ personnel.
+
+ The implementation representation is manipulated by the
+ developer in form that it suitable for transformation to
+ the actual implementation. For instance, the developer
+ may work with files containing source code, which is
+ eventually compiled to become part of the TSF. The
+ developer makes available the implementation
+ representation in the form they use, so that the
+ evaluator may use automated techniques in the
+ analysis. This also increases the confidence that the
+ implementation representation examined is actually the
+ one used in the production of the TSF (as opposed to the
+ case where it is supplied in an alternate presentation
+ format, such as a word processor document). It should be
+ noted that other forms of the implementation
+ representation may also be used by the developer; these
+ forms are supplied as well. The overall goal is to
+ supply the evaluator with the information that will
+ maximise the evaluator's analysis efforts.
+
+ The evaluator samples the implementation representation
+ to gain confidence that it is the version that is usable
+ by the developer. The sample is such that the evaluator
+ has assurance that all areas of the implementation
+ representation are in conformance with the requirement;
+ however, a complete examination of the entire
+ implementation representation is unnecessary.
+
+ Conventions in some forms of the implementation
+ representation may make it difficult or impossible to
+ determine from just the implementation representation
+ itself what the actual result of the compilation or
+ run-time interpretation will be. For example, compiler
+ directives for C language compilers will cause the
+ compiler to exclude or include entire portions of the
+ code.
+
+ Some forms of the implementation representation may
+ require additional information because they introduce
+ significant barriers to understanding and
+ analysis. Examples include shrouded source code or
+ source code that has been obfuscated in other ways such
+ that it prevents understanding and/or analysis. These
+ forms of implementation representation typically result
+ from by taking a version of the implementation
+ representation that is used by the TOE developer and
+ running a shrouding or obfuscation program on it. While
+ the shrouded representation is what is compiled and may
+ be closer to the implementation (in terms of structure)
+ than the original, un-shrouded representation, supplying
+ such obfuscated code may cause significantly more time
+ to be spent in analysis tasks involving the
+ representation. When such forms of representation are
+ created, the components require details on the shrouding
+ tools/algorithms used so that the un-shrouded
+ representation can be supplied, and the additional
+ information can be used to gain confidence that the
+ shrouding process does not compromise any security
+ mechanisms.
+
+ The evaluator samples the implementation representation
+ to gain confidence that all of the information needed to
+ interpret the implementation representation has been
+ supplied. Note that the tools are among those referenced
+ by components. The
+ evaluator is encouraged to perform a quick check when
+ first looking at the implementation representation to
+ assure themselves that the developer is on the right
+ track. However, the evaluator is also encouraged to
+ perform the bulk of this check while working on other
+ work units that call for examining the implementation;
+ this will ensure the sample examined for this work unit
+ is relevant.
+
+
+
+
+ The evaluator shall examine the mapping between the TOE
+ design description and the sample of the implementation
+ representation to determine that it is accurate.
+
+ The evaluator augments the determination of existence
+ (specified in work unit ) by verifying the accuracy of a portion of
+ the implementation representation and the TOE design
+ description. For parts of the TOE design description
+ that are interesting, the evaluator would verify the
+ implementation representation accurately reflects the
+ description provided in the TOE design
+ description.
+
+ For example, the TOE design description might identify a
+ login module that is used to identify and authenticate
+ users. If user authentication is sufficiently
+ significant, the evaluator would verify that the
+ corresponding code in fact implements that service as
+ described in the TOE design description. It might also
+ be worthwhile to verify that the code accepts the
+ parameters as described in the functional
+ specification.
+
+ It is worth pointing out the developer must choose
+ whether to perform the mapping for the entire
+ implementation representation, thereby guaranteeing that
+ the chosen sample will be covered, or waiting for the
+ sample to be chosen before performing the mapping. The
+ first option is likely more work, but may be completed
+ before the evaluation begins. The second option is less
+ work, but will produce a suspension of evaluation
+ activity while the necessary evidence is being
+ produced.
+
+
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine that
+ the implementation representation made available by the
+ developer can be transformed into the implementation that
+ is used in the testing activities.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the implementation representation;
+
+
+ the documentation of the development tools, as
+ resulting from ;
+
+
+ TOE design description.
+
+
+
+
+ The developer shall make available the implementation
+ representation for the entire TSF.
+
+
+ The developer shall provide a mapping between the TOE design
+ description and the entire implementation representation.
+
+
+ The implementation representation shall define the TSF to a
+ level of detail such that the TSF can be generated without
+ further design decisions.
+
+
+ The implementation representation shall be in the form used
+ by the development personnel.
+
+
+ The mapping between the TOE design description and the
+ entire implementation representation shall demonstrate their
+ correspondence.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+
+
+
+ This family addresses the assessment of the internal
+ structure of the TSF. A TSF whose internals are
+ well-structured is easier to implement and less likely to
+ contain flaws that could lead to vulnerabilities; it is also
+ easier to maintain without the introduction of flaws.
+
+
+
+ The internal structure of the TSF can aid or hamper
+ understandability of the implementation representation.
+ Source code that conforms to coding standards, that exhibit
+ a minimum of interactions, and that is written in modules
+ each with a single purpose, is much easier to understand
+ than poorly-structured code with unnecessary or
+ loosely-defined interactions.
+
+
+
+ The components in this family are levelled on the basis of
+ the amount of structure and minimisation of complexity
+ required. places
+ requirements for well-structured internals on only selected
+ parts of the TSF. This component is not included in an EAL
+ because this component is viewed for use in special
+ circumstances (e.g., the sponsor has a specific concern
+ regarding a cryptographic module, which is isolated from the
+ rest of the TSF) and would not be widely applicable.
+
+ At the next level, the requirements for well-structured
+ internals are placed on the entire TSF. Finally,
+ minimisation of complexity is introduced in the highest
+ component.
+
+
+
+ These requirements, when applied to the internal structure
+ of the TSF, typically result in improvements that aid both
+ the developer and the evaluator in understanding the TSF,
+ and also provide the basis for designing and evaluating test
+ suites. Further, improving understandability of the TSF
+ should assist the developer in simplifying its
+ maintainability.
+
+ The requirements in this family are presented at a fairly
+ abstract level. The wide variety of TOEs makes it impossible
+ to codify anything more specific than ``well-structured'' or
+ ``minimum complexity''. Judgements on structure and
+ complexity are expected to be derived from the specific
+ technologies used in the TOE. For example, software is
+ likely to be considered well-structured if it exhibits the
+ characteristics cited in the software engineering
+ disciplines. The components within this family call for
+ identifying the standards for measuring the characteristic
+ of being well-structured and not overly-complex.
+
+
+
+
+
+
+
+ The objective of this component is to provide a means for
+ requiring specific portions of the TSF to be
+ well-structured. The intent is that the entire TSF has
+ been designed and implemented using sound engineering
+ principles, but the analysis is performed upon only a
+ specific subset.
+
+
+
+ This component requires the PP or ST author to fill in an
+ assignment with the subset of the TSF. This subset may be
+ identified in terms of the internals of the TSF at any
+ layer of abstraction. For example:
+
+ the structural elements of the TSF as identified
+ in the TOE design (e.g. ``The developer shall design
+ and implement the audit subsystem
+ such that it has well-structured internals.'')
+ the implementation (e.g. ``The developer shall
+ design and implement the encrypt.c and
+ decrypt.c files such that it has
+ well-structured internals.'' or ``The developer shall
+ design and implement the 6227 IC chip
+ such that it has well-structured
+ internals.'')
+
+ It is likely this would not be readily accomplished by
+ referencing the claimed SFRs (e.g. ``The developer shall
+ design and implement the portion of the TSF that
+ provide anonymity as defined in
+ such that it has well-structured
+ internals.'') because this does not indicate where to
+ focus the analysis.
+
+ This component has limited value and would be suitable in cases
+ where potentially-malicious users/subjects have limited or
+ strictly controlled access to the TSFIs or where there is
+ another means of protection (e.g., domain separation) that
+ ensures the chosen subset of the TSF cannot be adversely
+ affected by the rest of the TSF (e.g., the cryptographic
+ functionality, which is isolated from the rest of the TSF, is
+ well-structured).
+
+
+
+ The objective of this sub-activity is to determine whether
+ the defined subset of the TSF is designed and structured
+ such that the likelihood of flaws is reduced and that
+ maintenance can be more readily performed without the
+ introduction of flaws.
+
+
+
+ The role of the internals description is to provide
+ evidence of the structure of the design and implementation
+ of the TSF.
+
+ The structure of the design has two aspects: the
+ constituent parts of the TSF and the procedures used to
+ design the TSF. In cases where the TSF is designed in a
+ manner consistent with the design represented by the TOE
+ design (see ), the
+ assessment of the TSF design is obvious. In cases where
+ the design procedures (see )
+ are being followed, the assessment of the TSF design
+ procedures is similarly obvious.
+
+ In cases where the TSF is implemented using
+ procedure-based software, this structure is assessed on
+ the basis of its modularity; the
+ modules identified in the internals description are the
+ same as the modules identified in the TOE design (). A module consists of one or
+ more source code files that cannot be decomposed into
+ smaller compilable units.
+
+ The use of the assignment in this component levies stricter
+ constraints on the subset of the TSF that is explicitly
+ identified in the assignment
+ than on the remainder of the TSF.
+ While the entire TSF is to be designed using good
+ engineering principles and result in a well-structured TSF, only
+ the specified subset is specifically analysed for this
+ characteristic. The evaluator determines that the developer's
+ application of coding standards result in a TSF that is
+ understandable.
+
+ The primary goal of this component is to ensure the TSF
+ subset's implementation representation is understandable
+ to facilitate maintenance and analysis (of both the
+ developer and evaluator).
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the TOE design description;
+
+
+ the implementation representation (if is part of the claimed
+ assurance);
+
+
+ the TSF internals description and justification;
+
+
+ the documentation of the coding standards, as
+ resulting from .
+
+
+
+
+ The developer shall design and implement subset
+ of the TSF such that it has well-structured
+ internals.
+
+
+ The developer shall provide an internals description and
+ justification.
+
+
+ The justification shall explain the characteristics used to
+ judge the meaning of ``well-structured''.
+
+
+ The TSF internals description shall demonstrate that the
+ assigned subset of the TSF is well-structured.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+ The evaluator shall examine the justification to
+ determine that it identifies the basis for determining
+ whether the TSF is well-structured.
+
+ The evaluator verifies that the criteria for determining
+ the characteristic of being well-structured are clearly
+ defined in the justification. Acceptable criteria
+ typically originate from industry standards for the
+ technology discipline. For example, procedural software
+ that executes linearly is traditionally viewed as
+ well-structured if it adheres to software engineering
+ programming practises, such as those defined in the IEEE
+ Standard (IEEE Std 610.12-1990). For
+ example, it would identify the criteria for the
+ procedural software portions of the TSF subset:
+
+ the process used for modular
+ decomposition
+ coding standards used in the development of the
+ implementation
+ a description of the maximum acceptable level of
+ intermodule coupling exhibited by the TSF
+ subset
+ a description of the minimum acceptable level of
+ cohesion exhibited the modules of the TSF
+ subset
+
+ For other types of technologies used in the TOE - such as
+ non-procedural software (e.g. object-oriented programming),
+ widespread commodity hardware (e.g. PC microprocessors), and
+ special-purpose hardware (e.g. smart-card processors) - the
+ evaluator should seek guidance from the evaluation authority for
+ determining the adequacy of criteria for being
+ ``well-structured''.
+
+
+
+ The evaluator shall check the TSF internals
+ description to determine that it identifies the Assigned
+ subset of the TSF.
+
+ This subset may be identified in terms of the internals
+ of the TSF at any layer of abstraction. For example, it
+ may be in terms of the structural elements of the TSF as
+ identified in the TOE design (e.g. the audit subsystem),
+ or in terms of the implementation
+ (e.g. encrypt.c and
+ decrypt.c files, or the 6227 IC
+ chip).
+
+ It is insufficient to identify this subset in terms of
+ the claimed SFRs (e.g. the portion of the TSF that
+ provide anonymity as defined in ) because this does not indicate where to
+ focus the analysis.
+
+
+
+ The evaluator shall examine the TSF internals
+ description to determine that it demonstrates that the
+ assigned TSF subset is well-structured.
+
+ The evaluator examines the internals description to
+ ensure that it provides a sound explanation of how the
+ TSF subset meets the criteria from
+
+ For example, it would explain how the procedural
+ software portions of the TSF subset meets the following:
+
+ that there is a one-to-one correspondence
+ between the modules identified in the TSF subset and
+ the modules described in the TOE design ()
+ how the TSF design is a reflection of the
+ modular decomposition process
+ a justification for all instances where the
+ coding standards were not used or met
+ a justification for any coupling or cohesion
+ outside the acceptable bounds
+
+
+
+ The evaluator shall perform an internals analysis on the
+ assigned subset of the TSF.
+
+
+ The evaluator shall determine that the TOE design for
+ the assigned TSF subset is well-structured.
+
+ The evaluator examines a sample of the TOE design to
+ verify the accuracy of the justification. For example, a
+ sample of the TOE design is analysed to determine its
+ adherence to the design standards, etc. As with all
+ areas where the evaluator performs activities on a
+ subset the evaluator provides a justification of the
+ sample size and scope
+
+ The description of the TOE's decomposition into
+ subsystems and modules will make the argument that the
+ TSF subset is well-structured self-evident. Verification
+ that the procedures for structuring the TSF (as examined
+ in ) are being followed
+ will make it self-evident that the TSF subset is
+ well-structured.
+
+
+
+ The evaluator shall determine that the assigned TSF
+ subset is well-structured.
+
+ If is not part of the
+ claimed assurance, then this work unit is not applicable
+ and is therefore considered to be satisfied.
+
+ The evaluator examines a sample of the TSF subset to
+ verify the accuracy of the internals description. For
+ example, a sample of the procedural software portions of
+ the TSF subset is analysed to determine its cohesion and
+ coupling, its adherence to the coding standards, etc. As
+ with all areas where the evaluator performs activities
+ on a subset the evaluator provides a justification of
+ the sample size and scope.
+
+
+
+
+
+
+
+
+
+
+ The objective of this component is to provide a means for
+ requiring the TSF to be well-structured. The intent is
+ that the entire TSF has been designed and implemented
+ using sound engineering principles.
+
+
+
+ Judgements on the adequacy of the structure are expected to
+ be derived from the specific technologies used in the TOE.
+ This component calls for identifying the standards for
+ measuring the characteristic of being
+ well-structured.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TSF is designed and structured such that the
+ likelihood of flaws is reduced and that maintenance can be
+ more readily performed without the introduction of
+ flaws.
+
+
+
+ The role of the internals description is to provide
+ evidence of the structure of the design and implementation
+ of the TSF.
+
+ The structure of the design has two aspects: the
+ constituent parts of the TSF and the procedures used to
+ design the TSF. In cases where the TSF is designed in a
+ manner consistent with the design represented by the TOE
+ design (see ), the
+ assessment of the TSF design is obvious. In cases where
+ the design procedures (see )
+ are being followed, the assessment of the TSF design
+ procedures is similarly obvious.
+
+ In cases where the TSF is implemented using
+ procedure-based software, this structure is assessed on
+ the basis of its modularity; the
+ modules identified in the internals description are the
+ same as the modules identified in the TOE design (). A module consists of one or
+ more source code files that cannot be decomposed into
+ smaller compilable units.
+
+ The primary goal of this component is to ensure the TSF's
+ implementation representation is understandable to
+ facilitate maintenance and analysis (of both the developer
+ and evaluator).
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the modular design description;
+
+
+ the implementation representation (if is part of the claimed
+ assurance));
+
+
+ the TSF internals description;
+
+
+ the documentation of the coding standards, as
+ resulting from .
+
+
+
+
+ The developer shall design and implement the entire TSF such
+ that it has well-structured internals.
+
+
+ The developer shall provide an internals description and
+ justification.
+
+
+ The justification shall describe the characteristics used to
+ judge the meaning of ``well-structured''.
+
+
+ The TSF internals description shall demonstrate that the
+ entire TSF is well-structured.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+ The evaluator shall examine the justification to
+ determine that it identifies the basis for determining
+ whether the TSF is well-structured.
+
+ The evaluator verifies that the criteria for determining
+ the characteristic of being well-structured are clearly
+ defined in the justification. Acceptable criteria
+ typically originate from industry standards for the
+ technology discipline. For example, procedural software
+ that executes linearly is traditionally viewed as
+ well-structured if it adheres to software engineering
+ programming practises, such as those defined in the IEEE
+ Standard (IEEE Std 610.12-1990). For
+ example, it would identify the criteria for the
+ procedural software portions of the TSF:
+
+ the process used for modular
+ decomposition
+ coding standards used in the development of the
+ implementation
+ a description of the maximum acceptable level of
+ intermodule coupling exhibited by the TSF
+ a description of the minimum acceptable level of
+ cohesion exhibited the modules of the
+ TSF
+
+ For other types of technologies used in the TOE - such
+ as non-procedural software (e.g. object-oriented
+ programming), widespread commodity hardware (e.g. PC
+ microprocessors), and special-purpose hardware
+ (e.g. smart-card processors) - the evaluation authority
+ should be consulted for determining the adequacy of
+ criteria for being ``well-structured''.
+
+
+
+ The evaluator shall examine the TSF internals
+ description to determine that it demonstrates that the
+ TSF is well-structured.
+
+ The evaluator examines the internals description to
+ ensure that it provides a sound explanation of how the
+ TSF meets the criteria from
+
+ For example, it would explain how the procedural
+ software portions of the TSF meet the following:
+
+ that there is a one-to-one correspondence
+ between the modules identified in the TSF and the
+ modules described in the TOE design ()
+ how the TSF design is a reflection of the
+ modular decomposition process
+ a justification for all instances where the
+ coding standards were not used or met
+ a justification for any coupling or cohesion
+ outside the acceptable bounds
+
+
+
+ The evaluator shall perform an internals analysis on the
+ TSF.
+
+
+ The evaluator shall determine that the TOE design is
+ well-structured.
+
+ The evaluator examines the TOE design of a sample of the
+ TSF to verify the accuracy of the justification. For
+ example, a sample of the TOE design is analysed to
+ determine its adherence to the design standards, etc. As
+ with all areas where the evaluator performs activities
+ on a subset the evaluator provides a justification of
+ the sample size and scope
+
+ The description of the TOE's decomposition into
+ subsystems and modules will make the argument that the
+ TSF subset is well-structured self-evident. Verification
+ that the procedures for structuring the TSF (as examined
+ in ) are being followed
+ will make it self-evident that the TSF subset is
+ well-structured.
+
+
+
+ The evaluator shall determine that the TSF is
+ well-structured.
+
+ If is not part of the
+ claimed assurance, then this work unit is not applicable
+ and is therefore considered to be satisfied.
+
+ The evaluator examines a sample of the TSF to verify the
+ accuracy of the internals description. For example, a
+ sample of the procedural software portions of the TSF is
+ analysed to determine its cohesion and coupling, its
+ adherence to the coding standards, etc. As with all
+ areas where the evaluator performs activities on a
+ subset the evaluator provides a justification of the
+ sample size and scope.
+
+
+
+
+
+
+
+
+
+
+ The objective of this component is to provide a means for
+ requiring the TSF to be well-structured and of minimal
+ complexity. The intent is that the entire TSF has been
+ designed and implemented using sound engineering
+ principles.
+
+
+
+ Judgements on the adequacy of the structure and complexity
+ are expected to be derived from the specific technologies
+ used in the TOE. This component calls for identifying the
+ standards for measuring the structure and
+ complexity.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the modular design description;
+
+
+ the implementation representation;
+
+
+ the TSF internals description;
+
+
+ the documentation of the coding standards, as
+ resulting from .
+
+
+
+
+ The developer shall design and implement the entire TSF such
+ that it has well-structured internals.
+ + + The developer shall provide an internals description and + justification. + + + The justification shall describe the characteristics used to + judge the meaning of ``well-structured'' and ``complex''. + + + The TSF internals description shall demonstrate that the + entire TSF is well-structured and is not overly complex. + + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + The evaluator shall perform an internals analysis on the + entire TSF. + + + + + + + It is the objective of this family to provide additional + assurance from the development of a formal security + policy model of the TSF, and establishing a + correspondence between the functional specification and this + security policy model. Preserving internal consistency the + security policy model is expected to formally establish the + security principles from its characteristics by means of a + mathematical proof. + + + + A formal security model precisely describes important + aspects of security and their relationship to the behaviour + of the TSF. Formalism helps to prove mathematically the + thoroughness of the security. + + + + This family contains only one component. + + + + Inadequacies in a TOE can result either from a failure in + understanding the security requirements or from a flawed + implementation of those security requirements. Defining the + security requirements adequately to ensure their + understanding may be problematic because the definition must + be sufficiently precise to prevent undesired results or + subtle flaws during implementation of the TOE. Throughout + the design, implementation, and review processes, the + modelled security requirements may be used as precise design + and implementation guidance, thereby providing increased + assurance that the modelled security requirements are + satisfied by the TOE. 
The precision of the model and + resulting guidance is significantly improved by casting the + model in a formal language and verifying the security + requirements by formal proof. + + The creation of a formal security policy model helps to + identify and eliminate ambiguous, inconsistent, + contradictory, or unenforceable security policy + elements. Once the TOE has been built, the formal model + serves the evaluation effort by contributing to the + evaluator's judgement of how well the developer has + understood the security functionality being implemented and + whether there are inconsistencies between the security + requirements and the TOE design. The confidence in the model + is accompanied by a proof that it contains no + inconsistencies. + + A formal security model is a precise formal presentation of + the important aspects of security and their relationship to + the behaviour of the TOE; it identifies the set of rules and + practises that regulates how the TSF manages, protects, and + otherwise controls the system resources. The model includes + the set of restrictions and properties that specify how + information and computing resources are prevented from being + used to violate the SFRs, accompanied by a persuasive set of + engineering arguments showing that these restrictions and + properties play a key role in the enforcement of the SFRs. + It consists both of the formalisms that express the security + functionality, as well as ancillary text to explain the + model and to provide it with context. The security behaviour + of the TSF is modelled both in terms of external behaviour + (i.e. how the TSF interacts with the rest of the TOE and + with its operational environment), as well as its internal + behaviour. + + The Security Policy Model of the TOE is informally + abstracted from its realisation by considering the proposed + security requirements of the ST. 
The informal abstraction is + taken to be successful if the TOE's principles (also termed + ``invariants'') turn out to be enforced by its + characteristics. The purpose of formal methods lies within + the enhancement of the rigour of enforcement. Informal + arguments are always prone to fallacies; especially if + relationships among subjects, objects and operations get + more and more involved. In order to minimise the risk of + insecure state arrivals the rules and characteristics of the + security policy model are mapped to respective properties + and features within some formal system, whose rigour and + strength can afterwards be used to obtain the security + properties by means of theorems and formal proof. + + While the term ``formal security policy model'' is used in + academic circles, the CC's approach has no fixed definition + of ``security''; it would equate to whatever SFRs are being + claimed. Therefore, the formal security policy model is + merely a formal representation of the set of SFRs being + claimed. + + The term security policy has + traditionally been associated with only access control + policies, whether label-based (mandatory access control) or + user-based (discretionary access control). However, a + security policy is not limited to access control; there are + also audit policies, identification policies, authentication + policies, encryption policies, management policies, and any + other security policies that are enforced by the TOE, as + described in the PP/ST. contains an assignment for identifying these + policies that are formally modelled. + + + + + + The objectives of this sub-activity are to determine + whether the formal TOE security policy model clearly and + consistently describes the rules of operation, states, + transition, invariants, and other security properties of + the claimed SFRs and whether this description corresponds + with the description of the security functionality in the + functional specification. 
+ + + + This activity applies to cases where the developer has + formally modelled all security policies of the TOE that + are capable of being modelled formally. + + A formal TOE security policy model is a representation of + the rules (synonymously termed ``principles'') and + characteristics of security policies in mathematical + terms. Their formal counterparts are called security + properties and security features, respectively. The + representation includes but is not limited to algebraic + specifications, finite state machines and logic formalisms + strong enough to formally infer the properties from the + features. The formal security policy model is accompanied + by an informal interpretation explaining how the rules and + characteristics are mapped to the respective properties + and features. + + It is recognised that not all policies (see work unit + ) can be formally + modelled for all TOEs. This is because either the state of + the art is insufficient to formally model a given policy, + or because the nature of the TOE renders impossible the + modelling of policies that would otherwise be possible to + model. If none of the SFRs can be formally modelled, this + component cannot be met. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the functional specification; + + + the TOE security policy model; + + + the operational user guidance; + + + + + The developer shall provide a formal security policy model for + the list of policies that are formally + modelled. + + For each policy covered by the formal security policy model, the + model shall identify the relevant portions of the statement of + SFRs that make up that policy. + + + The developer shall provide a formal proof of correspondence + between the model and any formal functional specification. + + + The developer shall provide a demonstration of + correspondence between the model and the functional + specification. 
+ + + The model shall be in a formal style, supported by + explanatory text as required, and identify the security + policies of the TSF that are modelled. + + + For all policies that are modelled, the model shall define + security for the TOE and provide a formal proof that the TOE + cannot reach a state that is not secure. + + + The correspondence between the model and the functional + specification shall be at the correct level of formality. + + + The correspondence shall show that the functional + specification is consistent and complete with respect to the + model. + + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the TOE security policy + model to determine that it is written in a formal + style. + + The evaluator identifies the formal framework upon which + the TOE security policy model is based and ensures that + it is founded on well established mathematical concepts, + and identifies the security properties and features + addressed in the application notes and ensures the + formalisation of at least one security policy. If no + policy is formally modelled, this component cannot be + successfully claimed. + + For additional guidance on formal methods refer to . + + + + + The evaluator shall examine the TOE security policy + model to determine that it contains all necessary + informal explanatory text. + + Supporting narrative descriptions are necessary for all + parts of the model (for example, to make clear the + meaning of any formal notation and how they are used) + including the security properties and features. + + + + + The evaluator shall examine the TOE security policy + model to determine that it contains all policies that + can be formally modelled. + + It is recognised that not all policies can be formally + modelled for all TOEs. 
This is because either the state + of the art is insufficient to formally model a given + policy, or because the nature of the TOE renders + impossible the modelling of policies that would + otherwise be possible to model. + + While access control, information flow control, and data + integrity policies have all been formally modelled + successfully, the possibility of modelling other + policies is based on a case by case decision. Abstention + from formally modelling security relevant policies + requires argumentation and rests the burden of proof + entirely on the developer's side. + + For any security policy where formal models are not + possible, the policy must be identified in the + assignment of . + + + + + The evaluator shall examine the model to determine that + the security behaviour of the TOE is clearly + articulated. + + The security policy model's properties describe the + TOE's behaviour in enforcing the principles of the + policy. For example, a policy that is modelled on the + basis of state transitions would include principles of + its states, identify its initial state, and define what + it means to be a secure state. + + The security policy model's features describe the + attributes and conditions of the TOE that come into + consideration when enforcing its policy's + characteristics. For example, a policy that is modelled + on the basis of state transitions would describe the + necessary conditions to transform the TOE from one state + to the next. + + An informal interpretation of all formal concepts + (including attributes, predicates and variables, if + available) must also be provided in order to make clear + their intended meaning. + + + + + The evaluator shall examine the correspondence between + the security policy model and the formal functional + specification to determine that it is presented in a + formal style. 
+ + If no part of the functional specification is formal, + this work unit is not applicable and is therefore + considered to be satisfied. The corresponding work will + be performed under work unit . + + For any part of the functional specification that is + formally presented, the correspondence between that part + of the functional specification and the security policy + model must be formal. Analysis of the content is + performed as part of work units through . + + For guidance on formal methods refer to . + + + + + The evaluator shall examine the correspondence between + the security policy model and the semiformal functional + specification to determine that it is presented in a + semiformal style. + + If the entire functional specification is formal, this + work unit is not applicable and is therefore considered + to be satisfied. The corresponding work will be + performed under work unit . + + For formally-modelled policies whose corresponding + description in the functional specification is not + formally presented, the correspondence between the model + and the functional specification must be a semiformal + demonstration. Analysis of the content is performed as + part of work units + through . + + If a security policy model exists, either this work unit + or the previous work unit (or both) will be + applicable. + + + + + The evaluator shall examine the TOE security policy + model rationale to determine that it formally proves the + correspondence between the security properties and the + security features. + + The proof shall show that the security features enforce + the security properties. To determine the enforcement, + the evaluator considers the security properties and the + security features and verifies that the arguments used + in the proof are valid. The proof of correspondence + between the security properties and the security + features shall be formal. 
+ + + + + The evaluator shall examine the TOE security policy + model rationale to determine that it proves the internal + consistency of the TOE security policy model. + + The proof shall show the absence of contradictions + within the TOE security policy model. In determining the + absence of contradictions, the evaluator verifies that + the arguments used in the proof are valid. + + Since the TOE security policy model is formal, the proof + of its internal consistency shall be formal. It is + recognised that a complete formal proof of the internal + consistency of the TOE security policy model usually is + not possible due to the fundamental nature of formal + frameworks. Generally, it is sufficient to generate + evidence using formal proofs based on the specific TOE + security policy model that prove the internal + consistency by means of a combination with generic + arguments of the formal framework. + + + + + The evaluator shall examine the TOE security policy + model rationale to determine that the behaviour modelled + is consistent with respect to policies described by the + security policies (as articulated by the functional + requirements in the ST). + + The examination considers the informal relationships of + the model. Hence the meaning of consistency reflects + the conventional understanding in contrast to the + internal consistency concept of the previous work + unit. + + In determining consistency, the evaluator verifies that + the rationale shows that each description of properties + and features in the security policy model accurately + reflects the intent of the security policies. For + example, if a policy stated that access control was + necessary to the granularity of a single individual, + then a security policy model describing the security + behaviour of a TOE in the context of controlling groups + of users would not be consistent. 
Likewise, if the + policy stated that access control for groups of users + was necessary, then a security policy model describing + the security behaviour of a TOE in the context of + controlling individual users would also not be + consistent. + + The evaluator also examines whether the security + policies are reflected within their formal counterparts + of the security policy model. + + + + + The evaluator shall examine the TOE security policy + model rationale to determine that the behaviour modelled + is complete with respect to the policies described by + the security policies (i.e. as articulated by the + functional requirements in the ST). + + In determining completeness of this rationale, the + evaluator considers the properties and features of the + security policy model and maps those properties and + features to explicit policy statements (i.e. functional + requirements). The rationale should show that all + policies that are required to be modelled have an + associated property or feature description in the TOE + security policy model. + + Abstention from formally modelling policy statements + always calls for justification on the developer's side + (also confer the application notes above). + + + + + The evaluator shall examine the demonstration of + correspondence to determine that all Assigned policies + are mapped to functions within the functional + specification. + + If all policies are included within the security policy + model (i.e. they are all formally modelled) and the + assignment in is + therefore empty, this work unit is not applicable and is + therefore considered to be satisfied. + + The evaluator verifies that the correspondence + demonstrates that the descriptions of the SFR-related + functions in the functional specification correspond to + the SFRs. This may be done as part of the work units addressing + correspondence to the SFRs. 
However, if the developer + provides a well-structured semiformal or informal + security policy model to better articulate the notions + of security enforced by the TOE, the evaluator will + verify that such a model is consistent with the + SFRs. + + + + + + + + The design description of a TOE provides both context for a + description of the TSF, and a thorough description of the + TSF. As assurance needs increase, the level of detail + provided in the description also increases. As the size and + complexity of the TSF increase, multiple levels of + decomposition are appropriate. The design requirements are + intended to provide information (commensurate with the given + assurance level) so that a determination can be made that + the security functional requirements are realised. + + + + The design description provides a further-refined + description of the TSF from that presented in the functional + specification. The functional specification provides a + description of what the TSF does at its + interface; the design description provides more insight into + the TSF by describing how the TSF works in + order to perform the functions supporting the SFRs. At lower + assurance levels, complete details relating to all portions + of the TSF are not required. As the desired assurance + increases, more detail is made available so that analysis + can be performed that supports the assurance claims being + made. + + + + The components in this family are levelled on the basis of + the amount of information that is required to be presented + with respect to the TSF, and on the degree of formalism + required of the design description. + + + + The goal of design documentation is to provide sufficient + information to determine the TSF boundary, and to describe + how the TSF implements the Security + Functional Requirements. 
The amount and structure of the + design documentation will depend on the complexity of the + TOE and the number of SFRs; in general, a very complex TOE + with a large number of SFRs will require more design + documentation than a very simple TOE implementing only a few + SFRs. Very complex TOEs will benefit (in terms of the + assurance provided) from the production of differing levels + of decomposition in describing the design, while very simple + TOEs do not require both high-level and low-level + descriptions of its implementation. + + This family uses two levels of decomposition: the + subsystem and the module. + A module is the most specific description of functionality: + it is a description of the implementation. A developer + should be able to implement the part of the TOE described by + the module with no further design decisions. A subsystem is + a description of the design of the TOE; it helps to provide + a high-level description of what a portion of the TOE is + doing and how. As such, a subsystem may be further divided + into lower-level subsystems, or into modules. Very complex + TOEs might require several levels of subsystems in order to + adequately convey a useful description of how the TOE works. + Very simple TOEs, in contrast, might not require a subsystem + level of description; the module might clearly describe how + the TOE works. + + The general approach adopted for design documentation is + that, as the level of assurance increases, the emphasis of + description shifts from the general (subsystem level) to + more (module level) detail. In cases where a module-level + of abstraction is appropriate because the TOE is simple + enough to be described at the module level, yet the level of + assurance calls for a subsystem level of description, the + module-level description alone will suffice. 
For complex + TOEs, however, this is not the case: an enormous amount of + (module-level) detail would be incomprehensible without an + accompanying subsystem level of description. + + This approach follows the general paradigm that providing + additional detail about the implementation of the TSF will + result in greater assurance that the SFRs are implemented + correctly, and provide information that can be used to + demonstrate this in testing (). + + In the requirements for this family, the term + interface is used as the means of + communication (between two subsystems or modules). It + describes how the communication is invoked; this is similar + to the details of TSFI (see ). The term interaction is + used to identify the purpose for communication; it + identifies why two subsystems or modules are + communicating. + + + The requirements define collections of details about + subsystems and modules to be provided: + + The subsystems and modules are + identified with a simple list of what + they are. + + Subsystems and modules may be categorised + (either implicitly or explicitly) as ``SFR-enforcing'', + ``SFR-supporting'', or ``SFR-non-interfering''; these terms are + used the same as they are used in . + + A subsystem's behaviour is what it does. The + behaviour may also be categorised as SFR-enforcing, + SFR-supporting, or SFR-non-interfering. The behaviour of the + subsystem is never categorised as more SFR-relevant than the + category of the subsystem itself. For example, an SFR-enforcing + subsystem can have SFR-enforcing behaviour as well as + SFR-supporting or SFR-non-interfering behaviour. + A behaviour summary of a + subsystem is an overview of the actions it performs + (e.g. ``The TCP subsystem assembles IP datagrams into + reliable byte streams''). + A behaviour description of a + subsystem is an explanation of everything it + does. 
This description should be at a level of detail + that one can readily determine whether the behaviour + has any relevance to the enforcement of the + SFRs. + + A description of interactions among or between + subsystems or modules identifies the reason that subsystems or + modules communicate, and characterises the information that is + passed. It need not define the information to the same level of + detail as an interface specification. For example, it would be + sufficient to say ``subsystem X requests a block of memory from + the memory manager, which responds with the location of the + allocated memory. + A description of interfaces provides the + details of how the interactions among modules are achieved. + Rather than describing the reason the modules are communicating + or the purpose of their communication (that is, the description + of interactions), the description of interfaces describes the + details of how that communication is accomplished, in terms of + the structure and contents of the messages, semaphores, internal + process communications, etc. + + + The purpose describes how a module provides + their functionality. It provides sufficient detail that no + further design decisions are needed. The correspondence between + the implementation representation that implements the module, + and the purpose of the module should be readily apparent. + A module is otherwise described + in terms of whatever is identified in the + element. Subsystems and modules, and + ``SFR-enforcing'', etc. are all further explained in + greater detail in . + + + + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the functional specification; + + + security architecture description; + + + the TOE design. + + + + + The developer shall provide the design of the TOE. + + + The developer shall provide a mapping from the TSFI of the + functional specification to the lowest level of + decomposition available in the TOE design. 
+ + The design shall describe the structure of the TOE in terms + of subsystems. + + + The design shall identify all subsystems of the TSF. + + + The design shall describe the behaviour of each + SFR-supporting or SFR-non-interfering TSF subsystem in + sufficient detail to determine that it is not SFR-enforcing. + + + The design shall summarise the SFR-enforcing behaviour of + the SFR-enforcing subsystems. + + + The design shall provide a description of the interactions + among SFR-enforcing subsystems of the TSF, and between the + SFR-enforcing subsystems of the TSF and other subsystems of + the TSF. + + + The mapping shall demonstrate that all TSFIs trace to the behaviour described in the TOE design that they invoke. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the TOE design to determine + that the structure of the entire TOE is described in + terms of subsystems. + + The evaluator ensures that all of the subsystems of the + TOE are identified. This description of the TOE will be + used as input to work unit , where the parts of the TOE that make up + the TSF are identified. That is, this requirement is on + the entire TOE rather than on only the TSF. + + The TOE (and TSF) may be described in multiple layers of + abstraction (i.e. subsystems and modules) Depending upon + the complexity of the TOE, its design may be described + in terms of subsystems and modules, as described in CC + Part 3 . At this + level of assurance, the decomposition only need be at + the ``subsystem'' level. + + In performing this activity, the evaluator examines + other evidence presented for the TOE (e.g., ST, operator + user guidance) to determine that the description of the + TOE in such evidence is consistent with the description + contained in the TOE design. 
+ + + + + The evaluator shall examine the TOE design to determine + that all subsystems of the TSF are identified. + + In work unit all of + the subsystems of the TOE were identified, and a + determination made that the non-TSF subsystems were + correctly characterised. Building on that work, the + subsystems that were not characterised as non-TSF + subsystems should be precisely identified. The evaluator + determines that, of the hardware and software installed + and configured according to the guidance, each subsystem has been + accounted for as either one that is part of the TSF, or + one that is not. + + + + + The evaluator shall examine the TOE design to determine that + each SFR-supporting or SFR-non-interfering subsystem of the TSF + is described such that the evaluator can determine that the + subsystem is SFR-supporting or SFR-non-interfering. + + SFR-supporting and SFR-non-interfering subsystems do not need to + be described in detail as to how they function in the system. + However, the evaluator makes a determination, based on the + evidence provided by the developer, that the subsystems that do + not have high-level descriptions are SFR-supporting or + SFR-non-interfering. Note that if the developer provides a + uniform level of detailed documentation then this work unit will + be largely satisfied, since the point of categorising the + subsystems is to allow the developer to provide less information + for SFR-supporting and SFR-non-interfering subsystems than for + SFR-enforcing subsystems. + + An SFR-supporting subsystem is one that is depended on + by an SFR-enforcing subsystem in order to implement an + SFR, but does not play as direct a role as an + SFR-enforcing subsystem. An SFR-non-interfering + subsystem is one that is not depended upon, in either a + supporting or enforcing role, to implement an + SFR. 
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that it provides a complete, accurate, and high-level
+ description of the SFR-enforcing behaviour of the
+ SFR-enforcing subsystems.
+
+ The developer may designate subsystems as SFR-enforcing,
+ SFR-supporting, and SFR non-interfering, but these
+ ``tags'' are used only to describe the amount and type
+ of information the developer must provide, and can be
+ used to limit the amount of information the developer
+ has to develop if their engineering process does not
+ produce the documentation required. Whether the
+ subsystems have been categorised by the developer or
+ not, it is the
+ evaluator's responsibility to determine that the
+ subsystems have the appropriate information for their
+ role (SFR-enforcing, etc.) in the TOE, and to obtain the
+ appropriate information from the developer should the
+ developer fail to provide the required information for a
+ particular subsystem.
+
+ SFR-enforcing behaviour refers to how a
+ subsystem provides the functionality that implements an
+ SFR. A high-level description need not refer to
+ specific data structures (although it may), but instead
+ talks about more general data flow, message flow, and
+ control relationships within a subsystem. The goal of
+ these descriptions is to give the evaluator enough
+ information to understand how the
+ SFR-enforcing behaviour is achieved. Note that the
+ evaluator should find unacceptable asserts of
+ SFR-enforcement in the TOE design documentation for this
+ work unit. It should be noted that it is the
+ evaluator's determination with respect to what
+ ``high-level'' means for a particular TOE, and the
+ evaluator obtains enough information from the developer
+ to make a sound verdict for this work unit.
+
+ To determine completeness and accuracy, the evaluator
+ examines other information available (e.g., functional
+ specification, security architecture description,
+ implementation representation). Descriptions of
+ functionality in these documents should be consistent
+ with what is provided for evidence for this work
+ unit
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that interactions between the subsystems of the TSF are
+ described.
+
+ The goal of describing the interactions between the
+ SFR-enforcing subsystems and other subsystems is to help provide
+ the reader a better understanding of how the TSF performs it
+ functions. These interactions do not need to be characterised at
+ the implementation level (e.g., parameters passed from one
+ routine in a subsystem to a routine in a different subsystem;
+ global variables; hardware signals (e.g., interrupts) from a
+ hardware subsystem to an interrupt-handling subsystem), but the
+ data elements identified for a particular subsystem that are
+ going to be used by another subsystem need to be covered in this
+ discussion. Any control relationships between subsystems (e.g.,
+ a subsystem responsible for configuring a rule base for a
+ firewall system and the subsystem that actually implements these
+ rules) should also be described.
+
+ The evaluators need to use their own judgement in assessing the
+ completeness of the description. If the reason for an
+ interaction is unclear, or if there are SFR-related interactions
+ (discovered, for instance, in examining the descriptions of
+ subsystem behaviour) that do not appear to be described, the
+ evaluator ensures that this information is provided by the
+ developer. However, if the evaluator can determine that
+ interactions among a particular set of subsystems, while
+ incompletely described by the developer, will not aid in
+ understanding the overall functionality nor security
+ functionality provided by the TSF, then the evaluator may choose
+ to consider the description sufficient, and not pursue
+ completeness for its own sake.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that it contains a complete and accurate mapping from
+ the TSFI described in the functional specification to
+ the subsystems of the TSF described in the TOE
+ design.
+
+ The subsystems described in the TOE design provide a
+ description of how the TSF works at a detailed level for
+ SFR-enforcing portions of the TSF, and at a higher level
+ for other portions of the TSF. The TSFI provide a
+ description of how the implementation is exercised. The
+ evidence from the developer identifies the subsystem
+ that is initially involved when an operation is
+ requested at the TSFI, and identify the various
+ subsystems that are primarily responsible for
+ implementing the functionality. Note that a complete
+ ``call tree'' for each TSFI is not required for this
+ work unit.
+
+ The evaluator assesses the completeness of the mapping
+ by ensuring that all of the TSFI map to at least one
+ subsystem. The verification of accuracy is more
+ complex.
+
+ The first aspect of accuracy is that each TSFI is mapped
+ to a subsystem at the TSF boundary. This determination
+ can be made by reviewing the subsystem description and
+ interactions, and from this information determining its
+ place in the architecture. The next aspect of accuracy
+ is that the mapping makes sense. For instance, mapping a
+ TSFI dealing with access control to a subsystem that
+ checks passwords is not accurate. The evaluator should
+ again use judgement in making this determination. The
+ goal is that this information aids the evaluator in
+ understanding the system and implementation of the SFRs,
+ and ways in which entities at the TSF boundary can
+ interact with the TSF. The bulk of the assessment of
+ whether the SFRs are described accurately by the
+ subsystems is performed in other work units.
+
+
+
+ The evaluator shall determine that the design is an accurate
+ and complete instantiation of all security functional
+ requirements.
+
+
+ The evaluator shall examine the TOE security functional
+ requirements and the TOE design, to determine that all
+ ST security functional requirements are covered by the
+ TOE design.
+
+ The evaluator may construct a map between the TOE security
+ functional requirements and the TOE design. This map will
+ likely be from a functional requirement to a set of
+ subsystems. Note that this map may have to be at a level of
+ detail below the component or even element level of the
+ requirements, because of operations (assignments, refinements,
+ selections) performed on the functional requirement by the ST
+ author.
+
+ For example, the
+ component contains an element with assignments. If the
+ ST contained, for instance, ten rules in the assignment, and these ten
+ rules were implemented in specific places within fifteen
+ modules, it would be inadequate for the evaluator to map
+ to one subsystem and
+ claim the work unit had been completed. Instead, the
+ evaluator would map
+ (rule 1) to subsystem A, behaviours x, y, and z; (rule 2) to subsystem A,
+ behaviours x, p, and q; etc.
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that it is an accurate instantiation of all security
+ functional requirements.
+
+ The evaluator ensures that each security requirement
+ listed in the TOE security functional requirements
+ subclause of the ST has a corresponding design description
+ in the TOE design that accurately details how the TSF
+ meets that requirement. This requires that the evaluator
+ identify a collection of subsystems that are responsible
+ for implementing a given functional requirement, and
+ then examine those subsystems to understand how the
+ requirement is implemented. Finally, the evaluator would
+ assess whether the requirement was accurately
+ implemented.
+
+ As an example, if the ST requirements specified a
+ role-based access control mechanism, the evaluator would
+ first identify the subsystems that contribute to this
+ mechanism's implementation. This could be done by
+ in-depth knowledge or understanding of the TOE design or
+ by work done in the previous work unit. Note that this
+ trace is only to identify the subsystems, and is not the
+ complete analysis.
+
+ The next step would be to understand what mechanism the
+ subsystems implemented. For instance, if the design
+ described an implementation of access control based on
+ UNIX-style protection bits, the design would not be an
+ accurate instantiation of those access control
+ requirements present in the ST example used above. If
+ the evaluator could not determine that the mechanism was
+ accurately implemented because of a lack of detail, the
+ evaluator would have to assess whether all of the
+ SFR-enforcing subsystems have been identified, or if
+ adequate detail had been provided for those
+ subsystems.
+
+
+
+
+
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ security architecture description;
+
+
+ the TOE design.
+
+
+
+
+ The developer shall provide the design of the TOE.
+
+
+ The developer shall provide a mapping from the TSFI of the
+ functional specification to the lowest level of
+ decomposition available in the TOE design.
+
+
+ The design shall describe the structure of the TOE in terms
+ of subsystems.
+
+
+ The design shall identify all subsystems of the TSF.
+
+
+ The design shall describe the behaviour of each SFR
+ non-interfering subsystem of the TSF in detail sufficient to
+ determine that it is SFR non-interfering.
+
+
+ The design shall describe the SFR-enforcing behaviour of the
+ SFR-enforcing subsystems.
+
+
+ The design shall summarise the SFR-supporting and
+ SFR-non-interfering behaviour of the SFR-enforcing subsystems.
+
+
+ The design shall summarise the behaviour of the
+ SFR-supporting subsystems.
+
+
+ The design shall provide a description of the interactions
+ among all subsystems of the TSF.
+
+
+ The mapping shall demonstrate that all TSFIs trace to the behaviour described in the TOE design that they invoke.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the structure of the entire TOE is described in
+ terms of subsystems.
+
+ The evaluator ensures that all of the subsystems of the
+ TOE are identified. This description of the TOE will be
+ used as input to work unit , where the parts of the TOE that make up
+ the TSF are identified. That is, this requirement is on
+ the entire TOE rather than on only the TSF.
+
+ The TOE (and TSF) may be described in multiple layers of
+ abstraction (i.e. subsystems and modules) Depending upon
+ the complexity of the TOE, its design may be described
+ in terms of subsystems and modules, as described in CC
+ Part 3 . At this
+ level of assurance, the decomposition only need be at
+ the ``subsystem'' level.
+
+ In performing this activity, the evaluator examines
+ other evidence presented for the TOE (e.g., ST, operator
+ user guidance) to determine that the description of the
+ TOE in such evidence is consistent with the description
+ contained in the TOE design.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that all subsystems of the TSF are identified.
+
+ In work unit all of
+ the subsystems of the TOE were identified, and a
+ determination made that the non-TSF subsystems were
+ correctly characterised. Building on that work, the
+ subsystems that were not characterised as non-TSF
+ subsystems should be precisely identified. The evaluator
+ determines that, of the hardware and software installed
+ and configured according to the guidance, each subsystem has been
+ accounted for as either one that is part of the TSF, or
+ one that is not.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that each SFR-non-interfering subsystem of the TSF is
+ described such that the evaluator can determine that the
+ subsystem is SFR-non-interfering.
+
+ SFR-non-interfering subsystems do not need to be
+ described in detail as to how they function in the
+ system. However, the evaluator makes a determination,
+ based on the evidence provided by the developer, that
+ the subsystems that do not have detailed descriptions
+ are SFR-non-interfering. Note that if the developer
+ provides a uniform level of detailed documentation then
+ this work unit will be largely satisfied, since the
+ point of categorising the subsystems is to allow the
+ developer to provide less information for
+ SFR-non-interfering subsystems than for SFR-enforcing
+ and SFR-supporting subsystems.
+
+ An SFR-non-interfering subsystem is one on which the
+ SFR-enforcing and SFR-supporting subsystems have no
+ dependence; that is, they play no role in implementing
+ SFR functionality.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that it provides a complete, accurate, and detailed
+ description of the SFR-enforcing behaviour of the
+ SFR-enforcing subsystems.
+
+ The developer may designate subsystems as SFR-enforcing,
+ SFR-supporting, and SFR non-interfering, but these
+ ``tags'' are used only to describe the amount and type
+ of information the developer must provide, and can be
+ used to limit the amount of information the developer
+ has to develop if their engineering process does not
+ produce the documentation required. Whether the
+ subsystems have been categorised by the developer or
+ not, it is the
+ evaluator's responsibility to determine that the
+ subsystems have the appropriate information for their
+ role (SFR-enforcing, etc.) in the TOE, and to obtain the
+ appropriate information from the developer should the
+ developer fail to provide the required information for a
+ particular subsystem.
+
+ SFR-enforcing behaviour refers to how a
+ subsystem provides the functionality that implements an
+ SFR. While not at the level of an algorithmic
+ description, a detailed description of behaviour
+ typically discusses how the functionality is provided in
+ terms of what key data and data structures are, what
+ control relationships exist within a subsystem, and how
+ these elements work together to provide the
+ SFR-enforcing behaviour. Such a description also
+ references SFR-supporting behaviour, which the evaluator
+ should consider in performing subsequent work
+ units.
+
+ To determine completeness and accuracy, the evaluator
+ examines other information available (e.g., functional
+ specification, security architecture description). Descriptions of
+ functionality in these documents should be consistent
+ with what is provided for evidence for this work unit.
+
+
+
+
+ The evaluator shall examine the TOE design to determine that it
+ provides a complete and accurate high-level description of the
+ SFR-supporting and SFR-non-interfering behaviour of the
+ SFR-enforcing subsystems.
+
+ The developer may designate subsystems as SFR-enforcing,
+ SFR-supporting, and SFR non-interfering, but these
+ ``tags'' are used only to describe the amount and type
+ of information the developer must provide, and can be
+ used to limit the amount of information the developer
+ has to develop if their engineering process does not
+ produce the documentation required. Whether the
+ subsystems have been categorised by the developer or
+ not, it is the
+ evaluator's responsibility to determine that the
+ subsystems have the appropriate information for their
+ role (SFR-enforcing, etc.) in the TOE, and to obtain the
+ appropriate information from the developer should the
+ developer fail to provide the required information for a
+ particular subsystem.
+
+ In contrast to the previous work unit, this work unit calls for
+ the evaluator to assess the information provided for
+ SFR-enforcing subsystems that is SFR-supporting or
+ SFR-non-interfering. The goal of this assessment is two-fold.
+ First, it should provide the evaluator greater understanding of
+ the way each subsystem works. Second, the evaluator determines
+ that all SFR-enforcing behaviour exhibited by a subsystem has
+ been described. Unlike the previous work unit, the information
+ provided for the SFR-supporting or SFR-non-interfering behaviour
+ does not have to be as detailed as that provided by the
+ SFR-enforcing behaviour. For example, data structures or data
+ items that do not pertain to SFR-enforcing functionality will
+ likely not need to be described in detail, if at all. It is the
+ evaluator's determination, however, with respect to what
+ ``high-level'' means for a particular TOE, and the evaluator
+ obtains enough information from the developer (even if it turns
+ out to be equivalent to information provided for the parts of
+ the subsystem that are SFR-enforcing) to make a sound verdict
+ for this work unit.
+
+ The evaluator is cautioned, however, that ``perfect''
+ assurance is not a goal nor required by this work unit,
+ so judgement will have to be exercised in determine the
+ amount and composition of the evidence required to make
+ a verdict on this work unit.
+
+ To determine completeness and accuracy, the evaluator examines
+ other information available (e.g., functional specification,
+ security architecture description). Descriptions of functionality in these
+ documents should be consistent with what is provided for
+ evidence for this work unit. In particular, the functional
+ specification should be used to determine that the behaviour
+ required to implement the TSF Interfaces described by the
+ functional specification are completely described by the
+ subsystem, since the behaviour will either be SFR-enforcing,
+ SFR-supporting or SFR-non-interfering.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that it provides a complete and accurate high-level
+ description of the behaviour of the SFR-supporting
+ subsystems.
+
+ The developer may designate subsystems as SFR-enforcing,
+ SFR-supporting, and SFR non-interfering, but these
+ ``tags'' are used only to describe the amount and type
+ of information the developer must provide, and can be
+ used to limit the amount of information the developer
+ has to develop if their engineering process does not
+ produce the documentation required. Whether the
+ subsystems have been categorised by the developer or
+ not, it is the
+ evaluator's responsibility to determine that the
+ subsystems have the appropriate information for their
+ role (SFR-enforcing, etc.) in the TOE, and to obtain the
+ appropriate information from the developer should the
+ developer fail to provide the required information for a
+ particular subsystem.
+
+ In contrast to the previous two work units, this work
+ unit calls for the developer to provide (and the
+ evaluator to assess) information about SFR supporting
+ subsystems. Such subsystems should be referenced by the
+ descriptions of the SFR-enforcing subsystems, as well as
+ by the descriptions of interactions in work unit . The goal of evaluator's
+ assessment, like that for the previous work unit, is
+ two-fold. First, it should provide the evaluator with
+ an understanding of the way each SFR-supporting
+ subsystem works. Second, the evaluator determines that
+ the behaviour is described in enough detail so that the
+ way in which the subsystem supports the SFR-enforcing
+ behaviour is clear, and that the behaviour is not itself
+ SFR-enforcing. The information provided for
+ SFR-supporting subsystem's behaviour does not have to be
+ as detailed as that provided by the SFR-enforcing
+ behaviour. For example, data structures or data items
+ that do not pertain to SFR-enforcing functionality will
+ likely not need to be described in detail, if at all.
+ It is the evaluator's determination, however, with
+ respect to what ``high-level'' means for a particular
+ TOE, and the evaluator obtains enough information from
+ the developer (even if it turns out to be equivalent to
+ information provided for the parts of the subsystem that
+ are SFR-enforcing) to make a sound verdict for this work
+ unit.
+
+ The evaluator is cautions, however, that ``perfect''
+ assurance is not a goal nor required by this work unit,
+ so judgement will have to be exercised in determine the
+ amount and composition of the evidence required to make
+ a verdict on this work unit.
+
+ To determine completeness and accuracy, the evaluator
+ examines other information available (e.g., functional
+ specification, security architecture description,
+ implementation representation). Descriptions of
+ functionality in these documents should be consistent
+ with what is provided for evidence for this work unit.
+ In particular, the functional specification should be
+ used to determine that the behaviour required to
+ implement the TSF Interfaces described by the functional
+ specification are completely described by the
+ subsystem.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that interactions between the subsystems of the TSF are
+ described.
+
+ The goal of describing the interactions between the subsystems
+ is to help provide the reader a better understanding of how the
+ TSF performs it functions. These interactions do not need to be
+ characterised at the implementation level (e.g., parameters
+ passed from one routine in a subsystem to a routine in a
+ different subsystem; global variables; hardware signals (e.g.,
+ interrupts) from a hardware subsystem to an interrupt-handling
+ subsystem), but the data elements identified for a particular
+ subsystem that are going to be used by another subsystem need to
+ be covered in this discussion. Any control relationships
+ between subsystems (e.g., a subsystem responsible for
+ configuring a rule base for a firewall system and the subsystem
+ that actually implements these rules) should also be
+ described.
+
+ It should be noted while the developer should characterise all
+ interactions between subsystems, the evaluators need to use
+ their own judgement in assessing the completeness of the
+ description. If the reason for an interaction is unclear, or if
+ there are SFR-related interactions (discovered, for instance, in
+ examining the descriptions of subsystem behaviour) that do not
+ appear to be described, the evaluator ensures that this
+ information is provided by the developer. However, if the
+ evaluator can determine that interactions among a particular set
+ of subsystems, while incompletely described by the developer,
+ will not aid in understanding the overall functionality nor
+ security functionality provided by the TSF, then the evaluator
+ may choose to consider the description sufficient, and not
+ pursue completeness for its own sake.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that it contains a complete and accurate mapping from
+ the TSFI described in the functional specification to
+ the subsystems of the TSF described in the TOE
+ design.
+
+ The subsystems described in the TOE design provide a
+ description of how the TSF works at a detailed level for
+ SFR-enforcing portions of the TSF, and at a higher level
+ for other portions of the TSF. The TSFI provide a
+ description of how the implementation is exercised. The
+ evidence from the developer identifies the subsystem
+ that is initially involved when an operation is
+ requested at the TSFI, and identify the various
+ subsystems that are primarily responsible for
+ implementing the functionality. Note that a complete
+ ``call tree'' for each TSFI is not required for this
+ work unit.
+
+ The evaluator assesses the completeness of the mapping
+ by ensuring that all of the TSFI map to at least one
+ subsystem. The verification of accuracy is more
+ complex.
+
+ The first aspect of accuracy is that each TSFI is mapped
+ to a subsystem at the TSF boundary. This determination
+ can be made by reviewing the subsystem description and
+ interactions, and from this information determining its
+ place in the architecture. The next aspect of accuracy
+ is that the mapping makes sense. For instance, mapping a
+ TSFI dealing with access control to a subsystem that
+ checks passwords is not accurate. The evaluator should
+ again use judgement in making this determination. The
+ goal is that this information aids the evaluator in
+ understanding the system and implementation of the SFRs,
+ and ways in which entities at the TSF boundary can
+ interact with the TSF. The bulk of the assessment of
+ whether the SFRs are described accurately by the
+ subsystems is performed in other work units.
+
+
+
+ The evaluator shall determine that the design is an accurate
+ and complete instantiation of all security functional
+ requirements.
+
+
+ The evaluator shall examine the TOE security functional
+ requirements and the TOE design, to determine that all
+ ST security functional requirements are covered by the
+ TOE design.
+
+ The evaluator may construct a map between the TOE security
+ functional requirements and the TOE design. This map will
+ likely be from a functional requirement to a set of
+ subsystems. Note that this map may have to be at a level of
+ detail below the component or even element level of the
+ requirements, because of operations (assignments, refinements,
+ selections) performed on the functional requirement by the ST
+ author.
+
+ For example, the
+ component contains an element with assignments. If the
+ ST contained, for instance, ten rules in the assignment, and these ten
+ rules were implemented in specific places within fifteen
+ modules, it would be inadequate for the evaluator to map
+ to one subsystem and
+ claim the work unit had been completed. Instead, the
+ evaluator would map
+ (rule 1) to subsystem A, behaviours x, y, and z; (rule 2) to subsystem A,
+ behaviours x, p, and q; etc.
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that it is an accurate instantiation of all security
+ functional requirements.
+
+ The evaluator ensures that each security requirement
+ listed in the TOE security functional requirements
+ subclause of the ST has a corresponding design description
+ in the TOE design that accurately details how the TSF
+ meets that requirement. This requires that the evaluator
+ identify a collection of subsystems that are responsible
+ for implementing a given functional requirement, and
+ then examine those subsystems to understand how the
+ requirement is implemented. Finally, the evaluator would
+ assess whether the requirement was accurately
+ implemented.
+
+ As an example, if the ST requirements specified a
+ role-based access control mechanism, the evaluator would
+ first identify the subsystems that contribute to this
+ mechanism's implementation. This could be done by
+ in-depth knowledge or understanding of the TOE design or
+ by work done in the previous work unit. Note that this
+ trace is only to identify the subsystems, and is not the
+ complete analysis.
+
+ The next step would be to understand what mechanism the
+ subsystems implemented. For instance, if the design
+ described an implementation of access control based on
+ UNIX-style protection bits, the design would not be an
+ accurate instantiation of those access control
+ requirements present in the ST example used above. If
+ the evaluator could not determine that the mechanism was
+ accurately implemented because of a lack of detail, the
+ evaluator would have to assess whether all of the
+ SFR-enforcing subsystems have been identified, or if
+ adequate detail had been provided for those
+ subsystems.
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TOE design provides a description of the TOE in terms
+ of subsystems sufficient to determine the TSF boundary,
+ and provides a description of the TSF internals in terms
+ of modules (and optionally higher-level abstractions). It
+ provides a detailed description of the SFR-enforcing
+ modules and enough information about the SFR-supporting
+ and SFR-non-interfering modules for the evaluator to
+ determine that the SFRs are completely and accurately
+ implemented; as such, the TOE design provides an
+ explanation of the implementation representation.
+
+
+
+ There are three types of activity that the evaluator must
+ undertake with respect to the TOE design. First, the evaluator
+ determines that the TSF boundary has been adequately
+ described. Second, the evaluator determines that the developer
+ has provided documentation that conforms to the content and
+ presentation requirements for this subsystem, and that is
+ consistent with other documentation provided for the
+ TOE. Finally, the evaluator must analyse the design information
+ provided for the SFR-enforcing modules (at a detailed level) and
+ the SFR-supporting and SFR-non-interfering modules (at a less detailed level) to
+ understand how the system is implemented, and with that
+ knowledge ensure that the TSFI in the functional specification
+ are adequately described, and that the test information
+ adequately tests the TSF (done in the work units).
+
+ It is important to note that while the developer is obligated to
+ provide a complete description of the TSF (although
+ SFR-enforcing modules will have more detail than the
+ SFR-supporting or SFR-non-interfering modules), the evaluator is
+ expected to use their judgement in performing their
+ analysis. While the evaluator is expected to look at every
+ module, the detail to which they examine each module may
+ vary. The evaluator analyses each module in order to gain enough
+ understanding to determine the effect of the functionality of
+ the module on the security of the system, and the depth to which
+ they need to analyse the module may vary depending on the
+ module's role in the system. An important aspect of this
+ analysis is that the evaluator should use the other
+ documentation provided (TSS, functional specification, security
+ architecture description, and the TSF internal document) in
+ order to determine that the functionality that is described is
+ correct, and that the implicit designation of SFR-supporting or
+ SFR-non-interfering modules (see below) is supported by their
+ role in the system architecture.
+
+ The developer may designate modules as SFR-enforcing,
+ SFR-supporting, and SFR non-interfering, but these
+ ``tags'' are used only to describe the amount and type
+ of information the developer must provide, and can be
+ used to limit the amount of information the developer
+ has to develop if their engineering process does not
+ produce the documentation required. Whether the
+ modules have been categorised by the developer or
+ not, it is the
+ evaluator's responsibility to determine that the
+ modules have the appropriate information for their
+ role (SFR-enforcing, etc.) in the TOE, and to obtain the
+ appropriate information from the developer should the
+ developer fail to provide the required information for a
+ particular module.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ security architecture description;
+
+
+ the TOE design.
+
+
+
+
+ The developer shall provide the design of the TOE.
+
+
+ The developer shall provide a mapping from the TSFI of the
+ functional specification to the lowest level of
+ decomposition available in the TOE design.
+
+
+ The design shall describe the structure of the TOE in terms
+ of subsystems.
+
+
+ The design shall describe the TSF in terms of modules.
+
+
+ The design shall identify all subsystems of the TSF.
+
+
+ The design shall provide a description of each subsystem of
+ the TSF.
+
+
+ The design shall provide a description of the interactions
+ among all subsystems of the TSF.
+
+
+ The design shall provide a mapping from the subsystems of
+ the TSF to the modules of the TSF.
+
+
+ The design shall describe each SFR-enforcing module in terms of
+ its purpose and relationship with other modules.
+
+
+ The design shall describe each SFR-enforcing module in terms of
+ its SFR-related interfaces, return values from those interfaces,
+ interaction with other modules and called
+ SFR-related interfaces to other SFR-enforcing modules.
+
+
+ The design shall describe each SFR-supporting or
+ SFR-non-interfering module in terms of its purpose and
+ interaction with other modules.
+
+
+ The mapping shall demonstrate that all TSFIs trace to the behaviour described in the TOE design that they invoke.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the structure of the entire TOE is described in
+ terms of subsystems.
+
+ The evaluator ensures that all of the subsystems of the
+ TOE are identified. This description of the TOE will be
+ used as input to work unit , where the parts of the TOE that make up
+ the TSF are identified. That is, this requirement is on
+ the entire TOE rather than on only the TSF.
+
+ The TOE (and TSF) may be described in multiple layers of
+ abstraction (i.e. subsystems and modules). Depending upon the
+ complexity of the TOE, its design may be described in terms of
+ subsystems and modules, as described in CC Part 3 . For a very simple TOE that can be
+ described solely at the ``module'' level (see ), this work unit is not
+ applicable and therefore considered to be satisfied.
+
+ In performing this activity, the evaluator examines
+ other evidence presented for the TOE (e.g., ST, operator
+ user guidance) to determine that the description of the
+ TOE in such evidence is consistent with the description
+ contained in the TOE design.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the entire TSF is described in terms of
+ modules.
+
+ The evaluator will examine the modules for specific
+ properties in other work units; in this work unit the
+ evaluator determines that the modular description covers
+ the entire TSF, and not just a portion of the TSF. The
+ evaluator uses other evidence provided for the
+ evaluation (e.g., functional specification,
+ security architecture description) in making this
+ determination. For example, if the
+ functional specification contains interfaces to
+ functionality that does not appear to be described in
+ the TOE design description, it may be the case that a
+ portion of the TSF has not been included
+ appropriately. Making this determination will likely be
+ an iterative process, where as more analysis is done on
+ the other evidence, more confidence can be gained with
+ respect to the completeness of the documentation.
+
+ Unlike subsystems, modules describe the implementation in a level of detail that can serve
+ as a guide to reviewing the implementation representation. A description of a module should
+ be such that one could create an implementation of the module from the description, and the
+ resulting implementation would be 1) identical to the actual TSF implementation in terms of
+ the interfaces presented, 2) identical in the use of interfaces that are mentioned in the
+ design, and 3) functionally equivalent to the description of the purpose of the TSF module.
+ For instance, RFC 793 provides a high-level description of the TCP protocol. It is
+ necessarily implementation independent. While it provides a wealth of detail, it is
+ not
+ a suitable design description because it is not specific to an implementation. An actual
+ implementation can add to the protocol specified in the RFC, and implementation choices (for
+ instance, the use of global data vs. local data in various parts of the implementation) may
+ have an impact on the analysis that is performed. The design description of the TCP module would
+ list the interfaces presented by the implementation (rather than just those defined in RFC 793),
+ as well as an algorithm description of the processing associated with the modules implementing
+ TCP (assuming it was part of the TSF).
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that all subsystems of the TSF are identified.
+
+ If the design is presented solely in terms of modules,
+ then subsystems in these requirements are equivalent to
+ modules and the activity should be performed at the
+ module level.
+ + In work unit all of + the subsystems of the TOE were identified, and a + determination made that the non-TSF subsystems were + correctly characterised. Building on that work, the + subsystems that were not characterised as non-TSF + subsystems should be precisely identified. The evaluator + determines that, of the hardware and software installed + and configured according to the guidance, each subsystem has been + accounted for as either one that is part of the TSF, or + one that is not. + + + + + The evaluator shall examine the TOE design to determine + that each subsystem of the TSF describes its role in + the enforcement of SFRs described in the ST. + + If the design is presented solely in terms of modules, + then this work unit will be considered satisfied by the + assessment done in subsequent work units; no explicit + action on the part of the evaluator is necessary in this + case. + + On systems that are complex enough to warrant a + subsystem-level description of the TSF in addition to + the modular description, the goal of the subsystem-level + description is to give the evaluator context for the + modular description that follows. Therefore, the + evaluator ensures that the subsystem-level description + contains a description of how the security functional + requirements are achieved in the design, but at a level + of abstraction above the modular description. This + description should discuss the mechanisms used at a + level that is aligned with the module description; this + will provide the evaluators the road map needed to + intelligently assess the information contained in the + module description. A well-written set of subsystem + descriptions will help guide the evaluator in + determining the modules that are most important to + examine, thus focusing the evaluation activity on the + portions of the TSF that have the most relevance with + respect to the enforcement of the SFRs. 
+ + The evaluator ensures that all subsystems of the TSF + have a description. While the description should focus + on the role that the subsystem plays in enforcing or + supporting the implementation of the SFRs, enough + information must be present so that a context for + understanding the SFR-related functionality is + provided. + + The evaluator shall examine the TOE design to determine that + each SFR-non-interfering subsystem of the TSF is described such that + the evaluator can determine that the subsystem is SFR-non-interfering. + If the design is presented solely in terms of modules, then this work unit + will be considered satisfied by the assessment done in subsequent work units; + no explicit action on the part of the evaluator is necessary in this case. + An SFR-non-interfering subsystem is one on which the SFR-enforcing and + SFR-supporting subsystems have no dependence; that is, they play no role + in implementing SFR functionality. + The evaluator ensures that all subsystems of the TSF have a description. + While the description should focus on the role that the subsystem do not plays + in enforcing or supporting the implementation of the SFRs, enough information + must be present so that a context for understanding the SFR-non-interfering + functionality is provided. + + + + The evaluator shall examine the TOE design to determine + that interactions between the subsystems of the TSF are + described. + + If the design is presented solely in terms of modules, + then this work unit will be considered satisfied by the + assessment done in subsequent work units; no explicit + action on the part of the evaluator is necessary in this + case. + + On systems that are complex enough to warrant a subsystem-level + description of the TSF in addition to the modular description, + the goal of describing the interactions between the subsystems + is to help provide the reader a better understanding of how the + TSF performs its functions. 
These interactions do not need to be + characterised at the implementation level (e.g., parameters + passed from one routine in a subsystem to a routine in a + different subsystem; global variables; hardware signals (e.g., + interrupts) from a hardware subsystem to an interrupt-handling + subsystem), but the data elements identified for a particular + subsystem that are going to be used by another subsystem should + be covered in this discussion. Any control relationships + between subsystems (e.g., a subsystem responsible for + configuring a rule base for a firewall system and the subsystem + that actually implements these rules) should also be described. + + It should be noted while the developer should characterise all + interactions between subsystems, the evaluators need to use + their own judgement in assessing the completeness of the + description. If the reason for an interaction is unclear, or if + there are SFR-related interactions (discovered, for instance, in + examining the module-level documentation) that do not appear to + be described, the evaluator ensures that this information is + provided by the developer. However, if the evaluator can + determine that interactions among a particular set of + subsystems, while incompletely described by the developer, and a + complete description will not aid in understanding the overall + functionality nor security functionality provided by the TSF, + then the evaluator may choose to consider the description + sufficient, and not pursue completeness for its own sake. + + + + + The evaluator shall examine the TOE design to determine + that the mapping between the subsystems of the TSF and + the modules of the TSF is complete. + + If the design is presented solely in terms of modules, + then this work unit is considered satisfied. 
+ + For TOEs that are complex enough to warrant a + subsystem-level description of the TSF in addition to + the modular description, the developer provides a simple + mapping showing how the modules of the TSF are allocated + to the subsystems. This will provide the evaluator a + guide in performing their module-level assessment. To + determine completeness, the evaluator examines each + mapping and determines that all subsystems map to at + least one module, and that all modules map to exactly + one subsystem. + + + + + The evaluator shall examine the TOE design to determine + that the mapping between the subsystems of the TSF and + the modules of the TSF is accurate. + + If the design is presented solely in terms of modules, + then this work unit is considered satisfied. + + For TOEs that are complex enough to warrant a + subsystem-level description of the TSF in addition to + the modular description, the developer provides a simple + mapping showing how the modules of the TSF are allocated + to the subsystems. This will provide the evaluator a + guide in performing their module-level assessment. The + evaluator may choose to check the accuracy of the + mapping in conjunction with performing other work + units. An ``inaccurate'' mapping is one where the module + is mistakenly associated with a subsystem where its + functions are not used within the subsystem. Because the + mapping is intended to be a guide supporting more + detailed analysis, the evaluator is cautioned to apply + appropriate effort to this work unit. Expending + extensive evaluator resources verifying the accuracy of + the mapping is not necessary. Inaccuracies that lead to + mis-understandings related to the design that are + uncovered as part of this or other work units are the + ones that should be associated with this work unit and + corrected. 
+ + + + + The evaluator shall examine the TOE design to determine + that the description of the purpose of each + SFR-enforcing module and relationship with other modules is complete and accurate. + + The developer may designate modules as SFR-enforcing, + SFR-supporting, and SFR non-interfering, but these + ``tags'' are used only to describe the amount and type + of information the developer must provide, and can be + used to limit the amount of information the developer + has to develop if their engineering process does not + produce the documentation required. Whether the + modules have been categorised by the developer or + not, it is the + evaluator's responsibility to determine that the + modules have the appropriate information for their + role (SFR-enforcing, etc.) in the TOE, and to obtain the + appropriate information from the developer should the + developer fail to provide the required information for a + particular module. + + The purpose of a module provides a description + indicating what function the module is fulfilling. A + word of caution to evaluator is in order. The focus of + this work unit should be to provide the evaluator an + understanding of how the module works so that + determinations can be made about the soundness of the + implementation of the SFRs, as well as to support + architectural analysis performed for component. As long as the evaluator has a + sound understanding of the module's operation, and its + relationship to other modules and the TOE as a whole, + the evaluator should consider the objective of the work + achieved and not engage in a documentation exercise for + the developer (by requiring, for example, a complete + algorithmic description for a self-evident + implementation representation). 
+ Because the modules are at such a low level, it may be difficult + determine completeness and accuracy impacts from other + documentation, such as operational user guidance, the functional + specification, the TSF internals, or the security architecture + description. However, the evaluator uses the information present + in those documents to the extent possible to help ensure that + the purpose is accurately and completely described. This + analysis can be aided by the analysis performed for the work + units for the element, + which maps the TSFI in the functional specification to the + modules of the TSF. + + + + + The evaluator shall examine the TOE design to determine + that the description of the interfaces presented by each + SFR-enforcing module contain an accurate and complete + description of the SFR-related parameters, the + invocation conventions for each interface, and any + values returned directly by the interface. + + The SFR-related interfaces of a module are those + interfaces used by other modules as a means to invoke + the SFR-related operations provided, and to provide + inputs to or receive outputs from the module. The + purpose in the specification of these interfaces is to + permit the exercise of them during testing. + Inter-module interfaces that are not SFR-related need + not be specified or described, since they are not a + factor in testing. Likewise, other internal interfaces + that are not a factor in traversing SFR-related paths of + execution (such as those internal paths that are fixed) + need not be specified or described, since they are not a factor in testing. + + SFR-related interfaces are described in terms of how + they are invoked, and any values that are returned. This + description would include a list of SFR-related + parameters, and descriptions of these parameters. Note + that global data would also be considered parameters if + used by the module (either as inputs or outputs) when + invoked. 
If a parameter were expected to take on a set + of values (e.g., a ``flag'' parameter), the complete set + of values the parameter could take on that would have an + effect on module processing would be + specified. Likewise, parameters representing data + structures are described such that each field of the + data structure is identified and described. Note that + different programming languages may have additional + ``interfaces'' that would be non-obvious; an example + would be operator/function overloading in C++. This + ``implicit interface'' in the class description would + also be described as part of the low-level TOE + design. Note that although a module could present only + one interface, it is more common that a module presents + a small set of related interfaces. + + In terms of the assessment of parameters (inputs and + outputs) to a module, any use of global data must also + be considered. A module ``uses'' global data if it + either reads or writes the data. In order to assure the + description of such parameters (if used) is complete, + the evaluator uses other information provided about the + module in the TOE design (interfaces, algorithmic + description, etc.), as well as the description of the + particular set of global data assessed in work unit + . For instance, the + evaluator could first determine the processing the + module performs by examining its function and interfaces + presented (particularly the parameters of the + interfaces). They could then check to see if the + processing appears to ``touch'' any of the global data + areas identified in the TOE design. The evaluator then + determines that, for each global data area that appears + to be ``touched'', that global data area is listed as a + means of input or output by the module the evaluator is + examining. 
+ + Invocation conventions are a programming-reference-type + description that one could use to correctly invoke a + module's interface if one were writing a program to make + use of the module's functionality through that + interface. This includes necessary inputs and outputs, + including any set-up that may need to be performed with + respect to global variables. + + Values returned through the interface refer to values + that are either passed through parameters or messages; + values that the function call itself returns in the + style of a ``C'' program function call; or values passed + through global means (such as certain error routines in + *ix-style operating systems). + + In order to assure the description is complete, the + evaluator uses other information provided about the + module in the TOE design (e.g., algorithmic description, + global data used) to ensure that it appears all data + necessary for performing the functions of the module is + presented to the module, and that any values that other + modules expect the module under examination to provide + are identified as being returned by the module. The + evaluator determines accuracy by ensuring that the + description of the processing matches the information + listed as being passed to or from an interface. + + + + + + The evaluator shall examine the TOE design to determine that + SFR-supporting and SFR-non-interfering modules are correctly + categorised. + + In the cases where the developer has provided different amounts + of information for different modules, an implicit categorisation + has been done. That is, modules (for instance) with detail + presented on their SFR-related interfaces (see ) are candidate SFR-enforcing + modules, although examination by the evaluator may lead to a + determination that some set of them are SFR-supporting or + SFR-non-interfering. 
Those with only a description of their + purpose and interaction with other modules (for instance) are + ``implicitly categorised'' as SFR-supporting or + SFR-non-interfering. + + In these cases, a key focus of the evaluator for this work unit + is attempting to determine from the evidence provided for each + module implicitly categorised as SFR-supporting or + SFR-non-interfering and the evaluation information about other + modules (in the TOE design, the functional specification, the + security architecture description, and the operational user + guidance), whether the module is indeed SFR-supporting or + SFR-non-interfering. At this level of assurance some error + should be tolerated; the evaluator does not have to be + absolutely sure that a given module is SFR-supporting or + SFR-non-interfering, even though it is labelled as + such. However, if the evidence provided indicates that a + SFR-supporting or SFR-non-interfering module is SFR-enforcing, + the evaluator requests additional information from the developer + in order to resolve the apparent inconsistency. For instance, + suppose the documentation for Module A (an SFR-enforcing module) + indicates that it calls Module B to perform an access check on a + certain type of construct. When the evaluator examines the + information associated with Module B, they find that all the + developer has provided is a purpose and a set of interactions + (thus implicitly categorising Module B as SFR-supporting or + SFR-non-interfering). On examining the purpose and interactions + from Module A, the evaluator finds no mention of Module B + performing any access checks, and Module A is not listed as a + module with which Module B interacts. At this point the + evaluator should approach the developer to resolve the + discrepancies between the information provided in Module A and + that in Module B. + + Another example would be where the evaluator examines the + mapping of the TSFI to the modules as provided by . 
This examination shows that + Module C is associated with an SFR requiring identification of + the user. Again, when the evaluator examines the information + associated with Module C, they find that all the developer has + provided is a purpose and a set of interactions (thus implicitly + categorising Module C as SFR-supporting or + SFR-non-interfering). Examining the purpose and interactions + presented for Module C, the evaluator is unable to determine why + Module C, listed as mapping to a TSFI concerned with user + identification, would not be classified as SFR-enforcing. Again, + the evaluator should approach the developer to resolve this + discrepancy. + + + A final example is from the opposite point of view. As + before, the developer has provided information associated + with Module D consisting of a purpose and a set of + interactions (thus implicitly categorising Module D as + SFR-supporting or SFR-non-interfering). The evaluator + examines all of the evidence provided, including the purpose + and interactions for Module D. The purpose appears to give a + meaningful description of Module D's function in the TOE, + the interactions are consistent with that description, and + there is nothing to indicate that Module D is + SFR-enforcing. In this case, the evaluator should not demand + more information about Module D ``just be to sure'' it is + correctly categorised. The developer has met their + obligations and the resulting assurance the evaluator has in + the implicit categorisation of Module D is (by definition) + appropriate for this assurance level. + + + + + The evaluator shall examine the TOE design to determine that the + description of the purpose of each SFR-supporting or + SFR-non-interfering module is complete and accurate. + + The description of the purpose of a module indicates + what function the module is fulfilling. From the + description, the evaluator should be able to obtain a + general idea of the module's role. 
In order to assure + the description is complete, the evaluator uses the + information provided about the module's interactions + with other modules to assess whether the reasons for the + module being called are consistent with the module's + purpose. If the interaction description contains + functionality that is not apparent from, or in conflict + with, the module's purpose, the evaluator needs to + determine whether the problem is one of accuracy or of + completeness. The evaluator should be wary of purposes + that are too short, since meaningful analysis based on a + one-sentence purpose is likely to be impossible. + + Because the modules are at such a low level, it may be difficult determine + completeness and accuracy impacts from other documentation, + such as administrative guidance, the functional specification, + the security architecture description, or the TSF internals document. + However, the evaluator uses the information present in those documents + to the extent possible to help ensure that the function is accurately + and completely described. This analysis can be aided by the analysis + performed for the work units for the ADV_TDS.3.10C element, + which maps the TSFI in the functional specification to the modules of the TSF. + + + + + The evaluator shall examine the TOE design to determine that the + description of a SFR-supporting or SFR-non-interfering module's + interaction with other modules is complete and accurate. + + It is important to note that, in terms of the Part 3 + requirement and this work unit, the term + interaction is intended to convey less + rigour than interface. 
An interaction + does not need to be characterised at the implementation + level (e.g., parameters passed from one routine in a + module to a routine in a different module; global + variables; hardware signals (e.g., interrupts) from a + hardware subsystem to an interrupt-handling subsystem), + but the data elements identified for a particular module + that are going to be used by another module should be + covered in this discussion. Any control relationships + between modules (e.g., a module responsible for + configuring a rule base for a firewall system and the + module that actually implements these rules) should also + be described. + + Because the modules are at such a low level, it may be difficult + determine completeness and accuracy impacts from other + documentation, such as operational user guidance, the functional + specification, the security architecture description, or the TSF + internals document. However, the evaluator uses the information + present in those documents to the extent possible to help ensure + that the function is accurately and completely described. This + analysis can be aided by the analysis performed for the work + units for the element, + which maps the TSFI in the functional specification to the + modules of the TSF. + + A module's interaction with other modules goes beyond + just a call-tree-type document. The interaction is + described from a functional perspective of why a module + interacts with other modules. The module's purpose + describes what functions the module provides to other + modules; the interactions should describe what the + module depends on from other modules in order to + accomplish this function. + + + + + + The evaluator shall examine the TOE design to determine + that it contains a complete and accurate mapping from + the TSFI described in the functional specification to + the modules of the TSF described in the TOE + design. 
+ + The modules described in the TOE design provide a description of + the implementation of the TSF. The TSFI provide a description of + how the implementation is exercised. The evidence from the + developer identifies the module that is initially invoked when + an operation is requested at the TSFI, and identifies the chain + of modules invoked up to the module that is primarily + responsible for implementing the functionality. However, a + complete call tree for each TSFI is not required for this work + unit. The cases in which more than one module would have to be + identified are where there are ``entry point'' modules or + wrapper modules that have no functionality other than + conditioning inputs or de-multiplexing an input. Mapping to one + of these modules would not provide any useful information to the + evaluator. + + The evaluator assesses the completeness of the mapping + by ensuring that all of the TSFI map to at least one + module. The verification of accuracy is more + complex. + + The first aspect of accuracy is that each TSFI is mapped to a module at the TSF boundary. + This determination can be made by reviewing the module description and its + interfaces/interactions. The next aspect of accuracy is that each TSFI identifies + a chain of modules between the initial module identified and a module + that is primarily responsible for implementing the function presented at the TSF. + Note that this may be the initial module, or there may be several modules, + depending on how much pre-conditioning of the inputs is done. It should be noted that + one indicator of a pre-conditioning module is that it is invoked for a large number + of the TSFI, where the TSFI are all of similar type (e.g., system call). + The final aspect of accuracy is that the mapping makes sense. For instance, + mapping a TSFI dealing with access control to a module that checks passwords + is not accurate. The evaluator should again use judgement in making this determination. 
+ The goal is that this information aids the evaluator in understanding the system and + implementation of the SFRs, and ways in which entities at the TSF boundary can interact + with the TSF. The bulk of the assessment of whether the SFRs are described accurately + by the modules is performed in other work units. + + + + The evaluator shall determine that the design is an accurate + and complete instantiation of all security functional + requirements. + + + The evaluator shall examine the TOE security functional + requirements and the TOE design, to determine that all + ST security functional requirements are covered by the + TOE design. + + The evaluator may construct a map between the TOE + security functional requirements and the TOE design. + This map will likely be from a functional requirement to + a set of subsystems, and later to modules. Note that this map may have to be + at a level of detail below the component or even element + level of the requirements, because of operations + (assignments, refinements, selections) performed on the + functional requirement by the ST author. + + For example, the + component contains an element with assignments. If the + ST contained, for instance, ten rules in the assignment, and these ten + rules were implemented in specific places within fifteen + modules, it would be inadequate for the evaluator to map + to one subsystem and + claim the work unit had been completed. Instead, the + evaluator would map + (rule 1) to modules x, y, and z of subsystem A; + (rule 2) to modules x, p, and q of subsystem A; etc. + + + + The evaluator shall examine the TOE design to determine + that it is an accurate instantiation of all security + functional requirements. + + The evaluator may construct a map between the TOE security + functional requirements and the TOE design. This map will + likely be from a functional requirement to a set of + subsystems. 
Note that this map may have to be at a level of + detail below the component or even element level of the + requirements, because of operations (assignments, refinements, + selections) performed on the functional requirement by the ST + author. + + As an example, if the ST requirements specified a + role-based access control mechanism, the evaluator would + first identify the subsystems, and modules that contribute to this + mechanism's implementation. This could be done by + in-depth knowledge or understanding of the TOE design or + by work done in the previous work unit. Note that this + trace is only to identify the subsystems, and modules, and is not the + complete analysis. + + The next step would be to understand what mechanism the + subsystems, and modules implemented. For instance, if the design + described an implementation of access control based on + UNIX-style protection bits, the design would not be an + accurate instantiation of those access control + requirements present in the ST example used above. If + the evaluator could not determine that the mechanism was + accurately implemented because of a lack of detail, the + evaluator would have to assess whether all of the + SFR-enforcing subsystems and modules have been identified, or if + adequate detail had been provided for those subsystems and modules. + + + + + + + + + The objective of this sub-activity is to determine whether + the TOE design provides a description of the TOE in terms + of subsystems sufficient to determine the TSF boundary, + and provides a description of the TSF internals in terms + of modules (and optionally higher-level abstractions). It + provides a detailed description of the SFR-enforcing and + SFR-supporting modules and enough information about the + SFR-non-interfering modules for the evaluator to determine + that the SFRs are completely and accurately implemented; + as such, the TOE design provides an explanation of the + implementation representation. 
+ + + + There are three types of activity that the evaluator must + undertake with respect to the TOE design. First, the evaluator + determines that the TSF boundary has been adequately + described. Second, the evaluator determines that the developer + has provided documentation that conforms to the content and + presentation requirements this subsystem, and that is consistent + with other documentation provided for the TOE. Finally, the + evaluator must analyse the design information provided for the + SFR-enforcing modules (at a detailed level) and the + SFR-supporting and SFR-non-interfering modules (at a less detailed level) to + understand how the system is implemented, and with that + knowledge ensure that the TSFI in the functional specification + are adequately described, and that the test information + adequately tests the TSF (done in the work units). + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the functional specification; + + + security architecture description; + + + the TOE design. + + + + + The developer shall provide the design of the TOE. + + + The developer shall provide a mapping from the TSFI of the + functional specification to the lowest level of + decomposition available in the TOE design. + + + The design shall describe the structure of the TOE in terms + of subsystems. + + + The design shall describe the TSF in terms of modules, + designating each module as SFR-enforcing, + SFR-supporting, or SFR-non-interfering. + + + The design shall identify all subsystems of the TSF. + + + The design shall provide a semiformal description of each subsystem of + the TSF, supported by informal, explanatory text where appropriate. + + + The design shall provide a description of the interactions + among all subsystems of the TSF. + + + The design shall provide a mapping from the subsystems of + the TSF to the modules of the TSF. 
+
+
+ The design shall describe each SFR-enforcing and SFR-supporting
+ module in terms of its purpose and relationship with other
+ modules.
+
+
+ The design shall describe each SFR-enforcing and SFR-supporting module
+ in terms of its SFR-related interfaces, return values from those interfaces,
+ interaction with other modules and called SFR-related
+ interfaces to other SFR-enforcing or SFR-supporting modules.
+
+
+ The design shall describe each SFR-non-interfering module in
+ terms of its purpose and interaction with other modules.
+
+
+ The mapping shall demonstrate that all TSFIs trace to the behaviour described in the TOE design that they invoke.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the structure of the entire TOE is described in
+ terms of subsystems.
+
+ The evaluator ensures that all of the subsystems of the
+ TOE are identified. This description of the TOE will be
+ used as input to work unit , where the parts of the TOE that make up
+ the TSF are identified. That is, this requirement is on
+ the entire TOE rather than on only the TSF.
+
+ The TOE (and TSF) may be described in multiple layers of
+ abstraction (i.e. subsystems and modules) Depending upon
+ the complexity of the TOE, its design may be described
+ in terms of subsystems and modules, as described in CC
+ Part 3 . For a very
+ simple TOE that can be described solely at the
+ ``module'' level (see ), this work unit is not applicable and
+ therefore considered to be satisfied.
+
+ In performing this activity, the evaluator examines
+ other evidence presented for the TOE (e.g., ST, operator
+ user guidance) to determine that the description of the
+ TOE in such evidence is consistent with the description
+ contained in the TOE design.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the entire TSF is described in terms of
+ modules.
+
+ The evaluator will examine the modules for specific
+ properties in other work units; in this work unit the
+ evaluator determines that the modular description covers
+ the entire TSF, and not just a portion of the TSF. The
+ evaluator uses other evidence provided for the
+ evaluation (e.g., functional specification,
+ architectural description) in making this
+ determination. For example, if the functional
+ specification contains interfaces to functionality that
+ does not appear to be described in the TOE design
+ description, it may be the case that a portion of the
+ TSF has not been included appropriately. Making this
+ determination will likely be an iterative process, where
+ as more analysis is done on the other evidence, more
+ confidence can be gained with respect to the
+ completeness of the documentation.
+
+ Unlike subsystems, modules describe the implementation in a level of detail that can serve
+ as a guide to reviewing the implementation representation. A description of a module should
+ be such that one could create an implementation of the module from the description, and the
+ resulting implementation would be 1) identical to the actual TSF implementation in terms of
+ the interfaces presented, 2) identical in the use of interfaces that are mentioned in the
+ design, and 3) functionally equivalent to the description of the purpose of the TSF module.
+ For instance, RFC 793 provides a high-level description of the TCP protocol. It is
+ necessarily implementation independent. While it provides a wealth of detail, it is
+ not
+ a suitable design description because it is not specific to an implementation. An actual
+ implementation can add to the protocol specified in the RFC, and implementation choices (for
+ instance, the use of global data vs.
local data in various parts of the implementation) may
+ have an impact on the analysis that is performed. The design description of the TCP module would
+ list the interfaces presented by the implementation (rather than just those defined in RFC 793),
+ as well as an algorithm description of the processing associated with the modules implementing
+ TCP (assuming it was part of the TSF).
+
+
+
+
+ The evaluator shall check the TOE design to determine
+ that the TSF modules are identified as either
+ SFR-enforcing, SFR-supporting, or
+ SFR-non-interfering.
+
+ The purpose of designating each module (according to the role a
+ particular module plays in the enforcement of the SFRs) is to
+ allow developers to provide less information about the parts of
+ the TSF that have little role in security. It is always
+ permissible for the developer to provide more information or
+ detail than the requirements demand, as might occur when the
+ information has been gathered outside the evaluation context. In
+ such cases the developer must still designate the modules as
+ either SFR-enforcing, SFR-supporting, or
+ SFR-non-interfering.
+
+ The accuracy of these designations is continuously
+ reviewed as the evaluation progresses. The concern is
+ the mis-designation of modules as being less important
+ (and hence, having less information) than is really the
+ case. While blatant mis-designations may be immediately
+ apparent (e.g., designating an authentication module as
+ anything but SFR-enforcing when is one of the SFRs being claimed), other
+ mis-designations might not be discovered until the TSF
+ is better understood. The evaluator must therefore keep
+ in mind that these designations are the developer's
+ initial best effort, but are subject to change. Further
+ guidance is provided under work unit , which examines the
+ accuracy of these designations.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that all subsystems of the TSF are identified.
+
+ If the design is presented solely in terms of modules,
+ then subsystems in these requirements are equivalent to
+ modules and the activity should be performed at the
+ module level.
+
+ In work unit all of
+ the subsystems of the TOE were identified, and a
+ determination made that the non-TSF subsystems were
+ correctly characterised. Building on that work, the
+ subsystems that were not characterised as non-TSF
+ subsystems should be precisely identified. The evaluator
+ determines that, of the hardware and software installed
+ and configured according to the guidance, each subsystem has been
+ accounted for as either one that is part of the TSF, or
+ one that is not.
+ The evaluator shall examine the TDS documentation to determine
+ that the semiformal notation used for describing the subsystems, modules and
+ their interfaces is defined or referenced.A semiformal notation can be either defined by the sponsor or
+ a corresponding standard be referenced. The evaluator should provide a mapping
+ of security functions and their interfaces outlining in what part of the
+ documentation a function or interface is semiformal described and what notation
+ is used. The evaluator examines all semiformal notations used to make sure that
+ they are of a semiformal style and to justify the appropriateness of the manner
+ how the semiformal notations are used for the TOE.The evaluator is reminded that a semi-formal presentation is
+ characterised by a standardised format with a well-defined syntax that reduces
+ ambiguity that may occur in informal presentations. The syntax of all semiformal
+ notations used in the functional specification shall be defined or a corresponding
+ standard be referenced. The evaluator verifies that the semiformal notations used
+ for expressing the functional specification are capable of expressing features
+ relevant to security.
In order to determine this, the evaluator can refer to the
+ SFR and compare the TSF security features stated in the ST and those described
+ in the FSP using the semiformal notations.
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that each subsystem of the TSF describes its role in
+ the enforcement of SFRs described in the ST.
+
+ If the design is presented solely in terms of modules,
+ then this work unit will be considered satisfied by the
+ assessment done in subsequent work units; no explicit
+ action on the part of the evaluator is necessary in this
+ case.
+
+ On systems that are complex enough to warrant a
+ subsystem-level description of the TSF in addition to
+ the modular description, the goal of the subsystem-level
+ description is to give the evaluator context for the
+ modular description that follows. Therefore, the
+ evaluator ensures that the subsystem-level description
+ contains a description of how the security functional
+ requirements are achieved in the design, but at a level
+ of abstraction above the modular description. This
+ description should discuss the mechanisms used at a
+ level that is aligned with the module description; this
+ will provide the evaluators the road map needed to
+ intelligently assess the information contained in the
+ module description. A well-written set of subsystem
+ descriptions will help guide the evaluator in
+ determining the modules that are most important to
+ examine, thus focusing the evaluation activity on the
+ portions of the TSF that have the most relevance with
+ respect to the enforcement of the SFRs.
+
+ The evaluator ensures that all subsystems of the TSF
+ have a description. While the description should focus
+ on the role that the subsystem plays in enforcing or
+ supporting the implementation of the SFRs, enough
+ information must be present so that a context for
+ understanding the SFR-related functionality is
+ provided.
+
+ The evaluator shall examine the TOE design to determine that
+ each SFR-non-interfering subsystem of the TSF is described such that
+ the evaluator can determine that the subsystem is SFR-non-interfering.
+ If the design is presented solely in terms of modules, then this work unit
+ will be considered satisfied by the assessment done in subsequent work units;
+ no explicit action on the part of the evaluator is necessary in this case.
+ An SFR-non-interfering subsystem is one on which the SFR-enforcing and
+ SFR-supporting subsystems have no dependence; that is, they play no role
+ in implementing SFR functionality.
+ The evaluator ensures that all subsystems of the TSF have a description.
+ While the description should focus on the role that the subsystem do not plays
+ in enforcing or supporting the implementation of the SFRs, enough information
+ must be present so that a context for understanding the SFR-non-interfering
+ functionality is provided.
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that interactions between the subsystems of the TSF are
+ described.
+
+ If the design is presented solely in terms of modules,
+ then this work unit will be considered satisfied by the
+ assessment done in subsequent work units; no explicit
+ action on the part of the evaluator is necessary in this
+ case.
+
+ On systems that are complex enough to warrant a subsystem-level
+ description of the TSF in addition to the modular description,
+ the goal of describing the interactions between the subsystems
+ is to help provide the reader a better understanding of how the
+ TSF performs it functions.
These interactions do not need to be
+ characterised at the implementation level (e.g., parameters
+ passed from one routine in a subsystem to a routine in a
+ different subsystem; global variables; hardware signals (e.g.,
+ interrupts) from a hardware subsystem to an interrupt-handling
+ subsystem), but the data elements identified for a particular
+ subsystem that are going to be used by another subsystem need to
+ be covered in this discussion. Any control relationships
+ between subsystems (e.g., a subsystem responsible for
+ configuring a rule base for a firewall system and the subsystem
+ that actually implements these rules) should also be
+ described.
+
+ It should be noted while the developer should characterise all
+ interactions between subsystems, the evaluators need to use
+ their own judgement in assessing the completeness of the
+ description. If the reason for an interaction is unclear, or if
+ there are SFR-related interactions (discovered, for instance, in
+ examining the module-level documentation) that do not appear to
+ be described, the evaluator ensures that this information is
+ provided by the developer. However, if the evaluator can
+ determine that interactions among a particular set of
+ subsystems, while incompletely described by the developer, and a
+ complete description will not aid in understanding the overall
+ functionality nor security functionality provided by the TSF,
+ then the evaluator may choose to consider the description
+ sufficient, and not pursue completeness for its own sake.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the mapping between the subsystems of the TSF and
+ the modules of the TSF is complete.
+
+ If the design is presented solely in terms of modules,
+ then this work unit is considered satisfied.
+
+ For TOEs that are complex enough to warrant a
+ subsystem-level description of the TSF in addition to
+ the modular description, the developer provides a simple
+ mapping showing how the modules of the TSF are allocated
+ to the subsystems. This will provide the evaluator a
+ guide in performing their module-level assessment. To
+ determine completeness, the evaluator examines each
+ mapping and determines that all subsystems map to at
+ least one module, and that all modules map to exactly
+ one subsystem.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the mapping between the subsystems of the TSF to
+ the modules of the TSF is accurate.
+
+ If the design is presented solely in terms of modules,
+ then this work unit is considered satisfied.
+
+ For TOEs that are complex enough to warrant a
+ subsystem-level description of the TSF in addition to
+ the modular description, the developer provides a simple
+ mapping showing how the modules of the TSF are allocated
+ to the subsystems. This will provide the evaluator a
+ guide in performing their module-level assessment. The
+ evaluator may choose to check the accuracy of the
+ mapping in conjunction with performing other work
+ units. An ``inaccurate'' mapping is one where the module
+ is mistakenly associated with a subsystem where its
+ functions are not used within the subsystem. Because the
+ mapping is intended to be a guide supporting more
+ detailed analysis, the evaluator is cautioned to apply
+ appropriate effort to this work unit. Expending
+ extensive evaluator resources verifying the accuracy of
+ the mapping is not necessary. Inaccuracies that lead to
+ mis-understandings related to the design that are
+ uncovered as part of this or other work units are the
+ ones that should be associated with this work unit and
+ corrected.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the description of the purpose of each
+ SFR-enforcing and SFR-supporting module, and relationship with other modules
+ is complete and accurate.
+
+ The developer may designate modules as SFR-enforcing,
+ SFR-supporting, and SFR non-interfering, but these
+ ``tags'' are used only to describe the amount and type
+ of information the developer must provide, and can be
+ used to limit the amount of information the developer
+ has to develop if their engineering process does not
+ produce the documentation required. Whether the modules
+ have been categorised by the developer or not, it is the
+ evaluator's responsibility to determine that the modules
+ have the appropriate information for their role
+ (SFR-enforcing, etc.) in the TOE, and to obtain the
+ appropriate information from the developer should the
+ developer fail to provide the required information for a
+ particular module.
+
+ The purpose of a module provides a description
+ indicating what function the module is fulfilling. A
+ word of caution to evaluator is in order. The focus of
+ this work unit should be to provide the evaluator an
+ understanding of how the module works so that
+ determinations can be made about the soundness of the
+ implementation of the SFRs, as well as to support
+ architectural analysis performed for subsystems. As long as the evaluator has a
+ sound understanding of the module's operation, and its
+ relationship to other modules and the TOE as a whole,
+ the evaluator should consider the objective of the work
+ achieved and not engage in a documentation exercise for
+ the developer (by requiring, for example, a complete
+ algorithmic description for a self-evident
+ implementation representation).
+ Because the modules are at such a low level, it may be difficult
+ determine completeness and accuracy impacts from other
+ documentation, such as operational user guidance, the functional
+ specification, the TSF internals, or the security architecture
+ description. However, the evaluator uses the information present
+ in those documents to the extent possible to help ensure that
+ the purpose is accurately and completely described. This
+ analysis can be aided by the analysis performed for the work
+ units for the element,
+ which maps the TSFI in the functional specification to the
+ modules of the TSF.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the description of the interfaces presented by each
+ SFR-enforcing and SFR-supporting module contain an
+ accurate and complete description of the SFR-related
+ parameters, the invocation conventions for each
+ interface, and any values returned directly by the
+ interface.
+
+ The SFR-related interfaces of a module are those
+ interfaces used by other modules as a means to invoke
+ the SFR-related operations provided, and to provide
+ inputs to or receive outputs from the module. The
+ purpose in the specification of these interfaces is to
+ permit the exercise of them during testing.
+ Inter-module interfaces that are not SFR-related need
+ not be specified or described, since they are not a
+ factor in testing. Likewise, other internal interfaces
+ that are not a factor in traversing SFR-related paths of
+ execution (such as those internal paths that are
+ fixed).
+ SFR-related interfaces of SFR-supporting modules are all
+ interfaces of SFR-supporting modules that are called directly
+ or indirectly from SFR-enforcing modules. Those interfaces
+ need to be described with all the parameter used in such a
+ call. This allows the evaluator to understand the purpose of
+ the call to the SFR-supporting module in the context of
+ operation of the SFR-enforcing modules.
+
+ SFR-related interfaces are described in terms of how
+ they are invoked, and any values that are returned. This
+ description would include a list of parameters, and
+ descriptions of these parameters. Note that global data
+ would also be considered parameters if used by the
+ module (either as inputs or outputs) when invoked. If a
+ parameter were expected to take on a set of values
+ (e.g., a ``flag'' parameter), the complete set of values
+ the parameter could take on that would have an effect on
+ module processing would be specified. Likewise,
+ parameters representing data structures are described
+ such that each field of the data structure is identified
+ and described. Note that different programming languages
+ may have additional ``interfaces'' that would be
+ non-obvious; an example would be operator/function
+ overloading in C++. This ``implicit interface'' in the
+ class description would also be described as part of the
+ low-level TOE design. Note that although a module could
+ present only one interface, it is more common that a
+ module presents a small set of related
+ interfaces.
+
+ In terms of the assessment of parameters (inputs and
+ outputs) to a module, any use of global data must also
+ be considered. A module ``uses'' global data if it
+ either reads or writes the data. In order to assure the
+ description of such parameters (if used) is complete,
+ the evaluator uses other information provided about the
+ module in the TOE design (interfaces, algorithmic
+ description, etc.), as well as the description of the
+ particular set of global data assessed in work unit
+ . For instance, the
+ evaluator could first determine the processing the
+ module performs by examining its function and interfaces
+ presented (particularly the parameters of the
+ interfaces). They could then check to see if the
+ processing appears to ``touch'' any of the global data
+ areas identified in the TDS design.
The evaluator then
+ determines that, for each global data area that appears
+ to be ``touched'', that global data area is listed as a
+ means of input or output by the module the evaluator is
+ examining.
+
+ Invocation conventions are a programming-reference-type
+ description that one could use to correctly invoke a
+ module's interface if one were writing a program to make
+ use of the module's functionality through that
+ interface. This includes necessary inputs and outputs,
+ including any set-up that may need to be performed with
+ respect to global variables.
+
+ Values returned through the interface refer to values
+ that are either passed through parameters or messages;
+ values that the function call itself returns in the
+ style of a ``C'' program function call; or values passed
+ through global means (such as certain error routines in
+ *ix-style operating systems).
+
+ In order to assure the description is complete, the
+ evaluator uses other information provided about the
+ module in the TOE design (e.g., algorithmic description,
+ global data used) to ensure that it appears all data
+ necessary for performing the functions of the module is
+ presented to the module, and that any values that other
+ modules expect the module under examination to provide
+ are identified as being returned by the module. The
+ evaluator determines accuracy by ensuring that the
+ description of the processing matches the information
+ listed as being passed to or from an interface.
+
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that SFR-non-interfering modules are correctly
+ categorised.
+
+ As mentioned in work unit ,
+ less information is required about modules that are
+ SFR-non-interfering.
A key focus of the evaluator for this work
+ unit is attempting to determine from the evidence provided for
+ each module implicitly categorised as SFR-non-interfering and
+ the evaluation (information about other modules in the TOE
+ design, the functional specification, the security architecture
+ description, the operational user guidance, the TSF internals
+ document, and perhaps even the implementation representation)
+ whether the module is indeed SFR-non-interfering. At this level
+ of assurance some error should be tolerated; the evaluator does
+ not have to be absolutely sure that a given module is
+ SFR-non-interfering, even though it is labelled as
+ such. However, if the evidence provided indicates that a
+ SFR-non-interfering module is SFR-enforcing or SFR-supporting,
+ the evaluator requests additional information from the developer
+ in order to resolve the apparent inconsistency. For example,
+ suppose the documentation for Module A (an SFR-enforcing module)
+ indicates that it calls Module B to perform an access check on a
+ certain type of construct. When the evaluator examines the
+ information associated with Module B, it is discovered that the
+ only information the developer has provided is a purpose and a
+ set of interactions (thus implicitly categorising Module B as
+ SFR-supporting or SFR-non-interfering). On examining the purpose and interactions
+ from Module A, the evaluator finds no mention of Module B
+ performing any access checks, and Module A is not listed as a
+ module with which Module B interacts. At this point the
+ evaluator should approach the developer to resolve the
+ discrepancies between the information provided in Module A and
+ that in Module B.
+
+ Another example would be where the evaluator examines
+ the mapping of the TSFI to the modules as provided by
+ . This examination
+ shows that Module C is associated with an SFR requiring
+ identification of the user.
Again, when the evaluator
+ examines the information associated with Module C, they
+ find that all the developer has provided is a purpose
+ and a set of interactions (thus implicitly categorising
+ Module C as SFR-non-interfering). Examining the purpose
+ and interactions presented for Module C, the evaluator
+ is unable to determine why Module C, listed as mapping
+ to a TSFI concerned with user identification, would not
+ be classified as SFR-enforcing or SFR-supporting. Again,
+ the evaluator should approach the developer to resolve
+ this discrepancy.
+
+ A final example illustrates the opposite situation. As
+ before, the developer has provided information
+ associated with Module D consisting of a purpose and a
+ set of interactions (thus implicitly categorising Module
+ D as SFR-non-interfering). The evaluator examines all of
+ the evidence provided, including the purpose and
+ interactions for Module D. The purpose appears to give a
+ meaningful description of Module D's function in the
+ TOE, the interactions are consistent with that
+ description, and there is nothing to indicate that
+ Module D is SFR-enforcing or SFR-supporting. In this
+ case, the evaluator should not demand more information
+ about Module D ``just be to sure'' it is correctly
+ categorised. The developer has met the obligations and
+ the resulting assurance the evaluator has in the
+ implicit categorisation of Module D is (by definition)
+ appropriate for this assurance level.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the description of the purpose of each
+ SFR-non-interfering module is complete and
+ accurate.
+
+ The description of the purpose of a module indicates
+ what function the module is fulfilling. From the
+ description, the evaluator should be able to obtain a
+ general idea of the module's role.
In order to assure
+ the description is complete, the evaluator uses the
+ information provided about the module's interactions
+ with other modules to assess whether the reasons for the
+ module being called are consistent with the module's
+ purpose. If the interaction description contains
+ functionality that is not apparent from, or in conflict
+ with, the module's purpose, the evaluator needs to
+ determine whether the problem is one of accuracy or of
+ completeness. The evaluator should be wary of purposes
+ that are too short, since meaningful analysis based on a
+ one-sentence purpose is likely to be impossible.
+
+ Because the modules are at such a low level, it may be difficult
+ determine completeness and accuracy impacts from other
+ documentation, such as operational user guidance, the functional
+ specification, the security architecture description, or the TSF
+ internals document. However, the evaluator uses the information
+ present in those documents to the extent possible to help ensure
+ that the function is accurately and completely described. This
+ analysis can be aided by the analysis performed for the work
+ units for the element,
+ which maps the TSFI in the functional specification to the
+ modules of the TSF.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that the description of a SFR-non-interfering module's
+ interaction with other modules is complete and
+ accurate.
+
+ It is important to note that, in terms of the Part 3
+ requirement and this work unit, the term
+ interaction is intended to convey less
+ rigour than interface.
An interaction
+ does not need to be characterised at the implementation
+ level (e.g., parameters passed from one routine in a
+ module to a routine in a different module; global
+ variables; hardware signals (e.g., interrupts) from a
+ hardware subsystem to an interrupt-handling subsystem),
+ but the data elements identified for a particular module
+ that are going to be used by another module should be
+ covered in this discussion. Any control relationships
+ between modules (e.g., a module responsible for
+ configuring a rule base for a firewall system and the
+ module that actually implements these rules) should also
+ be described.
+
+ A module's interaction with other modules can be captured in
+ many ways. The intent for the TOE design is to allow the
+ evaluator to understand (in part through analysis of module
+ interactions) the role of the SFR-supporting and
+ SFR-non-interfering modules in the overall TOE
+ design. Understanding of this role will aid the evaluator in
+ performing work unit .
+
+ A module's interaction with other modules goes beyond
+ just a call-tree-type document. The interaction is
+ described from a functional perspective of why a module
+ interacts with other modules. The module's purpose
+ describes what functions the module provides to other
+ modules; the interactions should describe what the
+ module depends on from other modules in order to
+ accomplish this function.
+
+ Because the modules are at such a low level, it may be difficult
+ determine completeness and accuracy impacts from other
+ documentation, such as operational user guidance, the functional
+ specification, the security architecture description, or the TSF
+ internals document. However, the evaluator uses the information
+ present in those documents to the extent possible to help ensure
+ that the interactions are accurately and completely
+ described.
+
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that it contains a complete and accurate mapping from
+ the TSFI described in the functional specification to
+ the modules of the TSF described in the TOE
+ design.
+
+ The modules described in the TOE design provide a
+ description of the implementation of the TSF. The TSFI
+ provide a description of how the implementation is
+ exercised. The evidence from the developer identifies
+ the module that is initially invoked when an operation
+ is requested at the TSFI, and identify the chain of
+ modules invoked up to the module that is primarily
+ responsible for implementing the functionality. However,
+ a complete call tree for each TSFI is not required for
+ this work unit. The cases in which more than one module
+ would have to be identified are where there are ``entry
+ point'' modules or wrapper modules that have no
+ functionality other than conditioning inputs or
+ de-multiplexing an input. Mapping to one of these
+ modules would not provide any useful information to the
+ evaluator.
+
+ The evaluator assesses the completeness of the mapping
+ by ensuring that all of the TSFI map to at least one
+ module. The verification of accuracy is more
+ complex.
+
+ The first aspect of accuracy is that each TSFI is mapped
+ to a module at the TSF boundary. This determination can
+ be made by reviewing the module description and its
+ interfaces/interactions. The next aspect of accuracy is
+ that each TSFI identifies a chain of modules between the
+ initial module identified and a module that is primarily
+ responsible for implementing the function presented at
+ the TSF. Note that this may be the initial module, or
+ there may be several modules, depending on how much
+ pre-conditioning of the inputs is done. It should be
+ noted that one indicator of a pre-conditioning module is
+ that it is invoked for a large number of the TSFI, where
+ the TSFI are all of similar type (e.g., system
+ call).
The final aspect of accuracy is that the mapping
+ makes sense. For instance, mapping a TSFI dealing with
+ access control to a module that checks passwords is not
+ accurate. The evaluator should again use judgement in
+ making this determination. The goal is that this
+ information aids the evaluator in understanding the
+ system and implementation of the SFRs, and ways in which
+ entities at the TSF boundary can interact with the
+ TSF. The bulk of the assessment of whether the SFRs are
+ described accurately by the modules is performed in
+ other work units.
+
+
+
+ The evaluator shall determine that the design is an accurate
+ and complete instantiation of all security functional
+ requirements.
+
+
+ The evaluator shall examine the TOE security functional
+ requirements and the TOE design, to determine that all
+ ST security functional requirements are covered by the
+ TOE design.
+
+ The evaluator may construct a map between the TOE
+ security functional requirements and the TOE design.
+ This map will likely be from a functional requirement to
+ a set of subsystems, and later to modules. Note that this map may have to be
+ at a level of detail below the component or even element
+ level of the requirements, because of operations
+ (assignments, refinements, selections) performed on the
+ functional requirement by the ST author.
+
+ For example, the
+ component contains an element with assignments. If the
+ ST contained, for instance, ten rules in the assignment, and these ten
+ rules were implemented in specific places within fifteen
+ modules, it would be inadequate for the evaluator to map
+ to one subsystem and
+ claim the work unit had been completed. Instead, the
+ evaluator would map
+ (rule 1) to modules x, y and z of subsystem A;
+ (rule 2) to x, p, and q of subsystem A; etc.
+
+
+
+ The evaluator shall examine the TOE design to determine
+ that it is an accurate instantiation of all security
+ functional requirements.
+
+ The evaluator may construct a map between the TOE security
+ functional requirements and the TOE design. This map will
+ likely be from a functional requirement to a set of
+ subsystems. Note that this map may have to be at a level of
+ detail below the component or even element level of the
+ requirements, because of operations (assignments, refinements,
+ selections) performed on the functional requirement by the ST
+ author.
+
+ As an example, if the ST requirements specified a
+ role-based access control mechanism, the evaluator would
+ first identify the subsystems, and modules that contribute to this
+ mechanism's implementation. This could be done by
+ in-depth knowledge or understanding of the TOE design or
+ by work done in the previous work unit. Note that this
+ trace is only to identify the subsystems, and modules, and is not the
+ complete analysis.
+
+ The next step would be to understand what mechanism the
+ subsystems, and modules implemented. For instance, if the design
+ described an implementation of access control based on
+ UNIX-style protection bits, the design would not be an
+ accurate instantiation of those access control
+ requirements present in the ST example used above. If
+ the evaluator could not determine that the mechanism was
+ accurately implemented because of a lack of detail, the
+ evaluator would have to assess whether all of the
+ SFR-enforcing subsystems and modules have been identified, or if
+ adequate detail had been provided for those subsystems and modules.
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TOE design provides a description of the TOE in terms
+ of subsystems sufficient to determine the TSF boundary,
+ and provides a description of the TSF internals in terms
+ of modules (and optionally higher-level abstractions).
It
+ provides a detailed description of all modules for the
+ evaluator to determine that the SFRs are completely and
+ accurately implemented; as such, the TOE design provides
+ an explanation of the implementation
+ representation.
+
+
+
+ At this level, there is no differentiation of required
+ information according to SFR-relevance.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ security architecture description;
+
+
+ the TOE design;
+
+
+ the security architecture description;
+
+
+ the implementation representation.
+
+
+
+
+ The developer shall provide the design of the TOE.
+
+
+ The developer shall provide a mapping from the TSFI of the
+ functional specification to the lowest level of
+ decomposition available in the TOE design.
+
+
+ The design shall describe the structure of the TOE in terms
+ of subsystems.
+
+
+ The design shall describe the TSF in terms of modules,
+ designating each module as SFR-enforcing,
+ SFR-supporting, or SFR-non-interfering.
+
+
+ The design shall identify all subsystems of the TSF.
+
+
+ The design shall provide a semiformal description of each
+ subsystem of the TSF, supported by informal, explanatory text where
+ appropriate.
+
+
+ The design shall provide a description of the interactions among all subsystems of the TSF.
+
+
+ The design shall provide a mapping from the subsystems of
+ the TSF to the modules of the TSF.
+
+
+ The design shall provide a semiformal description of each module
+ in terms of its purpose, interaction, interfaces, return values
+ from those interfaces, and called interfaces to other modules,
+ supported by informal, explanatory text where appropriate.
+
+
+ The mapping shall demonstrate that all TSFIs trace to the behaviour described in the TOE design that they invoke.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+ The evaluator shall determine that the design is an accurate
+ and complete instantiation of all security functional
+ requirements.
+
+
+
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ security architecture description;
+
+
+ the TOE design;
+
+
+ the security architecture description;
+
+
+ the implementation representation.
+
+
+
+
+ The developer shall provide the design of the TOE.
+
+
+ The developer shall provide a mapping from the TSFI of the
+ functional specification to the lowest level of
+ decomposition available in the TOE design.
+
+
+ The developer shall provide a formal specification of the
+ TSF subsystems.
+
+
+ The developer shall provide a proof of correspondence
+ between the formal specifications of the TSF subsystems and
+ of the functional specification.
+
+
+ The design shall describe the structure of the TOE in terms
+ of subsystems.
+
+
+ The design shall describe the TSF in terms of modules,
+ designating each module as SFR-enforcing,
+ SFR-supporting, or SFR-non-interfering.
+
+
+ The design shall identify all subsystems of the TSF.
+
+
+ The design shall provide a semiformal description of each
+ subsystem of the TSF, supported by informal, explanatory text where
+ appropriate.
+
+
+ The design shall provide a description of the interactions among all subsystems of the TSF.
+
+
+ The design shall provide a mapping from the subsystems of
+ the TSF to the modules of the TSF.
+
+
+ The design shall describe each module in semiformal style in terms
+ of its purpose, interaction, interfaces, return values from those interfaces,
+ and called interfaces to other modules, supported by informal, explanatory
+ text where appropriate.
+
+
+ The formal specification of the TSF subsystems shall
+ describe the TSF using a formal style, supported by
+ informal, explanatory text where appropriate.
+
+
+ The mapping shall demonstrate that all TSFIs trace to the behaviour described in the TOE design that they invoke.
+
+
+ The proof of correspondence between the formal
+ specifications of the TSF subsystems and of the functional
+ specification shall demonstrate that all behaviour described
+ in the TOE design is a correct and complete refinement of
+ the TSFI that invoked it.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+ The evaluator shall determine that the design is an accurate
+ and complete instantiation of all security functional
+ requirements.
+
+
+
+
+
+
+ The guidance documents class provides the requirements for
+ guidance documentation for all user roles. For the secure
+ preparation and operation of the TOE it is necessary to
+ describe all relevant aspects for the secure handling of the
+ TOE. The class also addresses the possibility of unintended
+ incorrect configuration or handling of the TOE.
+
+ In many cases it may be appropriate that guidance is provided
+ in separate documents for preparation and operation of the
+ TOE, or even separate for different user roles as end-users,
+ administrators, application programmers using software or
+ hardware interfaces, etc.
+
+ The guidance documents class is subdivided into two families
+ which are concerned with the preparative user guidance (what
+ has to be done to transform the delivered TOE into its
+ evaluated configuration in the operational environment as
+ described in the ST) and with the operational user guidance
+ (what has to be done during the operation of the TOE in its
+ evaluated configuration).
+
+
+
+ Assurance class defines
+ requirements directed at the understandability, coverage and
+ completeness of the preparative and operational documentation
+ provided by the developer.
This documentation, which provides
+ information for all user roles, is an important factor in the
+ secure preparation and operation of the TOE.
+
+
+
+ The purpose of the guidance document activity is to judge the
+ adequacy of the documentation describing how the user can
+ handle the TOE in a secure manner. Such documentation should
+ take into account the various types of users (e.g. those who
+ accept, install, administrate or operate the TOE) whose
+ incorrect actions could adversely affect the security of the
+ TOE or of their own data.
+
+ The guidance documents class is subdivided into two families
+ which are concerned firstly with the preparative procedures
+ (all that has to be done to transform the delivered TOE into
+ its evaluated configuration in the environment as described in
+ the ST, i.e. accepting and installing the TOE) and secondly
+ with the operational user guidance (all that has to be done
+ during the operation of the TOE in its evaluated
+ configuration, i.e. operation and administration).
+
+
+
+ The guidance documents activity applies to those functions and
+ interfaces which are related to the security of the TOE. The
+ secure configuration of the TOE is described in the ST.
+
+
+
+
+ Operational user guidance refers to written material that is
+ intended to be used by all types of users of the TOE in its
+ evaluated configuration: end-users, persons responsible for
+ maintaining and administering the TOE in a correct manner
+ for maximum security, and by others (e.g. programmers) using
+ the TOE's external interfaces. Operational user guidance
+ describes the security functionality provided by the TSF,
+ provides instructions and guidelines (including warnings),
+ helps to understand the TSF and includes the
+ security-critical information, and the security-critical
+ actions required, for its secure use.
Misleading and
+ unreasonable guidance should be absent from the guidance
+ documentation, and secure procedures for all modes of
+ operation should be addressed. Insecure states should be
+ easy to detect.
+
+ The operational user guidance provides a measure of
+ confidence that non-malicious users, administrators,
+ application providers and others exercising the external
+ interfaces of the TOE will understand the secure operation
+ of the TOE and will use it as intended. The evaluation of
+ the user guidance includes investigating whether the TOE can
+ be used in a manner that is insecure but that the user of
+ the TOE would reasonably believe to be secure. The objective
+ is to minimise the risk of human or other errors in
+ operation that may deactivate, disable, or fail to activate
+ security functionality, resulting in an undetected insecure
+ state.
+
+
+
+ Requirements for operational user guidance help ensure that
+ all types of users are able to operate the TOE in a secure
+ manner (e.g. the usage constraints assumed by the PP or ST
+ must be clearly explained and illustrated). It should be
+ excluded that the TOE can be used in a manner that is
+ insecure but that the user of the TOE would reasonably
+ believe to be secure. Operational user guidance is the
+ primary vehicle available to the developer for providing the
+ TOE users with the necessary background and specific
+ information on how to correctly use the TOE's protection
+ functions.
+
+ Operational user guidance must do two things. First, it
+ needs to explain what the security functionality accessible
+ by the user does and how it is to be used, so that users are
+ able to consistently and effectively protect their
+ information. Second, it needs to explain the user's role in
+ maintaining the TOE's security.
+
+
+
+ This family contains only one component.
+
+
+
+ There may be different user roles or groups that are
+ recognised by the TOE and that can interact with the
+ TSF.
These user roles and groups should be taken into
+ consideration by the operational user guidance. They may be
+ roughly grouped into administrators and non-administrative
+ users, or more specifically grouped into persons responsible
+ for receiving, accepting, installing and maintaining the
+ TOE, application programmers, revisors, auditors,
+ daily-management, end-users. Each role can encompass an
+ extensive set of capabilities, or can be a single
+ one.
+
+ The requirement
+ encompasses the aspect that any warnings to the users during
+ operation of a TOE with regard to the security problem
+ definition and the security objectives for the operational
+ environment described in the PP/ST are appropriately covered
+ in the user guidance.
+
+ The concept of secure values, as employed in , has relevance where a user
+ has control over security parameters. Guidance needs to be
+ provided on secure and insecure settings for such
+ parameters.
+
+ requires that the
+ user guidance describes the appropriate reactions to all
+ security-relevant events. Although many security-relevant
+ events are the result of performing functions, this need not
+ always be the case (e.g. the audit log fills up, an
+ intrusion is detected). Furthermore, a security-relevant
+ event may happen as a result of a specific chain of
+ functions or, conversely, several security-relevant events
+ may be triggered by one function.
+
+ requires that the
+ user guidance is clear and reasonable. Misleading or
+ unreasonable guidance may result in a user of the TOE
+ believing that the TOE is secure when it is not.
+
+ An example of misleading guidance would be the description
+ of a single guidance instruction that could be parsed in
+ more than one way, one of which may result in an insecure
+ state.
+
+ An example of unreasonable guidance would be a
+ recommendation to follow a procedure that is so complicated
+ that it cannot reasonably be expected that users will follow
+ this guidance.
+
+
+
+
+
+ The objectives of this sub-activity are to determine
+ whether the user guidance describes for each user role the
+ security functionality and interfaces provided by the TSF,
+ provides instructions and guidelines for the secure use of
+ the TOE, addresses secure procedures for all modes of
+ operation, facilitates prevention and detection of
+ insecure TOE states, or whether it is misleading or
+ unreasonable.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the TOE design, if applicable;
+
+
+ the user guidance;
+
+
+
+
+ The developer shall provide operational user guidance.
+
+
+ The operational user guidance shall describe, for each user
+ role, the user-accessible functions and privileges that
+ should be controlled in a secure processing environment,
+ including appropriate warnings.
+
+
+ The operational user guidance shall describe, for each user
+ role, how to use the available interfaces provided by the
+ TOE in a secure manner.
+
+
+ The operational user guidance shall describe, for each user
+ role, the available functions and interfaces, in particular
+ all security parameters under the control of the user,
+ indicating secure values as appropriate.
+
+
+ The operational user guidance shall, for each user role,
+ clearly present each type of security-relevant event
+ relative to the user-accessible functions that need to be
+ performed, including changing the security characteristics
+ of entities under the control of the TSF.
+
+
+ The operational user guidance shall identify all possible
+ modes of operation of the TOE (including operation following
+ failure or operational error), their consequences and
+ implications for maintaining secure operation.
+
+
+ The operational user guidance shall, for each user role,
+ describe the security measures to be followed in order to
+ fulfil the security objectives for the operational
+ environment as described in the ST.
+
+
+ The operational user guidance shall be clear and reasonable.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the operational user
+ guidance to determine that it describes, for each user
+ role, the user-accessible functions and privileges that
+ should be controlled in a secure processing environment,
+ including appropriate warnings.
+
+ The configuration of the TOE may allow different user
+ roles to have dissimilar privileges in making use of the
+ different functions of the TOE. This means that some
+ users are authorised to perform certain functions, while
+ other users may not be so authorised. These functions
+ and privileges should be described, for each user role,
+ by the user guidance.
+
+ The user guidance identifies, for each user role, the
+ functions and privileges that must be controlled, the
+ types of commands required for them, and the reasons for
+ such commands. The user guidance should contain warnings
+ regarding the use of these functions and
+ privileges. Warnings should address expected effects,
+ possible side effects, and possible interactions with
+ other functions and privileges.
+
+
+
+
+ The evaluator shall examine the operational user
+ guidance to determine that it describes, for each user
+ role, the secure use of the available interfaces
+ provided by the TOE.
+
+ The user guidance should provide advice regarding
+ effective use of the TSF (e.g. reviewing password
+ composition practises, suggested frequency of user file
+ backups, discussion on the effects of changing user
+ access privileges).
+
+
+
+
+ The evaluator shall examine the operational user
+ guidance to determine that it describes, for each user
+ role, the available security functionality and
+ interfaces, in particular all security parameters under
+ the control of the user, indicating secure values as
+ appropriate.
+
+ The user guidance should contain an overview of the
+ security functionality that is visible at the user
+ interfaces.
+
+ The user guidance should identify and describe the
+ purpose, behaviour, and interrelationships of the
+ security interfaces and functionality.
+
+ For each user-accessible interface, the user guidance
+ should:
+
+
+ describe the method(s) by which the interface is
+ invoked (e.g. command-line, programming-language
+ system call, menu selection, command button);
+
+
+ describe the parameters to be set by the user, their
+ particular purposes, valid and default values, and
+ secure and insecure use settings of such parameters,
+ both individually or in combination;
+
+
+ describe the immediate TSF response, message, or
+ code returned.
+
+
+
+ The evaluator should consider the functional
+ specification and the ST to determine that the TSF
+ described in these documents is consistent to the
+ operational user guidance. The evaluator has to ensure
+ that the operational user guidance is complete to allow
+ the secure use through the TSFI available to all types
+ of human users. The evaluator may, as an aid, prepare an
+ informal mapping between the guidance and these
+ documents. Any omissions in this mapping may indicate
+ incompleteness.
+
+
+
+
+ The evaluator shall examine the operational user
+ guidance to determine that it describes, for each user
+ role, each type of security-relevant event relative to
+ the user functions that need to be performed, including
+ changing the security characteristics of entities under
+ the control of the TSF and operation following failure
+ or operational error.
+
+ All types of security-relevant events are detailed for
+ each user role, such that each user knows what events
+ may occur and what action (if any) he may have to take
+ in order to maintain security. Security-relevant events
+ that may occur during operation of the TOE (e.g.
audit
+ trail overflow, system crash, updates to user records,
+ such as when a user account is removed when the user
+ leaves the organisation) are adequately defined to allow
+ user intervention to maintain secure operation.
+
+
+
+
+ The evaluator shall examine the operational user
+ guidance and other evaluation evidence to determine that
+ the guidance identifies all possible modes of operation
+ of the TOE (including, if applicable, operation
+ following failure or operational error), their
+ consequences and implications for maintaining secure
+ operation.
+
+ Other evaluation evidence, particularly the functional
+ specification, provide an information source that the
+ evaluator should use to determine that the guidance
+ contains sufficient guidance information.
+
+ If test documentation is included in the assurance
+ package, then the information provided in this evidence
+ can also be used to determine that the guidance contains
+ sufficient guidance documentation. The detail provided
+ in the test steps can be used to confirm that the
+ guidance provided is sufficient for the use and
+ administration of the TOE.
+
+ The evaluator should focus on a single human visible
+ TSFI at a time, comparing the guidance for securely
+ using the TSFI with other evaluation evidence, to
+ determine that the guidance related to the TSFI is
+ sufficient for the secure usage (i.e. consistent with
+ the SFRs) of that TSFI. The evaluator should also
+ consider the relationships between interfaces, searching
+ for potential conflicts.
+
+
+
+
+ The evaluator shall examine the operational user
+ guidance to determine that it describes, for each user
+ role, the security measures to be followed in order to
+ fulfil the security objectives for the operational
+ environment as described in the ST.
+
+ The evaluator analyses the security objectives for the
+ operational environment in the ST and determines that
+ for each user role, the relevant security measures are
+ described appropriately in the user guidance.
+
+ The security measures described in the user guidance
+ should include all relevant external procedural,
+ physical, personnel and connectivity measures.
+
+ Note that those measures relevant for secure
+ installation of the TOE are examined in .
+
+
+
+
+ The evaluator shall examine the operational user
+ guidance to determine that it is clear.
+
+ The guidance is unclear if it can reasonably be
+ misconstrued by an administrator or user, and used in a
+ way detrimental to the TOE, or to the security provided
+ by the TOE.
+
+
+
+
+ The evaluator shall examine the operational user
+ guidance to determine that it is reasonable.
+
+ The guidance is unreasonable if it makes demands on the
+ TOE's usage or operational environment that are
+ inconsistent with the ST or unduly onerous to maintain
+ security.
+
+
+
+
+
+
+
+ Preparative procedures are useful for ensuring that the TOE
+ has been received and installed in a secure manner as
+ intended by the developer. The requirements for preparation
+ call for a secure transition from the delivered TOE to its
+ initial operational environment. This includes investigating
+ whether the TOE can be configured or installed in a manner
+ that is insecure but that the user of the TOE would
+ reasonably believe to be secure.
+
+
+
+ Preparation requires that the delivered copy of the TOE is
+ accepted, configured and activated by the user to exhibit
+ the protection properties as needed during operation of the
+ TOE. The preparative procedures provide confidence that the
+ user will be aware of the TOE configuration parameters and
+ how they can affect the TSF.
+
+
+
+ This family contains only one component.
+
+
+
+ It is recognised that the application of these requirements
+ will vary depending on aspects such as whether the TOE is
+ delivered in an operational state, or whether it has to be
+ installed at the TOE owner's site, etc.
+
+ The first process covered by the preparative procedures is
+ the consumer's secure acceptance of the received TOE in
+ accordance with the developer's delivery procedures. If the
+ developer has not defined delivery procedures, security of
+ the acceptance has to be ensured otherwise.
+
+ Installation of the TOE includes transforming its
+ operational environment into a state that conforms to the
+ security objectives for the operational environment provided
+ in the ST.
+
+ It might also be the case that no installation is necessary,
+ for example a smart card. In this case it may be
+ inappropriate to require and analyse installation
+ procedures.
+
+ The requirements in this assurance family are presented
+ separately from those in the family, due to the infrequent, possibly
+ one-time use of the preparative procedures.
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the procedures and steps for the secure preparation of the
+ TOE have been documented and result in a secure
+ configuration.
+
+
+
+ The preparative procedures refer to all acceptance and
+ installation procedures, that are necessary to progress
+ the TOE to the secure configuration as described in the
+ ST.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the TOE including its preparative procedures;
+
+
+ the description of developer's delivery procedures, if
+ applicable;
+
+
+
+
+ The developer shall provide the TOE including its
+ preparative procedures.
+
+ The preparative procedures
+ shall describe all the steps necessary for secure acceptance
+ of the delivered TOE in accordance with the developer's
+ delivery procedures.
+
+ The preparative procedures
+ shall describe all the steps necessary for secure
+ installation of the TOE and for the secure preparation of
+ the operational environment in accordance with the security
+ objectives for the operational environment as described in
+ the ST.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+
+ The evaluator shall examine the provided acceptance
+ procedures to determine that they describe the steps
+ necessary for secure acceptance of the TOE in accordance
+ with the developer's delivery procedures.
+ If it is not anticipated by the developer's delivery
+ procedures that acceptance procedures will or can be
+ applied, this work unit is not applicable, and is
+ therefore considered to be satisfied.
+
+ The acceptance procedures should include as a minimum,
+ that the user has to check that all parts of the TOE as
+ indicated in the ST have been delivered in the correct
+ version.
+
+ The acceptance procedures should reflect the steps the
+ user has to perform in order to accept the delivered TOE
+ that are implied by the developer's delivery
+ procedures.
+
+ The acceptance procedures should provide detailed
+ information about the following, if applicable:
+
+
+ making sure that the delivered TOE is the complete
+ evaluated instance;
+
+
+ detecting modification/masquerading of the delivered
+ TOE.
+
+
+
+
+
+
+
+ The evaluator shall examine the provided installation
+ procedures to determine that they describe the steps
+ necessary for secure installation of the TOE and the
+ secure preparation of the operational environment in
+ accordance with the security objectives in the
+ ST.
+
+ If it is not anticipated that installation procedures
+ will or can be applied (e.g. because the TOE may already
+ be delivered in an operational state), this work unit is
+ not applicable, and is therefore considered to be
+ satisfied.
+
+ The installation procedures should provide detailed
+ information about the following, if applicable:
+
+
+ minimum system requirements for secure installation;
+
+
+ requirements for the operational environment in
+ accordance with the security objectives provided by
+ the ST;
+
+ the steps the user has to perform in order to get to an
+ operational TOE being commensurate with its evaluated
+ configuration. Such a description shall include - for each step
+ - a clear scheme for the decision on the next step depended on
+ success, failure or problems at the current step;
+
+
+ changing the installation specific security
+ characteristics of entities under the control of the
+ TSF (for example parameters, settings, passwords);
+
+
+ handling exceptions and problems.
+
+
+
+
+
+ The evaluator shall apply the preparative procedures to
+ confirm that the TOE can be prepared securely for operation.
+
+
+ The evaluator shall perform all user procedures
+ necessary to prepare the TOE to determine that the TOE
+ and its operational environment can be prepared securely
+ using only the supplied preparative procedures.
+ Preparation requires the evaluator to advance the
+ TOE from a deliverable state to the state in which it is
+ operational, including acceptance and installation of
+ the TOE, and enforcing the SFRs consistent with the
+ security objectives for the TOE specified in the
+ ST.
+
+ The evaluator should follow only the developer's
+ procedures and may perform the activities that customers
+ are usually expected to perform to accept and install
+ the TOE, using the supplied preparative procedures only.
+ Any difficulties encountered during such an exercise may
+ be indicative of incomplete, unclear or unreasonable guidance.
+
+ This work unit may be performed in conjunction with the
+ evaluation activities under .
+
+ If it is known that the TOE will be used as a dependent
+ component for a composed TOE evaluation, then the
+ evaluator should ensure that the operational environment
+ is satisfied by the base component used in the composed
+ TOE.
+
+
+
+
+
+
+
+
+ Life-cycle support is an aspect of establishing discipline and
+ control in the processes of refinement of the TOE during its
+ development and maintenance. Confidence in the correspondence
+ between the TOE security requirements and the TOE is greater
+ if security analysis and the production of the evidence are
+ done on a regular basis as an integral part of the development
+ and maintenance activities.
+
+ In the product life-cycle it is distinguished whether the TOE
+ is under the responsibility of the developer or the user
+ rather than whether it is located in the development or user
+ environment. The point of transition is the moment where the
+ TOE is handed over to the user. This is also the point of
+ transition from the to the class.
+
+ The class consists of seven
+ families. is the high-level
+ description of the TOE life-cycle; a more detailed description of the management
+ of the configuration items.
+ requires a minimum set of configuration items to be managed in
+ the defined way. is
+ concerned with the developer's physical, procedural,
+ personnel, and other security measures; with the development tools and implementation
+ standards used by the developer; with the handling of security flaws. defines the procedures used for
+ the delivery of the TOE to the consumer. Delivery processes
+ occurring during the development of the TOE are denoted rather
+ as transportations, and are handled in the context of
+ integration and acceptance procedures in other families of
+ this class.
+
+ Throughout this class, development and related terms
+ (developer, develop) are meant in the more general sense to
+ comprise development and production, whereas
+ production specifically means the process of transforming the
+ implementation representation into the final TOE.
+
+
+
+ Assurance class defines
+ requirements for assurance through the adoption of a well
+ defined life-cycle model for all the steps of the TOE
+ development, including flaw remediation procedures and
+ policies, correct use of tools and techniques and the security
+ measures used to protect the development environment.
+
+ Configuration management (CM) helps to ensure that the
+ integrity of the TOE is preserved, by preventing unauthorised
+ modifications, additions, or deletions to the TOE, thus
+ providing assurance that the TOE and documentation used for
+ evaluation are the ones prepared for distribution.
+
+ The delivery procedures define requirements for the measures,
+ procedures, and standards concerned with secure delivery of
+ the TOE, ensuring that the security protection offered by the
+ TOE is not compromised during the transfer to the user.
+
+
+
+ The purpose of the life-cycle support activity is to determine
+ the adequacy of the security procedures that the developer
+ uses during the development and maintenance of the TOE. These
+ procedures include the life-cycle model used by the developer,
+ the configuration management, the security measures used
+ throughout TOE development, the tools used by the developer
+ throughout the life-cycle of the TOE, the handling of security
+ flaws, and the delivery activity.
+
+ Poorly controlled development and maintenance of the TOE can
+ result in vulnerabilities in the implementation. Conformance
+ to a defined life-cycle model can help to improve controls in
+ this area. A measurable life-cycle model used for the TOE can
+ remove ambiguity in assessing the development progress of the
+ TOE.
+ + The purpose of the configuration management activity is to + assist the consumer in identifying the evaluated TOE, to + ensure that configuration items are uniquely identified, and + the adequacy of the procedures that are used by the developer + to control and track changes that are made to the TOE. This + includes details on what changes are tracked, how potential + changes are incorporated, and the degree to which automation + is used to reduce the scope for error. + + Developer security procedures are intended to protect the TOE + and its associated design information from interference or + disclosure. Interference in the development process may allow + the deliberate introduction of vulnerabilities. Disclosure of + design information may allow vulnerabilities to be more easily + exploited. The adequacy of the procedures will depend on the + nature of the TOE and the development process. + + The use of well-defined development tools and the application + of implementation standards by the developer and by third + parties involved in the development process help to ensure + that vulnerabilities are not inadvertently introduced during + refinement. + + The flaw remediation activity is intended to track security + flaws, to identify corrective actions, and to distribute the + corrective action information to TOE users. + + The purpose of the delivery activity is to judge the adequacy + of the documentation of the procedures used to ensure that the + TOE is delivered to the consumer without modification. + + + + + Configuration management (CM) is one means for increasing + assurance that the TOE meets the SFRs. CM establishes this + by requiring discipline and control in the processes of + refinement and modification of the TOE and the related + information. CM systems are put in place to ensure the + integrity of the portions of the TOE that they control, by + providing a method of tracking any changes, and by ensuring + that all changes are authorised. 
+ + The objective of this family is to require the developer's + CM system to have certain capabilities. These are meant to + reduce the likelihood that accidental or unauthorised + modifications of the configuration items will occur. The CM + system should ensure the integrity of the TOE from the early + design stages through all subsequent maintenance + efforts. + + The objective of introducing automated CM tools is to + increase the effectiveness of the CM system. While both + automated and manual CM systems can be bypassed, ignored, or + proven insufficient to prevent unauthorised modification, + automated systems are less susceptible to human error or + negligence. + + The objectives of this family include the following: + + + ensuring that the TOE is correct and complete before it + is sent to the consumer; + + + ensuring that no configuration items are missed during + evaluation; + + + preventing unauthorised modification, addition, or + deletion of TOE configuration items. + + + + + + Configuration management capabilities define the + characteristics of the configuration management + system. + + + + The components in this family are levelled on the basis of + the CM system capabilities, the scope of the CM + documentation and the evidence provided by the + developer. + + + + While it is desired that CM be applied from the early design + stages and continue into the future, this family requires + that CM be in place and in use prior to the end of the + evaluation. + + In the case where the TOE is a subset of a product, the + requirements of this family apply only to the TOE + configuration items, not to the product as a whole. + + For developers that have separate CM systems for different + life-cycle phases (for example development, production + and/or the final product), it is required to document all of + them. For evaluation purposes, the separate CM systems + should be regarded as parts of an overall CM system which is + addressed in the criteria. 
+ + Similarly, if parts of the TOE are produced by different + developers or at different sites, the CM systems being in + use at the different places should be regarded as parts of + an overall CM system which is addressed in the criteria. In + this situation, integration aspects have also to be taken + into account. + + Several elements of this family refer to configuration + items. These elements identify CM requirements to be imposed + on all items identified in the configuration list, but leave + the contents of the list to the discretion of the + developer. can be used to + narrow this discretion by identifying specific items that + must be included in the configuration list, and hence + covered by CM. + + introduces a + requirement that the CM system uniquely identify all + configuration items. This also requires that modifications + to configuration items result in a new, unique identifier + being assigned to the configuration item. + + introduces the + requirement that the evidence shall demonstrate that the CM + system operates in accordance with the CM plan. Examples of + such evidence might be documentation such as screen + snapshots or audit trail output from the CM system, or a + detailed demonstration of the CM system by the + developer. The evaluator is responsible for determining that + this evidence is sufficient to show that the CM system + operates in accordance with the CM plan. + + introduces a + requirement that the CM system provide an automated means to + support the production of the TOE. This requires that the CM + system provide an automated means to assist in determining + that the correct configuration items are used in generating + the TOE. + + introduces a + requirement that the CM system provide an automated means to + ascertain the changes between the TOE and its preceding + version. 
If no previous version of the TOE exists, the + developer still needs to provide an automated means to + ascertain the changes between the TOE and a future version + of the TOE. + + + + + + A unique reference is required to ensure that there is no + ambiguity in terms of which instance of the TOE is being + evaluated. Labelling the TOE with its reference ensures + that users of the TOE can be aware of which instance of + the TOE they are using. + + + + The objectives of this sub-activity are to determine + whether the developer has clearly identified the + TOE. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the TOE suitable for testing. + + + + + The developer shall provide the TOE and a reference for the + TOE. + + + The TOE shall be labelled with its unique reference. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that the TOE provided for + evaluation is labelled with its reference. + + The evaluator should ensure that the TOE contains the + unique reference which is stated in the ST. This could + be achieved through labelled packaging or media, or by a + label displayed by the operational TOE. This is to + ensure that it would be possible for consumers to + identify the TOE (e.g. at the point of purchase or + use). + + The TOE may provide a method by which it can be easily + identified. For example, a software TOE may display its + name and version number during the start up routine, or + in response to a command line entry. A hardware or + firmware TOE may be identified by a part number + physically stamped on the TOE. + + Alternatively, the unique reference provided for the TOE + may be the combination of the unique reference of each + component from which the TOE is comprised (e.g. in the + case of a composed TOE). + + + + The evaluator shall check that the TOE references used + are consistent. 
+ + If the TOE is labelled more than once then the labels + have to be consistent. For example, it should be + possible to relate any labelled guidance documentation + supplied as part of the TOE to the evaluated operational + TOE. This ensures that consumers can be confident that + they have purchased the evaluated version of the TOE, + that they have installed this version, and that they + have the correct version of the guidance to operate the + TOE in accordance with its ST. + + The evaluator also verifies that the TOE reference is + consistent with the ST. + + If this work unit is applied to a composed TOE, the + following will apply. The composed IT TOE will not be + labelled with its unique (composite) reference, but only + the individual components will be labelled with their + appropriate TOE reference. It would require further + development for the IT TOE to be labelled, i.e. during + start-up and/or operation, with the composite reference. + If the composed TOE is delivered as the constituent + component TOEs, then the TOE items delivered will not + contain the composite reference. However, the composed + TOE ST will include the unique reference for the + composed TOE and will identify the components comprising + the composed TOE through which the consumers will be + able to determine whether they have the appropriate + items. + + + + + + + + + A unique reference is required to ensure that there is no + ambiguity in terms of which instance of the TOE is being + evaluated. Labelling the TOE with its reference ensures + that users of the TOE can be aware of which instance of + the TOE they are using. + + Unique identification of the configuration items leads to + a clearer understanding of the composition of the TOE, + which in turn helps to determine those items which are + subject to the evaluation requirements for the TOE. + + The use of a CM system increases assurance that the + configuration items are maintained in a controlled + manner. 
+ + + + The objectives of this sub-activity are to determine + whether the developer uses a CM system that uniquely + identifies all configuration items. + + + + This component contains an implicit evaluator action to + determine that the CM system is being used. As the + requirements here are limited to identification of the TOE + and provision of a configuration list, this action is + already covered by, and limited to, the existing work + units. At the + requirements are expanded beyond these two items, and more + explicit evidence of operation is required. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the TOE suitable for testing; + + + the configuration management documentation. + + + + + The developer shall provide the TOE and a reference for the + TOE. + + + The developer shall provide the CM documentation. + + + The developer shall use a CM system. + + + The TOE shall be labelled with its unique reference. + + + The CM documentation shall describe the method used to + uniquely identify the configuration items. + + + The CM system shall uniquely identify all configuration + items. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that the TOE provided for + evaluation is labelled with its reference. + + The evaluator should ensure that the TOE contains the + unique reference which is stated in the ST. This could + be achieved through labelled packaging or media, or by a + label displayed by the operational TOE. This is to + ensure that it would be possible for consumers to + identify the TOE (e.g. at the point of purchase or + use). + + The TOE may provide a method by which it can be easily + identified. For example, a software TOE may display its + name and version number during the start up routine, or + in response to a command line entry. 
A hardware or + firmware TOE may be identified by a part number + physically stamped on the TOE. + + Alternatively, the unique reference provided for the TOE + may be the combination of the unique reference of each + component from which the TOE is comprised (e.g. in the + case of a composed TOE). + + + + The evaluator shall check that the TOE references used + are consistent. + + If the TOE is labelled more than once then the labels + have to be consistent. For example, it should be + possible to relate any labelled guidance documentation + supplied as part of the TOE to the evaluated operational + TOE. This ensures that consumers can be confident that + they have purchased the evaluated version of the TOE, + that they have installed this version, and that they + have the correct version of the guidance to operate the + TOE in accordance with its ST. + + The evaluator also verifies that the TOE reference is + consistent with the ST. + + If this work unit is applied to a composed TOE, the + following will apply. The composed IT TOE will not be + labelled with its unique (composite) reference, but only + the individual components will be labelled with their + appropriate TOE reference. It would require further + development for the IT TOE to be labelled, i.e. during + start-up and/or operation, with the composite reference. + If the composed TOE is delivered as the constituent + component TOEs, then the TOE items delivered will not + contain the composite reference. However, the composed + TOE ST will include the unique reference for the + composed TOE and will identify the components comprising + the composed TOE through which the consumers will be + able to determine whether they have the appropriate + items. + + + + + The evaluator shall examine the method of identifying + configuration items to determine that it describes how + configuration items are uniquely identified. 
+ + Procedures should describe how the status of each + configuration item can be tracked throughout the + life-cycle of the TOE. The procedures may be detailed in + the CM plan or throughout the CM documentation. The + information included should describe: + + + the method how each configuration item is uniquely + identified, such that it is possible to track + versions of the same configuration item; + + the method how configuration items are assigned + unique identifiers and how they are entered into the + CM system; + + the method to be used to identify superseded + versions of a configuration item. + + + + + + The evaluator shall examine the configuration items to + determine that they are identified in a way that is + consistent with the CM documentation. + Assurance that the CM system uniquely identifies + all configuration items is gained by examining the + identifiers for the configuration items. For both + configuration items that comprise the TOE, and drafts of + configuration items that are submitted by the developer + as evaluation evidence, the evaluator confirms that each + configuration item possesses a unique identifier in a + manner consistent with the unique identification method + that is described in the CM documentation. + + + + + + + + + + A unique reference is required to ensure that there is no + ambiguity in terms of which instance of the TOE is being + evaluated. Labelling the TOE with its reference ensures + that users of the TOE can be aware of which instance of + the TOE they are using. + + Unique identification of the configuration items leads to + a clearer understanding of the composition of the TOE, + which in turn helps to determine those items which are + subject to the evaluation requirements for the TOE. + + The use of a CM system increases assurance that the + configuration items are maintained in a controlled + manner. 
+ + Providing controls to ensure that unauthorised + modifications are not made to the TOE (``CM access + control''), and ensuring proper functionality and use of + the CM system, helps to maintain the integrity of the + TOE. + + + + The objectives of this sub-activity are to determine + whether the developer uses a CM system that uniquely + identifies all configuration items, and whether the + ability to modify these items is properly + controlled. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the TOE suitable for testing; + + + the configuration management documentation. + + + + + The developer shall provide the TOE and a reference for the + TOE. + + + The developer shall provide the CM documentation. + + + The developer shall use a CM system. + + + The TOE shall be labelled with its unique reference. + + + The CM documentation shall describe the method used to + uniquely identify the configuration items. + + + The CM system shall uniquely identify all configuration + items. + + + The CM system shall provide measures such that only + authorised changes are made to the configuration items. + + + The CM documentation shall include a CM plan. + + + The CM plan shall describe how the CM system is used for the + development of the TOE. + + + The evidence shall demonstrate that all configuration items + are being maintained under the CM system. + + + The evidence shall demonstrate that the CM system is being + operated in accordance with the CM plan. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that the TOE provided for + evaluation is labelled with its reference. + + The evaluator should ensure that the TOE contains the + unique reference which is stated in the ST. This could + be achieved through labelled packaging or media, or by a + label displayed by the operational TOE. 
This is to + ensure that it would be possible for consumers to + identify the TOE (e.g. at the point of purchase or + use). + + The TOE may provide a method by which it can be easily + identified. For example, a software TOE may display its + name and version number during the start up routine, or + in response to a command line entry. A hardware or + firmware TOE may be identified by a part number + physically stamped on the TOE. + + Alternatively, the unique reference provided for the TOE + may be the combination of the unique reference of each + component from which the TOE is comprised (e.g. in the + case of a composed TOE). + + + + The evaluator shall check that the TOE references used + are consistent. + + If the TOE is labelled more than once then the labels + have to be consistent. For example, it should be + possible to relate any labelled guidance documentation + supplied as part of the TOE to the evaluated operational + TOE. This ensures that consumers can be confident that + they have purchased the evaluated version of the TOE, + that they have installed this version, and that they + have the correct version of the guidance to operate the + TOE in accordance with its ST. + + The evaluator also verifies that the TOE reference is + consistent with the ST. + + If this work unit is applied to a composed TOE, the + following will apply. The composed IT TOE will not be + labelled with its unique (composite) reference, but only + the individual components will be labelled with their + appropriate TOE reference. It would require further + development for the IT TOE to be labelled, i.e. during + start-up and/or operation, with the composite reference. + If the composed TOE is delivered as the constituent + component TOEs, then the TOE items delivered will not + contain the composite reference. 
However, the composed + TOE ST will include the unique reference for the + composed TOE and will identify the components comprising + the composed TOE through which the consumers will be + able to determine whether they have the appropriate + items. + + + + + The evaluator shall examine the method of identifying + configuration items to determine that it describes how + configuration items are uniquely identified. + + Procedures should describe how the status of each + configuration item can be tracked throughout the + life-cycle of the TOE. The procedures may be detailed in + the CM plan or throughout the CM documentation. The + information included should describe: + + + the method how each configuration item is uniquely + identified, such that it is possible to track + versions of the same configuration item; + + the method how configuration items are assigned + unique identifiers and how they are entered into the + CM system; + + the method to be used to identify superseded + versions of a configuration item. + + + + + + The evaluator shall examine the configuration items to + determine that they are identified in a way that is + consistent with the CM documentation. + + Assurance that the CM system uniquely identifies all + configuration items is gained by examining the + identifiers for the configuration items. For both + configuration items that comprise the TOE, and drafts of + configuration items that are submitted by the developer + as evaluation evidence, the evaluator confirms that each + configuration item possesses a unique identifier in a + manner consistent with the unique identification method + that is described in the CM documentation. + + + + + The evaluator shall examine the CM access control + measures described in the CM plan to determine that they + are effective in preventing unauthorised access to the + configuration items. + + The evaluator may use a number of methods to determine + that the CM access control measures are effective. 
For + example, the evaluator may exercise the access control + measures to ensure that the procedures could not be + bypassed. The evaluator may use the outputs generated by + the CM system procedures required by . The evaluator may also witness a + demonstration of the CM system to ensure that the access + control measures employed are operating + effectively. + + + + + The evaluator shall check that the CM documentation + provided includes a CM plan. + The CM plan needs not to be a connected document, but it is + recommended that there is a single document that describes where + the various parts of the CM plan can be found. If the CM plan is + no single document, the list in the following work unit gives + hints regarding which context is expected. + + + + + The evaluator shall examine the CM plan to determine + that it describes how the CM system is used for the + development of the TOE. + + The descriptions contained in a CM plan include, if + applicable: + + + all activities performed in the TOE development that + are subject to configuration management procedures + (e.g. creation, modification or deletion of a + configuration item, data-backup, archiving); + + + which means (e.g. CM tools, forms) have to be made + available; + + + the usage of the CM tools: the necessary details for + a user of the CM system to be able to operate the CM + tools correctly in order to maintain the integrity + of the TOE; + + + which other objects (development components, tools, + assessment environments, etc) are taken under CM + control; + + + the roles and responsibilities of individuals + required to perform operations on individual + configuration items (different roles may be + identified for different types of configuration + items (e.g. design documentation or source code)); + + + how CM instances (e.g. 
change control boards, + interface control working groups) are introduced and + staffed; + + + the description of the change management; + + + the procedures that are used to ensure that only + authorised individuals can make changes to + configuration items; + + + the procedures that are used to ensure that + concurrency problems do not occur as a result of + simultaneous changes to configuration items; + + + the evidence that is generated as a result of + application of the procedures. For example, for a + change to a configuration item, the CM system might + record a description of the change, accountability + for the change, identification of all configuration + items affected, status (e.g. pending or completed), + and date and time of the change. This might be + recorded in an audit trail of changes made or change + control records; + + + the approach to version control and unique + referencing of TOE versions (e.g. covering the + release of patches in operating systems, and the + subsequent detection of their application). + + + + + + + The evaluator shall check that the configuration items + identified in the configuration list are being + maintained by the CM system. + + The CM system employed by the developer should maintain the + integrity of the TOE. The evaluator should check that for each + type of configuration item (e.g. design documents or source code + modules) contained in the configuration list there are examples + of the evidence generated by the procedures described in the CM + plan. In this case, the approach to sampling will depend upon + the level of granularity used in the CM system to control CM + items. Where, for example, 10,000 source code modules are + identified in the configuration list, a different sampling + strategy needs to be applied compared to the case in which there + are only 5, or even 1. 
The emphasis of this activity should be + on ensuring that the CM system is being operated correctly, + rather than on the detection of any minor error. + + For guidance on sampling see . + + + + + The evaluator shall check the CM documentation to + ascertain that it includes the CM system records + identified by the CM plan. + + The output produced by the CM system should provide the + evidence that the evaluator needs to be confident that + the CM plan is being applied, and also that all + configuration items are being maintained by the CM + system as required by . Example output could include change + control forms, or configuration item access approval + forms. + + + + + The evaluator shall examine the evidence to determine + that the CM system is being operated in accordance with + the CM plan. + + The evaluator should select and examine a sample of + evidence covering each type of CM-relevant operation + that has been performed on a configuration item + (e.g. creation, modification, deletion, reversion to an + earlier version) to confirm that all operations of the + CM system have been carried out in line with documented + procedures. The evaluator confirms that the evidence + includes all the information identified for that + operation in the CM plan. Examination of the evidence + may require access to a CM tool that is used. The + evaluator may choose to sample the evidence. + + For guidance on sampling see . + + Further confidence in the correct operation of the CM system and + the effective maintenance of configuration items may be + established by means of interviews with selected development + staff. In conducting such interviews, the evaluator aims + to gain a deeper understanding of how the CM system is used in + practise as well as to confirm that the CM procedures are being + applied as described in the CM documentation. 
Note that such + interviews should complement rather than replace the examination + of documentary evidence, and may not be necessary if the + documentary evidence alone satisfies the requirement. However, + given the wide scope of the CM plan it is possible that some + aspects (e.g. roles and responsibilities) may not be clear from + the CM plan and records alone. This is one case where + clarification may be necessary through interviews. + + It is expected that the evaluator will visit the + development site in support of this activity. + + For guidance on site visits see . + + + + + + + + + + + A unique reference is required to ensure that there is no + ambiguity in terms of which instance of the TOE is being + evaluated. Labelling the TOE with its reference ensures + that users of the TOE can be aware of which instance of + the TOE they are using. + + Unique identification of the configuration items leads to + a clearer understanding of the composition of the TOE, + which in turn helps to determine those items which are + subject to the evaluation requirements for the TOE. + + The use of a CM system increases assurance that the + configuration items are maintained in a controlled + manner. + + Providing controls to ensure that unauthorised + modifications are not made to the TOE (``CM access + control''), and ensuring proper functionality and use of + the CM system, helps to maintain the integrity of the + TOE. + + The purpose of the acceptance procedures is to ensure that + the parts of the TOE are of adequate quality and to + confirm that any creation or modification of configuration + items is authorised. Acceptance procedures are an + essential element in integration processes and in the + life-cycle management of the TOE. + + In development environments where the configuration items + are complex, it is difficult to control changes without + the support of automated tools. 
In particular, these + automated tools need to be able to support the numerous + changes that occur during development and ensure that + those changes are authorised. It is an objective of this + component to ensure that the configuration items are + controlled through automated means. If the TOE is + developed by multiple developers, i.e. integration has to + take place, the use of automatic tools is adequate. + + Production support procedures help to ensure that the + generation of the TOE from a managed set of configuration + items is correctly performed in an authorised manner, + particularly in the case when different developers are + involved and integration processes have to be carried + out. + + + + The objectives of this sub-activity are to determine + whether the developer has clearly identified the TOE and + its associated configuration items, and whether the + ability to modify these items is properly controlled by + automated tools, thus making the CM system less + susceptible to human error or negligence. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the TOE suitable for testing; + + + the configuration management documentation. + + + + + The developer shall provide the TOE and a reference for the + TOE. + + + The developer shall provide the CM documentation. + + + The developer shall use a CM system. + + + The TOE shall be labelled with its unique reference. + + + The CM documentation shall describe the method used to + uniquely identify the configuration items. + + + The CM system shall uniquely identify all configuration + items. + + + The CM system shall provide automated measures such that + only authorised changes are made to the configuration items. + + + The CM system shall support the production of the TOE by + automated means. + + + The CM documentation shall include a CM plan. + + + The CM plan shall describe how the CM system is used for the + development of the TOE. 
+
+
+ The CM plan shall describe the procedures used to accept
+ modified or newly created configuration items as part of the
+ TOE.
+
+
+ The evidence shall demonstrate that all configuration items
+ are being maintained under the CM system.
+
+
+ The evidence shall demonstrate that the CM system is being
+ operated in accordance with the CM plan.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the TOE provided for
+ evaluation is labelled with its reference.
+
+ The evaluator should ensure that the TOE contains the
+ unique reference which is stated in the ST. This could
+ be achieved through labelled packaging or media, or by a
+ label displayed by the operational TOE. This is to
+ ensure that it would be possible for consumers to
+ identify the TOE (e.g. at the point of purchase or
+ use).
+
+ The TOE may provide a method by which it can be easily
+ identified. For example, a software TOE may display its
+ name and version number during the start up routine, or
+ in response to a command line entry. A hardware or
+ firmware TOE may be identified by a part number
+ physically stamped on the TOE.
+
+ Alternatively, the unique reference provided for the TOE
+ may be the combination of the unique reference of each
+ component from which the TOE is comprised (e.g. in the
+ case of a composed TOE).
+
+
+
+ The evaluator shall check that the TOE references used
+ are consistent.
+
+ If the TOE is labelled more than once then the labels
+ have to be consistent. For example, it should be
+ possible to relate any labelled guidance documentation
+ supplied as part of the TOE to the evaluated operational
+ TOE. This ensures that consumers can be confident that
+ they have purchased the evaluated version of the TOE,
+ that they have installed this version, and that they
+ have the correct version of the guidance to operate the
+ TOE in accordance with its ST.
+
+ The evaluator also verifies that the TOE reference is
+ consistent with the ST.
+
+ If this work unit is applied to a composed TOE, the
+ following will apply. The composed TOE will not be
+ labelled with its unique (composite) reference, but only
+ the individual components will be labelled with their
+ appropriate TOE reference. It would require further
+ development for the composed TOE to be labelled, i.e. during
+ start-up and/or operation, with the composite reference.
+ If the composed TOE is delivered as the constituent
+ component TOEs, then the TOE items delivered will not
+ contain the composite reference. However, the composed
+ TOE ST will include the unique reference for the
+ composed TOE and will identify the components comprising
+ the composed TOE through which the consumers will be
+ able to determine whether they have the appropriate items.
+
+
+
+
+ The evaluator shall examine the method of identifying
+ configuration items to determine that it describes how
+ configuration items are uniquely identified.
+
+ Procedures should describe how the status of each
+ configuration item can be tracked throughout the
+ life-cycle of the TOE. The procedures may be detailed in
+ the CM plan or throughout the CM documentation. The
+ information included should describe:
+
+
+ the method how each configuration item is uniquely
+ identified, such that it is possible to track
+ versions of the same configuration item;
+
+ the method how configuration items are assigned
+ unique identifiers and how they are entered into the
+ CM system;
+
+ the method to be used to identify superseded
+ versions of a configuration item.
+
+
+
+
+
+ The evaluator shall examine the configuration items to
+ determine that they are identified in a way that is
+ consistent with the CM documentation.
+
+ Assurance that the CM system uniquely identifies all
+ configuration items is gained by examining the
+ identifiers for the configuration items. For configuration
+ items identified under ,
+ the evaluator confirms that each configuration item possesses
+ a unique identifier in a manner consistent with the unique
+ identification method that is described in the CM documentation.
+
+
+
+
+ The evaluator shall examine the CM access control
+ measures described in the CM plan (cf. ) to determine that they
+ are automated and effective in preventing unauthorised
+ access to the configuration items.
+
+ The evaluator may use a number of methods to determine
+ that the CM access control measures are effective. For
+ example, the evaluator may exercise the access control
+ measures to ensure that the procedures could not be
+ bypassed. The evaluator may use the outputs generated by
+ the CM system procedures required by . The evaluator may also witness a
+ demonstration of the CM system to ensure that the access
+ control measures employed are operating
+ effectively.
+
+
+
+
+ The evaluator shall check the CM plan (cf. ) for automated
+ procedures for supporting the production of the
+ TOE.
+
+ The term ``production'' applies to those processes
+ adopted by the developer to progress the TOE from the
+ implementation representation to a state acceptable for
+ delivery to the end customer.
+
+ The evaluator verifies the existence of automated
+ production support procedures within the CM plan.
+
+ The following are examples for automated means
+ supporting the production of the TOE:
+
+
+ a ``make'' tool (as provided with many software
+ development tools) in the case of a software TOE;
+
+
+ a tool ensuring automatically (for example by means
+ of bar codes) that only parts are combined which
+ indeed belong together in the case of a hardware
+ TOE.
+
+
+
+
+
+
+ The evaluator shall examine the TOE production support
+ procedures to determine that they are effective in
+ ensuring that a TOE is generated that reflects its
+ implementation representation.
+
+ The production support procedures should describe which
+ tools have to be used to produce the final TOE from the
+ implementation representation in a clearly defined
+ way. The conventions, directives, or other necessary
+ constructs are described under .
+
+ The evaluator determines that by following the
+ production support procedures the correct configuration
+ items would be used to generate the TOE. For example, in
+ a software TOE this may include checking that the
+ automated production procedures ensure that all source
+ files and related libraries are included in the compiled
+ object code. Moreover, the procedures should ensure that
+ compiler options and comparable other options are
+ defined uniquely. For a hardware TOE, this work unit may
+ include checking that the automatic production
+ procedures ensure that the belonging parts are built
+ together and no parts are missing.
+
+ The customer can then be confident that the version of
+ the TOE delivered for installation is derived from the
+ implementation representation in an unambiguous way and
+ implements the SFRs as described in the ST.
+
+ The evaluator should bear in mind that the CM system
+ need not necessarily possess the capability to produce
+ the TOE, but should provide support for the process that
+ will help reduce the probability of human error.
+
+
+
+
+ The evaluator shall check that the CM documentation
+ provided includes a CM plan.
+ The CM plan does not need to be contained within a single
+ document, but it is recommended that there is a separate
+ document that describes where the various parts of the CM plan
+ can be found. If the CM plan is provided by a set of documents,
+ the list in the following work unit gives guidance regarding the
+ required content.
+
+
+
+
+ The evaluator shall examine the CM plan to determine
+ that it describes how the CM system is used for the
+ development of the TOE.
+
+ The descriptions contained in a CM plan include, if
+ applicable:
+
+
+ all activities performed in the TOE development that
+ are subject to configuration management procedures
+ (e.g. creation, modification or deletion of a
+ configuration item, data-backup, archiving);
+
+
+ which means (e.g. CM tools, forms) have to be made
+ available;
+
+
+ the usage of the CM tools: the necessary details for
+ a user of the CM system to be able to operate the CM
+ tools correctly in order to maintain the integrity
+ of the TOE;
+
+
+ the production support procedures;
+
+
+ which other objects (development components, tools,
+ assessment environments, etc) are taken under CM
+ control;
+
+
+ the roles and responsibilities of individuals
+ required to perform operations on individual
+ configuration items (different roles may be
+ identified for different types of configuration
+ items (e.g. design documentation or source code));
+
+
+ how CM instances (e.g. change control boards,
+ interface control working groups) are introduced and
+ staffed;
+
+
+ the description of the change management;
+
+
+ the procedures that are used to ensure that only
+ authorised individuals can make changes to
+ configuration items;
+
+
+ the procedures that are used to ensure that
+ concurrency problems do not occur as a result of
+ simultaneous changes to configuration items;
+
+
+ the evidence that is generated as a result of
+ application of the procedures. For example, for a
+ change to a configuration item, the CM system might
+ record a description of the change, accountability
+ for the change, identification of all configuration
+ items affected, status (e.g. pending or completed),
+ and date and time of the change. This might be
+ recorded in an audit trail of changes made or change
+ control records;
+
+
+ the approach to version control and unique
+ referencing of TOE versions (e.g. covering the
+ release of patches in operating systems, and the
+ subsequent detection of their application).
+
+
+
+
+
+
+ The evaluator shall examine the CM plan to determine
+ that it describes the procedures used to accept modified
+ or newly created configuration items as parts of the
+ TOE.
+
+ The descriptions of the acceptance procedures in the CM
+ plan should include the developer roles or individuals
+ responsible for the acceptance and the criteria to be
+ used for acceptance. They should take into account all
+ acceptance situations that may occur, in particular:
+
+
+ accepting an item into the CM system for the first
+ time, in particular inclusion of software, firmware
+ and hardware components from other manufacturers
+ into the TOE (``integration'');
+
+
+ moving configuration items to the next life-cycle
+ phase at each stage of the construction of the TOE
+ (e.g. module, subsystem, system);
+
+
+ subsequent to transports between different
+ development sites.
+
+
+
+ If this work unit is applied to a dependent component
+ that is going to be integrated in a composed TOE, the CM
+ plan should consider the control of base components
+ obtained by the dependent TOE developer.
+
+ When obtaining the components the evaluators are to
+ verify the following:
+
+
+ Transfer of each base component from the base
+ component developer to the integrator (dependent TOE
+ developer) was performed in accordance with the base
+ component TOE's secure delivery procedures, as
+ reported in the base component TOE certification
+ report.
+
+
+ The component received has the same identifiers as
+ those stated in the ST and Certification Report for
+ the component TOE.
+
+
+ All additional material required by a developer for
+ composition (integration) is provided. This is to
+ include the necessary extract of the component TOE's
+ functional specification.
+
+
+
+
+
+
+ The evaluator shall check that the configuration items
+ identified in the configuration list are being
+ maintained by the CM system.
+
+ The CM system employed by the developer should maintain the
+ integrity of the TOE. The evaluator should check that for each
+ type of configuration item (e.g. design documents or source code
+ modules) contained in the configuration list there are examples
+ of the evidence generated by the procedures described in the CM
+ plan. In this case, the approach to sampling will depend upon
+ the level of granularity used in the CM system to control CM
+ items. Where, for example, 10,000 source code modules are
+ identified in the configuration list, a different sampling
+ strategy needs to be applied compared to the case in which there
+ are only 5, or even 1. The emphasis of this activity should be
+ on ensuring that the CM system is being operated correctly,
+ rather than on the detection of any minor error.
+
+ For guidance on sampling see .
+
+
+
+
+ The evaluator shall check the CM documentation to
+ ascertain that it includes the CM system records
+ identified by the CM plan.
+
+ The output produced by the CM system should provide the
+ evidence that the evaluator needs to be confident that
+ the CM plan is being applied, and also that all
+ configuration items are being maintained by the CM
+ system as required by . Example output could include change
+ control forms, or configuration item access approval
+ forms.
+
+
+
+
+ The evaluator shall examine the evidence to determine
+ that the CM system is being operated in accordance with
+ the CM plan.
+
+ The evaluator should select and examine a sample of
+ evidence covering each type of CM-relevant operation
+ that has been performed on a configuration item
+ (e.g. creation, modification, deletion, reversion to an
+ earlier version) to confirm that all operations of the
+ CM system have been carried out in line with documented
+ procedures. The evaluator confirms that the evidence
+ includes all the information identified for that
+ operation in the CM plan. Examination of the evidence
+ may require access to a CM tool that is used. The
+ evaluator may choose to sample the evidence.
+
+ For guidance on sampling see .
+
+ Further confidence in the correct operation of the CM system and
+ the effective maintenance of configuration items may be
+ established by means of interviews with selected development
+ staff. In conducting such interviews, the evaluator aims
+ to gain a deeper understanding of how the CM system is used in
+ practise as well as to confirm that the CM procedures are being
+ applied as described in the CM documentation. Note that such
+ interviews should complement rather than replace the examination
+ of documentary evidence, and may not be necessary if the
+ documentary evidence alone satisfies the requirement. However,
+ given the wide scope of the CM plan it is possible that some
+ aspects (e.g. roles and responsibilities) may not be clear from
+ the CM plan and records alone. This is one case where
+ clarification may be necessary through interviews.
+
+ It is expected that the evaluator will visit the
+ development site in support of this activity.
+
+ For guidance on site visits see .
+
+
+
+
+
+
+
+
+
+
+ A unique reference is required to ensure that there is no
+ ambiguity in terms of which instance of the TOE is being
+ evaluated. Labelling the TOE with its reference ensures
+ that users of the TOE can be aware of which instance of
+ the TOE they are using.
+
+ Unique identification of the configuration items leads to
+ a clearer understanding of the composition of the TOE,
+ which in turn helps to determine those items which are
+ subject to the evaluation requirements for the TOE.
+
+ The use of a CM system increases assurance that the
+ configuration items are maintained in a controlled
+ manner.
+
+ Providing controls to ensure that unauthorised
+ modifications are not made to the TOE (``CM access
+ control''), and ensuring proper functionality and use of
+ the CM system, helps to maintain the integrity of the
+ TOE.
+
+ The purpose of the acceptance procedures is to ensure that
+ the parts of the TOE are of adequate quality and to
+ confirm that any creation or modification of configuration
+ items is authorised. Acceptance procedures are an
+ essential element in integration processes and in the
+ life-cycle management of the TOE.
+
+ In development environments where the configuration items
+ are complex, it is difficult to control changes without
+ the support of automated tools. In particular, these
+ automated tools need to be able to support the numerous
+ changes that occur during development and ensure that
+ those changes are authorised. It is an objective of this
+ component to ensure that the configuration items are
+ controlled through automated means. If the TOE is
+ developed by multiple developers, i.e. integration has to
+ take place, the use of automatic tools is adequate.
+
+ Production support procedures help to ensure that the
+ generation of the TOE from a managed set of configuration
+ items is correctly performed in an authorised manner,
+ particularly in the case when different developers are
+ involved and integration processes have to be carried
+ out.
+
+ Requiring that the CM system be able to identify the
+ version of the implementation representation from which
+ the TOE is generated helps to ensure that the integrity of
+ this material is preserved by the appropriate technical,
+ physical and procedural safeguards.
+
+ Providing an automated means of ascertaining changes
+ between versions of the TOE and identifying which
+ configuration items are affected by modifications to other
+ configuration items assists in determining the impact of
+ the changes between successive versions of the TOE. This
+ in turn can provide valuable information in determining
+ whether changes to the TOE result in all configuration
+ items being consistent with one another.
+
+
+
+ The objectives of this sub-activity are to determine
+ whether the developer has clearly identified the TOE and
+ its associated configuration items, and whether the
+ ability to modify these items is properly controlled by
+ automated tools, thus making the CM system less
+ susceptible to human error or negligence.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the TOE suitable for testing;
+
+
+ the configuration management documentation.
+
+
+
+
+ The developer shall provide the TOE and a reference for the
+ TOE.
+
+
+ The developer shall provide the CM documentation.
+
+
+ The developer shall use a CM system.
+
+
+ The TOE shall be labelled with its unique reference.
+
+
+ The CM documentation shall describe the method used to
+ uniquely identify the configuration items.
+
+
+ The CM documentation shall justify that the acceptance
+ procedures provide for an adequate and appropriate review of
+ changes to all configuration items.
+
+
+ The CM system shall uniquely identify all configuration
+ items.
+
+
+ The CM system shall provide automated measures such that
+ only authorised changes are made to the configuration items.
+
+
+ The CM system shall support the production of the TOE by
+ automated means.
+
+
+ The CM system shall ensure that the person responsible for
+ accepting a configuration item into CM is not the person who
+ developed it.
+
+
+ The CM system shall identify the configuration items that
+ comprise the TSF.
+
+
+ The CM system shall support the audit of all changes to the
+ TOE by automated means, including the originator, date, and
+ time in the audit trail.
+
+
+ The CM system shall provide an automated means to identify
+ all other configuration items that are affected by the
+ change of a given configuration item.
+
+
+ The CM system shall be able to identify the version of the
+ implementation representation from which the TOE is
+ generated.
+
+
+ The CM documentation shall include a CM plan.
+
+
+ The CM plan shall describe how the CM system is used for the
+ development of the TOE.
+
+
+ The CM plan shall describe the procedures used to accept
+ modified or newly created configuration items as part of the
+ TOE.
+
+
+ The evidence shall demonstrate that all configuration items
+ are being maintained under the CM system.
+
+
+ The evidence shall demonstrate that the CM system is being
+ operated in accordance with the CM plan.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the TOE provided for
+ evaluation is labelled with its reference.
+
+ The evaluator should ensure that the TOE contains the
+ unique reference which is stated in the ST. This could
+ be achieved through labelled packaging or media, or by a
+ label displayed by the operational TOE. This is to
+ ensure that it would be possible for consumers to
+ identify the TOE (e.g. at the point of purchase or
+ use).
+
+ The TOE may provide a method by which it can be easily
+ identified. For example, a software TOE may display its
+ name and version number during the start up routine, or
+ in response to a command line entry. A hardware or
+ firmware TOE may be identified by a part number
+ physically stamped on the TOE.
+
+ Alternatively, the unique reference provided for the TOE
+ may be the combination of the unique reference of each
+ component from which the TOE is comprised (e.g. in the
+ case of a composed TOE).
+
+
+
+ The evaluator shall check that the TOE references used
+ are consistent.
+
+ If the TOE is labelled more than once then the labels
+ have to be consistent. For example, it should be
+ possible to relate any labelled guidance documentation
+ supplied as part of the TOE to the evaluated operational
+ TOE. This ensures that consumers can be confident that
+ they have purchased the evaluated version of the TOE,
+ that they have installed this version, and that they
+ have the correct version of the guidance to operate the
+ TOE in accordance with its ST.
+
+ The evaluator also verifies that the TOE reference is
+ consistent with the ST.
+
+ If this work unit is applied to a composed TOE, the
+ following will apply. The composed IT TOE will not be
+ labelled with its unique (composite) reference, but only
+ the individual components will be labelled with their
+ appropriate TOE reference. It would require further
+ development for the IT TOE to be labelled, i.e. during
+ start-up and/or operation, with the composite reference.
+ If the composed TOE is delivered as the constituent
+ component TOEs, then the TOE items delivered will not
+ contain the composite reference. However, the composed
+ TOE ST will include the unique reference for the
+ composed TOE and will identify the components comprising
+ the composed TOE through which the consumers will be
+ able to determine whether they have the appropriate
+ items.
+
+
+
+
+ The evaluator shall examine the method of identifying
+ configuration items to determine that it describes how
+ configuration items are uniquely identified.
+
+ Procedures should describe how the status of each
+ configuration item can be tracked throughout the
+ life-cycle of the TOE. The procedures may be detailed in
+ the CM plan or throughout the CM documentation. The
+ information included should describe:
+
+
+ the method how each configuration item is uniquely
+ identified, such that it is possible to track
+ versions of the same configuration item;
+
+ the method how configuration items are assigned
+ unique identifiers and how they are entered into the
+ CM system;
+
+ the method to be used to identify superseded
+ versions of a configuration item.
+
+
+
+
+
+ The evaluator shall examine the CM documentation to
+ determine that it justifies that the acceptance
+ procedures provide for an adequate and appropriate
+ review of changes to all configuration items.
+
+ The CM documentation should make it sufficiently clear
+ that by following the acceptance procedures only parts
+ of adequate quality are incorporated into the
+ TOE.
+
+
+
+
+ The evaluator shall examine the configuration items to
+ determine that they are identified in a way that is
+ consistent with the CM documentation.
+
+ Assurance that the CM system uniquely identifies all
+ configuration items is gained by examining the
+ identifiers for the configuration items. For both
+ configuration items that comprise the TOE, and drafts of
+ configuration items that are submitted by the developer
+ as evaluation evidence, the evaluator confirms that each
+ configuration item possesses a unique identifier in a
+ manner consistent with the unique identification method
+ that is described in the CM documentation.
+
+
+
+
+ The evaluator shall examine the CM access control
+ measures described in the CM plan (cf. ) to determine that
+ they are automated and effective in preventing
+ unauthorised access to the configuration items.
+
+ The evaluator may use a number of methods to determine
+ that the CM access control measures are effective. For
+ example, the evaluator may exercise the access control
+ measures to ensure that the procedures could not be
+ bypassed. The evaluator may use the outputs generated by
+ the CM system procedures required by . The evaluator may also witness a
+ demonstration of the CM system to ensure that the access
+ control measures employed are operating
+ effectively.
+
+
+
+
+ The evaluator shall check the CM plan (cf. ) for automated
+ procedures for supporting the production of the
+ TOE.
+
+ The term ``production'' applies to those processes
+ adopted by the developer to progress the TOE from the
+ implementation representation to a state acceptable for
+ delivery to the end customer.
+
+ The evaluator verifies the existence of automated
+ production support procedures within the CM plan.
+
+ The following are examples for automated means
+ supporting the production of the TOE:
+
+
+ a ``make'' tool (as provided with many software
+ development tools) in the case of a software TOE;
+
+
+ a tool ensuring automatically (for example by means
+ of bar codes) that only parts are combined which
+ indeed belong together in the case of a hardware
+ TOE.
+
+
+
+
+
+
+ The evaluator shall examine the TOE production support
+ procedures to determine that they are effective in
+ ensuring that a TOE is generated that reflects its
+ implementation representation.
+
+ The production support procedures should describe which
+ tools have to be used to produce the final TOE from the
+ implementation representation in a clearly defined
+ way. The conventions, directives, or other necessary
+ constructs are described under .
+
+ The evaluator determines that by following the
+ production support procedures the correct configuration
+ items would be used to generate the TOE. For example, in
+ a software TOE this may include checking that the
+ automated production procedures ensure that all source
+ files and related libraries are included in the compiled
+ object code. Moreover, the procedures should ensure that
+ compiler options and comparable other options are
+ defined uniquely. For a hardware TOE, this work unit may
+ include checking that the automatic production
+ procedures ensure that the belonging parts are built
+ together and no parts are missing.
+
+ The customer can then be confident that the version of
+ the TOE delivered for installation is derived from the
+ implementation representation in an unambiguous way and
+ implements the SFRs as described in the ST.
+
+ The evaluator should bear in mind that the CM system
+ need not necessarily possess the capability to produce
+ the TOE, but should provide support for the process that
+ will help reduce the probability of human error.
+
+
+
+
+ The evaluator shall examine the CM system to determine
+ that it ensures that the person responsible for
+ accepting a configuration item is not the person who
+ developed it.
+
+ The acceptance procedures describe who is responsible
+ for accepting a configuration item. From these
+ descriptions, the evaluator should be able to determine
+ that the person who developed a configuration item is in
+ no case responsible for its acceptance.
+
+
+
+
+ The evaluator shall examine the CM system to determine
+ that it identifies the configuration items that comprise
+ the TSF.
+
+ The CM documentation should describe how the CM system
+ identifies the configuration items that comprise the
+ TSF. The evaluator should select a sample of
+ configuration items covering each type of items,
+ particularly containing TSF and non-TSF items, and check
+ that they are correctly classified by the CM
+ system.
+
+ For guidance on sampling see .
+
+
+
+
+ The evaluator shall examine the CM system to determine
+ that it supports the audit of all changes to the TOE by
+ automated means, including the originator, date, and
+ time in the audit trail.
+
+ The evaluator should inspect a sample of audit trails
+ and check, if they contain the minimum
+ information.
+
+
+
+
+ The evaluator shall examine the CM system to determine
+ that it provides an automated means to identify all
+ other configuration items that are affected by the
+ change of a given configuration item.
+
+ The CM documentation should describe how the CM system
+ identifies all other configuration items that are
+ affected by the change of a given configuration
+ item. The evaluator should select a sample of
+ configuration items, covering all types of items, and
+ exercise the automated means to determine that it
+ identifies all items that are affected by the change of
+ the selected item.
+
+ For guidance on sampling see .
+
+
+
+
+ The evaluator shall examine the CM system to determine
+ that it is able to identify the version of the
+ implementation representation from which the TOE is
+ generated.
+
+ The CM documentation should describe how the CM system
+ identifies the version of the implementation
+ representation from which the TOE is generated. The
+ evaluator should select a sample of the parts used to
+ produce the TOE and should apply the CM system to verify
+ that it identifies the corresponding implementation
+ representation in the correct version.
+
+ For guidance on sampling see .
+
+
+
+
+ The evaluator shall check that the CM documentation provided
+ includes a CM plan.
+ The CM plan needs not to be a connected document, but it is
+ recommended that there is a single document that describes where
+ the various parts of the CM plan can be found. If the CM plan is
+ no single document, the list in the following work unit gives
+ hints regarding which context is expected.
+
+
+
+
+ The evaluator shall examine the CM plan to determine
+ that it describes how the CM system is used for the
+ development of the TOE.
+
+ The descriptions contained in a CM plan include, if
+ applicable:
+
+
+ all activities performed in the TOE development that
+ are subject to configuration management procedures
+ (e.g. creation, modification or deletion of a
+ configuration item, data-backup, archiving);
+
+
+ which means (e.g. CM tools, forms) have to be made
+ available;
+
+
+ the usage of the CM tools: the necessary details for
+ a user of the CM system to be able to operate the CM
+ tools correctly in order to maintain the integrity
+ of the TOE;
+
+
+ the production support procedures;
+
+
+ which other objects (development components, tools,
+ assessment environments, etc) are taken under CM
+ control;
+
+
+ the roles and responsibilities of individuals
+ required to perform operations on individual
+ configuration items (different roles may be
+ identified for different types of configuration
+ items (e.g. design documentation or source code));
+
+
+ how CM instances (e.g. change control boards,
+ interface control working groups) are introduced and
+ staffed;
+
+
+ the description of the change management;
+
+
+ the procedures that are used to ensure that only
+ authorised individuals can make changes to
+ configuration items;
+
+
+ the procedures that are used to ensure that
+ concurrency problems do not occur as a result of
+ simultaneous changes to configuration items;
+
+
+ the evidence that is generated as a result of
+ application of the procedures. For example, for a
+ change to a configuration item, the CM system might
+ record a description of the change, accountability
+ for the change, identification of all configuration
+ items affected, status (e.g. pending or completed),
+ and date and time of the change. This might be
+ recorded in an audit trail of changes made or change
+ control records;
+
+
+ the approach to version control and unique
+ referencing of TOE versions (e.g. covering the
+ release of patches in operating systems, and the
+ subsequent detection of their application).
+
+
+
+
+
+
+ The evaluator shall examine the CM plan to determine
+ that it describes the procedures used to accept modified
+ or newly created configuration items as parts of the
+ TOE.
+
+ The descriptions of the acceptance procedures in the CM
+ plan should include the developer roles or individuals
+ responsible for the acceptance and the criteria to be
+ used for acceptance. They should take into account all
+ acceptance situations that may occur, in particular:
+
+
+ accepting an item into the CM system for the first
+ time, in particular inclusion of software, firmware
+ and hardware components from other manufacturers
+ into the TOE (``integration'');
+
+
+ moving configuration items to the next life-cycle
+ phase at each stage of the construction of the TOE
+ (e.g. module, subsystem, system);
+
+
+ subsequent to transports between different
+ development sites.
+ + + + + + + The evaluator shall check that the configuration items + identified in the configuration list are being + maintained by the CM system. + + The CM system employed by the developer should maintain the + integrity of the TOE. The evaluator should check that for each + type of configuration item (e.g. design documents or source code + modules) contained in the configuration list there are examples + of the evidence generated by the procedures described in the CM + plan. In this case, the approach to sampling will depend upon + the level of granularity used in the CM system to control CM + items. Where, for example, 10,000 source code modules are + identified in the configuration list, a different sampling + strategy needs to be applied compared to the case in which there + are only 5, or even 1. The emphasis of this activity should be + on ensuring that the CM system is being operated correctly, + rather than on the detection of any minor error. + + For guidance on sampling see . + + + + + The evaluator shall check the CM documentation to + ascertain that it includes the CM system records + identified by the CM plan. + + The output produced by the CM system should provide the + evidence that the evaluator needs to be confident that + the CM plan is being applied, and also that all + configuration items are being maintained by the CM + system as required by . Example output could include + change control forms, or configuration item access + approval forms. + + + + + The evaluator shall examine the evidence to determine + that the CM system is being operated in accordance with + the CM plan. + + The evaluator should select and examine a sample of + evidence covering each type of CM-relevant operation + that has been performed on a configuration item + (e.g. creation, modification, deletion, reversion to an + earlier version) to confirm that all operations of the + CM system have been carried out in line with documented + procedures. 
The evaluator confirms that the evidence
+ includes all the information identified for that
+ operation in the CM plan. Examination of the evidence
+ may require access to a CM tool that is used. The
+ evaluator may choose to sample the evidence.
+
+ For guidance on sampling see .
+
+ Further confidence in the correct operation of the CM system and
+ the effective maintenance of configuration items may be
+ established by means of interviews with selected development
+ staff. In conducting such interviews, the evaluator aims
+ to gain a deeper understanding of how the CM system is used in
+ practise as well as to confirm that the CM procedures are being
+ applied as described in the CM documentation. Note that such
+ interviews should complement rather than replace the examination
+ of documentary evidence, and may not be necessary if the
+ documentary evidence alone satisfies the requirement. However,
+ given the wide scope of the CM plan it is possible that some
+ aspects (e.g. roles and responsibilities) may not be clear from
+ the CM plan and records alone. This is one case where
+ clarification may be necessary through interviews.
+
+ It is expected that the evaluator will visit the
+ development site in support of this activity.
+
+ For guidance on site visits see .
+
+
+
+ The evaluator shall determine that the application of the
+ production support procedures results in a TOE as provided
+ by the developer for testing activities.
+
+
+ The evaluator shall examine the production support
+ procedures to determine that by following these
+ procedures a TOE would be produced like that one
+ provided by the developer for testing activities.
+
+ If the TOE is a small software TOE and production
+ consists of compiling and linking, the evaluator might
+ confirm the adequacy of the production support
+ procedures by reapplying them himself.
+
+ If the production process of the TOE is more complicated
+ (as for example in the case of a smart card), but has
+ already started, the evaluator should inspect the
+ application of the production support procedures during
+ a visit of the development site. He might compare a copy
+ of the TOE produced in his presence with the samples
+ used for his testing activities.
+
+ For guidance on site visits see .
+
+ Otherwise the evaluator's determination should be based
+ on the documentary evidence provided by the
+ developer.
+
+ This work unit may be performed in conjunction with the
+ evaluation activities under .
+
+
+
+
+
+
+
+ The objective of this family is to identify items to be
+ included as configuration items and hence placed under the
+ CM requirements of .
+ Applying configuration management to these additional items
+ provides additional assurance that the integrity of TOE is
+ maintained.
+
+
+
+ Configuration management scope indicates the TOE items that
+ need to be controlled by the configuration management
+ system.
+
+
+
+ The components in this family are levelled on the basis of
+ which of the following are required to be included as
+ configuration items: the TOE and the evaluation evidence
+ required by the SARs; the parts of the TOE; the
+ implementation representation; security flaws; and
+ development tools and related information.
+
+
+
+ While mandates a list of
+ configuration items and that each item on this list be under
+ CM, leaves the contents of
+ the configuration list to the discretion of the
+ developer. narrows this
+ discretion by identifying items that must be included in the
+ configuration list, and hence come under the CM requirements
+ of .
+
+
+
+
+ A CM system can control changes only to those items that
+ have been placed under CM (i.e., the configuration items
+ identified in the configuration list).
Placing the TOE
+ itself and the evaluation evidence required by the other
+ SARs in the ST under CM provides assurance that they have
+ been modified in a controlled manner with proper
+ authorisations.
+
+
+
+ introduces the
+ requirement that the TOE itself and the evaluation
+ evidence required by the other SARs in the ST be included
+ in the configuration list and hence be subject to the CM
+ requirements of .
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer performs configuration management on the TOE
+ and the evaluation evidence. These configuration items are
+ controlled in accordance with .
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the configuration list.
+
+
+
+
+ The developer shall provide a configuration list for the
+ TOE.
+
+
+ The configuration list shall include the following: the TOE
+ itself; and the evaluation evidence required by the SARs.
+
+
+ The configuration list shall uniquely identify the
+ configuration items.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the configuration list
+ includes the following set of items:
+
+
+ the TOE itself;
+
+
+ the evaluation evidence required by the SARs in the
+ ST.
+
+
+
+
+
+
+ The evaluator shall examine the configuration list to
+ determine that it uniquely identifies each configuration
+ item.
+
+ The configuration list contains sufficient information
+ to uniquely identify which version of each item has been
+ used (typically a version number). Use of this list will
+ enable the evaluator to check that the correct
+ configuration items, and the correct version of each
+ item, have been used during the evaluation.
+
+
+
+
+
+
+
+ A CM system can control changes only to those items that
+ have been placed under CM (i.e., the configuration items
+ identified in the configuration list).
Placing the TOE
+ itself, the parts that comprise the TOE, and the
+ evaluation evidence required by the other SARs under CM
+ provides assurance that they have been modified in a
+ controlled manner with proper authorisations.
+
+
+
+ introduces the
+ requirement that the parts that comprise the TOE (all
+ parts that are delivered to the consumer, for example
+ hardware parts or executable files) be included in the
+ configuration list and hence be subject to the CM
+ requirements of .
+
+ introduces the
+ requirement that the configuration list indicate the
+ developer of each TSF relevant configuration
+ item. ``Developer'' here does not refer to a person, but
+ to the organisation responsible for the development of the
+ item.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the configuration list includes the TOE, the parts that
+ comprise the TOE, and the evaluation evidence. These configuration items are
+ controlled in accordance with .
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the configuration list.
+
+
+
+
+ The developer shall provide a configuration list for the
+ TOE.
+
+
+ The configuration list shall include the following: the TOE
+ itself; the evaluation evidence required by the SARs; and
+ the parts that comprise the TOE.
+
+
+ The configuration list shall uniquely identify the
+ configuration items.
+
+
+ For each TSF relevant configuration item, the configuration
+ list shall indicate the developer of the item.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the configuration list
+ includes the following set of items:
+
+ the TOE itself;
+
+ the parts that comprise the TOE;
+
+ the evaluation evidence required by the SARs.
+
+
+
+
+
+
+ The evaluator shall examine the configuration list to
+ determine that it uniquely identifies each configuration
+ item.
+
+ The configuration list contains sufficient information
+ to uniquely identify which version of each item has been
+ used (typically a version number). Use of this list will
+ enable the evaluator to check that the correct
+ configuration items, and the correct version of each
+ item, have been used during the evaluation.
+
+
+
+
+ The evaluator shall check that the configuration list
+ indicates the developer of each TSF relevant
+ configuration item.
+
+ If only one developer is involved in the development of
+ the TOE, this work unit is not applicable, and is
+ therefore considered to be satisfied.
+
+
+
+
+
+
+
+ A CM system can control changes only to those items that
+ have been placed under CM (i.e., the configuration items
+ identified in the configuration list). Placing the TOE
+ itself, the parts that comprise the TOE, the TOE
+ implementation representation and the evaluation evidence
+ required by the other SARs under CM provides assurance
+ that they have been modified in a controlled manner with
+ proper authorisations.
+
+
+
+ introduces the
+ requirement that the TOE implementation representation be
+ included in the list of configuration items and hence be
+ subject to the CM requirements of .
+
+
+
+ The objective of this sub-activity is to determine whether
+ the configuration list includes the TOE, the parts that
+ comprise the TOE, the TOE implementation representation,
+ and the evaluation evidence. These configuration items are
+ controlled in accordance with .
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the configuration list.
+
+
+
+
+ The developer shall provide a configuration list for the
+ TOE.
+
+
+ The configuration list shall include the following: the TOE
+ itself; the evaluation evidence required by the SARs; the
+ parts that comprise the TOE; and the implementation
+ representation.
+
+
+ The configuration list shall uniquely identify the
+ configuration items.
+
+
+ For each TSF relevant configuration item, the configuration
+ list shall indicate the developer of the item.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the configuration list
+ includes the following set of items:
+
+
+ the TOE itself;
+
+
+ the parts that comprise the TOE;
+
+
+ the TOE implementation representation;
+
+
+ the evaluation evidence required by the SARs in the
+ ST.
+
+
+
+
+
+
+ The evaluator shall examine the configuration list to
+ determine that it uniquely identifies each configuration
+ item.
+
+ The configuration list contains sufficient information
+ to uniquely identify which version of each item has been
+ used (typically a version number). Use of this list will
+ enable the evaluator to check that the correct
+ configuration items, and the correct version of each
+ item, have been used during the evaluation.
+
+
+
+
+ The evaluator shall check that the configuration list
+ indicates the developer of each TSF relevant
+ configuration item.
+
+ If only one developer is involved in the development of
+ the TOE, this work unit is not applicable, and is
+ therefore considered to be satisfied.
+
+
+
+
+
+
+
+ A CM system can control changes only to those items that
+ have been placed under CM (i.e., the configuration items
+ identified in the configuration list). Placing the TOE
+ itself, the parts that comprise the TOE, the TOE
+ implementation representation and the evaluation evidence
+ required by the other SARs under CM provides assurance
+ that they have been modified in a controlled manner with
+ proper authorisations.
+
+ Placing security flaws under CM ensures that security flaw
+ reports are not lost or forgotten, and allows a developer
+ to track security flaws to their resolution.
+
+
+
+ introduces the
+ requirement that security flaws be included in the
+ configuration list and hence be subject to the CM
+ requirements of . This
+ requires that information regarding previous security
+ flaws and their resolution be maintained, as well as
+ details regarding current security flaws.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the configuration list includes the TOE, the parts that
+ comprise the TOE, the TOE implementation representation,
+ security flaws, and the evaluation evidence. These configuration items are
+ controlled in accordance with .
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the configuration list.
+
+
+
+
+ The developer shall provide a configuration list for the
+ TOE.
+
+
+ The configuration list shall include the following: the TOE
+ itself; the evaluation evidence required by the SARs; the
+ parts that comprise the TOE; the implementation
+ representation; and security flaw reports and resolution
+ status.
+
+
+ The configuration list shall uniquely identify the
+ configuration items.
+
+
+ For each TSF relevant configuration item, the configuration
+ list shall indicate the developer of the item.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the configuration list
+ includes the following set of items:
+
+
+ the TOE itself;
+
+
+ the parts that comprise the TOE;
+
+
+ the TOE implementation representation;
+
+
+ the evaluation evidence required by the SARs in the
+ ST;
+
+
+ the documentation used to record details of reported
+ security flaws associated with the implementation
+ (e.g., problem status reports derived from a
+ developer's problem database).
+
+
+
+
+
+
+ The evaluator shall examine the configuration list to
+ determine that it uniquely identifies each configuration
+ item.
+
+ The configuration list contains sufficient information
+ to uniquely identify which version of each item has been
+ used (typically a version number). Use of this list will
+ enable the evaluator to check that the correct
+ configuration items, and the correct version of each
+ item, have been used during the evaluation.
+
+
+
+
+ The evaluator shall check that the configuration list
+ indicates the developer of each TSF relevant
+ configuration item.
+
+ If only one developer is involved in the development of
+ the TOE, this work unit is not applicable, and is
+ therefore considered to be satisfied.
+
+
+
+
+
+
+
+ A CM system can control changes only to those items that
+ have been placed under CM (i.e., the configuration items
+ identified in the configuration list). Placing the TOE
+ itself, the parts that comprise the TOE, the TOE
+ implementation representation and the evaluation evidence
+ required by the other SARs under CM provides assurance
+ that they have been modified in a controlled manner with
+ proper authorisations.
+
+ Placing security flaws under CM ensures that security flaw
+ reports are not lost or forgotten, and allows a developer
+ to track security flaws to their resolution.
+
+ Development tools play an important role in ensuring the
+ production of a quality version of the TOE. Therefore, it
+ is important to control modifications to these
+ tools.
+
+
+
+ introduces the
+ requirement that development tools and other related
+ information be included in the list of configuration items
+ and hence be subject to the CM requirements of . Examples of development tools
+ are programming languages and compilers. Information
+ pertaining to TOE generation items (such as compiler
+ options, generation options, and build options) is an
+ example of information relating to development
+ tools.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the configuration list includes the TOE, the parts that
+ comprise the TOE, the TOE implementation representation,
+ security flaws, development tools and related information,
+ and the evaluation evidence. These configuration items are
+ controlled in accordance with .
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the configuration list.
+
+
+
+
+ The developer shall provide a configuration list for the
+ TOE.
+
+
+ The configuration list shall include the following: the TOE
+ itself; the evaluation evidence required by the SARs; the
+ parts that comprise the TOE; the implementation
+ representation; security flaw reports and resolution status;
+ and development tools and related information.
+
+
+ The configuration list shall uniquely identify the
+ configuration items.
+
+
+ For each TSF relevant configuration item, the configuration
+ list shall indicate the developer of the item.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the configuration list
+ includes the following set of items:
+
+
+ the TOE itself;
+
+
+ the parts that comprise the TOE;
+
+
+ the TOE implementation representation;
+
+
+ the evaluation evidence required by the SARs in the
+ ST;
+
+
+ the documentation used to record details of reported
+ security flaws associated with the implementation
+ (e.g., problem status reports derived from a
+ developer's problem database);
+
+
+ all tools (incl. test software, if applicable)
+ involved in the development and production of the
+ TOE including the names, versions, configurations
+ and roles of each development tool, and related
+ documentation.
+
+
+ For a software TOE, ``development tools'' are usually
+ programming languages and compiler and ``related documentation''
+ comprises compiler and linker options.
For a hardware TOE,
+ ``development tools'' might be hardware design languages,
+ simulation and synthesis tools, compilers, and ``related
+ documentation'' might comprise compiler options again.
+
+
+
+
+ The evaluator shall examine the configuration list to
+ determine that it uniquely identifies each configuration
+ item.
+
+ The configuration list contains sufficient information
+ to uniquely identify which version of each item has been
+ used (typically a version number). Use of this list will
+ enable the evaluator to check that the correct
+ configuration items, and the correct version of each
+ item, have been used during the evaluation.
+
+
+
+
+ The evaluator shall check that the configuration list
+ indicates the developer of each TSF relevant
+ configuration item.
+
+ If only one developer is involved in the development of
+ the TOE, this work unit is not applicable, and is
+ therefore considered to be satisfied.
+
+
+
+
+
+
+
+ The concern of this family is the secure transfer of the
+ finished TOE from the development environment into the
+ responsibility of the user.
+
+ The requirements for delivery call for system control and
+ distribution facilities and procedures that detail the
+ measures necessary to provide assurance that the security of
+ the TOE is maintained during distribution of the TOE to the
+ user. For a valid distribution of the TOE, the procedures
+ used for the distribution of the TOE address the objectives
+ identified in the PP/ST relating to the security of the TOE
+ during delivery.
+
+
+
+ Delivery covers the procedures used to maintain security
+ during transfer of the TOE to the user, both on initial
+ delivery and as part of subsequent modification. It includes
+ special procedures or operations required to demonstrate the
+ authenticity of the delivered TOE. Such procedures and
+ measures are the basis for ensuring that the security
+ protection offered by the TOE is not compromised during
+ transfer.
While compliance with the delivery requirements
+ cannot always be determined when a TOE is evaluated, it is
+ possible to evaluate the procedures that a developer has
+ developed to distribute the TOE to users.
+
+
+
+ This family contains only one component. An increasing level
+ of protection is established by requiring commensurability
+ of the delivery procedures with the assumed attack potential
+ in the family .
+
+
+
+ Transportations from subcontractors to the developer or
+ between different development sites are not considered here,
+ but in the family .
+
+ The end of the delivery phase is marked by the transfer of
+ the TOE into the responsibility of the user. This does not
+ necessarily coincide with the arrival of the TOE at the
+ user's location.
+
+ The delivery procedures should consider, if applicable,
+ issues such as:
+
+
+ ensuring that the TOE received by the consumer
+ corresponds precisely to the evaluated version of the
+ TOE;
+
+
+ avoiding or detecting any tampering with the actual
+ version of the TOE;
+
+
+ preventing submission of a false version of the TOE;
+
+
+ avoiding unwanted knowledge of distribution of the TOE
+ to the consumer: there might be cases where potential
+ attackers should not know when and how it is delivered;
+
+
+ avoiding or detecting the TOE being intercepted during
+ delivery; and
+
+
+ avoiding the TOE being delayed or stopped during
+ distribution.
+
+
+
+ The delivery procedures should include the recipient's
+ actions implied by these issues. The consistent description
+ of these implied actions is examined in the family, if present.
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the delivery documentation describes all procedures used
+ to maintain security of the TOE when distributing the TOE
+ to the user.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the delivery documentation.
+
+
+
+
+ The developer shall document and provide procedures for delivery of the
+ TOE or parts of it to the consumer.
+
+
+ The developer shall use the delivery procedures.
+
+
+ The evaluator shall examine aspects of the delivery
+ process to determine that the delivery procedures are
+ used.
+
+ The approach taken by the evaluator to check the
+ application of delivery procedures will depend on the
+ nature of the TOE, and the delivery process itself. In
+ addition to examination of the procedures themselves,
+ the evaluator seeks some assurance that they are applied
+ in practise. Some possible approaches are:
+
+
+ a visit to the distribution site(s) where practical
+ application of the procedures may be observed;
+
+
+ examination of the TOE at some stage during
+ delivery, or after the user has received it
+ (e.g. checking for tamper proof seals);
+
+
+ observing that the process is applied in practise
+ when the evaluator obtains the TOE through regular
+ channels;
+
+
+ questioning end users as to how the TOE was
+ delivered.
+
+
+
+ For guidance on site visits see .
+
+ It may be the case of a newly developed TOE that the
+ delivery procedures have yet to be exercised. In these
+ cases, the evaluator has to be satisfied that
+ appropriate procedures and facilities are in place for
+ future deliveries and that all personnel involved are
+ aware of their responsibilities. The evaluator may
+ request a ``dry run'' of a delivery if this is
+ practical. If the developer has produced other similar
+ products, then an examination of procedures in their use
+ may be useful in providing assurance.
+
+
+
+ The delivery documentation shall describe all procedures
+ that are necessary to maintain security when distributing
+ versions of the TOE to the consumer.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the delivery documentation
+ to determine that it describes all procedures that are
+ necessary to maintain security when distributing
+ versions of the TOE or parts of it to the
+ consumer.
+
+ The delivery documentation describes proper procedures
+ to maintain security of the TOE during transfer of the
+ TOE or its component parts and to determine the
+ identification of the TOE.
+
+ The delivery documentation should cover the entire TOE,
+ but may contain different procedures for different parts
+ of the TOE. The evaluation should consider the totality
+ of procedures.
+
+ The delivery procedures should be applicable across all
+ phases of delivery from the production environment to
+ the installation environment (e.g. packaging, storage
+ and distribution). Standard commercial practise for
+ packaging and delivery may be acceptable. This includes
+ shrink wrapped packaging, a security tape or a sealed
+ envelope. For the distribution, physical (e.g. public
+ mail or a private distribution service) or electronic
+ (e.g. electronic mail or downloading off the Internet)
+ procedures may be used.
+
+ Cryptographic checksums or a software signature may be
+ used by the developer to ensure that tampering or
+ masquerading can be detected. Tamper proof seals
+ additionally indicate if the confidentiality has been
+ broken. For software TOEs, confidentiality might be
+ assured by using encryption. If availability is of
+ concern, a secure transportation might be
+ required.
+
+ Interpretation of the term ``necessary to maintain
+ security'' will need to consider:
+
+
+ The nature of the TOE (e.g. whether it is software
+ or hardware).
+
+
+ The overall security level stated for the TOE by the
+ chosen level of the Vulnerability Assessment. If the
+ TOE is required to be resistant against attackers of
+ a certain potential in its intended environment,
+ this should also apply to the delivery of the
+ TOE.
The evaluator should determine that a balanced
+ approach has been taken, such that delivery does not
+ present a weak point in an otherwise secure
+ development process.
+
+
+ The security objectives provided by the ST. The emphasis in the
+ delivery documentation is likely to be on measures related to
+ integrity, as integrity of the TOE is always important. However,
+ confidentiality and availability of the delivery will be of
+ concern in the delivery of some TOEs; procedures relating to
+ these aspects of the secure delivery should also be discussed in
+ the procedures.
+
+
+
+
+
+
+
+
+
+ Development security is concerned with physical, procedural,
+ personnel, and other security measures that may be used in
+ the development environment to protect the TOE and its
+ parts. It includes the physical security of the development
+ location and any procedures used to select development
+ staff.
+
+
+
+ Development security covers the physical, procedural,
+ personnel, and other security measures used in the
+ development environment. It includes physical security of
+ the development location(s) and controls on the selection
+ and hiring of development staff.
+
+
+
+ The components in this family are levelled on the basis of
+ whether justification of the sufficiency of the security
+ measures is required.
+
+
+
+ This family deals with measures to remove or reduce threats
+ existing at the developer's site.
+
+ The evaluator should visit the site(s) in order to assess
+ evidence for development security. This may include sites of
+ subcontractors involved in the TOE development and
+ production. Any decision not to visit shall be agreed with
+ the evaluation authority.
+
+ Although development security deals with the maintenance of
+ the TOE and hence with aspects becoming relevant after the
+ completion of the evaluation, the requirements specify only that the
+ development security measures be in place at the time of
+ evaluation.
Furthermore,
+ does not contain any requirements related to the sponsor's
+ intention to apply the development security measures in the
+ future, after completion of the evaluation.
+
+ It is recognised that confidentiality may not always be an
+ issue for the protection of the TOE in its development
+ environment. The use of the word ``necessary'' allows for
+ the selection of appropriate safeguards.
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer's security controls on the development
+ environment are adequate to provide the confidentiality
+ and integrity of the TOE design and implementation that is
+ necessary to ensure that secure operation of the TOE is
+ not compromised.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the development security documentation.
+
+
+
+ In addition, the evaluator may need to examine other
+ deliverables to determine that the security controls are
+ well-defined and followed. Specifically, the evaluator may
+ need to examine the developer's configuration management
+ documentation (the input for the ``Production support and acceptance
+ procedures'' and the
+ ``Problem tracking CM coverage''). Evidence that the
+ procedures are being applied is also required.
+
+
+ The developer shall produce and provide development security
+ documentation.
+
+
+ The development security documentation shall describe all
+ the physical, procedural, personnel, and other security
+ measures that are necessary to protect the confidentiality
+ and integrity of the TOE design and implementation in its
+ development environment.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the development security
+ documentation to determine that it details all security
+ measures used in the development environment that are
+ necessary to protect the confidentiality and integrity
+ of the TOE design and implementation.
+
+ The evaluator determines what is necessary by first referring to
+ the ST for any information that may assist in the determination
+ of necessary protection.
+
+ If no explicit information is available from the ST the
+ evaluator will need to make a determination of the
+ necessary measures. In cases where the developer's
+ measures are considered less than what is necessary, a
+ clear justification should be provided for the
+ assessment, based on a potential exploitable
+ vulnerability.
+
+ The following types of security measures are considered
+ by the evaluator when examining the documentation:
+
+
+ physical, for example physical access controls used
+ to prevent unauthorised access to the TOE
+ development environment (during normal working hours
+ and at other times);
+
+
+ procedural, for example covering:
+
+
+ granting of access to the development
+ environment or to specific parts of the
+ environment such as development machines
+
+
+ revocation of access rights when a person leaves
+ the development team
+
+
+ transfer of protected material within and out of
+ the development environment and between
+ different development sites in accordance with
+ defined acceptance procedures
+
+
+ admitting and escorting visitors to the
+ development environment
+
+
+ roles and responsibilities in ensuring the
+ continued application of security measures, and
+ the detection of security breaches.
+
+
+
+
+ personnel, for example any controls or checks made
+ to establish the trustworthiness of new development
+ staff;
+
+
+ other security measures, for example the logical
+ protections on any development machines.
+
+
+
+ The development security documentation should identify
+ the locations at which development occurs, and describe
+ the aspects of development performed, along with the
+ security measures applied at each location and for
+ transports between different locations. For example,
+ development could occur at multiple facilities within a
+ single building, multiple buildings at the same site, or
+ at multiple sites. Transports of parts of the TOE or the
+ unfinished TOE between different development sites are
+ to be covered by ,
+ whereas the transport of the finished TOE to the
+ consumer is dealt with in .
+
+ Development includes the production of the TOE.
+
+
+
+
+ The evaluator shall examine the development
+ confidentiality and integrity policies in order to
+ determine the sufficiency of the security measures
+ employed.
+
+ The evaluator should examine whether the following is included
+ in the policies:
+
+ what information relating to the TOE development needs to be
+ kept confidential, and which members of the development
+ staff are allowed to access such material;
+
+ what material must be protected from unauthorised
+ modification in order to preserve the integrity of
+ the TOE, and which members of the development staff
+ are allowed to modify such material.
+
+
+ The evaluator should determine that these policies are
+ described in the development security documentation,
+ that the security measures employed are consistent with
+ the policies, and that they are complete.
+
+ It should be noted that configuration management
+ procedures will help protect the integrity of the TOE
+ and the evaluator should avoid overlap with the
+ work-units conducted for the . For example, the CM documentation may
+ describe the security procedures necessary for
+ controlling the roles or individuals who should have
+ access to the development environment and who may modify
+ the TOE.
+
+ Whereas the
+ requirements are fixed, those for the ,
+ mandating only necessary measures, are dependent on the nature of the TOE,
+ and on information that may be provided in the ST. The evaluators would
+ then determine that such a policy had been applied under this sub-activity.
+
+
+
+ The evaluator shall confirm that the security measures are
+ being applied.
+
+
+ The evaluator shall examine the development security
+ documentation and associated evidence to determine that
+ the security measures are being applied.
+
+ This work unit requires the evaluator to determine that
+ the security measures described in the development
+ security documentation are being followed, such that the
+ integrity of the TOE and the confidentiality of
+ associated documentation is being adequately
+ protected. For example, this could be determined by
+ examination of the documentary evidence
+ provided. Documentary evidence should be supplemented by
+ visiting the development environment. A visit to the
+ development environment will allow the evaluator to:
+
+
+ observe the application of security measures
+ (e.g. physical measures);
+
+
+ examine documentary evidence of application of
+ procedures;
+
+
+ interview development staff to check awareness of
+ the development security policies and procedures,
+ and their responsibilities.
+
+
+
+ A development site visit is a useful means of gaining
+ confidence in the measures being used. Any decision not
+ to make such a visit should be determined in
+ consultation with the evaluation authority.
+
+ For guidance on site visits see .
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer's security controls on the development
+ environment are adequate to provide the confidentiality
+ and integrity of the TOE design and implementation that is
+ necessary to ensure that secure operation of the TOE is
+ not compromised.
Additionally, sufficiency of the measures
+ as applied is intended be justified.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the development security documentation.
+
+
+
+ In addition, the evaluator may need to examine other
+ deliverables to determine that the security controls are
+ well-defined and followed. Specifically, the evaluator may
+ need to examine the developer's configuration management
+ documentation (the input for the ``Production support and acceptance
+ procedures'' and the
+ ``Problem tracking CM coverage''). Evidence that the
+ procedures are being applied is also required.
+
+
+ The developer shall produce and provide development security
+ documentation.
+
+
+ The development security documentation shall describe all
+ the physical, procedural, personnel, and other security
+ measures that are necessary to protect the confidentiality
+ and integrity of the TOE design and implementation in its
+ development environment.
+
+
+ The development security documentation shall justify that
+ the security measures provide the necessary level of
+ protection to maintain the confidentiality and integrity of
+ the TOE.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the development security
+ documentation to determine that it details all security
+ measures used in the development environment that are
+ necessary to protect the confidentiality and integrity
+ of the TOE design and implementation.
+
+ The evaluator determines what is necessary by first referring to
+ the ST for any information that may assist in the determination
+ of necessary protection.
+
+ If no explicit information is available from the ST the
+ evaluator will need to make a determination of the
+ necessary measures.
In cases where the developer's
+ measures are considered less than what is necessary, a
+ clear justification should be provided for the
+ assessment, based on a potential exploitable
+ vulnerability.
+
+ The following types of security measures are considered
+ by the evaluator when examining the documentation:
+
+
+ physical, for example physical access controls used
+ to prevent unauthorised access to the TOE
+ development environment (during normal working hours
+ and at other times);
+
+
+ procedural, for example covering:
+
+
+ granting of access to the development
+ environment or to specific parts of the
+ environment such as development machines
+
+
+ revocation of access rights when a person leaves
+ the development team
+
+
+ transfer of protected material out of the
+ development environment and between different
+ development sites in accordance with defined
+ acceptance procedures
+
+
+ admitting and escorting visitors to the
+ development environment
+
+
+ roles and responsibilities in ensuring the
+ continued application of security measures, and
+ the detection of security breaches.
+
+
+
+
+ personnel, for example any controls or checks made
+ to establish the trustworthiness of new development
+ staff;
+
+
+ other security measures, for example the logical
+ protections on any development machines.
+
+
+
+ The development security documentation should identify
+ the locations at which development occurs, and describe
+ the aspects of development performed, along with the
+ security measures applied at each location and for
+ transports between different locations. For example,
+ development could occur at multiple facilities within a
+ single building, multiple buildings at the same site, or
+ at multiple sites. Transports of parts of the TOE or the
+ unfinished TOE between different development sites are
+ to be covered by the ,
+ whereas the transport of the finished TOE to the
+ consumer is dealt with in the .
+
+ Development includes the production of the TOE.
+
+
+
+
+ The evaluator shall examine the development security
+ documentation to determine that an appropriate
+ justification is given why the security measures provide
+ the necessary level of protection to maintain the
+ confidentiality and integrity of the TOE.
+
+ Since attacks on the TOE or its related information are
+ assumed in different design and production stages,
+ measures and procedures need to have an appropriate
+ level necessary to prevent those attacks or to make them
+ more difficult.
+
+ Since this level depends on the overall attack potential
+ claimed for the TOE (cf. the component chosen), the development
+ security documentation should justify the necessary
+ level of protection to maintain the confidentiality and
+ integrity of the TOE. This level has to be achieved by
+ the security measures applied.
+
+ The concept of protection measures should be consistent,
+ and the justification should include an analysis of how
+ the measures are mutually supportive. All aspects of
+ development and production on all the different sites
+ with all roles involved up to delivery of the TOE should
+ be analysed.
+
+ Justification may include an analysis of potential
+ vulnerabilities taking the applied security measures
+ into account.
+
+ There may be a convincing argument showing that e.g.
+
+
+ The technical measures and mechanisms of the
+ developer's infrastructure are sufficient for
+ keeping the appropriate security level
+ (e.g. cryptographic mechanisms as well as physical
+ protection mechanisms, properties of the CM system
+ (cf. ));
+
+ The system containing the implementation
+ representation of the TOE (including concerning
+ guidance documents) provides effective protection
+ against logical attacks e.g. by ``Trojan'' code or
+ viruses.
It might be adequate, if the implementation
+ representation is kept on an isolated system where
+ only the software necessary to maintain it is
+ installed and where no additional software is
+ installed afterwards.
+
+ Data brought into this system need to be carefully considered to
+ prevent the installation of hidden functionality onto the
+ system. The effectiveness of these measures need to be tested,
+ e.g. by independently trying to get access to the machine,
+ install some additional executable (program, macro etc.) or get
+ some information out of the machine using logical
+ attacks.
+
+ The appropriate organisational (procedural and
+ personal) measures are unconditionally
+ enforced.
+
+
+
+
+ The evaluator shall examine the development
+ confidentiality and integrity policies in order to
+ determine the sufficiency of the security measures
+ employed.
+
+ The evaluator should examine whether the following is included
+ in the policies:
+
+ what information relating to the TOE development needs to be
+ kept confidential, and which members of the development
+ staff are allowed to access such material;
+
+ what material must be protected from unauthorised
+ modification in order to preserve the integrity of
+ the TOE, and which members of the development staff
+ are allowed to modify such material.
+
+
+ The evaluator should determine that these policies are
+ described in the development security documentation,
+ that the security measures employed are consistent with
+ the policies, and that they are complete.
+
+ It should be noted that configuration management
+ procedures will help protect the integrity of the TOE
+ and the evaluator should avoid overlap with the
+ work-units conducted for the . For example, the CM documentation may
+ describe the security procedures necessary for
+ controlling the roles or individuals who should have
+ access to the development environment and who may modify
+ the TOE.
+
+ Whereas the
+ requirements are fixed, those for the , mandating only necessary measures, are
+ dependent on the nature of the TOE, and on information
+ that may be provided in the ST. For example, the ST may
+ identify a security objective for the development
+ environment that requires the TOE to be developed by
+ staff that has security clearance. The evaluators would
+ then determine that such a policy had been applied under
+ this sub-activity.
+
+
+
+ The evaluator shall confirm that the security measures are
+ being applied.
+
+
+ The evaluator shall examine the development security
+ documentation and associated evidence to determine that
+ the security measures are being applied.
+
+ This work unit requires the evaluator to determine that
+ the security measures described in the development
+ security documentation are being followed, such that the
+ integrity of the TOE and the confidentiality of
+ associated documentation is being adequately
+ protected. For example, this could be determined by
+ examination of the documentary evidence
+ provided. Documentary evidence should be supplemented by
+ visiting the development environment. A visit to the
+ development environment will allow the evaluator to:
+
+
+ observe the application of security measures
+ (e.g. physical measures);
+
+
+ examine documentary evidence of application of
+ procedures;
+
+
+ interview development staff to check awareness of
+ the development security policies and procedures,
+ and their responsibilities.
+
+
+
+ A development site visit is a useful means of gaining
+ confidence in the measures being used. Any decision not
+ to make such a visit should be determined in
+ consultation with the evaluation authority.
+
+ For guidance on site visits see .
+
+
+
+
+
+
+
+ Flaw remediation requires that discovered security flaws be
+ tracked and corrected by the developer.
Although future
+ compliance with flaw remediation procedures cannot be
+ determined at the time of the TOE evaluation, it is possible
+ to evaluate the policies and procedures that a developer has
+ in place to track and correct flaws, and to distribute the
+ flaw information and corrections.
+
+
+
+ Flaw remediation ensures that flaws discovered by the TOE
+ consumers will be tracked and corrected while the TOE is
+ supported by the developer. While future compliance with the
+ flaw remediation requirements cannot be determined when a
+ TOE is evaluated, it is possible to evaluate the procedures
+ and policies that a developer has in place to track and
+ repair flaws, and to distribute the repairs to
+ consumers.
+
+
+
+ The components in this family are levelled on the basis of
+ the increasing extent in scope of the flaw remediation
+ procedures and the rigour of the flaw remediation
+ policies.
+
+
+
+ This family provides assurance that the TOE will be
+ maintained and supported in the future, requiring the TOE
+ developer to track and correct flaws in the
+ TOE. Additionally, requirements are included for the
+ distribution of flaw corrections. However, this family does
+ not impose evaluation requirements beyond the current
+ evaluation.
+
+ The TOE user is considered to be the focal point in the user
+ organisation that is responsible for receiving and
+ implementing fixes to security flaws. This is not
+ necessarily an individual user, but may be an organisational
+ representative who is responsible for the handling of
+ security flaws. The use of the term TOE user recognises that
+ different organisations have different procedures for
+ handling flaw reporting, which may be done either by an
+ individual user, or by a central administrative body.
+
+ The flaw remediation procedures should describe the methods
+ for dealing with all types of flaws encountered.
These flaws
+ may be reported by the developer, by users of the TOE, or by
+ other parties with familiarity with the TOE. Some flaws may
+ not be reparable immediately. There may be some occasions
+ where a flaw cannot be fixed and other (e.g. procedural)
+ measures must be taken. The documentation provided should
+ cover the procedures for providing the operational sites
+ with fixes, and providing information on flaws where fixes
+ are delayed (and what to do in the interim) or when fixes
+ are not possible.
+
+ Changes applied to a TOE after its release render it
+ unevaluated; although some information from the original
+ evaluation may still apply. The phrase ``release of the
+ TOE'' used in this family therefore refers to a version of a
+ product that is a release of a certified TOE, to which
+ changes have been applied.
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer has established flaw remediation procedures
+ that describe the tracking of security flaws, the
+ identification of corrective actions, and the distribution
+ of corrective action information to TOE users.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the flaw remediation procedures documentation.
+
+
+
+
+ The developer shall document and provide flaw remediation procedures
+ addressed to TOE developers.
+
+
+ The flaw remediation procedures documentation shall describe
+ the procedures used to track all reported security flaws in
+ each release of the TOE.
+
+
+ The flaw remediation procedures shall require that a
+ description of the nature and effect of each security flaw
+ be provided, as well as the status of finding a correction
+ to that flaw.
+
+
+ The flaw remediation procedures shall require that
+ corrective actions be identified for each of the security
+ flaws.
+
+
+ The flaw remediation procedures documentation shall describe
+ the methods used to provide flaw information, corrections
+ and guidance on corrective actions to TOE users.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures documentation to determine that it describes
+ the procedures used to track all reported security flaws
+ in each release of the TOE.
+
+ The procedures describe the actions that are taken by
+ the developer from the time each suspected security flaw
+ is reported to the time that it is resolved. This
+ includes the flaw's entire time frame, from initial
+ detection through ascertaining that the flaw is a
+ security flaw, to resolution of the security
+ flaw.
+
+ If a flaw is discovered not to be security-relevant,
+ there is no need (for the purposes of the requirements) for the flaw
+ remediation procedures to track it further; only that
+ there be an explanation of why the flaw is not
+ security-relevant.
+
+ While these requirements do not mandate that there be a
+ publicised means for TOE users to report security flaws,
+ they do mandate that all security flaws that are
+ reported be tracked. That is, a reported security flaw
+ cannot be ignored simply because it comes from outside
+ the developer's organisation.
+
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures to determine that the application of these
+ procedures would produce a description of each security
+ flaw in terms of its nature and effects.
+
+ The procedures identify the actions that are taken by
+ the developer to describe the nature and effects of each
+ security flaw in sufficient detail to be able to
+ reproduce it.
The description of the nature of a
+ security flaw addresses whether it is an error in the
+ documentation, a flaw in the design of the TSF, a flaw
+ in the implementation of the TSF, etc. The description
+ of the security flaw's effects identifies the portions
+ of the TSF that are affected and how those portions are
+ affected. For example, a security flaw in the
+ implementation might be found that affects the
+ identification and authentication enforced by the TSF by
+ permitting authentication with the password
+ ``BACK DOOR''.
+
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures to determine that the application of these
+ procedures would identify the status of finding a
+ correction to each security flaw.
+
+ The flaw remediation procedures identify the different
+ stages of security flaws. This differentiation includes
+ at least: suspected security flaws that have been
+ reported, suspected security flaws that have been
+ confirmed to be security flaws, and security flaws whose
+ solutions have been implemented. It is permissible that
+ additional stages (e.g. flaws that have been reported
+ but not yet investigated, flaws that are under
+ investigation, security flaws for which a solution has
+ been found but not yet implemented) be included.
+
+
+
+
+ The evaluator shall check the flaw remediation
+ procedures to determine that the application of these
+ procedures would identify the corrective action for each
+ security flaw.
+
+ Corrective action may consist of a
+ repair to the hardware, firmware, or software portions
+ of the TOE, a modification of TOE guidance, or
+ both. Corrective action that constitutes modifications
+ to TOE guidance (e.g.
details of procedural measures to
+ be taken to obviate the security flaw) includes both
+ those measures serving as only an interim solution
+ (until the repair is issued) as well as those serving as
+ a permanent solution (where it is determined that the
+ procedural measure is the best solution).
+
+ If the source of the security flaw is a documentation
+ error, the corrective action consists of an update of
+ the affected TOE guidance. If the corrective action is a
+ procedural measure, this measure will include an update
+ made to the affected TOE guidance to reflect these
+ corrective procedures.
+
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures documentation to determine that it describes
+ a means of providing the TOE users with the necessary
+ information on each security flaw.
+
+ The necessary information about each
+ security flaw consists of its description (not
+ necessarily at the same level of detail as that provided
+ as part of work unit ), the prescribed corrective action,
+ and any associated guidance on implementing the
+ correction.
+
+ TOE users may be provided with such information,
+ correction, and documentation updates in any of several
+ ways, such as their posting to a website, their being
+ sent to TOE users, or arrangements made for the
+ developer to install the correction. In cases where the
+ means of providing this information requires action to
+ be initiated by the TOE user, the evaluator examines any
+ TOE guidance to ensure that it contains instructions for
+ retrieving the information.
+
+ The only metric for assessing the adequacy of the method
+ used for providing the information, corrections and
+ guidance is that there be a reasonable expectation that
+ TOE users can obtain or receive it. For example,
+ consider the method of dissemination where the requisite
+ data is posted to a website for one month, and the TOE
+ users know that this will happen and when this will
+ happen.
This may not be especially reasonable or
+ effective (as, say, a permanent posting to the website),
+ yet it is feasible that the TOE user could obtain the
+ necessary information. On the other hand, if the
+ information were posted to the website for only one
+ hour, yet TOE users had no way of knowing this or when
+ it would be posted, it is infeasible that they would
+ ever get the necessary information.
+
+
+
+
+
+
+
+ In order for the developer to be able to act appropriately
+ upon security flaw reports from TOE users, and to know to
+ whom to send corrective fixes, TOE users need to
+ understand how to submit security flaw reports to the
+ developer. Flaw remediation guidance from the developer to
+ the TOE user ensures that TOE users are aware of this
+ important information.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer has established flaw remediation procedures
+ that describe the tracking of security flaws, the
+ identification of corrective actions, and the distribution
+ of corrective action information to TOE
+ users. Additionally, this sub-activity determines whether
+ the developer's procedures provide for the corrections of
+ security flaws, for the receipt of flaw reports from TOE
+ users, and for assurance that the corrections introduce no
+ new security flaws.
+
+ In order for the developer to be able to act appropriately
+ upon security flaw reports from TOE users, TOE users need
+ to understand how to submit security flaw reports to the
+ developer, and developers need to know how to receive
+ these reports. Flaw remediation guidance addressed to the
+ TOE user ensures that TOE users are aware of how to
+ communicate with the developer; flaw remediation
+ procedures describe the developer's role is such
+ communication
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the flaw remediation procedures documentation;
+
+
+ flaw remediation guidance documentation.
+
+
+
+
+ The developer shall document and provide flaw remediation procedures
+ addressed to TOE developers.
+
+
+ The developer shall establish a procedure for accepting and
+ acting upon all reports of security flaws and requests for
+ corrections to those flaws.
+
+
+ The developer shall provide flaw remediation guidance
+ addressed to TOE users.
+
+
+ The flaw remediation procedures documentation shall describe
+ the procedures used to track all reported security flaws in
+ each release of the TOE.
+
+
+ The flaw remediation procedures shall require that a
+ description of the nature and effect of each security flaw
+ be provided, as well as the status of finding a correction
+ to that flaw.
+
+
+ The flaw remediation procedures shall require that
+ corrective actions be identified for each of the security
+ flaws.
+
+
+ The flaw remediation procedures documentation shall describe
+ the methods used to provide flaw information, corrections
+ and guidance on corrective actions to TOE users.
+
+
+ The flaw remediation procedures shall describe a means by
+ which the developer receives from TOE users reports and
+ enquiries of suspected security flaws in the TOE.
+
+
+ The procedures for processing reported security flaws shall
+ ensure that any reported flaws are remediated and the
+ remediation procedures issued to TOE users.
+
+
+ The procedures for processing reported security flaws shall
+ provide safeguards that any corrections to these security
+ flaws do not introduce any new flaws.
+
+
+ The flaw remediation guidance shall describe a means by
+ which TOE users report to the developer any suspected
+ security flaws in the TOE.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures documentation to determine that it describes
+ the procedures used to track all reported security flaws
+ in each release of the TOE.
+
+ The procedures describe the actions that are taken by
+ the developer from the time each suspected security flaw
+ is reported to the time that it is resolved. This
+ includes the flaw's entire time frame, from initial
+ detection through ascertaining that the flaw is a
+ security flaw, to resolution of the security
+ flaw.
+
+ If a flaw is discovered not to be security-relevant,
+ there is no need (for the purposes of the requirements) for the flaw
+ remediation procedures to track it further; only that
+ there be an explanation of why the flaw is not
+ security-relevant.
+
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures to determine that the application of these
+ procedures would produce a description of each security
+ flaw in terms of its nature and effects.
+
+ The procedures identify the actions that are taken by
+ the developer to describe the nature and effects of each
+ security flaw in sufficient detail to be able to
+ reproduce it. The description of the nature of a
+ security flaw addresses whether it is an error in the
+ documentation, a flaw in the design of the TSF, a flaw
+ in the implementation of the TSF, etc. The description
+ of the security flaw's effects identifies the portions
+ of the TSF that are affected and how those portions are
+ affected. For example, a security flaw in the
+ implementation might be found that affects the
+ identification and authentication enforced by the TSF by
+ permitting authentication with the password
+ ``BACKDOOR''.
+
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures to determine that the application of these
+ procedures would identify the status of finding a
+ correction to each security flaw.
+
+ The flaw remediation procedures identify the different
+ stages of security flaws. This differentiation includes
+ at least: suspected security flaws that have been
+ reported, suspected security flaws that have been
+ confirmed to be security flaws, and security flaws whose
+ solutions have been implemented. It is permissible that
+ additional stages (e.g. flaws that have been reported
+ but not yet investigated, flaws that are under
+ investigation, security flaws for which a solution has
+ been found but not yet implemented) be included.
+
+
+
+
+ The evaluator shall check the flaw remediation
+ procedures to determine that the application of these
+ procedures would identify the corrective action for each
+ security flaw.
+
+ Corrective action may consist of a
+ repair to the hardware, firmware, or software portions
+ of the TOE, a modification of TOE guidance, or
+ both. Corrective action that constitutes modifications
+ to TOE guidance (e.g. details of procedural measures to
+ be taken to obviate the security flaw) includes both
+ those measures serving as only an interim solution
+ (until the repair is issued) as well as those serving as
+ a permanent solution (where it is determined that the
+ procedural measure is the best solution).
+
+ If the source of the security flaw is a documentation
+ error, the corrective action consists of an update of
+ the affected TOE guidance. If the corrective action is a
+ procedural measure, this measure will include an update
+ made to the affected TOE guidance to reflect these
+ corrective procedures.
+
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures documentation to determine that it describes
+ a means of providing the TOE users with the necessary
+ information on each security flaw.
+
+ The necessary information about each
+ security flaw consists of its description (not
+ necessarily at the same level of detail as that provided
+ as part of work unit ), the prescribed corrective action,
+ and any associated guidance on implementing the
+ correction.
+
+ TOE users may be provided with such information,
+ correction, and documentation updates in any of several
+ ways, such as their posting to a website, their being
+ sent to TOE users, or arrangements made for the
+ developer to install the correction. In cases where the
+ means of providing this information requires action to
+ be initiated by the TOE user, the evaluator examines any
+ TOE guidance to ensure that it contains instructions for
+ retrieving the information.
+
+ The only metric for assessing the adequacy of the method
+ used for providing the information, corrections and
+ guidance is that there be a reasonable expectation that
+ TOE users can obtain or receive it. For example,
+ consider the method of dissemination where the requisite
+ data is posted to a website for one month, and the TOE
+ users know that this will happen and when this will
+ happen. This may not be especially reasonable or
+ effective (as, say, a permanent posting to the website),
+ yet it is feasible that the TOE user could obtain the
+ necessary information. On the other hand, if the
+ information were posted to the website for only one
+ hour, yet TOE users had no way of knowing this or when
+ it would be posted, it is infeasible that they would
+ ever get the necessary information.
+
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures to determine that they describe procedures
+ for the developer to accept reports of security flaws or
+ requests for corrections to such flaws.
+
+ The procedures ensure that TOE users have a means by
+ which they can communicate with the TOE developer.
By
+ having a means of contact with the developer, the user
+ can report security flaws, enquire about the status of
+ security flaws, or request corrections to flaws. This
+ means of contact may be part of a more general contact
+ facility for reporting non-security related
+ problems.
+
+ The use of these procedures is not restricted to TOE
+ users; however, only the TOE users are actively supplied
+ with the details of these procedures. Others who might
+ have access to or familiarity with the TOE can use the
+ same procedures to submit reports to the developer, who
+ is then expected to process them. Any means of
+ submitting reports to the developer, other than those
+ identified by the developer, are beyond the scope of
+ this work unit; reports generated by other means need
+ not be addressed.
+
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures to determine that the application of these
+ procedures would help to ensure every reported flaw is
+ corrected.
+
+ The flaw remediation procedures cover not only those
+ security flaws discovered and reported by developer
+ personnel, but also those reported by TOE users. The
+ procedures are sufficiently detailed so that they
+ describe how it is ensured that each reported security
+ flaw is corrected. The procedures contain reasonable
+ steps that show progress leading to the eventual,
+ inevitable resolution.
+
+ The procedures describe the process that is taken from
+ the point at which the suspected security flaw is
+ determined to be a security flaw to the point at which
+ it is resolved.
+
+
+
+ The evaluator shall examine the flaw remediation
+ procedures to determine that the application of these
+ procedures would help to ensure that the TOE users are
+ issued remediation procedures for each security
+ flaw.
+
+ The procedures describe the process that is taken from
+ the point at which a security flaw is resolved to the
+ point at which the remediation procedures are
+ provided.
The procedures for delivering corrective + actions should be consistent with the security + objectives; they need not necessarily be identical to + the procedures used for delivering the TOE, as + documented to meet , if + included in the assurance requirements. For example, if + the hardware portion of a TOE were originally delivered + by bonded courier, updates to hardware resulting from + flaw remediation would likewise be expected to be + distributed by bonded courier. Updates unrelated to flaw + remediation would follow the procedures set forth in the + documentation meeting the requirements. + + + + The evaluator shall examine the flaw remediation + procedures to determine that the application of these + procedures would result in safeguards that the potential + correction contains no adverse effects. + + Through analysis, testing, or a combination of the two, + the developer may reduce the likelihood that adverse + effects will be introduced when a security flaw is + corrected. The evaluator assesses whether the procedures + provide detail in how the necessary mix of analysis and + testing actions is to be determined for a given + correction. + + The evaluator also determines that, for instances where + the source of the security flaw is a documentation + problem, the procedures include the means of + safeguarding against the introduction of contradictions + with other documentation. + + + + + The evaluator shall examine the flaw remediation + guidance to determine that the application of these + procedures would result in a means for the TOE user to + provide reports of suspected security flaws or requests + for corrections to such flaws. + + The guidance ensures that TOE users have a means by + which they can communicate with the TOE developer. By + having a means of contact with the developer, the user + can report security flaws, enquire about the status of + security flaws, or request corrections to flaws. 
+ + + + + + + + In order for the developer to be able to act appropriately + upon security flaw reports from TOE users, and to know to + whom to send corrective fixes, TOE users need to + understand how to submit security flaw reports to the + developer, and how to register themselves with the + developer so that they may receive these corrective + fixes. Flaw remediation guidance from the developer to the + TOE user ensures that TOE users are aware of this + important information. + + + + The objective of this sub-activity is to determine whether + the developer has established flaw remediation procedures + that describe the tracking of security flaws, the + identification of corrective actions, and the distribution + of corrective action information to TOE + users. Additionally, this sub-activity determines whether + the developer's procedures provide for the corrections of + security flaws, for the receipt of flaw reports from TOE + users, for assurance that the corrections introduce no new + security flaws, for the establishment of a point of + contact for each TOE user, and for the timely issue of + corrective actions to TOE users. + + In order for the developer to be able to act appropriately + upon security flaw reports from TOE users, TOE users need + to understand how to submit security flaw reports to the + developer, and developers need to know how to receive + these reports. Flaw remediation guidance addressed to the + TOE user ensures that TOE users are aware of how to + communicate with the developer; flaw remediation + procedures describe the developer's role is such + communication. + + + + The evaluation evidence for this sub-activity is: + + + the flaw remediation procedures documentation; + + + flaw remediation guidance documentation. + + + + + The developer shall document and provide flaw remediation procedures + addressed to TOE developers. 
+ + + The developer shall establish a procedure for accepting and + acting upon all reports of security flaws and requests for + corrections to those flaws. + + + The developer shall provide flaw remediation guidance + addressed to TOE users. + + + The flaw remediation procedures documentation shall describe + the procedures used to track all reported security flaws in + each release of the TOE. + + + The flaw remediation procedures shall require that a + description of the nature and effect of each security flaw + be provided, as well as the status of finding a correction + to that flaw. + + + The flaw remediation procedures shall require that + corrective actions be identified for each of the security + flaws. + + + The flaw remediation procedures documentation shall describe + the methods used to provide flaw information, corrections + and guidance on corrective actions to TOE users. + + + The flaw remediation procedures shall describe a means by + which the developer receives from TOE users reports and + enquiries of suspected security flaws in the TOE. + + + The flaw remediation procedures shall include a procedure + requiring timely response and the automatic distribution of + security flaw reports and the associated corrections to + registered users who might be affected by the security flaw. + + + The procedures for processing reported security flaws shall + ensure that any reported flaws are remediated and the + remediation procedures issued to TOE users. + + + The procedures for processing reported security flaws shall + provide safeguards that any corrections to these security + flaws do not introduce any new flaws. + + + The flaw remediation guidance shall describe a means by + which TOE users report to the developer any suspected + security flaws in the TOE. + + + The flaw remediation guidance shall describe a means by + which TOE users may register with the developer, to be + eligible to receive security flaw reports and corrections. 
+ + + The flaw remediation guidance shall identify the specific + points of contact for all reports and enquiries about + security issues involving the TOE. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the flaw remediation + procedures documentation to determine that it describes + the procedures used to track all reported security flaws + in each release of the TOE. + + The procedures describe the actions that are taken by + the developer from the time each suspected security flaw + is reported to the time that it is resolved. This + includes the flaw's entire time frame, from initial + detection through ascertaining that the flaw is a + security flaw, to resolution of the security + flaw. + + If a flaw is discovered not to be security-relevant, + there is no need (for the purposes of the requirements) for the flaw + remediation procedures to track it further; only that + there be an explanation of why the flaw is not + security-relevant. + + + + + The evaluator shall examine the flaw remediation + procedures to determine that the application of these + procedures would produce a description of each security + flaw in terms of its nature and effects. + + The procedures identify the actions that are taken by + the developer to describe the nature and effects of each + security flaw in sufficient detail to be able to + reproduce it. The description of the nature of a + security flaw addresses whether it is an error in the + documentation, a flaw in the design of the TSF, a flaw + in the implementation of the TSF, etc. The description + of the security flaw's effects identifies the portions + of the TSF that are affected and how those portions are + affected. 
For example, a security flaw in the + implementation might be found that affects the + identification and authentication enforced by the TSF by + permitting authentication with the password + ``BACKDOOR''. + + + + + The evaluator shall examine the flaw remediation + procedures to determine that the application of these + procedures would identify the status of finding a + correction to each security flaw. + + The flaw remediation procedures identify the different + stages of security flaws. This differentiation includes + at least: suspected security flaws that have been + reported, suspected security flaws that have been + confirmed to be security flaws, and security flaws whose + solutions have been implemented. It is permissible that + additional stages (e.g. flaws that have been reported + but not yet investigated, flaws that are under + investigation, security flaws for which a solution has + been found but not yet implemented) be included. + + + + + The evaluator shall check the flaw remediation + procedures to determine that the application of these + procedures would identify the corrective action for each + security flaw. + + Corrective action may consist of a + repair to the hardware, firmware, or software portions + of the TOE, a modification of TOE guidance, or + both. Corrective action that constitutes modifications + to TOE guidance (e.g. details of procedural measures to + be taken to obviate the security flaw) includes both + those measures serving as only an interim solution + (until the repair is issued) as well as those serving as + a permanent solution (where it is determined that the + procedural measure is the best solution). + + If the source of the security flaw is a documentation + error, the corrective action consists of an update of + the affected TOE guidance. If the corrective action is a + procedural measure, this measure will include an update + made to the affected TOE guidance to reflect these + corrective procedures. 
+ + + + + The evaluator shall examine the flaw remediation + procedures documentation to determine that it describes + a means of providing the TOE users with the necessary + information on each security flaw. + + The necessary information about each + security flaw consists of its description (not + necessarily at the same level of detail as that provided + as part of work unit ), the prescribed corrective action, + and any associated guidance on implementing the + correction. + + TOE users may be provided with such information, + correction, and documentation updates in any of several + ways, such as their posting to a website, their being + sent to TOE users, or arrangements made for the + developer to install the correction. In cases where the + means of providing this information requires action to + be initiated by the TOE user, the evaluator examines any + TOE guidance to ensure that it contains instructions for + retrieving the information. + + The only metric for assessing the adequacy of the method + used for providing the information, corrections and + guidance is that there be a reasonable expectation that + TOE users can obtain or receive it. For example, + consider the method of dissemination where the requisite + data is posted to a website for one month, and the TOE + users know that this will happen and when this will + happen. This may not be especially reasonable or + effective (as, say, a permanent posting to the website), + yet it is feasible that the TOE user could obtain the + necessary information. On the other hand, if the + information were posted to the website for only one + hour, yet TOE users had no way of knowing this or when + it would be posted, it is infeasible that they would + ever get the necessary information. + + For TOE users who register with the developer (see work + unit ), the + passive availability of this information is not + sufficient. 
Developers must actively send the + information (or a notification of its availability) to + registered TOE users. + + + + + The evaluator shall examine the flaw remediation + procedures to determine that the application of these + procedures would result in a means for the developer to + receive from TOE user reports of suspected security + flaws or requests for corrections to such flaws. + + The procedures ensure that TOE users have a means by + which they can communicate with the TOE developer. By + having a means of contact with the developer, the user + can report security flaws, enquire about the status of + security flaws, or request corrections to flaws. This + means of contact may be part of a more general contact + facility for reporting non-security related + problems. + + The use of these procedures is not restricted to TOE + users; however, only the TOE users are actively supplied + with the details of these procedures. Others who might + have access to or familiarity with the TOE can use the + same procedures to submit reports to the developer, who + is then expected to process them. Any means of + submitting reports to the developer, other than those + identified by the developer, are beyond the scope of + this work unit; reports generated by other means need + not be addressed. + + + + + The evaluator shall examine the flaw remediation + procedures to determine that the application of these + procedures would result in a timely means of providing + the registered TOE users who might be affected with + reports about, and associated corrections to, each + security flaw. + + The issue of timeliness applies to the issuance of both + security flaw reports and the associated + corrections. However, these need not be issued at the + same time. It is recognised that flaw reports should be + generated and issued as soon as an interim solution is + found, even if that solution is as drastic as turn off + the TOE. 
Likewise, when a more permanent (and less + drastic) solution is found, it should be issued without + undue delay. + + It is unnecessary to restrict the recipients of the + reports and associated corrections to only those TOE + users who might be affected by the security flaw; it is + permissible that all TOE users be given such reports and + corrections for all security flaws, provided such is + done in a timely manner. + + + + The evaluator shall examine the flaw remediation + procedures to determine that the application of these + procedures would result in automatic distribution of the + reports and associated corrections to the registered TOE + users who might be affected. + + Automatic distribution does not mean + that human interaction with the distribution method is + not permitted. In fact, the distribution method could + consist entirely of manual procedures, perhaps through a + closely monitored procedure with prescribed escalation + upon the lack of issue of reports or corrections. + + It is unnecessary to restrict the recipients of the + reports and associated corrections to only those TOE + users who might be affected by the security flaw; it is + permissible that all TOE users be given such reports and + corrections for all security flaws, provided such is + done automatically. + + + + + The evaluator shall examine the flaw remediation procedures to + determine that the application of these procedures would help to + ensure that every reported flaw is corrected. + + The flaw remediation procedures cover not only those + security flaws discovered and reported by developer + personnel, but also those reported by TOE users. The + procedures are sufficiently detailed so that they + describe how it is ensured that each reported security + flaw is remediated. The procedures contain reasonable + steps that show progress leading to the eventual, + inevitable resolution. 
+ + The procedures describe the process that is taken from + the point at which the suspected security flaw is + determined to be a security flaw to the point at which + it is resolved. + + + + + The evaluator shall examine the flaw remediation + procedures to determine that the application of these + procedures would help to ensure that the TOE users are + issued remediation procedures for each security + flaw. + The procedures describe the process that is taken + from the point at which a security flaw is resolved to + the point at which the remediation procedures are + provided. The procedures for delivering remediation + procedures should be consistent with the security + objectives; they need not necessarily be identical to + the procedures used for delivering the TOE, as + documented to meet , if + included in the assurance requirements. For example, if + the hardware portion of a TOE were originally delivered + by bonded courier, updates to hardware resulting from + flaw remediation would likewise be expected to be + distributed by bonded courier. Updates unrelated to flaw + remediation would follow the procedures set forth in the + documentation meeting the requirements. + + + + The evaluator shall examine the flaw remediation + procedures to determine that the application of these + procedures would result in safeguards that the potential + correction contains no adverse effects. + + Through analysis, testing, or a combination of the two, + the developer may reduce the likelihood that adverse + effects will be introduced when a security flaw is + corrected. The evaluator assesses whether the procedures + provide detail in how the necessary mix of analysis and + testing actions is to be determined for a given + correction. 
+ + The evaluator also determines that, for instances where + the source of the security flaw is a documentation + problem, the procedures include the means of + safeguarding against the introduction of contradictions + with other documentation. + + + + + The evaluator shall examine the flaw remediation + guidance to determine that the application of these + procedures would result in a means for the TOE user to + provide reports of suspected security flaws or requests + for corrections to such flaws. + + The guidance ensures that TOE users have a means by + which they can communicate with the TOE developer. By + having a means of contact with the developer, the user + can report security flaws, enquire about the status of + security flaws, or request corrections to flaws. + + + + + The evaluator shall examine the flaw remediation + guidance to determine that it describes a means of + enabling the TOE users to register with the + developer. + + Enabling the TOE users to register with the + developer simply means having a way for each + TOE user to provide the developer with a point of + contact; this point of contact is to be used to + provide the TOE user with information related to + security flaws that might affect that TOE user, along + with any corrections to the security flaw. Registering + the TOE user may be accomplished as part of the + standard procedures that TOE users undergo to identify + themselves to the developer, for the purposes of + registering a software licence, or for obtaining + update and other useful information. + + There need not be one registered TOE user per + installation of the TOE; it would be sufficient if there + were one registered TOE user for an organisation. For + example, a corporate TOE user might have a centralised + acquisition office for all of its sites. 
In this case, + the acquisition office would be a sufficient point of + contact for all of that TOE user's sites, so that all of + the TOE user's installations of the TOE have a + registered point of contact. + + In either case, it must be possible to associate each + TOE that is delivered with an organisation in order to + ensure that there is a registered user for each TOE. For + organisations that have many different addresses, this + assures that there will be no user who is erroneously + presumed to be covered by a registered TOE user. + It should be noted that TOE users need not + register; they must only be provided with a means of + doing so. However, users who choose to register must be + directly sent the information (or a notification of its + availability). + + + + The evaluator shall examine the flaw remediation + guidance to determine that it identifies specific points + of contact for user reports and enquiries about security + issues involving the TOE. + + The guidance includes a means whereby registered TOE + users can interact with the developer to report + discovered security flaws in the TOE or to make + enquiries regarding discovered security flaws in the + TOE. + + + + + + + + Poorly controlled development and maintenance of the TOE can + result in a TOE that does not meet all of its + SFRs. Therefore, it is important that a model for the + development and maintenance of a TOE be established as early + as possible in the TOE's life-cycle. + + Using a model for the development and maintenance of a TOE + does not guarantee that the TOE meets all of its SFRs. It is + possible that the model chosen will be insufficient or + inadequate and therefore no benefits in the quality of the + TOE can be observed. Using a life-cycle model that has been + approved by a group of experts (e.g. academic experts, + standards bodies) improves the chances that the development + and maintenance models will contribute to the TOE meeting + its SFRs. 
The use of a life-cycle model including some + quantitative valuation adds further assurance in the overall + quality of the TOE development process. + + + + Life-cycle definition establishes that the engineering + practises used by a developer to produce the TOE include the + considerations and activities identified in the development + process and operational support requirements. Confidence in + the correspondence between the requirements and the TOE is + greater when quality control and the production of evidence + are done on a regular basis as an integral part of the + development process and operational support activities. It + is not the intent of this component to dictate any specific + development process. + + + + The components in this family are levelled on the basis of + increasing requirements for measurability of the life-cycle + model, and for compliance with that model. + + + + A life-cycle model encompasses the procedures, tools and + techniques used to develop and maintain the TOE. Aspects of + the process that may be covered by such a model include + design methods, review procedures, project management + controls, change control procedures, test methods and + acceptance procedures. An effective life-cycle model will + address these aspects of the development and maintenance + process within an overall management structure that assigns + responsibilities and monitors progress. + + There are different types of acceptance situations that are + dealt with at different locations in the criteria: + acceptance of parts delivered by subcontractors + (``integration'') should be treated in this family , acceptance subsequent to + internal transportations in , acceptance of parts into the CM system in + , and acceptance of the + delivered TOE by the consumer in . The first three types may overlap. 
+ + Although life-cycle definition deals with the maintenance of + the TOE and hence with aspects becoming relevant after the + completion of the evaluation, its evaluation adds assurance + through an analysis of the life-cycle information for the + TOE provided at the time of the evaluation. + + A life-cycle model provides for the necessary control over + the development and maintenance of the TOE, if the model + enables sufficient minimisation of the danger that the TOE + will not meet its security requirement. + + A measurable life-cycle model is a model using some + quantitative valuation (arithmetic parameters and/or + metrics) of the managed product in order to measure + development properties of the product. Typical metrics are + source code complexity metrics, defect density (errors per + size of code) or mean time to failure. For the security + evaluation all those metrics are of relevance, which are + used to increase quality by decreasing the probability of + faults and thereby in turn increasing assurance in the + security of the TOE. + + One should take into account that there exist standardised + life cycle models on the one hand (like the waterfall model) + and standardised metrics on the other hand (like error + density), which may be combined. The CC does not require the + life cycle to follow exactly one standard defining both + aspects. + + + + The objective of this sub-activity is to determine + whether the developer has used a documented model of the + TOE life-cycle. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the life-cycle definition documentation. + + + + + The developer shall establish a life-cycle model to be used + in the development and maintenance of the TOE. + + + The developer shall provide life-cycle definition + documentation. + + + The life-cycle definition documentation shall describe the + model used to develop and maintain the TOE. 
+ + + The life-cycle model shall provide for the necessary control + over the development and maintenance of the TOE. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the documented description + of the life-cycle model used to determine that it covers + the development and maintenance process. + + The description of the life-cycle model should include: + + + information on the life-cycle phases of the TOE and + the boundaries between the subsequent phases; + + + information on the procedures, tools and techniques + used by the developer (e.g. for design, coding, + testing, bug-fixing); + + + overall management structure governing the + application of the procedures (e.g. an + identification and description of the individual + responsibilities for each of the procedures required + by the development and maintenance process covered + by the life-cycle model); + + + information on which parts of the TOE are delivered + by subcontractors, if subcontractors are involved. + + + + does not require the + model used to conform to any standard life-cycle + model. + + + + + The evaluator shall examine the life-cycle model to + determine that use of the procedures, tools and + techniques described by the life-cycle model will make + the necessary positive contribution to the development + and maintenance of the TOE. + + The information provided in the life-cycle model gives + the evaluator assurance that the development and + maintenance procedures adopted would minimise the + likelihood of security flaws. For example, if the + life-cycle model described the review process, but did + not make provision for recording changes to components, + then the evaluator may be less confident that errors + will not be introduced into the TOE. 
The evaluator may + gain further assurance by comparing the description of + the model against an understanding of the development + process gleaned from performing other evaluator actions + relating to the TOE development (e.g. those covered + under the ). + Identified deficiencies in the life-cycle model will be + of concern if they might reasonably be expected to give + rise to the introduction of flaws into the TOE, either + accidentally or deliberately. + + The CC does not mandate any particular development + approach, and each should be judged on merit. For + example, spiral, rapid-prototyping and waterfall + approaches to design can all be used to produce a + quality TOE if applied in a controlled + environment. + + + + + + + The objective of this sub-activity is to determine + whether the developer has used a documented and measurable + model of the TOE life-cycle. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the life-cycle definition documentation; + + + information about the standard used; + + + the life-cycle output documentation. + + + + + The developer shall establish a life-cycle model to be used + in the development and maintenance of the TOE, that is based + on a measurable life-cycle model. + + + The developer shall provide life-cycle definition + documentation. + + + The developer shall measure the TOE development using the + measurable life-cycle model. + + + The developer shall provide life-cycle output documentation. + + + The life-cycle definition documentation shall describe the + model used to develop and maintain the TOE, including the + details of its arithmetic parameters and/or metrics used to + measure the quality of the TOE and/or its development. + + + The life-cycle model shall provide for the necessary control + over the development and maintenance of the TOE. 
+ + + The life-cycle output documentation shall provide the + results of the measurements of the TOE development using the + measurable life-cycle model. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the documented description + of the life-cycle model used to determine that it covers + the development and maintenance process, including the + details of its arithmetic parameters and/or metrics used + to measure the TOE development. + + The description of the life-cycle model includes: + + information on the life-cycle phases of the TOE and the + boundaries between the subsequent phases; + + information on the procedures, tools and techniques used by + the developer (e.g. for design, coding, testing, + bug-fixing); + + overall management structure governing the application of + the procedures (e.g. an identification and description of + the individual responsibilities for each of the procedures + required by the development and maintenance process covered + by the life-cycle model); + + information on which parts of the TOE are delivered by + subcontractors, if subcontractors are involved; + + information on the parameters/metrics that are used to + measure the TOE development. Metrics standards typically + include guides for measuring and producing reliable products + and cover the aspects reliability, quality, performance, + complexity and cost. For the evaluation all those metrics + are of relevance, which are used to increase quality by + decreasing the probability of faults and thereby in turn + increase assurance in the security of the TOE. + + + + + + The evaluator shall examine the life-cycle model to + determine that use of the procedures, tools and + techniques described by the life-cycle model will make + the necessary positive contribution to the development + and maintenance of the TOE. 
+ + The information provided in the life-cycle model gives + the evaluator assurance that the development and + maintenance procedures adopted would minimise the + likelihood of security flaws. For example, if the + life-cycle model described the review process, but did + not make provision for recording changes to components, + then the evaluator may be less confident that errors + will not be introduced into the TOE. The evaluator may + gain further assurance by comparing the description of + the model against an understanding of the development + process gleaned from performing other evaluator actions + relating to the TOE development (e.g. those covered + under the ). + Identified deficiencies in the life-cycle model will be + of concern if they might reasonably be expected to give + rise to the introduction of flaws into the TOE, either + accidentally or deliberately. + + The CC does not mandate any particular development + approach, and each should be judged on merit. For + example, spiral, rapid-prototyping and waterfall + approaches to design can all be used to produce a + quality TOE if applied in a controlled + environment. + + For the metrics/measurements used in the life-cycle + model, evidence has to be provided that shows how those + metrics/measurements usefully contribute to the + minimisation of the likelihood of flaws. This can be + viewed as the overall goal for measurement in an context. As a consequence the + metrics/measurements have to be selected based on their + capability to achieve that overall goal or contribute to + that. In the first place a metric/measure is suitable + with respect to if a + correlation between the metric/measure and the number of + flaws can be stated with a certain degree of + reliability. But also a metric/measure useful for + management purposes as for planning and monitoring the + TOE development are helpful since badly managed projects + are endangered to produce bad quality and to introduce + flaws. 
+ + It may be possible to use metrics for quality + improvement, for which this use is not obvious. For + example a metric to estimate the expected cost of a + product development may help quality, if the developer + can show that this is used to provide an adequate budget + for development projects and that this helps to avoid + quality problems arising from resource shortages. + + It is not required that every single step in the life + cycle of the TOE is measurable. However the evaluator + should see from the description of the measures and + procedures that the metrics are appropriate to control + the overall quality of the TOE and to minimise possible + security flaws by this. + + + + + The evaluator shall examine the life-cycle output + documentation to determine that it provides the results + of the measurements of the TOE development using the + measurable life-cycle model. + + The results of the measurements and the life-cycle + progress of the TOE should be in accordance with the + life-cycle model. + + The output documentation not only includes numeric values of the + metrics but also documents actions taken as a result of the + measurements and in accordance with the model. For example there + may be a requirement that a certain design phase needs to be + repeated, if some error rates measured during testing are + outside of a defined threshold. In this case the documentation + should show that such action was taken, if indeed the thresholds + were not met. + + If the evaluation is conducted in parallel with the + development of the TOE it may be possible that quality + measurements have not been used in the past. In this + case the evaluator should use the documentation of the + planned procedures in order to gain confidence that + corrective actions are defined if results of quality + measurements deviate from some threshold. + + + + + + + + Tools and techniques is an aspect of selecting tools that + are used to develop, analyse and implement the TOE. 
It + includes requirements to prevent ill-defined, inconsistent + or incorrect development tools from being used to develop + the TOE. This includes, but is not limited to, programming + languages, documentation, implementation standards, and + other parts of the TOE such as supporting runtime + libraries. + + + + Tools and techniques addresses the need to define the + development tools being used to analyse and implement the + TOE. It includes requirements concerning the development + tools and implementation dependent options of those + tools. + + + + The components in this family are levelled on the basis of + increasing requirements on the description and scope of the + implementation standards and the documentation of + implementation-dependent options. + + + + There is a requirement for well-defined development + tools. These are tools that are clearly and completely + described. For example, programming languages and computer + aided design (CAD) systems that are based on a standard + published by standards bodies are considered to be + well-defined. Self-made tools would need further + investigation to clarify whether they are + well-defined. + + The requirement in is + especially applicable to programming languages so as to + ensure that all statements in the source code have an + unambiguous meaning. + + In and , implementation guidelines may be accepted + as an implementation standard if they have been approved by + some group of experts (e.g. academic experts, standards + bodies). Implementation standards are normally public, well + accepted and common practise in a specific industry, but + developer-specific implementation guidelines may also be + accepted as a standard; the emphasis is on the + expertise. + Tools and techniques distinguishes between the + implementation standards applied by the developer () and the implementation + standards for ``all parts of the TOE'' () which include third party software, + hardware, or firmware. 
The configuration list introduced in + requires that for each TSF + relevant configuration item to indicate if it has been + generated by the TOE developer or by third party + developers. + + + + + + The objective of this sub-activity is to determine whether + the developer has used well-defined development tools + (e.g. programming languages or computer-aided design (CAD) + systems) that yield consistent and predictable + results. + + + + This work may be performed in parallel with the evaluation + activities under , + specifically with regard to determining the use of + features in the tools that will affect the object code + (e.g. compilation options). + + + + The evaluation evidence for this sub-activity is: + + + the development tool documentation; + + + the subset of the implementation representation. + + + + + The developer shall provide the documentation identifying each development tool being + used for the TOE. + + + The developer shall document and provide the selected + implementation-dependent options of each development tool. + + + Each development tool used for implementation shall be + well-defined. + + + The documentation of each development tool shall + unambiguously define the meaning of all statements as well + as all conventions and directives used in the + implementation. + + + The documentation of each development tool shall + unambiguously define the meaning of all + implementation-dependent options. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the development tool + documentation provided to determine that each + development tools is well-defined. + + For example, a well-defined language, compiler or CAD + system may be considered to be one that conforms to a + recognised standard, such as the ISO standards. 
A + well-defined language is one that has a clear and + complete description of its syntax, and a detailed + description of the semantics of each construct. + + + + + The evaluator shall examine the documentation of each + development tool to determine that it unambiguously + defines the meaning of all statements as well as all + conventions and directives used in the + implementation. + + The development tool documentation (e.g. programming + language specifications and user manuals) should cover + all statements used in the implementation representation + of the TOE, and for each such statement should provide a + clear and unambiguous definition of the purpose and + effect of that statement. This work may be performed in + parallel with the evaluator's examination of the + implementation representation performed during the sub-activity. The key test the + evaluator should apply is whether or not the + documentation is sufficiently clear for the evaluator to + be able to understand the implementation + representation. The documentation should not assume (for + example) that the reader is an expert in the programming + language used. + + Reference to the use of a documented standard is an + acceptable approach to meet this requirement, provided + that the standard is available to the evaluator. Any + differences from the standard should be + documented. + + The critical test is whether the evaluator can + understand the TOE source code when performing source + code analysis covered in the sub-activity. However, the following + checklist can additionally be used in searching for + problem areas: + + + In the language definition, phrases such as ``the + effect of this construct is undefined'' and terms + such as ``implementation dependent'' or + ``erroneous'' may indicate ill-defined areas. + + + Aliasing (allowing the same piece of memory to be + referenced in different ways) is a common source of + ambiguity problems. + + + Exception handling (e.g. 
what happens after memory + exhaustion or stack overflow) is often poorly + defined. + + + + Most languages in common use, however well designed, + will have some problematic constructs. If the + implementation language is mostly well defined, but some + problematic constructs exist, then an inconclusive + verdict should be assigned, pending examination of the + source code. + + The evaluator should verify, during the examination of + source code, that any use of the problematic constructs + does not introduce vulnerabilities. The evaluator should + also ensure that constructs precluded by the documented + standard are not used. + + The development tool documentation should define all + conventions and directives used in the + implementation. + + + + + The evaluator shall examine the development tool + documentation to determine that it unambiguously defines + the meaning of all implementation-dependent + options. + + The documentation of software development tools should + include definitions of implementation-dependent options + that may affect the meaning of the executable code, and + those that are different from the standard language as + documented. Where source code is provided to the + evaluator, information should also be provided on + compilation and linking options used. + + The documentation for hardware design and development + tools should describe the use of all options that affect + the output from the tools (e.g. detailed hardware + specifications, or actual hardware). + + + + + + + + The objective of this sub-activity is to determine whether + the developer has used well-defined development tools + (e.g. programming languages or computer-aided design (CAD) + systems) that yield consistent and predictable results, + and whether implementation standards have been + applied. 
+ + + + This work may be performed in parallel with the evaluation + activities under , + specifically with regard to determining the use of + features in the tools that will affect the object code + (e.g. compilation options). + + + + The evaluation evidence for this sub-activity is: + + + the development tool documentation; + + + the implementation standards description; + + + the provided implementation representation of the TSF. + + + + + The developer shall provide the documentation identifying each development tool being + used for the TOE. + + + The developer shall document and provide the selected + implementation-dependent options of each development tool. + + + The developer shall describe and provide the implementation standards + that are being applied by the developer. + + + Each development tool used for implementation shall be + well-defined. + + + The documentation of each development tool shall + unambiguously define the meaning of all statements as well + as all conventions and directives used in the + implementation. + + + The documentation of each development tool shall + unambiguously define the meaning of all + implementation-dependent options. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the development tool + documentation provided to determine that each + development tool is well-defined. + + For example, a well-defined language, compiler or CAD + system may be considered to be one that conforms to a + recognised standard, such as the ISO standards. A + well-defined language is one that has a clear and + complete description of its syntax, and a detailed + description of the semantics of each construct. 
+ + + + + The evaluator shall examine the documentation of each + development tool to determine that it unambiguously + defines the meaning of all statements as well as all + conventions and directives used in the + implementation. + + The development tool documentation (e.g. programming + language specifications and user manuals) should cover + all statements used in the implementation representation + of the TOE, and for each such statement should provide a + clear and unambiguous definition of the purpose and + effect of that statement. This work may be performed in + parallel with the evaluator's examination of the + implementation representation performed during the sub-activity. The key test the + evaluator should apply is whether or not the + documentation is sufficiently clear for the evaluator to + be able to understand the implementation + representation. The documentation should not assume (for + example) that the reader is an expert in the programming + language used. + + Reference to the use of a documented standard is an + acceptable approach to meet this requirement, provided + that the standard is available to the evaluator. Any + differences from the standard should be + documented. + + The critical test is whether the evaluator can + understand the TOE source code when performing source + code analysis covered in the sub-activity. However, the following + checklist can additionally be used in searching for + problem areas: + + + In the language definition, phrases such as ``the + effect of this construct is undefined'' and terms + such as ``implementation dependent'' or + ``erroneous'' may indicate ill-defined areas. + + + Aliasing (allowing the same piece of memory to be + referenced in different ways) is a common source of + ambiguity problems. + + + Exception handling (e.g. what happens after memory + exhaustion or stack overflow) is often poorly + defined. 
+ + + + Most languages in common use, however well designed, + will have some problematic constructs. If the + implementation language is mostly well defined, but some + problematic constructs exist, then an inconclusive + verdict should be assigned, pending examination of the + source code. + + The evaluator should verify, during the examination of + source code, that any use of the problematic constructs + does not introduce vulnerabilities. The evaluator should + also ensure that constructs precluded by the documented + standard are not used. + + The development tool documentation should define all + conventions and directives used in the + implementation. + + + + + The evaluator shall examine the development tool + documentation to determine that it unambiguously defines + the meaning of all implementation-dependent + options. + + The documentation of software development tools should + include definitions of implementation-dependent options + that may affect the meaning of the executable code, and + those that are different from the standard language as + documented. Where source code is provided to the + evaluator, information should also be provided on + compilation and linking options used. + + The documentation for hardware design and development + tools should describe the use of all options that affect + the output from the tools (e.g. detailed hardware + specifications, or actual hardware). + + + + The evaluator shall confirm that the implementation + standards have been applied. + + + The evaluator shall examine aspects of the + implementation process to determine that documented + implementation standards have been applied. + + This work unit requires the evaluator to analyse the + provided implementation representation of the TOE to + determine whether the documented implementation + standards have been applied. + + The evaluator should verify that constructs excluded by + the documented standard are not used. 
+ + Additionally, the evaluator should verify the + developer's procedures which ensure the application of + the defined standards within the design and + implementation process of the TOE. Therefore, + documentary evidence should be supplemented by visiting + the development environment. A visit to the development + environment will allow the evaluator to: + + + observe the application of defined standards; + + examine documentary evidence of application of + procedures describing the use of defined + standards; + + interview development staff to check awareness of + the application of defined standards and + procedures. + + A development site visit is a useful means of gaining + confidence in the procedures being used. Any decision + not to make such a visit should be determined in + consultation with the evaluation authority. + + The evaluator compares the provided implementation + representation with the description of the applied + implementation standards and verifies their use. + At this level it is not required that the complete + provided implementation representation of the TSF is + based on implementation standards, but only those parts + that are developed by the TOE developer himself. The + evaluator may consult the configuration list required by + the to get the + information which parts are developed by the TOE + developer, and which by third party developers. + + If the referenced implementation standards are not + applied for at least parts of the provided implementation representation, + the evaluator action related to this work unit is assigned a fail verdict. + + Note that parts of the TOE which are not TSF relevant do + not need to be examined. + + This work unit may be performed in conjunction with the + evaluation activities under . + + + + + + + The objective of this sub-activity is to determine whether + the developer and his subcontractors have used + well-defined development tools (e.g. 
programming languages + or computer-aided design (CAD) systems) that yield + consistent and predictable results, and whether + implementation standards have been applied. + + + + This work may be performed in parallel with the evaluation + activities under , + specifically with regard to determining the use of + features in the tools that will affect the object code + (e.g. compilation options). + + + + The evaluation evidence for this sub-activity is: + + + the development tool documentation; + + + the implementation standards description; + + + the provided implementation representation of the TSF. + + + + + The developer shall provide the documentation identifying each development tool being + used for the TOE. + + + The developer shall document and provide the selected + implementation-dependent options of each development tool. + + + The developer shall describe and provide the implementation standards + that are being applied by the developer and by any + third-party providers for all parts of the TOE. + + + Each development tool used for implementation shall be + well-defined. + + + The documentation of each development tool shall + unambiguously define the meaning of all statements as well + as all conventions and directives used in the + implementation. + + + The documentation of each development tool shall + unambiguously define the meaning of all + implementation-dependent options. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the development tool + documentation provided to determine that each + development tool is well-defined. + + For example, a well-defined language, compiler or CAD + system may be considered to be one that conforms to a + recognised standard, such as the ISO standards. 
A + well-defined language is one that has a clear and + complete description of its syntax, and a detailed + description of the semantics of each construct. + + At this level, the documentation of development tools + used by third party contributors to the TOE has to be + included in the evaluator's examination. + + + + + The evaluator shall examine the documentation of each + development tool to determine that it unambiguously + defines the meaning of all statements as well as all + conventions and directives used in the + implementation. + + The development tool documentation (e.g. programming + language specifications and user manuals) should cover + all statements used in the implementation representation + of the TOE, and for each such statement should provide a + clear and unambiguous definition of the purpose and + effect of that statement. This work may be performed in + parallel with the evaluator's examination of the + implementation representation performed during the sub-activity. The key test the + evaluator should apply is whether or not the + documentation is sufficiently clear for the evaluator to + be able to understand the implementation + representation. The documentation should not assume (for + example) that the reader is an expert in the programming + language used. + + Reference to the use of a documented standard is an + acceptable approach to meet this requirement, provided + that the standard is available to the evaluator. Any + differences from the standard should be + documented. + + The critical test is whether the evaluator can + understand the TOE source code when performing source + code analysis covered in the sub-activity. However, the following + checklist can additionally be used in searching for + problem areas: + + + In the language definition, phrases such as ``the + effect of this construct is undefined'' and terms + such as ``implementation dependent'' or + ``erroneous'' may indicate ill-defined areas. 
+ + + Aliasing (allowing the same piece of memory to be + referenced in different ways) is a common source of + ambiguity problems. + + + Exception handling (e.g. what happens after memory + exhaustion or stack overflow) is often poorly + defined. + + + + Most languages in common use, however well designed, + will have some problematic constructs. If the + implementation language is mostly well defined, but some + problematic constructs exist, then an inconclusive + verdict should be assigned, pending examination of the + source code. + + The evaluator should verify, during the examination of + source code, that any use of the problematic constructs + does not introduce vulnerabilities. The evaluator should + also ensure that constructs precluded by the documented + standard are not used. + + The development tool documentation should define all + conventions and directives used in the + implementation. + + At this level, the documentation of development tools + used by third party contributors to the TOE has to be + included in the evaluator's examination. + + + + + The evaluator shall examine the development tool + documentation to determine that it unambiguously defines + the meaning of all implementation-dependent + options. + + The documentation of software development tools should + include definitions of implementation-dependent options + that may affect the meaning of the executable code, and + those that are different from the standard language as + documented. Where source code is provided to the + evaluator, information should also be provided on + compilation and linking options used. + + The documentation for hardware design and development + tools should describe the use of all options that affect + the output from the tools (e.g. detailed hardware + specifications, or actual hardware). + + At this level, the documentation of development tools + used by third party contributors to the TOE has to be + included in the evaluator's examination. 
+ + + + The evaluator shall confirm that the implementation + standards have been applied. + + + The evaluator shall examine aspects of the + implementation process to determine that documented + implementation standards have been applied. + + This work unit requires the evaluator to analyse the + provided implementation representation of the TOE to + determine whether the documented implementation + standards have been applied. + + The evaluator should verify that constructs excluded by + the documented standard are not used. + + Additionally, the evaluator should verify the + developer's procedures which ensure the application of + the defined standards within the design and + implementation process of the TOE. Therefore, + documentary evidence should be supplemented by visiting + the development environment. A visit to the development + environment will allow the evaluator to: + + + observe the application of defined standards; + + examine documentary evidence of application of + procedures describing the use of defined + standards; + + interview development staff to check awareness of + the application of defined standards and + procedures. + + A development site visit is a useful means of gaining + confidence in the procedures being used. Any decision + not to make such a visit should be determined in + consultation with the evaluation authority. + + The evaluator compares the provided implementation + representation with the description of the applied + implementation standards and verifies their use. + At this level it is required that the complete + provided implementation representation of the TSF is + based on implementation standards, including third party + contributions. This may require the evaluator to visit + the sites of contributors. The evaluator may consult the + configuration list required by the to see who has developed which part of + the TOE. + + Note that parts of the TOE which are not TSF relevant do + not need to be examined. 
+ + This work unit may be performed in conjunction with the + evaluation activities under . + + + + + + + + + Evaluating a PP is required to demonstrate that the PP is + sound and internally consistent, and, if the PP is based on + one or more other PPs or on packages, that the PP is a correct + instantiation of these PPs and packages. These properties are + necessary for the PP to be suitable for use as the basis for + writing an ST or another PP. + + This Clause should be used in conjunction with Annexes , and + in CC + Part 1, as these Annexes clarify the concepts here and provide + many examples. + This standard defines two assurance packages for PP evaluation as follows: + Low assurance PP evaluation package;(Standard) PP evaluation package. + The assurance components for these packages are defined by table + .Assurance classAssurance familyAssurance componentLow Assurance PPPPProtection Profile evaluation11111112121PP assurance packages
+
+ + + Assurance class defines + requirements for the evaluation of an PP to demonstrate that + the PP is sound and internally consistent, and, if the PP is + based on one or more PPs or packages, that the PP is a correct + instantiation of these PPs and packages. + + + + This Clause describes the evaluation of a PP. The + requirements and methodology for PP evaluation are identical + for each PP evaluation, regardless of the EAL (or other set of + assurance requirements) that is claimed in the PP. The + evaluation methodology in this Clause is based on the + requirements on the PP as specified in CC Part 3 class . + + This Clause should be used in conjunction with Annexes , and + in CC + Part 1, as these Annexes clarify the concepts here and provide + many examples. + + + + The PP is the description of a TOE type. As such it is + expected to identify the security requirements that enforce + the defined OSPs and counter the defined threats under the + defined assumptions. + + Evaluating a PP is required to demonstrate that the PP is + sound and internally consistent, and, if the PP is based on + one or more PPs or packages, that the PP is a correct + instantiation of these PPs or packages. These properties are + necessary for the PP to be suitable for use as the basis for + an ST or another PP. + + + + + While evaluating a PP that is based on one or more certified + PPs, it may be possible to re-use the fact that these PPs were + certified. The potential for re-use of the result of a certified + PP is greater if the PP under evaluation does not add threats, + OSPs, security objectives and/or security requirements to those + of the PP that conformance is being claimed to. If the PP under + evaluation contains much more than the certified PP, re-use may + not be useful at all. 
+ + The evaluator is allowed to re-use the PP evaluation results + by doing certain analyses only partially or not at all if + these analyses or parts thereof were already done as part of + the PP evaluation. While doing this, the evaluator should + assume that the analyses in the PP were performed + correctly. + + An example would be where the PP that conformance is being + claimed to contains a set of security requirements, and these + were determined to be internally consistent during its + evaluation. If the PP under evaluation uses the exact same + requirements, the consistency analysis does not have to be + repeated during the PP evaluation. If the PP under evaluation + adds one or more requirements, or performs operations on these + requirements, the analysis will have to be repeated. However, it + may be possible to save work in this consistency analysis by + using the fact that the original requirements are internally + consistent. If the original requirements are internally + consistent, the evaluator only has to determine that: + + the set of all new and/or changed requirements is internally + consistent, and + + the set of all new and/or changed requirements is consistent + with the original requirements. + + The evaluator notes in the ETR each case where analyses + are not done or only partially done for this reason. + + + + + + The objective of this family is to describe the TOE in a + narrative way. + + Evaluation of the PP introduction is required to demonstrate + that the PP is correctly identified, and that the PP + reference and TOE overview are consistent with each + other. + + + + The PP introduction describes the TOE in a narrative + way. + + + + + The objective of this sub-activity is to determine whether + the PP is correctly identified, and whether the PP + reference and TOE overview are consistent with each + other. + + + + The evaluation evidence for this sub-activity is: + + + the PP. 
+ + + + + The developer shall provide a PP introduction. + + + The PP introduction shall contain a PP reference and a TOE + overview. + + + The PP reference shall uniquely identify the PP. + + + The TOE overview shall summarise the usage and major + security features of the TOE. + + + The TOE overview shall identify the TOE type. + + + The TOE overview shall identify any non-TOE + hardware/software/firmware available to the TOE. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that the PP introduction + contains a PP reference and a TOE overview. + + + + + The evaluator shall examine the PP reference to + determine that it uniquely identifies the PP. + + The evaluator determines that the PP reference + identifies the PP itself, so that it may be easily + distinguished from other PPs, and that it also uniquely + identifies each version of the PP, e.g. by including a + version number and/or a date of publication. + + The PP should have some referencing system that is + capable of supporting unique references (e.g. use of + numbers, letters or dates). + + + + + The evaluator shall examine the TOE overview to + determine that it describes the usage and major security + features of the TOE. + + The TOE overview should briefly (i.e. several + paragraphs) describe the usage and major security + features expected of the TOE. The TOE overview should + enable consumers and potential TOE developers to quickly + determine whether the PP is of interest to them. + + The evaluator determines that the overview is clear + enough for TOE developers and consumers, and sufficient + to give them a general understanding of the intended + usage and major security features of the TOE. + + + + + The evaluator shall check that the TOE overview + identifies the TOE type. 
+ + + + + The evaluator shall examine the TOE overview to + determine that it identifies any non-TOE + hardware/software/firmware available to the TOE. + + While some TOEs may run stand-alone, other TOEs (notably + software TOEs) need additional hardware, software or + firmware to operate. In this subclause of the PP, the PP + author lists all hardware, software, and/or firmware + that will be available for the TOE to run on. + + This identification should be detailed enough for + potential consumers and TOE developers to determine + whether their TOE may operate with the listed hardware, + software and firmware. + + + + + + + + The objective of this family is to determine the validity of + the conformance claim. In addition, this family specifies + how STs and other PPs are to claim conformance with the + PP. + + + + Conformance claims describes how the Protection Profile + conforms to CC Part 2 and CC Part 3, to Protection Profiles + and to packages. + + + + + + + + The objective of this sub-activity is to determine the + validity of various conformance claims. These describe how + the PP conforms to the CC, other PPs and packages. + + + + The evaluation evidence for this sub-activity is: + + + the PP; + + + the PP(s) that the PP claims conformance to; + + + the package(s) that the PP claims conformance to. + + + + + The developer shall provide a conformance claim. + + + The developer shall provide a conformance claim rationale. + + + The developer shall provide a conformance statement. + + + The conformance claim shall contain a CC conformance claim + that identifies the version of the CC to which the PP claims + conformance. + + + The CC conformance claim shall describe the conformance of + the PP to CC Part 2 as either CC Part 2 conformant or CC + Part 2 extended. + + + The CC conformance claim shall describe the conformance of + the PP to CC Part 3 as either CC Part 3 conformant or CC + Part 3 extended. 
+ + + The CC conformance claim shall be consistent with the + extended components definition. + + + The conformance claim shall identify all PPs and security + requirement packages to which the PP claims conformance. + + + The conformance claim shall describe any conformance of the + PP to a package as either package-conformant or + package-augmented. + + + The conformance claim rationale shall demonstrate that the + TOE type is consistent with the TOE type in the PPs for + which conformance is being claimed. + + + The conformance claim rationale shall demonstrate that the + statement of the security problem definition is consistent + with the statement of the security problem definition in the + PPs for which conformance is being claimed. + + + The conformance claim rationale shall demonstrate that the + statement of security objectives is consistent with the + statement of security objectives in the PPs for which + conformance is being claimed. + + + The conformance claim rationale shall demonstrate that the + statement of security requirements is consistent with the + statement of security requirements in the PPs for which + conformance is being claimed. + + + The conformance statement shall describe the conformance + required of any PPs/STs to the PP as strict-PP or + demonstrable-PP conformance. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that the conformance claim + contains a CC conformance claim that identifies the + version of the CC to which the PP claims + conformance. + + The evaluator determines that the CC conformance claim + identifies the version of the CC that was used to + develop this PP. This should include the version number + of the CC and, unless the International English version + of the CC was used, the language of the version of the + CC that was used. 
+ + + + + The evaluator shall check that the CC conformance claim + states a claim of either CC Part 2 conformant or CC Part + 2 extended for the PP. + + + + + The evaluator shall check that the CC conformance claim + states a claim of either CC Part 3 conformant or CC Part + 3 extended for the PP. + + + + + The evaluator shall examine the CC conformance claim for + CC Part 2 to determine that it is consistent with the + extended components definition. + + If the CC conformance claim contains CC Part 2 + conformant, the evaluator determines that the extended + components definition does not define functional + components. + + If the CC conformance claim contains CC Part 2 extended, + the evaluator determines that the extended components + definition defines at least one extended functional + component. + + + + + The evaluator shall examine the CC conformance claim for + CC Part 3 to determine that it is consistent with the + extended components definition. + + If the CC conformance claim contains CC Part 3 + conformant, the evaluator determines that the extended + components definition does not define assurance + components. + + If the CC conformance claim contains CC Part 3 extended, + the evaluator determines that the extended components + definition defines at least one extended assurance + component. + + + + + The evaluator shall check that the conformance claim + contains a PP claim that identifies all PPs for which + the PP claims conformance. + + If the PP does not claim conformance to another PP, this + work unit is not applicable and therefore considered to + be satisfied. + The evaluator determines that any referenced PPs + are unambiguously identified (e.g. by title and version + number, or by the identification included in the + introduction of that PP). + + The evaluator is reminded that claims of partial + conformance to a PP are not permitted. 
+ + + + + The evaluator shall check that the conformance claim + contains a package claim that identifies all packages to + which the PP claims conformance. + + If the PP does not claim conformance to a package, this + work unit is not applicable and therefore considered to + be satisfied. + + The evaluator determines that any referenced packages + are unambiguously identified (e.g. by title and version + number, or by the identification included in the + introduction of that package). + + The evaluator is reminded that claims of partial + conformance to a package are not permitted. + + + + + The evaluator shall check that, for each identified + package, the conformance claim states a claim of either + package-name conformant or package-name + augmented. + + If the PP does not claim conformance to a package, this + work unit is not applicable and therefore considered to + be satisfied. + + If the package conformance claim contains package-name + conformant, the evaluator determines that: + + + If the package is an assurance package, then the PP + contains all SARs included in the package, but no + additional SARs. + + + If the package is a functional package, then the PP + contains all SFRs included in the package, but no + additional SFRs. + + + + If the package conformance claim contains package-name + augmented, the evaluator determines that: + + + If the package is an assurance package, then the PP + contains all SARs included in the package, and at + least one additional SAR or at least one SAR that is + hierarchical to a SAR in the package. + + + If the package is a functional package, then the PP + contains all SFRs included in the package, and at + least one additional SFR or at least one SFR that is + hierarchical to a SFR in the package. + + + + + + + The evaluator shall examine the conformance claim + rationale to determine that the TOE type of the TOE is + consistent with all TOE types of the PPs. 
+ + If the PP does not claim conformance to another PP, this + work unit is not applicable and therefore considered to + be satisfied. + + The relation between the types may be simple: a firewall + PP claiming conformance to another firewall PP, or more + complex: a smart card PP claiming conformance to a number + of other PPs at the same time: a PP for the integrated + circuit, a PP for the smart card OS, and two PPs for two + applications on the smart card. + + + + + The evaluator shall examine the conformance claim + rationale to determine that it demonstrates that the + statement of security problem definition is consistent, + as defined by the conformance statement of the PP, with + the statements of security problem definition stated in + the PPs to which conformance is being claimed. + + If the PP under evaluation does not claim conformance + with another PP, this work unit is not applicable and + therefore considered to be satisfied. + + If the PP to which conformance is being claimed does not + have a statement of security problem definition, this + work unit is not applicable and therefore considered to + be satisfied. + + If strict conformance is required by the PP to which + conformance is being claimed, no conformance claim + rationale is required. 
Instead, the evaluator determines + whether + + + the threats in the PP under evaluation are a + superset of or identical to the threats in the PP to + which conformance is being claimed; + + + the OSPs in the PP under evaluation are a superset + of or identical to the OSPs in the PP to which + conformance is being claimed; + + + the assumptions in the PP under evaluation are + identical to the assumptions in the PP to which conformance + is being claimed; + + + If demonstrable conformance is required by the PP to + which conformance is being claimed, the evaluator + examines the conformance claim rationale to determine + that it demonstrates that the statement of security + problem definition of the PP under evaluation is + equivalent or more restrictive than the statement of + security problem definition in the PP to which + conformance is being claimed. + For guidance on ``equivalent or more restrictive'' + see CC Part 1 . + + + + + The evaluator shall examine the conformance claim + rationale to determine that the statement of security + objectives is consistent, as defined by the conformance + statement of the PPs, with the statement of security + objectives in the PPs. + + If the PP does not claim conformance to another PP, this + work unit is not applicable and therefore considered to + be satisfied. + + If strict conformance is required by the PP to which + conformance is being claimed, no conformance claim + rationale is required. Instead, the evaluator determines + whether: + + The PP under evaluation contains all security + objectives for the TOE of the PP to which + conformance is being claimed. Note that it is + allowed for the PP under evaluation to have + additional security objectives for the TOE; + The PP under evaluation contains exactly all + security objectives for the operational environment + (with one exception in the next bullet). 
Note that + it is not allowed for the PP under evaluation to + have additional security objectives for the + operational environment; + The PP under evaluation may specify that certain + objectives for the operational environment in the PP + that conformance is being claimed to are security + objectives for the TOE in the PP under + evaluation. This is a valid exception to the + previous bullet. + + If demonstrable conformance is required by the PP to + which conformance is being claimed, the evaluator + examines the conformance claim rationale to determine + that it demonstrates that the statement of security + objectives of the PP under evaluation is equivalent or + more restrictive than the statement of security + objectives in the PP to which conformance is being + claimed. + For guidance on ``equivalent or more restrictive'' + see CC Part 1 . + + + + + The evaluator shall examine the PP to determine that it + is consistent, as defined by the conformance statement + of the PP, with all security requirements in the PPs for + which conformance is being claimed. + + If the PP does not claim conformance to another PP, this + work unit is not applicable and therefore considered to + be satisfied. + + If strict conformance is required by the PP to which + conformance is being claimed, no conformance claim + rationale is required. Instead, the evaluator determines + whether the statement of security requirements in the PP + under evaluation is a superset of or identical to the + statement of security requirements in the PP to which + conformance is being claimed (for strict + conformance). 
+ + If demonstrable conformance is required by the PP to + which conformance is being claimed, the evaluator + examines the conformance claim rationale to determine + that it demonstrates that the statement of security + requirements of the PP under evaluation is equivalent or + more restrictive than the statement of security + requirements in the PP to which conformance is being + claimed. + For guidance on ``equivalent or more restrictive'' + see CC Part 1 . + + + + + + The evaluator shall check that the PP conformance + statement states a claim of strict-PP or demonstrable-PP + conformance. + + + + + + + + This part of the PP defines the security problem to be + addressed by the TOE and the operational environment of the + TOE. + + Evaluation of the security problem definition is required to + demonstrate that the security problem intended to be + addressed by the TOE and its operational environment, is + clearly defined. + + + + The security problem definition defines the problem + addressed by the TOE and the operational environment of the + TOE. + + + + + The objective of this sub-activity is to determine that + the security problem intended to be addressed by the TOE + and its operational environment is clearly defined. + + + + The evaluation evidence for this sub-activity is: + + + the PP. + + + + + The developer shall provide a security problem definition. + + + The security problem definition shall describe the threats. + + + All threats shall be described in terms of a threat agent, + an asset, and an adverse action. + + + The security problem definition shall describe the OSPs. + + + The security problem definition shall describe the + assumptions about the operational environment of the TOE. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that the security problem + definition describes the threats. 
+ + If all security objectives are derived from assumptions + and/or OSPs only, the statement of threats need not be + present in the PP. In this case, this work unit is not + applicable and therefore considered to be + satisfied. + + The evaluator determines that the security problem + definition describes the threats that must be countered + by the TOE and/or its operational environment. + + + + + The evaluator shall examine the security problem + definition to determine that all threats are described + in terms of a threat agent, an asset, and an adverse + action. + + If all security objectives are derived from assumptions + and OSPs only, the statement of threats need not be + present in the PP. In this case, this work unit is not + applicable and therefore considered to be + satisfied. + + Threat agents may be further described by aspects such + as expertise, resource, opportunity, and + motivation. + + + + + The evaluator shall examine that the security problem + definition describes the OSPs. + + If all security objectives are derived from assumptions + and/or threats only, OSPs need not be present in the + PP. In this case, this work unit is not applicable and + therefore considered to be satisfied. + + The evaluator determines that OSP statements are made in + terms of rules or guidelines that must be followed by + the TOE and/or its operational environment. + + The evaluator determines that each OSP is explained + and/or interpreted in sufficient detail to make it + clearly understandable; a clear presentation of policy + statements is necessary to permit tracing security + objectives to them. + + + + + The evaluator shall examine the security problem + definition to determine that it describes the + assumptions about the operational environment of the + TOE. + + If there are no assumptions, this work unit is not + applicable and is therefore considered to be + satisfied. 
+ + The evaluator determines that each assumption about the + operational environment of the TOE is explained in + sufficient detail to enable consumers to determine that + their operational environment matches the assumption. If + the assumptions are not clearly understood, the end + result may be that the TOE is used in an operational + environment in which it will not function in a secure + manner. + + + + + + + + The security objectives are a concise statement of the + intended response to the security problem defined through + the family. + + Evaluation of the security objectives is required to + demonstrate that the security objectives adequately and + completely address the security problem definition and that + the division of this problem between the TOE and its + operational environment is clearly defined. + + + + The security objectives are a concise statement of the + intended response to the security problem. + + + + The components in this family are levelled on whether they + prescribe only security objectives for the operational + environment, or also security objectives for the TOE. + + + + + The objective of this sub-activity is to determine whether + the security objectives for the operational environment + are clearly defined. + + + + The evaluation evidence for this sub-activity is: + + + the PP. + + + + + The developer shall provide a statement of security + objectives. + + + The statement of security objectives shall describe the + security objectives for the operational environment. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that the statement of security + objectives defines the security objectives for the + operational environment. + + The evaluator checks that the security objectives for + the operational environment are identified. 
+ + + + + + + + + The objective of this sub-activity is to determine whether + the security objectives adequately and completely address + the security problem definition and that the division of + this problem between the TOE and its operational + environment is clearly defined. + + + + The evaluation evidence for this sub-activity is: + + + the PP. + + + + + The developer shall provide a statement of security + objectives. + + + The developer shall provide a security objectives rationale. + + + The statement of security objectives shall describe the + security objectives for the TOE and the security objectives + for the operational environment. + + + The security objectives rationale shall trace each security + objective for the TOE back to threats countered by that + security objective and OSPs enforced by that security + objective. + + + The security objectives rationale shall trace each security + objective for the operational environment back to threats + countered by that security objective, OSPs enforced by that + security objective, and assumptions upheld by that security + objective. + + + The security objectives rationale shall demonstrate that the + security objectives counter all threats. + + + The security objectives rationale shall demonstrate that the + security objectives enforce all OSPs. + + + The security objectives rationale shall demonstrate that the + security objectives for the operational environment uphold + all assumptions. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that the statement of security + objectives defines the security objectives for the TOE + and the security objectives for the operational + environment. + + The evaluator checks that both categories of security + objectives are clearly identified and separated from the + other category. 
+ + + + + The evaluator shall check that the security objectives + rationale traces all security objectives for the TOE + back to threats countered by the objectives and/or OSPs + enforced by the objectives. + + Each security objective for the TOE may trace back to + threats or OSPs, or a combination of threats and OSPs, + but it must trace back to at least one threat or + OSP. + + Failure to trace implies that either the security + objectives rationale is incomplete, the security problem + definition is incomplete, or the security objective for + the TOE has no useful purpose. + + + + + The evaluator shall check that the security objectives + rationale traces the security objectives for the + operational environment back to threats countered by + that security objective, to OSPs enforced by that + security objective, and to assumptions upheld by that + security objective. + + Each security objective for the operational environment + may trace back to threats, OSPs, assumptions, or a + combination of threats, OSPs and/or assumptions, but it + must trace back to at least one threat, OSP or + assumption. + + Failure to trace implies that either the security + objectives rationale is incomplete, the security problem + definition is incomplete, or the security objective for + the operational environment has no useful + purpose. + + + + + The evaluator shall examine the security objectives + rationale to determine that it justifies for each threat + that the security objectives are suitable to counter + that threat. + + If no security objectives trace back to the threat, the evaluator action + related to this work unit is assigned a fail verdict. + + The evaluator determines that the justification for a + threat shows whether the threat is removed, diminished + or mitigated. 
+ + The evaluator determines that the justification for a + threat demonstrates that the security objectives are + sufficient: if all security objectives that trace back + to the threat are achieved, the threat is removed, + sufficiently diminished, or the effects of the threat + are sufficiently mitigated. + + Note that the tracings from security objectives to + threats provided in the security objectives rationale + may be part of a justification, but do not constitute a + justification by themselves. Even in the case that a + security objective is merely a statement reflecting the + intent to prevent a particular threat from being + realised, a justification is required, but this + justification may be as minimal as ``Security Objective + X directly counters Threat Y''. + + The evaluator also determines that each security + objective that traces back to a threat is necessary: + when the security objective is achieved it actually + contributes to the removal, diminishing or mitigation of + that threat. + + + + + The evaluator shall examine the security objectives + rationale to determine that for each OSP it justifies + that the security objectives are suitable to enforce + that OSP. + + If no security objectives trace back to the OSP, the evaluator action + related to this work unit is assigned a fail verdict. + + The evaluator determines that the justification for an + OSP demonstrates that the security objectives are + sufficient: if all security objectives that trace back + to that OSP are achieved, the OSP is enforced. + + The evaluator also determines that each security + objective that traces back to an OSP is necessary: when + the security objective is achieved it actually + contributes to the enforcement of the OSP. + + Note that the tracings from security objectives to OSPs + provided in the security objectives rationale may be + part of a justification, but do not constitute a + justification by themselves. 
In the case that a security + objective is merely a statement reflecting the intent to + enforce a particular OSP, a justification is required, + but this justification may be as minimal as ``Security + Objective X directly enforces OSP Y''. + + + + + The evaluator shall examine the security objectives + rationale to determine that for each assumption for the + operational environment it contains an appropriate + justification that the security objectives for the + operational environment are suitable to uphold that + assumption. + + If no security objectives for the operational environment trace back to the assumption, + the evaluator action related to this work unit is assigned a fail verdict. + + The evaluator determines that the justification for an + assumption about the operational environment of the TOE + demonstrates that the security objectives are + sufficient: if all security objectives for the + operational environment that trace back to that + assumption are achieved, the operational environment + upholds the assumption. + + The evaluator also determines that each security + objective for the operational environment that traces + back to an assumption about the operational environment + of the TOE is necessary: when the security objective is + achieved it actually contributes to the operational + environment upholding the assumption. + + Note that the tracings from security objectives for the + operational environment to assumptions provided in the + security objectives rationale may be a part of a + justification, but do not constitute a justification by + themselves. Even in the case that a security objective + of the operational environment is merely a restatement + of an assumption, a justification is required, but this + justification may be as minimal as ``Security Objective + X directly upholds Assumption Y''. 
+ + + + + + + + Extended security requirements are requirements that are not + based on components from CC Part 2 or CC Part 3, but are + based on extended components: components defined by the PP + author. + + Evaluation of the definition of extended components is + necessary to determine that they are clear and unambiguous, + and that they are necessary, i.e. they may not be clearly + expressed using existing CC Part 2 or CC Part 3 + components. + + + + Extended security requirements are requirements that are not + based on components from CC Part 2 or CC Part 3, but are + based on extended components: components defined by the PP + author. This family is used to determine that these extended + components are defined similarly to the existing CC Part 2 + or CC Part 3 components. + + Evaluation of the definition of extended components is + necessary to determine that they are clear and unambiguous, + and that they are necessary, i.e. they may not be clearly + expressed using existing CC Part 2 or CC Part 3 + components. + + + + + The objective of this sub-activity is to determine whether + extended components have been clearly and unambiguously + defined, and whether they are necessary, i.e. they may not + be clearly expressed using existing CC Part 2 or CC Part 3 + components. + + + + The evaluation evidence for this sub-activity is: + + + the PP. + + + + + The developer shall provide a statement of security + requirements. + + + The developer shall provide an extended components + definition. + + + The statement of security requirements shall identify all + extended security requirements. + + + The extended components definition shall define an extended + component for each extended security requirement. + + + The extended components definition shall describe how each + extended component is related to the existing CC components, + families, and classes. 
+ + + The extended components definition shall use the existing CC + components, families, classes, and methodology as a model + for presentation. + + + The extended components shall consist of measurable and + objective elements such that conformance or nonconformance + to these elements can be demonstrated. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that all security requirements + in the statement of security requirements that are not + identified as extended requirements are present in CC + Part 2 or in CC Part 3. + + + + + The evaluator shall check that the extended components + definition defines an extended component for each + extended security requirement. + + If the PP does not contain extended security + requirements, this work unit is not applicable and + therefore considered to be satisfied. + + A single extended component may be used to define + multiple iterations of an extended security requirement, + it is not necessary to repeat this definition for each + iteration. + + + + + The evaluator shall examine the extended components + definition to determine that it describes how each + extended component fits into the existing CC components, + families, and classes. + + If the PP does not contain extended security + requirements, this work unit is not applicable and + therefore considered to be satisfied. + + The evaluator determines that each extended component is + either: + + + a member of an existing CC Part 2 or CC Part 3 + family, or + + a member of a new family defined in the PP. + + + + If the extended component is a member of an existing CC + Part 2 or CC Part 3 family, the evaluator determines + that the extended components definition adequately + describes why the extended component should be a member + of that family and how it relates to other components of + that family. 
+ + If the extended component is a member of a new family + defined in the PP, the evaluator confirms that the + extended component is not appropriate for an existing + family. + + If the PP defines new families, the evaluator determines + that each new family is either: + + + a member of an existing CC Part 2 or CC Part 3 + class, or + + + a member of a new class defined in the PP. + + + + If the family is a member of an existing CC Part 2 or CC + Part 3 class, the evaluator determines that the extended + components definition adequately describes why the + family should be a member of that class and how it + relates to other families in that class. + + If the family is a member of a new class defined in the + PP, the evaluator confirms that the family is not + appropriate for an existing class. + + + + + The evaluator shall examine the extended components + definition to determine that each definition of an + extended component identifies all applicable + dependencies of that component. + + If the PP does not contain extended security + requirements, this work unit is not applicable and + therefore considered to be satisfied. + + The evaluator confirms that no applicable dependencies + have been overlooked by the PP author. + + + + + The evaluator shall examine the extended components + definition to determine that each extended functional + component uses the existing CC Part 2 components as a + model for presentation. + + If the PP does not contain extended SFRs, this work unit + is not applicable and therefore considered to be + satisfied. + + The evaluator determines that the extended functional + component is consistent with CC Part 2 Subclause . + + If the extended functional component uses operations, the + evaluator determines that the extended functional component is + consistent with CC Part 1 Subclause . 
+ + If the extended functional component is hierarchical to + an existing functional component, the evaluator + determines that the extended functional component is + consistent with CC Part 2 Subclause . + + + + + The evaluator shall examine the extended components + definition to determine that each definition of a new + functional family uses the existing CC functional + families as a model for presentation. + + If the PP does not define new functional families, this + work unit is not applicable and therefore considered to + be satisfied. + + The evaluator determines that all new functional + families are defined consistent with CC Part 2 Subclause + . + + + + + The evaluator shall examine the extended components + definition to determine that each definition of a new + functional class uses the existing CC functional classes + as a model for presentation. + + If the PP does not define new functional classes, this + work unit is not applicable and therefore considered to + be satisfied. + + The evaluator determines that all new functional classes + are defined consistent with CC Part 2 Subclause + + + + + The evaluator shall examine the extended components + definition to determine that each definition of an + extended assurance component uses the existing CC Part 3 + components as a model for presentation. + + If the PP does not contain extended SARs, this work unit + is not applicable and therefore considered to be + satisfied. + + The evaluator determines that the extended assurance + component definition is consistent with CC Part 3 + Subclause . + + If the extended assurance component uses operations, the + evaluator determines that the extended assurance component is + consistent with CC Part 1 Subclause . + + If the extended assurance component is hierarchical to + an existing assurance component, the evaluator + determines that the extended assurance component is + consistent with CC Part 3 Subclause . 
+ + + + + The evaluator shall examine the extended components + definition to determine that, for each defined extended + assurance component, applicable methodology has been + provided. + + If the PP does not contain extended SARs, this work unit + is not applicable and therefore considered to be + satisfied. + + The evaluator determines that, for each evaluator action + element of each extended SAR, one or more work units are + provided and that successfully performing all work units + for a given evaluator action element will demonstrate + that the element has been achieved. + + + + + The evaluator shall examine the extended components + definition to determine that each definition of a new + assurance family uses the existing CC assurance families + as a model for presentation. + + If the PP does not define new assurance families, this + work unit is not applicable and therefore considered to + be satisfied. + + The evaluator determines that all new assurance families + are defined consistent with CC Part 3 Subclause . + + + + + The evaluator shall examine the extended components + definition to determine that each definition of a new + assurance class uses the existing CC assurance classes + as a model for presentation. + + If the PP does not define new assurance classes, this + work unit is not applicable and therefore considered to + be satisfied. + + The evaluator determines that all new assurance classes + are defined consistent with CC Part 3 Subclause . + + + + + The evaluator shall examine the extended components + definition to determine that each element in each + extended component is measurable and states objective + evaluation requirements, such that conformance or + nonconformance can be demonstrated. + + If the PP does not contain extended security + requirements, this work unit is not applicable and + therefore considered to be satisfied. 
+
+ The evaluator determines that elements of extended
+ functional components are stated in such a way that they
+ are testable, and traceable through the appropriate TSF
+ representations.
+
+ The evaluator also determines that elements of extended
+ assurance components avoid the need for subjective
+ evaluator judgement.
+
+ The evaluator is reminded that whilst being measurable
+ and objective is appropriate for all evaluation
+ criteria, it is acknowledged that no formal method
+ exists to prove such properties. Therefore the existing
+ CC functional and assurance components are to be used as
+ a model for determining what constitutes conformance to
+ this requirement.
+
+
+
+ The evaluator shall confirm that no extended component may
+ be clearly expressed using existing components.
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each extended component may
+ not be clearly expressed using existing
+ components.
+
+ If the PP does not contain extended security
+ requirements, this work unit is not applicable and
+ therefore considered to be satisfied.
+
+ The evaluator should take components from CC Part 2 and
+ CC Part 3, other extended components that have been
+ defined in the PP, combinations of these components, and
+ possible operations on these components into account
+ when making this determination.
+
+ The evaluator is reminded that the role of this work
+ unit is to preclude unnecessary duplication of
+ components, that is, components that may be clearly
+ expressed by using other components. The evaluator
+ should not undertake an exhaustive search of all
+ possible combinations of components including operations
+ in an attempt to find a way to express the extended
+ component by using existing components.
+
+
+
+
+
+
+
+ The SFRs form a clear, unambiguous and well-defined
+ description of the expected security behaviour of the
+ TOE.
The SARs form a clear, unambiguous and well-defined
+ description of the expected activities that will be
+ undertaken to gain assurance in the TOE.
+
+ Evaluation of the security requirements is required to
+ ensure that they are clear, unambiguous and
+ well-defined.
+
+
+
+ The SFRs form a clear, unambiguous and well-defined
+ description of the expected security behaviour of the
+ TOE. The SARs form a clear, unambiguous and well-defined
+ description of the expected activities that will be
+ undertaken to gain assurance in the TOE.
+
+
+
+ The components in this family are levelled on whether they
+ are stated as is, or whether the SFRs are derived from
+ security objectives for the TOE.
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the SFRs and SARs are clear, unambiguous and well-defined
+ and whether they are internally consistent.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the PP.
+
+
+
+
+ The developer shall provide a statement of security requirements.
+
+
+ The developer shall provide a security requirements
+ rationale.
+
+
+ The statement of security requirements shall describe the
+ SFRs and the SARs.
+
+
+ All subjects, objects, operations, security attributes,
+ external entities and other terms that are used in the SFRs
+ and the SARs shall be defined.
+
+
+ The statement of security requirements shall identify all
+ operations on the security requirements.
+
+
+ All operations shall be performed correctly.
+
+
+ Each dependency of the security requirements shall either be
+ satisfied, or the security requirements rationale shall
+ justify the dependency not being satisfied.
+
+
+ The statement of security requirements shall be internally
+ consistent.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the statement of security
+ requirements describes the SFRs.
+
+ The evaluator determines that each SFR is identified by
+ one of the following means:
+
+
+ by reference to an individual component in CC Part
+ 2;
+
+
+ by reference to an extended component in the
+ extended components definition of the PP;
+
+
+ by reference to a PP that the PP claims to be
+ conformant with;
+
+
+ by reference to a security requirements package that
+ the PP claims to be conformant with;
+
+
+ by reproduction in the PP.
+
+ It is not required to use the same means of
+ identification for all SFRs.
+
+
+
+
+ The evaluator shall check that the statement of security
+ requirements describes the SARs.
+
+ The evaluator determines that each SAR is identified by
+ one of the following means:
+
+
+ by reference to an individual component in CC Part
+ 3;
+
+
+ by reference to an extended component in the
+ extended components definition of the PP;
+
+
+ by reference to a PP that the PP claims to be
+ conformant with;
+
+
+ by reference to a security requirements package that
+ the PP claims to be conformant with;
+
+
+ by reproduction in the PP.
+
+ It is not required to use the same means of
+ identification for all SARs.
+
+
+
+
+ The evaluator shall examine the PP to determine that all
+ subjects, objects, operations, security attributes,
+ external entities and other terms that are used in the
+ SFRs and the SARs are defined.
+
+ The evaluator determines that the PP defines all:
+
+ (types of) subjects and objects that are used in
+ the SFRs;
+ (types of) security attributes of subjects, users,
+ objects, information, sessions and/or resources, possible
+ values that these attributes may take and any relations
+ between these values (e.g.
top_secret is ``higher'' than secret);
+ (types of) operations that are used in the SFRs,
+ including the effects of these operations;
+ (types of) external entities in the SFRs;
+ other terms that are introduced in the SFRs
+ and/or SARs by completing operations, if these terms
+ are not immediately clear, or are used outside their
+ dictionary definition.
+
+ The goal of this work unit is to ensure that the SFRs
+ and SARs are well-defined and that no misunderstanding
+ may occur due to the introduction of vague terms. This
+ work unit should not be taken into extremes, by forcing
+ the PP writer to define every single word. The general
+ audience of a set of security requirements should be
+ assumed to have a reasonable knowledge of IT, security
+ and Common Criteria.
+
+ All of the above may be presented in groups, classes,
+ roles, types or other groupings or characterisations
+ that allow easy understanding.
+
+ The evaluator is reminded that these lists and
+ definitions do not have to be part of the statement of
+ security requirements, but may be placed (in part or in
+ whole) in different subclauses. This may be especially
+ applicable if the same terms are used in the rest of the
+ PP.
+
+
+
+
+ The evaluator shall check that the statement of security
+ requirements identifies all operations on the security
+ requirements.
+
+ The evaluator determines that all operations are
+ identified in each SFR or SAR where such an operation is
+ used. This includes both completed operations and
+ uncompleted operations. Identification may be achieved
+ by typographical distinctions, or by explicit
+ identification in the surrounding text, or by any other
+ distinctive means.
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all assignment operations
+ are performed correctly.
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all iteration operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all selection operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all refinement operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that each dependency of the
+ security requirements is either satisfied, or that the
+ security requirements rationale justifies the dependency
+ not being satisfied.
+
+ A dependency is satisfied by the inclusion of the
+ relevant component (or one that is hierarchical to it)
+ within the statement of security requirements. The
+ component used to satisfy the dependency should, if
+ necessary, be modified by operations to ensure that it
+ actually satisfies that dependency.
+
+ A justification that a dependency is not met should
+ address either:
+
+
+ why the dependency is not necessary or useful, in
+ which case no further information is required; or
+
+
+ that the dependency has been addressed by the
+ operational environment of the TOE, in which case
+ the justification should describe how the security
+ objectives for the operational environment address
+ this dependency.
+
+
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that it is internally
+ consistent.
+
+ The evaluator determines that the combined set of all
+ SFRs and SARs is internally consistent.
+
+ The evaluator determines that on all occasions where
+ different security requirements apply to the same types
+ of developer evidence, events, operations, data, tests
+ to be performed etc. or to ``all objects'', ``all
+ subjects'' etc., that these requirements do not
+ conflict.
+
+ Some possible conflicts are:
+
+
+ an extended SAR specifying that the design of a
+ certain cryptographic algorithm is to be kept
+ secret, and another extended SAR specifying an open
+ source review;
+
+ specifying
+ that subject identity is to be logged, specifying who has
+ access to these logs, and specifying that some actions of
+ subjects should be unobservable to other
+ subjects. If the subject that should not be able to
+ see an activity may access logs of this activity,
+ these SFRs conflict;
+
+ specifying
+ deletion of information no longer needed, and specifying that a TOE
+ may return to a previous state. If the information
+ that is needed for the rollback to the previous
+ state has been deleted, these requirements conflict;
+
+
+ Multiple iterations of especially where some iterations cover
+ the same subjects, objects, or operations. If one
+ access control SFR allows a subject to perform an
+ operation on an object, while another access control
+ SFR does not allow this, these requirements
+ conflict.
+
+
+
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the SFRs and SARs are clear, unambiguous and well-defined,
+ whether they are internally consistent, and whether the
+ SFRs meet the security objectives of the TOE.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the PP.
+
+
+
+
+ The developer shall provide a statement of security requirements.
+
+
+ The developer shall provide a security requirements
+ rationale.
+
+
+ The statement of security requirements shall describe the
+ SFRs and the SARs.
+
+
+ All subjects, objects, operations, security attributes,
+ external entities and other terms that are used in the SFRs
+ and the SARs shall be defined.
+
+
+ The statement of security requirements shall identify all
+ operations on the security requirements.
+
+
+ All operations shall be performed correctly.
+
+
+ Each dependency of the security requirements shall either be
+ satisfied, or the security requirements rationale shall
+ justify the dependency not being satisfied.
+
+
+ The security requirements rationale shall trace each SFR
+ back to the security objectives for the TOE.
+
+
+ The security requirements rationale shall demonstrate that
+ the SFRs meet all security objectives for the TOE.
+
+
+ The security requirements rationale shall explain why the
+ SARs were chosen.
+
+
+ The statement of security requirements shall be internally
+ consistent.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the statement of security
+ requirements describes the SFRs.
+
+ The evaluator determines that each SFR is identified by
+ one of the following means:
+
+
+ by reference to an individual component in CC Part
+ 2;
+
+
+ by reference to an extended component in the
+ extended components definition of the PP;
+
+
+ by reference to an individual component in a PP that
+ the PP claims to be conformant with;
+
+
+ by reference to an individual component in a
+ security requirements package that the PP claims to
+ be conformant with;
+
+
+ by reproduction in the PP.
+
+ It is not required to use the same means of
+ identification for all SFRs.
+
+
+
+
+ The evaluator shall check that the statement of security
+ requirements describes the SARs.
+
+ The evaluator determines that each SAR is identified by
+ one of the following means:
+
+
+ by reference to an individual component in CC Part
+ 3;
+
+
+ by reference to an extended component in the
+ extended components definition of the PP;
+
+
+ by reference to an individual component in a PP that
+ the PP claims to be conformant with;
+
+
+ by reference to an individual component in a
+ security requirements package that the PP claims to
+ be conformant with;
+
+
+ by reproduction in the PP.
+
+ It is not required to use the same means of
+ identification for all SARs.
+
+
+
+
+ The evaluator shall examine the PP to determine that all
+ subjects, objects, operations, security attributes,
+ external entities and other terms that are used in the
+ SFRs and the SARs are defined.
+
+ The evaluator determines that the PP defines all:
+
+ (types of) subjects and objects that are used in
+ the SFRs;
+ (types of) security attributes of subjects, users,
+ objects, information, sessions and/or resources, possible
+ values that these attributes may take and any relations
+ between these values (e.g. top_secret is ``higher'' than secret);
+ (types of) operations that are used in the SFRs,
+ including the effects of these operations;
+ (types of) external entities in the SFRs;
+ other terms that are introduced in the SFRs
+ and/or SARs by completing operations, if these terms
+ are not immediately clear, or are used outside their
+ dictionary definition.
+
+ The goal of this work unit is to ensure that the SFRs
+ and SARs are well-defined and that no misunderstanding
+ may occur due to the introduction of vague terms. This
+ work unit should not be taken into extremes, by forcing
+ the PP writer to define every single word. The general
+ audience of a set of security requirements should be
+ assumed to have a reasonable knowledge of IT, security
+ and Common Criteria.
+
+ All of the above may be presented in groups, classes,
+ roles, types or other groupings or characterisations
+ that allow easy understanding.
+
+ The evaluator is reminded that these lists and
+ definitions do not have to be part of the statement of
+ security requirements, but may be placed (in part or in
+ whole) in different subclauses. This may be especially
+ applicable if the same terms are used in the rest of the
+ PP.
+
+
+
+
+ The evaluator shall check that the statement of security
+ requirements identifies all operations on the security
+ requirements.
+
+ The evaluator determines that all operations are
+ identified in each SFR or SAR where such an operation is
+ used. This includes both completed operations and
+ uncompleted operations. Identification may be achieved
+ by typographical distinctions, or by explicit
+ identification in the surrounding text, or by any other
+ distinctive means.
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all assignment operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all iteration operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all selection operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all refinement operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that each dependency of the
+ security requirements is either satisfied, or that the
+ security requirements rationale justifies the dependency
+ not being satisfied.
+
+ A dependency is satisfied by the inclusion of the
+ relevant component (or one that is hierarchical to it)
+ within the statement of security requirements. The
+ component used to satisfy the dependency should, if
+ necessary, be modified by operations to ensure that it
+ actually satisfies that dependency.
+
+ A justification that a dependency is not met should
+ address either:
+
+
+ why the dependency is not necessary or useful, in
+ which case no further information is required; or
+
+
+ that the dependency has been addressed by the
+ operational environment of the TOE, in which case
+ the justification should describe how the security
+ objectives for the operational environment address
+ this dependency.
+
+
+
+
+
+
+ The evaluator shall check that the security requirements
+ rationale traces each SFR back to the security
+ objectives for the TOE.
+
+ The evaluator determines that each SFR is traced back to
+ at least one security objective for the TOE.
+
+ Failure to trace implies that either the security
+ requirements rationale is incomplete, the security
+ objectives for the TOE are incomplete, or the SFR has no
+ useful purpose.
+
+
+
+
+ The evaluator shall examine the security requirements
+ rationale to determine that for each security objective
+ for the TOE it justifies that the SFRs are suitable to
+ meet that security objective for the TOE.
+
+ If no SFRs trace back to the security objective for the TOE,
+ the evaluator action related to this work unit is assigned a fail verdict.
+
+ The evaluator determines that the justification for a
+ security objective for the TOE demonstrates that the
+ SFRs are sufficient: if all SFRs that trace back to the
+ objective are satisfied, the security objective for the
+ TOE is achieved.
+
+ If the SFRs that trace back to a security objective for
+ the TOE have any uncompleted assignments, or uncompleted
+ or restricted selections, the evaluator determines that
+ for every conceivable completion or combination of
+ completions of these operations, the security objective
+ is still met.
+
+ The evaluator also determines that each SFR that traces
+ back to a security objective for the TOE is necessary:
+ when the SFR is satisfied, it actually contributes to
+ achieving the security objective.
+
+ Note that the tracings from SFRs to security objectives
+ for the TOE provided in the security requirements
+ rationale may be a part of the justification, but do not
+ constitute a justification by themselves.
+
+
+
+
+ The evaluator shall check that the security requirements
+ rationale explains why the SARs were chosen.
+ The evaluator is reminded that any explanation is
+ correct, as long as it is coherent and neither the SARs
+ nor the explanation have obvious inconsistencies with
+ the remainder of the PP.
+ An example of an obvious inconsistency between the
+ SARs and the remainder of the PP would be to have threat
+ agents that are very capable, but an SAR that does not protect against these
+ threat agents.
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that it is internally
+ consistent.
+
+ The evaluator determines that the combined set of all
+ SFRs and SARs is internally consistent.
+
+ The evaluator determines that on all occasions where
+ different security requirements apply to the same types
+ of developer evidence, events, operations, data, tests
+ to be performed etc.
or to ``all objects'', ``all
+ subjects'' etc., that these requirements do not
+ conflict.
+
+ Some possible conflicts are:
+
+
+ an extended SAR specifying that the design of a
+ certain cryptographic algorithm is to be kept
+ secret, and another extended SAR specifying an open
+ source review;
+
+ specifying
+ that subject identity is to be logged, specifying who has
+ access to these logs, and specifying that some actions of
+ subjects should be unobservable to other
+ subjects. If the subject that should not be able to
+ see an activity may access logs of this activity,
+ these SFRs conflict;
+
+ specifying
+ deletion of information no longer needed, and specifying that a TOE
+ may return to a previous state. If the information
+ that is needed for the rollback to the previous
+ state has been deleted, these requirements conflict;
+
+
+ Multiple iterations of especially where some iterations cover
+ the same subjects, objects, or operations. If one
+ access control SFR allows a subject to perform an
+ operation on an object, while another access control
+ SFR does not allow this, these requirements
+ conflict.
+
+
+
+
+
+
+
+
+
+
+ Evaluating an ST is required to demonstrate that the ST is
+ sound and internally consistent, and, if the ST is based on
+ one or more PPs or packages, that the ST is a correct
+ instantiation of these PPs and packages. These properties are
+ necessary for the ST to be suitable for use as the basis for a
+ TOE evaluation.
+
+ This Clause should be used in conjunction with Annexes , and
+ in CC
+ Part 1, as these Annexes clarify the concepts here and provide
+ many examples.
+
+
+
+ Assurance class defines
+ requirements for the evaluation of an ST, to demonstrate that
+ the ST is sound and internally consistent, and, if the ST is
+ based on one or more PPs or packages, that the ST is a correct
+ instantiation of these PPs and packages.
+
+
+
+ This Clause describes the evaluation of an ST. The ST
+ evaluation should be started prior to any TOE evaluation
+ sub-activities since the ST provides the basis and context to
+ perform these sub-activities. The evaluation methodology in
+ this subclause is based on the requirements on the ST as
+ specified in CC Part 3 class .
+
+ This Clause should be used in conjunction with Annexes , and
+ in CC
+ Part 1, as these Annexes clarify the concepts here and provide
+ many examples.
+
+
+
+ The ST describes the security features of a TOE. As such it is
+ expected to identify the security requirements that enforce
+ the defined OSPs and counter the defined threats under the
+ defined assumptions.
+
+ Evaluating an ST is required to demonstrate that the ST is
+ sound and internally consistent, and, if the ST is based on
+ one or more PPs or packages, that the ST is a correct
+ instantiation of these PPs or packages. These properties are
+ necessary for the ST to be suitable for use as the basis for a
+ TOE evaluation.
+
+
+
+
+ While evaluating an ST that is based on one or more
+ certified PPs, it may be possible to re-use the fact that
+ these PPs were certified.
The potential for re-use of the
+ result of a certified PP is greater if the ST does not add
+ threats, OSPs, assumptions, security objectives and/or
+ security requirements to those of the PP. If the ST
+ contains much more than the certified PP, re-use may not be
+ useful at all.
+
+ The evaluator is allowed to re-use the PP evaluation results
+ by doing certain analyses only partially or not at all if
+ these analyses or parts thereof were already done as part of
+ the PP evaluation. While doing this, the evaluator should
+ assume that the analyses in the PP were performed
+ correctly.
+
+ An example would be where the PP contains a set of security
+ requirements, and these were determined to be internally
+ consistent during the PP evaluation. If the ST uses the
+ exact same requirements, the consistency analysis does not
+ have to be repeated during the ST evaluation. If the ST adds
+ one or more requirements, or performs operations on these
+ requirements, the analysis will have to be
+ repeated. However, it may be possible to save work in this
+ consistency analysis by using the fact that the original
+ requirements are internally consistent. If the original
+ requirements are internally consistent, the evaluator only
+ has to determine that:
+
+
+ the set of all new and/or changed requirements is
+ internally consistent, and
+
+
+ the set of all new and/or changed requirements is
+ consistent with the original requirements.
+
+
+ The evaluator notes in the ETR each case where analyses are
+ not done or only partially done for this reason.
+
+
+
+
+
+ The objective of this family is to describe the TOE in a
+ narrative way on three levels of abstraction: TOE reference,
+ TOE overview and TOE description.
+
+ Evaluation of the ST introduction is required to demonstrate
+ that the ST and the TOE are correctly identified, that the
+ TOE is correctly described at three levels of abstraction
+ and that these three descriptions are consistent with each
+ other.
+
+
+
+ The ST introduction describes the TOE in a narrative way on
+ three levels of abstraction: TOE reference, TOE overview and
+ TOE description.
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the ST and the TOE are correctly identified, whether the
+ TOE is correctly described in a narrative way at three
+ levels of abstraction (TOE reference, TOE overview and TOE
+ description), and whether these three descriptions are
+ consistent with each other.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST.
+
+
+
+
+ The developer shall provide an ST introduction.
+
+
+ The ST introduction shall contain an ST reference, a TOE
+ reference, a TOE overview and a TOE description.
+
+
+ The ST reference shall uniquely identify the ST.
+
+
+ The TOE reference shall identify the TOE.
+
+
+ The TOE overview shall summarise the usage and major
+ security features of the TOE.
+
+
+ The TOE overview shall identify the TOE type.
+
+
+ The TOE overview shall identify any non-TOE
+ hardware/software/firmware required by the TOE.
+
+
+ The TOE description shall describe the physical scope of the
+ TOE.
+
+
+ The TOE description shall describe the logical scope of the
+ TOE.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the ST introduction
+ contains an ST reference, a TOE reference, a TOE
+ overview and a TOE description.
+
+
+
+
+ The evaluator shall examine the ST reference to
+ determine that it uniquely identifies the ST.
+
+ The evaluator determines that the ST reference
+ identifies the ST itself, so that it may be easily
+ distinguished from other STs, and that it also uniquely
+ identifies each version of the ST, e.g. by including a
+ version number and/or a date of publication.
+
+ In evaluations where a CM system is provided, the
+ evaluator may validate the uniqueness of the reference
+ by checking the configuration list. In the other cases,
+ the ST should have some referencing system that is
+ capable of supporting unique references (e.g. use of
+ numbers, letters or dates).
+
+
+
+
+ The evaluator shall examine the TOE reference to
+ determine that it identifies the TOE.
+
+ The evaluator determines that the TOE reference
+ identifies the TOE, so that it is clear to which TOE the
+ ST refers, and that it also identifies the version of
+ the TOE, e.g. by including a version/release/build
+ number, or a date of release.
+
+
+
+
+ The evaluator shall examine the TOE reference to
+ determine that it is not misleading.
+
+ If the TOE is related to one or more well-known
+ products, it is allowed to reflect this in the TOE
+ reference. However, this should not be used to mislead
+ consumers: situations where only a small part of a
+ product is evaluated, yet the TOE reference does not
+ reflect this, are not allowed.
+
+
+
+
+ The evaluator shall examine the TOE overview to
+ determine that it describes the usage and major security
+ features of the TOE.
+
+ The TOE overview should briefly (i.e. several
+ paragraphs) describe the usage and major security
+ features of the TOE. The TOE overview should enable
+ potential consumers to quickly determine whether the TOE
+ may be suitable for their security needs.
+
+ The TOE overview in an ST for a composed TOE should
+ describe the usage and major security feature of the
+ composed TOE, rather than those of the individual
+ component TOEs.
+
+ The evaluator determines that the overview is clear
+ enough for consumers, and sufficient to give them a
+ general understanding of the intended usage and major
+ security features of the TOE.
+
+
+
+
+ The evaluator shall check that the TOE overview
+ identifies the TOE type.
+
+
+
+
+ The evaluator shall examine the TOE overview to
+ determine that the TOE type is not misleading.
+
+ There are situations where the general consumer would
+ expect certain functionality of the TOE because of its
+ TOE type. If this functionality is absent in the TOE,
+ the evaluator determines that the TOE overview
+ adequately discusses this absence.
+
+ There are also TOEs where the general consumer would
+ expect that the TOE should be able to operate in a
+ certain operational environment because of its TOE
+ type. If the TOE is unable to operate in such an
+ operational environment, the evaluator determines that
+ the TOE overview adequately discusses this.
+
+
+
+
+ The evaluator shall examine the TOE overview to
+ determine that it identifies any non-TOE
+ hardware/software/firmware required by the TOE.
+
+ While some TOEs are able to run stand-alone, other TOEs
+ (notably software TOEs) need additional hardware,
+ software or firmware to operate. If the TOE does not
+ require any hardware, software or firmware, this work
+ unit is not applicable and therefore considered to be
+ satisfied.
+
+ The evaluator determines that the TOE overview
+ identifies any additional hardware, software and
+ firmware needed by the TOE to operate. This
+ identification does not have to be exhaustive, but
+ detailed enough for potential consumers of the TOE to
+ determine whether their current hardware, software and
+ firmware support use of the TOE, and, if this is not the
+ case, which additional hardware, software and/or
+ firmware is needed.
+
+
+
+
+ The evaluator shall examine the TOE description to
+ determine that it describes the physical scope of the
+ TOE.
+
+ The evaluator determines that the TOE description lists
+ the hardware, firmware, software and guidance parts that
+ constitute the TOE and describes them at a level of
+ detail that is sufficient to give the reader a general
+ understanding of those parts.
+
+ The evaluator also determines that there is no possible
+ misunderstanding as to whether any hardware, firmware,
+ software or guidance part is part of the TOE or
+ not.
+
+
+
+
+ The evaluator shall examine the TOE description to
+ determine that it describes the logical scope of the
+ TOE.
+
+ The evaluator determines that the TOE description
+ discusses the logical security features offered by the
+ TOE at a level of detail that is sufficient to give the
+ reader a general understanding of those features.
+
+ The evaluator also determines that there is no possible
+ misunderstanding as to whether any logical security
+ feature is offered by the TOE or not.
+
+ An ST for a composed TOE may refer out to the
+ description of the logical scope of the component TOEs,
+ provided in the component TOE STs to provide the
+ majority of this description for the composed TOE.
+ However, the evaluator determines that the composed TOE
+ ST clearly discusses which features of the individual
+ components are not within the composed TOE, and
+ therefore not a feature of the composed TOE.
+
+
+
+ The evaluator shall confirm that the TOE reference, the TOE
+ overview, and the TOE description are consistent with each
+ other.
+
+
+ The evaluator shall examine the TOE reference, TOE
+ overview and TOE description to determine that they are
+ consistent with each other.
+
+
+
+
+
+
+
+ The objective of this family is to determine the validity of
+ the conformance claim. In addition, this family specifies
+ how STs are to claim conformance with the PP.
+
+
+
+ Conformance claims describes how the Security Target
+ conforms to CC Part 2 and CC Part 3, to Protection Profiles
+ and to packages.
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine the
+ validity of various conformance claims. These describe how
+ the ST and the TOE conform to the CC and how the ST
+ conforms to PPs and packages.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the PP(s) that the ST claims conformance to;
+
+
+ the package(s) that the ST claims conformance to.
+
+
+
+
+ The developer shall provide a conformance claim.
+
+
+ The developer shall provide a conformance claim rationale.
+
+
+ The conformance claim shall contain a CC conformance claim
+ that identifies the version of the CC to which the ST and
+ the TOE claim conformance.
+
+
+ The CC conformance claim shall describe the conformance of
+ the ST to CC Part 2 as either CC Part 2 conformant or CC
+ Part 2 extended.
+
+
+ The CC conformance claim shall describe the conformance of
+ the ST to CC Part 3 as either CC Part 3 conformant or CC
+ Part 3 extended.
+
+
+ The CC conformance claim shall be consistent with the
+ extended components definition.
+
+
+ The conformance claim shall identify all PPs and security
+ requirement packages to which the ST claims conformance.
+
+
+ The conformance claim shall describe any conformance of the
+ ST to a package as either package-conformant or
+ package-augmented.
+
+
+ The conformance claim rationale shall demonstrate that the
+ TOE type is consistent with the TOE type in the PPs for
+ which conformance is being claimed.
+
+
+ The conformance claim rationale shall demonstrate that the
+ statement of the security problem definition is consistent
+ with the statement of the security problem definition in the
+ PPs for which conformance is being claimed.
+
+
+ The conformance claim rationale shall demonstrate that the
+ statement of security objectives is consistent with the
+ statement of security objectives in the PPs for which
+ conformance is being claimed.
+
+
+ The conformance claim rationale shall demonstrate that the
+ statement of security requirements is consistent with the
+ statement of security requirements in the PPs for which
+ conformance is being claimed.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the conformance claim
+ contains a CC conformance claim that identifies the
+ version of the CC to which the ST and the TOE claim
+ conformance.
+
+ The evaluator determines that the CC conformance claim
+ identifies the version of the CC that was used to
+ develop this ST. This should include the version number
+ of the CC and, unless the International English version
+ of the CC was used, the language of the version of the
+ CC that was used.
+
+ For a composed TOE, the evaluator will consider any
+ differences between the version of the CC claimed for a
+ component and the version of the CC claimed for the
+ composed TOE. If the versions differ the evaluator will
+ assess whether the differences between the versions will
+ lead to conflicting claims.
+
+ For instances where the CC conformance claims for the
+ base TOE and dependent TOE are for different major
+ releases of the CC (e.g. one component TOE conformance
+ claim is CC v2.x and the other component TOE conformance
+ claim is CC v3.x), the conformance claim for the
+ composed TOE will be the earlier release of the CC, as
+ the CC is developed with an aim to provide backwards
+ compatibility (although this may not be achieved in the
+ strictest sense, it is understood to be achieved in
+ principle).
+
+
+
+
+ The evaluator shall check that the CC conformance claim
+ states a claim of either CC Part 2 conformant or CC Part
+ 2 extended for the ST.
+
+ For a composed TOE, the evaluator will consider whether
+ this claim is consistent not only with the CC Part 2,
+ but also with the claims of conformance to CC Part 2 by
+ each of the component TOEs. I.e. if one or more
+ component TOEs claims to be CC Part 2 extended, then the
+ composed TOE should also claim to be CC Part 2
+ extended.
+
+ The CC conformance claim for the composed TOE may be CC
+ Part 2 extended, even though the component TOEs are Part
+ 2 conformant, in the event that additional SFRs are
+ claimed for the base TOE (see composed TOE guidance for
+ )
+
+
+
+
+ The evaluator shall check that the CC conformance claim
+ states a claim of either CC Part 3 conformant or CC Part
+ 3 extended for the ST.
+
+
+
+
+ The evaluator shall examine the CC conformance claim for
+ CC Part 2 to determine that it is consistent with the
+ extended components definition.
+
+ If the CC conformance claim contains CC Part 2
+ conformant, the evaluator determines that the extended
+ components definition does not define functional
+ components.
+
+ If the CC conformance claim contains CC Part 2 extended,
+ the evaluator determines that the extended components
+ definition defines at least one extended functional
+ component.
+
+
+
+
+ The evaluator shall examine the CC conformance claim for
+ CC Part 3 to determine that it is consistent with the
+ extended components definition.
+
+ If the CC conformance claim contains CC Part 3
+ conformant, the evaluator determines that the extended
+ components definition does not define assurance
+ components.
+
+ If the CC conformance claim contains CC Part 3 extended,
+ the evaluator determines that the extended components
+ definition defines at least one extended assurance
+ component.
+
+
+
+
+ The evaluator shall check that the conformance claim
+ contains a PP claim that identifies all PPs for which
+ the ST claims conformance.
+
+ If the ST does not claim conformance to a PP, this work
+ unit is not applicable and therefore considered to be
+ satisfied.
+
+ The evaluator determines that any referenced PPs are
+ unambiguously identified (e.g. by title and version
+ number, or by the identification included in the
+ introduction of that PP).
+
+ The evaluator is reminded that claims of partial
+ conformance to a PP are not permitted. Therefore,
+ conformance to a PP requiring a composite solution may
+ be claimed in an ST for a composed TOE. Conformance to
+ such a PP would not have been possible during the
+ evaluation of the component TOEs, as these components
+ would not have satisfied the composed solution. This is
+ only possible in the instances where the ``composite'' PP
+ permits use of the composition evaluation approach (use
+ of components).
+
+ The ST for a composed TOE will identify the STs of the
+ component TOEs from which the composed ST is comprised.
+ The composed TOE is essentially claiming conformance to
+ the STs of the component TOEs.
+
+
+
+
+ The evaluator shall check that the conformance claim
+ contains a package claim that identifies all packages to
+ which the ST claims conformance.
+
+ If the ST does not claim conformance to a package, this
+ work unit is not applicable and therefore considered to
+ be satisfied.
+
+ The evaluator determines that any referenced packages
+ are unambiguously identified (e.g. by title and version
+ number, or by the identification included in the
+ introduction of that package).
+
+ The evaluator determines that the component TOE STs from
+ which the composed TOE is derived are also unambiguously
+ identified.
+
+ The evaluator is reminded that claims of partial
+ conformance to a package are not permitted.
+
+
+
+
+ The evaluator shall check that, for each identified
+ package, the conformance claim states a claim of either
+ package-name conformant or package-name
+ augmented.
+
+ If the ST does not claim conformance to a package, this
+ work unit is not applicable and therefore considered to
+ be satisfied.
+
+ If the package conformance claim contains package-name
+ conformant, the evaluator determines that:
+
+
+ If the package is an assurance package, then the ST
+ contains all SARs included in the package, but no
+ additional SARs.
+
+
+ If the package is a functional package, then the ST
+ contains all SFRs included in the package, but no
+ additional SFRs.
+
+
+
+ If the package conformance claim contains package-name
+ augmented, the evaluator determines that:
+
+
+ If the package is an assurance package then the ST
+ contains all SARs included in the package, and at
+ least one additional SAR or at least one SAR that is
+ hierarchical to a SAR in the package.
+
+
+ If the package is a functional package, then the ST
+ contains all SFRs included in the package, and at
+ least one additional SFR or at least one SFR that is
+ hierarchical to a SFR in the package.
+
+
+
+
+
+
+ The evaluator shall examine the conformance claim
+ rationale to determine that the TOE type of the TOE is
+ consistent with all TOE types of the PPs.
+
+ If the ST does not claim conformance to a PP, this work
+ unit is not applicable and therefore considered to be
+ satisfied.
+
+ The relation between the types may be simple: a firewall
+ ST claiming conformance to a firewall PP, or more
+ complex: a smart card ST claiming conformance to a number
+ of PPs at the same time (a PP for the integrated
+ circuit, a PP for the smart card OS, and two PPs for two
+ applications on the smart card).
+
+ For a composed TOE, the evaluator will determine whether
+ the conformance claim rationale demonstrates that the
+ TOE types of the component TOEs are consistent with the
+ composed TOE type. This does not mean that both the
+ component and the composed TOE types have to be the
+ same, but rather that the component TOEs are suitable
+ for integration to provide the composed TOE. It should be made clear in the composed TOE ST which SFRs are only included as a result of composition, and were not examined as SFRs in the base and dependent TOE (e.g. EALx) evaluation.
+
+
+
+
+ The evaluator shall examine the conformance claim
+ rationale to determine that it demonstrates that the
+ statement of security problem definition is consistent,
+ as defined by the conformance statement of the PP, with
+ the statements of security problem definition stated in
+ the PPs to which conformance is being claimed.
+
+ If the ST does not claim conformance with a PP, this
+ work unit is not applicable and therefore considered to
+ be satisfied.
+
+ If the PP does not have a statement of security problem
+ definition, this work unit is not applicable and
+ therefore considered to be satisfied.
+
+ If strict conformance is required by the PP to which
+ conformance is being claimed no conformance claim
+ rationale is required. Instead, the evaluator determines
+ whether:
+
+
+ the threats in the ST are a superset of or identical
+ to the threats in the PP to which conformance is
+ being claimed;
+
+
+ the OSPs in the ST are a superset of or identical to
+ the OSPs in the PP to which conformance is being
+ claimed;
+
+ the assumptions in the ST are identical to the
+ assumptions in the PP to which conformance is being
+ claimed;
+
+ If demonstrable conformance is required by the PP, the
+ evaluator examines the conformance claim rationale to
+ determine that it demonstrates that the statement of
+ security problem definition of the ST is equivalent or
+ more restrictive than the statement of security problem
+ definition in the PP to which conformance is being
+ claimed.
+ For guidance on ``equivalent or more restrictive''
+ see CC Part 1 .
+
+ For a composed TOE, the evaluator will consider whether
+ the security problem definition of the composed TOE is
+ consistent with that specified in the STs for the
+ component TOEs. This is determined in terms of
+ demonstrable conformance. In particular, the evaluator
+ examines the conformance claim rationale to determine
+ that:
+
+
+ Threat statements and OSPs in the composed TOE ST do
+ not contradict those from the component STs.
+
+ Any assumptions made in the component STs are upheld
+ in the composed TOE ST. That is, either the
+ assumption should also be present in the composed
+ ST, or the assumption should be positively addressed
+ in the composed ST. The assumption may be
+ positively addressed through specification of
+ requirements in the composed TOE to provide
+ functionality fulfilling the concern captured in the
+ assumption.
+
+
+
+
+ The evaluator shall examine the conformance claim
+ rationale to determine that the statement of security
+ objectives is consistent, as defined by the conformance
+ statement of the PP, with the statement of security
+ objectives in the PPs to which conformance is being claimed.
+
+ If the ST does not claim conformance to a PP, this work
+ unit is not applicable and therefore considered to be
+ satisfied.
+
+ If strict conformance is required by the PP, no
+ conformance claim rationale is required. Instead, the
+ evaluator determines whether:
+
+ The ST contains all security objectives for the
+ TOE of the PP to which conformance is being
+ claimed. Note that it is allowed for the ST under
+ evaluation to have additional security objectives
+ for the TOE;
+ The ST contains exactly all security objectives
+ for the operational environment (with one exception
+ in the next bullet). Note that it is not allowed for
+ the ST under evaluation to have additional security
+ objectives for the operational environment;
+ The ST may specify that certain objectives for
+ the operational environment in the PP that
+ conformance is being claimed to are security
+ objectives for the TOE in the ST. This is a valid
+ exception to the previous bullet.
+
+
+ If demonstrable conformance is required by the PP to
+ which conformance is being claimed, the evaluator
+ examines the conformance claim rationale to determine
+ that it demonstrates that the statement of security
+ objectives of the ST is equivalent or more restrictive
+ than the statement of security objectives in the PP to
+ which conformance is being claimed.
+ For guidance on ``equivalent or more restrictive''
+ see CC Part 1 .
+
+ For a composed TOE, the evaluator will consider whether
+ the security objectives of the composed TOE are
+ consistent with that specified in the STs for the
+ component TOEs. This is determined in terms of
+ demonstrable conformance. In particular, the evaluator
+ examines the conformance claim rationale to determine
+ that:
+
+
+ The statement of security objectives in the
+ dependent TOE ST relevant to any IT in the
+ operational environment are consistent with the
+ statement of security objectives for the TOE in the
+ base TOE ST. It is not expected that the statement
+ of security objectives for the environment within in
+ the dependent TOE ST will cover all aspects of the
+ statement of security objectives for the TOE in the
+ base TOE ST.
+
+ The statement of security objectives in the composed
+ ST is consistent with the statements of security
+ objectives in the STs for the component TOEs.
+
+
+ If demonstrable conformance is required by the PP, the
+ evaluator examines the conformance claim rationale to
+ determine that it demonstrates that the statement of
+ security objectives of the ST is at least equivalent to
+ the statement of security objectives in the PP, or
+ component TOE ST in the case of a composed TOE
+ ST.
+
+
+
+
+ The evaluator shall examine the ST to determine that it
+ is consistent, as defined by the conformance statement
+ of the PP, with all security requirements in the PPs for
+ which conformance is being claimed.
+
+ If the ST does not claim conformance to a PP, this work
+ unit is not applicable and therefore considered to be
+ satisfied.
+
+ If strict conformance is required by the PP to which
+ conformance is being claimed, no conformance claim
+ rationale is required. Instead, the evaluator determines
+ whether the statement of security requirements in the ST
+ is a superset of or identical to the statement of
+ security requirements in the PP to which conformance is
+ being claimed (for strict conformance).
+
+ If demonstrable conformance is required by the PP to
+ which conformance is being claimed, the evaluator
+ examines the conformance claim rationale to determine
+ that it demonstrates that the statement of security
+ requirements of the ST is equivalent or more restrictive
+ than the statement of security requirements in the PP to
+ which conformance is being claimed.
+ For guidance on ``equivalent or more restrictive''
+ see CC Part 1 .
+
+
+ For a composed TOE, the evaluator will consider whether
+ the security requirements of the composed TOE are
+ consistent with that specified in the STs for the
+ component TOEs. This is determined in terms of
+ demonstrable conformance. In particular, the evaluator
+ examines the conformance rationale to determine that:
+
+
+ The statement of security requirements in the
+ dependent TOE ST relevant to any IT in the
+ operational environment is consistent with the
+ statement of security requirements for the TOE in
+ the base TOE ST. It is not expected that the
+ statement of security requirements for the
+ environment within in the dependent TOE ST will
+ cover all aspects of the statement of security
+ requirements for the TOE in the base TOE ST, as
+ some SFRs may need to be added to the statement of
+ security requirements in the composed TOE ST.
+ However, the statement of security requirements in
+ the base should support the operation of the dependent
+ component.
+
+ The statement of security objectives in the
+ dependent TOE ST relevant to any IT in the
+ operational environment is consistent with the
+ statement of security requirements for the TOE in
+ the base TOE ST. It is not expected that the
+ statement of security objectives for the environment
+ within in the dependent TOE ST will cover all
+ aspects of the statement of security requirements
+ for the TOE in the base TOE ST.
+
+ The statement of security requirements in the
+ composed is consistent with the statements of
+ security requirements in the STs for the component
+ TOEs.
+
+ If demonstrable conformance is required by the PP to
+ which conformance is being claimed, the evaluator
+ examines the conformance claim rationale to determine
+ that it demonstrates that the statement of security
+ requirements of the ST is at least equivalent to the
+ statement of security requirements in the PP, or
+ component TOE ST in the case of a composed TOE
+ ST.
+
+
+
+
+
+
+
+ This part of the ST defines the security problem to be
+ addressed by the TOE and the operational environment of the
+ TOE.
+
+ Evaluation of the security problem definition is required to
+ demonstrate that the security problem intended to be
+ addressed by the TOE and its operational environment, is
+ clearly defined.
+
+
+
+ The security problem definition defines the problem
+ addressed by the TOE and the operational environment of the
+ TOE.
+
+
+
+
+ The objective of this sub-activity is to determine that
+ the security problem intended to be addressed by the TOE
+ and its operational environment is clearly defined.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST.
+
+
+
+
+ The developer shall provide a security problem definition.
+
+
+ The security problem definition shall describe the threats.
+
+
+ All threats shall be described in terms of a threat agent,
+ an asset, and an adverse action.
+
+
+ The security problem definition shall describe the OSPs.
+
+
+ The security problem definition shall describe the
+ assumptions about the operational environment of the TOE.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the security problem
+ definition describes the threats.
+
+ If all security objectives are derived from assumptions
+ and/or OSPs only, the statement of threats need not be
+ present in the ST. In this case, this work unit is not
+ applicable and therefore considered to be
+ satisfied.
+
+ The evaluator determines that the security problem
+ definition describes the threats that must be countered
+ by the TOE and/or operational environment.
+
+
+
+
+ The evaluator shall examine the security problem
+ definition to determine that all threats are described
+ in terms of a threat agent, an asset, and an adverse
+ action.
+
+ If all security objectives are derived from assumptions
+ and/or OSPs only, the statement of threats need not be
+ present in the ST. In this case, this work unit is not
+ applicable and therefore considered to be
+ satisfied.
+
+ Threat agents may be further described by aspects such
+ as expertise, resource, opportunity, and
+ motivation.
+
+
+
+
+ The evaluator shall examine that the security problem
+ definition describes the OSPs.
+
+ If all security objectives are derived from assumptions
+ and threats only, OSPs need not be present in the ST. In
+ this case, this work unit is not applicable and
+ therefore considered to be satisfied.
+
+ The evaluator determines that OSP statements are made in
+ terms of rules or guidelines that must be followed by
+ the TOE and/or its operational environment.
+
+ The evaluator determines that each OSP is explained
+ and/or interpreted in sufficient detail to make it
+ clearly understandable; a clear presentation of policy
+ statements is necessary to permit tracing security
+ objectives to them.
+
+
+
+
+ The evaluator shall examine the security problem
+ definition to determine that it describes the
+ assumptions about the operational environment of the
+ TOE.
+
+ If there are no assumptions, this work unit is not
+ applicable and is therefore considered to be
+ satisfied.
+
+ The evaluator determines that each assumption about the
+ operational environment of the TOE is explained in
+ sufficient detail to enable consumers to determine that
+ their operational environment matches the assumption. If
+ the assumptions are not clearly understood, the end
+ result may be that the TOE is used in an operational
+ environment in which it will not function in a secure
+ manner.
+
+
+
+
+
+
+
+ The security objectives are a concise statement of the
+ intended response to the security problem defined through
+ the family.
+
+ Evaluation of the security objectives is required to
+ demonstrate that the security objectives adequately and
+ completely address the security problem definition, that the
+ division of this problem between the TOE and its operational
+ environment is clearly defined.
+
+
+
+ The security objectives are a concise statement of the
+ intended response to the security problem.
+
+
+
+ The components in this family are levelled on whether they
+ prescribe only security objectives for the operational
+ environment, or also security objectives for the TOE.
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the security objectives for the operational environment
+ are clearly defined.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST.
+
+
+
+
+ The developer shall provide a statement of security
+ objectives.
+
+
+ The statement of security objectives shall describe the
+ security objectives for the operational environment.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the statement of security
+ objectives defines the security objectives for the
+ operational environment.
+
+ The evaluator checks that the security objectives for
+ the operational environment are identified.
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the security objectives adequately and completely address
+ the security problem definition and that the division of
+ this problem between the TOE and its operational
+ environment is clearly defined.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST.
+
+
+
+
+ The developer shall provide a statement of security
+ objectives.
+
+
+ The developer shall provide a security objectives rationale.
+
+
+ The statement of security objectives shall describe the
+ security objectives for the TOE and the security objectives
+ for the operational environment.
+
+
+ The security objectives rationale shall trace each security
+ objective for the TOE back to threats countered by that
+ security objective and OSPs enforced by that security
+ objective.
+
+
+ The security objectives rationale shall trace each security
+ objective for the operational environment back to threats
+ countered by that security objective, OSPs enforced by that
+ security objective, and assumptions upheld by that security
+ objective.
+
+
+ The security objectives rationale shall demonstrate that the
+ security objectives counter all threats.
+
+
+ The security objectives rationale shall demonstrate that the
+ security objectives enforce all OSPs.
+
+
+ The security objectives rationale shall demonstrate that the
+ security objectives for the operational environment uphold
+ all assumptions.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the statement of security
+ objectives defines the security objectives for the TOE
+ and the security objectives for the operational
+ environment.
+
+ The evaluator checks that both categories of security
+ objectives are clearly identified and separated from the
+ other category.
+
+
+
+
+ The evaluator shall check that the security objectives
+ rationale traces all security objectives for the TOE
+ back to threats countered by the objectives and/or OSPs
+ enforced by the objectives.
+
+ Each security objective for the TOE may trace back to
+ threats or OSPs, or a combination of threats and OSPs,
+ but it must trace back to at least one threat or
+ OSP.
+
+ Failure to trace implies that either the security
+ objectives rationale is incomplete, the security problem
+ definition is incomplete, or the security objective for
+ the TOE has no useful purpose.
+
+
+
+
+ The evaluator shall check that the security objectives
+ rationale traces the security objectives for the
+ operational environment back to threats countered by
+ that security objective, to OSPs enforced by that
+ security objective, and to assumptions upheld by that
+ security objective.
+
+ Each security objective for the operational environment
+ may trace back to threats, OSPs, assumptions, or a
+ combination of threats, OSPs and/or assumptions, but it
+ must trace back to at least one threat, OSP or
+ assumption.
+
+ Failure to trace implies that either the security
+ objectives rationale is incomplete, the security problem
+ definition is incomplete, or the security objective for
+ the operational environment has no useful
+ purpose.
+
+
+
+
+ The evaluator shall examine the security objectives
+ rationale to determine that it justifies for each threat
+ that the security objectives are suitable to counter
+ that threat.
+
+ If no security objectives trace back to the threat,
+ the evaluator action related to this work unit is assigned a fail verdict.
+
+ The evaluator determines that the justification for a
+ threat shows whether the threat is removed, diminished
+ or mitigated.
+
+ The evaluator determines that the justification for a
+ threat demonstrates that the security objectives are
+ sufficient: if all security objectives that trace back
+ to the threat are achieved, the threat is removed,
+ sufficiently diminished, or the effects of the threat
+ are sufficiently mitigated.
+
+ Note that the tracings from security objectives to
+ threats provided in the security objectives rationale
+ may be part of a justification, but do not constitute a
+ justification by themselves. Even in the case that a
+ security objective is merely a statement reflecting the
+ intent to prevent a particular threat from being
+ realised, a justification is required, but this
+ justification may be as minimal as ``Security Objective
+ X directly counters Threat Y''.
+
+ The evaluator also determines that each security
+ objective that traces back to a threat is necessary:
+ when the security objective is achieved it actually
+ contributes to the removal, diminishing or mitigation of
+ that threat.
+
+
+
+
+ The evaluator shall examine the security objectives
+ rationale to determine that for each OSP it justifies
+ that the security objectives are suitable to enforce
+ that OSP.
+
+ If no security objectives trace back to the OSP,
+ the evaluator action related to this work unit is assigned a fail verdict.
+
+ The evaluator determines that the justification for an
+ OSP demonstrates that the security objectives are
+ sufficient: if all security objectives that trace back
+ to that OSP are achieved, the OSP is enforced.
+
+ The evaluator also determines that each security
+ objective that traces back to an OSP is necessary: when
+ the security objective is achieved it actually
+ contributes to the enforcement of the OSP.
+
+ Note that the tracings from security objectives to OSPs
+ provided in the security objectives rationale may be
+ part of a justification, but do not constitute a
+ justification by themselves. In the case that a security
+ objective is merely a statement reflecting the intent to
+ enforce a particular OSP, a justification is required,
+ but this justification may be as minimal as ``Security
+ Objective X directly enforces OSP Y''.
+
+
+
+
+ The evaluator shall examine the security objectives
+ rationale to determine that for each assumption for the
+ operational environment it contains an appropriate
+ justification that the security objectives for the
+ operational environment are suitable to uphold that
+ assumption.
+
+ If no security objectives for the operational environment trace back to the assumption,
+ the evaluator action related to this work unit is assigned a fail verdict.
+
+ The evaluator determines that the justification for an
+ assumption about the operational environment of the TOE
+ demonstrates that the security objectives are
+ sufficient: if all security objectives for the
+ operational environment that trace back to that
+ assumption are achieved, the operational environment
+ upholds the assumption.
+
+ The evaluator also determines that each security
+ objective for the operational environment that traces
+ back to an assumption about the operational environment
+ of the TOE is necessary: when the security objective is
+ achieved it actually contributes to the operational
+ environment upholding the assumption.
+
+ Note that the tracings from security objectives for the
+ operational environment to assumptions provided in the
+ security objectives rationale may be a part of a
+ justification, but do not constitute a justification by
+ themselves. Even in the case that a security objective
+ of the operational environment is merely a restatement
+ of an assumption, a justification is required, but this
+ justification may be as minimal as ``Security Objective
+ X directly upholds Assumption Y''.
+
+
+
+
+
+
+
+ Extended security requirements are requirements that are not
+ based on components from CC Part 2 or CC Part 3, but are
+ based on extended components: components defined by the ST
+ author.
+
+ Evaluation of the definition of extended components is
+ necessary to determine that they are clear and unambiguous,
+ and that they are necessary, i.e. they may not be clearly
+ expressed using existing CC Part 2 or CC Part 3
+ components.
+
+
+
+ Extended components are defined wherever it is impossible to
+ clearly express requirements using only components from CC
+ Part 2 and/or CC Part 3.
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ extended components have been clearly and unambiguously
+ defined, and whether they are necessary, i.e. they may not
+ be clearly expressed using existing CC Part 2 or CC Part 3
+ components.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST.
+
+
+
+
+ The developer shall provide a statement of security
+ requirements.
+
+
+ The developer shall provide an extended components
+ definition.
+
+
+ The statement of security requirements shall identify all
+ extended security requirements.
+
+
+ The extended components definition shall define an extended
+ component for each extended security requirement.
+
+
+ The extended components definition shall describe how each
+ extended component is related to the existing CC components,
+ families, and classes.
+
+
+ The extended components definition shall use the existing CC
+ components, families, classes, and methodology as a model
+ for presentation.
+
+
+ The extended components shall consist of measurable and
+ objective elements such that conformance or nonconformance
+ to these elements can be demonstrated.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that all security requirements
+ in the statement of security requirements that are not
+ identified as extended requirements are present in CC
+ Part 2 or in CC Part 3.
+
+
+
+
+ The evaluator shall check that the extended components
+ definition defines an extended component for each
+ extended security requirement.
+
+ If the ST does not contain extended security
+ requirements, this work unit is not applicable and
+ therefore considered to be satisfied.
+
+ A single extended component may be used to define
+ multiple iterations of an extended security requirement,
+ it is not necessary to repeat this definition for each
+ iteration.
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that it describes how each
+ extended component fits into the existing CC components,
+ families, and classes.
+
+ If the ST does not contain extended security
+ requirements, this work unit is not applicable and
+ therefore considered to be satisfied.
+
+ The evaluator determines that each extended component is
+ either:
+
+
+ a member of an existing CC Part 2 or CC Part 3
+ family, or
+
+ a member of a new family defined in the ST.
+
+
+ If the extended component is a member of an existing CC
+ Part 2 or CC Part 3 family, the evaluator determines
+ that the extended components definition adequately
+ describes why the extended component should be a member
+ of that family and how it relates to other components of
+ that family.
+
+ If the extended component is a member of a new family
+ defined in the ST, the evaluator confirms that the
+ extended component is not appropriate for an existing
+ family.
+
+ If the ST defines new families, the evaluator determines
+ that each new family is either:
+
+
+ a member of an existing CC Part 2 or CC Part 3
+ class, or
+
+ a member of a new class defined in the ST.
+
+
+ If the family is a member of an existing CC Part 2 or CC
+ Part 3 class, the evaluator determines that the extended
+ components definition adequately describes why the
+ family should be a member of that class and how it
+ relates to other families in that class.
+
+ If the family is a member of a new class defined in the
+ ST, the evaluator confirms that the family is not
+ appropriate for an existing class.
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each definition of an
+ extended component identifies all applicable
+ dependencies of that component.
+
+ If the ST does not contain extended security
+ requirements, this work unit is not applicable and
+ therefore considered to be satisfied.
+
+ The evaluator confirms that no applicable dependencies
+ have been overlooked by the ST author.
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each extended functional
+ component uses the existing CC Part 2 components as a
+ model for presentation.
+
+ If the ST does not contain extended SFRs, this work unit
+ is not applicable and therefore considered to be
+ satisfied.
+
+ The evaluator determines that the extended functional
+ component is consistent with CC Part 2 Subclause .
+
+ If the extended functional component uses operations, the
+ evaluator determines that the extended functional component is
+ consistent with CC Part 1 Subclause .
+
+ If the extended functional component is hierarchical to
+ an existing functional component, the evaluator
+ determines that the extended functional component is
+ consistent with CC Part 2 Subclause .
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each definition of a new
+ functional family uses the existing CC functional
+ families as a model for presentation.
+
+ If the ST does not define new functional families, this
+ work unit is not applicable and therefore considered to
+ be satisfied.
+
+ The evaluator determines that all new functional
+ families are defined consistent with CC Part 2 Subclause
+ .
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each definition of a new
+ functional class uses the existing CC functional classes
+ as a model for presentation.
+
+ If the ST does not define new functional classes, this
+ work unit is not applicable and therefore considered to
+ be satisfied.
+
+ The evaluator determines that all new functional classes
+ are defined consistent with CC Part 2 Subclause .
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each definition of an
+ extended assurance component uses the existing CC Part 3
+ components as a model for presentation.
+
+ If the ST does not contain extended SARs, this work unit
+ is not applicable and therefore considered to be
+ satisfied.
+
+ The evaluator determines that the extended assurance
+ component definition is consistent with CC Part 3
+ Subclause .
+
+ If the extended assurance component uses operations, the
+ evaluator determines that the extended assurance component is
+ consistent with CC Part 1 Subclause .
+
+ If the extended assurance component is hierarchical to
+ an existing assurance component, the evaluator
+ determines that the extended assurance component is
+ consistent with CC Part 3 Subclause .
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that, for each defined extended
+ assurance component, applicable methodology has been
+ provided.
+
+ If the ST does not contain extended SARs, this work unit
+ is not applicable and therefore considered to be
+ satisfied.
+
+ The evaluator determines that, for each evaluator action
+ element of each extended SAR, one or more work units are
+ provided and that successfully performing all work units
+ for a given evaluator action element will demonstrate
+ that the element has been achieved.
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each definition of a new
+ assurance family uses the existing CC assurance families
+ as a model for presentation.
+
+ If the ST does not define new assurance families, this
+ work unit is not applicable and therefore considered to
+ be satisfied.
+
+ The evaluator determines that all new assurance families
+ are defined consistent with CC Part 3 Subclause .
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each definition of a new
+ assurance class uses the existing CC assurance classes
+ as a model for presentation.
+
+ If the ST does not define new assurance classes, this
+ work unit is not applicable and therefore considered to
+ be satisfied.
+
+ The evaluator determines that all new assurance classes
+ are defined consistent with CC Part 3 Subclause .
+
+
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each element in each
+ extended component is measurable and states objective
+ evaluation requirements, such that conformance or
+ nonconformance can be demonstrated.
+
+ If the ST does not contain extended security
+ requirements, this work unit is not applicable and
+ therefore considered to be satisfied.
+
+ The evaluator determines that elements of extended
+ functional components are stated in such a way that they
+ are testable, and traceable through the appropriate TSF
+ representations.
+
+ The evaluator also determines that elements of extended
+ assurance components avoid the need for subjective
+ evaluator judgement.
+
+ The evaluator is reminded that whilst being measurable
+ and objective is appropriate for all evaluation
+ criteria, it is acknowledged that no formal method
+ exists to prove such properties. Therefore the existing
+ CC functional and assurance components are to be used as
+ a model for determining what constitutes conformance
+ with this requirement.
+
+
+
+ The evaluator shall confirm that no extended component can
+ be clearly expressed using existing components.
+
+
+ The evaluator shall examine the extended components
+ definition to determine that each extended component can
+ not be clearly expressed using existing
+ components.
+
+ If the ST does not contain extended security
+ requirements, this work unit is not applicable and
+ therefore considered to be satisfied.
+
+ The evaluator should take components from CC Part 2 and
+ CC Part 3, other extended components that have been
+ defined in the ST, combinations of these components, and
+ possible operations on these components into account
+ when making this determination.
+
+ The evaluator is reminded that the role of this work
+ unit is to preclude unnecessary duplication of
+ components, that is, components that may be clearly
+ expressed by using other components. The evaluator
+ should not undertake an exhaustive search of all
+ possible combinations of components including operations
+ in an attempt to find a way to express the extended
+ component by using existing components.
+
+
+
+
+
+
+
+ The SFRs form a clear, unambiguous and well-defined
+ description of the expected security behaviour of the
+ TOE. The SARs form a clear, unambiguous and canonical
+ description of the expected activities that will be
+ undertaken to gain assurance in the TOE.
+
+ Evaluation of the security requirements is required to
+ ensure that they are clear, unambiguous and
+ well-defined.
+
+
+
+ The SFRs form a clear, unambiguous and well-defined
+ description of the expected security behaviour of the
+ TOE. The SARs form a clear, unambiguous and well-defined
+ description of the expected activities that will be
+ undertaken to gain assurance in the TOE.
+
+
+
+ The components in this family are levelled on whether they
+ are stated as is.
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the SFRs and SARs are clear, unambiguous and well-defined
+ and whether they are internally consistent.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST.
+
+
+
+
+ The developer shall provide a statement of security requirements.
+
+
+ The developer shall provide a security requirements
+ rationale.
+
+
+ The statement of security requirements shall describe the
+ SFRs and the SARs.
+
+
+ All subjects, objects, operations, security attributes,
+ external entities and other terms that are used in the SFRs
+ and the SARs shall be defined.
+
+
+ The statement of security requirements shall identify all
+ operations on the security requirements.
+
+
+ All operations shall be performed correctly.
+
+
+ Each dependency of the security requirements shall either be
+ satisfied, or the security requirements rationale shall
+ justify the dependency not being satisfied.
+
+
+ The statement of security requirements shall be internally
+ consistent.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the statement of security
+ requirements describes the SFRs.
+
+ The evaluator determines that each SFR is identified by
+ one of the following means:
+
+
+ by reference to an individual component in CC Part
+ 2;
+
+
+ by reference to an extended component in the
+ extended components definition of the ST;
+
+
+ by reference to a PP that the ST claims to be
+ conformant with;
+
+
+ by reference to a security requirements package that
+ the ST claims to be conformant with;
+
+
+ by reproduction in the ST.
+
+ It is not required to use the same means of
+ identification for all SFRs.
+
+
+
+
+ The evaluator shall check that the statement of security
+ requirements describes the SARs.
+
+ The evaluator determines that each SAR is identified by
+ one of the following means:
+
+
+ by reference to an individual component in CC Part
+ 3;
+
+
+ by reference to an extended component in the
+ extended components definition of the ST;
+
+
+ by reference to a PP that the ST claims to be
+ conformant with;
+
+
+ by reference to a security requirements package that
+ the ST claims to be conformant with;
+
+
+ by reproduction in the ST.
+
+ It is not required to use the same means of
+ identification for all SARs.
+
+
+
+
+ The evaluator shall examine the ST to determine that all
+ subjects, objects, operations, security attributes,
+ external entities and other terms that are used in the
+ SFRs and the SARs are defined.
+
+ The evaluator determines that the ST defines all:
+
+ (types of) subjects and objects that are used in
+ the SFRs;
+ (types of) security attributes of subjects, users,
+ objects, information, sessions and/or resources, possible
+ values that these attributes may take and any relations
+ between these values (e.g.
top_secret is ``higher'' than secret);
+ (types of) operations that are used in the SFRs,
+ including the effects of these operations;
+ (types of) external entities in the SFRs;
+ other terms that are introduced in the SFRs
+ and/or SARs by completing operations, if these terms
+ are not immediately clear, or are used outside their
+ dictionary definition.
+
+ The goal of this work unit is to ensure that the SFRs
+ and SARs are well-defined and that no misunderstanding
+ may occur due to the introduction of vague terms. This
+ work unit should not be taken into extremes, by forcing
+ the ST writer to define every single word. The general
+ audience of a set of security requirements should be
+ assumed to have a reasonable knowledge of IT, security
+ and Common Criteria.
+
+ All of the above may be presented in groups, classes,
+ roles, types or other groupings or characterisations
+ that allow easy understanding.
+
+ The evaluator is reminded that these lists and
+ definitions do not have to be part of the statement of
+ security requirements, but may be placed (in part or in
+ whole) in different subclauses. This may be especially
+ applicable if the same terms are used in the rest of the
+ ST.
+
+
+
+
+ The evaluator shall check that the statement of security
+ requirements identifies all operations on the security
+ requirements.
+
+ The evaluator determines that all operations are
+ identified in each SFR or SAR where such an operation is
+ used. Identification may be achieved by typographical
+ distinctions, or by explicit identification in the
+ surrounding text, or by any other distinctive
+ means.
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all assignment operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all iteration operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all selection operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all refinement operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that each dependency of the
+ security requirements is either satisfied, or that a
+ security requirements rationale is provided which justifies the dependency
+ not being satisfied.
+
+ A dependency is satisfied by the inclusion of the
+ relevant component (or one that is hierarchical to it)
+ within the statement of security requirements. The
+ component used to satisfy the dependency should, if
+ necessary, be modified by operations to ensure that it
+ actually satisfies that dependency.
+
+ A justification that a dependency is not met should
+ address either:
+
+
+ why the dependency is not necessary or useful, in
+ which case no further information is required; or
+
+
+ that the dependency has been addressed by the
+ operational environment of the TOE, in which case
+ the justification should describe how the security
+ objectives for the operational environment address
+ this dependency.
+
+
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that it is internally
+ consistent.
+
+ The evaluator determines that the combined set of all
+ SFRs and SARs is internally consistent.
+
+ The evaluator determines that on all occasions where
+ different security requirements apply to the same types
+ of developer evidence, events, operations, data, tests
+ to be performed etc. or to ``all objects'', ``all
+ subjects'' etc., that these requirements do not
+ conflict.
+ Some possible conflicts are:
+
+
+ an extended SAR specifying that the design of a
+ certain cryptographic algorithm is to be kept
+ secret, and another extended SAR specifying an open
+ source review;
+
+ specifying
+ that subject identity is to be logged, specifying who has
+ access to these logs, and specifying that some actions of
+ subjects should be unobservable to other
+ subjects. If the subject that should not be able to
+ see an activity may access logs of this activity,
+ these SFRs conflict;
+
+ specifying
+ deletion of information no longer needed, and specifying that a TOE
+ may return to a previous state. If the information
+ that is needed for the rollback to the previous
+ state has been deleted, these requirements conflict;
+
+
+ Multiple iterations of especially where some iterations cover
+ the same subjects, objects, or operations. If one
+ access control SFR allows a subject to perform an
+ operation on an object, while another access control
+ SFR does not allow this, these requirements
+ conflict.
+
+
+
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the SFRs and SARs are clear, unambiguous and well-defined,
+ whether they are internally consistent, and whether the
+ SFRs meet the security objectives of the TOE.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST.
+
+
+
+
+ The developer shall provide a statement of security requirements.
+
+
+ The developer shall provide a security requirements
+ rationale.
+
+
+ The statement of security requirements shall describe the
+ SFRs and the SARs.
+
+ All subjects, objects,
+ operations, security attributes, external entities and other
+ terms that are used in the SFRs and the SARs shall be
+ defined.
+
+
+ The statement of security requirements shall identify all
+ operations on the security requirements.
+
+
+ All operations shall be performed correctly.
+
+
+ Each dependency of the security requirements shall either be
+ satisfied, or the security requirements rationale shall
+ justify the dependency not being satisfied.
+
+
+ The security requirements rationale shall trace each SFR
+ back to the security objectives for the TOE.
+
+
+ The security requirements rationale shall demonstrate that
+ the SFRs meet all security objectives for the TOE.
+
+
+ The security requirements rationale shall explain why the
+ SARs were chosen.
+
+
+ The statement of security requirements shall be internally
+ consistent.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall check that the statement of security
+ requirements describes the SFRs.
+
+ The evaluator determines that each SFRs is identified by
+ one of the following means:
+
+
+ by reference to an individual component in CC Part
+ 2;
+
+
+ by reference to an extended component in the
+ extended components definition of the ST;
+
+
+ by reference to an individual component in a PP that
+ the ST claims to be conformant with;
+
+
+ by reference to an individual component in a
+ security requirements package that the ST claims to
+ be conformant with;
+
+
+ by reproduction in the ST.
+
+ It is not required to use the same means of
+ identification for all SFRs.
+
+
+
+
+ The evaluator shall check that the statement of security
+ requirements describes the SARs.
+
+ The evaluator determines that all SARs are identified by
+ one of the following means:
+
+
+ by reference to an individual component in CC Part
+ 3;
+
+
+ by reference to an extended component in the
+ extended components definition of the ST;
+
+
+ by reference to an individual component in a PP that
+ the ST claims to be conformant with;
+
+
+ by reference to an individual component in a
+ security requirements package that the ST claims to
+ be conformant with;
+
+
+ by reproduction in the ST.
+
+ It is not required to use the same means of
+ identification for all SARs.
+
+
+
+
+ The evaluator shall examine the ST to determine that all
+ subjects, objects, operations, security attributes,
+ external entities and other terms that are used in the
+ SFRs and the SARs are defined.
+
+ The evaluator determines that the ST defines all:
+
+ (types of) subjects and objects that are used in
+ the SFRs;
+ (types of) security attributes of subjects, users,
+ objects, information, sessions and/or resources, possible
+ values that these attributes may take and any relations
+ between these values (e.g. top_secret is ``higher'' than secret);
+ (types of) operations that are used in the SFRs,
+ including the effects of these operations;
+ (types of) external entities in the SFRs;
+ other terms that are introduced in the SFRs
+ and/or SARs by completing operations, if these terms
+ are not immediately clear, or are used outside their
+ dictionary definition.
+
+ The goal of this work unit is to ensure that the SFRs
+ and SARs are well-defined and that no misunderstanding
+ may occur due to the introduction of vague terms. This
+ work unit should not be taken into extremes, by forcing
+ the ST writer to define every single word. The general
+ audience of a set of security requirements should be
+ assumed to have a reasonable knowledge of IT, security
+ and Common Criteria.
+
+ All of the above may be presented in groups, classes,
+ roles, types or other groupings or characterisations
+ that allow easy understanding.
+
+ The evaluator is reminded that these lists and
+ definitions do not have to be part of the statement of
+ security requirements, but may be placed (in part or in
+ whole) in different subclauses. This may be especially
+ applicable if the same terms are used in the rest of the
+ ST.
+
+
+
+
+ The evaluator shall check that the statement of security
+ requirements identifies all operations on the security
+ requirements.
+
+ The evaluator determines that all operations are
+ identified in each SFR or SAR where such an operation is
+ used. Identification may be achieved by typographical
+ distinctions, or by explicit identification in the
+ surrounding text, or by any other distinctive
+ means.
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all assignment operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all iteration operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all selection operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that all refinement operations
+ are performed correctly.
+
+ Guidance on the correct performance of operations may be found
+ in CC Part 1 Annex .
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that each dependency of the
+ security requirements is either satisfied, or that the
+ security requirements rationale justifies the dependency
+ not being satisfied.
+
+ A dependency is satisfied by the inclusion of the
+ relevant component (or one that is hierarchical to it)
+ within the statement of security requirements. The
+ component used to satisfy the dependency should, if
+ necessary, be modified by operations to ensure that it
+ actually satisfies that dependency.
+
+ A justification that a dependency is not met should
+ address either:
+
+
+ why the dependency is not necessary or useful, in
+ which case no further information is required; or
+
+
+ that the dependency has been addressed by the
+ operational environment of the TOE, in which case
+ the justification should describe how the security
+ objectives for the operational environment address
+ this dependency.
+
+
+
+
+
+
+ The evaluator shall check that the security requirements
+ rationale traces each SFR back to the security
+ objectives for the TOE.
+
+ The evaluator determines that each SFR is traced back to
+ at least one security objective for the TOE.
+
+ Failure to trace implies that either the security
+ requirements rationale is incomplete, the security
+ objectives for the TOE are incomplete, or the SFR has no
+ useful purpose.
+
+
+
+
+ The evaluator shall examine the security requirements
+ rationale to determine that for each security objective
+ for the TOE it demonstrates that the SFRs are suitable
+ to meet that security objective for the TOE.
+
+ If no SFRs trace back to the security objective for the TOE,
+ the evaluator action related to this work unit is assigned a fail verdict.
+
+ The evaluator determines that the justification for a
+ security objective for the TOE demonstrates that the
+ SFRs are sufficient: if all SFRs that trace back to the
+ objective are satisfied, the security objective for the
+ TOE is achieved.
+
+ The evaluator also determines that each SFR that traces
+ back to a security objective for the TOE is necessary:
+ when the SFR is satisfied, it actually contributes to
+ achieving the security objective.
+
+ Note that the tracings from SFRs to security objectives
+ for the TOE provided in the security requirements
+ rationale may be a part of the justification, but do not
+ constitute a justification by themselves.
+
+
+
+
+ The evaluator shall check that the security requirements
+ rationale explains why the SARs were chosen.
+
+ The evaluator is reminded that any explanation is correct, as
+ long as it is coherent and neither the SARs nor the explanation
+ have obvious inconsistencies with the remainder of the ST.
+
+ An example of an obvious inconsistency between the SARs and the
+ remainder of the ST would be to have threat agents that are very
+ capable, but an SAR that does not
+ protect against these threat agents.
+
+
+
+
+ The evaluator shall examine the statement of security
+ requirements to determine that it is internally
+ consistent.
+
+ The evaluator determines that the combined set of all
+ SFRs and SARs is internally consistent.
+
+ The evaluator determines that on all occasions where
+ different security requirements apply to the same types
+ of developer evidence, events, operations, data, tests
+ to be performed etc. or to ``all objects'', ``all
+ subjects'' etc., that these requirements do not
+ conflict.
+
+ Some possible conflicts are:
+
+
+ an extended SAR specifying that the design of a
+ certain cryptographic algorithm is to be kept
+ secret, and another extended assurance requirement
+ specifying an open source review;
+
+ specifying
+ that subject identity is to be logged, specifying who has
+ access to these logs, and specifying that some actions of
+ subjects should be unobservable to other
+ subjects. If the subject that should not be able to
+ see an activity may access logs of this activity,
+ these SFRs conflict;
+
+ specifying
+ deletion of information no longer needed, and specifying that a TOE
+ may return to a previous state. If the information
+ that is needed for the rollback to the previous
+ state has been deleted, these requirements conflict;
+
+
+ Multiple iterations of especially where some iterations cover
+ the same subjects, objects, or operations. If one
+ access control SFR allows a subject to perform an
+ operation on an object, while another access control
+ SFR does not allow this, these requirements
+ conflict.
+
+
+
+
+
+
+
+
+
+ The TOE summary specification enables evaluators and
+ potential consumers to gain a general understanding of how
+ the TOE is implemented.
+
+ Evaluation of the TOE summary specification is necessary to
+ determine whether it is adequately described how the TOE:
+
+ meets its SFRs;
+ protects itself against interference, logical
+ tampering and bypass. and whether the TOE
+ summary specification is consistent with other narrative
+ descriptions of the TOE.
+
+
+
+ The TOE Summary specification allows evaluators and
+ potential consumers of the TOE to gain a general
+ understanding of how the TOE:
+
+ meets its SFRs;
+ protects itself against interference, logical
+ tampering and bypass.
+
+
+
+ The components in this family are levelled on whether the
+ TOE summary specification only needs to describe how the TOE
+ meets the SFRs, or whether the TOE summary specification
+ also needs to describe how the TOE protects itself against
+ logical tampering and bypass. This additional description
+ may be used in special circumstances where there might be a
+ specific concern regarding the TOE security architecture.
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TOE summary specification addresses all SFRs, and
+ whether the TOE summary specification is consistent with
+ other narrative descriptions of the TOE.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST.
+
+
+
+
+ The developer shall provide a TOE summary specification.
+
+
+ The TOE summary specification shall describe how the TOE
+ meets each SFR.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the TOE summary
+ specification to determine that it describes how the TOE
+ meets each SFR.
+
+ The evaluator determines that the TOE summary
+ specification provides, for each SFR from the statement
+ of security requirements, a description on how that SFR
+ is met.
+
+ The evaluator is reminded that the objective of each description is to provide
+ potential consumers of the TOE with a high-level view of how the developer intends
+ to satisfy each SFR and that the descriptions therefore should not be overly detailed.
+ Often several SFRs will be implemented in one context; for instance a password
+ authentication mechanism may implement ,
+ and .
+ Therefore usually the TSS will not consist of a long list with texts for each single
+ SFR, but complete groups of SFRs may be covered by one text passage.
+
+ For a composed TOE, the evaluator also determines that
+ it is clear which component provides each SFR or how the
+ components combine to meet each SFR.
+
+
+
+ The evaluator shall confirm that the TOE summary
+ specification is consistent with the TOE overview and the
+ TOE description.
+
+
+ The evaluator shall examine the TOE summary
+ specification to determine that it is consistent with
+ the TOE overview and the TOE description.
+
+ The TOE overview, TOE description, and TOE summary
+ specification describe the TOE in a narrative form at
+ increasing levels of detail. These descriptions
+ therefore need to be consistent.
+
+
+
+
+
+
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TOE summary specification addresses all SFRs, whether
+ the TOE summary specification addresses interference,
+ logical tampering and bypass, and whether the TOE summary
+ specification is consistent with other narrative
+ descriptions of the TOE.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST.
+
+
+
+
+ The developer shall provide a TOE summary specification.
+
+
+ The TOE summary specification shall describe how the TOE
+ meets each SFR.
+
+
+ The TOE summary specification shall describe how the TOE
+ protects itself against interference and logical tampering.
+
+
+ The TOE summary specification shall describe how the TOE
+ protects itself against bypass.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the TOE summary
+ specification to determine that it describes how the TOE
+ meets each SFR.
+
+ The evaluator determines that the TOE summary
+ specification provides, for each SFR from the statement
+ of security requirements, a description on how that SFR
+ is met.
+
+ The evaluator is reminded that the objective of each description is to provide
+ potential consumers of the TOE with a high-level view of how the developer intends
+ to satisfy each SFR and that the descriptions therefore should not be overly detailed.
+ Often several SFRs will be implemented in one context; for instance a password
+ authentication mechanism may implement ,
+ and .
+ Therefore usually the TSS will not consist of a long list with texts for each single
+ SFR, but complete groups of SFRs may be covered by one text passage.
+
+ For a composed TOE, the evaluator also determines that
+ it is clear which component provides each SFR or how the
+ components combine to meet each SFR.
+
+
+
+
+ The evaluator shall examine the TOE summary
+ specification to determine that it describes how the TOE
+ protects itself against interference and logical
+ tampering.
+
+ The evaluator is reminded that the objective of each
+ description is to provide potential consumers of the TOE
+ with a high-level view of how the developer intends to
+ provide protection against interference and logical
+ tampering and that the descriptions therefore should not
+ be overly detailed.
+
+ For a composed TOE, the evaluator also determines that
+ it is clear which component provides the protection or
+ how the components combine to provide protection.
+
+
+
+
+ The evaluator shall examine the TOE summary
+ specification to determine that it describes how the TOE
+ protects itself against bypass.
+
+ The evaluator is reminded that the objective of each
+ description is to provide potential consumers of the TOE
+ with a high-level view of how the developer intends to
+ provide protection against bypass and that the
+ descriptions therefore should not be overly
+ detailed.
+
+ For a composed TOE, the evaluator also determines that
+ it is clear which component provides the protection or
+ how the components combine to provide protection.
+
+
+
+ The evaluator shall confirm that the TOE summary
+ specification is consistent with the TOE overview and the
+ TOE description.
+
+
+ The evaluator shall examine the TOE summary
+ specification to determine that it is consistent with
+ the TOE overview and the TOE description.
+
+ The TOE overview, TOE description, and TOE summary
+ specification describe the TOE in a narrative form at
+ increasing levels of detail. These descriptions
+ therefore need to be consistent.
+
+
+
+
+
+
+
+
+ The class ``Tests'' encompasses four families: , ,
+ (i.e. functional testing
+ performed by evaluators), and . Testing provides assurance that the TSF
+ behaves as described (in the functional specification, TOE
+ design, and implementation representation).
+
+ The emphasis in this class is on confirmation that the TSF
+ operates according to its design descriptions. This class does
+ not address penetration testing, which is based upon an
+ analysis of the TSF that specifically seeks to identify
+ vulnerabilities in the design and implementation of the
+ TSF. Penetration testing is addressed separately as an aspect
+ of vulnerability assessment in the class.
+
+ The class separates testing into
+ developer testing and evaluator testing. The and families address the completeness of developer
+ testing. addresses the rigour
+ with which the functional specification is tested; addresses whether testing against
+ other design descriptions (security architecture, TOE design,
+ implementation representation) is required.
+
+ addresses the performing of
+ the tests by the developer and how this testing should be
+ documented. Finally, then
+ addresses evaluator testing: whether the evaluator should
+ repeat part or all of the developer testing and how much
+ independent testing the evaluator should do.
+
+
+
+ Assurance class states testing
+ requirements that demonstrate that the TOE matches its design
+ descriptions as provided in the
+ class.
+
+
+
+ The goal of this activity is to determine whether the TOE
+ behaves as described in the ST and as specified in the
+ evaluation evidence (described in the class). This determination is achieved through
+ some combination of the developer's own functional testing of
+ the TSF () and independent
+ testing the TSF by the evaluator (). At the lowest level of assurance, there is no
+ requirement for developer involvement, so the only testing is
+ conducted by the evaluator, using the limited available
+ information about the TOE. Additional assurance is gained as
+ the developer becomes increasingly involved both in testing
+ and in providing additional information about the TOE, and as
+ the evaluator increases the independent testing
+ activities.
+
+
+
+ Testing of the TSF is conducted by the evaluator and, in most
+ cases, by the developer. The evaluator's testing efforts
+ consist not only of creating and running original tests, but
+ also of assessing the adequacy of the developer's tests and
+ re-running a subset of them.
+
+ The evaluator analyses the developer's tests to determine the
+ extent to which they are sufficient to demonstrate that TSFI
+ (see ) perform as specified,
+ and to understand the developer's approach to
+ testing. Similarly, the evaluator analyses the developer's
+ tests to determine the extent to which they are sufficient to
+ demonstrate the internal behaviour and properties of the
+ TSF.
+ The evaluator also executes a subset of the developer's
+ tests as documented to gain confidence in the developer's test
+ results: the evaluator will use the results of this analysis
+ as an input to independently testing a subset of the TSF. With
+ respect to this subset, the evaluator takes a testing approach
+ that is different from that of the developer, particularly if
+ the developer's tests have shortcomings.
+
+ To determine the adequacy of developer's test documentation or
+ to create new tests, the evaluator needs to understand the
+ desired expected behaviour of the TSF, both internally and as
+ seen at the TSFI, in the context of the SFRs it is to
+ satisfy. The evaluator may choose to divide the TSF and TSFI
+ into subsets according to functional areas of the ST (audit
+ subsystem, audit-related TSFI, authentication module,
+ authentication-related TSFI, etc.) if they were not already
+ divided in the ST, and focus on one subset of the TSF and TSFI
+ at a time, examining the ST requirement and the relevant parts
+ of the development and guidance documentation to gain an
+ understanding of the way the TOE is expected to behave. This
+ reliance upon the development documentation underscores the need
+ for the dependencies on by and .
+
+ The CC has separated coverage and depth from functional tests
+ to increase the flexibility when applying the components of
+ the families. However, the requirements of the families are
+ intended to be applied together to confirm that the TSF
+ operates according to its specification. This tight coupling
+ of families has led to some duplication of evaluator work
+ units across sub-activities. These application notes are used
+ to minimise duplication of text between sub-activities.
+
+
+ Before the adequacy of test documentation can be accurately
+ evaluated, or before new tests can be created, the evaluator
+ has to understand the desired expected behaviour of a
+ security function in the context of the requirements it is
+ to satisfy.
+
+ As mentioned earlier, the evaluator may choose to subset the
+ TSF and TSFI according to SFRs (audit, authentication, etc.)
+ in the ST and focus on one subset at a time. The evaluator
+ examines each ST requirement and the relevant parts of the
+ functional specification and guidance documentation to gain
+ an understanding of the way the related TSFI is expected to
+ behave.
Similarly, the evaluator examines the relevant parts
+ of the TOE design and security architecture documentation to
+ gain an understanding of the way the related modules or
+ subsystems of the TSF are expected to behave.
+
+ With an understanding of the expected behaviour, the
+ evaluator examines the test plan to gain an understanding of
+ the testing approach. In most cases, the testing approach
+ will entail a TSFI being stimulated and its responses
+ observed. Externally-visible functionality can be tested
+ directly; however, in cases where functionality is not
+ visible external to the TOE (for example, testing the
+ residual information protection functionality), other means
+ will need to be employed.
+
+
+
+ In cases where it is impractical or inadequate to test
+ specific functionality (where it provides no
+ externally-visible TSFI), the test plan should identify the
+ alternate approach to verify expected behaviour. It is the
+ evaluator's responsibility to determine the suitability of
+ the alternate approach. However, the following should be
+ considered when assessing the suitability of alternate
+ approaches:
+
+
+ an analysis of the implementation representation to
+ determine that the required behaviour should be
+ exhibited by the TOE is an acceptable alternate
+ approach. This could mean a code inspection for a
+ software TOE or perhaps a chip mask inspection for a
+ hardware TOE.
+
+
+ it is acceptable to use evidence of developer
+ integration or module testing, even if the claimed
+ assurance requirements do not include availability of
+ lower level descriptions of the TOE modules (e.g. ) or implementation (). If evidence of developer
+ integration or module testing is used in verifying the
+ expected behaviour of a security functionality, care
+ should be given to confirm that the testing evidence
+ reflects the current implementation of the TOE.
If the
+ subsystems or modules have been changed since testing
+ occurred, evidence that the changes were tracked and
+ addressed by analysis or further testing will usually be
+ required.
+
+
+
+ It should be emphasised that supplementing the testing
+ effort with alternate approaches should only be undertaken
+ when both the developer and evaluator determine that there
+ exists no other practical means to test the expected
+ behaviour.
+
+
+
+ Test pre-requisites are necessary to establish the required
+ initial conditions for the test. They may be expressed in
+ terms of parameters that must be set or in terms of test
+ ordering in cases where the completion of one test
+ establishes the necessary pre-requisites for another
+ test. The evaluator must determine that the pre-requisites
+ are complete and appropriate in that they will not bias the
+ observed test results towards the expected test
+ results.
+
+ The test steps and expected results specify the actions and
+ parameters to be applied to the TSFI as well as how the
+ expected results should be verified and what they are. The
+ evaluator must determine that the test steps and expected
+ results are consistent with the descriptions of the TSFI in
+ the functional specification. This means that each
+ characteristic of the TSFI behaviour explicitly described in
+ the functional specification should have tests and expected
+ results to verify that behaviour.
+
+ The overall aim of this testing activity is to determine
+ that each subsystem, module, and TSFI has been sufficiently
+ tested against the behavioural claims in the functional
+ specification, TOE design, and architecture description. At
+ the higher assurance levels, testing also includes bounds
+ testing and negative testing. The test procedures will
+ provide insight as to how the TSFIs, modules, and subsystems
+ have been exercised by the developer during testing.
The
+ evaluator uses this information when developing additional
+ tests to independently test the TSF.
+
+
+
+
+
+ This family establishes that the TSF has been tested against
+ its functional specification. This is achieved through an
+ examination of developer evidence of correspondence.
+
+
+
+ Coverage deals with the completeness of the functional tests
+ performed by the developer on the TOE. It addresses the
+ extent to which the TSF is tested.
+
+
+
+ The components in this family are levelled on the basis of
+ specification.
+
+
+
+
+
+
+
+
+
+ The objective of this component is to establish that some
+ of the TSFIs have been tested.
+
+
+
+ In this component the developer shows how tests in the
+ test documentation correspond to TSFIs in the functional
+ specification. This can be achieved by a statement of
+ correspondence, perhaps using a table.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer has tested the TSFIs, and that the
+ developer's test coverage evidence shows correspondence
+ between the tests identified in the test documentation and
+ the TSFIs described in the functional
+ specification.
+
+
+
+ The coverage analysis provided by the developer is
+ required to show the correspondence between the tests
+ provided as evaluation evidence and the functional
+ specification. However, the coverage analysis need not
+ demonstrate that all TSFI have been tested, or that all
+ externally-visible interfaces to the TOE have been
+ tested. Such shortcomings are considered by the evaluator
+ during the independent testing () sub-activity.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the test documentation;
+
+
+ the test coverage evidence.
+
+
+
+
+ The developer shall provide evidence of the test coverage.
+
+
+ The evidence of the test coverage shall show the
+ correspondence between the tests in the test documentation
+ and the TSFIs in the functional specification.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the test coverage evidence
+ to determine that the correspondence between the tests
+ identified in the test documentation and the TSFIs
+ described in the functional specification is
+ accurate.
+
+ Correspondence may take the form of a table or
+ matrix. The coverage evidence required for this
+ component will reveal the extent of coverage, rather
+ than to show complete coverage. In cases where coverage
+ is shown to be poor the evaluator should increase the
+ level of independent testing to compensate.
+
+
+
+
+
+
+
+
+
+ The objective of this component is to confirm that all of
+ the TSFIs have been tested.
+
+
+
+ In this component the developer confirms that tests in the
+ test documentation correspond to all of the TSFIs in the
+ functional specification. This can be achieved by a
+ statement of correspondence, perhaps using a table, but
+ the developer also provides an analysis of the test
+ coverage.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer has tested all of the TSFIs, and that the
+ developer's test coverage evidence shows correspondence
+ between the tests identified in the test documentation and
+ the TSFIs described in the functional
+ specification.
+
+
+
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the test documentation;
+
+
+ the test coverage analysis.
+
+
+
+
+ The developer shall provide an analysis of the test
+ coverage.
+
+
+ The analysis of the test coverage shall demonstrate the
+ correspondence between the tests in the test documentation
+ and the TSFIs in the functional specification.
+
+
+ The analysis of the test coverage shall demonstrate that all
+ TSFIs in the functional specification have been tested.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the test coverage analysis
+ to determine that the correspondence between the tests
+ in the test documentation and the interfaces in the
+ functional specification is accurate.
+
+ A simple cross-table may be sufficient to show test
+ correspondence. The identification of the tests and the
+ interfaces presented in the test coverage analysis has
+ to be unambiguous.
+
+ The evaluator is reminded that this does not imply that
+ all tests in the test documentation must map to
+ interfaces in the functional specification.
+
+
+
+
+ The evaluator shall examine the test plan to determine
+ that the testing approach for each interface
+ demonstrates the expected behaviour of that
+ interface.
+
+ Guidance on this work unit can be found in:
+
+
+
+
+
+
+
+
+
+
+
+
+ The evaluator shall examine the test procedures to
+ determine that the test prerequisites, test steps and
+ expected result(s) adequately test each
+ interface.
+
+ Guidance on this work units, as it pertains to the
+ functional specification, can be found in:
+
+
+
+
+
+
+
+
+
+ The evaluator shall examine the test coverage analysis
+ to determine that the correspondence between the
+ interfaces in the functional specification and the tests
+ in the test documentation is complete.
+
+ All TSFIs that are described in the functional
+ specification have to be present in the test coverage
+ analysis and mapped to tests in order for completeness
+ to be claimed, although exhaustive specification testing
+ of interfaces is not required. Incomplete coverage would
+ be evident if an interface was identified in the
+ functional specification and no test was mapped to
+ it.
+
+ The evaluator is reminded that this does not imply that
+ all tests in the test documentation must map to
+ interfaces in the functional specification.
+
+
+
+
+
+
+
+
+
+ In this component, the objective is to confirm that the
+ developer performed exhaustive tests of all interfaces in
+ the functional specification.
+
+ The objective of this component is to confirm that all
+ parameters of all of the TSFIs have been tested.
+
+
+
+ In this component the developer is required to show how
+ tests in the test documentation correspond to all of the
+ TSFIs in the functional specification. This can be
+ achieved by a statement of correspondence, perhaps using a
+ table, but in addition the developer is required to
+ demonstrate that the tests exercise all of the parameters
+ of all TSFIs. This additional requirement includes bounds
+ testing (i.e. verifying that errors are generated when
+ stated limits are exceeded) and negative testing
+ (e.g. when access is given to User A, verifying not only
+ that User A now has access, but also that User B did not
+ suddenly gain access). This kind of testing is not,
+ strictly speaking, exhaustive because not
+ every possible value of the parameters is expected to be
+ checked.
+
+
+ The developer shall provide an analysis of the test
+ coverage.
+
+
+ The analysis of the test coverage shall demonstrate the
+ correspondence between the tests in the test documentation
+ and the TSFIs in the functional specification.
+
+
+ The analysis of the test coverage shall demonstrate that all
+ TSFIs in the functional specification have been completely
+ tested.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+
+
+
+ The components in this family deal with the level of detail
+ to which the TSF is tested by the developer.
Testing of the
+ TSF is based upon increasing depth of information derived
+ from additional design representations and descriptions (TOE
+ design, implementation representation, and security
+ architecture description).
+
+ The objective is to counter the risk of missing an error in
+ the development of the TOE. Testing that exercises specific
+ internal interfaces can provide assurance not only that the
+ TSF exhibits the desired external security behaviour, but
+ also that this behaviour stems from correctly operating
+ internal functionality.
+
+
+
+ Depth deals with the level of detail to which the developer
+ tests the TSF. Testing is based upon increasing depth of
+ information derived from analysis of the TSF
+ representations.
+
+
+
+ The components in this family are levelled on the basis of
+ increasing detail provided in the TSF representations, from
+ the TOE design to the implementation representation. This
+ levelling reflects the TSF representations presented in the
+ class.
+
+
+
+ The TOE design describes the internal components
+ (e.g. subsystems) and, perhaps, modules of the TSF, together
+ with a description of the interfaces among these components and
+ modules. Evidence of testing of this TOE design must show that
+ the internal interfaces have been exercised and seen to behave
+ as described. This may be achieved through testing via the
+ external interfaces of the TSF, or by testing of the TOE
+ subsystem or module interfaces in isolation, perhaps employing a
+ test harness. In cases where some aspects of an internal
+ interface cannot be tested via the external interfaces, there
+ should either be justification that these aspects need not be
+ tested, or the internal interface needs to be tested
+ directly. In the latter case the TOE design needs to be
+ sufficiently detailed in order to facilitate direct
+ testing.
+
+ In cases where the description of the TSF's architectural
+ soundness (in ) cites
+ specific mechanisms, the tests performed by the developer
+ must show that the mechanisms have been exercised and seen
+ to behave as described.
+
+ At the highest component of this family, the testing is
+ performed not only against the TOE design, but also against
+ the implementation representation.
+
+
+
+
+
+
+
+ The subsystem descriptions of the TSF provide a high-level
+ description of the internal workings of the TSF. Testing
+ at the level of the TOE subsystems provides assurance that
+ the TSF subsystems behave and interact as described in the
+ TOE design and the security architecture
+ description.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the developer has tested the TSF subsystems against the
+ TOE design and the security architecture
+ description.
+
+
+
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the TOE design;
+
+
+ the security architecture description;
+
+
+ the test documentation;
+
+
+ the depth of testing analysis.
+
+
+
+
+ The developer shall provide the analysis of the depth of
+ testing.
+
+
+ The analysis of the depth of testing shall demonstrate the
+ correspondence between the tests in the test documentation
+ and the TSF subsystems in the TOE design.
+
+
+ The analysis of the depth of testing shall demonstrate that
+ all TSF subsystems in the TOE design have been tested.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the depth of testing
+ analysis to determine that the descriptions of the
+ behaviour of TSF subsystems and of their interactions is
+ included within the test documentation.
+
+ This work unit verifies the content of the
+ correspondence between the tests and the descriptions in
+ the TOE design.
In cases where the description of the
+ TSF's architectural soundness (in ) cites specific mechanisms, this work
+ unit also verifies the correspondence between the tests
+ and the descriptions of the behaviour of such
+ mechanisms.
+
+ A simple cross-table may be sufficient to show test
+ correspondence. The identification of the tests and the
+ behaviour/interaction presented in the depth-of coverage
+ analysis has to be unambiguous.
+
+ When is combined with a component of , which includes descriptions at the module level
+ (e.g. ), the level of detail needed to map
+ the test cases to the behaviour of the subsystems may require
+ information from the module description to be used. This is
+ because allows the description of details
+ to be shifted from the subsystem level to the module level, or
+ even to omit the subsystems altogether.
+ In any case, the required level of detail in the provided
+ reference to the tested behaviour can be defined as ``the level
+ of detail required for the description of subsystem behaviour as
+ defined by (in particular work unit )''. It states that a detailed description of
+ the behaviour typically discusses how the functionality is
+ provided, in terms of what key data and data structures re
+ present; what control relationships exist within a subsytem and
+ how these elements work together to provide the SFR-enforcing
+ behaviour.
+ The evaluator is reminded that not all tests in the test
+ documentation must map to a subsystem behaviour or
+ interaction description.
+
+
+
+
+ The evaluator shall examine the test plan, test
+ prerequisites, test steps and expected result(s) to
+ determine that the testing approach for the behaviour
+ description demonstrates the behaviour of that subsystem
+ as described in the TOE design.
+
+ Guidance on this work unit can be found in:
+
+
+
+
+
+
+
+
+
+ When is combined with a component of , which includes descriptions at the module level
+ (e.g.
), the level of detail needed to map
+ the test cases to the behaviour of the subsystems may require
+ information from the module description to be used. This is
+ because allows the description of details
+ to be shifted from the subsystem level to the module level, or
+ even to omit the subsystems altogether.
+ In any case, the required level of detail in the provided
+ reference to the tested behaviour can be defined as ``the level
+ of detail required for the description of subsystem behaviour as
+ defined by (in particular work unit )''. It states that a detailed description of
+ the behaviour typically discusses how the functionality is
+ provided, in terms of what key data and data structures re
+ present; what control relationships exist within a subsytem and
+ how these elements work together to provide the SFR-enforcing
+ behaviour.
+ If TSF subsystem interfaces are described, the behaviour
+ of those subsystems may be tested directly from those
+ interfaces. Otherwise, the behaviour of those subsystems
+ is tested from the TSFI interfaces. Or a combination of
+ the two may be employed. Whatever strategy is used the
+ evaluator will consider its appropriateness for
+ adequately testing the behaviour that is described in
+ the TOE design.
+
+
+
+
+ The evaluator shall examine the test plan, test
+ prerequisites, test steps and expected result(s) to
+ determine that the testing approach for the behaviour
+ description demonstrates the interactions among
+ subsystems as described in the TOE design.
+
+ While the previous work unit addresses behaviour of subsystems,
+ this work unit addresses the interactions among
+ subsystems.
+
+ Guidance on this work unit can be found in:
+
+
+
+
+
+
+
+
+
+ If TSF subsystem interfaces are described, the
+ interactions with other subsystems may be tested
+ directly from those interfaces. Otherwise, the
+ interactions among subsystems must be inferred from the
+ TSFI interfaces.
Whatever strategy is used the evaluator
+ will consider its appropriateness for adequately testing
+ the interactions among subsystems that are described in
+ the TOE design.
+
+
+
+
+ The evaluator shall examine the test procedures to
+ determine that all descriptions of TSF subsystem
+ behaviour and interaction are tested.
+
+ This work unit verifies the completeness of work unit
+ . All descriptions
+ of TSF subsystem behaviour and of interactions among TSF
+ subsystems that are provided in the TOE design have to
+ be tested. Incomplete depth of testing would be evident
+ if a description of TSF subsystem behaviour or of
+ interactions among TSF subsystems was identified in the
+ TOE design and no tests could be attributed to
+ it.
+
+ When is combined with a component of , which includes descriptions at the module level
+ (e.g. ), the level of detail needed to map
+ the test cases to the behaviour of the subsystems may require
+ information from the module description to be used. This is
+ because allows the description of details
+ to be shifted from the subsystem level to the module level, or
+ even to omit the subsystems altogether.
+ In any case, the required level of detail in the provided
+ reference to the tested behaviour can be defined as ``the level
+ of detail required for the description of subsystem behaviour as
+ defined by (in particular work unit )''. It states that a detailed description of
+ the behaviour typically discusses how the functionality is
+ provided, in terms of what key data and data structures re
+ present; what control relationships exist within a subsytem and
+ how these elements work together to provide the SFR-enforcing
+ behaviour.
+ The evaluator is reminded that this does not imply that all
+ tests in the test documentation must map to the subsystem behaviour
+ or interaction description in the TOE design.
+
+
+
+
+
+
+
+
+
+
+ The subsystem and module descriptions of the TSF provide a
+ high-level description of the internal workings, and a
+ description of the interfaces of the SFR-enforcing
+ modules, of the TSF. Testing at this level of TOE
+ description provides assurance that the TSF subsystems and
+ SFR-enforcing modules behave and interact as described in
+ the TOE design and the security architecture
+ description.
+
+
+
+ The objective of this sub-activity is to determine whether the
+ developer has tested all the TSF subsystems and SFR-enforcing
+ modules against the TOE design and the security architecture
+ description.
+
+
+
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the TOE design;
+
+
+ the security architecture description;
+
+
+ the test documentation;
+
+
+ the depth of testing analysis.
+
+
+
+
+ The developer shall provide the analysis of the depth of
+ testing.
+
+
+ The analysis of the depth of testing shall demonstrate the
+ correspondence between the tests in the test documentation and
+ the TSF subsystems and SFR-enforcing modules in the TOE design.
+
+
+ The analysis of the depth of testing shall demonstrate that
+ all TSF subsystems in the TOE design have been tested.
+
+
+ The analysis of the depth of testing shall demonstrate that
+ the SFR-enforcing modules in the TOE design have been
+ tested.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the depth of testing
+ analysis to determine that descriptions of the behaviour
+ of TSF subsystems and of their interactions are included
+ within the test documentation.
+
+ This work unit verifies the content of the
+ correspondence between the tests and the descriptions in
+ the TOE design.
In cases where the description of the
+ TSF's architectural soundness (in ) cites specific mechanisms, this work
+ unit also verifies the correspondence between the tests
+ and the descriptions of the behaviour of such
+ mechanisms.
+
+ A simple cross-table may be sufficient to show test
+ correspondence. The identification of the tests and the
+ behaviour/interaction presented in the depth-of coverage
+ analysis has to be unambiguous.
+
+ The evaluator is reminded that not all tests in the test
+ documentation must map to a subsystem behaviour or
+ interaction description.
+
+
+
+
+ The evaluator shall examine the test plan, test
+ prerequisites, test steps and expected result(s) to
+ determine that the testing approach for the behaviour
+ description demonstrates the behaviour of that subsystem
+ as described in the TOE design.
+
+ Guidance on this work unit can be found in:
+
+
+
+
+
+
+
+
+
+ If TSF subsystem interfaces are described, the behaviour
+ of those subsystems may be tested directly from those
+ interfaces. Otherwise, the behaviour of those subsystems
+ is tested from the TSFI interfaces. Or a combination of
+ the two may be employed. Whatever strategy is used the
+ evaluator will consider its appropriateness for
+ adequately testing the behaviour that is described in
+ the TOE design.
+
+
+
+
+ The evaluator shall examine the test plan, test
+ prerequisites, test steps and expected result(s) to
+ determine that the testing approach for the behaviour
+ description demonstrates the interactions among
+ subsystems as described in the TOE design.
+
+ While the previous work unit addresses behaviour of subsystems,
+ this work unit addresses the interactions among
+ subsystems.
+
+ Guidance on this work unit can be found in:
+
+
+
+
+
+
+
+
+
+ If TSF subsystem interfaces are described, the
+ interactions with other subsystems may be tested
+ directly from those interfaces.
Otherwise, the + interactions among subsystems must be inferred from the + TSFI interfaces. Whatever strategy is used the evaluator + will consider its appropriateness for adequately testing + the interactions among subsystems that are described in + the TOE design. + + + + + The evaluator shall examine the depth of testing + analysis to determine that the interfaces of + SFR-enforcing modules are included within the test + documentation. + + This work unit verifies the content of the + correspondence between the tests and the descriptions in + the TOE design. In cases where the description of the + TSF's architectural soundness (in ) cites specific mechanisms at the modular + level, this work unit also verifies the correspondence + between the tests and the descriptions of the behaviour + of such mechanisms. + + A simple cross-table may be sufficient to show test + correspondence. The identification of the tests and the + SFR-enforcing modules presented in the depth-of coverage + analysis has to be unambiguous. + + The evaluator is reminded that not all tests in the test + documentation must map to the interfaces of SFR-enforcing modules. + + + + + The evaluator shall examine the test plan, test prerequisites, + test steps and expected result(s) to determine that the testing + approach for each SFR-enforcing module interface demonstrates + the expected behaviour of that interface. + + While work unit addresses + expected behaviour of subsystems, this work unit addresses + expected behaviour of the SFR-enforcing module interfaces that + are covered by . + + Guidance on this work unit can be found in: + + + + + + + + + Testing of an interface may be performed directly + at that interface, or at the external interfaces, or a + combination of both. Whatever strategy is used the + evaluator will consider its appropriateness for + adequately testing the interfaces. 
Specifically the + evaluator determines whether testing at the internal + interfaces is necessary or whether these internal + interfaces can be adequately tested (albeit implicitly) + by exercising the external interfaces. This + determination is left to the evaluator, as is its + justification. + + + + + The evaluator shall examine the test procedures to + determine that all descriptions of TSF subsystem + behaviour and interaction are tested. + + This work unit verifies the completeness of work unit + . All descriptions + of TSF subsystem behaviour and of interactions among TSF + subsystems that are provided in the TOE design have to + be tested. Incomplete depth of testing would be evident + if a description of TSF subsystem behaviour or of + interactions among TSF subsystems was identified in the + TOE design and no tests could be attributed to + it. + + The evaluator is reminded that this does not imply that all + tests in the test documentation must map to the subsystem behaviour + or interaction description in the TOE design. + + + + + The evaluator shall examine the test procedures to + determine that all interfaces of SFR-enforcing modules + are tested. + + This work unit verifies the completeness of work unit + . All interfaces + of SFR-enforcing modules that are provided in the TOE + design have to be tested. Incomplete depth of testing + would be evident if any interface of any SFR-enforcing + modules was identified in the TOE design and no tests + could be attributed to it. + The evaluator is reminded that this does not imply + that all tests in the test documentation must map to an + interface of an SFR-enforcing module in the TOE + design. + + + + + + + + + + + The subsystem and module descriptions of the TSF provide a + high-level description of the internal workings, and a + description of the interfaces of the modules, of the + TSF. 
Testing at this level of TOE description provides + assurance that the TSF subsystems and modules behave and + interact as described in the TOE design and the security + architecture description. + + + + The objective of this sub-activity is to determine whether the + developer has tested the all the TSF subsystems and modules + against the TOE design and the security architecture + description. + + + + + + the ST; + + + the functional specification; + + + the TOE design; + + + the security architecture description; + + + the test documentation; + + + the depth of testing analysis. + + + + + The developer shall provide the analysis of the depth of + testing. + + + The analysis of the depth of testing shall demonstrate the + correspondence between the tests in the test documentation + and the TSF subsystems and modules in the TOE design. + + + The analysis of the depth of testing shall demonstrate that + all TSF subsystems in the TOE design have been tested. + + + The analysis of the depth of testing shall demonstrate that all + TSF modules in the TOE design have been tested. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the depth of testing + analysis to determine that descriptions of the behaviour + of TSF subsystems and of their interactions are included + within the test documentation. + + This work unit verifies the content of the + correspondence between the tests and the descriptions in + the TOE design. A simple cross-table may be sufficient + to show test correspondence. The identification of the + tests and the behaviour/interaction presented in the + depth-of coverage analysis has to be unambiguous. + + The evaluator is reminded that not all tests in the test + documentation must map to a subsystem behaviour or + interaction description. 
+ + + + + The evaluator shall examine the test plan, test + prerequisites, test steps and expected result(s) to + determine that the testing approach for the behaviour + description demonstrates the behaviour of that subsystem + as described in the TOE design. + + Guidance on this work unit can be found in: + + + + + + + + + + If TSF subsystem interfaces are provided, the behaviour + of those subsystems may be performed directly from those + interfaces. Otherwise, the behaviour of those subsystems + is tested from the TSFI interfaces. Or a combination of + the two may be employed. Whatever strategy is used the + evaluator will consider its appropriateness for + adequately testing the behaviour that is described in + the TOE design. + + + + + The evaluator shall examine the test plan, test + prerequisites, test steps and expected result(s) to + determine that the testing approach for the behaviour + description demonstrates the interactions among + subsystems as described in the TOE design. + + Guidance on this work unit can be found in: + + + + + + + + + While the previous work unit addresses behaviour of subsystems, + this work unit addresses the interactions among + subsystems. + + If TSF subsystem interfaces are provided, the + interactions with other subsystems may be performed + directly from those interfaces. Otherwise, the + interactions among subsystems must be inferred from the + TSFI interfaces. Whatever strategy is used the evaluator + will consider its appropriateness for adequately testing + the interactions among subsystems that are described in + the TOE design. + + + + + The evaluator shall examine the depth of testing + analysis to determine that the interfaces of TSF modules + are included within the test documentation. + + This work unit verifies the content of the + correspondence between the tests and the descriptions in + the TOE design. A simple cross-table may be sufficient + to show test correspondence. 
The identification of the + tests and the behaviour/interaction presented in the + depth-of coverage analysis has to be unambiguous. + + The evaluator is reminded that not all tests in the test + documentation must map to a subsystem behaviour or + interaction description. + + + + + The evaluator shall examine the test plan, test + prerequisites, test steps and expected result(s) to + determine that the testing approach for each TSF module + interface demonstrates the expected behaviour of that + interface. + + Guidance on this work unit can be found in: + + + + + + + + + Testing of an interface may be performed directly + at that interface, or at the external interfaces, or a + combination of both. Whatever strategy is used the + evaluator will consider its appropriateness for + adequately testing the interfaces. Specifically the + evaluator determines whether testing at the internal + interfaces is necessary or whether these internal + interfaces can be adequately tested (albeit implicitly) + by exercising the external interfaces. This + determination is left to the evaluator, as is its + justification. + + + + + The evaluator shall examine the test procedures to + determine that all descriptions of TSF subsystem + behaviour and interaction are tested. + + This work unit verifies the completeness of work unit + . All descriptions + of TSF subsystem behaviour and of interactions among TSF + subsystems that are provided in the TOE design have to + be tested. Incomplete depth of testing would be evident + if a description of TSF subsystem behaviour or of + interactions among TSF subsystems was identified in the + TOE design and no tests could be attributed to + it. + + The evaluator is reminded that this does not imply that all + tests in the test documentation must map to the subsystem behaviour + or interaction description in the TOE design. + + + + + The evaluator shall examine the test procedures to determine + that all interfaces of all TSF modules are tested. 
+ + This work unit verifies the completeness of work unit + . All interfaces + of TSF modules that are provided in the TOE design have + to be tested. Incomplete depth of testing would be + evident if any interface of any TSF module was + identified in the TOE design and no tests could be + attributed to it. + The evaluator is reminded that this does not imply + that all tests in the test documentation must map to an + interface of a TSF module in the TOE design. + + + + + + + + + + + + The subsystem and module descriptions of the TSF provide a + high-level description of the internal workings, and a + description of the interfaces of the modules, of the + TSF. Testing at this level of TOE description provides + assurance that the TSF subsystems and modules behave and + interact as described in the TOE design and the security + architecture description, and in accordance with the + implementation representation. + + + The developer shall provide the analysis of the depth of + testing. + + + The analysis of the depth of testing shall demonstrate the + correspondence between the tests in the test documentation + and the TSF subsystems and modules in the TOE design. + + + The analysis of the depth of testing shall demonstrate that + all TSF subsystems in the TOE design have been tested. + + + The analysis of the depth of testing shall demonstrate that + all modules in the TOE design have been tested. + + + The analysis of the depth of testing shall demonstrate that + the TSF operates in accordance with its implementation + representation. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + + + + Functional testing performed by the developer provides + assurance that the tests in the test documentation are + performed and documented correctly. The correspondence of + these tests to the design descriptions of the TSF is + achieved through the and + families. 
+ + This family contributes to providing assurance that the + likelihood of undiscovered flaws is relatively small. + + The families , and are used in combination to define the evidence + of testing to be supplied by a developer. Independent + functional testing by the evaluator is specified by . + + + + Functional testing establishes that the tests performed by + the developer are performed and documented correctly. + + + + This family contains two components, the higher requiring + that ordering dependencies are analysed. + + + + Procedures for performing tests are expected to provide + instructions for using test programs and test suites, + including the test environment, test conditions, test data + parameters and values. The test procedures should also show + how the test results are derived from the test + inputs. + + Ordering dependencies are relevant when the successful + execution of a particular test depends upon the existence of + a particular state. For example, this might require that + test A be executed immediately before test B, since the + state resulting from the successful execution of test A is a + prerequisite for the successful execution of test B. Thus, + failure of test B could be related to a problem with the + ordering dependencies. In the above example, test B could + fail because test C (rather than test A) was executed + immediately before it, or the failure of test B could be + related to a failure of test A. + + + + + + The objective is for the developer to demonstrate that the + tests in the test documentation are performed and + documented correctly. + + + + The objective of this sub-activity is to determine whether + the developer correctly performed and documented the tests + in the test documentation. + + + + The extent to which the test documentation is required to + cover the TSF is dependent upon the coverage assurance + component. 
+ + For the developer tests provided, the evaluator determines + whether the tests are repeatable, and the extent to which + the developer's tests can be used for the evaluator's + independent testing effort. Any TSFI for which the + developer's test results indicate that it might not + perform as specified should be tested independently by the + evaluator to determine whether or not it does. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the functional specification; + + + the test documentation. + + + + + The developer shall test the TSF and document the results. + + + The developer shall provide test documentation. + + + The test documentation shall consist of test plans, expected + test results and actual test results. + + + The test plans shall identify the tests to be performed and + describe the scenarios for performing each test. These + scenarios shall include any ordering dependencies on the + results of other tests. + + + The expected test results shall show the anticipated outputs + from a successful execution of the tests. + + + The actual test results shall be consistent with the + expected test results. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall check that the test documentation + includes test plans, expected test results and actual + test results. + + The evaluator checks that test plans, expected tests + results and actual test results are included in the test + documentation. + + + + + The evaluator shall examine the test plan to determine + that it describes the scenarios for performing each + test. + + The evaluator determines that the test plan provides + information about the test configuration being used: + both on the configuration of the TOE and on any test + equipment being used. This information should be + detailed enough to ensure that the test configuration is + reproducible. 
+ + The evaluator also determines that the test plan + provides information about how to execute the test: any + necessary automated set-up procedures (and whether they + require privilege to run), inputs to be applied, how + these inputs are applied, how output is obtained, any + automated clean-up procedures (and whether they require + privilege to run), etc. This information should be + detailed enough to ensure that the test is + reproducible. + + The evaluator may wish to employ a sampling strategy + when performing this work unit. + + + + + The evaluator shall examine the test plan to determine + that the TOE test configuration is consistent with the + ST. + + The TOE referred to in the developer's test plan should + have the same unique reference as established by the + sub-activities and + identified in the ST introduction. + + It is possible for the ST to specify more than one + configuration for evaluation. The evaluator verifies + that all test configurations identified in the developer + test documentation are consistent with the ST. For + example, the ST might define configuration options that + must be set, which could have an impact upon what + constitutes the TOE by including or excluding additional + portions. The evaluator verifies that all such + variations of the TOE are considered. + + The evaluator should consider the security objectives + for the operational environment described in the ST that + may apply to the test environment. There may be some + objectives for the operational environment that do not + apply to the test environment. For example, an objective + about user clearances may not apply; however, an + objective about a single point of connection to a + network would apply. + + The evaluator may wish to employ a sampling strategy + when performing this work unit. + + If this work unit is applied to a component TOE that + might be used/integrated in a composed TOE (see ), the following will apply. 
In + the instances that the component TOE under evaluation + depends on other components in the operational + environment to support their operation, the developer + may wish to consider using the other component(s) that + will be used in the composed TOE to fulfil the + requirements of the operational environment as one of + the test configurations. This will reduce the amount an + additional testing that will be required for the + composed TOE evaluation. + + + + + The evaluator shall examine the test plans to determine + that sufficient instructions are provided for any + ordering dependencies. + + Some steps may have to be performed to establish initial + conditions. For example, user accounts need to be added + before they can be deleted. An example of ordering + dependencies on the results of other tests is the need + to perform actions in a test that will result in the + generation of audit records, before performing a test to + consider the searching and sorting of those audit + records. Another example of an ordering dependency + would be where one test case generates a file of data to + be used as input for another test case. + + The evaluator may wish to employ a sampling strategy + when performing this work unit. + + + + + The evaluator shall examine the test documentation to + determine that all expected tests results are + included. + + The expected test results are needed to determine + whether or not a test has been successfully + performed. Expected test results are sufficient if they + are unambiguous and consistent with expected behaviour + given the testing approach. + + The evaluator may wish to employ a sampling strategy + when performing this work unit. + + + + + The evaluator shall check that the actual test results + in the test documentation are consistent with the + expected test results in the test documentation. 
+ + A comparison of the actual and expected test results + provided by the developer will reveal any + inconsistencies between the results. It may be that a + direct comparison of actual results cannot be made until + some data reduction or synthesis has been first + performed. In such cases, the developer's test + documentation should describe the process to reduce or + synthesise the actual data. + + For example, the developer may need to test the contents + of a message buffer after a network connection has + occurred to determine the contents of the buffer. The + message buffer will contain a binary number. This binary + number would have to be converted to another form of + data representation in order to make the test more + meaningful. The conversion of this binary representation + of data into a higher-level representation will have to + be described by the developer in enough detail to allow + an evaluator to perform the conversion process + (i.e. synchronous or asynchronous transmission, number + of stop bits, parity, etc.). + + It should be noted that the description of the process + used to reduce or synthesise the actual data is used by + the evaluator not to actually perform the necessary + modification but to assess whether this process is + correct. It is up to the developer to transform the + expected test results into a format that allows an easy + comparison with the actual test results. + + The evaluator may wish to employ a sampling strategy + when performing this work unit. + + + + + The evaluator shall report the developer testing effort, + outlining the testing approach, configuration, depth and + results. + + The developer testing information recorded in the ETR allows the + evaluator to convey the overall testing approach and effort + expended on the testing of the TOE by the developer. The intent + of providing this information is to give a meaningful overview + of the developer testing effort. 
It is not intended that the + information regarding developer testing in the ETR be an exact + reproduction of specific test steps or results of individual + tests. The intention is to provide enough detail to allow other + evaluators and evaluation authorities to gain some insight about the + developer's testing approach, amount of testing performed, TOE + test configurations, and the overall results of the developer + testing. + + Information that would typically be found in the ETR + subclause regarding the developer testing effort is: + + + TOE test configurations. The particular + configurations of the TOE that were tested, + including whether any privileged code was required + to set up the test or clean up afterwards; + + + testing approach. An account of the overall + developer testing strategy employed; + + + testing results. A description of the overall + developer testing results. + + + + This list is by no means exhaustive and is only intended + to provide some context as to the type of information + that should be present in the ETR concerning the + developer testing effort. + + + + + + + + + The objectives are for the developer to demonstrate that + the tests in the test documentation are performed and + documented correctly, and to ensure that testing is + structured such as to avoid circular arguments about the + correctness of the interfaces being tested. + + + + Although the test procedures may state pre-requisite + initial test conditions in terms of ordering of tests, + they may not provide a rationale for the ordering. An + analysis of test ordering is an important factor in + determining the adequacy of testing, as there is a + possibility of faults being concealed by the ordering of + tests. + + + The developer shall test the TSF and document the results. + + + The developer shall provide test documentation. + + + The test documentation shall consist of test plans, expected + test results and actual test results. 
+ + + The test plans shall identify the tests to be performed and + describe the scenarios for performing each test. These + scenarios shall include any ordering dependencies on the + results of other tests. + + + The expected test results shall show the anticipated outputs + from a successful execution of the tests. + + + The actual test results shall be consistent with the + expected test results. + + + The test documentation shall include an analysis of the test + procedure ordering dependencies. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + + + + The objectives of this family are built upon the assurances + achieved in the , , and + families by verifying the developer testing and performing + additional tests by the evaluator. + + + + Independent testing specifies the degree to which the + testing of the TSF must be performed by a party other than + the developer (e.g. a third party). This family adds value + by the introduction of tests that are not part of the + developer's tests. + + + + Levelling is based upon the amount of developer test + documentation and test support and the amount of evaluator + testing. + + + + This family deals with the degree to which there is + independent functional testing of the TSF. Independent + functional testing may take the form of repeating the + developer's functional tests (in whole or in part) or of + extending the scope or the depth of the developer's + tests. These activities are complementary, and an + appropriate mix must be planned for each TOE, which takes + into account the availability and coverage of test results, + and the functional complexity of the TSF. + + Sampling of developer tests is intended to provide + confirmation that the developer has carried out his planned + test programme on the TSF, and has correctly recorded the + results. 
The size of sample selected will be influenced by + the detail and quality of the developer's functional test + results. The evaluator will also need to consider the scope + for devising additional tests, and the relative benefit that + may be gained from effort in these two areas. It is + recognised that repetition of all developer tests may be + feasible and desirable in some cases, but may be very + arduous and less productive in others. The highest component + in this family should therefore be used with + caution. Sampling will address the whole range of test + results available, including those supplied to meet the + requirements of both and + . + + There is also a need to consider the different + configurations of the TOE that are included within the + evaluation. The evaluator will need to assess the + applicability of the results provided, and to plan his own + testing accordingly. + + The suitability of the TOE for testing is based on the + access to the TOE, and the supporting documentation and + information required (including any test software or tools) + to run tests. The need for such support is addressed by the + dependencies to other assurance families. + + Additionally, suitability of the TOE for testing may be + based on other considerations. For example, the version of + the TOE submitted by the developer may not be the final + version. + + The term interfaces refers to interfaces + described in the functional specification and TOE design, + and parameters passed through invocations identified in the + implementation representation. The exact set of interfaces + to be used is selected through and the + components. + + References to a subset of the interfaces are intended to + allow the evaluator to design an appropriate set of tests + which is consistent with the objectives of the evaluation + being conducted. 
+ + + + + + + + In this component, the objective is to demonstrate that + the TOE operates in accordance with its design + representations and guidance documents. + + + + This component does not address the use of developer test + results. It is applicable where such results are not + available, and also in cases where the developer's testing + is accepted without validation. The evaluator is required + to devise and conduct tests with the objective of + confirming that the TOE operates in accordance with its + design representations, including but not limited to the + functional specification. The approach is to gain + confidence in correct operation through representative + testing, rather than to conduct every possible test. The + extent of testing to be planned for this purpose is a + methodology issue, and needs to be considered in the + context of a particular TOE and the balance of other + evaluation activities. + + + + The goal of this activity is to determine, by + independently testing a subset of the TSFI, whether the + TOE behaves as specified in the functional specification + and guidance documentation. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + + the functional specification; + + + the operational user guidance; + + + the preparative user guidance; + + + the TOE suitable for testing. + + + + + The developer shall provide the TOE for testing. + + + The TOE shall be suitable for testing. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the TOE to determine that + the test configuration is consistent with the + configuration under evaluation as specified in the + ST. + + The TOE provided by the developer should have the same + unique reference as established by the sub-activities and identified + in the ST introduction. 
+
+ It is possible for the ST to specify more than one
+ configuration for evaluation. The TOE may comprise a
+ number of distinct hardware and software entities that
+ need to be tested in accordance with the ST. The
+ evaluator verifies that all test configurations are
+ consistent with the ST.
+
+ The evaluator should consider the security objectives
+ for the operational environment described in the ST that
+ may apply to the test environment and ensure they are
+ met in the testing environment. There may be some
+ objectives for the operational environment that do not
+ apply to the test environment. For example, an objective
+ about user clearances may not apply; however, an
+ objective about a single point of connection to a
+ network would apply.
+
+ If any test resources are used (e.g. meters, analysers)
+ it will be the evaluator's responsibility to ensure that
+ these resources are calibrated correctly.
+
+
+
+
+ The evaluator shall examine the TOE to determine that it
+ has been installed properly and is in a known
+ state.
+
+ It is possible for the evaluator to determine the state
+ of the TOE in a number of ways. For example, previous
+ successful completion of the sub-activity will satisfy this work unit
+ if the evaluator still has confidence that the TOE being
+ used for testing was installed properly and is in a
+ known state. If this is not the case, then the evaluator
+ should follow the developer's procedures to install and
+ start up the TOE, using the supplied guidance
+ only.
+
+ If the evaluator has to perform the installation
+ procedures because the TOE is in an unknown state, this
+ work unit when successfully completed could satisfy work
+ unit .
+
+
+
+ The evaluator shall test a subset of the TSF to confirm that
+ the TSF operates as specified.
+
+
+ The evaluator shall devise a test subset.
+
+ The evaluator selects a test subset and testing strategy
+ that is appropriate for the TOE. One extreme testing
+ strategy would be to have the test subset contain as
+ many interfaces as possible tested with little
+ rigour. Another testing strategy would be to have the
+ test subset contain a few interfaces based on their
+ perceived relevance and rigorously test these
+ interfaces.
+
+ Typically the testing approach taken by the evaluator
+ should fall somewhere between these two extremes. The
+ evaluator should exercise most of the interfaces using
+ at least one test, but testing need not demonstrate
+ exhaustive specification testing.
+
+ The evaluator, when selecting the subset of the
+ interfaces to be tested, should consider the following
+ factors:
+
+
+ The number of interfaces from which to draw upon for
+ the test subset. Where the TSF includes only a small
+ number of relatively simple interfaces, it may be
+ practical to rigorously test all of the
+ interfaces. In other cases this may not be
+ cost-effective, and sampling is required.
+
+
+ Maintaining a balance of evaluation activities. The
+ evaluator effort expended on the test activity
+ should be commensurate with that expended on any
+ other evaluation activity.
+
+
+
+ The evaluator selects the interfaces to compose the
+ subset. This selection will depend on a number of
+ factors, and consideration of these factors may also
+ influence the choice of test subset size:
+
+
+ Significance of interfaces. Those interfaces more
+ significant than others should be included in the
+ test subset. One major factor of ``significance'' is
+ the security-relevance (SFR-enforcing interfaces
+ would be more significant than SFR-supporting
+ interfaces, which are more significant than
+ SFR-non-interfering interfaces; see CC Part 3
+ Subclause ). The other
+ major factor of ``significance'' is the number of
+ SFRs mapping to this interface (as determined when
+ identifying the correspondence between levels of
+ abstraction in ).
+
+
+ Complexity of the interface. Complex interfaces may
+ require complex tests that impose onerous
+ requirements on the developer or evaluator, which
+ may not be conducive to cost-effective
+ evaluations. Conversely, they are a likely area to
+ find errors and are good candidates for the
+ subset. The evaluator will need to strike a balance
+ between these considerations.
+
+
+ Implicit testing. Testing some interfaces may often
+ implicitly test other interfaces, and their
+ inclusion in the subset may maximise the number of
+ interfaces tested (albeit implicitly). Certain
+ interfaces will typically be used to provide a
+ variety of security functionality, and will tend to
+ be the target of an effective testing approach.
+
+
+ Types of interfaces (e.g. programmatic,
+ command-line, protocol). The evaluator should
+ consider including tests for all different types of
+ interfaces that the TOE supports.
+
+
+ Interfaces that give rise to features that are
+ innovative or unusual. Where the TOE contains
+ innovative or unusual features, which may feature
+ strongly in marketing literature and guidance
+ documents, the corresponding interfaces should be
+ strong candidates for testing.
+
+
+
+ This guidance articulates factors to consider during the
+ selection process of an appropriate test subset, but
+ these are by no means exhaustive.
+
+
+ The evaluator shall produce test documentation for the
+ test subset that is sufficiently detailed to enable the
+ tests to be reproducible.
+
+ With an understanding of the expected behaviour of the
+ TSF, from the ST and the functional specification, the
+ evaluator has to determine the most feasible way to test
+ the interface. Specifically the evaluator considers:
+
+
+ the approach that will be used, for instance,
+ whether an external interface will be tested, or an
+ internal interface using a test harness, or will an
+ alternate test approach be employed (e.g. in
+ exceptional circumstances, a code inspection, if the
+ implementation representation is available);
+
+
+ the interface(s) that will be used to test and
+ observe responses;
+
+
+ the initial conditions that will need to exist for
+ the test (i.e. any particular objects or subjects
+ that will need to exist and security attributes they
+ will need to have);
+
+
+ special test equipment that will be required to
+ either stimulate an interface (e.g. packet
+ generators) or make observations of an interface
+ (e.g. network analysers).
+
+
+
+ The evaluator may find it practical to test each
+ interface using a series of test cases, where each test
+ case will test a very specific aspect of expected
+ behaviour.
+
+ The evaluator's test documentation should specify the
+ derivation of each test, tracing it back to the relevant
+ interface(s).
+
+
+ The evaluator shall conduct testing.
+
+ The evaluator uses the test documentation developed as a
+ basis for executing tests on the TOE. The test
+ documentation is used as a basis for testing but this
+ does not preclude the evaluator from performing
+ additional ad hoc tests. The evaluator may devise new
+ tests based on behaviour of the TOE discovered during
+ testing. These new tests are recorded in the test
+ documentation.
+
+
+ The evaluator shall record the following information
+ about the tests that compose the test subset:
+
+
+ identification of the interface behaviour to be
+ tested;
+
+
+ instructions to connect and setup all required test
+ equipment as required to conduct the test;
+
+
+ instructions to establish all prerequisite test
+ conditions;
+
+
+ instructions to stimulate the interface;
+
+
+ instructions for observing the behaviour of the
+ interface;
+
+
+ descriptions of all expected results and the
+ necessary analysis to be performed on the observed
+ behaviour for comparison against expected results;
+
+
+ instructions to conclude the test and establish the
+ necessary post-test state for the TOE;
+
+
+ actual test results.
+
+
+
+ The level of detail should be such that another
+ evaluator could repeat the tests and obtain an
+ equivalent result. While some specific details of the
+ test results may be different (e.g. time and date fields
+ in an audit record) the overall result should be
+ identical.
+
+ There may be instances when it is unnecessary to provide
+ all the information presented in this work unit
+ (e.g. the actual test results of a test may not require
+ any analysis before a comparison between the expected
+ results can be made). The determination to omit this
+ information is left to the evaluator, as is the
+ justification.
+
+
+ The evaluator shall check that all actual test results
+ are consistent with the expected test results.
+
+ Any differences in the actual and expected test results
+ may indicate that the TOE does not perform as specified
+ or that the evaluator test documentation may be
+ incorrect. Unexpected actual results may require
+ corrective maintenance to the TOE or test documentation
+ and perhaps require re-running of impacted tests and
+ modifying the test sample size and composition. This
+ determination is left to the evaluator, as is its
+ justification.
+
+
+ The evaluator shall report in the ETR the evaluator
+ testing effort, outlining the testing approach,
+ configuration, depth and results.
+
+ The evaluator testing information reported in the ETR allows the
+ evaluator to convey the overall testing approach and effort
+ expended on the testing activity during the evaluation. The
+ intent of providing this information is to give a meaningful
+ overview of the testing effort. It is not intended that the
+ information regarding testing in the ETR be an exact
+ reproduction of specific test instructions or results of
+ individual tests. The intention is to provide enough detail to
+ allow other evaluators and evaluation authorities to gain some insight about
+ the testing approach chosen, amount of testing performed, TOE
+ test configurations, and the overall results of the testing
+ activity.
+
+ Information that would typically be found in the ETR
+ subclause regarding the evaluator testing effort is:
+
+
+ TOE test configurations. The particular
+ configurations of the TOE that were tested;
+
+
+ subset size chosen. The amount of interfaces that
+ were tested during the evaluation and a
+ justification for the size;
+
+
+ selection criteria for the interfaces that compose
+ the subset. Brief statements about the factors
+ considered when selecting interfaces for inclusion
+ in the subset;
+
+
+ interfaces tested. A brief listing of the interfaces
+ that merited inclusion in the subset;
+
+
+ verdict for the activity. The overall judgement on
+ the results of testing during the evaluation.
+
+
+
+ This list is by no means exhaustive and is only intended
+ to provide some context as to the type of information
+ that should be present in the ETR concerning the testing
+ the evaluator performed during the evaluation.
+
+
+
+
+
+
+
+
+
+
+
+ In this component, the objective is to demonstrate that
+ the TOE operates in accordance with its design
+ representations and guidance documents. Evaluator testing
+ confirms that the developer performed some tests of some
+ interfaces in the functional specification.
+
+
+
+ The intent is that the developer should provide the
+ evaluator with materials necessary for the efficient
+ reproduction of developer tests. This may include such
+ things as machine-readable test documentation, test
+ programs, etc.
+
+ This component contains a requirement that the evaluator
+ has available test results from the developer to
+ supplement the programme of testing. The evaluator will
+ repeat a sample of the developer's tests to gain
+ confidence in the results obtained. Having established
+ such confidence the evaluator will build upon the
+ developer's testing by conducting additional tests that
+ exercise the TOE in a different manner. By using a
+ platform of validated developer test results the evaluator
+ is able to gain confidence that the TOE operates correctly
+ in a wider range of conditions than would be possible
+ purely using the developer's own efforts, given a fixed
+ level of resource. Having gained confidence that the
+ developer has tested the TOE, the evaluator will also have
+ more freedom, where appropriate, to concentrate testing in
+ areas where examination of documentation or specialist
+ knowledge has raised particular concerns.
+
+
+
+ The goal of this activity is to determine, by
+ independently testing a subset of the TSF, whether the TOE
+ behaves as specified in the design documentation, and to
+ gain confidence in the developer's test results by
+ performing a sample of the developer's tests.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the functional specification;
+
+
+ the TOE design description;
+
+
+ the operational user guidance;
+
+
+ the preparative user guidance;
+
+
+ the configuration management documentation;
+
+
+ the test documentation;
+
+
+ the TOE suitable for testing.
+
+
+
+
+ The developer shall provide the TOE for testing.
+
+
+ The TOE shall be suitable for testing.
+
+
+ The developer shall provide an equivalent set of resources
+ to those that were used in the developer's functional
+ testing of the TSF.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the TOE to determine that
+ the test configuration is consistent with the
+ configuration under evaluation as specified in the
+ ST.
+
+ The TOE provided by the developer and identified in the
+ test plan should have the same unique reference as
+ established by the
+ sub-activities and identified in the ST
+ introduction.
+
+ It is possible for the ST to specify more than one
+ configuration for evaluation. The TOE may comprise a
+ number of distinct hardware and software entities that
+ need to be tested in accordance with the ST. The
+ evaluator verifies that all test configurations are
+ consistent with the ST.
+
+ The evaluator should consider the security objectives
+ for the operational environment described in the ST that
+ may apply to the test environment and ensure they are
+ met in the testing environment. There may be some
+ objectives for the operational environment that do not
+ apply to the test environment. For example, an objective
+ about user clearances may not apply; however, an
+ objective about a single point of connection to a
+ network would apply.
+
+ If any test resources are used (e.g. meters, analysers)
+ it will be the evaluator's responsibility to ensure that
+ these resources are calibrated correctly.
+
+
+
+
+ The evaluator shall examine the TOE to determine that it has been installed properly and is in a known state.
+
+ It is possible for the evaluator to determine the state
+ of the TOE in a number of ways. For example, previous
+ successful completion of the sub-activity will satisfy this work unit
+ if the evaluator still has confidence that the TOE being
+ used for testing was installed properly and is in a
+ known state. If this is not the case, then the evaluator
+ should follow the developer's procedures to install and
+ start up the TOE, using the supplied guidance
+ only.
+
+ If the evaluator has to perform the installation
+ procedures because the TOE is in an unknown state, this
+ work unit when successfully completed could satisfy work
+ unit .
+
+
+
+
+ The evaluator shall examine the set of resources provided by the developer
+ to determine that they are equivalent to the set of resources used by the
+ developer to functionally test the TSF.
+
+ The set of resource used by the developer is documented
+ in the developer test plan, as considered in the family. The resource set may
+ include laboratory access and special test equipment,
+ among others. Resources that are not identical to those
+ used by the developer need to be equivalent in terms of
+ any impact they may have on test results.
+
+
+
+ The evaluator shall execute a sample of tests in the test
+ documentation to verify the developer test results.
+
+
+ The evaluator shall conduct testing using a sample of
+ tests found in the developer test plan and
+ procedures.
+
+ The overall aim of this work unit is to perform a
+ sufficient number of the developer tests to confirm the
+ validity of the developer's test results. The evaluator
+ has to decide on the size of the sample, and the
+ developer tests that will compose the sample (see ).
+
+ All the developer tests can be traced back to specific
+ interfaces. Therefore, the factors to consider in the
+ selection of the tests to compose the sample are similar
+ to those listed for subset selection in work-unit . Additionally, the
+ evaluator may wish to employ a random sampling method to
+ select developer tests to include in the sample.
+
+
+
+ The evaluator shall check that all the actual test
+ results are consistent with the expected test
+ results.
+
+ Inconsistencies between the developer's expected test
+ results and actual test results will compel the
+ evaluator to resolve the discrepancies. Inconsistencies
+ encountered by the evaluator could be resolved by a
+ valid explanation and resolution of the inconsistencies
+ by the developer.
+
+ If a satisfactory explanation or resolution can not be reached,
+ the evaluator's confidence in the developer's test results may be
+ lessened and it may be necessary for the evaluator to increase
+ the sample size to the extent that the subset identified in work unit
+ is adequately tested:
+ deficiencies with the developer's tests need to result in either
+ corrective action to the TOE by the developer (e.g., if the inconsistency
+ is caused by incorrect behaviour) or to the developer's tests (e.g., if the
+ inconsistency is caused by an incorrect test), or in the production of new
+ tests by the evaluator.
+
+
+
+ The evaluator shall test a subset of the TSF to confirm that the
+ TSF operates as specified.
+
+
+ The evaluator shall devise a test subset.
+
+ The evaluator selects a test subset and testing strategy
+ that is appropriate for the TOE. One extreme testing
+ strategy would be to have the test subset contain as
+ many interfaces as possible tested with little
+ rigour. Another testing strategy would be to have the
+ test subset contain a few interfaces based on their
+ perceived relevance and rigorously test these
+ interfaces.
+
+ Typically the testing approach taken by the evaluator
+ should fall somewhere between these two extremes. The
+ evaluator should exercise most of the interfaces using
+ at least one test, but testing need not demonstrate
+ exhaustive specification testing.
+
+ The evaluator, when selecting the subset of the
+ interfaces to be tested, should consider the following
+ factors:
+
+
+ The developer test evidence. The developer test
+ evidence consists of: the test documentation, the
+ available test coverage analysis, and the available
+ depth of testing analysis. The developer test
+ evidence will provide insight as to how the TSF has
+ been exercised by the developer during testing. The
+ evaluator applies this information when developing
+ new tests to independently test the
+ TOE. Specifically the evaluator should consider:
+
+
+ augmentation of developer testing for
+ interfaces. The evaluator may wish to perform
+ more of the same type of tests by varying
+ parameters to more rigorously test the
+ interface.
+
+
+ supplementation of developer testing strategy
+ for interfaces. The evaluator may wish to vary
+ the testing approach of a specific interface by
+ testing it using another test strategy.
+
+
+
+
+ The number of interfaces from which to draw upon for
+ the test subset. Where the TSF includes only a small
+ number of relatively simple interfaces, it may be
+ practical to rigorously test all of them. In other
+ cases this may not be cost-effective, and sampling
+ is required.
+
+
+ Maintaining a balance of evaluation activities. The
+ evaluator effort expended on the test activity
+ should be commensurate with that expended on any
+ other evaluation activity.
+
+
+
+ The evaluator selects the interfaces to compose the
+ subset. This selection will depend on a number of
+ factors, and consideration of these factors may also
+ influence the choice of test subset size:
+
+
+ Rigour of developer testing of the interfaces. Those
+ interfaces that the evaluator determines require
+ additional testing should be included in the test
+ subset.
+
+
+ Developer test results. If the results of developer
+ tests cause the evaluator to doubt that an interface
+ is not properly implemented, then the evaluator
+ should include such interfaces in the test subset.
+
+
+ Significance of interfaces. Those interfaces more
+ significant than others should be included in the
+ test subset. One major factor of ``significance'' is
+ the security-relevance (SFR-enforcing interfaces
+ would be more significant than SFR-supporting
+ interfaces, which are more significant than
+ SFR-non-interfering interfaces; see CC Part 3
+ Subclause ). The other
+ major factor of ``significance'' is the number of
+ SFRs mapping to this interface (as determined when
+ identifying the correspondence between levels of
+ abstraction in ).
+
+
+ Complexity of interfaces. Interfaces that require
+ complex implementation may require complex tests
+ that impose onerous requirements on the developer or
+ evaluator, which may not be conducive to
+ cost-effective evaluations. Conversely, they are a
+ likely area to find errors and are good candidates
+ for the subset. The evaluator will need to strike a
+ balance between these considerations.
+
+
+ Implicit testing. Testing some interfaces may often
+ implicitly test other interfaces, and their
+ inclusion in the subset may maximise the number of
+ interfaces tested (albeit implicitly). Certain
+ interfaces will typically be used to provide a
+ variety of security functionality, and will tend to
+ be the target of an effective testing approach.
+
+
+ Types of interfaces (e.g. programmatic,
+ command-line, protocol). The evaluator should
+ consider including tests for all different types of
+ interfaces that the TOE supports.
+
+
+ Interfaces that give rise to features that are
+ innovative or unusual. Where the TOE contains
+ innovative or unusual features, which may feature
+ strongly in marketing literature and guidance
+ documents, the corresponding interfaces should be
+ strong candidates for testing.
+
+
+
+ This guidance articulates factors to consider during the
+ selection process of an appropriate test subset, but
+ these are by no means exhaustive.
+
+
+ The evaluator shall produce test documentation for the
+ test subset that is sufficiently detailed to enable the
+ tests to be reproducible.
+
+ With an understanding of the expected behaviour of the
+ TSF, from the ST, the functional specification, and the
+ TOE design description, the evaluator has to determine
+ the most feasible way to test the
+ interface. Specifically the evaluator considers:
+
+
+ the approach that will be used, for instance,
+ whether an external interface will be tested, or an
+ internal interface using a test harness, or will an
+ alternate test approach be employed (e.g. in
+ exceptional circumstances, a code inspection);
+
+
+ the interface(s) that will be used to test and
+ observe responses;
+
+
+ the initial conditions that will need to exist for
+ the test (i.e. any particular objects or subjects
+ that will need to exist and security attributes they
+ will need to have);
+
+
+ special test equipment that will be required to
+ either stimulate an interface (e.g. packet
+ generators) or make observations of an interface
+ (e.g. network analysers).
+
+
+
+ The evaluator may find it practical to test each
+ interface using a series of test cases, where each test
+ case will test a very specific aspect of expected
+ behaviour of that interface.
+
+ The evaluator's test documentation should specify the
+ derivation of each test, tracing it back to the relevant
+ interface(s).
+
+
+ The evaluator shall conduct testing.
+
+ The evaluator uses the test documentation developed as a
+ basis for executing tests on the TOE. The test
+ documentation is used as a basis for testing but this
+ does not preclude the evaluator from performing
+ additional ad hoc tests. The evaluator may devise new
+ tests based on behaviour of the TOE discovered during
+ testing. These new tests are recorded in the test
+ documentation.
+
+
+ The evaluator shall record the following information
+ about the tests that compose the test subset:
+
+
+ identification of the interface behaviour to be
+ tested;
+
+
+ instructions to connect and setup all required test
+ equipment as required to conduct the test;
+
+
+ instructions to establish all prerequisite test
+ conditions;
+
+
+ instructions to stimulate the interface;
+
+
+ instructions for observing the interface;
+
+
+ descriptions of all expected results and the
+ necessary analysis to be performed on the observed
+ behaviour for comparison against expected results;
+
+
+ instructions to conclude the test and establish the
+ necessary post-test state for the TOE;
+
+
+ actual test results.
+
+
+
+ The level of detail should be such that another
+ evaluator could repeat the tests and obtain an
+ equivalent result. While some specific details of the
+ test results may be different (e.g. time and date fields
+ in an audit record) the overall result should be
+ identical.
+
+ There may be instances when it is unnecessary to provide
+ all the information presented in this work unit
+ (e.g. the actual test results of a test may not require
+ any analysis before a comparison between the expected
+ results can be made). The determination to omit this
+ information is left to the evaluator, as is the
+ justification.
+
+
+ The evaluator shall check that all actual test results
+ are consistent with the expected test results.
+
+ Any differences in the actual and expected test results
+ may indicate that the TOE does not perform as specified
+ or that the evaluator test documentation may be
+ incorrect. Unexpected actual results may require
+ corrective maintenance to the TOE or test documentation
+ and perhaps require re-running of impacted tests and
+ modifying the test sample size and composition. This
+ determination is left to the evaluator, as is its
+ justification.
+
+
+ The evaluator shall report in the ETR the evaluator
+ testing effort, outlining the testing approach,
+ configuration, depth and results.
+
+ The evaluator testing information reported in the ETR allows the
+ evaluator to convey the overall testing approach and effort
+ expended on the testing activity during the evaluation. The
+ intent of providing this information is to give a meaningful
+ overview of the testing effort. It is not intended that the
+ information regarding testing in the ETR be an exact
+ reproduction of specific test instructions or results of
+ individual tests. The intention is to provide enough detail to
+ allow other evaluators and evaluation authorities to gain some insight about
+ the testing approach chosen, amount of evaluator testing
+ performed, amount of developer tests performed, TOE test
+ configurations, and the overall results of the testing
+ activity.
+
+ Information that would typically be found in the ETR
+ subclause regarding the evaluator testing effort is:
+
+
+ TOE test configurations. The particular
+ configurations of the TOE that were tested.
+
+
+ subset size chosen. The amount of interfaces that
+ were tested during the evaluation and a
+ justification for the size.
+
+
+ selection criteria for the interfaces that compose
+ the subset. Brief statements about the factors
+ considered when selecting interfaces for inclusion
+ in the subset.
+
+
+ Interfaces tested. A brief listing of the interfaces
+ that merited inclusion in the subset.
+
+
+ developer tests performed. The amount of developer
+ tests performed and a brief description of the
+ criteria used to select the tests.
+
+
+ verdict for the activity. The overall judgement on
+ the results of testing during the evaluation.
+
+
+
+ This list is by no means exhaustive and is only intended
+ to provide some context as to the type of information
+ that should be present in the ETR concerning the testing
+ the evaluator performed during the evaluation.
+
+
+
+
+
+
+
+
+
+
+ In this component, the objective is to demonstrate
+ that the TOE operates in accordance with its design
+ representations and guidance documents. Evaluator testing
+ includes repeating all of the developer tests.
+
+
+
+ The intent is that the developer should provide the
+ evaluator with materials necessary for the efficient
+ reproduction of developer tests. This may include such
+ things as machine-readable test documentation, test
+ programs, etc.
+
+ In this component the evaluator must repeat all of the
+ developer's tests as part of the programme of testing. As
+ in the previous component the evaluator will also conduct
+ tests that aim to exercise the TSF in a different manner
+ from that achieved by the developer. In cases where
+ developer testing has been exhaustive, there may remain
+ little scope for this.
+
+
+ The developer shall provide the TOE for testing.
+
+
+ The TOE shall be suitable for testing.
+
+
+ The developer shall provide an equivalent set of resources
+ to those that were used in the developer's functional
+ testing of the TSF.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+ The evaluator shall execute all tests in the test
+ documentation to verify the developer test results.
+
+
+ The evaluator shall test the TSF to confirm that the entire
+ TSF operates as specified.
+
+
+
+
+
+
+
+ The class addresses the
+ possibility of exploitable vulnerabilities introduced in the
+ development or the operation of the TOE.
+
+
+
+ Assurance class defines
+ requirements directed at the identification of exploitable
+ vulnerabilities. Specifically, it addresses those
+ vulnerabilities introduced in the development, operation,
+ misuse, or incorrect configuration of the TOE.
+
+
+
+ Generally, the vulnerability assessment activity covers various
+ vulnerabilities in the development and operation of the
+ TOE. Development vulnerabilities take advantage of some property
+ of the TOE which was introduced during its development,
+ e.g. defeating the TSF self protection through tampering, direct
+ attack or monitoring of the TSF, defeating the TSF domain
+ separation through monitoring or direct attack the TSF, or
+ defeating non-bypassability through circumventing (bypassing)
+ the TSF. Operational vulnerabilities take advantage of
+ weaknesses in non-technical countermeasures to violate the TOE
+ SFRs, e.g. misuse or incorrect configuration. Misuse
+ investigates whether the TOE can be configured or used in a
+ manner that is insecure, but that an administrator or user of
+ the TOE would reasonably believe to be secure.
+
+ Assessment of development vulnerabilities is covered by the
+ assurance family . Basically,
+ all development vulnerabilities can be considered in the
+ context of due to the fact,
+ that this family allows application of a wide range of
+ assessment methodologies being unspecific to the kind of an
+ attack scenario. These unspecific assessment methodologies
+ comprise, among other, also the specific methodologies for
+ those TSF where covert channels are to be considered (a
+ channel capacity estimation can be done using informal
+ engineering measurements, as well as actual test measurements)
+ or can be overcome by the use of sufficient resources in the
+ form of a direct attack (underlying technical concept of those
+ TSF is based on probabilistic or permutational mechanisms; a
+ qualification of their security behaviour and the effort
+ required to overcome them can be made using a quantitative or
+ statistical analysis).
+
+ If there are security objectives specified in the ST to either
+ to prevent one user of the TOE from observing activity
+ associated with another user of the TOE, or to ensure that
+ information flows cannot be used to achieve enforced illicit
+ data signals, covert channel analysis should be considered
+ during the conduct of the vulnerability analysis. This is often
+ reflected by the inclusion of
+ and multilevel access control policies specified through and/or requirements in the ST.
+
+
+
+ The purpose of the vulnerability assessment activity is to
+ determine the exploitability of flaws or weaknesses in the TOE
+ in the operational environment. This determination is based
+ upon analysis of the evaluation evidence and a search of
+ publicly available material by the evaluator and is supported
+ by evaluator penetration testing.
+
+
+
+
+ Vulnerability analysis is an assessment to determine whether
+ potential vulnerabilities identified, during the evaluation
+ of the development and anticipated operation of the TOE or
+ by other methods (e.g. by flaw hypotheses or quantitative or
+ statistical analysis of the security behaviour of the
+ underlying security mechanisms), could allow attackers to
+ violate the SFRs.
+
+ Vulnerability analysis deals with the threats that an
+ attacker will be able to discover flaws that will allow
+ unauthorised access to data and functionality, allow the
+ ability to interfere with or alter the TSF, or interfere
+ with the authorised capabilities of other users.
+
+
+
+ Vulnerability analysis consists of the identification of
+ flaws potentially introduced in the different refinement
+ steps of the development (development vulnerabilities) or
+ through the application of the guidance in operation of the
+ TOE (operational vulnerabilities). It results in the
+ definition of penetration tests through the collection of
+ the necessary information concerning: (1) the completeness
+ of the TSF (does the TSF counter all the postulated
+ threats?), (2) the dependencies between all SFRs and (3)
+ whether any of the SFRs can be undermined through unexpected
+ behaviour of the TOE. These potential vulnerabilities are
+ assessed through penetration testing to determine whether
+ they could, in practise, be exploitable to compromise the
+ security of the TOE.
+
+ The characteristics of different levels of attack potential
+ are discussed in CEM .
+
+
+
+ Levelling is based on an increasing rigour of vulnerability
+ analysis by the evaluator and increased levels of attack
+ potential required by an attacker to identify and exploit
+ the potential vulnerabilities.
+
+
+
+
+
+
+
+ A vulnerability survey of information available in the
+ public domain is performed by the evaluator to ascertain
+ potential vulnerabilities that may be easily found by an
+ attacker.
+
+ The evaluator performs penetration testing, to confirm
+ that the potential vulnerabilities cannot be exploited in
+ the operational environment for the TOE. Penetration
+ testing is performed by the evaluator assuming an attack
+ potential of Basic.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TOE, in its operational environment, has easily
+ identifiable exploitable vulnerabilities.
+
+
+
+ The evaluator should consider performing additional tests
+ as a result of potential vulnerabilities encountered
+ during the conduct of other parts of the
+ evaluation.
+
+ The use of the term guidance in this sub-activity refers
+ to the operational guidance and the preparative
+ guidance.
+
+ Potential vulnerabilities may be in information that is
+ publicly available, or not, and may require skill to
+ exploit, or not. These two aspects are related, but are
+ distinct. It should not be assumed that, simply because a
+ potential vulnerability is identifiable from information
+ that is publicly available, it can be easily
+ exploited.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+
+ the guidance documentation;
+
+
+ the TOE suitable for testing;
+
+
+ information publicly available to support the
+ identification of potential vulnerabilities.
+
+
+
+ Other input for this sub-activity is:
+
+
+ current information regarding potential
+ vulnerabilities (e.g. from an evaluation authority).
+
+
+
+
+ The developer shall provide the TOE for testing.
+
+
+ The TOE shall be suitable for testing.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the TOE to determine that
+ the test configuration is consistent with the
+ configuration under evaluation as specified in the
+ ST.
+
+ The TOE provided by the developer and identified in the
+ test plan should have the same unique reference as
+ established by the
+ sub-activities and identified in the ST
+ introduction.
+
+ It is possible for the ST to specify more than one
+ configuration for evaluation. The TOE may comprise a
+ number of distinct hardware and software entities that
+ need to be tested in accordance with the ST. The
+ evaluator verifies that all test configurations are
+ consistent with the ST.
+
+ The evaluator should consider the security objectives
+ for the operational environment described in the ST that
+ may apply to the test environment and ensure they are
+ met in the testing environment. There may be some
+ objectives for the operational environment that do not
+ apply to the test environment. For example, an objective
+ about user clearances may not apply; however, an
+ objective about a single point of connection to a
+ network would apply.
+
+ If any test resources are used (e.g. meters, analysers)
+ it will be the evaluator's responsibility to ensure that
+ these resources are calibrated correctly.
+
+
+
+
+ The evaluator shall examine the TOE to determine that it
+ has been installed properly and is in a known
+ state
+
+ It is possible for the evaluator to determine the state
+ of the TOE in a number of ways. For example, previous
+ successful completion of the sub-activity will satisfy this work unit
+ if the evaluator still has confidence that the TOE being
+ used for testing was installed properly and is in a
+ known state. If this is not the case, then the evaluator
+ should follow the developer's procedures to install and
+ start up the TOE, using the supplied guidance
+ only.
+
+ If the evaluator has to perform the installation
+ procedures because the TOE is in an unknown state, this
+ work unit when successfully completed could satisfy work
+ unit .
+
+
+
+ The evaluator shall perform a search of public domain
+ sources to identify potential vulnerabilities in the TOE.
+
+
+ The evaluator shall examine sources of information
+ publicly available to identify potential vulnerabilities
+ in the TOE.
+
+ The evaluator examines the sources of information
+ publicly available to support the identification of
+ possible potential vulnerabilities in the TOE. There are
+ many sources of publicly available information, which
+ should be considered, e.g. mailing lists and security
+ forums on the world wide web that report known
+ vulnerabilities in specified technologies.
+
+ The evaluator should not constrain their consideration
+ of publicly available information to the above, but
+ should consider any other relevant information
+ available.
+
+ While examining the evidence provided the evaluator will
+ use the information in the public domain to further
+ search for potential vulnerabilities. Where the
+ evaluators have identified areas of concern, the
+ evaluator should consider information publicly available
+ that relate to those areas of concern.
+
+ The availability of information that may be readily
+ available to an attacker that helps to identify and
+ facilitate attacks effectively operates to substantially
+ enhance the attack potential of a given attacker. The
+ accessibility of vulnerability information and
+ sophisticated attack tools on the Internet makes it more
+ likely that this information will be used in attempts to
+ identify potential vulnerabilities in the TOE and
+ exploit them. Modern search tools make such information
+ easily available to the evaluator, and the determination
+ of resistance to published potential vulnerabilities and
+ well known generic attacks can be achieved in a
+ cost-effective manner.
+
+ The search of the information publicly available should
+ be focused on those sources that refer specifically to
+ the product from which the TOE is derived. The
+ extensiveness of this search should consider the
+ following factors: TOE type, evaluator experience in
+ this TOE type, expected attack potential and the level
+ of evidence available.
+
+ The identification process is iterative, where the
+ identification of one potential vulnerability may lead
+ to identifying another area of concern that requires
+ further investigation.
+
+ The evaluator will report what actions were taken to
+ identify potential vulnerabilities in the information
+ publicly available. However, in this type of search, the
+ evaluator may not be able to describe the steps in
+ identifying potential vulnerabilities before the outset
+ of the examination, as the approach may evolve as a
+ result of findings during the search.
+
+ The evaluator will report the evidence examined in
+ completing the search for potential
+ vulnerabilities.
+ + + + The evaluator shall record in the ETR the identified + potential vulnerabilities that are candidates for + testing and applicable to the TOE in its operational + environment. + + It may be identified that no further consideration of + the potential vulnerability is required if for example + the evaluator identifies that measures in the + operational environment, either IT or non-IT, prevent + exploitation of the potential vulnerability in that + operational environment. For instance, restricting + physical access to the TOE to authorised users only may + effectively render a potential vulnerability to + tampering unexploitable. + + The evaluator records any reasons for exclusion of + potential vulnerabilities from further consideration if + the evaluator determines that the potential + vulnerability is not applicable in the operational + environment. Otherwise the evaluator records the + potential vulnerability for further + consideration. + + A list of potential vulnerabilities applicable to the + TOE in its operational environment, which can be used as + an input into penetration testing activities, shall be + reported in the ETR by the evaluators. + + + + The evaluator shall conduct penetration testing, based on + the identified potential vulnerabilities, to determine that + the TOE is resistant to attacks performed by an attacker + possessing Basic attack potential. + + + The evaluator shall devise penetration tests, based on + the independent search for potential + vulnerabilities. + + The evaluator prepares for penetration testing as necessary to + determine the susceptibility of the TOE, in its operational + environment, to the potential vulnerabilities identified during + the search of the sources of information publicly available. + Any current information provided to the evaluator by a third + party (e.g. 
evaluation authority) regarding known potential + vulnerabilities will be considered by the evaluator, together + with any encountered potential vulnerabilities resulting from + the performance of other evaluation activities. + + The evaluator will probably find it practical to carry + out penetration test using a series of test cases, where + each test case will test for a specific potential + vulnerability. + + The evaluator is not expected to test for potential + vulnerabilities (including those in the public domain) + beyond those which required a Basic attack potential. In + some cases, however, it will be necessary to carry out a + test before the exploitability can be determined. Where, + as a result of evaluation expertise, the evaluator + discovers a potential vulnerability that is beyond Basic + attack potential, this is reported in the ETR as a + residual vulnerability. + + + + The evaluator shall produce penetration test + documentation for the tests based on the list of + potential vulnerabilities in sufficient detail to enable + the tests to be repeatable. The test documentation shall + include: + + + identification of the potential vulnerability the + TOE is being tested for; + + + instructions to connect and setup all required test + equipment as required to conduct the penetration + test; + + + instructions to establish all penetration test + prerequisite initial conditions; + + + instructions to stimulate the TSF; + + + instructions for observing the behaviour of the TSF; + + + descriptions of all expected results and the + necessary analysis to be performed on the observed + behaviour for comparison against expected results; + + + instructions to conclude the test and establish the + necessary post-test state for the TOE. + + + + The evaluator prepares for penetration testing based on + the list of potential vulnerabilities identified during + the search of the public domain. 
+ + The evaluator is not expected to determine the + exploitability for potential vulnerabilities beyond + those for which a Basic attack potential is required to + effect an attack. However, as a result of evaluation + expertise, the evaluator may discover a potential + vulnerability that is exploitable only by an attacker + with greater than Basic attack potential. Such + vulnerabilities are to be reported in the ETR as + residual vulnerabilities. + + With an understanding of the potential vulnerability, + the evaluator determines the most feasible way to test + for the TOE's susceptibility. Specifically the evaluator + considers: + + + the TSFI or other TOE interface that will be used to + stimulate the TSF and observe responses; + + + initial conditions that will need to exist for the + test (i.e. any particular objects or subjects that + will need to exist and security attributes they will + need to have); + + + special test equipment that will be required to + either stimulate a TSFI or make observations of a + TSFI (although it is unlikely that specialist + equipment would be required to exploit a potential + vulnerability assuming a Basic attack potential); + + + whether theoretical analysis should replace physical + testing, particularly relevant where the results of + an initial test can be extrapolated to demonstrate + that repeated attempts of an attack are likely to + succeed after a given number of attempts. + + + + The evaluator will probably find it practical to carry + out penetration testing using a series of test cases, + where each test case will test for a specific potential + vulnerability. + + The intent of specifying this level of detail in the + test documentation is to allow another evaluator to + repeat the tests and obtain an equivalent result. + + + + The evaluator shall conduct penetration testing. 
+ + The evaluator uses the penetration test documentation + resulting from work unit as a basis for executing penetration tests + on the TOE, but this does not preclude the evaluator + from performing additional ad hoc penetration tests. If + required, the evaluator may devise ad hoc tests as a + result of information learnt during penetration testing + that, if performed by the evaluator, are to be recorded + in the penetration test documentation. Such tests may be + required to follow up unexpected results or + observations, or to investigate potential + vulnerabilities suggested to the evaluator during the + pre-planned testing. + + The evaluator is not expected to test for potential + vulnerabilities (including those in the public domain) + beyond those which required a Basic attack potential. In + some cases, however, it will be necessary to carry out a + test before the exploitability can be determined. Where, + as a result of evaluation expertise, the evaluator + discovers a potential vulnerability that is beyond Basic + attack potential, this is reported in the ETR as a + residual vulnerability. + + + + The evaluator shall record the actual results of the + penetration tests. + + While some specific details of the actual test results + may be different from those expected (e.g. time and date + fields in an audit record) the overall result should be + identical. Any unexpected test results should be + investigated. The impact on the evaluation should be + stated and justified. + + + + The evaluator shall report in the ETR the evaluator + penetration testing effort, outlining the testing + approach, configuration, depth and results. + + The penetration testing information reported in the ETR + allows the evaluator to convey the overall penetration + testing approach and effort expended on this + sub-activity. The intent of providing this information + is to give a meaningful overview of the evaluator's + penetration testing effort. 
It is not intended that the + information regarding penetration testing in the ETR be + an exact reproduction of specific test steps or results + of individual penetration tests. The intention is to + provide enough detail to allow other evaluators and + evaluation authorities to gain some insight about the + penetration testing approach chosen, amount of + penetration testing performed, TOE test configurations, + and the overall results of the penetration testing + activity. + + Information that would typically be found in the ETR + subclause regarding evaluator penetration testing efforts + is: + + + TOE test configurations. The particular + configurations of the TOE that were penetration + tested; + + + TSFI penetration tested. A brief listing of the TSFI + and other TOE interfaces that were the focus of the + penetration testing; + + + verdict for the sub-activity. The overall judgement + on the results of penetration testing. + + + + This list is by no means exhaustive and is only intended + to provide some context as to the type of information + that should be present in the ETR concerning the + penetration testing the evaluator performed during the + evaluation. + + + + The evaluator shall examine the results of all + penetration testing to determine that the TOE, in its + operational environment, is resistant to an attacker + possessing a Basic attack potential. + + If the results reveal that the TOE, in its operational + environment, has vulnerabilities exploitable by an + attacker possessing less than Enhanced-Basic attack + potential, then this evaluator action fails. + + The guidance in should be used to determine the attack + potential required to exploit a particular vulnerability + and whether it can therefore be exploited in the + intended environment. 
It may not be necessary for the + attack potential to be calculated in every instance, + only if there is some doubt as to whether or not the + vulnerability can be exploited by an attacker possessing + an attack potential less than Enhanced-Basic. + + + + The evaluator shall report in the ETR all exploitable + vulnerabilities and residual vulnerabilities, detailing + for each: + + + its source (e.g. CEM activity being undertaken when + it was conceived, known to the evaluator, read in a + publication); + + + the SFR(s) not met; + + + a description; + + + whether it is exploitable in its operational + environment or not (i.e. exploitable or residual). + + + the amount of time, level of expertise, level of + knowledge of the TOE, level of opportunity and the + equipment required to perform the identified + vulnerabilities, and the corresponding values using + the tables and + of Annex . + + + + + + + + + + + + + + + A vulnerability analysis is performed by the evaluator to + ascertain the presence of potential + vulnerabilities. + + The evaluator performs penetration testing, to confirm + that the potential vulnerabilities cannot be exploited in + the operational environment for the TOE. Penetration + testing is performed by the evaluator assuming an attack + potential of Basic. + + + + The objective of this sub-activity is to determine whether + the TOE, in its operational environment, has + vulnerabilities exploitable by attackers possessing Basic + attack potential. + + + + The evaluator should consider performing additional tests + as a result of potential vulnerabilities encountered + during other parts of the evaluation. + + + + The evaluation evidence for this sub-activity is: + + + the ST; + + the functional specification; + + the TOE design; + + the security architecture description; + + the guidance documentation; + + the TOE suitable for testing; + + information publicly available to support the + identification of possible potential + vulnerabilities. 
+ + The remaining implicit evaluation evidence for this + sub-activity depends on the components that have been + included in the assurance package. The evidence provided + for each component is to be used as input in this + sub-activity. + + Other input for this sub-activity is: + + + current information regarding public domain potential + vulnerabilities and attacks (e.g. from an evaluation + authority). + + + + + The developer shall provide the TOE for testing. + + + The TOE shall be suitable for testing. + + + The evaluator shall confirm that the information provided + meets all requirements for content and presentation of + evidence. + + + + The evaluator shall examine the TOE to determine that + the test configuration is consistent with the + configuration under evaluation as specified in the + ST. + + The TOE provided by the developer and identified in the + test plan should have the same unique reference as + established by the + sub-activities and identified in the ST + introduction. + + It is possible for the ST to specify more than one + configuration for evaluation. The TOE may comprise a + number of distinct hardware and software entities that + need to be tested in accordance with the ST. The + evaluator verifies that all test configurations are + consistent with the ST. + + The evaluator should consider the security objectives + for the operational environment described in the ST that + may apply to the test environment and ensure they are + met in the testing environment. There may be some + objectives for the operational environment that do not + apply to the test environment. For example, an objective + about user clearances may not apply; however, an + objective about a single point of connection to a + network would apply. + + If any test resources are used (e.g. meters, analysers) + it will be the evaluator's responsibility to ensure that + these resources are calibrated correctly. 
+ + + + + The evaluator shall examine the TOE to determine that it + has been installed properly and is in a known + state + + It is possible for the evaluator to determine the state + of the TOE in a number of ways. For example, previous + successful completion of the sub-activity will satisfy this work unit + if the evaluator still has confidence that the TOE being + used for testing was installed properly and is in a + known state. If this is not the case, then the evaluator + should follow the developer's procedures to install and + start up the TOE, using the supplied guidance + only. + + If the evaluator has to perform the installation + procedures because the TOE is in an unknown state, this + work unit when successfully completed could satisfy work + unit . + + + + The evaluator shall perform a search of public domain + sources to identify potential vulnerabilities in the TOE. + + + The evaluator shall examine sources of information + publicly available to identify potential vulnerabilities + in the TOE. + + The evaluator examines the sources of information + publicly available to support the identification of + possible potential vulnerabilities in the TOE. There are + many sources of publicly available information which the + evaluator should consider using items such as those + available on the world wide web, including: + + + specialist publications (magazines, books); + + + research papers. + + + + The evaluator should not constrain their consideration + of publicly available information to the above, but + should consider any other relevant information + available. + + While examining the evidence provided the evaluator will + use the information in the public domain to further + search for potential vulnerabilities. Where the + evaluators have identified areas of concern, the + evaluator should consider information publicly available + that relate to those areas of concern. 
+ + The availability of information that may be readily + available to an attacker that helps to identify and + facilitate attacks may substantially enhance the attack + potential of a given attacker. The accessibility of + vulnerability information and sophisticated attack tools + on the Internet makes it more likely that this + information will be used in attempts to identify + potential vulnerabilities in the TOE and exploit + them. Modern search tools make such information easily + available to the evaluator, and the determination of + resistance to published potential vulnerabilities and + well known generic attacks can be achieved in a + cost-effective manner. + + The search of the information publicly available should + be focused on those sources that refer specifically to + the product from which the TOE is derived. The + extensiveness of this search should consider the + following factors: TOE type, evaluator experience in + this TOE type, expected attack potential and the level + of evidence available. + + The identification process is iterative, where the + identification of one potential vulnerability may lead + to identifying another area of concern that requires + further investigation. + + The evaluator will report what actions were taken to + identify potential vulnerabilities in the + evidence. However, in this type of search, the evaluator + may not be able to describe the steps in identifying + potential vulnerabilities before the outset of the + examination, as the approach may evolve as a result of + findings during the search. + + The evaluator will report the evidence examined in + completing the search for potential + vulnerabilities. This selection of evidence may be + derived from those areas of concern identified by the + evaluator, linked to the evidence the attacker is + assumed to be able to obtain, or according to another + rationale provided by the evaluator. 
+ + + + The evaluator shall perform an independent vulnerability + analysis of the TOE using the guidance documentation, + functional specification, TOE design and security + architecture description to identify potential + vulnerabilities in the TOE. + + + The evaluator shall conduct a search of ST, guidance + documentation, functional specification, TOE design and + security architecture description evidence to identify + possible potential vulnerabilities in the TOE. + + A search of the evidence should be completed whereby + specifications and documentation for the TOE are + analysed and then potential vulnerabilities in the TOE + are hypothesised, or speculated. The list of + hypothesised potential vulnerabilities is then + prioritised on the basis of the estimated probability + that a potential vulnerability exists and, assuming an + exploitable vulnerability does exist the attack + potential required to exploit it, and on the extent of + control or compromise it would provide. The prioritised + list of potential vulnerabilities is used to direct + penetration testing against the TOE. + + The security architecture description provides the + developer vulnerability analysis, as it documents how + the TSF protects itself from interference from untrusted + subjects and prevents the bypass of security enforcement + functionality. Therefore, the evaluator should use this + description of the protection of the TSF as a basis for + the search for possible ways to undermine the + TSF. + + Subject to the SFRs the TOE is to meet in the + operational environment, the evaluator's independent + vulnerability analysis should consider generic potential + vulnerabilities under each of the following headings: + + + generic potential vulnerabilities relevant for the + type of TOE being evaluated, as may be supplied by + the evaluation authority; + + bypassing; + + tampering; + + direct attacks; + + monitoring; + + misuse. + + Items b) - f) are explained in greater detail in . 
+ + The security architecture description should be + considered in light of each of the above generic + potential vulnerabilities. Each potential vulnerability + should be considered to search for possible ways in + which to defeat the TSF protection and undermine the + TSF. + + + + The evaluator shall record in the ETR the identified + potential vulnerabilities that are candidates for + testing and applicable to the TOE in its operational + environment. + + It may be identified that no further consideration of + the potential vulnerability is required if for example + the evaluator identifies that measures in the + operational environment, either IT or non-IT, prevent + exploitation of the potential vulnerability in that + operational environment. For instance, restricting + physical access to the TOE to authorised users only may + effectively render a potential vulnerability to + tampering unexploitable. + + The evaluator records any reasons for exclusion of + potential vulnerabilities from further consideration if + the evaluator determines that the potential + vulnerability is not applicable in the operational + environment. Otherwise the evaluator records the + potential vulnerability for further + consideration. + + A list of potential vulnerabilities applicable to the + TOE in its operational environment, which can be used as + an input into penetration testing activities, shall be + reported in the ETR by the evaluators. + + + + The evaluator shall conduct penetration testing, based on + the identified potential vulnerabilities, to determine that + the TOE is resistant to attacks performed by an attacker + possessing Basic attack potential. + + + The evaluator shall devise penetration tests, based on + the independent search for potential + vulnerabilities. 
+ + The evaluator prepares for penetration testing as necessary to + determine the susceptibility of the TOE, in its operational + environment, to the potential vulnerabilities identified during + the search of the sources of information publicly available. + Any current information provided to the evaluator by a third + party (e.g. evaluation authority) regarding known potential + vulnerabilities will be considered by the evaluator, together + with any encountered potential vulnerabilities resulting from + the performance of other evaluation activities. + + The evaluator is reminded that, as for considering the security + architecture description in the search for vulnerabilities (as + detailed in ), testing should + be performed to confirm the architectural properties. This is + likely to require negative tests attempting to disprove the + properties of the security architecture. In developing the + strategy for penetration testing, the evaluator will ensure that + each of the major characteristics of the security architecture + description are tested, either in functional testing (as + considered in ) or evaluator + penetration testing. + + The evaluator will probably find it practical to carry + out penetration test using a series of test cases, where + each test case will test for a specific potential + vulnerability. + + The evaluator is not expected to test for potential + vulnerabilities (including those in the public domain) + beyond those which required a Basic attack potential. In + some cases, however, it will be necessary to carry out a + test before the exploitability can be determined. Where, + as a result of evaluation expertise, the evaluator + discovers an exploitable vulnerability that is beyond + Basic attack potential, this is reported in the ETR as a + residual vulnerability. + + Guidance on determining the necessary attack potential + to exploit a potential vulnerability can be found in + Annex . 
+ + Potential vulnerabilities hypothesised as exploitable + only by attackers possessing Enhanced-Basic, Moderate or + High attack potential do not result in a failure of this + evaluator action. Where analysis supports the + hypothesis, these need not be considered further as an + input to penetration testing. However, such + vulnerabilities are reported in the ETR as residual + vulnerabilities. + + Potential vulnerabilities hypothesised as exploitable by + an attacker possessing a Basic attack potential and + resulting in a violation of the security objectives + should be the highest priority potential vulnerabilities + comprising the list used to direct penetration testing + against the TOE. + + + + The evaluator shall produce penetration test + documentation for the tests based on the list of + potential vulnerabilities in sufficient detail to enable + the tests to be repeatable. The test documentation shall + include: + + + identification of the potential vulnerability the + TOE is being tested for; + + + instructions to connect and setup all required test + equipment as required to conduct the penetration + test; + + + instructions to establish all penetration test + prerequisite initial conditions; + + + instructions to stimulate the TSF; + + + instructions for observing the behaviour of the TSF; + + + descriptions of all expected results and the + necessary analysis to be performed on the observed + behaviour for comparison against expected results; + + + instructions to conclude the test and establish the + necessary post-test state for the TOE. + + + + The evaluator prepares for penetration testing based on + the list of potential vulnerabilities identified during + the search of the public domain and the analysis of the + evaluation evidence. + + The evaluator is not expected to determine the + exploitability for potential vulnerabilities beyond + those for which a Basic attack potential is required to + effect an attack. 
However, as a result of evaluation + expertise, the evaluator may discover a potential + vulnerability that is exploitable only by an attacker + with greater than Basic attack potential. Such + vulnerabilities are to be reported in the ETR as + residual vulnerabilities. + + With an understanding of the potential vulnerability, + the evaluator determines the most feasible way to test + for the TOE's susceptibility. Specifically the evaluator + considers: + + + the TSFI or other TOE interface that will be used to + stimulate the TSF and observe responses (It is + possible that the evaluator will need to use an + interface to the TOE other than the TSFI to + demonstrate properties of the TSF such as those + described in the security architecture description + (as required by ). It + should the noted, that although these TOE interfaces + provide a means of testing the TSF properties, they + are not the subject of the test.); + + + initial conditions that will need to exist for the + test (i.e. any particular objects or subjects that + will need to exist and security attributes they will + need to have); + + + special test equipment that will be required to + either stimulate a TSFI or make observations of a + TSFI (although it is unlikely that specialist + equipment would be required to exploit a potential + vulnerability assuming a Basic attack potential); + + + whether theoretical analysis should replace physical + testing, particularly relevant where the results of + an initial test can be extrapolated to demonstrate + that repeated attempts of an attack are likely to + succeed after a given number of attempts. + + + + The evaluator will probably find it practical to carry + out penetration testing using a series of test cases, + where each test case will test for a specific potential + vulnerability. + + The intent of specifying this level of detail in the + test documentation is to allow another evaluator to + repeat the tests and obtain an equivalent result. 
+ + + + The evaluator shall conduct penetration testing. + + The evaluator uses the penetration test documentation + resulting from work unit as a basis for executing penetration tests + on the TOE, but this does not preclude the evaluator + from performing additional ad hoc penetration tests. If + required, the evaluator may devise ad hoc tests as a + result of information learnt during penetration testing + that, if performed by the evaluator, are to be recorded + in the penetration test documentation. Such tests may be + required to follow up unexpected results or + observations, or to investigate potential + vulnerabilities suggested to the evaluator during the + pre-planned testing. + + Should penetration testing show that a hypothesised + potential vulnerability does not exist, then the + evaluator should determine whether or not the + evaluator's own analysis was incorrect, or if evaluation + deliverables are incorrect or incomplete. + + The evaluator is not expected to test for potential + vulnerabilities (including those in the public domain) + beyond those which required a Basic attack potential. In + some cases, however, it will be necessary to carry out a + test before the exploitability can be determined. Where, + as a result of evaluation expertise, the evaluator + discovers an exploitable vulnerability that is beyond + basic attack potential, this is reported in the ETR as a + residual vulnerability. + + + + The evaluator shall record the actual results of the + penetration tests. + + While some specific details of the actual test results + may be different from those expected (e.g. time and date + fields in an audit record) the overall result should be + identical. Any unexpected test results should be + investigated. The impact on the evaluation should be + stated and justified. + + + + The evaluator shall report in the ETR the evaluator + penetration testing effort, outlining the testing + approach, configuration, depth and results. 
+
+ The penetration testing information reported in the ETR
+ allows the evaluator to convey the overall penetration
+ testing approach and effort expended on this
+ sub-activity. The intent of providing this information
+ is to give a meaningful overview of the evaluator's
+ penetration testing effort. It is not intended that the
+ information regarding penetration testing in the ETR be
+ an exact reproduction of specific test steps or results
+ of individual penetration tests. The intention is to
+ provide enough detail to allow other evaluators and
+ evaluation authorities to gain some insight about the
+ penetration testing approach chosen, amount of
+ penetration testing performed, TOE test configurations,
+ and the overall results of the penetration testing
+ activity.
+
+ Information that would typically be found in the ETR
+ subclause regarding evaluator penetration testing efforts
+ is:
+
+
+ TOE test configurations. The particular
+ configurations of the TOE that were penetration
+ tested;
+
+
+ TSFI penetration tested. A brief listing of the TSFI
+ and other TOE interfaces that were the focus of the
+ penetration testing;
+
+
+ Verdict for the sub-activity. The overall judgement
+ on the results of penetration testing.
+
+
+
+ This list is by no means exhaustive and is only intended
+ to provide some context as to the type of information
+ that should be present in the ETR concerning the
+ penetration testing the evaluator performed during the
+ evaluation.
+
+
+
+ The evaluator shall examine the results of all
+ penetration testing to determine that the TOE, in its
+ operational environment, is resistant to an attacker
+ possessing a Basic attack potential.
+
+ If the results reveal that the TOE, in its operational
+ environment, has vulnerabilities exploitable by an
+ attacker possessing less than an Enhanced-Basic attack
+ potential, then this evaluator action fails.
+
+ The guidance in should be used to determine the attack
+ potential required to exploit a particular vulnerability
+ and whether it can therefore be exploited in the
+ intended environment. It may not be necessary for the
+ attack potential to be calculated in every instance,
+ only if there is some doubt as to whether or not the
+ vulnerability can be exploited by an attacker possessing
+ an attack potential less than Enhanced-Basic.
+
+
+
+ The evaluator shall report in the ETR all exploitable
+ vulnerabilities and residual vulnerabilities, detailing
+ for each:
+
+
+ its source (e.g. CEM activity being undertaken when
+ it was conceived, known to the evaluator, read in a
+ publication);
+
+
+ the SFR(s) not met;
+
+
+ a description;
+
+
+ whether it is exploitable in its operational
+ environment or not (i.e. exploitable or residual).
+
+
+ the amount of time, level of expertise, level of
+ knowledge of the TOE, level of opportunity and the
+ equipment required to perform the identified
+ vulnerabilities, and the corresponding values using
+ the tables and
+ of Annex .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A vulnerability analysis is performed by the evaluator to
+ ascertain the presence of potential
+ vulnerabilities.
+
+ The evaluator performs penetration testing, to confirm
+ that the potential vulnerabilities cannot be exploited in
+ the operational environment for the TOE. Penetration
+ testing is performed by the evaluator assuming an attack
+ potential of Enhanced-Basic.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TOE, in its operational environment, has
+ vulnerabilities exploitable by attackers possessing
+ Enhanced-Basic attack potential.
+
+
+
+ During the conduct of evaluation activities the evaluator
+ may also identify areas of concern.
These are specific
+ portions of the TOE evidence that the evaluator has some
+ reservation about, although the evidence meets the
+ requirements for the activity with which the evidence is
+ associated. For example, a particular interface
+ specification looks particularly complex, and therefore
+ may be prone to error either in the development of the TOE
+ or in the operation of the TOE. There is no potential
+ vulnerability apparent at this stage, further
+ investigation is required. This is beyond the bounds of
+ encountered, as further investigation is required.
+
+ The focused approach to the identification of potential
+ vulnerabilities is an analysis of the evidence with the
+ aim of identifying any potential vulnerabilities evident
+ through the contained information. It is an unstructured
+ analysis, as the approach is not predetermined. Further
+ guidance on focused vulnerability analysis can be found in
+ Annex .
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+ the functional specification;
+
+ the TOE design;
+
+ the security architecture description;
+
+ the implementation subset selected;
+
+ the guidance documentation;
+
+ the TOE suitable for testing;
+
+ information publicly available to support the identification of possible potential vulnerabilities;
+
+ the results of the testing of the basic design.
+
+
+ The remaining implicit evaluation evidence for this
+ sub-activity depends on the components that have been
+ included in the assurance package. The evidence provided
+ for each component is to be used as input in this
+ sub-activity.
+
+ Other input for this sub-activity is:
+
+
+ current information regarding public domain potential
+ vulnerabilities and attacks (e.g. from an evaluation
+ authority).
+
+
+
+
+ The developer shall provide the TOE for testing.
+
+
+ The TOE shall be suitable for testing.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the TOE to determine that
+ the test configuration is consistent with the
+ configuration under evaluation as specified in the
+ ST.
+
+ The TOE provided by the developer and identified in the
+ test plan should have the same unique reference as
+ established by the
+ sub-activities and identified in the ST
+ introduction.
+
+ It is possible for the ST to specify more than one
+ configuration for evaluation. The TOE may comprise a
+ number of distinct hardware and software entities that
+ need to be tested in accordance with the ST. The
+ evaluator verifies that all test configurations are
+ consistent with the ST.
+
+ The evaluator should consider the security objectives
+ for the operational environment described in the ST that
+ may apply to the test environment and ensure they are
+ met in the testing environment. There may be some
+ objectives for the operational environment that do not
+ apply to the test environment. For example, an objective
+ about user clearances may not apply; however, an
+ objective about a single point of connection to a
+ network would apply.
+
+ If any test resources are used (e.g. meters, analysers)
+ it will be the evaluator's responsibility to ensure that
+ these resources are calibrated correctly.
+
+
+
+
+ The evaluator shall examine the TOE to determine that it
+ has been installed properly and is in a known
+ state
+
+ It is possible for the evaluator to determine the state
+ of the TOE in a number of ways. For example, previous
+ successful completion of the sub-activity will satisfy this work unit
+ if the evaluator still has confidence that the TOE being
+ used for testing was installed properly and is in a
+ known state.
If this is not the case, then the evaluator
+ should follow the developer's procedures to install and
+ start up the TOE, using the supplied guidance
+ only.
+
+ If the evaluator has to perform the installation
+ procedures because the TOE is in an unknown state, this
+ work unit when successfully completed could satisfy work
+ unit .
+
+
+
+ The evaluator shall perform a search of public domain
+ sources to identify potential vulnerabilities in the TOE.
+
+
+ The evaluator shall examine sources of information
+ publicly available to identify potential vulnerabilities
+ in the TOE.
+
+ The evaluator examines the sources of information
+ publicly available to support the identification of
+ possible potential vulnerabilities in the TOE. There are
+ many sources of publicly available information which the
+ evaluator should consider using items such as those
+ available on the world wide web, including:
+
+
+ specialist publications (magazines, books);
+
+
+ research papers;
+
+
+ conference proceedings.
+
+
+
+ The evaluator should not constrain their consideration
+ of publicly available information to the above, but
+ should consider any other relevant information
+ available.
+
+ While examining the evidence provided the evaluator will
+ use the information in the public domain to further
+ search for potential vulnerabilities. Where the
+ evaluators have identified areas of concern, the
+ evaluator should consider information publicly available
+ that relate to those areas of concern.
+
+ The availability of information that may be readily
+ available to an attacker that helps to identify and
+ facilitate attacks may substantially enhance the attack
+ potential of a given attacker. The accessibility of
+ vulnerability information and sophisticated attack tools
+ on the Internet makes it more likely that this
+ information will be used in attempts to identify
+ potential vulnerabilities in the TOE and exploit
+ them.
Modern search tools make such information easily
+ available to the evaluator, and the determination of
+ resistance to published potential vulnerabilities and
+ well known generic attacks can be achieved in a
+ cost-effective manner.
+
+ The search of the information publicly available should
+ be focused on those sources that refer to the
+ technologies used in the development of the product from
+ which the TOE is derived. The extensiveness of this
+ search should consider the following factors: TOE type,
+ evaluator experience in this TOE type, expected attack
+ potential and the level of
+ evidence available.
+
+ The identification process is iterative, where the
+ identification of one potential vulnerability may lead
+ to identifying another area of concern that requires
+ further investigation.
+
+ The evaluator will report what actions were taken to
+ identify potential vulnerabilities in the
+ evidence. However, in this type of search, the evaluator
+ may not be able to describe the steps in identifying
+ potential vulnerabilities before the outset of the
+ examination, as the approach may evolve as a result of
+ findings during the search.
+
+ The evaluator will report the evidence examined in
+ completing the search for potential
+ vulnerabilities. This selection of evidence may be
+ derived from those areas of concern identified by the
+ evaluator, linked to the evidence the attacker is
+ assumed to be able to obtain, or according to another
+ rationale provided by the evaluator.
+
+
+
+ The evaluator shall perform an independent, focused vulnerability analysis of the
+ TOE using the guidance documentation, functional specification, TOE design, security
+ architecture description and implementation representation to identify potential
+ vulnerabilities in the TOE.
+
+
+ The evaluator shall conduct a focused search of ST,
+ guidance documentation, functional specification, TOE
+ design, security architecture description and
+ implementation representation to identify possible
+ potential vulnerabilities in the TOE.
+
+ A flaw hypothesis methodology needs to be used whereby
+ specifications and development and guidance evidence are
+ analysed and then potential vulnerabilities in the TOE are
+ hypothesised, or speculated.
+
+ The evaluator uses the knowledge of the TOE design and operation
+ gained from the TOE deliverables to conduct a flaw hypothesis to
+ identify potential flaws in the development of the TOE and
+ potential errors in the specified method of operation of the
+ TOE.
+
+ The security architecture description provides the developer
+ vulnerability analysis, as it documents how the TSF protects
+ itself from interference from untrusted subjects and prevents
+ the bypass of security enforcement functionality. Therefore, the
+ evaluator should build upon the understanding of the TSF
+ protection gained from the analysis of this evidence and then
+ develop this in the knowledge gained from other development
+ evidence.
+
+
+ The approach taken is directed by areas of concern
+ identified during examination of the evidence during the
+ conduct of evaluation activities and ensuring a
+ representative sample of the development and guidance
+ evidence provided for the evaluation is searched.
+
+ For guidance on sampling see Annex . This guidance
+ should be considered when selecting the subset, giving
+ reasons for:
+
+
+ the approach used in selection;
+
+
+ qualification that the evidence to be examined
+ supports that approach.
+
+
+
+ The areas of concern may relate to the sufficiency of
+ specific protection features detailed in the security
+ architecture description.
+
+ The evidence to be considered during the vulnerability analysis
+ may be linked to the evidence the attacker is assumed to be able
+ to obtain.
For example, the developer may protect the TOE design
+ and implementation representations, so the only information
+ assumed to be available to an attacker is the functional
+ specification and guidance (publicly available). So, although
+ the objectives for assurance in the TOE ensure the TOE design
+ and implementation representation requirements are met, these
+ design representations may only be searched to further
+ investigate areas of concerns.
+
+ On the other hand, if the source is publicly available it would
+ be reasonable to assume that the attacker has access to the
+ source and can use this in attempts to attack the
+ TOE. Therefore, the source should be considered in the focused
+ examination approach.
+
+ The following indicates examples for the selection of
+ the subset of evidence to be considered:
+
+
+ For an evaluation where all levels of design
+ abstraction from functional specification to
+ implementation representation are provided,
+ examination of information in the functional
+ specification and the implementation representation
+ may be selected, as the functional specification
+ provides detail of interfaces available to an
+ attacker, and the implementation representation
+ incorporates the design decisions made at all other
+ design abstractions. Therefore, the TOE design
+ information will be considered as part of the
+ implementation representation.
+
+
+ Examination of a particular subset of information in
+ each of the design representations provided for the
+ evaluation.
+
+
+ Coverage of particular SFRs through each of the
+ design representations provided for the evaluation.
+
+
+ Examination of each of the design representations
+ provided for the evaluation, considering different
+ SFRs within each design representations.
+
+
+ Examination of aspects of the evidence provided for
+ the evaluation relating to current potential
+ vulnerability information the evaluator has received
+ (e.g. from a scheme).
+
+
+
+ This approach to identification of potential
+ vulnerabilities is to take an ordered and planned
+ approach; applying a system to the examination. The
+ evaluator is to describe the method to be used in terms
+ of what evidence will be considered, the information
+ within the evidence that is to be examined, the manner
+ in which this information is to be considered and the
+ hypothesis that is to be created.
+
+ The following provide some examples that a hypothesis
+ may take:
+
+
+ consideration of malformed input for interfaces
+ available to an attacker at the external interfaces;
+
+
+ examination of a key security mechanism cited in the
+ security architecture description, such as process
+ separation, hypothesising internal buffer overflows
+ that may lead to degradation of separation;
+
+
+ search to identify any objects created in the TOE
+ implementation representation that are then not
+ fully controlled by the TSF, and could be used by an
+ attacker to undermine SFRs.
+
+
+
+ For example, the evaluator may identify that interfaces
+ are a potential area of weakness in the TOE and specify
+ an approach to the search that ``all interface
+ specifications provided in the functional specification
+ and TOE design will be searched to hypothesise potential
+ vulnerabilities'' and go on to explain the methods used
+ in the hypothesis.
+
+ The identification process is iterative, where the
+ identification of one potential vulnerability may lead
+ to identifying another area of concern that requires
+ further investigation.
+
+ The evaluator will report what actions were taken to
+ identify potential vulnerabilities in the
+ evidence. However, in this type of search, the evaluator
+ may not be able to describe the steps in identifying
+ potential vulnerabilities before the outset of the
+ examination, as the approach may evolve as a result of
+ findings during the search.
+
+ The evaluator will report the evidence examine in
+ completing the search for potential
+ vulnerabilities. This selection of evidence may be
+ derived from those areas of concern identified by the
+ evaluator, linked to the evidence the attacker is
+ assumed to be able to obtain, or according to another
+ rationale provided by the evaluator.
+
+ Subject to the SFRs the TOE is to meet in the
+ operational environment, the evaluator's independent
+ vulnerability analysis should consider generic potential
+ vulnerabilities under each of the following headings:
+
+
+ generic potential vulnerabilities relevant for the
+ type of TOE being evaluated, as may be supplied by
+ the evaluation authority;
+
+ bypassing;
+
+ tampering;
+
+ direct attacks;
+
+ monitoring;
+
+ misuse.
+
+ Items b) - f) are explained in greater detail in .
+
+ The security architecture description should be
+ considered in light of each of the above generic
+ potential vulnerabilities. Each potential vulnerability
+ should be considered to search for possible ways in
+ which to defeat the TSF protection and undermine the
+ TSF.
+
+
+ The evaluator shall record in the ETR the identified
+ potential vulnerabilities that are candidates for
+ testing and applicable to the TOE in its operational
+ environment.
+
+ It may be identified that no further consideration of
+ the potential vulnerability is required if for example
+ the evaluator identifies that measures in the
+ operational environment, either IT or non-IT, prevent
+ exploitation of the potential vulnerability in that
+ operational environment. For instance, restricting
+ physical access to the TOE to authorised users only may
+ effectively render a potential vulnerability to
+ tampering unexploitable.
+
+ The evaluator records any reasons for exclusion of
+ potential vulnerabilities from further consideration if
+ the evaluator determines that the potential
+ vulnerability is not applicable in the operational
+ environment.
Otherwise the evaluator records the
+ potential vulnerability for further
+ consideration.
+
+ A list of potential vulnerabilities applicable to the
+ TOE in its operational environment, which can be used as
+ an input into penetration testing activities, shall be
+ reported in the ETR by the evaluators.
+
+
+ The evaluator shall conduct penetration testing, based on
+ the identified potential vulnerabilities, to determine that
+ the TOE is resistant to attacks performed by an attacker
+ possessing Enhanced-Basic attack potential.
+
+
+ The evaluator shall devise penetration tests, based on
+ the independent search for potential
+ vulnerabilities.
+
+ The evaluator prepares for penetration testing as necessary to
+ determine the susceptibility of the TOE, in its operational
+ environment, to the potential vulnerabilities identified during
+ the search of the sources of information publicly available.
+ Any current information provided to the evaluator by a third
+ party (e.g. evaluation authority) regarding known potential
+ vulnerabilities will be considered by the evaluator, together
+ with any encountered potential vulnerabilities resulting from
+ the performance of other evaluation activities.
+
+ The evaluator is reminded that, as for considering the security
+ architecture description in the search for vulnerabilities (as
+ detailed in ), testing should
+ be performed to confirm the architectural properties. If
+ requirements from are included in
+ the SARs, the developer testing evidence will include testing
+ performed to confirm the correct implementation of any specific
+ mechanisms detailed in the security architecture
+ description. However, the developer testing will not necessarily
+ include testing of all aspects of the architectural properties
+ that protect the TSF, as much of this testing will be negative
+ testing in nature, attempting to disprove the properties.
In
+ developing the strategy for penetration testing, the evaluator
+ will ensure that all aspects of the security architecture
+ description are tested, either in functional testing (as
+ considered in ) or evaluator
+ penetration testing.
+
+ It will probably be practical to carry out penetration
+ test using a series of test cases, where each test case
+ will test for a specific potential vulnerability.
+
+ The evaluator is not expected to test for potential
+ vulnerabilities (including those in the public domain)
+ beyond those which required an Enhanced-Basic attack
+ potential. In some cases, however, it will be necessary
+ to carry out a test before the exploitability can be
+ determined. Where, as a result of evaluation expertise,
+ the evaluator discovers an exploitable vulnerability
+ that is beyond Enhanced-Basic attack potential, this is
+ reported in the ETR as a residual vulnerability.
+
+ Guidance on determining the necessary attack potential
+ to exploit a potential vulnerability can be found in
+ Annex .
+
+ Potential vulnerabilities hypothesised as exploitable
+ only by attackers possessing Moderate or High attack
+ potential do not result in a failure of this evaluator
+ action. Where analysis supports the hypothesis, these
+ need not be considered further as an input to
+ penetration testing. However, such vulnerabilities are
+ reported in the ETR as residual vulnerabilities.
+
+ Potential vulnerabilities hypothesised as exploitable by
+ an attacker possessing a Basic or Enhanced-Basic attack
+ potential and resulting in a violation of the security
+ objectives should be the highest priority potential
+ vulnerabilities comprising the list used to direct
+ penetration testing against the TOE.
+
+
+
+ The evaluator shall produce penetration test
+ documentation for the tests based on the list of
+ potential vulnerabilities in sufficient detail to enable
+ the tests to be repeatable.
The test documentation shall
+ include:
+
+
+ identification of the potential vulnerability the
+ TOE is being tested for;
+
+
+ instructions to connect and setup all required test
+ equipment as required to conduct the penetration
+ test;
+
+
+ instructions to establish all penetration test
+ prerequisite initial conditions;
+
+
+ instructions to stimulate the TSF;
+
+
+ instructions for observing the behaviour of the TSF;
+
+
+ descriptions of all expected results and the
+ necessary analysis to be performed on the observed
+ behaviour for comparison against expected results;
+
+
+ instructions to conclude the test and establish the
+ necessary post-test state for the TOE.
+
+
+
+ The evaluator prepares for penetration testing based on
+ the list of potential vulnerabilities identified during
+ the search of the public domain and the analysis of the
+ evaluation evidence.
+
+ The evaluator is not expected to determine the
+ exploitability for potential vulnerabilities beyond
+ those for which an Enhanced-Basic attack potential is
+ required to effect an attack. However, as a result of
+ evaluation expertise, the evaluator may discover a
+ potential vulnerability that is exploitable only by an
+ attacker with greater than Enhanced-Basic attack
+ potential. Such vulnerabilities are to be reported in
+ the ETR as residual vulnerabilities.
+
+ With an understanding of the potential vulnerability,
+ the evaluator determines the most feasible way to test
+ for the TOE's susceptibility. Specifically the evaluator
+ considers:
+
+
+ the TSFI or other TOE interface that will be used to
+ stimulate the TSF and observe responses (It is
+ possible that the evaluator will need to use an
+ interface to the TOE other than the TSFI to
+ demonstrate properties of the TSF such as those
+ described in the security architecture description
+ (as required by ).
It
+ should the noted, that although these TOE interfaces
+ provide a means of testing the TSF properties, they
+ are not the subject of the test.);
+
+
+ initial conditions that will need to exist for the
+ test (i.e. any particular objects or subjects that
+ will need to exist and security attributes they will
+ need to have);
+
+
+ special test equipment that will be required to
+ either stimulate a TSFI or make observations of a
+ TSFI (although it is unlikely that specialist
+ equipment would be required to exploit a potential
+ vulnerability assuming an Enhanced-Basic attack
+ potential);
+
+
+ whether theoretical analysis should replace physical
+ testing, particularly relevant where the results of
+ an initial test can be extrapolated to demonstrate
+ that repeated attempts of an attack are likely to
+ succeed after a given number of attempts.
+
+
+
+ The evaluator will probably find it practical to carry
+ out penetration testing using a series of test cases,
+ where each test case will test for a specific potential
+ vulnerability.
+
+ The intent of specifying this level of detail in the
+ test documentation is to allow another evaluator to
+ repeat the tests and obtain an equivalent result.
+
+
+
+ The evaluator shall conduct penetration testing.
+
+ The evaluator uses the penetration test documentation
+ resulting from work unit as a basis for executing penetration tests
+ on the TOE, but this does not preclude the evaluator
+ from performing additional ad hoc penetration tests. If
+ required, the evaluator may devise ad hoc tests as a
+ result of information learnt during penetration testing
+ that, if performed by the evaluator, are to be recorded
+ in the penetration test documentation. Such tests may be
+ required to follow up unexpected results or
+ observations, or to investigate potential
+ vulnerabilities suggested to the evaluator during the
+ pre-planned testing.
+
+ Should penetration testing show that a hypothesised
+ potential vulnerability does not exist, then the
+ evaluator should determine whether or not the
+ evaluator's own analysis was incorrect, or if evaluation
+ deliverables are incorrect or incomplete.
+
+ The evaluator is not expected to test for potential
+ vulnerabilities (including those in the public domain)
+ beyond those which required an Enhanced-Basic attack
+ potential. In some cases, however, it will be necessary
+ to carry out a test before the exploitability can be
+ determined. Where, as a result of evaluation expertise,
+ the evaluator discovers an exploitable vulnerability
+ that is beyond Enhanced-Basic attack potential, this is
+ reported in the ETR as a residual vulnerability.
+
+
+
+ The evaluator shall record the actual results of the
+ penetration tests.
+
+ While some specific details of the actual test results
+ may be different from those expected (e.g. time and date
+ fields in an audit record) the overall result should be
+ identical. Any unexpected test results should be
+ investigated. The impact on the evaluation should be
+ stated and justified.
+
+
+
+ The evaluator shall report in the ETR the evaluator
+ penetration testing effort, outlining the testing
+ approach, configuration, depth and results.
+
+ The penetration testing information reported in the ETR
+ allows the evaluator to convey the overall penetration
+ testing approach and effort expended on this
+ sub-activity. The intent of providing this information
+ is to give a meaningful overview of the evaluator's
+ penetration testing effort. It is not intended that the
+ information regarding penetration testing in the ETR be
+ an exact reproduction of specific test steps or results
+ of individual penetration tests.
The intention is to
+ provide enough detail to allow other evaluators and
+ evaluation authorities to gain some insight about the
+ penetration testing approach chosen, amount of
+ penetration testing performed, TOE test configurations,
+ and the overall results of the penetration testing
+ activity.
+
+ Information that would typically be found in the ETR
+ subclause regarding evaluator penetration testing efforts
+ is:
+
+
+ TOE test configurations. The particular
+ configurations of the TOE that were penetration
+ tested;
+
+
+ TSFI penetration tested. A brief listing of the TSFI
+ and other TOE interfaces that were the focus of the
+ penetration testing;
+
+
+ Verdict for the sub-activity. The overall judgement
+ on the results of penetration testing.
+
+
+
+ This list is by no means exhaustive and is only intended
+ to provide some context as to the type of information
+ that should be present in the ETR concerning the
+ penetration testing the evaluator performed during the
+ evaluation.
+
+
+
+ The evaluator shall examine the results of all
+ penetration testing to determine that the TOE, in its
+ operational environment, is resistant to an attacker
+ possessing an Enhanced-Basic attack potential.
+
+ If the results reveal that the TOE, in its operational
+ environment, has vulnerabilities exploitable by an
+ attacker possessing less than Moderate attack potential,
+ then this evaluator action fails.
+
+ The guidance in should be used to determine the attack
+ potential required to exploit a particular vulnerability
+ and whether it can therefore be exploited in the
+ intended environment. It may not be necessary for the
+ attack potential to be calculated in every instance,
+ only if there is some doubt as to whether or not the
+ vulnerability can be exploited by an attacker possessing
+ an attack potential less than Moderate.
+
+
+
+ The evaluator shall report in the ETR all exploitable
+ vulnerabilities and residual vulnerabilities, detailing
+ for each:
+
+
+ its source (e.g. CEM activity being undertaken when
+ it was conceived, known to the evaluator, read in a
+ publication);
+
+
+ the SFR(s) not met;
+
+
+ a description;
+
+
+ whether it is exploitable in its operational
+ environment or not (i.e. exploitable or residual).
+
+
+ the amount of time, level of expertise, level of
+ knowledge of the TOE, level of opportunity and the
+ equipment required to perform the identified
+ vulnerabilities, and the corresponding values using
+ the tables and
+ of Annex .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A methodical vulnerability analysis is performed by the
+ evaluator to ascertain the presence of potential
+ vulnerabilities.
+
+ The evaluator performs penetration testing, to confirm
+ that the potential vulnerabilities cannot be exploited in
+ the operational environment for the TOE. Penetration
+ testing is performed by the evaluator assuming an attack
+ potential of Moderate.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TOE, in its operational environment, has
+ vulnerabilities exploitable by attackers possessing
+ Moderate attack potential.
+
+
+
+ The methodical analysis approach takes the form of a
+ structured examination of the evidence. This method
+ requires the evaluator to specify the structure and form
+ the analysis will take (i.e. the manner in which the
+ analysis is performed is predetermined, unlike the focused
+ analysis). The method is specified in terms of the
+ information that will be considered and how/why it will be
+ considered. Further guidance on methodical vulnerability
+ analysis can be found in Annex .
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+ the functional specification;
+
+ the TOE design;
+
+ the security architecture description;
+
+ the implementation representation;
+
+ the guidance documentation;
+
+ the TOE suitable for testing;
+
+ information publicly available to support the identification of possible potential vulnerabilities;
+
+ the results of the testing of the basic design.
+
+
+ The remaining implicit evaluation evidence for this
+ sub-activity depends on the components that have been
+ included in the assurance package. The evidence provided
+ for each component is to be used as input in this
+ sub-activity.
+
+ Other input for this sub-activity is:
+
+
+ current information regarding public domain potential
+ vulnerabilities and attacks (e.g. from an evaluation
+ authority).
+
+
+
+
+ The developer shall provide the TOE for testing.
+
+
+ The TOE shall be suitable for testing.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+
+ The evaluator shall examine the TOE to determine that
+ the test configuration is consistent with the
+ configuration under evaluation as specified in the
+ ST.
+
+ The TOE provided by the developer and identified in the
+ test plan should have the same unique reference as
+ established by the
+ sub-activities and identified in the ST
+ introduction.
+
+ It is possible for the ST to specify more than one
+ configuration for evaluation. The TOE may comprise a
+ number of distinct hardware and software entities that
+ need to be tested in accordance with the ST. The
+ evaluator verifies that all test configurations are
+ consistent with the ST.
+
+ The evaluator should consider the security objectives
+ for the operational environment described in the ST that
+ may apply to the test environment and ensure they are
+ met in the testing environment.
There may be some
+ objectives for the operational environment that do not
+ apply to the test environment. For example, an objective
+ about user clearances may not apply; however, an
+ objective about a single point of connection to a
+ network would apply.
+
+ If any test resources are used (e.g. meters, analysers)
+ it will be the evaluator's responsibility to ensure that
+ these resources are calibrated correctly.
+
+
+
+
+ The evaluator shall examine the TOE to determine that it
+ has been installed properly and is in a known
+ state
+
+ It is possible for the evaluator to determine the state
+ of the TOE in a number of ways. For example, previous
+ successful completion of the sub-activity will satisfy this work unit
+ if the evaluator still has confidence that the TOE being
+ used for testing was installed properly and is in a
+ known state. If this is not the case, then the evaluator
+ should follow the developer's procedures to install and
+ start up the TOE, using the supplied guidance
+ only.
+
+ If the evaluator has to perform the installation
+ procedures because the TOE is in an unknown state, this
+ work unit when successfully completed could satisfy work
+ unit .
+
+
+
+ The evaluator shall perform a search of public domain
+ sources to identify potential vulnerabilities in the TOE.
+
+
+ The evaluator shall examine sources of information
+ publicly available to identify potential vulnerabilities
+ in the TOE.
+
+ The evaluator examines the sources of information
+ publicly available to support the identification of
+ possible potential vulnerabilities in the TOE. There are
+ many sources of publicly available information which the
+ evaluator should consider using items such as those
+ available on the world wide web, including:
+
+
+ specialist publications (magazines, books);
+
+
+ research papers;
+
+
+ conference proceedings.
+
+
+
+ The evaluator should not constrain their consideration
+ of publicly available information to the above, but
+ should consider any other relevant information
+ available.
+
+ While examining the evidence provided the evaluator will
+ use the information in the public domain to further
+ search for potential vulnerabilities. Where the
+ evaluators have identified areas of concern, the
+ evaluator should consider information publicly available
+ that relate to those areas of concern.
+
+ The availability of information that may be readily
+ available to an attacker that helps to identify and
+ facilitate attacks may substantially enhance the attack
+ potential of a given attacker. The accessibility of
+ vulnerability information and sophisticated attack tools
+ on the Internet makes it more likely that this
+ information will be used in attempts to identify
+ potential vulnerabilities in the TOE and exploit
+ them. Modern search tools make such information easily
+ available to the evaluator, and the determination of
+ resistance to published potential vulnerabilities and
+ well known generic attacks can be achieved in a
+ cost-effective manner.
+
+ The search of the information publicly available should
+ be focused on those sources that refer to the
+ technologies used in the development of the product from
+ which the TOE is derived. The extensiveness of this
+ search should consider the following factors: TOE type,
+ evaluator experience in this TOE type, expected attack
+ potential and the level of
+ evidence available.
+
+ The identification process is iterative, where the
+ identification of one potential vulnerability may lead
+ to identifying another area of concern that requires
+ further investigation.
+
+ The evaluator will describe the approach to be taken to
+ identify potential vulnerabilities in the publicly
+ available material, detailing the search to be
+ performed.
This may be driven by factors such as areas
+ of concern identified by the evaluator, linked to the
+ evidence the attacker is assumed to be able to obtain.
+ However, it is recognised that in this type of search
+ the approach may further evolve as a result of findings
+ during the search. Therefore, the evaluator will also
+ report any actions taken in addition to those described
+ in the approach to further investigate issues thought to
+ lead to potential vulnerabilities, and will report the
+ evidence examined in completing the search for potential
+ vulnerabilities.
+
+
+
+ The evaluator shall perform an independent, methodical
+ vulnerability analysis of the TOE using the guidance
+ documentation, functional specification, TOE design,
+ security architecture description and implementation
+ representation to identify potential vulnerabilities in the
+ TOE.
+
+
+ The evaluator shall conduct a methodical analysis of ST,
+ guidance documentation, functional specification, TOE
+ design, security architecture description and
+ implementation representation to identify possible
+ potential vulnerabilities in the TOE.
+
+ Guidance on methodical vulnerability analysis is
+ provided in Annex .
+
+ This approach to identification of potential
+ vulnerabilities is to take an ordered and planned
+ approach. A system is to be applied in the
+ examination. The evaluator is to describe the method to
+ be used in terms of the manner in which this information
+ is to be considered and the hypothesis that is to be
+ created.
+
+ A flaw hypothesis methodology needs to be used whereby the ST,
+ development (functional specification, TOE design and
+ implementation representation) and guidance evidence are
+ analysed and then vulnerabilities in the TOE are hypothesised,
+ or speculated.
+
+ The evaluator uses the knowledge of the TOE design and operation
+ gained from the TOE deliverables to conduct a flaw hypothesis to
+ identify potential flaws in the development of the TOE and
+ potential errors in the specified method of operation of the
+ TOE.
+
+ The security architecture description provides the developer
+ vulnerability analysis, as it documents how the TSF protects
+ itself from interference from untrusted subjects and prevents
+ the bypass of security enforcement functionality. Therefore, the
+ evaluator should build upon the understanding of the TSF
+ protection gained from the analysis of this evidence and then
+ develop this in the knowledge gained from other development
+ evidence.
+
+ The approach taken to the methodical search for vulnerabilities
+ is to consider any areas of concern identified in the results of
+ the evaluator's assessment of the development and guidance
+ evidence. However, the evaluator should also consider each
+ aspect of the security architecture analysis to search for any
+ ways in which the protection of the TSF can be undermined. It
+ may be helpful to structure the methodical analysis on the basis
+ of the material presented in the security architecture
+ description, introducing concerns from other evidence as appropriate. The analysis can then be
+ further developed to ensure all other material from the evidence is considered.
+
+ The following provide some examples of hypotheses that
+ may be created when examining the evidence:
+
+
+ consideration of malformed input for interfaces
+ available to an attacker at the external interfaces;
+
+
+ examination of a key security mechanism cited in the
+ security architecture description, such as process
+ separation, hypothesising internal buffer overflows
+ that may lead to degradation of separation;
+
+
+ search to identify any objects created in the TOE
+ implementation representation that are then not
+ fully controlled by the TSF, and could be used by an
+ attacker to undermine SFRs.
+
+
+
+ For example, the evaluator may identify that interfaces
+ are a potential area of weakness in the TOE and specify
+ an approach to the search that 'all interface
+ specifications in the evidence provided will be searched
+ to hypothesise potential vulnerabilities' and go on to
+ explain the methods used in the hypothesis.
+
+ In addition, areas of concern the evaluator has identified
+ during examination of the evidence during the conduct of
+ evaluation activities. Areas of concern may also be identified
+ during the conduct of other work units associated with this
+ component, in particular ,
+ and where the development and conduct of penetration
+ tests may identify further areas of concerns for investigation,
+ or potential vulnerabilities.
+
+ However, examination of only a subset of the development
+ and guidance evidence or their contents is not permitted
+ in this level of rigour. The approach description should
+ provide a demonstration that the methodical approach
+ used is complete, providing confidence that the approach
+ used to search the deliverables has considered all of
+ the information provided in those deliverables.
+
+ This approach to identification of potential vulnerabilities is
+ to take an ordered and planned approach; applying a system to
+ the examination.
The evaluator is to describe the method to be
+ used in terms of how the evidence will be considered; the manner
+ in which this information is to be considered and the hypothesis
+ that is to be created. This approach should be agreed with the
+ evaluation authority, and the evaluation authority may
+ provide detail of any additional approaches the evaluator should
+ take to the vulnerability analysis and identify any additional
+ information that should be considered by the evaluator.
+
+ Although a system to identifying potential
+ vulnerabilities is predefined, the identification
+ process may still be iterative, where the identification
+ of one potential vulnerability may lead to identifying
+ another area of concern that requires further
+ investigation.
+
+ Subject to the SFRs the TOE is to meet in the
+ operational environment, the evaluator's independent
+ vulnerability analysis should consider generic potential
+ vulnerabilities under each of the following headings:
+
+
+ generic potential vulnerabilities relevant for the
+ type of TOE being evaluated, as may be supplied by
+ the evaluation authority;
+
+ bypassing;
+
+ tampering;
+
+ direct attacks;
+
+ monitoring;
+
+ misuse.
+
+ Items b) - f) are explained in greater detail in .
+
+ The security architecture description should be
+ considered in light of each of the above generic
+ potential vulnerabilities. Each potential vulnerability
+ should be considered to search for possible ways in
+ which to defeat the TSF protection and undermine the
+ TSF.
+
+
+
+ The evaluator shall record in the ETR the identified
+ potential vulnerabilities that are candidates for
+ testing and applicable to the TOE in its operational
+ environment.
+
+ It may be identified that no further consideration of
+ the potential vulnerability is required if for example
+ the evaluator identifies that measures in the
+ operational environment, either IT or non-IT, prevent
+ exploitation of the potential vulnerability in that
+ operational environment. For instance, restricting
+ physical access to the TOE to authorised users only may
+ effectively render a potential vulnerability to
+ tampering unexploitable.
+
+ The evaluator records any reasons for exclusion of
+ potential vulnerabilities from further consideration if
+ the evaluator determines that the potential
+ vulnerability is not applicable in the operational
+ environment. Otherwise the evaluator records the
+ potential vulnerability for further
+ consideration.
+
+ A list of potential vulnerabilities applicable to the
+ TOE in its operational environment, which can be used as
+ an input into penetration testing activities, shall be
+ reported in the ETR by the evaluators.
+
+
+
+ The evaluator shall conduct penetration testing based on the
+ identified potential vulnerabilities to determine that the
+ TOE is resistant to attacks performed by an attacker
+ possessing Moderate attack potential.
+
+
+ The evaluator shall devise penetration tests, based on
+ the independent search for potential
+ vulnerabilities.
+
+ The evaluator prepares for penetration testing as necessary to
+ determine the susceptibility of the TOE, in its operational
+ environment, to the potential vulnerabilities identified during
+ the search of the sources of information publicly available.
+ Any current information provided to the evaluator by a third
+ party (e.g. evaluation authority) regarding known potential
+ vulnerabilities will be considered by the evaluator, together
+ with any encountered potential vulnerabilities resulting from
+ the performance of other evaluation activities.
+
+ The evaluator is reminded that, as for considering the
+ security architecture description in the search for
+ vulnerabilities (as detailed in ), testing should be performed to confirm the
+ architectural properties. If requirements from are included in the SARs, the
+ developer testing evidence will include testing
+ performed to confirm the correct implementation of any
+ specific mechanisms detailed in the security
+ architecture description. However, the developer testing
+ will not necessarily include testing of all aspects of
+ the architectural properties that protect the TSF, as
+ much of this testing will be negative testing in nature,
+ attempting to disprove the properties. In developing the
+ strategy for penetration testing, the evaluator will
+ ensure that all aspects of the security architecture
+ description are tested, either in functional testing (as
+ considered in ) or evaluator
+ penetration testing.
+
+ The evaluator will probably find it practical to carry
+ out penetration test using a series of test cases, where
+ each test case will test for a specific potential
+ vulnerability.
+
+ The evaluator is not expected to test for potential
+ vulnerabilities (including those in the public domain)
+ beyond those which required a Moderate attack
+ potential. In some cases, however, it will be necessary
+ to carry out a test before the exploitability can be
+ determined. Where, as a result of evaluation expertise,
+ the evaluator discovers an exploitable vulnerability
+ that is beyond Moderate attack potential, this is
+ reported in the ETR as a residual vulnerability.
+
+ Guidance on determining the necessary attack potential
+ to exploit a potential vulnerability can be found in
+ Annex .
+
+ Potential vulnerabilities hypothesised as exploitable by
+ an attacker possessing a Moderate (or less) attack
+ potential and resulting in a violation of the security
+ objectives should be the highest priority potential
+ vulnerabilities comprising the list used to direct
+ penetration testing against the TOE.
+
+
+
+ The evaluator shall produce penetration test
+ documentation for the tests based on the list of
+ potential vulnerabilities in sufficient detail to enable
+ the tests to be repeatable. The test documentation shall
+ include:
+
+
+ identification of the potential vulnerability the
+ TOE is being tested for;
+
+
+ instructions to connect and setup all required test
+ equipment as required to conduct the penetration
+ test;
+
+
+ instructions to establish all penetration test
+ prerequisite initial conditions;
+
+
+ instructions to stimulate the TSF;
+
+
+ instructions for observing the behaviour of the TSF;
+
+
+ descriptions of all expected results and the
+ necessary analysis to be performed on the observed
+ behaviour for comparison against expected results;
+
+
+ instructions to conclude the test and establish the
+ necessary post-test state for the TOE.
+
+
+
+ The evaluator prepares for penetration testing based on
+ the list of potential vulnerabilities identified during
+ the search of the public domain and the analysis of the
+ evaluation evidence.
+
+ The evaluator is not expected to determine the
+ exploitability for potential vulnerabilities beyond
+ those for which a Moderate attack potential is required
+ to effect an attack. However, as a result of evaluation
+ expertise, the evaluator may discover a potential
+ vulnerability that is exploitable only by an attacker
+ with greater than Moderate attack potential. Such
+ vulnerabilities are to be reported in the ETR as
+ residual vulnerabilities.
+
+ With an understanding of the potential vulnerability,
+ the evaluator determines the most feasible way to test
+ for the TOE's susceptibility. Specifically the evaluator
+ considers:
+
+
+ the TSFI or other TOE interface that will be used to
+ stimulate the TSF and observe responses (It is
+ possible that the evaluator will need to use an
+ interface to the TOE other than the TSFI to
+ demonstrate properties of the TSF such as those
+ described in the security architecture description
+ (as required by ). It
+ should the noted, that although these TOE interfaces
+ provide a means of testing the TSF properties, they
+ are not the subject of the test.);
+
+
+ initial conditions that will need to exist for the
+ test (i.e. any particular objects or subjects that
+ will need to exist and security attributes they will
+ need to have);
+
+
+ special test equipment that will be required to
+ either stimulate a TSFI or make observations of a
+ TSFI;
+
+
+ whether theoretical analysis should replace physical
+ testing, particularly relevant where the results of
+ an initial test can be extrapolated to demonstrate
+ that repeated attempts of an attack are likely to
+ succeed after a given number of attempts.
+
+
+
+ The evaluator will probably find it practical to carry
+ out penetration testing using a series of test cases,
+ where each test case will test for a specific potential
+ vulnerability.
+
+ The intent of specifying this level of detail in the
+ test documentation is to allow another evaluator to
+ repeat the tests and obtain an equivalent result.
+
+
+
+ The evaluator shall conduct penetration testing.
+
+ The evaluator uses the penetration test documentation
+ resulting from work unit as a basis for executing penetration tests
+ on the TOE, but this does not preclude the evaluator
+ from performing additional ad hoc penetration tests.
If
+ required, the evaluator may devise ad hoc tests as a
+ result of information learnt during penetration testing
+ that, if performed by the evaluator, are to be recorded
+ in the penetration test documentation. Such tests may be
+ required to follow up unexpected results or
+ observations, or to investigate potential
+ vulnerabilities suggested to the evaluator during the
+ pre-planned testing.
+
+ Should penetration testing show that a hypothesised
+ potential vulnerability does not exist, then the
+ evaluator should determine whether or not the
+ evaluator's own analysis was incorrect, or if evaluation
+ deliverables are incorrect or incomplete.
+
+ The evaluator is not expected to test for potential
+ vulnerabilities (including those in the public domain)
+ beyond those which required a Moderate attack
+ potential. In some cases, however, it will be necessary
+ to carry out a test before the exploitability can be
+ determined. Where, as a result of evaluation expertise,
+ the evaluator discovers an exploitable vulnerability
+ that is beyond Moderate attack potential, this is
+ reported in the ETR as a residual vulnerability.
+
+
+
+ The evaluator shall record the actual results of the
+ penetration tests.
+
+ While some specific details of the actual test results
+ may be different from those expected (e.g. time and date
+ fields in an audit record) the overall result should be
+ identical. Any unexpected test results should be
+ investigated. The impact on the evaluation should be
+ stated and justified.
+
+
+
+ The evaluator shall report in the ETR the evaluator
+ penetration testing effort, outlining the testing
+ approach, configuration, depth and results.
+
+ The penetration testing information reported in the ETR
+ allows the evaluator to convey the overall penetration
+ testing approach and effort expended on this
+ sub-activity.
The intent of providing this information
+ is to give a meaningful overview of the evaluator's
+ penetration testing effort. It is not intended that the
+ information regarding penetration testing in the ETR be
+ an exact reproduction of specific test steps or results
+ of individual penetration tests. The intention is to
+ provide enough detail to allow other evaluators and
+ evaluation authorities to gain some insight about the
+ penetration testing approach chosen, amount of
+ penetration testing performed, TOE test configurations,
+ and the overall results of the penetration testing
+ activity.
+
+ Information that would typically be found in the ETR
+ subclause regarding evaluator penetration testing efforts
+ is:
+
+
+ TOE test configurations. The particular
+ configurations of the TOE that were penetration
+ tested;
+
+
+ TSFI penetration tested. A brief listing of the TSFI
+ and other TOE interfaces that were the focus of the
+ penetration testing;
+
+
+ Verdict for the sub-activity. The overall judgement
+ on the results of penetration testing.
+
+
+
+ This list is by no means exhaustive and is only intended
+ to provide some context as to the type of information
+ that should be present in the ETR concerning the
+ penetration testing the evaluator performed during the
+ evaluation.
+
+
+
+ The evaluator shall examine the results of all
+ penetration testing to determine that the TOE, in its
+ operational environment, is resistant to an attacker
+ possessing a Moderate attack potential.
+
+ If the results reveal that the TOE, in its operational
+ environment, has vulnerabilities exploitable by an
+ attacker possessing less than a High attack potential,
+ then this evaluator action fails.
+
+ The guidance in should be used to determine the attack
+ potential required to exploit a particular vulnerability
+ and whether it can therefore be exploited in the
+ intended environment.
It may not be necessary for the
+ attack potential to be calculated in every instance,
+ only if there is some doubt as to whether or not the
+ vulnerability can be exploited by an attacker possessing
+ an attack potential less than High.
+
+
+
+ The evaluator shall report in the ETR all exploitable
+ vulnerabilities and residual vulnerabilities, detailing
+ for each:
+
+
+ its source (e.g. CEM activity being undertaken when
+ it was conceived, known to the evaluator, read in a
+ publication);
+
+
+ the SFR(s) not met;
+
+
+ a description;
+
+
+ whether it is exploitable in its operational
+ environment or not (i.e. exploitable or residual).
+
+
+ the amount of time, level of expertise, level of
+ knowledge of the TOE, level of opportunity and the
+ equipment required to perform the identified
+ vulnerabilities, and the corresponding values using
+ the tables and
+ of Annex .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A methodical vulnerability analysis is performed by the
+ evaluator to ascertain the presence of potential
+ vulnerabilities.
+
+ The evaluator performs penetration testing, to confirm
+ that the potential vulnerabilities cannot be exploited in
+ the operational environment for the TOE. Penetration
+ testing is performed by the evaluator assuming an attack
+ potential of High.
+
+
+
+ The objective of this sub-activity is to determine whether
+ the TOE, in its operational environment, has
+ vulnerabilities exploitable by attackers possessing High
+ attack potential.
+
+
+
+ The methodical analysis approach takes the form of a
+ structured examination of the evidence. This method
+ requires the evaluator to specify the structure and form
+ the analysis will take (i.e. the manner in which the
+ analysis is performed is predetermined, unlike the focused
+ analysis). The method is specified in terms of the
+ information that will be considered and how/why it will be
+ considered. Further guidance on methodical vulnerability
+ analysis can be found in Annex .
+
+ If the TOE SFRs include and
+ requirements such that
+ actions and data of one subject cannot be observed and
+ linked with another subject, the evaluator should consider
+ performing a covert channel analysis. This will build
+ upon the design evidence provided by the developer in
+ satisfaction of and requirements. The design evidence
+ will include details of how the TOE architecture prevents
+ observation by subjects of actions performed by other
+ subjects. the evaluator should seek guidance from the
+ evaluation authority on the conduct of such a covert
+ channel analysis.
+
+ The analysis of the guidance documentation is to include
+ consideration of whether it is possible to unknowingly
+ configure the TOE insecurely. Therefore, the analysis will
+ consider warning prompts provided by the TOE when
+ configuration options are selected by the user that may
+ render the TOE in an insecure state, not just in the
+ guidance but also in the use of the TOE. An example may be
+ when access control rules are amended from a remote
+ administration console, which will not take effect until
+ the TOE has been restarted. The evaluator will determine
+ whether the TOE issues a suitable warning when the changes
+ are made to ensure the user is aware that a restart must
+ be completed before the changes take effect.
+
+
+
+ The evaluation evidence for this sub-activity is:
+
+
+ the ST;
+
+ the functional specification;
+
+ the TOE design;
+
+ the security architecture description;
+
+ the implementation representation;
+
+ the guidance documentation;
+
+ the TOE suitable for testing;
+
+ information publicly available to support the
+ identification of possible potential
+ vulnerabilities.
+
+ The remaining implicit evaluation evidence for this
+ sub-activity depends on the components that have been
+ included in the assurance package. The evidence provided
+ for each component is to be used as input in this
+ sub-activity.
+
+ Other input for this sub-activity is:
+
+
+ current information regarding public domain potential
+ vulnerabilities and attacks (e.g. from an evaluation
+ authority).
+
+
+
+
+ The developer shall provide the TOE for testing.
+
+
+ The TOE shall be suitable for testing.
+
+
+ The evaluator shall confirm that the information provided
+ meets all requirements for content and presentation of
+ evidence.
+
+
+ The evaluator shall perform a search of public domain
+ sources to identify potential vulnerabilities in the TOE.
+
+
+ The evaluator shall perform an independent, methodical
+ vulnerability analysis of the TOE using the guidance
+ documentation, functional specification, TOE design,
+ security architecture description and implementation
+ representation to identify potential vulnerabilities in the
+ TOE.
+
+
+ The evaluator shall conduct penetration testing based on the
+ identified potential vulnerabilities to determine that the
+ TOE is resistant to attacks performed by an attacker
+ possessing High attack potential.
+
+
+
+
+
+
+
+ EAL1 is applicable where some confidence in correct operation
+ is required, but the threats to security are not viewed as
+ serious. It will be of value where independent assurance is
+ required to support the contention that due care has been
+ exercised with respect to the protection of personal or
+ similar information.
+
+ EAL1 requires only a limited security target. It is sufficient
+ to simply state the SFRs that the TOE must meet, rather than
+ deriving them from threats, OSPs and assumptions through
+ security objectives.
+
+ EAL1 provides an evaluation of the TOE as made available to
+ the customer, including independent testing against a
+ specification, and an examination of the guidance
+ documentation provided. It is intended that an EAL1 evaluation
+ could be successfully conducted without assistance from the
+ developer of the TOE, and for minimal outlay.
+
+ An evaluation at this level should provide evidence that the
+ TOE functions in a manner consistent with its
+ documentation.
+
+
+
+ EAL1 provides a basic level of assurance by a limited security
+ target and an analysis of the SFRs in that ST using a
+ functional and interface specification and guidance
+ documentation, to understand the security behaviour.
+
+ The analysis is supported by a search for potential
+ vulnerabilities in the public domain and independent testing
+ (functional and penetration) of the TSF.
+
+ EAL1 also provides assurance through unique identification of
+ the TOE and of the relevant evaluation documents.
+
+ This EAL provides a meaningful increase in assurance over
+ unevaluated IT.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EAL2 requires the co-operation of the developer in terms of
+ the delivery of design information and test results, but
+ should not demand more effort on the part of the developer
+ than is consistent with good commercial practise. As such it
+ should not require a substantially increased investment of
+ cost or time.
+
+ EAL2 is therefore applicable in those circumstances where
+ developers or users require a low to moderate level of
+ independently assured security in the absence of ready
+ availability of the complete development record. Such a
+ situation may arise when securing legacy systems, or where
+ access to the developer may be limited.
+
+
+
+ EAL2 provides assurance by a full security target and an
+ analysis of the SFRs in that ST, using a functional and
+ interface specification, guidance documentation and a basic
+ description of the architecture of the TOE, to understand the
+ security behaviour.
+
+ The analysis is supported by independent testing of the TSF,
+ evidence of developer testing based on the functional
+ specification, selective independent confirmation of the
+ developer test results, and a vulnerability analysis (based
+ upon the functional specification, TOE design, security architecture
+ description and guidance evidence provided) demonstrating
+ resistance to penetration attackers with a basic attack
+ potential.
+
+ EAL2 also provides assurance through use of a configuration
+ management system and evidence of secure delivery
+ procedures.
+
+ This EAL represents a meaningful increase in assurance from
+ EAL1 by requiring developer testing, a vulnerability analysis
+ (in addition to the search of the public domain), and
+ independent testing based upon more detailed TOE
+ specifications.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EAL3 permits a conscientious developer to gain maximum
+ assurance from positive security engineering at the design
+ stage without substantial alteration of existing sound
+ development practises.
+
+ EAL3 is applicable in those circumstances where developers or
+ users require a moderate level of independently assured
+ security, and require a thorough investigation of the TOE and
+ its development without substantial re-engineering.
+
+
+
+ EAL3 provides assurance by a full security target and an
+ analysis of the SFRs in that ST, using a functional and
+ interface specification, guidance documentation, and an
+ architectural description of the design of the TOE, to
+ understand the security behaviour.
+ + The analysis is supported by independent testing of the TSF, + evidence of developer testing based on the functional + specification and TOE design, selective independent + confirmation of the developer test results, and a + vulnerability analysis (based upon the functional + specification, TOE design, security architecture description and guidance + evidence provided) demonstrating resistance to penetration + attackers with a basic attack potential. + + EAL3 also provides assurance through the use of development + environment controls, TOE configuration management, and + evidence of secure delivery procedures. + + This EAL represents a meaningful increase in assurance from + EAL2 by requiring more complete testing coverage of the + security functionality and mechanisms and/or procedures that + provide some confidence that the TOE will not be tampered with + during development. + + + + + + + + + + + + + + + + + + + + + + + + + + + + EAL4 permits a developer to gain maximum assurance from + positive security engineering based on good commercial + development practises which, though rigorous, do not require + substantial specialist knowledge, skills, and other + resources. EAL4 is the highest level at which it is likely to + be economically feasible to retrofit to an existing product + line. + + EAL4 is therefore applicable in those circumstances where + developers or users require a moderate to high level of + independently assured security in conventional commodity TOEs + and are prepared to incur additional security-specific + engineering costs. + + + + EAL4 provides assurance by a full security target and an + analysis of the SFRs in that ST, using a functional and + complete interface specification, guidance documentation, a + description of the basic modular design of the TOE, and a + subset of the implementation, to understand the security + behaviour. 
+ + The analysis is supported by independent testing of the TSF, + evidence of developer testing based on the functional + specification and TOE design, selective independent confirmation + of the developer test results, and a vulnerability analysis (based upon + the functional specification, TOE design, implementation + representation, security architecture description and guidance + evidence provided) demonstrating resistance to penetration + attackers with an Enhanced-Basic attack potential. + + EAL4 also provides assurance through the use of development + environment controls and additional TOE configuration + management including automation, and evidence of secure + delivery procedures. + + This EAL represents a meaningful increase in assurance from EAL3 + by requiring more design description, the implementation + representation for the entire TSF, and improved mechanisms + and/or procedures that provide confidence that the TOE will not + be tampered with during development. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + EAL5 permits a developer to gain maximum assurance from + security engineering based upon rigorous commercial + development practises supported by moderate application of + specialist security engineering techniques. Such a TOE will + probably be designed and developed with the intent of + achieving EAL5 assurance. It is likely that the additional + costs attributable to the EAL5 requirements, relative to + rigorous development without the application of specialised + techniques, will not be large. + + EAL5 is therefore applicable in those circumstances where + developers or users require a high level of independently + assured security in a planned development and require a + rigorous development approach without incurring unreasonable + costs attributable to specialist security engineering + techniques. 
+ + + + EAL5 provides assurance by a full security target and an + analysis of the SFRs in that ST, using a functional and + complete interface specification, guidance documentation, a + description of the design of the TOE, and the implementation, + to understand the security behaviour. A modular TSF design is + also required. + + The analysis is supported by independent testing of the TSF, + evidence of developer testing based on the functional + specification, TOE design, selective independent confirmation + of the developer test results, and an independent + vulnerability analysis demonstrating resistance to penetration + attackers with a moderate attack potential. + + EAL5 also provides assurance through the use of a development + environment controls, and comprehensive TOE configuration + management including automation, and evidence of secure + delivery procedures. + + This EAL represents a meaningful increase in assurance from EAL4 + by requiring semiformal design descriptions, a more structured + (and hence analysable) architecture, and improved mechanisms + and/or procedures that provide confidence that the TOE will not + be tampered with during development. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + EAL6 permits developers to gain high assurance from + application of security engineering techniques to a rigorous + development environment in order to produce a premium TOE for + protecting high value assets against significant risks. + + EAL6 is therefore applicable to the development of security + TOEs for application in high risk situations where the value + of the protected assets justifies the additional costs. + + + + EAL6 provides assurance by a full security target and an + analysis of the SFRs in that ST, using a functional and + complete interface specification, guidance documentation, the + design of the TOE, and the implementation to understand the + security behaviour. 
Assurance is additionally gained through a + formal model of select TOE security policies and a semiformal + presentation of the functional specification and TOE design. A + modular, layered and simple TSF design is also required. + + The analysis is supported by independent testing of the TSF, + evidence of developer testing based on the functional + specification, TOE design, selective independent confirmation + of the developer test results, and an independent + vulnerability analysis demonstrating resistance to penetration + attackers with a high attack potential. + + EAL6 also provides assurance through the use of a structured + development process, development environment controls, and + comprehensive TOE configuration management including complete + automation, and evidence of secure delivery procedures. + + This EAL represents a meaningful increase in assurance from + EAL5 by requiring more comprehensive analysis, a structured + representation of the implementation, more architectural + structure (e.g. layering), more comprehensive independent + vulnerability analysis, and improved configuration management + and development environment controls. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + EAL7 is applicable to the development of security TOEs for + application in extremely high risk situations and/or where the + high value of the assets justifies the higher costs. Practical + application of EAL7 is currently limited to TOEs with tightly + focused security functionality that is amenable to extensive + formal analysis. + + + + EAL7 provides assurance by a full security target and an + analysis of the SFRs in that ST, using a functional and + complete interface specification, guidance documentation, the + design of the TOE, and a structured presentation of the + implementation to understand the security behaviour. 
Assurance + is additionally gained through a formal model of select TOE + security policies and a semiformal presentation of the + functional specification and TOE design. A modular, layered + and simple TSF design is also required. + + The analysis is supported by independent testing of the TSF, + evidence of developer testing based on the functional + specification, TOE design and implementation representation, + complete independent confirmation of the developer test + results, and an independent vulnerability analysis + demonstrating resistance to penetration attackers with a high + attack potential. + + EAL7 also provides assurance through the use of a structured + development process, development environment controls, and + comprehensive TOE configuration management including complete + automation, and evidence of secure delivery procedures. + + This EAL represents a meaningful increase in assurance from + EAL6 by requiring more comprehensive analysis using formal + representations and formal correspondence, and comprehensive + testing. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CAP-A is applicable when a composed TOE is integrated and + confidence in the correct security operation of the resulting + composite is required. This requires the cooperation of the + developer of the dependent component in terms of delivery of + design information and test results from the dependent + component certification, without requiring the involvement of + the base component developer. + + CAP-A is therefore applicable in those circumstances where + developers or users require a low to moderate level of + independently assured security in the absence of ready + availability of the complete development record. + + + + CAP-A provides assurance by analysis of a security target for + the composed TOE. The SFRs in the composed TOE ST are + analysed using the outputs from the evaluations of the + component TOEs (e.g. 
ST, guidance documentation) and a + specification for the interfaces between the component TOEs in + the composed TOE to understand the security behaviour. + + The analysis is supported by independent testing of the + interfaces of the base component that are relied upon by the + dependent component, as described in the reliance information, + evidence of developer testing based on the reliance + information, development information and composition + rationale, and selective independent confirmation of the + developer test results. The analysis is also supported by a + vulnerability review of the composed TOE by the + evaluator. + + CAP-A also provides assurance through unique identification of + the composed TOE (i.e. IT TOE and guidance + documentation). + + + + + + + + + + + + + + + + + + + + + CAP-B permits a conscientious developer to gain maximum + assurance from understanding, at a subsystem level, the + affects of interactions between component TOEs integrated in + the composed TOE, whilst minimising the demand of involvement + of the base component developer. + + CAP-B is applicable in those circumstances where developers or + users require a moderate level of independently assured + security, and require a thorough investigation of the composed + TOE and its development without substantial + re-engineering. + + + + CAP-B provides assurance by analysis of a full security target + for the composed TOE. The SFRs in the composed TOE ST are + analysed using the outputs from the evaluations of the + component TOEs (e.g. ST, guidance documentation), a + specification for the interfaces between the component TOEs + and the TOE design (describing TSF subsystems) contained in + the composed development information to understand the + security behaviour. 
+ + The analysis is supported by independent testing of the + interfaces of the base component that are relied upon by the + dependent component, as described in the reliance information + (now also including TOE design), evidence of developer testing + based on the reliance information, development information and + composition rationale, and selective independent confirmation + of the developer test results. The analysis is also supported + by a vulnerability analysis of the composed TOE by the + evaluator demonstrating resistance to attackers with basic + attack potential. + + This CAP represents a meaningful increase in assurance from + CAP-A by requiring more complete testing coverage of the + security functionality. + + + + + + + + + + + + + + + + + + + + + + CAP-C permits a developer to gain maximum assurance from + positive analysis of the interactions between the components + of the composed TOE, which, though rigorous, do not require + full access to all evaluation evidence of the base + component. + + CAP-C is therefore applicable in those circumstances where + developers or users require a moderate to high level of + independently assured security in conventional commodity + composed TOEs and are prepared to incur additional + security-specific engineering costs. + + + + CAP-C provides assurance by analysis of a full security target + for the composed TOE. The SFRs in the composed TOE ST are + analysed using the outputs from the evaluations of the + component TOEs (e.g. ST, guidance documentation), a + specification for the interfaces between the component TOEs + and the TOE design (describing TSF modules) contained in the + composed development information to understand the security + behaviour. 
+ + The analysis is supported by independent testing of the + interfaces of the base component that are relied upon by the + dependent component, as described in the reliance information + (now including TOE design), evidence of developer testing based + on the reliance information, development information and + composition rationale, and selective independent confirmation of + the developer test results. The analysis is also supported by a + vulnerability analysis of the composed TOE by the evaluator + demonstrating resistance to attackers with Enhanced-Basic attack + potential. + + This CAP represents a meaningful increase in assurance from + CAP-B by requiring more design description and demonstration + of resistance to a higher attack potential. + + + + + + + + + + + + + + + + + + + + diff --git a/input/esr.xml b/input/esr.xml new file mode 100644 index 0000000..da5837d --- /dev/null +++ b/input/esr.xml @@ -0,0 +1,505 @@ + + + + + + + Application Software Essential Security Requirements + National Information Assurance Partnership (NIAP) + 42 + 1.0 + draft + 29 Aug 2015 + + none + + +
+ The following is an Essential Security Requirements (ESR) document + for application software. + The creation of an ESR is a necessary + prerequisite to develop an Application Software cPP, and this + document represents material provided by NIAP for that purpose. +
+ +
+ + This document describes a core set of security requirements + for application software. These requirements cover basic security behavior for + application software. Evaluation against the resulting Protection Profile + ensures that this fundamental set of requirements is met. These fundamental + requirements must be extended to adequately cover the functionality of many + types of applications. + This is not a declaration that all software should be evaluated through the + Common Criteria. Although it depends on the national market, Common Criteria + evaluation generally focuses on providing assurance for products which provide security + functionality. Many applications without security functionality, particularly on + mobile platforms, now receive some type of evaluation (often called vetting). + This occurs because software without + security functionality, when flawed, has security consequences. + This document is offered as a reference for those activities, in addition to + its role in the Common Criteria. + The goal is to establish a consistent set of expectations for all application software + developers, independent of the evaluation methodology. + +

+ The vast majority of application software should satisfy + this core set of requirements, yet a very small set of extremely specialized + software may not do so. The requirements for such exceptional software + may be specified in Protection Profiles which do not extend the requirements + described here. +

+ Application software in the context of this document is software that runs on + a platform and performs tasks on behalf of the user or owner of the + system. The platform for the application is an operating system, an execution + environment, or some combination of these. +

+

+ +
+ + Application software is used in innumerable specific use cases. +

+ However, in formal Common Criteria evaluations we seek evaluation only of applications + which provide security functionality (which are called IA or IA-enabled in + some markets). Such applications include thin clients and host-based security agents. + Other applications will be covered by Extended Packages of the + resulting Protection Profile (email client, web browser, VPN client, MDM agent). + + +

+ +
+ +

+

    +
  • + Sensitive data in transit. +
  • +
  • + Sensitive data stored locally by the application. +
  • +
  • + Application code and configuration parameters. +
  • +
+ The application should also not require security features in the + platform be disabled, as this weakens the underlying platform. +

+
+ +
+
    +
  • + An attacker is assumed to attempt attacks from the following + vantage points: +
      +
    • + The network across which the application engages + in communication, both actively and passively. +
    • +
    • + The platform on which the application is + installed, though as an unprivileged subject. +
    • +
    +
  • +
  • + An attacker has an arbitrary amount of time to analyze the + behavior of the application, its interaction with its host + device or platform, and/or the data it transmits over the + network. +
  • +
+
+ +
+
    +
  • + The application consists of the software + provided by its vendor. + Any software in the application + installation package is potentially in scope + during evaluation. This includes those pieces that may + extend the functionality of the underlying + platform, such as kernel drivers. The + application exists both as an object that is + stored on the file system of the host platform + as well as a runtime object that exists during + its execution. The application + code may execute directly on a microprocessor, + or it may be script or bytecode interpreted by + a runtime environment. +
  • +
  • + Shared libraries (static or dynamically loaded) + from third parties that convey with the + application are also in scope. +
  • +
+
+ +
+ +

+ Functionality-related requirements are: +

    +
  • + Limit network connectivity to necessary communications, and + encrypt sensitive data that is transmitted remotely + using a trusted communications channel. +
  • +
  • + Leverage the platform to protect any + sensitive data at rest stored in non-volatile memory, such + as credentials. +
  • +
  • + Require initial assignment of credentials by the end user whenever the + application is shipped with default credentials or no credentials. +
  • +
  • + Restrict access to those platform resources which are necessary to achieve + its stated functionality. +
  • +
  • + Properly implement, or leverage the platform, for cryptographic operations such as + key generation, encryption and decryption, random bit generation, hashing, signing, + and keyed-hash message authentication. +
  • +
  • + Leverage the platform's exploit mitigation features, and never engage + in behavior that undermines the platform's security features. +
  • + + +
  • + Be distributed only in the format supported by the + platform's package manager, and ensure trusted update. +
  • +
+ Assurance-related requirements are: +
    +
  • + Timely patching of any publicly-disclosed vulnerabilities, + including those in 3rd party components that convey with the + application. +
  • +
  • + Use of anti-exploitation options provided in the development + toolchain. +
  • +
+
+ +
+ + +
    +
  • + The application relies upon a trustworthy computing platform + for its execution. This includes the underlying platform and + whatever runtime environment it provides to the application. +
  • +
  • + The user of the application software is not willfully negligent + or hostile, and uses the software in compliance with the + applied enterprise security policy. +
  • +
  • + The administrator of the underlying platform or application software is not careless, + willfully negligent or hostile, and administers the software + within compliance of the approved enterprise security policy. +
  • +
+
+ +
+ +
    +
  • + Client authentication to remote + peers using X.509v3 certificates. +
  • +
+ +
+ +
+ +
    + +
  • + Use of Software ID (SWID) tags to enable software inventory + as defined by ISO/IEC 19770-2:2009. +
  • +
+
+ +
+ +
    +
  • + The hardware or firmware of the underlying platform. +
  • +
  • + The host operating system or runtime environment on which the + application executes. +
  • +
  • + Specific functional behavior that is not global to all + applications. +
  • +
+
+
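Review bot: The SWID item near the end of input/esr.xml pins the tag format to `ISO/IEC 19770-2:2009`, an edition that has since been superseded by ISO/IEC 19770-2:2015, so anyone building inventory tooling from this requirement would target the older schema. If the file is meant to describe current expectations, I would change the reference to `as defined by ISO/IEC 19770-2:2015.`. If it is kept as a historical record of the 2015 draft, an XML comment next to the item saying so would stop the edition from being read as a recommendation. The XML markup is not visible in this rendering, so which section the item belongs to is inferred from its position after the X.509v3 item.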
diff --git a/input/tds/README.md b/input/tds/README.md
new file mode 100644
index 0000000..04e1b77
--- /dev/null
+++ b/input/tds/README.md
@@ -0,0 +1,9 @@
+# TDs README
+
+This is the TD directory.
+For a release branch, authors should create XML representations for all TDs issued for this version of the PP document.
+Eventually these TD files should be pulled into the development branch, usually the 'master' branch.
+Once they get pulled into the master branch, they should be manually incoporated into the main XML input document and then deleted from the master branch.
+
+
+
diff --git a/output/images/appdiagram.png b/output/images/appdiagram.png new file mode 100644 index 0000000000000000000000000000000000000000..071d91d2ad4b2b049224a472ca76b971374f5fca GIT binary patch literal 33393 zcmdSAb8w|Wv@e^Pa&e3^63z2{Wjx>fJ5SM_$) zS9^V{*Xr)otF^j+U$~;Y1Uw853iZYxvzw{w>kr&aNKOa@ zq%Ow$RVnf7oybU1Sq=mw6dnX53K`_vH)0TwfNc;E&rA@I2P+T|?nw|3q~ve;M5!Pk zFqsx2B8pNXB1DRgcBU5ACLkb^!&ND6iu0=&!dkU7mi|00;WTiiu<-ar)uMfwUrQ5Lg1{?3ixk))({zgjt~mhVf9+a*cYeop^}pVclT$| zeL|uNhC6Pb_Uvad>MLQ!tgsvftNMsc1Ksy6cK+zpfeomS?f5J*%@24n$Qwl$a6tP1x4{+a0F2NPbAEOGKGH~0v zn*CC*{C1u?wIy-!utb%yZe~zN2VTC*3NT2PHxR%2oObL*f-`TjB>Z3kL+Oo#hFmm!IEt zm7wy|Wm}Xvh&qWG;;Q$w7)e8}*hN#?*<%(?J!&+_v8@U86SfT3T_5ImkE(qC@5XVs zc`%Ls{ByYwwGc6q!+L)R!2|7U5o!hTB)@ytelrgION5B#Pf|;m6iA~8i_^<&kJ1?E z^cz>_+mAo=_L#h&q(AXGK~;W!pAbR{3Zz0pPxzHYZ7$nr)daIHtb) z0S7@EJ3F}Y6Dw^oO>^SAEI~1vN-S4kTU1*l_VC2dI!)?IiY1h@aQI=0pFa%Tj1Ua~ zb-F7;=UA>dq5Y#f&JM1eet4*qF;6 z+eAI2pQ(h=nUM^_YQ>r(RKps>;lewS$-~Mcxx=ebCsF9p`N%z0?wYWKWJM;#qNtn2 zDuvH0S87)pIn_2aH}rY6yjz}-udVhN$?Q>ZP;61G!*#;7!(~v6RMFIuPlZjC+!W7B zQ_FyCbaIJ9zsYA{%!kdv8mXnArC3K5M`cH0MsE{Hm8q!VsY6r~RPz?3%Dj|wHK;1> zwR^Sdti;A6^3WUR9Oq)@@J_r>)K5C*a!rm|Y+1rtyiC?iaz^q^T#PkFZR7apytE#g z@Z_e{W5`n(-IOo#c87mwl367RF`Sno3L zCEyF;yx|<-*5J3W%CW_nDpTj!s$!(*Vw3;XtCs0SA| zohvLtPXMgCtTC$w4X=l)PWrdmhkS?n^mO!381xv4DV8ZpDak4Q>TDGt6`SfBRm@9M zOMt3rEx-D@TB#N;i`&$yZkznS$m^K2>>7^hOI3IcDs@I{YU|M}^M4D@{hA3K6kUIE zFL3fYsk#{REb+*5TJVr_;=6bPt@kI~_<_7hXvh1 zzNM~JpRxW8qeO{R%AxsnrS3cZ62KtQK zKHahJ3-7JIe?R`@?)FT7O8J`#TK=i2sI351SF7|SFvm;7U%?cG*Cuo(GpAVLYGry- z3R4dwDx_3pV`FKgcIKF1ujI5gZrVMatgs6j4;c=16Wt*ZCOsuBUT&>g?J?z@<7HvI z+0veDO1G-1O4Lnlym<4Ry`Q)*$!AhBP?E^+W_nL&pExlWcQ(008xMBzzmNDk!eF4_ zc+NSP6^_-BwwH!k=UVq_ND0K-lLqPycMPNs_sCtzmP)6|-6>d0W+}kPSjr7iN|5Is zNZX^fbx}u9r&9;=>go~Lku6fV_?@C{XX@vEFRGF|lPn=VEYkl?{v^bdVUVj7f9)W0 z9HNrGm%cIa5zUS3W|KAIIQ?RR>WONlqR{O4@NhmmDW6%6(7Q-FgP# z=lS&fr6gq0o4Q%Kx$MXCQFdPP%*X8Y9flqT5z`>DRqXMB``m^OgK>(6VEw40rYcA; zLI1|!^W}Y6dQ!Rq0SOTbAu8!P$puf9N7MOA#zW_M6XqylN&0zAH@P8nB{T$qhrqT> 
zxs;~#<<04B`mutqeBF}GQrfDn3A<_fO!(}@x9+8=Os~27_lFf&i$NiCZC%S~ec4Ia zTYR5stJVy!2iwhYl~MIDxAq;N98jbU8xsf&05U3wX1BV{y&6wbSE$gJEGlT^f=sP=T>ksdURibUJG9YKSyd|mUOu5)^r$k z40|p;^0qg=%w=z>b%CXJG3s~i`5q|es%#HdxN1!6Hnh1uv@hO2;9~q(dzpNlelz`8 zPyZJAt2r~}2am1R_9>nYm%G7;LFsGr*=@MuAN%bL?$y7$3C{&1d7G+uv<~1fBR)Y6lFchnJo2`^)| zVurb=!Oh-A;p=`?s+C?$&t6xCSN3DcQ*N?d<5t$k_;t-k*`f;2?%D2W`>!wKZTD{A zYG}@h|49k!D63P$GocAThj0DM!XwxD?Z8F|V=JSHep8RD@9oEfJHLl-&hS1fW)%pG zmc1+-$R!TQ?;tS2uHYw#c=G8EteFG_eX=Ws&izQteo+7K5+K6Jcj9mMHkcr%Bl4mT zAY_E+P(M{vc3(6K2h%d>EaKOYt(3V1J_)YFIc-3?5vHf7o2IAzsw6UepahpE5|;I# z>Iy(OZJF6Q9#3kxuk~Xv{d>NNnA~lsQaP5pcgY!Pyq7 zn$DVXvfM^?HVg*Fc7`Sl?l$&c(jXwb?%ZFbjft}Xk-LqxtrNF9AIX16aDUPN*o-7Z z{~_XR#Ydtkr${7X=V(I2&cMvTLc$M2L`1~vXl%-@EGqtA>R)esB<9Y}_S}q&Zfy*}~42=wH4D zhITH_d?Y0Q3i{u_|E#BpyTyN(Wb5=_W_=mR_%DT#nSqJ%f9L(B%KMMYt!UwHVy!7^ zVPj(J^i>8w+Ye^m|B(MbQvSQd|Dmb%-@*V|@YiKxqw3?`ovKDx`D6L1+9K=cFo+NmxDb--uG<^qe^UNv^#6zz zWaY-M1aJch$yt;yA_%|k7*5UdiSa|%5Ts2SIr(7K3?x;Xedme?gDLO$*EfOGkJMab z(ZRA_@X6%Sbc{UDj>mDkpNrT+su|od)A_EGX3yz=HB}p1{CxfWyzA4ygb$!$VS&WS zrKMB^Bw=H$rgN&DPg!6BV7{-@esvc8kZ(~$G}Dc4#XzlW@j!MunzhbcnYznFL}VsQ zlpbLu^#1rJHiV0(k^FpeY|`?8*6HS-3j@?oUBzmz{?u!eva<=1{Igv(~zZVi(YU#c}j-Rw|wQ+ z?%^tgTiC}$v#dQ@{&U;o2O*cqF8+7yZA2vm*f71b6BCPsfiYB5Dk>(X zmBO6KL`3;aX8Yc!VDo3NfR^`+=e9vYqSwtV{^6am^xzaBw>f$h{eb~OvOS98ZSF&Bq{cP^$9-O5*EadTYc-TDsflq=zZ5+0_q8Xf`4N&|hd%)ogw;PL6_Ygaa{oy@Hh(kemN z<)P|RqEBm@zP)&lyA`z@jyM@sW83fh>{kR#`fxRz`u=%US&A8L=r-?#-u0T*e<4(E zqzFGD5)a!*KBl&3TeI$c?ll_S;*st#Wp(KmliS^8ho`1LLgb^J;m~1EtVZ}irXLCh zucAa+u3}=_l*A=fRcF=n&orw*Cvg0-_UUC>6VN3G9$QRaWkjU7IULEyBRGnaWJY23 zceNwX9CM#>Dk^CLzqK&<4E8TcO6;dC*S+1vbx3cTgkp2}|4Vwf;87 zzUc2FZ=-JyuYn*Rhq|${%S`A>4G6vmU{S9!^pi6AJ=092u_Wk!tACgh|Jj3H*;wlB z$CVyR(RYSkX85r?m%69l%k<#t7bdOF#5?rEK-zy1;#bYy<3cG*F%$fFI&!gE{Y5t_ zv(YTeL>gDTzJYP|@bLq~O0I?W4=wrafC@+G8{ze0#v3N3WL3>sZvL8P+(gE$ePVdG zy*h6b64+Au&;b2O^uLQ>mp~%K(2Ml25MFE6;B6qS9@lfDl}?$h(a!eB3yUs{CsY+s zKdy+2#qqYz4-j<61tf%=cMo${-RMb%US-R0*lAbt)#4WS#kC zt%*pLcB^ovDrTX% 
zQjeSO!3P-|zT)_Sf#6FJ?AB+xn+>5fGS(HasPgs%|3|0iV1)S!^&9O;W}-tzsAnFu z3+{R_46SzP_bQ};{zI&|T3>#<$uS5(XabveVWa7G|HxJ!XR@?~0Wr+QrilcxS3dtB zS87s3GtjEhUif^T^atJ(}6i{NUb zFAV*o13d-0q=}bYKZZw42x(02f6C^QHG~kx4bg5f@U79H*A!InaMy9VoE}%N=QkJ0 zp5~4G%#*Ld=(pz)VQ%Gd_J;GsBf!)(Yq<`d&ez5LZJ+aD@WE)Uk)|*2s(Y^igQf~`D%)MwXgN@GO%~uX#t8{t zq45-jKW&3g zedn6TKIl8XX$P9nEi?Q9aqgxqeYwx&3K{Wi^H2n?k$Au`uV=2^gSXU*=STdWI2Ye; zh3sYbBS+rWp0E=NTevxS|L5o2Pj`+40i(+!%#a11;v4;uoI2r&Z3IJZ$;alZ=^N%# zkQ=!9KL==i)C3C5SlZkUnlI?S{#;2kYve^c{%AF_3u zU7EBeLbnMN%K-GQF^Y+VWfP}X7{@AQpT`PyFp8@p%+NU!d&_XJtxp1em*K{dmW0M3 zp0|mJ4Bf&C8Vib0Xk6}hGwlyqoX(wuZF9ieVhnCTcbU})5&B|u-IJ*pn-nry zo#^e0VD<7x$2nNTSBNa!Z0Gr!SxYIRH%kv1_c^|6c9pf}o7_kFnrH_Y`K5kef>0m8 z7lK0kd`qm%!;)pLgg>g%ihX1%ZrL%=8cCAHhr>e-33U7sE=+fbU>+D;cUoF=1<*)b zW#tXB=Uxh)*3fQ2se`)Q1P|?Qs2ccim#X&coSBu;pEV_n>?6@)@@fJ`G=rxPlS7sV zM!pi;3znK%XEe#1b4sFQYTtd+oav+wRP20n!KHk_%E<18f zC;5KD+mYAa5zb*3^pgy-2D8RvtubQFZ&?Sn70ZjK1DLrDbBlkFKmy)y>dok8NA-zJ zug&k=ogi+|Hg&@65G8LC?jy5C-L9ua%YF8YlGFinJ6>BQmP{u{_6@|<mP7hX4I$wn)?h*2Uc}M~7u%i?XL*}`RvYH7v(QiHC#jw!~OIrTJ$uBJX*nIz>PU_;%6QqH+65dux(6M%g*i2gUiie{i4`vHb+f z35F@2EcAX1z>ycNlga27`JAgZUCaJ*@8jhojkag`N-a!o8gu*1>OqhAt*cx6Jhl}# zfg&+`TwdoxzG@;;`KpfdaMEK7dHUw}49$}yhjuYtpgt+2@$gs|gs&#P8wBJ~j}}3qUaZ=B+cGv#UxVQ$E{JEm=D2lU zv&$U2FVyq4;$hJK2*=osK(u7n`-Yl~d;q|kz*v#;5UbIBKpf6MTv3}lI(3k_{WFBI zCk;CiRkrzMVk4wL<0jsL6(8A={J|+c;Rp6CazY7H!FUo?N{`1#s}rHV{_}U*eTRk# za!v-G(xiQwsxW^38YyupgXW>--(uL^-^p9k$;bO7-|A9}wlL8lkJ|0a&fp{{Pexnj zCx#Cew({cbk1j^h84_UvLO(3Brn_Rtml>$Gg-+e_^Nv?6v6Sbgi8b5D#w5`8YBq%D zl7kN(mrGrfh(1%S??it}A_9uNxbn()Qrim596Em8-@VT^;x#zdQU+t!y204r%|AY= z5w!@~xTpuqmfiz(8oko^-D1NczLwA^(f)J{>JBaB*T2$Z>yhWdzQp$Dv$-L?;@IR7ZD&t&VE-Mp-1_ zXKxR1C(6~1epq}JI!LY0(y9-ol0;64{@DeX?(*XgVZkc#TQ&|iE_0_NTDyG$%F)d= zT!<3yTkVB6=oa=8>|f8Q!F4`ICaH@()GaF@TjQY%mAY5TO z+#|8mqW zgI%lNz<8WKhfJbP@WQ3QUJT~KgfL>`PC}EOw%eVh;h>$b$7m}v-=INX!>=`${ge) zDp5>%&Hx#Gup71mO)AJ&EiUurN&+h$uDrHb!uG3aG#Yx;p?hFq%i8VPVy1M|tYs^` 
z7SAK2Z-|&91d|El3x|=Pi>D1MKcJ}D^pjuQnR|@0Q>ly%a~huGlDpy)a)jn>i?6Jm z?k7FmGY>0*+>aA=2f=yU`ZS&1p7B$@?$l_u23sVV%Hb3r3u#&{+}NE-T%;N4YBK4# zR`Cn*$Nm&{RF|y^N^yrkv5zIYqI!$I#Y$q>+_64-r#rwKl{gV@Zpe*C53$#5Xp<=f zp5@Kd`h;ZX1^2ht#JM&j5#1qH!jwUl&QN^IOOx@;pY*%Dh37eR{M$dNge;_xFSa|P7oOasnTf7z&Kzm`5DDlD z?>H>wZpt`Pn5l-Wa+~GY99obIFq%pVZ`i707`p!sJeFFg!$rKndbjdQqt)L5E!KY* z&ykWk1HVqwD{?s80Rr?`3*NR1<-aDME2B7{yQyRD0rL7bTsbj4ILTl}!0BhMlf<#H zAcyy-J4I@-3IyUMV{Fy1X)`HUO(J*Fsg*% zW{#R6R4ci583gp~m?8XG@uL!q^ewTU`q0p?%`~3EhU1m1-flEg4-N^SIQ&5Mz}|VJ zrOdNA757tmArFrpA!)2Wi|`1l7y8(YLO^H(qq$o6~-%8t$Z!f)&x9*1WR#N^&CRlImyo(-(VwC)VY4U<{>21je_ zH|Xt(O4+ofSOvsn#YP1Cl-nq+5`o&Ka~6**%PE{YMP9+&(D7Sks>cr5Lf<;wvK3Ny ztEE!fiSIhNFx$#U-(1sgi!a=#Y93qj@2`-Jr)b>fO!97oUzg_QgDwPik^1GQ%r}^^ zXc6gAry(3~gCDX@`S-5!hMW-7iN^n3^f3i@b@2Ac5kNS+b?J01i$^D{bGGV~S8g83 zisnxJb$5%oTm9&9B*&^p?aHvQG+&y_NcDm^!?2)efJHFMJiUniAHe z-X&wy`6of-Ec<=v%*Oqg*l59LEyvAoErjF4x0~KWvhSERF_>Q3&acAzp}gd7^*s_W zyHvq?$e>bOT!>_#Jz|{iM z+ZO;vH-F&aKXre{&ERBj$UOZsmD>_l5HnhlncdVTW2B);wp>V#H(;AdYjU_O#xUNq zy=OpV2(56CCRyP%WsVPl-PocsdIJ^`O(N4x+|>-`6GGChZhGomogctQ9{1V&tw>C` zZ+L2Qe4(yy;vTE@*nfrjJu~43td2Fis79$>=H&gpiPxLnIrf5p zz8Dz$nbcuTncqb}$;hKvo{ovNP?p?{Z1jteadas7*;}n5mzo|-pv>gwNMAXKhnCdn z$7}3HN>Ro1COT+fYyBIENQNz=ZRipdR~a zaf_8|#~>1|sFal}?d|(LlJThHOZkE3h0W}5_K%mwtk%y z@Pc0|IUY$+?NDj5CPW9mkF{fxrx%xpJ!Qckg| zbY7|{(rZ(yF|Zt81q z{iq@f*6@B7X*4+@n+RN|oK|qM^_TBA-QAIkUZ!+w^t>*jnB(#_eBObRuxW1q4y(}4 z~J-SDzr6uv!T_g z9}=5h0s>ulzvdyFr&detg{@ApDjSztUUZG{a^v*#nI-2+HK0EQm3v#vj60x(aen=U zx<8Lg#k_v`#k+EoGS>Oj0T(cIr)n%y8p;#SVoB}8evoz$T2~3{QHJBEyLNjhOm5Ow z>FXU)iep9<9G-@4eIcfoW8tb2uMDUI{u2fC8B$q}namU>#_ket-clf_v)0xv4Vy9US=Hyfl zpU1qXCE8T=zm8{#`la?xtn4s8!T71C<3(a&)X5ZVK_rH zefCFaALS!NXb|N#Vk7jXE|UgJ8P-1|5B8#L3l_>SBi|@UWjeORes2T@#XpTd zU7Xh!i*1Itlt!zE?|EpKv7A7{%@oM3&L`z?taY(VT)#y_ z`@j?8$zYa)kVZJETz%|dgzY~Qb6&qEzmjUo>o?(b^jOfG4Grbi?`anq3zz)!Oj5oY zFMz8z)9gex%Pk}|w!O9O&s&d$b_2=ORVJ|lclh9OO7BXpJ;vy8P_hJ$VMr$nj8$9L zWJjhGOA<{?9Xi-HoQRGiOhOt2;X-lATosmsxk36o;l)w;yr_JT+fZX&Z$?2)D~ifG 
zM-4XpSnbQ3@NBqvc&HYvtdKP@ElE*!R z5GR!<`(GG~M69weqi44)2lRdvD6Oj_k<)pz6<52vsJCy-HYe(Zrl!O^w{)(I_>*p2 z325PQkTF&7=#0Inx1JFdf<=0~!S59mf7b0f6BuYY-lb@wGMb7AHfQO!q z+&NiPu+W8)mRJ7$U5-|mpkdKMZp~jNwoH?5`ozS7DKI(FVVBmP>H*}zuN8D&XOl_T zVZbm%yYF>R7`=#_-qIkMs%>$%q*0Vsg`y*^CcVNz(CQOM;|erm9mR-$;6gVv-mY9K z$5hA5;H2dA<@9XGIiy6NiT}wS65;P!#AE+!zQ}7%L_nYfxMA#sTJ{rNQH^V~d$!tD zqX_h=qBgm)aEq_E=a-Lt%Cej9x$zT2PFnE%Xcy11_i%#^Y}l)`KuxBhZ!)O zB%Vl(quOu6UXvyzBVZ2cONEVZ7EJ>VD-(u#Sy~K-{BzRK%B!tefb-6>bJyY=2d}J< z?vi^0vzn9f=Jn-cl9e(O{UAzhW!LtXWYi2Qydp~mP4%U(p0e=AQGd4HzfN$1l{KM0 z#vD)*Vr-cVW$k8|37G8{b-GudEMyEl}D&?g-&v)aT|-LiY0o%K2FSd)mQAVrBuNne$g7dD4lLl6?IGwMJRydbVRR| z+y>ad4GdI;&APY;9e>GCNw# zpg-Pbjni+;V#AHuu%(O-t52Bb>@b+*>zpSuIeFWk-^q2)yU);^$NkHx+A+U4=w)@K zU>&Yi+Nzldq$^5gHOmQeF=)E4c?$02VGxF)Bk6brHaO;;O7jUEZO?BVpc$1taLH+^;loXI?~YyxxxWa_-Gr$KiR--q+Foj4GD(4t8( zgIX8F$ERwH{#@;vPhwgzMt1IlNlwrR%guXmXj``bz9!TgtRRR^w$)}QK-@7scn?mI zof_oy_DJf|!0@Y~;6G;nP1yc=OuwZU5M|_bUDaBs?$i04(o<{|`e`}~hEc+S#aY?m zd!XZpJ9-TnXHSOSCZ=rGaFw|U_O`p;KmNue#w8iH8LARKinP4o<|+c&Lj(?goyq}z zB(Knoue$f1i& zT>B+R$K^LYWBM)sn7R6b(N{xZo?7=4QGTCKUs{oCT zI+o1_$P8F{Yt!QrJDWDVvyq0Y>?otxtG}^g?H<&Mdg--#0{mROchTF>ed^~O*E~X! 
zs-Mx@;S!UiD^J-(Pys|?^+f+~@2~ffY1V{wq{AczLZ#M|-^0qh!iWdCK2p zPqc3i@O%%Dl^t=*3_Y`ja}J7Zph+c%#vn#DA&9VPF%`<9_*ldM8EuH9;&6RryI6DZ z4%^91tQ~yReRU@vhC1R30w5M0hORad&h*AF#J+!bQIh7!^Iw<#9pVR2i z(tH@dJvh$~c#r)v=OtS{JTFb1e8ho*+*eX+0_u@zFKMh`QD zD~O@@TK8L;)<{_8VZ-fF>ubyOB(%JpEnQc%QyZ}g8HYUkPu&g1`Yx;CqU0amo_E5O z1@}BnSV>11XeqkwLGY_Z?tqxkQI-Z8`TLoe!NC#jPw}HDNN_J+G{M$}Kz&yl>vAiD@HPk}|4R)Ixo8-S%!( z!3Q0C@mB^|8@O$GR+$v%=3&j%+1I_*4dVD{ML!UX@Hzy{uSm$q3I7Q9XdllgxAs7P zZIg-2PhkqTsAPTzZNp>uxorf14MFtUV@l0NBJFESc-Stdd|ja6g@|Cv;Uh@LA$NS6 z|Gtd!!#H)1ez1R&5epDAis1mghjAwc5b)sJ(S-ZEoW6-lanWQolDsv#*~Ez8V}|$m zx;+SdughM&#ig0PoGFcIJ?pGNK)5Jl|auex7Q*f*)b%sN_40iyFNq z!fwDMGjinp>R^X?wAvyUQgnNOta~kdD9nYxo_e!06f)zC;+SvGT65|$vj%}oE?er% zl?gE}1|P?@JGCUDA-R`f06~-N@PWc_1<3s^_6ehF9pD9Bn@Dc`8ERB-)s1Qk8Yd7q z-@2md{j39|cH_rfy z`(%s7Exwtib69b_3U%J{9pddxD#%zCY&1=m2zy?TMV$gsch(dy{*mjxj}WZTM;idy zS#%!Se%vrmhaJtl1vd#xi=ZpC)TM9F_0A^Th8`~0UkBXNrM8~4+x?2EDDAe)wyFPo zOrBDFfn$8E*-0CFXn8P8yW^*9!0vV!Od0`I)n}UyaWik#zT!GF-Uj1rWN$J=iDbE)_uA_>mn?;CV%wFfbxbEp0@mS* zOfLy7D==r|&lvb!lvt1vfdx7F>SQTv1Yc8K1^bJcDjF`_gw{iXW z9dUdHScx1*g;HiIo~rvwDu(m(8m<8HS9r}>uc@~aJgm6-DU_trbJtRwu|30Hl55Pc zIrrJSJ3B!`{6=**^Cxp=VFTCWVk7cNu%xvP^M=lr>WDE22=>m^q4IY0LsMMdUhyDuW0gMu*@cj6HX{u$nc_>zRtC)0TJp z`n69xH{wF8cdBRY2L+!z)6MX*bgxkmi<3nJBb}=48AX137-gq%vI&+DY|gf88JWgI zAIX;j$MznKaGGm8F_Db|k@qP%QP~F0biE9<8iNDOQOoZhPL}1iZMGM69cGv?#D;D? 
zZ_g`J!YDx!m=l=2M80N5bzg#<{I1lf?0RgfxHk06A5{{K?xG|^=5c%|5)2uS9a$sG zmyr&Jpd|{GoFH}~BJiCffu`7I@N(P3V1RZqIIb0zW`sAe?*^-5_nhu*7+UorfuU^G zDh|G4$hov`B-@n*;kUdvBd9BKN{6dzUrU|j&^i2C~qDLtcDe=_7tva$>s^(+h=R$M}Wbm`v}_EY(GkCUH*a?X7ZYWa8a2 zTtA{@qTeUA|JN{@*oupak5UT?Ei|_S9)Biou2Pa%Kd{01SXHhvvse?Gj%>MkX#o51 zjjYZp21A|O4I{4Z9r!gb*P&~$(p~GGSXQ0+u@t@U^XFXlZnaeiXfoH}`I4C92a>FK z3-hkv+M6E({9ZA_!lZheP&XzwNkOln35_;tKg^exVBy7v{YiAfcCQZu)NNbY9~Z|q zN0yjnW$bhW;SiU7Ke!0WtN+z+75B?wbrIK!Xf_sy4wXP%c-_OOpz~N$c|P!uSZnxV zqh+D_?oUbUH4|@oMq-%A)+XS^nZeR9As@w@xsp|{(N$vbjj^RbqbsdMNn{1(oBKCz z)MnmtTi^Q4%DeVWo0-LPcH*}%qac}jXnw2 z$<*0~u_UW|Cg)WzUc5-88rzk6MgnY11%uasZY<;}`i?(TowH-uQ}yS$>9HrU97OD_ zu&b%7T{3~}*QUnByVW{jNw(RdQ3x|KR3+R&4@*eb-2 z4CA!YIU{kQXL#K)(h^m^xdKR6psZ{~X|RBv^Zf~0j;-Nwg^S49YGmNq$t~n{i6VMG#zA^f87NyTwC|<=Y?2TlzMX2r`-mHJXM`jE(xWJH(oPBMc0U9(ip; zd*y#d`c^=3O^aSgh3oJtpWjL$^MxIU+DUAzQt}4U8KO2Qp&}|ycOYI=U;WX^0|b-1 zT5G}%*lotZ^@>cc!sC0tKA zhx+}`3w>JSbit1_yqSNuu))$&o`6i5VAfjc&ZKI^X#>hRe?ZiAJd#|`(Vql3p+3Rm z#Q6GjMR)kXtiE1`4_z11?p-dMI=GrSTx<$}Or9MQ%j?KNn6KDid235Kok?F7?*7>V z8~M1_aD5>0R7i)&ZEw-!>#hjY0?v$!k&~lqY5wyy)L0)hE$tq_QfA_oBRm!to~% zzqEMI_V18fbAuD8HG3oe$+@=3Sin+;JZzTR+lx;~OecGBsvI5>LGso0D^T|M*8`ML zOLiWcEU#!Q^WVQfv>yGC{|1Cwz!wO1I~^f(o3FoSCFC95rii-lqs}(L|3!TFY?`uu zza=K#pJLxg2M|d?a*b5mkzd6|X0-UNgJw-yghd^{v^3wxeBO%ypCXVHTgS}`8(ZqPVIkiXE$0|kNqzlQR99DZW)S`SPYefPfE755cK zN~WZviwafE&(C)c`@%r4CzkAb44XY;U*&#&VB+#W`Ts*tr$0dk2=aYZM zlTi7NGg$u@(D(lVgx0MA>Jz*{3M7Ao=KgDW@Vp}R=L3>i zx%7}D%Tm}v&A$A6cr5nt|B@!ZXrNC+;)ZXsN~toph)Vev(4Iq4YkyTEpq8}I9Qups zi;4Tsitz|X{C_W?5R*Tt7aL#Qv@;bGpILny84Ig#n1|J}6*hI4iq*n#j{!XUIAVNG z4uw*v2_AmtI*K1E110;=8gps@LWh6$@0H1yoD!X7yi7i&#fbWjllBU)p&S6il^R>R zH)8GFpE4n=2&%659&{w`crIy9?#W1KV+3rDFlATyHOs?t9D`*}?h41bBmIcRbEi_a zc8%Un;t#eH^<#M%c!?t(WUO`LCO%$v*zI=TjPU$G=_)ByP~u!JF^#)EDSB>>J@A0W zQL5Ke5&f^1Ps(96v)A;8;f{Zh(4=-eH}*;t5R>FhuAj!+e^PZt98e37K;AN>9d0u| zIhMt`=f?TP>MIZ!&?(O9WyetLQEF=w?Nhy; z_ibNi*k{}@Y2|M3C@uPuyJpN_Z<{U 
zq{qFvj6*(C(&TS0Z~7%4Y-IJRs}GXyX+{tmuI)d(pFP`#S+&6OQ@`dSQm9@-BGe!5 z8%gefQNqo~bw2V+*C-(^x4H(MRoiH|(h4(um+9 zK>+AAY38uv58S!~sw#h{7om^m9%R!~5yDaduYiY1RlLSqnz6A%(BEWk6kV=SOWpN& zFHTgyrPq{B=;#K~JD}s~WIZf2sdcu3c zbw|sU7LCX7q@K0kE?lx+ggsk!d^^u{qI&dv)hg*!JEvMLdCz;1PX%^)^5L*XA%W0@ zFYf2)f2-tZlWmPgPpy8%*>5G^3@V*LPt$}S2%E;d>abqq#Q+AQ8h?6d+<7(s33_Mj zwC`!Y0~|cxXhvy0BB7dU5e2%9J1~F5AZ=IalomNqvsd4^eGJjE=mvpO!8VU-=BjeR zURw9gDLi8_SN^ux7JGedc5^#Xh2z*;o{r#E)q2A^n1CfEcy*?!neYn_uAjj2k&uIx zVY!`rh`o-E&#DT|z3T0cb4hnRg0yO*juAq=ioe0!X+%oy1 z+G(<8)yM9Y{sz(FR!E9YyXXDDxRH6CGAXecyd_*uuPid3SEMyd09`ul$#^uuCW~c^ zZOdO&rPrFt{n7vH?wTAPI*HKc7!Cf+%6q{sb zh2NEA>!ePcrcQL~mKOc>tN@?|&jUa=1*a~1y%Fd*ZC zVf{)7767ndnOwhO9-(ay(NG(#srR^UEm83>)?@ac>?T#4Q$8@4GWBM<1iNKE2qiw# z9!n-1UcO4n{7uwq@MkurAO*AMQH`9mub1}jf%9FUJ%jjaKtHtMqRRD#CBV#+oGf%Dl}o~dq_+D$zPC}2li8*$K8U2-1yHhx9$9KF-c7UY$9HAYTFc5gZ;H{gOZ4>E-^#D` znfDzueMfTkSlW$}EFbHX#+7V+a1Y8XnbMoH#`!n^t8bqoR|?KxXyEn+>gy zW9y#@@nb(d20I*bu|!M2{=RCs6p{WE`$IePLMu={sC#jdcTU@R*1?PJ4&g!NVGvD8 zmQ6E8s-SPBx+KT|8Bo$%>3m>&lH_)cnb|u@BF()&d--es53Q)p>MyJ0@IE~DQ-Do0{nfuNwTE_w(3Lrey>|+`SBZ|sB z%)bg7rq1>*EUaNKcZ^c>TUFOh3sA*Nsm@@dNz%f)c`E0{;Q2Ox z*S>R))(WSxe~@XWJNT?0?O}~xr9&MS__rN<1YvNlVJF(O%4<2pMgMD1NO=HAmyx@) zr6G+NC(69}Ltw#|yW zW83W5wq3Dp+jg?6zrXXGM`NF{$3AcN{tIeV-K*}g=Dg8 z!=_bv}S=v?~&lYz9@o$T&$YaO(2kFl_M|49uVc+ZPSAkglRc>RbfRPgYl5>KT^_3 zX(VC}o!0L(e^JT^A~`_~%x`2`P?T%1cnW7bc?)8^KP&Zme5iL6L8g+}eko*qnzkGh!U}^jaElTjAIm<=y4!!!yh!^- z-MgPDs(gVFR0Zw$Hs|I*p{Z7Ta3s?=i*d{RbB?C?V(dQVk^#3E(bi(^NLHe;+wWzC zV?&I``Ok5CSm272%^AZmC_-mVIie-2beF-{9@k_$M)2?9J4cFy-j>Id_VbediN4DU zoB3FK9r$4HLv?{W=Rc*FKQ5su#oyCAKf2tENZOVziGeHz^3e(&2V8sasApqhoR2oJ2u^vrk9I zdcrSMZ1l+r7z;W}*Z+Gx$~#i2R)9sl{9S9g@!LfJ-A}a6oUj2Qs}P;vcw>0A-(L_Z z{*(1tU4hXc0u1tEbkZT>tCh)0S-D*J(QTKzoF5BW(*{N?K>XCqOIRAU32OCav+?;% z54ARZaRigurf261B&W|rjadp35NB(69fFAweQL(To2mBs*w{K6o;Z`1hleju4=0XL zHR#>FeVe z+&&el`#}u<2{aT0b%2pA2XY5=;s3;EA){{5-3PT|P^%;G`HzP4AI66q_RvEK1w9A` z6?55TW$_K6)H*!5^HX#PFm_&J7!GzP#sDQ6BsYZ;MQ4z3ipnkL4b9RRv}m^vT=F4X 
z2kL%4lC6Xr^mHgm3a7bRffrOrADE6_zukg$blkwOmA!Mlb9*qpH(X&b+30j1r#KLb z4TP)XtA;@zZ!scrRj!K8XS@u`MS^K{qy*(cs9bqqOy$}W++@$v%*F01zcI3>W_2M@ z!{-wdUt#Ris)h5>NA%o#fCux{sVg^m2r?e@vUn@J6|K2*+~aWg9)7txJa`AxnS@mW ziLYV#ptJ%PslgXJh(q_LHm(|R2kf4P+0}5i`)wCP>tAMDhB9Y8Ga-USW$qN~NX^xl zMH=4QtDZf1L9_P))^X>O5C=evs!hi-_$~DDQIVVg6>D?(zak@Q)C=i1?|N8?&}g57 zhQ|y8><-144TgBJ4a)hjhU~BX0n<0o=cqZeK(nNvgLJhVPL8UNyq(Te9z*$lrv`B?6~9&NJMRX9e)V3I?ASq$sEX1SNV>qmML*$u9=C&^P#ge!M-!D z?_U;Ay%)0Rc!m-9%)*X&;3#02RlS(`9*|=tJDL{m&z0y??rE-sv{aWVn=fp^sS)be zKlQE9-E1Kj9i%)qa`S4A*O-FL<9D}`HDn7xV%gZ9#K|SJI zYwl4R8Nce}gmv+52*sBi>zTmA<$@3ZfW5>oIG=HlIhH=Vw1s|E+j8q|k;SMAt=@x} z{r1v=(7W)<%Ri8KK89<>$8XJJ=M%7c0}`th(!Sbqb4l!3CP<_n@oJ0m3a>YV#Y&gq z^ZA|jWOn{-TZJ`Nj`f>{0Zs*)${(`gPd0cRb_ZJ?AI}MIBhzM|C5idaqQE)VhDg=b z#(5oG&%)m%V3K`;v^{(lK3iph0)l#8>YNNGQhw#dPvqZXv_XmwK~zP1>3W-96wpDY zwtyA0-$Hv3#^#_C4$cX?*+kM9le5NS<+Lkmc z_5zYUiGbMUO95O(e`aApE+T|$r=HahGHevmV8aQE6LjE&A!D7csf#Q|Ma=+)L;i!k z>sgrK2GmsrU`bFP&4nJ4ZG7Q5qnc-n=Dzl%hdF6LFjqI8%#1`k6!^tefJ+q zZ@Y&(!RS^wa`B6!^MQ5iORQZ#jBsOyT8oBXcE2Ad#4BC!T_rGA#Q7k zeb-)Fbk>r~E|_z}a>sj$03R#UI%~=ye^*H|!7|=q3L|#3{2jmQ63>vQ3Eozc{f`-G zR>wet9_({pOas*w{?lemKNsU?jsya}2h+C6BD`57NfjeH8{vgd%~dCi-?=J1gJmjw z&$Rv543)bZf(Mw=Wz)gYy)`;E^b)uC$`2`umYgS&>f!lt5m z6fhu8x~S`(pxiJP8cr*kN~e$+7(Cfw;QG81J8I%WDf3U49E_JtpMF>+uPR6rZ&2iU z@*+9+$^H;FPoA&CmZ|!Kg>HE?JiRaH8jhz&`$jUKk3#SV)7BUgx_!!0&fU=Ykm&%% zlVwFW9-=oxF?n+iL026As3y7JH80l1wc5i1nPz!J))`X68!INR{V9bMda0E?etm6+ zhlF%IAno?IvBWgeR8g&w*>gqD(?ntSROqM~qXesZhhf9uFT89QeA8i9u!Flka|!xi(q z-E~osb6P8P-Wc7rh^bl^N^O4DCtWD|(G5rV1Ka&t=xdm-H>HE=QHl{oAJp8)>P*9eFqeN>pt3sTSScZ79_&1}>N`$%f_?iLYK*2N&!d<@d>G~yggk6JyJIhdEvmoX(&j2G z^d(!U9^BVAJ zlj)$U)iKJLXX{2}R;cLxzR;J&@_285p+Qjk!NE~U?vj)MLCS6~uYxDNYIQ^6Vi8)= z>-IQm?n(dZpE4SsA(D{fv*YQ|>7k@t(}A>@;sBF$u{yAq)>y?X5g~Xx4!Gww{fa-- zJ0-h!;=KrX=NvD*hz{q>7;afLj+#S;q9&)7Xc&pN=5UKhK)v^#x_)sJ^Rdd7Y5kd; zy^0?uOsp2x;Y}-*_Dt6xGyvj=nvIez^&cGhtsk|-#oQ!{!F?IAv8b>!6{C4Y5Ou;)akYueWRt8ElTtAzr`d^pBFC4;<>;3admKL)u|*-9O1bkPy_ 
z0`^t}mmGqFV@@z?NIp0Mi_#0gfLbVes9)6=@Rx3hN%Obg;eD>zkZkq-krI2rqV z`7QtGbVu_Q7AI`5FKTPY6I^!?i^Pcjox6$f<8cEM}|9*8kN`b$~ql<;@P>M#bVI~l1)o~#%%4lJ!iXk zYfw2|^waa59jIiCN}p=Epb-iichWh$age4IhEsoJ;Z}hZFQ3G9oT@XRO;yoRQ=h(hF20;0P4|@vTZ0Gf0}ck+rK$(vWxtc(SBM%t0>bZa1Rx3k#ECZj za~`QR2giO$s|>>$%?L}Wc`U0x!X^OPXiWXOr*GBjXerza_ST`_r1Ms=+pn2cwNAuu zmZ_<8%hs2g^k`CR9TW?_J)}~x`}y=BvuG3eZhG=4>bZH&lq4$+N8&dh<1;ak2yoWo z4b5y_c>j=_oIfY7Df-XyXy≷{MJ!$*#*2a>S79TswJnG{IeGz|_`HQ0I%IBLL+? z#P`t24{hiPwILg=-W|{4S=#IqQj+2xB;6gLV}9#iA`HU(o-!&@p<$ph4yTKUruo@x!ALeo z%ei^5en`ZLE8Di;L0V}*SYtPvMRH!=!|Y{!F<+RK5ZHASy|IzcNX=2`>@HG2`GKc^ zqya`(<}%LF_Iae2TyJ@EJV!C!HH{5}(WF74SxpF|(+L$vnxv5APH!Gi_w<;$xj5Co zYxi&|m=z6Kw(j^@cOy)o@L9P|OFoXX<%yCJu|ww$pypRwsxUc|{QW6PVF%W~F{xwP zW<8%AL7Z0L;g7gQzK01lTJAex`|%l@snKL?NoK){qXD+=*zn?&%MFH_Q)r)fMLLBA*_^TSJu-8 zQ_-w#aIz}FlQ`&zI}H;jU`ovC&MuQKPtBlMs)OF^rM2}lTR;v$MRcA0t^K!J^$SLW zkBuje6n7w8DY_xQExqGN3zM4kg4(M^CQg}eWp*8OK+EuDSb8-3?S*NZTqhEOILGY6 zfT(#P5@UdCHB}z5yD^1`tF^DWe4&#=E{*rL4{cXCFp)bs0icXq*f>1VvyneRXa}c z6JAlQ7^=*<_zca215$Bq`Mzgx$!DND?I^WkuUssSryX|{iR2-tiYZOLCzkq#g-ueG z!AHq8e`M9W#te!Fv;OtA1T(fIQ;AvlB>etum$5|66RXsalKG^ip|;k6gM-IbrAR65 zf+u~HRb_OVkOOlKJu0eD#mc;v>LbF#l+h#j^a=9om{vdpgbeZhD{6Y@6Ab*mjvP>j zW_uOImR>h7c(0T}*MmkQ5NX{6x4fV>n@Uui(R;W1npw{0b^Nk)naXI4W`NUSfYJjU z#{OgL8XQl-*4}D2LR``?I)S=gP6bBW56d(K8I+5`xbXNp8=@jOlB(dzUENL(>E=!j z6YnZwi(IuU<)-?>ULj3P0uknqD+*dvdfqkxN>HF z-y=uUJsy>%?Qoa3KfZD+r!3{)+gBxuOlQlYr>>J>iW=F8vjL1}LyAvPSJ_$V(rhG= zM*e`JjsGmLptnt5qKHV`_$QbZeoo`a#pU;5kwI$Z0=%ffx$eIH8c^HhCQn+PT91H9 zulX+jC3L#VrR%#lSoq;eOpuY4R4!H0n1B{nchcwEV1Cb@0SxvszUBHm0l}&6Vn}oY z0Q-^Pv6~Y>#-^5>Xus&`mxTR3rZG;fRQfUhb+M@gohQ9R*I7-4h@ZDLUQNG5n$7WR9tt)S(0y0SDwy))|Ja`=?BuAs*oU}nNXk)TWQ>(B- z{A4CNLbjmv=J@?CF2c)7ITU#{^|GQi*W>CAmy#mJPg`>I;4LBOkTGU(a-P12i$1=v z=rOwSVMIOAbTcOJH^N6c|!SY0kQ7?HZwl74qsE6&eQoS-5#C8+<$ zV2y)a))V-11Cvh^t+~=&%@9jK8Nc@5={)DeB*XyWnxN-$&kVZjEE<;^Rg?i0FC@YP z#YHuoX&O!+kQA_9lxua^ADk(kEk9nxc$%yf}2k!@G)@NzXA2lC6`~nJd9OO 
z*X5M8#{_R3F}7r};ELvW))eK7?GUKWF-a_nfI2kc^S0%^oWhUlCpJ>-pvFRg`PRj@ zpE7k7H#f%l-5Mf?UfY!ao%dSa)sG}RTf;yM1K&<_7EV}ibbE2irg*1M7g5fFP23Sc zSJZE5?mf$93985JPIg7vk!8a07$Ii^<3ukaXt4ovfMX9zpg%v5k9u8P(;jCMsG1oY z7c8#Rz1VTV@cq8Lo5kdm!m?i@XVhseG+WxQnrn+jQqY9|&g5b=YsvIZ;&IkAAu5iG z%sTGiH;|~W6q|PuH7b0>wAx3R0W@x?>aVlNLH(;gx&HD)v?EJ7=Z;+Op;~d(#2)-Y-pk=TU|ajb|kdatEF4!=qo+5VDq5;^!m( zJQlcEgK~&23|=ZQaF**oj}*FysCI5ilqx0HRGa_qENIW`4`eY=Du1=q7&P5CeD;MC z8ygk4-&0)dP)gf}Ex(BF~ftc5^4KX_ta>v_E9KL;0f**(nw zaDQ4^Perxo?^*@)-=LWiG4_nWo%@mN{V28MRePo@c$zbCW6?OOhSK0!vC2*YdWm3p zaMsqHEsLdv?Ij3*!L##tF71EEU}p^ru1rI`%x(DwhdF=jbl0 zbEZxr;MCv(4^U=O%(1&&_6k2;{H1ID%e5jyu!#HK-h{^l_9z5NP{gp7$%Xkl7rV5| z*J?2vl65N7128Q8M`=tSPXd-y;o%Q#i@jX0NPol9#wua+Hxh#-44<#=oq^F;wfz!{ zJaW!|IP7=R>wfzt9H?(MPIKcu7q3g6U3LZ#G5ZUET?^Q;G%{j3O zs?l_19XSctpk4PtkJOy>|+v*Il;-l#2 z9il}Xk;_29WRa^{b%pvrOr>hR+wkmT(SAkZv1JjddNDOSN6^5Fl4rBMnEw>_ZjW1P zTJn@s@5+-H5FrX!v=X{denSMs)r7}EIqG})1St7nO^a+eRT31;%b|6 zZmU1tHKnbgmab)zQL5+zh#a-pQ)LzEjV?SgX5m_d7pne;WzZ^(#Os+koPhySr!S!}kN(EK!wt+I3cC z>hL3rJJNU6 z?#tA)M$p&e+Y4Vx5AQ_y9-o?WH@82ND$){6ss$@T1;dA}5k=FOk!=d4SZ&|J?XyPrtpR_G^r!dFocBI3nVw5SR`b^_ z(PIXWq4bifuDMRE8Uojo;B_5HVP2xsecUeA+kQI4f!VH_H`T_!U)UAwj5c&gbYj09 zT5_>>m)bt=M11ne=syl{iV!@_HXLjsm4-t)cYQbsVgK@FQjL7gAMP6AVl8q9-3a2> zvf0v;^H*3*un7?pK0W08hZ;M!_php1^~+bfJC~&XsY|<;zT*DAxP`pGUn=JE_&#tRNV4V z$BAv9=2%pX#Iw{D)uBW*Xie~SVT;=h6uy8bLLTuU73RNDxK~bFy8)ZR*9vKph>JDw zz=#ADg_B7g=RoLC_lb@hF*tR#`5KUi#nydj$IDB@nJix^=nR@pz3MZtx>LmFN01=) z;tV(g0)=Z7aW3cN&m=5#AlE#xsMkw+luK{z0GPC>q71)(2hVfzeV_ZwEHm|BDd=c= ze3HS6l^0TGgX!W$<{41dgk|ofQC^8?3Kfu@y+6L|*vw>w-ia88zFQ;T5DT|_BMHeu`6OcNs+qpUuZcWV)vsGcL|=f(7Xj{ zn_N%e8>zCMReVc_#2@8r&r1_Q$ZqRtgPq^+8(e?H2|oCq%s`O%lr>2fcVw8Z7mU7p z@yvgMc1o4Sq0fgyXNE%E5iEHmS-tfq>{oFNzvqsGSuCc$opC;O)hd5E?x-Y_Te!;2 zp#a}Wy`QCt8=$45A3pYQzqg&ZFVd3&5RUYJU<9D?xAAAD~*ojD3>Y> z-5$Z7%x+{!AS9wgh~u1}Ygfrn&W|znM{NaNz!D5Zs3)TJ;pD}UuruF)4u_1`J$Uvn zw)^hW{8U|ImAz(MmlJPfIFi*in-O|@nH>4{@&PaFY;Mq+ zn-nOtmtCXmBxS;Vm{Ai*b(tqzPv}ETNGbkYGtt@Wc$Smd&){iPH`Ec 
z(_$)5UOjyg<=aO=w;1cv!OhXmf5mkomb)VVqIG$sY*}{x{cJi2kj5e@bbWT0;HE=#Ah)zw5?9Z)8&XmE2 zGH{|wUt8~w%gNTF<0j<4e92y0R3~*OEX)UQ`FpmpCdFTsmD-}G*%_(rj)six3b%qv zIO7;qcPx@|#EZ@5gN9S7(mHeaj(Y*GTS2Hn(=jms*c&t&U{;cd{!2SpAO3O~)oOco z@=bPIv)kQ{{75-ozv|9h1S41y;l0G?hKpbWw_Dd&>j6fsj%zrypd#$f%C*8;RW^BR zH)vFAC{PAd7}ypCO^tauj-Yrpz{eglEhw3=&Vv0+up!_=J8WY@&{%$)gHKmcV@(F>_gsXB~Y zeXz_3duMJleY5qCn8u^6-S*MfHYCQd^lcJyjH^fzs9EspW)r=hHdKn2FMNFgLrr{y zju_U?#Wrkx)xI)#U{65}w8*S+&^ea^^KNoV40^3%wm{QJE8{vlJdTVR;Zi9p%qfNCHmUj($y-B?1UPb zXmfd+_Ula?nD#4ao#U5%MLi;m3(~g1LRYQ4;MF^PgazStui`7+Nz=>oX9G*;#(?u3 zoW8NRmWUTv{GwAW!|*eEw(SF3dyZ%ArW=5(^%7zxNI!iC>8A-Lgb!7ZndcQ=){6vL z`6C%9o(%Q$%WQiS#zC&RoWW{Xig(yTTyBKi_RM^ri57sVN>bCw`SQzkTjse-n{6D9 z5Urwsf$_zx;)lp@B(!jWt@tAs#hU6P&0nE(`lLtN6v(?p#K@V@*@PHWZV;H8#Y8!9<)- z7Efg{Oe;Cage|^`05Q0c1v4~v*1-Fd(Q~L?<$DaCX4>}dN;sY0;n?PndRDYfW;0+s z032>@ziOVJg`+4Y`VYQ((tjUnCv)q=Un*yi+Mj9*Z#!&@usci5u<@b+EQb3geT94y zNZ{Hn5WPOL7S+D8$r{}N$&gI}jzk0R3+of@q}isF>Y*}#gb7|MnUmheK0#J{nQC1TL)lM>f|S8Bqrfm^xC^9T+8#yd+YQlNWT@- zDqoszTW6wY2gP3PAJg`)s7%u%IBM}6d*^5?Nv5lRjN8316#+ z0l_`Z%1pIJ_849HA5AXYI<_p?!vhMqJnM37#lQ(Z%k?`t7gj$*&)-M*ZEBL z%vKMxSm^4vjP!4QZBP=TqQ06b(Gt}aeZwyL{4f5v(bFr9VgNzx~ugP-V z*q4SmL$)S02gcsyHei+Hje%KD^~{nCv#r?kDL+X14VED3t;FXs+J()7&7QE(tf!yF zA@gcI-WZc~C)#Pt!mTn?+dKgjxQgxmJU%ma8)Y0EgnCDeIIpi5MChq67#d38+r9c79ZLAL1mzkTstFAaG zu7ry8N)`B?L=qiH>1WMV!9@MFhA~J`Q_B9W{>4RO>q+Gjn_B_;#0lTW!>SMk6jXR$ znf&0Bz%{NRw6`1Z1kusG$Ms*rj`=4T010j5mUnKE`!Fy2ku@_osq!u}wC@P;q!Y)jOvUYmO!tSnk^z`@ zfmQF2CHVG>@W{i+k--<|WjKWhfr44|2tC^8=XwU~)e^P>#0tuK6B z1{RQLME2zD$zHjW^(n|T@HV?5f%s^(*KhU7=xtS-Z@xh&?!4XwY9br}_I6``?S z^x5`U=Ps-}M6*WKc!fV?kyzjKD7ELULNnZ!IUhQyhF#M*n&@r8YMt7BTge6WlLuPH z7@dxShSeNy9STT>arssbXL55R6kXD{_IhvpvJ2zBE@2!Kk0H2}T}1HV|0u_>jgf>8 z4K1p1Q7cD)Xq5x!yOB|pL_UmX> z;68(IY&U`b_Q}C%2Zhi%YITm|zoNi`c$>pW7G=zSReFln(yyYh0coHaDF>}k2|YWT z&`gIgx;^Ok{`c9VMOFF0llx40>PW7GgixACpXZc9=7R+fhcsF+LH9IHF;-xFAK+A~ z=~vu~y5=9StJ>gRM?egOZN9Jg2$av?-DjLira9vY@oz`^CdQ!M^ghH?wHO4 
zG_#XUwyT$S3?Ya5-ajIJNi&74H1l`)w7mq%r<5|JC>RaQ@gQ=<;-qA6Xgnb;5_1q{ex+e=LufV{ zXGfO(GS^(a8>g;w!7}yo2gTemKfohJi6MPo+x1yX+O;bB`cLw+*bC|+$-aJDe=7X57 zNU5)+{)tpUR!U1)oGE9B4B~A~3$8yQe$Yv4ZyqfpZaE~WnP8oV-l;pne%GJ?n`*TW zc+k`4X%160@`gOly@(|1+sZ<3y2D>gu7?@5zdDSRv2LH7R6blN6MLnR`v=nrthD(B zJerVRJu-z;X^3PoR-O!tWF+ln`cXHH809Lst>;CiY#WTx&FWu7;?Goh&9w$&V22a% zbyJoQ{zL9^A_iWmgyAw=DywP3wta?x-TZCS{DtJXHkNH$BfWch|AF6yr@3*Y+I zkXqp2E-(~XXdc{8*_k#kn%2f1g8g~q01qGF2x`vyw@vzcOp?rf;;2OpOE!S9+7NPb z(fSvA#FSvlbzst%Ve!hapct;tKDpr*GAq6hoxcpz;#u32`LzEJT07F;l4P51L#W*B zKR3({oB+loC^XvlU5=YbDEz6hr=wvlR^|ZTD3*}CaHZAfzE}CyVEzT0@ejX4ol$w- zeUT||y!JP~t4;y%{%|Ztl(60$(LL=x+ub8ZZj{R76=tI0mygj86-3&-wP;fQiG4j&=>|rtt(plzFpX=UZ6pA)V|h!uG8_^mk7|xz1xw(hJur zd25?kqusba9iqUPzcMF-T2t{Er0OtUAXL}J`ENW?xI)!v8mXNLCAXEWyRJwvp{%~{ zaHwdnkgupmw?anAL-<5Z^!(A-r41bO@h?ZK$q!CM2omWC-b}P#y<$Nz%G_OJL*81@ z*$Atvv9CBO(v@xjlo-11xydS9cLv2ZgFil-bPUP=q2au`Qo_#YxBA1vj5cC~pnSn* zxAQY)@{6jFDB{ec78;IF-y@DfVy#or26Aqbp~x-zL5$B%c#WEvP;jLij8yk8h??yx zxvNmka<8Na&$u7Kdm&l8|HkPywzUire0OEzAC7xqf6TC)T>IJ=mPmMg5usKR$Lf zKT7!O?YXFa)K^7Dx$8Zc3}#OZ0uJQ_BOcFA!KRSd0X!!>#hq z`b7NfvP+myiH0wLhfs>Lb+S`q<g3Vu|45|5yvHH6&hfH9spYWC=5E@dPMo1Ck{R{5e?)J}5x{Y#6ZqiAs{)P0!-NQQR5AOaS zo(G?;^q1$MiuU{I8`_JhAO0TN%&2|bSU;XEV6r#+eLl=&5_9>HTgC6!oI^dx{VPS# zNYIQx$GU=wyPLqrv5cjh!qS$+0N@^e{*a1-`1F@bGV~JsLnSG1Tj)#HK3H+30yLz1 zhvNxz43s|5%Kyd9ruzRoH-qUwXB&r}TufFD+VpxAwJDd_@t@f`(KnW>g5JhKo`;)J z>EE2*L%Gj@y2K}@7vn?B&K+K8KbhXK9^Kq3lg^#ezibVbl<3aS`vUMO!|vIG>g*_G zSnOMw#UkH#7L3+49g_#;46RM(TJl*XQtO~?9P;R6L1ccz=#WwYJA%A84&1}XL)>6K z?{%GOC|w3i2gTJI`t>Zq*bZebq$7RN*(1blaHeaJ5n*iKUhn>$)~_ zXa@Y9fpz(sF~i$V6c)ZBnIZ=L@j3=Y3T`&@RC9IF6QcvS;MmcrDFLS=g;id~Dw&uX z2iVdROO?LQpB;BlCp6QM z(9G=oUN)iBIxN6F_FI#IMy;hAX1ow+kbhAgdB%T2d3Td9KD+L}DQ};Vt6mlBP}8}t}i_T6HC9rSC?U#6cAxKLa78ijxO;TNtcKYa0)SC=@9Ybp{Gf;=3Ou)~<+ zDtnK+1SOGN*P#p=%kz+3bG7}81r^cRKz#}3z}voH!rW?g%mJ*Bj5M+&Z34LqrhGHF*# zWD;eTyqR5Wh;_$!dBgz39Y)H|R=-wuY(=qyy+)vu(~tIK(~tjw96w|*!_Y{(cUI3s 
z{F}L0d-z%B9$o+e!TEGTE;-Uq7jn))+N2p?v{1wX+!l0KkY5n}_Rq2BL!LIiRTe%| z$8^jkaYj%Qi+{nITDlKcn6&(geLy{Yx;!?m2W;PfxHC9jiY5d-Vfi#j44KF>TVajrC;x2jbUT8(VIlaiRb*WApgj3yg?V){Lv3k+I1< zV@VdY!V$HCTNzIHe{nW;&HKy@UD2*+!b>ZoqgL0Lx)Xx)nvKe{IfT!+W9;yQ`sEFd zOW=0i`7qD-_tSN-VRlDqu<$-tqz-PSBlT-(7;H2cXHMVRsnPgO;@3xdmL8GCWTcGk zqdCw4F1D1kUkRx`)Rr}7jmQNekmTVvX;yjvva31Koq0av)&2wxv zuJH`ku2nL*Fa_?2Nx)mQ)Cqt5UI(_+{tNDz{3h@zTU%@)cdvUvg*oXYYp^;X-_=ha z<6$KoY)%iKodJbgXdFB=r3e2vya$UMp7ndtkrvpqJpXN%WPtE~lF?{2wvEx>y?d>a zd>s~+-!RT~L0VAfW059zetMy6cy`_IaqFja+wuo3pvA&Rm%?^n(X^}dbMKbAt}Jhs zl-Z7}F9C}gO1Ujc$Gc}vgor$A0SPV)wzEj;1%F$+Cv~7Z26g9l81^I~|FTwxXJ`Y{ zYJXz4bl%zhze7GN5aa`;hz#?aZGfTz`&ZrM2kDe}!v3dtFP_KxAn2BaR5RkQzbN}z zLbg36cUmzt4&4`hXheqYr``xB2D=Mb0o-{w{F$<8(VwD+Q?97l=m2BdfO4=jJtq!) zd^FtA)2H0N-at?c4LA6rt#c`Pl8k<9wSCN~9i*qT6KK3I26vLRR3&Be zl1YOqQV;A4l69CO;g!%&!@93mD0&o>J@lmCxT$GmHia@`HTn|TYix5i(X-cd|0CsN z`p=XP#+kw+6VmK&nhLT1oDV26M^Zus0^-2kY<(U(!?UHf7rR`OhntjIt}upc8LD$F zCf>?9;Q#8xoPP_Z*-iN{ysQ#XQbIxaR~*g2Zt+FeRQBn8NktAS-P^rx?Z`hCCPSva xXoRWt3Cg_kKNp++RDxp>`TxEKbnVkSAN?50cgG+6`+slD6&IEfsu0lg{U4@qwVnU~ literal 0 HcmV?d00001 
diff --git a/output/images/cclogo.png b/output/images/cclogo.png new file mode 100644 index 0000000000000000000000000000000000000000..84648693e5197d94f16f682fb26013ab77c2c602 GIT binary patch literal 32411 zcmdSAhdW%~7cV^eM2SK4I=W~<^a#;|kPt>6C3=lsM{gm71PRfiL?68~M3m@l^e%eu z48uG5{_cDKhda-D&U5xT`>eJ1Dtmp_K67GTYpReC(h&jx0FsxgirN4G9uxq;Dg@$S zu2^$eeF6Y*0IxOPDq)&H3;}^441q8NqQMXi2uy=H(tv4bcrXN}5dzalf@#42emoo; z95ggSY@9+gH1c4uB$z{ zQxJ^w!Gqd1&%D z>9aZb%lJ52!8EO4a4QeER+K|oR{Eu!rm42Lk(R~_8ACZ~J3}pfeKiMf%cozg1iyxH ze-9IPHZ%x%_cqE+H_iV|t(s7+gHTx@L;;d@FgtvYQ>ITpZ0cg4b;BElV5D+v30u9lChQOd99#A(A&5#gi5<`-pNqNwu z8fZ}s)U8G{qz#(X1}*+O(kvPR7Y#v+mcT_z(4qry(E-%$K(px%9C8P3V#puZ{sXT& zAJCl-Y|RIC=Yxjw0Ymw~p?uJ0IPRuD<_J0r2W`dy4_aiHT&{KGGx!|$NOd{ApX zO?N)cP(Dp-KDhe}xcfV}8*}oVr~A85>v!$$@7k^34O_p*4V7a}R^cs{0Tyd zesWF2K{FLJtBruYdcbBk;IJF8+Vt>mJ^f`F=nz41*$uevB)l8~+_sZncGKK<(_D6g z?=dt4xE})E4}mU+Xzqt-E++x^7+S=PT&O!=Z75%8C|`aEb5h1LR3JtJa;bJ(REAns3;hZ`hjurMoPDvbA=yyLEGM z@o;nT^78Wj9z*v~JYp?O3=nu|YwBQ{m>+;n9Y+~+3CluVMG+8<$Eb>F;M%-Yw!y{( ziiD}+8KzBa>Gb-wnu3$-6LBG7OdCfP;NAiN_&3*w|qw&-?PJPf@oX;#l ze01A`0)7L(O)Xvpf$WQar+iopf7QMAgSh&`5BAS-*6hf#rl|` ztYzuVNrP+PsMW;9=x9@4x&1K7iECPq_>U0dW4)p}xk4TbdRvxW4HvJv(Xj2_B)on9 zp~j`n@0g>fpuxLV-8!qpdgq0kdH1Z-`OOyQBB?eImLh;m4mU}TCHc4J`>bdHYcP-n z+jDt}?*G5FsuFy}+eY@kewfD2)RlLvzalQ?$?RP+IrQwg0^lbE!$lQ{H35Hs6rKvbe6HFK|I2;UGD58mK~b4%2Pq9K(Ab z1rDYl#tfZ393wV7SZP)n)2&$@3dtSn%RSWaBNF)>Ux4;c*aW*Bf8Hw-h@ z2jF0oDA+8q4l~LBJ0&if|F@@95q0jc|F?+Zr{=)GCg;M`#K2yW4woj?r>Fm!a@rI3 zA`@0NIG~}m!Ra@?efHu?JdkBQFfprQDQ=VVr;Rm5T8bCCX~h?eF-#BJ>p2Bftyo6- z-Y!SWj^#uJB5zzqrnQx#F(79Rjw}36se9767vZpsKU%Md&(7_~A0y0N4%-!-{hXIf zo_`nn=PqGnTOMe_i8T5xyD)=5X2!2y`-U@imit2}{<+;A8?KZAV(4!|!mdBoEW}AK#w1oxoD8${=%;5 zD!Pl@K2wC%P3DZ7CZ#f5{&Pp^aJioCso8ls7q?%ca)|B4d17Hcj7%2n7#6v;YN;(5 znUUQD8{||jS^cwV=}(7z#8TUS%a#AQ(*r${U>S6Wv8qY?fqQcIxXRA8LXlFou9St?a_R0x9K$b@n93n}d8a;VKovt^Uo*E$&Bf47f`@grkCR8D#&H@Zk^7f;nX;@P0_^5O z=q9;Fu+wMXah!1)3i_U-UxAp&{McT;J+;lQR$ue7Br|~`a(^cz#3lhVEGM=Kb(E-V 
zx`}(wPD1Xky?#EqeTKQ=!GkSb26bnoJ}h=)9a}r4 zQ3rXVx`#0WKDH0-Oa(~G5b7#^ojxShT$YEV_9c{W;J0k-vsHXXd6rizRLNg8x)cZI zy(j$__D;aPY}kVTWN_5`p3M<1%Gq#~L^W^`m^9)-$8%jY2-}Y#7VO25hNnp-$ThckR!P(Ayx9Ui$Vb;Bu z$$ToI!ip^&A$NijU91T4xWD@SPC#5nr!WekIk4{b`7^~DT8L}y!eaeb23`7-5s86K2@Xn2Fm&)<@D1{N2wuv>+lz)UtxhD(lwM@amrdU&BR zH0XDgG*&cNc;udKnAX;JH~a_t=t((x<=4RRoqoW~(*k!pjRk38*s%mC{(DK z*<-TIy~d@<9Hui}>R(!jy67_Mjd-mZ?*I^Czk@Y$boub#3Y`v8RYOe9exTn<59a1p zDWBE4hlS~K7)Ky%nk{NFvi2OJEJ*(*eZE_GihXQM77`dMr+v2@KtGY})tfwC^4^4? z4}NrbrYIfLyk38TUU~CWnOQkp6Uo1Ae*$B3OJZMgEj<_J8I=~_W zvV01^m!eEG8OPCk7?K>AyxeudZD}?=(<|9Ra5^o8&qIZg&JJYHhO%)|=DG7-A`RA- zXg4gN;-3@fDkDmaeOxf>Z!k^B)f$v-!_jvJ>F28Ty3Mb>!YNe#ZDdA!Wdz3Uqk};q z4d=TWdF>%*dF#Y`an|dfvK>sg3Vzs4$KdKMyVkH`N4GDkusCD9jAzkq{@BDj23lkh zdH=xx(*qo>S>#_F92YLxx)zfSKR{q%Cg?>J zqJLVyF;ELlv!c)!!a*g>{Is^-%vMu}x}fA{hog>gY#GPJF^mW@ML9V}D&APfz)Bli zjTC4Q)MQ)6xE2#|Uw6OSI7mr*HWh7VTK^_KYK%bit+mvG^z-)tL;6OUeT+}zml6dfEUr-4FF zGtg9gHm97z_HckVa)2zdEGo|yt5*C6mx2jGe9m^`%#C4mRTrY)rzD@? z#X-_0m{m!)Uh}<;5*<{cpQ7lI0Q|FvG$>jLk;d62zwox?muIxhldRZByYK=?mD2F< z_n?uSRGNU5P&*2Iji>D@3Yb~Cl0_>ZGKD96M*@(Kj~{b1%&a{~;>}$?`&+|W@ZqV% zlQYf=Dy&6gj5mOO-Wxv2gE*MSc0B|xT^olhK9O13nJXq$bc~MV$RR19MSPa1`%iaf zz~7$`R#%_}g;uN*h1f0OfeixI*H*t1@_KUA%i=7yai2JBk!h@r$p3?l!Qhd$d;7`F zv|4U6{(7ZDgVXl$=n4CvQX9jz$9Pftf*NT)xOQW8^h=mg1OoxsPB(B#Hb0yo;osDS z!y24qg4t5PGK(ra@BPpXFh>{C2h!s)+g%<1EONsf;&s0Jp3>JhC@Yh2kmu{mfLH2X z6*7|7+Nm$QQr{Qq;lz5YR@~focZewBJ_Xt8AT-lQc3=2-rKHk-RcD{ny}a_{?0i~k z4WNtNLCP^Q;{L;|*toN2(2r`@=b+u>aO;@A3jKRxGNaZdhztBYPOzj9`4{v1!tw>c#JlfaA%{LpFCh>A=53cic!gmv>>t7oyz%~lb(8RK>0KHB@@iqO*MK}fh@ z06l z+B0LMHnFI!57Q7iR$UoR|H7{50665u^jro-8_M>#2SlWeYqa9G&9{Jm@Vu<6l_~9g z@M=0c6mK`#F-lA6KbOHJi!Owo4?@%z@n&kp%(at?`3vH%%x$Y!*!7`bsa{#UsHDFYXs%~sMrs#G)pu>%EFYn2H7MFFftvk*>=YnRmSqYK>j|ffN zwHbx;zZ|XyotsE~o?rHm;J3l6H#&r4IE}Z@)}QXKqk~XvKdY(Hb1~Q37isMBqOMHe z{RWc`JywPop6fKc_s3{qIv1!o3ZFdyAiWs^vxIq!mK$)kkBt}0L6*m9l+;T8gB7U? 
zl~m)}Ng3&B(R}a5$LISf4f%pjb!WiK{Ou)JY*&iu|t*p5}+NJDGu01Qj zMxv;lop_&oaAn~w|Mgg3h}Hp}>gEWmf*N_;5JS18dI?M>cGrrY%4Apks8p4~XnJHF z_;nYup9Z&UMy8Oi+F53*Uv7SNJ#WS;jY=JaWgb>|lpeAjjW+&yz6R%fn@%z4E<$nk z7gPUT?^mgDHNz)DoR0dQ^!CJXjM1Zmfmk}|VtVOzi_}}vBQDW2ecwWtc?-y# zS8XU6D|vcX!tcs5T56^64I;JYJ^cSmENo^NATF93jVe3m7UUh=QiJ}gw2L*_wn#qp zaFN+lX^1{hQ4M|pb}2OXR|=_6ZT!!N!@*_+P|w)50{-po!17Fy90+iax^$?=gXckK z=97tv5mVj*mmc)L3Z7%$Kw54-x3Z!cutlK)2we_^q|(QArI>R70@!#!3MX% z8>=a`b?YYcQu$E9lBK>0wHABPXOpq) zwjYqNb#KwC)8)Sr2M341kpA6=)ni!CaEprkb@FJ;!u^U7r{}UEmyq2E?9})YPpqAB zItLdSMg9K+{sM7{Zy|3S>=!>-CBmQo7@vqLdT!pzf8BU{3J=`hh2EpGmfBihLhFsn zCimxpuw_vw$Y3A-q)jq*GwCy{8iKPPO6PxtT{|rbr7I|7_CaRFzgM;1VlrG;z-YJX z`(4@nez!{cC3oeopu@_0r;hZt=cuhYD0=76c0VS1%c2tJ(Y2KO^&Pyg57G+vTW)a;#L^yK@*-XyvcLbg@=j9&w{{?{%UJ!4u8E@qS7Uio z<8TH>f%~qxER=lFi&t2&8npRih}oc~S+CRFpwnh4NU;E~iGp6;Ys8LR^xVJ5Va9re zE>2zStBozQ>t+bv(>47%Wg6(~=*Xut+wgW~+O~0G$Hp+-VH-c?gHzxcS0A2W1@QNI zE57DY?V|~TSR)J*0BbhAY&HkfZZG&y$WYKDc+~Cc=1e`@q(?ZGI{h+@e*pKa?)qgSVbIud9#eJ+%unV;hPb49T9# zPsR^77ou*zz%ISd2_iw^mPcpfasM55o_eB3CtrpW$q+@)V;)KBbVlG-EjbQ1hOY*o8;FIekf4nY2-v_36-L z#$gf*`8Y*G$*IVg#UE;o|=MoKaN)W_5E&C9>?eUAg zykPzg?CCo<6Ag&%tyok1w>w}G9Gr4r-1%jsx;^U-Zq=65G7dtcW=kvuXBPpL(AdKT z^CDdD$zkf)uCdi#@>`qZb!uVt%|(5?r}YPp1OeF6jbXk*#=KKz_c(x~_p{(2zoTIJBP#>J0L8Dou&ET1o!X@`vSv1Zfsg3a6*PeUVz$SlLpHa1A z^??4y^offAqe<)BH23pHKcYu`A8C&oD(jLW-r;O>91c|m+x#oQj#;xO;D(y^+5R7X z&;yPimU1r2pYPO~Qd5VRRj)@N`$m7N->+|to3809S9N}ht}wh#=88o$j(L3Olqw>~ z9GG$GiRCyT`A?aG*lK90GB0hNn!pb?lZDb|Wlk|v-%L-(9O{f2uE`kJqAdZ*86a)|wyb_um4bs4SNc)v|v?wv}^GqFzB4 z|Lc7}>uhgz`RMwif7u-KQ}EIGfp@Csm8i6Far-WH<|MvmP0Bv$NSdHI zr{g<~(F#oZ_y=yX$KdWwC&&n$Tn^%|@S60TVAF(aJiCIc^!1%?u?hC@AaU{f^yFOo z&_O06nD5!QoUx|lUMqtN%}V*?@omJGy;Zee3NFfB29Imivc}=F=W_r7XZ-DfE@K z*^24EjkSEJr#&(GC6Y~1l-Q_ujvVsf@0O>dqtEu3iE7^uxPSWGuDSt|98!RSc+=lI zd-~SYV6PkJ9pmT`{PwR8B8|erpaB-_mn_*MaH){e-|C**RRv;>FaMT|WRQ*U@~HVN zlHk}n@sT_}<5ldq+n2rlaXfVxPb{!tW@p@i!da}Cp4`~4(7^FX{12K%e+d2+gyh~I 
z+a&FV^iMrEP;(qK+C^H8?u}EDTPtOqrMoa&{xLL%kB+XaBa!x!{$I$eO^oLb9P9GX_e%DR5Xt6wi251h2~bagq^YJ#z_ zn;)z_C&M5R7GuQY8R6v6@<=9U?bN^sH6!_JKf{AU>)4=oy1!=cKq>XYVWuR!Q`IvA zBNmlo)7G%y`fo3GAM#V|-fb;9d7e7IGy5-7#({u`&?oRwGkQaiPbk5cN;r#mgoq*9 zN)ln6($+QW?BpzVZ|&>aNXSa%*EvGUa2=5HC~WZPjnPbQSF-nGE!~$%A+^t}$($T^ zTaBDK`1NkqbCL@?;NNXymyn^;$;wCBdg*KevDh0i9`I!VB0Z|96@eNR^P zV!ND$>do9whZWM@w&h~}0T@g%tH3f5q}z?1r+xPpivv8a_5{0#T^tGqTx{8Y?j{{! zFF!x2JarKeyhlp$D1JiE2Q}P4h}hP5=#y7%eFvQAL{bEm{5g`e!P~TN_x+AI;xjci!YyYU?rwK>d=I6W z`<*Rm%gj-_*EL#m`u=+LZ~ZO-+dWQO59MHc&9Bl;#19u5J-7M?_nDKkxDMnhtBzZD zwjPV>8x6YWX7(9|L&c3`BgUR+n#-?Ze?rv2Zntf63LU*bNubF2i8+5KDclGV2)ZfR za`wiI>bKjdtKbb;$ZR=rcK`g71^2MCfTKrDowV0@w^p}p^>bBuSIQpkdu7f6t+a^ z+_HeguD&8}eOu50kyZi&6D=J*J)b0PO?vvs5Q{JxIa%KSrDSuHR8ZwUa)?&Mhy4M| z>*;(f_EkvNHsvIfCpp0s1n-vaS~>oDEE4ld2B)|uaIB%7MS_B8lIrPtSV287) zY@xB={lco5^%1RBOz6Fga9xCm)Sg;ohr&cf;+umn{+uCeh5NIB)oWctrf?Gpzrr@F zRNSK{bZq`_5%%moN$;>W%O;wWehK_k&^FCEog|z-;U=E|ecNmSBQu#BOd zvly>d20Wl(Ec<)k)y!lCfAn}$qg%B(Jm|&Aes@mlyIQhez3{q%Ba^VdvE)>nqe2qTGZkMd`C^6=do%={bTRl2SH$k8~2QCOdDB~jiXq_4I4jU0_75Tz}ej1rn3+hA` zJ{P?$zRuz@;pU4A8V1w>V(knS9|Zbk=0gxEK&(}Q3Qav_YMGKm(bQ& z;tWMN#tj}bU+VDqEPHba>7D@$7KGyl`ks=?^KIOFNr7H^lc=cJj_m!)!Pfs_C*?N>84<>gGCy=Cy6-q3ia@DRQD%muHW(LRu zn%?goG}`pJ%%DjbK6e!F{EDvgwae3IdL~Tl`R*XFN3LBNAw9w>=jRk_YDq6A4M3{n>ZRma)X2z8gY0B zI+zb_5kFw+6)?50WBJg>s-)ggCs&n1n#z0s;D_0;xEMWk0*Qd$9V4!-6CA3~Gypre z^`@uvPj>LBtnu4|WcuxVtM7;=X=>1`pz8m+(B$iWzNflPHR8JqwIiA~G}9Ijm@wMS z=9u=`!oIYKl*_@v{}hj@SUaq3nARq1TWRl$$8xisTe}Fp~xOv}Dh$5MCXEwt$x()B+~(7Qis?Gv)@uHP?TRLp5*U;OkIb+q&R5pSLuHIzo&;H6!}eGd4t&L@bKn=^l+02KgpZ*$K zwea%Ee;|tgxTjZ8xF?e@=~u)N>UMN5v2w36f`~du^`zc5JcX;z!Tn}|RDY2=b~@A~ zSU>V3-F?{N>!Rb_A*(rpDfp)y_*8jRK9d=ZBSecKLnzqe7Q*;&u~ofM{JccUzuyK? 
zEcWvPaG6r>OafWLezOzVW=NQFwpnmsZ|&iEy`A4TQ+-swvP$Ag(x*4yo=BWKwRf^4 zC`%f|R6cJ-Lj0W@?(f|TtEX4`$y@fS@=HklJ*iBX+)jo}6RN4Yg)kyXu%8)wI9nlG zJaxanOv)0l{p@Df^+>?viNh&E9vi3Zj1idw;@&a!l^(43K$w+y~bxVR2T zHnTgdYwzakNc^L!DCt;}eIYdq*I;vWM_BpCU~D}c`-~aqL#OdZoM?zV;{ifja?RIs ztSYkfuEfuGH#k*T_righBdxue(`cbDWidB0m{DXoX4Jk-2S3Zx7HjgyWGa3P769I* zoxk^&a{AHD$qDohalg5<*^zH`^8-!1l0cf8Sv*bdR#)yti+b*_bJ-|nsK7`ZTDw@TZJ7S!gI=;phwe;e;>ZsX+J zkx!~BWCJzy{#BU@ztrJc@8H%lj1qIDm%+W50PMKlBlVm;06IVRzl!g>a7)o4{d7M( z8g`Q{`~W*YPpp*XswL=4Rs98UH^u3{`$XrzZR=I2CT~f9m?3RV$#CQk4|gZHKY`!h ztp^2pyJHRLRh3vN;4JvVpcWb(baX&%`o@$cC!lsK zIjNLXN4Vqz<=%Qc9ZBE#!PocAn+YCTB-uk3(ES%PiI(yOP=YTj1|YI!;p!jB106c7 zOuhy`pi$uW?FPuIcO{l&HFftD#^twh@322<&W){B&a4Mr%?;mIZwOL7&*mW<>0h3D zjxNbUomC^V91$lsF@ z4VIb@+Fu5rF^4 zC{7$jep2EZQM~6smQ4m-shh%y*4~e>Y%MplNh;OUHeHp5UnKjP{y z{{A8|;Qo&mH6mzjtna7DjLl=v0Nx*y5eDm=t1L!8)RfxNy``;?!c^l& zq=4=6_?yRu0~AITkT2Tb($pgSLX<}24#U3s^(T%PpM-KWfBJTd8XB)n_7X7Oe_%u(QJ9@v;`uinTq7!^f6fC zER#lcS;SpgvVs=L!$9-=2bFkoTXTb_VU{z3k@8%uYCx-eL8>UOjVUwYj@(_y5V!Mh z5lGj0Ds$l>~psBGCLDsPu(F|Z81iw#Zx)Y3<{X;iP= zPR0xr@<}t6`KDNHouI|UjMxs7=v;!bGRkzAe|#cd#{44$fF z^P+7xz0@MuW;CYUZK3sOTR}E54#4}+E2rsoQOYpW1G_^KZBN(jpOcszu*!^2J27nl#5y$x1~;f4FvEd?vT zBU99Jq?0s>_O7~a4S~DFd?7D(tsi}N(!f#eg+s}^Orbd{k0;^8k3@^ld`;SuBbp@U z=Op8w9EGEj4RJcCx%J($XHm6Y20zD7!^D_11K8w#K#{kzyWc`KDDA!F^2YOS)A;Yg zBTMm%n*r+2ZwBCRVSRrcN-CcSOG!yJy!EA>EY5=uRPL0OO?De-8}Z(JgUbF|eMg{P z|5cz4GEyg|_WLW^@z}b$@?>DScW{Yl93J{pTHE21M*asCW*SdY+jDAfehsmNsYwqy zk%+_uRRsQQ04{zh1wSVR+|l2BlGatKniM}|{GscPDobr363Qs7*?fg{B8&XGU%=HT%;(c|Vca!}sezj3G4;pcX8kr3d zK-g11Y8@+RJ&+WNf$6SW=4(@AW)#}Lzmd1vA8zGl>&iiXB>nChWD`+>*HO-vtbph% z{=~o4guNlkDIEvmgP=?EKVE)Ksb?(4%+%Mo9ilf>N zU;VQiB5Et|M(|??vVNYIs?2HL_=n&Ya;(U8Nub!C{?t8Gg|}=IbgoB^E;e3N^X-J{ zI`Z|!CwoWIqF1gzWFXdKSf^3h`i(|@r_QGesMkyOi-t_k>PBquJVkl)cc}Xg=>itEpY=0jIV3sJ(t!fspDP<@HpnZ!QpU1<0+Z^JBHB%=IR zI^~4Li>k8+8Yftv>uN@9ls`iqc1&0QeluC?$0O9s#*E~lIPD6gwiL)F{4v+_s~#cc zFx)VMAeY=R^q)zWsATDxcAK;9ccriQ9x 
zP^ltf=eQ&g_~D2T$h`bb(V3K?xkf{pN;|flLa73MTDEV*OI>1P{&82cx^lFTiI(2P z^sf0-uooRNip1Xr`@i4X?o-Z1HW?K=--d^e`ms68h&u(k9ycEb1m(PCc-%P#*>wOP z5zdRCqZxbXfNy%~h9Q|`T=YL%WV1)(alHyeK)y)65%@~N)ETiE!|r^%Sy-?2kJk=h zAE?^yHg088c?9-$4%Ld-qgU?lNmw$W9AcmO@&8$F8=a=ef@(v=7Xf&A+4b5vsOY0 z+&OVrgCQ#Y)U3ri>wZ3n?I%Q^H|*2Q#^sPK8gHyL_$+gQ9Sc}<9G7JY{*+zYigcVe zybcbyMtoV42%S$SP}@XewHM`5o!}{dKfV$&;a**0K-iD$uJyoUdBgBjST+k!QMzHK zFH?JB=12TkLO2y>zC9%@TrIR*q>xl*0PrC@(x&jwfs)8hJ-KBah_AxZQ z#`d4k$ryR{v;hs66oTnP)Bn3u^Eo8+SGB1GX?Zi-$f1syMpJ#Hvy`w^n| z?1jV4L!S1ks@LI9NKGro1V=nW%;ly=BsgdSJ`6;*$gv#;=^WJ=6RHmN#a&P1M; zZ*W^PEL=4Iv$qd0Lhh4DO|*u8F3ZZcjE4Q;^M)M#_HI1NpU~O_5w!@9Q9#mqo^2d8 zb8>HQwEx|w(-L!=h64Qq`8iu>~~Q6sREd zPYAwS5Y*+NRRvz)zL|P+AiQlg&H!zbR({9F*$;={hUw4KwwkZMBN*ihIV9!xJ5&|B%dt#2*y^k=(PWhdJRV(#E< zKc?ioqAtpD|FNLaeeM@CyvrYT(%EgX6D8a7@#Mge*F!#Mstz>$;zZ9XrykuFqXUKU zspJ@#-x8wfypG5OT3rD}Dv?7}Kb~@t{fKYo9$K;(d+E}5)`jRR&wTVE1ez=Q#Kd3j z3ltRa^$WjkyZIjk|F7hA!9;xo)dUJzy(|e|hLGRU1*mrtbXUdNq#9u9_fwp!kUfP^ zm6bmM_ZwzH6L0nVK^0Ghbl{(%Aj}Le#qrYvHj6UxS2bjjg9R-W>mSgY*-W-f*1!UqiR{) za$Y{habXN!5trX$_sY`HQ70i~7T-vJwc}Ws*-D3!AEZq3dn4eaK3qg%RA?;f$r*Vf;Jp z-VmAsDSO|TuJkDK{Br{dFvp5!s@R|Qqz!b~mMhe21^1Afn682x7SVaKr_vPXfb6NH z(aZkYC?B7c|A?{B$BMP%Ln*yqys5`~U@OgH)NQKDRZ3i4}(l5 z4eL~&&kJ~cijY$*A%vUVvdL8V%W&Cw%lF1a(^0M&pC5fc`lt;~elIUKKs(vSP{~ae zLd8Fu{vayr{(IML--Uu#XJi%o!5_NAp*P1g?mwsS-#&F3xTLbQdMOAAA`;8(vHJZn z^lBT(&QI$q471Xrcg@bzUQxI_>%4_rVEM#cBO41Za)5t%o68SUu$k5bO2eVd86jbk zFTGTX58AOaP8o7PFfSuRboPgsQd#kK$u^Xyro63wqjVFX`;0|b=Mu71rk^hcStnGL zxX8YE(59SWA|4?;AUzO>TI{V^EV@vs`=SHZb;=@tk-hwh2Qt%R!g63iJuI}J8K`lB)aw- z?8EaaAQ%m!AzJqI+l@Z7?Tg7gq@c2m2I{_wqdZGFV%9ZzRMGyv)}CDz|MfGGns8{0 zS$@LpQICtv*~HYtQ)t<~(tF&t>%}I%P$BZy@YNjpfHctQZjadW@bf9AVZUYVZ3v9> zVwckEo8*-8TN({dr^cn89H{QLkq9=7B&c^-Zcy)64E?5xh~>9oenuwDY#rZ5eZ(gC z8a>EYK4uoq0$1b1zUldh$76HyA>oT~%=$$k(ZoBsSs@`7a+eO8fJDx)A9T-Uz}tiu zBYwi+PIiYzBgFHGc)Of2SIOJBMr|Xq5q>iQng; zt=Zi4tRb?0u-G@Img*iRYM0)-cJ4TcQ0qOSTWu{Ln%*3WC1HcKjv?N&@qB`Da|_^0 
z-%YzmRraq03k(PznI?)rTG3o)Htfa=2VXX~fSR^I!mw{9HdUU)DBW6`jgsF^IVXlb zqm!Gep;+M-y86d^j$$GW0o4Yqy7(l}Z|mN4dbL=KAdms>p3U5@lJG+%AHwx0$)jId zz~Ah&fnG{9UcBRoSfCgSE<0&;{F&KDs_<|Et@BBf4l(j$i=#%(-|#Qu2FXu$dm|zR z*OfNK@}NC%EWC1+($^2pOQO!oQXc)<4l#Z7c{l4XfV{`1W4&gA7p-$V-9gKgL|1ts zS2dh*Iay}@cOY$#&YkLw*~X(CNP;PeMcL32t3$yE#YRZ0jZs^bdJm`8B5n*v7%x7$ zxVW68sAm3(Xme@+X!Hf;%Cq~M@ZFHYx}1U=-Z^SslFPk+E^?Ak6NpRNAmx37zYbY3 z;+7@mi1Qi#VZ}b2OU%I&d!(p-j0I*{hM;~sP|z~!%fmR-zP3(_g-2e$VQwJByH(r7 zZ#Iwjw26INd&y9?sSgtgYLS2S2}aNOm<*wPz2k9X&K+&W^3+itF500$$jo3~r{e99 z2n#e5D$Z9%H$Niqn|$Hd-7XDhQdQ(i zh=-}Rf`-f)kvsaksUQ2)g>{p%Z$TWIet8*XKehr{S1d?}usN$~qlHBMZz&w{bFfn0 zd3pB;YT$*Z2SZo7&F9x1YP`|lD2iVL2ll;ddFDAAHJb4!yDEMj^q34d)ZriHoRLt! zjN?u@|8*HaUiZeAVV3Ag-d%7Y@;6f%ZwxH&Gg`m*#Fj0SDGUF@85qQzF`&PoB;BuD`8Q0$=o-$2zN{ILrRrWFpv21fP z{ROhV;l8&o-Rh%QB>EEpru;9Xcm;8o2rL$SSKld}&|d0KDK^yLBn{AoAGGuy@;}+Y zyR{do@JB15&zP!jKKTMK3T_t#Zj{M}5t*XG5HAOLjuWWTFq*aIwgtYd=f}l$3BbhJ z>zVvB=t`C9)AAt1ZQN#tNSQ$jj9uajHW2|f3~g12mpcI$t2Yv!teaDXotjvJN#Q=MAsG51r2oMyb;PXOuVccmp+_Sn5`FEx23pF9;>mh#ckCdR?~kja zaxyVHdLx3oA{vT&wj0--R-_B|QkCCME>&4VDY7}DS&s;84Nht$d>l8=OMFJ>>40~- z58OC>A8dO6^&Mi7Po#fxTZOA=YViGF=IfHiHX^BFnPnxq$)h6iz|#HytL-e~qWYqK zPp3$?bf^p^B}g~Y-7s_wDP2Q{G)RfkAkEMXLka>)2}4SWl1lf$J@|iK-21%0ug~oH zti8_OYwxqy+TWivW1R*(T54;RnD&^X9OF8}>y~)gl*6n>x=!>ftT02B{0KI_GBpkR z7$#@$3B|yX(T_#l>jCN@YAFOys{|o8L3kaNLqC904pwMSt$K!w;w|c(3)y|8@oLc> zWUXcrDEG8|HagwaCM=w7R?GR=K3T7lWuRK5@C!&(8J$?kw5p8Sh4JUC8%+w_#q7zK zaA?Lds0(^F2x;{czkJF`A;w68>h2s)gvPLin;GkuMuEB7n`o(%7x-$_n+S^jCc=Yk zs49 z$+5Pz+(E<9{ABb>l7QT9=4lfZuV%4chBZ zoST~%eZOBn%g|+DCZJch@brE=>8W2Yacz)k=GnW?ql8SxJ~y8W3yZPtq&QRGcuS`$ zliaZ6%IiTEipZZs-Emy$4eO8I7m^SZpMr-*lW4!@@F7}XLa8OmI8dAJY(u6@S-Vm( z1d609?#vun?`i(d++mr+qs#m`b_qvLL6SNr8ai2!5+@4e)5FJTYaw@=>sqRomA72P z+3wC+u;)3tu|H#XqKNkpT}4*$u%7rN$zHn5Ch>&EJV9eqq`7C{-nVYTDvMq_M#8;r z1}>z5-J=giT@HF1Z>F33e}bA&?q~6+@Rky-C^i~d4e@T7`m9rSqCyXbm_AJ#=@PlF zsj$XZgXO!*=Xi6zv1(|_K({Ctf?vLW!m<99mDd89^IDklEsnm2sqqGTJu2%db`MF% 
zIsJ!w4p2V3UQ8bN@(h=7Vi8j4`>q1YMvm)!eLv`75P!D!+%|-&T*D!mtrS{%CuQ-o zyQoR4@%>b3#?oQk-N1l=GDy_8>$KP@v)0EE&bM_@cpWO-C}lAq6qjF-HXi+JR0lR1 zU0QNuzm)n04SUQejGT}sY;#B6XdL#Dbm*`Ap#$ew>Zz$dRMI{&=Ie@kUD}|eT=bsY z+qa;Q0@C*bKX_(8#IFf&PQtn_*@ws%8KizrA79VvIETXNi}pt8;(*M(0Z3n=MIwCd z%3CPiJn%zlSqno((u#g^a#NaX6%PG=`|8}v?oebJbgqBqPb2Kk z+GtpjuCkSYJJ64o#RF$tW_BiRaInl@UbSf$cq-%a? zGZ7d@C@U^+`QCUPof-b5pl4VP-@>@IUN|%zeV`0ns`<8_@>Kd%n(eIwsYUH!RP!lB z8(nD}M#AzQjjd_5eb|aCS-;A}9S7bqgFgX_qg4jODdzk(&AID#N)W$Hs)55^JaNlh znEvcU4vFeFnp}zrs2Nb{EZPS)!HE-=1`ut4n%$w#mU)3X%uUp}q z8d*APTreo@#dFH0`F*(kT-36w@(H$2^b3{3wU{0hT+%wA|>Rb-nXcq$PQX#!2=HJCh$4#Jq`n(Ne?mI zred&*lkUsK z>ka1C7#Dk+ht9y~#)@PMLJA(Y3mLniy?(|o+I6dMT{UakjA-V|m+WvLQINXS>uQ-L z>1dct#QKpqJ?U7%#2yR7&BRJyF^|G7$$e+jhI1t-aGXs0wkORAm{&a}-R?sYBusbB zbV!c17ZZiFvZX24Xh@FsTaRr-306urnEZ3?=ce-W=(XvlAz06%_!9yNyw*>^FgQr) zJ=0f3`7%W4aGET>wJWM86s`oH(;c08%VJpFvugTW^vZm|`g%9xXRy}&ECCS;)12cr z+DCpSe56>V0+18V1;30HF!>uhl(XXKZS^D9@Ig}F|dbT zgtA@>ie0_7HvaxL)x`iFP-}i!PEjpVxe1;<#VdMx*26la5HN zC{iGWfMcmJDzQjQ#dY;@bk*+y=_1BrVfEgLv2DY~lr$shKa`<_CX51-7n}eyocX#^N6r!5_lZXY?xw=t& zR`z9g>n5P=aN7OX{0LA2IrFz}ZgpAP03UjM!&FEeWcuA&99_r{_qDy>#G8zrUTqBT zKlb-}Kc}L^acGC(qYcX5TfXHv>JBJFC192z_~&wPJLG1}2Wg;HV-s)2U>1}4npIP( zALbHmKg)WpM^2Jbbn65U?8kIY#>qGECNN~2pZzd9Q2d@#V8ht>m5}zgoZ073o^aI& zw1)AUOvar5234sn)IZv1(&>;64D!frZ=sQ@TYcRADg5m1a7tbUw=H`cjNWgq&3_ul zcRs3Q-8{qR6coY->`xN0)dHLYus$(E8STn_4B_kop^>+h&s>Or^@Az_(F}(C*op0I z0XyyH@?lf&6mHL^PyUvMs4{?2lS`4KWTKo5fM1zpR1=0a+4ITXc`EKyQXN4DIa zcbx7-COcfgtZr6HVUzbKN7+C~bLH~B4Rv7KV-gc>pu8fzQ%eG4V(05nFdnjwRFbqk z#*;lvayr?Y$KO(JJbL%iK|9mT&$t!6Q=pCiO3w~q~S zCSOI52|EZ@<%=vi1an1l$$xzveo!pWK-n%eNjngh|9fn*i?>fFna7}v4mnDQTPmi9 zw=BGgZ58blb5_Neo1oBG^)t;01+^cj)U$l*y`0;1SLN1v+erP$d?m|GLku2`mz7f) zQeB`vyr~G|_tD!iD7Dje}x^xwZBIBhZ2|WgR`HIi?61Ba$L8-zaDru z;&dS^ChNbDwbaQtK73P9@P+ynT69n|pO_T2MX$OpqW4iE1JM&TQBB;Um!xOlC^a@~ zDygGwgu`9cc8Bp9_~4t#v1G8dNiS^uWhOIJ%DvUtCF@zI@>2Mawt)5q{M&Q%rU3P} znS)4~gI{vv#qeHv{gxyf#R5{!igyG%Ra}1eHkMO^%v57y44ft@BKpC}pGYs|_U%q; 
z>=i=Je{YOtoO@FYae(LyQ?C#89&fzFF%#M(k0=TWbMGyG`!2UhJC6g?_2admUHRZ$ zsC&=%#$>$)_V=h{AE0LpJ^HsG$t7?`*4(40VNLj)-gO3CWBG368-Ij_rPO+LIrobj zAot7xu_{$UxZH@>tRZlxl*DV?dP%0<`)3}3cI2hZmuTJmJAC&73G%oaWlJv#Xe@h~ z=R5RnzhB%V4yPZ7M{(HVgt-&HOKG8@5M}i^`mb&&auT-0~0%Ipi7&b zuU5wsS6R=hu;6JJ=zHR2K-~}1IF_w36+A6(g_AP=e8vgt_8k4lIJG<@_?c*z*V}{d zwDNV{>&qH&3Ok@QyS7|&a8@%$sw?(&rA()Fe6navjKTs6xn@F*tP;|INC&d@S7|G^E4{q8e#F^V4*{!xXoSQ4~mx`@UTnMT0xQU2Su=gGlm*U=G zd5x_6W#EQp(5*pS!1jodm(PO#JGA+okrBn7-N`WJ-QjKdmsbXw`_ovlreuA;@+*IF zP2o{?OR{b%v{|X{VfjlkxjU3viiW#<>3TBPI3Wf13An9#wq8$A?qdqa+x2=U(y)Tc z`gQ`3iNEi(;+p_ zWza%3y7f%1$(<WE)j3(;sdGY|B(C*@+CexE`3(3Lg_vv+`* z3Q@CIz!|_7-x8%q9XsCo`RGb-2ac!Dnv3Ph4LTC|SPs>T!YI+MbJ%*48<&`j53B2u zPBH3o2kv6~QxumgqLdnPbJMVU`M*9_!X53p6!miZakCvcDqJ}`NDxHd?@nx}oVM|2 zE$jNNX;ZFWa@Ugl!lG#W!S72%PC@b9=5T7^qCYZc5{2Y9CDopREfSU3^VoJEYMo~} z0>Kgj61em45x>uP`VE4Syk<5!79j`JqM`@|_jfxFlV3N3M_|`jeGXf-%?(>`s<()n zjK7Y?v$tbGaX(PE_Y%Kk9j-)(+p@9L%D`3c7v|{~>~C8{Wgt|$x)Ig`Um5r+4w!gmMZGWe=VO;=IRr%pZ=5G6cS{J1aRfyC>< z3^~LVJj)ma;zq)IW$7rH-_L#%%8jJd?3IlqWxBrbWh@tXE#+MN%ISOB7~HwV@3ECd z@C)M$q5Ed#p0p{p?c=^Yx!TlaqQFaONkPXd<&B=};R;^NKJZFzC^xr0na!ThDP;Ht zc4k;O{V{&TFZt;m`8n%YoEzj}mw-HFIppib*?gv)ey2uq8%!HV!HkBCBeBB^D(i zA%R_EF|iEb$I;w^n*bAHaVeM@SIM)9%{>E$lZ)%Esv@a3dlYPYFQn;7<8vSqYNjTn zLLH%JX!kz=+(-8seDoA7Q0~)lhY~EMW`n|}9U^sTxOHgP_d+u&laDUrkBMQdVDD`B zWi?R*`gzUB>c-#9nZoFN*cT~egg)H7PZ=(^208; zYa(v~d)u=ojZpHMbc`Nt?XJwu;&i7BxC;&(Z?!TdRCl*6hF*8fvShHO_jFSA1yyZr z<1@V;W0cnd!WT82zO=NI-?Atw<0GOUiH^^;c2P+0UFc1rtM)2qhGuj*xky2Zj|hz# zk|iE1zCNbjl!!`Ker%Qn+q3jzyN1azw`c)g)FVh^#<5iV}JJDrVV zLi>?eJj&C>nBYpU0xW-0mt}#!@w<=pX1L!4W;L!mx^!-DkJ@bXxrd5Yu1~x zro|kF4Pfy7zJW1r4N1Fc6)ch?b4F0&6yaEIvzn?dFG;^Cj^x|)qdU4^Wo_7+bH{#8 z0qfmW37_7EZ9R&qNxqz68W6`@a4WsmV+loRz}jD_4hP+ed$fg&dXai4+-1W>^xy7~l!F{fs?DbzG$lkMj(p+5yZF zJNGtA0CI#ertj~Kb+Cy_j_E%b&K^pAFQ$ELq|Tfc?O_*wU5C*XncE$0h$(sCT z#ao0!!0QJC;L}v$BN!lBsTbP@eV2rS{k6iIRO-X0so{f^7+AGTaE`MoR!XC`-E zX;w7WG+ZSL@aywtcP9`PDd!4ZYpc)cp7|jdwX3aQk?ua@`Me*trr5QhFgIKBd_qyJ 
zsL8vT7lGHzd#Zg)UsJ%d*Lw7h)oX^{R9$J$ORn{1(@`jzx`JCXyf|Orcr88Y;nfb) zuIVX-hSY|gwdz}Ye=o6FpCs`TIXzE7k_KNXlPg8u3{>WE7as+zC-C;_2~jzeCs;h& z54_JPU?9}(+=LtB&3&|x#nJ>aQKy$ApL2c;JIIE!g_ZZEf+{trdRj_iLo(7yx7?n( zA`iUTf;lL=OMnUs-I5A=ZM3;NEInMb=@Jt!fev|`g2@avUGy#E13{j1d(X4Fupm0x zK+7f>e#-q2r5#ij-91dLAIkHCBh1*5gzKDt@S)UcnMBLY!HphkEyduA$ooDv99ebHnEp+~2c)V$K%9eIt?FMgSP8rlW>&@NUp0(`}I>c1wuk-Q2i#o|z>>ss5 z^#s{aP*s>M4qD%MdL(A$)S`c&^N%5}9*OXt>uI@j@tCZplD5N@AvHBX^ahufsVk;y zeau`UH59r^HB)YMi#Q$4tCO>n1(r15TZ1_0Bh7<6XsJX{!oxh_2%x}=XY?auR5D7Z zC=;2V+~RW~K%zF^SCWrn^F>{3l`t!rgugz6m|2HGrui?*1E?mWe}wxYvwysi1flHN zP-7h1aN(0Xb!X2lMH8WAc1nqy7ZX`N?@ND_+RroVDzX&rm^}GSPE#yV?9%B=sA57* zRGx?EwRiF*O!dB*aQ4rR0VF!f1!brhd_^m0qsD01s^rVLXJD4Y=`RwNA|g_1mi7 zIYUCB8&j~`?P>%#Oa0;_s}`YIj)d(hZdg5J1orAWqhtBlUUkWOQ^atA%viqX4YE?J zi0F~wg@UdEQ3`hq+HR%e#S1^zrtK2+OBI(TCjGCiqejSWgQ_o}|BR)XX-l zmKlsrGSs=c#ar&kze10yt(`&4j!jy`uDlYePwOie0U0x3Bz518?GZAhQtEPbI1}L7 z$9zYpP&Zp1nORcaesxrweX`Po-SL@V@Gt1Je~>Waat|Yh+){?ZoZCLTi9fXZoAwV$ zvf-yi{s^G24io%1szX3Xl-tU_i&jKwnrzihS2%@n8vyj%tuEf znhUM@_IzpdnSmP9HO;@2bG77a6TL}*0@Pd>K@#!K^LhfaY%>{>ub=Y@$0W9=;?B1- zr0wZi=BD;G{}vlMnG??p(D3Eajt;cDfLDl+#uK0pCsg>S?%Hg=@ZP0{F`l3%y72Ys zjt`%=X6u(~4)jlC7EIwuw#hX?I6wLo;j-Ax>?gQSoj<%>;92>CNX3c1U|GozMu;@Y z{gr_f%-~9UjML8%yEp|$)V!QmV_9SqCCX2R)s21*X!Z5xNW9Z2S(mWXB}?YU{S=9Ij!N}|&DEyq2@ZyPCZOqZrLFMi%G z`D5X9u8KSFx>v_|eyyc%^^S$s!)oXT49Xy zHG~L+#LG}EWVXL-q#vb!oGSerfPJRtbEeu#gk<(x~jPE zIA(*g1GQfpXJaU4-48jnqS3p49MrF3r|P)hztj$*6SQ5?GoRW>bMG{G37mB}X_V_c z3i58u5GVYJcCOdm6uR#Ta-~LlSw)@>IeQszPgz{IH$Sh58RvW-W{g9Vh=uw$nouFJ z`^Le3PMT;-nLZJ#|6h^vShg!3~JoQR(;@6A4LmL5d1uSl*9L=3V z8rt}0^Q!o6SAFH`3SyV4@bB!6hKc0pkq2rKq*2~Obg!D-FlSEiT^WAC=VrwpX(OMC z1%A}QGp`7p9p?)@;{vJ7xtO9DxA<3x2?Pz6yJwb-_*{K3`4F=BN3PU^sp++hH5f~F z^v8!g#r__!w5jS#g?t(NRGYuA8P+N+y8JtRj`3nygBR;`B zqdHXNs7zx{)xgw8RE7G1(tF3O@q!XJs%6Os5F9hw@tuiof0YVR$+fyaX7x4t3<*~) zWy#hIEK`26!}qt$RQWcf&I&Q+p|G&OF}pl)B32ZQvoDF!zX{%ZrS|wWB{wCNZLEH! 
zhBBIWq98XSr|h`^5Mwbe~uXB>X@j@buOBs6STe5*r@?r-+*k`CTTz}E z-BE4-OrF5NXu4!5vYZrv86Xe+N9lQhydV)B3Z&dQED(6%ljK)+KBhi2bt9$BhW#*3 zNc?9)DdXN>a{*tPSPLgYR4}17+(;9_5G3!D z38rkRmcQ#n-X+?3b~jvxo5xeH>zA8v<~MsJ1AUSr#<>7Pyls^!zB3*UHC4W|(RmXi zRb$Zz04hLbl)e>hZ)yb=)%Q`RK|gSS-=~nF;UO#6%RXt7N{Cc4S=`9JdD&0dUO*AA zXYs+^+1lH~#-^Ii7iCAVA}s3Wp;H;q8b`7P^)o4)>f!L&SdkPm4psz<*kd7`+fOTM zALJf8r(-p`RJ(Lva&WsG5YXZ$lMv6pdteNy6NG<{bSu&}U{Wd#vb98;F*OvNcRr%^ z-FIDFs;NnAbeY<790$$6i=gl(X0B5t(!7KRhn6%QJzX;=wDLW{t<^X|52zw zraw50dvnSJitMCMMvE=h4Pf-764!(VZp7#<-jG58id?hdq})$uCtFV@@SaDiqPcv7 zjN(V!C<1ga@#IirI8dI8sx5wJ@5nWyuZ=es-o*X*`)E>i8XCseR)s|igESI+FsWUS zF@<7&>;2a}_`K5Y!>BICDL;d#6@O*Y3XnLTauENJCKO+Y(koep$?g0LNS_zneEV9u zP2LQC44!8O|M_mD`a1)Op6UZog;0ozm;uz6U}8eGZY6@p!rohdD4@I4TD~z(s^5;# z(466+k@#9N~uak~!E}jzW?%$5wHnv6&eT#r{{Q2a7}2 z&F;s@ubd>vj&Ad~#k#dp#P`iUxCA2E14Hy$skBF;4U@UIsEfv z!%i^VLPs-D#b4`|M#wXpjIph?yC+@nB~JNKOSs6lm(8X z+q|R)6fCa=(~Z5kB|LkvNdb5p(8JgUj@vr^3h`=!L%V-9bIyMc<%kRQutEx$?2dAp zwO#%~V;y$l-&cXjRGg2g<%5Ew&$EY@O4(A@&RiuFNkeb>Io)l$lgRuUq zQKrVQce}E7$L}=vLDmb$QJ+hX%Z+<`jz=9ok7owyl^fWa(S(#?ok{;^{Z|}^9Rn1l zv6KgKK-l)J>`PfTyc|2ggv zK$tY1;Xwa@_k9X&rAp^DzL&Fxp=`ujGn$Ao%FFYNEHK5~dNc$4m?NIT0$MfgZTqnz z<5Q+Y62?CriBNj9j%z)g-g7KO}gSRyOPC0qrkHa1F-+jykz|Y5@kMEkS4{~w6x zOrG@(6(>nHQikw%mn?e8&RZ*(y4nMJO^QGf+193d-HUX^d zYa@*cb%9UyjT^?fXoYR}v~{G+#)^c^;q3#1jTF`Fo_s`2CszFuPQ9)1q5H8a^>bN} zb*NS~GENG10?-^QaFdQ_x0xN2WS5^Z*D(-JB4FOF{I&#p7 z9_U`ro#1J6cbIN~`b#QQN6de8JanWn!nAUu;gOSIaJZTxl}HQ1U(9~xQ-5xDo<14`;nKyjrg{_r!RCMd(z>ZlfSXa0G+gaW zCI#`h>*Trx^DO#xdU*2n328tn+-Jk)P!tHq1)D^?Q!veGJO z&;EirP7pyGy8e$r;Q$OXp9v~ls=-fH#Jt~u^O2R9-6w>53EUz})e6)?cVqnaWCBuz zSa{E{c4l9_WCsvww@Ca|q=l+gClD~?|CJw85)oqwm( zP27_U>{-GShAV~1>s}?O%uuO2t-PQ*;sm4^qC?xEv%WYMU&Kf1&aRud#RJdQ`+7DH zgzVnG-;Y23>Q1IPo!KMyyZ`BJxMFDf15-CPln~Vum{5+24aY9c37bt%GR5aVe2DLu z^X8L0l9PL*R@!UYd^wA${*y)HV}Id)f(VphIM;fT(TuZ{7IKSALvCg{tmWtDYTw?Q z_q10W^*qa~@;04xi*HAF)xj{Lq0Q2@3@C4V2qXJE02&+7VaLPWuNiKqmx5`RnYC-b 
z_9N`*OIN0m`y1|;FMco>wNAs-WFx80%)2%28)Vw36zkxB2*haR3e+%|fn(!OQ%Ovr zWsp0Zu!1G)Zru(y3oE{t8IoF})Ho?Mv+Cb|{(g`FL3e>-69h(8qm9=7aC@Jr^5@8p zVq>wZd>aE8W>WTyMDp;tUH)s0Wzt*!a7AAG94E$KO^1rhUbuKf=svI;Zz#i_-GO+2H9-qV5n2?z7|FfDvy4J>-&eG9bZ1(a z!7Hc*uRIf2=HV~#^Qf6EVxt`BcV8#W78+E}7n|bUK1ew2^J4%P zYn2B1EMC@!N12)+r7$AgAR#kfj1)UbN?jz67!cmM*iC37=L?!LY6(DBQ6Cx%7;}XS z8-C_KP;hFVD7~dG$PPUz^2V5U!!dXjnpYX=t~amdX}&VArfdiHxy zfZ$`|V-Dy)^%-0=mmLEmw&%DPVtw8M7MyZ*+x;;IvcD5pRfQ>-Vx4_h7=oF*8UV8BAB0{vZsl3`1ST&3IJ6t$GRk$j7I z<8VDLKC&cQI;EV*$7_oeqrO16w7_Yq0l(e;$UjcF{Z8-79%NQGtTUYNVDg^Bmlwcd z+SE%K^u_YVCn-ti@+OS;)8Yeue1fq!2lLX{t(<{2pchgG5QHA#ortg;l-tboVg-v# zcT74FfFyFd-Z!d>`m2=sw~AA(UjYt~;=ImyW~jp*saoM49hIAxE$aFc>ZIcwz?fCm zY*LNJ-7hQhp1)dMWt;pA4?5V4$?x4;A4YKRX*>ZcZvwd7lFn~Z>mG7SGn}r*&jdDbD>t1gKUkj zru8Flu@qph{D3{zKe?MrsmpK(svAq{xc4{f90n|^0M$Rguv zO3o#>Dt%E&j~QTPN3Y+*j+KYva-H1e19=sEXwgv?Vqw9Tm7g!N#apFEGxo~jLk%Wk zLEzb#5O#|B#do#h9zl0}fXVBgs5Bd}0_lY|=vR?y1*#=#23=K0+7%C{+H%`EgWPPgXp|cU~hdy&XWBuQ&OKocu-vrK%ZixIPp*S&= zUx4Y7+^kM%(>&{zd4jh4@?rbnh9mW}7hQ(z4h5~qv=7)^nR>m|fs@3&e@mvEk*8fk z>*t?B(ry5qW)SA-u(2iP| znxyIs*&qfexPF?*V!l&9 zlg8b2nYpmOIrlKJuW(S_^F8*yY;I8~;k=?2Zsb5!L9}iJp_fw67W*JRO~1pU$rQEm zB_F>c|1dP!Qp@0=r;AsvwD`Dncdkg$?QSw?6WT4b^rb5#bb-ra6IUF+qT=XXUa z3v=a=U~mZ^4UL$(LFRhBr#e+nv^?DdIRj>Gjz;Xud}-Rqfmk#choYnl8lT-Va2lF+ zL&es&B^s;&ubUMA95v<>60dz$O%C!)_@n--r~y(LqQ4p<<@&(z?~X>{-6r=L=Z2?+ za@h@;YdxiAEd&>S)Q=SAinki}9Cfb|e(mGRcU>rhikUDLcVe{$nEOozWgj8vBPS3O z-{tTejopNY6kRB2R7nb+#`DponB1B0Iei-o>B_BFy1Ri1gu&htUGzEwmW@jMgFl9C_RjTO=kIVScS)%R=X6tU!eRRTT;*sh4K>0N0?}wp(5Otj!lS@hhEHv5z;`_H z;SM4ui|1VfcXGisO5op5P&TAlQ7MgI8z*wmZ`s@#+SRJqnVMiTK)*{+5U}#D^^udc zoD?nU>NN!}O#ucZIq>Tl*MS>DE5U(s zy_fz>OhI33v0NXx-=A<&E;-MsLC>nxm0gxHz^{WcKVN6=WYIWFGE_W4eM%cR{8XtE zu?;zEzWq4}Tu|p+MKu~S$KAzJV*K);n`JH=I>CdY9(+4Lx;Q<~1FW!nTJPE~6;JNo znz}mu5b%Q71#r9+Atr6^mww^K_-clQ4cNc+noEcN8V)#v)TkR%)}f%~FjNV@i`)Ry zjn+25gD}=f&g|SRfA@lNhZGU@dpyODx@r%iFK^Z;n+gkK5LNfYO98+8_|9WBR;rA# 
z7vYOKb9S^@_486-x097pa_#uq`9qB%*E#f)^^xsN|%OgTdA%-z?nWpOI_NHWQm#fsmMJvG-SRdc= zSPS{HEqN}FBABn6X|XBt_<=b|guxBIxmOLC|Ta?RHAu0r1BM=`O{yE`(ad|8e>t~kr`!l zuNRO1)9sQ|u%J8xZNZG8mBr5C5$z(PR*Za~Mn-|a{?JVy9XKCa)x?v(>HQekSV@g3 zsF`(9|MhH9`l00}4~V%1eU$S29Yvf^7f8XTnZNR|5oj$n??QQ2#Rjh7E#EmZYqkm; z_SDCvWGnR*!W;?RS*`y$7X!yD5?cBuRe4?pIe4qf*A0#;G!-ZHtPYJY zHF}?|fLt7kLw7_YjwK9BnuKLWHo-gayvxsfk_?~JpYU_d zX<@B1LpA-{Z-NGNEKRCl;IvBKJ5xsrt-f!Z7L)oLnCm(1H= z3ddJR{d)ds276|a4S%}M`>)NnDkGy55Ed@$iyZd{ZQwQe0+zEXIt>e3`nrPWWy{`$ z?s%#ZK%wote|G-=>cYJwzG*Vqb0>QfKp`9DwY<7qt&BzZ{{gohOd9|I literal 0 HcmV?d00001 
diff --git a/output/images/collapsed.png b/output/images/collapsed.png new file mode 100644 index 0000000000000000000000000000000000000000..dd0ea457c837009e67e37912d30ced3bebaf617d GIT binary patch literal 952 zcmV;p14sOcP)Px#24YJ`L;(K){{a7>y{D4^000SaNLh0L0Rx2q0Rx2rrBpor00007bV*G`2i^n< z5;Y-@Cp4`900THlL_t(o!`0baXk1kk#_``tC&r+SG@&WgfER>LDO0@kL7^&m8$_Y= zBEo@U9t6c3G9V~E`67rq4?c(>UXc+LWQs~@D}o>v!3$cVg{n|2LQ~sXZ?&~ed|8zt zBr|6+r^#`{Fmr~(p8r{U?Qea14Lpb=n8XNHDA+iJ*?3LiA#A|8MFHG`Q*Ds5_!^G| z=c;pe3UOyYeA z_uv@}*V4v+H?*4dW4Hh(u@CR#ZG5?ufH01yV>chErH#?{8(Yo#iFlCX*pH9!CU!3s zpjgURu)aNtb3o60{0G0{Gu$0Hde#9;codIgS9|{$KZ}1l0!;g`-ip=#XK{bl4bug*CmkKg zFz4~u(fcsbYSwr50~oS36@X*7BO?0ne10^mIsGM){YI=SSE_w!Te(slFITFAd-v@4 z5a(kQw?#T7A@;xHRMNw|tMMGR;&3f(jOA4=TFv@)TpfNu_|bRpdeY-uoADCLXx7q3 znrGc@HR~UTy*rb7+XfVSBt>81H?jf_;=VAnL){ES4`92Z7%XTuN*U*>#A$B`J8^5D zU{kmhH+8dXg%|3=m%46CyfLbXIO+9c7LuqSxtWDR*sV?xd?X?^(+gayS)UHMSQX2+ z3)>=kCwg6hQU}YwHEQ(%Ok~ipO`(DY#-E{9`RUX17CaFlC*JOpv_490&7(VUSGeBMymTzD zaTUIcR@_m1g6X(Ejj!-jq`;Do5?*aPx#24YJ`L;(K){{a7>y{D4^000SaNLh0L0Rx2q0Rx2rrBpor00007bV*G`2i*z^ z5Hm6U>YMHW00cHkL_t(o!`0bOs8nSb$MKK%N;d;X0#DvxM||T{EL5(G`e)triIV3*J1vg z>zx_xfnm;h&+|Ud_dMr4?|Fac4B{Ppk3Uhv-yS}D3?JYCF2POI@LI3j=1;aN*J==*5JIymL+3*Ea|j6={Sxbv93$N>muHGl4Ez0 zdn_5t%d$?>lK?er$0v9$Yb+GYYoS^x!J}A?omh#Fas57EpNQ(dg&|CfT(CCr%Q&_N z9~ej+#_=uA2jp0qB?8vs%!lx9O!hA{oP0Z*9{vZS|4_uMMf|&#+3^n-<46g#VK0e;(zC+h|$-J;8NPuts}1F8|yZ+l!h} zR4b+Zcmhd={Hq0Vh?i2gjjim#vw-h_CT9ZWM~;;dTSHS}BcSb<#8% zJDESFtU&yL~fe@wP=C-GaV_z1btXS}E1KROMRoXx|%o zx&{p=BQPxPQkAnfdn3MXL*IQD(MF_?24z^V650$t>gy7Z`V{4b^|(( zy2-6d`UTxq-Aq=M^b@+Bx|x(J>9@^_mojx6kN3;RWB+m-f9Ndzb~7G}q3mV(Ci!0n z_uZD_H~+oWugCti45c9+WM2=aWV~{+Ih7*dX3_=S%B*dhqe|UqjEF UG6-tKMF0Q*07*qoM6N<$g7E1?s{jB1 literal 0 HcmV?d00001 
diff --git a/output/images/niaplogo.png b/output/images/niaplogo.png new file mode 100644 index 0000000000000000000000000000000000000000..2de1b0584be1c6d5776fb0fffe6e17c64b3243d6 GIT binary patch literal 22727 zcmXtA1ymI8+XVqZT1rZg?nb)1mfR(zOS(G+>6DP}?pC_HYw47hh6M=;zv1^k9~{^{ zusiR}J5SzwpN&vemc>9NMumfe!;qJgQip?sX9S*~qPzxvqvZ0X01vNC6lJC0{=IzX zc9bLne|h65r{e+#hlcy|0}q#;NeKKA*;O7SjlA)O7@qy3foXaI9NY&uc`0$Q=gLWk zj-%c|TJinkLFPE37&cQK_6Ip^xHo5o^zn1nNi<{0=4~f1b=Fk~*I9aYc;s1jY<6mE zdP`Yq%kP%dh~L%O5ohIRv1RUFEUO93I{D0M+q6yyDA*6#BynlOQm-Nqou?Yc2jl~C zLGpNS;{3&+Tbk1ZS&aO>P7$F#Hr%8-G) zGMK-@+P^d$lP8=c>WUc8T(~^;3^}fkO>o-Wn#mf5YK-S4{eFpat+A!lJZE`FX{cAn zlg4`KqrA$Ez<(p*s6q0!0*7>Ub-DDY$>w!&la6+j-3~s349?a+7BnwqPkmH_#ZV{; z7$Y784PiKPl?1b1Sy)4~Edpd8_=Lj**%iNujyuvv+J72*n-UyM%@`5(B^(tIPhSbP zWAo(dDVb|!B%b1s&g(NMf8geoM@_9JFGP$&A%;SU_GS{xr-kFKkvjzvCI)xX<*?8} znBSenK?+U&|Bj>x4yno7z^+**r65!cFwe6_jntq@Q-BH*<@MoGld7!I^1gW^55~dT zyP!ucM#@`y^)A$}o%c75g$_y>LglN7HzA&kV-BrDzq2CO#O-l#5=yDbP-pLjx=!C8 z^v%etN1zkr(leFHX^arkY7HW|dP`7qdEArzcTgLAP+*7!?O+A3Eb#WP#m|A28W1E6 zF*El-WrsM{O>X}6IH#nSEB+|Ljl@ZeHRRdmk*V8hl~9Hr+2^$Qm{^+@L-r+@*FGkG zbpNC)MURFeLcxT^NbA14Ua7hbp?yJEfjbRe+P5+j7savE(-cjQEW^aio1l*!TO$5{ zhyF>yxc-AME!Np-Zs=#k2Z2`uTX##bPO^ybkvG}wGll^@ijKW6E&Z5W@sPOV);SpqZA>py*&NqKcJ`Y$?*My!y|Fd&3|Fv6qd@fn35*a}n*&XHeZ8 z5TMP>1(B2FF%l*ZSXw44dxY0rFt=JMQ(OeQ?hUOdT)TT~4dd*D%TT1tv$LOJ9>n$w^=Gi5fc7ZAC2%Sc}fPwER#2H zl(F@dSQVB3Gq)UK5WLdl36xitslxcZiID6eZ0)Cs+tHOUbdoiJH z++lDX^s98tIHPQ{S%#Wb~-cJ(I#TU+%~qcYf_o$bH*+g%PRW$c6iS5*$16IM3DY! 
zPDObt0iwmb-`9vOhZym^pu@@!FK2M3Eob3X^5yF{nG!kHLNOF>H@k?@8_jn{sn>T@ zkJX!f5(0D%p)WUCG`hIEmn7ygDwe|g6_={zi7(-54AQGiWf_ZoFOTlNIX&NjgO`n^ zz!DcXi3zdrs<4ReDI=;sB#kT=;{HQ}NM9}?l4vR}6w6jGz8n<(1D^N>_u&o5#eaARWSAaHlLr$uj6SBT@D%ZMg#K zVOqvf2 z6HED$PIC4^qptaMo|P#8FjyX5`8O1)ip9-BM+XIU@)DPbd~9e_UfTHmm?Y zi-%%(QPBWP+xJ)$tiId-bN1G^!HIqRW6quryE77ZQqMHA#lxBuK>`v^;;oBIr&3D= zc^Y+j6--7QPsxZiejBi`roU@uN@$rYl4*NBx%AU{9Bpy=eYm^HU(!7p5hUUx{(wAW zkn$Z3L$E!-UNmZU6lPZf4!0mjtGOu&p^y-&)@}oVV$fI3~SlLs#!(+t8c86TW01O zre1CtT$km>M1tQBcbK*`%pq+cJ+G1Hg;JmLCK(GDK8I_ zv^C2u57yl~MOu22dm^)M4(i9X!Ygr+yq{%A2XbL_*#2)vWUp$wcMl$C-FfBO$)t5U zQ_g4hbq+#FgCtoNeB83%M04MsMRG9>)(B1NzABdRZ(U3#qVR)&!oBUN!zpbDuAo6>>>}bv(O&wxA1Kr%>JgP{jlKm z>gfzNrCgehiCnNn*mZn+FrkkE`iEdKr_#b%qSvpu^hh%D^P9u}MxJ6#M1Z#w&DZrP2OKSvH_C{- zODNG*ra1UXEZjMy8RI41eN8Vv^*!G8?{ut9Ebl0E!X$-01%wHLI z;J39vTxTal8Fy^-__}pSXn7RMcF6Qf$%rRy|J0usBshvDMU!}B<6nG2TO#-@l0Ax@ zYS_=)7C zgB(`Ge2mEej)o5NSgRS&(6~ut-Jy;*ZJ+C1@gbH}T4s#tXXl$$DGi_oJ6Wm=LckF8 zJXGakBeUJ_KNFb42Myj*t^z*M=;(VNV{y6ln_9F(M2<5BIjnI@-ug|s^+DlhlPFgp zCV22(m>sj~VS+*-HuR_U-Y*4%{omrl>)_v6^%ZVcW#~HVA1t&}i_JF?!W8t~h}eFd z??;8*!hm-jjVdy*IOkW#dEPQE0;}~}j7Be{u9UyJqFHQbf=$j8QN#~aJe`JdtIWHr#Rk5aPYT@S#n5=BqFTCK@lMXEmh%9 zF@k)JZOMr~?y#jZZ%p2k+%wDw3%~tgt&L?+vMgLUt$O>0@Ti*y98(PycZwZLyZl!S z!4byVOiZB}q)DuYyPF;4(iKf+rhr@dzltzrUQoSPP-Zo5ILj<~>eh->07>=-gghMr z0u7_oT>8c@X_Aso{ElzL=Nl<+PAm7(!qUBfeWkmdD=1sBNbm%1y}un`wPxh9h8 z7+PujJoBA!%9yRz#hRFdp~e+9(BMqW$lQ7pk}q=`{VAAD7p|+U?wZMU9m65+8E)a+4i)X`Y%PDKw%k=;Sgw-d!LM)O zY#)DlK}xly6B?uzD%qeUwf}~taM;2{@eNbku61fa$dT*x0=RER|7WIc^#NeEq*j%A zdG#l;IZdAiFyz4*TNezk#=hE$OaUp?;U+q9!EGAM^Jm98aGD#IJn+#Yu0%J;_qp4i zF)|7}@+%F^FX!twCSF#u%DlrQv{#4drdv7!YvR?>$iFW_QThoeDpu>2HB|L(R=9Do zwVS~)^(OCF+>+Wojj#-bW_!yzFz^K5S5RJ3tJ%SnBsCZLd4KKq#-(&Ck#5Z`Ea(iiitj(AntZ z(ubQY!Z@{|+!QIuWBF!298*8ewiUy4@AMw*Z%#^c^ZU&o(y9{r6QzEpNqT+Y?i#Mp zFIc+{aZnWRNuCy!2%tgq3#7Mr5Efc)jT-D-si{h>_>17o>DoSnB-7`D{<`2=IfMvv zayw!$g0)z@$pvKjDNn%GcppP|-wGA<5g!NwTbCVz{PSzwb^1TK&*{5%EGpgprBj#3 
zWT)VKZIOy3$%Z3Ge@Km`!5(Y7Z=4P~oI{zQYvv>~qQ)~HYBbSP9y*PWu5x~#OhuPy zYe1K*u#=T`FuH`7B13n0p^Tem$Q&0JIn9kH`_{-leOfA*IJ z7gA+A`GXnP&^1<(N<)wI4|Fes7Edv5cz;BPpf@iNYJaI6*$%?3Y`4Fa!sq8(0gt7` z{u6by#wWXEu$ zBfwsxi0|E)V9se>dR{3{{@{5D4lCA7=az+jU}0-uRdxa{{z(k)79oKVUuO6L>C*D0 zdZ4qk`kgF&ZWf%8jSWOGV=Xs+>%ckQf%DLIef z?^}a~5ur<6PO!v*4s1QdA<_)ZrmTCvmBxBUm$|&k6${L@Fz7OlJnO3h>C#E~mTH5J zW)s}-rRDQix{d$g{MVI!9JQsyh_qv2)~$1>S&U>W{ta9p(AdPz;xIPhudWl51XpVQ z6-_Iam*JKB3`19uy?3-t@OW5vz3*f0*9cj7gB4!5>9Qsgo0#eAQ(RH{$rHYtFDD80^{ee} zD;+Bv@UQeLhTYbC$nKqb2{C7kFK|Qv3mVCp)xTtwupRi-PtC(E##JGUc;yNTyv=+^ z2WBq97N0z}Rp;DT;FIui*s{iUvLj}A@$<%bK`CtGs+P${LdIAK6(Oh_`k&O$*Wvo$ z5FzF?q#HUDhsiR^O+1c(xj$GlIUKYuIN{MmSO@Jhp!b=Xc_(kK5u4I;BP*w+{MF8$ z1*1dz$+HW9_Txis6jh8HAJ|Pl?YQc@XQ)-e2njW(&fj86J<`j|Hh5k?4K>b)XyLZ9 zGV<`MPu-lX-A`dUQjvAg4obCu(Epf zhLLIi-2Y!68pX8R`dJt!%aJvsXQ$u0FV6K@LpLXddCr2;AqMng3!Wsb8XqF85q5Q% zKhzup-O+%94{hqy?#X@!%SNmto0O3i<5?QtyU?e{%ZR7UCH>psEPPFcc3XoXVcY@> z#$J#^_}SN6Pfv*LNR7RP%c@NFWs(sM;kEeIz|2EEmz zFj>w|rn0I=pY~y>SApH=?_?ieuJ?RyyuKe76aS}FTa|iM63)51Sz$TqK(z_rSFn># z+Rl4V!IB%ET04f7jSu|vKm-tj4QLQOUw#q=9C}PGxxeEeKoy?=%I^;q9y}{Y%_t>v zW^d(;j4YYe%R+&z>J|VG+u3P!iCr4o%TnGcLU>IiJRuqdKRdtHt z@t8F*1l2)Xlq`x{T6*o|!N>eKaNcxO?aRWUf9iMgo@P)F(J0A*ALw14g^O#-iC!HyHULru}OU zJQ^9ftYtW$75fu5ddWk!sxhUo7(C(4O|4cX$;?kxSg*qx^VhS(B0AdYt41QV+vW^L zYNW)JS?Z?iH|O@USjw=*Ba&n-8MT&n<$vH*UhhFZQK1nrb_K>nI*WAG6N#-InvL0m zdh_hqJy%Cx6&6F`nZYsHPgZ3W`Spe2MTcfKi4XSj`JYOFdgUC`vzdFFPM`^e^`LlV z;uhrxHy@bRw6SGF)iJbQla6%)ej(@&-qUlfqfkz==WVg^yi^bv-v1eyTga)vupL9dYZ7V}TfQg(~Jj4KJJe%JhnM3rPp$vGABR`jF!DqnNMekW7FnBXO9QoGWIkwA9tqUZ$4x~VVw z_RzcRhAs^aHO0)F)E>j~eI4!6bO|>n4rCIWyU{wHPH$gwWD<`x+6I=!W(l16R`0{r zdSijk;gGj%u(~S zUxOSc-cz^6Q5KPmK@q;H5D~w7-7CC_s@VsJpr|g5o-IwTXM@YZD8ov=G@#f zXaE#4>iL{3QE8rE6{!;2MRz56SsX1B3N;wwq=|E8HOts_;u-`b!`n4hzZp&zTkei7)=Mx@amogy%{jA0@lws|4KWxx>)lYG= zsKwUR+{h^o*htv$uA9G`OKKFA2B*8)RX5NLvWTp_OPB$g3;;(RB zAWi1k(*MB04IQ|T_T3Y5mdP#P6t0(Dofl0z6sL-QoR($mUr z?)0HP*p+o^_?r2B_6PD<(99tQ2U%?V*uLGqi{&jhhY_9`S$XfqU&d@(yI=PRKA!HI 
ztT&60ooRb4tT9bIz_pL^;4db}0obb#h!0YnG3qB0!!E7vY{-zF;UmNY8~{bCZ7_L> zaZB>&`1lL$#+(^)GotugryFlJ&N6@!^=B3;uzwPGf2=a=rG!v_F}l}T$nw{a+HGZg zJ3mPC11*vD>ei$K6-z<;GMdz%nL9kuPM%>CTI6y@dFv`;c+8|9#ux56DSa_NGgnrP znn>_EX(|rxEyvGjMR|V@@V1EwlmwM8>xQHV_KH3YrG@d}bWY7Adz@4^Z`8^m=|Fm#& zjLZYAn4hswgVQvqE#ZKE7^Y&&TbsD2DSnh>$F}dOfx-6PdJEV$zRtE-*mi!Aqm5!C zDFBR!r7C{*Eb#eWfeU|aOQv>`5JgP39o73oY1j~&gLX2gtIEFkHVI5py zo_lv9ql%Fnpr{DB=rT*vJo;N-73Q&IZwZJM^XA|?EZ!^NRbH2lW6s>PZxnFmWfY?0 z<}pNwFI|j>zxfD+I$D-;26pbVGox`f2KB@XyZIhOAoxDjxu=(p(KE63_HHu`tq`J4 zIIok?IuNHWl<<{DN;rJC|7zv@`5)`^$+&o@e|}c+5q|Ozrw(xDJC5J|epwLUw6A%W3N|o+UWy)%r7DOZms;S|=@#^lR=k#qGQpN_2_&pg6mK zr2_N}kW+Tfsxt^u`QI}~m7mhII~wuUkUH#yAWWPrtJUFIk2E3xUL92!jLrO+)Ahc@ z%VWB4_oQ7P^q268I|4Zj66dWPCIhnKFceuB^-v+-4hiy6?LWjs&fgx`4Hm@T7eL3@}~BT z6dI?kAJGB!gJu%Tl6YKbeR2JIu$r+9WR5tOrj7w5_iT9-aa}unL%ts=i)}-xAPWw3 zTxqpr+4Nv+!jM8Q7dxac&vS46FLvL$Yo%zMxDIy$H4X``;zF-W6a&!C@rj;LCGnn2 zG~rZ`OT&M@asPAba@yv#r%l2}W?fuYZ>y8A9;2iLr7i0CnAGm*h}96my%R`ONl6!3 zTV)h&OO~Rs9db*$iE=-Fo|F6o=^zHb}+Sz7i;ugGxrf4PK=~ee3n>Bn75mJ zxtJJWD)eky0CWfoqWcEx&Fk=pn<>frF+9Q~t4oA6#X%PR6%rSo+`+u9t--SCy$$#8 z(dC;O#PZj7bpS;fj44L-rod6TNCa3%?~Z3RM;(imNJF9EbNkW zM6q^|ng+3F>D4)gXY*kiZMGa0w-rmfH9a?sq%|;Uk%7qxmPEI5Po5*%)0EBEy^&sS ze&|;-&kL;=3y{>{pKni`YC3OR#lj0QZL_%_JBYp7E3mU=bEcq{9|^Z^_!UamU*iyq zZ6F6HF$t?Gp5sb6(Le;EAs=+MyUTNndg^R-;)e3wZCf<7zDjZY)pNcw{s2ns91GvD)#QfU)syjanFTKJCW90LE#p)Bb*V>b+K?%!YB z@vcWh*0QWBe{Rn=_bB7NpU%lrXUqZC*_N)w%Cd%j&!S3WLx+(rvpnFh#bS&Z2Qj(@ zzI;5=tXY!HneN;)m)-12XwLkRk)))nkiHzDjma_DRlWuAkUH0J5O@>M$C)%B(_URu zPs+xQ#>a+H3p*_sXi&&N#yZim`<@*(-vh<)%nYpE!_Y|3P{QRzZL*A1k>9TRf6_%g4oe-c)(Y) zd7pt=LL6xOs!`>ueuTu*K=p`nwzabQeA!Rv_;8W+OQ7%eZF9o>+you12VliOf@zjY z;zbXA^%g);f8T_P&8w28Qd~^1_oixYsi9-$fbz?9f z#WVB}MCR}97O;8KGGbAGqgt=gC*0QU6J+pw*Du1T7&l)#ddPh2|ovg{`wrSH&LbP2NMmoe%Dr zCcV#$b+jG>+$tAkAF8u)<^omMHOIxTUzGwb!>d%go*)*cImOqP#~+;;tGWF>;atQR zj~W7ix5`Z)FZwLL0r_>+sdR<2MF{0P{@V*V`cakYo6820AgO)a4~U=Yu43gz7_Ync zSfZG4;U|A^Upzk3GAcwCA%2(o`CNCcIe93MBK!1sw2wk0iCi+SD2y#%n 
zkMjpA&aPT4m=N70j9$e85ZWO+dF=iDs!Nt@vt+-zPOzk8c$?NW9tAtgFm(gKNCO2G zY##T4!D&<;poU1`4)wCHBn?>6A5f%rP{KmA$~ldoWQ$KL}y<&GM9~gY*~a?<>y(xSIN9iqgfLLy-8$Rb$}SJ zz*Hlwle2J%4$TMJSx(_LBdvUN1dUSXyF0Qv+bNUZLVk`|UoPj~c6ytLV&Jc8r4{C` zzT37~M7}SHHGXu7YTS#Z6akjVUm~gQy8;&HQl7uTQ9iYci*N%9B8_4cWAc^IQO?eP zyT+{^np_;Xrp%lwoJl`rg-IDDAZCBgO^qBJIhHiHx37>t-S3aMcX}3@rxlX%SsBDR zr?pSYn)(}@6K~m`BX<54O3meaf4eA>&p>@8a1h!~x(*rJ@i|HnUNi^)d>t70Q@N)6 zr+A|W^ZRiy>y+4s-l95r;06I8FOH5}JO?`Zu{$2^!4v9jO3}{)T6`K-<&TS34h8}f zE)O0J9ZPPjWmo>^id$b-(LOr6J`~@7**O0dB+k}QCr$6Pd{2KYF47f|#CvBkmGi5{ zP-Nn{^}S_zC0zB*6-_YUH|g)V9nz^Ay!HtaU#e90?Sr+rl)6Jg8Cqmzj68XH&o;ocbFr1N`4y>6 z^?{Gd`+dXC3%=DTJ)lw!C@s9!9Y8w*Lo#U?lW3&DNyz|RI2p0-=6YXzcnQFR6K@p@ z?OJxgYI9XT-+Pro*M|4smP^>^<8ONUiW+{g75&D0u2+4s-V}!C9w>=|RC@t{kp-*v z+wEtV2_r2w4 zn)Yt>R)8ogyWu>lPdu~sxjIANvlr=S94i)JFcs@#Y(AcCbzCqiB zAY&=Z>R?pZ&FtZu%Z-3AfH?Q%y3%e9+;h$^9o?s8qG0Fp3TE`IY{@1Uafv?96p)+0 zNq|t46-ilN3;4>^@)ZG6{4&*WYQG*V$6^NyyJVgO3$SQyu*j)xZ(xn#y)Ny9riYbTv) zzcF%~BQOro6QwL{9Xp?@WJHca1&61qZ?86TQ+`znJ1~IF?VJnuW~ntSpk$fD3Y^I4WN?tm2$+A2n!tcVW*DFyE|2p569#ZI`M zK@QcY=r3Temj^2Ew|p!xH9Gu~*7(ps={oDXFn}p+Ss0qKM}M28iFh+JG zazF73NA02NouSyreX87Xmj z@yZ)r8-zqKkF1mY+f8A&fOBE5R8fKH=!RMf@1NdL;ihpkukarmx%6<$w96)3-9_=C3uF z;>7+8;w*YG*?+g{@;>u4%ZQn@k9qu9_^3TQ@7S_j!N(8(%Tp28J;C91kkMjuu6^r$*+>dziGNkL6p;alM?;)n3Sf{M#M&D z^=sFme7w7R4|}T&Z0;intVNr&?Ho*G)0M`YISK&YF;*iG=2fu>qD`x#VghZcxxGU* z2Be!x+4+=oCA#jgu6Ez_lGXI3I=>9Re`K|?)(qEEyH|Q1$ah^EEj{y>a1A5e5^C6^ ze~*uvn9($Nmo#^GTW)BdZ+zJ5YO1{J3L)RLlWngkw)6%r=(xBD>!s~J^_&qo{ zxAjLb0Q}e0G$#CosrxVUkKbLBM(C0C{UEc3OtUN18Ud|&j$myVxrk3R5HLL+TttoB zR9GHaXQUz(`$V3%3Pd)Jh?@S*TplL(e9Npvg(A&_;8{G-T2?X^oT-+PR>jXcLTGY;EKUjX}thjdl^p6bZccIf$MGl9_fDXL7&1qpnefV8nd>>nTJFNVII?yQzzvg&5k zGE$r4Rsjl4hgR8p^8;*Q4K85kw_I&Y>nNom?4YRSd&Ku=*npTzsIBXbY|o^OghJPZ zq9z_=kc8^CGi*DL;ApH-&0rg-SHc`+cL<9kiYo0@;>`oC(sCJ3s+nKbxp<<(a>t z-`XUfUd&t-R@ZPrYj<}^B{w9=^$~(ori&bF+2T=t=bmix2~ZHez-NHyBK;#>73wV9jKtVq*!`p@;<;p!A^t0F1ZknpUQlqjJ`K 
ze0@_jSg_6N>#Zz(IO$xJkQkvHyHwiVuS4#Om*k!QZ~%~E8tewCv@5($T*6kLu4l%R z&dW0q1aOAXVn*=yWfwu1ChpkgWIX+ue^~=rOQEakJuTa3=W9^tJzI+Xzh*sMVPa$1egPn|G?4Ef16N}*u~zguT<=_=zW}kYzms18APPx~r4tXAh#J`U zmS>PK(l#=4cJ==HQv8>cV5x0`cYBg%&nX)IC1ls>?8FOM7h6#x@^L3kk=qtKXGB?2 zPVCLd=SLl?RKBd&S6|A=v{lyl`gs72jvrbdMHyxa$zP*M7$uUSI6B^6_s8OLiBfI< zVdLN;GaCt~p+Sf`33ES31i*yP4j`IHZ08^Q(CVyq#0oiZr1Po(#LIOx-Y&^FpAj{T z*!teE>o5AIr>!V!Sfo{|d%x?uR~&8#iU3;Se6bEaeVka#*@@U6gitYfwRiwTLPknKow_6 zDGl^d5X4VCH9mU^%*Pa>gqV<`YFiQ-R*bRwi}C)E&sXjby|bv!wHB`fg#}0NujsHY zOG+@EtR1LW!y1{H$ioZqkb*xXj$J8lA_5i46d zR@Y5a%U|)oM?9&h*?y@kfP|=HFRG1^pq^}j#R3RPFLK!2UEG+vC1}Icch?d+q{@p; z(g^~Gg%*bp008UPr7%WgPCGTDJlG}#EHXqQY}zh*V#-R4454U^GXcaxfV!-;odUph z`R7#o@& zn`#zoZI{nbONcpnaX#th2o;QBMO28##Y58PO*K^7!W#OW7U^iiC}CvZGih9giV2d| zz$ZmQ;9ID58D?C9Ya_)3qy_~HU$?r^CqCl)9*k2w-ye__l(qWma8_&DQ^b!r_r3qM z+2s**)#sm3#vBO^EVuiU4vV+7vsb!81`2>mdp7#<;;%+(#T1@>_t|+|53#pbLX_Ks>1v*>vy`htkc1OW zO}t}ok%hnGw^>$IB`nG+bj{P0wcB3+Oi7K~H;#<)6{ck^utT!5T8J7CI+QvCI`Y{? zN`vS#u2p-ym-i!7XnAEAAd##a9dw`n)kqK3Tdgz%f*|I;e|G%=ZB{9>pQG%gXq?Y7 zsfEwb-QhfZb?hp2Nd6M$8yJNiYPlH7z6SrsQATc2W4Rdk#w%V+9%mk*3)7`ld~=uk zAk23SrWB+h>165g5dgBU!+i=e6>f+`b2^O%BO;0F%{-uW!CbLoB%=314B>BTs z6R#RX-BwYI{}Yu97^^((0LSY2sYMx3@PwCeqJW;1FtR1y<}#o_Xfk*Sqxu0!*~R$y z&Meqn%V8+b+J+XPa&yeEO6Gfu6xiWUH0*ri_}8FkfRwWAvQel9)`O5vK=$O8v*mXO zru?7PsA1&__jJHI?lb!uL?WcOF2+ky4({+GRPrpcPe_J#eYL~pFhGT!Ik6AOx(L&< zcS3?DNLN|_1^1!z&!S(}!YI9s;vW*HuIzI%a`Z`dN44`>OHhd9*Cjhg)e-%A0Lj?8 z5VSFBeIB1vi>7GvsRR$s9;AHby@-MvPe}MWz2WyW=3D|b7=KzXwOF37aoEB1jd$_q za6p>B67h7yscvE1Q{2*-9K<$tb|}#F2z@+IT-PH`qmCcX$KyxEsD>Fo%-Q^Q#g3qB z79h(72x&K~H>-M+5WhUR!zLtPPKOp-vDg-Qv;u+p>NWFTg645|Ib(7;AmBQ@ktX~$ z9zSt>Qc+d7)Y8fLxe0XsYb`hI--SPNO6XHRR0l8RyHAeJt9^{3%!5 z-?PFZQ~8!VDuOvuQrE}IROe>O$ujs|;^S`x(SNHotgxQk3~f$*LP@VXn6;IzQVH+y zm&aeU=hw>E3~}EnH=nU?UWo<312Ynj`wN7Jz6J(_^57iSKI~Ue?iNmw0bndBRle|a zf*vd4LolWN!4QGEUK$E4XVT;9iUh&)vq`|yIaXA4a{gG4Sg@f7`V~;0#1CAfS|~># zi@2nZdYWZph5Cm0*jD|%NtspIW(}itAOvu>O!6CNH{a2ltLNsy$&V4`Cu~5tFMkoG 
zZmttkrOPFb9Qr=YiKmy3qO!o*91rH=;T&iHngb`(I3T#CWyVq{=#{ExSI(v(4CEy! zTO4MjZyiYm9L?eY2u7o8H2~(*bu0%AC?%8YpB?~^Kq^5m1=(^ezcdOns0W<2b{z)f ze_R7O*h}SGS=Oljv5r+xy;vfNW3+q_1aPPAg`ZB7kfeMRXz%VhK|80aZz3Q zI4vXM0zno0sP>booV69~-`{?`gV*g!na`?lwNqMa+>EUIfgR7N{~2EIsN0BJn{u8z}a+^F6YbZl_u|83?a zp612hn$R@`T2KxbuepSLw;5v=xcS3=b`WiG{-aPyL)=K+#NIDQNsM&sCbmkM?+vaj z+lR~tVI2VW9~?U)Pw$-HOgcQX{BfHB)WgoaZ~8`HouXO=@xB1Thu&SFaraMLO<$W7 z7D1exMKk;E&LXcYFd@eG{@511Ujl+?k`bjUG~&=Ib1%Bt+Iw%j`Ce@+XkRfnAMbT- z-{XTz7BI;5Dy%R2G;zqB#i3^XIp1n6J$>uvnHmA-vfwNZfLv`4AHF`nZsQl-roz!h zEV&9?$gerf&{CV`0KyU=kR8Y?-^ECLhsCqwYuQ1ipQ~y3fD$J6X?zv@YC;PU zB-g^N9ROFzuhrZ9NC48;uBE^AyFb&W0Sc|f&SSL$FbPDLrYlF0x$^fL8FL$B37%k@ zig^pLb(@`TAud7L4+(*an{9EE7q=;`_or1(1PMgJ`IW1~&QL}%G)K!qx5O80=`h1! zVNaK#Jn8K`EXY>$a&b-LvD_y3!lWGA+>SH~M_P?NWW-lsY~Zcvs=hLq!t+v=O zBx{;7NH?Ol^PTMc^S>odkVCYF2pAjb zz9x0Ji3NOc3G0F&!nw&+>gVpOxRE_z1`F2a&sz|G5BZboUC61*k)~)47)wEADN2gu z&f$W-JKEs+>07o)bLiK}&&PC#BlnvN`$CHu z8dA5>7a zYgDz6EEJ>oW?0NN-q0O=X6wyzhumm^i;VX1u!5U_7{pOU+N;Xu`(kV88#Y?_;iK0n zvX6jz8aH;ZF8J$F9MYB>!$11y1#JT1#J3w~Ss#+e0lv?bx78?=S2*X_V_eD=m4ELg zwF#7ss`kWJBR(p-jOh7z51@#AMs{I^&R+gA{8A}w=*m^KWm=l|3x9~*`5mWNFM0s@ z?2x`SPZW$W5QbrAvu>13Rg9?;2b?5sx(bV|Musqzl}{ZLVH&AvyqCYfX?TchGG&-d z7@ZVznz-%P$OFxQ@}=7uk{AGM4g>N4Cik4}CzlQu88B+GIZpHdzv#){69rqVRn7c{ zf;~;|p%^dA2FW#cIE!jWRjScia$w|j%8Hz=G-t-asR-}Gv4>-Bo(uq`dcCobSHEl9Mt{Tt59a9|xq3^s^X^hq90Or< zT7`xkCwnKW^G)lcF(B7EBDjU9;{}$Nm11Vpn*a3;BC`XTvvZHFcHjo5P(RWNE{`f%n#&kB#Pfkv)HaR8sA#_h|Oy{p9=1_1V7jaSr?GmR6M zlpM^$6c*UMz6{Hj@P=0(kA+48oQ#hgGh#yoH9#N&1YaN6_O06P4@r}2{ys7)M%Ek3|gj&whQlEwx)Fn^q<)s{(x$= zmp)NNSa)pv_$qBf4e0-j$@)Qu~sQD?-#nm zb@a@;XaWM<;UMNZ{3TRX#7m{vrU$y;Ixw;z4B^`LvT*CeDqzIN36R7A!bvmEn4{U< z+^T+pnSh%UYoHN0!<^lE!_g4e{e!vxb#g#PXsKp3VHYrAD6566J-#bGZx*6rqA1Q_ zw$M<<{Qm3%AhH<#4XA7tD9H4|jb4UyWC=CqO&{p{3=&Hh_im4r9 zO**@G_l--yFz21vj-=GS?}O5JnfS zTNjRZt*N5jT50Lv;)Jv^dA(#)o%o`DP3A-#X(wE9NB9Uo8|IjwBpulzt9qF-8r*gf zvvCT%uGtwfd4UF z8LaP)o}jX!dvMLpL>3P}gj-K}{7j#8wl@jv5*C%|)Z5qA63iju>sHN=u$&GvUSTeA 
ziDs?5{JVswQD&DQsAJLtM-|cBMn{gIGvARvi;<`$L&q;DqTPN^$-NFMG2+?${ z{Jne#7^ow(fkDQWpY7thlBws}WLvl2ZsOTU+PysDrA)u?=vP^m!-hu`7LL0Sm~GAZ zd_1x}ijzl92;%%F&`z#@Z3RBPQrDozceSVG_3{vqcec3g?D!7FFlghLu%;b?BD@DC zDY0jAbI_n;dZ{|J`ph$A{}*l*k?IT66b^EIX`R1$=LYAemNFWh3csDr9_?Z-WM_y7|SMUpF)d3kh_?&b!%;;|}G zWr`&(&MgxQ`uN82K{Q2@D;fAyl_$E|_@gIB`2I6T0ceYb`SF!;Mi)~Y>uP79HO}#_ zRP)4!8C_UoY$?U$+BVy{67g`5SjbPv zr!m;ph~qd+t?yu%pK@pVo?_a{75Uk(rDxH7lO zyEDst=}12TO{G{iF)W*arqUP+xPR~Vj%Q^j%Y~^WvPGTET#=d74h;bxPxp7y6>q?> zY+52AX55W@85ot13}Fc<}I$`$$t*&E&W=v%=V73fs163I_>kDtX;tJzD_4 zuB64ZM1wpt(8=#VF~C4;BdU~?42wv>=MtLZu$<0e**0y_@M8%Ns*7DNrNnU{U(z`@ zvB;~}rzjdGXr5ongNKg_RS{sAENrHEV|%Yp=2~4FNyL zy4v~r@ge^0(}xfUesOD#^-7}iZc%44wT+?(4tK`!sgHhN){Pv|O^erVO!MaLIo7sz zac~RTd+^}lBU*qCps5s1i=SPe=JMPMk$}dR4)szhoBZSG6eYtTpei`FO-?V9E|dWH zlc$f+90~F-<8$0hrdUnyGQP6G)Y=v;kr2Oku#2Gf=w08+i!Z+TVy&wwfa&#Z{`=Wc z-kDBPEE`Bw@mgMa@bLd(0@{wlR<=M#EX={SCi+{OSlr5Rb$*qgPeoHCUGXSgO;L__ zw~>fN2nT!wRE4Ntqcsxb{M0h9-I&3rD180+LB4Rf&#k8L2tTI~qP7*)o?mJuz03Kj zMb1quv6ac+3+(h9=pH@67X^QzQJ|a5sf=nJaTE zENtzP+}dSzCySKsO`vJp;J_CT_i?Hx!E;019Ee8&_xZ=+kf~{DvYjvT>ev+TOf69^ zlpq-J{8An~JYqrM0NdFDuZ>M}ps9hc9vkHACx&_UU>Dcs*SIvh!s6C0yTvk!B4~?- zInvR>3nM-BwKP@>1lW%K*wWZ)mZ0|z&2`=cweqG3`p@4uyR90#AO5YQCVI!bmHfK~ZU zhGkte5h$G5J)Ldq(G4pO-fWLs%olM$EaqB>L16Z_#bCSt3>5EfMfH*P&eOw zYJ|@p>UTry1rHrpB`e*OGsP0Wx--w)lS!naAcQ+X<+90%?lwL*+{MB6X8fx9SUPGv zYLXICk}nkb>9xB|uI-R7o2XJ^+BTXZ=!rLQW~7&sJqh@PoS&bhvd)#t{METp&P^<_ zmd>MTDy6bPYb3xAo;}J}jvb`GwQ1kD4ff`Iw^-!P$_B5F&9Gh2@oVY>RJC_lNdcNv z2xuy?kVZ=+NJlI}Uvnef@dkXF=Dx1rV;%mVTB2IZx_`)RhwXfc^<06iyw3B( z-LyAE9{!5dWh6>vlk1D?yma+0e#PykY}*ccsZ3EXb1>1wKx@3N7O!qvT%29y!sHT} zypF0Wn5IQglN{}C<6wK7lRXLcOLWJc@1jsHb9H`&*Kf>lb$$)ov_X+zn9TV#e5yiA zLxld;rYf=3Jy})0hi+OdZSV5WW78yea)c^nS472hGfk^{&`JTSl=w82NI)YJ@DU3I zX^VvzY-{3)1Ff9y?Qr)~r9YqJ5!FLZ#&4Qm(jmE?=B0F=tz3~@N#~m#6jY8S1yUlD_4lC&b)2TG2Y{BhqXqZS%AsPx)3#9EA zrrJ{u<13rIc5|BB%bVD`fe83<1RyjF8{V2sa=fdZXZkxi(A0pGV&5oA%XZi;>ddBg z*xB5LkpI59l>(IaDJ#1Ylu4z?9YTOAX=(`ZRBwXsKXZgLhk6-oi`U#bsac|uf(Ht4 
zISA~4565wMYhsC1CeQ8VP5#pto@B5sUO6$H552UILbx?^d>W_{Au7!nZ5vfnQG~3! z7%d^duPONb8l|#^&{P~LP&I{sPpvDT+lTw5+}SZqlk<~H{N(B+CCdW8R(%e|RmqlK z=AEe}`dVWA`R7j&_WSnFI0(1AuRK67~2qV>4UCwjECQbQ5eUV-IGRdr z^VVdNFCQJODfKDqZCa!ds6yb_R^>WFQZy`H9-ZXB{`4$Ay)w@7PPTH|c%75?6I}Hm zNf(M-noaVn@p+OvS@3H(wnZ%9<48v{FAR0k(-^@no36T26|$u=e}DN7mu6P(z1F^6 z94-kL41+@1c!1aj+nYJr(?M@@3>9!J+daV)g>2a(l`UYH=6$|EkElKZY}-wz>4=5+ zqbG+r)z=Qf0mGz_Ei$^a&i_1rgTFaH#9S=!Em zZM(lWOnT!{zIl9*KYjKXCwtq#sl=2i3Wn`)V`-hYCl|T9vW``0WxhY*RNQm|MabW9 zo>WXJDKIR%+G*zf1m}kP)YjOjbv5)AsooKb@Mq5*V|-P55HIot*x4%t$Xw8$srDPHnWn+ z@y7T9ySh<%T2LVb4(?k;1#S><*|OYF1=}Sc!?ehjbSBrf*vu8M z0fcm29=1h8K%=7}j8PhgGqka5*bc&*GApJfpzmMCi+q`^jiZdg zJx!Cmd1s#Fb`A`a4b$T6#3F{}u%0dO2ge8LYiUH0vRW+6%c`#*H3hJ=mEo1qDMptz zs<*X{ZsH4QoEh$_k`%!4?l!)4;viRNSD9N+yKVzTV(4Y=u5R)AjcKAmA0vsDYRb*N zfvQk6EMC1a!?nc}0Zqj;EsA=X&1`|G^)&0b0vM)y4`JJ&Dh%|r^Oa)*d~Ud#K#jGc zt2?4{dyP31%dWGpF%;yFPamc|8Y1LV`T5u^%ey%o$03s|@%qgf=C;yUj?Gt}7^ElO zP>CfKUO}t6@JqRql*;6|IGyC}$tAWkIYjkF%Aq9^;A=+*INI4-{lC^|m=}h7IN96I zc2Osj*AbcmQnFht@yh5Vy)7|D63tcr*M8wDRZ%Dz7U%CQxFqD*VBd3{pehJeLGx*7 z2oy!q-Q2);P7U$Rlf(44#@&jYHKa86O_zk{hPvr$iZR$0=SP>vd2cG|`Y!}bZ>0He zKfl1l>K5OB<}ib8O@w`##{zXkRF`I#`9JU8VkcLEiYm5Ei*Pu=v92~=815m_7`^X* zI~$|?$~lb|IU0;oBKsqTwuaX<=5Uuz@Zed-X=fR98& zh_|MaWOGFf(;`(ec=g5%>0*iJhq{>GN+b6CR-Or1vnHSII4o|Zd23>ki!&>fEE}OJ z)$%QhlSb3&R01R&;Xv8s;_M3j*Qe--$7tF| zj&;kl2nT(fInqa8ON?m1=N82i5>=4|HHC(NkEU>d)`l>>%`tl74b`}*TJ+he`+=uy z#{tJdO36TL6aVhBN9l@3uyD9Kx5jp^gpFV!wM{aeWoA81x~QWm64P?_P5#?{#BNdN zm$zm)Kb0hx%_D*Vq#|&|k3csqCf2t3;Tu;F-0y1=xG5&tl7UcU^-vQ+;P_Q0*S2|W zY=*BM>F0ERCrS+_<9;ld7C}wr8^;Iv@{v9|Vqr|v0U=OTiCJ`?>c$9HP+opI@z572jbxXKf5-`jpPQULJ3_} zKvht@K+xJGsmkdwv%byiH>bIk+@Mq_SCein%OdF0cygeVrceMOaC7|bBdV&m22E8c zn-){+X;w2i@_HFXRX~xXOJ!aio1wq8iNhT&s8a5OTR^Ak-`flLyf2Q>aca6q-o7EK z54)_Z*5HwnQ@tJZw!{efHT+j6xIDLlZr5Jq?Z4V!)$qr?IJ?Zt*CyD>m)xXVA+RhP zO;H$XYvKpbKEYtSTW8AtU3r}X0;)=;p!4fH3;godEVq*>97Q5E70b4{wV2}V$t9lY z@8rk<*Rft7SAgPo{@wvB+s3MV52wxxCaQI}jD>jU-RIagLQ3M{5PxyzNk-b^{OHm+ 
zKY4G0LcWCM(<;3J_gRr9LEZAOkP_3fnONQ6?43m}&#r+KNT2Ge9Nl2Jx1H}jIn1|C z4%5*XK{u@roIOPf%BICgqKSfGaC>zV+i~;9q!8G^#hGRP{?a)AN+re4dGwEiB8r z7er&2Sf<-(vECM`Tldc(SJI)VW1AKjCc3Fo(90NB?O(m`nJ261EdT4mO@47}24^=9 zL0?tiC_atn4j$k;r-tcla>Ee<4-rM}Qxt|1Ej&Nm&9#L!u1qgumkm%AuxzH5)_Fz1 zvxA+SIn+yICAKqL)I{-DxDHpe-7tFWx}f z??Y-TreP7*6gpxNLVIyzPHhvFZQE?-3XCnKFf5z)&K88?mQ@ZYlK%E4zIddM<2?!X ziX=YFW|YEJ<4^T<@V(O`?B+_OvIPQu4TKo+=|;&yW5o|LUFNQdS~kk1Zv5f2Ak+xsJI1c7_= zm)yy4adw6OdwH7GOaUPTdfDI$BM105r-wM*m%y*7b&&@qrK>V8&#sb6=P?YYS_fW{ zf~IJIBb_buwKmqYuR=;mv23uiljXg+HS)UQ`ipSOM{BC2yE)2GqKS@J^dahvJ^1>% zVX~HXUw^k~R7`)@8Lvt~do0XwM>9Pwv6>E5aK}n#d1sf=`E_z7^WIol7Gb}}iM|8} znxcgLTHWR|)_eofT(L~HSiY~G)LsPzO_jt#0aWFq-P$>o8$l{Qsnl+sOLH5fEAL}k zHoZ*|MiPy*$HJ(UjQx7>Ntl++Zc)cDZ5;c3DIo$hMH2RF1btdf7X}o<^(7T_qgvx# zl?vcy{!1x{27Ls5YNesa$5(CJxe{g5EfKS)oA%~98uSqf`f6K!;wB#JhDo+$U|CM} zw$ygq11b{mB9d587W8x2;21^00000NkvXXu0mjfhS^Zk literal 0 HcmV?d00001 
diff --git a/output/images/niaplogodraft.png b/output/images/niaplogodraft.png new file mode 100644 index 0000000000000000000000000000000000000000..e56d71d7abdbd5de11e5ad3b540469b08b07b019 GIT binary patch literal 33372 zcmV)eK&HQmP)Y(15BV0}k(QBIn4+#CD< z6O#o&kepoa&@K{I>;p(d@v-`<{S{}os8$!#O3Lc{hfy^IDT|Rx>!QtX{{aBl@C<#; z!OGLWw0PsEQs%JTmvjE!*uGutx9g%r|1e@Vdke;6+N%8=fe^j?TQmJrP8U%CiYY9W z-TJBng7aG?PF8Su`ac{6i7@ZKZNeIA_YX~6cR-qjbW1;t84wSmzS5sUp>Z{ zV*k7OXE!?OY%D&w$E0|z{#GP1i!1ic9VdM|Mhg}!ka@o0(;IP-s;)n4x=X`OW7M#h zcFr^V8Ir}vlr@I|h;rFk_g7tDe{rLxQ{%HOdm4-Tx5?}2zy2S^UGHW)W^8|b>0Z{G z5!mC#%yl&)$^D_R&Pn&Oo;YWJ5u&K~jT;WVOaT9^y7p+;f4}b9?0xh4-RB7_?)x&^ z^l_DjMHm!~WvYh8=dV0MTXY^0*`VB#cZ&C~)m=>RzndU+a>nFIRo{$P+jvy`>yT*+ zv9as+I@@EkvBZ^yiGE&*4W3O^pEF}h`*M+{sW*M%I1w(1@PqGXSHy&2#};%HlZ9eg ziQ!LTFts}u>xT<<)qzXn%vj|`gms6|bH8HJWRio0S4|hO5n4Z}CG`-OxjMSKVj^NEUd){cIyE0st@|)^ZM#RE7v&(&B+u?31=F27vp;qjkyBioJX-T z@JA%xaIu*GA{{$``A|dKLgvLtGhLiFZ(j3nGkf-I(NL8nKKA%#?yCQ*#AP3H3ah!; z+oB_^OzNR2vk$EpF1j0zD$y4ku=~nC^T)kT{1lRy_0y!GN*K|FnBPexYBvCb;xx#- z+wzh9s4%1)p>yO_^k^%io9kzt3-~azzm1+6rBN%(_6jab~>kdutYb}q@WuQ*yBSI2|gvxRqUTtxeSLmpCWK3Qb%4^U=kj2)2)Ay}w zgAW9PV7mvL2x|_CAEt`Yre1X_+xX{`pAM~8x&9@VRf-RCt5_-*P$aB5)X=WMMmqcS zW>x9m8h2j_ql*uKnB~#psKTxpyywa(*KZun4BM-J*l4&AEW?~3t=i8%(6{4Ic#g2uhSPW>;PHy%Z9=azt;LI#9{|yBVFxZ#uN3zWy+$ zj)jmY5OwKeUde=>W&%0lpUUaqqVo@$(~2O-77D2_yysESu7@Fj5JCU@Rj4f2q(##F z;qMl&vH0<1F`the{O3A;nNuHOE9G|E`^V&PtAs5)EM?Csb8SYS-_L*8y#{ELMyc&z z7xh6-X{@L-7@RW;sH+b02~fR@?im(~x#p9H z8DDFRPKn!Per~0WUm}?@=i8YmC^Em<=eL{>cn9PpsB7rnjE-M=*%$lF9?nJ`!9Szk zLuF!_&*i}D5B1j5e*5Ql*vX|m*mrV(N@g*@EUssy#OT3}TO0dtu7AO|JTP<*wNR5Z z2v!}$v{n7!#k@wre_QVaWCD%D>oUV|q?P;GXE!USf9YHqLvNQ)AOJ}Qjnr2kIzQHg zTT&t&G&*fVS(o%#4DcZkK~V?<+tNSjSqTYggqdr5d_(JhEdu~805AZ6!(&abUsuG) zm{(Lc)CH0njS|}0!yLI;Sld5+Ys<8_topMQ8g2U2sf_|~6e3Fq5NqbQ>Q8R)&%WVe zaookCsn!oARBi8#y#f%&0{b#*pCy36YMzizl8nA-Qi#>UCi-XMFbw-?<~=5TJNwSN zWPw!hs`+r%`-1ZM1?AYm-iWM5Z@cj*X8diq_O!H$>$!S*txlS)KsXB;a;Ts4__^V+X^- 
zfrmj9nIUKbJZXf(^`ICf+oyYGj^y&?75&hf1H2l~L&R^XK>mfrliZh1?u7W2{Ml9V z(}MH&PP`OB? z9ShsO*wI8E=b&7aS;n;8c2>;3dK$9FJ!;3|zADBtIoPBWXRJ9`+3YpL4tShhJYmJ~-tD14Vsi>CbhKy`QkUc)izm?7a8x>xK$_OL zKP{-J+&*czB9E)!@J_yr+W#Pc022-^a#=H~KjsA68R$X~)FmGol~9Ug;M|^>>ttnCjRT#MrznzOKDsSzL z|9cer=wo{5w#Cibr{IWvm%~35ili!vu5s$aJiS?{jC?Xx;UEmd8fy<#w$%ua{8TV% zzx$hC7dJM8fK^u>Uk-`|U=gC}AQ-W2iKB&~*wj}p`#PC}nWaq29p@BmBsjCcX}@R4 zjwMH)hW&QOpCfj$P@tc&ZrILcaGgR|x~J6n9Nd0C;NX)m#l6V=vqt?gen@&r#V@yC zV<)JHu=vy#G7NUui%4>?sRQdI5fc@L-wXMeNMwVNzB>X}(v)+Met!c;H&ldmE-cszF>XD0qep5v@tUna|Z zO#KAGqG#zI--v?DItAF3j$$ojwdG`Ld9_%hWB--&Kff%^&`~Ec9s?CAM*&t{M)O_&|G&Upa#lNoq7B%3ReW=-hFdiLq|a28znJmRqb z-JYj6T=&)Gy}AcM>C;A7wCa|I(r4O&*>48rj6Zyh(;!y4v|o4e0g0yJGPpK-hGAh) zk)AJN?l(Q${Ii;A9})7q00%WtfLSvRSp^>fK$3$pS0zXgLqluQeMeh z1kqUkw*Wwcw=PHv3ld*5Yx?9GPwvT;ppOC&tOF+MHPL**lZ>WXE=~#bN@@DF z?i^&+sTvwVPx`NR&U5-15}LxDNP7r`Av>KLUO<8%PEF!b{gu|%*2g{XloXd?B5g}g z(NdMTf@*txI(8sn3wG)Pe-+E_8uPka z7)0X#hwT$dQgsqkdhBNqM5P&>oSdu=1Nt>AlP23<#z3=reDZPc>)%bAJIGcQIasf) z7#hYcyKd_aRn{dXVdz`f-(-pgD(2(kknC$bgt-0?8AVI}`7!*qw>UBg5owEFBsJM6 zRl{Sj1|Ww~x$xqHjN-D*&1T+r90w6D>-w#`4bK?#bQw3GIisPtnq%oHQN)_iG(eImn>Sq*5=>r{60Ox)%Zm|j+OYLQEaa!`6b zPGf74;PUOaU+y=pZ~X7wXyPAC}c(64jap3w%7rSi1S8Hgoa0 zfOl^*@udoOIS5u4w6E3G6iZRW8R?8hXuuF(Rv=*Us|^d)JD? zGtDO>%WvVfOJt#%$7B3(41gg(#VE13LVv@N{C|Er@hYOYlJn=cqf(2??nK1>G+}55 z$w7I@`)&NfbB|PzePSx)3ZU=yEFINv`7nn{4sYcZU%y`#DH1ePG6&gw!8bM*_1Uyy zhZO{2dAcYr^&;oXVBTv&;!I-O(Irzup&_j=d$q-0DfU0v_ zu+E(i{J6&bY2M)<^qPHJ46)#feG3QKy04ni;!`q8E39^$pW$F}|6^L!$^WAeT6T~Z zp1*%1GLiM~&r|{kt~k)o)F682Ql$i4+eHqB?pW5_Nayi~#2NqG9bl&93G!plBYwH_ zT9-;m$SW~ssHtr@9=z3cu(_c;_hyxpX;7%>#qHRqRaVSe$sGLkn}Mr`IvDFPut77a zw+-+7R)G+`6qd-Kl3ScbOy0AWP9ZjbStW-*qo3{iv5u6wbOwP?m|0v|TE)@Tpfz*j z@%b*hr#o93Xo-@eP_&t+v?}cgQ2n)ss!vMBpwef;5ELD;-#u){vi6%QlBv)-Sq>_Z z*1G#fWENzWR+wn2e-#*1E3z*t?ze5!8tFn1a%T zyiyx|ZJdLxpcR)MFzZbY5E#AhYVNWB!#OA~<&;;shr~5ZAuQ$av&t(~P#O|cbNr4! 
z>?vq$mtnsS{_|47-y0E}gDujwyMBo!GSV=M*u486Q>XQ|#5vf4Id&Sf4}_v4tV~~TUDSSVOlNYC#S@G_;-%2s zJPZ#0^Fqv@Yib)52n>HXT3x5mHDIXp)Gq*nw5u0L=*00mWcMY-QyUTrnJlh=hYCg= zxE7aJBDRMJe8J6)^QQOd0knTyyVE%6mynTMSOI{FzW})Pw%=*Lw*UbWv#%Qo&N;oM zeyPcq$w3r=CjNax04mBq4I-3tbQ2YZpS@2>Wr~(X{5^N{|G5lCI&ey*6F3M%kkfv5 zzGCddRK(gb{g2JBO{xsoxy(3i#P!G>>#@HwS5-*TIoj+#=FF)kY z>&(`2tzmXy+c1b=jJ6vy*U^Zi$k*F2(s%<1xV_G9_6s+9geZBxKv?|G|7kV|1Yp*m z{f@Kw6_r0t9M_oV3e@IlfK!j&6tBGlq*lu{snZ~$#FaH!9~@85+b!~; z?W4GUMV*+N@~0d_C{TKOb5S*C)ZQzyH;QOX6Rc}<+UN}RtDmZ8Gejfc=IzJxW{Xxi z`Nd^U`sXIlFwLbiR@${u7dK=gHXvKoaXmUEao-yM#H^gC+I3&6DCl{PjDft^sFpiv zT=m=Qricr(B77!hjqkYsX5XU_00e=~CM8%icWytMKYM)ZG!X)fv^MdIs{J*c(*h$l zee2ZFM!9_T*1n)LRbZb&99%fr{`%uM>_EUNYQyansebjx?}$WzFS!)+Y~2`F*U%Lo zELb?(>$*rhkqA6MWvJ~OgtRboEUs<$R^>$dMikWcfU2JV&w^?H-1d!6Yq*T0UIk8> z>{6#aTQQZP#2pkm%_ou5xD~HbeXw!%*hAOeq~(fFQW%_ z>yEHs_;5&8-9j>MmmkG#CJ=(u)YWYVjnOa5#KNjSZ?7gkHO-FAE?JrO}EhU5eKec{%(@nkY06zycN6XY;rbp z^KT}y0y^z?=bqi#u1Z-6qu9W%pE^&DG1DiurI1$(6Civ5JmL5Dd*{9?$HBV|!ib}L>9*jsd`K>0^BPJh>FosE zBNEtLf%gxy>n}UfH2WITEf<41FY=qYVC%JK8^;b%t+~4RfIIagjiI5{0tygx-pRWX zGfHkjrQ$tiMTXl5jYUBsg>dUb%CDX`>WYJcfz3ASQ;JU47NMHMZ{Za<5V+p`$%#eZ zs00UNB7)v0Wi$|P(CK`J{{qIRW+wYB`7yKC9H;KyCby!Dt~^ar0x&^!kEQ zB;Z=JZrS%n8~$f z>mLCixcI;O*H=wPR7Van7>pJ}n0y5J=HPXiRs6+tJVUt2y!NmAj38}mBMDEgd0OUQ zeA!tnf?EdHjmX5~3)#AA)OP0}v58$wF-ILH5XdB&)0oj3)TXCLP)c13(EL+(1;pl7 z`9);r5v^-O%028qS0*BJOXV_10Zx5y?@hP-)+e=@{sRy=a`%<^{cGi83$d;pxYZnN zamU>jY4&W9KK(D?ozL?ZEl#L6zp+V+G`}@Fr6iYE7FJY=bGKj!5(tF^0-*^V4a?7m zcJk_=AFsUtR3ZS{NE-J0>vHblAFxBGy_fgR9`hzOd)bJ72I|yKkb}(!=KB9}feol4 z6;^X{E2|UoN&|N+kIgIom|eK!{Jm#CEmSQIx`)QR&npI04uQ4Qcl()J|0fE0o;fmi%uf@Ch#o*7Ld2Hs zQV}BL&N%3?`J{=aT2?7@#NI1mJLM_^LLflaM!N5QUq0{bJ+H_lkClL`au5L2iNx50 z-&<}ubvr6CXvb2ex1U~Aky}yi{ryZXpYL|=;hpHjZ~IxxWy(}kyPkjO`!+>~Ojgm| z(npuutSGVIXHKe$I59K z9+em_Y_FLntc!7fuG#xA_|JzyN^ExVg$LMx%sc#pj+#h^Bo~zS+IeyI$y?s*XSJ+M z2yk~z4Y4BW{MbyBzUQB-#dWL1g{^*@?quEF5JO>$MYnFQ`IaX@L^8kGidcV4clzH9 zCw=wWc>;Swy_7wxo3EoKzA^rBWC^oNnvCeWTnekGNO-46%@iD_{Aw-7|O4x 
z9(UL?F2782Wj+Wlz3}i+Oq$1vsSpU_yuu;aE_6F8alz?(qE)>zK}LWdL?!Le3EVex zB+e@wf=ZWv@Ua&WTW-D*G&?iJ2GB#kAuxdK#k><-BjXTM78O=ik2>I)Qdl8ZSsWPJ z?;HN$V_NW5S2~%5a}S50qLfk09RK&Vw6dyJlx2d!*xZu!UN0^$oeJVUG7dpSl<({K z^od7rwq@}d2zUm?a5+5h^|O?>4+;*!uZg%qWW=7!?>-d)ZB9#qp<8d0jea^2ynTs@ zmU@>PemDd>lbBq=dUxNLECujaD+|HAD)wskC*EskHmpvfYJ`AjMKv#_s5~~mC?Tt; zlFc1z)!n71d3S9FK0((B^eQf6{PCOO9rl#c;PcpYr@fa$e_JZgesJwB-fG@Uh@wwE zq+SYo@1O9gxPk?sh@FX^$BOCS4etxK!zNKU1mz|O@(lU7`m!&e+^i4?ipejx{N>+g zTNd|HUh!f1RjNRU1}0_PeV5{&l$BLjUdrQPK9VK{p4`Xs{CCsF*_zPmBypsZ-A_oAhmeJD`D*RfV~19D=oa>UnJ1ywi8e zMI|ZQcWzezf~6cm{~hNKxla7f$wBd+vv~Y-0q?E`eatE>E#?Ypx?l4ODB4{^ZOI6S zwWA!nYtmE)b2tPg2?c;1cV6#(5D18t5O+{+K?MNp^nT^yU}~TFa+I+N;v)cZ9-;Yo~WO-e-P_g zH4vCJ*nXvRKSvV-a@{(+E|<0a^+ND^c>JpK_gU?*9;cOG06zUZeC`120cM8vN&g(a z(C1ys-Un}D@=I#~C$1Y z1k88pb7IkW_={cx&;kU*yggEQ3cNo|HZ(Nu>0oE5quIt5o$02_PrZMdKg!C)^O~pkjT_1z zjWnZq(?^Mqc{xFM0La?&0=2tzPU6H#gWadDxUbR$vpZD^yb;;zdH%Ck}+jKTRFn)70a;X?ji13nL(Aq?W9@^e7DbP7o*xxOhJMZ~0WYQZWT>bK`Bm`eD7TQqz3e)FhLefxF;FwDyVd*E(P!bc zJ4K3f6G8BDaNNt-%zXnSYkGIHA2YU(z7i2YG8ndCL35k=H7Mxud7rd;+hNSyMT%`r z*v?WAB9d(T4aI(He&c(3-julD?S0SpMB|0?oZHFW{9()hC+qGHKc?Rfi_0u6|6gDl zW^m~-bdUCkWVF^$_2}Pd06`?RU!Er{A8BmXK)JEAgWea+?yFCf_^vTI z#Vam6jQEr%io8fW91xJltio&uDJ}BVOF;#Q=<4dqPI-DKthlkH%)W6eVE&wTS#?Vz z5r+5Zj{O{%ISTvCIpr1G@4UGe8tYSPEUw&NPh1Yv{Dvm7ToB0;nKV}6&_Q+^=1lat zbF1O`c)#1`3l}nKVtd%X+mZ2W+@Dmi`64^4>Ew99*RdGBqisQ|)dW}5G*9o4M!e>J zdiK6}d|%ymv_NZ&e*<;3i%TbCKb)MfdjXBBd!zhb6f}Y(?^oY8%tWGIJxzl#W%2^C z`L=NG@ax{e4gczU{pQqJGuB^yhT)GZPG*520H@B03zB-+s|UwbHu~5_v3@|`xgFL8 zN&Ja+e5ORPK{?}vwg!5=NN8gfOdB_4GFVqB4~0#~+I)DGRMl`4Jo53q7L^R(g+4kT zf&kEe`kXik!xrU*X0nEw(c1gbAn()lJHgWD)pdIQ-;y5NuD>ee^O{Eq0U+(Pm2ie2 z%YiQR#+4eo4VbEt=*4W%5-MPOk2jh7Ou--=j6+ZA9 zS)5$-Y9HE?53Dx7OG#Q#6k^=Adkt*{7^#Ce1nZ(1D8Q89hEU#JjuZUvDr<&=!C;J^ zJPAfWJJA|s!XMK{Y#QtM=i?yvfcNEmVQr2If*Q~%dk5=Dx*!b3q)Gkjf8`_Ssn=15 zABE(xM2p|u0!lnaHd?F%X=$&cSD&tKBNT*uc5-rZ+wM)z&KK{)i$hTC?#YazbOb># zNnMR<*>8l6p#}iR-ULgFPB}Vv+#l0M4*APHrKGewoqT=$%$}UMryt8CO~A>Mff^Nz 
z0MOCrVSn6w$tE=5D#CWpM;042@;pWiGS=mtun=x3ubn|5CGAtJ13_+np9yq-xJ=ev+J|s85_aS;2Psh;Zdq-^;QJAsh|OA^_ye&XS7W zd5FnaNU+dPyg4~o1)%4HKDxho|LqXl^UJ1DYi2LN>ZFitzNA6MDV^n4-iA)@9c66V zSkfAq8&1m1_HFZPgJ1!Rv+~lzTi?&oq>*q4wm_-Dw?or8QbU@O#aEEitCft4yEpdxFLw$x% zcH6qT{f&%1xH_Bq`hQY{v4N>MegAhpdgn4dH9CSrP!>ri`P34Ts_r~(x;{}M{B6JE zf7CZjhzTvQ1@{m`;f@i;JtbdSh{58xe|DoB1tP&cB4GlpN|Ikx^)){6itxhCKi|Vy zB6Ab*9Bb|RD!I*V3P3Q2$+p^j>ei-t+ z-u&qc5Hqb+&I zQl#aS@=Ckk{(HP}&ZIt8U1f=9$3PIIP^n}h+0n_xP)ivmGYAHzW=;Rwn~5N8UW5Ma=B^Dp?Vr(~p%#$ZhIiB%Ryj)i4OKOJIdZ(>v*uTX3n7XoLVxV>uJ zfMfGrx?wH|9{CR8R0DXy-rUxFf5geo|^KEMB$!(;(?x@WV*LeX&tJ%64s z`0#>n>NPS9!*^l8D_d%2Y?JnK^~ zA`*_gjDDL_^kmZl2t;!$Sc}i!KmXlSm;ep7FebrJN=e15xU}te{CzjgH|xB}cGrL) z0s_BxcnQESfk5C@!l$Dz!naHu8k~`{dE#JeJLvpg=i`^G&ZF{z;$qKM6kV zHW7zllf*~SDSvytNy_f{5`bR>3c;FOYvOu?uUVCMN9xihgce} z8#545p0|kgmdWN!Ip&>JUQLG3V+&m-I9MtbWWf11Z^JY4!Ma}w5U5EZ_cqaWG&8g} z(pAkUp-MxroXyQBV`2wa!{e`p#`e@>tovs0+ED{A|E^wBCl)c?gJT6CV5g(;)5M_w zSuvCVfNxAjSXwRyLB3G1e(WG6;?FxOe(i-vWkN)R4iIoXcmKhU3r1KPD-Y$6e{%Ni zhy(!$_Rvz_KX;4}1=5Nue!k&X%;FJH^w(*_{+i*eYO^L?!z0$AkPglpd-7$}w(Bo8 zdOlw>s{hVuBMcZcpsNrB?eYmY{3rx-t>!!0?VCAj)FIF8a@NSb?!QhR`qxZnr91gF z3Tb>VOELkf;_&W7#TRE3V52lNIR`~m&YJz>COGmB79@gLUt@ADYfcr zVt$F~=6^6PK?DdUy6US(_E|Qf_fTa@+^-CR4UOj?#yI{kZcuz)@w&^8T+crgC1|NI z3L`S}rvH7Tgv}+x&`=9wO*PUItj~33gsr}AY<|)EoMM-Q*KU75Tc1H!7DVg}bi;pJ zN)~5N)-{T#q%o+{5F~=2MorZp5&>$YKMt*$($3n*nFV|1n-(Z=KC>@5_tnK3?F|M{`)PznCv3k%_pvJm^-1D zLNyo35Jan4!bgTw7js<+f_r8-VLuYzOyZg!T?S)6N_=SGwk6F!QGT*A(EW5|Bha`x ziEB2EAB_DdtMgY@P6t+YF~vquLHiV^uZL7x1a^sxOBjM;bBio=w8+FSGj&H1CGf>L zBC6-=CKZ*rp1Zeip38W9i>|lt7B2s~G*xkUt1kM!&niCoJi^(=lnmj?J2?J2kS+zk zk4pK3dCsrmGyLMxru4P>GB)DE@z(`3Z%GyVpQlmc`u!Xsy5**SZ(}_ZZA}E%!Z`lg zn?Mje9}xYitOBUpnjtQ)c>m*&6N@I`%)#;3?k?fmPq~MD!}tyDJpyz$Drv*GK{oo@ zIE!%nwId}Ll)9buDP!{`<^U^LymNsc4$U5oyCFFK+KUhr{oN-pF278AYX&}w_(Uaa zn>bWYorYV1IR4s&;`7S_V$x*p3nBo)v=XL!*vFs08HzIs$6vcRzUKno=CC+Tt`h~J zlg}c*?PuFV7k7kl{3+Y*IP4pI@nuwVsb3(FQChjyFA5lzi#^zAXw1K8>@K8 
z%1gdsJC-)HNe+%boSO9{xPlYUqc{-UmbzRJSXf-~D)H0Y0X8@%as0I&KM?dJHn~(( zm9UL1upr1QB5rD5D=NN^I*z~A`n<8Zg+E?_zAUydpVs_Kp)2SfrM1}{On^aI_rm3!{$-wc~ z(S)Ml;b);wW6}TuLGe!-n3{V&;N9wx{Z#ptt9XLKD%Pjsipb2|AVG2sV&s+wfU3XrOu`#t)rPNedWRijOS`Z2!Emnl!3td)Rhf9ggEq1_?mmW_WzDfTyft)L4V%Y~F*|w4V%hRbh=L3_$=0 z=9M!azDqs$G&H546cC{LTJ-f(Mr;`4sIRG3W2$yUKXLrY_%?xwS!evBmD?;IgnS|s zmJaQs)2TaL@`OlkMRinWzIS-Me_}>aC5ude%{0~eTbu6tcBCCPJUVvSKaM|1O2{i- ze$gkdlCAXmT2blw*TZ5qxeV%fM;P1yY`yKDUd&XM<=03AqUe#Qp>9Ka>d@&Ovonm?nXTsV4m}9E z8uBr{uv}CF2^&`k!XOh?jT*SoWuS?UW+w)QaQro*nB0=Uxb*e_UyT(AW|dU_`5^f4 z+_6ymZ?nVY3!}61U&f~0iAsvkF63jdBZ}UuJC!`Z#(38hCr5JwptFnY;Q0G2Dyq2r zKYiYmioQp?fr9{hy!qf{Z8EEWyUfUm99kI8DJ#DfoqRVsG3HZ235PFw9RdUhgx%=0 zHDev;5ANARSCa&Rst^yy@mEWjo^lWVa5p*$Xy>GPra*A=_1l^K?LehEm^B_PEJTH; zUWV^`6p~k32@r@icmx3y1%&9N-WGdiIrld+QmJVe9DlXKFElm#kNW|b^l1O!4w&?* zAiIodqNTLZE(!rDg-p!7xEUH3nURM{Jb*;3$$|wm2(X=z?*G1Zo?vf=iAKB}zA92q z8FTH`$3@i~0P2V=fnqlI@RP8UZsQe112$|hKPEUe>vC}XtC*BrCJS?MYTb4epaHLs!0a7RMp&9@^17kOi9Y~U6q6O2o96tYh zkEho|V%b7O1iJPNL*p*jzex>+h^98@%^Dp6WIxObWGz6i24?`yRw$`N8 zuF*tLG_QhnHQ>XcN5SO+q$ZMFk32vi+8mUycy#}LGn@$oLRT-Y@HOI3h@#(JeCQpS z2&h7RDhP}(DBp1}_}@h?FbuxU%KP>9n|CR>g=p0l_KRzR?MQ>J&$Vp;sT1(uy5l#-{D_4aqI976pSO;z2^84xQ?;X67&}V+i6B6;@RFCuSE^aT;HM7--NgeK&Qqof%Oz zGNy3+wbjsqp!DLB-H!r9@mo*@04NalGSc@N2;z1OTT4Ki-$SfMh!of|_Zod90o>q=ylNewJ$p zf~Zp{yJwC5?wk*c!=E{%=eebm)kuUdyL@Hy_~Uqb-d3b_n!08WD_eV8D`Hzedib5| zX*}iVN(~g)V#m0Z%#2sIDx254`*dx|PO@06)e)sqIv26lXPj9&X@sSbv_{1s=wxYZ zq)xZA)jhLhBB?0MDqzItD$sXdKrvtPZuygCGF>I+<_!yPRDSe4~5Z^N)3>{!>L z?}XtFtsWoBlU6VY*cxc;Fwnq`^9w6}iLX>v%hKQzjXjz=05rrON(X?E4(6wqOf=Wk zYD%i8?a!AgBFd-Znu(Ic}3Or`0F47xdH&_X#6##;`H~P>F>=3O?I-;>U6Ph z(2e2Ijj`81J5KSos2WWymgi*aN5#v~HZ^wkgB4XcU>?6HU26(8G_ZccT(V z*_j$>(!U0~sH5$_%!tRC;UrhLxvKE;+ntRc1ZLk*%)Z(^P@_qWZ(;@{C1Yw;i$wfq z$@m3>dVw`cRyJAzV4qLG!6#u=eEyoNPhbDC2*UB#KBAcC>FMd}>Z%IwKh4S5-#Cb{&qXvUMM;t77e^XkltccO)o5FDA7dm-rEs-8Ihq_Cr* zMsMDH$Hq4z6!Hav<{h^-Ly$<*=-dX0wHe?3)gcF?aLJXdC;S 
z%=H_y2LjMW?3p>%W_6#zPFBWEaRY*&l)|!IJ^}Y5;{jqVmI(y-#EYo8mXhW&2vg`( zC5ViMg{&tH>k;s=P@cOu)m4JVETquY2y!}yO)M;I^~*R;nqee&0iE)qypWKf(n_vu z2zuOdb(_=L4xlL7!_rcofD87)cb@aP6P+Z^t+%AB?H;Hp0|kiSs0H!IbbcE?PF>eYAPjE1!PrAeMNBUR3&fdz%Uy; z)vQ^+t!|<`@~%fB3v4{x=rg9fsILCi)H9qkU4*b(*FCw244>%Mi}X1z7VVwbhg{ zLSQ&NBX|9kCuKZ=bPlW#KyJsDPuIZpuQF)PLf5DV*AtkM7~~cNmjM>-;SXc_&dx|T zV%IXyi1?Qu(<0OJ3Trm4{N+uShqJM?p@xm(7p;86+QHoC?jTjkMTGWxZ!5ADSVR;wBxN|lhKaQNG73kD68 zK&6oTi4B@IxVV}p`1a(@u%sLwrrMgEi3U;N%clx)-Z1_13B5)=v% z7zFGLv@R^4GS1fQ(DTsD0_=g3_|q}g0$PJVb8X2=x&$iiYz6VyvT@%KQ=Y~(3T}r# z2{N5I9H^~wB-ryHFf=Kb-(mtHh~rP$)NA>%5 zfURdl0+1Ikc>&zIc<+|pG>J2G5_)~ZEN2@t05k*Q?ln@T+)qMqIE(^*iJ5;s2nb5b z5x`#oxKt2-0BlOe%svS#urw9`>^tD$m>9eTfa-{gDD^H6AJeA1)`bzN!08^X{?*!&Gw*PtAY`~b>nT#N!Z22#qY2Qua z42iBb*g~y7&N6wd<*iq#jU0~TH@`>amGN=#bvFK}W+Q>Xn-V8uV+)K2>UT^Bs?+^s z*joHnWW~(ZlbrOR5)2!$wc8*7NR=34ZY1_!IQTjpf0(S1KE=$61v(0U55fwh;g_Dv z2lzrjo8_U-R~EGBBqJjR-DA}Z&#<^(yk3@axXl#hFqi5jwOemV zfe1nArRp-gW@qiW{-p}N0|b3ZYe6~(f89(Cfz*`7=8$j?YliirH! zR5k>Ot}%M@0L*oOA#m|fdkre-`>Rh1M72<5JZO-qq~`&VXu}7Z01ftugkh+-lD+PV zF9|>v7&fvLxqw7cYU>CU^1{Ny32ibW1p;`;kbXG+nxrxwK$Ro2fzM(pGi4m6Xj=@T z)}aRj_iRVIZW{FE=Y2BEDkX{n5)kxz3&}3hDKvTm@L}Sqq?*0@(!*!*830UNU})6% za^XQUcuS_R%>YbKNoo7X?%vbUn2h5OAc$s2CHUA0jv+*(Y8m$#?V#5PAVT4AE8}bH zzny#X&ZqLK`T{XD0GK}5h5$%}X&^m^5e?ODczWLYtG?0MMK$#m5GDXfL<)_qdjOfq zox*n2sraCR@(;npjgd~r^@pa$Fz+*>kEyH-69gGxV({O0Q(Vv7FJkdTxmiZ$5s9tv;{K(qfc%}s5vnK(7FYbDDCjNxd(hj7N zJ1F6tN>d|IbtZi?tU03*0KT#B;jwDk{L?;c9%t%6>;INaet7S$WK+c2upb1&8O0?_ z&iO=T6*QDH8KtE)qO%dLa532K=)G;02+g3x4 zEMiO%kMC`@dCHK&%Idw}jwV*Um(t&4yHT}azwnHljqcCF)AOZQ>_u|Gfs{tk84jO} zBTwc054jx%I-LZ|(wPW`7#@c$L}h}BJL_=<0Yyn*tc7mKU$aNebhJZJp!wR3Sc6+8 z3;{8Dh9FO#BuUt)G&PC^9mUjcTwc+f@iYDqT$mvlyym**1kJP zq@D`R0w9D$p`KbZ-9%Geh{~U(g;3PUs#Y1gbMRO4saTq|Wcm66g3#p2lbZt#tN8w- zmpn-r!XD1X{*l?|tAW_UvRS9@x(=~FFmJ4pdJD^0MByF`qadeT+GK##qNAfLIo!b5 zv?V4~X+2x#w90sbhOvogX61-^O{MvBRhQP3fYg&^JTl3aZ#g=8v;C&}q^4&I@}keUeq4 zlTaAPOjSAU|NWe8-n_YM4O5lgNjy5B#%(`;<-A=+^y3{NLfkaeF`b*uG 
z9*XZ0s(1fsU!cK5o{wT#!$IU&m)U|8;qsgY}suBa5QE=>e=#vi_01*mL$&Tt~;z*R# zIwsa83k$NZ3q{M!$`SN-bR3BUpLCm`MJ31-B_Kb&J-EQ(Lp))i-CX>VnUlks)`Iv<=s@Q#RsLG+KA zPL?{_(z~UFJPd80@Hl$4A8pAyR-5liMG8>6mPkx ziv5GTZ@EC&aO!rce~yQ9cj=2g#+bSJW!4S}5by|#fBrFT`wXXz;|58r70-~e7HD)@ z8*F(NOA>03mZ4;tU@Nuovk$2c-zH1X#*75kOmUbj5beffhqTUA#!%t(=Q}QdM z5{%Iu@w`1frKXk<;e|fb6(88OUlIZeIJ|v#1E)AxS?YhTPbDi^70!rH|Ecxs)mIEO z8AERjTZFrbfgZ1DyKrR-(F49=lloW^AqdA`%M^U;uCy*AQOy;0JAkZ`iX)Fh`LedL z%q%P{>1nJZZFFksSOM7$=b`ht+<9ki|KmDgh=s9ufAYst$*Lq8eM?$f(&(>57LIY& zlQ=nSn8ooY8H!keVX4_CUPS#geh`komWY!i?fHTP>fkXB3O1b2tadqiEeR8TP2}xu z^3RrDc8<{>W6j-OHTe7>_#wMw`jP9KCJo;?-3dX9rL`Iru58<8nF4^zmrDK?umx69 zxfrecgar7&{eZDOP5YVXsK$a&X50Na z5M&CGJMU9){52=~WR~&;VXBSuLnyGg7A>DQkOI-{%wpR+3^^K+y#NrXn2RgMe>z(%O;zjTkf>f0C3D{W2(C zcDjcKUB^ZN&qK5&GX!n%dX-gHCC@gNEB$jloQA(XdM7x=4Kp=Lkk6zzK$aB9iquH^`~BmPSAK1D``6*HThV^U`@rcQNM zH0aH^ew^o>>7 zpOo_Y?)k`K1Ia#ba@Gm-FHxvn742BS;%z%OWH4?6I4au61OH$h#ovjoOJWb4BY#?cdaz!P%N)&9l z8bG}w5+?VtB0(UIKPjRtsIb04Z$@;)6}uDv@$i+Yjgj)_p(iY-zfcw2tx-ShrW)< z1W1Yv9(F}6SF@j*l=@~E5K1^iokr0_0*SgQg{MTm7ct9OkTwIBumR9|13(l&sALg| zjYbGWkmHphFd*^M<-iZ$j~lF9tQcC`NDM+4MA{X9@RZr}I(K~NTMd|PHK5V>u4J$O z{i34atD$|NnVtA*tNmJ-M=4^n=D%oD>LE<{=SAf7ezr!M%G_kDyTjml4ob#!7h8YC zN5S1bfyHb#fY&i=P6PsJ#mt{>`FX9LAyF(wyqSVPARyF;(oPRncP0E`yt^M6e<|?2 z00&=-K0XMB$7hzaIGPkvL)++fMEu3TcO}&v6K(aiqaDZDTXZf2yA1v?n=-4UeA_KQ zE`kCO4#1WvkHvWwo4#r!@^M$8gNB-+Jp@_-p zp{M!#jFH>#`rm(-w9#eg-Un}H^t0})cy-snUpa^89U8+!QM`C}D?cyvBqrl|Tt*)g zy-E(xT$@qG;)bW?Zn^m!lYDz-jV2MGl4^EM5d|E7O-MctpTFYL!*|(*0vvp8;UM_O z-8avES)@rNXOuF92x@1jCk8}h}(Zn(|-Z)A4Mhz2m~BUZBoKu zQejC!RkiDo-X7s`lk6>s5IoA--_Pm9g3>DeT`{|4oA;}{vMK;n z#o9StNCuvL5oOg)>+*L~@4ZjH8W2;-<7m++juzeTd_T)Ty)*ayQEB`|rRRsIJD1{4hjNq&f-LUxR5>t6wa8Osm>)TYs7P7^^8W?sXe2f0uQ46Wa8Ug;B4VqdSs+ozU()b&+=PG9Pksx5_)M1N9^pgfeZaH(;{U9Ll2-$MW?|yVL2tgai4)}TEP$fbf19xIx(f-GwAY2zp z1_3&WXrNAWFwvXjU`ZknRd8vXO5-o1lqq&Q)?Rta7NSdr^(8j0^iF7(ZX=clwnhQ+dwL|tGa5(HEInN(O$a0dB2LyEB?`C zkeN24UdUlaG?@T%F+~P}N>OJZ2%=;nfT9pl$(%t@@c8raN{&DzW>K(^#aZY6%xmp* 
z1BUWa^f28^B8aN*Bj~nS&bEfyg-o`8Qs({0#L$d_#i#FITs>`ee_I@XttKiAm2m{8 zpGEmZB%NA3VNzd9RkdfDv?=dL$3A|a!bOpxW=13!#AIP)TF(C-hMZnJp*_NHgL@c^ zwX?wNz7k=xlrf2-I%*_UV_6rOS3u!ErjP7x)a~T+koUP|^G@Dg>O64usNP+o@0A?h|J{6% zSXho}_gRB`j_=i@g3B@0R!b~l<}q1k{GxxKHbS|f5CRAueiD9(5nINriq9&_DX+%P z4C-OHe3%1(B;uAS!&hALP_ost3*cxlXd~gSuo~i1CSaO9%E;M`U5CyHMP5p5dv@ceP9C1p`bIbo@J8$6$Zs+|;5%@??bd}JZ0sA4^vH}Buu zVn0cUxupaM(~@iy-F)NKAdBvLYRa1jL(q%MCJ*gl2!RATg`hzpVFoCMZxvjQ*~RAd zF%D{wNq5%GIUo4`;;X1PDY>FjVoO zxw`uL^G+s>nyD}lLXF z5O$RnTB@D@vTH?cF9{%-C}VHG(LF8R{JQv2Yz`k04!1NEOC3d?*xN)e_>UE!XoVf9 zOQ$K)7?}urteB1&2bc)brjymFBnvgwe zsHv_vH@Y*cfOxmQOM+GuPEr7Q3h< zl9l8WRb31cP!vz>Y$M^UQx;+4q>{}QAPB}#4GKkMZsEM`QlGEub{=0@(RT6IrMEs+ zDS~0>#H+}(!ZH#JZ5lt+)<7HQZ5JZU(dfED5SM^Bb*}7#Sv>yJcgdciF-du)WD?Qd zq#KvV>1ARFb%huvPF-9g)W8+ zb#)2}7lJt95)h{^(DdU8koTE++wb|u=MKRf3E73E96msR8%oDAA>thoF9c9Mb&`{n1q|WtFiyAx z#OaHWeL@5&sb=kY9P%-%FgPWLfQdJPbo~aDj{>h_)3S=ojxVB_Ypd(1({Le(6D|R9 z>dNA;W@e+fioNZQ--{1v14hb&SVRkoJm-Qb`vQt zt+NAb-Qk>)?=C-BG_21$r@p!xble%n373F4sT^gMSKf+3LgjzA7rOsuCbTyB4Pg0nD?` zEoJ(BOk%NFhvvD^h%o*YaKa@ZPMttP1Z8r0yY7c1=M{e{r~n8M&@r|7iNx6a@~m>! 
zC~LC;=K6Mqy0|-x6D|R9>NtWRh{NSZXBYkNUSMcScBMcFbfhf?0w{`9usIv9J()Aq zevMOKhwcVM7{uLSoNx(3qs{5GejkmWL zXl?}H?r?h&3IH6T5Jg10f1JhQ%cyPOT;c1Rh2uL}V2F^E8wr-hUSCd>mH_ z1bck~<8n*C8^IlBWrB@N+#PNk!J^H#YriO8Am9s-yo#!vGG=;l#rv$nDh>}pk)DRy zwg$R32HGaNns8Sx*@H_!oLV(DU=Cl9lwb1u!=St}W+f(KM4oTwuhJE}!_|BwFd?&` zqUy|2O*1VGxMp<<{?+99to6r26fLe|#pjh2RaA$j<%VbE7FSlM6qFNTSes6r+23ZY zz1eWf?j|}~;_cytLSdJ#S%ynMoLWI8)vR|}g?klL- zQ=(@c*~N@TI)4;Hal-BokGp)HaCE?I@13-{0-+JBHyDY~5?99IXf?8eY}KQimRD*O z3$mfQ8IkCKyw*XZc+yg1SRtn%p&wm`t8v^O(u$4WcL!#jprT(SS(nU4@u0=JRf= zE8bdFnj;hCDa0ZU2Zll5>;RJ2oP(7?K*mxq5FB&*pV{Bk)Hmjf;y?z6A1CB6P67>s zMuW@0Fh^0WlyQ*x1%e+r@+fL>$~9{D963FHbjWCQ`6gUGn*PQ9X95{1n$F=$F;6Ps zf3|MH9W@Jb+xG0Ft_f$BIEf#*!FHQajuGTE{If9_flwz!g_{nH%y0y8Yo$ zF!J=?mRpyUZLKW0=IiT|6oulXH4qAf(Q&u0b<{lN@pl@m<4&(Xf)W^k)3iOFr^rEI z1cVekj#eqn67xP&S-84HpDhx|#e!>0;W7xw*cDOx?y3=1liaIiA=$mqus%beaRfzb+RV#-RC${u+u=xU0UjM${ zu^sKhR$p+??v4pnTK>~-0MEO7`mGqjV(&JtBP{!%W?}8(p-g<0X_x+ z8B30R^onx&f-g7szTMj2J!uW$>cee*wT{fJ4U_;l zZ(g1DeseVA4q|vP9;SDwZ@k4Y)n%{^SR5fdeufcit^%Ev!m%?AB%XdqlR7>O@;Ds5 zTK>7((jt{~Q(2yv$BX&>XyjwK9)p04UB*(x2x?nn*IR7^$NI(tB!xrQVmnF@41?g_ z?%|$ED@kJCzJ7U@fJ-wea;^p$1VLKfhETl2U^zKq>oi(BM$FzY8i+*w7>=JKte+?| zK#;6h@dtQGfl4oz-cVIklbbE&bJb!V49@FgTm}Idn*oDi*y!^1TO2=q@7R-$0RE5L{BA*;H9rzc6=MfsV_HEm(%=F$l=m%&-!g{@A_2Z7l=aPxRW| zarlF-^=9PpFp*FQ`{VvLS`PpA_ACx-h6Qm#xJF6J8;E+t(PJZ%Cq_(dBjz5n151Rh z(9rm)5N(7yQ)Gt=K|F+2pp~sG(XB7hZCsEi}u>u6LZ(d(lrBf}?DB_UF^u1#ckg?e`TJ8R` zq4S;gp}jq0S4W=jY})e&+G#mlnWK^lI5g`@1$-a~3Pte(k{+b@;ThZQ7(gg3<5GXyW;oA;KYI6 z@xSal5yS`phUWEf#ARu()ny9=?tdxxr~7WuN`#yXRntm{T$(s{8LdXQ|IL%9`zGz4 zK-d}xMF|q8;{Ma~N-KYo?vWG^0J5a~MSAt>Qr!*ZMJkCvF645~jz1%E83bf(mX$9A zMRB5GX!NDV-gi$9#9I1-ATun9p>c<>LtSHUmiATUC~vAR{RHsQ)^E0Tn;dVp^tFyz zT%k}DC9!kGu|e>nBN?Z3EEuZJS8piQKe(nUTP%_YIPu6nrkxXmfQ-!{{Q1IYzs2#L z?T06wzCZ+@@9gj6hJyeOL4P^aS*cf7<*1YrAq#;+5p2}qI6dWhzhm(5;Dpr|#BeHh zl#w{hy|A5;x-0+`!oUK3c8*;1)pa$cnyma-W-b*w_F$ZR3<5GXm)J*;^J=i^A8?kzrbB_xch6`XwCgy)_LrrP6 
zVsmA|D~&x3LlZ-GcdYsV2*qC07@3G@AvTojOVzSRHZCht%6M!Rct++jgpWZ$#?oX2 z2^<|X?K(C1VaITQq!{=+U#o%?z=j|`2flt;X_-dx(26RJT$0E$dthZnkxJfUavPl< zABJBrOfvQf^ydJ8T*_C91YcWMeJhQh5)lZ3ak|F2Uu*2mvC)IBj} z@rB}J3ZBJ2ivEydwNxV&KDuT361`e3;0f5VrNp@S7zAW2{RYBtzuA6taNB;<6Lf3a0OZMp4w( zMa3$qXu#q)HE!{SP%aE_U0zq)f7lR{l7@>*ojUP zz`i06378>~RrE6z7pz#UPyJ@DWZ@DH!}w$+3Jyf{bs?7f?x+}Y$0N4G96xv8p9D;3f^PsBGlJ~??c zDFds^;aX8&tNtW7hNlb`<29s!tWKk&{^lCqJXFB}_heTK{W|kkNnXvmRSU(81Oxy9 zpS!$}ew`sVqa(JT7_m&cKpzfmf@)Z@vUUA(z0+uVp`=*U+)k z&=K1e1o>NTTAjsWknqedSy-fgr6`6IZydAi%z(ALWr4bmcWG_8i3oQ8Chh1xbN5-` zOUQizn=KP?zO-iXbrpF_3pH@O?Z%}77ESSRg7To)2d4%aM~tsFcZWhzT11Qa?9VJ& zpp%L(qlN-wnJPZ!flZA;8Qyqa0*zSuUTHCV`dM7fLEWn2KH?m0J!?qcdW~wQ_=;qIS5G2 z{0EZ+k)Svvb=jXz0bg3Lf5_u}@Kh)r6OjMC3jSr^KFXH9upso0sBCL>@$EIG1u7Zq zT;cdj<$W+bGUe(r*`L|hGGMZK!)WAeiRbuf5*PxgP%!+zdrssiBs(7dEQh*QR>ief zkLFUu{%j*4$P+25SFh9asmqfM^gO1wagxNaD2_&>k!UCw42HvDpU)c%MR6QOQQ}gk zVq~&m+qOpS$~!g|a^{F@u{nh+wk}f7q#K4_v4b|(kj?ejzxGUdf?c_K{`w~AQwPt8$~nWo|6ZCUp2qzLbNMhDLN9(J6vofd|L=8)2=vTwfUI`N!LJ{rUUU}gXpj*GP^kMF7X8@eZ~ zCc6iXwOfR&QQT_t9<+JSy|YrG{7y9&!BZL)oPd5(uYF?Q+=1X-3)L0u>8_2<<+u&z zNtwKO8kI~$Mp_%x>Mc6xk_E3b7&$p%`TMb+38%Mn!W#WV?~V&D7#Q~B)Qbl@giuLI z3j7*o^La2E$dqK93y(Gh!Q3l|pGY);`UJWmV5We>yimbnWx@KJ3*zh8vVX@xYb3Sl zKuqo2_Im!tJ63D2rc;tcFIc&d|AU)X+I+!-z2m#O$EG~~DW^YHvI+bs{iDZWf9L@H zjM-1GSIJWNY!Xx_*%Wv6G2u*v71PJt*Y@J5?GrOAyjP_V@Q`Tj0A9|Ys@CcIt#~@$^ zTiq@9)uDsix3{7xC{$O+o;~1}E#+4k2%d9$iFsW5_2BC2&#$PAV8pP^J!o_HnH_DT zrU|Ft;`aNZ(HBlwwCl5rlhGUkL#vA=fXzLdbB_J9I&l*GgSk8;^!KjNLY25SU$?Pb zt1S;2o=Di}^uFCX z*f3(=IU4;|aWbb1g+UVjQo!9hYgc>UVr703Acpt?&g6t+@%77Js$VMQbGR&o^zq-= z**-1rB3ymPTBSEG)o~KQ7w>xvHjkQ)4vzonV23*x4o7i3p?R;oGZX`W3<6#iVsX(; z_o>?6J#ac%s0SGxJF#COySez9NFqsOK)@iN6mV5S{*pYc(;pffY8>sirZ6c46tPrhkZ|&HLon-&86?!Wixh zMgF|6WnbTT+qeaQ;Av|+GsYm`wQJdRw=8zN(dkU$1tYOQS7Ue14b{AB=-v}h2*fHr zar9_lH0eK}5E?gU>tIMM{c=GP5(>gJ{t4^0Y*4enPeiv!7F=Ive7(&+?d9Wv_5(*x zXcT(~#@k0s28S<5Lny-3Kw@kjBOuKLE9zGbzupi?w)!L9k#1wzGTpU!#z$FB4F{8J 
zHwc8Hf#z8tfC#|(WsNY&grisjAv=HhS|v=87b@IRT))Ni`iB;By2~S?7M|I3s>##` zo$X}A7-RDr0ci}(UtQI^Cz(f(!lS0%fvB$fT7y6^)bh?@PYPIoa5-VOqo0~_KNt9L zol=wRJvEm}}33F@Yv4lCs7-JAHVTy%|L|sSyNftI4 z4Ni_ZE6TF2osl7ZeLFtrilzc-5QoR&T6MLz)J*nISPd?Jh$ImZjGw_?5h89WQLhjr zn~OXlOHi_Ep?vxpF_fV6hNZ@xt+wfJ8f8mgu84fGH=Op(hd~(z0W;)YwIxcZ-H{}W zi$J3jW6rWH^|iqKB9pt{ZSbVH1}TEjP1KK1r4U8RsNS3ZIfs;iwLl7h`t*@JSz0Epp5(tH{)Hy$QkN(u0-oQQP?1e$V zj8VdBodj?sQ${2ic9_F}`f5E70m*>f(9_W|?nEzvf`DwHgr})kU#sKLBajF%{GZQl zvigEMPYwU>!)B*H*#Br32py6;Z5DWx79&aFwUdd-dEWU`(DqOW?fdo3c3!GW53IX?v zs}^0qFmJ@^d+kKup3Wivxp3m7UPY2(f$(?gvXaPJ0OTgze+pS8CZ!Ngtr*Oh(R{YUdY8tY6h|Jxm>|J~Z(JY)P zKD)PN%6VbRQqFV~kA7iqH29q?R1jboB5P|ETZ@|&wl{(SIcr@{J4L+7T7f`vNO zs}dR$>0PJwv}|VgwmuIN&w=IN3ZJ*@9Tq;t2Ix{Vmp@o5Q0a>Gs;vrGi+c zP67mIz6B=|<*txWf)p19zj0ly!xy}{x^Q!Ofq={AvRO1w96Pcn>9J43{kQh4`wxO) zoFpdfuAlF0=$W*48_XyO0dQ)yTf)9S40Hc0S<#1Bhq+}1ckYi>+?p%S%@y#{v&2A{ ziNawJ@B-W=m4zQGDl)T?3kXk~yJ&4)9zV5i9*MpH1d4`3p-|B8vKWnaPbihD_c$8! zmC^K7FC^aXjgG(wfMG6+bMUiEgMVTCC4rq*oSXNm&pGU0KE$J)8&#W=n*3 zFRujR_eNiOaOBX5WUV+sB<}uOd&d1of1MmR58FLY?`|G6J3J@>AeWY!e9B~dTb6T2 zR+8HxBG_G_n4~ zZ?BIfVN8see_$kW7`9`W+v@E4(8&h@E&}NkS?kJkZz#{Zeo+xCc3~88Ssio8v!H!u z@Irkbv?ebW6dDooS18%FNJoHAe#+k=PNVk zvY~kQ?s2>Osa;LIlT+Rhiono`!O0VYz)g$v_sUWMElQE6eI*a-Za4h;Trgz3QXV}Z zuQ&DX?;iW3O!UCI%4PZ5GIf@O#|AG0#X$1(hX-s|MIn}W!rW8t(I2KGVJ@~0u~H zf;b5v@Hq{3Arp8pZmzh z+KuJ8wRxJv8AXb|DtF)B4%gMA=7>l^8WZL~AWBh0DDvnlAAW9G<=0kMRTpTO%sB=D zXVFFu9dV>E)ww*5tgJ+s8Pt!Y^%{;ny}z|{Y--HmiFI-OR1O9XppPFhE-lnPu21Rg zkEG!5t#OUREYvF4H2z+Up-`4Rd;62}YlJ7_;Nk6EE{Z+tvyf`2`Ha(!vuib5>|fD8i8G?Yv>zSojMa}1Cz;Bm^<)TFm0 zOrnnkO}T#iVe|39$wPf(6qH(692tK2i1C41{T5+r5jQ0KvyJ&JEo09H!B5i@0EWT< zaCpSrFk*hEsc-$FqKX{le{QZ7^LR8!e#~hFVx7B^*ItbkzhXyU+&i|50P#7|ovo3q zrz(;@Oe%u&(wr~{f?JPGh?pa4|aE^688Y{MLb2> zy5e*TU=V~Yp1}K^r?(yNI&F_D-%GK7ot)e)SN@?YwWDkjUsjj*f@SKfgXqPS8qJ&? 
z1o3uD-!TEFchd6Iof~x$p@73Z2ZEN9y9bh%nur&_YH#b`L4tFZaBXlnU!T(6lbzH# zkp6@@ntI~|dHnQ*!RaklD+-hn4gxbE$ROYqTCn-ucSk}gEjX@F#8)j@m2UilVYqqJ zba-g;ce{=UA_M?kPB&YJ%l^<2&eQ9asWm?)`5M*hn(#eGoYRXnR}|mXK0I#sF3>0* zuU}TBSJAo{H8&g?On$)574ZYciMg*-`u^#uVrfntHyJ6;goHU5a`;33VEFfYn{HcD zwq;=<(~g)yz{|JEww*^$`%%Q&Exqg z5lIRs?%PnXvTy7sw(0d64VQo&$6h?#`-_d*aMI6)I6@xz-d=Ney2_1_kta?C{!pEq z-4l`MoF>d&(CGjGQ2=fpF%MZiHTmkQ9F%T1e{*MxJOU-c6S>>=S`!Oz>mcf z@!2^`HrHsm>AHA`p78`}3xvP*#(^=L$L0*gilEG#{%JK>?zc()zD$(TW2Ugea{WJb z?k}_llD_xzwVHzD&b4?!9c+4^LahA`J-35E5ZVa z5Ec~GZ!Aw^_8SaCPJgI<()Nq@j<=87f;bMa;F>uMhsuA955PoH12*cW9}E?2}Nv3wB)+=+Vq9JB#tL3ihSbzk|ZLV#Ix zePiE0YP`2bcau1!cM~}LvrYMj8pmF`Aa@f;zFwHTZUn^Q^Wo4l$1K~P-mhea58<*!VHk!{*9f?mD&XY@0(9|GXz=sbX zOH;bVg)CM`wKau8szACE=FWpbgrq{D=x=s4-m|LeKUP*s`5YJo88XNq;HAtWn9bwy zXmP11s9Rc*4QIe5VFda7(ax?(>syUIF|7s8T_wu_oArJd|Hakv)Eu8gEOkT^y7##2 z+;Dz*iBgyRdO@Cu=NKK$xN6L)6;cJ#o-lU~wIPt+8as@3^jKG~$^PVRYqP}y1ZF}7 z83df3?I9f6*a*lHW|vo0=4Np-?CYx>@k&{gcN5U}KSbjVOgF#S^l_jvw}fGjML4GTGjf=iDMsKJxK|Id#tgYx+CP z!BDToF==yEY2}qV)eV)!3~Xfz0up!{uN;J62!aq6y(hx-7f9<|sa&Da>Gc{Vdk)DS zn(}_!ZZNkPtWWJY<_<=IbT*?SpK35}DbIO8mC`kk81?Xmf=wgdQe6tO1?CCZ=s)*a zGqyG5o88v3)!C)VZ-t8BoM{r~s5#ug5C{xYz_a_?Ds<{Xg*0CwWo0}QOe;9d5dw0T z-+6EDP_H!%%(jq25Cno)v~l<}yW_=v;j>v#28ddUyW+F=mW&UYgV;2K5XC^d)AHZ{ zK5X#>tbuq3p>)^L+tY74(9d~fu~H4Ca!ij3l+a730@oFbfaw<=6f$*Lwr8}<9)F_2 zSgTXrmCeGEUsyh^J z9<_Y?wS5M=Crna6#7q&k_y$et%4a#LJ%p?6^cCdenYRxF<@~b2n;YCycoL@ z1EB~2Y&+54X|gXb$S&8aSqL;ulnlKA2QeHY$S8)R1Wu3?41kIDsRH`9Sf?y%o{uPl zfU~hx#|zL$&{HP+6Ym{w8lLc>1i(UYW@s3j0YwaWBGIn#srz60;JN$ji?Sp+a>*w^ zFi~3kw9Wm`#x5KuL>zXdP9^1Y5d^|;%H;NXf{~6%dtHGhUm7&h8||3OntzUHU5u04PE#c;yz_ucctdn8G% zE78|ij_$71(~qcq=xL2!L(u8hZhgvdau^Il;GUlGF_*t4PhDS8$Y;fR)zjY}cKV*(+d?zG z;%xb^@7nZwOV92x%buQ*8>)&`Vtyck{d4<4jG&(Q?CPJ~wA>Ml-2cMPJeAB7&@3s` zg7c3CG6*=6;+LLS+ZwyxZW}n-Hy$LZSULp*e~ir*2m&;z8=7)`<>e3l^uX3KwY*BN zvigF3Q_h{I2A{p>`g61nh9CilBjm8f95x3*gd9!;#X=E0Cr_%E1D~lbIyq_@wz?|y 
zD$e}#Q!@xSGX}%(gwxw=wEt+wF`Fk4rKmXeG5E*W?1Er~BqRRFFLyQ8{?1B!>Y6>@Z9Pg5l?nWIecQkyawf%M!PY*?eK5 zOsm34kb|(xw2H56sO2GuLcklbx^3Rz;=F8v0-S+J)0m~cEWcDGXU76;=iSjTgMe2` z{TzYdsLk{E8wW?ME_)yp%XMSmkFhzQh~w_SPu@I4PrV|g?3J(F`i)ojwvL(lt&Z9} z)y6U%TAZVm2xNTT6Sr+RHZh>yji1{ z7mA?U+Xmlg>FFJ_#7f&UXTFT3Ne*KGjUuZP->_Kgd9 zoHeC-yC=wFArTVmGdZl@VDpH1V|l^KLe0bLYoK`?7|0;tWg0JNq zAAM%6Mk?a6keJ&Ln7?t+3<6%JMWUE56kd|AsnV&bEzFSzV;Nyo{Nw|HL6XG7D9UFe zi*nTT>(=Vh3vcA}zUnH2fR||kE}MSk$fb$hmodgN3kc(1OeH}E0cXo5U4En6ckZuj z7AP0+6#_n=!va#Cb|gjNBR2A;7~ZjggO z0ydK2upc|4Cjqm^;|ZaGD3&;$fAPF2c(22}Y1)7$+kbak2dsjJI0=<7ML5 z^izRB76K*u@i4H*AmFUqpN@7uv%4wbKBho=E>dD1MUZfW_(vizm_8XlW9y~==L zc-ZV{95esutwSV1CgwDS6S*qcH@B|XRGzOE3(_T0&K>Al2TesFlgh7lwPffR|0 z1-v!odH-|gb!t)OHgcrL_VkpiebW4kcaBYY0wH>fiQN)K14K!VVv%0`yE`_>#R3=v zGw>E@?53x~NrUlk$GUf&9H8&!qvt`9F%L8qn|5H#?+1Y}gs@-^94jEl6L9PD)p=Qx zTNf1m=U=Q0?wAvh!vrz^F#*_3PqS4z=BmECbw!R;q?U-MnT0g5 z!bs8?MhSw%;}D2ogfxtzI6-BGZyG0w5Q;g`Xb2}`g>7P#1PY@VMP;b(JXV$h1S~G^ zznXhqZR(zK2f~T)%=q<20ie@hb$J56;&Oj*>#8gPFJmVdPLX~Lw}epyf)e!s>03|= zILivvav`7oa}dL?J)=`>7+bYr9>rLpivM6!w4A!oI^uF zu-EDtoN_k~nhI4}U*BB2u2e7LvUxC+%1p%L+9o#PGeu;A=lvS{oyzQhAA0ZbMx#I9 z)o^@Za?IvMV2BGtG}l8Qn52j>PT&YM5e)zBcxSFkRH;>NT3AS4Ekuc;G-A>BZ(d!O zujR6k_%{eoDAF}yedLt`Hh;hwibh}{LJ~fQ_b&%e*5qeD`Pq%kl4KBYZe}MSV!=W# zr=~z{aR&@mkHr_9@&-E$=GwxX0;S}0wPmY|b$k}B&zMd(vt=}){;+Rsch~S+%>ynJ z1z0dn5Vbn>sv>=1wsg$yeg0ru+~-OKF#NagHXE2OVal#10Hh;t(ptS{Ywk|4T3PG|Ci4o(gE&aRN2Wa?9oO|FTK+8j=glq7Gc65!t*FAPlIp)YDw0u16 z@SdsL$bt_Inue^NFpmFV>l&qqm$|t;6rdLJ)-1?Xiup8r)AxyhFb#h^4y+Jx`5cx; zEG$>cg$3P1F*qJ>5Vu{g) zp+rOp{hIOxU)tZ!hml2k)q|_6GgLWJ6b)^UZK__DuTPwWB&H2W<9d9uksqIXj4=q9 zNy`$lkVcaKCU0B7Lu^4K2$pg8_s_wc)I17j9@tOF^HXcWL> z!BRf&kxh$rQW2lcBB)Ole2N8c#*U0X=pLDH_>K&XBQT7|Q^{U9)>*DqFHmPK%u$JX z>}DV98}nf}t*8SL?DT}?!T;Owy_;9B zD#|I-DAHLrl!}u&l8UQ!>Z2(JFy3PZ0W-iJTw1YAqxvXVpQKR1I%0lgmLY+4f0r&t1|LHS3{&1knL!%%`QY4|12~|QNJFWG~6IV~m$3nH_$=g@? 
zg9JrGI|P!k;=_IwJQidEoq0eCp#a0FG{PSU0W=l;*5Uq83dd!R-wzHU(?Cn)IKLmz*}3Qr(YNT5ExGHZPHkLeMQN|?=d}>C*pDF zmp)5+(F;rMx>yL3g&;RBF3vcg2|e->G5uOT&3n>4H?9r)f4=&9VcyZ7DgXcg07*qo IM6N<$f~(4c$N&HU literal 0 HcmV?d00001 
diff --git a/output/images/toe.png b/output/images/toe.png new file mode 100644 index 0000000000000000000000000000000000000000..650a8e84c137e7c0a75d12a923398ece8ca518ca GIT binary patch literal 30908 zcmXtg1wfQr*ENWWpd!+Zh;(;@f^9oPyUC5-{MtJ)o;?YdGQ9sG;5J2&E>?@0fcRFXYPm?>ef{WlL%KYz*O{5o%7*$+ zkCXgb$Ye3KMe)WfrI$}6EsTvH`{AXG9xS@EbC~tkAH>HCq(!0nvx?oL z@WY(H^NJS7%=!9kg&{T4?#uWnMEis(8tpt-;a@uvKq zhnJV2l9EzJW@ZP?D|oACq>7Y6LP=FsyoV2**h;zS4wA}p-=IBra&n3Y^Yrle{)%?k z_tU3Oy!`xw8PZYg8@^$Ifd)fa@_o8}P5$>wN=uu^$K%nksiQSqMvHW5anQBOEslzP zU*)~d&w6Y`NlBTQm}ovz$7eZO#580rpCU|p|Ni|m7j%jiONkX{cM38xvh|LxpQWYM zt~+E2+}4J_-XR;CnQ=I+_OIkMdS4u$o}TuX7`3hBnH_JAbK1@%+BRO{NlLb1bunxH z^s8~+`02W%$E;KJyilwBdW3+-X6oxBkxR^X1qF=T)3t5ixGYy^>IL%Ei?bxd$o509 zMDOjL(~uq?AN%_pN`#Tg*Lxg&<*}V{q#-roI=X-*Bj9(UO-@dxij|dHWnDs4gv3z^i^)P{?66JW`6$@Lq&_#k>1_38*DB_)ZtEM5lTF$Dw%FNTR+r%Hqn z{jp&Y7Eb=x{8^>k;&nkmf%(AqJD$gz$a9xx2fP9TQL(YDhigOjE-utmRGDKnYDGGM z%DEZN8-EWs$D<%ZBa)MgluYM-y_fsO8EDY_NvTMOkA#$zkjo;vRU^V>Yl6-4FQdoN zx_?N>!x;M4hL@*%Cb2Kq*4C6tP31!fY$q#1VwtoJjf_6V#NgW4*j%2iq!9JpfA}yH zhOeQi`EPFS*WB-q(o#~i4#W`=5mmLd9EL6Tj-EN^s}(klj^bNdTEeh*4-bteE3Aq7 zwCg>%jy6WyIy=9>-Icr@qE1Xo;`2N%sOkRnka+j_xD|f$1($){WmAKlgJY>3c37m7 zU{Z864hAW|UqS*gQXGpuH7hG74Gm3&&2%UHRgQWwS@Y*dD=-mA�*EH^V51-s7cak7m73NMF2oF*Z2~AxwO{GaD8a zg?%5N`6VO}h?Y{jf1(c_J`9>Zp^}a5PZL8eC@dsoeS;Jj7+9cHE|V@NC-HO~NdxVOLy4)TAF*X)&veGtNF-5q{dNOuy?#=c228*1${Mtx9{v$F$q$d!uGxeTB z8PeF?wli{l$wF(>wLGxpjZI9Df4Co**0^kasjTGDuCy^}4JItmtJk9Rf$;6@wH&I) zA|&iEOYzQ%u(O&d3xrg%KdSGGjERdYUhA@@@#77$hld9eEcn4niZ2!(p2T#G^GKg= zxdralM7heSnW5nam`)!bA90(TlUd)D^^yEUK1T_m-$`vncaOvR-p8^yE}L!U){*cD){qf zRM>1N@SY2sMn(=F>DRi1s1<6#1%FSJTMmqlqVBKw5ej=%c_f63L?niVJ%XL! 
z=I+ksyskP?_O`js{QznA=!lAoD~3)bD<=h!K=@rYbG9q?kB_r-svS$Xu?`IX<9UM3TZG-=S^vm=s{Py-X zqsEVSKYp+hahj(xZ|v-Zm6Vj6A2;JFJ|Y(`P~hixT76ehQ6UjOHKh|uDj@M0gH+~< z$jHcu%dj9nU$)X_+U@4*WTd!OHjWu8pFe!FKilB4Edrb+M1dX2???a3JSTAp->#u z3N&6wNZft@{=Glh4dghk)>Od;dAMOHeVna9f_kkm6Vu-hIAJ|i%&l4%wrA>PS9+89 zd@gxk=c%T>9m+yfBl!gGT%*L~WIf{o^v>??4Eu%F)%Ep#2(MD_3m50Ej!fA&L~&o~ zOKJP_#~*=GU~57e&Q!2brN^bFruNtJM{m%7B!X>VU_i9wak%=vzP_G>6tGTYsM*P0 z8#y)^S?@r)`yP5!V+;AS-#3y}b(47Rs+wRdMj}@Tfv(Y0aBIJ#1-fv)o(| z+o?OiU{EhI{#&5A-trIDfXKvVrVddk4F7ytzaV2du(J~X&2C~coTD^VW&d$^*KTTh zdSvqAbRlentw=Q&3l^MySh*aM*j)^gdyB4djM^2!R~IKkd9NApn6z4c7&IdhKx*XU zlX+6`&Cfb zRcMkBXijcJ-lGHxa0UPeB9Ud^%e~L%-8Ih;6I1gB-D0wWX<%T0=%bL4p`k{F6`?ge zaU_f={cvr38D1nv6LMNw-&+05VBah(_av-OIxctr9v+VVTd1AC1LddO<6Wjqrs4Kf zHK3Th%82mr=c=m1jx>7VBJUI6AO3&uE*U_+EEFf?;E4@4R_q z@ir|JQTvz(*p2Tkw1&Wc#Ou}oOLDM7zgMu?%{})yTf%p4iiwE$%`@wjKJaa6VWIiE zco1h1x)zKWmqBe2F6Q6_;PvgAn+qf`qn3cjhdZ<6>gwvfiF{%j8U%nx{^%8*g_o9c zz`8A-A8lC8)K$Og5|3lng#z;kGMEv(G1TA3I5>XQ)qH@e8J(5O99I;MkOtezq1FN7 z+CS(MIrxoAj`YUZ*e@;)AKr?Rp8m_$WaR;%#T;!>GHRlu^^tTaL@!^yv|DU{e0_ak z>+ISWOvv$7*qh(p-d;mnTf{ZEEsVSmR@lzPWw|8~8?nH!pw7V}XN%a7ll+Q{S*B}U zX#l4*UY`dQH=O6S+r-6lnEf>A!ute?!_JNsahJb8+|kg|GPJdYD&FE1`B`T6wJ z4T)MIu^mdAy{l`s&2)`Uy$3Eaal+-JE0JPP!0BZcBVXYDhl+Fsl$DhcYYwHpt*uQm z6a(T#TGD{rYxn*6gX(ASbT$ml3J^Tp`=|<>bY96sKo2^NlFg!i+e@R^@X4EVg{B1F-m0QW9ynNazv}qsyz4*_PJU`R#257Z+{_0QE-lqM{;L_1%Rq5vcQl zfbL+l?%SGX{+OaT^2nHkgzls{s>;8W(j`g|VYLOAav)O{A1PXfscS=H`zJZDFOp zy0lE5?lI#E)HE4bL|%8FGaKM!E&~XyvR?=Y3CV=AoG9%54ba^Ir!U+JeTwUiC(|lp>ArHdz$4{5&Me z%l$5v{ZKRn0Pz@PL%?r#_SLa^7VPXkF?ID~xpg5@m&C_c{3YfCPvQ29N}3Q$M4?A& z;=mUmlR4iWK?!_MIG#Pd8w=xI%|oJr5>NdnzSVo*5vyI#>GAwI668~3;38gofAC?e zF8QOf@$tpKdxr$jTi*&YMlU9y1wD~P%|hMUIgb2a04GUTf-a|@xi2YJC9ExeSFPzG|9r&jm{NDz>XTslwX8Ag#peJbxMT0|7Dd!uq<_;(~z7<{Sd*F1AN_ zL1+3-{p5+&tMj?nc@``6#U9-{}c*klx+$` znQYreb8l}bYy^kvOZO*@o^udJi-Vc6br;*U!9-j#)BARCYr>~_^(Gcz_%;zBk^8>jGMq(eV+6^+sF+A3wXn7J$|Ra^b{_lb!sX`xqFe 
z08)sg#X%qVl62n$CJ|JRDEEV9+;7O`K3C^nMV!{f*TQK#Rdpu%VkVGl1ZFSDEXKY_xXUDCO|ztm;#;Lz09SKQwKH-(0c zjU7tD*RpiTN9zV07-`!L~IKZVJ`^k z1Vf`YmX<+bVPT-d_4JsWY)`A^ym~QR9}SoaRtm97NL9W!!jB(6Mo>mgGuVyQ)zzxG z%9&$Z-@biQP7}QYugg;KA)|gG_8H?(M+X`Y505b56@?^zs#$&tzwnHO5tsQEv=9aj zn7U4=7x4nF%qXZB!?fCViNAsKfJlajdGC~p3T{ftPy`6msj@@H$HxctK(oZ~PPlJ* zFWmRqY@=_4*$wQ$R8aqjbRPrmR=G(@Na%u#?C$OT17Xb1-~TZXWKaZQD?(Hxf&OK` zHb`}TxR&md+|VG5a`yo(8wTw9r@XubF*1K(0Xo{-=RQ6XenmqHdJhE+&1YZ<$Y;7t z5LbZva3{5H3)-8g>FVk_Yrcc3XTLWu4mbA)WI0wYE)xKfkcrrBX9UldA*VkhEoO#% zfQ5xM?Ay`N@lsrT@84%~Jfi&FAGJ&W;v0amq^c^DXi5_oJa zT8=0{X3dg|Z-N9+?Yw~p0-4w4Ufa4o`F|D9Z3#G);oG;l*Bo42OchqY*M{Zg?msWqs|N)afsq;Y8xjGctAMa4>b$YK`o_>uR8;gs>y@;$^!g1GBO`3Z zHxPP6frHJBkjX@oa1g9%_yBe-*23KU{0ETr07gPW34&=>s)Zm^32m^QaX{PDT0g7vAXuQf-V?yfg?p~cJX8@U!nwB=_Rh;~bo^M=6pj_vu z(jR%l9QxuoF)=|NxrdHENQ>am&P}hXL_`E8 z*nA`p7se(8n|gga6EJ^7RFoLRs%(KR+wyH)gA{1J?g%|Vy%=~(yvX(GM@S#3*(c^M zBQHMQ{Ri?wM8spr_ly<25ZOaOp%IB5>SLAH89VT^0a^}|P8^U#q#*OIO;#dciWf8j zK(Ih0U>N;ZZfhbKY;#l7Er?^6?I}k9*Dzp%EJyS+XRg4*@< zwW5wxF;KPcc#h8q^&E6TKy{x=O4#sO^cF$Og1itI!=RqGfw*6&Cf@<$I;{_*v9Pd! 
z_81rt@CE|N>v-G@P~U%d3}E7j(_&a^np7#$VW|^ttT;jn3BQx)#8)m$yvD0zV#x9)pz6TR zAg5|j0Fnc$&2z{h!-3C1P24*( z+i*I6AMji#2tYLj{{DA9KO#2;tYI}(6#>NM*4+AfC+M-O)3ude2M8#cfduk&9fm4> z?p%&iIwv!sZlw*WZjBT2{^&R>H+So={s78|5|f6g#%tCnat{obID7jixYI zkbPcy*Mi)LU{qKHfS_;1$Q(Jw2d}|C{MFLpw^<-JD68SSs7ckj()Z)7r6t48H^7;D zU+AMU08s}46N-$BYkS1eKzmI8+06cIo{#$~Nkrt6TnZCF<+_?qE4emEO&}$kj@XKn zdN&h+PMcEOTURG&XtW)kuR55mNM2W0w@8W&*<|K0BOM?Ev_n!NC?&A~N`Le_WzQX* zno5M9J3SCuK4i}@H&0K;{Y7aqLAO`t4h3cte59lxqX+4l%iY`C&qx%0F>$u598+%f z_wE(?9n+ki9xAGNUb<|>@Pj90{xbeW&U}pDDq4TY{NvLmBN-Q44q;H73eEkD-^#Vo znLyc+@YPAs*uX$3PgcVpv-s8EV~>DZ2E6FJ0)wUX^$f}*FW%8cLdm~LtD;NWj918x zJ9w(sPW=3)VWEV9o|Tc9KlcJB?Mbc!q4!X?2Flp{QM$For-rNaa^Gk=>BTH+lvGQT zpxB1@=WI+UVn~B5NelZ`?-xx>7s>6qnb-=}Z&g=k=<>_znckI_Ji$8iy~;Uj);A|6 z#GfeAJ42@}`;z=iVX{STh5!IH%(6}A34z=h*~gK}9p;-rfky8~&tv+`47Fw@)9dJ2 z!ZtWW)M-d6NM~E^7gx;JmWmq^qX_zrY+EBpTmrf`;;OGUTvbVga{FC$8}tK{3zO=Q zMeFVw|A6@NmlE*(5}YIT#CKEt&m)?AYz!n_S<5^hwnwBvm*Th!l~?jM9(lJF0@zdK z9pHU-uFUN*Hrj*!)J<%n=Fhfg6M~CI7EF*0H>Z;LsgE{pT z4t=_{@dt4u-}#CHY8HW@vQip0%VD{6x!(HPoM=A(eJT!epAqDQ&8 znb_}!kq^ICWb2F2b4SHdBrs3GvL}gA)?DY87a~gQXFkiO@R7uH=Nr!~f}D$wQ{zDu zTYb?Mwyst(_``R_+nGnt-lm&G(MDp8rl3G@o4D*jhzz6STPt6OA(<4C(XaIntSO_g zx)Qfm!q};Dhn;H*$BtTx{*+!_c6fi`7y3&sIXPU{!oKp^m4b%~Eg`f%_i!LOF2M;% z{Zl_Tw)u~vQE^GH*Z2Px3RspsttPqVqbLZo&Fq7$e&DFi2^dP-_ z$+ngUCl6_4%2~{2(VoX&rXHdmEm0^6BBgkC@~14P>cu+iB?;zrZ`2(fR4N`#FeQ|~ zSV5C+t9R~7&gPFR7CJ)yep!xbW+wOzBgHA?4wPbeY#?bXY3> zqI;^dqckJ&39+Jj68uQgpIv?jDe!l98~=h384n`vB3kC?sC_C#pv6Nuvo93q$F!GhUrm z9&b#Wx4fRqTJ8HUH6H8sT&CBd^u>oewV`WKigG$}+ivGYH8dmDj8$@Bu6IN>6urGX zVl&c#PeK`hR(FdCzztSTPR7!6bc|*CS#M1D_)L)vb-}b4lwS?A?b!l3#DcSy9CiiY zuSE_fOuC6UnSbh7yhm$$z@W}>SY^X^vC`m?dAu{3vYuM>`V09rzlql?)SU7+*72j7 z&ii%j#Y21bid}WR4!SdR2mC$WS~2cPpL)5v>J*aH=LS8R=t}>;7hoqY*$D}Vk%6)C zvqo;wx;LRa-sgu**f&it>RV76T<_bkBtKkq-O{MsP+FB^UueaR#MtQ-A&A#}vp9b& zdMqxve1JLcJ{0;Po3BqNNQa%l&yC_ie$AVILs;($zG~~7IkCQ7QAq3T5{rqFAB>pR zIkU>CNvZM*`z;6qCDr>wzY-E;I@JG2r+XA%DnX7wurhEP5VBU^cTT90dgX_i 
zS>ZXN^!J9~Ls1bk5T#6L6tf7fh0B`yyWOFSkpZOi@OfX!`$#+J7ii_r%#^JT1Z-|v zK|fT*a6H54;@*KHMR%V+!@_5w18%A{utMMv5y?Qa)+NT;eE6^KEl8Qv)~H-!>WZI% z%}0Lys$o_A^V?lrm`lAEX1$5Xzecia0+cN#WiJ<0FQF<;%dpYTOhXIpSCuXH>TE4-(!mk;@{U+K?1fV)6Tb#zDNQ$yVuzz zFaK9ZxaPL|4G9vC)?hbWURZ15OxjO5mvJpsWe%+`*-7f;3qn+r$>?NY%@UJsg-L>% zC>{YZ`kxMn_!=-uyVA}S?)cwp>zs0>*9yLs_>at5Q}NK8WLmqn4Wd}-m8pAQj8)uI z>lqVOsMzyGo<+6O*bJr=2DT4Ay6M*GEFxTy{w zuDtm!p+ih{biTRRTx!vc^?gM%XTYQS^ADtMj zZ2v0UJgS#IfOG!%^9efvh`ALtGf*Z|SOlT@$G^4qeX{1yy zi^_y`WBSi+3>yh$9du7Ma!M+Shmv|KJvX>u%X!>y19}rKaVjN_(8`ux?O5C{-VLxmo9~cG&CZf zqPkOOe)|~~r!9?#gvTKXaX@GhcdZ)P(h1AoH02j4H{Y?thEdmArlnuT#EFctFbE}R zHpgQ6(nPe{a;4@aQ1UQO8T73iP1TSz=Tz^cc6Keau`yIRa>XuB6DyTu3DE_vkxY~H z_TqjX;OeKcd&OblDG-Gd*W_=co;&(I7J61pbiN7hH&z^c6frxWnEw5~!ujT8^L%Ln z198pka+-h#^{rLnVyvay6d>tU2?Sc{)`cZ9QiTYNv~^GTQ6@BxS1$9K#=*ZPV}Boa$y($s#(9NyEUzOBE|}9u)C$&*zcGqM9=PK;fjNf z$ZY#DR;SKQL@tH=GHnJ-BTGL^9Zs#*Si7zFwePNT=XXTw9cbRD+&j`5k;unUncdNI zj=reGTIET@)_Z@JkLg+ABBrgLpzBLUvED7uuFO$Q=pKi$Q<2g0PEurlW^0OY)}A{~ zQI7`ZV7Z}%GO~fnWuYC1mb8pXQ8vDjtvcfOjELFBX zwtVEo{qFD!S?!>Y#0q$4B#kq|MAgRArd%Zur7aCXL`y^!E-Ex6NFH}<+$vAze%Bj+ zXPKfKxlR%$2#k+G3z--mscLj?Z1p;ytW_;|8@OYhC~-fW%jkz6s!rAtg>r53dOwMrx}`qKTg&&BQ6tAT=X1zMs<+Z>`^ZuMb^a_h>Vg}#mkVrS*xoi0GfS;!0;+ksFBaHp+wOj)$9bdjJJNE+=54`&dV|Bi z-|-a~kJ`MSy&50+7kEM7OY^w4v%(+mHYYoWYFH!EwX_Gb-NGfQp-qeZ!MtuHwlXqn zIV-cX+)oZiDFvxN<)%kZiPtviCmlAFA9SGQuC7|-S6=ZNIf`N35Nba~ke&dZnE|H9 zIjX6Jh2qAmTp?|ThtATJA3qW|aYkbJ-*P&-Pi_-*{{An+{Lj&BU3rc8q>Gl{Um-nT zp87IWIn&+cV8EuY<)0fG_?YL+@YCUZIeTKJ8SepU()Sfxw=t@W!YlKXGUu|T=4Xh~ z9WcMRl*?PebW26ns6pf4y@&Mf2ayKs+HNYwMMhnTJ8z6FklxAML1TMFyJCE$k>7z* zu*Jw38Rl2}=!Dy)cntn+Y58Jb`{%!lEk#hR+qQzkw!VJTZy!XcG zv9ua%C&w6^qdJ+UdZAgW^cu@BvdU}yQ|lFtYl_iEq<02&)?-(J$M4R=bRRn|4Lh?d zm$r9!a1O0DkA6!~ISkH57r*AV)eZe8<5t#c#6!8`a5cqbFN1Z+XdSdMEHCa_vwrUs<>M7H0n_K7bgXgtAzp$){EJ*BGcDM8|iBnCVAdQe)M* zj>f`!?w^EXM!kdt{Fyt^c(0`qYRQNcKUpZs_|b~Naj}rnBDcT;>-P<5WI@6=LCpyY z_E(qIkbZkU*fR_ajHE5>#_l6~_)nj0c{W|@0B-rWy`Pd?O@_dG0m@SHGArG`WuqN` 
zGIL6mJ%M;u&0T0OFRiTd+CNVxUov1CFF8cg_L;u_{522Fx%{eMZszhk`QqoUhBi}X z*OFZj;+$FF{&XvMWI1Zk8rRt~Du>*3mJ=v4mh- zrKFvgqz^-|{2kev5S!+t98bRjUb)Q>-cI$OX*MeO$3=X-9n&jlvz}?~vLCwCfByUE zzOy^pT}WgknrJaLWa%LQ-?~1pzRsfW@62>NK1RRu+}L>0IW_X->j3p;5Z!v9p|r+d z!^Pz3A^rTinVWg+59I#%%TZc6rjTk^4l)!YZ!6M5&dxtG0Y+N0cghI+qmRY3F&($a z=yAt*HSqYV${>-;JYk?DhJw8wFLhr=w)4rJ9u|KM|Jdsax_>;9;$Gb-ushkxIhpP4 zET@uQvMaN*adWhE&WH-%zOnCWoM|s9eC&15!{Y=ExpwwS->cBCF^x!btWJzBwvRl| z>%_r#ti|tl8g_4ID&X_h9@$1%*KLDh3U5lGM4e=>*5X(1yhj{Ne)hCQCA1MH5F1+A zoGy9~D(9H#dq)n&Vi$+k-C`pBIhTN0+%Pq4%y}0X@VoCzO(ts=6ls6(I{&mUYx+|v z6LH{#lVO(gImit6=;a&H%k0R|TSj0@c#B9lH_v86k9M~-b^@0eyW-g_Y(&t$p4!r< zZ{xzR=W#RKcxS{sjQlYB*8Z)xXi+`GMvwsF?x`t~_QqfpK*y36hD1oQv432*a5weN zR+`iS=DDeW%LnCMS9Xys_@Dda;-k9C9V?M?^y)qK?%a1OMo=7E0&rCYhlEtSEaRy+ z*-AZ!7aHG8U>j$c{##y_@JIin=s`2hAX@i3I5-$#gh7(czWvyfQsDzYYkK@pU6TVA zPb2~^3)Mgq+&j!G>OyTKqU@Bpm^Y6NuDM1IoH*}QpSE=ThPHy(rw9L_mkH+Nfpb#* z_42$Bh&@dW*?UTd_LMYnwMr+vKhJPre?5iTj*N1b6`F|n4b~tUmLkNi@6xExO--qz zXcSGM_l5PGqD5t3WMm2a4lDK026hsky05@*oD9I;;O^bKaw)<|;15F>79GHOI6t3} zFMdyn)7sj)Gma%JC50Tsf^6_au{d7yC8%mHJKp>+3sCTF_H&FfV`9Dn&+T3rA1;J>&3{xZU7hJtIJ7m2y_=2uJozz_{H{YW2#1A;F^ z;%ZEg6#{8NRIz&$F9SRCJjMUV8>4dyVk_b@{`22cb#^fUA7+BLh4Hv4sfM*W(c<(a z^S4u#f;tC;5g}^}xNbk==Ld1(cC<|9?JOjiJD`yEc6Pr&fQN3Nk+rq1)mi&My|j=k zI#Qf_J}cca)&#hi5G_Oua^Y^6V)xy-_qQ+DU_lTL;`MbI=m0{0Nc@7YHx?OeaPS_+ z2g^O+7X1X49PlAL8>8wU9UXNezlDM#dm|h@@LajtSS>(ZM@s5m6tyC?FtfskJx&oY z%Xl6B`}}~2GiNnpA-y3Z8LdZ=f4S&aOOMLJUScANY4_LP`?y^lT|H6ng#E#N!)De? 
zqNA&uvUUbe@i&`eB?yP=hcgm-wSsoAl|tLs({TJiOd!&J3k#{-ciPV&hNv%+wsY`U zw5}7()*aw+dzGtN#j`t~WRSjhX!D^YmyVym1}pUgjRi=mSy^^_I=5di#9`IFWdeT; z6R7NnhJt@zJ9;8=9{Qmf3T=$cjQ5Eyv`ar!gmQ<><|!^H9F^GrXz6cx{^9B?;Mg@f zLLI@!e~LuH>=q^-LeH>y{!h@};h|Sv4YO{|OK6!$DJcAI`Wvlgd-1ARoC&DI07rPA zSKy9VMPzWa9P_8;#zzC{>1(6KEazW?c(8`a#xnl?o=Di-xaDv3Pyo%G zZi)Ut<7!$B!5KMTDKYJJ z!6=W+iv*sUrwk0TrO$siY(uhz#um5|9{{tONf^+^3eCc`1d4iNTnkNRr0_r2OVL{$?!FBIm23A@gTH1S= z%7N;s0vIEmvY07LpCx5qR6f#1`2n2<ZD%;My9$*^1fWv_`3A3mUZ(s#L#Ek3C*&1I-Hr@A|EbH~(3&|&c&5>Sm; zBw$SN*XX~ zq?kOlxHp2?GOzQHF^P%u-SITKpAUXsg6jLstuHq*$~mHh5h1bZr$+kGpG}@^vut}yDJuS# zV6JihJa~rtpB9B_;%Ud&KNu0mP+E)rpH5Xr3laG;K8g@(drcvI!X78Y~%0U9Xq{BOSw{t9nWZFTcZW@gNGS`g{5dP3vhfsjFwZ) z^PMT(ygXrKQKWitTlLOgJte`m2?m6A^Qp>y3%zGL@zml{Qju}8THIThp#QbE=c0h^ zKxui{?LERfH}>I*C}voMM6V62yRvO|-_FT}T4A6*5ne`4x!Y@eF^B>~;xyWQ+OW!Z z6S(xZd%QRMJx7O3UkZlrXo}=1ryX?(kMYs+WpI@ho>$a1F2zd z3c{j-gtG7?u!7^dJ9|lJ@IA}QmUQZ9@6fa}@Y*Lsg$YsfBxLy!Q&N zrSS=H$y=ygQO|KwTyRcr#P+G(2Dssc|g7=3KG`B0&kry4NsA-IJDy+b_OzD6U+5< zk2sTzH{OSBOs{5dI^8)tz{C2hC!L~%t#WVou(hJDzEzm2we7LTArhDFw0)k=QB0_( zj3E)gi#gS1GGbKOo>6y}_yBKwX<3=Jjz7u#A(p9`N2_zbbesHI6I#5g3~m2HvY#W* zYzeY*_odh$9mi-C`AJ4Oi4an9h|&Kocz$#qGotdvEW^}c?6)>J$AE4`dNnZ zo=#5X9UW@(GXgmBg82y0f%@QE{5>f$QLaQQY3jX&FSt;I9lk@eAS@NEd0%^H8!IwVKn;$ zI4SB#p(asasHQUpVFGO-f&U5qobBci{)tIos?QnOC;DC9@#zIG6F z!BCj0dHm-nKMr|y#`c~si+=aJ6XC`5y&=xyqn)Lov$fi{1sKBToo!dWBc6=$Rk6uN zlLKY4C`VVLebe*5YOojS5Bi5jskrEpI*TxZzmA|%4qfK%^4!#*l9F1p5B>zA>uXI0 zT2Sc*%ZP}4gg)Nyca3y-zf?{Jo_Ft^6GuYN zhV1;4$FTKsQy{6?>E?-nzuJf{zq1fO|HQE6**c4l>l51ObnT}2>ILjF=fjZ`Tg|dK z#5|UBQgbi`$=`P!a(SaN@zAD70VfVFJH(t!GVX+Goh-lAD>Z$gBPkTK3{L# zT_E2-s2q-yBJ#X;bj*d*C*SAV_1P)o#b|P>0WlBoMzmkkmM7I-`~1|gt#TUI$)-PD z*O(ha^~JIu`>;^0y;@q@v-2wyl?__ayp#Ya^)mNa%WQUCJxao(q|6US;zj!PEddR- zY}@s&8jUB>5=!tKw(X_;wDm_$- z*Ul$eua(D~fyZSH?W&n?SU8$5NQ3&@lt-vdaB0HhT+Q%!K-I;0?&HoZ1s$_Le@K3* z>k-@2WBrVwdm@)J$1h}MUr1O`1CF=fZpURNYm~9xu~_FnF20Y@f*R%S=G}25O=HM&DIt)F|PeF1dv#UsO_jb7Y`zsda}BN&ci#Wo}T- 
z)bED|r;S@5wXyNBc4&-1gt;8(>ga4=9-5u`Q&N+}Z}9bI0G<2lr*@JP(xUN_-EqIk zC!c8)Qe9FIRM|?|3}(MAOx56g1hC;ejy>6znwgnuU|AW5ef#zM7a3nxh!37pnu0n3 z2Nb^w9!S#jE~jX|b}9OOu|ORenb;ER%)r&@vLO&~tUH^fw178kx!U~E&uzkat>bH; zzLAYVZc(w>jVl`)7v=FbQ^?B7(h}R-s;DR*kv5(p2craXm7o4uy6l;(DDqxHV~A1$2(46Wu3t%$dJz zKYr0Onp8@EVM0`4-`wAVBqS!}#XsD9lj4W+tH0%4magFYOPhobpf4cOc3utNKfp{e zmI80o$76qlJLaJ42zz+7y#Ag*@z`;>@K#x=&iH6%WX9*AN14>gwWA7fNi{T-<)why{2o#MzA<=S@5 zAC+2gAq~4byw|?N+}_c#d_K~p!;9VP&yfv3(Q#FR5(D8z7XZ}e|j<9YFf6mHxo zhjES9*-+Kgc-(FnN#BfOEW9Nn@*|7|nU5t%h<#^z&eGL~u^TkUzTtUlZa44oh0%EV`Zj)) zr72zjp?P6a(a7BJo%Z{pB>WU-oYQc@Hn;!kR%UEOtlDZr*)UFYCrL=YA`(uRu5zVW zn`tY?hFE6a$f?_Y+wLTw!3_&Qh9|4h5(6PM_ zoxW%YAIV* z_wMsany91pk_5Lf^pon=$DJJL{>UtTb3YZa`1sW49yo7v=?D@8`40q~=kFnvZ~SH0 zt0q>vd5<`5G(V!6cW&Nq=rD*9N%qXpNV`GxqW`BnYIir&Sg8><9DvZ6j82yhdWRq7 zboseP-A1Anr-o(yP#y=}j-K_`kN!ud9^Bc-dcOb~Q4G~s3cB2=J$-ln;8Ge2t=;i1 zVwIcDjMVomR<1ksskLjyX8-(598X^q;0h8@I*|z$__c--0nMuZqmO^fHkUF9FA~sh zTCO`f3P29E39+sM9DiEyPniq}DB2daOxcmy?#&V7&Ng*q`4(;a|ii%ZM6QoLCAt|@(=7qQnm74kZJCw>94Z*E!Y-;*FJ6jT(?TB-@a0qzc^65*u+qQa=yUWhv!pB=- zjYC;Rl~2hX?ebdwroK)T^a(%@#pUzfzx@bnA)b2$AJRf>RS((KC(NJDLg{y%GEEXN z%-_DXzw8%waz4sg7hE|9Z)ofz>!}li)(AMP)3rGc z0C{rvA!9E|ogZv6zb(Q1WS;pzzOO~x$%Pv~Tzl+E61x^uo3CTey0f#5_utNSKP9&u zu3!d!UxkVvUuEZa;sx67nE+F`RmbrhgN9Yc@FG35&b)nA@@b6B9#m!LHMY}sY&4!#$0jZ zbyHj0N+u1drluysLkTwAfhv0=_;3L@^=kx10K|bOaQ>2TaB!T7KmJazjHmX1XwR1_ zHdl+u*G_BaeRBydD{rZH+zgyq@zTEi!|hsbdn&lK_ASFX2H^{)N=Y-X@^v>>^OhTf zow*DpTa+DY#@VvCkuJQ)ju&|6ckezRA2kc^pbUB|BBG0c*CeR_w}YD#Ga0 zx;225;NSwKc-L@cnYK9=19A)6>W22_!lO16jq!Nw{!#U5CtG8~=g;-^p?N3`30eeO zatV=!8Y{gy?|O4v>Ba>|H!(>FT^BRqT246r8+#3nSVI%D-<}+^SswK=yf{^Ze})IY zzH4Yub#^?zIqnq@%(K{N-iel@u0O#*tABPI`F(&N(je~JFY3h)-v>S1qyMs08W*(X zp~Uh*M>PZedz$!@=y!gRNXUclFmKUiRK^=moV0~gG|P$JLVj_4At?AL9!_aH{^fH# z-YKX*){-YPJ9$qktrO!VdnX)&V6=;I?AYNJi|NJY1Pcj`y5}Ok5!HnABg56<>lXQ~ zzM^u}b{W2ppHmo`uesmNh_NtXS2+GKf!~&eaq3%}>|`wdu_ZUV*cah-{TVPgf&SFP zf46<(#1N_O)|8xz_G2XqDP}#}jawQrqXLv;z$8PudhF9*w)J#^ryCsH27kWb!ug$V 
z!itKDW?*B6&r$fglI)4`{`nhHS4EcO_zSh53E{oNAX8sOk5lQP8~vLfYhRLtzF+iH z)`X4h@H=n4b)NKLD>)1bqZnU0zM&0mq(s-oja&V46>qJg1-Ttxx? zqiTmQF3?{o<qq=o&Y#>mQ2zf+k zLq+8eGVuDwMqqHTF`Qv-C#pv#g}()z^I?pPIM~Js1zZ@pxw-G%{!p=G)k~L`&v15_ zq;BuvVlcM4H>&BxiT>;=Dz5uFemI{i8vnJjUDnt7#w<+S$v^8qwO&lBDCzjuWQBSY zhrQBM?Rdu^mpzTHqw-`8?uh`d?0acY;Qqt�GJQL`LRIZjWVgeQVj#-BQZwm-?iy}8?kKoYdGq4mbwUPUlVUi#L?id~&J-9sRi;6YXS(*LCP+Zqk zpcyw4DtxiYk?g)qczw0wYh-EJ1*fPGCh^?d+$?U$HYT9LMn^{@g@a`1hlUMjF;g`~ z9trLufqUphq1wS;ZQH$J6~*{aZ%A8miM$aYJ`Y=PrFiY5!4a5@ygZppt=k{Cm&;eO z_vYFOj(5g8Hr;m&%zTr&8hP}HavHtGC0}bkv=ym(=kKWgG^&f>==6y_$IO%K0FiD1 zmBy$4K0ouoSby0jFfqNq;v}CO3Wt>A;XHpVqo%{aoeVP=9|^DByPO& zX8ssXnIJuZLl%1rZKV!NGGuOZ$Vd=IeU5!XZE)r{r=F3+00qv#EW%+UghL$6{Dg2Q z`R)UPU#TxX!tqKl%>Td2&N8aXs9W2J0iq}k(g;#g($XTKw4`(iNQZ>9fS@#pbc29& zcZqa&cXxLPXYThs|IYX4a}39j!DjpLJZsH0=RN0r?Wtu&b#<^0UwL|Y-B!zufU__P z;kSc1dK(y!b^}zy|4x)!C>|akKP2UgLJ$>5NTdM)Fza%No?ml-21phbBt*{!X5hD` zDzRa99h^36R(vd%nDt%%< zNZ7bp;v;dV&P$L9h<|a%Yer}{c{)auk@BND+?nsnsm+bO;WLd@+NN50>e{vym6f63 z+R8|DlhDv0hT;6h`kPwC5@Rq`0160$n7C`axaFC!MA{Ehey5P1KR*!W+-eDA6MH<# zb$D{HmKu!UMcD7obc6G196T+cD1*VK2psWFCpGN7-0)pu;(&F>Wt*2EcpJb3Jq|8z zf1Rtdyn=%Cb1f4SleV_DKMf5Y9TNH^p3v=}2y5>ODg?_AOxk0Dr=jkAg=op^kmpYS^&yzJ5XL&DpGNvCV=$>!`D;P0s4;FQV)fC~Btghz0d-pEF+K7*D z)UN_?2d3#E)+cp!b&NbZC@3gk2k6w*5?`w z;QJ>h)Bp6KJafB_x~|FZz_EJfFieq^75C5G4f(a4C# zjS<;Hi2O`4i6^Xkzg6r>Yk7!O6+@6EZ~r{FlT}rpIMvQPElVjV=o?CJFx~Ir-DLq2 z6Wq>5@DBHY%m1yUq(1m)z(F~ft-_4BYyKo$GNsSMC30J=*$ttGgIIIW;hQn57I3{_ z0ceMo>#>rAgakO(Sh3%rD=HF%VZG$xu>n5_spAr+o}S)kFr@nW`GGqy_Hws=7U%iG z#)gSqR>rSicVPX4&j#EC)B*xpQ=y(jH)U4+$NANP)7R$SCn@O5j8d%j?I%3CHKxCk z?cYjz?h;L)R?nVok{kb|pS247#D_=e3ax|E(o&!psIkw0H3b$KSha5Lfd%UTSQDv= z^uB?C%h0b}>=!3P__e7m#hjdYj*pK4@e_Mp3*L3;Y~(1RY^<JnK+%FcFxA^-$~ zg_RY*Jm4znWRJcK2QMNBLuEQ}0WQ&#ZbPjFBzZf}D<3LQ*GL!(4&tYRV}a#~v8 z124-AzSoOzJ+6%vQi_U-F0HP{#!n(fIRW}Yy`$G)*WB0`CHH&o>ZNXgDb-D!wbRh# zWVPrvKYyV2K!?A`pR-bVwfDM)gAr4Q%lKcXCu55IN0aB%{@F|vb>w)jA^h0jzT>;O 
zIz*Ux5H{IFw+mm0qXpoCOmNzugBIdCH5gqfo-5~&gT)QdJOC6Bxw&pRuLq+LWh8XH z_3wdU?Sp~AKE%{QSc72U8OgdG&t~+)&6L!BHnFF*WgB#O*CIqjL~dvED2VU~zsql!J)#dEfUq*- zw8=;$RI?4 zmA4gA1tbDE3Bdr^l_;19-${gH2jLAx91+36;`yV9^AfK0KTh`rUm6yIhmfKbeQ3vW zaS2epf)na53Yp6vXs^D@9tQHw{)B0M^!OX{3R18oVq#$Y8IM!As&aa=NX<_bV1r9M z5!o~ouMR`X`fVW*X^{|~*%4;^)tG-%9M_NHrbxb0F{%oxf4vFju0!}O^oj+?vD0n2fx?tgDE@1 z{iUVQmaX(+!+p4s<)0^M5?y|Ps}^g7G33dOlMq#>$+PMa(htj5=xxh3;P@5?^n!m` zXK$|&}xs{<{9 zQR`3R;ynco#XlqtQw?y|s|~lpLlA<-d&c0w*_p5CFEhcJ1+4vYHdvD9*W23fU%KDc zk=h!QZ@ASmRtIfSf=tB@%Lmx!C*ev<2Dqq=Wj|7;u-rad@(a4+1UKl+!8WwuWJqGn zP{~_cufWAjc+{}%sg=J99&+|)Yhf@f;PZ8Uj@FM%?R9R}Gp^NN#>2fp+Bn~9d@TLa zRgL2d9v-Xfg>4X-;G-|O@yL(eRX*56vy^ZYs;HTxAuG}1)Ld+2r_=3@96*Q$Q~q(k%PE~#eNJG*A~yuVL7c2UE&7%`i+P*&g(I!c5WrlHu;lY!bxs>|MbPx&ODRZ zdtURK^}p6IP%XFsDAuH+?b-|zA+cS>lq^rf+Q0kxEx>-E;p8l9x3@btdh6U4rQbHf z{M|zE%A#K^d$`Eu+$MrqTSi$qf@KHS%Em@-tuMJN?qyg~Qj+Om3=SS5BS6G3N5@JQ zi|1Chwp3uWhIAVX%Vs&be#442y7A@{}lGb>Yrozaxw19R8;bGgwe}5{yk!^d{r=bDut(9xSrtGc)lTinL97bYg^Tqy)K@s%=>*E7xIt- zPZ+#Qd4bfX?o)iR?@(=$7o_9Myl>+D3eFGX z&2BVfj=mp`7N(ON;*#ms*INP{XwNw9=&cw3HHRWe#d0#@zo>l*tD*c(*#;q%at*#s z?mb`JarwnLziTw)_FC@8(dl)~3u~U*yxDqLFFZ1Wb=33gq`KEbHyI-B@GnX;rW&<1 zrs|94Lf+t^%6=0f$C%O^qMNLnk<2vGi9LU*#_J3E839qgt;_TiHM5I7Q0t2sD0eh-^i7ndTzL_=ySCDf4VKaR{jl(Uxs ze+aB8d3AOF6Fo!KSDX0=BR{y)g>9kU8wpKJ>;(_Lh;oY|Y=U2wvvpvFu4|rDR8lH5 z9c6-a@$0SpA4^LgkdcwU`}!JJc^W@JFb5!sd3ygnkrolSmLW5244DJ8_`auA#0jXojaUEErrx2VFCQ++41vY%?EQT_wMD~z#GiUm|`EEz+6 zNJT?)8>4ULo0hev^}dyet`TLx^u(-ac+6pjA9qNIn6x*Vw{Qdh>6BM~{_Zh8F;+YB zgZ}-^{CZ>-!!8201_W&fMxF?`t;oSudp?NnF#q@NNS*@69QeYgowjsR((g|=u zk_Oi+tmcs+cL9`I`9`iddBqcc;{E*=`cT>WBkEwjV+Q$XT2A|y_q;qf1esP+xwJ%5 z`w?Y;@axyHZnW8o;FR^5m{9WxB<Eu3rGK4wScQnj}{M zSEQn%A`g>{KD$D_2;TN?%e3GAZMyOPdjH;|>jVUB2yy{IAXklQ+P0}5cug1Tqafrt z7{(euDCa_`H9$9d;c{k0g}*BwFVhMM+Za3%3JQw0Wj&v_R;ERO$b@w%D{zSw+!M$6 zaNx)*=>B8=AQAfI_{c%B<*dtDlF{dV zwN$&~uV8&Z8D+YE0#Ccv`4pMuI(q&g!KfrbX`md>*Z~MkDS5ezV+jn16X1`>?cB2C z?#`saP!c4ZJN8tytx4H4`6bUhDIxiW`>Kvh+}zxZ;48su1vF{5ABmEZ5)l4C*MAB~ 
zKfuq}@{mA2q^P12mY67OW5Ws_>hzM5p_E-eKQy3L!FU!_O0`O_UK0lTz$~IU2Bm&EjjmR~5SqmE43;+!2yXt&uJ@(!!UapW7_Zs# zfUiCD4OPw6i3{+V*z$?{|?!Gx0DT2)L3GHAbjgf$&%aG)n|Q z00x_M0?^OF`VIsSD0-v5Dgv$&bYV8%9AJUsLi_*{k)xv{!UzW-J;Wv1*>ONU4^j{| z0l^#i0_36(kR}4Q!&m!DQZrOWx2;b5LdV9wm-I6pe{Kq_iR@YwZ}06bSEI^--}mCe z=_!u`Wr^!o7BwQw{>jEMYpeBN#k=!Qd=8l3F{cUXAKRjH7 ztpX$jE5N2w)JCPB0U-l+1xBEl7jTmRQu69)C`{*mhG+=k2FPxpl(a^@&>sWRDiT1Z zSi4QBX=uWtqQ2MHyJxTR+%0FO4}b9~Ra>ZlMeI2$+I=?u?3m(g_b+YXV%IkB(Q)O^5155*LScf3b?9s@e@gwlT%SK+91*aJdN_>D%ed*H0#^jK#C|| zM>hf?3Z_^W*4K?=IBg&dIkFIvIlPwgfg1x#;$ViXf`&$bayCc2SA!0$H>ffhdrFg~ zz1|q_1!>5Lir#(oYGGRfk`Xro!nBW;QHGdPd>Rh@^UKQyez^$c0l+;#Um%0yesFF& zWOxhQru9X<%@V^RZ`n}t6zM}H(f~pd&g$T7HLVJABYw zlarGEQ1Rs4?Hd{%j!xIL-x_;mVZnr;64KM7Sz20xd@Byrm-VPy{!$@MwWM&dSbD(L zQeM<=q9^navZ_uoJ&KDgO?sL)H-byTc%a(c)Rd%1KVD^*-QGC|Gw%=;=)=*})zt^< zfd&+X6`;uoIOMfsClHppE_ymTp1yopsoF3wCizZFs|OTnhPrGh)>HeVp5bQa;dO1Xm*CHzvMF^#NlMWhctT676~gJgM=%7?IX^h?%ciakJ9AZryXXcm6ULK z?FmLVU=xr6u?6_361ut+^x=L0^#MK7+Nz>VPXqudAQ#2RV`MARBcia345$AC<45oy zAUPPXc3=kXA)r=2!J2&n_tu2!6?o2!&R$(prz=;WC{IEU|LdP$8I>f@v{R>%Baz#ZH%z8^m zN{ad@!tL1uBBK0v2JWTrAK%$viJprgZ{W z^8Wn?8K?0tawj+qZnR_!(%4q6QRK$xEz$a|a|fT_ec2qx_v3+(h$8CDD{1^V-hyRX zI}`M}WUZ3je$E$m_y-d0d_P}D)@@rK8c%nAI7p`)J$P7^7ltBGSiX=X~BAzaVXuo3_|b zh6~G!t)rc8wZ^@Rb7a+yr{Sw-PU9DXnzp}9OdVI3jga*3^~^qwH)D0^sLtmTAMs_M z;;)&Ivi(>}IOBN!q(vrf!lb{@dRju+^@g#qv2}_)<+V*<%HmR}Mua=gVY%ye;GM$_3oYTCQflq9VOd*zf)T;v15tLP|`fTn25vq z8`oECBn!KN=^;f0<9LO|v)%d=WQy&l@An#c_-Yvk$yJn;3tZZ{wr1+04+gM2g(unU z7Zjl&abNGYzR_}1yTZNsyl;o+wvXBRh>V>2gp@S?W$fu{x8Xpeth};XR}5MGqRY$^ zWUod7u5}8Z;CP*~e7^(M2=`Ntx4!DXb7*O}OZZP^9KVh^w@eM$13)Qd_sc6PYBQni zVe-gWXLoG3%jkwi@lR9+_046t%LX~`576NrO6xYfM1DQ-;$Y@&Kuxd9g>v?Afz7&b z+0_LbyhvoGKbR)bu|1_;CDGM$FG!OC?G}@I&6lBn?t2Z9vmB}_VvveC{xew^%_Bdx zVpZItEr${pCL8tbtl;Uk$w5eZ3f`7zXlZClGWwN-tkAc~Vfw~}`$9ugm8 zTDV=gC2XI|FSO(9Qlduk3bXE^m5|8cuJYGv2#jJ3geGxsPVE+5-)1;-U2j zml;%9lomQ{?=~UY3iR;;`@4q;iDH+J;#Esb!iLYj|9Ifd$8LzB?S8%S+3;cgBlI2h0%kFEn}*y6SnZ><+zvO-V#cZ!dGf_F*lF$`TlVON&IMI 
zFj4>8V(uJK)|Y*R#5O@V5lz{A8AF_UMFI;KYr- zL*lK>gzkysMPcJoT-QQ^H8vwkMX^zojV!dwwp_P}iPr=_(w;k3)?931*9h+Z_y}Ti z4fj7wm#Y=YH&j?VHKwTIkEjpNnw%LfrmC#@>Drwc1O#JjzI;6^T|*zqAbxo7c0Rvg zph|*cT+t7`d(DAO?c?700*;Y1838FWxm8T|*~RZt${fVZcLQW*I2Dd1#Gl1qmaVoi zb<#!Lt|x13pZ0iEE6iAih?->l*NopBeqm$GzqXk|xe$SwDV7kfO)NT8@fA-sPx40jN26&ee(tHi;CF#Xxk=nl(Qd{c{1|4{< zkFC=s>rZ~-Dei4&XOES97|ne-eAhGO|b3#n|G<1MmvMS`@>fb z1O&VRGMdgaC7iX+V;^zKBw!)L1d-_+UJQReKkLulMe;XCgiEx;-u>m9ktpRlh@UI` zT!D!9p0*@!6bm-mY|(x*h1I(xp1wbzek1%eR8Bi%WxSPI!D`1W*0Gi|N3-E;X7G#C zX<2D&qkTbUqnS^#MSK3iQOCVp6H^x69wf96%`WHKwO&`**g8-@L6PZC(>@c`z5A_< zl+wfs{}=1w+1HK%6SoUm(#L`-3F>>OJv%|v!7Vg{_4@6xf`{(ei48Mv+b{CV>KMubK_+5E|%mbOO_MbTn$IT=}|%28N$V)=e;f>cKR&k6PGfRW?Rr#bi8d7QvVLRaW-t_F}cElLY9rBGgtWZ z7D+*2cv#Ut`5$dl*sF8`Dq^-8D*h+1z!maGSgz(hs2gt0t!zt8dHs7gI%NI9h$n`J zQQY33FH_bzYz}Gf(SgofZSCaJm=Yv|KUfj-EL7Y9_55`D>F6ywEKG&C380)>4Js&T zith62pDk1mFD)mmB=>uL*6(?!Y&PK)to~r6B9u^@lxag^u-y1a8B^d>_v+(DJ5^%18uO+{!Gk1DB?KkLsOi z#UDKjb7vae80yIEvW2}L?<}I~vbwz)oKeo4Q9K~My0gA$O1*>xb3wj2fd^L~65c?; z$aeX*bGhc3sQ1qZjijn9EODAu^#y_QQkA~r9@L;MDWi_K&^EIV#8WXo)%g!}r#&k| zRP;s!Zien6dGe|{Jth=*-bR;x=JEt?kejZSbXm1>Ph!;cjh~roCEt=EED3C*~cW213~1rDZiYH1r=(Fokhc{#$16VK7E7&BEh# zcFrEHH_f#7TqPEhyz{EYnBWll%yS31p*uJ> z17D(A@^NdXY?t0>S@+g#ahSKZOOrxx@7+Jc(^1`p;&$6u-x|f9`zEI{F&%tKNeCUb(>eJ$Q(S6A*fwcZ4AQ;^V6wuQm6lBQNp5 zHqLAk{Z_o^UxtZ_8DBlWwa^jt^|NAWso`uI>6ur>npK3`;W?vjudaTJ!aJ=Ncfp$w zIH~bEJ&D%((ujg&dd#K^f-Ww2ig$m6VP)oKQe5cmt&{vid8ee>kU&x&TRK^4$9B=l zNAM`92iA4P7Nb`8KIOL<{+%_q+jNz3Z638N&naQ+h4~yWX40ifD`=LZp{1cuqu7%( z(uLi=FTQ_&pQ^wsf4FQO|InWJiobiInzEWT;AxT(i^WXOXB5Yfh@S=rPV82;<&`Xo zT1P&L;YzWtZUO;CD!Qilk30^;73|*^FW% z+Ex+-?hCaPQg%6?+&9U}u6S;-#HiaDH8wxS%U!Uv*^9b6<_#%Z&g1WB>ZG-wdziaj zzQP#?r_;&yOi#^f`uyBl)30xdcXT>t6aO~!`<81v#WbRvCif40`lyXXR(~$*??&l- zO3Ay(-5KffTGa80(I=Vxj$&CkP1W%&Yr(6b;xYQ|&&$!RZzt;R2Bs&#MIsKqoFjcW zhV3N{6$AaYg&}>etxw}zUq)IRV2%svx!zK94rx+q2U%TCX*6{2HI}oRGzA~)*Md9` zG2Qd>TZ$3NhtouY3aawb@mUG*O5zFoE!O?Hz=4K{U)qmCKV1=*Dw!0?_Y^E>6NQYk 
zYw}7_N3w1u--7g^z-mXruO~u>h2Yb723J#(jfpCv2&P*738tNyJ#EC_E1P`AJP9a8 z?;vAS?!-3*&2kk%0y`7M<|SLN+4HkrHlySWS+edT;PRffU#8XR-oj#jJ(qf@O)lTT zQ1Q>mh`q&>8x{+>U+bTk$pi&dE4Cuuc3WhZEap{&LVG2A7-^v8%C+TC@n_^dyfUQX z+00R;wh+tB#Wk=sCZo;vnjNyEE|1{z3hE@Yok?BHsEI~$SvC*JnCryUHf{;HxIQAQ z6KJIpNf&q#_DtJ#WT~*kf34}t(rxZ|d@%aB?O)_Qv`Td79(2E!6>ycD8P&Y-PPHu% z)l@LD8VODc#FpugW?B*vknN$^2b^y zA2YDH?rhDsVeiT`aSa{%jO8;9CP^Z}$4EpxxZ^7hNt-G?nB;Bn&#Np+GO!R<9af3&f3-cX)WLRm6xr&IrinR$7u zkFeradsi?B26`9@AS0vU{YS8qFk|>!|IhniXz^h5x4V$jb_up#^Yiu%neH9zr-1-q z_=48pSu;+YprqA%?ngl~i~={gL~go0N8b?8^EJ6nlLGjh9cl^+4+_fG{rr6QkM9zB zawEF1#jS0uDOtFOjvU`wV~U=yG6d}_D)XoX`aII?DkjH|>t%~C*4Dvry?9(yMK1~o zqWi!jKePvH1N=W8X;y_fUeN~iFrA@jNo?jS4;MLK;$_j(qZ*UF`e3UqA<1Nw%#tWG z{S<0joH$-dRpS>VJPurwD)DN~WYuK~F3A{1_$pN=0i2tcCQ*k&ie(lWh{1vT4<1yT z$qnjfXVr24ew$g$)*^-Y><<9JU0<)binNwWO)0Ak$t%lwe5)rqk%>eW_P3Gzoj-^{ zU~Oz7s*s;HcXXFnbDPnxc$rwR6)LSIPF7?}m;0!vg;n*CFcvBFB#jcS*^2X;;n={& znR_x96u+28sA1rZ`+=A{P?0)K^OT(L_7rU!otOn>Bio;fr|TN_6r5!?{v8#|_*rdy zwuI*Kc=+&fMo!)-a%Gye#k;fD-b>x$1bm-aFfk+k)7DVR}KP6jQmA8>E$=KRc-(Q@?K<6%2WSovvl=4jE)|9O)PDFSq0-#$$iv zan$()4o+R(yEAWUKv$eQ5cKM`<&GGOhaB4U%)l5Ug zvmJAs1L`nSZ~Ob?B`}Nfjk}t6V6%vh$kes!yrR!i@z*&=eV0Q2&jRaXo0Q%?Qumop zUSbK4L>joDM~*S|ca7-T)36ymNgK=H2Sc=Ss!rHH%kUxIc+6$BvX4K@a8}24!7d>Q zbR`Jsz{LCz@mXCLp!dr5FK=G+uuRX&$?W?tU1vMV6( z^143_<%UNN1_Viy%hF@|`s6@Yi#40fjw~eH61Thx3(yz;x}O({Ev^uCGty~TR_c=% zn(^Ace-J_BfR4y-h2i3}V~(NBCU!~nAMRP-!wfi5gIe|@V`m9Nku7fxHp$RT!yk4>FF_hdwYf`WnZQi$36y#?)H4M zeU&N~vvUZ$9IY2Gtc>P?0~tQ-LCbbR7Op_l{5;C_$k#46Cp;$E!$1Q8)N>;BB>r8I z5Nu3o84-5+Z`qM(SiT?X-*_>>YJ`R@0!HuW?|;k6)}}>}_D-}E6%ps!@ls-E+JfG= z1Hk@)H|-M}JBeF9Y*Gp>Bd;);K+#nkG<7(yk}>|KibB5G&hLs9*s>Ol_(V2p>U)(n z>z4;Xn%UOBS)H~{TBVX&)_-ti<>Uk~s+Y;V(|vfS%%QAtdQ=oOI9n*Y-+JEczFJ^^ zEPNs)?@rz2j$yvEIz=dqaP&hI*swfw;-`^`g9dFQmB5`yn1(=1RN4aGd-(AP;8+BBX#hn=&h;@p^%pOKY?=G9;|ISGY0Q0>3SJ8sY1kCzcQFi687&BXvr zU(cv{mTayve5@(u&S7>9C&2!>nu>L$ZBfZ`g!b@-ljY{-=P4dqlaLNEMn_;y5&V=e zi2eSyAyE9kyLqa{Q&!zFg61##XJd|)^-5-W%hm7KXqi>w6(JJI>l_}!_ 
z{|;C~Ml%@%%KMFTP8>N)h>punx=)_CEj%_G9*$_u%;ZvUnGg~?t(Kd7$uVh^FF2yF zJ$$g9`Pv~UZKQDfPB{h%V$`_8*mt6uv^6V&`Mw|qn}-R_so|t8cU5us zi*MTRY%B0qOS5Dv(@D2tEGdUgLbNrW4PpIqa*frJg-wBoI9$xRn#lt{UKN!tkE>(x z+V~S2nX>swOmJI>Au@VIC7V)OC~B&&iY@ZIyijd_sL#`*>TfeqVEBJ#m0qbnFR#=~ zJog}ZH!`f|k{3Gue!E!9*u7am)_%)$_<3^iyZ7A>vuv#D^b#{&#mgn$tmU!f4w<0e z*E{xu;0Z%DoBkqCRmsy;5dRxQQ;e^O@iD}|;rSt6fK2h93xR+Be|*Q|zqjfC@iYJT vI~a)c9PwZNpP%_Z-?@Vr1NzVXpT81xQAZo~+S&Po1b^O&%829%>v;YTCd8mc literal 0 HcmV?d00001 
diff --git a/output/images/toeruntime.png b/output/images/toeruntime.png new file mode 100644 index 0000000000000000000000000000000000000000..5079d4b86b795e980504f3219fe63e774d117a3e GIT binary patch literal 41733 zcmYhj1yq&G_dg7XhzNp!N(ly?0@5WY2vUM{OGw5%qHkr9kWeg;kdV>Q(cqOC-;NOYfu=3~ z?k&;{;=f;Y8KLmXT?oK@#OI-iJX>5?kNr}&vp;|6M{VH1G5#3_C;m6;RQ^l5Dc~~cv2C8Nz zlU556T;-F+dOCFL3ZZ!q^jMUu?nPIB+a|GFY@wMEu;S;AA7olT))_h2TisiA>9x(@ zI9D54ap5mGsGr_B8CqZL2#xjlfQsVr`Y8@ND)#M1+UWoHav^a)|QL|pc z$%)&kPUGj#Sq}g3@Q3{T{H4YtQkdTnze=ixtf;2e-5&fRD>D-(WJ+Z1%>-PR{ z0#F34?{elTh-+yf8T4Iys`UrBF&(GpO`azZ-I)7)?_OMJX>CQ>9WzMuA^g9~er80j zFdkv-O}M%}A%*eC%++hyRJUgUIdShwnco(#sHliusqi&@1_mlNQFyrA!-tj|&9~{f z?bE|$??yyutHC|be!{W1efu^N=KakHlXUv$?4W*}!1sVtfat!G=4& zpSemc;C-6WaoSdMv(WqZ@7JFY3mzo7&fPY9_?SZ}Uw);xz2Qp1$u*}k%6Ij%86}0F z<5|4t)_DK;Od|W-oDy}oi0$Qgi9yOa`OUGaitRQ%RN~6>E%U3Pyed!wJuA#RD5R)n{iM_%)3hSvEtihDm~Gx1}z-B$Z51x zKlZaeR@t5vuf;AcO40&ahP1Z!^Adx; z*8cwBrLM@Ck5|FL!C$|BpSBjj!^Ksqw0O2tccS5?r=zXCdvNfAhQ{aT&z~1&!5A1A zEJW|(rP?AGRK0zDh0gd%)8%s4_%&#JSz3o>#DRpW64W!NIvJgRdM1{XM03D zV$d7b5}Q`Rq3|(XtG|p+{?DIDZ-3#$xbD2J$o{&cM_cu0-xb)|MNCy}cBEo&E*iKm z{;m5^wX{I|Hkk`HDyyn4tge2x+03h$e*Wy4M?8-`(OqnaMhID_I?{LV-lg;zz9K4B zVR)Yw0;{{mSEmsul9E(d_%}5^X4Qrp5hrUll{Gcu;+3!uLPBtDxSwErOKx(qva)LL z?0il^@eP7tIA7iP`7DG&VR?D$_;^fiF1;=bAt@=TNJL?B^7AZgWo6~|B`aQD-fg3w zOIB54i2|3qZ|t@wJ9^`J{88gXQl9bf5F>@Z|5iLKtJ1?_RYhWNf8xa8AS^6A;4;MP z{-(vcrzl@cLxYrpf}*mj>RDtL4Gj(Kx~9xLxIV_cdqpKBzk7PNI8G?c`Lw_GZ}_qq z&+ad+r~PHtk?5S6tdGwQ30Ws@>0%lzZ?*3#wl)|)-U&3D6Ebt#yDd*aF*#cOFo$FM z<)hDbcKRESVEzOTcK=fC%Twcvh!>bQT(KV?AO9p1NZ4CwTUcCdS?y0rW64o0Xq}jd z4Sw-%errpz!R>1I_&7Z?(_21AVQz6z&OjCRQ*%d$&)n}HtZtVMn_FATrJo;s*m|RX zYV!8&+qxqplkw8KX|f$b&)%S8VNvk&Ckzb8rm({!mu&Kj;q@~uA!-(*O| zN3om6^cxuU{{EZv#?sO<7**3$p+G}2l2LuM%s7&~5$ovtw{Of&ho2FHE7tW17A51d zBG1py|N8Bl*vii0;#(P+U^z-oP68?_D#Z7mAFd5<>KsrfOG|`ZSH$p)m=NZSm88A? 
z9|_NIf0h z-HU!q^|Rg4teo83#SVMgW>eLA<#};&B%Yq0=$M#`18L%F)iyp+Q3T1!$x1bL3{WBl z42Fzsz_st@hr6eTC>FE5Lyzbm8{PY`5TSw>Y`eKL6ew!qcNmGAs z{!dFwOHgR&t;X>(W91_4+mLz@!?9lJotvH2Dwif^H+lN}x#!Wwi1?#=3h{`bh=^7Q z5H9OwO!xxISFgg-#3SD~(U<7=Jg1`*rwxscHk_y8GN0y^m6dIWyPvGGj^nYvA1%=e z0Tp}1U3<2cq2|0NT*_4YceNo_wSrw~$6uO1>2gTX|2n@f_Q&>CMStBDJID22;G;7Q z`Rj|BA&wv0Q<9$eMk=H9)%JIO(F%~!()mvpaJ#Ck8*B-<8X0-HB2r6*uV2sgkeN6n zH8(%rSK^stV`C6Qa!%?WKD?HZd2s*!eV5a@A4rF*{kO_gBwxS&B4;*`DhA0dMyX;r zSNY=(u7PQ}$(W~5(o3u5L|#W0F)^{X@7}RmFLzV=BtzgD7AW7jbH~NiRk^{9&)Qg- z7am5xGQ|B**K)SkMz*lDB<$o=O`Z)kl7QWW010x=AHT3Sg~}Y zudxyXyvL8*DlHdM7p||bPtVWacg3Rx6XW4|iKH|^PO7Zrj9^r!4Y#zm)|qSm_VvdP z@nH_A1Q23r6nd};_m{f%j*rdQ6Mw5J7RbVCSJ2YN95+o|>mSL4CrU5P{kE+)A8T;0 zbJMrC<&R_%N68A0SFh7EJ};W0rD67^t&>;j>|ttnb(2$MZBXf2H!S=|^G0Q5rRUR= zheNX=rif=xWF|(rZ!QgV`T39hHvNhF-A|_CnPq4VQ0 z6zJ+N#~9Ja_d~eC?8tBb#k<*7e~}FLqSfiTrn3g9S(Y}%(e-yxQJ&3ypvFJ_R~dbN zdiqN?3mqN3alD#4sqk4|`}$B04K?+zU%$RUQZ6}S6CNc%O^uC>^&yMQ$e@C~BAHD` zNs0DNsOflX!av|KK7LSKT(>t7zj&GOcfp@=+_vv=Ey}tM>#n|VTF$=>?fsY~N912r zP{0J~{U-sl5VtutHa0%SZ92vLT!PNne#*qu_xX&Ci3vMiiYh+CL!-`#@JKLYQ0&oY%&_#AP%3G5>A&p-4eaW* ze2t~W#o2rR%sta`mRHRD1jY{fVjthh&p%n3#8jxG^cnm9_IPdZ$k)U=xkeBV`$x%c_8|_qmT4nu|R)#7>&-ggiA9)w)$0 z%`REYIKq{n=_GbSuZ|(=#K!$XpvsptvK9yt|RD`fFd^y_ij*vt( zMk-3mR?$W_O51nVX(tx;_U0Bp?YG8-KYYO1-rja_a>6Ab5Y^QsudlC{B%*_c!^DI> zMBaV@4TSjrrWdrfIt-n<8wdXK9&& zDlKnj7W&q1gIVX-Gvt${NXhJyDTBmMV~rG&m^v!b;^P zgph4W1l-hcZ!KHJPGOmunYFaFrHpL&qkgorvkQ&XMuuqop`OQdn5$f()ZkWE`pTq` ze5ggsC)=eJ2 z%IiSYBYNvmT20fsw0krBHM-_DXDX_QYR`XG*b}g2-N)wg@%SiDL*Hz+n$=s$FJGOQ zEkjQ3-vmdBwfS4^Jq26!9U-lIs6vfXbkJ-;6%oA|`B7F@=ChjFkt!DI9T1>DR;(8y zproQggs5^NBJ9=D-zUxO^xga=qglQ|tH*9SPOjVxofXYljbWL}BLd1w?E zEOmy5g@r|>5;LFXGpJYNySuvsJm}vz5>cpy4Gxt#^_b+zle^g127i1XViLVVCnF;p z7#vitw#hmq z99sdo4C%Jw)<7JOUs(d4Ds07Sresyig<2JF1AYV8D>d}|cIxJ1()5OYHs3gQ=F>%W zx!cBQ8=3oLrjy7|f+hfBqYdr?PIU>$x6o!cH|e=b-`KV+LPy+P&ittv_0Y*RzRQ@^ zpjUUY(sFaAfeb*@7vx(KmpPCj4D19HGc}GUE6g?PdJh1ig`x%u{@WTW`SI_c9Mq)W 
z-?3QN5)%{2;4Ph->nrN;_usLI^~uAQ`x0kiqpB$jQn1 z(rl75OOqw~XCME?&$ELSYe+VWR$MPceg>8E#PT{8`y|dx*EvI3eVsGJV!y3+d3D8Q zvx);N`|QnkEdzr#?*}h_(nlgL+7rWu|L|dwY}RPKE6?8EUI^z$+HewHhaf;((AD^; zF&c~(e(I@l-+mD@ki50OG}PgQhgT&p(}clg(Pk4@Zl^4K~bYu&xpK z7r>jha{!rIQd!(OI!~^^x%Y4=WztMtY^VE8Z1%i1uoSJu@33`K-o+ld8uQtiq@4dHXkhSo zZE=%DXh@Gb`G$5D1qCJQBm=!SvA+FIfvMK)Dt~FX>eR;t#jgC|`UCWFx+UJJgSAIK znE1Rghz(1~svi^?`2&(YpiKNnk7DSV?nxNFxA>wrQ!j}ji^Ji7V2c`2;{XaIn%{Wt z;dyeppFihOpyE)as@ci9<*z1{A{vLy7huj8I;qhTG}ViM~;BpvI+z0lZ z#I;Jl(zc}hM>oAizB3e286o=a84mAHAVQRmcV-HuqyJ-yPCho?MfKzg21RpWoQ*OAj0itmMHpNDH%@VFk5M1>hniA%VFyUWRw; z1*+N=5HcvYM68b^pPNi{5sdVa#+IK%_?BemdOnFx`~Oi}ytuU&+cj`Y+B;fZ8$15L zn}kt0(NR5}+YDUXuh}?+&fr`_o4<9}RL=Od5Bwmk&g~h_kDmgQAHDO$(&WUY$db-E$KKyGkRbAG< zumS7zC;UUh5#8L!tyMn*?veC@*C93HR#ZrZF*dl)3_i0SF+d0n{N zBUO(fY0)wttRCZ;(^B2?&KlY1sn@jP8BzHBInzcWV-NuK7sz9fK^S7NB`HJaR#%nG zlRw2vy#p#Be&w&yDe7mQ6!C3SUEZ6tDrLPA4-`#z)-egFPB zE9>B<$f12#z!M&H42=2VJXIv6|5&2YT+>OW&aN)x)xDpijPIY~lwz`%Tcun`iUWM1 zK)aB6U~zH}>i4wkiF%68PW=TVumk|K%QC+}O52>M*hz|CTwK%z2F{<|lfyn>dH`9jgE>jy;l#`3AKSP=fXb@BFq=~{$x1gi~ z)$-Dymjv(A$C~=W!k5qs*_c2o&<})f7j=pc3Gqx!oKg2LYN9HttR%=h{uak!o*)xF zzEA>0EpU3RFrBH)WCCurrI-!y63`7uP>)~m@x|BH@-{a&r&djtW{o%KKt+OH^p2vU z;~0Ql5+JsqDA^ zm}&IN@6dkf>gtL{q(NqSfQR=RdWGHH-NxSD`&DXEN=gL4OQNEo6}w$IL2Cw>In<>Y zcoM(IOzgOdgoK0u+y|?y4S@MGDpSElLEBrNoqcU%^C}=90FW{95d$CJ6DB4m_?71Wn~=>2Uq(j8!Pz-9DCqUux2OO} zVTXo9MWM?vJp>voG$cd_kd$~NBL$E=NpF4--JM)sJSV#mJK#A9$Ogqaq`1<;;A9|FO zl<4fvHl?PfzJv?Gn#0!0l%oa41(Py9%Y|MlzF4@yejH8nh5cd#ibDMezatXFbJHpXh~nJ~Ty z;U)u33q;$C(2l785k&|zv9r?$-4``2?Q;PE&GCP3E#41cFBUl+8HG}uF8`9(qo^>u zaqk)kQE2EV?oc%TNX?_!AWFJBP*Tg{j{hiv;iRT$v-bNF_lw61(=HDtq=rU%rbo%z z1)L&~UnIKDwr&lc*jZ&|{+z*DZ6c=AJWDKfJU`{qp1Fw$y3M2mb%#xot7yl)N4x;r zu*il(AU$DLAcKk7C#>&b{+xgK(nl-G?i&wAk%T%!BE^44aGwZhFAOU#_+t&Cc z=j)^oqWor#j*cOH&{0mTAI0bNsVIFsoRW;Hfj{Kam?*wQ8YKD4={Ro@;Tl}q|?{B}*bg%z2K2vwb<92>c4pS<_ zy}Z6g?^AWh2ev_#oScZFJe3>2jc@Tm%*8+-`_}l&*))T-&4HpngDe zDA1E&qXQw~Z)a6-_GQGVY;qahZz-xfQ0-3WF8Al2|#y91PJ6P 
zlOiIf6BH8C+~R{rOi^j1k}2X(BrGb54%tcPY=7xwW&YI*?hQXwMo1hf{i53C>AN2> zERO_|%8`n0lc)E_ zioyAH-^DZc+9%I;YA@R>XmHSxPlA#@P*XE72xklu@?93F*HH3JVl{sT!rf%1UL99( znO+*>8;Y^9aVSMYOaaz&dS2c*KsiL=K+w1AvVf%GVbs89U|@i^r}&sQ90MLfeHMe- z%)){zEiDbW#mC2ooPt7(N0lH#iNkDibkQ;vcvRT6xk^PS0ImUWq@92i=VRf7^Af!b z@T9l-@vZNddv?6Xsgs|hkF=U)q^@jw7X{tcGptD@I6HU6Zmo^>1l%(aAFDY+`b~wk zIN5PPBE}{7=ZKh^dvy15)Q$5vyL@|FEw*_ru@`xFXy)T;wv+E%C|a@o1~OwDL-;sX zlttJ*gPX4Qk;Ih=Q^G|uhL+|5PlE(SX3klzQpL`(gARK&PSy7t>?~-thxC0|8+!lR z#D(=zT`iUN)vYaL=2`3AQy4yvlySRBa0yCdQ#tVt-oEpg;)fmCZ}%ANyorCO$WCc- z@x~t=T5Ak!XBxO@<1b+3{`;8QQ%+xuW2_R$HUxzvh+_N{4W~p}t?TR7)%o+sz9&8T z0(XX3uoP>TPsvoi_t`}jc7NxS(R4B;Wf!j>ms_guow>S?cjl#4-Qv6&`IYa{u(_PGFr^UcasN+@?Drv*Sx=9qbPv%uP>RMdxGQ zJHAX5Ho!nVA@+NBh57@F7)`4*>@E%v%>cLJ*7EZ5K;wXN6&e=S@-OS-M(*JM@OH|t zA6pX@#CJJ?Fa2j!CKC-9Ri(mA(#VJw2m*knVkU$w>cBmCt>6<7P@mlpM!a`*bp_@G zqz!T8dlx4=9Lk+07$9}GH8ptv>=A92h1?L4AG31wbarDyTty`&xGz~D2hkIN6qGkM zaokH>@&CL4HMTq~k6ZQ)-{3Drez4QfA?Jh;33yW@>2>eDUl%86!-`$m?z-v>HLXcg zZKL(t95+ATH#QHTxlWEJ6Uk*&D% zHInF#Hf1hXRzl~1PZMHIY4cq!d;O$#`I4WMS4G@9F0k39JGrcrqk4ASI;3Y3!}t@O zSMj@=*+ZgTNQCbY<3BNJA9ekStugWRDD9b>#8q@G$KgQn{FlfCVdu2C1-5bIN*SoQ zHGz9a=jLOjFG*vmmTctt{&aM+zWrvp*y3@?bJa;b+sN?_F$$>A7HbQl5Z^8JH*AUZ z6(zm(1mo1b4Nsq3tX+hQ!)w0l0Ho%nXHUz4j zdvRhzPxkbqy=AOAx%%WwG`$tJ$=W2234J>iMww5Cn`qCPXs%thEwMV+ z4@gyr9MY(g+K<@rNq9n6Z-Vm4!&%P4+WG}_FT1-IpjQG{36v+q$Xgee+J2TPuuVW) zE0iTSOk7swa%KgEp$(Kj2&HGxynsq-9%MY6`{{Id4k7#n1>w9G7gsJbLU<-H30Y7< zL4x0ax)Rdz4j5z5{@a)Ko%(2=KK=5LP60Fla!Y-ja1RfUkThmcr6GY%)eXI6qykzC zI4+C&io zc;3FJa>!kyXGpV6sl`5iAlt9!HmY3L<=fTvgGqoJ_odwrRx(--RuS#=vKPt0C8;qCW! 
z!3bXNAFYg)(|g>SAxWF@tFwIaH>Jsv-J2f*HO0CcT8@UE^RTZ`uQXKg+c`Eq78RCi z)jP$=p=k{!I~1QR$%biqdijNLjMTQ~Hto!RrIJo@d{y9B9O^mdo=88G zQRNUG&dQE=aJ)hvkoZl0f<0uYaOCOZlwSmIYQ9nVQsm^$PG>3AMs7^SW@+`k z#LrFUqbSfkjAZia^En+pef8?!TOa{=+m_TB&}35njKtOa5moJMG3`;E%NA|mED zH@oXyFA!8J4b5FpnBd9J*0!mssYQ~o_i6p7sHmug7IQ*0Q7Ok4&_}Ybg#yGyJm7wW zkN*{Vn^)4&(b3&e%wDOf;32wM*58 z<)H5522-Z)7p7MB;Hp9{hk zI2;RuKf{Zxx@rQ955ozS{kre<`(1|EC#<+Qi*=>#w@u8k|NYjC_ecMu@8O|ENbkts z>4SxH%Q6XZw{pw-osk(0TI5gPeV4x=(ZAksNNJ@w`Ad^;Yzu{gh5KD3{}jPZTkrtM zeQd(Fqaj5idPs7lQ|5jhz9N0Xb}FO~N6dEzHu{K%GFG*`W^~P=jshTIJMS*^Nf23C zvvYP~yp*M__wH%$*{M(2-~B|3P4?XvgZU|T$?fg+qh)D@@elDJuba#9A!g38kvQs= zVaV98uj8Pcv@S-)$H#}Uw0waUv!iIdK%VyD#&DjoRU%eby{%M?g#P@`CBA#ewTkiZaY5bdh;BO7_!Y%``C6ut{?G0%+jK$RXHVYUc5;$j;V&g556aS6o^k* z?52PPwVX4dIeXW~?#SqCzT&kpUE|l`Jmq%s&y;S_-9Nz3_4{q1MmF3xVM_wo8oKL2 z%LgY}mCAnty2V9I5%x7`zs?#YiJ3_&@?NpsxOa9W9J%|xaOzb^S*ol_qBv+{d-O(V z-YPEuij{s}Lp{Skv+2K~(Q2l5#i#84nnXiwK=p~vI6 zeYRk_;d;~J;c`tF-Z;d<@F?Pu&8GejFY$K?j`bNf0sd*AeDL^5vF^~m>+<8ng>FB@j4H*@k-7p6%p72Oo5?k}d)$@cCB31Z%N=v}<}SBY6a z5iB;`U_~Ie;A*Yi|MWBd6VlLtHM&FniMn)}NP0Ugeta`k5~iz_VxMm%+~bFj%Hv55 z4r(;Dhsv?c^Bw(3`)q<+7Ahe zhR*%ExNwYnZZwZ>V!nJNc0nABeGZ$<^cN=u1X=FhRJ1qRDxRz54W z@l6pJ`kv2F%A_w?d|gTRpnhxfBmb@jk@NngwBSFfQ}_FM^^ zH!tDWYg>0uBKmvlY+=h`{n+a~_GpIXxaTp{mD$~dL}-joE+UA&&aN%2Waj2p8#L66 zLoRA=67INu5{-x&xJw{z+kv&vJvu2>EX^4lNQ2^1o6CCWkS-p7wLaQ&AL=d*uZ+Z; zkG6@)#I2!-0w#W`=N9Qqc@ynWmct-a50AF=WFwvS6eTp-k)7|TLf@} zporf;DAB2|Zs_n$j;%FR^5OEE{(OyRgO3T>OsO$0jB;jtZk=Ib6M91>lZ}2sLxof+ z(-or-=k9Tk!GvhGQ+o_*od>d<@5oj>N!6*Kax_z7%BIahP%0Ppx&!h*qG}0 zzkc<<*v@{U*hh+pde!S;p#lS_kPwkPLe36dy^gZ-gzodxC&MP&yZ|5> z1b1BqUkPGdw4HXflmUwRRps!ISe0w=hPz1Y`Um_7wzaM(+S}?gq^n5JF81}^;8^8I z=J@>vO&h+WP>TsBLAR-kY*3>=0Kkn&LKy3H;ES{Q6h8bV&7kK7Q)tye)=v|mBW^qu z2x#f)8q-zFaDAB|{b)-Ib{lSmOU1u*oq}H3>c>FRW1~m`<8Opl?vSf2kQehaae-A;*+OIN-!tX|veFRuJtkgr&;+NI90Lz7lfl zUT?-A&1IERXS)D|puemNX5yuJ{nz-HpUms88(&C87S2XPt)|ruVr1mZj<}?r30%8b|9i^}e#<>ne29Q=J3))pQS-?m1ykBg+--;UpNO*z{$Pox8k6N^=MvSZU?q4k+EddAzH&m2m# 
zvUBGnLsvZ3)jd=~%E?@9s0^z{?;Lp~_kZF;c$HD>xXZ>`h+p?<^vw$BqaY!i%BuRS zf0Ig$hB_AufX1!8xxQFEI)C&e6+E9RWk$j(Dk|}M0|Nt}hq8zGG8DnUco(!AP-Apj zf6f7-vaK)Z{|pvLA~0_{I65-htbVArS@W!@s2J;64-E|kf;I`r_y4m}elj=j>kOxJ zKhVtHo~ps)r2GPifOzIiZCqOnp{032WqkFxVE*6K14YG=N2Xl^Q%}0CuZlKj5)ty+ zF4@zV1d*2dvy(*U&LpRfEdFQ9+uOY$b<@|?TPA`Z(@2)OCXo3v`hvC-2PqBA&qz7yu zFl|XgM#`W<0p&{_-YK%hb5Z!waZ&V$>7%$f_yIHI{WUZ0O)Iy1+`4m0vBOJNTaH{I z$jEtY)tGH+Y&im!bNfHGrndpZU%IT~M?^$)M_;{TrUo~}DU1+kxt{^IQBe^Bt4bdG z1Bx#6jW5K z4!g75UT*(JOuBb252d2)@`Qx_;NgLN?IR`K_qAt?Ra!D0*{!hb1(S!_oN}REw8C z!sUr0m^7OJp0sEIVYdrN1aZ^=iN|hJ3-pSgL~IDX0f@Gh-uO45;Ukoz?MWYvg0|k? z|M+>?_z8#<;jVgGKf`8gjG`fsOIVuP?mw53qpxVKF6ciKF z8AkIF2|T=TnV_qS6Y)epfB*1v@QeX-nmyQzy2+zYmgK=rs_zUO72*Fef0P zNYiEv836^S4VRZlL)`RjzGL%b53DFh*IR_Un{1a?xo54fKe!x!yLx!1)Lx(gHc(` zw|kFSv|G@_-cumFFY_%vwgDb$jBP+ALK+ZjM3~$hcC~04lfl{P=?R_*6eKVOfL0Jy zmM>_#i}E^N7w0DbBbnsI}>-mM%+lhioE50el3Cz~<&AIwoe= zem@)}z{SM{J|OR-#C=lU(bZ9y>(m=@adB|UynGP<9lZxEsIZ+uPQoO3*_f(%1e*gi zX$&y`zp?)@+@3jRlQ3ey*Rzre+8YtMCZGO@y!#QIzcca7R%j) z;3fz10^xT8&-D#Es+#{V;s^0i-%&kpD6o5Qvq7G^IA(M8f^!?@!;UjxQO5m_l$4YN zp&$b}*UE|oO50Cjj(n+SA8Vv)h#nDmrFE)Fm4c@n+?x27s;uZpnXG@CzJQ4WC{+qr zA24!4P9$K_MMo%HOG}{3H)hJ%vsX$1fB*b>a_{-%$~>NJ8@FD5Fg1+k$2Crl^_)*9AQ$EH?4fDK{@>`VVLWkmXmU^YR|gJD1& zL7oMLM8r)8tY26OeGmX3!cZ_U_(M>FCkesKFf#`q9@-d+jTN@2Xr_h;C27I8fbIPy z_?qwp?-p7uy@v%S|D2MX3`WW2i=74z8skC!MlUn^r_&fndix*8gk9xR3lPTO|JyXuy+#JH^LzW!09C%NjFeop; z7edOyN^r%5kT5$h zR6K(I6PP^c)ha*W)<9IiI7&YEKYx*=00J)LZ%aG7{K1v&;N;rN-kYs)pBf*q5iMqR z_N49a&aH=uHC)r8Eh5izeDd%EV)SD7tT88lUCr`AmH#Z zguRAyfR00GjO4wSmzQ8W1Tj)Zr8C2Ecv+JsA{`6zB^oEs|vL zH{j3%>_9Cb0YN?zQo-%*>UxtUxBus{=H+tvziK#gQ0lf-hSnvQIpm)|Nc&3eAI-W8 z`G$#}-nXG#<#r7xG2U;tJ>Mxe3WMP^d-9i{7hGRNJPqk%y2PjUpl48p5VfKC+dV=K zvp65UPLTgV5rud+v6%!z0_fEYw&P=C!O_tj5W`RxwLy)BeHWl!V<%?H!^vrJd1_g1 zJ|p$%Q&Oqw+n(7w_V)GxWCFeLX^IV1$YkKmRjONA1Cr9jB)8O%yAet|Vi1B4-lq-Z zk|lCMDei!J2hj{U2BJbxP!Mu$lz+?B=|W&Miyj8_uCfU=V2q@ci2D1BZ03bm8ikw! 
zip7S}?+LxBYNv43ipXtZugs7C&N7D`?`0~Lh@f+N%(~Oey45+Qjq&t zXrWJj&Rw;(w!Sc>4<8ncrTJJ{WEe_54+o7Fswi+(@1dT&%>m=P8JbW^N(#bbclaGT zE?m@Dc2n*3e_5O-mrpb|`Tm(asgz05X+e4zQ+xvg{&R2{;Y?yj&?{?)4Kjg`f?224 z+v5Rx%$w4Ok5gRdzODa|{@-~#%+6a<;Cmo4Cmd~PAPBqjRYdhatDS&Ah-at(tJ^73 zE2{J|b8OpA*4}{lW1ky(G|4e{ATDgp${BHZH|6Byf?{L4poeMEdW8oK@8SATS9|y` zW;q1~D_B3~$Jp&I-ds+cE26tNcmHE~%mcyZ;DaA`8NKAU0%kjKqKtupZQf@8em6D= zd%+0kuV2nSFW&d1kc6y;|?HHxl zGQY#VCb>&01RP7%!2W*rlPRp4XOncGq=HMfq{HsE=Z|PeY0KSiemM;a?;f74Pm*%{ zup2Fp?CapXkN=GJeOTp2fLfZ=%1!{Kn9}pnV0?32(vrcR=`FhMbW3?lVmu z!RWOAGx~ieIk@dP!wr)D<;=|$S$KH(PpgWh_5My;>?o_0HmB*RUM4ttYW3Y`a0^&r z9b@`9g(?1O=!p@-`VmBX^*LobvBhWrgFGi_cRHX^Yh6dP|QziEA-JOUtFGAo#6*-6Jtji}m1B0Py+y z8wCwOie<^nW6hoyaCi0^pH6)tMTq>1b)m`zr)Pg@uC33XFRYxFjaDTHxCRH_6n?Wb zucN+O39JD%Pr=->|D6+_K_J{T+y%UC-6w}Lxo~;kqA*fYrprulL)W2$=@WHf@1EN+ z%+g?xpp~C!IKSu{D_>i`HnZ6^RCu98$aLaZ{O4R#DO=}tU|Z^lx=G$?pHbf(x5+yK zSDbv|rd%>E;ouupGv67Da&{(bGpKnrrNTCNLW9OV5yfB1#z9cE&$-dSCmmH0BIO&g z*H2rMzGB2McX@Grd|BUc^@f=&yEo8!KC(;X;M4uzB)0N=LyLAUZ_wrj+FoVLTJO=) z8JK`o3)ja7cNhr?3gbv_kQaiJ}#Rk8UGbs zB3XTlhbK?;*^zvOXxHHG*_`-dJQIhr)Oofl33X-X$`7VsE1@@kdYmh$v23zP55Qy; zdJ@M|Zpy#$Eg5Tpck{2})cjk^s*b3k^kd#3k_Nm#Bi#W_LmN)--Ro$2W~z!Y4&^Jh zm1fN%*}7H#^w83pDFnM*vcQGkHhtR=v85oTTYy2bRWlm-3I8^L%^s^4hsNEt5r=JU zvpMWi@8f%4v|c&p|9Jt}51orRfW5`PR;wfa+Qgz@Ic0+h(e+n@h6DG@_Ys660z7eX zoI&Qg@-;wy8!I0vsn=M=7atG-Ln=XU0i0jj2>iok`7{yXj+-;dl2IQsth$VHLg^7c zs8K^mw4n0;_ch=RkPkn(jyct$MM+rh>st{ddd*1Ap=sj+CLJqk%C~<^Z{2Ei zuIaVfZg_aOvq#YHeB)KWu5g6anEY_(4%hzrFR&HoP<-y`Ln7CW3=UFn%@*U^wJQJA z7?RTcWbG*&SfuCbe3d9gav|I`Hwb+^>3a6l^%E(H>o&0$bH}as;+60%+TL589v0LV zQOt-+jFyHMImu#+9J(b7x7I>U5U98?%jAH}R#K6mJ(NmH`KWmO;FVT~%(O!ip5sbE z36tWB@C~iO7|D-L10yoMtydJelOItVHSH3Xn0WfER;Tz$=qo!n^D?{>k9c6qh=Lg0 zXl5e8WBw}r;HqZVWaPN}!(&lT8U21={{jKiSG^l2@dnECTrZHjfZVzaO!3@61~Gya zpU9Pt=Il#MWtbtpTNPYBAMM)d%#eK2ud-Krs=LP zuVI+B&JX4;{@&w!{P;0|Mc^NjWKFQhapwIaHJp5?5*+3|R;AAy3JO`W(4&QOL@q3c zmPf0M<7kG8_Kq^n)K~1{7=|8PD#W_ zJgdR|UQK(-zE7B|s=6B)-wD|duZJA#EWEY 
z=xiJHcbV^d_WEtl!1u^<7v++~13o7WXWtV23YbsV+SasHO_2@F^=Pg%Bfl6M=yeD* zs}&llZ}~7og$W6WoEzwmq0re@n$RHr7hKg4x13=;Vo_S6f7IYxr66OdJ7u{&8Xva6`lQ_Qui=RrwU*gpqvwpGu@6zdqVZ99<9GZR#xv`t{J}HWK zY{}=82xk&&pDUAZk>=e0RcOi-x}3s@2&_SI`>&mJ8c&oW90C+IR>_r7YerR={~cM{ zU7c!n=C2i*GU@zDcwRlKQe?P3C~MI@n?Ys(*`c%m|@dxsV_im@BRoc5S{=0q0xHra@X9-j47=gRJbV9qd@=Tz=}WRp~=(d za->qVybHJ2%0^cCUFsMg7WBLB63Lq~RBWX-ng-niKUTk5tuI)dYKGnYz|d5{gcZ`8 z29;97nImYmLR)O+=mqpk_#A&{iV^>FmXk<0Z6S-l{wIec?Z??<@cpljbVa7_=9L9&*%S9wVm3MpjVZidh@cyx-2&W%~*Zw ztnk|Xc$=3#yV!O1R1uAUKKYTe`siM z#MdHMI&g>Qj1?CT%_K&$T4hU)=C3U4@V*u^&A4G6PEWDKO3L%P=4a>+4~hs9Q^@{q zcI8qT_i2)&zgMgwPVaC}NoS@~ zSGVT$XB!#1jL7=@p|xi~`0cNWvU^COc3UsECQc#(9j~bWEz~qCGaK*;cAd=i|9Qw- z6Wd^5Msb$ootGl{N6%*JJ>EzH2c6`N*YaquMZgwj!R}E^x7yim7^)PyOrir%&Z$Z1 zoj!N_h{tZ;x+gsGMsoKQ*+rA;_brRGw|8sI1-A@bo_I@iE^JJR)mGD1i%8a$F;^ek z5wETMf0X@YKvmxtH41}*hzcqw2ndMMDczt*NFyLfOLw=FL5C>aNH<7#mvnb`clVv= z_kW)Ey)b5hyOT4JIZi}nI zyYO$yE(s2tXl?n05;oGD{%>fkAEUeUMhN1!PVw9NB9FdsOr&}IGO}hFq;xYLJ zZz`3vy?^{x-gXYB(;?3Xih2LIiL-;Z!*pX}hqe>Oa&rZ`ivf7=rXv_vbv#nP2t~Jip zf~`R^PgkPu5LbE!PL<*HnSCo_{bNC$e9GNhB#hx}>w1z=sotz4h8&q)5&R7~)8QiQ z?8YrTt4+RFZJlF}I_wuF`iHud`J;|^o&*)#+p{Xsxv3pnG!i%avMW0FZ{SRY{_mQ@ z9b|1DqbqZzLkVNV)zTSWIkfa3>#JBxHLvU|o{~9FnLb{7=@A-E8QQ~ob?K|w$hX!v2Qo|N3IS-FZmKqwu^adBi>jr$L3KpOfQ%BplzJ&B~9X9Si$flJ4F)`7%3Xcq!L3IsRR_wldYz zr`H%G@$U@v8lptEK3Tr-sOx<&OeBSP;k^bL`H8XmmJOb5Lbc!1S69z1iWswO;_c&2 zd`ikt)YinF(rtxY@-6Z4VOG@DQ(}CeIy-gBjAZ;vHnUxBz(TV9o*#|pc?U(yNNZ6_ zY*3GIDWe2kaHNWkxBgghXtjMVU8C`W>(z{m-OmEu>B&vHQLgISGn=AXZaQq`%7jMZ za??bELAby(caKK7Dg2xptrH_B1pt5 ztvpW#%Z$lD%iQkf{Gn8?VtD#Se`Ty@(^_%6uzyt6;q8YeghM>+#;?789Ez_lEj{_X zqor?SYQ#-*3G*`D?10(2aZ-70PQ&f>?mqYQwdG50H@<&kNh^KJ@glmW_1M@Ky%%^h z%ETrl+n51Rx=}=0Ablb*_!FR7tVfSz=KL?`kCm(FzBQ|0BmA5|uob+YuD|r5%qBzg z(U1KhMaFoh=5&8*WsMG$ouME!Albn{7QJM8+i(Gk;aPH%3Db(}LcmLwE5V%X? 
z{wSyp9lkE9wN+N|<!FDW=?j7Pwq#A&y=!>#+Jnpbip+d}>B)PlT^9GI|c%PH>iL@F)0 ziYj@WcJbDqIOWlcF0!AX+)O>8c$+N*-@Ilfu|0JQGHFV+Q#$ks{kk$faQdp0?sdd= zI&#(hl~B+X`0*;@zy>LQ&IhTS9(k$-DTiEvYznUbmI7pgu`fx%mXz9Je?Aoo2J&pXtMsM;wVSy-*Qth3* zj-zDdB8%U2CX7{9%BSJEZ)%BNT}_ZwGU)a|XBo$ubh#kGuBTPVqla}PDlB%Qu@6hF z?dkDNv?PIuIBh5X@7O#Vd%oTgO!a?*{TV5tnp<6-q#xx3ZH)M~)Z{%m!rD6Nmg{QA zo;(Td9U2-ppp)-qFJ&u{pG{}e)_1^xhyP2dv44i>D|9w_^p=x1O%>IRsjpwnrG1+?Rusg9o{L*(jSJT%YR-K4b$aJhon0yi& zw4U6K-eZET3{#eeWy!YR#E?n@~9@)D92cOUDx(S~=~Wu2Xa-JM90p1DLm{PetKEIEsL%HBw~x!q@)BlE~F(ye^sC0Y{8X~o2D zYo860x?@x1iC5XaWiM*YbgX;HzcS9ua7As`s8x^t&ZgB#nqxA8C{r&R)ArN_yzJP? zpK+!H1l8BoGuoUuPLbNym2Cg^@A5@A4-T!IUJYINV~zfb=;%}@_F9fg-PU*FDAQucE|@ow%x+`K-NqbF$E@g2_Co z=3#PlHEO`edx>)Q?ncja8IXK2{eUiwDmc57P?LsL=H0k*>UgcEe&2zphd$SHi!qIU zw{?a4Uk}x5lLLZLAN?8EhF^bjPCxVJRK<$I_>oDu^;BK%QSwxj?H`Clqfg1z5Ubtf zS0kc_By0Yw7NqM_XKu0ztj!ox!}-teF2_i5P!L=RGY8WTnv5D!YLYbO`szxT+0L`* zqOt8gyvIiPX7Mh{|g8_NxQB<~$Z9aNoLvlx>XGjE26eEfIqR){#`ikcNyx27Vt z(irx}js@e^&3Y#1%tnX|V*y)1Zk@F)1gOG}2+B^l}gw4%>qGs{oHRp)A>=g-!5o+wYKye`+U zZgicHQcIMhq2VK#@=VSa_)=op8FOTL`P9|t?3MDt=50&}bM8ua>dx;|;+RX$j-frb zEU7+EsdX^EC3jKT+b`ua-XGE#^Kx3;)WbN^1QB*fO$RZ6``=9dpBX^rr-&reLwmn_O zu-CQ-PxTxj@*N&&?;@VlGq__TAI+#ObH60Edr=^DcvaO-A=R06ct9o?Wp=}?5uWW% zxAv}I**W}CQkHF@P6dIZ3xt~wSaro_;kst)B?YG%tFULbpw|8`^Frq&9O;Gp7vBwj!udio7n6)|Eghn=Ev8~O96Si_WNmBR-xyo?9oRlT_6Ho)-w&M zLiRtjexaD9y%L$7h2Gf50$K&Y(~q+Rtk7z=1B4W zRurH8z2+=Uz93IXYd{=f=dn^zvy%XiQ7bo#rnF#KLL@hHDIyAf)<1OpbJ!E->JZyQ zJY2TShDwnoid$Kjka$1ybq1U{3tAGHn$f{o)gSg1!ZrggK9|i|DhrT9$cE)en%ZDp zZf~M{_{q>vYK3pho9nTD#2qpU?m*ZMR)>4gn5{EZ9uEcE`#i$<8vR44+!T}TyvBS) zit|>8_%kHeD~eDJ%oMD!2>n$w`>Pi|OiwX{pG~Gv?OYRe5R3HV4YvJU4RMxgSz+2} zQ#jFaWT{N`%=XV@F&mLO>mMy}rnN5S;+y&XuVf(nfy;t~B>tStc=+Czr(`-1rNJcs zI1(9f+?&%oN@bJ3SO`=V9qeh<1IM)VA^T0`O|{K-(?Z)p4QbczA!YqywKL)u0Jl)I6v$atd)o5tKAKTWVjd!?jWHP9jMIVymEu(N}q`i|ab6|gU%XD&N zQ{I^#61H87g7iaMiUn)8{uPnsG6n0C_P$gD3_6i%rdewL$G_uv`9`ti3sw0qKg?S#1-voe)9iJU0D8HKdEWGD<*!5C&RGx 
zdR$yhAGqwUx984WC%lkW*^YaR*gd3WsY9!n46(qRK&w5|phRj%##Ambx>~51RY8}P z9kwz9w=UWX`0h~kgK&HvD-4z5_is6ghYwlv_?N$z9tUwh}H*AWu9kl5EZZWI|&t}L4 z#DO#t&*l73vnP(%x#rdH6EFE2p^sC7rMkD@wzqfX+thg{1>nJ*oJtex-;&nDdX}j% z=qkWKL4IP*i2r6^P@j7<+dr6EE?D@IErU?JgzOQPb!6iT{XmU}uX&53g_|+K^u?=^ zNvD>sntdJp_liyeTJ#4Jgd?7w6w3valnD*{>Hms#i(HnFJ*Bo4w~RAYGU_VwudB^> zw7h2Oq&(~I{x3sK+(}2fi^137(=W8;gt^tCt?h)bj@FxE&z)@&Q28Q)QX=AV%-~iy zsx_>3twwCiJsYjf&4i+@=_mj$5-4N8CvQ$Z#fW$vlhlJqm^D_cYsm!3uurGr@WX$n zyWs;zCl{$jl+rz&7x;OW3oVbau)f0q8Yoi27Uh(apiB_d0x|X|Qx5OcWcJ2lOtiGl z>#LE2MI%2v9*5Up9dy&ah5h((y___!hg6!jbDmx&;kL3Fb%^Kc(8s<_pMUeClexBG zGUj~0>kntN+UO{$6^X*DbET#(?67rM0n<W!Dx<7|2sBdNA>M4DqwsmmXgi9V89 zjD&xXTOlvAH~AJV?RPJ2t}M%K_G$Q^*Q_M3sQd`|3F`{82&T-fZ%Qwp(ZH{td=R}^h2`I6;X&BY%Z(#+-tkMlO? zEXr3|;6H2o=~F=7+?!h07~_%Lc9$>aQ@+MFHUWXq@4WBTZU-z|ImzO}p3_;nZfBEB?d-`p#CM4qh(hL03 zJ7*`7<$ipFPl4-3?|0tmJjrp-?XvGz(?>;N)ZE-BQ*Umaj9T|3q^GJLU=lA2r{WSp zKy*)IWRUg39?TvB>W(>HHC&|?t!tW%Ie78$r_p5EhQ@hDqy z_@c#RPv71VPDM?d?9k|$iCxnj`=Q7@P|1wmw_%;&E<-%Ov?XiTg5*SLYt?ruW{Lav z89V6s9c^VlJv$pBl{J%$PFx?(8Q(CLm;Eke$9D6aQ$UKf)x_BBXFw&l9x5v3epY_7J<~3Wp$cuZVKwSo{fM%k7yc(7kV7b4HE?Yj@AKl#y1C-u;m+ z33FP6X&SR=J2mN_BI1cBYmLL7|Gl_FVx$D5_uJ?Ep5zqaO421-R<+AmPe_^wv9SuN zQm_9n7r;95F|xi)L{z^03}4dnU;%!aFg^XJooTi0Vnr7GGF2|U;TBI}P@ELS{VJC6 zNY`!sN%$@}*sm~$^Tx4B>DEj4vLrxSSC@vKnQD@NXC(XKxUdmxfU4@@4XI<6Vlw(i zZ)KdPPf_dK)w{NR#;!dc9mRVElR+K|TuJ6}vwVw$YyOd=0PO!hqLoav=%Z~bYqqAx zalcgNtQEvi)w{zU?3kGsEpKi?t}CEu)%-ViJDi)Lfa0ZJUdxx^Gl8S|?WB_IvWK}! 
z7~}^}kAhhe?vV(RHDFsoRQ6UyRd&0)P}Grj%JFwAAD`szSoXvh!g~Eeht;Iu7-@#r zCVo;~d57cfk1*l~0jv{bt-;?A6|dai5Hf>Ju7h8g(aGic#dLAC=?Xti^bhjdQGoFq-vLPjvF^W+%Y{UK&%!-8px!I@MQDcWSZPpw`nzmrwyQYb1aWJ*bi zEog8JYbI0Vz>Du_J5?c{C($=m1xqV#Oq)993<{# zsHj4Uhs3G(TwWGCsNC`^CAV;p!c9`H{LzOmj1n_f*k|g{GV<+yr1Ir*+~;fWVH6Ra zJwU%3YXZ+%=CbmMK7keLU5-YmI3T^c)eU)h+Z?A_#Bm4b@N+5Vn6%9*0*w<*2#}h> z*h;xFyH4j&8TuJ;_s-X?J(D{d+k%D|oCwqw*qwq-O`H-niQ$m+ckJ~Ud#9Yh5xfrI}a^&w=EQF zW}-VG%_63@)Za(oX<_7qxni=L#eVfj@ei|rf0@IrFMw*r3Kk`9wHOt(kO=v2TiRcCPu3a zp-=wGJ+8XYp+UOj9rPTpZoXORzTurU7`@gvASYowM^|RH_B%5Xd0Df~=FDC{U_m$C zO>I?729dUwYM$OuoC*t%&_rpHTG3sk!d7AtPHj(=l(=79mVoe*03J!fuqu)|t`wbr zdNav+s;&z+Hz5mz2k31a~13dTA9Tj16jh(G{vgH_GVa9* zeVv@;QqE`lgKG?VSK5#{x2$z>>3@-MKbemR?@LyInLh*=izF-?*-Bh2J$Lie!-@@Z z>u_nLj$-I-SA9#)&i?gHO4Z(mkL18fc=XYQBh-{?8e9_P4weFXk)C$Opub5XmrS-p zz^(2EWe|zoiaVHfR_4&yfm}kN&F>+5W!4S3&>E7zB9UcFR*F2SF~qm3i< z7(YK!3s}=6f{m#x%p{*B2=35gYF~#rd~ssWEx|jIHM@!pO0qSyTK>bff~SF&v;rV9 zXLN{HX<^Efsz*oOhfpl_j-K7h))K2-Ht-X3(BB%;6Y=Y>#}pAmyBnh9#Id#PW;nCV zYU@<;F{y+_x4CA~%4LTSv#JhCtD859=WuZZrp|(dh&W--K}%xIKIcaLdQBMh*{I*U zbR=#C!p!W^_y%}``$tAcGh1cuRpWol*@4VrIL3aVvh^_uIe>XD^#w{7YPsDre%J4y ztNVoiDpr6Yuf?s5SOVK!eN+vMKdzbmay~I z5ovqbF<+?kEZh)TEQTvqSpo_LOGHjFenF1Lr=@`_~)j84#0&l~+{UdW7}L#nb(feH`SCtSK(9Rf>(skbfh}!@ogFn8?De z4`r-jV#)BYu=3K)k4Y2S7*c&qwZX5C0@?6|4*p{jqewr$`*LZL+I@*a5=u|I^trJd zuisJ(hTTK|`6#j5VBZ$POD$^~udKSxz6l77oT}!QB6bmkRs?3bb@J5sqVvPM zSY<%l2g@%SiP_IDXVY?0z2iF?^!RM6k-v#j=L>`$UKt!9t4<+HO3#=TiF$9O+K?79u&V z$w3qMD+t#X(WL>LX^K8NYx+cip(FU4Jrh0`E1z`HwMmJJFfLa9{^NTlZ8SL}zP|HH5D(=o-PjzvR7O&C~1yce96*twRWhR0zsiv+SxxG0zHy1Thj{8!^# z7qAiq_Oce}JL|sP2FZyqu^0#hLirf*!{Chvh(`+>`&E4z2ITSJ4!(|YvgYIMJ^SM! 
zADFAie|PZeSUq=a^>5c3FB-1~_d&|oj%;<}gHgt-+Hu++)75JX=B;yfvS`-E za@+48PnZ*MC3tyyGJ#P)^z&GoEN2GAECbAeKOuJ*ylZ5){$SpZLCeU<7YzInaU47v zU@<$pzAgr)uAp~J1A9xL(L*LtX0wJh<9r}lPO30D1&Ru2Y(oShwL5jgxm2#a7qg3- z-^FyvkSkEbS;t~HZDam1r~T^~Vi0EqSsHj%t0eulg$b32VnK*OLuKCr+G}W-CYTb^ zS6?g?oVTFkj5+7y=*jvqk0HsI{AYEENl4gok<%Xx$>_1fB9`z!(|@4mHQ%F7NN78$wPils^slw9xDUSHrp9IIp?|5(ne=Rp6(#HdE_X{`LXPhx7Sb+JomD zkG>9NDKdi)6vW|vpa%p&^dAs`Ay%p9i1TheTDD4Q_piEY5DBsv5BvX5QT4B*LmL#! z&evxvv`Pi;FhlUrnLDV1rnQ@U=QY^!mzYf%$;(l0n}LXp^!4jU(Dur_>nwsogvYNz z{*KcKxtb*-Ki&P=Xfk3vtfiZ)9k-7)u;zXn4y3}P?l72!t`Ttbn%0oaNCPSqHB+%o z6cbokbVvdh$qlfM>s(S;d~7)oDW`!B6~i-`>vdmTX2>y5=gW;RT(bLcZR~x z&kvfdNOp6gK%V`(U|q^KJ^~i5DLheUu%`tWeS(Lut)t`i3r@~R za8*@zm_u#MBM231hAt2hpvi$tgYlpsd7LU~7k^4*@k4(b4N=QyDQK4K_Xee6WjgEAC5i5qQVAKBS@oR-$1yu_9gx2oC^Ne$j>;fbUa$YNk0wr zI!LT>cLbrY6Kvb~!brkGLir%{gtvKt+B~6c5L}N=JKiSz0ZpoBjW~6vZzzqT)#fN8 z{2j0ZWnQ;ewA&id2-oCH0pLU3X{-2N-ofSB!P5DpPvu{Q_h}2k(tLg4N1f#kXEq^! zCiRHaPxgk<{35PeIzZ_3?CMeFFzkM#C8h)j77_R4$6JbC04#PAjDOF_>cMM&Zz&lb zT~GjE-|NfbR?^R<-=Gd8U48uwVDwI0WDWT*@!n39-)OQvR@$t|di1n5H-llPxdRVq zb)maO7aWeGrRKySVuz>p7yr#A_CUWfG+7#+ot>50{>08?KOxP3)dXGAKILn9^x1)t zA>YlVHJ9BcWWrt#&{bjCdT6xh7VE+;LjfL+08Q;pTKCLBQzOu(N3a@)k<4Y$e?vWm z5#KvJq%ED1?CE;79tvVi=p|q{o%pmzDuNU_6_{Q9HhELWy%un~GuKqTM;S@nQm@^@UE+3F4sm}IM%S9@e+P=U?j;*|Z2E_h!< zYb=C&I~?FhxD4t|&CSib419cXFazL(W#kNPW_&@tVfE*`59YwY(S~f;(DFA|q=w?w zKtI1%uo_@vhZE-=EWe$q159uUO$HkR#5MxUB&kUzLB?W#Q8dY#4jycTE&kS4fIz|v zXdJR?4su#;Q1XS6*UfLsDqNq~Zc^8$zq=NeN|F+Bv{0-OO;mJE$HI^+4{ z$t9xz(s>9wg(GOI3@1vqFaly6_uD8CU4Re`fwWtHHqXq=Sg6gooDkB})AJmU4rQK$ zcQmv!x8o;%W&9DJa4cUHJBk@ltbX5F@KqfK?p`yaC{8>4l78a}1)yf3JO8XJ+Cd zjD%qo1Y>8oA8@z8L-I6Mqz;8`*B6-c=)HjwC=MGrr4QHx;b6ayOCRz$9m7AMA|E9o zu0_?9>SR1tR&A3mClo7rqO)JQ;^F&S_88#E2C8&KR}hf#pFfl%h`uM{{qq^)_s6e< zpB-1ap3%Wp9YiL63WHpZ*c4iQ{Qa}X7y`&80c1r6TloY{6k`a?sI%LkE08lxw&(KD z#>GSc+!bh+5evvhazx!vECu?&@O_56hVEGzljR_4CwAUNMx1~U&Ow~-GJ~K$S?Xhz z8GkGyTJPFSlg%(PEqLo8@L^#i)98=8Y({pUWoG4Z6p;vmQk6(ej&%#Z3wT#{@bY%7 
zg88+XfqNGGUnN+vqBGIw$8A;ihiQ)lu*&d%yBa_qTxydN935U(2K1sPx?kk-B-?*9 z!rYn}I%+fRYG(<*IbW>ZYFtS2IzHG+yI+>w7WQKL4x$FVSAqg`g^$~~aS@2hsOrDL zK>FHW8M^R#1GY7pcWGP3)o&BEn!wKFZ0ZxJ<{^k|q=IW`1-j(A`L<_#P`DF)R;g0oE^SuT+qIGJ{v8~AB3{ahTv}i>Fi(k$j9KirF@4CTlC3c zxXJ;kcPZny`^q)p{)?G27e0MdD0DO8S~mBP@Y==@|12W4Nc{FIv;>%%4+vSqwt2sZ zzF5c8uqOcG#+`>Ek)&lcmOH&cz@uoXekYFZi2z3|^=-;)(bTrXKN77IushvX(kPCz zGSH;h$Qr&CEEW5Ax?1JtPgv?H)_<7XClFsee{k)mYy926M5F3aD~0vU^6od@(R9KqoYiN~@X`nMf$z@Gc*MFMgWv2e8#XVkgFpbI5q8KBY`>e75)FsLX*aDY?vji{>P$h(&+0YRvZ_uoR8>*hGWwWQ z3I)X&)2=Zao}|e)zJTstTC&83*`2f$e2nUR4y!Jqt&?%QMt@85Wni5CE{%)hc>waF z-paucLG2^U(-_V8gE^n)m|UX0`_)DJb}g#9Ki?gY3qI#-?H_R?XXlQu&pTWySNgHW zSwsMQNZQzQX3nwmn!qzoW%%QJ9S!_#ZQW^-tzn3^%e1Mv+&#>ocY>%UbWOR1!%fd+4jz#6a>Gzjdz|mG;a6 z2km4lapct%#>E}8(||Cu?Gu~eym8t3FvBeXiI86>i^~yR%@{75`s#Nj+bISw9Nto> zS{1s%l%%9D{|*GjxEuO{!y~>=R7b|%HK!KLdP>a&T5e35K8`llg*D1a@-`lg))k*q znc-v(4{(h=@uoD3~wJaXUD6!wu(74VM;yv05q#e0KGH?q*r+{vAvLpN7G~RaIOq zZ4Q^qyFcPxx8vx;SBPzxNX?Omq{4Wn6VNYS6}EL&D{C9->x$iAo}W=lO5!8`HTh0q zOkT=NYOY%qdvu$usF_T70!WQUqa%aKkAZ4B2VmvG-h-s8YmTU&wO;3O8Q-!b0x2q= z1+gO)$Fizjoc+QIml9L0(5y@;_V}=WXBW8Wd&4ITAu7+N`-N}HvhUadY8I8kQt%o~NVFx?{Mc6!e5WR*cqHbuLHieb9)vTQ$BBIND$9d-B`d78}9@gf^Y$Q>i+Qyyx(iRiI*tbT~ma}|HNud-X{)9=5%c78=Aho zUb^*t#N*eKU@>7?9G?$VOIYmh#>%)uCYEn>a1l(GFK(o27v~mG0`JFSTDx%jv3Of@ z@)1Ch^YnVT*$ya+M_2vSOgmdtJXh(&@eC1-@bUkCVAq>BW_C#5SzzV6nN5pNl2LiH z`;#B}uIf$n2h$l|75darw<4Ty)r|dOfN^)D?Z2{-8-NT1mEvm>x0JS?nb=6piRfEz0;d_VyY6L9y2&ZMgY{*4n+4?2 zVP+o#nI>zUxCvaXk2B%)W_@*NE1TH&c<7z()!jZl_jP{8vFX@z++Kd8;FTlq)j;t1^m- znLR~?pZFS`%ZHrVtC#n&jq|@O)xzvYL%$Ilo0gLu3O+BN^*YDzxwPGlv9$J)SWd_1 zUmy2We-5cyT3QY>cFplE@BjX`QP}b@{>tRcg%tvUbByO!J>eZ1AY~z1F|vib{OJ{} z8;U+TmdpdiFrL1#+(}m`4w|jv1M%Zm*3e#G*!@K#TOel1FlZ(19u3`WOrHIW;RkI- z5-_-%W5$Vna+0EO;<~6^)PUm$FFDv*vWiV3Np1O6B^d7#_WEF{p-0z_NlMufx!&e# z^NK9fl)X*SL};fJY+BU4R$S%G)qj!Se$nEb|CvoPiX~;@Ht!kxJPUERGa(=}3l!BK zmN+}kn{v+fRJJ#IQB^8a5tx@p;S39HPiRocr=-+gfN(n2iEDHk^Jwrc4_C#aZFhuc 
zb|i&Om1>4F^HZo8_*BorT|OI-`^92Co5=#cjWQpm#0wBKT|UmqqQ?~x2PR-Xs9JhX zxgdWN1vV8in%ZZ#WH8zi3*X9=(jZm=8PIt2D=ptveqpHEwmRS-v`Ns4$Pwi$RD~5Oju6B_5_Hv) zKCZM8eE68u*kx_zUCUck3lChTqe=~$`{UVqtAw&LYbVh#HFpP+#;VL%UAQXOjD;m6 z@z{)L12Lbs2R+oc+@A5qC$muJBi!3xd#`g!1$%kL+t99p+2nhr2-Z|&og{JZcinnX z2;Gpr_IJ7q^%UinJd8>j_dk0z8BtC0(~GYnD(2KF{cMe2o#*06DN%0U_;}8&-y0-- z&ehyL`j^k~Cta+UqZ}u4byrMObZ?!kT0g|Xe_lWL!o`^`htAmZ z+3;uAxZ22+yc?6z>HKiqf!f%*`5Rh_b;0MnajUXP8z;aA@6y3shg8hT~Uf(VoM~W z`e9J-6sm9hpThG;auFmb{q;4z3rGrZZU1GKJN!Iu09Ay5SsfUc6!TVayf<9sn6@AB zPn=df^zC0zHSYW&^y&HDIMi+YPC2r7ODagW||3u8>> z_Rzh+F&Ml9cIj7))E=Ngh?ye%YnDwcdU-aj^fWGuNp~frddqXkit1E6>nE^aye-}!u%oP zSy*+&2VHUfDPPzTynaZvPnrurbyINa{`gGV)Q4gaB8}u04=O#+FxeGw31QcJfJBaoIlE2oL5BF* z;17nhNmXv1G_uLYMwUIwu9so`6Hc(!GxKY!etHGMUm3z(#jZ z524<{{*QN`j3^l@WcfVc7y36-kM)adf1m(q-^$w3-WEKlvY6sm~ia8it$ zLRE|@=ovrXanp7C^ZMWj%~T%1w1_q4z+L_jUyg@g#HpntVCgmIQ^y zgd)+euTyu>KeSz*O%WkYN1V4{)Ykm=yU+If_o$$7J6AgFfPJq62)S{f2^Leoti$;S z{u1-Eci*j|O=kAdu!VU%bIT&?-+A`dy4_HpxVelI0QLl;n5OI*Z7TZmmv5`O*y8_v zUR}{gtkK!}A2f7Hh!#0Al%q!*B*QKhIW6}a{MHF)o_6a8E666&%(c}^D>%h_SBfWr z$KTUB4s?%4rBcvK$8ldrKul!3yx7oBIxW{`)rud^SM**w05HhO)?PZ5n9m8AJV5$! 
zhqwMaD)CUd_AyujwEzhX=_*JbSPM3`h4o@owc5s8SMhnTsKh&l<-&mgOi7pYmiE)% zIvL^c>Z(HxK6-jj{8;0T7T}d44v6J}TPZ1#C`WgeRt(z2hAfQSNDa{=ksdr}`Q>pR zryc1Iq9XpWZ_OrKwLAz~^Wg^wzd|m@*d%=JV0~@_#Xh@tdG|3f^}zCxltMi1Y@(}v zI&RIpMk&{yT5LAi#4IrNSkiH$tJLh2?|)3w0i$B*790cMXpwRbN-_?V%b-dp2=1L9 zD4(#$e)e*Ae_uYCz?4b*ElYHa^5B4xCexWK;<@cnhbOBz*df0kNPHP`c7|ZDjk`<; z3O>6wj|}(9kWyT_PN=CFB08v#9SSsHA2DKN2mn`w#w@xY1)?E&$;lQeW#`De{VO?f z6c*sbHEv{TdR68QBE6=q;WBd#B(W&gh5hv**74HR0{gAZy|bl=VrvP@m54ic?uhM^ z15_m?!NQpEK@{Cx?I=ZVnnfFKe%_(K^6EcbwW81i-aS7am}^ppFfq%_rUNqTI* z%**iKA`ScfyB-P%@3gcMQ5G;Mu%ULD3Q%iA#9&o@0@zvB-dsmRM*}%o*_Yp{(BUuG zY)|5`vzHQliEX;>u3BlH62U3NO$>wD`CbqIjSRTXrieBFs3uNv6la&Gra_k?Y^w;V zPjIR9_Vc;(2P$)iP~{b7#fEk!muD;SP-NEBGm|<&`!YY4`y)gHLv>ikdj20tVvncX zr*zahaNUD4#L5lf+<_=CzS4!DS_s~zNV}JA z>MPBPGY!I1pKe)uJ)f)$wkHpK1qFfIXqdgw37q<5WX%R))(XQjIqtCE>^oz)woL!6 z>Mi8)H4jgTX==}6(kWd8J_L{66kF>XZcf1O*kWC9IrR8dh7ac5`ydXi1{N^oXIWM$*oXIQ_!=rygP1JnnUzgIAq4K83_2V_;KW;NZ+xndP5`&WCU=oaVq z^z;Oe&ip)aHZn@F#QhI_6c-b_^~WhtUDiqFVI&RR?ncJW{g9|A{v+M_Lj}Rv2uSH2Ha6JC6Sy z+93~=%Pu;E+hw#E;zbbeL@b*BI79#cCG!7%c^vP=@?y03Q7~sXd zuut`8Z{nk2P7>CYAG@+DT#4Tu)V5XDLvZSv)V8hc*l@Au`;6{WUw(IRg1&>wbO$(Y z@8r3h|PTZtBSS*}=ZmcKN7& za>_F;;;L7F`>$@XU+RtKC0;BkbjL&HlBP?J*b7)>blak z-o`y2KQfO@nf2~|K!TH0qFOBi;H3}IY7lU zJR{BS4*S%fxYo1;oCAy|3z(SiPCxz!S06D7UfAk4pOyJ}U0B<2GLrj8a@D3ew53Ky zr4E3~vHc69CgSqI|L@V8*DEvD zr*%Yt#P+P>QWP#WDy{nZVYEhE4x0e3*Ja^9YJJ1BapVJ;T0nnYsbkLHp@Esjt99gEpp7 zdd5Z5yE34H@#+o+>zApF1(662s}~1h&W*vZgb64jula0t`Vb&K^%b{*^A*($?b$!d zF$?2?FzMQx;_2b#V?qx1A%17k-Jfqfe}0)>EjNvJYt7RqHi-_&yW%OcrvPAhj54G6 z1N(Bo2_F+zHw^uB#HkyESxhDefB>i#oOFlmJ?AZo$KDGM*y+k4h=c+)tqQjMniw6P zA=Rau(+SbjAzKEEOPWADrn;{${=9nm@b8e99L4_u2W5qvI@wiR>lIeLH!vF95KU8=fliKpVQ z{&wY&7I~55H1>B{iEs3>ThfszwWqwYhh_abcEU$m>@B-d(Eyt?pA|nEvwh*APrT)> zARU_YV1Y?9HKyM7a+}DuV!O-VGeWj2SGs|I{e12`|CnG5+Aj`~a&H`XOUxYuk9zX7 z#MW*2I8_Bc1o#BFojsG=5Q5Luryn@;`B8jGzdn9(%Gmq2W^C3gGaE&cj-remwY87T za~=}h>@y0nl9z0EXiLaHsQqFT$y8rAJk%Tm+nFJox;F$rgD(8B*N`lRg*pU>tT&7tut*SkEV 
zC)w#m-nTA5axh=Wg3En6IFG-J&xjR}Mj;;O5EY4c@?dnYHs6djNuW^)e%6cXh4hPu zEL4BkpG-h8Ntft@)M5B2@;GzmMk@~OT z!z6tfi1q6jNVijRvj1FYOI1I$5dm7J$hka#xT0LoU^Y*hIR;!Zp2Lq`+c48@A z_W_ib!rD}@Nz zlD$aC9%D;XBH6_djU`JM+cRV=!}wnFe80cf&tKeQ=DzQ9U*|e!uJievH=O(1hmq%o zPQ6H8CUILXyawM1-&I1LOS$~ia>$b*z1OvcxptIl^XiKYr2EIIn zHOhY2OYrKSCx9C7$lzQP6~;i zT#Y*ATAE0Iv7SNNukZ6iQ*uw|kM5``<8dXAg>rh96BYRBH2&SSK1{XcPD zV*lo7{L+tAlIVpJws5~4(IJ8rSS>{#$~1_rez#Bgb2D(;L~_=Eeh^Co4{IynM@2Az}> z7QyoSI8MsSW&ygte-ybXR~X4)!agOtXR+eECJ?f-`(4b^oSs*&qp5{j>S^vvNsY?w zh&hyJhUH+`s$@3?=j>$1x(1#fMKXos=gQvbw4EkqIj;zsxtE1=$%+Jx-R!n zs&Ls4UxHs{%3HrAC{-J5iZ5(55rcRqxyyn{N{nht(O66Xp*ZghL zxv=TG(e{4GCZ90&E=j2lwL#zZ9w$PiKI!vwL>vZ%0M-@4=*H+jpM}DE@pe%toyHPl zIml4s2Lvk3c!hftHdc;~*r?L&s~bT2Ek-b_s3q~*Ev_yuB(b#w?A%uSI)nmAJJLLA-gqKbbu>G5XQCmAN?Ue_$P6gS{RQ;724v8BX+|` zjfY-ec#5inzRk5X;P0(x%RR2k+*-onW}$DmG+ECtNRec%mkS{M!8pZ|Jw5fYK*q}n z@)&G|zw5k`Ut`>R;CT2`YP;EJxpu?0PbfkY=|Gtz5P^Gpdw95wbYtLf)rWB^xxANm za%+fsWNfs0bMJmS-lyki@&3I1n$!5KS8|Q_d8NaH@xvi%f6Jj^MusvTRfS{-uG&8j z=>A+x<&{p+(b>)n{~9`8VSade+DbU8C|Md_yqv#1|^edXLJJ@6~QEhMal;qm`tZI@ zW1=@WM`5f>%}h#WyQ{B>XjxC%^Dq)PJnQ#+hboDhuzJP$OP4&;E}HEkL!o)qPG4Rx z1gK11l#}Jel|cNtFkc;Y_1&VoQRl|KS_@kXGplFcOe%R15!PJTHxg%B;i!q@2n%mq znM-x{^7?AF5|z>LT>sUt*V;txnz@T5Z_8(#`=?6O3(Gk)=z^QA6NnSqe@t#p`%CSeBQq-*HSl^t<6R~3=pD<;&c z`hDKzY!%YY9~;@X^gin|R_W5bBQPZ6+S-mHbClx8we|EG+EF{3qu)Jh&$D0Xj?y|Z zqcQTZurL?SyC&}@*=@yXUd6vD0 zqaR+F3Z+2mDDKh9d@i4jkVnS}mSKKv4?8(ndy4ts=4rZh*{_9QA5Gz(DMbrk7gsD@ z;a{2h8ptaq#yIFvi+8a+%ah1pz4p#`I!ep9X+M4C^gl-oNH5uG<-t?AN+`Nhte+Mc z#kSUiBO7UG4lRW$Jw1EPycH~`Of?gkd{&pv3o;L+LJ*Zj?3@j6Kc41c_Xoek!)+Ka zD<gxYjY;}hNg?taOyN1`8YwX83cFotQfmnlUiP^hYuy>+)i&+>0-%GPIp-exzz4>C zcv7I=1uefijx;^~TdQj7H+epC@Rjz|sVg85{k^qljJKLjH=CvtWwQ)Vd`_zhB5R-) ztx264a~4m_xU@w=99>D5q!4fvBTqmhp|~f`s?&ztSYGBsDhztG?%_Nv0e!7Yr%3k< zkhF&S`nT5<-b#n;UisCKc+c}OSL@~aO2MhnZI!98Fb+96Ie?!742ejRSebnYw=5wc zaq0KM%t8gyxX&t7qNpQ(bH0%Nj)`TQYN5?&xk=-;A1%6Pg)|&mN_^n5RW&#~9EOn; z@^ts*q2i>vqoi~KNJTG%&U9Xu5_wX>EN53>I~WwANqLwJ(fZxFWbtEO(oM54sz?w; 
zz8Z_z^T+}?1(~@KvSH|=5aUa#te6^*l1K^UjsHHYcMK2@4xoS=8=>Vw9&OhJ`=p-q zh7(W#c0%S-ov{E}V_jJ(_(m_Egbw^BDIo#41Py>c)K(FNdpLh$&4T(p@heIE^#Qf$Ca55NjpY)SIy<-GX8!@rkhY;&C~`YsETPMvo~m60a5`@gwnFIcIPyWGgj2Vp#Vk|i+t$r zeNqi02ZxTmJr`Bf1F#=kZ2PH7`$FUZm>2>rwCJM_j!$M|I1@x0Ff<-QFmlYjAB<7*4K4GJPY+V0~V>J3>$B6VK5sQuo&zp zVvUbsGbp`)1qACIZ{NPHhKey2Rm!txFVo5@Di(g!*a6|l*Ut|GtM>3b04fmk<%=@> zqcn;j0Af^Vy7LG`)q(5M`ucC6r{vs1#`X8>l0hAciVsC64|;yM*M~*Vt*uoY zSin;m`XOVs2p$jP3L~hK0crx+MZ62T`SLnYodF;?5Skx>@d$Q2W~YiB9T|a=rJ|M= zZ3EVq79Ogyni~JW7zU$nZjRmfZ?V>DUum)1q=bRt18p)DHFYiEW6F*ASy))WmLu){ zV{)<&2xX-e6%GfxcwqWii?f2x{+fUQ9k9h&Sy`pS52T^Jq1O}|l*Y!!UIB!3t<%8l z^76NehAE)R(B_8`SgxmQn(*+#OYh!^b|xY8;32`avV%zi92*%KOx!Tk$DQs>U<345 zK%({}R+u#*jl47WsH&bGJ!=9LJZ5m_fWyp6pw-ku2g-+w1Nl54Z=RX4?(XTiiNsw3 zsjmYdLIC09y)?*KP*4z?kO11>{LM{YXma@D-tm?&B0&T&FMmSh*4NjeIP24MqXCdo zf9vR+K@nDM=DU)gA`~veoh4qDi^I4&%&TWs@Io$(bsKh~H%Fmlz{2zqf^~Q}s>9YN zE86_tJ(aL9IVd6D59xRq6$Q)*HYim?df;=oc;N!GOh9=%0rvH~CLzHP30d~3>NO-1 z2~m-il_d?=ThA82oZ4;%iws;o(wG73 ziWUW%NYT#Vz(CRsv-&%5dS&I4H*Va}ej)sclf$ic9MFE9uITHZCZP4-KCOVok51c~ zJ62YD{{G?shXDC%G%NsJA3y~Kc>_hj*3OQY`}E&ZB);gFxu2g{YinyL@#nN77?}Xp z{LcE*@fiPtPu71I8TkDAOetvI_)@lV$hoA31}wWUdP(uARb}>9DC8{2v#okDMM&1$QI(_;^)qv=e%J+ z9<7edDHb8*T7tI*oyEy`9bl#b8LA8JH%*kVa9)sJb+wY6UkZ$A#iAM1QTN}CyEisB z6Pmn$E{8%9Gg@olWCDz|aQko^r1gW#{#;yKcMJ{NA^!PSnQ6*<5AtM1UvczivC;~H8;1iVHD0whTO2RZl`C!n4dPD39@c3 z9-dS{n>@M5lNJehY7U^!fWCXN+9NP<2dQUOPpt}_C*X9-D$&!$r3ohwOcF9s2S3{Z z3sEtP;Fy8?Gj9pf4=yh(Y+7C`^+~{h3BlWqxc`Q}<3m_AiLq<-T`PG0 zobjn@VTz-!y1MsLQ7v`2=zL2=wjL;3byAhhuc z2q>3ffSPnOc=L7p77Pu)Ac9lSpUG8npFV75(KE;;P=$A&Y)*%6Tmyj#{o)k3;HF!{ zzI1lNTY;wnJ@0Xo-=gK%ZAvOCQ9${?K(FkEm7FF#cd)608V6!A0Y1`Ao=1o z>(OX^=paEsjqNYQAkqAf&*xZ6h64hB?$uMw*49=b3~x(1H1ImV-O=i?S-@(Ie?UnQ zcQ$x{uJ+~)H>`)Ik8F_-zYi1wy5LpV31W2A2-tTJ+u+BuGA$$*{41Xfi(VzL6ld({ z-rm4%0$LAJIoYCk%byo^G$_HiLT9-dL6QYp;p;bVt}iQ=VKgBL!p;=|jZbR6+1o;v z0>UI;61t(GaL74rj6*I&9Efmm36NFDye1eeO@0hH*4m&=a|vM%SEM23HNSrk11XHU z0EtppSHB`6qR;0f%dZZ;&<;->gy$KZEXRPX3)9uI6C_K)RZoyHb~QtVq$=r 
zW$%!a3z-^D1SuEt7$kj8m>?r@cO9ObLm&{~+|hybapue!e}DgTOiXIACvES z|Eg3i^=Vq#(vp%HfDdLc{@X8Z>#6qBl7CaD2%N(c2u7X(|1Kno{Aki(_%lUwRaDgA z`oAlOQYV+epA9klf0Iy{K9b{t6DFPH!;Sh)+c3szNRY!?5i3nX+(^uMR9 Date: Wed, 4 Mar 2026 11:56:53 -0600 Subject: [PATCH 3/9] Update application.xml branding for AppSW-iTC cPP - Changed title to collaborative Protection Profile - Updated author to AppSW-iTC - Replaced NIAP profile URLs with commoncriteria.github.io links - Updated TOE Boundary and equivalency text references - Added iTC conversion note to v2.0 revision history --- input/application.xml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/input/application.xml b/input/application.xml index 9da9840..ac3db5b 100644 --- a/input/application.xml +++ b/input/application.xml @@ -4,9 +4,9 @@ - Protection Profile for Application Software + collaborative Protection Profile for Application Software 2.0 - National Information Assurance Partnership + AppSW-iTC 2025-06-16 application; software @@ -41,7 +41,7 @@ v 2.0 2025-06-16 - CC:2022 conversionUpdating for TLS FP, SSH FP, and X.509 FPTDs and GitHub IssuesCNSA 2.0 updatesALC FLR Updates + CC:2022 conversionUpdating for TLS FP, SSH FP, and X.509 FPTDs and GitHub IssuesCNSA 2.0 updatesALC FLR UpdatesConverted to collaborative Protection Profile maintained by AppSW-iTC @@ -49,7 +49,7 @@ https://github.com/commoncriteria/ssh release-2.0 - https://www.niap-ccevs.org/protectionprofiles/515 + https://commoncriteria.github.io/ssh/release-2.0/ssh-release.html @@ -57,7 +57,7 @@ https://github.com/commoncriteria/tls release-2.1 - https://www.niap-ccevs.org/Profile/Info.cfm?PPID=439&id=439 + https://commoncriteria.github.io/tls/release-2.1/tls-release.html @@ -68,7 +68,7 @@ https://github.com/commoncriteria/x509 release-1.0 - https://www.niap-ccevs.org/protectionprofiles/511 + https://commoncriteria.github.io/x509/release-1.0/x509-release.html @@ -167,7 +167,7 @@
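Review bot: The three functional-package references changed here (SSH, TLS and X.509, in the hunks at -49, -57 and -68) now point at `commoncriteria.github.io/<repo>/release-N/<repo>-release.html`, which looks like a page rendered from the `release-*` branch named beside each repository URL rather than a fixed publication. If those branches can still receive commits, the text behind each link can change after this cPP is published, and an ST author or evaluator cannot tell which revision of the package the cPP was written against. I would record an immutable identifier next to each link, for example a comment such as `<!-- package text as of commit <COMMIT-ID-PLACEHOLDER> -->`, or link to a tagged release if the package repositories publish one. The enclosing elements are not fully visible in these hunks, so the exact placement is left to the author.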
The requirements in this document apply to application software which runs on any type of platform. Some application types are covered by more specific PPs, which may be expressed as PP-Modules of this PP. Such applications are subject to the requirements of both this PP and the PP-Module that addresses their special functionality. PPs for some particularly specialized applications may not be expressed as PP-Modules at this time, though the requirements in this document should be seen as objectives for those highly specialized applications.Although the requirements in this document apply to a wide range of application software, consult guidance from the relevant national schemes to determine when formal Common Criteria evaluation is expected for a particular type of application. This may vary depending upon the nature of the security functionality of the application. - The application, which consists of the software provided by its vendor, is installed onto the platform(s) it operates on. It executes on the platform, which may be an operating system (), hardware environment, a software based execution environment, or some combination of these (). Those platforms may themselves run within other environments, such as virtual machines or operating systems, that completely abstract away the underlying hardware from the application. The TOE is not accountable for security functionality that is implemented by platform layers that are abstracted away. Some evaluation activities are specific to the particular platform on which the application runs, in order to provide precision and repeatability. The only platforms currently recognized by this PP are those specified in SFR Evaluation Activities. To test on a platform for which there are no EAs, a Vendor should contact NIAP with recommended EAs. 
NIAP will determine if the proposed platform is appropriate for the PP and accept, reject, or develop EAs as necessary in coordination with the technical community.Applications include a diverse range of software such as office suites, thin clients, PDF readers, downloadable smartphone apps, and apps running in a cloud container. The TOE includes any software in the application installation package, even those pieces that may extend or modify the functionality of the underlying platform, such as kernel drivers. Many platforms come bundled with applications such as web browsers, email clients and media players and these too should be considered subject to the requirements defined in this document although the expectation of formal Common Criteria evaluation depends upon the national scheme. BIOS and other firmware, the operating system kernel, and other systems software (and drivers) provided as part of the platform are outside the scope of this document.
+ The application, which consists of the software provided by its vendor, is installed onto the platform(s) it operates on. It executes on the platform, which may be an operating system (), hardware environment, a software based execution environment, or some combination of these (). Those platforms may themselves run within other environments, such as virtual machines or operating systems, that completely abstract away the underlying hardware from the application. The TOE is not accountable for security functionality that is implemented by platform layers that are abstracted away. Some evaluation activities are specific to the particular platform on which the application runs, in order to provide precision and repeatability. The only platforms currently recognized by this PP are those specified in SFR Evaluation Activities. To test on a platform for which there are no EAs, an interested party may contact the AppSW-iTC with proposed EAs. The AppSW-iTC will determine if the proposed platform is appropriate for the cPP and accept, reject, or develop EAs as necessary in coordination with the technical community.Applications include a diverse range of software such as office suites, thin clients, PDF readers, downloadable smartphone apps, and apps running in a cloud container. The TOE includes any software in the application installation package, even those pieces that may extend or modify the functionality of the underlying platform, such as kernel drivers. Many platforms come bundled with applications such as web browsers, email clients and media players and these too should be considered subject to the requirements defined in this document although the expectation of formal Common Criteria evaluation depends upon the national scheme. BIOS and other firmware, the operating system kernel, and other systems software (and drivers) provided as part of the platform are outside the scope of this document.
@@ -576,7 +576,7 @@ for i = 1 to 1000: The evaluator shall verify that the TSS describes the TOE's behavior when an invalid peer certificate is presented to it during establishment of an HTTPS connection. If the TOE's response to being presented with an invalid certificate is configurable, the evaluator shall verify that the operational guidance includes instructions for configuring this behavior and what the configurable options are. If this includes configuration to a permissive setting where an invalid certificate may be accepted without administrator intervention, the evaluator shall verify that the operational guidance includes sufficient warning of the potential security risks of applying this setting. The evaluator shall attempt to establish an HTTPS connection using the - TOE, present an invalid peer certificate, and verify that the TSF behaves in the manner specified in the TSF in response. If this behavior is configurable, the evaluator shall iterate this test as necessary to exercise each configuration option and verify that the TSF behaves in the configured manner. Other tests are performed in conjunction with the Functional Package for Transport Layer Security (TLS), version 2.1 and the + TOE, present an invalid peer certificate, and verify that the TSF behaves in the manner specified in the TSF in response. If this behavior is configurable, the evaluator shall iterate this test as necessary to exercise each configuration option and verify that the TSF behaves in the configured manner. Other tests are performed in conjunction with the Functional Package for Transport Layer Security (TLS), version 2.1 and the Functional Package for X.509. 
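Review bot: The test sentence rewritten in this hunk still reads `verify that the TSF behaves in the manner specified in the TSF in response`, so the second `TSF` looks like a slip for `TSS`. The activity just before it has the evaluator confirm that the TSS describes the behaviour on an invalid peer certificate, and that description is the only documented expectation the test can be compared against. Suggested wording: `verify that the TSF behaves in the manner specified in the TSS in response`. The visible text is the same on the removed and added lines, so the wording predates this commit, and the enclosing element starts and ends outside the hunk.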
@@ -1820,13 +1820,13 @@ for i = 1 to 1000: id="ftp_dit_ext.1.1_1">not transmit any datasensitive data encrypt all transmitted sensitive datadata with HTTPS as a client in accordance with FCS_HTTPS_EXT.1 and FCS_HTTPS_EXT.2HTTPS as a server in accordance with FCS_HTTPS_EXT.1HTTPS as a server with support for mutual authentication in accordance with FCS_HTTPS_EXT.1 and FCS_HTTPS_EXT.2TLS as a server as defined in Functional Package for Transport Layer Security (TLS), version 2.1 and also supports functionality for mutual authenticationnone TLS as a client as defined in Functional Package for Transport Layer Security (TLS), version 2.1DTLS as a server as defined in Functional Package for Transport Layer Security (TLS), version 2.1 and also supports functionality for mutual authenticationnone DTLS as a client as defined in Functional Package for Transport Layer Security (TLS), version 2.1SSH as defined in the IPsec as defined in the VPN Client PP-Module, version 3.0 for function(s) using certificates as defined in the Functional Package for X.509invoke platform-provided functionality to encrypt all transmitted sensitive data with HTTPSTLSDTLSSSHIPsec for function(s) using certificates as defined in the Functional Package for X.509invoke platform-provided functionality to encrypt all transmitted data with HTTPSTLSDTLSSSHIPsec for function(s) using certificates as defined in the Functional Package for X.509 between itself and another trusted IT product. 
+ id="ftp_dit_ext.1.1_4">encrypt all transmitted sensitive datadata with HTTPS as a client in accordance with FCS_HTTPS_EXT.1 and FCS_HTTPS_EXT.2HTTPS as a server in accordance with FCS_HTTPS_EXT.1HTTPS as a server with support for mutual authentication in accordance with FCS_HTTPS_EXT.1 and FCS_HTTPS_EXT.2TLS as a server as defined in Functional Package for Transport Layer Security (TLS), version 2.1 and also supports functionality for mutual authenticationnone TLS as a client as defined in Functional Package for Transport Layer Security (TLS), version 2.1DTLS as a server as defined in Functional Package for Transport Layer Security (TLS), version 2.1 and also supports functionality for mutual authenticationnone DTLS as a client as defined in Functional Package for Transport Layer Security (TLS), version 2.1SSH as defined in the IPsec as defined in the VPN Client PP-Module, version 3.0 for function(s) using certificates as defined in the Functional Package for X.509invoke platform-provided functionality to encrypt all transmitted sensitive data with HTTPSTLSDTLSSSHIPsec for function(s) using certificates as defined in the Functional Package for X.509invoke platform-provided functionality to encrypt all transmitted data with HTTPSTLSDTLSSSHIPsec for function(s) using certificates as defined in the Functional Package for X.509 between itself and another trusted IT product. 
The application shall <selectables onlyone="yes" linebreak="yes"><selectable>not transmit any <selectables onlyone="yes"><selectable>data </selectable> <selectable>sensitive data </selectable> </selectables> </selectable> <selectable>encrypt all transmitted <selectables onlyone="yes"><selectable>sensitive data </selectable> <selectable>data </selectable> </selectables> with <assignable>trusted protocol </assignable> for <assignable>function(s) </assignable> </selectable> <selectable>invoke platform-provided functionality to encrypt all transmitted sensitive data with <assignable>trusted protocol </assignable> for <assignable>function(s) </assignable> </selectable> <selectable>invoke platform-provided functionality to encrypt all transmitted data with <assignable>trusted protocol </assignable> for <assignable>function(s) </assignable> </selectable> </selectables> between itself and another trusted IT product. Encryption is not required for applications transmitting - data that is not sensitive.If "not transmit any..." is selected, no other option can be selected.If "not transmit any..." is NOT selected, it is possible to select more than one of the other options to encrypt data for a specific cryptographic function (e.g., application encrypts management data using SSH AND application invokes platform-provided functionality to encrypt syslog data using TLS OR application encrypts syslog data using TLS. Protocol selections and function assignments should be made to cover all data/sensitive data.If "encrypt all transmitted..." is selected and "TLS" or "DTLS" as a client or server is selected, then corresponding components from Functional Package for Transport Layer Security (TLS), version 2.1 must be selected.If "encrypt all transmitted..." is selected and any claim involving HTTPS is selected, then FCS_HTTPS_EXT.1 and potentially FCS_HTTPS_EXT.2 is required, as indicated by the chosen selections.If "encrypt all transmitted..." 
is selected and "SSH" is selected, then the TSF shall be validated against the Functional Package for Secure Shell.If "encrypt all transmitted..." is selected and "IPsec" is selected, then the TSF must claim conformance to a PP-Configuration that includes the VPN Client PP-Module, version 3.0.If "encrypt all transmitted..." is selected, FCS_CKM.2 and all iterations of FCS_COP.1 must be claimed.Claims from the - Functional Package for X.509 are only required to the extent that they are needed to support the functionality required by the trusted protocols that are claimed. For example, if the TOE supports HTTPS as a server but does not support mutual authentication, then for this interface the TSF would only present certificates in accordance with the requirements of the package and not validate presented certificates.If the TSF implements a protocol that requires the validation of a certificate presented by an external entity, FIA_X509_EXT.1 and FIA_X509_EXT.2 will be claimed. FIA_TSM_EXT.1 may also be claimed if the TSF implements its own trust store. Note that FIA_X509_EXT.1 and FIA_X509_EXT.2 have selections for invocation of platform-provided functionality, so it is expected that these claims are made and tested even when the trusted protocol is implemented by the TOE platform.If the TSF implements a protocol that requires the presentation of any certificates to an external entity, FIA_XCU_EXT.2 from - Functional Package for X.509 will be claimed. FIA_X509_EXT.3 from - Functional Package for X.509 will also be claimed, along with any applicable dependencies, depending on how the certificates presented by the TOE are obtained.If the TSF implements a protocol that does not require presenting or validating X.509 certificates, no claims from the + data that is not sensitive.If "not transmit any..." is selected, no other option can be selected.If "not transmit any..." 
is NOT selected, it is possible to select more than one of the other options to encrypt data for a specific cryptographic function (e.g., application encrypts management data using SSH AND application invokes platform-provided functionality to encrypt syslog data using TLS OR application encrypts syslog data using TLS. Protocol selections and function assignments should be made to cover all data/sensitive data.If "encrypt all transmitted..." is selected and "TLS" or "DTLS" as a client or server is selected, then corresponding components from Functional Package for Transport Layer Security (TLS), version 2.1 must be selected.If "encrypt all transmitted..." is selected and any claim involving HTTPS is selected, then FCS_HTTPS_EXT.1 and potentially FCS_HTTPS_EXT.2 is required, as indicated by the chosen selections.If "encrypt all transmitted..." is selected and "SSH" is selected, then the TSF shall be validated against the Functional Package for Secure Shell.If "encrypt all transmitted..." is selected and "IPsec" is selected, then the TSF must claim conformance to a PP-Configuration that includes the VPN Client PP-Module, version 3.0.If "encrypt all transmitted..." is selected, FCS_CKM.2 and all iterations of FCS_COP.1 must be claimed.Claims from the + Functional Package for X.509 are only required to the extent that they are needed to support the functionality required by the trusted protocols that are claimed. For example, if the TOE supports HTTPS as a server but does not support mutual authentication, then for this interface the TSF would only present certificates in accordance with the requirements of the package and not validate presented certificates.If the TSF implements a protocol that requires the validation of a certificate presented by an external entity, FIA_X509_EXT.1 and FIA_X509_EXT.2 will be claimed. FIA_TSM_EXT.1 may also be claimed if the TSF implements its own trust store. 
Note that FIA_X509_EXT.1 and FIA_X509_EXT.2 have selections for invocation of platform-provided functionality, so it is expected that these claims are made and tested even when the trusted protocol is implemented by the TOE platform.If the TSF implements a protocol that requires the presentation of any certificates to an external entity, FIA_XCU_EXT.2 from + Functional Package for X.509 will be claimed. FIA_X509_EXT.3 from + Functional Package for X.509 will also be claimed, along with any applicable dependencies, depending on how the certificates presented by the TOE are obtained.If the TSF implements a protocol that does not require presenting or validating X.509 certificates, no claims from the Functional Package for X.509 are required. The evaluator shall confirm the TSS describes the data transmitted, and @@ -2249,7 +2249,7 @@ for i = 1 to 1000: This appendix describes the required supplementary information for the entropy source used by the TOE. The documentation of the entropy source should be detailed enough that, after reading, the evaluator will thoroughly understand the entropy source and why it can be relied upon to provide sufficient entropy. This documentation should include multiple detailed sections: design description, entropy justification, operating conditions, and health testing. This documentation is not required to be part of the TSS.
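Review bot: The application note on the changed lines of the -1820 hunk opens a parenthesis at `(e.g., application encrypts management data using SSH AND ...` and never closes it, and the `AND ... OR ...` chain inside it can be read two ways. This note tells ST authors how trusted-protocol selections may be combined, so the example should be unambiguous. Closing it and grouping the alternatives would do, e.g. `... using SSH AND (application invokes platform-provided functionality to encrypt syslog data using TLS OR application encrypts syslog data using TLS)).` The wording is identical on the removed and added lines, so it predates this commit, but the line is being rewritten here anyway.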
Documentation shall include the design of the entropy source as a whole, including the interaction of all entropy source components. Any information that can be shared regarding the design should also be included for any third-party entropy sources that are included in the product. The documentation shall describe how unprocessed (raw) data was obtained for the analysis. This description shall be sufficiently detailed to explain at what point in the entropy source model the data was collected and what effects, if any, the process of data collection had on the overall entropy generation rate. The documentation should walk through the entropy source design indicating where the entropy comes from, where the entropy output is passed next, any post-processing of the raw outputs (hash, XOR, etc.), if/where it is stored, and finally, how it is output from the entropy source. Any conditions placed on the process (e.g., blocking) should also be described in the entropy source design. Diagrams and examples are encouraged. This design must also include a description of the content of the security boundary of the entropy source and a description of how the security boundary ensures that an adversary outside the boundary cannot affect the entropy rate. If implemented, the design description shall include a description of how third-party applications can add entropy to the RBG. A description of any RBG state saving between power-off and power-on shall be included.
There should be a technical argument for where the unpredictability in the source comes from and why there is confidence in the entropy source delivering sufficient entropy for the uses made of the RBG output (by this particular TOE). This argument will include a description of the expected min-entropy rate (i.e. the minimum entropy (in bits) per bit or byte of source data) and explain that sufficient entropy is going into the TOE randomizer seeding process. This discussion will be part of a justification for why the entropy source can be relied upon to produce bits with entropy. The amount of information necessary to justify the expected min-entropy rate depends on the type of entropy source included in the product. For developer provided entropy sources, in order to justify the min-entropy rate, it is expected that a large number of raw source bits will be collected, statistical tests will be performed, and the min-entropy rate determined from the statistical tests. While no particular statistical tests are required at this time, it is expected that some testing is necessary in order to determine the amount of min-entropy in each output. For third party provided entropy sources, in which the TOE vendor has limited access to the design and raw entropy data of the source, the documentation will indicate an estimate of the amount of min-entropy obtained from this third-party source. It is acceptable for the vendor to “assume” an amount of min-entropy, however, this assumption must be clearly stated in the documentation provided. In particular, the min-entropy estimate must be specified and the assumption included in the ST. 
Regardless of type of entropy source, the justification will also include how the DRBG is initialized with the entropy stated in the ST, for example by verifying that the min-entropy rate is multiplied by the amount of source data used to seed the DRBG or that the rate of entropy expected based on the amount of source data is explicitly stated and compared to the statistical rate. If the amount of source data used to seed the DRBG is not clear or the calculated rate is not explicitly related to the seed, the documentation will not be considered complete. The entropy justification shall not include any data added from any third-party application or from any state saving between restarts.
The entropy rate may be affected by conditions outside the control of the entropy source itself. For example, voltage, frequency, temperature, and elapsed time after power-on are just a few of the factors that may affect the operation of the entropy source. As such, documentation will also include the range of operating conditions under which the entropy source is expected to generate random data. It will clearly describe the measures that have been taken in the system design to ensure the entropy source continues to operate under those conditions. Similarly, documentation shall describe the conditions under which the entropy source is known to malfunction or become inconsistent. Methods used to detect failure or degradation of the source shall be included.
More specifically, all entropy source health tests and their rationale will be documented. This will include a description of the health tests, the rate and conditions under which each health test is performed (e.g., at startup, continuously, or on-demand), the expected results for each health test, and rationale indicating why each test is believed to be appropriate for detecting one or more failures in the entropy source.
-
The purpose of equivalence in PP-based evaluations is to find a balance between evaluation rigor and commercial practicability—to ensure that evaluations meet customer expectations while recognizing that there is little to be gained from requiring that every variation in a product or platform be fully tested. If a product is found to be compliant with a PP on one platform, then all equivalent products on equivalent platforms are also considered to be compliant with the PP. A Vendor can make a claim of equivalence if the Vendor believes that a particular instance of their Product implements PP-specified security functionality in a way equivalent to the implementation of the same functionality on another instance of their Product on which the functionality was tested. The Product instances can differ in version number or feature level (model), or the instances may run on different platforms. Equivalency can be used to reduce the testing required across claimed evaluated configurations. It can also be used during Assurance Maintenance to reduce testing needed to add more evaluated configurations to a certification. These equivalency guidelines do not replace Assurance Maintenance requirements or NIAP Policy #5 requirements for CAVP certificates. Nor may equivalency be used to leverage evaluations with expired certifications. These Equivalency Guidelines represent a shift from complete testing of all product instances to more of a risk-based approach. Rather than require that every combination of product and platform be tested, these guidelines support an approach that recognizes that products are being used in a variety of environments—and often in cloud environments over where the vendor (and sometimes the customer) have little or no control over the underlying hardware. 
Developers should be responsible for the security functionality of their applications on the platforms they are developed for—whether that is an operating system, a virtual machine, or a software-based execution environment such as a container. But those platforms may themselves run within other environments—virtual machines or operating systems—that completely abstract away the underlying hardware from the application. The developer should not be held accountable for security functionality that is implemented by platform layers that are abstracted away. The implication is that not all security functionality will necessarily be tested for all platform layers down to the hardware for all evaluated configurations—especially for applications developed for software-based execution environments such as containers. For these cases, the balancing of evaluation rigor and commercial practicability tips in favor of practicability. Note that this does not affect the requirement that at least one product instance be fully tested on at least one platform with cryptography mapped to a CAVP certificate. Equivalency has two aspects: Product Equivalence: Products may be considered equivalent if there are no differences between Product Models and Product Versions with respect to PP-specified security functionality. Platform Equivalence: Platforms may be considered equivalent if there are no significant differences in the services they provide to the Product—or in the way the platforms provide those services—with respect to PP-specified security functionality. The equivalency determination is made in accordance with these guidelines by the Validator and Scheme using information provided by the Evaluator/Vendor.
There are two scenarios for performing equivalency analysis. One is when a product has been certified and the vendor wants to show that a later product should be considered certified due to equivalence with the earlier product. The other is when multiple product variants are going though evaluation together and the vendor would like to reduce the amount of testing that must be done. The basic rules for determining equivalence are the same in both cases. But there is one additional consideration that applies to equivalence with previously certified products. That is, the product with which equivalence is being claimed must have a valid certification in accordance with scheme rules and the Assurance Maintenance process must be followed. If a product’s certification has expired, then equivalence cannot be claimed with that product. When performing equivalency analysis, the Evaluator/Vendor should first use the factors and guidelines for Product Model equivalence to determine the set of Product Models to be evaluated. In general, Product models that do not differ in PP-specified security functionality are considered equivalent for purposes of evaluation against the this PP. If multiple revision levels of Product Models are to be evaluated—or to determine whether a revision of an evaluated product needs re-evaluation—the Evaluator/Vendor and Validator should use the factors and guidelines for Product Version equivalence to analyze whether Product Versions are equivalent. Having determined the set of Product Models and Versions to be evaluated, the next step is to determine the set of Platforms that the Products must be tested on. Each non-equivalent Product for which compliance is claimed must be fully tested on each non-equivalent platform for which compliance is claimed. For non-equivalent Products on equivalent platforms, only the differences that affect PP-specified security functionality must be tested for each product. 
“Differences in PP-Specified Security Functionality” Defined If PP-specified security functionality is implemented by the TOE, then differences in the actual implementation between versions or product models break equivalence for that feature. Likewise, if the TOE implements the functionality in one version or model and the functionality is implemented by the platform in another version or model, then equivalence is broken. If the functionality is implemented by the platform in multiple models or versions on equivalent platforms, then the functionality is considered different if the product invokes the platform differently to perform the function.
Product Model equivalence attempts to determine whether different feature levels of the same product across a product line are equivalent for purposes of PP testing. For example, if a product has a “basic” edition and an “enterprise” edition, is it necessary to test both models? Or does testing one model provide sufficient assurance that both models are compliant? Product models are considered equivalent if there are no differences that affect PP-specified security functionality—as indicated in Table 1. Factor Same/Different Guidance PP-Specified Functionality Same If the differences between Models affect only non-PP-specified functionality, then the Models are equivalent. Different If PP-specified security functionality is affected by the differences between Models, then the Models are not equivalent and must be tested separately. It is necessary only to test the functionality affected by the software differences. If only differences are tested, then the differences must be enumerated, and for each difference the Vendor must provide an explanation of why each difference does or does not affect PP-specified functionality. If the Product Models are separately tested fully, then there is no need to document the differences. Table 1. Determining Product Model Equivalence
In cases of version equivalence, differences are expressed in terms of changes implemented in revisions of an evaluated Product. In general, versions are equivalent if the changes have no effect on any security-relevant claims about the TOE or assurance evidence. Non-security-relevant changes to TOE functionality or the addition of non-security-relevant functionality does not affect equivalence. Factor Same/Different Guidance Product Models Different Versions of different Product Models are not equivalent unless the Models are equivalent as defined in Section 3. PP-Specified Functionality Same If the differences affect only non-PP-specified functionality, then the Versions are equivalent. Different If PP-specified security functionality is affected by the differences, then the Versions are not considered equivalent and must be tested separately. It is necessary only to test the functionality affected by the changes. If only the differences are tested, then for each difference the Vendor must provide an explanation of why the difference does or does not affect PP-specified functionality. If the Product Versions are separately tested fully, then there is no need to document the differences. Table 2. Factors for Determining Product Version Equivalence
Platform equivalence is used to determine the platforms that equivalent versions of a Product must be tested on. Platform equivalence analysis done for one software application cannot be applied to another software application. Platform equivalence is not general—it is with respect to a particular application. Product Equivalency analysis must already have been done and Products have been determined to be equivalent. The platform can be hardware or virtual hardware, an operating system or similar entity, or a software execution environment such as a container. For purposes of determining equivalence for software applications, we address each type of platform separately. In general, platform equivalence is based on differences in the interfaces between the TOE and Platform that are relevant to the implementation of PP-specified security functionality.
If an application runs directly on hardware without an operating system—or directly on virtualized hardware without an operating system—then platform equivalence is based on processor architecture and instruction sets. In the case of virtualized hardware, it is the virtualized processor and architecture that are presented to the application that matters—not the physical hardware. Platforms with different processor architectures and instruction sets are not equivalent. This is not likely to be an issue for equivalency analysis for applications since there is likely to be a different version of the application for different hardware environments. Equivalency analysis becomes important when comparing processors with the same architecture. Processors with the same architecture that have instruction sets that are subsets or supersets of each other are not disqualified from being equivalent for purposes of an App evaluation. If the application takes the same code paths when executing PP-specified security functionality on different processors of the same family, then the processors can be considered equivalent with respect to that application. For example, if an application follows one code path on platforms that support the AES-NI instruction and another on platforms that do not, then those two platforms are not equivalent with respect to that application functionality. But if the application follows the same code path whether or not the platform supports AES-NI, then the platforms are equivalent with respect to that functionality. The platforms are equivalent with respect to the application if the platforms are equivalent with respect to all PP-specified security functionality. Factor Same/Different/None Guidance Platform Architectures Different Platforms that present different processor architectures and instruction sets to the application are not equivalent. 
PP-Specified Functionality Same For platforms with the same processor architecture, the platforms are equivalent with respect to the application if execution of all PP-specified security functionality follows the same code path on both platforms. Table 3. Factors for Determining Hardware/Virtual Hardware Platform Equivalence
For traditional applications that are built for and run on operating systems, platform equivalence is determined by the interfaces between the application and the operating system that are relevant to PP-specified security functionality. Generally, these are the processor interface, device interfaces, and OS APIs. The following factors applied in order: Factor Same/Different/None Guidance Platform Architectures Different Platforms that run on different processor architectures and instruction sets are not equivalent. Platform Vendors Different Platforms from different vendors are not equivalent. Platform Versions Different Platforms from the same vendor with different major version numbers are not equivalent. Platform Interfaces Different Platforms from the same vendor and major version are not equivalent if there are differences in device interfaces and OS APIs that are relevant to the way the platform provides PP-specified security functionality to the application. Platform Interfaces Same Platforms from the same vendor and major version are equivalent if there are no differences in device interfaces and OS APIs that are relevant to the way the platform provides PP-specified security functionality to the application, or if the Platform does not provide such functionality to the application. Table 4. Factors for Determining OS/VS Platform Equivalence
If an Application is built for and runs in a non-OS software-based execution environment, such as a Container or Java Runtime, then the below criteria must be used to determine platform equivalence. The key point is that the underlying hardware (virtual or physical) and OS is not relevant to platform equivalence. This allows applications to be tested and run on software-based execution environments on any hardware—as in cloud deployments. Factor Same/Different/None Guidance Platform Type/Vendor Different Software-based execution environments that are substantially different or come from different vendors are not equivalent. For example, a Java virtual machine is not the same as a container. A Docker container is not the same as a CoreOS container. Platform Versions Different Execution environments that are otherwise equivalent are not equivalent if they have different major version numbers. PP-Specified Security Functionality Same All other things being equal, execution environments are equivalent if there is no significant difference in the interfaces through which the environments provide PP-specified security functionality to applications. Table 5. Factors for Software-based Execution Environment Platform Equivalence
In order to make equivalency determinations, the vendor and evaluator must agree on the equivalency claims. They must then provide the scheme with sufficient information about the TOE instances and platforms that were evaluated, and the TOE instances and platforms that are claimed to be equivalent. The ST must describe all configurations evaluated down to processor manufacturer, model number, and microarchitecture version. The information regarding claimed equivalent configurations depends on the platform that the application was developed for and runs on. Bare-Metal Applications For applications that run without an operating system on bare-metal or virtual bare-metal, the claimed configuration must describe the platform down to the specific processor manufacturer, model number, and microarchitecture version. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences (e.g., instruction set extensions) in the tested configuration versus the claimed equivalent configuration. Traditional Applications For applications that run with an operating system as their immediate platform, the claimed configuration must describe the platform down to the specific operating system version. If the platform is a virtualization system, then the claimed configuration must describe the platform down to the specific virtualization system version. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences in the tested configuration versus the claimed equivalent configuration. Relevant platform differences could include instruction sets, device interfaces, and OS APIs invoked by the TOE to implement PP-specified security functionality. 
Software-Based Execution Environments For applications that run in a software-based execution environment such as a Java virtual machine or a Container, then the claimed configuration must describe the platform down to the specific version of the software execution environment. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences in the tested configuration versus the claimed equivalent configuration.
+
The purpose of equivalence in PP-based evaluations is to find a balance between evaluation rigor and commercial practicability—to ensure that evaluations meet customer expectations while recognizing that there is little to be gained from requiring that every variation in a product or platform be fully tested. If a product is found to be compliant with a PP on one platform, then all equivalent products on equivalent platforms are also considered to be compliant with the PP. A Vendor can make a claim of equivalence if the Vendor believes that a particular instance of their Product implements PP-specified security functionality in a way equivalent to the implementation of the same functionality on another instance of their Product on which the functionality was tested. The Product instances can differ in version number or feature level (model), or the instances may run on different platforms. Equivalency can be used to reduce the testing required across claimed evaluated configurations. It can also be used during Assurance Maintenance to reduce testing needed to add more evaluated configurations to a certification. These equivalency guidelines do not replace Assurance Maintenance requirements or scheme-specific policy requirements for CAVP certificates. Nor may equivalency be used to leverage evaluations with expired certifications. These Equivalency Guidelines represent a shift from complete testing of all product instances to more of a risk-based approach. Rather than require that every combination of product and platform be tested, these guidelines support an approach that recognizes that products are being used in a variety of environments—and often in cloud environments over where the vendor (and sometimes the customer) have little or no control over the underlying hardware. 
Developers should be responsible for the security functionality of their applications on the platforms they are developed for—whether that is an operating system, a virtual machine, or a software-based execution environment such as a container. But those platforms may themselves run within other environments—virtual machines or operating systems—that completely abstract away the underlying hardware from the application. The developer should not be held accountable for security functionality that is implemented by platform layers that are abstracted away. The implication is that not all security functionality will necessarily be tested for all platform layers down to the hardware for all evaluated configurations—especially for applications developed for software-based execution environments such as containers. For these cases, the balancing of evaluation rigor and commercial practicability tips in favor of practicability. Note that this does not affect the requirement that at least one product instance be fully tested on at least one platform with cryptography mapped to a CAVP certificate. Equivalency has two aspects: Product Equivalence: Products may be considered equivalent if there are no differences between Product Models and Product Versions with respect to PP-specified security functionality. Platform Equivalence: Platforms may be considered equivalent if there are no significant differences in the services they provide to the Product—or in the way the platforms provide those services—with respect to PP-specified security functionality. The equivalency determination is made in accordance with these guidelines by the Validator and Scheme using information provided by the Evaluator/Vendor.
There are two scenarios for performing equivalency analysis. One is when a product has been certified and the vendor wants to show that a later product should be considered certified due to equivalence with the earlier product. The other is when multiple product variants are going though evaluation together and the vendor would like to reduce the amount of testing that must be done. The basic rules for determining equivalence are the same in both cases. But there is one additional consideration that applies to equivalence with previously certified products. That is, the product with which equivalence is being claimed must have a valid certification in accordance with scheme rules and the Assurance Maintenance process must be followed. If a product’s certification has expired, then equivalence cannot be claimed with that product. When performing equivalency analysis, the Evaluator/Vendor should first use the factors and guidelines for Product Model equivalence to determine the set of Product Models to be evaluated. In general, Product models that do not differ in PP-specified security functionality are considered equivalent for purposes of evaluation against the this PP. If multiple revision levels of Product Models are to be evaluated—or to determine whether a revision of an evaluated product needs re-evaluation—the Evaluator/Vendor and Validator should use the factors and guidelines for Product Version equivalence to analyze whether Product Versions are equivalent. Having determined the set of Product Models and Versions to be evaluated, the next step is to determine the set of Platforms that the Products must be tested on. Each non-equivalent Product for which compliance is claimed must be fully tested on each non-equivalent platform for which compliance is claimed. For non-equivalent Products on equivalent platforms, only the differences that affect PP-specified security functionality must be tested for each product. 
“Differences in PP-Specified Security Functionality” Defined If PP-specified security functionality is implemented by the TOE, then differences in the actual implementation between versions or product models break equivalence for that feature. Likewise, if the TOE implements the functionality in one version or model and the functionality is implemented by the platform in another version or model, then equivalence is broken. If the functionality is implemented by the platform in multiple models or versions on equivalent platforms, then the functionality is considered different if the product invokes the platform differently to perform the function.
Product Model equivalence attempts to determine whether different feature levels of the same product across a product line are equivalent for purposes of PP testing. For example, if a product has a “basic” edition and an “enterprise” edition, is it necessary to test both models? Or does testing one model provide sufficient assurance that both models are compliant? Product models are considered equivalent if there are no differences that affect PP-specified security functionality—as indicated in Table 1. Factor Same/Different Guidance PP-Specified Functionality Same If the differences between Models affect only non-PP-specified functionality, then the Models are equivalent. Different If PP-specified security functionality is affected by the differences between Models, then the Models are not equivalent and must be tested separately. It is necessary only to test the functionality affected by the software differences. If only differences are tested, then the differences must be enumerated, and for each difference the Vendor must provide an explanation of why each difference does or does not affect PP-specified functionality. If the Product Models are separately tested fully, then there is no need to document the differences. Table 1. Determining Product Model Equivalence
In cases of version equivalence, differences are expressed in terms of changes implemented in revisions of an evaluated Product. In general, versions are equivalent if the changes have no effect on any security-relevant claims about the TOE or assurance evidence. Non-security-relevant changes to TOE functionality or the addition of non-security-relevant functionality does not affect equivalence. Factor Same/Different Guidance Product Models Different Versions of different Product Models are not equivalent unless the Models are equivalent as defined in Section 3. PP-Specified Functionality Same If the differences affect only non-PP-specified functionality, then the Versions are equivalent. Different If PP-specified security functionality is affected by the differences, then the Versions are not considered equivalent and must be tested separately. It is necessary only to test the functionality affected by the changes. If only the differences are tested, then for each difference the Vendor must provide an explanation of why the difference does or does not affect PP-specified functionality. If the Product Versions are separately tested fully, then there is no need to document the differences. Table 2. Factors for Determining Product Version Equivalence
Platform equivalence is used to determine the platforms that equivalent versions of a Product must be tested on. Platform equivalence analysis done for one software application cannot be applied to another software application. Platform equivalence is not general—it is with respect to a particular application. Product Equivalency analysis must already have been done and Products have been determined to be equivalent. The platform can be hardware or virtual hardware, an operating system or similar entity, or a software execution environment such as a container. For purposes of determining equivalence for software applications, we address each type of platform separately. In general, platform equivalence is based on differences in the interfaces between the TOE and Platform that are relevant to the implementation of PP-specified security functionality.
If an application runs directly on hardware without an operating system—or directly on virtualized hardware without an operating system—then platform equivalence is based on processor architecture and instruction sets. In the case of virtualized hardware, it is the virtualized processor and architecture that are presented to the application that matters—not the physical hardware. Platforms with different processor architectures and instruction sets are not equivalent. This is not likely to be an issue for equivalency analysis for applications since there is likely to be a different version of the application for different hardware environments. Equivalency analysis becomes important when comparing processors with the same architecture. Processors with the same architecture that have instruction sets that are subsets or supersets of each other are not disqualified from being equivalent for purposes of an App evaluation. If the application takes the same code paths when executing PP-specified security functionality on different processors of the same family, then the processors can be considered equivalent with respect to that application. For example, if an application follows one code path on platforms that support the AES-NI instruction and another on platforms that do not, then those two platforms are not equivalent with respect to that application functionality. But if the application follows the same code path whether or not the platform supports AES-NI, then the platforms are equivalent with respect to that functionality. The platforms are equivalent with respect to the application if the platforms are equivalent with respect to all PP-specified security functionality. Factor Same/Different/None Guidance Platform Architectures Different Platforms that present different processor architectures and instruction sets to the application are not equivalent. 
PP-Specified Functionality Same For platforms with the same processor architecture, the platforms are equivalent with respect to the application if execution of all PP-specified security functionality follows the same code path on both platforms. Table 3. Factors for Determining Hardware/Virtual Hardware Platform Equivalence
For traditional applications that are built for and run on operating systems, platform equivalence is determined by the interfaces between the application and the operating system that are relevant to PP-specified security functionality. Generally, these are the processor interface, device interfaces, and OS APIs. The following factors applied in order: Factor Same/Different/None Guidance Platform Architectures Different Platforms that run on different processor architectures and instruction sets are not equivalent. Platform Vendors Different Platforms from different vendors are not equivalent. Platform Versions Different Platforms from the same vendor with different major version numbers are not equivalent. Platform Interfaces Different Platforms from the same vendor and major version are not equivalent if there are differences in device interfaces and OS APIs that are relevant to the way the platform provides PP-specified security functionality to the application. Platform Interfaces Same Platforms from the same vendor and major version are equivalent if there are no differences in device interfaces and OS APIs that are relevant to the way the platform provides PP-specified security functionality to the application, or if the Platform does not provide such functionality to the application. Table 4. Factors for Determining OS/VS Platform Equivalence
If an Application is built for and runs in a non-OS software-based execution environment, such as a Container or Java Runtime, then the below criteria must be used to determine platform equivalence. The key point is that the underlying hardware (virtual or physical) and OS is not relevant to platform equivalence. This allows applications to be tested and run on software-based execution environments on any hardware—as in cloud deployments. Factor Same/Different/None Guidance Platform Type/Vendor Different Software-based execution environments that are substantially different or come from different vendors are not equivalent. For example, a Java virtual machine is not the same as a container. A Docker container is not the same as a CoreOS container. Platform Versions Different Execution environments that are otherwise equivalent are not equivalent if they have different major version numbers. PP-Specified Security Functionality Same All other things being equal, execution environments are equivalent if there is no significant difference in the interfaces through which the environments provide PP-specified security functionality to applications. Table 5. Factors for Software-based Execution Environment Platform Equivalence
In order to make equivalency determinations, the vendor and evaluator must agree on the equivalency claims. They must then provide the scheme with sufficient information about the TOE instances and platforms that were evaluated, and the TOE instances and platforms that are claimed to be equivalent. The ST must describe all configurations evaluated down to processor manufacturer, model number, and microarchitecture version. The information regarding claimed equivalent configurations depends on the platform that the application was developed for and runs on. Bare-Metal Applications For applications that run without an operating system on bare-metal or virtual bare-metal, the claimed configuration must describe the platform down to the specific processor manufacturer, model number, and microarchitecture version. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences (e.g., instruction set extensions) in the tested configuration versus the claimed equivalent configuration. Traditional Applications For applications that run with an operating system as their immediate platform, the claimed configuration must describe the platform down to the specific operating system version. If the platform is a virtualization system, then the claimed configuration must describe the platform down to the specific virtualization system version. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences in the tested configuration versus the claimed equivalent configuration. Relevant platform differences could include instruction sets, device interfaces, and OS APIs invoked by the TOE to implement PP-specified security functionality. 
Software-Based Execution Environments For applications that run in a software-based execution environment such as a Java virtual machine or a Container, then the claimed configuration must describe the platform down to the specific version of the software execution environment. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences in the tested configuration versus the claimed equivalent configuration.
From 3dc5aec093d5d820b034bb4fe0a6f2b236b52f47 Mon Sep 17 00:00:00 2001 From: drumleytx <216058183+drumleytx@users.noreply.github.com> Date: Wed, 4 Mar 2026 12:16:40 -0600 Subject: [PATCH 4/9] Rename application.xml to repository.xml to match build system --- input/{application.xml => repository.xml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename input/{application.xml => repository.xml} (100%) diff --git a/input/application.xml b/input/repository.xml similarity index 100% rename from input/application.xml rename to input/repository.xml From cd7b89d983c141056535c17331436f1f5b17c6ba Mon Sep 17 00:00:00 2001 From: drumleytx <216058183+drumleytx@users.noreply.github.com> Date: Wed, 4 Mar 2026 13:41:39 -0600 Subject: [PATCH 5/9] Revert XML rename, set BASE=application in Makefile instead --- Makefile | 1 + input/{repository.xml => application.xml} | 0 2 files changed, 1 insertion(+) rename input/{repository.xml => application.xml} (100%) diff --git a/Makefile b/Makefile index 19b4cd4..180dc98 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,4 @@ +BASE=application DIFF_TAGS=v1.4 TRANS?=transforms diff --git a/input/repository.xml b/input/application.xml similarity index 100% rename from input/repository.xml rename to input/application.xml From 1cc4638db3ab6a821fad8d7abe80844ac5518630 Mon Sep 17 00:00:00 2001 From: drumleytx <216058183+drumleytx@users.noreply.github.com> Date: Wed, 4 Mar 2026 13:46:26 -0600 Subject: [PATCH 6/9] Fix document links to use application-release.html --- README.md | 2 +- Readme.adoc | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 806ae23..abf07a3 100644 --- a/README.md +++ b/README.md 
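Review bot: The added `BASE=application` line in the Makefile hunk (`@@ -1,3 +1,4 @@`) has no comment, although other files in this series depend on the same name: `input/application.xml` is renamed back in this commit, and the README links change to `application-release.html` in the next one. Presumably the build derives both the input file and the published page name from `BASE`. If so, a one-line comment above it would keep the three in step, e.g. `# BASE: stem of input/<BASE>.xml and of the published <BASE>-release.html; keep README links in sync`. The Makefile continues beyond the hunk, so how `BASE` is consumed is not visible here.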
@@ -7,7 +7,7 @@ This repository hosts the collaborative Protection Profile (cPP) for Application ## Draft Version -- [collaborative Protection Profile for Application Software](https://appswcpp.github.io/repository/Version-2/repository-release.html) (HTML) +- [collaborative Protection Profile for Application Software](https://appswcpp.github.io/repository/Version-2/application-release.html) (HTML) ## Archived Versions diff --git a/Readme.adoc b/Readme.adoc index f67a35a..1f2af98 100644 --- a/Readme.adoc +++ b/Readme.adoc @@ -4,7 +4,7 @@ |=== 8+|repository | https://github.com/appswcpp/repository/tree/Version-2[Version-2] -a| https://appswcpp.github.io/repository/Version-2/repository-release.html[📄] +a| https://appswcpp.github.io/repository/Version-2/application-release.html[📄] a|[link=https://github.com/appswcpp/repository/blob/gh-pages/Version-2/ValidationReport.txt] image::https://raw.githubusercontent.com/appswcpp/repository/gh-pages/Version-2/validation.svg[Validation] a|[link=https://github.com/appswcpp/repository/blob/gh-pages/Version-2/SanityChecksOutput.md] @@ -31,7 +31,7 @@ are looking for the officially released version for evaluations. === Draft Version -* https://appswcpp.github.io/repository/Version-2/repository-release.html[collaborative +* https://appswcpp.github.io/repository/Version-2/application-release.html[collaborative Protection Profile for Application Software] (html) === PP-Modules From 97cc8a82acae4f6a9cd520680318a1c08762cb42 Mon Sep 17 00:00:00 2001 
From: Brandon Harvey <64159025+bharveyTX@users.noreply.github.com>
Date: Tue, 12 May 2026 10:08:30 -0500
Subject: [PATCH 7/9] Draft version for Distributed TOE / Microservice
---
 .../Agent/appSW_PP_Config_ServerAgent.adoc | 237 ++++++++++-
 Archive/Modules/Agent/cPP_MOD-Agent.adoc | 17 +-
 Archive/Modules/Server/cPP_MOD-Server.adoc | 21 +-
 Archive/cPP/v2/input/application.xml | 5 +
 input/application.xml | 7 +
 ...ule-distributed-microservices-redline.docx | Bin 0 -> 37990 bytes
 ...-v2-distributed-microservices-redline.docx | Bin 0 -> 37818 bytes
 ...ion-distributed-microservices-redline.docx | Bin 0 -> 41005 bytes
 ...ule-distributed-microservices-redline.docx | Bin 0 -> 38079 bytes
 tools/make_distributed_toe_redlines.py | 367 ++++++++++++++++++
 10 files changed, 641 insertions(+), 13 deletions(-)
 create mode 100644 review_artifacts/agent-module-distributed-microservices-redline.docx
 create mode 100644 review_artifacts/application-v2-distributed-microservices-redline.docx
 create mode 100644 review_artifacts/server-agent-configuration-distributed-microservices-redline.docx
 create mode 100644 review_artifacts/server-module-distributed-microservices-redline.docx
 create mode 100644 tools/make_distributed_toe_redlines.py
diff --git a/Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc b/Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc
index 0220cfc..f6aa24e 100644
--- a/Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc
+++ b/Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc
@@ -1,4 +1,4 @@
-= PP-Configuration for Enterprise Server Applications and Client Agent(s)
+= PP-Configuration for Enterprise Server Applications and Agent/Application Component(s)
 :showtitle:
 :toc:
 :table-caption: Table
@@ -43,13 +43,13 @@ This PP-Configuration was developed by the {iTC-longname} international Technica === PP-Configuration Overview The purpose of a PP-Configuration is to combine Protection Profiles (PPs) and PP-Modules for various technology types into a single configuration that can be evaluated as a whole. -This PP-Configuration is for enterprise server applications and their client agent(s). +This PP-Configuration is for enterprise server applications and their agent or application component(s). It provides the enforceable PP-Configuration path for distributed application software, including server-agent deployments, clustered server deployments, and microservices architectures composed of multiple application payload components. === PP-Configuration Reference This PP-Configuration is identified as follows: -* PP-Configuration for Enterprise Server Applications and Client Agent(s), Version {revnumber}, {revdate} +* PP-Configuration for Enterprise Server Applications and Agent/Application Component(s), Version {revnumber}, {revdate} * As a shorthand reference, it can be identified as "CFG_APP-Server-Agent_V{revnumber}"" === PP-Configuration Components 
@@ -70,6 +70,237 @@ This PP-Configuration includes the following components: |=== +=== Distributed and Microservices TOE Architectures +For this PP-Configuration, a distributed TOE consists of multiple separately deployed application components that collectively provide the TOE security functionality. Each TOE component shall be identified in the ST and mapped to the base PP, Server Module, Agent Module, or a combination of those components, as applicable. + +For containerized or microservices TOEs, the TOE consists of the application payload components identified in the ST. The container orchestration platform, container runtime, operating system, service mesh infrastructure, ingress infrastructure, cluster networking, and platform-provided secret or configuration stores are part of the operational environment unless explicitly included in the TOE boundary. + +The ST shall provide an SFR allocation rationale that identifies whether each claimed requirement is satisfied by all TOE components, by applicable TOE components that perform the relevant function, by at least one TOE component, by the TOE as a whole, or by an allowed operational environment dependency. The ST shall describe all inter-component TOE communications and identify the mechanisms used to authorize and protect those communications. + +==== SFR Allocation for Distributed TOEs +For a distributed TOE, the SFRs are satisfied by the TOE as a whole; however, not every SFR is necessarily implemented by every TOE component. The ST author shall use the following allocation categories to identify how each SFR is satisfied by the distributed TOE. + +All Components:: +Every TOE component shall independently satisfy the requirement. + +Applicable Components:: +Every TOE component that performs the relevant function shall satisfy the requirement. The ST shall identify the components to which the requirement applies and justify why the requirement does not apply to other TOE components. 
+ +At Least One Component:: +At least one TOE component shall satisfy the requirement on behalf of the TOE. The ST shall identify the component or components that satisfy the requirement and describe how this satisfies the TOE-level claim. + +TOE as a Whole:: +The requirement is satisfied by the collective behavior of the TOE components. The ST shall describe the TOE-level behavior and identify any component responsibilities necessary to satisfy the claim. + +Operational Environment Dependency:: +The TOE relies on the operational environment for the function, where allowed by the base cPP or PP-Module. The ST shall identify the environmental dependency and the guidance shall describe the required environmental configuration. + +The following table defines the expected allocation for the base cPP SFRs in a distributed TOE. + +.Base cPP SFR Allocation for Distributed TOEs +[cols="2,2,4",options="header"] +|=== +|SFR +|Allocation +|Distributed TOE guidance + +|FCS_CKM.1/AK +|Applicable Components +|Applies to each TOE component that invokes or implements asymmetric key generation. + +|FCS_CKM.1/SK +|Applicable Components +|Applies to each TOE component that generates symmetric keys. + +|FCS_CKM.2 +|Applicable Components +|Applies to each TOE component that performs key establishment. + +|FCS_CKM_EXT.1 +|Applicable Components +|Applies to each TOE component that invokes or implements key generation services. + +|FCS_COP.1/Hash +|Applicable Components +|Applies to each TOE component that performs hashing for a claimed function. + +|FCS_COP.1/KeyedHash +|Applicable Components +|Applies to each TOE component that performs keyed-hash functions for a claimed function. + +|FCS_COP.1/SigGen +|Applicable Components +|Applies to each TOE component that generates digital signatures. + +|FCS_COP.1/SigVer +|Applicable Components +|Applies to each TOE component that verifies digital signatures, including update verification if performed by that component. 
+ +|FCS_COP.1/SKC +|Applicable Components +|Applies to each TOE component that performs encryption or decryption. + +|FCS_HTTPS_EXT.1 +|Applicable Components +|Applies to each TOE component that implements HTTPS as a client, server, or server with mutual authentication. + +|FCS_HTTPS_EXT.2 +|Applicable Components +|Applies to each TOE component that implements HTTPS with peer certificate authentication behavior covered by this requirement. + +|FCS_PBKDF_EXT.1 +|Applicable Components +|Applies to each TOE component that performs password conditioning. + +|FCS_RBG.1 +|Applicable Components +|Applies to each TOE component that implements RBG functionality. + +|FCS_RBG.2 +|Applicable Components +|Applies to each TOE component that implements RBG functionality using external seeding. + +|FCS_RBG.3 +|Applicable Components +|Applies to each TOE component that implements RBG functionality using a single internal noise source. + +|FCS_RBG.4 +|Applicable Components +|Applies to each TOE component that implements RBG functionality using multiple internal noise sources. + +|FCS_RBG.5 +|Applicable Components +|Applies to each TOE component that implements RBG functionality using combined noise sources. + +|FCS_RBG_EXT.1 +|Applicable Components +|Applies to each TOE component that invokes platform-provided RBG services, implements RBG functionality, or claims no RBG functionality. + +|FCS_SNI_EXT.1 +|Applicable Components +|Applies to each TOE component that creates or uses salts, nonces, or initialization vectors for claimed cryptographic functions. + +|FCS_STO_EXT.1 +|Applicable Components +|Applies to each TOE component that persistently stores credentials. + +|FDP_DAR_EXT.1 +|Applicable Components +|Applies to each TOE component that stores sensitive application data at rest. + +|FDP_DEC_EXT.1 +|All Components +|Each TOE component shall identify and restrict its access to platform resources and sensitive information repositories as required by the base cPP. 
+ +|FDP_NET_EXT.1 +|All Components +|Each TOE component shall identify and restrict its inbound and outbound network communications. + +|FMT_CFG_EXT.1 +|All Components +|Each TOE component shall satisfy secure-by-default and file-permission requirements for its installed binaries, data, and default credentials. + +|FMT_MEC_EXT.1 +|Applicable Components +|Applies to each TOE component that stores or manages configuration options. + +|FMT_SMF.1 +|Applicable Components +|Applies to each TOE component that provides security management functions. At least one component shall be identified if management functions are claimed for the TOE. + +|FPR_ANO_EXT.1 +|Applicable Components +|Applies to each TOE component that transmits personally identifiable information. + +|FPT_AEX_EXT.1 +|All Components +|Each TOE component shall satisfy the anti-exploitation requirements applicable to its platform and implementation type. + +|FPT_API_EXT.1 +|All Components +|Each TOE component shall use only documented and supported platform APIs. + +|FPT_API_EXT.2 +|Applicable Components +|Applies to each TOE component that parses IANA MIME media types covered by the objective requirement. + +|FPT_FLS.1 +|Applicable Components +|Applies to each TOE component that must preserve a secure state for the selected failure conditions. + +|FPT_IDV_EXT.1 +|TOE as a Whole +|The TOE shall identify software versions. The ST shall identify how each separately versioned TOE component is represented in the TOE version information. + +|FPT_LIB_EXT.1 +|All Components +|Each TOE component shall identify its third-party libraries. + +|FPT_TST.1 +|Applicable Components +|Applies to each TOE component that performs TSF self-tests or integrity verification covered by the requirement. + +|FPT_TUD_EXT.1 +|TOE as a Whole +|The TOE shall provide trusted update support. The ST shall identify how each updateable TOE component is checked, delivered, installed, and versioned. 
+ +|FPT_TUD_EXT.2 +|Applicable Components +|Applies to each TOE component or update package that performs installation or update integrity functions covered by this selection-based requirement. + +|FTP_DIT_EXT.1 +|Applicable Components +|Applies to each TOE component that transmits data or sensitive data to another trusted IT product or invokes platform-provided functionality for that protection. Inter-component TOE communications are addressed by the Server and Agent Module requirements in this PP-Configuration. +|=== + +The following table defines the expected allocation for the Server and Agent PP-Module SFRs in a distributed TOE. + +.Server and Agent Module SFR Allocation for Distributed TOEs +[cols="2,2,4",options="header"] +|=== +|SFR +|Allocation +|Distributed TOE guidance + +|FMT_MEC_EXT.1/Server +|Applicable Components +|Applies to each Server Application component that stores or manages server configuration data. + +|FMT_SMF.1/Server +|Applicable Components +|Applies to each Server Application component that provides management functions. The ST shall identify which component or components manage inter-component communications, enrollment, or policy. + +|FPT_AEX_EXT.2/Server +|All Server Components +|Each Server Application component shall be compatible with security features provided by its platform vendor. + +|FCO_CPC_EXT.1/Server +|Applicable Components +|Applies to each Server Application component that enables, disables, registers, or authorizes communication with another TOE component. + +|FIA_X509_EXT.1/ITT/Server +|Applicable Components +|Applies to each Server Application component that validates X.509 certificates for inter-TOE-part communication. + +|FPT_ITT.1/Server +|Applicable Components +|Applies to each Server Application component that transmits TSF data between separate parts of the TOE. 
+ +|FCO_CPC_EXT.1/Agent +|Applicable Components +|Applies to each Agent Application component that is enabled, disabled, registered, authorized, or otherwise controlled for communication with another TOE component. + +|FPT_ITT.1/Agent +|Applicable Components +|Applies to each Agent Application component that transmits TSF data between separate parts of the TOE. + +|FIA_X509_EXT.1/ITT/Agent +|Applicable Components +|Applies to each Agent Application component that validates X.509 certificates for inter-TOE-part communication. +|=== + +If an operational environment component, such as a container orchestration platform, container runtime, service mesh infrastructure, ingress infrastructure, cluster networking, or platform-provided secret or configuration store, is relied upon to support a claimed SFR, the ST shall identify the dependency. The evaluator assesses the TOE's use of the dependency and the required configuration guidance, but the environmental component is not included in the TOE boundary unless explicitly claimed. + == Conformance Claims === CC Statement diff --git a/Archive/Modules/Agent/cPP_MOD-Agent.adoc b/Archive/Modules/Agent/cPP_MOD-Agent.adoc index 1dab93b..be8ee52 100644 --- a/Archive/Modules/Agent/cPP_MOD-Agent.adoc +++ b/Archive/Modules/Agent/cPP_MOD-Agent.adoc 
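Review bot: The FPT_AEX_EXT.2/Server row of the Server and Agent Module allocation table uses the allocation `All Server Components`, which is not one of the five categories this section defines (All Components, Applicable Components, At Least One Component, TOE as a Whole, Operational Environment Dependency). An ST author cannot tell from the table whether that row binds every TOE component or only those mapped to the Server Module, so either add the category to the definition list or write the row as `|Applicable Components` with the guidance `Applies to every Server Application component.` The FMT_SMF.1 row of the base cPP table has a similar mix: it is labelled Applicable Components while its guidance adds an at-least-one condition, and stating which category governs would keep the SFR allocation rationale checkable by an evaluator.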
@@ -92,11 +92,20 @@ For more see the http://www.commoncriteriaportal.org/[Common Criteria Portal]. ==== Compliant Targets of Evaluation -This is a Collaborative Protection Profile (cPP) Module whose Target of Evaluation (TOE) is Enterprise Agent Applications. This PP-Module is compatible with the cPP for Application Software and collaborative PP-Module for Server Applications. +This is a Collaborative Protection Profile (cPP) Module whose Target of Evaluation (TOE) is Enterprise Agent Applications. This PP-Module is compatible with the cPP for Application Software and collaborative PP-Module for Server Applications. + +For purposes of a PP-Configuration, an Agent Application is any separately deployed TOE application component that communicates with another TOE component under the control, coordination, policy, enrollment, or trust relationship established by the TOE. This may include endpoint agents, worker services, peer services, microservice payloads, subordinate application services, or other application components that are identified as TOE parts in the ST. + +For containerized or microservices TOEs, the TOE consists of the application payload components identified in the ST. The container orchestration platform, container runtime, operating system, service mesh infrastructure, ingress infrastructure, cluster networking, and platform-provided secret or configuration stores are part of the operational environment unless explicitly included in the TOE boundary. === TOE Use Cases All use cases of Enterprise Agent applications defined in the {base-pp} are applicable to this PP-Module. +=== Distributed and Microservices TOE Configurations +This PP-Module may be used in a PP-Configuration with the PP-Module for Server Applications to evaluate distributed application software. Distributed application software includes server-agent deployments, clustered server deployments, and microservices architectures composed of multiple application payload components. 
+ +The ST shall identify each Agent Application component, describe the role of each component, identify which claimed SFRs are implemented by each component, and describe all communications between Agent Application components and other TOE components. The ST shall also distinguish TOE components from operational environment components. If the TOE relies on operational environment components for execution, scheduling, networking, isolation, credential storage, configuration storage, time services, or protection of inter-component communications, the ST shall identify the dependency and the guidance shall describe the required environmental configuration. + == CC Conformance Claims As defined by the references <>, <> and <>, this PP-Module: @@ -178,7 +187,7 @@ The TSF shall implement a registration process in which TOE parts establish and ]. -*Application Note {counter:appnote}:* An Agent can communicate with a Server or another Agent. This SFR can be iterated if the registration method varies depending on what TOE parts are communicating. +*Application Note {counter:appnote}:* An Agent can communicate with a Server, another Agent, or another separately deployed TOE component identified in the ST. In a microservices architecture, this may include communication between application payload services. This SFR can be iterated if the registration method varies depending on what TOE parts are communicating. "No channel" is selected if the registration is performed via out-of-band manual means. *FCO_CPC_EXT.1.3/Agent* 
@@ -260,7 +269,7 @@ This is a new component within the FCO class used to define high-level constrain +---------------------------------------+ +-----+ .... -FCO_CPC_EXT.1/Agent Component Registration Channel Definition, requires the TSF to support a registration channel for joining together server and agent TOE parts, and to ensure that the availability of this channel is under the control of an Administrator. It also requires statement of the type of channel used (allowing specification of further lower-level security requirements by reference to other SFRs). +FCO_CPC_EXT.1/Agent Component Registration Channel Definition, requires the TSF to support a registration channel for joining together server and agent TOE parts or other distributed application TOE components, and to ensure that the availability of this channel is under the control of an Administrator. It also requires statement of the type of channel used (allowing specification of further lower-level security requirements by reference to other SFRs). *Management: FCO_CPC_EXT.1/Agent* @@ -301,4 +310,4 @@ Dependencies: No other components When this PP-Module is used to extend [cPP_APP_SW], the TOE type for the overall TOE is still a generic application. However, one of the functions of the device must be the ability for it to the capability to be managed by a server application. The TOE boundary is simply extended to include that functionality. === SFR Dependencies Analysis -The dependencies between SFRs implemented by the TOE are addressed as shown in the base PP. \ No newline at end of file +The dependencies between SFRs implemented by the TOE are addressed as shown in the base PP. diff --git a/Archive/Modules/Server/cPP_MOD-Server.adoc b/Archive/Modules/Server/cPP_MOD-Server.adoc index 8fe618a..4599f74 100644 --- a/Archive/Modules/Server/cPP_MOD-Server.adoc +++ b/Archive/Modules/Server/cPP_MOD-Server.adoc 
@@ -92,11 +92,20 @@ For more see the http://www.commoncriteriaportal.org/[Common Criteria Portal]. ==== Compliant Targets of Evaluation -This is a Collaborative Protection Profile (cPP) Module whose Target of Evaluation (TOE) is Enterprise Server Applications. This PP-Module is compatible with the cPP for Application Software. +This is a Collaborative Protection Profile (cPP) Module whose Target of Evaluation (TOE) is Enterprise Server Applications. This PP-Module is compatible with the cPP for Application Software. + +For a distributed TOE, the Server Application is the TOE component, or set of TOE components, that provides management, coordination, policy, API-facing, or other server-side functionality for the TOE. In a microservices architecture, a Server Application component may be a service or application payload that coordinates, exposes, or controls TOE functionality. The container orchestration platform, container runtime, operating system, service mesh infrastructure, ingress infrastructure, cluster networking, and platform-provided secret or configuration stores are part of the operational environment unless explicitly included in the TOE boundary. === TOE Use Cases All use cases of Enterprise Server applications defined in the {base-pp} are applicable to this PP-Module. +=== Distributed and Microservices TOE Configurations +This PP-Module may be used in a PP-Configuration with the PP-Module for Agent Applications to evaluate distributed application software. Distributed application software includes server-agent deployments, clustered server deployments, and microservices architectures composed of multiple application payload components. + +For a distributed TOE, the ST shall identify each TOE component, describe the role of each TOE component, identify which components implement each claimed SFR, and describe all communications between TOE components. The ST shall also distinguish TOE components from operational environment components. 
Operational environment components may include container orchestration, container runtimes, operating systems, service mesh infrastructure, ingress infrastructure, cluster networking, platform-provided secret or configuration stores, and other infrastructure services not explicitly included in the TOE boundary. + +If the TOE relies on operational environment components for execution, scheduling, networking, isolation, credential storage, configuration storage, time services, or protection of inter-component communications, the ST shall identify the dependency and the guidance shall describe the required environmental configuration. + == CC Conformance Claims As defined by the references <>, <> and <>, this PP-Module: @@ -205,7 +214,7 @@ The TSF shall be capable of performing the following management functions: * configuration of communication with other trusted IT entities * [_selection:_ -** _configuration of communication with Agent according to FCO_CPC_EXT.1/Server and FPT_ITT.1/Server_ +** _configuration of communication with other TOE components according to FCO_CPC_EXT.1/Server and FPT_ITT.1/Server_ ** _allow/disallow the enrollment of a TOE agent by administrative function or policy,_ ** _query agent version,_ ** _provide update functionality to agent,_ 
@@ -215,7 +224,7 @@ The TSF shall be capable of performing the following management functions: ** _configure number of authentication attempts and failed authentication behavior,_ ** _[assignment: Other management functions]_] -*Application Note {counter:appnote}:* Functions that relate to management of agents is intended to be used in conjuction with the Agent module, however, it can be used with third party agents that aren't necessarily within the TOE boundary. +*Application Note {counter:appnote}:* Functions that relate to management of agents or other separately deployed TOE components are intended to be used in conjunction with the Agent module. The same functions may also be used with third-party entities that are in the operational environment and are not within the TOE boundary. === Protection of the TSF (FPT) @@ -231,7 +240,7 @@ This PP-Module does not define any additional assurance requirements above and b [appendix] == Selection-Based Requirements -These SFRs apply if and only if an Agent Module is included in the evaluation. +These SFRs apply when the TOE includes separately deployed TOE parts that communicate with one another as part of a PP-Configuration that includes the Agent Module. For microservices architectures, these SFRs apply to the communication relationships between Server Application components and Agent Application components as those components are identified in the ST. The ST author should iterate these SFRs as needed for different component pairs or communication mechanisms. === Communication (FCO) ==== FCO_CPC_EXT.1/Server 
@@ -419,7 +428,7 @@ This is a new component within the FCO class used to define high-level constrain +---------------------------------------+ +-----+ .... -FCO_CPC_EXT.1/Server Component Registration Channel Definition, requires the TSF to support a registration channel for joining together server and agent TOE parts, and to ensure that the availability of this channel is under the control of an Administrator. It also requires statement of the type of channel used (allowing specification of further lower-level security requirements by reference to other SFRs). +FCO_CPC_EXT.1/Server Component Registration Channel Definition, requires the TSF to support a registration channel for joining together server and agent TOE parts or other distributed application TOE components, and to ensure that the availability of this channel is under the control of an Administrator. It also requires statement of the type of channel used (allowing specification of further lower-level security requirements by reference to other SFRs). *Management: FCO_CPC_EXT.1/Server* @@ -459,4 +468,4 @@ Dependencies: No other components When this PP-Module is used to extend [cPP_APP_SW], the TOE type for the overall TOE is still a generic application. However, one of the functions of the device must be the ability for it to the capability to manage agent applications. The TOE boundary is simply extended to include that functionality. === SFR Dependencies Analysis -The dependencies between SFRs implemented by the TOE are addressed as shown in the base PP. \ No newline at end of file +The dependencies between SFRs implemented by the TOE are addressed as shown in the base PP. diff --git a/Archive/cPP/v2/input/application.xml b/Archive/cPP/v2/input/application.xml index 38799a6..dee09bf 100644 --- a/Archive/cPP/v2/input/application.xml +++ b/Archive/cPP/v2/input/application.xml @@ -191,6 +191,11 @@
+
+ A TOE may consist of multiple separately deployed application components that collectively provide the TOE security functionality. Examples include server-agent products, clustered application deployments, and microservices-based applications composed of multiple application payloads. If a TOE is distributed across multiple TOE components, the ST shall identify each TOE component, describe the role of each TOE component, identify which components implement each claimed SFR, describe all communications between TOE components, and distinguish TOE components from operational environment components. + For containerized or microservices TOEs, the TOE consists of the application payloads and TOE-provided application components identified in the ST. The container orchestration platform, container runtime, operating system, service mesh infrastructure, ingress infrastructure, cluster networking, and platform-provided secret or configuration stores are part of the operational environment unless explicitly included in the TOE boundary. The PP does not require these operational environment components to be included in the TOE boundary solely because the TOE depends on them for execution, scheduling, networking, isolation, credential storage, configuration storage, or time services. + When the TOE relies on operational environment components to provide services used by the TOE, the ST shall identify the dependency and the guidance shall describe the required environmental configuration. Inter-component communication between TOE parts shall be identified in the ST. Where the TOE claims conformance to a PP-Configuration that includes Server and Agent application modules, the ST shall use the module requirements to address authorization or registration of TOE components before communication is permitted and protection of security-relevant data transmitted between TOE components. 
The ST shall provide an SFR allocation rationale that identifies whether each claimed requirement is satisfied by all TOE components, by applicable TOE components that perform the relevant function, by at least one TOE component, by the TOE as a whole, or by an allowed operational environment dependency. +
This PP includes platform-specific EAs for the below-listed operating system platforms. For "bare-metal" applications, applications that run on other OS platforms, and applications that run in software-based execution environments, diff --git a/input/application.xml b/input/application.xml index ac3db5b..6c83680 100644 --- a/input/application.xml +++ b/input/application.xml @@ -191,6 +191,11 @@ +
+ A TOE may consist of multiple separately deployed application components that collectively provide the TOE security functionality. Examples include server-agent products, clustered application deployments, and microservices-based applications composed of multiple application payloads. If a TOE is distributed across multiple TOE components, the ST shall identify each TOE component, describe the role of each TOE component, identify which components implement each claimed SFR, describe all communications between TOE components, and distinguish TOE components from operational environment components. + For containerized or microservices TOEs, the TOE consists of the application payloads and TOE-provided application components identified in the ST. The container orchestration platform, container runtime, operating system, service mesh infrastructure, ingress infrastructure, cluster networking, and platform-provided secret or configuration stores are part of the operational environment unless explicitly included in the TOE boundary. The PP does not require these operational environment components to be included in the TOE boundary solely because the TOE depends on them for execution, scheduling, networking, isolation, credential storage, configuration storage, or time services. + When the TOE relies on operational environment components to provide services used by the TOE, the ST shall identify the dependency and the guidance shall describe the required environmental configuration. Inter-component communication between TOE parts shall be identified in the ST. Where the TOE claims conformance to a PP-Configuration that includes Server and Agent application modules, the ST shall use the module requirements to address authorization or registration of TOE components before communication is permitted and protection of security-relevant data transmitted between TOE components. 
The ST shall provide an SFR allocation rationale that identifies whether each claimed requirement is satisfied by all TOE components, by applicable TOE components that perform the relevant function, by at least one TOE component, by the TOE as a whole, or by an allowed operational environment dependency. +
This PP includes platform-specific EAs for the below-listed operating system platforms. For "bare-metal" applications, applications that run on other OS platforms, and applications that run in software-based execution environments,
@@ -216,6 +221,8 @@
 PP-Module for Endpoint Detection and Response (EDR), Version 2.0
 PP-Module for File Encryption, Version 2.0
 PP-Module for File Encryption Enterprise Management, Version 2.0
+ PP-Module for Application Software Agent, Version 2.0
+ PP-Module for Application Software Server, Version 2.0
 PP-Module for Host Agent, Version 2.0
 PP-Module for Redaction Tools, Version 1.0
 PP-Module for Voice and Video over IP (VVoIP), Version 2.0
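Review bot: The SFR allocation rationale added in the `@@ -191,6 +191,11 @@` hunk lets the ST author choose among five categories for every claimed requirement, including "by at least one TOE component" and "by an allowed operational environment dependency", and the added text does not say which categories are acceptable for which SFR. As written, a distributed TOE could claim a requirement that matters on every component (update verification or protection of stored credentials, for example) while implementing it on only one; I would have the PP fix the permitted allocation per SFR rather than leave the choice to the ST. The preceding paragraph also requires inter-component communication to be identified but ties authorization and data protection only to the Server and Agent modules, so a multi-component TOE that does not claim them appears to have no stated protection requirement for those channels; a sentence such as `Where the Server and Agent modules are not claimed, the ST shall identify the SFRs that protect communication between TOE components.` would close that. The page shows this hunk with its XML markup stripped, so the proposed wording covers the paragraph text only.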
diff --git a/review_artifacts/agent-module-distributed-microservices-redline.docx b/review_artifacts/agent-module-distributed-microservices-redline.docx new file mode 100644 index 0000000000000000000000000000000000000000..1b5c5c221c77dc086673540d5a3ece1f32d7d185 GIT binary patch literal 37990 zcmagEV_;?5wk{gmw#^DEtk|j8wvCEyyJFj}*iOZ^ZJTe_T5IpK_qp%B_h)3L_t8GI zHs1rJGwX=;p+5z4)rC*b19JL$1$!jngv?F`j?63}AL{PjGB3lsKzkvL+BMe$wyxdDip<_u5lNjBgw zyET1Wx+p=Hf;k%giE7V4(Ug@jDky}5K~M@jBjBOc`P1yV?WA@}3Ma#qyR>HeBXZ8~ zV?Hh<&qBT;S?@~>6e^jP=`gK+94TRXSIVNndcWfP9c!J(Y3m(KmF??RdkPU;2VrfI zX7;SR8C*tHSxzA8N+a(SH8xNzg7(gBEdwcPW{*I#R6lLFb52)PXwBL+)T5QW%ufQu zaoit;5He1?{i!MIiM4-1q%pV0RC)$J_B}pQ7sinBJ}-spJkHHZTaPLG4kHGCRpzTz zXcLG@`pv@0{%LiUamfhs{^T^eg~gp$D01mru|A5^MNUi7oJ5VoRH zjbFoyD_i!gT*9CD8h?oE`SPE{+94~Z$`~H6 zv`W}55|oGp4e&|0q&S-2Qp*GDS81!!EVl8@-2!Wk99n0BP41yvJKlBnh9*$Mp!gud zkhn`fqi|St^p8~ojJ4M+5gN|Q#K7Lm?w8pc3R5n_k?sh295|SoEKrGbCT*#OP%hH` zy05Hr!4t%p%?d@iM}msT(#ydr{P9$+r0_)hXw=7kegt6&r1AC0rA$ILo zv944#^d{;&wo6T5D2MYa=(`YA>O|jl{cVjz~MK0uLqems6YA5@s?YW$-E|}c|~eR zYsw{e7%GT)ss<^^lJH**2ytl*sV`Iy4}}&rv}H7-(6hhdAUl(92YI&u@7q#>|Fq=6 zk`r^**dcs0!+A$yxVC0G+=v+`lTpS12pi(Vouu#z=4lo&J1_`#FDqM)=^z650egD^);M$6CRx!eGuqz=Kq7_m6}Ui`tL1 z6~XD7@)iAP`MM|B#L<~OeeUgCrn>O}t4 zamp_x)@kp&#u!YKvHTJo?=>ZYnTn>4Y}GrpQ3Y-Y6?IF zux@`u*+ypuhajqnGnZy9DL#~sfRE0KWA#!S$b91pHZ+C-uF81A<|Yw^{nlPcCG_0>gQbbf38S|Kp1kgu%Mqs?7E-6Uk>HZk4eyLI zPC?Itg@D9>g%nC`n%2{=D`WhZf@fHYvjgeUni-{_ftx$oP`#?%eT=f1jiIamx??>? 
z^f9_eh>)W$`Vy_$6X|cyWG;PX(%KrR(^EP{W;%-@>RYkN!vF;m2xV%r=a~Us5<4nT z;Ks)~@H(f_s4ID7=liPt=^}7!^M?s9f*)XzTM5Vtfm{165ns#pq{MdO{N7Zfi%2iP zwz;$5{1*eJpS!KOPT|I(aFb-TFK~gD z{n~EuHfT~S`>R(QN;zMd5RphGHObu=N9^py?D|SU{`!(7Wmn1u-|`VvD(6^}#@x`X zY0WK_qdYPx@G`b1cZ3vJUcQJN;n1k&oaM_s=&uqekdW|+8fikhUG74+K=X9Q@6sZW z;U=VL^pU)wKk0Mw?0zB-I*{jbsf7`N>_m$Xt=2aC2$F?1n;P1^2^z*~MS2TiJtM*m z2q!1&vwfj`7mc7VS%ah-Zy=`gnhLH9(gVfuWK2`EC!t{%Z$tB6%7rN1)X;Z;k^uXb z46Tt=mAbA@SyOW3Lt+(4suC=uK+w9T$BEIa@M=T=9I_r<*ef5aufC}$>+}F*YzaCq z|6SND6p2St+8}SxOsHW5iVy`Ir_h^gALhC}PPAAePB#1wDF!U*M_Kd>4o0tYX`IX2 zS#)SwHKSrzJ_p~X4_)|*9b95oNB0*S>;rtaCc>VIzVZjlnTI#>Cwz3V+uXS*_MB_zV-DHgzndiC$;w>3iaDlUrSftYHgm z3Pc1~vJuF6wyqRuXt$<2j@sGU2&K2-Ll2}xC6bz;rg`~rzESl;I9_DM=j}`)(k4c@ z|6189Ac(+9(O81taIB?%9)LErf5h~lQlB{eyS`v8=|x|;{!1&S1iZR?zi77bj(nio zG{!VO+V6c>$+l+ka^+>t+$>j5;)HOhnOvWo#wYVKxAjJH%T`wo83jIGv(`q2srS0I z3o+<%lAbA>FxEA<0&|!rk#8d8^hqwHB5#@BMjADN2X#>P-(5ru)To8+Bs$HMOROc5k}_0uC23 z4~_SXPq}3dIWqM>+SLq>OzB^iX|MVUon zV}bW-P%hYa9k^z;JxEF8qh5!#T9Gueq-j*q&7OvK7JKz?vvE{ELH>JKw(-S9VFt|C zMgj9RJivVIuVMM`)y97g&VR2wehSD2e8CF7{DA2VNCX`ff`~R7Bxj8B%@i^Dw7XthS-`TA z2%4*=hpl7jo1pacd2OOu#i8U+={K0#7V`c&7_x?38~zsbs;Gh^QN{S+I(7{Zb>Zpw z6#bCwtRL=eB-i6r%{LttmRo%5X^uTxGW9C{y~tp-OY?f#q+iMPb}kR6?w^eCeBL2- zU`&3^;|Ue*`@KnPMWN_|sXS(Y_OU$anUCz6EEoa_yL1U93o#egWGHTf-W0P$2yl?s zr6~ql24Rm|a#-9=|Lk{{f&SqE3BtF_8(ECE!-=nEDL<+zcFNOxm4f0&L}`uTxKg5W zptts&W94qT8jSNfV21I(b1nF*x+$Cy2uMd690>7Wxpw^FW@YU7X95IRRVVC-)_HYx z<>l+X?ODeL0u4>r0L44w>3ei!)n2klv&^1NO<|hFoa_3K6Y~=)D=4c-mc`d`_hw

*wXI`)2@jAac z>h2QG_i3kQ+lTzvwtIVU?}~k1K5VA@7*f30=iR_d&}ZtsoHgX3ZsWYDA1tGvlRSP> z!*{`#`GLVJ=aR@TAMQ`U()`vgxyNjyO7W{<7}HG4;+TIL>pfx&c^}S$lAa z`Ve^YlKD{h41B^qw9Q^$oVtweTGT&dNy0W;zg{KY-?*mXvya|IcstO$ zzjL~i-X@gqQaibIx~;772@A&f1TlVeu64FGRg5MMF!@-wt$B57XA2hB5r!8h!A>;XPpy&_E$f58T3?-&Qm1Szx~h%@kUM~$NA9)-Ep;n)0WKV?G~Zb z=E;4IN?aWldsl-9UKnzL!ZjIEj~G&2#rIyL>!r@;#Sz5V-WFpVgz5ACaoA_#1NDBl z{{ACP>#fFnxqb5+Po>M{MMyIHMHaj4>8F>@r8iGiw$0)vYJX=^Wb;bbxy<2ejP1_T z-e;{wmuMDlXRD?t+cWh`H=Fw-6FKF_)9QgU`yni6>Gi;8TPPmIgMoyb4r4x67p@9S z+747*%C025emUZH2_lmMVXrcwK?QHWuvaLxXXvcAlXK_Y(7E{lC5(>JbD00El6T$~ zX<{~2v+zD841pY=sfU(NzQz{t-vQlwzXkTE_S2a75+tvU%&Lz*YnvIyGQ%?A&G}uzVl1o40+K8?fJQ@zJuG_+VGk(5e|OjIACD{{Q~CB z?)SFtYf{{ZwNEu;Prujfl1N+C7{*NV_SmNIphYz&A+6;oh8Dvj%;s>Z1 z0Z)8gDv8KKQjP@POOtZt;WgnmCE^%Kae46)6osEG<$-kjXtc!N=@%uT;$>R9DttEa z7@t%|+K12pcwSybw{vQ(m2P)S6rV7J98F1Hs3UkH<=utod zct!iQM^6Mx|Gy;C6G2hB!9x9|dM?4G0jd4ZUH@(>a1{DA;oR1Vs*}YftT9j2Nuc87 zb@>eJqwb?YxX_l^EeRvymrVIHwxqeywR6*_1yys&+7VA!ZSKInZFy+a>Vqzlhe0#x z?Q&rK_1>vP+h)K+;H__Q%sJO=$@NzAX>c~XdfT=7c%E1GaR1@jAO3T=9 zlg5-Po*w9kKfD6PjZcNPk+UX~4dr7-r-DB>YO`$Gmc3fE_+oy!>QE52sc+pxo7deE zo#MmIKV8@{%PJ+D;d9dy#{B+dyo^v#agEu|u72HZ^BBq`bECS?5(;dnvQ1sN5K&LQ zhVhs&P?dHr;9TTu=APjg(Fw9ptBPOM?7)|OOp3Nd|?AKzD&FfVy~Tu zVe7l4RyacP?S9lh$awgrgIeNH$i$h; zmcGQHbp0hJL3}5?|0h?v6q{_u*{J*biz3zM_RSDt?r{vFI-i@C&kCU+JV(M3ca;rl zm-VM}_}YHRW|OLbc}VG!TKk*r@4=lTk&D5dF-lw9i2Tu}sDYTnPlgHEU*T7K`wZ4D zXi|oYk$gCY<5Qc4v2Ja6J;!E)h%hWGdk*9c@@{!tqd_l?%~?kJ?(yVX5|I_k*^cC| z73CS0W`T~JJw_alt`mtazS+P~T65-V()DTwk=YHtg{D~x7m)FDX6{Xd9+J$V#YdTmkYfZM3KV4dK?TJ zb#G4$KJiu0j$xm~sbrFRF}WzEll459QTpzhy#GhwzFBHK&EYA&i8Sk_e};@O-XnH+ z3*u*|to&nUyhn7~?N4t;C(N$GvS7{gt>PhT1u363@2-fqS4)LU-p%7#!qL}JT+Gw+ zhoSxF^;gvo&8Ab?;@k4Rp1|vu-H#tDT~~aBm`Bf`-;8VzwqKAuy)HL&2o^*3zKdKe z`r4yL=e16bbE18vPp9))(d8myvN^g@Xz`HTXMpb%Xj8eom3{lT5dj`tG`m(s-k|Zm-2h!N4VY9x?6mBr*YK0w@O+l4dX860fz?>^QcIjGjfub zrcFYsDy~$Pefc&=1{6$d=*8NO42Wvtnxq-B3#XR$9vi3DX8#dCPo3TE==gNXL`9mK 
z0&>rzKF@5pIff}^ndRm}yIVD*UP1Y&ULiKDf07Wd{l}1r=GzXBn|usd?oFj?k9u%E z$bub~T3^pNI5zFgo5)vEqxa}b3U>XZQZeTP z=w?ZI`1A4=+8_OjP;+AgP8LmKWjdvU?*2FA=1WDLB)dk+hMD)-XQ)X>@T1sIx zxy^HD4@&b9<7zQ-on;k+-CYw-P1pv*C7f_^mI%v-4AT@zF;}Mu=)C?FL?37)8Jxhk zh2c#F#nP|sb=z(&uXy;1PT3WeLz$xargR4j1>hc0lQx<*U+{kl28(8Oq)6sw~X89Qx-_ z`j~!nyftg#Ka9Q1f4`HA6VvAN6;#4r(X#@IMnhV6YHxC3l~KdIgzwwlFNeS29!#zl za=olM^HaQzhBm}>IKXdYDQi}w%+OAFbM-z6ug1*VAhHb^PgSCff@DxdA#n#cQ-i&d zZ1z|{zxhDz3RgI7doDq9l6_T4KQV&bcs5IJpP5iCpNSb>Gy*)zOcoN>88T>UH<|rJ zANq`#B2I0q2}}*eC)U)cSBWNpdCVS2x2>%ehxV}xw;XF*QY4gZNeYwIYXp;@)<%xG z1?XahDtN@|_H*F03teBo&p6wZo@|ye$)YZP)`-ZH@+wl+^fP;Z00RMTUXAT zwe;&9911jiegQdk+gdD-DMtQTEQYFzSIy~);#STDwVv%+14ZP^*<7^8-QX+Uq>pk) zBLQ5!UcCale5Mo&g8DYTLeFLi7Yl4^lcf#F??*M2aZ;hZvUQ^`5=m}KBiKta`7(nA|#|wOEyRuE}B`3dwkB+epKCGdpu+r4wL_tIHQ%7IMv<_5UXgfQ@ z@mmtni(nL#=7%=U0!rpeia9)H^~+Y9>u{`%zShlwY&bk$4ixIU>3|=b9MIt#HRXSg zjdfp1MoW*8nr#-&Ngt4=o=!ZH^3RjWQ{CBxNuiNo@7((KUUK7s9+?E;kjZrL+6S1i zelT!dM9TZIK~n#6TQy0$8wc`IK|8GD^Ez$@ez`Ki)G&D0Ip6K-;r)=4>-udi8SaOc z&HOV%tye8Po=YAYN5+QSdl0&~&saKnYcV}JBK5o+anXKe8k;3i_d)k?bbU5tTvzoS zuKF6gixe;G6Cn~R+b*MFM^o!M>JlX&4GW81@!hl8`)KyS?px4chiU6h&<|4&bKtjl zWgJPHvonzLy^%5%S#eq5w(&-`$Kk@a@)9kEN$pR1mv`d)n2?Ahf|=mG6sI<_a_7l1 z`cy$f$wg?F25m+}H&@h;XY=}~Fr7P( z26rUgv5ENU2FLROgsQrNxm$0ar}D=WKf!uiQwh#uv^;GDGebhxJWdtRJ1iE|N@!1O z2#IwPV}3!amGN_s4PUl4*kO`6(IoOc6FAmuE5@sLJl5Znsa}INB`^xYwiWbtaCd_n z(8ZkY>0FJL-0hd)T!9;4ooE4MS0nn+9mgC)u&$shc#K35Q@H9$Q|U}w{fL6D4(a%_ zTVx&$)kpBk0^vtd4T{-*8%wwkU&U+c3Y26uTt3+?P7BS zuS+`M^V=r)osQ9M1o)%6?$-ov{K(h^ZwI!H#*7s?ilX~|G>&Dr1HRFp{iP=?p=Cw& zF1UpeAU`HE|8dQ4?3021YJ> z9bGQFV|Up8r2iR6)lSB;lK&| zCm;y_&=uI0KYbV62-%%<6vdqdA_FYz()AfW@tL!J@=uCpj-ni|3=0r1u472PRNe$y zzIAf7=F^mBzQ3@6Qd?gM!HeQRdUM93^z*q%^D(IE@)ADS>K7SJ#Y?rK$!Kw=7d4HH z7TK}z&(D6GUmu(>1aXp$dB9DW4NmnY7F>}mSD2^!5m|{${(Q<1*$<`;G*^BlI9g`~ z-@Ba)FN|1XGo81h_2bRggmKOFrTqEbF_eHonQ?`Dm3UbO{Qky$yg;6@eHsq+p5Xv= z(di}Jo%~hgXx$28?|!bgD58WN5Dpv6o3Ha%_}o9?C;tw=`x7pJn5#3-i|fvQ4D80! 
z@NrCXGOqr0wKZ?DBpF19Y76>)1}`t<`+S7^Z)fpFMS+g?4N>zsSX(RM64eI2u#NF3 zejQo*gw{}ZN0sr$w^CCQ85X`|e?qkci% zmp$}Nx20kXpO%WKV#?c2lr3Yhc!_qPT?qoqmLwk_@o1Il%zbYZs>@_Oc?T?}`vuyr zzstpXsBcRVCFA@IjZ8g#4&genEy+hgN(TKIqSwWZpDz$yK7L?WFyr#bIQn^kcxjsJ zmM6bJJecx-*)|~yR}!u@5xtW;j6G<$wrZnQX8AQTOqJ8=;ROwXVK_Hv?8mB{{(AY* zpD#aL>Y#N(z1%oXc2XW8aOZ)~z7EaqRhf!#xQ9$3$8P;TM#6Vml%2b9Li187YAb)) zBssu+(gcBxuGEi8pvo*-%14*@MJn3HhDkR0N~PR*ZrMFS(tXYMh0Gf6QCQDz7Kc5Ei$5BfZL zuV%A4BM3|_a(P_7&IU>7{E@EkT8%mAQrBl?< ztH05Vv^F0_7vt(7#fqveG{DF<%@R+{&m8a3fqx&eUbk?C`?mK%16)0A2P%QlEoC53 zqWllr7m@$PmcjM^#U_Df)ZU%`lyEw{?D%U|^(#F{yzMW^d)9}RmvG-b$FwIcd=dT) z_3>j8qPGeYKoXmLXVs(T^LyPv!lP;1%(Ewwit<8wrpGU#OC(%r*#ye3mvm@A${xVx zz7SC1l|Yqjzdsr>&(J;n0zjXWSyL*;*1oC7p7%TBa(F4vk`O(MmMh5`W|!Ae5P_XA zl@av*=|+-vDOW z&V~^KRi>C9*BZu8+)s)aiPM)Fj0B?JU=JKQ;ut0(ci4)O`4j}WB_Op<%=tcbAT}R& z>!{!0j_10T8Y6!(H9(^-WoO#u8wMyJP>h-sF|JI&Z>x#YV-7P#C}EhRZV6w!Vd$Sg zOhg!@jG<~$s%mf|CfsrAm{7x+ba6b61^=NjPFcE=YW8%B?2qp=0)X%AEg`z1=1%82 zELQ|>+~~i3=NSPY0T-;LPAqeQeuLIt11jd#u(6eg0V7RA)AXXp|4`|e|3_sh;vbdU zpnp{Q`>ILR?ymjd#d566jbIDnFYs-B2j1gf`2_Coj%JF*5T+}lr3)sh&m69R1>1A? 
zFlp<2_#Z@ToDC(A*>dX!6}ln^RX$Iau36ogUY^P$hu7}DXa!kWy=AHzx-DdLGdpP* zNt^ie9LLn)mF0tVvR$lFm-#?KZmSn9rA%pEIGS%p3rb45=nI?)#A243jRq@)wBdevQ8KsT}wvRW6Yx*l1(gI#|mU9@~zW4PMk2Z z&95e+0vaVU>Mf}y4C>fwj9Kkv06~X;2W9-9K_dq@N$!qrI~o0)VU7SQ38@7LwkL{- zFk{c1jKNem9-T19g*=Tv{cZ5fp^hiT9>x>uZfL%R-e^GfGJmxv#gkE3g09x09`-Zy z+RN-p1rt>Fb6U#N|LI?c!0zX~pY32itoYX4qrlhf$3gk0UHiKPb9%~{WtMCP>gZEH zXA}#zdppWug-F9+N^p&k4(DVaM>6VfQsBS8r@;SP;qNJg+h{JLi7=DD6>|Td3f(52 z`woU}Rd72>rgEI;;9870m8wA9cI1vR_RLjhB2#a^mF?u}h3F|;mIctUF?|p(UCIm% zU;Z^h-@RR4=q7!x6K+iQQbm$g35Bw9+aw)hzVB(=y*S>99#E|PCcu^(Ur9I-^>Y^sAj>)j@0_f# zIDwFqvsH#qvh$!e)rW46W9~uGQj517ObHW#CD=*qL!o2BOM+5wUact@Upi)?W0Jcx ztLaDVUC!z#W%X$AQuB8&x2OqRwPAt%zSY47owU^(uhms0MYnQ=RE?LU7q(sV7d81G zYW*-j_n`ptKeO)xE!$Iw?_d6+=B_gaP~+qNO?@06CIb0?p?1~X0o&-GWVG#E%h#y^ zyH}algKjdH#YpPren6rV(9w)vzt0XEK>pTG8$zyTz(I#xXV;`JkzPA%s%DV0ajo~) zEPEz$mB->=vJ80-j%KmCvPxTUv6}-5qPd(YX?n4`)L0#CZBeHv$P-6QS?`w@xq{k9Jm{7Qj^@} zwVEPAKgTOSp6)8zm{7TY;?{H&PhwHNGzY3IdC({-j&5z+25c8?gfOa0AEmh~tY;}T zBR47%j@p#>8X2@>40i{*6RVwcAce*|`Nl(AnIvW3udEQmgK)oJpz9-jP59b%T~jLK zK!N=zJjt483ew1;d>e(zdR$tT&tS_TV%fzQc0g9?4UQ}gI{ho0acs_`4@vqINE+4b zf{5?2VV(&D%>8AZdx$8F!qR&;S22@Sn)xEE$Xs|9%*wRv0JqqDMp0Qzd&4em!8@B` z++5=wh9nIl&wRh5j_zJZU3iv@e-z=^PqX!ozlE~GJ9rG!$y;gOPWfXe`t}PnTFdX|Mw0TqUm1=amx;Kux zn)n0!ImMeD=wbqDMOT=NpMWV=~rX`-ys-Ofc8o%U%IJjzaU`|!o)=a1KO8AbEe zM0w^!X(}7v=M^psC0Q#$S*3HZN%VSrzT;!)bMv^bTQ2;|W2MLJ-p+r3J$IPb{blk; z+Jd{T;kvoT`M*pS(%)~){A03jNJs*H$&=K8DS)A)Crj=-LBG}PFn}}m zsB=>(ysZAx;`xp5>rn}wU+z|gS?DqSK?Z#wFjx?e6?3RJIFHrZP7ik|J4_&mvUE1! 
zP+7+@i++G$cg$gZkN>J53M@Wg)^Pn7_)g@tlkxP!|UgjU~RJcm#i4h^gVi$r2wuXV8Afx1+vGV zb`0F_d-VrR=MP$Y&H`vGh^!=@HtK8KG-!jSM_!v+W;}wT%-p_ zkJ=PFXUmnbnvgBN8rRGUjZQ;pl8V7>?|KyYf-=!VXY)_874pPJxABKjf(R08!_#H2~&946%S|MmrED zSs3OX_&pe7iBr(g7adoSrI-|b zM2#+>Sdc##Q1vb#Bv8#RAPllLZvhQC-7Ei@hdqQ{@RT7W9X&=EEH~2Z_e#vsQ4Q@b zU$=4#SHCtPo(Rk>?m1{iw8u8-!vH4AGi^ZfoaX__a}EUE<7d+X`S0X4%2xf8yd@nr z-7%9hiIjg725kr3I7MIWMClhu=xBTYQfC-zb-6ANmPK*m>Xq?Md+=F#`2XB9B_dj?0{yye+0COa?% zY9>Ee6d^^r?W>L0AMa>!)v%3wZrCJ}$b2r%L%V9en&ChH!;{#QQ#Yq6hkSbqbeleL zc#CYx*amOx4HDq5p{0Zfdu%4pLsQ`wbktn;PE$5`4ts0anW>CBW{c*)=Ny!9|Fi#1 z3aF|7jmr$oz?;fB%pJ=0OaYUnvT68j#n!2K;!Q~&##QTyWNW3thU=Ermcp!*9hK~0 z5%_=|yIIDf$(%wEpXwHnyxupkVDK+|e)0livaVVZ2dbPlvMIW-QP8V;-bsXDXE2nf z)M3xqKsI5|PSa5RZ+0o0!?2!gHKs-P7^%9i(%D+{UPSRd+v9V?hBuCWb~ec$qRm6qwgqWZ?|t}A`g@2?Kn}X! z{IBPnIFL^SQ?t8sa)Ni~`vhMiRAXQ)DH*t`tRAn*>^*wlG|VtI23@?px9lXhD*kt= z4rO_qOCwSjG>yE^3CVK)$zOB8T$Phzs_yd#?^9!^Ig9Wl)ymJWHai=fr~V}gOWi~- zWNfT~f?-i`-{qJMM=7Y|YCQytH8}9}6F`O19bCyQ=tV#b42CtMiJ2yaqC%N_x=A3r zW|4g-O7DMoDYNGtM{9MpVoaA^E*|8Odl%rSz%$wIy%kp@D$R@8RTdk@fltpV&;Pve zXPBiVP^O$Y5y!o$Sit@^vZT>NB8&*Bau+CbT01X$nu|h64n=eA)ZV{1lFHFa=IVVWyjxe_fTQV17VMX(h%Jp8-8fQ|R8fV)u zanPoEA#`uw;II2kY~A=mY^`*ak0t=#6^;3(!3iUc*>3ASrPzb0uP}+v@iPjT=IQwK zy-3Qf!`_?bDOKZ2XwvV+9T@#hE=n4lPqCPAA3@3;-$0^so-6%Qrw4Iyo$*E&&aS%GCb?c8{7;mTq_lt}cfZ(405!^F5=l_r3tv`aF0D`F&qwcxd zQasC@*fu--3Cm*2(cea5j2h=-jEepNZr@rQ=^6SLFqJkJ^H79|p)ZX0i+dNfqK<7w zHjH->#@m!*PNxn(IG>WCB7o>vY(9#WyDsa$fJF_!yGDN>0W#sA9Zc;H;~lx!=DpFu z;JW#iQ|wPDid%nHINLj|;63DI*8-eRwPNc~p(h3)tq713CLPubj znkQnZlOER-E~}4Sg&tYMe--opH8*Y3o=m%RXvX%Cfc#E1wdz~}Dw^t_-So}#S>N#+ zdYR`mtjjfRckhPll$1VWYE+`>4TNO?KHU}EPId-pHe#wu)n1N3)#*UpPmcbvFliwM z0hVDEtQ^I>G6wL-V#qoAX^)qcki-31958w2pG{d`^ej;pb2QQn8Em6j?}hjM%3#>| zIDi&>9faG4WgI6!8QtF!AkdbVO`EhE*d~#eBN6x^phLnpy@E8fywS9NDcFUlnAEBdRv-QO6 zGPYbXx0@~1qm3Owe79U-52-l-JN`Qm#2hy5JTIU_=?W%{TO3u)=v%JW{J%l)APFfX z?Am4Rw4OY%{dd8J+MtH;H}N&jC|=oUi&62amx=!D^^*)WBjH_!|8Ici;y(cQ!hZoY zzjF83`|oN8?mFusik;bh!&i}^Av34 
zhXdz8;0^WLa?RdqwzF0FM?qze*-kVkFuz@UP{VFt7)xdZZs1n)^}`V&o~>kRhwpCl zh?4K_fXZ(`v`vE4-}H_+|Ip9YvJhPTF@I~f*0et0t9@&L^S{G?`t91kdAmnIBB1gE zN9pQxwY39>4=@fFfYW7xl1Yq6lEx>=H7h(muIc>VD^*A*AD!X0oq|zL%vZU}Ay?#a z9h)&Jp^EC_9G6QR^rm_ep=?RJ6z!4wt`6WvrYXk5S8RVUQV zKS+$A01_?ne3Aq0m@QH?*RGdwH52W)2WGhcz2(4^znFx(3miGh(bV%}wNcI|K6r*G zo>Hea%m=Jk0MqqD2-+`R%?X)Wiv;XOuKah_2%pwjMH4=l3*yy)w1zRf# zxG^w@q*L)!Y$d+{XgF9seUN+<#M#skH$U{6$0ih1Qi=t63KRN_ft2;qfaVk$%u#A~ zc5*F-#nC~WFJG>iGAsNBhYu14dNErTA2^q-z9D|oeNqWa{9RvXV5mqy8}P_Zu3`d0 z`)9lyF_NcRDd`_!H8Jk#fArMBTr)7CR1vMH0Ijh4)`)@O0S{O2LsH8ec9*7T!%)MJ zd}?eAkCmd9Dzm_EX#8Qun_AC~Q%BLyrk;v9HpucoVzp3-LYrV}Jn+%@O$EZ%@p}ba zYT~}Tsxbu-d^k%cq2x z#fR9XJ8Ky|O^XICeHqnr_=k!)1waKS3ZP<288BeFS~^Ux1=z$M`<8;p!^UK^PUBTg zHaQZWnd?>ow?UMqhRsYn>f|*l#n13Fai5FZ6av3ifpMiKmPc(qABA={CGlBj3*tSLjQ&F)(nlLoJ;@$2aiB(SpqKq>&2C+l_&x-mHa`1Ze zj(GVBlpNt(96~LgVw6ni)%qr+oJSH;Mu>$~%zeoI^ z4F)+WGo8x&M}*bXe~_SNhYwT>9xoc3vQJmb5Khgx&R%LzX3gxTSEx*_&NZ2`d2s35 z9Bb2A434zmju2(_R^6ViQ<0cf-IN<@qYC!=57XsA2^&u3zBo3H8z8;In9$&U>fxq> zOKry-MXeaK!wi7U!$;1Va`v`iqKY3uiko$k()WP*LxZ70QHX2K)pz*LBJ;E7Y>mIm ze?jY-=gJk7P#tGg@@<+UE17~VnG#GF_J;vOhoV7Jisjq-3e^MhN(-%0Wr0cqmc;&e zu+yYLsYGRdpA-yp#cK%7r1tva1!G4V%b{(^&4a$}~Dt+zX zmv@M|xEU+-B=2~#$72DKdT@g(d)`5P=ce>)5HUgEj`qmMR|m#S59nGnS1!k$#psUV zempi19tw9Z41TT=wjl)J&+EyQz4Vxlx8yVRs~}V(H%t*p^fGwlRCixqZs4*jLA<>_ zqZKM8V2w(mK(!2;DhhMe5gUjGMLidWHs=h$Kzp0^WF~~&bfJtDe4ng9R!9N-HeRof z?08x>EuQNaGQiEol@euo2EITC0HXc}2<8t^<-dX0{s5iu9q8~C$bGU{2BHmK%+-ky zG{XLkkTnl@w=`omhM@uW{gA1Do&`#gf+m3AstCi7zY@)g19u|E$ASFhxm&AP6w7yGL7PY~fOI^;5;$HDQ|wRnD@-?BfYsnZ9a{K875g>8%XyIkP`w-1m zJ?i9eGi&l%w?ye z^~})Xcj@ip#;e<2+WO#{U;N4WX)x-TFq9pb9@3P&@9xvw;j+5#=+Kvbe_?*_e$KwU z5T77>C`v=faa*IS86S6w6xaU&^f3x>wt8_v#iH`P`NP4SRvkikg)2(_VcOY({dU{@I!!7kIpos& zt$o7^lQ27hThjfFL1gdU=W}sgyY3s04MFdI@xbb>cQOGd-s(pk4?Z^m7vZ;0r#J46 zipRFL>P>oQ#Pa#--|ys=T@@%od}9l3^Ii@nElcO7ZSy1^%v|{2C;197nSGvXR!tEg z%ZKLQ+cNIgb$=^&F=lOUa!-txK3CoC-5R_s%&;(yx2Upx~k#Z7+srpNi8%QJt>w?mZPywEb)C_S2z6_!?1mo 
z{$S9lcZp+9C7^~o*=~9KP4ckaj7g43$M^or?WxZ5twvU+y^Bvx7UAP{NVlzEX_kQ-o{`oU2>D1>kDQ0o^6PNJdvveS2eAV5@Gv_-b z&m}=VA3;*}abAX2olZgDo8wFQ;T>gLWUUacZTTrZJ|dbFA;QOJ{rYxG{)iM0J?3$h z7kfnm8~Lw;FSwYtL*y1iq!y;abJ4PM6DcK`(DK}h1I`cWA*2fR*3F7p+3Wn#m!|Ac zyRXaeIZxis0fe2|>)k8*sLk;hv^Lbkw?rT@o!{q47y|s94M%F`W zn=Z!cz~TAM{V~HnID64a+Vjfi)hDUz`RGw7A=@@nLnyO&g(WH0TVCx=#l?YBr6N?33x|#Z9Ic%Eol; zhm6io1fn)8x{-F3^oA{**_wfuCWwe(LL;EY^Yd!mKTqoD^ukTNFusV_%fVuisnvp4 z{H9<3)cELJ$%JltYQAJ{Z+gI3k4Hc@VE%k$BTAnvt77=ltGx+MjzM!E*VQGsj&JpQB(vJl$n>;Ao86DUNWm)^GzXB(qiKgtev z>uRL55ePw13D7~k0_Y$*2Xw>&I%-6l!R`JHfwutl{}A>L(3LG~*KlliY}-}`9ox2T zbkwnJ+qP}n>DW%k>7;{icb{|bchCLb@BPOfS$kxRTJxE6)>^fzYOSiL1?Vjur-y9s zccFis{kxFclnpR$ap`ZA#^3ONQ2w*Pf1>=)EHK$x!0l7>zk_f}&)EXwLRho_Ap`^h zz}Wu5^>0ewLC)xq?EuA~0mZETF4k*j3%kQ8()1f=6ND3P{x{Bl7Wfa%wW5uH*=gb} zKrs|RvER}VtQ;#OUJxGdZliw%9TFXCk-yeRBy<9KdoB9V@zb?TJb;dz)1j))%uwqm z@4?^eH#|FzJW2R!`QtKqR>aIyOzjqx^4q~hT5aop9KT+L93Ezk_dk7##F5~4oABOp z<#c_y;%@W$IJTNUvwCE!8rkQ7E%`cui1Gf@?HTIQ(ew0eBdZ&YH>+do*C~B9WOIjc zcy={D++G{M%lk$q@fLnw_%V~h)3)*Die!9arD{9n+j{#?xuKS-)3JFwEvKGN@AY*2 zX`l7rZ1KYn0@$n1G=ZelKQVI4;r^W|ir${O=! 
zXBm5*FABlvyO#G|n1eNtfE~TQm;sH-Q8}0(gQVm3T4RWdXwjVb$LFtB-RRtlwT7X+6^5A}V!0HdA&@RE38mPT* z^HFM0AMKKN!r+5Y*~%nt`N(|<-6U?-eEv&8!GgQOqUM;hU)(j}56eU;<$fU?hCRzK zw_{p~ya|C+4+$|Np!uaKMVC#KJcht2O+L%VN0q~L3OQV>^3Uwk)D?FO zxGdety6#=_^Bw1AyuR&oXSwUi^>yzj@V?iL!n-)Gc|E_r#)$A`9D3hrzAfyJ*S|LM z>$2lYm(#ztuKnO(z@@WAw0m4+O^a5!>6ROD+iCOmd~V&yHjFEB7!a~ej<4e-x6Q*B zO{+RMp5i)IU8~BTxtqpl0)HikJu_&O1AZX!|XF0F!-MhVRma=yVMaB?g#JDwf zoklzkJ=ZbdpuK3GEGl>O#B;Q(V#~6cwl#KvQbJ;p{cMWsILY~WSo#;TpkQF@1C+xU z@*W7$5|o1TM0AZ36Xb)NWB|XbdFwJ3j_LND(t565zzFX`hkV1pj|JSjlCR_Ml3j%z z`^nkeiB6c)Mm=}aD_`9`X}xz4+_3tgQO_6a+_iXf+@fx5wGoB~9O^%BIcvWN%Wf{a zowjxodppLpV9;(|WTxbB7Qr5k&Nb`n0_*bCov4oQ@m8ftE>|Ytfg^k3bst2T5+6CL z4p@5G0-o6v-=(71HOfmEK1{m(IA2Xli{?ky|UcbjzI9 z4Z|MegO4)L(n0mvb5d<)TWF2T*|v)hv;Xe9NjHO8g8?V>vrB#6fJaQ0>9_IEW-fB` zbn+>A`&X;C2+Dr4V>o9k6zJ|^Sr5LrKk_(0b0TnDUcB>(^4PW!U9w~lYq58w`THex zF?;wLM``veDGuD|I;+6L1@WpoPHVOEan2G>Zo5=DSnu5`<4%8Guj=zGmkhl)X^uWze+88$yG)9&I#L!c+@*KIO-W3MH*ESbcF8gsLTWRJ}{ zc;IzHjh7yzHHbReAm3`9)u0^Rm6-*d*>@N$s1dg0f?uo(Z_McvsJR zvCrvI$sr38#3dOw^*>4>Fg)sAwM~@k5WBF{D;=2=)#41E#fF52V!~^-K`vS{>T7P~ zj*ZozgIRK-6idS>$?$4caZ+G_Cf{2#$u5wS7|7c05r)9`lmX-TR30_dS@KyEyFAqr zC#{$J#f6`zR6HiJEL1UX(wjm-(L%2A`+DOQX}j@b@Zx86k|TbO34u6SsOMQsLJ7ZG zFWfb{V$mx)XRAsE(2ZZl^c_7q>Z8xf#=%4y)t+u;G;sQDqz*k5EBwAyWhez*oU1s0 zyPAJ^reCwp`E;hYm3P-?zLVr^{+@8w((f$}bDh4`O=l{+y7|40`dMDto4&>@bG}^` z&0U=rMIbfbX$psPfXZ`T7e?^eGKtR64$&l`F#F`C`q> zshH6!{H|C4+D>A(V~>@GR|_E%G3e+Kkwbq8W+kKQYnMkiR}K6ucxU34fB^+v&p}JP z6hbex>*dW3gZo9+tSWf#G59s)Yg0(i07xqD>}O!wLHX_0xfp0r%=hMvs~-~b+K`RO zzV_P8+4Qv6fCWmc=xtuN$0bX5f;$o)I?8By~p^>b19Mj)b=Zp!p zkufhF0QXc(ysOW#kx|DFcr4_}VefgdB^^MBDKqgRve~t3O>hOjf#W!8S&(e_RUfM< z&=VA{IZCjVkCB}8W3u|c0nb+tC#7eI0$416j z?~|#lMo(!6N9N@~m!GE)f`-lFAF0Xqc7LQk6|Z!1M-E7^8r)hkd_}#ADjE>j*@^_) z$gpN#kZtFv6IwGi_=RRyJ#~O@6 zma`r4N)DoAKF5kozR#5mZ}yAs7`+B9F--%kQ#0Zd#1%Z3ag%~n9ZzkfW`7qj#QHGd zMuzU)8E0f?ZE9@=peD8eHKBMlC0DW8Jzm0yjTTvsbVZU!Os}!zoKu}shM3){n#+9-)1=4EpdbFMz`(uSe z6xl>&85!lo8xii;!HEkbe;6`G|cl1;4(TRG+q_~ 
zW72^NEooIq_hvmTQ`Xz1cv{`*1ID|k$k)p!PDT-O{6frj6SAL4AA?(#3tLoswfL~8 zI-AHl*`5nmxD_=yGFdY`=7L&Gi&}!Y^iOcj*R?$?%1=M8j>u9|M)>I`39#oK_hiU~)r# ze_RHNO!mt=t5PWzoAIzhZJXPzGGVadb!z*0&qB)3ez7R@-NnsH#={D{^H6E1U(2dr zD?v`8nq=2)fNH7?L&wcZ)x#XUr2MO!)!GEM+#vl8 zaXpsBmPrYI{pf&})qO`3@78Ua9f0C))tH(3N*sUJF5Kl}1brtPO&8lFu+Xu<`WCkD z95bVGSJU{xgN9ucvD4?yrVEp(<0On6?_lGqlq?VNa74Q*3A-xa7B6Bw07W;eTj+h4 z!T>wYUEYU$Si31nJ9wwwS+3dU76|=DI5;Z1%OC4YMoB5IoHbXOCZ7^|xrDgilNW9X zuo;w(XBS@Wu+u}NEV8BAqBzdq=xscoYBk@|5w?E)N*VHDUnekyMw%Z^f!4{qRE@Y8 zJ8`D{{E?_T`g%BEo5O`$iLW+9WU*mzrs#c=w+5ZB5rHN~mG_vStd+-hZ?l&_4t`W6 znlu!BDqMcEdNaEEa;YVF@<4EV)!QIYx~ zL&-q6!g^H}7#HfDPSyZbegH1`9`TgGxp%m!P>Bc#NQi}T5OrY|exI^^b$q323jb1; z5eRDWixc)CqpEM`R4$)uA1P(uI2Q^!n1p*qD#7y`hieL#6Wnp4s@r=p+LQ}aBxfy ztl>f&#u(0H1eda*{}~bq_+KHu|Q}qf=q9=;&>4e zh?6Ci6&mI`)k74LV1!aCgRuS#>M)$G0R)M#{tZb0!fHpdGqo^~zBxp2uE&{}0w+Li zd5P_n`PVOC0=ekv3zQ*sAO|+VP(Y5q1gm+3cW#2A>RPUHj4`WewRF=-#SY;x2h z{tKl+tI)j+$*&c-Zzx~^=nEJW@@gKm{S4+Njp}8(3N|qkOPEOjSUpCvoXwF z5Y$Cle`+7yZx3j_jc0*9SK?)Zpn%|}dXbdm1~@Z?6C$cAJ?!K34?BAND!6Ib#K!I z>xU3-NW8%k2n8Yn;b8^7!Yc3_D%WWkw?c+Wn{BhUK*M}qVGo4jW)9-ALRM!9VhYeo z?Sn#Ae;v&QeXJ(Sf1+GR6|o-;7-W4C91?CW;N_#(cbYxRo>vkj@3+=u zaECsF*ieXZoCFy7@r;D9Pvcq%za9m~@%w>}f`F-ce+>8y_~!H>6TH(P{2Cb=NSRrm z(&`VnOJ4VEkaOf_?QCT2Ze{K26dw->l7cF|+qu^B<0kl_mqvnvhQg?lI1+jB8o5X{ z+Cm(*fRm(5*Ot=uO!zjUeN;aZiPk5*O09V+^d+h&Ypm*MFh}=s-}z{!=C!YaW4?j_ zvZ1fD(6I=jM|Ui9Qnkid-mpTgp5kzGLNm|@u*@I%L)Tl9wR^O&c9OMc7E@@e(~TLf zIwlrAu5ZC^cwuDYVrnCBWV?NYpxpphgbY^qkPpU=IHGP3lkNvE zKIDG9p|b2D1X z-QN6oa^xh>q*{}35*LeWjAczH)R-yjc4^iUZeL93`p-jFwnJAK_{p&Kj5XCw)Ah_F z^XwJ~p+wb=DW$fxU5X)Uat6--61KA4z48Na2UBZY*Ng2wWUK&~F5o{7cD`3iA=GSR z*7#t{nF@x{UaHv2D`s@ZbEVPgjpYso*BHx1Gtu&(Uq2Q{j&b_QdQ$_)8B01qhJ!z^&UUpWunV30<7ouwl-l7^HVmUuhlr< zmWG3}Oh#`kQ~4VLS^)DQxAMgp8gO#s|3l9i!Xd0~-#_)(`Cv(rG{c{tlWLwk+?m`I zh;OAl?Cl=Fay<{!!&AwrS$#54r{ot;X5k0*^7%#D zBCK|CkA+M#<9plk#A07AFs6B&f-sDHKbH?e&rRy4eqjwTH$A>x0Ty@p(m%&Dk2E!j zoI;qs1PW)2osT82pJ+a;rnixm`I@*Cr&tv`aP7ay%Y$lR1cnkZe6wZZB6 
z9H@|+X!iuqBGmLKR0?V83>bnLeh!Y3QId6^M(#>JnIgm-AR_+{#@`~&1cX?BivY0t z-$g_X3O7h~>HZ~vDHnPUj;0gebiIK23~A~ji0U^jS9%{jUu6nX+%6LMxk+3HKp*3C zuRt+TIxx6sm}z&axhvII0H5FSAy|ph4T4q*MI%ePM;^&uK_-dP!}d_~v9SIUAqnL2(w*EL4DW=?Moja3$C*OaCf)_1NKUn6F!CIp>o z=@c6J&2_hitsnDTb)M=~-ZCBcZ*LQO{27;s4aN=@vblDNKhs8)2wTE@#l>26{ z6sqLWw`Wa2ib2|foa=W)&5V2H-E2)N=mH!ldSZJL?10Jys@sgB8x>P1>s|rdc0|P> zf~F?F)gM%>u=NG4YNLJ+NnUsQQP5q`9S0bjvW9qJ_sVQS6eSTuz&!9))S(|~ZEf&Y z>@u$tn?NG#RyD<7LP<9q+d8*12v(+`GYA{A&18ryw=?rH;MV_^9fVb0SEP7gb0#^8 zl#;=B7Vhw&fD)JKInRpbaOp|>EU~3MR5JTkQCS}NkWSki`;gAKcAAa`ANcUlnjjG) z@wbXwYG%B@RJa2Nn(A7I4oD~iwqALacUAmbhf?k_K*zh&zjVBhZPYUp|1Tt5@-;Gj zh8|wzlNEKp{juUx>TfF^75@eCSPHP>)Bj?{u)#sl&;i78NPWVsr5CCD_{7Z`_RxxD zw*g$sXKx_as@ON$49nT{NlPxt$VMBRHn5JK>CGRgdXsB!Y}<9R?BYi%@#fsw*t~YY zmX@*xZ|*x-)sg|$3dX&INJci;r>=@0ILtFvVo~_2Z_NSA*7Ae{T32 zwbD=hZ`2{|q{6d5sCB_{ee>zO_gUyxnwSuwY`9345|z89syp(kG`{Mfb-{&-{+ugJ zg$Mz(ZK7$Ap=_B@bZAzCDC1g!G#&KIq3~FP*r9BizDqF*99oqMRFM8x1nr7q`LqGiVJp1R^kwUVK9^k85^c*sCa6e~{ZL9Rr!J;G&y zN}@7Zikq<(tfn8vV{DS=f|a|%=I+zjdBnP^v*XnfY=%M*fZ$Q+`VU5nQ|MO8l8lDs zDG1zy*uj$eGE3vO5o}Y4po7>5P)(%E_KWN;lvWvE0Hz5ks;Ok2V=6YOBx@H?(hg$F z1}2BI86HwplxEN^m!cvLD>L9Zhq6WLwiItU{$H}#s8;XY zI-gb5{3L4#soq&_buvyf^LOFreXLcEy{?$mgz@#GL@w$9ZZc4q90bFson-( zye$WI@s)o@d~OnR(i!S6r>|oFMti^EHKLl7=nSn<&@LQB^n4M&<|g9xY8qVSP!P|D z@N|$4H}8{~V6~CmGW!lnRVz@Po-4*KuJH-AkV)!Ea2eU=Zy`jxF)YY@ZO}nIaWlSYe-}OljyW+}OQb zTpJhcxIOGP==C^uYGamXDrxPj{l ztig{O&=R$y;2@K*%aR-TkdDpX>kR8kTj`X_23 z^gmGv5rWAG7Hi2<;g$ckK)V)TK^!dlZwsb6!V{he?^h#sNYaa#}d0 zBpfyEL;$TJW$wT(10uj-jQB(iKp8L>JSkz~2B4gfFZN%Qi9!BJnKO09)LM5aU7uZE zBr1kf4vmY?EbnKy$viiUaI~Qj7rhukW;!}W((F)Bvg)JtLpbXD&LZC*OQ1JH;%w+cv7P-s_+w%AXlF*a*|NB=YW6-aR~UO6sc)W zm|xRQamOc}kt_)p6Dby>Ce0oo9xa1j+aa2F15GORAn8EZd&mx>??T4Su>023)lyi_G{u9#*6{yjy)m}a(9 zdrQ**G~dGV8BU=8R9IE>6IrGkN|3_nre3T);jVV@mi-7W3PLOhbjgn$hkio1pU=MF zDAAwY`y|M4ZJFsAcCYWgf!NeN|A`qlwwX71fB+4NBI`as3K(dRQQdEV7{!j#P|vn2 zV=Met8VmzaN~#P{Dl5+i8f(uTN4F&oZH6i*xut3NfI*5Y&Y6VsUN}7^-hL1sN|G}Zf^gS4KRhB1CHm746A$L#8N+X< 
z=!NWBjR5q;{Q?)9u7wL2qgS(;6A;x2cUP6fB9!}g$@gzj5cs#%AWdNlR&k(13U1Sc zG@jv55J)p`jj4W5(kH=+<$g=k<^-9VIP6DeCrpP8nE@irlvP$^ zQRolrUyUi*cmoHRHEnVN|8-UA`q9vzUEU1Ys3DLUQ4;ri5k#Hxy}1gq`aSIY8bDXxLiS zOtjsHBnrS43N{ZZ(n@4#Et(?I_v6y$x~e5SFt}CKU5M4~;Tl+$!OE(fSdx*BZR9k# zX;SNgC)Hu*=9j6~2c64-xOe;Y{cnpr^-ih8!HrdHuFpc*D?a7L6I;hT`y7vfefFgY zxF;xSu*pS0RK|(6>@tNbS^I99^2K-eKKdk40HlW@;BRH%g*ArEJm ztZWt835Z8%vQNNLrF18Aq1UV*=G;o>CkYMJewd z;*MD;f1`BuQNUcU(XVX;{+ROlP)0LkpWe(SvuWaY-=6{SoFcElH;@ZV;XeUU-Zxfn zta*)6ei*lHhVlaf@&6TwH!OMj2GUsj3!rQW&mciNw$F6|<)oSpC&S|NJW(jWZw}GB zK3H2igdn4#SrC~xP{dErJ;c-o*C~zP+-iYKLiq{b^|?ineSnH)3BJG%*bmcd4?1=L z{;x*%VKnkC8zJEJ`zgfE>HGW4-=$}ZehOiRB$)SWmwq1p67>`GC)OS!T|x!mF^FWi zkNYccxg<${CV;-vayHkWcJrH+DfLcf8W)bKo_{Y`AuSLwGT zM!W)mY{iqB4@MX$Z#g%RIQD?r*h4Hf0?3hvc|$@tYKWI}Q@7>VL+oYSLo}Ua006eG zdOuq%G^_z!#e) zwUWh8bL%yw!LePE7suawSeLfNf%lpdG6#~7L*QEBHH0(G;QzXAbkm-X)l9xN8NIK; z6R|OGK!gDXM#cQD2x|$y%lPQ1kSpNN2VUZ*0z6QvSKG^Ii7Bel^YdPDt9F>5uP64a z3*8RofI{=2!sFf;qrO^Ya0Q$iR&_nCedT5d-b~cDN6!@dWUT#F3$wKcv75v!Ft97f znT@fU|FZHSw{evlHV{Tf5GU;mOLv?;Qc;NEAz+#39Nw1X{&8* zHxK}gCF?}sYRGUKg3!@lH}O4em-Xwa1^zFkk*vG_8SJxc3D@~tzeVtZbDcr*4|TmiP5hd|$9{c1tD%eu}I8!qc4k#~nv zl9oHl^;-(O&%&evIKsbyvH+`%Vx&~TIH%qm(>HeqGaz2|0U~uu+TdvcX!8R77R_da zXjw<`XPF$bEP^JooKyDc87}GWk}16aVsIsG3_Lf^7g3NVG$5Hr-dt00=QEHO>JXpc z?9)5WSzG+TIj3~6#W|-Q;R;I^ywoB2yYQsRV5!#4`1G8=c1vy=O&4#oPaDx+A1~-S zD8-H{>!pFq-o!5kHENW|QXWhhN^f}GnN&GBGdayGwdnRiFX7Zw7K$lGKe)CLb2w@m z!Q}c=4`{Bw-4iVQn8xQ>hQXC3TAXDNeXRBEN9FY|@`9KbXUkWqKMXXsahoU@qRyRgXv^y#Os|}j2cS+V)6R@ahG3K z_wbi6A}PHmlow_C`@R<;Op$k&G!?_s>!G8=Ej{B$m6y${Dym4_*|?#ILtuR`rgD6L z&}StHn1^o1Dy0)r;!7z?GU6#An$t8@lwsLPSqg}zKs!|-IzLUr9L>GSuIJROISh|5 z3k2G21P#pjem)<*jeNs-h@;%JQNijgxoJ(HP}?Qa)X8Jy8J4wzj7dNvExHi{b~p%k zSXkJpo#yyO!31GkVz)n=ih{Umf|BBQND4qmuG17p6uEpx>IyTr4(KmjevTlA!f)Q=Z4=W~Sz4CN5&qD#=nx!hhkS(l*a@RHS5yC4twqbx%={g-QBw ztm+6_Hc9*x_ecgf9OY%+OLJijC4}Pfjjjy&ITBZ9+A~N#%4<7AjO_<_2m?6W%|dw;BXcU?HU!dX z0TONzWz3m@G+@dQ;~Jn~5i1^Qo z=;IPVf 
z>>lMKF}vDWPZ;1TQRmv#O}xl!mX~eM&jfoPC8&k|+<-#(PZsD&2>@pfh5zl0BMM|5 zMy*p`J!UfexCHK`8B4QczXvHLg$)%2f0gSm?6w2@uy)~inM|0lKviPD2}_AGC8Jg0 zqz-OpxEq1uI3B09jL$6JR=jMpziPMz;~sWP8S~_){SK*Uke3+*w;)ATf$5)&P7g+RX{5r1 zr1aNEM^sRn4e9qI%=pB(X2k`@P|=&%kGOQQ5|^g@`h&!LdDKyh-7m2VeCSueT;P8` zOD3oX%Aj0Pdx6>YdcgWNlniKM8YtV`g-zP)0+L`YMf zx}dC>fp)yG@3Z(+{6f2OhlZnMoEgSJqdn261;Jgme`a_ameE&6qiE8*39~<>%I^?; zGyOBEvB0^O1ZA_7%@4NZtqDtZX~PXu{xW0@?l+$#0Ky+bijzSBd?Z#f0$E&nqta$q zg&j2k^~BXBL4)83<5+GCa7pZTjPX`dGOLaq6=&4qR(v7e-+5BZ(l_({TZcy_QBjE0 zVp}OJeR@x9Y(zbI`qjoX1sw6E<6CFS}dC)P} zoY%d|rjAt6kjtX<5$HvSn_#oDmpheh=f*1h;5364@mAavR#*oun-!ielszpY`1|kBwg*b)g1hE)k8oWUXjxnL(F-@d-4uE8g1UV2t zW2Wvj1c6?569=Vkth1L#8&N3E3x=-IibPw_K&!|-7H~<+d_7Q0nt}UoLWMk;Zc2|G zB$L`e-%R6d?voy$h{bj(4O86o|3e*?|8I3dNdH%zH5@=4Csdd3+Zo!w!Hf@HoZ_5I z{sOW^$AY|Didf2Arsy;7e2|54~D^i4oH}ahMN6uZl%Qf)qs^TIW(M+N}rG07wcR5`{h0# zn?9Xo8n6cv`Qf2gYm;hGLKsy`Z&+I_44A)F8CTs;z~&mV_fA#AMF-*Pn)0HT1}NZy z%oiJ@&$Y|Mm)enBbWN;|HdzwXD^{9cp7!bPxg4|-ifFA6`q_~wurZGagVq#HIyv6; zx`aXOjlVJv645rD&hV$9K1{AEUVqkXA)Hwtl z8O&zBOv3X}#G!lS29dwmXM!^^Wttkedv{}X;`*tIMP~R*jz7-A4jUH%J zXII)2kJbueDKpa(lP8C={wPZrrc`ACE>}I)_L*_Cb~w{J07qeSWmxfk6|R@T_*xf) zQ2Ss;JfbAPA1?Gf?K#Jv4I`PUTvges?1ykr!gEC*`N&EHO+EAbwTR@oO27_#_Ea%m z9qxCMK33WO1JZb~F=q!DXodg{FHe}T>iE;8TU6$#_=_`R2o8?j+X0D;9J8)g_;^yj zAmfMw%XF8nQ|^AHmS6Zy{9NhqZdP@KowJE>s&Olk5ty0&G7auW9}TYVl>h~)%6%1o*>oom7@Pxn>&Ij?BT zY7rAX+sYy~w4gWa#pLPAXLvU6%j{0?OI+Tv6*lwuM!E;|fIuU(e ztjm6BQkOE+bum9d@2Rn85|&`&@XA(wVU{W6<9yp>EPa*tQZeF#^>Axi*bhgCAMz4$Jx5r3t@X>yYdGQC^O`xCXY{Uz9DS~&c^cmJ)*pKQxzh4P^H2#07zn5t@b^2T z@tYaZgTkN>sMxgFQvRBavrQ&&Ft z`~~4lXw)FFVHtD1#4(cg5Z4%1WG*h=sygl*4zl4Hg>4{z)~0N}197RY1zPoMH6{Lh z)J+Q|XS8HL%XkAY&a(TJpcpdU)c9OX^F}`13FNT?h(hPciQNp8iBH>a&Ji7s{x4e1O#QIH;-LtP4TvluECl?2Jc*r6m zbgTE{b(>r8e>(PyE7!>gkOKD?3=j~?zZ^3KWPDaOFtq-Y2X`~M&-Obb?(mOq;gl(v zlGX`LsL0gA!Hp9LIG#YCaBI=m<1Pi-=6_A|SjRA4)=G5T+r)ZY(oB*9`$J(l3yFgg zaed4@8-Cos;c2#frL89yrlxNF(Ti!%XYXJPAP{uzp};Hvg;Gv-CJkuv#uYv 
z8!+#kkm-TSHAu6i1};YZ@B*_yD<)CUA7DtITbMdH^T{n#1ka12Lgz=bD9meV&9iJJW)aLsdtkmB zzB@5}G`05VP4?vQ*-FEOz0TZ{qez5Rj^i-8^Tcji+$Qrk>+UG)+aL5L-|;0Yja1g| z*@1&FOx683{1!It@|x03eqQ1sQ!QHl?dHES04E9(w+;i6k9SZ50ipftl5{pVu`yxz zb7cCH>r7L|Zk-*o`$-L{{b2EB-6gzTVuZ($%O=l&_n~F%9gr6U(nYb$CaOKFl^UH^m>MVycPR1JnVR0_Ll|Uj zs-#xB5TYJo(1VFKWD|VU+qftxgaF9+Ws)MxwhdZ$q+jUQc_H7IH|L<%q2N%9TrNR? zoZj){2)cJHX>psN*P8~i62xiJ5!E<7lb)4+PL^~^VXlT0+Kj#7c`you^n-vo5>b3t z<$7(9WD=7gi9;2p&6l2i7~s#M7eta&UpifN!@N^@d3cz}u&^jkX9d63ty#HLneU+3 zooy}>p?OAq@UEDbkcb5tVg-+Po``bX6i-MhPL^xfI(5cACr{T5F3y%)pyoKoQTZhE zS!jW>R>rJg-6q`}8!O$EPv+y+qrtY&g4|r&|EYG5^4nNlL1|QE{%O zU{O5N)qyy=lmXp1ACf?EIpw@@6B>0D(hxfrxsj|I78;+~i&U@`rf)EQF>~tfI8ohq z9S$u3NZ%V&o75d`y(~@Z`xoz&~FYX??=BF-o0O_ex5&n zwafNu0vb)|-S&C8XwmD@_C=ByJg>=lyV+Yix8wV`3!xBcg@*`{*Z}ej4d6Kex{#Nn z)@vlgt|!X_#n>Zt9w2Z!5dx?8e+aDTyOJjI6Y)iu$Ft8FGt>%gWpXd2YC5kE6CX(q zZawtCHjGf5&#PPoYDvVDSeJRd0cl$$g;01P>>Y^;qA=@b*LkPbfcU+$yiN@&PE@n7m{o^S^hSgS7<*V z(^w;9-2O$e6`D95!?rifSGP`emPBIIhH~SJh-=B@GVVwaTrm?d>OJnDJJC=23`^?G z_$CKIW1G0L5~0*y&!E`#*m+Xpgew=F6YwDqgKZgqzCBN7CBoI>e09F^<64j8=%Dw# z(Ds-(_4+TH14b*jk(Q?YFivO+UBS|0Q2B$dVYn=q2q2d8#*c#X z^6$PW?IkC6woxxGE>jeVUfx=iDTHCliN{Fpr+OUxywp2Ijww-l4-!U zplCorIVfe60e|MroNzB16leR(#VNl8w8~mD z+3GQ~`qMl_WQ5Gz8ImQFlY? 
zCKpyC>JDdOq;;1pP)5>E&7egtXA0chsS}_YF7Lg@eq}SvDh$_0Aj#f8>`I+>zleii zOvA|1^lS+`uSJF)%6azX-p<*Ni&oU@T;hGFFR9O5zq+^KsK6T)W1}#F($ba11S{uk zq#F;EGU}19upf z3__ZMZtfbyljunvBs~@1N^%UXhIxEMgrX=-jjF{h%ZR5R#Fp~IC;1J}$;8N3Tu#s$}SF#kHza(XPK;QxR$X(b_K9l z)KZM1HJsB9%cxBewn-WEDIn5FqKzp@;qbFW3>ku(_1ff88s|WAlGTnD$c(N7y{HjV zt}QNxu3vM;bc^=$^lN!OcGGB~9b-7(YIJ`7*FGWHzT7J%fFC>vK=1Vv;M>T>$=S|E z-Nu^1!r8>;&(B^}WF1UDBP!67x5!xhSTT1f>VhH?1#%utwZzMJi1^OZjNajjrVj3>3Zs0_6pcvF+ zW2pPuOz4YXs(~P8_GR!VRiV&tqxP7M{-4T+{3EQ@l0C_rSh2+zjx5M})_hd)Fy)b7 z=&K<(4KAzbvNy?sYFc43j2#1)*8WQu-}vED7eEgMKo|Z$bp4el_TTFMB#DihsRQ)S zksx-udsdJ#bVyV`*?D)@j$by4)dB=P0_iRO zVcOKq$wsHyWHX7lEr$oh;eamASQh_Ouk&^UI`t+!N}`biCV8b!r2+_;juG@7ER%;GN%XOTv6 zorwD6v(5GHCHo5g^YuC)ehVQC)rtKoK&xb1i1tWoa(Vy#DdmLx;z<#D4FzR-w$(?# z;$!zcX66_2`aC!abxjGSI`?;qo7L~)X_3}EQ5>QD_sM(e*NHU;Hj`yjYBabco-;%9 zu6R4fYGFG}l1f7?LDrB;6}bhk%F%|8Q6xzBVb94R$OR8pb^ekQ6 zPuTB7w~pfSX$2VMlo`_tq%z`InI64qa^E;&VzUtR*%Bkl$f=Ff;BIM`zL03j&?`hz zk)rj%z9N*8mpdnv>m~9%PKdDE^`yW)`b5C_4|N84^6<-x(!WS@?j&hSByrw9Xt zZ5A5$_pVRfePKwft{`x|#%D5`jk!a~NTf5=Z+Aa@-ail;3Bn9RITOlM*`n%R&~LnQ zVP%<5ge_i7L0HOi>d=(K0lnQIhp*)O8%LLu8FKk+Uf-h}e#p%lp?}_<;=XOt;rIpB z4MDEgbyVd5aiqX{ej=mjSLAp9PN+*jeq4(S5uT?ZXH#M(qyl>pc z<)iw$42qs{D`R$93EqG=xZ(+0jGFUHBDNZCl9_`BlWYO`{=+vCNFi7!z_? z#yvEaRju1hZ81NRb!|ntM`)&KJN0^+n zg7VXSxEZ4(3TTm;*X%+`J1Py`#%K30)#T2x1KUkWqkaW{6`&hBX19|hb!9{_A>V&| zRMYBL&hR%WIn7rz#sg!l%K9O|N7!4YrQl(Yhf|er<*7H)+6ffH=4iuAXDKC9HAQk1 zZm8<|xP-2PtnKdCD@^1I@GS^vh!L8Rm8vurFf9~(Ax#L6?QreTj-m0Uj??#gP?}$) z^_5g-&6=g_I2s!LbRZx*zHTy*kj&bf_uot}rtL5e4sKGUNTG}c=XmR=c{KB6B~FcV z8pGm$)04Z&JS;wiFUlthdBDrq`!h^Es~aZ&a75UEi%+%{bBiG~ zr8qgZa|S0$E>eylD*w_M^zoSQb#uX_n`KV=N*wfmYA9f*D3ZkA(eh>`=cSBx!;e@! 
zNSv2mR7MwS@5nolnO%H!#-z;L=g!U;#QCb0UCj?^OvJG^Eh8+$K_boU<-%*ueSYjn z?I)N>x+3n3hun8}PBa}7;97bry)qJX&fd1pAT6QhvuX~i+0E~Jf1)Bz9((mnUcoYH{tzh6fr%SeZ=awF@TfkM=9?a zgJ4UM0r5Ulg~S#_91-)g#qGor8OGW3CaT@klRNZML#s!VrSvlulC5-Ui(GU4B!%C~ zlb@?(@lHDBF@k>H)20>ccCOf2CgW2-Ew_<4IV|<3pf+`sk-e+x5Oy!!HUMT>4{uEG zPUXGnn_q4|o}k_pv@-ND?5bVR!{u4*LU;`<@5%q4Q7IO6d5tAXak?yW%2^~Q93`u% z8O7aMHIq?yquspcMhgCX+1NHlJGi>&erkDordEEKQ$5Zcx7`2QljF<5Eze{hk{v+# zAy`oY^5C<{VRIOQmBV{)&YcIp-czV2C8|?Nk-^L!Rb~cJoL3GAMK$RT=+@c!D*I%4 z{eH61z)K}y8zx$FOy%e_C#BDt(IneCtui(7)~Bcn++idCVv(i2nHu$FAAjYQuYNRl zyTIsi1^L6s|E#dxioCem!kpp*JtGq>nn|Pgaws)cp#zM8pbx6&_Iy{A!pmjw&8p6i z^EI0GM}j*R>mT(l%b&(|qNh@A2$$!49puA{MN^NC(e++%r9{ufS?hxt)mR$}R=i{C zSK@IrUhBexZPP%_w(u4!%~g9 z`9a)MDqb@nLH+`=LFLw%x^jHwY%#c}CFa5}(`I2U$vuV&d}S%^hU?lxA#}GZ&qc;y z9^9D3)`MN!(A=&hbUKZ7x#4}9WX2>LnH$q)^PGtoj48Z)IZ-YB=#|;D+{bs@s!6?k zN0cPWWZYIjae zaqquRAbn1jTx<(OPBb1Xx`n{b+nCu}J7_&FuOC=(z=+&HO_;&Q)%;A5Sn8tx$Z0tK zzU*C!_)hO%Bey)P7{t!kTi96(2`j9o$0dMQcBPlf?C;Rh!3ebl%(;EB9p8Rrunhp5 zkAcZxj2|9-j^K|8bommUK>-8}Ys&@jQVy6$mj0#&|H(p6LB!V>e>Jp+3S*fR!^Tcy+tyB+##UoDHX1vPZQHhOC-3fqbDneVz2EoGPBP~h zKa9Edo@33uBL4*(0s{mD1O{Y5zErzR@n=jtC%VUbfEoiw#vGVlVA+|?Y$GgFRT(HK(6d5LYpnO>;MhBOb{ zadyy;+m+qidT4>?LRp%A@#>EtkyK?-s%XT0fiQ}^Ly*B0xsx2(Eg$TZ6^{m}w&~1w zhvc1JN4%ZM9)*2GGhP=MDOJ<0QsJ6>Ig>*4FI2?7>;H=Faj0?{rK|aBrea^c-1!s9 zr4Jr}GPPsV!RS1!#(D%*T@-$!q`8J>8Mt!_unM58oIU{0P_tY>O|c zi}F^0hILBV?FS?Q6UuvbQ&kc^x;6A(Et;CMNx^a<5j|QP38cb+qBztW_;1u|j-CwD z04RW%bls=Wg0jXPYv<4h{V$Pkbf9ea~m^tT=Q4(wi_op`B;^B zu2~zk;0ZH0sl|T&p9Kp34zFYZyv!$o1wsWD$QWQG{}o{8z+?pYYV!LcPmdjz?f!@& zdha1RBcmE}jRGSoNeg-uDkXv8yU=*Y_DRNiID>t3eLK%aGmFlNXq~73+Kz9PqqZL0 zC@?mVI4I`a*Ekej1M_X!5NqW*LzI@QEIy#?yyI#5iqeeRXs9Dh0S^JLG6P&Pm03r6 zE|~j6PxU9ZneSty=?#kc*#|;Os4|P+RRv|)Ry`uY-u#C?dZK`pA!Cjv=B zEzAZDN$4?<9@B-GUMPX}|GH@n;e=PNDYtd7rp1i6T!*;)t+MIK=!)6fi%=6W;6%Jv zUvV$Zgt`)nh2Yfb5fT9zlvO|>S<$&cm1QIJ)ZwfB`nVIgP6_+eUK^YP{dY-*6WQ=pHyOA#je&kaTILorT|Cx~}m5b6swhm$8q5 z>tYQ70)q0-buqBB`(s&@hi#WXqO?5ILFjx7wSX2>z=`#n6Py%Y#jA`>tDhMnlZt_8 
zWZv@fd<@3q`p$G4!c)WZ{A=iWUeFZ!m#n!8=I~?AfV}-GTx~^Y|K9TGKA8hVF=P>@ zYA>pez25jx*(?+T?6+h!`SKxmvKqsYOCo4H2RXX&Z%ar5Yrov{n`P}hCSFVgL{FTm z9(pd~UJMq)mLb7s z)^EKSF^8~(cmH-z%dcM-PJV0Ll4{zwo%@OfY-#Wm|aQw8TB#< zcIdC;8WN@IBDLVFh|}nHb;15Du20~v!qnk|Qy=0j4FH`tsF~`%EB4V1cQr*k(MVtJ zkRYCTgce?~L}-_Up*0Dk6Pd|1S|*^n^4I; z$0qqitA;B}q_!AKNqNirsK^rtpACue>5OR3)b{s<=QVX?wIVPxKjEP|QEUc!HG=K} zs33n>@#4sfJ85na-<#vTqA*_CFz;_XI`YCFIYV)JHPpZoC7!}szYc~E6Ztk+uP4Uy zjjFAa^8}?~tGHXs#U%DDOY;Ae6K`!vWqM&Ex`0i6yvBc@y*(lR&kN)7>=LX6xF^v8 zx2oT7SZBajVk02ARi{nWxPzhu;k#N7;E&+|5P$7u@8Y(&nH_wf=Qa@Pr;Ks) zbiCRWwm6))tW7sMY-1B6{kI+sFNo%gr z?wjL`d#YL3`4E@Sf|XlVHE50&k$X{6Nr^QkxaxO|=%e_hG9)?QQIefhfHr zu|uv{xUo2zpUIw}wc`VM4(}xz%riGW`Rm5A7x5?0uk-wUr_feIIdPQU(o5o=>qA1M z4_F$tQBV1e#Nag}F1`>$+l&3R>>pR5#6+)^1xr0RIWsVY`n(09WkB2vekCplmJ}wygyHvcJrfh?FfNaj-H=I_yNGj)TwHkBo=7twDI~<%Ug+BI&+ylp7 z!NmjAsiH$56i8jZidK7YM8a|gkX+&jd#(D2k;};HELTf?$v67hzoJG1?8QgZUjp`Y zq2s=`3A0&2FDFZC=+ZL5_XMCr)(hl21s4e=6UIz^`GyDjamQQ^w}W>rKIdX#0(Pfc zjFM~zipHLdkwFYHA%QyprJ!>&yw!Unm{jnRu!M!Q%*QmyL#75TkKE*Bm8M%fD4NGd zelw>$oFR(EreVwW-KRug+H!rWZNTsR$0jVxrO}W}hpgl*GJ@h})AX;O+gof&EiJ+} z8&b@6S*_B}(ifb|>uzuljNfNMDXd7~3p17$q!vxl^xQ|j7&48-Z)%q|jQHBSUN=%@ z_-sh)9wh|DUucoue7F!H!wn;${mBEerEV!RHnG7_;Sqf3{Gn_TRIvVBVbzt9bcbsv(bRXFOzRr}SBdG)|A@SK#3@;3ImeZce%6q}|Be z15zLjoFtHhSZ!lJ0Z>ewv-7!>B5d8=C{?8FYydJvE}8MA*`SOwGZh(g8B3u+E6eB^ zEE&YC5LSijITtXEID;-INB7fOaVP_4&Qrg26sNp{%95$Cq7O%t9r6|dk2@3GBbIcj z8bxRu$!KY&Yz#>I{)|h9s-2*CCbSrE+=c!>wJZ(AS&E1K_pM+FHUTuJWpRUMQZK2! 
zH}lu2f;Hc)ESOWormsb7B%Hrjx_L1Z$_Z1@%zbGZw6TXzl4c}ZO5VIL84ha-#W$O6mYCKo(h`RBrL|A?Qi-x znNgXR^xz*4J18dJ8qWtcbZw!GT^ky4QPad9)%3oX`VRe{Tb->BJ{k+K2O0+UKm>np zb$@p7|J?BY?B;(6%K3l9`F{Qe*A*Ctk#8G@dy+%hOe(3EF2fw~_<(6;HE5r~L$yKtf~%g@R*rA_dw0@g4=PKxRjr2wly+)*n| z%bUp`J#MnF-`t_W__z7O3kbHj2-U3=hSkK6dAlx>(0oa#Y_J@b3RU;?SH5sA-Aq_WA z|ClXEtP_EOduvA3Ijaoo^vT2owt3X4o;L-l0I`aqimFs`Y&B0;29`X{u3CDWvdQaf zrgw|=xtAVsWa{hLDo1xaVq2rux$1Ml=-G8M!0Q#qgXeMY%tiAoBVqZ~_Vp~4f4(2^ z_89g4_&k3eS-@X^ysh)_xO&-~INSWZKYe)H92B&Dxwl;0Y7nRXGg2tcdp>@>h~Lq8cp}-+2vt3=TQE4J9R)e z>V5O}_1>)u?rF(@x!!$H!F;z@Egw<0nb%@Qzq^L5)4aiVS%a*^(W6TKGye29EI#S4 z;+OK9{XzZ@dQ8jDKvB-?-fO4G!~LgEtDc+_ulz!zyr*hwz#APKcWyCnA}>C2Z%Xgp zclf*J>C3ZY=izP3nnxTdL}-`A0HfB-)5z54i}>3smlQ&d;hQk8uMBRlTy7t(<4U$^ z99`R7msa>igrd9yncmt~+M4T2hvR#hy=|ITJlnLj&f8vZg`Z3n6N$R**H@X4*S(TN zi9IATPD$T;DjwSnJ1d4~DHCd5zG((|p{7vaeQSnoy;#F*PUQD;4O4FR;5kJntq6&} zsYHhS8FYrmJswnp98^)x|5~Z%slo5b8OYSq9Ay%S?fv?;-)-s*^Ln%T`YlEKrP6D$ zW&Ja6ne+KsP$I`!28Z17yQl8C7jJo{?fg4>Pg_EG!&3XH?EZ2TVC!M$y-KrPECau- zNlT3Vk>;s`-R+*4g6i#IdC!SsAD*k|viH3?n1J%mP|{VGDHo?5UllH83#K}0TME&j z1bMR%nOTvzONH35l&?p`GnmFBc-qU+sqLo!)S{OPPFMLc#BW;JD`(?Fd?s~+$SxHe zkvwpyla61Z5&-;bkN&mC68Bx_VMJm9n$K2t+0g_Hk2b%F{B-@bGYG`z5Q#y^E2?94^?-u3n2S+_$P8(m-{!B4e__wGHH zVxqKbY88L@#fjYq3hxWzdAZd3#4t;UiC`BpEW zZDCH$1y!)V%&dPc!b{Q&rGI-~wP@ujKkvy~46S5lU6))?x7mtA$zunXf>BI`qk!n# z7qKTjipve4uhmc#ieCCgLkeTIhS8x1bDi&l5#XvM0JqdaLjrHJR+^qG0i*bV4$aRl zw%&&%ZAXVEDh4GlqopKpg8~4m!8xcUfFgT^g%S|g0y)4SbcGe|7u^Dxm-Tzn95{*f z_aww7IRI4fulVv>JPJk#CRg}@F3B~pzp+o*Vu7h7z&M&eQZ<2Sfk52o#J+U=?w%P$ca^-p0=_&`01C_t|mzjhc%;2Hi) zA_EBwl`A~VAF5~KoNG~9enqv!b}sJDi|Ve2>ga9&2OgqQQ))#qEsMjhK; zcfptL`4OjV^97e{t%ttp%!*Byio;nxx&7U}!JN&9h;@FQ`dbm=NZT#OMS*zj$n#Gz zc<;}42*M1m%A)^cV}LAZcF`01c2wJ7ea5c+A^!?&*LUksvho`$lp8z zButKlH&HXj6O9z2h9|ziuT^E(HZOWMYV$|^a?zzEZr0eiinOS{COIZVn0+|2W06yi zJ0av@AdVV*XF3m4RCS5k%&d6cZg%faCwHa3%@7W#Ee9koor!8BUc$Lg8LG)R<#EmP zH}Fhx4(SG3s+Y$uYqb)}Jtr zrc}9}iL-Wd=%LYrO;7PQpTuO~sg*`@U)a=%8^BQbwP^JzDo$c6 
zwC4wRsx-S?+R3on>yr}o`{q?Ya`s^qvIf7aw)YaT5F%&X0#CUudb`cLQ|QWW(0aX^ zphZy8f_lpfV6boNK=iC{YlI4bAC@~@AJH4N|IRoj_bc>bXP42&8AIA=KAa!VXmn!T zDB87|p!3kY4;hYiY3D0Nt%7R~_i*4-T|zSEn)O zy~|jII27G4ha0$nHYt<1!5BXEr31m%iPnh_FKrTaFjgyr}gbJ1Kju<|DT` z%=y?6&6}d-sJc4{IqNOh=|Vay9tYc$N9Jt(cG^2{x;qU(3C`U5SGB&6{7Uq3%xm?Qpc5s�V&V0dJ zp#4-CXslmi1!Y^R$!H!q3!Ov|*5y~pWJ!ZIvc?Sz`(sbw3NtcEY0VPCSz znFa&b6nwU_B@3n&zanLh>dd9Bv%}7%z20*mz*}v1Jv=&@G*+6Tu87)sZ@@bpYJp`& zRcy6B*Wy~iq@PzZtp5`i-Y-Fz&;G67RO@An*Hs}3BKxXLtyANBF4&wMj(T_JC?qc3 z)r;t-55}*N=ag=gkP&4gk?+BZ>)e;S5h+$PYVmNPbJc_b@_?-?apjiage~Oa0mCAx1t zN-#4cy^fak;>Ef}eQthN6c!8lZDiZVDn{wInJ4H82Z+PC4-|eWE!hn-CwI!TVWa9% z@@>VXeI4y%j`g^P1BF}&F;+;6`;3#62~iivNSJ(nr6g|{Lup)~*FQt+^9p31TdFr* z8=naXl^iom%lgyBa?R-X=JFujBgSpDY(EnI5c)2b(V8T=WmX|ecFX&0_tD~Db04sL znsR#YJZLpqyeS3Q?d{?1X%z`S_Y+zcCr!`#Gu}dRWr_kM6)l6b2 zY#n9n{I`kjLR?RAaS$;WS{D73j#GuFvMsl?;Qrb(gVxRbt@WiroA7Sr zY4*#FRE)R|zmJeI?vlPWNF)Zzs$)yNGn=eB_Bmqr=57h%8Bbqgg|N$c<%zG-WhAT- z_SZeaI@aO_C8{)?xEB|%qtFWMoHY_a&}gzURRlDn8XB1!q`5l$g;az49Ol&C2RpZPBSV`EsL9rOtHf2{{87W9<&kVC;6J7Mgc%Y921tPt!D#Wcw*d*1DQS z>8XrqMR(bl6RuM~-cKtRy_6DRJ1x&GDr$p{)RKnu^mxpt1x*eYs&l9-_70BW^az3C z8_`wJ#xRTEU$yF-xleGH6Jv+JqW0;lVfn=7$3uFST8U4+`0MD&d$ARLxj7Id4)ByP;7CWa-SmLSjDPfg;o#_Qeb?GLX`2aW2fy&_ax;-v=#Wx%-sU?B~}Gb%J$?0tYl}X zSXE9!4zzi+j{Sb%=SxYUHsiR?JA?BpX>L?dSOU@1_njoiX7UoJ@nZYR@6L{T2H*Qp85rGx+6K&)3u+FtQOvtV-=x>h}H4!1YH}17=D0(Afv6Hn9 zr@ct!)p;}5UfvHS_eZ`$H2^b7t^$l49VBxjVwW5)Rqz`eR`fDh4;v`SRWcI+A?u~l zQ?NB3_Gb72vKg@iiXBq~wo7ZKi&p}+!SQ6zKHEY#MG-(LgB`+6-x_QIms=`#ofS{Z zc_??l8blk0Kl#Ow0c`6bXFt3P_!0pVN!SFwM#4lY^F|M{kjvLp!s!ii_u7gBL>0l% zgNRzCOy9Ky{JT%$03&D1MR+H$>gIs8{Od;#wq0IoPG2>oF9$OHT)G|j6MHV88Ubqq z)d6cGpj74O?jI;Qt60_C!`41x<^`{Xnpv|>;y-uTj7~07+vRWL@_?>NeI*nC#Q7eN z(69OXp}Xu>2CRKc+lFibwTZ-z7Cnfd|8g*jW48sl)|2_MGbFBYN$uu)F^T96JDM=y z1NvktZyM(`7Z9hz0eT{pHIo60@m#PIw&kn35P*B^5?G^p?qW@>Y>sOBYz~Kxklk^= z6R`5Fv_-3%??phEz0hoqd6ApFUZWN5uF?uA1@RC7L>jaJVqaLq5BVBKuf&6=3z!#@&=lTa^C# z#12klb0Lf4M1Fy0d)vZXAc8uDrExhh#^i8lRS% 
za>ff2!E~uNU~i`ga)Q3hhPe$oNz^F`wzjN^S)o zoJp;*tW%N7RA7Q^k?%l1`pG4NoLKCt!?cLh??hXeIRAw%!fi9+7tC$(UH4>jGSUm{b{@i9!N`))J)^uS=X<8%_cP>kvuxKKg*no`r2pgC zggjJPq{>w6Mt(nfulCZqnNEfE*U$iUR-3ygEEty2OrMD_n@Z~Q`CCt}!a&hi?IW7S zx>53@k}$y=cS4R;SPsv!WTgEaR7!aco7WLC{^R`2?71V_r!p~s!g;+^FV9gu6fUN6 z4?2+=i&zmqef&r1NLyQGxx@?A5|f!lw>T-c8SA7jQXc*TO@iDlB1pZsP63A6+Uj%> z)V`Y5j{AxaW>HWQdb7V)#M>rmXQvnTkLX@w#x1rS95Fy$Pxq%q1zet8X~D3pWlzl@ z#UL?31N-B{6)h9xM3LiiQ?(#wC|YKVi5#8C3dl&(TLm_w(}}+^~VZ%Am} zk_c8;$g&tW%T#X*ul2EL!Dz8S9mApFplQJ@UEW`l!r9>YY{Gnuc_fzyF^sj>@5Sb0 zYM{mQD=al3$k)x|k1S3cZZSaz_t`ERxkG(gx?zE?9ySA%A?O#OmD&?XcWSko9iBqMn#H3b&2 z-e+1PVm7zS4Jg^pdY$}}0tqgaWuoKa>;6&1;28WEqGIO+r@HJC0E ze?A$B5NdQ}Io7|-1x7CAlj-+|5$%a_)WZ~haVb&Z4d{vs^*P1(zp4rJ2R829(&@PK zO|WlN`+r$H9MO(HkB*SXhYK!{!o#@qc<%Fv_P`{f-8aLJ5t*;$_(78=J?;z|(w7^K zL}9+f?XvXw(TLccE_{1zOSKdED8U#Ll4c-W(YfOwhWg?SU*O5GrZKUEV-{tN=hOy9 z(yWqrFRRDtzZ0y2h*M$Zp8F0WQhXeZJeiH{#gL2Kt-^VDtm-j@TeP!f!a|oV5Wu&A z^Of+GCPm@$p@ATS>M`7bL=8KH3(Fp`reZk;18wwAt`>K?P411(#osvSF}&futfIln zolo}HtWMgRbpDJ5&JPl$E=`Ir>py5cR&>Z|t^^|jchDi}LofjQ1B96b>jP7;y0n@) zf~YA^j0QH$KstR4uS4EHG{&gNlu=I~PmurieL@8Eow*@QpWo2tRE^_;#DgFCr|%qN zASCbwXQ2(pLa@iMsmqX>WjSPI>8{sU%g8J>|Nb8;9dduGEJFURaufWwN8kCO zZ+tio)!AX}fdY9xO|PIk0!#0pJspwE(O4q%`E>N($!gLEO5q`P+}ur@+wT62XoI(= z3^rY2Q>#j!|5c6OgSCBHZ>o#8?BMHjM|Y&6oSgn5btU}7-`a7rg2?J3mPiadaF$B{G4p!zDzaTKhuAnV zPz=)7u~fh^U&_#Lqp!1#86R9qh1X!sqV1E9E!sp2rYZ5S(m9MBF|p4s$D;!WCDUrG zXe14**(*)h>}7#T`+p{-{m-PKy{iN_2iL8%9mBQ(A#9SE29su<+T-ZcBeBs_5ae zQegN!zY2xh!*x5|%CcYjxuH{$zrmN2>i4+L7fF`Xq!FtOxis|QhaRp7R$R9hwEa@i z+CP-w8>8&c$lVX6)m$YZetAto{FlPP38d>tZj!MO(?1pR{7;3hV~^c?0{~V0*20M_ zrx}DsV=m=#aMvyQL#!POwW;vrtIx$-+4@2HDptk*^z6)UqzmV={R8KJ?9ewa=Vy8e z@2kXX<6YF@nm11lH)4BKYW+$_S02~D6vS#iEn+84Pg_^u@gjkn zao?%m8*Gw0ujcfnfiJpM06*CGu>21=poPbsliF05H5_bKs8Jl0KMnC4A>T4SLI~Lj zN|aCAUdb1!Hdk(x6D0TqZwiPEbgh0Tv+0w~+zj@06Za?2IE8E*FSR^^l9C6gAST$k z)0i2+w#2Y>qG_wgTJ7aCHL5BE5CKnNUo+y;#|g=qmXsO?hI`L-*eF)vHTw^I1=jV4f0`98R|9 
zuZ^kRKJaKcNF=bToLhjD72av)7eqESZvu~t)`FNcWDZi?6jw8p8&K<%h=*-Ux{M85 zum(B;+(^}rT2X>y9erY9txXd$ZYL$pkH#9DKbW%aa-d8l6Bq8DV}Uox2D+SF{Mcua za-%$}kjRmqU%OT>>ztz6>=&HxYp&^fF7Tz*nPl=8(gd6Dp5B#%o)%%RKvuzeD<)!& zMfDyB5%;X*H2HRhd5RdDOovmxWt)8pC9jI(%r0Vq#p(U!Oj`bI1xbztNs8*)ms!R0 zpHggP;A}EkxMcdB-d_l@40w3mR;}j#_E_dVy|eWXu*X)5>OV|=OPO=iGg`IKJpJ3` zPlnsIslQBi5B)Zo2Kn3M8vFmB$+Z01^?e+I{iBsE zah#E?!Cs3!r(Z8m?yf zrqgd(2o0VP*mYchiXefI3iSAV1k;Wtmx{)oK~Kw?bF1!_0NrB_z)aF*#~%lmTNz#w zfiJ8t{*K+SDqiCPy5{-gLZ~WH<6}k?SLzOf>4HCZJ}7XT^aR@xNI3-U@wxboru!SM zC2J16tlQ-`8aAi9zv*@|-HD0K7UYbUN;mupyNgB(2*6+5B^%|=!M!TU&dF+Nq%vp& zG8h9!*Jl6}_zMn-t`B@{5B!zilOOhvl*?~8OdX%UUw}O?Gmc-I!W%GIp)+Nz731k{ z+!+mRLAvl$cER^jdUP7I?@vGk;ofDbdV|npvDX57A;xH6o6!P-O&)^119=OTU;V8#1XMMOU8*4#)LF=4%=D@UW&%yN_#$rHgN~FmD+4 z2G0yE6UKeB%)UP})rk(Ucuupx;yDF??+CDKgZ*dm>g3A*D&B%FyWWWDiDc4W3IjI- zuN)&Ub|d0UH$XpC7NJilf5w1lRYrpKrH%IovyH#h%mTTOq^fqqCwm;UZ>#-~Nn zjgEsclTqNNF2SF1q+o#PBGMm!+Mx8wR<1!8UTc3@-(6Q9@&wYg=RWuxb$z-IrsrP% zWNY*l)l4+THoW4s4(}*U4)do^KO~RDt0qVKql!m%!CFH=k{)!@y5UDW;P(QxStD}# z^70?zj|@mXm5Rj!Yb8+$)#~V^W*c}7ycpO7Eqos#(buneHw(!3%s?6__U1)Dpj>xX zh3$^EHo9m6VjgSPNhH%Bi*hh78ZM>;PJi>n*JoAFXvw2qAA?+{j_qHgnlUvans|Zv z`)O(`Bf}q>EAY~m`UV~}RKL;|_npFDTeYRD;Ew<>zVbT-#@+ttd65RG?|I=ihcNV_ zb_#KWaXC@MW-Y59cv%8C7L2_pE5NyEKag!K)!K4j(*Y>Wi#X89_vS(OIB*+eE$b~P zg$SvyfyL{3f%p#jk>6KAa74~UTXIj0%T_K)4?Y5RS>G#x7~%wu>X;_v5f{WZ86lfH@Q}olHRPa_s^?|@5fbQ*&n1uxnM^2#r zc!WiOTiRFSr8myhyDhBr^vc;DI=e2xt7jUic*LqXJ-K%9FS<}dyJiJhLAyTAK@EP) zUg%AI^wJM2xMjb8tX=cMGsw&&`%SdIuhu*#W9GGs*v4=RwGOO7$BWy8rQL3VcbFo$rCv{TYykV1i}}2 z7NcQGnwTngp#n`#0)sek;nc4#(CyQxK4V3<-#k?~ zatPMlq0+Gb*z`&iojssfbjlrj8`= zuS(}|KMyTvc9Mx8L#y5d$R1bC${lB;5mUg>UOKk)%nv1VHj#K<`)7oDz$m$$?Sxn( z$S2F`opYEB9YDL3EucE_yH)GdOqToyE)0D#F2fy)sMJ1 zss!_8D9X5QHp)2vFW{Dq`JvAKzk#WBxLNwcOpSctyq?_JX_RyUX_;_d`B*O#4q0uw z0+9U5MoK`UL-E-NHlFH?{{R*xRTVFk84(Dj1y1*_we!r3Orl^9>M?Z_6A^2Ko$ z0O&pFXxkE!U#)awU$HX^C@mjY5@uaMtzt*OC(t~-M9>c^Q8d%?n`X=2A;EE>uW!8W8crt6rA>ZIy= 
zS5y=LsQ_N3xObL|($EPcPQOY%7y%QJhK|qn#&$7mo~h4%@(KUL9`X@j$z1#`pYQeY5_0GgOm(ym3$PW!nNU@hic_~nP|TN=aJ&am$Zo~O{RTRc^UsTxzx#oDDqquZQpSGdzs#MYG!>sHUUHHdka17|C+g*K8-_u|7SLBt9@9^}DW zr}LF8bZTT>%*9%7K^bocH@-6G&L`k+gN6@t)^~neu9NqU{XRt!OQl;C;tf$Ci0$$w z4C@=K?n>|qw?>^+{!2@|!S8s*4@6gDY95cA28Gd9eE9RFBEVV_VFUsy;aDOWSJ~Ge z76D%004x^`c{(}B)fcn!z8($z1Ld3or71&NZ_;X!e?t;2_Am_x2Zc7{{BR%M$B&oH z>7~AX1AB43UD%EDcU+6spOHW7J*bAn57ty08YvOc`QLL;sG5S&{oXH!j1{Pt3VVjw zOiem_?mcv|R}4+5RK-e5!Aq?_*I{9~BO=szlU1>V+@vVkGFCDs9-EjT;v}gj%gzZH znY@|vCD(A^Ra5q`Yb0Zj^s(NNS?7C&T$jEvDn8Jq{x{Q)zq^1XWv4;meVlOmTq>w(La1%}lg8oWlt}QR zr(ylCe^Id{0jUtgfK<#$y@t#e3;U^6K%2NDpOcVz*_n-3X+0~*$A?1Gvt3IO)<{y+ zaarhw9X*Go1sH$C?{f2)K@nCdGA&g`^QzD0qR~w!#Xst9K%GcZFNfARluDC0g~U7l zh}ST3W;azcPDV5jiI>cqPy6bi)V2F{)V=bE<6{*Ia3SlVhi^Y;w$dbjBCTtJw%UpC zU|%#@rLAIdRaLb{88b4u;M?pOiq=R5p^7mx0kcE>=Zg9gbMm=&jd=Ob0V}KZlSFln zP?g+- zh~d*_TwTrB=n@Ce66S3m7&;;RU?I?9C?&LJYFd4!Q3W`%Hb!3+K4P@ba%T%ks*SQK z`_#{n7f!$zP6(xn_`yM7!qB29NAqudg6RZ%rh`>2w?wCfNZ`2N+p5>3Ql_@JP52IX z!3TiAd;-NxIbWUSC`1tp=Z{&q*WgheSe1vO#i*l1S0*XUf>*ZlT*rsqFJ{m7 z^22sPACu(*iom1|Z}F+g^m8q76bg(LBep06IlmH=&&HO|4je=D^oR5PR0n;cB$Y(B zV-*C~h)=uTBPj2i<;N)B89LBpS8nN8)-`euuJxjN8~{hrJU%TC+IE|kCB&2^1iu{e z425ZJwl%uosAL)z_b(NJL4T?c+IU1Nn5Cvut8G&4ye>$CDj(4j4T5{;w$6A!A@#xx zMX(lvGLf-3I?lL?#-5dt$f?ZohVH=IM;FdqALLRjTRzK;)%b?-b~HKw5e9!I1aYPg zzBUNy_s5eNN6{fYU*UW5Cn15;dq(ruFP%jTV zcT$Ae3FI6-5Qye4Ah_Q^W&Z+V{|$7+zo*NeC;!fB6@bxqHd8H1R0sbjLdGocv!wyM zE(8O3?uSbA<0L@(1LT9Ogb-W+hNUQ+lzZTkFx)LMRT;73A3or6JCY+8n-!9H8Nyl=uI=c z5x3Vo4_Jw(A<%)hX+*Ri zpcy_H30v$#AQTbSWyf%nT+GaM$1uKP!^`nQ)PMhrgubiaG}k8(5QhpV5WN3B)mCHx~Asrm{976-^(;eQvOul>ID=C@LNhyy# zlA^5#KEyAO>4P>9B{2|i>Xk$zfE(S&>d=oA{P5=e=HlA+?Af?l#(sRij_}U@uxH!o zweY!oE_2=c`dn`tK()SddKY%Pz2#b?+xEUUzI&GX{&@cW^mgpr{F*sFysC5ce0$bh zQGtAZo_Pm+vVX00nfEh;9#(UEYbjA(>gwL~8vr>q(K%HvQx$pGS&w76-+4@*lk=s0 z{&dfvahalTFYNX_Z1uIMF%ePEiYYAU`rQ%AU-IhS($ix5E|R@s*zxPtwCQv80+qKd zKUMpJm#h0LyT!F*m7b?IZ^fN=zRhEzsh79+d!3HAv*q^kuxDQTBV(iQxtF&qpI%E* 
z)16Ch!8_Nx;jlwoe`Y{xP<`UAn|DL2^YX64*Y4EYGmBfdQ;x;C*f_a;FqkLlFC9@TS zuM}nNrD($ZBXiBOo?lHH7f#KZXUW`IxCy_E^Z&$V@qVmaHba6g>7RXVPP<*z8&qj$ z%2;3L85=EnEWg>gHhg{b_}ch(w@zGrpUic`%>4M~RrPw;eX`Vbf6lUM_w-?2A;ecr zb-fkq$@ad~6CGn*y7j|Mi#aL$$|CrJQU_JHNUd(%W;tUR}v3yT;1;x?DklKXC$639)Ka z)bQ=|^X6mM?evlT<9kNJvG;jG)cp24KJngrQE$-bvYWR@))#2rbD~^+qJ)aWoHXrf z-MsD>ho_SL8>;5;Dq(y;$uR>VGKMrU(%XB@>Skl^kTfp?_F=gvM`B4p2gu`5yu(63Y#hXgm?9sVQ2?sG_mAvvK( z1{E$H{-#T8NHuExTJQ=jCS#r6!`_ycf)ITg}L6)Lg zSA)%AIBR)*5m_$x5%hai>%i+2qt}nH6W`nLROVp`qA4a!?#4Kc95IM?61VLOLaP+p zkcL(NumZ+eifRiw`k(`K`x^FsVn77|!(f47R)2+c0Bqqm zK8n`<##sg9M40-G^Ur{Pc&-%t1w5T5TLXrn0mFVBKd@LcYPK49Joumt3~-z zAsN>K;^i^p&A`u4KYR<`f6RcPIzCRTpRk2^qhIs*wf|nyN6U|Z*}WucykvCqXCXfT zA>3+R|9$`EENJ)t5%w0qaV%Mvu$b9mW@aV}ET$GSGc#CZF*7qWGcz-@EM}I)wq(J! z-fjvH@{qyO>C}K@1%a)==dc++**A$zF@EI+}q`|kwG})yO9xNd>!j?eM_|P zw);w7BN$N%4MFss?-Jw353EqReNXN!>_r}&lPD8`+-!7!i9k-aiPy!F2%LdiMgOG* zL?ao*@#~8@$e4UCv~z&>8cCejtqFFJDKV3OlRlDVF6M$AN0DxHoZD{*%ToKe68}?FWLhdEWvLwERHku1$IoG-Ha|uK&;$OPsFM=)C zLRHkFmig@X^Rg0^ZCYDb5)-Nix>unN9rOgQ{Xhxp7JjLP+5ff>tq$|iA$>0jIRulV zLgrq8+Mn1%=58YpupAsByeBGdfj#%dLksb!T%20|H_}n~v%*RTwzb%s2w2Uq2rCkX zf4Xu^`DE!+D1!3TvqD021zeYiAaEL2ZvPj^n8NU?j^hiY}8ewaP5e zkM7cef^HUVD>!&&JNL>PdHR8){EM9mje|cH@$XB&PP|KZ7j+(_mv1Wif_fD-@eRB z&E+nJKOUQJG0+3m6R1B`o7m^CPM2P(N+f_p^&;pwj5Z@Zc2XO(^0ou6*_7O;q1iVn zNEtm&x&OFWOHPlR*1fgRXEOl(%1!HEdXPM@c-vI%$g`#rkYZPCEE@>i2G+Rd3MF`X z#IPJwgCm~qKx0C3q<>~dvg>I=w|q`aRg$6qayyw#YKd$NK9(t6mv0!?Fd2US#u?hIYk zkP*TJHJxX5It6&=iKlnnYFz9O?p5(;zi!qHdQ%#coSX_orB3@ZOewE#k2*?+U!1kZ z9&f&a%Tin=CsZG+h!*WJIui)yAhmVaTsEzkQdpnlPl~2Ymvq{2r!}pZ_ix zXEQQa{(+ugLd zKtvu(V>!DprL)m$f~eNQXM#_8Cp+a+b_U_2_Vs)PjqmyVNNJZ=Y>f8ByvM?W)ted` zB#+D45n5wM(}b(Z!efa0VtZ%B@!K=*fmx42DQD4)8DF#2xjyf5(>T*oIrPMiQ0=?% zZQWK<VoiagyqMZIU7SY#sS9TtUcgOGkXKX!oZsRS2Gd9Y}>PVsM4$hCo z2R36JcS@rK?p>*X1`$1v@{4G9qDdKdWgqSKr))_Tu4#&=7F`0!dXc6pPx4x1T^+D* zwa@A>P97?(!r$70xIrAVB@#S05qISX5uUW1s_sWG?+$3*AJcwQM2HMF!^agSSkelj zY~Jqo?+HGIvUc?OUPa$2<_&r~DpgaQnbEfwBYNgKFFAqzLzs_j*Oyk&S 
zV&7!9M1o^P+!7A-Co0qT62=iF&+DZ}{hbnn@Uqb_vROnDf45zFXm-b8R(8!*mkwf@ zyo?(-d3H9$oR?2Ph&8GIypz+!8?co*@=~hw|5lx;9DI49>hkS+;qjSq-6r?bx&C(k zeZR$SvWvxg;(6bndsWq_jcN61r;C0TJx-h4giLSB&%sIjKqkoy~#v} z21oLw;K_-n@|4dMW)ba`q&O>+qHk9=eMajUW9hoj5%7-Vgxj0%rDyR?7P?ZYC8fw> zR})_BnUwVvJK|u%Rxhv4p&^HhG*FpW2Tt1VSm$wo`jKfIlg%ve{Y)}p0ZMHZ>!8)6 z3d`fH62qseBPA<%bAK%Yw5$szxB24fdY;+LzneaX9zG;(*}dX*T2KN(rYFrzz*Mj zM;;|DTJr2Qb3{VywPC9E*0TNj8$$eNI?|YI!T>u@q~Y`By0>!)vvtIMi4d&4)L!R4 zJMf_xNLk3i$4|&y2Fq}(nblvrJ$ra+5$7PglD35msTg_>TN7lE`e@y*Zg-hHF0<#< zAp1@rZ=heBLwg6o()i~-gVGNv?6l3t!h&PJw`^YjkW$crZc6cU&|%GCq`v`fP+G%m z_r5zRUA`CImHN<)BOpRLUf1-zq$cTfG#pLt+b~4&S+n^VAU-96z}Pw3SeNRr`Du6^ zld6_{a2>)%mR{R^e~n)>@On%r)gWHbcsY?nCxKf*Wbbdvs$uR#p^Q2 z9RXL>F}A$Bslkr`aV=-*^C`qjIsUi^?|OR4`P(X;*G6IQHR6dj^Fk-{4{c5d``v8? z5jDJK^iJ@}GKx(+gF0J;f$lSo+8E%o&Ga=jQ`Apl2fFKBuwgbc7i0qwewL8#8E|c8 z)(Zlcg}k^Nye_w81BtQaCSSz1y7z2|t`Rr!oW`sQQ;fbE;4}w$fg`j;3%7B-9WVQ! z2a{3Ox;abiZENrXxkXd$Zkw>hx-E3$3~#&e8~=b>%>#UFW{&s$Gy`b%mUVJvT@7~o zdx;=v+AjSiHO0aHFR4FER=aqk2Bp{y@2r@>OMbexGc+_uB~k{QqYMV2`}d{krMI(Z+>|4DRoB0N=*74yTyyVo$o7i!5EhwJKNO zdo9PG^P)G-s7X&s*9h<2g8UQe8j;7OSy85*uP#b!pc@owV}y7!Q}6zqJF2TLt*#Q- z65GI*P`aL$uiWaHDCNmg|7qM{xe_Jy%dR!GKR33Wzp<;oJ;%P39Zl-zGDk-;;r^iS zu;P20`>#8XP7j%uY%k8x-OYfu)O)b+4VKKwt+P3Nh_RWiv8!j-mDLoUtHN7!`76yR zb|EBo;>I*1{@>)*sNCE^V6;IGD~$GhmLH!G*k#*y-ZBCPh4fY0PlA+0M#t!jPR0ys2X&6Hgn&qb@eN?Kf5 z?3teP!L4S+tsy)Hr}!2d+ThGuP$3nqYU%R)7uAa7pF&$xx~pzgcJ>!%<3#rxl#x9q z_NqC~sxfX-W~<@st6}Zs1VUS55VjCcKuYyo_Nq0{stu8_d7-~Qt$;+O_~)NjtCmR2 zdRn8m&+k>6GFkIGxBq%zBWLQkToU>2>TWIPX${$Rq&z&JZ9Sl!C@)n*w&y-bGhL3Q z>u#;)X`KchGUMOU%>hzqYEb5BoxHx?xQ#1T@zvdWeG*rGi1C)R0mpLNw3M)6Y*5?! 
zp|hEP`!3xcNO7-v++1TdUa)%);c6+8v5SMQn_~)8|Ki z`EytErD^m@GFGlnh)H#7wx?tSvVFCbeYIb!H>p05qPz7S?15`hpgs2<|6>8X{j{__ zqI2II&s<9@ltB{$0*(FEkBw#H9$Oe!aHi?8;$8KE+k zIWq0hTo-SQwq8H$wB9n1wtxRl9roqiATonRSr|!$)y=w6i@Y2^b)o1h0>BXP`LQJLep5 z=9;veO?+j}B;raXQo&c>Wv>ebk&3ibI>F!__iX#~@rs67iS{v5*-*67W(@#}5A)6d zFho}vLypdg+f}V`>C$9Lf0~^ zFRQ^#3v$G*f{|2oZXaEIS#Qc92nK}|grLrm;Y=kAq;C!Zf#s1sLWIi%%VnJC3J~_+ zAyGj89r9w$92nB|@~@D*Pa#Y7=Kl(r1%*N?6xN3%*O#L-QA`5nY(-;@fxSWV7>yzv zshq|nYA}mFf?#I|MJ8%+OBRT<)|ui$D+*#@0Tq(xc`l*I4OClEYIkk%^$Ubh9%jZO zb!a`aDwpkbmaVybbhX@4O zHcCGX3D_qQ2tDS^Ss5!e;H?D#qO>gjE5&HxuuV*f;<9-j?OG56P@;`Vw>Uy!AS7UX z?4Z{;g5Nyz}%kR3^O{6Tq|Kznf-R3j(D5k$9DW^u|L3Lf{JoWeCjv?b1)_xg)Gs zh+7=Sg^sCLOiO(uw@7v-3{n&>;x=~&-2cf(S_Hy~(uGl53sU^O8IdF)M%J(g#s9N1 zHd|XTP85p&a4Z6^!4Iv4auiU%d>m|}b4z@2J?^$Y4d(NIZZH4=>95f{$H%8T;Jk0z z<|{BO;MQ~g+HrbK>Q4s&-H?ocf}aPx`6%w4Zr`f+l}y>^tt|!8vEMK*3~B-|5e{)8 zGco+rgm&WZC!q<#0g&ThP+I;UgZ_hlx&5d_?{rANM~4SfXE&y`2SV>tHoO|;op{;1 zn%H~V*t@$VCqjc|V9M@yZ}k0niGJv(li^{YF{>txMqR!}Ezyj%l7=thC95#Br?x*6 zzm4h~H;hJM^vkZ%YMqIEi7w6_uRb2i)q6T{Ii9V3?XToos3d}J?C&aaDu(LS8_$|j zt2I$Ds#I^FI@+4l3i1VR^GE&A^O0un8EdMWV(*>97TNA{XGN%qjYEv@U$h@t9NoN} z-V7Su=@=#IFvJ(5fY*DX_V&5=MAh^CJ{Xg>n)@b+tk=t;_rXsHeUM4_y5Y@?>uyuKqiAk*^TN~R zGc~GDbJdcQRhfcg9c#Zj@DSH$^^!dZ#v zu^c<;xk!FEXY=b@0_NT$5O3%rH5VowH~$uErz~|rjgz62@Bn(dV*r0`tEP*lNNBl0D=8&CV_W!T-4=q`r}zD-;gi@ zS&w*CF2^xIQ=0xSdd`uK;Pv|dsmI-6#7^tMoPJN0pY?+~8nd9VSI zMqb_OtI~|yuJAx0`6F@rt(S;^rVKUc06a*AX0;-CHEP%ivG?zT6>l29q`=N2^(-<; z8LTYKO^i=iQY(_6>d}lo1RyE|MxKH*3ERGT9oZp(c)skhKzU6?RQ|AfE5qzp}I8#t-3(`sHMsUJ8WF0eo)7cxwHi(sm z{leUcRe~}_oVMQn>I$Ni9p~^6!!F9^JVX&@_6P!=9%2E7j!lu_*rO$`NsL*b`NSG# zhB8f@@#q|kW$gF4VhDDAN-ymTd!U8c$=xcbr0bV~dA90h|U zixGAG_57+@gn4=|98tDE7%%Mukt}_L7!AP|W=ygq8N%$1&d(PhMZ6??rv#Q^X2)SN zDAVVlP^^ga2-M8d><4u6*9s|Ap%y?91%F}uOT@X52>TxqKvw^65z#}UjWXSOe+yvA zgPlj9>moGUC}cfHnZ69B`9sT%(U-tag^C=%n+$P&3f~c!V|?xtDj~@Lg%l4r>q)b4 zqxlNt^CvzOJ4uFN@M@8GRB6xX6U8go6iG(-K6(KT&fj93{;y&z)Y*SqHdoT5r|StT 
zQL_Ek(&9VUAZ*~d!K%>8?aQUJ&Ia$E*3!oL&hz4D%u3UYq+27KO2@dh;oi9YV}YmM zOQYIHuJhsTZE{~Q^9s4q#8JxLGM)Kj-L82oCkimSa4&xrJf$yi`IJ7`f9|*(kz0mn zHiX9@VyNU)A5zan5L#vKfV&-t;k90&sDiG4w;>{O%_Ag)047DGMO^9eQoGwqKt$tp zxw`E6@xC2B{Z+L2a~xRi5iO+eVRMq}uCN0bM5 z|6^KK{A-^U8**V+&>-Jyslt)xx%hsT}Iu^J`3?_9m40ME`M@Ke9NmxmLRNT?B68x>g12o7? z&n9e8N(K1nl~)BfrGM#A&N~6>cz6D{j`#7+23FGl2MN~#%`D&H#}|bZCB1KdS@9|D zj}=c!|Au%f16uLv|6#?5;bHLbA=F7|L*kv4H@U~e#VgzG@;rXwsVNY`dHir;76#X9`E7Uyzj;_4=Tss`ydHQljttk?^EeWrpK}{Y$#@u4Q>&Q_##dL6A4yD_`yPh;d4s<;`HtL z7)cEmXwhqN!bSd)g^(I=*shJHxXDXRY3Id(NckbR9aS9b-h2$pP0R==*4)HP2^xd< zcL=64=3yKt){=K}k1l!_*DtTC2^B++z=1``8{LDiyN2}}M`AE4%@TZM|p`bSX{NF`CBU5iGc z(iog_x62&K3Ug0yeaVx0>2L;S2&fSvbdVOBH8<@LPZGvH@rqCtNjZS(cDxm*`G?6k zhxCPT)t;z@#|&;hsh-;0L`@`zkq8tpcr>QLqw&%-rnQPRvr$DV67LXhh_r#+@`PO^ z$22nd5H1o-Gx>_c5~nM*b>l5MB|O%@m3`n^Z@vzofUbS*K>JG-53 z=2=$39^!(pjp~W_4foeTZfNFmgP1Os@>J!+>G2`VqiPJbyO7Jbm7s2ciqFW;%@WSK z!vhtJ)tukxA2z*5)smB3U^NRnM59TbFB8_?#k^n5LaH4L69kZc9%djc_+}+qZ|1bl zy@S)#3DsoeNpMPPenM|z_QHW>!2gr%HL0NUu&A(7i68@PD(hx-z56H@uhtDHSJSrp=;}KL?yl~_QYTfap zWSoe2mm~93bP+I|m6Cf@5GInW6zi$PFktE7l*BY6^CDgd457P`qKh?0@n(S?C8(( z7&Hy_fwX2!g*4n)e=@b+OI4--B}g5WDXHWlWfp2>Wy#@xq87pa6O|Y#go0?Pjxr5V z!Tw2^J8jm?MsGO7fKx#%I+k1>gGazT|5t?R z0xz3rjFB-9qXbb_1}0V0tL4f=ENmIb6xjP5q*qwqPt2bgmKWn)iJg zztV3vQ^+5;PN3=pGGnf4h?CM_*PkwPlhJkNK|qP|hy-PnXz5N_U(?UY;-0 zV7OlRX<@j&2wl|wK-`1cjju%~5G_pLnzBu{yBrskrrmZ(bo6)*$^B6Y-WaTS867lu zAAx8(q9Ms0=P+@fh9nMNYoh1~7bQ%(TrG5=lx_?8JypttZmvsbTgwoMV32Su;SR3ew+jGo=(WN!zex)QXCj;>5pB<0b+z-&wh|-F`qs9r6}<2SQ(l2 zZtlN<+15Y*6*GQ(D}U+`2^Ja+;IS|U9B5F`JZyp)$Bog^&UL8ZD*jO#0tZw|t^!mF zP!Ir*bKs3<*p`GfN0*o0)-rm;BFC5HPR-}qWC;xdF9K5HabKX1CE*k8KLp2=L99> z8t)+bJvGijG$S>^VF(dMnmY@Mc+aIEA~GH==F>0>ANJ5W(;uf8MeN&*f%GN)gBG1{ zL<^Z?)^b=Aku`|-)|4e8RR;Db5AM*A1b5V-&EN~y@L)p=@6tsypApcI$g}QDX#Py( zu18Lk^R3?0AYSg3*_p5gAPoG9$GzlGaA334t~jRFXTp%+snM=#xaf zI$E*G|JP?e_W=vs1`%{w0R#UaWBDyhCD_o+f5in!n~pU)p}>#9=SDBLFG*j#qUPLM zv!0h)` z+YF&}{kvJ}7r(uSnA142IR_t!hnEIYQlv0$;(fm`kycWqe7q5g@- 
zvW@KA#xP#u^EusAIA=`9P)te{-+iQ)pD8&5=<(1p%n@tg)WL2rvm?Uzcb!{d0wAkl z0%sgbtg-be^4%lP+^cg@2Dn`CQ_1LymU zfA1g(##StZF`J|M_GLAj&yc?R{R%|n7JCJ~g&?Y)xfS(QJ8zSn!^}Q*io>JH4W?Fh)APE!n%O!a?fN0Nv5@t3s52la= ziTnk=kDS)%Hm&)GTODX=m>}`H0k1f!FG%qm(HHnZhY?1dA*W8@|23$-%*H{r-IO&!^{#e~Dm+CRz;Wlzkrg68#JO7tTI1Lt-Ux8ALk5*W;DHLYizK3rOF2 zC5Pv)c$~ZFf4q<#rQS!*L;p^KKh)2R?*R1dzod}){~Cn(+cBZn{K{Kss*K_1B=?hG z-VarXza7ICuIV!1%xx58B)GjVqm71f#=M1|()2o}|3hrePx+4|W`aVXY^BrM4`w(C zRKB2*e`@je{}mYfA0_j@M1YfCQhD67H$cIHBCq{0P8hL&hH$;#dd;c0s^+J`8-=TZ!`uXovn8c zS{`u^y2tTs0kTNsQw}ZEV_a}BJN?|VGED;qeS8h}l{+BEx}#qGNwo zg1184V}5c{%o7R_fGqV_1syEYuj^yB!WP%;{q>-Q#Fm0_29P_bo5@o9gY z*+9K2q!K|Lr>244p=v9XU^e>OlUJ%k3eLfrrTO}!#BEYG1jMz|?B)??9Y|=q3^;7+ zdXB$}O9la;blraucu8@VdI(@6^0zErnuLA=uw|KXPk&nr|2BGy-)bV}x46kv>T%xQ zb8#C83UL0KeGG&t{R30_H;gWz^jT?=;LrE8vyLrMAPQ-mx7*kEf`HIC0B0gMBc{7h zq|Sl*$?xHN>|fU`34be(X5asx!9D{@c`oJ$EJGG;f)}Th6|nwAXFYstjUZ<2hqp&n zHa5UHH2YZbQf`#Zhq=%4x@K_`3UinJt0nOs`vzNF1i)D;{~oV2J#UQXj}%1T#VJKd zr2hbA19uz6%BVqbPro^3Z0!wYLcJOQMe3HeBhmxW7K8>YTg-_uvX2wav$z0k!lnT3 zX@`tV*9;Ho)IK0Fgwl21hN$HG#lmu`YvC4q_>P`N_IGBj2UlE7WEvJPLsHS}StBn$+9R+fT$>~X4AJ|!o; zlA)#`ofe@xOIJf10Zaj?pqhj1)kGNlwTyDL_NTg^)3WEWJi{%K=y#Abu@?ped<8ZO zj257d^U}wJYqI5Mv_Qh_mdVqmPEcpr)(bPIfSt7XW-P?f5W-PWQI}4-(-%ckqzS3L zfgBnt(&|ZSsy`vAfFXI#Qk~G`3z%su&D}d;zwr1wfgOn=*qhN(9n`aZUHgH^W=$f@ z)1Jkt%0q)-Y1qv}WT(hu3GS=_I3!-3cv^rGa-pM|r%r>ogb<||adh?*Z zh|kMP%g;($!lqXSP)j3z;i1v7$Z}GmW{V?3)U)$QRRq8#e>hcl2CtYVeTsjg03MF> zvmRu5aE24Z2n5Dfhy9&MtFj!Jq@NVDsi|}o0pj!ShnPF9HPm5{M~6<|RgQ|7i-Nzs zd$)-l6(LRu^TY@0@IgZVvEqpQfsAXnoZlkWi4_^x$A3tYPQXTsD<~<|%aY}lRl!8( zIpjOy`iJ4s*Pw<`qp;%o0~cX{hx<7g&k|H_Mf}F#yVuU7IhY_0uxqh#LNw^;JUU!| zuCL&|RqnNvyhzczuX9@L0RwTEPtW&zm>dC|%+S$7NKVx@Otv7Rt>VnNv(SbtnG!sM z4Z>tF`v%wz#rP{^dslF5+cnhXm6|143Q4O$PD*Wa+($(UT4WNqubX#_$@66TSFEcq zWx#Y%92uA{vUBOev%Pe`GU_)KlD-Z$svWx>!f?Yh*2uF25gs+s|L?1J_CLMmq^;P z+f*p%Tzxove#QRu*LjClGR)5kMp%@gsl*OQ!DNJBxH4AdK~etur7JEh%YpJ|2{R!n zzC~$~IZXUE?jt^fqSUpypy4p7KmmQsa_>vrq5$SKC=cXcuVqv8LltnI=>4Fa27OQi 
zTWZd@#WmPK=3U<+vvEsZo)~(b;<8~-C#^P=!=~6~R3U(vIIAXBLAcNi^`~*mJshXQ z2TEtWF`BXR1jRUIg2ScQ0*9gQ{52s!p(a1VIvCRZUj#gM8xNC6Vfp_>fbs~62Lor^ zkv-cBOiW&uyfoN+EPgR_L4>%JxKvtP7~mT8c;KLvAQjr2uOSSOFw{v9^?R0_PFUC|+RjyK0TY;qtOvn0CD3CN0Q$1(oOY#c*=KWY9Ksfv4KzpQ{PS{z88Wnn!$9({yS>feT}BmCi$3`F?LkdhQ|ARnpK%pf*5{^<0%HBl!mU_0@2OVJ@Y!8ui! z09}%}8)v?gmd>u{M8_Mmypvo^2ymH_u=2}#|JLbQMN%9pv(#P&&zR907Z=$;nQ^^2 zLxn(k<@DB-IyFBJ!j_WH_e#V>0PJgRB4ops=#}`>b02jrv=;QPb7-SfHRZFZeTDik z5hgjT9pujd9lSV2AKd1!Vm?Y+qKX^f<#VDlMS!#7B&qB^Jb0`CuBTuwX{x!pY#yk@ zXMQ8|d8n`KZJ(-5WB=SK%+H4STA$prFirf|3`rx?dLIdg02*jy)nreSX*~LRY9A>O zL+mM7OxnDoE?Z2z&;Tu}od}s z0u$7GHIb1pEhVY6CP^iL)8LKD2+WC%Pw8SU^FSmM6zIW(S#u5NVJOV<+jtla6W#rM z`p6HWc~>CVC~_@xUv3)|1l z+9=iC;J?)21pHAag7UxB*&qPbal>@`y`5wH2h8N~#W~)k^luVE?Q9nzN~ki>00UU;C_@)wZ0zbEEg{lp3_{nZdR= z${x_1k=Jd@QQ81E+=DcH1F?PJN-(rZEuU^~3qr@qTq6z+u2(l@98OLV0xL-PWvD zoET2i+85p)2L};gUCvYg3;1viz=L!3NbzBWhL(c(l_46WFze;!*mK6K0t4?{D% zlWn#X?W(obm!Ag=4?K?AiN*BRNCTXxRJhp3#KG%Ird?d``rRaLj{vtH81)BJ7gvM3 zQBFUV)N3(MicS!cQYf$kv4+y+<01qcUIPnP*RZfV>FOPWj}7OtUZxQFsNyj_^MWZ~ z9I_yp7CWQkGSCr@MW)Q$qoZCZDTpo?34~7|u`?C9}qj)@#WS}6j zuNI>z@zakefKP3(R$}`t8nG#Tv^7(Z7d*)@U(}T6EGGTX5;tHq-la$Jk>ci0zq~fI zG7v|=Z?&elCb+P$f~zHgn7mca8TWQ8gw)U?A-Np`%ZnLgTyJ02n}E>{V`;2!$x%D?; zvmj3fqPulHao1cDf|?y4AWJ+y*S`G59kh*U7km6-An?Eu9vgr?>7er&rRgpLw>ikw z*^I7$t9u6^lAE+|)#m%CN-8h(QEpnT40>n{Ph{Nt7c$O{pqq<1@7Jne48;ml?|Rr1 z5pgbUJYKd)eT<&UX^Hx9UV5v#vf&J5r4A#-PQHhRvB{W+5a`Ob)N#(KUlv4W1YIq$$7NZbsVD!+$tA{!oyL z?|t^idb@X;PZ=)j7c04;Xi)OH{0RkbOyAKpI6tUN7Q0Uz9zgCLyg~dm%f_JGqLv%6 zBfo{4byojo*va==map+$f8(+Dp9PXmwT_fQKtVuSfPa6g1pifc@vEtk@_$|X(R2M) zgUkpZb6!0IhY89DCQ&S35?HYbI+KK3kR9+TSek+RqNZPdvT1T+cRo;(oRO4o`{GVB z?n>p`Hn1|WLaFWNT`rjr{RrJM9-)TegNeq>xP(i(+9=YifP6vv5*9r~YE;hJAa#PG zGt4uN6P1Tgu%>}OkB4e>PGuJ)n7suka3n3$v&5)*t)V7dh`w#5=8lmbV4G+J#ar>X z7M4I|n4XxAZP_efIE6k@1XJu9J++^OG4)NqdnYnUdXVG};U{dgZBlaVqF)(1O~TRa z24Hrda+dunBAY`}oeR6d~M1(FT!L)uq*|5EX{HJ5TdGef% zfn{ZX!-0UH{o64!U=?K*LnE8NYRhh=^xJ)B#vl3dErL2VOWG!}86A~&B&2B)3C|1U 
z6Mh}$M*Njf`@-)TKATwPt2(L92irK$E4nFi&;S@57ZFKt5}uFQXQPjYHv+BJuk;O+ zqO`PaKl*ST=m)@Aio6f`h+euULyT#npHUf8PbahC9!IoDISk9A6es_USYG~O6H4}S(~vvM<~%b z^Ff@2iM0#|9A~0pp&^s*Z;XuD>1(LX%w%x#n3cTyj6jh}7pp|EU_}TO$~zoxFB zmot2Jwzsi3hCQ!q)xq>>A$QmWc`$A}-q6)}08wZTWYshp z_5%Xtb1O?HcLAlPs_;c|blAdJHkCyky+yX2)Etts{i)tu0XtcQ z@YmTpN;IkPstG)155Bl9%exf87QI~+1Bb)@lzV{`<;;EgqARrk3J|$f&Ol?h>{yMV!RqISk&VGXvyXU7m zO2^^S%Z6)2huG!X)k+B>TB}HGlc=^0wIcBuc@N^1W1pYlR^1@nWy@e)wGjN}!dr$N zK?~BUJ~qvI1ht~m@vz)?3g}VNXMXQqeWjb_i%>$)-(iljZ%Us4LmF%t2eoD8(jZT!cx}s{YjFB-v$D7f$cYZAx)#0m7Z_U z2OFug{go0-dY@m8mJdd23Ey-edSTxj(cX`LGrjw~(EPf1{%W7&-3&68*tg^Ra@nfi ztK)|vHFQy%`*yp(eqk^0aUV)0)`kcbDzypX6&A>M3Ua9+PpjWVf!jcl5014@?lMT^ zd@2IT81NWW*?%od;xFchv_RmHJ8q;M*2dydM$>%J5H2~I64G|$iE9+8w2)u52GW{@ zEwv%{dJERRMh?5?@6fAIWk(z2nJ9FO%eYx|K`NJQOIipQ6CVqq;Ov5&Px=ZT#qnWd zn5hVm0ORk=19z+^fp({!I?Y^5jLE^AU=)#VJYD%VmtW*CDA!agV$$(NsSTDi1Iw;2 z+)uAwZH`Q8%$9odix#!M^Pt%PPrVH4Z<@=}qsKCj@o zjkpDJlf-LR-BZY6Ps1I#0D*lkR%PO~k^&8Zijz9el$hZ6{jiSMc#VcHTZ6`{_)%77 z18~k5irpcy<1ht7ZWSbEo|)%g*96si?@c;oHf)mL04?#WI|6TgyjvknhK3ELzc;=J zbyT|2INyZMFLCY-?TEAb&w73LkmvhhXm;^df~hU|6wFkfj?cZ)%T<*jc|N6Y$P!8VJeNbPDX?xSq!@7!8GfJ zp+e$3o$XwPZ?yVl4;`m(=qV{kSR4;OC3uO@wU@$ImM4yb^9%03DetEwb+ywjEv--$ zi(lPYmMey1%S*;eAEbF6{<_jXLyayPkj;KMOqWlQq>*dHwWMl9Lpv;EmV{}Jw}>SboaYl1mCdS_%UVlX$v;&iPsdUAEZD!aFpGN_(KfrX8`E~WkfLn3W`i@6 ze`*0Qc0E_*ardcb|mlB zpLaL!Fd<&qpnFB|ow2kbYvcOCmaCFrOoD^T7)DzUfDKW>-NY~vBxBkMuVeEwy=yT| zB}omWA&mwc1Fpk82B}t zMA_h}?_V^jnbXX}o=|bhjJ8$m8vOX|0qY%=d(L2-9963;du<=R-DoR2N9792`92Au zyPor^w2mm+f(*9u`%}3JMV_*)s(6rM*S&dNU zscc;0gQ^GU9-5TohRhY$Zp3S z0cLcNpFU#a3F9TaVd#rWC{(EVa5Yjd-=Pw^5{isIw!?aN-M>1F9^1;jgAuXw0$RnS zoE_l2uEYUEKktu)?oom-f`y^8YEUec%_THl+uR{Z1u%pJ-R zPpiXV-^LuUn*u&n3QHnZbOFdbV`^sf7=5nwBzzA)B6aT{J$GvsVh1lP8~ zWtunzEwBF%T>=wF%iTadR6t#X|Iqb!o!I}V`>RN7^lUvaKSzPu?UpBLvZydMr_R@S zLIYd>;y_XvH`@|c{Ha4ma=WKM861aoo8aT8v#l?3Wt%W%?0i{CMY7+i!-FH|x%rx} zT{3ZtV-uY?^EqhI%XQ)Beyes9i`#HfVN#rS=2H9WaRwB6)imOi$sisLM&lgUhHE49 
zxy+9Dh38(9PAX-5ak6_un<8vN*zJ19jIKa}4r{+LCfcS>G-K}2$FzF(i2h@oHOX0& zcQrXx+44>`!MD{nuzx1k&7HDxdqBZPK;hW`5dKH9f|I?2^Ixr+9anD`$c!%bwP)aN zf1D)`!U8=^5`@NjSz4FC-H*bCY(q4<;@wM*m&17UYmLkGG9SL+QIMTM)f_F=JS91d zN+n-@NLE)b2RqpqZw;@2B_vOKAjK#tw~O13<7o9F6eAM(9pO>>^zG?pm-$o+nWP<; zC)ClP9^QDi;B=qMP9!Gn79(1cu_HERm2Q`e&loJ(4@}?&Q>Rx|F2@X0#V;4m3v;aN z*QYXRYV5ZAx|+H2ip>nYj;O>0*s|N_#_rxJ6^a+vX%0_h zhhT3i5K_~P7AI@I2cg8SJI@_sVcxu!xiX%ntI8HEi(r#QbDNC*HGqrN?{xkKI^75w=>^d6S%v_tVkmbkTd+h9Q)Qts5G}_uy zY7O4+RJUv2CDWs9_@cSO1|CxOHExn>4{fK)r`753$-HKV7u*PTP1M78S)`SR*@A7L zl`HcKUs*Zf4(=9QvlOGc_cO&58iaRi@gHdWX4#gcQ74{)1H3-?&73MET zR@CYg`yG{+^I6DL`z$1+(x)z*?!QFli-yTWOp&k=+S3@Z(#>Lql?Cv~aB=gTuO!Jq za#2WKg~)Su%KPoiJf!=1ap1!;(fFnZQjgQsnnTP$##ltaIZDCWuhP@;eEan@UBrX& zbqlZ|2)RQk!MPc872d6;Q}O8)NqukrY-Pc1nBU%@00|{pLf(1=QU^sfUa6}zSMoxy znW{~)*suPzqqv*vtNdjBkqHg`unfkAFl$S}C0m+SOUxWY{4e9s zi{x^WI9Z;3>GI#WV&k%r3^G!@npF3;1tXz1IRa z<62PMpB-k7!72TwA7PcKHY~pgq8k=I<>uWHFf%Hlm=hJ#*s>+ozIeCy5Khmz-B`a{ zcP}_$8it~*H;*39`3>N9(fJUGy!zd2bm8#RsFSk(Bzic8&>s(>TS~%+YW7a3BDr^0 zCAFqU%6;`=0M@#DZtuGLMpjQWy8GtK4s^e+y6(tfu$LGUlwCFk@AvLcJ^kS*>~3HP zeJ1B}T1|PwDJbN#v~Tx6eBVEinux-U!nhO5)i|Q-UodaI^WXujr=pfGW?*dPx%C(- z5x{IW*zqgn!RGPRRHl5vy7%{J#~<=@#+aXXrg`t0b-8}S^gvPScOO?fLLDozUz`eM zcz@o(>AY=LHGhSvL6WTriPp{LN$mSJ^?MCN-(B5%hu|CUNkxp?M-RN5I07Et9uhRD zf}YM#cimf;=DR&XUR`>&#O!xF&jXwG+PXYrbAuWj%%whlw#yo*r|Z!t)Z^8@>!~_n zM0)1IF5I;~1ZQi5d>kk%0}-|+Sil|&Si<|S zZVEW^0$!hXhL$#rRt~1-S8CP{pH$HWI=#4PY^PDE8PK5zI$8UQ7{1Vfaaw*aN#ZPG zsC5jHN|gJQL23APF$Itv{{r$D%J2PAkFMg9<)|AkB&V;YIV!OkFF1X zySY^as}K~gKXbXY{??OqzvVp3<8@+JFj}BLICqEU1oX`a?drX40A!lrAUWK=V=!5j{NaB-1EMl%f08^_kQ2s@0@$#FM+2Z zL|X#e2!E(fWf9N#ECZ+Adw$ms$xE)C z48@WdTd9BK_|WZ#{Gh-gMao3t=!JY=0}Zc6j=c15W2}bATW7ec3#!v=8lb2{hYj#z-iNR zr2nl=@i6DArp=A_$#mGk7QH=anxk~4*{iwNtUD74!!@6!#IltAj(90-zjcVYi|^Oe z_0T6f#o*{w+id(-1TXi=P7Md%whxCYlN8Z`M?%{W{fA$fvWW_1sZ92-xKqpr3=>jo z3^PSmT>9tD$U%kJW=~O_OrnI*`fa%CxA71c@lP_o(CyT+|aO>f`^O#}X}SsSTwnNrntU`cXJ53L&qn8^hjIHJx31sTJ9EDIMcnJ}O6R 
z1$GzJiLJ=W(JPE}sq;hnE%d$iW(BbP7N+xd$@e3IV2l_(Vc_}X5K;=p$me`OvU$MU zn~Qi{s?JTjc!A!fPS3_kaw;GqF-*gL!&-*`RsUR{zib*zeAGhZP;t7WYUWd{^d4Ip zQ@(jhjXVCC1Un*HvW1I33^VXtfkbj#NLp>((qolV?vTjI<;t6=Y+LcjF)#QgW zCBT`Ms1ui`%p#jeUAvVgRAqM5|GDE`IK}hq3$altFLr!t^Ue-A4|YeIM;4iJrv5|b zy6nk8ctL!N-3vNwApYi=GpQO`=4WRz3mz4(c+Dtwdj&@mAMw8EHYMsq-v}kTFtoWl$2|%)P)dJ1-#zdX3(N2y zp`{^Nv(H(Pe2cFW&GjCiHTL7mzJ$LSJJ%AyAN=wa9c>!@ZixQW?cc9y7K_)zjB4aE zk-l!d;&F&rIL<|-ey`(2^3?l~u==EpV{WB!X|1jq>8JbdVDVo_>*iZR;o}Vli?6`Y zJUcUcTSvV|6?OfKjwrE9h;cLMm`0E(9349!JbW06xg%dhl-%Td?c$o3MUwri&8{MapW77(E}0XerN+wuKF0NNlB*MmSZ7!`!^IF1cQg}N<8XJ7zU z+tzXpxRnLuk!8QDfp3DyGXU`|#$OKY!NP<%S;w=$E$x6%QAjufwETGYc%KVd&P0Rd zp9Th0IDkAr90E}gl1BqAKjf!_gV*}k(;ufrtAQcw1BC+N&U1m*<;nqo2nz(pzLq?Q zpuWKv=)4)|N<*mg7`YYsw~?=gtT_u-59o{}0|><3Ndh7-MB+kMNTC>P0BX5%37!M+ z-jd(-1d$@7kQlVnB$xv(nF=^6nD3lbMHH|cTzC=46~b5KpfU`Y04_ub2v*n?f>2ok ztOsX}1^QR`6+JkI3`T(cw*b*XT+@w%0brvm02IZn2CQX!!7Q+M6tJkVt69QM5=;SG uEdizS(#os|885IN91jZgM-x{qG2!UY!BzrTK})Mj5po(>9tYEwe*F(KN9QsC literal 0 HcmV?d00001 
diff --git a/review_artifacts/server-agent-configuration-distributed-microservices-redline.docx b/review_artifacts/server-agent-configuration-distributed-microservices-redline.docx new file mode 100644 index 0000000000000000000000000000000000000000..c702b8588190b98f0aaf426e7b10ecf5089e3c0b GIT binary patch literal 41005 zcmafYb6{j$wr_0P>e#l~v29x&+wRy#$F^;wW81cqm;Sz)duQgp``$mNs`fr>{jhe` z*|oNuBrpgH00004z>-|KR)s=AY$6~4z$h310P@$UrjV_Tqp^*nu9BObv4b|PtF=`_ zqO|NPKSJ>3J8BXgFM)>;JZkBV9l0HKES7Lp`aQe)65Y8J(DUOsXPEMgTnHF#Y)0y% z7v5?uPp4-isiu(dxwdwO>MtVTBF|szd9)WMZ2KaygyM_ecX8(iz^a=wJTa$O0qJ+E z`#5!xf-VJfH2f3Qo&loBDxy`8@CSn+6nI8KL#uwxu;sRYvr|$y87AAMGTR@ObABK9 zaUpsZ@)gN?U!o;d$+S#|YV~7J3Ddh$77f;`kL!1+ah{;6`(dhVU%T2<0OvXgZHw@G z&$^q|WlWXn1gy5?=bfU)29ib4-np%1AZhjN5pb63rwv!m>8c8qS-XaMl#-YENx*k3 z_eUYPjMHv^3bHyv?F6ti#`fq6&%npN$482SXky;yrBI#6xmjuJab@3O_+S=gz8Zx# zf#{?WCJwew`x7A|ult-p&1DW@8LxI>T^@2j{(g_AYq-|~eb5z*Cm6rV$M0_)h5Jsc z{&|K{)JYVY?}@nih+VPzuO2VZMP-=6yghG=MeF-~qmM*+uPD+w0CN9UMK@AO{->|% zZ2$oPK!3gJ{xG(3prieBt%#eD0A@h&z2p@cCMmLMR2I%())79E&gbn;8NVpB@%~=8 z(%B&|tgVLDgLinjYiP2N{tJ7Fs?aJx)j)mTKXEE)Mhxie`EcU)$ag~Ghf`6dF)bNrtuJkIW}0Q! 
zv_}C#vWhyc#CKp5?MVIXruE!KGtIkV2Q@XqLKk}owHqL;iN zMrJfwFaO=3&|qjq^RHz-^JNg?mqA9hhH^h_?HuR~ZGRa5S>%~CD=!yIQH|y3yc32SBF^AREP(Vfmoai7?#wp zFEyzHGP_g;8SrD<3d9+!QbTszu#qfr~#~W7zHtI#zXDM$_CVkwh#=3&W1L*K;T; zM=;%e7*`$FYyIf!qJRl_y^NVM>ezGMu$=umR6|wx(821&A&~<}DQF3*$^fFaz3$X# z#XJ}dq+_b8T;-?-QJul~H6FN~gDlmQ;|d)AM!iR2n~a_3^qVoi$eDA^Q~y<>T*J~v ziafn+cp30}m06iv@e~h>*zWy_dQu`RoG6g~I}^y5TbViea;PY}Gyyh)UdPqA8Hfe6 zhvR*%(J^9Kxz@cPp_0>#=A z)zF*B^O!C*fuS4@7T|Xw@}DEWza?7e+xFZcW~=$F*~c_L)Rl0>z)3#9fxK`DF1?`% zQ?3YsYv9JjH>M){)QsBRp0TmR#8=z^s{w}J?7bdjRwF0yo8v6EA`*K|&hU!Vj8&IO z?9i4I@>C9z5hvlk8sKA78B$!R9v%uUYG})7Mxti3U?Dn_YzKL_0Pfq8fhJh;V91F% zYwX}Znqj>o&|X_J9Bw^3@j#!rfU$cw*FoYXpF>)`kNh0N^J})+OitvTP~9Zv3dulM z_OOzTP3~V6=PQsE>u67>d!xgs#w&{q=DAvoa>MEp4&6;@&&E{I8P74M;R^sKO38frlD@L~4-<=BKu#4D_10C?XA2 zn9wcLhzNMUsl=Wo?}ZdQqdECuOI95G8t&WCuTgtDx7|Es(6lQElA7GSd-SlykQKxX zGjjhpxZD+ZT*oe~BM9?XBYk_D2tQ@>dA-8#qM0JXJaEV|g8A|NZkZ8w>d{0!DGL|p z$Zqh^ZzDTGPMn5p*_-?j{0Acu`oObJWgJto zSW`K8Ax8jI2F-!}b*<-xwx;}J(f8cOl6>hO`)O-Rm;Bcll+?&P$ma7lZ3kd{li^ZX zsLiBjjOX}Gr*~AS)Z4O&+pP1^R(Wn#mLHx`?;B`5{^|)7jU|G0<9Vb`S2Qk`Y3{o+ zs}1L5B)9dW()DBKq;BN5Kq6c5$)~?s&04jMMe7KH0GZ*ZYzo7adc0s*{LxH9hdbbN zGB1qld%H@WO^e5~@pFA&J@N$w)zjQvG=Xegi#d~4cgG$7{qqn8xg=53D zB{Qamnpcj;7^(`IN~|4XM#I@iPY?pmsnywXhl}(wjEx(WTRj*XTQM{;+xvc=;EQCw zTt1A)r>0CAJn>O^)9dn<=J6~+8boP=Kgg7ux&z&lOr3BXew?ahku<>`Q2AZpAXG$IsQP-*5{wBnoehgP z19SxC11v@XbQ`!m)NLp5*W>aK`ysU~QDyZ!QPTA#W`KbR5T?;Zk1nA|e{~Lc)&#)9 ztopM-zoAZh(`WtnDS@pkd5E7PV77VOy6EK4y1bcONg zIhCZCyixuzdhSbH+~*H6t?zyIpL^vl?#^!)x*n(95XRKX@)KitAEvST*tvi}6l)4HDJQhQ&TJqCt2DBy}Bq_U~wM zG=TY%fepkAO87iM=U?7$JkVy|xm_b9@{ccq^_@2Q;tDqmogt9}#pKiqoJa#&UyZY? 
z0;d`+efNU{CEtl)j>p0_c8)!|c}-(vKeHyu#w@@V>}5)bSN&l@Wm-*324kA5CX~gQ z6CDc3S>FwVL;u($e83=JgoT-6bq5J;Nw8|lhFQ826xuxB#_gvA%OT^M?gjVeWa8dY znQ-d1d)Eqsa_Q?1yNlzL9U!u}K(b>_t@<6xDWnG*YdRopQLyOxv@j1|i5(dezD_H5 zMU2BPI0l(@YF8@1SlTjCJV2Q`pcqNbw)k>FV83dxt9$SM&WgwXM9?^E;SAMZ27>6Q zbYo_kPrx3kz~bnIL+%tJzM4bUi&r|<$G3R{X81Qa~l5!g4a2#|RDdNkL~I#5Y3 z(BB`XbBICE$d6*}J2Nn%JIT7Ru%|Uk*_F@e7WCJ8@D{ zpi$JY5p(87L&#D;X3?~eN54V94GI&ou`|x7D6~yECq2SPqMCVd`P@DNa}qJ|uw-P! z`av|q^4@OEJPhB;3B8hm#3w%}(FzJ8Gk1ixqXJI2tL0nHqZzmr(_PFei6A8X86Y!< z)NV$c#o){pY|0R+gC!A)p+&iwO8)d-$;vdV$$OaalwyD%qZ0rk9o(Se_k#{a5$e56 zYLGnLmMXyL#xA(5@~R=>>FOj_QgEE{qvYlUmwuz+3wHNHXT5v12oj`&#qnee3jsbu zgFvM1KNLmhsh1ibk%~QXRCJ2n#SoMYxe(6jX$IY5s%N&a1H^uB7no7nGzf*EB3Oe_ zAs-P$8S?!EKJwH$e6yuRVS|OzkQB18j&bVh)k^0CB8Z3{i*0=K_(0muU> z@c83fBLC!ag=2PEKesGa`z%XV#qW$=M){)_la@w{X(ABOX3*9+_6X&ZillYAZP=w- zbmgh&8c9~t>7lLnEQ0o_ZN5fQM5KYTgN$Plgclxvf4K34W>L^HEr1=(`$df4^xf?$ zE3g0n(sejVqrt1$(R$pUTY1XW(3n6!gt}lqeeU|@Mug}ak)?rD8CuvYG#++@5VQrz7@5$adfdBjB=92 zx zT~ zyRm*5-V#N%m?ZOw>^G$BPkC(|o~DGFD{>eTFcoOP0oCr((>O8}IBD_(H)a(mf!fk- zgp=f*l?|)qZ)s4@CU(+?ItY z7!d?jG=BPom98yuPDjiK^>*yS>nu3V74K&p)~ZzBLM=}>42A-w9S}jqhw%eyu&HJ= zXkk5mqGQ2RFy7f4!p377pkIf553dNnq#y^WuVP)yi2R_BV2rh@Tz*>#A==*jR71XD zLEi{LS$_8svcZD7z;TXxSJ&z0Gx%_AR`?E)~h_i}YH;*sxwGeUIo-xcB>p7O;NbOue$@kL=rSt@e^v)r&>qrW3zhfKGf z@(sOu(b<2mO?@CQkhFA8{Y;Pd-k#kl(ufvUAOc>i5=wdZfxjD<#EY{kWcd+&{5y^2 z{uG82$yy2dlGUwDrn{sKHx?R8}71v2k?-Fu zAcIzMB~IarSgC9d53L7Tdw`9vI?hN1VqtS=cYApA$WAa0p&^7yTjkDwCbyP31+U>l z>EXz92v>~x5N&OwzhKzJD$A6k*cJtyhePo5Jrp_4u`JAzF8&fy{9z7jvB;4kfvghN zP7w|Pu4R?fv08o=iggci|uZvlkqhZl&fsT6-t0w#dPvwj94miUz2E?%wgAkml@Af z?fdPBq|1qr=f~lPiCYu^_YD6mgscbtLP;MD;1(GATk@FqM(&NcJw?zs*>+(<@t-T- zQfb94B8{+RLdC2Bq~feN0A8`tH)8X@R|vdC(Q2)5}!#1#(?cE$H50io!pJ8A^Oa)l` zsD9W1g=Z=$FOu6PGkSR5QvyAf3QS~+#h(;MVh^~zUc|MNi8E~&;?SPF&zr#jzHgyt zXVt>h+r$}zGmtHgGcpS(+g_g^Xu{2rh?8#!KJjQBKXEJObhOAa(>KtW3y=^T0EX!U zw|%l6>mVB$hB2$6dlz`kBBrqbL%WR&A*OR@T(Y9EkT9w)7KYfvgtraGAOpSDmNR=> 
zr@b3rMXeMuuw0$u8EXEKcXBT(1?NM8;>_K4t=Iu+{LArjU#I4<`$2t2R;xn zFqlunH_BS3qfM*yVV}_ejy2K@SiN4~*8|ra@`!6M0reI~Dk8hq1gT(*9dLW}o{xMY z9yY`lhoy5n29nHzuBZ^CUH3UNm;%x^jX^Cnjs+<$;|h*-)S_oiU$1O$-TWrLjBwf1 zW|!a{O?+rEQU1!4wr6Q+5h<`9K%A16PJCiNu5CsrI~SL46S^{U-i=;Ej5$k1kVNXV z(rY8HHLb7#t{-a&JeQcnx&Sf%+&hmDFLq16T{af)Lz|T5(tL;~F2jc5-PZP08-Q8$ z1=pja&p*9qKnEWx1saz14O1W<@1j_**)hasmZ-tFfXrF^rlrTu)5ZS%5N?SCQ@9Is z^CBLG^pkO$6}=CDx6O4s3`Jf4x)||nWda8yjjxQAz&d8dplOD5LZu}8Qz6@E&K>%E z8?G(XD^B1@Qy`uA+8t@dbt+KmDv!!#s;cdq)S)@$#C#fwcWwX=B+CfFC2Y038_%Qo zptBDsoB$*Li%LGHT=Sxr!}Y%Z`o@|LQ%*Y(y@fK{lmOu9<>$Fz^rfdh*hup!*i-&spxq?OHOw(CfpS{)8e6QcUVK z{^x@ee6A~qxSkFlRywyUwFZ|L4z%57vslW`P(t7QVUh9R_6VnjDcc$ zG1aejOyV3ZiX(-yF2QdYyr`qk-Gg1)BQo)NjcT(rh5_9Td6a`n?A$zBo$MBanr2lK zj{)RtVo1y#2kx6eQt{t+P{IMUek(Ui_pZ$Rf(*wdYipim<1Gm#3^Hs)7!?f1>vS34 zMkZj&KfN0QRthjv+d+?WFf-c4IY(a`P<5PfPzjqddUiy1^mRAeInj?r*>|^rqdBQ} zYUpDwmALkuE!&ByvWCe<4o-$2>jI}?TsL$|kfXdm@)g9QeYn5~wuR{TEiE<(*~xp| zT9T=>b_h*uXFt=q@Z{3UHnDP>g06cZ?(1o4*|Px#+@A=jay-}0 zHtK(VFN*nGd7O%ek@^gO+`2ahOMk>$B!(#X>)CT@g{qQe`gpZm3tB9~gy`JP z_S8eo&sK9>)}&IAU}}Hmq;g_f5jl_9jL;dQWwf4k!+b8?M3H6E@H}p5hfabN3%3n2 zP9t19k0S;0H3;RM< zx@rbgmZ*e#TRN@u!TV=P5vIuo{<~aYs1!sY z-(zmwY3|ElzU_fZlXsP z4Tr3RD(~H(C|lf!4LF?nV25oSnqkR9d^jG)%p&`3o)>h?IF@cSlwcrtc?W z)J3#)ufWr)emX73ZO_B!H=!cTj7=BCBqQpNbV#Xkslv63BoK!2E$Cb$MwdZ@)qUJT z2Y{dsB!t2feqwr5Nz_UDt>ghQeWTO44LP^CFpf(U!o1~-Q_L)8dBFTJA?C$g)gu&K zH`c5WhE}u^A`^^u6YDu_UXiqra4uk1ugf7TM5nXmWHpRO6>c(G=+A|ff{kB2O;JvS z%hh$ev!O-Ye&E}q8oM0Kj(A39!82HyF^;)in`Ry`uC+;%?51-#oxd7d(KM@YowH3B zW(rOqkCKCJY3vAHWNmJ#qr+;@ic!bnF*H%47b4{J997AVZok1}F=7)nC!o!+1ukyg z+`Z4}Rk<=NJypA`aPhQK<3$m~y16@guJEzAN*DdYzdHS$K~kq9%4C?%<*X)M)C8Cm zKQi}3m7awLxb8sp=TK?daW_nOY1;-=2RT9A0 zX^1Dr_?9mm=mxA6LIj;P*jL*X z=d11dS9k62LxX?qvHg93kRTu%K#vi8`2p1%6pvD96M=b_N7_ayT2;m`gP2p(lNNX{6E+Y~|Ay6{X~ihf9T zmZN(c(e*@S^G!#&ENF-elmB$R=KBgx<^U+($kj_e=L} z&pIX$U}(|?AkG;_-=ia|=8{R8Y4&V-8r>}VT-S$$kRM-JL0LtjG_IDbHw#UUVqY~g zUdj0VJ=>?<>e5>mKPvtGVx6t83%0XG^HSxtXyW3w&DQ%J!;|az;KEhoA}eY2-RAuw 
zoo{i-_TxGF^Z9l0GOCEL>2z27>3RLSEqT7}^>Ft1zAYqV_r&eJmixo{vvnhg&U*!4 zC#mRas_!r)d4GFs^|Yz%eeCq6-fhi_t%wi5yr;WEHkc#yXYJ>md7XyG>-_4NyGuCV zr=6N@AL3)%?(M<7E9QCGu$k^-NYP@ScLOh8pQ-n9){uv~jq{>@u#A3A^2A9s-vwXh z2O6)`53y^x?V*r>CtbSL*Dq2on?4)o@MA;gFY8|H)9-wO6Fldt8((KD)*hUqK6u`| z#6F}x1E0_jZL`-Gr!Hf=7In`U60qQ|%YlX++2>K|uUCopH?C>8Y-4v3-alyE-#OgB z-Nu*gQaHJFx~;772@6L11krtTu64FGm5(J3F!)%vt$B57XA4X z!Ebt}h~RsE&pIdk?5}$6GU%xqn@9o^weE3OK zQ!X=W8Zioty&+9Q@kX7BJBK#v4FyO`uU8V-S2JP z*Wa)s);`sYJ^fy@i+|dxM$=`Qx5qSv2Q8{`I-|dye_S0~Q)S={{zmjfC47MRE#Qf( zOD_Ji;2V29@1;qZ^6;AQn-XEP#CQ4c#YhSXOl5)8`zTa|k~E7F5OFfCUFANTICM`c zqwPZ|3+3$$>AwKwt**11-b=7jG{UJrUf0b#xGFFE^OwV`8JIT3m(;9x;t}#$fh8am z(xFH|dJcu{2~XmG1yVPtD+tD{I8qQom~NnS>q6WX`l1B7De^k(fpIY?)q0^&e&gk6cE0& zqSWuv5J1!X2SpkJ2r@Tlh`(6R#k({hwEwy5zlQQ1gz6`q+d7eTvN(k`<_S9SRGhpn zp8(74(!{OhsLZvsDJX%Y9_s1 z4y?c4JGE%r40s5<^(~G&=bA0K-fBJ#&SqC_yH*{~^U5CXAB^N}KSgfxX*b;q<44)- z&@S^QYDHbL#A1EE+QA6XxJ~IHP_LEXW^4|u5jSa$VHr+LZyLt9wc+#}n+?K4F|F+VAZd_y%i|midTDIVGSYXCBiR!FS+1PzK=N8% zmSJfY=)loq#Qx|yndm~2ye&cNPqnP2TFan4!aA2&Zqpo>7tgLmW>25lk7yT%Z9cnT zYNhRE;_zXMjmNy>J`FJ&Ai91KeAc)bqRw0m#h^hwwJI{}LH-%x1&(W|AMh znXs33&|x-ypT|&$9@(}nQi-Uu2a~tij-Dx~z2|rI zPY626qGw0DPvlfQMX{J%n9|979!w{FcTLjo7`Shi8b^6}ifbaxeCeMdBaHKi8Quc_ z*(odkm>K60)pncUP3MH(RZtqNdA?ONWUV0Ov*z6u@%Cz|aLK!QJc~c}I);sYdj2r9 z|GfUH`k~o$DqD10*4Gnw{j&SvxYBjShmU^r49sn0d$9e2;OTX_p@X*=vL`8WvFK}$ z9F^BPHNkR{AxZ9l_ zV4SDwwnzvJz27!6jh9R^@gv;sYTYd^ywf;x-diOtl#*^2{eazrfN@Nu))_I$OVcJk zRTWz*%f4)zJp%%&HS}U_M+QhWaZSPu(S<`xdykbvYqS4|pQqODc5GrMWwJa?O#!jz zQJ-fv+#Jo6tkiOIq1~;DPA|V~Os@bF+CNE%*ZyP3MDuNj$4x#OB=@F5wMRYp7tn$o zhFV|G1Slre&6^0zH>3BcOHy}I(8!AMsLxP^P0s86$TZ72)kLW9g<4#GIoq8ZF{Sp< zq#gLuBJbsptjp|=pR0t2*=+9HYve5_^0Txam~h5!`&O)Xq&jZmdS=FGl_g@%2awGY z^04P+D^!mCiV$<-15OrAVx>AIgYNz}B<4$nokY7v%7&Tu*=NW}N3dgIWik>`V8cE|89jE(>F?sCrcHay-X7r`CJx(Btd#y!LGmgG1$y+)?lo@C>QKD_T zrmt((9ATX9yjaw=Zuy-PRhJs`c5t(hsnF7~;n5galoUwCt3Z?4R9cvG{^*}W>SJ*1 zcx%?eeHee4m%NjR71QSP6;#4p(X#@GLP1z}YHxC3mQh2$gzekjFN3|{8cePda=olR 
z^HaQzf;2?`ae&*%RNAaamZ2U0=IVVCUWJ~wL0}s)k*Y)%2~MkuMC1-?rUrc_(d@B+ zdh>zY6|QjF_FRnOB>Sq8eqsc^@objd{(Dlj?059=qS4npJ)3?;Ov6Fju!k`cw;QF2%ACs)WB!eK; z{x>L7W8JdU@2pt`51H6Aj&pw=mbI$^((e&_?XT_1sv}P1;s(^zSPbVytqxZz3y5p> z4o*L*VS>cAVrsyRAeMoDXg0cVo?)&g$Bq3!9Mn@q^NlM^1obMn6#M-apsg$C&0NBA z2ZIC&`zxP>qHQgP#}w_?Sqz%0idXgNisDwz1%;mNSp(_Mm$SJjkGsKFoGBmWkVZV1 zI=wmtHu+2`COGwNT!o&^VooOL)Fw+Cppi#4m5Facd!_3}^x{cwN)yinqKS_Tm03_7 zxrxY?b7%k)YsU+GX}hvbY{e%d!AHj!2OriD(->*$FrvUAzf#9u#@ zQ466Il;(#v&H{?(ii_AiX7x)~n`^PGjaX{ufHre8n_9K(w;I;2-$NE9b zdGS-;j}@Gv-fh(+?QR0VO9kbyme1?B8Sv%G1YN`6UFUqatB3bPPOfXjS|Z#JC7UrJ zL#Mxm&E7||2X@>+gB_-=J3)@79_D~=amrW{ zHfLu*WqYHgDze{Y0ox`TSs#ZB-pY!#Xs5J4X2)P{{fVyRh460h3?wneLbZOA0gLiX9{&+U8iwx7b^Js8K z&>f$Qn`v-3AAqZ@&7ZsV_IWCMJn<8(vo#gxC_>58hBGt7cg^Ea0lvdvLau=Hv<4Gj zCo<+2v|5=s2iovuZG#>rniEYT*)xG*zP6&fddFcNnM(B>tAif&ahwM0JAA)uTUcsRwh?vG!Pnu3=*y@KDbp4TzJG({f z(NJ{+t1J+H6xpDd?YFUn{lFq-Yv^LJ4DAe5+ZMP{c>C|z;D%$yE@(TTbrgDx$WbJ<QzjSbWQh>RoUt zfyf;zl925;e#3A+bxk>ZUs_OFMKiKLQ8coMZwW7#qaikYEjgA%C zG4apOew<$)oX`ew5RZGnOqvZ&_a^3F5iOUSr~46DiA*ItWr*wtQv{kTzv3OOGlTBk z&V?65EU}u-TT%J({?deU&GjWqkaP&eqgAF`Az39{mI1xLai7SSr)!^qLB6Lw0A6%@ z33n%X6**eB0^7Tv>n)5ZX8Q_<4(9!(^H=!XKf+J`EBx+HxBz^v&O9%+JKHg!8&AW> zG119{I?HNn-c)fikPi74H-q4SZo66OsHn zvNZ9nq3#YU6OC_2OeY1t=uobL9n2v|+Y0x2I<>fQ=Sp&PRb)z7_r2JHh$qVDr+F@l za^1)$1suZg$)#@Ebjxr<&XmQ;i;`54?%R>|5cj1I zeKT#TXv3!^BC6=}wv(mHXiQ$B9Vl0VfU?EO2M9b`r8;wxjY74V%qQ<(f2R8d+O8$# zVm#Ehr3jL-5<-8bo<4_gp4b-uLPAIeP6*NK;==tU5LGsDV3_~g<&kde^8)_TG}kRp zet~c><$r0L5Qi%X*O-Xj$sNWVG+bM?Q7JRkj}DXPbb5F}0-+hs4I29~E2qC+e)Rv6 zA1?W!bwaV+I6-_;79nuwfy=fI$>vp&3U|1NNGiu>{XR~_cUqX8yKqAJQXy(9f7v84 zz;)6DhKZ`wkBq0vC|bftok%YgWn;r2n|!5GW<0m-9xvfOXO+@R$i;W0f%9tz4^%h4 zho7dQp*B+(aj>qV`?2bqX*Ae(-TC@8vCbLF`Prqz6RP*vDf1l%Clo-p^TSyYe%Dtw zN+2{VnR8Q6QBYLCprOQ{3Kq$-BJlCQ(ltTmNZRL1@tmBAiiij@JNUO_GVvX0^5hX? 
z{HsRva*##qzn}yL;kj20U8cr$=IbH8{}&EW+&^)OuJa>&uV!6~A=IiloOaPMP?bPX zz9dN;-w{x{r{Juw5#`WsSE$?<-|C@J0#Tv?I{gHP0;dGBaQ%Ew`N<5;YaQWh#3jBu zf?}k#`6#*=TL&&ySY@FBLcD2~cw&C$aE}T&a>#t$!Wr({-Us=m>S;Sr350qn1C9*o zztQML{sS$8^Z$h=j$+i_o&FSmI=t*qKdZ_@0~BXlFLBTO(DD-QyXTPhq=hTOzo9;H zOhoWjZt`Vflkcp0+YRCwlGw^s- z#So`a$$@m>_zH;#1QBDRD$)K+Tu{_XA(7rt1m1xtTN6aFq-&WnPhf9+xbHd2|K{eG zKAvl@&sIsF!)jp<;`ZUE|61+@k za(OU6ae$5k+gWRCfECZt(ts+sC8Ggp@{v;nQ+oeEjbh#uPw-}tL-^cN{%qFrdiGrE z3Zg&h+z3KKiH;onR@EG<1-@G*@D|^vdiWX#sxX1_j-?SOc2QB~LAAJnFs3)1TUtuc z3)qe!+%*m$qiY!)$Cgl^=4zrZp%y~cCoW#gotu`Sg+_rODPTmg`)pOcg{Kn6V$Yw? zUkDe9)4d0X2y8%g;~!e(7*r)^)QFtwB;dPN)4dG*>vddfcm~$a(SSZO`@Ir7Wag~j zgGOEIddmqf!VkYohPp5Y7QM%n_kek&VY(0@6lGf66o4b<*A#$(o>;RaG!fb?DwhO4mWeU%A?G$w|&N_e?8QQN)zY$mx`iZEs`M3cT*{J;*jHlklr$p06PvC7gFZf#c+k= z!jAe|cb?H#%C8H?QYVJFK)*q2uK_vZYS{S7!+?>dp=o;Imv@#p)tz60*@uY3abcSkYApb1kKQc(vJ)nyKsLxb$OdziF! zKKyq^Ype|=pxH9(1{LbUAF6zwOkK0Ozk7Kqj()s$_eCkl%IYnXS5t2xnw!~4LrK`g zrRO-L2Cpn1tP}5Il(@_X;&WNOXenh%>%vfS8!ad)>7p)h#1o2HYBn0I6i|gHa#o7- zNxQ}$H4#(g>xKawalXKCg3p|LyPQJMQe?W$V!9F*HCL$))R@@$J6p#~&VVf?xdU4n zr1!IiSv%8^j8Hc+RzWgcOH=P6Z!%9B9bHTOtV5eeIwYQ4wvG|VP~=;ua+o}!W1U}3 zME)8SGc5I3l0tu|)1m-z}h{5vS)e+G>n+$6a>xb0;0bA&m3L5WK(fU!Q2PKFtK z?qm$6!tm&XIV|L9{F!fqWejyVDe^F$RCh!1E$~JGu$TF3JSmQt)Dn2L2Klg`k=I^k zS1K5bB_XFvmZOzpK)zTamMtNamy^(4CJw=evU{c zO!s!A!*Y>^znEYfAso)hK8|M8-K4-uzNf(c7sHWhxZ5aBg2^zGzZr7hIZaZ?vXnW?WzkjCQaF_1n>V@bjTb2e;vod@TE?vqD4PXBC zguZ*bywFYhT*u#->Lve4TqzXF%w>~wjQ+l-arfeICwf4pI;41V<9S;zFIva4jGi(( zYgL8C0|#u%`JncwzfJ72o;R2QyzE}}^}~LE7I4G{E;Qwm(y6kl?qIz}j^LogGRkKN ze^2`iB4{V@y>iy(My^Dqt$M2xC&@Q-n_qaicRiTMdQc{NJJiozEPy!c9JF()+~NdG zLe5qhHp$L|!c-r!J(jTtNlPuxaxf)K1R8HAu@8xw0VfGUy?M1de`4vFiJC#~(yY24 zzIQpRqlDR`!As5Gz09IIaMgwhT5_v{6*6h7H%_aoQi^)z3ZV)oNiS@>`Y&jbKhXMN ze(pm7B!70_2U@nLV3PEIL37m_e?jA7{|$W{7bXJ!zd*a{?tpCcPtn_mqknJ=6XP&7SPd*Tfff^8$jglrwSoaGhnAithH;>7f-L5HB~dn*|^sGYnT1| z=PHlIKfzx)jlRH3fd2wt#YhViLH}RC&8ms7Jcq_?ZCd^Tu3w$+SwiI*RJKYEWvI3@})UIMe&11VNq0T+xAzxXd{G9UHT}^U12>-sTr|R 
z5r534tk=k(9c{Qf(4A22qyr%|&dE0p(#j+$`+jAG5Eh8*{Q^}VfhC@$>$?TG*V0N-CV^?W@*NYutIa;Sr9AJ(gW-w^WTcfV%i&aX$#)jq!Z>E z?@&Z(V0q^I9ktZ=I_ko+ocyyOY3svNUe-?2fPPutk4Q|Rg(GR3u188_((yk%^31Vj zm;qN)OP>eL)9#e!<&)Vm3mZ0?WL(lz+WbQc{meAnF8L)pTnJ|B;ij4W4s>rEbTx4Y z_;ZRjJ5XWs%xe$W@HpqiXNh;S%+f@erMsOAEjsPfNO_c<=JsKW%+DXM=Q0ZCs|fPU z3DQ(HBS$J z*KpljEa8K8eeZm|CUL}nB=Y#wSmq^Wd$iG-Z3_rYbAU4x6B ziGYg49h#_SjAxHx3iV#@KmT!k_HYZJbrGKg_>w1~0hJF$O+%dAcY=DW*{08c zQgB&C-{Q&5$8uDRbC5w32nZ6yW5pQi4a#G+w$sBE$_5n(q%5616~o_g z%%mS6*d2XX*W`CXxZ#y>C0LWJPM;Ock-kS`vJ}8s2>A7w^a9%BPdf(e z_r3a)P3KRx_M8Raiaysr+0fZN0!(&Osm_e8cR=SfmHVLASY6fI0c-=rTyqf~96V}L z?3^uE#;ZfNKtoX=bbN;azusUV==eg%^+VtIzxbmkq+L5=&~@Js6JefV%RL_CgPkdiEHx9!`UVU_Rui_yADkur_?{g=k~Gwi)dJ=)_^@ zd!Y9qbj40VNAxc#oe|3+Ug?Ym}}0hj~jnth(bS zXW}XUU>LL=bmJ6twI3O8vIWReU4lHV#Ek;dp#%r%N0}G^WGB9#LV!TTUP`=E?A*!Q z9WmIXO<4f2^mDsyrfQ1`uIRU-CMa01hk-!9k-kwO9@~=nK=4V2`%g9?XbfEzZ=V{` z3#jFSnBTkjGYK}5=_O3qwM-{8BBVAn!yxRGOAIFqF0ZgIzK$|xZEXde>zPm5;7^&z zQo#-vyqW}k$QUSdSw-$@-}$mm`)g@+Q)n-y7XWSe!MH4j(yJaqIx&p_S!A44w@ zH)jVS`XA-ab|&5tO+{jDepbCVVx45jq89iLfpUF+*I>(hR`$#-+Gq|;(FIT0G@!@& zIu~fj8JE?Qllzu~UL^AAHV1@%IV+Z&CnF z{coIRAO_y#&SCBlu4fA9OchPTZ!5M=MU!tz@=&f?PefZQ4K|#&RJNpMC2YvV2aA9Q zY?#e57ER`)g1F?jU*`3`fdqrn^ZCgOjLW)ei65wP*vO{nLPtWb>Uk&OgPcK;ol=B7 zV*=QOJv+@n^uO7qYz{+vvR0cG-lL`JzDi5Zr)E=107gSQ$GrRv1#MZ<6!c{R;KAXz zX++Ri)HGtkGb9Yu%AqO`wNbY2eQ~vyci!&k#cdf@6Ww^#Gg{sG*{wrB$(16~Efc^R z((P#;V(4@3(m?vNw_ZfiJ?rCh!-hAOes(s|AE3=c)wTs`Q}2D)PMUkL%`XqS-~6xV zoY)ah1XHuSb8>=r=lcX-B2=THEXim&E3F={O6@&*-!#n7HU?e1y|?Tnw#xsrREM%W z&Lt743z|mW=lH}q|M0IlV6M_hF;(~ZgZHVi)0|0oihL!3#b#%NG*DRv% zWXZjwmoi)4agEmeiFZDh3M_-|-dj->ywbdwT}6>$Ea=Rf@_fRDKkY0T zo-*0*lkeC!PVN1Rqp9qz1YWlRS>c`# zitZPCVOB75sj|A4Y{sLfk++JuQ*(m&?r?L9(8Y5h7FLuGshsb{t+6IWsj;>VlLu|8 z7ee>;4gR{%gw~BOgw{$|zfc4~yQ0wFG&rE7(c5jkrxknP^%bUY*%KlGDW8r{-wUPO zI_$kEpHelhgr@vn+yPPF?H~J2z}c6Be-#i~O@oK>6-)imTA&zEm$MT`@Vm$X{%;-H7tG z*^KYNDP5iB*nVjbIoY)Uj|gT$F4$;tl>Y4`G57MZN`&fmm0;`9{kJS>84hltFMZt`e!$Bdp_$saHE!b 
z&Op0dQ+4-lxK2yy)1^ixn%;m}2H;X(!R%yb0B6Ies#Naf2vnX9)F!a^kB3PM(F!mP zt6=0P=9SWd{wxBYqnYt|SqVAZpTz=^XH00yqSv!TTFlW%Go-bRV!jvN_bY{B^b0yR};i8TAMm1)Z%YW|y($ zioV@!sUBtQ0OY&n3Vley{?+l{0V8C$Y3F$X9!gg*q1$4wWJKL^z2+YQ!U4x86}M}b zwbOd?#Pr_<8ES(V!rjExI3s;!r7A+ksahuZ)9WW1YDU1h4FAsr%|(9_+zbDep!t=n z$KHQeJ8;)o4_@rdmK#?^hKyaOPC(R;33sX=R?u$E)#DC4imhN=r`ul3n6mqNM;`{1 z9ga8DZ_71%tJ%(0Jp@o`OOWUoXaon-7cm+dr^a^f$Qs~i$V9@p{T zCdK5DT^ti~iG$wcPaRI{^p#kYVE~Zvf;6v&erQZnduT+D*BBZ7ke6n{A)oA zRhS~%spp4D5fnfY#h#A}pdE9+l+AwB$+?dPAGZ!o+gs_Mpdikrg}C{lSN~~3K_#VFRHQJb&m2hIC<$mz zrNJDd=Hw**&agB#h{MEm&74*4H#mHlFwl$Hvh={cV#$Zdr}L;9mNZgVt8bu8KpXIf zlU&spg!c3Ia@0_fYPGn3l+D3h6g-coexP3OW0ky zvNc0BL&~X<5j<9^dYas#kb%*=sX$sCCr&LzKZiyd=J+7%1BvBg1qy9~iP6A&BcCdS zjl-96xU{4LcQqplBFNEE`!_SzfYtK(2o5^mB2jfQ9Cxs}6h5~ZtSv(Sz?d5y^mF(f7(@bH>I;MXWIu2#qLt1lFw(9WeM zJ!x-4oJmuyh1WTh%Mv+pa!01X~r++k7BMpc$&cq1B7WqGO z)Q^x$z@vBEJ75vutkzE=)kS<&4j0J_U-*txuh9RD*il{%42nuSH-ckYPM7L2nYn=- z0Ejp;>i?ua$W58$RMtN#rmo>gf|?UPP$hD_WMslQQzb_@J?}bqsY#hVyO&X}I=wdE zWWwRWqi22mgU)<#v;}vRD7&}v_H=`a#H8}3%-{#ANU#4eT|ShU!F1lUL*s-#(i@C1 z4ep07ZW_4kPR#G9RU=NA0k8%5$T<`4-Zo5Bso#)Nrk$kpJz)OOV5m?OQd;wM9lmqO zLY%qV6K{%4Xk80Dc_Pwk6KpEJP4i^M)3C+UA{k=-Fkt9VG)OA3g4^s+Js>Z%(5jW@ zs5D^7oPQ2?n=~m^sLbw@gJG@&Y{1Z;fzi`1Hx@XHkt8AoG%E(Wyb)H& z!&Jx%nuPZXfbnB*ggjH0Nu}Ml2!UzArP=BiR`AR9XHe(~A8xg+G+jWRg{U!(&7QU3!3^9fY(Zy=6OpcBDEZNWl?4_1pn zw84w{T5*C#*uN377XW2TGiGBL8lc|~nL6<-P?i+@QBFz(CJ@bB97e_?XjK&Eo{+MF zQ0XrnFa_Od(JO6=sr(F)5-{+5benO04LQ-3N5U83QhA1?hB(ySoFXVnM1=~JN(yT< z^8|qFLY3eCQBWO%YBKt+8QFq8U|I-pVz)xM_^n@?9}!bk42JxLXif^a6EQv(ggA&N z&VN-d?*VY#(8V!8fsb)itiMegY#IWl1ZfZi0mgOrSgU;8{B8Fbu2S>s>0`|QTq2?C z=0C^H4g};-1p$Qf-_!Qh%p6U{jg5^A9RHrd@AV_4K%(~ig<_QJ}1B{zrOc{D}-r6JQd*P>wIkaE#P&;JJ4ywGeh}3#-ErLg?eW&%3Kz z=Zja%Mg_;|pDnl#j>kjm7Vl-g%Eg>5pW92FJsZlc_49{_`@LPaI_=Jn!>NOdjE|?w zkLUMOm$tW@sj-b8H!t@WZBmzOyYfSLW99c%o2^g0-AT^;2FjTswYn`Z|00&YL_W}tOY5%mc89P-Z;!|ooaNvzVlZ-`24bZN-_5K@%d={;p1Yy zw>IWg*!9HF;&eRkT8@Jm=V&Ha^UXM+~Klz;9%dEaerZU 
z?|#m?vKXHreA@PNvUz=m2{eJdE~8ny4GdGX;ZbdsA^vE*8Fa7MymlKw#pNw_%P#a&Uw3IcAYMp zn-X&A{o1~1iAk7~z$@ea${@b~=JT<%@uQZH-Ya-XFFIYyYHi-!U^ky?fWZ zJ@lQe_WrqK*|2>kT~ZA5Q&ZjQz<9R))9R{@Z*6#O)+M{xX!xjHHdThkHn}YLab4Bq zIF4cS^7WlTyUrz!GmU^6?qsLs&j`uGPBSJsCY|70z1w50=WDgRTzi+Gx;(=B%aBfE z*#w8i`qq|wQBeS4GGiH`YD~=7{maYFQ}6xUiQUsjcJisuWpd2Y-Ulw>;YZ0p$i$kv zk7w=|Nd8NL0zrc0s^k33@3q>6eXkDBWk+|EZILyixHe^{^!SKqvV;ilA9Wi$Ed`^p z{PdW|m0q0X4IJe4hfKJbHbdm*L!{;=V)N1R^OLE?Sm>c@>cMWxWlq#T5{h|eH9hfMPawRF1S#$FgqQgsTj zSY+xo;N>Iq8y}kQovT^UO^?l&EbUDX7#r~j$oecFFO4fp35Fpet&escI+ZSCyaEXf z;2sm_g&+a))jwg>Ntd<2%aJW>K^D%}@tS`UVxR7-5jLaURmgK(82TLVu#YJe<;Hu}1M>DK}Z5$>h;?Zer@ z=+=v}h26dyEolToP*wq)pk4)>AUX$}hy|Re2E3=k_TLbAi%?BKZ|S&QPJKee` z`=LM5zFPix%pPSiQ)Lr7KZ^xz;36%ybU%(>FG3CuvPOIVphn_K3%ZVZZ#r{1KVR^) zczzsN%$`_0uvZN2al#h4j3HvaKe|3ao!fgHzpZC=qVr|7ZN3~cR6;hk8HQ(962R@Y z2s-VZ!V^T!Z>=0?%keWAZcW_dHkQ4`L>QL8w=i_<+~34_9giF>JdZu?uiU+w)l7W1 z#}B;?Qf|56%AE8>PJ6vKYVmyIZs~FfG7zj-9Q*OGecv|{GbW#5HS4vx?>jl?l9qvg=m?!A^yFzK_F9&K?cuUIYn7xXOEmetC%*@^#mpYXfVJ8~Z5IP#`A@P0mmtJIm1HbY2uj z*SWOk%oMDS6zuTz*#u}PY5}h0$o+er0n3+2p&i1{RZzQLvr%eLAFVRC zV&MHy*(#*2`N%y9ousao0{#m@!NNOY5~f(wB5s=S2PG0z@-GMnVNVK+tymV~Z=xWT z1EMSl=zeL+(IsO=4UI*d0sNH$_C&8vk9{Bb)73^6Slh%e#P|8TGa{R`4_TyaqgR(Ek!oq>g_fU2t$h#oK3s8!V zW6@R0%#io4G690lrp=4kxW-$z%4@kg0YiLqZ3=aLmveZxMJ}W7G986&d&$|Ii4Itk z23@z4OD=96bl%$tuGqcMXs7cvZd!afu2I+4-w_7;>}vTp9lt+|$!#pU9yhm>c-zM{ zVbX1$Wv1kC{e(Rno@vz82G$m+`K>y-%U6*mvsj*h5031C-?<-UOmb+i+Gp-*4H&ce zb(@M}Q?DSce?RVedAgjG7BTVT+Ej;C7ubc1#;<5Esdw(WzQT@sS;aru`lo?x0ALwd z-Leye;MoEFLUbjzM4BzNA@PCEu{H6wyCLnu2@&P5be-qxvD|9mg&UT%P8g0D9|DwF z);4N>k8!oBEzuQjN9zs&tlryIqfSPXIz2AvC#TxHKKGa`W3N$u6DRpudWDp{y^G}= z1QkEI5!{m{N(?v2tb1R)%REldoCsW}XYYLCJoYU_r>w7t)i^t{g1s`@SX~13!?b(l zl>4sq?G@nR!uXYK$JO8SaZeI{-*l*Qvfa6s#~nXjE$enA*CpE9=Zi`I?nyVIxVS!O zEgE=s&>X(MasibkKTnFUI8+fU++lFQ7tBUzZnZqCUo;}OILaFnOP=`EX33RWzi864 zc6(c^Z@-zvz*P3f+9`T}I3{H)1r~q8(PUwrUt4b-t@2p0=zyRieYJ>y-70wLu6Ru| z=H1iP=x4sDJf`|WRzY%Go%twXm8thAukuz_GHO;j!M)bSOewX`$;@C;yJk$Z*6EDf 
z?49|WDhfEazP zkQG~p`=5K3!>u<;L-?-kDRQ-<+HNJMQLcnzUtE>FwOSssq*OR3$R8Si;DgtQ)}OnR zRU!WP4&qhyqy}a0rotlZ)f~tLWS1ow@4gPd{gnXjLDRnccIfP8kNW*S^@TiKw66g+ zwjkb&Mi6QJdbejs@F9eywcF=B>P9iQ&(lu9;<or$C_l!!;-{x?=!fx$eYBU}2OknQ^0v)!MOp^eL-X5557B1ouv?y`|1 z%*+rJ>0d~Rp+cqki757cQ|~~Lf{l!j#0KjLu$Ao%WncW@JQDD#@h_fsW1rHal0)XC zNs2PAYcGo-Fx_jNzZs>SI&Ne+k(#DrIEft)pE)K*=~9~r7a2ealx zDHVrNk>gh_jlVZ%lAj?bF_O33Aq;@;ssP&Ysk~}v(-hN2HhHQ=4qDH5^K*~K z)VxNqtkf}YvKyj7(W1`rdpe_KX*=;F@KPr=GDCj$34yp-Xs21sq6sg}XKorDu^46T z(-lR17>3Uyy7umEwb3UfqhR9oYJYCNYT))-eL3(@D)aNI$WRVCJN@S9buoMY#IRzS zgL zXk}wK+N#c;G$wd-xeo<*15bj(n+;(Y*^aU6erwOVu>S8w`5 zI^|apqWJl!2U`Y3P3e{dh_Lzdt3yce{v0(##`&JTmMi8-tX$3D1h(ONrsr-3sjvWr zmWoB-(m|=&VdgKzilhY|?9~HAvGdnovy;?bhI(h6mqy;>Yb8F#O&&Bu8V}hfzvio- zLAGHZozgLUUk3-@{KuZQzk+0sN2@k=2UAlu7aNiZ%^D5(xasB+HZ>gg3wLle15&n z=ysMhtqR_K1bzki+7Qy!2a?J+%@0i1udvlT69Wy3_1?ICaVf3v9kM>z*Y-P0HUr%i zV1d#yMvLdoQPIM!@V4~Fk63&{gu@jL_cJQuHaoqcr0z96B=2R*k6xnRgkb1f2WuUs^^95B0JuND zNOp8N*E4Da0mDKboVFfko3a5!SYOAU#Wy;3ED0~**KzHK%?pzCU39S<0zE+C8l!}p zIo}Q!ywQS4DXN?uBzHE|c>vs^D7QBaS!0}MJFo{f9r+9{A(nFGKGrivy8jr=90 zab}+Pb@+LRB4}96|0Olq*5)s%e|{~s^F;PZv+3QKGrFK%ME&d&+TM%=ThFlMn3HSe zys+K<3i@De>!k2ztr$nM{4$V07I+|60K)w-=1(q zwpXWCmjQBO6Oa>17ZdVj8=a#?+?i^B3~J35Bc&g$n^JmmVp{m>+Iw2EZHm}Xr2j0i zw>1w?%Aer;GTS5+XZ2CqZsp|LkoI6#?ATvBR8 zNx-7lM`AY4Uuh6^dl2Ax+60<<}}(yK_^q zV!O486)-jx&^BKMLYkuCHsFtdinJYfDm0EO^boLkAXgt2fg+Rr z@=hwg{gRw=w?J!|*{LvMwBU1SdAwsKV{AQ}7hQF7wfO380p5O~JkYCU(W{jpFI`Ex zWyNN8;n$9IN>Nu{G< zbpKw%CW^#?zrEqiDC#H)GsipFup%YPT`C;Wrb61L!netjLBGU*pp_^Nj=RJAunh=LkDeyk3ZF#Z|Mk|FE1$rJ{)U=#?VN!gDKEIGS5{b&PIMa((!*J zY7f62^jYU{zych|IS;1&ew=Qm!!^nNKnzrW52W7%^w9ntdK|=h&~o8 zy=U_Tr^JOUqH_~QQ71~#Qr?<&n;#HhDG2jLqx7D!PgZ~K S|XznwV^~B07 zm*s%*px)`_^w1Rg;DYZEj|m;S2OA2NiGhGbS(*CL=BDBIs9KjtmntR*&gGbZpyov! 
za1NMMecLCxfrP9Dhn+&8XugCSi-Mt%izAZ^YX`^Y2PdK#Jsr2gK`{_eg{NyhB9T=8 zK&>t+{b3f`omuOw2|nmt%0MDEy^AKXpgpb|2!%ufgkNn(f2ccRnlu1mxh>g|Mhr;T6e2j+{X|lc3!t{N$oj(6 zMFdPJ7bAU+Dx?Nv-zpdi$o@sRl2>f|IvA?5rgou0bgJjcnp;Os2jCFhDw`mu{1-+dRpQLgyLZd;6n)nKcWVU_dSRL`(Q2S8k$U0wQ1(!BD%` z^M7Qf4=`WBuCWC5Bw*h>Y%Ki~Gdu}xuIA4S^Zq|)m>fRI7nO*c@(> z3VlmT%M;Pt(D%dIp-A)|*<~8dV^NW)pIIXnhy6L)4||S>Q&q1$Wt_8RgphST?S=L~ zA-c3jGRIY`3>Eat)M_aYHpVmqeE`e+kw3J(W!O50>#N7vx~8#2H``rV;3{Kc;p2Md zYzF6s*3Tx^1BbR+hX`Bs@WjbswI8TFy>H!-wS89mqEnZ0-lPz&vaO91J z!|2YxSt}@IbjEY1(d&%l_6JuP%8#C=G(c4mYWt9CcfBT>dd8XQrI~r>F$Z^|)8HI^ zG3z_E>HT+<)+NHh9kTR9I@gtgtLKSRao4vY77-EckDn(n?Bc7(4d>y#CXa9F!A6^zwd92t_!3#Q|@i(>G`2U5Y;cNd(D-}EVZ;ms`kpjkXUOPh!N{;SLE zYa`Qp%i`F4PcAT)X}$K2!&?KFYLaZdS2hqDRj$xieAH6gV+Gab!0*W&aQ4{yEW<`` z-**PEbYo;_CwE%Yp05^1(+Hi-7Eo1If?Yn@XjJlj3cKIr7wWO z8RFz)E9fSg4yx&_j+@(}O* z#y1N!J`DYWG;sn9!2&-6N5v$=wnr;}p^!`&VhRwE{};wTB2I)v**--8SpC06MD>f+ zed*BtTL5z|^b8zrJAv_90m})}#90vaCoN|NAADaGN;13-Quvv1JUc)ggTGto7jZf; zxI~z7XR4_)wF`jHXM6}Y;&i>Br9z3wqRycQ@>h^?;`Fdxw0vyrzs1=9U&WZJvAviz zlu@UpX$vb+u)b(&@}8&@)N)^8mTKm7=g?YYfp$!2YGJQ(Kl>W6P&Xj_sFY2iW!PAA zt=qhu<*xBiukilbcK7x+wkw!%j#y`CCv9Vv#`Ljb-7uUTDK|8GD}Nj`t|M^vkk;38 zVz&^UQw(q1k4rDAr(|CfT*HYUQf^|4vl)Qyu~Mq2f~Iq`CMtTtEhGd7B2B1CROa?v zwcUhINbPa9wBY{nz8N*)BG$kk3zBm{1Maimkm$56YzvE-E@2Dn#3k=#s~oEA-m_~- zNQOz)gq-VlNW+46;oWFSChPLKVK-c09I7gkxt$A>F$t7JOd-?28wtB!q?MKa8_Dy$b{s~a{qdrzHSBIItv4#7z8DaYMs` z|F;S^;6P(-%g{b)6~L=kUKN~`{?VbFdj!z&?(i=i?<4EAEF}LA5>ELVnLY#e&kD&( z+FpNIftvbh#e>qnARdYVR-pbrtQgeW4;t8qI0~svxH0!6a~mDIUcnhyGVj!bYvT6? 
za;}JdqsuU#P9HbtmWiylvT6Zq>zdrSMAI2xd1K$Ik>ij${1$J@la0e?18i-H&8og>&qz^nuGVWg!_wp!$a85G=Ve9D6Ev8Dgf*vp+oJvv%6JFGi*) z#SHax<(T>#!a1rNrQOReP`uI@nj_Zxcp8Gyp)3?DlCe~+b9fz|sJ;Jaym=vBkWgRP zw343$T}vK%V(lqP)N-tFp`TO%xcVEGQ=Jh`(tLgD$shh764)~(A8e{PmWMjeVpQtqwbo5o|^|hz^pQz=2>i?h) z;3O5E{DoQ*9M?0O&UcrEVWEiy5z3B-WG-F4Q>?nJpi1kj4q6jjsN~PJ#9W9FK-VIX z1{unp2}O@?(T_5!B~07Kuow!D-H#K>uIalFqsXaMu1F2(U!u+P8_5ET#*ZCcrImh> zP4M4b6-|cn%IiRDAoSs-qX_LP4Wz({HSD86!~tTEHE9+@lSFF#Rh@s7Bjd7sDyj!6 zBP_6PR4-5(hEeWtoF-mm>g=ld^`KTXkd6@ytPc+vsEK01Mbponh`vj-C{#{dB1d^W z(uCb`X*j|zb1GcEBWCJ0iIYd7tvWqg8NseE3IPZng`siwLj+)&sFK>Z%u_6-hHuH=3#jP&apVG%!`bx@ zC@XT4eqdVk2gB*Z_v6rap9~de&@UFFAr7iA;yZ@2M`}0y+O+@QWO2|e-aCKrtE&0Q zR1s0XvswShIL^%9fuHrU{C4Dd#pM#f1<6#R8{N)alA^pnG18B5P=T&`6MXiz7}z0D z%8&TeAnEX9ptqEvg2RjMZryW8H7U^%TBD#i#h#F7AtG1h2OPSCQc|Z1+-Rb?VhyD@Iy4=OlDI}hZuoPVv@ebEm8b+d z`XN?vew+$(q{&{|6n~FpZun>UMWebTI-)Ed?oO2(zA`3NtiL^Zln_7u#rmFvN)$b5 zd_+Nh<8(B4#6uJ?;Kh4RM5qxQC4}_~?mu94el&oR zz^PO{D~ewpow~LrfX0}yfSL>Qv!>Q{_KneB3H-atxO7sXGBcI3vedwTqZUH{H!2ZA zFgf9THAO1C%0Cu-uLf8U2aEA(!9-hl!V}Tma>RDAJ947Cn&Lp_d|NmTgwf_Vl^V)F zmHDmWGcM@lfAQS||3uzs3%_xIQ<;$}<-!dr2z?8NwD4aMLT49<=lNDXDV9R*`-CPo@I@#4!cqL3%R#$^Yl>Pz))>}gimKgd`4M^;(>PM=>pF#3%|Vz* zXqO>MlF+`-009%>5(<7%qM`lG@|t#x zH#+W!WKJ}nNI4%x*_X@akyxriI@_vZZ{+u2R7(xZ#+V|YvFvNwX(#}SWW^KrHYv42 z5t)_xRs#`;3&r`&M+3zvB6M1F3BLoe9an{hFIEuGIc}9?eKsN}L$hg{VCVJ}oO4+Q zS{I~v78Tfc8xC(Ys4m47YddWC)So|=X>y`?GPRcLM#Y$(dD*XFA?11lP@?*G{0Mq zG&!C%3j^cM)vXtZRn601G2=!y^2YZOpdnG@+-8RX4GnVYyLAwQ*kM|l=~fjS#ZRTd zFaV`wDgdQ&3Id?9wmfn4n^MpwX!0_fn)>&cWO!0sDS4dh%prlGg#b$2uCsJ8#JplX z`=A(7To3c7L`k;IBhBrBeN%s+J5MdV(L6|ZY*p0lsA$WDdi?^GPxj;?I#Z;kBCEwMjc@0#p*v{{B(*z)TY@0 zKwru)aL(aMtbi$cIh!Q`QJrXKSy?hdrFVy7?*;`ya7zu+7`9*;7doWiCQVf12@VB; zEc3>Y`m-Zeg zOwsxqIKZq)qu=l@5;b?MzrMR++ z-Ocj@Q6+2CP<|Tze|_e4?KQ=z6-AR3(De&6kl!#f@cJC*|R?DXpT-~9B@Ii{8ZH~eOGbrQ-^hME^oVj1(~b2I|R?@JkQM_5#6 zm5YF=f*Wn#VGLKavTB?n;=6Mf{X3R)+SXh0?zxtP1R<1*XxBGXw21^E4|kBfWEt53 zh*xyHN67qJ@mf|+T__LH$@GsD7zYfy5DW?xpIwCKKgrp>XmOBVn8KGqse+uLrUr%a 
zZrV0N1%Q@91yY&2=Jybzgt!ns17^AnUbYYfV@hX3nM{y|#mOOb4Y4}|PkT!(3pRg6j=c<5eTTTgzQbZR_h0ciw$VPlkR77hMa)H8CC2OTVZyToc=jJsNc|rBp#FAD=rynG8j>=7 z;3?7dD2V6d8`$5DVF_2Z>vH7O2{Pbc-xkwEK{;StLyl{B9MXLfTlQ7{l*EKz0FbTp zyXu1pMiQAfaPYsic=|mC#Qa;y%%dov(@Q#+Yw8LhSWxt}2g)8j=CcXc<>gKA?I*I{ zXKrv?Onu6^hQzf6j} zhBP?#bBbT_ckY(OEpg!8rbH}(q!bW%7Wj4H%u@s}SM{#nXJa*!uZ)K8s_@0FOzRL~ zfPvAlR+V7Q;dhuG>=ko``~|>^{JsJA73)-YGnr#aXmmZ^DQ#8{3JP?^x;W8qQ}rn} z_A5T@jxgz}l?Ru>sbN>v(%F`8gy2s_c|CZf*d}A|Et{FF+)G|3W`TiS*iWq=a8v_@ zw0r@DPFczJQ*lhkmn&NFn*%&j97S#dSnzy}b7zJjsB)~C##|F#%VAza*LY2a;=Xh1 zj74rIEuE*=0l;z&E?I{Fn4(XZqQ7B&$Q3;)jp2V@r*==^qK|FSq9CGD=T3BLuVyyV;Mhs z`O?#^JPS+CAtdWi@$Bmmt2a}(*+u2tIt0cxn~NFI4%-@QY`C0*blxp)QCjXW_oozi zpSf{GaD;yYWdT+j#e7i(LeDykKgr~j zV-+@%vrTV1Woz;S z=bHF|BgHlG09RN%=cx`U*nuxg4okgeBB0~w(kZiHF!^hXW72@(>S#{ePC0g1MJEkh z?mB)xs9vK;j%t5GUv}N|)~Le4k=bEZxk+XdEkW2waV2JtIP!`ye; zS1A7`BRT&kM*O7HY$Q&W;uj8Rd3hNJ|9pm)dk(Wwk1wO1+s%&h>sAU zKt|=#;`nj8fOeI;R#EUEL~XxLYqI(G#$r4?-R@wp`*ScsMhPLM>_Xa`)8=lS1w4V%7e{TO{2%hhg2Uq$(-X_?4-UxD;rw)I7~~P^h3uDv9&De#4M7 zL#lJmvh-XGs4hw%0;-EF?oe!q2ZcJL(rAO;ujsJ2v)GcK@2 zs{vrjaPn*~Nv0>GIAv41;bj{=#8S?!QlirO^RX+=#bSmFGF)3R?H)+!eNH4`Q*P?f}Q%v`!e*-u>6xT7{KVy4Zd+BDgXWXAt5Zw zj`TT%8J`%}s5HkEDsdhA5tmM0!3b?%1(Z8# zH!!fw@j#aLzh{rQ-D+y0KcWg)o&4L-OP5QN*m2)J$6?I)5z^Zi4B z;sAmh9ec!%Ez1K$Twa!}D9B_uZZ2b1l&FZPNJc_f&MEMI&sHg3I;0^_U06<1?|ZzM z?~~L-{9LO_n})qioC)TBy)E&u8R2cVe`a_Kwt)+iK{VOzn8{zHN^cQ;GyOAZu)(<( zgyphSO!qexEQyMC=)(0={x)OOjZpC8t$;!jnrJczvH;1xo_sXSDSk|@z0Pi^DV`&4C!65 zu@SWt=@;vhlyD^H_HXSe<1;frtjT%2uY`>FfU?#yTsCx`PKhrq=l+MO=B)NbHcjL= z4f!l8AE9mxxG{DMTlr(TRvzra4=xjEac`v!F~v2|l4-HYLb>CgiPBl!xUiW1oDV^q zGL+NRS=p!Ymz!=Cy4&)A*o|r=_Y0uKmm>@AL~ps zibGpT=_UbSh(830%b2uQXNgM`=%Pfn5aQ9z#>&+vi_7sZxvWHHq*atn(bYx)a7g-G zIkIcI2#hAsan%b4B}sJSoXp~D>EcPgqNp40h*S@ER!bcxqBYhHPsgnLzUkAR_Vkdz zAB$ON>@Vl=Fv#opi8s!wwQB71!S!K(e6R5n2XupgU}&UFQH_yM-(dTR1McRCGx&(a z34A@?h|H;@fOxeo4MYSCGbu{VF%n5YH+Y>g98*HwLz;Nw3;@Xx39>JK%0%5^00N`r zIu1(R@W*Z*T|}W29~g#4GZI}bBb^e@NWeKA%T-@BSq9#}2^I2Yx+*`kk&b@{@-mLI 
zx=VWaLn66DrJv%e`ycAC{Xf--BK>c5mT&-dTu>dpZzt&g1~c4$c8GH<`Wwg^0~_*o zCGu;_zeusr-Q4&jWW9d;k3H;ty%(5AL4kmtq5osYX9pukM>A`azt&kbsBYM=a-nr@ z73ntb7(+MO$?j1flT~kirLY7nxCg5B0_EuTaG)oqmB7gSi@3`%>5`NNIAoOw|Q{rG95(TX&8MSl1>vRw|-^)2) zqSx$=pPu(^N80~UQmeu^Dm;QqOeV()!0b)7A zrHsRH&kdq@w#@`*oNJ4UO-F+}6dgBqjf#AxASXPV!xugR$I4LT&Ex`#h&x?JfrY{a zkK}eo_yPfzbv_qGftPkb4tQ&Wg%azFSopfk!Nz2MZqOM0OksVlgSgCHV{EVaNV_)q zN3ydY-NJJJVs9)ypZT)lvf%9OB95jce9}eC4 z_3o3!gN-=a!9X(xXn19eNK}GT3zvsALI=IGY(laojEBy=x_BTRQK?m5v5ohxc6coM?w2;lxlv8Z zK*!na7=wq#u2EQmmE9|Q<(WyQsE^}KgQ4t2-gDWI50cZ^`qw{St$yl^Y(Q|F8*ie3 zk2!CV5*pF|CIDhx{&}TeGl4EZ30hz}FaoP>jx>>ZE0@9U@e)9^*AG7vBjP$S?E?O!V`U5xaV z|Kr(@n(i_0V}b*k_UP>0k5}F^jARyxXTid6OB8NIw8bN5ZUC%{nt1-hs=bi-FD_W+P zb+ir`chT)aSQ43jVss{^aXp{@H{_8bh+_NDZ<{G7BcHUJcS6I&J1MSUK7u-{dL_Gd zy2at&iP#z)au^-I+1bnjXF2rfycJBN#@4QbY@U22;j)^$QJw7I;URw#V_3W&ty$fG z|F>f=+_?@0AV5GbFhD>k|8mUO#@bOuPv6q$b62U2}8wYYPkmf4p{UdtG!^J?j~JF8gtbJ}q-V1FoVM^PzIV(yQrC;gAR zH+;<|7rI&sF&diY%WfQ7x?WJ`LeG6(!sm{$U<2x?CnQOK)U7n+gY`y6%{gPLX4T}D ztTGB%Pmgk^b;lp*kp(kk(K+UxdxNe~l zP@*`oY9vxvJ3Jj*Nn|Y1{$4UA7&t9q9Bs&t_==b>!_yK4w(nQZpq$)0;HxT2zH{<5_nrOBe$X`MZAe7v(Z*N1p|eOoldsPmzS$?-53Z|2HLgW1Z6I-4_Kh}ajq8K>uD z&2Md!s{XqJ^G8E- zm(F-sj)1i+T-fW>4F!sHSotU}lN)dBhS^QBV59c7imvT`Px7rmvhq-Q^{x##2;)S} z<$+h&q|<9kC&g)z``1c|Qm<>=|Gp&?g-MzRA%K9|Xn=sw|8+|`ni^RdG5&RA{%fx@ z&963V99W%y)R0>D=bzV{!du19md_V|!J{;Z#?*^xSyCwy9g}s!pWAi&>TOi_!JIYr zRaXeXp3T0cTjMt({MNyuUJ0jCv_Bm9x=Ic?MDoPv*`=d&wQw3j0Q?eaC;RrGd7$J5 zPqg(5;bG{!!6V>(U=e2<s9>PIt76%?i$lvMLnRd?e74DxsCq-OdM z;w~}J{jnBgBLcLWxTr4(0g&;Fq(9AD*6G}kUNElmLRJ?yW}w!f;Lv_Lor3^5yc5I` zc5a)~;Wa?7HS}dANYSPvs&RQFJt;qq7qx%ES`I0+8hOKaXA%nO1p%`srd(C!eyx*X zmXs!qLldLRmz}=v6U<@|Mv_rqI9_(ey8ZTie?OLCW>%Wc27aYowe-K*y2_}iwl+M{ zC5?iFG}2w8l1c~zC=${s-5?DkIdpd;NHc;ANarY}bju(}$yQMYS%&|CJU;L2!gz`r~#i+7!JO*3@JJEe0#&upPDdlyl`dh>| z_ghHzOuewzx$0wF;z(L83ebJ|u{&=-RAhmZ}lUm zf_;-2Vm+}lqk(~x!Z_>|MQX1DUm>e#9Y z@fn2tSY_W4boL~UXMa3cOV$O?5#bg(_|wTeGmD*U^FR4Imp0T{p~!D^|8!;I>jx;q 
zxdB!?{<#bJ#p)UVMZhWNG4jOIDc27M=uPTa2t3_vFm5*hlPdQhp?T+fOEX9(smp_K zj)(8A)3A9vK3(7Tw-nilnLgy5pm!-J3|SkY^dU9u-HOjGv#2Md1(nl)hGc5xInd8NjK*nJ{OOm@?HZMi zTp>P5GOM@vJ{KXGK`9Q*uLxoj;;=N_+(`xJyui1xYv=7=~Bal>vd;v zJ!?8CHupw9pZue@>y!S&1x3!?pgO3$MU&i9&e^&zARg=`9zqDtc62DS&4jlhi_>7T>L1jMbfs1;W{?l$8-S{ zB(>x#q{%q_x=>fDeC>@-YHaAm5~L|ELAO?JzT13?F532a7l9kq)#?+b7NpKQfb(H>rlz$eXLE8gO%)!TZoAKU z-f|Rw;Y;pz+u7u3-3U5iYGMopIEU`LW+ce-6|&nw1!14JILKbLXo_onr8 z%G6Zio1)*36oI!X^~WP7C;C@I3knbXHJ4J8TN=5>$0s?86}I+m${t5ht1HDl`kL;u ze7t4+jVz|9OEu?oIYT{Fi4*kpmJP>Sa`NR;0TA}dz3d^^XdTyV2C}AM*$>as-UJlC zsDD)|P?k1)R99Hla%Z+H$f@ z!{TMxkdPMt?kYxVz>ZU?+oGHj#?4OzYTWIJ2ktY`kQH^`&iwrm=YEBXTEi{+S-z6m z?78jl4&oK`y^5k7=6L!>YSdWe5_P=&Au5*5ga-CU87*V!Pm{F)wdtIg0J-yBY5B9V z_mXKGOGEZ5%UY_NUj$8b#Y`84Lh9jzh)c(*M-yK8c!bmTNvffPvvSYw2&7v<4#{Xr z%@9u=Yr%J&)MlD07Tqw!L@TEz7vEjBw~|jTtdwbJ76c@QfAJa7;&LI?m*#a)UmDEQ zDDqKl(4xhDxZTdMih0K%UuxN#Ksbw$`&AndO0ph1c$d^z3tY*5Q~&KK0|{|)jNY@V zafEHu(GIh%#{2ccwOFV5$gYqS-yP0xZX3pht!p1G*d z^l+?fbH!p!sdjo;(9S_}k|umnhDKN?%{=y*d&Wu`*K^_pR(=x>oD7y&i#x1D3^@yTUY^b$RvkbW7`H`$Y7GyS-JA)0w-nTFA04d99FT@0 zLuGNZt4XajtrVYmyz|0lQpdc>)z?S))j;sZIF@z@hLv;K_4O(U{&}x6bzKleIXo!J zUMJO;9VT*1k$=^Ot$ij?o1R*O?3Aw>N5XWgiZ^$jEfo5WAj`rvWMT$QmsJ1CL@P=U z2TB*i6vBu0I|aIjOl<0a+MN@q+R2$9s~Gtc#?-8Qot&T6_CJ!xlZ=Fp^5U^y_g zFQR6^N7T4vwgl5R*@1icx$2t9%_YKrq}PZwH4O0XG9IQ13bza(q8Iyt-j{#SG2YaD|GC?9&Zb?q7-Xe98D^Rxj07HS@E7$+${*pZfO@4Vd(`{1Ep-R zB^!g;J}^tTzgTejP&J0bN6fmcgeJTEQfR(9Tu9|URO!i7I9cIe3qyF7{=S~ zLdIC9cDm&kil|msm#aMt`1B5aCn3rDm)W` zvhM!zIUGG4%q(3|0h(Xd-ACPd$0Z5s)`b$81O)?FM3M-WNL`_fwqc9{3+w>EPW@&h zuUAmu^R~*C`A6=`9O=?XVO8=M12GhV3z8RpYCo}$f9?h+B8Vd>-Nd$o^-C7yc~(^h zC%;}CrLD7X9zDUIAt(Pd{4P+&=5p~OZs?3`ZWNoG3tDnV7dXqYH$AJA5p91rMjX=h zJ#|TUHyOI@Fj)3chntSYcL+ZEg8qwzPQ(|%N1AZqPiu_kUg~SNH?vHw8Ys{N# zyR<+d9FVdvk%R=rO;mQFq|mu#1s8UWC2V$G1`!>NkdfIL(B(hi*VhgCteNB_uZ{lR?SE36;Dt}$Gr+#0 zbol(7ff>Pf`naK1Sf8+Cts@Csl<}RWc(^6~j}JcpVy4`zh15&MoCoLs;N=PFZ$2+BBaLv!A;#P4_^?{ld z3r-%m3e}vfP<`R1aJpW7>@aV_G2txJzN?Z(#;cp`cd|Z>v4WInvVA%-)cwWd;&X^i 
zM3bY+*tsk+i1v9VBGK6$8&bQFn)=>_Z`V4!xZS#| zYV;tcbyscyx6@F^@cnYA??ZkZ#~do)Y%4`uX9TIp3k;$Tiw%%oT|PXOly!*f{9q^W z;*z-Tc7z#3BB@MUG^XbC#-3k3p_XJe&SUVt5%1_ z80JVOb@&gSO;Z_r>G&4=)0>mZZ)u~z7J89L54FH5N0suErD;BDR_wQv2<$0mzr=zKjJ)f&#_dsoP<-r zkMMhbmo=16-LqXZMuLD(9?B@r*85!cdKEeVV>{=XjgA1XLVn$Gxn;=b9OD)jUV4qgzDw_fASVp;m(E!(Jgb!?MxZ+N1f)(~QDqvBc6J&MK;{Bw3@hm$6TmMOrr zEqgp(=l3FK^NCcxIA0U;_VEu1L~j${ldFk2Bs`%uF5ZZCg(pid zHBTBcV1mJs9E2@M#O%}ZB^;oK^_{?aPuNoia~5Yxk}{^BBGSk5g>+6#1yS{59SPd8 z5TzS}Nq#MB@dQF?l<{%`2`9@^LUEL@VDW=A=}0BLylRgZjGwq5CQr-tiBf;eBxLva zY%LMApLHayRcF#S@mVqDs=MOKbP@NYj3pr#rVcN9A4D^ZdR#7k_jl0nczdyLbsW%! zo7eiYFC<91Gq0!OW~4v^IPozHB7lvAlQVevR?}W;XXudBcxa-#PSyJL>LJwWq8uTx zlr*jaf4weSDcg&g&*lhwgzd#%CLhTxn?Ndh9vP5Kd^(L@M=i4SboZ}^`VzJPD>#BlX+Y#fPB#`&>1A9%f zfO4#)`|G)aAD0QRR3lY{P!UxKD98$DcqiZIfw4Q+f;jtuOcy&pR{9xX?lWA9`V}(p z6dSlQ17DvwH-g0oYdv!%76Pgf&NFQT#J8MyZ$RA%b3rAABT-&P-^4Kt5Tr2|^E5F= zh@d@nj7{PPXEOD$<5mFS%~8$UPrw2*9b+?IL*@!3yX5S+B+mWMz_0*DL0?Pzt=efP zsu^OjYLndcFH6~4MI#g@#g`0@cEgMfw80VEIOYUVoUYMix-8u^8S4zxQH}fMsG63R zy0N=J|Ni)K5z0+!0-kOco<*-*6PrQIbzHOM@R$MK(d)*`qjAP52@TJ?SCjEmx8_;0 z!#{xrp%ioBMbDqd(52kB*-y@He*LM%cXBhR%eN9+J#BT4Fo)nP=$K-#LIL zFDq%f4Qxz?GXyM;z>o~SeqUdg( z2Ym?tGwJiqfo|g;bdo-mM_voxoId%T%^#gx1xf@iEY<4^JfcZ=Qc8QPAP&iI+d{;E=!IXlWR92J}S4 z9|l?CFZQcqD-?6NI;8heH~e6i~ETW-w-=2IDn$NN#q5qM3e}n&u3z z4-=f=EZa4`y!seH=OQ^;{)rloVA0f-F=`kj13_>~{KL?p)%jCgxoscqRg{i~sJH1Y zc83*QUPpag$sa|1#j{=)n5fh;tH`f;a(8CQ?K>NL8+r{KMqRxH!qpY=tVHLD<3a}2Os+m53%u;{1N|uQ z{7F@?R;g7uCg~SD57)cHktn(MZBC%}B9EAycbk|#KaHPIpXb9R%JZHf^b+0!l3&%m z3kZJrBUR>F-W8)hBAlT?6Y2Yh#6l;&JoGNF+ipyPqBISU2BPz8&5nUGBl7aK{ zsa3&3yZn;rAV5@JSRt~)j@jBn&wY|V9S3?t| zaZr2^Nl4tepGi2PCidI15zfkUmN*?xWny5@dDqkQ6_q)!@o-m!B0dsAO%|k7I;*bC zTqy6yzPe8wGr{9znaxT?xd$T3=(3B!YC`ceKR+Uq?qbm%`uP!uC47vpM=xzEA_mJq zFUbWDOX@R}8P|iFUMPnT__k>S<$_tk_sXJ zT(}i&mo-3NVeR0|%+?B{Bc-pPlSwms4d!d(2sd@IAuwY#7iG|u-#i39^ZWhHr6p_n zcPXr5;S4CLpOU{BI>z!2>V4k7ynR?8q<`SLgu**AN7195b`^bl>A52K&wjaCUdBBJ 
z^@|M@7#P~W_lu#u{a@XpGGe#Pg4Xs-52foAZV4-_h!^iaCp;y(ieD3-(KItmE*%He z!ny_YehkIt31+?xpbPjm|J z@hJiE+L4-a=`E%TGXAOoYKkPHXCo2&b}% zW9sV^d?6XQs-8CTamjtlQi6r@U)tN!nO~TRFW}Q3uL<5~Z%;`6^Tuc%=i%sv1p_M} z{QC>*3ixKi4EokO+kytCKX=BMrZ#|p3kSHaFMQC?Xdv}*QBlYCggh~S22~TW7J=c8 zGKZTG*${>2>o&W`<9$3#=@N>7JaNqjw&PRHl*&7IyD)Km%ryNb!9D-(`TIXHEh zL6J&kd7$R_GcI)>Z{rxuN2gFZzboYJz*62J3UvLgY{Zc;?;YZ`NqczThPu)rg4S0>OO{kMku25b!V^xC%+B${`Cz-v za&$MO7jBzj6QQ@ZK1HX%FA8Gq+jwxR?DQ0;8_RF3(?6nGftj{~1iCv>9GAS7Tt^*A z&|(*!CW!)87<=IMjG??eqr4iP5ePna?pnm-?=D)I5uF zTq=5Zz&$KYyBPvKZ@f9{myp(<+c1)GUQ-U>d{sft5)}x8+ncyCm_^{(l=|)rL0dFk z?yOXBm22NAgA4@fgG2U9NdIY^Voz#u!?;#m<@dl*GDYBC`PFM_x z>iV~qlb4TyZiEUO`?v-z<)(BDtX>}~_@v4@JrMu2Mmwy|FGk;-k7-<1~X zjJFbZKiBeSWT( ze10w?92r}=4^Xyt+)Huy{>&T9l7I6@(nUI@fmfb)hHo>+?vp1cq){1D;XvuCe=9- zg^;5Z@;`0gL1AT~VBgyrt)UdScf)+_IXb}>B)&hJrx`MlcuIVG# zl2+<;<_rf4@9YJS#V?Xr`ihWIQt`;7x%9jMobAYG_mTu(5lC(nGv-23t^mrr9}PWN z!(m9VqVNNzR&So-j_0x)$TDv5WSxYini__hmY^-m5J{f_ryW#f? zcsfIOPOS|>z7%sP%eNO@8>5onw2mBiK_`{NB$kFfuQ5yqw;8*eXRavOT2b2(e+^@u zC|oo3BN(x{S=_TMWq)p-ut?A>QRoo%!x}|66hrw*lvf@c9Wzut@VXC}e4UsrqvQan zNJHE}7o?uR6*H_dt8AdbXt%6GFpN!kgy766HJ17=4g`yt7+A>L0Z9_D@OY_QudBPw zZ_(jk?o5NqjBTLXMp~B2<8zs25ELvM=Fv}-;96nF;`wtG87$>*>sWz)&P z9>sa<#GYhp!~p@H5L{3zMbrgK9lu!KQ>*1teO+tsW@wSJ%0x?z7R&91C5suWF)_&L{@2A5;j zumd6V+>U*_lFj}$SO_V=sEib+_sVYW`W+WSs>u|ZuC?YpUIGd)uZ(+>k>HVX5Y1iX z`+Ha`?qK=UOZhFf$$a~$5QU@W!1E4s=)Gp3kMzMC!b&$%2=gVK7g~#?$Q8Ye)r)S@ z-5ym__EB30i3fA?Z|%L1IJ@Xhp8%c?S@&L@Nz4HNTh@z` z;$sG(u7|uF{$N`z1B|J@!PUB|!S4MBrIJ{d^H^c`FNib@8OHWxt^?#!Ihoc8bScVs z1PJQdgOS@`KN{8>d(?GCK>r*?W}WOm$={VSYIZa3+sNM>f_mRXrgD=UvO9KVQF-fl zApOqz{@XYzj4yi?n9gXnF7WEggO|u`=uJG1I|ASuF}pBu4~QOToYWWyf1ppZ7D#`w z=R8*xMGOd-qDadaD-&+3c%G`i{$;Usnq7Ua5Orz_;2_TaqNn`udbZW}!@J{6nh@=HEyCzn3)Mh2;ZS@Pg0Z5PE_Vu!`&=KAhxHwbDsc7kULrEXCi6?yhUEnlOlN z`EB2GdS_GHPLJIw&#m#{(f^S4=Z=Ix#hMOMFva+6j+%VjRWGS3Y+XqT&s)>Y*}m{u zM0V=5HqoMDU;4Z33qoxRWnUcvMMJKgPz!cdRKbCSa(r+dmllMk*i?LqVMunClSeE0 z{@udsRuWLMT>U* zUSxHmF!Z6+?lT~J*&hrnhqukZHwc$RHC+Lu=16A>1L`L 
zisv!lH}ijHE%KwfDV!M$OivXW4E0}GJ36`Bm^%KMS%H@830o3%-kqI!`T8$Awy}X= zgX4B!@h*ghp6yw+=j^iV(rBcUQZ7Fi&V?-TRGYy_Vbc2pyHCYbq#BOvqb z%ca8RU`W7&KJ)T3NR;ck&)O;K$l&SIsyFxKtDwjj|Ec;KXtihS$t&SQ3>2X7q4Mc} zN4#sDzC1g29oe?3f5ekUhILyEG;Ys6jZS~QNW8srOC#bMxrqRNWAu3C@%VV1P`*v; z?B3zNv?3@b65|uZ{MND3(b`lolGxAcW81po-Jzp>-tl@X`ede*Ox)|RzRHZc4ondz z@si9sC429ye(W^rt{$1CN~(Wx(h32hr%~cNwZgYwtl_sN3j*CER9e0GPBF=d2Lnr5+GY6M~h zP*XR(pkfUG^l6Xbwa@CqyY9oN47rlGe*N11lju{;EK`n%Z>QV2#dv0aK z8P_zb0f>u}yAPB;7bNrY=}pNIR#20n*7V^uW#ZgI=yBj;#D)cI9bK=jU6&sTB39lt zOuhV`vr8fY>M_ijmTj?3;X(5nye_!Ur*9XBw)7dq1HaL|u*vS=ehYgM>C;F>7JlST z5I8q0R~=drdr={ak(N}HEWuFv&R!nKu!}`c_LXs78ZKV$XJ>`aIwA9e+Hl(-)?7s! zYkEGoqRnM?(`zYyidHzo+w-brJ73j#U%_H{4J-S))PjcXRsvc9C!{o-QaS=9RQJA^ z1KCkRejr1GrjkhPk`pZ%ocS77mpfBX0* zU($>nUA~w&w1TX*@}Lb$0JtXiFKr<-xhovBz=SsFAx4oaoLK+ZHt2$!KPN3fCvpCD z5^9qI051H`^;He{luS^}?ubJ@Qfm+M)iT@21>v2_ufeRA5P#@QOK0Mm$(IP8zm3#oT?%;S z1)KSPa}VnUS!qp=W$U~7~bKoF5X(iGJnv;WRCF8?F^VrQ4h))h;}cs^1P-*{|t z-8k00m9YEJVgMC^eQD<#WrL!79`8udQ)6?MiJ?b4<%U#bg=)4V<#R=OhP6eYBTu&p z_r2SAqAO+crZkg3{i2R~9jopy&Y8ptyXN@31a2K_2bRn}bo+P$%jr3D8(nWR$2R~0 zF~^q2B;0g>#Oej<7ZTKAx3JxX?#E>~@Xs75XfFf1Pf-zvTy|V9W(6_p-*?jX+AT(J z^H_^;qgpq`tI+j!kn+~sa5F`8SG*3ksg5i-2JLg<=YyzHm^coD5u}@`wd3m3&=@HL|?0gkJoA-6VjL!QxF~)=S zi7}nQXGx!zl-2IwN~y(DdY1{gL%3D#{969y?MfVcVBX?V9esD&e}}8>RJ}{9V&*IU z0^O&YAQOXfYZ$uc%IX>R7`~0iE_`YJ8u2{uDMG|(=HEguu=Z%>tazD z+&(~5ngI3J#J6z!i&gjd@D9_cS)f{4C>`@Q?jE-%Dcgv6oeO%Bx3*nEsycy8mP7d_ zcLp57&(O1#EjbAF#1&}^bXOi7-5pLIo%Oy0A^tl1>yfdkl<|r*4JGvMdqe)|a7!F> z>N4x~xifM^b`4DsVcpAOkW6&Sy zuU^DIeKdKEKBw}af{v;jjeZYRTIapojY_kgQBOn&pQ|GhQUGjSeNkx(P1-^&D+Vrx zWSwWfMJ|)=XLEUMuF$j`DNZwaen2sG-?ibqq0)1gGO#eksVe>AvIpNRt%!VDzC`cT zrwlhU+V5=D^rcL%bil*^iqdkSsDpglMAbO+Hv0rK=>U1;!vm#%T3c@O%*ma~Y{ZyG zj6z3Q#Xwi*xO3A7qoEQWq&RDo#eJqJs-&2UV-#!w{|eGKtlUti*m-N_5U}qdiswi4J!Ic~7G|}N~x}~pb*B;;< zZ#`Mn|J?99C9f$n6=?tbiCT?`nTwdw$f~qZCP596+OEpVlJ{HR3`Q@jQ~OJ^4$9{Ytg1#auAC?Skz@o9xR-N0LTsh=4aLFQeg& zalh>mHL{mAD^q9aCcL--kHV{Q^VUcKA!Dg3)KRcZ>KNo6&=wkq7t+n1bJ$mJn4RHD 
z$E}YgSkCg#YUxKNuxpPN$!)*K)ysd!49%N>Ze><0DccM=ERCzoKGHWsW?XUS*5w4& zhTzZ9wwl4&~3 zK-154e){^`#jf;Jhhn)!w?=n5{e*&%hpAx)?^pbGv^IuMetN+N>O!*&(o~1v(Cm%% zi!#5nrjk#Fb&2I@Gz@kNQy-WAqge!m3h>MH;_NXo<@ zGiBIOG&hNqy4Op1*%4EltnDCv-D{|geH7g(TQy;kN^(~jdnA=eyl1V-LTJxT#H^aZ z0UKL6oD)pjmT%%JIr1MH<^nO{|sl)>r|2(-o^{s7$6gnxcj*ZW+C0CxKr2=4G)h?`PHi#crd+Z|2b%&-TdcPkdwKmCHPCcD!#Pc$q7XH z&TyHUyrevM>sTY_{ZQdcd5I3wgzh_|>nmA)Oh`l$@$cZB6z5ioa+irRhniqlXMICR zMO0z@BUYK`-u1bV>*0QcYxbz1>iNlziFtU}23=-UcQ?$pN6Y%CFufbk1`jm-(ee1H z2FKHWl&ZRdnQNfWL;3xYpGZBxT#Ba{D^C~2!kEM@k4Fvi29F)H65h)eMrxJZR7k{T zY3vkY&6l$kafp0IB8hUx42k2?hWX-^kmJ`xs`r3h34)Rspn}mJ>1JRJzL>`&oww1N zukAdXH*gKA11o^yV%QMA{g8VQ(G7BmkeM`Ml0Y+QGM#m!4^_nNTRPG728Cxs^#QV~ zaQHz~gL1at+5*Adr!N3wSF1%t7l^vnz_p_5M=y?Dej08+b(F6MvV%N&T?CVRZs3}M zYeRK`Yop-QRp*``skm#|)jcEDSg;F1*TT(h*ry1dyKKj%mTByZwm@A-eb(OZSUMay&YO`ehM4_Jkc>$%z11cigcLN6q zrEf!a`E;e3 zuTPwiw6+(b$P)OlK%RJvK0$X`K_+#50g^j_VUfvXyv$E5IUSz#qNd@IB71hB+3B~_ z%e^C}ARdZQPo!~+fyti4f(!D+3d?jqQXBD!?++Q`yTP=9ma5Oh2df;=JJ&Peg%Jy! 
z=Cd~ReggU02yVH))Zf24h7vQWGA~gslP$_Y-(Go)6(};dO(9|4GVMXmJ3obcP(F(v ztlGfr+|KkAMU-%X$`OMF^7Z~IpZTZ!=)cNu{*()&=IYG~5O{DMg1hrKyd9DsjcI;b z{+TyXk_@3ovjKnmn=mir>uiL_FBi#1W#RU=H3`cZM1YN0iF$)z*xFc>ke)na!p~3- zN42rWmjm{rLSI}2H<5OZkb_O7+dREGqWDu41?FmM75v*C0ul5h)zjlVS7n-opTt(5 zW`$?c>#Z79rLz^8q1zO?Fpmm(#88vV+;y23Q3hS;N|NWl(noo0M*V=hExYTTYE8u% zIxZDg$5jN3mo4J3drP!qU5J3omn83@@#~c7&3tVXt;^&%dIc?}`-EFBzbeFfYHrGq zCgXn(jZ8g$4BG3ewY$`_6v*?i^?J;AM(nH24c%Vg?zeNnKpU^GD*w9dy zDTY2!-`;g!{n0!IMpA$F$I6$EDZ1I|h5aM?*SHDGEk|c8aQD;wX>lR9XLmXX92>b) zb7%=@Z1AAL#7HHpWO;Gag#2`Es2R$(*)n2h7xH3q(#&?D&Dcy5C&oNQ^jQDuUj{jt z5nvv(ecN$`X@$+c)$B5|QL&9Osr(w7P| zP>4;w)0$DU`8^&G;nDQ1mf7P;MR_6JQ)B1wB~otmoWkXo3wm@AWp_|BEW|W~C2%F1 zulL4mzZo8WfS^w)Y^jxFYhN^DPy1X5xV=@U$w?n2%2nizv&(C#Ngp$a1=PQwPh!(R z=%EM}k&}v`$3|D-{Fk|)=%pfZgTV;mJqfNRxRS4K<*NLFJqh8yr&#}6njn7=6RvID z&O1)R17kY>kIusr@A`Y|2z6ql_yQ&33uLx_$5%adZrq2u`?O)7rucKxr!j3lPmTv3 z=ut>}TU{-fk{KpOXeIY#90+Ye8ronw;5Y1Oj&-T;Kvo5`_Z`*uW*zTGuZ7MamZOff zAPlUSsDY2w&2c)g+vUP93BBt3&+*VoV_2{FT7h5ADyu!|=hx6i3?_5S%1C>_+wjCX zN5SOut%KvazW+#bGc%Od2%+wklB)Zho0g%2LyPuR*o1cb(WYjDSS{?6gHVA`5lSdw z*A6&3q!Im-F{WD!~@)})j<7*A~e1elS*m*%gCv@5D=E%L=1>h8 zbqyqOGrl-YT)3f3hB$u5f`8K(rz%@XGkrWs@yGWGG01oJhA2Z(bB9YEo*N1uLG<6g z^GraHpab4Q2cD&HpV7}ABO12lu+gQveiLnD^Yo(oe^cq0|3_sh>K~PxkbhMA`)bJ4 zZm&2A;5pXiMsNlR75M&q1>X@`dI#_8ie`<)5o0K#X9y;*&m5{igxc}&G;8g+`)@>B z{52Jb>2li!HHM;Z>VjVEozwcid-y94zCCyKMk~q78!Xb)Fl?Y(TG-1XNZZAy=QySY zFD>q^Qf%Xuy3PiY@Yy`+sAS6OBhh^}nNv~G$DZR!Ap2si-DtE_NFScaTO}nZ>y~iP zL_uGm9|m^7`-H>`J9P?lJ%(eV&2*do;6_&5T&><;Yi957Vw>=F3T7e61JcGQy^k}@ z)`gMs7egakH9YI3EW)%l!KHL$JR@J${0vR z;@1mvoXgYtbG{XsE!6R-*wb`e(;dsV5QqilAoo{$QalBfHRN(F=6)ZWfP>t&OfYeE zACI*nFC_#fX!|qr_rn?WS1HI}UsI6(OX06cluu>{G(> z!>P`qwQ;rE2R>~_$s~5wb4#$wk~^)U;^?2Po1pEYwGd`a*@H9>rPVBzX7om7k`cS| z9uuQBoT08j4>FCTcC^rVXWw{u8?&VB+odHkWC*_3Gi*b&PYItoFKbHWzEOR+7n|V7 zGlytoSG|tH`i(7XxhwV{R0-@1mA*X(XGmp-A_M*uigUMoAoRJFNH_Wm^ zKzTf^@(q%vQCS1GbCokWWZBNbiY&#Zp=`{{_6UkCe=Dng(Ot7on*(N3jah2FB9N!S z7cX^Ktr3Qa?$tqx6i+d5Bz`(**|G1xjJ|fG?+( 
zJq}o=-KfkeCUa#LHLNwsxu&VL`iB>OC7t?#GRfh$r+?+BuT9i1lvBLk zj*XmWS+~bU%sVSJO|hM2ktV?*+vQSZ)!~pv#jol-vx{78d3t|2lTkEVO`2y(nx?k) zbyn%TP@1C>l0!D<1Gz!B&sQQGLq2|wRqMHbd93uD-r4#$u*Y`Gy1z_1rOkQh8?Rbw zo&L*YA>-}Z?|)484*xNk0sY718t4C?$&8|g^?hB(G__8UN%-j>K17`ID=0Bj5eQL4 zgJU&p3Ea`_p}@ty({Gn2ch_J#X9-E*PkGW>2n7fXj1=Zptf(c0Z zm60Ve#FD16VBF@_FZFKVYu?{4L~4^YS+Zhy(svlm76N#Sz(K>LH^h!m+97zK@5LW9 zy+3GeIdhPey>5TdaJfAL%(heMPfTsMpl7sIdl6SS-89?400Cdza?$P_J!@0!U96Wz zYeF`lL$ToWe22h6|KOqN`69;mAzt}E`Qv_1yL7^1?)n^j0r9-dG;wW)Xvl1h$(*xR zhOf7AXFR+G?IuXogV;~y)osGLKM57`;Vwtb2aGm{vjH?0Vu}S#Gups#DZ+4fpl_j= zOPqraSoD0|kv5@=lE(rbW9zlzcmG@50O=obNFr{z51)2SST6`&7GhEiQMEe3Vj=z< zAT>L|&>*!t!Eh*Afx=n}`WODc?{-kOp;HFY^bD90@Z3LUzgFUojA-e0`ns1}x%st< z@<-rq@Xf$8W8JsP?gy|^pXh?ZbD0H&=Mo6HBgCl#@t@%}%2)jp-hv*d{;1iBRLVaJ zgEoV%oTD#xqY}(Ez(3WLVos`j#)4{BL4o(9OALUpm)cDsMI+}fqu45O=@96O7--U^ zD+F7J+-#ky-e5;5{;jMH4b$UkB;03WXi`MXwP4vFeAMm{$pwLkr~e7)Q!8bXVO=y|{1!U>!;{#QQ#YfnfPQ@pcAY-He~oU=+=^@p zgb480(osQ0JhV{cr>pP_I%uwYr7IgaMZC7|$W$d51z>#>bO}nh{oeN?1J=~{!fOF# z1f+2Z^MG?ZQNm@fY#Mr50yr0szo;l8xamBQZ!9&~@m|vds4PmkFe&!t!S}d6G|O2v zSyG7*(OiSV>v@3+hGr4;QxqPRchiyDQ|GahPtiw=f?qZOCXqm$AW$FEhCO}&vkQB4 zo`UOpu}@haLiFOSF)zBsN!5Rr{W_bPO(zW=gXj|b^fwivb!k%&C&>ii5Q+4{F7HQvCy?cuZQa{MOd(dtK>`qPtZ$AHocWsGZfuoaB!<2>}x z$J~Yf^hcmUMDZ=>{bR!#5Z^F6oBR*a`o4PWoUA!;7rBG+7G@okLD!4_<%}~o`jJR# zc2`bL@b+x4$Ww%R41zT^6K|Ex{Y9CBXU~h41gr2&dRC!k8c7GjUATkViPn=-#^)Ht??ZDmn1B7kv>syas-NmMIn7v zU^5<}qK&Kd6e-r?CNxZd6ixr;Mq$M$4q;?8q#aGhIw2Yr%GTXQ4%<16?mJ$3>*TG< zm3J7e)A8=uH*RW9=%V7S!hA!Vv=1H84n^Osg7CR^mDy#)Y-vV1R%Dj>+Hl{fj>zh9NmL+ z`^NkLe9F&_KY|f}a0wn~87&~e-Ty7Pdt%1_AHf@c1V4ZT)67TR^0uaUl{<5;xBHWn z#gt>e49A!>&c>J&{R7;#F+bcr_%C1@U0$}q2s2|}1mKfLC#|v`AR`+AScLO3>6p`@ zCj>31Vyp}zI{Y#l#lcsX^&h|zM$nxjzYai2_-6;x`Xc}%=Uahm?M!a#FFD2jBoYMm zC#Am^@pAmLJJtZh-{%STi~X}pp#^UUOR8}dK&}^5F4&!)6wfxft|SCn?MAmyR4$Hl z03h!nN847=g6b6;`%2w0AZbOQNLcj%H5<5Y9leh*0nRHt*e^E-9&`_6GDqERN4z#~ z+e+Q?#{cTf|7SL>Q(mmw3|OWPu%LV=n||tDfO<65KfCF(*Q251XY4YsDMZ&x`mUZe 
zw@Dd8=G3S}^D7wZ03wD9q^;}>$ZXV9wW^&Q;i}{Qy6@b5qhYe5Ov3C#YIr%yd1Xw{ zk;Skxj8mRZOCkHa)A&$|Y~P!*SPZN&=5w^tjF|w@9JgY-eq{)pg4|$pzTZS|4-Sgx zz*S1t%K}NycAjs^NZj>1v^xVih3)+}@XU8G;Hc5o#L?_{TsG=(KcFE2AcL3BXj1B$ z+|khhWJ35gUwm@hl!s5C@dj0kAPAX>HFbTrH@3^*qwnFP5wi`x*k^3G;chltYet(o zLildDA@0+1gLeG4V92=b+W4O!2h)|zm^Zkq*swR;E`@$U5Wzq%X!KtX?Gjv)4~P*o;Pa9{xW8nv4Gc+=~4L(EQBT?cl$y8@TOa zfcoVG@R>+Wj+$GqURc79ooJ#DS;T(D&GQB}nyYYBuggKll&AsYP;`t^RSBVcE8#$P_>NX+9_2^ryTjs2be@qP0Uxj$e~o`cN_g}Rzefi$up*q zH~^%15T|ZQJD2E`36Je?v0LHINRwDsF=|{r+twuEUk;kB#ueE}Io(T)paPR9@p@2z zY@aStw$!bcbF+|WzXfNy{k8FpHGe*dU>iJgguAKRX}M9sCqDQ$X*{)FZI};Ku`sUN zn<%_ryoNjBE5aI0PSp?XFU|hPEB;`5lE3HiDQMA{?7obAzElF(NFj|v!6Y3^rhZWI z3xG#LG%$q7$3UG<4RQCwuDNf*!2C!xr$}YSn9-lIS{l%tLWes-%f&^h!!$oKfX~8m z$(mW=H!!r9(BFgGGJnUjX!9BMv;KoxSmLkxIwNCcV)}r4E=n~s2>L(c<*KtWjm%CrsQK&Q)Ijpja0cg zA!E}w3xU*nF8n&GK2FV4+|dE{J93-3N(}l0bJPB}#?NXn0LQNtNU4dt9_pr4q_D%o z-(D@*1C}agA~+d*6X7GJD`d>oI1$`Gw5}!D(k$?(QK7Z=4f75UOT4+6)K9>gG)_^d zQN`&w4v)#gCy(6L)xjXiRLD?U=hU)I+@7{bhOFLcF7{lvr9M<9)w4OnDBHk~8naxC zcl8;>euxAECY!TBOd|9cn4lAYTpBo;vHY0@EUCEs65Yp(WXPw6nI?kSW;kgXIZlg) zEPWa=`1TJKTMCE@NdiR0n$mB?da=sCYNWL%sD-I4ebtf8LS3|TL^|p zvwEtok5_5P&8x1;jdd|adi;kN^5DdbCv%@18^?^$UJ=ab2;L0{QlVuwV-BL0Ot}#H zp=OaIr_FhKT5&NY4`3xNIzBRXL;1r)VZu>KYR}ZS`%a?^api1`y(+R`bK3@Kw-ntp{c|QZhV64hIpojSF5tZq=QQ0y5HMs(xO(OvAj(R zMz|0FKw&?DW2c?3&T^HYNkj_9E!=DJsSK?uz|dheQemo)mgFF+*n6)N!0(rF=K2dF z1{0_Iu>u<8N)&!8(;{PUASc4n-9XZDtWy*N6bw(~aihf&T9F>$Cmc%bi7n;w4BdOTf;rgcWje6>@{dk-Y;D{600po+wMF z(C=7>AhZzBt@jBl_~rOBDRhSq{j{&La<1$dy@%9(Q9BMqplqF(Rsip~&Bzg9&JjUe z4ts{dwlUutTX0r3i%9q{6+t0?s}R|EL@A!7p;vGCsn&g6oB>lcsx2OZ@Xl+K^?*hO z#12QY5rHw4wLCh`x{Ae}m6gn^bA^MF9H!#B#16ZR+0cdL%pH-v{N|Upk2${{EBc`5 zc(lWB1(CXUg(-j9PJ837@?!usLHLILz{gh)!NLISQX*F&$AjJEhUs=JHV_$(U?vQC zrV+6r1m(};$(*b7kU^m2J@u0aTq7Ss5qb0?bmU}LZ(eTTq8o9%gCVmGCN*e{O0Gn+ zh?pvYaM2zchy_PG6NWY80>Z$0net*IL0osGjum;Gs6bar0sS^!Z;0-ATs9?{>lf0` z$H|)#WqtxZ#{dGN{Rar)4^ZWQ0df8TIuhK|6D&}8XSWW-8aSJ&6DMv&{2L)_7W8as 
z#%&D40`2>u(|$h*l=%q#ASWq;5Qt?Zjv(zBv?PjfOF~^qqV$&!g#515=*3pW6n>^i z2?XTN3~OExI{3NNDCCGl@ylgW{5#`p~|oSIH(E1G#`G` zifsANZ&3hBVyjZQknu}Ohv(!_!tC3jC0vF@>4!;=DKTyK&koV_#x&U_CH_SH*oi#=J^B$=2#5_hX0?h z?Wd{z<|*{>1raSVt7y^-z9)Vl|P^70wo zw5s?cX}TuROZ-CFz8FI>l0$)~z!X}c53w!mj)N$n4{ttiZtfk=-Yu(@oX7X;Nbj5v zdv-0rh0j%U+3P;n=la_K>h+b=yNKKEE%$o8j`zKZ-Lv%f$Mg56w`14V*X)UrRo$!S z+q2f{YSi=d>^sn#{cG*Z{GS>1aauduD~KD@SNEph0I2E7uIcjGYN#Ww`drI{uHy#W z+%KK;r+bDi%aj9q5x3_NtFNUk$;kTF%n>2i@6Ip*Qdjp@-j>^U(VW#I&fl)4&7SKP zsD11NsXG^d?w+rlmeVb^@QY z#|xAA&a2P+{HkuQ{xqPA=i(`C2@cpv7$!Qb^@GSerq*w16$CXM< zi*&Tva{r6`ZnGJe5|=^n^@saIo!3i^yj)wSpoTok+w-7)WBC}T=F0lId~tCANfL88 ziCRp|$nEp<=3~$8^pV5kdsfo1&v{bJ{PsHm$=-Wuf5_OfhmTjzS6KdY;(S5kr0T=G z44pc?g5DR$r}F(9>ek3wQ362uF(VNwmJA8X+k5@$W=sCC3_m08VU;&mMFS`0k3ALw zT)-fu)!;`fbFrCd`I+&Ql1z9-KIMLwyY!HcO7*tQ%30Z~Leb~uTyWdZi^w?-K$ifL zj_lR0AW+l62B--S)Wm*wE9j{~_}1~bDT(x{v+8bQWa-vcvNj{@F11x3XSsj>bnEtz zX&0KS=qT;+;?7~hbz0Ov{jFx*PU%kDc*FtDMx41?K4R5M9S~*24V2YfTU~D|AJp>9 zkAJNk=wY6S2-%(9dvs`Ne|CNx)GLe2=5i&8CM*GV!F%i$&+Zq$>h^??xHCLaLUx<( z6wlh}19EqAn;GnptMnmO@e$uO1gh5b#`*iZ7n_Yt*z+}XEh!L-H7e|xp8qm!6ZcF=YvDLewFJ8pFjc=wCC7q0Yrd&O(BBD#|3TZ z3Ur$~h&e1*ZQxh2g|&)&Nv^-)QsLvIl6AaT6=O@)s&l%|3p zeGvUBX38+mO~P&@6s=BtR~A--Y!i&T3e^sD`llw?N?41Zr_7KxNT~1tgWn+T9%i3m zv;+L^%|v+%2$Hf2a0ShG;0od^;EFiliaPN&NQeJG;IF{6g1l$o^-}ErY4q={|1@%+ zwgts6Df@%c^auVgl>ct<-zfiQ7T6rEkPc}D-@&+L=j}l8p)6ZLkOG5%U>yJ8`Y%e~ z!Oj^_?Sai;fz7P{)vV9n4t|$etoaYl78p0e!XKRfZt!24>%^OYqtm3@z-DN`W`Cq1 zSvyrqy&^r`-^Kh2J|a2NrhKcFO6&sh@m}&}5M*ebd;}l8U_e)!ouxHM*++aZXnb)R zeU|dm4!~#es*IhjoZc%g6SPN&vfeTHee!l4dUTXMG4T8;3QtPVebQ&!joa<@nz!Bi z_lfnwx%CrA_2>Z?eCgLoWUP;$?k_M`PF`p4o7p`W{Mnt`zs?wIpj$dkB64a75%${! 
zT@Nl038R*F){pc6pP5Z|rXTTID&J!xO{zZH8N2r$?_$55jh`&PPQDzjKfGDiPwO}l zgxv=#w_kH-&3L1xzdf3^d%yFv_kImF7OY;G)P35092}3Gl+UzX__lrMH?#OPDV5{e z;qllu*GKea@yBc`U;E~lYqE*W)#{zpZyOyy<%e6V&&C(*wVivrd^R!&XM8s@VvMh2 zJ+5zw7T$N?=xYQcN}(Z$zVlsT{P=+tD!1>+y@kEVgL4vPB9NPn4lohO$u{x2SQ3FV zaI5IQw18+NgE)SBH3u1!&xLjl@LnT{^SU*`4l*TX@^8{dvdqO?u;VDwjgE8s1z}lg zA6MdEs*WfxPsab5#9dFy(wz9>JL0Bw3ckx6np&fh^}b7k(~*h(-KM zcl<@Lq=rm^+5M3)S-i(z_lMJVco*7wJ`hN7NXT*es@UU zi$V^;;T2m~w#hY0V9id$gMeeuvjJSrEbmj8ux6#k;H(t&L)_AUZe zGc3Z2gyEmA98*47`V@+wJoTcG5M2S+CE|FaCO9u3*ROKR9*QpaSYOgP=(>ClaNEBU z6gbJte0x9O&Gyij@9#NC zTmQkugwJ4yZ2z>xo*tum+ao{fzT58O_0qPPV-#QPI4EM5l2Ff2X_rqZo?d-;GROL6BGK`|j zWK69x3-qJAbfBP{McWDvp4ra5@>TAW^*tdJdz_NROS=2Ccm9fcI=l z?$glhn-rvs9;e)YT&yLhM^5YBTIjPGfPUqs^)Ee09$36>s&?dAQwd11D>jx51Wp5M zTyupIygXu9j;X;BPj{d(Avw}Nvm@E{G@)BQC#EXN(0{$1%&QY#zGF@Af#ZzzB}7|b z>!kVYHKjhgBeKrpV%IHzJ#hcsw1>&O(U2SV#kC=S&@(pM?Ayd=b65EV28Go8gX^_B zBo%+aINtdx6{d$o_M;#Ek9;oh+(3!2xMK>|TMUF}i~) zszY~%u4>2#VS<{@vpSsuyz|7__LokYX-e3jY&>U1)@@?{TZf|*SAL< zrNghzT4RqlU%_Q5u96d~k5xpA_86TB1apwuI&3bRR!k|ZPx2>4Q>IHgZMf5#R?Pc1 z?(Z9noVK$WnJb^|Tw@N$VpDfg;R&W)%$GMm>ltpM*PJPq9uZb&d@m*Bunk##DBIAA z{qS}-EiMp|$I@8NE==icw3;BQweXqXQ{Kr=`IMbO_^5q7UqR!0K0i|0r4<{aeKGH` z@L=_>h6c&wa(0B)*wHlMYO?Sc;=b74S#kXSf_q@rqfp9OG-JlsY;~^ByWBL+v{Vi~ zu_ILbVSHP+l@z(nbasXYyML!l5TGche~m@-wcVAS$Kk{AyZ;$mkDc3ii{OlnaaRWATB_SjU~xD1m!dDxg6`&!hYz+MQ@p#$DM*yZtF!QiW@p;;BWK0J2`B>B^J5 z7FkyZ>|5=NI*gNt3ajw9wjgd0$83oN&rQT#IYNXdEvKsc(aXC7nvch{Ulb7{gU#@9 zg$b6lf+(A}`~7=@PobmtOCa$%%qKB#Ju8=_3_4x8_2Y4PV7 z4WDTo8%^xH?3PGyjEGypf&N5g`d-2~qU3qK^r*j6Vh~<7`b9R2NaC-yOApQNILykf zx$4qEOq17f11HbUhM4p62?((!_2)Y|O+4UB8IHV^D*eAzXDSC@UZ}c!yIy#FVO+P# z{dBIsoqykNv778-@sW7mI^ZJ-cayQ*!(b-5w)MT8_C-O(hq2Z?YoP;x;UURtnhPT_ zVry?Q(V@YSJSli`;;B64Glf}1dnGB(%B1Mql}(?~dd66~?sEiu;yB^<=6mT`e3ON) zRBA~nve?yx7kegUeZ`JAn6TCBn{#N$;UW!G=GB3dwma5&9H4$=8pmWa%X>eQOjv+Y zTg5tP^{B$~IIBdlI(eBF=lc<|=+#@v!VJwf6T{1%AErK28|A)btzNXFnol|AB};X$ zV7u@?T{AHK-bO~=114W~<-l^LV$@pt@bPbbZF``ASDK;A`l&Mnn5k)l!Qt!Q;a%x9 
z6BA&EZ@(jtk`^s__L?~&A@TD6P7Si}1o8&@tvR%J5G;*L%y#d)lhWmT;a#cUx^VN##h`?#u7AajK(HAB=So`(2u)wUA ztXA>5401=nRdtLl?`~@FBS2isS^9hm@luXIF2cK>UUL4nO6Rpv*n5q5qRqU}$^1i` z)4_gsTR}t(uNl1)e6oyU6VIT|7Ga?KjH5ON_<}cmP0bYblh}dodKYY%&CCVaK!oQK z(meyN&CGg1;B6rVWybIEEKZ`7a^yWyP`(^vHC=;A@4-R&rd%}g84ML-AF zwZpy~_>-N3tHQ67ZTEf~f#?5!b^!Ls``oXaP8@Aqn8@J%UI*}PT)w0z}O&qOItmin`CgXKz;)K9zC)c)MqcK*h${`MUEQg$?{=VgwL zWWxPH-(kg%Hus-*9-SUCE!ke2p}U&_ZK?NQ-y1BMlUrwV_z+_=TVq$xt}Cl4JXeLc z=<-*ZQS3rU?8J>}M*P3Ytx>tTgTQEmkX(7*np6R53uV<2_36Dd55|jzsd7llD@>^f zSq%rNtQV;0b{TTJKj~?H(o6SFu^`~d!<%81>pmUeYh2(P#AkLvYPu>0#by8(S=O$U z?aO{#p>D8G^|HP<0ABB+qu#8XIvYpI3yQGXPXa!ZKZUfe6t$}LX$#=cbTw0Ual90* z@+xU@WwB>^&Ih-e6}N`)7@Xo;Y-ocsYe9unw5p}c^Iudel79+qP3f+>RoU5JoQ)IR zZ%{_|nAof4IIG6ENtvyNv#*A=mlFtWjX~H#JOL@ybJ?rbJgYWD!sdnk{-9-o`60$z(gqyMZPQZ1 zhOt3y>xa%}{_VSTdmzQV>Tz?8)p)_~J%p>JNX9M>x^9jsP>~a%jcr`Nc~)kX?&gWZ zM@{=^Qs>WI&6lRpC&^g3J|QO6so9>A5yiK#K0xcd!SpMS=F*d;E_D z@b=Tv_K41Xb3Ah`txyI{2naOxS3fqEjgwQ|xNEPoOg|;|@rdw#q%7VN;WDY5%q_mz z<7R})SmwyIM{`}gGunDR*J-_HAZ`Epl{)Opxj|$Gi?T413aguSr51TPe(FO1`FE1u z*xS*dT`muP6`}etiRGr@xsuOm{yJ=dW+a9LP5x7&igrH7gYAC71mtnGc=B+}nP|oB z+U?ld>y@_f=_3hx>=_~PbPL&ej93#*=0ua1D%AJAY zWbd4Fz?o~(ayIdmIg^Mhl}H6&eV4s16htc0Qt1SPcifBZ^Wzl_vl8uNrm~@ErOg@u z6d&e;0bq!(Fo+QHfP6;e(l^pvq)Y+=BErTzguXb3ctG8;HnCbgO?U-h27y`n;*5L5 ztmfA>-3KCMCphLB3PURsVI~5BP9cU$I;IzrP!N)YZu)Z8fdIouNF9-({S$?>PWMw? 
zX@#z3SYK9yn-=7VTLmMj=-fWK__E%VK@bcIDF{KGBg2_W7)ak70s_k;dxQv=36{$^ z(G?)*Ze|d7na->dpTZG7AcYR4A+uNv@8UuTS z<}n&YI8r%{Nz`B#eFVYI5QZSK#T;z{EY0LoN|a?F+FaT{Ds!2UF1=Y z;@<|^KODFS@&y70buAy(VHSIfPVFi~6_*r+E#G;4ftLBM))ofU#RTp?80Ip4Ag!O_ zj|cQVCUc-(s|kQ$7!ZW%J``p7LGCQk#K`I@&-0@gH!4vO2&;UaXeVqsp>4A;5aL#% z!wwM$vTc-p7!t5gA`p7anX@uhYQRSe0z_$9{8x(6!eN`362)cnJleG&2B1V6lWuW@ z!azvC_}D?OaSFYLD|8zttWjao=h|&7F|c1&IfGz$S%Z13Q8n0tSpv1w`e9Ht-p2C4 zpK2(w;ZQ-aGyF-)a(L(IXQ)hiGbVt0!+&?pvK9nL`y=rx0qKp02!y~F2+9zc{oAEy z>A54UH;7vt#)XclH%v=?BezI)CJa&(F5)(K2i*V3M_L5Jh|+~oTMJVBqZyGTAV$`( z2gU!hGB#UVFisST|8Ohn>7zkD2QqjO7qaXs#~KON@tf9@~<0qM`tJIBYT zJK(r)+U6TDE8y01{@QVRP3lhv0o{;{fP$X~eE2BtgKpod_l->1=e;cj(y`w#E(~e{ zFA)xLA~P}k(}Z^7uP31i!U2%uU{G5AAA|mbe!2aqL?3iWzea}#Q)f4(wFg4)Q#QOB z<(+uhyPDX0+St3hBqu_HWnjwgcW?Cld5M1Lr<37fpfRf^jYeI*MJ>^cwUUM};w7sv zw5PVe5WkP=95;+cVf4$c(Q2KEe2Fg39ee18}TBsy~ZtU+Waw>-E z)f>;6QmZvlFsf8+`n-ZR!zH^tsNhb^+*<<5#w6B~yZ-@j-- zvN*bVIlUP)y3;XA)M1D(Mggz)MD6W!?}@7C`+YDbZ8i5@5?Qa8MejF1A@o6lkqY1l zilX_9E7W!d7>BR(}AGU|P+a28q4L%vB)MMZ%|{u8%4iq}mLC6B*0F z3;TipMCn*18rdVyNTPRNFT8o3z7TVNA7%aWMeld?3onU*ZS6U1ihT@tFKBkZo9$*f#i?G?YCYc0-7?^pabwA6`IwG;MJ&MC&b>r4pzKr{E`AY zkJPisBxSI&FgGziVM(n>f~rR|`VfGq5Eyw1&LnL6mj2?)D*8>ka&eiy1g}%lYbn>l z{L#KLxzwKrifz%Px99xc%&nFz+w?651f4ohNRHrBg~OSGT3e7#N;iTN&LQiV>ATL} zFt$OgH0&4VMywK)DdM#C_BU4$rR+F|hZuHIHs>LVFtbMx@bnN1D0FO!496ZVaZO^( z0?jAZFf){C;*3Y#yfm)gsK(d*O(({lR!`ABbe>BgAM3wlHIoCCLzGZ*+dS04d@n**hh$ z3^O|plR=q22ZdrqoJXK$mS#VolfPC-p$fGCiYWLC<6k1qg+$o@hyb$se~XA75^a>} z*85ukOCIbz0$mrO*+wDjIm+~9FwGxYZj8PJekxSt_}yfP^Hcbaz#QXqpHK-&1}LO> zxLHq{g&WORAfG?+q1Z_>41-sT#G^`kMxQ9&z@|tt!uQb&aB%(>y~^5BG)`ZLI_||L|Vj^9* zNR7|(l5b6SwEQf2p48eACY^Jqq@ngma8vr14&}TPppFmcf9v=d-)vwd{eO^fEzr#J9e#XONKw-J z_Lmi((*9WSr1Woyr!t@wpZ*_Kj2IpU4CZHMUWo!R<PC0CSW zfhk@;qfte=`s6|7_-h{|L1_}*1^Z(v9m(`q7KRPQOtQf(q7h%jDPSVOst7+=XfS+E z$zPnlJs%^f;Q}psEl#+|U$PKV;~m?z(G)j%sVVKeI1nj6Eugf^iqOxMY{5{8H~gd4`8<+mKG$faGSNCO>EuE%?dVvSAf&w-)R!LY(E 
z_#du{=A-#ljo|fAMu<|;M28&q$QZF6OzzhL3LWB;|LbK+k9pXvC*e6~Qsv;=|P~DEV z;xzv-8Rw9`5U$!2weXn1%_r4Uo13VKAr@xI~y8psXJTy7B4#ZsQCd^kNmgn3krp>`K?`Mwg=El}|p z`K4LHS$BA#g0Y(O8~wwk_o!NOk_)V6VTWim$;)NJy1SV7n^{P;V_|{-((_>k!h&yB zqV;A@>)Z!8O`T9pMxF$xq~<5|CT1@jSO)w*$zGERIuDBqE0qW$FawJdq3}|Ai0dmL z7EWr0i74yM`6OusC1^sfXc*&9i7WNV{D2tgg(?kERPlhUTzU9B!o;IOQZXJug~ba; zj-b{ZKT5`lh<73+N#L7vRH&Cbza2!q-2@V?#xMI!jz2NBPq2AM)K6S zf*3_0nu_9h4!SCN9knEeDMJA5`K&2oMOr^Hj;czUabASD(y#}1NF&cPM58|~@J!%Z zp^+W^SssI?p+1n-jH!@@8|zP|)_bYS6rcpDqcSCxT%^oGt*k6L{7=*(*ngrDBZW{9 zE!9z`A*%e#0-ZXb1@Z8he=L~pj7WSTeprj#E%QW8@>EwG&RXh>poKEsR#mB|dafzx z5S#ysLGc&g1IRzfTb&Vi&Il^=k`>%|!G&S(A<)(V>p~bD0tvjTRWqWgr4i`qr$QKw zsq=^SnNWd_FGGLP6&m zv99^pr|~QOb~A6moj_*HRSj`c8tnShWo|OM&O8VxF&>eij1n!~DeGJM8UDnS z3yKx-QWDitG}T}pyH`?$3fV%3ij%4TlW7ADJUdgWfaaQ?MURO9IEpQA{QHdLI%QOL z+Iu}z5FQNID?cp^*B7CS`X7jUP`mN9=mesL30zaQ$#$3Hg3`3x4vCH)FCn=1=Bmf)`j? zy&wn;oQbMweWJ*6M+;UQ+tQD7Al}mn*>)JkM?;DOgDw5B>o`D+@bkqF5-sMlN52#W zz8xzg)85VfH!$1!m%n1hk8kBq9U{R(qX9e?#()!t5z~dZv;~BOkVa?IyrMI<=9}r67~FRl2~8 zQBoa5wNm39M8BuTIf!PYCO8Zs!bo#xK@sn{6huVEqs4q0X5qsgI%oRh6r+fJn=z2S zq<_$&^NnaBbIe)}Ya+4+@!p!UM5M~V9_7Iu8j|3SIlSc!noWvRMp|c?5SpXGvHpPMPfwkDu z&38zkSu>`mh+n5j_CRRj96XV7958_e4`!k1;~Xx_?WHo|LsO$BWw_tGbBVD4_kV{a zEf>*@NB=7ebPTP5!?=^SKXL;5LY$%L*9y2N}z6St`MXX8tQKNZNF)(Fp~93_dq{xqV6c z;uSUL)*{c{DbF-NrMF2lk}$lIXJ{TG&a}u}(54cdsi;f+5f|8dAst7Xx~Y!Guv8(W zV&T>iReGr$y=8M`#zB1ge0PnMCl;@ohAXLt141L)3PgFeGg}JEiLJaQFI`%F$dm@$ z{K5*&#*j+|2=Cs2LBL(Hm;M=zB&3O|?ag@@XXU5-1X7#W7vGa{h|hjhfe%EbjkbA6 z$SQa-R^4U@rR(3#Qos1^J;a>Gkc*fl~*&!OV^bf4vqY(7K!;rBBTkz4Ey^cH%NCE_PA%E#u~tqs3%>JO9l ztuR4gAi=)_@rS3(+(Mh^d;zu%nkr-X zCCU9HnD@6T#NUo#3)gfRaOO4&G7{Y0m(fPUIAh*IPicA`)Bhp1=BNBe5;H*|P`1)( z?Qdo{2~@tIk$-CO_Wv0e`yVCqKSh9pUQ&77vo}D&f+BDIFise;e=gyAzxfcV7NZ*e z=?xz1**|h_q46Amy|Is6Vhog{0QZi9bljLA@2+9TwU6A#v5#yv#RLRwTl0CbY~E-L zL^@mV9JD;*9(0f6*#cyd$fq1ysK>bAV0QYsXJwiO4*CXbw&;J<&mxwXCAU!|%<$?r 
zrz3D&QI;e;c-oY;$3ym65VHo6Q9|Kc6EsG!%o6^(X>!+Dh|@~BF&%rTB@nZwwBJhynEcFn;M&xf%jIW+rN@ltM-&4;C`?TF@(}~Ccayj%V=m*Ii&^MP4X95D4jG*n?5+Ng z+|#ceRx*-h_z(`siI7Uu=!R=s}MWxU#|A_=9KN4IuTE+;KxxV!+`L9Mm- z2cpFvGlYCAaQFa{r8y??r#im@bpC*1Z>R-Hjsn$&qaYJo_sPOxDox?$30nkCuI!3f zdKq^bq-sMEbEqBloxNFToWgWAOW7*|xGt6^g1+gc=;4enmT%vm_5=ZXN54do$r-(1 zys0xj4!nusiha6eX_%hhj+`9t7@2=pd)vOLp^L?zPZ)_g1~v3yt0W8re^!=)d+c$l zRz4*sy^^7(Ae|PWJ4;tX8v#rKsGypI?A1gV{I!g7wf3jFU(&MYu{^^qk?41jG_e;3 z1bhWH3yc<^j`PyTgln?pXS6`V?3T&XrcO|2+13j)r+_DE@y%F>qalQ&qM|OHbf+(h zrbrV~djmN%RHW6D)Kq^$QUOEqoTWOU$rmuwR+_ta!hYfLcLF;SMX)!cr8=l*`?~f6 zkgM9mgQhNx%fk*WxQOaARt-5I=Mn)E6D zi2}Gd&d+*~<-r+F3?mR2TOIayBCX1DV3K}P(59x+RRoC7yB}iiwAN6EK^`4CeOEau zVlE2)_Tk+oc2tBoCCn2asKW;d{l|(U@&_`m-Ew}5SSMCw;5q)cB(BKSytm4|mXa4KdiQNki#=c<4)f{deh-r)fRhM? zkR?-sXRtw-3})W|yP+6=g>3H%j%~Y!y1Y`eBugP_HONV+ZI1h>NI{EC0{3n6jxl+j zO#g~?^|cI`E{Y=q(?wQK7Rk!2PyIy7sXpEt z4%|yLc=q&?F7sOy038Kc5FcYib+Dfs(TM-a0y8-g=**Gmf1GhbgU-jQbIxzTPC=ZI z!k;o{YjGOzB&VjbrJ)k6cKe0fe&`V1A(|kU1s5KqM(RIlB~`9$ye695$?Jk}D^wEC z=e(ZzneE%Ew_VOxP4^J|qaLXOb#IWX9Vdh;&S`RTwrPhG$GIG`6S;ZH? 
zPv9+*_Utwl3OZLG4xgW~&;B|e&`O5+S-}X4GBlOg0V$Y_5DZtwsyryle}8nvg=INV z{@lV$NQ!S!T4W9rzm5AHpFvUT+Fa0Zm{g#EK4!W1C2mmw^BR-~@~_XbDf*!bI8XF` zP)>tBsDUjtXWZf%Y#{TlZ;{!!r7lklJx_7jFsPGO8_Ho*Y%{75Kunxf6RRLxXomXJ zxaA&>)8PZ9Gu{}@Sb2hCoHD`TQfz_4PHaSQ9=nZ)Nu;p+{~|zn z1jU1aGw#Tq?FA+#FH2q;Y(5shn7JTATuNLjEiMdj4SGCqP)d*rZO+#a21pp{B#8RG zNKPj#cBph}I!VWyV;wd*kc?Rp-RA^kMYQ7>e`Pj~A-|tA|BF<`J+fa`Ko%_yB+s%i zAX~-aa9hEKxO9&`!YK7`L)H=g@JR+D{AEZ<3OJCD)M{oBn;U<0`rMkRlNPX_c)F$N zkeuM0DolVbN!*Py-$_en*K?xdjalAFE+z!HOi5VzWqo|>^sFK&4wYGIFN0^y=#7hu zY@p1z-khOAAiZ*W?@FDTp9f(}$>)0`Vj=*ZYi%NA!C=6M&|QSU)kF}Rh!2Cc~Y344e_l$xo2UT_^%O?MyB;X5)J`0(8#LEo+Q(F z^!3y}QXq!dQ?Qt{c}HEgn0TQ9T2wm`KK()*peaQR@Oky?dQ@h5b>%F5Lo^VFbkLnM zr@oiabQ%Lsqi95e)F9r~GNFM!fm9An!({JE-B?eZ}AAkJ@{dVewCFbEi?X6h{UBq_}uj=vaiZ;re~j7*v) zFyxEOnmq|jQ18`5M#8j|q|%xsl>iQdH!34ACpJE%i?z%HkxWpa2NPz^HJpc`Fw1Y_ zVKhv1_w(r^izN9WFg4py=o^^mm3YSkujpBC2J6T(@&7}ph%d`s`Kgm^N(bbdS-kB- z^3yY^#2&R#s=L8|sly5QqfP|nf2*@W0IK7L>Gpd+$M_GJ$>FPWyi4idKz5io(D&<6 za_#>n#Y%s7=bM=Q_WOTS)%5dOW|;s70eOY}uNrjDrY>bl4;UVJ9JLdR>8+6lI8mu^v5$#^*Og4WxIXl|N!lI(Za*;U z52h}z26v;Jo|V*VF;9w45Ry_TumiD%(&ghK1RUN13s={$usiAM9fOYz=dxa>5c#O$ zF+KBwDPJA3Aek0BqvJBr5spQs%-o}+UMVSvE*A-ePav@~75TEbK_cTXHqqc=@F1gj zJdtFeAhNF(qbc#zk0^j|ZLn5i`z0E&DSfmxQ;-)t$uM8kl;FOU^U*QNAWww z&7XdGZD?g6j)324O>s?dVPOSVO9C-@tDH0L{ZkB+DldPjPE?MCoA-p^wSrMh}cw=WtdsvNSLN zA?zakB{zTrD}|*(O~tzWhiGu(OJzUh=xQWg1MA0)nDm8e;4Wv*bO}K{{&%u|cEG?P zc>=_^iz6H?Q=q1|7hHHv!rAg2I%{;o<+%wI7uVk1pj2kAd3PIP0=Yo2N#vnbhHLj3 z?|^daFT!R)o(x2H>w4m@xg-QNJ3c^`cz&*Z`Heeh8`CcK_{Birfg?ON0DICw=QB#v zT?B4(kgKy9T>)434nQO~Y2T{N_feHpUg&qZX|uc(IM&cl>+3M+p*1{_aqpkVI6H!FF6O*ntAa5U zD@?uXVNXQFxwP?k*&_8ZdMc+S>ce^It?J5#Gmw=!j1)Wh9va3bV;)NMIIm3WQ-`}R z7bY3KH1|!z6Kx&eIBG7ZdUTsK5&?hR5OctWc)2?g5z`UcaJi2D2JGFY-xKe!ky~w55mt zaB}>iAQj*H;*a%y?=+t>T-GmEazoLe(KR?fs7w~SPaGaV?j5{A{58wQ zpxmOC8?ht5g`0I&|7O_9_ga>(@k4*(vG<=dEl;(MltDm2Kw5x*e@Z3)RgCJZsgd%3 
z9sAL9{Z@m_2q1G_Jp+dc$_FMu?aepgjIB?w2GmT&0hs}w^I7;zBA*G{P-3@othL@g1@Z~M4s#>^N~nF|*9@OcEb~>JROf?joaYtY6gg-B433M4BsdAr@7Wil-w*Eu zTCHE{8z@C-Y1@AE;X2R{fU^{NAMz2sc29;F(?q|ZNCbS^Nk=`}Y+=$`G^1`)OKH!p zq=fhOs&d_Q(Zz^@9ju@<8i>Y*8?WO`bvk6F7o@y3CDw@IAeaj~Pmcs?YjDQ%2#bUf z!HrWVmBilT?cPZyXN?J{WQks$u=NbvP#H6%7ZXZi)izT+9%VkV#yh>jX2F%r7cH|k zV|$5EqI2ehI13YN84ftkM8!fwCf(l{8MD*ZP@9>_;N&qY`S2NmB9$&yiDJQu5Gs^+ zINZoPH151u@5h!Ad+_9>wIDHL&!{HPvQR`Zt_Zx9&NPrpt)xGVh>6N516`}?pP`*= z-E)Jynku(f4_GR#*YywPISbUb8!16h&SfpAYBjOy{)BM<-WB(v=g;d7%6~6ncBpy- zR=WH6{SwC2vm3Ftrd)@MzisfMBtqR2mMz!V!<7XuO-#*E>u#Kz!6X0P0jz9nTwATn z^{7wBG|Mh$`0Q+NV{s7q;`Y9Dlu7@$A{OVdh6flSK%Bo4un%lM1hzz+?8{i`%liOA&0*+f^}eIP6ck7f4Yat*YC%hXiAquK#iL zEquoHEwzX8qSRBaM!e$N?f)n(oFq)zHUg|_-bo7rg7NQN(#68m)|Bb5CCgv6&a~w0 zH#o6-p4Cx04wqgxTq8QfF4wMBN)XXnMPi#owQZ;siO?f5%^C$muK02qW53DtKsp0`G676~b` zcyv+v0@=C8LBVWBVH9bN<+C++?0ePM$H&P`OUsH3cE}sO+SM!7g-)uyxt3xvx)=0E zpUMR(sW`A+_!J@B08{y`mHc`~T!xFN3lMA=O^$#U1Wli6oBx(3Td2`SxL-T?e8U_T3Tfekf8y7qz+XxBKfC_5#1}L#f2t5TQb)HbK0?0{KosE*0cy^_wVg8z}O@ zvG&Pb28oD>!Z=Zh_n+@!D1Q6mrXnRu*_1&Ntw=K0q(LABm{lTMipo8)&uOZ+OZIAtI2R!Ebf zVMFP!jW0qSm98|-H=*-OoO?q%;;jC&Uf(_B`F>cMmz6S9Nmu?b@m!6#_Py`ins=Sm zcGvA4+$iE9>Lm))T>bw>UUaf`WNP{E+I#sR*gIzN7=Jr|I)%N?g6Y@?aFRU+v!4z zvf-Ky&P@KP1-#hxT#=VIZ4zA5^`pjzt|N`f&74k}|9Z9M=sLcU0~mNE@xYo zfQj|gbc!-ZvK-nGCiBY{5g{!qFnn4pzdSNIk!)C-W3jg7S-}b26T)FrPc@FwbV)xd zr!_;`A!jn6f=VZgF`*_$Aj}psVhU-|ZZ&Y;Bky(79R~Y8=78N4@Tp=rAks!X#f!3;9an#>LUDyuD|QV{zu(kMPj38>w)<>3e;}5JV}#9 zg{e7pzQz+8*!mX-lFGQ*mayVa9Ws*JJq60(IIP}giCY|-=){@NL5p6m3qSW;wVPPnhKmZ5;>Zr{>ecMHdb>bo zbg{2J19$u5EO`(X=wXr|G}g<~x&-ci6gFfVqR|x}UUIw~#-m?rT&|b-@CA>8>!`yJUREV99=90wXV_m;Kl}S@$x82v(%#~McX6SW9C2j(|UU>&^*BpjdZx4t4M(T>VAb&9U$-m9w z#okal0sZqnh4d%rKW&Md3k|mh4$p)Gv%CLXbJ)4s8ksr)2Wb9echeeMcKh7e-8-d1 z@!~qo;fd@J>`etiYP!+lWX<;=l-PCWxnnHMo7XZ|#?y3F*@9&eY_e!>lhL1icX&R$ z0dJ5$-);gEwvocoojI=qwM%zI=#OQlRt`R%Q%@-`pOs+O(a>h*+I)p9fA4+7&i+E( zSb#*Mtu3Y2;QdZ@yY^i&J<5hJnk#JJA!T3VCaLz&cB*_@oerPOYj$|SjbPVAJ$#o% 
zT6vf)*alj;GOzHBl@spZZoxH6Var&}v8y(WDy)1r0v@io1H(EPrFP>`+>ugYACgjo zkX>D2{&HkRtxmDuQF%F^g-o^2LP9Ei>cZ*%OJu%im`ubJ2^*n3jS(x|EM{0)0FMk8 zH_!P>k{l!#h16AuJZGo8-_FcKx}O&ZJ}eWBZ+am0I9;td#0+GNMFgCq6s-L!Jsr=t zpHI_8JQ!cM02_jkJCqWfn=x16-D)}&pWcwv_vX)57TkvU?F|Z$P@*N|tw$hrP*mfU zx=M2;FZ7zJ+9Zqp>fbtwyScu~Pu3rq(9jRdU~CApwiH~lrD?Uq%rV6Og#S)*=On3+ zUWi3WojJ2eE+>hT<=K}m|BWj)E*r^!BPp_+lGY?0;f{X!3z?Q2qhb^dIYvMHtKzVL z|Ay5^EpRff1;zc@VdfZ|(l7cER*7oE@{1t4Vc}D5-W>rmqY{caQ8A4zTVm~t4|@;c z^qkv`^}BWVf)l1;D9U>C=;54S0B#qZ-y)G$znYCM9G;CjDeF(7hhqr+@esPDB#fwL z?}RFndv{e*YkH*IS04sot-I&;uDfq!^+cn)Z@%n6_v@MVAEb(muGBlP=kZH)W^?uSp)UI+B)y3 zCbBjT4>j~+f>aS@fe!@f2&@94t0=Odhy|n*1EGiz7Lrh6s8SX}7ZDZ~^`j-a3R&t> z6#?l|B?^Y#ixHMZc3@Fp4)e#%nS18<+?jjMd*?0Z+{>7K%@7>zshVwmcA8gFrM6tG zw~EKx)hX<5wy_zCgWjz=_%V;{*V(qUZHou+oGLslNWas|FDsioipZYY`4^{!v@pOpwWMYU zaAkJpY0Q4n zDsf7VR=)hmI2pe#!$_@Ek}zW&9X(eZDTs2v^svg%G zTp!KN%5nOT-k?B8lO3~MB9Tp%=P0iHV>n>Ry3FOgpzdqH($C(bgNSK_N8*sb=s$|d z=OJIdt}WgfVsub7!M}Vgj!P{C5of4ETBYl$#Ug$$ifa~4oieh_B>Vg#)uIq#cQwz7 zC;4+9DZLIiGtBkZT2;arIqgvCanz9vQ!ki74PRYSXTsEn9>&*(v(b_rJ{v>J0q$l# zFTO6KRst(wnHB%M2_foNXV&ElN2*W>@t37(finE^^1*bm(uL&e&{n;!(0I)C!f{@5 zE4aF-Tu4z;ib7U^Wer*n{k8ACBh8J5{<@HMoWEbj15OQIBMiKm8P-n z?>#3|kuN?Md(W5BB~D4ku}>8NOu_Xk{VLUFZX&L!PX9NmQ+E>e;zfqZkBgp~r^WXe zlk54L=0)cwKf30Yf;((v-OM$(qAL;du4j6q*G(;qeqc?rte7x6@~0uHQ)nu(D(7L| zv96KHM)}yWrw@shhW`EJexF(Kt5QGY#!sb_r*%uOPfW|!%iRNaELJ<^T$nYFZnvFF zFu~qlax)hU%wtVBHJ+jRmd?d`DbiRC%&10~5K-)HbHCxv+F}$woRD2IsF77>OAt{D^;tyBQq!X4&^uMkxFsyh4pS{={v&mWM5@q0GjBoqZo zsp64tGk^5n5$fa9BHLw*e;iJ?$Z3b$J>HP?aBY*KiU;4HWq0I?lJ|-hydhmH`e0mA zB&uXF58TrddE?i4-GIipE)B%A2$y2*UBw~43_F)*mT{N^Jv^pKse{*+-Vtk?M55lV z9Zlp+o*9%*4{tGProacnb8g>`kw`k_vY41&_N1j8-#tyN!57pQ$9JgVu|6gXxg|;>-N@X#X|g+9GLYV0G$o1m|McW(M&M}QSVmBmcT;zYO(1e0pHi{fJ@6w9 zOLZM1$Li6R-p~Tp^w+1GYHdGD=->*z_?D@AX*yjcgy) zD&9mrXX{?pFqsf(oTYHBmiax>{3kD;+Q@?w*7;$vtyT%~_I=N=_%Csst1aHrlXYiu zAHY!z6J1kdbA_^^n*I%QBul8wq%Pltgom~?DrD7jwxxJ_7esBF}i;hM$3;=Q@pq;0J1F=;(01-a!;J5E5 
z_aKNLPy;(}0=ohU-wy&)1mCv&zc1en*>@BSUs9-%$^c+v!3OYu=WGt&GI+c7BHkFR z8*;012^|CI+LGV&1g3obJz~g8lTZ${WV*wV@cG8sRYZZxp@o+nxe#_+4k^Px3D82s z4&gj*o3N)W0o6mZ#yk3c|7|@qhYUqPB6peCUhmM%m<_a`O{)?F>_PJ|irc*V E7yg-AegFUf literal 0 HcmV?d00001 diff --git a/tools/make_distributed_toe_redlines.py b/tools/make_distributed_toe_redlines.py new file mode 100644 index 0000000..d89175f --- /dev/null +++ b/tools/make_distributed_toe_redlines.py 
@@ -0,0 +1,367 @@ +from datetime import datetime, timezone +from pathlib import Path + +from docx import Document +from docx.enum.text import WD_COLOR_INDEX +from docx.oxml import OxmlElement +from docx.oxml.ns import qn +from docx.shared import Pt + + +OUT_DIR = Path("review_artifacts") +AUTHOR = "Codex draft" +STAMP = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + + +def set_track_revisions(doc): + settings = doc.settings.element + track = settings.find(qn("w:trackRevisions")) + if track is None: + settings.append(OxmlElement("w:trackRevisions")) + + +def set_run_style(run): + run.font.name = "Aptos" + run.font.size = Pt(10) + + +def add_deleted(paragraph, text, change_id): + deleted = OxmlElement("w:del") + deleted.set(qn("w:id"), str(change_id)) + deleted.set(qn("w:author"), AUTHOR) + deleted.set(qn("w:date"), STAMP) + + run = OxmlElement("w:r") + props = OxmlElement("w:rPr") + color = OxmlElement("w:color") + color.set(qn("w:val"), "C00000") + strike = OxmlElement("w:strike") + props.append(color) + props.append(strike) + run.append(props) + del_text = OxmlElement("w:delText") + del_text.set(qn("xml:space"), "preserve") + del_text.text = text + run.append(del_text) + deleted.append(run) + paragraph._p.append(deleted) + + +def add_inserted(paragraph, text, change_id): + inserted = OxmlElement("w:ins") + inserted.set(qn("w:id"), str(change_id)) + inserted.set(qn("w:author"), AUTHOR) + inserted.set(qn("w:date"), STAMP) + + run = OxmlElement("w:r") + props = OxmlElement("w:rPr") + color = OxmlElement("w:color") + color.set(qn("w:val"), "0070C0") + underline = OxmlElement("w:u") + underline.set(qn("w:val"), "single") + props.append(color) + props.append(underline) + run.append(props) + ins_text = OxmlElement("w:t") + ins_text.set(qn("xml:space"), "preserve") + ins_text.text = text + run.append(ins_text) + inserted.append(run) + paragraph._p.append(inserted) + + +def add_review_paragraph(doc, parts, style=None): + p = doc.add_paragraph(style=style) + 
for mode, text in parts: + if mode == "normal": + run = p.add_run(text) + set_run_style(run) + elif mode == "delete": + add_deleted(p, text, add_review_paragraph.change_id) + add_review_paragraph.change_id += 1 + elif mode == "insert": + add_inserted(p, text, add_review_paragraph.change_id) + add_review_paragraph.change_id += 1 + else: + raise ValueError(mode) + return p + + +add_review_paragraph.change_id = 1 + + +def add_source_note(doc, source_path): + p = doc.add_paragraph() + run = p.add_run(f"Source file: {source_path}") + run.italic = True + run.font.size = Pt(9) + run.font.highlight_color = WD_COLOR_INDEX.GRAY_25 + + +def build_doc(filename, title, source_path, changes): + add_review_paragraph.change_id = 1 + doc = Document() + set_track_revisions(doc) + styles = doc.styles + styles["Normal"].font.name = "Aptos" + styles["Normal"].font.size = Pt(10) + doc.add_heading(title, level=1) + add_source_note(doc, source_path) + doc.add_paragraph( + "This review copy shows the proposed distributed TOE and microservices changes as tracked revisions. " + "Blue underlined text is inserted text; red strikethrough text is deleted text." 
+ ) + for heading, paragraphs in changes: + doc.add_heading(heading, level=2) + for parts in paragraphs: + add_review_paragraph(doc, parts) + OUT_DIR.mkdir(exist_ok=True) + doc.save(OUT_DIR / filename) + + +def source_block_as_insertions(source_path, start_marker, end_marker): + text = Path(source_path).read_text(encoding="utf-8") + start = text.index(start_marker) + end = text.index(end_marker, start) + block = text[start:end].strip() + paragraphs = [] + for line in block.splitlines(): + if line.strip(): + paragraphs.append([("insert", line)]) + return paragraphs + + +base_changes = [ + ( + "New Section After Compliant TOE / Use Cases", + [ + [ + ("insert", "Distributed and Microservices TOE Architectures"), + ], + [ + ( + "insert", + "A TOE may consist of multiple separately deployed application components that collectively provide the TOE security functionality. Examples include server-agent products, clustered application deployments, and microservices-based applications composed of multiple application payloads. If a TOE is distributed across multiple TOE components, the ST shall identify each TOE component, describe the role of each TOE component, identify which components implement each claimed SFR, describe all communications between TOE components, and distinguish TOE components from operational environment components.", + ) + ], + [ + ( + "insert", + "For containerized or microservices TOEs, the TOE consists of the application payloads and TOE-provided application components identified in the ST. The container orchestration platform, container runtime, operating system, service mesh infrastructure, ingress infrastructure, cluster networking, and platform-provided secret or configuration stores are part of the operational environment unless explicitly included in the TOE boundary. 
The PP does not require these operational environment components to be included in the TOE boundary solely because the TOE depends on them for execution, scheduling, networking, isolation, credential storage, configuration storage, or time services.", + ) + ], + [ + ( + "insert", + "When the TOE relies on operational environment components to provide services used by the TOE, the ST shall identify the dependency and the guidance shall describe the required environmental configuration. Inter-component communication between TOE parts shall be identified in the ST. Where the TOE claims conformance to a PP-Configuration that includes Server and Agent application modules, the ST shall use the module requirements to address authorization or registration of TOE components before communication is permitted and protection of security-relevant data transmitted between TOE components. The ST shall provide an SFR allocation rationale that identifies whether each claimed requirement is satisfied by all TOE components, by applicable TOE components that perform the relevant function, by at least one TOE component, by the TOE as a whole, or by an allowed operational environment dependency.", + ) + ], + ], + ) +] + +server_changes = [ + ( + "TOE Overview", + [ + [ + ( + "normal", + "This is a Collaborative Protection Profile (cPP) Module whose Target of Evaluation (TOE) is Enterprise Server Applications. This PP-Module is compatible with the cPP for Application Software. ", + ) + ], + [ + ( + "insert", + "For a distributed TOE, the Server Application is the TOE component, or set of TOE components, that provides management, coordination, policy, API-facing, or other server-side functionality for the TOE. In a microservices architecture, a Server Application component may be a service or application payload that coordinates, exposes, or controls TOE functionality. 
The container orchestration platform, container runtime, operating system, service mesh infrastructure, ingress infrastructure, cluster networking, and platform-provided secret or configuration stores are part of the operational environment unless explicitly included in the TOE boundary.", + ) + ], + ], + ), + ( + "New Distributed/Microservices Section", + [ + [("insert", "Distributed and Microservices TOE Configurations")], + [ + ( + "insert", + "This PP-Module may be used in a PP-Configuration with the PP-Module for Agent Applications to evaluate distributed application software. Distributed application software includes server-agent deployments, clustered server deployments, and microservices architectures composed of multiple application payload components.", + ) + ], + [ + ( + "insert", + "For a distributed TOE, the ST shall identify each TOE component, describe the role of each TOE component, identify which components implement each claimed SFR, and describe all communications between TOE components. The ST shall also distinguish TOE components from operational environment components. 
Operational environment components may include container orchestration, container runtimes, operating systems, service mesh infrastructure, ingress infrastructure, cluster networking, platform-provided secret or configuration stores, and other infrastructure services not explicitly included in the TOE boundary.", + ) + ], + [ + ( + "insert", + "If the TOE relies on operational environment components for execution, scheduling, networking, isolation, credential storage, configuration storage, time services, or protection of inter-component communications, the ST shall identify the dependency and the guidance shall describe the required environmental configuration.", + ) + ], + ], + ), + ( + "SFR Applicability Updates", + [ + [ + ("normal", "These SFRs apply "), + ("delete", "if and only if an Agent Module is included in the evaluation."), + ( + "insert", + "when the TOE includes separately deployed TOE parts that communicate with one another as part of a PP-Configuration that includes the Agent Module. For microservices architectures, these SFRs apply to the communication relationships between Server Application components and Agent Application components as those components are identified in the ST. The ST author should iterate these SFRs as needed for different component pairs or communication mechanisms.", + ), + ], + [ + ("normal", "configuration of communication with "), + ("delete", "Agent"), + ("insert", "other TOE components"), + ("normal", " according to FCO_CPC_EXT.1/Server and FPT_ITT.1/Server"), + ], + ], + ), +] + +agent_changes = [ + ( + "TOE Overview", + [ + [ + ( + "normal", + "This is a Collaborative Protection Profile (cPP) Module whose Target of Evaluation (TOE) is Enterprise Agent Applications. This PP-Module is compatible with the cPP for Application Software and collaborative PP-Module for Server Applications. 
", + ) + ], + [ + ( + "insert", + "For purposes of a PP-Configuration, an Agent Application is any separately deployed TOE application component that communicates with another TOE component under the control, coordination, policy, enrollment, or trust relationship established by the TOE. This may include endpoint agents, worker services, peer services, microservice payloads, subordinate application services, or other application components that are identified as TOE parts in the ST.", + ) + ], + [ + ( + "insert", + "For containerized or microservices TOEs, the TOE consists of the application payload components identified in the ST. The container orchestration platform, container runtime, operating system, service mesh infrastructure, ingress infrastructure, cluster networking, and platform-provided secret or configuration stores are part of the operational environment unless explicitly included in the TOE boundary.", + ) + ], + ], + ), + ( + "New Distributed/Microservices Section", + [ + [("insert", "Distributed and Microservices TOE Configurations")], + [ + ( + "insert", + "This PP-Module may be used in a PP-Configuration with the PP-Module for Server Applications to evaluate distributed application software. Distributed application software includes server-agent deployments, clustered server deployments, and microservices architectures composed of multiple application payload components.", + ) + ], + [ + ( + "insert", + "The ST shall identify each Agent Application component, describe the role of each component, identify which claimed SFRs are implemented by each component, and describe all communications between Agent Application components and other TOE components. The ST shall also distinguish TOE components from operational environment components. 
If the TOE relies on operational environment components for execution, scheduling, networking, isolation, credential storage, configuration storage, time services, or protection of inter-component communications, the ST shall identify the dependency and the guidance shall describe the required environmental configuration.", + ) + ], + ], + ), + ( + "FCO Application Note", + [ + [ + ("delete", "An Agent can communicate with a Server or another Agent."), + ( + "insert", + "An Agent can communicate with a Server, another Agent, or another separately deployed TOE component identified in the ST. In a microservices architecture, this may include communication between application payload services.", + ), + ("normal", " This SFR can be iterated if the registration method varies depending on what TOE parts are communicating."), + ] + ], + ), +] + +config_changes = [ + ( + "Title and Overview", + [ + [ + ("delete", "PP-Configuration for Enterprise Server Applications and Client Agent(s)"), + ("insert", "PP-Configuration for Enterprise Server Applications and Agent/Application Component(s)"), + ], + [ + ("normal", "This PP-Configuration is for enterprise server applications and their "), + ("delete", "client agent(s)."), + ( + "insert", + "agent or application component(s). It provides the enforceable PP-Configuration path for distributed application software, including server-agent deployments, clustered server deployments, and microservices architectures composed of multiple application payload components.", + ), + ], + ], + ), + ( + "New Distributed/Microservices Section", + [ + [("insert", "Distributed and Microservices TOE Architectures")], + [ + ( + "insert", + "For this PP-Configuration, a distributed TOE consists of multiple separately deployed application components that collectively provide the TOE security functionality. 
Each TOE component shall be identified in the ST and mapped to the base PP, Server Module, Agent Module, or a combination of those components, as applicable.", + ) + ], + [ + ( + "insert", + "For containerized or microservices TOEs, the TOE consists of the application payload components identified in the ST. The container orchestration platform, container runtime, operating system, service mesh infrastructure, ingress infrastructure, cluster networking, and platform-provided secret or configuration stores are part of the operational environment unless explicitly included in the TOE boundary.", + ) + ], + [ + ( + "insert", + "The ST shall provide an SFR allocation rationale that identifies whether each claimed requirement is satisfied by all TOE components, by applicable TOE components that perform the relevant function, by at least one TOE component, by the TOE as a whole, or by an allowed operational environment dependency. The ST shall describe all inter-component TOE communications and identify the mechanisms used to authorize and protect those communications.", + ) + ], + ], + ), +] + +config_changes.append( + ( + "SFR Allocation Tables", + source_block_as_insertions( + "Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc", + "==== SFR Allocation for Distributed TOEs", + "\n== Conformance Claims", + ), + ) +) + + +def main(): + build_doc( + "application-v2-distributed-microservices-redline.docx", + "Application Software PP v2 Distributed/Microservices Redline", + "input/application.xml", + base_changes, + ) + build_doc( + "server-module-distributed-microservices-redline.docx", + "Server Module Distributed/Microservices Redline", + "Modules/Server/cPP_MOD-Server.adoc", + server_changes, + ) + build_doc( + "agent-module-distributed-microservices-redline.docx", + "Agent Module Distributed/Microservices Redline", + "Modules/Agent/cPP_MOD-Agent.adoc", + agent_changes, + ) + build_doc( + "server-agent-configuration-distributed-microservices-redline.docx", + 
"Server + Agent PP-Configuration Distributed/Microservices Redline", + "Modules/Agent/appSW_PP_Config_ServerAgent.adoc", + config_changes, + ) + + +if __name__ == "__main__": + main() From ddd1ca1ea2f145d5c5b1c98fbb000ed9ec19c6b4 Mon Sep 17 00:00:00 2001 From: Brandon Harvey <64159025+bharveyTX@users.noreply.github.com> Date: Tue, 12 May 2026 11:52:26 -0500 Subject: [PATCH 8/9] adding language for container secrets management --- .../Agent/appSW_PP_Config_ServerAgent.adoc | 2 ++ ...ule-distributed-microservices-redline.docx | Bin 37990 -> 37991 bytes ...-v2-distributed-microservices-redline.docx | Bin 37818 -> 37818 bytes ...ion-distributed-microservices-redline.docx | Bin 41005 -> 41234 bytes ...ule-distributed-microservices-redline.docx | Bin 38079 -> 38078 bytes 5 files changed, 2 insertions(+) diff --git a/Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc b/Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc index f6aa24e..55f9f9f 100644 --- a/Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc +++ b/Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc 
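Review bot: The module-level `config_changes.append(...)` near the end of the new file calls `source_block_as_insertions(...)` at import time, so merely importing the script reads `Archive/Modules/Agent/appSW_PP_Config_ServerAgent.adoc` relative to the current working directory and fails with a bare `ValueError` from `text.index(...)` if either marker string has been edited in the .adoc. Move that call into `main()` and anchor the path to the repository, e.g. `REPO_ROOT = Path(__file__).resolve().parent.parent` and `text = (REPO_ROOT / source_path).read_text(encoding="utf-8")`, and turn a missing marker into an error that names the file and the marker. `main()` then passes `Modules/Agent/appSW_PP_Config_ServerAgent.adoc` as the `source_path` for that same document, so the "Source file:" note written into the redline names a different path from the one actually read; someone reviewing a protection-profile redline should be able to trace the artifact to its real input. Separately, `STAMP = datetime.now(timezone.utc)...` is written into every `w:ins`/`w:del`, so the generated .docx files will presumably differ on each run even when the text is unchanged; a fixed or overridable timestamp would let changes in the committed artifacts reflect content only.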
@@ -301,6 +301,8 @@ The following table defines the expected allocation for the Server and Agent PP-
 If an operational environment component, such as a container orchestration platform, container runtime, service mesh infrastructure, ingress infrastructure, cluster networking, or platform-provided secret or configuration store, is relied upon to support a claimed SFR, the ST shall identify the dependency. The evaluator assesses the TOE's use of the dependency and the required configuration guidance, but the environmental component is not included in the TOE boundary unless explicitly claimed.
+If a TOE container receives credentials, keys, tokens, certificates, or other secrets from an operational environment mechanism, such as a platform secret store, mounted secret volume, injected environment variable, or external secrets provider, the ST shall identify the mechanism, the TOE components that consume the secrets, the purpose of each secret, and whether the TOE persists, transforms, caches, or re-exports the secret. If the TOE persists or manages the secret after receipt, the applicable base cPP requirements, including FCS_STO_EXT.1, FDP_DAR_EXT.1, FMT_MEC_EXT.1, and related cryptographic requirements, apply to the TOE component performing that function.
+
 == Conformance Claims
 === CC Statement
diff --git a/review_artifacts/agent-module-distributed-microservices-redline.docx b/review_artifacts/agent-module-distributed-microservices-redline.docx index 1b5c5c221c77dc086673540d5a3ece1f32d7d185..3f3018fba64a783712d967fffcc95214771225be 100644 GIT binary patch delta 2467 zcmZXWc{G#_8;55mjh*bxlP zC5$zDGDeJ-=rhjgd|&5#{<+Tm+}H1U&i&VYuM~q;i$M%#M(3#50RR9Ez{94Rp#uo= zu)&Q01>Hox79oM<#?0YEZj^)v)Ugh+WFRRrY*uA zX4R(Zk1e^#KaQ*ZjE`UC%`o=(V8@f`my~Po9347<1G>1)^cPr;Y#WT%a^f1kEn5v5 z@`T$mPhANI;Y>+dkWJ7YAeddKyXsij)GP$NiEB9SJhI1rMrMIJCj2M~RJ@yPq!pO}l@ zqP|BeM~OAxoYFtG?gz0vi7Ow`_ZgibOW+KGqNoh>zjWgjFi;M8&|#^p$CCE1tQHq1Fl z8zV$otza=WC0TsnThYT$PF9h}Mbnzx*?!5pw^K>CnPdD1ViVZ!aAtUS+d0)G{;MM^ znBCf!-kGreZDBMdN~>jriORffk9Q8DBAvuvo$LZrdr_XD?zV`8%?sDhL)SA4hri={5g;xvNpS(+Ey>N9-QEifqEg-3p2W` zU;ML!&&@`jtHhUehnVKX?`IiE$Ufvrx=@|L5s|;f@v+6>A4ELtNlf~_pUC74FI3nm z__1g=PGEjRploPHj7SwSA0VxIMQWcvdL>t~O5pB7lIU*Jew&+>lOxOcgiWD~<>y2T z&cvKS>H-~xQkVg$;HH)ia^4IK^4@l(ciF_;VaXHT*s$-Jr9e+L$1~sBV8by5mQ3-S6l;b zdEqfB)I$i(u$%Qoj@WyTV?@G@>J^BwjC`4$Lc?@{LY8mMLsi4B70B%MF(gjz4KFSf zssP(9dRgnFcIa0(5qYdN#cg9JHvkgY} z<_AU-FrEt%Jyqob#YM^?VKw+?8^sreYjj=!3&bv)JI5E;y6V!z&?Ue$@*A{NecxPF zmL}am@h`@-q`=3_9on@fWf)0`(*zdty)D-bMfTN~M@hQoe2KXuxZB)a((TVhw#g#t zkAlWRjiz#%ky;^SL+Rl))-9CO;(D-u>x|Q?PZi+ zh@J33-l-{!i(V4lTM93{w+SLZ`?sE^4qakp*uo4A%LtlSv_MyQ(`v0}6WDi}?O;#q z%;rnW_M2g~-x2DMgug1L|ME*{9CygSrYSXS)64u`lg&Ns}z0#6~g5F_&d9}t8v65~E zB+h+xbVpvtp$?wBe8+A`9KCA}pdR#{&3TD>`F2|=d&wl~-(9Def>-!8_eyhanFO+! z4_vC+tI4DV3YxMrZoBV#UFg&O>?7GrN!sA#cEft8*s{NO9 za)>6Wvof-MMdND43HZOenzE%;n7q!ma}hHhN~z%*zE>$6^e3OAuqR0NtbZ7c0#WLO zCuHy`(NW>!6u=|Ml()AdInFFZRK{6~HkNdr(mqbopg=uYk%GWvH45sIRsZJ>I7(I! 
zpj-urFg{i}AOO%$1pq)!Pl?}87*G~%hLWNLLs1Z578;A7<&H(_2v;Y9h@9&&44A_AdND-u@HB%tKCNw-n;K#+7mx@`2TP$BG8Bk!T*~E-)L;Ia4I^T2DtwS7^ADu;*@E=pdmnK^gddM TQt+fgfG22$R7o%~iK71p9vK2v zFeKV+a!==_V&kOL`y8zdPkH3622oJ;CWQAt_6^&V49}g_nC#HQqnkKbxWe~jj6z)e zTWpwNXgQ^AUUnS&u>y+oNOHPIu+HBX~R_Lxb>E3 zob`lV*zeSq|2}TPuHgAau++C|o&C{_HCO(TK*d#427{f=rr+&?735c9FX+_p*9F{2 z$O=;Xw)vIHId^Y=ye=g%UG?fcXeLU>V<@&io`Ff=drOoH=jPSr&D!D z`uW4xE)PCMAbVgwb1Q|HF-pE}%CV1VF3Y7CZmk{ik~Qc_KWuHXR*9`0vgJ#QF}asC zdFo0og^v8l3jdD&-bT@7V}%&G{`JhsHFc9Jb}6DM67^tUNjyCCiTb(5ejIfhq7Mnr zYLH^hc9(0u=Kt4i!P>&6ICcT0*D788FDR0Im1J7zu;NhkeC+P1H?e^#v)=IURi!3G z6u!)LIvg*Oo8wq{;~4RTmUrUmcLb9=8=;GoALqVUmB@cv%!uU3-R(8_z+cy0NdBG?v7C?^S?ajVr9|@(51B#j<4f?4s4OJG5MEU&I5DB) zY^dYgt~qbjGaBcl%I~7N`*&aKA=N<29v%o|v6`P^f_hrS4 zyaHc938(lkBMsN~mwmId8m3)Y#Z!yn)4W5dJki*JIM!11&q$bE@u(bSVd0cN*fM_~AUWDNc@Rmqi<;3R|iW zi*k;{7rFXrl7T5%-ujy;m^#@;FQ_nF$YFmIakcGSmBZuaQ-Ut{T$IF>vDx%UFPPQj zGU>;x6Yj^1(ao=R{tAAJQg->{C$)S$Np);;wn=#^J$@$rML{PVg2NT7iH)AEoHEk? z#q+pS5Sp0MU1_hR^A%M@j;HwK=-Jv^3Z$HaOY5c{O3KvDzZ;k-(H5*$fIOb83>~Io z+CNp*Q_OZJ)q8seu9|tKyQfB*@Axe)+G>%NMKIRaUOReCx0EfQ^QKls=W=gC_0=;x zuqeG-&OxeL2u!1N>|g=^{m&-|!GhMj2eO1t&>v=V+%zgn=P0V@Q{fcX1al`vCi{%3 zY_rqKSw%=9C!wermrii|?CcP_0C@TFyu;aAkdn3^w6Q1NZ6lf2b_yy<%D{@Ekt4!C znrKH$tZ5D@Keu1!rC%(gF2iJ-!|v0<*^|_yvPXK(&+eI^KT~v4J_d^3$b0f!-+$+K z1#+Fziw7;`3x0hIt9+D?jdh-fqat2D~7ko-y9odn=%)TAmTeHoLDsLA&a<=%Xg{_C> zr$-)z8_5`!cSw;Im1FRtW$AFE<0p+yg1)6|0DUoFH~4kYMU7)b-KOHCdq>6$ z7F=s?usUiA+4N-1cN(D?2 z>?@$;GnRbH$Q%Ym&5s#jf^|Y4A~6|zd)KPj(^f)nRA2P^C+}mE3w?x_EDuC(gD zmaDn8ojtO`?xFA29a7#;O?qmWMJN958QA0gqw{v|s(>jjEgqh|#Pn5s zJusogHqT?^%vK9LirA6pvKA4vrvAI=3%&K`xYOGlISh`{p3R;I!*=xl@OD&uc zfwGt$ylCgOC*@WeLB6rbW9C}PiTBnv8o$d8XgF3U%J~RS2x}Q`(`h1d9IMIT>k*^yTA}r(S^)oqkB+U5t_#^{w|7M##KX@kC zxLo~y`_CGR_bAAEY30E7BxX8n0M}+=X zeuYefa${=LBL61A#JKldc*HMqUyomv*-`~0WN*2IQ|9=%>GkVqF3{-+E+Wzoa#5Fl z;6H1?YPzu!cPa3X*(GTR0e~)E0Fd9@B>tQjh#rWeX>*OyGX971R6>PbdJa2m^rRAHgPLAk$z$hRT*E^N4DF8$SRvY5{=EUz#i6P{!^p 
zO~H990%|jn;$1_hnAS~V^epe3+4PMZAkO0Y0QKnYQh<*ES+I~6=oZo$cYy7 zD_IODB_kAi_*EQDTcPk!JLE_8xbD9DqsRUAe7rxe_xtnbt6czY7l1WSx+|;bfIuKM z5QQYv>`?+!NKK5MVV5sXh>`RO;1K3mpK{7or`?^2pz;Y&CNy_ny)J zieIw}aP|!^95Rkb`B7EoRAX}il3yWcOe-~kt_C+k`<7MB^=L6~J+3sKoa#F(ZsX5; zC1Wn!W1RT)wNZ(Pu{?Ok+>%=a2@_vSJH6+WeGj2xkm+&2jj2 z()Mk}(OAYT% z?CZD2^i3v3*NH1fB*huwt>UKZ-GqjLU6rf7K5x6JDWh-n8<-f<$?S2;I%Md$LVxWu#R~e+#!J?->d!gHJ&L(ZC6(x;J}sivFIdNf@dz`-2d+|KnnxXXn#y>c;Z}tze3%|J>nfuE-swzK;;xNQ zMIX^?+w#oyTJ~)G{4rQoX-X9tYjl{68O~1bAI79!K8BLqQ`>7R&Hf?_vkbtvH(>t? z{f*zSE4M@I4-uIbZ%qoHQo?&C63P10tC^R|Oe=7N3e!%%+c0gv`iRp-ESV}Y90dwA zV5MpOKz=uRn1Lu=T%zN(jZ0*q*^@B+lEd(t(yDXIi&*cCrdo6}+NMHmW8-!{rwTgU zQ(R4pa!9RzdLWe1{&0QDgwbeUdZ{Z`&E6+r(l_!?$Gb)?Y=kCyFXp;dMJh}=y|r-t<0rX@hv65%A?f`Ii@SEDbqp zjE@l}i1>A6onT^bQo-e0T(=~$RbYh5a7S7C#Q2`__KAxN-BEY7UgR#G3A#b?_V@Dm z+Vw0woX?*z#_d*~+p@0B33%eVNs`<;E}^dueN+B_nKb2ZJFjSuFIpl?pjGZ4iM0VV zN!U;ZG)O$4$h~N6FfhxKHlY7mFqQTa;67smc&$sw&9f#<(V|8Twl delta 1336 zcmYk+X;9L67zc2~#0#}t%W|Ux)Aa}}GxJWoNDx6Q(>zj|JRmchOwA@dFgyb!T#s^H zjSO$a)bK*h^6F4iSgZt>)vPr&oW-4N-2L-nXJ38h`F)?~_wp;K1q*7yP$Eu!hY<(_ z(gKNztQF?dh3_|R_N}iW(ME%;%cu7mb zynL`lTa46XU+eR-r)bWV`GrPW+v+}}{h-n5@#sb_&$A51n!;T-Q9B}!BkU8pec)8D ziQj0;hkPv%aw^0s34ucTYLt{X({|Pl$O?O@(p)%t9ae7#Z_J3H-@@|^A0E2&=XlepTg#msu2GAgxV7i_A`+|LG zPmfoE6npe)Rj+@F|C;06{7s!r)Sb8a<`h%i$CVPQ82ej{;f3@G9LaWqBMWcnn#fE_ zQ#}2tGDGSg`Kg4?Sqp=2n5}su_7#{~b6r3SA!PikH&SHtt=#1lv&Km^bmwZ|`!v+C zSJc6Yu1rfg?F9|du!UVG8H_oW@*YGa85xeSG~-uzOdUB%(GqaCX8BBa7>WKi+4VuI z3)MBuUzqI&LWkB1FXPlj@riUK{E%^NQU6ByQ&_Q91=%bFB_;7rkHdLTAH9J`BI$tJ z`R3Eic-q}or8qbTSJQn=cl1h5>~1bT$ z6Jm18bD|k4Fz@WnH-*CTGW8Q&Z_26t+;({PyCmdyyBMbNYwKwJP#sg7U5csXKlE}= z#ifdAW=`q{g+=8Uoq-d#IQOiHv$X`z{mmU2t-k=BT+9PnxuR&Ze#@v3l_a%ecRomLV~ zZyS2&8*zMZ8qAr}|5YB>Hqx$MUB1@T=g_gFx8myO$$9MQce~LWZqX1j-hqM-890w% zL0yif8n8Wmuega2TgMp@wZ_8RerRZCE8M|85fS8se=V7zSAK~-i;u&TJ##2z=G#4Z zy{f!pfr{Bwa40)^5R#m}@&p5kPH|kxn%{Zj;m4NxscSx)pC*OGc-r6cH_j7en~G4L zp|s5KevCa*e<>R!Sq>ghGr44Kq~rWJn;S+ZVeIP0vzI8^`(@NbtCdFfXe@TCVt7NO 
zs6g|tQ{s=7`%Wu-_@`3twA{RX6h`nex0=NXMiY{BOZ`y@NtsMpKVBfnH~LJtzma-6 z>U*_>v`ogF>$mJ_DpXpmy4$e+>Wk?b)2d2y({ARWJ(8P0Ptir^VRidvUI>m%R<_(P z-OT1_kNRSI5gd2Om?Hj+@ss?bHNM~^L$JMAv90<4GT}4y$g1}ErvJniXq7hi#N&Ww z*Olsk`%{mo@_;lJ7?@@0O31&mC0VloZP`lTwVt+HwKbSirn-vA`>FxNfsB&?#f%dG z;|w$i1z5u~2)jo&i0Zby6JAiR98sL1f>gS4LEHEt< NdjlZZs+9yb{vQd$dX4}9 
diff --git a/review_artifacts/server-agent-configuration-distributed-microservices-redline.docx b/review_artifacts/server-agent-configuration-distributed-microservices-redline.docx index c702b8588190b98f0aaf426e7b10ecf5089e3c0b..45a3c3aadaf01470ef38b82d92a30b2e2eddf328 100644 GIT binary patch delta 5424 zcmZ9QWmHsM-^Q5%hAtUFLIfPTV?bc&Ax2QZ8xWB0MqwlbW(a8{X6OzuW0z(+(unRKvvsdxR$gk4?)*9at`E0HCWP6iUvv3PUi z%T$5?(x7+k`Wd?AJopF_7pt1T>2f2)gj{SglO(}#hFY}`FBa9JPR=QA&*qMKF=jHG z2y{1d2t1Q-{LsfG!D@S^&7a)HhiU6i9bx>0D`r2$6~)X!O?4cYr#;$cRu8q!C9$6u!syhc1jWjz$9y-&=5RLi^1k2P8y;f zUJ-0r`AlMbS=aPfC*Wp6HeB*_QF1?-LqsUO>rj@bS@4m}XVZ22-7!Tat73&AcGeA> zJzZt5fm8p_zvN@`bJ6o;As*E`9=hx&^C+At3=uocWBgQcdPo|69~eat^8$Yvw=vXf z#SaT3q6026V_y;pp|7ddX4C_WTH>f~hguDv3HvbO)3yF8_3)hCPe=X^S-siTZ$VF? zf17ykwh~(L>SzsqW4fv6E&VWp0|3i(cjL@Uj@wZx(0yK+zVZ3l0dj2%FWZHza_cC# zZTO*L^UDbLUz=MtN8$q)v(^_+(WY;T(+qH1sRPYbE%Icq(fDKM?_9hSpIWqoWszl!x`~oyTY1{xEs(&w@P1f8lzWlAV#31wT$RjS=|6nsmxso5tDYRnj1(-Tn%u`gf&Squ?xYYEv>&9D z9}k>X5}17BH=I!;AMHLO!!Ycr!yQM6rIAbhhL^wmM0{^zK~us~xQG9#M00SkJN^{d z*mcs2Eq*Oow z{VSzPdxI^nn9|WDhCr3E3!0fjjB=Ev0mOpIjQRG6+H!iW>IWlON=E_l7es4m^ZjRaPX|suwn-VS&TtP( zJf{xIa7b`)0P!ivb?}YEcWM<0yHxF=h+NRE87&3xP?1LELVhx!pXYeXzT~&lDR5PA zNs2{2t^C$GA+e;O;tKu!QVT$+%bj_x{RYhNH7A4?bkd{SR<+^Zr}2~P3%H}N4ZP^lN-x$jS}|7~TbjHMl& z(rJ8Fd&@J$JL?X?sY-F#tq>9L=j2y3bXn;DC_sXYy3D5B_xtrPT(1vzM@@w6T;_8p zd#l}gUZi!&PL-XO8OX}$H4LE(8&X#tEQ*TUfJ9$*GG3W$kR$vECQ{(JSyvRtq%xf$lHp=eA*LU+||+T8*)$O#tX;2NJxH1Qr1> zidD;}ryGdcZT}O*eErlpG%zW-i8eQpzkff#`EYv7TDC|lEjt0ZVxr0c6HMX75OFUI)m6uDIMSFf-XaHm_x@~&*N`hY&E`Rjp7+A8A>{1su|) z+jR~m1s0cxZKi#=5yT3|I%*8fT+fEEE-&8dQ6ED&7DB)?f6$7~^uz~@?osEG!cY>C zO>Yq|{oiJJfmXZcd5AN((c7c%3yz4{blxo-?BaMw$*8WeQs(Jqol zWl@~2d^`z84r{5Y3GUI4^?L~*=7k1FaGT;upCLd!i}w$>UUMnryg z-8{y0cC-9CxEek}EvhkM9P=flpKgz(7#7@JZAY;Tzc3AOkTm0MQdAR+bH1&)e$^)kw>|^$zul&{Y zgR%bYe}=zYs+Jeg56POm3sb~!R1ruRQV%GHWm75-Pa3P2%m~xR}BL@$xBxt%X&Leq{kyB|Z%^RnD z2yPv@^IkPDrYIkZTpU{$`M6&2(V_tFJDaPd4=&QlsgVfJ!zuNZMa9PG<{x{09vJmP>4oj`!p$Ql 
zZf6)*)`VfMxHqLmX#t!av_ZU;lpLy#BYEaE;!?!kahlfA^URs(9Hbh!RrwdhOKb&TB{RCgdebLET&ryWBMY>=ojD5W9v9T&`(|5Rl?sJ@tlgP4jT#J>y58 zl`B|stNvo_Bjn#+jv@|L^VkyOdy%U9&O8y4$w1oULHiwj;Ae!9|Mlu{U#8FWSb*Bu zO^9@qCOg=8p4FW zJhoVfv4#S}&*T^)W90h5oM>ad%S`$E5pkz~~Z~CC5l|>b# zx)`oaKzv^B!ryFII+r@<0E&Bw*Il%;A;Bqk`NxF+*ToR6bxdS~^C9fQV$H!5;rj7R zkDadAhk-Bt0EK~n!H>wN`{#Q7p_17_Jr(!P%4sqWO@y~q^-I_h0u#d` z)AQKH5d(QvA}6|auYfPwC>pJT3jt%Dy9Wnr`qR{sQ@Xa5@p7T;O}~TOAa%+9r?SQF zf(@dNu{F#OMFX+o2oh^C@xvXmmuSz{*J*U5mmkcS@Qw@1uwC0jWc=D32NliYl zo2M7(3+FgSl-Eff|It;j1;JcgCWusI(PIU`#Mz$9M=h@r_t=D(%8gzSz-^8NHO)6KMeav_%Z!-+Yo(d#h2xM>#~`K09* zd~EXj#tY-WZF0oaC^Kk!vheO1M)Tdm`|lj|>Zng&4zEO4TUxq}JbhFAml$sP2&Uw& z!jux5s?765I~qzVUWn%yO^{zUZB^~Dj*F!y#+F=>9f{_4C1#+%HJB#9{&=CQmrvI| z|L9wu?8&P0Ky*nvpAAshh1W>iqq!l?@%6`9!$OJZ9l;FFrCB%XH9BEcHtkUXuu7)& z(q(<%*79>nMGSmdEURO@`0typQA+`5-nfiRfWW9@lHSldogYz+hia*7*)nSK7roIT z1k+Ew07;%(I!5o#ub1LCu`m`i&&S9mR(p{V!P<0NvF{ZcTELm+rQ}wRNA#$=C|1*6 zitOleg|F9j?__WsBJOpy4R+0Eax|TjUy83D@o#Z34mIDuvI|Z=SCIv?uu=zX5BqNI zy(>U@984Y3%heo_+1dL&8n6SEiw}9PK6H{=W z+x;O6(_6~IGyAP9gSF?+#>{mK|9oUcbQuG_BkT0YzPsBj)9I1y>#1p%Clr|Tb#Lb` z@y2Eg2Iue!ZP;;QNjY*3V)jc|L`8A;UnZakf|wDbvpjf%l$Q&{N4xv5L7eO8*GRM@ zHF^6YIeHG+mrPN8`-o0*aOt`^wH#t`w5V=sY9+kxUIPg=!!sdd!`8jxtu|UPlO)ib z<^h-$ki&tBW!lT6xF~%eaD-#}ECaWOu+U~YD_k_yO}Yci&h3Zv3jOwW>%OFtO2&sx zv&dql!caO;$qaOdER%Imv1=aa>HD+Ck?QRpdL~it!MQGsgP-JfYBp~nx2-1XEz69a zP0uGP4KE-?d%V$y&5;qWm}TL}sjc@PNq+xPp0jAhRw273ayJeiex0nEez#xx8&(m; zucIN?BI@JdPg3XYnrh>v9$6*#RWGA+I>)op_&qSUK~i2C8qK<_JRnK0w-Om*$eYsU zfR^%1l)4^R!|h3rs`oFP{?tL9#LKohyxpD_Qo&61&iH$ftJw_82*8KhO$@OyZtAxL;o7O8IiwtU|W}NKoa=>>=-(lTCauk=r-hoVLLoPg8sV zp+ngxL z&C%PK(}@I0oG#83xSk7tTWh?M+`!J(Oa&4DR1|*1@xr<)dK@P5$mq>h5WYrw{fgAa z8%T%7Q+Sei!H%XS%f#_k<)-$0b@1hhu`>cpa#P1-JCVdCrG}!+(em!YIcga;6BXEu$`yicL_O23Cs4S@o7r?x-J2Ah%2b@$!AbVgzq z|Nkz*3T4pVxr7;vK-(Z}=6f0}EQ9pUdHUB$3C4~Ffw4aS=Y;=t_`!kOt{t0EwZyr6iOXLP7*gtrS^2$c)cX;E4SjC;ZcwaxY9}7Nm-33@}%?#0;`sIogJD&#^)G$N^>#<&4jYMyY!7dLTxATlLf!5!lU={>! 
z$|o~|grnzHZ<0}Tw3{xy8$kv1PtRtDz_wS$70?A2)2Da8YohH9n$6C*vJ*eH`p>{Nt_{D5ZnnByrRi z%hwF&vU(iwc-bR;S6=+8+ht=pt{qgb9ol8}VL!%DSVE+1e`>aAHnLQ#fiZ*ug^5R< z3Zhu%TE)iN(%&#S$+ ze%l>5mfWwkMuzBbtP@SaIY10{{|~W1^KG?4IULKpX!FbCHezr;7Ef;l;zQ{x+>tcQ zzY54+rrL?9#6Nmkq`1umjn!dlGt8U>7j_y#3RKGv3S-pF@(5vcuEZ z-P`qnbkFPhc1YPV60)o1w$y=+2g6TvG1Dx5DhCl^u`kC6BWS>uo{5`Bmq@`UJB}<_ zpnR}=mrxQy*UgU0`ZF&Zfpw1FGn7Pjd?Zk!wu69{|GeS(x`3Po4Jg&&1Q*|);g_`- zsAM)QvJp1fA{AszDE`7b{XNl@hm~(zMbfs<%1JW;`F@};;R>xsR*1s%6w9(Lx2`gt zM?@!>W-J6bEnj%JU64!s>IoT$xW+JNR!Q6?Jb_GfbVV(%NZtM;G~_jRND--?bJ6~Y z+*)OCd&lbOiGy_Tmb@iuYKJ2D1rF0@$-?*;qdE-j^7KoQ*Wl2uL6o10<{Z%CqjbR@ zAP%esd4TmW-W@X#SqOxn4+nF697A83ga!u_eCZRAw+P~xQx?X2q&g-wOi@NT1JNM( zfMF=PSF_EK(Zty}7buS9I=m+yasp*##TcZB8n6|vH^(gr5>`Y;oCoy+7dWighIS<4 z;$W1EnjR*M=S)?T54Cc-8EjdU9!8~*J*w@cG%xGwFvz72tQavV?)i8Tgr``}!DQo0 z(z2N^L3A*4EU`IGG;6&As#FOhH66#Wd6(89NIM;#ISb~DP+R}0z|l9YIbI=~-lbZB zboh2k5S>~Ca2p%}D6~moK~H<%6~?^j5`yXBN_W`nU{YCn(TQs5MntE-VR29+l0Xcy z+cNA24MtD7oIcy>TCFBgVeKtKunA0s!1{VISXyz+#dGN0?Y7E&4v2)hJg|UaFH5*87k=r6(A>1 zCQWB(RHAzn^A@gV;Na@#SE^kf=^k0e0Htx|&fSsa5?HHx8i6fINF`iQir zbUov@0?A+L;9#QRq(()o9Yesf!Ra)0c=`&u(g8aJz&cN)YSDWzF<49YVJY+zkW&-m z6ithRMTDQ8_`XtLX;97#JP=FK(ZJ!sAd7iDPQ_~3Zb%^}T zT9xv2?-nmz;aA*)Y@Kb#_nzx4Bnm=bPg$SRGCbGbe4SzCI9-tu&bL9_PJc}ib2cTd zKjI+i#ohDz%AC$1tMqgQQMY|n*xVxCF1kJ_!IqF+^I$WqZZ%oaMRNQGT*O>p^i4F{ zG%++qbHp^5Vx5gJ*4B+!=0M93#{Sk~hqycX3#-V5Pj37&{9+l}d@j|o^j^!^ zF}L~#$wt%3mbz=z!^92|E7% zi_m(OU+;)J>T)qh+HWtI^@XaxdxQn;e;iT;<{H=MCG`71MMKOXc;aeKhya;U9Y!ff zmq+h&us^7+6rIk9z2T417EE-gn7NvbU_vk6>X99ZP%T7|&s@WvInm(l(R#+6O9+aD zryaL}h?y$RZu(T8Mswe8{Q1+ALPGxLKtne7j-dTfJ9eJ|`9#he!wJl_T7)Vw2&T0X z7O$s7-jqx+G)wbmy&!*nMVayl7?oPWjoKWpLyn5eidhi*_Y_E>B@d9y(X9pHbBR=L z@$A(Jy0W|q%~gbMbnNJSY`yEUH%gEJW#ITTJ}qT!_}N7sRNJ`M+V-&`;h;!Gb|}gR zd>OAy3XT|S*_P?Me9z~qT%C6Iggsx?-ZSks9T9+@ST59$hiWrn&Q(53y@nB=46D+^ z9STI;;(vcf@|EXBUCu}wb^GRn!n)kFOPs-1mCov#||*~dOq#oya*ZJ1+TyDoL~y3!e{ zU5wGJWSpB|AyS@mnatZ@OE@1mBea%#tXHJwE(|}RB{BU!5zc_mtd-e#60D4xvMx{ 
zquFoFjzVXT%$i*kwx#er&80-2l6zmZtsU*tLBqqnAHQ#!0q#T6Uir07SiT-zk$yGj ztu0&Jr09Ic&}*UMaC=D=o^Z5*+LCOis9jC@TZQ_3-YDj0YNIOJircng9 zun8$e&rkL=&}FN@wd%sR{F;Zie2OI8?NBzRX2w54ROEXw3A!ITUpNl6u?_SS*i`ae z%Uz-%Ja*WW$M6UUpReFg2Oc{Wi_b;RaaKXZ&f(N-ScgWMHdph!C&RxeDiq9|+xR>A zd^lm~s@NA)o1DWv`U!+G!w3t@$Ul73D|GxCaHhHrDQH|R=DLEJ*(CC@1!{(m7g+&& zGOmxAXkifY>u`R}IAH1~~D*#Gb$aZM(pja=PO#97nz|mB>N35E=d9LkPW+$vP)^? zs=d8ktlWGEBo&zs*>W8=vSHNt0nc-aoE_iopsIp^Cb$@qSv_XEoU{zbv=<(lCfZ~E z_?Rp@g){l5Ymx+^bj*(~9YVl(laXGH8}!f@V$=aGEf>`xpvt@LI*mIOV* z@kU3HzcD>5dbBe;LQ9R5DHUaKOqexm7-t>PDbBjp&a(L7i@%E|YKeRgm)kUuONSi# zlFoXMhN>Opa(RtbwlJ%0*mA-~CXp-wIU&-xA_ENjgr9wVq|c$fo-iyTIYHUKI(ZVB zjnnVn9j*n>FU%PWWw$c%+r1VWl>-j$-|ouC@B5o#4>WFLkA}!7eu++jDA~nZ!qI~b zokvpBjViU!v5gtM^VDw#WpArKOi0zEtJ#7g4>yj!CKcMTg1F~o|E$Bd9!nnJz&qPu zqI^CFWRVa7&gH#I$2@Y~Ub7{9FU#{4t>YoC5<6XoX5qE4jGiKXC0+HI@Q*)u$=x|T z-!gnBppVVLLD3iP~P&>~;20O#cL8fP_`RW<5b`Sp-xL2yCK@1%}; zS)t!g@Scb82F)J*JoSbN%gPJFST=pT*eXHwTk**X8Z%ykd%21~VgHrnnx}m$ zgbUTrHn6_ce_j(hM&P|*Tuc@haFeI46c3ZcWs)z#n(UAg$cK_ z=c5P$wcF_PrBhq%^mF=Y2yXs{y7&9s&Q-5wyh;tBn@jt-u<1e&&KGo+zX?TNmY(~J z0hf-7Q0t`xmxs`-!fwK1jPVe!pyPxO=ugQaxrUIw|L-PPD}FMrQnYiJC6aOOy2|jc zkj!51RU?IyI9Y;Ex4YK-pFOwg&O|%=;&q9VZtvVc`%(1->wbohnhNcjwC|BY8{0&= z5t6YWI0UZ&NQd&I6N1=Ip2lG2yU+G19Wa*=k_|OUVe+HTh;VgizWyX(px$UjYBz-B z@{fv?`Jp=4pyUt5sJvjPlLg7u#SeWg*;y`6E_F5wK~@WouQfv>)o==A&U0$EbN2+COWdYNp&eUpx>R;E@kx0n1tV0Z~X$3oDn*X-9CUBNp*SQ{xx z!Imt9pF)-58~;*DkCLgy_KyWkA9$4bJ~?CVOvW|{C9DO^8+s-@ouj)+PUjly@gHqI8A1PdrteJjURz`b@I0-)<0;!e5z}vG^nKW%(9*u&)>q` zObK`9abfh*a60CWkE)_9q8LI@8<59O#b}zi>#}VgGZWJYf|(kVD96P@rVs(*!GxcatW+p1=I&sh z8hut$9R@PCI^Wrj7sX>9)GR4-}k`0n#7JT+&Ld-?^PW8Tv}jQ?M~AUqM{ zUW-SaW8V=Wm@st@yu|bSSxh*^zb+a?+CNua@)6d3xi~}S9$Oh=_h8PHzK2<+)c;S! 
z$}$D+D~p-57-t~FbtdP%;y}@2n1K;WC_0Aw0L{cFctTtR0C-o44WPM8-TpHIfgn`` zjT$W?8%1z$tGKg82O@@1kMGs)oeBv>;Ab)2E50mRjJhy{dKSaIa=uf_k%-tV=6@TY z0wtyk?^eYI0swbG-G4_QP%a)Zmc{t^{uECK*CyNUN^Eyc^#5%E0PaqKAj#&rUsfiY z7D$RP%w{vWHzbTjMA>5k08tbG0O|iRaKHfoFK0IkJ|_=HGfOvHCu?4BM+Z$+AO<<$ kKe1w&VQ&AFbsH7{5Xt}mQ2ihO*N=#mY!2-D^!wTW0a^vq%m4rY 
diff --git a/review_artifacts/server-module-distributed-microservices-redline.docx b/review_artifacts/server-module-distributed-microservices-redline.docx index e66bb9b70018e64be3e382041d9f47a10ac6ddbd..6ac0049abefa00bf5ffcae5c453d97c2ce98a01f 100644 GIT binary patch delta 2514 zcmY+Gc{J2(7{_NuCdv|q$yl;vN{AA&#U*6vW{JqC>}wblW@H$K7#aK+B}JB8QfOR; z43l-JEF-%}nX;SGwbM17bI-ZG|9sB(dA`qi-uJKf+f)i^EQRn{TXOA#fj}T0kdIRp zUn>~m<3wSCkNn~ag#3%deQ*e`k5f5HFTkHn2cAKtabqD8TEcfGD-6Gxm}f;~St+6{ z6;(ZTFzjT{Q})hVpYUq>l9_6B-gDfVSjUxu}Ft4J=j0sOm0ehAzO)J8WS2Zo;%MUPP0Y% z2>|2}o1NSg)358ww^TkW$^o(Mox{VK*r;m%ao6RQa?)w_CDxC)|KbDLm=UD?fZGal6ymdCzgU?Vqg;c+Wg!LG31Tpa=BUDH|Akd-@sx)xZ=}r> z`Q=zZ)TU<1b*IL*3e%6W>_RuYvIEnqmXag^Hc!%D;gXOiST916RMgm{cTNp@D2TEM z_y1m=j+{g;UY#6znZ^@MEN7bC92g&?k0bS3_F1$oV4mM&g&z=l(k5==u`E0?+kGCV zyV>2`!Az)dZnC4-Q24LFY1d;!-rU2sydkwrE_5gd91VD&Hj-M`8X&d8t9Isg z0>)I?FVp+k!yZ0=u%)i)A>JYX?Jv~+5H#taIWh~Tb>pYCb|uQ}MyIXN3j3qDw35aF zHj6%qHfx>9$Fg~$OFE@+)BOCaS`pWZvvc)E<~^8Syo|5XSJebZ34Ie!f|qddt?`?g zk#X;dC%21ScD5PsfIfLGTd}vOc5diRuh<11S~Gk-n^I?!Jn8C)tpnFox5vp8l;llg zR=GAeJ5HRf<;CEiQ(fY`kzRSK9=&CSK?^dAKcml>j+@%1b)W1nvkOQsnbDkE$MZcmX?s7+R>Ha z{@_;qv?^r(?u;=`&*@$X~=d85fz#_BK~54nY;Y6Gw1&7ya0~#ZsHO84$Zx1PiaI*c^LFH zIER**`hhQN`19a_hyFNKyYs0E_sO#wp}JqeaQnk{!Mq{n0ooQ_mL_P~%^`hp_=%1W zWM8(U^-^3`QcoFWtGFaB+0gO3Pwz4Ee8c(KhN{;u7-{3sY+%PSs_6J?kA&|%0UG*+ z=#=4BzG(3k-S~K!nSG`67wXj+r17Q4l@eav51p3s7>hmd$}t@Ns(|@Kr>@lm+3j_@ z3yV>+QnNKa4-NdGADOs$PHyhBd+3!`k&@EXX8uU6hY&)AqRyB}Ok_*`aj9O{7ELZ{ z&SJ$iC!4mqXAEMZh&&^6q?lWaJaYJ@O0TW=s&8H&l2TwqfO6ZZz01lLpQ|CgK2g4I)> z8N)!=JZnjD9k*Iy5TR#Io`-MAGSsDGSnB)9nCQz2#CmHbdY1YhX4RG_Kgj!}whb2b z2nRaPy?f?w1j$O@M7fUIk;eP+)4TNKAI{HgT-OThXK-EKx0ZZ9|D>OI@6nkUeqUh- z{T$#{u)&@gmqAFQBK`;Wgwe*DLR=yI0}(cF+kZFf{Ahf}0?0ZX|LWKrr|^R692 z$m4Dq?h`C%WVk|{zyJ!ie^RkvmwRH9sJ~=hEqOxa#V?C5_Z!Gge3jp{GZMV=QNT+t z%H+xvjp2zp+Vr&O>7=J`P+$njPHJw;l^vo;^Ng09{jxry`}W&S2!H6`82*4RAt6NJ zj6zqq*!!|qa}%~K`$$S#m@!3kq0{BV!18P{u6cJ;S*PLVJh*Uf+o(f0geu`R97-VG 
z(j9X8N(*#3eZ9V}?hw}{Ono;5Vx@Xu)cyTaQ7gHJ>r|J4f2eG28mvpS8|!90;}c8Z zj=>YD>KW*iMbyK~eYwo~g5bYzS;byMm}g5ffgOA0UeCak*ppulsq_f9Z0O1-9OB=P zL#|(1R(nm1U#N-38nY^hg6#wzRsF$CDski8+D6Fk&PtO*9C|}ob9&0HZZn$Z2VEm; zEzE3Zqy86u7oYbesR{YXV&b$7Y4%2xI-SVDywspt$NnApf z6y_`L?gmF+9X;oaV}+$^iKpg?St`?4Dbv+8F4ef+7b+bf&L3M<)|Bx_*m;APHf{0n2fs0>7^X^7m|I01Z&#*cSF|g#>_3Kq&ogD@UdECMNlF ufj~*3Adv8Hx2p#(Wy&7mJimZ3=uP7Wf#PLAAoy<{dw`UA0&14VDgFyt9ghG2 delta 2462 zcmY+Gdpy(oAIGm zEBM;Lkk6JcKY)?@T!m!pGZ88VIq=z%=2Xj2SA7Fexx`71fpCl{apJ1p*LTWT6R9C9 zrvTQ8`-Ptb9S&CTDy_@pt0DMZ1=LMLq^ZqKb7cH|Pse8w!DQoOE&|Q?Ee3O@HB~T6 z8jhp&&98W<#+&n8Hfz^^hO!_!Ft)_x+BC}C6kbhb%4y;(hz-96XMVvvGb*`0W2lUMFd>j7*My!Sjbh`D~x#b{4@`+tV%)?+mX6;d1xNk&J ztr=2IxsditJ*D7axM*3%GK|8gyYt>KJ4qv4)$gQGjK~N@ZPtAhzkH+A=+wot4OqFkQP47h>!OL9f*2WS=s@w-?8#RXW8lJ z+SV4a&LMM}8UGH(;+RySaK3Fd|4t9x-wkb6p?A+)8a7VDc*f2sN`IRi`K|J?D!HDR z6QBcko=H|+*6_j1H)U`devk0DukB0qy2?F!sz_bhlKvFqSH$mZq6-z3gHak4vBmdO zNMV~fTd6V2SHo~}>OKNzg}Jm&h}G~V`U zrdaBcr{Fx9s|2N(Dft$HiYyN`RX{)5U!~1r%P$5S+P^AQYF~W#cb)HBoyc>cm)#UM zIFy`WbdwX(c^Q)|H1>GqyQz`Pkp*Hn31K-oCx)$~dMYTXL`rRDpmUbuFa8)foEZY4 zGxT~Nv?Z^25VjI@l_eb7d6bHL`6q;L9P3u4nF+-4opeZ7} z(Atp6i5F6`;eA?RC!vcP&&23XE52isKKFC+E1UU%RrUzK@0*%-LSOf*5YfA&OI=Xu zPwk^V`7S}s^PUTHTA0*AEsUF}S%CRbXaG)an6hyPHHnfrqb%dBXRleo^l+`3=1UMK z6)e0Dn_O6;PL4jEJW%<>tLJ$CfuGPg(Izx`Nw;;$YF6$`?fc}Y7*7vUH~yr336f)~ z*G1`9k#TrQr=+-q)4T!1Tt=64=Ud~9!08*N{77=KGEXj-V?6AHc!1HtOy825XO6FO zLp*ZT5Gke8-n8W>$i{_KdRKqFk7`!#)$Q_{C9bD3E%H5ZqoqOz;UpKEXye0aNY4%R z_<}7f;=BmaUs08xf&H4FkS}Mwm>$Igr%hzNkdM{qE=rD{#KC#Wg2jEPQ9R{JIDL4IPX4U=C#IeuIw7hGqRZ;Uxx>RQ_J{Uo1G z%n--1f4sqCDKs^jLX8w?_)6BtoKLC(8vlG(_kNEgE7Ib+C5)0X2C@sHMW>Ut2qi$2 zK8Kos7plkr6D_k|_3AB2xHEx|Y;b_?>3fmI&=5#eNIF_`GRVYD-dN#+k*nn9p!TtA zl~H4{@{9TTqY;WydA8R!OfA47!CrlZE_sHu#KT3`hr{b32G-NgDeI`^#|3>lfp_~m zH|Q~G@f<7;J7M!h(BY_-BX`TBe2Q)(ONX@FFddIBzZ@k+jpUsoVZ&};Nii8;hMSFN zxQ$bszw}kVtlnaEapBgqBBFmS3SG~th~Zy03@$4SG8pfXwP5-sF>VM+m>&_pz`gXs zH5=^Tvp$HTl}wG=%^2+@sPq<%d)|h3`L7Ml`jnp8s_pd#97-&k^ll4x^Zsin@cMWG 
zH8v%+qny4o7udH$>iwroMm5mp0%VQzNfwKzSZNGpGkJ*1v2FsQ)YE@6PISP!x-@Et z9&6}<^|rtfk$^BvLpE%+{LQr=LOfjSo-t+a{+tb6b;H!O$EQB=TKc>i6k=KP)N}Ww zwS8roybUmIycL{mk$>7cPr;0Po^s2H%*wN;5ChNh-Vl67(!Z=-ia+nOA!qkk)^xn_ zjZ&S7Zw_B3q>B4eBLbZZ`^j<5C`fbM>^8d5ba+w7u1n!`R0G;VSN1hTZE-CsZW~R% z_)TC!{>w#oK@<5GMoX9;dkj9eGZ?`+FcZ{h?LRjSijxR*E0YjyUBL~k?utQ7YCJg= z>R;@p{SAeY3d+=&%J82u?S}|9>AMN_V(rxaZR!sZkHN-nU1_`neQO34zu|C~bm8l7 z-qAOFaj0d5$U}9;`YVcNzT3_j>$9>odGifT$eXCl500~O6kJL(DO$bhBB9mknG46m z5M3ypr_t~y1LAnyam=x-K_Rf3jKfy90B!BecL)xEq;i`=nYlUj;nX& z(#mYMufgYpjxP+ztkz{`|4{i}QoNv~+p<}ZuN50`1$(%^t$nQWdHb8WP3saedWoz@ zIDb%H>5+SoWElN~Nq&wWpzz=l49&>TlZ*3g`=ggYPA z&w@bsaxT!ZKPUGX1*QV1w3F=DuB0Kr2p}v?f-PBT2#5#)KodlPo-{soWn`~?9@tEi zWD6WXfQJD!K$71pong5(6~H925BefdG|s1h^hBPv5^S XI2{48y9Wf{I|`JfAL245vj_YiLE?jq From 9feaceb295b9dca25a063d90368d7a104120a471 Mon Sep 17 00:00:00 2001 
From: Brandon Harvey <64159025+bharveyTX@users.noreply.github.com>
Date: Wed, 13 May 2026 17:29:24 -0500
Subject: [PATCH 9/9] Adding draft release for iTC review
---
 .gitignore | 4 +
 ...uration-Server-Agent-v2.0-draft-review.pdf | Bin 0 -> 194579 bytes
 ...Configuration-Server-v2.0-draft-review.pdf | Bin 0 -> 75715 bytes
 .../PP-Module-Agent-v2.0-draft-review.pdf | Bin 0 -> 223483 bytes
 .../PP-Module-Server-v2.0-draft-review.pdf | Bin 0 -> 292773 bytes
 ...Application-Software-v2.0-draft-review.pdf | Bin 0 -> 9015930 bytes
 input/application.xml | 11 +-
 tools/html_to_review_adoc.py | 140 ++++++++++++++++++
 8 files changed, 151 insertions(+), 4 deletions(-)
 create mode 100644 draft_review/2026-05-13_iTC_review/PP-Configuration-Server-Agent-v2.0-draft-review.pdf
 create mode 100644 draft_review/2026-05-13_iTC_review/PP-Configuration-Server-v2.0-draft-review.pdf
 create mode 100644 draft_review/2026-05-13_iTC_review/PP-Module-Agent-v2.0-draft-review.pdf
 create mode 100644 draft_review/2026-05-13_iTC_review/PP-Module-Server-v2.0-draft-review.pdf
 create mode 100644 draft_review/2026-05-13_iTC_review/cPP-Application-Software-v2.0-draft-review.pdf
 create mode 100644 tools/html_to_review_adoc.py
diff --git a/.gitignore b/.gitignore
index 508efe3..002872c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,7 @@ tmp
 LocalUser.make
 output/images/diff-*.gif
 .DS_Store
+.venv-build/pyvenv.cfg
+.venv-build/bin/python3.12
+.venv-build/bin/python3
+.venv-build/bin/python
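Review bot: The four entries added to `.gitignore` name individual files (`.venv-build/pyvenv.cfg` and three `.venv-build/bin/python*` paths) rather than the directory, so anything else created under `.venv-build` stays visible to `git add`. If `.venv-build` is a local virtual environment, as the paths suggest, installed packages and activation scripts in it could be committed by accident alongside the review artifacts. A single `.venv-build/` entry would cover the whole tree and replace the four lines. Only part of the ignore file is visible in this hunk, so a broader pattern elsewhere in it cannot be ruled out.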
diff --git a/draft_review/2026-05-13_iTC_review/PP-Configuration-Server-Agent-v2.0-draft-review.pdf b/draft_review/2026-05-13_iTC_review/PP-Configuration-Server-Agent-v2.0-draft-review.pdf new file mode 100644 index 0000000000000000000000000000000000000000..132e783b076ecfd82d9772b878866b58f51ef25d GIT binary patch literal 194579 zcmeEP37i~7)fc%JkV9^WjL4AynVspL6PG{^?kglwzyNWxI~x{~-LShM;l59iLl6W6 zl!$VOT!M0l$c+l&P(YAyn;^&;IR(D|tEyLBJ>9+CT|1NL??c?|cF*+dSMRP@uU>6B ze%uZt^Vvenrk~?~E%{6?(>wK`mbSJ`>!j|1>9x%8@#9C1?d|F6o;ItmeW1IyC)3s2 zm)X8&pw>6Due-mNnON&PwAPmyJ#*&t?hf&d{!DvMXJ+)YTF*eMaXT}%cgD=#9^Bn; zc>jJQMzpk!?W?s909spDt*dKPOY8W)-p*Ma05*Jde@AzBXKx363Jfz&*3CMFtuj;F z`)i#UAThqLeRdCS7qU43+P$}PT>Ai!9k;cUb4s~l-pS*Cx$4MVar0bmbAA`lult^x zFFU2YtG_pDR7%-eV~1M?=;}qKCRZDaq)!-Ev`7^!`khK;j9y1&jglTm3bDprv)snYEtL9fHJ@#lxA_9l8g0 z%2W#ZY^Az?OY670YqM*8<9a(J!v^|h)mktNZzP1M zW~vy87y#(sJF90PQ)y}4wY#%Fqh6Y?5SAIIAb&|roT|8TNj@fITru>FD{k&@yosLS zH|#-We<2f*nWEr+xaan*$)bJ2KYl17e*gfR{Mk)J^)27q9HM$oCHbwaJbcUB)W1(Mt` zu{MyI+)C2hI;l2iAk(_@3^0C-`aM?t-dWJkV^+zahazFVRNM>kdvfmvPFO zNnI_I+lskj&gm?;rLIz~R4P?V<#Ms?jLJB+OPFFaZK%eN}i2)E7xt7Aml<85g49`b5EzqELslTbc@Fy2@ox zwOA^YXb_zexw6|p#Nd>26$sj-*+OI$lK7P`m887pAvgJ4wx}ewP^yr`Igs2mvWtP_ zg+P$pLToUsE>IjpgOK5CYUc}8(xgg%?NGPl? 
zAgR_Th-L@AP4KJPa;2CrLEDND;0nGa1i94V5n8Abh-7M$m3Fz=qEjt{nm&R<-`q+l z!KH9QJRz7Me1XX0fCT}<;64or#-Iy-vGkDH5QLY)Uvy1!LU}twAmu6B#EDvythmwRHKc0{PT> z2zfkPsLF>VlzhR-7V`zTuM}XM5`u?3qHa7S!8ny-7UrN_O#?=bCtrn;FAjA)3}uMp zVK74(PYF({YK+G%XN#q@{K+dQ-gr`g@%Y1FyzvYIhMX&TmI_=OCIWT8NkLdSAaVI> zW=4x4PnfpQz3D9zTPE+1sJ0Wr=Ol!ugvbX^-80~&L9bdO^gM-eA>gS%`9~(f8TWu) z9mu>OU46*ww>M;&iXaP=&4Cdt!uxV0ZbUYvQ5i5lSFAuO5DAclmKHJG8q3%@j?xD1 zic>RMJTY;sxM#rB95i6saL@n=loF6VUMLKVG)Uu~Jty-H5)#swMsc&PP!NG$G1Pe_ z-Tt(_ZquR7OtON6c$5|Izj`UoB^=IiD$y=a`|m8k~181Y}BknZslc8f{d<1Ic_bLGry+yz)RI(V_U|-3uXbJkJcp)gZllAt00T z%&?5nd~@8K>$r~7iQfhBFC1S;h%e*V*igbl+~cBQH7H_EMQ;xtvuj3+g2y*3;d%Ts z-(jJ1JUq=jjb8v*QqCDxGLmy*hE0=FOc6!u0uPDo5a#zt07mgJULO7Pfd*MOj(~mO zRB)Y&fgW}R7)K5+3A|fKDO;xAR*?AehteS+ld?|+m-&jDMbjGMTE;#4t!=S4L8O_cfnKScE#$)t0_9ab+l_=@wDtB+ zWusGPNK$6u(!HszBUTnfpeEC^l$ga(kfcSZJy?)!mDtwVKa4DkwX}Lfu-X-ozmr)| zxe5lnM4CCxB8QiF1RJxts>pGs%R3qm`s3WdYEr`%W{~+sV4chQf6KY4{~mvbQ>FPL z`93G_WFpaSqm1YmKZDaCRO!NGU*wOl5?ZKYttv=#CtE_8Ou6)qb^~U-;ubN_#wu1Z z2$IuM&|U*#eU{6+Cb1zbVN{XjD&@*p8BL`Ifd~C+(706s7Uufji3GoZ*(mHXc;Jn& z4$&`!esG~@`lJ%8q9^?Igl~ZG*MqbbemPSpV%;(CrV{?ZgLN_`7nmrb7@`Xex9f>S z-=SiMDn#EHUmcpv+An@5Qvs%vr78p%F?3Z3fV5QwY0j}snMF87kyz4jDDa?P#wN?W zpImTFRRB^@tN*mrjK!6*7c<8%aoej6<)l!?Kx*UB!at<{ccGH4xYrY~0peZ{(i3-- z1cl@zqk=OfwM7Tvl#RH15Bg<8iMvCVB3-=`RU=^Hh*djWCLj~SVFYv)4$~05>`q=xYex z8rJ_Ckxykc4N3J&$5^n<;J4doWbg3nc0&7eM`+2<{uw zf4xfBigNvc8z9Q{AZON)ew5>*EWV7zsc7Wu8UO$3 z+E&QxC7}UAUJue%$W?TL#VjY?WHj)gU&xVtkrPqhrX?(>qmnDc)FFhwwkn}Q9#pDVY$mM*@4-6RB8~9&JE4R` zhC8$u4g0k))6}8Q;)?ZYZ!;CpWTKJ&ZxgsBjgPIs*GokM1il`mC-9ZTSRNAC|5m@G zBTDizyR_so2k|bY)`RRb$38gLc zOLoG5aS>M%3bss$D+vWVTE&%wQj$=x3yp4;C6uy+QkGE45=vP@p%N_mrhsBL*&slE zi6Hv4w2nb<6hW!hLRY0)>)3LS-hp0pXX)-5Ii`0ywn+k66o=L4%ssdNs?(XX!7<*uQU&eJ>T6b$#7f!L*(zC^Y;UMr$|ihoR^tqQfW=m(qff=?H+BDkTsu^_$Q%j z9)*$^he_CcPRNHjd=il$Y292diw(Da(vlbrKBQc&T&?E4A&uM_eQvrtl8sDAX(EZq zV`p+;WYRhqjHMgFk>wGP(-vC)&^M#hCKho{*)g}{fhvX7H)U4YTf-JEzY+Z~blEWaDbUX6Fw$YUg%(sW4C*f-1`X1SMjcd{-G#O} 
zqG?DOyF%r_h!DsF5@}Eu4MG!PL@yOZtOV_L@O*{BYw-jYg76zskAJCM0(IIbdcimT z0$$=>WjsY#6&u>dp@^C`^w6l2HY`kFE*eHMA#E0YTBKA-Zqrb?bBbsJLOmit0Qy&~ zf#F{oG(H=o`Hx^1y14+d__pl5A;^k#im2zCAZZ0!E2q7Troxu0*ijzQCPXL|DJm%y z5dw`CNL6U51q*u^m{c=TD5#o}Oxd`Giaz8*42T73QLQS{6_McGG`*t&Ce`!??}=Eb z3}ZqQh={G%B{U}U(-8ZfQ122Zh7c8hGaht;5xVFK{h>_=Vn2mXq-g1in>NwZ5~W+D z2rmaaGvQr%W<{M^+BXgl12}H<)A!Bb(g&M;_%d#ji2#RW3d-w*q(0VJvjWB>| z&Y>oh%?g%}v5UcY1y!$l5r>CWD3)=+{28@IHsPbRwCNhd8_o&#abby1?X=ZP-Kx&9 zXjLZmi%3d?t0);EW+tu^u75B<)yQ@#vSAaPZjmfE_M+2|e}`q_RKAv7DIK=LjHEsS zrUnT!v_uK82R0>Hy$9>b3X$SKlLBDc-YCLU*k*Eh44@EdH0=A|mC#nbK=`LvgDpx3p>QRxqAS-rUWi_P85#q}-EA z=Av&p+JppseOqy=45v^|u9K@24L3yD8mS-58?9`7BNek!P&m1=X?7`P8v?tOvPJW& z&{^mz6iCOsSzQtP7)6*HzA-XSe9*POCaLQT8GIP?ij9si4W0mV!)F_Ca`Sn2m=VRgbaTkLlxc0F1On0qltM^91*N<@R@b7|B*HdEiD_sJX==HOL8*+0RJF+7)B1<+ zZ~$B*kB_7_Em%fn^f^r$vMlArL|!`4>!K2tql`^XpkH%NWUb9*C3NV=2CPs9gw4bi z3wW_nW_A(BiQGN4p%Mf3FE^=YXtg(F2bx$3Ks6vOn_~AFkqc{IlrbQfAUaM$K=xRC z=4;hYi(9l{h3rx|;gfSLqoc|toXp_~F03~hg!9MF zwAkUT|Hx%cxsoJSl7*Jg`mb-IGzxR#TsEJlCfwqn12b3vEzM95)Co6r!S6}M6zXNJ z?UVSc)qGN%CeT^uc~FLg{_r8RZ4-px>V=TJlE^u#Jf*oTsTM)Qo1Izd9#S=W(LkDc z2Wv=l=0u=jZMfxA_6WO%M50WpOS@WVk;~JmwtgZx3nsIqgej(aW55FPGmToJYl3LN zYdWxXbt;(8qh=_S;2B z05+Ze;^0&oNjMQX;1gQ1prvV(IXH+3-=uCaQhW+ckYsA*CXTf-eRdw_b>+gHiSnjI z5ONaIFbD|}>#~EM+9l+J1}}2-7%CB2thm$K4M9VD8*MTGn+lBT*<|=^JV8^Ny=oxVlX0gBB-VZeMFiOQ87{39cSZy-a2BZc zA{il))tx6~AWTch{A1-qunVYArCymnS#V2PC`6bWVT)9kcq36Zq9DHzgJ)vxt%!9s z+P#D;v33tm7#@8vt_ztFD}6#{0+y9H4kaU7D2OU5t8^Sk92b_3WQ8y#X~g_Y$dKMK z(gZ2M2|lh%n|^)7MZkn(r^1K}glHg&Ecoq}J@`~Y1hgvPjP$a;Bi#U31gEC`lTboJ zl+chGL<}sU0awiwskqw7Xq6^n3$>)GLAabIkQqmIfXel5f;x$ZyNUX_KqP6%KEa|u zO5q^zwN>+64KRQ@>an+5{Fj)NliP3w)9; zS`mf|dV~#ElUix`=wG+q^bzHh*$hlyOba9+sY5krPR4Y?Z&-YA0bT~jzXgOkf-~ZK zd<>mww}h_|)21d+ReO=BBvPA-5>${$8qESG9HTVJ)T`O0_80h+;vr*J2ho-$lU#JQ zjM!fgO2sDRVu@5VZB~$d6Q2lzB%k68Vegcabng^SV?#Mr#Lg+`)TCsGbB6Dn5(nAx z_JIG%ty6imVPXmIopLg8i8;Bm3Og%|%^G@#k2*BCRc`T-Cl>oRYdEwoM{Mlyf479C 
zsrv0eI7Tk?yTyD3{b}mpA`2M?7e|?jx&Ysf5y#x$!#hSQm3*NYJ4ULQmHH}zV1nte zK(R)Hw65ALs{$`9fQJNL(q|(HgD{&M9a#di4OB3~NY}_IHicUOb?Oos@MT%x6BZ$3DMvR z>7>=4fd}Pj;aKuU42kyg(t5#81>_~gW`9xk>xwq<734}&mi^X07^qK8FY3N|vk+2> zO+}W2VptKY%JmP!E}4NIS*_q~){bi>G(~~pksV0KHRHhm*TQC)L*pSN!YN|KLCrQw zk}X)*Ltcn+_g1)K{7)RPhVVFInymC)q=AT!=0q8qUbkjdXY5kSL$pavZ~ln5sO!TK z$}+Q|IDq2Nsx0#*=}EzX!GYCt02WT0{GgrG7B0k0uyqxFnR-|vHO$|S&?7huEx;;= zNohH7r=8plo4S7!qQ8rabxNn8QaV9cA)3AqcjnW(Tj| zQwZTteyQM5C@)PcIPKvX>A@Egytt`|GG?{yI%$lc7~wtWr`_Z>bD*%N90x}&k8~g>K<%u__mKD7rr>3Ec#@gDTs8Fkhdd?eN?-Ao(GC`DS0XN3q7!44XOC*!<` zL%+ioa#}FaM=})WikTj_fIcT`?{O+C69=rGKRg+W^pOy$)H4tgeo99el|G&=5euMF zN#g8DgwKhNcg#4-<3M6fK)nm5>2tPQ{5hVD+2`=CwJ-2(h$&JyBNLpe&n< z;9L`*)W7 zr-m_(TNihtuodU=rRPQ*uzGID048KZN5be1sui$0n#!TvkdiIzpOGCQ2?i`>$utDi zqzL$QUr-seR&z!RN^47l=^jE%P2D8=EMp(z!2l%#!5WXE&fAJSahRMc%8);eZ|sv| zE|z3?(p!&^vb@YCcpDE3Go`)jjZ*nBeic44sz9A?#LTX^X33xkrbISWAH8;Tv+ zDHLW~Z>hC@-l^hr&_afvcd+t-tF#-E9SS-0hGe&lT|SwV^EEmlt<%Z@Ik2CtV&olb!c}w*3=(>w`g4XC;Kd;c|=WWqP zrrOcl$ub#I>AKPn?@v^7B?emPjdfpO!tSsk;pt-h>E9BMVvAENs*KAl5 zWUdf!*Z-yrf%3e02lb`2nNF!DR{X^cV`m;Z(_9qA|-8M?%hQmde$cAL}Dx-`NbbgF&IsHzyyVby1GDdOUjxju7ukF;I&mXFQvYVM$<&nLTgRo=E}}&YZCLWeBV?h9FtR+di#yh{vy4rJz}{%0MlS zy78B}b7*1eo3D9uw0iwpBDRd9HP0@p@GF%uQ=wNC zr{3oZo?QeeOna>CqN8E4nFs<)X&2FfL+=w7u`5ZJsJ>N>Bcg%vjUce3>c;jnih;17 z9tSxgLhJ8d^;fb|I$7T!SBa_eol4@MwAh5AR;OgTh4Oix)uq)w#*ofQ3f~uoWKCTO zpj_d?iU2jJrOkJ;n3Sp^>)%OPJIaz$y2qC#^>W!!>v_rIFlBDFG_gwCNRxlo?70Co zjZG!yj2AXH8eK+cMxIBwoC=g462syfL10PcQa15%Fe$Bu?OHG-mPijUT2S6$9fN_RL~05X~*mhS++66a$kfG2PaMqo!2+ zGl)V7Di4?q{}@;?p5*bv)Ha`i@eOihNJUp;?3Cu!M%;=?24-=TjW+_us3b6TV+d?wBOcAC#c9Mf z{|xI!hBy`f45CQ>DPUIoOF{B@{u!f^{4+4C)7hkI#zs7ff6XxBvZ6s&C(y>uP_vy! 
zaabv02Xt684)d=UWKqwB^>Xg5&;aAjtZ#(D<@FB_mRitAC8W}L=W*6C&NI>Jm^`{P zS1r5!d9c`k1%V}%DjA1k;-0O9Prm$tIPx;ZBGT*r1~NDpFtoTQl}YzFSEtsgsLd2n zobpV%4eJ<~<{jS%(mUQH=uxpC@Qom_q|8$$J(7Fo+`j2?xyL`l){$9G#XlyB<{tyI z;U5Fj{No!zlE?Fp5z)Z-Mi5w1{wb3l$-icpbgFzwot(*2-A&j$9i5WHlQUt4KYB*M zEu?7wr|zrNm}tJCMqI53dk#U}NG0ORAwZxDZ~)w083!X`8%j!TVSA)u@r@v`q%x@- z0t!merz;rELnOV-Ojj}IZ_G#gz`F`4fFrlw2%n(M0Bf#|88C=K^#q22#?pp=22mvc7?=(J7?|cC-w2XCo_~yp2F5pnz>?}8 z`-CX|HNz()3-hrPFtpok8&$lDIG&0s(I=OynN?p+Ur($+Wpj8Fmt>KnvZP838ex@H z*^CCIu5Ii)u&NqIRG>c_y8osNhS=6u~{p% zJBZ9A455ivK4}xLVgbb{$gxMX@$&Ywn)O0q`zXWPc%ea8LW*LpU>XbmT6TTv@rX0N`rLJs;{$`AxIf1(0tx{lY#By z%D$<`Wvy@OEe6QNW-+z5Ez!4qoNXO-!5@a z@pdUQC3Jo-+0)(jamHP~-Ing~^w<$7WhTYQIV`h$oNk2&xZ6Iia95Ap z;*K`(1*UuY4IM?x#~F9|xTVY#&|I`)FYmUGE8NxNwz#8FHRf`*HWFQ5tR83F<>QvP zyA@1CneORz)%J0PyL#MG-dzX%0$JWIaJPJ%ahH!<;_gt-Os0E!UA28&;jSLHlo=c> zOpQ#XyqBstYcrK!wSAm%mv5K2r+B+c2jL05pjguCafQ2j+)`%pI59KFbWblc zwvRLJ^6i!~gF~YW>{ipGZuzvrTs|F(xSZv;j;kHo-BFvcLPDxg-%D?IN4er+HK}NoB-5bO_(EVMO=-yVVi{HW zRoNTD-&CZnQJda0OBDaDSfYn3=59JiXu}gN8HyhBq?x9dI_BXyH+Mp17gLkhm@3y$^cT(64g~)?`sHOJ;%Xz)e`oz(3X`3te`7J zX@qstd}E!o;2YDI8OPW4^p2NGMuH*nbv>k{oMR&y#k$41lA^h$?TRpesZ_)u2-16c zgM;Ft6{t8`$8*gXk5F8`w&faI%_y!lV-aPL?PO6q8_F~f3F}+bMvZ|0kUH6kj%rv( zr)%_AgAEYfzC;<6eZjo4-cnZ^U~^T@R6|nNspQGSsiKW{3Df0j$|>&UD|VzEqN3h7q2B}#WO4&xR{D-nj(s83X~1klF~Y!YsPqp zYZ|9|El#R?Y{{dz)(lIII#@EX>e$qX?G31u!P(OxJ?E0yZt5INby0j8q^gmEZKtMi z)K8Pnf-wBY?Llz14xc%*JkSkQHx85T#7c7ylF$M(4%#>xfNSCh?Lv4 z1Kpt;v5T&8enPEudG=i{U8PbX>2U}rgymdvOMvYf1!+KRQ0pNjm3rxMN~kG!tmg}~ zDcaj+UobZ5m_-W7D(ZMVa%Iyn#=`WZA~}PS-10zKaF0PT`}n$^>hV^~Fr`8e__`ia zQvNAl6Uo5E>T9&hX=9w8YX(8EIPKYW3$8IJ<{Dqu(>k7O#&`tR__`iaQm!dq6Unuv z_!^&8j_@@&qZkG%)Yni43zv@Q#VH{)XAr%IWp`ZB(zO0F&v&G^0?JxSo;Sko$_0B5 zlDtl3PCT5vJrgCsfoDzy$FLnnPCp1KsVpfAjtX#8!G#sg={WZvhAl1Em_W=m24%rD1{Fu^ zc&;%L3KCxeC%@VzRW>%u^20Jcidzxbh^ z|7azT{dfgBq!Fnfx%&!hy(tsHrB>Nz{flz}Tx=DGfBZ2%{9PUgU$0F@nUt0*8T(-s7k zRFVfo(RWbG}KD(>)Avz*I4=Gbt+mLBte0lj`(fZW?(fqwc~A&F(3g- 
zUE4EGxsFKAEne5bd^2n-v@aFk42lT8DNr_iOHAx|z8M1&d^51}>uyqoQ_drjZ%fp9 z;Al-)s4#PFIuFnMQ<8_=g>WO}Hpr0Eu?EtZ%X6S2&Ac}9hWjeQNteSzSd_$zgV&Iz z!o-756jMnnc~(Mren}qJM2Gi4Y2djCP6L~LC<$$VgHV;R9wb@nno5nNt3h{{tmAmD z27vN*Qxpw}?P>s2Qps1Y#w~b5EFJVzW>{kQi&T6wC?fdApe*>tpqOub z9Uyi*-xv!9#n%B)N%_XECW>#(a5et4e?)?*m`A2LbXI`JF*Ct`@{n*k1V|qA1INM% zCs=>l;63y?LgUP>s_WN=TV1CTN@cjgZ8%__BM=}$qVa1SA6~ADfdhN15h9xU(4B z>1lm3EEl+#N(&5vppaN+{%yFHl-BWFGsYvhrmn43N*U%zt~J9j!)hi=AQdV|B4d~# z{ZEyO2liJ}_J`~<4z|qDAqxc;O?%oJv3{$y*HF2%1?JMQs@+eXiI&@$QVFMmgk$k2 z+VkMzfP++U^k5_)z63^oNJ*`LGSS5fPG1XQT+l=}p!ccfj9+7|=pb34<7dSxD^Q9z zktB^*c0C@+9KN(>4x8v`?kq+Vt+{5Hu(bMQP(*Z=VNezd#h?_|_%cB2c&;%L3KCxi zASG2PHqlXBTe2p)fUex3IsSMHjSN5PLsbk-tHBk-)kxh?u_qm-OPPNBM~R%qMA?lq zylNMxHsR_zm7Va6Hcsba8%}^yP9Y5gBLJ!E0Hmbyrc5~cCb*#!Bb^)JC_B6fNUHi8 z%^5@QEPMZH)+kUmtVv4Jcw=CUM=-}g%E#uU%wZEA&7H+*!lj+{LSuWotGTAkr484T z(mI}NhRqgSGmx_48k_Jat}R&;j_sT{EI1ftx1~1WSj1(6F3&w8)9p9vFy&nc&|%v3 z+}y~yyNKD5Mi0RSPjtauI7q@28<23(@@7~|GzG9Q;A%_0=L+N|c^gRBv+5ggcAT6=<#*rZO$p42lS@F(?a#Vo*w>_%cB2c&;%L3KCxiASG2PF^%R<) z%4kR0jFeV&S`K2h{qOylvMVlId^boS}rWMhv=zu4J5al zSpTB=rHx>Eei`IIpDxeHTQH14#SuE*To~i2!^zM5q%2cLK9XmPwfaSKO&h`VTw?-B zF6lgyQoB@Y#-J3}_%fg#@mw>;LtNv_0HmZ`Q${|LYfUop5r^7@R_Z$?Bzr^Sei6OX zrd%9fjO0tFgOywS?h=)c$kwCVb&lNuC3SqK)yS>B!L?q_5g3Udr+_3>ShPPmK^Drl z)Jrerl1z2dg4kdHkHe^j(*RB#;|vD2*hXB}#JhQm%#Cw6s_&k56zV#aPO%fj5)W-@ zmzM+xZG}?-Vw379Na{KWDydE>=aoZZDl9@VoR?du;gF8z6>n;e85Rc~$c8+cWeSuH z%Mw#M-VW*kDW(}%`T3ueY3#nDxVCuRSL1w+=9_XAHhfD=?0CLuho$&tU}eWQc3@F_ zYl;KI_FZ@v(GEhGZ>-&xZxDZDMg53(R7Mfdyq01-W7y8O=SY{{(&Jc?+7G z$ihxpLewr^&Ihrf9|d+B7s#^+bc8$9$!^1u<;zH0g}G9=5!&Ad;Sd%7qMlT5U+yZE zF+QVf0bZWN{#k5afIF*mKR{qeozOfxE)M!OjB(oYW)&paCe?E_@;a3X^l++pi{W|n zJ}KKxlSl^zBpzJ=R8p%YT}{4-v{!h1qUT9i2lv`e(2=0tRiUeiE=b!S!$PO!q$U%B zcw?@j8tA5CC4-9PK)fk41|*ot*VfEbE+~?li`4~bz8MxeE#EXn6yF$>g$gn#<{MuJ zh#k*2#)3idbpTXSB~&gbl5fp$K`_8Hok4+;IG!__hm&6n zk}{7?cNF&)ujyu6EO?fb((ybqMk9EpuB{c0&2|*enqsz9m`?UK z+*Ie#o<4lWfH?uoGFg0DxJJy6;M=!uM)y^xA=#^r+E$3Banit}aYeK#AHsQUPSW$* 
zXvbb5>a@1->YNm(wUz(pPivzS&YFE%+o(}3t^4db^`KhEK!#3In>f%uW2TcqISjoU zpUVH&dOCZj9@GLw^NzsdL)Quwr}+Qt&^0W9R{207gpDZ=SSedRu1u$T-12~x60+y| z;Ii}wtk^!Ta95989z%0amHOfZYl5B6X%`&m0o6SA7|X<+hb)$&IrFa z|EpBa&@4zLKfXBsi_UJ=HB{>C6`Ooi0!qdwC6r8SSnB$V^S=a>REoxiNy!Nt&m@J0 zW|Bthi}Syzh!zGWSNEF?j`VYC_Ng=O>N=IeDM)-Ekq5YJSE@tuBn~7}Hj!}hgG!pW zl}UHBX&vMQFqL#iPuOPmg4TyfX$zA65GjKkNLP3^Qsy60v5Y~*QaWDyi~$Lz@wGM6 zRI)viYe=@EmI1{R*tp##y17tEg;>)<*42J3ixCG+8f4wHa;1+w8( z!p3m8&d}OZ7YmZPQOI)Tpc3Ug&d+K@^^aBywn7$aA)SoMKWgu#u2Y#pc2`AOyx>Ap z0%YmDa6*v)qy`s&l+t%aA25Vul=NM-LJ=*^n^$J4`Ng)#f?ozT#8D;+lnukQ)Wi@v z-XQAnC`blUKISK78GEiMo;BNZNxtaiT*bFk+F+1C@Jaay8$KnaZakl~qf&e_kh0iNGEn&Y^f`bk{fvSxbhlL9ur$IX*5cQBdWVa}MRKfQNA|pH_`-tLfD%Byu@J*#s zCF+c;ev-VRa8JM?dZ{^{pN%%&Y9YyU19E96mEe0gnMc}G>dwZ9ADdz5 zd`H^ULrQ8>PQB8pez{1px~(oC3HN? z44Y?6t4OF278yd6lx4~dMDnc3Zb0+NFq75?*oY-o?NOAX88m4eb>kr!;~_rrr8S?F z8;Io7P~8ARZecO;TTEUk1jl5BW)VfFGZ3zKhKA=QHy3e`jVR;zf-fhz(|@^sM8#8H9Khv7(<)7j*#ndTRpXbds!fhq3lQ+d7UyjH*@ciH)Rm-(x+vL3B(YNVfSpM&}qMpTNq(g)8v_R zS)^nG31%{65+)paU`V&cZp zI-YBcgo4DE)?8!59mTb#7;azhi-`RNMI6SN3rpr>E0~^qP;^ggDTW;v+k)xn%g_zK zSZWjd3`q81(Xrk_)*MM8ugjW|P(n+Nh+}PH*L!GUgxQCf56CTQmcF@u21SB=OAgFYXtWZHJENTlK)~jf{Tpo=#nz`#)bBs-t1;;cw zL_xFmlr}6gupkHQ!Xx&Z%uJ=I5^8cdk{O~D1U`zkI?j30fA=tX)k&UH90DgloC#_ z-nryCq=KUfTZkX}I!EJ-vf2UQnRi*zpGtf^N8x(?z6o%_Zkj@)6Oh=R1wbX0I5|%# zU>9NNp&k&p63ja-bmy_)U1{PBLu*#`8Wzaxyia}X$ia{}__&Pw|cup}E42rJ)deWTza%^cR;rVZJpiYUgSGaKZpfms^`$-{lBeKJ=tLTAf( z8iifas~VWyM4Un)-cQ5g7KGlKMc^PgGuK5kEOI~%SSD|r(O0{uwEIxksgy;z4@hCv zn;l@eCR??e9nk0mBxU4+ppweBbRTXN2WJm5I}q*zCo4CzEuZF?q5iNespzc9A-3IV z_hG{_b|0~njyFoifCSUjwLR06`-tRPv)u=1(jc3!l}j0F8%`xAZ#<_AcOf{Xv8vb9 zr0S*IM^`tQEK)EOuA|ct>@}=5Etj)>r#w*T9KbDCBhHB71!knIklTborWSgt zb8OJG7xH8n8dBS&rNOVqsZ4-0wQBdNXSC&ZQX5Fv!dviSega&yi}`7E0uqld04k|e zDWi?!1;OvI5@avtAH--I-5Jxju;MYu4bF|Qw3=mX9xYgAU^O_U<4pl$!A#?8Yo@W$ zj^f&4P3dS&(-uy6%vAbePz3wL^-c7RP)ByzF)01J~<{Ltb61^ZNmO2@saAX{YcQL9Q#lf;BTlpdLhByTfB zxC3#JQVwmP2M^?w+VM(i?4-If(JPFd7i#v=fJk544OV^&yCI#1+PANrhPqBA$;$mu 
zA5kyTCqUTUkO~lwh9RlzAgGj1BUgwxB1HR)QlX=WN@X{%mx%1$gXD$h9xQlc3>+;T zG$`~YD>|ys1&7aUodUKYvwN4q<6E;4T02>q$d{dxo_?DR1@qFU} zG2aZV{2H26t=K(8@vRx|0oym>7$WxXIXI9r^n92$aSnu-Fu=E{R(bFT-V!%Fg)By; zXdhmqZXH*AlNPhdtjpzP6w<=0bja#lZ7+;vZFFOeIHy7^YhxdVNK-X#e}s~+1{iVG z3PnRw*Qu1ib1c}3&D-P%5W1zM0%TZ00ZCm4K_!)2IfroYE8-9j?GLK{-l{m@yLr1M zH23`0!-iCveF~Hf`w~+<-tZU$5)3r3^2nPwZl8CVTY?0CKz4nlx3u(IQuau|d1EwXNgto0xpz42)mc1_UE zHHa?Ra2eg>zP7MbkE7t%x4+k=rKSOQks1z*@+VVq)F8Ovvo0KwfOI~5gxJiE?<1c? zn3=N-T$48u$typ$y$%%^l&suh>#{A6z}8%XeWB`<+SfKdjX z3Xm}x0g0~zppx27>HP8)Orm2FXdReBH?@_x?DnRoH8$4HAP1VSd7vy<#-NyId>x>4 zyx}w)oM0MX2S6odnsRuNTx;^Ght@5_1Eke0g9d_A49bF242n6$*8%dzbBeKGP<$N# zm6TJ;#YJ*zsH+~ZpX4%Bt*b0hqFN_qvT1$05V3HcM=A!%sj#HEbWM~VgN5$EJDh-{ z;vIPnC|_-$ft9TTJyR{OQ(0JL^h*c;y%VgdrJ=v`f4nTQ!C**y9RQV7mXxV3AZ-;M zh44HDHBR;MOa@coN&%}_)PV*0EFIsZk8^n(Qd1jZW0`HNxfX0=tYWDh&p5_{LGiUU zVjlmX8h=`WiY0bD-*`X_im$Et#>P8}Z_P+(!SvD^ zgen(`C|b?qxX*}FU`Y3|2}|a(IbfU&wzTd*yXdN!NnI^%uD4yqG@B{Tpr{(hB}_VOW-Ze?zI|G)1^@QddImDCJm6vX zT4#6rnBF;=$vNC8q9O_BEL4D6rMiDh>)5{DnUNoknO>`PMt(Y}uX{%1hok!jB0n43 z+cN+J`!nLehb3|bMLtt42=dgQLE#dS=r9U8u7b~?$fM%!i!&%%x>`&@?eFMmA!+6x zaZROng^X(TB#$FV(d=4z0`<6Muj~@ePp;Va`L=yr;jSLH#JvbpT;M+6`8*nDmoj~| zh8%Z5)Wx{9UsCeq1Le2yi}|^F{{|S zTt%5MPj+$KSq6ohMd8$CGgzt=6zNxy9M;Qs_0}`R2w>8TCPS5+xHdv#oa0r@%!YlA z?y#&!->`CBa6SOm|m<-(vx(JJE9gI6Ly_TH0J-2t+OY$MXkB|agwZbD5qMN}+Gq@sZM@LQx>2j4z z;k&`ccDi+4IA&1|wcCP=!h_^X;ziQ)970dnNLlEKgrsItI{mJ$QyE>xNpe`-Z?A)Tb zwpdf|ns0{fhvuacYl9+4ndq$sHhfD=?0CNE0o66wwpKQFZc%(|Ts6yeHKHQH!JcT)xV@Q_ZMsa!MXmZAlJ6BTcVuv?U@pLk`GD>Z1UP zT5r<}x#%f2ov#KUi-M>imdjivqT!pcG4Am8(rxg{;^+vPtffx*#|xh4AA~j-MjqFx z6iY%<=``)a)U^d91Orss%9XAJC~sHnqamr$1wo~AVUZnyp;RTz%yO8Qp^FCoYTo=z z*{eqQ9nCUj&umzxShF5xP*jOd6pNWam zr}`6^(8wIVN6&C0YH5qeGKaRTZL9aA!hLfWM00D1a{JOPNT!d2(?FETo z!&kTL?T!RifG79Vh)M(1puK<{bjExcaS{b9v@a9mBF-Ynh>8yc<{({YSccby_liVK zHfeM8tV6LlX%(k5L}Gyur^8sdwvVHY6EX`c^aWJyS;U zTskHx^7&XrMJ7e;Xaa0tg@28bGO^|i5}4!*tC29t7fMb|!UC$-Fb1z4gI8}LiOClR 
zA~+j{n#VoV(x9^$_D`c0Wcx`iKAy)QZ9Lh!gG*H;*(wU~P)R~bFepS7>RyC%Y4bRZ z-OQk7I{x^TNOFccu1bl5=`g1mN)nQe9(Ndq&gZC zwb_vqzf=q~s3IAtfLSrnz)UjGfS#Ix#;7DP1G73{NtKbUYZ3->=7%~F>qY{m64IPs z6z0&5P5-PvkUrGT)X2dWa!%HDLv4b{rOD(br8JR&m5C^oi!}~{5$P#^4v=0Rn|Jdp zh=GxdqdJPk5R548BlFHfZ?DgS)d-`{(_IaVZ=_NI8Ke_lRZ&B%Cc~J>7cCu#2TNHn z!mAEgQkj(w#6@3m)Y%3dNXT(ub-sevwd-9)e0*b=--a1?=8*Ojd?OXh49q0YqUjtz zOv6Y?VCu#Yn5I0%AYAjA4o*Bbsi&ICsOjnzR>4#xH;6*{Ee*_yeb1fUS+K79vX0xA|vKqguq z?F@aZcwfXCUPtJg>GY^DH;LsDT4=-4r&tT%PNP(QDyyFG8=rs#5aHs!^z2!)(W!4)T7x;Q4mjVkXN}M9weOz-WQqb1pV|sEHz%%QY}7{-q#!{4fn)BKfCo z41s^_T$1pw=`%Tp&Myj^Imqfck@2G`1Q#e_8YlO;p{~wQP(w*tb&1*UW67RK~pG8=l9 zU2Ux8ja0Tr!BTY(o4vq5m>B#j6F?5T#v^;_7*n$V+w1f;~PPe$McU7 z(ZKjd5Li+TR(>oI|C;W{A~jrNf+ju5) zQ%5cop`(WEIF^n{gHi(oR&}tFO0{wrbU05~SY%}3Xn!1vxcz-q*$XMZGW6`5$2&v) zsVFlQ#XYi6MWpsCHq6r^#N6{>*O5HlD(N9HEOo=4ee6`C__uhSic&Mrso3b9M-$0A zWw~v5mz>`5yweVZdFSC(CkIJYj~z-9-ZkH$-~t@st&b)A(l)C&LL5g-q0dNIlhsmaI3Bi3XRnsMT3Tv7o&5uSwe}hG7qtO(^F}|=|H&q+ zqN8cEo2<$$NthMoG83p%YU@6GPCcmBF_57)suKs=XUudmkS_J9Y`V%6#um8xj;n}r z%7rgFt|o8%xnw)8mT1M;dS?d$X{*PT15%I2?u`iFPFBj%@`F9@mX9;;^6^;Qr3d|@ z-Rc+ZR>^azAX#^}Q^KUKtzvm}wa-&^xdt6*ks2SwDKvB^PmNXpR?;9&1>ljLJk`=S z0u-Y_HPqoJ+k~S>@I|}T&X%N1Qt@LXlQ7FozN)FJeC9T%w#MW6kl62lPzZy zHy3N_Li0_{>TMjAK@oF>Sn)BH&tp)r#E$2iF(9FYd~MA)Hl|U0gE93=t3&e^;o6sK zH-}C%8f7|>Em+O9UC|%KT;bK7OpO&@d9Qwj7f;Eqr;uEcYS62@bYJ^)6Qih>t8J>% zRyPh3OS;I7sLVL(W$|`d#7b|~4Na0P3x{G7)nXMDvrB9ZSz9fLe+N}Yp!4XP6NJ)bi<@5$=45`|%%5~vjhCW=~8sY3DzjS)t#?l$o z!TelqPhmS^@NYNnQVSp7Sy#h3)$60@zAuGy37RjFi^Q+l#!$lQS_)#bYfI6 z*>KGuh~S!XDmGlxSShXUy%)^FOKLv7?LP+7fegk*!&Mi@!@YS6?cj zb|#{O)ew^P@lxQ~Z6TR{`(oh`RQAntEixZw0||oYE&mc+9JrYZjxiVl#Fqg`NhMsm z7Od8U_p+tMUz~xQswk=6*?4Y-;v)4z7iZIi9lk7g?|A(Z)7v;E2}s=_ccS^vhRK5e z23CXeEnd1A2_;H=X)OWDGewHPV)abQedy)mA-EIGHTFyvTw~(K(K?=MjD&*3m)2ZU zo+*-ROU^SzX|~TZfv-!TEGfG0>yXQmV!LEwMvN64f0s;}+ec)vP>+QvALeEFw+q;z zO3T+yl&ZNzcXA>mzC(K+QNbmqj5TAYX&`>2VrDwd1k*^`0t&3?U;NNFX_IE2D!%A_ zxJT1lar}oohbkNcv1s2R>dQo@#Zspzm=3@*`~X??Ms&+`QDx?o%XMT$+!5N-77~av 
zUc?})L?THF8Y+jsR+=y1a^{s|U!XS~ZAPA){ z1nN@4M4chh=K;bhc^1;C+HHtoi*yY^5(Y!0Lhv;0;)QO2Xy^?>@+`W5;60+WP|7o8 z66B*Dz`#NE2qo#~8j-pK!wC*Gm6rPy@gx|cgr$VN!d||qQDk-z0_D&y$!`>pFpB6v z%!m_WWD+2s0>$7~W^Xe&zA0=i@wqtfsgKUi7)WPtw-mogC*fz;HA4ZAD`g_DrfAMpz{tW9-D|x}&km#A9h`0?pcCQRFkEfMJ!_1W&4| zP7OmI2oq&b1-;>zU;#VvU8q|VRLViC9N|Pw7XX3FRwBB!4<$$;6D>_II=Ew~B7h*H zPIqaDV#w5RKe)-(APkX7+BoHv(Y~9+6!)at@PAh{Ajjt-5@-SmVSXy*N?pu{Rc5sN z47W-YG+?6`_^c4d-=R?*nRM`73<`jim8*~C$i~V2BiP=-){YL0qJhe5Vd2Qeq9Kg*9U^wqOaK9W z1cOhMHheIq2C!pGYINa=d;?k1lGL3h5W0jt@;E5LPiVJV$wHSy2~7bn*{dq#N~}5Z zz@hrm4vL0%$^cMM04piv4%^vr_Cv(UQ;Pg#YB=nmzj62i6;5EMJbGOEjevP2w#ygc z8Q?_gc7Z?>070FkquR3&{-~&)Id8)^G~v|tg>=8LIJgK zEaaKt^T|kb(OG2X@QGcJdoU}8C5o-;U=fm9|BrE(LOG%;7*R~($y>T{U5 zf$35R+X5$aP}fbe&?+}%l8|QEB<)H{#hfP9kuyr0!eS2E5=h!tx$kcmSKn{OQ*^W= zAtaTN!Bw#!1AJI05)J%Ii48u^B+p-hV?ufT6cEDz!u=|%l5 zW2!M^>D0u^!wq6wp8n>!(S9C<+|`4Mmn1hcO#;GpS2>03LolP zL=q548_->-0OfoTdO-rJ_{&Qc5Rb`>NdD%?ytp#VqG>{m0vBn1B|N5+bB&{V8-Jux z9=+%b%xAw+I20L*nTrr}8XV;hlt5xIIea5v$YCSsTO!aF!qF+M1&Imj|(#lOMiCn^D3ugFZNWwZ& zf|WG`t87j#6S7MZj_33BX&AA1!if?ie1kv;dnz=Bif!;2{_fIKVKsvbYFsnJsZud& z9t(Vpl%N;slfxZ_O+he8`7-uLx22KLA?$g~C*AW{L>qt{In4WC_F>nL%pp-|-;|j~ zxmd}Uvj@2uv=MiRS^O+P!tEpl{G|C>zv3Q6_ z#q*Z0$Mj%G$J+7pwy#HwJCt+jit2gG*CR!Mx3+2(WZTs$~?*sXpOks=Q)SH16-pR6oRCD z)0-YNyLM~U~UW7|0$!&!`iI0Bs9 znty$Orl0aWW4OHzY$MZ?c@lBP1hoyJ4XBBR_^-2oqZM2SZ6otYeRSe?LHtX}Aj)gR zXFo*n3d+y|JSUPwiJaKWM_ClW(Qk-I1SZp{##=7-kDe7&4l|WLd3c!(t-(L*hSsFk zzJ}Hzz>;c{s+`9`hpM5q-wNV14F15cWo!kVMp!|%Q`!phjZ}nYE2x;{0kh#614}^a z#8%Mb8(YDk5G3UrYj6~Q{`;*U4wMb=m~0q9hm2r|v8`JGl-V|E_L0vvt1tZfXPIh< zj3W9Y$Jjkl+45g$_q5cr+EIkz6Ghe(ch*IFUiks)Hv=XxEcQdOcX&75 z*w{}j0{%DJKow0^}>ykEk42y3BfhE-?X#*)D=nra@a&#I4<>+8D zv2ciLjvVGWZl;ZLmC5pL-h#DS#MEnwymG0c8?0R+If;T$UhRurDbg z|7I-`71A`j7AbWH_SVroJ-q|{naQY8plT#4*q~qHYJV#7QFTiNm@-w1M6A$tOBK|h zA*k`y3>COt{$#8Q>+gDXCJ_2k-4paas&t|%qcOdGowdHqWO`$6{}z-F^$%o*PwDFI z9RRMi&RW-${D_v;iL<5-95%Cts-*6ogIiiBP^0I=GSiBGrCEHhL0Va9}!>_ zNWDkP$3=$O*c+tbzCHv>=BrgThi@1B9rv9VDC#OM73 
z?E~UD+*U6Qe@3A#xA~GCBCz2~pws&^IX0=0v)Z;|Dj6mNrlPT8!gVvP&P_16K~J7erv+cE%Z-j_<;ihGq-MSojrSY7Ob4n+tbkp z@$2hupV`|t&^|re+c&Ls1R1snJLyF%j5kV%QH5TF`H4rJt>hrI3utHrCTwPq0db|N z&gU@yLj;5c`Do&?*=+y@R7Q=BCq;}~AfcvcaTu^29|VKGTAipz&;V8(hu4&FKoBN4 zjlVhN%ppalH#Nd#?9{b|{i1AAkj2s?nA>fFy0Rj`^ z0$MQ?q7864fdNkPZg1rB^=jmCZ%<%z!)HW;lK_hq*qocMROE#T05Y0RLLz(Vz8}9acUipIiMCa zF*8Vnx_CSkbz*{G=v4eBp(7z8W)ZWAVKg*m9tfWd?L6xQ8mf6Z!54!5w55-POh}aJGod0hYCMPbjG7Tla;fGJn-Fs2 zaqLG7B4;`i4#yl8uoot6DCVp{{4h+B_?yTD;N`MM3Kk;GBRO7? z0Az+?+b>8FquW>_^aAtnA%bPhxke0;#Z*{%8kQ1Up@iUmsTeyHoD0z6U!^5k?ayd^zP z-(&N|@5VjCLq`dOm*G@n4x`BXUc6|Yn8O5MR#G@JENY;!T3aK%T znQ$jski((-^c@}>{Y?&sJ|kL@d>HuqEuN#Diy3fX)zGteD*BSng-0*PIY^%bW0>Y7 z)Gs1xn5M-ev8EqtjcAqftK`gfNo4Ro2>q!?sO`8p}}{X(T9mZ}-C@P!UoTg?4=Eic3^O$;*PcEbwJfTo(DVBrZ{L zBfnf0mu0@J(51P;CKhW+A_j?gRds=AmZF76tm>eC+gkgKmP072pk>+#JC4b8^oy=rTnI#!J;tYFC;C36;uKL+ znc1Z!m%%9Zho*G;0g6W|Sm%eNp{T+9Eo)n_j5AxcH$h%Bhhk7Qj}=!`f=#hT zc=H88TB>FYAUTcnlv~IloaVMPSi2-oGac)onaQm?&=T~xT1RhZO-Q8@h&ez0-4QDu zIr-HezV*R#N8G&6EjK^?o#_wV@~eT751skT`_BJh_X9R*z2W8O&V1uX<4zyhdRk}o z{0&$5`X*cLeCoN|W&Sk&z|1|XK7QW&tDp4ln1zdOIB(R#UtjU{C*FPffS+9Q$X$=# z{pdr#{?EFbpa1-=d*9e`%J`2zKH~SYUp?Zj>Vj`R|Iug9R~J0H=CbW4p1tnBMsM=& zq3=I)`kPl)e{jNTmwxH0*_$l9c^1CbNt+_UET<{`TnMy-Qts>ATB*`ugubeAgLs@R?sfZ_?JoT6Vm0r8|a?IdjT( zAN}qL_p{etxZ$~N$L_S~;Jbdi-VI0H_k$PL81wbNZF1FT?k;O@{Qlvup7YW*Z+vpp zoe$k!+34JrR(*TqPqrMl%;{6c?>T4Aiz~OSy454CAD^^*W!EjQ8?(oRQ!gDoVbNFb zeYvvM`o~}Wz3o=NYvOr7{&4m4GV{ODw)}(rFZI5=d*S5kRy%d4wbxkltc_Rr=W>6# z^46PfTJN#9|8~w@Gk^5$`rzb~nu|ulCJzPFQ!$5vP4+ z__N0?_d?Hcw|}{3mCMdLv2E37?w>Y(+3UXCIpy+}&)O%AKL1NoPTFFbvzB`P%v;_m z+;!P;?+(9uscounE%W+P*MHDo`16+IR{qw>cf37+r)^HXqjPCzuWzn?-v-;Qe8`IV zwr~AsdAAkIu{f;~D>XpyC>VWK1 zowWrAc3*Po=v$YYJEC=?YxC>u^UG4_=l{6n^UwF2_2%e3kD1cD=j^?wJ#gFmx7>W~ z$cK0D*}G%xQJ36w%g=AS`o_!e_~oyE_Gr&d-)VVww;jf2=RVc#zT#Xp?#CBxwaXeU zAGV#oNp6do?(PR{ebAyEMttLm$EUU*cK`BUe!k_n@-8P_*?sdK=e^%|(4vDL-ulrE zZy$YA_E-D<=9i~kF;KkvmNg&kIr+>xU!1ydr8!qVyY!;=b=;kH-1g;#vo_p)z3OIb 
zt$WE=4tn&>Gge$@*nI~)Gi=5)qw)*hzwNI1w|4IJjVBhavv13z)xDgvAKGsF_kQ$R zf91Nh`rzddU1W54P->)9(Fdu_Rq%U-)z{^gfWAODSM&L4Zv zXsMjLXp@zO4g1-=weDz}z3})oXS{#W#2qf&>-p<9-{s?~jeAn;#`*&aYxx#`=-rIklzu$D>Pp|m%-)}wdyj#1=bJm@8*iW83>AsD= z_Lp%Ne`S>&u9&~#eitsBK5@^6P-(S61%Um?$cbDEeymsKQ+TUMz`Gh+cUi$Fadrp3OeD3ipKV0eiXI{ALxsR=N z%ji8WSZ>m_bI%<(Z`v}y+3wmOu9cbi^cMXS&RqSN)sH#q=f^E~#*KyBj$g|C<*@S0 z?{D_mEqitzyVNriR-2K3VC?e?PJ8m!W3PN~)2XkFn)aK~t6a9un8Ir>-M!Au`6u?O zK5_kqd#-){5jQ?{&$o7-^u0fBF!%cLn;o?MjGlF#b^di}NB`^BegBoOo%+iDr!2R5 z=JXl6{bs?kuk7=mhi{$wo%fbrev2JW$Ub@fjjQ)Py71EX&Ny@Xn-6$+_!)o9KQs5S z?O$K+5BFwXerMGicV2P+pFdw^yC)7=c=@=F%YJd~1>LWI?cMV>-|m5x_US+G4@aG_ z-u-h=yZE?8XSA#`=9#evJ~(>(dB-2y^X22auRM9$r0=eF_sEl8m^qJR_oxuf?UbJnYSulMQ=S3ULgjh)}0cjI?|al`g=H~7nat-CI@)O`b&w_o}7 z&ZQr{aniW;zx(8u)?2Epvij>Eto-CPzdq$1_k=$$Gwj;e-@X2*j_2;#ev=nh&W<|m zx9?y3(zh!s{r$v&@ps&N{Uc|TE-Y?&$p$n2@nP+jS5JQF$t$KFzQ=>V{`Vs{+<)PT zqnCNGHuE<+LIrxvFxG^pV)fq2NoTEb#cR|zcw%X@V}-{?!I!B z-~79{Ps?{-I=J${3!mIJ@2@X@a`-82t#{4;-ksOYdvB}bPTQgPo)>Q2Z}@w6Y3Jvm|3+?YM4yf94Q=FTTS_TaJ`XV1+( zw8GhY9kTDR%{y98opAp$AFlh4!^_+J@%{y8{^7LhTbYYr-f6{4PTqFI`*s^yIqs@$ zPFeBjT_)Z8;RcsKwA<2K&c3m4+J28rd-cl?uKde;&p-az1wZTg$Gr8{-p74?m3@x8 z?fMP>J$LIlJG{8r%&m8Ne7nB2FI{(=yGG@ga#nU$Y@0Fjlo#f&^1;5p-S(7=&)Vyf zTMoWq+uKf^-8%KPjnAAla?!49AKJQA_Us>=wEWtquDZ_5qelGfsCB;G|NX1}aOKL! 
zZ83AgoT*zK=j8wSz=*f^IQcg#%-?yxb9a7p(i(+xmzn(5CR;6Y>#^sqboSakU;gKN zqwhaq>oxD#`B!Hgx%S?7?AN=@o8_5beQ?Ej4^;no*4v%mTy4R&Ctf_Ru=(W2Z(ZSo z1v4jBzWPS(*!|bKpz!% z^o{o(`>4F&829rB4*SDN_g!$=#p_&A`rW>lopIA$Z}0l|C%&?0>))4o*Yu0UVP>nkIY?l!=wH){G-Po``(VH{c7%qH{Ubo?MGkv z`o{kr|Nhrsy7~4S)}OX$+Rs}LTJ|rOpTFvX2dw}5%4aWDx;MIJgV)#p##Q+@7XAK} z%^yARxdWeC_@}wOXTJORuLZU4}M zHJlRdt&1(o&91O^`&DZX%sBO>PcA?CfcN)(YMV7* zeSV$oKOMV4+k)Jk$IN`|#e1&&`t2jXv&^|Cl#jT6_p6&8wC>8M z+_SnnyFGKy@H@txwAX&8RyK21n%#Nmp&je?cK-10U#_v{g|}{de)*u$gE#CfF;|1x@vVuMt+DBer_H%&PVJCqU+S9w)|@H(ee?bcC*J*w^=Itx#KIL0 zU-{EDc0J@vm)$>QjhpZN*S-DszP0l@)v=>Se|F9mm-oz_|H{6H&Anszls{hf!tWnE zYsI$XPg(Y@6@IhQG3Rfx%QHV3=zV;xy{=tYdhEJ$-5>no+&wq_y#Mt4t8bpS>UVcJ za@p%o&y3yq{S8hVxMa7zm-}GL&ev~Vu=%OOR{G?y1q+_qWBf*k?7zcJH$1=k-Y@*+ zx-ac;>DVjR{Pyv~N9=LUeYKYSX;c0@@Z2r09kKVFfBpM^uHEwaX9q6c^4!XtPd3VK zf5`{Go$}!}-@feVmT8|oyX;f@KXOy=(RV*{(3d8+ZZ>_b$tzCW`77uA{Oqqz-D>z% zo4zx>>l@Rqx$3l={`%lEAHVYOO^@8Z-#VX-eE*$^zv$TL)6bUuV4Fu4Ua{@21 z$fDs#zw=<**S~w#`~$yqEF`xU;Ul{-uAr z2hH93zE^&A&0}2`y*6;|!IwO6$SYIMo%GS7iGTRZhNqmi@f*Wl{m%9W+2t5W{kO^2Ts8S$ zW9MHx`>1C>IOv*Z*L(e=wX*LV^~q-^TyoQK8~ylO&ph?RAD(r~h?z zJpbLxSK0lekDhz>sejFX{`y}ySwcUQxALf^z*yo6+)_!W_ zS$AgV^{?{G?tlI0-H#t$<+iP!`sFVU>hGW5)4%tXhkX3V<3GLdpMUuN6&GLhUdwWC zF6`U!zjKgPfC z(&J8k#9dqWU2y+|YxZtk^IN&%+7I8o?HWBl{`A``zjM;%$8UV_E^kaca=Evjsa^M% z(~lp0&MlAMdGImMPzdPc#UAFx9-~W2^ zKUyxSth?JT^Y-fePObNa@{eZif61-S+&pa9tv5We+PoRxyX@T$SKD)gG0Uwz=__Zh zddhy^_~v=L_Fu643d>xu(ujfMHaz&^VTWFG#cNOAb<+oJ8+@|yKiAv(lyfir+tH;7 zS6%bLlUwY%+&_=}oxDd;9wj zzy1Cf-#TPb+xzd_(6P~mGislHYpLqLxB76`@2@=lr-Co}L zxbtq9I{&77<~{J)%ge8H&(d3ToImNJ8I!)U+Mc7nKk@VSO%DA(_TDkNmapIU+_94# z+qSJ8+xCv_WXHC%W81cE+qTUWcmB^g=icXz?mqXv?$IyiSW`7;t*S9*&9&&K*b!F?7$U?(rMR>iyvh8G)%baJw2Tq!gMA7H!m@Vdj zwBIr|mhCzX84bcp2SMW=j1#W`b7hiu>Nzx8{xY9PlB|y`1F}fJ0s33BhWQ5nNl~;_ zsHv3uJoE$+lp5rA00B0rA>p^;t*501dnp{ow%S#<+G3^I#Kd3KEW=2oP|W-!v{Xey zE!XNHfM=U@$%u-iz)HMH3zPh3z|)Gk*EJsB-Ye=drg`u>pa~06lj(z1hO*_S(5VGq 
zl@#BJzLpL^ILTPq9nFFRw$3Wwz}FR3vd$(BwJ33LF(F8<#4CQmn8$~L%^2+w`#Yo=muV2;eVL*p)6HKoacMYC>l z@XgYi{Ah7;2(^d?b8B%fu?R+L@5yISgf+H+ZlW7&v*r`gW@Y#iMzq)a)Y-=ne0yVG z!qqvXr1`*!kTxm`C(@Zp`mmLf@yxv<41OadJybN-t|ceG4>rP2vXiQquXE^2@}ZjX z;PA(?msH0aDEroSNTw+l6Kzy2s$nLsF13jx8pibp+_6E#HYaxb>xZA;SFqdcJcby% z_J@n%_Lj_6Coj0rbZ2_U+iT>&;q{RBm*x-A*0a;%+C6fu=FjOB{4SS={NcA(yss0A z4i69fFA6^N`p@o(!>&xN(Un_IrQ@EBfa+?Rg~K*t{7f6k@lmAP>b%9~o7L!|-;8CDlPSJtB`Q!4Z?P>&6NVZe69$T7mAOuPVPvu@LFYH#*QJ-quF- z^Nj;#)MwShYTEqzwX4(=o~F@_+ZpV;y{y{2IJEMOdY75J>Z>MHm-ft7ux8LJt95`~ zPF&`Kqh+PVy||BCaObLpjjgqgAs*KDD%;({6F7W34g>a{W0t;ihejmQM1kWyjrmYP zd<4w|qg6t7!&2HD<*hc8vy9U(!NPQlN;%zDzNS)>)?DRoZ2agTmvbpNhXepQ{1%j1 zIV8qX+YeC!OE>e#@kA=fin1gcspBVEE2!&%Q1#M@*dewqL`!t@RPC@RSBHEODN@;8 zJ^w=vRQP5Gk-6#;5};{=70D4-OZ~(~9qVGgDK<)dvY+CMrw$=jyS`;hiz%e#4(;`! z@^xfVvchKSY4d=Ok<1jVoGUm2CB8(o|`Wq2^J_5`Iwb#LFf} z$)`C~w65;0#PEk@hIL{`;EF3UC*i=|dTCk9l->MtC}N62I-jdaaXDH;eH)Q)A7Wr( zQV8`)5wv9Oi}U|Q5LD`{jZ2`{dQ?C+Z^LhAX%FxlxQ9xHd4Fojv#N`cui4o^- zr_n?yu*N~=&%S|Np`c1W=@d2br6tK^g}VH~F25~mVv@YS;E4oBf;Aq`y1WWV>z z`C+9!WHa^XY$KdV#E+8Pd>t!96C-82>7c%@XO!^hUysG(Q?fYqL7fbR9(u?cJ1#!G z%3<={RolcEQD%`vzUAwTpuGXR5D^twagzccuchQ7{NYuu5q(7!{Q&)%`Y)jzWxh^&I(mbN96k z)^%tbN{^eF1uF+8>(YruwWJm0x$vsmwPRiOlKH#GF(>!QcTb<^!0s*%4LzYPowhF3 zYDf4am5sUI3~g)<`*2HyS@3tbs@^uk?GE@)toID`K>;XA z=2Ihdb`;EejzVcmo3&e8ZpZHB(s~m&VdPjt>9B+6{ZlLOj`nQro`(rqrG4*$Q4Bx1 z)7h=+(3IIu;wrZGkr@LzfrmiYkAY?PFunOMR(BZEz5AQd4lGijZWN*>&3~U=tgb$B z4ed0To2bOvLz%4}85j@s(Od_XX8avZafq+wVW*{S_Vo6XYNJGxyID&GK&RitL%%CS zd52#IfQEPPkZMP)-t*Jwx_5!@<7fxDm0g^M6t~??J(H|WsRM*0J(d3` zRV#ZfLQ&IB`^26wt&D~6zB4maKX^OZl(aO+m)VTKmzZcfd$yT3QAiiM^LdLB?6V|c%q+t?sfz{uW38|Y>okylT%Zc&W4xe zWmQpSdqjEe{5g^RC2k$)MRcJsZ@cygh%`4yD8tE!O5O-;m2fb3y!_29rEg~xaT^d! 
zLQ3PMVo2VckSObI>GYHftPT*z~^Bkz(4+!{7!~0V`gW4V;)tv-bOJ4r1#*XKG z45)2JV1;j5r5OTxwc{bSzt}6(>riWYEbtj0g%TqQPDogbghm`2W}h5Bw?s$`#k*Y+ z#Lq6(&JQ0xul4-9vDMPsYIxMe9j9D$v9YJELRH9;biiV#XNkz0RF_e(Ls`CFc6PnR zQCnma#nhZv*honHlu}4TZGOrlnDqna(Pz*N^ajJ0BWlM*h+K@Os0uo- zWL&DwcKhO{qlZgY)xuzl)=-m#Id&y=(`r4l1=q*p$6N5~c6usMb;h#4!^(BLm(e_T2EpUC&~s@CCSyOWnrOlWq;w-X*6pLi?mthS}`L(+qEZyMvGbs8RF^EB@Pi@ z3e6HbPAIPCip%&fPai#C4~k&T@hb=q5L&4`2F3g7{oA?$)P#$FajQj{Y}o+q}oXXr+IC&p_;+$fmOVa+y%}Imf{Np z6C9DQW?CQ*g=8ax3Sjua_-|9$%^H{kdBzL@tFu#)4qAKu=hj|iTN)9fH%mE@RQBke zdWKl&7vD|^c(CR1o=cH1^_B9u+ZLdAaf6({F|# zdo&%7M2`9$!sb~^CgEO!{n%BNT6$PqOYDW{-`uk}{Q12ZH=sLJrrne#0^t&VDG-pY zw$}Suk;Gs*)YEp-P>+F2CIyA9xS5&38*N8^sonR?T5{4XCPR4QqqE1Qp-C3aDcL4W zCrYGu%7g+1p@RqB(9!m|lM8D(DWwcCAFq{qQBfHw7L3K4nirePGFOvJ#kYSz8_`l_ z44&TDkJ2*W>jigfFarSsh#7S8Rw@B4h~bLPldL_2#deiX`ob0i8vGUYOg zeot*C)6=GSp8 zC|oh{T{f~4(pbJCQUfHM(jXKU=Axn$hN3*{<2Y!hWX4VyQUeAmj4W$#k;{a1w4Cq> zk%vCwCJuBI#Jkh^LTF+Y0_X|e_wx4)=>JT;{8X?Mqd>~@_+XAVgv;$YX`4}|s58WR z2_8MKp-!22H6??abj9v2Z~J>R6=ZHXF+RSWZyS^`2%!SLshkbr$&)e-Cj5&xxKM+V)Sk0(dvfgE)-B?8@{ys zJXhK2-j>_d+}P}^yS=tNx4JD>U44C8dVON){5+S*>ttveQr=kISP#-d*4AYhYh!t7 zhdT2q;ma)aW}BXM8`AG&7Muku3qhu#_W1gt7n6twGw6Yo^%Nr=EfYNhw7meRu*Gp_ zyv&A@4PK4@^tZ(Vc z^c!w6a-A!EO@SCX*SrB_GDm_XnoJ&awx++f-zFEb#DoIQkH`1Dr?Jlr-_KsE-xJ*z zA<8|;GKg~u!Ipnz4Srf-=E8RkvBi7^_pOy}==U>YHGZ%_uc#5Tf^pK>}m~o zv4N;7ia*BfA$vSP0hDwRE8bJUykjDNFDF5Z*I}}(LtMz0&laf0FUx6Ad=E@GgX`FY6^9`rL-XiJXj9-KJmerH0ozHRthGJ`!*oc6LzUTj~J%x zJ|O)Q9&Z#?Yl(-x*k2OC@q<(cNhTICcZcxHM~CKyqXIN+qz4QcCkbI4y0pW^Id;2e zh2I0T^;Z7cb!JS?Uutib9?mv`7}ethuYwi<%%a{=6*}#C0)ZH@SIuqk>K#^qZ%p1e z;14T~*IRiJU1+2I8q;-xHgqX5pTHGKgv>)f;F6I_<>{D+kjDbzQ!w9qKCeTF4t|j` zASd?Xl_TYy1f!)9a%;|NhFWn8Hz7Oc+KdG2jwAz(pdko*LBf%H)Bd8NBf9(gk?`f{ z@{b$He{vN6Meh8=SpBc$j;O7T(>J{IEl9Wf*7tuC8Q9Yp{JE|JTzp&zem1w`i*?p@D z^zFor%}vezQG&32m(~BP#K6h%4>I!=I`J%AjYKo{Z&sA0CfUOJHr%q@F{=)*GHy7c-9y#Nmn^YbrG z+xXt?I%kgE*Tbh9HXoOFhpKN~56SaxrWakAXCLR(pG(W0o48H!+1uM!ACIRzbZ;Rc 
zo4e1K{mpNeUSGSze<(k`%gb8l&GRqDU%S(C)9dHQ^vmaZAC1}9Z~Irb_S>&3;IEu| zKBLuMK06IDa@KF}PCj2PnfKF(J{@{*TX$>H(wz;Tem?+2J~7Uu)0QdfLH%r-eJAN>JZfpSRS#w!E%GsC9eK&8wV{9 z8(k|q(5e%c_ZsgsJ5+Temd7k_HQi`+sjL6n#{TmIXV=UQ`0DuOUFSQl4q4rh<Wk|;ILB0Kc1v#k3! zJO0?J;-hhG@1u9+uHU^p>-TSFX55+@aOFnczl84IyOiwsj}+dzcez*L+KyEHuM`qX zy+zm`?gH7mhbvg+8e;IBzN`Fzu75fVa_{WmG964>9#3W5qDgjW)PMiy8yv|_?FpYT z1mqe4i)pJA{$11>N;e)!Uruww+R8)0v{ik(J8DdVq1~^HjA%afC8|FBR4h`9qDq=) zQMXSx6H3*UeAS}Jhu^8vMG9c->ub+LchgDC9kFcnLg~>5ZCXS6Yu7Vg_)pMgh z&o$c!XSZzPdMl^T**iSaJY+35Qu%1K>Tq^vwJGe@I__FG76d$#DVcjBy0ue0klK^M zkWwp=Lf%pdly$9-37T8TtNiR|(}pO7H={wxqG+O)E^OPRDfDL%D`nl{DSU_u>N6Bh zhtV1@F1^jAa{A7}Sy*)FBbZyfcStm@x{j5(w3;@FjzXrppk%Ey6&5Q#@S!(tT{`BP z?eTSTRmxSXDh`idcGb&M5$}MlntK{Ebf|n>(p*s47I&-czFpAoPkmBpednXjXcCHK zpIU1Yt$nT1Tx+<}$ndniWa^_@+bQ3F&fQ2e1vY4t3W<-4vL7uLhYgRl3r0(iLI%ZA z9$6gu4z)`%a*-k<6p3$FbMY#jmwv6+yMH*eTgRNfTlU3~{^K0JlK$^}#XgBOTRV2~<~?(8OzL^{>VBp_gc(PJdm@VnF7b7$>cXDNCkF3G}Z>k=*)6V zFC;D=@P@pAN``_Xrg={?|#^jqu@U!>!VvU z`X46MzJ53_6QV`}5#Gg}Al=9YIh?H=Y|xb}enKbsKvH@bxR0zh6k3uC{*@OcC(CR% zDY4yu%dJ8iyGU@HTWmjvP(!5R36Qs&n`rQ;dT)#%hSb;!er+~2(P4hZEng-^(G35& z={KTnFRT}&?CE7Ge5xl;(Gz^GCwt^0o7IhC38CseJx)5g2TLLOGpGaoAs$DE55lEH zZ9-0(~UJ(PqXWCoHH!dsO^P6tVmw1+sNqLx_JYFW2~B|jqPU8(e_CqHY{!Y0E1f`FXqx_n zn?1Wl5nsT&1U>J`4+}KvoOetIX0;s+_y=8MmKrF!TtPiHX`-b9;W)SLHg!7TGM4WT-F+?D&b$1>|q$Ae?;W=WnWD4MG0~ttb z)Z+NBNOf~^`Fv+y1wnk^M;auEUuX&w<|utQ!boKBoF&_N`b79d$O8GgaKQqq9SVCc zx+|v8ETI}C@Nu9afx$si#6-plvktjLWNdVNgbIHXA`_@oGy8ItWzyJqiIH<@5~7^M zZAV5YnUB(;p(EH(lM|9s$7xX$RaCW{C%5r7d=@`>qt2G<9)0*N)ftT4Sh=Xol@NDTVUA!@3bjb5}F*8WM3D z12gD+D{M919``wL9%(E!t#V@HDJW3WANoE0z@_e9*a+MNEQZU?4Zp_!!qL)hB_%B; zam3Mz6t-C{4b^6it44Q*daSn*`Yen+)@1QRy^s-37eEEsQIsss1T+rDXlNkd{kG0J z%QTE=0;0a*#>Y||RB07-T0QX;r!W#CJeD{%nc8<^Mq^TLs|4@_k?b0&BUILMhVWKe zZ?csOR$k2-FS`|FsFVn*087QRj3JZM7!5-?IR)}&e?0B=qZ7~W{8C+EV86IHf0~g! 
zX%}BdLq~8k(#V3HIvZX2NOw(X9gm;Xu+F0CYs~d>&IoQKtQ9K=J6IX)CP;yQEvxxBQ zN(3=vS8H3hcnOzv(loh=C#f_U&FKg1bC}U4o}2UtSa0xFVFecO<@i-(!I}#A8-d0G z2{!%NWMi8u5)iHyI~cpTp9?NNx&E1!BCA-xtyjP10UD%ue?F4lNh$hHMBN7FAj=m#?pYpda ziv~)27zkTnOjJD_;PX%PAP9(R@@47dUD?*wWvx1)q5Z3q5qGwsFWwZ8{A`PgeD-k9 zr0aq9VHqD3&AO{t^UUD#Bysg!Pw>V0A>&Ggk)>qK&3)tG6Z6Eg;wv_i0?)tt#R+N_V|S^f zcCVo3#0fiPOO3PGAJQlX3 zl4S%~&#^Jw#Y2HDK2#dOJHTfseiO%rZtRCCui8uvKH3>p49~5}9ElDPn+=e|3h?uF zej`-CfnWxL79~&Up$xo>8sWco-7Ny|ENcG5tE1NS7U!^Y7y zc8}v-a@hgKzc9Q0;Z6cdh_KqOm&>5SD!=N;hkDkgXR5D3>~@|3t4-X^{I53_7|W1UJtT{RU((+2uc4iD>kEe2=}un5 z2oTJSOthPlGC*9_cyM8fMQGmVK42A(O3!l&m&A>|{+6{96ODZme_25t-u z{Ge4g!;E|qXafoZhea|&^b7Ds3)~72&i@_iu2~BSV7U2STOX)h=hsm+DZD_#1P|?e zL`S^9T_TIT4$EWBF#gWGTW|x!ohl?ny+U>Jc z_q0EhOLD{)S!nPI6iJG)`xI06Tmuy%7LA?eUOWNInN&>z1!)p!5VW)-x6K)HsoNC~_G+Y^)XJj-sj zHiwF=m$_fVp^59{W-4{;k*UUQ>lChenY~Kc)@(Sj%-m+y6A>;%G?^YKxu9!S48JhjeUSBFIhUfIKkv(UC0 zfPZJkHL^LkbdJb>AduOa-ac*kE zVc)*#sL>a+skN!0m75W?;T_IB9@W7~va#WKKjUrV-L)O{w)ruG(F-R;-QuPN3_*_% zAWo>9(LISx6j?LRmm3~!VEAbB?AW)%qEp)^}sXq+L4(@7bF zHmM9a3-Xk$4w%c|`x@ri5(w3{C+!PM29O#j zsZ5iupM;XK5(5tQkpPH2gp$q$r&x{=XjQu~_rF|VEj`-?)J=?Pspkn{V>!AxbX6DX zm?$5rPRQz`yYW!!E_ua3{oVQ5yRO<%_`TT*?q|AZ{H1ayHfusYeMU@<6WtL+B2jrE z!nP6l1IT;vd-VQu0e`@BU|$s#sobRR+II?e{_Z#uDvwBy5EIe|cOYV+a-qHoVxX#G zKK*tz0d($e!*r8cCtt<_&D@+XEFN7dPm*@!-hxaE1HHlj45WCCv? 
z%XU3T)R?7pU^0#^Fhyw=;pN^Z!!0b_u?wTyEFv&v3$?qwLO*78hP>jc7nD+ZHD5K8vX+4HxKJE1EZ@cjEaJMbP zir}w5AI8d)KJ(`B4Ia;{4Hv7kD9`FWpUJb4bQ62Z7l*0!YIhm`p=w;2?x zY!&zHauBP(o8V3`r+WE=Z^gM{OF%Ai)HWL8dVEU8ml)=|_CSosKhWwKd8 z%%hspzjI8BP&RIjTp#OlW=ZESccr;YV6Ng?<^;q z)VHPDtxFd@`jgz!RjZ<=)2G7ap_F!gUXD>cjWORiy`1=@Rs`BNaiwn7bct7%#5h|D zHkrTlRLxnLI*a8PGG#@*qFsu35ftE6im+te@tdAe_oF08B0)d4T)`x=mmxr~6!Jjk zncC?HW$+GpP}pxgq%_Fq(2ZFnA|*$-QM5n!_Ihu7r#c&1nT+B-Bh%ZbbTx{9QD#E= zSR8IJiAf0spMJ!4c+7d`xO}96jGw51z`B7eZT`$$Rt842y^ZUg>8-`nL+a0;H>;@9 zQW9>i<~Vo80m59NeP;EoN|i}lyw@o&R+TrpscF1xS=wslL~G2WHF&P|KaCcoyMK`= zorAvYH7cmc0@*``(4=|T8K3sDsI1L(#>k}p7!p#C7}KAyAvvXog#%eYi=?0aATbh1 z#iSRQ0J2HjQ5B2_R`SMjzBnkI39MV2>i9%nkC6Jq!_Id%*R^)AcjbY1?R-&h+Q24a zs)asxP7Q59Vf|>gn&44w7U`4Sjg&7FO_k;9Znw7x(wJGTzu3*a&GA-KPSM!FnLiM> ztdgt2hn_zb&iN7{GVZeF`oi*;@WNXfXXNJ-Ijd^1@NYUz+<;qw_w&PT8L)uf`RxPJ zypdW&9xaFSpBnirXCbYWzil)dpjiEUh|U)0&o2|6#^Dr>wtr_= zQsGrB9a+CUP5BLr!OU5TO+)_rPz0~==u9-u&ySg9&zv-WE@%Wf zf=YF2#;juoEF^^pvMo&^_1YrdjAa?km+t-XTj-qA`*iU#nLZ7mn0$v9#-o>W=<0D9+XZAb_--|-y?=X+*6bNefHtuV zCXf+AKidOrC{jqnW&4y3HbSq}@OaWIW!wD=PL%BB|0XH}O>gU6x^qZ%J+2=gX$kZt zc$c=PK-67%Z(Yw|gz7hwC!Nlb^R-1%?+|yV7n%vYS>^ZAbIkSdj`THnS1Md3on11M zTu9Pq&I`&s{_*{ycrhifVtw&#U(DTQu}l#Qy$znZv8mQXDS@QIb-b&|g&vA8zN?B_ z8Jv4+`%fKf{beP0`n>2$ne`(aons!mxBsKZP&2~oB1#Pn7$udxZ@GVGHd+intA+A` zasjE;nl|h6MJS)?g%&r~#->VGo%;O1>MHry4MOG9are)U6y|luMY1TK;_lv=myM|S z5TAQ(TL)P;NwYM`b=6cbfnOKR(*`f?O8&Hd8^T6k;=))y9l5&n^mS(pgu;RfWM}o+ zosTi&VjuT52pu8(Nm-*P>IoKI)hf|ZUPEFK zLzyUxWU6nzo{fi(eERf{O}jhu#myTE$^E|G*DM`hz}mkacjHcJfF%S+Nk?DIYxBEf zt4m$-ad}=&>z``uw5zG5(Vm{-a6W5sI_1dre#SxxcX@Mq25EctEMSjqH9dd@{Zxr` zHH<_DkshcLXFNw)kO-=ZRFZ#c#Ojs45#wn`vj;?qj@$}SNuFvN=<o10NGqr=I z(>wLJ={gtA-&EEhz>>meCbzWAukLp=XlbNkUT5KxQLKAONWj0!Ul3cKpQcaq zKAvK}UFw|$XQyU*nNV686JR+FL7UFbK z_nSU9dN~xVw)UO`ifDZA(Rxm@eqHTqbYk`Mn%Bc_qHHAyp&?XUpf36UI+X zBY9TPbY2rLJY3Ep9OWyt62%HM9^Brps4g0+#R~Lx>-70Mh{Nr7On&747r;L!(iuin z>W^`}VV*Dldx{S~pF?@)CZS9Oz|+-WrJH#Y 
zypFNTR1#Nb+r+mbeoj8I%-rSDnoxkH_7YYvvj1<1ZRSrXy4@23D{YOGS58K={<{xw zqAC|B<25rf6t+qbqvN>Z)JJ}Rt2Hkpcc2b(4B(HXK5l7Gv|O(`S+@4oLzRnjn_~Fu zW#2kPIfzc0{ry&O7Dy(hE*9ww)svT;O@_A{eWkhpMA0JI2N{FG{Q%85~0_~4F)(?S$ zDFR6j;Or3vjo5GCC9ClhV8D}IT|6h|F-Xq~5Z4OS%)``$88#NEoJ+?bKQBZ+Q9mKJ zj}byh3QmA*`F7wCedrbFBSz#mP%^c+csu&8H7}a|c4cNBmOrJLRTJXN2 zX}2qFKR$o*UOtBXC1@7x**NhUZVFy#&UPbqu6dTHDO?`B>s60gUXX&-^CLv_5=zRz zqaU&rqjY?19j$4mJ<)6o8^;g4LX$vcy8 zmV?a|$}_J1veb?fM@B`bbKoe@Rv@$0^KN2U-mM89qN-Q2W4(q_E4CnNH3}gnDkQ-5 z5j2;~;o@LoqfxFBSGiHENn-Bbpu2A_86I>X32>~j`uO9B`Bg$b*q&VQaMSGH(K}Qb zQGT6|m0P{B?9#~|#|jOE1Etn>i}0c)D5p?4b3eWh2&@7%OSI-IaS4 zDZ68DC5C5nPZ@hyN}YtNhWsoo@5L2)D5d@JD(Tr3*6W5oSIV)ja=S@Xa65}Xw!mTo z;8k4ZWc`be{MlN}QnhhN;F;X@3U++^p#>&rP;5NbRG7Zy6gRqE2y zy}i`q=C3_d-Hr#=*!Vzk=;F|Tg+6Th9xP0e95TbkICu_c#i7;j#Vi2uE<5?~vWdFv z!{}sDX0$3`%rd!<%C>A99!F;MjF-pn@sZdB0dZ$b&&u=kDNxZzdBj^y`!MZkNyE;! znL;8frM#F>6z>e4j_%dX0dnZyu+&5o&v+A+sAuRq=t04(m~|-B=eIY>e*cQ!&@8J$ ziR@&YW~b7{)=t6-T>esS6z>QiVmiP%^>8I%C!@`l8Iz2bPdtfNECZ)T%NP%((YlN7 z=^4jFcEoVbg=$zgJ?*R6%URrKD$C%tH|cU;W-HGU$E&rq6+ zx>?zD9TticB!-i<(YO^6@zjl!k}8wQ;MB?URQ!G+{|P0ibQO?a(RA0~(H4AXwL1H> zn=31dS}v0mG&md>5@b5*!j5;st}neG>uRj2?XO5S*L+!W;cZm1voJfSE9Gui!&LuE zXDJ?2WsB|ig_|n_KMNNhk79XrBB`bA@OfHfn4_Xb9@7h4!2JNnb<|s_PdQfkB1YR2%S|Q8-u+NEc*`WnkgEd{g?7vgI+uv8 ztBmS30_~vdmd)-b@Mu-zA#$TS1;HL+TyPq~=t9#D#)Of$w0u|?rK5sA zW*%)QKXwuC(Fi@?TSJKke`CRwPFY24vEgD#^62LhVrX1aDxd-OJY|jBTMZ+tUChCS zZN7HETESN7>FX61d=*D%o3C+^eL6?$ zuyyrR+k4=T6WL1rf+d3;1TmVZh}jyqKA21ghFZ#}!-`h;s9Tgrb^BG}N$V zIMX6x7$W@ejY&1Hz<>lCWZNsWOzQhSnZd3{(ZC@)2Y;SX( z=BMvc_4V{^5fPj8aknTt%jmy5%v%-Ruw3xcik#3|S-JON({1GaGS&?d7 zTG;4u!~|OCuP?m#cti4PZ0ey-H&Ew$c0^J@tOgm`B}NhItO7dM>;Q- zx3&mi=wV{RyPjvuy3(^)ThGj&Imkz5M%n+_HT-_x{X`i>$fd$~lR8lo9G_qTGL+UrRe3F&CeQ zG5U+5#H=;aH8i7Y^ATVrJ9_591qG-s28!r?dkbGQWRjsdm~!OdlygLaCQTbBi6h>X zfN~%cM@g=T!-IjUsuSH=Mhdh|09<#EcB6?-y*F%^;k*-Y zPQ11$XgkI6iMA=+Zsj4veBfM1!X_j3=xmWWG(D2zI}w;ZwhkFYISB4OiFB1IV4hwZ9ioZmIGWa2)C4eblH 
z@YM?YVh*K7Nzp4_<7;vq51!c-9F02c0UXn=s)h!HwWQjE*XVXa%o$=pJ~bVN5PGDm z`S-9#7$2%}Zw*y2q@$v#*j=ZegLxKx^fRkyWokW%jbbsBN9VGWfyc7Nj+u@vo^ z@cgFo59p*}qah3E1d!mIbv^-k-w;fMczRsNcPWE%1leL-7y12gW`r0#Xp}|y%2$?h z9&Q?(R4|N@TOz%IC=5HJ`T6Bs+e$+LurHNF91j(03=0Y94IYs0T&9_Va$|fl(1> zssxvg4y$5%q5_|W3a@H1$J-{mkutGKquooaQBk8a;2kae&whR%J!a>2(C6f~U|34^ zDw&AvjqB> zzZsf$hm<6R#9nS#sPmF~Spp7i>&fW3uI_!w2!g6>(@OqKr}(dTy%d?B8_5U)UebB= z_~8>1vU+^5iA>e6ce@Mw6Q*4qD2EWd>a4u=4BUKNY{N%~2S>H6^Yi)0bWJuE;?t_q z(lwU_W0Oto8&#{BRr+4{4;w7&yJ@)i<}OiFavY}VMa4zOXeK%11&&Uh772^BmexxS z@XHk*p6=n3i^nJj>ClluQ#6XLOBNfGT&t}b$2FF7ob8#Jcu;{3!vyD{s>vRnPT`I1 z8S$#e8S%K-*=Zmpd~KE~xZ1zfun|14rv(f@RyH=IYkTdcd7n?jf_fi>=Hr7EmNS5` zbqc-n4kw{PDEIGwBzUIz~xXob6q5E~rUF#dXGAwNlIM zY$}|e`lHg&tj4l_ZiQGxSRXsEoE$v~tmt_wZ6%&b2i#%02>vl{rVKBtX&3Q$J4D=xb*Z)pF ze4ODZ=;q{JZ22d=#8ThgJ1G-FHfO1oyXb5=z{Bj1r^!^MON`t}v8fmw?P633v`ju` zgRjXfN5wWHONe?xhyy|RNPsrnf-Hy^aBGfoNYTvC3KcYiDkwlriC1H?7DemMDX=d0 zE*~sydhRn037RwHgFOpT1D44B%r;a4SxF|6ChZUSYl?VzW@zi;ohc&Rg7({1>`B6d zjac&U-`+uZM~XjZ{%HR?3uJ+y&Gelkjbx8#0V0 zQf--rQXc}vbL1aO)8~ut7HwD$u5F$VO%nCgFzA4lU3rcTe#>{+Un= z+D>?%5%OM>Bf^x};d8ATle*MEzfU^-7SS6UKO4E^BZXKiDStZSSD*orszMtZJxh?U?rT24(3w3e?0 zs`~=eMSpUZ-y$p%Xcv@LDjgLmM@AHuhacr*%}vNA zx{cg7i0c2Og{2}#n2bZ7L{Y#-tRicaoFJ@OxS2cUOV|C?F1`mxqJ)fEI$1AHCGiql znaWT#vF7OA3uAe{bfx4sg1{_Dc_(u)qd8Bu`B#%7`m%glCxrmASjKj`CK`w&G$%>t zKD*p)3c2z!mcuhl(Ww;3d4e-Y=(nuFKeM&|8xaiPTn4xJPZ7*t^)LV6WuggS08;Wl z1TeyYDJn?lrxnrv1py35=&xCYf007}R>1tNfcaYi^S1)#Zw1W%Kmh{+tZo0HlKd%w z0h|Q@lm*f5-f%&V0(4P_*Ap``F`2Mll zfr&tWx;6b*3YaDzVgnuh+Lf8*ERHCAR)VO)9s)(Vn7d?TX9s5l+$^jhO+gBlL>3OE zkQhmMWI0ViZReEHhh;9-zGiTUkAGdd^bQ<6j!JC7HDNxtEoMt*?+aZ>5O*5Z<_rVsa=dMAZ z$n8S;{^+Khe`nsr$c?qrcb^g`B_9oAMj3bCK7Ed!LSE-g=@6!mcIYO!ZYX88|= zN*+r}`L5Ee;`(0G2|?IKJU5Hupdlv3(mZ|sRI+K)CG2sV`a@%Kp*Yx87x$rbb4iAf zTWrYx|b-#Y~AOIFv5+y zhNu*Dw(E~Cr{?N*fRpOm+i^nf++Z{wo-Jn#j@*=&3YI((9fz- zW^I>0NucvyEaCIulAELCGb3}%`fF*W)(2nN#LU7TDzgdWl4X7Pl_Pa@hrRKQzu5vgqr<0%q!f!xi<{KR#qJivR~m=9}ovGHNRP?lAcQBFc{)%cDL 
z5uZUKp7^9^c9m~KYSFoW;AKSQAZP>T$T)db9 z^%T=_gS9lK>kE3fx9flo%03cO{YY#3Qi$}(O9>UTk%Y&wkdcu@6>BIm%ueSB39hytTL|D)-YalwRB;NljA^dEQz!Px(l@Ct08%3TJk!Pw27_N_Bv05BJJ01iRPPPh6PL-CE`WJi+fuSRZzvNIvr%~wjDC@e7faEx;DNby z5|!}10eOuTpyb$ovJE`)G zntVWZsqxSO!Ar z6gXn}!74d)cO+zf@Kd=mn)H|Dt-eKKg-TL!jt=O% z_LOQ>Xb-kD?$|i2s@CtyGi+ns7SvMonM?2}ctvQu>&;+s`RR9g9y+sRhQgMKsG|Ty zFqAmhYCGRi8Rp;+V0$v)YZR(S*0%Mq&)+D?s6x0`iV@pEc17b5m$)lTe(^fgE~BsC zJ)(HjeZYO#y@P|dwBAs9OTqsIJ}nK7!Ud|iN<=@^Gg5H)C$c1MX3G%l7y??BcY-nk z5t^4+mt}5;4PC<5xVIwij@`>Lfb6KexWBM`bTw{ktMi1A+0i}b1($bY^gYl6yQPq; zrp?icg(X~k0d$i34SBEVZ4_yCcoc}tC=Ct!C$JNh@77>&vmdo)HM4 zK0P)oQv)X<>jA5GLobUPC9Ye8IMa1MKPZb!N0L}n_4n`I`<8X|reTqBuNChtzl12-hV1qh;Ki1Bg}uoKa*LEoB|@#an|>4acKAlooIrD^la?&OZ+mP zqY2~D%U_5#>!?n9JP1ufrs6JZ@_v}hjY`q{zP<@R7LCLmiY(Gf9>cifbrN^z(DUW? zF6fX%5-wMYXN0G;5#e0x%)#i!5bi5~tC5?sd7X(yp0gt#+xkA2xZ|AqDt^hM+zUmt z3da+!2s`=EYRk=hT0RziUZbctOccI!O$mUTL`O}pM12c!_`zw+_dGAnv+H7qII{)V z@+)+roXz}moNNa)-wqAauL;MDXuA2ti5UhOpAyu>IB554Q}vScX=wTtnOLfIxWERi z1cYX_?REKT@WKyM4{zgNo}75WEYCW>2`5*NywwzT$_VxrHI3L`5S02Rwran6k#p$X z3fC9eU41o3Rn+8be-10_cQ#WtxqYFZi?^3Q+bw!gy`zT4tjFXNvYNX|LHUHcTWh6? 
zlrsG9mwM#Abg#cR9C3uVrW@&%zZUvR-gAi;M9fWLR`_Oqikz)nV}ggx@Tyv*;Qsdq zm5^C=F{0E)txaY6>{LND`V;`6JD6dn!OtAKOz=Jwv4kZLf7`jxr|3&h zW2zc7@61JV8n_X_N}W4s$Uy5T5Jb5#b?2<0Q(%7gu(r;0>ZSIkDUHK2-v~iPZ0*sv z!)G9dl_>16_gSf{`XDV`R(-Wri^~zQIdaJk?eY=I47UmUX8e3M(k@Ni-|+IgZiX1C z(m{A0{ZPJh3g$IC-s>CG?p`}P_{KUvefasBr=$OR=}KaqXiM{yX(rM!;M>r^0Kev9 zGw#Um2w$}g6w;+gFdYRunb73Vi05wP^RMUA7j9B@OOmO+wV4&PYn`h!)s z7c+U0m}doDcamiL-tHbc&lpTBHsSkdg*Z1n3cWCEIVPIHKJ(>P&~9Ra zy6PCIFI9Z;v80w?Vdm$t5I?Kzy?ryn?yy(wyiGBKGl+VRh9psXwQO3Aw4w*$U)GdQ zRp$roLZ*YC?hL#h}FkjM^sA#xExr_ zr@W~Px@f}#Mos2t!&PUXqgjmg^7SuO>I1NxsRTAa`$H2-CWLn3_f)a8PXiBVvg6*h zG|(pK2XKuCByD8yU2?!%WlFM~H=rt!6RmVXaMBW|3xq3=2l{CLkfv)jvphQD0qmy2z}0?rEAE-T|J+thYOkoA8SQ9?M=3b;s{q(NMI6cz|yv-R|%CzZg%?>GyX{S^)DB( zW_hGo3bV5jKJcpOVcR$nkf2MgZ0Bpy+fNm~`L;8BABq#4CDY{3yD%Rnba{Xf|7ldG zObkvj>%*b2&C#%T*P6R2!@snb22o3N+g+Wf%GmqPE5UK>S+Q2Od5LO7u*t8Ii9{Vb z+W6|D?&SfA?fd)5F1ss+mA6~%mTqnusy^k#MOj7AW{K1aX ze3*;nD~r)u20ah(Qh2b#o%?NOQp_jcZ_Ycnf9sZg^Hx`ICT3wcv6)$VR*u3(P4a5} z6Vj7XjI#Vn_p+eg=BWfrKDL#FzI$uVyuEPQCLK@?H*SU^_ z9R5*U3-Vzxs+$&R&+AmU-TH;jbVyH^Gt4$V?mh_;B#eMoT<~=hUb74R>fy-7WIQDD zVm$c%yj3Lsn%|7S#n-8Evu~@frSBByCyMKf0_|!|ysN zJ8bxRXj>U>2AzECG`z2FYir`EGuK6#)+zp+CDZWbR0w_8%!{x+O)$---8CKJQmKnY z^W2soL#wXBugcFYEa-S6iD7!gfm%5F1v(R5yT&)GE(vz++TPUro=PABF17T{nL2RP z-tn85fEs5+y$i$cKHBs?me(q&tC@1Vp4qgW&9~}yKXE7RD`G1^yY$N=IL$z-i zFGB2nsav?Iyo|B~oCd3m?b?+BI)mhRS>2nmW8MKy21avzX*WCxu3gCEa(w173;$|_ zS8ZRF&dkf^&@bcgk%?g^lQfK1W|1EEc)ozXy;vjYVw?V9$x3N;j!JWkOUcS3?Od6s z;f#JKCzA758HSqj2Mn~TJ?6HL=;9yhHt)qQAn=*(%hPYpypS$J@cMI&7twWmoKvkf z$nUVk_xqN3^Gqo9c9nJ>!Ayzne8R?AX5tn7$g!pPa?tG5UQ}yL?aW^K`p{-3B zF}srpueHuD{B>&Ix#sWA`m&{=vm%N?CRDRACS8rhiZ>){a@N{TLLx*u*W|ajiEV-f zwjL>QBz>fHea)#(W!oxgK&1V&ASs8P6em#Sc7*+C<#5~315uera07j~XMegFmo%A# zvUbzT55^o`a zmx`tAIv-bT5}Kqx{BcOJQjBNT(YbS)Z=I_%zc<18P(GG&=JHPCnvm{JEKyXMZPlJ| zc?P8(d#5^iE1%4z=PhomR!C#m%}n*Q#t~5&bc;t zYvvIDu~;+4zHGU zj2%D0ShA$JAzI?UbvIDr^=42z%`g@7jpizQc=q>~Lmuky`NF^5!^`;=7{91UinQih 
zw4=BWuQwwVNEz{ZKUXUdKxkScU|jvgqBq+)q1m@pC?Msl%-#sol+WqsI(w&u)t3hi zP~`#1M*mytI-aI>`xc@6(6d}*u1{S}qfS}m?Um?PFZ?Zo;)3w*QVWaAm+QB7r?<#+ zUz-^7(5hO3?)4Uo*-IuIx$f1|SZy?Zpx>d@;rxtP4SZD>G}(XSOk$kGCoqzSVvt2U zws>UhFf!xqnN8MJ#w6G$DE-1JV^F-|wuP7OH#OOQo$GJS7>eARmc^KLaD6Oe8Y`GG zs&Kj1+d?J|WE#XRJTt4<`1f0NG;i0tN@tB#WbOnE;s{f7W4XuLd3*dYIDt?fbnOW8 zaN{tOn&fL)o_vbV|6F1GCRYoFta8~?k!-5$TnjkK+!OyX`8k|gUN4fAz^ZxtuG)4V zB7k-qglT=nQme?Jj47e)K@Ub5r56p&hW6WR%EH%M*J48!5&bt{PF4Hh`G9%bDxQ*| z5UWjZ--R{ns(qcdiHOz zZxhWg4`g4W=zpZC%he`K6(&Z(7uonM#r(qBOF>l^4EK3y0;X`t3OfObT=WVN0aN_r zo*>*<7qX1IcusVov0MHGBnk_~>x*fDwp8Y0qY?yNO0vA1=`zy0as-81tm1khm#EY$ z63s8gJo4i-2zL7-ErPk?dYFK7PbTTojS%c%wnEJi#r%eT0Rj@4s)vFc-WT^CIELWh zwl?cx!=zj0)Oc$%-{Gz}=(%!_<4vL>&9Q z6S=T^O$5bf}x0fGOxlgIi&EhwfBo63zEq6 z@0}@~>}6H&E>Unwh%%kMkIh}~r?ygftW;Kl(NB2i&iog0r^;AiF>Nu$ZOY5B4$?G7 z_`Q4V9DW?V(U!GhtzgRWV~%R$V^y4IcsZOQph z#Jj09%`4}ul)NJ!crRU$!jM#n^?oh!=eArZy-Ne92mo zc8)=MRtrK+COzz4OWm{Ue5JIrOqFjO+OFQS&NVC4^H-3Kr0Z;?$F$X|jiQWuUrF|e zP#6D3=A8N_-%7TdcPhqhDW6Z%+K-+O#grnT^!h2%p*E@c(62dKrX8Z z;Ymn_GI1UyQnTH6=EQHp9|WWZ{y)zm3}l5omuQa#^f!s>ZxYqtB&xqjRDYAG{zoLLU#aH*%RIvW zEQRYY64kF`|BO8K>)3y1`zMJCNaG6^22$_-L8AIsWl;l68&J^m{ANh?@WuPcx*dOKp-u{1=D)`@h_kVJzyxnYU2?1vYAq1h& zpD!RQHj2+@%kn1%0@iq_7t8HGF<}HiE=R*40NW28gNgu&iqYa=5P)uvhKT^Iz~3>|C2c2r$5WM2~}@WCLhrp>SZm zh=##{(c*UuEF=O3lB)j}2L_?Cq@!bCVAMH>A<*jugCM{Nh8_n25|jUqL50A;2!W2l z02U`Y1_zRt|Bk^C5P&9%j=`a5?E`Ky481IXi2%&c-^zl7p%9Vt7y@8~{vHS9a|cF8 zbPR%iPeDK`bzn3`kAng<-E$a_l>HoraxOu=em&zLhzJDe1?U*!e7z!w^YsG1a?slX z@Fve)8&v40VC1)Y0StnEy#NMesQIH#q>oxAJF9U7)%w=dKM52A&@DI0*PWhMM)!<6yul03Ac1k82<( zSOj2Eqs0MC^mBCp-2=UE0qYciWsP3;e4l|rpukE4Jr0IGmVls8(7C<7G<$14yNer~)6Ffd@ofObAO6nw5P zz<~+rT->>N3j{?70V^`J^8s_ux$hTv)XqIa2$Unm?`2`Y;`BTQIoAha2*CCXy{riQ zT%SP*0W%F+96|_XX7PKyfS1O(?*kzWKR0G0M9$60AQ2%UU}gII`G67eulL#A%>r`#L&Q^rXZ(i$go!u; z&dJPHSY93{t7qe8&%#M*Ys;uQIa=CSxx1LU**H1kES+3%3mx59F3v7Ct}L7`%Vj;w z1*h!nY;R+Z-QhZ0SXR}AW$Feu%3HE5Efs}jwOyPn+|A)WDP>o48ygEJb95D6jw9j8 
zcoIb#XJ+ckvcLg+Z5LAyM>tKv69CXsCyNE9Zh*%EITC?HBT$JX0+ULokYxzeSp>o? z?z;f9HusT3_E0!yc3^yznmen$K zfCD0deYDKo&ECclPS6mS;4->b)6|S*?~0>STTcPT08!tS#eG0nc9}EFQP~{ho*^CG ziIY{caa)XIP>6U2(@0o$g$>Jt<)ZDvvShii9L?b+NCFFNT%GMry%so`vt{At;?5EV zGFmA?i1OrxQGyWw{C9G9biK2JAj~7INz$AZ*`1+t&*Ve@q@!cB8|eJ2(VFh0c*XDIcxbM6`Z-NFaZyO;Cx)o z9fkR>s_F_{)m7CJ7FN*{X29)CXazVrosK6^DL6d~VOcd2o`56Kae9`*hVoPbl|Ztf zkZG1Q7L7(@(&%(5our5(5%2^elS;I0~7BrwXu=#AYRhD8M!{%?wy-Nv8u= zR2qdwhrbr^0mcDd|BhK;j0p@7l%5ABat@LNGM-GMvE@w!z7q*}Do5fJ8Usm;1d{KG z?12y>dJ0IPBDMormcVi#4bBN@44p|LfOarwRJg*VQux^d+-udM4uuAIA#J1qo6s9c zY$#lP1D5jikw&DM!`%oz6HjMQi8RnwDkuO0?!pv-X5PwZObvla{My(n?Ih!=BqkVe z0fv(qbUc;OA;Yo8WkIu`gY1Fv6vQ49h@c%~;5;G;8j~gb;%X0Sb{ON?I!*;p|j0zzg7wG6n1 z-o|QW%wOwUD?`XcJd@j~kr5{{P?MIYB5c5RgMc}9nu4`(pdM&Ig6yUdL|q1l_XG-_ zN}+&dv*4Id!LEnjgmX=H`zK}9$bcmikF^%8w-Icsi1T0^Ndz)*3?$T!4z{J@(a~+A ziCH|vAo!pjhK(ADPQ??+OdRMH3AG6vi3nx`=fV=U6tD{DiM9}kL?)iX#2(^6AyS|p zAX12wo`4}iw?-fmNkr&?*~pL>R6LjiIwZc1ErOo9)RJK4+l&uJ%0d$I#<-QFu*|qf4$8&Y9JhmF===vc-0QVeEP&W zXD_TPY-j{tp#>-(I6mEi$5A2yc${;5@Vbv49Z#eo^tcTMtNG8qjNstd_ZzRYElG!b`cdZnB81X>zo$I|Mi6j`UvyEwI(v+uAFh`Ht zVdvF7$?@UJlN^--10m3&UWttlAWv*ufW46!AH41{xNDhl(c!`4p6I=_pjYPhS$~oi z@-Nv=7jphFN2F8P{kIu7PA4T`FFEIWWaPN^5jrdyrPW>nC?bK`YkLVg#0JOLnA?Nw zp}ho)NJOI*WH0$gg7V1eA`|{bMto@U+5?|X_ohkkf#k`G4`gp-#Rsx`4DPy>@nOUR z$#<^zGUKz1oy(0xCXh*F63GI-DcE1=_&RX$*?w%7t^^r94S(<3+@ z_*d4A;{gkR1LMeZE&&vk(tBeGqGE&NYv1ib_Rv_88F(_Yb7T2eLgK@d z*Dm;UyEjdP4LioZXF<^ zktQE{FjAorJ2D6;uG(t5A>h}!^%fk;b{;wdHw{lEKqQ|#v?XCP3z(zE4$q>%ERX_0 zT5z@hUuPHK;ZGKoC{fCZX4SfFq=5;x~g_5@rj`~KOa22b`(0-nMZ zJ^ygQP#%Pbrek1ahvo<{nz@rLsC8Mw)FC$ULx+()n=Zr$pdN7s0`OQc2HGB?g~O|E zOgX~y3=|2#o`4`cd_&8FzbNF5W=p8-I04qq*%MUgU37Q~VMYDVgyJELOY3M*#nG=` zOs}!^h%H}49e2VDo4Y}weV`fr1)as_VBnq(r_Vq#|B=ZD8WRPZ`R8Fd)1GbSRd_Ld zU_Z=^uxFOBCeXu)&(_HZfP-hi zcT4esE++VDAcIy4+aUUXO8;l2=kljVYDH~T{@7G!Um z0>_*a=y)={M@^yKgMv-rzh_|A`({IeWDH1cLd~X?7lI`HuXB}ptL|+X_z%>*Ey%x9 zcPfJcInTXNcfJP&b%UesBxEUiHrPiQN-#u&K^PjKp&(Q1P`v9%#=lVbPKo+Ig+~JD 
z+Rtytz`s}cb|7079`a&4n3(GfOSYMY)HFP$XT#lg4|b^V5E7*gaVr(0er|(rDnUQIQ(A(%J@PuE+X+-+~@~ zZ`HmnqyK^0w*~o^7M@IoAbW3In$`!~=n$lXus8!+GFoFnMe{=_(Vw^Iq}$wV8^hrq zcWXe)3u00`MfLyGTu{wB;zzfIB^bnP$Mk=o`kl(LhZdjXqYxq3*PFpB`3)7 zXP$zo{{I-;59=CWeE}UJ`kf=+k?{Ywoa?QUx7CDypyX{q_SU|$y%UHj!mL7%?0dTh z1(h6ztZeUHVD%S;NQJeJ9hmxVFO=ch_O{>Mvh|Q9KqfH2wc(>z5bggp9{Rs(vb}5) z?F8`mO`;vh-Zlxg-KWqQkVM|2CeiM}HoApcMC-yanCoY|J7`fKSEFl%AAxyy8a+iC_ z>bjXaI1_OToZ#v1%`X!mkrw(a5{;8BhB9@S*kpANrj~Vtbvh{2fa*>BKV7H+RaW@B zLJhKNQ1k(-sDaf=V6XwQS5I&XRbVSyAu$lW3W_?&8Z0xjWtp=d;)s)uRqjAn(GALu zj!sZT!VuPZ?mV9;?Cj2{~EopvT3IsB9=y zHWVrw3e*BXz#vx#`(i_Z(I$4phC*dSfn-&5l7>OyukV2_3+e#kh_I{*)Lg-MBTKV1 zGbfwP)pBxkf`TqKmNF_%_K>!y>u%osNIMjkU1?+CX6=e&VDt#f>N)8<+L)s%DGYWcmDVa6hya8r zw@Qk^s?~6Y4hwr}RGg!`y}c2)h6`4eMUW<}TnnnA;R=Ewwgruy;6A{v>|!XTs!E&< zi^njw!2xMDj?5MT9FXCF&3Y--g-hXpEdVJK6H`ZXYbO^OHz()WI2ijNo=cgSn%g-# zdDycotXK}Hz{qSI3>4Ux%*{>Ap@fc;ivv8#GBLL|wQ+#!kORWI?&=0bZqRdZn)A|* zpW(u^baHY74P;rcEKPt02)eOhanD038FU`%g0RoqIJ#jacu)}xTua(@+h=mj1Yg_7*r>Z5 zT}bQN-%F%INf%gpFK8+Ftsl2E4*^Cx=-sZ|3P*g!cY0NthdtnI-pyqi=4OA_r~Y8#ub{7Zv_>{wotJqJgr8q0$9>*!lbHyk5R6ema?K z+Wo0lVHvc_LC>6Bnh1S!Pw{9d}k}iG(Wgbh`eYUEzZaY0c<9 zSiFcnf=hC`9kSrbj-C77TVWEIc!*v6b78iE?V&JR9~2ZOWGbU%drks9B(*~VIF=F* zQ(7?8#WE2DG7=Dn(ZUw^i)zxqWEdx5{tr!yM1s&MT4!JhAth}21HaU%mXPOF_T3dmwW5U*)2+q*=$Tsp;e$Ze*389l-)coOpvimiEdXazgcj*XiYx=MyNM%s) zG#Hf;Nfdm~N&?YIcqRqMeI6#<@KDyL`z3`quSbg;U?A4(*K?ll^7UOW^y6qWtev8; zYt*m_q;XF4XkDWqZ(#|sAhUV_3!wpKg13Gc@tw@*;c`n38m+MS@M;6BXDf%POsK=x z(Yh&lsu^0E$X>vMY%A5GL;K0@>$@yQBPbFFVa{62Udf1$cGLiPz_=RSBO&#Gvt4T< zA60CTb53+1^X`fXEv`hZwKF*x%G1c0csN}kbb11FEmY_nx!qvLo@e(Y`0pDAB$r?o zq_vT8PV`8At#~n@QE?aPBiLw_eUCu#=@lCm_e6VO-IX5XUx2F&OL{wAb_b1&?Y2<( z)=MI%^ItSJZgco2?W0v#T$S#Pu(%8b6WA4pyWQ9jnQUNun6;68cg4kRY@N!BVnMN_ zP*59d9b8ahkuclM{DXn)u3rX@D%6haU@bK#Q2ZOB1M7vNuZN#XOXXf z<3CN_=>i#8WXK@3D;EoE`$-+uy+B^9KzUWPmY2Q$7WtiM{Vp%V4h=bAXaaX&1C*Yx zfkgusY{1gS@}i*(R8M6W?8M>&SdmY5ol^d4sO%X)nE#_fTm?#UVg)|i;fd0=u|X1h 
zV1-hoP^1Cnw^CXy`@dgV4JApTnqG&C(mSu8%T8%QY(b+vIHFRZR4W|Aa19WKvuI?< z7DIOlM~x0Gjc%pZ6~=;8RNabVuR>lX{kAfdC1*KqIpk1RJPLjg11 z3hTB_tC^Jt#DP zunbfgT@jEkR$&z;%rS|gm;pd;*DzWeFcmE>hd2XzGo*R(Vl)4~QINs%FgjjI4>gjZ z9fQ)b)f`0v`RXG8F{p}iM?|2zS{I-HsU+~90#@wo0$>=n=mRwujuTG?=26X1!=zgL zXV%)2As7UGVQW9ZE(G$QO9JXb?IAmeOeRCcc>Wq2Bq%NqPI0G^4{p5zq{Nss1g$#C zUBY4;9jP$ZtMs}b!IT%NIOqfGz<(5I6yxEcgu^G$BmWFe8ToXCQg_ZHexI zZxnb#{YD2(?myW)NHhpablfqcE{lU2pd~oQRD^H>l>H;pVH^)RSgjbg%|_rqZX0cG zd(4f8vquULGHg?am0gVbKa`czg@*EiSg@EDRuu5NSjYiJtN7WmBk=aHoebL62k+43 z>?nZWotP#O?O6bYfccR5XZs>>K!fpv6hoMB1}NeBr?+-8?(0aPXeNfO z(y%TBPp6_3swO{5{z{qT`S!k-&h&WCkbZ2t6>QDs-<3 zIy?NteV!e2?7{P#AOjUoq4fUkFl~(<@ABnck9@geCqdI;K+JU+_r+PL%@PG zd>7ixWU-y5e-o79%7_<~;hyLbqxqPD+CwX_-bjrLtQ)NES~WQ_m{z%QPxM}HoS;mn z@`0jA*dU{`E)w}oXtWQ*Of*{Njr=i>3F}nb#0t>B1Z~B_R~-x+dO~I{_+MyX1D-mJ z)%ojqu{W^b-?jzJGZ%B%|ANfml%NuoBl5>7so>LKyi+H)HJ#F6sGCH=5cKxKq4}GX#&v< zI|ho=P}{@mnFWM`XbcESbDV`%1K4`LWBW(y#5w7nw76D=W1;?u$>Pb28~J7TusxC& z53eq{+$qk$0y zcL|IJFM8L}Ogb1l?yv!AGlyr;oxv!y{j0k)b)^4lQ}-9i_oVJ7-&0VYN@uC}-Or5a zIQ1UeZ&5J&5^c};|Ij9hkiJOxACP=c!hzq65P^(M_@9@24_-c;<lJo z(Iz{EoW0YgU}7ki-rT{xs5B_lHa8QfQ1P$r z%_ujx11z9)B%anb?-eQ-c6c)x$}SVyp}|Y26-0vseKE6bmMoSi-VP0J0E z2$IR4SgYdXVgcK`V*7j&U`JDwg%4Tr+;ntynmS)nv8Iiq9ol^p)>s(whaMneK|nzW zBBeDj09_CXf&>7Sosx~Mz2M6n#uE73;m#S?Kx!)*DG6YXCHZ&u00;^B6@m|-OnCGF z+Lo1*Lrh_k|CB=9@lc&kMY~P*dZf;Iyvwn2$1ewU!h_PYQIRj_~uh$F{#kh<%2v0D@!N=h@?DUv7(+Uh9tUFg_Th6xs)N76o0-OXGn zo~SrZWN$>p#|UVQJfFKavf_a1lE>Zll6jCg^z~X=9DlDdG(G?; z2Rd|sjcXHscr?_ld+_DnF$dhx|H z|C^(tXt68w0UZv|JBqCmAiCKB9fG?(x6T;zMFPP1fn(kAoBka2r2JQh0=m{Fw)ge# ztPzdvZ?6g2X*;2dcYmh3(1FAVrk3N=MML z@m*+V*&yJ~m#g+KEF4d0JQIMKsa|o2D>W{tUPz70To^3-9!~CtQLX=cUY3wze)~a+Yf%oY-w}0iT|(23IRg_+nYo2 ziB{_ParnpCATV(OY3rT64U(53SC#^kZICoWAj38vuq!k+fr(PRpesj(K+V}nXfW9a zSyZjv9{+H&qpXp?$eSU;dSVi!Y<7+|4YD5L9|1-xmL%A-4E+aNTce`qFtLa-y0E-Q zPG%#7_OaPiAPLP2!qy{*NQ^vlxD(}P(@B=yC+#o7=>MvQP4{cFb{t5D9G=$j8#@O0 z|5zZM%q~X)0Z&&acNcS(D^`w1+r`OTmjw|}S?vXCI9WZGryEXI-2vtZR5;(NoNsjq 
zeqxncPymv@at#WHcfVK-yI2QAH`|2Gu|g+UKony&Cv4945*Uz}1#u|BcqlJu-Tr<$ zn60+qQ(oA*{p~a+%udqUfagW7`S0hrQ_vMKiC}025#knvK>X<<7R@e=(n&0uYw*Ac zC!)7-OcKnRVQ=j;295EQ8zF9sfHEd+PVm|sm0*Fl<7D-hs|%w)I4Ns4H)lCnSq~2n zJQQGYaB_t5I&M&h$JE)$1H-7)0DoKYaWH6Cpr#WZunXPM&`NTMcT*s$L4tW3SW*Cy|IS&!Z{q$EfmRlb+Cd?-P8hOqY_!hpC{`q}EBd?f?pDg#ujf+U#oN1KM?0>C_h%LmVOI&5wuUGQ zEZM=q`YlKr?9^0Xl@YsUL2tBxjR%((U7*no>nT{)t`i=xn*k&nKnH>YlK@TxB--L& ze_=embAyRhgzSO~-FiJw6F3-fsqfrK2$! zyK*Mf5W@~&Y{x12hh61Tqi5r0&%()DvMenL;Ni1BBntv8Cni9w06r}EK#xje!iP?P zow4CVg5N~=rf|-4?t|0pd*K+}gN`Y1KZ1eX%Xt>Suwej9sGJ7NRN41}eZqdDXX)sj zocl32=zZup^bT|QAbimM9pC}0V0d|PG|pg|%_D-atQHy=!vac-Lzp)%SRhm&yNi!& z{FYddYlsVg1?*_d#*9M^#yy|{!=8_uTuyMg(hY1mB_Fk6)W8#N4^ZcKhy_rmAhZ!` zX7E9RMuGzlV+;l|Xoxg)jDCYsVBZ{Jc8)fYr-#UfbM+9cEq1`>KXOgs3Y((Ng&|N^ zlTR4@or3^H5U69T4M$}$^+Kw`r=k=F9CK6;69z|J=}bPg;jo;iHXX2AphzYka{O+$ z0CHqtHwoB>X#_%w%SwbaLJ-)E+7}XuVB6wDOhBJon>-ec;WT-OAGWfZ&Z(BkW;KVb z4yb`3HjHw(X?c9)@OM5PlEY6HV2_!RzcC>cBoDskkNrmM0^ktrY;D>cCF045ty)+> zijy=b*t7*pdh(ITKO*RuM34|ya{q!vu9{+&6_LeJTdWbH21)IbOpc7%V&zDmEmpw{ z&Ccu@f3Mmx&49R4k{t#MExqSYqSIUO~oxSWof zV-q>VcO+54JYhaM1$+elj-5*oNkQQJqg(RR(0gs6Tw!;rKCfA z1yYsy@Z}Fv392ARE?m43j{NxkYgx6U2~#z$s5+uaFr%7}rcT`iGU7GI_#=L!z89H+ zp7LMNq2cwlbdF_5)zWd?12!3)4xl441arOl$mrB%;F7_wN<3@EX%0LU0+qrJ!+LBRDA{ih1LR+(Qy}2oq)yRpvnYIn5H+aS4n^`+oIKfi?NpemfF%cP zcrXCv7L%q?QE1+^vr^I^ODGbIK4?i;+tlRNt7u*lOW+XPPGViVM>@}DM$?!$56=2` z7`hW$lUuPPlvC016dSg{;{O<8>cAax!5F)B&XFx?lsXUQjVE}hN`*Od_Apfgb9ic~ zw*3MY+SvfpN{&K!1}A!p=ouCqEoU|w`-}(^E$_E0? 
z83&qP3^tVvmeVqu6}kC^R&di3N~G95>4K&54Q9+-*I>HO;j>vwenc#tw9I7Iy>-E{ zuL%&obvfrXjSX;jk##B>GlKTs#PTG*MD2B zQFBEhc<+eNJ{LVGxNG)zukX?5MyE1?kUP5B?`$gLJD-_!?j_=Ujux1Sxi;_EVVVv@$kOY za`OyF3_Df5ZqoLhgGEEE&pfYx7!%m1+~LdkWN+4>>myaI={F}0Q?l_}o>ew|YTmZk zdI`O(OZ|V1xG0$u=D5hv%Qj45@0>`fi+(g_EhF>C?C~E*Pv0?Tk?{rk^8M3f3wI5D zI()&%V^r|!5i;GVKyf{@-~pS~OY7B5|;J@xyLi!M z<4y5C-{bP?EA!@viAi2aGkmjT%Xal?+Yjk7r1kenE|<`_^DGpCh zvC)PymbyB=%F#JiH%=xDjn|wr^8C!bhqm`s+&^u|zCCL+V~zz>BI7Dnl zzvDx-Z)`ci+$mB)7&Kx))J50+qav=Ss;P(Ml?EAK{XRYtsX?`YeD!w{P<40Jn{HK$riYFYEIODgEyxKGG zo<-7wevhW5f7&yCRiuLgJ;UY>RWhL7ZTXJS-(p)o5l;EsK3TFvyGicTsSzTyZC+(% zK@zvUissecxq8EHd-%Brzv7P^`7SZmV4S;GSb^WU-T@t<{fT2PyPCWcerOKsSI)9=o6*nA zfQe5pUHZ!*D6@~yjYz4Nw)^hf%@cEH2st;6QgjK4Ssk`BPXvF`&824V>ftrJo7d>sz-^*j?qN>V+)jwMY8;Iu6`o zbJ^EJFHB73;8s`0oC(kUsW%2)dPJgM7%6ksNXTmI{^yVo z2;Yw+shZp{SK0n&8?}aw*g4$fv~Q@@>lUww0^Ktok5qqteg5vwNppwYd>4CHO?RZ^ z-E`NXMFl<&eH*_H_c9JlNxv7J*U;B@_e`hvZ{s&wHza7L-c8XN5|}+|)ppB~E0&Am zR02$zulEZ#S~E9oBxB>3zG@Sf-qK99{?d2kdG%v9{qrv{a+4pu7?f~?C`8+_ruKC6 z<;^vdf{!;2zfKG|La=E{)p_vLcjWQguE*b=U$9U!jCk?^<@y)zK;tRr8&=)!Gp*m; zYmw!lUXgph>+Trx?ZLoFE5h*7i<&cqYNf>cp6@qfn3UB!|3}lSCWtAeDjiOG)ptgJ z)~q8j+EL2y%s*sSuCCaRe;2aE;P!TNqrJ_C(n9tw*?ZRF^TCBB+0z`as=n}eC+&Du zdc+*nB;n)YMdOx)E#3EHo$%8v?Y&`IB|9{?h96pcT#~V3mg&^|0TYe3)Q648KP5_; z{3SeWW<0Haz?$#2+a_P#A3oy3<~ zVJqZ>f81NJ#4FG)C~9O;Ufs%Azm~bNIn7fFGdIR5N5J&pMn> zT+@(!ZEwclTH>!S*X%L^0}ck5H8#V<}Sido_agrEnW0o z^0vc+c0b+59JHH0<^C$hnfYX&*~^qxT#)$T^oNt%hlYogOW)ohwQIYP#)H(c zb?;n#64lIK4M-kk|7>g2Fr5V1i?v9b=h0UcP7r(9`ssT&pN;(wDDVo?%bPW zw4UzA-MC-$ZbgE5J>%E!ijgfR*4ryNrDlkna`L{rJ#R(RFKXVDT7uc!J#SLXR;Nt9 zlx{>fG~Bgn&87`g%*II5Hl7z+JZYVO)97`f8$Abjlt(|Ney)2cW_Qr+Q}MkM{pJgq zix+8?=9r6|-BZ2DN5w}ybBLnJ!<7xiB_=a#rf=O!@)bM%cG_q0b-S9!^pROR0e?>M ztm2I9!Tr|l@N}@Ld_1_8o=`~-a49)bm$gVsT)AxB_;2sYO>?T|H;%{~b#MBW4~q43 zjxJrQ9bJDULCE+>BeOXBcf6AHxRF(2YsS)qYe(Nbb|gexUGAux{tdMoi@w-BmoBH~ zFYP~4{dzI}tewS47pdrjH4|i)j(9b;vHqd#<&dx_7u^N4UviH$w2Q;YPsKqaQ{I#~)vN!_v$nFf!oL^OMhPU9SX2l3A0kJ*_;q z+$S+@&G}pIv9pRV 
zBn2*Qq*yh^E&ZbZea(;T6J?euR<%*#HL=6J;^gZTiYpyg`dls>d+R}C;!aVwhfAC5 zEHV&4lgsCNd`i3Xajw;=pdq1e9$8lhIb7VZ zHl`tJR`H>+j6qj+oK*2jU3_NdD`r{bWSiM9Y^sE*xv!n3oV+6O+Pe7Za&3yU)3Ldv zs^v4rHomEiuYKS-GS2PA_T)0ved5#RX{zGV_uQgWg720ZY;(;DlDgoOeD(xom%317 z@@5m6BkC~}n|^!m<>>_t)g0e4^5Ol>b03Y{Lvq`jYBWkt_hgEbLg3})v$v~D*t%!0 z|0Uj{Pl=hW8ybWc9;i#vx2#Buem;IKwPY<}w!+GTHi3!$#g@jlA2RTj zqtTBe8G~M}9`X2^Mrny>Q)#908Ony1+%5f8T|fHGK49+Pni?f-bK9%JZ>RAtqy64H z9=hqod?y>`>7JUX@Z-@)x?QwJU9HI4Xz8=&XZ+vlYNpVx-wLA6I70HDH9$N4keBSx zd*VM+MaS+Or1!%9V4`m`^3pM*h)@Gzadr!wcB ze&Y3b=L{3~VNze2%WYzfsY(u`6{n4Q{xoCLmgw~BHM&^}{%GB;_iPDHQxy*+E_<5i1pb!z*<3s^{)d}M@spMNmEOGi`Q_QI;r0{P?D$U1 z%x2A_J*+7oWgynH;#)X=-f$CzH^G61VYi%g?oJz1Hn}CE-@`Qj8P!2S^-rG#tuYd( zZv2?+eoZ7;edP{|+~=ma6b--msk8NycuIDUp65rq9YLX)|Ko@LpFVi2PJy~SYwJ}RBhqOGNZ#jDGv5$j;b~Nsfd-VJ6eh0q`Q+GM%L}Wjx8Xrv- z7kzOlc=h~E@jqMqhwXXctm9+qt-a>O>fI*$m#%v$W>WqtHr8D;zP^NcdyLDM)tS?y z=9O7*JF(`((Uq2B`tqt`%!aWlV^me6ZE|0JetFX0|0T6qbf`U(WMN(GYHC{gKZmgP2v9Y@?bM8&lk6)+nMASIF zYHHFO9b{i$`CwK0qn15G?e-SFs97IP9PVFhJ)yZJR!z%;S$_HbuK>48&AAm)$(nL; zE$Y)}RxyMt8)f?D6xkt(IeI zZ1j6DZ@Br%*k{~l#87U}GDVD6z!$}@&|&U`aQCEZY@u()1--dFVi)XcbU1DEoXI~^-`;CJGG(`p!i1k1>sxMKwL17It~xU3pyk?8 zW&4&hM6cr0m+3tfzxm>6>P?>+*$q2La_%ikx=nW~&$r}^*t_wuEydL z!y50lObHgRi+ee+;zpQkzaPe1H~5a!&nTD^H)33}!(9EDWg<;|4JTQ;XYAe;bM!^> z^{40Rb7!SrOsu?k^wZI6lS+d3OmknMb5m{C=CtXvHP*OEmi(?ctDyF5{i;$IyJZe* zt#?Vue=7=)khU{V&I*%?OHm;%WW}G3d_n%QrO3jjkuu41>|O`4S+qe~_OpM#wK|4( zQEbHfXlxRWrCu?ZU}88pI8E%8EHUA0?YGNDag8Y-A7x}@>pgpKR5dlXe|m^dSXI=w z>>Ce;#?;Ah;)RmcjjWyx+c;Vy~6Q;&x zC$AXu)Ol`-(|6e@|LlmJBcjuWq`n&+Ip)Y2wd*oB-=;XTZeR2ciA(>TC{tP*bZXp{ z+n26rOpTDzJY?W-@sY-7tGxwwclMUnm(;8ddUe)dbL#SgbA?0KJh9HQm#bU0DB$kq z%%e7!v!bPS#3ft~$3|Ua4LLt17XRw<#)|vn4E)zRsOfLZ-EKYXxOUE1Yb6O6zq?F> z!%JLfx-K&thWGdMl+4u*`u^5%L-4~vzcaq&i!{>kKNfGZd#XeGfL}H@?#DepIdN>wiHY+os4=u02YkilEGwUZtBxl;pkFOJU78p$JLZkc zq|Jq{VLQ#d%4o-r(99oxZ%BK;Y^ndIJF2e5S~@$X&LW%4NLh955>qYcaSm%>iPfN2 z^hp!qE(urP$T_%5|Fq6ZC%1DGqRQsPH`-z_FHw$`lA 
z(PvE`&j|%aCd!A}#%DXu)ltE}+j`2MFz=X-QstLd>ve4}8R*8()IT9}P~y<&@3uCd zUo^%_+THX@(YrbA=7Xlv7dofnzh)lIxYtzmF0t?%b(O81uCI*|)8~_FqmSh()5z4Y zxdrEnUnH8p+I!yH`?pMJ!pqE?x|AY`(oS zVf{XJX>E%~HmhI0pq34cIWphd*&EM1LDMg_yOb?G$A(p4@Mf>mr|XY}Z)UrB=ccG^ zZd?!+PFZERMA6#B=4emS`OJt1N%yjefpf@X$~-fMjozo3t~c(>=V@(CVXMD+%-?eE+b1($sbZu34YtdoUu>SUDlNkC7yi{1 zqWD_>BFU_5i7B;joF!x9?@W)H^+G*>^mhBYMVIt8zZpDthU~^8$4Qx6=Ow)LGKfwj zSQWYy-D>!x&N83ATq1f!mDKh71026w&yyrS4YGfjLh-x1CdWixiKw4G)Gs-z^nKa0 z)AB1byepp{zI{X9qjsQOS#xDB$ssau$|X0^RUv9j+|W~=5$h6Gt-P(cX38r^>0Hz5 zLx!d^e@V-?7#t;=JWcfV2};bEX(nekLvl{Z38yKsZVr(F1DN77KBhlOdOfG*aeQgZ z`I!gvnIU+V_0c7bmLEQPtXHb9c_s0+1v^(Z{I{x{|ymez9&6d6*Tpza>_ev}wMZ*;9)P zj(Sh@-^^fD?je&dZM>2=uOO&mdfvVt--d}dS<;5u+Aghl@FP;u>Q=!Tg$=7iYwKQU z*xt+vxHcy7@!Fi{fvYr6Foz`?u2E=o8*5#qmHtdFR$s%=dTC_Z$-_FYB&^Ge$!muG z7_V%?j2>Njy;$@`&gk8${p@#aDa>&Yc5KugB|7?+jZOT97d0n888j?-zrfh1NaDeM znWytlO23xTJiLoixqj%#{hEQc6B;vy<7?vWaGRW@w#5uly~1iNynk@Py*Z+VH3yDo z_M53=Y?n8%GV9(!+Z;FXO-l}$n9p$}&L#<0#c$lGe$eF5+zmG_`>K02OlygZ+^RJM z|B&M7IG3`1r{U*Kx{<3#B&^G}$QjjN%*v(0CqLP_5HILGvHL_x{?K2 zi6$5FKa@tK75V#&+&i;uoc(IE45d)~(R=fCXO)~gr=HpGw4Ru*|7K0&F{S!ri*G5_ zYzgYOJz~eh8`)-!w2gNtsXAaOmszf~v?H%l2plt_Wb+L0et4DswaVK8H~m+|uATR2)V(K4TAl;H>^Pn-yh5EgdqjhhYK>vktr_o6ZaqC$ zmaZxBRWo$qvLy}k}*Tn<4 z<@e28WM{lRJW1y1%dq2-lz`@1lNK}kFHLTjh}AXAYeOAfJOXI`aSF$+4y}?*S6XX+ zH@wJFPs)Bw$cXuKwi+%wJtICI1R`e%mbG?~|F?+F8# z9=d%$hKo}|wtQdgTce)T_w8m$AraqAc%fOzJ`K73rBy7yDEHM;^D^*k7^@!t;=mT& zbraUlSWC>FHhkO6<7P2gY9*R|cg&NXt(nw+)S<#5#}{ak<_qac9SdHZB!5I11L-wK zDAgwDmwR6=l>vGheaD2GUZe=kIwNPhYNxoKYO}o1`B52Or~6B*o!feNY50lin8WYI zM&7=^dW}llc9r+KLN65*Y$GN_M3hgCovqo}KgGAuLFiumbnzjN5`7D^uBGQ6*=%Gj zCtj%7@0W6M(}yn%htp2PeCZ5_a;3F2d5Mz|dvjOZ@v*mfN;9)yG6p_b+LA@6J~KT= zaWk$w=#9$G^c5Gs-XyLZ8RA>_p^5TlY~6s6ySw&>9uE%K@^XlG(z5;b=bcDD-#-|+ zmbPrcG_wAfoHriD4wK6UlK1b}8u(f1e%}XEbM|~(dwO2Rh=2#*XQ}##g}Jy|%c(T( zNT25M)3RUH#E6-T`aLln=j!-!%JFm4#e{AbywUP_*gxX^gX(oVru_(9wI}yWh~M{F zsRs+Q4l<7q8y0-mX7#K5C3iO5bTe0tz7x00xVFZwx~ld}0sYGtirbfXqeM3=(Kk;E 
z-?=r$&zslBE@Fb*z)v)foiV$HYi^Z`aeHe>j`4LqK0NpF;p7vM>d*BOeUs>w8vFf9 z$V2k_tIf)ox#-jE;xA3XP7^JOV#kMR?I_&6<#$9g;rCmM`(xkLea??fs-jdzRfor~ z@*XbfYdGB`sN(vRlru4h$p^18<(aJExdDc9L9cYggu^9nOv*j2P6?Q)-T#qu%C!`m z@cvod_=?8rRzFsJOMdvU{^ZxFN#4_Y5TEMaMB z^2qMclUIXg^bJ-l7kle=e4*i%F(qf;6b{^M{L|^9o6CALnGD-!gN}>-kb5`jo!g1G z77Iqv*5u|rw!S6dw6n2b#?O`N0g{qIOwol~&I{My8Sp08=RuOYouy?ywSU5xq<%?u z>Wha9xs??qzf!w5W9rZw%zVF_8>Y}FJkQRZxOscSXuHC}i%n%F-TJh1_Ju`4r#_zE z6;d`aY16~KRrWI(MaEa{=RFO1ec{O^$++l4+Wn8rOH(3RJ^Q`Sa#K`*^GI6X)eA@c zNMrrD6*p$ZLfNuL<1K|!_HW&)OTQS1YEQ8paOG#X<>!G0vI=!IeO~*oSyQYPmVb5T zJl~2B-nW>HqUR5;Bn+nvcAs$Ls{G}uKGvh-9!l@@5s@b6EL1uEWL;p;q7fG^`yD&8 z$B5{AFFT6zLh45LEYqkwskjyct>?!S9Vb0lXE&{8uY^`A&MJqsf4kVXhFQO+eE66W zwcW7VKG^a753S-gMz4Hn8J`Hp@@L;&J$lazv!J3QCm9ZbV5eBf zP@%4k3<;LB5MgU!9IResK#~Q_s$03@XpolS#&TGJgV}fX2Ib0*R*(e^hsv(zuw6ae zPGevhgxHY`>@5RH)~3#jSvFSIa209_!a`Z@5rK)7?&A{1pM=Ft>VVZIDF3UgxqVha zj^it}aXa26Myceuja=+HQz%vGpkqS0koyK9SGWF858>vD6#INn6gz8Umy|BMJJ{>4 zN$OOerY~QfJo)ZcJY~}zqYBr1wHcpYJ2qF>m#+AE_sg*-URG6iLn@jp=e9gA*!X5r z?BP?z#Wl@eKgr{N?%et2U1N1>+|O#C-|sTk&u)g}0>jF?^wENnoAs*`Rv7Os$hP~u+DpcGZuB27 zrdED%_Y6rG9(}mroqN4pf|l{lf~?9qIj>2^v!efaF{85dt7l@ucO?wlU$Wpp$=(=OgeJYm&R8BY<`^aBT2QG>DzO}yq-hFibhL$`~S`*}$=tfchg z>Qd?@3;pJs_6hFZRL67o49o7mVyQGW&eXNpIMVBm)R!6SW{S+1t2<-x=Q+w3@4m`b zv9ZnOSIu!ce^3A2&nnsX4_oFK!f*cy=_3(Z-{P+xb=YEm z((|g^$(fVa_$-a_kH0hf*NDe;nxySF*33{{oTEnn`0V`djO;rq0h(EZ{SM9kX!~(X z`W+3T+zc_%h{eUxatgYYk-uNXcsIM;aoGRqmt9greCUH^Wi8eBc2<^NjQR4Deyy-> zVh3FWH$Bvl1l4FEBezE%$WO$Pm}K5FRDi+#^b{7lA4-d{VZq)#bof9?5FTs>ls1MG zN8T|%eAuN7R+})eYfz{L)?lLL+ni^iTs{B2fBH>@)O;FjZ2~LS*x!(|NT2I^w4gYt(W7+;M z;foP!o5)v#Ro1Oe8!wF!5_-YA;kY_X*o3k>u1?5?AsY>!9c@gkRgfvN$O)up1&02T z&IuZ0SX8nw&>?F>LiY74MgYsuc$Cw%su8ocOXiO#8KE*udMaV6-vRZh^R=Z+2;tTF zo0P(vk0;U3i3^L7j3V-n5RTM;USjrrUZZ-w+VS-tnYD=<@)R0hyZ$bF?V9JaeuUa! 
z^?bzzXYPJnuUg~y>EQb9b%V8k4oo-Ftv$E-g32!Me%6or&9i)Q;^ezUVX3(MJv$RaqbbuQvnAGhMI0EsN&9oZ{P`O_?H$Y2;u{^dpOsd*=sMl80H=DdZjtpJ zVUOg&BTjFceQWS_-SAL3l46YRH{DON;acgc=7;-5T?#BF4qm7*u-YTw&U!7KS)Yya zSBSW;PodT*Zv2+Jc>BKJgTfD-ja1Kj;FtQ*YQ#&WbWd;FmkRC~*Sr-}Om)J{=S_1> zJE$=K=BD4(G6&CXUTA8zAnH_b=FhDOo2NhhCgW3jcz4it3GLC-g}=*|&r-bZIVLp! z?hT{Y_m`~pS>?HBfWqF>`JxB6M5mo`EZ4BqP!0*->|eWcj3i?!LCEOS<|j^Prv4h> zcYz?3HhA0~v*+q+)ZAPu?!?0RqUFxpU9S7mB8;7VaY8e;?~sznj5)okg4z<*|7*^L zH<|rw6ZORE9)wT6C7Pnpx6#4b)!Aw12GQ59dJ1yW8NMKd0%JDu{e1^8K*kFLW)GlOW8nQzANDLu&qOH_%gE^=9Cv4IJ#-*SM6Gy zOx^h7vkn+EZCF4&uPx=;XLn@r8D)}Fk;bM=+f{XLO-^$%W~?F7j_k_MHO~x1=i%Bgidj9h9>l@duh2M>ejd*E!<>KY5M}l%R zmh7R6j~?@(Y}_z!qxH9GOAlwCyP!XWWTSUha+)+{f%GWhaVJxxUZv|dUMsqxD0?{l z+4G9UA+AEnH}~Y1v3&Is12b~IeYUS!ttH|-{L1?qO-z}bV8$Mqh39VDKTp3_6nA;z zoh^3^L$npmN^cv~p88&|cK5;A&qoJexbQ50+szsK3|7h3m^&0zOq$*ht2j4v-jp$` z)AZw2-3!Y%T8|S?4g0XPEaKsNH}Xdjz1vrsFCeX3UyA)$vp_o+r(-q@{@X6d~CF0=CIq|!NxBK_>|ea`t?gW znvxTgyed)R&Zc91$Q~PFn3r;c7M`WuklFv_DoOI2FhytLyx%MPKY7=((Oo8Obl703 z&gO+@4TjY{%v7I+0(OK;!cecvQ6hGhBXYiJO1pP}{_eEt5wCC$3 z{9GN?m@??Oy|u@~4H8S=;H>)X6TOr0 z^GEWj*ipL9I>uQmg{kx@GA#PI+n&Z_Zd{x&k(IcWvIVjvYx;z$+L;PQFR<9XBl_z3@lh-|P2DZt1h)SoM|M`kJ+SS=U%%WxV~e(}4~*-eh?UacjuFm~b^~ptsjB+FXefH*>{`e{7J67nP3xT@*F) zs#(8+ij6}~1S%??%9yiht%}!$9F6`N`o5wOg&#w&d)|n)R{Lx$Ptl5?Kg~dM%q$WsQ&UF}8cksvf@V+J9`Ztwr zRF)55>faQ0KlXC-r|Yw=E&KIT6(tgt9IozuuJp9e_yJ~~qmmVT!?NX=^nx`1tHw+A z9)94Tlxis1XQ0!mEk@OLwwIFn9zQVt zeOaYbHO+kCnSrm@Mn7e#zP%)$_in@LJi|JL>NgLMt(|32du`sS^9228D+}EfN52e~ zy>>OaPH&I)kb`;#%cmZC88+?X_tCPeM!d|3Bgy+li%PG(|Kz^%c(r~aM^23yeO5=w z{1-)J+4QjnvrYRGb{IIB58CbHSUdhiZRIq@fRa8Vn|3B1C-;*J{w^P}{aumvL!(c_ z-p?757@VKe>^3!gZxY#g;&WE*$^F;YZC;w69J*?1>a`04a&}22 zuSl12nT1J%ZZ7sTn>d6zq$25El304f_GE^%SBZ9*UtRE2YuVQYZzGfk5uF#9jm%$A zKI%0^*!S}J0U}Dn`#GJgRh_?|p0GUJ?`4Lw?uCh=`y0;Xz1#iBB5ad{<9Id68@Rj~ zx1y7CapPxgz2E=9MA2Ht63vVPYxQRy1L91Qw_cokt4??fUb?x^<=gwrlh5~GOR6V6 z{5eiUHb}9ei7xi$^T>#Kif51MMJJxT@Un55rBlrv^;MHaheRuWl?vFX_f=}N%Uj0! 
ziBsh6zGwJP4)FG@c;_QZHZ7l;^gj8*pvcEdL`&`t`h0WHvB_tpMa?c;6D^U+2%YyW zF9ScxJYe#MUoT3{3j$;&i5-x8wvis{utz61=}L%n@Z}R{OBvzQiI(a!%mVdPwBN^@ zCS3ipr?e}z5~`Ea2Nxm$i5{9^oL{8B?XbFqv5 z!}p#^Q$FTF@mN!F>-D-Ts`+NWUu!+ONe#caZ@jd4!CT40r>8#@e>FAj;3S=h%;A|~ za?ZmlJmu?MB=skI&8}Z9sj&Oo>9Tz4{ViV`(@ceolNwLO#aXea(z^oJP8oC4zP@Bb z!pZgZH*T!o;MeG>v#4=qnb*GBN;&5bgD+}2)_shfm*|saG^|Kj%3!hS6!FuC@-o7+ z@%uB#hto`6#H1a*IiO-yrr24}>++c(>7F zCN?dSGTd^i_Q27FO);6ylk5B4mll1!YWs&Q4J8$cJ*CS=e0Gkwh4Zv?2+V#uT|#b8 z{wU_`E8agW?*29{+EBS@j~ zr9tmB2aOHb`bkDP|VC`4=ElQszx$Pcay2PpP zzz-D*g0hxKH5e^2d^EX2yy0jc9g>Fh|JUAI0L8hi``)+{Jh%jRnE?iuKp?n7aCeuW z!QCN1u;3D0gImx5!QI_mgTtMyz1KN=gD)dR{w9$}P&a$asQ(<-)osmZnu2TMeDX-a>~COrE-axhZYsn~Jb$sFWKWP|2Se(#SU)#XAi z5Fa2lM@d6DO>sxTBKk;wrUqkGL7y$>b2YZ{BS@m?lf{JMC3;$&Stj+%CtO{U_YaeITROT_d@#5l=s$FSA@25q4xtVI-%$vXF9P?gWqK}wt|0j~p6pOdsE}i?m$Z|rW&YAY( zjJCHC8IH*W6Kg5}@hi*rw6C#G8XkCy7=zsA=`63%2F zh>CZY#X1N2AJQez85m387hyU!mxX2IAnImWtV+vKV8@k5aVS(?_lIINTjsP#>8?Dm z%A&jubTbJlh$L6n5>%qr%fW{^Kfxm$SO*0>tJ}gOT<<(g0(~Nw5%qC?}gt&!L zwGO%6zkkq5pQ?#gmF5nISjMaL zakX9A8L{K<;RUDXAuN$D3gNvG$x;H()%=?@a19J%6(LxH*85`GnHo-uPjv8MVjHOR)d!<*k^q(P z$bETqAXy>HM#{w8>f$KB~+#{*f?hL+pWP&V_JkD!I?+nzf#chsH zt-Gn_Gl+=Yoo%fhD$i?!8;Ly*@tFt>t4bYrFL7Wi<7?e3tU9X2S=T(iU)hv!ayPmj zR6bVX{+xDh4p9+w(dKh3Z=$XFN|)31ab7)3osY11D2)HKy?HY^d^n99uS52G7j#es zZeb-46{aKG-n$62m1X8feR3G0bgyqTFGV9!R(C({!{4A{r}!_cTAjYl{SBsFO}()kLl<>PF0=~7h>tn{l%yF(X%9{6 z>(|9raJu!X$;sJa?d2IAi5*xr;o0N zyye(tEnf)H17fvf-Q^XYwtcs?c5fybY9ACMh4d5KC_af6rr{XN`6whEsxnpypr)vZ z$a|zJHNm&K-9j4f81O26?Ff8ebtiG?MToX->t|ASYd;aon2T6V zPTj)QsUIx^+ezi%4Rl9%+R3m&b^;}v`}tojjdzTS2g@KCzR_3Y+D-jEWwF&@2;p-Qz?VwJ9qt=7*xB@40sbJvQDu&;)5mJi!Rhc z9@R*e^-gZi7A>+_>IQq^bnx%%G5lgfAtH4_fKzoG_ht3_WES@jvyF>1y8ud@y`ACf zkxkxJ%KPv{c>ndE?e#{rqE$}szkkbrHtVax%jp_YWbCIp#QNF%hZ($H7xWU&^!=1G+aQ~udI zbGZ~V4ZBxb^)CN*-Uy!9InBuq{obdQ9GD(!9an-+E~;M8bgKQ{EAJLV*V+yx7O{sG z!9a($o2Zpz@0IIeF3c!7s}<4akCY2@qqz?3EV-t&^lRNy^$!GXt=Xv*qWb+tMdeSb zF|O-}wp{y>_FFUVD6|`pZHuTh3vIkt*ax*4kN2ZAZCsOM4tqanNFNTqKJ?f+`A5si 
z2@1rd@t;JGkAGQctZ6VkD4wrvspYw9cAi`1@}^S&ca*R7EIBFCo*qkVLoD z*mT;w^Zwv58^rr`eEN`U)56nw!|Tk1I2WvTr{1^G*DhmvWqXmfnikHJb;!3t&U;ry z;wLuZzpTP8iP9OHrX1d&IUiBMYFww)2bH1lDhDXJ^N@3YGi?FGU_NVY`wY zFir1gRmcJ%jV~`G*XXr~o!0tZ&}E%mwu=Xyb54!y^=Hl9h|k_O95G#8?iD+yJ6|qL z+wPS_v)HM|Th-=Ppf)u&Mqg}Ce%Q`ttkzHMUND;-)wa`hs`~&)bW&aS{OtQ~f>9DlOD- z7kmV*^1c4AY|?lz%MX-LKgI@bGd!!-h6kJlZr8Jfy0)kB`&5GTN~Aw3VZ`2(gJEk- z(wweSJK4xrG@V~JCz(1XV#;}>WvejzjaU-{L&^)P@)Tz2o|s>hRuP=&e(h(JrMu)# zW|=4>W-K-H5X>FyqR_-XH|7tYluy2{)j> zd#sy^c08{YF=Xjy(0ZPVS{ zC}>TpeKs{XNT;mO+reiJzf8Gb#I;3nAfIq^;D``@YOl@n9Boh2i(N?W)^J7B?xi=v zP@W>!x#VO<}>)yedHgeO=3F?$QRm8Jh_qgJ#T9vX}mgJ(vIm0 zHa)x^;CGrX5{@ZuJ3jh<4qole&SzQpI#PZukh0#UE3_2fenF0S>cAL&PHH8J$rB`) zp2x)NW@m1}?Vz)%Cc@4AsPt}nPTzStcX5(iv-q|#msw@I^xF1z6y<^pMl9~x>RoyAKi(hINzQ5_O;ysQ} zSUx}M{36)cM9Wsr-IhPIQ!ru_t<81OUaryKIUZNPM;;Yj!^(V45UqA2Y4ol#OE=tA zDMdB?rhuN$uq+Mi<>SY4e zVSR^TwVv6E0{2T%W)N@bt6RopXU{m&!oIb&!Y{R+Czfrk7dYP}q+>ehUdN^g^81x3 zjEYVgm8gytSGo1GxA3C0CB{r=CG)ivukFD@)6hu1Bv$U}DQvu#xg^Y{3Y}eq-yPO< zZ@oNfZ6*W}9(iv=sIFq4AK`Ahe`y7MjEk|6#LVwg;mF%HN)u+yJH|B0BoeZu3fM|j z_0B`kKyf;yX`=3La*dIj(DCA~yRz~4A({YCP|FXM-!!k5QlzMyb4iBL7AGSVDa%Ut zxN|TVKby%d*?6lGDnOT4)MhYL6Vh8nWy<0&*Ruf(mZu>QX@W{0LSw*YA~mGtg1T*c z%a|d4bE)z6XTD!Y0x`Wn#S7I^U&bn0gZq8rZ0cU)Gl~s-iH^5!C45RfyBDc1Y^fn- z8KqQ2yL0idy$@!miwf)SN;}(bjZI{t={VC8)QhUEgG3FNADCsV)n$#0+-)SnB)>#7 zyU}Mk6_~FT@V|*&HgX3R*YF+I4*6obeo+K%ctb zs??Nf_vFtL-}*dtrOrt*roo;T7pbI%VX8J@)g*#elTqK}qu*FcZ#yK7J<>jlT2lNdrEAgck?_2QAd2H77%a>uduyFqEURR`$Qb$%Dlp8>c0Qb8-x;3&m zxt=;LDB-RG+$kyq*Cz*yS8(3JmJfsd1iDE^Oww_5Gfcnh@Wmu&dp=|Sy%VBf39 zXygG^l8Hp9P`Jus9L{hcEACABlz03&1OE1MC0U15l8DW2w@5 zApsX;6X{5)Q-DvWn{`PAtDa)N2+QEE+G+JN(r}I>m zf-*toyi!3X{wDkA@q&@P?DaFAfxw@r{nw}umxI-j=7Azt@26xq@~umDXX4=z$$hM> z)6Cy8E!}2HE6ixbDD;Y9UrZU%I#}VG2li-vDmHUcQHh?+qm!xqnq9QI8*nhDd%|U!I$*i51j;-5_BpgO)Rplz)4dx$1J9`% z9-Y!kJf&XEt}B3O1e}MQ%|7vqv}LilO726G;$kg{u@50Pi8pp``SqL>ip$;~u%ALf zqXziu+C4+sm)8-MMmO`}cvFvtnc?kEO|_dj=rVj8siqtbCTm^TA5(vHt#x8ZgaX7U 
zL*!H?q5^}I)hSNHL+=w!mZNokw&2MQIb9^a2p*-}T=Vo$o0#Pdn2|&TA-P8o zT3yvQdPg?+fQ=oJLl5Aj;$rK2FQtoKk@feXtq(|HWD|&w9>gS*KK4HLh*`ZO_9G?^Ig^ufCN-bA)(0 zO24!*-FyXy6_%?$(vjfoLEkEfz?@Yf^^ois8u^!5*iLGhjAE5Lg+kmgeIwmM+}OLL zZ7}`%=pHuAPb!U=3{aa03qJllZ(}~+zA*E{$29gRjPnJE0rpHXrC%WuofU+^G~&4=8bx&&M+!vxVt@MVt0WF8|^Ue*~ZW3lS3&@l2v9$z)ux)4f+) z=R)d!XQD1@GO~j*(J!J0DjIq|Yt@=KIJgcBPRXF`%!XC6)kdKu*G%5wmE>e%qO`Bk zKK+w%SU{`0jgbNCGILOJ=gf|eM+dawkSt2$m)T?t(7eucFQ;4s&HX^6SCEx6Y%CGK zho!!MPI~h0=%acPD)Q$tM9#eIv{FkseFlcP{kiJdAs!EF$KbTX5;MzUv#ROYx!Enw z+Myo&KZ&zL3Ndj80U?!qP1E9X83Ql- zZbqnSKR+uEJI}YM2I?SF?M~Kkx~q%pf?#Qw0}va+IVowH{ou*vY9H~@E}}tML*J~q z^Gix!b<05K1) zB*zF3;sx7AkOpyz5OjsAdar5EO7I)&A1!pPm!YfvOOF+Bog0wHu*{{+q z@djUe=0)11#- zZ|XA+tI>FKnm@{!DdQJmn|irCburIf$_Id9$W9=(VBWC|+(s$?fxu!&?K7w0_1aKD zu-Cx$m787UMzW6)zik};3SAJbjZodGp!_M^mATLl@8GKZ#G8V8c8tGNek)v@?BnH?%>0-PwV#<*=fNAVuG}{* z5xFypNX2U;GFSk;l&b^Tx(qi=T`>KMaJdejma(M6Bva#tq){ ze4@34U(a%YgVWAXfbnJ;S6AXMH*OKo31mbU^i{G8PZV0}-^?5$W%xd1KzdDL$bQlt z#=7r!J|%f`@p+AdXuA?cqYLYsEvw#>y%)0)RmoQ@!NvBgw0An%jzX!M?~_n>HgrpY z-oYx<`Tz^LWjDM8R2UWXpK>Z4pu;8^`#z_UhLk-a<48aeW@kiNSs& z@>1-vi1kHx4orN=Mhp||<2IqBI6f_wF(flwh(tqgz}YJR&TA8uhyk)6ZG|I;4;91rzRAHN?#U`U)39K4Q`4M+wK9SM#< z01jlw#SIp+2EXP8kO9Fk{GWM#y~hpw$7>M#FCZNpfD>E>I9?ez+RQH>;P9WnUV{aS z!FQ&=77F}TS@4^G9@)WhNB(dO4p{N4aCUHEzm6Q>m_~nu$oxgs1KGhJ_#gRxMf?2q z;knttbUT=M=K$;S{*fN+lO3$(%nlBD^9Lml&cgww-MPR@${c@$0s2QJ|0oNb_J8^j z_^aOk!|M5KhsOW3I{hE0&wrBd{~840Px76coeRvm|8uDW-kX4aeF`- z6DA-gAUMA_0Au7#5qd4vG{y%C^CR3Ixi1VRk_4r2p2cXRYPjP3p2hUf{o6}t&AQ9E z_C}n;vMJl?S{qVl+v&q2=S7RHyEyJ`e|kbJ6U6VYS3*swnW+Z&4@7Coo8O7tx+LHaj_FH$36qxsCyEqCl`WR!PC)k3E{Z>lGyo%arkEAVQ?lN4`L*>my?+udY$shkB1*7LRv&4FWZ&#K|`$Z#Rwn-qDzKf{Mt{235 zLgFVEn?daGYjI%KH;m~M5KBjf!pXZ;UoN+tybI88cj_LjRyK@9V26AYMJ4)1PL!>3 zj|=s+hW3ZoS(aZ_vP=Op0wWN!!^|`Db|(L=DY8HERuBWUUN`VHzj!-bY8i8xxW{nZa@nxig0Y@7IQ}5843=~VN0`-YV zy?rwAiZ39`7neoBl`gQsDNGusOV0yQo1y2aMHt6!D|4lqKJU z^(!j8d2>c$z%$o_X3{dz=J_^KBL$d~<~Lrsz+CkrX?{56_O33(K6%Y4OZv0dRj|ZL 
zgVX?KzqA2$tcD7x=*wP^BqROU1k~~q6_iVW6z+E=BEXyE{6|cT3ZjnrWnJcz&4VAV`+y?e)C05~xI_@r1CV4qxN*q6ph=zO+!b1v|myHed=4Ly6 z^>}A^m=gl>00A!~eW3KNniA!fMtxH*JnXJLfma!XK?qTtp2erO;spsZpWz`)20&+F zd0qG$V+d^S4WeW?(~S-kabRw*lGr%S7Lu0&O?<>wT$1tGy91{%KADMxuoJsD)6j-| zKz1_d5|kJyLsk`F{4=K)k4G@+`+f!}n{Ps1ED1|8t87f>!Pzu5X{^MhL(+2n(B1#t z1O%cD`av0-q8WPD?zV86uLXAUn7c>9n*xm~vkVGCOcJuSdiHS{1DGZOMmR~?h_~S@ zhY{)45MmtY*A5T?A7MwrioPP$PompNQsrq>`P3Qm6Rg4kyLOxVRH)A}K75vkrTa1# zhG8!0=l6LGsU@o&y|tUn*|6 z#bFl+lZ3#S8;^a@?bOK?j3+z@T_*-`r0rXOW z7|gv;81HOeV$iK-bKAQ&-uAh_>?f`W(SI|3xghvXS#+u@m2uvy{onwX@h5CNp>xdT zZBr;SYEg&ECDp8YMREcPlIwm|J9+cun3-TvQ1Hc+``s%zVBR1Vs=t!{fLDC5DQq4f zKr#eo74bFYBqXNr&82uac<+xmw`8X4KDt=^OSadY1@A);$0sP*;mov>R7K4<{1~Yk zUiDOXr@GSg4L8EMcsoKD+Q&m+__DmLtU$=7U?k{@0BA&DYf%}*%fH?U4A8;LXF$}3 zP4LCCbDmm!u!uV`R^;S^50AqLr^(Xz98kiAaSOAvo;Cf7f!_Zo>jKIY)Enq{)2wbY zLUT4p+JF)fykK7Ccx}Qek{7ErulP6uCSMI?qJOdoF0JY0a>hFbtE~pvud<4D?&*6a zF%9+9`O5PnF!{Y)=h9Pyeu>P~Q|Z&~LpS;j3s!jy%%MNP^aCL;+Xpid?LHRD$*HjT_kH)HxL3eoUB~9gVHz2Um)PUuCRUm?F^bWTZJ{{Q*A!Y>>+A2K! zK2vhCibxSU-;Q#POPFhMlF2LU(JC>81{Kk%9^ONLJi(C)H$8|1O102xM(0ZIhAc@Z zD0xvIREUB&cr1Ad5i)cHlQCp?05q+SZ%il@ATXu_-3by90u|t^<*Ua!Gd>Q3urTs5 z=!}ump)B4NjGvBs3+sBUNTpN7ad6(#ky&foN_m} z_UXsCQ5S+8X4-4poHm7-pidN_Jz>IKw_BnQsvW^vUq;>PtqV|ZMz>BxOMd6Ji!@gq~cYyx?+&DiwE$oXmG! 
zo!6!nxIlA4;P($|T_2sl<{|XT;tG`=UwWZK{?T^VJt?p$Uk{HsM>(I)lwOVwtWgRe zF1jg_?6&V_7=YZ8AQ*Sm@{?KMJ_1r_^y$6GtRLwgF_!ppEqcm<^ARGW(Cme%CFmB- zRU*Y7v;uvtM4eD*;?;{%DPcu%2jP*VKwc^|-ZCr%2*e=hS_Hr@5$fJ>qNYQhp*)ZoTJqTS@F9)rp(?DewpC7}mtkk;{=c zvJk}Mkgqtmw*ytA^XTJ?=(u#gBNpz87Bc$+a*^vPS~pe#{YhU6_`PluxSngk0`K4i z<7byerT48(q+a&J4+9cc#~J+8X|rE%Prujk{j|3@828N3IyR@Pz9!|WEw|+jRTtmM zHlW@KOw!MOyQ1)!0KY&{m?;;^B&mCF!uz`DBG2iicgW&!+g{80rT(t^f*Yc#g=y_Q zo}6#Zxk$cV>36G6#7^({C`m$zN0DQp1p)v2eFgeZEiSAZx8!=CesMToRMSw7vrMt1 zvQf~y!LZmtN{K%8<0kSh&TfME0G4xtMG8+PZJKqJO3G|FrHJk08E}`u{OPdrJ*NrF zk}q(yptW3hSs4b+b|9+Ur$T2WXGGT5LQ$9zI1^z9{`T5B#-*>8?Ce_Y?4T(#z>C3q zNnnC0z+k<^QR9%VQHo1Cr1gH|l!E2zXkp0e(xLB{p(niKIfw9GalAy{P6{S>-n0k?nLEx~8a_Vm2XE83%+yCx z5yxukGzjh6+auOFv=P@ycvx10+8e7xO8GiCvidem=^0sb8Q%_JB1d$Yub23VQek_f zzwD2HRiE$Ez-7PPeK~)EG+^V%@yRMfk*A!^dK>!gX!!8M(O6IIxsrXW)5Zi@dc<=1 z0O3!xnS~qVBd`3V26?)K$4ks1xAc;2sF762;ds%H!%zu6o0(OT2?`>6*b#3Beby#o z_KcNH6BAe74MuS>Elpr%kTz`JFFuS3NX+54_1f=@M?O~H-rp=tUrG#e(v@FA$li4$ zkHIUR$qim_o+svwd#>X7l^=*ts5J-}>(YG|Csrmjt-Lv<$#8ufuE!8Z;ajpOEMKty z*>R31BV9g!`bb9Y|CmUF-h2NTaf&`Ct&$F)F~!^ zf1ktjL-pue*s|?M=AQ?6?|>)Q43)gR6{{yK4I9BJxAczTDKFmQ*57RQ^j=R4%YE)v zSQ7s-a4nqWsk7_&6m{9DDX_o%G+lZ}h$va22ZsdhK}_eA}3IuPS8~-3{u; zKVa;t?hNdXV&cCa0=9XAm~?g7+Q<)EGba;bdGiYIj+?Jwq9z0irdF2b3TLfgr#$7G zkN4&_nHrG&mh$r{+BDVX7}A#b?_phP6rgeH-#*c=YAGTg=3zl-nkDWAk)Y9WXR!Z5dFC?$u zEI@Dnl=1~1D?ipcnq$nhDB?-wo$o+J^gX>C5c3=KC@-0pC9;!Tnp@&H{{ywC+nGVg zS&QY~JRo2IC;fajD3qJq)qK&6eb%qRuajB={YXM$HL2W&B=n|LiMwS?(D~>y1+hrZ z4P4U~j3!&a<(*+v>vvt}5lV=kJ!&DYRvnLJzX#S7A#EqbpVM%Bglj2PDrYC8g}w=l@9N)X|! 
zhzzNUb!#Q|bX_OQdYVVQ5#{sKl^KKHulL$$t>Z+lzEcPixkhY!NANHr-JnV9mHN^o z@_MaTl`cbMWj8t2Up)FXDfiJkFSU8?X#vmOQHm{YOV8~T)gz}ChNBz&Vq4wm#;+yZ z(|1$phWosd(w@-Y2g{nzNNX0ZO4`bzr#c}@LifWQ47@e25#e}^+8Ij~jFk~rsXFQd zA0Mxr_DRQE8>{G^_9b-7QzwjPn{qeL#&D$H6U*Mzn!1`z@_Ap+jzYV6!7VxD$Bvu2 zw&n|2Hk(%l$_2TdVdx|4v>7*!pGSXf(jj?Emuf28bhVVnKt9>J-F%!s`8vJ6e^or1 zNh{hBP0xJhPCkv-L%6O^pzWZyMc$^~bJj`xT^;%@A#UGf4&_LiEFe?nE&I?^jFP6S zl&{*UlKuXB3o9))4#}JK^G!#~ZQD43TfLCQF=IlnwQ(8V(}!Y)JqE&P(l~0bZ0O{T z4C0?W8-_@|1MSKM)T1G5XGXCYGeQ}Rd|ryxX8O$prbopQs%x%lhX>Z3-ZANkWlkDO z^aot1awc_*N#=xJ;z;k;GYqCoi+E2a>j?7%^J-|;PBc{kHuw)Y6u6Q1yS@sPdiqJi zlI&_h>RgUE{j9-j^2I0&^6W_c6_{s@!a*u06N?m`7!^p-{UNM1cD+n=QSq$G&|B4VRdez5vy&lUm(vXPvFP#kF! zv?)4~;=7I#^l|77#WzGV=VvVee2_BhuJ}=+KN^tmqh5#C(-?CRFs&>lu7(cSbYtU3 z3A+__<_UP))_qwd-Y^|Z;ttn6IInSObgi!A2xd7t*x2ut_bGRT)mkjp8v1OZJMvvq zYcZYEab$GYTzl{Q*004YX>`-<%60z6>Jbi^bnE6t`_|qI*AF^gCPNW^v(`+GX|Txw z!Bs}l$?J$GF9c=|?HU`27F|wTYb&=r#m~76k{MRaug)%+#nqB2c2*WiY|#f2cbRFH z$9_ZucsmD#^@i->{U6;L8j97*hs?k9J7{=nHyoDfF|*z|d`EHV8>bT?n_0iO-dogj zXc#8kU}~*hu@J8dzlJ!fZ-yM1U4P%$c#}EbtvMidP0;p(&_oB*q<760#>C`>x23+U z9NEmF`7Wfb>xz@>&4dB6ZEfxuRrkwks_?c>EnNk}((Pl~vSNm^GEgex2N_~r4JB=p zGSIX#wCWJ98t6o2Yp;rNX%o`1(QTT*yN&^U#dERw%a7&VS6Nl{TFbT!%Uj4Em?upd z{MPBJt>dfK$M#?SalO=B5^02peDB@TR=g8wb`TVs7wh^b52<$dE-#(V`NK#dmnaRIer>VilxOY-h*`fwg52mpLhvMz=&VxPR|%|oq(#k)_m(66-N|L zwLM}5>uXAKaMNJM@vs3gjXLb`O_lUy3+f1JNlU#7EmL#&s8Qk$6%jJ?(uaxi=yHM( zbJL-pH1~!)7S#_M(|p>Dq(j{iQcdV*HM}0pAo*#Jj2jdBEY--geCd+?$Ha)Z7}$8t z$#2pGlTV?>vUBj}2{k?{!n3Uv((u+w`hoAvmY5*U3j)?)D4Z7{<@t*sic3eZn(?M& ziN8+zq{fC0l|mw+?N`GU7&`?ecdS-AG$Iu%Kwqe^zIF|Srj50#bzK;!&Hjl3AF=n; zvH#{cyEP`k&hYcZEDU#*3O#EcZ1- z-iWwfmaJ_`>|3ZKPN#j{$uA@4aRjn58`HNiT-JoE4=oT?Mo@@2=*yD5^O!Me;h%)_ zndFf<3t)JSoEko0hWmhG&<&ojP{ER3|Ax8vOOW6HKjy;3fZGW4pUef*KXd~Bf?oVH z=I*~}4uXS%{)t|I|C{;?dI1893;tWtK_)h^mf-&Z*}>-#2EhRa|CSy6TXyho*}=bM z2mh8G{NI-yf%q^f9v>5_7D80|9|NT_-A@fFc9%8?=LC9 z|DumypacgPz+eXxBERyogC!M#Y+%BJ0}O9~B?*DQqy+!z^Vc~SHyFGC+d065#~%R3 
zuRLHvgq;(dj}r`Z{Ce-7a)`h3ar`1m{+a*pp^DoA2tA(0{Y#?&JJF;{g#dcjLbf>ae`M=zoi2Q>;BEg z1_J&HcKw%hY#=UfFyH%E8y7hE`7;|>mHN4j<9S|Au*T=_{y?nH{c(W@*zf7M*`C#z zoAnnq{MY(%gBOd>ZD4BZujv5X9Khf60=T)s1ONAQU^wQv4NP$TH61u0JQx>yX5)IE z?s@%ytZbm?=>Xu#>34sCXYB%>s-Cqy*!HaLfvg#xs8+UxefGee1NBD(6c&oa)T%B z-^u{7frG>UZUcaCG{4)}pSK_A7Yg`$I?iX;BzR;2p8MnGd{!+^Qz0zA8(fm}c^ z0r*?F;BI@?Z(uO+S=)2{o3`TOdVc+J{hPJ|kF96z#|?Nkrh(i*@Qn6b{kVUTjKABs zfWKcuVD;f=*A+V}+p~THEB}Jk@c-%$YhdfdR literal 0 HcmV?d00001 
diff --git a/draft_review/2026-05-13_iTC_review/PP-Module-Agent-v2.0-draft-review.pdf b/draft_review/2026-05-13_iTC_review/PP-Module-Agent-v2.0-draft-review.pdf new file mode 100644 index 0000000000000000000000000000000000000000..9687db1128fd44f2da15cf397a4a282239d92459 GIT binary patch literal 223483 zcmeFaO^hT-mfr{RBqemwMFMYe5V_M@b!NDGd=kYGr@OaTL(R_gPWNhOw=hU$Wkz=8 zY*uDXW>)t!rMnISq=O&<0toRUNLLBaQM~ai3X%X4B0vG+Ngn`tkieU$-~XAJo0)$^ zxJO3RbnndcR7H7&ySdr>e$U=}_Lo2V<90jUh~`c{@^E{od4jn&(44F`@i?&FV4RzPNy4w{rF*X@znqGXAg{ix#962JYL@1 zT-{&lW+pi)Ppi{%_HRsHT|92CCii!f&mJzmzT@lJ>6CGq)h8EE%=eSOT29NwbY7Ix z^?W&-e>k20&UE@a;nhsCabHy|%SBPv_kI8SC!4z~L7_~c@y*-K8i3z*^N%iGZEhbYWx0soF=xj7qsL8n z8xD+TSFPFM=a`x%X)4w%Y&5G02`sXKS|IW?k>&?Sw51Z@F!{+Xi*9cdi z+&sR$z4+#n`%8zlr-yf&6BZKJqN&!HwYAt1K*;?&a99*4XaDxi)nj;T;a*ZSz~M>|^DAThHujZD0O8dB467@Bh)}?#rjwlTtrFK0y#~PJVeJp!*9C z{(17q7xk0{PFDUDfd2=ZtDB3D?te9TscFsE^V4z_!S(UO{oCFjKf2v)u6lp{;^F2^ z?~gxtclg(E*mz$sd{zsF`$CK$PB# z|M=wOqc2Vt)oC$bPpiptxjdcDXOl0kPR>3pPp6Y|Ir-xHec@SF@<#ah^UTaol z^Jb=-W%d2Z7r!{zBxWmw)?~4+POA)-rGsSy4%On-VgrPhg4SZT5L~VtY?#;Kpff#P z6jjL_zBZiuNiJrm#bV(QjNQ-B$K^y>LJ{kEfb+_g!Qd`ewDUr=I`Cn`xq$XEKm+e;)eUHYcd?w=l1sM?aRv)7p^TbJ;k`@1sRgc2m#cZPfcF43 zOW!zp*6%ZocD1;I`}meo0Z$1cTY%wvjkx4~{uO8tggL-FPMO0Qk<*#bRmVs|7H?Xt zKm_v#%=)`xZdyex9a3sO7_eu81j0WDc2%A(rk%hB(4xjGmbnH%2&pBsx-6IL?@w0i z)77k6&L=NQ0dfh&L3xG*&yWT(6I_6Otwq|M9^{M*_!yxyaOlZ3Mn(%|dL#Gs3sb~p z933PvPu{FKTp@lL*Ej>BIRf>f4!me67N^j0TQnf>B|H&TnvYhvIfD3v>rdB#VWf%* zkbHgeVlDt6OrS3>U}h$!pftcHG!B&HQhaWu^V#}Tf<;SpiYQm0sp1KWrv2pErxmkY zpROSw)0quUmF6^kSOGAIqO}euZtHanmi#8R1t9)NFZ!v$wkY+51kDMX^4et@RKx)kZ01<>|bb6|*tJlnd}y6lGBlgS0ketr4I+ z_`LOmQJ%S;FwAq-vp`Q2$$F|KL^u{dGe1gP&xm0ne!?(uJzIv6g&;M#LbKu{G(N>3 zfjNrPb+w+nIZ5aVmqy>+o_v1t^5@vLR}f!0a6C_o*?9iDWW3?iD^H7+rst;%(a$j% zM-7#(EDV=?*B-Jk&@~O+T;51B%>l~{zCj2|o&W{tsQ%zZGJ42fWJSWLcagMBwqBr~dqOulOmITVvc zNw~rb(;jTTm^m|P-l@EXVJ?|#jk);@cMdAr3vJ1OHQK^}``|1YZy11g<19?49xr^c zKeo`ywa(gtEt$8@&Xez9hDa~&eq91CD5+FlhVMoRxoA)7PYN(>jMEP!vB}@tp 
zx#8k>9YYS~GA}Qu^HYKn9X6|su4?)m9K~q{qbL)N`>;eDGT)q%}mgmSJe6c^`qOj~m+{+gxEr}!I#!dBi8g{i1 zs*8Lp60S`GHZO_6y>bCp{)KF@D7oT<#JiERikB0XMFuZ@th1KI(Lt1_nM`l7JY7^> z0)cpBBD;Iyea=tGUD^K788bbdmsNCawKbuwroONlt6KQ*wgtx(TuwvEsk7S^w~z6@ zia_srW$PRl?n@p#`!wGzIo75QYsUX)?GRu<)?ciJx$i2UuJ z?J(%HHv0%{&c5Sp%??!?=xj+~ohpQVd6A5{n_uL(n5*?b!l^=>_wv%%ql^MRO~pMwa0HalG-4#7cOVPm4dCHn0|AK){JtPYCwZ_zQ?}7PNBv4Qcbi>Z4A~^{a6N?7SBukfx{`>G%W2Fi zVDh)0!zg|Toc864CXx=o70n?dS71VpR|(bZbUqu!6<#I82OIP^yT(|(zvV^l!v!3MF<*%iR=V$@$Ri7#+YDt6u{Ra|3Zs=q1ZyU#lJCHW?> z4?yzGA)iO`<(edeah|Uu`Q*U{9Vu`@kXPAe`Wv@inJq3o$o8a_ozuPXa%gLaL`G6X z<{19{)7^(0eiNSAljK`~em=>!hI}T;FW0BVK3*=lWZ}UE$s2)_y=P<(!LxgxnK7f% ziMxY1gAAEk%J)z8H-U8bUE{ta-=vEJkbHB44Ii!tu|RFh_fLIa^7!-k++d{SwtNe?2O#-KqfJuV$CfXZ0<@3g znmpK?hcZT7s%{6_n+|Z<;WB*)_@D>YW&+6^S`!A!N=ybrK9GO&a|k<-=zB`81a^P_ zvVKd}wTs#U(gDai(qWUF_9E-DV&`WM7qyHJ=JR;TUIBDniVPYhA=fj}u&;SgiaklC z%eYs#Yk#dtu;F?L;TH4xDe3RB-1{c}+r6qCdv${)OhdLe0e%1`Xbu_88H$%i1SOZH z_NgFLQhY}-LF>UjCU64Y)lB)iK+0`Yp3~fh#=@cSM_bNyXh(G@s-VK#HIYyG&--B) z@tdQ;!acxKnEc2UYJ+o$lHZh3N~@HyE|ehs`X%wdoSawJ{do^ z;ylZxuw1+`SrkF4H$TTo`DD%c)c@R(?V-)BJ=vfI@aMBZYsh`2yr<>`Rny}(WLppB zwB*@fCKM2&p<+;lo|rXc)P&Ft^4p3lDN4p%mlvz#RN|J-d{=>Ix0$4p&y5-ROGay_ zYgtLa`(mt$de`Zk?iZ6HLNN!%x0uz^Qs zy3Z<=wwv7|DpbMnmC>?uL@Uz&3Ml&OeT5?HI83tQ#>5XT3BSwZ?Mv{HoE&fuK=92W zBf$?(VTpUHMMbsKJ`QX0U`{tkah%nLoi5pH-381V#|HQ5uD1V_bR$SwSXi40EBeQN zS5dwT>I{4$AgO!t(^KQowY?rC^?G(%?c;UE=Q>E;$IB7Bkh+CM-j@MV;5{s5 z0r$@Dxs>pm{QRC=(8R^_nV>o1z5?F`2$yp@+>Da<&F69+z*a%tTY%kd91#ynnhI^^ z^Vx>RL7Ri<*J{D+Nyg2!JfDo4BkoJaE&{@?Up3Cj zY(Ce(kx{X25zz&#;y*HU=?3H*9lS4*UYBvi^)=@Cn=F#YtbI?qZ^Hfgbl)5?(tUSP zf0qgK%U1iU=FX&*K~Mh1$#n9I&}8WB^QVh9Z;Qz%_dGqUnX~Fukn7VGY#Zt^wwSv9wgn_$zq>ZSxJZ6H6rB6skLPB|?|wX5GrHgXc=WDw*M2VxIt<_7NSJ4P|G`6-LJDcYl2UbpQG0;pY0okM3`2Pxbk`S5MZj_Y2w( zi>N^$Pkyp_ynMKMtA@^{n;qZZJUl*q{QBZyQk5rXKf3T2<$Qi}_Qy9@Pp@g2>}Gy) z_Qm}l-Q8TOXEKQ`T13)bSc}(OL(}A+{mGy5&5}lUM4;~8-QNB@G<7!o<;$}E&FYQ& z2*o(OCPUj7;Q`kpnO3)gAst=yv9zlcaz+#35y#an&{gHD^&*097}N}B1EFU0kweY# 
zYV0UnXy$FOEvE2Z(Eyv)x_wFI1^YnPaY-NkkY?F8m%~{&4Q%T~X} zx#daVBd|_dj?8D&Hd5c~u5Y=fKlW^mkn&&oo(2_}Q1o!-`|t%_{}|yibg)@3PO&RB zfb|i>`6_8Wz2NpR;F?;hIoI|=cfr#(9e2gUyrj}o?h6N!dMJNsFS_)d_$oJz+i)4D z8HNh$NY{ON^4eNkt}FgW#eDwhED1{KzxLDnEwpIC_=mf#AzJX4)~DfX*DBnVju#Nh ztfM!q+Bdj9rbOBEF5uQmnj9NC?<>EC{ZraGC=zeGSc7_t+y1N~rFE8Z9Z6N})VizE z>$tMmzS=@BnTze{a$nvzS^fVlpC`;@wl$l_Y|g_phh8izc+B@Jc8*vzW&gIj3pX7( zHF0B9HCxB)pO84X_t3G_5uA;4WGJt@0+O=j zYDznzjIC&fbjs|spOY^j6;e)EG>h)0Uau}(kXl`HL)g3ecrOR2TZ5H)iQX5mbsc#eYy zmonA6#56)t1grcq5uL0LsaQv_mM1L15LIG1y((S)j*G9_>aP~dW-ggZO0JZ1+#s8L zX91>>t>bMV8_^4-E~2um34{%^xikgn*ssO7M_?D)$*Wy+CV+~HgBQBw^vf41yaL5_ zs}ms55TAmXM9KGwo9MMmd_X(dLGp(mO~zxPaAHY9&UHC6uk!~CB+}eH(>_c?$QDyn zs{IF5b^Q+jzBC>;$tNb@o*>N_?Fb;|*qK>HtR;tW$&pz-LVg!ziH;?nJC+S~UK=-V zuE?q69u~-wRXSqoF5nE1AOsUipLSC^BbW&1Q((k)UjigXK|%mt8JM1CHI~t~TISUV zJOVgtLzAc=(cms~!kN+{0T66uUuFcj`3ovO%al9F$@35*gUMwtu@XT?L{pa(#~h~G zL*h&q!BGB^-XfUT+aPX(cB2wugyM)v0Z^(63&v!?II);K*f6zhFUhiCC@qrDC0NKs zsB0!-dnPJh6a78tKR9Rn<|3i08WvkS1$(Q$QO;>qeB)>1YH-UBla&Hd#Omb%< zpMo`ocARqf8Fodm&BWZI{=9{huoLMy-_kHIkm9)n@?{VX9*;^g?F;UP1rkx95P>yb3I!R=7f$dE-@dgLyewQ5-}%6%IBO` zr;Q2>ltQCGB5YH?AKSW|vPno&Uf3YQBVX3H&bB@#xu;`~BC6Qor3J_XkbW<2s&S<6 zMKy*1A^tHoeCxpmjTq&-+EOK8u!V(zQ(NwYSh55J^7Sgt3^JL|j@axy$^4SU0!~qv z%#RRgEF>j>-;{svOXy7?9)QrBLq1c+b6jyb&RO*`K0cV!hnMlbs*b&{h3FUA&R*oV zO}58_1=s}*aLAYQ8!OwpSbJYKXae^DY|tEXUp8=|m&J5>$_DNjdEa_4ryJN{ArN-# zGx-9&W;l_cq2=VMPibfPW<>7YGj>z!_)P+nd}+TiEU_=SM`Ch-I{>*ihkPEn&na;( z$GNbM+>-|zG~rWxT>kKSNoM7&s4hJHlU|jWI#;tgyN}=dsQtaP(%|^Sb*bX#{)KhP z!SCvKdlGaDIL{~O){v2)SEFX>%x?0ED1#X#zgrLH1Wj_Fy6#$2fNfo(W2#V|OHHbi z?Uni%W;>9xX8iSga$(61Ur<>InMXL~%l&g9(?=0bbVpl2IRJV0!nqnp-p<&bQ=e6h zb4Obb=J<}}?MZw=dx~OyJ*QNZW82qTVligN_r+wC>!zJj3*5VojFusXpr>9Op7ZT6 zv{OY8br$2B?}rsgeW1Oc5(pBQ=AijjvckTk9SO%R@&KgW9CBaD?JbI`BBNuJJYTqF5IbGotRIHEnvYk}gz*s^`sO-`mjka~~D>WdRA-#(mOE}-g`}Za0 zCQuGQ%*`S9C1z(VV+WtE#<`8H2b;tkn>$JG zDQeF7EvFR)L**oaP-CIrMnY}QX-~p!E&BO{+Zu9T!gXfw49PPa=N`5m%<+l+>?t?c 
z&)=V@=|ROw@{<=>7wS%KWkdu!<|NIME~8WybrgL+mTpmR-zTfj7xAsMbelwZ?CX7r zK9ZCJ>H&zpIpi~mo*pLaeVoQwe6T?;HO(ivDh>03P@n3^R73~8Zx+LMUz<59;d)4} zO5CLHpZu{2>DxN~z69Q+f&&nEbI5%O+tD*Zl^hQ}uW{tfdE^TV__qMJ zKY3G=QqhO2HDaXhq8fgjvV2ExHJ9b-dYtdrdN8MNtd_d;$J@{?l6HA0?E)W&oj&NQ zgLpsoOG)i6W&7k^%_1D~<@`q4FZ9|9jV ztFTrSDphw;679KLsWQK)%vmMb$au;5!GLZ`@Nhjyk{8;ERbS~@?;;K@F~7~@4FTFckFq5BkN8RnV^4(x7-woC^#sr7H8|=(?gPpk!rp3&6gQat$ zTA3EK1#zFgyX?%5H}m7otDxPjbACI57C=6cRnD_XEujSiz4Ezr8}FiJz=MR|k{qf2_= z5r{CM$6_*ZW?E!tJX3J%4 z#^(I1CH?K#p>l4oOpA zGWlBvYcOeTo@UmDhFQ>`(GHS|X6(V5wSm$CK!!d(9*k@`b5L>@7_*7F{!?mSr;QvB z#1wo6((Ftk8cE8Ksk6x4uBL&%qyE#DPFDH6WK;n;^tfqNMdQ@k83NrYibnt(6;+UZ z-Q~^$uB3-;SDQ$hO!Z`qxh1Au?nr6~%k@1B4$}!yMwB&96{)bmMN{y)Ca9GBEU*__7SS3=yw10DSh6-s z99?Lu5D7zN+Kc2j1;W|3;X68PiRknc-(N4pk-Uj(pB=@gg5(iSJf$)S!=P)Y29y*+ zN4Ds>C3d>9tgKU^`8<(uLVjg`t$d{c0|Xk@Um?$bYf$njub&`(4}|cH7l9eXcbW`XgRVzEl4Y!gAm`) z%})$@R;&C}pStFzObZ5ROwkF2K+>7M=puhDO>E~P@LH@l6-0@0dHL)VR-Pr5yJgMp zw4K~P=ZoES2m2R=HTSo%M#;f-$-4+uH?_Q^Agrq@=WDF0$72RIl!JTqOzbN;DxRYp%yA zK6J=0#(7=g#Xz8-A0h=2t|Mcn4SEcoh5>T~pw^;)zCxXLiGBbnUX$fy3Mx^C0L(2M zFxSd!k#&=)4FEF@y1)Zkq*(P1>)XhCT=t|>g}q3bzlz}4-I}RWj|@;T2#wPHswnwhD*f3@b|m;P6a0X-wvJwgd9li$rTTvta?LzZ70gjS-4BqhLH z2tdMODuICbCATqEWzH;zZx`&;ixjeA0yo70CsWS4eUf0*8g<2v`|>9QI`cP}skB3^ zST$|o%&uHVW%f_hO14rV#T-88?j^lO8J*vtaK<%Q(MeR+lKs2YZiQ#a#BS< zTQ|&AYMyevba_pq}FFv2f`g) z&3J1w%a|*)^_AXr;vN9A`0MZ%REypuGIJ~#TzH9p<^r+#emUl!PMM>rBq<;PlcxoK zA(SUmKUoS$&-0%Y%rO8QS&4>QxOH8|h+8&)Tbn_b>e@JNb6Mh2HZ-L8YD9UY^ILYi z64iPcPk2aVxJhhTc9P=&vl*Bhv3XRVJmDnP$fGFci&H=`0qdu;plj%c%du!W--2*r zIee?4o&b1SPz{|8JMi?kgi8&r((iMa;M|@{W9oq z4!$i*n%+}8R1oC2;&Wzyb8W^~Uj5@N9Umz3C-Ayb&_sv zo#A>XtfZO6ZZfEx`76_S3tL%Gp;1)#-D9g#$Ad>l{CkvhZwG zeT&)33XBfHRwX&kb7!fHL`;0J2|ujFExT1gRE=gZ^FhD+42FrgivHli7%UDu5|7OX z55{0|;3k0>gUx4G9SkO?++1Sw-|C>R3l&2;^6riqHpZms+CAJyW9b|Wjz5xDH4-K9 z!6xJ|^g7^^9b}{xY}Zt?KNkjIsZ71-v>uF+;;D)$)0zSTM*qzR!$VCVg$w%Ghov97V)ci2+N^0Cl zS_Pj9FBw+x%uHjNhsMd@!(qNN&{+qL2ts$qVA%-FC+C8YWEv^zMeIvEMEdlBrBRdX 
z+FBp5CBoJMrtOq1k=|+V+`c4uVDUP+-SuW`2&L$A-*8Gv0HD&@f?Fnc$XInmA?_tA z#l`*%lLf6~qWwoUL%HE8Svag{gk)eo5|UaZtng}pkbyjF$8>Sm^Oqbg-_YSu%k^9&pYf}-nteLUa1LpOmDFy zm8NJ+Pix#hy^lXG`sSD96)cyW<%j`N@Aj|JBwOaF)bWlvvSD*d`dkh|rI&ZyJEO4! zDf9Wg!gpAY1J9@TcTXp0A6-0d^smWTwYj)lmB0Jr`=|TQHxD=03GBakc(>6*Bzd~@~m`jLArEgtOL|Iyve z<^9!$uZ)yZ9My^MDGB*)6mm3{jb(-0_m>^F&)5W=<@Z-XMs(djB|UQ0xWAL4-E>O! ztfyt;esM?(CH{VTltQc-T8xJRTAEz&17k@~%a>0#_jjOVa`s0*{o#rJntbo|)6?6( zdUp2p*I%Dr-oJTse+OEgK;6aL`-i8C+td4pFV8+O4({fn#MD#e5l6$<<`sGV>t05x z0&`?gL`hRAy=q{n>LKU?Ex>O%Gy*|O6xEdslzV6mk53Pqi#I2~jHlk$`u#&Q4lX4( zzPh>G{Pg!fnp{5eYra31{QB|d*{>n>Q?VEsA4{50B)cYuvObbw$C)3=gM;jkUcX3o zh?#|CH4L{64r9@g028(*@pECKq+Geov2a=8c{-O5 zHBmLxCJ~=A6A8l!(y#3!xTSl!=*VI6t{OEP%4{#=9(0tZggf&Cd2zd`ojpbY%sZ^Q~!4+SQ5yLDV9rf{{-7zRoqI``7q|4D03fLS0 zpmhLZ!O``|pswU27pgprgQ?9jkYNI3OYm((8pBS0q_xG019chm$=yH4M^RMu(`n3;?}0-eoJ&Ff|X!(47v%+E?07mz88-U!PkELLX)c(#J& z!mo=f!mlJo`sk7cydx7DHS3reQt4Ey)gixJD5cRM(#8}ZRo~^~r518gW`b+DcZ@_^ zY#IvB8q}+d?!K}G(V@b-ie%Hc!9s1G@&Kqmhki-ZPMY0QSV}4J3!_R&N?Qg%S2n$r zsi@UL##$m&?aI=SMBG!44Euf9RVHZ#~VGb6(y>@OfGfFZ;ujJ!%$;t45;LlLV8 zRd=h*!;x9Xui%Dzg(>5EiBfyko@>AgEL?*PpEzSFta>h`4RFxSYDbU(wXT_CtS?YSc(5k3%~$C1Ijl9x$S|a|B2uzbFA3 zNx0ZT30oafi(x-D%D+I}DcJ9VVwVaFvI>F_13_T0s4D6uH;u{rNUIwv4mUv(_Da#Z zJD9;PmPYgv-Znz+#_$nH6_=x25lPOBcn;$`UH7P~=EjBtD}WwKDk40|OTR?qNJNxF z5D1jYLI(F*7fxkLGW+BVli+5VEmfGP!A%OgMPX`rONV zjuS1GG5f6*`Jrm0TMf>|U`Qy!6R1i-KSJ}_lPgY_H2iPGO)B`GmM~p}sPWI`70Hh%H zPr?vDAlOma6K3{99ufi`K4!#s1WXQC?iUxvZbK35p%zio;1R+_;Ymm#PG~m)NG{^X0x$a8D`@PL-cBn=5 z#l7j9d4B_#NAZ%>D#x7uw79+GJd-2`JIX2Oq6IAc6Lp4io)XLj=*$TeNhe*Uf`;ce zN7%vm_QaogS2+^8Kmn)%1Ga$c5PJm1q2U!A^QMIj%wnhcFl^nD*zr+>5;QX0q|_eR2l%*!K~fk zkb{Gw-kp?p&4N|g5Y&p?F7@Qn_pYm(A=6~1LW^BN5TRMS5B0u*)9wb$D9@G9U3V-v zplQNkwmRr0m727F>FZ$;0vW01go0sxZ;~h&vBT;YhyWM?lOO0uXDP zj}7LS3DdCogyG$Em`JBxL7HbIX&^QQO5 zA3Qwu{`N6xuT1cfo+Yf{U~RdLU@WQHw^OduuFqOo+0C}xF|XO$a$C}=!M9GkMtQfI zMO*9cu6wEfr`=YTj%n?^JMPtyA((CXy>+5&K8FgQsA!~qTbuBZ^cvDU3j)JgnrD)( 
zxmPl$Poi7l<*Yjjcl=pUG;Vh3Tw+vh47kcalSG7%y!kz%GtSO@ms)fXPwm@0QEj-B zex}AkU^7!y={~(_>8zMX&quizIJJ*kne@KpVx-Cz(-jTldzX{+xEU-yhCorJtpuRy z|K0y;>FO~r-4hBWCmStk9kXpJu?@+X3DpUheF>T693fK7w?m=!?#8@&UszD>D6?|_ zEa)9EW-*4gclER@KGeDIF*;x}0}!_B}H%Iu1KBFFHP$ z2Y{UaUCT*<4?u>k1R2WOrtR$D?o46}$8YIxwIq?sN)|zpYUs?G^R3}rSEcuj8fv03 zLEGC~&qPfeb|h-zgH6k71`Cr9D{D3;{3ZY(e(y>e}9_8A{H#^&-G+N|{ev3kbnQ zkW7R`kIXfXTB*8}fW~qL-^V#~1~JdTgxe!b@3pW6B8V-1-4A4Y%{qk!>${?fbg*Cs zsT&H&N<7RgVavl*HC1lUb<9RZktYSqz^zU(>2z!4zxb4heA>LvEER0IdNID3Gi zo~}M&pcalJC}AHHsj;Mj2EDVjiY6AEOo!U*&^Fq9wE$l&LAragnbPb~!22w1yRp?+ zggSXjP;qKP?;>=_iG#i9SadCW!Nh~hH*%hrtFwX^Bu48E5A7mB^~YEUy}g^vYGuS- zh_Lx@6=G7hf`ktXx?M1%zid58kbIvt?MHX%N}(j2r*gtsm6S|(t<}jTaK(DL!znD` zr2p{P5uCG&ywbT=q|=vF5^tGoFL8-;*bt1mmT0UNpzlFcB(QzZuyYa0cFYyQoSX%A zFgloA>QYnMXCiyjLpnVw;O6s!xN!drO$;@FNt$8=W{>^9&x%HYR_^z-tf*k_o&3ue zeIx>>%0#i?y);Ei6i(`R8P&)4+U0Ybwr=NH8IFYgTjojF9$=g!Xi6Y3<0yj$wc(2w zU6!1VOHu*jwe6R>N)ilTNo90C(8wXu@7YnjSa0|7j7f5{A8>$VUA$||7SkeYC3FacxV;6~JUVr8 z8UA>uojZR~2|RmB*hjcY4N1mvYkb|ocs}b?Hn`ORMxU}3YLGT;g-D%O>Z}z9Zhd2v z=gPQ-XRW#|(u+JC!dM-M%}e8vtk_Ge0GlHM@?ff=-lUmTM6+1_~(%R+7PA3+1AbX`(n$iEdrAik=9l{%Y43U{TT0#_I&+*KK( zuU(dT!?j<|{qKC{Ja|>3>Z&HD4P-AOY;Qm}hF&m~*6{N%Z1Xh0+~Th;$v zLd^v5`pX3xEK;-lP! 
z+NjXec9vzL2)ujk%o1m=L^id5$yjK2h+tHEpDWyP-jn%DJX0Hq8WpO-po^G37z2W4 z5od0jar#R4RtZFp7s7ua8PIua-j<+hXUca>#!0IQjQgjhSyawTzV5KE+L_3cQ}Je< zOC_d3s4HppDE#Ln=tBZJ9|yr0$DrEVF|qBnsUYI?Ft0jJlq% z68`J1;8Eee@Y_Z{-7-@9;W#@^ft(70Hx6bt1@c#|^NriO3LQ6rUs`EApU*a&e~ME` z!4x8>oV=LN8$y`k-Czmu&kHg}-H6(Tr3;-G1?nO#ZaypC=I}8Q8zfp=W1&dRq zk`4vbT&7WfDuj@jR{u<^uAOZ=Ix-Yz+B(Xg7W*1J;BC_Zwrn zCmVAy*Up71U9pBQhlpT4m<*&{99s#^{QLsjxyzm6cxksAD=Db#PZQ3z)r6<7X|pIP ziBR5Z)kOk|sgNt44slrJ^iiehqqH>&0gt4Z#J()YjM@w=3A)|A+{qEnmIvK2E1@+K zh=4C+f|0{p^bEBd#{unv%!ypRkb-o|k<(rB&}mtwMq39*C01S#GyG&%#9*%!jk)sB zo!8L-g5&D|UidA#Ycj-5r*n^TOifvcei_AAD+8KVSviQ5CF24rQaQXybZc*lb8&pZ zOa)Avjcg(KNn<)~egpusL0}#9Qb|#ei&a+uazkCO6;k`X)g$*)IwWv-Ak3Z`8iT0# z`VyRIcP}BTp;E^aqBkD`WPp!?G1_$%7CYZ>WUCqSR_<{S^&uh54(4?P=weZ_Yul`x zpv`2}?e9Uf5}S~SElBY_-&&#}5S1;y5$OR;#h5rEuuDif!l{2T1JQuyB*=4!*(-68 zfE!Wr#sk+GrP>ENMh<$pZpBZFITli<_Xnd{s)ZQP7>g^hvDA#o-csHv>*NtZ~7sZSv%u5%v;veEI#*f?X}R#e(6{DU#O$DL^3!B6wj z-n$8Q3>N8A330KxeJ8(JCKCBaY+PdBvkz1{U zVW_U5=xSYWuM71H&8FS1b^Vs!@I{g_Pn*EmB*|l^i`}g3ZM$vj+x6bEuP1$)qwd}t zGskzlH?7*~TW{6--XtH~-kW4;?|5(M1+RAC-S0hr++4n+>G?P3*YEDEMf%0<`NQUy z?`|G8Z&a|;H>)J=3M~p`lN6>354*oZzY)}SESz87-#y+uQZaP-&H2NHI=5fkZu+JY zQ*l(DJBisYbOBl~da1!EddEB-H@BRZ!0XRn(dPeZ5M*K^$cp!K6hz3aSg>nator8@ zDu9lGt+-*Uayw412pgiLs;>HRHLu(8=Uh$R-zkBWtb&OS+EFt9=;qB0)m|^ZCq|xp z@B9jEKHR)|_XH3x?ykZvOH7>3$=WU*CNB&SCrU1Hkm-i#MBk2zQ{y zgz?G`CKM=03UN_=FtH;Ebn$zCz=e}fI{Jcx6x?0syz%n&{lkY(_iuUDo!r5kE-wG< z?*8lB&DEEl)F*z}^NYvFcW>Sb?~fl$$nLe5onKzsB<~;IFdh@Wy|{V9@9qc&#?ui3 z?>Lyj==J>i^8SO#(n-zcZ*MOip6)ge8t&=g{#N&%U%tIO-~8(7gUQOtU3=#3?ajsA z)A`fI!~J1;Whu<+oyBxjsx2HA3*r#O7OKuwJ7n}#k;51 z`Z5sY%>}ayL~)~fOaX{PAvikb@%4>(BPgUPH85egqf76TZsAb;X-`-r_Y{XW9J0ZL`_gC+3H_##6aP`gvF4P^yiZ?uLt~b=V z!hHF1xjD@IE%#hpLYqZkqqh(DPhNFy!f%u;;s1r#JU!m!Exh_Jg-?KmX%%{uS8w zL$U9Nx6tkB+pFs>2b9!%-JJ3>gL#y)S|L2y#U%#buZgsDt>$Ge^)bo1DAAiL*Ct}408wA#x*`EOD{<{FAbW1{>v2vpVN-Td#HhJD)+RZe zME-1yB|)721eVU)#a)B7om>(Wv_H1y?}IwG#6*1D5;vFnG>d^+Al~9T+Bj-;mr*!= zha2o7maiSHDl6^Ppf3&o$dYYGcT4 
z1hKh9B-mALhT2Uibv!)==GJE?gV%A&#hNB_ol*35ZrM>{jVfqkuPoWL2i4anE^olL zCpk1{OX5a58B`~ndeB>+p~I14gj%`i&dwkQK=MjKI@nclTfZN`*4H(80OXnQy{8g> zH{3%#36&fvrc0%k4uFYpRsxUUY~4NEP@E~l$!}P=&55HlTF|+ZH6us)!f8d!%jKI6 zn_C2HP#Nt!naD`bmP+c_xM;TAowNVn88}zE1tf_G?*c1R|IW!I$v&0mN03J20zY6& z_nG0cX~v#^cZ@&FH$8^h%i2-5$kO!QzGR6wvs{mC2d&l-=%FNKFThcs&um*w;H=)? zj|+0AJfXjkRN6)e2{U2$@!1oYOM7FSXYIpgoaX3_q}*$K(xl_wMemdsy2e@cGd>uA0$Fiipb>SH9g+&`;zmn&A{ob-!7ZdojU3n|{2&&n?%iG2FES3@)66dCwYf#S`t4TW4 z9H2e@wBfp^B&`z}(cT01`A{via&uU|r5RW%f;aTSvMr6l_k@j30n1W5+^uRs^#W0x z>>}d+*u@Y4g!n|s8JC?WT|94#JsEb~9((d&t~F?4bx<3B34Eu-m$MgESxy|LiITQ_ zdU&0%g?p%!9=vnEuP#>OsBk4pJ~dr~|6%SM3@WK8lJmrOP*%`M(2y;>kj@|_8fv$DD5jMa z7U#&nT=>c~kk=5zYlL@xlP=INN>lL`>4@0FVMw4@(J(&5C9(xS>qz8e*l{F~JotX3 zU-rV3<}lJ*LDZ_&iN3#ow3by*)2Mw^2qL(uNDlDcp4)CJ;wyyW7=zof z!MAI$Cf8!J_GPG2h5*u?@|NPp+2tG8s>IAbkfOR&C6j|3nSC`eIO|wMp-iQQW8N8t+a5DQPaPN{f;+Kz-@dE>0X0Ht|y<9otGKLvUL4eO6iS=jH>x&#Lu^TI$&o zr#cx^p|%zLB4{36Zy7Wkx?vMnT)W2%h?5_xVs}Enu?WHtbZ=dfY(_jHE+lo$)krRc zi%CSnLNNOt>jb@oMv``mO|YHD>e$B1il@<%R)p=WkY?mgHi``4VB?_Ir2kwpNH4Xf zvAu(VtKOJcPAU5DDvcs^EdV6va4}h|k7zAhOisod`+2b zXN|UKAX71cqatVEr*6xX9g+KSm@qdy(0!!iGf@?X9f_*=V2&yxPZmbVc1cCCNN3o$mg?6{8LRrCT9zvHLW~a!S!nCI3Eb~E(X#rTZXmEAvLYIln5Z%ix>*e|g z$UqfVMYGc~U9j*4+TnE!Vnr3}M!=>D+9VlveOktISNbk12Dc5ofk{YSo3u^X!6xRh z7=-EwSYQy|$ejAZ+Ab=WoVj`gcyb~oo@66`PkFA`{9OPYW;IGL8etFz1t_7zg(D_M z{1zfK^eD7w+4jffMY4|lY~@@E(s%)yIqH}OQ)2!uW?)#O_{BAligf+X69Q9 z!vIU})=slrMy*jIoa&u38TSs@);a|~1_d-2laptC_W_Gcf9szXlETb@L4Y#ah-mCi zSB&h6vTU?SqAO}6pDr3{L&Fo*d-TNeHAF`&TStyt&+C%A9nlHNZSRtZ>%Hpp1xm;O zX@-Wf8xxzbeUxPUZq{%qiidCER6AwVhjCy;r|dXFbmEXi8<#**Ox?_@8K|_9mF{XG zW3}3k2qd7urF?>;1THH!g6c#jn`#=kWUe7_xz#J#8S{H~z*2{nvRjnfP!)%8)>#dy zHH_P~-Hm#`fy&0@3rbp+3tE9vIh-sY6$QKElrA}nMaq_n(gIAXP(Utgz0X;@KnFAV z8_TIGNNBNOcOqL(ijNmeOi>ga%cdrbQaUEWyh@QquNNb8#{6O11x3R;E8yg$$Ae9_)=X8&NkKum zrjtWrW=IZm!J?oW8UM)>thN5L#W@oy=#W!V3$dnGN;0Voy$3#Gw$O`K^gPaAnG4n`@Pq^WXvpv$93@5WB?OlSgvub!#E@s9YZ55<`o@gG8xVJ 
z0DVa_Kp|!%o8-+M{6sPZ)$Q9>`_)>|#1f;j@QXoHEq?_!7iI_n0XYe+BR7GR_nU3g zQE-f{gR^jt?c{}Yn+)EjdleHqYX3__efQ~BD7*%U%u_Xi?vz>+w1CHVCKL&x0PC$u z2&pSt<6Gm3tW4c06o}eX)G8g@Y$+EENC>%(!T5A^#du5w>2Ew|jdM_6c+PQ0RkOcA zNnh5UldcHKsa(hfl0-Gpesb{>&rRY+&x^6%+)Ox?Fi?7ODFpD zra;Gz|6M-?^|TE^K;9Zv%;9xkSrE7nx-XSx@)oehi~03@g)*L2>n&Y4t$|5j6v61o zZ3QW#(Tv=Tg|+l#k%!QuE_Va6W8be;9Z8wIwbkxQV$go9Eb*M=C1GWo_Z~-jI3r+6 z=x|0tQ6^+9C%GF-NgT9wtP#*A)51raE&Ola)Iyo7F2Z$LsN#Jia_*5VfU~!OM$Svj z60ryvo8n$<$`}<<+xu!G+>MT6h#^Xu@kbzcVq(+vx(QSr^AK!~ob+3oE7L!}?(Qcb z#z%A|paE)J=s<_=KzA+_b5)J3u`@JSUTEVY zmdh+~e{PF&Zd8sdZKV`=>8a*9LKzd=U3w1SMZ*K|C~1ad4lnfm;h&LG4cKO^VeQkp zAuH)NxAO>Ktz8qH-_V_uBwj>`IW?v|E=xgiuru;ipg_HkTP`v809RWV03C@5b&3P4JBTV4Dz{gCDkq)(bh_wFXKwaY<|cY8Dl^&of4UT9*B0{Z zXMggi4Aj*X*?L2E+{=k*r=&$^X~)*Mu;X4bN>AyLnco{ypDjH&^kqGNyu5$A$-6s# z@9F+BYlGQw4?9A@frgWH<6t#QeXx$GS>NCZO%ED(_O%!$QL1?>Yx4~#=@i*|W&HL0 z`u@RsIj`%}O-obW6B&7$`-Zlx_g|@{?&fP6Vj5ZNM!tUcNV{4Z7<2nfH4NN- z^XAJBKmGV8AAbDV#~=RQ&%R(XzO|=lV8T(U+?95?B&rsY;xkIdD{3X?8?T5uMR88b zsA%Bi>?7u2B zyem4OGx+7h&0CtaPDE!H37yg37&QH$%_~z>A^&|J%gip@C zxc?)%^WI-=_{uST!l*GfKU*GUZ>>hh%aEI&=G#}8u}8_br|yAWie|?ZAE!b$qJ7s( zY>XMHMG8lt34@d8oW`qBM~olN9ijjsHW0EPo0SS!I$zk*%EBSJ`50}Yd_UC(SIh!w zK4J9*c#&+=9nM9nts_j_=91!^9mf z252Zh;NmHd!Q@5)XD0W89ZPmZBUN%6AyySz40hw)_TN@lKCa_nk%;Dc3R)|!rnJAB zWNS+Ovt%C-yR^g6!KQV=JF8zvl8KKtYc?x5DRsd)3fZj9XsI!g1wD)|Bp{#^wZ*w^ zX7tNVHXlyGGgm2a#c_WwtR}M`Gyb^I$OVTP)F(scOJOHflCBQGI+DlNppGaxCDLMu z9f|V&PajlDloeYWR3Jf1=~6OUQYAb9mdB~n7$f5 zgO?-pF>=y`iMP>mif`~*liiD5vi?BX%he)wkIaCvPlYub-$ha&;wr3xN_a)SO}wMR zde>l$n&3H!?K47)1Sr`&uBLq`Ya!Pu;uwzVLbSg};d3FfZww2HiBskFN;6m>y-xnr zVbtosEHd*W)h^>uaTM#SiD8Gvvm-Oa7lx5f~lfru5X?ShNq<-_*_4@0tZ zj9R#?ojduwg!^RJao|iIY=ARV(shEaMN%RS#b_W7MX)&U+6YJlrx;C^(yd62yIX=E z`;von`%v`$5wu)%pESA`g2*FS6K)GOj*}_0LI|%IB~x|{mLpInMH61N*pwn*U?H(3 zI&?%I4%)bGMZv^)CO))B=JwxWXxCR?Zo_iaL}FfxuXi!5&1Agk7NrhbiJ=YZNH&QN zHlZAZp;53RmC~T5RqM65SS%rI3%Ga2GWCStWvGMT;48qs=ASU8hvovIN1GnQt@3%j z1wcjzI7-g5=6Xap@<5`F%&|I8^4Z!MU&(V%9CjoQ0x4fkMM(?`Hd`5`xmR 
z5^#`2mTA=~N+lk-H!x0OWTYl=XWmk+*mq6gd6dGg zCSDpRzb(_FT#J}fRYJuBqteaMtp^)LXaV)K@#f4$LmBAnb*3{? zsFQ;0)DU6{Iv0|*@YejuG7cc0p602wiMXiN80*s{lkB}Dm{4~C&Q>_`m72OAhtBmn6aWK_stB@&#fxH^@@ z+yAk{RJ30>;$cm*H;j;yNJ<>hD@(V*FS}7Y;KSu0JO-Ct4%ZPMS_lgzAzu7~&+x?% zRqD0XtfDhX+{!)}{^GDB@fRO#;?GK^yUi5k379sc1aC0>hCr#{^yq>P|C0usl1%AQ zmDDwg_QF|cW<8tYc85M6hqFbKVTU5k8L`QOxh*=@YYP?$*z||VyKw5P(N<--p3BI@ zS1|8NVOK@%@EG_m#{Q!BmSnE%jQS0Zbv_T7o&oVGVmBs;?Rn-R75DU2tlPpk3ov<>l2*k{@-lGe#R_I@9=(3Wnqq8T_ zSk^?$##PpxdW_lw zJs34&eN;uUZUB?be5Ta_OlJT~UK+6cC$1Dz&8KTJ6>#!BcctYa1T$nF#FYLZIm4C~ zz-P(UbI@&)apjt>=q+;2(%-V319!5r2dkb^o2R1zj{w!o%Fohb2*@ZlC(GH`Tu!-^ znw5}mR80C)Bv=ZB%jZ{WU2$>I#xgI!R@JONK&#K5fmBw@E_J+|ghH&ajBv zL15(Ji6uJ~14;U*xP}2xup`~mgiEKB3C|{PU37PI^J8vBSztScAvS=Lnn^gshj*>c3U$LQ?QtCw-~WGvX&#z3#xTW24BvGDpBld z&gF}PoYNPw#(LJj29qhNowmukd9(H zB6>P&AnD9DYn#RBNjS4bwg+X^HEk$3T07O81)2VxJ+HPV9ynq!fQY<8S8<1KnHo{K zd0DhARS$sfl^!P&g4iKqMvz1?4Pu!lwIg|W>kTrZfk;E*5%!&R$#kj56dX*nFO^Aj zr2r-rm)Au@KP)Hx&dMyU!GO66ES=|EMx>#@gG4|TJ(>l9NOX#tmU?!-4h3_L1Xdvm zLU;Aid$0wWdz)(od=rmKFG6-4rFmw}$0`dO;d6}8b5LPsy0H1dg^0GQguo#j2ZFB z0-xZSN-j)N$vK5KoPE*h5phRv@q#z;Oz4}j>&8JsrSCBbnR%&wvQ6?zc8eLLKHbL2 zMak4)P#(cDL5|Ujx(QYe@##5!o+*ylMa66}ugsQZ3mH|Srx@t-3L_AKOd#oaGdx`ly-X!cEA9nNM*y!ytl*Z++OhMLy0iy+I?$^R^_f8- zjp*Xjrr~TEOc|QNhLff2Y->>)I@PRcKJ~pctD*$CEnd60_1n4{FVx)8vK>Zo#Swr? 
zlm%m?Nwc#>*dA&|y1SXqXwn-h+u2qoi-EglQ3tr1E}b#1q7VgQypfG~@#awA0;sI6 z0T8`$t%@QU_x1+w+_X_BDiu8+R}@6!1}7!iCQ9>C99bUL9e_R?cI=XrT)*9shwev} zIO^1y_g&&B(oB{UD;%>WrJ8DFg`)(4>$G9)Z_YE6vCW)!w8I_S>I;mz6iPG!RGWYY zi#FH9MZe0pEt3Mm4qsxfQ2E|f08U(*I|3gf{!Gd@^+2;Sz&|Co!^Emw;b+zd42W3a z^Tx6lx0SJ&uj5vR6*>EY(jli?%#z~5gQ1O`wRD==vO@i%(6XuKXcX||LrP?sKy2*= zh+xe*w{!-(&xO*2f>xx%{~lcIcK5cR=B-}VgnjJ7n0c|LA%ljs2IEK2PLa|%UK=>H z_fnwrFlDDNOpz;ORWH?Pl-BB`givb-K==6!iYVC#9xwMVVrCMSsZ#De+{No=RCxq+A%e#|bo*1>N#SDM+ zjk0^Gg;>$-VLo|tGPhIF!}TrKbADgbkjCHQ+au3cFeiON`QG(Q#xm9jmpozpli3A5 z#W~Xm?waExc?gO~hAbDlC%n^LF@l?tyJP?sP}zg-8z(L1^?3f;z3=kGU%KhshRZnJ zdNjA>Z2gxfuTQQ48YzDq`Puw*03{y$b(rFBq2_S@`sDMIKLl<&(jVE8SQTX*{iKnE zNN*0|bPEbspeQM7GShvAT~t$VzU`K6c(vK3TmFi@VJw6g=eT8EYn6zlXUM+0W75;kC7VofbpcSa1fyS z>=LRwCxC37l|+d$KX_Ks^Sz7iUDV%s`_51R9`dKuYsWjozJ@f@n4OE@iN;QMf-bPW+5xglhzJ)Z5 zFSLm`A2VI%=tQzKefYON!^Elro11oN{S%Yq75SCZF)!`{hMz;%PxW+WRHv2HhV&x) z+tFo;QpYLDpZ(J$5&nQ-f?Cd2WW*EligLDaXJFGBB=og1IjTsDgc;JJrXKOAxEPK_ z!n#}pQwg%aQGd$a?@q}%&e1a*l#oX`LQ5;ZmeA5FQ`3d@jj&#u^cI`L)auuXYEv93 zs@MUXyqz_ak=r^bu7Zm@bM1UljuY8laKkqOvrZ>#sWwEeFW8sP31J7>B+7`gCuBF^ z$MKtUWYEQ##{n-dY*-v6K2d#qXd1P6!Q2D~pEfAeOLEw(bFDA+ zYT@)iI?_?XjG5@pzxHX0n4HS+w6r=KTliAQV?%9_2-|`lN$*|RB`##50ESoGJmK=w z%ACY4zGbd}Og44n^4qotqtIID5^e9!y9-AZSni71jR1f}Hut=8&>llClsLmsW}+8N zn7#;lp(>37Is_5b?UwrooE>h4_xY7!<7_jvs-*E4}lQv*=5>3K0>(&HZs6P!a_Rx7NX<@WpR9*an3};32}^gh7y@rzK=$E;MvF zDNv4Z!6oi;=YOwCx+EU(zgNjy(y`;|S-W^FbujuI4!>B=iRPTL!HZqWI_19}`?Mo^ zV4hQQ5-K{X4&|VGE+gRF*jSs4zZ~8xV8mi|IG8qUuV@iot|;HjWwEeUnamzSf+SahkuzPPCWESl*c^OyH;|R5rq*p)o^oPY zIxn+9%fdJ#%Jm0&hAF?_XU>N_KXdhu0#)9t?AtW487V(kjcl9$-AV)(I52avn7L~W z*+;#~^43$B{RUY|^DKM2&992yOYGNGSlpl4=5idAcNV^HazymKRf1q9vYe5?7e3dX zYx(0@s73D?59McMzaHwCkLXD4()Qi?udDRPhwtPuAC}E|u>4n3d&&=G#81;?SnIJD zj`@&Puy%J1I_Bf-2X}Y(PmhzAI1vmzSy}FEdT7F`J~Y8FQs>1YTFGH(ZO`VpuHm!-oj~x>{lnGfVe(RWwbP%UoN-LT6X!l$-rsS^#1n^3d~+U7#@Kw2 z9Io)Ao4Y?dIr}NcY)oF(p>aC!(Ce=bNS8P;C1W}ovh^yR)}L--3l1r_J=1vHY&j*P 
zXEs#`K)czfhnxj^cg!XveZR~B$Wd}_0P2v34q#Vv?rof(vaS=B^Km(Y;*)S)8uVuU;)VX9Ie8eBv;YH{>-yd|%yMZhrdvA5AVFv%LChHE_eK!vU{GWVg`BCTv?O?uMGq}ON2Z$@Rx%S%D$YcZ z*^n4Zb<~WmX;IDWlGsCB77qrxP}M2WX(|?$J3&z<=4?G3CWcjETe{Dx<~_=Ve@&tvPgT;Ar4C&pV7GqO;Y9XNTmz9y5_2`fmt%}(1>8`!Q5%|So5Lg z5OTK64+ZL*GzqM`t0@gnSjWomfO-c<5QlRQ+c7bNxWPS{tqUz^TmRd|KkRWWi)K#p z0_{}q*5$6eOVV)+u#1@hx^@p#hY;CG36cf|5EiN!t$al(Itx-R%NaRCB!Q+b{d`Wt z0Nl74tm8YYBAwk{fKVUC!&qM|YRt{MMoUgv6umc7IPJ497d6QKl)>t7KY(p^TH7)q+z%W<%uW3$4f(wgH0 zck*Bk=NC><%1{u0a@Dm>CREG-riGpWaz(eL;llaZv|UUI|1ht<4N_tbgEd914biRD zG*)|i0LPb%B<}5lTO&YnK zDQQ1s6z@eUTa?y#^|TY_jYViP6+KM{rEDR&;i{b+?Pw%BIxe2>I<;g@yVLb;Lo+u@ zF*SF`u6^Q*p*K@M|FMADhsGb0#tTJqfJV7u{r1Q6AXP*Ipk z2&W@hWV03RnH?n$R%@0@hx%BFg@oi?Zed~jHQRQEnz^=$OB+M*IPlRv6|E}f1vOdO z+P*Dk`-IN>6&WF`&Ir^#XEfGsOfu{^J1==KKP~}_+F`i|kH!&_nA(E%ibd2xI8l)a z7dXtH<=dEI5I8Dwh6@Se9$FoDcHXG8>t*DJUGnak?$H7aQLRfKdj+ssL4fZ>zX%<|5(s{)+OK49)MO6v`*gu84028E0%2 zj*h37j4w&)nV)h#CN2+1;v}yvJBBt)5#JJZW+g281XBwF{{@U${ ztOk~6@-R}@)?t2!q6#h*NfIk|+cE1S*d%7jCe1Iy#-(DjE@~3&ms(>U42bF(K;2e@ zYD>;#=+dJ2ph~KewVkEGu@Y%_XH%tHf3~NT(v7Q5VLkFWl7z)RT*QDtI*Mf4FgZsTCb2^&)(8gd8K;u~Z5&Ga6 zxod~%+(-#TO|ZMfYj^G%1?(};e|AM{x>qe%&HA*0Es2q8F*ks(B@gE~+U4Fp2E*aw!G>bpQ&W;t`P=)bdK z5EMB3%6LT>pwdu*2#-T{8mOhflI;q@k?nX!JV1`0JA=?pw5FD2oo=MA7L5Q9E9(@y zLEUt!Yy_wan=l9EBwIkpkL23*C=#pmD($kmFj2^4c86ulDd4~FPq6zr|71z+)Qd3@ zz-Nf7;iYFNutMIUk}eD-jE`T2(A(6i4z`IMDye)Tjt`{A35FE=0g&yW4*56KW!>Y_cC<=2|8RA&;N z{p=^NexZC*4gdMm#hbS@oGk@D>o|)Pi@BxiIzw}9H%!ic_9uVJon0+ui)l#F+>#G_ zartL=_g~*`uD;y7+1x!n_NBr)Bi_yygq+o9eqBsSz@1I$kGo#?Cc_rf(5&_VlbFwV z*;3IS9iwO^iPpbq_axG!(w>yu2XZtYZ|?8TUy~nv|L{#8BwSk?WB`I*kWel#Z6PXR z9&q{=K%|+X&zwU9grA15_}o2-)Qsqv#M_6>^~GgxQnaT89g#F&PgZ0GPf3klAV;cg zs}IU`3mNQqaa^>2cUbh!cL!y?<=yCKSn%en&Exs~_4(EPm`hSZoETCQ z%9u&F-vSFtYNM6dgO3rjsG$)i5}>hj9)m>X?Zp$o2yD`;HJq%(xwW!$(FMijlX6XH zdYh;$28qgnbBK`e)9{ekJ&Pf-^6mMX`>S`in{#mUz`u|o_ji4y;Y4St(lbP7v82Bd z8!&X2C&;i(cv7dflQ!Otnn?tTpG*MC&Z!KLrEw}~lFb9PHh|{}ae8xob9u21K%QR6 
zIF)T7KozSM08;F5n_Q(s{s;h#omB*upI89a&S?#hu}}9%*snGZU)^lJ?xPzI7Q6}C zbRu49v{Wqwpo${qZ2}env=c5vCJ-Uu=MW&UYXao}*?M_TCC|;p-P8Hg#lx4IC)2>2 zuP$!iZKW0UB;bHXQn7Sa9-bG;BFdhl?b&IyP12SFB<-Gaig5DN3UJyvrvXw|h!mE_eqGES-XK!hIfEJoVGb$U!D=1JeLee5grA zNcwpONSflzliqZDxQcx9M6QHKL2wU@`-Wk`(xDlAXHKoic2X=|u4O83pj{oX-%c{u-B} zKknjGKYg3HhtG z={w&(Kr-Jye0gzq^Eb^NytqA&JbZt9b9uAN8d}nghPrP!NR1umlNBkZ+XOJ2wv&7I zoly-WKdC?;JEk-nBWPm;sZTdK0lUQ6qx`-AUn`DiT@uTyiheSgjghXq=MW*`rr{y6 za~1<+YE2(;7U$RZ4=D1DY{WjOIPO_eeoSL1`BrPnR)_tnkA{oU?pC~d^>+KGYEk#f35{!s6T*S-aA1H|zGXBlDX zCK_P5YnB5fb3M!JcXt*5LPkAoe);a^VaTS+vOt^T!InhSk=BqL*7X*!4UpFRPAJ02 z%_+cW*OUf`aBSwU6aw0*z1Vcdqc=0TRJ+Y3RlVD^`fPx-9`N#d>Hhs;={w#&A0U`> z6X*K!e!Bo#;9jvMTPR9OD-p`f39E0B%hu8aNq4d(iavM>5e#k?9t=C@FhDA^aJ;C? zb9PM6ivjlC0(ng2v&87066Kmr7SycGwg_VD*Rlf;!zU3T;pPz_v1<|oWG|l3lXjcf zY-F>^w9@1C`Ssf!`%Rn&iT_Q23wl_v<*3F7>n#EnEwls-^QM=1ktb-&oez}X3mVH1cDaB~O{*foIxLb8_IGPfTrFf&|_ zENE#-w}O)Wt~F;fa1vO7LH=0m! zg}#M-rg9wnDTWU41Hd!Bk5>&FKc4`bUDFvLV)I=Vi;!NtL%yJQ-NwuL_07e0?L(~` zZZ&&S$d*dGFgjanx<%@us&<0uS@VkUa#Qp0+BvTQf*5F=|7t#6JDr5=F|~Alxq0w= zRhx76A#Sb)Y(&gSN+2{-acY@Npd>5XCIk_77LY!d72joEnF zgi(7Sdr6EY!T!r#ho2FU8jRJWV2 zHn+DocVF%Rgvxj^m#5UhAereLhC9*EQ7FBgU>Grn2njch0Eu0*7$9|FnBhH4op_;* z22M0mSDWS>sihWsTcqxCfYco|3$o)*X*V?S^9aD$HH`s6H=Tx@DYk&0zInSN#y8_= zF*+!a?M@5T1*S5+u5c%|5XS&gteRI$`QBkT^>ln zufKS1%HF&fAkt)lfF+nQ*U3UudHI33yKgfM}rwdZ9

V7?!@j<#^PtQ$; zl{%_v#ggpmRrGRfs=~5W;F38|i&{k_%;?ZFwszsn*prUOm%~Cne=>{|#%f`qZaA(m zcQ*f-xUfOQCS?R!Ag#3o?lrO!^!d#=Q)>@gJKYWWKwEwtTkt^bnRcDq>qzxxwvKv^ zV%Q+clQqn?QVr|LM17NT+>8Srx*$J8CK5w$&p1=BsY2w`Ne&bB5EhjAvrEaP*fNF} zAFwjx1M!1aS0U`;EFSeq%sh&I6O$IVsMs1|_nh;@~B**q5mH2|Qg94HRIqK7X>qTsBdTJPBgPY=P&j?5ugsZnf)S!Ttg z-4J9ZHRPD_%&$hD+3W=c&05g$)Sn45-S739K~Ef$t|oU)61Mj$)=PJPWo*yuoDlE} z_xiz+Kb|ZCBCvg*QB>E{wv38F>>ki3a`Eh5v$TMq1?!K16I>ooMs_VSd!D z0M+9FIEHtsl}`g6@6!DOv_9+K0cr~|BGs*Am6DWKm$kO&g5_Mt^t25dhmCF`64CfM zo3SZ)@m)>o9u7-B!+HX1nRzW3>KWFj-;ITJ9oR-Jbn=r`zI_J^BGq=y>sTj`wB=(Q8tR5v9llYQ#O z(|M2`Myo=jXkCApOE493GgrT-^YenOo}b60Cs31j^&%XP+SYk3@0JU;liI4%k@$AJ z`Zd_xfuoV5WEbl&RV6-?yQ_7HWVx;tf$jkZdUhzE+q2?tjl;X`6F6;$hlfB$**OF( zi>iw$#n#;rU^Qc;lqhny^B=L=h`yD>p3!t)Ex zSXd|!nR;?H^b6(O8^rUlg*!56hBSk^(>shz7}r=k3G>vVw@Ln)`Pi8Tc^=GWW#Gz&`T7wRHMG1qNHzARu6^b7HcloOMJ`tl0hN~k6WE7?h z#~~QemDDlUcIAQOjestOqffLF#oIvA=v#r5GF)n}1^+nMk|{vah1F7_!64Sj0PCQ0 zwj^BCXYC~nl661Gy?T$*ltJp*qODDnd4jW%4`uo*t6ao37)@0 zZ^EGgZ#6o*)`7!t%C=mK+zb-i$qmHRyvbaH)G(eC0z3FmNHf*UdiC!vxh-iaq^1ZK zENtzA5bX80vs$g|1L$@r4KV2fg?5ptMrnhh-!fxfh7J#kCQ8G!4TXpoEnyrAv*0Ab zjjnlDR5Es1WhQgFQ7G_^5v$@qp;LcYl%ZNynHRIQ+689^5UC-EQ(A|L8h62H>4Jd@ z_Pe~ttj9&hjgpr-v#C407rYa-60Ix9rURi0i~8fo{07fC_BIkSONF~v>`@B zCg6ey10wIKfeqkyDg>C#=9$WiKut~_CJMnDfL>l?=3ovijzObSScin@H3yr(YDx(6 zNdbT)gakZYhNrBLf>ZaMOtVhGpGuQXMc{yInpMCAvNZtV{+4Ft9;0&oCWHjvNl4(j zewKI9bGzPlc60)ZHk3>QZk)@2b<~!uy@sC=!7lD(!ht)3$(zqJuEo~IUk8;=-aPP{ zC9~;VHb^iQvLmQdE2-C}8?=51rCz^q4E@;p`FCKbR05?|mPtLsrGts?*Rz7tus9g^ z_Z!7^T1@FSf$Fpv?`b+I<&$KBYW6bANvRxw*}2>a0B!V66{p3vq?9Cw7Cq9;1fGrw zfQ|uJYEJ;?+5i^D^*{`kPzYKy&D5P1UM96Xl{p5B;@|qsz<5q-(O};Ei!R`0XL6^& z>)kSL0}^-{8$` zIZ5{*E%-j*(QK8L)aTxy8IrI{!yQft)VsW%K-0K)$!<|Xu8n5LX=CIR92&11$r4;3 zA|un0OHREKndmNh)tS)WkoUTsKY+s$E4Xc#I2|kh# zrRyNFTgGgHTw_*AEg)mh2$>>Zk5pS>O&r@+=}Fq-*OBy=#*gF@7_F4UQS*A z+sXHe59mlcDZ*uGmz;vE?zofhRd!j0%b8uy!sXm9=izc;my2+@w993~$l;n&b!z62rUCVcx21f)+o#O~ZK6L_pUO`*m-km2 zBTX8ZZ7$xN{OWK0oqz9N{MpOD|DXQTzw=N2+K2zb|M(aG^soQL|L4E_5B{~k{`xQc 
zg;)RTfB1LrzWQ(e>A(ILUj4WK^1u79{LX*$kN?4+{NI1~SAX!||L8yYUw-&k{`UX% zS8jgiKl}NA{Ez>;|9tij|Mrjm>;HH4U(EjTU-?Ua|NnUUKY#SUUj0u${D=SkU;3B+ z_kZ)B{O}+A^}qFB{m=j8pZ|Zq^S}MG|KYFwvw!sX_rCgjf9;?B|LnbEcx=zwH<)C{ zwr%d%wr$(CZQI$gZQHi(WXCop|MR@(o%0T!neQ_n>Z-cyUbSki?yI}1SO35rMJFH@ zeIU^WsMscRL|i32f%m*z?~bg;^e4nRkG}#PFnC!& zDpcb_UN#SMR{O%6XIcENs+HW zoxq?@4Nr<|ptnyi>nmz?&{4q2E9xng5O9PRos65_7e?Ie3Y01;P{0Yhgk+5btYUb! zsKNv2zCAOF#xFrM0K!}ud53)xGycvIH`v}1;q1c=GXP&1d_om5Ij#u&Qj{clYe`9( z{5@CIAh12aeo4`dQqXO86(j&{p&G=>Bv>YxqKMTP>_N=NOtX+?>rzk&)+7#cVL2wb z^}I?$`$2S$!4o2ana~I~oyOpq-UjeD@9>Bh(o#G=VI!Vh3Ay-Ph+bwva{)~^%wFza zp8}=OZxikfVk4Zeh(3OYMpW(KMd2S`{b-A_a~wLb2IORSeU85#>F(l{M}@3Kk!!H% z2aU;VXtnmr2y1s&$dPW+7e!}zk<8s#&ZGv!K9Vy&&YH|b0*sQ!4xobQ^H*El?Cit~`6(sElBkl(iGvcBGLn>%ii?~* z2K`$4y+n-0M<*FfH7i*>WvYp2dwSK?l(ZByRIbWjj>o=xv{15fZBDGBQa#dP=AXw~`84efA#u7k&oZ!e3qz%&(+Y(4p$%e67+K!=E|*#=n)%dn zNb~&n2EocErNfo#<(qOesy*sensZt`t5P%I>BBJ?DQrk2VSbJnNpI4wYZhogNm1Zb3exhOibMgw+}EIh?OS^Ptv9$A z6v-C#_8T4{%LzdgASPm$k`3F_KRF?UZv_6F+lkjQr^7SE#EZK!mWTu#=GzXO@hBI# z_yd~s#hw5GsT6XEL794cXkQzFD`yC*m$4R6v;I0G-Xo2dL|t#Dl1UH5V#r}Jm~t04 zKwwv>ml)ufX_KB~aGM^G4Vn#N(^_sg_aevvbKF$!1zp)p6RlkU%IyRw<@c`LxmT)@ z&&fwW7ezWRldM+eNHWOoQBYFh8AlN#7jdI}VGho1^G^HUD`eK6WB=%0g-md=nkQ%-uA>ptw*4F z(O!7$-9Y7``FsQUp1dxc)cheU@{KJz@j8Lc@jSwQj3QR2VlU!0<`m9$!|oj!!R>iq zqhRN8`Ixt70L2+7;^lGqi@wJhlEd}1Ru^n&G(_+97ri)kFNFvz7QUJ&G=|GP=;JnC zQZ#It=w<3xtLgWR5226mna}>zdo3oJGYQ#mGmyoA6u8X~x10IhCjNOIIr>=+K80Va zC@=PYe4i+vRi8BvJzF!9PQ*^Pd;pNdsd1cRGhzz$8XXxo&atl7XQb!tbZ1E}ZyY0> zuFiJ~*crcz1m{Qw5`LEn&Vx{>pjB7R=2w%EtPlrDI*8w;2Vo0x&Y3@84g6iu_ zU0*;yGc5pyx&Y$K@DK?v_aG%BE1BF32FwyljGQHoz(-I`&j?{)=I+u*wAJI3uK$xe zHu-6IZh{)Lp;VZ;25tN+RNq%|;dtz?Icxxy(SjGdLaqs0SLrO%HP`k2U1hQbpM?{6 z9>`Nx>mhE6=J8R<9fWpJ4xEp!t2aas&CR=IHSe~`Fb8tCGSqo^fE|QQ*P4c; zl-|iW{UETJ)z&2`KFpx$U`^QlVIN7?$QPwf0opa!oF6ij@5>wR3w;`qBS{J^+)M(c z3-%+zBMAZ7ix<1@fN!L4@+v;da7+@0_5QPfFr9fXLWt^SoDJjelhd-_j$-l%jG=ZKgHA6!m^cN1*hX`JV( 
z*3^TBgX<_>D%8l4p%Y^J1cfo~gq1?`d9Xsf@qK)wZpiwu-azrEXwiI`Vn+e@>YE*Gjjx6r;AKjvIzf@{8?gl9ghXODL38nIuT^JCng zjrhV}If4V_c2{b&!f!e~_nu$0Z<>XIvfPh?h*+cLMu&h4S`a&yQXE8dO_t0mjXjDt z^LY#$F^UulCQN8p$Bl*^uFSf6$uji+{IX7l;EciUqs7Z60k*$*kIM*_B?r4M;oBIr z08Rs|XUj)S11G!TlZ@GP=vC7fq336Zy!LRP`BJ?ao#;4N`qiPkt-`iLIaNtTSw4{@ z#&8B1dDc)kxMVueXov zaBB{WB)pml)f5pW&?RR)%4*dfFM4uj%%7_Z_P~svlb$RiC0_fx1>iKH-Aha6_yhxk zTeoi-b&2XVp0LFEJiIURrM!ZSznR9R8h(RiTRCxliEUB+;u$@1I0q+(%UhJfIn+Da z_P%T9sYmD9K6qoN@AbJpy}I z)OHMZTVlEWMB@C^NF4Gft9qSZ)t=6jULZtM0wE32IXr4if`LOW1X!xY3E}VrrS@%5 z72A?KJ@$g74f3KKCb^K0iRNgC;`GptRs2@GY*AjLs_S5>EBb3hM~C-Ssi&w!K6$6> zkIiP=-rT{*s++&R8&T&@VjN}cP&*LoJt8kl$O&{d_SWZfL9>)>Y*#huh9=U|6vr+j zm{kVM9Grg2kTKVm20sFHTKb~nveO}|pWNU;(bqb4cYbdJhwbN%)$iY32a^wju`aBO zJRi2A? zT#?b&JBCh8#+H!{OUp3QPp=L2$fSFtGkE1M8;m8m(Kni4AH_gD7^Ql1P*7RatPtUI zkEr$>*x`CcHvUMBFp+}QgQ+Xm7RDFu36%+`Ba`&<3gUvY-Or=P2@%#au`ykZEoEoD zO?M&E8kJNQO`hI7ZDsXD8w#kF)--bm)K(G`%#>M~IoQ~ozP{S$jC*a4Ga)rvTf$zm zYChkR8xh}EuYs`uzM=TT+JRk(k%CkOSysZIv*V@D((-W^t>Jcc;AkaCVjM4CH%(G1 zWNP?2SNk%R1LlWQl;~3-;#B59wq(vPM~Hb+<;x^aGvB|}4e9A2UP!W{dT8g;>l2~x z&oxM#>X~A6U8z-y6u=D=m@-HVG$59~`DWD>4d zc0tfJQfX=~w8YBDTo@?9H$d}mQtB;$RhNfA8vyqYh=x!yVX_(}BoGo+e4#=J1}S@n zzKR}dTF`F3dEfKR#QUq1u3%KJlvtm5I{bH)ZRb61L$zF-a$ByWr_IJtKB0K=#5}ir z)Bmj#SU$k=@=x^lg9;rf32mkq>q0ytr^D6oQ{!3u@o-)H1CDw1S4IZR(AehsR{agc z#VxOJ^XR&B@m^TpeDs9{xtMM{W~&_787UZM$%^~pywLgR+WSmM54ihERv-P0EjPDv zWyM1>)qMxmhv)iygQqOE0i@-FeVfJo@G{q`deTgG{~fC+3`&J#bh1k{(d?C(?|wmn zsIPlrb`woSOG7Rz^E(UX6En}yY05cOssiavA;7pA)AdC=TL1TF;H&c%rD23phJ}&~ z5?Ri`E$D


(R6v!ajOc3waNL|=(p3zD9k*J3(2;WyOmfc1y<_cM#$zhMM zblv_=x(a?UCnC?O`tUWr5DYPSWR9?cSo4OzLfH?wha#3O^J$dH#pudgi>P}9@wJO6 zU%$I?Rj%cXQT}@Gfd%#-W zpQe~#tWTt5%Yx3AxSrVC>1?ciM#*}bug2Ta%yWHKDQ@#hJ|KIeZr;1LVPq*{T{I5^ zW74q9c$wxMPt9cCGG0l7V>WUy`I>6kcoDENuR+I%FHAKG6`UUZ0&L%P4ftJ-pn?2p zsf2JO(UOn*SCZ$#xQXGrj(Vu{VLH{GBcTWrWoz(!Hi3{xsdBh;@O%rhdMNkw_yg!$ zu@yg`eOhwclo`!`V8LytDutbth)f+_>o7g-S9Vj2L+-|{60*JYGOwOSQFyTQ_-Nx{ z4>f`HkzS)%=KV-b5zbU-3X&>cSTE<929i@^0{EvZTMbsY{E5*vc$M}idW*K`Db$<4 zPalo9A?S|I0lixr-(rUYM`%jO`%|zca&iAdE1mNMTDZw(xMi3{ubr2FZa;CPe?$*K z2~YZg?-1t+`rR2gSvLux&mh`lFP7C>dyPIs%`7NN#(OgLP~mCz_e;vyt>z#n!bSy~ zrJ|rCqofsfIItsd*)Bj#I2H+f;A+zyU{)!bqh%PsWC}EvkILb4C){#21g+Pz)64L4 zN5?npy+8>aY*p8-?(p;$mUqVnOvn=$%iEI^X6ngG1S^Z}7q8^~`OoU@#O2Oif8FrZ zGd=|BY4l9z8%?SQLA%CVT7eQ;lT$7(HX(Q62X0SADueft>V5SJ((T~RFs#6{}Pa_*V5q0@oWx2C#pm7+C2BdRQ3jOqgl8KgjLF$0@yJIL*%p`t> z#0sVEEmhdc9{Id(aC<)IS=3oZMyI^iV{5xlO4Y70RQ-y^ zl=S1H`Z06h2G)CbLsP_oHY^twp=W@8TbDX6Nm@ARqKQ;H+k`-rVU^dshK)qwAY<1-7P%^R}ms z3wQE`oApe#E3W#Gh&=5rX3Owo)dBO>oU*#Y^s;y-sEzrz#m%8my5Ywpcj4i(M&^5~ zXS>P-lN3`TbZE4X%rOpFwnG6I1U_Zm{O>zL)$-morK3W|cup{f3+!tos$}u`n~=yo z()bkd)YY&=EMf{ud+cw9LeE=big+r6?K}fuu1I}Gf&*qgRMU<*A#dQn$aX|=66$W3xNJOMWAM>M+?1b5TBq=EtHSs?`~`&m?|4X>qlDjb*% z0lqXYDTd=Ixl1Esz{H)Hhmw_Zi4zT%ouP% zIjMgc95G<*BW6|=44TSMrb*G=_Ja!DaIFfZ^i|yMKR{AR&?{pUi;d6iEMByonX60# z_}c*Uk2r(W63Y+*w~fcygh7zLa*$<(sw4N**^I{Gq4R{+?&y5u?K~cjP+>fI9zsk( z&JfrDjwf|mQq6?3sxtZ;20!EL)S9`d5uRth2PbgJnNt{sCsKXgaX?d7-OsWNTQ#DUQBq7+IGE1IIUJKuq+gvrCcDqZL{(!yE{_9VkUMnHyLYm3X`NkBI!aVezK-7* z1)6@HxOIWH^gPh>lu=y~U(F>qu1#P;X*w#0JZ*Kq($+%~?D58_r^Kht)fJp~$U?km zVs9OJ?4|*SK_O>*}JeHGzqDzd!>kUwSH!DhbGM6u=rX zIw=Vk>6cyD5{axD)9kv2MCA;Tv4YH6z3}=rO{KMedZO_X@BwOXq7IMNg$T+TE*JqY z*h;~>G*^4v4VL!a!5mdhhHkE>wV}@44EMZWVMQS!CR6_$IU4fxvEN^$eMbHpp-Ih= z%1yJQYRUq~?fbp)odu1HZ(o?ELB+_giiLkX%CE|z#?Zg@cuQS+%pfPK}_LTq;4$kYY*lw&Y$nsp)9+h~3&a z#v{_;F{_GB8rh4oVmw8w>smJ!+xyy&Y)vaeC#hnTrD(`%%%L=xs6i9e`52p>9zcUg z?TfxYrgS?v*rMGRe;KGH%Ozx9=*8%hOf4 
zJFofOgYscbnJX#V<)^Qpj^~xp{nplU+e`64>NB>_cf7~S7TOgiF4tK@J%?n)m<@%r zsWoT^oqMva!Hj8S8-C(-t1-t{{*hm7CK!04@L#%;Y~CEkmqD?eUsLTkoWkP8i-%6h z;1vTaic_#fu^Sj+IhVHUZdSE?$?ANblnIfJ&KU_XSGS+{?sHa2LP}~f)_L8*9CEbl zn2&ZgB0di^XeZYO2~eJ_vF{>J(!xd+N4Ov{T1Aw1^}(78AX*Qg)kvz{Wt)V{D8@rn zio^_xm4w$n#Sf4hblS zcWk$w`RD=;6QhzZIt662w8*RkYGlD(>IF^{rs zGA(J`^4%yvm7JJffDjWTYg);u-Vj;gM6a?_msi`T1AOj3aqB0$@9sl-*csR5hD%K)1tg9fWFl#!yLs;E2&AzF`L2MC&P79X>`;`DsN0JEjunwhmCWF zeT#fT*6u1@EF=K@sRk5+VzTCNIW0=kEw#*)L>9Qo;+ofL3>mHZx45FFg!6|W)mk2= zO;(0Gf!S92cAIb7#q>0o^=>iB2lcub2n!`Bmav1G|Ne{`c&g#kBk9GdM>nwJ2Cr-~ z$5++da@75$d|P5lX#lYp5Rymm0>507=f>60e83#GKY7=7aFcOK%HhvfX8f^Fra}#) zvEH9KLirL{SeHs}#O=jp>^&qaVo~w9;GJbc5?$tAh4F@-sB$bb?ly8g^k~ej? zn|K4)_EKvaPu=~_!38+%<|dop5MXHD>50)Lzt$kX71p}V+i1}Cv6eCG`~&gS`^=p1 z+~Hpm>}>fA^WKK?9TWta1JA4JK{k$-z(ZX9$xDl(Q zqZE=u6mRo0=+JU)yHO0dCH3tJBW?#m&`GR1NPdyAutSC5UFP@@W3gx_jMz}5xbxb( z)RvIREl(d)RPA}PKUYLvbYLjEI6wO9Vsm;J`#Q@OOc`7h!wGRAhSF+(t-ViAkpX4O zK(niLvj!b;LEUKkS@5aO*`i&jDC~Yn)bDC#w-{VqKIgMQe3i0Kq1<wuzfV>?u*3=+D&{tmW7sg}X=aO1x%qY!!MbGo^G4 zvUm4XLYBr_-P(eWswU|BpJ7GTT49L|GwtlD>%)fdZbZ{gLcSO-@ z@!W_)6-eJdl|R09@UoOmW#Y$?*|&HLk)vFf*}y&ZI+&x z2lMv0yqC6bzFxV{JBVDyLa~$bFju`OGdwU;hZIJv1E|_&2h$wAAgoN3{38h*K@ zA;{%xThBizDHa#^E_91p4BR846Fi_Yy$RyrSuPJTAt_3>VZ7Htg*Pf$PCkLMH=-D! z@GwS=2h{+6%L~A>TBCoF6l3g2nJ;>?T2x~9wNHQ@!!Rv$7yF%7iG1Tue>>mG+`noO zi{4WqGqGGEKA@}fdE>g$|BY0!Y+7;)QB&MWow7qL5jU*(fnN2-aFoHjMrWp^=_nbs zTKPNqXf3dhZ8(|pnd5e{Gj&tIlq5WWf0&@5qF)z11FL*7Mh{7TVoeUDI}6gQVNRc- z=J4*ImFCXf?A0FI_lQl#hPM9x))T^?nDDB)9M0+N6f!~mCW%zG-rO<3qW_o0ZE zH_hwJylP5Jav@Vw1NtvY(-x91k{$~lUbze`UWDX=X=zxyLTp-&9>eJY$(sI~e$I(=GftoJg>9(P#5dBp+5}G7ul~UA-Tw2;CwlG zWYT!t`g3rpzU_8;$a^_#%;eo09n% zN@mW>&AfLF2mFbY`M1u$$jaMz+E~n0&%wj1~7w8)dMV3=86U}+-DA*GYDH-W!xL9XczzJr< z0!62h)!s#%uW$gWfl)hMJtxHDEZj>tsaZuq!1jXfa2pJ`C=m`;VGg5(mc<0aB3s!? 
zUpEH}gH~6}!o0i^-=t+#m)S=gj~{eIK{rvRj`oiF%KVaeO|_M6jn!47&z$XIijz*KJ#yUF?!rIa9G*;0KZR>cmA*4nAmZhqNc zBy{JCszTb014cW8H!q8Y&JJ#a94z!^mSyGwOJ>l~1=eOjFa`WfLB;Se>6JJPQ;bx0ouS{>b8-E;o5_#p{cLzSS`D5w zkx2nrVLEF)t`7_Ko3sWVbM~!0039#tdocv%%(uP7t;Mab~Est#42>s#ykrMC=4 z#jeB2#-s9UG5pN${I^^Eql6mmrJZev2lt(wp(cRfK!z1yWhR#VOkaF6rp*y^0j?X1 z0Mtfk5e`5#;d=V6g=>HbDVuECpfdBgoM@VcF=E!@SWRCm z+2s@;8yqP|OG1N4`;{L<=-$L+d-!$rDOP)S1XmhpfTj)YWUXpss5XD(F*zU! zp$pwODgsYQfiZHBqTgS!Qb~YhE7WZ1M!z1#DxGt^!lY!Bz|~bDC`D0rd2MbYFvEDA z_0mCW-H<9@On&ydP5wDfey&dbzBM8`H(|_XG#a7HqTe2oYHECk-yqMyzEF@qSk3=| zpZhmz^MCRD`!DTJksm?nAFQjPgSnlPt-}u#?SS!Kg8xH=6L%Z>ykh?7F^VHQv6v zjj^)U?;lRS->rY{XApclb>Fw|)}^Gn8oykons)A9i>`5FMn*#Eaa}(*zwYDNaZf0W z7iV67o;29-#%h|AM@vYWD|1Mc%qw~%`!keACCMA-OHrbY3m-|el}{$A8|P6|QW-0+ zk!Oy}tSQ5e)650-SspUGMR$VM#INi!-(hx&=mf5eTHau~!{`vz{I|&=%cCZ@s!r6J z~ioye7O%Ucb18Xc;d|28>re(3D>rxUg&ab?f>j-yjXCv;`({D#9FM~AHD zzfF#uA3eHtb>h~ft{gnxd35UN#I8)7-+H)n>(JKxcS+k`tV0;Lz)nEhIM!X5JJ3%4 zZ9mpgtQ%1GU)%WqeR2@%DB7){6Tvo#b${#2qUE){;=?vIoH$$pQ5-RuIDwc_oLF2b zK`fz^IG$KuoKQSJK`23pA zZ68OV+AY-Jr~GvJ175>B3~}!6;xHUeS)NR1-J(i#sy7&Ss)t0eQhC8<4FkGGLSxt} zM*M`D!O1bN7#qHIA4ojFdl{tU8@Nm~D!BG*7xWj0IkvNfph#5ZpV+A4u#;p-89{Nx*L@ z`OCXE#s$nR3V9ltJv&oyOq>9?NsEY!aM9Y}Bxr!d5gZmAIGNCjlO3H5Y zD4l*+wx-_j{i^j&trb*D)fiDI zvHr0b{4ukl$NvYi&-znX{)vBxN31_8Qf%~W_&+R`|9$L_A}9M#p7m#L)*pdN7Dl#z zg+J|FMnvVMYA=I{yFqKi<#(d~g51*Vg{$!}$-%=EvpaKgcEjlS=X9 zzW1}K`uAps?#D^z|IKdaj~9fO=1|k~WS44vr(|=dc(c=yrTRAUTFSHX_Oo_MDqD=P zrVgTQ-32^Z5OFa4K71}Mh`??zvVe}ntG~cP+-!>IJ9tqnUhG}h@!XO8=n9Gi1YVKX z2jcr1Cu2e$Bcth;<8(TsY4ss~6g(t97u zu>$pihV9gvwj5o1AOsE^wPQ4kxufDc9i>)O2*oo6b?=oMId7b(}ABLvI+K$V46OcjU zuza7Ej1AN29Wg7J@Q}bPv6A^B;`xd+7r?l05B&j^o~Qte@x^k#{H9= z1=tu|n*I(yCAsZ?f>QZ2GtT>wUF#8FcZ&HRioWo z_%23;K`<|fW2584uP<*eUe;9EnO|StetZpg z)nV}+FXFsy>ix^&V?>?EsOs$RRikrbOH=cY6Aa7Z%F?ous&cosi8&!fqV}B;CbVmL@*ZQi;a&T%K>Y1qrgPGG)+}@%JNc*+B8}op&_O&$<0*@CCC@zmGybZN1a4o zsOxw7ai&?eWMQx#`Ki-vU`+&W#o?BlUyXz6HKt}IW+|}G$**6OL6D|?^e}(mz=N#t 
z4>!g8C*8A@0?b3i%PHAr@YU%smZ#1tum`S|o3F|xnq*cCr79dl!IK*ymE}@w%!4;# z>kmgDoSc$)bDqxjKT{9Q?C_b*)X-fXoIBLP9<+@rP|@HzP|B{1^5*|^p0v!-IhJrr zmsUEIAXdX%Rva)@!h~-jc4_UReMjhV^ylzyi`lzTD0F?)gc()vcSc4o0qJ(J)t%m``bIJ$fyM}t@Eki`=L-Oow3U1u_ zmD{*wxk@7PQ_os@gViF>8_UZ;5$L+%`l<{7gh$Zv=mM|=$tKG&?|!yeQe&du3^Tb} zmy13&+q5(xGN^>AiYlKhOwA6^15jet6rMR|24l1+kn1jy`71MT&q;TXVbV%8i&Jm6qB1W1LmcpLmf{e`BX_T!7AEk=_}P;rCfhs1u7@oSEn(<3 z$Gnmo<~L%JSm~1C7b;30?GqCSZ^}xQ&pn*7C(?%bn6GirJx0TTEWDK~aXUe0(e(ty zg|6m=%Dq~4kv)Rwx2>%&Ngavy^Du8A1J6b(R5wEAIrRP0;$X|YK?tQ>oy$GC?6#O2 zJ2fh|l(bJOj?s(-1V;$5kdHnt%tpdtPhTHKJ3b zm)mya0X%D`y|1m2qZBL+5`*NTfS0+Hi<^5on@|aYoz;jzG;=>i6iFhzpQFQUA9OQw zz>5aNJjqk1h}Oz2I;D@Je|e+yNjp86&aNBs$2B-0M`hv-V0mE?A!$b0uU-W9Ww+GrrJLHxqB4&rW*3MZ1IQpuMw3hux{3>@%B1WiKQ zjhPEPj7djRl{+Dc;)XMdw$}dZRI~d@rPduVw0tzZY>eF=g{L(PmSV4tuKY`pUJmQ3O~Fzh64sLmDBtn`c9x7ItT=c(Fi`|!*?%eD`*hU zE5u!;2IR%&R^JHsPB`t`Gzm}yhfiOMd?h=-Sz6{n2Bw_jgB{9K?VWYY>jbnR8+tqDR+qQi zK}%pe&?r#9nMxt)`#)Jw#2tmd2q;4oCd%lvr7^1CQdKt+>GL!vld zGi(m730Up~i`ZveKaKt$M87G(4>=cJ&p*ah+6Z$?e_blNmZno&nw`40UVTm;WyC8k z6|n}Emx0X^Eo+rj0u5=-ro|+MN`OLL#%c2Y!1FurV=lfLoxbNunV)Xttq87}H{x~q zRVOx}^1z3ayde6Vc2*HFH|-_tKwb>^RB3L$@U(OXZdO@$+5GjkSzPNVdgmI3d%)&! 
zfleM_Ze`?b-}+_G4RfVGswRF6V037ILL~1VJ8_gDS%l_d?O0?J=s@Z4N?xsmc6SKh z)pmTG_qqAu)dTh1@s>v)fEA)*ci#vMi_3EpE7#2LxlX{G+$c*j&^8JdR`y%0Ea*@o zT10^)B9|oUG7EGgh!Z$YAmdGaT7Od5P+A`lhlpsT5v3oQ!0=S1Urg=}=Yx;6_RvJ_anCT~ z7g^r0qc$KOD%>XKEVSH={5tfRKvia1cR;ql`z)-Hps6k1MeB20Y`PU`x_e4nW4)uX+#ToGNv{M%4ssIMd`GCk3;P?l%pl7L zFlsuXN&GAGJqc%jcfZeAvLjimuA~xT$06Vt*gVkRvMc>bOB%?ZB76K1VC^@d$xJUh z@=eg{l;<7w2E9C9tC-yAc3JI*Wb(d^Oz^40wn>Q0N7Y4Y5;`iRu_?BeXKT!OUiLg2 z#G2f4qVZp3l2Qr^*ROBrm$0)D0*^c&sCplc?W*g^)%(U88GcqDNGI~-Y4hk?&vAX@ zuI%u_u>5`>>*P6i^?8EWQ-41c~2GVg& zk=NmUk7=U49{WbE(e9@1{@(uE>2n@jk)&GZ27(v(Ne)TS#SjDt%f>k|Xl#0<#=s2C zlQP@fGqZ+=k%Nx6mNauxG_*SL6y;oc>7^U5fRh&`y^NY7gh6$RP4j}OIB`*QKeH^X zmIm&1c_`kFJ^PhBbHk5LhMl)ri5Nl`>vtREhSZ=-k+wwH0FOYBrfkuWyP29a6&iH2 zCLV%)H<@?stzsm_IEmpV>JN*GdehQy^iPAcp7{MXjbns#et6b(+5EjopAh2)<{n1W@s<1X89 zye=O4TaFlyC-q7%>-VRXL0<3o!AH~f_UtyF{XsHQ4$c{`{qzm}+9Frt8vNNtlFXO_ zaQ)yHp;-}%W^%n70c`uDFgYtFtn#WMOhf-*5^ zNj#c8pC%R_{w%#RZn1#ZJH4BeMkcvRVynu7Q1?+xgve_ zDJ7zA64!pE;0``L{gsf8Dk3Rqr(%?{l~&cviiKvEkvVj{Z+hl-s~6=el^9z(9a4>+I z2a%Lz2xz`rv`?W~Y^*n@qoTsTlZ^3aOI~g3a)=qIRpyd<>~vc@(X53T1=3ua$k7w> z&v)aLnl^b7r^i9&^%)gbjVvx>^UMm$W9mpvX!>&9tX7k0sYYKg*&$P`O0(~jd^%z^ z?O(bSr6Vhf6-7@3y`8f_XH4l!lKuiboIgVJpluq+Dd5nIqcHJ)oohZ#b;LSdA7+5^ zyLSjCd!qSj{k4eGvPBE$ulTplADSPJj!MQ#=_ghfoRU+&Kf>(|OgOj)we)DFVUY^T zK3uB3px-+E>Q@d$gN{wXSAwBHk*H49EE+2+2FM!VBwZT|i<)MZjaX5NgH4kdXFyhs zt@NB2XxpLJUugt)x+{tezKdShLOYNoCYpvcLxYEsu1h}pcGqmf7{a}*fM-y**`$`q zBj5CGEYdOoj|xa{WQDp&T?+ox^Q235X3z)8o%ixgkj8WbU9xVNP(gxLz@%^VG+FM( z&t(;^$0rPXcVR4n{hn^k&Y>ObDNnPK5O2i8aF~QtHe}-_Z7HGdDG`GT9uEj2IXZ|qZ#U!fA6DTpN-f=v2v-gcM!Ifj2e)5sKT568ACO$#w4!Tt zqxiGo%k!?pXQV%nl9e6mii~>c<>7Sk`iuGOBfG04v|S6OE?k~qEI9hv#6@k2KuV#h z!0rxKT3(h`W<>o=N>FKe70GZR6^^+v8!7eoh1>al_+JC-;$+#$gxg>dl!ch3VL}|& zmz^t0kE4#}t!SVjPt>OX$E>M?8rEyj2V{+w+p!4SxDtbIiv( z&Eu}G`X@%O=6+f(29^u*FSw7rjyV%ymG&*%EV+cfE)T{u*>J!bx>B*QHyj_!iNwdZ z^7Ry_Te>FkJDOf9Kk-nh(%JJJqA(PPF`d-%n^skv8U2Z>Z59+qFqmXb$MT=Q{Pz=H zhVCem<*XFSq=#-P*`&erY}&p@v^%g4n4LR3cf4|4U8`8S?eosTRW+HHvv5eEC|BEi 
zE+45DP3!Qm9GSnK?pblXrmQ^AtB(f}x(z(N0~>^n!gcjNvu>{hc`hq8QI#SvJExU< zwS7bXx5?^={5xtR?l@ZOK7K~-IYB@oiN?OmSgc)uJgF4Jj=Z6QgTp|zWJ z(zkc?uDssf#)x{n+gX2iG4asJTbfbH21~QuX`0sEJyMiQ#$^V**rLq8KY4D6xFb}I z1mTC~3(T8xdLHPe#8xH7oG+&CTxm~l-_K|7_k0`y-EXtset(>wdhoO9pz>;a)EqpB zlG%a&?!k~Y;(KsL9R{gbs<9rx0)2Y33;rz-x-%lmST02=J{l93iKcuzM9RE&t(--z z=Lvw8tYLyUvnM-Pix5z%$z}c=JH=d|GixoxwI;nz+rxW-)|2K#`Py~x=fuw5UO22NbL356vCl@J%VC?I7sp*h^)|qFNorfTvoRO^0 zL9^=Q@GT@ZS4bG#q(K+?`x@$rW@m{1#I&c0QP!|bBI18z?=55F==OYFGdp(73^6k^ zJLZ^~nIUGTn3gZ~JC>5;LtE#(8)upcI`TfCv zKQtsA*4jP3AAk0qD1wL&k{j8og~a4_DOQ#^*Wq$Mjwm!{>uOq$N94I%=(Rq}wvJFC zn*j}jeUr(;=@g{Z)@_wClF@j~O}#uN%H;WMaU|7O7)rue7#DA-QI%zCY``)neFlxu zS-a^F`F^)cz}ui)hhjV)@z6v>XM9M}-A*grj$3HViPC^d2L&_9G;O_96Zs$#qP-c5 z?$d+{Lrg1)@{4LE`=bUxoa{=#FJD=Q2J@8v2!kH4-=-2&Q&Wn4rgcJ>KD3X?d%9O9 z4wd1(ikm4_a^11zLWZ3~7F60{P2&0{ILqp(Y7cxP)3E!19)=yg6KQTsdeR>Q~>w@Iu2N8Zx13fuY`B3+u(V zRtzK_M}T9D{i;wT+%X%CO@|6^0n+_DWNL@$`GLjK$-99hpse!-TYP*XYm@OVEpGj0 z?d%e3`v=j@_=Vn%l>AO44N(+lKTBV~GyPRec&Z+GjJtlx2^x0C3;g48D%wx=?yOeb zj;n$ti)nJ)ze@E>>Q=VnE=doL8b z4Y*vD<$Qcvd0DrU=(4Xg%G(c|CA=-w7HK+ntpnsPStH$(^G5 zfzAN$zi*f+_X5;UQbLhy`WE2$+xaxItjg48PLF{M7qD2^rRsUCTYw# zkFW*1_0sc0gr>!6or|DCW$Ge;u+r{alk9&;tyxB#1n(_$j6T;K?MIr6;?vZSS(k3L z*!_AXExr_kcK(bKo^X)>xI{iQO0)Uvc{N?1=A1szPShIde4px>G(?EVsjvOmQc*9| zSsp4~TAZ3~$n>0mKFPRSD0jtuI31qj3L_^)a*hNlM5%2YVLoX_bQ2W`u&_~to`ff} z){J7OrmOU^2>zaT|{q`AEB(1cN^zG0|1QE#kK}9}`)py=-5;=Ki(4z07X% zNem?O;EwLmd?eo;d%wZtY-rReZ6qBO?|0A}F@DK*=xbx(O`ww}B~oG2+E@FLmI5N8 zt+Entx8N1r{F&l+ippoCu?hK~R}=El|VSwM#n^U3#6;d)T#w9HPs}X*%gKD_NJQOpI-LCq@b*m zd^a$i#ZF-jcAZQgQQmH>uj=107>-%?Zid9pgm(ZAfQRqrP;RG!!P}hnl;sqK}r?0Yct9%73{2y z%RLyKH+OGTiYEu+MLbnkr#uYzp1q0j4q+_}T$Q`W-ag@Elag2LOmSI!cjNv0bI2T< zPkcoJlOw!ap4d9L;=ATkdZ8sau9uUgr5(R_t1t0u9<5@qDQjVxlt?{3Qmhc5az^Vb zt0;b4wY?svJY7zNjhK&AQiwGroy?Ka;=LSrHzY!k48Sb7W-_sbk7?!HQfl4xTX5cI z2iFo~Nj5JxZC}4Oxs8g^21AJw@*-1&QQnJ@k_{1c=MEDj8nLTKq4)1E;u;ZDhBSuy z>@I6967S!z7Z#-BrYR5MJ{eE@5anK2=t6Iae2MiBWOQj4U3Bq2kaGialQ^h 
zSC95V&9j%!Ri8;`gc~_o6L_(4mMQRgddaK|b>VQbC^cJ}#HJaa);7%_1qJlyKj0bj zb-e4Zb%3g|C1K&Y9U(66KF4;@(cDjY*i#d6jv!G#dIko%rm!Z;hRIEiG~?<%BSxo%uDW1=jca%a$W=k)@??V8;*+ ziEVv=Vtx%#^RP76EN+}e!Pa3=ZQNEBFpCN_efnYr+Jz z^${v4yOKI~E1+w(TkJRty{+_fv>-^J4z-zbBP$AYp-93lmxxRVEd8cPA<<*HYUe;@ zyUA$etB!|ft^B*@ia)LMe6uO?b7@N6{FVBvc>An+hO$wlIKInpP8H206ui_Zb@&n% zOU{p?yfBf}BE0&6vbr=HK5;85srEbz@;XYIbyn{A5i=ryNtb;byq�|8hC#_pyRe z$4;Oghk=?WCnjmdHP(iYG0NdsUc8jLe^n(uGK2b*@1M{Juj+P*KMn&I^(7J8Atsc) zZ^G2T9Cg-OQKwov3p+z-65@B^HD;%1 zO~hE&@;N@p>*fjPdJ-IsNo`-~_Lnte^ zW*QQ1TyN0KuMiFpRgm)^GH&|hAuNPi$SC>ZGQUi0sv$tE1K)Si_+a-$V@<)SOqV+Z z!>fOSVSg zVGq*Y_LFx`r#*xt+d8f&PTNbqps{J%{JpDRd7C3h*D&0Gz7-bDxpT}^;9k3 zm>ETeajjlFcJC)jXtLU`AbV6PY|M(*Xi=Q3u&ZY!<-#fjtX}kKa6f{5C1c`ud;mPJ ze2ggTy?4i3xP4l*@3dXWgX*QipDc2^cGPOBnION~JaFIK@xf^_gmiA>VVidm_+wZw;M~ACJ%Sh_p_n7%MK&&7ytDnP-axF z)YQhLA+ymFg+7e_r-3aMzU#~H)jdKgxNWb~=XZC)!go_sle|Zi+*Pl;+(D9>-&P)>pH_Ulr;5YDZF+XFs{D~??3GSLj-v^?s1969KktZMY1)F37o{SR|4n=mOkJHz38tfHHVekS>g{@H-|>7_)IUYR zOwpM`OA8(U1xzS#j6^=Qwvnp~)KVD?#W+Duf9*Za-Q-SzJzlw! 
zyI|or9trNEt4njml2Y~6hw(3=_=P<@AkP*fnBKU?PJ3UsBqMXY&w}ww26W9WRZCXv zJK0RkeQN*#eIJ_?BX$3-05)QDNQV1z>fo>vY|C)%Tu-S{^JEKhVDpFDI1izqGul zD%4C;Ynz%}MT${~C+hVy)^9QW);l-;Vh8sUF?A?r%iiMDOkiEjOH$xPU!~j3n(`80 z)hLlylG?E1q-?>wz%}A->XdmArwO9DuOVXhDC5_`0Zd~P)9`kGY9|2PMkk; zdqgbO-OIaTg8v)7eh(NduSm`Mml3PLk5C4vCU)-TS2la&Eo_Naw24h_zjp%pyL~m3 zpz=*_NUKJ-J0ui;kq%diSfV7htDxPPjm>sA;cSz3SMPiwI`=!^VgJv*Gz5Q71G5LZ zE@st>3CKN&^FBmhz@Iq3!0Zi!&P}9U?=UD*NUSpj2+P;gOyq#eZVox}4cj_gp+k+y z+Fkh+M_ye}<$UwS z>*pfFdAh^+<#v(i;`bJ#X!w4KA`1_P&?XMtxP(X!NIq6x7D(9+ha-Bv=I$z1yhr9t zzrn(qmX;Kdx|c|affn8>6lnDX-i5nZf$cAl`StjH)d-X{FRxRse4?7 zqKB6@LH;>3OZTbV1@%@#kM zJZ$ic`@a7eLc!Nr>{)W`zdJC(b;LFEP|2uhESMW~PH1RKVp%&a<$O+b>dY-@shw0_ znuRMc?<{W#vM#o$l-$eM12Rc;zRXN!mF2>iObTY$d(Jk9AP{Sk}AAc?KL!wvnxj`5p+z6Y{w$Y1%D5{ z?=O#=D)_xx*)>?0Y`ZV-aY36_-L7{Iy4|VA6GNT#`xS>6_i6UMEwi9TM6T=c6_5n- zy!4DR?5{qiQR4YrgEhVT6)?OZ zV)8v-Q)+EW4*u)NBry6nv!hZx(rpf~0}69C!_2#A{6cl&I?OyPF87x4^>tv5Iu?gMS^>i#lvRTlC)A7LPPm_zo~T=h@LXH|!kP`db^@V{axgYC zV-qt@RQC%*2am&o5S`(lN-A>Pe zA}gWx#IkigU^`#yj;Hx6+0-e} zjTU);6KO^K|fFq;sd!XMt|$R^K%Shns6RQ zzMwe@EQ12bY@U!Izc@K&!E_fpTMs)PpM}86cAlLao{$=NF=7J0ztWe~N)QwlT>-~p zyqGRjYmkqoY~^_f);ZwBS?I>ifYu&Pw;8l~$eLxn@EP!Xt^3%m_jwmLH#N?PO~YU{ zHG%WrpkLEkQU5z``agx;|04nYe`(h+G3s-${)b)jpT(MggwX%9SOY+v|4po6Wd0-8 zFth!CCD#0Nxc%R(>A%F9e~C5!5^Me?*8EGX`9BhC{=LA)AF&2dv;-i80K}3%lF2_! 
ze~Rre0j}|XroXrUF)IHOYXI~ANv!#2>4uU0KgRfbtiR`M011T^Ak44=YDuyIYJac- z3RkhPa}cooS?2&qEdbf(PhU2`^rwx3>5qT|Xk!M5EdY__Pa7*hVqpPPN&h3eumOte zv9dA$`E3F$0PL8*cf|CMH~aUT8DQ4@)y4`K2(U9|z|Q{6S(sP=I|Y0&f2EYlNkFazwFzl<5c!2-^f5Yr15QI-c4#8y4NYm)w@70BguC=>Du- zvtT9cw**aZHLvum^6v7&6!b#_{i*4wAm#T#)DwcZ77#6{Y|zL?2<{;($vBR$%GB1t zN#=CT;;%^b^%h^jf<@zc2)Qli3T8de0(i&Zu%4d_Wi_V(K2o$3mkJ;F0(tt=vaw?H zeR=BQ1nT7zb5#odP&5^TD^b9kwf;rK-p^5ORuQO=8p`#6b>;kvS}Tr=sGsC~$|7I6KDb-_J?GkBu+6mVVIx~OBvE%)##>>5@G@iD=xL^2} zu65qu7oH*fl7Sfm<7~Czf-YNXZ|~}Kd7}>94P~9^NwrV+?2N4Ce*igP;Tm|zIpBO!TXF2(@^|)mqgDy@Xttg-hd0z$j`@+k zu`!S#XcP|LV2iu^Mj=d0naBPUIecTcvxnx_O^__+8!4a=yDa2=gN;HA!4-d8i`_O; z;`tuPhR{6_8Y&)C_PaLh$7AnonqChhBZoYBNBhh#A3qNdrOYpU`65{K=q?OE;9u~3 z15X1tGVuHZA@5!h37IXyV7v)-dxm4=W*GAH_uy`z^L{hk{iai~6DcXlZ!We`7x;(|fHiGlb+J>x&KuiAH!3cnGN$BjzIDl|LxFyux8^Ulb?~ z8{v%UGBbW3F5k`|qD)_hBIM!`VKh9jLl0I2@UwrC)~D;umn=BQJR&y z&(ao6lF2Cl?EZDOIEF(SpHS;u(CnLd5%)w1qWG<&qClXaDo-nJ<- znCu-(6qMw`hQvpW(GEFS=I|IfQmQ387vV6Te<0l(IJkAqW-@?xEk$%A>VBy%(Uw8g zSx5+{%-PZ8p4d0LE0%A9BpDJ)hgc2zC1a}&?fxFb{8snAx%p?^v&>B zgi1J?!`?7x1?LX)~1&_^h7v#m9%o&0}Cf}**!XJC4ZTNDS@J03Kc;1BPs(Q z>Ym}?#)59gmu9jCoJ>THo)Kr`NNXJv=kBfcZmlm)1<@+=(jl-&0${O6>|fz`_8Gi5 z8Q#ozVN;C7^oLCuveul*$mTRF3(VGN_f=N|zRiKzGM5vCIowguv5fY)4wT3d=`sA+ zpxH*9b0XVA6*ejat!}uX3YBul7|&PAPrUpRz&i(w_XzWKOqN=B7D5I)UY?LSe%EEg z$Iu@wtRp=baZO1JBZS=u;Y(gA?Vz8+!!|~@EuLm=a2~pgnGMY{#^M#+rr<|ib$w$; zZu}rS3{Y4%zLUNllB#HOJvP&=kF<49>M0IEzPtz00GaExU8oAb;WiKsi=9^+<@aYJ z8q&kZgV|zvMs6C1JD z)Amke6T9$|2`(|vkXXsTfvi*S3TsX!Gui0$S>8Has_cL1)MeMXZSkSuh+2uAQgy!G z{aAWp>RgL!WYWm$>6`-N>*KDmJrgmWS77(Xee^_Xl3W1e+Wyi+vRZ3-F3a6)7(9qu zzP;XKm;C7le`$v=zNqYuFbdZ=sG1^|XgH<}TQ*=`y*<6(@>45hFq<|8nCr{(YpvBe z3!488emci!vL!WrtvJaGiHQVlye3r)DvA!Bak}uc5bfmT?H6U^9sYA2B;9Meo4!sG zNjOzhe%UYT!m?=vIHhm&R zMU*fUikHV=KIjDRk?$XhKVkxRIfRv^$ zf#TK8o7Qk+b^|VAoD7G41q(Srf0x69(so)6Id=f+IR6rqS5Sb1Wz!eOOWu%}DE21V zhO6xWcM*cajl8Q;8Gz+Lsd(d4Ec{q_?(my3YD`$Y9*yt`^{KQ?#y>bw@po4_X#!8T zoCBPvzZZ%gQL2x*9IX1c#kr#$CP?0U&JfyOE1`vAXqr38eoCk}wCDSd$?Tu^fN*Uy 
zrM`8muD(tjk5*jI;LafnH(Rvs29Sp@>}Q@-H_>~#^Av*Lg;SwWw|<0%1c*{i=gKt7 z4E-3_Qyi}ZD@JzXUScS&6a1x)cRT})G+hQQB?|t8$m6fgA2wayxo&8^x$^6MgD;22 z6!P>nLIi(Dqr3?USD0*|3A$crerrF`1j<=qkX~Jc79nnEG-`xTAC3MY^d?kug>c2z zxX5K!SyqQrLWt^3M_#7?CA6;28Sez zH>&p_oXKc%z_`GnMxu$-dEPngBMe(QlbuGhjFDZ6vNC~1P;eVjRGiA#7T_9$jPgae zXt$72n&W$m@JkB%5lhe5?t|~r+os)>_~w_ZiE1ER@Rkljbv3uqrQ?tL5F30W`^)nx zBXzAYBkRr4ii1uxE&uR+w6rfbJV50IP!9?@^x#9!B{ofo?_ZsD>-bvESG7NJK4JLA z9F)h89fYI1;`(+qpNwyD>*ObATG(U!T59`cS;ik8haU1n-o?X$S`6tDtO+^woz%wg zy;3=%`fO_1pV&_Z4fNC=0_Iq7e0TdqiTk5i`@x?r4h$0T3k!`RC&;;kS|b?31o1s= zR#D`awhKY;H|N)}{i`aW-p^bksrd9$?lBO{}puE!HMD(GMhHu8b+8%K6y6^)6! zMx?o1qOF`$2!==T^an26*IE}K9yR^#62VtQQh@+wTY^qRkXI(HH(p}*;ixyh!GRU` zNw4}RoXH;C=#8mbhPW?vLx~CkN$M+v%wRLPeL7rtRQDl) z%`+jXGaGM4sk(}4#p?+uO{SyFhEhohm40WM+~9Ey)4i4BDopy z#^t--tmGob%leUqxnn@>0e!XNdQ_6aYG-bCH3uIGcMIoyK@Rmcc5+2qL z77vx|q}yU1=IkBxO(5P+!sL5qDo zF$xL`HHL8By)URQ?;nl!_&6?>JP$7*fI1oXutE+rF~hLAOAjb$zksJkKa}Dz`++Jq z?&o2(_KU2w-!Ntgj5i)TQZV;FmV9~DpFNf&7EKn{*1U+xs&_TS!g62Vi&WG!ZP(0) zPtG7~nlNCiS8dk#=}a-JdHc~}u{uDqOn$b~vVntRN}UJ#IMWW#H!L)}zSG#c8pkNt z4^RY;>fRF|wxl7!R4%>h<>b;3w1WUstUz3`pR~4~&EH+=MtXRiZIr!TW2-JGHkcZa zyx2^elG8rVNZFvoMcQ`M81#M&giev{~lOlZSq_xG4J;;1`T-=R%@JVWKn$R`ng?1)fr!;WFu0JXSe=ZwU~m0X^|?S>LMpRh%A zthlp{9yBYB@26d-M<@10YQ?j7%Kf~__=sLPF|ZH)x_9}Dg&Nfok9f55IL&7{8#A&% zS)?lCBl}EU^rfiZyKX9dYG^k-na@t0A z64w1J5lUfHUdU!$`L8n~+i!+axnx%NFg)77R61BQvy`0Pq!KEfQe~Pv!p(|P6$-~= z#};EQXr4uB-Fjdo)J&7zUT4HjLVjbE3_nHDby{eIT#UT>j;4lz5ydXp1ma26>8EpdE zpl=PmCxj-Pc+|P&$xubh)2y1K4>vY73JG0TJA6HYRD|@M?-;j*?VNNB8^5i!#%4dt zP?gKU`}&jbU?j%v$(gaJ*&2M-^9LL~mZ}(NkH`|;ei6KG(|hpu5sce$nSF(KFN$;< zd2QF#h+!S45$QM?g6B-JXCc`9Az+=~yCBQ>C$Br?)Tnb8=U(ABs2S z!@l{X7TbjR0Z_7i$7eM=*;C%6LnAj*9NO5k^9OY`aSlm-?%Wa{*GX5yUBi!%p0E*; zWZGdwa&%ofK04&Se!Cx1P#%Vv=K%}k>F`g~t}z%oba$)Km9{i>?_04+q}mghTtS3{@~kDzGg)TzEbW1~l4~-+SVQ zc&k5I`0@CF9)zb(vG5|?Sp@~u-9bU#EQ7gp-0Uu>4v(4|c6^eaJl;j>tUeEOai^+C zbXs`Z)k2+l-CZU;?)DHSxNm|sj?hw?C8tVAtK0A|6E_i< 
zmk(Z&w9ABd!Zz#h&-r55!d3EprElMZsy`0eVWU4GFGrsl7H%Q1Qq3m>;uK1(lYbcq zX_tklzX5OYL+Efc`#}Y*qL+!GZB#w6)y-wKxwiVjqOmeO<>PgMWC8uVEy#+uB^ye! z&i-IqDra~DH1gq%sxY&|{zw(Ve!ME0>}pHJV_PA^7uLkdZtf-^U(f`*3ND>Fmw zC2uv!*VlPa=Y!W)KgrtexY>Pos!fP~_>3EO@6?)|ulRv6^`Xw)+$*+Q=CoVQ*CpOb zEI@a-?M$alM7GBL2(GmGstca^s_vHe}gSG`Zm zErWWg^QMoR-Vnb5eO0@41P)uYbLfggrRtr|e}p90h;EFizg0@t%oaNnV;g#zScE1) zvAYi)JDEwxnXLWyVsi-AcS9xn`4vCVC~(8QkRM4G#S>Imlea4{ zvKk`7)rfqntQvat^xpB!q_!T55U1S|r?uTS1Ru$|z_~=luz*)6L5j7^!e8n|ZN;a=93d^Yn zabtORs9}aaQWP)tjP}E>d1bbqz!BYpyO=tAqW7O7QI%}XaoJQ?E7;)6Sb8_JU>GP4 z8<%B-dAghH&(T=;bK`G(kej1AxtldCwktimZKo`QwWkGfz7d0cT*KuVgYQE&i<>|UHK!pxsIgfn z5K-mow3el%HclX(vccbDhfYIQ6`iFK+8*D>Y+)czrQOk*|B37~k8Oly z095PyCOw$vE17ECMbTIEpA}n^r0x8xRnbbZ zYo9g0Ya%D&Gl3udScBnTH6k`!3rsYkCvSKTBJP!XjqdI->q<>F-XDjV-s}gdt25}b z>NedbTW(O5RqCqECESE1_qJH^G!?T_XBKVAhp@6ecM^rCocgzI$o0=jRmL+Z{AeFr}0Pus=(Om04Ui zlTKxBfG{-rjiFjFP;@MWVD<5YT)r5SXj7sm?Fo+&Q9JSlOt>`>v3qJtFXu%`r<_#O zc5J%PmILYgk2&(#+w6YBsY6Cq*^3KkkV8(z4nv-O;)BVFv?vr#=4l6iib`io7u}J} z{W_(Z`isBMl!eFLJyB*qEb4`3wzOK$_!#JA4xMQTEnG*K)_Y}u)|$Rm``PKlt=&%B z$@b?;j-TN)+r4ZUX^K-vNxw$;-smvu?RmHmkyo0ef2%J3Ja`kqVW8gzvB)VuD2@zq z9Yu|HIf_fW6pz_AQ|uNN=WLue4Oo#XJ5RyK*t5DHzI9UUa0o_8GQljZlSs}?USI1P z!+SG+x7PW4U@0R9YY1&X?T^_`OM%`TzJN$(LG2&RCecV*o!66B)ND_hq1yjiA4x?T zz=Tbi^Qs(A6n|ha)FEtR?vM`&*yXayq;vPPF}jM9*O#3_P^7;NOoTL!#)(MKMNp3lJjQnwcbOc^uXB-7)kZ+`fG@k8aSqxT3o`y@(g9D?79|IVA+)1Ju zq@a$+A^uq4u@KBX2a;Xew_^s5Rs%4q_&O^zUNEVRj@UK9A;pRf^rOH{sHa(D;o@Oy zsyZY-8zpPxRPBnnvBpdKV5upu(W7N&wA0FqVA;kh_mX)?rn&v{^EV57Eyu_{?zT$v z(2AKuQ!8Ig_`}rJK`h?TE-wG4@E7=AQ>(_M6|9%#W4RF9!)1oNGNKa(M`*l3!L^MIeLeb}G<1YZI<;EpOnQ zy0?$jgYwKYCCA%c?{Y1KjAxV@1Cz1Jh#(-=^j{s=#O4NookYV5CY3c|znQFJ;d;bW ztTIfkTNZHs;#?Hry0$c{S50#jtw^97O&LF8Q^V%*BXfrc-@n2lWlinkWB8G=F{7!n z0=s-pa5KcXk z1ydo(Yh+H5mBhs2No-vKYMbhMMkF<%+?LVAa_0yyRd-fg5?a2vm6TA`=*nEfrdD=Z zdRF?payXcZW)E*VV`%lWxK2U1+dBenx+`Z=&nfrNF|w54)HFRF2ABC?TXsej)@TEuKPFjbbyT*R>$VnI;*j{Hl6V9oWu9NPUV5FfT$ 
zPJ$nn9(*taIXHdYj@B~Q7;R(ubt6bc%XNMCa0&eyFk4ipkOyul1mzdQz!gV+3z&PB zPy=-V7=$Q@;|iZm5tmz=!~Lrt0av0&d{OkFE?nL502o`?FEPZ^crk=CdB>?+jA_^! z)yPbw4#)(VVsi`cw_4a1ehTesxO$9)5*!WFxKvQl_xJ+k{GI6Y6>si=n_?u>o2MMh z6VVkyxk$8*gI^4Lx)V_Xcl|QV;jLwA%){n>H4M{@y~`LOweZ<*Q$L%7-n3wxx*L8` z&tDGYvd)jD?79RU)0wM5%H||CKEC$su~3EA{%~sqvi#a1)=+{vgyv&J*2kr@zq%ZC zyYGb}0&?iZfJmkO;7ybw?7`JfUItcz6YGJOYJ7tUf+{Bsyv*9E6nXj$E|jav2mi~h2fZZQX_nv>HVmk^F(^An zEGRJKcONEjf;ZSQk%*=>JUMVgU`omM7~FOoI76(TT~AkBPuEK^kd$9Cxvv!FZ5i*@^6T7DU#>^4szu9rzFb%DMFl4kAa=l_&*>=nt#jv{?DxA zp9k>r|F-ELA>zz{c-MchjsO(oKe3K%fVA-cHbtC<0q~6e|AicJ=0BO{e=;|@xe5LT z02uy-JN^rI{1@){FWm88xa0o`?#RsWk4x$QoFo1Z-0|=1>wm@_|H|P0FFE4>-L^m2 z;~(7d?=k-C{4d<`FO=~geg1(v{@w2n?)dleAKdZJ^1tJb03`FTwm(GSKXAu?@B3%W z|IPG=cKp-+SI#$pcx3*AWCAEfW?8|3CeF{)2V| zpu7L|?gntiu>4buI1?KK;1=tDh8-8wEG#udop|l(#N`k);%TTtQALTihHF&l*6eWB z7FOehg=a`J%B3XQJuLf0hpG5#9V<4mJ460*hO za(jMyS#G?m*7K*Wimc&l5z8Vn3)D1Bcrmrdl2k=lhJBvMG64d`uhKc}C&$;_t@MTJ z6OF|ShQ+cij+z#EK9+>2q0I~_aVJV7SAah8WtXHf=$jd$pTFm_K*ZFN0g{!cI=pvO zviS&0mt%s_0N4pW&$Get5^~P)6su+h#MknYIYFQR8X^0)XZeXhJD7K$GZQD6jUl#1h!T{TN%S3 zd?RsZ+eb)pf4Cx_)s~bu#DYJf?zGn6HBP=%W2;&5n`|6&@843CCw^dYtWT(|z=C|Mbv`aQ@qE z>gs&0?dWDB>SB3wVP&TCVTPt6$}~+Q75nT=v%z8s5S-0Ph2xY~N^kyT-U-FlBqX_p zW@S_T{aPKx_ZUW?e;@Hh*+3F6hQ1T)1cK2EeO61PH7RC%z`eLAFThj$q+9dIw{?qGY2vWWV93YAva;6(ua45ZjKi{0 z0cAhNCi528Mn}Fl|JsE%Yi+_KEQX4bMz=f$dk5eUPrggsirO!54|4YxR}P&WVA3|RK^8zhp^Hn)%Q-dCF7rS+=q=OzZq>43sD<60r3>tqhkO`D5SQv_v6T5ciw^*5* zmq*v`4d1j*MuhSQWw0{)3hV9FBNeARzEUHba>Tsikg~32rKb=Q9P^YY!U{Gpd_Fr| z>n8M_H3%dp*UaK!h?!3R-D5sIqu=YbP%Pk(amj0CJ{NUq;if}NFXZ5Q6#s|qTqn4m z&!PnQIZBSagShcU(!u2%sbqD*Pu#7tp783uh4!y!S305s^ zrlbp#c6|u4hfsepGstNwX>;)OLbrac`?)Ht7e&859mUf;paD0qYiyrS5vYK9lv9W{ zhZ`7DjW*k-ukbB(t+KBH?Ife*UdBHVWOaIZW*TqoZCFm z0)>=020uF3I;7y)nSh0IJ*S+OSY&*t)y7ia_wta$X`8Zvde7yGAeLc!o@;Y%u-SqKz#MM8zvv4s^~#pW8S6ZZ?!xDxNjJ?XI+vMS? 
ztH8JcG1YThbAF-gA<4oEQHT1EJ4xI5WTn(i6J-leK`;Jcg!qFmgjL;>y71+BA1k?I zWu7z3J|@Q2JZt=U<(afu;H)gc`k?!dgNNF{60?10t$kK%Rc?p4WUO^EfR%AZ*DUzaiY;A?&H+c^$i4 zJDhaSIqTZ0>a>Ph-)%M)?Sd`z? z?<^z^T2xkcRQ9SeU6cw`G^_TtQ#=QhrT7H7XQjbqu$kg`GSu zD_Xiz+c-_!%`P8WEbPPV3pm=g6JoAvQg$9DAWrjEhU!4o9EmL8c$+)tHT9@ixV8s1 zpc`e~ralDQ%_FMRu4WT17@W@|lCgY7ZRZV&&)Sy2FKpHzo-7vXPIF6JqbyDDt@zG) zx!qKG5OJWj;k99DAujTev!uvRxA~Rs8i5aOzElUbruo8eVEa0jvmT#T!tcUU4nvSX zyInM>AMjr+tPZHN{4hD8Q76W(fHH z8hJ+w9>t59YH~hs-2#hVY&{pPMnEm)OHSlAO2)N4cr>($*)RC$dy zWBQM_e1yF>lfcZldzx2_E|Y8I1IiCrPx2wAdryzOY?|hw8 z_e11AtY<~xvJZtf4)8)lw=WejwB*82$Phc#QMVsEW$RtAqDE5U18d^r&-A-3E;f z?j)U}XmTB~On&HOn%2bKXyN=c35iANWHrOe#X8UCaJ60`shuAByGN7y;0}SrW3xZr z`?=Zf@C25QY>$tf9phRXfW+OL;D z;k6x^-dx=0Tv}BJ@Wsz`VJ_Ri&;DGhuL;i7t)ZMJ)-TLEO_%Fve>cCv+-3sh`0>NyRiW4TJJMZA_Xtfea7(X5I@99MIxhVy7w9A=m1 zvost?td#hgjw#(n8)tIM%(^c8g_mTbE~aSQB5sM+Owc+Kos>MP_|mvCWJqEmwpu)g zq}AD8 zkxL|fov*o)x#snFbi|C9JVcNFpZ2~wDywaK6cr?-5fN#SlJM&w1!+kE0VM<^MH(q- z5R^`l6lo9yDWyXJNs&gSyGuY3c$@RC=N$Lv_}zQ|c;mhC#@S=Q{`TB+u3mG^HRqml z?R@#-=4jd7g@U>e#$Fm<8fcX@b^~Y<%%=GCzJzy?xRw=AzJ!(#PJxgZUP$3P&=iZAP-PjnNAg)8#%Qm|nwHCFA zPq5IRo|~#^G8CI;*(r4pC2-!<6_0IS3OLz4>v}0UQTdT7f#bnp?WRk4b(ExXs=_;U z^#?);@*Pq%+S1D1+3Ezvl+%}Kn!fk)a#+fVMT(})!P)h)OW>|zr>@E6Z!lcbYrATA zDYcD0pi9!S5}v5y7`jKUCce7HXgwm5Y3mt%hcY|4H2MCs8H9Ha|8#GL-_{fs7Escb zOBZFaJ=K1b;Qhk9(~yu4>hv_EluSeU1h2}(>9aZbDOY;W222x&m|k2&{NU-1YL+`W zM0zvKjIb^{+5J8FwLH9=+B4eH+yk%N2~eD(q0cW|k(tO8oNJ$Y)8G>{=Gv^x5)5le*=U=iQinHGD&^Q0K3Zm>hy~sxutg3 zco}g5F^=6(?K#r<_>Sk=O4p4}1ue5}bJ!1bTxt)zp<^C6t?zz2Fl6!QZAttx*_)SK z6S0Qhw94sYS4@-qygS_S5ZPky&nWNN;rHQ_H7>EbHS8L#g{L!}UgLh*$K>NbbvEqE zV&nx+`6n$8HeZmbpFg0K!Iv2tn9#%uxxP=9yt8S~eKsT9^-UNegT3)ul|mBDffub- z*m)DJnG9B^tm#}DIl*oRnUv+6&uWd`N!t(s<2NypzO;4mu}7u4!5Cua=67PEY)?On<_{Tu{_Uugyq-XGpQ4eO4b?rMSZks~og--~#;%5A2>1hgq0|QB3!O>5vYH#cI z^GU~g!Wx*|nLqXG#lGtVVvC3tFl-jQmsiM@TJ$<~w=Ki{H)aVyDf8FH_TQN$;3kH~ z7}#HCiC^pye{7L|wMQWTZ^d2!9A5vb)xW$EVQ~0=vOm{T6}4$%rTp@Z7R`0lU#VZ2 
zC|7}wLMgxU;KX@yy4=(L8{=MMep0!8KE0wf6ry3Nflt`>PW}*;g&Uoi^Xq)wEWqGT zY{sH}x!z6PI!CEw{w?Ndi-*8#(gx{>s0|AC!6;{p$S2H1CX8seZYy<>0S0Y+vtIu@5AoWB{PaEBhohuZnhFuvk1J? z(EECD^1G;g_3wtl&oCT+s2$-*z`+v*<^`G(_t3?0#`~SHO{-$=sjUfXC-1ISj z`B)<%7{q_V)@pRfY#9daJl9s&uSQN@Cc5s=Besrz=!^F-=$Hnw0y9LFB*YdrHDVICpEzuV0gBH;t ziS%#UT$T~WvQoP>!m1hU{Yu#jKF$?YHqK+K75mJqSNy3Yhvyk5BW?PO@BNS(R7Vm` zP|A5YP#xLp8(&`66>Qy{Q@$9K-F!gf|EkOH#XV0~Hfpb{F_e?L92sf?dsFRlr&#X% z;2bg&;4kd5iOFja+aIH9Ge1LcaH4iTkEYqWewg~CL{|bH)$JnL{i~60bJH|O$$yCB zt=$ai`sS3{!E$2%iOd6%TZyXI~q+a_cCEwxyNYxK(rf~@qCfWjG zfp*Pk+kPvnJ8TwbFKs8?V3tN`B{`HD?X;S)v@ZO>GqI!+tql(~c($9G%jc21l=#xT zt*_rZ@SL5TSiQ3Q#=s!ebpu5`6{dlhG`vevpTZx^3bT07%si)yd~7Feep=Cs^eja+ zYmEJv4^@VnOh5jn$7Zq@S?AO)=B01hRaRm!?;1<9h(_MKm4JET_`FL9ZWkow)-M=ECIVk2`2JikiR)uk2(xLaYD4^& z`tzZ;B^cka2}c%%V=m4;QvEnl;#c>zL+`-I%T_CyzF@5lA4bEItDvjjqWLABN;h_D zTqv-#YN3?c#(wYA$D!AQhUoL5y-ubTF#;pQl#6D9oKAHahJy0(55oi_oVMEEbEEBh zUc5x{v7Y`RTSL7@`03)B99L?@re&sOkD#Xbk9MP05uT^gRaf&e^$EGlXX&d&IpZ|4 zbR#c{Ux^6YTMbR7u47kAv=_e;<9M?AeTMqQu8hkIV{*xfwDN`Vy4`IGg2H%)h*^UC z(7uYx=P%Ah_g*i&>`!s&y%6{5Oy7w_E@K9M$8FO+r-)jXuaJ7J5L zCBvcgqwyhG=ShxahTS$1iIRtRTTKg+<1j2tu2|9Q7-`wAOxf}d4|WZQ4^v7CzVDeR znY=d$>Kv`leP58cNdnbsJ1l76;o91gt8z+MpblzdBBGJkJW=G`fB)3{S<9#n6U7~y znNL-xtnqQp?Jy&%S4ia6_fvbNbk!$Y+Qv2kb%9mmz#+b?)imby zq5Rr2Sw_axjdEU})>D1Sx9vYq$ZTJ@gZ^M2HITun-&L>TXCz1zL_<{klBO`KIU@j0 zhi7(uB+n!HZ7>;60hys(|68h3KDU^$2@UB_xnr?ASy}vh3(oW*y)xf&;0_SQm`4qg z*Cd=W16^pA@mZ(p$!OI0gDtvgUYvAs{gAg?9r)%M$s<@6+jX_5LA{ zBvYRFsFHyqCS42fjax64!VI0=;xCp>KI4{84t{(UKeCEb>ekReoZ0RC)IzhKg+OUi zz69VPiONoyLHi)VPZ{&%7p221qAi-p?VHyj$$TtilMU}{h2U1E9!u>hV=^lIjfS+tGJ=Lo>5f7j+-EE7inJqFSt#4rb4-a(-wrevSX)p6xpfMW(Hw zEf)Ae_}XecmO$vK?HIu>DJsFItI?IlOm_XnL)11Dc8I=J8I$cc=BIu|$Ax0Ar%6|O+d4YS zGw`~J4Y~&T^|I2BzFYCB-_67{civ_1#-wFCq;jcj1>!&>}JwB@65`LW~-#`~*x-3SV`b3f0tt_-#ZgGn`A>mDTRoI4EmblXf`ywAx z%mq>X_gX@tJOtiFYLkqVZ!(wM`p`__Ei`4zL4%iMMT$>0zHMtO#)zGhwb+1O$}qxQ z;q~P23Yjc>baPm`x?H=!k9(2IB|$)vFON?1#_D?JpD-1u<)svyh#j=49X 
zeH$8AzJ@JUj9(#4RX%(5^5muEChCe{2Rjw}qqm9QbPm@DB-V+y??qhQT9?@*bv&

c;>u;5VwYl5YcdmO?Q!GlWMH7_gc4Eq=;#9igLf-A=h>nK6MO5MJW8Z7A3k>? zk*ibd{X0`$#k$)v`tla?qbUjHFm;=Q(Gm`oW|4s4&}@?SowH9g*Wjo`k{xZPpibfF z?_}u9iqAzZwlTlkd|X=Lo6KK(W8e-)VAyK$&W&I_C->S|(|vE`+Bdh}EBAcv7B%Y| zMAg-Wy4O8@b+v!T?NpItVV~3YFam5Go6A&zmF4p6%`=tIx841dH#j;}bK1{IrRNqi z%(Y*);^EW_{}*i0bs%nQ^|1hsaks_*6m@y6a^*X-gtq%K26E zhu59e{>9zdoO60~2Es?{FFk+EWq|(wORnNsrFs`p!Tg5g( zHiuuUR)jCrCzR%JGR4dA6FzgDD%Ym%i6b+}MW3%qRH84b@MId-{GNBih^Nw|mqB~` z<=PG3BMCKmR~3hV`%!#CFRs&SW(IU@lNIG#ou~>LP&Ei08$$GGkYe+Kl7>|%rizx>RUl{G#yJp0z(c1UvLN@gxYBZbDx zXZk@UpBsx)9=`tQbK~ZoVT#j1*SU>oLLGlB*vMuphu=6a#8O13QJT=vRDK#Nz9VJfVWtyT_M)xV z;M0$B2MRKeuWgyqi9=9JE+`2sq!^@8$yR&(6IbE}kli2_A68wwSPAC7_b>BeP1=`?nFP_Oh~az)@^YO+PEN67o)yy9at^^b6x74GH5R* zW%1Jv8FWFCWoDI@w<^A=usb62AlWZFYq9l2 zw#B4sS&P29#&Gq^>K@&@LxbXOUcmPi>16xl%FH=y`GV$Tq=WB0?q8TB&rQlPx|RA~ zts$#lVenpbmOMvWO|#};c+9PK!kUIKR9$|8*4=>K?uE`Yxs1bUpQF$F6AK+7<;dqO zy!Q(EFRjEcw4rY;lDr;R7u)|hzm{6OqF-E1-Z%d z`vJ3tEX91K-rGFSKU~@ybyH01Z^cvDf))5UZBQvX7JV+HA_f-+3` zA?qD8M_vh$o^NmEz4+xEyd8b7*~L4U@KT0EO7X~vtg^u>8Fiy#1Md*P-;gQ$1$_RZ z!^)`gwy}gSg6xFS5jF4HSIUa)r0uV6pPAv<$rQ&>Wu+*N8XB4!j%e$^z!2q#!yc+C z_m84NCzGPL!xW<>c7whs`Wg~(%lKx;88^5jNf}>c)X^tZ&k<=DuQBG_Qo}~?+1m<= zu%vJVA7%#79-X{X%orlwXqQ0LXTyv4O}3HP%Xi~U4^6`mwZNdIBd5%bdYTyI24Qa2 z5@l*|z!Ms~Ya-R=kDAZDNbh1BQcO3eFKE20eO}-hr2?z(1vOET&xn&qymYmQ%gFly)oYT#5~D* z%SW4MHJYE{@vGu9>5`{M@OD7dl_^uFY(^{a|vX)NV2^<$|Gu0cJ za5WDkgv+fCoFXIb7w39~SH-Pe*D0w%%qcdUovPPvc;KS_Mf6H<%CbqZn>M4YcY>5) zkQ>Qr%vwM!^28w3_?OlOD_IH2+h4NYtNJ>qi+Iq8wtE zjra8Yl0POG+PoR$9mAfqda2UW_lQrI`1aW^YSEaIr^fk_mLG3^9~RO!yenDw4i*e) zEK=0ESU66ny2xVq=0mKld(zGVv1wIlS>+9h@Ej{ zpJ2y+A;<55=-PkB|GQEA=Wi4cO&fLWPxANlpa@n35Ze0}*x%p(^ZTE+`E?BZW%vam zf`dO`0phizVSugoU!SwUp$Ncn_uu=QBx|3siXNmD+f^~*zUaL&F#JZ*{XG&gr?4 zo|Y3L|K=sAKUd#J<&p0dPeXJP=w_2K=Lu$7JFRS3?w5iU`$YCh2d+eHZkB>N6brHcd4EHFD`Rw%RA7z#g z4(5Nwcu~zwO+C7OWlo^^Yjr-xCWN3|B_h+7uF!crsrgi~?fCGV{RxuG>110{MzFFD zr&*$r%Z*<{Y2L5YJb2o1Kneh?H2P4)$qWg!RFB&M>NnS0p8seD5(o;FN2Xou+DS%0%qm zO=5|WwWnVsdSXydJ4T= 
zM6N1>xS+&U2NmcP*$kmi;&ji3S}F!sLjW`WCnF@G<|< zEo%;Pe`n)aJ?1eBkzN6bT?(*Z=DVf((O2N|Hg}wl8gJ#YHM zrCXa0)mN<0Qe@{6M*ZH_91274Hi^~cpikWqZ{T>+T|>rYO_;Z|QH6gY?absl9%Dd> z?Nf6(0=r1$9d6fzYMDa&3tf#)c6O_ts|e@Fsz$vA_}xZ$wZA)cw;=QNs(}o>JA<2C z*KJpRxURluNayNmAwS_`SuL+W)3Llx?f0dg!G&5zQzKH)gAJ|0CyaDL(_} zC3|njSNqR~3}I3|WSZB4t7jVuS!!hNnqONnFS^UtelSf>Q4#L%{v4gBn#HzHjBVD7 zwbmL{d#9B{dZDVI;n^f#9^+T#ssew;t$EY0cmd}|23yc0R$u@7tUUT{uN-pVn+=agH3W=NZp8z*EJw#fC5xZY2U zP72RFr{P|;pVcgSPjB`W%)y!O{qk_slW*ScdMsmNL+bHZt)Z6n5h{}l8;{cz8`T+R z1z3MPzhJ}#6O<5<6=jchPzo(`Mv(~)VpmQY9U-^kAfKIvbem%lp)vNcX$utzOR(;A zpN>bGcPY-c?e}|sIRl)bZa8keIWm~a>Yh3tR`~_Z{wjp5%7F*Y;9z#SeD3TPc2A(I z*sI~)>2MJ-#wnxPmT=O@k_`4OjajzqPrlI%%lN*sMoD*>c(qw(;`iK}j`Rx+J+B3y z{dO_CDNm44n`iBZ{bYpw^z8*$j*i|uRF7lo;KPcO24}@(MFeUoAS8(noKJoD zdKNXYZir_l5mg+YUNo*f-#83o`BIW;XE-D2+&-pjT>HkYRqVBTs?O^z$hX03XIdlN z{HD#$()2ZZJgj@B9cv}*D(lx|&3bS2AeZQg*A(2|uzzReQ>IAVHK%9B%<-l6oEvD_ z*`TwDam(nKr`w`0mTryoy384wJxLaM)tb|Z=p^-;yLOG~E}Uj_^woExV#C>G`{WCz z-r;USwPo*m&7Au+BX;wIPd!b)_^Nt=j3WziiNqpc{|4?5!qX{d`St!>TUTdQoON>HeSAJpc9fK zeW@rzp>4)*A)Y%q`I3mzW|?sgJArY3SaI0+>9s}u-L{9E?P$k)>n~T9+34KO`#--5 z^ZPO*@Sw~!Qrf*`(WHRs`z-a_CwIRgg0tfFu3qnHt9Tlx_k2f1B~_5lvJ@@&cXcLr(`bcnPO z)oSpaO=x1&;BzFmze_7bXEMO+$XxqwfUlIqCc8+IZnD?niDdUf^tfHXfH%p};|L3Z z9C^k_dBGc(N~3rKxKyP)b3ZV4u+?eJGsb)?k(`sH(t7^ERkeA8M33mJZnR`~vqzGK zIoa8nuGYJT%7y$drN=yDZ)JZ_ob?DWg{78X~xK{w(^s^d-XwS zckieEfysBSdi<-z;Yy)|Q7eyJ@4EZQ{AcORrd?r_1|A2zk5)Zq|z(uaB8ws5>qjHW>Fme-P7-LrS zqn^IWgtxlC7r(kS!N!s|4sw3h8X$EDhWK$~{x0>*|Gu(bX^?Q5dT!41l#-v}> zM%Jt@hG&E~)3T_ftRVIVVt1^Ch-FC%-O}jDEc5 z1M!T?Ioueb!|_s{+KmMgcSzc;+1nFfEvN4nNs5-!?^m>uvP)8P^$hxFsBs%&)wo%| zr8H{CP4whSFA#4Vl9&`g@?4;gJ`yiq#pL^R@=Qn<@Yv5Q(YraMNZslflh>tx7klrz zlwn`Sp4B4`x3dLOcAOzWXM5sppz=q26egumU1GVtS5_oixzl>*`Q->=^=>1gjbUu^ zXwH=mt{5fxQHZ;uWulaHgwfLj%an+Vyx$`uC}oNXsNk6{ZylQ+TWNp1Q*OLxQo>q@ z4|!#`ZE_kbxZn|ew*4WU&@=VC;HMYT+H?z}C6daF3QF0tPbOs2mh1aWxn;zAUY_ma z>r7N@@e^&@;5aPUPpvMi^!H>FtmaKRd&pbOelfyLWe=9gLE_nVlI&ul(KW9MW}kE9nDP!J`G250A~ 
zwFuw`s7-kK$i+LK(SM}Ee0{BsEy5{~Sekq6{Mhf^$7G7GzgIgL$~+Cnh$2LytI=&aYL z!e=fh{t!|$66bQFR2PyAa=XM#>u>6Fuz07W{(ymIW}WaiDrVs5sJ}KS|4zk>LP3pC z2)=u^R!$Dkd)5N>CT31nhW5br#m3qZ*ut2=SdSxDfYi$nK(~yB0BU7mlLUppkbmly zflbhFLm2`7_x}oHgh2tnrA!=*O{^VR1)vDv>8hcvoQZ{*xg+rXEbyrPuLlT;nAmak zjw2Vr0BylvmHO8{>mQx+KRV^je{{A_DgQS*Wk50ezgg+6WBn%_i2w7S{QboJ zdH+cRe*OvnZ|^_TIllk={XeDgcf6nYKkq;3z|TM7$M>J_e%^n+`}qvM|NZ^(yPtnQ z)B5}KPh9Z*XPRL6KhOX382taV-Tu@myV#qUk^rZmA`v8jMD?%h_#jfizG2GxCkzUB z0Ulqh)_=lafF%VCLjVSUFboAm<-&mh7921PdmJnB`1&&s7z_ac1j=7wa0m`93=SaT z;K49}+yNH`$H zf?){2I`k_HICT{c#sgxS0Tv`M9w5Ntz_4g=A0g2Y;2c;GEpSHdZ(ta3eUWGwVEqEq z!hy(YU>M@q?f3Zlv%WywH7ri~(8p)fg7J_*L^m+(_$*p5>^E(I{!JU8v4A!5S6ZO? zfb(v_Fa&V;E)EQc7zc(ON36qvVZiNz!k}=*8U}&_qU!xhi-AIbD0E;L6o@Xn~AsBF3 zU|7JuiGzm(^FJsIdmPd6*L-1E6qq*wco^W|Z7?1N18!5`q-+?tj{q2WJVW6S2$+`u zFenCGUpNLJ2IULK;>=%w5##Vv0EPhbXFz!Y#e(aBfFOT^hXnI+fcE%s@n72jI656X z&jCCvPP-rg)&%Zf1QZ5H3!wA>-UOP{P+)b#Ei)7a$0-XGXI%wovEVrkn7Sdjv@j^n zctOC9zeoX<4~77*JwSRu=tdkoG+6cl@GvNx`U0JfLkn2raq(b41X560;0Q1;fg*s9 zVZh@V0f-E^Fbr5e0BEr|;~oKgbb>>RfZ_HB0>~L$J_HJaQ#S+}h@uLr2XOQ}P98`I zu;T&Y0TDoO@<75N;5map9!F;d(;k0O1BRi&YckOA7@WBZR0Fp!QBWX?EGRt`z;$q7 zK(FJ#j-$zfY0y;a7bjozZ{{=_ejK*s`1-lV11mfNw{B=8Zl9ykFx-4G zKm=WIdRQ!&{{hPa3@2X<47Wcp2nbFeVUTc~x?uoyFF0Qeu&Cg`u*XV*U+as7;PwX= zhQr5!7{K8D2f%TV$AObU=>bA84h(}^J}mA$LIUg_OpAoTz%mUK2?4khC=X!O{|z4c zH|b$;#v~Gg1=~yo5yz3Ie;rpy1depY-nV9tQ+frg`T z<{KIq&*1h$0}Ti+GX{mmkyU_I8fUBlt&Ecg1`99~P#a)@^%9&177a*yU_1;Oynh1- zQDB}3bR+`2&HykpSS|r}oDlH7?0A<9Uh`m32o&6x01OV6uV7Fp3cL@6L1Dl||Fs^+ z+!QRc!T_lb%u4_X81Z*`&C%WvFs9o7aRiIHg`3GA%D&6jZEPG_0q$~qSd6^2sSPW@ fk$~TT-P6I*(BAP6y&w#Vfy1CAoSf1sG9>>C0~W*( literal 0 HcmV?d00001 
diff --git a/draft_review/2026-05-13_iTC_review/PP-Module-Server-v2.0-draft-review.pdf b/draft_review/2026-05-13_iTC_review/PP-Module-Server-v2.0-draft-review.pdf new file mode 100644 index 0000000000000000000000000000000000000000..5037115e446ff680803d33f15b7b068fc20f272c GIT binary patch literal 292773 zcmeFaYjY&Wm8SU}zaqbkjcC0DG9&L}Fq!cp?r2t0v&rgd^_0nAC?Fw1T~#OnC{fx! zzx%w$-NP>tkr|N}uqdh3tVBjec(@-we(sn5_U+f-d_Fm!o&C4}kN-QHjK-sfH-9?2 zyc}J;x_^GV8U5ns;qBY&HxG~3&-Z`XjK2N$^WQ$)e&mO{hsV+Po5#Ow9!Fn%`0)1r zh8rH;F-WtHpResmAO1ayI{bJpb?G@qZ8RW}3x))5)@0Ose|6U;grJ^Zr(Vs8WFZ?Zakt z@zwS7_1lL(o?U!<{m0GIXvz)Won8Fy`W;^;WB2V}KR&;`f6s+#x^h=^^KY)-Y~FHh zy^PnGGh_by(BHOWzkU61<2LU3@#E%=<=Y<$i}`2U`6-k&AEe)WC!>-S&%?(FQ#S7-C(`D8s=E=J4c@_am> zjb7cJU3^oWk4M#V^y=>H_2pu^xLe%tzsaIn+%2nLj;itbc(R^PN0*Dqa<*767mIl{ zp7X!zc6Q6%v*n!oxwcs734WU{=F3X=@%$e~um0EBuU?%oAGXl{r}>1x^{Ls1mFTnl z9_C+7Cg;=HYP6h<&!^MI^e<lvt@pp<@A@MSARO%BxWlp*=Vtzo=-Cf zRt|!*Nd~j&;>}_MT$X~-VzyZF?=AmrmTc}3p))>TOs1U7S3lZL`$;Zl=aa?4Z8J0+ zDtA72)11#1D>ie=w)Ng}DD536FkeiC2m-ATL08%OwL^j&C8|{mqO7Yi;F#FE8BK`7 zvv+J90AfBF(k*qj<|+hR&u1xcXPUi7y7sM)05*IBI4Rogg@)tv)vAJe=70v?(^Wg5 z1>Oa_ttD4(8QOiF4ltv}Qcm0r;M4-w=gZX`YI`YAv-FL_XZ=3YXt#@7&Ky@674TGS zWCJi<*N98*=dXZ+Y?uSQ1J|6B5zjXhx@{Rro5hj1pbHem5XWUj%(}Wb8j|S|S zAOXqGfjzCx7vol7188C6Ez4X3AV|{^T!k2|e+hFtU(Ke=`RK9|AeUgAktpu-2hu>M z1G)k1Yc105^dM(kz{d!cfkWH3M)GKEncm2K-6Rwu8AoT6m?v-69Bv`HjB6(Yq&Wfh z!UQ~Nm@Ll0<0ff<%!_zJsx%+1aB~9k$*DhIhXW%9G+~qP&MxNy0K^3R@&smPWD5KP zY}&@2lw9o2t#m$HpNp_)sg4olY%^s%fzdRdy!d9yEZ6625Xd-XaZ<%EjSEfz7)a4r zhaaT4<`NGEgmJN51? 
zqRD)(-Al%-cQ6@qpB+qwgfO{XOs+M-z8fi$8P!83*P282-N{LX4Z{=Dj@`VR%}mUj zw=%DOJD1G0-nsbun1I?z3mfc>Mspd(Xmj>hZ#b{dWtlT=T3gyCw0~ z$$8Q}Oc3eZyPt}{1tyi!%W!QFk&6Pway6^zrG}bR87berW62=}hum=STFa1qPubkj z%kdohg{POPI(sRhYdSt;kK#0gP?V9zeU3yNGVDt_WVkkHui}uJWe))F-m~Q3)Y$&dsD>%PfF~Xod?OG7}eeoy8%XF4qT+MBRb} zoDJuN>p>eBXSaYj2H{e}&lh_WOYOTGE}rj}A^UEhBbKw(^n5nyCYA?nQZi4kxE+zS z#m!2N#y*>s&$0)Ecb~RoM)js8*P3|Hche%Z+_G_wS~@x@nmL&sa?+A{*PECS52@pW z&PFnx->pb2_u0N=yne9Wy?x2@96E#x`)^z%mYo~-`qHQ+c0|;;vHnfXu1+^F8=x%V zauVRt#0K}q8C>}b+G196*$J_CLuX|#$1DpCUV2++O^c&~C`~h&-eP&an6?oF?2!rW z?y&bcJtbFVyG>`z^n6}TqiQSHgd9v=W;0f`@aAnZjt_N^M0?*9L+^TJ>l|k8OCG%V zCKWH)zY{riSTp)RzMJgRfjYky?gZ`?hHC~Ct$K@2W3Oo7F&wd!+ z2TuE*igJ^Va4O0nFj(y8+0l>ONb8^_&2*lSiMGkw2%;Us4FPL33K>t zxn9S+^oDCVBjsnGGc#FXj~}mfXgVj|2MPXB?&-ZLh5SO%A6%wU?QR@}i;=+T>C#~q5cE`)Hr6B?t2@#ni_;*itA9VOfcxF$OZvgsm zly3}qAj&V-=aYT3Tw=+>g9XYPf)l-GXb-~Uz0bs$LE*&hMx0)POiksxr}~e8y8Eti zUz9KL;s_{T4!JMNJKdJ_7-wr5s@o$4krHw@6At^F2Zh)ZRJx45!Zet)?J$-I8@~5J z+{t`?PWZbd_pXWm(^s{_SJ#`u6tukr_z@04Ib;-Ph8==sB|jC2N{H{EL(q7z>kv2s z?{cPmULff0u68e+=S-IWGBQFw+)bq9J2YiJpixMAQV+4fNZR zD@jU5T$dKB;8g6EPJCB_XS#uV-V@^~c{uwh ztdsa)jyF(oFust}MSHEffJx)X;6B{d{7*?Wf~16nm6@=lf8=*1icuh+C~_>O%t)8)YX&VTcKF_ha#!OiYhDWJIv4SCrnHC7z4s>MR+R=YkAUo* z`!j9Nh-)*_MT_}*c0S!l>x|E}pt`r0Lv}%RGmE^G05U;)SV{u!oZq3C@Q?ibo~NMP zi^C5=IbtOE!_I&+5H9CbxEVz6%jfblfUE+&*C7Z8AuB4hncd9pklZJ;oB5p*Mv$3& z{RVRY`|Idv|Sf%;fl5ufyw zQ>a&T@%{7lyAPAm*AG11FMDe|UXLa-6l0(6sMNu=rGgDe-1@h(e`~3ds#>j~D(KI$ zN~)ENJ*Z0R#Wz%3wKBO@sMHtbb@`d>k1F_DX*PC6$V*B6y zcvC-~D0UrKK*#qAamdScym7KU`T-GY@0d`;Twm{vi~Nwpz#evaCL|it9dsF%yGJGPGR?54al49`@DR!8B}v z!$2y+X>utf5xRDP5<}RV^&*0@9~5nmdqUCXdUlaQ(NH5@s&=Ib#>E(dHz~lV9SBfy zgsa4k>*e)gd>5DW`L8L?eSgzyWqucW;m5?|QnE4wc#0pC$!J^I48xI%_~jU)6BL#f zid`?U_y|(5;5AMHuT8AYn;(R)q)78#C7c_Bc1mWogE*7S=Ccjj2zmx;20DB-xE=^GkYuIHShsG7v3UBc{5Vzo}-&^_W-fJpNM&Wxe(@`C+w(MNi&lPpM=G_~x zx!<4xpd+AkC(NhAP}(`kAg||>=^&JDJXoT%(e5U)wxy2uhHF63^0N=Z#&G0hwZ){n zHvXU2U7dyA8&w>Dh+YohM>qiGko(ef7viwQ)r4F;gr+wh%y9{0DJQ_Y3>qZ6?GzBg 
z;JaENVg1lkeMy&Q61boV06m<|9=Me18Dt?^)v z4-wrR%FphqjXHVFZe}-h4667GbrH`Q#@MBb+g!@eC57`R_JFAl7cD7J8zW5erTyKb z`o3sh0_+HAUJki0nmgjWSYhfLrkXY$%yGe^xpRN*N!1bWsU^}CUhIVYnF8Sm9YPUM zSe)-v^D@+*R$J%em5xLLzZ?vo+>zK5g&PYz9EBT0?u){X;4T()P~1n^OdiblE~0Rt z)EEXgqQbK&MnNbw#yua?&~Ezsi79ricy=!FlS9u#1(to$J0g$6fg_-IIpn_R?exb5 zWgSV*7$SE!9?a4Ea%wh|7R7Uc36U0G!G!3oDTK5wC;TE(Th}amA@d@IohjBy?#d{E zL$RDgQRnCK{Jtn25$I?rUJe;id^Kp6UY4NUPqmL~Nr}DiV1W}taZkK0)E!B|0_Tx+ zkQQDDc_(#6*6xY^T#)alp64L6iWONKfIk9#??$@4kbk^9Cv{^8efOs(KG=r*T>`kv zmzt#gR54jc_md{(X_V1l|#lyBzW` z%09=%UhSh^CJ*MwjchK`Za#d6v&iDNCYe*ngCc*#Po{o-m;m+@pW7;x@We$EbVCL($>y{r-K?y~K$lpnEywf#^Q3=sCX+y2l6G(A_Di)VhC-fSvEopCZPa$N95Nz$ ze>pdXam}YwQh^2`y0cIw59avcg_)?U8vY{CP}2`lrd^<^3WEP40!JwhR0%s-?+ zvoErjKs*AnmqYH0?9O^PpUf#LJqXzw59as*vLmmwMQ6=?_+shsku6enJydkE)dKl4 zs9&2P6PV;n`-egOebGH4lLOol(7hb;Fm$Je>G^7yqUz8+d9c6-m zC(~<>|2JHZ0uA1OVi@Ht^>yT1vHc|^d!j1O*Og+#yBF5R^nb3`_C)9ga1KZ4#*q6W zw6hM*mRKP6Q9_dk8wj1*)NhG47jkFye!VG?42c&qB~I2fv|1}%rhDQ)SL8hAy!S=) zh(^bv+}-;$-A5{)&FN}6O#O6HdGcV6=;~_eFx`8Q7RvZR8lRG$O%~6mV`i)-YbrUY z?PBL*{$WIua9H+5^oT}BL-caU11UOjcmzEScNERygRO{eo+8*!XAyT*4wDok2_~&h zVD%&k!?jL0ZERr8L0Z3z#l3=1jaPChbuRa3e-wtHHeJIOPLeD4e}7?xVklEmTDw6^ z=k5MYkD_U1R#oS;E**l~o`}Z>yKuWE;$S0o^A$ZK$J2E;8K13Hm8OE+o7YI`bgn9@ zHNHW9r{oSYmakx=7#Z%E#T=xc!aOsb(clVY8SL)@$R~yU`(kprxWh5I95K@9p_uID z?lD&3VTxqq!5ovFG~$w$KV@sUJiW@Bo<#^03kfXxAK`Of3@?FqIEI%arWj7T`+%M^ zj^s`$+&&(rSvDTb5yK1IzJ?f5MlgdLCH^G*`71iiR0{Y`R-Z58lcKLb)d?GfPI&FS zgwg=&!C2oIaeu6LcD^ZwG2%#uNGOd53xsJg5LPk}D*NG63c;oD-Wt~`xF2CqEaj)d zx0ihHzPMci?Qq;KM?4s}DTa+$y9aK^2MdH~!R@Kx_MED_rf8bFDV0+3xzw$&EFM!O zxu!dcvcNACvm5ouY3Jfz66;R!u6;4N1jyl-T#mRuCOaW|Dqr0&J+kp&iOIEC(vmRo zX#~^4MrUIzAIa*AMVtbQKE*Nj#q5YS4seHKb~)nynC*pU%3$wRLkROncrZr_q;8Me z!9wy&bT=BPug8ngC3X$(irdLoOFBAp}BHreP3S0^FFaMRm_fl?j4KxhnKqd z#rP7Shhuy>;-MH{;n@QVhe##vs3Z^O7#|VdnY`O14;=HBE2P#MYD>_+R!m5MC_j58 zM2sn}L2(PUaIaTgO#V}(x2K-dp4i<0;=$P67;%5>b^-@g`-j#OYCKpVh>>%L+1AW) zv8JqqX{1xJ8F_C9+h%e;Pp90#++`9Qj7!^xB 
zHQpU-{C)AaT=?PmTaK9GZ~tal(PKlt=FoCLo;t?|^G)^g2nhV?%OlC^^F{nq9vNa# zjuyZMKo7_GErATUJQZamnA-R8G+Hoo?F!8tMrjYnt5+N5WCdmyc-t*#HnJS{c3 zCI0HAq!F5NP?ifFRKZprLd8NqbqwAYYs&>6j-~o9U&H z+UPeU+T&BTid0>T_@@-Irxa2G^l*$XM?4hcC$yX$SPsa^-N}PF#yhKs5dPD(igZu@ zQ>VSBnBSiCyaB|6vAZ$i{@CrD6ytz@S*lDRAji9CKg%j>zKxcQ}5RBc}M>A1`Dzal$h8 zwEc?xBoF3DfxJ=|Q8qD~;#MU}qgIk0-z=4^YsBn38@m7Ak zm2XP8^5d=icq>2N%8$45JcR!wMb;)-> zp2HKq`|&1zJX+V;c$HgkRr&EMKflV4#~F0@`SE;H%*r>#BqH4Z?#J^@F)QB`v+_+b zE8i5e@=Y---xRYVp4i5BO)<09hZ;GYQQu5&GUmluGrdE5<~iMo(gf#Iw${4A5oa?3 z46p9aE@|DTz@G&ilvJqRWc<%(cA#{q_)i>@GCV+%u6p=SM(@t3qJ7TJ`|of0KIiu} zo98bfmAV_IlpxXd`U0H@mZKYTg$F5gf<9zvMyxX(D1Zpvsx?{5UA5q5dk;w^q?OOd6{ZKu zz^)k4)x1$3@Veu@W}%9$aV7+I=wRM3-`ZRewK(8376|ka{&T1mzdKnLis!pIm)~_i z11y$P&QA_b%C`~|*aptZ3UDS3%*mG5(mXh2b6Mcqp=_FH3)h`>#`4C zw zx)(Qa@zT~Pn9$=0^de>lI9UvuX3k9SScOorn7?$L>2+`VeD*mp(xX>5+FX!?&u}4N zf<9ZZL5sjl1tMDGixu)ta~X=>=s%e-2Zknt8#bZt5Psm^jd#iiOO?^m3be5#)@Z}s z33K_qoKb|7N!mFxuGjQpW7l3R9^7IRvI!myfPObC<1cskC40VRQ&E$#wd6PU}A z3`11jc_Q4AZPODLCFrYIgc6qVtLpUlb7kkyh?x%5sYMKJ0cchCm7no zDBbVQ5RLgbc2gICIsp-{Y0rXeXYAW8*akMR_L>4^6h>BYhb`@}9&p@u9+K*OwVI=L zWV=6K(*mQFWNz6qjzzs3$Emj8fn?GVQ43ey#p? 
zu`FdCncZ$BK^16|XYRt#CEqC66oLa`Qo#ZvNLDAUDFSFbvJJRj2dd-Xp5V9;emX%T z&S6SZmq{C)etnt3D`1>Ye=F7m1Pbygn2D795(9)@yF@d+tVErmKlZP{x&aKL;=bph z(RIl$M9J{Com_{Kc83#YNu5pwQzFguybi_GY^B&kO$cSn0I;Qb@E4R%hk$$B{U&pr z0K{lYvng6~4r8>qSqG8dg;_Odn#*QUcXk>#w@!X$fh<`jVxtH(ShY7|nAYRQ&Uq`Q zvmr*p`4k2tugkp5C_D#vB~*Hx)mVnxh?#K%PXNxEz|W_&b89E?wv|EwNkBTOCIq0^nwkF&R(sap8nQOhbHK7w}<7oHx_Mgyct4UUP{Q-A{__?FkT^Sn~;h z4D`Z-k!nQrrECLZHZf_|0Ml@gWQc;m886aFR$iNM*2JCGPFVJ2OD8OGeCLc}QzR^f zvm|jmA9rh|+Y>r+>>kWRMCQJBJ9YX4k2FRLZPgi8WwafRZ$}6!bn2iLCDS#C( z6F(ORvuO_@-Sd?kCg&K7vHzcgH24d=-J|U%Gl(&1&`s7`O2KqZd;SJE&*ry7CbQiR zr`N8rWRI6yUV9RLs$Qq7Kr9k|iYP1L0gMIoC+4CPY7)=ctBi_)!;#UO%fakga$I;q zA`Ho=SRVspR2i43<(UNiwKQQGaw1Gqi}h`0g^3C`;4?QRcyZhxNm-aol!j#K$aP|^ zn^%o4M>}HjNHBu}aO3&;IP7Q&IK@7*mD{AaK70lNYKr3-Ki3Vm&H|7-^iWGeJ*T^U+m-+N{?*rHG-ym5g=yV09(Aq zt@)Ev3d%X20H`(ThZWH%t5p=SvnF{-%MQ~PGvu3FIAFHloP8h_PHF+bM1wZ)uq_%( z=h?JE-s93^9V^ruTP3~un+T2`+Cdv1>A_+k8s}>)G3!w$fG+26B-BqQM`klKH5gy5 zak+QDS_jY{5+VU5;lYnT^aIDW=+_Ts02GFG}gZyF?EXokwt4+fw_(P zmn7Y3pu`f1;9HUdDC)dj6RCNTuq*oTgj*)W>i98JaffJ-PsFaAM`iL)>ISH$(Mk)pT7h{ zqdQI4gm|y^#2hzvkGQNU2EuGpdz|&g*>1G!=7IM6>!qI7w;M)@j!Gh8wv_D;ZclJ( zdV-yniiyBffOAH}-VSn)Nlv;QQ(Ln5hV>%=FaUYcV&RNpmL0BOG!)-;r8u^UCDs-JpU7eIR${@QKHt+ ztlgaCmK{LmtkQFmpQD2wBtoSuIHbCSx2(j5zW&ry;^;R0lyoflmI8JpHv}`#NkzeYK)wrI+@18L;}q#UQ4n4QTKpQ-bvq3-Z`;H zW27k>s8zBW-4c2#euskzRdqlmf{tKbg&u}L!JlU^uLV(_T^uKvS9HY>Xkhk%y@L4! ziB|EJ3ZZO9`A&%PwQx}VoJRSEpiqkiO=C1IdQ_l)?c+%=e*d5UhZm48PA{p^`;Twm z{^4x%{#LhGglWsY^D#XIC&j&rLJeE`<-_Cc=5h2|QyUYu{PpJPdGw3#zy9p(;`@(p zp8xh?GrIWA{rmqC{BDSSj>aj8q@&tsv_{-o@VrBjFW$d@c-AVz^c3*gGCd4z=L8ey zOA#QpPw%U*CSCJOH5)=bRwP%~`o@abqAhb&5N^vHt2t4cfwq_3-cS?{6M%H(avV z;B=2dNN|R3j!B>{Vjjzvl@f+Jf_O4rYsjbP$IbP-vp*;NX-VO+wd2lWP=|&V`+3Dd zOD+@SIa;WC+eRvu@T=4rGyn4YO;B!V^-T!Ew4#N>1mwKsb7ueYUH25t8Jr5}jZz{zwKcQNs%$ z6{dupuFaoF0I@>dr7g3+;1R__)Pr;UG?EJjZcKczgx{>ytmkaIC_GYvICADf)*-`+ zwB=Ztwe{zJtf)1gSZI!Rtm3c(cdvZ#XvZoJT%v_PR?|=TSXqtmqa3SA?X?=XG4a6? 
zeyGo;&o{!~e4E-m511L}e)b0pV@GNzJJtb9h8?z#jR%i)z>}$q-q8+H z9CqNYl@A{6AjN@8bO`Yi$m(+c$&PGx)?l|SErg~in1S7_h`Lv<<~)TeIHT*}$8r?k zpCWZWc+DYid+7Y7W*;^ej#-Y)8NSzXA{!DX!f*kQuB73?5`JdnKT(ulAX(zlz}Z}| zz(31sfYb%M`7WJIomR)DedUGL=p@GIvbNh^qK_G$G`)Cvmr(+hGxRr|g+ z(FMaVaS{3CKrr*q@M*39IrZfd@E({!liSlnjHea7VT^~kbJ{zjIWVZYV}-Ka+p^sU zp5*Uf+98o+%jAyfx~sPkr#*38%~WPrQMk=B)@elUYw7O;4;M5-`WLZg9={U*hbGrO zLGzA;K!+e{ZfVxqdm|4vSFBd!`G|nuj+CP7{wd?Nx2E<^B*PA4SIL7VRczb-CUnIG z`qNLvI~Oi`A0pL{KK3US$JwsgilDiGgPGg?pzTVA9kyM`gT1yZ@4cFs_q1(xkch~8 zaiGpS60R-}18N+0AW-9jIZ!F-&_r0oAalJM1Z7yIOof?LWoR8z7^goaoKd)8()0ws zrZhLC&=q&e)0ZryjmCIJ2qk(Ud@TF#bN{JLaYE2M&HCLg*8**vtxWTYc5VhZmo16ZbbM^*vU>4DEmA6R%uoyK!C$uTW%kW)#L zhYl)rU?~?(6jAa8Yl$#DTHq4q!x@{NhqG`{C{)rSF?Z|44o=d57o{q1= z;9X*6ot72EQD0!f>Iz73ZI{(+x#4IatEIAOMFd1!fXXFIl7oRIIuwLBYCIR|{*nc= zz}@xgd=`#(ejHk5dI9YH_=29Z1V{~N$~D? zJR=`8BMD?RpMOG* zImI;H=q$8s<`!(sFkcai-XLKorw%RU?WX`PR$+`bb>6&BlpsgbyEjWb)gBwJ0TeAc z#oFX>>u9^+K%Z}702C?67R08=T%>E3zw8gVK;1U71)1_*qwHY%t?qANp{&xbMuCV1 zRHK-q&6~I8=fnt%PL13}C%|Ha*`?JY$gmiZI&pAjSUhC%QFMDJ!!%tqu%hPFBq5Hwhv z0K~QEf>PNYrcT|5aJVc9u7Mk#Ik`X<0I(5A1R6l9tP?Pmh43k{O_)-X1!H4kFTN~; zw$HXj%*b+GxWcpk{jDTITcEKm>!4tX143H*>rJqzSac*Bx4hou>UlL86E(hs9STBV zZ^ZS*^-g(7xe$ zmnzg>UpOGv_c&#H!Tz4XY*`S4d4 zGCC(|m@1_%B$e>buO1&hbpH6|+s)>-^Ve68_wPD?{NnMs^S7^vp=5$j)H5W~^1EY2 z`kMBpP+3MyqkAvD5&3a3z>4Gj{lC8XlR{%JFGm;OKVQH5&{@ydm1Rvse65hH#gY2b zt`_3!V;fgEITm@)r4@Ybx}P$qtK#-L?6zfiish3wki~Rb{n(D-7fZ4$%JDSXskLNcJ@7_JUC$#mM@Ym}P z50B5+Z_ghd|9J74g-W+aA}1ayqKIds#4AK4?n%`djcjFc8_OJzsO?HC>jESpdiQk- z!trQMVZHgXxVMg=&F{sqL&wqL-Vi=pj5|XhAPGO)mKiQ_7j2x6J6SEyDTSQht5U;S zo3K62WMR37M&CN&n=&{ARC@~D;K{D$9b$@PECdrQNHD%2VtDxut6itE*d}-w z6H{vVR=MuTT%MFVIwxmbeu)Vj;irwun^M%pPqyf(PAZ6e+w@^)Pd9C3*P@Xt8m75c zTZ?_X-(y}#t zRF15A%%J6*05@wzZ8=e?qt*kT3zwRXlrWA9;%5OC1?GhsyM9R~tUHh&Q*pvfx|~zr zKBHO-L<&68ZB*;n*6DQNzAy!al$`zpfW!uzEoGrlD!$2dN{(|I(dU-}ScaX#y`)Bu z(I+yu`84yEX;=g}vliZTZgcG8ZrqHeuy{atO{vfjvsM39uu 
zT|X4!NxN6c{({CjrMa;Ow3d!!!{jI6n3;IiCQ$oOENRsfBq#iMu*|KX;w_)8lLg~(6T;#O`CBAIp9(6lcw3;%@? zGhaFwB%|^r3`S`7^RO&qyrsP;&`EI+LE#+#SF3vyr#cR(+30k;o&ir zy?V+ZqbeD@eV0Yfx7rG=w^gRSHlay8aiK7_0bKVA0_L;6u7v&$ycu2YTPxU-{eWu@ zxamBl-mC0{))n`hey2M*V}@oDad-PUaoMi|ZQFi5{xUni;wSU$&WLiMXQq4dC5_BiaoSoZi}X=e^}+~}kz z41mN05LlR~PkRkdCkYsx-BRmzx$p%;*dnEg7(ej^;atg(-q>=S+>I&q)7o2Z9h7E} z3_EOVk_XGJ@z^Y*v0N6gHyJWkY)z0mNY;I6@WFfATWuW%zBuea@Wlsn@R|AFT9yE{ zpupA4KM`OG0l}faB(_v^Ht8-=CuMOktz@re2OKX^Z(1AiFM>VC?wEoSc8AHLuUNSRENT*mQlU#jQ6p@bRd7`|s^w3=Wphae8$)BOQU+b(z(i-1X6@mYE$bS^>(L=N`CW5aGE8eu=Y=B4;avqp%F*3C2I5o7mG zu@EYH7l*Y{4Yf9#my1B%O2nk(8_5;}kWMUXh~Zzh9)*;f)8i%aE?p_S2<53FLab}8 zPAg`wSg%_PD5yPA<3w-cv6aQF<0GP1I@c*Fv=!C+woJAYxpZ<=Ls(02W+^olw8&R& zR79|opq4z7IU}fO71-L=j?@Q-JNryzKRPr^r$-+DobKEUN_KY5(8y2$Obi$im>u%} zJ}cTqezLhs{T|cX9dz!R{Oiju6p=wXAcycdMG8lCOvv%gkXz!1 zn(Nrr#FyAAWkej-)DeV2{t9k8DJW4YaSf*A@)JMyF$%f*a(pb3Wge?-0Wu1vcRAf8 zsaezwurk_ivkeLZ5EYyRK~n)FebgRVi_ziA4qOtS^C=g_4&{ROwz1)@4asbz;{Wsr zoYU-50x;=y+8gZ`yK>UL10=Y&JKZiF#?>Ual*3MFw4{WFTIY?r=XNxatH&y~(>mGs zs5U!Y6G78G-*9SdPrD?Pez*mW>-;m4C`12v|NfTm$r|}FIAda%?4^wIMYg{jSn;Uk zM5_$%v}M=1*LK)q$Y@PIj9sB?7AxO55%*M1(7spG=jCaioTNY{- z|HEj&l(OBgsF#_jb>J|eMC07eY4ais$tnT^^@clbVNSVd?M^BK2yYY=)2LDmI1R+ zXa9A6?~F>T>!M|VO)X@Vl!-pBWx$r2{FCT4oi3Hrl=w37=PhQPnK}lGUGJ^BdI2PU zO8?&IJ>2o$koD7+*c8?~?R;Tg$fAKzPA)%Dw} z$IYKV-al^MDGjb`R;lR?p?@_>%vc0AuDd%U%tEfxmRa3AynniXA`kE8Zk%J#Z` zyXl%rG{^8>8jgB{$CNf_lT{}&81ipN27vRHTs+=>^@i>Wx4i(9*aCPzT6NT~(IdK% z(@x>e`Rut_waiWu2MjRE#3~8Yy;TGPwGx1e+LPm=i3Md`l2oz#clV@FzW#;I@#q&< zH#b*o>D|NQyX*Hio2#3**Z1$9K4Wiwcl~Zt-$&}F2oVoepV3kxe3|maGAH@vSHI

w`1$k0htIHe`H`-!Z~p83!;fz_w}15LOeY(A2lqeUUv2*S z;qAlyvtiiP&Gm=tH}`MvpYJzMS9c$tudX+L<&NjiMw5x3%+>YN)5muogc47mjc`=B zvD%kMXoY@HDJuP%T7aaN(Aoq9BXjY?!+Xx%)$Qi){ykH%7yaT2#1JO_g_%9vUEMz1 zeAMYoA-Hpp2?5A%x_8&_?%)3H>doed>%ZJTe0*eq=yUDAU9lAt*Omq-mrq`?HxpXc z`)6++u5LcuXeL*ar_JMEHVnOToQG%cudn_(AFtid_s`Eao5$z-yZf8#=grk$uHW9@ z+BSseU>bhZch6VvHpQqQas2h^-CcYiu@nB6xPw4$q^V1Vbt)sLIEZyl_;C(L6J zX4$c^Ff~my!yOITMId^m$3BrCd;Q_V(~mbFKAivY{`rTGZ_e)@E^fa4_Tq~VAHM&O zEB?B=e*5;}$Ib2MKl1zMZz00xA8zlqB+dqznt&qA{;HKXUC~#5G@%9NdJDM=J#W&? z((!6KJ4t3~g$bY~j?E=)G#o^8m-AyK%BZ!XY`zdnR@>T!Xe--o6cq(hmg7SITvC%3 z)u^dD`9gTushX~F6cqVI>Um2)We{f1y)E6xWu@Q=Yu)bbhNg#VY?Kmbk8?IiyKeev zxT7^K#=TFW6AIaMo)39+oSWOMqZ$=;3QJ~GagL^W;(C`>mK!B`TUV$c+MV@CkYSQZ zn$gxP=m1i&(11_o95bwHQC+5KX?ENzYYTQ!+lE*;MZW}2|ZN^S{{3$7iwMK0& zGY3)oHnUkiI9|YX+ok9HUnf=SDN)iMa@AVPEBL~@a6&c!mm(p*<}rgaYAb{~0JOD) z_wiElKxEi{yptWLFe7(1I7Q9a70Pr%fvk!sl|(g7_hI(iOl+14Cm==CXMS=72 zTy?6cnx=c>_dNTWXWq>3uno`W@}$%q&M`^q%JF(-DlL@I&HTJ6uc^ayMiW|@oxoI1 zn;FZ}v!K((ufaIwBT+EJS*%A#H2Y3G`6yynjOZ{l}u!zyZde~l6sk4M0t4xq7tcjI4Z=0Y1 zB6>C<7$+fY{DJ{c(BZlvUq`xx-pK38iypqvufbV8grSrzPDLXbqPsU+UvwB~GfK3NkeQNUSY^Nvstg7dDyN;v2A z)~IL}B_UdCltIj{!Oq+-g7%{El+kS$&EP2wS9Y@L+I69KMfxVDUbA4{s;CGj`{^$B zBg}FS_(O;sZc`FD6tW%`#GE{s!?%m@_oq{B7b173{ z4nkKv-oA?WKy-}{=J2)X4?9beG*Dq#j4P=A;s{HzbjVFpPTdP(38Pz0*R}rcF*d$p z5XSBrEC*>sS>%LU@}Q)b_2*i$yQqMN#2Y7ND-J}oFv}u_{z3uUY$pIQM109jER_Z^ z$|OohMMI=iP+#;$_l`Z({n*iUM*Zldk#Z^zw8{sO2*(F=NYMr(Vx+H8oC|9lOc-_<^4gI1n`%S5aL+9@16}0YdKIeA?AGF_4)V@&J z5sh9#DTh)|p>2We`z6oRQN87yVzp6%wG+vMrV*6pb~&P-oYqxb#A`_=VSvk=nHwj~ zm~=8(ya^IQmkj91cxRFO+=eooaPPz;#b3?nR-e^+m{LEoHD4Vz9r4ZDnqo_|D*kBRMJZ~rzbkv!yBq~z51dOHO4;0qGn&4C?IFM+2nx7(0mXfP9 z4QC7z(9Do!ATp}H6h_`KJ2o>V18g@0kY7v%=2sb$0czNu69BbV*=bf7qwF$mnAzub z>V+(|CB~pjx)>{h3o+k@M!>bqz}BI!oq~K5d)tx1^a-i>^qlR;gV`s46C2@lw#I1e z%F8&xD0#&o!D!cDIXjnNw2z7(_QL3kQ^yVU?SN)1q)i+GIgK_oj*`pbtf?LW^rEA6 z_#=pF2hG&s)QIK`kMgnXQRU-|On~)-AcP$LQ(AGvUZ{~IMw3db2(@dl68<7_rq3W) z0zJ2qjKpkJ{vkB6i0qc#kgXe72C~FwgG5NA<$A(@;9xbM;g`lthZ8q}aZaji0c#>o 
zd@{x$T;DZV3F~e6gpgF2p49afn3>Qb5@~{r4B>Aw2H;7)5mN4kr>h|x9N&@L@@{?` z+i%Wu(b$Co{&m2w$hEzLEM7Am2adi+ncb)$Ox8H|qk(IubW|${$%8qRFX7%oWowlS zu%fHA2B-LADvq>s7ehwtqr%-$OxcFQr{G7Eg#x|2Y~89(_~MYcWJ=BN4JHx}G7dVh zsKTu`FJgyhSWjd{nc@hfbEh65-xZf&>ipxDHNS7{K5FN4&xYr2=Ga}J!l!luf)VRV z%TG(6S^RvvzCn<5r~A)jqc(4o+=a!VGO1(+qI2*#NUn01q!JvEkS^DJ%lV)nns(@r z8UeKA8KB$}f!CMMUWS)+2KusJR%T9ml7Y#BtPOGLfpX`@1>o1pB9FAMN- z3)wPp02%U)Ql*s7z|y#vJJBr6;q3%!=|3`JnE>4w-RK+d4R6silxaQ7qZeZR)hZiZ@!(_LUFc3#ZHIiCKaCRSJ$BABRnrCSUC7Ia}gjrgbLSm1c zBAb&#n(8rk5l*@H9b0yibw(mRbiywps19aspDg^0dsNcXxx)LSawfqtMje_4R81n) z!8-xEinBG+g6E2JY=P({r_3z4TB1mlzA-^Z4MgH96RvA9Tfpb{4g^M&(=!sc14t8o zBp~pl5YP#GiIE6-%9pM-qF*hvtzk2Sh~}E-nsdvWOP;y&jA+TLKb_?Q_ICTu0og~# z=~EQTTI`A;XwN;O>q?BO{aNN7QFeex;bZkFlKg71)qxzN%rbgw?orvAh?|InR){jz zQ3uu62H&ljL&USS-n%4!gK+JvAI(BR*Lp!QE=YV%es+GZBB)#Lozi5Ac>eret+M6b z2`vtgweowjM2F4$KR*93QjF2@0+&^}+LYatPtq(qIBIfr3Q{iNOI%-F#zzzzqjioU>26U!W4T7>PC(pi8|hMIFWPvduZU!h{A90RH|r@}s_ zZQRf6^|DsFoM}6GMJ|o(Fs<$ythwFZw7td>Q%0>d{QtYR87kq$U8yc@ah`0QsCCj{ zguizogfqM5V!0@!iQ~g*V>Iq9RwVN6W86y~%wa0yo`het_0(0@BE+789O9{n{;p_> zy9}}Zlo@u)U`yIZE&J{gBzF=T&IBg8!a=;KI*NtKLF@pg%GD;bm+2^(RlsVC0bodh z>{OW}Ks?#_6ui@AG4b6vvE%sRs@VvfDaYcoO+j`Be^byjibxjsix@2oU&Y&;@yG6T z#vSAb?l4a6{jQ-Kg%T?j&H@67Zz&e`V(0G^* zrcCreu4vzxTR15f*zQk{xrW+%(J1H*!iYBl$;yFtkkS{!6DST>>wH6&*s>{o7Vb>M z_P(eMK!J`)0V8mu|8~2{V<)8|KW-KMm(C6cX>Sh)z|1+E0?Y8`G>l+Wq&SWC0a&>X zc#xe`j}xtKI~u)rL2^whh1C4P>3blrRgJa%mu88mdjiPf`&bibRiH01F0K3k(6$!j z+Zzz(FkERtN05KDvnx6 zEnYVHWJ#Ko5B3E-sc{FWculrao7p~8A8WD+P)Ol=UX}#iP!T~eXaXoET73)0@@N;B zji=tSVgwJADWB3wKucshSvmB#*_VX28Z(nQy*_tBlH5m2ouypo3{#a9f{op%kE>v{Wzg&78djo_4V zFvCO$Y9xS8z7)wc>iA z9(DJUk|DgE0@N)sjvYzyxys}<;A;Le{^bgCAOA|0tK$av&LIXPbd(#=A1Z)?A~P^>yY1D zQJR`=_xZgc*1@W&h2o2`xTne%K3eI;thVRq7taqjSrNgy9B9`Q6v`$Zgi?U@on3`P zM+9UPw^IG_+7)8Fx_d`m#bu}sSPz!pVZ{e2jaCf9hWlcO)L?835r4g+;N%sR`>q~7 zY(f>$tIhkr+&@0NxAKW2gK@T+mZzT|HoV91GhO$G$A>p>H}8^4jh~Gy?!}F_rE=(K zRYT_Pk>@|Ce&G8Xm7N4YZ~sQ=Q_3pVB?Oyy z#Wk-!exQirCf*WiC_Z0(eE(zWwU+U;X}- 
zR+Rqo+gG3e_E+H-dT-cT?3r(0eg4I-e(#^b_HVxkQAbqq=Sx}?aajlMXE%q!|9VG|NH`L-AXvt$jG?bFOttZtkUesSWTGF?!j)IBW+2xc8 zdsCUS40#(8Twa>>5qtX*RDd-U*(Qs6qHA)i%PR3rNNtvMtVkmnUM;+|#j@23VzWcE zfEanjtH~(mwQZd@I15;2bMWu-(z&VFvQ?P3q>RT3_PeIUeo84E=yVwry#c@2)@1o| z=D0-{nxZ}F%ZSxNowrILA_BBF=d?o`1pGRecoz~MCu&6^LA!ZyAIlpD-9@S-!w$0u zB@Y%Bp*hJVJ!Q>4=Nr*tJYLU7*$eTi)|IhPX{B1qa4d1ZE-Pkgfve(`o7$#ElY$iq zV_T-Gw$=3`7Qg>~_gPd$pvPi98L#tYr3xk#0=EiFGU~v>%x&WgV5a$OMN!k0aPG+J z$iJd}5!H8C!OJ8rJ4|>POmjlf><@|~p+0{9;~AYJ>c?RRqJDhP`(}`S%f?X1;#MM+m%~Y?fWrqK)_GwAbl)SP z07Z0KvzQJG!Q^y=VF#i>eDH;+U;09mZ#>RH{TfKerhR%8ZwAe#OC1z1T}p<$T?Efa zPm_%K5HF4#DU;BDnS(3@4P;fSq)%ded1R&dX=_f{fyf$%9f+*)!5mp(F>j8`B@f#{ z@K&;#Qu!=kU9#58vm1I2w9& zJ_5Aj=T@cbdLCb)Esidp9bw?4#C!0#`*5@=)|$bt(|4O@RDeUy(OK! ztuesiOdTHuHYDLc?4V>wX{YW$f+1j>tn&o%yD>a&NxtxEmN^cQUDG+%a!>>c))b_8 z{in*U;ctDa>_~K46TT9BSpyGFe6WCEx=QAM3U{#z*tR;3VAypAV}Mx-Ny%Hl-0D)> z873xP*w{rhb&-T`2xhzTn9C4Kdtloh3pSRXn5$M7I zS-+3k*MHu}uuG@}c99;Xl`#eP*y8>J)Tl>46Ep;Moz$-#7rwKSW4 zDjlkevkZ!0x4d);Ot&Z+&WmvxyH=NoFzqG{Zp=#?;w0U-oT_LaZ+9so?ySo2pjwum z0*Y#$0A#gsc1kKGL5@vMCg*-;%b00e0LsXBY3I;15e6U=ZNYc}z*uv7Te^1cI!i!6 z2WzRXGRl^b8gx|6SoJhADPAo$0lKY(zr4(^=u~Hx;1{3&4~kf!2!2sY=@Cu5OrHiV zl=fSf(@zmqcAHahlqo%RFu%HOkMziqBbOND&o^YewFK-5h~$(|PflersoECOoJ^Cj z9Me!ZnNuucGM&?HEtylcGeULG>1N_}rf`&}S(Y}@7gv!ugsGW1SXOW7jXPB8Y2ZiG zbx{Ov85=`l!-UV$6@+SGVCxhEqO2((|ie)oz0YM za$r`@_N>KV5YfGE*Q5uPxr;OMD7m8~AiW9Tkv52`CkTB<-=H|`zzvEI<{O0hpf~RJ z;SIsmPi#*FK*kxQ%yP^U`@oAGAF6hO9dyRS1{<00q;^AGR0TB*_zR)9IyT90V7}W`QJ)sS5VC4AH55w!Y2XWZG zM91$ze6ZXDpy_!nt;@|ekz9#9S-9m)<2UeP!?c=HpeMKDW?i|SJ2SVS&lcV#P=^*l z1(!FjBYq=k!rYYPmyMF*>`6DlowVa~ldvEjy7LvE;X)q-_q#n=V^fJTz_E5a8Ftui zClBVkeQCa0nYv_h1V6MGWVyhij|RUu>_GU%2TS;6=}(|w zQvDW)7KmyG2}RZiXUq5(VgAxECIzlK8mFx((j*Q$5XSMr9LB~+rA5HC%yuWs>vqN4 z(+TMrQgx9|rB|q5#*0$|`YR^w4v&V(aoB-Sjt}NgRym^_$V#npS*S|Z#z5-6LlIyQ z2Fkwb<#A{Nl{T5j(P=^)b|56x)KdI))>bq3)K$_7^iw&*yp#Q2{a*2E^S zkI%m1sKX!~pX&qY+-H{?vJ9cw78mUk9Na|yptJf)WnNl#o2BZ(*1OT!M7=qzeH0xL 
z4iH<(xH9~`EX$;ES8bL)o_rZc9kylhxnj%aZ@R3HWR{t^M}~vG#+~_XZy@)P-pH1v zdGV6?pA?oc6b{p4@An;$lyaQXm#f}WZBI#A{_ImymPbuVkxAHPp?E7zNKY}H-{R1% zDCT5TS-ASpqL`KsVaX~6`8rvJf&(<_D`M5_WR?70ST+%C#l4zM%eZq|Q#NAY>tvOD zT*5ya2{SmxTE|7&I;X5>7F)kkXusxQ2`H{8=6XF}951w9WuobU5)3`Qym49-(@grc z^}HiXb7o1;V%YdlqUHE#ez{_rlR3pnU@_~_minC})D~)lc$5)Kml-e4daI)mE_&lAJRQo$un2t{y0VaR>JJ)E!1e2LzXBS2-Hc@XMGFB#Zp- zD$A+J|8!QgK1f5`3agj|FjkL6%vJ~2*BWXl+OKeZnMGx}=05(Fg>AFAR)%B}NL2>~ z`n_S?!d(~z>NE<35rfx+_gK8p31A4~sbXbuJ{Ib)Rg2V-(V=p+pq!8@1+BLk_!4gl zieTwAu%b)AP*wTvGdczsVmS>Mpk|>&_=pImw;-a74EyA<>XvuZH`$=z^EG(!yr@MM3h0l={DWHwIl6lq_>#*1l~RwuZSbbrk^^2 zEsiAkZ9BLubgtN3DeHj!_Jd~2e-4GlIg>l5p6le50<6tMLIaVM3 z1%?$={$QSnhd(wvwb(J%=e^vJHA}04=ZFU%F{Xh?%-M{j$sFO-iab!K6yZ8cRwTku zbqZmqnC66}o%P(1E1hbJT#8W=ZV{#e^tA7d+&pn3-N_10uXqk1zaRzjG06MlEgn- zbi!x54z4ZN7l%j$7Y<@0qDUJdaj6$IgG>|h=btcn;S@bk>cfikdOnS|#CTXCzLM_b z|N5!w=iW+$vf6AW0Fmhcb^#iqT9G`Nxlu?&8?by(w%ATS6~RLa3H6v9EfcArU4W}! zYTa^L@{^sJ9b8HU7(j@CEGe!tQ@Q3?2QyjK>6wk|VrM=SmRKBLz&a1D@cF?;DVp_V zfHsIO`oUjbV&h7kr^Qv4mM*pSU+S=lgGuys;^+?0v{NyAv%^4mgnOUkXw1ruu4Arl zF-}}&B~fBIA_1C@*Ripv2P(m&G#71hI<$raNRiUG^DO=2r#)IWj{q*Ib4j2$02i%l zrF$m;EHb=G;m7ux3Cs77xwAmpDxMT%EW@JUcY)w52&W>V;jW=WwWU8C$kVDAT$qD-U z5_fVjILU0bszbgU&6+NWD-ObMjt|cG;*dAlIZp`;=5l2?eRE2fD#T{jzMLmTt=OUFAD1Epeu%ATdxHH_U+1+z79acG=^yqRb|; z{*pwAbJoQgE=@a=MHPa<@uZt0G*h`@A|O!D6R-!Y!sHJY*1Du_%)k%67L2MJF<2H+{B7Np@j0lQ;3IFS8Xz3F05DpIQwJE zFxP{jP%If}X+CWfa|D!0kjSDj{Jbeu9=z5s{0U}0Hn3p zqFDV|8=JZ`K`X?LAUq*MoF=idnlG^)`JFT~kuO^-72R1=+n9}~50)`V1n)_#y{NnG zMcZe7Zo%3+Jcc-K>cNUA@m@{ZJy|1vWKd1B2K$6Ozl627n7Ube3C5p|vgzmIQ=l~Z zZ07vv*hL#1hfk5gaLwG7TTt0u(S43=7|+t7hE|(tEAHXZm`QywCsh1zEe{nKNLyM= z8&ecxNeQ>fmog_neE^TCdAsC3(F zj0YbDc*1yIcDjuTuWFg1ppo` zGp92c7%1reZWWzd?p1HSRXK+`wlg2M z!tFvi>wLa-Y-e#VF{5R{a7>~R)qdk*FelY&Jw09!CQjAWlJ{n|z$~&cmG^=T*%J0r zQ(h8xkf!e+O|~nhskj3=rVuxqO*N&`3TmmUHsXj*iY#V)E0qU=!A2zzyzvnZRv4Q2 zO;(AWvY#K{BHx^4!}y(KC>bHeS=CaU=sMFMZci!eZE1&&mETEr%#Od%N}K~!E+TzD zs=b1?A%uz)R{pHrd5UTSREz1!Rf}TkQMJgXU!q@#5pC15Q!N-|IJS;02TvV9V$wmU 
zuzph1n?hLIjAQ8Fk_Hpgv+(UeE&G^ya4q*N$P0!ZL~oifSdC%Lf@QV2W~J@7$W?Mj zEVr0=b84^{XHS?#Zq4{f$Iasjatj|_x)Y;&*XcdtlHu94DBmD5{g!FQJXfXQ z1tyFO7a%4`m)af&PdFa&W59F*0Go^kZ=nq?08}Wk&rdS|fdn@jUM}s5s zz{}DFH-`JlHsNEGqOY{(*x1;>udM74IB8n{Pf%EBPVj9Vz?lJPzY3dJV8~SRvYJ!i zlUGQgj1t$*3Y*&p%Y&~jX`6+mj~tu%lnQ&(ao3iafRk>nH-_1!$<5QY(Y3+Mhyn(u z0zv%mwN@J!xxHfMPVJU0Ng+Cg)>oXa)hK~#QP5nrTb!qo-yE%rWhQ-syIFJ9{}-$k zUJjmiQs|Rx4_`8Kn6-fRkKw^${$~GT&YBt9;e(VoNzRDSLcxz*FK)74Arn-iY>L_0 z7!X%|9HZQv$br__(!)$W$*===uX8>@r0jQ$go(0IgNqo~pq&mwJztL0Q{pGGm^xc? zH=-#|VAgl`zZQ%DZ!}&A)wc1>hiic$`Donh=(SqP4GEb)($-GEwjjP`Shf!ZhM=r5 zQWg|AzG4ss-ZfZGfqnREe~#LN4CRHtEhSbQu|ncr^M0!T9wt(U}hE=LK}3)ezeIz5{=Oi@#w z51tsudP$j!x*e|*Tj3vgn(Lz*&;Aavb=P3U3OaStY}@884NVCII`dFBRB-g!`IJV! zR%J_@3q@3>sIZI$7Bs-P4X}J2Mf4@62dEU_q7uv*_iFjQUtJ``%zSWDiA`i z=c8E|o z!Wf%#B0RFnpt8Pa~{hy=r&8+_f7UphKcz@ zXmrL2WFa<*h;N+bNQK(sq+Ns!nv##g<_X!az4aOi$we%CPH*y-QW%4Vzv3{U@7eo8 zL~x?fGt9PFR2>HCtkT%&u``_Z@7#56s3v7?gsQ@w7>wB|kS}qlAo0jgzg$>V4juP~ z_G~69%R*q~vSn}&unxIhP8L;cdNgoh-5|UnSU)Xl%6^xWh&CD|DKlwl7o7pDRYx~y zp_A>-CMY+s_X6Rez|HGZ$48+hEM=LGsw6L+ocQdp!^ zZUdJ81oeb`-gKeqa;FyFsBhzqN7|5>%^&D$EsENbE$H5Z#G|l7amG)7%j}FkDna}r z3%F(*W2>j5fe=k?y(W?}ix^b4QC*ol#Y_TybR?ymD&0?;Z|KxFZ^Y0qAq5?V53Rfn zp?oC}b7n-Rt>%#+@33^olw_!%AnQ6sZ?o#W!be+M@EoREPE%k3IhZ>DlURgkd8pGY zDvKilQ?^dOEJ{XeL7o&0r+8n4*tp$(9=4ei%RsdCV2|NEIWjCTLl3} z-$W(tFGr>9U(rusZq&4n?UY9E4|Wu#%Slf@H0ID zmJr%){nB#UR-tjXu?JU}1ePVU3CxzIb~#-IP?=OfnH2PZ*s1`e*Q_p)4?N~qmL5>b zZGo7x2P*VEywy{s1?4(}3sW4f&eoGms{$>y%DVy!0tZ9ISkjn#EMQv6gq zgSHtS@xb8nqR(Q%{)y453twdO34X$kc?EuJ{H#43l0#OExG!XFPeehk<40@?8eCu~Mb{FOP^r^Iw!-6Dk?2P2R0^UhMy6fa9|U3g0* z@UZBVp6y1GiZ0>MNb+@J%FbAp;fLga?5E=tn4e6eV|kZfs3ZF+ln_^0@SkV)ldlN> z-R9}xh@oL_wfAi{pRuh z?(;7n-roND`TFhs&Dq8GAKyIx?ZXDJJ$~Hic?Y4dH%~W@_aB}g9!JxOO_=NVk5A8E z{cz2t>g?h-*Zxa2pPya)$NlZ|4^RByR)6v8;osli-#pxIxTKXEKmsU2+E-GZelne` z*2heZnk*-i!p@Q98|5_5$$4JgkrH?#whKLRez&a@Pca06QClpK)4LPJr_BaZP+2qZ zwKFSILA^mx(pXL9GI7Kz8zB9`l4L89&?3ogCILr6h$5PXQ@x!^IlhhQjC{LH>dLZ~ 
zazM*DRiRBHBuXgsZc;d@uix0-vsCwTPrA6>Y(jFK6FtRsi{~XCOYSospK0VRo3*z0 zdu@MPaOFurjNN0#Y6}pjwd8XU3yW((vfzm<*hh-yLWzN))FOz)hvx^LYB-eoq0_M> z%<2pY@2VBmy4uA-#o>hemI5kP6;4^06C2E_a{z97%uj&57-6Aag`&<3W8zZ|T4GJ& z^i6YM`Vv1R2dYk&bHk+FASAsv4{B}Nw5MVfWJfyqSIW2~MxK^3CvX}r^Zt&4gsua8 z1g4DRmwXCF zZ9krjV#J^eKLv8e5w1)459(Ds8S;Rt5IUN*DSHB%%!t|~M|FdLzx4#zs2Cnk17@(V z_Io*l!g4~vz;@F3%YZXlnH)vGc(1cC?OsexBRasC(OzW87*<%eeaeKzXkA+X zhk!evuQ(3j0tSekwUZ_t(+6k-HxV0Z;kIT3A(m5Ua02kwIxy{HVm;oJJjmkgLbx20 z4oKk?DB~d@N>P+XsAfUKfg;qzusFX?TP%$1$23UA1)I%*I7tb#DOGwuEgDHkO=CsD?GAnN|*OoO3EZ>XQ+ozhy^6^RB^i zc;ioTtj!E5CZ+={D4LZdkmw}5mM|1*ik6t~X=`nu={i%j3D!}KR@xEhv~5Rj3a< zq!7bsVZZWfw6KDay0MZ|aI$CuKD`Uk zm~5yO?Pv~n*KlUP&OC;Y~`hJ&EKYp@2?!A(};>9Vl2)~niK zo8QU(4u69SwgW;uC1?jJxeuf7+Chzzou1(khq6qGqsS>c8f7SdI0)jq2FoFCWhp&l z%xJb0T9cf$0iJLKpaS9~-azcmSg4_OV6j0e)V*67A*0v4C7pqklx->z&xs+on9$RM zu?L-3cAwSObuAY>{*%Sx>sJigja`G~yWxtSi#kZx6J`}u9C{$@T&iN%QcWlQHR{V) z8J61EhX1A)YLjcVD$;zABY#powJ*GY>$Ik6YmD&uvvM~f@tKIMh<5FQ-Hs53BbgUVvD-8(b62l1K>8C!9p%%mEz&~FsX!qR>>-2RKS`}u|VPl7;FD_#fx|WJiV`lL)G{Dq3`_#AB2ao#4WQB-G+aU!iL!w$_e; z>0%k`KIDu>c1_WxA(Q;; zj(JN1W_tp%mLAfgIXj510;&kydG@l?G`{;|v-6z7En?p>3F6_2sOj^zBden=jEcw8ZB2@2a14P&yx1phntlY@0AsIGkg)%gGyHaM?*;7pl!&_A;k%XQ%{_S0uDT&wURvU1VIg(+O~( zn0734noT{k4S9ozPFG7OC2=%wwnKN}gmI1l|F#@~I_P+tENoj?hX&Ss@%YTTg197Q z2cn;v!*FmBG)ISW?NZPIW==vk0_)*W7e@0>iA%b>kQY=A?SS%VJMlRZ2gdaRIGv^q!I^=Yk`^~$5xp^G=fzESg28p zh~a+^3aK~dI?+X2S8t&dI9ViZ!;Xm0*))a4l>b7|pQKaGx6#WVPJI!<{DevS2_&|fY^!`& zV0}4+cC(Y7Z0?hw><1)}^>3dwo#Sp?jj+>_o9e^~!4!@2?(A|(l1(jf?h<6$Q^?lp z36*CXeM_Fz*~Pclj~nu;l-Wafs^4yI@2|gn`0MDka)0JH^QzT|^js|TWMF;u`0%0g z$1mS*Hn*L>zIwcW*ZJcYkI$XIeML?b6MP!2{S=RrLS|xy>yzaR2fE}irzVBuvRzqY z6SBtYB&j@WY@Wc|cafr4$`PAL)#s2Vp~2K(a_UJErz zIvP7JmV;{wyW14^dA6K%7gXs)Rx+h`P{>FI887*}{CXA=7sH({Z%hrqC$misbCEe4`vXQxN&)pw1=)E9n9yW`yNk*%>rpnTY0p1 zbgDU&Kvq0+vfk7z$LI&?D4zC2Q@Yc^3Y(71`A{p&^;k9YT&@r+P`AhyU9xxS-YGN+ zFP`xWGpP|56#Sn@JKZ!VrRX^pLl<7_JV^)=F*Pj(2Sx)?T=A(;$tw#iG+&X2msxcc 
zffCB?xz(oS{SxO|lVsGnC$g-w@>up7X;2j0g)&$gCQr*3C8A?|!)7T@GCVb%6MG@k zj)%9=f3r2m1AjEYMoL8g!#WKv2WAN(vu_$fcT6o^v^jt4FfySa3{deAwfCn5$;@Ze z#?%rP=mU>nnAuhuv(z?+&M$`CwFA*RDP%D=wxoZ35YbW1lvrrM&q9WvR8M>ET=3I( z8?D0$OH9>$Qh2<>Ot{n7luUwX-O`jDdh0I|%N;(}q<|tL*KFtbSUAT#;xp6A%JjW` z=yjLJyuvtm7`+8XzOut?&f>VVgVmz?U_qGAmlzUAwsVSRMQI|;6P~+>gi07kSejLm zKW1gptBZGPn9C9}yKAz4CJhjenE&tT=KUG5Ts%a23Os1(jU{+<3CBiNMu zR|a5FQ$6UfIFe7GnjbHGxA)zgxvzdYZ|kr1bi-(2J?Z*y&VD$%1DDCCnPM&}KEMC! zcl@@TkAD0o)Jmv*fA(*{W@pwYy_ALYJ~c*6dxZQNOPS^D#z`_>!U&Rv>8QG9kyox5 z0r5+1$3=HFt;-yK#e&e_m5y~3pC$cOaa?5sPSHSBy$IHxEw)rK6`nU)2|DS*9ZbsN zZ>jxaRVSg9bTtKpvlV9dU=~V2cxezo`hmdNI<)p$Cfh|UcJ60Q+0IS4`*xjPhUE)}CUTW2V_gfTN6v9v>ieya`n2(;3BK0^U0c1#Y$Dy=(PlJPPCy zY9*Y(gmVdsb*&Em4&r_gbdyCOZ+UT{zOMoM&SN4`zT0CS)d&f^{I9yLL3Vt3U`num zJC4uH8fCJyYc?byuq~U#w+TrkDO*B4=^p1{zG543;?Cxj`vRA$$zmif%28?iNgP8p z;|YE)d!V&8$fcAR8=;Hr=nkCN;;q-Dr-nWH1gevb9`FfmG;ozIqwQTN28 zxkxZc%$28u({zSFKqf=?bR@|M3JGbxr9BwZJ=d6|MT8$BAq9x(vkPj1|Mg}m9bVyuxU}II(Ej|wcnn|O~K%>B_Gve(+qA3KhNN% z$XM`1CQ=uA#*P*>1|s|HfqgZaw{9RVl(qG@PAv%4oPw$$h9+g9XlM=AB=v!*25W#L z)v8TVFMz+%QjD-#8IW!gTa#xeZv^|hkpr_^EM=2Vb+||nYKw!LfoB=a4HmjY4d(fJ zP7#2|r_B|9hE`pzX?-b}5kL|W%F-f9Nw7M_xxxHggb5i!vbD}-HYHuQO$Ol_v_@(# z)02RQb)h%?72$WRezKBdW`+RJzvpZ7Nf+V2#?MVyh}6agUINEB-C>iJlYYGzj=JPrjA&f&Rz1Sjyp7bFWYJSnLv;sQVwHBMyN1-Ru_E(3H>l950a!(k3&By=<2Y zY#hd`f#=3n|2n8>^ne}AhT~%8`w7ZpkHuCg^y_KH2@n431$LHjKDv$M3gC)BM|C8U zHL#F4S~u~RBdPhcPMD7_jcsLd9MFEL&EA7A2_-6T_Lr2j%#r9@C^)GhWPmBB<;LWP zLgol|4aQQCwS-D%@lXXDRDO0t{n)8OGBQ0q9ELvcwH8id|+DcZ3fB=kw@6~SewO9eskLI^eaDHNlSULG9b9=IUv4^YL+W_4eWB`uYCh zJ>MVyvU&V$^oy&fn}-jZtB1R*+lQNv?}%>vjNr=OUB9C&{`N=d1)+5^{09wr{r2i{ z^XHHEj~fm0^w|gr)BpbX$Lsg^|F6B6yKE}=&wso6@IdYO`wh1e(&ldc@Zsv+!|lhn zo2&cx&yW0dqoF?=QR=U};c;`fAzJi?TW@*c{oTD=8aHbzG_eodbA7Y<4DWG$<>7f_ zV`|0EKWwg^pYE>iK0JRmk}b+V)p5^N#iGL4kDIsG&zsvCYODgIu^ZuW^OyT4LHURK zCu-mS?X%Iu@TC>nqpE>R6RZB;f*>>Mb@N-X>6&IBo+9ddF{=^ z`zPiCxc+wa=r>~XSyH$EH}~)V>+Iq?U^99h4Qz9238-?vGi!mJ;~8T*s$*v&IRNfV 
z?3l;X=B)?+8yXAT<`~m4ooL6h>D2b3UDF9c#>K&z$|=`?VTh0|Zyu9UH7xSwha$qu@pWUW@Z!_%wO<{`1GpA3wgmeoSE3-Gaek zTF({?o=T@J7#snOG!Nx6K|LQ>OkLE;@mes{YJb*t!OUP-j(xmti&4%TBYQ}GQDQoV zOz!k!M3-}dVVlCKb52N{QB}UeXC~nW5hr+>OeU;jT+Gq#q(t*ZnODpUS%p=|q)YWh zKyc!3$+fZ(75UaCkeL|k)M)j4{{H6NC z20LtVX7VgW3D(T*6F4y`P0#30!R5v{ zjKRT-gz5MuXNWGV^`zg9L8G#xrFn&}G_;O z_!M<%3Y?s;jE%vZ8HHKp#xm}H`}l#TQkZ|n2`ChMe*#yZCNl2@Z5$#g|U z-eehRDF*dO5eZ$xQa3@S)%lVYRV(2y7Z}}chBO)2kV5@fV_f|)razr8sB*I|r=KF~ z<@|PlNZX$#v4Q9FK$GlXCjkx4Da)RLeCrB_hIJ%W$v4TQiP05LXlVQE+S^M9F^M%~ zV?rM$<_ZZ8kyEfSO!Kjjp)Dp2dtfy`Y1jk)NeU0o!n^LWm4WluE;mG*24HOy&kMRi-2)Ns>rKh?2}jlN2dK3TdEzYwvT; z9qLYfK0NRHe1GpB+|E7c?7Q~bYuanAy%y`2c*QnYoc_mz7Vw<1GKwRxCy=N@P7tK6 za6=`a4b(k=ihw4hIg+PvoEgOj@D$LrFj7G@uqt?-15uAU15_ZAr6`dODgnTz#uleb+X68U0WJNmkFGPdjGaO*!fRV$s{vK@{&LzKM=d*nnRdKu*1<^zD$9nzJ~N{ZnlUIsgGSCIC>1IR z%B=O%;E#p;f>uwXlq;OU)9Ps`QKSfkLR&q}%p_|4G*n2`&}jWMl}dzj@EFc3Jy$^< zqShZQw#PL@&XFI(?u7Wi5IJ#>fH+D*{EZBe*2mdeUsI<#34;Sl@o~@LG1I1;Jowb^ z|9psC1I~6Zoj~k_@NYxpYy-DXld`?oN|XK%g~%bO#WOEPxE%?{X@S3CGpcK;@ydAl zZwZm}%qsa`6(UE;5)ks@+_G{cb+odagd>puM2Nf<=(uvdGV(!kfX^-haEKi3QgJYx zTlfK-A4HWbq5wJ(zNQ?;M3j&Uv@jdda*G6j4<4RIr)|kN6j3OOkN=;=MSm=|#PrZZ zAxc(G3_C)Y!n;k(L79kjKr{ix!2gD~9%sQ&K`u;WY~flW`b0*tz&>wNJPrcAD1%51 z?f{Y@QiYy{zziT9Qc1y!1*LN#=wk=LT2(sSg-_!2+TRG)(m_e$Q{YrFCdhXuO6j6A z!Q{DMBBPG2ObqilHQYgY8>l)4A`slkhD8ql+G_yk#ne<;?MVrRP6r*pZ0X2O5~RJv zE7nBu0tx`)JObbt9?@Eae%Sr7M{AiuNLV;@k1bXOS19)h)%UbTp-fDFD4a+vESLNY zcp5D@iYEg!00+t001xN(4$lSO1)gLf_K)!yppOPw1DrAx2$a?4krTndY@DaB|>LL;~~lti2)gSakiwQVsgvz1muA_&HUtvP!V3koJ`>d6*2i zm390(=mj8KRlHGyl5RjE+#Dut%N(MUb$~TuzBq1Oqa1$?zbTCd}WiVENRDooO zoLC?rq%_EP$iyF%Yy(VSO*&+OoQe8?m>_YCoe=);E_x1?P(Wpo(NRSjCyBRKAWZN3 zAEQvFCO~D+P|U5(K~ZfoLJeey#VVQe0-VKGAs9%7vx4N`&1F`TvI3(hDmbPmN2kx^Xgl8WL|*KAQ->MH_|tTCx;;zy|{E(H}8 z#bpDVisCXShNHODl@L)}>QQDCm-^!W=V)tR6c^g^DuOyDq|E=Lu|8%L7sR`wDoQUx z@=A!wQuP&h*r!~o*MVk1_8~H}uo;B57NAqG(F3}xZ4~$K)mKo(RilNU?0;i?9x6y6 zqlnX-Q&oX_tK0*R+!wM{6jz0_9T>S`LB<-JCC$0a?B*K#lEYSqO$)v 
zTQj$HTHpu!qh~z``<4dPu9-P4t-P&V0_sGRnwxKnzsmU=psQ#>ypWp!|G(4@R%!dKtpDH9ZirV?Zt&J|>eknsachuITHLL6P;=N)`QH+@R#8;pDoFpCkboFC zc+;6KX|fgs^EZ&ZU^y2dcZ6SQX8~hziV#R@MXHqao5Ekn@5$3!OsHkBdDz;Qp~GRw z&IYbUmN~X*1lry0J}!62*+r2mq}Okr9TVXK76qzF5S_EvbT4 zdjrl$s}crz`{Xn0Jx<(e19)gl0oxNK(%=f5)D(&+dd8NF8rsdF$>8`1vRi~bQ~fXU z)&5k8I5>$cWGN6{*=kgQB32op|FZt7Dj>6OJ)*Y_fu#ZVRF+Lx_HgAS`G zD-D;8bxlrSmR{3XCm8I5CtHH?v z_+iecaji2lw~b?LHDqSDt{4Yx2U*3#$O=yCz+@a1oOoCGf%;-=>}?o}^mV0eJU~Ej zN>aAFdPW>~DJ2EjzmS*+<$uumDJmAuZUtzow zKNzQw0tJAi6AHPZObOBf^S@LDsJ8aX{b?1zmN(Zv9l-V?Cw^NgfmSXR6wgKamrVg6 z4*_x*V%Hwwa$#Q}6xD2xf@n?T?AH`o6Z=|@yth_1x^O!Bucw)Tg~7^%W9K`dVq^?} z52BUp5zYYvGKuay$j1uaFub)8uCmEr@E-8Yl>1+mW`@pnf}exawZ@Sl_m2pqjS<&= zbB&#Tx$Y%efsWJ6R5aBg&5U>1DCAltw-;)ptDW%5;j}VNFCTC$SiEhkX#E3^A|^*t z0ubVt{udC!^xvsN2XU^|sK7PaPLm(ie`EEyL_)3ITL8kB2Qdun#Y3m{0p)-Uo{->s zI57mcSVbLbud^V)W8ic6@IIv6u+T{DL(wNU^Isr6L3tNtdYh(>>=}ChkQHd0%8Ugv zVHSAf4+{K00XiEiu!GMjNBOe?NK!IkiSpDE>>ynDhsaq$D+F$A<^~W_YzPSrtIvPq z_!m&bVh&{Za?P~C&~l^}p*bU^4OEXanU(PUu9%iIOq;Nt z*@kVOCCBz6S%{lexfRvH;kk~OBamwZRuY?VC^`YOjw+E5Qm)Or9N{C1qgb2)&I8~G zNQH%jL&OdP+lyj2lii^V}H_MVod>pKI&9j86r^LJ&%ca4>JA!^L-ErR#sDn z^C^@|2XhlX-hkXA%;If4;N$J{hD1#q>u2$mAVDoq_5hU7C9#z#0BefX`=fl6kCqonc$4adJEe#*s>w>MxgE<_F<#%=+@A*2DSTyih9Ins|vdsP%4nv zWfQTQHbp9tW@M&6kjX!ku7rFh9NXux>&e2D-0VUUV#0DEB*Wjxgo5-ksQ1(w;izRG zMJ?hQh4_*f(pSYe|LV*vQ%nnZyNlhqc2j`aIPxdTsZne)jQc6&i0Y*Vy z4kQt6kwuB!N5tNW+}dIfAA4pGm3)PhT3{7WLJNMDsVV=MScAhW%F3vN7rO#eh1P*^ z?1!s}Ly0ZO%I3&LB47kN30dDb^$X#bz&Mc!#|_s&*MM!-2A`e2$l9Q&zdd%t!LLG@ zV;Gg-29#!l_dEDIbVz{Y1z2MudkW=Nu?L}$%|}}HET;csXk?03I0}TD%Ch`^F~I_NtRl3PU^7Xu5G7;>-8LWJ)yzFB22AZZCo&bA8nu}V|4dKz36 zZOUGN|CuU#!TGc*G>U+mt;S}LBJ=1gWM$*v?Beanuw6-ZePZiF!`@PeFbN?g1F})H zq@lD7d@92^8e}A@Xle0oDnz5=swkBGFM*(gdITj1t)@vhn8$tu0YQap`2f+T=MxW1 zr~{_epr4hdqM9ng1RO9zaRF86Z~(jKR%$`yA~X_QvvUo3gS|lh9cOGyjcQJCXgD1hJl3%5)29x0-+E>OhPj|XcLJ0 zomoM9Hjh>IuDqJB5wt;r@*i|0DSs@68F4AYJ<;uv;ztzHYh+SYzTxy zC{fwEbsk^3fI}*fV@=S7I&>VP!O3UnNympSgc6lP!ob1=2?mJ?fl#OkBP+SLJLG{5 
zLUht#r;G{-tALvy_phaCpw<|C@S!G*@N5?(EToXYP)HF7iV(7t)dP}ei$@*^B6$aT z1R>i3AxcG4lMa8VLLMSN1PLKm|2b4FWRZYT$Px&a5Hi*idV9J+C(kwZ3~vD<1-34z z>$?gBtwE$91VLR&=nli1k-&fyC}4#FfQ11P1_}cL0T4pA+PFY3M0+b|PfJfL_mvD! ztbrM8tQ@^?pG#gyfjY}zhe6IOY9J0X%!L!lTNoO4v=CuyNKnLwocLzq~2BEh2Y zBoHPcq%K-0FAs*L4K&{L;Dr@}gH&)gZGu#2poZZuEe&M3^C1->WUf#UFmXTuLE=Cl z1au+ftu6FGb+@}}j#P%B)>Vf3&>@Ij+gJNuPhM2}QKXi`T94z;9J zA!wxz@jOZ<^Fb3`2vPi}fMj8kgpLWtqTOAr9T`rRwhTLaXM5Zhnui%clAE#?+EIh(f+H}<3{Zg_9oS#+ zAvYl;`#%7Og&qF2p_|)oDVvLkg@+1AQp}Y zm?#_x07*j#*~>%<%g@M5_Yi7W1NL~zpmTu1HQ{8F27IeZ=ZzK(A>?j5U|?Z_0E5DW zASi^8x?G^J1Q`tG9s}(pcwvRm$WTcKHsg2)t_4Lew4~u57{z?>B82e$hY+!FL;ywM zNDxFq$Y2*sZ-%3zr8Q%f)fy1PXs5++=Y<)9jUYk|J95Ab>Ibg^84eoIR*|2khC}cI z4I1&Vs5V9L~;A?=l_}Mrlf59FN2du$cs0ES+ zQqLh~$D6%0g%Hz1{5Wgs#P3s67xe2wh-4;ngX6}Eh}v7)ISCRo$`FPEp-e-O2Ec*} zY^nL|6kxM0kY(Bl2MZ$vC=^BnK_Y}uhS^&>F>EXuKAx5;{8bb|6m*o71%@v;7HDvO z8$<|{aijAQx|%`=-F861#03cmg$qGY2q9Dv6dq1?LgE3={{c@xf)to^uy7f%$+2YupVM_6+nc9wRo0$79&Sq0!*ff#}! z)V>2`KvP&cAIS-|NdzLJ-Jr10LO?^IMG!1Ph)h6$r4_>ma|w+=I?93k3o3Bl zPhA6dMup;_d}Jr|4HSrxc0j?x1px?!3&?EX3q^ZmDB7>OV+XkK8Wwl8N3s;0aZuM( zOB#w^!d`&4P60J65HCz=+CGR_I0CYT92*Kpf*=w?s(LUSNiMR6fRk-IOb|6F(*SxD z4w~cQcyvfPP~jt7Atz1<^t2xsCT>W0DBK7FM+hm)>5j6qap7;|L!B=Wu%K^LzMu5HApj5urg~p@D#cM1uerXv#uJT9`P*MTAnkgh+wPO0Y==kpd;dlp&*7 zS`BVSh6^a4#y1#kkDCBf$BDUT5c3Pjr< zfsctk0zwLXg1{3(IP)|tENKF03?1qM*$f;AXJ|nbfy+pPw{V6;dcnB*2f#2fLx4kJ zMi4MUh-PG9067UVfC+ho@?}9gtAOWQi$(_%M-`k`G~SY#1}Or9Nk=#cC=`$|kSGuY z07oB7Ub(E;`QI+D0m|Qnycin9e`y-vj=~wOyg7*3+L2GPqDy{nxqU|Fec??aH1X9O8gNKP90wM}Og5VKC z5Hk%=PIrPJIf8O~A*x1$@G6em`EXDp^zd76d}Z`ot2Zl zqc7q1ws-Lo;PF<4v;Y)G1FH^1Du@VGaQg6xq|unQ=J>FWuplszKmb7@K@bE&NKzKV zI5O5i6u{njB`@7VNK=$iivnnHX%fBYZB%yQ%L&3)zsPe2;2_*Vrn$zQ7b-+Cp-{LL=a$5 zh!6yW5Hgkv6$``#Sl%d#M)DF3+(CR|Xy^daKj9_bP%x1}z(FBH5Ew$pRzL<@Du=6; zyQee59i`NHy1O`9vTf!BFcYNIqQDtSNQUF$5O0KBL_UVBFz3+zHE2w%5x`Mc69k$N z!nh3?tMWn*!Ar=u4N8}#laODNPm~PeMS>|vcpxZ5kYG@V5CDTPr_;Fck|10_zAOrf zk-VgWs)+LOIS6x9tzA$skwL&gB10e;LP%KP8V|^bW;omUT2irRo{0;DO{)Tls3>0^ 
z3^!Ey4!Y~`i-*ym;f)Z2r5#W(kwL&gAwv)tLP=Q`7|8Jt$>5&8t~}8}=wy_QivnX{ zCMZLC801)jXNXT|j3&&PHTGo@0um-l2v{hT2m(Y1S?giv4!a#!v;lHP2~dzTZ{_F< zB*RO1kVv7S)12TWfbbCHQL2FVhfj2jCd|>bc0w@9yCVDg((pI7~j*3SB{}3RxK%@P+m&#C>Ylve@3!ks+;Z$FQ>l z*CiD1P)DCOCryr9-3@ejiTzlq^vg8}~z1D;WxEUL7?${pO2 zC_{&sK7kiyQ6)pzoJ!O1xi`SdbOvC>4EcYUN7yxCZ^f)Y4F}^XL~$II<3JPw4g+Hi zp8x=!6hMmsMUzHILf7bTgb?(J07XdQ4J?hhhWKn8a}A;EC0x z0ay(*k0$7xwh*%`7fy%~JtJrlIUp2MWJG5}9Vh*&u}FeoWRk7%aW5bOk|ao)CxJ#m z4!B1EjW?u%X`NjaaR9A`)*bfYR1N0MSVs)T8A=@1p0?dmMbgHeqnwVsKm2 z3NrqA%z_RH#gOCE7WM2K298-k*q7i~M6HNOxDm_0g&65BCS$6R>&0yqRKc8uSYliF z*|i@B{LojKDM2VA#!?1h7T`wMr??lB6`Bj&!=e?_~1RCXe?XOy&oXqX>??w#&u7OX65AYVy=4CNm+Cz+7r1=}1y!k}e`i_zsPSkwua# zr6e(O(0d3;=vj(XxFJoAyT->SFPVhPi3vLDmr7NwVIu>M)0*5d0U$HU0iZ_WQH`1j z5-x1B#eXA+(d;$YmYEY`73MPIbC>`!VY*RQZJWrPrfC^QC) zhxvlv5>so*)Dc|g4O#&_k!{GE&eMdT<_Sk-c`hpWz6m>sT4ahG(I>vgb77grC&jSD z+EJ6?HV0@Rih?t3=fKmbV9o*XPZ1`TqOe9tFXJ^pYl7AcJ`t|5{DDtOb5LtZU1K92 zJ&)c;?;^sc=8MK)XHAR)VvP|Ea4-aV2hk4D2{w4pm_S4r1~hJ)HAlb051%9kIqXQn zJeDRq+wijHv6$pe{QwCQa{#d#{DZIXCkONh3kYgt$so!_vm&v=e4f;67~6#s3fn>!- zQk1%EB}zDPNrRX@1i#wilBa>jAwo!^piEy(G$bB0;FFpU#aiq;7(`s?K4xKrbBfgv zv5{k7{NQzAn-?c>sk3wnY0Z(uMP3oah0jicz9G4a!(s*X2xf&quHtFwQ3#>r6P`4= z_;})IawPwAa0#8Hcw&KAHV_oU#dZ!c5p@m`zzHmz;^%5!;}N)v09Y|30w`dqPYP&s zPYqZb3paQcIRMZ#9aaJTjRYSSe&~C29~=Yd9@=&w>j2q8bXZB^Z?;t<0H?e-EQP_L z-Z^InaRHRy+?FjijdR|rS~z&rX5JiUvpH?H*7GK>*;f^*cQrJBw1Q}r&>Z18yqf49`W~$^ ze1}&b$sdFd@;zj|;(HX{&^3Ap}uivo7{9;I>#HelI+_uq?Y(NTa+)$&2YE^RCFyQfoLJd2L z5V%+y09Q~_3P~#L@PIkt??`Dz=`%_~3etNP-|dVr!bT?wFP!Xa}B-Ql6wkN>-9|$SYEeaM*O50u>!* z=H|eLsInlgB2nF%bkMXg`2eS3Qh`sbP)X9k3K7T&a|L>ahtd>GN*p#Km`&VB3HkaU z_Su${klf+U8YKJxE>_Nhggi2mumVKO2J_*oG!R+9_!>yLpyfx(hWw6m$>Dq6yGE8_ zuTJWFV%Z_Tl})tb)8|affFc|MNzkc-O{?n^@ESuksqecX$9YZcDwbvDTX~Cvp+6BlyKz0I}75biS zc4#~rl8DG&Ms^{RM(m+5UbEz|-Ke$XwnB7>jBz7lj+zwQ=M1YtNkn$|FdG7_Ocn*{ zh5n|)JgEHuUS0T}lB9@KS-wp+&ChFo9CjVQHHDUIT#8sG!5Y2HBG3Z&$d1#*K z9l!|=_Moxg8t-f1J&Xsqrf3yz3!+t)aY8U5Wt>n~Bq}&I;`rn}(`x{m1Vs&QsNik4 
zktl%vGpuEUY|tQ;DQPiqY{5BkfWszS z>~K5+SJK8?MOZt^IKp#5B#N{jh#NE?^o%NOyEyQKwoMei$mb~qLm8vk$fEFyL;)h{ zKZ6^VmId;~dX>mZPA zOw$AHE73hfK&_DlNTGP1@?mi3Cu;RuZ%8yqIv~vp@`_Z^9IggV8lh?8QXOsi1dYIx zM%bsyVORhUQD9@9hiL*?;P3D?T>K-oMXf7eo`;inTsI>e#aB2~FLT*|4w5zl>1l%3Sw|m1RRxP_#(0mQIL~BM1TkYDGZo9R8NF!Zpr}h6Z#(A z2V`P92VEnCA%wz$@m&~r1`8OpXfPIzdB9kBVY%@gf{T4@^d9~lHrol)5g@lU5pv)T z7gOS*crf<)GZg$jMTGFv|9N|YCsC0$14&ezrXq)IfdY_1Y*sXRnu<(*BvH|tj1XEd zIkYAX;8USZMv4zwEh8uF5DZfUr(PSm$Wfc84GSQ>$yav*O;Wm(azZf480LiaElIAJ zeBnP#hKOWg^8aub%CsFcN&f;V0!T}O5CNR?r$aI{x8xH%0#7m)IDc4I=KK+RfhfT9 zM{`4V6D4;k`H5H(;RUHrz%6A{u*+tIC*i_xFb40Px)w78hYJreWhgGO0#}3#CG&I1 z5FBMua6_P)Ivlj(MnF6bP$b*f6)PqHgaCvb_+%QHAjc5WsMsV9|0AM72t=QNDf|u~ ztu>;UN(Js=naZwIDC!^>gT_J#Nhc)#lZt~>DjfDFCk>&3a$He>#^X*ytx(XK|MB$D zw2&wVo0EwGl27nf3h@f1tATb1w6TeCYJHjfPtJrxA-0+cl+uUFGHs;+Z-cP)OaMYk zxML+I3{{g>HMNn)N(_C6W{(z|JxQs}tOy>5UbWaD=0>8>6OcQP^S1q{S+UQCBt1%w zVSAtAZN#$(Vl-QlY|$E0&r&$!?U8AuP9Pk`P&hQmWFTlGz z_nAVGJE_tLa>v!4Sp3i72cmFJAXf#Si)Zep)wG}@4>y`Y!}F(p61#tg`bmauMg7z? zxlaX-fiU~PvH9^hDq(Rd!&ZdC?$7%>8igC#_ZpYT+wF9ga3!%~4g0`?SdE zG3l1%W~`@>xJKNGXceC0Mem4a@jVy>^8LFe2Mu5_zB&oXdgX? 
zYzcw;En#S1i^J5z#k7F-NnCP>dZ<~)ZtJO|gKgY!$=lYWNQC+XzGX^C%549)vYyi3 zt*M=K4^q_5F%>$Tw&ms#yIA^T-N&Z2 zIYZVg;{+Er0~#fzHL31MiY3im5+9uHD%IFqVX_M~-Ub@L+1fzk;8G#xjOPf{jpq;J z;n*7BhPp<$A@I#McgpH)O~o9#U8U9Z*n4-fPY=DsUHwqg16U|V#C~}I7cCV6kutQ~ zkObTEV!;R3l#)hd#I#LeS@9H^sNy$GlB&t*I@eVM9m#4s%05kY%goTr$wS&qSsESD zUmz`~GEQ_dbm65gp;{4K(x^)~$P1UM)TJ7}RHH8G_>xXts^d#_>QVz=YEYM&_)?R) z)WVn0^_K)g8DE3dKz%_1#)M3T08NDnn+gFO)Oev@A;5#GLDUx*Ky#P^^I)77WzO+A zM@Jo^xLnb1i@R7qFY#RqYovNRp?0co1jL;xEoVJ^dYrROSW{6I&v3LUi=R!*XBC^Z1} z(ORUhD{bR}JG4^`#yxDD+3)HZaojc1GZa;k_7+u^o&*0@i<+6kZ`yJWh+olEhgR&; z%8Hzy=yfbeyhX{fOXz2vM9Cw+5ExUIb`&)d<=)g9m8bhZjNla{1&J!uV`5>1SZg@M zP1jO~WHV~%m1(Lta^vX9aF;eynu(fePG{J-*fKD=ku>2GesgUPpW!o(t}^!i_%$ly zrIo?e7mLh7oR$SB6x1q6g;dvH9bIw2I$PiR)xN-~A|pG>j&$qaU*v(9RVVqt2VJ(0 znIk*=wqkaA`j&`@obB@2b{l(J6@S@k)$QQ2Vlk8KA=chrwfA5-TPcB*@o zx=ydoYdT-FU9nDiaczRqF})qXdh4Dlyp>+A+5c7_<14r7>u&{r?#!U~Y!G>%Bch_E zcWdgD8OK{XU-9o2pHxyI%yc#P50KPq`lQ64@}v&U~XxBe))l~-B0O=gdX2s_pD6(R?TCZ z8_i-TuPuJ#CjQp;?o%&~u#1%%bF!N^zP+>KhQ*ZN4g1%wms4vReDShq&H9rA8+Y~F zG-~i3ajB!-kG}og(`4}Gx4*TcqD*=Ro|~pLYN(%hkNTs-VmF=a*`eQpXt}O6qF1DE z_1Gl-wK8~YgV?Zi%lIWCI7(!7SH|MJ*QNoh>WjqRmG&)-jC5KY`KD8JkBy2a z^LliB>~YFo?!_Ika+#MWbf)*b;-sIr!0*I!y>Z)5ZF}00A$foK!_vwqHqp-HhLzV#UixZFe6zMO$M*p!Aewdmla*o8H5(uio-awfAlt zZ<^R?ck@6-$H}`JyELvG8JjL<^GR;^uP&kc-`(%z)b)9jNRJZB!vmKF9rf#Gt1x3` zv30+mcRR~1KljANV)uKQS%&92otz~hK781m6Wot}2=@aYBTgC-7*T6N`|edR3u zkGUubl_m9$+ZbF=hN2KwkVlICFSK6y?FJc z_~q-%=abLHpG>{@^5eO47tec|95@tuaKPYX(Vp&-Yr^PbpE*KUq}xr!Wg`#G9@E1u zUd1|i!PMX`Gqo(vyqq5}uUVO4UG*_`c|?y6qb_wR?elEodGq42bDJ8RztXXCpV6ya zYJ&pAY^Hqfo##CKXicNe)N04&j=hb<_aweQkr40J;akzE|5iW>0{NE?xVjaGde6U!#w8GTF%yHow z4}}|p&76DxR9%sC#;|1WVVe4PRg1?po2L5wl>Hi=6FzRpvZb}5OL8B|WK~+PRVq2u z?c%V;fXYkhT~=>eXwZFQw5y(-?YbGY#^p81gJhK-h*w&7yYK3mvL{dKcaoFbP?5(k z!(DHVv2Ikfy!N#7REG5G(bdZWBxiQ{wc?ajAD7fi5kvb-I9z2`SDs%h=G|C7@`;tz zjCn)U3qPE_RP?db?#xZqaF^fb4i@%4n9{PMy6@8Xo%TO(?g{THbv!3Jaf;iib?`1sAbF4r4@N~8RsQV_?!A)yF7T-cUtNSrHTV5axMgJqU+?EA3j@IOZTG9 
z`|Pl8#=!i?ex{cPPt58tEw5Ah;zPG|M5=81{Y>5V~nqXPpeS@43nmsWgRL#{ie;x)IJ7r$65scKv*;R^R&bxilZkrdM-P z;ym_NGxEDt`kSYEbdg>C>&4BLswZ-O(t0PBWHFd_rpLwavcRqGb z4Sm~h-OcJzGqnvXMVZSKTYg zZqQt`>G9V-0V+lv=d2k2$Xa)Z)IP@M7p0nKj%M7@N}05Iu)9w`pKeR693JVY(v-dh z*iQI##CYa~=}t>GU0*n+Fk^v8c$dS|)5AASni-HhNwz~k$FbXPNM;Q=V7}nd)P_#G z`bN$%FVOY&=~!)=e!1(zt2y2V72Y{Y5BEQ9$oO{WhwpM@5$BTa^k25aq{r(&9=Muz z%|?EkdXK7mHDC8^St+k=Q$NmT#rYwJWxFk^A0po^Wk=@jATiO7W!pB2rwp7-|8m{+{p}w; zPk&O1|CG}5EBISnM6{uSk>^vR>qd1(XEO9;+;`duDSe zuwS!H{W%*;2{X-^OGacI3bbk*;;eJMMy_Qr&a-q~x`XrlXf!Er)o;E&DiWcTL94wPKRGFYM=)YKw?9UnxH0 zI%V(}%@rCQE?-F)zqn`;^t)t~D)o9Jb9DJu*@azp)@MCeJ8-VDviE+U&UyABAG^#O z)GTF^k^PLrqr)?!0DjIVqJzN@?UqF93b-?AQ zYoC`mNUCfypOD#C{6xH$_tA}N{Vn^ZjZzHiqg1I=SMrwb*F&-I-dV|C)6#BspWM;I zHujF_z)$k$-rrkze1WC7sIJ^%k;L0c+wyiqOrNz_x_0B><+8_Q#N1pY9?P$JyRJ&F zO7+x6W$|3`I3-8(e3^QaTP7ZXHRX%HPS6W`tT}P>vFTD)J)AR?-VC4KqeiZ#lZyVJ zkf!^AXM1JMk2q1>&$j2f&AT_3i1gf6uyydZ3upB`Exwz%rTQe*mmPk8I7g+)dSB+R zwHL?Ivb(SKt=+S~eAW-Kxad92H^TAoTKgUOlUst`+;%MM>$SzC=TW!m zM?-)9KDIl}YDz=txVn2TmUWXqh*>sB>SymPk*?Y)F5P*~_{S3>w)RhR`>}d!g-*}3 z%<4^0cT}M9Y$4R~ZR#kVZL4Da0e>XS(gNu(Yvs_#lq%iuT zPG)mmY;bVWrN)Me__sMZVI{U3ewIaQ9ILAGtGf3jGHw0kgl`Wl^=&_PEEv}%Zj_Gh zqfYBbByTO3={)dyypdSKA?tSq(RA5)DX+|yT{MV)JbPm9_~YO1$Jsnz_Pvi@k4i(; z8JecMJhL8-+OpJ1UfDVI$oz_-Ox1C|C{mzNY!vpoNbR|C|F1`PWgZ`XT-(EBsMjHz zy&JNBPZ3FZ^2RGcvij}j^gbgdKc1*lyI*yD=6I8Z8xmf8xuG=5M&-ldvRj=ec)ML3 zW19G8#~TUN{<`+c1LajN%SDursLwtp<>Yo|V&R^6KmUcruU}udQ0El0MrZNOb0J?U z-F@eU6sg`7&)pmF=+oIXp7WkBE=+rs(7ZEg;E`h%0my;1zkGZ$@Wg6NBC}& z9#AuD*$G9nv-00BKC*0CX*MV8%fv}KHF;}?eH_tnD6`Sd@8QvqAIIvyZ+`N8m-X6C zc3B0VV;!2hO8!utvSI2e<1q)e8rB6izw7)XLTN?m{9_qs`g~DMF7WUiqcyBxyItll zE#L9`eZC*BGj48pWfZ8t&b4>`-Qvl$WdT3#I*A=GiBmT5 zdcQQg%+V>TTln6bN?+M1his!QHiJi8aG8|zC}P9Dn|@9jHC9Go8Xhy6Ewr#lVYNca1 z*2VbN<27?%&r-e6cTu3F!oY0CFn{aZU)77QEK%LR!}8X+`mX1S!}mLeTjt3|8QIp{ zZnSY*ow!J1|AiO#Tr%gswcKX3deMN&*_T}3{urZP^($wlLA*tO(YrEH6O0^d4eI+R zoR6jJ<>fyOxpi!_oMo?V! 
zy#DpbRFTPcffu|@Chi*|pK&Ml#O*y%6L$0oJmKtq!rm{!WVFHMz2R%WN;DbgC%u>7 z=j&E*tJhzpz5S47q-uQQ{lH**t)1uMm!40FySctOYmIvP zJn>y~eYYG6^_Qa^y43Ui`AzxaV}2_bjq?@P`&jFDTB%`2V3=34k?;B0@4}QSe1oEo z9MHKl{Bg+mvCk#+C%@f0VoZtk;<~SXnHw?(&D1Q5{n{~eSr@zLnoR`?9&_!ScWG`t z)j0C~#+5~%Q_2ms2kOtwt&}=rd_*h%!mhan&1LwZIT zu8hyrYo{JA{jP63-8s)Jv8KWKc1Y1;%dlJPcY2?>v1?ARw@(f_-3%4;=->3p^wAQX zg*r1*#Fsvt8*21ouAB3|rzc*eEGs+v$Tsd#OP}sruP?Zud&qohS&Y}Gb1p;Nx0)QX z3f@o*TP2Mr5)R4k2m0!Mebjh$`tQ?fr;dC3#!2jaQf^n&E6&`1^ZbsZzR&nQHSO!w zv=!Y-mPxAkBu_j0bAYF!f=!dyrPw(h3ukH@C%olAk=}Ma;vRP!c&sT@`^AM%M_RsL&3>D-(|dGk z%=??6!;Xe6dm9-%OGQ5@tKfCoGEtRXyAMg-p6#z<889SKW{G>L{ftz_de_g()|Be6 z%nwug{{2_iL0jirNm#7?Rx;0gt$O26&mnsyOA0=e6fjJWB}^zOy!>v1V$LfU?H8{a zp6{LYCF51gFsVrr!9{m#6^?GqziGSSRdkG!#Yf%$d|2!E*C`{uK6JV7 zP`o_y*+J*;R~J6NULm#gu0{EwvPIhtIQbt{(D2f}bkSyQjBoJZX+wP6PPpIixWv(U zU8jgE*UpHjK9H|X-WqFd*iySgVMInZd9N#V6)n-S8X8mPEl+T6St0&A?WbF8UpEo! z%g#1#b5sKc~HYF=O2g z3HS3e^Q%+5C-xNpB<@Jx}Mvv_{%IW>v!;(+OIIJmK;rnX)YP~f-f9sg-yQrd3 zeN*%Dk5>u}6MxQ3nwXZL7V~6Aw7QO_+OPbX2HBB^1~f=^_U-yZeVfbtxEBjvI_J9l zysqm0GO#f3N@>&RF@~WS?9WB{mUg*hNomy-JUQ1w0>Nu?ZrzvP4ApmMpq5Er<`W?q> z93DPZxA-{JJXE2~DMEf#`JuYFZpS0!y!Rcy8F--B!olNs-Q2v&!}oR$3Mq|$lKXsf zS-O$MfwBFjk1>2b!(zaAx@Oq*&7NawtRhxc_#B@eHRoXbaK-qX_=&Q5tH&NIlAdR5 z@OGPtwB%gr+2?eJep4Jcy8qI>W+KTa`d!v;%CV~wpOv(6c<|i)r(Lrue#T7Drk|@_ z6sHk7WcRZ(tM6>z6TD;o$S=F6eC-AaUo!y}Htd zi_e$o&k7FmT>EKjR=9Kato@g!G#${%NzJ|7WTUo+Zf=mWB2I38-|9evg<}@=_aAjo z#4y*t@`Ks43-pVX!?W&g7&!mqmA9M2gM)p}-1bcfSm*y}o_S<~k+uFz2}57w@eb;7 z<|UDF$K*%rCH<;$dXuJ7JK~*so^w3QAfyI&Q-0pTM)9YLEUSoYeTPrOBB5A>f#ed<%me^ z@>uDjImatLC61nuaA!+!{L)nI3;p{%YAMW=yqx&b{odHc>-;-+J2bJ&(Zc@D$`|GL|-RPL|q9U!og>yCf&)$L^ANKchd*{_c%{yR+==2Icx) ziuPENK6Y1@dsX;ruXpCY=X<{IG|}q))SU9N82#pT23ES~Gocvtn!6# zTB@7r1-G}$kLP~qaUh~^NMnfN+sXd+HzH4+JF76?=~I5$@s{y7M8wnrE@!Fkr%m!+ z)AGSS*fl00`gVt3wDjtMkGC*tWHP$D&%9zC9Xw&{sFU}HYPprIy0b?j@!W)qIb*xe z`5iOIc=p{-VzW&b?pw0o==|U^%O10Kg_KJ~RBc#yEhs9hKtgm|WTf^ryWYWGpAH4A zzE=LBa)F~?aD=tH=u;d0{FNU@?0-@GDMrh6ph39aSdH%Uo!$Ju{xnhiR#&IAZsz)K 
z*Ao?Yel8IyPq`PFDPdjoGOf7aTGh$jVNI!17MxI&bS$&5TQ)6O{O8~cE{cY8XJ75Q zZ^E3q=GyXefpvpE8kolVC5^tBZs`)=>t_9%Ni9L0Mo4>|Ia+Z3@>G-I(stvgnygvu zHA%PRs^!+yuQxuWa*f5os{*R<|H24(qruI{m-LfeldPe$$#taH2I0i<RpZP;+h zw=DjauGf;0pJV5ad+^M`K*Q%=pGOt?^E=C&TG}-+v~hCP^svWQ&jx%`6^(Rh_StYK zXkGq|9}_d~+}yeIwCJzM$4803;#akw7Tr#ap0X;xB_*_g(+pSl>IU+lck$Zi!Q zx$~6#{wtL~-05M;(B1Uz=ScN zC9GU|qaa|jaf91-_u5UjUkvPa^G2R=O6u!XwT^G{hL?}*q*Fi1cKxrNZuT30AFQ9M zxYwzCSn?|;FTczELuC(5)7-GpdXD@9do4p_cNuk=suYD7$=IKR&NtSW_8u{qp^y_2H|N;#K@u8+Rou0V zY}E%cWMu6IbzyESvnipW`Fii?{2 z^(+-l@fk5_j!N3^p3m*eN~D~!Qy%vVo#eZ7{H)C~%2o@mhj%efO8dQDeu6~Kz`J&8 z*Wxe!dLAN?a9HDMp^MS*@9*bc&{!6A^vbPUj}rA?<$PA?H~H2~(F47rcT6%p{XMMP z(mB3$k!P=OS~4iy(sJwJmkmYh&%HNa6lGC*MET*BPcJehb&Ty5)kJD`zg}8AFKM#V z+~;)9i{{@=wgf3SFD?7Jbijr?zB|{8jaYZ(&i;M{sRwT;xmmnDQY{&u$M= zw(R3Ajx#o#cPvRPJlL~F(qV6YdPd;I6>8T5wY#jF-JoGgJ6&NFn4ym++l>C-jQyEd#TKet1^Zeo**SD%(zk(V~}K4+K&ZZ+IH zcyQox(Y?*C&)*IEJ+j5Wi}lakbG=*hZd=|Kc%i+4e#YVS*yIfzBqk+mnCm* z^nJ1U;;9mkYq6&v|JZALD^c6!?yo0S3&XaStddJuoqW1O|8b1j&l*Eg#ly@mDopvH zv}K(^#DQ(|clCZ(w^)&({K%}EN!*A%vb`^i>f&ovS991iVa5@&+Xt2{S}oRG8z0%S z?u6`JiwMctH=K`^J>4Gk=F__ghl(dithbgPHSKwyaYGY(yc>0;HVS+u z_M5rx85uLln&hzw)&ut)P5km%yy?r{g<;QVwW`m19LQQ6WRbJs)ToIUE`C4!_?dd# zyrQC1E4dpqv(SahOBO^toNVtEbx;0S#e=eR{TIhwk9A)^cY@)!`rq;U{g-&yCmvL^ z&z-O|G%S2k|FhMFiLa}U`JGX^6gO5?IrXYZp9kxAtv#Ks`pSMngl5$Jv){G8W%YIo z?d&BR`s&DPxl3k7PtQ+G@|pC-KDRv8-1lSmt68fi#pWhWdK!{#w#B$;ZQi?1X@lOF zj6ADfS=dyk`z6x5d_m5Dsj-jWEv{X*ZKUd5L(uLC5kFyA zrRM&brkT&C92_dTXTW;1qYLeFViU&iSMB+1Tm3HDXeIOJSgmu=QtGHw zTyfz6hW+sinN6_`rVCenSr%h7T69Kk#`C81E$?1xnfIxfZddtWu)f#>O}|-ZigOoL zc~$QGWL#&UE^)|i&9EJkIumU+yKdN}vLxuR+?YOhWS1UU^h>pNn8a203dN8~Pv?$b zYT-BW?#PwZv5gk%-5I_X^6N(>YQ6}%T@$aoJLs$4n=MVc_vckESFd<`OZ&^d?jD+1 z*Fx^M{3;j_I!kWH?4Y}G{W4$pjH%a|=eKX9`Mvf2pUX==JWyzUIsbh)M~`4lJv?UlI2%)9u&ZGR@@3{E>I6$DS$p z?Az!a|DsrQWzD&3lDbC}8I7)s+;^I2ws?&Szx&Pe@QP&yf#wG5=HFRLk3WB4=hVvw z*S$V0A$m7TOLf`7n`vr?CIyUrcJO;ZZdAF$H6tHgzhgaaxY}5abnH(vP8o0D?P_W= 
zz+a=2O5@O=s9jB)b9#&%Iir6^^Run`WJV9Cy_oKQ#AMW5wc)*cESj$t1E zemz@TE%sefDmF=`IJCN?!0^j#RT8w#av@|m{T78wVTg{|J_s=z~ z6qB*L9{b|cNkw;$&BdV+yTklF0`;4_$n|!){zFRf({7i*HzRr`ip-T39jI^Bf2j10 zedz-}#SV|W)ZuRA6FK?mb3Eq{7&NUVW8utH<3JYKm1}s(;xs zXm;j%x$uo)mo!8Tg0^dR3SY5n_qE|WDk7CyfJ+h#njcp%qn?EKmdGfIaXn0;5jbm^6SS%J6R&Tcj>A2}j)VN2g_;ycPV=gY}Y zYd96{aPMBy{9b*;<~{Mq002lu2wUb;W< zVNQu{soz)03rUTA=0EM|w|dlLsa{=WuRgZvZ1Ae_UU+uUu{Y&k-^djW?6p;U)42{h zYT6UKI_lTlTJQI4P2-Y^=2;cvJ~$3PdUTjld_nc~kBSA-Q;x*C$lFTwGJJLN+hPCN z9&!`ItCh9rMN_n2(!0p#?b~bkB*Lb%k#|?w&EdU9XZYWGGW)QH-<2tv)8_Z?TKQ=5|u%EB})u0?oCyVZ!UdsZfEJdXVSfU>vWF1a`OCs=MQR+Ul>R9j?nsE zwf$n_%P)$4UdHprys+oL-ft@C$vG;_5+pqf_~U)jTNnB1mi(WxV=PD#o($!^b#mUY^nG5Tu! z&S`5MoK(+GvsoqKq%Xc|Nbgf4)wZp=Zz~zJ@Lk8n-D7PwN==(~mY%-4dW)BVo`mEk zsl5}O_Z}^GnC8=M(@XVhKlO444bkbkZM)HepyM_jE|;qeDF|G0%j1AciI~Ln4*?50 zeCXYIec!4ja^9z=mYk}|G+XOaD6=B@$f}?R-9iQ`4y8Z*Cb^N;Rj0GE?EP=bo33_n z-V?oMrQ|w|pC!f5GCuBnCXs18_<1Mgmz{r(J9cQ~v3rXb2V^&SXbyAgWcpoF?x#|u z_P{8|G6l7+{&S>L3!a$&%I$X3*}$%|Mdpb($*O4|90C`O==|YPq}~L(w0TzjU7w}* zjQ*);G0ZSKab3%};w9mB(HljhE8i$g+LNBprz$dKu$#MK=fYgG;Qe+xstbA?b=tmi z!jz96XjwVga^)S~8%_?&cKFeY zSf1grz!x37PWrvMKK$77o1!lbx)++ADBhUzD}PD)<4dw;9Y2=pt9^An9edEySK;j7 zWAh&0{!zNB`=*#3Yh>$R7o9lLqgY(lcf?p9E!~ap)KWee7w+oOob-LpmVNgQzOoIG zdX^bC<>J_t*&Wiv&NR^b#oyJ;wc3&Q?$iv~$i|O>uczF}z8$-@;B)wK=d#Rw#ir&3 z9W`>kDNDW^ciA+$xl7E&<$d<2tE_zGHhJGGpW>Ns9z4(#`5gW}tRZ|y+MsS5Uq@UV zHrZs?mcpsq%jNow8Tm!&qjAv9F_8mKPdg{qn=#dJ@b8xMuCxc6mVJ7%>f`jTeZ!WY z6{)@0fAOyI3&zw3b=Qs@WW7LVX>`8}#l2!uyK1i1`}}4?#G8>tZ^~kV`=nU+Hr@U5 z2kOnXNL^o+!Lig0`Yy+b6cD$t=Vo&pWZKC3{N zJV*?tYeKpzBqy%)kcMZ6}$;iugE|@uF zd+E)Ky4jxnW_ieV%$OSNobsWg*V>LAo?V`YNKfcl;@@yn{ItD8`aPwc;l8Ps86*Ac zzkh%BtiiKHYW)rKDvz}4%*sON-=AyWEon;qe(0I+%1@~gRlh$@XnvWuu1NCg{^KPj zUw;3n)K+W?2q-H3`8gx0>9c=JY37=7zu`L1>|@fi21ZM1?)=<>j}=OJA1!|;9dp(wN_^QOk0}gE;>UZ>|K+cWV0OxuNA+#JAjj8&WKrifdoboqO|2^O~H*lG=u- z>Jj@gGXqpcc>gYJ{uZn?qGBB5d2WMxA06i@foAq{d*>L~8&8}Q{nW@WbQA6Do&yUR zr{<0yoHgU!oaFNl4=iJxlpjBVVf;!iEX(kfu~?SElP$L#%IQ9PQ@X_k=e?oV4ojJ7 
zu_f=m!`ETHy)8z^@x6K1;a#FnY|5ax(7d;awWcXcEOzH*In(ubG#_Surs(IrUZP4C)nDbtEKYTO_GwVQ9}Vrl+2?+kyp*C#TipUVM_ zw?)mXlNzqa{Bk+8Q)cI!{LTubt3a(_bCO4g;)|2zeQw-V@|l!S`nf7&bCRk`@uNFF zlf=tDi>AH(JSTu@R#Nw(Pk=T2gReGqtnTZ6 zchZ|TlC<(1hl)qxHG}4)EK6XdEZe?EW5PPI@OvG7cJ~_UVzdh`&F+OU?uX?a^&M7x zYQRvJB~7*O6A$)OD2v^*JE?NxsJM5{i_Vzr9e?nd+ETXzReDD(<}{kgMT)(-XwiR* z%I(`XP7U@o4?TI`A=!UG%CdP1K0O(ugMt_ryJx+!^quhWC_X z={tIit?}H$#1S_b9Pd@&k^^U7avD>UxoU)MhpPbM#{E|Bt=549?^C_B;(S$IQ&kOffrV zjG394nPO&UrkI)GF*8FUt93EtAO(*V)J@~u;{X~li4+^x;5S!@(K(+w?Wxw*LH#~nXr z^TxSTzWEM6fTv2nM)k+=_<2`@0uAXF#EONt2~(%a`#Ieija^B%%J%CSWt|Cxe1O+efw`x~+ry4QcL5h9#&`n_NUK1mFI);{<9YumgePzkNA@dO{pPtOxkA;UMA!hFbl{8569mdwu(NRdTMmry#`bqWU<6+v4?)BV9Q3caGzaUymAU^q0v_i8qDLHmj{_aD z1NkyG;Dp%zp6Fj25S{(2Ap6(O4h)UL4x~H&na6+S|LYs>|7X`m=N}I3?_%n|uiX9{ z62igF30zhEv)TcMUH?xlce1@k6#gQd+DHy_H z?>Cg!7hcwcPVz>dO_hUGoo&%px1>%(!5L;ghFB+txOa{i8e%X@1VFPx+Y`EQU# zmEp(4;?syBZlq+N)V~FokC*xSy>U0;U78dQO7Ie=NMGeXVDmc-g5HeGe(5+Z=8wY$ zjUfoWTd_7wrFXQ7+jkEiZm&`5pal7BwdOdGf)<;2PQ)NVlgz9-zlDgse!9xL7hjaLM{n8}7K=YfIntFSw@|wpJDpsr$c#YL z)YNz%aqTv4GxE1DVu80L%h;jZ?1SZ8DBvf}3Z(+!Edq-mA?qVrf}~$4)&(2v76LIg zX7Jg>ta=+7HK8jw)Jn^#J2>~J|DlRhRYG^n$PaIKE zvG2pBzv~<%3in;E!K7v=aS{@gkfgp_jD*P?+(pSqtGdeB>iP;9C^|@%HC1*N)R(s( zTq0g{SboNfxonvEfLp!|YmgdOog7~@x-_;lHM4QDbNpUfSX5S1QB6wKkd}^!goV4g zb#$s{otvaE(o7&$%q1E)ZJd<~{>Dbe#nhvBK$&b$7pSP2tiadPfeN*zU7(<4MP||q z`em4>&p#9D$Ndn8t*<}FE@yM2@OZo|eN|4%;zEl06lOk&5sn`D)kO;p#0ScS&1uM6 zom76P+h_Vgrg@HZQLsMMk@HMoO$0&3-nzSgjicHnj#ed3=@;KaaB!L+STlcS_-sVz zAZwz%HOamSk1XY%79o=5G+fg}8cf)WlP48;{TGYP7v)k-a!W=s6;7eh$&Iio3MsZ0 z!K<r?kn1~(dWf#WzbJ?ATEwfBc zCA_kwm5wDS)$r#PyKI&4;p->>?JdmD2z{QuT!9S<2Y2cpfVY}3;|ih9$jAjSJpfnj zQEQ{4zQWdi-_CPh-e5XS9FygFh;FK?E`PbJ+UDkN3S!hY*rjpBD(>30jaK`5R96O} z69~jdGHm;|Cb`*NtN9m|1?VrJJ0R&N&c-|9j2g2h*e5#(6-9Bhl4D9P(J?*2Tm8IMJvOcaqdZduQ0?kma5g zJk#2!cXGqrYD^L*Q!>(gMd`gmVgkukS*gmYr*qDD+K?doB|ettNEn!Lbo0%s?cvoq%G;+D-r*<)N?p8~jTZ8GkB&vkMx=9Q1lVbxPt%*Mqy64cG(O1qvh 
zlM=JSh7&*NNju|hZH)qrNNJD+>^Ev8xpRfM*@u&H)gXi!%@`DOk0TVZB#PTvCY<&G zcXLO=Xi%KPd=2Vo?Y!b6<~Zi37aHHRqr<73y1@Vf!(A#AGO*8DTsU$f{QSLdrbR** zAiWwF2xwz4fTS5|K4>FK#CEGm`l+v%V4)J(3%Rg3H( zMH=}VvDwG`G%I57yp?V&z;6xVtu~MxWY6+~mu9SbTk*UIoXKcLtQ~j(oq7S0-fZby zdbWaFeI_vF{mj&v)%Bnk^V%YxV8mB9tdxI&Qpxqj3+1o&$+{MB23wVn%35~$`8{@w zFx%s7^UL0K?VG``qw~<~p8ltoep*D<#Zcy?r_k%>T}HgmrCmG1LxOJ~d)JS# zdIDXJ+QMTp;{f+AZf#zuQKoEO9oETmduKD5r-;Q^tywA1A-KY)xv`4HS8=eP6-{yt ziIRlP2)P8NPN_t`&fVsT9{{=dSf<-@|)3 z$%=C&-2TPIFXo9>waTi2M)W6B64Ih2V4<#K^!eFHLM}Tvzn_hdUh`!vj#l%RL{=;s z2?74qi47S1Na5s9D85IXRix}q+XqJ--ZzH z@OWImCJ(c>vhudCgFEoSUl@$2OCEq2?>QWjDtg3@?`KFCW4hWn725_n(l|a-RV!oO z>>&Z#4i56)*WSFl;T}6)@|l0)hN#-#Hhw`M;J=DhXcqGNL(HDsC{NzsHUbq^#voA^ zv?moU_Jcekk20Ey%S$_{vx!-1|0EuTFKh;uTc@fcQtH|dv-< z=-m8RofWdXz`x_b6?75+#g40hvmr+;`_UQDT<9}laRCQom=q;bo+KvWN9U8eGA#2d z`A*XdTg^1hTmpjmq@^8R(fZgHn{G{!?vc{gSnp(_aKk%#*dqm#ik3gdsQNIL!>p6+I!y{*=rYcMZ7@F7&<0gm2bAs z;!*e(^=1Z}Y^ZQuSesPa(U$}N`dI6Sm>Rm;fB6NGM_4XTe}T?J+EDQb%`;n=v(J=1 zGrerzFG0IgQDDRe^88?>Vq&$+b-53g&F4BY!M6_2HX*VALl3n{biat+_Lq$!S7XNG zqSwg)?!>w?eZX%v8RejGgZhR(DSKN{=*ZLls@I`dKwWp9{wMD6(4$6wI;j_bn`iHz zT(=j#$_{UAtIyZbPX1Fj-v^j&6@*SrKxe&76tPx+(08hIq_b3=z8%1}i5pl=2Q1tr zn66ujqOQPeOcUef=qE;vP8VI*=f-iT?`d#Fl3JZR1YzJi6)Z7;B?uIOi+6m$#B5)k zh5ajk%1m?j^a>$%E*9ZR()3~R;PUuGluPNkw_f}Y{QM}{MT`_tY}z9{`X?Nv@w4LF z>BaBrY0%#1dy?&VGat#*S3+2nc=>CUC?QO-{?|e7s1175X$v$BNXW!#DwYj-YpF?- zp+Q$Gk|B6E6Zw}us>U*`6WH$J0SFivR~>HN$C#oRXeV0FX_3HBX`S$*?L^S}k$gMB z0rqKM$ZSXHKqFwpz8bW)_N`-LT(ooLrgDDHeXMV;=(JWw(c@RyVNt78NN3-}7cQzF z0PMmE0sPF@JTaaR8kOEQuMbND0zR(;_h#+wIc>f>1C(Ywywl!0>8l2{#cpIZL^F-# znK6aX2Ek9FGh)=uRQgxKcn{**IHq9ff1pnwsUNG53S>()zMlxzvtE^o84d|Br z7U^d|BNcU(xB{L+F!1njEF~LNOkUDX%PM0htEQC|`;}WxZqMnq>5TpeH`eNOTc9U7DW^XX%9$Tzxv)`m* zI!ZO;F;j~2zBTodk{7c6=1HInj_f&kUm+oWwkR`XnhGF`x% zIjG{+4YKLBc!7FfEy|R9@%-sC(Y4E)*4w?4vWar~q4gQB^dtjtpOm2~58r^cKK&E| zYGK)%Yqj^+mrnosr9JVW12gEQU^qxr+9P$##)^u5$_7Mfx5lF4rs+jvPV`^FW=X8m z5X&ak`pztj?O*>q(~E3&Rs1siEPh@I?Ld_pZyMAJ4Q>{RXK42 
z_9cuwAf6jlUOtMirKL|n88g>T)@owEO#30gc0X?wO&LUC7rQw~Cp3tz6lF>z4%R=D zyp?^1jFOi&p4<0ESzpG%#?16H93LW>Hd2laq>ss)%aXU=trfd4mT+(DFVh$s zTr!JPkuL_emT8%w`-K!&@}d9=*TU?2{&eZi4CWw((;ohDikOa|bIw&$T3E;m`1IB8 zCabOZ*{q^J@d-md0PF=QhN;$^T*iU!@-%BH$woqK#|c;!BQ8FQmJ+(|5(&8Av7aH0 zOy6__)>S4?GhQgF*dL>kj2{WD%dsqI=P4QyCzQDeR&%u2e9z2AoBD$_`0(k=G|Ubw zjo?SKHrBKf%Nb86r_QVC_je;s+sy?7hE(~DQ%g4@!c~HUQ7;?Xp&gdn_fsnj`lXlG zteG0!sk2x8_+OO;jSc!!vT{P*&@j%uJ)O^I;MZC=oL?sqh=M}rM|VLbeF%9`A*;k<;5klk;{bPMfn(Wf z=nZyXCr=wSAo+OCg~b;K`aM9}Zf>R4Nhng70fJ zo_POK{wKxxnyE?hhQ5c^UouptbmnxEGz{HwR5!K!s#Oht+F-nDg9F_O3O-rOsr-;f zW+&lk@P;~B!TLv;?BF#Gmn@XNZQJLtP6zHTyGw`Hrgxs3TNOu_L;fkWnil(F7Cr?W z&2oG9`91A#vpPatC-#qrTTXoMNo%ju>VpB~E<-P$zy{I%a6SF^tm_LA{_{#L4CM%% z&MB3ijd7`ALc*rf`EeAZn-=8>K6XPX!qfe)vO^K?csJ6Q7O zuR6`T=^LB+7v3)~qomzF?VJn%Hhv~WD|1@;U|FskEwj3td+KuOxXhp@JM_8N2d{N8 z59EsBAfnI$;W;y2uU);A*s8>s)8DC^7dlfLw{tl=-EaF~w;SBopKqr}o$; zHM@7>l=hGe-Pp3mf_E+$Ll6}UH8%aYkPk2R!3@Hoo5SL);ULcssnx-hz+wudo$UjT9zF9oRPO{hM&e({4Tao?4*e!5|>jpAJ-awv(e(F{! 
zE7D)ulX#|{Jnl9xbR5JND27WrPhK^CVNf^PpfyX}orfAiJo<64(6lEs=%epg z8BB7B%EUns8VyDzP8;&bfK4(LHm7YakA;Z&@J3CX59bp_VuCLBwOC-8W^)oXy5$n6dhf0Jqh zn(0LJeG4h0=>c_5Cxcuk{x4G=v?g>$XxJ&%8M~#rn0v8s-HimyfEILEG6oqmf7+G2 z_c};$r5!2w4V8o^23JhE1E=`H$2(QB2zma?#MyEck8KBD zRJeImVU=x;OrF9as;*Y==Bj=M`LfYL&Y19;bwf+E_ZwRC_l!B8WEpQbn?z+0u#b>3 zI`Rmm3+NRh96#CW>w_himHqbN0nJS;UkohLVKdq`Sh}s%$UZ_lnFT@DE2B7`B={x$XLZ%jC}c*xXz)FB>y{ zpSR;_xt8XfkGJDt0dAv?XWHGX#D)fWgyLfO_uI2GixP+3XX>3MeBSCx0RbHWqn6yZ z81IiP-Y>V93NQ4kTlYL={B5;XnR>VFgPNXK$-I%b-4ESzcx3xyv6L+vMyzp@7e_B` zm~y!|8;%$HiS8*3QU^u(r(uDjB^6v`(f)xKLoY7lVy%E5?lD8rFD|dw&Wrl#Y_|F} z0Cl9#J35u25C|ip4##F667g?0adrayo`ryQf&^tP|4kGx>e_n>r~Uf}0N}g9LDAxR z)p<1!{_;3c7BN5gr?%8v!(q@Cd_U;fOP*@`hK9Juj+VF4Q{8OkFC0}h{vRDrTzcIz z9p?eQN`n`yF zqiNAuyNMuebh}n%2JSQJmXW3)`hK~@ooSB^pv=b#Xlu!@$+cVUAYaN!F2!Sh#A}Gg0 zC)TA&N4%RXHCn)WXuf@>KqxC`TS&vOPBM=RT>+cjzd1^=TUyG+*N+)W zLt8QJ;FF*l?bMKB4k9Kay)3>#BIyV)Q*hnQ`zg>mu)4dO(?d0dg<=^7=ou?Q`MK>B zIFyzLgFdZ`qKD@927WCeDANgZWeU0ha{Q=5@!h=s#c8yyn3Qz0qRh`TYz4n)w)Bm< z`Uz!x@`vr^qzLZy<=RX3%Oc^|x_N?JDyX)7umiDa-fH%ujrR%EvOoaT4w9<~-DRw- zyDVVfY5~h|HWl4La`wlYWg10)5;Bz6>d(4`JWXFt`&cqj{Obd|xBfj)ljI-FJnFet z9D{}(Po2IMl9NSJ5Q#MY@X%`7ABxJAqJ$XebaksDL7ix`&2P$zA?v!>SY?ut!wUtx z>Zy6Da1O3s=H7BBA7QhY!cE=ZSf~`rV&8Q+5qGm`ULSb@nBQ=5z(uYT2GXG z*Es;PF7eLoLl_QQZA~A--_SnE8(p}7_=0#ydou0gA-gb6b9qVn^XL7`{L3-S9j~)N zbY73p5SJC6hn<9E9~E!AfTu3xu*<|YUo_!PSXD7k-H@l?+U>h!xt(&Q>o(!QEnbs@ zqy)8)uN=)TDO^@4mlqi|3%(lasd#fMN?V;Rb)O%;PGJ<_98&_sLj5Jfp9bIHY;m@9BQF|ap}%DwR@P$D!n%D?G@tA{VS zV>xXQQHJMnF;!j;_}rhiy@z@P1FXL4?j9YpkxJmcHzGIZA)Ln2a2? z9Id97Xh}Vur(hs>-uG)tfg~S$gGW=O{^RgQTj zOHEH%Mskf=TwmUa|LrW)JHg89`|O0M`+zedDMl8&TkOm8G6YjQ)(`!gt8%{fR4zNp z#MO?-my@SLNx;Wfer32DkB42Q)!Hl})AXdi<@aG|@IcW$fvEuC&2SX}uECj#L*RLc zw7Bz>0AQrQoA!31Bjp)Ip_Ns(u!=|+;R&3K1ZZVMu?T8fX{k1wyyKGQ4uM1-DwrCq zjfWlw?09XCpLH)S@~Gs8Gh>_vHfe-3_5~?aqHa=VX07AK6Aw#lzJp^UhiiCSTWXg! 
z&!FMzF{?Lksf!t}B)EMsRU9>O5?8>?5cKLykqb?JsUm2>26qS$Ev~qfJ@PDOY;{}& z97Nny2fA1hCDTRNPkU09gt$|u;#W$=B!`rfC{s)In*VWhrghk0G5M)UKwzi(S$8Rz z*>$$j67#V%{loHw4q38uPBUB8Bu0|ZeI&nzehM01c8o4+35Pvjx}-2tETe>=aj>Ex zlU_j5hE}$-(2A;ohJKCX+wV~eQh0}myrZzKysh8Q7ej&XD_9L&M4E|M=!J?BGB&*9 z9fVk8+%A=+OBs8YHIk#V=#ND~$<6TUo)?4@uwP>lQgEH)Be?n}&5fK0Y8W>Yj2JM4 zg_Uqt0y-YerSQ-rAMqZ}DD7Pjd?6n6YISpQvqh&MKYv|ecZt_Uk9RMh5rVyJ9P_ND z5@i1X={gTTvi1shv8oGUyE<7qM3*v*RLN*fos2=d)s;-&L`^Z+C zqjSZT_QdMnv29`KE4wOltpur6Joi=N)OlJ>A@K|<=y3+UH4AtaCNYt`f6gCz_EMy@ zIho6;8cSDocC*ed-#G($tvh_5By*G5M9xC=S8q^^SJ2L z<*-l)-A79}RpNT(qSI10Np-og@3pbPZ)a2sKHjYW2SKg)`!sbqt(}bcc48?SXDRqoMoLap^E=-G705XyzucnUee=(>8W112 zW%%W9uZ769!3l}5DPCQk*VgPU-d^T!r^E9X029CGptV$RHgw*MjONr~i?L&+eyoAV z!A&)Rs|%6ZUQsptj+dFU+uQHoZ>OiH_z!8Q?D@oplmhki{IB~)IW0256Pw&AP~>bJ zo|>h5D47rXerQPy*qZZoBXAS@~xeHWM)?r z!iQK4EP6j3-XNs3=xL4Y%lI0eb=EHzPD0{k?9pH5fy)%n9YGCDP|KH`-QJJTJaY}Z z{Rr579>SL$-^#wW&o4k4sT-@BNmkSAp(YEc zZ?bHrrSaYfs;$cy87j#hrqDsx_A1b<9^jzBHVafLA2#ok9p3bEzq5~?M3wIitli1z zQdv1GE6e{Tx1>`E_dqXfn6>y06Y}P4WbN&7o7d#xriHS_Ug&`qpuTGJya3S@oml~UUc9ONJ5A`L-omgcfHgI5?x5H#k*CMW4RIR%t)1z94 zlq{x&ZjzBR77@&kwQ_vZ;hqg)6|brKu??4PX#Yoa*d}<*lK$zqb;r2v-H|yDNnv5p zoMJigFxfKeW(mWmwUCWtsm0X**9WS~tRwR^(y@-$$@R)z-@>Ca%axuy2u8!u8WBrH_QZD zR_EzqiKW(3XH2XVzNfG^om>a*30}U7SsZgeFg=Tn28Ieryx{hT$XOGhwRmI_)rPEQ zodM!jS~g*Sh|`k)_#`_IqpK~T`J$(6G53Y*kDteZ6X5BzWMG<_jk+tJfdM87;frX< zIQfro5-D`=bi@(DHD_LcN#`mHmGlDtzNd`)WvCL`H6}fZ4-X7 ze+ueVY>;t8iugji4+^1T--)<%Xku!~L>e(9$F(tjbj?q3a`jNE{*b^Ao26~7TK@#) z5PE1%SS-8C2tXbfhP%@zEUF{hG5r>o4F%=(-B>}C#qXGz>$le#_}dn78shWA8tpq0 z%vRAR(}o=Q>F+`OgoGs?gB^L4$_4yY%$A^NJ{Ap3QUX}T;~zqAguqPz?{9=Kv*o1R z7I{K01BBKRV+&prI}v0-b07ZSTBBP+nKkrG|{*b`O`+{@Z1W`ugkQArt z*HAPmAG!Ut<$dAe*KTBeyIXvOsbcad=izyl`2l(N%9Kza1VeM|xN zHH7mrHeq?X^BLs#a9QWGpmN{&%|W07vRiK^qA9^P|NVi8LdqrpeV!GrVYkr8$=lRZ zj6#o(^*TbW?AfsjrPfJf* z1ITt69{OnK)0Ovy{f!3ZH4uS`^oWP-9b!~0wU=7bP zycbN-bG@kkxI^+t(JWSc26#IT^dWzr+tN>?e3e@hFBu zvy>RHoO~^pxyPrYxu0X&#kx#}xc4pAjx6GaY9z_}2R3t7u3D{ZUA^rIO#4NohtUZ2 
z7JHXm25$FF@LljNyw$R+nv3U$+>)DGQrTBe%6XnrT)PU2+v=xOm*&0}TXt2ph1!)` zRm<#V?}C`6xLxF=yR>V+-O&l~bF(tbi7sqA`?9P08vkKMU5aut_crzp%e9w@p5hfV zz+jzP8Fj!+hd#2i#5xe*=08j;+@C$xnOdPPs181U*6=0Z3eY^XO)r;6tj=G#PUlV? zW#>1@$iZiCQRXawWs5eQ0n7NlTkAVKgSVqdAr*Q=gX+kxzzcr|vlsLOKSNlgR@Ecy zJLOh?;lqM1gQjEOJWQu+uMd_chsY(j#J7{YI|nvlt>^-eqe~De)ZcQms&M}OtYc)q zql8zfTW?38k6pcO#T(|c;BJCw5gV9#wH+6m@Jl4{;|}tQ!4-Ip-5boIW_|?>t4+RK zlD?m$BrCIss(wj^mqIwwf_dbQFp0WJyOpvr@)F*iCA!+N>-TU6KjdaKLtPlfYorEY zv=wukiG|UunwmNL_E@mcDq%FHTtq6}i zIt7YJVsThbK(WRBWuMxT(>Uigj_{WzSp#;V4X6 zC#rG(9k=+oC6dCV$F+w$&k-NNq7c-A7u24IvfOx)sJ*k$6lAXjYMe}E*VOH^N z+83Jm+UfEU9)}OV(PSuWS-Y9=$Or6#ikQZ|W6zud+EpR?h^?%AXv#7=9~=jdea^Fm zPqJ({4H&EY0XetXE~SbJD^T-WwEj-aM6;%;cW}-1P6BQJG;`MwPX^RM4p4cPVZ~C) z1iQO;LU3BrJv(q)C-zx)2`~pCq5+V6qD(o3zWsLh^wi*q-Y^c+&=5NN1V_$nNB^H~ zoc~a=lEZw@?T^PF#pexHUCgIEI?tHf5!N~=A1wXZVTE^Z>u zzjdG-7Augp`P&DmSM)C%H|t*l2WVphf-OLh<*$tc2(hpOWlsLWE}TGBGY(F+zwahs z0Z7OEp*eM zzbDVl2Bc^HMa%#v3vBl6wcp1e`y*n4rX8u^uYnFGXu*&-~V4otbgbI zzu8>>B4Gc~oPcVP!0Z2S*Z1#D`X9CZ-^ljg$(nx&PyVxL`)_0oD=P<(Oa4DsJ6s%` z?7+2{#s3{gTKXy?Km z6t)m^1-5WGwgHE%DCQ_58LOy*^jWTOMWf%N@?q&*VzP#+(J{MR{7rVBP8IFQQMU)( zk8l+yYv*T&Yff;YSj2mQszeyc`xpZ;x+hEdg3wEXb{gLSZSgWDm_!5Kus$ad!LD5w zh3yTT zYCH0j4?WB5t*DlH{lgR2{+UyVRb?%V1bF3Ne?CaI0uHrkCkUfHj#z}doIf%=Z+FCg zp^xj+q5km>Y}>eb7zoZKzT1-sf;8sTv~hjbG2syoF=5(RST?p$Zj6Bz966=9dZiRK z8T4I3^J}kls=f^JD+rJhtuf-<94)?ty9r~d&oxJv@*p#eL$N*n=`x03hB<--vCE4t zr5ygIxJj!rkPYjpoc}CA(F~>tL&pb!1ZNY&7nB={Om>=to#&T!XZrcG{E8lu8QkP6 zp66ahLMAW7;%%w;j?hYPn)@SGDm||tJLn9ybJQ%@#v{`(p19aSs}*gaHf35d z74$%u*{_Zttr$s&kIvPDF31;NAQfA>ux^}dnyswq)=4C*+b3}jrE;!A3;lfl9jgnZ zoNb!L1e`0j^oQ%>X~p|1!w$=Tw=Ch3B&us4R)t<4P`I@oI! 
zBLhtZq7O8kpr&@js0}IF+t$^#7i=^Jm8Hq2NSln*1qv|dyUjgoHq}~dKhpfZB-cX4 z1+)e8=vSs^#(eRB${0%qTdy+~z&s+crsP3%!yNfTuK6_*_6Abnqg2e#LoyM$|L22= zW3Zz?@cv*M8CKgbNfBd{I3+|1gG3Y(aXAXlGoVUa3MC@*Un*ciiy;XS=f`Fz;i15Y z#$*43gqa)1WqQ_njY=Vx@s=C@SyNqPoOC0Qk*jM>Lqj)`8=uPS^XGTgS>*&Z_OV47 z^{8YbrEC_H@7gkRILvjS*wBz@EEWMW0R~ObQ6QAnyK)zQAfzX}0?i&vj0qD?JcDu4 zb<7nD6efeQsn~q8eh7k7ZVU?)q7L@^A=eX&1J0(ODau5pr?F`Q8*7;xh3YlxOwbXs zcY6=-R1u6fCqudcSSzV4)dBv}clQivr)@(cB(^(G_1+T1YRO&v)+l*5W4cNUc}8h) zZ!aj%V%Rc_nj>WMnk7LHD6l;&2DXdAeo6ym{g9H_RX9m~B=S@J{<+EIm`?0pcWl|Z zdU$*!E-`3};~1(4cFOKlxhau^Wnwrb81GjB% z7#ySm!};mV<9qsjEKfMBcRk&sKYgR*F4fM`6CW=_kg33agYqn#mTg&eBr0&T;nA9= z6>-Flxx6a;uvV@Mq%I`A^b~uGJQ{(WmbkoO0j*3|(zkT8H_%8H<~ee&TB$3*dn=2{ z5LV#!zBsxQ?)Vc+h^s|6wI5JXIi|Tm3m8$>Kbw#K z!}DBnMXH9LDO`GO9Pf`Zly&QcO3d;dn^d~I9iw!jdR}V~_Ailbv2L^rIw9jA&a_s?>x<(sr;`>Hxy#S82zH?&R5tV(A20~#|lBz+o}P5gSsc> z)Tr*Li^S8``u)hGC0cW9x8@y$Kd@a&e#;*SA*`%4Ql<6o3>_#t1o$`~cj3Nh6!?BS2FZrphEB+nZvTYmv6(_Xk>L85yE z&U*UDW@4Bu7)|#!5Ey$CcCe_5Wu*#m*93+X=Ljera0AZt&Yv`iiXj7H|vT7V?VEN`p zD$L1D&sTNvK;Eh`5b2Y{eYn*Xuu_!1rn3jzW!$QMR~$g!9=1}@U01z@4rNDR?A<}( z#=NT6+g0>jPnlBLDfS#u5Z2I;0g*H+tC@8kI+0C@Z6(G zEB*NsO_R9xtnf-pjZ-WbhfX6`d3Y406k?2=14b1wl(TkAzYv9k(Sj&IoWl!J4{~Hq z5|HaIW0;6=e8pEBIk?EzLHWXni!aK-6QIk{vA(gU4GZ78ElG%`<>ZuPQ#}dE$P*eP z3ZDb_LA%s9YQ&@b9#E>`D(L#lFL~I6l>U!@+-Zi@c|WDFsC4Kr(p$nY%X zkr^^a!AdD4dttI6pAWJxMh_xDE`Qt}R}tM()Mie&60F58B)4mc`*$F}-~vfCje5uK zW*j3#rfYueY^=MFogVpJ6UYMs7q0K+FXG|eQl+4f2rgtAZ!~mPSOR+gNd6UmaNhL7 z(l{T4JUOiR>Rkmhp@mo{!5F#gtN@UV@EZal&o6+8ltK@mvQdO@%Rz5CpMtM548Pyu z!ufk2)ftg_Lgd2jP$j}k0i%2tux{c*Oqya0h>5WYgsFagbS5WgyXY(Rr1hv1wx*$_ zN`6^C=i4IJ5M{oh_MVCPRzpQK3`C zQ(RL;P^(t-EhPg-ft(y#TyqnyOFi$DDs?9ln%kmUScAOlBulMG2T8W zw4TAuwhThOIm&$mQO@ShLe8M}0ocZ7q7Y5ag& zg!HIq;Do;jv3~zRvi0Iv2dv%61l8s}I45#_pWurR7`OmU5u(A4iUcc;D5|g^r_AF= z>?r@uZLhq8!9mw;Zs&d5*+jOqalR9E%4gVWdb=0C41+GT))K)D$#bCusw@<@m9h8? zlBgRIFq&s25OEfxB(p?8fgq#{8ldcn`5|&a!^vKn?Wh7++3U~=Q?B-=A@*DM;x!S! 
zfZNXSE@Y<7Y-=*os;DD2*1%8RCwU6cbj5+_)!;#v@4I%`7KX+J{z)n9d71Uco*)RW z!8@_r03arsW2dAKzEurXU@n|KN9M&grB% zKFvABp#+JRur%A^=9eQurdg3@{`zXgO)T1&$03-7#IVKlnZ&2|;LYj*=LqONyc;aU zZAmn0iOpp*{noKJ=*A&1j92k|h8Q~9rV`m~qXoEMMcQ1_>h4(5&QYCd{kVEqbWt{= z$;*WF9Ty=LE;NIX(wLS?Am$?^G`muO>y;VWOj|dKy7^(KrDO1Mh3go#M#|_$!|!)K z6Y?E?0-NvvjGIq~FCuDNo~Mgg&-b_I_F29e$B#@#2p%}WE*^ldW++5+Xfv)9yRWY9Dqv$;Ol=tRW?nSc=FJ4~?%DNpd==7iM zYpF}BJmQz76lS&rL%Icwf)6{c{@ODv`aWTd7;K&pT_bA_x;9^7Su&PoHxL;{e*<@V zS-kNvuQy20p6sx>n=pBz#C`jU39(f1UaO#pxuqL0bG!(@;WFmoGkv_-70Z3I4?wKG z9JVu3F&ey?+~3>1m(FpkG^pnL+~6hbemG+lH?!vdyiR^>srGwxdl*k%l$F-)uya}Y z)7-dVgJDF9>K^um08#`p2q07x{`E)HRZ_0OGLvQ%vdci&-O7mB=F23n`&%+6Kbh6Y z>Rv@rU6#kt%e?dxX~kv*`?-EhCEuC{qM6?dL(ue|t;nA&NV+X)n|m&QZGPoVDqAM1 zL6<}!ZQ=p;cm5^Z6-0n`jMe~EH~2J6na0`jzLF`!G=sN2QUSk>wJNcpHh$dZ55Yqr zlFJC-&PVtRgXQ&z*vLU^_aN=wlk1dXWLeVpur)>!W-k&a%hz0hnEdZ&ZUM#UwUOh* z!1QGZ%q#A<{^!Ot>p}->_Q#8NA<0=Wqsc^h?Lo7y(uR-p$`r%yDHmA|*gMF&Sn3wA z*tfN6a!f(BnYq{lvEwdo$qyKdYh3Ny#nBKALhez*tG81wDc15glW$)icFfWSikmdV z@V4G)xkXifthag!RwKkoN9%{iFhzxUqYz>Squ!H5OW=uZdV-!hcl`89$_yz_msGeP zj6b}whG~Lq0WLzIv8MAQ5Lb-l4%Mjs)(7w3I zYZDf(F(?!-xnIU0My?pt!@S>_C~pH&z))i8tp6Z+Z2^3sl@R#8))$i$%k$y2(lhXa za1ok+r?I6KNXk6%xFhvUxuRuKVQLGS1K6fB~Sh(fd|<*UcVof~XU-xmQL>kIJe0zzO0-jDW^w zq(l&S-=YAbVy~|^^N_WxzC-!OUp@8-_u$?XnX@bt{XXmA;sws*vx##>em+$>A#(H( zS4O471_R{{xjh#>B066$u$c)J0Pi3-$L4p?@1pUpvc0=?kU10~5=eobqzl`5jCP5r zdjlzzpqW1wif`)z?~;C&kr7XQ97EkO&fOQ;b;TbK;M${|6uV&_1s9md9oNx(;bEcf zk3c{pwvkrE+N8s-rIy{bp8r}kcF&Dysmdy1k7%)qmcb`iJjbmYrRi?J+KZ^kQEl{R z#9C@4E&VKJ58qfGX0#gLDysqcv-~WZ&nhRuu?q1_@jlKfRK(|K1(ejVwnQCy?bS$7 zKexc-aSD^;ZR2efziRpQq)UF&ww_@{v-Y$FcZ72)_7ZJ(y_>(?H~e`;!%3dM>9LRH z_GR#Nkv?lhQ_<6X_P9pRDw|{>$((kNF0<4PZBZWPXJdEdpfsAPu7YjE0+*VFVa2WY z$HzzHZs1AO+E@}#%>re07y=u4u-1%8pGpxcqbK?n-$gq`i31_^LPyTX(kBTS7GLuB zGqfqeZ>7#A6y2$zTVdIL2%DrCsmL9!)5O<$>(I*uYh<*A`$ept2CCD))~&76ROuKA z@8ZrbbRf_thI?W=rl3}0z!70)kUSd#bZH<+mwor?&T?#X@}Otkg=L!M`F^=mX!ugL z%apk0s6ok1gqf3?-D>Sw7AVmwS+QPSck``$ML;T!p@(Y_0cbO*?HbkB!#GLgH&kqx 
zM}76J2Q!OXZ`eVN9*VMfG85ASU$s@BK1)L;SA?W4A!g*7#>#Jg1obg+Gnanz*j9N; z`lHOD^qql*GvoJOj$tV?>tRkHEW=n^_L`Az++uwKQx2H|nGC|?+y zhHl#D*WGoy!6xiI65KPE2s1ja$hx(_r2I2Q$2y3ejW7Id!L-5n8K(FF`MTndpFN`B zP2~Rvdv6(3*}7(HChkt+Zi&0QySux)%fcan1QJNxA#r#2#NFN9-5r|Tw|1R0$BnmljbGUoa;e~Y!MLMy%Vpwf`p)w7$Ezxr`I-}Hh96G_Yw5O%h72T-o&T99=O8&fz8DwCH`Sjp( z&hgyqLB>)E59`K@g_#lf=Rx#->-j`cC2cx$whc9L(F?w}(!g_x-^OH{-G`_$iR%4U zd4K6A&F!GFT%M8^(AiwEm;ur3t8+_ryXX@6O3PJ@qy_U~>Ot!X_}ti1l4{`yHmD`Q@Ef=ourV!|no0c$oZ&bMGt>2d6wJzlwB0e=)!2^5!XlrS+$;n0N zIFZO%rc_+6gFq-vjx{KHzVA+^LG^V8$k;zS8K&X zTgM>mOoNLngvU#B1iXcdp~`3{vedr3_DAqJ4z>4*wcF_w+U$8@*3TzaS{Kx}EyxYN z6E)E(S7+h)%^(*P04Nv7dOM7b>lWU2M6`-woJ`ES(zXF)B(Boh!*j20g_Asw41k2L zIdf`go!%F_jyh*oj}uT&A&bLKxx~EsA4+r_c1{hFKfjS!HM@rME*&-Z?F@r#rgh!( z6x_Itu8~B@Ei3jfObseoTI*n^v96)k``pegQY@&@$RJFx+Eun-CUV5A3$STS=ai{wP5{0Q=@Sv2Dyz&{tC4Vlt3{ z{rdEC-$aZ6pqnP(k!i=QXE2KrIK1MjNZzz)&N#CqnARMn0VwebH0KN2>|i2xW;#i@ z-9ii*JQ|IuAI-{E(@8FwzG{_0j99CBlHtiacTG!+u4$GIRz z=XteeJizkWE*2!Uo|EfTAI9-=r#Hascs-$a@qJ}Ilk@ROqx>ekW(Pdk@ey=xEAZZK z6Ww;3V9Gwki)zlgfnbj5lNn+>IIHc78qR$=LE=|K{4@AQ85zwgNg1#dwjrzO`C+x# z_1NW6FpxMobJm{xxYy06q2_TgMYA}I??41|a5%2Ud`+^AKATCjI2 zIwCUlE-1;HBReK{;8}RFGJ?_j1qZ*W&;IvjyjRA@<5knhn!Dl5_r9T zhmr69>I1QCpcCi&cGpbH`ld4F6H)4tdRhUIdAJ~XiK)+L4z>=0^%F7o!r1cb-JR6Zt`^G|^tirt zTt~OXA5Q^eMZ0YIqbB+L+Zzz0V`o9zSb01xm|oWCi8ON~XBVnpEMcQSn{VP7$8=oF z`-auTROjA^t=AxMJ1w@WyE1$LOWJhtx1+%@1|A#4+V$7*-6)CM3#&=&*t!E1p&1i1 z@)((}7Z&y|+C0Ql)RSo1d``OBggo<>Jwpm8i00z*)931nPr~gFjq8qO(Aayy@Npep z97fh_4|O|7^Q$LEfSl{ub2Xcuahf6O5n2w%B-p1&9|A$8EYot(XK-TFfj<2(l~Xgn z6)?Fl&Hy6SP9*Wj^M|b-?NbzX+43HcsFScOk5`!3Ws{ZhSJO#8T`6oq!8uwykXky^-xJo}F zc5RS?t2p^em%>!k%keo4ME4#e<-0-C!?f2W#xUSW-H|i6+1A8|E?Ku5ksTvm0Iu0c z9b#mHI+gfG0iGL9-TZd8f=B!yIK-=#N``If6c_FxfGOc0td^ej4LHwQSIBdmd|&LM zQ?J7Vm}J;t5lqzNFie~?zLb-_V40R3KDNBy>XSYam2x7og;yheOGF_^1%HuwN-C8D zy>Yw`k;*rn`EFjuaNdde+36d15+h9t(;k!AOB&{A?2+N%o0qGKW)m_@5Q1i&<{9^L zpAXzVlwL8-rIvQ4Ih1Gas4*3vtjr)rD(5~VQ+mMR_LM1ZG%kG~H|eXXzU)|j$Jg7p 
z41HPnS013iX1_ik1h`S+4g*N9+|}K;i0)FObtQ5e9DZvp{It~Z;5!Q&4ys4m34Ldx z2t9fCZ3oYWD1@HcV zQEfB;Q_f3WtweT>5VB43;o&(BZj*<78iGR*?!5VET%AM&8z3MA+QVn;1$$4(o5H+O zN!xy^l}z@w#UQ3BaqNb@G8I~-4`*DAwoMWuJTd&3J8)5!t(4!Q6e0?lXK>A-8)U*h z(yd$9oHg+<7$RF@1)l9Bg3Mm8X;WZCs@lMI0iu`Uu0Ru8E5)+J>g44hI!E+csdVn> z5skMbizrwwgD-QuK!}xh-LQt4rdGL6x?!oz%RjHEo^seWLr;rgbV z#DYJ{m)0fa{fO05iz*gvHY zk}?VxpFp;zYqSYdoqyF7kpOOSrEJj!`IcoU+ItZtrmA68!#1117Rby!!pwF-I0)vY zDgc=oqy0mLJ|Ht$B`H};d0RhWe#P zhPnKsg_Z9`Uss zy)oFGoa#%B){dX?&fQIZxBQ{B_4q*to-2J)Q>_};3EO~cn&R&pJ|KmX0^zNSw7q?M znVI)+&onKZu0W$$4xMEZTxW4n8{Rtejs3*d`z}-N*(i z^EK06m7@JLJ24(a&6Uj;S+?c@)*q4r@l^K{eUxGktBnG$DX{W4M*m|X_i0zg9$8-Q z0wFG#yl^Y0tdNk0k)SnZ2ayCwDI-inR9Ug!i!pyB&XBG8Piir)DLr$B6VkB%D&SZ6Y8s7s=8OTVqn8R@9!kcf@d-mq^ z@|NFjv#FVp@gkM@bjZtX4kF6Y4y@2T%w4ZZL`q)YJBy?G0^!*66KqhOG`|lld$}uN zmKda2`V^~wA)L2qEScDT=cH08&20VYdJ#-112!9*@+Jpb7zVu2!vG2=!g=%cfoszq z6=*+G92E=@3Ixr3jU~@5>36~m9w8PhkNhBqEAzV{#W$x@47#U-@mSZ)4zYt@qb_c zLH~Y?WBstTXJh;zf&Y#E{ayDb{rkuEA2lDa?eF7%(!U>s@*ng425kSNe;NOh1Mu4# z|M$3$ThqV)!7ASw8kZpx-|;0X|I4|JY{d z_#lmc!@wVeF$>#A-N(;h{vec@Kdy=CqvnruAAcTyX9BSNhJ-(e=HKw|pV#sC`X8Uk zf7g5QC;a<+zTfxgf7iVKhv)eV{QDnMgFfyUmcO{_GqEvz{EPL!W`AcjtgN-fTzQ@7 zBoq*|;%KPCK8q2r4^*kqEj!{Y&o0FYD`xK=h)j~Dm&!=CdRg~~4N&n_yOgb#y6KR~ zPR#;hIr&jgwFuOyQ>Ys3<9~|BW_Q~9Sg*dQ*Yc+>i7w;okjNu43slvO`Y^S|kXA%k zhrb=lGky5$pQmv+jg72$+87GgCYVa(4T%4=+HaWSd7T%ghO#iG#2qb?Ui|ciFF!An zPT$Dz<3T8!1w6X?%ZJhUc$@F0+D|^h;)UpMXpYMM_&g6r2lFKPa{Xe~c(H}9KraZf z0A^Ldy(B90MJ*SUz$mK;k2N3gTeR^KyUHu=wf{SZ`@FL&rDVT3+l?=DJ0&hpyb{@> z69zu$IMZaUF88g$=bs_pDDj6(VEWF`Bk)G(Ud{)1Z&%JoaZkQdeo+J=nH#dq1iasO zwCuavjH4@`k|?Zo)E+xczUORDLiYN%8g~HCNkGTL+@zt~wn-SHXlu8T(3DZLQdCW5 z#)QAcoWywgMGC5vDg)Ump)C$$5I&Q7vh5%wdfuLskMXLB7u8d-w#X=0?>?Tz`A0_s zIieJdn&79Q$4y+-LgW=_1JKlt7-s1xA~b)f4!K(La~@E^D9u!Wzjn~t+OeaiL4J>l zh=k>HFhBU|YyWHi_U8V!8R6s|Fn)fr+_HbU8g;s`HoG|4emhB17G<8Qm4bbItX*d{ z|KTIgNrmH@T1;f1q^p)BMoRABwDe0 zk|haW`v!5hS5op+=hIf4lfG9{ET9_5*kIY@QSZVR`?Y$u#ZH%SAB&-^s2-5R;N(ob 
zbIV*;`;}|ybx(7YIHXW7g&FtNG>CansmleBG2YOj=4H?+5*uBgl7tq{`ulELu1D~h^q{n7iPUy49pvyN@2hbgiKPTi zSvj5f58kg0>NgfEYTr?FVDc6vB3f#y0FoTu_O>vF0CAXt@4J9XOd9s0IiNv4#L=Wm{O?_A}ENzIe@~rT6$e<%HJ=~J==DS|+RB1$@QF>iMSP-e%G*+pYVi5Nqf zkfO0}x0PjNk*uQ|m6YrmZfN&fpPVK_*6}LH9!d>wVU*QS)Z*;zgKqa!W4k0`5JkT- z5yjKks|DM;W$Khm5v+u{pOud`jT;>qT;5%Wc9>ptBlk5Jcxhr`asqGo z@XC+g%<6W{L==W4epKHxWlZ%80)>nv20uFJ3WVVCv4E9oEvJHxcw}6d&FXx&P-$qw zgnjo)Ut4p37nD!DLdyc+HBf2}Cm<;OtusHtUaHBtmI`BUu4lqN3>20YuBfb$g+NJP zG)#B}TSVDIe7deOVJF{{nPiTvie&d>-e= z3nQ2Ne5J2N5_@lRtW+D`#!Nfu5RZ=RxxZr3k)fAVKxCg#BS0KYo}-}BG&M_ zGcQ%yXppz!%(kgaGUH)QbCZbJDF?^q{k`*S6;;9Yz zn~!4jXn@r1CZfEsAJAF)jrw2n9OyrYJHWCGGnJT)BEe%3n5g2Ob__#`ru-1&e2ldJ zh-yMpo;0d)5kn}(cKQ8P(!lt6aBQ!*`iX-jzwkxBbpENBbM5Q3w8Ko2O3Ip~al4WR7AGdaGDRi}DXlZUuVR#{>mp!n;FeO3B&yqq)m8~+fxJ85hVBL7m zBa{03wl%R%9Wj-IPfPQpx0sru8sQzm#fGAUT3y;AI>L3)LwH|%Mb&*ic?WuWU+@*p z;52mtvn92?gL}S!J5k5+x^#H7x$2*A*0faA=*%Z?Yu@*F`ktu<;xn;4$XOOW26lK< zdfd@rbZ~eoIdtf1Y6M{W{e7tTjs$| z?U%vtt!8VEvWuIetj%w1_)d7a0qQ)6I8eH9x-hihr#UE@GUP`a{3_S=KzsJ^l_AZk z0dT9>0WPJi2S?>_TX2*E;N%a0(>l#v{?pl|UQHG$vqKt966|We9NG*|xr1Y=Wk8e7{gEk=*JNN(yqGCwC%qRUlvip}Ie`yi{b%{*uZ0tH;*o$Q{_c;cZ$Hx$wUZ9@*91#0@!K0@ z1qm;XQggfc^*26mY*$*O^Xc&e`q!3Rgzaau;EdQCnkS47vkR16%2ya~@_wcpZ?Em2 z^ysq3us&47Do>=O2{t@JeC^{m{p3=1Q(`w%cU#re;ENWVVjtNHZpU}?ajy*>W2pI) zU>sV3QwXWTxNfNdX+Q6yt?f!N+#$@~xQZ)%p@?^{fX*sMD_Mm(#Mk4had5LHTfVnT z`AVA|Sfu>KlbW*XaJ&ww&8ihoJp59tFVTOvjCPBpqf$b0OK3Y9C zzEUQwn-=!osZG6mjX>(P))VLZ(CD~#2t)T}n~$9x-i^9BjPuZr zra2|$aPLa(qT78h?vTa$8_i>70xRWu(3cTas51;l`FzY-DmEI;th(aiY?Y+~Uh7HL zVl^Q&n*vdnrEIE!9NI3hlr=# zIG!62GXi{!Nio}|(s_)KP=(?F5XKK&K=Gv92}h92VEhe_Baq z{=U*)ULN~J&XsJ(I9+McSxu0w`O}zd8HTLZ5whPgTf&em$!0ZODuX)#Hk+*Ib+dZ6 zv!&!XD*e7RS^j=g^o++Z-)~VnH`171g|O!PZba2NvFpp~)GG8>MT3~7!62BU7o%-J zX9(7N-fcj>KhyCqS;BGM_SVe;SwkrFSt#Fo+-5;CC79KsA56SQn*N|ketcz{>n zJ3Gg*UE^DihGo2fFz0JWGR5MhB9%FH{J*){fczEEl!0FEl zzC&LNrz{IZA-4&RS_qoKKaCo+1NGgMi zdb`yf7aH`B(O>9D_fSn(NG6#**o;C%)!?Py#E*wPl0^Byc!}>L)c0Wzl18%CWfToT 
zzMT->5IfF|P!5NvYM6)Y=z8jhd_Q{csYyD4YpNjIj5l~xtH+E#HBAfj8}a;H8dHIn}*8p}r_vES>e6ix}_6;TvabYX5& zg@e;$FkR62%JBn8p^BhXSGNS6Sdu30+;-qA{24jaVOD?lfo5+ zuJN=RdK#mqxafe-9ZB);wc6qAP;Py_ygY<1Ov44o%*ISpA(+DjR~9Tj;iYTdc+eN> z#;jlL%4H9inE_ROpnW1c2sE#Hf)uoC%V!Eb9nU4O>ywe4xSn{+vpVs;qaRi~JZ0Ed zWrGruMZ!nEAXY=Up8u*X@n?qPZ_^HC5BrZi-~T-6m&wGyh@J5tZHa&GNBsVZ{LlRe zmXAj)|F2k)d!emJdv3piG&ZpFFayQhCus)qm6wu*k7T{@YU&l0hDYDWoiz3 z*pvIcX&PZWMSjFwA`s2TxUq9Dvu{RUHdr$}(|2zkb0gz5#QE5F%KtQy^cN8msNmGO z3HX(I%B;TSy(qWysN{79CBVF*H=JbdAhV=DXCO+}A}g_v+O7YtfS}gBGtw|74UO!I zE2HU2+M6@y^4X=g0L?yjuJCEmQ>12B`gBP|vrKaUq7|Q}S6S!w75ItAvGrfw3V*uN z{9!u4#PXq~|5*M%q{aUGT7Ewc{d@WU`+M-0$BzHeQi*|pgN^N@W&3X}Ru&HW|I%Z} zHVrs=t@-%&`?do75k5#LL_RrgDS{ga$ZMlFP;uZ(1Yj-16LA86W8$yT_R`w@vayjU z9Fa9HX*N1+7OR=3WXYr5r@184Hq-ewtg)ss(tXpbr}-8Qr>0!nrCf`-sS$8XPMI0> zu4!*4*7t+w?M`Dn_bX2APG{cdSYMF@H4Z?tqumy4ik_91iDw}<3B=oK4AvEcoJ>9u z7DF3*)Pxw7wk+MEd}VA0tK&jll&>1)T zL)5SNAaAjRLWdWNgLAM9otq#K-?En|U%^6S(5%`Vsc3UpU-4HALYjwfeF+I5QWd_> z6bI`D5WWRSp`Xpb=OTV45rs#U)Up~r z+sp3@)~RDbs~J>RDVjdpp=90-3S0TD|G&Yta7m?$`1 zAsOzVng|3QJpd&`!H57Ct&HsYnZ8?<=yEaE-Pzb}1>tFR$kp6*_6t51sq9o7f)SUz zJxoipTjf-pppdfvj0Jj-X|R^N%;n+bWuUO%K+TFdmMkZHeCtFI{RmC^YRXoZEXi1? z$Hh5Jhp8RW*PI7p)Ey4fXY4%n?xGf(9Or>~RWAVkZ)Wbozfr6b5(ajX%n(SRT09PeL?onKtU%?*Nk6Zre$rsYeN4W>&U ze)m#j119(c|4TWC&_7eNAq!Lg0VOAcWIP-5mejZggUn+{3ZN@~iz@vi1EnaVY*QD$ zdhz_O$3yh^$_f70LtGRe1IVqjUv9wgW{pq9oc(31cKsqF#X|BWfqSf&BK-RcRxU)=%p~G| z%?L2jht?n2KXkoCrPWNUwIp zdXEhVjJ_b&fh+^4^qPgd9Yo?e(gRKXeS)o8acabHlaE^(#=dYMB)8k;x46nO3N@Ni zpXv;b0t7UMQgZ{I{&{QG>V!b!#XgQizOg2rvH;c-g8mt|*rqFazBBxDMoa^yW6kXg zkQ^)47eCLTYn;}K1&BVLL~>~t&la+ISHaAE4z#t;0dYi%L?p0M7={+G7)?Jbe8z$& zpt2H?K!N#MBBKdn3yd*F%atTFWFIXmH9!y~Y-Vq4ne0ivi9_@zcA*M)6>WHZfu4)*2dFCD&`22GM^t^Kn zR@+as5?BV3rtk4$L26Kt6_q^v|A9(D+z)9s!$3Yv~tT5Vvaie&R+9 z(dD1L?C7NS@b-%nhG}rxXbVH1(w*JU{LE4&QiCJAy+0S|WKR>N>!`z5u7sM)C>ItC{+<&(D2sMxO1O&^CVHd! 
z#0TsEa2*j?eow(rQg>XwYSuGWjHh`MD0hKD(X)+9kk&aF&E*4BI&VKQ6eTzJIeH)W zE2aXuoboB3_Oa8=w!GNaR(wcoLfKEzO3nGgINMwZJf)v5LED$=?%Aw1|GvZqT*XS72A*hgJD4|rLO1Y$r zQ?`_>pWhSp09SnFSClWU7tguJLJznB>v}s&%!)dxGz+m?4)1!V8GNrX+@7xr%0C*P z_9J5{S@|RtN4Q3w;{swNKP$>U#oW*wVSG;DFd>!)748&XoH|sO&O+KBf~V<~kyxgx8{ zwY5aI-{QbkI)K`*u?d=q6jVoaTWWQ)(^6+1x23ksMYK1A&D>&`A*^Vv?ND#_@fm@; zZK-a5_}%AjBWD^ApVxr4KYzwynZe7l$}-(M#N@OCe$=0e@VUXbSd#TzMs4nK>_qG7 z?GQ<4e{CrYO{vNO@H2RWIsO5crT=?(@((GZag_tb!u|D;Eva2q>}56`z z*v97$lCZaw3Rd`l@kRPJmD?yDHQKW~nR&up@6_?uXDMRBAImhQoHSgROxtHFm7E?p z&st}oSdv|0aR>(b?hbsD&)ZPum55Ge+z^#v6oM`A=iX|~MJiWv%X& zJQ`Va%fM(D^SKLhlM@K7;JvCq?>oBlHno-m4%+QyQMvKWO&o|PU5p7@o37xqzqiwU zOC{FnS6l1h%H(+HZCbLDRb&cf+rZI-_kkrOF$C$YRw<%T5E^1gmY1(JO|8f_w}RCv zQnp$;uCrjm?zo*sHc=riQMFl!v+R6kV-(rfQ~s>xJafFW9cLLOoLwvl6_jPy)i?x> zfu2xeb@MPPLjxs}P6PFY`1!D0o3JvdcB{E~6zs(wh^m9Iv0U6DNBR4RCn9m8HahNt zq_3jBv)Z(JDucv1GSxz! z3%M<%JE{eWN|hB#SlPKm@WPM4$J z=MH}FHVXS8o<@DTj=S0Af=MiPHYI#5XxNk>?^4veDs<9{pRyNBbz=T{6k=4P&X%d< ze)Hjt!${*QCP~)TaYqks=ZA$SmvzdwPg-trF6PiFrr=_#Vz=Ix_-k!1J6ZXjV>`(q znzuRi#n8`b+b~h^ncg}Ecu>oh04wPG{&RZE6o`mm-IkiAM!U_m$;0dD`t;LnmNTwV zA2%U~S9_suezR29m-y!{xxS^ZSV9+I#E+l#q3u4EK;m6eVmo#1!QdU&gLr9-ta0g; z9hR33(0beRT`S1pNae4 zzsd5M&z34Vg~{9uR5|mvofUi_iH)YMFqCqu%HJxV*x*%Nn_tJ>t*E)>mv!W%(+?4s0mi|GM!|A^(5PF+_UXQmZaX9Tb0eGnQ5 zq6g8z8A;c|hhC=y?R}cQr^_lOYE! 
zqh7T%(}fhB(}iHRV@|aIUS416ZLT-H>FMYwW)3A}f_f}f=dqwvwJfi!dp={KDQzi} z6MMLvWOaop%@RZ@R#jI_&uG=^35h>UO)+F7NqLpKd23xC%;IuzU9+$hb_Cx>)C9lx zt6%D3RZn1|WpjyjJf;Gj^vz}}vGa8!d=Ht1v|Kq6>*{j$zH^#M>l#2i(WW&`tKCB2 zPCCN!$z>g=>Bzt7h|As)ToJDe#?p#6xh`F{^GAf8K*ZRzdD8dq%o^>Yqa4;PG@mUx zN7XXdf=8r^Mv(wWoT@g z{Ab3O@--!0(oqt&66REI$87~!>U@&>3E@9862$rDtY9iS$27YJdo_`k_*fTMU9PN) z@t_;tg=JjitcQAZ)LM7**`%Em&F?gO9`o?PEwws$`CODlW%5qwV!sSIuJ_Uj)}3>@ zUnWOBKI3yPRsw#``r5s8?is;!wQTgtfL)V}=zI$Xnxc6b`c&mg24^?C1c%y5r;~@; zUi3+Z^L9>8f{wBB^D1rxS%epPnY0>;)b+(Env|w14=WQi# zIiA~x;u7)X*wo%#UU#9u8OX#&!FTYj`?d&tk{8F(MYI0J$Ba{8{efsR$PV?pOl#d7I z0L^I)RSsoMy&_7RWXoZu6q!e5qr#DPcCXj0h>*ML{k>_OV4@Y=lrHO z{^A8Wjw3d&yT!0>q0VGy{kqX(g1s|JI~C5-SoY6F_@T^cA?C8V6uG(BA}OLqH$TOh z2E_RYr;wG!JBX$jjSGB9KPDYj4s*u(Kp8{;5GkgrBAmE&Oo<|#Aa#;gBAl@RX-4WP zjY8eK)U$!9BS&*y45MR9%j1O%abq9CU(IM{qt^Rfz+9ru*(d4*Sn9ku7pWmcRglN< z)FFG#L@+*cpRZ}YnnDnVM=u;9!@@l8358#mhPGw(+bXrTIm_vDV1-dv*X^Z%>vf+< z$FB3Eg7KhCF0-r;Kn z8gNI{b`?c4D&=BCZy9dDAz?6%p7iVewaV-Y!4$kZ8i9yt@UV@J~kw;LH;$E_4Y| zWF6>{;61^blK?vhpI$Zu1!}N_?ksXB(5r@nkcaN9Bs#K->*#L(U6Gjb*?}R(7T^Se zvZ|<{lp!H!SB_fL@RXb^FehV=HO3PhzftCZgb7MbQ9|aZ0PdzNJ8@#l_Lh`QAPYi@kporqq5A8|0mj1(M8>jO>0*}V zp$fgwVFpH5?pN$ZdS!LrPh8+NFbJUr#A%G$)eD?}(w47yf?uA~y0CBsV=qoZ@Un%h zA%2yRa1H~zf&S1yqa>t!Xr%5z0;dpQS5Yy31$|R%toBpb$xjmwVyNk|BuODjqvU9MEpp3V0)5C$3yF*wJj@G`B4VRTl$TcRL$x{Zs4fw zm=GE-c7zs+D?{VL1}KB1&*R|B00QKDRGK^f8OPQ8LPHaD(0Q3PJ1J_mVl9eFmqjOV zuW1lX0g~eG*Bb=CDh2UsY-p#7hdQ#5iWkuAcL-Bz9Fc$3`TEmt`@hlzHDEO|WH9c-6yZ`5YC^H-DpZ(Ae`)me!7WRLSX81p@&-x(o|3gcZ;qP>Yztb81 zPG|T#o#F3vhX0*(h7XnPU-Vi3I}Q2YTBZMK{cjWfe_^E0#PXq0`cE4FY%Glbeva+8 zzUeP@e`uWkvj029;rDqq_Wx1G`k{&X_j>l)((6W&FQ7#>)Dkq556(TSxVK z{SnUa*Sfz#B!6zReuOcwe!xM0XvzMZpMjZx`2*bf>)5}y{{}w(C-=ZVKnceGs6PLQ z$oL3n_;*m^Ltgk_0wvPbVLm{KPThIlLx!1$Bu zN0>+uEQ)stKB$= zaz~kGDlmhWZnJ+KApMk%&hJZy4FA>Y z+y=mr6*J@Wd$*ymr(VAU4ZYq+=YsJ)(v{I}+m1l%ns)401PDB?=bLl`00ILYpY)!^ zD*2UP;PGeL9AO)@(atdrz&VB6Y`anBQ&Eug-l1(wprX4 z!&#J+WRV)CYVz5wb)kXE-Y$m;c$}39Y3h7^>0^S^l|U6n5L467^;p&l)_B&o)}q!j 
z3!;@WhE!@E;FY(95oOD>b6Kpc4GO(S^1A?KJTh#xORgD)?FNGu8nKY3Qug$~+%p5a zw|z4Wa*AQx3DXxhaNGkzCaElZ{}UYb=+qG7c19yVU~*96B=y>GwFGWWXp^XTHGM!5 z5aqku?RyBq`+FQpC#B$~U*p^<%Jcn`$i}j27-x7zFWorL*}iRfZl!CU42kMld6H38 z=nUt^rOUNXjm(UC4i!h$>M2wBsZVNQ9isx19q+-j$6?fK-oU;V`Rjzi?2yV6w@ zWOrzaiZ}Nc%aUgi`{$`mXFnrhr=rCZI+P zldgV;)Q5~;v}652u9S%1?ZBqL7dJ6CP^_YCOlzkk&R)W5TZ_rwM9F+RHDKjW*49uO zPLDTrqHy~XVZfioTWcy@H%eWztKo4LS)8`-1=5{o8vWpH;anIccdgw_HwuyDN7RMK z%8+Rz1hizM4^N-HK?pH*(h1>us(uEALQ|WKa+pJH{YuDNhR)GoXLMN7Xjt10d-`EG zL#iB;$fFSRwV|Q6vXU|I&!MNg9AY za`Pz+`?3WsB@3VELgazd3*WY@LY&uv49PM01>5);8z)x_w zsQDtWY6pGCBzKhaopkswMa}k|o}0jRD-NqI`^`BQqM?yEU%XGglRKx#C@4xer>764 zK(rX#fYxQvw$%(8_=!9<(0LpvAme?fRVGI83`x(i+x7sGDI7kbwr9PF2bkq_+cF-F z(TT4=7<=9qdY)Jf(uTDtKg0?hKc7~Bt{c8#e5mXmuuLroD;!X-0qqkC1HOU{8N=Qx z7rIb7my=&|_m|HnS_&f;XKEj+N~7Aq+|5|@ikNn}PGrb%^)ybc`OA8D(h4@Bv#P=) zB7^H+qxh07wZxb*r!#noUkkGvcDUHeeZq@^kWSu^U6@9xMZs%V^;vaZHUgva>|%WY zd#|pCGU#o`f@>1-=uyLhAW_=flC3ACr}!^1J-Kwm)6b`{H8@lgSdZarm2`4@ z2NUM_G|uxq&j)j-EV@r=GyJ-GNm*`rs*VvHVp-tcp19uAOkaUL723CF$uD z4g2otk~`BmUx{liN3%ZNd06y6Uhh<(@$yKLMdHPe4L&mX0V;C5;8BT9dVZ9OIx&!m zJb{0YTa(|ZWQ#ejQWlAD`^CezeR$Ro7q0={{LR^2F8GG9&EoqxKJG|Dxk(GAZq&*6 z@&g%p?Bz{%WjkAzIju8JzLvAKC%Ig;zliEg`>aVIn zXD_umx=*Z>KWJ-hIWo$2)DWILKVM$93EJaFi1hCE7z>xAn-|t(VX;tXSr(Hu$=J+2 zeZBABUiC(y@EpD?+dLIY^*jitk!>j{^tnHvVwD@t%3rIlYhjC$PG~7}EZ4sWA@!}2 zr*HA-9<7KW*2^=~E)V)<7>L_qH4u1DT(6WOXtK;4DQ97Q)3pD^ka^GZt%<=gURjb( zTrL)H_+jCPtZa;~w6nCurhbY_+?<{U$Zx{jp7Zz7$puSVPeLk*8(HxyS1t)sFrK=u z?nr9f*~&lNj$ThHnS%px2S&@_UDuD&z`3aOUD*VxNpj95aScB!;bLnZVP6}k!#-0R z(hd7!ic$D^CA^!hdi0&q1nL~8jbfYbtshwuytSnq9*XCd=Ij&|KzWWUHAU)*rU9#m z#%swcLkb02XDW0Ibyh}MwJfv3-?Y5Zpkm!C9h%u$lBK5dE*%Py#CUEE3Vpfho4bC6 zwIg1;Xb*J&m z4jC?o%Pd&}pFxuOQW)_4uzxo#GCOni#?8II`^d3PfEmmuj_muV(#_% zo~o+zEW3KWL|tM#ON?@=L;O9vF8)oVqZJ zH9)Vl>xK3gfX!e;rOa{h!xw({Ex=5l8W~;&x}L3FUahX!W1I(2^Ac(%hsXN%7J+jp z9AxdO&D)&}_s}j6EHH+V%hsMKB#Tf7OGc+BfWO4XgItbI+bV0xCq)twO+_U&L z%^}lajaI|A1oLEG?6XcedD_@roD6)g*gpRbMfk`UOZSVsG6zT3tP@-!ip!RW*4+oH 
zZ|UgfGpBE!nyUpJYUMRl61Ra;o}|<|8>0R4OT3Z!?9p;AY3ln&I49Dx4s`F1AV* zxb0wFl<9C$U4-$vKn)un@naCUZi)CWY@lrjV%UTS$1J2AeB7I0TD zC6ZQzA!sGe;BgANc{N%7^+h+(BUK#nV<9-F$Q?kAbh*6{G-hN8oYU{$!QQ&L0UWgP!#%sEubKRf<%lwlBuEOn)7n%w z=A4FzkX=K{I{S9wlPB#RX;Z#A-PQ@_5F<0 zXHS(OZG3F1jEBiKQ>8^jaL78)ro>$3$b@#9jEi4Jml0_cR`em;Q_`kJ3X>HH^hX8O zXrdnrjwQzp4~p$H*Eik!WEA;jYq-FY!_IEK5{JB84t~~LPt6ToZIR*owxq3AW`mn~ z&#=w^)!x+ySy`2F%8%H~NGuTxq`8S35p2BYocBE+)}kR0Q6mw~ut+l8U>Asw#bqf3 zlL16NCLz#hB@4ryDD4Byp`F4>mJi8sfC?tDY+OFH2AaW01<9q~VYnOj_iPjX>+EHi zd+%?b^PcBC=R9BMy!UxeoLX?x)z7ruQ8D=OqX$Y#8kb-3?Ol&8=r`oafnRJX|LKlF zPhWTCk5|keHT!+t-mFTlT=vTHeACMd?!LC=3w7@KMTg#4xUzNZ(H%{X+<$lDk}h9; zvwY#T>abaLI^XwKz1M~6^IayayS?`0D_uU4PM-LO-##*}SLym>#kP-6UA3_96Qwop zf9f9t|5a19;kN7Q_iw)D^xm1v1|C`+j@>r-`j)YkCx>+(GJ3>a_b+;OXH}m8W6OT| zjqc-rG`D8c$+3MZ!uCmfN~>1ivAMbD$l=|8-#A-MXq(sV!%xrnO3B_cxw_o=aQN3r z^}5{Szj=20p63<}durC`zdro^z295^v;5nA{xtOA)#bZyICs{6Y+n8J&kY;d*wTCW z3lDv*^ucSM*q)!T{_ksAzx%+_=AO6guRXA#;#l+Gx1MXRPPZTE_Rac9gO7LJvgSLV z>AQPu*{h?=_T7GD<~`MS{$kf_wyE*oJ@y$;^QM)Z``-0WcZnJ`TC{-{r-IJwU$rq-*~p)LwA*YHb45z=3Az| z@bc2}KNv9P#M;WPQ%|h=>Bk%i3)vG_;w8b5Her2-e z6L+>WZN2sQql^DCp!)6ehmUMp^3Dg_rZkPd_vT|q&i<}#@wlrFRd1cSwQF^&f3nxc z$yYQd2dnxVy!XX#Et!Ax+|FgKAKmf5i&qcrv!bN&#^E<#zcx2)#iQF-^)6e|R`$2! 
zD<13MhyX=z{=0qt|9&SmHSb+kJ81UYS@Y+q*>fuEYo^Vgm9H=QxzvS>wdi;t!P$UI za4dig5tZny{cIrpAEn!n&t5Ft=Ho*Mhu6%TQZuKayi%q3c58m_sG1qmrZ?azm-t$J z@k^2$Iy4S1KFH8$S=FSx^Gu+v^Gu-gOrY~jpz}=NU7ZOOen&eo?pGSrJG-3!1=_-U zp-o}Wv+(`hz89`{>3iXGN7pL+Exz;T!uLWu{$9Z2d*N@F`(9`h=`a1?5nkx0KzHf) z!spKS%UgF*PK7yokIAh4OkhEMO>GXUsBI1r)x}qQ4mr-JYRlU(1;vf8@;U8Td~P~p z@zLXqSv*dhF_%cXfJ%hLbQ(qQa6d+TwfC!yLX|?sjKRGrL}xtrt4(U;_0k}(7f zdJfN)XUuy9ywq>N312amsZ_`+(`mfdq^PY$V9PvPlXyXARE$ZB+d?kPpEX+WXN?j3 z;X&^y^9(FVUgE0YeqF*cu*RW!VKJRE0hKKYOO04pE;Tr9Wx6z$agML{b>Pxi`I50L zK}iFmv$%DW8-%R9 zPsDt9uQJirn?z!1$};sn^SrLScZPKp7;e!b{z78Kc!Nz@em;0!Ye?lBk3%IY;rRfj zcs?S=^8rlrd_)YV`b9iPjCEfnAu+@=FylnqkfOROT`#0ow#``fxL%f$tRjYrt$aOb z5@9Maf!4i33G zp$04K5wMi~n{rSFmY+-TsA3u~>J4j_3oyq#yTryaFY(nrN2tLn>68-d*>#{ZPMILD zmkRkg_&iCM3EgrE~t{ygju_lv?2sHR-Z zOGsj+UV#a@1n?)XmvJnhU^<1q1-K}l^WZG|WN5h)HUb#?{b&tPQJQ#mLFiHNutZGf zHOCApc!P@3bUmMP%mq3t>|gNk@}jNxLRKNc-A>d;z`_!k?x1Zd>_!NgoVQ?wZiRpW zi#`I|cAdcaki7?{S*E}Y&l|9e<3C`QV>n=*^%oc%O)-Bu`b&vv)=SW(Y$t)ms^dj+ z24;CKfqB+To#3Bns}}C;Dy=hJ;8;Mzo8xXmqC>Vr zYZr9!t~#d6*lvK%%CRBU5aTd`<5LZDFUOI>vvR+w!45a^l4g>>=%fT)ylau$BH&;w zLy#n}4&(w6NV-@Np8Civ=YAS@?z2w;Ch`ECSYcy1wL7f*CJyO zbRvJ#2~tzBo}-iEwutY=oWrb1x{Pfx`fzg2o#(t3bg)F+uU8y5=>)1E#^yzw2s&Z^ zfQg(Fn3uLLK+~C*pgN#4oZBN9PuZ^m%Q|Rl+4q1B$&2V$#ECj40xYX|Jj6O3<7Zwk z_=$;q98w@sx^ zBjV?HO)ID`>yb(`$zSR?mqgnjWq^$zF}BPI`vM6_IU^Mpqe_5jQX|Dm5xpa?wepZ z?}^hU#*461^o#6>_W*Q;Ei&!{zgOY?I!qBfEAfZOLik_oUWqwJCeC|vn4);PQY+!s<=k>Ur*i92%fMi8Tei8Z01 zAfE=>)z+MmQ^LX4*4V_s+1M5BZqBIU?BHr{>WX%--}|ct8hC|;gEOO;qoXa_6nF{n zb#(^|R}W)nb1p(Y31@R-SKz-n6&<|Mz_;Op^MV-lIknLCW)2=Mj7l1eU=S}zfD!lt z0w%!diGb;I{q?=fwaiWA(XM=OD3TY70Nx@mqoJs9iP08qW6pTR+|1O!2V;9w{O0ztw-+#nDK@CSIEqJ!Cge~GX#p*ipofjB}B;%REk z2qxqcS7hWR@J0$fsa#Z|Q0U#0m-%7G`vD z1)^$4=$X`{t>{35B&%L57=9s|wK4n+7eplE9JTh~3Hrp!9DmqXoH83N)XEo1R*zEs ztLkV97C57)hiu17uVwxu1No%Z6l~myD+7b~Bqt_PuP=}_d6Pqba!5Pelry{Vvi#bs z_}GDkb%r+6^}#|Z=lcfWids~O({h(s{L+A)I^VU0$|gO8$1S&D!(@7qxob6pb8Ssc 
zBSV{$+_)3po!v?oGzaVpo$kG{74gspKYeHwfgA`}!0{FICG#Cv5ji=WCQOmFPL4H5 zElTbijP(ku&Fy8|>D3p@?SnsQcZK@WFJHT{TK2toX0h9Lcj~k4xxot`$(tGRb?|>u zG4vT0zR2fiuh6^X)A+E({9|W(VRPMXqQ|UhiHUs9g%t|VHnVu^RO@q<*K?s(T^xGyP% zc2|M7ydtc3q@wi1rXlTQOyCDM`rK!8W3Rn*evDWWKvmuCxY!$ zP#V!IX>hO2R3It*RnEuE80w4ds6IcVGuZd*`LWc8h;DPuFcDd~JldAtNK&bLes^7$ z@ypXyF37hF_a2Z}&~(=cLmms5imHeAXlp%MPY=wiIEyz{LP{W)JgDo(?N1i37F6Sx z^TxX7{CobD*S-8OjSg<78+dFNFaBiUazfkFR!UlCXu1g-R$XVH)qWMq{Ti)bI3YpP z#iI41du%yDZ~mOyI6U9t?Uhi87`ejtT&lCZHA{2}r`WM1<{rPid838bWO=1Tpf*@^ zIJNdC{g$#wVK2Vvny)v0hewC1fKu;JnpA$DM0-?_oQUNlL&m3OSK~FE{P=E)a~4SM z8LG_gYgHvyrZTF5oib791Fl`MuzV0BbWv_Lz(bjlH zkRi*1LzsL;-%@P{8wa@;0gaL}=;A{p+j^5sTKn8?-YJk2o>VZ*EUKk1iLop)2fUbg|U@#*D4BPt}2+oLr zf_RZ|2tN{dy`;H|D4gR4_P%5yB7J zBSipI2pAA5803ITT2jSOQcA*5N?U^$$Wp(JAsmAY_OIgwMnV7z1PaOs10n|k!BGGi z2)aiLK{3Km`~Vpo!TvdK>#Qe0)z?)2LE4B{1{Nk ze+>lz!~X&RqH+KQ0Y(i5N5cLSl=R`*j>2HVSpNKvvmF8g?F9-7XM}+ez~}*CVT3@y z04E%nQeYG?ctGrakCVE(%%K?t24O&<{(Ybzusr~NAW#QTzQ) z`S-F8fdOlM6dcCS2;~O@Q;Hu9XM`a5_jCcp2n94B2p#J8Kpmk~U<_FYquZK|D~L85DE@w1jF}8kx(R@5eh*7BZz{+eg~6~I6QzD$__aOW#6AwP~dMM5Nc1U zfLR5B0jUNc-Fy51(%+%})C4ewvP1s8vO|Dr1rYE9VL70J0s#W16)=QHQ~f!uFhm{l z??oK~gX{sokeE<=Nd^XB9*uOw^M@hnkbf`f5X9cI2Bcw3CSctFd<{r}|AFeyKw(Ha z^_KmeKw zx; z1X3a#GhF+u`&g!?JV3$0&gC!`hQdSty~1N)0ZU^bTu9V!;rhk8j|CK&td0i5(0E`u zbbRB80+ay(1D1Ul6Mvs|pG!ko%FNuw)EVt~#N3BqC_VJwEB!&xfQ2#y0jLHP1MU|u zCYqtRgPXnC5t9r@|-M6$UJQ z5O6RG*wgN#?&JT4>Ijqsfm-XIk19qofF5Tu0QMIU1h7`cjN(4-KAMDs{T`LEy(uur zw#Mi``7km96eA=2w^An*&i`Afb6#IBoUWYMN2Jyy`Lv|`{Yo5Z-=Wdmo`AEV#iA*X z8o_EX_tDFw+v|5>-GK>I_n}J@A8c=r&BcFBwc z{PcX-eJZC-L-?E=x9urw@#mV_xZd8oo8QB06&(0PuBphRt^!cdlR#m?+5f2qq zK0RC5G*$oj*8~>LunRvEMrTw<;*!sVT{$aUzBw~{tNI%C2MrW&S@+aE;Wyb%SvuKN z5T9p7F0DOFk?KF!$Ai&3Pi2}V}wf*w>5hjNMkLrtguQ>g0Mvmu|wKZ2w%xyiDJ2FeW8l| zLWSkB?dttwa=bVonKrrAm;+6NdJ}zXKsk-6KI%X?V2xgR{Kg{$@gg}?*KZ`9pT0^< z5xdJ`D&?2yOZq%UjZ9_Qi}nr?Q{1VVdK^*54;^vTbLfa86tnSbchZmD2=~;x1h@FEkuM%@Pvm3hGYFLh 
z>-r{%bwB21T+keT#T2Vn7NCF6IDeSaxmTKcj4n<}9bjX}8Ix^}g_54!s+~KBb-v$DXyVT|zo~5Jf*}w~-jlnG+mj z77rcGZC0cN1>TOo^p2T8lYsJPbtifJT&NdS)aU7KPP1}K8FU4G^e{=J*Yr+qh?8*6 z3BB1m{sK~hkdafDB#iu6hVPUlJqV-db`lpxe}4#jv1p!I`rK#S)cKl06W1A?M1}%_ zF8Nd~;iTI}&64X#%S(JWUIG=>k}) zI*M35-<@NWXHTz}K?@a8V4sn%vE1qI+~8y;;9=Q|#6f@ff_|(q&5BXdc^hvd-{#xdyl-_M z&zEXUaNmuKb7MJ8MSXid*|Lm%*_mZZ2je)8Y8e$}*z6TY72Gcjv> zo=uPh!A7g*Y$5#o(JL~}u~W1Xz7fEXN-Dh;xq`g@utF!v2>i4mi%uv^JX+d#qU!}D z{Mv18+|%1srK7V5**@h}Me^W`|J5dG3s)m!e*!&qCSS!N&k4#j;@ew817GTM#v z`6bj)jW|i{#Z_`ExfJRPq6vG`&G*$AD`2v#{XN+`>)X;9t>pp=Q|{-NockcV$mQ~R z=ck&c_4`V7W<-)MafW6?R1GHfL1rxR9+bA~^b2Sx<1eWWHZTx9g z-#UN(3?bo=x(|(V%1W)%yemp@dG^jOz!ka=*ra=lzJdiVfw0UYJ0X{gsASz_D~z4DEE)55+0xLP;>IK z2_|{$Y?&_=;G^yiY1-L=d1@VGrTEKkDCErS2c$J@J$xxPr<=+wlTFBbt%7&B2nB4~2 zXNGm5leI|?A9eW@cP^`j7Fu&MUqnK9xp`Fgtl#$JwM4lJdrrcvs zZGUbgxyKq`4)(wIpl_y@=)$AtGF8H_)!s*GFs-v?ZoD%;`Cb2ZX}<{^8zQ!DWaK_u>KSHgtYUCdn~7j{LJtEyfxK? zt+yu1DD5<@^mYzbB+VITV-Q_@qegc**CLHL^AYN*Rk*`E*jSrOyFEt$`<*DEBGjCn zC?XXsp+Rt&>dD?LF}Y`@V8oB3B-22!k#>?@9T9N;J!kj_+ByEzGf;Cv(~)@4Bu{_0 z!pG;GU;;R6pll}CZzAExy!q7R3q-3>)MSxD`s#5TS3^>oP3m+n}7zisL-0H;)qv054y(;eHSZ8r!Hakx)aYL+A|-;6FXNs{Jn zM#CUV%K>E0w>V4RZv-~$P@w1~^gbrtU=1MYD|=!;y9xcQY2r-9RLzZyjbiD&qO?&l zN|SM^yHU2SiQO?VXF->cGS`q!+?qTfF1AY`@xCWG+`*ve-ojLPVM>u3(kBS7xZYbY z(G#7p`Tlb?RB4_)UJf_$DSw8t*bAp&3bV^W469#fs;LI?30iE4VvGa075gsfaK|cs zn{$^&CKIqd@OhXcNMet*q#xrLE|A?TUTHQq;$d(2#1au5vExZFyW@CrOUOeK9lpiL z5>t8dB<(9`Kf7#0t3#!mYsCfIqKckYcAG1U9!0Fd%08Od5yJ(YS?{*pN+_Wp2$biuSqnT<)+MdxRyKy<(AElSi3m9z83T3@UL=MHq@&U_Z zqawLDf=852==(}>S=D~Mm--4iZrxmN=t#%iu#HKci>Ci+O?mUC<<_1XFoEo3w-?2$;w7n zz5O%u?dT6QQoP->+x5v7=H9iZ9#J}eF}|8~eL%Y0zf)P>Z6Gqc&$EM#pNZ|Y=VJ#i z?7X3~{<0sQrbVJfeqKo+HN~5fbSB7!w_nO5rpLBHhRnF?$9@%^J(DK-3oIJ99e*#LF4BlRdWHMam5*iTK=;t5kdQ zMTPBh()^V#lFFoZd`4l}rJyWvb zy7dq$srP&?CoNb@-s;-zzzapqRrrj(AfG1Ak)5F`(w3*E2;?Vz^nI({2^k^=Db-GO z_)XGW`I4wq_4)m*7X#__+)B08$&brD=uU8{fKcqZ_Ug&jMBvdQo4eWKScMh*{s6R%vjXzf$S>MR|d`)HuO?OCn4$dn6y7#1%($+#&}rd^i!kRj)(NEsT*ix6307l>mO`{1V0 
zx{KvYIpP230XOV8D`kMU2dLzOfW7m<796N*07nk{n_P8sQ#WU{tCt~Q9x|~tw=!B2!H%SB~2N*^*52$V(Us(kSoZUj;;NQx5`>^|9%FdR?_Gs_Fd~3$G zh6khU0Jz!Ee-wfC>{q|e=z$9U@zEksK&=)IhW|FUzdpe}?LMBeiS?cb&;3t8j5;51 z@^XxT{6N(f4n|@=BKy$)4bTv%4H>#xnHwrQn(tW%9qfTPOWC`logM7$0E5V(vNIH; zA_zOqG8+N`ly~8PfdyltB7S|S{SR=M2BYW)9BmzAIN^H-nh>CVeel@q6YkSEn>!r_ z!YK6tN4Uob1f1Ui;Xz>5aS^{D_kq-<)&6*ZF^YS@3Gy)#LH17Vf#V*`5dEUuC$ca- z3FGjFbN%Fgg`)j77qQb$h{AF0AzRg z8G~UY1Hct@d_Zu(LjyzziCM}<{DM3Ha&$f%A&evdNZ>I7A@^)Mu-{H6_8~EV{)iBU z&I92+Mj*tVMGXd=4IMo9@L!MzK(2qxAq-sy4)l%@2=Gh;5yG6)@L!DkJb;gx2hbuO zJL5mNFytEWv>YQB^e=-NKju^dOe=q}?sKV&{UJv%48;aKK*tEQ=lg&IUU1Bj`vtjA z1e|dlp4%9T4VZM5bZ?>@PJ{=?O%`w zK$d2QfZ!N{jW|xhhV9uFfZ2?}v(I?IV{3Yt2ScxcHy>kw_Ph%4J(Jo&fPOI^@VFkH zL2wMYMjWSH!}dH1a0CML8H4>|JOFYxJ{%wnxkenPT*LO<3Gh8#f186X}hPBhgT$U4Dm)Br+CBm>PRBKvy8Yu#ZMm6TflQs z`0Hj5aIXz>uks7}Xh3xh<)Z*GvIhTgW(_dvFCR8=%LgNbd)JZnppPI_Q9JaEATg2# za0BJ|<{ucjXLkmcofu^Mv`3N|iYXl#JB-}Hf1J4k4Ad`{yu zNreA6lL&C4157_C^0zfIcpv;|Mp;SCqZl#L2>)@W5in5m1mcML?X=_o{Afl6S@EM7 zG13T73_HHD=Ksqf4Fh2+-~sp1h#FTVk3z)ABEZZ!K184{3Y@|sfOC!m4cx~*f>81B zlgy8iK2XP*J`j7xXy7ry)R=wRBgqUUq>oB){22KI*t{HH?0{0~o~!(~Bkg_aqX`xN zzWsYBkMLvU5#W^f_y~b3e}K6hNF*4eyH9-tp@zy~GK~BIjKn_Kf3=l^5P-TLbkOM4 zR}7~uKU3XVFy(@!-sC_|cA~Ar`VlQ{;~EZ%yNH$3H_fwHcmsoiWqi>sMK;q6@u#I{0GWTRgi7wSd0dcHLY}E7hv|k-81jJbBI;;eVG*IdPl5Nb`dw&Gus#g@)~n9(gRfYsBljg4Hz{pI}-8 z?=LUHtZ{wiv3Rk5oER4Jt-|_oYM2kp2s`(Y@H+mh=vj{*A^K;t>>m)$)mrO_=9FhQ znq5C%TNGrJbdEcN-9;@b@XX1h+Nr#+f~UGRD=_Naiy%TI@wLn3xS#T_jKnwlyRv3F zse9AU)LwS@oIiO5RK&>;51)PL6w0yjdZO8GdgDYqiFGAW!!}=oJeEhk%ZHasWt~j) zZX3CtD^t_mRv9wuu$=$@{6~h1wHiW@kqE1 zLoMVp5h$WkY@o|t5%-=YbzPq&CsN4oTWN)_o!XXNs_giz`}7Q|f0(VY9pp+s7j}-~ zqN09fNjS5cbd)JK&((LC6d7BdH!jFE|7aBb+MtO;1UJ1g!eosfrST%c zY`&4a`Pon12sAwnyGwJw*%jl4`%jE3s7#@HXkoDYgB*SXP1C%jhVbaG*I=4Y%Lnyt zIbSxrKq75AuNn4Z_chpyZ$3W4nYh(^-v3e0_Ys1o9)-_hN@Hx!=MgbxU)!ReI-g(A zoEy8YLq!~{Yj&r&yORh#=L%KtBKAd4427wDP@!qyQ7rlZNulEBTGd9uX|AX(#}_ka zOxT;_cd!LGamPQF{r+h#T%I_YbD-pV$lx8~ZI>deaVjr|M=fq8Gyb{??G~zaEas;& 
ze|WVLwY8qBPYV_IG{(0WCw!L|!gO5=e5&1CS{{)d2Vo??G#tvRUFpufy2vH{GRUY@ zObmjjtX6k&WvTyRCBh`i{dq;dYofY5cOTbjnn&N&TB2t)%AGGPfn^f|zvzyeysCWv zES1NiOxz`HQ1=zX#hN_*jNFe?QIrSpiUe3{m43*TVH&}x|BiVc3nyY9@!TywWsFpuVW7A#o7U~I_f|a#O2z6I$OB&CDou0#v#c9*9hnJ&zFB6|q zSG_zzb>BtlDpD$M;Cx#RpJ%A&AWvU>Etk@@e4~yuVkNbg{CKD7_?CCmjjml2Mp1si za@NV5Y~>iUa+!^256bXheS!007{Mb#;q9b}YGNC!eioQuJJM>RIR%x2 zx5Qqyz91uckL8S)0k5Ovno`=ExNyB4YgJ@rx>!pLQ8o)%%bT!NS!VV8Gr}XioH}OT zsoxD2Aa^7|skus3xv#VXf|1@#g$!Gx(j0tvH}1jR^{1q3&RX@aHm5udmhxgFW3)3O zuhbpm_9N`;eqBuF_d3v5j4WPMob_(dnY&RInU!D|t(M1p+ia!mHIMwcc3LfSwWkKQ zPugnM&-qfyKfOi&DPhvci10K~r3>wpEk6_wAE%l|&)-LVwbpvVWoVTQ!b&GAz9He(Klf=hODr0u}_DaS?@+9_PXdd?3x#4Bu=MUCi_KXPi z_OoT5lP7L0V}rh>@#>1AxyT}ap8-`Q{I=?omlDYUqylT2R`Nw#KaX zpX*Nz*nBB?bKx{Uf1X3qkaM6^md`YIpe_A_F+GTCBy-D>?MRu~gy3TuukRGfvb;R+ zBD$FsZ$@bAJ^;g#-r2SCRo?Eb>L<8jRtb z^%fIliI#J^c$giMZ^(&9$lEBS;mFv0y%eKqMns$;g$`~T;tXxQbox_SL25}@;=JNqpE>o! z_jhZ>j4t1ciZ2e--&7j7Z=kfnBH^s4Br12Oq`t#MQM%dPq7hNqpLj;)GXKlel8JU= zSpzO!%F`u*9s@m461(&M2J9O1aajDNf(&;9UUfcrsit^O12OI5tfQaBY&uI-S<<7@ zNJJG)WE;h^qC*8uU%T_@N`?>r{Zp>}b8R6?(oIEm)k2BS1%LXn&2`Bs#AL9&dDx^& z_JLd{DTdK>_Dxj|#nkk-Pm@&@tu!C3#R7(1sacdxig!QpE93RcseZw{lC%86F0%h= zS`!14gcte|PTp)i4qLFijhQW6kEJ<_mySL%W8U><`_lI^fxuO{6Qw_Yngp4#zY=-b zN@tYhlIc2^x+?Nr_8jp^NmS&MOFpgV#un1X(0C9 zh1TROms`-11cwVA!6n4^QO=JM)UCoAr+<1yA@H_|u{%c}CNU_BB>M=}k%fHs50#C! 
z|CIT2risnR$L7t-z<}~-j@097%@bV$a?)`fq~Q!-YU5QZcROo86Z7q?O*FK0I?#*w zYzV&mu~B|YFpObmV<^$^vyjn`5fvr2&F}fqCBE-s`m!%ExUOAH9D7Q>IfhSoplMZ$da9;`y=0JP7TPyO=(cRP~;6g*+^e?ags_K@h z%og>++Mb&i_@1kVE}2|EfAueGk7;axOZZok?5ToC?1B zd3>yH88I`_@18t(cPif@%u2C?>+yn`z1tw=Yo{(2jux@iRy-40Lu`VN+}k2|8pofG zJ~mkS_CBIHd~3nBL3*}sRbWPJnJ)K|xqqc-cv54Kb4mtLDaT5VsIgoB&DTyppkgsF zR#wAyFI9QwR-Zqs|i!Y$yimmVCs>xDTaUPmAQa|4XDY9P(;Cn#rIar|>l@#$# zGBjyIBAcs7tE7WIR{bK#KrnY)Lw!ZEso@P_mLKb!dQ6N)5X#FGk3uTcf8t>S)T*OY zi+%RNtFo?fej>S?mr1>CQ{dg1ALRwY8tddWd8-&)n3o z5M;j_5nN;1JV=|HK%z067`ig?_!%Ae2J}UL-6e93+|!)9cuj*3?f$eAqmHwT@{gSu z=&EtBZ#`ru-ak{3)&SZr$!Z+2t>(w5@&J9L_P00xV~3oByX61HM+`Ztv?%$<#tWmi zgF4Q-$-X}qGjM;Hi4S78*Ro1X?WovcRCa)i)yEjSU!Gh{!e18XBQ~uEO|=ehUNP!A zsN*b}{A0@fZSMVoJ{nL->d5JbQPly1j(e9J|YJ_qW z8j!0F?&yGzq2(wB+b_E>Cfs39vX!y3*|?q7(=q%%z+q+q-~!L_1??X@FmOPL@gV#I zd;sTYZn~FAf!lwFqytDvm~-to#s8Nt7z1n{cAv}`Xjf$K^+&%QAPr$+9cKdAw+CZ# z{bRE}!1`y=#$$puu|+#rIvYD${TVvUYyg;9_6PO99p8XaduDNr;~QQ1@Uuv=nswm# zhV|uD-T^!LQ)r7AHWV3~ae5NLC2r=zJMGS|Ys2Tt26~0mNA3F`oVYXbb=v#J>W@~0 zoVv^{@2S*VPx@P!rgqu`7Ssc*qI=5t3KF`wC~q$iB&m1Yo?djQG_0LntW>7sde8nq z7AJ#r{38c84yOc2@?(EXZSBjc7UX*QP}Audhut||pP!!VGhcU>69aapdxB#FfCHJS z6rlk_`pY!lbRn~kGCuo;Cwy^JjU|*kd$*Sqc;j+xfOrT}uAa$guL56{PB%O(YOFx45d1D& zU*V81>7DexYfCQOp}vHizE9~lXUn(Mu^um>ZLo9kpD)Rh8tMDodi`be$H0%zcb0Cx zw@}!5L{%$at6WP5r`Bj@FAi?Dl~|%En7C_7(CRfa%#%wzHMKEG zYh>_jyzI%1xjPJWk>5Vu7Mg1boTYW*hs~AE_8|GsBt=ipYGyd}HYLS(_hCIa*Nx01 zD@G^R$ZNCcj=P9=On}U^d!Rmd;9_)N!&Q37*Y346=z0=#l?;~>oBOc6)bHc++_q|v z^{f`RoET!tdmv8RRjeDT8q`nK^4#r(6cLLLTXp-nVCC2S(rrw;_gXme$0M?eXu9sK zIx!9fNyt;x&xmT62aA$fd`m|Nan9$ODnh^Bp$ZRN%pb8zo=oEXA-1FC{PRH}ti>+< zK2LJSt5?rUDY)bH6{3j4q|Y{O>6R>=Gj1({N+)GV6Q{kt6#6=dLN~pxTYI|6SJHx) z1+Q0I0O*@=CMk>LT*R_8)$mujQ~b?X8{7J_Z)fq#u^T=s4kB`G`}!H-rW##Y6O`S- zB3yay=i)x<+UHEjf4YdU3f`I@>R!}jXu?-^s?Ax^gcwY)nzYgBJ<|8);ieg^2Z@5@ zi4vrS7%A?FMJpv-Eiw3U$CS726IsD#yIsb+o)^2ieA^CJW9(NP7j8w@boRtkaq(=F zq$Kz{H9cv1Jlp#+I#DV)q`&miwV`|OY^@u7BxpY5Awn*CUHs_imK;pp@}jbdQ!v&i 
z(ee)39co&aJ}E&Q^wq_HtHWSBkBepP9PX|5kkme;X-RTvsGDA`CY1dyOM~Nd!05BH z+r=E^WIU%oAPr~-yK6Ojdh?#W{h8CPv!JjO{levzppE_8;D;|p>m+IIwv#F!MsN7d zODF0SrP`e=mMr9|?k%GVid@l9)j-C`TVK{;diLaMc9`-4w36W>TiViuN`{is=^Ib0 z+PX_f-10Q0Vlt_}h&u?STfKkV59?&ojZ!mJPu~?Wi4^R+mg7g%E1vqG(+NLZ-n%&0 zLfhk3iMHCPQCLfa5!KsgE6uXB;p42^wP)Xc2-{j3dA|80v;<|+R5~YFZ-_g4? z+Vrv2gCoOZ1IX0XMkPndx%T4S)y9rAN{0FyabL?hcihO<}H_1QQhm<2C?~LQtRrgZy7v2<#-aYJ>ZTlq?Kd@6r zEw>;PD9<&0Y-sH;?@)(%B>X&|;h~o#+&Mgl6-)K7lT>}NGCNfXt)k}JocH*VeZ9|u z&w{X9mq4DavcJ|er;m!e)4FX&@Z{1^BI&gIh1Pb^bDN2=_X|5;x2yV|D)-&mcIq+w zxw5&oJv1Az&ak){td(->x{RUEt>w-6cA<6msWVZTTYp(F%#ebB})i*rDPQP zX9AL*Bua2!{E}Q1NkaYlc9yagi?LJ$30iDTzfn#urR7rTl{Rh;<5JX3Ns&1vs~8BY zNo@jx+B`5&@Ab7vzm=5kny+V_R+mN_Ho0*8S}nfmy-#WDAMq{p5*vFp-}*-0^`d6v z*o#3@Hq|FrA)WRa>RF)n=kagZRGlB+Yi|g8?Z-U#V78DIm004{dGQwMCb5D+BLr5Or3Xxs4DFC|bpT)+gjc^C_%<7leAcNLEj z0kmTVuD|Zx$KC7a3;61x03{S?M-Dw$>H=$`KigJ=F!xi(&`%o%-U9#whA|lM3ljjZ zCJ-;!Up=C zy&7G4l2>bPLfaXNBzM;4XZgZO zYin;^I-OYZZGL-tLP=3gVVyzwhP37nWj~dk?bx2vSov6@IDw~qC$K)@SP?(Q^Ce87 z^Mx$CxW%W~>^N8MPEM~1Nqs3>!ONYx9yaB2ZR3IQP148uBMqIdqwCAQ`3sB8u-9Kl{Kib)gavD*V^U_Zv>_F5Z;$QU+aH=Rb-tZZyJ+cyBw#$EsO`^WRFXW}cK-e{80?WrJlr zQA-GVV?YuYtf;1Dq$`znLsJ0n?i^&~`a<00>#z}z$Q_G{%t}qat7?&&T(tUKP?_Dy zE@Lu76Q2T6MlqDzQR^gH*S}%pddaWWK)_aufD`t(PoYXN!&5}>o zJKNNH@Turl=(=w+Ef9|mI@boLve2`TrCb%EAWz2bW3p_IGUFhj93NYx;e2#Swa^z?;v{n}W1cUXjJ$D>2fnWYDH4^R=9D_js)B9sE*y1b&KZxoC{W ztg6-|?^*Y?OdYC@knxUlJg0LNd*8`e)N4XJ6Sbu@@3$GS;RViIE;V43bW5HODl%pD zOdP7GkeDGKF)u!m?F~-`gGe$C8u7>s#DWWjlrAg_d=2jowE<*Z_{h2x*y)0Qd1JFZe{GQYSV{6-lhmi2g z6PG+ROZx6%nm1_Ay^4B&t->N(&bg>fcOe8_@etvHE4Jfqsv~tjTh7O} z&Z6h`P+D4hjV6)H&>3)*Y=~Yi=s%Z)BBI%Yv zI!WMm9ai;xS!RiHsj+j|<_cwsIEBlRsh7TEK{EQuW3RMaESkR;I+5hXqn9dN4p|;x zjnh{+*sYS~O2&=tf~)c{SIbeL1y)Zf1SZ|7pHFyL;lqp-`!1~925m;-HrZzz z?eBA<6NNNWWDs=9{NF^>c^60 zTBVhDm75r=q}m^Uc6wZ;)a%oDLD!JpgD2F2FhMv=S*O;GHiv|6>8$O#iAkT(A~F+) zX->F-Jw1go+|nqx;l7D}R?LYe&#Igu;x?9%wneJ5n*zkDca=xg`dco}r(@@AqT_Jd zX5KSp)hUKNQ5x5~Vju{z&Wn2 
zsptbkQ57RdSA68#j5Pi&*K-C{7c*XUd*LfRB~jG8Q2f&EvT|AN_C<<{+)EyaE_=C$ z{-3EP7ko?5)rgd;6v%Tl>?j}NbBu&|Ysr-cXBj_$m8B7(ToiwBB``Wa9XT`f z(=AEEzMKcdn$PKHcH$(`q;e(3vn^24IZ>(E{Uqi0burg5qM4uuLb-|E(9G{!>0 zc9w<$xalvNz+<+g+Lvh6Yyjt((K6$J~=kjJ9CsPkD@2%&7>y5l!RDa{# z4T9G>#h0TJbU&EEe%x?%dy3DU!ZL0^u(TS}-g^QyfYJ(nY3CXU2|L{&T)=asgN--M zV0i1+C#FT+)1o=?crQ{$&y-hf6$aW|_EbTA4~xv|#ltP^fF{=8xUyJS#lE=pyjsh? z@+282)im76#g|iP+d!0hP1pc6b0*VYm4uvfJiBpxes*PJaP7Nkc4bC5pU1k$nMgg^ zE7R3{i@RCrR3Q$umqKgrNQ`in(H38#BUHQ2H|H8|`Hqh6qOHl)u)KVFN;t3Zcp>=* zm65Av57w}@Xi}AQXglr^tj%5b_0z;R_%f4j-onSgp?v|r)kxoQ@Tqg=NsnRSx$`pv z&MT8WoxqwUF2u+?;zQxES-QFRk_(N2j}7#e_inli=#h^!Mc(AkZ$CCht3G-z>@F9O z_OyTba&zd@$5U(w0UotCJzrUvXBcr`{we;Nr{KK&>&Xwr!F_F~ zGxBm{;XjfFPfZXbm7eB+f)b2L_|mhek}t?yFyM<;=KKJAOi)FP3N6XEWGZb3l^u(cPlcz4e=mnt+ZeX49&?UK_{KacPCPr zQjK~qJCfBOp}@Ten*xWrW})*q+?e`%sRGqJ!xtf3gqkgdq6_|?Q7=e?xXlA^3W~9^ zYW>{hj95tw$K86&oa<=*U2oj|$=!18W<$af<`19KO)6Tb`jc+XJIRH>lhjX#ILMvxUo11{I5L}WcxJs9n|eL7mg!34!B(MX|D5##yg1Mc z-;+JX&@QYeL`dguZwvuLf+XjQ;rUQz@1loG9M9*?3O$O9aq5ZB3C7#H6D6FG{U8Qd zURJw3DUR5UVg81d|F)!uLiXy(2SwL*efjXgiZejbwF~viImm$!MC4jNq(nkvR*gG0 z=V{k~ZQBz0QDWz&XizwFI(b&%R|DM9=@`i(dP5;uVhU%HUG_Mm&HJeZ?&o_3lrsuA zI^a-o<>~SVgCJ<<{*r!SrL$HcMcGg}!YS1vtNzZ0JoOeupSbpfuYd?Du{56J=kBal z&*lhVdmrLP-TbjQy|A;oGWT()v#+)~&d7V`=l2os+p_Jn?DiXJcQeMe-`pahgjfFf zK4}9_o?N1?&7Z8vI8e0+2-4Oz9jFCZKxPd?A9!tRGm zJ1e%UMqKvMati(N(NLLO8FqK$D%EHTap(PtVK`3|BfmHB=lb6GiQLblZH8h@|RrRrFf={CrbxEVC8K1KI8HG_y zLq49D5eyPy^3kVkN+NCGcj4m2!^1AMTp2nC!?UMwrnoqf`5+XWIAx!5Ms?}T5cVT? 
z)39$sAii8valMw}j&x$A#j~V{Q>S&TeT+lT2ZxvyS9G74HLH0eC<$h}Eh;RJ4^kQy zb`NSLyB9WaIl8Ju=rA2Y)#|`bpduZ?It}QDEG5f zsBTl7qf{St!u3M-M%=qmZqoQJO)H_M*Eo=O{nZ`S6^-U3l-*J%2R-gyLtb=z{SExu zyNA^>t&F&$q++7WP$knr=eZ5PcfVs%=6Z3aB->f669)QZ5Yxd^*uC2uxhA9)Tz7uB zMW(Mq8iFR-p^Z0qO#^uHjKCR>vM)XGhx17i8YD0E;jrSKrwny&66GG%&+BH#zj}!z zU!Sb@f*9K;{wrS?;*v#%H?M5rCYmzT^?sW0NS;r~p@a7^-xq;&TwPX$_o~W=KPMD1 zunB{Q8eM${j`01UDQq82btaE{@SJC4@1~QU`yHzHDmCjoH((QMo4C5)H1gl(m(`nm zdM@{xd4sU$L_r)4Y1|{Sj~%2xwrztfnCipl69=tQun8=X;`H}5cxd0pOd+@n#PsUR z%2i)bHLdv7TVWYK(Q3CbZUogxU)Q)Piu$1`+V1a5{`8zkM570u#w_O*-v~M(>YTO? zYQ3wMabgnVM@FFwz%uTh^Z}CE)E26E&~M z6>p}tb~;e zsHya=%9^Td36a0KYMSzNTLG-EVp0ctn4@*8^i8L?J=UgTBDAser!&H*k0C#QA+wdMBk<-y5xfWzsU-y)!|OuP9>!aj$9Se zsu(B;>RJ-HIYq?LCPg?D`rRh*m{UbM&&FkxKy~#{y)~<0<5Za+Z$gX-5`yGbT?9pNOyNicT0D7i6D)%ba%HP zlG0rw(jX!Ey=>3jd;iZp_xs=P-oxV~i?!yQ>z(5r@f$J6z)+jI;7#@H{+`b%(Q{LL zptdE0%jMu`FD)RD0Vk2sa60d-@+IdT!A3j3z$=Vjr+oyr@}`90tP0#QR}qzsXBrkn zYGQJ?o;QPmq^9RrTmu4TF7@NTX92Fg&vSd zp{P19sb0J}`gQk$V%w)}zb&PB{s%llp!64+mDBzANfK$nw7+_lNnRP6yP`E@E@V`B z!3|EEZZVlywS44@oqVoOC0%55`}PCWA!R}JYrR}ERWzQj7h~pnH@|e|_b#tIMhqTv zG?gA8?W=LSI`K&I3lm*9y$Jde!E+YSBYu+S3BOctm6^^h{WJ}&zxYTvSasYH{Xli2 z)6SE-dTNNh$ZV(5T3Q~~^y&jz-KI}UMVX1=c}uo=7gx7ug=l7AI*VrnX_$Ow}`*bw`3pR8dRcNjL*YWZ7h>j}%AF$>60QnTr!$ zQ7ca6<}Z8w*`&tzu~bcbR$b!yk0kW13q9uAh_J0>Hs&2<(&K}5XT&Nk$vJ7*l{G$9 zeO`4AVX9v}woeUK?xfDO3p|i=pvAW;eKX9XX752wyfHg#G-Q(b@iC-zU`jelP5k}X zvgdMd<0~Ay5+(EjGp_O=>kiE$Lf)W>ZROTzM_PLAes>$Q*=`1}?{!+$1GArUB##gG zn&LcVU_xz985gQwmCc&oe(1JRG3OG{`6ks)t-HQVpx~;-bs%NQzg4hRQ0^Djh8uip@FD;mhS`6hNwR^h$?hpzxE%o{nnoG%0<)yV>Iy5cQoA+ z!OgK|51vYF6=QM1HdaSrX6KUdCfBPT&i)bPT#YV4flXL}BNenPS<622Zhf5Xu1~uAeytsETysm;Hr}uJF3Y;! 
zyPd9WY;(twc6enT_}t#=$F8mGueANzUwRZn;c~*2bIzjHBIP{MA)MhthsS003>j}I z$-2&PkY?7p(SguLf!;ER_jzK0*l;guBc^ixsogG@1f2epf*&%9qD;)vs8Bj#)#?n{ z{j$(9g0ZVf9QqDk6kdF^aY?~BG)AwICCXAVU^HjP0$%G-IZJHh`8u`v1`5UIa{kN>XgqAq=kve@68N9a}Pr z2mbO8cV=^apek)9PR&xmM8x{q=983?l>)cGH@LQ6|w)}%*3dKrx1mX z+{b4oYH91x61;VXNg+ybqZoJMv5n6m_htjnfQTs7z!q9_sfM3HFmE zK4DUBYpUHv8-Ko5?nCPiDPuV7Cd)L+7)PzJ<|*)I z&h!UAz!ME7(SoBKmDou?q7K`e=8yRAC}02wgM0H zT0uc97bu(pgNZ>Q6gy~S#?Hz4(EW`Qbd>;|GXE@d0Z9{iS)qR}31a(uvC_X`{vl}2 z`H?GC;rcAOSZq4s{R{hA98^1 z@n9Ay=+pDpvOq@&uv9RQ`@dcmldPSwv-Ll>sbpjOdr}qTW&f<``X90wXeSDWfpdWp zZ8lz3!1-YEE*TpbB@5nU1CLDnF*5uac=Jzz{I6L5@5$AF!|+2eW*1P170j>vYh9e6 z44;#i6*QgsZ!hcb^GLz`*4ZRRDVaOWK+ICplpMy9N0Byu<&Y9B}-( zlE1AEm?}U!@C?oW^XmRyvI<7&{%>jbV4r}|e6UYE543wQpMNxU14EV{Mz2564!rj# z?fwu_FhupA?I!!*Ey3TXd;H%*lfW(mM*S-^xv#4otHO=tbExl-sUC5h@0Ea|Bri;J z9XAycRXfTE)hpH6{WkRWg5mm7>HK&rJ;mSeS-fA0%L22ycR9U!B5`-{**(*n?9b>h zx5Z5QdhPt)&)KNM*B!&}9lNj-G-?dT+z?yas)FJZWc`anQUZX~@nh{m#DTdNEMCe`nSn6KxTBihaux z=0e<_+pST%iP{#@{>+!;`qG^Z-Anu3f(~l{d{-wn%9IEeTehi`@$=~6bcm$frQ!4@hxK2o;j4#m z4YVV6LWx*#C~#6km)RkoNRnCEL~zXOVCI$P(b+P$78t&mY&s8|6e){$2}FG~D06Ar z5N4@}!$VP->*BYYoLxeFB;sU-gQHM4wsqdn_tbF7GK6+#*yLt5mO_eYlVJN>`z7<+ zw>P)7J(y+qDjM3C&L^ebN8f@{eR>mUhrh;{|F9U`AQV*`sv2|ofYvRvrh_#nly_(r z_rdCmQQVdD1V2StK8CppJg3_LnR6ro=?uih+Vm}AxEBH;Tgu1GaC~zfbIZmi1s+r( z$pux|kPy*)T}*tv*=aKDmF;GBf;jqh`JVN?s|w|W%rWy4QHy~ehur(F7}bSqsjeRq zVQSyH!}Eob6DZW0q_4@1p+!c+7;98?Ag5BLs7UAU-d?CANeG3CpbhY{svcIlyBMBg zCo0~C524|i8|}8nx0fLi<@U6h@<9eNqnnZn- zEIyv7?!_ao=gr1XuCg%CTao%lq>~xuO(GuA|C&TM&(47}J5Bj7#A(iGOeA#tNIhyj}`@9Go zHvYgl&ER((8vK&7x-;5lve6tvN-?q8N3P2&+Y>le7IR#0s!14=$-4>t_IHGy zUapV@eDw)0>W+_EzJ)D&evkr5F?3v>6Q}3TAEcjwdKwZyG5)p!ihhL7AeEqI37zm& zf9-_?dq?8ON@)^Z2XtXwzJ$KDn*z!x=&Fc$#)!1UDM3iy>&xDcah85%9~MfNSh#K0 z_1^clE9YiCwf*N+f-L`@`3OX{I_!RMYF_$ zRUSb;JiqAj9@DXIHp`FM{2!zC==r3=aD;kikFTU(`V9Au5n;)^b$qd|$-|)_)uavI z=X4mM$&t)kuA{KmxE?3^^f0A_J0^z0JsWZNa=c3e8!gBA)kWv{Zlizx;0Sz#5#p+d zlUGDJ9$lzT=7QRdJF)0;rk?8|Ihta$b5GW6aOx8TbV)3C4NoeFLseoz6+f#B{1p<7 
zhyhne)*#(7sv9Jnayrn2Vcfr!5#|+K6uy;UGBsR&@w+uxgO4~IX{&Y5DlTs}nBED! zQmu8sN^9DZ7-}((l^Tu5 z;)f_#!ve9te6-uu=!wgT<1J2Ty~Ol(Q=Y0dOe|rSO31R3?)dSsIJ98(TYy1ufwjl& zRtk%I#>~0FRP1B);_aan;k$F%1Wle;9+rUWRK-YYGO~TWpLQ9}yjYxkVP@B^z8}OY z2X7S-pXP`$p{?QdUSc~gG(3uc;2D~q%xlN<%p$q=^sa7+O=FYLldqZDKI;WFcti^O6d8^6+w;R4w#2Y;Ks$K_D6l zSy; znaXGNUxk=Ym8e*8T#q4Ou3AIk@TMfXFd$Lx{I5nQ;8e6E9#Q0x!FY{O2Z*$n8x9#cQ_=mxfc)@q_}Y6>`=R= zlvBL*-XkPu*l7CVI=>z@UY+EX>q?f>yQi5YTH7)4%bk*~*pBS{#6|)mJgK7oGDDx? z@=H;tXEc78AQW;Fr<0xn#XHDXViC@WSz0;88?&bF$uZK`FVxY6bgp&|y*3y|wtjw+ z*BV+7BMYdgd{{@Jtn@MNSC3`JU>cY^z6JK6f{zFo1+EitVBA-R5XA!fSNJvMbr31W?Uy1Qw<`r>JnX?@E`a_++O z8kLU6Qq6=~@3NA;X3nzZD$(Pu!V<+mWh21|^MpI~MaARQ9cBk-$AKxiHth`9EPGvp zDD(dB-_*Z~Oj@VltHX|q?!41jXA3+dh8WtN&;@5G5@_WRIhNNZLOhN(ahSJ-g`)iA ztb}LAlrokFy zE?js-oQKR(|4@;m+)BZ{qX%1f9lhbzOd>Bx#S z7GEen_D^BxJXUSKE>kLu);1nLVNSd((JE_pc{)vxg1nEx$qnlp*j(`f?{O??P0?i}0vx?OpokKaFWRa~#5&JbC*!!QCm6#J zXHw=Ht}Qv;JEvfl+K98_6rC0%F-lmI6FlP|bir%psM)=S3m8&S_%s3ZXwY>*s%$y= z>w-?0`m^>S=B%C3f}{5`BG4N`&uB2L_=2B=?tP)mZ+6FmU)d(1>bFldQVV+;hgzID zYAzsYU-ZomH@wU_@pZ|}>jP#L<-IaN>O~>3*wdAM5pcPFu(EmZnr->JCb{ZFbCuYM zL8;IyPlniu;yqE^>c#-PEc1vv43ClgFqU*rNHVf&;f%@=6b-WgMh)Hca&93}Ma1%9 zT>Lr4491U^g;@CEcfoS1S&L2|^l^&%_oL+I4JK^+_q~Kjv&Lwsf8J(Qbf`NIg^x0C zwPCV|VX-RcRBrBs@%Sz9RPSU?C{1~t{W3_X2}eThpa^5p9A-B28vGz6y`y{dYyJHs zOJVFC<{NUnY*Yt+O>^=R?llt+44>Pbt(K5{w9!`2<*b+9KG#=$Lstu6lPbgUevT09&H*Km7P7HomeU6!Q4Hz>sm&zFm|Ydm;xL>p~rWBl9`r- z(AU9aSf%kQBijh_$ktmh@6nprp%v||qJ=ikACeYJ&OgfD?tl4W=ka{+3R8EbF|vW#18t#iQ4c;T@rLHDa#pmu%V-0DiEnZ_6 zF;MZhQ`piz+ZRZBv*z7EwNCR0wzn%t!~r7cMRhM2i{ri%mp($uNk}6~xMS@U+l` z0skU(@%Ooxa%3DxEdRHV2N;O=_lSpgT$@x61UtCnYXEITAR6%#cAiG_gaQjCdkb>h z8MW*p<+lZ|_T(j$e?q-+vUg@+Zuk3cM2mp7zDg1Hp(gK@Qk>gr_rO|b+l62`B<}r( zmtoyvOBmW}+UdUHg0JZph+&PT{SMz#UbmjfGfN{A+igOV3S!rnK0_dW{YCzg(UfNG zbFzFc8MFbGliL{UtHwvqZV6mWXHmO(?&0=+dKz)JrBT`0&%$VR@;Qf~9Pg|t<_#ha z%wmtTD$eDKArjya1k)34?R<@+%~kH|?Ccd0ew9ux@^)6Dm5M zf}3nxG-7Fb&#lpqd}4SPbNRC8al0;Sr?^Q>8r}hYxhsYoJ~;O`^wpz~_ckI@5}#Cj 
zAi-ax+x`{B|I?HA8ox(sf~b_U;Tv~*6EYS_8v`>C+f%nNeq#=jKWs=W5+)XA=5NT@ zIk}Nogzc>D9F^@2j7-S1StNypg&xMSkbz#=AfToMf?dk822NJs?}w+=L2Gs)i#JXR zCXT{jj0WhaVEcxQ=l^GyIe8w!h<`=4_A=l#u*Fw8%_Khgvl@vU<}`U-`x$oCkHQ~*&O4P|M(q2R`$nd*sru+ffv2B0kr{w zWEf$JL8N70XJ*93#Y3NBP*6O3<}wgNym8VdMuq{sQKnV&@goGG_j{H5>9^x67YYmn zs3Wy9H#awgW)dM8y6*1o{@sOWK{A+5?Yi}E->AQPAh6{lprMge*l|PqV?cx_q{Kki zJs899z5V^+|A zAVIUq;@7LSU#=r-YR(zd1>6KySF`)8xrH4=EMWbU1yHmZvO!r7L>IX%QM_h%K{|wx zh=nCm8&i-HQ<8FGvQQpYYx`;clRO+4!z)(nvQM8rK_JuVTF+4mR}FS-5FoSd-YtT= ztzGWN>wV&+-ajYhUm{)!6+lZcAoTt;aMSwrYdZ@Hf=%yEDOY62axCcp4Z+62shSd^ zrl!73Qz}xSqM{-qN^A4HK+6@n{!vmPmnHDxtI9&X4Mn^J#4kNP{S|tn*DrQR=is0P z{(DZ!+S=Nq(huY2LqkL7=jVXVMCXVM3=DmJed1??D`*e5?44Yx1vu^bNysC3G!=Dq zeqOd%uZtzuP_1kNA|f*r6I3poz%F|ShbG_qJ9T|;uJ2Is@$qnQaQGo-=jUi=o5DiU z(x3bL;Y|DPZm+p*7tJj!5FtE{o1c#4!X9?K{~cmUBG}C;+g}^8FMqDEenpbi*Z0NO z%AVX&RaIR)_qpD0;3O=|&VD5<9JsJQY@VH;kAsQX)x6ble_PSq+?nkrGTTnn9VlXi=k(!#yqTjwL(`fP; zmp$cXy)QB#02*8=%lD381qTmLT}kQf+qdjS{U}sa`K6_dt*)lat?s)s73ip_iAhOn zs;W$kj5jOycNf!0Das7Dx3`&@nKh;N#~N7It`?6?b%WR8@@+4M~9?C8dep-p!j|r|7t5M!R@IiDr#064_0*C4gI2vQ^N?`=`kK3 z0{x&>Ra6!i7q70bSA6fi=@V0vlid!N+v@AgoK1XK0fbR^i4e@NqukPyIz}HS%E2nx-BkD&!4BuQ0sU2+-`k-|DIVl zN2$od!UDXwy1iK8WsrRQIH9w%6YSjbvL2+fT({*&mxP3blkm&u&m|=#yL)prKpw%x z?ccYz3q*@WhKIYKY)Tp#W1$s;9EL zx*E_Q$OjJ}-@{h}jt5%>4#y8MF*93fb$7bGIs@7U;s*}9Nx?B2Nq>rgz{|_qV7Fpx zZLOlF7Q!0{*jq-Mx>OA$^^ot#IXIL>MT14imztfydODh#cxh?B0~Tg^ei=&Y1A*)< zw-H&wLhKI~d2dt}3A=vm?uLtyFLRt+omm+f83DPxR1y&}?g>E+oIXV-6@Y=P_CQL@ z%DxN_AGHB$IXXIC5)U134BVGWtf6~)dwc8ZF1@_F3_OEwzq_)^R5P#?RaeIwjrjTV z4Ui7{M5NKVuV1k-F^|C)xE+~gd57F{0}Vn)M|XSjnZ;gRS~?QY{$j-!z3$|AfVAY} zM>kK;`|}06BfkuO*J{gy^Zf;gAHVCtjr&VObMx;zJK=})OiX=shOb|*9v;RXHal)1 zK~{m-TW3N4p&?~7%EBTe({6%;gGB+ig4OJ@k@{S&6)6`Eef|vi915acZ{1bbt)=cX zDdpzYSYFP&n*_8hc|3xhyqmenT6Zuf;eK~8^84ku_;~-BDg_3>g_m7mJA1_yc6WET zx3<<=GGBPYL3o_L4SzTc$j#3O_Y`avoS$!^riQz~Ixe2ntv8> z7X<|cue^q)rewa-)YKFrOgB8KS7-C?+3pPB74euSn(baqk&(!d)gMzOFYj+SLJZE% 
z&Mplu4weE*e=XQ`z(U;I-Bs^I-Q9U1AL{Fq_GRP$5U8LjB(oKy5g@f2-@hY36x7sW zqN0N6=UUx4z9Pj-7{5qPQ}gonwz0O>XaGj<5oC4L(^l)(e#1&$em)fZ;Naj91RXtg zZ_oPXQoTYiUV_q%-rM`O&T3}8rTyv$14K|*_)$YFB0;Sk?Dl7t4o+@vc!;^VIWTUv zvz1T~`_)eWyE`9L)M!{_Tzl%G(oz_Rh^Q#gbuBF|8?JnSNjy9}AP{2WjJ!NbH)+SS zA5(ZNdJxF6=i!SR6ooK!lINEW@Q!Q7;!sR11n#f`cqA}$^o7Up$-d!fMa>eZ{ua`~6H*rX_> z6&0geqbtqM$dIw+<&k|OAvY^3T3QJ?xr4Qy(4(yZphOA{S04$)#Kb^BL0!fJ<*ZR> zIklbTtEZ_+M^AqRc4K;44W;MEOp%F+sjjZ><;{`sWp!H{F~ojnA|Kp2B4RiWgW75# zpXqtUl`oY6x*l$WC&R{P%F@Gd4MBv8=P zBSq&{RIo5GAoF(ttw&5qSX^3)vas0x>swl^z!k!wi$QRMnvAThuCDI!`$|-#RKs5< zTczqs>gwXu2_3(_5lzRx2D@))Xqe@5W#Q}F0o1>>HKR{45Z=~k+wmOHlamvDuVYbP z-+Pvh8$&Cr$cAfPK0Zqei#4OQhus4T1=GdN-@XA{b=ZDA($ho1%328&5jiVJI5}69TW)|r0%Qcv z1*-%k_9Hr6Y^t%Cq`pDf-`_tHzCHB4_XGxOV|^VkD^SuG*M}X4vsJlGO#~zlmpNGJ z@C9ZBnBRct*Y@}vt>X;L%xH*+lG4)r&Ofl1HG7c$pb&nhn$P{MD^jo!8J4Bi`&bc% za>Z!?S^IwtqJ16u&=PXddM`r8!SNWaHc&-HB`hN1wy@bGk|2p7NsvVbkP{m_!ctQ&DrBf|{-YBL%@^Yrut=9!Jjp(m+So6 zOpp(`%Ee=od~iz&&?&wmc^%#4W}gC@YGX_h39&x7Et8?~=J_QhpMm)-&*4D(!pWcmV}z zKg~Vx{wX_iN*apkDX)Wxi)oN?hsUP+dj&m{LxAl8Bxgfu89%L98Png z&fH&{c6a1N z>gQO6Z(iK9G1$R2@OFXyR$9RzB|Y5Q0``@Pk6%js253RR1tuK zXGlysjg>%egNrgS>;n4}#HUgD`jv#lr?*tnnF8KO3Gb4Us$b0Nsi=INoxKG9S$;vm zx;Niw)=L&fMifLuI!4Bz8u(SMUjRT!OG^t239WBz$Y(wu^e6^f0lW=hG67itu5hvh z48*|2b@uZ97rNKn#Khaw)QC~H2iI?LQRmXt!QuEr&Bem}{Er_$97lwXM)(gQ5CDv) zS5|yiJE7#zAB1>oC^7KsA@o1M6>eFp$Jx->7zT6A#MiGPx#Ol^QcaAFIRQ2WGSlTO zCL|;TU{+aaDZs!6iP{PZWPn67oL%p^tSv138A!S%-#!>nO-)S-irhp7bq{yggyY$U8?i0hs&sS&=6WcYk1$2K^jUd#FvA>w6AS$ z0x$0lY#S)W_NE0QLr+g%q1R?OC1q@!2OPNNA#7aS5GyKHRt0f!c>Ubs>};qWRyT&; z*Q__Uw`=DsKG(AH@^)iltlHWOjg35Rs!B>q0R7wZzSZ~nC90u;Pq+=#X9%)&RsR0L z0UX3WO-x2tmsmgKWGIn=kB{%@-W)h?099&z`#hw;Td#MQ-WncrY5iYWkJ%i}Uk*06WC!DXXi89`+UESXk`b+;}}_+AIEk zaBv6wW3Y1@8yloIeL%}0z;qYLrmfDmmtNrQPL~m>FaWE7goFg7zuonaBw9=x7}~%t zzuohl-ZTW+PXl!nFadrkO@p3(Kcvyy;o7+uBMrQcKEg1j@FZ=~*Sy;9g&j8?7EczOZjEANb zdVjrge|~gCmN59(j8OhhdK-;{#JrbURcb0B1XAMhx`AH@=K{D{7`V8$=H?QTl2vte 
z!SI#KWn(*UrjZ)~xxNko%koi$enBfCu24R!`o)tgAanLahy}U1H9of#=?QXv1qHv`JzW+W1ohKAyg-|Vag0H+`h&~aq)=FJ;HLBFUdlx6v@VjO^^goTA~OySS(dfIU~ zI5>bN@ltnnbUR)L%iP@B(j2h;_3M|zq!f_Iwze11VlAE*wjfktZvHVm95KY8 z(z7i$S6E6aVxiZ(tgH+M+Fz zCUE})0|EfM0a!Ac!T%n3TLv27p4%?~tK)}+hlQ=Wa+Yc}d0sFF3#GjDy-VRRD=sMk zrof>r{iScF1f`gWNcs!UbFi@-W+TA4xj&oHzrMb9Jy=9!xB<}n0nKY@00+o+u@MUL z;7j0w02n_6f@Tqj%(A}G1qUmDW?^KctgGAReSHon8W|DsV`s-3i2RY?1Fiy58W8D& zfhpB(sjsc&BqQ?^BxBTXzp+WYz4ZTs-qZzZ?Ck7E{(9-P4Gle+cwV0$2tF~Pgo=s^ z0uaF57!AZ!k=z4EVs&*Dyzhm)u*o!2u3J-86%WEV+}z;Kp6_ll0TO}$2(XzT{sT@d zWnQQ;8%^hRqNJj_y}3an=IgaNNdnGx&%l7$T(!y37EPAd`i~#YRx`|(6EiceEA8H` zyPH5}LV|-WEG+>r)Y8zfUTi!r%A|fL9ET{C}0N}AQ zLl_<0e*iMQHV@IlN#LP=DZD2MS0jJS0R<^VRSTm-{C&iE?SHDgrZI_i|}Wv_~flGRq%_@kN6 zj_$o1)6%}AOAFT@9OSJG)TG5O^M6)aiO!*?jaFtH9c0=(ADMRl@!ic=2*yx_pb5Cl z4eUjA6IyZOA5h$S+u9b^;)!X{NV(Owp06%?4P;)s9zT9IaDB|9y-@7c<*f!|hz;;o z)T0C~2AdMlvaP6-=eabB+MPJ6=_(QFljRxk<6N*aCPTRBXe7klWl`j~OYQlZuwhVR z2;X%*mCar*N6W+My_}qM=(w;MA6SBwpD%Y=vEI1f56Qy;N<<+PIyIO)F_{^H|e+`D8o+-~EjI z&(fE(eUie& zyT{Jny}4NHD6oiX>-*I)lVj@3JW}I@hvor79eL+y%-dM^la_`iYTwBizP(LZTuZxK zuI?{VFI;WWym-${8Z)w@8!WfJ7AXUR6Hp$3p$r3@-lQa4fsSJtwk4;#JOw{psh)A4B}a;Qfo2Q^>K)s4#{fpIcZ3>(3ZbM|e@MiGxgm z2xMjm|CW9O-d4-qZH;r$XHg~Pi#fXXNLRrQg$GvU0DLrzunc)-t?sQfgOnFF&<8TO z)YWRq4U|vi>}M=odqxU`M*-TMzTI5TEE|ZzSv`MPLi}^WE)xBgMW^ioG64c;HlA2* z7StPKcJ(a|pnD9fS-a{coGx4v65*D+93+%KDncRG#4v`YgI9QTg1s;InYIH#^Wbrq493 zPX2K$g4WJ{BYIkKrhrfHesX5a^~L#qqh`%F)1~lPjQ#SE_2aA5WKsvitq)JxrMxo$_-3B~uLloAYKgU}DU zln$sC8QcdfBnkXA!|FdwBNF&KA-H2(K!^*^>|)zSaN1Oo9F{P^)Bejhu?oFq%BsH#FiXjL4C z=Ettiv9M_sj$%4tZSg}CY2N{h8>Pl30&ai+#Px=BfA?Tg-cKZ`w?2BvE*&H zs~^daazHHia5o{qSAqCR2PJlXrbEI`V5p6rf`YWT?5{Jbxw_gBj7cRkWKm&0Y%@XTT^$p6*J`Z{(RlT(J}K-Wk928s(>h70&E@*Hf=wxoB7sx zy`{!Ms!{7N#^QhMCla<1c5Cg)NC;F}@2`J4-onIb%1;gJ=Kp*2^IFFmTP8+VCdpU- zSPYbfiHhNVQ~oobeiwgguCmYK7sCQ{F(eKyM~C0ZUlP6C_)!u}@zUmOsyq7q`>u`+ zsYf<9QQWoI2+xTMHIBxH%I1+Y4w$LoPyb`RiHhN?Ptc?Mpdjn&a4`odiFI3Mw9;K2 
zOl_!85Q>U>Cs)cZ3Q1b^+&JyE$eae#K4$Nc{aBQb6*AyGOWM3Lt+FFdizUnZ26Jm#Bro&WgqZ!SF;lhfE*+&`v(nm*9@1&hPOz(YkAg=)HF&c$NY964Pj3E*KVyOdd3AZB2iX{#%1G*_ z%q!{>HkQBNV9BTiEpm54jb$I#kd~Mt*5PAKSAiMkv3JZ*Q6O>2Pk%hIZMriQSX6aq zo-t@o2`a_c84(mx8)h2vm`uCIl(rK#U?W`QnN%oiZ|mh)mJ?HST>7PxT)+Mk%SxZZ z0v0jKPf;|8vGrRyUlqbjrc=wv+uMl@(R>jIq&r6?6yr42N)-BDKiLo9#N|}K z*c0DX%9pkjGFOAc{=2(fKTzGF$iT<60!&+LtRMG zNr>QF^_L+iOeYPnVstomGA>@JJ*&kYR!AbpU~LhcY{Y?zdHM|>$|(8c%o1%;n_gZ{ zE=UKb_b_d!!@+I4(OL{bL0aEF`LQ64r4GBRWex>N7h>u@ZJoPPn@-nbq+*dH!`ch{ zVkiv_&XF|E2`ZgURgO&Q=dB595=#sSO2%H|SZ02+^ZdKiiVBVYy|_&0gWi(&;6LbD zb%9JE9fmO>LLef{r~WK~)k{zi%wNlwPznrA#HMS?f;1I~P>{xf`E{*qg~1Yev_(wo z)>avrROY7)aMucr7JZ=P*`^Nqy#xcKGsks(vbY-xB0%S>ezwcM2O7{CEaG6A{M>s}*9=APpZYH1-aoG;rxwl1X6&m+ z2w)e!8|5zrJFdXsfvZ*OnP@r`E;$K%N6H5E5Cp`>&ch*51ll$Pip`=Kd?g9_`fz6C zBC+HV{>Q}PZ(h?u9H>)a#)eDLP-T@Sb}HE{5Hed)2zuGrcOgQjcTKt)HrfvB#joEZ zl*~=f8!Ek-?a9fbg1>N_9P0o483L&(tD74!{V|dr-q1=1Z`n6L6Xwj)BciJjMSXN1 ziHQFIr9Y6B9U;W>@I(CaN|U2J+L4j)~LWD~6lTe;B-pNr*;@f_i zX(P(5UK7>4V=>kXe4^>LQ>?v|ebWUjH*--jMI|Y{bS~AcCY=hA(0qQZj2 zWqC8va0`*UGr{HCG_@bL?-WFX-qmf*2^0YV%{IZf5WgvJV>x(oo6!#D? 
zd)RebD67}4=)qhOXnBtyn_rE8*rJ#R3sSn#@G~!E;;VjVV3f*_L{?AN46uTQuzr?t zdL{caAk`eO{dBg;Vy%)3XPQ`Hgj9qG-mk3#2_#)U`7klX8Rg<8waxbjC=k{QR$Bgg z`?EpOHTPxmbxx#2Mry9HDiX!jM-Wz*X=Kg4!Ggr~Kms5im9$(ron|{Ry~&2YigcLl z!S6cw2`o%Lb_p|-eP&^-2-}Ch;AxLSq`9wsi3_L8zL6ArH7f(8UJjYlMDC zBoH}55oLXozHCM}{I3yxtxc955%w&T*q`r7o(&txRRYyqi4Jlx2EzjJs&)qomgP8_ z!)cKQ_ULhn@1mFx?Y*4{`rtW|@qAs10ty(FU0|#M@#}fJ99LwO3~2p26bxuL+xb7p z>rPmAtF>uX`@S9j&cI<%}G)Sj>J0R~`Pd9T*U z9et)K2&qu3rbH0#w83448yeftM$)RPTwu;JU%d zEd#4l;$Eb{Fr&`A^#@L&MhBiPW;q{ zPA~sq{8L*^N*`I6%)_CV>1e)#eAZn^HTlb;mr~?(iVvtf%1R4n8cK6~Bg3V^udE=G z0>1P!uS4bH(npPvKW(hSgAL42+)IWk16cpJ6%TH(q!JLwEK0O~fFB{a_AUX=yVDN1 zCDJMJm5X&1EL$}n0k)z>wwscYlS5mW^rBVxuuAiDnNhG31kOebr`}@Ty;oEF2PgrT z10@wq5D2Pwc@1HXpnm|zvpVL&@n8r91R>JpsY9Pgh3o>)>>w-tkbHNw58rw!u zDuW84{e=c}tpcsL0dNOuKQ1%aP#!?RsyM@o7cW5m*AAC0?=p`kiPNz zVh6(<^H`7|8SDFJVUa|AIS~)w;3zi{98 zLBM2ldz%IX8@?+=3d)FtiGWn2A&B(lOTQOu`%SJk;tKY!EZ-7#=K|z@kD6N<8>DOj=WsmKU1s4%i)PiiBoEabO$CN3Iq+ zS#a(fIv=p1g!p83NfTY`#)0SIhfRcD1l|oR#JZE!F+G8V2Wy1@6F^kh_9a`5FJ^E1 z!Dj%7pRCcrBXh@34HPH;_0CWaf@OZq4n~&b@8xzyPacFka%G@FJALq8z*!iJJUclr z?He4g@c%j}VWcKot$Bp=w>w0&v$w~{$Or=6AUR4EFAGzCD;z|zK%P_=)a!u2 zFWl{A;k_mLA%5wL8vx5493E0FAgvN`$C-12M;z zOMC_cek=LF(YhR#1Y3@61QHeaAyANSsT$U^K1cJpqX)h>HXz|uDD%eaB*Nc<@jlFah*wsW?qbNBnJGg=qt06lSU>ceXT1`F>P+5PhF|hxwa9#&KAa_e=r1> z$TLSUpD2$dL)qz}k!)IN?13m`Z?6ax1dBr?5VyI)a%j%YJ*D&Ih{o2$R5w>4?!dcC z2Ft;2o%xQeT@E@LYg07y{H-ThCK!Ne5_vp+(uRw4vobc+Dy^Q~^N4&opb!#LfpmtT z5^0nTNj zj|Ag$yn$Oc6A7R)1OlRm+;+=PIGs{Uxz=2F#`BTAaD@SRRJwbEG{xT5oWkg>#cE@# zPeVa~$42_nCu+NAj_ew$Y|j_Zw&~3dNSBevhkriLLu!3SRLECTrm>(w48b5G`h0Cw zV?2lj@oUahlHGOm*FWbG*VR5|$nn}7nTe%N`boTT-8jV0!%v4}-b@|%O1o#@_S8aq0s}~sUG+dVj z3z-E4HVqZBMn)76L1lf>)%WzBtd0}cr*a+j^)4z>e^@IFJUnaeGJr5NE`TNaM0q$Mwh%xh!SI|N-Xd6g%F_}2HmG2a=_^Gqe3g(V6A%Ct{kL+}a7;eUN4qbh))b1TsE z^;X)5#Y7;E^o;`b!W*95s$$5w$I79wTs<*7{q978{14z~8{Xf!hUhuU!#iL8L)lQ7 z%_@+Yz!HPq(=2lp;!r9)V%I(7y0-X5kv%o`%poq~t?Y2&34F7du#%abgIJeLS2ncO zzAJ;2*jyF7MhMgJh81OF8zT5lw-$34Hzvu@kp3c<)Gtx~!GF7+V13MQ5x2KG>_^fU 
zFJJuI{)AcgJ;7a1Ou9WrV)iiKZnLSLwkiL|S8k@fg_dM{r?asVb=`^Iie0RVM#lOY zHAToXJc%xGY_)Ak=iI-Gc~h9|u8-J{(rY!V+)aA^9T{*h*iEqL7#*cKcnb_wYC2mf zEfp?6c&uNgITufoy1Yo~m{=|pUnNXmFT`x^YOLe>^!{i2`ycGV$FB9AN*_Iml$gyf z{>N`zZvSjIxfYy!h#O1AzSwLW%EgGRO~EiT>IIiQd2ms(@=d4pTwPGY!LV!kWUXz^ z?a`v4K_yc^dsizrD%Z)8%5Me26Zm!Tv-;=Le&4iCtYxd+R&9D=_awbZs*UCQkmR@! z$Amq2lM-F!jRjryvUbxEIk>)!#CJY8sH+&0rZ%%DZ&Agu%aXmI><>e8 z;XIj0ot3OCxwu%}SC(ERS$uw*j;sj#`awvAPg?9cf+#T^<#jFjQRFqmL&I$q0i@F* zl1F9K){P!FL4};$s-IKZ$aXd)Q0)bQuO;~CmZ1{opUmo>rWhuoD8B{=vkv1DTj09# z+T0-_xR+z;om4>}-YXmwsfRmsZxH7>|4C0l7sTUxCT6&0j+lP>8cN`Y2j4973_slM z1Vr~W#LK|XjC`?mg;dG4hcm;L-daqS-;@4uJ{n=NdSi}(f7cZJe4cRoc)<|m>OEna zX0k%RKzVSP=`c~~9oec<0x@3e^cQunv2W1v3$a`I%Vr)_Mk*il&P zVa$EHBqQzh0TzN^1~Bu&Nz6s}1?`bK|8CPrIuy|4OXc=Mf6T!j`$PLMf9t3M?vcf)p_ z<%LwhIhxBW9!~1`Eh*MY*&Ho?A%(VSl4B*vk1QFs;v^Zx|BXXlzrNbqD;iw25-eYU zxs$u_mWV7T{LP3H(v*TI@uq4Cj*Cj5J zNf_`c2!!Ly=~r>0>fSOZp#ar+p(9mHP{N_~+NfQTJ;JcuorA!nqF0a?t@?C@A)mC` zJNg~dpJJaV{TTI9Tx>+}y7#i-P*P6s>D&EZ{EQagcNq^`t>lQamU`oqvPkCztl?%z zA{8wdP;z%BAh*HMR8uHAFV%T#4V{L$q}S4IfdVmc&mM8VGtTpP4uYM`k;NV`xY?Qv zkbpor;c_G0q$vj@utF~5u2Q*tQL(x!qzMK`Pq$71*1LA+jlCu6FesI!?r2CD)_VMl z88Vs-X1UzHbol)i&ItaiF}5 ztd*ZGqamssymP5ql2xjb6^H%g+owWNZfn=)3uwZUkJcQIGefp(byM3o^keWl-7pax z#gT!VI3wRf{=T4mP{@NR+TvkCwRz3%Ys4)!%87`Cn49ZL5X?coCCT{a(oJjj9LDR2 z0K$+f0~6DK%kqUMC7wiS&z35}8YNyoD{E?jqV z9KSK;8aJGuyy{*sEa0FSRDOv+!>3?)9U^J3`?8)q2)e>SayxmIkNsb3PVKU+8}2-j zrKnDi4N)vx#}u-YL3%KWmN6T+dhrG-mK_KcJ8~-_@t>94>l+G}HmfS%_Tk#Rc3O>( zxDRerKIypvy24&7KDzjw$?5%dGyhXrNO!2RJC$M3{Bf1o&7F#RVm0z}^j8teM=YU8 zm*ypbjl5CPe@&^?ub*GG8;AaIBLa%_5GAAy{|YxxV#aoa%qc#XmuhxH?L(q zTK_VKeADx$d|U9Pl@NkT>{ojN7KCQwPr18)+`>da1Q=@nU3@BbOLbk}9_~^V*%O_X z{BQKZ6Nje|q&s$-NrGz>^4B4xY9JrdrjSn!Q9g{S=_!0`2;=i~OfS`Hs5{o*#u75# za(qMG9X6<3v~r>@p%x1dwZ*K2xqj^3NH_h5@&EO}_hd&8=eYM8-M!!PrdWPRASfio z7A}>x?|(n>b(eD@!v~U?Rn~oLSqb&D=MPnk+r;ll&~YdjDjc?U%tt?F7cSCk{gDX) z?$z>LxO2dxGP`CI9yPzC<&XaShBEg%NBFD@5i}qqtfD zhJjuo8e^&Iq&J889#d+wgDp;da8ux~PLhMy`{W?IT*wp;Y9w-TrPfAxzOQxjUdp$( 
z^Z>`|Gya3&hQ~i8++7kSXozPOLfl^bPyEQ#b z7hspL9W8ah1wN^t${3|^M844!b;UX?bhVS0e|W8*UUxzlzXR(b`3XT`!eku6O6pt? zt*)t&(IxrDa{_kT-jys;ku@1z9YZx$t4TFVdt`iKqP3M(`JIvRaWXQp@zGHMww+ET zb@c%NK>%(Ek_>n5+ySTsjr7{9eM$^8YehrK_-;;bk*e%Z+00z@1^m-3U8sj%q13T* zhDOb|w^v8I`|py!VT`N&q=^+!YU2C?9jO? z&aAQJC#+%k*IFtXE(YIk!5WLeeGsU~&|Cen;8~#z<4ucr#=Q@;{R)sk*FpsR;=sHu z{fuN{>K5Bn?}Lo{Eye$$JZ-LKbFa_z2fbto7ywEE*Ir2itO?u)GAa=cE1&W*S@96C z!GqB$L||LXrpLd=2vp>88?M^pPq)oymdl|K`-O&Z5$b^1+xpAEYkOKot4B$T>`f6? zfAS=4D+$ z^KPEp=B~t6_+~IwFY?v9RKMn=|IEZu(u0lu8E-?Y!B=xm>eOCJzVdw!@?OQNa`)u` zU31?BGO4OKoja>!mVK1lyh6JdZJgayLe<6M8F-g!MYtKyP=mZ4SDIbb? z7vSO0(`Nxo>x+l@w_8@4r8UDIS^oxTo7jb)-yucLOlja%xzKl$I3$m5B5UOgp#($o zemEvZm)Uf*n)Fd;1f|%<+g%B?iEhXqk#RqzCL{Zhmgc*+Bwu}*`Sa(`-Q8WtcmbxX zEgF!ifIY7BIdK7|6abm_w%!5E3^!!>Y(S|O&@Dh1TAT;4IzZKD%FG@BJ_*=@z_!qj znW=x}=;Px9|6^yzX2d_6^&kx5c|fTPIm~o=T>y-zm64Q`^a}1e!2b=yGR|(*Z8|6P zk8p4C78nN4Vl;k6)9KD^LZ&a9R#oTac$f&548DarJ+}PN-;RY;V+Gy^0!ctUWSn^LUESRYu3x`NPTs-IEG$fp;sIJFfXo1S4BR4M zK1C_3F<|sFj&&Q8;7!Vz7*<(&SX0Qc@4UD(sGQG#^^|C5bPJV+PWMN7%nR+lvwXj9 z)o&bT5G3U)_KB!i*ZkSDzXt~khcG!}A|fkmYZoWE$f6kHtETfFO&AP`0*a`8^}d%bP6z$^l>- zCx6zjA>7^FcgukH282tXqM%-}5a9r<*lFU+v)-Fo0K*h_Ucv}9+bvAWv2>V=kBwDQ zQK3#qmBUF@Dopq|`%sf?ZFxlRZ3IAC{mJcCpAWXQcjYI19AEXLITQ2QwO@Cc4&41* zsH-5{uFVcqJ0M^^@1Ta2geZf2^?xR8LxO_`Z7QW}I=i~QfBQDmw2rl>%rqI~(mi&h_hKg{JzGAz#HhA}y$378fjl!O z=Y4v5f3w98T3YX6nG_Y-18TRy6Ox5*YieGZn3w?9 z1t?3K*BxiSj!jReq^1IR+&csPq5_XMR!P~s|6^0FO;yY0i8GW(p(P2ka(nJuOWJ1*4&E(9hwuEy^B(2#R`6lL*s zvw!#VM!dbeGId`E1?@cnv**-sL&aIi6QJOzdh((T6sT;JrFrKM@5ZgTH>`K9J$`k=ddo$NZ%B6UjZ6EC;FNkFQ7#%ds4&J)d^;hBE3t^jODhu z_4O&OrjH9o0qidAsHt0G3>ocSpJ9F$Y?^n8iNJ0GssunkJ&t$Hz#4-+S&J$Vb^rn{ zFj{}lH(vr950;D^!_C8mKjYnC0btPpiXAMoy}dmkVSRmkc<_VnUdz-~WYmPgf*rnC zV4C5rqeF@?{T@LIc~~j0gZ!#0!Em|PTZkB1X~+fDQ;*;z5Fe!VnIkFfs?0X_Jr78EVv5Y_3#+-oixcLH2tZoD1aF(2u^w^ zeBWTgU;xrE>@KICAPSwl<2Pd#{eSNLa3!s1k1ZB zysaBsTL2BFI(!iFUf|`O7wtSz3OTcl-iZ&_s70I*2s#es5Pnd43*dM5^zhidSPKr} z&6}Y;x%%j&+KKj*kABQRBvz0s^J}Wt}u(HAuXYh309Onc}H5u~`9ChvVS4l}4K0K%y 
z6r$R1cZva|2CQoLe;A(`9KYVz5?7|;TSV|65Et>Zx9_NiW$LPVQ|y^w0scrU3XZY% zj*d&g9WEKjzv#`|M1-`f++hgEkj?>%@1vhY3xyifc}c{5s1uLI=?rNknbY$=xaD^r zH{^9q@*mU(PNM}$Jj8vK2(H~5eARUaR!V4VRB0A2wzjM_5*s3OJej2GBp0qOOZHH~ z#)^)P2Hw8YVJPeMSVgEAS>CP;{{tXV{oB;ST4vK@BO_Xxn%PJs=TCK>P@rdFVPZZ3 z-S>Qx6aX^=NgfQWjQ{Js0JS`942&x=fX;W=4-Zk?!<3G$7Zq2ytq|C~60f$6N8*=z zllhMyC(C#akK@`0J!1}%Ajh|Lbd>ho|CA}+{c~hyMxsq^5l&+OSjzan{gMl8Gk>ul z>>GqTw+AC)FfS>OVQbeMTGJD~>5@O{gD!#8g7G8=RnQak==R+0B;)@1kC)m5>5@>n z>IZ-{)XTI&Y6pjb-bkyb{)?t9SV+>o;ntPO`&h65oQZw z-SM)b?1?%vi&&~r9P-rVOdwc)ITN>Cm!EsBB;nObSsdd1&e*5z!2~LEE{0I_t1=@6 zY5B7pGKH{;_PE`J+(nt<*!1{L&XaPwQU(*faedx_bR<1HKmA*yeHY;#cfwHru(WGN z=!Sk}14+Ja-=rZ&{=e&LB*ihZuy}iVf?~tw&!0AGeiZnjKpzC=4(O>}CKFLm*jQP8 z&dX!@*+Xjt{z`9OUr!Oy2clrY}^!005n|l+Bo~R&I_79Gx zvsccuogFX+#G@`tvxq4v3yO+vQ;Hr_w1Ghf!hzmjg3!=VGc&VizLIac-av6CmH)A- ztJUe!YVPKI!H=(w%rEIw>Uu#i27C_ea(B?bB_@czcM+$u-rWeE4rVQ>9Au4GcI6;LanS z8)|r-O_R&(ULij3yudq3UG;V&W??a0!!jL2AZ_=G|>ny zI1^}r0cMkJmX>!ie7JW#Lmvu@NqZY;YoN1;xxRWuD}W8>@xrkDwv^0PqY3W$#}3XC z>64kM5po0_0|PO6N0oI3DG*=Qe%mq1dZfRaC1_P=mALqFVcrzJNnPuq>*jU<6+Ie5 zB_$;@9tw(3Q4x`-@#($LFkLx0IlzR%mS5-rHaFOQFtp#~O3)t>jSzv8fVi)$7T986 z_a$``B2*mIs{hwZ^5@)k4tLPknD26+7!&A{v9z6p~Gj|O<=6=cHT;A5Dm+TLJL=YW~tBtiogHX`6^5nNAE z0WAZFR6xEVH#c`LgKJmuCo^nM4Gm!K>wCNc2M1?o6gcTX3*1{XfYk?KleImkY(Ptd z`Oy9tTIp1~*!cJk7NSKH6%iJOjc93gPj4xG9ALKI+l!&Du0EdX*>V4xZp`t6*s>3i ztcT1ZsK6TMw5W}RRx?=U{VC$ zhkg*P+>RILCkRA!sNgpYIg^Yjfp{ZB*4>XUil3pX(R+0^1O+Bt5Eq#)d;8?aq_{lB zYbUMp{06R86Mp=t(-9a7zlu+-@1Bcw34CUD=Xg)quKtH1)fyTSqc5ebi;I2 z>xzo-h&Ka(Ww&ux`ZWP~o5t+Lvm}69s1lYlGBSGll;*4L;Nl3(s^b{0nwy&dbvD*t zJGj%kcTrve4Gj_;ZZO5;MAKM?Twx%78Vw8(})%@Sn6OYQ{&@r-M$Se$BK$)^$qlrvr$AiS7m>|2tNCK zy{N-{KF}l%DrYv92`Qw#HSRA@&lBb548xT`(Z7nZ3r#0_+>@# ziLUL@A@8(EL)B{|gkK=AOd+WR-W2qcS5b+AJq8&PC8dihcv=p?ZLzWag0UbWS^oW7 zg(23I8$U*Y2l6cVC~z$*D*k|l=HTR%pGWK@m_BTP(B$XsTaadwmtQ0jWJ@T_%)B~~ zZr`?dbW~@EMIf9i`5PR|zkC6ky|=%g{rFycd%M&9o1tcqp@wJ>LL=Dn$5a22F93Xm z;gk&$uc$*)UHre@zY8yIt&ua&%2fm^ze(`CgMx}GB0Rh`&kJ%|V0?M;gGNXe)#t$n 
zf{$p`&>;fXcYOUG;G*_o8+mzofo1I!O2C$2XJ?0tjn$hWZ2}Lyb)8%h3?7-CxH9#Y2x|#H3D|;74as>nEZfP#=aj zpsr%AQdK_plCYSjXBL}E@^}JMbs2y;tVO8>5><={t=-(~cL%)}huAvhJNo zYtlK;%KQDocC)Qri{1WWxckRVn-FzCJ7N3!SttU@v9-F2{+hSg{E0CEPjWeFp!&=JAF)QzSPpJOXG8X2XTLXGU|o5=U*YTK)Sq4#&;dpBiZZ_ zh-oUdm@3^8Nk2mW^ziUU_@_VftGWJY__A(LqR!}ENgv<%L;vR8JwHOia3w5+@z$vY zJW#(MS22xV9buHrk`_A@uX##28VN*?py1Wk2vvDh(ZI7uNikHpIw5~td7j96e9rn& zYxjK$AT@8>;e0OO4dN{!{pMyBY{)v@=@wD`vHfIPa(O3yZvr=2YB{Iu35KZQBsV>(2PT{+%ibg;l`hac(|!=iFN8 z#CS0)3gq6yW6$=S*0Umj1GV+41k*N>qJNlRPG zLVCLOV+M@s`uoI*)ItH-4E)pl{AtVOm6GfdTN}INy2@iHZ^Rh0AHVtR?jLPK6{icq zyOITik@)1kudUN(Wg#TT^n1Hy$Ktlfj|bxg0X{vG(*CiqfweW?q08e5-P*Wwo@xUai5#!-*{jknPGWNl;*Kf4qFzr+2Z!|Z*?yr5*y}1dqRV+OC z;xDU1*u07wZ==fIuV2bdbe{=Jkw2PoqK+|UeAL6Wdzhx+Akf(>pX(ch(unM;7Iu1i zkBzkc>qwP3syzBlcwTc$oSbN=nWD8D@_>M_M>p;)HgAAXGk@aYw{QFuQ3f)t&-fyr zBDH(6Kb{|}`uW)LSgROz%_U3N2hyfo&WKDd^+B`)%g2zA5J~iVH1wi{I2a^RIKKpw_)=ge~tRO?7mq)EP_Sie4 z6!LdoW-f9RwluYx380Zt-Q<@-X0knLR2VzkQvdnB-d^3D;zNbs2u4+QkA78LRocwO zV<#s$BKL`+JH}gN%-A^w-k%aAkxb(p><@*{;Dz?Q+|O^;&d(2P92K72z(V(4Rm5UL z`V|d+u!n2+zTLH6!2jiISI>r?gHC~8T&zK0cnzV&tBZ81l}M#~{mHE98b2kz!i#0k zQ)`Erv$tK9xCTV3&69qcc;&NNE0158KHVcLyk%?I`bRZ?a%^_Qo6WAb>vC5*1Dm)n zhJAFi4ubG=y9~m}g6NSjk~|bqd1>6IBqawv;mabYs>>Ei zDxY;GtRHA^r0n=hz%80kJmN_f-u8WXS?1WH!t&+YZ$nX!s+sOkrRbm+VzEJH`d#+Q zUv)Kw;?T__B1jKdin*S?ws1ZULh1_j1`yGDZ7|3mi&Scke4*^12lu?6tK{DUbt-PRcMrqry#_Ow31ZrKo?o=-yV_dL4{5E4Oje|KZhTO~ zNA*{~9IA3z+7c?CWuGeiO9T%wHcP^kO%59*(u?*&ktcb1Frss4>PKj<&f+0MM_%*j z-{uQcgJHo=31Jkj=^ytHx_wx}a3VQE;S^#gLIPRZM&D#!lt?uJwO;+{*d|q}{L0mDvwOUwumGt-75)qWqX=xcdu#Vi)S} z=Ye5gQwI&OurAAUuQ-f^3~ziWG~Qej#f-MpFf0)F)o?_{3B}fCZ70Q;1n3qFJ{5@2 zT}oux9K#LkA(@=o93RLIPB@r*S67++BOz)$Xw0@S_-#Y2pqV!9HCrY*1)9FHKl@mx zB=1zSwPc0T7{x^%>ELbT%KuHyvBzXNu(6z76kMUSkm`5M&a;>I8Alt$MI=RpbMS2c zJIq_)+3yTJkHd9aHMhRuNu~XDc<@1cA*p~s{D&u|KLY_}qE*46tj|jHWA@~9p5dXj zoeWxTLIu*Il=E)sn~PxBdO~3&JobdY-tHZvd2OUQHg!0s4o7gNa1um*@~4yV`tlT6 z>**0rofbXXQCgbtAkC=QK$pHeQHZ+lD!0$7_lVuuzKsW;{YB?z>8u4)DpAHH+6s6g 
zmnTR2q6eC*JGz>NtRixsb=0Ts2G7Lz}$l~@XQ z_K59OiUzw)zohj)W_%QvaeYp1g8018!0H~81I??ZlXNfH2d?abOrH#EH0(vES|{c| z4Io8C!t+kmFXhEdE~nL2GWFQQS#c`~qfd8dv89jIQs@aH<$Uk`vBT`EbH%7$443Io zC;W-~ggw9hX5DGsxReAhPG1`=Qt`UTtF`fo{*M3?A-p_%eA z^8ONVkv|;zyh$?AFdEz6kq z$9{x{ka!mC zXHrwxK4zcyEZYRGL|-15@yb>cJ@!PYT6 zE;@>{S@}2 z20fQuL(lzC53K&oN|yy?%E)IZa%bW6$6Jo`#@ZRIE;osFgXa=Vl|q~;LRIk&OZ*%EauiJ`wBtopO z@9B!i$|&YRm$Oao(R2pigaciA?vR3rSUt7$5f__aqHezE!C%YizjpFRRZom12ifdz zMU#uAej_dvc%q}2VPt!fugBq>ql~^D!iE>|*KXBzV(sVc#6fDw*Ikv}TpWT;Mf=%R zF2^V&2Vos!?bo`;dh9Dy%SXx$)^#K5h*Zk8`qCF9Y{>ejjU2)ew(?P_fj0Kh?S1)A z4s9*3e;dff$C`3={zI}krkwVfO~_YDZDI7rQe0^J9KzbNwiSv9n(>8Qw?lu`h?btOi<^pILJ` zN;^@{x;HIbP4}5-7R{dS4+Vx+z$d(D@W?${jG2%+`C6wMWHIEo8M!7z@Gr2Y`Bd-4 z@=2kuyI^Trmb3+fp+QO!m*yujR!x&GiY^6*Pr82d)nAG=qF<&(d3>rXJJ;s=JAtBg z;I!Aa&!wC5kWDcBkeP4%Wz{WxoByctgT;=1LY438&iuT`uAQer&ezX5QEaoG1vY)- ztCTw7(*vasS>uOj2QPe)a^3ZY5&VTDBi+Q{C2gRaGmj|eU%t_`i1k!JH@wDyCE|$L zZ^Zj4Av?-#R6^*)Wr$S7@jC_bCyl=qekN&)IRY7=i*IY``vFZbCa>|u5b0oqhGDGQ zouTe>isk0;|N4>K$GLKS%aq*qZkUzkQMz{ibE8|N0W%`yyZ=gN7 zhJ;hrbmu0LBZmJX1?TD>261h^FU0#kol6<`*daX2GrAI}8wE%~Ppx;lY+DFR!n6*w)jA|&>? 
z1q4P1um63|`Aa}Y!kaKzn3+kwX!zG_35{GG#_zW;RWXnVvIhzZSZ|jxT77DY=6`QZ zM@HT_qb(OT=931kpsxw0*4ANWlO=j4!e`zenW||;-kK#TG7ck?g?*lD;MH-l--RR& zWbR%l&P*HH9fr;}#5O)7txJg;m_SyZ(%sOuHF{qu&XmQDHd)1nGS*JOcPP zzMdGx1BHSF<=h%WHLS_I$oNnH_&n|<_F$r2`_#P#`6?&{CJyFyZ zGr!W2XOC&1&z6uaTA+mac9}SwQOXbBbx#2eu11lonVg#1@T*20a@AH=Ya(`ZEG!SX z5>w9pnsB((NwBb3FI^h)@$+*on?&+AXm0m$U!4m84XPvC5`~?u9LW>Zcwksn!gK4(^rXo!}TmE%Xm zNV5!P6D~te1^MvBi?+bB4Z|Qc_dlO)2vkT}H3?>$o;fFtznj=jGDVtw(ZFi$)?>0E zsC{9;G(r{6&Le@5CyvO!ZSU&Zp`Ua2zZ(DqLInqWTm(dO5YhpCEBJrmoBP`AmzaHg zW%mEG&J9-$6&%g&a3v(T|FfU!|BKEI+;WyLZJ${_bTRY%zu%%ki2wi4pkZtH3xSLo zB4ns0NlC?&v{Ao{j3)dWhS*7n9Q__?cBV*P!x(3iZQbh{vJr^|BvRzw5?y!@BVn9~ z;{X5Rf5{*Wzx=UvGUpt%x#8f)6&5z%blT||)w5Zi{|Znwtp0>;J3GO@#g*HaCF=?a-6^ziV#NX!2M~ zZ~CZNMTqf!6up9q@;i#mZ^Vp>7@r1TFWtcWH1mcm{$W9O2yO%>9H?zi)r185 z(W$Af55$X8j%4&<-i zmbXmF0|{oRCx;enp8nlb&yaE-8cDOO{%`LFj!&}DwZm=eM@4_Xi7K<62?5;X`8&b%HWEIh>HB9q zm~hbtH~?Tw`+F=%75yX_v~Q&W`Lk@#5H; znpNM1Mpb}&VzH`2XPe$twseJu4{ux)fS5U8|AHTb0IYV#3b&{BlP8j6ImbSJAbTEt zr_yi>kYYr#{9BtKzzYcW8B&-zPHygpIDq{Y8K+wm(+KWxvC5cT(K z|J)$^oN9 z9$Ok<#rF5f4RB$yE;I$Q&oCr@>wj`J3*;DNa6s6(ZTXHVl(^my#VO}nl#QO#&ySBYCn#g0 z1sE65*hsqdQk8$Yym8 z43LM*T`8#(*;E<2o+tM(sOOkmZ}%C}5wnCH7E;etD?{ z>#JSRJ|M0*Yxw%a-?>JAmpT$c+s8ycvR9klvP86P1RAY)#6ios9gvL2$pXB}qy-NJ zkt}?7T&Ss~1#0SmG=Bcg8x&j3=vA)V~-(Ypo7=C)_0c# zAi$kGDvuuFc@%(jv=dWO9>7-cQLuqpzrfyt=YRV>35#1$SXhrCw&gRlawyP_@cfvO z!5ypEGD`#H-M4SY?W)#ZnX#y6XltLZ>|AzEOjJu26qb+6`Wqzk@)1ujS5{{5^ZE66 z{^Vx;@(0f`I?ta-tDw?jR9!}<<+0+?zh{qi7y>KaANJ%v8dv-GyEVugg6Ua8v>pr*{U ze*Ao@JS0lCqoad`nR&@%XTCXxsLg_<3uj9okM;cocY<;jEpQ$JE$ynP6ep&qLEk&# zRj8snFaV-@4+Kp#gw>pt8)FmT+tOEd72`Nky4rd+yWQ@U!;s3jHyZW>Gvz?vMU$}we|7}X6V z$~#8@KKQ{Kr&axU3QN7_`4j_j_-=>{-L3ccKrlzeg2CW2E^3nU+i&!mAECE!Llko8 z>$4jh(|ia3f;PDM7X*%>T2Hi(nZAGG6Dj=k$&!xQH8v>rn zH!@as^*k*<+)!8g@{h(m>J3j-m4T$s&eQ1~dTDD5iALY)AB*a4V(=~eeS3%abF~n> zCMjj`x9U#boNDwwkhB;Vc(~N~3DopK2U0n=8?b{wox#4)_O$cE_4dHM_B4(TPAI5< z10F#5QTp5OS}tpE|49haN`JSrw-3_j0e%Ba=2d&4B;OUpy#hES-k<|0-d=zz%4$~( 
zjB6w`%t=WxYb5N|!qE!iQE$BscHWw^|G5|>jgd!4vzdl!>aS$kSNgrDX3!rrY6qx^?9k#{ac=*@;v zsuLv!;?&KAL#RA2k+FCIY|pRI;VMBnLsyxd zcwR>}+6Lagzs6TpS@~{n?#B4W;krB~#-O35zD-Lzz=MytHEiDH!qTN3Tn9QE5I>v>CvtQp_2m3#OyPFHjEHfL)7IhDx~) zt*dAzXyE$Y-NZN;YphL&yQ6MfA0P32ixW)0aM>U>p1T_!95pMs`TM+Uo>pk_&608L zO}4Y|Uw+i%I>{n7A`K@wX( zf5Jh58^RzZ^^_qN#AVDT22%52uAKJPNZ9B_g+LL%XpAA)#ntsoz1?0R-AB77F$TuV z&eeTbzQ@NN(Fy>a%FfAwB#LYn-Fgos-{2skNCO+6Bo3<8<7;b^YpkD`P;T0>iWnnr z=wxsxx_JPER%y(YsL0r&8kYx4xlj*$gOSa@WlLJn%Lbq5ZZMtMb@d1toNze?eFRb1WkQ&ZaDX7ft@5bByANx)ItdKmW^H4>brLDpsI!(>ks*x>=K=b+buS$;`#Gc7f*zJ9u&+qZT#ao*@QwsJ7+aN56|G(*wrycOPi6BA}%1{27;u(A9AsNBXNU}kP1Ka?OQ^= zQT#_t`VAvzM?2FcApOEl;3757oR{v< zRT-C3x$2H&1#gt1yx>ttqm`aX=lOfVbRl8kyTKO9v|(mmC4Xv7lUdj&ESvB=?3~{} zW2f!MEYN0iS%J1|I!Imh0!(j@Q@OmeAXTn^(p%Hbm+MhcVEU0;reB?NxLG2a4x7ob71nW|TmAe6J)O$iN5GqL{DSlD>pw+JHTfU$9N>`a3ppQe zww4+l9Iq9SF{+#GU4nlILa+LHn{CLGE#a;&6p?(JbTSnz&&<(49_G;kGl-^Un^Wg=2;?!O7e_GEhR^W73XJh;C z-X*(=cLe)R`4n>Yp!p88SSVzL?ubn;Vz>VDci%=w19pw_a|v`>nNG)&t$Me@qpr%V zrJ->%u_vvcN0M~RTo?FqCMFpqS@%7El|A1bwGk-PF5EcJa&>X}N%YJ7-7^UYO@Le~ zgX3JA8c^kzQZCH62@C&&s z-BaCi9VsSnVLMEe0h*%w#`|hO597GW;cJg;5 zJO&LOXTms*d*J?kc>b+H#&^XrdWdjxHb(Z^e*{;n2z6);6h!3WYOUt8*VIF+JeuEU zBEI+i%wZcpv1iLiC-v3o)ks%Q+%BH1?&eK;-FUmIZ7HG_oJw3-LnP#(-WR`=RBiOw zlg)aZl-L-W`v(qc&yZWwb~ZMUqE72)`rh8I_TxsGg)=liD{6^GZ%f;l{HLZvxLXN5 zlguR-g9W+#sWozh<~bR7G3edqyf7zO!}mwcrq*mx+W{N9l@>)a>0W@WTm`3ydqBz; zT#4@;9Y)4au8|+5Y6h(^{2{clu=v)1Pkj)ioZF^k4BM)AV8EIpwAkoZK&CeJIcz8} zFL(5_&6HgN@^-(ctf38!=4+tXbH(2oI%?F~ywx%^(sm(LH~4D_$ifzlw4sisB99-# z!{&SA9OF}gZQ$Au)I2Q9Y(#~L(}j78^`R+TT_B+$^}7~ZnBYSXL`IGPfOeEv1bluPBv?@+!Bw_3UH-yV>q^po&(`W#i_CI28Po$IXBey{oQmY+S5cq{F7;=XddG8~Nlfa9;(U)E^!cmHG)L z-%~HpaLv|8@4wl1GhH@U&1nf>F^Y_FJ*%Rn2hdJxePsm#lr*)8p`qA}j2LHV(!d$3 z$b*p;>fz|P1L5JzJvd1r`t9q30fS-)ISxir9^4r|%EHpJs-^}4J`J{nrRNrDY8^Z( zz`g>fM^~2&#j_>>xqAg1@C+7GWN`rD-&zW>4}@5|6~>=N%m!N}w!bR|SIsK?P10u)z}@K{DnV zTcvF7KAhZ8T+l6ohAH5K6pq>Huq9L}zc_>?p8Jm^%eu6jd5u;5Xu_&oS(^ITZG92X 
zTk2o6#hTh_>(rBqc@3t-qgCxsqLN0%g{zO%zBGZ-lTd?)fX{3^n+? zfHNK*^tjYCDDP7a!O7$6{Dn3u_ z{}Prbt(4m`0@;s0iFuC&yRx(6P*nBosV*Nr8p+!)zqWTEZ7r2qyuisaXc{4P;g$Uv zosU=-O3{i9z1$Y8VQxb2I-5)PtJoQ{VBCsEHLe$1tw&xhp1O#Qyf!5v~c*yC>rG`<#=;KE<~{D%0oQ|TmvkF zdBD^>#eKj)24dr>t}xXyMNXoK;H6+sW*7N&;M&Wl4~1Eb5VF{P?!zn zxyi}&b{T@%bepAa`}4rr|DMR*VU^ERta-i*TUwOneVpu3V$x|=>>o( z)@Nj5f`}Zm3^oZ=m!fJTg0 zJs=O3g1rX0*XLj9>FJ*0liDJMZW47%eD7W~=s$#$om;n(uwV}H8z5CVr}kW-+tH=w z8g85`ThBc?ggAwBwmUF1dvUxcbYk+}U%|&e&`%}Tc5q`{E$8sSY|<9IV)+OEUg2r4 z-h39g(xr`9)(sEQTVoQMmF_KpI&_t{|JI1pCS4~bU%!x6t@9A1naj%7CaNy=@>2Za z178i@nNRt>zRt!ciKf55QnA_i)Gb1_pmRre(Y}hp!v|M$qlccS;uTRxMgk9MCn-^=}MB-L5Ia95`n3A7BrNJTtIA-K|533hTZ%NLW1n@++u` zWb?rHygAOn?fSZ8p@En3OH~JItj}<6m)w>Z(=_2q`p$covWL$~6X15-FC7OiPQ#v~ zIzYh{WPO4)*|by1IaQ7yd>WmfEa9M;U#9;(w#dO3Y8b!0?ci5`X*vHs?iCN~n}$ze z3dS)Uji#0ssK{GfT$IaD9y^2y(%2Xet*oq|+{oHGSBg0}JUmePhI?`pVAa$hnujb& zFy&2SXd2Ad^(SdaaWFJwqNy!Kp{svMBq8mp1>mi&4hqS%bJbD3^9u_N->9Ot$p;)^ z_B7;bcCS(J6ggvLdE!>~j$v?FuKMj5S?ivm(o_@x*KNELh_+u^0c4@P>cO7U zkT(2LC|@GU^ZkQJsVr-w_%doT*6s)W;~?G%{1Qn#!`A~|UaE5}_&5J&j%gy6?ip z&ca!k8Pg0BQ0F!@>qvn(LhbKo?fiqC<%qS8?t9YGv@9&C9#~42$nA00%Uz-V}qT}2a4!nHZ*i+F*5oLp-p-_ z#2Ij63NB5#OnRAJ4TabcLV_VLNamrkwYgj#zN0j2A6gFtxW)6sp+HDzsMZd$4XX4L z-iL>4sH+2r1@S_F;6*gzBV185x1@x;HUsDdNLgUmIuvYoHiTHa>yw%;<{co zB}Qt^Motw*298c~lsvM*7J2Q9a-I&1^2q)}Dp}dC(su1E*X~X>_8*AE#U+<=*H*UJ z!L^b~-v3NcfCPp4fm)x z5cYZAyJ};hvX2wLLl#5-mRqxOAau<7EUFWTdPI|><0vCHFPtwykem&)lWhbq`+bM+W z?!dY7&Pvi#HxU`*FchDg6zh%?^;f^+CxujviLR2RHw1-|`FbaQs1G0JsBFE(O1a*r zN@m6qs*bd&3{>}EAq~x7!y1o7m=>bnDX^}z-1YkU6oyXn_!So{Mx20?P!r}IZ$Dz| zoj&b6)$;@{YLx{$VK9a7utytVn!=v~%qk|ul*CX-OSEQ}p<$52hRN$b6`GK@Va?tSqRCnI1D_p2T)^htAe}NEV zN=ZSzZ-f>(jcnAOzj7?G_W)x)>#iV}sGl|zv#o0G)O03z6 zU~rOKbkGg4q6s?V!c-LBdU+Y=$D8CQw`KiI71 zJrRqz^c?zXb@+WDvHO|SO8;VLx`}FI(90{@>U&|O1S6J*=5yURk zbQB#@1vyw9Q}|4omNu8VAaEFx@H*PQbVrA2{t7#Fq4vQHPm>imMP-I-SbEj7jk!6d5W5s6s`($z)Z4VHIHDhUyUMp^ z%dO3lxovUFJI}z5-&m$1`8A~X!H4bk-h&3%cy}0Dx}E4nJq?MusxT#@j^us`K;OL6 
zqDvuzb$ra?=JRpbfxN3s)p8Em&0k+njfUUMps;F}h%#AEh+K={PK7 z{qcpin^_0~Qf4|de!>~k{#*CUmHD~3Urc??kchV@)*`Lf>A*$b4GL6Asn8v8g|y}G zMt(f?Wm4YB>I=p5-`7-%N*F532{HdSY;p;iM#%VlAZEmqAFlke;BCzFd>0s{1UQjk zisV|s;9T}~B0{>mg9Hd@JTX@IIu})IlyJ!BWNnyX7}QD;IIZ)hVYtWPuB>+5tY+ z%8&$v|7rLuE2~cF`%cRBg_Le0ckde8D>VT*0HFW!P6b-IF)#_+1Fj zwp2S;mnTrpDCPn74jv$STb*6xMrKkAjAg%J$Z@&iw`n_L!fa1 zkfv8-a~l~O`>BsJkq6_UP`+i1M{Gml6c!$ShY*vsSw>n~m6M{8 z4@%l05qESHn={{zhTiKImjU1aAf?=gQ%p<`%D}NOS{pBi=TuiSIK!OS4NW3#6BAZK z86slhD5;LlPX7YVHkBAz7;q2}9$-#e*IQRt2k>!K7J&5MIzSk3$!zN@BFZEXyhVOE0w)J18&lw8pC;TSdun1b zpZsm)4hPa_`v5mZ9GE-`eMiv8e4~lWcI6}sp1Dv3nGC!NVsI<$lt_Ekw}!2az6B)R z&}0uo!v&^Y_AEYn7d^KucS*0xm6Q>PT7od>gTmquo7nNnWg_@>yOU24nTH~*ZEPrm zrCgw8re;c$Q?B^nry-D^V2Nx6(z$Enb1;?mD_K;iG zg`F6Ua+0P4#mk#P`rv~|qpgyP3T=3;XhaGFp&)SP7{73y(=9Bww&JZ|81zovHVlu1 zV@+3rBvPa$#0f=Umz6;07RXN|BrX6#urq)_*xsIhHND?LM_aoy9GjOKW01?&gMi2Z zz{01_itsQb@oIg4=>Dh9aZE*1?|5l|^jBf#2wuKR!^jxdF%MlRpk)EH2Xnr0rUE@H zw6&p$&p9;M0I-~&@KN_Kc-hACGL&&&<^ueF=2?WL@s+doY+IxN6-7(Nqt=^U(>htF! 
z4T+6$g8qTMyT%=TSgUL*ipGwZ-q zK~=sD^hDH4Q=CeEeo4qqG5t4WZ;vRqAYYz|;d%}bUmr0y*<(ktyzqLmr7F>{8d`zi_Aktv4{38q>OE?vPURW*G~u*ID@fa{p6f z;t3+aQ1-2%L5@nABA9XkYJ%TN4(pt4X!4{~`|2{1Hf$k7G?>l@G(rXjpHw-!+S+^{ zK3#324U>kpAj(<5yUjb4Yv+FdsnTi$aOI{Y0KbxW#PMLk3HrPp6>eVK0pp;ZYf3E*Vq{!jy;~=4$6r1-jA(2Ybst0nQGukU5Q`a11rFAWT!ubi5O25g}u+$UOo?|8*zq2&QX57=a2 zVLiEq4~K?^U<5G;e+CBLn1!JGOAfANL+>6D5gZ(x)=geH*!(Rmk|)#$kTxycG0_B~ z&k|M|fM1x>-B!GC0?ZiXvH)$tkX^reK2)T~+6+e=!A08HHpMFmQ1@0EU+=>LLd zF$P?Z|D-*_!^Wwd=96b6A`ETnFqB5gG48A0;b|FYM16M1OL^t2oT8wQUI$tv_@X%8 zxJ%06YCg_?p~cne=9Wr+n?`-Xf-ZrAvanw7qB*oK>`D@P6{-fE0$_4+Au3&-t=DM% z)~FZ6j3q$JCjL)!ZgTBX7Li<-ORiiTc&K}RQ7Q{KekFN+XmW@I#1Nz(MciEczxJIsgJ zWnCg7+}d*&vUprCt<|P}^tlLgtLVwRGVgV&VF|su$sj zTKuUgYE>y(QEzQtiIN1Y<;ldszELsIqmZpbdUUVG^v3@QeOvicCaT<`IzGDceYI$k zNa;HrpstQzbMsPd{;q})B9goXZ87>a_{?Ni=bg7EG4#B%c!Vsy_CPXo{`oU})yx>F z4_=9NThEnsaa*&E(|O_Y7(z)Qm!C6(gi=6v0ip1fx5X7iU6;S!OG%!jS33!ITcFI+ z)lQxhwKJ_QzW&?qxb-^=)8A!Y1(e$6y^4|jfb4B>OzEtM!0J3k z+m@aOAfC)Xp^z~sA)B!Wct?2SR(A?Zm#)&||J?7cm>2jU>Umxz-p)a67T|wj(}#a} zG~EIiNo4N!uvrr@ay}9zZ>JsnC7ITvQ)N_l=bZEX00D6XS)=oM`C&^Zo@{#_GxBn%^Ed!@jS z?D~B#GhANtjuJ}^hfpgA($t@1A*+MCX^_Bz_`}5)j|pA#lUq|+!XwxFb9P88_>)<~ zEe4)lj7;&qar^5)pf&$&Kc;z62Z&8EgrLmmvJXA!5uUJaH~b|*yn#r6$d9A}@v1!6 zeSFYpFkxf_LgR!yJrC*IF-Rr89}gbSb1m<=d(^mYeoDIg)gla4D=6(_Z)fy-;b7(q z->3b}*-iG;mu(E!Q{UHNxorpUZ!P0(iX}PtiBBGgoZ`R43B0Su;(cg;SeLN(Yvj&2 zWA1e7=zIUWt3-8m?#~%tr9bG0g~XL86w42{;C4?pbg84lRf7$dB{1`#>YeAE!s7g# zt=+PpOK-xiUG=tC+|zln3)iwsnjlu;~kXb~3w-&#dCyX4n_$vY`5fLciU5H7}kM zDO6MGt3d6NH!?b^cXsKk_WhYHSK{l4g2hl=;)PA>e|?PT$HfiCG`cz> z1>e2RSv!FV0x_+ab>xJ%R>))+1_hy$WLZ?TQp`H>^h?DlS>ksFEywLMgI3CMzi^N& zWRKWB&xZ-$m+Y{(%0wPRk0Swq&a(zuK$2=$0L`Rk3Q#fVALC@6t)8kdWsrltxFrsh z6i-d`3e({WPMW|DCK=!2_ZbhgNnd8vVzCS<_{o9CKrayJt3uH_Y#8CBP}z~B5QT!{ zienV-B7t8Tg?f(2lb`bzoRGE*=!BP5uZ=bg86u_3)yAh-dH%fX855!gV3xkI+>S!+ewk}Xt=wd&@5Pfj_COp zF~oeiJ=s8zO`N~@>3w>lz~4HK7eE0MnmvW5v->VJzQu9&5N~{n8@rD4T6tq|w<+@G z7i*#|*!}m09h0 
zK59;K0)L}=AUDv#V(2rKnXF%aOpfY?$4ot8m_%PcA|B(7-%^~;r5I%!*f>5(6I^(} zzX-3X=kKw7|BY0V6#udf{*Oy6<)fw7LUAG#2JUQh#0ht#^a(e(r+=ky0A zNMnz;uJHLbL=EGkvoge zPTK&)_9v0@dMqwkDDUsr_PQ@vD+4B!Mjz;3i6MwGELQLL_HMf zxSql(>DiX6)MiLBUK)skJ#6~%HbB1TSkex_!m5?Z_t6ADA&7GguzGadC31sUWu9ZW z=*Wt;Q)Qq)kYiwYZR56z4qeXTCP-n82Zc#C0)|#)eV&dF%AlHhKiT;Nx>aN&VqWoV zM@})L+2C$U>_U@v70z#uGnU__N}A?}{|b|TD!6F=#UV@1m3C&OUwij$d6ziS-jtWd z`rhL5C-FaO2rnTEaNG6qKQO)aq)>jrQ6RL8&|4fjCSVr> zRI8&s@A@aS8ptZqRQ!*Jy|TmcUkDBs5ELH##XTx9ohnQ91?mYu4sCtE$K6X5P9gfs zf~nzt!+(?P=>noTZE$#QISN^Vm&ToDG|)d_lIMKiW#y?J!)6JuXws@ki|fdc9uslm zVdC1M-R$^}-4anPD3%i|qn{sQ)+1y1A7>u!#$ zP1*$4^hfDuxOWXCJ*!t2IleSVbH;(U6J$UymEl*523jSECR2no8vH+Sa35~$9-+R7 zUQ~(WBL*O{3JA^*$lb=*U1r)hTAkwPxb0eizln6{y{m_I~T zF6rtIj+b_hGb3{yVmf<~op7ICl{a^-zLS|vr*x?oeXh5bk%ZU#4%S^PWQrJu-C|Q5 zDiED&W7ppPvLT&&V=&6hTF}-)krDh5V;ad}u$%8~vHhxYvQ7S8M0Fz7DMWIiD@=sR zTD6vb#5a2z+LbEr9p1X>8Q>2;=$Y*$#ilbkygnJGtyE}D;dVd!fYuqe2@C%PMgaJZ z0FS_^21bGd%ypXW$WI)I&9h9?aiC#N`{7ZvE1!PVo~`3Rh;1%+15FQa0|YnV<>9hK zm=O?_-n}Pg6rfur$@6}g^7+BuZ(yPAuKxzsC5PrVa7jSPZeqwn&;aWQUnUyF;V1V;1quMZXi;pEwt$w`Z|VY(f^p+xrcxHFt6kU{AcHaVKry&wzyW@@8Uq{B}=2N z2%i*e{xEcT(71l7Xq)Zs`Joe5&ha_C3PgNe8cBi5DJpueoMqqH z;UgJS-@oK`$6Tk~*==JV`8xIqeN{D|TH$Z!=Tbv=KJL%dV#DDM$lgDN!+9b!kMn{3 z%}?CD50GpLtrEQ!=jVNazjD?sngXQmF5vzUYQp@8Ui;PR#CORdcL%=J0;&%-(C+K( z(8RZ0ppzl`+;mgxU>fqVRTFVzetD|9xb>pT4R)RycOX|Rf54vie}zkekG3ZK1({8^U7AZGKtg+u%xR0F4O;cIGq+&9ukG_?M|!Z7+FLRY-N4xQ$z7b6bS z$T(?a3-D+B-rf<~!dhvf$jGs4poxuK#71__R)fAk49jzj0z7Gal2O8wr~=cB3r787 zxG9Lg6a593@?}TpWbV}f`$E6obfCy}4LfJg(b256c?~#3Dy|)4ihuj^Ge#E)GEHg^ z&U?>FdbjCqn(oLSQzq0x5W$82S}XpTjWoGcBSDHoG5Ot+RdIc8YdHw~ji<=VGtG~g^aYk;`HYVHFb`W*kLX%NI~ zBsR&5(1pi z(RBW0-rpTxeR1F*Iz1nt9@na&6v7LG7;VV%B$rQ(-z zc|K>%h;$37rjA7Y_%;Hr6pX6XplmD7^hDajm!}_Jb!-ioiE#IX6$>}f`4q9Lt~$v~ zs38IzGKWC(48gvg5}e|u(3U}&t%0H4Akc$2TmUuRd{uIGjtFksW?jC(S@7K0TDKtZ zwM53q*MG)L20r`1or_REPJa^l%*$gD?{2KYld5IZR*65P4Mi#X(TxsUu`U}w+NyQV{`F4Yt5+LDd8VLsV1;e2ed-MgHTLo;nIU4|FgmsBJCy#bV 
z$%I_k?uj*&^Zm1fe2GjcGpY5E5X=x?7RsT7EyqHRf$;y!zEJ4eE=zs=esRj;&&xeT z4YfIcMt6cxIb)pnIXsux7n-r~wS=C-?Oazfxi4qT>_Umu(r`_m(&xQ%XRfsv3J&vm z<&!-JhM%H8CBB5tt`MLeia#XEf%D`7HHrK(rXEBgQsR>6-^4Q;_P&YMbU@-H@5!#; z<&FM)p9QE8OMeA4M!mHaVo*7I^q1&gBOFs2((g+$-H%E8q4ddpJ2=+r7c(-AA%$)c zEY-|S{kO$UBga>I`RypQ5Ff$BxA)RvbM8!BnoHQZ%ch7&It~kZ4w%hUr+d*uOCPp` zRxwGYOES+v2;eSLcnm0+*2LtloBLGn#{~ln^lxca(lS?oz6k7k?<6-1T}i9TOPT98 zt2Z0lAbz+CU^9LjdH-X3%x`SL8Loh&h&5C06-L6mIf3F z|4QmB5i>2=&61flHP?^vKh-%@qaa3c@^J`+aEQ?C$~*C5S9}}s+p$E2_M-@Hh3$ZI zA&HN@$DE4q&`=(T#MX3EzEW5*yJ*r;bxu1NNL~#^fqO1^E5q+2alf(y2WiL{igJv_ ze#_CCPcsnp?VC(Z4QP7oX|y1ME9U~-m86LO$s#q9rkf1WxCOX}1V56^A&{QhF~xoB z$4w;IbNl)ZJDhyM6bzdi+fPk}gga6OW!$!Y;H8PWtUu6)IU>b>0>L>+@Dn510R8X- zdwJzCSBf_TrGG;JC^Mk_-Ct!u=kt{jX+a_hQ4e)DnI{kX0mbCigMOs)G9%*5(U5Ve z0wAXD`7BMg1{xWVTfuG>#|}lcB<^S;&~hG<4eYntv*um7!9u<<=VXY8zq*#Ic~c(S zaAWE|N~BINe3X9YNKj`&cAW#mTBiSGEc6Our?sI0YwfcayY&!YX=gWUA3|7AtSJuJy$hd67?=5a;(?cU}d~T?1xv zjATFK*-~6jYk}V`3&;4kHj)0CdW#F)uXkQ1p%%zGq$u4g{^&E46WlYg4H~9gU+9LM zn%a#k<({)fs~=lr=OBB)d9K}#&gh^A-eCxdK79b-_Vl-$k4se0N}8N}8YnoR=&w?N zaU7j?h5T5M0?dtPQc$kJVE_mLBF4)+WS6i9#6uME$jQz{S7IN1=Ntm-L+~D430Y zV`MO;8T(XTukBf2U zR5grR-PIN94>rkZ%YN)D=`H+Ch<84g(XZCVynGNNjI4+MRyl5s7Kao74Q~mRf|&C*;$*puwQ!kKAfpGrTr;YG?LvN_ zyn7a0GaO*MS;|52H}W@8NYQ{>cMtOQWJ1sp=0uyZz+-9YH|avxe0vk_*tL98551NP zSY@aXsnjz$xfgqCK!U}Il45!DD##KYc6*KH#dJ26^aj_sQ!KNdv@^p81~sVI^X8Y& zsdF0UcFj>BPk!)a@YE6qU1E|L{&#H+`-|kEeWki`Tsdv*pO1ddHgVfyJSKaSrzXrU z`nD;>iDEHnw}x)1xtFAgj0;izG(7)UZHd!Y{&(@JO?$@}{)#B0P2r9< zG)c$tOM}|gmo}E;6|XExLDR6-ZT&qbXB8@A*rLq;ycbB2-}#(A;jtlBs$Fd}UQz9F zAW~*R=e39A8I)$STB^{o5d4`ZX!%6G#Cbm-1Cw2>iif3fWO~h~d#TVcMyE`BMZ|-s z%zl3~TfNZvylwJ=s`y9%{q_JL>3W?UU@CKOlkYmpwtsmdKtnh{BqS}Z;C)zXxwEvH z+Ntb`4k#D0U}77Ly-G{}?C`d`Z{S{R%rf$0(f7vkkdU86MREZFam3e4Opn7QzB?Z- zp6s8syl430b<{2DgOtCSTbR>1GR>`1=FLEA*j00dxHen$Il^;jWcnf~tU6ouJazE- z%GUmO(~BKHVoe#na)S_k9yc%MR|BFOma{M60%chOVa4z&4VNvZUJeha@} z-n=;Z2Nb>Abr(A=mbrxmwhK@qC>3$ctEOTPXvfA&`&_&I0lk9_mnNz`Bz*@7`_0m% 
z!)VPR9R)j^QYnh%{Se+Pr|dw>Y|;NrYaeE+Tkx!$9_=jjS7bq<%%j)>)6c(-Vs2|} zUVIWnmr`}{KAa~0o2;CEPt^Iw^Pk_k_oYxtd~$L`=zn7w)?!IYgqBVKPjvuZM#WYm zoo9;h^6(VF;H}avv{sYBb;7>+A(1#^_D25ZJI-gx zs^|-Xa1Nq5#X_fVO2gn}v_mHh`ukpN^?e2mzCw@8z49hGRUA#947ee$gLK86kKoD5 z1xpii_kad2=?3#`NdRigMLFj(ZCvwpDC( z3nUx9cUHDI9w_D{zdMlZfR!aD6JMQWaRT1w*y4EsP)0}$4fhCCp6o$O5_NYZunKpS zGQB>~{hymk040zfdIdZyMi#QD!s)20Rv}S?Z~)UF;LjXn@Yt_Y+7%y=YC5KbRL4W~ z05_D`p$o7MKmcjDDskl%rAuM(a}r6&a_-w|g)mCKl*>F!O8?uvT?!cwgbNe0U0VN= zYsJTIB9Bb@8K15;*I7*hY48E5F^br`wzC(Y)ozR19{Qxf!m#f><_ZfjNNl8?dk>4MZIHxCt6+&pnmYk zIo#9d0GGtMEJzACrkp2#*m9J9TYe3l^b6KXq3>PXTO>2wU;c{<4gNrH|2!gB_5gPP zvQh)B(GMj5^LyGlw&=v%!aI1|>20TxxU$)ib_!kK;?F{UZ~U}Dt%YR>Tl^K(DkR)K z!xq#Do%nRkEZOp3kf(;e_knGXX?xmhxBT^)ez^lpxkVHqXv~ge;&3@eFx)SGzElr6 zDc?0*tDdCWq>^Z=aQ+KTy zEM0sF;=e2^f<|e$u)FE*7uTRkmtEDj4aiOwv&smauB12puUTT`AX?NsO*2S;=cJJ( z-2C6$zDDH)lYwbUV!D$*_#egtv^}ZhMvl(<_9CI61;K=YFcBoybV8dKH_#`eK@kSX z^^AXvA$t@?TbjVv%D6+xeTO#e(C6QCsn5*GA5BoLm5$@ zbHowx6Ew&Z0kW5$vs*d25sw}}o+rN&$J4*EmvbR*i8$+j3CV}BA@TLjiDHA_nZ?D$ zU|oxgqxQsCt%*@Ligi&&Q~rjARJ)kmiP*r|{8*kK(RP40HI1>38&5kdc7=mDOo zGBtk)KSGIweYviW&jrlKgn@syFn$1ubm034DyEPO8N_viHzv|6NKWXBLP?w;8aNtM zIWv@l87T34nQb-yp~1I=fz_Ro{Cwmsa#LgDczL$NFJ)yKx$02m(bKe?shbG_IE?gL zq0E3ul~8&4$fNVJ){2Owyc-FnX>KnMBjP?s;#_s&=CsmV6-AAhhT~EWt^Oynf*aX zCgttA{D(D68dGVKF24_609AZuNQ zASe$_Rq0CZPL;@4<il8D#3?R+gOE6dNfm6m>+pAQ#nwvD-_M$5uH72b_M_r~X& zdUh_hE0oSdH4%skXKpk3!-TI*8juMoXTeNUs6NL_gFvIiI77*7lc@PO%NfHVJnlrQ!9nz=lEF z&E4%c-cRJ@SQZ81S71?f*QNM@T@q4b;TgJhdze!{85}975AZYewDekLIM(k%0SlX9 z7vzkK@!sp#_}3`qu&ShFm-WHP@v%Hx6immEl*I72 ze#Uk!7)%rVw{bfm6*?~A1zfxRLH1@OltzF1#woza!NP*cq^hq^T&u3827B;zx^#MQ zXlSE{shJscT50I{tMO(d=J!j`$snIT^?kIt$QA|Frd^YhjDd++$$2ni!9M~OH`ro! 
zKIwBl7_@b?^tlxN(mFkh8guh>UD8@9?Cw^8?d<;xykrF>;}GDCV47WRbc3TX;qQW2JeNn!o^QIifQDINCrWL5{p1LXobG$)bDn>a#j3d32B&-g}6Cd`2|pK>UN1S_0fkY{m_z6220 z1wGu4Kc^i4&nZuS$y1gb5fL0piN8{>KP`B~8MkAZH!N{sDRndDmYQkGcYGxV z-HK>hG%gSv=Uz}jB*G14Uh`Z@1Ovc$X)c&=jhgU)W*LA7#-ro&Q;YlW+RMRY&2G8U z_&lqyv9)c{dN7!$CnqP@i1{9-Qevt%h#N=L8}Py0n@iuUHpy?e&bL!+KYDTu(|R#e zWHXdKrRj^Sy-x0Rly-J^5)=PsMwESB-qgf4j<#L}NRpdm!Sx206rSEB zTXh|o0zH>L?Ah=ZQP<5I;_0=uwO~bV@;($-c6R>$`{nBT`um_DMa~$us4H&}=H}*J z`5@E89QK+bHG^XcgSwh^%N?3~dy9YkI2@F4j0MYSE0AC_S(B^E>G$T%OYuMQcqtBd zhb(_PZ%7z#rDBMLsf9(;nlCiBe(L?s_|!qTbs>m#^<9x;5EKS~H4#Wa4;+2*;ZuBk z{Aii&ECVQgH`QTqsTfRTj*pDQP<(_3mUjBC-l)$Q%v*-#uZ!oB4C?${4ly^Qwg>c$-b}BAh3MS&ijl^ZsOqH{Ic$~cih@KTbI5k`qy^U@T0<9?AG_h21Rf{lGo0hj89I09crOLr-<9o@d+zyA|e8W0(Y`v2GW z5K5x{uW#Kqr!I3(-eW|QLn7%2!GA?yJ_=9M{^Ns&&@cU{lrpmi&C$?FA?5eg#pS}k zJy!DBS++J{?J>O1PZut_CERCD*e?d>A2@NN>CZT;7>QnUZX3|>yaaNyF}%^o@*Sup zT;UraRrI z(MW5eiUTFGi(kskA_?^cn5H(BKa|AC)V)3E2b0VvLX#R|LDZpz5Q9Pk=STFxX+5^* z8~$HZk-Yga0+XG|XL{imbl<%XmLy8)X1eLLqy9jny{gYf*Ve_(ECng-tG%?DLx{%LszdriEZD=|9WSvBEN9*G05R4M%C3aPCT}LFx5OS$Xa{y@J{E zMeSQ~Gnrp$HgKijK!C`a69keOii|~){;e%lV)>Q|EY;>7T{|+ht8g5(?YbQ;7vrVD1Mc>m&N@1T)N+M=LCs1>tw@b$->Aw}_nj&rx=hn|l37Xd zeTPEbREyUwp7S+oeU5aCwTek?SF9?w5pL9CzE%#Qzx}LXc2(1J`614H)v&|r`y7%% z#!hBOBfQcbu~9v|1X?6e)98wtO6E7IL5IwBk@)&ad1#G@dmVb#BZj z#(gW1lYGn7Y2sJN0kK}$1TxKuS>7xa1zJf$6i`KHppQzSW9MTXdg8Nr}gl3GI zT;9ZBnhnh2_{IZiIr~#h068@6=GC_rspzj*FHJL1%eN&c+W6Zs0VP@ZX?-QVpcMXi zW0C^58V}X;Q1W}Y3HU$U7D$#3qxvwf$-Q4pZELui7ZJMW((%Mynl-TSh9(qvL%u^n zA$O-mB{utqXLEbqln@`X4c{IVBLFDEYbfJ~6>#W_kWA zIa_zlZRyJ!0X2Rx0XkIT%c*1TP*9$ocm(iZ5$#xXweJ|yt+CX_X>YXH51ypD|Dgio zKlX|Md8ef}5VLWPXymHB?%R4qbCg=)c*V)4=AIes&z2_Jw~`ZFDMhbO2EKByBgC5` zi0RMqn6QX8PUn}yFk*xwN8bBiLUs)w96B`(Tba~L563DNN;U*uXK`z*ILm zi4G-c7m59!=7I^c9G19iZ|@%h1#}TxO~o|VJ&PNd1M7)UKO5Fb`aZOfRkM67MTC5D zM^{JH>W!nJ2q@@NwVu2o?s6LevEky+hj@^L50P>540G}h-74aNem&eP+Tck9n~18a;dQ*^oJp3&>FQEq#yL<`86w(s}Kup<>(;`F;eq~?w9UqA8x z8ymUoyFPd&`o6dO-0}OHm-TBjou_(qhKT6KkcJO=8($bW43sbnahZmAhuqi+FW>1E 
zOWpmQj^dqU_P;AK?tMnyy&>V|TO+W4$VzyGv(;PK>pL<2hh~Lar`1)CN zb*jmBfv{R)bj5>q@)`1&gK(!I;CFN55(@8)UHpes*)Iezzr8DX zBCXi_OqE&B)p)9}wc5j1HD@X_0E^X(jZim=kQB73|= zadz~bmTd`-m)$#Nh$lOYWe#Y=^d;u+NStg|cjDISID2_Kf3`l_>)|TFcetlQU9Q#^ zkY4F?^hkf}@chjrdB$c!>hEm)IaH5F=-iCCp_;?=Si*ABNmk(#4dWA5QGp6}@! zPKI%*wGW5V(nx&#;TA=d)bo(;^^GU4aK~gmuj7u6m%A}#>aQ7=apX; z{hQEl$1ZAfkW8oowl zTXc@g$Jf?_HShRO(xGPUn!*PU=4>`&!g-(YxS+ELr?j@?@e~ zZu;)6u?>fGhHO>GvbEi=GbhU5E|$o_h{eWw;-$RU8}_RUdBnI9OQ$6i4)^`3uj;73 zwH)O*=6KVoF>`!`(y)=3+dBGKS@EJ5`GPOyfYKy`JJVC+-XJ6SQ;Cl&OO>VUDyi51 z_e}?@NUSZ>IarV2s8l!}eCj`%L&beRpV3!0jlXN#wI}-pe!$oAt*z^maP%)EDb^LK zQC;Wv`hIE57Djn9F* zc+9c@|Nct@VQ)txKlnNIr{t$p=2irY_t{+x{+`pjkq^&yZ49T!8yYq=awR1mOFWJ^ zx?18e?Pax86+G~s`{8K`YU?8&wMsJ1YWr4~Q0r5(=+?_w$?&0!CpLe}Fg`<_Oq6i{ zU7+wQ>_d#tK$)O}6sBcRr<8HBwBf+$4Tct^HRCDgUujB~v<{7XaGet~S-1C<*0LzZ2WY z)|W$_jZU6Rhh35)nBCEu5xFrPDV=>~K9&58{NYRhgQzo!BsqtoAN}66eJ4tWoKpD6^&h+>m;?^x}BXSE>@qEyG)qQrvlvJ`+0Ruc$&lP`~UA4d^Wz zT5~1|SwpFogy1+*U+ZYm__3ew`(ff>Z9`_Wmi}P`-qyIwq;G~o_`_ww?18%*2)mM# zp$C$W2WuYXGU%w%axWEFsEtE`mtW9#$dwZ(YYc}!r~GvB-uT68>XiT6Dn~mkZ+9p=(UEz}(qzq-C90XIs@JJv#8cVp@V8yE%(m6+uft)L3ffGI#2e;L++)g$$ za$Zw&ai2X>`Y?&NyyK0Sbj2INH-?*iE>0I`X=r?B!Y)wPqH9m* zc`t%*;0c6Zk~quX-JN2`3Qy&d;GcYtmB#Rp#Mpa_p>d394p6`c?EW(x58IJ*Wh{7a zZUi?nZtv8-i0>X4c)+eWySeQOjVUMbl+Rf+1fC?{qgJ3Jd^kbGekx*`xixHVx(EBJj4Iu^y8A|M+5l*EpS-l~s7-yg)mbC(csZ z9a^zNt>;Vq!(@PHXYKBrY7di1C2RdJ_TDa1%6R-_C{5JaRwLGtuDDBY+us31s4 zcMAwe2#O#`Nh3%ojUbI6C?F-BQqn2X&9{&9zB6Y==Y8h+n7_X3o68aXf#=+3?X~X} zd#$xq>41JkgPX{~Oe}++lcrU zg$^iK6;~6=nV#|D_Yfzi4J<@_y6Zz8D1Wdvy`fY&S?}XyYw9-TXx%mPwVda9C3Rge z`m2w!1v&m>r+LTAtJlcZ$)qd#9zQAOhw`3&e4N>{776m9%xqi(==Dv5&KzX5&0;Ca z`Mnp@S8mNhZpg=|Y~)v+E<(}Zdlx}p8F~A(y>!L<$1kV*oxrf|kdUt#00Z@jv>oHU zi+mD$0{V)v1SchqbG00Bg+`xyc3_S#$|5H&evDayMJv)c?jh>bw{faf#C@8#{pLt9 z8AnU^PClsrR}q>sAHS)tcjl#p=>snUXFrZ*q19^y|*=4jy#!@lqPb)I<=Rypu(v48OGxDw;x z(sg=e!*qq)<)57Q>Z>>nQU!9V?(6T$jt}IeOooK7*Al}6nB`8Ga=^OWY08G2w=Z!G 
zylPS{ax{+`oDkiTCY1m963w*`$kYNnBGKfPEPdu$IoB~|JK0`?`;-RQRhz6K_Y+^;v;|NU-N4)0su4Vq47a z`FR&w-h|k0u52(YZU~;xM7z!1oX*Qkz8&?Nv@F0X=@by1{M}uuCb)%-R6!G*kmuMr zQ-joK@~<(}L+`qoL%B|WQRtvHqTd&3vT3>UGA@@%6bI6_l(S@y-|1NY}~8;!EtOW-^|+ejbU<7L=u zPkSi<(fGjE1*oc6{bY7fpC1#~;B17$JNIp%$bxR-;Fo(s6JEo4S~OyNgkXTUJX8g1 z`IE!SZFiXWr0##DE!oI)nl|6a^XvF}soHM8jF(N{-|6^4V|vW^+jIo}s@yE>I^xgBwm zb*y$5PveD1WYhZV-qjAUEPW+gvCPB3_hn)lPylb2`Ks^@qmq`Ag#n$PSqCybK%$g< z{w(h?|F5@CGy9yVrbx59Q6v(1O<3k7tjS)7ncIDP>qgIgzxz)jZbWF9qBqRJKI2es zpC-7Pe6sIbsqK!gqot6bMnQRdL6i`lX zO|;7o=^k?xF}~TOivA9mFh~g888AXn{)E(TaVwc@ng7n3Ja~!YJ;=+#gRaGl{&>2; z(^O7QPT^^ZZ1c9M`I_dGa8OUXOb`6jx~Yv-lDxgu`67Mm&&Yd|r|lU=k*BCB2El&1 zjJm^g%{SU{v6N=(LR#*X*CkorT6h7@UXNeFHNcJ;RMG%3Y+OPrPm7{S!F0tB;kvuS z>53$YmMgw@_N1WGU?VSi>8q)1SN%SPZ$byp1jh$DP#?xtbd`g)Iqy?9?X{t8zF)9^ zY8fE>-9giM*Jw5k{P3uFA5{A+ZNiNBqw0yYB~<%PHsG)`g)S|zUe~ghv{*^b%-3#G z_M}?)1m_Pw%?qOD$%%cK&`x)@5N*w#DBN-eICzs>c2j9ro7t^9NGs@oWZcLUP!gMX z*D1~USJzb5xy)mTm6_lHdGl!l?gQd}_qlF#zbC#ppfGAR#T}D)vFZwI*~wapi}u0~ zVS7;4H2|b_&9@>6kcv+**hJ@r*IX@DNk8P+^V0~c2&e4W-#@-5O#I`GpY`z_L#@vT z9Ob9m?0Y`EN!ZlUT&+M*Jw8HEo0;IHV!pV2me5s~hh#uORHP+Z`z(j0eQBb~r>Kvv zl)`Uw95x&3XTC}{Dd;|3PIpQ&8)gQvX~$9FnKa=0>5!kDoB%q>pL_rQW_b=eF^xkM z>%hz1-R-=LNok|)J?1o@sC5nmwQH*+%`FO}97eRW-$z#fjoFJK4fm*|p!s%KBBmh@ z6+K#*P;JW^$(h>Lfx_>I9{R-T$sd)kMmbcyuCi{9I7P9u%~{?;+rK6+zi`DGOq?*P zo=!8Wr1w^P2k50#;E7fp*uAG`#9CMeQYKF`BnX25f4WN68owlMWD2a9d<7oS#+u5e zVq~u24KWRqVF|1~i+eO7?Ijt>l6Te+ru*nkr?Pm=d%7_N;Ed0&$-tIXBClq>Ds0CC zF(O<0L!ff^*lYKwx>Zc<31*sbxRa_%ZJu4y`+yaOyzHiMZ>8O>6M9!o5SO8_QQBka@^mfS*C#D{`?xJ331MCG*z+Cg= zhIL@G=TcL(Z)AP@GSr_ZdEo|#uR*}-#=}auN9B9JFHW(=owi>8MU!e7(!ve|fEGdv zw$+1=L?XXT+XHgTZZ~H3Cg)*voCJz|d$`2yb&15Ykce=L)j8~@Cma3<>=9kzqVGd( ztU@PHo)IPxfBxyrs^Md;I$(`*MN^adOLgZKK{ADjmgail5iQkMCe~qEWngzMc!|E zo0B_S_s;Hi%L1S>Q%zuj`+5X=E!L*)Xld$ZY;e)sGzDPVjn&R&)l_V)PH4_A>-yzL z87Ug3FPPDT?FHiL*G%VavRy8oUu@>*h>nY?ESVdl1-X(Z9VHntds;O#%?vq{oq3lP z?pW+tC}?}$ihAABfGkB?jGd}lPbfcvc^0rm06dxnV1KiCaQ*m;EG{&}j! 
z9Yh|N#Y97C>y3578(43WC?NqcS0x>ih}Kp8@%MqETvPz?+h8Yu_&vF9CtYhEg(RW# z75~Y%`-|d;o=R23JuZ8&C*;Y^`kvjw;+urcE*IsC-@IrVnw?bTI%0Mv13fjhGt$cW zeOEe+?lo6FSUm}9EI3Fn;;CU>|G2J<8Pn5+Jmb{K)@b6l25i^6CE9Ye`kaWr6 zkG3VHxR~t8?s=x9Al#6h39=C01=9qHUtBp&`L4rKl*mq)PWK45T z^29{P%rf<(5059$VbfwQ%@=(hNhE=xhD=|7>=7aU#Kn&i z7`#k&enANN;QiBVH$RQbg}^|OrxzEaA0>k+)z%td3pq5FZeJ(HOhmbbCV zs~d}&yDByr4d%&|mjlO(ar*HmV#!P4+t~%*Q_9QF6S`9pfznuL)E7&X|Jc<>U4+Lk zH}tgL0W%t}fdUMPz`#I?&DGMe6*JNl{z<0j|64Q)~;i0;CUBt#v!y;@EH6`d=DNRReGBje2nLfVDhJY+DmB*WQ_9b0*x$a z6gMkt&4evyxLny_{PX7*LqCn%f*~MDMY0S*X~o4i!Mqr@)1b`OWzF=SU~mHX+^5CR z?qDuC_Ie$6)4ZEt9vC4k~cP(6))BB!OTQd6Ig@Ob!?-1TGAvrl%0gROb>*R?p}FgF<&+H%@>NP~Hn? ze1gNm!m6vqz&)YT%u#0-xWQZ-O0o2e3|+}PqM}E6h`O6<=-%(mB!Zb!H=nRmKN*cU zl6#Z;RL!Oq`$Hyx#T^VL&vhwGNg*hGHSekNvWJN_ zWqHA98+Zs+oV+yg_j^}Fcd4w)20>8*sM`?~q|c^|ZMzG#DZJD;Vf(U8#=}7%&atc_ zDTxKt0SQ%)T5mRA?e6T9ApZ2}Q{r=?sP9#AzpYr9T*^&uU)fJ!IJ2)V{2Ym(DgRk; zxlB9JY??XO__%heI}rN4EAdv$@@X)jF>l{)Wj}tSk>wK%l!ha;f}3`qd|JP|r>F5Q zRE+p`iCl_TkgG0ki2+c@Ag#kZpJ=;KK1>c1j{q!*U1Lzs;X7e z=s0)DZF6hpG`{#f{HIQ?q}hjN4qE!XyJ#k+*UyfJ>jK z*>0$+f-&Lsx%e;ZkTHR}XS3AJ@@_JT;%A0(%6z~cs<;O(QObQz1YS1xYIb^hyD=Qp&E)iSbbt~4 z=!dzlb8rr~mG>grO`#$aZ9`PD3SP3{O#A-DbzH2HX6 zp0gKN??S@iRdc3qO94IBxdI&umN>Et@4w-R)#UFa*bt4_s~nU281X;Pz~jIBrK=(DI4h9GigE~XkIu5&5uGc zp`dVH1V29p$^?Nycrh3hnjgl5f}wb!2=Ea63kd@|dnP_zJw01cj0WDs-qu0iUQyT9 zz|x)x0!0Z4VIgAgA%?)whXw|PVR)h7T0H>acU({;KlT|v=I>ysNGbn>3yq5lb9h`( ztZWb%CL{(0#07yfLE-$oD1ej+1p)975cr=(rT+_Afty}`mlXoLAb+~O`M+L7IFJw= z13^NVkVqIWKR*-(WrD+zKvob4f(eO2@S+e9H0IB^6eXnoDk~U2E-uKSalwGBP;eN~ zEhHQRgat)Im|$=?kRJ>R1c-zJaRID<#-*wt`4cV(E-vVyae?8Y02fewFrga(aKTV$ zCO8TTWXO*ISozTa7Yz1iSYomYDnH?Z;^KlG8W#ix0~mnc2W5gG07L{D17U(7(Adog zg~FI%NUX}C;fOy&`<2ANJ=}k2*iZL^|JND@fg-RVFc1{j=|DV47!rbo2EpQmp%6?E zIE0rUf_?g*vB7b%{d6(&{|jswu$m||9K(ba8WLF#hX>HcL}mGbD67>Q{Gl5!8>Z^YREjIhZx;4 z#)(z<7VSQ3S7~?7a9AjDJfEcI&^0~SS)3@?oETjgolJ=z+MlytL0tPBKX~76du5O< zZR)etH+doqW@>Q!)U`{tOOs3;>BAMVlVoI8WPI;1^p^X}qk9`cWR?4yH`5fI{Rehx 
znrSZ@r0t-H5GR@U^M-b2_NQuKoXxUwVaiDn?Xf9v_x{K2TvDYWi`(P^H2!yEUW=m!~8Om*xD zllEVt5OEg%G_#*J6BQ=cOlB4n6@E9bUZ?(KY>I>e(y8GyS9K(NLGZ!kHxu5ncdrYg z%C%!z1rzG%SYnH{FLEg0Cro9|^)*>hpf4OPFP_R`l8MRE3A!*d85(9aQ2l-7+)EQ7 zQ_cxzsaGZydd^DZQ&&Dez7o0x&A!$7u&Uv9E0s!ontl3_f;qXT2~Qq|L)4rN82jWp z1f~p$`%bjo^K9X&$gP&JujZsJsFCZu>R|LVM0W9tYuDL7+h8KJD6lXZZ{LToFPV2^G zuRYk`nY7YMI}!Fkr$RjaHhtVz8Hfw)4ab5cYASuDu{JofYti1nGdG>@?2;)oXGB*; zW@G^=Sbucz)U5aw;|Qs3Q`3Ey(A=t zX_gNkOJ|Of_CBVOxtq(Z`asPgnp08EjTssY;>?HaJLXO&gZG=G_T+4 zX_E^HPGMkYc-TF9L>y^1OJN#l$yINCJknGrge0!p`1oDzq=KvWLy^a*ecDIV(q`~n zl5Wk8ox)4b&F(P#BJ)KuU_<9|q=H4tN%%|G&$k?9QY5d*++uCjzjAeMT5rgkGEw?d z!dhlc`AEQMan$1N6bQ-uFxasD720C%k$z_iba|6O~i*5|BVQG|nl1 z3CZK3m*t)PlEyjtbi_gKV&N?^!}`zhF>ZYHS0_Fq6SPM)Y$_s(`&GWBU#7X*QT!FZ zxFFZgU*Bj%&S8wj#?fbVAfh}hw!no;`Mk`*6VY{zj&K37_9jzSsvoNM*rOL5r_8T@x*qgknt&;;WMwIp&&NRrL-S!tra@YyHY};j zne2n@n{ZEV(G~(FvyiTgp<&hO0oJ97p7dsZ99rg38qaL}MCQBM zcG^}8>&u(ovoRHhqI*}l2@8TXM2kj<#qIeOpIvhyqMlCQR9K`6pjYEz?mX?u?zdlF zzZY>c^y?hWmfca2kIoe3gZZh}uAVj+Al8ewea4-krEW9IfAwd88*~`pNd? 
zW(7BuWo1$|`7?{z4=ULUE|hoKUbDQ(O~1i^AVm2xeZ(enGa|UnXM*5(5W8+7^XZ;v z))rI^XUr;7cixyozlzSCN&@xYV|emqt?S-~2_4qB!JPkU&Ms zD-)S+Z;9h(Uc9oF)66Xf#|*MyJ=Xdb^t|1#&pcYGp4*z|As; z>$lsNsoDb=B4`DpSlg_hDTlOcPc3iUCgHG~zJL~|@`(?-5OuFUTzopdwXowliP*x- z)7R|{F?R7)QxfW=(}p4&1NKB%%@7{>Ot!glZ2w)oQD{p_mimK)_XdJr9w=9vNagfD zJ=JMG_3@}rM;`fA>YEOG)_uvBhLVaq#wj8mtzEI#l%vgVB_7`#`^urhc6Vx1GDiLF zvG+%5EHe|IOeR$OVdC~JZ3(t$P4^BH#q+Q*!aE*^RBjzPbIuLv53qUV~J(TI5KvallYMCF(P+6jLmPNY3| zPqgjKO`msz?{ZkikhF?AA7X=1gkiMJGeuLK*1*6qXkR7Kz{C;eJ3S3xSq;A|PDr$x zdtF-aMVUn@{gM&UZr@RlJLCDXM)U0)M+Lef9~n$8hlYslV50A+J-{n*qmJcdF6Su; zAYN#Y)@XWgq()n<*RIZ6Cst(GG|Mc4PNF^Kef$Er%vD9-c_8;=A62}z>7|#?m>6xa}l7j zGzVYTi}IOCBub_!f19PGljo!-MM5n3PBTt95LDTD%ATpEKBJa<{g&NZhl0%|sQ{~c zUr&)DI1FNSx@yMnBY~`}fG~IC9bJ_wU|~313~{(0F<&P_=#d zlE%E8iKMsL-aA3Q`GsJ9i|KP-3(p6in7O*UHr&(PYr42b^E}Wr`Pt+^7;pV2uPWKg z33zdicxn3v8ktcac1E1VH!UOOHKD{J;EJvXd|D?HXV7i)HACU@=}>_@uq zZm(q|XbUS|9KFE)@Z;uw&Nn{o4>#Pd+Q*DO7+b`e6rr(~gyzMNEg>|==W=*OBr>_Ly$HOfR{Qx8 zOADjWl|^X^x!HEI{qs{nLA~5n#nDx@RdX~w@h8*fO};v|?1)=lir^Az(Poq{@izI= zl@}Z1ef~d-)RYJ^TuBr7uGFgl*pvjz*Svy~wm`3Eas1(r?}PDflA= zH_~t+@NIm?7&X_WZkqht-+k*%Bh;80dE**(a)rW4bmO$-rhR&^r)-e7Qg)^tmSRVf1zXUf*j4a)wb&?XT3r`Xx+M-%gS!==a?YVOEKS)k!hcKHsibM z*1JakOv{{b%c*RUtqDS|D&u;V(NnZO`0z+cMdMFyn1j2U^`0;}X2L#g~ z5QBnOM}hA`|8q=(o0b8=(4kWe2yCzgVo)4Ra1=Jo=LazV86@0{4D#^V4;Y9?u~9P! 
z{~!n;5(E;;gv17>7%27`2v_;}5s<%x^S_FjakDZYmvUH9ffNES291Ftac}`}yl^xc zWJLZsE;w#h27I=|;(~*$3^rSYVgg8jyue4rNr>=+IG!K*pQCs1M z>?0h7O?@B{NG1#n=oK2t4+luGnU8-03pXW${1*}*C~STd2@+R-z=B|~DL^CwK>Z~w z71h5cir~2E806to9#Aw$>A~R$Aei5U1p{d-3D$SujxY3!Z^=7FK{j z;StC`XNP`~Nrr=io8NP4$ive+R$4&gK?eB`Tt65L_Cs91#`UXJ#HDy3=)=kj!jH{D zqG4dk;3%*YQ9z|2P$W<|6b8GtAPEn);$H>!D`2=pk2*ZjLqNtI3P-}hUW8)l09ZvP zFq#7h5rGD{KpGy31^efP{1q--qDLK`=%H}z&I2bEIIw_8gk#{qO#X9N2wa{ADd5Ad zBOHnTVV03NxNvmtABzit%k-$jGd*_6z$p$I5EUQ?{@<1nhQx{xWZ&UfO+$dC{qr*Z z%&7=mrbiu~>HjzYfB{zL$EMkt;NW-wcsBfKCKv|zJqQ#A^=DYW&@Kcn*MrRXVV4o8 zG%pH<2I}<(E(98EQ8XI*x43>zZXYp`Kg0!e3WEVhfdDEv zeM0<`lL`bb+XKJou;K#D0E7+$Bn6fY9G@VtkT3urzzGH4`bU^>nI4=C9TpP`IDNnq z1Y!ZlDB$=K&VFC;F*qYuyUFbwuY914W=2P`-QL_-(|_|Sg?>sR8!rFifm4=XMNC}u#xK#1`N zECe_*1dWE^L;npdMMWNQD@#KYBL`budlM_mzqTZmmx01JWj zVG$6ZgIK!`Y7PFpn!iGYOZ@1=6F&@&b!xB`7{8-}fvgS`4tB-gp!&u7;qpG_@VpNP z^#j12fZ~V>L~KB-_<{ZXwWxj(q9JjK9~l2b>pFHf!eJm{hk}w31Ox(v2K(Vrz#u@^ zuxt5GRuF|t`+$B93k&c8ST24T;Dp~{fp7@RZCF$Ak741`KIZVW4+WJLAS(f02~a;! 
zcL)e#puiLWkig4;f{F|j5=ihrDm)68_JOl>SaAX8`3F7W;sPm5tiFL)|1WUiQa$GI zR1cE6C=et9c|pK3{#HH1gv2f_2Fec#Z9uLNg@i$%e@R{b?AxPoDIPc^hZPtUh7}k# zF$jTyVE;#14^S&?h7N=wKT2zU6af8sC4a7uLgA7;aDRWt^?w!Ap!m^1FPZG@Z4GoS zPTY%K(9#TIFA8-3cE={3=20e{!_ia6U=~IBRfc)8g!TDjn}tgTu*=T99+koAY)ZpsVdx7k^Ey@{04p z;NZnO(F0Bgt{b1M))qPxgtrFwDm~moi#`jv?riPFl@kzHuc!~JejOPo<8yZ!-cx>i zM<96fIdo;ikI!m=amb^nVke<;cejr0+rj#pU%$^#%)On(#ZaPRPAAumg}D9?;rmnG z&x@Rd2i-2Q<8!{3HSrGXzRDRGwyrIwxRVeU_96wJGv%RFzPjAf&hXkg_uJ4RS&t%{ z1H0|!fvmlD1xuP_{9X?;&0+rimIb$xZr}U8CXQ1nOL5aSR^N2Z<{o`s&UVW`IC%G+ ztR(BR<+uHv#V1Z&ThUtYx_!B?CZ=?v+*I)N?4i-Q*CPpt+Ww3M#r!4$PpKCFt;Z8 zh$yTHmmZ999{uK%S6egj+HqV}yi?Ek?E}Jc(FZ?${pexs6%} zzG0q^oAMPiV`5d3jHwXKKPY>tw`FJe>cvgbkHrUs>qv;4UrF{HdBwz$Fn zG^r%%`679k3m87?R_aI3EqXEs312rx%gZ&# z7R<%LPBzO+mkGRi&$8AZFQn@s2O&JmHl0B@O?pak@n8|}RtCC`zXIGpHu`nArj;J6$?C)%Db6ea)aJFjNr-(0@q=k zOlqfIM8z^=%aJEDp6sG`$+%Cb_O0|^FHV0TNAZ-do4WVmjNejgRqnIEzS0&QwZJ_c z|0T-XX9KI67u_xw)bYB}4B@ROp%YubKVS=+T{MoNQ&C3ec=^SYSL`${bWmQtuU5F( zFiCjhvd$TqH{I~QXLngmpv}>VxANg;ISyayG*UA8l~VaB+j;XXq?2-)r7!#2TFidt zJWD^9`&jhlHtCMc$2>BB3wM9JPt+$fMleUL-hTHw-umt8cjX%uY~y#T_l{=YwxQu) zijj(O)InPsJ##9qymOm00M^J(M`TP$W_`+OrCurNVoQh1?3Junysgo*covep?S|tl zHFuJ?RzgO&*JSS%ut$rOsA<F@z!n@u4_3?3E z@XX7ihfqR=ZsbPJ?8}7xhVS`SI0RblU(%MooKc6``wBNM5uNhLxxf45et02^MAVCS zv=gB(v^yx2kC1Dh>vFjHzKeOYq!@CZ!siJrxsRXXJ-J2umse`nizXePpDaxJBofLh zyY73TBaSskUE9GQl^& zp1biL7sJT}hhsjc@4vnK)&13bTBw>ss9%kyagNPkrm3-XTgO+pAdh^9>DZ|(WJ@df zQj=h?ng5$mTA!W}1M^5@blVc?jl3TTNZw{JxK&O@#?aMnouQibzO3$o15c8ssZJ^J zvsis}{!HP$>pc76_gHIWOU)+&?VLvjIx}c(R#vIE+x(NTLT92aHJCo-@f52p9(g`d zxoWhmG4&JYl;n=x*2Pqqp<12@c6FSqe6x6+cS6N>s`&hCsz@1vt2wtFMNwwYAbY8R=^=#u#Yz7q6Hl^U21(j<+K& z7&R3l4s>i-gR`G|k=ziMEs?{rH>j~DLQDldMrqR{G+pPm-0s+Ao3@;F*-Y$iAxw&RKHoO$WBooYVqa5tIKWQI-1SU}KK zsx9A$syRXFlt*-1_6?!^he?uLg^Y3Cmhz)46&syQ^OMZ1&4vvpN+?GeUrOooDox6h zJim^@S7^bP_}J>1C>^qxtUC?&kZ;??e8g%@r3?!ZpUV}Gkf>XdRuXE*8Q<=QC7)DK z2y=;YG@NBs?^DjZb6I^S>FNbuo&fb5MJf}XS%a5!rk|yzc@c&zMy=mLdT^0RJzl`a 
zSB_TcvotgAsjs{J%F?F1$?0W#Nw@3S%K{70t(CNoaDtfuOIq4bafWN z&T&4?qt~AcGLF?q$7Ej}X-ykfKJ)eb<}&A&BynHbIE|#jC%zEUQ+oz0PFLoHnoEZr zXRkNQ4<<+w6@}D-+r#BbcJPN&6iI7$CXX1DN;+ps(o(-$T}b(`b~0#Vq1wslVOlF-#; z(rKBvXDs7XZgZ9b`HwS`%5o=kuD?RT0%wM8S*Q~}(ib`2^9b@{7z~Ucavf}R9ou;y z9aI>Fmhoz-l!u7k&!@7{?^J4?kkuUWE>u{o%t|kseA;&YLa}YS%#mUs7AFlQZabdzWM#ECEaOi)(d=p6^NS>wg6CqInclQ@<~6&HwSdPA#1vyc1B zPm>60dfcm1^hWD?#`4+wRSl8Ze$`H{;VQ`!cKFnC)u$>2j!s$PB$00mzdId~Nc2BD zUiZh2@2%+6Dxy;m(axdlVQb= zZRuchfp4%@!ifCE^wU%#-^!{bnzQ@bTbnc~-{enlJY8Fnm_6?%aZQr_6kDO9pY+U^ zS&M8DlSd97tECJ#s(IA$POrT$sV+aNq44n2WhVbc+0yG%QZn0(lU5YjCzQ-Fmopz5 zb=%bq9$moSd~wP$Ql9$j$Vc12vEp>bQC;pHXoMMSAUCqT9xp^HV)Zp=wEPN@{}0wq z41a%OEwlJ45nSZ`qhjf_rnJVz&f7}%(*j?)$D>Y8-5%U$aKFR23< z|6qJKXK_7%W%?+*=)9Y4VB`4y{^ACWkfGDgmb~W6hq6SD4M85!+6Q?;kW0pig1rMl z)6Ljc(r+D}=XJwS+o>HkVv3NpP|`0qXSiRa2|Fr;Q!)4NQoXg_EqJ@Mr!Ulj^5C*M z;J71I6QUYTWA*rzUliQyoQ$b2L?Bcu_Bx;bxV1;>UbFMick^oh$W*aw0c4np~w;ZV@q>P58Y#51rU`5(qr4w=ZEz zn&dQb(T`C8{hgNE?w-l^GCajrZkk6>(NW38=JEE#N?hmEO~z0TTXvP)m>V6wGiBYnEi|!Ix>w3+q(b## zsjt!e9s^?0mld4|(Kd@{SYzM{#cV#PH2wT{eD>Jz%ilgzIIP$giW6y_NYwOuuE0a{MAW8urhZ0W2zFBk zuZuJM$vxYHCa11ajik}b#&y(9;?HWOCCftEM^|{aZnE;$o>-vl8=PHyM$TO=DN^as zRFx3oxyEi$@VY=d0%LyZdaDZ4Gw|N=c#qlQM)}%zX+QliG6D{yVir$rRrb?FPsfqM zPD^}&zRRlN3ieSp;xy=S%bae9T)qRl8yykbwc4a1{y7uz~|_HMaUT>E4qs;hlRu7Sg&#y6NKnHXOZ8_4-G7?&Dtt^l3;I;I&1Zn>*1 z>*-ZNQMw8+92H%p*&us?y5Ao4WfSJ`rK7MVKArrSYpRs>C1f4q1ktd5;q#m`m4$V& zvGq#UmP+o&+?w^oPgr`Hg-KY7Y5EEAh?Btu2_DJLL9y!Xy!aI8ORj`6(G z+!Qr}S08fPggzdz!uq5nOy(rwMKFrV%%ty!YX)pdh+2sJ%JZx0vI0Mxt4nvLY?b@3 zBp~<^MeWZUR^Fd8Pf)3$D_w+H4Q?HLbV-_QR^4|yuA0#6=^Ik9J6#u{5NF(Y%4}?X z4n06{=Zn34QDEO{;HYkL_BKO<<+E#VhpCMt&8W)UHr$S-D#s{Fsame(PcIdG5k8-@ z@c87HWAybh-o!i(UGG#JXG4h-EtAA8jbJalSy|3KBU5LU4#`UX6mg;QcDFhzXzKhO zjn&r9*pkoO{F+T1>*u1o7yDeIRC>I$+cn46zuNELYoRJ>A@E&RYVZ>p9R3*Bd)ZJk zU}kB%mvYP^>dDs03o}H8t7R)WY-0TP_rofEKYn~L%h?h^?ZE7r@r~z1#u7oLA4>I_ zr?|YXnVY1>d#zJkTwM$uK_L#mX`0Kjh|IPy>LBB85*Orks?VoT$d`1=C;{K;#;DEi 
zrCa%$gSU6{3d%2!-m>)e=Wr8_bVlrbm#17e*N==W8Sb0Mvwix8NIB?M@1tYQCIBr+W z8a6>A5tEieTD{z*`^kJY-{R2rom95GKz8h_~5|cUy?y@moep|s4_vzCjl73RB z-#n^2=Nn~y8G@?0kEjSHQ{7GiVvV=_5p*;PMSeQVI)b`OqL zdm4;XZ+SM9#LPmHQ(YCI=uj-X zaIEiOLSzaXD)6*vyS{zjckDv!_4!Q`%oCskkF9MTH{x(C^GI3P<*d;#?TALE)EC`O zg5Gc6<9up;19C4nN%uhE`3}{Z_LG6M2>ak9P41@`Bp2Qb8OjS-6P;QdxnNC%^1f_N z*x`AZ&HMYYLh-`q3I^Hwr3iQ%;P_8b9nh;%6VDp(-v+$XD#h9u6kTvt+ zL%YnJb>fZ;{#=5pfSK#1y{QdwALl~7m}@6G=!0hDnS0IdYYG)4`B_bEuX{OVe+k7m zH)R|1r$fhSlVN(1$Z>OUdo*2(CV-Ed31IMCI{+c=mQ zl7S|Fqn^i1EQKefqm@>D{#q1|O27WQBFafunEpEyQRKJgfGzFMk>A#iPPz)}zw3cb zy1M!Nc;XNzFR1gbhkmlBh+^`kdv3@K?F!e_O`|o6$s4*lT>P*})QnyY6gK(1&)))i zyy=GW@{4b*j^j2yM1wtVAEr=0OWYA;&QFlOe5P71K_$(K!H&h!$mX118q;mrW}V^) z#pR)EYqE5McdbdBV`x5~ z|JZST?xo=J+{-vU!u3pmUeisrgYpQWG+CONz%Ts zZkvNFSEzw@?qzJAPy=gbkZtWY$DB{Y(K*WFx^8ZCx`MMr8Bwu$?`)s0sWa%hogpmr zVS)Rs0c|Pn3|KS3YRl<4o}jfhnga1*>w3|zMcnD_j6_$@?6{P%WUbkr&Y}12VLs7; zx{|MOktm)^)h^bT?lk>^eSo~s!!}Vtr`uApLF89BFf8|6;4JqPO_w`6^7~X26r}OV zHw^1<88PMS$hrtVe<(tqcC=WZ#j61>cck#$>~A*5tr&yW}F{M=~`T{K4$1 zi3oh@cF9_`H0GxKGXr-+h#79;lbujZDt7m*UE6;}TbZu%RDVSqvp2zOP~K~5bdGgO zL|c|OS1(ap%uX+?9`=n?Cp`2!VbFHTl{EwdS1bXEOM_RcG$q3v+PQP4kBUQqtWLz4 zpL5K}1&x%JZPiI-Gj@T$&%?-hrKVAyr;EiWF_iIAhraQET@)31`y7RNE z=Ju~T@{ggr?M}llauy!%5v9s_-R<&Ybl=)q|HOE(K1H@QYE`*4%QswJ*S>~gf9QREV;iqChI1{^ zG~*T#g~J0?bH$9bq9-quHx)~clv2#kk~o!c-mIXY!QaX?PM>$06pA>uy9>QxrG7h0 z05#EYFD1FXA60G5ZmSfTDX8Hbo}+g!X`5d|XV>vV#jKa(C7pVubnJu8AYT<2cu9)HobQisN$(-k!{C7iKaGBy{%EDY<{aYQxh4GRB{vcu>29^*?FBjCtHOFSbbMN7Iiovg~g#`KdF zp0A%>P@8eIPEk8cbdx?{^448pam&8uphd&j@0XOja$6pT)|V)5JoK0}cz!9S{RZZH zBbXvPaRlS;OgpdRg#+E9e zQD8O+s00ReSD?K6&*zXo7b~D}Dkz}*hc8xug4%3wa0@CEen$nmbg+*=Me^UE`o*a& zP6-8+|M0~MP|(c*j^DxTmH(Mw0r34OYJ!8}Re%)R*zwn?7QZMrLE+R;Kta9t?}xVk zFPj1optKhhbAjv znZLs&`qR`KG)@Tx6x8n@78kal1Jpl)t_K9R$O8dK;Z$}Y(AbUu&{p)jxI|SY@5sta z@IroCN1PH0DCihFEG{ry23u7KXyJEUU_KCl3IQ+vGp@gxU4+J|pTJgL92OO5I03AM z1|^uF6b(oVw45;gQO5^H-T-ldF16pq^>?sv$|sdQe(%%!0~NM`3Dj6&d(?i7 
zN?iP>CB!L`gMv{^heh>=u;4(oerwP9Ls)R2Tfb<}`I$}8xEv2TJjY|l++b&5f#N-E z8w_Yuz_!7Fp-SK(9NTV!ZG`-}-Q*X*aA_V4%{i>Ruyx0v3kKBc;ot)O0HFF2bWi+a zRJbe;su2&13e+G21b|X;Pyvuw<-#^z{T;0TyS5gC%ld#54+|0jdKUht8SVEaMSuz? zP+g9lnDuuc|GEP(xTFut(hmy@>_MPXC>YQ*0Pwel7zi9&Qu||m5va?=YT92rVnE&R zb*sA$=3o@jpC_?laJe6hLi!isfzB{cX9y~}aN&W7vX_6kl*@baNxnP?(EM^DSr=jKl9+1NLKr9H`gC72b~tascvQE$QFw3|t!lJ-m(hW8=br zlM6;C{uv$U8bSTk+4J`+i)$yKhqn_r;Gj^Tc%VP!PqG6wo@lS2o> zJls`1yoJC82H^ZwH;)Sp+qHxQX#dJ`e=+wnjlgi`(y@KspAfJrp!?{TkHItu-Lh!%;5aEgu#Y z1O#^2kOlaX!0`Y*2B6P@3G`!NV;is=L1Qt{t-lKEr_>%4f=m1$4RB~!f3O6Y848y0 zw?U^r(hMjhh~pu^=lE4u#xFz$!KHuT-5(Yk9E2($5d^y2aG?E>?)W=osw#gS^b3XH zGC%C_%#UqD0!j`hGXQyE7ZW=j7G%a*K#u&}!;KTB`!4LfjByWz06Cbdr+QsVx7VZ!f8x8+K$R^tI(#@?g~^hQSc zaJh=L+s4F1P-UsR)7GdS%7W=uJu35nqi4S#Kdou9>T8ACe%m+Uibap|o$ckewDs+^ zVLryajg8^G(K@Gt&98NHR_-fp-{SXI#xhFx*Nbw5-Al{eUALx5ZfBLe+nY^t>fQ99 zh;iOom_W&yq=mhaqs<9}$zignlEl8CR|f7_Y2DO;QN>)=Kjv`#gu&(FV-MauiRm9p z9hz)Jy$maf&KSBar_D~+M*FUGlPTRhqDx-=V#xv-O@A-dkR_=fQ6AB`;p|hVl007y zh2)o3@(HLrn%gJUyjLVVHuc$dcW_SJeS1%^C7@^2s$qC(+qiCc#BTAPyxI8BTlK>7 zw{K>6>I)B21{eqWq6<7pDt1P8^JdlgN`nZBJcIV!-fDk=Wlo*XCAjD(?Sb?=9e} z%G&nf11LzVNVh1WlIPIfDBUH3bV!#p($Xp*E!`c8lF|**(jeX4_3h)#C^OEy&p1Bw z{@(BZJ9^;kvt#Y+TLaI2R4^5TR?PhAi~+Y2{(!e@G<%1+Oz zX4K!nA;l4S$dc}nd0=DMdhBJabh#Z_Q{LJ)e^7I<8y|ecGv>@SV<@_Olk~G5F+q^( zOh{~TWP}Wrbn(IK_Z?AvT1C~LRwA_CTin^XHY=MKoRyzt6<#rT_V@{Ybi)YefZjEN zNB)u=W?5zgHJ3KAGw^ZFNUt-j8_f10A^7@uwCSmlWhWia_UgSp&~}WPLCZm9@h0l7 zc#W>vME zXEYJsh`bo$CEh9(kIfQpfv-_H42|03S5+o&Rx}rV>n>M_9rG$@qBx*);Uag@2YsA< zl9N646Bdij>9<_7F(Ow+*!^Ny{bHDgNt}-uI}V-+OOJ%2I;4eH91Qr`dn} zR_Oz)k$H3#yE>fgCnPokO_;ho8HiGj$4ajzJZ8j9HZlrwwystbP)p((tBA%TFe8qo zvG?I+F+UFN3#?vkV>abpGw)SzS++{U(d#*qR}9M=8Vc$(EaM)I=WKga1s8PUjiS7h z8quZF-`|9bF{HN2vX1)rSWoTQA!Sw5g=ODu&cT=kJ9^c<1w_*O3Hwdpp~7&jNP1RE2|dVxZL59`VrO4gbD<)|IaV%i>_b5|iVW6SjWg18)zhM` z5Lv~$y6~o^R4J1#L3C^O$_8rj*Lwn0eI%CRDO7gCDn1!K6MQB4`p87PqFs8hoty2{ zrLSnCY;W9p@Z+bs&)4)UI%Y1qc42@s$o=geZ$QKgm?D(LXyk&V)y>a*~V)oVh=BCF3 
z5g6cms}Fph&&jp5-M))Sp7(0`Xi=`cl87gUGMG;-DH_|87w#Ze+KDrJ^;KOJ6RUnji8Hk+P5FE_Vo9TPLwc zH&-p0gs=|`Pd=ZLGFSTgz8ng;NcjFl$@_&>TYz75;jJZ7In~x?UmbyuSZk~) zr1|*Ivh&L9U**=H6wF~a_Zt~49d;d--})H$kh_ecb?0!j{wY&5)1$@UD&25bxtoe2 zMUfK|hv@GusZEs5W)hPmqml2ZGgV4#(-Iip60Ev8hxNjx=f25M=o=N$Rr*(NIgV$9 zww~x$%74o8x4w*~9)5AKnY_j0aw6v?=-W%+t$9D@DCXR3bq7~)RcjHM9YaYwT}7bDJstpYWr^R;4woqkKUGR z*x>QSTi(s4g6q)|EyG=^*YFPyyyR0i^X`oyJ06s%);2{V(5AN6RinIJbtmGW>~wfy z+UlL6@h;=sYr!YTtZ-(f?d@FKctv5Le}MTLd)D_Er|-%ZTu&CFZOaOk7A!od-l6-t z2S3P7V=SXm&B>!G8e>}yoL~t==xn6PoK70nohYw#aZ@@n(0YC9G44J9=eiKuMXo{2 ztQ*J|xk3IY^-fCwrc0Ho%Hv>CcHLZV2W~zCk65eDgr@O5S?(?iF~2G8%r%gfib+mD;*qmN{k*`xl(;KKY<$^KtB>sfWZZ-Iog-c+4|2cw!QoPeSaCz*LkcpDnu|lje<@Jo3Nn zJWghe(Ke$XGXG;g3 zTZ*!Au6Y`9>&7f$+-&poK4;_zjsjhzHo<{Sl+ucq+T`yUpDI2<1y@xXNIDqoA5%?A~F>S(ODJg{h|%2VQ7+f z@nieJoH>6sO56h0CfP9u>{FL6EmH?F<20<@P|`PUY7Q8Rq*?K@%jvoj1}V7t;@X`7 zUEWwD{>@qbB>kaznuT%_XHpl$$1aGTaVj~T$7n+OE_znzQk|XB4Fd&KTw4%-mB+VS zyunk>z^?hwRNxGfHF0>F7FHgC1w-O!p|CjOt~WwQnWo9{qsd)JLnGB-f=pqdJNpeP z^8(DaJ*7zn@%<)&v|Sjcb(xWg8+m$w%&qL>`xRpjtTG$Zvq^ze=go+>QG@7TbbmkKCi9FRh z4%h}btiNzF(fUfX{rOcME8y#J(TMqyWhJGLxwZGH%g>SBUDP#aYZ7&!sqJxa>!e17LsEB*Ya)$UE}JTp`9G)cF7V7%z`CrcByq7mlxqpHP<~fmLZ{4< zYAU<4u6<%bbsJgy)5|Bo5x6t%B5o|^dj&7JvDQ1d79g5}hvE~-ot|1ESPtDj1fLOh zv_8`$<9}Admfos#kF>jO&-%IZ4dJu#fz|62$vb!PMf*S}&+j@~)(2dj^AFupxrJ!T zM=Z3n>Sy%^x6g6n)i(GYmpLlH>M%k{JPWFm9+ca`i`-=&kWiiSKOliCeU>=Y<|1<` z%()$DK~CIrAxkw>b6J5HY~vHy*$GG{L}>}E9253BW*s$pN3|O+1h%u+boDRead>s!MvhjJv3RO7SfQ@v!l@b?mNChbSq$7k4bSO&1YN(S|b{d zMqn9=uHAAq3_?cfV56iW{K#k?lj?T2;le-PAm)k{#p5 zy;&olu7b}p*zB!^e8R4aabj6X(V ze6ixo1P9PW3#CbU!s8g;Yht%Fwk=uC_8b%+LaD64N>(X~s+3z9tYVVN z_Eo)X;G9tB(%KBWi6X|y@;+=~$~{7@um@N7FmCd&j@+!?PtV#n7&~qzJ4Sgoq*ABHGmM%a7h=Y`mb1DSihj%4QTz13sXiJy=b>z@WfBkJ)6t9 zw@8%+99dFS%GF6JmIe1y1sjfcE0^P6X2Y3o2E<0rEuL;(G5NB6J|RYMt(KS z-_#gxEi$cY*>8UPX#~-dvGd*1ra_y$4w2_Xaqp!Gw^eMtEqOam%qb?)Txpg#XIx%j zOT<63sA}@3lxF_4?;mku=CF!8sxBa@ZAf%YB7VK?BynnlF368k+Tl)AQ)0u(=M00y 
zOytRD%xKxdpep_%iS+JZ4Wi{NQhzUp)7P#z=Dil+#&e@B@Xi!;z0j_xDmQaV z$4j^O{I?Q);{uP~tVQbty(&%mw6XlU4f!sJ|Evb5c(KFq%=Z!**F(^?tQOv`NRazy z1$?ThXjdw(s)LL5Szze~<}+!#>rbiJv3Ns;uq7{CPDyL8qRzZR8UY^Y2igXMzc$rP4A3dX;pO`4of+6m{i!13`)(Jwd6O z3c@P@SJzrUQgDeOg=s~*_CaS+vZv}-;4g`a=Y;pl$gh2<>viCZO?sCeUOhuayYL20 zYU$UtCSYwooGALDrcj;8rX1gO)Y`mWV7G#QMl|PjDL%YvkN?u6$JYC^d;7&tj^s~H z2f21MS32zl79#a@v8c4R+o&Wv0|>exwXKvN)(eqCEgbad$z&|`^2PbQf?^_Nx-N)z zPNNA0#ze|Z3Myb(Dw^>(MQYY#p<|Qlb6E4YHz8a#(z9C-TmsjG-kZBBsnE`w9!{Bp zRmSFMl&Z3D!9bne4J_HtNEZug7rQ0hkO9n&M!@XIB!Hi$N5v%v`Iur0f0o!w{rK5k z19c9*X!2DBI40cec;CF2jTGuR_8Wpr^kB*Dc)P^Ncv8Ets0G~(&yvt6dU#;{+HN?>Zn4MdI~l>-}z( z9}6Lgwg<>_%J`|a;@UOV=W`5O9xP#5hZ`TOOgN2h&_wmXQ7LP?U71YdKC9ypouSSu z;JuP$`D#EpKA_4-==QIh6-Gjn_G#^#1gN3twnM;4O^L#@6Y|e_tKca!Tj z3H(uBOA~Qq78s23-3ysv!YTGZ#w;pt_+_-Q>#GD_1kMGRnxoDu0JT1*mS&E(+LhOK zgBPA#PH%uu3FsJ<)pm2WvF@;C!dcN;WKJURM|}2Ucs04gpz<;LR~cG{$`GK#l_wDJ z$7^i>8$x{G$~;lIa-df@&$IgrL~W0$ca?Hnint9nXO=|^$RbyaG`?ndU>sfa=W%N*)* z9);DFIa5Bn9>7mhK!|grk&$#=QzaqsP;fV7@JVqh;z&knY9?~6b$O~cFiB)hF)?9t zl7BF@HgH|S;LjlDDUP$H*IWo1=w%GyV=$E3jpdkAa0kw!Y8_`;XsSf0e6mD6US^XN zMG$IhA4bJGr;upOyGxvx0jHnEa1<4lozU^&v5^6=Kv-tWD|AaeWzWno1dKS)dc|-* zbe@Qc`Z7;EKjB5qtoHZ1@{-+e5lvj$QKkaIe4ox^7(Y6G09+nhfb8()anWB4Vfev4 zIz>4wQ`&UXz%jmEOwSY}2TL&1q+tZQ+1SxZsm2zg>Jge-Use3Gjp7eW8o)#lie7$t z5kAkA4}Z?^*8}vKu6zrTX%|(`;3wtJWcxgcdZRBBTv0v|6A+@h|7eG9n;f|nx%@Q6 zhA=@wQ~s=5oX<{~Y=^GwzT<10Pa*%rdf0cI_Twf3qXW7522PEbXUBnIOTQjPI| zTZe8G#{;AshC@kN(twh}I2@W2pHUUGsG$n1nI5r9p?VyK>$$tE_el)qXS*U7@8Y{F z*O6sF&01d}G}fv<^x62e>H8(KIr2@2QJP&Z^NE>EMSB6*j#vx zqn>?wb42ZEgrFiet%6;WcqCC~x2-T4-=DSa&4r}e$9UPpb>oeG#lhaf=S~K;fty6A!bqXVkvs}e7Rdv zyjWjMAvFiHO^@X<`D`Xq_^|oBM={!$IU@4Ta=Ge#vqA=yi+US)m~wxjb)33|!C!UZ zRVS0kL3H*|GDUd62&+%8(cuXZn@DFMM@rU=^k%AarUD8NHE~CX8Gjw0&BBtvS!%IG zXo(hcymM#q+r!kQ54MNy4%G`ygSPw2s!{@a$#I4@AMOxH*YT%LVWU$KdWxrgGPLS2 zv>hU9Q5Hf#=_KzlBmu{gBv&VF6M>0y49!>Nd!+kxUfY(Zx-lzJp8EL-`oO>Tyuy-c z1Sm&%xfSNC)g$Sd36buef@BKlW%rMsBWGt;!{r(A;$udB$RZ$G&qNGG=ckOxB#<^A 
zv)~&f(}B-3GMCOISkI%?;aBSWNK0vokd*0-nEsv|IQP)5uE&}DKoj<&>?XN_p?-dzvBd1YlGAYaiMBY&D{SzQ1Cp)oU&_%Vd(j`_xjh== zd}EiI9BA=*5cpM+J3o$Z#ng*W!B@LwhD5YFvASiLpVhs-mCT`WwR?6!JtQ@Li-ihO?bn%GwW*LNc} z=-Psx3(mrYuR=w5-Gcs!(C2!4pu9QKmKe3V1}XX7RsVaVT8UlxDoa<(+YmQey#yVu zzx1cJ!4jgrA>6rGEZranFWthgHJuSnHRV{!5K|@pEO9FwMTYs3--{GeJsDKLjnGn+ zJ{{U1PMZ)wK=uFuc?t-KAFJr7@hG3W6mVs+$9>MMR5DGvm%Z(y$a4k}G->1VSZTxEYWb2P{&g(0G!Jex>ong>h__pfJp>0k$0Z4|bt?K% zD;~`EB%WXrj^CJ=wzBm|Qh$mt`>7Cj`FeOTfi`nAjif0jF%?2uZb8~RLW{=5>C6+y z>D%dvDX5*#3O zaOJB(Kpox3&)foAjChLfK;QonskKIx*>cUCv#R}erPj|1%KipbtU@*Jnw?l(U zjBG#s&R&_MVlX0b%;99oI}}G|){#3$_^@!T6~n*1TIW=_eY*bmI8bSf6?aFy_dyDd zgYvwtlVa=s>1dqmTY+mOc9)lSYYH2>Q=ZVg^|k)g<`NUIHm2HNus@o{fpC^TvwM43Ep%g3Z~~ z=s(oj5Tb-@l+D_W#MP4Oucoo6?vQzh%AxdP<0z4q@r;?o+UYSZGjt= zE?-lFL`j4Gly^z4xaDo5x!&f4bepDgv1l#2U*z70?18jE(ic6Z7_!zaIm70fTDR$+>^q0shIX;@(lsHruQew{sBwo%N78JK=C~nFWn}F|yGkA}idA;o_c#wY||H zZ}k4#21xp? z7?>@+T)^(RmFMhbSjU%VX0uF&cDT4xQ86r`B;2@#py=KeAvB9Wt3Q@v;Pd&d2cX)`ky81TSbYlS*Zah8K7UG1tosXO8p6di=k zWyZmJ2NwluOW_QsW3#7l-lW2teGY8pr{?=km*GVyESlnEks$b9>peT!w2a_-@A%}MLx%U0Gd8soDj)sM zTo?9}oqAC1)?6cQ8Uh+T$Rb}A<9h!3uK89^M&z9)d30No%o}oneb#pbHC^o4#9c=! 
zqSa4_(}JtU#!pTUD?dv6Hf-#g+w^<9tX&!Qh_EK)F2~h-cVcdbNQMTY0_lQ^5k4Y< z9zI9njRSpzpSayF(_`%(LFzZEkyFohx95L_$EFKEx|Q(yBSKPo|?R1u|E8gr72PC29Dzl4A;`y z@h7xrmg0tP6b`xtfjRSXF1?aICn$O34kQ$3z!ZUyQx)Xzrx1=gef|zCyBnZE55E1HX!FB$DhH33%b_neGA@ zdZp%S>*CigM>Ie3^W-C&vZahC`w&`*yNV zRL{u%!t2YE#=@*wiQR*j3T&N6d^=ce8%_@2t*y@u90<&>@5Q!uk_9Pf!@s*491PD| zf?|Hj!5G((u{7loCU)Jmy4yiSPv;fnD{~NUw(;Hpd6LbAOhm39`NZJnm_FM~;2B|M`luq*#;+w$Lb{(We|=jsp?QhdQ|9p4bp4 zIk+jcn!+XIrE7@Pj%Xbj=&W-i0v16!Icm)b84Buh__EnASJ;CYgsX=sZX0en%!z5V zbXwV{<~OZ;Xc6R@GHxzqG2s*(@0@X}Im1J`kwu{r4j&9ovPj;ZpX%_Ac>eqWhn3wO zAwf|>wu-jeBL+RcOl}1m?u*;Tl8(v?B3r|)p(l^_YWs;3{omi*8`QcUnH5Br;CDc| zepN+(^-(hkjsDecXQSslBGuw=By!mEsPbJp4Z7dOj>4CeqLy5>pc^T@@SeLJB8LfS z^R;p;lXP>Q4^uovt{6w&c6b!elBuQ`HfNXcypPcoEEuOMXC$}hoKnUV%p=y8aX*`s zPJ(S*)7a-dlHv=gXA;hB^bgylb!(;RDPpvV;CgRQRvX%L5X43L5oVT=zje-*ZsECn zmzIdOvBt2Pub-${en#U_;4NxB`-smPhSYxx#Xh(j#RlrvK2zzJKswKj75bI)BZ+c>joSB^4d5+xH*oU*EZ?O zURf;krrG3+SPP}7?dY!c6ktAl?k?0!RxC1cZv%4I$e@PqBIq`rC?>7h)7OOqZ}Pit zJGIYrt*Ahx4Wf2FM+pnl+8t-Bvi4Db(%G{w^5-SJ?ecL*=Js}}>OjBVXsW2laG^(Y zX={1e?ub*t2a3UpYu*`aJC`4*$zuEc3!1?NwWNsW|yeyO7!;OQ!(t}+z{Hx zVXpZ;9pv5Yy5SvUL_st7UCRBA3tgJs&qzWFYp3HJlm+a!jpW&@oqUHHtB(({i79rd z=qH_23Lbz&mtU!0dMEABH|mht@Irop8Bsa=vqHE>#~ZIE{vyo?Gq2CK7cV`F9f~!~ znAQ(8Th;oAYlzvE>z@7~|K-zdYBw6Sex6F*)>@Tg*Q9A&5^kZ3#$#cM=N@qUJ0en`KN}>kh8F? 
zUsFhbL(7djry0ja(EU3hT1g;)#M>!XDlIU_# zj<0tWlYfxlB0o4oVK-bhKqq)ZF@G4&6X0e4;O01TN8kX`2->hyTto$a{|oUP7D;y< zoNdn6VrV<*b7Q`?SP2=6S8)}>Us@j*-jUODRuj-yd(u#4ar!DJX*ylTSDE7K-3)Yn zTBC~Q_!9%!4He|@pqXRK(lXE9#eF$nw4|MOnQBtt4_E!J+{aG)PEV_wt{~}-;$6#F zepWQj^XOosc6(q66P1Vj9*^;}p~}iK*R$Qev(ui&$;E;3 zGka3f)BV{#Gqcrn{F*UcMm(3oNj+~2x2OqSczvP@YlE;1D#}}SgcVmB60#AZ9BY>; zy+#OM<3EK6+;MBHA;^A8XKQ8CZc$J38on{;`j|(d4M?@B83U_A1m$kS#AvW}To5i5 z$7mIGC7HzMe!DbY1qNxb`;sw+ZVY?^3!3>@5?fA@|1ElH3Zu0e=HfC$)dtDKx_tk^ zD`DGX_%*b1ibu|FVIJWzVIEVWgu+2c>7Fy9$8LAJT=Iy@{a2Z3%JyBxX&zH$UAA@> zFp^aAd*DGhaZ}%>{(YyM_Yl@$*rfHFVP|Ew^(Z(o^_$e{Vd%27*ZFfG_jYXVKHEx@ z+8e%m2`-a}#mVc_R1wnywPlh=TjQtoVNUc_Sfg%c~Cic_TP5qaRAGRG5 zE^(Dv;bh&x@lnaO6Vah*C3vnI{?f98E(APAS0si+aFaQ?_Z6IVoz3lKl%i$sZu|ns zMh{c^Q_Zc4hmRL4jNMhkOfWDzzPO3k${1^mtSfdeeFa(T4`}Ud0{EpKj!@aN(G*a zIssOlKZ}e3i2MTTSORez-=KlPUkY15%a(kHOiJjlp`Bk^GyVK3_FF28Z_t>4`d&a$ z7oh0xk3l=Xzy^YmewMXwnPtFG;s4U15a4M9vZ81NAAd-nck(Sw|y9{wA3?SGpd7@$wXpksjS z+@J-5n7@pb?+2}doX{T=9f2X|Cy4(-efzHp1*lXAjadUyqW~%oT1y@p!3p5~qGbLi zw(~Q@f1%L*w;}tDxN}4HJL0~Li9coT{3P*TD0hDj-B;=uzGQ%51}6RQsrwJ;&QBEo zjiUEoA~>OmqP}qlEi4MnOhyJISNem@{ReR8Cki0F&3|vWev>*NIu~lj0qKXnr|#=; z{nLIuKT!aee+BnHK9^;t2gKq0bJ0 z1NXXa1a`u$o*p4oCBIO-mNFWMl^l4*QAnot;JDp9eden3apP0CBexK-rJIgNE?b5a zp0mP6il?I2yb0HC3ebBKqWf`;nYo-I9pxVs^U)@6reCjKP2@a6NaX9RkalApAX7P8 z+7V+Wuy^{TRxY@^9@kzU{PLl?dil`FmN#5kX=&x4$y4O@21wQoEH|%lW;*p1L^&ZI zg?nl9@~dw)0!}fONYS{tZzPuFaU{OHtZ+4wx3gGMzIKi?Q;p?LY&)Cb7=iUges*10ww?;Be)kre_X5rlLDllT;cbkUP!6yL}zLW;Vtirn8`bvc-- zq%cHU3=yZI>X#Dm!>|Z`7H}FQN`T4DZG3^!%7`-Z)qx?xJpKvsYi_&%siWiK`8aj5 zM=A>71di0!_(YHTQ60u=1L>~nY3f~GNPk>1K2n-NL$yT|vL%rL4M1GphC@9wqx4-;6qG{tx#%$9d~vXO&4*;zsib2mY%l98m6$@|p%wD!F9*O%(dZyBZ>OQFNrCtq@QS(vuO(Khj$tY@GXD>WV zW~t1}+q-E$rgA4S?}(aY)(^F9DSW=!@}@Oz{VWH^M!#i!u5IC zdw1wmv8*4v$Hm3NJ-{LmH|lyM>yH!SxT#YVaC@w%7dml?ddR!e%6PrJ@be!r~J581po!9M7f`vh?}?!LtZcY}JL z$Z%Qv7k)IH918V;GCVEjT>Ph3My?Pk!oL&pTD|P^#B)9u=`12jO_EPubIP*t2AY^? 
zOH98*^<0lMKe^AKUJ>?Ux@CWIjeO9&)Q)l2QitMOT&_jBqk9QO@{Nu1O?~2P4lYSK zGYkq=3x@{eA&N^juMEYXe~gM(#ZuFTe;ZMU6Ovg!J?;>}XGn8Hso`eC>h*QT2-_`% zB7WM~=e5|wGa+WLr1;ZC53Y&bj1;>ao*O29Gpv}QiFXy0U+)#Oc1e)%(zQ3Qo{GYe z@FhIOhoeWa^`I#iM@~>Z>P{|f-RCOES>uKD+(oA8=<}p(M!xdy#^6}=N;y(8M_SJhOWCvcEC0NAGt6gZiMz-lFJarehPNfYACCfiNN7uUBCdlzA zRvCYJUUmr__=YuN{O}gt{7}gh?|_cg5e?!-2~G@xb012362)Ua-d6gED6(-4&~^S* zIT}n}<5ZK+L7RnF=qO4k+(EM?4zR)Y4|8|Imx^)c9rTXdSKCJ;$w^ z%x@u*MTIYzo+aV=G|yjs-=)c+7LfaP+KqQPb@Z60e+%R7;75_V>fKp?;(Nu>ad?t5 zve$X07{ocs8Ex)CX2tJJT<@DUXnRK){?t7Rs3go0V6t*KB~oJq`E{mCX{j_#=3Bl# zDVYi&jIFj^6wB6X-hZjdONPVm1aCd4aFi&qy zYa4pn({1`aNUHTk4bv`ogAlpO<#n3q;vKBTY$YgmTkQDJr+lfMyw9MGM}E6wiZ&Y- zl?3Q(q%y*(Qkb6!2;SRV<6bPMcIkq%c*SAFSThA76{D+OC1D@nXmRpQ2%E{6+1SZW z)@NfJS`SsG3PvLIEnG?yaT7`kbmCa|$mJVn>T0%E%a+fTDr!7dfx8o(MbXlV4{!IL zZTT2c4&SuGSA>Pj!&$RHoqX%z`+P||!$s*UJ;Mu4jrGwyYusw;>c->T&Xq?~yQfuB z%a(vwQ#fcqX?fAlYlqg6qjIRPf&xtDMxUR_;Nt?vzY9;hgdg*;sjUH?0r%)d)Y`r7 zc#6-i8WUNwMb?;=kBKKZaiXNg8Xl9BY73z5d?+K5cdUx?S(qH#YWt8i>koIaaOo6t zYJ!crOSJm~Q;GwOQ3RmT4v*1o!W40d)`8D=D~54o8*8|>|Fh@_p{a$eQteB zEg9D|uUwx6Y|KXj@&#;lFZ+3rR6;=cY9cVaNH_Kbi8r8I&dU%hutG1 zpV3}MOF{{Des)%}pVGtVs%uvg$~CXfsC0jbx}$ZrG1aqqhadE+c5d!jl|w@=4qld- zyw${EeOF(%Aybsm%Ylu2;mj5VuFhPkv^O8x(07>LmkVc_Qk9h|XUu-c9Fhy0eOEMQ z=!=S`5Rw!`kwrsQ5_xyQ%Yy4&--|bI-Bi@W{nR%i7*tmyGVdiKae~yHLqc$J&4l%)r8mLU&KsP~X6sj0Mbw zLMLEmY-TBEuBi>2DyVB~sI4nvscDZw$8TtDC9P{IU}j=&W~ysyO$J=|n`J8~ATOw^ zZKeY>`{iwNF|J;@jD<%M}Ycf}^Vl%*BxQGST)I#7RzkW6Zx&%GU13K7;xWWGY!hi<| zt&U}KqQ1vxBl478gpOG+%2-aq&#*v(`F3hO@lVh8#Su?{QH#8-8BH zENn&eR?W51V|$`TEyY`Ne0{P(lcmW8Kb5CGUE_K!k-mkRiBsIJ#v zP>%P%c16pbS{k+s#>BrP6O2>S6zDIG$8TQ2I=x#V@TxU<|LLq9eWcxfiBTJuQ?YA) zp>+qE9?n?YL4&gRsYa+~QJyKr2=O}(bK8lP>S2!(B-qFQXW6KgPyN+>ckho*NC9BUhGmdM9s)K6?f~kMEoO+bb z?!lpJ0HrHUEdFoj{^NJU#zKzR4S=yTkOH@3i%g7Tu^vf>lATJa`g+Os83<4O^Z`5g zA2?e~z9YssQoJ9>S8&MNk((<|!EY=R)?A)>;uW2;hUzM{;n_J; zltlJV8~^P(bkckIr@bg7*fyYcuw@OEMQjY`G;Rtxu2o-{_qUV(={tc1 zY@qxQcd&u-BXq$A%8#%Gg3TyDL>CA)qx=wGuo>lt=z^JEKSUP@W_tY)Uog|_hv))< 
zV5ZlP5C${7euOQU>GeZw0e^FaE#`lOF_`J~BW!_Srq>VA1v9;Vj4qhz^<#X&Os^l} z3ub!#5M8jRUOz+^%=G#(x?rZ)5Ag*vy?%%;nCbOnbp5sI#j{K^%Hw~k$#7sHj1d{% zj%Wbki$eRT=fQ{%`|y94gMr{6z^fxh=9PkJ21jPh+ON(7YUPvk`POUw6c>|T%xYcd z=}nvK5GE{D6l!UDuY!B``izcRwtv_Q%R*Y%E*KO4l1#k$JV${(Mq(D_I~lk0V3DU- zl4tQvhlMsccxp5Q;|vszb2VhfKH!~ehKojA>y^`r7%s8nO|y(6CLX=C<=&I1xFWe- zBbRomLD()B6aSJ-)a~%3Mei=+)t!OTb00^w2Os*L>~BQc+eHwXcVLW=X4iIAx3#%G zq=<BrT6QgOkOpp_csgqRKTp~5)_f2S@JG2=i zliMi`A@`%iyY)g~AO0_MpdZ3m;QwRx`CpvPb2j*A5rgNF-e_x*(K3J;n1NtF2{JlK zAbwBN_*@z==I;`eeIHyX3|xdlC#!2^W@D+XYemM%NhfV-rY)yyP4<9JT2PpbPF~l} z`qv;t{$Jk(eto|Wq<0arvlfxF*0k1zUMd11gC_Zq1whdKdN1g1WiSxu2>tnT2zrp8 z-^`Be0g%57NCCtOq@!j8QVl_X8udVfB9>-0=FqEtNsRa9BM=P<0D%T6nrm9>nrZ{# zjRL@)^Wl#7$*e7HbfInk8o$U4B)s`8c+mm{8aD~to}P>b2%3cEH2ZQpGHnwS=uQBa z$d@;IGE02`0)$N83it+4$bx1lGAMu658vfj`^p4>RzlP2@we{){q*H4h})PLnwnV| zS_5A|1YiUT2_WlSpRs(GAMLwlfsQtXeo6d+|b&gku zq|7WV|6&X&Jsb1?UJPl*+M(Asg9 zzF;P8moctfV0gOA6P6V36gMU3lNA5=um6iP0~Rr{IhJr}c*Ytxi>)z3j*ZN>e?Bzm zN-W>!G-s{)w4+a_ia~Chu7Q#yK~Mhz!r$Hv4@u{gU&~f5J_9+Dwsif%Y}e0ID{O=0 z7rWz+6St;)pvsQae9FY?!2Y*U{nd$=I^s9vDhsrFPL^HoitrxrG^AmQ@cz}=e|J9| zelN+LC;il_t`)&E2J@u1_IoGi=l|~2e|a7SyGOm`VZFc9Ucqq=F~am2h#-cG_%BcY zy9X}l!-N(lv>=$!0s{u7X+a>ErUk(?EeHfN4?rN8c>pZRVdeqMrUl&GVKyzyJb*4K zVCDhLJOIQ1W*)%I1E@NHnFk=4c>psHphE%n^Z?)hW*)%I13(O5<^jw+fU3m*1@oY2 zn}kZUt!kHN;FJkZGW^7~oc6I;E-q8b0BThCl2^N-P0eg^>7$v(E$p1KFyuR^N)}j&3b^qwea_tMh z*^>xM2DR}b4B@-cyP8e)RxWL9c)4bSJ`~vPNA%NL@2m8P0+d)_r@|P3F#ux##=yVA zfL(OV8HnBV(nKTAHBHiklcXuqRh|)zKlRdPIaje)8}QNw{B8f#MVsZjnuy=~?*1>i zXajD;G#tdl;A) zfcnC}xxN3(HGAG&GB{VW2kLKq&fyyFA`(0TBGlpfHsEj#4-b^|0l|Y15ui&o5F7%w zEWE`<97aUI)0+G`1D^~QnE#u%b>~>j?U~M#gf-IYx7ueQ6-n+vuP?+hf)v2$qSF|g2&sgb74y;PB|z^PT6_N_IG>FKx}Fv8~Z?H|1r16;g{+Cr+&$}c)yFA+B^f%?d!V8 z1@9aOJxpqFCUP_ye|@mOU4HMU8i!s?E;e`S@(>(%ciVEMGvJVQx37w8Yh%Igr%P0T z_`^Gok4tsAmF8!LhURP@gH)MWlSn+tTvoYl} z@6WajhoZr=wYd;_ppg`A>ZIS*_%`QYEiPEB?&;6A41cZCb#A8T_GXm`?Z|#-Qn1N` zt#KZbaNnP87>65D#snRM;V#?Ho*^VG{jKq+k;Ljf*c^Fdco45SWfW 
zM+Wf6ZkUe#9Um~O;~X6@tK%FQz$VP<_#GcGJNg_QFstJn8PH9b)p3pxnALHP44BpN zJ2HR|FstJnBQUGu92vkS%q5fe|0#Z#4$}T76!=>B}5<4T6CPsk?tPHuu0*cP99}$+76KR zT85`;tt7WSEROVl8^U1Qtw%c~UO#+4qRbG2YeES-1Y-jx8~^5TNSQMWdE0cF7FvbL zZPnrW-u2Jj@u8{5e@&6C4NaQP$ncjQ`RDSh|Kc?My?6KjmPbAl;E@k?HvgSRK9~*a zjL*gb{9=T9%z;eorq*PvD0ISx#@4!)WOTyDKq`DeU2QWR-LIMG!AwlweDdvLv>%aS(SyMW zzVr+XNxtjrenX|x`GuB`nA|) zFYUlaDk*~p(rtoVJ&)drI`>R`+&APa2>HZj_mN1?2#XYNloSur)m|km zRNF<757!nOZ!&?fiIF)q$Y$rRb?c(w4)oO^{*>OSW{BaA2l_-`PU)TdQd!FWJyg;Amf=4TgI^a;rENtM-lZLy~Kd z=3d0K$1mUjV6HltmY+Vui;GjEp^1-h)!%J>+J>L6h!-c4kHMqf$iIJ&~<&XONwW${n7`!9I=8ccey*P-rdi=0iqUYj`P`+ z#G!pE-L!m|nJ#JL5w4J}8_>fjoXJ;VhGfieBdd1}5kW$>{)Dh3J*j_vHJNIX*F2!3 zoK&lEKA8UQa=#PYvlJ!KKjZPcSRy`CQ!{Hod~LL>?ag(`=)?_8fjR`jWQ>3en_21r z^7;Tea-dZgWOcQHiVsW-U|KMQ4d@YO2s14U6IA4xfGuDjn3;^3k&Tv#9@qz*FQ{t; zRE5wo)DjQ?ZUB^C(6*L_mS(U9)DpwF;smVU#o+unD0(n0BP$!AftZ*9C`^njWK0aK zP)y8VGA0%_T6%g23p6b07fhO3T9z7rf(m>d)psF0Ka2_jpaL{7fB?!F6BB?10)_y) zAVAm=6PO7=1?>AhDmh_5d;Ebc$az@jrm0`%o*#zA!a&Q$#zqfC!^{Ho7AqqY83PMI zAR9BFxgo6d09Ih%S6spZavB0+5*k9v^0W-J4Bx>6ifDW-G{O4a)cC{j7+4r-Ss0mF zff5`LHd-(<1GE?i6DzO}pb^*t(*jBn%=Slkvft~!2`q_ z{3|?qW+-R~1ONztre}bH{)+I6V9CqL{jn#RfC=hbPyW2R2Qz{J*=Ay7Bx3-SJW%=s z${a8#p~I1$88CpLL-g+@0%5f0pg|a*fFS_JzXB%rJ!$9FKCsmISzrt-fT94@K7@=FIvRhWjEx?^ z#moeBF+IbdGWNY{g&NY|2EflN{BL8E1v&_sfER$~|6}hxz@kdFuHhylisYyy36i0^ zp_>c}l0kxkWC6)JNRp%|h(u8lBuh{vOOlKrIZMt8A_^ioO88GZcLc||cLwKrpZEWs zGb40$^$D9*t9Gr^ReKi_08s!2w5kBgz5TtGJm~X*Grs}$pPma4Q22Kb26K9PIkd$N zmEu)KIY*;T1=KPep~OyMY+~yqRXRmqag}t~fnhjgMt5bLVw={nY3fUJgl+?jUcoF< zp`9XtARu1^y&!ClW+}YE?8c6{=*gTaAc2UVnlxcl@;1KqUHbXAoe{F(ciqZ&w%&H^ zIc_g3tmANzCiYVbXNuo<74N>1N>X3eShCb?SAZj@wk}CrW)P&Zb$9C@t2F6 z)91bSHgY-$+&vfT@~6WHmQ)~WbmVVUuHUkw-CbA+5Ec;gc7ycL^WCI%oSZ+OQ@|(45wg;_)4z?V2qAy%;T4{bzP^@bWJfXWO5Eu0{f7R$ zc=yDuC#2AoL(EbO^6%5;g_Wsh^u=dX2V?(nw_dAHwXInguFaXxeR zZhG9^v@`{lXB9oyv+VJzDSg5v&mdl0jTfSGi|~2$CV^$c&f&&+Qu5PD(m~U50w~X3DuEUz6ax{zTGS zx79X3`6C$%57pY6CVSTj5){&7@2e@K%gH;doszSNy!#0gVqY)}%)kb>%9Wj`ZR5iuTd 
zb#nHjH`BUI+~>6(*Cp7g+$>Qb+KhXm~`U4G*mDuTD7jU7tK$sLmwihH466|FwH z5hdm7?le;^+X1_h*VM1H%|B`t4&8E&mQkFnTjyQhi`qIm&qg*RGkFgusp(nxNw3v@ zKPng^^bWVa<6CTL6QmnOp-dOOD9>XGBy}%!U0S~Expx*mscqKQ;}>X#8U$1FhZNOI z*xBpTwzl9?;&o(si&~p|gd$|cw^o!9AA>ZZ#77b^OuoFGE6#|{<}njuI1>0y*UWO~ ztbF1M4l`XT!Hpn>MUTdC3sL;0ll^!ZDgAx1C)Zg5m=nr^oBa_o$*&Vkr}3~ogeX-C z1yqhT(Bx4Q#Z2}KDo7q{G=8`#Tz|dGLjD+4!>2gz_hQV(D>?TeCEbioLMs ze0);+F^L)m=Be<)D=?x)wHXOZ8s7`20+vZ}cYN2`yBpE4PEkL9UQYMo$h=NcuoSCJ z1>(IgYoKa2VFf|KilriLgvz^47yMxR470A-RZ_%*2|B z-DyckjpZ?$GD~{%EJw!DmvawT?>`L3@97CW8&N-E2fZ6lMUqisARf#`dTSJYp8Z30 z7q4~C8R`cPlou1j^dq05BO7UaWKUqFC2id%#t1#%?hIpX|oP& z>x??qCW03BiM!cV^h!TFCo2!MgxsmNnySvddb_Z(bJK;SI0ok&|7b9qd~5#EYhJD- zc~SLB)*qtp?yW7fv7aRg>*VuS4R+}1@1<`jz2QDH(Z{uQqS}I|A2YRFmLY+_)2jOD z+&eh-qYK`qn$^~|nPnFU!pTIF%?IR-wO$dlijOLwg^tPI9 zG~_ajIHP(8OD8cNN;>)atTtp-_mk~0nE*9ybFv~!i@l-=T|LK8%(F=;@lKnRkyWqo zbGcfqqdzB#nG&#%8AZPucq2Amy5KrL`iSp@zTYF>6K9%lSZ?H&&km4{*C}2$31F&^ zYpTf9DZ0kaJ~MdI%o@Mr;px|By!SA4jh65t4aJrihhrHtq~g<;v)6*;Uc&B4 ztB&TX+qZe1E*g+7jd?O<=Hc3L!SV<#8Se@%@ziZvMjNRxdeyqA$m9lDDM<{E;CDo# zH>3oT8e~O)8pPX6m0ZJjrIoLKfD-F9Isz{dGAmKH$wY4`&N@n-%sS)8lKI4+woLWJ zJHwM2);&xXtj|bF8MxCD{oA70PXy2QjM3AS4?tOwSQ<2`t5{gjsxTROHW(LYZ$;vsX;MUwFAyW7Fiw*J9)xC_xWm~%ck zFNJnCaw@V0IBOCpP;oY8&b(u6ujO)Hu~{QQu^iEM1jcW&2wVhd>Sm|*1$wLH(7>Db6C z9pPt8#KPOaby4u-+Y9`TyjRSqL`-Q#;Y=Fp1eC4V_ye?lgNbOu$4~GjN*^7Wq{CFjhSn=hYPjJ)!Xr`kmKyIzjwR}w*j<`PLp(ep&GdE{P=->h{o zI$H{i%ISrHNFYw`ODhRw`kT*j+vjmGtnIyspVZ#DB4g{V46`y_;AWO+V?S5pk*!xx z)e&oE_O4Mwp}%wFxt*((|EvBK3UL?7_r0RrgNyG~GBTs#Usg2%Ncb@%H`LQOWTiG~V*KfOX85;_OpHDo;CgK+<5$hW% z@%fBGVyuJ$y)y8VpeA#7Kq5%Z6v9=ArbD80{#e0+>Y(0%B(F}QyN`XrwZjh(;P!(WK06#NF3Rsyt5}65sAC>cg$r2*Wq390i z+UT2@+V>;cS{)%=iwqcCSvc6*8|HB&%}x_fn>sfOW3NZ1J+du&3O6_0`pl9f*lpbuZ4LjD zYIxdB&cQsvvpLPHSZJ>7>KawqP?XhD47SER^?(w_6Bm3J#ZsDk2`lz@O}nn#46%YF z96`(UC1}_awkuOEG#~e!^ zW`vy9@1%LZ~)yVx&5Oz6*}l5E89G4yW*Xjxr~ zr~gc@*`|!KqDCp6NJh63!W;-gJst+Kr=- zNkbxTiLu6_=k10Yxyy}_P9=}Em9u{R?p#wL_HtH*Z_b5nk{`cepj^Ftsj9Y8jIDPR 
z8Mk9mKH_UWcWW&#G1#F@Xs6tr?r|G7eeVr7#LPLYV(u^0w@WlaqKMfDyKx=N$jv`? z(i8GW_jJA^Ca8Wf?i78g`3z)oj8|QK3itAe)R1h7t}%KPA~yQcjB1U(en1Biv0!Aj zZ)n-Tk~h1<^>DdF5wTuB%FgTJb8x{aamWODY3JE^Oo@~P8_%P!vCFNJCY0m0;xCN! z4mY_?=j{}9RR}KS}6WPG5T75yi+#Hm^H}2N`gh4e8rz&sC zm{)km#~!plpmo2{{K}KQ3;NWFI*|m+u_lq^gr#FrH{m-esV54JY(dKNDzipHC(dLi zeGER*+7qs%=Yk$s4kOZou9o#>+{2#-BB`81ka)q zNY=#C&^rDo6PBNi3R&ca6@yt6ZtZ#u>m zaGQe8(Jo!ozQZWlfd?3@&49tWA+q~+zjLi=5OA3^J29MIriqIr)TZw;Zcp2Vxn0?G zx7~ftBb`hk8M3WFjy9-yjp23r)}ZBB%;p9ehOl9Irdk=)7-}k1Z-+B~=Vh(f3~a1p zkt3{x^-I+3JHhutf`KKbdF>Tv~_~)17r1u{Zg2`suL171h)`HRyy7A7N#rF_8B?;?^3Ovb1~oT>Caouc?Ao zo9HXO)7^IoW}CM>`Cd(CuTGH$!p$X9VaFYiJ!W^;Dh3ce;tKG3y;&BA{!+P-LR)HA z$&fy_&;AN0g3_~2OxSuhZl|tRdj^HoZ|6GHpDb#sj*V$)VL98a6a!TXw04Ag<+~3k z`jMdU2zn7Tv-V=Pv}SryC$`B|icYXpDW$CPXz~<~3Y*61XGJ^unoarMIwrGm?u4Q} zvZ<0yGzR@sD?*Byo|LZyu31kL4(CJ4#omVu=fs+v*qvr-Szle+nklV zvfZwWp`X7rUF^&I@VuvJF${yl)zyIHMt=f5oTubtaANF{SIg%zqd#A>C4$CuM5YEE zaqnNeP$gt2Q<(bhh7X%|d6`sPyQKToQBf0$w9I>yVOw447faA0Ch*&FR%K25tL>;? zdE9Klu0m(gr1R!Lvs`I-6X2nF%PL#*i#@&@+bwfZyM7O+ioWH1Mv`Y0HFYNL#G`I` z>Ln*m>(-NZ;LVf}9Czp`9?&{Uefyf-3wExQDz0X?CHAn6p|HN23LVQkzHedT_zx)( z&)q8D{ygkczEf(EOdouD?}##OhflEN*tPK?5zj@#(=G#E$!1*nH&s3x24>ELcvROO8AAda7Wk~ z~-%q#|dd{d=6%Cm1uJc4&5qF}ZcCqs5NTh^`b-{n5Hs+4TU9 zY2x+)6|1DoX-c4rz&Val;7AOdiS(d zhuHDn`Arv7?b*+_Cld{F5dy?h11!Jz>4O__JRhz^_dA6FYVXiMcR*`cI84{W8Lx)D$$%rY9tz_`N*>ckaJchES*U#jQdMetlYQ^y!zJ=+l;o*NWaBAD}@z zFdjDhBrUh`#DCfDx{FBU3L2}tF6Vlp+7k9Xnv_?17{wNem;2vnR=;zMIZ?^RjJ)(E zt(C82l&$Q!!}AZ>^Sy!6(ePn)>6xOwd+*3DakW~E5NOMlX5+?^k1T9qeo!B(ym@@HL{hfC}Y16;zzJ7&u?%RcX z*tS~!nfK>0mWD>LgxR;37!#5WPZV6~KIJkM4cBOUJ;gMTRli!KuTN(08vl4Mcebr& z`~7D=9fq4BDxWt$Z{7}jV0?R>CFEkVSsLwP=f4a8gj-Oi7MbURsrY9kjdP%KCYb>Ur9TOOWfRe5uQ{ zyLH1oHFwpc=Yo&WDvlc9-y+*CeizkrI}G1b^F#H;`W%}fT?hS+CmRj|!?YLDmw1fu zcIu86vwt{WrKw1phY;;^^B*rgX*)UZ6Bd;oF!a%2m}L2hozK?im>e};uhpu(oz=y6 z;+0!#WptHWAIs=`1md?p()nz%5&NvKYWnPKaS`ONsi=j^6~=mv>Tjr3e8C>YC1}UY 
z=)X6!&Hrp6rIBiFQ!slhv8)W1f!v-rb6jRRd#T+NREK23cqLc-{9od!)*a;`*T5^`cYlYcoeTXB{{ig}L~1x#rK>bH48+&9<*OL7Q2Q zqp59hT)*#vVW%)-n|HA1C;K82G428WIwF3z`P=pOTVkGuYz^8=sV6zI!^s`X{p2Hc z(+yOZKg>Tco_p*X<081RQ>oL?sc|Ck6EQ^hqkK;NCDBU?l|8-9USrc2u7!D@Qn{kCIhneL)Z^67NM4Mfz?O3R9HgBM;Ndiw;9?Or+Db+sFJch3U9H}-3n-+;( zZTGEwslp-H=kU(bCa`AoZhf?3l_ zMpxU#qMEs^oMT!UX_lJZ_(ia6`^=M9*&JRi7_~e-6NX67VWbnC{VPW;B-gIzG49I) ziXD3Q3C0GKXXUwQS(|FeqOn}w5tPbZi;<7C<7Cb$#jASM|IABM(2uvPH~(7U@GTA% zThd(gV1Le2?Y?36Ghbj`yp(M8QpAtE?53ogMb?)T`*C>@ebb7XEFSgE#zpc-M2VmE zjl_&S3_q#|w^7p>PR@=dhBm)XY@jlqew#n|Z6@e1mNUVCNzQKzn)p!V11p;T_L>+e z$qT5(Y1xG_$CsR8|8+zVvOPQchUIAdz>VK196m1Om#(@N*KnBqR`9&dE*l6gO z7&t(JQD#(vQ8Wz90~tusRLO`*NHK|^M(9{Dj57?U_LGZlZgd#SrD?sk;CrORa!)P= zEc_=B6sVP3Aw!I1{cpG5>yOjMn{C_CaCVDmB?s|2n1*t8)jbl(mmxQwXgdj3fk^xs zPAEE-|2In~FYlF^@kQ8HrD*Z?32g*LL3`wSOE+s#rdw6K#XCOl zNyJ-fyZ&)HUF-yL+|R|!>^VbwkY@>cTldX6TBHpJUvJ)unc1!xU)_U5DFRu738WZ`M1D)FeFb+`!o!cS6I&diH+zx%x5IOV$=#&fk^xsP821G z=Y@{xifS5+o!(9K`20lEXY1ySnAdyV1QzT)2-T;Ly9UDw#T%>l7WW`}26VYmdk~#> zrmew)cVl31Q)%nQwrHw+M#L4c3Pj@9a3XK%%aLO7)mc-YeuA}`(^I=8Vm{pSf@lSv zWyr9PyhGvz!@}LBD}xmXJEa(~0D|xjnJ|2!+s16GwJ_nKOFrk%>G|)^!uYeSl|Y8E zzg`FYzez=jT9W+RvgGemQ6dF^gf2kFH~z1=*?@dEGLCjv?de5Ccz#>A{Piu6^@g73 z>tbSiRE9WXcVKxkP$OmHVqt6|<7f!Hm!k(V$e94SU3e5tY|Wg_f%J3xi;NxcQ0tok zD0u0)fW^%~PD}w*Cb+*yLy0n1$_`Hz@6Q%k|ByQA&}k@tYn<=WP{MhC$b0mc>$c%Q z8d6yk3o~$3IR?L`Xu(N=->lP6=gXrePI=i;4)s1&|W5y2=t#n&*%LDmJQ`21aJ) zW@1VX?)F#QbWO~R_o^XBanbT|FZ^rSHZ^c%)T-$Jc%`bpV0GR+X z;Wq?8CV)%;neYt(useX=;Tsu1od9+RuseX=;Tr<~zwQphc|%)I&MRhzK2hI;aICn- zClvUMBIDzt-9HXK1YbZ1KoVcbG6m@aHq$KkU!);|%KmYQ~!nnDItU=zcfjjha=4LV?Yo_~3AQ zem>L|FTZNa8`#C=w<&Kp|JS*9;BJ38<<0l+r@VjIUFIjIy!ZE_1d^7acI<=m{;)U9 zj}7+S&WkW8|A8rQeqh6~UzMs%0NBFie>UY^i)(%$Q`vz;WGE?zhJ^!UD#HfmyicPt zm7${&nE`X(SYM~b(J;u=NXgOp9I&v7FiDtTs)oe-Q{LMI0l}N+Hwms9MBCimZ3wQ6 zx>k6Pz~#B&=RQTzp{9T`E#7r27TUQhwWFEfM<5y?H-2e%c-TJPTJ&NMVpgwDCw^oh zVM#xsV=;_l+sJ3_wK%~t`|~iW1WH}QkA25PgSs#h3Kwhw$@ajUl~es$ZMhxmX2KUc(6+ueiYOfBBu&B>cu 
z?RbBUR$RMyd8{g|ZbIVcuDE{|8lJ)U>UJe8p?6KBvSho%xM5af_geqrM!D?%K|fhy zQ24T2^{`%jtFqx?zj*W~w;jvz4v$@Niol<|;QnctY(75yOB>BTngdH))61e^bXhu^ z^9BtQi}d>k{bcDD&-~V|0oD1LFSG`_yCAs%7(sIXz$K8}e}n||+S@>00}5d{s;*uOa6!mC`*1o1Om#EA29hJ%MzcsgfGCi zJUzZY7;?x8l-=TMzdykn5Nx>kbQhi8gJe-`cJwUV+4eMR+6trF>{axcI`Y1^;N(z| zUyMelljYEH8=W(48Rmk8HaLi^MDQaJ4UikZraRy+?Lp!$$n2_Y_pcbF>-J7f(yFwJ zzX#IvsC`V>EngIWS24aQF5S!`-t-_LU06n5Il_U~Wjc!S=O_u*>ZmvsU~}n`7cvEm>pllXAU{A|JmVm zf4BRs0 zN+*6OJ?gf=-Trc=6Y}4$bQ1g{vOlrX3Dr8^C-;D&7GwQIgZ*Kp(}7JHp}eR}AHQm; z6ObMSb|7KOuTAfPiThW(GGbuox$_6Q-_wL-}uR{^;t##R{CURDph}(wBe_k`GfcPFYKy#^;2j)uuJ5q&$D>p8P&LJ z1*WvE+za_G6>seThVw>m7dihI_M!y;l0&pSHP|MHKnvJ)0c6)9@B-O&2(VCldVuUY z1YjV$4gnU(u0w$Zfq?8f6kwq5Iuu+WyAA~x$gV@d1+wcrilk>^c-&AiE9)7s#$d!3DDGP;i0lIuu+WyAA~x z$gV@d1+wcrilk>^c-& zAiE9)*Z=$M;;~9tBmX?!Ph|+*yxI_;xM1cdLiMHt+YSCQ{uub?|1Jhrz5TRA1MM$b z*o&QKMlaNN?8qZ?T!L$R0}@D%d>;KGqu8*Oe>qQ;h;BxGxxOJ}l*4GsS~n}`L7rm~ zw?{lYY|Jvq_!62v&he{2ER)1%CF7_ZfcS z9?}&Rt6?WT!?QNK%)^(92wa%$+ENsDo?sErnj}M-KC`{3)SO;&5y_r5bz$UL%mZ~t zunI)t*KlI=PI{SsreeoxOU`Pv!_3T5C$?vF@auMCXjH2yoGQ2;Ec_=BqFUWA|9Lhb zDDRJyn8N7~8G%qqfMiW9%*>tX1qFWL-e*ug0Rg^!P=9SgAdFtz3;){uj2eOl`MSB; z{*x>gHVzs(Cb0Jz53u(c1RWO(3)le-se&NaJzWFYI}^-l<7B=$$JpDUqJ zy`p(mHcQTBFt5I;Er3(9%P-&|^mErba29Sm{oKXzOL>-i5RZiBu4>Va#q`>)&I3pM zTv6Hq$1;1XE=coB&#p!&+Gn2-W!g~RpS#xnS?KWF!WUipIJK+Bo-7sE6F6;K+OIh8 zfBustpwWghD)WqbcUQ$9B>P@Vm{bo)PW;J>?VlDralBV=HHbWCJ$*atB*w@dggRD~ zX8-e_EMb}vx;&fDyj18@aem7D4ej(s&)W|le)3}br!fln6>54J)n$OR1!)V?7WB3d z(Axsu5%jhY2q+Q&B7hI|Sr06+jm0sz8yBEjs9kV>+<543i}k~ce} z_DhYKP)<9EV6V4*bbH3~&GxGXu`Eu{w%@|zG^dZm&Qu8~PG8&v4+0?oSpar~|BJpr z>4Z;TXGpK!EmogPdypbHYQgih=R+Bp1$&U@v{>_oJqVqxmzyn{Vn+^s9b5G3+ZU;D zv2rA7npwa9#QoN-g%P#r1pO0t)Zw$W4)Uhpp&$Yv0w4k)0>1N%;D zGCM|L!49ENpS{69i<{;9>j2mPRa7z@h)PDq+kO|74CjT?!(hBfASxM-IzT|+zZsQ$ zAb=JXl?=ope~n580(a?AH%8s=FN2cd|2`<0|BvAQL{KuSf&LJbjQHba|1v0<|3FZ( zpdcQPq@A^$qq@DJu?anol!=Rlv5AbMp*tSWSqo<;6%$8EI~#jDTN7JndI3BhX$xy- z6Gz}U$qP~@#&%as{&o5VM?+gDQ#(f+dR{ypMH5>yXLEWeACeFGKMP8p#x?&}Q1Xd? 
z1tkOF$G`uFhJ}NUfsKkvW&xs-fp}yz;5Qo9Z%3eEkg1{bIbdO962V9qpl4K1?FS=w zj1_jbBy3BLiFxJIO|muUWk$^w-lK7OZk*kxcy*{Lv`h=yZ^a@scLn?iL<8i;ujvk~ z2?^FR8!a`>g8jfg;!7S~23wI*VjXX`1W8MBdzr287?#jW-zS%N!H+;RKyLh(yF)ORP;HF3_=Uwi2&HGo=!U1oq{xd! zPt7HcJ&1BsKvi4V{N_n7%Y@i$#*J;C;oXOCejk;8`V~*S(>`!loM&whl6G-bU=L!@ zI5i_?W*nBKvpni8#zXwmSN{D(T(zCuDjuryy`LOcJ6bKG%=QMk408E*CV^c39SLCR3Fw!< zfdTsEZ%_d9&Y)lZh6boHzCi&LK#j4F2Bke*J{AyAW9)+gYK(m>K#j4F1*kC& zU;%2317Ls};{X_-#@Gh~)EN6%fEwcf7NEx12Lsd?`&fV);{X<*#y9{5s4)(J0cwnW zFhGs5j|HeP4qyRljD0Xbjj@jfs4)&;0cwl`V1OFq02rXg*arjD82ea&8sh*KpvKq- z1JoG%Sp12`s6wri^EhzGPZkfX>}%OLIeBZu)Mqux(;!ce@6~x$9kY)^BneN<;VX04 z-f@W?-33%zE`H+5ok0Du9pN+JM<5y?H-1fbAObqq#htLciv^Cir;e?E&?47sHU?G> z-wR`#6dw^kPw;-QM*Qg%_Y%^EMS3o!akL=%MA1D)m)BQphZIAG^I!TpI?U{nMBAr@HhkC#1TYis9> z$D@AL$l2W<2=7(2u(bk$cP z3G#9C@&a|=%ri7Hax{I6_&{w>20yax^YVI%898wTS?0*%KHY>5q^1|Y@<1kVcy0(SB7@qe}TZvuvZ9<=L+ zov;sW7atM<0LIG?rRV1bpyTI90OkOcL&8z<_WUpy(2{(}zivnb?4VsgBrrIm zxq+R(1>pbAunX$ae`G!aNOQ2?C4a~saA>;#ZvX(shk(=bA^Cp;2XK!_RBsSK(gW80 z*0_HIFkn~seZzhjehzIIp8x{YY6tD&=LPyEKrp_4XV;(Mg*a%|503lLW|>2Yo*LpZk0m(0(vJpkLDSK~Vz_ z5^!cP0T|Gdd_X6K0qpzHtUnuzkOy7<*Q_J|Y>-4*gXDt>0FCy|E>z#-6XXR3&L0i? z*BJie=#4z+^MOC}pN`&8L6oaN0AdPorU3Q70tN%TEFVA6j!=}g0IL3)`N)GlAO6pM zJ{%Z6;5<$}QlbwKd^(YGQG`h565_xW&Oq=xaqfIo5H zFksvUS`rHVGsIAaNh_-ViD3twKK!3MeK?@G0BM6n(!+uF14eK@dN{y*po&kB9u9~! 
zK>6|gVUSc&`2ntj9v}YCJ^sFUg&_eG5WGMqhYF%PBm&hn0rv3%mVV>c59S>7^zi?J zrw2wxK0yQ^C15E12mR3;B%oOTy*UT{JN%#fcL5Y{1dvGJ2?l5&ekc?s2uOP<3LQbf zM1El4K_T|dp6{gn4_F=a@qGW>#~&~bAQbO!#_=Lh7Q+E%z~F$BM*tRov+k?1zo4%E zgJB1qJl{We@=!R+2qfz12Zj==C?n{h2$X_GpdJQMLKS80_lEtMn-@6f=K21)vWN1c zJQNZJsF|-LBmxEl=ni-c6y1?P2?;bZQ1>@1JLuLjo_oHcl(gOqz`g%Z# z{8P)IzymFe56R2VPY*@uiQi1y_p4Bp()kn9)TPz_*f|9bI(*;ZJh zeZ#&fuzzdUg&)j1==cFi`A^N_hXRPe0snB&E`B&*tAHRB=&k<-us`{lLg3&S0Q{Z* z)H1jL@DK?M(m>BdDII`SfDZ%s1yB!_Ru78OUcXw`lV$t$qm|bZ#=hQhZ zkqQ4~`TSB{>GMVnS?HeK>wEFLDFX>&6DwPDZB=%VOh@x4OFYB^Q%0`>3!Iv@Y|>oE zM?K*?o_^40lyRYC8*`smk%hPD6VKYUt-Qy^PdddnU{Uz)0Sg~*v873H@x9ci$4)&u zg6}~lxpI$RTX2C;Jw~+){drM8G9~#`4r6W~5}6XWgr>u&loImXn^uH9haoDEkKK;` zX0XbF1dD6>Ma;yT;p#&lB-9yh#cJfmLk*6 zHzCP;hxb*}CAIK8gWEZ9g1x0)zCE|~+P3_h&drYjdll|$WES$`odIk&kGu?M+6dR* z5xedl7w_#gwPx2mH_C`9KN4yP`xtQV#ay2Ka4KDjAv$mRiP&R<9A)C%E>=^7xRhmF zY;%lCX-48#ia9=oYQ11oOmspDP#q1c`;15^4p@F!F3?3=Tv)7=G3^YOYW79MR{Be5 z(e=kl_^G;+1TJ#&;42(?zO?50oX@-UiZX6uUKc!Fh{oI4jiPF5r%&-!{ z1Kx}6LC9^>WRg?Tt`9zBNEtA1-DUPT7pc`emThf)ud&ZVs;{qz0RAYAezHwpeOsBy zqnMNXcpN)_s16ZHK*7<>-c${FD_CABF5Y8o6K4q)HC!nBY(+~ZcTE6c#ZrCu1rt&R zAu`qq9da$3<{3k+utF%$duH>D5UwK0+h;7CEx0IN(_3a8dvOv$)7Zs*`bN07c1Ogi zL=x{lY9B2P%-k#I9OaqzaQNP0NIu~xqYE1yF1Z#-7AVHrNnC8Dfoa`z=gn&ZWvB?B zawY5wQM8`gDcrmFI~3Uk??%x!w{i;-;WD4TLD&{cDi=K`BY#JwPcV0pTFf!h#5E)@ z)9tFw?e}{QR~|hX=(MFZiP2vcJ;9(44=W&=Yhz#==gg+k5x^QGdoWmV+~jEqS3}mt z2iDXf=qbGX32f(WOx2j3EwqVB`M7VkAJ?(5_SQRL+>2mbekAB?_WDWi$!n>DANpf+ zgKxo2Y0hTpa4_mjpMPg}m!Wl+{ADfU(~Kznx|Ko@G&oy<@F}S zNiR2k?D!z^W!}JhclL{GRi(GM*Y0M%`1tO0i`;nw&&7$UxwarpWXEUTH<-2_t2_9u zb=*@gJpF*;cx{X>*lT;?{heJq~PimmCkhdH*D+skuZ z;ne|{e8~)c{wA{MSzO$;m|18y4HsUuqSwKKJ4XFu&mJ99_V8E@`?&0`I9pI8w!;yu zWR~_}#p{Xr25;FJYiqw(LT7@tle-@gXQ)^`*G`VpdbC@g$X_9QQx?}8U)o9uu4|HS zK-jySzv8Wp7l_!LpFUa<891<%ZSW>i?!C93U!H@OTB_3He7(hih9kj`TJo_|?2{sl z-tv3Qik_XintUF+`e^|(L=&y?Jx<~S<%kbP*RFaKt5b`mwAy+tczR=z3e3_MoNi%N zz0Ti`W0`YBqcsPMtU{TegY1@j63diD5R!Mg~L~|x}Ndg 
zgAK4Fv|}jX{luE^VvF6X5@X%D%o|Kvn_l_V<6Ie&3TPKQRIln>2z>nbDNR;*Varl8 z#x1HmezlrJLs>fc5}L`gm+vF@2<`+6G^g2T7sb%Y_Lmbf*GF;g%-jvn~dE=C<`sj5eDfKOGcQq$Qq3OtV zer7)ea#+NB2G`hq9Lv6>>r!!Wf_-!xj0sCaUH1{=;5&`9XkRWH==-!yyO{B_SlpCV zHy~t+1-7FktX8-?E*Df}x&8V5wa-nDc(7}`pS?MkSqSU;@**u<1CzG(QKa^no`FVN z!;cceFplGAL?%+RKY4rQW61?pU(^i5tPGintgo>Oz5KZP6Ixz66Q0V5qVSG>V>{dZ zv3%Yvi)iUwQ%Tn>da1I`ibd8*QKvGfI$UG+R_|4=4;B^rY6MLj+F4nA+PN)5mb1Ku zrk@J*bFUuvbjaUyJoB``kXSvi@fL>?&BOkflNx8zbXgUq2;q;%q{Cn!Xuv4-+R2ZT}Ek&WjbuuO{*@lgrMsaxXc+bApP6QtG z-iUdVC${pM=?9L07m}TB=^SN9G0B<1TMs%Qs#qi=LuS5Fvbn2N^z2M!i&Sboch3g( z7BHlYo6f=|Wan)>v2pKIqkad7Vcf(>VCX$frXe}7acq-8hbIfCsA$97ng-E2aKpyw za!^di!y{*tmF`7JOR?xij|nFv<<+0e?S!#}d15=2boeq8HVt9DzbtG)yUe^yC;vjD zrT~itXIgufG;1o?HqfV=lQ*SRCy)p3d?h-GcaP&56LTbz+RXD>^Qif0h;Jk$7?Tha zaz9+^h+ITC6Y3Y=DdwCM?^9~)Og-kU>FK!AyM zN%n8-EF-j~IF( z{`^g=;-y=ci?UZ=eL6+=V6fAlA-||aDoX1;+?1tUHGt}iw9NYu`v@e(W5<9p>X5L~ z=N^+GDg*9}=?M4fkno(oyNn+Q%84A=h4L4r8`;k1E=xDkxG}yv4%7vV$+Aa}xih|_ zPHwUR-dowFtX6A~(}iT!_*3a*+8nnwT;7B+m=_qno&c^PZO84mTYVy(vmm&M(T+*? 
za|q?c*lp8znW#PPVVt#7<4IRkEQ&P!w~|tS!^wA0KLoCq&p1iaOdOlzn+wP@ z^?s@)YGePjRQ0*HZ*>c$KBoZr&TRD5jS?=c3K5x>8Tdw7cFAx+UqNS0_Ug650^Khz zocB%0`B!r&ILev*mvMr%_tj;%hq2@A);zp+- zL06~A%iDOL&Q{%NtKjf?im7$K`~GDkah@~8z7!BnS%?ODc(^lhg!0+f3bGzYuIGx^L`j)HmWAYM95JF^8oDmPPaEZmNjxf`Y8EJ{V>2R*HbkPBWpiH0kCN>=vqO(uESh?`7u zvik0eT?=P>F1{RTaDaL|)$97;oZk~Wn9XRt{?_v8eZGNFAx5oy|KY^?V$qUkHUoAo zYvmf+i$t(UIuRWU`O9SkBVsxfF~aEf=)PUVzITD%kaaWV!M|_=t}nN9A?5QFvENy@ zC z`AA~^_>eQfR60!;WM5>q^p$zO8rP3{D)sCkd<2of%tF`ZRz>>q;fT$NH>#Fvidhux zW_{t#52M}3y&=2_S|`vi9ihjA02c(xXo;vl8~EGhWFvgvJ)oc?;PEI!OL-r}`QlZ= z^8~|Kf4=|VL)a*~f0D~(G(9(m{`H7iZ;1GhU30b?>^ZORh)W zb=Wq3nM(a7B;w>~{`1P4#y)!I3BndNEj-IyGiF>Spa^ zp>b?jx;OfM4p-%EEuA&Ulf18W==q^mjTcH8z|I&E=tx*fb${em>UP?XxNR=)>ca6X&er?v!DD zdEuW%krw3t#HPVIBGmoM%N!m@j;3m7!pj{pF3{-F`%;ycYBh=jRFE?wBkMCmVYD=jtg* zX~oPOT~=c4Ha8=kJNCwyOUk3#d(+#N&M10E-fyt9!RO}WEXbZ^z3(S-6hFaURQ%3K z*oI<2ZeNm<$$-}i8@~)~f4hi*!usRhz)d}AxSVFBefPT+fz=(pd)(VMa zWt&AS)&2Q$)DuI^M-ga>L{b$K{3p#{)N-{4-&o(23`^2uc+^gt{eiMyQM(-)778JJ22VsSLJV8NutA+;DGa3X4Cw zah;rSyY~FTji8L~*%&YOh|h{HYp?DU&5@2p>oFJOT_Jc+=vB#R2d}RP8qzy*X*#hd zZB|#fSJr*K0{vue9VQz6d?f)|EF@g%3!%i>*K*%npx;eY-@)hcaKx>DdWqO}&0EG+ zkMJhV*$ZV1VvV5@K{sq`-+gMOxZ$Mxx#CGd&QUnVwAF*5nGrYr*=_`bE&ejCTlW@s z-9@Vv4ezWg6f>$Bk51hV(I4i0(etjib5E*wncSeIW|(*_Yo)wMFTfG`A!**(sncLUXzH#k5jRaLC0U;Lf z#vB*$e5?#q%uLC??{q!+F$u$CgL3?DmPTv^%8v3srENB(Vkt1QE;@b29D1&+g(??O zj{_ajFRep(St`zxHp-Y3V8Dlx$mJ8+G_Nn`;L_+kyJko2!4{wYGQ)iO8C#JqZIxJ^ z0>xdS=?9}cPlvn50yz4gg&{~yWND_i3hxxC6O&m$w zOc(4@CGA(uO?5slcNGs}5sNoar>HpZUiQ_YE1uuHz#m|xu4z%s#;U~S;73cYwIl5`>}Ez8k1jC-zH(h&EDCMZspx4s1VHcpUXI5UOc+^Wxq)ghts6r};CAPjME@UqUjh$h_x3+_$(lk5 zQ(90l`yxx(x9nRX>)08_*ve9=wAd;VEhpI_=>o|9o@tOR%Bd$jz#oUgV9*DgQ>#e0kOIrlwyW0vf z*p|J_LLJ@q0Xcxkf7&cB|CHzW_B(oh@ACNME;2vxthsW<5|{Kzvdm?;EZLwb)Adrf zf#Q@ZbKz6TzUbnt=SS_C`0a0a-27Ocw^Df`a|7-+myb-pf^=2&YA%z()`U&0!I=@{ z)$fjKXl@)l63~}5(J)AtaT&}VpBfGoK z&dSijZ@1ULbCRcwn_510SV*##>1y=_p5>Wke2EnKlM9D72)Z_~#l|KNY4&I(=B&z3 
zb>N})?sjK-Kib6qnoL?+cp-1+o)OFaBS+VN3d=Rh4jF8y(WyC8ieE$7#UxgH6cR)* zHo69#mSMw%4=uXSo*c0hTJ7su&6l*H+kn2EobOs{e-sM*5Qd)<4FZHzm)DP zwDEfXnq1oGaClP4)bONU;e?$0c=y%N&?I46+ifzf|J6oaZ^hlFPoE~KTdh?{RqJgW z%9gUrI@7eCq2tN9L)?~G4WcJr3xA-RUH`1sBlpbzbf$o(NJQ1?mhu{N`99lP;UMDf zt|hznQ@eG7&(?RRtUqyQ2O>^8C98FJxw<*aTc?G!p1UXuuS>I5?_Iz3Wx@@~9=M=J z*v*#Bf34b+aRq(FaB`SghH zCvBpuI_+2rS7_?UZH%5;Bwx|=p{1kVQzR@%R`gMZZnWuh;pER}6$hm=c9eG@ReSmB z zX%9DQFO(V)T3^i)(N&RrRbAJ|tC5?FL;OPY`_jZ~cwE8zs;q8xYH-_!9o?B{YW%Kf zr)5fiu&cE`VD;2*X@hFK{}Ls+4^qL&A9<~&Y*dR(%&4VdpDJpUuPyu#FlyuFRXs9@ z9AP$!4Zfo?+OjSr{nnnRVeJB$TdjyM`b9>=;+}0+JNiNRRf5^JBXylE=Nf8{)+n5< zJ)Ha8>hcw1)BFS*UqqtQkx9;=^A3+zZ{L@HmZEm)roiN0!5)cqVimw)tkVVVOLD^~iCJjs7O)6%pc!Iu%ftj_Ple3e;7VkhWhX6~G zlRfPoY$5x?ckFv+J!)wBVM1U3mW_p#fsvVs?axOIF)*?)Lk}DJ@+cw(qyZx{%MujR zBL2mEo9zr&%zD(&=t$-LCckp|RF@{d)8N;g6h8#<-;N-VvgGxZif2T1#*^%pbBd118Z+)<2c+`4DE=JK;a*C)U z<)rZf#iFaqD_-$U$$soC><}1tdiz3gP2(u8vh;e$mfQi4q+{+ACqX43r5=qwBrh+K-KiR_ zwSI?zef43{So2TkOD+n4N<{%Q|w;62y*HeIfv`2xj@d@7xsq2^br=|EQ zb{X90syg9Ea$AUtH@EmSg-GZ$c>nn8hlbxPG3ij%odU|Pq)ny;elUzEF^!nEtGrte znp6AtR%%77ZTh_ne?4oN{rQa>i%qP|dW|Y6v5vBNjv@)$9#mYc6PQ$tShK@;2kPsw zzgemg;cI-2O6w|gJ+m`58Cjc*=qalc@Q}{R@0_qjS0`7^`_WpgC*DUr?T<4v88;q$ zd2wk}#?o*{)2v(<-+hI8Z41uCiAL=DP3$wLVMy7b9m=Fs0PFr>(e=iVWi)P~f`eU?Q=1`j(pb zT3^$XFEcm+oZ=@$0;l*1G2d1Lr}&nSpY4H>;%Cf!TMtHxZ~6Gy9vCTp#>}_%Kt6rT z$IteFeEJzP-_`^9^erDh+XM3HXUu$459HG~bo_J&$fuuD^GySgPv6k-(;Xn6eoD8I4pZUFLWHXA=L1NroGZf3Ut`81o2pO=Ar z`Z+hVTY!9;&Bo8mKtBDPo7pWuKFwz1=Vc(De$LIT79gKyk@1TnkWarLXI2xCPqWDQ zMG?rSUyw7a3CO2eWc;ECL3L`7}44fP9)8Pe4A+i6aPjjOQ2ISM+hywCy zZae|`G&i1re3~0iKt9clCm^5Z#1oKDbD{~zr@7Gt z3CO3p(FEkv9C-rrX>LRT`7}44fP9)8Pe4A+jVB?lj zZbSk3G&i1re3~0iKt9clCm^5Z#1oKDbD{~zr@7GtyMNE&`)T~s3tX5yiDnSbC)2QsKN)=&1@imIwd{gM&U z*4OPP%_)Hm2cm~0tDlRvUbQNg_C)%4A3hmj`O@xPn;>53=8Z=cpb`-B-)RhP(FW0n zk_WeroJbmCIP>Il5Dj)ou2?Z4UQ{Xz|4@-TGuk4*cSY6Hr(*f0Tx#~c1?_kzO49q6 zsbhG_smQX>WUvD`0Cq4BUpRT~(WQ!)la`;Jn26Os(Ur*;m9s_-#0aa&gkSJ=6jtBn 
zS$W1Y@LdP^1vvO`v4grDxr$_B$v_=x7i?5P@7P=L>mT3%7D{X6AbC3YP$?u^4|<7g z=gNV`V&Moly(A|mV;ty3g3Fle*}0PJsT?v!zIN2<8Z|P-gG0uUqZxC>b6NCW`ck+SW03ERknZtnNN8I9|6Tabg zh6o7m7F!>;uWy3BH~k)Td_7z|$v!Sr2(dau2)%zGt{~VmU55YbWxwyT>8{|AF>`T% z-X{u)Msdh!kX)Rcsc+^2hyLXPqXa^*#;ajLn#`IMiRcVN^79Cz<9OPG}T}X3@{i2^bbaR z0aJ$YF689qy0!XYOGYdc3o3h)8Z;|+B16mV|oqh#H*rfqa6Gcp`tfBholEVz% z8(VCo*9LL26!q=ib>s9$gdl$bD`Ttwy?d6rBSH%gHZy@k058B8fRp@7k%6tUxG_k5 z!9%@mF6SnWi`AM2hCb|c+b1VT#XOPDSd3-Q60-6>BVkwBF^I!lZok7wWB%MLh86=%S(s>@k z2y`k)I)kJ$NIHY0Ge|mvr1Shn5|AhXi4u?~0f`cjC;?yY&2uCHi4u?~0f`cjC;^EQ z@R!c>8%jW;1SCp8q68#LK%xXBO6E6`fJ6yMlz>DDNR)s?2}qR8ZzKVU5|AhXi4u?~ z0f`cjD4FL-0um)4Q34VrAW;GmB_L5Uzo7&qNFZ{6-RxC;^EQkSGC(5|AhXiIRDaBp^`&5+xu}0um)4Q34Vr^BYP)q68#L zK%xXBN>4uBm1HvpmFhmkNjaH#a&^Y&WFn#&7P62*$GOvyur&JU+r2ic34%7@HDN#uDHNIK3n%Cu1DwMS{zi>)E-I?5P|wM!t5`=^8aM#e+k}kmN)5rPz~v z;LxG^6tcY$i3+!n(N|G}%NUaasBjrg4_haa(w|%9Kew7z95Si_RCOb&EtNz+RUHjS zL-#aPP~iA-FM72(8jFY1U(-$WMkOV30NetNK*Eto3><|)Lnk7Uc<6fS6tb@u{iHt- zPwzr_AsiH2PaiK^3dz$xkV8fps!<{Nx!9A`DYnqQCY(y~CDAXfL-KT@I>T{T1qJw@ zgm`nHkZ2TicLaO`8i9cB1>Kl_Ke)XI2fY@;r9Qnuz$s1;1~lBs2YLr|$SPzG1CAe& zON37NhTIt@Ah=s>ecZmj3Hsjjd(iRqaPcJjxKJU)>JTIJ4uZ&nV1MZ|939Lzm;Jua zru%|J#>~Y5dY>pH7R4c>L2_|&rb6!vg@CvryOSwKUbgm7kI&{v$%X2pPogN3J-o=C zBu^@wz#*gN;!Y(|pyQN{RY>+^2hyLXPqXa^83!D?;GdMD@n|CPE332yS__O{t3@Pa(eiRcGy%U!!%}yX zikT{&pzmQ|W^L!>?4+>8JJ8D^z>?%-PrCe^(rEClTHeqR>UD?L)`7C6AeY3quB>*2JQJlGoS^S!~bbF zkV)Erj*k*;Tfcqj+lV7Wf+gS#+3S|m<==oT7WtHpLT;K*fb|WG3KhhS&l=JE7rF` zXUA(RnMGfv$#0g}4eNW~)kvnj+>(z0mjxsMO91WwVgeLQ0SSPFKgLvG3BVG7CH%nv zumoTUz!GK{0PX0~j5EI{ExWkMwfYAZC18@i64l@h@cL44%V+>$)0PX0~j5EI{L&`V@HR}M4|2}i)`B{?}6<3KMGT*h3_&Xr_O<&ZJ* zwWChgsF5ii95RL^AF?mSp5z0E4%MfS?TtuOxP^?qiW*$Tm=r*T%V>JoI+2wA+$#UM z)wJS}Q4OG~8&PekB>Ji9XgC_Wr=fxZ$CrE2tIg3k1f2ewZlX6TDUk!<7APVTjznPL zC=3QV5sAV=*HfpEeZA->{egIT7s3nSpxAo)c-c}&p7wzpGRjbm3dzsKo}^B(h4wY! 
zREjT&erX+&rxVo~j>9S_!2cw~n*)W!qM*AY;2Y2g6ar4aG5vmUdk+qJErd&bdV_#d zoFEKnxRVd`4(O0o$Q%Y7KO&cYy>G~!VFH4?#n#8|>zknOO}_^nUk?{gvX2WDLaYuk zLhm4mEC}{YpV9gI^RmjD;Ybb{dt3T%9c4HI`mHtn+l*ebMF)<7F1mU8jYEuXfy?MZ zooVYn`)b&)SNns{&7Pj*+5NBM;t4@hqhCsiOmQGl;1<(_Ks{jySqj_&i9<=_F?b{f z562O3(kLvFK!hWS7-eKs- z3UQ8_jSM$$WGEC-8bie5(Qq6ZBaKC%2uL^zLJQR)pgIg50t?m60T_BVF#NoM5s1=6 zA^}H$V+nK&XgmRqMAC5)kVGOJhd@A#L6zSEGuBi6jxfw@T!eY!!lIDUL;?|un*|Ju zK}h4#L?q^CxHju+euoQkt*-`4oHs5c5<5)}1_FjhOXIPSts$W8gF`~Fh?xJ(*6d&pjTrMqg~Vg%aS9r&(P%8h7K92( zqz~mdEJPLr6fq}MvqL?8{-K_3QA8pN4N(NeuxYMlb?fvnJ{PWL$9cj(5a-eK?!x16 zSU3?UjX+`$&^V36LNN?-MjTY6TON*H`)xNGe>Vi75wk-*BuM7pjr6#VBNE^QC?FuQ z2qff;1OfyXhb6#?P|xD%b>HIpKB}S-vtvDB{;?jiZMxCpF|%-?G4x;$ncLsNH9Oi9 zW<`577k4V8MrG98q0bg7Bzv+0>8rL!U?2e{ zft!!pEBDCVIvejVCS7P1i+bRi`#cmYvCf@+2ZKvSmRjpTe|Winxs0I59`^fX&tyXz zf+mCA7}~Erd)hKEb)GK|7P+HID$;A2l4l%a)g!(Of?B(+F|KR(@JL^0VW@u5uz#h{ zMa>tt7Zye9vZ`)tw%)Yu&7BXCS-VthEfZcYWIrnqvyEWw`$kax zAFo==j6N($lD=9{SGPfNvah|i-o}06>}l&e)_D|#*7$;P`<@Pmpvj7bw?obR$lG05 zj=Wky(cTlY-!{J{?$wGA*kyr>2=3$>cA1H(j@JCert9?gHnZ-fuGnLCuCR=3G2+4B z=Bt1BsLP4R3LC@@HH)0%xy|mPLvbB`F_ypcO7dQ1*lw+rs}Xw^74JK;WSK87w|MZf znxpPQkL4Ho&{Q4T`VKzfgGH_(!AHz8e>%F}9P0B2-m6zm~@wp!;IEsK}J)_Zvx=Ali9G5N{5~^QF z_;h$Ei@9x(GWm{lx*)wqu~jx>9jbuwVnyp-vu(o10vL`sr>+`khehP;wi*orFI_`(=&@NIHxPPyvc|dB-%dP$#SvwT;1i`^Qw6lYgZPV z2)qzE|LJ1m*@c&L^QAH?s&7fu?pWU^t*g9qhgi~HMi~#c!y62G-DF+enVHn0d5at| zT0{;{_vKk#T>1q@3kJ?8EMR%M;bF|{RrrYP~)e63KcA zET=6md&AvCeBW+nvwds6FCHOpuX+(Kb%QM2$G{kO*yfTYbHu&-TGEUh;aU47&t^H} zD13-upVfld*UD7KUcOx^pYe9(HLjw}WbTMgUQV6#7M!VB`i`&_6b8wvO=qrC_=NG$ z%m3|492t6<-h7;N#qw=xoaI|JtvX!SJtoEn_p(`KY{w)7`8o}x_1CQw+_n2L%h~25 zhZ}CiK`(K^?7($`m#;lmow96SsTfH)@`BZ_-hi!`%FepR)JyovI@7x=cyAtH4%CBK z*;uCP{+w0q=7C6?SgTT1cQwvr%L~Q4ha8GhrI(JntX?{_FgDNQ?QS0Ch}~{njt@p6 zmd5RkbLYIyyqT}@z=B&D?nQO;EjIvrdJG;EtW{X#4;&U0!3mM|kLGNuM zEUzH=i=%fi;fIT0wZeo3ew{?Kt0ZwrXXAAzj^gr#8yl{z)#zEkJ;~0vhW5uIN1l_!6*C-?Lv|m%9x3;6 z_b#MY#(f?&1nFCJVi+5zh9#g176Adi{guwvHRhggE9zwUe 
zYs*+Gyr$=UWW$YqtX*5wRlbw>0yX#a0=21^tHgVpBVQ6?usx$^nfD&Cw`~u@rC(a? zaI@jXb&bvCS7;+c@npr|iIUrT<$~6C#>!t6hF*KzUM@o}ymk9!!QDGMk}=X{(&W%P zm+lZV1Ui^cz@8Qzc+%D08(uDGxKhg{Hun96SolS6!`6)0_dYw_5BEh#CmqQvQONE) z9b0_7?|9$2iX!e?z~X32_I$ID$Zue^^kjJeT<_Ls_!e9@uX9uk~6X($$Fn`&tC z=1L#`6P9{RvjeyNBJBt@+YMT`AGh~5AD7|S)o^5;2*X~={T+(bbhopW+m;3&I40DU zxKhYIu3za*S>&e=j?uyqUYq%(ml!SZHavIn`Qh!c2+3Zi)urdIf z10S*Fs4F;u9$wv$(o>VQy-0Rt-;+yOhc;l3C%ia=z-%7Xx@O0DzU#>Tga^p?ENdtH z4y807UK1%$*mT69>N3{4Gr%N0WJg_*wwJLs+Gd>b`gH{+T%1PgP445JEvxGpZgMY= z+0BGPY}(_ni@6lG;3(6;zUO+XU5$3naU{0RZHmb&m~!hjyYO+YTKzKBS(LwjqF!O! z;Fi8aj<;H{Z3gW|(i^BVJn7B3eWIsQm7$T}Sc!NjJJOTaDIQdail>;_S7n zK0H=KwQ4x?5k8wMcN0&c$-KBX>-tEGjNWHm?=kP?UW$_8_C$+KciYcaOfi{XVH9 zZm^~Cm@77`ogsGUfs31l-?^YbvSg}ePy+8*$5`f$7U3mcYVFU8EV0U&pEVuNrCq-! zyP@dPJ90*%)PRV3)IRLJoVEuB!k2UQA8~hET6+EX5%+GP((6%MgX_FEDez#N7FI8l zIfWJ2zxuL))-EA?O10ey7P9<-6J^3B@kNNl`$smCc$Ljr(o$=@(u!Y8eJFp#=VTY- zC%GeBWJCIr`ukoYj5Q3qy6-WJ$~`-EGRdm{pedXCL|f4#?_sWM2d=9|^SkdkmUeCH zsQc2Gp4FDNmUS?*1Mjf)_faA_>!=w_6cHhK(t^aniA#bZt522qdbb!RFDi2VxFxSu zlWOAcn^NZcLDVEPYKsKBH0|ukt{i|1(3vriRi?(Z>A5jV>>Ttt+f9RM6Z| zE`&&@ng1~c<*Y<_5?f;KBilT_tz{psjbP#B%Q(Vif&E#p}=+pO~OZD*)lj<|IN@9Io%r>bKrs^nfb zWt@7)qKMDw;ovyWI@okY?bKZ^p2Qf}lP%AZA21wzCMi~%q$@gxxMi8_d#KVzA}N93 zDwI1{4xb>ERN5?iSC`=Gw+L!lGw`qG|in5%P z*WECZ?5?-6Uen!`!^v?4wK^xra;uL^nmJw??{@L>QQ@Pa1+Vn5Yp>ZJObcWBP`X8w zTzDt^;pKN85pngZ4`C1SVVupJs37!X_IPB3*V2d6opp=fM)go$-)fp=U9mY#9I;6Da=}WJI@{VO?zWdgM)PBxLvvW3aG#kEu zU2?DbE?;epPo@FM5u^o;Z*AgFq!PMa3lJ;Z%B>~0r>{&VeVBqb8kE^{ml&%@K%yjCr&m}oFi8be`6IV&} zE#Z7~)}NH#zs%%~=ZU&9ehM*@kC?o*&`kSwW?X3Re!F#{slD2@#=84Rx$S3=Ub<)F z7=+=c;{q35cU1C`L|qI@Ev&{aV`Y6IN32!!z7w!xxocx+$jC@d9^4#7+9;**CbzV2 zmy4Z=>qRSW*_&hb($?py4p^R0P7(G##Z|H7sax3UHvBVlfsYl=m$oGy5vb5_(>NU9 zK71zJp7W^6g_IXZ@3SvrI{B3IJ!5%=8ppMGJ994ag%qW;0@$hp!4Boa8jm9qdydO8 z@@>UL8+Z7;U;Y4_^w!~S^f}`89R>IJ+FK90W!bG>BEosw!mbaW*%d_pU z`Ne7F8;_prJppY>C~GWs5dKuV_$Xh=Zoqr zm8s5qR#o`Mro;Vi|K_)MYKgLx!7-yfX831u=%qJTVH6bcZ;1N{w_Ps8u`ATpd>%F1 
z^B}HAn^iMX{`A9^_a6?fr3_22y&}6meO>se1mU0s8y?n-E@CeUUch*wXWLDa-WMNo zj&Qkk?=@03=ejAib$8a;lE^(9?Zgfzm5CnQ^x*`Xg!RJk1svfM{BM0zv@O<6aRla^ zj(_l&dWxh`L3XZt9On5+WY}d;U!l^)n(5{-i7;ICE8lUeV6LcFQB?}Nv>a?x2pM@1 zQCZBor^N+dZy|?Yn#7h!6_4dWw zVk2D7Iw!jjc|62t_4VzKn$f0Xn@+9WaItU&ay&Dktd(zIqS{`NMM06G;(le^;X?Uh zUeUJxO4S817t5RSs(XNu#5Qic2&eOi;5m1nh;BUU4nn+ zziKonAI0Ws!o1b^*8OW*h4ou-K_RE@9V2rQweFAHlGjQjw6<(?zpEX4ypvZ?e0$$6 zOSVetv*j_BOckS-cWj_O)(j0UINnGx@Vax@BF^E4s9QqmgH0P{i+UYypJ`r?+E{8W zxOmyQ;*4wW6lzvq*67r1EZR;kJ-zKf+v=^Ui+S>nc2!zG!urR2Xx@AYuie9(bN?Cl z&b7u5hPXQu&vnz4(9(}r{uqypkcaS#k3YVkUDa>$q&arg3tW&`p~tcM$(p-f!RtGH zZku|ho|oCdNp-V9WE>*!45?JCC~ zGv?5U=V#hcqjg>H?nXW#JMn+Ggg8|bnBkR2A>UqS>@P{}fL9xq*2e9jsylq%!8>+3 zAyw^((v?K1jgsAiBi%bLZPV*AAY3cxTzHxN>Gl2G^%6~qIh&GXut|<%&o-tg>rY!{ z{YIfu#!>Zqc3m8Syo&}{Sx#Loy8d#%K}4%kW5?cXQDIX<;ag9Y^0yeBzWeFeD_DN& zq0Y0-n?8*Qw|r1RTCutFFI`lR+8)Zd?(|-jl1&*-)N3;S;$jvtyR;%ciZs3QJ2l9? z=JnvIFeX<2Tf&nEY6EX?gvF)g+iTW0Nk0kjihf1*Ppjsh=-biO$7I@6VVAAuxmrMg<;khn3904TP2quA^`{HUtJv&3V|E{+G9j}@;_PKhQ}1U;p!NHdM` z(ThYH*g81H*)xo6S#@_v?Wiy^^0&SP{0xz2S$p>bdpYt9x37B~58c zU7<-V+vv4>X>CK~2v2G@lOWk3@>N3RI`q>;5oJ&0&ebftVe$Sl3cbJdUakB=3EA)* zH?5rEhgXi@=!Gq>w$aK7cM4lf9Iv$dylbt3pBtIIeg7WS9kqK4%?j3Uw+vRhd{Z$( zc+7kOdiBj328?~(g0Z&?R;?zAd&<{|C7j(QIw+e%&pY40xoZGLIFk1u|7;V#VO3(aq`S!=e@ zgCdT<=6<#(wEO6@%k1(Ksu4~f7UlGom~D%-31{TLclYFZ-FoNC!^iMa+qp%cvgSm=n9W@o{yrC>pZ9MUPQ+X4V(O$-t z!b@&`((6-r61q%*A!x9_rcyB^=}qu>C~ffJK$l`6t+T_rfc9zdYT^2;1(PMA!CH~D z;fJ3?$KQyn7H!bta8qKxfAs_IAig3FRu*1m3`4+t~labL0yT}CU;8D-Hl0pX}nvrI{8ZB=Y-aW z8VrOZ%a5;F*d*ZW@e#iH7=gNnVCuIkvfl5_Zb5YC{iU_3$Lh~+5#oHU@vzb$s@HvV zuRp)nmL)3BRs^`!i@s5Q{9ti3@tu*JqyD+mE#5pwbFPQT@!G2-DO@PKUy8CP5!;e^+meKz8(Aw5fCKV)|@#mLLn9-7oNdm50E3)M%T zL{TPtc#%EnvreG%zGM1fnO_`aVQ}f5HAtDwH<>9_$7HAE$78tLV znx-0zfdK|%fd0W~FJQ_r-i4gpoE*H|T-=NJc=?4SmI(<62qDE+i%7_#<>eq%h2NxM zsk=$VOchVi_b@QCwsUfJQrO}h=;aV#NpiBM-GeP;X9!^5!@$4?qZPq~p(`^o(eE+y z!@|nI$i&PBHLl@>Zp_3?Z-;)S4`5id*np3Ji5)YNkp;!HdBsXwS`&<&-lzy09a)Ax 
z2Y#j*NQQA1;YKE~z9Tf)(xm=70fYPNYW6gFS?Dfwx$i;Pkjj$Ra{ZJ5r~*vD*U`{$0@Q= zWS93{UHs+ZAy5UF_?K*A+eAS=4Hhjk{1Fqa(I;MR*$(y5 z5Ka}n39~yi*s{~1txTmOE~x&XyID`{H9PsqzM^^8P&pf^j<*>2Nb+<94qw7pA3D+uUKAl zc1Ae=ZlS)TQ{>$g$#~p)$at{OFk*Dv`HB1)nHyURuD;wrgISO6tsMCD{_*c#{>ynx zdPx`jPmac!^@i5!J)P7-cl0KI_imEmUk?A>Etf*bk=NvRCf3(zFcZa%LlTuq*CQS_ zwvO*R*){o~8SeKYUW7bJu_7NtpW&ce~Ye}gF$ec zq2g~9Kydq8bp3HK2yVYY8gvQ>ZokJH2yVZ}8whT{!Q1~o!7U^+v}Z%J_23~}8}vO z|G*l>y8d?Et+!6a8y)SUSm|nCF7+i!r>=hf7E}Qy{w15R>!Q@RzkNc3Wm+qCquK^W zU7xY~N=Y4el>$Ey19r)#3_o0vitybk5Z}-I`X5@63Yvt5o}P&I$NEcOR-}SfUO*9` zzFW%T z@2^NT-9g{3NJaQ=EsF2^>@TzR(5SDo^-$2tQvcR$JvM6Y9OY+e_B=G0m;Y|#&%5uX?Y!4wBH!XAb><^siC(~R zj?_EcEJm-{7%%rRfdc>!z#f2K{2)H?tQ{5GaydEWWQEWJ#Bs4+vqZ7}L`3w|@xslc zifu;W&%TDQ-z+hcvy^GDCGRHf9zpYSc7&Eyy;od2;p#Oe`ng?`9S)rO zM1#d8KMTny%A_xrb#>(*OTeomdp5Dgm$El%Z0K0E7(-z!E8^Bfus z$+mkPdRMXC`IFeODJ&sanvuctRSb)0}RepVX%}x=o%98Z0Aq#ndo7@pRCuPkr}Z55O{9A;#iHX^_HoEPq$?{ zbG37(PGUd-kN_+Jc)@>}7v%Ymb~OdkV2?)6$s9K?nL^TFFGL1uu;xT^Y3o2`YxMY0 z=W?+r#hqQJYTOGhSK!J)0gwPJ0eHcGpBF%Dq8aP0x5XcKemF2#GS&R!Eb@2j(0`wi z{GZAqLs{GD1nD;7%LO~!xaOQ;Sxpx7K}G5Gn7AGiQH_!k5c-YLauy$X7MPb z0-8kor?_&(CP{MRK5G?TmR9DYe0rap0y}^MUiR z#rj8!6iQkOxMlhe4)h1BhE|%0LLyve#v&X>z{NDeQL%x zr5HU?_;HNq)1Tjd&SP_aYX6O-{)xhN8f?GWz!}BviD;SUK~4?Ooti6yL&YAoZkor{ zr%z?zuudAAvW`e?4=IW7PKp>8Rm`v$?Yr7Gaz|sn*M_aohQ4yJF7J<>xY{r<>C>NN zUovzhRDNh8RPf-uFU~9(652f)f=Y@T7q!j|LH7hqT_blC6h^o9!{>eReKM7kp)$or z1BLeGLzTtB(PDKO6QAq*C$_Je_qBO1j?!RP+egYm%z6StZjMxDw~f^no*A1`JY2ME zzE@{lT&OrSQMgpEY%*G=UUBKLT{354K~h{dELUhb0jzwQQefpjvMgZbKVk*M@*lAR1F`%^ zw18OtBUXT7`4KBXvHXY?pjdvy3he)uVhNqr<@29o&NBN0Mf()nsQ{}sG!1rr-^W6v z6{bipcEjyYUHr|d`u?5IMaF#DLQZc6JAeaV2mgRCu=mwmGMOlOV&WlcAgW&(qVzbY zPcnM4aBXz#Nac8V=SLb0SIJI;8MI4};aznjn~o*>U3mZMvMksE8~{7`$9%yO`rhj_ z`BdoTf%ta=14)uJ80Ck#eByVHBL6-w{6Cb-hf>t&=`{5>xqK8|P`1rGh~w-TA+06oXufSu&Bzr2{0#AQZJQ0CI!SN`9GzyC( z5aCGtmq*>>p$Ew$5KtX-yb8&O3Oxm0*~r?+SkGG3+*leZjf8GRrTE%Y^=&EihrFPX zNCgG@gJ#Hft{iCMcaN9(+wf30j5HpDh2xMY2nc$5Q2-2t7=y*YaVV$_3)Rhlv$eCM 
zSZ`J}`VJLpHmdKIKKR?H&;&Gu0foWM!i7N)Af!m*PjTsL8X12F3_TmzcgqI+ZD1HA zk`4lzck-1m3`7%#h{Pd(MwpTQcd(%K5x(}~cgqg^ZCGD=5lbXUV-XlU8U6L8a=2%kYUo4p^R`e7GBQ&zrkg+Y8bXXkIj!XW7uk0hXG;i7vc z1_{L^+>hD%K@Z|*qxx>j&)-Hh(}M&opgzASKNSqDpyFmT7VPOz>2m_Lcp9KqroOVH|>W8qt?>`h` zHmLcBdB}R`2=GKW21k#icq|f*!O+7z5`~9j@bpLu)qUHCKVl0tE5KtA^AGUQSUwE` zg7Xy^77H{kgfJxc$OtyvKsgZKv`Jc@2xXgp*`kojW~1V~8Gy%REe$U8C9dIzeT=|;M?QP$I! zMv9}>q<^dK6GhpY{9M@Zd3^N;>tyAnx2N<(WOL9C&$biIm&O4Ggi4QtaPUsv6$5`FJAumHsGhA zW=DP0{G&b=l3~!Wh{AmZg~dWrpFkk|4Al?DBJ}L2kNO9q{*2N`f9XOQcnEh1qdBM9A+p|N**vnt^^-Xy@aZ0k~u*e5?sEIic-IG+avpyh zzQud?DU6O+v^5X$VHg$%I^_|+~1w^{z&947Dm-2?pX_6GtMJ5T%N28 zzb|uXbD*1&hW&*-+&AvrRrXji$}G;TwB#;NC%lXeLDFz)p&GyUeQQtdySK;W2xnGR zU-cz3q)MgQ{qv@EW1KN2n?&Pxi?Y9s%@rL;bh{Aj|M~On!U^d&H7}@!PJ-;tu?t*? z{OL;U-kX(35%}zL)=pAWor4!A+F#-QD;3x};>lBipL+)P9)Y%O3g?)58P|xsy#488 zz03Lf&d)MuB&H4<2Kh{>cCo3Q_49wwte$Q?()uO>HStErX!ijOPZHukdkdyNc4(i1*c?l7;Mjt(p`Dp zo)j8uPg0NKR!MotB7*YLz0$I-NcYHQMIP=wQIGf!PI-ry?TU0BWa*(f3wC}!em=YG zi1xcy0PnUm5F?4Kh-JeL(kQzrvn?=%A7DyYwVpCu z_e$5z6_YSf>fGP_iu2tWa?Jg};UvYWj~z*`C%b#~%AJzr$J-_g3oSnlge%?&2n_w) zTJb8k-Vf;+I5>1#(iWb(O5j}2A))RJi`PM+pA+hMud$|LWivL!Dpt8g>Q8ZPb_+5n zj;Lxf&%hoJe0y!pvqTLyw`%J>+3mkSPLPIWul$8Z^3?U9;>x78n~W2m3DvJ% zeBrIw7X9~+`^CzQiX~JIM=8-RW(vlw=nlG;SRyQ^M*7*fK+ioGV~U3=d9(21ej1#Vy>MLqC*Rhfeon<6+(-(?*40cKHU#gUG-p5nnkf|uc zldLS9(1jNB8UouTtQYx8Z>rgNty99l&;_^$o@;`Y$uHjV}lNfG0$*PpGd zM3$fQgZb*m49P1V8kUl^6tURZZeV0})?Q;LDH&b9SG#w~vK;j5Yi4Vh(*pW1)dfwy zr%p8S7`j<&z6#hZi0hg_ncCcW|5k#&)|A$Io6d z#UEl~gpSZcJ`Wwy@wQA6YIsk&x5hUtdrM4$RMteydF2<5f%eKdLATQ0v=ZfmtZBVt zOc%7_M-?eyxObF_O3H?WNw=G<3f}j$GB@iN7cc2rA)%dj+>JNZzX@t|ab!NB$%C8> z7O#h=bU5B*MP~Flz79L#{v^^e>_(g$uhY%_J2uphar!wGYxRV*TTQBElGr0pwr^A9 zxZN`GTt|qL6Pb~&lc(SI5I$MYhR9BhxAAT*Cz~JYF1xL)WT&EV#O=*3%ZHBZNXqL=6V2uK znmw^Mw@7r+joV_O9JMv}vkA`hNPI@k%7F;&DSL{-$!Fy}B~tGvc=rS<+Z|5d)%ng7 z?bGHJtP$;0ZI0i0l4Tj|Cgde{NddIxn|k*)5zRj13q7x*!xNngb_G>e#K!AhPu#yPeT@E6Vp`T|C4yxOA7EI8sY2 
zM{al$v@O%zD9A(mIUDg7e3v`2eZ^tg!(DaZQZHK4b45ITuRj#AE^4H|X*uE_BibLtz$bcLU#+|W7}A8APln46rN%jj_dN3TlH9prGcUe$MfNEPL9-0`&h(|ZXo zdd5~V;d_ejMadlPzgyK9hVcvETXZ1kd~W33%seY|brVOc{nz1ryAylt2#;gVo-#CH zIf3noPCm6t@M+gsJ2lqk@kGi%b<>*hE2^DQK9f0JnmLo~IsUSnU#4H^c<7)lP)F)M zl;B&OB4<<`(&6`t%hb@zEMt|=v4rRK!Cvl*R`E-=tJbA1yVKVr$!S- zXW@+%F*O%2Y9S>pEV z>(04L4yg8R^*eeV-aGbqYr_7e8Jdrk0*1&S$S_xabHv})OJ6~lVc3Sn@mk%eE9OFZxLUeR=$ z;|bPdixTp2x4m&aG2WiNPA#V@o|cn0mvG&d771^6e6-|NxYa!gdw&g$h{vIY<38G= zq6dXadtuGYj?dqu-D8erb`)atNgwyxExB}~vKLkuv1{%z0}bcLicYVqaW@ zRLuI#d6y2YD5?K{?7ay*RqNaTZwi?uB-0L|ls!+zGN#BpD;c(#&9=!x=*Ltt(v+irJtFvz7 z(E8(d*;hx(+Z&WEJ4r5LPu5+k&*>Mlqpf&vE}IK_VuR{onf&#pS(Ai^=ZDvy5?Gh? zdhcS>O+s?8G$z-WDsG_^fuO~v(No4@j*oK5!pn0zBeJRqoz03jl$w*&L@!0TMQfcNlR1(81)h;^8_-T1D8#`Fa5mE~?ZmAg z9o^8dw(@*-S6`@2go`Syx@ZsfLfavRr8;SPu1 z3%=HA)xxZ6p4h^-bJ9mu?dl@`G4~?LBW|8eCIy*G7D+V21e)2Sp5eIm7Ma4RSs0bG z>+G107BIaPx}Yrcu`&2SCGL6qjVbvS=8Q(Tm`U@Ia!>wI9L76U;ORlbM~i!y*BV`W zu@`3eed#W>i$_|{Kf|`H=b_53wlkf2;QysqoG$<;p%}A&PhEcJ>oey}jpdidh2idT z3&rTEC&QQzE;&*b=du+capqQ?|21b{HoU~xm~BTxG0T^3J{6mu^&GDin_otcNkrE* zX(S8mUCf-mc=IWNm9R86*QL95XuZrzJIP@Bqdp25j$v{D{n1rYA3zce5UtF4k(Wsevt~$BpSf0d# zlp>P*2eJ0i#v7bfz}t< z*F9e*)861beA0MuN@a2>T7c&m5)gI1w@HH zw5%OqUWHqClw*%U0?G2}w~80FCrV#vlqac*a0iQUTV2Unk@S$|Y~qs&7uk(7!DuujtV;k03G}M20$$Rad z_xf!*ai8s)k|CeL4}0&&xC`AzoWJ&_iEZ(QoAY4@lPyjkO1_YV#y2H(R=T_pe;~oHtO`$v~ug%K~K zREIBKUS#IezX@7;@-%-H!Qw@ak8hUgEvXvsDQ#p3cGqxsfM+=yZQ>T1KE5z{XhRD`|w z4ZC|e@r!Vulg?5N3lpn5QZK~Aip*nE`vR^++hlZ}c`+OoTY7a1|7GQ5wZhdxoAV#v zky@ju5pgRjIm}bGOy`n>mQ7hgXv^B8&fc7e9*uJz#U8?~nz3grBd*1M+itIS*8_8M zVERl(YO3SAcNeP_qfs@sy4eZxM=&e6gak66d#)Ajs%mt0s@ZyY*(*JLgMW9ZbeT_~ z>5Z(|>S39njvNu0#XIHB*BbN$E{Qv<(`C$Dq0J@u*`&wpY2&65$OT%r%&z4eT@ zfq(du&w-cqEh?_2TxBaxFyok_q(xb{ttf^Mm@Da`{9bNE#^<&q9vNt{iV5|9c}Fh( ziv6mie=N0ZMDky?TlF5-CGmJ3kGa8sSeaKwh1=KqWjitwEYAe@ zt;G}emJ&HsH}-cSQ*VBoc)e`-4YU1K307yHwTB%>aK*LDouMTlUXDi}zaLrY>hQ6l z`{KyTp9gJ8H1QHG^m9DQQQWs_@XO7e22u{i@F#m(pfy6;?(D6MT79{#bz|OC#rKE4 
z_N(gK>iagWb`2a~62bnc)$i&Fna4FHNWYeid2hn&?xY`e^K-mU8xwcZY2?YGk zL(w39M4tKNg|lY6UF$+~PjnpBI&`@0_1B6mA6gGJ8O0uVyBOTqYZLKFC;%rSwx;4d zB9p};a(rM6&4J_*$;mof)^rCQnQ_@b-Pt>P>(s#KKbvzz4*T?tY^vg||=4)F< z-R!jfdFy?9Z}ahM-S>qa-%C-wCmp5KwDrTtC*Gr9KSi%F$O*#)yEhn3kDk4de1m`I zVh5(x@?zcZyBm-zKM1*}Y2Df%O3M74qxz(yOXCxp+e@i~-a_aCF(%xu#r>t+NP))b?z;loS%mM&$+C?<@0t|Cb{1ZLfT4VqANm9 z;WdZsyjYqsCl8*!GWCoX_u=84{Ke-?X?euuiSZq~ndFu+S9DY$bq(HTUVkjNvw!7g zWaf4RQT2-6nnxegPKa|y=lc(7)LsvN5c_Irb6!YA(YXkU8n z%G$UQXX^|yclr)T(afDgmYqAohc7>z3g6)L_7R)HNn2Ze*;lCGyIwor(D3d+@!0O?xhI=H zuMF9HRVf$SII;iu2L6UaO#RV_=VqT__b)p#$x7mIC0|U1c7H7G7~CRc@x0M!MTPbS zoM3I~p>6is%)x3#hDV4|{NnMY?SuCc&Xu0V2Y>!TTs-n@=jr$zc=>jH!L|qCBWJ!{ zuw2=ST|XRErY0DBA^u&q&^8lW(fW?5(9-k$2P5MX#MfkdbNfl!2sj$X$r1Qvzo3ey z8m}}8p9ss^>{y#ct>hH2AHOp-IjYgRiomYB$bN9O-Ti@}@}_k+!czObiwL*m=;~iV zbw3h(qgVG)3$yoqOVhFt;V7cqgGry;eg_`KHFXCfTaAn=$N@`k284-qPf9NTe79GH zpidchPb~dxF>)b3*H&G#<{k&z3-81U zddDC1wDR_GD>!>|$ier_gRLXZNAh(c$M+dJgs)m=&I0`!H*|*Zb?t#g}1Bv`g|S5Uw)bBTHmtqV365)xoIh4 zp5NC{hr70Ex0M2-nEQM$P`Jnb&3SFcL_8{mBcdH71eyUKrOOhi|g-6@J9ptG;PUPq1x#%w@~i zHJ8NG^1UYp_F(QU7Bbl+l!NJP@Q;x-kidOY z?@GEqlvk-(4c)rwcEWzE=yur#>zWK5DXW4Cb2sU`fqoZLJw7Lo=3lhmPTV`vDISsT zm{1yty}iN8xU*{{*sk@EfLhPXAiYa=8&)pG?ndr<;U0C{^8QG*r@*J&SfX)G`jRVd z(Wd^ZZ#7tk?h9zSDOe`%RDt+D=;L{9TT70ta&7B-h_>G2z(tJe0x`#t^KGr^ zXk_}5s}t>J7^`>I!gn;0l27gTiw)SHZs)fn@VMg=$){Hv2~{3@-HudTvZSWGO5AAL z$f@k8e9fn?*h}%0BU$TpJ-{NsbH1<+aXG_mtNRsd`-Rqa?a6+}lrFGaQ=4r_~M8q|H&q@UdH=^zK@0ul28qMgk33jk zKjsg6pZo}MIvj?_f8lqNj^ajOpBUfznq+HzJ_xzZD@t|s6d#|TIPqBqJIBajC0w*6U5|3Mp%gX4QiEikh)Y!eeRso8xL$Z}B+zonvn^Hd??t;m*$f>+4%6E%-2 z&-1D2gy+35i&5GCbrgQuM8BJGQWkG6kYarawp?_-zv{^x{qXWbvJz6wg3(0-E6OA( zwKZX%1T3Ske~0#|ru`yG{E9z9mwSpZ8Qno;pHUyU#k}++CZ*Lv63Fdd2UA zl?+rq#J;Qj_L{@+@Sw(_!5W1y!%e66NPiT+uIoTlxh6Tv|1zU=|Iu;xq+{1c$`?3nN`v$)eSq zMXMclHWu2v6h5-IasA5m_v@xvBm1R{XyxZXDuv|aOD{x2B|dry%;LvCVV?WX&}Y4# z3{Rj>a)rX9@&CQ|lR+<-Lqa9$|J2?7yVG28<#Fzw@q#kw1!O;_u=@Fb|1Dx?W?^OH 
zfL>502fd(-nT37kG+4|_kWc||Daw>p*m=F+3YlN;CL8@;`z8INZ94dY2xP<qEKEsyQ)L)I zbQv%tyeXgX5a{bFpFDop9&SA}vGF@fSSK=mt0aEnO-KEXl>E2DsR}ux>h4cIX&BoM zhSeSeMgZjB84NaO(eJv4Jg1o|uA|W>GRLQ6CK@%54sGHouS<;Yy&t~$%cE8C18z@9 z&d!<-GUHcDSE=}ZW^(s|xrq8b*jyp~TMgZjB84NESY!#<$J8N9u$V5Ke zZu&(}y8rtXH|YP1mN)(Wx$aars(4@GruY$&K20|B#qlDXQ!1v51i*j)1_BMx)sW3U zC3D)c&=7Bl&YNa3i+da#Ti$fy_L}A`o#dC_@4G*A*IPI5yE^`YakPyLlrgl`;$Fi)H@Z)L7wlu^DiOh{l z46*+@g*ZK6`}`lj!H)e@@8PEdC#)?eErwb%#18j~MdvGp*cRNn-;p`6w>IW!?5_D; z`=47ek6nYe$7bEU`Y|)*onrNNk81VP_V;Tt+C?TcW94^PQChD^W{^J30y6(1NT25CGTRE$r`bg2Uk2&Z{9I;RLHabC$o$J7eVU)kY%55g zW)qoz8Kh71bD3=g>Cze-nn3zAm&tq9S7$$S=&KFvpEt_`G5bD7L%0qN6xROZ+~`ZNd0yatdy&5LD@5u{IZkj!fU>C?Pe z<`_ZxGzZDN29Q3@i)D@xq)&5@%xeJY)4W(_8$tRso5=jjAbpyj%WNx1pJo%8e;K4t z^K+SP1?kglBJ(eU^l5%Bv#lU~noVT>WspA2&t;Ysq))SeEU*aDrv<>wGK2JK7LWxN zLHe`+m|13!KFtEMz#>SW763EL4AQ4rKo(d8>C*yWem8^k>31FrErIlDAu_+)LHhJN zkA;>%`m_+4-|ZlM`klu@OCWt(h|KSHkUss+W1%IGJ}pG%H#9QT27@L@ zpBTWI(FM|{888?$LHfi1&WtXQKFxr^pb63^25@F{f%Itx3sq}D7FE9ci|H5DxQ}v8jm##|753M+rI_&TY zEgTtH7mke|M-4dNGJOffcxh9lx@PULQev(7#5B{^-sOpdM3r#Oi#t=F_fEyTe+}16 zYnqg*?HP&G&mU6Yy@g^L7I(vL7?RLpD)Ag=3JP&R< zJ)Q_I?>;q2jeRxJvRys-a&Mcl+sAOcdDG35npY!!nfXD$2!Q+xgW*<6qETG% z4J1!@4=N0WBVr&nWFIoc+~3Isy5KVzX?aouO-K}NvadhckK{*%5xC%bo<39(1zJzr zLWkr+b|wAX{0D6}C^ldSI#M(Whavo;I^8(^nn_@zo`D_{GcywtGxUdPx`j!bNr0P& zkB3WukC$(Wpn%Xa#pTOHM3y0CS4t|Xpw-ogXaauS28Ye-bgXsp1QTCVYe#2y4|fft zfKY$e5C@XG%k*6)ZceWKoEFT?f=ts7n8cwyvob?JztpgZor9T;g%#>l7J$sGixxwN zU-WYgW>$6l|4#ZnNaB zU-!np+0uI@YSC|#=Q-san!A*@d*E_;{<*)ot6!VNUQ)i?p6C2>qJGFuQM|UxJlcKT zuin4cViq&mVqWU}Fmp8beSrx+^-(6@(_MdWSHHGmL7lsq8TRmy@sNFu#~(<~{_6dk zEjH5npv}XFL{i@uCp}-+9=ZICs>_gvQbvFI;Y*)_$ z#3_hV5U1dN3ht-ie)?;)`Fkxe?t^h3%w2)4wx<&fEsnO+noh)J;L%6x2;Y z-4xVKXO4`2rw!_+pl%B4rl4*L>ZYJ>3hJhRX9WFi8&Ed|byH9`1$9$UHwAT5P&fT; zX#DF7pl%B4rl4*L>ZYJ>3hJhyZu-~9&)>HIbyH9`1$9$UHwAT5P&Wm2)8EI&zrFZYJ>3hJhyZVKwAe|`L%wFRh~g1RZFn}WJ2sGEYiDX5#y8XW)XBB+~!x+$oe zg1RZFn}WJ2sGI)P(R23tpl%B4rl4*L>ZYJ>3hJhyZaRB({Hx2LZVKwApl%B4rl4*L 
z>ZYJ>`d3HKIqQSEDX5!*x+$oeg1RZFoBlsgH%;1m+U?QMRL_0hjY1jIOw!%Fn=!Zj zUv+JI3>p9ehyt}GPCmGw$} z-g#SdyyaE*c==a*@HZd;2mk_r03fgsfx6M!4soAx!8}yZrKb3?sjZyTOudfNOPapwYC?pyM9UTE%i^35xFxr7>$Ah`}a?z}iU-~~j5HN~6*+@h^rS)_>%;!IKoBg*ZTdB%x%t~} z=U%fP*MbXf?db}gCkly0alto`Jl#F0Fccn%fY^|I$P{ybCl~07&t#i7+Rer3&%(4g*z$$EN#xA&2gl)-sq>R&aGZQCmdrhV< zs7+#NANg->Je_@+-~S~1rF;D+A@BW=$oi5+$jLYZOxU3Ns*NC?PzkmUV0T2TV#lUKBi<-6Si_;cwtNCcAWfXdzZzJi! z4X<`}va;yGU%AcSY_YBK9vN~vUgsxYl>~MRAb>~!asc-P=w=Ea00@7KsUQ+SB!Ecx zg8+yG5D6d>=mdZqfE?(-0P+MN2OtL^2RZ>D2OtM}Fo4kk$N|U!$bn7($N|WK9t>b~ z0CE6w0CJ!c0CE6wpa%mO9e^Bw9Dp3?1b`fX9O%ISMh74VAO|1^IsqUDAP0IdfYAZS z0muQ!fldI(0my+K3}AEsasYAwa-b6casYCm2Ll)#fE<7vfE?%qfE<7v=)nL+2OtL^ z2OtMJ0U!q;2YN7o(E-Q-$N|WKP5{UO$blXVU~~X-0CE6wpc4Rc0CJ!Q0~j5E9Dp2v z9Owjq9Dp3?!2m`FAO|1^AO|`DAO|1^dN6>|0muQ!0my+)0LTHzfgTKCbO3SyasYCm z6994ma-atT7#)BdfE<7v=mdZq{x8Vkjw&=&;^mna^>4Ljj1EJYHIqT_;-{JH;^U^7 zWNdmi@so8IpI;XFYCKw@gc1(^0u25oaiAFcEPCwR;M!29^BDDMrr4qkHTi}l#Jj-{ zwUhFDw52|3{%mj-#Uf4Jp#S#%boKQuQ*C8gZMQcP>BkU<^w<_|+>=sOQyt zh3A*6K{vnx!r}j>4CI2k`_D{42i(PP#6pvh9V%b(Eju(2DBiw-H+(}ko@ae|f&U{p#FiMDG)lAk-(1BSzDXuy5~3E)B@v9zNjU~5r$Bmzb| zFzt9S7hf)#74l2}#|HvNaff_B!`uU*GoZPwL*_E&nh!1p+Tb_1bP|xeMoxj=zfOX- z^y3^1gM2;x$bp_z$YXto$WK_1+w^OOoxR)jetzVcSIp4U589a?3WMJi(v2qFrG!V;A+L@a^`!{ac@C>m!SQXq6$ot&L1juz(T zkarM27pe)3FBOKypl14n`^P?EkT_)`5sAma@My$Or!Z(N9 zgF?@642?o4qcCW~f^M1X&2bA-!LQgN{$saL1U%#d28)E@A#&IsywC^;5(We57!O@# z6c%DQ>pISZ3pc|r3@v_tlhR*~c{C0U`GA719u7ylWRSRFXabUEgM^PGp#Jc6mS6M4 zJ$|NN$bak?5{hgnmax$M4Tm5=aL{-H42eTQj^U9QJPe0ILQw}9|J*aeOwVXHvwubm zg{Kk2K%6i*=$c}2SR4$EB|vIG5eYC10Rj01+30@hX`4H08=EL2Wl?(Oo3!Ty8gZt3 za|WKjd_f6VnlABpA`F9t9K}NSG8hsHJ`53uLqjg(pbI+NJrk`>I(m+}HWtdr+3sNx zGu@kW>;B8`LAO^(2M8h_hDKu`SBMxG1_DYXBCwDNLjy|0(AoXC%dR&unBx_4rdR*` z&QH5)cnkuA`sEcCiBZN7h&bW`Ug?<3=hw`;Kjxp`{qabM3=x5Y{DL%q!xGUjBpw0T za6}vo8l(_N$V8{5r(@!%v)=5F3pvlFoH+zQ5~2%1&(ntrjfQYNA1E8qA-RxUN%U+0 z3sL!%4}_fQ+hQLtS)34&>iE2tSu4Tvq4>6Cr^GyOj~{s`FLK2FsdUCK)}pWwWY*-B3|xDXeoMM`_##cy;NX)(_~G^&&d`o2!HswbA+_RBqNZz|>;us+uk!@joI 
zcHdLwOY1{XEBudH%iB3@Z96AVQWx;|wpi}tYImG}8^v6%{H^Z3t&a=iPFmyFty^u! zdSMt_944&&^@1>Gq0HdHlyhpt$G+#TsWq=Ec$$gyR!U;xy8RBR#6Qyfv72nI`ygPXMmB3LQALO?+0!^%}U7wZ^u9AZV zi#Q(atk}9O+<4JQ<7iChwTYw@e%Cb7%EF?$sS_{ixhhS+a(i8cg+z~fDlh*ioL=C& zG`&D%(en**c2O|JKFI^!RNs9UFm9g0cgY*`8|qhOzOCH+DQtRWycOxFqSBt*PWR7T zXXno5xwTp9QT93Q6d&(4g+01Mwc-}+iZUx7dW)VoplNo1S$GMDQKifqnd#}o{*zUY z(n~8=KN)i_je5AqVRxLZ%k+e$Wm(q8eoM=2vq5W*yUJS^v2GI+S3W|?Nf2%bH`$pl zrUNT656Svm)~Vu=d)Ij)tJ%?VJljk2hS$|S7~Syv;bIHjE%xE(K9`T7rfqmRj%IEu z9~jLZk$!4^*~xY~aYL^iYNxWPN33-)k`L2T6-LV09J=wwg-g59CF$&3QJNR6j5#mY zCCE}T>Jsv+vZ=QeUYy4aoxL3BFHg}pW-sbu7yqsE_L>gYx>p5{WFpOZ8b#llbL zkVqI;$>|*A)}vK%Z8>&(>fWVP9%&fdDE2iXL7O6L6VujpLvZb@$JS;yPM;d3=v_u$ z9Ivu`Z|`Ak%Ngf1%>JYqM^WHducuI`moKm*<+Kiq_|5+03Bh&SSa}xv?7AoEK3^W-8~xXBV-;k> z3B+-2Hjn4^8)maldZwsf@Q@vEKbZGe&ueXCMXC~R&@w)*wH|ru3rC9u4ND@Bcpcxq0r>^F+dlb#GKPm$dn z+sgOx;wZswcfPH6E+1F-2`P)_?f=%xj(2R1dj)x^f%i$z=Ea%WKmMZPrEuoN?#)L| zw90>0$u3;M>GSr8o&!=+9an-$y7$o-!g**%U6)L8 zQ1yPvNEyYRy*5vLFYJ%g>@?tZ2=PQ$V$s?g98>9WbO$y>$KVZ(l-?~~ml zZ%%*fKD71DiOBJU7Yf9WJ5Td4Pau4)Q}%6Y3vst)g-RaKR(?Z~M`x!vEW z=EAc^*y{dHwX^(^_uH+ z{IxX+rs}Yqg&XndwY;QBt;(~U^4JQvOOmXKz0h&lvvCyGVW+fS1r?Wr`K+SB)QeeJ zLaVDw3cbg#q*z#9-G6hxu$lg@0Y?K(*LP|bXsVvI*6BM>Hoq)CFe$HE<1KkVeNU7v z2mS*STElZkmnKOUF(V)tcdl+-=-&i`#Wh@n3uHmdRsI88z65th#!q`ChUuhw3K*1#`>$!#5fet1o%S-7Sn>W+LUesb=`x#0$S8 zoFm&`NU`b>yK3B4pFrNU5hypP_nm4v3cvN}t%xo9 zIQJe5t5k_l(kUt2ZOJWU#3_nBDYn*6#E(7gNKxQqo3MeQ(T-KRmdt&ZcC33#iry5s zzP?(e(Ked!;mFr%uV}FZ$440bOY$4N;VjRimE`0NG5ggnZR%^gl2YNSw1vM?wy6GA zHdYAx`Q}Fyy2(4^>k-|2o3)z-L<*B8x_5>Y@%KT_ZDrmw<5!es(ciB%ft4YGT%WQ;wVs}X4Z2dTu1L>6{SE%+jxrVT7@(3;AU=Lac=gZw(CIhC1prJngjscJELp^S;&#EBQk%oc z(;qGB$|lv^^4xmnLcZ;G`s%7fNbXPTKH1qN*0!!1Cy#^+UN+il?s74Ud+q9Gd)w8G zXUA41Jq$VP$igXI3m265wrMw_l#-U)T2gq;&H7>B*3e`38;ZtziqhFC2TraOJKD~D z=_He@-Gg%#3!!;~%cdYAt`b=!9Z*PE-<$f@pe>bI5d8ifv7Obr!u zT(DjGOq_+1da$FpD*kED*u^XNu5PSM4lmYo?Ke5wcB)M|;LdfqEwE1Bvb&ouVj9*l zE4ZDMx}Gn2@-|mdZS$=Q?~$FVV}^SjzeyMQhFz~PJvn)>wsw5m(|1pVjj)3W*>6kO 
zGd^_m?SDMtT$R@myK#wDC&hT=WoO@+Z4Dk@i%xQl)-(hjyCYLjFP}r9no8e(G{R=P zHfzjzr%_7X(Pho|TRh(l@ztyI@mdGt6xrd&4|0*5h1s3PkMA$PmTFi#X{NeCY!$b2 z$o(VM0S$brnd54-5g>Xg#({QodGljjEzgzRn(feaa^vHuovSU|YoDRi4a9O^c;LDe zhHoavZ9$*@y7j#GvB0qV+uY@Og5B3U;DS6rM`#Pe3kNt!n_RmP>A!)1k)70dWno_489mhP_3vnuZ&FR51fkYAN_ z*8KhTir{NuaHNWm6O0q&}a=8m@f;Fl{`3EsM2x*<(^tYH5HF84#%1JBM!Pgfgn>11zM^Q~Oe zFNe6b#CGv56HHz>SJm#J6q}dduscTz`(wjjHher{s=hNi3l(fPkms%LkJ@glJGx70 zX*l=gxXkU@rX`AKhlG2wS-4=U+K)z+?#D_TZR^-EANTlfCMH`H3!9f+*^RR|)<5U# zen@b$lC@csrN;H!QoT5D|-Q}PSa@F{{C7Y29~V%=qVq^u6glhrpJ z?pP%M04a6INybcdX6)Uu| zTuVH6;dS!K$K7vNQ$j3cK4wOLPam}T?o*ySz5QShPYMQGaDL^vY=?Fw=HdL3`<^XJ zo(-QiXYE#PFybzgEfr6+<~VcZagyPsAaa%Fu$;sB#%A(vu68#5$;99!Jm`?g7pdpL+q<28J~MIcVYWLaV;>*o*_9UehIi>cyR_Rucj1Tn74L8K z!z_IpQWV?0N`UQ#^On#wR<^ZUFJt7-TOR+^Tkuj)t1OA>#FCo3qUA~QJUlSh6;>3D$RLC--h#c0KLb0h8YLeeGyPMDDW5xRMCe6y{t~{zVjob0^#u7&f`Q!O= zx4B%4yAA5iH4WZ29MZa=UiCk-DR?bBd9Vb_sihg3rKIoWt`thMk8_HHi zt&_Iq(pOFIUXtLUtcIP>cWT&$z@K}0eCn;qREA0^VXAc1TgU#_sn_3cXB#dvbQh9s zFuvLz8(Fa8$;XktTaFQ9D-L~pH$C+&zAAruqO;pEVzRRhUN(7CZG6gcdRQ4d)e^5c z(f7F6>_7z4f$A!_zvi>P2Bpr{I9rD8lWDbb{t^r7qeV(Q3UQzPGo!DkslIv5J&9PB zC2~$V6?x|M&`XQ9!H`o1R%(s<1;|aoyFUQusB; zyJEK9SZ0#;B?NJbU>R_Z`x39@cjvuQ%L8_P|MD^NM8>k5q9OOCsllrhZb~2VRuT|& z=GlDni9-2(f2pq1{N2b4F|FIA;j>kiiC8>TuO<7CDdzr8E>IPEX5CiHlNxA3qG*$S{mFi`(j&Cte;(xO zXj}Z}G47Aee^h|opn^3FL4UA|BI5AS1L6NvdZ!zwUo#18)HBdyVrFJyVut=OO}8*< zGYN3>@bPd7@bU635fl(wrnr2Wh{!Ue>`F;R6|}k<5lz6a+u*QyosP9Go?zl@YVGLk z?%}Rs6cFm~8sb25cbUG+#LdZ(!MU56S&(V^0h2hiXBJl4G3Y;w*qK>a**Kuil>*R# zS=ed)|57Ju?~_qHFajX|&R|gB#d*H_Vz`qSx+9P;kcTxh z`tbFU9nu_QV+Iq;q=z#HdcRZ!#i#_N9*dngBfFqh_7?rfjJ#A zkyUpp?921XeaF^(sdw_Nnj%ayAx?k4qxjF&KT92*qh8 zRMz{Hjue-Bvl}P5b(|an?5WgHzW|f4|g2Pxk+A13PplJ|djTjq3dRipiZLI0F91bH!MFiHG3G<>1)%6C7&ibY#(e0#02Cbs;|2i5m=C=d zfTE*d+yI~$^P%?wP;?ZG8vqnzKJ;DyijIPD1At=8hu#Z7(NQpN08oti(0c(WIts=O z0E#gmdM^M)N5QxOKr!Y+?**XfC>S>YD8_u~y#N#)1>*()#h4Gh7l5LpVB7$p81td` z0#I}mj2i$HV?Oj=0E&)+aRY#2%!l3!K+#b!ZU9h>`Otd-C^`zp4FHNUA9^nUMMuH7 z0YEY4L+=Hk=qMOB04T}Rd 
zhmJ$Z1A!6BzDziDCf4DtbGNK0aoLTEhfnpCDab%z1VH|s!O%SF zhTI-66o2sG)VaLI)ZwectOtkcNpA+TO<$H*>F0NjPBYcEbPTw-$y^yYRntO22PPz+ ziEVxB)-8)CiruKFd8+3Ji~z{LGZ=0OovLZQW4NQ*^37pUBMsJki@$cVHw00yX4*?S(@!yJx_T)UxHErpm)di=wG4UFKABey@ zj_Ia(rYXfDU(Y4^1>WcbZZ?X!cMpxEU#s97J&;1;U_JO(!@#gTXCGAygRr$8@GzKR>m9ej04yg6oD*_06eHR1$4deKZUW9n(xhgX=%XqM2EEx0HacZNVI($lKkAEIahJmU$dYFaM5O9g$|E^t))%B3ZosF zc08DiFBi=UIi~;P0|BGBLq4Ek?t#!L(0tY*bD46@M;8fg@Ect^3dmg}r$FytCqY~K zaSnz-zMg*MKu;=k2Kq3}k1GVxg4`zgxzcuq!J=mGcJ4)+HMcApHDhjB1n$2$w=5cu z{ok8gmcnWAb8gw?(A=^!rjDgOm{`Ql!OX%2O)aZLn_89`T4G{e^mA@mW>eNh?1Ca# z7B(c>Jb)6lLP%H!wO;Gj1hW}i8g>?Tl0~eLXEI$D1rAAn^hk-=f3Uj;d;kO>3jRex zh)+$qf2Lo-33q#kW|yRikeK0vX{Lu)nRSf1C!Sw^ptptR!hTb2#q-BaDiujfQ88k= zzyNqG91gNbHvN%oau+nO;lsZ1)`+$50l@UgtZs#;&9Eai7Os)zmKY z!-sb{$;Sv-sLE#b{$;Sv-s zLE#bqDCph!Xy~o`NCM%%`0ji(?WOcT-kpzt-qQ~qnRdKCdv`wM z_k!=v$IPbtH{PB9bEbir@6N~0-tF9rHtXH_*qQInM`8Yp@6N}f2s36Rm~NbY%_Oi< z&p;1)dp#5MetYPz=@uq!CIN09J{~RsK3={hf&xOz6qhd(5m|u`}q6zqQ z8yq&T)3MgY6HI(ftsR}+J=`^n0z&;=LmWu%F4K3JxH&oYa(euHcfR<~cjy0nH$Lq# zHS;147FKrJ%kx)5FVAOUTeOIYg@yI!3M`8-0nDtzre^F*ghZU#)~`SbE=9`xdUt+p z`;Abf{xlOJyc1sYnEz7@wf8e2DR{etk*exp`Lkyq3vGVdbuiOC;K9rMk~f}BtpOOY z0^k7R0qA0$`$H^gw8UvLAjHj8KXIDLKUAH9nmB!G+c=RYo~Oq@M$yqU@#UzEcJ!2g z&^gzEdn)Y461=PmhuNc!J!W0^q$>(C-hGA&dF>&l=8xe?AuIzAQ&xy+CI@M>dP4azKBPAHn=)DWa1b`fX9O%IS@&q6UAO|1^IsqUD zAP0IdfYAZS0muQ!fldI(0my+K3}AEsasYAwa-b6casYCm2Ll)#fE<7vfE?%qfE<7v z=)nL+2OtL^2OtMJ0U!q;2YN7o(E-Q-$N|WKP5{UO$blXVU~~X-0CE6wpc4Rc0CJ!Q z0~j5E9Dp2v9Owjq9Dp3?!2m`FAO|1^AO|`DAO|1^dN6>|0muQ!0my+)0LTHzfgTKC zbO3Sya#&CfDq#eF==FiAFNU7*bsv?il~YaGuwCuQ=g<|cgW5OVMh5~jVDf)EAU=9d z_;-CDh}67jiM6n1)2io=e#K>42*VU+VTE$ z-W2S@^QPcu)BPLsrqHg?A4o`kuCys`Fj&Iu-LCiZBU8EH=0VQXP=68(Zs_Uf%>~zk zK@+5Cktwbu3e28%VhD(x8OenTv&W*)$`}F>3&W$3%2))FK!joO1Z5POfX2Y^XpAxn z3)!I6bx46!7~IL(nc`?-vet;~8stNQ4n(B{xlm1v+$?5{okP!bZq9xEFFS|A(VWB1bd7+cU12P89@l={M9lTf=3GzA zOt1d=uz*KG5k*8m!G%T8t{o1GgCU718b+F5NHl~Ihy67!%<*UDNB|Am|Ma$jBp@Ls zI6TA&LA%+`^#>36$iSbOH-G#;zxhMA0}PRX#}i=~D7LW(JVXTviH}HxP8I_-P*})B 
zSD~JciKEVXv-t-m+{{}){-59aXZQwb5%Gs_2wF@L&}clATM?mnpXuF?pt3MGpK}ps z-uvZ?Y0XIQ5Y;8+k%eGyy4^j`3?U^jQ@Y^odsA_ zX&d(kX^>JHY3Z7w2Bee{q@_W+LmH$(KtV~Rr4$6Dq+3C{yFoxCrKP0#2H$sCcahz1 z_r3PJ_Pee#J9y6A&xw0}=RW^)pLx#S4<{H58?f)xo$rpp(jHb`9$wfPzzK5}{D0*a z^hd3S{_k4P2}>fNoDf)w0pkPni}(BCuV*6{ zCp#=dyVWT0=r*;k%NUACp(NB2LyI(f8*C53O)2kp@;tOLJ#3Ql?Nyn?CymfmcxR-dk5h@ z)l?|tG!23YEtDJP@}Fb-QS4z^=l^;*e?2eRVOPpiY`hc@Zr)SD<%QjE!2q)V#;-rd z_M`H{^znan4i;SBl?&#`X~F|xXFt6UgvB2x4;VI}CHrZ{1M}`z>Ay%cpg&#$c>ecG z0PLa&bBqfD(=gbD5e(sgz%nuDX`09hJH^;xLIUN6+5Y@!{wV*j-28t9_Jd!rd>;&f z-PFO{Idcrcei~+{#y|J$NBxJ5SbFA}xS6E`>{gOZ+)~fMNYu!{+7NatC~ahA;$TX_ z%>#z14TZgfosr&sH0SsgE$dKPx)86)q-5>fqRYAlH=nA!_+mLPTOlxRB|hpF*D*I~ z_WWa~k3DT-=rr{+cUR5CDdtezp2ve zBhfUjdg;uGCipeIc%?V(-5E|+>+14@rH#G>u{<>9(T$Bz|D+J4A=DNb+@oLVv#bL49dNLRx$59cMoLZ$jv9R zOF0{c)XDHthe_M95|8_L4EO&)cP2eNe&9oM4K{wa z_Q)sHLC7M?L~(o9Bfh!$&%t}d*hcwcBoRA?MkWP$*iob7Pf2hY4td$`58L~c_@whU zzpT5Xr!+GtY2NeP4(YI}?2ej44f{b8DZO?*Tpt1pmP_K%g!)Q$?_l9k>NODaMzzbM>GTTJU9gl3=6j_wefqf(QC;Y{-*cX<~}r zSn`Q2S8mxJt&WgO>o4`qC^+6lRAV>8?rrx{TbW>_-%K?^O_ZGBVZ9r&Aqn zzryo$dCy*0#8}3U|QQFNnzoat7=k2>*Zpr4(%Gd7B`Vn0ylBG(C zU@BKGXT3CTBu%XId9!TV3;%M{MA zy$OEbTMcY)pJ01SBQtrwP>G|&x6}sX8Nc2B5W4XNyi{%}v{b&#vsCUNw4|sWyM3r6 zCfB5{qfOBMdODlnNNP`>W2sFyGh1~k36Un8a{cq9*YTG&or&YkC7q})LAS5z2VO_+ zJ#FO2>x-KQm8!XG+Wch=-5dL3e1%r>L=)-q*N(Yo9M!Z>oWI2mekyKM)iCJR@Er`$ z;8QzkK+gH9ZSgwiV{TWc`AYkKRm#e@viB!>QFY`edGC&MD}}164yKbVK`sH-lCGlJm-eYO>;{OW#8E(Ta>2X31Q(jC8TA?ZQNX z7`ee^P4!PlK1wJvg9MU9mt)X;LvTxk9a#4S@bM7iqy&hPv>itaLc-;$9zIkuZE+h# zW1$gw7|4~USBYPUXvT8gn&l+X=ao`GNXcL2g7y} zOyCLKHmMxx{+$m_Ih=6ZSJ=NwM^ywIEL9#cJ+AHLe6-9lpl!zF5W|;)kX*35Su6sF zhgxSf{F2|aluMo$0gXB~b(V%6yx`=H99dGUQl(1tu(zeu%nwz#KkrG!!X@UMstEko zR<_nX_bZgQ!x&N=$&?h#_lUb4Nm@J((dG`YFn%#Q(13(na3P0j*743?li}PScoZ23*kqV z7>XO>K{?AZ=C63+MsFZx4C}wMyMj9rFmgABo=#=9G~QQ?)0s+`&W|6YQGr<$6I|-Y zrQvO+mW0mgvE@wPZg*u{FO~Oba5?WtJ7zxEMJPYys8KiBaTL*rr^1XNMIzTi3e7)F zDO1mbaLA1>Bi+^`rkj9v>k+Dlt+39uzWMDK!Q7^;{5426)L{QzY_|#B)(EPHlQ6mT 
z?ze26uKjJY?X1$9*k)oAhF@k-P_j>~0%AYKzv_>?S%<(~x9#|ZK3A$XW?uV#Ngw&* z4PE3VNxILJE3?C+ZGvPgM&!!ggBqAGR`Q)>uwJl~Cgfb>j3da&xOSPuH|JK3+jHEV z$97;h5ne*8ieh6QJ*pjJJFv8s0ge5$qUXNjnk};!dcKj5{mN-8aHF&+Wn;X@u>ErA zA2YVM*5c}U;m@HSsM(Z{7O7wB-Rij8Czj1O7W3`#6XLO9WV{kWVMwqCPvEWH53BYT zL~glMD@bh+x#75miL8P4tM4`w?{`JDO(YRFOe7IDv1`&4Dt52~IoWmP>7W^QYsMCMclM1v#(-Yn$^Sr=L& zwzCl0Om+k}V!%V?cA2i3tPW?yfS<}O$fTKU8ZvQh8fVOazs^baa9Gc+6)|I&tZ2f( z%|+ymjo6uF1)t;}DZVsWV0joWvJpwlx#{|l5H*J*+lW8^VV7z?v zNh@$A6)r=pm?^`0HDLLXb4HD0%-x}JxKZ@UnUAjuC2r#*CZe>XJ_`vWWu7nGm+GG(o)O!EPt>U2qE9I+g8&+viaqDt~ANeFri09pSS0X}@ z3lh{^-)IqIJyCYaaCP>lX*DK@YYY!P_g)Jp9WEDq1~;p?oE+=!8SFdE)8}uyL;97r zIM62Eu*LiGK)U3p)WEV%aC;*UNjYJD8R7NI?OIM9X1kKaar7o1R_N*{j+#%FQ9^m( zt#|8VW}9C;SWenRJDg6)*WO$~o(T91m4STy!cmPs#N8<+c6GA4Z7SNz(?Tw|z^y&~ z)^nb&92~HQQWEnX&s)s8#k93>b7Gac7*4`)B!gZXY2pw`dxPGOF`Up-AU!dhLbM&B zlA8v-wJ}9tT9y#WK!e`TVVwOUz0OxcGMoB9-`}5zzFlAS==F7@lJ`PdG3oY1TA9Q) z6`K0E=9d<%^2NE5vm^Dk^#fy9yHp)3)`xt7DP7l|eYHZ+kgs_>P|AeMwaSKedq$fF z4NJ3K&psj0%_Dp){sEzcKaSE3!pyL`S7^M~{xgC0Tg`v>i#S}|p!e|9Kb9a#^zZ)h z(6V4kQVU!U-U=%+F>+N&qf<x#mqGOxO-blqiO4Q&byH|_3O%*GdN9q ztgMVFLmhsjb}cg~%7KB8718N3_}T7OUVeVWJ(7Az)Lkba-bA27vFxaQefh?0hbzwT zf!y%>7hkSeq_t6&fAgLBT029AYS3Rn$z(>F`gMa8J~5$Mk~p`pa(Xa&!&wdqJb^dO zx257b18OB(?QC=*HcjNIbm49Fi82|c>963Hu}EDSN5oKN$<{{cN7WuyE3i;5nq;U8JMzo6ARJr_^krfRL;*_LQ^OXzTYTxil$vHTfJ4Z(?- zueRU`@3xDD_tv$8M!rdGx+hca$r%z<&;4#yS4^Q!9k#03qz9N3DN1O#a;^oq#ITTc zLG6ir=Q${2^m0fB8x>gQsWHv{m52ncFI~NMx0f-lM5#i<=<;f>r#J1w!@_VCnS)QV zc71LpxclF{QM)u_M3FgANe+pEUO{?go$JY?9y)g24AOI_pN3DW`7n}yrOM8EGq#@4 zN*0eFB4V3|$vI~+&t86orH18@hW$%dM;jSd0bYp=qW}EVx}#I&)bi?Jh2H&Z18)l} zHThmIUcJ^!Q*UF#K~>%&4UR|7_Y4ts>gKa~p5{m&QemIj0Y@fgzu6x}P|1^t^Tlws ztjFmy^?QEombQ8mq6f%6Qhv|tKay8CU+QB`bY=#)wK_>Wm`=rjOUszlCfs}WFeSOh4vR`fgWO{owa`~2 zK6pBKt)8T>W>^7syzRL=-@JG{U?n_i9l5dko^dRoz2oLG-A!ps<$e;(=$&*-rp~v9 zW@%nQ$l>;bp7AlhJu~(c1xKN+*Btr|sOjIBD(2k`nlh6O;eROU%%)2uEBvYS<s5a?w1xp?%ArHQ-EONoC{nIh`VSaPdEYGJ(?|N`{rjV&lm)!`;6iCks&GdimQ2@WRPxG*(t;X-O 
zHk8%aO3wGTf2F9Eb|*PbEKv+3N~rr<&XW!_rGVkvq-1f=pZDCPtw$IbR_L3_RVZ6D zY#@F(_fYa`nD*5Uw8;X8{)LdEqZUk4w2G)W!7Btgo-ynEz0G@==#N6*_QSHY^d^HqBP!_{@DPG=Nb zUDN!XZQIF)M|xc3NhHdBc`rh{f-{?5dt|~dS$*VbM>0}=(YD0iafmS8rU&11ETai! z%c6d)MEXWEO28Ud^w@ZDz%kby!8mDzj<0+Bo1MiwXP*jv2gWsu+Q^)}$3)-wT-z(B zcbBF3G15NedZsV6prnz6Qw~PH33^GwSL^zXnxXV~-R5L^Mp1OTOe8M+8Jm%0UJ~Nv z+tDYP>?ryyUabM}7Ps}0=OrgBHfo;iSr`;V&LDk~3DmHEJGGx2nb6YDU)o#alq0q+ zSpW*js>>T4w&lXeT8Sx=bJRVugxBIO|Kw!-+<4;k)Y@RI)}~y(sX(NhYJAtVqAP_# z9`9&X#vB)DMMJ=*i!nViA?p2fyq0~Nl$?&8@6ehA6L%Etr zV)b42z#w+PURI@|gnEsHGM2KW3G|%U0<5QWi{!L@f@E^fR%w*e#2ZNJ676jAiHF3y z=H+lmOUCHzw-e_YktogS$vXTJ`ybd_Y;`miB^kXVPT$PDi&|LA*Q{G`sU--fkFTq^ zjWTF-JT)%=XbV08X|rSCdDC8A#nnEg#Dz!r)@>2di<2W8jOa=IL}s;UV#REwCY5^o zA_fejFO}^t=it@c$ZEH$+oO+yov}&tvOel$$%C0H(<=r5PKD|UFEqhinB!J~FrvsWK9%R?QVsy$JaO(#VaUtIRtiNm*vlJbq_z%$n9 zjyd|E+H$kfp-fFBm0b|Ys_tM_TD&{zk?}4XZmG70-Z1seoDL1Ihe0FdY&PNzd5<3< zB&C#5Jz!Jvs=0y6FH=Kjg53CyH9GZ@MD*Y%CK)$v3RG;rjkm3 z$DmZqh!2J#ZwlX_6j_c+0Oky(caL+fGmg?)F%!ADJ=zf88c906NZGq`qorb7j&G7p z`gFI#iM?2lnOzMWJY+k2MhTOuOOc1Iu2fhJ%SJyK!A&-W7W8P}!LBfRo$4mDG0P#! z8W3nRlgckXLmBd%ZiYp?lvdkWkFHIc2V%xr9;;_uBt`L{BU)h+8rJ7Xk?TiV_2zmB zvhG+dFGs^&56r&Z!_^=cMMe3|=$kYiL-MZpiZg+b(p=g0MplJ6f&CozEo$r7OJ+VV z45+##kk))YbGW@pXcMhQB%gz6Lyx;D=%)!^* zxHZkpL+{Z&di>?}5}E!x$|r{m*ZP{~sJOpU%iK2@ZqHdCPC&J}iE=7?K{ zJR!ZFt|oM&&A0D7H?7hdv7F#9N;7*uZJV$w?lQFNs7S)zc}>Mk; zAKKzBjJEdLn;Od)^$*lxoTIw^X$yOHE|K!bPO2Guz_iYv7v z-g_ixQNCR`m_yY1AkNCPbW~SXj3ge}R>E4~*i`wtNX>}G!}mJf9Wvz;Z2IZKLJlul zn;n-^_&#)5r!5+VW@^vpjfbZP^)zbeFgavF)%Bk5sC5#~txr)8m?R^98tQV!)ygYU zkb-z4F|B8C*tCBJp}oY=ezRbPwNo~+!k;VBs&`qo(uI7id^sh4y-MV5+fx+o#+&R} zD=iMM_(G1GE2kF}9`zG7@#Vdiirm9f_xU<#yQREk+~dSot@S{P{8Notc6HwHG~U+! 
zg7VhwiCJYik3_pnfmhlJp{mdvr^gwA#qRFCH>8taiPYGEH_o-b(@D7%)wgQ782m2O|9x78()Q5ESajb+{YU9z z&A|LWGsJU`7&*M`%_ahAZ3mb+(;{ zi>WJ0Y*i;KM(sB%28@&m0xOla@$#8Q-hwJ;TGNCB=4BLu=4V=;K7JyjXp>rt_^RTH z6GlQ-D29@O&=9`Yi2pSTzTSC8Mn3DA9!{ehc;e_~R73fsMq(Uhx%saT0#}>Sb9ubl z<6IOq5vKf9bFF5r;8h3xjzEDA6<7idO@^^>v&;0A*ZnOODc-!mKk^oN0+JiO-s}$+ z%i38CZ9_a!m3UE)$&CZfJ;rK#HA8s%c;bKirha))k>^}Ty_%f9Iqd03*z*v-JVz;c zU(W>A$E9j!2 z?fs=Y?PU1m6A1f`xTH7;4h{r@gZ&3O83T!cu+cALUPi;l#K63QgMF2do|q6HpAbS# zLrQ;xLx7(b)(L)7;-2hHQB^T0kNkZFRULg3QxicMTNfKc=X*vb1}7gt=qN}cC_Zp- zIG~ey5D9F{m*7wLarQz)g1ZEdfDCKAjt$!}JOZp4_WDmd+!b5}1Vjk?B|LrjTR45W{-fq|KT}9^JyTA)Zpn-1p14gpYkPcR-(O8ol$DuW`dL4J6&!CM)C%Sr# z1rLh}V)m!vcznPFkoad};<833@t#?lP>8lyL|tff=x#UV*yh(0kP&rS-@vg~eeTrD zOzL9+Pd@9z#mPbU#KM{FB)aT90h5*`K{@pe*RF8D2mtwa27_8c;q3fT$q8tKN8H?@ z=mb>#mEgeH>-nbC<+_3N&>cO2QcuV%=()XDSC`pSFM0xMcwl=--E?#UdODZebQpVkZ(|_Fjq_b? zTXECTqe|=br+Sb*=i9qqL~(Bc?|%US5gj&^6A;d57fPD){l2D1MNRVk2<=|Li1VT{5NOdi;T%S*uaJN-D@XHxBa?i z>ryEG=BCe9!{Fb&ZQjQ=3E1ySLcviWB~N)A~NUgfL@(va-jv#s|(SbYXJ1>9FmI+fL>ih z=DZ!ytMg1Qv;cZ_A)0dyfL@(La*+YhtBc5-w*z{0p2>w4K(8)DbFKlUJu&vo)x>+5FGfy4{VDEy zrtJbZyx2BQ3kpuoG#zO;5Wfis-H$#jwmr66c|gQEP4m&PGAP>i`6|0sqf}W7U;;?| zLow0UrAj_ezhaz8OLv^b7rl1%_yjaytvY|){!Z{-F{zgj+s54+Iuo&>`?0-C838At z4Dv3!6A*P_df~o6QqS^nsL7U_P|C;=S=Yjj*KNQE0Qq+Y1J}mK6VSX#s6v@nzR)&S zR{sDj()(3c=8xODm@n6#fI=q7(|5O=&5ecLPTXh-U9uQygBCvDvD5C98fkIkWiz2! 
zo_QZ14VVBD|3pk!+!$$#PRumf-#kt#>e{YrYdbQB7h2-txEI+1y#E~p+VCL9c^9SU zf5i@eGV-&rB)EPZC0)tI1~wYR`LQI#VM9EivE4PYw|2BMFtVrM=Vz0*vo=sPa-h&; zlNS}IU{f-3cA#MUKIVk*f2ShvTn@$^rg{_?_G})m%6g)f>?3`TOu%Rn>A+XKewzGD$IbG*J4uAg$8~Os~ z#_50*HhOkORtB)4EJR?IABVP(q;RlvG&KYly<2M7@f84dw9_y^&jJOg>4Ja7h+wQcnqOrUXs}&<YAUe`s#o(*0L9@Y7|*jR98y zsz9s)rxhSpfUW{pE8xQVJqH5Pm7iuyf5ix7RzSWA+ywwPEWm9baK{S#4gmaQ0sIgI z{AP9f^CFO1|CKEIr^^DVHIP~ZsWp&V1F1ETS_7#ykXi$&HIP~ZsWtFC0B~;wJP`8J z8^*t21Rk>io(KY-vjU!810J*k9$y5Wv;>}C1s=5p9$*HZwFdgFfQRjYj?2Gr8~O7^ zfsRX{;}Yn&1UfE(j!U5966m-DIxc~ZOQ7Qt=(q$rE`g5A|1UZ&k@SVqk2T_@O)Ze} zfcL+G07`ouguJ!!1SGT<#TGg^y|d*7-6yQ>Yzn%^(5t5#^i>PzIB>4A#(l_{?Zq16 zrq-t_i+2Pa4}A9CuIq43paV?+4InoDnbTooXl}IiBPKH|LobbX?4Ys9QT5NOnw?hi z`c37n^ChzWUsW}O!ispER_yvu5wHJNHRAw7C?F6{SXna;4p^BnDCa*|){KK4w)fMr zX0Xa%6yJ9Y+uxs-HG^JU){OV}aQ{YGv(p3g+p=c7r%wLKG5cLvGp--YnnAh$xw2;L z5D1j_*J5%1a9J~Y6x08fH6!^?Su#79EFxk5<=xutNGUHI3!X1hc*K|RMWkNV%W7E>P8s=a64E`DN?lPx81 zUtfL6;!2mMT9oT(ec|9BO=3wt&PBH>?sIs|s+#;U{%m9-H}B}%lAFS7N`x1naW zp`3umB-RgGmFcAj+YlQPL-Lrn93PsbWTOj^>Z&g+UFy26hVOdgLt)P#BG3px03zXE zeL5%|Xd5v)&<4@?LbqP~Mb7yNEpM{ZEU6ss@W0c(ewG>h-5KoEZ(rx88Mf_cmy$TB zw2Q5~4B8q#-~79q`(-^iG#xK8EA}K+Dywq9U4SkS3?LA2s-3C>pbXzN5(ow$7`_L> z=|4a)0KotR!x;e}7|u`t$^Zld5DaGofM7U70Vo3y3_viP5debW3n1b|>TLjfoQ5DY*toDl$m;S2?!3_vgd!EiAFq{zpg5eAWpbS7T0KsrZ z00@RN6o4`S!2krq837;|&QJi#00aXN3}*y@U^qkZ&nrXOX3CKltdxRKr;?vnDBIo% zsBYnG_kVi^SLam*iWiyn<_YMr>Y~ii35d$7ng#U)RKrhoz=rdg%>}?#=LeCUWKr|8!Gh5G# zdcBIY*N;8aL{31aX;Z4E(P)*TWy+&8wQqY^@tmI6WEDw0(n`L^xN-$(1RwyB@b5ew z0!~1J*26w0E#G(z|~;cUsGollOFczo}~a z*NdfoKR~}Lmdf$_&EB%IvUWgYQ*_jKaIrC>V3RhpvOr@Kr{F|m6SlT9G_s@6JT0&a zhOxVAWZ*!d$;r;c%FYRaePJ#LH!GBji<=!*sg?_71H)?4a zC~>pH!k3eS6%1i#hfuJyLt)-=orW|Q7b}z-!p?i<-uL4wD=u;l8pn@*omMdZO&I^> zc>BSx)7bj2U)-#mFu!->@5$*LzoMm{OWI`XSzWE4h*378rTiYw2Q@CHJP`!QW4ViJ(lqIPbpm`k%V&s-U;m2N<1@r3EsxKV_{)q%^lu@ zApeP_^hE<=aw@fJobsy&!N*^+ zR(97nzhSXeU79alJ2{wYP{qCG1tKrO<_0GkWj*scAg!L~5;~ryoAtWhx<*DbOU)$o zxI>KuuQzf-z;O2VvG=HDXEqKauYjZ2h-351Hw^K8rL#FlNsG%8a$7-*WQx) 
zNI_$u$L}aoWddR?tL|Ib{cdAo`jtnn4`x#glS>U6)8ZP|o6GW|qelhqEkTD98t@t} z20UNy;^RQ~CWSnTgX_mDpJ_$y?Q~XlAbzB$4Ta%SJ)UW;zNN}4Xpt>UYWcb&OBcjU zl3J{B3oNfc*B>(JxPr2YABNrEb2vtJGiF<^>ZIkH(B5(G(!qTue}XEDX~%8#TUJ5N zRvXjOxAoDVr=yk}lCK|4zDJHDF4<2?XnJf1UU0&Huj<4xkuowd%hp-Q5X~lwXu^Gb zhmug5Q|<%j?T}`g7u1#Sr^sEYNU!wVogwh$ct&>z`TpiCIUy-uH=zQ?ydH*6(CHsT0iv-unaZR&G-^)cKF4VZnIhG4*%S< z_~-AwmTwa7Ibq*;y} zRlz>kBwzJdcFf)7UWAvsMP!n;6#}~NhS+3q!Ak{CBFVjwyL&ZKv&gxZ8&&pdnDXAP z@H#(=a-Bu)sy2@#KZHEr;LY+p>CHHHR!3nkrKiz8h^lD0x9>!u+~xn-#4&&rQ~U5h zPRR49t?R^jvu$U@gzb2JD_6(T_26)`i7kch8IWdQX6ZUL=y~MQZ+|iM)lU1S=KZBKRf`4h zBk{O?y92~HCI3bI5G3@4oBKPlgePO@SI1N9?;Cy@_PE~oiV9paCS#p@QsFV!vN1sE zdo(0yi!GW-jf)l4GNiYX#L@P;xM!QsOEy?6tM=Iv=e>$i`#D$g z6qy$yuhe-GO*-(ITBOUZ4B5gDHw$mq*kI$=d+b}{l`;^y-z|{Aken+Z8h!oYz5NR; zzifG|)RF>9eyu}ptm|Yalgi`ejUg6uwHYgM1d;C}Inc$A0L>s%tP*5)R}uN6o+xA95ZaFC$*7RW>0gyRo

F?+vMEZJ!Q?9Q?6YtzrtBP20hZ9q+L5gIUP2K8_Ne#8jr7J>usAxj=Li#_4p< zWBFMcy&78h=C!ZY4X>U{GY~y@;2GmvBQl(Ik|^?GOnK(NEY|QiJ`aQ1QjCAH$y`y$ zYUXyujYoqD*;y@GW|g3>NJY*Y8@wKgEu3wyu0Ojn;YL)c;#JA7jpkxRBuf#fXFSQ) z{UItBJ}DXXT2Lo~Rv0a+-N}6`>ckJ9Qv0+zT#2U|!xB~*HeCkl<7&4b71D`_O6A89 zif-a14PAByQe0Hc(A@@gH1K$;#OwHs<{6^3P&AHoCSmCX3rPh8?c2{KC;FwWq@AQ> zXT}o4l&%LN`8#az-g-9`FPb^ZYwK8*z}Nle(#Gc}h9M-?A!s`xO3X;~W<3*D@^4x& zQX|`^1`vA7#zgLR6Z?nNmw65NSEEU3Kgti)`dpE4XD4yf)*n|dcD%pnL#Ej)x<2uf z^5?dRZ#A`N^cfhhP9w!B$dW9DAii58V^&p?Bim%08!>pWKfJivG@m_UKlqW?Vl|%2 ztMi4BNk>v4ey2M6e0GEV;AdWouMu47a_VD4TV2_+;Sdk@G!ynTynW5I;O>)0J;(rlxcv1C55Y;M$}mV)`L zt*RLBNzQwSdEKnOo{gIaR$SE!NnI%F$tMZMWCQg#_Q~dXG1ALMHR;3(LN7mJ*-+vY zXp`>Qq#V8BDoa_H$^gY*;aS?jVBmF|-T+tE?D&MvvOGl#5%%=#Ac4Q-=`j@?^s|%Ojb6ti4<}eu*=@rE%U`EyCGRdyn)^zoW4)e&jZB z$1LvRgq^MS1A1R~hE`h>#G@@YccEGJ6Y17AnogHHhh(#xBM4)qt(Lu>5V08P{jfvB z-fwy|_1f!QikneBSqgKsMy^cr2IZH$uNumEEFYH1O1ij6GGTQ(p{v?G?#Hzh?4~2x zj^(ChamNW#u6sUEAiG{L?ZNqMK?%y$Rg%7WV;~#tND0n?-lL82{=P?{XxROOe4~)) zgq`Cx=)-{CBvr}woNdgq%-5||G8nJEMO^!onMNgrSsWT#dBv0PjlKDElo(9}FXg3M zU3@_<>gs5-?~|+7%bw@#ZLRgW=4lXyM+)Ou+{PepvFKr%m#8d35ijnH$03RQdT?)g zm7SDRIU92S>40gCY3#SXA{@k!uK1CMONH;^yHkn$o2`r%#6xiZcsYr5)=SnQ0gKG`%rmZO56gH`2?wdfy>=7?*u2ZG5q)l;(x$~8Hj*@#x zrETKdoF^TxvLaPUaZcLsIE(a0{g8%)229+;4fASajtoa%1GAiXAzCHn8&aSON5tKE6nq4wYUR%d5Jhq(#`GNcziXvfDb!snDqphQNHM{Su?#9O4U*? 
z{Y?Vj8JVnwcnklRk+(lxmF>_iPG0b^tWU-xwtj@J zpCHIyvkx;V11(h~+B8afF|Pm#%_*aqk`Ry7$(O6uVBa!(j_|)HL<(3>)fct67t#f;Xu!r!ZXWIVg3$ z=)yLW3}#YteQct7@C7kZjBeesDF{J1b@_PKuqz~X#>h6NL)Ny5tE?{F)9s_4hCiQa z5&H}=9D6WxNm-rf8u9S0M5&vWxJ^ZnXZq$z5|EBP?r?pL?h<&iG;st}em+SM7V(02 zdX)mkdu}ByVJG#3bavH*Y|LcWlxtSoV~jD2lVYBDF0bR!^>H7e=rWuJ0LunAr|q@8 zKb%VpHx-tm+sxF}o}OZGTM^7KY;sq6>6yP7Katrp{|teRmpjTi3=KK1ljLZ9^cX1A zSF}*=nWRw*ncLCf-=^S3Y1bV=SR!W$du* z^WBFPO`#i)!9%@aV9TCVn}_Xj>k*uwDS7>uwcAf6`~vZNP`9wz-)bjCQr1u|NfV?x zEx=WEX=2Btl^|kOt@`C5W7+U8;PZb7`2^>5iA?wQI*3oYE`~deMVj=3?;5oE2IAO5 z1ZoQTA|b=6V*RX4|S*^LmIyp(I| zBM|DLQcKp$PMc{3v)>eO^J}l@N|b^`oDc{L;6H?sz&-wmpxYb_5^;}1EzzJ7iY0~= z!xL`Q^_%KcUP}{~UP%*|xTHnDwIEDd5P{@35ct;53pdS=oM!M*x}>pRX#N#63OBF=ScvQZn6nA}m}S+&{nUx)^0?ASkj z4FpfJqf0VpHTlhl9(^&e=p;`nH11NjpU*xLZ}Jeav~}47$xJ{iLU8UsA*)kMHqjub zu7yoTWBecIi-zhk_i)^Q?*F(-v@3!V3#0IgfZ_o^XAzC-WsfISRg_?cAR5<^)DPw0 zsD({z1k1TZTX$RW#$elHJCzcxAQX}RY<={)xF2k@o~N4)!udXFzI~J} z+SN}fzN?Wu-*rD|{r;0GZVJoht~**F z`!7F7EoV~QGs>jWGpZ6!yJn0y#2AKFt8Bw1D1l0Fk1aE7oqSgKPCWDLdY*cJ!pC<_ zFBii83>Y|N2NkGt!8ggtKO0ig?Av1E95D;lw+P?CMQ6y@k$5uxeWif6qVDw4Pj<2C z&>8e&sBYHV(xf)aAfQm{;ZPJXntqo{d~z!t3CaY5yC0rz!rxj}>EfFvAL8j{%?u+V zP;R~)$Y|IohL;x1qYs;~PbZ`GHTobZ9{3>iRrnx;pUzkM)XQFJp}kd|eRmSuM!(Sr zZzR?GDhG2`KP3t$r0`KBBmP5L<9lk)?B1H{H$I9?hHBxCC8PFLJVhXa8pcVJ6w0LS zjL;JCoz54?(C(Pl7Lm!sa3`ZGx^Yq}s;cbT`_eXvm=RC6K3%?}F;-S^H#T~QPhC9& zcK!SG*isR8`HLYb=*avo{G^P7`(8Al54imrSG5{Ja$uj zyI++#zp*kUn85eeW6}Yd{Jx_3iE8ELqTY&%#JNO{E8|YWb>HqiAjtN_JwT;PuH^S> z9Vnlk(_!HE7+@VQt4nQ6qu*+?Lhj)l7D01 z;}`Ia4R~(p;m3}S2y44^Op^>ZdtZ1vED~{33kmz*DgzGkFtDO@mL(|LcGH()KtFO`mJL_oUY4OPeb^tsUI(cFHB;_>l(uB_Ee`yI|#LP&G^NS4TEs*q|5i`&3?z{~BYcDBgNc*Q>Gq_&CPL zjmRKzln*x~#;K5%zDe3WR!%FN@0h|l)>?4DqP(bVSkq2j{<&y>EA$2mdY^iQ@aO#~ zP1$;ovW^r9m=fXz3gxc9cgR_geKGlx0(LC|Ne$7x!SPdbOx+cebng zaD5!=AE0y6<>gWNemB&*>SU_P+H-FzoxGGl=VY3#db!?fZzrzW^Pmv7YBETrlT5kX z$+fd-Lb2fsp|>)Q&o;dkzQhpWn}s0sk_qpywkr;_hT7Y~^43 zMDW0V+pb|C)1IHq*(it`R3+G*Gj8ZRl7k!sJI>va`_hwuhTx4%wXxJ5p6n^vXi!?~9wsMqX*5N8v 
ziKvDtPUDBv;ZSClH=hjhyrJ~wTp?T`A9HRw$Cmk+-h1<@M0`+r5_Zcr#U83Q*C^$t zsnIoVYr&97gU?p3LGt--p%fzPNTkdo?0K1T!ujP^rJd2MX-Mvq? zHau!{b|{gXuP&88Y3(HO;FO7NfKNfZ$6MJW&SNGwf5K@fs-4fxd@8*Aw%C6P4$IUS}&u8T+@`^PbPZOEwsE@lLnq{*T zsx{GOgDyo-?ECss)WFFlX1o&0^Bs0v;J-c$A(RJ=O~S~`#MA-S4Fu)*2Zteq!aD7K z?Z)_rhap@+@%dpG!b|W!jzS1RM1qYqh=2?mhL9FE3?bYlBv|w5>-)oPa1aFqM4YR5 z?3Zx$;cro1q0;+x48px#Vvbk9>pOuI(B*pWuj>OtO29=r$q12Fh^#DT?Z)CuV8>`@-E7|w7I^zZ~khSgUmX%|K0@72_#?l%Yz z3*n5=uZA_c$@)U|xwGEE^eYQup~B3rI0oH;WPWN}R86n&1yJ$o}=6 zyYDWG%I)SFtWR#{?t0hnnz4U%QGTqqRCoITolJcyyLK%4Sm8CT7h5Z*?!nw{j%uaogyVV+%|A+&3bVH zQs#ePChjtj0^ZTHK<8Ff)7&`Di#>d^(EN9|{mXjrayO{+-y11+cx5K?6{YYm_Qbe> ziyy@?WwY#gsYxFzIT-%3=--{fr6=GFPrx2ysveLd9aTtlH2w8pRDVAh?0_8aY0yW?Mo{Y7GhU{=1w0Wj)T#WImEX<$FW>8Pk<_I68BP{0q_5)C($V zC!@Fhx@K>S-~46KzdI#%=^+hXVti|Hr1W(>m1tfisBYv@HuH#kpal2E+X?g zJCIHN4#zzx#%O1OH?>Nhwp{s3fC7qj_o3y@9ymdC}PfNbhwHos{B zvZ>$T_@fU%HuXnzerN--sUKkc;Vh6%{UM$o8i8!;2N-`e3uIG&MCZpgAe;J;#vjcC z+0-A=`JoNSrhb6&$Fo2-^~Ze9T7hip48@?+ZQ-93o*H$2# z`jy2W&jH!gAM^P??7ay*RBa#sKh_w8L@F^_Wg9bN#!mJnWi5m>7>s3xF@!9Yq-?Du zEsAW(u4GGPsVs>sp_GIqdt{6MneJ|N-_LX3&;0B6{Qmdr`Cp_t=ep*c^F8nL`F^kO zoHN&TE!Toy`(@kMJFkc zP0=GTgAn{+)gj*k^Io)10%O%)F zXf)HP#;4o%Sgco@J5Ro{uYg;(r|-r?H>UX|*we%hmB(tTv_dktIcsDy(>AS95G;ON z{ZvPqg7Q8Sc{$4Fo&5kP1VH|oVz@m~Z$B!$O@xnc@mk)C#JTn_JKhFPUGyuv*+Lzg zX!^Ji5;D73z66WI*^7^^je1qINlsyH@#BW4IwT6l`^=@wQ7_*)4S+%bqJcX!N zb)O#9SMNu5@h!pZ+QUChw%HJl#K$!aB>R1FQp+kz?O%BL`qHII?_d(Sp<%YTLQbw9 z6afQ7!IqVL1jC4e7@z+vvCj(<197YZSRAltjbm6eg^{+oK_0i zto!vv20?L#Y``F#y`fW}*{nr|o524aT{N`8ALuTlfXv;6_jdb!6126i=V0jLK_rpA ziB!m9T?h&73jKzJKysw*3@bwe_=ny8>qYx|G2loGq9b&kXcPwh!?bK@)PHeWHW?g7 z;XBp;^0aKlZ06slWm^YhfYGL1`{5=91M3PFW=3dMHgVdlY)ninP%R?^%hz`>FbkM6 zv0@of7%$2Z7T#5SqFd1FCf{dfOAFaHn~?ZCJz7e2XtTTc#ZwDCIR4$9mU|Q);LQhE z!ptrUfK@;Ph~a<17r3{5^7YuoFSoa_-jMoecF$b$mw?o5OR$~$AG}+Ft-I{|Ls0p- zMTUl#yh||Gw%ItToc^KdLU&=K@r*}~hktHw-?w7Acvn7)e9^vhkyPQP^UYel@AW^q zq;M%T0@w<;0u2BS01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q 
z01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q z01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q01W^Q{H}qI9;ZGGF2SS= z7H##GU`YePCcWD$#KzAqB-iYmIJFj8tLz9?0SzFA{|R64TY_bj4Z5b^mMsZzUYOFI zaW1)HH=NPhx&-S8e7NH$$F};u8PC5T5mWX*53cxsYeY;8H2mYY!7{&(h>3wlgha{W zXd_}`ps_Sj^78-15iv2e5iGxsh>1oaXh)_U?>~-+iTUdhF|mK9`x7H#(yq{-M#RMZ zdAI*@L`>|DBVx+R{1->W#GvJ6{;!RQS4xQ&r#%fCJD2@QZ&FA0kkT0wj^y z>hV+JVrru+8a_Pn=dUpSF{lAtB$`ub|x@w%$RKfBxCw_{vg zFz0ux*6B8{ZGC>y`rG72vr59-9luxq>?;G@>WlJT0%qTd?0zc~uFj%?jGp{)#Lw<- zdAl&l#j6tNi&Y~PY^IHaZwt03v}hkh*PbA?R;U#1lX#N0F1qcF26(9&8RiOC; zNEILmAXT7A0i+5L1du8~5J0Lx^9PVBKoCHx06_q$0?i*lssKR%sRB(3AXR`MfK&m3 z08#~-KY&yLf&fwl2m(kIX#N0F1qcF26=+fbsR9H6qzVuOkSfsp0i+5L1du8~5J0Lx z^9PVBKoCHxK$8MU6(9&8Re&IXRDtFXAXR`MfK&m308#~-KY&yLf&fwlniN2)06_q$ z0t5l13N(KJsR9H6qzVuOkSfsp0i+5L1duAwqySO{2m(kIAP68;p!owx6(9&8Re&IX zRDtFXAXR`MfK-7d1&}I05J0K`K>(=&%^&`hDrC&Q@2Q*_TY^;#`o9Z5_k?@fSz)8i z%2)OLl}}Iji@uxCd;*FAlmBf&#L6zpdo3#4jm{CwpaH2CmS8pY3o=zvuG;07v1`al#}cev_A7aCSW>$0>V))g@S#Ua+Q%R{Wo${=V*rXBA;4zZ5= z>mkBp{H6M3NgEse_P(BQ?krM*;<5 zO&dF224ZJQaG)Zr^P`_*sN**OGtALZk zB4n}h(rDVT|6q@TG?r%LU)v-9qdhd0{Td&6EM$(noSXte7KMZC!C`R-lstyUM-Cy2 zR)CN}Ma$;=@#>-eg_gpP*3o7;_&;Wy40O$~a?mwH$>3-vV=$0?C@h5QNBi*h_7ppF zGqXP%rT`7r|6Nx9G8@GIYgwUivXH{%P|)NF3Ubm|6b6OUE$J$t1`&1agn5KAiR+Ld=Cq^;AS6J-i)B(jG(y3fY_NM3r_RdmsrUsXb;$ zccMK7Pw__{Btl+s&>M;O^z=r$x}s%p3K*O;-rLh}J9KV;aw7%QkLUZt{0urocPiw> zNF8@Pm7qm%AUhJ^NJ9e2nd*YT$>1P$A-t&+0^S4ecX`;>DrbWnC0MN@DRG71&Bx-T z!}vGd5>MDqv!fjtFge1}MLX_bBEFms5n0{7u_I_s$ZF#3e^$J>Bkn74@5Y#c9>!Qzv z7fJqKb|qh1sk4?$Jmif+-4xtV#dLG4b8Ph0LWI)RWJb0)9J8^BTcIIyp99-nQNcd_ z@LXcPy7n3w_Z%eKjax>6XQvF3PrW>BrYhJVn-+z7>cM7mJzSp0&W>}fX_M=wC*=5# zdpMhR=8H0Gzw;Q0EHo+<-bR@jba^3|u9KD$S<@L>Jb%kUU>L@&7 zdN%FUUE-;I7tMxCZ+!vTdtq1<>M&%Oklg6 zuev*Mt%muHBku$a8QmSqg*>*bJgd*OnzE+%l5Nk{A;DMKlgbABV?5hiEh)#{Kdoq~ zO{%^aRqKkzYmU`2k6P+I6`Lp+Tko|xc+;95rd9g+qI|3UoE@E+^3ZXeQtuda5(1|) zLj8Q-?0tNG#ae{pN_~cXwt@$1T|Z%p-7KjO6z2z6VsWd_oDIDb`N27)P(3_d#x>^t 
zdF`rQi%ZBv4+&JULjDlt0`Jk+HuoDk(V0uL$vZ=+gG&|CQsqrI)7j4&ri>;{)O0kZ zthh4ligvpt_k3lO%mklA zyPPMwG$mX=lzO(clVkVAt>MpeZ2gnrZ==iXEjy1-ZxnMNepER6)~@(Ujl(;FbAMj+ zF(S&HaEsSmz{17CYRuNSFHAitrN?9@I^4u0%=Y@A?BJXGN!Ze`>FQS4_-PG5y6-c?Z?Uh2WOe@v%-d8 zV$fYhOQs!p3)8Sq@uOUgFLw71n5{STzVfs&#f>qy#HOp8RfVAVS-bB`r?fxJuj94; z@H}M~>{I?{sV$#qQp-4wIQro5>>sCSx`=vF=rCf?i8Ha9^*T+5Y)TXS;?|-hz~0X8t9QtRfL2sQd zuD2M!@ka9@FJ7~aT|xPT*HHFARbyS#>kmrN0u!$r;tFhCVoq}+CZ|7$bZukYadXGZ zcdLyY!f$Vif-lQdQU|Mta+KuxOc-+q?*cbL(smbK{b<#`}!EeOpI~j zg}epnfz@z6v&kb&yp3I#T4N03O55N`+MX>V2ygcZ+Z;yLZdsL(24+}qXXaM1metQz za=&p1R!M))@L+1Ucj<1H%~V|BdiR3~6V}R}d>+(Z+d~`Gy&XQiNtQCLymE1BzvImU zgMfRA$1cZ~?bx+V$Smo2e5-TIMdz!X6{ z-o0Us)H6OQLsdEf>tpX6&NJRr(jeGx=X}qjb~eBqvhN%fzj&MQCUFT|$$LGHFeRfadoPeKLvf5f7wb+w^&edDD^=rB}K9BajVR+(J zgyPziZsV#pBeVD8=DZ6$bqgm5Y!Y#zl9tBcid(JHv zC0iTTB-rGs(#T10Sv|mbgMit7+rm)9>v+NRG0$slr#-PvDW0{pm&RVP{lvh)xEF`@5 zz%FB9XRTh_#I;SP3%CZMtzsMAM!A$JU^gZ3x?=GfvV1yPZd`1eR@t(#UcY-ZI*i|4@*~UcxM~Hl*ALg> ztX^v(FAC96oy@vBD6E!XVdc3fupM4F3{Qf;G_1|2e(|# z8kdQ;8oHSFCz1r6wE3E13$ajTv_G-bX&ajOmgnB#p|`q^ElSp8M<%AqNSFt3?RxJk z%WiTbVYsZAX~Ujo#(^Hiq^Q9jHn)IyB43i0dQ$|Rrz(&NPgXjV06)lS`gc-rgsNQclzd0+lSu{rElze z`Rv+ut;0Ic*UMJNq(3Yqmh-72hc={UL4QxvSK%90VLa6Nw?0L|pF5f3J0rvmub6CM zWV^jv|81aILQTTvI9q);>vL6C{D~F0Nd{}e$5xbIi#VS{MU~$=Sn}|e@gUZ`SY@Zs zb*Ga?2dfK3rfov4_H9X))#B7Fy*+)cKbQ|q%&SPelhQb+TDQuJA?}oPRM5~sRD`p~ zqk=opW}Q*Z3CTsp2?kE-$AwApVeiHR6@$BmkO;u}4C60)wt1TLy zZQ1v{ycO-OvtOHH57f6_v2DuEEK5+5D>gZ=lVWhj+VI(%*71$KTMl$C3}4P084tbq zRAuj3{|<>LSFEVXn9LgcUE0p&Y(s79;stM6x@?gP^!M1d|I>C31UWWk4JBEE#XIS- z^!UaP_P&uln{(t=H$S07T#wJMsOpZI@{fH%5bMTS+c(+a2-Sf#WO;^w7=5%$z8OU*^8SKaUPo=!U-j*7Ee@&=g zh<7j`YbP=>;=UEyZ0E^c?+JNC^B%Tct5#e+rOw;fm^F5CYkO33-4vxjkvY3;YueFm zhfgbfyl~ZsB$}B0EHL5N`WOq2o9A}y51yYgB3FEDPOnRH4#66YVjVTLJ0dNVOqJf2vW8uC z>%+39IJ~S+jb-w%Qq6EzeV=)7xV3b=(^fUzzi(tuwyX_dXz9)A7>&;lN}fd?Rf~}s zlU=FI(HK7Mal2bUVsPJ{Lv2RNR!2F%RP9T37glt=(_w8t%a(lAFR=FHL;Sr?c@R|MlTNJWV6(#I6t}gP3 z1PE_?6`Y=S-fjD-&1s=iR6WwkgSO4h_f*7YJRa@rE@-H8v5`qm-izNpB@eG$KdjI8 
zMPHgkMxVypSt>qgMbEF`eXcAl|AE*uR#i08(|6#&mW3tb+Vr^l4_8pUWY>B?>pY&T^$nmEyFaxm?Xw`0Nf$0MZL&(~GlIwvxOuXe9k zdm(D&N%x1I%qBG_nj`x;pFQpG;c2`gvQO_fDn1Z#w2ToVaL^ve9=vvT*Db&AbNMd1|C41Px zw9K*<4o<8>DEB)zdoNfsRTW68T+N!BnP>OyaX#_!rkN^x*((*ED|uY!r=C>4ZYa#> zxV?Qw|FRx(Xbv=UK*8-t0m`N@%0J5!gBwC>`93b zACUtqsg)%Lf$ckH14$}fAJ?bKEh4IsxN_c?s^#o8Rm8Wx8;eGcR>5%!l=0dj_3)X~ zSupS6vMARogJkI;BZn2uX{CkNXHtb8?lRkYrFx4?V1A#cwsHp=f2Tg^B6i#ppRW|# zFrRRI^y(tp=*300=*Js&YTZokYm~P-A9ILMCT28MmviVu#G@qZtSilKHlB^7=5E)w z1O0+FWaO7%FZp>vyR?FGhOt}Y9F5W~8!O8@SbQT4FMN@*9%#ke9Lyp5I*A=6xE4Df zb@eqKFjzY|;?5V8TlnaT`YW{Ca37XzpcZ|T)MGZk_juyjQ^}4hl6=!obVH7*SYD_w zKT+WvDM;DSBcFX&>G>wUlRnRzV^ndDrC(h3xCy_(akyM}#EdH>TNTOPyg08fIKd=} zIQ(G4j^QU49P7=xJq_1KODE&IP6Ucu>w1-N6U>_XhZ6KkI@@-_+&{S+i1tTIjb}tP zXFQoV7@LqDoLEy@Tj&?YN0RqylsFmQy!O;P?LnJ?>T#)LgR_3MRMMu~)uYPO>YjFT zx5JX6A3fYjR2x?evOe+7`9La?@ctf=Y-{Xr-{rk(#vRI$IP8iZ7yC{f z+@Ey09UYp)Sh`xoJTYWV``x*`0Djj0KTnpK0+c^z&xw(W1f z`Amyr!ASZ2KIL^%>f$S$)?K(*qfzHmY1kKFZk9e6S+YN^q_qVxXnwN3(DY4$%d8E* zS@G&Pc&yO@V&cA&dCz8U2t0qRXs0);w}$UFOLJIlctv4khH+7opSg5DS=DsT@J8hA zXBNu5rs}yH_Q5l#FQS7c&d5-kcJ^P+seT;9Qzoh5z!}}!=X&9N(3q+0(=-E@DAVJC z#*#fPg?hIZE1S%>QVf6lY)r@uPsI!l-Qi34PWsc|k|f z8RDDwb;L|{o%fSPDk+jpX_MBWEln5B?GFu>@hayEc!xZ+S1K*!m18c`JqeGLJBX;8 z2e)M9ptocdqLIVJ+-CcNV^4fKEv`7Y)3&yGC_;7XYr_D(?n@Q;x$G%*Y8_N!?=xA`SxKp zriVLEs65}G-0sBLzHZomF@ErVu%T->}v74HMh6&VIQZW9#Io_9k_Z#Go5H z=oJ&z1tm<}H;a!y?O^jU;&-0t4OTM@f^u?FLpSo_>pde^*DYS$Ma3~Wx_ z)5JVv5*U{s$Yho`eRMdnQPSs;68UcFrF>m-Rp|OHCb_sh1^3)U!kGetH#=(|A zy6ferLft%7`E=;h!zGI5n-I>)!c!EAS1X^&hFrHy(WH|o`3ECstX`2h!h7X~XM5yh z?ruCN6LXN~iKxY##cKBILyx@NlMZH1=T6Rh6ipowmNE`W-aP5+7^WK}^a|SI`mLDy zfuNGkLxmCtH)obM40sAn_rN4iX;V&Ecx=jJLbzSf9tO(Kt|o`fXd>!Dq!eBmh%;Zu%&g1SOA zHR02~E-D8bt;3TPtKMp6$8e1s7lgx=9W8LxBFvp0wbgeUv&&FyUM_HQF+Nnrmc6v> zQl7Kw@g@C&`K=)x;X(-H{m;A1eO2E(xEP4Me1>>a+Y$Q0q+9UvH13ShJumr*trEN4 z4+V9bKM5Ir{9%0m;7ZTxOIx19tPeMBid^j+ZzpEuwbQ&OYwz}R?V6FjQ+_*5uM`e8 
zJ3sU*(k^r*1$DGG`k%PK?Ty%048^p#)+NT*XvMFOIKJJ!Uw(#0$8%YI54IV45%<4$hUFaGsT1D_8OI@Ck~o6BG~-L~Yu#K}->&qO5?Cm)oId zvwMe@g|?i$v4@F;oxQV*v+6D{e@{n08-laL(tQ{Q8z-9W=nu0fLo+1*Fo`mZg_VJk znP~+yi}Ge3=)lm7$_&sC?fZJr4+Arbk!96tv0yS$TB3FQMg-KtwZm**@wlDlXfhu>8Hlq!=;vB@zc(vdiCX(}_3q%heqp zOyc5k3DsJMXktAfs}5HFxeU0x4xD6a&>W{v+ClhrGp?KYRuPC4(SROqzfd{NjXi886#5JAJ4Tb~?%`^fO~|1+d2 zZOZhk%}iLl>GLvWZOri6aDr5iQ|%~6uw4zGs)WkgpWpYlEr~IYKXjvS_E+4za&Wtj zL#fVJ>F1X|e0^d3SYt$^&W>L_#5#w3#iFR2#W^3+Y->&8!G-wuK*5Fh_gwy13OwSE zJpN)0gr>g$^T%Qkn*PY+FV;Y4`U^0BChl^Fsv)O+Uc+>qQWn{+i7XH6S$o0OPM0 zL1_AGHs5PNX!_3LZiv^Lrf#O}~@)+gA{p{ua;gl^`_zPU3H0L1_A0Jl`roXrhM_41^}SFoDoS z7bXyz=)nX+6FrnbXrhY}41^}SIDyba4<-N+2}R zMG1r^`Y?geL=Ptrn&_bfLK9t-Kxm>569`T8Z~~!;9!elI(M1V_Ci*ae&_oX>5Sr+r z1VR&Clt5^r4-*JY^l$>9i5^NIG|@!~geLkhfzU(`ClH$Gp#(w`U6ep*q7M@YP4sXA zp@|+!AT-fM34|v4FoDoS4<`_s=%EBc6J3-*Xrd1j2u<{G0-=c>N+2}RMG1r^`Y?ge zL=Ptrn&_bfLK9t-Kxm>569`T8Z~~!;9!elI(M1V_Ci*ae&_oX>5Sr+r1VR&Clt5^r z4-*JY^l$>9i5^NIG|@!~geLkhfzU(`ClH$Gp#(w`U6ep*q7M@YP4sXAp@|+!AT-fM z34|v4FoDoS4<`_s=%EBc6J3-*Xrd1j2u<{G0-=c>N+2}RMG1r^`Y?geL=Ptrn&_bf zLK9t-Kxm>569`T8Z~~!;9!elI(M1V_Ci*ae&_oX>5Sr+r1VR&Clt5^r4-*JY^l$>9 zi5^NIG|@!~geLkh{eKslLS9(sFW618pAryTRPk9Ct&?n$-r|Y{3x5qEBU{<-tzyxd zh1$%7U9AQqrcsZ4qbjo#Le6olw0?JDQED}omsjM2^`ku^b>(s<9VIahExx4W0-p_+ z(m%e^b^4$L3IULRrWl5^#nTsUA6S_29S>=BLr+vK!S*E7+r2c6dE|Smva33BcKbeq zXtl;E>@K_1O<#Q9)K@&+^(C?ClZKI z3#^>yTTBxFa62TVMMX#LW8FDEra;WXp_zr};Zx6#-gKB6;xFh@>iF2*=rnyuuArm* zYQx8AvU9;9l}n%y0QqN%p=SCJF(Ti2s`1_AQ)D|%*{=Qa;rg8(6t{CW3Gdps7Gs}e z?*c3TbOv$T_(a<1`{eNV?_yZ$fD=fL-c$+!??GE4+q=TCD0zeog0`frj5PQ6Bp{HM zM)s}*2PzzC=3`I&TB1Xyc)*dS1aGnr#ev|BfZl3MAv>56s0eGMv6c=3X-@E?B9QtX zcxQsfw^z+?ullxdq_!Vb*Nlp%5@?(1Vh|YUn5L?#@ZXO`E4IX<;p`2a0L@}8GTa3I@7O9p8~lOoG6=}rU3hP|?3pikT84fRUHmp=Yyuhn9u5oV>AziG`iLvx~FpE-!yiM?V{av%}JT z7zZ0CBbzw`121f;3bqc~GZO>t7|TBltSeX;nV~u{9_Y9XEbLJA@AV8!jI06}EHeu) z%EZ)*a>R^pmHJXAjE(jNHCXzHM=LqNL!`E9EH;wCLuKrMRN6gGmcq{u4&S*tBO~zq zH7jH1p*Q!fjRFNZh@+w4Er1IU18|c6Qe+5kyz{a=*|8(5?Y67DRg8F6sapTbj`z21 
zHW>Aq#q3xPct5+KP!wvAH6*$3o==5@_Jfv1to*yvKfABx?Yxn!vDR&tw*!ZQ_eO?h zEVz0-K`dAP>_Y#3F7cvUd9Jf<3t4Mcn9a2Gp55`Y`}%!5hWfH~d&pMyt&>@^`=nQ< zjb}XCeE9dupM7Pz=qG!#JHI+}z4H;3*V%SPCANf@k`_ z+L(Z6`rw&9`05Gx>IwLU6!?bJueK#H@C_;OMLzIFKJa~0@O@M8ebZlVOu*No!Pla} zxA(!f_rbUKK_`=6ZA?HX6VMk5^o0U_p+J{C(8=Ui+Y%V)WCA*wfKDc$lL_c#0y;qd zYGVRAnSf3vppyycWCA*wfKDdA+LpjTClk=g1avY1olHO{6VS=zmm3q%$pmyV0i8@h zClk=g1ava_)y4#LG69`TKqnK>$pmyV0i8^KwJiaiOu%T-V6*Oh6|S(8&aJG69`Tezh?HolHO{6VS;7bTR>*Oh6}-Uu{c3ClfGz8JNBd%(4e& z*#ooe?fBKk1avY1olHO{6VS;7bTR>*On$X30i8_14A5W(XfOlx|Gy_He^sLNFlMx? zBIS^cXi((qQa`7MUctj(4ph$sUrThz6c0Gkl;BPFp*Rq{5zt$WDP#vT z0u^D6G}h8VAk7JWR0LAr1Mf`G`1Y##?N#3vj@0&}>Y7pUR03^NT?_&P9n(}*75@9N zXvLOTvvsi8skLs(;EPzV%C7J-(hSTD$yeN5*-M-6g;%9kDyX~2((=r5=hQe7X%Kgs*3mq#0!o_VbIXg zWe`#r897-5?ZC9-Asjs5v{J|}-LEe)2#Pag0|w#j4V?kaWGyn>1pe>f()RZUxXUCU zb9dpr-M*g$ZSCth82We+Nn~##6|z_tB0{@B5G=^-oxm&E#OECq9b&k zXcQI=N9qxX&Ms8wyyWE}He`1)#mp1$0A2AP8EFuy-o^xqCfUQ2Od^n|2dYQ8Fnk;p~*l63S!4^2r*0?OHkEFO~nu_GcAyb8m;^PCl?eRnYC&RP) zw}Mqb1Bl^&$rtYVc*GJbr_t3tSM{EVJTAx0;<5gCks-ajuI=X6B^@N!2nMJgz`vh8 z5}w@8Dtsy)tO6Q94F6NUkWp^E-R!z7UUF@Dt)BjV7tJ|q+?Juev%~&=WqRM!iJx2& z-5Jt;DJpd+PtK+b>=r-(N&xNvVgeLQ0R#Zyw>A|h0Vn||;Wq+62|x)z3Cje4I{-_z$%~t#PGl53)+*J-kGK%XA+Q{lQn*e)k__40?E;vN+IAqXiH>!S2z|e zi;zLkmXwu|=Kh`p1k%#T-j(1$g(J;;?5ST%bjTDBIMS5hP4=NU5WEr4Ta77X2QvZ{ zVU0A_(m^2234T-rQr`pbOwjoDs`>3z-xiM4_M_^WQSnp)ZBtzg0s|e>R8|-n zmRK|fLHqk!MXS`%Ap0S#(F!O8N(PHS%gRCa zBAMbypdhTjo&vQV?SUCl085vnQ z=-pZbZ|K76Xc^mSX=~bPTbfIwq|uO>5J(5AF%2{ofltN#n3+X}RBwlfls} z#$X`xa9C-q3}o@LeRz9&ik-Qc*}oVj`=epAcvAcA<#IKvcf%He+V%bD%DdFiS+PxBuRS^9VldP zvJ+L>f$V`KkfipQA>E1g6gFSD>!6{&H(s*xAzwI;~|LHnF za{ew7h3}`ULv*J?8bIo}Lq4cQa3DJpmVH1LBP;*i3;Zq*+gP94P{b9iR$+gYLu+e> z5)bnW+egGBcU;yn1?|4F)9lujHXo6>QH~D=4MJBG3OZg1W-+-dzpd9R3*5Nfz%hLUI&$%3j9c(6PG# zpXBOF`TUdZsZYOK? 
zv$@A|dFFCmHorX>@@7DJY&a*;I6=^A-HBw`gp`v#21I3kqL{7AeHN5Y>OD^v<50O0K{tE;85}WyM>pR@h3Hpo)cMLsx+Vj?} zwtzEBOOqCLaq;r)^)Yg}2dJz9`|QPx^SyS?&!vkR?$ACiCaI+^8jxRSt}3k z{m5teO`la+Z?bB`;?|DuKXT`|)mvT}bVIreJIipx6B)$iZL3=5&#~VSdoT8S&8kAL zr}|UixU+N#E_;Uw8{1Gu#`C z6}={{MHb_|;#G53gL)iQ!MFUYy4gFkNfM*X_U%S)*pN{4wZ#{`%K%1&BK z%6NscY$fI0Z{ZSH<&~j$f{~*bYcKj-N97Thz}#5!@Y};-;=A3fc`OfTzpRVX*swxU zCi>QT=&+?Dyc~vD0cgEJVDr17h+{AJiHh>2;M~$e-_Fm3o)OP{SgS8YoZ??;!z0h; z!n~64gVf6SyAK%nisTP`U|n(2((`nV#7c@=m3k_dqV$!OZ7!AEz7m&lT>@SKU3x-y z5ngW|)@+mU80L$=GsSLbJAX{eP4$R1BYVbe9Swi{GnYX>^Wa{*tU2DoGGL5dGPjD6 zA;8rVaiDEPyDlg1^hpUx$G7V^E|xsh5Zx--G87fodDb$$FngezSad?@URSnv!f;ph z;PA8D)BIjYYv|pbC&CP^9YoD^C0Flzph4Or+0u46Z1Lf>rsnbVg_=s2^oQBGh4(cC z{Hl)L*=;X+x=Q0d#**#vt*jU9kE5{yj8`8p@<|9Z`&4SUX62rC3B9^AEmXU6EOZ#2 z)^Jbza`)CFEPJ7g=aGBA5GxRWr<&2M-BPdcI19-~@?9I8V~QoCsdN0=!qdtF>9yIp zpANIojwH%s`RpmXq)XA0^%$?-HSu?+I1FDM5as0%nDD9AAVpg~E>v$MU6HHpS<$7S zGy`2NveN(i1mCJ;I`SsSL#@XL;bQz;B1Sa5Gda_q6pU0klWUq$2rz<*7T7 zOaeFMv$E9fMFmfW9k^r3<`l`Y|1l|#rykm7$dXORUeq1^=ug}}od`4be&ns4Qur)z z{88fTpvj&u6|Vy=RhJg3MMi=@Q;zgSB1v}LS4eh=`^z-Y93_2I+}rAXcG*13r6f%g zW1Si%=7tBoVZ#jdQis`L*Cs1)jDk!D_A|UVos+d9H{tjATBlODIS!1# z44HEe_FWwv9rM|6DzV_`DO^p0T(HqVh3wYPqX8iqBK^E|^VI7(8@VeQ(Gw0tcge=5 zbMMsVt0(40xA7Gp9h)odo1D;-l$>pj9dZvnaB;9LP5NG7P)fNn|Di2cd$m$;cGV|V znm49PZaqmpzD;&JS54S65pmnt700yPV5z*xzn5o=dV|gk43|2zaa+T8B(c z70A}uEypY)_p0Fq&bfB-nMv$i@jFGsD<%5w27~e}?lLJ8I}$dq)TMJizId+RCgH^@ zfnYlSP9LM?n>MRs6Rx6AXhH_mPrbs=Q?U#J{eIK4F0xo1h@a`N7oyh4rI zJegqd6Rw?jDBA;L~8pH4jYVxu|)6e|Gyrz$+7Qa8$tQ{T~8Axd| zN(d0CEoTZFm~8Sx%#K7g1yIbDcC-u3%a;$td&x;~r|-ylR8foRCG8VdKZ0Dp>H?wE zDy6Xk!DVzJqPMJFgY45SH{iGJ%)yryA_i%pUWtKIj|MZXC&r#ws72(cj);FodyJMA zZ#*!yjrVY%SO58(?Xc4l!?0^)|A&O~!8OXhCi7j?nn$vZ9ADfev4lT( zMLB%h`^w#O#+$-E}L)IG*P!EJ}Z>JxYU-+xkZ)XEgOT!2e+Y`n!M z9RHcSPJEDOsx~8QL$7PG(@{@&Q6qZxoW7jf*`4PqwhyN^@;~tmUOcT3)Ij{4@9x+7 zNG4N3&URrBOZmq$I;s_JHkk2R?M21zEoA8+J?mgCf{Kd}KRKYpRHOwSWK%kz-1T{4 
zO_`$e#y4cL>*CotF8>rC(w4rQ^k_a?yUQEjH)H$yDYv-3^-f3RZ6`w?j9E-$Zsb5J)K>FT;^?XHN-zWD=9$U^FVz zG%P)|znr3RSU@#3p^Zmw`T)lLI&tx%3HMP~a;!ApwUbYrIg?n}X6*{?7`4Pbn0WRx z9P3&z42a3$MLZN%I^?Fe__2;OV>RmZ>`m zkh-sZ#@&`Zjz*@iS%mE@zi`fFA|p^pI(^$bt1)hLoHH^y`e{Nyl!#`B|10IaY^p+Y zpSq8CyoqLuPS@a8+O54$HOAw%apM+$pZCG$HL61a?vi)3seO;T-rUWxxust*lU@yP zpWoSTw|f(}$f3IHA1}j%P*)Z5jqBiz+Hsk8eB7fmLT$p^F}u!bi|W^*HTlnccv5G? zZHd2A$Z*cL64_GKI{rDn*m}NaIw5+_tgmXpQsSlgiDU8})H<>ex&bW3P7nX33b>e<` zm8FaHxhS7|#*8zcq!SZYgoY&q2Rzi~m+jQ)U9_nesZn3oq#Y(LsHV(oE|aHceF$E= zZWl@DT!nF)bijj4lj4dOTxEALKP|xWUNqS^5PPzF1(LtFtoi-yrGwYi2l#amqq+p8 zocqMk-JR9N?y3?WEvT_-dtWObc`B88PmhJKt#?)CwI~U{&210z&$8~J21_YWlBv&P zk7?_hUPzZMiET5%pU@t9rTW+%nY_Woa&2U+(n`;@d8PrUueoY+y^%2FLP*tfdy?!| z-bb!myH(HRl}v0xT)4gkXMVz^ClveX>Bg?7NZC4PQh`t92rBp5PFxk!osBgf`r8Ai zy~+YKYeRgtT)ylyKJQz~sF~|(d)X?df=8FT@m0Iz7XQbmH3iQ;Hn?R;jh$dV`=U{) zxAFNrIy$HD!YsEGEI*zXR;*@`o!74CJr@$#S*e#PZn-!Thz-i4tHKqHVq%z8FnSFgV&>NpK5|i$Iv|qjf0}cW=!MO4Obje<8=P zZMdQ>Z#1p@2t{Xh*UWtD#={EKl@H^c7fv?|$**WytF#bS)}gZWO!dr#UYmg@2f23? 
zlHVcg#s=5V-gv5+$=<6PbY%8S$>*^sy926~M;Jri9edk*cXGk)POkhSQE}1VuI*BP zBFnmv^0qsP*$o!t?x!IVVhtsiK8pm;^>ir@?q3=Zd5uIaei}ZdRz5#nX{1(Ry+3er zv?5rq>UHqa@WIy=7oImE*=jp%>en93@_$|7*I?}Hvyr8)BKFz6=_hG#^|iyLEkDTB zf8;uNS3>E~rro6bnfey3Or%Hg@R9}_lcRa}bf zDF|g8-jlG%#qkbaB+bf|P*s@7M!Km`$g%F3jhDl5Va)S6>evV4*|fT&ETw8X3eIJ> z&lO+Fb(7%1RtsKMPWj|w8DERK5GejAN}_iwMR~^-v+OYo^OGla`{Fe}sfOe!ownrD^{AU7D|(f4!~g1l@&2Ks)?)?-B*wjDqgF{eJs$>BZ6; z7>|LDz7C9m0S04$eql>pFijW_2j@yoIL}J1m8*Dp_yon)2?_`ZqBd>WAf|{>QC7gn z%k9v!*}X%{LR(JW*u%ua&feL@S#_6}zo(<04Z+!A={}5ujZuj0C<6m8Y^e&i9@;Y_ z6YUtwKP;>ajLb|cpvo;g(196QSQwz6Z`BN|O?X%FqwE=(S@_UQ>Y^K$I$>1oTD2RI}}1;qM^qMaRo9xkT+R7r9*5l~#0dQ7)#_Hpi} z4G~s(J8|2cszDJT@!!!z!Rr5qz3+ghvi<)*wooct$tfjDj|})yvdPS8 z53`;!nkq#IN%qVvvr+(F0bKlo>kI(bIKG$`>&;9v$ ze`1Z(bROk*H&qNPNVp_hA6z^zI%0Fl*Wyic_UH~G&*_7{-4$hxgi`+z6BdOA(`&oX z=R#~SCH$9j%EYdKCV<4>@d+VCuZEVfRQDwh(McV)jl@+Xn5Ea6Vj=XRs9I#8qElzy z#t`Y;s}DO245V{HTVBg8lN7j}%ewcrC##Zyhmex2hd_)hJ7@w({3V~b(tlX#bjgag z*t6$IFt$3rA^F|X4M{b9^(f!Anh25h4#!ggx%rJqR34=A#SQhT8lO)A<7@ zR&&9h(t@4;E(X}v_g+hCT4ap;vERgva~7o`S}UP z{EHj3*IoHi>MpCfMfa<8rr+hNNRiWjUDe5m^Q>hj!FYQY1QnVD!+-JO6Q?cQI3Vws zfeIhiYYnYCvI8A`*eg3Wu9n@3BXt8&x|v1Vzf^A1#L>UF!R^rQ)9G%c)|2r{F@5Bc ziEani858qVp<0BK)+nKfpRnPE*U?|R_QYwJw%0thqXiL7gz%sv{Q@OvRp><}6;7I| zx?KrFBv_yVQA?6*;^<%9Fs*nfo;K{KQ9y#JNquTny6*bOnCE&_SFBT7y;U~}CUSW+ z-UaomSD!eqEc$?>Ywx;fKVtZi!I!}s2M-pBi|f=Ice`fQH4^pF!-x6~OdR}+8x*0s zPd*MdtLd#DQ~lH#Cg-j}V&H4+z*aKz^_b z2-pt*n$`^n*fc1d&fFV4C2FP!VUyZ++3>|f8FaSRW24zu%97k6O6jZpgW{qm6 z3GwbS^858yZ%SAg>Ac6R1NWsYYFNcLrr@pvrMOmw2&?861SY9)tTSj*&<^wTL)wBS zfW+VN37t?qJ5EdQPVvA(>DHKc83(TsUYVz~=7%edX~nJV7>krB=96~zU^NqV^T%}s9A z(O3O?ZPP6^KodaXFZe{w{lQ*G-w(A4B$#$kbf=_V1x`bK1I&2MBZoq(12>)~bzFS2 zHeT`2jn|S7T@MUA1-t*VX#A7YU#Qt?_5+swQ{7avs%oIgLK0JiAO63oYCtLM*zq*> z&l(b6RW)#8aI(e)1}h2|MTtR*1%FIaV^UH&SyKbL(YU4tlnf6kB#4pk_9I0N$lSRU zHPB>zkSV~C991R33RDSAs|ok+tF!Iy5?Xit?OrwU%m?9)$MjV@DYL?AX-=u6GBSiZv4d^^ z3vh@3*=ZorpBA9BeV6n;(_3RZnLE^O==Dk%kzk%0`-i3TLYX)H)PwhX2Q9CC+pS}D 
ze{X_bZBWy}cHXr^FYDj`cJ?LAPW(i!Lwbxs4Z(%r7yQ62s8Qw2?ccVRqUa+tTlq+? zr^DC>qPoxH9)kDo73aS9zxPvpbm&A04Xrlz4Hbi-!~4YPo)WQQE~|g))bAa%yaYfC zpoRXx5O^&NEC|p_0Tu)p3@iv>K^T8%0)_w<1hON51pzDwU_ls104xY#LHO(l;41@! z17HYXK>!QFzqcUROCKkyTQ!8&zd9+MxS^|aSUTDQPq`Zn-=241fmqS8wOr>{H=?Mo z8E?Ai^<=5dWzYrC0KV~8rh|7qQ7et`NucHZ)3yD?TVsMM#l#RVLhI+n;CFsg%pQcF zQGMb6Ul1Mx1>wIHa`+O2M?-Z4kVp&^g@?l0qDbUljKYt{yrIe#P^cPCzAbdOA4cIZ zb4TH46rlKpC_H&|rbXdrl#ZA=VAG=T*l$sIDD?dIqVQ1F1<`*i3QtKve{ho69y!SV zRZI_>Bos7sl+?6TP#k_W6o;q!9Hsv%$VWlNrc8;kp`oQ-!m<*jg!~qQAL3=^>Iv#+ zcF?&Frxzkw{nXbHWmr=bIB3TYb^r#z5B}I(DC|w>-4G>RJye+8QZL0qy!&C4 z1mo<<$XiQ-Me=n)e`F9L(0#f4RGy^7V_!uP!?GgIzFu0e126!7@W4W*0YyH>;Km5C%+bW`^wVsuPX ze`&Mp3h8|by|o#>xec3s_u>=`dUgGy>8PMr0}|;;qos!VZR$kViteG*ZNGbI*vg%s zh#3KSDkJIn0Tt4h+nvVD>PlUR(j32^E<-IyAXM}W6%aHkdq!G%C4G4#wT3(O@*BG0 zzisv@MCS-mk4v%j(+WLpqDf3+e*{6YZD>^Y_tS9}-yI{t^a>jV$Mg&f+k${|!+>+o z^jF~AGcW-w_Y6qD$~^-TuyW6U1kjQhkN{dT9TGrGrXvDq$qYnbfR@a_1kjQhkN{dT z0}?<>Wab$9pl9FafMt|BEpa%SJle%d(6&5??G z%vD};gB^eY@Pj`v7g|dDKb$4OUP_sdFu(5VjV{d3f7->{^qK@)6N|`_{_r7qG-G2Z zF+{hNw=$UzDq(UxBKe}($2(OiVWLs3yTA^>0QkWlm<#d&?KMaeEX=7B$^s}Pj9qpP zAym%ukviMqv!}q3#aE`trOeEzl7s4sG9Z+V?5rGY4UO#J5)z0#wpNBJM)q(m#2y(r zI6~FP$sUdv&%E05<#X$o&+Smo+C=Ub`BZr{oGj4-C3Z0&zTAu4ycdhcK`C(L1h1(& zG;w!92$fy> zcIM>&?awu1$$L;E9HHP~VQOh*XKL>Z>Fq#pkVj`~3LGSoGwrf72W(mj+@ylDNDLPF z_j2G+Xc64MmIOx=@pBbt`Nu2H(vBy|eHEi&RidU@!UC0?Wg{1yUAjvDTN>Q(5I6c3 z_!&na7{-(%+THc4t#PP`1Y4H3;!xF-ZZ^8!vu@^};B( zsgNl)LYsH?qIolV>d9_uPo;-|eR#T`L2{(ia(zX;r z1!+$;vmc5M)an^8u&Vth3aqwdi7)G27iB)C+6~nU?QMce>t^*bifR;X7$%pB6<+ZN zO2zip^LRr=T(QJ(C#dkLa}QMbRNwj3)%DHnqZv@m+W_W2Q1jNg%O?*iM|%Y-6f5EQ zGFW05D&abHME*eaUWp-jL#VKBF(Lehc&pM4H>enGpsv1g!SJaJ1i21z_8+K2e8Y_| z2Fk5&hKl#{^b3?q?L#jrLWsl~xnnaX|3talAo_NzqVOcBo^n1^>A2J%s&vd)B=lNOB%x`%JVxT5DBSyb zj%Zhmgf)UW@`L4t8_ba(AT+6)3e1s7X#8-~6g)?Mh|$CW3&C?_0*fDQP=tc#$d53Z z)Qjwx;?k)pdYcd?)-v(Uk`}j=h1zc+i96#CtT&P3i|+YZ4eg z*aTeb2LMg&23%_@9^c&qTv3?O@M37h0HANfNRYH%G^zW zYt4<#j2^(XW73MiUgCo`bjE3w%rx{0vP-!{2<@o=yl=QBJ4R5Y)@j5#+W(rmdy&6 
zq9lnVGhBDi^Ri+0y52DdqSI5~wsK_IVe{rDx9aGte!aHomKwzc!%2F$^`HqL@ppXU zX?}67yVL8Swt)T|#en|8mX?T;y|mBYRY|<7_IF%eebIK;QylpCzYoFQYX8`GIfZjk z=6SWxDoKt({#fDqUy>w;#I~{Hg4M7_5{BHuDbhfNKQg@a0<27FmoOiy@1g z|E4VY_y|ptB`0gTPr2+5Wy#Sf2E;ZaQX%Q2{;zbJ=EnTvhg;Ri=lbxLt$+w0_U?W;m0*@BMZQ7>2 zdy|ZYEKY2Xg_4GzfyqG=sa-bC)(4!ljZ6$lnJ`9r8b^9n3W_B#QVxt8x-waIeA1Ml zp{1jsrh@te$g1R2R5TPYN=mBF2T)M6D^t;8DUoO!+ha6KmTqQQgZidR9!g*tH4g1@ zSaLVC=79Gp6{tc$;^C~Y5=MqlF`;$W-aZJoI}UaM8o(L;7v@6!JEFYt%jabd<_bCa z3IwwZRf4Z-4heQQdVdeWd$;(cCFK`4y{nf%BBPPLLRxyo6&(jFC4w4Nd`gb~;?*Wj zqeNTV?5jiN#*NmvmwTUhO2mq_zn|#+)eSxz9UCwepbC5yOe?Thfprx;t-ym7&=tU} z0AKx8Mm=#Jpw{3E3;1pYzOjP$0N|Acco78NS%Ei!;H4#a6%5{5gIE9vTTFaO{KX9r z3<7a05Df%@OAxpOflCm$1c6HsxCDVq5V!<^OAxpOfy-a~O8Ml&o} zUJ?;{L>)0=leD|KA7R&Bzw8h7Pq35pPcTTazo>tL7Zt($Yx*Z1^asD_pDg>Le=HhLxR-mU;=2W#y{POHoQ&zDb~z z*8Zb(h0slxDt$s-gaj)W9PYO{*W232(()>AZE1v;Vvq)BkW>^>>WH?1+el&#=mxL= zclh6&29RDS<$dYV+?FY#_lZ!p zzG)3Hu}yLG`W#38S18v$`7z0XuV!PCDY3 zHYr(C$5N||BqDR(*a33^y1*G=Ffi4~O9@yR#urrJ48R%29fAA{I0JA7;0zN80B4wh z0;~+c8GtiPAOM_U0t&D)0A~QsFo6JYh6yOZ$^e`JIKu=2z!@f>04oD<2H*@62moi8 zfC8)xz!`uuOdtT9VFC)UG5}`)&M<)haE1vez{&ue0XV}10>Bw2pa3faa0cKE69@oj zn1BMT48R$HGfW@=oM8eAurdH=0M0Oh0C0v0D8R}9oB=q)1OmVrCZGT-!~bn(u*u6G ziAD@U${V*b3H;j$zKB6i!l@QZ|2^XN50AaMdudUP(9OdijHnWJ3h*RrZt8eZKnFSj z2*4Bm)6+r4F5_t^uDh8S%-mI&v@J{e$<+}OtgYvH81dROkItdgrX5SSEWSJ0nV}-FIXq*@vDT)`y z;6)(?Kv5AfVH6f>gN~Omva^RH}4@cv1 zQc?^?mItg1%owm(@~y~Q5)ug2adUpdJTwjunTN-~k$99a4kL<%1_jzeVex3(gmp8_ z5u0od^0&=FiXq9!KwgN3ws6>K=AeZ|M80bdezG}aANxIY#ITSxVmKTm)riKE?+u}Y zLyeCeG)1tVEt~*n%FsmS@R$kP^bHJb z^;A_#$SdCGSvV(L=*fo7 z5XqdkVUyv4h7l!-6+uEP@Hf1maU93%n`sbW7?Bx(L4ugymW3IQnt9uW!sDT33xg7c z;~_`-Y!!qWG>T|EG_pt}WEI)eseq}d&aewR*{(^8w4CW7duXvl$Q^=|N@a`;tqwqX zr3yxtCiVxRMG*(Ba&S9)TO)l72B&Ksl5c!?5-xPMtRHbcw&(sjU5f0?q9=_)4>S)M zP?SUj55;pnJ*VzonW4veHDFbW^T={JK!s544m8MQ6G>yJm5! 
zdF{@3>0L$({_37Rw=83x3vTgsUm2-J4Ns}$ytIbHbftH}GJ1WRed}#&pY@E$ zR0*^_f7^grcUFp9PHy<<1F>BUN6&YAdZhX+WcROFi#e$J=qTk#=ALMSv$~s}pI6Uw zN)cPQZVTLib6rEEg;#;W1JkFJtLg7O(~6Z)&FgqvK$33nYOn7r3#WU(P|sGj=Vq|x z;^RsuR|@+dd%Kc-pzV$@Vc12Jv~8(;i)J$-J^s>3Un!xLLiAEXyLG_+*eml09CN4+&6~39Bi=Qw12-17Bm1yz**&5wkLJlC z?ngZC89RUqr!iC8WNo>!gN?RRpo4um%PV>d5mWfWD+^^VA}Kv+PrRtTRVkmvAZJ?4 z#CAn5(wMoN%cQA5>XBqdlTvI*xQWFDoL8U<`#~c%(+&+yS2p`?Iil~Sxa*{j>@aRT zUbRwK_!(unZRC!bt(RKq`}&)vDqedXQbcSpCdE!SA3tI0yShj!!+S{L8wWyAHJDL|HK zAn*P8Tje?S=GKcBFj!OE!wE$zt_UN#ywzh6IH;k|R1ZIDpmh4e8qb;mCMj^8OwOc^PPRV6@bKI!tHT>txE{IC{BZEr z+Y=gjrgi;3nRLO&&%j;e-%_n>SuE2>$NPwZI=+qP*r1Z>!e>zPkv$tL1+r{TJhiUA z`Oxv@%}B>f@sDo?zvnr|eDhjGy7`LhZCx&HtodTk-=1R4=W}+|JX5j%L)UQ=rlfqv zyevMgO{FMOBC75guk1yRvn*0}t9z@Ou~kA2)x1GQ+Mgu%IL0ta-VE%AthEx9@CYQ>Eh0D zPiW6F)l1hMf)@EB|DiE!S$&vUbHFLCZRavR+09SSp5z<}*~4tH%A$~P`{9zzE2^U0 z5xh05F7Z_+5o6c)Mn1wvr-t4NC_GykzKW~roT-LW-GD_?vQ69i6VG?Qekn3yUwq4C zJt4k_Z{jmIQ&Ax_opM<@_vRD}>agX3(zd98m90e=)yI9J{6cn%S7oBJDT;#!k zY%ti1I`$%o{@C%i9R^M-TgryFA4`*3X~Sl4kwf4a-RXx7dxs^K7M8d!{$&5aOKD&1 zrc-wY4u*&DS3Lc+uur`@*&&>gp>^QaaYLSB*F9mC|M*MZ%WMx_d#J9ZSu()M|IDS) zf3D)gE(acc5UAaruxwd-nD5E~hF2&1JxQZY9k|ZAv5}Fno?H$D(SEQK!I9=R+|*H+ zQq~bs=IOdA_NbQbnDuc7Gyjz0%@=lc2*30h?P)Fkz!-V%k?7#QWx;X%`>x)LlZ}jg zRb>_#S;nnv7WtvD=@lU;-No;`GV+bZr|ysWWg3L!H`z?9jXAAPXufPuq)kOF@(Qrw z%FlEH91}7bVa@DU}L5LK8{uIl@ z{o9t-a9*UA??_+wGR0w`-NjBr+Gdls#2p}$cg$i9( zi++*4$)hw^(~vRT^h2QYo=16DDbvTnw>3{;n&tiUH`gq{S7Y(&?3v{}yN1&Zyxlk( z<%v~UdNKN%m?eA*l2|;Hi(bUJ-XB`_HdCW&ulj3PRMw|d}gckeZPTWfldjdtOe2~F~$}iX?_>q?u+SZW$3(9uG10Ni1oR= z_GS=IZ_E3@BfD5{@bu<86g@L4Tqamqd2;d1cN;k4}}cE%9VZ?d$J~PS4399PC9hL2t|~6McTew zW4e32G2K)(Xx^Kyxjem{ck1+by6>;|sm`mqrbN$I;UO7dt$nX*D`{?T;b?>qJ&QKJFuYATTB@^n_f} zQJN<@n`t$@O-0sGM`9uwZ|{`MrQXWXlYK?3Q0vy=&8v0!{7rN+snO+;%k180gqH9# z@6p_a+{%|kbD6iA)p+rppe8GK7+d0gw={-zfd_RGU;^g!V-MH_RUb4mRqb1k(Ur}F-^{IZfLmZ{dv^e3#3$<&}ij501y)L#nu_@eJ zmdq4O+jDv$Hu`+fh1E`>x0jvm_aT)iYJ@n2Drjr&yWDbp6=!Ap_2YXgwP_l7_)_h+ 
z^hTX~nIiOJRj0kuJsF)%0=|_y?rF;I5HOV0y%z~r5pXg(``|t_~>qgwho18E97=cHvP6r)a9!eps}ZZ|+gNiL#G?)^8PH8!D{Q6mndUT@a^EZYaAHK zw^VDp5n4-L^+G_aR@fyM-O82sA6t%{e;bVvN$KCJwqN~h-!1tcs13 z-&$-JaNbpom!@NLU-x9ob>c|@~MVk7hI_q`Yu`3j|-u54#x z3NF8^5kK}`h^ekhq3KY=hn~B9a?9@?E4l5lMj0!2?VM_iud2EgpWmyi+l=&=g$cFG ztYdt$&BzAY{HW^9#1kQRdZ8NMiNlm^u?F<2O#d8Pr=gcs^Gf`r)_ukWbnD_-qvGH4 zOW3a2JY>1~epip*hE?3E1Lwrn3{^MmTymCatE^=*!{M_k>b^#X7#kH))FCZVl)cch z;00G7UeJgBJ9bsfC@bX9fy($p2j27V=31%Fa$3x23vXyE<(6|f>RaBdQ{J+Eea{xc zGQTa)*Nb0~RE=7Yy=0V)Uww`KVQS-3+e&i;H?A|5xn|aglh;4(LmU6>=J7sfilmS7 z3()qL!g~*0_Z9AQ)f2t#fC7hV=^mg7#Y30`{t&rjFmej5cq8vb?e5%Pc9b3JzJY_7rEc9!ZOgDqHBR-Nl2lK zdpc2NxurUBC-KsqF?aC{<$R8;nChjqg9f`&Vk<6%csd`9SR?rlvDnSW^wAyH0q!jv zL%1jGr)}>9d%ZY&fqA`dl_-s_QPBCI}W&m0a%>bO`J-wMKSsjm)8|UN612_mYXcN8SSI z`V%JohH0W+mdnE0jNHWI$8HY&^QN|3nA`NWwfmFX-or5K^-M82xo8#lw7fM;LzQaF z*77GkW2*Te7D&K;*g~0s)xXA2dyq$+=}l>0*rJBclA|qy4-?-wHLIP?@%a=)811ha z^yawRdZb%}$;EkiXH|C<4lzJy))X(!*DcTG41K@6u+>__*S`t5PT8I3d=0N|vfIgw zcOy6IEH_)Q<|MwQEHHgwd4$k@hQ-(IT9R3*u6IjRPkv*GwxlQ9``CkHjQ?OFp4?Ht zCAup5oukpBmY8CtSFa*{u~sw}mYrgByL9VB!NWKC8q5x5wt|hax*y&tl^-e%P7Zm4 zzViB6ZD`=BMH_rdKcpS%ODw0{{SN88;qui>arw2O_i5Tc4(SAi`YlNlKHSV19}v1d z)y(q3hZ1kC{2-!7)KxC2jR}{sR%dE%Ij>k4OeuXxB>K4M>wrU8X{9x`hm_>yDS5UY zy4qLTn3i*^y7QXa5TmhI@$<`@5|RcLjrR5AdR>2MiSUbzX0C1dWOZ0sQo5(H{p3Bt zyV6}}J{-NhJ@W7~QS8uAaV_<`&b=tFYuGk#(f-3+Pb9Nh<2e%#ALA;jktOcYp$ye1 zh}&hcEupqe+2r!E>IaYbsVcISY3;07ENFX^)*Xx$-Mp2yheC)dNsn8HHj3{W6K%x8 zOAgLe7gZKpW>B)j37VTiOGhbWgKh-J5#H1tHxEwGV^UERd;0*nZgrhLec01OF~Ky- z;#aP=@zjjolIF!YNF0CJaJbTjMHwg2km3YbMZFIajCLEoIIWL zXxx)#?#8zPX{hBx{O1s#<|$R_(G`{|ViS*Upnwb$BSbaM7lvEwhhvA#&q z>z>J$hBXK-TU_E<2C6(u!I+f2Y0o- zet9HE%Ry(Sbg3Hbp2dLMc8eDqoN(yIV8@7^p}D8jgoOQyMEr|NjwPms-Mb#!g2;~z zki4GJUaGsOMd_2qnnNyG?>F5|x#Oo(o%28*oj7`{HLmJHTS9hVTlLX3&L1U@;2cT! 
zS7+E=OJ5;d->PpBn6btnCSr@1-J5kMj~TKVEYAoOxwDN)TTlP}3qe}f3XYX|kqB9P zJU3Ov_CVnvL+cUhgrZT-_ipcFWoT(F@>iXFeBl9N%hElpEAw(==uH#OE>GCN-=m*o zv;Eq#)2lKpADz|KezBovAdl}ty@s)e!KNOamkW2vxyT3Z$(4KwXL=X&kA7r-+$sIK zp3~V!8%9t$o4mGfy+Tz#-0yKr-uT{T&WB-}ITKY*h&ZX7;3VF2WP8MAe!kx}6ltt= z;>kksU6?oAcb-4{;J79MeJbm6i7^AS_$RZ`kB4HO#f3Ymd^tu>5Ul`Qj$$llKe=sv4BAX7P%YxN=9yQuE%GeLlLn8J8ByGAHBtZK~xr z%Ni~ahLbklx}waudzfusc+PS$qHXo_^~jzwoBe4-`yij#`nOMFj)?DupU$GSxY43r zn&2yDQ|Tfqnvp6PpK@?-1&>du7IDWO7r#wCV!n=-|5^6LvYStuRYT3)xHv0P|EZ&h zFR{jP3EObtx}LaDU21biN>!5COLd_(oMnH*P!l6j2C>tBs4lrR!_>TO@2ioD`l9mU zltF1ySIs&f4bmsy&HxTle~qtn#@NTP(u`CcUANx0y4tmGc{4~KJL@to9&gCzX=)!S zmyy;fwvstOLqBYhdiJr)Qa$H=(t^36GH;Jt1l=n*0~c3Jj0kubySCxo@$?`ewUbFT zhCALCM#Lmv*2lh)_;e&1hJnX3AHMLhKSV&`#R_U>)4jbHTJ3Jqyi@D(RO5JNbV!G3 z^t#2Z4wkH4OX!j|aTn2W7*`n@YX@2C9=b@9Oy3_TS<9E99_x28>FP~$&s9tFIInGT z3{kIW%ev%)Z&KN4yq61itC4CiDwn~1tAC)=1|B=Mw0)1tilZxPlIffuRy|t#tjI|= zR??WG`I4eDRwc;S)Qndty4p)aBck-uB3HDHzn#Crn3{#|rPaqX7Nx>7X!@6AWnwjR z#t<2)84{kbT}F%gR4VHv3=~i+b%g`W!Rmb+R z2ZGYkGJv^Z;3eI#R&)goA?eKO^PU4o*!-?K_PqB${*>lfmJVM0DNoa>l7k4tr+w!H zoBTBHV4cKt*Ciw#c5-mt;3)2RYOx%p`SIr{&r2q6*P5wo|D)!_=;5h+VP8>Ow>zs* zdPs0zQpU4Lj{vFmo{0B7^`^}4ZaSWq%}gDUHm78&Ajc%WyvP3O-~6wwT)6?J=_5YGq+LhtKB=-8CAoIkw;vi>sC*bT9aLFt z4OCf-f{KcUg8cLO0E(roN^D32N@^Mw6xHS>D_4ChDmFY+I;5;3^gLs*n`&v&T5Z>Vm#r%s{4^x7`;xeyyn3IFAs zGO;TrET9P>@ppV8_gwciUBa7u670f5bW(>Y2}Wo@47?}7)-?Nbory^B9nhC-%;0Pd zB*8p!MpZdEgq+Zp*Yd-$cQ5UK=*6ydyg)=#j#1#T5vNcv4QK*L{2iaj){QEVF21p% zE%xj=63nCX!YE(p7_`yiSVmL`9vL(%lDr<(^>8SW1bdL+L_8b9!W$q%@VT^Eh86t# zA3y-x`rfyjr`BE;72&-5`m5ao()|LpX;o-u6Z2G|T7;9(LbnRUi?MDnh zGWarhg~}>Zi^yIfswW16{>+ z>W#Zyv+5d&`sm?9@1OkIrN5m;wL9%XO=nSfy2eP@V4bp8TTQUYz~Pjv;)cOf8Tq4G zCOxm8pZ|9FuWiv@cjZf|yR7CG-LKM_ewV8vMNYrH!|~MB+)hS<@9@derr2QkuU-1v zSqnD~$UA1B!iV)*L+g(0Kt~_;%6?td$%yl;WhcRSdlv*1n#gVXcKokxaXYm8bh;a< z^<=zKOdq*qqT9iBCN{2?-HIc115vt}McTi_>*%jt`rBEUw%0thqXiL7gz%sv{Q@Om zs(iy{)-5nqW`$+0Mle<8LT2`M@Kl){mpNO(Q)NzQX6*n^m04k#yAcquxv`n02N1AX 
zK>1D+AYk7CXSOatz-B{b&Ne{6=7eU}4nV+Wg=OwWK)~k4X0{$cz-B|`J8iQOup^I1 zuu4q{6OCb!1Sb;gg&_1|XGDIet^LGnx`)gMRy>hB?+PE-40iu_(I|`VBfse-UQh^6 zSBZAeNDCSaS4wk@GhX4F9WffXYk)Tn&D(F>?)v1c?}-0s3KVL>Ii!2V9^pa+ujxCG z?iKL-pAnRv+|Kt;K@&jYZ}^1&^&@?RtHCMh1N>`=5jVCbMnIvYa1zX+f>@NQqZP-q zabw0)*Azl+P%rVWxcf+;@5rFNGolA)|8kf+h)?C6nVYxbg|Hs1lw9Z&&;*e9OFm)# z>RpmVPzHgR_r9bhiR`5JIxC{b0=V`YugOr<8|oOS%@Hd@VrbpH^F)-8;jc zI^cyv*SvfOng9}i$tMh4!wPptHJFSvz8XmsG5vJYwv4F7Z?qD@a~R43dQYnVd_!9S-R(8A0kLUz3AHA?cT|nZY&;C?s?vawhWz zC?gq;f_9+0{YbzHGFQfmL5X3utmqkHMe`T18Xugg0#>3kgob90*LDki6G(hT!}I{8 zy@EobQQwlS(NF^Q-%7R?!=NG2ny-ldzz#qW8 zm}7l#ZgCSfP~Io;{&x1*)-#{f49^gejm$*+sUg(+3pMHwZb>Jea^Dg&0E7&&# z4F`YPCqefbN=v`NyI`)vf4ZFx{X|mTvCWgcboBXHB39KYz!b=uSmxQXC4Xa4y*6_?NmCLoy3V(Chmzbhe)tu-m2$srAmihb`5Qt%Z#6H z$KTl88k?cLH=fY!+i|dq*JRYp$?f;GP?wj&`!(yLgtVl4iWl+N!w@ zTx0^g7s3X3?-vIF-b)4oti7Mz0j#~_IDoZx90tG~KFuRt8 zKmeWqX2E}J7F3t6yj)Nfo6(sK{b}u3%>8ykt^HmStRK%ce0d28Rw^u{4~a_nS`JFq z@f3e_O&7mfJ?Q3$OZqtU(aNr-ySla|r7!x8Z^|8 zC0B9!Tj@3EFBRf2XfZhXw$R;vm|laPJH2K`4XIy9uOW}lwDg)86`*Dg*tGN-?4 zEL1h_Z>87Z(U^ZPy(W+T;3O$Sa(d0A{2B@xI!fB{{2KmoDMRY<^c$+rM?flv%1c?; zl-MygG_*^ok(>3u<<)dyRIrM}%*hqaI!V0kDu}W(X_*K)~g`|H~q>6lG8#azW6gH8Yf@Pz;LbYPQ?8}^T^3^xcg zCc*B?D7oMBDJ>ch9C?*-qyNKD>hEVNt=##En5M_2*!qd>h~4mwT&&l8CHw$LVp^h8|@X^f5am_X|&WJC{k;OshYAQ9l@V=0z^Q>#PxUC^)Kl>QEAO~`&a2l zM#%{D_T$bp6Xw4=#i=u-OCxrTm_U*gTZc1-S&Kak$6Un1`K3EH2FI!%HuEV~dL1r~ zg$f_Gzv8(9ng9}i%O^TmRON}OBv_wbkDw=;{77NOj>PaW6`pi0hxg%YAkj0vffgce zm__Az74i0UB=Kcuf#8!K4_k@b*L(#+`M?gq0QkWlmRx5 zdL>1>LbWJSK@CZQDSt$0@P6VSJMuI`&(^A<`fC3m*Z~*-Kll@K;i5|t3HI6st3ZNP z-hRrD@V!H`@`Wyn?5GJ`9JRCalo#(*Y(#9#7>ocfSr ziHrrljR65IA}u1B8=ag;u!jTnB-lc|meK9?T^ln>hX#g>GTPmeEw1m14U2aWEeU!3 z^3BGpCMt(oK@&jYFZo1VPoYa{Mm*K1&yqkd(V#&h9|@+&+@pQ>wEp{13Bv1>wNzcN zpzlBI3X2x;^AXo%2r&_^ZG0x{K_9c3U0_u%_1>GFtV;}z3+(|-0Exfj6PVsi`Qa>S zj^pDceLw1-DTC6satSQ;M1@p$ZKz;CDuz(0i7I6t(6=Zg!Nf?gmFQu28{)>1xBZXX zPE^oEF>9|#l(cpMyZ^IjV0%X!N97s`VrA>%P3w94)$;O(n*{2l_Qf(Aa|CKWOxL$6 
zB-g>Uen0=f!L&25z4biaP~l)KG298Nwd>pi)!G$F%_{cmWpvjg*N#0Sw`tlb^WNol z?()fl%DP^GiW5sXz6_QahROy9>gpR844=wCkjvm^|A8{N5<~KaP=VTFLii2wR;3$m zPyys3gh;HBTUK2Fxt?$RAE@Vh!;LQnDz)1T6~X1{7bun5hn_wlPv(uzv=gWlrIu7e zHG}P-a=t!Lq1~VjP@!GMBB9rMA_-07C6*KaM2Y1f`gW_L@Fb`(aXwTtxYQr28GNdl z{ZMqER?m2~Xzf2yExPpNVO+DCcEw0oBUJskr4XuqoYl)Hs!_CIm|XZ;nCA}^zHZ49 zU)H-W%6v?<8!F@6+XR(y)^|R2b$v7YXa-c4IAD?2(P;?Jdlv)d$j@U&3+Bkrg9U?? zfjRQiaDnH@PeTQRf#=9Pz=FX{!E@y2@mdJD*3W}Q5em50&!Yvn*3V-F16*q!U;(Z* zAFu$|ng?2dYs~{Jz_sQD7T{X*fD3S~d4L52Tx%X^0j@OymKwdMg9 z;9Bzn3vjJ@zy-M0Jir26Yd&BBt~DRDKn!snXaTM@53m5&ng>{bYt0KRz_sQ97vNg+ z01I%f`G5tu)_l+cTx%X^0j@O%?m8RwdMgA;9Bzl3vjLZfCaeLe9)SU zYYA&e53sjqlwh(9dwPAl%e1-QR?sG5A4e^;Ha`J&{<|1(4?E`%`Q$n0T~>=#6joC> zM1r*{rIY_q>%IgDc5y*_%78DI??~+a7^Nk={er`dhNDd{;)T_73o4VeIMy399ny~U z^oy|tO#q3%;}bg3{-V+)y35s3{A-C3Nxq#c^g72hknVcz1=6Mdcf{S@_1@jFuJo2} z8QVeR97FQQ}M9tg;LB-mcMSry}O zWR0{bx@I#4$o?(GI6R~nN7h4|su+h8gQG;SB9LSpRuqm#Aw~XVfz(O*W;P5cBy_KF z%{a2K8XN`fk?;3I)j0f|s&P2vbadyh8aF;dQ&r<|WNEt}4B9l+IP|v?sYs*<{x7P= ziHe|+|C(x?8olb5BB|Uk3fOoN)Nfw|X=v#vD5*&~unka+R2U^KsiESi z7g*TXk!Y;4s=m!J+odZvqqcl2m3sGey!{(Fw>3LXBloVfX?uQV=n&TR@q<^LwAmV| z%NFW(fn9(GaEAYhxgcdW_B=}Uo$}QkoLLMV0tC*yC6Jg`$_aY8vZ0st^!xRx=s7oK z(JmG_c9IDWcK*v4ED1Qi_?1dV^k}YUX`{-(BkdI?-C@~wH@`g>esRkyb$PgBv(P>Q zcTn8zx4qKdyO&-6#Y=rVjoRpKlS&5C0CKajNDjKoqh{9CzpuT-hoD<`eb|#dC@-|* zV4?(s!|9ey-){PATNGSQc-79Ly^n}kX>-}f%>?dixQ)MdsYz$i7d|csbvMWj?GF32 zPna1EO}C_Hllp&cQ%-l0ns_h!25E1_s^`|u5Dp7Vj{e%EzMVyh>aq>13yd)xHFGcb zJW)i%idou!>;A>9B>^Y=c0?~V1Wo0h+u(mD+sqvye|9I z4UiiEasxna07zs3i7X(I1!P@;tSgWr2vP(=iXg~m{lAmX>Uw4es|Dht7-5$j%U!7A zx^+?6&bHIWSM;>em=`1UmqP+7n2Is!iN>aP`?Jxz5K&xLOpkzr00h7bz(n{@t_8ss z!;kokc4u9ZZkBH2BL6AG$B2E`)j~(_lzDRw9Z4Q}_EFH-ylrdZ-OJIDiyHim(;ta@ zXkG!$02AO4U^alI;D2d(Ox+c4UUpFK6uvK*9x6j0+_>D(OK)~X1oV&pxc*;KM1cOz zA3OfH{!~1k5dnvX6cNy9I2tJ?_7@cq&}69r5%>nOXaJmiXY&1iq=*37EMvu> z#K2%=dBD!z)=1xiyhRo)z~V5|(ftKQ1o8+?Q$)Z{zwAsIi)o4o*vX0rDBRyvL_mt7 z|20Jf6Z(T+6cLtvQAB{W55E3T(9ls*(UK(*_#sII3Ti3}7$pVGmjfs$so0chFgCQ* 
zOHeE;k(-rPebYiHt&MMgr8jgY)n?FG+AEaDRTEhecM*I52!I#-hbDqd_n?8aSE}&d zsJh`Z7t3=qTD8v}38H$O+iDOVc0@KKD2_Fss9#Q5^57cH_5GQe}_0139U>+3W9 zmp^HEpDD2n^%Jc63X*mZ^e$-JYZPZ4d6n)Ot>~F^^p`LDR1!=#noDtgWkiL9 zi9yi5gi?nO-A?C!_rkC(0YPoA8U>qN*<4z@+Ev=rhd-uCA(sC3b?KFR$6Qj4B%%$X zwY#r-95JhttO(6**z~&>reM$|L~D43`n9XI-9X1EMrySr_YI|P``zopR_-kAZ|%O+ zljf0Tmv>mOKf-NLH;CihZ(o;M(3zN~i@Ko^qY>p)k}DNwb)&7Up&S0&7e0lMu87D} zDHvGSU&>V(S{~V31mF^1fB;)Zfb;wut>OMFEFaEUKS050(b z2*4%2&JDmNz90d(#1|j{m-sq20GIfR1mF^1kpNuc3le}!d;tP*iLY}5aEUKS050(b z2*4%2&JDmNz9Ip*#8)H$m-vDN;1XYe09@kh+yGqS3le}!d;tP*iLY}5aEY%-050(r z3BV=3AOX0<7a#za_&PTLm-vFjzs4mZ#`A}dejR{c{`{8j9F53~5=c`h9XqIvKw1_D zo(pGx{YiX_-N4}!(k2Jd-~&Jayx_kx5l))4cQB+I2F4xERbtyJ`A%52@Rb6g;$28s z2*G*`<8D#F*Uz>y)w|=)liDf;@BttIUhtor2zQGK*AFL-?NT0nrG{1fIEN~O=#T%v z|KCz&z(T4FWW9kYsthPRS(QOl6jEitkX0G*=)b7SfSpifK;huzJCpDCLsbUs+^P(? z>FEA~Dg$|hrl~TBO~34BOG_(z284=(fxWY}5geglYH7}Zkb`3w5L>Kl4;b0Pwa9W4 zA`o`UMuzrqEgVu9kH?FMl9e#)DN31dZ|Ht2X6BRhLILT;C; z-c~tzJ=wjg!bo8xbSryX2SfWk`nE=v_Hc{{PD<*V76tyd%|nS`g)w+h6c&yV6@g5_ zVIeQTV}x;#6F_Y^v@i04CBNm87D@@fh?IJA%RdG$Lcq*!=R8~ zjQfTi2923++!X8}d5me;;U}Ai{DbD9MexERNF+)Wj)VpjhY^KPL_;RyM4`3`?55j; z6q#%fc}DymTu3n_c`Tu+jYcAcQRI71u?KQBvW;`wgPd&73>BGq51$y>wZw2_p%+p7 zxIK6{QVc`3Q50$uLw&|Ct)8li%8YS@#8D>Zq}U80mw6k8!jjhvEHo!k7!e2~G!g|zK}!ZSC&e&u6c+L@ zXl#GNF3e=RW;}o9Z5IX_F=#16Lt}?Tf3XWI0(m(aTFl@m6d6Rw)*s`Aoov^Pm3!WH zA)$o;kH_IK(8`L(LxV;J42i`-BZ)&{(U7$$$opnmrYJjOBt<7%_WO%J5;;BvkQh-o zGy`y=5L)Cx#gc~?EeeP5#3IRU6OifI>tSZBTgb_4zSyKSU(WQ9J@mvu$Q{zRH{Ita+)ZW;qBa!4_7|B^LU@p!md8zr^1A?6vk6Gw>((vkH}!Nkc)l6 z&ncd!xv%5EBei2`@fT_LP$*q}`u^rKr?V>OZM|w0Pj9B_^uD31hk1bV3FObdBSA}l zfwM`X{=nY#p_-qzZ{1V1`MgCmA}41Z=j!Jp{P7#v+^lc=?LA>|n17d{{eGS|+dep( z?RoMzWaZ9aIYp0a^&g6}664}~dW#uKYqg1ohX?dliSy(O7usA&o z;BnjKk6_#WdGP$hRkf^yy=S|UbBnJQuFEX9PV}kNIu!jOlY6V4yo5sMQi>dYv0FNE z8wf%8i~IIP8t|L&FWh~>QC*Rro1sqd$%}GdAWc|Q-PWJ5u(4m+SPR>{+ny%vhJhq@kMwsU<^^H!V`*~k&$f&WS)K~pZU~T#Qn0z0zP}4T$SX^C7%*VeZ}@~0{b-NBQg4`9%Wwacky_{e|M}gHeSlS 
zty4qGQ#Vi8`v8Ba#8NJnkZmj0-W7VHOV#$qa`CbH@Lu)j4HT-MG8rmIOgh}lKbmw9 zS66MI6-*w8f9(*VTVBo{-jAF?%MNg*Xu z5(#7W8HDU)-*;KY7KSl|idIt6Mv+hnCA7#=DJ`O;Bncr!s3h4+*8e%)CB1vsXFmCT zzyHto^SFt#+;h&k=6PS&b-(7m-f#C1N2ljWc6?pr{JdjFkTROWrVB$az05qG8F(7^ zGyr);F7l$cQfYp(NOaNaZSU=h?FoU`6V@Nm@iJp&dnEm7tvegnajOOCFMMj}E|Kx* zJr;}DHm~wj*D(Rq1t-d5=~!RC!`g*~m9c7mxr?^p_wmW^hF-Dv!p0kVbA4a;a5cyn zFV%X^i#f*d+_&aPQIJi42pdOdmDs6W`+44{X-%A7-g`7n(+RtAcVO1(H3!jWl`15I zb@68B?;Nmn+BALn!Qi%d%6}{?4x@!@3;wUI^GIdG_+(Ut>99BsDtc z{jmeDtkJ~_)OBwqn4}w-@0hP=GS6A&EuqTR%BKBf<(~TG`q{pl@++%IjYki@SyfgT zE5vPIm-)`%e38|)Ck3JlSvdvh{3}{B-8On}Xmqrr-ZQn|fHLj!evZ|`zV?zW^Lf5` zpY^$@%h*d%Tx{}DpD4a^E)h+3T6WQs2HOwk z<LK|h(ye-|;|uP$au+yWvkknzD(#b}ck~_)q1y*( zw+=qvXM^9nD@0S)BP%hPaJzSBx#}Q~l2ifW_J;(PTD6UC@?wSir6kP~3v~zXlWMs7 zQubLq*cUIw$nJ1fj0%v?pVzg8Loew~Tf>DD67S~sH+Ls&d?Qwn67o1n>-jQnkxv zb%a#ry{Ox(D^l-w@2TqE&gRZ;x48QDO2@9H7QQ^m>zk51lMPP$4yv&?Us3Lim5jRj zkZLZFbYjh1){6Zf9m6ztNIpARmz~5hPhaAM_oza$otFEl&o@k7VMz$bfF;K)Z;dOb znU>Fa;DqERHH7zcZ%q=cc`(G!U4E3;dg&PgfqOxqkCh=36UM>EJT`MTJI;DrI?OHi2vWAb71NW98&1|)L6YH!lJ#T)`eoI<4zh0ZXxK-U4}*?dt&n6?A1Tyx!;54-t3~4(|T3x zn)5`er$yVLs#E+{ZL)&dlgdH9_4e7KZF_gDX4@8@U3NT7eeL5+)IGZlrR{MsYkPMu zJK{em!5wwV%Bt3o{3M?-_lv^$&(F0!$CDDTH5$b8hxE1h<82ZTEs@I!A1xf&v#&RF zWBQucx&6yJo8!0*LtlK}Cr;;5Vo`JTEIulvYTOp0ca5vMl-wctto8YINjrgrdeW76 zjnzj@OYQ{`(rcHDrC!u$MYu-QZi?ILZM2|U%6#ks*)`3k@5_lc?(Hwt)OL6Txh>=- zX!X2ZFLa$=@(}8F*%0NCe$bq@dA;)FMV*VC4YRgcWouQglX+=Z-)NuaT3NqDNJ8*| z%|X+)T?Cx-GY2#Nx0~|vw=Sm?B~IwPHkm)ky=Ftqb&WTwRgtA$zOQs_OJ5F!UsW$# zFBNcQU-HtC z;NjMz7u)X0yw1-bc{RRY<6387PjO*ohNIb&gKc5SZXw6=^WC4hj!BZ5M_m2zp_@(- zmxo9pu!U@D+Z$diI}r2uke1^Z!9F2~C0{XdFol+WLt%N-zuB1vdnhDeZKmiw zAyK&Zqs_4Tz0RO0^yQQ+fmeG^Tt)ezx3X^ZwGfe$=f&b1%0uT+Rnp zlsB}d@TK1s>M=Nz@Jj1^?wrpF9gUZG)&!gotKU)-cAuEEr>)$cKehbSE3xy>a-R)L z4__v{lY3Y&5U%(j|9n`u`M~M(YWxdo=bxrouohTIAsuA5tuxBZN%me|h9V}F-#j8& z###{CT7@}nuAO+}jJV@w`}o2o8?@I}Z(LDS`DniC(uk41qn}%?J>uV2?VViCS6i=| zwW`|cN-pPo`tyaD#FVn!Aa#Br<22D{yKmz?ksY#q2T!smjKu{VRNzBuBzmb+Sqxtr 
z%gD!CM-#&zde9o)?dvF5d_CD>neU+?C5IQL(45 zOO-@^U|z6KYn|jnkM<1IljpfK<36$F1*0B(7j`$bcwAHR4LSVc!;6(YpRZmxNVE@- zDdn{A8hEwEy0>nTt)Wleu|w^o(LCudv;~)rhrCF+r0ZexK(o&ExW*Pe#br`Om5JNV zSBK;`-3%eoHjX~@zh-!>W#vP^!=H?=eh4I}uIg4QmWxIUZEs%0K#qP!6Des2ws@*n}bel(P zISu4p8%pgin-m5mJKcZY+tq*On#mKfn9otv_w*F3>xY=irK>jxv0f`yySMCmlRSPX z*{`zX=7xu#FN!(m>G*HK-?diq<}aUrxyErQ|Hzon!Lhu|6utKs%Z=kjDX%kQj*o_3 zU$}8@bjS0x(X}ooF6GblJXvwu+oQJSj(#-DLeEy_kn67Ct?wbs(dE>{YBb zCc4$*rQM^mBiTGBgWlUcl1~%n^pRY#+UDB1F6o%Xc_|x{&Z$25*rEP9^+qF3@q=S& za%QgY-G-`Y*-eMj?(Yz_iNl_kFzyrh_}0HwMVsAyQ9+#bgGU?>(^fpj*SXk;sY1uVmqGc-r9P+^mkj-KwyOKA=yvG0bCa-5PUFlCrq{UQD(XM7toB?* zPFtLtytvV3v9JH&`X`8-#|XDYq_T}4w^=#4g=rqvBEJThJZ*rE`^n?f04+xD*$hUeJF3jsr5q z+rOILHUDVKgB>NGFD*o#@jz?l`N*dw%`Lf7S2H@gzof&(hFvA#Vf)a1EoUO!{=~+S_gxo-yDJwRwBGi5-MmL>a>^6OoVeZ&)$IR>rmmE^nCazx zcKcz%JExJ*f#kgPdxU+nhE;~h*F!29v_kB9@LRmXn8Mk!k;LbH`;uozE;1K($AR^OMYTYR!|FOH)qGjJ1QNz5Tq+{xA zE9hIkjBZb6P29OuJ^E~BpTw*D9jrZ_r@OYZUrMrDT*6`Kx?_p#@xA2BL!t-x7_pD< zNaXQJp@lRT@v4+xzZT@qy?M3N4c>bM_T9(SKUy8ZDK8R=>J~Y_xj0V1(wDP4lxuaSHH>UGz}YgH#xh!3@dmiFoI?-U7+wN`mu$E9L?*2j4FYNfV1 z?_r+$gM19yzK%pmjZFooNB0T}>~C7RN0=pb{bF*vmh#xxKy5?L2z%wv7yqs)yfwXY^jC_66P zJ~x`*>{qq$WUp{BS)?vsH-ckJru$ui^S2in^kxg>-6b!jo!eaDW|!i;UQQgU zhYD3BsJ!uQ{&BKl@+E>_Ut3Qb!2UBM_5K2n_^3HxDlllAm`T?|cD%K@n+D z5g{QFjD)0^v?6YeG6hE_sp&cxscBkkk;o=~rq<4`o?f0RhJj%L?x7A;Pq)dN2yQO! zrCi%*{LOIIIq);4zt}lgSlQ-qe*2r@tnAQV4WE7i3&xa{jeQ|@&V0cI0&88(md*H^ z;a`TUZ#@rruqMmNODRz=6js?K9w+M=wAJ@|k+dPBAByvDK? 
zfeFQrZ%ey`Mm=9Qsjh7NLae@D7-5*-@0WJicPts41VH{XouTY)+EG<||Gjf zGkB^ZLkOG%K>jnG!8T7eezWPFWB1E6ClPx-q(6>TRc*VHe5Vh)zrrf#PX1~eTSoCD z!o|P#qmJ)NMH`7%ZyPz?#SVn51)Kl#2nct#s|Yk!2{g$Ro{h@R3{ib&TKujiF@(B- zn|Rd5esDq|>8vDsJ8KhH|-kgf{$s#3xh>`GpjBR3K$Vla4S z(EZyh|8&cesVI?OLba@ms8jyDO55$6wo79|j_h+s7h3J`ZO;sybkv{T`rCE$Fg0Q+ z?J{}iKAr8lqK^}^!|_(-x_CV4=8i}!7hEH=X3@7-{_)m3Zuk4%MV7(N1;%SCO%p*- z{DLG1ieG^F@iYjEA9?)h2#gfJBJ<;UFjD-;<5x#ur1%w?AI}5%^dpa79Rd0DD>6Tx z2lDAh9=|#Q^66J(emD>0(+@a)c>v_oFVXza0OZpTIDUBmv_o zFVXza0OZpTIDUBmv;S{T9!3BalziD1N&Gzi7J3v1D7SD7ekWbSne!BzY({J&7YXtJ?8;Rd_TRoPc~{juVhi%y9zpi8)R{ zJ~71!$S0;S0r|unCLo`fFi+C@-Z5wGZ(c>H&) zck$ha&d3_XGGFntyg8&m}aCr;oRQ+v~fI1?)d zu2SwC6kArbJcf7g{8wVa%D>s8*fWd!?A3U$N z^6cp%PuNvmK!{7-@86sTe$Af2R=&wbB-P(Nh(V{i_`!QLS05ySf<-By;5}t!v_)6| z6@|7jcJ-mUF_38UU{}V}8EqQf4~aIT2GN4)Zqy(Y^imT#&CQ(3K-r^BG__G^3u-6> zh1TNz6OTA>UbbA}6p3SX*&L*bxjnyIKDzdZ{+Z9|}7Q1H)G6Wpk- zP76iZV@YHbnT*2X2}Bf@g2O|%)1lLX1K?}^GI;6`G8Zy~?&2R5;6kVRyM-aq8qgU{ zYKXTRRfp~Z9qXYO^k6D{X9KFgC&LRxB&evMzVZk}VlmK@6rgW8EEx|y3p#?IhjQ~n z!e=3~bfz{6D7q(P0}kaG1ib;+Voe&-6!}kV;rICi+i4JxxrQ!58@|5@_-N`q7zF!y z`_qEF8IZ*~5D>V3AXbps(_M!D`)z;jvZ<~>qOHB%q4$Z!;IK%vF4f!9i-E$D6>tz6 znlFuR9^m2zb@)t1>fVeX6DnPU<`+Qor}{HcWF%VK+m}J5L$A}Y(4@N2+^JtLpQ7yn z`36d18YvEkRlt0wI@vJ!62Y&pt*4D(VL>2Rpl`%v6G8*Q&&|WjgXHI($2(tuUrxnKV$lfor9Bwl?`fJ#SfikW8;LI=ls>o!a9dT2tzPqV;95) z(zlrl%$HbeI{6&I1>Zpxai-tjQWf8(Xr}XJ;a-+NrI+jFr8e`hm-TMjTAcDxL0Iqx z2W#8Ln>QVdhDEqzTIYb504~58K#=?oWd_db^2W_NbMF}2d7m6RB3@?|7FpGIbP^$S zj?;Yj>8k_NDeq5rxSDq8=XMLpIbT;zICbmk1cB`S=1=c6eVv5-Jei^#n}UeJ39G$R zh8{jK-T0?FvBmi87Z+XYMr*&=$%+}bn@1UK{nLAWyN(t6^2xdIyL+vBjXS(91gq{d zTBP``?T@!y4**ht6nH5Je2`23IEj9}5ad!YJb@7(h$x^-fi9ihSOTOz`1Axmkb=+n z;4?m$HksW>f&ep7U~&)4mxB3HFa>>LmYEa*aw#a3fZ7wNJ%Mr_sF2QbECEGlP{#*# zeDI$}K>t|`$fY2c&Vm3aI)kD!C_00pGblQPqVp_<5$IA-bOuFdP;>@GXHawoMd#U# zB%n|N3MHUW0tzLdPy#0RW;v38LJ268fI7B_&=RzHP0a-ADooC7@6O3MHUW0tzLdP%_Jr1Qbd@p#&64K%oQ_ zN7BD3pLg2`H3+Ldon#5>O}sg%VIG0fiD!C;^3%*^MNiPyz}ipilw| 
zC7@6O3MI1~NkE|l6iPs$1Qbd@p#&64W;c|8LJ268{Ern%C|(1i4yB3e;WZQMg!Xc$ z9gSQziNI${b+ldvzW@W^2OtbUD)^^Nc;>|xdH{hEtj~C-?wuLkchoX@+~SzRB%-+F zHYUp0`NNhP#ls(Bo~AL3PLG}nmTD0^tMVpA@3ZDRY8r=_x zHlqg7g6VG5AQbdc6FSY!oXSAiqfIomQD_TlC|ZZ z3xf(@s)Iw}pl6z?s35;R3qEZ_px{yP&r}oKsIE>6McLyNFenTLkHX?{I24wGAwl=k zq0@o`;EVpUc?LZ|w>g(1-z&>2l?h_@S6hwcI$>!BF*U@ClT1FF9# z!wW?usHmX60trN7F*q#rbOn?gmaG672|XBo9?H!R37>`R(wW*Qpy-~E4LFo%5cCdU zlQn5bQ{+FvB|;bc0C$=MWUir0(1!1C0zR604+g=0-u|>8Zw6$s4nzd*AP5#@_H>_- z{(jq^`)sN&kZ5afcj$d$F$63UtxNUx^kSf}WUKCo#mEHtTZGF)VzLRLf#B!n;pIW{^UmX)FTgJ-A}uN+BqV~7kQ9?v#H~@L;K(F3 zT?ZpIO=~R@*~HJ(+S%39%TvWLFf715)Pd^hHhB}l&Be{e<;B7xfS4>pEQanphXwlj z{^68`os*Sq4hPh@k{>$F!3wn_Sm*rp0v1+wyjkF!g&YD4gxCbJ^G#hQpCh>7%T*C$ zJcr7?Ms~E^HRyO9UA#`XHmkE-%J^ZdQChM{iYgJK7~$*67;7kd`{iOx?SPvgXa-n- zJN#FN0Xj_%cQkHkyR6fq*RcnOgfr7*S9To{m_!sF)W{5^2doo$z+Pc|CzdxYT0~5h zS3xmi$$G{Z`R3c0O2t03}AEs;Q+z`gu^re5Dp+5 zrkw$d4j>#rIDl}NCIG?#gu}EmfYAYj0|*BY4$}lcIDl}Nb_OsyfN%ie0K#FK00;*V z4%5y6Mh6fMARItAOcMa%0K#F~8NlcO!U2Q>2#09`ARItAOgjS@9Y8pMZ~);jO#p-g z2#0BB0HXs42M`V*9Ht3?Z~);j?F?Xa0O0__0ffUe0T2!#9HyNCj1C|iKsbPKm?i+i z0ffV}Gl0KsbPKn05v*I)HEh;Q+#6ng9p~5DwGM07eH84j>#rI7}1x z-wTJ$A<$y4W-}lBNBc7}SjBMGBqACwF^R~Ps*u4(?y=GKQZ+;m1(u8Vu#GE+sf~p8 zZyW6EnDe&1lC!oVo-b>^w7Bt76O~lu6I(ztzyjRizcLIoTk9&gA}@;{@0W=dANJU} zatD55!ni-kP<%WrWB-{^+eySc^TS`p!;@%Ihx*mUdxV`c)1=eD4`2X%0QkV)eBesj z{V)l>PkXXPvrE!ydYfx3ACkt>KS&FHkSb1X+Y|#f{~ZXV#U~q)RDbs%2A%5S2k+5b zeUJnS8Kr=N_mq{<7GVKY6xznv)racFK%&iqT^Unnv}trdB-)G`L<^?7QG-y>OHJrB zH*+cjWsf$|)JCB#sG$rLTF=kLldAr8tMPTK=ZHjWg)(%^87>See5no&g@c}HrlNxU z_AL0c4S_;J!9P_} zx{H5MfD4`K?-qtcYd~i-sUhBOR2{ktbgYMB(1WS)tqrLDo(wM(k)Wc2`U)fviNz4G z(9;!Aa#%7}0eTi@>Uk(PKO}q>vP)-bqky7&LN?$~oOB|)`+57*g1i}!#X1lXxPu^AklA1RjHmz`^TTb|`uo#n_LzaU zKXfx~6ds~Tqq|e-DEq0m0I@TJ`W9u6!4Tx}6fy=+M3D#>c^EH2oPq!Fc^6S1q_)o({HzTlVIV)E zC=jtIJXT%-16f8uVMth*8wH0V;N?j~_}mZN47D`Aa>M*&9&V<2gzx5Qd;2mVzea2O zLU~1#>PB;?PRBJtflT@y*`ddK9PRgu6&;L7bFQgoQ9o#Tckz0W#6=rQScrQKWl_~} zZB4H3w9Azm6XT~EN)|Letj*GC?_8-7DmG$?dBFE{rktLHKI_r+U9P4kH 
zY$+LeqWxO@<(=DAi^YYwUJp0YzNno4((kO2G%8H^+&N#wJxHhUh;~NHwkvBE1Sw5y zdoEkfzj4mlXyZ>4!HxE-IXU)SDALNW2a8Kd~S{dnvv5yDG zR^LHayB?VD*v$%R28?uFo^w`?~K>w=bx=y!K&IrOzki z_KnhK4Eu?3CoJP$e0X!_;i*nfOO{?6wyYez&d1ueJsKX%-&{bNo*msotsNWSNMPBc z>;0ro+of&4(_slJ|Dx5a_U_(0HtAgIP*{c!HdpjWy~R;fymj5~%SQF3n~!Csb-wKl zOg*yb{!ufZ0iN}@E_Hv=)gNHUs$B1Tx>1AA5<^dwQX3ud8CSo^$rgEQ{mK#d`RA8VmLH9Y3yo7~6nuN&>=Dn>rN z+F3SqAGEJr|2XeS;%ydj%`5|ry+T)CCFwsCL6fP+7GxC+G*}Akzm!2$wUeZkFv6R|xFpG-w%KyWB(7 zCQ?|{#{Rl^&Sj&DE47bAgNGmaC)N5i$r^1)ADpvDu$WN3Q**Ja`YAu?hZp0Lk&t-6 z?zUivtNNA`wQr0J_>~8v-npqS)U&(snf;^bFe?MY^2wF;{av<(eRD4e3#yf|y@3wP z*czaJF>^007F@r3uENyG)zG^kVzzm^8LWR!T&WNoJJ(<}#%0`5*~M>O>V^4Aew{{} z?$-BhlAv1cO1PGI^Y*8Rt&en7xlBjaa>+E1hu3md*4{Mas?1pQ46}6mrPrLK^{#od>)fLF?%psW>a+CzMeO?G!&ST0`GdSu`vR`LLXoyLl7qLCv{u_I+d<3|}meSRBJ;&=wV`)|@ZNkKrpEV9(sP3+^m2hix(O*9*7~ zdDSf}u5*CiWS+^=14ucsjaSdhGCX9ekV;b9PPbSaH#Ax3?%iWO`Q>v(M}D=__?HP| zXW8&CV*}UFA7}>KONn*~ArY4?z4Jw|n3spV-pJ;X6sgiHTp!njrNy`lK6ox8j9Nji za_@bTYqcY=JJ-p3cMR8~fz%p(wyypGQGu|IgnN2!4%`9!TkdHVJ-MeS?3lSLo;T4q zXQla7!*0wznG<@eyAu)>9gof@Mhz~JX=nX1A!M@cRPYv09uIz2o;f>M2M?`HKNa*y zT`I^p#fJe54*;5uYiVEWY@Ig1?yh zpq7k@NJWQa>iu@4kltD|6DgkTHvtQlBvg!*JQk?tE7CPQrQWWckd9sThOhHgiiHD* z#;FT94<&Bvo78~BCwg5Dem5WSaR;ST2rW|V&1(x0Jn5C0jM0j2dG9mw!Nc|9zLxw` zf>9F_olVL0kvB@ihMZN$hwGw0Plk`4jAA)_=VnWCvNa!v7sfwqpl6?LbzII_RzJ-b zSJ<Ob3YRzz_IHXu@U%03{9G|Nx85%O8Go&_==Eo8c0u9> zJDQq#?b;oC9;;a>CPeE;mwWl?j*ahnR-T#cT$-fE&S|z5U)f;MDxe-%zsr-`&i-0q z%;iGu4V%!Ku`Km9}@l|=X2I3>m&OzEOz2-*bO$8H}7>O=-O^--VpIb zdl$?0&)a)~(*63g zN8I^}-DM<>u$RjNMROD+eJ@}y*2LaA@g&i6q4|5e%PH~mpJ8gpFE*CQ9As;4EI(V_ zcO%EwL-os!`;pz{73P~)^~HBAFS?%f?yXAq(8TeY$JF$NMdrNA?#)fYYc~3Q=-%g0 z__1c!1HsQ zTykZc?tR`!Mv!a*qtcqHx z>Y6chX)y75%%D8x1f#6-IHOT!2cvgo-toDXIQky5BOi|M+blQr`IImcj5{5Q!w;TYc*6ia z$*ZOR=`s z=5T6=Zc)FC7__K~rAQ?2SW05wbu6>^{?erCC3V}c-r6Dbq3^ibiPLB0`BZs=5lJik z?7Jd2zjR9bVoR+YKbV~5zsGf4%&zs5(;Lb9X#MOi&ygE(SbxuI8y^!(V=YzIq9c8S zEo(2izxcqGrhU)ugq~4}o{_2Z8J=y`~o#O%al zBX5`O%KotYhOgjyRh&Qxh00# 
zX6=1tl(>n|Vqf0dnIh}hR3JU&DkF+_{^6MLH9azm=3oTp<4pQ{53b}r`rN&~ zo~0w;dTf5)etx2jnMjyZh~l%PE!PB-PHv2nSBQ-(5WLmxu)6x{$rZBO*KNlf2)mN7 zIcKe;7qtU>hIC7G;loE}XGst0id%;zjvCqz-lgVFCaK+7#&s`9@vQxR%*Z{e;`+T~ zD%cQp*N>ILz2~t}CxVM>kKHk}G4y@kZQ-jxsXraUmb;@~@z67ugo@B}w^}+>`EIW=oUQ@1{H*=#F$ptnEu)n~TCCb7KFiH2oInmk8s z8@;kFX9RBaIC6xfM&r=eja~owQ>5KVP4^P}We@ITvsw9{YAOsaXgQU1vte)kiHCU% zV=uQ4{ZZSa*?J$@5>GV`l(5!gI+tKv2=}+pUgtT|J|7%*!2NK|;S&7Z5vcbGE;?{*(uzKF49xI?EDl zt$I=B;{6U>>*99p-s5QE{&+OXuk0khpl^2W-Ry10ERp=-at^wPbh^HjR{5n37R@eZ zZxK?ba&itWn75awqTTB5%diuL*M=@$>tj6fSyH6B z3Q5VQ3yLPBS8O_or{r=hY;0$D@6i->%;LOqW_jXV#YUOF0J7E95R@4HrvavcM&Y>DoPe<22GUuwdvamu+*<#%;KbeXI|f z^tPH?;W9G^cx==JdPkg-;xW5VpfihuA0A$JlO&(!{^lK*@$OaCc3P#o(?3__B-f|z zM+*$uOVlrYbWT#Mc2kp`hq9-Z^u2V{mu&4Q3EOBFcOMnlcX8j*y|Hl@wimU`pWGrOBYeAl)BejF zEtE8{**Ju&vmFPt5(`uBB(aBMjBeq^IF5-E!!+l5H_LCA z5}sFM!H{^SQ~n`^Pc$S+`^)F8!+Ga8SU&aUak9@Bo2!OcHP`P#8cqA`2BlZzMJJWg z$3ic6q1L}V>%(8-PT(@O*dgln5p^NlE9 zTr2cGlJZVQZc#FN%k7dDay%kh$%xAj-M2?9tNnCX@qpanl|GwqonDk@d~7?0A5lGo zVt-Jm=2DXQ%4^>ao!z3_Ef+i+-&6j;GA1EzJ@>~=rPg~_wMQ#IcKTQ}c*7-OVz6YB z;&{!g4fmdOU34jEH5-v2ADlQAt1+^A6`!nkySRLo>Zo02=_iNBIwebQDLv3h2zWiz zWxOkEyTr34*RT1%HD7j=57mQ-(BFklK~~!q^rZOFJ)JeboUzcYI6r#dLgf8}4E0M= zW-e4;D~_D=r?0JEx0w;zppYoEmyvq>%l|0(yX?j zX7}Ub_N27zJi#$1!u*Ru>b+>gay^yf9cslmsUurIac!}k_hs|7*KbJ|*iIiitt!V7 zNeJt;J+k$w$)ljxYnoj8df0aRxo>z!eDE=QTm@wP|TuYFp#?$nYO z?gtk~T4vh^%Db9%>&S&jXr-J_PYPUup zxbZ#FOQON5A@BTk_Wf*YOLX&Z_%2Df_`0N6q4!)8DlNUMT7m6y%e+wQHnl;~g2j|T z8Pv)AwNGC(ZtphFnYVk4CfMV!Wqf6%l|4GH6uDPryh)Y2pVU24?bS3guV<*fY2yH2 zqojSyjmeL9ik#19h7a^kj(da+wK_+BzO&ysa`;u2_)%-;@$O#n`F*N4zKn>smK@c7 z&1Wm^*|^h%Oud)Pu_!0U(>P}je~!*FN2`oIkBZlybUe{0_<>;^@=5c!!(+a~dHQQN zDV1B?L>mPKE4BL&$$7#hSnb6K)vNTOM0#9(HNGPK8p#=Z@X-*`%y(M7CF|8QzeHeJ`AfEI zxFW?~ZgWcKA>)q3KrR2}6@nJnj>@s^GABc=;;!sXCH62r4&1P>P}^^1zKPW7 z4dl~;38eTm?~RHTS(Je65XYm^7@M1`c?gHymg*SU^ZP%rTP-SV7m%#;tg#`0RQqay zj={ygr>&VUf)r_nmV|wGq5H*=3*JB7Y92zhURE}q=MX#kzLGm-{yzpzh5GGNIBnXnp}Se|Rz+y71dv 
zq^5?&x0%SP%csf_9#HiJ1>Nv#%>jocQJ~rLZ)JzchRK%*etm5{Z3GJo0>J`(BPN>= z8VG)F9$p?KKkq!=`2zfcBGRHFLP8=K2}v<&Mcf)?3XV)t({(UX)3nwikxl$et({#x zy*yP61H%H`LmjA|Zj(0=++18aT-#Y#1Q3&Dh{e#IS?9pdnEqntU}0sO!wEI6D2*FcE%=aW^ zq{dfgop$Vs+8p+>uWLs|D&NvjWv~l4{9kv1sFl6Sgo2vH!Ttibm4|ueY!V7O>Zx&Z z;`)lK!mA42HoEa94YnGN9izRjja-@h1>br2D^a6|7j<+_#!18IFMVHe{c#MRk&h;8(mxLpxt^T@^T z&WLIJ%5X>N%Kc7H#m*?1gq-ME`+P?Mrw=bU{I8`Eb!5aeL7@Icd}Na4MWf@|J_Y^Q z0_mn;pDHE!f?dhnIda2{$f}j$7U9#MB>r?~o?ngFmL{3Z)e9}rO&N>)a~DNZpIyjz z3Eox8*EBaZVQK8vKfU$0>+nUI!JmDzi_aGrjbAlA@~$Q^#Bl>RQP{@*9=^kH3E0~M&kEd;7-5i^R*SY6H}NFz@3=l1l)-!Ou(I(!vx%k zIZhxuF~teE6H}N#c47__a3|(Cf$YQ-C*V#@VFKBSIZVKvnBxSp6H}akJ28a`WGCh@ z0e51K6Ua_XaRTnd6ef_Jn8O6zi8)RnJ2AxxxD!*DKz3pd6L2TyIDzcM6er+LOko1q zi8)NbotWbUvJ+FBfIBgT31lbcFadXBjuXgEOmPD4#1tlwotVP}+=)3(AUiR|3Ahte zm_T-74ij)E<~V`u#1tpsPE26}*@-z!z@3=m1hNxToPawqg$ZOQ<}d+wVvZBYPE2tE z?!*)(ke!&r1l)-^P9Qrm#R<3*Qu3 zQ=EW1F@*_aC+08#cVdnc$WBag0`9~VCXk(&!vx%kIZhxuF~teE6H}N#c47__a3|(C zf$YQ-C*V#@VFKBSIZVKvnBxSp6H}ai=T2!~c2?*|?supHUsYAlo6_18M^y)8@>chl zm-@$3uU>{0fbxbHfU>W2*-#vOO15GMUE5u586GBZ|Fw?P!6m7hbg&CJ{GWFMIX@=} zne^V2&}7`W6-MQ>kcXtv&PJ72Y8a9crokW;yOb)9m?y)>GcyWW2^}6#DTdsv$H}0o- zl}Q~5p8NW#)M1lUL-jBM*aaN^uRFn^z_}eA{^Piw`_D=Y&-<%nlyr2+@{|?swI#-# zzO$zB^@sZ{hp$P67`;zvRJyd$9UT5Q(>y(dNOfjHxr)G`b%WZAJ~E1=HQAK`7{@ zCUlycIhBF3N1JGBqtF)APzDOE=jY-{RsXux_`20|M547q89L?+7X}r+R0oH`LC-W( zQ9*ut7JS-+i0t$;K5K%ZRMgh8?4xJVp0AKW%#Z!ln zy^tMr7yqCD7dqA7Eewg)fX--AL%iLnI&>H4SP#XZ2UFo&8&Lf{8D1zNK}7}i6-Xcw zi-8`c0Da40u~_JV&=LGRl$#$CJ`35UGqq7b(LEs>a463p=pDc&YtoRW$bW)MfiCy~ z?lcL=Ttk~hzM*G1Pe0zTc1HT{q43t_t{imAko&| z?$GBWE!h-8Qj&6h?u4{&jVdVD4$b#F$H36-uv^9!K)Q~enz=(XD3 zz6>fIdYy)aCe@ARPW^iM6m1X4IZz7INU?Yd8S|a$WW(f31i!wvo;HGo1%Y6Jz7dm6 z2n_^3HxDlllAm`T?|cD%K@n+D5g{QFjD)0^v?6YeG6hE_sp&cxscBkkk;o=~rq<4` zo?f0RhJj%L?x7A;Pq)dN2yQN}P%aA=76HU$8DbH1=Q;2rzJIZEaI&yLP4fKE={cP2 z2v(Lk?0+@0%;8{V!{7*kbRl6gw{7eK^92_yTqcQKYdZNH!3Ez&6_GiC?#qvq4BdIw zWD;SyXMtG1!XzS|cgKw|wKqy#UZe)?+1iRs2a-HAPe2ZjQoz(+wa{b>sMdL2klAmM|N35@kXl*}%Xf;S{xJbCr30pP 
zz?2S{(g9OCf1E<6E(CcLS zf;gbikAjn9>1LI)9u(r!E9}6y#BmM?oG1c@*T)KPLdDbikAj zn9>1LI$%oY&vPhzCCH;7kAgf3@+iooAdmhr0WhTlrgXrR4w%vbQ#yZ~LZ>bSc@*SP zkViot1$h+Y(LW~urgXrR&i|n)9m!$72az!)lL+hKiD!8)!{c6#fPa7hATX0as`EXo zNkmJF-2I8P?k^gH8C3;iJ>~TicmHu25DeyDFDdcAvrPP#eb~>GIJ#m7Ise7Icyxz zN+8nkN+2ApbD(8N*uTDlg>??zERcO6#{wZX0l{S$XbF(z-`4=Ce(|(ac}QaX#0a&0 zwYGS-u%o4~Yp~_Tm^!O+DNB2i6mSS=0B87bhy{6%_SNc8gg>+%Fg6~$jTS!Nl{Kz^ zV8^F1PHs6{7yOe_Q{(OFb6qA8Rbqqjf!m&#mUHUqh=@rpSy@ng@2%Jw zsodH$fz2}$uXvN})h;jDWYyOl#wgL9_1%}Pt8RLjX~dw8eN16jZ1GV)`-Ul}1c5UL8nm?mIfa=UnJe$yKKnv%W2V zMpsW~?Wzv{l})MGHpc?m(xRj5%C^q-zN`yM#!H@4m2=CQg32A%73Q`->wg=1V79kK zs2@!$N;b$!C{FedeGn5;R}%ih5j}s_x8*V$_%z@h-(Mu?SG_1u{&~@U`v)0qYO}pB z3(_g#g&#K6s?F~Ta9!ZKz;zKI>%vI|WL=m7$ht5EAQ)f@Krp}*fM9?rAb{3|DFCet zQviYirT_#3OaTZ6m;w+CFa;nOUh0j2;1155!32ABd63@`;C z7^Wxy!2n|bf&r!g1OrR~2nLt}5DYK{AQ)f@Krp}*fMA%S00aY!0SE?|0uT%^1t1t; z3jcQnLmW}{Zdhd6xX%*Kw}+go(E}opySj?jNiS`YJ+X;#XbGj{!e`0q_Cf1HbTr zy9zF5Wod7(c1zh3k0e`}#W9JEj$yae433-w_s z@IrkGBxs>NJiJgJ1@}L=P#p*}JZ1wR>n-oIR^5BKYZ`Urogs};)7F=x0is7SQA zp-a#Pl(I6~A}oN4Lc>SUNfg>3*w5Ra7UazcL!xycBybP?ZJ|Em-*3Ct-=D^St`2r( zOx?`D+aJ1_HVThKtJCQ2R65EYUV%^nVrNEmW1#G@6r4PTg2xe1Bn(DgK>!-> zRDXAP@jxPmG;8Z{BobsDmOw@k31oS~ly!I_Y@Gs;h$50O^4K4&)7CU`)?91mtYu>% zkNL?s;!NYnvo;P-#>?X=3OLA+Y2yfxNq91u0J-qb#%Y*4n_C$F!Z^}Q<0!K>4o4ut zeF&{FNyOrze#McXT`C=3M)IU|vPK@mvAznpQ}@qVI(ooUZcqtd@^ z4+bKGrw~a5$R5I1SNqYP9|PehdvG)D`6-Y8+xCzNkU3-$6odrG%?Szwh!h5*f`#%L z5k-Ik6H9>3P4m$sXvQ2w-PF2w(^bkah52iNX`$ zksLM;L!`g~L7_k<6CnqL&i!cKKXvEK{EwS`{>NeAD8NChAb+d@H4D`vTA1ThenOrT7{od4+>C+!LkuM zWflPgbs`SRVpFCnU?5Zf)``YiKhc_*`*Hsda=!vBSRp+Pjo*;i{tFj&YCIr8=O~b{ z{n@U6;x#kt<7Q-iZEs%&^ob3v?F)TQ)TFx6+@TL#22_7fh8K!JAkSC^J@j~wqy2s{ zQe1>;>8Vss5!>Zw7xS}u71cIwNxb{0?B@Fo&)Uhh!(zYUX z>H0R6HcGbf0=F=^de0WsnVO25PFa* z(gYP$Ktw^LHvs_w5fG%RNN>_Rs7UWsI$v;R7@XqE%-r`r^WA3yCi|Ry%09od*4qDM zZ_mOsJ&M|V-XX(iaD9GYFvOQfjsJzp+R+bugNC;b=GawhUTXHq4JlC&)xAMMx$o`z 
zAY+F6rn|NH5i!qPcu|R%AG>tYKuoLYk)ZuPp1cJu6G7sbjayo&rX*c0ci6qit($gK5z(ik_~@m`K#TMln|dEO-5}nRD$`?BT1L&&@#iv(+Lwp+;XjSzeG}fF zWRhWcCklxdt0vj^7_DjBCg-PgP+ig|Xiay1dSh^{rhh9)WBjy#XCviJ^)I?(UHHle znB=d-so;8C5`(w39ph892f zlR!QKhgA;tNfwh0)$2~Hy5a8O!6kk*N$yPx`@g;!9e#A4h<9bQLiEcCEx*`k$vf35 zlAC8C@aok{8-q~E%f|3o9vqZZPE^1vUdM>4V=Y6s{il(k;R*5W1q5~t&LZzF>0XS$ zd)Y{?g-*?~cBnoS#uvLp6xFad)wOT z@74BnT2DU7GO(hRX{NbJMi8T39+;jN`I2xW-#Ju&=?>heL`RV}=1x$n-R6hviH74G zUPPT+%G8HWZT6SA3F{(Fj#WI(MabWH+w^6hJf~XD=6IHf==gj|ipbZLXH~Z!@KsZ_ zC%>qavzjuov^!qo%F$cfu*6P-6K>ylEp^UImug&dEjnjQbIoI*RcQRw!z7E19_kI$ z?66(iYy8?<3jt>dhXY<_{sIS+ZuVNa9&$!l=y6RUEmE#-8|9TERzi$!(~ue%TH4$z#=d2PIJLNb|U7+0e^ocM}tt|s^MMK|+H z(sgtFctan%>6aqX)0nH>Ua6U!dsPnSA}owvEo{Apw$v5PGBb|vwnj0Gmlw8HU*cq} zQ9C2Cw9(udWUj;tN$vfT9WBS>EY+nFA9_c&d#)^D^6sSpHD=bE?z4=dTMKm+^ovc;T8|x4rE8S0s1!tqji+A_Y=wy! zA+)+RUNo!MoaktMs!`;Z%Okjf`1*-Rcq6>T0(RM`2>SF9d~|eCG?9y@B4#sgDa>Uq zcq)}fBW-e$?vl|v(;(j){At}0yyE8jE>~Dsi9d*@a5>>075IKLE6uL2i;i*B```;r z=_X^=t#XWOKgYhvs9=IkX$yMuEta=FDQsuL90cRe#gTMTG+E1O5zro4?8T+c7KEC{ zcaI1dwOdA=RHGYiLD&9${C8`#ZQ|>t?KxB5>nkmS-5gb zTS!nSDF?k#lIZELy3wRF1Rm zpeWD7}8em))mSTfsX{8N1XT1kI9}vmP64VlOLf0v2L&Ohb2Gj z*~O->8tH_uk(aH-sJlUO@~%XxGfO_KN_uwRoxYocT$)`krJ-=L;ssx58B0~xghqk3 z&ii$Yao5LAAsdB6XMJStZR7d2xR%aAomn3j@5zqkvA;rJ+Zu ztAvC7)kiL(==Y%?LoA^Ian~8zs>Cz*3(}9Ga0<>m%-r8>a6Fl3&{3%`q~N0Okr1KE zyHgKKwW3}yVqiWWohZa*G7M!;xP3m5pLNp<`DrpjQIOJ#tFP5zU1tJUOR7@xI)#dM z8uu5=>Ui&##Mckn@}Pwi9bsomLf|a=1!a;@{yWCR(9XNYrzGs4@KX}=P&k(aF*F;p z{lX^U%M4GIGBsNhJK_7GsV)D!`{Nw6<{JFvE2|H8v)=`ad)UCOz4Ao5v-x`q@2w=e zaqG2-X<-tC%x+o7P1I;Uk+3K19!ou7ny1^QR#s5jSk6EjtyLRS*7v~NUYV;KihBdv z>HFofEhI1vYkz?xlXk~CUP<1#t4a0Z(cLdh2_v|lql79m86K$gJwKUlb;G2jY4Pgy zZVgNM#mD;9NP4tS`(k)nR;ip$N`tyk-_~-qo)Vp4y+NTPd)Nr8f|~f*;AiE|so7-p zSwmlS=OgA_8`e6kQMx@zONJWR+zQWJeEYnQ_+*CeH4f@ORs&dAW~+KSiH&^oif8 zGzsxM*M+vzZ|w8W9%c_1z5k%7r?!`T+I?fj@sm_{fa|P2#lpha@cR2l>7|aROXa26 zCR&=D8xomjQoK(DS+yfJA`=OE@>cOkh4Q>`wVL{pf~;Gz(@fspxqL=BUhNAx- zx#ea@?nJFk$7mQOYSVrEK#KvHx!qftKn6utmp}%8tZBKWqUP$fK3 
z>6TxGTbHty+Iv*b%&a5jXf9cN??B;a(p2d6xUrMEnW0()p{ZKas~a6@@un+Z3(%ed z^Wq&5@v5}#wGwJMVNN9)s+Y^{vSuF6J0Q3U>(Z|Ek!id&-{|3FtkW-NHR`=98B3jp zTN90UX1`wWlfJd*#vHe;_rWn##|22MWN&<}M{)}B3B0b4cy?6i-r~e3J-sqV-8pT1 zh_2a(x@1PntUhk_r9n5f$j6^guau2Qx61NgY_Dv8T^Er+|H$sKJmira8FOd#hvy`9 zRUaa@UkXX;YCd?8a8z!;RDXy&kai-KU@nVWn7EncVDn7JQLlX`NFq@lHpdCfrr+nj zV)tIOWBi(@DVPU4svyDtv0R1jV$n)6?}rLC`|`*TZ8fr|(^>bkCsg>okCs9_%oe4=>U_N|U?K%#W!)XuR!6V%~(z z+2~ghP3Po797E4=*z=yYAn)<_a=D;ieKNC%TJLsABpE|X;itDf*Tcz9TdeZ=RD_ef zee7)=O(>8UoGTxYx^$*W^U$I48O6$=>ptn5o{y^|$XDl*B#{uCv6?44h3 zA^+o0e}fobQ@l%;FaNUfh(X6pJeRL5lY<``%TKEF ze=R9Ul^MEb9kmegbV63uwd7cCTdpmWxW~QA)Aw_0BCRJbJh?H+aJqD{f?sB}pv3+{ z-+pG{Q(6l81wrZW7ltx3bmJZ$tU>b~E`F;g*5vLP(a*y4VEg(zzum-|T{kiAr<+Kc zb71?=ANxl#sre-8_GsoUGh=m6#ZlKR{M=OX`df!4pU0Y>>rDI@;MODAar}MJIBnI~ z`es5D?^nTg{*F!OE1I|^!AWO37q6XF^T6Dtlz)$SI$ZljjndH?Wf{s~l(`^u-c#K8 z%Q&1ePHu@g)KBgeRMUIuHJRlTmx~!%cTT>pkQ}tJ4Op5ozL;6W)rr`=QRH>2m;n>m z{QSHS`(xMk0*kHIKJLN3mmoDR4Jsm$${y2d~vv5k}WoKjB zSkFn~2dxL$0_+zFazCei+{(Q+me2MnC{1&Ta>?*s@LSzhsASqg>y0YLyAq}KT4l3z zPl)NugzEcX19v;x6|be_XFE1z2`hHkoxrF@U$pKd7hqQCrNTrVW9rXCSQV>HJKojK zxF3Y6dag-5%x~9b-=1$FfK5(@-BN;h;~Iy(B$ zU0Zl$bSfPE@alB$K=q2i3NtotF|V)P1cy7^uSQZ=17!u-A9Y3}7s?KxbtmS6QID8_ine1`bnmAv8_EgM4QsU2L zZZOVk>G=h6A72--6dX_)CW39$71Lcli)4_w>V0#{f_3fmv*OhhwWaG?WYL#0T?$gX zAKbNkf68_%&$l(v&~1L^lVX28y$@%}{WDFDk`a20xet(zm0ssLr$^`>MV^n*r`V1U3k~DcIvj7{fT=ISd?x>P)Sv4V&8(lMeMt;N@F7KccjV}F9}S` zOka54w{mP)Q7QR^ZYr4*9iIMCCwog=9M~TRI?kFIhkAXGnbnnw zIvv<>-Diz`&8DID9h*u{#-lpBQ_=nS7SaTx{9E0X?Frg#zQ$4O5#gH-Vf889P7J-HoreA@;*tHuPb30rBc^$ z{Lb~5Xq(0L$3kZPz7wHKv8)NVZ*uD1le`m83~Nd_f0+Ny7yEP4%z}Y(Q24`bnWJyt zQ!2$^UsM;b@;Yq8e#4z`=z5~?q3(;ge5tAz_|7Wm6nfjKd96!pS&1C3E_G1beC0eb zbKRmgMz4S>(*NUN8CQs3qjRK=?9{xMlmSH#e?w(E?qejhv-%6$L%R#UVn20xGQlUm z(hJZE7uQaoM03~sRA_9G+bVYxRp@?QtX?>uj??~@^QduvW$zN#(1#?~RzA*x&JTM*V`;@rSK-t=91=8A7ttyhVN8U$7sYIS}dvF)OpF zb^ede91cx=cQR49x4e@y{DcTXlxB^^%&2`>!mTw6Ls;Sgy>TP@xYp?9uo{JAmAt08 zL8jxur*E&2JKwP%Zdc>k^qz&`44%A{r{6hm%B0sjrqQmDUhJctcwN`v!Q0-*BZ1B* 
zT`i3&1|KIq&>*Y6rW|-SES2uAGrzZca@Hm8Cx;#DQF!4Uo8~!1uSM=&eRo*YD^Lnr zZRt|3Dcf+V`=xg~)l0T{rU9YHBWP_G4{drA4-X)O2w7`(P4TVx)^R%F*Iy>%$ob>F z^akGq=?+;9kMq^&7dW}~xh^l4I`vbx6>pYoxd|36H(>fVW}0&uJ(gFJM$3>Tn_nw> zmNA%;jf!sah*5W_7C*g_pF!EG{eHv9T15`mTUUfRF%RGgJ%=vamlF^ZdrFtsBo(}j z*ME;2D*$QN&GGLXN0aPd9)qWZA4+K~&Fo`J^=o7;I&aQ8qGuiU#&{HW;8L;9SI^H` zECeH}ufp>R6$|1Vcw(fl5Fu&!az@3DD$)yx(Oe++&l7RImPKBzOrqAkfxav{ay@Fq z5vLs?E_sKCZ_}$)=F#m>eB~^R_l<7d>$$@4^-2{*@CvEsx!DQ6a^~yT&3(v4xeDfC zAL3iH*Y}yeKf@qwBuNwCTA3QSER>ic9H;a8P=>s3gAK!y$(6GeXKA}q`OCT@?qp}c zaNotB#X}d~DTwyiyw>B(ecjn;>C}gk*?YqF-10}fEk3UJ7}0PfNm$YOyIPXV=#nb= zw|CChjGpJQuy--xV07S(V)N+Iq)qpfcy*MEdRus zQ9gUEgjaZ~*`POKxaeIYV}WY}i=*iAAu&hW{SHKjGd3BirPo)s=Udp>+oBAtc4l6{ ze>cLVpxg`y*-%+yW=lkKubzo{^jfEZ@XW% zHL$ib!Pr_sxOcvgh9RJQ*ijP5&rROy*!qY=AuD}B8V45_`yaiqzc^dnI1)G%#3W=S zL=j7S}CdP8=_6oBA2c@ z+ZbQdL7|Pd-rx`)IM{i>3m5kg&enSzdhC(+;ccH|=ZAn0cOM@9er)9l3hasZ5n`)% zHo!g1vk#wu5~_qpWhj1#iFvCF=fHNQD9*}q!_3n}&8Of8OCaH%!T=89&Sw6{+1dhw zn%YgI-}8m~w(E$j#+)es=L=Tocne{A&5^DKX|NIi`F9!vPfk?W=NdV8exq4AzR#uW zrWBI{r5i!_wYk*i*JYQXRFWP6ddHCKpZnWfqq4p%MxT1VB8;vY7g5lhyWa2!tOP** zoyMRM2^$=qH`~IgdZ z8Uf4rc+@d^wvkR5>1qLlQsc|}{z3L&B>?j8G=^p!O}0(VPj$whnLWy!lxCzEr)0sTl2BN&OT_$SV>BhOHe#dZ#?%B3PX$txu(6a$sIbY+4$hs zZU0`0@X5se`q^N0)s4&ZJqfh;Cux1M&Ro;XE_m0UG<&PzUcKLqzjxqY_kvd#J39HL zw>8Y#9!>?sw$GTwTCTcTTW=^+D6b24P zQ$^DLy6xXAncc6Pn5I>A&~H@`u2y<7)%Y#SgkLP=SoNThTYf%L`8N-|vm2hAqYV05 zb!y6Hiu07RA8?8tGT#?~Q+&_k&z68w{27_=*Mpwodmewb1bT`;BlG=w&{KTRnDo={p>Mx&Y+UpQ8D$0?4QDaQx{4kWYV#=DP|YpT5KKrwc$n{VAI7Du8_Y z4#%G^0QvN%Xm(cs`LvtHpO=Ar`g1nBYk+*(P2*c6PrG3Jpa|sC58&*o0`h4Wj2{$%eEI>LT~$Cn?Sk=xB9Ko% zfU~O#$fsQ}eozGR=?8Frtpf7tR~A1i0r~VJI=|Kd`SdG`AC-W7`VpO9>wtXvmBo)r zKtBD5&aZVqKK;t#MSBaX>Xi> zeA*i)AfNWe3CO2CaRTybPndvw+8ZVuAfNUI3dpCuaRTybZ=8U9+8ZYzpZ3NH$frGV z0`h53n1FoR8zvy1_Q(myr@es!@@a3JfPC5;Cm^5p#tF!$J#hl^X-}AdeA*i(AfNWg z3CO3tfdcYrZ=8U9+8ZYzpZ3NH$frGV0`h53n1FoR8zvy1_Q(myr@es!@@a3JfPC5; zCm^5p#tF!$J#hl^X-}AdeA*i(AfNWg3CO3tf%+r)l)Z)1ayCqlYddW&!*<$SzD+@O 
z0vqu6Zy?ZooDZ8eH}7+(s)L-mDlF@#w7Jhq8$Xtf;L(8-$~8IGhER~RCNqnkw>3L>!^zHwRnVI?JF$eMsP&cknNFD8Q?Q&G ze&uA>SrAp%vt&J-L{Z;LXp+Ad)X&500jD1;lbT@n)Fy6kL& zf^cal7@DJu?1{Kk91QKht&zsqS`l$6qwFvawnivB2zFCNTa1wk${wQ4r6?&4;kt~v zW)I=IU}b<#Qu+q=rZATaDXl|@8|emU3nY7GRO2eSR| zTh(^uxpSCn5N#-u55mU>fx>wa5GaD1AA2|%Ta1Iv_C7x~_}e13x!7jd8d%%e7}%n$ zjhudJ=?D7SOy{!Xk`^a)AYqY&71i>pJ0{NN8RU#-4_DtN^Uk)fQ zln1hX-tF^2jI4;Z*J7I`^X-irVvEMM0R}PaIwEQTirMk zI26PrWF$lsWTa$=4^bSUVWXp=rl#RxIeCmt046NN5933Mo!5~UlT?>N@+n#=sp}h} zP0=Ekt~%QoU(-RMjkez45Fa?0e&8}L?jfA5_c-*}BjaKJcKHAS;eOnGc=*^#b_(oi z@$vU#n}E074D1iKhLD<9`6@oa5gwSWr^+E_sM2AktuCAc+Z%}DJe#vt6@`BmP?lMt z^2NO>@bL=gDIF4m_v4;7@*-`xj~+=U-1phx%^My0JR0J=?Ra1lzy%lsaFYL0WZ2(O z-sviHuv9_IEOz}dW2>68$Gi|~3&&UWX6U-P&BU&-_xFnX5Fe{kub26%&nx6NUK#SB zix3p}dq>)}*MXXw>}liF9Qt)4<5E90bYxfc-z&0klBDE5*U0gJucc9wp=Xmzvts_< zk#_Cnmj_Mh%QS3VZ=TB5;Eyg(BCEf#tNL#h_dx+tfD~9MaC{I;|5gCqwG)V?pnC#6 zJ`hnrmjYe7t6TUxMIiOTrzh}%6nw@9pYdbv494-nI6jyfu{|vY#M19V<6m9?u@uBo5KBQU z1+f%NhWyK&$9Fq`2|Qo|517CMCh&j>JYWLPcOAoDUjT#7V9*&1I)g!HFz6if*MsM8 z_5iUI#8MDTK`aHa6vWcsbPa!T5lr9#6L`P`9x#CiOyB{7&VRA%_|4{E&>0LmgF$C7 z=nMv(!JzYRx`w~F2nL0Lm|HZE3x0{235-?B#21>v{2^c7e`E6+Y z%gZ2^f>;V-DTt*YmV#LNmphN|b^wFUV9*&1I)g!HFz5^hoxkfC{_+ACbOwXYV9*&1 zI{%LkIzMk?n5(MY!l~xIsdD>*X!ImrGV8Nr7kI_SE~M;NzN9Gd(A=}-(PgryVKELT zT0td%04(8O>JEN+=2c{>+Uv2KnMS-@IBQx~eL7rJ>bH{*j$WcQ@mZHWH#EfUGoQwD zcO_sFyZ{Ek4uBhgQ1C~Q5Y}8~Hzjy4iI!b83|e-SW(&t?!{d+h)AIi3WT*dI`Dx+U zbgbLCSAR;!`g49-7&i}uhX;<$s|tfbpuGIh|6+n#*mg45?F6;h9IlY<6K|jIKPIS! 
z|9OI1#BbsLjRdvZH|RGBYLUM^?0-y9%ey;4EkEynFF`Gg2Z8+GOHf;K!1TKWwYWd0 zpZ)gz1TMjTY!=$>1huT&32F)VZ6~n(WeePW1aRf6cvOUkD5>!ei!1R!e@#xiOncI= zadH3D=S15%iJp_b%}GP$rxfb^buZ9c&lgbo#^6I#nA|zh{NU3w^y5I2Jn(TmG4(5^&^Y+ zp*bc>#x3B^aK(O|@6G7)RZmb2umE%TKkWttm&`-UD&E2k&e9gip1;rlXWGJ%MZGUD z?-RywhTQ$jqb9%I0spkc(!5zvt2JwP7&t6|04xEx1BeOOC0Pe7344`)a?f~2YxWf(s;10kY zc8me^4!|9NJN%J5)JG#1heNC`R`4eT;J^5~DdK(PoamU_o3D61jk^nT zs3W6as!ugn1t}ywVvAN_RT7Dki*pkSm0Wd(f@**Tn8W{3Hwc*HXW1+phRA6ZLEoo}=iSa{k1;eS5)$IN>}-RAaEV)6W9*5zR2&TL zzb(s|Sz8csNkia7T<0*h#wc5e_Vzy8?37VP_7H6-H$NvoKY|C2<;ug!%fkcZ$6hP~ zyAIBefIxZSoKOUI9d>(3l$||<%fQgkR$oz(;}XW$!4ic%lfA8jk-egUEy~&+0*CX9 zh!CNyjknu`;N|(pt>b~iIgxNAFO&}gh4OK7^T2qZ5FP}K6V8vsma%Q-=0yI!eV0{K ze%mr$?%gfhzPR?T?zpv%6Wa zf8H!CFn)d*_9h}>SYF&beEbj?FB02S7&i|D$&1Csi(U79yHqdyjuv!xv*7=@Sy1Tq zE#u`wKoI;$PTp_L;)NqQ;e7nt&Enzag#O$tamcT>Y-DeSvBowH!lkN=Z6fvs!e(l3 zZ(}FG#bt~!vg5QeGqT0lVNC2fjWAYRC~FP}J8Xr$HOijL#MZzH<%F@d;4;Eko0y>; zY*8ErHa2!#r?FS|8>{7o?Y>&xe|)t(uje{GziXX9a6ZU$w zmM8;T>p#3)8(Wm48OFhm!x3d`hsCu601IJ<0SC4bT-UD~+jFCkCOT}6!j5*FJlxzm zr~e2Bd^Zfl|0oP3H}>AckXUDi^KxSU!T7O&V1N1E|8LUZ-A!Y=Px@zJ0~<`SzR1gs zb%Y%laIE?B^YdVPng3ZB26i^vo?wKrMRA!pSQ}#KB@ z4E}N_v)duC!HD~t4ZwCn6#~JJ^$4t8V8hZs_lSRR*~s0O{ktyvFJCqcd$Y0q0YBE~ zcdnXuyT9e*=fmFY|JqfXV(jcW46Kbgj8Qh07-udsGdnIPlp)7Yk?@avo^RKMBmTLl z*nPj@u%CVY*KP>Gi@^H)f8&1t^()^kSP=hQuwZ*x>@9~wVG!PJ4ZzEbfI?tA{MdCc zJ~)IID_6L=vFpC?f3f}2Z@VPKZn=Uz#y^caSf#QZV|e)>+a)M3Rs}%dScQOu^T1%= zO5EJob>Fw^_qqVFTdpAfxm-c=U|Yq{jlDn~C>9M5RvGX@c(5je?LK+2GM@(q#p=85 zwL2}7zI0h%<&rcf4=2y>pzT&Ih<~nHc=&m-fDmvv_H)O!p!?Q3C=a&#h9h=0c&BOK zwDDyX>EE?$x4uC9bA18hhhlqAtRRNKux-J{5pE<_dm_JeBG?i?R*r73`@UU@7k;Pm z5WBm2#ICMh+RV}(`%!^Q+S0%tC5bY^7-N;b9LgGPZwf*1AhDMNv9q^D8CVfri0!5CYg5$mOGVPiKUmMQ-vl<^eHo>9JAIIOv@in z9{gyU-*JgLRiy29E{mAYa)}hD?aHGo0i18m}#uaThYp-x+0d%=|D6V7N|yoo$~s_Kk}g>s;+ z5*hp4aOpl)jZbe=ncZn~mfN{P7An@JF?wzX+c^5Srt4C<(i#``^Od~UVz^8BIk&&j zMP7MUUypLrg1wN7ov8i2{tPkA@NN73L{5s7)}!Pct#LuI=8(3TxLF0+0c8zEtwlN+ zj;F-$_30+|)8$GHFp{+v~YMBK$MPb_;=e$nI4nneA+yd{VHj0kJ!`fb@b1IgM 
zB!m@&>hZx}iIalIZsB8&azx@xpFMbj?w-L7N-a?_B3^QeWPgLp++rS@S0?SVYn7hE zRA^_$V>;s;Za%tz^6e_tuX#qw>itr=O3<*D=(51QYNDX}3iF7WrlfkcF$De7Fps_m z&fMbRd^2Mb2A>t`wUY5=6_g%{r7gbO+RD)9v@m2SZsa)9K&ZsoHeN;$>OG;aS3Xvw zu~Brt70RA`{>+=QgBdv7WCZlLf=;WgmUa<0g zsHmcEuyvIRoXp-kOpC1|;Qhjon2=8~di*Yj+o3NMg{Mf{Po)_q>O?)AX;kI+EO$wO zHHMzgDyK7o`446Gl`BN@G@;q)j_NO}5u_1aRZ1y-QCP<;r$D}NB50{ejZTSe6G!cI zBi#H}x^o;|?R8nd!*`t$g;UqX50&D19R8A=KPE&ZHbTF|WaY43Y~t58ZQVJW752B+4Z8v5`++o7sC0ReS%#lojG)_itXglZCtg z?E&--a!ho%HXv&rX}L>CpGF>>E+yZ3sAmRv_ESU1ru z@Z5aj%5h>@A8&%79@dzr2JkCPhh@%6ekLLg6fk5u6mk~NnsQFX=eFGVmxwcyaOLo6 z`w;%L)w*7@hFW$>aiN)0;*@%fjW|~A(8kKUUo{{p;;jarrcVMNY;vAIuYh;>aNxzP z%UuVHbNWvwzo^b;C@9V88-Ua`x7Z$`Aq$#4(@$~tCgx6dFy>B6Bl3iyxA(TOt?o9aboPWUG0+exi`7P{QG1%kOF_E2m?<2x4+N@l>=Wi?c$$Q} ze-MxJgYwl=YvmG2iSIa@?a+smiO!$z2y46lsWf$KbtNf7q;RXfo4f`cU9>tsD5}S0 zyRtrC&>j+AfJA0YQ9Y6B9ISIfvU3=uNYNUynufI?P3z`{dh5{2=BE-~KWe&mIzfKR z@Ie#J>AIqzk>>u9r;-m2^A!0YJVN^8w?2R6Y**TpIz4*CF7PmwMa36%$T;z&+x2$* z)3Xn2bS#MH*H)M22kS%)^Mje)UKg&c&Cyys<8}>y;?KCE<2Xw17s-=wB-1eAx#D>x zy=0na4w0L_!mOND1MF%<$(~J+3tVdTPwD%Olx6%#-DihnTb(OYO2r+dPOzQ3VIdh8 z6x6kp?{AoA6AAC?BUup)(rnt^&k??5@BldW>AdD<_gL$a9?&~acbBN zN0VjKZol&!DhHo9m`385p!3F_@$*hR4|)x=sqz<}x?|RMAEy`@7xmmoK)doSv(x0u z{M51{W!#)%!z|0J>cN6B0>{;OTV3uMIu3GAFXPYkr_ZfCzXLmV?_Ck&p_y)5=QG6( z>_PnTM2Hb*zZfz`q;fU~QGNr}@oQD@T*Yl@FJw+A3n)H`K}c0TdNBEE<0~vYf!vZ> z<77}EoTo0d#NtKybGJn;S%T4$&o$5N2*#ww10VO~Ka?N&Sj9|@p(((GKTjrD?J}lo zJ*-{XNVHfyazB@WUxm~qrN!qa?rW6vC*SobR6f_uRYdM1zWu}A2kx-5nDEUUR?$Ja zy%A`<%m3jnDMaT*_MNx(O_nS1Z*QRA8T$@t!F$jhVM3d&42NV7G8Rp%;4(umvwvm2 z60tF?Rr*F+Z$;S}|841rkQcp2G12w8h|^bjy(*cN1d!_j8|atvmtPHxA-XdPTKFp? 
z&$3(&)$w_(tS4XEc0BYUB>Z%8?N_GC_}FnWx^|-XY`F>~xx?9vvX!lxqRru(6#lNV>5fi}eyUA8aNO99L>VVEC?iWbr*F1g87+O8~ z)nU)}V@AC^0imC$qc1*trX3_1tG~Y46vq_&Xpl{!w%_{PEWD+q@m64?xCU)pdH8dY z;93^CWo?A-+%hfI{-r~-QufigE63VpKB#gFeXi%0Ipz9*fiE*Lo>M>lQr>-&%PpZe zm903YwIAQSoM?YF5<9Y==$+NvIu+xp5Nj07*;lO!HsNOZP?g*HblWrob?Pu{@i=!0 z1IY{Gn!}j2)8%RMWvB018h(6N7=nou>V5+Zjv|AuvN9U7)^CF7$(%$e1(m(#VU+L^lSZkQD>^DxOu zPpV|>iwN)HQ*KgvX_`$HvknQ+r#>&^e3FiWQ^7Bv^IB@w30JZYFZn*d@=UH2nLkq4 zQMo9)u5o5dXU}!0&U4VJ{_LZ{6MJjF|Yq1s;N8JDd4G7kce5lWP?6e zkYw-!((s)zRR47@3y2_y?c z=L=NbP)Tj-8$)XaZ{{U0HBHXDG^^A5^;<>U>=xk2bxXIlD4iom61h@nxlB`^#5;iU ze=0n4kE~jN9%8d9A)}t{q2wcnS*#r?jB+d-2^o2+=KbV@`-Jgs3LS-qg|QmrGFSW(>=KR6q&2ut?zT zwRnverzkt&iP_Q}m5k(mUG^=F(vhW|N2ifv(Njk{NbZtU_!kZ)xGYsN$RxHKexGYC_v^B5zSK@XJvy24dywh zHp1hTZ`tpp<`glkkDt9MnEYThZ0-2kq_XBDvP%41=<)m)ThI~}OC9?vKi@oLz(#P8!Nj&jlKkG8}O7}s>gN7WkyTTxTX9Sb%^xVvE zpS~kYtp8ea!F!#m-T)i7FZ(zmzgE3SH~%>AXH_$(q#`qZpiMS# zNW@uteDteIb5^W8uNzzqLCrO`oMTDqStZJ;J!IBMaVw&CE-#J$=$4(2`|Q>ky>#NouhftTHR$tu!=HjhGJ|Fhz=ih- zqgaE(i&QVyCXvlgRec<2#WQb>y;>^P{i*s@R-Sv31hG!Nc!swPEa`e{-^~iysiw!1 z&Zm(6g{b-niG*6!i>xo)FG)AQ&8K-b%~fT2!7l$2i(=%}`I^N7czrVKtpJVO!MMq# zRtcDyWU9*xPUkI(+JqSzkyo|QmoH>Pq#8KW^U?IB_Y~e(L|(5l7%Jx%yz(sR99z1QkZ z44iDvC!ZegE@59ND}5nQ`S9@ZMgQp#S8w6Ku&Ok&vyN9@SsfNVMm!Me0J+Q?vy#0e zA~Lt2R)W#P`vNy#I1t{9Gs+Ug+)=;T!uzG^NW*ofL4V4~OnT3(ds66>+c$4-=;iRT z-#PW5%6{1(>1KELpw0W*PaA~NA-zfUL5^M{u( zvKWB*DR(+?v#}Za*f!i%2U$>2&Eo3EXmK~>pSI8(woa;=ziVFHR!05 zb!%IVc6$EN@#l}u-qkPci_+?rPI+lt(lK##t=Dk>TG`t34HN$8L@!e*_W(Sx;cvA7xYskp>Jz`1qitM>lYmBW1clyBKA&5yX*-Pd`+jE=9?R zC)`phS3aLgs_so>5m}Yel8YQ5u1@T-5SG8zOqU(%E%1eq9xX39P~&n#?F0Xl^bFJ6 zXL{5EW2n5{T^{(7rG2PgI46CE4Jv;weJsZ8W(SE1eOF@30{x`ic;*A#c(pf>_hE)t zQssEgs}0d!)8?YBPUY*+U{fBrnOGGX%gA7B$ zgnbG0v>_uL6dQzJO+81{&+R9cRL=>Zu6#{O{H3RQUt@rTdFz=*XWTaIx|L-??_*~p z^t&O$w?nM6#p{Xlk9)=kp6?-i&D|BVN{Hu{c88R_?F9Y#V1C3$^HUv_#=R(`JR)!Z zMK;lqIz>u2nF*Wu`>!U?*yPpf$V@6bgK2H^5E5j$wGT>jXyX_cvdu@HA0m5a>Jy>a z&4g}qtPJH4{8HOR#$QTlK`2N`%+H5iC`+6$^duo} 
zD{Q4XOeyRVi7mns_IcXzv~lhMSz11E_l^mQ3m#OhSUKSS{KPcXvsm_mN~gzH+ow4< zNcz|pBCXgs?ATw`T?!g7lle4fk8Ypjoj)!2(n`T5^wQgh&;XaKy7wzdyX&$Y_CGZa z(S;Obx-NHkiG3JQdzO~vI-G&(Y)O zva$-Z>X?z4@S5KD?GZ#Fb`FH9Ott9CMO7&seaRG7HtaMRUDJ_7jcxL`pT(<)pH$D} zXjIGOI5cp=@s!Z(xzm!`Ym{;KMF@h8&4Y^+F5G6IvmI2qrov!lOVy1S;&&eucxCnZ z%7A#94p9gfqoMhra@e~E$@UEi499(*d6Rcvtx#x7VED40UW-Q;ZT}hVOYu|mE&5C& zKIOVG`VyhbP(_@dFLBUHBsMa9lF}ys)FsX@71XN+&RYB07D^K~icB@Qq%L|K>+^M9 z+bj*}cY8#+F|@Tg+&$Rp;W57vAnG>%sUq4#OV4dFqr~mbdylQ9@Dh);D7>hti6hj_ zGowqdKBQTpnogy?jXUtM(F~Cr$=c-k?%enxEzeLl0|oWlSzPa)iuEa^u!qp4bw6>O zSu{(xM(fnkwI{zhm~Tt*#{UdG6_SAakZ?@IJ;za&Pj)x%f1UHzBH7bQ z@`-&9rGx2s&gG$dUbNS1<;I%JFSc9|&74&Fe3gEL^*S`dtl%u@5HQ&IP9>5&b zvgicy@SH_{?P$gsuz%aKKMJF>7AhEdKT)$`c*#bsH7NCUwD7b%8V{yV=3E}qkP>#L zI+9E+QN)JbQPU|DKOiPUvE@0VouIAOO`Gu7UNO%xoB~lDV@ptk|yR-3dy@wJ1Jgu4iZFC6r?Qh5>z73U(HILK)Alqb~N5( zA8zRWcv6`Hq?RA~df#9LSsPBg6g5x%4Smy>pTnNLi@jIUT64}fUeoL4OP-8o^T5Z{*V1ez zD-hEkJ~1i`i;)eHy(BuXwngs1Vg%cs3H0+g!7p=y5WgEt)=)4s$Ie8;j+y*2XX%2K z0UA5rpl)W29d3Z~Ao+;6&ZErGruGmX9$o|ymjuQVW2<6gV1%9TB#E8>HgocfdhMJm&hvnok zHUXHh5O$ysDRy2*UQAM53dyHvrKGNJh&DxwT)OIPV|+~qg*MuHgF}1(|JDI7T--xA zTkmn`u}9vAw|$PC9|A($eR%l$v6Uw&uqVbni2Lp5r+Qo^e1bzqD5-d$hWqfunGQ2= zb>SS?-dz-DWf|rPetsfw6NltIa%H)!d3ZK-Q$Q-pv_8z#EYTah00#dGJGj-E=r2-o zFkm30eVBWg`;CCB>i`$})3QhV?5Sl9k8$$ZiRFT;_m3eOSUbOT3x%T}SI$KH0*dzDRYS zm1X^+yV`+LA6Ku)RHIwI08TQY{i; z=21<{+`>tg-k58B;&Qeq)+B%BcJcK1!RQ(vu^qkrHw(BK{RhS|nyMK6u_WtBwuWLY z7&$8BiDr7S0j6N}9eVCl=$+jNqg`3jim;dBkrG*u9WSzCS}Xim&tTVONQ>=k z{5K19ZZr2^Ee5MCZl*X+HTkU##&a)eI^PZ(AEI6>dCuy=d5rdN9{JbZ%)Y)8=x$Th zZeLCAE|7&yKlUr_L=90}WIWNH+I$hZo@a0T>&Abtgqs9z$6m>S+p$+tIKVshj0yy+ zJ);7_YR{-}K(N{~D-f*qj0yy+J);7_YR{-Zu-ZE+5Ulph3IwY?qXNNd&!|AK+B+%` ztoFNs}s6epVJ1P*Y_RINs}s6epVJ1P*Y_RIQ90dDt~z6cJWm7I`%*HM9;P# z0Y68MP)FNsvZQ5g;e@JUGzV2)HEbr(f31-=7|W_ZLQK%T`iVQIgX7R4#xbM0>~elEXnX3mDuBHI>Dy4Hiq6*q&^+Kkg% zI55UB$13c96@3!0cygsrf0(l%B;IzxTF<|x@%42im-OIBPZ2#>1xWmNY~qs0G}nAq znOPyv-7OqN#~OtVqs`bY9FIa1JM+hzeK#6AoS!u9PDWj5Q16^*bD 
zH644(#xefWdv`~LNh2^&!^b?U^9tem0UCyQ7-?QI55Do_2^*}ft?DO0HYY&9u zMQo=A{Dta&`GIh12QKe=ARHbp4&E*YARyeo{X{tI1L4kM9|(uD@4)`;`k%Mht|1^i zM9r&oga@Xqa@E$8i5W^Ie(u-j!X;?7x$(v-5V6x3QBH8Gx^r*guwKZRFb>-+2X6oY zu!4V)BdmHRw#RRSyR~(Dxqv;&F(*^?scWQSM|N$|NVVmH0^?OMv->T0PvCpcp(V9W(8ge1TR{Gmx6!g`{Y;KfLE=-dja5W3-D$Tc;5=V8wlQG1#bs~ zH`&481AxD>0Dlky{>%paMbKAY6n|j>ym1NMxCC!pf;TR~8<*gXOYp|!zjfo%DoE&_ zj?W9IpL)RF7@t&DxkHH#d&kdKT`t^8r}Pe71la(^@PA?~kTq1w@8wOi8>5+GL?|yk zQyd#OnxWQa!68iF8f9*MC15bufC~GJIlgsD!Ss|&6YT03JF>?4~fdkK>+ZkF?2nh*jc-Wgj1ipR5`+w=NeBfzw z^yeqezj`bm0fj+uC=BpeJ^}$eCXdGai;v|a@ML^`EFT7i;17&H-akE-4?zCmWBG`U z7>A*<3W%~{|$6lBi-5!I#9?Ea& z%^z*kUy|rWF5YMFKiHpTw4d!1Gj^o&ajjmBlHe@dp(E#Vcu8oS%cwE95+ngs!hdr( z+;m>dVec29jN*B)N&ubo?0m4?aFOQz6K8CR!qKAwsSoBCRTX?js2@^dE8Hou<&U&$ zsEL}P_KXgGXYPlxlEj^S#oND?(2NNSt^`Q{mGIvh4xGRk#TCpisw>Y`4!ZPE$0D0F zp3Y^x)m`a%98?<1-Z4+V&?btr<(!*dB}iEoc=Ts%@XJ$rpTwK{=Vp9Tmf;y{3GbJJ zOQf%MrnG0wkC%uD(Eajm|J;yFZDiTA*hDbPFzfjH>%rcZeeomD-b_ILT>s0{0RFO$ z^cwZFS?-x;5HQFvAS6%{e~cz@(EVvEpd>&^{HcXMrl2H1Nq~~rzyK(T4TOL$0ZIat z#0CaHNo*hlbO}%rpd>ah07_y5A)rfuk^m*KfdNnw8wdei0+a+Oi46>ZlGs29=n|kL zKuK(10F=ZALO_=QB>_re0|THWHV^{31Sknm5*ru*C9#1J&?P`gfRfn204RwKgn%vq zO5*=7Nt9hrn4O+0k==0opI_vVUm#y4u+s`nIXZfDq;f7=^noka&C^aAH)EZjp+w@t z#GlvBOJvO4P3+UD-v&-V3P2V7cLu@@21~}9qV?>k1vbr>FVbStm|Lc7eH^D-Rtfau z_bV4 zAmw&Y1Y8Z$0?Oh4BF#dS|n3)3k z-Ubuoyu zql*cJfVd(=K*`S0#=u%cgu=wu7@v^@jlur4w=cO##B6QtoPo_;44pscDp9bowW1J^ z#_vkp&e7P!5u%Gv-~k1CLe0d;8KR3qqWE!G9FWQbjl=MxpfD^Bf7#w5CC5|90KS)3aI!{05NN#U;5ax03-t1LaD8W3 zuJ?Rk!{3Dk!vOt+L<53ALjkrv!-Au*KpS57z)--T@oj6JD6OHQFDa+-Wms+$KX$$E z<9^@w5eNhT1h6c?U;%!&{D2+)E@=ofKBU0+8*pO!LJ$Oj zK>=6+kPzgb{rk_j);m9Lo%2guSUUsZo`AHqfwPIEiIJT#5Jf7O*qS+;0|6cq*bL(2 z>}X8u|okuu`w0CRfh{ z(pQsFTJDij>K>?!ZP1VUv@@HGqFj7=t|xi1n?h{I;j?b89z34o5@Lr^iV@l3dH326 z1(KTFg;5^+$Q}5OnUUdU2-SUV#{|+--ePPFo@`-fN=p*=4G<#}^;L8SyyArpP`=<# z74xtXKgo1(r=hHbB|})b|AnKyQV$M?a!Wt0f~qvvs2Dg9+9U-VpY-syc=Aq`P^XeC zZ>9Cdo)IX&P5isid++KfLvMx!=OV5^xgW}mM1G1gzat+SrD4Cl@~L_2$t-~|+imq4 
z0`#^|YR;ScJ#F5@8)nw(kc8q7!yT#VZit93TWXkGxp{eXc|O);dE#|Y!+pCmOOutW zdhy;8dQ&tX4bIatLPb83RndJC_Ia2;MRP#-f=?n^-uX14pHNEcA>q_%Sy9Nva{iO7 zpAI9Y=bo_@J{nnAB#9(sX-#%%6Ft%=Iwz~gW7;#~wsU~i;o|DzkX;lXR5i%!CiQ!g zI_&*odC?P3Og&CH@M2)nM`$yID#UdxQiN-$?)M@Zu>@6A#Ks1DGalX8T6SiN*O%jC zG!yZ$M(BramB;NxVyK+TGfPTjko*!b!4-JmJ45E}FU13^th>lG`1t6tYfp7Ea$C)JSyB<1ANxqbWEzHg zk`a01mZI1})c}KDwG*Q15eDU+H^ZB$!qB_uSmm;rk{IHq+KrnX*)KD%%mHPz6r=REY{7x;9@?fZB0Y?>KPmSeK^z z<;2#)+c|b5)!BQ;FFDlt63!2Ghg=9+u!v&8os7x~ZW7F+t@2H}&{0Uw(Ph&lPQvZr zpQf>g;x^q|#$hdH&gZ%CZ0_k1pd0Pnwi(^CX<1p$vWw0t^_;C8DHGP8o}B53Xvx}n z(&=p+D!7C{n><1xfuUxv5$z>iQDPHo+3ZBl0IK`^%vRaKMD!2=Uoj=W3GzVhoLzT` zCgb5$=N!$#Vn!(>F833^RW*FC$Wtd+k4U0;kpMH5Cx|OA3Dg>RrwDSGFa^*) zwCEB^(mjXU7Pogx2bd-zYT7DK2!@|D_KyyCYMid<2(>ZtvZTMKx|LRKZ!+B*&5Lw~ z+81{c@kSk#ETNM$m%I_Hab4Qrj&Z z#@_9X$l`C&+m#)1W1#KR&ikaJri9Mib1qOFy^FB29c^6brncI}K z&!*)i*%V1^MkQY|_>O-8Zx0>k6Hmg&^mHjm{Zewl?KK%=Q$d;p4u|uw>&3NlS zK8>Gv8sV|6I5TKw_1WCsj{^?u9jJR-O^QAAyq7&aX8NLcX4&4@(4mC`*)_nNPHy3{<1@R*Cm~Hk$O5_SEB9hZf}GLsXLp z_oScAtSZTvboXddupIfdV7Tmy!9y+Zv$j^T+9(SB5*BMG%PaR@=jUrHa1CTYxCZV)1h^jZ zsn>gQoO^Ok9CJr7tU~QEg}^9vL)^*XvoBzsIGe zb!b{A-A12SYsA*>*aeftxSBEwAA%7(uU73sKC!!d$+j?&zu`T|!W$UBH{XrVy7w|= zYuNGT1cfmrcd?UKCJs7rCZk(CO!iAW>w1#f_ULVNg~0;ber>HtpQ6#d*J;n#7d_jP zG1VxwH_gg_l$4V1#I8ugJ%Mf^dV0$?^V|)Md5^`I&-kQ>Rd6SmIYveCM%jk2C-2~1 z+`+ADM{h!!Kcge;QhLLw)Y!h?iy4j8hr0sPe1}ph);Iy?2f(yjP(LudIohDI^qg3? 
z_jZXOZ&f1lKKVe>zV1@Dc|-*3I>Bwoo7f&#qifshp0Xalt>;v7slLrb z)0M16ry!X}_f$ticKOVuvrYNu47zQ$OVrwIXHGJlGg4XDuR0bZ5)Rf#3R_Dx!43wQ4SoAsdZk$-Ke#sx_(x19dbJ5hQP~1uFEzl5k+t0zf zoMBwyRpRz`j+d56ORqgIF5i*%V>3Ob@rm17Dxao#@WKrD$wTNmxgx)UmIjgKy<;lZ zS}0gdyX!wFxeSaQhbf+#%^ao3AH3Vm#wsVvYf;|&{5;>_jMvB~?e6w_)m{atqB~(* zl-%b0w+Unl>mOOIdUmgb0ekC1-m8xA(2rhLX|UFAX_XiESolvTQ@n1XGLYaB4?46Z zd57~2)9bI)cdOI#h8==RnWBoC47J@E3&nGN>d?cUNCwbi%8Xz%MAIZi4CYZ!**Nu}z9O}Fw7Tdcr==V}#=Q~3< zI>q!2p9SUKwXChDdl+|?5?9qT`7vUGl|x$z z=_70Ey3@s-@+oT=J#Eh;B(ka&;xX#wHOptXA~hRzdkn0EEW_M8JiMvY1?Rb_0ylCk}6@kvy; z1B?@Q_NIBS3X9Ng%wpx>(Tc&Q@rUzFd3_@l$=dWs7=-*;$cq&#T4tqbZJOTYPh8fB zt~$gzZGQKx!Uk6<)gWJ**SNnF#xT5YCr{zbu-Jmx$+-N?C?lhS7g{2LBR zRGf!Dd^FQ*<#{_ycpRIqx=+=`iQ$lF!8S~S(UY4GCb2sL=*E~nj#o`SF`qsdYf0-y z@6fNZ&&us#*2#X`LTpYCz4W{Hu6lMFu1i)&eD6*k#Arr1V&=1^Ic~y7w)-xrsEO^n z&RzX!_H{x{+cDQ7x2yNn8uGg8W@Q8pK7cf5V{AV>=@BWpD(n_A;rc-KMgB*gFcx}8 zqQkpi1w}Op30v15%CEcCv#))ESHNr=o_4q@pmV zivU|>!Hvi(r_-*uHD6j3LaP_DoR=pTYW45t_7$wDxn^2=v@=r}fw{&Vu*~u7RbiiK zo+!nQE>wY;W}0#RlPVXfMUEXrpGDxTY}~uV(kz@sdT!)=$t%YfmlN8UUs>=GINkx$ z?a>>3xbsQzMwDH6*H}!&sgOsQeZ!4=n-v&PUfr*&gCy&(-w>}z#B#igty<}ZFUI!kHhYcE2PLy`O zHcIfGbbx6ZlzL*SD{Jdp?-IPa{^_Lu6VwDn@Z5^4RqlmdbJy;02|PDtICpds>xh@@xq3oT|hSpr*A%A;UM^i6)?*cnb5AzV=%gpb|Q?Iabaq*pLYxD0O9^S%|p1vbHD|6pVO|AW%$%TSqK|tdO&}goH z;(DUD%M67j@J=I_yt$j2Q^98~d+abK8ML+!+r$lX{B;~&^5wVhqrCTg*PwKX&WRq? z0u3pQYwnx(HK-F^FOF*MKc;^|F~-ufC`6Gwzo7FIYuY-)`BP01NW5zrIL1>P>7LzgIT96$7#MCaws#JKQ-(T9sk<==x4_y5}?Tg!9d! 
z)0SaNf`?g85KkT=dR{nkCV2J^0iGmy_()*4rhZYCNUZPJ9@FT zWS=RxXolr`Zyrx*F~}T_PFrELQ_Xiimp=HUv`LCH)=kZ6@L?AlrnYj>+9tVa^=?dy z`lV9(DY9PW;%aK;778@2M1dDqP1fR#&i%@FZH_)T>(Hhk)BsLA+r&!N90uGdrG z^r|&}#$CXy=94oW)q&975O$iUPZkBt@>d$JmSlt>Vl%e+-CA{oE@UkPKx14W20GPO zD#*0n`sZYZ&}yFG)#_Y5!t{DS-EyLv!TBe)_6FxUZ@3u*I21a%+8Z1v5qt<`$&Y1W znMGsJ))-8?-3cbq#}6C~+9R}Nc3AgU-0gERz&Ebiy-uI;qm&O5M-LN-2Ulr`_j0R= z^YcuK`*w2&q-r@L15!11T;qJl<9ye#VjS8?9<{q5`@SL5>x$!i652bwm9~o)^3KZL zX6(YtW|2V}4{*(TN?carJfrMQ@uJiAn#CuR zjwNcN_R1-Ldv<8V ziOa*=5}uvP8m~E(<)71YyX19TTaWvPNb3^TS(<`R!$-0U0;iW`$HioQp0LuyUcM}1 zK3nVOlaqSAmyvO)_(Vs=4XQn5*9&`tX_M@ReQKWRdKe1QH!AgEE~Jz`w{|b-+aIEC zlOA)xMZw-?w`|e`7XE)Qesvi6m})UvIX;xU=72|oQMz(g=}<}ll^Yr4TH zrRDzpqFYGBS$Skd`pYAF(ss<()xOOMZWBw$xZ_W)xyUeez6tv0(9yUkXt(018hZ>m zcJzQ}r}67{`*0<0{aaj_NiE|fE|+AyJ>0YiWEKOQSS%uECNL*Ti?VF%i{FVS67xB| zXmE=d7-L~V8c#D5i%fb%zPDmOWC7jT9m1)^$QU?#V%5KTlt(caK|j`tZoo$dx0GrUc`9aidQmtHKTV?;WC_|k6Mh`R25 zIjiGS$aLYG6%p6o1z?-Pmz0pJMbb<5_N!Ts9xn7gUKp8%MF!EZ`z)*!MV`r8`QX#b z+p;oM#D3aywWl`W^yxC8#o6ex(+ZD#yr+8ldc7{(nh9wQetC`k1BQl@+U2d16j^gp z>hf_)#k1@sDX%2S3$D*376m!p-|g@;QC}&rKKZ0s_IjyTq(-@27kaz$QzWcOWeR(|D`4 zIaTC(v31?EvebdxLkXPwpFZ%q*Fj#GNw!Bk^z4>GL{6bTWAaE$mRDgovu4!3k-06G z6msBY9CD6bQ*0wKA@6$bUROF@HrkGRlJrdTxMvPR=e2dXcBR*Vx=vHo(7~f)Cw6sa=ADu5WFrDKETB3uJdT$;Rng8zPO-=(3n%kr<%*Y@+cXE&cTKSA2=~hOG#@`p z-cMw8rgcvUz1btt1KJMq8n3Ub79V7|QQdXA_!e@=h|ci@N1(07!#u3zEV4PfR z2LutqLO28#b6EDc(qTz0DGXM{MpaAS(9GOSMA5;+-q`)PiJ8&rBLYe?5=AoKb)__j zh}T!rARr+nB-%o}6)2^#4_``ykPKM8R%?S$bqmS%9rO$^I1#a-7{^y-H0I}+5NE-^ z&kXnxP*tHPK30$PzrVU<$LNt{gM9K#aU1voa`2zf0aL6{YfAJ@qluw`*U+h$lPq)Y z{rr70Ny`RHa-O{E19PJvi;|6klDj8u%JzXTAP4^m9q@T&_ANOs-er;@8JjuSB&Pa&Uhwm&D3C4F%gR- z1t8n;nz~8=PuGio7<$yo+F;;7pNP(V>IMPm{S#gleQq=UE$Kmt-~4R; zXB#?N{9PX0O^ePNzGFLfphZLnvEdL&ke}V<#`kX%nv>D>tWWn`Npl^48ag$Q1RcFM zMTzQYp)R`MaSPPfTH>va=u;#it1}Ve!K*V>c`w{SObb`10g?L1V!~jYBsI_MYWNUA1#BT z`VlkVw1cAhhLRsNfTH>VG2b?WqWYGT@3(-W`aUn;X$3{~9a6sA1d8grw0y4-6xH`w z`Cc0+s_(J#-8N8E-=*a{ji9K$L(2D?Kv8|4mv37^QGLtF4_ZJ`{eYNnnn6*0L&=XC 
zKvDgOnT_qBs5Ub4!(~uZKcr^E3Q$xV2>J0MD5@WG^Yt1~RA2M)H%p+X{)U{dR)M1W zijKcq07dn8?5tl0ifTO@e>)F~>Tl^;w-OZ9Ix_x#78KRr^YhnQP*i_$@egyLsQ!VV zwbh`g)~NWW8BkRJ#L%DXK~eq5#6M0!QT-!Df4l({)n=I@07bP~sz6a~mMKtFn`R0W z)uyQeoocgGfuhiC88EFIdF%@PAiHoGG}p>ps{vF*!Y1@OvJE!hldZ&b6i!^?ZBM^ zDaCqjTUB+(;Mgk~FK;FfFkrw&kdXhH7&I{l()ABD%r^u+b2r+tEY@wKKf*rD(l->^ z5Os{jy_q^f>%mfyux7!;va@^lps4Qn4t4u$vHs6r?n{1+!jRv2sHj+BX$v-jg#0JP zkiNt2TCs4{?j^m#t*U&&w$3F|MIZ(i1pG)^bA$<4@xj=1ApuR0|ynm`!3_zB& zqfn*zUY_1>$}#?Yz2eUu^o5Z>(*I(h-_%n4w$J2j49tMqa#|L~KxsKRP|9&#`d=7O z)mXyL+Rjnk-oVJ@YmUS%oSjrm93|{*?Cosvb%cSu!GBh*la$c-vu54r%|Ekk3e-RT zTp;;N6+3`KI8c%DPgeis^uN2wH2z5cy9-Dxj8E^oZU7LHZY9}53}pWm0J8rQ5R+~t zBp@OpB>DUfLL%ZVr1U7Yiwuk~gt~*{S(5E^svLW`;9>@=F9^u+`w=Bb@!7FtqWpG@ z_O^1`W6A)FP|+!04~l1*TRC)G9=+vJddM1J(LsD6L-3U&L&|Y#@!XNKb(+`hao}4( zUO+K`gXDkS8T=kEg*D}Njy}^2HDHpb8PmGP-j6h3U*>b$ideF=f49#4er=XG)}3RO zz%pZskx#!wH1FoCL7y-sHo9Ni*}AQ$O(9@LF2K!)6*;MA%0g^P*`W#_3M9W9vAJ$ z4U!6y3Mv&G{-CFVo(i6*&ivAOblpba*&ht4z>o?Islbp545`473Jj^hkO~Z`)`f?^ zG7Da%0o?I zslbrxtMKSo7Qm1S45`473Jj^hkO~Z`z>o?IslbrxSE8t|wgE#bFr)%QDlnu1Ln<(& z`Zq$Vs5kAGq9=W3n#g>7#!@R<EymgQ3?(>)br(;KI~2LadpBcjr&NM21)%cnrM+-wHASG5|6FGVnjmz=ue?0X~kQ9gqpA?7`NEt*xgrDFq2LeffkZKMj^o$IoTej2f;MlVl4ihsF z|0^L-OYbGsYd%Y2A81~+g^G^QFD*Q*nxAnvKQ-LHW2miWe@l9(a)K69f=DJz#QV6R z7q}Xv1(d`8$zdSrb5@gm#qeW%=u@9T8q95S(OMzM;%-X601pG^+ul;5Eo%PRs|40; z^9$HVQ_~J-hu-xQx3t!5O-Kr*5tU)ueL5T}w9I(jlp z$*GwBKm+sb$ccoyl$8^*?0-yR|%At z;iYQ&BlA0KSWT*mEc@agM9Wv5!G}1%^G8Hqyj=XkL@1-G+o|Tbe169Kh=+6W@8`zi zkZ;CbsrWz$gbT6@ih%$eYM+e?bOt;Ppcp_gd}aU?!x{~sGk{_M#jwTzD26pE zKxY8O0E%Ia0Zp35%{s|GD6#*gtPx>=YI7s(%Bd!c=J{AvAG*C>@kx%bZY z+`d8$t^`Q{mGGY&4!-+VTnvf$_)t$4pv?A7|1+Z6tS%2?_yqMFS@*{3qA&us4AS;Fo|#h=78NjfJh9 zlZCSfg@6pe2)=_hWYR)!+^v|ct(`NlwTq$i=bb57*aAC~h9ChJ?Hr9w93i^+6k$++ zJ2ev{pxa;=BtHg;1~Qak5LkXF6b8(}uvmT^4voS>FeoTL1_iVM@0T=j0=m|~(9ls| zMNSSlhO?uKk+X_{qlv9Ekm3vp^puIMF+N=w28#J@To@Pt0S86HA!r;P0|JAEz;JLp zRul{`4}KIBXj{Ye4Ib2bJlNmH1H;1jkvKG}cF?0i4pH-!yuKo=$AQ#)3s$k#b`uk~MFa!<&fk7jH 
zZiM4$`-}{Q24sbSqX8}vc;0}q~$;pf90NfH63}FE_&&4z?cIH)orlM}`K* z91;VAp&=+N<_ieGy4Hp%6#Auq|FJ7^@b$pHaq6E2hQz`F?}8$5>u{l#yu?s|*gkg}1OeDT(1ylBP=I-S9uNP_*Ltgm{l3*BPzV46 zaH2&afq{qu&Nl!oywk%mKpO!1vw?gK>w9#qcYN6YgyX~UZi+!bP{8Pef5rvFVF0LT zA@;?^5K?DvfyhQ?Eafgv#v;Is{N8J;f~1_Lyru?XNqj6Yj$3fOwn zhyT9mqhP?15jZRmrLEyY!2#39;*iLn!L{D=;lJN9;aGm)k$prGqbAO8EM{}*pC zAYKLf6`y|hFW!K7^)r`0;0;J``&C2+#J1~s`+e_60=&VIF#I27OrUnMV=Wr2< z!a#s{9|gm=t-<>o_DD*pe1mJf_rrhR`~RX10eJrxTz}Dq1ib%iTwlu#@eRE7=K%P+ zbAYskwKMSLM?l)zz}ZC7#K_LrghD{U#MaE&9D;&kfWZxMa&|N^u%U2|8xz)UVZ}Ip znBrN$JyNSS%#kGuJo|w~Tj`ATg%gyW-ZPfoB=@cyeH*m2c*c5nb^N{}nP?L`DzA2` z5Sbi)O@;_nbMXbcvm{ZX2PWD`j_WOX&DTmqA7wMCd zyRSUZbgD>wrNn>W@S9_ZmJ4xOyL`{9^WHKCjvQv4fut*;eHe+Bt}>va4ZNKbTCB+` z+x>h<6RM|ox_D_oKT2z-?9ER@SKPR9ymeHqBg5gc^iUaHj zr_{x;sWkl~-Ja$2#pIdd9i2L<%TDcs-`ODVG_|t@+jhs6n6++dTe54G@`{OFV+6+ zMJLWEx9Rr2TQ%idS&jsmI~Zgpp{Mi64x9=$3Af>smk=Z(*%iw8uo_+!C>+T(bNc*>IUu zOB2JR!#ktd1^PyJ$y{!1_bEO-)6|VAD|RpPny9`ks<%4!o~R*OUqqxtZ+C)zywLrS z!GZZtJ4^USJzLAU*_&8&ryHgc1oR1>Fg&s(7$M*#IztGlUlk#^p#S>4eo@7{E{dSq zJVjpR87KXmaMXOupy0gI-OI0R$97~EWb7C)S-LQ?=+byhW`u0f(PKq_r?cio2iLO$ z^L^0*1Q*l_NUN1j5vCF!@7}UU&B2#k^Mcp$vi*B^vxw(;OZp?=SN7ABR|*r>zpWp7 zYQ|xISD$=@?y0_Tnb%D1$Zlnq!8_FFovMxmWxu+al=g266d&^(!xU%P*h)=YQ%`?q|#wV6} zr*kZ|_6^J0DEfLgi7VX{&U~oJF|@Bv%II>k-Jqj7rb7Itz}cf}9_ja-)E927ynTO5 zu=`F52PGvs$I64yyKd zDT^*m4i+7usK4btsWqJ~kJekGW<&`{FXjXK5`{o z`=~GSvQt>`Fy1tkCzS|%Q?7FC5Zi^9*KnPR<#&fp9@^TXy4YkWVt7AU<>i%{foJ>| z0*S@il=km`>9*`w;zD^#ljL&^^4BueW6{;Um3IHG(%K z9GcH_h0H`zN~#lbT%#cCx^w2jbqd)d*AyQK$&7sx%(?iM?kd}3VViQ)ZgbKc<=uYo zQAQ&QMI!gS>{5iSq&tS<6$MTkjz1F#vk|mgFxRfQH_Ub1x%Dn*Aw#q_aYjjKyNM`C z3RTaRMs;X~*Jul4-VHWVwW`yVSEpR#!$-Yd?mu&7>&|8N8kvRNLoY9$+9@M5B^M!R*Cot9tegf_Wc$>b@u zd_kFd)3Lwaz8*o%bv`fNZ;X{S`6SZmBWqsYNR{-{##i*V8lUd^1uh&u`lhryxH4>5 zoUtd1w7JV>c*5Mmi03-j`2C_&;jG3v5!%TQy)Vv6#OK+B7D|bALr(B(yJ7urE_Vu{ zo~hdNxyU@OyV={r*wD^vJsVa3)W_(wc+F9}n#z3R4$r5o!pKrpv|^Z&+eB;Z8<9FH zVIRrD$If$sb}lU3EtsospL`&oI&p1}A4`G!vOi*w(MmQ>(^NUBPSw|Kk4(HTUt>9P 
z>*B#VOvpSoRjPW6mE>`gnWgY(9F=95@0;=GEB(Eh&67^iBjL`k^i*Flx*~gGtzRp+ zwd9{_tB8C*nwHHTn>Yty7!})j=tGCiU|Rp4cli~`Sw1q(f)q))s8h0|^WFi_#{}}k z(-*zVEbn5?5LKO@7CpHJb)6(m$K=B`&)DTP`X9t{mFzo-AxXK_vE_??ZdkxHEk*}E z72kKuy&*oK65ci2hm)0(!<>4Qq@epi+1u>+Gn{#c>)@?$k1?9+mqXT`Y{56YWVWUW zDp)9ukfyo@yVOUwUtdzcrnAS~|KafkRYOYDmygTjK(XSb$}+)nc0~N;ocHM)qV=4R zd-q;A_LWhEr}Q^wExCYGTk$rMNeo z*3te2S!|LyCE;_=QTbT`h9Gp1=IxtY{VQ;zIMOe`pLvSPOrIWQXB}g9-PfyjB3->qq}RvL<72Tgp_UD9*HZj5 z{qnJd6+zAxnOLn|&fUy5#NIEagFkwTXcShlj$d+6iO-)}iMz*DJ$12l@K6G!hikON zj#mc)xCUi&Y-$9Pt-RH=-jYWX%YFOj|6t z&nWx4U*%^5Fo>^ViJU4?q*WGRbf)*!hNgWe8oy&Blvea0jVA2PFfokh)X2({eafE7 zrM1<>OVy59uy8}a9_<-jr+DsNNx788kKbzu7v*$VeMq%EqcjeY=k@`M=CN+D?qK^d2(R;n_1= zgYlx|RGFuJf|R~uB`R3j`0CIK+whs5y3UVkG0%?eiSlH7oHrsnK%wTtcBf9S*Ou#| zK}dJ@1%YT`bRV><(@LItbl$kmrr?N-93;JQyWj{^f`mgCjys-H(R zZ*4Qr-laSxbHk`5)c;5lsmEIw38@3M+w#C z_W5=zH}SiBvuDr~r;&~^M`#68+=UnSNw+I2WA$d=9ijE)x2vhs7Tyt_Smd&zG~w~6 z_O$LRG9TgFRNJe~_UCt2k`Gn9xzerZODiu<{^7YAXD;kIwNNz-aXqJeU%)m5qIJq9 z`^1CMeG7axXHkpZUcAd$n5Q=E9Wz~poFx$gyHMMNSzE|H<#oQDjH}8UXgpNJZTRGp zUskjeDc!}Ac=Asn4f6aBF^%se&u{qh-((-+5anN1d z$VWpcd)I4W=i$+pcM$u=Q<6C!5_P{85w9LLe-33w&D}f7E1mJUNvH!!XG^^pJw>M{ zXtK5Q;}T(-yLAUc^i9L01lN+4#Xi0Km0@Qk4afJ?v}ryJEHyQ3Kjv2r0au9s@3s}t24ug@=q$<>&>~chr;{~ zvHp$R!Mt<4LuXYz?C<2Lz7Y3Z<%z1;W^p)VHQw{^em3)A1C7i8}>Xc3rtlB2`}SrpK;J9CX`_5<^k|wJUx7p7XIh9h^6*Q_bXB(1o2;b{yA}FS?UMTR@%0y;L5@sE^ zOP`TToE6%uf*VvRY0=1BBFMUQNxt;#EAF|*whGr{1GkSzj~%X4*~M+loK~TEkxpFu z;?6hSrU%~^UrMr&xP46}R#tz9V}IJo^E=Ytyo5JWM6I~bpElFjK=7xfi_QU9J!BrcBzZ$-#Iqk9-|qkUH}>SBIScw8{O)UUmPHNp#R#P= zu9C`louID1`#aUQ^l>StQ`LpOdFIN^DLi;!xT?j4YQof1_%Jn}y!L(9PySY;G^thS zX?owJ-9yaFjC)vy#vkh(!d}hWmmzA>{-SAW8gA7CU3{)RqCCV9-=tRSHh-VeJ0&d6 z?D3}v4xRh05n)RC_XkV1P(_g1MnnWRI7}XUdM73MIJuCuCsb(VOu21gt6+?u1@)}D zz4LCfS2#<9@E0Fk3>VdGuUZA>KlTuky+RiqGzsn7djISjWyf1H4`)iWZz$ zWJ2G{$7ktweJj%oZIf?f^;c%m3@amUeJjgFm`l30=RYiWqa25Y&${>AKa_2D^wHd9 zoS`evK~<9W(F|<5OcJA)o0jYIJyZnq#w#{j1JN|LwM6ub4RcLA-ZtisaNU9JkEmGos$bowlI=anVkdR4^ 
zCM;EiwV3s>W|Z%PlM%HCf_UxbBs&NT^T}?O(+V}*zsat^7&yh$;)RXau36>hQA{is zctU>m_n4&HHe{ zo9!9nj0vxWMk^m33zviEYN0gwlq8oF14xXjRtTfco+>_PmZe`N{6Xs79H%$VX_9=} zuGo-6az8 z+vHHW)e?7We6epwFPxQdHqq)0TF%7!dpmO_avF9-;)t{N(2X}{4th_BwHW%XK7S)n zdtpatSFrc?NI$owcZE-h&yX5qc2axEkiWY!%PJSh7l_Epg-=A=&Nyh{NbXCd*Pgo5 zeKmb9xZTvZt=v3bY7+5r2NzGXJ45sEbiY|e9#d`q%-&C83D$1}^mg^l1e>uq^`b9^ z1>r9Ey%aMQyVbTzc>a*~0RArWA6NMP{FMUYn|mJrSceRQr4W!cu`n}thQLq=U_rvp z+Rjnk-oOa>;fAD%tA&w?jH3bYdkt|5XD1aCM+rL{dpleF4tq=~cIo z(81t_L^~LW#kO*OY(GV+N2=;$Hn5cH9tyZb7^ zz1i2R1l#n7mgHW46fA3*o1HT$8+CA=zpi}sIrsu{@So5@TUL~A+rV-*`&;YKDudir zg0czr1$UoI1H1?tnb-X*jr+3M1Mfu4-Fs#40Aruvn?Gr^)Yb0Gt0EOlmLtY^U{Cdy zV~HX3+YP}ckcods6WS^9M50X>=Zfhim6x=fs6-Mzt?|*R6LGy z_qk7Lt3O{mPoB^)6*1A#u{D$C`0j_o_MWe1%18Xb#s9Nxyv|A(Vt<2SnXkEe^u99L zDnVK%TD0Y$^!#{R%qeJ5MN{Ml%G3HaJ4BjaN#|HyT28em2FTcBTUnkvw*Hcu7kS3koQ=vSL& z3-qf^Qw93f=BWbx>SwqD{c6)}fqu1VszATmJXN4y{R~&2Uu~K#(62U473f!+rwa6| zpWzDht4*^7`qieX0{v?9RDpi=GhBgwwQ06MzuGiapkHmCD$uWfhAYsoHq933SDU5^ z^sCKN1^U&`a0U9+rrG+jU$ra;6bVeO5;X1;6*#a;z~-_mOgc$5^|>VqocS>ccd`5*%BHw8Ee@r{jH`uC^&|m#s8W_j+$ zX(5rSj%oZyrRq})z$TE1e@PP^4GipqA4mmu?C2Mr(P=C@mN27TvPYN|5R$lduS%^nhX}5+?elmQ!jMrsoWkMKg24V(;r>cuWVZUuMKc-gnHm)oiNo zDgc{6CjKQ&R9p9?M8VA#rdAS)=Y90-LZ7k2W1j|IHgkSG&HKCjXlfyx*qDmj<%eQwXS;IN7;48ksmjgoFfC9PNzMO`IXR z0xFWy5CIJncV~!zoQ;8*iTEE=i9e=tK-EzxcV`)OXP`DGep49)1YgKj4Jd&s@W-+6 z&Bri6#(w<&=T-QX;^KDh5M4M1i!Zebhrp32Gz0;ML4h60ING_` z4UkyOzgOD;hJ|B*^0t4n`tQ~@AZhvk*gF$IsJj3Ek6lBul%!eA)oTCnUgwLcV_R z_Xa%t(!6|v5@ZV(JTZW^RzPx*)P!l;-@b2<-p_1X-oLd^IqyJ z;p;Z;YdmoH6s!OPs0aTIzR=W~dXcyzSo)~14t3G8!f{V!E^6MXTjP@YywA&jJ%O+` zL3BTjPhpZ)xu6-W{F@mFS1b~a%sz|Uxc6?Ec<#01n}QW`OP^Y9GSC{P$$zxSGifs^ z=e6B&@BZ#{iuyd&{bVYe{YQHmUPxkhl=0c_Ez)2rP=&e*ZUtfmx(cloG^|>~I|+ZX z4BZvzSwVjly4G;R0{2#M#|qB@;E@G92!dx;@FWl(TEe5?Ke?a$t_(c2hOqz`wt&GP z7`KAaKp10%;b0hKhxY;CEem)d1YWa&H-f&qQT&4y7`TLiOBlF>flC;;gn>&KxP*aA z7`TLiOBlF>flC;;gn`RHxSjmI2n<}pz$FY^!oVdAT*AO53|zv%<^OvFms;OKYk5sg4z9eKVEyub 
zzfGE#=7W*vbRr=$1~FZ|&_fd>{X9L;|JIyNL}UV^FVj7Jo70Ji!(;FiIuSW@FmdK|LZ&^!aE{D5-hVl#6Yt|Ft=tnuI;S%;_}w%bZTbCUxQw5JKi{;zuTRn$4NiNeG$n ziI)eN*lF+&4=>*Yl0|@kAio4&Y8qjY`SfoSI#o3kJX>n{A?n?Y)|yz&D|1iU)Xq9_ z^0-oBVYE-~k;OD$S4Tx}$$Ce-o#pp0K_)YA+*A*GR1 zQ@iJBk1On4W#qkhOh#h&_&!@queFB{lN&s%W*xOuHWOx&^gRzYiB z(~gKhCP09i@UL`-sOUaf{I0$gy+^~#b|%D|&Of@jFDdeFmW+DIy@&zS^yP(1_wEqy z3ym!L=)C3+Zo|JXqR_w2(4ece|MBz0u#4Jk4F=R5kL#I(h)pWeJ;+1_kgr{SSn>h)NC8+Ky!4;%gS zRsOlF`$A8ZuXc()(^he9SFU5*@s=lDn18;bA4+V%p4v^3{0ic{|%$?lw0J!&P( zXa2C!KVKD3f8W*mbZ$3mc1J1^sTRzAS9fi>wC11h==&19JBOds4fQss4j;BbQm}kpu@nS038Mn1?cN?C_rDALjgJr911AtFmNb9 zhk-)@It&~N&|%~s z=rC|7K!<@t0XhsE3eaH~qyQZT4hHBja40~BfkOd03>*s3Vc<}J4g-e*bQm}kpu;do z0XhsE4A5cVP=F2thXQmMI2546z@Y#g1`Y-2FmNb9hhdNcbQm}opu@nS038Mn1?Vtv zC_smSLjgJr91753;81`L!ypCdFmNzHhk-)@It&~N&|%<;VF9`>~d_N(1mf2)7euEV6+M@cRNDCZq1T|1Z$r6ae!uuj9aOX{_+4rDx zhp*%S%F%Pz#|OISYVXhLKY1J5eKHzyfdriXLft_R-XJ@61S4MVg$z}z)vCUjqG(R?mjH4j4 zb<+IYIkSjTNSs4`H=pPz%p;K~$~YW_%&7%m%_EUjl__K-?HA@DQ(OLE9(A~R`2SAx za5#jXDv^T0s}htcBo)L^5}t_A8*biD_NWfGhg0cBhYL?du8FD&g^VHL5G%+(+C%yq z;SjDL?ZM-Q+rycEb#(Sn$%r{r3Plw|RKX#~RwW_xx2h@=NGcR6hDaGSku+q@_jL>Z zlX1vYqTlM)Pjl7&IFbtI;vvT2R5%6`k;_O#>K1{l`pr5QS67y^m8IoRW)X&) z_0uG;|JW=7nT*sQG9F<@#Br`62}7We5VJ@eW+aZ2a$^;7xK%&R5&Ms=LMFjQOu!LT zzF9@ala&cXRTae05v^KeX=3pcEYfhZerj|6u~~QmVgreyNB-j7guy2(MPoW@o5%GlKwF|F`$ORrr{N6B2{hx`c3^#1_ zf=@s$B+`Tq>L^K>z%dMIPH|*}7zxjrUKx?upA8$S-Vc|0@-V5_XZWy@h6bzer#$eJE9&~Z>avEAuwLc%DUvweDc3a^ z@)o4%HScPIrqpe~ZtYNe_gaKy^vZwN!!0uxZdK$vQ8{f_^FwAzBI;e&V~mjMDy4h2 zZ*V0c;UBvXB}hnDY>(udr+DN&ZhwJ|-Hh(erk3Z2n;wlJt<$4@XR-w@R(`2+ZEEQa4_jz&14)>78PX-wSc_z+{uZ7HH zLS8-E&u%>1@I-Y{>*+D_X4#AWvT~Ur9DZv?)j&~*@&!h*Czr{`3uwiRe)F+x6VdXlo}^}Ncp6A$sNy@B6vK1S!PpfKs+ zEn_di1@u#h(Gmkux#?}gZN6MuIx$R&l_LV;2<;)hoC$>NRlB>!i>E_tWAQ*qwE^{&;`V93z=6)8ZrrC4~A1 z#yu9haUt`%OaW26!f38ghySgFly~p9Ief}2bS|l_T_Ci6f%u8qrS`frx7zr45t#0h z4`#`kT%3!Ns=T{gBpMxacy;v~1Et97H&rdkX|oT`est^7$=Ic5Q}Vr9n_5!j;+OT7 zeRy+JEUMmEayr#EGIZe8)ot<-;aveCZ<^bSlQlKvnmcb&>XtH>)D<1hS$vGQ>?L*% 
z*=9ra{t}6}3Y2@o6u-y&_8CUcOh3ERLgt?E8he*AbtnJJkm#EX0DUOn7atr zNt92%Qc_`}PM}n_;8i8=xa*%N+;iQ0JMWG*UG|lbcp353s_=S;?eh-Yx@+ID?zq9` zV3BP%Vu}qK$z|7Ztu3zuR&Nt@TFW>{w_;}$B;8#&dBghf1I2q1NL7X7UmWXd`mjfr zuTaN!yT~lF%`%tmh)2gTOU@rBh`1+KhCO}Sqx`{Ox|yB@P zNxs)z_6U2)^r4qu6*@oWZ~tejFYOe8`_1Co0$Z__Pa}%f93KU$J%kblQFQ z)h&-AoxI)mGgcoT7rin0PeGY5tvS-_Kt~vSwMS>dsA|-o3FPq z25aB1JY!1n>O8kk^JXiytu&)P$+tDQc-i>QUs0kp9_!|6+`ZLd97l}1_F=`n2Cqw5 z=}}v>c6yv4Qc_q+*p+&wCDA>Vwf-&iEeB3^d~|3$H_6xYxQMF$=@+eQ->98sH0}*j ze-cEjpBfju)^_QI?qw-r!72fLYPrOf*N>V$&|dg?He=pN8oS!U&O%N88I_#Ct8?wi z)QT)JU(o~|i}lZ?WaCl6wyF+d38@RWi93*1lrKQv_TxD@n;twV!oBTg<5+D=fkvfG zwFjTdrDb+5zJ9&&jY%=OIy|oT1pCTmaoVc9*O@-0=MSkBB@12VVeL_hNs5v zYV6f|XFF!;sZeUfn?r}6T`}E@vHn!WcYVr{+p>A#&tJWIp*4Axp+4wocUBfi+R2tLi7pQjQoT?(BIZ(O)s8$COf>JR^SL%M9@w+n=5-cqkm?{X{2Fb~$PW3D1<3!a;(<{y|vySZmWx=2azTfThfx=TH`<9#|_jAiWDGhJ$H z+r*aflp6cRFki*cwim8Cka%qyK*v1sH&c}t}!F`T?y*= z&g5oUdodT|hvl`_E;lu32Hxwd4~+Bl8ynQaQ{aeRrd*)B{S_v(VDn#Noaen%cMTHG zpS!hROh8Ru_)Vn6`M}BVEW?>GYCSPyQkyfbnVi;&yI$J}c@(QXwQu(pa zep^m{j@jJP=-P>!?>wuUa>RI7)2xO%|jk`YS;Y&I#8k?=HDAw+w z^`R~)VRd4qTONe+v$Mu#WaykkmFp>;_;}(NwUXvt=OwM|@#Z;y%{n)4W!H$k`ySfV z$iEq*pmt6h`*}`Q@EV^N8Fl10FZ$1*NZyyS?or-GmPi-bx30@x7BYj!#&XWvJvC#a zqt~}YoC|LKYeyWbH!O`EkX3r>Io~NBlQE|AY|@S_yhx5$%V(s-x%aQ>m!kETL>;b~ zReC>Rf3T;}xz43~SG34l)K*DPyKO0My&yVlZ;GGAnrsmx-|Bhei(mPAbxJ&#usk|x zStE&bR-)psiGB~=%~vdvuDGe#_7KxSyQ+^R_%3U=et#?Wo=0n6xsv28{fvFfc3fO6 zGFEAKcWPzniW{$bv|lcp_Qv7e1K+ZHcPwt?6li&*AF59!=j2EDs_Z0vLh9_+SvOz3 zLn^KEvh*qROZ@j<8?JH5A*3H#;&A>w_Ih)9-O z#<#Wm-rlh|vgfFJPvOSy?Q-w0Z4rGWQ&4}l&_ylTHlwXu_>-TC@6wYg-m#f4HwPb< z^lAQBusn5T&Ryx+!*z>3m1#HRGQAaNp0;a9nHdmyrr0{8tTE@Quh?Tv$E?f6V|M7- z)>&#UjcYd!oo~NOugBAVeaokNWXUSNzp7^d^p)< zPOIwqlC@!Jdym!}U?075*G8nNPpS0no2{9<=T4NzdF;>R54#?wG124Z68*F7!QsLN z)@Kfg9hV77rv~RH@GrW#*=~9Cib}uM-NE=+ndOvtDO*cLAqDLC(2fopF=xJOpN)Ge zwH8vvvG{?wF*k^3gf-MfYfcMUzxFp-7OXut3+0)#z3`#? 
z+UPrcF;*|CN)CVUG342?`J=fzkI%Z=uuTU}`({f8i`VUu^OQ4A4>oys$l!fugSwi~ zgo~c9FUl`@s5V1&AgzNqpoXD+@{gGOfAfe@!-N!v6;`c(<2Oa z96I@!FXWxxJDhj%Ciz{DSb~zWS%)V)H@z*Gdn{O=d2n0kE*tf(P($l*tEy61(2N)_k>Xdcvhu%X(Db9esVgnCD7U zbly0%2^^kK?AaVp6268p|FZXmGI)rkO`mOcSuJyXxFH+6 zd0FMkN%sVHF3>c*UT(`_7^_KhiPFv_XOJK@{KL$}v+-SxJO?$58Yg$MrvllN_nF*if49Dbl9+KzmYF9ah~v4hh_5VezZKT)2i!c zo!>ouiwyldeV)yW=y}%^Bz9OxJG^__b!Pj6$9E6PJU;oP_+rClmD1VgCkA_CCKpCs zTBnsWz*}I`aEC4UP*Qc6;&xXHyEcRc1aEC%gV-0Bxx+fcXkW4_nzN5qRVX`d! zUEGjIw7RsF3^$qq%Ow+_(qS4(3 z&Z9(xMG3;|hJA2{mydIdp+5qGJiPpTLdXYqW+ETl;o%iTvWGU{;m7j|NRB6%^G$GF zBr$E+=XQEORCV5A>|`gI&W<-abcaELh2KHA693`+*n^r!ou;bpIw>2PdZlZzI1p2TlkK0~uhOp#Q^~&#i2&r^Ss6@x=^3Z8GBl^!^;wRaVi&oUcWQ&0X1(EE z%l7`rXlDVz%xztDo0JAn)S~XxIY)Zc>DN0nmfF7wtBS8(wJ*OJ5&_7+voh?QGru>m z_rw6I*?yAc;=`Z%r}y2{+|jyo(k5%QNDry{;Ei~b$Svdv^GyssBy`<2cvEGX!1hT? zqsdKHcvf$qU%o)a{Pu~st&j*n{+*S>PB~?Ldkmfy z+ql#(4zXvQ8bG=D-RRWcZ4z?KpzHa;vErUly0Vztf}2T;VCCP-U~IsOZBG{D^D`11 zNo7G6CpFv6PrbUmd!aQBP2+^6&Mygz2uu@XEM7I?@d z6m3XWEK%x>lri~mGAWh%l z_|*zX)33;Umk!eO9gbhEfHeJz%4vn$5Qykfv`eezOG9^cy(evOt=?vG~mrNYiiN3}t~d z4Wanm0!Y*E=nUn7G!3En-2zC{@92EZ18Mq7;Fo862LkXmbD@rJkCaySvG;xCoq=_3!AWd9R0%_t76G#&` zoIskmp#;*z6(x`+?l6Hgal;9ui5p5FO=dkS6Xhfi!W$38aY|N+3;KQ37e=4iiWd zH=ID4xS<5n#1$owChjnSG;zZTq=_3!AWd9R0%_t76G#&`oIskmp#;*z6(x`+?l6Hg zal;9ui5p5FO=dkS6Xhfi!W$38aY|N+3;KQ37e=4iiWdH=ID4xS<5n#1$owChjnS zG;zZTq=_3!AWd9R0%_t76G#&`oIskmp#;*z6(x`+?l6Hgal;9ui5p5FO=dkS6Xh z{oj+O$a{__`kdd6*(R;fuO1}3RX@!2kdSY8ylO3fqm*J^e7DCfyj8QRn{4WwG2`>f z#)@;5rk_)9zv$mae;2NqR{wcw)w7;RgZz)`kO)Bjm6hRnbVYy4*;Qqqr1}reYcGt9 ztX9|8d~qXQifTnbl=SvJxqFjxOy@q z0+4@aWw_E4&WJfd@2+ZoTZyexQFE?KSyQptm*pMrl+;`|`!xA_o++&S+ZpVfBPCzU z-JQelx8fP7N7MY=1KBK^i!W!1>FR~1kck)^hO?xmhP4Xyr(v*mOI^KaZfrExGRT!Z zn4-^Q`J%BFv_NJM%Z(O@K{hpGG2JX_Y>Xq;OjjR+wW5WvF<2vC7dlP*%dgItU!!Gc ztX>G)z>@94rg4fI5HXx%T4-pXzaEQ|Y)2szFr0sbS)5F5ZDt6@kwBqhs8kGrL{`BN z33wc`I|CLo$e&Z@Z-WO{5pxkUST25n{w^$<)_G1t^3(EHm-aMlLT!6e9+;l~VQun~(55FlSzA!ZL< 
zGV+hR{rQp&UJ5kUmf?<^Cjn0+ps|KD2Hlg5A>t?`gbmY&$+Gl!aYHWna7Nk;cAy!J zrNi{~XZq3n*cd7rtIzOZ(^$xMI##+gH>Nx7OYuS49!TB5;D(SA$y6%k8`Xh(1C1zg zV|^oi6b}yy#e@7s4Lm^Upu|N)#YEBKVq?W5CB&s<6l7(jrDgClX2~fmAgZgW5~&m| zL#HKLy0&^0s+q63t+OlLldfSJ5bEz9;zXmn4V*`b2#fLxTk-Hnpaw3XWRX4d@o{u32Fd=K&%?(nC`}~u3rOJ2Edp3;Eu|zE4ctcwb2iXKWxn#Q zVTSq2mtX2k+`{9l-nl~Q@L5rTg7+8JoZR;TCw=#^An*O~#`BI#SILMlUPr+uzy&G; zILZHzGHj|k`LHz2y*{_L(2HsxH!rtXv-M&9vqC4irB5y6w1x!lPZv~+qKtDp<~y7X zI;W_2p}L<;ZQlN;`x+`2h!sq9thFm#)e&K{B`T}WE8se2DDzJjT9=QVS9IjKS8r`! z?nEKW57ke1X#MHFzLw*uD3P^h+Pl`g&Fyti7CYRPb#>;NubF@P%eN;+lol4FN9w#1bY>$*pVHpl({^^41E~utZO`)2Cnj)c#|Ki-y;t;q85RdmrB3hai*DHYN~c05tK#&OpnLv=qXd4p|NWuzM`spZ zjC=jyTza_EwAEW47l(LU42XF7dBx>VMcq*oUp=lBbuNyy!$T5~fI0!L@E;)x@?sxK z7Yg1kZohlna%)zcc!gJmLynhQ|BZ?{vEA|T9}oZn-xJv35ms_;pdL;0a}Q**XfD2- zC8nzvnnG5=;4qveH8reNs6P#ZwOi`yMRQ}Lv6exu?7Liv1YpZ7_1d7gpI)(`MS_)+FyQkzWf?3Lu2(q*antt7dDMk)PRT~BFD7Q z&_I7Z7AM(`LMCH4{|2)-ncCXS5R4-chsWUYBn*K>L<-`mRAhe!EM|~Dr_kRP53VBi zB6hG``~v-5STsMkP&8HtNztXPWVq1`ST4xA5r)kQqH%U@Li3}uJuxa|4Gqi}AOUCs zo=8BBj>9MsaTF4Ub70Q#FmAqRPAX!T!Qc-L!=fWL5Ha*XoU>i=#k)3kOJSq z9U_64Yw8l{{p}<;YlG)t66DM9V+JzVh{Xm75zYldU?FA?T{G&ByZ!l^4PFa0)|TOp zoF@TKCZMr~GzQ(1jhq*iim+k&FjWe{!Blb9~*;gtIzOZ z(^$xMI##+gH>Nx7OYuS49!TZD;D(SADP#iv8`Xh(1C1zgV|^oi6b}yy#e@7s4Lm^U zpu|N)#YEBKVq?W5CB&s<6l7(jrDgClX2~fmAgZgW5~&m|L#HKLy0&^0s+q63t+OlL zldfSJ5bEz9;zXmn4V*`b2#bmfd-Cu|paw3XCL??1<3av>d#u1CAjHehCx~RqizCTG z-{tb~@(D~J1y~45m=D}X33JM6qWVO4T=DE*^eWva$3p(tPHe{1qTRd08eCmELZdh3 zw$6rCpaGTPKgk!)2Kgp3%6bTwoAw!Am%mo3((6JFb&>BdJpN#=)q(kL^C!xLX{>O0 z*1L97TC3pHZM$I=Xh3E7kMf1AQpdTL2S_gSCzX~P8ZGzK`RJ%JtHY-EWoSr=;kWL@ zA1+N>99fqfo6&Kc;`9J^3lN|tfIEODAYuv-0K(sGD%1q12~ZRMCIB@7Y68@RAp+nI z;0{BT0s0Bx4&V;p4nqXM9l#xiDg(3*;11vp;0{9sz#YIHhAIQJ4&V;p4&V+$1i&4@ z9fm3cv<~17;11vpLj=Gbz#WDv1GEm{4&V;p4nqXM9l#xiDg(3*;11vp;0{9sz#YIH zhAIQJ4&V;p4&V+$1i&4@9fm3cv<~17;11vpLj=Gbz#WDv1GEm{4&V;p4nqXM9l#xi zDg(3*;11vp;0{9sz#YIHhAIQJ4&V;p4&V+$1i&4@9fm3cv<~17;11vpLj=Gbz#WDv 
z1GEm{4&V;p4nqXM9l#xiDg(3*;11vp;0{9sz#YIHhAIQJ4&V;p4&V+$1i&4@9fm3c zv<~17;11vpLj=Gbz#WDv1GEm{4&V;p4nqXM9l#xiDg(3*;11vp;0{9sz#YIHhAIQJ z4&V;p4&V+$1io_z=Y^|o?JPOIt^1JOD|Xhcof1hRv6tn|h~rmlRhW14;SH)qVHIdV zW%y6>1*?WUcD7lPc#>#Ci`tx{B$v;jGm{8cd&UJR?sf3*TYq~saYCtXg-y2<-m%)` zGSeJZfd*8D|0G|~dz%xOVm5~0+1NCT{pL-yiMRW1xEHPcZ&=j&N28ZD+ zsi|SDLj7qNtld&qFPa-0jkOGNWe=w4Gg-c9tOYHQ8N_m<1!9m*%~(t~OBx&Fh&9vI z$6&2!A#4oR$k&BV)Bf_S^X1oQ85*k>!ZxsEyRd1Tq6S0^5jm!Xh6eiUu{g3ybFG z7K+B|ASt@El?*qU0m}thH^Q)4K{U>;O=x~}wkJk~tf7JV0we%Uz>^8c(Qz0hB92PM za1P8l9>&cV%}GVM%r$ih^!|1d zoVCGoFbVQy_%Q<+Y{X&%gb3#XA+Qj$zg{yH{Exd`Tw9DIa;nOzsuUuLjG^Fh$^&nt+rz>3-D&<~dk89IWs)jM6*>Cf<`AeP#6S|6^s_l;M!G+m zL%qXATiZ;+TUcVaTc^WeS-{p<;+cJd#F4u7?VaqD;miX+L1HG_m-}F#K@C zNTW84j7P2;Rh2@VJ(35wLHvz|qdp)qCXHkyNP^ ziYkUkz$0i>Nr*0}a&%$P0XPIzNkdlYn^`$8(zA2cv$ImhD-(XIV=BXq`>CDz#~Lxr zxIqWx7>85g7)&H0&E^Di&lvc_eFM{@x03&HxrHEQ97C+kFvD(Btb z^!fdwE(dqYbw9?;Ih8Wo+t^(s`(4|DT=GMATWRzab!}yyb8Eg6db%_s{L?2>;j$wn z$9~1cV-;ao%H>>It$%6hKvPfZgW^ZF0-hNujb}f#pYwU`cZbnhT6kvVl(WjyR!!b5 zKxbW5>wJHhS@fal^U|V;kBvJ{ruKj8dE!VXMQj&SS!0S8N|v;EQmXmn{gkV%ni2Zu zB?jiF<{VTQf4R)aJf-3w|DN#^lf`9=7uBZp?>OP_k#4r`n(O$dl{xt*?#$EkHkSy*#__Q4vDaJg4O4uOVNX{$fXvujGccFA<}n+-3!ZyH(WH8f6;LZ4D19Wrz) znYnkm=_HyvQO%-I;-bWozw|F>)oDEXYeLt?<@f^+^*`w(kYD%8`@aUhBrgC}*2#9jwh; ztG$1MLZkHt?UMHW+nM{(H{~d2u=7bCFv9Zi)&1rzdlDyWNqy;)u8)!heRLWQx0%=k$fquE^Y-+k}!{u1h3e1 z{weyx)Xn0zbcH>UWj)Ta|M+Q*RBf$^)Anx>Kek1@L3kZCs2}Yx7k)s`psCYw9`-ZdlNTZ zG264u^|_#kf`61iRpNBJP8;$0AvfOJA)rJIAG#r+=JUH=L_i%!K+Q)$wIQJXLO>NG zpqL1#EioJRZ>GG2>Foq!VW2FD^E9UB4?#eg^OHtJ;`X$HX($rKjUvr>$OMXJ|WCT5@ZX4>g<<4s_Emry8FqvaRWW9rw{6!AD>%w>e0C~r6J=j zm>2zyMwCRKdKP8JlM!pHT+LYSd$gh9>=UQCmEAMi90L8OwA~N%o7r~7-;dgMg{8cl zRasN_Am`kpv!N4qyJ}e1cRxWif!W{be`(MD6r=46E7j;2_Zz!(Blz3y&ssjS?IX`o zqI}ftX640Tez=}PI_X$Uf=xJcM4-a+i0x2CrKq{N}nzLc;h5d>qDHRN#Mu5 zrRF`G!xdT6}PG3GZ%Y?V+haL1Gg_#uGY}!d)L=UpGU_%oPkF-kGrG5`v_CLr_lz4tm%4bz9Xo$a z`*2Qp>g3LAM#~qaDT~jqdx#nz^{j;9=Pz@ia?X?n-1+UOsP$>d_Hh*@%CUES6oZu4 
zdo(Ca8)qjy^I71I)y;(FCI?*pY$0O9Ebo~grETs8vq)8YbmOj+Y8;&%xhG=5=~YMi z+cK9WC?r&b&qY;E3NL(hi?+OUW5LTCW@zIlXHga(%Di02P6@c0=xNRL?y@UrS(vg~+w*$wg}W|&N$Fk} z3}qC~cVE(+c|PvRbAjz5Zj(^!HqZ4kC`k;@4mFlIp67e z-1t2Y-yCSiJ1QF{y6Dy#B!%v2jeql3xL$!}t?e6Gfti^!$G^H|`GmIYVk;?N7i;O> z@Dh`+u)I0JvOJ_T<*05m}CNodOx0UwPq4IuJz-_%u!KUfG zM>Zu<#?7cZTsz^t)j-Ze!qJo7d1>Ph%#$uYSkKF7sHdgVnmBz$yBjWc{Ehn# z^C!+_1iUm}@M%_zcktO$d9l|UI<~h>G}hk|yVGt$bbeQ{;>+A!SNXkr7uu>G-Kmyv zVcEPfV*~4p6Ax5%H}+&sQCLtq=QjV9%QnoYZJ9?}Sa-Fg`r6k$vz#;CD)G@nPf4ky z+G5$6le=#zFdrBMm>Tc7d((keA^mB&k*NgZ9psuT)}WIoHN7u5S`)Xi zq}_e*W)Etdj$J}c>t4;1`W4AHOX`;wHkaXH3@1g_)!=1J8auT_+ zn8eStm5^m7ziJkJ{HcB47WZ?BB0+M}^kv1@4_4>;IX`&yVac|Y{8Gxh^Rg_1-ejAV zu6R1h_J(A&ah*+zQ?7lWZ{Rtn3HeE?jIGw2YI+E_cifoeoaDJ^*_+RO(L1Z#q;ku5 zubR2VGBf&9qM*&(JgbzoCXN?xP!CJaK5gul-a0?*_-WA;H}ZlMkp*swk}OiYG@N6J9R8A>@v- zy_aBvQu|c((yAQ8UHfdC=km?$RkHMLkxu$((zN(N_U(O5YV-ff(GOkD65Ey%6_a}U z$;DM=r!~nQd5>b(-c#h0B4}O4OI1ZD9ADKizwKsNgHPMdz}kl?WD5P}P5VI3Vj(?U zqts$kei=$?f!{!0zD{#OaAB}vu2;ZQwFkv{XOGAox^;!!ON5 z%zaY7+|V%RjmF$*)_F#TrSI||GVc8LG^%DE3R;=6)X;WYho`o~rvc|3+dn!y)SPoD z`AmW0!-a2KBrR6E*oM%2-Zh@_X)Br|Z`@&>t-R>isps3{BIk{%xe@%A`YSn81Jw#z z_(i3A2IGhmZaW$s5Oc0B>Cbqb{_?@u*-xwN=Uz8n_{r&pcGbMjm`&X!)#H{XZdfv< z_2{0BUZsXQg~oGaCHICH8hOTV&eJa!aH4J$4__GfL6)-NW>O2sr(c$YRwku>X>KAo zi#&MS|)Yag(nw>rllL3W$lR;JgEeof~$r{6W@7tJ}^TXP28*>(N! 
z>r`e$fA!n2)}k=K_9?ex3RTtL;IU(yOfx7IYXgH)^X}3o)F_`?;WY1K1VzyBz+LA+ z^#j*8{3Rk}zE-2*6QApSuZ-M?+V+})pz_2<%aajN)3>(A2rk=iR2#i`O~*wSYm3|c zT|Uj#=Q7_4wKbn$6LUUhPBPf_HvUe3#)(gvU2-{iTRn4PMvc7EgLW5wIRlox&-h?t z{N=(&FB49L&ZzV1v|e^cRJpfp-r~xV`ILJNE1#3EoLx{6zI<&EcD>liWVsiy`NgKp z;sq%sHmT0F6&5rHdzav4O*OAYD+IK}T3=P5!`<`*PP-jHNnA(P!PT}D z-@BztTjU6~MH64P2Yy^PIrRRm^}!dtPw$&we&q0@H=Rl+WSi4JuPg3|RV|g(mHG6n z>`6t~948H>IMHCQuB%5*OlCPvsp)zf5U}aKlafAVZUH;hciW>UrW=+<=q!qxn5m4_ z@5bKR7elBgwa~||(~B5rqtr;NzLii;>6)};OGLQT5?r6Xgdxey5tDU{=kem#yKjkm zo-gf=&M>9=-5ukxXq|}_o%SK4i7?f$eQndEEW`L()nv~*+Gmm#)7b};OsR3JLsAu_ z)uW%9Ozw~zb81}C6C2w+y@O#iiiL?|W(!q_*Hmg!^&Y2cCE=2#t zj+1gXc;m~%4ECIe3-wN$xcSIa{A^?6EXPSo`z&5{;sOqeb?la0qOi2vqsy0Hd9Sy% zkK9umhD#Rt$X0#gB`+hrF5!ERD4o^$dDt?ojtHl+SQf+SVwwx#jp_Q^qT2>u@?Vu} z)_CMhJ~S!Mwjin6WXz-IPQ(hv!OEN<605XOy86=D1@%P^&P*k3i*e(PX_E6&a`weK>_vyQy0ml-wQf+A!&wYc)w@)dVx94PSH|7!Z!Dh;iq zDTnqMyl*87_9>3LQ($d;z3!^7S!v9P=~f|*#SBGRN^Zi#(~Ltwehy6+s>i5J@-V!s zALJ*SRjIOE)_H$fi(-ubAtUdFSh?ke-X$c9`M36L7~hx|c*k(8rhsk+V}Db01!H>7 zhbTGsq&lWmuvvI^TvV))lS%8=kb^T(LH4>9?F}&&ner9oY0B}Ld(PCkO0;jzZ`pCM zxxsoyKwEaA&mHU#Oo!aB$+LpED z(X}J$Em^kXk|%FFIHkL~nXFQl6kHYK_OkL;pA~(%ceUn5d7-DtdW#bIHeTL)G5*#A zc|KyxuJcb0*D;{3QXJXW ztApw9825OfWz&1BU_Yr8d#SNV4{>90f#q14iBm=2epqaft#R6P(?(;_M(NliW5d{+ zN*^XpdekH|c5dT~;_~i?5wQo>V6lNglqX)KQ!!)X#$4Etkf+iqO__w_Q72ST-(T;v z->;=A-CnUyfFV^>8}-C^M?F#8i5{pR5+kzupv(HH>UTc+cRKBRdX&7T$wOT~8~uLe zopF3CO$86`XoyOmJb9m}h>q%&9phSL0@7b<#ceaYzFo0PF^@q(msmnLZB zZ)|^fWnU2KWQqK9|J??nflsG3YYkXEd8pCA?) 
zb!SqNLu}oI^860HRGZ_c0^@q-RWbXHA&o)zWFuoW1mqE<4%3Ipvh;UxLq@WOkNs#f*nws= zmJZX`pXtXL!axdsec-37WA*iM-(c~itmFd55u+on$&Y z-ssRB1_>5^2jNQmhx20(Y94i(s=Di>Y-sA0uEpxa!hKthyz`}}d8<#he|Eo0zcx%I z|28B7kbh@oF!7~loXX13oNCu+Ic|zwB1q3sM&I=~bs+@6cFk|0b*|zIN5V{ANf5Apg$FuyfA*-oV}y1E^;ENtTNbf9jv!cTaOi z>&{7=tkohtr0Rn=;!PsAkSEMHG5CGgvQ-8Nf z$T5Si=Lg4%dq(NXVr~m=CM|-Me=mcv0V}pWS&+}qNOUBX1zDWbY&Spk>h|uH77fxq zd7VWqeJ;c&`M0+Zb@=~qL2&nrxZJ1n^1MH0)v*#h78ZEOB@}H)RxDBKjg&F@aO9o) zAMSXl7*EE+895>4IZ6H5K@Za>#l4)giKf)#QT|#a!ug7nhNAkUp-umEff0ADy@8P3 zdM!}<6T|rt75A3wf=O^U(3n5omfy5n|=Cd`{8Bf=DXoSdwSm z$3&2(ABl{#4$?Fdm7mf;ntnnuQUXZRNK}4G18MpR$p{G`O(Q`0ISHicXC@=0fHaK& z<>w@jrk|PooC4DHGm{ZgK$=E?@^cbM)6YysNC9aY0m@HFAWc6Z87TpzX(TE?rGYg4 zgk+=ykfxES{FnyP^dpfG*Fl;_#PVYzNYjr*MqCGJ8WGD6i6Bis02z4|q-kU>Kcs>* z{QzX-Rgk8UxqP1r()2x#U#x*N{Q}JQ$skSN^Z3OYNYgLCe3uN;^c{|0t$;NBip+QE zAWh%l_|*zX)33-3PX}olPUDx$AWgqSGdu&NX*i8vE`v1v63ws-kfvcUe!U3N^lLW5 zazL7f!T9weNYk&`e9Hl8`o`inOCU|Zf%7d3r0E-r-zeiW5i^H<&=0xS<5n#1$owChjnSG;zZTq=_3!AWd9R z0%_t76G#&`oIskmp#;*z6(x`+?l6Hgal;9ui5p5FO=dkS6Xhfi!W$38aY|N+3;K zQ37e=4iiWdH=ID4xS<5n#1$owChjnSG;zZTq=_3!AWd9R0%_t76G#&`oIskmp#;*z z6(x`+?l6Hgal;9ui5p5FODdzQO;%-*2^h?VRl1t8f@yNiV zeIXxneT|ELa$0OVg;8Jt8ffdGv%+^6N|Y-F(r* zr00jLCqp6t`FB=^D?QU{Y%T875zg|H1Q*)D7vr>FrD!#Spfh6eiUu{gu`8Sxw$<)?nhF}~C6e@;F z#Slnj6%3Jp$055jU@?RIIc5GfcyJXl7cqn7;uq-e!lL=Pg`%-KNQy3PCBuzoz;Z#> zjWBFh5RJ2E6Ph2L?TJw#YiMA;@CZN?@W_#H$X_KQo|b7#?2SaNkz;u82rIu zSaie&B8DD_oB+pST_)NbJrY|IQs6tbLm&`yOVkvDg3s z@`V**_Ru9G|G3+qFWKOwKx1tg?#Ou(@I(R{Ye-|zJ=qu{jzU7%FnyRTOMe$P0u|rAu>Ty3@WCAEfPp)C~-72q}?FrBc38 z9k@5ph!Qu}H_}J(@SspU$Y0dJ1C$O*Ttrk%6fG_`R!mYtTuMekRz_M{20vq#oWcU4 zx|%AHO3^ZOTB48)G|(MNbvr2LA5B# zIJaZI!`Yy7ih38S`^nVi?SHzjp>ly(!9>SeyTVl+5jI<*viiINu49HW|8${s`Pg|y zM~-{-*7oI26tetK{d9-cpYH2xIi89VS!<@fYt7r-UI%5d!(CZdXRi60`KP~pdqPOr z4JR(=v^l;h`1?8;{pr4j$_WuV8P=t=Ew+_KEuN$U-H<-I zmsx(>KS*=y64jZ1y04*fQ*K;Hx9Q%g9_KEQP^R7}FnZV*+FPFs2W$p1`Xo@P-t;AvM~z z1O;zM!HazGA|JeO3h$f3`=+CAOyIR>cr6;<-iNpM;q840G8t`S0zoDa3k9)I5DNt% 
zdk|zY+O`A*K_(Dn0zoDaWCB4Z5CA>e#sq>)AjkxQOd!Yvf=nRDWVCGw3W7`^$OM8+ zAjkxQOd!Z))Qt%QnLv;U1erjP2?UuykjZEp69_VaAQK2OfglqIGJznI(Y7TJWCF8A z!)(zosX0t)4wIT=M%|b|kO>5tK#&OpnLv;U1euJsF@Ycx2r_{n69_VaAQK2O8Esnv zK_>9|GWdKMd}R;5vIk$;(;97K0zoDaWCB4Z5M%;DCJezl9X0XQ<62SY;z&C@BmoJi6W|K} z5uzY3_Mvp4;O*k}yT>iJX2pqDcvU#$c)9i8sF)Mm9S{Ej0U+=_fgK)UCFcg}(KJ8z zKsJl!;>%fLx_Y506cr2(!&y>O!&-&<(=b@OrLJByH#Qn;8RW_yOwnhue9>47S|Brs zO&9 zh!`SrObZPS^w(o?lI=8NW}B6b-J{@^eyI${G6Lk~pGfMc>Q6K#$j z2`&XG@EzPC5{S8`E`i?PPJ**Gcn&5(z6?KRAcKuqY=98qTp$D%V)oEAqyD(tpRd{A zwLoKS8Scn=67XaK8f!>n&^_76c~Pkd8>SDFW$EwYhFtOCjI0u|rAu>Ty3@WCAEfPpRF40{-kZQf)xZD$GxmmLiBK4+s4!-;Z`s$f zFCj6;SYjAMNYNrG(MFP}$eJWX2_;gpBqVEEwAe}_O8m}r*Hm}qGr#Wd_xHaapZ{C8 z`@EO4T<3YN*LA&}nfEzJc{)<8A|8YOMs@DtTtAG*Sl>t=28Y97aOfXwt{bKU42S77-E@6hcd`6qQ!Ns;enul@zrMoz`pV+UY4OnfqGUxww%$Ng8GW zq5ke6PDB!6?mCQ&xk#(dp0G z#Nv}c70>|A@L#2coC?R)R%dXoGQt)0hDMt_bv`&MtQ@kP9tjP(X83J5@rNY|lZcL! zv6(}KicZ~Nw*Uh01Rw_x6QE!UAOHw|;U8dQKn_3-bY}qB0muQ!0my+)0LTHzf$j_-I{-NVIRH7(2>>|& zInbQ}WCtJzAO|1^IsqUDAP2fLfb0O|0OSDVKqmm?0OUY-29Os01!}H&GEXvB z-+-D_0nYVP=!#@a-Q=R6wWl`v&+KX0juoiTZLpo-M?1Ee){-qi70>|A@ZY2bz45%j zJWKJz$tbSzTOqTxbDapHpL-ycLUi?|mB?=12t`F@q&$*VQd2`&hx!wdDEkd=-b4Zw zfwBs6qkeADCsTY8C`)1>Ifz0a1|p$V%_(Gp6_JW`M49XABT?4G5GoR7(tgJhaep>%4j57 z9*@M}aL|TmWh}Hm0}46FpSICo7Jsfn_Cj`0T>S$5T`5FALMQ^I1GVT9gS`ku1BxqD zH$qY=K}6cFO^JRaswYwbuc3kb0we%|LE|yd(dCh{Sa~HSB<;Yo;~@#Y2wE#-m%-!%{4yHlAUVh|2FDhiQ z0Yrp$fgo6r*fGVEOZt)tfCwShsI)&iWsb%ygbwft*=WAgf6YCn;XSNSI-=>5MoH6 zn$s9lk$8;q_jb|n{cyVf*LEr4<#5VMw3Eik;~^WAv5H8vqB3Nc0?k6SqMRZgYNOkw zZ*J|fPS4&&&)!-NEr3RuVpMKl%?i!uZbDqtXR5H6g85*CS(he`@i8y(zd!#4bE7v_7r z@c-B@9FBJF(DKSiG#)31N8{zucqC3y0cw=TL$)eFE~h|i{L!#=R;HFeA;W%en!-Oe z4Ua*~VX(@01tc1WhKPMO4Ufag;gpo+A+N(@A!I+B_6reUao<~}_{}nXuPszadno-a zQ0&ts63FgEdhEet@ZUwBkdzT;$9U1w!#gyq&ZaHlu(@_L(slFmmzOxV2%fapN)@dQ zUKac8pl#^Gh$`t#c@G;$HL&+;NO zakS5$(4L$7sCYMdYAoyS0mZQCR}rYb>t}b3xmuWTA<93ExjjvuEWi8OuRnbHVwg3X 
zWbttx#XZ)2`-D!dbu&Wg*jtC`M7`7IkqdF`-kWjYQI*46l+m&QHN?9o2j8H+VDQDT{-~ItIEKk&*FHl;6%>FJkG#vvhg}%FY;{pxf>pbRLQAU%Xros$zD;i z<$Pn2CQv63pzUU-cg67HLoUjaYW|wg3l@9_cLyAc#ksDN{S=Yopnu2rYFqBHO%L_- zd^L(b zVdii%OkZR+u{%d?dHZ6qycIEmH;)i&Ep6>Q&z+yj%>KaC?&+Jfx@!D7mrdu&#P!Q9 z?pBr0Ouuz5Dm|LG`36Sjq3q}X%xM3&-^F_O;%3E*o9*l`F15dS(*7c|;BX|=7P&v< z^f>{+LkeziFCQ6XP>uFkyv*htg2Zt)nYJa_`aU;Jr%$naWY^0T;%+h_8VdUpr0lg6 zC$)?{4zjMea51t5FL>x`wf1sBnP-pI3Q}SS60J$8Cg}~!^S61FS9=wad9#ko-e97g zm#w{4*FM&a{KCjKUe1^Y7bDNbMLCIFGx^N$TVJzWD1ng zy~o0NLw8ry=4xnlr)lV{J~3I^*&EjEikjJ0t1TBG<1W$~=yl8?BdB?cos#dQ?2~tt z74}+sYWMCVI1QH;MixU1RNN$5Lq zTvl$_Ho9y<*T(&OkgNHs*H9X2Zme~G@=^d3^ac@Se}*SgTO#%_;T&2$8coUQ#dfob zCk#&elI3l+RpMvk4kqq^nteg$4F(QMnhNUpMVOczRw zT0dla4McV5M~e<*$l*9R#o)Gjy$|fI;>N14>NGyHvlQORcL^RLenEZBqNX!A>a$Ctv^UHb8<@bfq%~Pgs*FB0BaGVbrDDNmmP8jVST(&dmFaan%{^nT(2bVJbV+!#k6J3 z@bw{kl`@=M>yW5qPSU{@6^-?WIQ&wUEQSs0uX1NLjJQ{zD%6Gu-xRj0!egRF!vs$X ztczYEnw#mlLb+(Ln2ppf&&9f?!*$iN$GUIQ8rFB2NlvH~HSDwvZ`q%q=PyBUYFi$~ zd?K8>DJ?OeR0Z|6G4GRK&?dDMyVpgT?;Wro&wn~lufCL3P*M5q1ukK>dgkm%csD$y z`UbM-)&hQt;SB=^%7xCc%|ZvxwDPQ<8WpaSu#9$1^|zGlLx@^!NPnL@DtD0Nc*|L& zw6szD){;rDhacLm=+rYWtaH@%{doS2LP~szD#6=&y-k;ZR^BoaZl&=P=K?+Hqh8aU z%mYTDi{FZ@R*J}4?iDI@&aq*GvzYD2ORe{o7|VFv;j(zqFSWNe$Rqu_uS$g!udUGD zj<|(lyxw=ySL}(uf?DEZWy4KK&uIz7pR|z0MF!O_#vM4k;r*fwoNQs&Ev{uGAY->a z7`fWzJ>>Vu>H$T)I$3r|AzmB_)#rVVyJN#{MO;>bowp)hxZ13l;OO{J zyL5d~o5LcRMXfr6yH3S5zuYwvx}-Bw4Nv%^7LwE8J8KS#x+i-0jER$6(<>Moq44NGJNZBv5R)uPsd1Hk9zQBN2 zSiJB-#6-b{w*|K>O|1h<2r74s=cenT{nA95jnab4)JJz$RrT|!r@rHi5`1^Wu&dKu ziX4TLYhl{FKh^72=D{VXC{Cph*!J#2sl}(?24CCCbZi4|;M&%x%#_vS-4D7J=f*r- z#PQlXHtKn}A&zhgl>ze_=z7}EBFTyOrmnMKk@Zb~{I=vkD7o)x6K7%u=dB{CT^y?f z1AI)%-e)B|-F_8$EV#w$dCHO&<*Xc@GTXca%e{Ap{O5W<_UCw~EZG>ABiVjtTwC9~ zFEB_Ib=^x+v?MmLGcwWsqV!tvz4q!7&d(1QpVO1~8@A&-c{zYxti;?%&s1dP+1B)D z##8lMI}Wc=IeXPw+XU8@?lZC44DCNtAYW^~ zF^Lp%!4lKIWcx+9<>I=%maXWe)Y@e?ADRYBrYn-ujx`?X%$%UH%!Xm$1bjw7xrow_Fz3VYr~5ee1zC zYC{57tFGi|mx+4W(5&uO_KI_(N``4Qwa~ChY7LWlyxxj)efg`SKHSJuAH>F-&57_; 
zIFnk|b-@$ypi(4et;>kS{z!ui`zoHO_8srq4Q-Rly%(+1m14gk!BOy}Kku;jS=UMt zud=LaYwmTo``KI$wzb%8L$2B@KQ(A=veVKLxo^d8%zWAznE}qdAu^xm9#3m=$YQY0j0uXdLvk?m3d-d~Uy8{*wZ|zsFkJ#;N^77Pit1Bfc4c+Ni)|pEN1jz-|@@Q4{Dn5Ok!5IxMraxyh7xR$H)}N-R>!?uybgt=*w#=O>wop#9pi@ZZ{ze^LK} zTkhtl`yL#*yBuCr89EI>zqQsO@xHesAUh%sU)`UxOG00PU>a4zwZ=ohYT|;>RKuD% z-v+GG$)MTpcQ^JLSS(v=XjZr7wm=}4LBvk2l^%pRUg^9j>bSSPRZW?7-H=`)M+mpm$(4{iBaJq|E7;X3%YJTunSIfRq z?t1RNtC}sn>&Q8(-1nsd&V;uTtC{jKqNnG&^k_|%iIpme(&Mj73^sAD=N$3<_qHW zlfsM6kxx~&=#nR9Jar<>9#*HX?|hkFlQwW&;&y@Z8_kB*CwZP~zFU2=yP~~iSKNDN zRf}?!48q~F6!KLTYmrlg%?m6e@4th2sqFBpZ#LknzIyMlTe@fC!HOQswCl$4eeHzc${nVqCsQ-XJSro2CfaqRoP0 zckM%osaE^YRen3w28)c_AKIR`T*`5DAJ6TSE?K&V?Ww2C#^$n(5pFyCmiZDcHc5t` z$)OGj9=k$V65@VcN1(px^=pUXZ^eo8!}1j$t_29fP$Wh#mCxUZc1^-F$RG zz0i!ss}lV;vR386X$E8g8@XePEeZt=)%mv|AMY)XN_85Oc^q-l>~<`&Zf(^_Slv*G zPr-Yw-jH(DlD-rZ$G$OMRGF#NNk^-t3(Ghh)B=n$E}y#i3T+R?=rZ z^l381dSnMKB0k5xanRAZ=c33!`lfpd%P*{Y(|Uh-N8OpWh41g+ZcoL&zcc*mqkC+j zOH1j};m1KmlVfaas&l6AifvN%aUmz=y-0gIv~Y6oTB69YEu1VJ`M1YnS9@Pu#r#ZA zY5__9W4mjq%646ktgaEo**v0eWj<_LTLXVThn2Xk>?J31F?ni>SewQX^Vc#RVH-3q zTlDVZRcr1MmacyvTGDGisb*j~;AS;Yq|Y7{e)(C2%kIRM1p_7MQwuatjF5&h?o^eG z4PCGIRVWV18OYw+o4%~0l6m{&<+;v*Mb||)?H2A45{sfnPLBj%ubP-_YTWEhod-J{9l?6vx%Nh@f-Og1`2xk&aQ*7}xH*ez_ zxT)}vr;?*%bVu<3I{4G_{Sq!Pw*Y0H2#+-Vz$A6+|;>^Jut5yLv z9*%+=EGy1G^oGS%F4{cgjqH=!FxjbJba!|7Cg1mYPyK?#o{bNFwJ*Zr3h8FM1M2M> z1M$49s@25!#B3)H-*f4u@i((j5vM3CM0&QAj=Cc~Z(-Bp7kCYcr8Tgx9S+-RY^>Ih zy-34)^~$;Pn+7wo&9vuq)2zEsc}gN9&U%$D*&^&16Pd={lrJh%FSS0{>hjx8?Anm4 z%XexzWn~1Pt_wsPP;Wa{?#o%XRL|h^<){85O;tI0a6_#luy?|U1 zHhERLKQ6^|vlQ#wv}3zg7N&3K@p2Zb@@kknAMYE{Dm6Db`e{a|?v8lx_L+C%@sCJb z-%ZZVzK9;Ejfj|QZ5FSbdpC{}Ph9fo(@1<8-`Jywso4#h;TduDD84;K)9++ml4`N< zh&hVKwja#iHE~s(=jfUZ_d-}6vgUL$cIHGt7v8R1Oi-4aq*Gr>2*~uJ!xyr?y zWqDy|-S&!MTR#+!tDNiK+OeB;TTk=^zv_vhJw48H(enI7BPFb@kIX$X*QyT@Y|+QVbMu75HC~v1 zj4h*JoqM^`a+Xc{J&}2_=ER4*V3qT1yk&QarSmoJ;`~h(k9|1qqH!vIxx1$J^s=X9 z4Z;TI*pq8B1N%o#4auKepOx;lYPv_fDLI*fPa~1j){~fvhP!$&$D5Orm)1X8cHZ>G 
z^_;H2V}iPG(EVAL;}_zO5=IUDE}y=-)+tBY`DK&ur~_$x-p3Q%SphXTh14g$`%_Q8 z$j`~mtPH7dU$)Qc?)rsF#N!GA+C6^twPlTR`J0X1&0b*z6nI`*mL7P~eYrpV%_6>D zh3Qs}?8qc(vd*#Krr{gOM~?2lRD7scKyItw2lU1pY$M7ErjL@0`>0V{MXss&<(@}w zc{w<1JA&C7wKaqt?ikr3d0;Uqo3!z~62DEzOm|V={d;be7dGeGv-_&dR4^|(ZEZKQ;>{<1t>c9F7gMkl-K7a6oK-qb@Lm#SO(27b3lp)cJ z2_Q&4u9M zUdYYI%fl}uEg~c+D1??=DJrdkRaaBSDk*9iI<42zwbN5nGWWHxb8#bik~GW$LjB!C zoQNdC+;tcy2N#B87aYzDo2!8>h4#$EOgjeshm{S^#KO!Db*|un4$Q;`b<wio1i>CTYG28Xv{%|{=ErxrZ} zjR45M(-{(_WTpeBFU`T8IS5;sWPO}nKJ!rX$n!+uXdAT%5B|=rd(oy52k-(irUp~T z###*CHk%!zZb?rkiY}FY*=e9(ucBblaw+a0Xaqq1ozCF1f4^p;f4fDE?i_6YD4{=A z^U;`7-p!d422aavT{}%e94KXTFjv33Z}gK)LoOPOy*j&)$8)!?2(pE3A8s9}{CgQJ z4A>n1M5TzuE5Q+WGsyC?=AcE{XiHMCWuM@d3vWsXW?ZpPidqiQ2mF6nU`rZ~%YVA& zg3pJX4$3hP)nX6PW2I3i*ItvIju0}PI{(i74|h!844$bfnHN%@mpq#r)N@WaZbUem zDEru>{x#F-2- zSqGu%mstMZ2tw1}iTtt-Lenp?{H+m$roRFCbrpoBUvv3eD+o=01M=%C2u;7{@?$Fq zO+WJZO$~&m-+=kC8HA=EdHkjZLep=+{LlB;Kxq1&#&63YH2oIMcO4)!eFx+BMG%^P&*r-x5SqS&@%thO zO}}UJtp|jrZ!G31fzUJ$oNrwqG<{<+PYHykdEn5yKxm?)n6Cgr(|mO3eIPW^QOs8W zp=mxkU;994`buKnB?wLP;`!PMLep0g^DaSXnitQPP7si6KrPG%2p@}g} zAT%+;34|s_D1p$#5G4?r7{dfY6C<2JXkvsC2u%!80-=d9OdvEd!U=>XMks;M#1JJA zni#_bLK7pLKxkrw5(rHUQ39cfF-#ydF~SLiCPpZM(8LfW5Skdn1VR%doIq$|gc1l% z3{e81i7`wdG%>;ngeFEPfzZSdB@mhz!vsPTBb-2JVuTV1O$<>2p@}g}AT%+;34|s_ zD1p$#5G4?r7{dfY6C<2JXkvsC2u%!80-=d9OdvEd!U=>XMks;M#1JJAni#_bLK7pL zKxkrw5(rHUQ39cfF--s8g{Fvyj+bU!#uvm3O3$hXi5%2Vx5#eu#)HD|A>>?8b9tgt zx@4w4FWIc!c+@hsE;#n)h2)5%oZODj_RY#J#`E%u4?5P_h~KSHwCKDV*Vq>9mtGVk zdNO;s*T7>?6*K}M|4wHZxv(aC*7=5=760Cdb|1{!nmL$Fa)V2cWn5kG`J3If2c}nV zG(M==Jb^cJ$&~yQ+}}{uWcDeoWq3B8^lqDGdgmvx=9iNZ21Os#K_dY2uXKi2F%7dR zmEku(^3R@KGguN4(Wb7iIehmhKXW*CX4}+EYxG3xu3W;zkU&wlYUglYv&ZB%#iGuN z)W+dSGO1{r`bp3Tfc!h1;nw6ful<)u6V1=Yn@}AJYAziqkqsuk6rZC`$3UZ@*^y>*2EAh5@qD; zN+N21S?YXQ8aX3SdLdK;E2=A%NZZr^i^M|5wA9c*d_5Me*={YX?#qyk<;1NntV00M)Cjzps&i$!BFNZN5}$3qf)5wupw zEQ8Mrc_f7d*?>io0-+P2S*%M&SRj7I77cCi16w)>$XqkmK%Z|XL92Z}2h$*5FF$gi z7ZtMD0QuMTfmlIi(=Qq3@4Nl^l6}4u2$Y?dJ9M5HG!}zE84|rno>U}OUJ(beA#Wj5 
zto&UG&;|dVk+v5#(40uoA^ZB1{fK^4q!I$9@3nWBn`8GP=EIjCnAY3cOAyb!NtU3 z4Ttl>=4xOf(4Lv$v}4eJ;B4%yOe|2JG!JxKIO_ta`)fa(nTbshi)UfwMO#<~PMa$ESpuy#ajISM&#wxDS5%xM{G=8+xo9N zZU`6R^m@G;tOB?IX8Uw+lqEB{)8?F9{#oVS8YA&Wv}!9VET; zPYcgCEnHK2zR-L6!A$-VcB`qjr$@B@bYEY$gEw3gu^~ISwU6gdZpB_z>AvXOv18tN*;Eh@*fo_7c$TT8-O5^agx>k51#V*h z{k*Wdf(56@^)3EEng`b_ulUn_(YIT6_r^Kfi9}f!l}8C@`v)ULQYeP>&Oa?E9|vv< z+!VMeh^A211JU$P!|0doKr{tOA0&M+HvRlJ1c;^}n*IX<;7=&g8r5-`aGyuJ*)z6`u&54>d$yk$@8 zpC%J9$plO?0h3I?Boi>n1WYpdr?~`7G68RZ25*1{Z-D;)_lwGVuc}tZz3#3$x6Mgn z`+-O0As*EMJ4QZjuKid#v3tqrqX%3rTp8!($uLug_+*1{*Y%S%3t%X(x zbK-a!yc;&=c@t*uHb})z90mUY0)W7e1de!wU8|bwL=gSl1F00Et1qoYcJoFkDr1rI zNLoov4P_nbPeh{ZH@JBd2~-5iD#(rcxkaB$@kO94iGk!G3V|4igjO}DkO@{qD$)^U zuB(qkSrbF3NR*MUD~YK6WvTOJY2=JR>4i`Ytf;P3B5hLxERuFiOAQUg*JII|?G=?V zNZRk`E?TFyHaP_8h?Pep(P$hJgTq1_qLq}O{TWcmLH@Lj{<8RU6|xtygW~EJ=^Lpml*6tAR16yp}G;0N(my;c5O=ZBT+q(3V00-*{-Lp%N+3dOFs+L;~5J z_+|6Yv^^l_K+4mRVioZi^f#(=59j(}JjVJ)`Y<>g27^QYU~}Ct9T*QM7dIDzhkGG6 zA1@ETkhF-9pr8<1a;2!W3RYcB8LOnIW$3hCOV>_MQOVrb!p_Bw)Rpjh@?*XDNO$5tS)cnv@jQ=jJ*T8WWxWd=;ny8o(L;o3v0F z2un_XW{?~G1=&L$S01gd}r zaEAXXE#y=>|&InbQ}WCtJzAO|1^IsqUDAP2fLfb0O|0OSDVKqmm?0OUY-29OS#*#XD_$N|WKP5{UO$bs$*AUgm#0673T&D2OtN! 
zGl1*>HlG1V7rb&9s(m0jhuoaEAXTE$EHs1?E|bA5KPb zjo%8Ht)1&c5dGW(sT88CFRes&^F}BtDflhQs>Lk$Qgms z3!xfVQC+D-+NK6rBo;cRrG^IL>#=Cf_KM1QB<=Te7p+rUn;e34#3-YYXn8ymgTp}^ zqLs1G{tPJOAb;9Me_8yw3fT+UL2>m9^mnBY{Rp85ln&IQOAPiR5Dh4mFjIcob3a%ow!4GihBp`FmTmyZ+odm7+`5a7xe7*e0fnHR|VgrZ>?E*ot zAhYS$OzH2tUFYXV{{D)Ydig;+(?{YUie!pAk%Dymd1=-FG#q2-|6T0tlY zRC5|?DiV)X_})C_|4H+(N^gGmqv9_}M$uPxlhAGL@ z7<{=L`d(Y85EhjF7RW7ii3GAck?s~a9R54U2uT@nHi{Q5<*lr8X?X!VbNdOm5Sxd- z*ve>@7+ECAU`#M}K-YqM`u(~9*-IzmSn~!M^lrI z`g$*Bh6Ww zDF4ceUgtF_Zub$Ri}tYOCB468U5IqzmU9|OD(rh66KY=5QE)kg#~n_vNM2HKen|-I zfp3#9@_ctj^3W>?l85uW?)e!b=GikZ8@i2;UPVX5agAId(4#na>G69TnYowecFr!RcYbh*g6QpLxc@)mE6$xT>vTt)KQ z;uB>HEaV>crO4dIgk9(5zaL=bX$a5XJvp9Xcyyz;XQDyweQo>d)%UZNf@E4n9e5W} zYxWd7V$({wioNY76CYcoWW9MQYZX(se8K%|-AB&%UCNfT)3+G2v3RvtKi%tz?Q~T1 z1M?VXw^vBMl9`jO@mb{k6(zhZoXL*6SQ{I~I1PJT;W67}kU`N=TBi2<>V!E1+T0}W zXQz&5v@H(`^)7Glx=a?#ij%#;wC2gqxL|v&jq$7*BZZM|Vw^i|FGi;Ck5U@Ec!=zY zOJ3!d;1c4wFyZ0KM8AuXOr`c(b$S;!v)1k!V7I?G1LI5-cfIkJSq6zFNGw|-v&RBD zqR+dORlYKoiR3NEm1HN)p0pJr?X~pO?zM1p8V(gk7OM*$>LN(oLkRj?7xEa03cg)v zogVr`e>x%hmiYb7#^;o_MU_lk8gU z41C!7qY8qn?ZG^e z0`g|6b$qgGfD4Ri8JHUOZiaiEKI7c^G=QCT#Tw#LX_k#Unc~(gev-Xg zyYh^MXL4Elc8@c7E4Rdl${e~QeaLkj$W80~*JBKBOlt&k)rc+FS*D|XdeU%T&AvU< zltYK~7xM8P%)Vl3JiIPZDsgSfsv*IE!6f&%b)Q}2-Qop1*}8CRCC$9swI$3G1Q#QA zW=ith4`9+3DbX_2&23ckN}syAgOJg%rjWuDy|LmZe1e0iU^`N>E@e`d`;ezi-9c)@ zp73j~PAZxFJMzK}P30lyU<+ugM&1_@$TC_=I5x1fNKgL&@u+;z@M=W1=5>qLi^tpxLa#@W?cp`f=8c)jeYiX&%Kx9*Tt;`H%gYwp61Za?|TB1xg*4in}x;Az?V%k zE4^d)f3_%cirEvYPBA}(THdhxzg%>Boc-Q3t&!$=A7mu%U4?#w9kfqFzZnA3{n^?Q zaVpZ!mWmwg+J4Iray{b7*us6fvX9)>d7BjW<7#(xlVW#z+PqkN$n)5%!v0BN!U_)= zCB4G_U}3^pd{}UK>|vQl59I4JH2rmdZeq~-V<6=WFiAyQPwzn`_c9_QbN)&_XQt!I!Wx~NC>>ShjW9Sj*Y25 z>q*M>>qZ5KRyjz!FJA9113OcpytBr(fNfp&BEyncg6VndLl4k?`N$z$ag9Y1){67} zqG*hI$_}o#3ga0QDxsX@Mz!nLy#=!Mt`gR?*h`M{CN$i;P0?MM@@dM|?B0Qm2{{%q z7cm~#9>3+6Rrq@jcGhHC&0XGP@8u)pbo^;{@3OKTV|6ZlJH}^ws~%l@R5|seR(y2F 
z9OY^EahJZzYpT7K8Wm+rPAj-x?s$}@+jDkZ#LJ|%O5X+1DBjYh~#UZ}Ww_leqrAj4imferq@D`N+Mf?QUQ9iD0h=;Z{;t%lV?1Nsu1Nj# z(ipk>6H7K~E#03Y*u-3$Bb=D9!v1nthH_intKvf|q`P!e%60kKlZ`vX-I}dm-4x$9 zv?nmMf@*eAu;f@wolRZdy*A>XZyzM`bTrZ zj$%v$5A00rvmOzZs}4Rj!C@R`fqg1!9v6BV_Z^ zX)gY2Mm5c~8V;{C0>UGc)Z#JEQZz4iZBj=rd&=kB!=A%_MbPcZmUsK- z>h{gJ&pvV*om=bT?~+y<`LR1@CV07~VbijV#yyuB^mg<#X4*c1AOM&m#HaVN5?KIX+ zR=z)3B^(!gE=PKoSA618QkWu&bt!VXnu1sd%i z_V?uIj*`JIn);Bbf(|Nw77%o2(oOWq5w#7#^2=@3vT6P~&dn z)FamS3>@+M;3tkg?~@axoCw#yu}dQ4c8vY~7j1e6&Mk9R{j^8rU*DMrOSI3F6a!oYmt6=dL+DyHhK(lD$B%W`%>YnG0sJB*V>Rt%*x;ncM19 z3QjvViIu)jRm_)EjUS+D=&$p?9xJe7+uEc2oE~$`cbEn5u4*r~sXwBsuyWcycyApy zPdDF7nAdafji;L``Yb)Xk40z~lpad9y``TYV@_SMB*3D3ooS%0lx440M^!_s*-_hO z2N|}kOTE-P0|`sHj=ao2)^tJ84!>yQ*6k*DGSQRcld-}G+6na|&2h(?RX+=%-xM>|O^-77e za_4iB=RU$@#?cgI98q8waEM>u=O$-&%7WL54_UBk530}TjMj7(eHeC#7~K-0zAb!G z#%@;{acIsw!y?k>-Z`a!h^aSCOJ5W@Rh)QqEc0k~+|#r53!beoR~(w+YxMJumYs@C znPAbBcMMEaXvK@ZS(Ipoy8XO(tpZ|PrRN=X^!jSAZR-kIJ@gEH#8zvJo~^Ibzp7Eu zxSBP;Noj#loNn%AFFDZ~zZyB+7q<_SGg>k_k#~4+9pcbY@N;7^(py(GP4ORzwBSj3 ztf=grVp8UC&G-C>&1h!1hzcj+&ZUJ`pTzb_jEP+pDJ#9`d)QGX(Eagl*|AF0af#vlMn`ec@3)^J^(rN*$uw+fp}axYjM~87LtU&yO^UPdqlb+qg!; zT%|H_-SP4*C$}Y5@3J)w^K;L8YS2?Br=?Naam0DlY{FcLJRpe=Qfj3RJw04%kYT^t zp<>5*zh0RYLsu(SU)#LCrCNIE(!)6Zf>TfBqylF0n7j8+p18}kH!yB-gknt2a4q|` z3SsedrRK)UvbEbP-?RI4Y%3wb8uv!^o1DupRmS@%2#oIAR&j4aaN#qyR9D+v$txd@ zMNLX<<(>)nh=e67cN$zX=|Xxj?MBJ&)8HJX!o9Qi&jv*d6e=6chOzPk4R)- zG-kQt%w-MI%76w5m`h;UQbmcP7af_+)=g@|TFING zceolqh)$_n5;|Nkv|8M*(r2&FkqcXjx4#R&kT5-QcM~l5kX7^kzLg&lv#+knzVTUm z)Myi-Jmm4i9jZew6B?cUF%x56B4afKL~U7LN872p=bc~S)wI?pet3CI(xlI&Y$Mgk z?J=n&HB+$MV5%Se?EFHpju1qaKtgg5EP20i+wXJtZpSk2VFY8KU+@+ALr)q94k)%;Gur>txzUz&Yd zv=;k7Eu!(A#;dE(tCfgN5>MKufd|7UDD^b&Ph8Mc-cdaWQz_MAN{o9QN+?uwL^0=Ps>MY(<(nb&MJLWIrr*# zY4-v0?5B?RJEzKDSAOc=`Z`;x@MM33=Zsyq(|hj~JMJBwp@u(Ybr}xos{gRSJxos| zNwHdK;lv)1Uf0B|`{}AP{VY}DrU~0_e#Gx(s&slj=uy+|86dpDeih3S*yYrISwGBX zrZ6r08$4a&3(^)KGKjBOCzsioJ$Vo!b%o_g5BsjXE!%FwM*fP-OH4J}0VOc&}1)Uh4oyQw~VLIEH*Ulp&k2u9Oa8Hq$q-=ZV 
zo=ZaM`ar&&37u?w7x>t0FYWv2vLiGiR8XRHaF= z$@)j)KRx!$m9TrNR4%sOV39``!6jxOJ?GZmOLyH}ixuJOQYO~#zINSQQu)>n z_s(7ZN6VN{v3X6t!wv>MH%APkZ>qT^EnPIGpxaF85y|y_c_7;9;7+CD;d_xf!LO{F zrl01-zONg;&wr5bWX`jdQpJ+@&iUCT5vE|X+i*TN(k`rHtP8jdq%C!=8^~lsoA2$sfZ!__igTXfC2g{irhrvyDSzr$wB3rWYOLpEIQ(CPY z{O8+eO7gVZaX;KX`}yAF=X;I_l%1D5bUzP+R#ZZu42fPOPbv~4kH$dv0Lfd(6f1vM z0(58d`+I@fUerKyB1MPn>reKh-NS-5{CZDFSI7G69ih*gf4-~e0o?>e%G2)=Vddqq z-`ymddpOq*<1yAZ(ucv}Fc=*A2b=4L>A-k6xwyFyJlqSp`FMHwg``D<1Ovk= zP1y8Q^X>(E9jaaBlT26fFW3VL^FiPg+Q0?tlDylIUW%D~Rn#!6ctB>j$u<~MRG4ro z_WUq(t=6gvJ3Op!x&;~mkbkE$pc76dPdH?1iaBr3iH^71uy^MozegKR7J0xVdS@tnb~gX7TFC!PsM4+|vmwmkLWiyrX~1SOH^E2pR#9f2T7v zhMl)~61UVQZn@Odg+BFtuf}KWWVdUqviKC_-JmK{5|ua!*?7dD$4JYpF;l&A07Njxvp;p|E-e^*T^F-S-L;hyQ6EmV0K zcllLFQMbx)-P5#h_obD21 z?1g;cXky~UBIlr}%Ga$6QrpF1BmZ#E^v!TXXH~j0Z5%r$tV+F)k(@VTx$nxldR!gi z-2Nz&Up-e{n7-WUCT^^540<5=vC4GSHtR6VpYEBy zUF(H?Lw+Z0$S&>cdvh&L1$llB63Ij7W#8{eGM&tR=T2Ys4-4=tXWj?BnB2aq+*9S& z=_-RQNx=?2ocIoV$I(ynCq^t@-u}Zq(>G&Ye^oO7D$%AQ!bUYXM?VP2f{y0L0+7Xz zJbqgPviL2UA38v`_yNc7D7(~rS=es^Ii24r3JVh{w zng`DJU0@LPJ&k$FU=TGAobS58AnH39^A*7$YCbyO`oJLS8;f~MU=TGgo^PFC5cQ44 zd?hf5nvc$ReP9sv9gO*kU=TGQoo{_$5cQ44yd^M*nimhf6AYs0DCRGKLDc+w=)GVN zMMp7j0Suz%#q+Hb45GfVn70H5QS;)VcY;9_9mV_wFo>F;&(~fsi26$6KPOTPb z+6@L#UrEfr1cRvg`Otg8Ac~G+{sI_8&Clm+FBn99CGj7YU=Z~m0Db8OgDA#0!N4Gj zK~P{2#TY0sh+>Qr3=Em45Aq01nxvJ$mzd& z5LN0l2ZNqj{-LU2)i!6Bx~#u`Oss;+bgOI3JGBh|VnP1`Z+{WaAcdjGp zld&T0>FGA9;igifeXnDpa&LI<+c%r3YMV4>ciBS`i@tK=U_*nS2O$u<^h8om!>#9_ z5disjIz#bLaozs({KTZ2n(c0HU+YfK<|$Mbs9W|A=2?pMUMS!@dTHyMh6t-flVG9v zL6g$Zh&2-*!sD}UgZ}{r{|Z02ljS@x)AppePs}YM+k}|6ByCW#s^dAaQD))UaP{)- zozX6S?dT6LUzM8fxZK?Ie8*Po_?5I%4Kt&p7lE3pC#HKqBLMR6bcWzny{gx?CEiKv zkP56&ce$|RLV+yIV`XvBU5z`WPN_>9+*9wUAKA8I(rEZ7sQ%Z|SQ+nLs7|Swz%%$) z%)G0?=Q@A&LRjp7ej%(r^qy7(%90pJ4x$i;1G)7p+rU zn;e34#3(8um6VVe99{u>8LhlLv^xU|Imn;3jdiF$^bXq3RRqckGK1pk7wGRwA^H(Q zq4(56E#JSN)(A;D?v((m_Dxnz;u0d^-tR?ejU92KjpV zkpsP`&>0v&K)$eo%qIG|({`pLkN^8_|KmG+vCwOKzr4d2t*oH@zxNJb3`Q9vuc3hq 
zq*92kzKH+jclZ`^SbuqkuQ2ou-ydJ$3xl({~MpzLJj<+EVtm-zM?-|X3?W43d!)gf~*n|-rq3pcNAni4{cSF$l(d%ZKV zK(!w<03N^{fExbCg2DJB&+^*)BYr`7=ARs*M{G(-Q{4yCUU{Dm(mc3cbl$wqP-md` z!ZlmZ+ZWGHRISxx&YAJ{fBBE!j|dA~19l3S0+#}c0s#fYQ-<=;d@F%;0#Y;>p@0Dz z7@vaSIr!^jzD&tTAIPR4n}Tc#vMI=>Ae(}0%1FkXZyk_LK{f^16l7D7O+hvV*>t{4 z$w(i_rXZVwYznd|$fh8hf^5o2#++{*kWE201=$p2Q;Ae(}0%1FkXZyk_LK{f^16l7D7O+hvV*>t{4$w(i_rXZVwYznd|$fh8hf^5o2 z#++{*kWE201=$p2Q;Ae(}0%1FkXZyk_Lzh+ZZ zME@LYt|fZ-Ywm2JZKq#LU55 z>c!7tdJ6`;(X;pFixQ0WE&BC?zZL%TQ>6c2J@^|BJ?EPCQ0pHa{Ed}IBhhFa^yF_W z7KxEp!u~Hl`5TLYjt)KfoAz*QB<;Yo*g@z!`JL+pBUCv13Cc&;0ga~IiQ*fPS~bs1|*`m-s&69 zo_#m{w%Yq`wdO=d$PVI~V=H5cyPh-~*b9cKTrX;Qz?vF&QRZFHPEz`LPIb}E4ljq8 zKqr6zJmFt0hc(*^FbOLB`g}J|ez4Rw9@iFsH;!33WIH_^8gk9>>ww^oml7tgpElmI z8hmEfq2Zxh;r&QG9!mLebI3Hc)sI{!ht7a$gkahyo^Fs z#VZPL$UCg)G<||^A}@SW?b@alf4sY|8}gicKlXpvI}>=Sw)g)ZV?u+>Do(QyXC6w1 zGBk)JgpircV?<7+IguhVRw^^eP%;%Eb26qPnKFmWob%sD_vTdhe*Mz7`@jF+e|Z(_ z?6daXkN1Ao+8<{>>v=j_H;*`M?1@0H)l0JtFABW;{N$f+FZ3rpR}NY7t%+2k+&jk( zu^gBhAGY_O%;0pc zyy+*Q{ixEYwBUox*Y_9Lpkvi13EH3{G}qc>0M`Ys3tSflW?kxB0%lz*1u*MUDFDGh zr2qs2l>!h9R0=Slb*U79)}>Maf`Li_2nH$zAQ-3=fMB3f0D^%^0SE>v1t1t^DFDGh z#Q+2Yl>!h9R0=>aP$>YxK&1c#1C;_03{(n0Fw9Z_f`N(w2nH$zAQ-3=fMB3f0D^%^ z0SE>v1t1ux6o6our2qs26$20qR0=>aP$>YxK&1c#1C;_03{(n0Fiv1t1ux6o6o$QUHQsmI4qAR182cP$>YxK&1c#1C;_03{(n0 zFiv1t1ux6o6o$QUHR1N&yIlSqeZfP%!|( zK&1c#1C;_03{(n0FivfMB3v0D^%^0SE>v1t1ux6#fCh;Fdh& z38kjY-G*5=J~Zg@U&x<${o}?n(ojyqqyy5qFG7;=tp_Qv)w|@!BDVMLR^DwAY*tg; ztLmLwvsyR0kG@aQocHK9nM~D2rbeHa;x#U(Tq0B1(pKLBZvqIw6aJmUVO3>M)fwq% zDYK8;Z*IC~VRG}6bb#7)fDv!Yvd^DiPG@u}&L~J2=MpOaJ z)+tZs*`3sZ$Q^jNmP%#;5os@5i$)Jc(F&U`F3<`sx7Ly?&eq%8i?AKy41n7j&iK*wC zx0np!Z;QzwsikSYsrs^jVlvbV^ldR2B=Y;i&Ra|dPhgeUWny7w?gYmm5x=jN3=t~B z^G}tMp$ld?O;bvSo`JTK42+2xsu#n!2r4DB0V*X!$4JKrz5izqx)ofihTM!yoJe{G zlq|=ZwR6Q}CdScZp_bj?3nD-kYK5^s$B$1-*X#RMqo3#=`qS4o zKb-X~jt@+QV+#6%V zTaK}jY^U?gx<7w>@vFZJgG$8RV>%N7nol4TF2b)Y;reWCQfb zaVO(nJq=w{<*RK8(uNvdpzKBswSTS|dJAD`?VjdlL>6Nj8&Qt{dI=`(&pAF5uC 
zaBv8XY#A9*CA&L4@eWkI){W9t*c)B!%r73fp~e_&0wjKuPgo9hM^2A^az3G?Qb_7f zdz;e`F{0HYr9V)j+AM9Yb>23voxDf$Zue#iOuF0heoxm03M|PsKZ8_R?WtmPy`gQC zxZMXd0EA!kgx44Q-6eBLb`+Q)se4^qcP#YSqgyC?0(vedv8nh}ZXv0Nl++*LJJL1o ztR_@{sK-pKsbcTzVt1m1*@oV>?9jlJYoiW&U=twmdwe3V&s8$SqJ1A{+(1pq_5N087YZIa^j$ zR#p=mV@D?k69a2%i;9$hM1K$W=L0NfFVJ@ZmYDAk`{Om+ZEav?!YZL@VeDiMM*R4uh}sdWO-XYrlU)Sgv3fh zL$GY?)2JY2Cdp@~R1inh%J{g3nZXOd0QkYLjD=a4%%G)$el7NmD;2GsR zNr9~^?UqJ2K~I&9)_yeHld_#(*AI?o?V|0rp!S-*Q{>#hLbb`9qQH9To4u|x zN1H2;lcjktF6eNyJ27r1k?M!WOGugxLzA7u+kJ%+bS4J$i#`m(X}c|`eO6*%lC00K z(mf@pf0%5R+&U6R+TJrht+#$bhojwT`MntmOuw{s^NhYxX-`DisHA6_ZD%$~=<@TE zwEY&+rsvAd?V0c}k&f$iJK;DHUgTSsFg=#kI_Ub#ITT@@Z65dfGCwwImNx-?G z>jRwodnX0X{XG#Vvpkr&zk>p1?(cw5i`0Ob`#UH=mV5_ z0q}$W+E~~TIVN3^R5?u&_JzjUIg?3G)pnA95%j^swOrz-Aqvbcg#r^A-4azaqv)SK z*5AEv>dAG_{=3bYF?jF-FaUn=UmFX0cydAdI0Y6n6rh{FFI>O>@OO9Og}jvh>&OS{ zLeqcAvRgb9`9OWB|4rn>Ydv!;RNQfJTh(|*AJ2a8%akN&=()z1ef_An?|N3kX&FYZXBM>M! z8iS^i!9ebhqfQ(+C;$;l^*18sE2}SK@kgJ>(oXfWA&lS1nxDUjbB=_D1|AlPL_s11 zjiyejI1C((#{OxSEL>7j;^6F!SJueM!qx`5l5h$21G`zN-{8XLPEK}?TO}mSES$`p z4aJRYttFuU*0wfA4i-)(4i*LyMg}$p4sKhFO`M>+v#rBs=)!+DcCfT}3@8NjJJI&j zza1V4{T@UFH1ARU5{pDb={=A*40Y%rsj;S5j5rF1M17|K_V4~f0U&>{kM_=i{`EV@ zoPCfH;s_*kC&9vzL}&tp?zGS-hm6MKs2jif#Sa$I-ZRj@e$PM>sM8$|51D~RLU4Yt zi0UK%*&^Dz1^UzxE1JaY!L5#vecY25rjtJ=h6dnP&7KVU<#O3#% z^|yA>-Zs!Qw+#ggD`;Fps@clG$wbb?$krIjfTLt$V+N(b!D6w{P=WuEpvN_|Pglox zHQvEfI`>WlgIGcA2W|v=nKwrHq}5ejHaop+?KeF#*HSJ`UnL1~g#;Q3J)BBi?{3}4 z$7iWLh|!8?n@~?~h`eezXjYAuD*nRLVQL#B{;WzL=U^OS7Y zNZwb4?@#Y#f06G=N*)XzjVg^$w#&)NKH@E+5M?wov{H6wU;IO1dewP#aR>(&j&W~&Bg8EN=0V-ek~-PR>1uUE8Z-61{Q zmvG8b;pn8B-RkUBY$5`$O86qi*R)&1@87;7i4k^qc2|lm0DfzSt=lDe#&y~gVMzfcWQA_j zTsHIDq47B->7}KO=c_U41I;JYs_@A)08WoO&qb!hD)Ja%kf<#MQe7dwY0O&U#y&D(`8u(bGT2jC+`W`F{s!88MJ(cjuwwPQKl`T@m`xwo6ljz~v>4oNz4!u_k zVinI#npR(Y&|J~H@AXtc;}PzyJ>im5#VHYzQ)=$%z3Zo5hxFN4Ub@eghObUm)juz2 z{SMw*KJsL6>XQ|x%xzhAHrM^nCX5|UHx{3hv~0-tKRop@=I))^8~lS-N9x3`qS#pc zEQ+gSUh3(xck+cQa@ExH<{K#A5{?K&3%7cksvlPRd|1~C-TXYaH_{$%hP{hJ+YSp< 
zY2*yWHy%D;lW;QvyXDH>DgB3WKCir4pQfnu9}XR5i^sM5J&buqPdr|!-)r7!HNYEk zUKFjmig)T{X~<;p1a^mb#4e_y$-$D~*5WcZ7q1g zt@7M1XYbdt76o^_?#v~_9y_L4X7k@wS11llm-mk0bM5tWH zh^9Y{@^9HIzk%+KgMinI{Y)$+Ot$T#`WEj-^<#9;#U7A9cj^3Mx=eO;neg?7fwvoX zuZ#5cd88!z@Wu1pZK+qA{NFSLbmf|yFRfKb%5&YYc5LJ0`knSU6?{6{ zDlO@}X+f`FhG}2L-%mF&*_kFXd3Q#Db-0?T3cAyPPM`tLLpAahw3+xX2QlT2OLvN zlE?N%^IVGwyK(Nx)csQJNA^06!J+CL!(EfteWfSHulrJh-5p99^obuDp1 z#c-x~JEg{1D`uYiSeCeEYl`KCie7;`DO2$$5;;TMPOUr0$G`KK=wt#5T##@xMX#ly z_{{L#$9JA{roSwGiNDR3w?bseoiI5xG0`=72N~mI(IR^#)XL>~5b3m?T-nkPi*`6D9blI%jQAU4O+(i=RSl9DVuc>`P()ebGcjBuo-$F^wum+X_ z51Ct!?MmN%dj57*;nDjs%?}jvnq1iQbOL;tr5TLE2J;l9%(1zg3aT1Ii;}OY30WOG zVYcp}o8o3f#*WU%EuDIwxzDV#GHP68z;$-4+y<|*c~$YFBlaPuxy+_rFFtJS#}~cp zNaH)&)O#$%J_7sJY{{6`)TXepvWR%*v&$2wH*ZU+F0Q{M!P&H2_o=F@!Qz^d;8l(x zsljj&%YfaxUx&bI%U4$1TvCy7ZE~VviO7aGdx9%tkKBD=LZ2We^M?KKWN+eDw$!fD z7i}x!Pplqb>=)iyvbbF&V7VN-c6!ZoC#yJ{#!I@p*L%3$uMo02uzW;Yqz-vsM;VRu zdM$@QcZsT1L}kXV-K}^mE_@d;Pux;V)2cbuJ*)aGL(7UYR$UIP*>6ox2+7LsNb=Yt zTTyVmmDeP#^I=AXNRqKefzh;fc8bKxmNn}o<@&=P zW)rFv#Xw4fw=+dfCRsFZ+Oph0A=05*!fk77(z86_kjmG_3Z%`HEOEQ%QRl)L;_gJ$ z*mDh4F5=j&(r(@&&&Jv9N1w{H=d!vtg1^qC3%O*Rr*tiol#L2DefYs@RL(vNbKEAZ z!$`B3zl&A#wzz%)p;YI*M0)Gh9v5P2U}6Kj&JnkW{jJ%AKBLMcq{!lG5hGp?ol1jr zy>z6|=hM7L7wwAaGq5f)Jh$ys-C$E=TxHG2LFKkP!xy==TGqXmeu*u-9Q^3I=u{Jr zo#r!}O`n8M&YbiW5lg1<7zDJ(G+UmHYhhl$%l*-I>DqdsqCH!eI#n!gwrJTFDXH22 z(mc(1(1DAWF^k9c`;=V?PEQR$f2;t9=YRu!Yn#|&Cts+is8{8-v%q$qUqWfBj3?qPhmE> zW2SNUj0}hCp}6!*!m_e8eD>>{_c!{x0PX7h~-0&u@NAcG`dTxiP2a;-ovqtj`oWl-gK})H~Frl}wwvFkNTw zOpK{l)$(}Y5|1JiI1O|iWDG7`AsRfiUYeKH?r~NW^O_~X;s6(U!v=AWWQ!u7&mYgk zQd}lHpOoIrm%R8wkjZ*VEJX91%88AehffPs9^_ji(md9n$(LZkh)~QNGYFGGh^#&H zavxi`&`6KZHGEjs%ZoeWLfDo+Furg^*EwUY!=VX3pT=Xs<(`fW))h>VDILw?mTI+p zflb~gvya+{YLvTxC%tYrR>6%~xCTTBG-vO5^yo=oz+v3>qd>^OftLWP8qB{e5!Voo9>*p z89kx+6kFcWRjly3jrUJ+**_V0_0i{o*p=H}-Qm2{^eoot;E}2=G8~?w zhiV14#4GY0Hmt=Z=pp_EGQ>@Gnez=;sh%rFQrM-B|vVZsgX|^E}1zvITxQA7TP3 z>IC=>lN6#7ViMZIN;?zRPJQftQRTMX@L(M429@*owsb@XJ&dptHoG?da_D(|XU*Er 
zll~iegnBqqp67~XH~4>KFG80GAGL37O%q!6Zq3#liGz2z%?tv_cj;GUn+qO1neUnM z&ekWh{M={=bd!TLMZ$K)gIK2hU9N6uHn*3%nU)3wM?a*q!ihLoM@E|nt|UC%cWw`P>FqmRx7JQRKB?Lx zv?jRpT=P;bkeAZ5pb*t%I8p`!}^R>A(Zu@at4k*5xiMV~~ z)Uyrw%emF>U42l<8*(&e>4w!@oSgwzU&IKOjPba7={GL5e6o7YlW{te+r`)AYVR(_ zYYb~QsEe=hx70nIB06%M!^VI34Bf6bi5!!{gND9)JiM#!HR^vl7P5HNm3^7llHZpu zu|PgdZ=Ja#W08?m`$S1=2O)O7l^)BOCMOZo451*bducaGQ6o9JQpr`=I>XS>Jl_lSj>C zhX$$Ro&#G3L$a!dLsVDy<_-!Mw+?;Z;*vwtDp+C^yTDJ4P>`m==2vDBs zD356Iw|N{}wk%@bwuVS9mwJ+>;LL7LXCd`T4@}XDt;;`by=<>6l6^cAr*Cl*GkYU{ zIaO|&>lTq#>17lPlWz8$T6R zFZuYuVr}ORnURTFKLKa00$h<0nh^5-L4rJENMzb`cp!p#^jW>Goo9p&+7Epoa2Jj?xnG%-+P9N7m#dGK4xO3@_hHs8)MFzuREBHls1h|V>FMU6HUF; zmagDB$t>3_;AD$0IC5>|$mDfpa%6euQ`Q%O^<8xbNgZ_sGQs;@YmGnLkM=qYU(#{z z+|7}on>A5hfje}_)rzN@-`f+;jc{(id46$bI^S9Y?`Ml$%uJn|c8ymTdM6qgoWJymz` zV0D^nN$uO^QNdv%b|s0umj*twXF4E#UI#1*Tb`Nt@dmT#CGICCfdj(cWs4?kPlvym zZs&72y~^Bo-@&C#U6DPk8<*TFaA@yk+*Wd~!orrb`18fCvbgwH**HSKNQChcV`q}a zlXnhhm#1^a!y?yQK7;pihif8tuNX^~wShyl><6-FHFbKS9_lpj-xPT$h=&s1wzfUs^_itt=8HnBK5E zP{FG8Y%gK68I#!id!bw@r@5q6OV1S&kQ#9MR+}uk}0A9s>0V8{733&1EWnfwGY_;FpPDYCWomjj6 zSjS{2(bJXIcaexuhs?b4S7T>$qbBprhF(|wa^4N*Q1^8i&06ZmlSb4!v+wa2Whxl- zwjVnia&Lf*q%v}*vOOgdzK|sZwEHX}j4C?jJd7RD?~bZ;--Gsb@t*Zh{N5%WazxMK zh*C2J8QL8d(iX7q_31oeqTZcbs}eryZzkBse?BFkiN_`|Ys-vu9jEk-3h$E(IWX-$ znAX>;D<(_gYDuvX+xvtowl|`enTckJy_0a&nIy$;By9=fr|rL>wnfpyZDAt;no#vc zbt(5o)lm0TQ^5*NSFI;{pB{atzz!*qb+)1wbZFY0s(p=*ZR-(9QYXiHjHN~r#>~sM zhbDeXamsG7?IJ(8Ii2ogOxu4UZMrDI7yZZT)b-+K4o(bMDA@N`1-TP-TTHv$^O~z? 
z4A2u+A73owz_j}?C~xAKeWL>`2op)-T(&5f9CV;yWo!U zEsuF#fji1PfWCVh+)=&*@}FM<>GhxaeD^MpUf%(k=OvI{^8otxZ6LkA>uc;m7uR3R-M?#g;)Mr93|1@dAKP{=xA0j3K)M6{TqyBu#p}$4CSL_7Z zH#P5dHS`FgTBzG>XvQeLKj%=X)FH_SZbycmwR@E=y0J`55WM_fO5EXAm4Heml~E3;^|#7PRQK*dfc;-6eE-$7B19N z|E$Jz-Lbv?6xhcM<-PuG;2U7@FYp8HLFdh-Aa->i&X=oO8G z%&m6h6rsAosS2&=&;ZVBcN`8X@3~m4N)*|&L9PvK0wjKuPizVbP5m%)pOolv_(Y@9 z1K2UMjJN&AwuM!6I)cW3gy6F6bRb^*(`Iai?^pis$I z6lOL_<9{{bDwLG#&*dogtSBUOB5Gp0EzmL;C;SzER0MP9Sq!{?5q|}j{8j&aFxAWkixua%xKj>g!<7jH@ zU=2rn%_aq<*8Jxd_(-xGq*>teU8Pwj=0(t|9%`joF{sikjFFjsb_EbU1NBcVlbxV z(}F*5`*TNn{EO`x$9gXFR8B=sCkQh1Qean9mYtXR^ZkYXq~mWBjN3L+aM^68imc&F zH%cmuI-h@Qp@;jrpZCx*^{~kg1u5i@6qu;u$tmepwfvS}|NK$GZBcB+jJ@G&3e1TV z5cvn*k6+Kb(8fARuUa$D$H`U{*c0iJs`pZr<29egofdkyulsR?%XX*a9zK*#dMDIw z{z=Ge`lzeN)~|0bw82sdAJJ+~6w{IJ_Z>=gU6w+|N=mI>=+VCJ$7pu-c>F*;&z6WW z#R+Z6MG$3yaG|9qzjjz)gB}gMmx>N}@2mp>@14Z}=H6KhFfjL0Ie@wMi#Gt}@Pz|V z4pa_6IehU3pd4m70Oc@?0VszrqXH-gDhHq(zIX#r4qrF`Ha#H~Jl}F|E1O5sAC2iRDjQn-N_e!(Famy({r3`l!64YRCc52_OJo z00zRpaV|KvwxaCvvLWHYf{wo|WDnK*{jOl;k3o9>R8S=b3aX^W41N<-iH6FmB9Ry< zsuC*SiX-5lqMV8jw$65Q#bak*LRC5860@OxcGTkPMo^I8PG}2l(BN)3RD9ipS|j$4 znv%HhqAF*r-$GH9Q0O6?dRpjg^Hs5j?ETxQ${#9~E+DFsdUd{ws{EnC=#LldyQoSm zO;jZTij@3aQI$vp0YiiIH|I@PVln^wuu3|nMf8je%urb6CMc|uj)8%Rnl+u_OKNo} zrTPJGj4IO#P9A$^4#u@el)+p?<@6G+a<%F6PwJI29i)?$a)P(_8dnV%ZS-~L$GA5X zM>ZAi6C6dEk0oDM%=QLv0tmnp{?)_5WH_^0{EcsKwZsyqeVo&QQBl?0`u8{8@OwFF z5_e#p&vT?;?tAA7FZTR%GDVX|G*UbB8X+FqqDVWKZvn)l)_ADD6TadK0VcT{Y@$Ykez zo6VE8x!WH_eHeuQ@{!L<=)b8Q^dHeJ&_DdSyg*v}QD^$+X}$HoeBkBxdZv!&pu*!G z$MuBYd>qxIF+JK8aryblUp+ECS2oF3vrw(}821UsYCPA>(dO_s)q}2AfAzqy9f3)G z-Qy+46F(#+9yk3Ek)SjD=D4TCieEl3%Yl)ZY<+$e^|$IHmB5vOEC1n9z?J8Q7MPXi zSir!nJO=~J%5yA$z?fqJ1jZZ-ATZ`w0IfX70tk#b7C>Oku>b;th6NB9b1;Cwm}3D1 z#vBVEFy>eQficGd2#h%vKw!+V_)%aab-F;GE8nH*valxYtlUZ#n37PFp0UUcp}?#K z1q@9l59P`g&E$F1I4%nIIWnwTCU}(SRj!C|i|$y4UG=OZGDs4<1!w@@_$|XBZ{rMy z(AcsH^5vOS`QSSn`F;0iG<(MQ=xHDAi|7?UeoQlIy18;fJbFf6RfQbpzE4ZAT0=3l 
z)~^q13|;^Rzz_ZlW8r!*1*Uqii0uDPFWt7|2QpJrqS_iBWtEhaIOt{vB@F#BF7}@aWX3~*%+xU5ZvvT7L@1CM0p)AOV4y%| z;_plki=}4Dr3Nxnv(ZAQh0Zo_AT$2&1DT26lU+a{Gxh3x8_0~MnmEq|`!0|f4+Ssp zGO;i-cY+hCsbYUyATth!K+R>`{k?(A40l;h(*!clrhlFLTZf664hm#m1O+m0pawG2 zGtcIa{SwCvqvKL#M}cHRR0!9wVYroA`6ahxunCa(O+N9wrK8*D``un}^8TB)29(R?WKGI(y%vnDh}`(|xcBkoY}55vMPqgLCw3 zSbU*n^;Ao4r}SX{q^pUF`viizIfMz2FrY?D`CQ@?3ylfjHE3dqJ z;%sg`wd7&T#}{9FFR;O&BE`|rd{g~I(uf-PP3DCNuF1TJXgdJ!qNOo!8+g~eh-ff1q*Sv^mI{@#Zr7>?Cc-Op$XgdJ!qNOo!8+g~eh-ff1q*Sv^mI{@#Zr7>?Cc-Op$XgdJ!qNOo!8+g~eh-ff1q*Sv^mI{@#Zr7>?Cc-Op$XgdJ!qNOo!8+g~eh-ff1q*Sv^mI{@#Zr7>?Cc-Op$XgmC0^{&$H&KW2Wa)Q*s zDIFL%{<%D~416_|Cq)E~`xHV{)Kx4cV}o8(U^S5*Q0VB^2gCk(q&jkj(w0N)a&n53 zLDR{|K#8M48EU*DhV4p+V=f0E9qx-CEGPk+0Eyq@6E5MdL8bmKXilMF>F(s-T=P&0 ztk#UTJ;ML7WX92*Z-$0S4!Ei`lTD>-IyhHTU`V0vy~CsWof5j0$r+<~slv{Nw^J)4 zj2wGyPFw+-0Eyq@6Q<#wrPGu4h9}P1OLuefU!uU`p=nfcpfj{I_|QtZw$W({OzXUU z=cOR>6G{7Op}N{(ha4Nt@{)-ReY|K#yT{w4kN~g=koY}5(W|`GW^e|1UAlf#*OW@& zNM(C_hz$QlYe9#KyD2dn?*?Bxx*PoXe;z?{jF?JjveZ5qTFJf8Ht8?(Xkd}^r)Btu z@@POAA_%itBEHR|fhWL`SR^%(1{O!nrh)%&mITDirG2nxMIoVc&1TYo(oMio&Y-x51iq8&I-yNj2_MV7$||niHF^Y}MTYsa1;x$KWmsEd5-5X#4F4okVjh zVukj~rH(hi2EYTj0~ihemB~O_VrX?3euD(BhD49<8jU;EGf2z(xzpNHi&Ul~TGgsw z&P{O(Y%$u}Swu}~>h#3%^h{MvC#?2rqre2h!+lOJ@PJ=;qenlM1jmJLFMz|WPXG>I zh6dmOIDDNXp$6~=;19qbXbAv+prrxk2jCCDA7}{xf1srS<_F*pz#nJ{0DqvR0p^efr2*y#;19qbXbAv+prrxk2jCCDA7}{xf1srS<_F*pz#nJ{0DqvR0pF1@PAt1QvK#JO63+`Yc6>GB4T@{bQSK?6Vl zo&ZL{zi$*wbnhFPyb9GAA6Z+kGEw{fuNR$R=3l_{Pc1q_LyOL+>#4q3bcRMi#hbAh z>Y_6=n)(g#8yB5HYt3dCok0t;;M5aSPdD$PGxXmtI>UYscL9ses2AwFMQ6D05Bp=m z?e7+yVdoZ|5fQ(2(HS0#|Hl@cU1Tx;`$cDTOpBnJ&D2F_)cVcz)auUA59mAfuOT`H z?gR7~dnRT^4ix7aq%2MS=E~-yxe;O4DX{%BlAb2jLOtTinwA?y`iu*7H-5`-C=J&~ee@j(?07VhQBQ#-OI+@m9-+XBjd#A8UUs># z30WG*8=cgmw#tYCE8CW*7SFfG*=w=#1B1>IW|I}>#X;orl&BJ2ow3(x?*@q32D zQnzUlGvCSlvYCO4g^8;&>_2>JuGXJ+QIcxLNmqWhABpvJJfk=~NP#7hC7#lL5V@c> z7wJ|D=k#=L4+Z8O*R42C_R)*%a3M_A=5DWV{V)h$&_QW;IxErKGc@QwqgNzxc)FrU zNc&OelW7mV^|XB!)LwpXYQ|F!6%p6a-V<@Np|wY2dQ9K<^7E4mIvUMR^jx{5q|!pQ 
z5%*Quj>FqlojBSY-ZMDpdX=Wn!kRk*2Sz4bOFWZ|0uw#WjC>PxhTnNgNvv4d(P;K! zIWR-cmEc#Y?R6NbEbFx&iSu+%Dk}IOL(^wLO*&Tn-1_#`&6C+adKnX8K2mA6mCobi zS-Tc=G}@ik>>Zn&&N7kKOfIdLMkg25B~0|^3h`c~?X#dZ<7Q6^Oh3>&s(X}pyc75` z@Z~?;2>3GXcmnhC91Sop&#?gW@*E2o&=_+tfX0|(0W`)O3mDMLb1;C$m}3Eh0gW+7 z189sn7C>Xnu>cx_h6T_Vb1;C$m}3Dn1`P|KF=$`_jX?tgXpA`+Kx53Y02+ga1<)9C zFo4FGV*xY<4GW+#XkY-1K?4J5j5!!UW6ZGt8iR%f&=_+tfX0|(@r}l?A2ypNDGF&P zb-Kw>VA4Xo#WWok)@0l)EnBi~0*W!pxl4gXd~EL-CSfB6U#}R`kC>7?+EU~zuA-*j zc;A%*OWj(gmdbz0#S5wY(sXkpd%-r@peS=RS0A%s*e&oDpaFd2_Y8-nZZpA#(v5;< z12c&{cI`#Jo4m+z(rxJ`pH6g<6P-zIx%xs0$M`5P3+JFr3pB6wM#H|lWxA<1FQ;Ee zy1X(KZ&WIHvm3kxXaL{%J;On@v_}_7el;CP(%eQGHJRunKV8`En0Bv4f4y1|KmW?J ze`>WL4q7cpT?qHhYC#l{x>}H0G7f{8T`l-KOVrKQltaL`Kr8Ct)DuIi1?MkOhx_~0 zg4Bw4zgnV>dV#)MElB+Su(CEbwoa@PYR-mEZgwVc2_*{~OI8U5IEGbXhpmILi341R zx(brI(DHzZkrP}8O(ck;FeoGrj>jU!u?QrA2*)6C;zS}64{gI?#8FtNvz&>e6I{Z; z(9l8upqd(V0w)J&Bd7fa4kk8Ea4eQ6CB!~@I0j8c^P@e` z(#`*54~o{FAL<_dG#>&MGKYZ26X9qg{!e>wIA|jtfrs1+@rBt}KHprvA7G(rjr(Cu z^RF03z(5yj78ZhP903hoM>LV@anQ!E*8QE=T-YU^;lZ_epp!i3-)1<;wT)B2wlrL^RN(0=oMm) z+qdRHtCYW;G;mM_%Q<{BcOL}{D<^28l2EWRa59lIF|su_VUL(Kq;JljP<0$$eug6dUh*K1@dK&Z1yww z)O4KAtSOf`^DJw->K@#NWihs%2M`01OM0J&6fGSoT$HL*c8<0r&m3B@D0M zBNSS_4vmUg=|%8`2FUn$FMDR_a5Z8SC%2<@XDZ9ZD#ZFyx>xL%J4P<9B8D*TmK8!{ z8o1QHa;r18I#@@!8FQ9#OZ7d&*4zyl+A*ezk&b07q z1wU)wFmQhZyVlY(Ra*Chyw^X-S+0F=nf%3O59|BO21tbL@n8>x^mOaz4?Q0Vq+84P z5jV)Sst!dqcUsd8bq`3#O-V=hw;xc$n>k0BufKIg>d2Frewlsmq)10(ygm*gjn}_4 zJ3+yBt&HDfe7IYuVaG13yPU_>nsd6gagQmRFJCXTQ^C+f{6yuG6WWie#XcCupco~3 zBX{Im3AF_!?6fP9dV$nlY+)hPCj9#S3ehQHRvz(fA*bSR?nqCxOmUM;Xsi$BPh8oX zW|8FjG?<`oW{I$6^K`g&+982oV{Dt|=7g6poFR)L-|2gNlDx*MD3#z!W}PRBUK(RC z7iHOE)zsyZnug1(eyREBz1Jm^YgBF`Y?<6vaBmRW zq`qk78Xi-#k6Zb*uq5eZd54R-gPG)e9D{oq<>*50pDt!aubdgf>xWn#v2VV1Z3F+t zz$F_VK4ZCFNhYVHc)HY4G|jASZU*ul9({Ub-HMCr*M(a#cDmnAIU29RTO_=)PI-Wi z7bnTlkC=L6Hb(Akig-6Q@y^};McYvoUadzN?d-Y&-A}ai$KYFCAF%arb)8OnJQm;+ zuJPnzTDVd6wwt%x5ZWI)y3^X%C}vD8M><-{`MgvJmVB(;!Cu|8b!WgM+^x~N(;H7+ 
zF3~AAc(^=NEGu9Y^Io6pLmCdkueo<+h!WTLY&@o(4)?K^`D9V$afgt)i_dxLVqVq8 z^>XrDtc%zDN1#=@w~-L~Tef=i_J3VmenCPA^q zi&&X1;N%1G4wu><=bawo->ACdIqUUZ)zxbdkq3o06>n2hA~q@`R$Ql;c5YkYM7-yk zD!yJKXNN3efW3D|eDsy5$(E5Aq*n)$l-_o4OGnZUnaR8CYKi_?D~aFM6xjU0|DhwUfa$z?(ga6* zx2I%G0>5GLbyY>4pj-8i*~HB17rWiNR^`WZLBU?_h+O=HIO2Swl z5nip8cyQ=p)&b>H8#kHOH8bvM;u=9cG4wwuEfwxB`#GW3?(?bIysbpeqb8Tac9}d3 z<2QMG$-13cSEfYw2|Pf5v!Cd)-V#-x#()Oht(s2FiG_vNGWDlN-@UPw&Z2aUEE+E0 zmGE>VkL+dWD3ut{4_6sWQkD?B8Y*k6cY>7H<;l2@<;Dj4#9;>;bW*soK8%Io@gi6! zY(4BTBb*UV4~N0rw&$-qdAF-ME4R0WHSo!RIEnl!YqDoC@%1i_-Rwb{B%FTDrVpR} zU15a!D3odF1DS0cQQJ*O+c{paUeesu5jJsg$Jk8S&TVO*My}=taz4~!qx88sz{+4w ziCkE%nt=lo{r+K_N_YrH(v&#Os3cEEJ+&nowU0l%$$0S8pPfH6c6V${;XPMNt&=tq zQz4}+j{@<#ru6T5v@I1UvfW#&-t?6294pyPsNe{f&l{cI09VWvruT|#PVB=Mv@>gio+_*!0ljKrS*(BD4Me7RWmYv*k zAU?EG?VJXa?)mPkf@jL5e$+wzQ#U0$c7_4^K%@wW|cfvln^u36Rvf2rFYTUf^)_% zwGv;Ggy~zvPanM}4aO{eo#5ALZCs>hs2}818~t8x_ceW;)qAlPF(vni1}nD79}zlI zuq-n!S;VUX`-<33y!$FAV(*oVtRVKtmBB+&W9l;=kHj{#DZ91KSlud!6g16mO-kQ$ zS^jlr(!;~-IDeGV-rIJaqWDhj$1QDdQlxDS3PWD;4mfaxD_&ql=e$)Dw>GVpsnd@g zedv(+c|v}Fh}GNc+;!Na#c_x@J0FHCZ5+Ex8Vs{;eTTYF0{~%5ZlU4GWL2S;UgrE~a{{ zUUcNSi*XR@$Vf1kn9R$2Ym?N?w=o{_7C&h6h-q4eIVkstmlM_6)Qr!57+NR@} zsxT$qT#LHB$4(y)x9r>=9o#lFjn%OidD*{gM-2DqBd^9&3cNGr{`W1rgA{`u4Kq0| z1qO?7o!Kw`(eSX+)lsb0m9rj~-)CKU)^1>M+m0;oT*q+W`K?lXB;Sq~#~AXFM>t;O z`$|uLCYOs{sWZ+VUnh@{Xyy(*-@kT9Fr<6+^XYc_flF&Yoa!KK-1@d=HSSU%XCmg%9ckvNljO?#+^puAzbxQv&z<(@++N3-to^Arj1iU<>-X>=RvKt+ z(?9H9%t|_cW&A?_@?G^^eS7SK1CtKJMoYN49@*=j&c1xhZhtM?&MR=k|l*nb(1L01FM--2* zsk_`U#2oE~2%O+vti3Dm{X5d2QfOYzZ35?6((rx{N7sFWrmcmcVw*l?-AX4~KjV^^ zOp=f0H^@F={d99@~ zaIdR{#HR;}JRv(h3IkF$=&_6Anp7;RCq?r8;~8?-$m+@xb!Edw+ER4O0St4 z>6&XM_Lan54G39$V#~4r!`_>~L)E^2{9~<%>}kQYD3xVaGb3A;u|(GF(HLWA7(=$w zCM}j0A}uN*gi6sO3Q-YBmZ&5lBwIwu{LgqwdP?8<*6;cKpa1WFTV8X{ea|`Pn)iKO zpZhxJ%zYoxNdFVI$FH>nKJ7bV>!G%0jL_zJv*udd?t0Ne+ZWGX2zG5+wYnrDYi+Z@ zdWpJ7Hj8Y+spH4qVXv4U^v(%MI7}EiialSQVM{M1^W-?DXd;JNM4tLCJM_h(>X!yPx(ih^>mi{|beK0Lfo;c-BAx5qq$ 
zp0(#$nH{2Aj>z0!5u?g*N>R90BRtV>f(l;BC)R!I&9Dhp=fX>I)aW2$vHgA@&g{;4@=;_#f;kkz&#?X%W9GgI zkd3@h9(7Jt%O1^U>${5Qo?>+3P|on{Dh^u8f~98qH9hMFa-S9-j6rs4suIl!YA@TC zX`#;XFm^5V?UIoq3#(jcS~A#{*X--FnGL75&U^V9$yRZ>NP^S@cPG{AF869z%Wcau zOFGc6HQ#aHp~)U56?CWgu34G@o7+C}alzx;hgQF8eSUM^r_9-$?-UBh=T6|N8cW#Q z`il{>Bz5e08{_Co?^6Xk+XC@Q?z(mOYDuHCW##l%A9*PWtc5w=?!sKZm&R`&g&YwH z4~#fV42^8NN8)?D$>X-rNBpdOUnhyy)K7=zM);RrRFrILeiY2#nRVv;o=btcb&UcM zi4v=QbhA}gmtENwYvgv)?$$+tSFdDVnzM5=rh3{28G&f0{_JVR3Chqg;yi&IHp}Nl|UGl}Eqyndl z^TqurCf##C9@`@tlCdA|>Svare_+6lL@1U>>bgGRsgtB1A~iA`t*NGbVuxoXe+JLx z3lm(jTbJHop0|EE2c5d?^~1He|2T6O4$q^YOL22?rNfaZB!Wjllj=#OnfZ{&(3Lwa zN`M=gqC+DEL6`2_=zhi&nkLoDhw9C|;s$N_^(^5o{`G?KTUGnM8Ahj#eo ztQiGej)E@HeLZbvG%{Yo1oVk|L>P0*EH>yD#%P9V!UTBd^3UZF;OFBP5)=>?msuz- zCMJ$tCM_YOgjP`|pz%0$UAqnHT9(>4ys?*wrGul3tBb0kZ;+2updH19%(xBXoy~b; z_ReWjcYU3f>&q2rE^an<4$fI$rtV^crtyO2?)q!uF31uQ6HYE6QKTcgFp6WH;F4)m zca4prC!|`>J$Az+8m>5^2Nr$-VdZF8Bn&OkQeN`ee_-4>Ec(!%<7h+0RjGF|jj6{) zY8?|j%?$UuT>?db#6RQ{rLCzCm5b)Yw8h7FB03Sbl>(tJdR!i9Wx)6xI>+@|`<05S zM@L2}MQ=lIc%3xNP0#aJtV(_Qq*>{>i7v38jxOhwt?4YM7Nh&rb51icc_D{Xa_sJ2c)lPHYRq*RIZU zYn2+_SXMsPF4LlFlRM9OeuDMoLK3xNf`lIPc{BaHAHTJX9cq<`8jG{UPGki3r4xe& zYZ5{b1;r2JhIqF*49!WZh#;!}){dubv@obYx@`PGCiFy+jmle|BrA`(R;nb}lbj!n zg%>G|?XGSwNrq2*|8FhwDUa%qw^24e49hsRw%g=X=oM$lN(DqNCA7FDe!SRau(jro zr`F>>6}s$F5h|mjsLn`YSf*Ol2L1O2x%XSfPuqyYNL8@0<=93)hwilKkFhREatk7I zc`Id~Iw11f88F1L@oRLaY4887MYgo0*>9JjAPLSt&ObR=FZfUSh%YxBu3% zTW9gwMMJBzJwBTcw3tQ?wI?G+NI~Jp*K~-D7j+1$#q&pQ|E(QQ+Xw?e7>&*xz_hQ zez^v6tzY8#dnL%V{!V1(b&zY#%;tw0kZb*bu*4QwF+{rU(xw{ z9muu*PUIKsAlLc@oFA(|uJt36nMy#eH4~Yil!ILBCs1ZC0=d@AY<{Q#xz-OzW-b7^ z*34{vtO2>!k4$DP0lC(UXns}!a;=|H`FR=0wSLa!r==j*`YD!~3PG+l6PcfsgIwz; zP-ZFuxz*rj4 zS_*QlpJMrWA;`6U&gJK&AlLdim!Fn`T0igK^k;`Ps8-#CBu*>-cgj015dv<&%;+7CbxAo0)mL_nd{c?OIS zhzv|fTEKv1)Kfl|LN8V5iqC_wTax6gBd8S>SN)Y<%`o|vxa;{m z?I_CS!C06*RZU^IO5IsH?>hE=wjs^qh+X3Ah81At-_D>y_;vZm+cW0I|3!t` zPaigd`{5Z8KTekSzx1#XMFJcT{eOM5hJuC$H4tu#!r|f2ta%9N!5`3*NYK#ie9)}> 
zIy9=k4_sMU!F=-B8k4KgtoCq)$vO9Ym=D7sL$md1LM78@@6&@r56hrHlih!vj!$vg z6!yM6C?s?&CJ#C0B!F<{k(tMXlf8JDrI2AdlP?H3%>}Xn4R`V5QLtj#tVQK9;rYo_ zgt#A`aG@PY*D<3*)9FLz8j}1xzI_Ph+T>?2@b_}_ruw^kdW+fjhHItXT*@pE!*1DGmfdev_kwrf%{yevKw0-b zuBc5fK^33@eB+-9hk4j-CKr-#zq

%2D)%3i zfiqTc9ROUi02hM5H7jr>5L~nbmx6!qjPl!7;Hova7XWTsfSWQ0A;}YDs1UD|hjZ1Lj65O~1H!i`A%YX33<@Vo9 z(!Om*?D+Pz_}&SfVPCcQ7zRv!vB#=UgSmOU;2$smJ^*~+Cq5v>Q`u>`(dcgY-I9gA z#QjB5^T&LRL>RFApN|qoLjzx_j_y2DLvDW@aQeSAN*EgZik}?+`qz-yFQbIf2qZL0 z7)5|a38T?)G!l>h2S*8`nZs|HqlBS>v~cE;naBH2ql6)wXB;Jr`8(a;7$wYXp}&n1 z#{PY`KQ`LmMhRo5j}pe={=regiZ~qZe{GcTvDvO)MhP$aGD>*bFkv>XS?nC#oX{}g z70@tY*yJE#Hm)ykU}NVH#hChXadQeHg_oe#nJoP_M7a9Jl{XL724)o~f4meidRMW# zsWjiBUiwDfCAqq*`@FL*toQeFw9WJodTwiV6jTBTz!UzJ;UJ<@ojE%!(q2@?$Y^ZW z{T_{^;nf=Ra{EK^7Dt5**L1HM|17h9-uRumozWK!p?_Hs{~eo?FYt0nY_^i=VZWne zCB~z4`=Uub7pMdffG7OB!hsWt(OFp4ZLt&vOkCCFd4GGdtn*RJyW6zYx}HQzPI#(? z9a6AKtE%0tCh5>S5&!br+4XNO@u;0XEI1xil>d=pf37I!-tqH8DCr)HvA02i1-iev z&u^P8S>M<8u*|IcwPAy*v(_#57L^!<`TM@r|K<|ss;%Qe*B)%O+jpb0@?LzFZRe%- zR|D|h+}pR!!WD{Qa0`qw58>>_jtLEChK?u~*f0N9|C>t!DIW$p+ExwIR`evHm)c*Y zo+^(&P`dp$_cpZ|yGY@L@-vERw$^jM4yX0?SwoG31Azyp>VJ1ZBfh2lcw}1Lz2n)T zmHUG03PU9A6@-3wZ&TaNHvKd@%xHQGPMM#E|UUKT_y#PFfb{Agn>x`Bn(UnFp%pqDS%v;NdY7bObQ@j zU{U}H1Cs(s7?>15!oZ{e5(Xv(kT6VA00{#V14tN{6hOkjqyQ2ICIyf%Fe!k9fk^=* z3``0jVVI-<5(Xv)kT5VQfP{fb0VE7e3Ls%%QUD19lLAN>m=r+5Fi8O<3``6lVPH}K z2?LV?NEnzDK*GSJ01^f!1&}Z>DS(7wk^)E=m>599z@+g1-Go88>x^6wS?Xi0ved&g z={ckYXU65TF#$V#ldtebNu0KG?PYJ%ah<<#t@^c^Ca$vRNAjQ&KmeZbZw`l@$YJn|@@f=@^Y(#SKm+*3|EFWY9{YL!Rmx|gYex5zD7_+IA7-xdhd)1``$O?R zPb2ZaHTMS=n)`z}tHpP7f1n7=xj&GK(A*yw=G-3y^glTF2X<=i4;&88JTmim|8edQ z?96k2;QmhcH|G9ew$R_^{=olzx9hyUsdOF%Gk-^VkPii}VBqHM!J|NgV|Wxas5B=E z4Q|Vv)C2*sGo_H}a9bQwomORm7{R@=&~;n6t>>afClM4~@q| zrl8O`I2NZUkHcaiLoqmA=*EGK_6jxfzQJd?wBlimE+?2rT| zJVnS^u!?Ai6AsICQ7n@k3Oi{q;ydF=j*c`3GxNWjg+oj?3;D-peQQ#vhLndq<$G#43EFbHU>9}F4;H7e6Q3=Rb~Dgp~FeKmQ?yvas2GW)?S^mMa+nEL0x zHVci$LcWH^!Z9esUx46fs3oC^kRVBfWW7(w{%fl+kX1Mg60HbF zD?->5ktoO*EDACUiGV~JkCaCsp|bx73p?GcA9|wy+ANf!A_NNxLx>SZ9ye(g8p{k! 
zGy(^iij&8FXV!F4`$08uiqnnzLCF7W<1jc#D=Sv;ijaJuAqShpIMtFr`1^F>$N#zTBO%{`8W73@&?t!4WD`!e z2lKZk{K1~-T2J_Mt;aLH2akigG!$eRN)e4j!N1vvB48j-hsvh-Om``yJo4}6;iqdp zlwbU5^G!1k@*vz_<{=cBHlrZ{L*XIO|IWTiw=y^TLAUVJ)t>O@YL7xQMGA|9dPXP| z|Kf(i;GyuuqTwjW*6*>+Xx4OZv9rx_Q!}L{)+4NupD?0D#SWVWuogtkS&!K^5YZH+|^ z{q}EbowigPI9VsaqB{;gcY2=V#H%jF$iJs8Uo`)1+VI7Kv97`D1Ex0OkJgXPH(o$0 zh~P>=7Q5{2;(F|Lv+a7Kruk5zl|8(&|VT-di z#=$!*f>lR4*g2OMSllMIM3}587&;ooenv#gBF*c>7GGJjSTsGPH8RmY753`#X zys5rnJ)4Qa9Tnf43twhQvF;}0DO`{=C~78<%GXh1^zX2GYHiUWNo zHnz^YxI@xZ{`3V~5t#)qCYC6>Q37AaRLe53)`dj1%ZoWGZt=z}Vsnpa7vrf|HNFFN znp0I)B>z41jKw?}q6@AYywJ1ur_BmiOa_Cc^QZ{K}68LxxZ!ZO0?*Uttl=tH_x@2 zGV2@dTORG;b$aV>78G@|EWn`2X_KRgZHlL7xEahQ0^j7?DynBj@3byS!j4;)s6`k> z+w666)8x%>zd7bpbw18TA>eEavMIJDavtNk8zNt5*X*hTjPd@VB(<&M?GMx1k5lc( zTi>-f$kWC~nw#Ud#5Xs@&;Jl?;vDq3L_1~mL7UiyrA~|YE+++ju5DkmszzTg-}LYi z)3dQ!rtSuenp?5-mD0zQy=$p_rtWd48dek;jg5W6MCTN4vS)l~uj{GERD0&NBLjcl znQ!&k`EOG0@HbvNRMCja#UgjPHG>l{>G%B7 zn2e~Ds~*qd?8f&uju{Bcr5rWo?jno4w?Bwk`<|C!amYVNu3AgE_~Ncp#~wf2DSRkq zG43$s;ijvc)^A9{{DSuS@6!=2d`@?ql)B$LgxaTcz8X4}MN%|hAaqiP7Emu6JG@jL zH}-UHd{eD?Mc3SVh5cF?jya|Gd7nrMk6|c-J7OwszPxjRYhye6F1O2iJr^D|>2Fuk zJGfg<#;{DullrvaM6T}bm3B7zW#=Q#WuXt^Of-U{9zU9pe|fI7`F*1B3;kGUzMX>n zbD{$LHCC+>P0459ciV&d@u|wO0G(TVHWuYI^q1cva*fp3Yd(DL-l^D~-A&2w4jb>? 
zYMV2vs(ZAUAh`$1A*gQ+!Oz^G#&rYC3BKDq!1v z&eIp{=hYb8p;~qYrm;XLFGORGj{R}(CDNEBjde%$VGH||UY_eOOOTwiN|yb+=nazM za{dzt)69FIQ`fum1jnXSn!b;Rom1do(QY?rRg3Q)@aU7I|8z zpW`jLv!FHV-6elwBfGcs0rWB1$k3|U=BX>MpqIWruAh6E)E+U8 zfV1%1?&d0&_g)p=kUic9Hl}cI9~M8;UAXiw$O>YOZC!;j5?}RbTY>apW0v zg=U0Yj0IN1^l6jRdJV#-*(MmsXsZTXbk(tut9ifANE=%#P%``x7gq3WiCiX)lMCvVSahTzsK=Ss+8C^C z`QpJo(nigov&xpYx}~E%HuP=TB3(LmXhrtR*6U$+ue&bE;dt1eFE@|pTD(f;(H76z zYs)<)JQI5<&1(lfJE~Yk7Plp89!-6l+}L-qT&|-1nM_i1^36jV(JuaRXw;?5=Q>Bc zcHMCOu<1y{?YCi@P9)Ulpf&}nJxCf$jC8*LKtzeNba!>#@JL(R%_ZUEu^O+PzaFoHvlkRJ>MwUgXlXngEt(H#Id_MoVj%a(3mwJf8W7Wk?8CN4U z>u|nmsh7_^cUgb^Y;bVL#Va08b$3^^hG2(mvThgbH-4euZc?n9qFIL>S*ISP$Y)u* zeaLO?N&Z`xp1z;Y+oWizp}XN=``JM*!?;It)H)33sxJ$@5Iz*QrB~=B2Tyj{)6She z#5?}+;Y07%n^~{v+Og!tlY2(1FJ1|FvqcX6C@-u~sd8UQ!_#%~o5>;u$~Rgs)*@El zG3HqjooK*&bsyO#GiCLPQRB8UO zZXM5?U90xib@-*i5q*UNBInlSz1yg@dI|3i^n9LDW#7dqb8PLN#TggAhz_ub4i-!N z6vv&Un;f0Cv|j8$?VZ9h#`e7X%{`B{o_wLK-_vKMcgHhrdqGOU2Fq+yxumXZr007E zi+5eJT_LPvbE5yCWZIE;Pusn(J-g-3xA@`B#cx)+(*_r3Tzl+zHna7SY#62ZO7raS zlN-*@+amHrW>j^wH7wyhISY~z~$vC9w)0)mAHFxZE_GsLjF#x{vbaV z@kp{#vN$WRIzi>7GUv;uB_&Im*N!U6rm8KqdMT!xtD8@Jnrq;kQLmHB-HEMU7`P*` zR!`c`tc%_-|GdYkssq(Mk)*@J{f_j9QNzd~oTu@L$}F61T=x<}aIl&vBWCbU=Gk=9 zKDQF(?VNMQbmbg|eG9#fG)=ctjjfiCKYlhp?vdppeazErtjDX`hC8O$Mv=$r5lM=* zZp%7ri#FcNra$0n$xZ|uP>)QGC9au-8I|w)0M1ia?QCb_epmlkR$KUb2oMEGjv#EtSpZ? 
zp(xZ*>#X#-eW&6Bw)ExhQFReFJTPi?N`= zEh_r$UV%m*2YE^D94?$qTu^A=8C&h^rvePoOSmlm`Q}~Cdi_~hk*E9J;$}6WMJ(?7 z1Yc3u91vb<7LZlyekM}$@Y_83-K(pdER0+}dn(#3Jyp5kj46$$-g2*LM(5fD{rT1w z&e5rE3eGiyk?#{p3ql-CZ&XqqEm3W{^Q>r<)x4w2?Zs8_w@Avz3su8NzN%hnwR**6 zwZWb29ny&v|QzsJktN%L-^GGPn4daUD49~(WVu&cZXB#CCo7wilW;> zw^^wjTdXaAiGVcBxC$%jmiS<>#`^iWOvBir1^Ml_U)#4|%jM3lj~*JEyA>T#R53Ut zZM!CRSozw^G=qI7??v7pb2gD47B_j*Kj%tMax34>bz#?TzDg7uvNb+={Xm;6RKxnwFnd|vPhr81!pv3IC)I?&4{Kg!<+lCc7YZ|4Enmq1x-*R4` z?-F(QRMT-U8x?mq%h}plY2s5JZ`(5#Tko-c_L`#{`gR+&GB+n(QqL$` zTe7TorEG1XRu5Xp>v-CO2)J>okxzhPN^IMf=Lv*mO~Vr{okG2Wnp>VPSliqZH`shq z(tPz%TIh!*dzN+$Tnwv~(r9I0@Juw$#c@NXqnbj&LGpdMwb4V@l8G**i!*#L;MVQ0 zu@dd($Ig@VdE0&Flf6Wpl2C_QD_hk>M`gfJ8ux~Fc~;JA%vGUQ@dd-%x5V{2>HDCwn{P`_N~ip3rA-D6BfF`yTU0*9$DXc=ufN(REpu^KDPqORHfxoW!?{lr^kZDoj8lRi z`g~lY)ur3WF%r7-UA1nXvy<7|?MC@w14_p{_whfvC|Y@;VW4B^MgB?s9ef(OsM~7i zo8cF`qIlOiD;d&M4Ts!tC+qzl6>gs0ox!+sg#S`W+bbG5g^}qV^AMk}Hg7H%8|^BWDl{5=|B*4# z**o~Es4(n9TXjp=$AOaSiUVql!F(g%{+1Wp7$5SbuAh6Vtw*ANY$AqQ^E`dfzLi1^acL5w+W*?Hn| z@;f`;lyf|mUOl_twx`ZEh?O+9NXcCsBb+3$O8s~rTErT5V8NC>JJt$i4qZl+k|W0iVg${d zxC529FV{T(BuDpfXykiNNwT2I!=~1bPD=i}9g3mU^jmD0v!c->;)an(smJciRgKc! zjbtpHwK8j8p-Y#2kjaT^Pgt%Q;xDSTn|x|XL6{KEXT|<&jQ-Zz0T~TF+4=5j5ff1= zBZ%9073BLJow({P>v7MzjE@r&VtQL$)0dc&)k0pJj21y}sjeCwtT81MpVr=a@MsqQ zeR;p~O6xw%OEzLuzj*VZ+Qqw%&lL?6RW-d#wbltK>D{}h1n(%mXkNRQj7r+)`h(`0 zw#vKRW%p`U@h`x0#w)a+Xt93~Si~ov^k#3PT)55(%*}Hzj%}jk-JNxU6g0S`v--o! 
z*?Y8tY_-NZB-C!CJlU+F=bRlWSsERB)~t!Vd_f_ywBRvMNgD0Rgz0sstLrkGbD#89 zipt~@FLH~^UEb@<9h&NR_t5#`Jz|M<%2&i2L_hYdXv6aDe`54Hv$!VSu#j-yL9$*w zz&{Z@|swb6Z z=0hSwH!HO$0d8c94viE9-K}(^`x#Scnp7_zsyFl2BDCSx3qx9(=3g%hO>S;ZBYFEd zQ)yms#J3AYXe=7KB>nYD5u=gu5+i)-WN9l=%D~{-$d+de*3%`O;c4YK6-&wUBJ4r%(-ol`yvVrv~=&Prq zF1+`0N%l}#Wc{Y8nphvKm|Fu10g!*EGZ=Weq+Ux;Rg<(DH=DQEDlCd!@`bY6Q{7s# z?uoE{4qV*lV+I-`0tOtXukJN{r%6$zA0g!*EGaOwhJLWfb znE`uky})dJ+NX)7P$+t7_j~C$S)(+S_bSgOU94swB58I zJzXDYO}oZ`k-RJVi3tXQ7j*`@&hiPk?$TNaui@T{SqE1By$tw#H^;nE%H?#6v&EG7 zo93x?n_PQWlMrC~Ld-L}KfisPgnpG<^T*GR;7)iOoz=EF+v8(;11;8h?GKc^= zzq#XYo4G~b>wbaC=qSoKxn&iRe3Llo`j>AOx5N+ZuHIiwRR8wg-&qpCRRE;GmS0}xKPr3_rTaH8~rG? z>S3&*L+Y~60WT|ysti9T)x4dEad{u2mi+XyWc8boFrD0wDxeSm`Byqa*S^Y$6NRBA zpM)pQuI|1X7WPDisP?wvh%iSedOT!wyf$LEc4r28xJNX%dF|7;FRGnKLU6fHZ=HJh zc7*DZ8=`U?6apasPG=|^331zh*=4x;^-z^UgQBuS!-?&c>%C|mN9+<`H>|jhy`OCe zR{re_j;<7zs%P!Y;n(kCV?5=dcsu#gX%vzdbBXHc&Vwfq;0QQ#Nm*IJJjjOvSFkd2 zbf=K%JPKz1j`YbAB9-RFqhLz$qx#dx6hAohR%05KY(}BOZ552Qh;RjSN+2Dspyx$$ zp=f-0)%^0Rw~0qVJCLqpMkmoJ%uRLBa5QvGQ&m--ug78*Tj2?KIP-t9idm_lK@Ei4 zqHs_#9*)9b72#+U5&`W_heq}HVQ%x6!IP_yxsVw&lDD4^iAM1z2k|IqLM2+105>v4 zhem?d_26`xKZUtx1B$l`-4(8gRaJ$5;o-}JLPAGEK)-TmBnky*9+!DMIN6JbSqhn@ zGx>sm(_A1M&~O(&=mRh<)}r#5@chV@fM9O*9os1okhz8=KaX!8g1I*N84Ucr+`OrN zZgj|E9S8`seIQnl*ZEd4~Yyl_;f}ZZgf9m3Qd#hao?yi8W}HP0{TQfB8-g<24jPMVT@*&CQN{LF8^E}0e(JyAwdCQahZkU zVq)URWzrHdN@x{j0veA~*R|WAu4So>!y9{+u$c)=C-q~~6 zXPdLJ3Bnkqu!Yc`IoO!TnEGMkp2fw^3DwC6K*wd{ngdmTt!Lw4=N3a_Ik^OpCZ@i$ z9cIEp>ljV2*~~Yn!Op+)s-p&bNj)g-k2}ETrP9AyF0F7b*Od=6@!|5=L!i z(dtuz_qz*({9XE4J+d~1{zYrF?>w2n;$I*9-F;1M=cm9OXIpP|HMD1&#erSvtmACHJxV@vQl?%toKI9ajI{eSO`It+HU@Myj=A-B8w;jXZzaKzjM| z?O!W@_m$&VASUC*<-3`kwu4vxYA3zl-PhE1vrzqR8*fn#SXSk?yIxaDDoa~@c&hSu z7x*bJA7=(vh~=E5KB)2WSBu&}SpK{Fn%Zu0#hnz3;iGa6N-c3`Uv`HrJVDc)s{Gvr zLOgI&;HJP$fto_S9#GTYmC-NT0W}4kKIrs8ZaR4m0n`+z=^qdPr%>P&3Y_VKGktKT z4=zakK{xW(rr?4UxNZurn}X}6;PO7Wy#L3Y3AhUd?m~gPP~c`MxLFGB>HleG0`BR9 zd-~w3C*Z3m;2Tol8&ZGTm%zX`q`(*Xz!&+z_f5g~O~Lm~|F|;&UyBA`iw57`2jAWY 
z-`)pyRG;0=DVNrhj-0?*HS;%;bxc>5)=Uvz$ZW`{GSj7DgM!0Yq@J~cGq4q zi%O3csC2Ki$#f@AR8+2v96kd600BVYdjf}@gA0lnPkAWbPJVP6h2+ItqB^?s5D+Lh z0?u4gR#q?%@}a;Ltc)DpDP%g2f|_6YhxVsKqx$Xe z_92*Slb^xB-^

    gPs>EY^XDFl~ZhL1s_28RqZ1{jtp^+k!{I(#;9_oG2s~#iO80 zadUB{L!S$ehuBa(sWdYm5*cdo>5Meo=zhi&nkLoDhw4r7ro*B465TxM6dLqCO>->@ znd(IOviT%!XUI9=h$*CK92SNAMwQXXcnK5GC+ZPlY-}(X8}tifG{ZDu0=#qi=kf^f z^YIG_3J8nKEEE?L6GtwSmXJ|Gt0)uDc$~Vf-3E0nOKlw9*vrJy!O_LlMb*$Z$j2$r zj^aXQ+=lVao+~ihm5ogh#wdj?g7(b82K{`ytiZ-Ki=C5$8>*BNfQn~*SIfrE!6l0E zHRTpGVKl*JGq+QNjn6$?<~p(NU5aO>sno@z3aOI$2?@b397#Pv`y#SBR)AGN131I~ zrC2ER_lk2X8A07`J*9hJ>fSBIF%mY2B-NvPsd<(88CkOIeDPq_&7?PDJ0g-hxFur} zz$%~toZw&JGy{qO&TSe&}i?QCIzyjTG>BMg?EmJ-JOOwD@Pxkz08ap(06bxe00;*V4pYtm@&phL zARItAOc4O#0K#F)89?s2!|;GARItAOgRJS9Y8pMZ~);jMF4~Y2!|Z~);j#rI7|@$;Q+#6${9fK z0Kx%;0|5q;ICh|t!l`=+)Y*nu`8RkIhJednt z0S({`|CeIH{6#iB!#GhOaqf$D<&`-Y(&wP%iKz0CdH!oo+W3s`uGxwfy`@!YF)WO< zePVEzY64aP4d4v_mtsMCDAO;~RO(Qo!rY;`B2~rRz{BQ6f&Jh!OY*0K3PJf(!6*SOeua;e;S$M2Z!EjOrw&`D0H~3 zg0U76u3%0Hq{9{Tyhtt-jW4g7UtaY#@hE5q(sj(}Bszt;sSX;BhK^~fs><{ASj=K8 z0s;eP{!dmhD>XEzfpA+C0SQM!R-!N%XhS3c4ed{dM)mh$ZuFPMldF)ukR3FVx1SG* zM)4*G@hE6QC0djKH!?+sMuOJ$;B=Zlg}G}3inj~h6|RU?RfT^6;>&|VVo}i15pX#) z0*{9?56nCsob1KJEQRdSnS4ROX)cfrXt;|X^a+?IYf*Vjczy;~5!&E8xKkt`a}7y; z9^XC$b8Yf782Ed+c~kw|=#a%a5D{hrL9igRr`inn_ua1Z_NGp6F#|VmXlFz?2BJu% zIZIFOLPZ=Ft_UsRu+W>eD1K18 z5{=Cr%r|N|Xj_@fBjwSMl@LcV-I&Rl4#(ng({025PuhmX%47es4WY<17>&k32IJ*X zSjgZh`$&$CGzW7tvmXq@PdAM4$A+O0C?+5@60V3reSwBTA>~mREaWSSSPTS>CA$dI z>_Rdd<~twxuNxDEXTrf?A%DeTAU2Q{koV%`aTpAW07v6-kgZVJ_q@!^|Bj1*m~IyG zkInk#V^A1D?MT2(b1^g;^_QhnR(zIN1XV9iu2l*Ca(zhDPF{ z#w1{-teeTl2&n01F@^2V%z`{yo>!BL7#p@6JH z;S`yya8MDBDHE(%1$6>b(u({+vHxqUzBv{Wi;zbkkx)ZUb9|&CN*<@kES&PK?>!&; zgXb$wH}HQ_`;llxc`Oo*M4_QBc1mE87=k?Ndkbgu{^`<>{B!C5=KV+%xX`;mXH{TK`a@--w12a&=-cqT2wq96yv6EKjlLFOVRNlsZdy;V^^ zwCVIN05z=(Ai8^HJ8Sb z#Z?D6cfvX^_&rlS=PJapH9(@=uyuW#(!9@~c8cinNt?t5e8Bgv<7>3{T~6~paeR-^ z!q9Q_y>`i-Oi3Cpt%zSrEPu5NrASI`?ulosPRYj zd{ull*0}ADm6SjEU8^Sce~8iD|6zwn*Me07x&z)TS6R52!pC9h+$jbLD^5EvN#Ku)?d|>1|{CyRo z1o0P_*2pd9mcGm$<;U~*G**fK@Dj2N-{Cv0{-N~?mu*_8O>WDIj-3@ZYgWnwzLK6J zb;j8*!q=R+t+$#?(pttn60cVxzIpR%2i3@h<_}N?CE_bxZtQul97V^1;OVt`<1qjyf$ 
z;l4b{=JoM=$Fk*W!*B21GVTs-U_id=BhKFDoFPDrx}z`p%E~0%2b*3Th&2lzhq<_( zy7ubxZcXX5-Ev3#Qs(SG=6c=cT^7L?NnAe8fnyWzuf~???n6vq=b0wv#_oB1O(Mr+ z{XTvDl)?q}6K(H%D{AvwPBs`DFXrlfFUCXc+RfgG&k}|k(j{quW3>W4ex^&K0^$Dk z^|S8b;1x}#iJyE|&2iIHJ1o_>!`o5Yi6i<0*Oga(U4{L)=;QAr7xmrsTbPvNx4m~@ zo0@Hys#H`@85Vh&CsM3T$n>ERR(0{pfw?9&@(Z^`gg1yq()9Z8ow&Js{Mxmpa!&nu zp}huy%VSaN2DWJ~eUSR>RM6>jm@UFQt%nw#ydZY-wYS~j5W9sd1{+3CQ5H3<&q(Nt zIrmK3I!U;2g-ZN8vwcyx2Be~cpr|mVv^?j{Dbm@#o|tt)PH}$mJuyy^(t9voa54Yx zgU0(V8+U3+?-6_DWT-jnCEI*(|E87g6(bS6JJj;;?z(T!eI?xJPCI>|%c~;sj-W?J zF0#R1|K7s1a>gCK^xCTdro~$?UDMw=+eFo1DZf&t!N(;0$E%CnPkRY9DULds+sO3I zQju9_Nm00ywYPoP5+w;2{jZVlO z9NDQJanSAIf!D_)FD@CjxsiBnE7ouA(XqJHtUdvqefTKMSt;wxjtg~56ck=^bz&c_ zz^5iG+MLT5aD4MKVsE-oy{QhLjWK4YpZ~Lz-n``Ag<0z1oOSPS;WrC1QZA<74$Ufm zmZeC(i@sTInC?Wyjtw0BPpeh(`*Dc!>(-?dB*?4|qtmFWr?c?d!Y~gS@YT}1g z{_5D-H1^Z`=432WA6A|-pxmyxW4-kP+S|mohX;A@c1oF!9~045HSqOaoUd$Ul;~1g zx_3}rKV$Qg=hikGX}V@TX3|5UNff1atMeY#R#m!teVnc*qz^TnC_APsb(t^}YTjd6 zV=GB?h^-EPtr&;Qewd#9Fe&==(3auCl900b<&XJJ1Rnk1d*TBruV`fn*C|eSM5^1h z{n;qu>*Y5eM0i^j?7h09py=JaIgN=H-tmz(VvZI~SI@5VGAiEo?rE$&Qg2oH!S{-` zm^|UO;>y7?L!+k&b|=JFziG5-PuaU-=d#pJA+oL1d-1L-mp5zgwZiY<=q^;i&flk1op?@;#jmg3rw4!4fxAWiN- zWjV_ywJsb-RBgj!%q6guT^){kBa5>hIP>2ZnUg7Ivh!GRh9~1!d|fRnlkZ5-{p_vMJ==iFSp z@7=A{9A0GhH;RpD_md(rnV$=)a*HL&T&D53d|%c1c%J9$Qy=Lg$=5@#>2JLH?)+*S zoP%ku*Ktw*_tGl&KXi9<+Sr{nxpgoiQfNb3{`)whoMue6NlxYd;ShVbUeoy<+9JJmIfcr9|PEc3${=vCNq$i^4ZSa+iGj&R+=|t4~k4=0FWObLNn~`0hiDa7sgl zyuW#aZqen8ZJTrA9VZ%Uvri=>%MM)HUEJ_A?Rqv2r-UpsYsTmT9zRp%o7KVza7y!zx{{9w`HN;`)|ErCTYLnk{2N|w)_BfEUFhxgSxa{b3{ zZCN$+_)5fj>#ZLO$~mNt-Kbv0h-&T4kG z@Y3`Z?#@4b$@(ha^HO(D3$L9?aJ`VGlmdTQTvOd4*XYIJ1E(ZceYlaGlBz?_rf;ub zCK?s6u}?g(t3TxhckK$R`(78Ha#NE>%;$JmDBTj?-Nt*%X3Yn;t@%C67fYQmD(W)0 ze6u~L)3278osaq0Jt`RAek^5;X_81FAujmn{H^xavzC5vQ|?w*5Yyjyasgd< zT|0KG`smn&{v`5=RY|6%(Q--NHC#23&a|7SlLq6jMnBZ%yIa|~g;2lnYQn9Cj&OUz z@PW!tdKtz>ml8e{EIqsa2>Qr@(;^Gs@48su%N<^l!Bxp{JC0 
zgysyP#ma}Dt=%SDeYMZCj?4Cp;T-M8Is23<2~GsKxox}TRZp$RGfh|7?i!wN*}2EP0qS2ft$N*eFpbI4Lx?Yo0~Yx-}rNQ=G|#Nud=Z?K&0Q<=DJZ& zh>E5eTa00tKU-hZ*=Io`+^4V(1G+cOPwDSYbj;{B@Qu;FMV45SX5`fosk1Tu_T_gC z=*`@X${}QJr#l+Th2&IpY7ODt*eUUVo8&mb8^po0!uPTQE_%qx7$Z?UmLTi zbK{)@%a(RaOYPN{5njY6j-!eQwzlf-4bHlwHE>|Z%hjPbS8LyDTM^g2*8f0hOte<= zo&J>->5cWY5Z4~;D~p~4-lCHJt>a5G7t5TAoztgS!avtR{zB31{p~}UZ8;5n%}MA; z&gWY{j#pIY5QFU}J|$82xP%1_kHpW*QDqDcl=QzXZ%=3s zJ0mXL@F3OMEGBLj)z?e8dJ=ZI{`duiNywGU=@tPeKhm$j-j4d-Im??Ul=oU<_v+{L z!^!Ke-G2q631qZyRbL-saG>YmT|b9p^)?Cpw>gJy(2mkjo!mDPLEx`l5!%gm$iGeuk$`{`Q%j{Y1r-YjxBuTr_Oq{_HnwaW(l@#HyUMcHhgybkj$&rw({yv z$+M-;VAMi)d~O(Ndt-Q^4zsoWq-n^+UA1QQlq^O*XbI`GJj*%Mvg7 znzbZ0`886p)^%6z8eVAH-x%v@w%w3EW?nTmoPO_&e(Ge^9mhCh-qvB!qS^wdh z=*Icv076(H_ez90SN+CV1^fHSiTYTWKFUwKajyj7bkmhjR*yr^>IJom?zZr+OIjVL zU=ipa7JD=9`r`)==g6{^iCCB7HN(z0-aU1``0W1jYHQb;>@`oMw5Zk4#rJVHKyMQ&~T&s8B=JQR4*T@H}fJkwB6S;Z!Jypujk#9 zn@`?TaE5Myz!6ht;&=oax*YlSOq|ikcnK5GC+ZPlY-}(X8}tifG{ZDu0=#qi=kf^f z^YIG_3J8nKEEE?L6GtwSmXJ|Gt0)toE3@jlb{o{SEVXfXV=og+2S*oI7ga;wARnhd zJBkaLaT~@v8}@njPBu0{7^4)n2--6{2lE(HKU~~w?3^64ph{^0sFIzHgNqIN`KzAI zL_}0bP}q^3lM9LBShr*;qX{;fS*Zpa8?DydS7!an7k^^IO5uH_VBuE~4lLdf32R!G z*-$gyVgDkDik`s5cwnkzYYt!>AByJ^!2*Err=CzITkBw%m%xBQm*UzH1H-|=nAss= zYDU(&pQzM|v~hg~Y#!;svI(WnYKs^!HM!waD{@Qg0~4!-tzUU48@lYfFn|R`fW$xJ z6IMx)1AYt`HKt2Sx7x2aaF_wxTh#leOWuu?;2#p$gE%$X*Cv@BGnyNs;2|u?fC(j4 zKh-fxOBFE*7a?hjn-IYQfbgfD&`|d_IjuJ0c?f=Q(rEU0On;1#!)SI$k&#|(SWa&y z;_XP0&*gEuutwWLwVK5w z{0G6?>Wo69KE_gWdXp#HH8<4ZnH&QqHMYBY@MAD)Dg*xAh1!Pq(I1MAZQN%0+5Gc| zZj)0*d66Z#O`nS&4utvSkB4;#t5tNpx%a!f|GFKAk;CJ)FD57(#~g;uKD4A0gD0BM z{M8;GcyV_>7q<*BUed)vo}3=K*$mC%67wC4eZ63RT3 znauM%%TUrl1DPXJ=1j>vLV%LkYp;e|Jpi7yL5i%be!}3zVG|rKA+mper$W+ z&$X^~Uu&)X-0K=2JgXJ7LUdNpZ9dSD&_usu^CyplCi)YA{^-|)Ui3%E{P}r8qWg1< ze)aJ%I4hSG@lnKV8U#OeM_KhEVY8^G7vKTevJ(9Z6sHCMByQF0GYWe!SO2H z<;2H{CH-JgLtd-#UFlFqn?7Ab4cD7f;fJ&I>CEoe2dX@}fs!*IoFX9c&vT-xhC3qz 
z$GU5si`SH+<}ZIK84b~zzq-6!lEtHP-h4Rnw(r1_Q;}duQIyR5`{{)_-Rg2&*1?=jb3SVpVey>_YV_0!Dga{;x6^_7_Uj1V=i=edU_ZtszHH+Yb zaODHs;C=^O%?s|+{;XmVg!@Moi?DUILcdi3 zJ1_pNTR9ML2q;VX9npXJR*shxioe~;u?O7B0q*4Z{#FihV$x0EP7V%mCkF|*iv)Ko z2krp;5R=l$lWZab#X8nDm#8=IqLHKhb}vWL3Q^SxQP3!uCh4vaDc$#YuKe)ah0B`_ z^C5%>0t5sW{LktL&L0!heP9V#Mq=jq{`Bwu>;)8!g!jc^M8M%IQwTT^aQKP<0S5vO z_y`dAfRDz1CQnLqbkBG!rra3-cadt_`?|NT5FK2amMCiPJpDNBX*l7500Dso|8qKm zMA-_F?%POCyT|S>Y#9oXLze;#GA=C zk&=;s)w4riSI=-|QY62xo{`YXZ$emaCL^VW(d?Ilep@=5W!b?v88x%RUhA&;o#p;2 zt%PHp&wU+Xx?OdlUu@Y4PY4(gc<_()h1#jSDeiQ^&e__Eq2A*(%kjgDD?|*FrBxg& zL}>>jxKedYpv+eWqT5`@Fg-;^ctXH{z=MCRFO(;KE`>dKKN&i4)pA~w zy4NF6Y=uas?z4b@Fy(`@o9$d=wQp;=VsX4z{k_Be z5(~?vAyo?VCDkEqf_FbSEtzyTx-1LQd;h)n!}}}JBOV@Yle0A*O0Os9ho+ACvZSfa zjcZl+O|as<>hB$1;T@k})?$j9*$I(yHx0 zvZSS3I~qkGH~7YaKyEyOtR51`{Uahogv`AT5<=!)2g&!D+YE^2Bp5wt4HX7u*<_V*9GoA=%ED#6ub zWZ!Ue%O1NKvWR2Ci88XrgeL?H2t3$$UpN^h*phH?Ic7@mg?sh2Aa~8<$0ZjQiv%at zU{g<5h!Rs4J*LbOJZ4~DX5G8qLP2%JsKdv&uA*eL#fVf#VF2L?0RsXL{(-)rKIcBr z%re8fV~%C;jpGVY7B5%hLf|iI>d#&-`13D_*6o(Q{`-di)Xmix@C6a>>yPhmuKvyv z2L5l}UH!Ww3=FpFbHEA*<{y9J2Ls~$qr0o&cpJTcwXXRaUl8G1=ld^+KukZ}UH!|Z z1yEo%fkvQ!aR@L9`OR|$1~$3}=fLLqXcW#?WNl~r)jjuRezaRbLGT?qR=-)>nCS!* zI4J;s2^5MI4afX$w*tWcBMKB04dMg_0Y9-@kva9lUi&Br49`CSe5JTitPsHR1%ZX4 zKn!bfA%K$tI0xSS590a>T=*Ux@OAgy|8f(eamFE72nxoEf+Ii^!a*?r6!>DG5oibo z1uScTZ2=OTTx&*AMOiJ8(~7^@`asvghVRw^Uv~rlFUN<30TRKnNMNe;)d2&=ip05f zz;VVVFyP+-oH9@#IN@)eNW!{y#+DW!Fjn5P@~5}p{$o9CWM^k(%g4*BYiVw7X`yRl z4Ez#|wRsGU?TqYoc#JK1oq!VvuZ_N$zP7DCH466Ff$C=4M9#A-=blK|%0c zK!DH5Mo9vL05>26YBgUeUTTLP2ii)!9vk1PW2z=dF-@i;d1n?dL#vN$9xIosx zF%cK*y1+zFDrl|7^|f29qY1vP2z;GT{&IA%Z?GY7elkS~{?_2ecdjk|-yMO`SMsb5faXJNvi^Pfh zYFr2?uIEBApf>;$8*m=aDeTW+!Z)_x4sI@)_!kPVEP7%{Jp%ajoHnKmqTm@5uItap5ZhV&jSc`-T@V zb^6^dZw)UH>tAd~d@TSfw^8=v@e2mVMMx}=Wf*V^Ltw#Rjuio4_0WT(zt>QapAigS z1(5%M3VZ_$3I~9#2KJ3$AXwlC_hVo`i3^4=0)V9d9AI$ZfcRTnYk3_s~3H=gw2pc8^51%`U?-=ji;IVcQ{0iL9IQEhl$U~6l%HZ1_x z$_t+V*{lGDFCoZ(QbOPeFf#)tdtg=o{5ioW86-A15`$v~t_l7t7mKe;U=+1cx*@<6 
z2!?=x+_h@V$y<+5!260phRP9fDaIZuo(lkHSD7{Yh{?ov^_0?z!QOC*;QE2@V!qKn%bk6E7|_j=L~$)qjB4PqQt)JfSu&PjJwZAc*gp630Do z4sh=e0{cl~gX7B+YUA<*umUka!E^!u^wrGr+lmJaEZ5*xJa8_?8}96XYsCZSV6o86s(~)f zN^~tUIGF1IHsiMF_-SB2=}>Td;R7?z4Tl8=P9Ovnh~ZmUVDt&*{-E#wJglGfCpf-H zp*Aj3I2i_g2dvcL#RX;-xQ-6E{PVzm)}Qe81gzq27_Ze8P8b@bXWRk~&VrQ{2}R>v zh*4ijx9Y(9-|JBL3I$e&H+;Q_)wwztB0#af=MOlrJO<(bN>yM`Tmk_YeBYr?|7h!t zg5&EGAlrt+0?QX*yavXj!1oymJdUAYJrfBg>Dbl69h~T+a3{Zy>u3DH7bwtz8x9PO zTkHlO&I+ubAy5<+f@TG)e7JL9e2c~T39paqXZ;*spU@lEC!j*0pQC^kJNOy}`86&W z5P2}}28%90L18Fdtl#7HleiH0`UHjt8^sF&;z9t81SsLmi&ybNfQ5LVSwPT%!#(;h z#)U5=zi4_$~!EZu}M(2Djb^0Si}u5ZBKVBLZJX(0DrXyVcXrOqMaL9p?9v zCSbCx(dDa=cgv&Hqtcm2R^`5k8<8;agNYm9fRn{t!pPs0Y)c%rgj3N? z+~RJ~iJtvfLum@{Yr8$IE64U@A+cUL*LFWirGCj|Y2nX#m25YY{9%Lq>u!6u_W8M= z*Y+BJ4K>bBK{yr{T-sF0w1u^0T;LVNFk-)=tUo+{+f}*UL<}+{?ETN4a zW>0MKm?$6_@F3RpeQ_<5Jo=`p`vjKZqgqtZlEl#>^O~Aq%{L9qI|uX5tG=B~OG>>&FJ$7!9=ypL zLXEI7rS49ASH-vM)y`2OHZ}#%6q9|?ap#THP4`7VfyUlTZKZCx0ds|fSKr<5)V$}` zU{Oc1eZ=dYf=sG&ZU&2n<*xnQy|c@7N8WE!ITsXsoQ3O}d|C)=%}JYzCwsX2eO|CX zR83GZs&7Bsl8wq&^pO?5q~B@8+Apg*czF75($m3O7i=tY^wF7tK-E&gnxynt6W#cL zyhv#Mi_vFWpV`F6CM=DkBy;5(-^|vMU(}8?4y3r2JNaTHVt?Dz88^-3(!rpxwm3_F zbz{>V6{$o*cH~wKhlH~dgXeQcuP|6?dr_)fsPK2d%!cX#=3!R zh-s-&kV$L#%UBk#Wz^C{uNi~zHR7#H5YMd!)z+WbhDI*gBJQOqSr;!BJsP%rUf@z+ zAfH@seftSkN6)-=@1eIsg%}J?!@j4PYR4DVANvjt6I{X-QpQchD#TVdqX3pH%8nBZn>_}tv={dW+ zT!m899Pt#R;t=I*DSX2dPTX4W@`kG|^*PeiroP?M?rrm9A*;dE8m)$oo0JB6cL&RY zvkK(I{TxMtka9CmlzU^1so?nb(9aJZ8OATg zez2aiJS4I6fuo0wWlDhSPOEq*X`Wf|DoSTktCwFrLS-E#)oa4+Ia$)jTVHiv?ubEo zu2d17PIFp(*MpM`tq!9~MJJwhRqC@{jH%9Tr#(pTX&a-HGGl!Y`2tmVIu_lQ9e72* z^NZ;jT~)9M8oGO%2Ti5bgW|S^}24m6Dn*Y=;lsR zcv2a8oc@#I?bg~%e6ZIkls7inT=qL-qNXM^MAyGBTXvy=?xy$M>jv8yPYq~Xs}>H@ zBlDZ$Ls~h@#%IqAoLzA3$<^kXgcua+O1oK4Wj%Njkex)Sy|S2WDyNZEq@AwxGp6@P z#;`CrQdIV7dlfM4jDEIXCGk=mtYGtPehDEo5d{(1XneQ$5Q zq}};)Gwo5n?!JpG{sB?M^QW!$3wBIw2~_HuIvTJ0(mLwNflld@@#U{96bl0V?1C%x 
zsP>(8ZJ(ZJ@mNa#tQ75TrG7o^%7N_0WbBaHeU*n|(Wh@s*j}Z)a><~e8PycHD9T_}uPFFuu5yI4^t%zDIpIJ@-$2Re%Mw?qZG+0%Cc0Or10CMC)vvEPHrKS=a+EquQN^? zCdI&axgO2Ed)Tmsv478<*{9)@6Q^kR8J1hW*RNx2lb6${aJ-MuY?&Wy^*C|JK|<_V z>VtzLA}86JuLq&^c6yx{iVkgFGNXmh)t)`~FCvh3idZPn=GC>yMdq}( zyPF=IQROyK5;J8iATc>|Ja2axIHWO9s zgvCPl7%`#~(-kLoX>%nl1_t^Wt(>!{_U*bt)9Hn2MJ-;J$vAYUE8Q|iCDGy4lSB=6 zr;zPpSGMJA@x?+M-EL@fAC{Tt8O|hYkB_?j3=kFeK(4W4WfecITS$IZfglHDcQ;Tmh{Mh=w ztjlGWeO}e{$6QxWv+?+YeH739p6c%&yl#3Vfc5xw$q=WM0}Oqye2BcO+5FRQ!&1EF zoA2{!26i~B$CCM)zI$(dYg)hiZT}vui#kbcHPWijdizc0wkPkcx8HMKJtMSxYee<- zTP>LL)A@RbO{^d;o#g^ZZOlaeDJH$s&zkyo&AmL!F6OJY`>II%R^P27h1E#Lh#_;% zS;S4v-TI>%;g71T4(f(fb-L(2i9kDKju`DN>3+jeLACktK%ciPY~;e!vxhRDRLG8$ zDa{qUyQ4ii*5t)CU*HwhnmqR6(z$1(k+p703Z29xwZXXfR5Z^ujr6X$UPQshuI~szav!~F> zd-vv<<*w#=>D2JH)B-kBe_oXU*XLooC0Y-3Y9KP=KXXm(;F(G`MZ9S;y|bSrZc>p) zcg$CD_!dbpYdH110$GK3JozS~dgYdyMBf@>R!O$w`yLQYZ}UnfzIt` zrm(b_9(a0`(msR2Fmz{3wHF0Adp`IEGtB`Ahno2N(`9KKyYGauF~quhp1;#cEqql^ zWRoS#lyo!OGNtl?snnzg6kg{u4q!ZAUiYGmtSyYr&v<{6KF#6TPG?D<7m<5Tafu3?ctaM zCtd&&ma$U3?Nc{im4hkLcZ{))V)V@Y9yN%qK^`>&nMFF}t{7BI@@8jcrAa zOc`XE-9D`Uw%DMaTSWqQpvN5(=se}0<0U_M!Yz32TJYRv@|&~DdPxpJabDYMDd2j_ z@}9~H7q7S7iSZB-WKLPS_)KAqSA8MXpWvaoPBrMA7=gKG!WiNbl39AmQxT?+1-5{TabE7oHu`{8R%`SCbbJwm`Nrtu_eA^_Fc{*QYMm5hVaawkQiqS_| zUE4?5Ks)laRRkOK^8u$``%m-PvJMkox*HHKp3ncnJ9+`#6 z94Ap{E_^-=Z#$;`ta(VvjR>mLP9m7=md}yc=P=}RkfEcMJ|$HHD{M#A<;o_1^}yma z5sRXGk=f4_U0|uwz4S68$>wDm?`OUE^^59<$--sMHp#pLw@GIs1Pd7ejX8p zW$pHu@yUzoR%%6gPG(Voo2o@J%ICK=2}m~I-`;G+CF#_@Goe>G^iwuevLX|rJ&ijI zfJpgXp_CcjN)w5qV;9Kbl_cGBM3SM4o_&Nv{CaeCIqALtuYE3Dk}WEJ7}2QR><`Y1 zD|_i`d!7mNQpM1*Kltd>WI>+|-WCF$35*>wI@wHao>U#ZU1nrgr}on? 
zuIg%(vo>*lw)cL0CY9t`A?ZFJ2BzEg-ZcVHZGmJ7MQcAc?W@t-8*6s`rVfQW+7a2p z;hG80hU%fYcX1u+ruksKX=`U#j<3BAJ>+`um;3yWQ{vIW;cw&HLO7&6>V?Dg-n&g* z+uEM$R1+9sN2woJt`%Z`fpy@T4!TwE8ff)8sJ-?b=6^9V)lrHl%a)&AD(1XzXp5 zPBtnm34mD{p7>zZ^#2d3nq6(9Pyl2YA2DEP_6k3D zt8$yn=nclz$GzoJG9N0WZsmQ`wP$~?-YX{FLUR&nnNbqyl)9Z( zF6|6fE+%`eRFT0j0doq>u}oflCsnN)&?$PRTaNckuh8W@C<&xi^R`Zk2^79|U@)Od zUQ|Dl;UV7)4 zduMG{%g2!R%^$obp~Q)A_OV108}92b*g2I>oap@W#LWToC&s}uKBwU6;a!igRr)y5 za9K@iTZt13igxNcX3(2$lAbEr3Z+xkGpjxUHVC-FV2XR(UhOK7=`jhtN-GH1mEH=uic)8|@jV@~l>0Gewie+)i z?jThxv5S7Rq&YE6MAaYbFAeGEt=eNj9#~j&sl+0@^!`X~ zVX_(2GjWEY%zNUjStLq_RK^_YNzYHiX`EEmr>a~)B^c_u9Mui$ZrVJMTUj_& z<8`jNioufQIdZU#ek9dl;p0vZnLDG^kMFs^JXUv4W1*1$f}CZwmGXFLSkFXP0cqZ` zkQcsz0xFTQzGR+ly)7hTqFs?^J~_Ua4k)(cDl_+Gi`IQxr^lZrCHt=bPS2CPyw4WC zdoSw4D*abrW+5<@AT8(l5am$gHA~UiudPhYLizgoy;=?HQ~TeYDR_X+(no|NlD2xEpjT=rFt<|v!V(UbbM~#wZuB~K zxbzs0*1d=?){p4t#-3T$$0UUBGCBUjy!#m4@rYw592vWGcbvM~-P~LI#ZCKdkw#JO ztII6M3`u1)&*zh$ao8HD=e{ZM_DniCrt9;Q%e#*trLI19(Br~m_W;kGwW06~H z5H+EW9M#WSP5i@1Q-k_2l`Mm{)Hk-EN}A4eXX<#~OURi4SM zv|vE!T$$LQ!@Fj{(5r=MTV!a(z(F=oOWwhLKTFAy?zf*U+Xp!! 
zdDx@Bf^^TfUgetl!fwab{~~ZDZ`TOsg!kxQ#?%++UY&ld->wZSuk)+i3gK2KDj7 z0d<#xrJn`Hsj^;;MIgT<6lA;kV_#eazds-aB|jsc74+de>vqOLq3wp(&OCtnoA{_q z1-{|DduGzxzv0J{XInJa`UC6g6Rd&1U_su%ZC6-uVIOl#sK%snP~ytz>hXI5bUN2) z$_liPxA|A!FNS*+&CZ-|W%u;KrTgj#qqjG4gLRwwFm+riN=BNR)bB}Gxez=@9x}(o zU*r=p(bV>O>+2G`%2E}2GxUp`i_|uH0sdbU7>$a|Za-ge&eB9xzgsGHt`F15`kX0k zwk#gU2fa2*34P66ZgY?FNwu=tZFEo^oQ2BkOy0eMK8g6lC5k?~z(Xc@Fl{|wzb92C zz_c|o{xd~#ef?`H16QpPhFrsWy#n9y^}d83eQY3= zp|YUNfkKkA$<+0_j4(LdiGtl9Oc>9})6i69bbL9tl&t%DD2euDGylWt#M@i&**kvx~U9F@zgY;_Pb+4PQRIo=%5awHcEd4myn{P3(waMS}{Ms8mvp7e;|7P7GcjV_+b{cfJeoH@(e z51evw+3V20_#W1KI#N41&e7s(W8djBAs?7Vs4@esGvbUEZY^_3g@@$bf9q7V#QO5- ztRx-%ZDy^9a7TNYY@uMOw;h;|WU{Wt&sewh?`fyLnrzY1^x?sdWGbS%LL$TP3+a`# zF^4mAt=U4GA1h-bUypOqM~=ODJTM*NkiYgJyI@({kwzco#4b&!2!3NQHXZI!_ zTdVuntfYydY%~p1EiJ6}3wtAfvW`sTBw6ax3^MJFQ_QWl?ZNJO zW_F$osjN|#OlV#`$*}MtLYXc%Y<_7rqGam85k7ZU_xYm}Dg!MC7mI}!tUU!Zcclaw zOHW@YI)C`FJ-fx{Ou?0a<`4xf8~2czXgde#t&DVcZ9P3GpITP5Tp>Aj>p`w**7+VH z+Onw6e6^<^$okdPb2tkZSb!n9te+~PzYs82J?rz{h%cn~7gAm}8<(1tw87O(=!u_Z zDdmjn#rRWFPwjQ){Iaua{LA@|8j)c4g^OhvX5b@eGWkY<6ymxyoQci*2S6 z(U1&Z;x{}8zUKMRjmXZ_BngeXt!@>N8Ov(xkY|##+q#=AsqyjjWhcl$bz9B9m;o0@XSA8}C86)5$d9 zrL3*@b_h2d+&Z+E%w|=*h(`?`n_WekJ~Y_gnz|%9 zp7o-pi7H`RgTpKMTk-=hdt4j3|K^!JNKtB;7MeJzE5NPTgbhlxBD%%LRFY(PTAqhB zV=xyN8g9m@r1RBprx`YfavUFQNHJ-@v9%O@C%rIHFDnewIwhGJkRr6)>2eQLFMR7N^VtSv(7J#KJ( zFQ*?n?XpCZ1cyaVmcIn64677-`Xj!$T>q{1G1>;lOxS0JdyL0UU#(Gjm(OxA=%LuL zD@{-q1DPe)nYXXp5Qb}nOk)lWIEj9PxoOeE_6cr|%Pv4@qh;YYi|Favnh z__eI`1oir*4@)2Iav=(gADOj|kD8<(wnZ!7oqv-2`rw(Yx;=)}?>3*RAB1*`eQaed zmQ=q))81NdUXs;NB^}>S!zgY2boXAFF>{k+jtgnYNeLGw0#ge1OC$Nu_5^CQ2bEHe zWOI&nVvDk4sCAlyieFv~4&~``xN;oL^04r&jZ6JpGxR;Fo6hG>k>Q?O$HUT}#tBQP&fxkl?% z(kg1pdNJ+1L^oAjUMr9$6~)&rEqUQeidO5e5N2r-Oj4fjJ4EZGvLtv2@ue4cccZPH zjlQ<|+I^1bb+^Z@uWkQfFI_Zd&4>zv#{PSI>4KYXu;7N3-|sy6cb%w6EGazkHq+gN z+b#Fo&t@{>O(dk`U^87du$eCLCbHGdc7J;X@oqU%Y8qOo&Zf;U65;*34t(29cWxGb zhw$?ifdHayPtg;f>YJ-4?k@9*GMm*SUMGa_Zq^AiQ;_m8&XhtONvI^8A|UZEaROtU 
zCBs{;J3BBiSBI^GP(?ChA4gs51=}J%jq1I$LX=usomJ5~#KdPFA(fS!YmaJ3c+=9s z7jCFvHbOW>K;mEGM9$>QV@=Br;y|mLPqj;j1Sfiy1YjXYv_l;i1#Cm5dIWdO1M?C( zNjfU_gNqXG$`rNNR4For=?)*LBvp>Sv71`QlS}rL58)I6iGPO^29Zt_wO;PLo2hA* zIZG&2d>Dh3hb4Dy}v z1p9`?UpgWX>@UHz_96no)}Z)n2LyusHJpBb6@g&CBk>m>2?YC#K>hYI0>OR_FCqfL zehn}J!F~-d0>OR}F9N}S5imjq`!&D_1p76-2pQ}b@gflH7Xc$=uwMg=K(JrKi;%&7 z5ibJ4ei1N22KzO@2n72zya*ZW7x5wx>=yweWUyZYj6kqo!;6r?ei1JM!F~}iLI(Ra z!2SxsgnsQU*T4FY?w{jLnOq^#HlJC&K{I5rRQ!3H{C069Ys+QA!~c2+Ob6yg#XlGh zvrHY$%bpxKTh+K6zZZAsMx#?i# z_43ET&lcVjCoG*<)nLGe8iun?2R4}~VDt=y0HX^r8%ukuZ$8hfPl4eVE3cxBwuP;g zwvE1pt}`gL2WLd|9gKDL#cZ^}^V6($Hun0s_mBDpy0D`ejVJP zP#?Hd0Y^3PaewC54nqDTzjpLG6PI82YhP`kuZV!{2yniF*wrY%a~NFTWjkH-yz;iLrX`7RD{B73X1_TZeIPe1pc09jpr@lf2_D9%rq2DrUyp0}HD9O(>UY_>g6#M$Fu^WHenTU z)t*2Q1wu9eMEKuJ1Nu`QJTeouJ0>HTcY-@eT5nzT2w5T0T%<=YmOk?wTp0v!mw;U7r`bp~R$Sw3=E%$5GUQV0twWB#P-P$UFL z;VOmTa8@`JgZURLh2XH?DurNZR@?{UKJHH|g)o0uDTKk59eoGx->4MAHPH8!LKx_e zZ~Lc}LP)$yAq47QtQ3MHp{V~@rI0j*(H~a|5pO2nL_&tE6gskMS4vI{+)Rl{NmdsZ zh)Lu(ZKmE$hp?t4Bi&DP04lr-cH&!=P~+Rs!+q5&L_5Fu_NG9AEn?!(t6Z6=b8n8j zsp-wlmZ*{IH?_c5B5X(k#xFRxiPdo2jCjZnWq} z+&rFR*=YZ1wpe^aZ;kuo{Sr|#6HYa@npM2&1B5pwK(Wdw0xQ-!76A$Z6l(~q9S~SS zfMN}SwF3ex2vDpcuy#OT1p$gR1lA4+tRO(KhQQhZffWQO)(}`bAh3b}#To)@2Lx6S zpjbm-?SQ}v0u*ZqtQ`+YMs)5(o9eyg!mUt-M zj>$jhh0Pfy;pay*$O%sgXb{Nof2l8U+Nyt!Fo9G1uuv||9Edj#bytqySUhI6LL?;# zU1ry?80ljFnD&zJK!AY2g8z9PfydfIN>XmwKvMw@U)K6*@f-$MF7{o0*ZM-N|4{K9 zs0qWa)`fjnJO{(#isuk$P&|jg70+Se|6=hR^7rC71d0{+!MKn6v*I}r@*ml3Vc^t=-Tn)M+;Ch7EE>cBfxuYNP&9}O4yq}Ua5xVZ zgN313frS@{3yy|;AD6hIqU`#}kob|UGn4ye#9#;*4;G6=0CXU59^`6da0CK}7$~_! 
zLs2|15E-tr^DAPaCl$0-1JgRCtjGgh2OKCd{07`QJGNgA4*`RLP@pLM@Q|QE5g07; zPoo2sl|M8q8b3N*LF;!Z;@6`CkRh-z2$~gz`r3pTRs;+Q0EHqktSAiZE1+xOtpA~ z76Mumfk3jNkiQX&6@fwkydc2U4;Sld*8q44e={2t*0nRXv;d*8@}8AHy#@Cl>tQ21 zJ1bj0US3^Gb8|}zT^nONeH&wK9z$b0BYPblV@qCJTO(c@eKUP+TYYXA4+Qs|`?u#j zMt0_AN5GZ+zz!q?|7zD&^8WJGBH>6JPeBJqfg>0aiGr~rkw_kpnm`6cA#e!_ziWL> zM(bMv3B`|Vov{6KTzIVjgM!3^iwlm%B`6pu=0?F0fVJS<_pFtb7`Qe#cqb$b z_51aL&W6Rpkw9Rv;Bo;3-!oZJ=F~cV;HwsP*#SsJn!{E;0*bKA_{S(A~l9TWi3%hZ}f&nFkAy6;ydg7ctJP@sR`S`v;1-4qJW{W)NGf&v2DxT3&8(gqTTM6$v`s{yG4fgxdF zqzea$7Z)q!x48a0sS$;zQQ&(20g(dCMPPALOgJ3%TSFi)xcLzT0R$g`U2BN{(govb zAGqLuK>Q#m&@FL;83<6kufzibVc=tp1}X?95hoe8w`vV&?q2U z_&owlS$`JTPf`e;N`b)s0hvPLBnbv&1qMb|u+_l83=r2NfE_n(WCI1Uf}Z+cA_$)L zf$QD4_@SYIA6N)r2oPcbI<6t0SlkE#1!NG01i1i*!CGqiahQO@6Fm^n##Ilx+8t3~ z?gOUVzcB+pAfSZ5wZPZO_qu?-Q#)XtzR~d`2FzHn7&Oj}9nkVCRiP-H0-`}iff|*jq4K<^g%FK0q+C_D!hsr7_*~5!iHl&!iEC*S_SPdg!Y}1 zfD7CxY6u8!0Sx4A*45z(3M@~6Q8I3!47U=60a+8QRY2Aa`quO8J1K!~TuPu|i39=0 zd|(j=H(pr{42s32H53@WgCvgrSzzlm4*i{!K=GtR)YuFxrLgjfnrYkVi|FfG>Ves` zq`rlroe>xlxj}{Y&uYr=>mU-pSCP zpPvW`@3shpm3!W;Ss@OhMUjTes&b~@adBChA7p9HKu1%PdR`r|F{Er|-UO-yFX3*m=UuYM3Pd*)~O*!$Tb7Cl)7UCT>WJ&T2)qE$mPq-#%mg z7@F?*DZn>$w#kM6+2~lai_X(c=IWMS&o5ul9B(v!9RDyH5_A4aR9i>1A5YJ_Cdy-) zmTIkg1Kb;@^D$JCnjPfnXbmK{tOE(_Sx@-c%dGdP#1n{bonfF?^%6R`B`uCU z>9TZ<5!3!mf!I3n(gqpM{5-ni@nSXqkWLoL392uy&O`CS}=2Pck z!*}e-BvqJp^@5vzk;V{lrMk@R>9wS19e6m+kCQ{NcH% zhW>((gNIx-7dwiyR+f90#s%F&OXdbEwRl$MyACBw&QYcG zQC$Ppip(7D^pi~N6@Bo!##aKOVZ81o8cWjYCE?Y#ZD|+np7jrnR~zn(8W`u9)qI9= zNdPa0uIw9jy(`$=V9VXlv8MzC@TI<1NtanI-1#QY5<7(~Ok{s>bBc#_x1Pa!$!+@A z@7|FT=^PqYZ?6=VpgSNa^R!^DXo7z-opoW7H{_VJoQmcPgPT{jXnUTf4Ap4=01k#=mRyYd8^Z8*33 z9yNdG7A`qC&pteP(r<)YNDZz|Iy@}qbd(ci<=NP{K-w3Kd4x3%fUc=!+Pc5 z0w!0*>L-&_n32`7pNkJgb@+eSOS1J`(ycqi;Sp!%>33l0s`oIB-V7y)t$N2bIB4`V zo;LM<`&5(3T}~>V6AfENSjM}j#izNvd(tS#Xi-L0M6_nN2hRIu%oT*}8V?qdC*JaD ziwP^1|E$l2aHyRX6<5O^)^Sn!dtXxLcjXnLFut{7``XQBG7K{Nn)lM!vYURWewT@@ z*Nu02lXphke2FR`IfYv#Ad)136s{P#W0az1m$#AsF^zUEt^)nX{S8v~U5bu$O70<> 
z%W@gdE3uru$WRKuslJ=#{w}^-MeO$#oDgv-G_G{}BVLm07W#bAt+dlk2zF`~$Lc;D zzoc`=Yx4y z!r9VVXKz6qBo36rE>QU}LTb%MRj>~ugGlx|wUiU(aGX)*Js(t_#AK{U>7e3SAX5!F2!H#o=vn|!=BqNQX~(QA8JOl?~*xLEcWPJ zq3Ywx{=zx_$}@`FG2L7?Zv7w6heSE#9GyP%KKikQwf8yIb_}&D#|x9K?3z3C=A}$QQ+Xj5N0+GRPWpmpHS=8b`nAXLRe%4H|YYe7F$hHctQU z0*k_&f_ui~kC)J^?e%KAacs0$J%el8kAOat{&`u5};=4pNfua&J$Mv!4G zqdbSQ9yhAJ)F1Eu_{ur%sh@G3J?q1`kCHBASCRX<&MJ^!;#$nT_6#GZg)6Gv_?HKX~XySO92&M@iVq`-8iE_k2ns_HECC9NXHgOR3OU z)1F^X;Z_utyXAatyg_n??}wN@uN|)0C^V`gw~a0OC<;RZa|`7>^6D=@o#N07Mx4GX zF7-0zioLz(BKgV;Gv%&`sW~5g+h+Mv{jti8MFW3_Gf$g&N;IC>!!^0)OYgN!)hzQd zWnX64^;*&0UbT6+Js8>26@B9q-%)c+aas?uVuzQ}&X>xqaeEK#PTzCPHzM+NM;6B2 z#SU5zyq)8= zqOAvB=d|z`n(HPqU`=i$S9%=Mb{!8qC!eq57{Vx)YtY)*RL929dV45P7aM=9=z4qB zjih6x*H;P1`24;BXu~^PCZd^1jFq-ycZZ_x4LwdJzEXE9=WK;E3%c1gMXRo(R(SB7 zZ#W!UIO6c-s#jm$jZ*IAyL2bc&U6*0VLrr$2pF6uK2vtlD@|32!Mt3J%HYk?y{nI( zYY&WvjQbVa8t+UfP+;AkU0U^Jbb!J;9Qz`Guk!Nt9aLNle&kb0`+eIL*ivIJzvQm( z%q>Xnkv$mAobxD5zB5zmrKLp{QAoMCT+L$Pw=TpNS~10 zq0>_`HbFHn(@H-=i`gn~6iL4uk0#0Ih~nP%eK|vY|k*s z-)Q}p2`PVt8hiCMOF?N?t>k><#4ZtLfB zf9>8fnspUrtVVP+*D5d6Aa|zPz6V7gHK;IB_B6cW^rd_e%j8F{cXmyyt4N=E9?x3f z@lJy=vq0f|x2qPs@Xn^8leS~t^R326+F6AlP9;Zcs&nakwmkB$jJSU619w8v&d%c= z!44jep2nl{vKLsm>IG9p&uys|ExOAQ5n7L9i`DtEBOba>1Way=jV14D_14Rw@!L_C zKV|)hkqK(&l5AAq;P~ODLcSSE72TD zju2UleVx@ZLsq`uP6}gk-ex13&#_!zkSNXWvR9l8skS7kRorfl_B>~vpIzK}T`N)a z)AZH4Vm;w4<7FwgWXw`0^j|d?cxOGX6|uYR_>l~it*YZJA#*v|wg}FAD0wjs>Ro5) z&*h(QwrQ8l0~LL0OR;JsONm-e?-yczTQd%GJxU4l?u7ieCplnwN74 z!Z)m6&Q`!g>qu9`<)n#`o*emOMpMt2#tbLLv&dWJsd#M!T*~6}24h~4#fF<)&bum6 zv(OV52tQwOnPe*pH--Svp#DGhz66k}tquFgR4Sp86iy=&&OBtwkSS#>V}y>GV>mK2 zXr2^>OwCEiP#IE5C6${oWiB*PrZS|E;a^8}IEJqB-S5Bu_pk2vIcu+d_TKM#*7H8^ zT5IojuOxy&H%Zu}eOZNxbF8%=Zz+dVl!B3G#Yd?~y5x=pvd)zcbV z=Nc%oTU~y(eScVb-?8{(yk`w<<69?I$(IeE;-k+LsTNHRXTskmnrk#WdY3Eg;)u);orMWX;(u&nzstP zna-E@SKx`&#&^GQI~gVEBw=rO&fyD)5KNZz-Im&2ExfMoLH6?%{_9NUb~Q)MT3^Wt zPC>f1IXlY6yX5Q&%eSd3PHV@n^y`Vayy5k%wej4Zx6pCrPt#kvE0eWJRWsJ#lWCq8 
z7VfhkcvD0AC)1rX9Pf*K+I&>#^wVe8KARknUM7^h{fI4Z*xA;n@01saph;=yFTCrl zZe%8-r{X%6C9PNDX>&Q4Z&|D9*6`vbKR+Lb)LmA|O*|H-#XpojW8)({cMW|h`Sr!R z?F+6y*Xx;|-4nA`S}46r3(;2XxZ+jU-Rs}Z)%N!Hds0+2u9^38dXsm2m0IW1Be;J@ zTm2_;N>u#J(@P{?+wU~&Ijrx}*uFo~g=jd_Md+DXcP@MSOY>KYrIya(*;JubvyIG^Q=x$5i*LjIYw(#rR zge|S%N8he~tlQ&`J9V^n&SuRVkDcikgiAi2+N@LlX`$Rj>4xHIw@<7O*b#zo6<0r@ zx+i*OerfrI=C?ApcU&m;GrO12q5eL{SNmdPpI!Cm&D9}>%d!^TOuHjeV9DXJD`<+z zn-^M}al3`q?b0EzZWS;S(8yj4P*#X|z4%^e}&t<-JuR8H`)rprY z%Tv-a&2Kw7X1uB_`$88;?$gfBBE2fpWL~Kd`uvqe-_*?)eYO>4-k=hC<#7ClzUq%r z&m=wL9{0!UJAAayik6#oXCC3Hi*i+&_q%nh8Fi5@Yd@<#zIbDk@E5yFC2jY^cD0z# zK{iDs))6aQzMgLMFPZ-Q?b?UOiU}*VEDl*F-FkuQJ&_+9MxlPWX2TB7cy7Y7Dq9Vqc__uEm^>+0D3(sHq)dikA49ZPVhC9XYayc|gR zG^6i*olv8XZ#cPzoWgfi+2(%Rsx90JKG$rsP^(+kKDraby8MV^0A=?}JC72%qd^X= z8=VZC&OAsY7F4PS-hEMiBlJs;FK0=UBu8V7zjslblK9+9(-q$|pV4$f2s@Ec>QDCK zXW8hoKDx+pWKD}>bcRK3d!4VqVt=0{e@&OjZYbkdSi!Qpy)IM<^M2Jc6T+9c1!AX? zn$~&rT#oD1ND6b_^7)!$Ykf&+#Y;DJ;$P2_K8b$bEf=NoOb#J=I!G~ibwh~fm9HL8 zLl4IXN(!aAzl#kuM_<{Nejt){aaEy_)tb6}7g*L#`)DVloH0|rHcDD_`r_oQ_mKhW zxhfwEhjAI$egl$JbNrk^<(Pxu;QhYcvUs#UrsKh zp>Ht_aqG-h8H26XG9I*Py&rKK)8!I;gWqp+IHRMv0%6FKeDc&{l!otWGM@NKR%<(l z-YzLMnY=X;1nULcl$TD?;99k>DS2UANvJ^&;=HKb?VQe!@75UZFV4!zs5;>BZg1%e z&u3xWw=Yj!tTeTzDouC$4C4>aiev7qRhuQ@EJHKP3X-Az4gLOXcnGE=Lc z6y<%yaIV7Xm0Rrk*v7TZ<1=DMZpNL)!$sCts+Q!QY-wvu?V>fH(uJ%mZ8gfxC0RC3 zTWs}oVfto~M>9_!Ui`5(^P8*e5gop;&7Wp}u&A~6VmnHC5A!1lXx z%`;0MUHN2Nl=1wmRsCL~?RFn(Y`@a2=UJNNoLeiUJk~dDYHj2Dt4*o%!-p3qo=Z$k zpD!^rx5wdSPiPvE__EWx;@Fbg*WC{Az7r{4Eoe7mH1MTWHeE9Yu!h5Fuxg(3IDSAOyrJ9Ec4&_=A3MNA`q z!<`-0p7pH>Yu|5p-LE#TP3P90YuWJ`DKDM#=Zf81?m7+Su;s*?8C@!m zjx5pLkL~Cd;xqZ&#O1X=AuGJweO2vIE;T==4tDF$In{!Ho!@#q4B6f|z>@6Qbddfm z+K<`C9}j1uQQ%pZ5!1b+pY+vmwzLJ)n1=RSz$_*PO(bzit5fW4?P%aJnSXA@1#nLp zOtb!+E*+>Cc!l86RMk*LfYlBVV8H_fV&DZr8NoAs2KNju9`2dke7rof1;hje`1u9U zOO^?Vt-{L5lEGy7YIU>qt5pow5J@`Dx`q~3wsyAi>)d=?w|JXTY^?|GBc@M95U1|> zvEYIrI5R7KMTMb%EK^w7**L*^3rHTslqvL`L;L5j=uY9~vt(mMFH#&@W}&-FRQW`H 
z@L%uT$qNJ2mYjfvUxBdH9k&{hs#@UMTfgplcfH?h?{1sJ8|@@;b0fJ5*lqTtC>ozn zcnT{Z9^=qKMFM9i9ckS^-?m#zpf2DD3rFo)nc&)vemT3wog&NMcKKfKvbK2e*BZ9P zdw3P6p5LdVB(`V{&ylIH0^%_a9S(O{9aXRhSgdf6*wEcw+vVZsgcm)lzI-NlS$;!V zSG_`ZdVArjz192PUVQP8%6mt(Z2|oFe;oq8&Zhx{LiD-M3LpHQ4j?WJAe8$L_RZ=MffW#sap-VD!SAxd z)fYGWPY)oXJ~a6?6!v+%4A($}pAod~u`3s;vF;DEal#VjpPEr{z$P1O8F4MY0#-mg zenE#y)_b?#{m3$ zCa1KL64e`NiUHY;;Nf`i;4J}(#{EYVTfswUKL^xqT=bDV82qD7Bo>Bbm#MU1T^c@ezBn4*FBZi|JZNwx6c4%ElG)S{lraDpG^<6EkK^m+I zWvjh4Ma|vP2js!p(>!!2?#fhWSE>s=cNNTS{CtK>McLrz6I_Fb8@OA#c-Tlv`H@h;*+>kiFQ@D;b_Pd+(QAWFYzSh=r6@1|>3fGpQtNb== zTBr8k56Q9b+btgO{M!_Lp_nghm%-Pj!LLC;AVZ)p{11x5m7TZeJ^!{f{kifw z8~>uLZSM~)`|z#jYwetmx9%l}nZ1mbx^+u)lZSiA?fN=#&w^aNrc)u&D5rdl`RSGFR*x_}hzthDUbd{As&G4?X1`@o%fCAnO@H4-Go`U(a zCrlq*{9JP$q%I9!6$}roow?`(4q%ho;0FrnZVL>+B5ggmq>Tpc9e;E&Dre?TMi=xJ z8acWcmGLsV)kcgihOIh}`6ovgL^4QG`-$m4Ji3_6SaW{<_gkRDhZn4D94u45-vJ#Q zUJScG$}(jxE8A>cJxgA8^w8Mi{`D($UHhvn&gfm-p|bRFeD0yhJF)NsLI7Ft?{kC` zrM*=l&l@jjG;frCv^3ov|KW?C!TO{xB@z+e7PG#GlzDMar)*|Ou$8WT% zn|d#WJ0K*G48L-N6&B`Cci>ffK`ySE!3HHZi+zVTH1z7mlQjLHEY-Btgu4Y2U^0TzAiz%;<3zaSJ1UdJ-{V$$z#>iMSzSU=xO3IjOTq{N1MT>_<96So;Ii#!Q{KT!2*|&a z456YcyFI#-2N3U!=j*SH`PRR#v06(`g>Q-c!{f8XQ&QRKRM$;ZCKmBq9aABtN-l0 zLq`c(C$CCBdga#D#+XgHy5X=PhM*ZWF?fQk%)}B4W(&JSVmStX&Q;hSldvV#zJLO9h9a~kc?FUrD-fw zM%6)S8U@K16;PVS0A+L)l%~;`j8OxnX$(+CS3zkSjmhX5C{3d=8KVYD(-@$Pu7c7u z8j~?wJI$T}!ZBM}*M8%oodu#BvP z(lip0F}I;KjS0($N+?Yu02zA|O4Hc5jHrduGy;&ZH=#6*jSF)vlqP08#@T|>G!8J# z)liz4@fc?dO4B&NFjYfoVuEA54Jb|HA;VM;rHKiS@iw3|jfc$edMHi9(HOT3rDO%p*0O4Ec;g3>fGn4mOG1Scp>6F~_| z(}Ylh(ljxcpfpVcCn!x5K?zFJgiwOgG%=W zO%p*0O4Ec;g3>fGn4mOG1Scp>6F~_|(}Ylh(ljxcpfpVcCn!x5K?zFJgiwOgG%=W< zG))92C`}VV2};w1P=eAlF_@qO%p*0O4Ec;g3>fGn4mOG1Scp>6F~_|(}Ylh z(ljxcpfpVcCn!x5K?zFJgiwOgG%=X|?@5zig=uoHMaQ&2ezATzPr+lVQM$1u4tQ7? zAB4ChS&KKT(&zQ&#z(Fz)%>V;G-vD4?4(G);OX3^?+*1#&cXBYiZq($Y!J!IBJpXWDRe5fxmwMpQ3h5*K>nR%Xh~WT+rKHxP=EFTzfwm``@;dmhRA%2mwEv? 
zTNAQhJo4`rH_<$%P}GTEXK{H+-_}?8_X^kbohxqc548QfO(CkXPq^sA7eBR>9ywSE z0r^*wq2X|T|LMEiv%k&mzqq0?&CjnyPF0~fFL*ZVc5LsquHNSdJD=~lV%^y^H|2#) zWphoD&6jP&l*-Jr1PQgkD$iI^ekH2iQKayP`aETYf*lBSN>XO zcgJ9}$am$-Z{eRLt%Do?b__yAXN#0gY~=9kZ?Ozia#38ic+lJ_md^AN)yjbjjlz(T zC?vfoD=Tf_<4QqF8);iPP^@WO()ylOw80uxs=G6nv>wHS>gjGx@j!yF>bO&_^(i!@ zskDxYDpJ~j;!Q(JYdBllQj~stD*yP@*u*8h#+#<5PqU;^=!dFdkyvm|J$ZSqpVy*S z8v$EL$iY8@JL$WXl&IcFQw))WB$1F99G-y0V$djXLN#})rz`!a?O;K~V1lt-&n!6{3er7F-i!IF#Ng&9}BY!~R#)UzHE1|%D zl2|kbgQQ=Vem$hMGZ(!Un58!OfkL|50voVMTMzIP22EC>a_Mr7g)f$V9233_Fo419 zEIk~Deg=JO@KxkPpkm+^f=5$TLlwcofWnE<4Om!s5d#kqg5b=oEc9zI{;_ayvQJ?H`^0#_by?V_ zf!#m%v#?I#;K$qdT#E!^=I=b4pbqg(!Zd9i2dkXO7(RX$$i**(x1gyu646y z%-tF6sb8~p-8kEY;(uPtF{NtTtNW(f+XbfEf7%Pb0&#(4fKKucDZ{~{8!t1Xwp1pT zr8$s{16CwvDAd2K{E%iQr2SSuU^PSV{aF}w9@3R=RJuvStb2=(!1k-dM?Is z9?~2qP0NhZwm0qE=)X6v*TL-xlCkqo3-#tRSEMIgcjzwbO`ON6-&OK9X!W0->*sMS z`F8|2P>rohI}*E1q_|_+;&PVm`nmH@KUpKZaaU@RAH}~nZBPB)P8xrDF2-@3m{$7@ znG}D+!t^@3o2$+}j#(JQ*!iagZpy1?@xFQdSIyHM~h z6uemqZ65)e2@=5$OoS{h0mM9=S?Ra zOyFbD@Udw4^geugA3nVglT0QXOkk1;%!PuvP%sw?rtHBalgY*s1WYo4NhUDK1SXll zBomkbJ=tIalT2We2~0A9NhUDK1SXkGHkKe@k_k*Qfk`GX$pj{uz$BAN2NRfN0+UQ& zk_k*Qfk`GX$z-y@1SXllBomlq0+UQ&k_k*QnQSb9Nha`Z(eQ22@TKPPrRMOZ=EzA0 z6PRQIlT2We2~0A9NhUDKWU|2oCYit_6PRQIlT2We2~0AXY%GCECUE&OxO^F0We={h z2Upo!J=tIalT2We2~0A9NhUDK1SXkGHkQC76Sx92Tmc%c0R8{>Lgm%BWgY~4dT}p$ zo7tir{M6kZ%(2VBMdWFM6~y82%3;01;qDAjrn|&b@(3E{e+*51Kp0(wSbOS~+l` zQCJKTg`^i{Wu*;#Tq#ItBW)`OiZzW(THn)(Hdv!db$8~H)}we(J>9J-9!T(29e1j= zK81!fmDW*FMM@h`ylF^j4QESRiqely}IrwLACw;e)64e`Niba8XG!BWuVZotj5(%79&7JD$Nwg!^s?n$AaT8rXhOS3}~2=emCADFmtVbFtc zppcSS6cLA{UzmP9q_r~_3YZM+QXBk0A>D0(4OpbD2lx$xHmgv%bh*X^nEqp#0A`>8 z3|?pH;W+d&=v#xoLd(@D1t;WV8s&g81xXb0~G_W5ImZy8mb5u76gI?{D&BLflx;9 zOrOC$gNuiICO021&ujrPK>>b#0rZk(LSn11axo-y*{h{MC7kbLboN}$5Nz8{rU@Wg9|IISI!ggmEUan zp?mkisCo|Jz;L(;(ST(5pYnycOjB|F3pmS_^D}eRHO%dldrS$-nl^T~_;}w@AL>s0 
zVQJA?zw%Q@FE?E$n!SLhg&;sCKzD$e0K^o6073X3Qy~)|6Ce}5BLJBInE;uf&VFc5(50NsH>1{fWnJ3x1U?!Z6*x&w3v1{q*5nbb#&v-2u7-0|Dp`&>a|LfYAZE19S)I4h#gKJ3x0}kO4*q=nl{wpgS-SfbIa@ zfk6fs9iTfvcYyA|K!C{|EM&Gn4ZU+cu=A49M_Sy|P~OPtM<0pkVCU>uov+);idHL` z0XHEUkPQDzzF<(3M7yFB$rCxFrcPG$D$cUcXK5rR=gTZli8Cgyz59xHVCQD4j5w9n5B2s!r$7ApQM+22y6qhX?GyoJQ9P$fkV+`EI6Z@JJr*be%N=L2RDJmz!G;$ z7Y|oUcZ!R(50|tus8OM8wYR3Ixm$v54J6IolR`hW7RAMuW``sY^sT{Pq2=jp??UykrvaPQ=%CPB2_Ob6A8I+`$P+8NxKM|;o0h!`IGrjI z2au$?Z=tv&O$UDlz)ugfFwzuFCQ4y&1RNSk#G|DE!dQ$Hj*KS|kwgLx>>;7i;JYdm z574-lR#xs7>IMcn`oKbfqBTv2jxr5NAd;BOB2C&X3=s{?z>#o2%_5_u$YdN2GoD!n zTBD63GZ{smv{6_zif$AN7%_+y7E1yMVR697v9VGa!zvPLxK%iMYcNscw_A{e2S$;I zL^6_yB>|!gwi=d%1xBKzh z6{}-y3Ec!~e!HZ7inanG72h zWqzCKL;g2p*pLs7W7wEJ2qb?g4=5-1{mm|ZyF zj6@s?OBm0tu~^2W^0>*X{E%nj31|Qg9k8LOhzDwdr-L{F&m=QRJ$~|1k0sLs4h9YI zVVH(P6M&SViJ)$5)5c&KnMv~Tlb8Hqm|;MFVkBlb)OX@d1T!Z2AMA@wPH1s>I;Q~p z8HVAA^ezqxPekI!Hf$`!nDie%dHo*>k~ktg0^texVWAR7qN@m~V@7PWTauZ?AOD{a z|DVwkhbIH})9o6HmUQUwqwN~QEy+yckDt8w4^a$|qc9G)I9M**g< zuRgMWL1xl^{N%MCbhUs3f<82I$S@oVO|L_bXV+K^V^V%V&dK&Lu%I^qdZ*wQ;?O@@ z4T%LX;mBAt7Ky{)Ckhyo^5g#l%1=Pz0`#2)Ki;n`{jRpSq-7p*pcqbT& zfZ;HS9>RgKf1?#d6qD)`Ca?NKy&f!{1YD917#7GaU>zuc5gg`+S&BpBTSaS{J=JA! 
zgu6jcgG(CxL5kVYXs#Zsq@}H?&dyX9Yj=AZ#ogXg%GRD{=V>KnPnGuYu#M1wvZeMk?wEf|6n9u4Xk zRt*l}4Yb#cGK?vX5GEf-(4eyke2IubV(6|tXcz`XS04f(2i;iI7>4PqjxvlXj(}kF zA8bZ6h_c@y8)`>1aD8UT=nY96WfoHuAxu7spg~Z>k%)PZklbgzYo zW{N4q|3FLu^L`)*gMd5CG+>kznM5W5d&g-}eS?vnfM$v+#K}jMVLFQjT^QgJXb|Ow zc_>6^eGr-W9W0!-{(u|W|2pk#S{WS zTm#V!J=qDhhRh__X1r>@lbqi(Kq&^1V{Bv60 z`*e%ki-2lE(5LqjpBLW889$QXVf*m0qLO_p|Ec+`K84=y3o4#G4)&?IXK|b_?xG5R z^wt+H=TdiH$}r|LPMB^?)SH631w$#GfU!hjoIoYQ`u%_+87A4k)mRV?E5#G_IF=K z_ngWr3j1{T&>^yr;zsSF)1ePEDa~xTj=NuFzdJT}m*9@GhqOL-H4&fp=4G6dD!Rwg zbopGrr%(T}p!092uX^A0vE_C@3GZqQY(tAKX?@{%!Hh-D12YwetwZTabv@b3pA{(f z{=ClmoLZeL8shW69ZtDv@=U{0@j~QTvd#nPOIWc>(@8!wr9cha=?y_$iaNnT%fGPB zmR;Fk<9o-s^<{BfRYQcnCYz*ZxQ-@oh|=r@X*#Mauou`~r?$%z1bOe!9DH{u#_e}I zQCM`^{ecAgH1XH6DvQOX7glun@_g8Wbl&Q_gGFe6f!O(i6Wd-?grF|5x{ ztd8P)ynp7#^St{v>OG&oYdxRK!ZVI82_J%18AUqAIpn=6I^6D7c7C0!iXG8;?@p6F z>7VccoPu|b7f#u5{C3N=Jv>>powvEz2Ba>Mk8X$0y_F(N*&tv&jW)gTI zoHPqnUc&jMZnv}bH|qRpO)p<0eywXO3|&S|xUo{RX}@QdP%1^&#o731WB1OjkD{VC z#YdG!%Bg0QMy@eSG?p_>5j%6&;Tk7B>~LBqtI;C!rd;4AfBe@md(z|Ov$&vju%1MXkXS!lcWG{(QU`bjGNs#KB1 zil@QJ&*Md;9k%9_zB|2o_S1+8h1`bH7kOcNO2?n=3VEz9uB*9MuQ5!|K{DD+&tXbn zpcq-fI^Xblyq|dp+oCguo0pR_d%)@2X~*?yHR7yi?d%svXSTg5t$Sqg(PXwx9vhzujw zxo#Pjn2Hxm4qOPa<7{Nx+lg4nrLz-zbUXPft1EGqb@Rn6LN-VC8_dcnYrWY*TMw;# z&1?K1%4S+%q}sZU*iB6jefR7+|43EyBF}?7R;5@@r9-M*!83Y7d6E`9-z*Tkzp(9H zhitd3wtSHXq4o64l@2D!vGz|cUS8%Oxlz_Z+aQCp^!DNwtBNHiDy8i$>+OyS*&Pcg zo*^k&X0q46(x$xjxpqc4&8tJtrNpUf*-U?qs+N~$&vyE^U4HL%)M8y$u2yQ^wmgqj zj!s5Bs66lD?RQ=rjW&HdOZ^Rhkl1|jqgA4pVCs)% zX^fkPsc${u>&b|n>UIg6!XqEIuk{Pa?_QSmNLmX?`|I;_(;P#oq72W{ym*s~8CUH? z42xF^JhHrN+Oy%)?&+`ZT|Xsnc;T5I7u(@0Q#V+eoW5VsuBRHLcx`HVa)RLl_mstk zhjwJ}->%Y7XM7?DhjO~jqub|KFWJCY95nwvw_10D2b`Vy;5rsUUf z<#`yq)e|A&*B3loYGz(66mo`M31%?04GZUSGR4CbLND zi1|LU4f>_(ESErb){80!PtM_QCd4~LJUK#ESvI5CO5~u1%pTt`8DRkpOLWlD4OnW` z^2qB4I63*7k8{f0?NIYK(XKhR;laVmI+Hp%_BRLIT6DM6c&7;*Or>7IW~O1*eCjw$ z{Tf7C`&E3Cs&;*7O<+}rRd?Tk1j$o!BAWzrIA1$CHwa$rz2VHFxSsqnak{#BXbRT? 
z3#y*aq7&&$IAZyNXLQWjmPLG*6~ONJXz$Ef^>hy@Uv+(_7UmGy-so_1F~VPvJ*QXz zebBY6rcUVkhbOA#Rrx0)h?MBJMZ5&>#hx+#oS(z>yl&@K+dJNp#VfBpDUNP zuHHCbwgn&jG56`#+wrsTD{-z*Lq0Yt8z&^WY92H@!FN^RbQY`U^8M-DtsxIGBIleH zkJx3&^~q-D4u_zKE2oXbkrmD=q#`jlb_ae@?tH50Y3*m0Cl_kWIbuk8dXP&!D^H&I2+6jwu?TJfU9OHaLd~bH#+2`H4`bRCE zvx#8JZ|l6Yv$XP#s&}62XAr;2sT6rt94DxqUb=A6{L*r}D=seg_)kW7Kj?IR`ZX&# zC+6mcH|FHmtHK(nYr0f!biYn9us&7ClDrl)j#`uGDDSh(YR%M*vhpF9_vp?Myfmk(=UA_-S)_yU z!jEBFr_9~ATR_PNXD|AfqTAcuZ=>5n**Tx=#n1Y(utJkR&3kG1qh3wXvZ4~DwV45r z**DKAOM6zH+j&86J!%Cyi7-7dP`ZvSNs~N3(5z=Ki=%L}v8$#ZYO^ptJIcnJF3WYg zDY6a$YAuKBMb6Z#>8)4M*A|(#V6Nfwkmsuk-yTsEHYU0|ZR89sU3D#i5JX8ku`>Rc zm9cXPBCTj{hl{MN-Jrp?FCn~iMk{9lVLH$Tk2FUQt@k-?4d{r4-`XAFjl;7#{;jT0(Fu0I02O?%`j zaAeVqidBX0&nUW`RtZ|j#^>w`1Z2$ievs2&%N zZ59pIcB>Ke?MigaQ=pvtbn;U#vhtmNucZ94a}s^}qURh9*NN{gi)%d;^u(6*apR}n zhQHp5DzqQEv8v<4rN#=eGI}FF&r;%O?kW_KbWkglO`75-7I8Ex*Uh)yt>xS6peHdQ z#_X8%CQ`?tyQ?|`qzj$r*~LWdo>6iA6%BWsWr1)$y@8TEt-!H-C*&fxKi1Xlp~ zciH*Qh$hW5JNMZNd+xA^dmb?TK6-P(Ub*S(Sx6j=!yb6W=NIfgB=C5F#>3X!b$b_= z-?-Z6x7Ct#Y}tNIpPT+0A4$BPFJ+gbx$8>;n_ZFSF75=jd~pMg?a{NFmTx}8zaUOQ zaL@B78F|mCZAY39l=yLou3BGt;>Jr0&qwH+)dIf9xaXulb5T<14qb+&zTQk+bZ+Ch zm~29fcU_)%$in2@*Rd;E7w$B6t#gP>@7-H6i+ucA*bSvyj|Ps_9Jr)f;I8-Ra^pt6 z{%DuOmA55#Mrl91WxjXqlFY&jo|3kEI&;@;*_@Sb)B8TNugnYy`4u~bb^*L3jw|;N5Ep|mr>e8HP2;~O} zv+-=lWGk+3j`F_tI*Zy$xHU1lq8zO3b1Xt-_y$D1&Zmv^ov^v!d8QGV-z z)pcrz|FMeoP1QGhKh+dO+I@{|mygl#s$3SSy5xZG1N&|07&Al8W!i}xE6!ymNRge- z6`GbEO7yw9ZMnTf{I-nC57&0dy$H*ExH95P=n4!TMBLYS#R&7;c*RwGQrzqg$?fEZ1F$ z)Vm?x?jWdRYAZkQSaqp?uZv-Zsawq9J2e70b)5)afAM6ZR8ez<;``ivd>YmKcZGZCzn&Z~Z@XCZ2w{|ZGPJDWiGV^$>N4E@*@Ts~@+IEglloVOf)48qX zXttl9UKMY-bw%lXNolFPXY?Dp))Q21j<0&RXI(m8c|>zY?Nm?wMcF14P37KomX!uB zE&}Zqets!>OSW~cc)aV*zVJ^z+jP;31qQO7ec-)Za;WS>x5ko?FLA|ro2|ul9ZFVd zUDf9-+Z)JPuAhSKNKxIB+>x^JVNg}Y)Urpjo)jKyoBH_WZWR^O+7#}sdV2mwS6h0Y z*;T)cJ(iXwb<8}nM6o9|edDd#UBN+OvRAs+v_(sL9+>1Hp*<766zxttXl`G%WC`(J+3HETplwg^-eU3uc_#PfLTbAs@ebPIu zVPoWRas7sTr3ads8yyUJH+{(7%Mw8g`VA5HV8F{^8l)mla_k?ZO6|p`cHv$v( 
z03Tt^zLWa}bjKw4@j5FV&Ks5VCv<$|+N9(ERZ}I&D1ECGKCk_#z5T+&6|GiX-uvPN zwS#(i1SR7iyjq%S$Q}@JbIn($xp80BuWV62UY?*UQ`Vt->Co=wx6GTvp01dqeNQc& zEkJJS`*d_sQfJFwjh^Xld;Pb0xm*`NcyIl@x;V3w*q|c|x9zH&dhN34;~-9YxJDsB zzfgHFoDC#r2I(!~3-ND99$jih>z~3CwpP-9U;|ryK*FrsLOV!$S9FgaKINcnxYcw! z(G2(D)kklEXd_|c^twnd0q=sca`TjqnO7^j50p16Wjk)Y(16c)+8UYZu+S?IX+#%sLH13OzU^Nz)8@%Ka4$GVN8)PsIc+I)wN?mKLOT>UBNn zy|aRjSRY}0Q4~MuVB7T<+t+Lm+vJjVp3Af6B96F%M=y(u>~}uksK*D>L)>}Y=9+t| zEmt33$)cFd#`cJhXHK3eA~YTGeQcq#hIr|9>oi~Dm5o!TK4@woxM@{s#ohL5&VT!e zZD9qy-$E~h(+BFt^wC58k4}B(-n~hSa$@9ne^9M+eWmr}@c;dT;ZhFrdWW>?kmBTB;6*-EQSq1J!}?vf*DGC84cezOy?!YzQ(kG$OGn$K z$n~6sCpzXT^KG_xuVmFmt6A!D@7W=?E<=Z)Er@7YjfDwjL6SSKJZN9XznGwU@A^kA zHCCF;HSWZfDoz|Fo`Q?XHf2tilXfhb$!ps5CbJ@0qQ?K&F;KX(Ryn^ie1B;b^*IkV zJXfn>U+%p5$8)U|12ml@SWmWk-Zq%eMTxDNBd9lb$>+vxS$@qY zK9o$mtGL6W0>3`E)zjpX-5O`MMi-Bo%f?T)9ZE-f1jJn_6*8FnDc9?^IqNNhRUP=N z`;m=~>&Yn_3~eM3%>`u@H?gKHuGAZkAFDQKIn_iYB7Er^2P(PZ%b-h z$H4Ryo#uF;6jGh*BcAX*3C`W<^fLTZ-aPu*KRrCV`6EA$-IJxp__`e zoScl}ulv|0J{IWArQAx}XzRL6(w&<4j74Hm$hV6Tp4=xl=N(A9t#|nuf0{((g_5KY zot9&zCl7{Ri@=LIx8qV4>XnL{ zPJNnrT8}<+H4ojmN0O7^zN_l}5udN&>l0iJJe~%v$jS02_lb!)Tq-QjI?oPv>XxVCd>V;$m`o)*^gxqZ;&E|J5-M+@DZF#)6Pc8Yn zy)0<+3E_L^v0p_Bvn?0$>RfwioNWEcO|;nZZGF|p3!%YThc2Wv9i}ROQb0Bb*0Q|V z@Kr>2U&Mp=M$KzGFWtJA{H`hc3ce_bVm-|`#pnIqxOwOFrNf`yd$l2hgVk2Q)Jtmn z+H>Ns?$f70PPbRh2p{b0u0vm(-4Vkct0G*Jm@VeEulU=S1-l0}^G0SR&W+q|k}Ot5 zs6W{e7TL^&JbyRb&byWHyyZn+dRVQrd-8FY6<_nxSEyL!d0A-PGv9gd9pb|2vRd(k)`%`+fUbJD`4S zpe_6BK-X&_iXJU$KfYM5{gkxlL#m$i!uGs*SyQ~4htzRRxY1-z@-E+@xqgFiM z6j8I_0;`ey_8XrZjGqZw(?q*E?Gs#ljXF6jl6X9n#N#f`G({wbo?400@Lf$_Rv)Nz zH>_*MCB&Itl7q&BEr@O}Z;~Af5&bS4a7JwJto)ugXciG(YhA zr3GKMKl2izt>ahO$8%@dhc6Es@2sS~FFxnvB`lYa+LHfPcxi)GwEQ9s8c8Pb?xC|b z&R(q@$)=B2A5?AZocUDF#FBbc_`E`gRHE;jj^kIp>~g1UOI;-?U+oiqs?e%ZRKqK? 
zYCdmU^8RT&!dn)Qtk>M>ZAn)MFy+;>y8F4+`h$gE&PPFk7?x_e*4|eiw!N@7Jmri1 zboF3n(ru&8uazAy?6uKhOV-+cX*W0Ap?XW$Ghn4Kh4oOUduz3k-K=ifGl8C0j;^xt5?lX1EQbIo6> zCHLFYkGTh)s)kKjv3TRA*Sx#hRA>#!3sT%9+gPYi*3};*_^skNvzZq1VzDOY)h=Dn z=vBMwa(jGkC119d(OVsznxp<~N0dy5QoMJ^HT}0qp@RE45?zY)(oK@yB%)7E<7c%_ zTN!kQMMT`l?co(y)#y3P(2_lF`!i${70(fBECsOqsfMJUAHq;m^=K|cSX51(mFR5iPS%pj5(0&U@1Hqt);1;4f#opGAh6Hy;LFNe6iR!NJ zYH1BJVuojsDB06IbSUo1RA*PJ3qAb-9QX5Hl!~&!&pT0rhY#kW*ns32Bsk%ZgcCFo zj~SM8GEgz_3c;hPs-cQtVL>2Rz<-E=7YJnp&-5AGGq`xTXL9rL^2`+l*psJ#Zf}eJX3s)IBUL zyoiB^hy~!xQ&{QOVEkj}V41?k$_aKZ;{g|*!p_bD{{7g^GFO+4Z}uGY6n0*W6|3T+ z#RFA{sr0=Hi0-bUz2c$9xfD!<)@6P15LoyX2om$PXCSJUajZ?DGO z7(kp&Y&f?J`|k4gkfNZ7c71tG+b3Gx;;;%L@y~F==xk;C`@RgnL$Bu_eo)uZzjy%Q z63AB{I{)BCVcC4q46nCB`XX-%_B?p_(C@Hz5xX$S*XiQp+?DVT#Ngk-gYtMlO4m2n z+;|n|Ht^`Gi9q zqZl;fINbR6VxVlEbf`7pF-_HYLq?4DipvCrM%~QqsWw94=9V@s+aJ`v=(EIjyMErn z=yLyIfhERbYBM$AN@jUa+}q6P`Q>@4mX-VK`CZEMCHwA`%~lATrMmhL&&@bY&=dTY zp4|9qzbj{Ds&vo5AHslUbOE-=XiUbhfz%own^AipwMIemiwa1sUw|`m7o^rmM1Hjm zsr4&#M(l&s8Ue^JHzBot2@ms5NG)bOe!T^$^=o{X_Cjhg!SOd6kXnBO(D2=mTEo%! 
zyE3HK-yt+?Kcv<$F#fg(sr9!I4SfMpYY2zX2Ac*6)A?sr5T(LDl*Vv>>&911zXozXKMe z*6*MNRqHpAbqa4we&dW| zf7P*E;f>4!g^m?5o@X~`d8J0J>bA>Yb?x~ZOY4?%F^Bi3r1uxUQ7Fl&`=%CPURCU2 zBIUTI!0uM!Jp9G_RI@VwNLU4t_-8oLvT6Wf*Op6M@J-ct0I^}``yQ3<4Q*%4eWQiS z^YnxV5P^n=wKm_|o+8qiwKvE6&;Ua3UYJ|p!b}IWd(^xY@DIe`U%>hC=u7wqV(_ov zLG@Kbw^O$U5N5QZ&g^eiqVYX%n;P5Ok1tR&JkZvoMGUNRDZKNt{8VIzhq;SmL4nV$ zt3-T#J*86yXq*2R(j9$Qb#Jg^=n4x#w z;K1rO|Jb{3uwWgiAzc6Acip5+HTdza8$s}{8}O=|pRcl^k9k=*IN7JLfmhv#(O-4L z!pTa1*UgW?Fbn?_Hg-N;J$+UVu!e`5`)=OZONQQd6Z@)S!yUc0{*9vD5_8#oYT4oc zAqJ2GkOO0IVAk1hm0teQRkbFivHiw@jqxsprXIFy;;(H#_f|h}^$)%I^N)o!ui7?I z6Rx}5%cR!XHH(OLmAoxR{`vWS99i$hd8BCv#ox29$xlLUbGO3d7~#W{J}W2ormUf9 z(@N8;pG><=WH_Jn<4K>@Cw*G-nXEUrYmKd{{d{Y4i!0={+v0LAuAb~^S@J*5np@VB z$KUj=tbb!bR=eM^^>TcZJu8CS*3~;Hz04@xq9(mPb?dC)UI(`i$0vPS51GA>Jntqy zy4~M-?_|_>cB$-|>}gpeUJ6Sjc7{rpe@*O76x#c403mqVcj;tLi&$6)SqoW(*h8TE0_-7x**Z8HgFOVgFTfrG>><#3 z0DA}k1K2}=J%mALfO812hX9BG=MVr0u!jJ92!o;s=MZ2IfldT?mjQqPdkCiA;2C2od^H#_7L*Ys=UM2a^HJ&H(>y=GEX_6Df`}u0ff;y z!vpPE8(!bJw!xdaa<2J;Ja$+C@ql!I-teCg1MB%c z!a}14GqIQw*03lv5{<@zj5RD4e1U-e2Q${N7yt)7V+}_{4qg{r?r$^JfXU-#tdZy^ zq*^&}$;wK9Uqt;6GS&tgX=KJ4cI1giH{6JfHT2*m*~=uvI0WEK!8zz ztbkB35MUG_DvSNHF{A3i`TDvkQzhJ_mwdaa@x0_>5mtXfU&+fY7cQIAFKQ*w> zhO{_zA@+z!Om-iwULkk(?HJmED_)B513~~<@Go+NCG$F;gJo^Sc2YkZA5-{pUB&8v zb6=^#%fusoo%PwP*2hb~$#3+NkF+|OH0zlG_@=n$=QOF{28T_e&q{74dLvrn<9+NN)xEsO(>F_`42GIfo2n{{!-slZ|x1zN_l$+@#Jo4|;PdJYcHirNE zw;*ubZ=957+}~%${?}5P=^4u;da5o{N;8HGQkqeCkkX7BOlkfn7vaSJOlc-yk>9UN z`1?gTfyv{iG~-9&`zI;Q^hO$)(o7h6Vnr7hDve88-_wfb<4QqFYuURva!IQqaa__$ zRQD|uccdvjT^j{5!u2TDG^8npjFKXgaX1VTN5)FwQA9i%iAAG99hOW+;!y-C3?9^h z@2gNeXh>;GD=T*keN{bh4Vt^BHBHCTo#H}66469?d9I<=L5Y(#42vU60h7?=;f4`0 zQbZhvh#t={1MM}V3?nfaHfp)q-$o2aKuck8D3D@4gcy!Q0EVHk-BrOmL@;#8#e?;)u_QFzQ*jJOrK6^&q&5!M znBoC>^6_AZYYf|ls5Z*B@tDRG49JrY2186^SOpZAPBipyBgPaEK=7Tc?&7h)J4s{= zl3^MiPXsk2uweMufQ>;i?C@xSMom5%3?~@|gaHB?LjWwJiv|#1Bo>E}LZLw&6V3Du zw8y3yc6c~IgZJJ{7PMhBV^}wgXQQkehiKU0fdCD}aI$s{BO1dl&=&?WhsJ;&+bFx} 
z&N)76!vg^tMB&L=hsWZih*&acNi4%UJRU?TED3asM_V_Zq+y3g0yNO?$r?6{ZG-)z zA8f+`-0&nkcw-TEB->PUEL0Tr#$ns=P(UA!OxC<1whdV~jBTT=8;@Vh zV%v~iI2=9LqtU;Q+VD_-Mom5x;ISZ-(}iuwI6NMV7J#w=R~Q?#v7~KyFaU$jNuxHL zY}YB;8Vfc_5z1R|c^$0dTf2hg)6es5DUy)TKwkU{H$K{Fb( zGowwvOWWviD2^#20AftGIft966KLIQg7 zAz?_`hO8T6+i2^?V;fUM0Db1k!ZyUVA-ixmBIx9TUdL~v#uN~MG)~q!Jeo`oqy%6I z9`wKocoaA(9z=K0kps$!CW1aVQ=^VcH>Qw)o_t6cPB#>Y?B7kpV8DylJ@l2rs^qMD&+YsZ1j2j}{XzRw|8=fgLU?v|KhWIvQ z7nm3vlsM9Fqs9~%Fq01qczW}Z$oT)m+FL+Hx%J=Uh#;T>f`D`gf<+C(5E25?c>zHh zmF^Ca6hZ0kQc6OU21!M_q@_h#Qjn1RKZ93h#*zE~zCT#Y_uln-m#)n@`<#8Ab3S{2 zfNuq0ulqHn?7%lOh>Z*Qeq#p#y9mOZ9!WL?WdOk`gNUJt4RF)VEMjusM)!{HLvtP7 zv&>SuX8JY;)W9b&Km%%P8!O%Wre_`E7BtiXDY)=l_^Vzf1}}eRie#22Fr1>h=x`6M zjP^UZAf_+93Z@Fy9`8!U(6F6-yAHh&{)PJia|IeXbJKZ)-r^Qx{1+29f2fJ@kus!n zEXnS3W4TL7#;xp2UWhTAo~8B2Bv!k93XO{kcNwaR|HL@BXS3CHsy7{%VV2xl z##*^@C!xp^y+zEl)*Kxqg?h7~j$A{Cv&k;rs-7plX%F73_`fr6yNU zlexIc&oALi^AlluM8#p|I!cw;uBR@AUTE5&Wk_$aU*K0+uue-w=`f;lw;b2Da_^H~ zn0x7bK8Nb**X`iYuI2s$E%sfPVY7;)CzB7VN?9YjO%K@tqDX z`r%gee7w`I#cH}6ZHUFt-;48QZRvDaU9Yu-^$IzTM2B8RitdnsIEFDP+rt;5L+ZRQ zx%*Ys#!K(;&9$a_rxs);;%(okDBmbI^g<2!lw!+cG|JL!8fR^~_;zJlwAz;PgGwT9 z0XmiJ67JW^?G<~iJ=e9#uLYv^mrh#(j z;_WcGow6m@joqcn{f5fXb^PJwU7q`MFLyhKh`+yUWRBzp7rB9qNYwVI9`DQ8GBBlY z$!g~rJ}3WHoqWM-3{B}pAj8j#S22BG?1*pa&J*z6Fh)-ixoA?)^148to84$KQoXYO zYOSe}u|)k%l)I-BOaDHBrXEwNm;4+go!~T?LM4;n7UR9lZoG1M5dV3Tufk3rv0zOlnSq zQ6-_aQgGzG;Q>FA7{cexkAh^4I45mq7?6=k%BfzEl#5|ze9ysj6ZjwF`(mb>G+=tk zXRi8^&k|K7pPBkcDWv-gHZA*4;in6i8FH`XQ%AV@U-{y5MLX!VsmQvi8z&q3Xyye{ zh3ce5P6d{j&yjFuO67kB$agM=SqTVLYfmuXMX z*s<8#^?feeo~Tv9nYfA8>md9j>ViC;kf)=k9s`47E};j?<1GA~0-wfxVD&2Oj03B; znW`<_H};b5RaR1?eYyw5wr4=LWYLA1MpUJl~s3)C7B_>poKLPPdn03Cv^|JKI&-(OGBW$c<^)YhXCu!KKEu z$f~~&j$ZA^#am=6;@G?uxbS#vrS0K%`VuQ7CWE_wEVm-GH$BjQp=4#1NPX0BdAWo- zkcxcR+ntm&0Ebdg(s}F4XZbUd_V#3h{ESUq&07wbO0JueHL{6(ds|ZqSogTmv$JBm zY72vm@E^VV&P6-F>J!wBLJ@_s*0-b)y6SrEl8lloB*57`-!wKX56!5b! z;(gi^mQd@EXZ~#KxRL!c*Zr&Ua$35*PHB$JcQY(!x3}E>`k5`LHsUV98D8bPp3xE? 
zf@oV92(f}mzI{&YFW{Hl6b{`)e_6!hsQmLs_9M#LbM4BMqZ`WQZ(U}byi()DZ(NGw zTI{P~)C!5x{~}B;$wFpjL1qS@>d0i%si$6g?x(g6yd(63HiXilGt}_35zZBw0A1%y zMv?nMq?L6Bd65KsKUKkvkf0w~&sx#SN;Gl5IMFK4>}R?#*H7Z-+lJPrc-V}%)y-6> zq^8u7r?t`PlHyNS1UsGXi?u9cy@8SSU9Wi{c`ckEMoPZ_+Y7;zg8Jv4Lm<>wbi+II zMtq-aLktE8VxJNuwz7#)**eWvf5k7?Xh0Zu-t~FBgyyyfoPKSu- z78e}X*oLPKH1Wg&-^uaM`lQnd>-Cv`=)Hb{EA8s6*iZ{=x`UA3gERR%x6wJLb~uEn zDuR;mFE=Fh6btF7o^4DK8TM$Jk8n&Ayld#tb<@=tpZfVNOwx%p?uR9(Qa{);iDQ;5 zmfXV1ez9xCH^RE`%I^*ide;-x82zf(lj4?RVIR--QY;rdcYn%_>Ty>*IS|DIeNps% zI4f6Q)N7e@A=WcDr%-ugLmEeiLq>Y>iNdrQUAHY(dpprSU25JHw6|W2{J2YbL75|q zC9d&DrYc?QfExF!PdfY}MWQTunc7nqMC?RatSIQlD@u}NtvuIQiZFyYh}W*VM5r0F z$@#R>FB3kQ7Q#Y3*Tx-Cq(&a1k*1ws>|rZrIZktXS)KNj&@8dYR6l`&6N@Mv{WC_z z;MwSJ9|%auFIv49dz!0AeB&Nggy15`HD^k`r69(irTS}ix5>oaJ3(WvpAt1Pi1eyT z=uerUZxh&*uAA6RSfhIge67$?%Dz5OW$njtQAOuz&T~oy*;C?JBC2)zH#{9@E@QF| zUcK2ZU@|8)pD2Ry65{HotI|H?$(wgA^;M&J1w>&@4Ube&W&rZqgLq4bY#_X&eAI{7 z=&5dR{$;hVy53?aCCe{Eo1z8LNU(gkTp?#}2ooulgsEl}Rf)um`Hscma(GVCaX0(r zNvL{kwd+#Q5{#o5gy#gt)7F|RB@3p<2B%7zeGH3ex?A+t2PZqlN-43|ECyeW}P*r!zN zymF6q?EDT_b_Bir^@s8glHYwZth**m+|delW1DSHdXIx;v#st!x^!bUM$gHmUy;g^ z(#=EpC6lGT*Hw9@c<+65&-j|b^U^)%@r4*urYS=5dO~Q|d{sBEsWF>5y(n>OikRos zSh#n&L46PHVX|VBg-g2H$7Fl_E)h;E!3fDb($IyV?8&HXZyh$hRzH<(k?D#>lKTS0 z8wSswI1G(TC=wHglD?xLuIGHFvSh3`B-r%&pH1Ip12)34`!p{=xonku`2RhLk>kaDl7)#jzQ-Rn=R7tbd8YfPhO(TDpM zg7ZpA@@qA6R+3n0Eng5m1O+sjiP^ExfIq(>i9fbn>Xt8X>$WS#rjSU zMOAvPKbhi@@A@EGQZ-ZlZKm^|zj3{Yv!;LQ-H#86aEu|G<{o162~$Pg0ofLmtL42b zO)?f%m?Z%x-`blk9nx3P^TJ<`Xo-HTVMtiw*OB2FJKLmP>TA4Yspc|FEG+|I>Mw!?X1WSNs( zbMyHs=F4x(d06qecaox)b)SbzkM=)*^0o#T*^n!>eVbT%MJ z+2f{Pqn;S#fs{*L_S$v)oHLu5m#92A)@UG2crml3juEDf1y!m=1hF2&@#D`)FVPcz z9L9AZWlGj=V63||rI)D^r#1U!dRKI)xI2z5qsU4}tI~$=@-064EY|*j1}|I{w#O|4 zecZWiXFHnYWetTaKiaCTyKSF#ZVZc(4Nnla9BtFoN@6I0;4n=p#8!N86%f`LggmaK zo4(cC_DPP?W*4Wk)#I_1;t;Ql{|!xPvtoR1_omZq&%dMWs3x6NrjgUO>f>Y=F;pB6 z?|+yv49OVYx@5oolP&btPwU$dA*+VO(<`C6rnd?&R?JH*kZI?ntq*)Zoo+W#rm!8k zK};@0d*@lumqv?Jswgid)U#-OCCqfVg$Ld?z2Pp+ 
zl~%yM5oo-fs})~OL+AER81;uV>||9n za@&c0qc4Dpb7Rgw`2pPqKYAp|6NWpH=JN*Vnv zWS5M?M;DS~`iQV~9pwYX!|47%lpDp~omIi6TO4Ll4=b{z=`j>^2gC$BB88(^c(3#h2GuNW+W${)Y-4JylOLAO` z9O>vJlVu#qp%DN0bK_Lw++>>Giz%ZIJKv&m*1myAODRwsotmqM&V29#bJ>c5jIF0J zTg@gU5^A^Ciq?8Vu$cR_maxam9I4c3QWUMnTjM_sj-s*C57MYKvZ~-Va_V8%1DkZA zxy{I}a*S_#-Mk|dAhI<>#;A}z<#RL7HUvz!Wp%l8X3ut0F`RR_O2umZ#Mz*ph(UcR z#LZ5~@xvTVi(V{SbYT`1wJ3u2 zefznc7zR=}U#oLWD6tUNKKtnyK~Cdz`MdEt*W~ z7bDi7cx!#}rBgFeaPJC!DuzRQPlR>lUZFPgQyF2&RaO=MMmsTxl@w*ZUVU~ytMTYe z`K`MjZ~C{pcg{Op$$l-Pj23cgI)|_9l>Ph%tA(jIc{e@23D!DK*EXq)y?vZWbhhzI zeA!~dkfWNBHCg1nGrd#KLaBY1Rw?Mv10*DVNMzZ|?r#Tj-@2a^y1zS`9OLg+sxd-% zYMyUSs)YAUbZmZGWh5R`>jVzd0qHGf4@mFTa)-H$dUYhfEoB_TtHo?XWjg%}$ZY&= zK2Fsvd#L7V(!MXPi)Gy$-E(xqBlClIB|@A5;>VMR0=&07B|1T4yw^HQGd((0juD$| zh$VV@legM`(3zzUOWC3^o4ov9_x$^dWU--HqF6I33}ux+?(GDeFMUy<-fAiS*!HpT zq}=6@Nac?cTX$b<4C&c!<7(V;C8WYiyZsF}^USB7ttWa(HE)tfIHDH$?n{^Odh)AV ze;C*RNvuQyp!|__kK|nTIN`F8|c( zH+5|%tI=M2!?C3NRdVb3uy#=-760x|abJg#`QCPWaaS#sR@L^;nmJki{gwOgHfQ^) z9-sBEa@yW{W6s~XIqvG8U})3EHTbA}zwrBdnvsr-Dp>B#DB<@e(pl!PUZTb;J((Mx zd_#om2^JKnRf{&^=4@I49r0g$Yt%K?OTJ+z$miS_w4k|C`X;v6E)<*oULb+U+aQA_ zeLgZJ6#7L)LbV`n%dB{G99z=ak&4NWca<;<&Z)nm@Jv{HmC#-GWZE}___}`Z_&TxS zl5Pfr?c!VC{tE)!`s@`U+xh*1_LRHP_R}5X60>bQi_{@ZfL8e2DNSCTiJiIMV~4?S zR;GKN#Vt-fJ<)7aHJI>6-3;Cq+fq}eK3`&24_~szY(h3ptgJnyLqAr8bFj^L59%EU z16J{%#4Fh30(gB@J1d6#J{QW>TQ`XJ`r1EhxLHPhYIU#2z!;QF*D(LqT26)Qq+wh7 zZMuJawqQDHw%90eVntKgSva~zJ2m!n*@M8Vt@{MN`B(3IzkIYhQy*MI8W#Ed#;m8- zl!<8X$mf+zh8m`TnFr%J6}GRZEk?fiWRm%osjp$@X7%Twmd$tOWNYkPmz-}Jt;}m; zx&jt7dFR24mclhi9}Q#;ZNHV_AnEWfV-NBl5Ri9|?Ab>dArkb3K1Kg~oBO-`7+O(u z+`E0amj@13;7*!_je`?-0fv_OLZ~@_0!$D)D<|AbKJ?*1PW*_62ZXmc&`CaZ!LY#| z9+1%;_3(i31P40Fhb|Z{FmTHcl*6(8&x3~W3I{y3A9qH9I$r1-15mdO1INw=f>x3M z1*}I5+FuIF*%6-K*iQ733j&mZvLH|m0xfxG2grx;#w8^#_;;#75MJQePV$Wlh7CqF zWOPSR4TA9YcF;5qp~u_*Tto|dQ(@rXxQ2x8D6SzCWw0Gz3*fkRIB0P1sYtk>WIKA) z5X1oRLL8fHfJFe<*MKzz8#Q1O56a;Mvx!wVfR>${^x`PUmlJ2O2^m`ko*NY5+dI z8o(9-3>$0_Afr2C5pW;~0r>br09ynwT!$MjGOYg`H0TpNtb`Eoo*jD)0AvC-Tuw0X 
zzW;kd+1a3$3NC=i$mouu8V7(de z#0~cVn7Dw9z@I$hK#&4JS&oei@a_O8fU;K@GIpSN8+sf9e(&$dq{XF?40ap{G62}m zj*AR_d9px{-cU~>h?N6?%MSG*`yB*z#Bf*b&+_v7M&TcL;W z;8rLSyrWhqf)D`hbB~J)ZiOD=0)wIUPFCQX<9{AD1UUd7Uk=#WpcQ3Monk+P#}1VH zKs^F~o7G=y6xsH~fglIq6O{unB=J|ggFir#^I51ux@3Vj%ur32T7}T75IF&Hs zAtO7AWSj^>z0@xiUt!x236TqBR)zjE;Rk7P~+Nr0TB zBphOctyE-iN32vX1Vw8F$o5 zclK z1X+Nbq%6R2!5m|3NVuSEJ9^X*WC3z~Spaje0S6%#U?T?sC!t@CF~BVb{SE}a`9MJS z1>&6kVjJ>7mkU7`Ajj7QIJSWRN&nZ&2JM+kZOkxDaFkP?qB^2G}74h7QIy z5E8nh*oGhnfH)r)7wixM!v$j-GOqs~H3U82I0-#~n!v%p_3ObW%Yi=;x&olFF9(*z z|C3*glLbK#0Nc-TM-7f_P}kalUkrBOWd-g558Ps~125p}1a$tdD$2=%pa?)1%5l-b zxCR3U;~Fx$zjKX~1wjxvjxPu>uEB7@4!p>?pj+?$ z;OY%{az#e>YiC0`@p7^t2m)|9cHHTNCmZk?`mb*i1f0tMHNyh$e1J3YPjli?Zdgth z1Wn*Lz9zu&4TcYnaLD+MVjO}f0KUuP4jmlhV94MMvB=2&%SX(~f}je(oB46^!5pz% zpx+KaI72MpSo~vRk0c#}E^xr{4F{4JW4n%4JxDlb6R`D?uA0T7 zc)iqFtb-n7qF-E{R(PB);B>*hGb^dHTt01p-bS0|1Sze3aZUK0e+YhF6gCvec)V%u zcFK!Ca3XolYI85W<_!i-%d^h&v&D+2qCYfo&R!4&CwT`h;f(GXZdz=vC5g}!DswAF z@u%du63M^BPquZ*eEj3g?rm3>T|G|c&F{NoQ~snQ`*tOcn~xm6f1S!2*V4jfDSzy^ z@y)?az;Ralg2ed&bj>}-3pGEM<~VA0>gzYW`?M%%r1t$BWpTnpqp{U4U5d<1p>b7;E`=N%jUIQFzWa2qA3oyl2~J>|W4TK~G}Iz` zxBdrsnZ^k{@Xj*ioTlb=2Q}8YPZ)af$t^On40>I_UlGv#;#2__-p)?gS(hIY8SZ=M z$(gD20!Cdnmh4Lf63L{Du42U7ToCx_z880$&k^{E1g=Jhm4q$o8JjtEHg@(@m}2nq z3(@78y8bh`7gCh&XyYx4kHkqecsXy9^Dsq9pIGnF|p?@qcE4Sl$yx|ov zCTk%hO1tsn>r4`sm`Tgf5f-(2?h4d1aRA zewdo2jdPB?JUccHr;-9u&Y<|Ae%e48Xicm!Kc#)sO#np>rS7x=wzkwwhEsmDKNP(a znhmL{9!_!B*jwbNJ-iwFEoOkLZ8W;+>C(qXD;r{J?(`@H{)xFf=N1|oWUt3MSTTEh zyHaTK+lYx{k)#qBT}+)^9Fb{XYO)vnNjr-k@lNPXAj($JqUE=-%!#3vCtO~d;^QKW zyfQa}y{Wt|p$Mid%Ir2bsqwLVqq}E|Pb$LvG+!?ytnTWy*;8StatiHN+`3ow9sLq1 z+}_2`xU(*aKG##7AP6|+nWnyRt!iFr??bjk%{VH+RgYs!&OENLuotYYw zB7X)QM?sO=P)5lj4+bqpV}DClmu?y6dR_UX*6*Koo~e;rX2d)0JvU%ooGwjaEM%IN zC8^0v2`6I+el-`x+5j>xph~^CqUiRXu6ffQ)XaT$gO%@LK9STtb6!a5+AKBBlJsh zQJxaS5U>;p2{Jv&>J|*Uv*_3(@ruMUjz*N!*63#XBc}JaDyfzXItoTM*w{M3uZweK zUP-<#p2ygJ+OOdt>T`C<;Jt^>9W%GHUM4D5D1_&K8mSD{-O^Eiv>Y&Wy99kH%qNj} 
zNvy};K1aK5*&+CAys8_)lFqr3d!B_vPG!r1Qp=X>Y0^D071xA%dHQp87#uqu5{%PF33nH<;e@ht%)PEExRoD4XpFJW=dmjU#D0D9j_|?uih{`Zpgv;qaBuYD zM8dobPq&V|nCB5aQa0IoFWGpagdnHv6iRy>qDPg=_KbX4zc* z>8iBVB#6s3H`UQJBfoTNaBz)cBh$9*9(geJD!PHj!tJ>_p2exC{y-jwx0=?*tJI^d z*9rWlvj|z!-1*Hih^c&Y&J4yCDt(fBO-O&W7G>p*8H&{bfhGEYYcy?+A8&KG z`npOrB&v{Nf${qlluNm9Cvz=Ac^-~IR91EBgK3G(LREU@-e$khRuOuix9*w|Ph04v zWo3o-hKLhn;w=-PAXQad5RK7$wU$$O=&rva$Fvw~bw>c$iIG=Q$%jELA{$+HN~Md( z*h{~489+yBCbqCI=xp<%=*MXGOqGXY#M9B(#Rx5bns*%!&^|;kZ7Q^d6&bQt)%0zZ zKhxUmjU#eZsSF*nXUM$5B;m7k1@)?*1LdiSIh7#mFsj>khM2XMyuRy+c5;0)8jkNA zUy5Ev|5#W`Kl`KTA+On1ezWf@yVv#7@frak8b9c*9(FVbF-qe2YI;2`%r<>f-&pb^ zyI$Jf&JjA^<7xb5JFBgI{&ZHS$20sgbuoKqiQh|Yb$NQ`+s{bJTrUpkqAq9%p;*>w z4W*D==P^#uUkDt??WK$*XK%sGgcOAaNLHodl3n{U61ewKM@K(r)} zX1$&uSX4|tro3Nm6BFBR98WX+Th5~tr+g=x^JZvK8NE|&^Byc$jWHim_+GqR`t;&} zPIHKU+$VZqho-oY<|m2kDZoc3LnD=1A&YrGNc1kDr(%ZFd>($hN5*2SDur)JM!QoT*%D}OMUX?rNkDlz&G~wcy*Gbx{xNZb{#r&yC3WL_ zvlJEX;P!9KHkHw;L%6m+w^~TBe065DLpA&Kf3AHsA>(ySy>?SP$jjwTZu9Al8`oma zVfNhJ*SkK0Gpl{ZBmQ~vd(}~n&f2b0cIpc2bEFZJWXfi@+$K5ad{Gi6Y1X^#F*1A2 zI7sz*?k+Vpc)xbKr15bfd!?!6oHDN#o#kpPvpIjcgQfNMZu;ox-uBqAD<3xVqSolB zq+3~JO><<;N6h}L{coQs%D9_Dx#pv^Oj-_gFTv-hcpm*f!d=K4pX(`S}>zV@p$6^m- z;a-iGL%fN_KdptMTNCn2{HgDC0(d>+*h~flpoLf%K zU#`y2-=r&|s81d`y}+Twq4+p@P~%?n!>5JiYvf7d6K9g{Lnroj&B4TG3j-5t{1e+o zK0W=1X%m15exInuQAxJsu#`*^n+V<~CRRdSA>9Z6|Ttws0F^6rTxGVzxFL83Q= zSE5Zjp=RdV!Qx3r)<~c@%uGGLf?pG!ka%-b!AVZ2?LrLo=o=ovtO|`{YUx{IUS7;M z-Ce{!5HvC{j_}BbTcVqEkXMJ!t=`XlD#H9V?Mt9p@hSJDtiFY%lKm@akL|?7Qr|9B zp4+1_4<}|P8f0zw+Ux%4_c_(VBrs804s3nLMv*{SJKP zleG@5Bd}SZCA8#w@fb%OpmEMY`EUc@D9bsRcDQ7<`ddf5!On2p{dCdS{x1aNwm*F% zh$yy%i!)K?aSF?ZWiI^-vPxf@cj}Q^*-l_q%d8h>d3^6^%YF0eN@vzQhc}cBF8FK( zU2~`3KJVv}TF5_MA39WN&C^gfNRV}3dHNJH&5bWt2z<@(OWn>zxh%*0}c%S*>Ud!nl zmOoYt`DV`z;+0br4eOXk@W?-YdfDG*@?LA!Q|Sdiyv`X_zV`6>a;}Pf<*rLTSYJsl zsm0#)Y-4;NC#e-e{f7R{`F`4KSq5OU(p{+%lb@@8ryIy@Wt-|eSEja~wtm(5xGN09VNvdjP*SsovtN5Klx_KRn_t% zhk5t%Ua^X?8NbWc_e693RL9LF<|VJ#sw(IGaqr?pmz|$A7OSmGqt0h>_g5AdaF_Vx 
zP4k|(;rVZjl)a0!YQQM`nEg`kM<+?vTkWSmE&RxN&)SF(d6uUc^Qjnfz>qCVFR>W)=ge0_N{rtnQ<)MD^A@z$ZOoaO390Dbj>P|d zbId1OG0UIm#qercw(7UlD1`;QwX<40^ zSj!#-GMnG+p}bl~mJN2+R+wj#uuje&A<5uAli3qkMA6Udu>!HWQgK_^Pi-)-XduF# zkpyCS=OP)$+UpG7vRx$wMQOF6iOko}T7yk-v_myi!>wH^uK#d}*N}MSdGBuOBg{Iy zo>V>MFYmU*yeE6Ao!b(N1a5IMhV%vLb#c3PKre{j-J~;LBiD}D{SaD9?3mre-KBMil+K3f&*`j zeQ$yLpIUp|PE}p=`+iG|Nl#;0gZw`Wkb8(L?Von7zWwZPh8Ccn<+%4~a95;2o-!4~gRy6Tz-VVYr}GPC(`^aMh2D3wkm7_Yp&QCIG5bk2_*;UKZ&6?7>{Zd0C)Y zUw~%>R>yzTohU293jq*_dt6{}EQ0`LuK#*jfP45~dAl6YfVn^1Eb>|cGJj8Z=43^9 zCjj#Jj|&gRG#ENKrXis_ifIVX13+hkp7^A(fwi@(t|c9LXQx@J$Gziu(}QiG;Qyfaq6%Q284t253>E5PI2)+ zimN$U5uOH4pydVpG5{)Y|Mb~FWBCxQ4+quqN8}cAvLZYg1C4NwJD+f?;1C>a6+n>C z9kB`!8ilX|am>fX1-A+galsxxk#YU!s39~8VFi-qkBbhLTL=N{UB65tu-rljG|UiT zPJgWecj2XdNPgsf(QxT3Y&lHFa@<5EOyy_=*4{8w?zbY{=-2 zA{&Af01a)9J8Cep!EnLIhKvhJwxdj4oFD{2IFW7_zpFZ+L98tQwq^Ras)HRUF#11o z4M7S{px*^N*MP#IU%=qJ8PGleh~5lEAmUv7h_Vh4!ej9Xw7h^L+aWqQvLT^6ifr(D z06KxD7jR@d#09lxK)W{p)(j+EBL6vR@Ol6`fu0v^EWp_xfCDrX0(!jsDotktK_kxD zpq4#o=^DbE{@U4)^&O#C2(BNE-+v}1LCHEm|SFB|2=B( zf&e;!o)>Hf<=O13PgVzMm3ADX{(G3OVF>618ec#)6fo8Tu4Xpi-s8Z^0yrLla}l(mCL8c6eNab# zIH^Z%ZwUQDKqt`n0*-DVpkK&AS@5r#;RBl^2rxVzRD>TQ`#o-d+Rr!?o$ee*xVPkb)EFb-@m8yTJwx7=ZzU?Q_V; zj@r|}2wHFgtuEk62HZ>@*a?6=4fr+&A9NFh=KMoT)DcN0D|g`C7Q1h4@aNSGLYola zFFN*|!g1{oARO0_03O9P1T{E;Ru^zwJH!P&AOYD)z@ZJeKK)+@4nYo1pxXu9)B@Kj zzpD4CfhPm#)h@IX60}t?v?12~3& zC@o-yp>2|YGt@!5n4_jxN!JQ#iV?mhP9Q}NZi-BmitdL4A24*(F`LQI0V73+<5be z>o&NS1B>{S-T>tiW!`7$GY$RXXg^O!JeX`m=v({f z@lC!*6Ca-LpCQ)XeAME?9)QcgYvWPR?o6_9rw#}0{~T@}`!VLt;eBb85-`JzGMe>w89a4&XsS(Z0&)23C3fG5lgn{w}3tq>89-zPHX@3I+{ zuROfj)p&Lke7u<)IQ38C)>>2UWlZBG<~T;hVLT+4nZ%T}<`QA>BwpcvLYPg(q_q64 ze!pCkv_SGn#|L@qx^yFcvA z2XWeFid~&tt165amh3J1hIe~A6FQ23-x=g1pYL!{Z8I8->naMZ zTp-?jG`Mb_5B>9P30+0FlTL$rNo~tZ%j;(G-ioSTa^FjCFVF zZCyz#a4mP*-mS-V-T7fDZfquFY>(?5>%`6icvh^mFSb2A9m>Mpmi-T(u?iQ@j-A7q zY6>?Ll=~=j7#ALG#h00TdAm}bCo4q5ozQmJbOio0F-oZW=2sd_tbcA(dp^7^!GPvR z8u#|8g}|#@D25fDxzgEBpDo>)|Jo3@%3|GJ9kx`1b~UWIVaGEYT^d5y&l2;v@FmUo 
z%b}~U)dPK(`3t{)`SFa5_gf+RqpnaW!B6Hw1~{95*E1Nd-fknH;-PT9#FKuc>7Gq-bBltk!nXOLxaS z{pDxV^EaT}K-)y3YW?SgbU1tFj<>A6ewstXFFYF8Yt*yGzDOmt9F7-L5}^J9wtt;Y3m0t2~ELRvXz35IOB(1ljh=lMylygkNUI3`a9`_8(MUM*p%e7Zq1t+pCnJ2NI$ z%OnCEX#GJGZf2M(Jw8epn*AjOD9oDf16U4M>SWKCa~hw~RQ>{r6UmV%#iOTIy8f2% znPdCe_p^2wEno0zj2>Rg?~Lfukq)8wq$3_G-f{lZOXnPln$9AM(ynzd>UMM;Pc!wr zdjf>u`|wR_^_DM@={73w9!0-T;Q=4x2E#J`m|5cNq; z`6_Yr{h|q%Gq1)el4Mpw&+E#2`KTDO3C;d9L%m)~l1b5h#jxx)1+zf>1f7+S4jLDp zj!?*HtIG|*-$c=^JKl-3Nxwwm?&o%L_UKHsMoBV(AKpt0TvTKLsz2`rcwS3q z(#b+jSY@tLs#TD@vw$-we&k&q<)W%N_pl!#1f*(*wz9GY!t6 zrmrgEIp?N*(5Ge0Zgzb2OKS9@lQr`TC6rDR&Mz>CAX+%Lz~K=Rt_E^h@yu^Bd`ZD2 zNx>@ecD1nhjYOZM%7CsI2T=;hvts#~FiT{3>WkN6RLv7(Y;1|-gv@(nl8Y)6KJ5>7 zYDh;sa$KfHd+sTQum6QUSMTOI<3K zpb|YcmLPqdEH=$7?>R2da@5FR@R@cRos9RWf@bdNYiCVyVy4(74Of!XbDXb_P^N^t zk&6^@=d0T(dp_m7^7etiy=OIz_h|yCZ^X=t<-HJQ`#l6iULQH@eQFchP#@;yseNp^ z!pVqTr@EClqu=aScynRYY&`9OnGUGnZ7#L=So(4e+sBYnn<&;1eX}x=Yk0K{IF};M zwPiB;i`?PFz~yQuZg=Af84*(WK(6-DgspbrLUOAjCc(WHuVCJ$9MXQA72s!O5zWM( zx<@Jr{Q3g0f#IfmDDab>iF#P39gvMOcz){hx%cGa%8}=ytkIc-#_voTFRh9c$UiCL zcv;(XMXfhcr~V8ZcJp}+eHHiAh?=Nx=M`t~(zVT5-_dhpCk{>Bo#0i~`E+f&dbfzE z$l>ei7)~ooS>d*v#vY>e!wm||^R(bo;@RohfGVji}mwJC_LAluhb zy^eQL^sM*Tgj)?}-pj@Sx?8GXQQ!4ayYrHGctiAa2AYA&Kj{8JB}>JZA{dH1OFktX zKG09%Ak&e>iJs7P=B;krcvzCBP{>7J^)@LPp9F@muLHzCznG0cCXyRhu~Vq@aSLq? 
zg_B1w=MjHC%@BU`OA6%n{UR|D7BT?{9hWx51K5pw#&jS|j27}8y2IyXfSEtfKT=$nN<#{zbY$#AWeZ1)o$*{L3qpKawsF zL};f)6k)4@L;&X7(Q%P?(>D|tco0bgo5qXXx@C8)>F0Ou+vqWvY$?RAHv+I>iT{{7;(thCTq za#zhZEkmh!--vW>Bc^+HgjGhTNx#3fOQA3l9e8o769@ZhjMTel_frhKf?qlpQ3w^K zak0jP?sTiObS^lRD!k-MzekY03po|m#i*5qZ-T}U6s{(%Dj)tmpIL7pcPL(tH@e~< zzeJw5r&CJMQ!Y%G%gRJR2r?r53xeW>`SslF#-+Bnv|o)A;Wj%xF=lDl`(ng>AtwCN zX(6vVgHmU@ySDB$HRo7#xSn$Y(m;M74V=HEK?slrHyVX&RrD-j#QdzpATVF^`%jZQ z;b#maVk|Rhv)2lo(2G^=jd3ThxpgZU8jEK~sVs?Wa?KCM8TPfXd&py38{E0@4+1s0K4Wb!w2qr@B-|rp%kUfC0|$fX1hh2e(g#G?RF~uMnv>PS~)hK z@hUbIjmLy{YCuNngDu}2NuAVG{w0Yg$sMMYJ|q?n1WwKPj`O>vkk2mP65QWLN?gtP zY2%zWSm`Mrm$RY%>{UfjaWX_0IGTx?`T)DZ-HQ@@Oww4XYc|exn;91+R%f?v*jbzj zSJ;p_gImlHGaRXF6ge!2hI3!y8QHxke0&`Yuu7+nWN-~{7(p~aD~mk1My%s}vha9; zL0s>E7I#%iTkw|qWO6)HS;Le1VMU8`u_ZP=;V~R+dKufyXpz_6?%w1(T|-6t;at3# z#@FVpxqw$APxvCq_!7yBSznQFG@5qKzhicDX9|veAv4LWbDnYxx|ch69_-~4dheLd zYu}FSu$s|hvU!MdnpB49^Fk9(tVq1XV6g0{Z?63GVy2t82Xi#F&hx3W0z?lK)4Vn* z*ykkIzB1L#H3=B>Rg=2G(CODiz#LZpYydl)p4$M;K@Z7I&pXm!tp7YZ9$u)TnAiGt=CA6PL!ddBgCfYIbDwC2Q^AsaE`E9R1 zY^@jGBVW|yGJGjKw3OfZJ-x;J+TvrppRIARqY>6;O$yh-qE5+kuqT8w4=Ov7=m$>S zu8fGBTBg|RsQlPmQliamqB-7L@HrC4F}Go^UyjQ=w694X`1ys}XrLz>UW%1UGINzl zr}R9V24>qy#;nI>iU~Mxs$(5Z{UiOmQmu^%7x^UQhTo1RV8}bD1Ypf@c~MPEd8)5D z#z!w{0p{`%D(z2?6`!!!{pd2dU-yNd|1o8w)?4O)rly;jYtjxz)A zr-$W-AIRVLZ>OpD^E)*@M28w?cM)j#fvfNJRI;rNoajS{$z~d?VRAn}K(D*)?1c=n zRa>5PibzXN&mz<)6Kd^VTGrRe{`E_^6yY{X?wQ4`t~XX@IU8v&=lFPCEwNV8|N20$ z$NZcD|8hd|Zgols>1;htc#?ds>?{1)N89eP1{~yEBGb-m@E5?HNJ7JG2Irv~rMux`A&z6@hzj*LVkj@C;Z7hvAn~36_ z@5Grqw@H^NrThBhj&KxhuO5}wo@s22;WeXT zOy#(KTZ~I?!BA(!j$o}1k>Y&R!BHm$_QZRh5ODSZ0M_o!G+$x_y!aM9z3Wf^|6ov!O-$0o%GA`() z)PIc|!jf>t>rG`>NY zQlwG=gm`@5$2;}|6>KTM@WGY>GQK000zy1K=mdh^VM_sq3$_%HaUm`Rq;W$?$OmdO zk3DXOO92KCwiJ-z9kmn?0`h@7`{UyRf+c}U2546lX!JI;%M$Dj5&~Tl2zH?ZTz_2( z2m$#(a`&;3!7l}10sO+odXVD?0pidhU}#-ELSr6aDF7*x$c8zDgnZBmB)!8eflLXRA9G=tV=|CMIQdj^6SoIuJu zjAk%oa5O_gb`;GJ9uZF<sN>Go%qi$i)Xn`Ph2~8wU#@>>$7u#|{wg z-m(ag!lkLwHfDnxj 
z{F!498XV0Ik-=z&jO+-SA%xQ;G5^w^k?r=0aLZ)!@_ND13@V=pb9tm_B81?B0J0v} zyaz`!FyQk2)glNcnn2AYK(jwv1VK+4?0?b>AqXERO+7X=7|meFU^GKUb_C53GVnns zkmU}e84MSUX2`gH(+qjU5K2c*BF+7fW?%@kc^5EmaJw0p1KN)belCxs8AAR&=me77 z;b{i=d;jc21=PL%g=Pvee{TZ|^n--!dImayJa;&%9ioGy8WOsrsD>Z{ClKTgN3}y- zFt_9XI%)_yZ~}4eaFYt;7XW;NcH#l9G=SSa2%yctw38A&=KxPOsE~ugK?<0orDR2Tg?(8hk z0$>)XUFvWyp+7sAee0-^12>;geQG@(6WV9gak(Cw`+`{QuS1&yvh?6V3w zfewg_JginMMh!ukc zJwg2-zlaBG;DyY)UmGz}W&jsL-Wliw0>$9S#tLNb{O)q|yMY%ga47ks&CRd-jw9HH zpc5yMD+Xg53>}PZ$mot@8-hZdK%y9oZ7^K0mP*LD{{0v|V$=|H;sj#FV75F~K;aMO zl>Ju>%0UM&RtU6D7D6+bUwlJ8Rw5*xflfA9j1{=&{udhvXz~tij?6~Q3Y>lazy=*V z1;xK7>;dO@c!fC8Y%w@|aFj#FcNFIkbm2tP#o&+ujkAFB9WZMD^T;8jpMg#yUko^4 z0?$#?I?QSvjmQtzf&Ed9Yqn>!$Au) z0r|hLSA+mG(1}Kj!O+1dhm7tB#vw$X0XyfhhYhyN!EnJ+9g%VU_oyLg!wE!;9d@dP zfn#Tf_J8LDZVZsY9Z5C>ZGev$`%fns1Oj}j!M9aXF(>E1cS+RhXg?+Roe$-`8=cyS zbHjsi%!d4NP7$K#6gP0*ZZBQZ36;)E&k}1hs5@O>_LkPRwDCc1z?)3R3ry;pqyHak zUjY^6x_@l}ij*LYgh)3t3@P0yAdS-9Ass3RN(+bxNQVeWcY~w?k_t#kNeN1csC@6> zIn0bB_kZu_taaDDUeD6A`MvvjeoyVaB^d;K6+#TcX9p9f+^O8dn9{2g2K=iH6D$|M zUU@bm$-_=bUjulsJ_BEi$-tF^vYpPEPg#;-|bs`L%oS$l>^<{1>gNj-1Tw6 z-qwAb-me=C!(3jUriAtTdQ>6i5hYx+5zFJ31}kx|1^2n1_1d$O+KWB-QaGYQIn`FQ z;1nKz`FYnvdrzFnJF&$N7=E(7K5$+ZXA@S{6iJLaGXt{n2(W@r?43Dh-$wS8Rjg*^fnf=?_y5u zlp3?*ciND}IJFCwcf{J!X5yT9`j=)Fm&RO_nPTX6eFq4C=zFsYxhOf%TEwY&QXS;& zN_8`4sYyBI_&YFWxj#_7&o(Nu6v|rvdT#CgdBOrpHOk8aVR#F5GKP}s**^IEf>`sI z+*7nRcVe*RAy^CstTs(`j53*zRy;p@y-&go@2l#UEDR40d1lY5yZys<>1JCUzQ?0i zA)NO8=w@=53U#tC%}C3no@h$reJU&WzPnYivIaTJgL$n+ya{qp>&K$-AaCTNIzs`S zas}h4V^Y3qNt;e7pAC`4nuEY6yS2dt{K|DIbAtFA!Cgeucb|a4Vd~eX%1vIbF6|fK z6v$uB!q4hwdRk+HkxYS8pK|W3#7hz3@42Jb@A6lFw|y7r(IUdFm}BTFNG5B4{>x-w zXEpPQ7#{h!iwp`$VWruQBNuxU+I0r`Y{)Enrt^KDMk^%ZQ){{?h`X}&xQT!(6)yyT z9Uw8@DRvGiU>0}~7(+lr6r95X=BFS`=^#lS+r0hper!PsHuL3|AW8Hu=z+G^oIAX3k@X58jo$v@mJR34aAltkoA$)9>rj`M_$GxSTO^O0I8&E#7p z@r0L}JC0!WCN%5pGjEo@qHv@a$G2uBc(jdcA$_XvA~TiA(&D}>ExPmRF6t9kE@r(y zsOGOyWZAI2?b2YF@H*Jt@rNhor=69wkhXQI=&}3KYYp)~gyPeNq~n>(A7b@T;gfb! 
z;gyJW(fEsY62H1c?e zwwn6&J75VyS`VY?ouku$vsO*#a8Hux4wAM$+(mj}-io?srrOB)djOdK%R ztGNBxq1-rEy3SdbJ7_HNJ1GN+8TjSx8|WqZ6n5%YtDd7h9#xrbReN&h>GO7>Na^3x5{y4u^B6kO@}x-YlJcLf$7=!Y9K`Ebq8LUO(2ij9d{=^tPj5piCzwgJ3MhWg+qQ zUt_uFLq2~JPjKmu#xoU;A&6~v1^7&&YsQ-!P1)~TfxoZaNI#qoYwgwx^LN$O6pb21 zU2kGq>1`tKDAgRivZs8FXFE_5q=c@mbgB5kNur<9wx@vUD7pBYVuSXGfT4QwW6F1# zfEeKS45*gD>&$h%> z)HO{~wAJOwDN)pQ9}{8~@d;nW^h6>xK!no}F({kKA%vR)rxO)38sd%A0V)J4q02ba z*$Nbx&29jHQMoNU8pO=PQS+UtB3feE8F$5hzA{YkwPxEY0RJ{H^9Y)4_thkP z$PDL;c6@Ywhh=~B*e|tfY_75RA{1;9SBYLmqzbuLC>2*6IOedvq=`56#E!wL5fXez z!}_a+XMfc&npBtHo_zb|Df%a%0*XpL=RCs!G;MC2<=Ax7zBP)5I-gq&qAi+qB@gmU zS`&u$Pb!vsJh?sO!ByX|xL>yeSrf}2nr8P-GxL4nzvJUgXEQxAOqt(eSwYgH#1<}P zeNN-k44lS5CWa$O&{D(vo%H)OS^!nu?I>({ z94>Skphc~1ShV*BI`ZMLw50IAeS(M6VQBVMFxN=1&NMrodh>O@+2C4+QgPvgtyJyE z9NlXAVrxKiz?qgE^FUiw=XaA~Q9SaRd^XRU$A|?uEq6h4hV_&#ZwD|a_^i#kZc1Xw zyAw$4{`k%yq(I$?bvuae+wJBlqN|hUo7(#F=kg#C1{-Uvw-#kKAF>-ik;ibELrn@9qEiu21a z#9bOs__WcYf2U}*x*{7ClF@)~{B-Iasoko-Vbbdyk^(6=$aEWHVHEK*C6K5X&{!~T z--Z8iNj$R(_sVD2#BYXuFq1668U=qT>wmIsa{uxvI(I`%3Q=BpOFCw59&ufH9_#RZ zvS*6KSt)E=*KN^c`Uk(^6)Ne2sV|jN=Wk{(N@MhH787mfyZxjt*Qp(rd` z-mw+UJ-|y*;ItTdcPeeGq$n%SXt#sp>E<`;_2JJC=6zT({4#OTxT2rc`Z*-~_I}g0 z>Re>~Y*qfzY<*frM~le3H{|)f$w-r>j|A1vg(%2*$h0ug#Lj9_&09Sv>3(G4>6LZP z;JfYh>cl;tzM{;Tds_7yABJ)L>-_wEeQ#|p3>p;rdwc9psSIxa2;KKqURo<%8ZGSt zIX~@Ls1@{he#)ZzO8u^Y@T~8`*|*I)tPJ5bolkntvz>BRYUFf&s7f?ANz?2Vcen7o zEh$aL%ihI3io^!+3(n_5weiCb-?c5XF)Q=2ieBNyqdshdqSSMtW(AjOLmn)J+{pKi zl(*j-D$a8XP$jKpZ?Prw)&bLL7W9~3s!jbGOQZ_{rOoTOv_Iw^_j#MbeVaK*l9Wa- zmIB`_5a{A9I_i8jn1|~roWcglml+Wg=J~4pLt(PQ99*w&e45`Re`O)w8@HiwCq~Up z-PX_GwnQYLxT&ToDrL($aU-O+#55;&*m#Cuc+MLI6 zxqxC@^IlZ@)L{BrNqW^S$4OoMil6r7vg|vFL~pJS<89#8pUma^yobYQ9==~Bztzsf zD@wvl{KFyp+QI|-yxEEKqUY^9n#c<^Z+|n#3oMJOynrtaVI1X50yxdntjEuFW4gep z;2OGv)Tvk(L>@m+yo`w;KK%aWOAn1AB5)YPhjOBY;hpY2W>!6043@WS9B(1{mF_&;K_-S`vznP?L?4-R z!rt1WiI{ztY2dGX|C;Gin#x>t&EsyORUG3JdL}2rM+EUnG0QkdQ|I{Kv_Oe^`t-+Q zHO1M1O#IUyT^<>e5i@F#OrLr!4bkjlCf=oeA?Y#c(fHn%V3sn|nCnxsX=wCf6-Eq? 
zbc7QwJ+Jn@I0pJlZ-ocrr9D5Rrm7NizU*lFeu^?+KN0PeX7c@NS=w^T#AJl6>B&J7 ztgn8%KR(SyC?^o`oHKb)*oG<5qW|M-&z9e=6GNx|Y?k`ZrJi+i_W8pdHNQ%K&uor? zzvtDyH?0RhJp^z3*x#--m}>mFwGzBL2n_HaTTDXVJI3FNH2SjU^eTqo7bLm#j;MG3 zxG}u>vP~lKqSJe3TGt(~&C7JkN#;FBByf4NQh6yv?=PNRf;G-0ak)m>+FSCrJ^Q?DkG5)tK6 zU~aWhYZYC-3p%e%-Dy7>TW(*=wDulSOP7XkJRJLxhEeaC{gRunuc3l()vzt+*T=rG zr?=#`D?;L)YHh0Ww4D$aVlj5p(mnaE_{w$ZaR&SiY{$9K{J=(;yXA=?gn`&P6A|*2 z&VU+l`vjl{d>pxcw{_r1!0;_f& zF5pfb#1CA7!_e^nx7qxB&;xg5biYnJkuMMtEbc)l@M?!68!TMs@RAcykNqiJ2O2V^ zBqj0Zqjdy}dk_lD+F@*ip@U=Fe;Js>k6>{RLV;I1jBPMnFt0o0NTUB-HTYLUAQU*Y z!yT>vn}G$5@c=GzfTML}aL1Aj{>UE)Y540433##rxBUM~+Mux_&2`?Yq z>$KxD;P?@2?LjE;XNP0j5jr@gA)z~lX$ZFVAQbqs!!hj$7woq1f27VU5u za7XB18F0wxez6VtMFfJaJqQIJ?XagozjBH*-T1#qhmJSYKVc)zQ3e|=7*3^?G` zHNyD(`%FK$VZa0E{r`mZX%=mH3pCu zkqDmlAky zutRru|ITVq&leuR#Q_>P_1h5r4^d|PJn#=iK`3=#hoOU!4H?}rWJ9p82cgt|9fk{D z67|1T4WS#Lzr+$4+br?EnP^>p%z+ROtg~nLxm=evJXZ zqY0STIDy4I2vDIShH)JNlM_=G`(1Q_U`Y?ChW@%2Ksx|{0@(kjpPKkI=yl zP$YE63{dDx#Um9B5QX;F9~5qY9^r!JGybntLudx5Fm*f1X9Scy|4g~?h=13X9XCQD z2+aTmZf(+*#_A30iFrJmLA-^(C`R&h15UFp2KV@vETFZ_#p`W00pjYFuK9u z!RUqz?>M?4^aB)ly1_mk3>Pdq0vXr;Q8t8*fC5K1xZJX%uL{d&M27c^Z^(-e1gkj^ z3M}2=`Njzd#i38!;qn;|Q_YYAuN0IH`G%Cw$d6z-2SS0R8yw$`;KA_?8oGu6?-;%z zSj~Y@VCe?Owud`7s4E5P3bxE}gbirI0~8-m{)2nD8YaCC!9 zkKzJi838xD|B%uI5DsbChTu2{LV>dzjB9Y%U}XERldbr95xN2joZVn-gF|){()b5p z|4whnMMG!^D6n>er8L4pgH3mTz;@i+hTu8}LV>j#JlPJ@qM&j%xS+;gVOt0qx5K&} zpVY|Di_jQQVDkpYIT%DZ&K*W=AwWEChC|pZpu*-2IOPCLLxJmGsQUS^F#rO=qp-&R zkK!RX(ScCw_XYv(ApeQWJ4$N=BK>~JxL}tsP#N_9kv9n3pTjSOQR@8$LkauD$S9Bb z!U&#pz>I*xB{~cjOcsia3x04Mm)6LS;7|ubfe##2SHP!a(>ien5I1_v6>ByaG zl9q!hKaiq`kB`6Cb~xGO!T#3r=k1MQt-_yr3ivK6|cR5)h#> zM;4)$917gw4NmiLnXj?4Y2=ie`P+0p-JdzJaV@qnBR7~jPTNpozQm0D%GA*c5eiKB zW^CF+>qF)dZ;U3NoAy&sxA{w}F`C1{PM>?0m=@VsmpyJA`os5=K zm0fI_-C{)frDUSbK_JoV#Yd0E3~#~r4l5fWe!)4ByMk4Hvp*u(_Z%DR8?x6nwq`0a zUWvTlxhNe`xwhrhNR%SH`qnsJVA2iCcYf(aj(p-K2Y=>|&pEjMdt0AHrhJ)=dUA@~ z4m`ZJ4bktk&h9dB%?NRw#m;!#qC;>w*sXOoGNp?>lk%4JmVUNZk|B 
zo2A*iP|5dUK!_%Op0w%giSQHOPB!tKuw$U*)FyBF#6)|MC0f%Si&>SI+YHQ7z{SUm zd)_JlJsgdb+X`f*yf0sB|MTX-R`&|VP(mr~Py`)$SIk2?+6~j2;5n(%I!gn~#baU_L=9uYsFZhj+iB6%J z^clNKUVb^G7_V%EDHUOb*=FU&+aGrFjl)1}>lSII2>VqRWo4zDTzBOu0=co^mj~=h zufG4--{Q}-=o^nHc{(ZRwd(q*SgC%XG*I=f%Qw<-%9lhj^dI`@`6(3-g4XGCzqpr5 zXAJ4E)O?ta$tLI%S16e;<{9l8^*m$TSGsET@@`xpAEmIZ$edbw1Qq6j#|1weE{P9b z-|?*Zy(8Lj-(pvrTkVRmPl>YAY3s*yoq1u@8Am6h-x}qhS!UO%5w3tc7fnv>9i$JM zwFuHzbCq~O9?u=!k&iy?kz0>$U)`-&GkPBKQ(Nn%W1njbX+!$y-WPAIl2^4$9t)B3 zm!N5a&*xhbdGt5D@gun1+59ma-+HF0@U~&Jfisv!!p!zMXSg=?3)@}mFU)i;`=m^P zO_YrRE}6UyEy6Fvori^9sWuvN@X`i;>{`8Bc*79H#qr=2Gpoz?sl;s)1~b=tM4%C! z^g5P}V6fmuFzr(&`rzdZYR#}`C+D{tVuIJhv)|KH(b%2mrJx$TL^WttV%DXunA63} zqKom~aeulUy(xb>$eXFE*+PoE>hlMXX$b8NuQ%HMlWG#fp> zH6}rJ!k{40wsCjx+DP}cy_u3_`pDzWBaUR?|z%r%~C(Kl3&oe|Sq}IdA#> zqVWPzq3FdBmHWK+#ciJbFguG!&(^UOONe_zzvuq`1=p}MZw21?c?c-fo;PM36vZmI z6FU1u@ugFct&VfpEY_a6)OZldaMhM5R{2S0i~C$4KlA%(Us(;Yx$KR)H%NL&L|V@9 z>!R(5M{t%Jr`8MNUjyk%tnihJGk9{BnBofQY?=aJtVi%k1vP!%RRI( zE`4qjL`Xqg&tWA`QqQ3TX^P=dabqR*?2jVu`2r20%EqTHNo^XlFnCD9CB!Y6C+&2B z&OC8l#f0pMlUWR2K}E2$K&iWp4NDuTr*PSW(NJ(!9;Usu&l69f>wQ@|H=`Ru%WPsW z*~ZNT!I=u_l`J!4{In4SbDbGC1z)jLwqY3{5%Mbh$^z=hT+Zsdwr1;)L#CCis-5-ho zL9(ZKS}T&=WcQU#WMX&e8tK(cE643~do(oOWwEyubbC1)Rpb^c-;i8gSbXiYdMj3{ z?8SyRN`-5$@?U>I&Mh`j`1IQN)71q_GtyqYi`E}x`NdyFKb`IhV(^Yzg%*Bnag2*u z@|jZzUg<4YhXC5f>0xT=r^`PrJ`syL@Fzml9%)VUzjtEqW!}vkXE67-{qR_=pp0Hn zxJso>p!rGNO}>WBB)Xu23B$Q&hgt2RG;YuH*a>AJ1yX&cr%Jd?Uq#cJnsoBAj6o9e z+p{o~bcIE3q;&!0&yag{`aPM_&o2ZcU*1&q9+YG1w-h@!on>Y$=e<6TWydvss*LFbRn^;i3CpQP#mvkDAG2$_Y%bVHntKw_5=)SS0JdxQl(dFZ+xEV(;D4L&3BYghi z?ZRr7jXIEt<|YS-XK{snN2qe>aazm+9V46j;v58}Ent50d!!``T@kdjMd>s}>1l>i z63rn&cL~?D3NH1NU3i>CL33#&-a_j=r$XD5nu87qH(xb`YtB?7^g8dNEP7K{WK?}z zG961>44XoP%mWf`j)Vm%P@QEEF}7#Fql8T(^LE!G`O!w5;sX!o%_IY|VjkkJ!zAhC zZ1mLnJw^Ohu`D&^lNW64K|*xUp$ zJ(7IB5LT}gc0PGjZX@++EQA7MwS+h3ff3fgrMN*)i{iP9d$KgwL}U;2(N%IA*;&oI8%#rzTWC%nE6KX04l5 zn%}LvH&Mb%5SwzD@V4v|i#>Dqp)Z1l#l$u3Pdt+-H66`Ii121>?uqLCMbI8u9TNv{*&5Zi{Dieeh 
z$tv$h*nM%pZ?8K@+B7Dfl*e{coTXVfVb;4T_wsT?E_HSNgKlm_qPd}n z?C0mVFD|5xe$hC0Rl`JPvey@l#`GYf{$#n0>J!^IEZb!^4AN;Ge7I9zq{GZ(s&+Bp5KZ6W`5c#ZWX`Yw4DlhAl)(PV`Td!8uyq_$4=S+@y1w+nG!8?v3?L5FG9n9p{ zq4b{p7Z1nSDfYXh8p$5YB2qyrP3^ZBF<+5}Fbi|YPsH(kKGnJ=cnv+_ z?@LeqKx@OiUb#78;Kg`5*j_DR)saQaICMhvftKI6mU;@9?{-0rO=RBWYF%IflQ51g z$qDt&l@md<|E`uH#Tr*RZ@iP=(xl?R`pREC+&=6`SmCv>RPRKS^pJbaggtgM^vV;- zYCLw$=L6CgBgb7#dtxprxJ5H;rhDEj>nk_e3O%KUWx)6T1#1i*d0Pw3gRD4v6Jf?O z+SSBwx<&O5aw$dCTDQJ5M0n-Ax?X$Bic7rVn%_g&+AoIBPU(sEy<&)b*M7>MIh>< z^fHS;-*BSZ@;qnt4OP0tpZ>hmfvf&>MfmMkAGB$lyy|{n%`!KbV#mwcpshbz6`xnE z;}Xp>=r48A|R&B`CQgs*K$p;hnE8ZqsWc+!W_|X*?_bg8s$(4c5id z>+LIiuO{wUN46yt++nYDQ#vm>@G=|ivQor(Nnm;{neF^sf*$cY#2k$!fiT}vb0b~u zCb-LHP3tL;d6zpbZPwsd??$=1l&bM;qopTz=*E)vz4bogjvsqli-Ua(B-bL$uZ@JC zlw}lbclx^G5QLkPqGFxIULI`pbE%d}t8OXJVQAy$RLt_au-~_t{mPgHs)PMP_trd- zdf$WA;K~%guS=~P%Nz%L<2hev)+g(K?AJzaN4*nky5H_ib@MyI6IFiyMP7c zwG^hohY_^2b&ujIrmJ-C8KtXtYIR7L&#B-|-!Xioe;`k8iea!Gw;T~2Vl8y1RoM?@5_6w7vVqV&ihdzx)bn;e-u}qIb2c% z=UHH^{P(-e{eBK2mIM=5%S>nY?JCRC^0`wN83y*zG+ncvK^RX>xTtBx?g`Cb_ZF`e zm)EN830@7ZrcI(Nz#lMp^yMMe<(6o>D0yKyl6L`@DgC}Jsf&c*r7pCt_lX>QysvaB zY~li{e&(d;(g(}@Yq(6Bnb%#DCa9EiA3WKa-FfL8LU{F>8?QEv33cwyxvc7b zo%OKmmrhG<2kg++%3PbI%grSIXuc@zt@+%}Q)MaY<%KH{`nB+~x4_8a=Dfg zS7hQSMAhCWJaX}SO6b+dZm(n+`>sgs>X}*Q!GehwO}925;w(OH-9aVj; zzct(A0nR@oCR^?nQ;WHtr?YLsllG*{mzgGo+WV$!)`>vE@q9IOBPp$2@AB~~7N++l z0ceJ=J1>90+7s`BYOcabTGPw!65S1z^yQ>>H3r63I!JUaHr8Qc@9(r11PQl6IWz;4*YSOx|M~dne*>&9rzFq^HE@i z4?B&9L4-f4{1wx}eRQ6B+({+E?Jf$e@L~5KFkEm-7@ps8{THP}ILJqVB|dQ32|X?c zUJvntfa7vN4*=NdLZJ8dP)AK(;GaU33cr;OIfo5+HUxi6i2_f2FbGO9fPHYlz`!G8 z;2qGRQtZD4h7ckELV+bd+<<`To4A38H9+JRVEu(GAwu}73KGAM281*L5DJ{}VWRll{4{sBoPDrY?d-8X>ETpkMV*;fVk?gr$an*AXP5U3i$mI1X6 z`A}bkU*iCdYTST*Iig_fAFBO6=K|Oex&li5@nO*5sD=dXSgIj(1C$!%!+^n24GGx4 zR70*ALZ$!+1@8E;)Jd3F3@)eb&tkDZQVk(i09YoVa#jQLav@O-%m+G#YQKjla&dAY zGy{~Hf2sC|njv%o6j{}qS^ zqZ$}Ua{Gf)?9Ws~=mn^?#s?C#kg0Zf%zz++{byGDJxCFt8bUKbsVhDV8XVP-pdCv! 
zgjRr3Q+yaOII1B5`kADPNz&q__5~Dp%b9M3Li!_5brNx5dK934rvMzlH`ESa<{tE>R8%+F{L*0}Fw#3Ev99C@^q?XBzap z<50{A7g-41wj(j^Pnm@PHuzouMuB}B9Mg`V!7&X9+ObT7?*zcQ<*z>{9Mg_~!7&X9 z7?f#$t{H-}9MD1j8X8=5;Sn@ArXfK)mT3s4a$r=Lw*iZOFh8(@2ZT+(WC(zc0(uj} z#|@QW{i^~zx=OpweoaLP}lzx9bfqP6U5BK*asm#e)Ui0l(sg%IK&8 z{{bN9jvp}hfWkghRQxXp;m?bJ>!rU&2sd0|W#oo#L&3n|)*q_)Pe1*m>kCjp_~rmc zsi7MT9&E@Wf8^taEP~S<7^RMGFkrCkF=Sx>N8Jz_1WIh(4lUe(1sC@b^?0D46}mV? zX5R6m7NI|&z}5|BKXWAEq=s5<0f9k)Dw7-7av>(&{X&N1egserp*x_!(G6}Wz%+G$ zfAcxPbN2Z_#7N4hRJ2 zIWX7X_Xv2}0Wkjo2Qxb40v@pZ2JSy4d~tCiSkQsF{=P@R@eT$Mj(5lak0l;LdqAnt z8%!+;NGPHC=Uf1<|M%J<>>*HK_6Em1VEJ^o1OTjIV9Wyw`b$-LG^rfVJcJ&BTE904 zbZ^QBILiX!T|Vf0DWGux%0EsZLlXq=uz9@i3cx#rR)JE>HyAt^?U3Oe%Q}Qkfl|*m z7%-Ug3No<&2)^%n;TxCRmL44VoLH~Ru8sn!e7vO8eG#)HI#-lG@HKs!;*foK zIaiZVYI`g5t=p+7S83DY>yOnhN=1m*Y)mzwLwxv&4$d$Hy=|oM6LEYYL%S9A^I~*j zKOX~nR~TuyxwXf^!o~z~Yi;W~2ETJ!()G0FJ*uTij_T_XPgE5?kuL@u93&P7Epe<* zQQ9{|w~mY8@Zxd=S@hXA2><-i))chZw|eO?3X z9O9|Qt99SMc~p6RHMfuJF!yzl$1FPSZhQh#&T=nIi_m>@*o-{gT7s)$AgEEkoF)%a zhL?uT)(!ctF(qA7V=JLyM`ENowxN{^aUDkQEHD0=H>9oj`5Ei|jb~RX2XR%fgI_6Q zC5ereG_L9;bEG7+59w5#PZbze~2J&*sEaUvJ_G zkx$b*wH*bwpK{sz@BVb!FDhwV$9ulBi@luGAojGs68GNzKF-W7|0&0ar{sJcy}n;3 z9TsWmRx4b*<041LI=}=HKYONh4LlDZ=4cQ{Cf{!xmGhEZ2FsLaoz08vr7k4X-o2F$ zBr?lyb7pl`T~%X=)h|C)+xn2s$gvYKc1Lh_bg$NZTuHXPc0YMw_frEuuJ5L=?`EoF ze0b!%@TLep-Pex7^@blCKl|QNaf>L`?S7hZbScEJ55iChJ*B#MTFch;uHGBrZFz{$ zcW00Gc*n4Ft?}S6rV9t`Br#w1Ha6A+`ZEX>o%xGqW`bu(O_D(EgeLkg6C=WM_1ZJf z^D>g~T<2wc6+d#)XAdu^Z6Jz-hhmb8!fe*@-Hq68?(9#qDM4J=F`2rY*+0&bn8<^& zFPaGa5aMi)kh`YHDi%UVM~>|>peY~Muv?o;Os{wK%3Y4Z46^FYxMrEwsvV8~x!f_r zBECD}nMTw`(_o+SbecY?T2-BLA9iPm>jzK9Zw~@Udj|62!xq{ZHaD}MWjsLh=ggwn zs;!}yQX7c4N%!U80G}0q7U-C$w?^Id6`mU^Uan6_7Ym8#5 z;W3%t-QkP25NeYVe zli≫o2wg-*y~NtXEq*E`pSSgU8w zzh%8^zGv3sj240A>iov%`fHJftW)lfub5*N&=hByo{}nl^H9jyRMqUmn_>)4GM&3+ zOb_2LOh1hdc?^~{51A`syftukv0u`f#4pP=T!Di1Q%+SVdrAjs6Db(d`6Uunarpmm%yQsyKGIN zJ1`haHYa3rjm6oZ+xqITq-dB?EI(-m@TED=l0mN6TJ^KCC1gqMOLo-T`?eSLKWz_o 
zS$3D(l$-r}mSM+_x1W)RIm>Lx^=g}^axh!6I#J6HcCgC6a^&FHwry%4+w`Mziejxn zfrJ@GQms(pC=I5Q>VhRg%`N+H6RmC1R#(W}Rf-$uGJQK>r=sriijaJB_5^K`vsp>i zgOkP<)zRh?;^UVWH-?fKBrRgWB^i7h92V@&x4%u%K94}dn|zS`EK_ysqWKe@682ho zGP>u{?TyrzmxIpG-a38q^ts@gJGX%!-%U3qgk_T50bjxJasbmu`t?Tvw0r~NSC&z1I? z$;Ej4#75KSv|3-qy0}jCYS*`It6+D3dNPiSopiS2we5g+Ypi_CdCk}6#kwcFsrW&3 zH{ZKgLbBegIe&1bXZ?N+GtVW)7>|$jJGG%ii_r|m$-#81qq1Nh)~2*KMSoG2^P#mV zXMscKg0T3C**qKHyZ8TRR*nV$ne@eykHH+bsS&0D6py} zG3*nu?=4SW@5|*%sishBd$Xdedy4j2k4<=?1#1J?8e36o7%?2L5ptLd}RclMsWRyhGPUylraOCDe;pCG1;BE0sL(b@eR8-&g5IYd+6A?aYixJ{GZY2 zQf3)Jv{tG{Wsqw(7VDcE3K26&uT52|4n99XpK7JwL${z(o!CtHEr6wGN`B1rxk@*O zMB*3TxmwG?9p2jPua_GGAUc};^chjZLj=5B?;=hT@X{Dk&on8W{c0^`GnoCM+BQw8 zf~zs!Du#aoZ-%?9Ye4ZurV;>DVX!h9GF($lHU`EBV8~L^94_mkrW1X=!3V{;5j*4b z$7=Gv$sT=NV;N)jTKjQXSNy9%dWFHN5QP&pw5@WEg7y5?2vzB2s zO(|~SwwYp(uXlmARzH0zFZiUF1i>kEe4O`z&;bpxyW3E&sc+)PHAwIAyk3){XHI_1 zRkhCz?8{>S^>wktVCO05xr5FsU?aQ)GMV|dNHERDXrv4BI}V(&j)mFJ42-!8=7hxMGm5TIgx&G z=Uz*Ct^RBUFNg)$e^5VSuvEu7=YtZYa6W&u!x-b5w*GjT2#3N@uOh=e!yu6FXQ`&R zz*b@dU^dboOkWDJq*`h!!fh!cA>UDTRSHPWkqxhymD9vBcPD>*c}k_Rg(tb9{A22} z3%Y!!|71nQ*CE$WpV%@+u@*oz6Qz-Oy<0O9*n8+4Vi*3SoLRRWV7^^B;+A-6zmeZxi$R%resTwE0|q(8fzy&3KRyDU)D{X{}74L}RGXawi+F zh{i}MG@Cr#H}iDso|adSYVf4p_dF-gNBx{H1U$c;3UgqYrv;6&p=_86;mKKwX(}k&ON!c@EqB$!Q)~nA7+~(bQ zgdM-hlJ5lYNfQVuuVVxzVCvJg^zcso+*zI|wcxER6#2flyco=Tu*WG>>+k8$K~n22 zEaWfjVU#={wX=OeE8}sm)039^kV^?wZLy<8G-wVKZ#7DDbqI!DMV7O@AQ9?)QD5g2 zt7WF$=CUGBm`!i09Fxz`Lb7r=M{NI^BckRpN*_dhZnw1%>s*NAQ0ml`5q%W6idh$w z9XZzMCR<&mHnUJqqb5v+ zhSGr0HQ&6YjJcHE+V9TEHSVfcSENrUz5%{mucdZBCtE_Q6hWqC%5qh)9o^dZ2;tgp z&qX=6B))}Mg~_h;UT{mEpCLR7Pb>;gfAx2VCItEth6+XBXYvZzT$v5&dU5MGoz>cl;wcbVIRzjPTAxo1k+AaLzCbvmWXR+zjt$37Bs(}hEm{_#MmHM`gK#7HK_q2Ug% z>$jBeI0U5=os)is1}xezti_tNSacJ&FXEaLtXNTaXci^E|B|JnGAmRXy{&(59J1p% z;N$8nb@p}%Zs2A?%K`CjNF|tJ0FXi^vX|SOmx+%Dx6Js`pYZj=e;>&emME5 zn6Eq!(mj!o?YhCkBZqw;@O@=t{|>fvm{*jc%)zo`3(3~cf6on+&)`1$Zy?aVYb)|1-*+*@8#S- zn{wmQnimY-$=l+~ERJ?6KiQNoW27r17}>xeQ;;;QSh;_HzHiAzO-54xDV8ecVm{N$ 
zw%5<6h~79&)5>(*k;}s3j=01umi56uO+I$z5{7;HL?qE#-IUv+@DkSf&idy(9 zr%!J@%&2L3y~uTA?ZR5OVa+mx%9Y|9(Yd%P`8OUsF1eDIg<8o1FGfbAduhM?QP}AB zuJ{@&u~PuCFs?7N@zBY5tK zFn*+GvBZ%a7A^)0>N;wkubvSznr)hu-6aSc#~D@Sv$w^u_b_eyM&urkqe^+l*<@() z+R9R|-m~X#w8P}@kzf91+K+KRL=R$Cpy$xdSIKUF?z((_LbToqyYqu=t?axj3$*z& zPrDjdGbmCy;@&Eit=4%_YN%73{4jD_y^5P`CW7u7{~F{`s(UJJ%B}gn7>r4K<_1Nb z{^1*iZh4M$RX1=P=}DgGoJpohwk$C|pLe21#vqnx=&s3V;9DxSX*)80%%#N-uQc06 z5_=fqQ*xLcq!&fWTrfUg@Bs9#b&_cx|DbmTqaY0c?&g3O@K}Z#F9N1*{1D(32QT0V z&CPRkrVPDqkvPs$mWvZ1KLLz_Bmmfr!7pHNr?!Z|jytkNNKOEwAOZk({`m_L%t`it zEEU2H1`6!|dH(f`{e=r=_W2vG;}2;Ot}IYt{13dQ<_8`qK&T;rat!(ym!BVat^whL z>R1sdb^P5YLP`SgCiJgw@Zh)(0j_u8O-3QWOOM~Ve!Rgbz;=Xt3KV$$!`S`{8jS6~ zK|7Z12p1G6@cM_b{TCvbspxNr4kw2HSS*Cg2^5(9gMs&IKnwx!+!6v@Q$SVRd;rII zf%hhyfWa^X47_=Tk?dH~BcvmMQDE{9$1fg!Xdn#~7x$6TDFn!yK+M5|uiSA~om`v{ zcugFj6aVXR0OJ}ACLG_8U>-*~gp>qeGW=^`Fv`Jz!K_aIzw3wa-U$Wn|InvvfCB*F z?Fxel4WI+OP61&cGR(vJ{lV-M__PR}00qYXu#v$7yqEZucL*C9JirTaL~Zi%g9D)> zpuqYcesF+~q8N{S1bBcUjR*~XaHu2s2mrN1xXMO>`#;>UI06V87RUgP9To_^0R`^= zaKqvV7|clk8QA|>IfPb$0{eehk`B)iKv*mcGQh*iiAfP@U2CymtL7$!g z6ABQn22B|RblM0jrfcE~lG4Y#okU1b0HYuZ05&LK0O1A&62RjI1uwi%0*rzf0N9{_ z0RtRKplbj?V)_43IfO2Of;0eF8YuAN{-aL=0dGBkWigE08<^5 zQV-C`|E|0RgP@D3KWWsske)mv1Sx<~5D5TBx+7>X(jh}TmUIX$0tGn$aHKl|1}7Z) zUuuTXBv23p026tGkD$Rs-pADJk8((a^aNl*fl8_Y(=HO#07cg^R6`al^CD~|Q0n>* zg9f7-GPL8UhLD;7xQ6_7(O^`A0fSKu85p$bLp>OfYle`N0GM<9Jv3lD4;W?vYh9>X z?RVuZ2-y1nx5`_DumnIX@Ym4b8Y++nEkJt6g<_qf5jXFR67!R19p_Z zQ|(y6GJ^3QU?1|=*x;yk1PzXANYIX@8bT{Tg|pp}_Y?OKFqriAf2tWmCqRL<9Zcj6 zg9ek{B11c@*`Gw-2&Q{r6nNUfF^vm2k@+@!6>k^gH38MU@)d313R{6fU^t&w7=gKz(n3KXfUQBLpzRXfMy>7 z+23yp4t*#2d4LNF2yn*sD}N3ux&ihuK%e0Q&e));YSq_@GI%$;|0uEnLEVMmL^e+qA_0-j?e!llt~hv4 z)-mwT#9N7!1hYbVPw)#qFflDIejDNP&cBhGDO#%h`IU-n!Kd%e34sc%AGR42?mbNJ zRF$PVAb-~s#38fM@5S|fYkcO%9ha+QX~Ez1WbLJA>q)MF%)tq{Gp#GFxCU4bxa+vi zbK;)4#&_o>8g>=f3o5-XDh9ojDGaBY?t9D;G#E-XNs(L^)tWekt3r7b$G~@cZhTfG z8OQePx0U^zj??6^ACj^4zch1^y6(+41#cX@B9{0z+nU%~>JS;sfUELqEvd%0)|hGZ 
z`J?z~>@Frc@zHvcB!wk;nw-3ledk-rLAC=?H(!ET1FQn`Xu^Gf->@EdqsIF2!V5L8 zkM!6k>SVf2;FjSi=>`FnRKr1=KXbycm?P6Mga~>valZ-5nq4+SPl??B=<!~tm)?`Bp24+!eS(2=d)t>k2b(=u7tI#D+{kyuIS z{RKy9aMV*T&28?|r^$zvJiu@CERA{!&iwNmCW6MSZYM1|;@<-Q#66&nhd|=T1$(=~ zIh+M@RWD+LE(uT$dfwgL_BrjB*+8YYWE%ET)+hZAKDSbd_~vg#FD?F@*_f-QtRkg6 zwJjMo8xU&?eyu<(a56h6cnZgW3y`uXa%W#P8RN=M24(Y`baQ3jiq6~Ek2jsEtO#2& zsp0U0sFOL@bY$6l=2e-Bbbct@(a2`9EbPnR2Vv^@IW@ zS}2mVn_iR5Y-}sl_G%9h58+~u))xxswsT?VPmAsO`SKIPJ&K}RFHT#s1r4omv4rH( zReF1JJ+iGcVGDlU#ZB%r2l&gkT9UjqdL2!z?oCa^U`%UOOxG4S_#sgPJC}G(W`3yd zrs>y8O{#2^&-;P@QOc9Xc$gOOQJrnKWS2Bo zhOPQdsX4!wsx@go<-3iIO}rPuA02Hd7yci6Zvs!%`o0en5=9{rDKe8`+p{rqWS)o2 zGnr?RB9gI?%nF&u5E&DZnT#QlkSQTjiuc(%r^8AAx9_jM|IhDzKRTUlwb$BfU#{nV z?)zSA-S_oKc_SNwm+D6sWMx!C4D^roG-+CP*W%nS4U!F#ep4hNEgSt(mDeZrc2hdt z>8OpT3ooWC8Y5k0W?wMGy}hwankZ7Fi0Y6jITJ88JkQBUO0FNF)JWXD<|A!tX%D|5 z4A;TYr_`RL$Ev#ES&HS^c`fhZJCepwvMXBp)zj<8r5$-coy5C@t4qgNXJ|p9>i5iq z_N5J7ljg%Ce)-Bt@p5uqZjSEXeUCF zy5Wu2r{txSKpM9V-I+rbd}oD~i&raQ2THK`GIX4<9;gJ~y`mpY;2V50K|j1D22M&9 zaOsuX$FCI0FCO&{1X$5kDa75X9xOaK?PqgSmrdN>k%E3$CV+!A6ujE1l{ly3uROq; z#%t@qnznj!Ou|EW94hvin!r>N>8cev>@X!4Tz30o%Tei#b{)SkTm(&(u7xa5b3I!t z#VhC2nbXr})CeN))JHFt)+f+U+Sd#N-_S%e@iD2Bd&fu71gAL=xIA2afP=VQNmbr7UsTxpQ0Fbv z&eMbomsR*|b5967vHNfU=a{xq{DFPPMsqBw_Y37&y-z`OX!l>^;$Kr7n##4Mz1csR z^C=^mBz=G7Gb-|l7AkVdN4FF)Ba(Cc+lX{#9p4&}0V;B2`)5A5K#s2O-nT8 zHBK>wM>q#X-n{9stCiGk_P|#|p2%L9GARm!C=ArRHsn*Vs5OmpuUt7!O>s!i`>9`= zX8-%oxcP&VQEC^=V^8P4huqCt;tNpy$bGkgx4g6EpumbAqUqS7dcTuiOD$DQ$;S&- zhjfW_R+`Un9y;$uQEu6NH@lDFlquxN^=kv+ub*ANwq~lTEvc@+rQNC89e<#+gvryu zsTW2h;#74%AdPvgxHm;8GkN(qg^YRh^r^Xzbug^iw?^m5d{=JSF|za&EBNDooiChM z?)^Zjc<-9u!i6wt-kjGhD($N3A-aLm?V;z25{!r(k>?ovCD`uEBJmG;~Ovd^ZPs&@WwDlS6npCmx-|#lI}3|xNxz#HIfx7!FzKo z73X-K1!Nku231?*=EkO~Mig6ytI2j{v1*lcNO*asoQ_~`4OQykyTyGa15!bHFv_1X z<MY9W^JLEIg?ha;DS2OkXGvC~C7P**b$8C)`}QgIX#|Mc=A zJP>bI;EkvE?fC>@>qCY{dA0AD&qh2CSRW*KL!4YJl_%$#bKNaX<-YZE!xwjMj}>cl 
z8_EaframpU3{`9E%0mA=QK(lILjsFogQ4j(R;P~T$sB?kclRecS2Y#2nLV}(aii-~H-QnbMS_@SmlZ<^si_k$lu<-O9=oy?eEy#rJSAWW6rhSp; z*%AGjG5f-_r-?_?Po6y1jR7f{J!#&{pBtO5x_+^z5jnH}B3ogPpRA2ZGPPlZqWWVd zs&TET_iyVu-N!8}sMY0{wS8s9!-5PV#!U|+++(rh5RZc|Xbg9KPZ1^DUGFwSa=N_PyEt1mLbYHff;JS8f~g8F*t6Y^5oZ zl07&Tl09pC!Q!&-fXYhQ3B>VI{5aH5HBWw2n(dHP1GSw)tfEu+(*p@d49^GBCmaFM z-I^x;?9+>bA7gW6AZiYlG;871deGQOT3#JkIXdMy@dIV6ggArr=cg~+PC#{Y@E-Oe(TsV|eIZ%=uUo>B_)bsqqm@@jZ+_hqd4C4Cq7Kx9|5MJKOOF4I*T$+B#?zNBZ z*(F^s?Art#sr2RC9gwlNGSYMB?1$fA+<1;f?}tE3?`|Ih>NEPe7l)PV^LcRvbS#Uh z~y>si1M@;+Wmi()e-F+?z1rolx2dOEn z+>7$%Y&obPykoB*JZ8v7*eXF@V~ph;QI49!C8)NLkct7QVoPa;iA7=|tm73JEwYYR zn9%}_uYx^VXukc)QB@R{xhL?u@Aj?WT%G{ShKi$ebKx&m*0SR%paz7Ka%5?*3?&0G zucCqQ+*n=3d0Q>+_?jj9u!qwx8}!(xK2TaWKBeuj^<5;snUSDiL;P6qC<*aoexV5L z0SD7<9f}VpHq<&VPP-uk6zsGW3GY3Ab41X+;stN)?W%*TDMz(l5M9i+g@0-BrdY#0^6%Oetzsyn0-<5m6T~?HGxwnU2!YYc{&ehp*BM)f+im;oVh$Aj8_>? z%Wy#&Z#o{26&|SqQOaVOwzl+ppLd>vAScM0_Q8YuH;>22a!vT8Iu3Bz%t&k}Pe zmue|5P3H)Rq$#;ccv09XhVq%Ouc{Gw@M%1Vpx4*E)_5R%~?Ua{+uU9zF&R6LE8wkGZy_in?6d>5G=3zY^-gescS*d^UKN|^`?$f z8y`pe>mt0XJeFsN)K7VPeROeK`g%&}a`3Sl_pdWk{ipP?2Cf!$nJ;*0pb2q=uSGQS zl-{>4m*9$j_#lz2Rs3i`7qv}1h3ee`J{eafs){=LeXA#=*pgg5WAU{fr@z#CX`p2g zBVT4H*?#=k6E$qBuS|S0A5PYCgncOL_EM`nJ6KGnwdiNTXUj*mzz|VFsYQ#Y{)ji# z9`sHKUvUq6k`rp0*G=Ql)6CcQ!Q*7N%BF=tCVg^Vdnk+F$961dNa@T+yy6pXORqM(e3)B$GC1yirNP6mZR^j z23$7b)^@HqtVQf~9Trt4)w!A_^Tjyez$Ig1kwD4m{T?i@fgHlAQe|AT2bIF!ert7? 
zE*|AB$1^`Qko3q&!!=NXOwFNEpgvrr6wpw&-CRU#~Pngd#M8s}>Dj-%s zQ7bxdN$%jId&vb3ujbFW63JOny=37(JT;qJnxirD`eYGZGYJcI%7(v(ylahLETMIf zVy>N}m=#6tSrwh=NXN_QOuK-w^Nol42k1ok9Up%Zr=5dr!q7`YyXk9jFnC-%U63-q(sb!QQ6w_n-l zKHf)p`^;&x0Crimi}wh#KT+<#kHvxNi+jIR>A)yU-w2x}RwmcBMHulC92^O5znarZ zBcpoc;)?fEnx6f;HBbBr^?J;bRxl(eCIdn@;PE85Q4UHOz!M*^CZQTO*ZUYJwx74O!Xe6j41`B~9f60V)i1>qo$KQU=0)u02jso$yzc7J2>X;%* zPzkgfq#u_Kf`C6eZ0PrI;X*;b1{gAMrxXc<4WZz6DH3!)0ggbe)3zb|c2D_76(aD2 zZ3m#=e}u<_S-u5^01xgE;CVd{6k|i6v<3mF`XxL&ZYBQ#$$1{IqyY>K1Er5!c)-IG zu$UdD8DbYe$|^tDHDt#PxhrKmocSNnm4|HgB_V-cA1#3Q zmz7~8H9<~*=?no6hj+0uQE}NH=Hm`6eh?3S+o$t@)(@~mA85Y%2N@Lfv4BTSKS#D( z!m>k*A4n(vHZqWLU_u}!i2_}xe~%{ug>h%Vy8<3}4(D!RnP-Q4{{wpRa8QE}3>{39KIsBq)OVw$9mhXuFQ&cE=C@6I${hM+c~Q zfMnyhm98+TASg_Rg8=mv7}?-m=H#w~ZFl|PGrvt3&-W<(4>Blb@F+tz`yP1EyxC(U;cYiMD(tL<<1{O~`ZBM$-L5Hpq_%YlK-t$I9K z2&jI;j3sCR1x{nD4D&m%pXP%++g(3sU;1szFi-8_Ks6TAumdi0XfdjpARvL15Yv*k zRZaLWR6lCRLv{%7gU|dnDhLFP@vT5sbsIDYh?Pjt6o_fe-W}U63E~drefXacjo<3k zLGpl8{lgk&UIOufpCj9CUhYubhyMw^_-|tgqV+cm+cuV9e0Q_3-Ntf<0&>imnPiVsf*A5aUOe+B< z!T-y9fgB9H$qmdF19#^besf>D8Q1n?ANb=xFpe0Hk13slVyt~@ETNzx6@+eZb|^;g z7qdj^zg?Jw)Q={%!|DGCU3kz{g$5GqK=Jx-mk&i?h8WXEhe5j=XS>`2*de74I-`D@ zGtjRBIO7H@T>OLVyVAu^fb9~!cL?dj|9}|$KTFAPCHUXM(f6g~F}mTqjpZ(k?U2w1 zde6Vj7+5kMFb0;nrR4$o2wRIq0eu8;mkTrv^3X!T!Yi06P{d9v+l{jA=|21qNWk-K z-2+5`I{`eP9B^xGA+Trz*aDLkvIQ1XbN?@3D!WX~9lH7OKcM{%ZtI{i(kVP3XZ=PG zD96U!rvxRqAZ@__-&rLqET*O>p{&3O;e?3&Fgan{Z}WiS%- zP-nT-uE6tsQ2znQvkSl-(clm0zyGt?GXz}HZ50{wfTSO!|6sXOuxi71)Zg)aiw6=v z7Foh}1cW~z0T0LAngUV&UbaBY}-oV(Pe?rL>A!oeRn1MLd%xow510z;t}kf94-$yfLv zKP%U}LVMQrMZ(MLnsalM(Nh;2AP>&Qhcqr1c-NrHm3U7(%Q-WE z>}e|DV$H#t_bo}s*Lv~XKaEXQ=q+61Zk2Xq6}nFv_2S4IaeJ#6_yxU@nn&yFNt_Gs zE>|hboTG^h#p%;)cHKNv{7MUQsvdy~OZuF@z&U+tVRWQwO-^TIWBJ`v?=MU5Y)_4B z&R#!!$F|yi@y={bP38NR(ow<6$`OIe>Pw5}oKJLhH{F;?M}`htUn{-SFEr{^_sAiB z7QcPvwxbbxitTGpqN6n$$yvuRCBaa3`C`)OtCdS8XGX({z6xw`qWcZjKZ1{KI)0p4 zd6`{v!R+7>cWfnNw*1Mq+;fUB)MvhkE~JR&;3A)g_r*y1)0f`~ZdM{R 
z1Wvm&cKIkUku~FrTHhqNx=%aLydVXC)6KEtcs*`i@k*XLyR`Kt*8xkZ_M*7*nf>H3 zWX2=1Ixd2#Nka>M>>rF`P9S9&`o$H9m((Unm}8=9J-o*NQDvSHDo$o~#*xhnx7?vd zOV?pzs|jnRRz}aPlb=mF4HfWk;q=_|rBeQ7Yb5<-CuFl_oV=skMs*5P|lLshRw_S3-0eG}xMM zHl2<!y=WsL~!)|Um=6B^2d4J-#{ zc~xTmpbpYdMytg|Y4-GCyfm-Kw;udWZNXZL$L2}nUPZqrqYGu`(O+%Pw0m)d#grvj zKBm@gc#gySRdHWsd>>&n^r_aR)~vCU8CaBz6~tYT0-t~;eYje-Z9ug1%wuC!7r%5N z1rEEsCHEm^oLG(99*E7PTtdn&_Pzx)xl%HT){Iyay3t}u z>b)(8G>Q~CaH`+)h$X&9&oD@dkU=&Zmn`C-l<-h9%w2OVVOfV2gC$`uU(~sl2H)hz zGCWq!os?cwIYn&FHXf8lRVbM3tbbM#=a7@*u<3r8^q9QI8PC7E^(r*UB`SWUyv-BI z^kBZI;z}gWY&Vo}a^aKi?CnwZO7pcl^>Whs`oi-Xu#W}fT?a13zd6@H8;?IaroTZy z70F&3eNG2`19f6T+k9rp)S<6K2beBvcMXVOufxqtMy#}ybn=& zEzHtiqV0KxCRItkO2t*nb0>u@n5qI^Ftf<^Jo2nRpPmx@oFFYVOi`lbVBOe@tGzjl zYv~M9W{gt2?BdTgS;O0*cl!SB*LE z3$%dh?ox#B-Jo+7g0H)epME&K8dD2%4hl8RF}`6CL+K+bWto~>8;aXlz=(}tSnC!i zx^X<`IUgvdMdPQk8|Y64_vxzPV&sTRdV`@*cY1?e>={z7x1absPUteLP)uf z%O(sR3Nvgv&+$BvJAbJ2)mfhq45!*u@bf9AVDfi5(;HxOXhc0~9+H3F7RX645Xdr* zqGPGDZzVWcuGudUO4Ox^r8nqK7`Mj%L0rG0ll=qN4Ur;?HRp`7oLXZDZgZny5v21l zg{IGQc;y*l7M5AL{>A&!`~ue|N^lIEV#uGDM9$|%-*t069V605N6yi7^hs?L?j<>2 zI3|byS0EtOdRuq>!$F8p` zVVg8ALlp$gC30$c$ko(XoVSweODdp%P3m;)j=KM_mC3UzwJ7kTsY)$$*lNPO=R`%Bg6Qz@-f`wY0b&NCm_i%)LiHL|9 zP%Kn3$&;uXvEvMuq1_o?j4d$=x3bBnWZOfvuQ`>Occ;Z>C(Ams-{85M#VF0lvj6_O z_w(=$L2o$6>^}50w@{fpN!f#w1=(_ToQEwJ@!rjbkYk(7uXx6~KP*inRw0m!iFWG0 zVDLg(%9n$nFMhujl}w7MdC#Gc!DHn%30QHz36mW3GV0KejR2;V9A?xH!`R{&$Cppx$&(-J?&dP zHTAp`BYeJ-@J2>@8Vw5NF@!r1{^~Js$y&6E=Vkc<{Jdgj8!B#<&Go`_S*`)4auog|zpi_`Wan?HVWdQO3M+tmblR(#dvRn2R!}u$(YKsYP-m}SqZ;z7_W_T zlET)lD?41-bS@9uIrtJ?DGD85jbu50_(1I=9Cnz6b0T`a&| zrS{kK2Pv(6=FMD8#ysgWtbAvd;H9jm*(co&*i}i6-f2@DZkBab3CO1;%_$%bx=7xf zd%(qI0Y1xO{n`YlQ^Y9hC|{PI;S_~n|K2s&O?oTs7ToC;R* zn)bgC(G5sw1M9A?No8H<)~Gq9_E zwwCBo*Lowi_-qBTZf!BGbSt*=eU>az#>%}g@Jro=G4u0%51x~8ln$q`?wiFLDb;VOhA6bjDHx=!BbQ<&8cQ?aw|mFCUN_bE6O^C_cb3CoTW$ z#}l%u^2)v4Dk~rS@jdG5L|e}QFl#Wmj8)h-rpkWxxkTfJDt$7< zs!QhaJ_`2CnnYkuqO<`)9(sYj27)O|oB-JZ3B0$7(pX7s#AjZ`>CFzyBoY85BuR!4SV3#(QD~J 
zRLN77X1v!!hN@5U49=fMH*q-DQuqW@IXxe=ZY6PfDAgpNhL!s&${FpO*Dx`7u#SVI z!vc>WCv>uEe;v=2ifZD!iqkO^4t+gr-HLZY*}a-?>uK|kYdo_eQu1Xsq~pRyz)&|| znY)qcgETgI^-9_NgT%nHRcgGRWpK#nM?@KK1nvJ=F=+JAU@{jBp@QTjlwd$m8 ziheE>Zxut_S0>SW>Luwa5x#SKI`M1qm#{SD*JKou?<+Z3-ca1nydomUb_U<6VY1Tx zX*7Oj+XzB1C*{IoU*sWsKXW0txGxPssOu&{!M$(kQYT24Ku86bLP!Ooil@DUejmaq zW{-(nb~d|j_A*&yz+=+EDWmOq)hzTz^y7Zw@|mG~?zWjn6JJthlEids!&4HlwY#Fu zDYVhISswlhX-V%kE~m&J%?Kgxeb5#wbbWF@szWqC7N4o)=skA*8(AGIoQoM+-Qo#H zYl(9XvoGC4<#EonR`BGxxQB%(CPRJ?kvTx*i;I*{cMBGN1{n!r~G`ccaso>%% zX&~||&F{~mOL&Nz|4yH5g1Pj8a}Z*A(BzR%(L0~<6gFy)OR}P_l0!GjSNEMvFJrBe z_ECa^7hi!#%+so*C%#N4`=2-@cgGOgHKIe6rKi=H zN-h)`aJ{R`v-nxX@rDCb7tQTxYj2F&f$Tg*(Q#`Qkz{s<-bQxD_6V?koPEm@XkSf% zEIw|gs;QXA{Plt>4V`q~L}5&lcxbt2&b7~Pt|1(33~tzlBl*N!kp$K)xM5-DC%f#% z+ep~@xV>mxJ(cz^A934ckX^i9j{hQ`BT6ar0&H5$*I+QOo#??QJ}nV`KB~llr}{Q% zW$D&0<)c@%@=b(2iQZ1k6dIDu)G?{vIKq~wW;o>%6x?=(&@J3X5jLQxPj2)ScP&Dk zs0G(=P#|-$fiAAOd+`|uS^curfVFWBbS1NLDLjIT`B+``Y^d-XPIv+LD@R@(F@v{{ zl#5|=m+zS^Rbi#y%?ssuqoMh&gU40Dxnzq1=Gv|ahR0F3)Ku`I zv-40L%GJq3W=zO28-7=m*_&g|@P;B4@y>>k#Z#3Lgbc(D(}HU7wjRr~HvRlHo{60l zmi;p+Qp;+YaZmbm&Nr<`#i)O=2im`?+V?3h3ByDs|*VC$f&Tb7{rwk653?H!3g;PBGay%j$gft*SOlbn#cB zj(&K{kTzxGb@^!f*7;!3nmUc+jSeAyf9=M;6^vt=Qcv?kA9|_rTOtMFCYH&ZvscXtrbCa=mMXTBcUYgWP zY0o^YJ#>DBy8K)MBTUXKN{2YXM4dF_tQwbum)^;n)n}1cgI_*4C~&EDu0Dv*HoV*lXQxDgs+}_EcY;d$~N~k18FMkcUk)NJ>F0>&UAI;cq zQ+n(!V&-&Ize`CHmaY0aYXQcE;Zv1>WZ)6!p-Y)(CBph$A2^^ENZ(${KTAxGzlvoV z7odI?VS1ZL>}K|BOU-_ndED-7tMKDKkMx z&o+|JI_It#t+Y#G_p1>++f?2H#Q|PB0S6EK39km}{RRSVFR*%Z28NfgQ|K%u?>>Yy z+p>I&7c5m!x>rv5l+aAf$*hY=tjkZ-y~avC$$v1sO4*6-F1;Z#l6N2XdqtuQ7r%s} zun(_vf{m^V#p7_=IhIeIA!J@yO`(>i#j3qp{$PJ04c%R`K_dp?nyY!0&n>MK$Ll>Z z;{6gkXU5Jr^Eos6ojRsL6l|&~#wWTVR~tyL<_Gn$mSg4Sz;%f=_O47-ehGyk0~<$ETL)`eZbB{@6B{$| zO<;Xv%t{G=-)-L<*nEX`L|Q^h0t*`(3kw_khqXC`C5mS_rHwEf&@-5o_KpOSSjb9uxl^n~;$wf_1NaVG?TO>R*m_jMk?SI+gff_5CJR zT}ApAsrO$FyUMSvZlG;7R-A?eWsBbIz3g%DzrqeC@@J#IRMre#nLbGpFG)1izd^r= zl|G*O==`C&t}j9YrevP@@83mlVg)hd)YjK~*OxB6GD^R$gR6Kq5Jn>5!_p~Ebs$Cf 
zsQKxTy|?z5`0v<6T2l2sUN^}_&!b}UU)0^N9|mU1{zZN~wWaa%Qg5`!n)xPH!2^em zMoqucJDXUjX@aDQFXJhBC`fJSAv+`A6O^wS_wW7Ve=i5{uVB>PhKzg1yENyv36X4K zsp=wlFW;wL2g7>_rN>?5P{Uoiw27r5vx&t;eC2!k{Xg8m(Hp(yNgG}quQ9- zpf7u|iPf4F-{+YX?^>K9bXf~}SdU16iGow}E3XVke9gM#xlOFhu!*lJ>31%6nVJ{D zG-J=SQJ4ln#bc6N_ukm!<0s}|vA)sO-OLxV(KRHrqBiOMoH;AM;d1%LeVX;9p6lM@ zpQl+v53aAadiP%U9rqCP?nz&sgmky$jZ@e_O!r>)IQU;-2i8KK4ZQAds60U?=8d~< z@0cs{zY5!*sxIPUo^8SLZvEg<6Sg|PiKV-VHQpdU_0^+>|B2C8+p@N};1_!@dmQ|) zu!AAJen_0%Mx|57=l9+=^c7#-HnF_(9!$_8!ulo8ZA1{ItjiW9UhF`a#X;L*CR>+H z-HZ5N?7gwa$4|`RqG_C!P@hTa#^;h4eJtJtxpd{so*C!8jsG(VSf@5$?6UR+oaYBE zw;$V4BtV-8A(xVgqph=pk%=QMKR=g(gRPOWi4(0hmx7oCEtiUko6}!yD!F*H_N{bQ9RRS{nTz`ER=4}lKrZr~kWosv9w}^2w6SJh7=4cz}U8> z3*gWn6r_I~xqmehL3zG662TFm@8`eONQ8p&{NL*%;y$4AS0B-F&_}ehjR*^GKRz}t z=pteRT}0UX@NjXqI*qn2OR;e&aQ2fZ8SH~V;r0$!@koWq>3Br`X(hV9iG}<$P}9{I ze1@e@?ZC5@?o)3Iv&+s{zB@=&;nR@!YVRL=9PHV_AD9c*V{2IY6kjV2^=42KE@(V_=Vg zJqGp|*kfRif&Y&(@c0++2><*rdPn@MhR-b&jmyqos=S|VBr-3v867)Z-g103UH*&k z<(@g8ubD6K)|DR|TunDVHZS*#YcS!aUI`yKS9{TC}=z~XaTl`o(&1T4S^);h$jCi?$Y`2v9dwDM)^ggXfSA5^|< zjncm>Uw&9{`^S;{SLF+QTjdMtzgYPK;YMOsQ~$f7=)WwXD|Wzqn}jYXefe7<7ZW?N z@$mQI?8g+puwsf|aB%QI?F*3E-HNL~T~~>eToI3q0%pG-mjuE?Cv31yMz>?+;asoY z+Vx7O^`cX=tV8)mOfN4TN6Zd1mFhOgmapTSddnD{x!vC`A5CZ1ttkCS?nAs}gI9Qv?^R@gp z+VjKFmp%+^Y+~J#@5}r&WPhqLeM4ya^3N}+e|1mFS3DA-#%yr1+s@M7`EOKLXrKe> zvua;H=F2~QefC#R^Rwfy33Y2`dlw^D^bGU!Jj@E^`*J@m=q3f#U-{W5e)au*N2|R1 zv&UIys-Nmz_|RdPl&ifwQYCck#;=~>r^n&4dTe6lt2Ze3dIeTLnofKwq*Xdq<#Cyd z^rs*B)g1?vK&72-esFr$I=Po)w?N?K659@s4_|Z{e)SALJ?_Z;*^Mf_jBxcX4u5`$(vVQKZ5t!{>bi4VhC-~`cB6spX zuXvgWs1Ib%CdSMuuVi1o)Sv!(k@lyb_|+YLTzV@rYt0_{h3fqRdj`E{(Ay1X&!D%l zvFD+;k%5J^=b?AdvFD+;(Xp3uY$F3~?xh^t`PfT2wz097LvJGkZ0@BT+xXZ^Iku6p zmvZbN0}E>}<=95ZUdpkJ46wPEa%|^gFXhgm`h?r7V@LWH(Kcs^@Xi8X$@_R)Njc>YA~%amxoVn=+JQ2lpZ ztu%vZ-wH`?*S%ePZ0y;_e`Pvclbty&)GFxuL9Z?OOfLy{tB0S*La)&0FFmSh-X$G! 
zv*ept)SpAnw|Hk{v2J3ST~KxRdD|yNMO?wc$Rav#hGO z!<&unEO)ugH@*C^=@BYRmWi^;O64&^0ewPS2V)ZlTJ0@yKv0^kWMTv) z5g|wzClZE0p=ptD2q%y&1g~f`90(X95im|3I5<$u#1ZHv3X7@fNhm9DLO6NEz!v~z zLL(;yjB=q9Ed&DR-XZpf{B2lB3<@+if`=A?f^)*Tp%__37#h5Zgn`jOpi#SHgNXi! z4YC8<4-%5UK^X#$1~9g;q2U-BVK7<*l82KUgZDdg28Mh{M1`5`8EEqW zV+zMu7B}**DawO@gE57n5dbasx2f?9$dEgb{Sb}*V`MY}F|>cI4UYQDPi*&Va5V777!&-?+CSC?-No9_JK+6(G~j_E084N< zk`@jJ4sB~P@W3&17Y^Z}g(Fb^nhQU*HpGsA0Q-{x0kj_d?R5W{rf^`4JH75d#KC?f z4zVL9znW0g%aLC`20gA$eR$z#<-ywe=)}Ir%BPIY>{<{tY#sddK3W0A& z1_Oi31LH=6Vg8%Uoyc~b42T_30si|@;h)I>16~dZ2N}rLWZ;2q1$h_(3d{|>`5oIo zV+s-fAu=F#LI!y+sXU6$?b>?AgcU9;-KG&Lj#O31Q-@5$S}9ie&_ASq1+J> zKuh88B7&em#6%;Ia9St~B(UEsZ5twm zVEdT3g@nV=v``3$4iNC>capx_{*TypL;;{W{<~~JK@DknM2$h~IbnP=E)MDWbu3E%I;Dpdexb$I1;v|3Sorg9~2B zKbOW^r0oW6hsy`ovcF3j6a@v)cwoR)aD$8UZ{rC?BQR+OxVFOJ1-O2Iro0PlJA6Lk z_kBJDcy$;W2?Z_|Tyg$oY7h{ZfZGKj3c?Ly`7Y2vqVc1x?ePAH-}n9i0)WBIjoJnc zlcvE?0NZ~CZATbDYzqSt78jks-4!m0i(uslF%u(OW0UX8Hoy=(U}pc_X6+U~FEErx zQ<}Rl%Rc!D>$Z4c58i=&b5%4`AMQQ1FuFShH|v*DUVHu-b@=PL2$h9D)T%y4v%21n z=CP*L4f-3&=K_&!h__0gYzus8E}PYN+_ZD^bpAAjcO^vf zp-SOd+R|H6hgb$raFLI=Fo{Kmw18>T5M&S7{rDClA@%nVhpC zy~2Lr>f&4X$B{D9BcHKZ8AXqzrA5Y7-k`K_t8C4^IdGg>q}eLIT-4BtCCwlak5t^3 z4t@17!;=4!^Vue!x#B1%nTk)PXhmjxp&3v5r;}ckmp3+BA{MSfCTuB}_CXhf14PrB zhmPGzT8gL*l{b9c_w=@H`=kkk=m0VPs!K{xQn_7>NhUmdQ6<&6)Ebbi` zGug1|bi|oV3Z_WE#S;1OmAfU*YyNZoB9oKHE0%6RPr8$TinxMxY_@H*($8OoN#+x+ z&@I|-E^i6K5iS;;yOFN8BN5M|l#<KGB!TEe{LkP?~KV^63J$1`sB#0m|>-j z!G?1XYibn1hw%y9JEsC2V3}DypClEr^H}nQs@=cVRg~5UR#R7hnru3C^75urL0#$S zh>%y=uuu)Zdjrne*eCg8lpPzKj8^9qHn=}CC2HdoV~`=0xj z%sq9r;+R_KXc&ECb%}Cl?VjNI6{Pn0!VThmi8U!Dhv+L;SZnIm_`EwhWXAnI=eK>N zZOB+|Dumjckc?kGVN$6urMZ&SKX|U9BB@KAw*-DvtNxbmC%u^K%dw4KemSldh56PG z+Vk!W!?nhrG@<13^dnR+OmGV2XXPm6ct$kaj4-a^vy!vpUsOPbVavNxOul)-or?Xe zj4k0M;{&||3Nia~r8qTL$rL3s+0F(q-9Lv?KB0_lY!xbcHu_TA6272zSW{yOR%mB1 z3zOUi?a{Bq9B=RLt9>=|S!X2t5*;d&hgT&{{aOllI@zIh?$xAgkBTPz;P0jiQwwBs z#@X2?3f&sQ)YmAYf>co#5*pb9?-pv%q#tng9Sf+jHu_AiV;65`sGT)iIr@SkZ^$RQ zAVnV;KSr!o%ph{ 
zPFh#U^Hwl@Db5>mtLRz-=9%dGVcNXWBz=2)Q0PM}E~)hCPTmJv=mCn)kG` z`i&kP#^;JgH1Iyf^}{+J5p^UIMl`RayZvKQ77ec7JNxk&OT~TlL6;6v{IXg@=VwWU zPn(h2Ialyy`*IcpMI%;(qjR}Ga-ed*^b_DC*BvL6V^iBAS6+i9?(~;MTh?GgLNWQS zPm-!ed6W-lD44&Cq&a!w{K&J z%g-Ob*+v;~GsRbc>XY3_pWvydXZ@O%*-Wpu*hk3n3Em@Kr5e!8_LaiV&Omo6t}7ku zv$r#ZQ8q%oCKJYob1LM~bj5}(hb@ytq7SJ^ePq8rz?e`V#dt>Zc7buP0JFl!__N|6 zXC;Z8d#b}Ht`$YGFiT7H@&!F%T~_-z;4nh@EL5`b3`xbRb@|h3*$>BuN;gc`DZ(b5 z4!nXE+iHu|@W(~1<~cv{pMTYJFe$ID?9!*ZOTl_Cs$8EaJ?juq?Nb-2kjy20(vuT@ zU3Jx$UBDtH<<`T`?;uy&uv;Gp3*IqwYIjNZ^(B#K?R9kNqa?{nrD-M(ggfr@;h zmG62kX^)q_neXw4GKUX_(T`gv7@rM|_pzj=Qn9ZS)M=Aiy?JSt(@-~W`NiBcBzZn# zF}&0G9~<_j+ne9AO_ zg4chYZt6|JSb|pV07qzRwNwQ0F<}UtP(LS6o?SF(c`hjM$Y9#z>#PnBkd#Jq-DVeq zSF+<@pM-oMtdB`>%gU};$~EECoL{K_S*PS9av(;9(E-1`+@62fIs_X3}EC0uNS$1x|kKK<68C{)a zws6I3r#Xu1_)>_=*(xKzDCO63X?Xn;47)_U5PD&OVlNkIZxL;Cvlm&AdihMJTs5C#l?I4zqx14H39|Wy`?CM(C3@ zm%gxiKQDYIKeVkvEhe#pKoiQ@jKaZ`O~NVQZ7?NSmURr zO~c~4Zlp=G^065g+l~*b24k8C_ba z2lzoaV5QFqendMJ1XB5ezoArF8D5O%H&KH(H3K1f+aab&Vz?W2^WWTNad(~9zHRE;U=$Z{rh*91;Lcka}z z2+efqv)eVJ36HZ?`D{bNL?p8}yfmig3CtCeV19i zj9xuDK9lkF@{@$57(=VVBU6`({Rk$OmFnvmRrzb9ZJ;P+`48rv=L9+AKFkKRS+ram zPTU_jazq48WvV1gWlmF5+xuepV7Sdv6YJ&sO)CP;>OoqOkU`S^{knw*79_ImE*QIW z*9g)|`4URfbH|W|kzC1%d0<~7d++&;rn0hvu^IEO)SNlR;J#!Lytdp=j^ugfqevg7 zq{?B}u#&8`^0#?CqK&#;g+-VNxgRqjC1~J1ilSSy(FhlP(9}~V@C}+iz*Xg@qj6qp zwHbkmpH#sFv$eU}R4ZF**3&1)3<^t#9+1txyWV9ZojyM;d3fQLQU#;@qTqsi^oZ+` zJEP1m+m@HlEOXwoF&|F1|9J7U#;P2jH&ga{&xW7rd})=Hs!mXqxyz#KYh9(V#!x2M z{VFQF&BX@~9StJbP^%(i+OT*xAH169D4Wz||VZ?OO z`cElk^uvt(W{Im7O%zW)rr6RE?Y!W%@@UH#7k$hUUzp1JJg_N=u)0}=6@*C$W z4M>VUln-k6#4bK4$AKK@d?GERgnDgfGRB5XA{;`#WD~gUpYoEM`)hMR_I|CdItx)| zp_~scG@Gq$?1D!s`7K%6zcv(S*2PlZ>Qihnj>B>xX^xeLRn0vmK6>U^#wbVEnwq)F zAXP}+iY9ZA-myz5l=BBu9zC}&WS%vjo@w*f*6n+;EO0+r>rmw|Pg~@yj>rnzfF_O1 z=T|i^hpSq02XrMF%BG`3pSO%X3(*~McvIp!+^xRgWt>>t9jfLWMPpacPE^thYv<3T zn@;uTPrg5qmHE^U*RQzp#fnb*i!~NEp)=zgRz&u4JlY2m_l5M#>r~!gLnRZhvY|A+ z-gQuvjQG*=7%@pK&C-$Gah0wkrFu;ocZ~iN-*e+P(*Y@I166S(IUfB|56X`|s#5Qw 
z;O#zYK75X+G`3eV_-)-%5oe&_q|YOw_giO#pPRH(nS-)Ene z7H3C2@EYC`lUAZJi8-sG>v?PFhInXzOU8k?Ys|jBGyYp;54U9-?H(~;&5vmz>9HWy zdtKnL<@4?v(vRB;6AaJlJC6^$SCZd0nmlh`k%(854t*G1YWZ?|ChY;)drFrUzHZa> z?{s41qu!P6@NQt*G4?!~+ObzPa88&e<7K6>!&!Nf#n=|1cWw^F!=I1vC39KjGw|~) zzN1rM+Fop#oyk7fnmgAK!zuk~dR}+Q5iT+l!RfZxG2uVt>NIxIakMabX(|b|IOWZ` zH2XF2{R2ISnMjxLRqLI1tC*aboTM>Z_E78}9QHNchvHe%-pa@$-8(THOPM04L=J(=75Lsci~=KEY8d(vjL zFxTkGASC2PGlZ(BKiQ9~wQ5V#9UKj_Z#i^F;MDN0J5O@W2i^$H@?E@WmK_k$^~sc$ ziA{6+UB>s3cl#=8NPr8XRQ+AVo;-CqlshV_5q36WP-r?Sl5cKrPj5UANxhF(=*+I_ zFBEw4O7(43tvOB?T5dx6qOk(b#4~*nAGJx^Q4cSXhexy&wOTjbjczTSn|+2=VTxbG zUs}WsY&px{CS-eW>UyuG3eG&iuIjZwqj_TXO|GL-7tTap?Cb8kT_>!5qW5t=saR!c zV)E%rw(Tzd*R_Qoo9((VlUODiQA#Wc!%QSb( zyuRY){itOdL^?l9Y2ZrRS{fiWouMuJRM}JNf>H7Kfwj^N5I>d+2_)3n%9HXUbP{ zSKpV)EU!^n&iY}2d;=5<yG%X{D(m-pb-Oypz!2d2#7grp<}Mp!$5 z`D0ZB0!^5u111Tf7&tJwza|U5Jj1FkAtAYOwh*^wIv<$N``t;_73zST_n)~UG+`ng z3#8njgo*3rT;Pv6^TR9DZOk;|*39W+e}Ce91s)0pWEQ?>C0F2~fOQvZvui8x5I=#p zW?mmyi}Snet*rDx0y(!ovXaY~5x{y3LS|`gN_V+sRTMVnOL1%F^|8M{dA>p%60o#C zGHxrxA%V41f7Px(S$ct6Gq;cZ{R#9Hc)*&&@3}u94f4b6kiZ1`awhI4X7`f?4!AY* z`vCL5+pY){&=-K!K0pExNyv&2Qf~lf{o2&q_jdis>^^SI>^_h#_+4bH zh$HmZWn`;}LlFAwn*7^Jhd}?NL#&zM$NqjYb!CAi90#~M0uo>;D`7DbklBC($<$>o zf3)gf_lGrEUhMzm5CI3$s^9ZQt1S)=EN=Xs$N2$ng*nVd=J0C%x&P1E9Kp$b&%>>ePtbA$pi_yuFPT{afm92_Nr3 zN$w?7%-(Y2yd{?skJmmw+5N?ukEmdfrqS>fCugHDRZn{!5jk@%ONn$}(Qvz(aaakU;z%+Pz62b`Vvom{5{`XfJ$`=prq4r@JN>U?d!UoNJru&~OLiO!R$E$qWp z_l1Jtqs*9X{V@^lEZT4mFCU)=wnUdhBfQ7B7T%az&{MXW(+eE*!~^Nxb$r^5;KAJeFh|*>lb)A;9R+&3Ugt8PhOy0kZ*&Z&0y8wZ#IummRX6N&sM{=WMTIm4 z5K9wn@3`_z!%g={Zlip`MP5x>*K-$oT6pf z{bnUy>{3nbeMZSSw3DS;NBrO_RkxEF_IwSGd(7z-#xXap)UR-B+D^8w4=+&k$}hD- zel}D;FFmsEX_xvz|5O9hb5AAT?W;DrE-(4f;#5kK$N9R;S!8^&jKkM2tCQfik$KK! 
zp6HM?VreC+nzn(AI&_K;Mz9I65?Nyov*~n5-u_lVmNc)`iY)CbI^W-D`c*`DjK1T} zc%;!Qi_Dz6rH!w57+<~rAr{)~HOhU|X$wLiPI}z+HIX#QQ;Fkq)4jv9P}ChgYq5mp z!d(1$!%H7Ap5`H_X6}lN?#IyXcNm^X=~NJ*U;%B~$L~F(OWouGT6z z#;SMxo~ESz(cLbUls59sS*4UWZ`@>()CeeRPNgX~dLL$ff~_npCeg9H@tvFzX;9DC z92FU}hIc9UQ+>t@cU^24CskPjrbPKqJWpuX7kp7Zo$6~}*3z*ZKdRShgK6H)U(#TB z=S23M`wDwgLyYb-=C&R zH}0NF@02DXPuj(%%$t4tsc=)NXy0I>Ku$K*v_DzZJlW^_h()?B;rIDT8H8$(9pytl zxmMkp$30Z*BICwS3!m+IQK4nuNvry$0R-M~_Xri+}% zb4HRhX-^f~)g!_)+wnV68HCP^DMsd+BX3NS#hkc%dhgEG_D;u{2^~qIN-b*#uPo9uIbB7sr(}LbH`uxDK z$yT-&Y7}ur$t8$ZY670>V}l1*l(9{RdbeSpyTyqNywLd740Gx`OyA^{57n5Jhs}<* z#0uFOn^fd=Ru)~vYqM3c`y{2>-P4K0%G72EWJ=-_6L*%y#GS1#VW~%iokz2x272lq zq*^wrh|wt*$cH9)h{)()QqS~su~jdbv@7`5p%YdPw171)V7+wQL*25Q-B?7xAs#R=Pl4ny3crB zH{#;ASCjhMZ>r1CX+m*Hp^4^EF-2KfLKmJ?1@np~g_iNtat5cC4lp$ETi!qHURJ9o zjpRYJ?$>I%ot^kOq);cr)7(s*IKwmK$#Ii_$)!?e+Z%;FHhKCP5w~)l^t{O7!dRVR z*z-n0D{J=b0GB{M=_l2Qn3rW{{yMVN+CxsPWY3S|d}1$ay}}DSGYzN&S-z~L9p=li zAI|;6WtCO(k+pbEmE(QZkY0{%5v{l5o+SABkV3D4FWjcY%};J{o4TFK&2+Bum}RJb zU?O35B)I1Nt|J%2Vl(}E?Qdyi8ttz*GuI@_LFFE5pE}N6R{2`xGm+c}e4+$m=Dhuc z3V%Z6F|03|uU6A`W=8A6)+_G0w(^s$tmP?ME>Q+_H>2;>T0UQ7f7qfga*4sODq!I5B6QU5>ZPH zZ>fmjU{l?jHT159%Kc*weReagu>BXv{5~d~bH{88?`0$(IX`1{9k2S7g1ElVa^F+M zxWF%CkuMbEP}e15Ygs=Ge2L%ZiytMymzGi;5$3__=9sr9$h_`O3$l1Vdbak?3vpBY zftb4u!D)U>`}rFOKi(kO^`iJmxBc(e<(-V zZPKssXi#9DxU<`|)#ZGzlXSIN@Ylk%ep$0-^jY&fUOkx~+FZP9fsp)_%Yx1J;zBn! 
z7j(;fdq+s-kPdKe$>PP#mrOVDBEhBE-VTLij@aP-%P>}UkxEsjk?S@Y_h8#aFMdh8 zn=04-4W>U%?pya}C&Sd$##e!z;lt&Jdbd>ul@1kz59K2qGehF`Nbk&iS#Bv0C8pBr zB2sUX!vvd%67v^34&Uxf)gwcEI(~aBaY-_9ME*)><1x#xp~$2Zp(obc742!PK1AYT zQ$u13cj3=Yl&nt&KOKFsz55*b33s>}- zUCM;+Sl)zUFa0~U#4pcZDMM1Z%I%Tnx@+gHdUU9e`&Ife&a?1aTl=B0(09FVoHGuO ze>T5{+c251>6RQ=9F^cPBU57&;MZfswS0o)hpZ zJ5xJbMI##tOLHqr3&M}%fD8YO;w2?i{#+The7TB^o`vmMOB-`2u*rw4k%h6H2^0ax zA%O4he}?t{?4BHC{FGN#?a2Y`xAA?$jqjQsWaPlc8>AG#o*dkSJvoRdm-p=W;~hjN zNy)bDVAu&q5G(1E9Ol}-YD12hX{0;&?>hq?5SlmGk>R4cw?|KkKL`pi~GOns#i5g*_@sRF@Fpwx2jt*iVF#$OXHsl?1{@A}MT}_Y@U@NkPhU=()HK@T}&)&1^o-ucI6Bnn`A{2*hq0@xm#F|<+-_Ky`VHYtJr zY7>H1RfGO&6&afqL4UOwLo4;5zgpp9lM?8!HX&$LHR!Kak+E43^jDiPv{DcHs}(Lb zDS`fK6M|M%gZ^q28JiVBf3+DyEA^niTH#`o66misA!t=K=&x3hu~`xHSDP`kQV;s8 z6)rX@f&OX}f>u?7{%RE&n-xKSwHZSz^`O66;bM~#=&v>*XjL`nuU3(H1RfGO&6&afqL4UOwLo4;5zgpp9lM?8!HX&$LHR!Kak+E43 z^jDiPv{DcHs}(LbDS`fK6M|M%gZ^q28JiVBf3+DyEA^niTH#`o66misA!t=K=&x3h zu~`xHSDP`kQva9!O1z)H!FdVNxkEf~3F7x682lF;oIVyYvdcVz@bm2|-mna}i34q7 z8b~_TaI0YTq_(;(*OG=7zU~%(|F*-#2X9|>^Ztmk7_V`W>~w6zPUP2UXBF@i$izQn z6J}k2%}F(jJ1#-)13$>WR5fvJpyR+2L`>t>(2SEFj~VCC5(LTFd-1Ks5+vAv zV*gAl+*2Ss@X{{uKac^Cfj=2QkL5(t>g-a@V~&_0Gf!KBd=T&5Ueo1MR`%_6bFtM$ zH^Jsbowm|OG4Y0&;x_n#OKwYzKNW!8uwBbW0az(Omz7FT$;j5y-p0Vl7Ahhl zsAywpploCZ)f7~el!6MX7&+QO1&^ES85<5l91*WEW&AZI2sV6UH-FNNvJ+@#L^L}i2ydxK%s%1RS19JSR5R@t_zcnnQvP5JKyGAVNZ3mRIJaTHn2jyB+#*zhYNm$E zdb&u&igYjV;r==4UO2F;79dsq-;wSmU8Gc5CEZIx1R+_~O~}Y82->}XbT1zu-3uY1 zAR~eh1Mo?Islbp545`473Jj^hkO~Z` zz>wo?Islbp545|KRDEa4QVB!zVrh+MIFz*j8 zrT`aHfGbph1xjGz@6XWS@4kYwRNyQXI7<-(4uBYQptL6>RO?a~;FG0}JlcS5+(YPfDb8)8ZB4>sHu}QSt`@S=CPNh^UIXkiFX8Nwd06f}X%{-by>alHZwdCR0pAKT z05SkF05b3oFz`zEUB(h5Wd5f0ohZ{tKDUWo%u5jK#kRkYRlxv4Aq1U{9}*=S#X0_K zvMOlkA8H|h=E{n!3K9l~qHqLR6(kanIl-X*L0J_fVp%tZA5M@|Av~Dyyv=1*(9pk@ zRl%+&`0vQ75L)RwDJ!xn1O=E)T5g@J3VOAy3LgIt%BtWnIM{znR)uT_rO6su6(WKn z%Afy;$S81hW`zH;iUNMY|i`ebe#aD+`KG80I+j3qwfX+ooq%9^RW~R)V^KHz0Ue7qkpTWi7 ze`U~pl(}R6VqV$eeVteZ|8J^IsLG?F>6TU2Jw1-M{{DUcxbjGlZhL(lPrcJlhc4M~ 
z%FU_EUE!w?8)5`Xq8u+#m)1ZWbVN&LwGXcFs~ z0KEig5}-+}V*oUXb%cOk0yGKGB-Swin#4LnKraEB1ZWcL7ywOT9U-8X08IikiFFKs zCb5nX&`W?O0h+`*20)WoM+oR8K$8GXVjTmZNvtCT^b(*+fF`ky0njAY5dwM%&?G>U zSjPZp66**7y##0yph>J_05pkpgn(WGGzrio)-eE@#5zJiF9DhaXcFrf08L^YA^$Zm zp<7usck!amlXcJk^+WoohOUKI-+z~7$@xWXf$6c^#1mIr#mD^0J5I34b9E~Pu$s(1-A>d}}P$Wf8=aMHYk0;~i{04?EP*&QD3bmMK2o|5QXf*gI? zyaXYCdh^kPC5TYhbWmKxg6lcsH#4V~AQUPu=iNAXHEU)yZ*zVU$V59Ge;HpYSD~Y1 zac(rgRxL2(LC%ww`VQ{SWF9P736cO>!oRXR2$(JKm-r9fRTxXxjCeQJ8LL{aHlc9; zPz1s$pgi1gZ2x_cl1>Hi;9t&x`(Frd;Ww9U`mYIY;Ru3T1Rbe0f?EhYAh?A^0D@a6 zg5VYw{tpUnp??T&;qg$yg9*>uTyP8b*MeJk*m{Ehj^GxdmDUMv0pQjNZXLF;u(YER zRJPZ*bFwmm3d)*Vm{AEzK~YqKM=Wg&jclNr1TZjwKP4jrJE$fWE`Z15VHgAyi-rpj zX`Ipl~=I z1&E{l&;i2}7+j+R_8YJ;cmNg*35cJ;@dyAK1`UT|VFYNvxgY2@B0{f0g#2wpa2#9! zg~wpgPz)ZRi173^h|mHs0?PjjBFq{@sNY6}Lj!P0orew zxF3*yG~q_JuxqfP|0l5_{=|lap#^{r3`apR$o0^arIc(pqQb2~wLur~m#qo~M*;}o zIG_!Gph6+hfK|bfn4h51)7Q7rRZ;kfz2ny)+aRd-%gE4hyZ{!72fE=3GBg^nawHCi z{0TCBQ+-9^WtHLc#!CC=?701-$Zi3x^_+2!KT-8ej|t`)+qX zOzf{1L%`r`kZl-pei<1Yh9sCj5)VaV-~ckfeL>*}G~ms!csLe{#{SVs{{v`D z3M+ue;ZXos6zV&T{{gVo0{{m0`vU+PMR2n?paY=b*zXMom_0BkAaOv9heE=>o8DSv zii#V1=4$_sf&IS!UkSqy1V0OhBQUE%F(kpyVt{i$fDwjrMWy9vOmYJ{`07yr1N$Es z1rR|0Lm`3D34sO1Z~zG&ibNCq1`>{h{y_W#-CvFZ@YSOL2KM`-zzT10EZ{*fXo5g4 zfD9M~kSHLU#Q|Lw4xIb}Z544F9WH#$NC5x+kpKw;Iws)TfKZWO^#mknVEiORl7KG; zkYa##C7k?$@2{y_GZ?^se=t}@9nf9>z_yw@LJwIBZiPI=Psm#{CIExq?|Koy&Iq0t z==NB^1ur83Yz>HsP$)DOO88o^%;$eV-I_50u-M;527E~ZyetA3-~ot#Aj4n?13Vsx zih$tuC&-jlHg?oCLjn*O{{SXsdfpEBvL+~XUeC@*(#XKl(1=P<*2u!x&V-;my-La0 zF?2xmv_E&I?@(Lv(=Nz|W4rB%uDgd@Mu$N{j&8@^%4rH4c^1BN4~tZDwVj>1tQkEo7I83(BzQrQa`ILLWGIp7J8G zY2q`fuj3;X9m#cb-cr@XsNUI;Y}K*Moy4VPkHYeM_|0B!RjoA9yIZBmLm$TVbeqye zQPcPGq?~N|3Dw&f@)b!VQ68Uk50MkelNUX-6oe*P>DWS#F%);?`&PHkY+dv}VI z#J#xZV-&+-9xqZJz4Y_|+QV1RM1=(wLKR<9QIVz;nEBT&7+rrXO~n25kjRJ5?z>j< zM}j-`s>$>c?0h)vO>y^|79*E~vQQA4L=ACEyhN7pKSonto+vIyZ{l&F)oZ}NiTxT0PiZV+b zpG2gM?O+u)?U;XZXcyuIXU~cKbwN!%O?xrqvE1YDNync&^|0Te`QR#L?aA#IYfBXa z=o#e}o%Ip)W=lDj6mPQBC$fdTNX1bqt$59gh 
z>V){YXLZfqTy(D%aTZhkS(-xd#+?cBA-pUSMJg*{gnnv zmQE$l;$2;;*I6u;&AK3gC5n{Sb7{na6)(O&n<8U!NRxugsZBRwd-oMIMk4Cucod19 z7@g?pFt-}_Q-jL)gKC0cC zNt&*-^TA^+%FgOjTW-x$cGjFOBa?f5`S9uJ+mzH?pA&GNynS~cJWUwPWLk{fcQY~E zF^CjdiZR$x&JsZ(sG^~AL?#r6C9UH{Iq#rRwa_A!JhVfpeYf-#{IKtvEuHZA#NO)< zi2^KAW_KU>$Ya`|kD>{4bH4OtQc!xx2crj7?z`E= z)NV4&JbBPj5u;l}6A^XP!(OaS*EQEUvu79AY{Jsw@M5+Cr`xL~l*__|x46#I@VPs6 z*tQ&J`&T(R**P!j1!Ql^Vz*jNwI7Wl)2VrOhWJ+9Fd5meB%oY}!W8OPGg!Hc{lJlEJK@SCSLnuE?vydpA6O2+);`PyWXDl^~ zwO{b!+Otb2_>A#I=QlaI**S~t_9qx`mKDgx-MvgDHT_2Xdbv1`XCx}HJ1X$jqUDu9 zFQu=EfyFTqz5%r+Jif=lrvH9go_Jx+$R9hQfy08Q^ z1!1;Dy!9I3a*IR`sPWW9Ek5(%8XFQD(;ri(o{f!|-g>q*ndaWyL+cPR-ms&h*`t{P zWf5g%FEW;n=muUhbMkF#oSaK?wtM`%Mlj%HzxY(td%qi|7Wxh)yCV!W+z)B*Z+iVq z@zj8$7-NOno~ow ze*0zGCxaqf7p9|c5~m!{nU}kSe>F=_A+mF(8oT?Om+_(zykBF>ySooj0`;HSls(YC z$$K)TXnmaPqt!0DWO7}nN|S{#3GC47f?Kbc0} zt@rn;#0{txOrNzkxNtXA)83=p&U^K^+)aH0gR;uH1BNEAq~^FZ`ru8pHPE-+a8nrf z!2Qur$f{DStqhSwPI^Y6t+uZ(K?Sx7+vY>P?$&({PfUWC)*hh`Zz*SEe`sLcUU7cu z{Znx!`E2oh7jVxRPCe~NxZa?2F65L3v|+bG_Kv7Yk>vNpTMw8>g}1+y;Lwz?)V*cU zlG1Y2s3pOOV`pcum{eJR2~K=5*Q?prNT`xS)TF6-cLs;cz%0>$3vUg|Q*c94`7#lw zDSY|1eY|`0E5_Ej;-pK)2WIC$C|L?)QqNr6jr^>)`vO^1Ij(t2m9T_m?r`FILPHYK z6uF=xZr2!~b>l()(HP_R8M?%RZ%x=D7wFl?nML<*?YM;sG^h>dX+vmC8n37V}yf}&to20@$X4-Y+ zV}{lDj1^^NH|2`HshfG(CUo7nwW4xSymYeEuFzH-d!GN|%;f>bsY{nqn2S4N?7GcA ze8DeiWPIbTI5m_J6DgCL?msDESMEbs?cnvnpmsbMCA!=SsXRwLWA2ExV>f~f7okS!yL zZ!jlnlQ3Ob?Ag{C3f+8Wt_knngj*j;i#Fc>H=6Z0BR;ru5c2SvUi2P!0_4B9Kij%%(d>rhl8`@Ww7Jv9# z%M{az@Yp+_Uk4xUy-8j}TO;LHg9FT}$?tfoL2XNLnsMoc3m)zo>VednZtow*Pbn#M zr#-Bjb0}XRdG+bdc3ryO{2AWE-#QPqoHwk_ww15!d!pBONc3}BKh3p>WIn7ZUw~eM z)g3J;9dqemd_QZ3gOH{tCXGIsaZd!3UW33z`{$o3L?#1Ij>;6z>>ZRB5~>LH(dlxo z^XUQFI_#`0r@5yImb=3D_@!v)3&?gUsx2~t``ZlIw)7jdYtwT@$W|C6rMOab$!sY- zA;mmnAtF#3LtOhH5q@tVcPDkJi#@57w{K|IiS*!LzC^9Ms)mUh79&=2tY06QD*B?2 z*xyLhc@kZ0f|T;)(kNsW<=$HSB!Bs1iwil}m-#3Jkk?4+ zc&^&??cGJQM^|$a1--w0eQGQ&gjcpY6!jz`CLyt_-{C~l3roFiRE~O+kpTzGb}>E1 z?)LQzts5E0EXj*k^F=K7d1j`vYE|&o?lyVCFmlra6?;$F_+iWgTjDF|;9Qj>kNgh_ 
zlH9f24^<*l>3@B3z~F=LYr6&a%Tnif@9cTVs3bvpu1`zr%a&tCk+CFOZe=_nEk4BX z(CQRL7qU8wRMNow8B2H6O?JiOX_Bh5TTzUZbi6ub$DWpt}n0Ym;oc^$C&A6?SUHY}FXUUNl3Vgij-qBcd z``zy^CqY^k3xsS*HT)PFyW6nN`$ULb(P`w_6Q1{CXS&M#wLNo!Zl1j9WT;HNZF~ot zb8;TB&vY77i5P;a^q$0X!fe8wwF!Q@@>)6usi!< zgq;ZcRXAX9p8rL@y|eV8Ecpz|Vam`aDC!+#`y7~*-X=o)U&lkLB=7E2ZAZL5(Oqn4 z#r}DOXqPhI8?=bQ$y0Q*?q-*uoodTWyQInF6-?Bqgcv`vvZkk!R+PF_K!U6TNvPlOR9&BqZ{z z`x358R*)FCPeRirM}PPjlxE*a%YY%Ip0GvA$i;Dpd2u&Pau;*t+b4~1QwP~5WJmU; zmzNoBm^fdZ2^hC_AJ&OYNVhdA65$q%mmM4q^^CpI^l|z@W{Ru)UVk&a#`7&N_hqQ@ z>+X2v?Vx%5)5SLxW65PHPoK$iU{Qh#LU}F3%~AR>GU}K+W6fK7L<-2hOAGcjQp_uKVwa=u)xMfhh(6@fOp)uE*w^S!zenx2j z0o@eJ+!9OvQM)2|po((rm{xRXsiS{fPmXCHpV`Q?v9(AHgVD}mD!1(6;E5N!MSJyL zV&;V{xrV}L4%^y0XotUUWqy{clc=F%QPto&F?tT}c8KWgoaqayRMOHZkz$Kpl}7zT zv5zF|w5IlcraSSvCu_+@RyUk|>2Nkf!uT8e?ymdk6D>twy{tS&JL9_YyVOHX)2FXi zJ(uk1I$>2%Yi4j$G^RG^(!;}NhMz9fG^n@u@jW|^pbaOn&bVaZq8QVTm~}0hk9{L@ zkB_TZBq=p4oz5Wok^d z?m^s?0*Eu&`P`I)JC*5l@|&`@oSri_)(XjZeRhj@-&Z5$iSp^;evt&~1L5sGXH)QO zPiqdwjol5ZTIg(uB*CZAQGUB(w{*k3rFCMD9R~GDVjodqI`kWofDfsHU<7F7mjOpD!`>|~LQpV1%YvJ|H1C7#+ zNrw|!C_nOydOFH}lzv-RP6R}F&ut7Ya|AG6e-icX!t0M?-?De?$20KiEOjpnoshi#9o)i=oD2*wBCx^@8yxXC)bYlkXDYby1s~$q?2pgfW zlNkMZ>;4p$^O$p<>||NjBB$BB7j7eyl_LC;n-X18KTe%%$_v)IFWOj$Nb)~0#E&Yw z1nFY8dc_i_#p*O?C%hQuf3x*zI>x|``SDJln!MAsLOR#tRFyku>h_5uX)eX!ihUM# zUNb3@Xqre3aq~;QQdV+KkK0P8+Wv&q?mK0R8aHFQ;`u<>$YlrXN`I^+Ng%^NL*V zK210Iq?J7v+?mTTLa#L};j79&6^1Q{H zpSHr}_hgxUp2^Rjx>q-NzSp{S%JWrHmdZp!<5-!grT$~#SNEo}dJmR{(VogOJEPXm zBQsWzO>gNrcrfm*ben(ZhcohrFFo=|adoh8scPD#nb%+PY?rj1L3`3G`^2vCtoog* z4NMnedw1!prD~Holyqo2ab{$vaGeh*+vZCjlJuFf;F*MH@j$Kp8~(AH)|BjGPewN} za^qV{yPLU7DJ;ip?4pDy_ubEatSJ=Y>a*v;@k_FMKQU@o#wTNFA4g5Vi*cHUWb`mYN|F5PE7FS{f>P+O4$Px6$ul zKETS%$jA)evyc6N5K>eG59BHi9n+FOB&l{3i&Hc|siv!MY+@`XXYFKV=%{66Y_Rki zLQP4OPI+b39%RHMtG6J7kdYG+laNvXdysK2??FaP4%Gj-M;XzMohP?3kdkeOE9n!H zAP#fwUfF(ZW*YhEQQdyoFoazR`11cg1>8O+ka7t(|3Wog|2pKny&tPpDWRMz_S|4H@ 
zdwzmHJSz2l#>IP8N{zjmq9?#pAQS)NHc{_w9IqS1KjGxMNOG*-=PS-4%f8M$73fB3#JulkI<8m5iV@KLzrJU!|&T>>Tw~D#kZn5lC)iGO8nI3u{Ddy6Iq%)>&WwcOhWn9#qxms1QfJ7m}@WQT{yK2C% z=2XRmCk|9aIQVR67{hf}{qiAEOjU}o?|f-|g-TGSL&S~g_Qt$*jba%atO>q^(-}^+$sNudU4oQzyCzloT>jhc|y58PswLy%A{O0RM7GCOI=6J8MjWr6BcOb12l_D=D{!5w$L;03@xAP4^nJ1`R|u=z4+ohshoJvi6ZvEbzD#;^5_ zyk@i}%_U%KT;=IR{6Tq{x;ts#zye6Z?^=R-JYL_mo%VEV;<{o z7fvog4nN*MKbtqc1nIf!`ow(ESNG&hcyUCc=FE_;LebYlfBV*dTu4Nv+cq)bY$P7v ze{QyGOw?CgBXg`ZH^TeP<=?$EF+*NnU+;9Oo7%_viK@;^tgh*nU9ViknQr{=QHL;;XB*X#6~; z@6_U@hPn~Q-`3ZG90{6QaM5K^=$&KDeK}ucpztAaekwWU>j?C>QC|}rnw`x>MAT2B zU2H+a1`T_oMS+IBmJ`rpujK;*dhB(CKtPYZju9{vSw{#23`N#60)`@M83AMLwR`|a zU?{Sd5-=25%g28^6p34c2#e1F->75P;rR7KptrlaP5${+%-O9dc?m*OBfgmC-z6>~ zsb9Avjw3>0_IbHm(~gq2CV1Qc#eVjO-`dmILLEE;{HkrNn`q^Q4}(=88=!6cGu>fZ z{DS&d@c}yQ0#kSU62wzQ>gn0M!IC8ix4H5Xq;JeLEXF=!+D&=?%w)4toAmh0-QoiR zIU(9lM$H`pO46GYxEoAGz(bG?&=~$V^aZWH#h|@!7owCGhw4ifeW&VqUuooxhIJ5M z2ynuJ|NToC2&DUqg-yuK*T?*~7B&HEb>Nug1v_gNHX(pTMpzsgSlEOjENsI6liCjG zKNdCt3xA-5=Mo;b>B1%e@?UB@AW-Z1{W}Yr2#vIUVH0}&jSpK`SlR&s7xwyg%OV}J zrWR&Yf>KZvmEaLe8$%--s3u_*8w^+%retJb2i3&F1@L%041<7T5jX(^8i@rO0F4kp zps+{`6pMljz+k{R;Qf+Dwsug#!_tzvib_WX-~#ZYz;ghZ3C!PqpPB@5g7uu2H6HFkY7f&(yD;y$e+C7 z5dv5g1`UT|5bJr{(2@xF8blj3M1C0&90wOb;W1b=6a&Zo!4-T35fZj+XDcna5fNfF zBIJg(n7@n&hXw%Quvk144cHbIjRly2qp$!+083aX8Za(23^@6t`F@!GMr^0r;XnzA2YM* zMq+^8M_>(&0a!!g&;XMFTG$%W{u&vesI!W*4MWf`BSRty7KS9CKmeA$j0}lJ0`3iH z5Hu3~A5(@|18jru{&iqD3;+Tc1Xkg~;|QnV$iD)ntg_L_0Ii%=g#EtjhXWu0Q%B;U zD8Qh;6NW%w020war$Ax)VePGyFx7zmC8AHGT^IroDi6o3kNWjeVBzyKEiL*qxTarnRo{as`TJb^J33Jpb~fp&w#fx#CE zM-n;&5WFBUz|f8X&i(LZf7vaOYaBoF_Z|PrP=p|O)MaFFpj!fN7FeT>gaOUE2H9a* z30(;}2||D&xuHdoYX$+-?+*eZI4 z0T@D0gaP5$3NjRqV1F>guOVAA1fYI@2w2sk2o%tIXu{%ufHOQEiv$c1fy4^H;K0cr zq^)XFiH%LVW*h*b``_&fNWl98&4)z+fjglq07wYE0!e6R04O2KB|t|1fVbQil+}*^ z#N5^l1*qR23Rb8C0>)*M(5vEEz~f@qLR-b$#;6gwW3KUK)EAUGuV-f@ zX=Gq&X!JwL4voYCo#;=|HOJ5aZOvphtc`1gZcP=@J>FA0EidbR4&76><<`~|Golc+ 
z@owBAq{sC!_~7}o0voC8}}NY+@Y&YdFK(NdT^5f0xB+*(2gAMt&sO9gfI+k`uhI=2Kj@S8MnAJXR zE{z@c@2FJ2<8s=eopM}A(~R=QR`Q2wY0*cHkZ?FF%3dQS-;z)zyK_;(=ep9UYwQ9I zoY_y-+H|{VnpzNduGG#RrsLRibzZ1;iQQTcMvtVBJEsUVyu{va2pSS}n+xiQp*Gwz z-xpLi`=#PSkg@J#y0QyPmz*Y}CNQP@X{@)1@ta6!1z!nn%^W>*dEzjQdh4Ns5tRMg zm9(n23k3F;?8?o}f9cCdk@?X6#j{U&BSFHUM`kCgs9C&2y=?P(gGL7<685CjIA(mc zF5Xu2cxkCYFlZ0l`>iJ*2OahPnnM3R>6FI@_FoTB8oj?=_F<6+5ruoL)YrRb*>65i zLcMvGljR8OK5*upiltH@121;!4rY zK_BZk+jFl-G6&6e=Yne_F@+O?-t$HJE5{bGoUFjs>5g<~Ot&^qU@|R{nOx;rjp3wP zKI*sb`IpI3ZVEr*!iYU#I$}`9n7v3<@4+u?R6@!BEE#bO97AtYy$_6dNswTybw*YR9n*A+0HZ&ebl}Fk*;=bp0oW; zpFnt@xa(q1e5R$V(}crJf2y&Y>uhEhHD83=;`Dsa==A7lKbhbMLBYINAMKqpYnfk4 z9-cLg>VI2i3}GhHB0fX@nF%706rl~VqWsJTsXjHRCM0fd4v_}qQUKgThs~Y zTWs!K8U?{8?mYK<6|BqyC5C3^GWrJTHD=82zMKxZ*Faukb<^j$*h4B?LDI@jJhF{vFprgQW4XUO8mruz3~`cb?yjW_F#y~uZvqvw+Ud&-AzD-q-`uHY_J zwTVpfPEzo*iBoTb;|sm8S8ptwxywSCFL{P@mtwn^E8oWy7fVN#i%?thNp5m-uY;Zg zW>&3Gr~9~v=$hkpOYJ!I%38;f!V7shGtoD9TRe80)MeIlTC}woPU^`LF{s7JS?W4e zaNNC>ww;e-_XPa|Rxb(ca4GY_NK+OZoxwLIL4`N4o7rDD^w`syBr!QC2E2djB#b7xOjC2jI*>b930>v{C7PO$3^RNQ4Lx{=OU`@D$61Ljy2ym^k*z9OD+s14 zI=Y?Q`20ta)Qcr^PSJT^@5@%IAA6sPk094EOHI(S3O>P8xs$nzO4gQa(a)UDh`shk zLWvr?f+1^i58RquqPI6U>z!ep#U4a(ZmYk6s3C*w)UY^>mj-!bsC#q$hwiq=x(vUwsO7+}w>6!+^ zt)r~(=!9W4Hha;pj|C_go!F;w?3`z$AEV|QY5W^4Gnrxyh1h`<9Pi`3!|wtuc=DBq z{||d#0uNR9|3B6wEwb;^in7c;WXlpQ%9dn_Bx{!JyQw5XRMxDOElX5HS<8~_A%vs| z*(z(6G5&Y-JQ>u}_U-w7f4~3rdexkB?wxx-^FHtMIp^N+cVz25RVlR9264f=H@6NKSWw`IT{IoWfd3Iz{tF98oSx~C7?zP)4Usm;z z$B|b~>kcKA(T$ymVX4!!B{BmoWjwq-xxn*zZ2`^Q;b@dq#D{1f-eZ{`ooUHkjGOm( zH}|#UW$_&mCzuwI!MZZ4CHN0|$(yDq?N@V0C{9efX1k}eTxENKVKaLIrFf!# zw$|}6TfRPzBRWjoUXsqnP+V-?v9Spy3-a5q%q5k~W*kn)peZ(|4U0u<-o0J=AXxTT zh$zI&FegneulS=|yYS#EYIL`_wqu6h)DGuvSYgKw$>^8G?h@Y4n?G@E-gU4l#723r z2fH=;B~z-wHP7_kcjlZAq}L^tmx)HjFnXI>uS?iyL-Yqr&9PI;;)SliaI`@ZQB&J zQF8piOQs{L+REvERq5DC?M$6a{`0wcjK$_^K5a|L%Zbl48{JqJ zp}qyTy1D4okxN?DZxa33V+YQA?z_&rTQl+a!?Wca?H;+!gCbnCdAehpjPc2xp-*!u 
znWEc+q!mkCTSEo3FV{acx?LN}?^)|n?={PAzunfWB#WxJu{7Y+D8Jv8Qqz#f&{1oY z@VdqmR()lby5h!y)tYN;n3WWP^)w#1b(4y88~PxE9f!n#fC`Ix@s8gmE2 zo5N3?s#QCv4tYq8r)JSc*IZ}WeQb=dD>V8bf|ueh_oIwUa4w-~n@|~VCPUT2x{G2x z4m>xV&^3Ztjn8nL;p-DP+eMDZw?||q7 z`H;1fsUdgHlU(DqdgvjJ_XnQv+kQ0T>8-qS?^GmQ4jW^$nsajGtb8a(Ft+kWghk0q ziJJ^9jH`4Watj`rGPSM^y2iMmx~*&3Yc=CUPsN%PDfmg44Ar0MG~Vqv)|3$CQ{T3W zYj&QK`d6O5U=T%6SMKvhQm+>?m~5zE3|zY`t2uxT5BmLv0&x+XrbA zCg=9Ssngu_z1}Hlsjax%WrNmo`4Ry>cl{q1J+^ND6o_mPD`l&{5V))MLAG`En6t7U za`OmZ?ThFO5>b3@8CNgaWZUO^WZPs0mN^=m?{H(e<)K;;KjL6gG(i5+tHGPXdB2h5 zfZa8*lX7OOCCA3`7dCnI?Sq_ePD}2MK)NWI7F6vrb$^xGRPpSkdtb^t;Zw`)z->ZL zqG~t9A#F}ERn{o*_XxV&*yDd7@rvW1?Vtr(#_zJ*OOv6u`&n+x_;~S!X|Apy>wR9& z>N$ikWS`l9moITs@KHX?SI#2S^Oi;KDu{onw2H&M`>Zyo)=>%CJ~T^O#Pl!3h8wwAitR!n^xCi>R86dS!`lS)U6j_BI}q}#Xe$t z^sIlM$-B9Arss1N*l!G9kvCC@ryp2nirBa5AbF8&#H3v2;1QKENXN;skS980$;}sg z-E#A44n`i2z+%ZT@%2~JAu8%OPsb+%KiD;%z74p`YckXG+uJ`$G|mw*?$8We=R8v6~FJJrOL|)!x;a{ZP&AE`ie*HH0V#b`77Q~*nan- z1mfbJp%d4)GT-$(d;Uq3!_)Ila@*s#AT~vp?p|GWG){o3-$!w;@ze7sH`+hi%D7hX zsq66+B|a?Q1RqXi?T)&XH2(Ez$CT4kcBMw;`tF(bV2Ul?wylqvch4qv`;@NhDGuHT zOx8a*f4X$r`5>CTw_J6u=6-r`vT?OgtDVo8^VxxC&O4ktfZ?*PNK8Bu>F^+UO^D%h z+TgXxiNW{P6NA-{^oGo3>+X=v=u##?R_UlVG;vca=%g(CJe`O>YCavA`2hM2DG!f? zo!>LtSI!#jLU&b+^%HAw9p(ef=Z%lFjYiL=U03~tKCzZg`beAC-Q1F0{?2EZ-t$F_ z{)Tp0yRBQ-%J{o(0De?t1{41W<%2t8Rm%1$IsHS) zcIRX*3lXzRFkP~;lZ*QWLQJ>-%+!q|1I?Hiwy zLY#fhLfpW=80a-^tDxcF!K*qH4UuOL81L<-UAc~k zoLX&FSqYcFs1;|cgn!R$wF|55dm4k<=*Qu<7Yv5ipk$+VZZmYm*o1WbC zkjuYE#)1tvD}~>}0vMDbz@RL8PxmBccd+afg}>o6_i=%pCsrA#>m4$+qc+eu^aRa% zDr{^flv!)^`h?dR(en}UQo0n|o$?(zj5OcsI^GUS8Vd>wwi~HFd@}Hz^zoE)91@#>GsTK1$ztVQ=`=LSr8VBl{vj zx>@-9={r1I(qF8f8CkcP&BhR?aOHGv4vzstf%g59Cm(V;+Nh~)9_@&Db0y8>`IB46 zUyj{KlkXkdbZnTSErh3Hz;cXjvP6RJk&VFBO}b6H?^DuWZOXeI-|r5*%8TLaDyx$! 
zDvHWGR7Ytr251k6$-olXh?y{xw^IJRyoDa1<+v~79XyPE)gPByxsEn_P($qAKp&5;cY#2n$1E&`m{6Movkw3WyrBZ6Rt5 z5JF}#stlP510xe975zr|333XA^d^#kG1F7XXYU*;+Ih{R?|~ox`ynu`4>&_tik-sm zD)5j}tQ#5RL^bZxj5~lbHM%5FpAdn{ln*s&s9^`2KqUSQClr;|q8fX~6>;2p!s+@w z@cJ_@Zjus)?Im+u9a5!9>mPl>aTTr8ZWfoo)E#lCQ!}5yfd7FQ{7>`1zGS*(; zdsfEI8YjzWa^e!5$_-x>Tpnx!k@(MZ;>iX6jJmS{G4wC>sOT98JM&AthX)BeUn-Tv zR|WR;q{0T@#LamHg}Uvk7R)ai47hx4rtrbLiE_GbPfpg?<^z-M>><`-SAmPTv5W|nh*8DwWo2t3{o22anN78_TsnJN_x=0wCYvYJvDcD z>cjImNe?aLx>}ZMftMN8g7~7b)v>81^}ij8h&on^<~??7M+TaZ;^sJ@5-TOh=54&D zm)TOImzkh9eZH>g&AX?IQvF(qLMisVBgb@zM#MZsT~cg+F-l8U@ zfVut1zMeSP&>Oenno4|eXVp9ec5NnKg6$VCzW6oMv5x`WI7G^r-at~hM*`c}XnnZD z=|X*@9uIx19w6wU;+!tG|Cz-v{8|Y$J*8k>bWPnkV?wRFNY#IO+N4@cL=To}Qv}Ny zorhF!_sCc;zx&rNzW6P6H*nA_qVXdoaM1h+O3Tgx2hB1-exM4@G(P~+(o?{hW+@&& zR0C(4AA*VWByf2~ipGzX!R6VH;k4u|aCx=_jvuIi%d;N-wqv+rZH z>FE0heb#1k=)!{->8`>9`l#({99i`RnWz=JM&wH@NSQuD|0IwwbS|rhD$+`F}1T*HnfqovN&yJNsNODc!B&KfJaXD@ZaHg z7QVg!w~>{N1r%@(`3qAl7V+<;0G^^b{FgHa8-xt9)RzN7MZJpb?*zbP6ciLd>R-U! zV`2D^QPMM0sOpnbqv1$vo3m7#q&IFu$jrAvXo&70Qjo-Xi12i7QNyiEf_(Fkos14# zC(8-f9}Qxq&o*0nQlxcIuhPt=TbF6a%4PHpwyWmZar;Q{FbE4shySC)0I+_O%}jZh zJagaWHoW1sy#n4Pk#|ne-4nnTMn_&r~tDe99#p33xn;yL3o` zi}aLVDpMMtcDikqcGm*un$cr2#KSxFyu1F{FI|fCOY)AZd_iGBWI-B$0}KKIwE+aA z0Z0R2f&^&*(g38v!b%aG6hLhN5CNnCNCS`tM2!fp4M1%G(ttP;z)4|+HemB1#7>)8 z!%uwFUGvyUnCf*t%Q>+4Cvn&!cHx9n$ZY~{I#f90gFU{0r-pDLW9)vn#(oRf9R)WH zIb57*`s>>3Z`#!3u~0$b@LLV)b?N1RxvR zclWvfE%O9m&m9h=vjGHJVxE8m(gh)~fV}_;$p3`JqW++H0`jj+p1}S+kZB6YAPOV} zGO(Z}iUbIyuAW!_J5E5Fd{S7mL=wiQwU|yFum!{*i`5 zC)a^ zgCGbX6aFiQgMJw>f*T2U#*Vq(Xf*RpNeuHLMB=(1!e;GWw9N3&G)aldDU3DFL-c0! z&Mdqk`JMj&lSOGcrLiXB9dw=KJ3*X&zpk>ab5D}9) zq&`unI0?vKBr(`H;`G}w=pZs-88Z`Zh7uYtQU_zM4XI6}dbqYEb&WuOTV^j|y@`RT zN|%hg8Z8pY7fFLh@Sif2%DQ&{?v=@Cb&Cd@MuI2wPGqFJ7~fTDzCHaxH`cH8%A zoUs7clG@EbP*|p?GhTNh_O|xes{$#Oi@$qe2qnMEJS0QoiCUApZ{frKm@+A?oW24V z58;i!eQ6riiFt@_hJRAZER(x!qlB-=eXBZ`alG!<-@f#Qgh4`q9-ET-kkBBZ z7a0W-dJzj^3DnRecz_z31PllS)X+=d0GAvjaDYn=5-@-wxa1(k16)IspaCv9NWcJ! 
z;F5y`4{*sr0tUF`SONwFe9J+K2e{-QMFU)NEJb6*l0zN;0eEdUuzTrgKVKu&&>4Xv z8uO4f&+FzPS{i-3ym-12x8HIx!zI2fpOta-b9?+!yLVkzC(My~+Veq9HCI{T@%Msb ztE{cU#lV9g2p|*wD~AJ3>WoDxE=#=cU9K0;o0QGBjBuT{_^^~%LJ=A{4`FLE#Y-G1 z>TBGeU~4trR3o`DI- zSx$wZklwU$v;Jb3tLZ5=5mXY}C6z>sAy{ zxBeKCQv&lUvHf|wOQe;W#ehY@!JOpm39t!7;tz2`YucrgAc`}mRw)*vzc3Gp?e-l1 zSgEU80{et_vkgCZTx$JH_&kJJk(qY;7W{s~QJO06`;`Jgy5T-zPj z!!yRyWjukSy;^OvJqO9{+(v+%axj?iL|ZW`S(a z0YK{NSRfC#5lgscfgUVphM4S`p!1)|DgF7EWB|X!3H&AB+drZP`{a8NEjexqvTF$* z|6Bpt_0RY$KMJyIIU@g52if&c=&U>jvTG$K-);ff^=)jvb_8VC*HHOZ8_2G2A@lWi zkX>KLZS_`W`~0$3b?HqVfGQ$gb~Ww0H){u0u1mc zb=S|K1+wes@B($$&)@~J>u1mcb=S|K^*_w6x>>+@KNeqXFd943A1Qhb{JWMl7CXXq zDHdOuI&2)G#x=oLC#i*8myha!-F4|~*sO2%$YX?_XFz+b^odTvjuSnKI>~+^aGOM- z!)2A>57k(}CJ>1~#EG`)69z&$tod?E{_~KOy3Dx~wnyMGn$!ESb)jh`og<@_s#D?$ z_#Q$M?7@d=pLxi!SKL+j8LNkrSji`SFJ8`a#2VNRS-M}Uy9+jfNcM3=l z>%u)3LNd)mH0L3=bQEH2g_MM}F5%to*%9<|@BlY)F$ja134gnei0OxV*qyySZZ9(; zL&j_hEj4N?!6p!iKg0>^F~`^#jPXp*oHawwoXzxf?^q~VmNO<$6um8aAA0NaAk~B5 z$Nzo^LebmOrs0T3Ker(N`q@(72z-S7egvI=E$|VB82E@7(r0PlBdiD%0Y{4hk&l3b zNCX`ApG={NSq#x*O^bj7_aY|C6ePw50@8MhEZpz=!H+Qi5d4UE#U-JoekJ%3v743$ zKN4Mj;qL}NLM|rJ6crWygRzegSPWtj*gu;@lcJC2@Lx$Z*&$>QViHY~AwWgFij0zC zz7)bo41GjFLA8)V^YaO0l+3CW)M#=z(%R-M75zqOhHZ$&;73U~2E0+ys6Bl`Qpd?l zUTW}p$ODJsu6&=O} z9xk1SBxD>P#a%iiMxs)Fv3Thv{X9hd_LzXSUQNre$qVt=Znc2gGrxGXFJB`^p0?KN zM3mjfcX%{k@~j}BMTXveIr^)GE!b5|pr|0KAXmX*1u830uY$7`II)7u6>wz*u2+9` zMg8S_;L;j=U;&@4z$aGlJplO10(=n!zOw?~1cEOu!B@fHTWfGH0Nl3t@{st81#mM6 z+_wUE1Hp|;aN`o(xCA#Y!Hr9B;}YDs1UD|hjZ1Lj^8fpd%U^t=T>Kh2c5&bCRcDt} z$a8|Q9^se>p-0N&hym5Kraw!M5lk;6{4rPs(E!Qte`PF`ywS`b7)YMU%FQ*H83^px z7#x^~2qh21PJZ2`2t#zBS>o`r(l6y-b14!fx)c!|WtO-UAz^@X4_t)kQiMc8k#G@_ z|D;P1deQTR=u(740JjHRiU5xrDDlR`+kM}oNc7ttMHu*UfPcZGXrY&uc@$xYl76S> zmZeiiFM1TgVQ`T@=u(76B1wS#!!AWLG$wz!6mk6JQbgiYL`JoWoPwGX@G07{;8R2e zI2@4!PDTr-kWnzJl2b9FteL1O>ER5UHcM|rsK_jO71h0p;2UTmZ2G|SI2G_HN=xc% zdZHAo!6xahb8>pZItZ+SXnN$= ziCXZ=AR2!&0|EiLv4{nT1}PRG8Xy`=5g@IBdILm*6amsQ$PEw;QUplLAU8lXND&|{ 
zgWLeoAVq+*3~~cRgA@VMGRO@O4N?S1%OE#EG)NI3ErZ+u(I7>Dvm z5DiiUNXsBMKr~1ZAT5L30MQ^tfV2#914M%q0n#$a4G;}d1W3yuH$XH<5g;vt+yK!a zMS!#nasxzz6amumzr>9v?NUwdQl0Yu_r8cMt~@qXWRFb9N|v!Yd@r8TrXX=`U=sBb|m5uLw*AB0+t@UJ+S6T4}- zgE@Nng{3Vmt?X!p)$C8$IiEI!3M-mgo}v|&hoWeOWvpyY8rnd$iO%!Hl%J}G26j+w zEL;e1q=y0GV^K&U1R4q#MF?S07$99I7L5T;lQXong9-zew6n1{uv6BzF|@RU!VySO zNlB7lNX#<2#MAw!1%Zpeg;1gxpp&sEw9qm+gs|vui-LkJ5oJXN)}Izd1Pw?cg2jqL zu`nc26qE?i0Eh*E1jhg%eUU|4QC3g(psWyl1wJVF5}{TkE&XYs5J;F1kg*jDhhjuw zz(7C{YbY!rBG6xp66v2fVWX#Zc%?juCGxDub^6otpiw9xl!zz{3&mhD07z&w2B-t5 zK`|ntq!@iuA|$Cq*cDMOep(`=C>r200xk;0V31H0oY-k_EE13py#k@bN_$p9gjyod zil`7jFAx?*6bK^%#h^q1h>#)}VjTs@2lU<#^cfJKVR4LMS45NeX@TGv7?H?uVkaSi z?7$)jKpqTmVGO|VxAOQ$rK;lB4A!-ApC=`XlE_5p(6QHrMD3~Y; zfbcJozex8@;LuC-Isp3bN`?>xW)xsqgMgxtC;%fYF!Lf2NB}q_pzDd!61#a3x6kTS zT6HC6OEf$%dHt?rBwY$4st2NEq+N=D1N{s%egSQ4vg+P8=0k~u)+_vZj4 z8V;x}BpgX98D?SW1N6x^BvV#i3E7ev&-GDXE zS0G!tRK+Y&{=m}UcNG~NOPn<^qQK)Euvq@wmy3@%2sp6PSSi@oW=+fzUwA%Mvmc=Ul0bp@~*BaTc!SBMZ-w#0=a90LqeqHKsS zYUA@{t|q@?2w;|Iec)05i)`|y=61ltvar0lzMY|*p@G#&Lt0@)LrY^j6DSH;!!L%U zbBY?4Xb<4R+I;BSIV1W=HEoU68U5o%@z$evq#Xnw%?_9tW>9EW?iiINNJ1k|vdp4d zJCM2Z2xuK!v+2E~pLQ_2GOF&KKj_lX7#lp*L=~lr_n7XZdc@~vv_tC3qa7UNhvILm zH=D$~D$K{D3JReNJ7k{B^mJx$F+C}^-mGk>`mMlDYNLqD z^~tY2Bcsrj1G^;y?$S~#`xiX8yv{dj9aLWL*k0`(aUoCG6(hr!`Iwy?M;qnXLkvDj zzUdZZ+plKE1mW9Exu4;}YFXt?M=f}b^GEkSwHHvVJ?d5Z6*`EqR8vO&g=R@qgNhUs~|nU{22?7+HuIr374HJd7*`c=u?LoinW_kF@l zUD|(eqnDQ&{gvbA#!L(Ei|6O!yGI*~6f=Z(?R%+*3-4WTg)0!BCc7Q!F&A4E#Pi6; zC-&JMO!4{G_>=wtHj@YNHyg)T>h+zA43!){`YqDzmR zs#?9)XLhE~ixIl2D=TB>fb*o%aRKKf8orb;gdD13etyEc-vxH1JXel8l{cUx93uy4&JcF_t>2$y($(^k4Ad2 z*svIZ-u1#l&Pdiojgidar<2Z5f|;^G^u=TBw$0Dsulafc?l)Xt&HT1&L)SU^m$IA& z#~&HxSU)%86WNwq3NO!Ag*qKFh}nW-h!`z7OL6q^6%@0~YcK17O=DtE7gW~l$ZA#bP?+)h` z%S;>H7C?Pr-yNZ~RAMzzdw3p3srV{}-cv4&FqA(O?v;8IDJ+<92g;v-{;Fpi`TXvNy?P)eI0#b@Zg~Dqs&pE zqy4^JW6c+!$LO7Ii&I%1qknMSPUoJ>=F_^{RtdPNaGlCm;j+N1a4~W7r=NSJ-GAkg z=e^pJN$;w!%^2MR+o{@ zlOuDb@3GRRqdm@nJqKt`+_(UJUBc;EdVGeXT#7f~lp%cP$oX3zk>zXohsh6K-x4q@ 
zkO7bHVV9MWseVn#j^E-eBwFqZwVqqk6?Nk^M{U{Oixh&XPzJtk8NYRiD_!Bk0zO-K z-4!>vv>s;*ir=f$SMOz>fw_3C^oB}0Rcq+869$n3jLBY{2L8kKW$9`1mo{6SVDDvg zG3K9T*S(VGfB&se+_jex;bnX_|{$Xsw+`ZrIk~!(7Hfpt>aIiw^s_`M;y+cm2^f}wy zM&4dk-#M?V=%oXX3=u95lDh7b7qVrmTMT|SvPG)Ub++8kvC*+pVtTBjNFsWCeC|_@ z(g&fOI$@>v!;}s#get1uZWbTI&4}cu$5AF3tky1s*&eam^`|V(HCJnm6*NDoi@nqs z@gWOy>pt0Sw7ZnVe1@N&|Gt~?NqxB3F3J(<1yG_qf@Kz#QS7g3!jUiq2<){r!r=lU`)N={|&xy=hP@zk=F@{MkPbD@=9U>vhA)GAR(F;GU0YK_t3i!z3a zTFv1{w<@SzIzV5#1Ex9E!0FhPc}zfkM#xx%u{$W%t4Gs;Jn%%?IhdB_gNfmD#`N!Y z#fFQ$*=H~OE=`7|!>(0P4ko0v9TC#(orQX#SnYFKOQ+6<+(@uyFRz8UqT{Rhx;oao zkMktYHYV;f$=G_?;(o`=XlPo;J@QqPcf1S|rCn;*_QqT*mMm?EI<>9(v{B`;xy@I| zS>j_2iqeia9MLFo_D-^htZ8Fp@fC1r-)~M4@YsRUL2G?1;ryvjl$}q;a_+z6xu;}V zH)47Ovk96+EfVKTqa*IfH<@ba#+0)|a>hd&CKcdUV_SdoxHeq(npll%<~z!~GM7ZO z+bNY+t_}9FY$cnxl+Lw=(!?m;m_05<&T+}$4%az-pNO-Y%&0Hia=$(Mo}aOtfH8Cz^TNpwJl^%z zfy}`!Fj}Meahj{W&_;jncR~d3!cu ziZ5)ntJmh|2^xFSryt*Jox{1WTsk)mV)+{0>{(cD6w)PwvWsPuPbjCiY3V9NiZ< z_(+cvw_zswo>XXCj3F*<7hsWWQnSHiB{L<;ad zKbvN8Cf-=dkMtBz6feoP~K8>PFGLCGhQ$+2K#m%eMw6GrVE z$x5y1H`(uUO>C2QqIrcS*1D%jD7c)FFs{>!k;rike(gE=(&Sz1*e4U?yo>4=pQY`s zehIx>Ihh;t;RauI&))ShlBJ=MW>uS1s9d+#`9IdDImB!Yage>k6=zg_s}*jh*I($G z&B=J-;Z|YvTX^=%0E>sRRMRi@HB~T-j5{MvN|~&!+ZFmrZp5IzV|xov>l&JS_lkTQ zn-#2^C{PNmsf{$5QH`;UtydkD_jY-?h*czN<|C%|lbbMSNWLK6&jCdps4`~o9M6iD zk{{-1;@*AVVh-A^D#nLq-Y%XPc=VpHm43%Pc0qnMj&p?Lb< zp4Zn?vTy36blLPQS)TjVjX`I)s^V(uv--lf`swaGeI4JVIq>F4hXSv};bOV{$7qC( z^ST)`zaHcZo7)hjdjtt--y~8nUOpw-sC zfwQCcE?{nZTcX}rT6nmIoi?lET$@vedP_HU87a=p&b_9_*k3DWXMnQ4WaS1``t{L{ zqW9XZjiI_TI+`C-Ypbs!`!TEDTr!w1f8w^@a`&67f=97iGbdzM-|^rh!_aMet(M+V z!22dYB2ru{@?QJyVq+m1muG`dTXNhR+~OT`_ST$@q`E0hnXevkF8iSOUaaBeV>=Q= z)i75tj-F90Pn~KzL?bNgI8vY`e|k;YmRGD$9_`B4tX93uYw4$9i6!!GfnmXBu@=4; zYO^Az+k|X8#xU=!hK+n(Z8Q-~dz+*K3tMpefNAZlN(pg%Y%-&feZJwdR>o9JU)Pa@ zYMmTWk;usJ6lduY<4Qheo9XI6|n)*&Wp^G7Zx@>BzM+)3i33p)@lCL^a| z-+F&ue52;Oo6>tKqi?y-NSI1$4zn^ArR*_b?>@<8ocHLtL1bqYb%U4@hYRjZ%b}0& znZ$diF1!k+77mZseixXps(h7o%T@MJ3;d@fS)M8ms!sc}`HtOqJ85z6ync&enl}`| 
z1=;?tiQ$LOo_KNUnUgT*UIFYN9^cWRbeO_1Z|f?1-Ao(Ct0(g9&UsIz#~bxw4-C&& zBGdCf5bW`4X`d#vdMq=C-H^cz!x(zsm$f~d`@4kvn|F;!$~4*YK{Ikf6y+zY4zyl< zo_;a^UD2xOTys3Ez)Y3f8S!{cDn~;5hS9;Guz)VkIHws7vKq}2p|YM*M?dYor=5dK z1yxhG+~lfXox8Q_;3H~5-fb)leQPYwL7QeQj`{35ZEm+?12W-}LO;UkSwZ?GJ2p4S zq%5q9)!h3ydz`%3tvRWVqdA;(y9zDbwuSU#4hV>OOI&=h6Sh&ar$nbgw>M)|PQK3i zzGu|3U6oO`k!b%RI{v22x}!~JM~L57YT=h%-y1Hy8S_=jgG)l#9Rm=#EBYLf_63cih4-{$ z2eaLLqxrc{ciQM!BzEhecf>{W4DY@$E*~GDU)E^9furq!?@q!wc%@pL-?l-vC-yF9 zs}P4IRyC%knc1B$JUtmdDFk&Nif~K*QzOZ6zW)&Qo%01^S!xg z)+P50mwUIWF zXm+?}u)iV@hwsZnO=Sq<2(wi=h^=-ECWZ&|DPOnmmvy`5^3WIQ_fUnbzwMe%xN^hlm>=!Bgk|A~M-m?w`TwjO#_?;8&t>qMZ8_H-UH|-ON z>QK;=Q_9TFn{sZwed_X-IL()CUEH^C<;bsp*6AE}L}J7_Hf55#r*hK7Udt_a7KY_A zXyx74qT8gLNlAZq#7w66Qx|ou9Q`M&SNUSxd(I@fB+k>1XMDJuNA|>Ycgw06y(qW3 zXovgBIb($qLkFA6Qa%{hQU-`NSw>; zyY?%MoTZWeOw>MWEoMXS=U`q0+cqoveNFevj-}0zM7=r(C1>G-C3vdPO` zGQ{oZhu?on$unow&Ku$&hq+9_0 zKA%9Q!nBcr5lFdkf}9FLA-!qyV#E{25N9DK)!1oQLGJOa{`_CM7g>5;g<1lB|ab7xbGN%bm}EYQeEiE8@x` zZ}y)!A=RZeJ+9JT(&)u_`ep#5O0lnqiUKX)n?0O-abOdO#Gl~=e@4~KfLELn8Vd9b z^AM)ay9D}?4?v+dqr1(JXKb`7+`+C;-*D!^JmgM}JFXa2Y%uM%B@@_Jh1OI1prmiE z-C*JgR{nc2V8<8Iw{kVRZBb0=G#wdDu?JEOCClUSSw>vZ!r_{Q8P$S7CXea!b)z50 zPcE*Zf2~B8R97r^8(*0^Su~K;;*r2MHd?WVFpgQeuzI1RK{?$?LZ^OnXHR;EOva<{{yV^AO?n^1Bzm^J^t`H~f~|&gzt+ zQ-l-YJ8#rSp*I>$RT`02?gI1qyZfRY7kbwRcNIOI6L9&O?rMR;9%T z&h$^soiCs1+=4l2RPEn-B@%%&k~e=^bB!$%Yyy$^Gn}x^Oa|h zpKii^JqjEU1?9UYlmAu}IKX@pj#;qbRFwq&0HaG8D<`Nn0*JN(_}l}&-xw(1{tdWy zE7(}spN5Ky3x789T&Mz0-caEM%gfWmSY-x)&895SLTbag4+_LGGbCR4FOP1bANb!E znbx#Gq&cEzKMX1eSb{={cO^QT8(7d1+khBs3JV`FsEsio0TOC#ODlYILEdi$fCIuG zECcr!0>CZw&}TrtM3xg>5w+pFhOS7&7eiMddeEOUbOmB?{d;zssK z+|S(B}Vv4Mt)YE#F{V5lVbzw=IjLgC^Nv6h;5J4Mq{TC=e+A?`_*Z97xBH#)Kr0 z4oRFG;);ljY84Pjhx)G_MsjjuoE>1Nk!oR!k&J>#m64eoWlcp*Pq}d`LPeipafcDV z-rIj#X?nfA-ZhIWgmVAFaM$}m>mBatzi(EQXaj;BX~I68+RiTDo{gYgqx9;wwIV@Gvk>qY{1;!ofv8>H5c?YI}n7R#!m-``9pvFovS(oxv> zAT@XN@sh?gRu_BE^@r|&hd?wyZv4^Vz$A5lIz&SuxZEF!Yxo$r27gm((!=;}_e3gA 
zVsHwtyLILJil1!RkT3^?`l#yWpVKp_8jP);6!*Aq)mMPy@hd&^lb2d?Iyqxe(crY3 zp;YRSv%BqdOnG4QZTzQt}MS*2qyMOjt%g-mH)$5$V7b0StCdCUM;_D2` z2agb3TSlhx_bxy6r|X*z%o2*io~X?fmWQ=ST^n+mGwZB#AxN=Y{OL=6;8swOYapmm;4}u_oO!)5{4z_)BOqo2>`!fl8{hGL0!t{a1NJ8DrnH5WepKe(7 zRf`iWjA&tDb;6AHi+}h^(}jP{;si)mju9o=QY^7JK>#Vo;V?8{ae_huPUf&bXmNu6 z+u{W9MJL`CxZC$FPDHFC+rq- zIVqZ2o&u6CK~X?p04tl5K$>>#15;hPHN4;csV##{l60{&us+!dB#y`e~U^fCvZ_42AwnBp``Akgy&G z{MsKD32>(;5otxdhMyJ*4Mz)!iil!Fp;$OT2!x0b7AcA(VulpLF2hLeFwg-&)C2=N zWnxqXJ18815m_S7iVz1sEe~7-26P(+i-lrDu|TgOU@&5@AyI&QupjF+(Iq0S2#)a6 zA|c=ipw}=!_y-I?Bp8fnuZ2LOfu2KS;7|+_0{{iIE#s5Yo)utW0aGQC&Rby&_tTPL z;Q%(GFbo11$)6=7(i}?!Pz2B=@a2+8E6VB}R#Vs8bM&wfTnH|=QbPC=30D}D{j`KA z7zV%z0ob;|fzCr>(LiD~Kq?d*jb4;_8FFfBE9F8gk!yuL+E2@cKm+oi&O zWC$z@kQD{=E-)sA&_F*g{ApR31Egr1JlEoJ|&_Dg8^+{ zFk9NEh_Cc15Z7dpb-*D1UCsKXPl2I{Cdxw6r(b0LBHv%y^(%dfULx1;Yy3szkVrt` zFGvQ*VuhJdHB6bK7gb)@3Xm)^ge`ALbMSsTgORp|t-B++%GBE(Z_;)1) z3~~Xzfkq*Srny2eI2;(e2nO-33hN`%36?& z1Un=!Z2@>LO12a`QGE=}wW{STP zbjq9S+Zq0yqVuoVPe@S_KpXvSM(h+d%vF`%A!matEIze$S5uSK>P;Q4#WmIE>LFK- zA~%uAJJVge6JEq)pU2abojPo5NpqQl`E9A8W6Nx-17*r(Lgevt{kGDC0rEq2y3rmI z`%KU8L54`F?AvKhBf@{@$WaOxms$My-1yA-O+Fh0&by4IHgyXRGHsKfwUbv8R=UMR z>&1R8waxQ1*@nJUXqJOfgYN2nGW>b=Xd1}}`&!>*|1v*$V;dz4|DHEl;~ovVw0_bvS)4x51VoU7^n=%zVrkb5#YZzdnZ2I) zgn8H>a%OxyLQ_~tDzUMcZK$D%5yhWwmjJ!$58gD%f+*p#uGPo2@`V~~yRUd}bG`b_r% zix{8o+s~!(_`xGy{&~@Oy5gIMukLN-BNMu{&k*IUnyp#6?j)iI%DdW>De5rn!-2|6 zQ5unNuOG@a&Ca-=)UK}3ni#TC>s;bc(|+1+83wuFon~~!{nve-UX^DJd5`xqDXqI$ zVD0K3xnWD&NlWdxn}^mKxnH6sD}Wg1WEe(05=!4irpqsp$s8PT?%J_+`WA%^cQJZ? 
zY4+p=nJK!bo@Y<=-#=H8xwa7HYPu_=!h?xEr+6j^U7!b7u%I%J#+n458kb|s_P3iAw1djL~K zgs$Mt1V?wujxK||Y@t;V!pd#^A;MFck;BGeZytn%@#=8Tb=M4jcvUbr+?v<#C(P~c zPMGapohV$C@9rkqAt@n|8+41;G$~2=kj?vyrxl_%6n%0{wu(qexZBT=LoCU%R$bn> zyR#Zs%mv|tSdh_?vqE4aAB-XH*iI|OLf*HhTs&SKg^2XoGoG=5?D}x!ePG=Mw|TBJ zBV$(GfcH#TWi+gLwaR7O%C?WSv*m)V%!Sl`|sUp3e|sdFsuWo(O5-R;Q(=RGFI!_Rou zkRL*MDSkT0aADKA8;VK~jCzw!r64r-3!mG^eDpyStSWe0t)R$r6|syif91!gdRlJY zG)F^vU&;kxp1K4n=T~**Z>eLB7U)`6z?;>-X@W!a3_B)*0{;L8=shl+Q~aHgm{@9d2Vh<1{>m|d{4QRk}(r|qe=r8F5%7p zggJw$`_mdvafbOFkt`_}qAnp{aZu=vdiEuD?ski6DXs`lP^QpyS#1U_OFgXdz%J$a z+5KeYz!5Zuj=R-~au6U+WIe-fQjQ@m`}PFfJqsgxrdsUC zVO_-`hgO>XimF_jEblQOWw)N&>7DOL3oZBVBU^wpX4|VB%&vNXWUnZ{X_RBp@qLc1 z2acpB*Q`G&IVeZg5U}HV))O8YJsQcmWO~2&^4bTS#+!5*$8zcXi=*{cZa>BqgF;cVz<*Kt|Vrimh+G6{&UDSB`w)_tTWbkj9C zrf3Dvh+8eC92?76cV#(B!S`_{TTF4l{7knVMd2?`s?ZP0Y}!rOn{~`E?IKF=sSMdW zR@if?q$Jtt>7j0tR|C$1zW3yACXc_#5hxFD8^h+8TgAM#%q{B5=yc4s5b}swn>~4p zS?-~rtdC-te$}l#ruTIMB3hN+^*JH@YSSa1912O&D--o(fBgXYdQHBPPrmM}ekLql zeBfMlZd}p>sS&(__RaMacXO5QT~H|A@qvNXljFQq-J1b>uIXdhYJ2(JjqQ)y$VtZb zAgwO2oDt-H?q{0US#m;_>qu#NdXCQEh8tZQGdtC=VO&%3s#g1+rgS9OOmlZJ&#NWqnKNMpa!@ywamG*80p;u3-0<%$gnJ z6r&$fFF6hzJ3IcdCM7`2k;&C@KtoMD>3(Br7v@YrXCl2*fn(b6$i3o_iFj<3_?ZW( z-utK7syI<6_N1lA=F>(#ykozf=0kDDSv3!_ry`QG+J?R=`wUAzY`ORNqqI0GX6*x` zP2p$8P@i6~r+>(WDd^Fr1sp{78ZksvP(4>wk1pUhPrhFqkBwt-WK0zd$~iDjUCL42 z>MPY)$U;AB|K?s&$-2>F93yF04z|82)wDRSoE*77JVLUrdhP4#rkk2Id(;M!$CHIN zO~Cbgtkw=2oVqgRp`+x&oZ#n`HGT>2E_yFSD=AHP?_kCm4k_mww;8mgBdvINU^|Z2 z*p#!@J<5G`5xH{ZT_LX+&F%JfvNA`8rOP}71 znTnqb&3<8yp?yuErbiR%7DR>s18g4@x7-TBOEwpXGDq;K_ zGQ*+Xtg2A?#)Xq;N>BFFzJhdHBQEH^vb@+R8X08dMX@V5#FIvfY^eUiYS9^mZVxNX z$^C=+lCLN72A=o?Z+E!B*}zd;mJ#oEl>hUvX&-bDX-CFPJz3l9z-CUbb+h{l=gED-jL234gb!VUe@6JH7MAq~2 z;e4>GUmW5Lvu#3=C(3Y(asbB7JZ4D$<>i3Y`<3s?`ts>EhNSpO=z1g(1``=8F-dRM zGa52l;c+snqmZW~WSdxzYdLP_M{+r5u+LaWHFR&$#gM5!YyFg=NB7|#*R2=c?p`HE z);CTHUUO2OKxJBHlk2b>C0_;p7fIE%VK^YViS# z)o*Q5>#P0l2OhO9jZ9N+WGLQIq1<`z!yrmU-TK8&Gd}{u-O!Fp*oSs+WYcZi39z-I 
zmi(hAST_4>AK4V5(@CW|ia+Hm;WfPjQ=8~yNB?RnhlQVE%t^(zNUg7P%HOo>ex-=L z?wuRTVl-5}cg1KPI-bFgrl%clJd9|K z@8IEViZICW3t(-w=_^ycL{6yAM1R;RU@qTs&^2jO%W#umVKVQK?Dj2JbX=s=1q-dU z{R+1Tu0}j{z)TP(``S_7uRNzM`tyxDdNuR*TIZeJafoMaL}b_w_nt1v!YMbrtz1akZe6lo>nh$(g{K8Wa*lw zwkEKCz!Bf^hHKr`;?whkAzf|;u1a?6PthdT*+^_Zn^4m;6H2E!aR-xc(3Tp~7k;GY zPB&)T#EVB<*w2rnV!<^}%&DIvjd_Vr6+xM-^a&L=Z>`jF!=MlArJje}oBFgXpryog z|DeQ8OH1p1si|u>bp_)sd)hO!)5f3AyzS2T(9d5T+0yId&=*+g_c8yPAEkyC*(>wF zT?XnEG195t0tO-XhH@RMYPBiwn>}n@EsA1BDGQah9^VD?IX#r$(B7DG-a{vPRkGOe2%akMsUIz8u@-VIo>AN1G#M{nEQISD zxRI10)Myd9`6bI}`S7?t{dBXG1y^g{_S0`CLt3_dnBJh}wDsWD(C6femA+HDY)3z8 zNK^NjRN&n|zI`nbmOobGo6Gd@YN!RZrWNxn`7Jb{ z+`6?*HO+ctJ1c5}Wb>xrQ)&)At6Q|Tgv>q&jTK{T>3`U`UGNafaXxV7`HRS|n00r` z+Q+H<-`j`QB{+x)8jbmkF>cdN-hJ#-&SUFskx}iJuibZ9YdwekIHy~EKPY|3#bKl% z_L%hihp?`i2-msc8lD8#(;rHM>T4o~TxROCZAUCBU8hE-)uZ*zZ@^-hoJj8$>fXKc#F5JmD_f_iZEb% zIyZH(oP&vx>^0Nr>CVg>P1I4bSgTuObJx_p3caqT_<71#AjXv8JeNA&$mQI5Q&>#H zLZ+G~%KhrhY!QVF>pBJrsv!w(U-(7nKOEn=eROYxrI>pfa>><=ll@;_{cxk$y3M^9lnv-WH~^SW~t;~D>f zbN%CMlc~2Q%+Yz(F})?ezO=EmCTN>|dyxrcW&ZA!((=FTeK#qYnCbX1!N|Z6`pX3Z zgZ}4cB_nxJ80bC3*Y^qk?6hR^4b`%Fol5 zzZ^lrAWOb}!$zbIDFup5gr0rdw@JyS=t2+zR zXV1Ip`LVBUs%##{s=EfK?`tYo?xmU}iR08S#UQjm=ODeeEP#co+FwG8EalheJ6Mv9_ zylJmlh!iLSB>v-?sJ)UBqs60M+wp0bt=-c5nRfC#EN_JE<7w9$ZCq$NiPpBcGLB)k z3r1I`lHXZcA=yUuO`p`AZLPb&RZgpN_c8-g=K_~Zp%+t<=%(E|g`fzK_|I#ikXAJz zlv22Y{&fz6nDngjnG0+@GxM;G{nDP(sF7*wT7Spks(F~U-b5%{|I?c?8X#B}0Xpuhww4@qHYYC2( zcYw53=CiaGNNXvN759L&R>bpNC6Ly4KvvoX(prhm_jN#8-xFD3A4qEjILoSlw3Z?H zc>$2t&)F=m0n%E|t|$sP!6Q^11LW& z0@C^^n&lNhTFaUIyaY(==WLeM0BJ2lvO)on)(UXGuL9Egp2$l3Kw2x&`K}H~>pLJT z?gDA8h-Yafkk(QjEAIhmt;}ahEs)j{9DlL{r1d9&7FYjRTEdf?w3MMALs}j4F#lt7 znpz|E80I_Wl!j=LK-!o3ZeZu%%V6{LwCgi-d;%Dds8ou&cmD|-;H)WT-y@nH_gelYsgo3?*4E_e-hio_URd( z>C*VF*KcN6!gOu=&Cgt^Ov;?Z3q1!#fW$wei4X0M&zecBhSlR)s>}6dNMWed+&GHzKIXIU1ObP4vGMY ze@GKaygk`hL%9t;j=6+Ans(K6<>8sQL;Eact6Y;n;0@y=4>|6EkN*J#T++d*0Vfy7 z?SFUsCrf*vmSqfIo&e~-w6q5vN=Aev{`h`r58_Gz7$o#R7D}g$;>AFDj3uls>@496 
z%aMHEg))!Bc@(U*&221+3oGb4K&gqK5;20kkuE{PS{vFw0*4k}AV3+@dA_79#zD!+ zza|*6qCp{{TM?7b?;~b5f}@~4;{EBI}@5_>#G4GmHdA%*?c?k5Eujk&u%@ ziJOp6;wBgcDFp?Ll!TP(^AW_HPS+XaDK~Dy$|2EK*5@eb*Kd$z-?kGaBC7o@iPQag z7~`y&R(m}A(ObgrlSI!BZKs>LW6RogYpq+(=((4tLS^{Zj+Ib}ymdIxy}xodE0seB z*_|N)a0uW6!~i(i75W#z4)Lqysj&5S-TpQ0!Qc2ZZZ#k1|=F!-3{dw3P8*%!1SX(_^M}qb| zEXy?b?FSd|126zO0Nnt%f**Rq$9rA3+o@@dJXA6)=xBGHZ}{PaP%JdT)I!IYW?}Z~ z@_C#8wHdb<;*4A3MAAPdm+~AuXmJ{@jz&PUZSe?b#w{8R&49(>|C2Lru}f#%qKOlb zp&7T(gj6{3zQo)8`Gi}{3KMQ|-}C)D6K;u(^!wpJmdBwwc(c;w=7>~+%B4OOF}_KN=``zO}XWOrreT{laatkNugP}e~c_i z$u`PSV5}&~={KO*ks|B2eVb=n*%Ft%5t?WwGhXw&*?%rMm@uICT(j;N_y7oi3jRGE zfw1BE+lzC_V{c|12j*cJEcD(CR;T=?_3?2?rey(70qbG>qH zp4)Ry#5jM@3}d|X+t(%MbePN4M1?9RDaW6#C=^Py2<@wRKLY>l3w!Vg*T+1UFPYpk zQOW!|sxEG<+0j{Z$8TSEU1ZnCiPI$xnuVH~ZTlHM);@MhkiPuv?C)Nflp$vxrkTJj zz4vuYy?}vEm|A+JUC+qrYrlJ8*g?OrzS=g<4yTQdUEcljeM-}Vxk5bafBU-Ba$}zy za|i+nIteF6LcGoxw+Plp6}~_4yB8**(R58v_Kv#UuhHh2?}WVORoZc_zMW& zhrjw+;D^7E0I|du5FnQL+BZNf@s$LKhrf~lvBVb=AeQ(70>lzu`v!<5zK{U1#1{}C zmiXE?KrHc<1c)WRk^r&97ZMlzu`v!<5zK{U1#1{}CmiXE?KrHc<1c)WRk^r&97ZM$S-~;rf(J_~Om2KJUXNE#M zcZYi!MMu4=Dpd`1eZ*hV&`28>atC|>1V9DeozEt(%+{@{(JDt1Zn-yy0-wAVf zjcNoqymysWyjm7tHV?bxmlkR~F3~p+lk3Af8KF<5-2@*10Z_res3X`YV;yy8Bnw@~ z%r)m>HauLF{eSn7zUaK4O^qh5zWZ;P8jUATjV4a{T{1Nq#RpA|#^Rx=(a-|HNE9CX zpPU-KXw6*WV#L@lQ=^GfhvCE<6YuxubEEMq%#G&z9`N6p8%=Db@8(9MiF3G@w48{! 
zxrHsXB(t54t%D^2&U4Jj+=PZl9FC#kIcQ<6N3e#g6VE|F{NxC_ws3VklADi@4}n9$ z@fb8W3JXW_p}6rF92N=3V{y=7VgwsoI1hA5XbopwTN&aS&$bW}UJSIJGr?Sscy}Zo zOI;m;P`mqcq9&Dv_M7Vn5dS5yrR}26$NhOazv1@7TL9IMe4t77Ya*kEG*PWI9{kP zKvv-~7-*qv93S6eK-xMw){t59%MHRWF=*LJ)_>WcZ=i4(95)t$CNABLz(YpzqWJjW zI4mDT3o2Xy_J?WGhnAbhyTr6*$r}E$X-KH$phiUV!LbmX&sIRHMM3Szi-7VS;E*V8 z1kv8_O#2Zvz9ptD%X9G8OV6jl&L=Y{5y24V+f3YYv%`=Vky~!r5~q*( zeW#B`5PKj7iCJVB76myGUOwy(41;X?0j?z;9|~1|_o0Zwpoq9IkWo<65gQQ#ha)yD zSGdKzbY5ucm z7|4zB@ga$^E%Lk8B!(BFQliU43p8Sh=g0iM=l>Q4BJqFpO9&d|y`cO+7!(u&^YU>o zg(jkKNbAUPF>WL`QtbQA2_+O-;>`X7{vY!2P+BBNZAcsxkrA5@1xI61P)9%`p%KAX zoBy;Upb<-+0GQu@0wD3kHpTHmyigd(G$9`FgVB=K>U})m6nF=PFSx{4NfB`^<{*2 zPUgOQdv&i5dORnXwu%M6<#?##zlnYojyJ5+G^_z z!ul8HA6s3`c^=oTm6~K)2B9CT$Wm?O-#VnvGfx?Q!tR&?#OPTb3N^@lKr z?&`+9phydrICmnan%P|hYxkgLO(_Q&^^8C`Scn_^bo=gD)P?sajR{y6#m`mXYtz99?8$pLgx|XImF!Q>-4^>*56OAwqaYxzRk}ZHXQXt^c;~eG1%UBGpy(x z1(SLr$rd*U>N*5v4U>TQz=y1)P#K+JuNp#}3`a;S*||h2l*P*j<^4y>9Fi^^A?IY_ z*PwkP;5(O9I2<{XY^a`MpxRX_+n@e^U%aOS*TdHu4{lYOP;WdMtsFlxmeuY~;IS!k z#mSb*$ZR&la<1B`nWnv0TUvEB_w#bcbNY2BllN~PWT~b|(kN3Oej2FPC#Qeb&CECwmk1?L${ohPS`ueH(+m>WbDMa|sA|EVf#?gTJ-E)73)+;dG)nRQ0i5 zY~prC%?EFDk2Btx@YuUG$Rp~Kcn(|hteQadhmmcuep5=FnL{-SlxlmOw%yWYZ$C$9 zH)YnKHKae;!WET~L6<6O$Ry&%e9%+Hh$%c$`(k}pdK=pKDy%k>qiV#9J>M%jfFXG6 z#oPNWGd2f5eezg!ESTr8Ns4^`BgTul!2>~;93nBe+6*oix+|mhsWEX~8@&8ki^R1( z4juH+bga&}{J<~mjRi|r61)J}7qwmQUO@1!V2d=b)EZX#*MWCgYx*B;V`}K^hFhi**kh?;@sTK>LVOCKJD8PaFsQ!KXGb(Oodm$s^p>8^x`cQhvw?kH&$-# zenP5QErr`TmveH-SA8W? zo=VOcR(aHAyz0_{eo{DFpQ3enc#2}3>OE%J1hz?Ie(6-^Ow0RiR*}1dZzBv9jrLL} zQWx0Mn7GaERx>RpH?1%@jH1@Hl4|g2d0tWI-QcvLsaH~ek9*p<-Ma2ixY9FZVY_-Z zbh&17uXZ|IoSJuwL1{iRWq`8v#DMR^LqeBLhdzp>>vwCvzniedg4s6Dqb#Bzqtvec zT;L>4Y%Y^XD4tf=LjqZU=~$QAn#NaU>onI+*1s-tFF2E1Z@l~P%a|7rUMoi(UN32! 
z6s>2!QD^(>onDUu98S^aFodTWok+TAp0H*6ro{dGg*Heja<`i($z5l>8baS>rWDaz zmo-1m6dPQLnhq$P;dU~oV?OIZef-KsGQ^d9-B)jzuz2wSbn_|cu7I4;SG}`iI*Ae6 zwd^%BgT=T_gc5j-j8Pwrnzjp7t3IOLR-u%1eCp2TUAN$S68tQ?6*I*;ykgbrKgho3 z7*u%?HDXh&Jl5zXCEwM8tduzZAk-(_=khasr%N-+4)H#0oU%sRS!Mxmc}oPTG6JO) zj#oRoJdBSe%@;=;U4Jk)**M_TyS-Q41bvSlziDq=UiL~&qT|_tnSR~dS3*v1sf$x+ zSmoH!mbpIu++#9trvuyv3{q2bs3k^&`D)}Uj4E^ZefR9456Vx@l+gxq8E3Eq29^&vVXasHR^z(Ycy-w^WXJ|Hb~88o?%GnQd83Temk#snp2U z-EM8|Xuo>MA z2Fdg;)+dHAhWEi2$uApmV_9Gw828-p@`Cr7$^oj9^z>EAcbo6Nm~LiUeUTzQBq3l6 zgQeYBi-T0x8m}a2o)syyZ|@|HpgU4@e7gHhz2KwBQdOe?T&X=7ms*s3j1DFKo_Q8C zcSCBf{D+e8?V=h!+E>t*DB^2w1vqMdeD{hL4Qm={4>KP)V}+@Bz&EVrUM=S5aJUj- z>-?N5(uSo6l@j|Pbiz@Oag}=HoBd|?D8&b3X@snsZxdbb*&fU{F>x}xw()+XVWfa| zJcs17;=Qgr+EjN5*~sr4w2KrNyJphPxc7rv7s?o88dADD9(` z@-dsNB%N8py-g-#*Kg3J;7*z`WGb(Uyl~*qv7>T{dtIcFdi?!`5C$w(5ru z&ZvxHC}-Gt-!YYKPxN3n-n3R`CdAxS>(C1~nmWUp2QP}_w_tQB$P;1%3Ze;njX@O~yNdsDP%l*2Q^&||d+>m0S-#5P+A zHosEK=pN0`7sQ>4IksCUi|)RZ;;AznJR9>1E_NQAb*i|dc@piBhPJxaq%koreOavC zEokOy$Rxw{3tks}YJ=UlvT>tlEhTs#X-Uv^K0CKf^Fd;OBt!1(;k}JXM%HRr@`sIv z9x{xT4U{hLgGn1Zt*q>m6ePH*Irdl4`{|#Ho9Gjq*nY(MNN%Wtg5W4!B$Kc(yyT5! 
zLk(FtSt8r{nwtq^2)cZI??C1V{pVlY@4SK&X)V8p|J0nPLf6gBo35xGJ=A{*y>?5O z71OA3yllxvA>VT!+EN?324n3{MIFl#GTuDt679F_j9DE@fH<% zBgG*pMcZ`7juVJ?Z$o)UTUL`-<_hbwJ}5TOKBZ3TvZlz2LYZ^(?%-0*nU}{qEbP>{ zW4fR6)dgOAE3R`scZ=5RWFgJdq)x0S2D`6CBK#7X99)KuL?%SM&TE>0_cC9-oMwJz z_PCD@g^$Z6$1HYN>06V@xe=nWo2I?`4P7!`9O6<9J#8%)Q7skITp*;nmw&&ibOOKd zj@%~So0zS2{-#_Vmt8kXz&ObtD+`Oo_p+G^t z_pYhutj>Ohot<}gBk2zH$j3KdO5x%RiI8Q#WZ)xTo)P|HEyL3j2`BWqJ&mT|PwDdv zPV-DrZ4ld}8Cep{7rnnxm$T0ByhCKgO}?@#8ufgq%joPp_@NEeq}^j zTk>Wsb~0mpBinF^QE&1)O@C$iyj^0WekiuQeZm%HeEMKM8uZ(Of@-W(;B6v35VHw{SE4yMsOHV!K}Roj%og;mQ@INk^=_=BHljF-0V$ zhChb$W{X{8lbb~SBXX}3f^2V`4Bks-975abois8Nr<9U3L3iSWDQHFB5^T*wf`by{ zcI#)-u(!Ry2)1TA>>s3XTjRXmYw)Zlxo!$;Y+#(d^A)o$`of#eLqa+z-gP-!I%SS* z-Ay)Gv2~3x zrdOinJ?{r7WtMbmlpfR$VHE1>&!(2oJ&_Pbs7|QZ{dNlR`c6FGtMd&vrB=nV!T5E> zmH1rjk=P7V8UwR2U3Jmaa(2g#cFlNUXZ0gj19t}2v5%lEcTLi1lZzvC6IsruZgul~ zP(Jjb+s*1?V^`LYD1OUSgi4ZCzt;<|CW=#+$EB3yb<^uy=_>4SSB^-_RLdSx*SCIn zQmdMA*Ko%tH+QMYU2+=(keyxpFE*#T!0)A<@LT_h;{mgQ$?7h*__*|_>(Ta2EEFyi zPl`)8U%0%Pncd{0QAAPt;YzW+f6FZ#c?dOyl*0Vkfa*OC3?ml+2 zF=cGssPqfb^WE`tAsy@zW@|A*VhP6USg7sYJl&?v1XI0+o?K2DFH2!Nzs4tDfV^mZ zJGFrLmFEu{kj7y>kDb=~B;VDPe1$#{&B~@;*g_u^_S$c+CNrL?V%Egq3(noeVn zFm2L3AC8>VQLsll_wht{86=07!$zZZV| zskP`-i_6qV*QuJz7B173bVkEkc{7t1ExCU8Y;IB(;sTGhw67Z(c9@{fRV2x^6MucT zVN*CwY=ip9xWL5VyHfdvx2$)`UJUUxA6E>mZH}*Meiu`!A~>GdyU*Nrm#j#U@_-^N zw&Onau^U^x56wN0uVe@#<3t?yn67U#K5#9mV z&4s1e<+mc=?R(vZ9c5Xc<{a)srJ+tpXE}2Ob-sqWlHJ&{7Vn$#|Fo}w6l3IX9`OJH_(1}A`JoVRDyjP7qzF1PI zJgXuVxgWOX>4~I)XFlr_8usZ!m_&L57M zC)?8`RzUn~-uB&1~IR9`cvLC+71bloPwTVBTAN(Y=fMR z2>as9?bB1}bKsvp2)My$pW%DD3u~fM&{I8|99n}P4HKf=_6aZ>y(^WbR6C8T$@dMV z1%&{}zf%kx`B`vepE`|XA6-%BS!3qh&4ZmqbS&J=M!VALp# z1N;CC{uMgd=NRAO7nFPQ>2B{ws(BT{MQ)i@?wOLb1$nwr%yPf6a&1-BNG68~YY!>US?BC=c?YKp_C~uM|UTl*V~PxKO>$#Y=O0(>;P_ z+hz}_IU)j1e~hm6ckHkFe!yRo+^5;IJ2uCZ&_%lrO*-lY`N++v@NnHpBkh}99Z-f{J*tH zlAu9f*PI;vHZM9P+ctu~x60p%E7c>gFLvJtm)FN8A9TO?Ti0E564~*r?Qz)z#avg# z{q{ZLcC`_RNmY~8*m@Q9!B2?+1F}`Wz48EMh^>UWeMyYtT(tc_wRc~PxORVX-6oUx 
z#PsGFZFFNq1bmS}e`|9Mf45KCz-^_8PYMG~k<9f<-USVW*hNhte&BCichO0k?W$PK zn)bx?eSFxIeiR)a$LyJ0s-ha7^|a;GfP1B}kN4R{NB^x&OkX&EQ<|cB{e*nF`7Hwt zH8dT;H!(%S&g1b=)2h%~R_4ET*~KRr)r;Asn?|Q6^hTLC@2<#tq`$RvpSFHh-|90h zX&VHi`B96H{#)BM@fZ8d8x$?HYL7Q($%fb&mI?Z*JuSDZ+ccAB%HgD7tM|7qyXYj6 zD9|ky;rRI`=oUX`v!n)eizPUIx&xjTKSi^&0z562^7!c8W2P+rm?~{2%=Viv$zTbQHyE(d>aH&KWDR~1_V({aQu7+1W`X{v$zHXQHyD; zunmH!72qtY0zuRw7%OdpAZjH#i|RlSwFt%vn;?i<0nXwo5JWAevBEY8qE>*js0sv8 zi(ss@34*AV=zOaKLDV-ED{g@xYDGNXDnStSjm1h^Ac$It&Z0UHL@k1`(k2L^R-*H* z4g^u(Sgg1Of~XboEL4IZY5~Q{8z6{Una@Hk2%;8HthfP!s1@;is{}#RHx?^yfgox{ zJPVZ|h+06g@&*W^R_61y76egWN&Lwt2%`Q3(AR1ZM13W(@+SzQR_3!%3xcQx6f19l zAZlekUu!`S^_9e*e1ahAPXK+X20_%Xae{#$>K8$QAnMmZfgtMFIKe;=^^2fD5cO-I zKoIq7oM0e``ZZ7>i25~7Ac*=!PB0Ke{Te9{MEx2k5JdeVCm0B#evK3eqJE7N2%>(G z69}Sy5fpe6^^2fD5cO-IKoIq7oInuui=03Z^^2fD5cP|oz?-OF0|kPpU*q)u^G#Id z9F&B%a`r!$bGTt17NE$Z8vXEVlGtp_JWN|Rn}66}oqMido9$JlNiLIOed(4^6@f&D zlcV_^ZlzSdbX;4(?*Ax_3%O^ypFU`^uoo_yhbfxWWNz?^Gwm&kmTk5(7OiUNeX5Pt z9)e_ZwYN|w?U|UXTyD%$L`?kMErIUV#`MJxBsjn(;P8K51U2!)-g}1C;;N9swJt42 z&;l*_5D`rwp~im*qW~VI(lJg~dBRzcHYoq#_}Q7Wdq>js!+RMg}eJ z2_q%@<6Qy?*(N!1N-QZ7ZDoCqf`0u@l*oJ|jGB19Ff3{w#x`vy{P3ZdLfz@t*u0`o ztxc3^mMYkk^Z9YXo7R}VOEfW{a8u{y+T4(TvaVt^s00vz68@Flp`iHFK0hsq`@L~< zEuH+jv(aZXg!^id!c(dJTct-H7M=XXcZ)wij6U1VD{hQSEiWjcu`1C)_<0m-$j^`d z#Ts(`ckg4IOE)ES_Dw!A{cNehfnPlLr-zX+XYfY1pbBHAvp&VKP~Dt0wrY6!)1!a2 zLfm}qp7gRL<2my@6Y>1^dD!M)d)r?<`KQOx2LY;pD$pwM0Kl&TzY3mKAO--D6^N`r zyb4AEKOHjsY6Tcufw2`Bv4Zyi;Oz={X9eC_fj5ER{VI5C4c=OVzXcS5vDL2*p?-QC z7+Zm{6&PEAu@x9wfw2`BTY<3^7+Zm{6&PEAu@x9wf$s$VbkO*#72rF8;G34<`>Wtv z!Qi{r;Jen~8|+|S0GMq7W?O(cEDyoh3XH9ObqMv-oy^1f=ew97&(GHB zQcTA_Up=Pk&Dfd31gZfRAcz0WZXnS3sV%0?DC@z5n3&zclv?3|TD0)TpJXj2rs-Xh zRCjsq+y7eDVmvWHFEJVK9|?NDWGzM`kZ?X6F>5gz4P_BVqyNFI#b^|CcVgCJD5)=; zcw^%I{yb|j9{%&J#eClb{ySNViLLZq)?ysd&_8Lp@3IzS7iTTzL;r(Wi?RRBti=Rs z!!KEjS^mgcyf|+$2?Z4?B^fbq@g68|F^qzo3`$!}`X#k72`NU-ii~2D?D`EGDaq;C zk=sxr2erSYF0O1jg3%BAB=W&?*iM)3W1+CH((5qrKVSef05tHO2Ev7()Oyatkj}fR 
z0;NAtm5;x?S#esVKW(4S=Fz9nl9sR&J5afFXESmyCqHsF~;$r+eH?H>7zYRk*_FDO-`>tZUm#*8@L)Kk$n+G(0bR zo(dNQL6_UxymKz^I!-oCLDDyFy4S%n=kPCHV z`q|l^pYUrnqzu`g1YQ&N$B8xA0CNFdAO;u=bTy*y0G{Eq2L)mPV)!fs;twDOAO;|Y z1p+_}3n+kR0Ac`QSReqzuz&)11|S9?h6MsZ3=1fLX8>XVVpt#m#IS$@cm^N_Ach43 zKnx2gfM)<=0Ag4m0K~9>0(b@>1|Wt70zeE4D1c`GVgO=TAOOU$fC6|1AO;|Y1p+_} z3n+kR0Ac`QSReqzuz&)11|S9?h6MsZ3=1fLX8>XVVpt#m#IS$@cm^N_Ach43Knx2g zfM)<=0Ag4m0K~9>0(b@>1|Wt70zeE4D1c`GVgO=TAOOU$fC6|1AO;|Y1p+_}3n+kR z_>mZ5rW+kBbN{2s=}M_|-g2 zZXOm8GU|WA8vF+c00N5$bh<*_qiC*#wcaUcTKJ7XsFR#wB}SK#(_NQtJWQ`SssV41 zY+k9?99o<$c+=jAqkmGWp+6`E6ayyz!-7ahdh5=;{PAid&?+8(x@N_HYqb$*{R|}j z^CB8cRvSU_L92~m@X%@_7~*Op7{oug+6Z=GwGlq(UeJw+_xsb;Mj)Giy4nbic*P}) zg8YruMn1RF_p6PdzrV1Exw(Zc4UfE?j;(_w0nT&G$lQd6M;wl!;W=nwtw*qis}ol! zA@Y+W=-R^7@knkyK0X9wA|A!djl!a#C039aUTzE@9s`lUW02ek1XKu}AV#pUh4Y9g z9MU>+T#OsZjXVV1$ky6U*H%W`nqY1VN1_pUAt4%qxgPPCh1wDGA2bh#$8kdom|&5M z&BO8XK{i8$KQIsV1M_&7n1}ss^Uyd1Hy(rH!@_YmG&i(N4rCsh7fCFG;4PTEV4b#( zjMa$Mo`pXs}p%%mN;qX{E7SH#k6_JZ9B6fkr8e47=YKcY5 z78m-<7V%;sgLv_HJ~-4NzgmPr5ql*T3l(A!e}G#M)A^#I9w}pucPv8jpe0 zjl%IRvJ1^iv=xQM|G=)#eNjecxnbBPhAs2mf7vh$j_6|%L^v2cH-ZQUj)8zdWzf1> z7%U_?BE$t?pAC~&SZ)|@iDAF*`;o+3WAG>hgbaoFVi^*8B0yaca%mVe)G2?>vL$XG z|NCwqg&=kS9106Z<8WULLm{E(6GRISN8@>a)vzTFAL`)0>%35qyoo^w7K#e6kYQM8 zH8M033lT%}LBRslS8-6$(xz09Uj8IPF7fyH|A4V;o`p`fQGREB^I!w|*4jF`Oq;brPaE%EyJ zMP6Ur$kY}JY?wQUJv1YHX~0u9eGg1LdMA+g&-y#{V$YfaELqd6ViA*hkSnr=1J zrQC0GP9~V$lkKebyWYd~1EOBIP1ka=y!tb)MT*~M`#7}P`pDolN$XPy@w)YEu63WV zKC-sU>4K>EozW5D%O~1Lsq*I@ZS_kRZk}@?gKJ;&o#oksczXKkb**)Vn|7wcgErM4JQ}fSr>x4F3J)B^$>KuJ z$YIzX(j6Yv?yDVna`4q$-A`7@=t&0Ane8~NuJZP6nv%5UZq~=nu1(LKP)~29k%Z^? 
z?Amvjs?1`Y!$ED4n?CCZuLX~^2K$msK01_;JN#T#4R^xS%))}@ZCc&g3Gdc8y9oDP z>rUR%z};|=JAe4PmwcM{$lPRlQ`o%GwB^m~6LaI`$#YZV1p|e6!~W3%*A`7@GT&oU z9(DUP^Ut4bCf(}%E@P;`Pbpq2yb$%wQ|su{_fkyZmLvvA=x6Qh9BZFnq|S!RFuhkq zx3};d7Jc2=VsR8^oM8J#ZF>9FPh?En65L1EiAi0PGj5%qiL&rLqx9v`Tic z8sBb=T_e^0g8#5oyCth>oZNwjiViedj$OrFtFCV%BfX6yta&NoO-pT-%YIXBr^rX7=Pqc1`0aaN1we z8*e@a#olt4TYrR8u@`TW{WwbK@ELPfmbo=yMXv1S+V|X*wRkM%#wI_O4@|HP2|hVT z=2ORW$K$9!vw41W4h3rz-P+QiJZ`Nc4^2%ipQ=VyJ*=k3#USm^Z!p|pm~Hn~*OR{b zaHRyNiUhe3iNOmqQPZBP664f!F!;_`%fj3{yDW}RhVMVXXl*MiX)wIwjn_7w4PFX& z8cT1Z0(6QLgkhpq2-qoF&x%#HXR*7_v2WXL)HB>deWStu=*%-c2BuyZtzhAWs%8Io#ukE=rVUD@IN@9D2`x4LgQYbxk^f#?0xI;Sfw0Uu}BT`WD4-ius_;B^gL z{qF4WIC&h&=6MT~HIB)3h+V0a*XFmyAvcXYRlMIBEx=JB;T_Z;YGS-f@O843dYxJV z%Z7KK&aWol<#~RFHN+{d`O$vIoj1+V13r{zss*Xa%S2{!&0{O?shQl3%ohyWvwi1B zGJ8w;RWCQ4kBL8lb?D4|;%0-ktBc+O>)CLvJ&GD-eKh+T#^0{smObVDM`#4qny5RU z%<**wdq z9b0p|-r{-RwgX8G#RD?MiEnB?lARJ2`M7_8MKfgG0sriJ8j(8+*F#zKw2b%Ys;`ac ze|=(b%d5*w4_)v!6xVcw@s-6~5*sDn6z?y^UJTe9VbhEAJ3AP(UG*K7OPdbL zCdxWJ%G*!Cwe1C)&BH)z&JX*lZoIs>i?q*?ik{TO<7OjoCr29nsWhDZhDVCm#x@-^ zmt$#-^{tLuXYQ(oBE4Pph&Rfk+R*GU@7l4|^lVp!=Z43kPO+e@V<+D8bhnT8>Yf;t zJCAnW?tIkL+!fPj-+h3p>V7KAPKL(krHm)*Z6`Vh42p!NhGU`+sAs-QXt7O1lUAM} zk)GGtnzkp2&5)s5{Lt+WTMR0nrnz`<@2FuArLE@@-S;e##-HPTt2QawZoTsJ>b2)( z+Yx<%kBY->0^#Z8ZFFR+7I3pXtvC&{%+tdHwcGV;l?j97Va~DR@90~lI!j4|wB5Jn z(+0)oL=UxXHEMEtD?bA3zu%HQ#rkeTvd0;HO72UrQrpLRCfOusl+3rsiPrfc)lV>( zxZRf*-&qvEGQvY&Bg@grBXv*w(S@>_ZJvd2Wwh$_%&O$ueh2sPlq)1l1Y4^mw4aR` zA=9Mm)`uesRVkH=OqzIEplb12Ew_IXXETxP;;#oC-W_q?CI#wPauKYrJd_ zp`k=+AnaTWQaR;7=WF4|>qKR$AJlhukIO!CDZa{vbU7Y)?_kAv-v0y*fMOUWmlA>KB@_XEp1^wg$`I;y7NPVuHTV>3z$-oL{)pY|QCO zkelcA_MORlimtk|HktUoaSB6GXeB?-QrN#a`(sApy^->?zOHb-b28leOlytaUJg80 zRW#AFHo@k=t9s*|k;QZb^)>Y`g~B?Rf~vQpZ`PnhIg9pYzLKOpprLi@epuP0#+!^- zyULnR51h$8OT=H8wlqIc5fSdW?~op5KksEimy%oJHQ{}=rZ1Sy&i@F1%cs|?OQWjIz+aa1;@r;{&PG4RpG9R(Xp58@(>5Jrk?iweB8c9id`(^|K0LgPvip z7>V^0v}yN8&SvfaaRDP-G_(ZH(7u2`C4vs?@P%d|2Z{IoX6yZP`5>{L=& zbD}MklE(Y^@r>ji&Q2Fw4bNkTF0s~z~FK?FoV 
zdKUqa-aFFypExrr;^^b}%=5k9?>fvilC#fA&dt5=z1GgzYpqRBV8QrIiQ$g4a?7>r zv4(7NAEZ~(DJF}?h7YspPn2_pHrO>gORS|6y-2B0UFF8j-OnL#lc&?G2elWuC(tVX zRR+bvWLcv05!8J(r_8Dp#pS2>OjVwU;CZZ^C~Hb4Wu-4TaM~Jw@Os8@Y_zuR!_$>I zq(M)8-(~XYK96#UFv|&@pTd|rk=~E+S=w^wEhA=V!qqOD8?@F6ZanKUl%FWXHfF2& zl#02_S7%rdA>fQx{1~mpsN%0o`~ck{5TUs)U$*}0rVis!0N+O+Un)AW?7X$mxT+oT{UG}WuT%zx zFmx)RRMLm~@C8zqI<7#p2=fX*RQiK^giyJ)UgXhY1*q}>@(EiRWyRc}g4zB-$=#2U z*3aN({O^)E{n8uiS|94PZat>VKB2fmq&7Ho>4I`7`T5YGRvfGAZkoGu+5)mnwh%(5 zA&3J*v>I};3RN)|cFCQ6P^n_ITlLkgql&$`Zg8htaOruO36{4ueXdCz<8dw3u=#%K zGY78kR+}Q#6v}VzGOos-xOH&xeUR20dV!W=w<@2(j)%2N3+ZPf)%eFn|)l(5vZbwNhLPxSm z$I~tv_kK0)K+k}Th$emua)SG$pZl5Rn%807nUlh?NbR#{6iTR*$tRLMmibl8NLLVq z-O|1R6I7j!T1Bs>PQRMIQ$AQ^bQh6+pI?lOknUj!Nv!kiaM^qR$H`T^r>=GOO}yn( z?2VgJeC{iI-<`4Zr7HcU);`EmIHtW$8SzeSXeiksu+mPj-?3&Q%tch`*v)rSPtUz{ zAbrqznCQTh_gCIYi}MSc@3t351QKhaM6RX3z8l0?AWr7lr5tsZzs1F+^WmIy_XqE_ z>;oi6wFhlTVj`9$F2|(n?8d+Dcsq>9T3PA+U7PX?_>;J8_ZkZVkyH2jAKwiz**6^7 z(cYVRgU=~82}QcFzuJwh{HlYr%R^^z+NU?J&9tzX+uS#)J1&$kWa)7)XKcZz?l~(@ zUi1Dd_hZu&6YT6O6g?cR#s{*B`_OtT4iqw1a+qn&MNHhD?=K^ca)e^$MJ#2d-me z&Z(u;xUxQ9pX6IGc+ULFasLtFM>M9NFvD>Y+1bO3Bb}-&-&+exwcS1Uz)UKzs zd$J80lToV2bH+m|4Qb0dvV+-2q6J@2hbix(2&^b9r%8N?r)UQ|ZmQT;VQ65y3pw4d z;p*dw9`aVL&QMNj- zB!`(s4a3}0wXlb7w8BVD{-|IL9Oyy*D|#o5YEk#}4}Cm$I;woD%$LhB29HxgRjj>a zM#K*FjJt<5G27}$aCUEQ-GIU?*4?XOl{efMh{nq*GVI777af+Wv@qhbl|1Ijd{O!y zIh9*|l%;?{@^~TlyGobgGEe^pP3NBn9(!O!M78dFT#8Inr=v1loGaKVciFM$gvIgX z)8@M20xv`9pTWjxr#)^Yldti|CkPzYyGNeFnNfd%d4XHuu3^ZYMU|>%qhp6ClTXn0 z=y?(#E>!rrtS`^byK><^W<%L-;>@A4J46Zl?J64xboI3J?qC?tG@A|^dZO=}6Sa2K z>7wEfm&)85V$b&AX$@CcO3#32UJ}hr)zy4m>nfQbx6eE?FpVisM%d%D!b8G--a+2B zr?FW|R;LNCiwYTxFp#ZSy%q?YY}=6T9{LKx~YSP_k{4n{!cbxLMa>j+zJ~e!7 zM^u#(5sc-V^(Wb~NaE@RN8UKmEkw=^Tg>de1}Uh2TDP&byg)+Bd4YoWSqfl@!5mi(u0yh{~jpn4yQ|dAW|C zExuliO~5b@n?PudNkxW_tQ&p|8Pm`yQai$%_&91?B-Y_0o7g43KOd=mUhG5fSXoe) zH!ug*7=b5wf2~GJS?QYq&*s$3jDSaTa2N_r%yrt>%*50IiiYzNbBWqm+Sn;w&^H7Y zF2#(U%nXes?etxNl}j@Rdj(@VQ5&lZHrCjMM&NyaJ@gY3RsQRd->0`L+v!`|pSQ8I 
zf^vU;2na*MQNTm}zn%hab!@$d>^mbNB>};~fk1G8{~%jk5K+iJl0Bq*i1(51CEZWH zkAn6%JuNjgE$lE0ji{_2=64(WgHxG$W}Ro0r+HGJnTI_|Lh{b!NtcT1Wq2^2izEU*Df6F&mZS;C>8Pd zQ^5>ycac-T@q`Z^(%*UuA;O*&f~+hv(apH)v5|1sH{5$yPkPkk z%&a3^wjlfUt`WPH+^W0PjbISq={Xuv-t2PUhC=p(S)nZIX51{;1Tyh2X+m?+sdwFO zvxAI0osaxl&H4qeC?=Lc4g{HZW&E3$7C6i2!?z&RGStLJ53iruR41Cvczc;cLEM)p zO_=)lp$dHU2Y!^~24EA&#J{5njd)#Le#^j$_XdZ&E8Ll{)eNtnGH~OU$<5Ev4|nW~ z-MAW3j_HZ1IkpN#WCp z5{^@i-`=C~_CNjXzurd><$gG=1fKL!Z!G@SYKV#MB;ED%G%gwix-&UTTaa*>O)UYs zzb^jAzs>&mOHzTq#0C6IenunMCqH9o`*~1Z+xhtM5vZ;o^YiUlP+i|L@}px=T|Z)H z=Q&VaJ30CL7EoP(&&~JFfa>}lD}UDps_XBV`F=a7uJ7~m{Z>$2-{hW0KU8hQBt?` zQV(40YJ68xAGaEFSZToABS8L6;v7;?BK~#D3O(2aGV$+dLPp+xU~psYdU(ttxnITk z`OSy3j9%xpqh$83nw0g#5Ey8g1oPh;s6Xn8sEU@E0}uYsbC4z=<9hDb zrpVvFn)&Q9NEBZ5(&Z#gAP`C5VrB z9<~K>ak^YMeHr{8x-~xgLnFVD40S6cav<47R1`tpNfUg9t0Vo4d2G~g>=oCO}0LlP65cvvUqIc6yO6`Mo5ZD0n0m=a! z4gU>eAU)_ZWmtwYQuX=mej0m{$MrR;hE*tqM{A+YBclb zmajMUl7c$eIT{NJe%_^v_nWwO1U3vEh-(MpzM8$DQ+f|;i%z(3l5#ausBk6Ztc)wl zcxN-NZ$zD2Svy%ezvSpMJTXpK-`PeMlkt>U$V6SxtM0i6cp9Vyl*9j%!@$;lzAf(F z7Q|A}BI^C4T7(KuF=B;!3$pkw+{T6sXcn7Mj zdY7>evTl~#QA_COqg-t*5onLE_;3n4_xPP39AaJXR5kzj&l4I!YF03`uR z;u{7)Nqj>HXeB^NfRgxz0Z(Gp=f-(n~Vj><#L+7uS2ou>}cyqmv=ONG07X zmrM0x1Ah@PBV0xbzNjcE_*Yf1>6z@Gf~R?3-D|KRG1(n_M2$&oe^)XM0re zVsm-0DJt7?dEgjqE)O?1@DC3*mj{FR7jt=#f93LE5K!!mvA6qqE)VYya(S?uUf39z z6MxP-`X{+O*k1ZJmk0Ch2Mb$U+c*FTO^yZ*pAwv8%&aYlxg?;#ZWJOmc1Ff_P%Uhp z5_XG^v&M!FP%R_^!HGd*fbBR?NEjy)ibV2q@}SWu6cokF!wE+M7m69%J3zVg4Giq` zl;y>N4+nCg3>_4(xl#^L7y^y}@}i8bjj(?p428jd{In{g`+r8 zNCdD?2n-1a8c_%yB$Stjn-j?mG=7FAtSYRhDlEqd`CBze5~iCvga1W1Fvt z+u@pi86E=34G@QbVfP#2{e%PqMW6uF2Ji-Ke1t}GqOg!Zqx)Op5U_2?cG&b^M)rj` zIQ$P37$^(_=S1=F0z(5xUFAdqykR~g+c88D@NI~G-xAqOs#?j;cxO56e2h$bXaYhp^$C75LHqvIAy=FJr z&DZjP|K7f)a21>eXD-qNDUF!Z_)Q50Jtu@#a&;wo{I73oqc%5*egWZ z_^9u#%QA0vF~V&nlJ{keOF323F9bI#KIxy6k}6?RpnG71sKOb){y|cYfhH2~iH?YT z^&x}Gt*woWDG%-f*wOaPw2Xn>CuyGJCA-&ebj8*P=1(wp8RwNw`GPe>Hl6bfk{i=_TdsD8`OVCqJ z$g1W3X^Z^v82OT}bV5_B+L`WxKKJZit=>sJM5@X4VQa$t=~ZvnH+y>NOy%8?<4jrE 
zWzz$^GxQReLF9)k1QPD6x}EHeF{8!fX4Ugf10_wK^u{V}uh$|a^0MYuvJ1A_`$jkV zMxEm^qTD_Q(eg!2p;ERF5Y=YEMaR2R=Jjn)zL?9@ioE6K>UJ+P_w@btn#Z0GJ?i<2 z=N}(1yDkek6%%lrjrdBBQ+~l#qICZQU`Xqn?JvYfIl~CS6XS_=;(8=6^{eac-hAmE)B*Kgb4Fu zo?qLQPq>Mg?u)cx%{_MSsN0wEZ{aFV8yj6m8It-7Jghv5_ycx28O^7^N@AjGFS+)Q`+Y=rS@;PdwsQn~-f% z-@Y`SR#)Uo zc`c0gbr@vmm5V0IWZB^UxSx=nX+8l->a9izy?u|HJ4cxhoi0F*hCfq0`H1p~Spx@` z<~v+F%14eq9)ul=es^${raFqr%r@f^&qQ$$;@3ZDXDV*YL^ttwHU*T5Z$KA5dOv@- zhh=m()F$u1VWI>vbcAh1t zytlVagQK9$tb9P+-$Zw6zSwm1>Y-r5_Nv(fWitKHJbSu^2RR(_^bV!PT87r6o}>#r zj!BHJoxOau=`1v%u`N2xc#Zd2ZLY7-nlE>ERBt43_iA6Buj&wzAlAU+JkQ>644?I? zrB#P?q7TlUvu7n02%?1{}%u^7C121mRcHz)K&_TINzK8&4b z`J0bHtY!UJB5RJP3O&tY;#+57q8+iHJLR57$k|RByGz|lFobY_bA853rE?Q2>rr?+?;z#(8j^7j6;F`eb2pq9H+NpGVr>)bwB z`9_Z_Khv=I{trBTbD4UP*)@+ljhiOmW_rhaMP@IacTu{iHSB2OUeiw0Ku2{@=jaE% z6bWx`20w(wtP-`!bB~ZJzl=NZ_0xBreW0m4l-n_3R2$J}X%`|9^HL zx;gTS4plW`Yw#fn z(bTBRd8GJ!TM^N%wPTSq)CY)cFkN_skQXOk)bDzbw zm`VHkiHs9dR#hEdX(R7l-{K`W5ES*KTW5%QXL0B#)rY-{7^rQQpnPez*L9R0gQ4O# zV{{{~4D30%Yvg!0hh&Vd8@FFrSqA@ zKl#YLzk(0e{von!_pLtKYf&RhX{Hb#xh(24moWFJE;m&RG??LXHQX1S!+qtV5Z=>z z!s5c^Dt7<%3rP~;RTbT=jiC>Y9{PyE37y@mD>&UT%w@1@z)#VB#k2WU8?p`$A*Iow`y5<^Lsgi z6XMM*qE#aZ!mb7FT7D6MGrX~JFenJugz?tNg2$sJA6;%;enI+y0h~51kA{W>hCwoJ;SlKy1{w1BWdJjO}m_CcqgCSo{(OP;|ufot4=Mp zKBLv$c(1+p8S*6HE{z=xmL4_{U+7_%mMt&|GthbeBAneu)GNflXmn+j?&^e@?88nR z8Iepi++bueOH|h6Yr*u#+6@m1GMJuNJj-`mU#JKgz4Y;o#bLF@yd0Mqhx&tkI7xJ9 zn3U_d<~2smTZa9%P539$igx$W6l-y_hp_97Y8M(*T=A6?K6A#3=$@`(_)*luUbQ~y z#>hRg0gly%%~~D4vdPPFIg@7v9(}}ra{3w}%fWqh$tkHC&C)F^2U59V*IhZ=`X~)& zLJlRKCxFHI#L(xN=*pX$7BJd+6jj()M)#ZfiCV`O3QCJNja!^(bGV?pGJW;_G3#Rm zmM>o2t2yNt7SHK_)u%T6U5rJO)1*%fErE94idN}F4`0gqX8*P5j1G#fhK&1H8P2A% zW$X5$6&|u&(0cpCSZ@kHMkSADX^=PogRIPMe?8ria@R3TgW#M3XRoMfZ{dV&QJ$#N z0a2BsSDtjS?9#sf&>ZhdNR9X9$@He)+6(&}v{KT2sx{4|Q)PIcb#4Zp9;v&O&bWFz z*>Is+ZqxM2GoAd+oL1`hlWSzD-d;VTH`cZ`*NmO#+lNziOFTFG77KE^YspGB`bC-6 zn`?%JiahE|uTJ}`*2QJia_8;4lYg%4Nno*HI-AIIrcOlz=2xf0O|+kL%iUhM(p3}^ 
z8hzvCm12s!Z0#&{ANSFDq(>xa-DESf=SV%l5WDvx^DzetRK>aU#fwtjQcZeRg6ygn zbq8mZt@K@_E7)o9%<=Ea?0S`$fTwfH%Czi?k-!ltop*)kf^ryt9&0#(R$i6cYQWC)azd&sy;6KP#7eo}Yk7N(&9^!qZdr9|` z@1vkSPESisO$$5B!g%~7LVzEGK%-8b)|NXZrY4R;D_AM2=^2=qnh46;x?V7H(Ka?Q z+5#ZqB;}HT?npm(^ns9gR`l^Z(4y7Xbekzy&F8(eG zIG*sqLtnNXURkaqP~yl4sWyh+lZjJe1z-G#1XXxAH=e1#ZV_{2O;>!*y-n1uHp^O$ zjwcb683uPP&(`{Cq)GF#p05C#KqmejO=M7JoG;SJtehQeUy(`yQ?M?G9Sz$Wf3>yYIf`?J(?AV^bsVBzvE)2~j(2~|X-PZ}5qmB$ZvN-ziYC~ z(ZH8OQQY@j9JJ@QkC%i|_S3gGhDqFU!d4p|+tZJh3S> zL?LvyUgFf3%m3LcddG=d(_Y3Zb0w|v#j7DEx|4L*O)LsIdbnJ)*1g{x^*#~pfAODv z^p|(>jCV5jtXC%wdMCwrE*`HddW#^fYj@Eo)Sby$-hzb7Y-$P6eYyM}zA|f1=POzX zRjb~Ds0gl&DMqa&^Mf^gqk&vt|V!w>)Rw&qkLXZLxw)X>c&&yOv! zCqJ6L;p5ZkJ3s6GvbTRzAF*P&VD#ncfA$I|UibCX#~~Fx_6_B==|l;~sm5?8r-GNY zA3k0!sa$_)GS@ls`k#IDmv`aG72WBcev?$Jwwm~{_pCoSRK9TYy;tB+`5r4jY6FML zkJ$P49OzZPW#q@lpjY`ZKReEXUS$U*KWqReU_Yd1$4PJkwu6!%Hh>ebAJVhqBsc-v zLCH@VzzNt-2-}L#ZKMzj8w)63`qyL{y zz_|QkmatEYfv^|g$z=Sx+Xn;i$H1UD#k<_u9Uujsa)r9X>l?t{otK2W$eF`0r~1mS|_uK2TC0Pi8*=0~WazqK54wm>0>`7W?5t zcL}-?KE3lBcKKTn&MCvykGZHeJPB^hk36X*#b9v;a4M`Q2yvqCOdyka)Qip1ZI%HL7P;nxef z{Lw?(3%Q`Vca&k+*=tf(`X)eLx|*4hgDDga)Lr=;?hjPZ`1iv7Q9L|fCBXl?(f&BI zM9P0g`_ln=1lxoCAvgqtyZ+jd8A5=Aw+nm0AL#%<8UQuTStUFIBn)9|cWD>-enkq( zFY*2fTadl$%3F|XW$(cw-U&}tspMuj*rML6tMI*ep5%NzhqA*1%Ss_icha1vllPb}A^ZdqJ5I?nZD?+d0$xi(z?)Qh+9O!vJ zt7G$2Jx8x6X3%tk`Pgzx-^gzVVM6Trd@3A^(+s-3-Mm9%pL@jgD_wu|+h}p#Op#Hw ztycIsZj5fK-YT8*4v=HI`NO~OKRHQ=$mLhl8mB(d{xN<!R9Xb>O}&>(;Y;ge4WX9%D{zzP902%td#4Z!WH|IQ#d2wmP(wfT_L*Lp=L_r%QficqQ*23HONm3n2g8~x_eF}mAF`r-JI z=T8Ouzus?q4?G330czu484dw`n_5NQYsZI2s*WvgKHOkcs@;t9_a6Jh82rw^IDfMi zzoUBn&Q;z2*;+hMl>d)q=51^72y8ud7!R-*j{x?rfMItxkhHULya4^YRmrDApqM(8 zOW97}+WrD|+YdumV7(b=5i@o&Gc=a8(+7^Fpun~u#y~-OE*WEM6JUv&_nXCd#Gl)$ z0IStd>}`R&{d_V0?{`%}bML6Y|4$avG-@fe^S z{g)7je|Iq+7l+97tI~Vewf3)S@8Rqs#KkAT14{250ZQ-T{jpg8S9v}hJgT#}Jhr`={7Rem-?pfX0?0=;fC-AN+&>3#n{U-dQ{Za4$ev?K+2I)=S@0cT^ZQ+Z2ePz!NvL^cP1gtocW%Tz={v2e)q$1i1m6G*NfpXtxNpH 
zdF%CtmE)?L?(MV7g{Ob_qag>S*EUPSUMZ~>SBA9<-J5XPFz>B*+Z3Yt{iqpyR&Ve2 zx#enawT`*f;dy~T=4VZTr@{MZ_kp7y3mTK{6Qx4`)Fy6*2s z1W;0Gprep0mTgg#l2InptyH%0$T1Jlz^6d2PL58-a!dCE!jZ{I4${> z5^!4bEhFHxWCtSiW(b3rTl9Tb9ak}-)9r=fW4Nanw^MlQ&9=|O}}`R&{X7y5^Y>+G zfIzx$*!>5QaG$#9o3b=8EYLr@O~TC5!PpMUC1I)WU@T^AXk!Evqxmz`4-V(~DlE+< za#B;v=0FaWSFc{_FyvufD9sD*=bDn%%x8JhF7g-nPUha8kWgV-ohGq+ebB^tv@`VT zV^*UVO*6Oo!=|-ePIv9ET(7){GyiPznqW{~Ue|iQu=4n6*$r9$x_sIyZnR0%C_(gZe36+>58dMSIy6a+lGs zhNDzMOf?p!ZtPp9d?d1Qgo7f(?7gYcxCW1v;FSrd`I@14oBj87n?iyK1PIb(4${kp zJoUK5luqdFVHFp+Mi$}MK2W$aGhJI@vFE|4p9l9rS`lV{;>ShP%_qssmadzaY+b4o z3_mn5FhT1tX5y2A>1v*sxLr)!06p_TRN|5M($ZE?PU%UJS9M+0)E-8$8FP9I*~vW; zZxR_Bp+H@Or}8z+2iigrF>HfwR1<~<5dEzZ=GwgGrg5g@InV(sv#b&uH^8LjT~xpn0^uc zyb4)j-Em0DsEQRumbAb3k!1b3qBy21HblhcaA0cfLD(_QcuSdk2U%ye&-skS8Ey1o zq+>D`wz#A%1mhAzTy+C-aBeEc-nm`kNIL3ss;J8lcDVUTo<*(`i!f1{y@=4U1>heu z5w3Ih>?W+IFFH1ageO#JfsdJg<_{(F!sO`?lAD{lsW@EYKE5U=KKSU+d~~j-;{izVnIzTO zn^6IS`%Hb-$PQN|sQKegvR@-^?#yhkxI=VesCoKnY>cB_&uU_D!sf75^r`GyVR@=b z2M^xYI7*gBW#qa`W3H4qSAgVh!d~?n`tkSnOV_zBB0{O26AOlxZm^|^SrSMVs^s{} zNWD#YJrFrIe|WOfsj6svj;#ec=3}DaM)+ccn7jJiM@UR{M{HTkvnz>q9bu={bZlj_ zbyIS?QZ)vBSmJNh2R?rO>ZFT%_~vzL$m28Ytu-mC4_b*k!e|1saJ?J{9LPJE<@245 zY9-4u7o1JxQ!=kUSM^rV&`xtDqYRnypq^HG=1qf#aqgj~=sh>UEkf|@zvrmqQE5Y zT&I!T)2b{*<(xiavp6j5I9ab}_KjnM|jhUiur1O9z)5Afx>q^LLMGlPG@Syx7Np_ z@|M@S$e4wSJeQYOg7aMFyM&nFvs}|Xo9k1>^6EDGo;EMU_`U35wV^d%i4YOBdi)?- z>&+oqg|{OOyPohKjAfj%R6Y5YoRDJh=}9A%Gt1<3qIh~y&sv=xx1L7JQ}i6d-M_+% zQBW^g@a+fb0seFOaDQ_LFCyRF`C(@32<{h}s5Ytgc&_8jrkItp|0%>f&L%8hW zn##os<>m>k%aH*IP5PS0-nr|KM8^y=B8vVnPZcojkjf zBaCY|#haoDsxDME%+awEoC+L&T21nj{3&O>xU*skQCaaNd!NRWe(y{grWe$0iL zS>=Z~J*!wID0z1N*^GlF>z0pceW+ab1P9JxE?%s0rz9joqw|4PIv9Eov{vVJi z@p(R^?0Uf%$|Y=VZQ}rBM>rZdd^(mfv$i1Sl7R9MbBWm4837X}E$q~n8_26TYi#HM z)q=y2oWN`es4~clDJTH9 z0MaWA9Tc$X7YO-@xZa80B{e0ZG(M7*?D7qhZ6?+_Qpnkqqc3%0RCTa25=q#3UuxsQQU~Bh0kBculiT-WU6_=-9>?;m{%!2F6k z;9JcnLcf6fLLU4(7Ai&u$i{9@!vqWy)%FG_Ea zwB3G0tDkoNG`V?B;pXPTN1+o!FdQYldTlT;1H8NP_I0W=W}o6_)!RH)t04Z`B4z 
zlMT66t?|s$==DZ3Z48FRlz7gs=Fr%@Jru_wVn(%~zmn+T;NI8}4=!Lcwg*IKH>gzP|X96^IpVSi*v2%Nh zH*nX5yyDkq&}v_hW4Fpg;yIb^dC-3+;k02L8jqsLEF?4W^k9^fVUJ>$5AB@7h27{W z2l@a`dU}_jN(29tj5gjp!La9uF2}U2EDxe;mEVAAyO&qwZXU{wf7dvC7)zPAlYmj)qAJ%)xzP4ruw={ zLp1T;(ZvFzmXC{9>@;7-B8W%6 zUDTt=l!(om*DTO_HhZ(}ZA$&)5{Xpr6CuuH_6j}rngs=Od+x3@tv}>ft8~y~uf4Re zGB=?Y&lPQp-+2eBy+>!C(TiL7jlN>K4$#+)zD5%KPy74r^Y|l;?ju~$ zA#bfe|fv9v690xf1#`~u-FT0qnC#{a+nHyiO zyxGpX`)!ZcqvQOi9=|s*@T?@lqsDo3=#;b1?NE~$wko~eM)_4ujoYT-sUH;ZQGuh5 z){g~;F1W;-+td3Q%T0_I^f4B8KXNotO1#D>Oi4-n=z+q%T~{9+KOSOrlw?U$tk!}Y znQGi3sFSFiGsn|F+u1AQ8-OjTf_lKhpVv85sbx| zwrlw}-lHQ~ZA=VFbx;{728XrV8MKUIt?cTKGrD!q5G(FWszy1T29NHR$`KHfuj91$ zoR8f7__bL&1s<8J&vAFWy}lmg1H5Ul03}`5*#0B6G#n>zb19UiKBx|xaXt)RI^UyD zU4(CATRHih)9S|iOYbK&Y0gJaP2@MOkw<>4wT@&}0al(!rz78vW$FY>eTc?2d0Km4 z#-G2N%$L3BCWJ~Fx3{Fwt7_`Xon8A1eN6+RoR0JbUug(A_3mt-q=k0GifemqT>(iG zS2Ou7)qQ4;H#(75ZnnJ=Z?~;_CwOX}@6M#bSf5jw|FkR2@H+kNo4Hm4k@$P|a~~Vv z4>@xD2Kv$s${XsQXUmDHPkay+6M1!0(`Hl?=)OCe~V4 z(<`>wPmnBT)OjD&ViGsg;$TwOZO%&z4s~L3N*LA?&WmIQ73<#f!YE4@YJ zUZP%#QYr4q=dmzfBBE4fyLY41XU|dc1DQmd7cK0OEf3mWoF7iw~aDru3`BojBi^06iQ0&PPS&!F@sb zIfhjkwDOS*odac-M|A|fZIUStzWvx0?KLosx|)>4B{~*8>@VP9^N{~;eP0tZ4`VAH z`vua`?v5(fwIFHpUG4sOPnk$<=H+6K8dpVhbf{WDBp2Tct~6cs$gbsov3b#uyueaa zD@~QQ^32Vtdk^Mi)EtsA4lODowVJi&#du-aYsW9!`{_a4UFXPhc$M;&5*Fx3oZ}eh zL+qHF#bVoDE}#)Ky-3-@aeDY7S>TQ9Erd5ci_TwtX>_2Jo{CWu;aaLn*OBl+=k*aK z#qj*Cc2%m}i!QPG4L<#zd$aPdadjc@3JkSR)HR)?Q_^Za)N-={Dm?%2027;m_#xFJ z*nhkyUKLlQDIXf)ysSn=eJ+(ExrvT7T&*KukC)9o=9YoC)pmx)rD^E{>KYD$18@B= zVB)pS*2(4^U&mBMsY`3-H4%*?riZ+oN*Ya1M63mzy+juCk({;P@Z|a|(|)0XX46as zyI@;M%@2}AqoJ`DU9mIskn9QqpJX{Pl#W2WmCHwgBLS*%7s;PTZH=wHUX8Di5q zoM{)+JYd+?Y*+hg%JfKAQ0Drb9;cZj4gpMvd#qMMEpihYY88eE`}}dmDwWC8U2pH? 
zL0+X(Fup#wzcj)4d2lJ*{79?>+*}tsV)7m_n)&1_Oj)E86g1yjP&F&b&Li+l(M7#+ zvtycN{;2UxoV80nX!2OqQn1mQ)RFs6hv<+&iu0e}jvQAo%VFv+PF0=AG;OweEKO6% zyd<=bdo>O2p;$^EMRDQG689~;>1q*a_mT7&?}P!`YXmQKN^O%ZT~&|1u3J5yLZo|T zy1;BWR@xd7{EA-l3n8d-L zb6=Q^mc}xMCBtNr@{(fd2$4Q+%Gm|zrRF1q(%_(5S;nn=1clex~}<@XRvG0ex#-Yn`=KNv1dq)K2qc`nOu)P4UO z#rOJ!;wt!pftA*eW`<-E2W<{QaiB zajz4pbu{+eR5y7uGCg3|2~(ZzUAb?*_YhQt)FfQ;zaOf&CN?@WP;D9yZPE;)$M;h$ z&CWfhU@dtez>&DS0+$B4hR10#K`!T6*0q#l3an4cXE9c2RgUM*(yvw`0=|vEMc&- zj}N}e<2AS6d>(w5A}M%Y^eNpcPS9+%6_v@9my2iMiMFZkcsr#-ID(w7Shc()FFq+< zsZz|j%@$UoC4GpmmWrBc#Ps?F5`*2xU&MaoUYMG`ZwwbUBO*A5SdumsDL+m4@HxAs z9W!fGiOvbeJN=yDj7F?yg|>L2B4>)0t}}3SXNHKLxr*F7JHOj^UVVf=yw~q)TxP&3 zpEe_+e%OSz$?{1%=U7kZ+I{|T%X`PUWyOO}P>@`+y~_fohh7DXoDH58<|ldU?m`{7 z0TAFgYSWv>U{=$DA@eN|V# zka^hCtd5JIp0}ap0|0vPNJIWFm^(DBk& zD&6r~_OO3tNx#lrx7J4I87};+FVD5dnKIjqtG({FBF>!tP)fZ!J;Stq;iFs3&t@OF zGjIjf_c$?$KiHD&&pK9V%ge7-QA#a(OTxUNkGis#w01n%V0gs*eFRHo5M})Pj>;UZQVCOa|tXmf7_bIpjKeBlG~ML+S#;&JdcmvAf`3ydXDVw zjl1K>1pzr1ol@f0(M-J#gP(an;)t<(I7B#2K z4_-O=pSJV6u0x*_&77DS?y10)v!_Yv@;OT7owlG?$9>u_hiksvwdo0^CiP=WjF*){ ztFPQ(fFx4_huTd`k%TXTPqVZb&k5O;s0s-t?gCpk>7G27SVqz0yDdjcl7c^4B`rV` z>riiMe9l}xd$*2dla{I(4ecw%_k#@FVsvpvbo*7_4%F1Ny{VFq>8H{yHs5TVq81lT zzBTU3T{F1o&7IHp-F`mT5r`~`*%V_+_o_JuH^LT5Balq~L~MArz_hjLK*H%=9WO<{ zKGJ#GHs3!ncu%oxTRytI^hKPV^h|;)LoG#WWAaHY7ANXWlb{$uAv<9!IK`Jo7fUP8 zbQgL(OKfTwc59SEc%RqRRc=1l^P<80sd_+w`3lXG2j}^vU)D#)pWT9(>@Cj777peS_!9Pt@%;EZ&Y~T|5w{s+qA7j$ zp=((VQ;E4^6p9;y{Y+*KC0Qy9&O#1+h@*q$meopJHlnyrW|)Gb7_&4{#)tneSzGC8 zn=T~+08Y7|Pv75CD64B4e`ynk6#U8A28F=?!8UPVd^+(56W%}DCXVRnrfbXE#QkUi z_q{fhjGTy=gp>kk6So&=6Gu!8u(mDrkt33)XV|`Vn+`E485lw$xtnvTPu$Ej^h5XM z;zn+h@KnOf|2_nUmEKpV-y+9ng|cQbo)y!5Yz>BCsxgcP1tH*zo`g395H_d@hPNiG zPm7{o>td}YFevu}-kv0}G1awNE#_F^EX>>3XOp5W?Ty{j%}>XB5=Zn^+l)m{>)%Qo zfk*61ds}N4Qn8(Ih=9bO*9l$Kwz`^;Tz>wkNmj0&9fP9J%+b?6xCn3Gc3vo*%<%X` z(CIn4FZjI}jA-5dHXZRc^%+Ozp7B0c`uEiGuJq>%n8DJ7Hv|wipb4kW7r-ax0HyMt zaw*~D#_{Cs9+-1j02Mek%?h1*>5`I}_@-_k2KTynB*Ht5%DiX+B-pb#vIE;5ld=n1 
zM6qj^g=IeB<$oH2H@htA>agw6$Yx-02mIALMA?l}a(w1bAnPV;f*eItns{57rl>GQ zIBh64H+-$VUF$kVo}2f;HV0dhFq+pJJCvv3IWeDpk*&gbiV9gU|GH&l0Tgs<0mL6G zEwQf4u5mJp1MY6~)Y!q4k_AwFWbXV4Xx(Jx>c42m8ed)CA;Z2|8ON5g_&gq5yvy9g z{t9%Xw08ewo<*7yy6MmYh<(PbVszH}!uqbd`fQ@ulpfY03?v?#G8;EH^f5*hW4gmV ztzrIk`3T1185YyIUA(lXa>Knn$s-6uv>N@tb%ZcPe+#CyP9n^rwNUvx#|Vb*@1V5C zIRrzu1}J~;5W&#>J)G7!i(u&10OfBTA{e^A1=H%2{woY!9+UVa;{wPh68l<-ik?`hUfS{cFVgYos#Zi35U!_BTKyfM!=*}TMi)(<=sXUADqoONZ0Ll7M zsQ}OBb~k-ygK=7ILe5!Vj|OkOctrIs;|0PS0tg$_1XEELK&N7Ix}JLj{g~qOiWfiz z5qT4;QxVCzaWb>H4R;2xIhuQU`hoUoCPnjdj&jb8TY(l$=!&m-U5&{lhr;ivrg|Xc zFP8Au9}V4~rpIU!T~0VeK;n<<#38SH>S%N^rsA1<6W0A)??Pxe-et=e(|-*r_-T?Lj)xL8J#eZ z%L}!@MU3jt+W{;$Q;{mOV-EA08m}(yed*A-qa(on;(Jxpg$};}S;EWzI0Ts}y<0fn zT4znQiPdZJ^&j~QI#JlFt%Iuzj{Z|k)PUkAu;5|^)VG#l{D%*l+X3AzfQ}4;F#K*h zU?VdajKFX8`(u2fz<$6VB~6x;5HN5nd1zh)76*LNOkoP>hI}oS29VC>SGIoIOOujHG1SfX9te3W<59pq`cx*WeV_OMnY(8P;r|2-2s%K}fnRliE>K{+UyF)PB_L%~ z$KU92_1U)zpb_J7c0U|kaCZF;``2%HO>SBM)!65$>NI0=&>aTfFD&%ydF%eXsp9-} z3bKz^y<#c>o5bciiYbg`myuZab$YLEmo14;&BdEjM$;YWfPex^m^178FZ9bdNcEpMsf11h9O{~@!72Ml&WN`w`o!G- z<*fC8^qi!-J?4^H@Nxmx7NuH6MjK}grE#-PlGQz`r*|(R6-X(`xiioPkr#uJ>&W9BG37G z?M2|H;fIy`${a6bjq%m4t-{+H{|018Xs`cXU^Xt6edLtk=kpa4nF+rlph3`$e`Gpn7e&6R z784(F51AQq9Z7goT3S@lCSHx6&)&yw?&XcCY@e+W4<80-U&VcJ;lbiAK>Zw z{_ri}dV#?8^w0-(VPZ-r*mq2dVAP(CwV;be>^8hP7IZkU3zrwzeqaXuv}3lbU98Bb zPZ{UfH;v=pwjtT^U*4pET>#aMV)ev%CPnfzu=<}y=8ak^oH6VLZ4&qsHu6J6iH@Ab zp*>?eT#5qwB0cBW#FNx#hEm$6Umn}Ybr-+8`{dXH2wggI51aC7bpFyvq;Anf0!DNK zi($I8;fs?VaKZG=xIiNP=h)E6F3^5ET!wj9Zk|uu2*-vmex1K!9>ZU#IGU$hI#E&R z?89E0gq^Az!D{W<@U^!*oB?V)JEluqRQl~*UQAa!1ynvSViqUv@%G9_uTD&#Cq9AA z+aXsn@55gwPSEm2KnYsDrd|=Wd@WcAwtOvA2)2AJR0y_wEmR0AmbFj;{lB$h!GuT7 z1540ei8cS$bsWSyXW&vlR$IdhAlArn&Fu@IK55*guUO6$_8p_{kAcIcitMBAnpv5y z&y+u0?ros`tS;G@U?6N`N@13Cf1oCvmGCP98U)?=N2WtmMc|wf@KAnFq;4F|tx?ml z^=tV8s8N5u^buy>#V&%|-+dZ)qGD{M=w6bDc+9gxL10s`rsLl18y#i4B5qi9->zr=kAUQH~ISV331sAqqQt`v^KO9jPmB1Qom+b{(1Hv{aYzp$jQ 
zV%kKkU?_#J+U2`$oWKAJGz_4%hXaJ;cy{X55+U(Y{={pwL@TIC0UGCxjvT-T4MPbc zfsz33mxLURqyrl3|#WCwf3j)P+$-@EOcsLBN z=6JLqcq(!j98W+F$h#KHy`ti3$yTtE0z20?irO;vU>F>_2pgdDOYFfg1Y!}kCHt^A z7uRABMywzt1^(8J%C^KFyd>HZd+=XLwwgT{xq^xmzRF6kdpMVj1QZ4RM&}Kv+E4ai z7@mi;JW233GVPzF z(0Jpw$gurWw54GMuU=x{tMZnpivYgsjpDY96dITW-?+Y)IH4inU#Y(T8n_j10kLtn zuml_!c#CIl$Fq?C1P)jre?xN(;MO37My~J;0NwRQfmg36pKDuSmVW0V zUs~Sc4dCCTA{SiYAb{2}KL_?-Qfb3r%i7QYRNA{VQ$A-7%ws9V=^pbPRk%k=Pv#ri zWJ1T9iIA8I`TWT6hEt;I>=TUmnE;deB41~-T)qItW9?FE+wzXfTTv^VTA&elHS87V zGJEsQKwq^vw{iGZYpI!?#kcP=TXJjxw_S0!t&kI^F_(SkcH@qv!^}keu*!Bf6A9Pm zk>Plj7c?0G`RBYjxtOWb>W=U5ig^d)h(Usnq)0#_g02zQAJKnG-W;(hdN*BVZL115 zF<7jXT8Z~Gy6#j4Rq+Yklntu%Ya;( zEOj>%nR{b3HEnZ9YqVF%AWZ6x!3UB8ZLNbhksPgY(FborkDcFs`Z|u|!hY!;`w*`8 zzubRWK^(08ELPP4diEijR8&getNUOZ*B1dE{+rBq3^YS7nR2E8wBatZ)x({n#hWm8 z5Kp=xt+3>X`_o?vFtRFgCg(qLk85u#BT-`~KOFmL$|JX1+i9z)ELWIV+^%b}L`mB^ z+6y-YOS`2@`;t%_u*SzLbKzXBD(*+;g}*!Z^;p<+h|9gFE$4<@Np+Ki!Yq%#J}xYL zDYl?JRkbzp0hfTF50QIadyH2+cdYVur7x5th1DGAUtNt2k`#HJD7B|V;D~rr1Sz%9 zX!rKBr>JK+3$C2n@%1Qu=e4o?i$PR^w389`U*iz$oxXMs4EfG1)g5|8-mqQ z8v8vDscQ@;oFP)bdBRsdNI&?(7Aayf+9=18hczF+l_0<3978@xCfW}(2X1vW zY`$$_gg$UMF~^9}b^vn}oDs@MCQIw=I6E=k-qV|64iG8gJ`X(`ayQS*nZ?cW`;ar| z&JBKv>8orhE^3>7`_jspMX~<%6hoo5>^f%O8tAlMAL1#SyKYDS^;)6^I*R`D z>j{P%W?yC~Q~Q-8QqG*u8+Ov!C5mRh-PJetdW_+Wx=L^y;*EWI!+EG>h9(o65k=68 zB+b1Z4<{dU<}^%6qf)S9JzR8r?={8|LfO3;g1PaIJ=0&?gWGvb2Bs;6ZJj8eSU6Bx zbdFOBUveNz4%gB)j#c>-T+JhpniMW}bzf}kd5`M8_Nt!J1pn&5&Bn2EJbsBUb3Z&6 zs4Xjfok&$pHC9oj`uzBnhtShjT6UVX?_LY1b?y^q6Lm?T=R7^(lb6>_Nr7;8b(fP< zL8`T%L)>GspDiu+?#QWmSbTKU%wn4;wH!J!mrR2ERp`)-*aaa~^OrQuGy)>?_GiLC z0^ZLJws77mdl$4tvd?Cy^8L-7AglJr=RvMV!|v1)pJTgwVxKgV-mQs4yeD3ZxHR~Z z*7{nwYL1%6K()V$O_zzRdw8_G!$*IfRR`%~}yak{X&ci0iv zyF<5fuLYhk^B22Z=fU996kDJd3Tgn`9<-5oCI7ClP_XqpJVf}w9M|TmqcYtwFMMc4 z)7|+D*|HwkH*yc~bT~GC-gBRbo%hf#??MBXYONf~0XGoyWol2K0!6xG1$hbQ?m9`r z9uM)h_v+c@obt~U*%X-0kgC`L3JUYr@2V_td>>%3n z-TItCkNKdGcwM!k{OM={*tyyP8VenDkhB_0tY02E^|!y8+*E@#wrL(EW84}iFsz2e{$Ay_V%q8d4da{T8t!;NImrP8|GAL 
z8rtHyG;bNPygHGnMjBBhhkW}X`mNUC&DnAcHpyKL<&~*}!af4RjAo^{>k1QBL^?6q z?-v@#BP;bgh{*e69(u^?$y1a&TL-2us28d!-xOmWao|nMJiKi_O@C{;ZU^ZF4ZhjV z8DzU{SVAg&2FzANMY+FAU#r7)6bET2&n_^G6&cXze4X%i>g(>RciExYgL`%oCx`~W zQxp`-WI*qEn={Oj{wcy+Y0Hk?N%uRWO&p~nn=e8nyQoe=e9qotxI)~e<;G%@6OOl{K<=yxKd*3v%_Y*=)&uR~3WRtP! zH(WNMit=FF`M@;Yx^k1VbtJ6cPujUES0PvZvffo1=^dqCOP*YSnOHfJci2*^RLrtQ z9ug=(2OD3M>FO|y6G7-Y*2mnl)3TZK?dsfgr_;3q_aKM8LH9ZRSL(ByvAl7L!=ldJ z#YRj6v)!MhT6C+_E*{R``G|(6EIiEnaGN(7 zH_F%^uYOa*#*+QOImu~g_WXSx%UxII$3REGsanI2W7r!GMrBK3ZE9N@ryJi67NJqh z7}k;4+j)DHJ7_K9h0NnQzkJ!%?p;`*r;=TH{QkgvZ~czJEc(aIHWRoya*pZY94I9L~${`RmJ|XjjZ!!qcc5UvG-cd^xJJz^yN8D2%EEA(#J5_ z(ps5+RvjFC|K+|g)dy~?t_pb;))&f_s>iL*$K2LK@7Z(wniuauYG>F~Wt4|(V3Sa{ zm|+$7>DdR)51o*M$M0xWT{dLWaIB`FmnPL5Vi-~MbJ4PN&givZI5IhmQ+>omgrzRZ zVSkyo@1@k?EfrIU-RV}X|0 zzHN=}AKmMCY@i?FDvwq#n84|mF#Zwe z&U@8OrPh4a8GIxGh@(6MCafhBQk_l~U6~EL6bozwC#HKwwSv^>l*KO+$0Z-INE~$+ z=eC0KH|_39lw+|qm#U2oJbINb-YNY$n(Ayoh8tC%%c-M%6B<=!6Suvm4%71NKM{iv zgl1mnE%I=$b?b2Un{QQIJ3sR{zmLlWllolLq80IJ z1jP6#?NwUDSLIW^WVOPz@3Q#{ESLgsk2Gg}{G9hl*YU%{Xn)5xg()4X*<$fnkLtVc z*(0l+-&XWIw~j0vD&fq?^6rVS+!;Q&!}ddyj60hHHaXFC&==vNQmftH_tkO1G3y*_ zG+X^^oT&3%BG>ztBs1sJ6S>TrdRwkrRu{3fR}Z>#&^6~^W=hj44I*(uD=H%Au~<#k-1+nQH>*V$1E$Ky(MbogJMI$cbCTz9BJ_R1 zh^SjSd!HX9vNU$n5b-zmx=BOY1bbAHocmPTFJFd9apL|_C1cAHcIF+%`MpKp?Zg3> z6{+{B(y4uBo~A=Yvhr}4D}bTqw0jhJz*|0)NxxU@^1LKZah&6c6R0wk&Fpy23%ePO zSAyR8R~yl9W^P1GXGtdW+&IRp`}j7}EV!m4^TXGea(h1?MkQVvu|W>seM*y5xA#1g z=4*{Hjb=*7d@#*y;e?&dCpZU%Z4XsmtTqbRGtigzC6AMQs)%cej?1KP1** z`BjIe&9w@7Tlw{_riQy283-|x;wP#yFyr<|Iq;;ewwE>ZN>D~*oY77l#kA98h~lJ0 zI_AA#Ge31M#={z?j>>G|JNro8U6ZG=(^azb^4F(d(JAuK$A>~pwn2aj2XxNGIDeL=H}B%ILzBf^G`K6OwqF#fG*_e zXiugk;{Cq*w~d0K`rA#~Ov6s6-69+!An_0BL|sDRh&{&a4c6z_`}WM(d0+$m0;oC$ z8+brF$U&Soa#9=q$%Ww*rXcX?H>Ts!eqHQ%pEffu7n$4nC!UO3ue}yHCrz~}pKyqP z#6P4H)hSPW#;U}#`=dEAZP{Oi9WX7^DN~~CUrUQ>1`-4&CMy>}+80K`+52BNwgX(b z3!vT585c{OP)~j=c^Hd@A>rkJ9ReDF`x+S6tvN$o^d(6hLR`4`oPJEWf>$4&3RxI! 
zk!F`?@oXATQH<02160U4E_Xi4|^6%O9X8uIpiK1_+lsF!7Pj z6Z_xi;Yout0KR1pfY#Xu;3n?)6P&@}gui7S8)5LL8WP53eTb10bZmWq5p-<5c!3By zwrc5I!H5p-;wfD!E2x&b5T*t#Jj*s*m&M$oZ!0!FZ7>jsRVW9x>DV8_-889~R^ z3E2NtJ7%~5dXhSwn=(gb>(hH%8#-enGuq@a)XIIl7`;5JcrfK&?_|6!(5g62 zdScF?OjI;aWkw)!q$OoWApJ6H*%6ufQ!biKn2672?Yy6*Pd+ZT*})gH_v3{u&p>(K zUWg{)5CMrluMl&N?v+7we6bVUO8UZC+@ zHFyD}D4ODYN@o5T&gCT5$1FRN>(W;(2bmFwo%Si03 z-JH*E9H6Klk+z?eaKNj|Kpn2Mf|nXN=KY!d!JF!tDJXlLS;VC7Y{RTodH>g(u)s9m zNh_`QC+mwHQT+OQ35N(s{CS-~%c@m4qOAG`A7N6EJ#(iPKpGBNd9_!dxHQ&Nb$hK; z2><>&5GYW1Te|Mm^;%yLU%Sl=a@AJn|9fp_fNEPXzM066mMTBm%;5WHz)?t`&kWE* z0V1&2*h9w3+{S`KM1=oaS?=OTpaBC1|5+<-vr87*R(fW-_5i;GSG01O|+|6}( zp#ijs2sm9F^l$+bin9%zXBUg$XAJFqV%R;_0MHo5xXM{u7!G>Vh*svuW(mTkWXL1B zTdP0sVsRw=ihu?|H~yjNAP!pqJ$`?Dnsc<^(X2soK`c(F?@`{Y+C0T+pdb_n7ll>p zn$n~rJ~T=ZUjFwXsNB)d0)*=rIu}4d#pL@$bj4H*Hi^x36jK-*`^V_$HP1bZ9Fmz) z6Q%gN0P>QPi@Cqn`e|LqzH#c;@nsx2WQrGU1Y73zjJ!mc-Z5{G5#?h zT;!%dj?W6Mb?Ul~eWy%MU>utVcFgd|+{Z?a#Py6@uj?Xfo&1fHzE1g2*IXq|*++5) zATF-%?q2KEbsggpb!~gulANecP~m=dhR%6{3KLZL`vj79q$se@BUoV&!3zH{sRS$h z9SOoh;yVz8g~WFt2n&htKoHi#-+>@3B)$VdSV(*ag0PVI4g`p>kobx;vA>|P_%=90ChPq zC={rcf#bPH{;A>|=ywt*pm>D?e`EaZ{(W%{>|Ye;tm?b}JHx;Tf3jDnb)1Yex97bwml!T$rQZis>Z0uL=jBn%3~ zFiSFW(yfr~yTOv2OGP;qEo$9kz}AF2^J3zmCPnjlsK876^qPu;Z6Oym%Yq3X2pACb z;1A3NAO7+zE?g>h5)=785BD~gKV_zG0aScJssTsWX7{H754{;lcvD(hRL~|~jm8P@V>d7N znOOkI_|(Q>humalu$YMjP#g9~=<~NErf(gPSw-RN`)M&;A!Y}c5m4||gO%n-V$ZG>aP*S^j_ zG>b#;kn5deLu=slpSDjVU_|?-v08gJeCaI@ftH!*()I)MXx-Aj$g)Whmkjf+91Oe1 z+bbKrI5B-*Uf+z9o_IpPz4N7+h$5fbB z5gZWIP?>4jA2~LSMgM`=!vmaa2^SWKY^e0gVS%mFrF~ zK);W5b7w1j=A&v0L?xffoiS1TxRZW@obZ8w0YMM`z+6C$&4=iS570s97C;$a^xXq} zeEjkkK=BpWfU;b=9P!?< znwS;ELl6|ccnA#C4Z&de;vod&A1oe%|0o`Up*Zk2#^3JW7Y`x-Mez{oSAc(~cnCjA zzZ4G%;yVzn7&%EZGjnU8y^)QMwY`NN2mdKUGh<4AX$}}A|6y~h3wl-@>iF*n0Prd3 z=~{EBBLUWD6bkxkYZYYu+NQ&MQ@Qwn?#KDZQc zeV{p#uJsvw^CW8yFjNoh-j4d6otafe^q$v~27UNa!+*mWB?o#?S#JUd!ZK)hcS;a=`#zYe1pk zU=9Qn#s?RG0==&y{ z#^s_d0f$@zIDk`k8E~uW12-TZ9R3}oT39ca?YK3^KstngH9!wAp 
z%s>I4b`zME-^Ud$faF6$QGzgzpCbR1?k{I1N??U#tDMjJB?Bx137{tG!BLoT*M4NO##ecfF(f!(*nFW8J5i1(vX5z zn=}+;xp=5QY5QSdym&}p(t=SCyqN>u!2mEJaNyX_Azfu;Q7h~|;3_xjjlhCnU?>rQ zHG@I$M(tOLAi(hcYl&8vebmOyKA`n56tE%z>WG0MT)aClgiyf5ApyImTAPuLb^Q zAS*EYp=wY*@R8Nxt#AN9Q_PKux3mBP)g&j;_g(E=yNk@Rh!vqKZ0aoPa&EOU*1zbB+5O^;5F7Z#{{(4}S`vVlP z@8YMzQ zh3GvTo6Zjv)QLSX*iO>ZSMx$6`MJ24qkZ=?{>OJO!qT|P69=-Py&$F`Unu9%5gCPh zCSLT_n3DZ5xs^34?DC&;#j!3Ri;&8=(e0bhUGjYVPQdtbVSIL-dt{9}iQ3`Q29{3K z^TmBb(v*@CUd^f#$qtvoZx{MXGf_lW);e$>iLJkJ|3h>g_y|9&HeVrHm6i4U(QMH> zw?batIwRl0`tHdj5jQ6fL|HgePnZ?_&Q0Etiu1#{gwx|Mm9LD<)fj>l$n+qa$@?`W0Shsve%d|WJ(X|#>hQ(8*PEqc2E>1p~~ehNpO z&z~PSb@P6qA+c*UpRcVE4D*~$dB%>$Hk`GPr{v^J6?KjcdNf9bYT~t*5Tnjksm0?WNUXgo#7lEocN+*Ulsc0 z__$#1>(N`Dr)X4nZ#n2;*}=euzID9hJdMI8TK|kv6`Tt>?**eg_G2Us#}KDYu?o%e z;JD@e9uHq8W5?7LM=yh&IziL`z@3egMtNk|?t+ zL?2m29;_umdE>l-?6I4EED(w))hAcd>M8wc=)-+A-8v8XFm9RKeCXU406(x z-96#~ZZQ1v^7_losR`t@CK&3F5iKYC32G?oawp zxIZy9Y@0hQT#$R_z-#Kc!&0TtVX6Uo>|xDok@>W(`cJr~JI1K7hab-;c%F4^+mkj~ zAFVmisK*GWd^A&QcOW3nQi=B*mj%p*rY3bC{J~fi&CNjnL)~3x_m;8QSX^_7LWOx; zzH>IrHImgx_cd@O^=oK@*jA=^4{dUnsLf9=Grt(|9;7hT2JXOY7k<67+tC z?otVOH}_pAds#`j6I@QGv!>lz9~VgjeRCYqN_{3KPXEKs+6&|#URrbAqxg`*a3pTi zEY7`M?Z}l~Ta(Rbnd%fg;zH4M0%s@ha|p4%RD3Vv-rG6^p$OI zC)$0;TutW*qpMgvsgE{ah6EFwW+G|~Y{7V|mieVD=PP5nXkU3`-u^GQ4hjxOOCPvp zr&IWLQz~+pOkw4d;wP16f?z-3)KaM-guhlr@@8m%8I66*w^4|4G*`N-R5p zMN%bW_ohrG$46sYw!+j}p}W(Syk*2t@*ffB;$O2wfteAz%4~EuU#+XWshsi3?XmwB zF%QmrIZZU(JGb7c6H2kkqqTXC8VQB|zj1v#b54_KF^=LWk%-JzB$i?va-oZp&zw;p0yO`RZW~PVYvY z{cm&lDAtP1-Aeiz`M~a-kXELixm0sA$*97DxY9fHXZF$g`I)bmZ+?MJ&PoT-3;G{4 z?759jDte|T!{(FJc0Nh@#v`#t+xkt;nSE(<@$zVRZ^GoMuFsFkP_Aex@*Yn@Op?+UPn_Rc+DJzvU1TLD`d-S}t9!-zX+* zUH?(VYc{?<*Qmm}*^70{ecCIRI7Fy>=auiKJ+R+xK4)G1QMaMmR70u9O+j1ds+sHy z-MxKX{*G-aXG0#w`L(L}ljwGE*EDz>D*wV(!;)Vu8kA9PWLgT|VykRybvIc)X+Wdu zVn#vrXoFyQEOo3`pL3R9qD5FUJJhGXu3gP6tMJsBgV`1iY_P^x{)x{-=!~9sImKil zxqNv-uQzDzb@Z=Dn3o7Kzt`6lIvMvqxo{%MqIz@m4AI>Mvq^VPUxrMJ%_H6kDr0^zW&c4f!io{)Zv=l<-^4tUk4sOQ;tv3tFVSoBqNM{P2XK<+TwYc`rVw6U|QI72DZXE 
zE3<9X4}t~!KO7x(m=hE=J?pXM3bw z2gYW*QG*>HyaGF_90%W~v8D06=&?x0RPTM>82mb|eox{HtLVOjV5PLDGpZU_MZ@c3 z;3~p4!e**^xlvShsSl)OWZndX^gOsP$XEI*AS_j#*pJT_nL-o%L5~jkw$WrTRqQFwMx_M()f4`Jz+ovaB}3BO`-vi!4P{ zMBAUVrrGQ)Zi#8^u5>Ce<7!E3eBNWCt^cf2G3{*giw8MrpVLYkym(m9v$l#=VNRXd z_A`zSB<9AaOBgRcryL0H)4Xn$>Yng{6)<_#O5L>C2@MtuS>=V_j2^S~AlN%1u}3F2 zi$rX56Vxnhcv&Jm%oSZEX!T zd47`;nye~yI9Zo$eO1bjDx`hcG-pKfF0*``HjVyrL2oEd?p3Ng=0lE~o|t;XIVIz& ztP?ZLDn!-LruU(9t*550T(bC5{Q5=l=NoCCsq}}$wuj{%F-%WTw^u%%t{Y=intQXF z%%^py>OJ6v7O;#_rLuYLE!tB`?YTxxDg(jqvn_XcpTh}CHIUUAI2_Y{JKty9UsN4+ zT&HjL^W{(D*;5skSv{j<$t?XX=mpX6dpiprhjX&0k6$Y8OSh;&`&hN_o*gzEbHj}e zRyU&2G=*6+LwV=~kGvd*vB@_Ha^~VLXPCt2M=IoQO?TC$xY#?ZgjVthgoJ;M5Ev?Y z*OGZK$@dN&Ehl+b+-;mxyd>)m!RH4JKh^GZnmm&{A#EZ6c(TX4ASxGN+|z9)Nqp*R z8E%TXb5TUp9J9ByJ6#la?X#!5=6-J{d$-t5EeWlzyj@7*gT|%cJ5h!#_Mt99mg)hn zf_I3rT`Nb~8dDtGg%fo zW?-lXxN66s2XPEeNBzEPmhKoc$nLH`*+}n_JLC;{=LgM${L!~kCtbfeU8&TW zZM%_Aw@OoLP5oeXn2cDQI8A`5AFRFRoToqM;S;dyZa%)`@8dX=#a*!JdAC7Q4@rji z4%fZ^R8HJ(A`PX8;14^@6OO3-7-BEXmU+X-sOEiIS8O$-z!*EbAa~%i8%F&1#Iw&C zcD{O4e|j*Ul-*UT;pv$q`}FpA^*lENAJ%QZ`i8!#;cmv>ohfPvliIE24bOYbPY
    Sst~o_4~j(DOsoml%DI&DyuiU<`EMx%dEItIU-Y_h zq}Cdgax9TL-l$1X!|8=D?M$~pK*7Tz{aC!OThymR<;7H#K(qh}0mAS2>;wmpg92h}0tg@#2BhflX^f?) z#$P{~FOTp6*_ov$^KY~$8whQG%h2H^TaFq&ONY;}{0tf_MKmC50Jl8I2V^7vqTk-pnFL?*c#$3 z5A~r0HXcudLxDID6bSFZ;XvSQF|G^;;(IVbJn0S`0sL}}xbo^GEDRslSvFVyWE>3+ zL~*}oESBL075GK8CEQl0t$}&9Ts-i`<7i81>&4U#5QhZXo&3yP!v$cAAyUN8Iq{d% z6}%$C2VNFP`_1XP6ugB2X#sqM6iD{}NMHl0*~Rea-w|v@gb%#&{L0cy0E!M4qsl9) z5P(e7FPJTj=;~}X47@!3g97SBeg+_a6SpPtfP}#}NtW9YD84!Y59ZGyT@r6~&KL$> z;UB<%z(4#p~*1F!H8;6LdfAcA<1fSC94afP4&zl#rquQ9Hu)dm>6!asmF?jM$t?GPaC zznB}~0Ic2jWcyE%e@ge)2DK zq43LKFbweU2ti=w%K-y)4Jb%KKmk#q-|$>orvEi~D?9|`PkIQzK_I`0wyeejEP(f| zc!AdfZ&i^846?#SK$f|Pf0aUmAi=;yUrM13Xngi*dQO9h%zIryCVSHP47m zXX=L@AVK?|u(Gt-y3FSGxY%Q#WY1|K*>O49bA4TM;^Lw>T&dz%Z_Q`AqP&-e_wDCr zhdZAOHw_KSmRy%+sT?s1otqM_AK~9geOUJc?auLmw^MloT15Lv?#rfx&S3^0Y?pO# zr-4o7Ar6%jGuKpJJF_J{g9Lo!8dFKsr4zJn+piQ39^jX-k2@=OZ<_@0Y?~TKOfLM0 z<#v2lS99}FGtMHc+Km@})oWKNKM7^aaUaO>6xJ&!5HlT!aEOjgUlp>Qy_LO|vmxO4luT8iz7zYuw`^_r}g1E4Xi; zmgSwT+>n$nOk(+20nFVX$q+LmoZe@oY)3&lZGptyYs2gt;qfJ z9IINf-(7BsfPR=b-U(t~5oS!;1r4gn}3)x18I(6xeYe;J# zb>L^)(Or8N>~oK$Tn`5|aOcQ`Ta)kczeBEuF6-OHv|HC*Sl^0qJEHY8mb%OGna$nj z@Af8#Q|6Bm4^r`l#KwYj z;)(9th<_gEyA^*SiE{S7G@@E%#nJI0{Y4f>nKhNX{VgMP+D)U8VL@f z5qNplu=pr_T;FL~Tw^yN*)%AH0Wr{ZatA9?1eQI9p2#yaKPKl7qSg;*!>ihOhRxKr?08K1t4 zWsA)*-FvEaXK^Ct&59AeCPJZlhb#_68h_L~gLK*T(NRl^$n4DaSC@9k*w>XKhK3Fv zi|`adSzMqA;Z935EKYs2x1zzTMAY22M3@Nm+YhHf^`%e z+vCE@WNmL09j88ED|{!;z! zhZQ5|*sFuwqYsPJb3f?3s~~-!_Iz%vQ%5Sd`2V$!UHvD&XpOv5R^-_u{>hKZ_GA}Qp;8$bJ6 z`ic-8)oi5~w_HW?sbIBpce^ywSV@EP4d8$SM4T2d__@e23Oh1B()&1(lypQHUNjh9rE|il{Ua_Ncl*l2pa+4Kz1t`C!u@jMX@^9m zYN)~y^T$&$?RN|`EL=_sZD~JwWMgTyGwf!Ne@d+Ci*BX!3 zO9=+2M|5}aKBM0hhGl-b46ySz=j!8}lnq4cJ^p2?rSp7-6^qj%SM zur2gZf0dWqy9$P56gcDgH^Bm%6)K#s92&hx6`lJ@vi9xGV3&{9wl|JbfSCiB$fhp! 
zrCmsSal(~ZXyDA$Gq~Jk-umOfR1MZIA4{~4$k^#0nl-^T8%p9Ds}T@1ti&=dISslj z(mt9oRSBlN)a=T0#^5<5L~*m?E`JC~l}~gDwSqUqJy=+6>+u#|OFkq=Twq`~Y?#Zu)QKXm zRQoV)@aXtMUWkLe3+Q2>t`&>Ly>n+~gPSHJdmo>=ctc{OeX!_rAS+CHvq}0`^dSjD zZk?ArS~G6*a}ilB&+CMbW`7nJb9P!thBnSEVEdw8%r$1yv5V(8&Q8xLUYZ&kTCls# zj+^=NIfc&Wp=7r7wI`n(GTGTP&C$pFxiq`>?7ueJZT&?(oQr2`Vmez5Ofua5but@e z95=D#mF?iOC9sQ~9Ar*uAqk=d4Dc6&n`Dn|Rycs%a^3`4e?EF*e|>KGD@_wID&_m( zH^1aOyPp2W;x&1SB%RKK!Z$Bk_wl=DYPrG~NJ|{3AKF-r(u=1{Y!@NstGMeh+tqi$ zn>0I!Mm}MS6OsN6NWw&>M2X}{*%C=hJ>K0#w_#;5N9a(UNQ_$arFLPZkwaQ6_>Iapbh>Htuq>&j-f^!_1|CHo3st0HF3*Gma`%J zbWFMfBl9`GqhVqgm-q_KJ>&e|SQeZN7b5t4;=Vh~&t0qr4hZhex#b(??f&u19u?U8 zWOv09u;L3lngB(qN~#WJZk|2lzDDlp`V)M1XR~yo_M^H5Qys`^#D*TYrn_u1v%c`K zQ<>s~`vo@1&cX*dcWcvFo*h%V`!wk5ZNw2Py<)OG^@rR?#meaPq=NLH?eV-P$a11? z%M$}G&)3Q6W1TTCSt(&Qt?2jil%LE(x=yEuIi<73MD3BhbHOR zBL2u%;%%ajY7QI5%p06lntQ@P*)SCyK<5X)bG<=Q?V7U60-3uYtbDCFJ`f%FKj-Cj{?AZDRUEZD@6-!U0~bGawhM?hSrzP=vhgbn_8Hg;rFWm z=l)nrACWryqZn=R>x-P=7tO6qIRt)|rvXt42oN3lvAACNw9pFLazgsJGzi~*mI(MC zXrU1#1=>PIO-oI=g_eeP+tw}HnfJ3WGcq!Rx%RT|7lMk4;0sPAj%mnB98o!n6g*=p zuY%UmH_#V5ZE0_D!A?U@Uw7dZh-wp2^QLRd`rv+Var z`_kSL4iS*}^Ez>^)-Geh$=oAwZjScuxaSmG#-l|Iub(ti!NQaBIOX<``Fc3mtE2`TX00U>WlLghK=*{=7~EwHCl9 z=9qiNy{BACIJt2=dAkSZ92P(Yj!m;dr=HKFO;z2|nLcw=+=UK8Wry8W7o=}`>iIaA~H9%=AjHjrO1@o_4 zMixLprxrl`u`wJQxXI#IX+$x{h8$=7RXQ*=axE?ocl6B}tp0;MuWa-_u!(uDoS{x7 zwEqG~N!)q%o_@+ej6nZno<*7yy6MmYh<(PbVszF4ve6rXs_TGhm=~<%qB4JWeyUeK zA}`bPO+%td#WO6XbGvwHPxrfx-iJhvFhswLAz_Gq6FI^x`c2?KAcCR$P3Q=Q z?l*x0zD6)~zlj~e(ETQG1Vi`Rz!41HZ$n2gbiWH7!O;CKa)cG#?;=Mqbia!nVMX`b z$o+q1=ql!~=e2h&fCPeYiVGmN9NAdKxR1RyLg9or{{n=%I`I+KA^imqB;F};KHg<+ zVt)&|QChoZAojuQf|0!H2e0da&}RcD7w(aG;FNcyxyFb|mj|>UxUFpDqFtJZY6Ncu zqdwsP0gtuRAu}Rxi1q)l_a5+A@9+QkZ99mBBH`B1u`{KH1dpZOhcoQiORuEWk4JEx6c-!9R+A^us{Xl} zoC8>=PVr@__-EczQPYr70&B_n*OEbirR1cwE~u8LQN$Fblp zhz3Z8{~Nk6MugmHs_)a7aQ4)eb5~1L_3rAw5jmqhOY@R|#!W66NPljVjI)&)SpDdn zchk7dJG5ak)rINm+%fyX-k*EilDoF-_5mLYf&efA1OWu$bH@NO0b~NmgwF_oOaPex 
zGT|!%pgMr+@RbapodBu>s1Beyd_~|tQwN4Z@90mpohJJ<(LUh+{}TvEAEzuK#3v9T z;sjIw34*ObOAWz%W{<&m=4f4?;#_oBuB`9(>ls<(s%*kPF(bRs zL@Q=w7X)2as(y8|tw`{NUNR#~+WuWLvOwKeAYt);G$UI`dvr;DFJMM?>6|PX6%9Ex z1!+!pCom`bc}f;I|9Re)jGRK5g-wZS-FlQgH6=5G7cOD6B*#}(hmH$>1`!hDb<5ql zDRBDQP)PDstDK9Wrh`XXgiZLGJUB3AjW5&mi{&3rBCNraAP686{wLKzX%FV3%v{-c zE5Ut;2pQ(t&@esJuY2CZ#^?3U962>LVMW{9O@1as$a}6qb$cJbw3fZ$KVqY(zUDqGQnHQK&fVrpVt%HD)*0b z`dfeMsY`EK8#O@4G2l>Co7^?i^T303{#ZxEMBk_E14}RZscqgv4fF1~h=}+>wTUXZ z$(=KGd3y$GMqPt`>S;@Fk_<_lnK)s(N24)*AmZkr%0#@EM?-YyD0JyXKec^U*kGdn zQ>lAmvPQ!mWMlMz`rK5aVo~SbpL*Joo5<+&^9JfhuT2;jCq8mFPgbl?m>$uO^e;TQ zZiw&N*`Hfvp!>1PI5I(Jygf&J!-b!E+R~dScLI6M5;cld>OB2&Gx{Qm z#I@6Va@@Uy*Dby3r?zR8Cx{UJ#Ea2!vuvJ@AfZ7*FVYAk^dc6dEwG1PiU-(3FF^zB zp_hOGY=S1o5=j!nNKCk0VqnAeIO* zeGxh7wmbT2Cin});D3h)^AU%||6=jms(R(CS5f^}=}3STU2y!uvaV%|-w=3U@f#Wo zEPg|g7Qg+@bR_66i{F3^(rbaY{q5p6K;XYjM}k~ZZC%yP4yYsfGmGCyO|)|H8~TUS zku0fh35TIEzi;&$90x%6UoC&5g#KN5OA5*_&f9s-g0J)CH|P#}NH*^7mzL@2S+sMMqY()YUNy?(3s+o7(xgGL|3I!e;-rA-Hf zqbddZ!sL+`9@wKQ`EC~0;BJ|-$aPwPhd?C$bxsIaglSK>v}9?=-eIoNUEa8f>pGcEHgR1hK)uU` zEOn#7=Ogr3%l7qzj`2St%gpyKpZxgoJ+ego7lXFtaXAe$v0b@Q91U60E8ijg%P-mJ zJb0;it~9>QJ1$~(zf!nIsu_2=(1#S4oVT{X!hG1xxiqIEKQ8<7JIJEJPqG}5@9u$Z z@?CgVo&?#o5|QujgY5b)JS$Iv>{^M)clSYdeHWgUCqZ_tMC7~sAiKT`&&rb^yH+Cd z-F=W<--T!8NswJD5&7;u$gc0gv+^X!u9b*tUL*_ zYb7Gz-3QtAU3gZW1lhF`k?-zg=ghSkX$~u*JPEREB_iM52if&qcvhYS*|idp@9u-_`Yt>xPlD`PiO6^NL3Vu?o|Pv-cCAF@ zyZiqu?ArTXDgVLAZ>`-QC{UcG-)=Q93QL?LiwiH(CbKt2R5n| zr8hHFu)EB<U8H!I0)J z5%T)$~YJS`?63c2WL|;F*;#6QyX)qqfiWH zF(r{b9Rd!#YoX2|DHjq@TM@VLzQ0fQg#J#lC+tdueB(Qhf}0{PrTbCl!(m`T2iq@amWKAWW$_I;+Pt9R20uxvUI`28$`%a0g>|CNdt(} z1rJN<8B=zEyC51M8U9b`0=L0CjI$n_xO$?-1iU)IS?1G(oFYNcgXZeoG5f|Peag>m zQrf%;oJp{~Y1~Y($+MKse@BFD40Cb%xrZ&ei#gQCuYNjMF!BAsWU3Xn;%IEizmWNY z<0%f56~q({fxw`}9uA%ff^3XlQ2_kga# z-u)U%ZErv{0b!axC^2IlHvb?E+}C*wbv3M?0I_>yQ&mtp9}jB z%(;7ysh;6(Aj{vDAi#G^BPROf>oZA2NIBP_s`aU4r8Mdy=|)aAPD3kj7eoUj!~X?c zz(tbX%RgoZa*=NYNK>XdI0oA#|pmU?$L`dStyq`0~m)@mB 
zIDJ6o)3|rTjH%{*1Yv*sJqF+%>T^@v1{*Fcz3`{DDR?-%?KC!K` z?;dpx`l*L4y-6~Jr>mlCXOSC=dk-iuh%mqnkP?3?2&i;ldJ2#dASJ$V;m^MyB|u7m zlvsfPNQo7IfV~7r36K&i5CAE$0uZp504V`dVg&*qB~}0e_7Wf^KuWAY0HnkUK)_xC zqy$Kb6$pToSOEywOMsLBDX{_pkP<5Z0ecCM5+Eg3AOKQg1t4HA0a5~_#0msJN~{0` z>?J@-{0$}4=0(&w@c(5NEg2m^LiH8#QC*Ki3y6=#uEtrkQxtKGS zzikTJjXY;&H(1GavmgaL1S0X><>@WI@WNWv zVZOW3;7Je!kO}{z>af+aif3vAiy}u}wr<|Hvjm_>QSr-S*jI;||5sT8fUtL{cV;2KVkrj=O&P%9rSVPj*vG)I7(g^eYhurw4!CoE~}aKzLBszXXy zK*CQM$R+^Q!NP^`z~{ptpjZ@A2tg`qix9%1Flaawi^c$#?KgFFf(ip^2Y_m{CQgS* z)oPufa1;UyRHj}0grrKi%Q*DIg1~WbAru~iMFWDMg;vNRghhWx6d)PF5>ZxF3I1VG zaA-gh92Sd*Vqr)jGz>|q>INXYFokd{*xLaxRLzf7=I#dUvJ zFa#0<2!Tdpp%^?&2(};?0*waR3k@d;3$z>>5caERM#jbt2C6D5t0Y6hmPxj%I`0ol zwn!rs9t}u_1^5HUph%Db)qA067#0u>IQUgG>BFi95{G3Cq%>895JK?P62g~BxGIy$ z4@-!^;el2~q0mqifEa=#3=|0`VTZ&+Q5f83p})$v0G+Iag2Zac5KARPugU=O!;&H4 zIFb}N)KbaNFd-l%3LNuSqRGq3ORW|SsAIgS3BU*ZRi#7#Gz0ov5@-ng=N1G&BLTS} zE(!r?$I@2)4r-`nqOBTpejGIff+PkOKy6Vppk;w$Ff0`HZPC7s8hV*%t2*l+77dO? zk-AVEz^jF>Vu5OS6d)P`fmjfCK|uhnNi3EHmoRa%u(bi26e_HyEK5iF1>JGf$;nPc zSorwy<3bijHbz3W4(7r}j*b@QHr7Bl>?mw)dc?v=kdzL_aVPL0R(8@zpknwEKKz@b z1rmu8Lc`$*%#r~EiNXpYFu<{|TC`fCWy1#g-yAlOK<9`hy?vQPfL@cN{EkG+Mh~Ep z`mgHD;^=_@+Wb$6FaR1wFn|pJG#nl%Y!3sJ2?g|yK#BVWaq(Y~ z`)kRTjUMPW(opb-nC!UOaN2455k4m2lV9+0$y)SSP$A4Dx1d;nYb zS3lWOeSv@0XFL>+Abm6}9)*JAp88N#wPe2|WWJ}Ox0f~TJ1s8&^_bZ8xNC3l zIw`TiJf=@|N2VB>Y9{@=*by-IJ!J2DJK zEpOvWp5XE3uXsOH`|_H16+U#Lyu8JS^3*zs>rM`a2TpZ5l`_a~rZBE4Jx}N6X(14w z^kTTQna+~@eA^-AvwX1!&il;-&9n>@w3HbLdCw$vw^3awo*ymSCVt}6olf~d;kik~PCufU39U%)jzb!R2DT-6DwfS@n`vnRw zURG_*NkM|$bMnq?f>$#21(P0o{eh6?Ni4glE2j6JGe>g0(0rcvoI?gR-!LxnX_uir zl>6>X@;baHU(YvyJ&Fsckxqfl7cXDN zj0YU1(Y$al>;kOHru&pHCEcdWd!o0fYQ1(w$imdR`9!KTw{nIWGJk40dpHjzK65$=IkaGH*Q`%bvGNuXLcj~j>&Ofs>;p$4lnnb z>Z-qH3(BND*l|};fK|%8!|6_rw$p==q#X?h<&%Ws&6EnHO;j2%ArBhc?uSyLhEe-o zZnAn`JD$OzfAv606<a-%0sqK)VuO^P}wP0NjrvV-FrrIro6Wem znj4zVWSi>TDDJ0ip*0DKk-!3bS|)mL)<09?;#lvmM{AoTb{>0_rpy^W#ixzrA-?>D_7uja!d_E1 
z_PIY>SIzZKH2pZo!^dm-I8uS1G^Rf0(w3kI3E;q|@J2xF)mJ(tkk)A#C{*blJYi$#bHUL8}CwR>+=s^7TGOE#~<* zDIp!6vjyj{{K7FGI-7{fC%cPgQJoy#n+)LEb9S?jIVZGf(>9Q=8!39@x!o6{M#->O znCt}^j4bH=h&p5~*(8g`ue6ZE@;QDI1gLSw2Pt!|BZ&UK!XxE!AMCQ2O8jG4>u4#w-oVfzF=2ysf7$=_K)G+Gq8N^=&iHc^7w1+ey!_Oc~-f z=+v0r)5w?OAMRh16JO>YZuRa?pZlDCNuW!RSd_f=b`Q>4W0ls4Z5Pn%VbZ(0>o!DJ z-e%X{He7mBBbR$O&4zGAqp;LduQ!_SguWDU7|c-Eeo4T{Gc@6keoyy$C zo@3vz^_-oQ!z7RWhW!o)uiXp}3bPiy@doayefff`&Sk$%?4k2LLR|{`4e8Px88WCi zXjyMNs&^h@*_(LRX3JQ4PUm|D-1+PC6K6~6ZDF@hW#L(gzV;5M!fbkZ()>iioOkE! zJ=!>}>8NSoD%R_A-O?g9dF$=|h7HEBEfp`G63M*|v0RHNIsh@V$>vX3yC#KRDAh%c z@yO|8s@cAyPXglTIj8qs@~3d_vMGpRr1@O2Zk!LD z8bY2nO+-pZtVq`1*6Vhz2A8p(%SXn6V3wi2-6-MKhjGTI7)|y-guwh zMkKKquw27#=8k!JA>~prmxN0$GD_NA{eh-0?Yj|+n`e@4J))tvNrYEYmetEPy8Emf z?Mk&Ui3(4=0Sj`cF4d1ZTy&-!C48^9LY`UqTC5~DCE08dv%E{DY8sSUMZH-?O%1J- zG&LOh@EB@Wm5g&erQgeA;=5`Y3Y}lydbDQy&QHZbmtro*>f+ShDOv=XJ`{14p+pas zHTlE_KQ|o> zcix@F3VHg{EivnKd1YCRgPD~~$3-Yl$67qrPMMjMUXy+w*H^OdZIiFJ%$BZeOr81f zjCI7v^vn)8-9~o$G*!eLOfqP8QgXAk99UPn=3S7$z)}1wr-seywr@hQjRL-{&( z=M?*u2)#|@&&jzgo~CIZ2a!VCXfobxmEhXW_IUeItW@;I50roshM~l_S5(Q;J64M& zcgszbIcT;WRGGgK{6Lhct7A)m=&tc*L-_+yAzl|vxt$``{R*#a{3ac%=SUwwuzcYI*bm9rS>LW8r#{hWF&-=T zta8ITOoVU;=UDQETJ#yU-Qi9m%JBWjH=6_9(iITt^8V6bFA81Xa7gne3Q%|rqja#{w9z7r_Qxbd9q!9>?oIB6R%3- ze4ufhCo-9)`}Nw3C3`w-hA`!H>n!~=o2}9u=tak%IkS%k@A`vVJ1Ru z&QVNWPw--Vw9QFv_f%azYPf7D_(P1k(~WD|$D=Eyv1y0qxwG7BF9g(A1kXJ*&OGGh zaWg^Zyy;;4!SP2zZmQ|mJY3SbOIpU12YRZ9?yhlZ)o$^a*!HMI#52QD!cM?LTrcS3 ztkvLs~E-a$%=VcE=AYC`kf?o~%oXt!Ae+LVpf+LvVB7>6U7 z)6!FXobDgLczvh3dE>RRfMk`pwGWQW(?wr9UPB>&-OswGWkh7{3s-3iE~5V>|B6c% zZOu)%Cx7G*+`71sbDdliG>*Y?Yx39I;3w{^wH(Fk!P{bZ?vrYaLLS}%q!m-*_;a0iq zRlEgadj;2@Z0O?R_b4D&P%He@YbCZ@t18I4t8#wUc;ciLKVzF?uBV{x0dLkmr@o7U zm-MWwU+(QGGglaweacdl@>p$eUhfzOPXc#>N*9{P>R6ah$w238_YHUQ0_~mF_HB=V z4l%A>ckGc}dv@>R#~u#tpWbUdD9L@`5$KMO388BEqh;Wa5q{ArSe*VRSHEMbRk$9x zIctjCkvCDTnw#4^-i^oH-)i^#5?5QUloLu?&wcYXeQA1=@VhGQNQqfML$c*w(cGVp zRu&W0rd19%6>e;U&s;bhSb2DJtWxqU*@NRRGp!?a&Ysq`$QDcZbg%2iCc(9`a~orK 
zWA?}j1}f4p;YDlLd+Qetxq1y!Vd78wbY9hAGOzh~u<7*;neFE=CdUM061SUusI;`~ zR4lJ>MhJK62Nki~hx z)O)M_+qdow!Ix|(6qPS}1{?0yNRsZz?0MhpyYC^fp!3BGV^7%Y)`!@aOfKTPw+z(p z^%7}4?)vG&XqIhmWx3Y`(c2?MbT%?EZ+^I~fhW&{XyZ0n$3&chlX=g+9}v%*e&wGp zOj{h4)nTOJ1}LxPZ(UdDB>j1EcKuhW0PtZopnWto(ozU(dVpD zMAN};g3I3!9qZ1ngx;8~OZAbO8AeDg_dA);u6kCsc^~`K@VugWB!ys7F5!VX`hZ4^ z^F{&9{_2AK!VJHHOhdA1#=-+0u7wkC-%LEnVXlWlOH69%?`t@8mXKvAv%S7@%x->9 zhBA78VcP%}Nks)t!~NID6V#Tv}YBg9s^=mYU7Sjx{=+rJ$7Tc@)OrP{N%IZ=Tge zSi!@lOXHtry&HWRudI`iAKzo1k!7!O#z;ILoqzPER4KC8e3yFbRW;ZAkHjs#%Kk?1 z+g#G3y){i^HH@B#PPQf*k5VQA&Y^>RnkASe-qned8N5zOB)Pv=&c|X_IeAylc&|vV zj>XXlA278rKk5X`%PUeOiX1QjNE`pRtqP`!=?`VY_08V zZAdevztGE9lC}ToIf0{bXuu)##dY#~bE{KW(w<(D zTb-POl)wG!KPqZ6atcZsAh-H9Ah$Xh1qBru>EGw`Wb0U!*x<(GlvFGT3JGT3&5LQ( zr#~SHJa1*ee*gjmo-PPOA-1oV2+?!*=7{XN?^5Gy9Zi+`CM|4z&FN-49R+%ed~2K_ zcnCz|_i%zeqS>w{{=*Fd-r38M(UE~7T1IhJ*w*%w8o|3T(zdaV;9Zh_ub2o)9_xEx zkE-OmSy+R+WzHhkX%QxmyZ{~ok@!uVXoxQ!b@R30Ik;L|_@?*5-eqd-5eQoPXCW4Z_t@1}5`2#HJd;OSAl z=RS3;d{6kJ4=JuWZ*5135ZKMRG^elj_0Mi>oEW?`;$^BfmRF~kJ9Euke~9B;%9Hl> zwi~hq3F7Zr#Dgm@p8VN|f4L7e(8Sd~R~p~#9T(|2v7<7l8OdaBnJv&R?5Z>8UC!q% z7|!wK+MoVw(eQY8&h&MSQX)i6Y_?x1+#}VDyRyMmD_j3V`X?gfh8#gh1o6|4|8iqZ z;*sMXxT?8ZKv{mnmpMCh3`zRE0F1L-8$K`6w#7=c6UmR$=2b*-sdS1~vbvCbL?z#C` z)9YWZ06`t@u_deHrrL?b36+uDD2|3KX`{iR<7Y#QM(Di*r_WS%r`&^nk?3dtt`V7( zIi81zn>Of=?(jT_Omw+e(9}FakM(a~PlWJ{{}EYcF1`0>pZ?{(jn1H|e8J)${RLI! 
zAHnqHB2ZPnAo0)sf}_em!|Cf);HdHyihr^Jjw=5IrNwJN18fnCf3yV}VE+iFuNQ#^ z*jFh2*#>BU{WF~Yyb3hHeh4lIXn_3~UJ%d#`ys$U1MG+3f`A6tkKqLY4X_^r3^c%g z3@-?1fc+3)paJ$naDfKckHG~24X_^r3^c%g3@^|C`!T#g1MCO!0u8Vq1PnC5eh4to z0Q(`hKm+W@-~tV>AH)kZze8$qV#QS^)2>5Y+FRNfss5ukWEb_^{h z4IToK_&uDss*t#y2oZ}A>w4jxEIzTOZA#5MZ-Q;snFx72UPb{I?@E{HgMB1;mX}Pl zMCaTfq~(UCc;JQ2w++6_2@6TNGU=dSd8p|ncnCz|H*lgRIHkQ(H*+>Na-d?yt46$m z`%&V=Z3ZIbVTlU*rS5g`|NjjHl2wxt&wkA2{r1&N-%ihtS(Wi~b+Gz>m7X04oCngd zlcMLBr)LN9V*^p~Kz4Q@eJUJ_{#UcJFNub?rvow?lCq4#pn?nUBjx1=UiY`j*#VLN zGC4bDRoc>@NY1{{NGp=FV^(DyUEOdivJ4;*i&+K`_}`di0D)VYpz$|n8Q4Rsx+Kd0 zkYwOX5&@DPP*Ky6QIJytSq21vECUcqDhetHIXT5=6(Of&y-dcuUd4!l8VyGR39zV? z*d*5RN-icFh$2Eb=Z%A`QKz5t=#+x z6Gi^c;A24$Kqi3d0L(;zAb=n&3@IQJ02n|JKoC9~SRfNXCV))%i~z_4kO?3Yz9Ims z1E>yP$pG33pgMr+0II`R1VD8F)!{1{z|jFz2T&bAb@++^s1Beyd?f=oI)Lf`sspGF zUlCZP4q_!Y`aX(ZDd4`ZxzAU;Me(_pj<7rD^|6*$t%!joc= zNHI3cVv&$AI1~><0kKF(BoG{gMC#EA%Q)CN+d;p|ys%3rtO6BYsK9Awi%TpHWJvx=umv`7Cs7Kx0ChMby$6pKWvcnU-z0f9=S zUkf!)$tc*A$x-%H)RYKj7GAi-l8UEQ9ol`}RYVByRA8i4$;7p;NA+^f%`Y!yX~7#T z`9y|}l;}OYG4SLnm&;=l@Dzv!$c^8k4%ZZ`(zeW$y*1r5K!h}&h}7mMLQF3+nSb!w zq*si0=$v39c*S(_5RB@{!;Nrs&OT%cNrpS?8K^|^PeyCPSO=)d!wsLQJY)w?foOo- z_?Oi|8c@25$jCTXB1F?IGV8;qnqoKm&QXIGiSsUUVnhf=ylMfF2ZqMz9&qcg~B=OCJ##-`G76 zd9$%=Kz(k?Ake???d_REW4fHuY=77z$%V=STp+8B#i zfcEkt77)1Psu|SONxUV=RIJ+8B#ifHuYwEI=D$ z5e(4ASi}OfF_vHf+89f~0BwvVV1PEpA{d~Jv4{m|V=Tb}v@sUJ0Bwv#EI=D$2^Rma z+ZbK%t3DBAc(fCH-1Yw7$Z5oUm{-wjo@SL> zSr$kQYrbPc_bc>LZ^oxxMY~j+J!+P#Ymo&{foOo-_&w^NR5qvwpO5-9LNMQ*ms&P1 zM}++PB0&h*Uqo;r|2`1tzlz`jf|B6)g~+635nKp79Et;e5GWKWf(!LKt4X21L~x<- zP||xzulw5wEPEcX#!>R_d`_&DkG*yM*LU7<6Kp>on(_vDeoD&p|Lg9d*I8&P=q<}J@1xfY5 zmc^F+uw+O;5-bXVLqf4goDfh+42eezAy5d!pQ3)1%*fc-!9YbrcK>Rb@XKUcRW$8~ zWkO)k06Hi<28u-h!l02ru`vV=zzKyy1BfAU%Y~9vQCuYx8n#TPRfWcWTqYcL;r;L> zG9h6k>`-vv*eaQ%_N|r)h_zeNcB^WX{jf|(Bn)^z5{-vq@OYr@NH`%eZ~!|59%w!| zLI@25jx9&)n@xyDEENs6D%SLeMMGe50OL_WkSGR+`O<`V7zsiYdO=*+YSCm>S7U}; zCfKSV%^w#Ghaj~X28zJ~8=oPABLT>e0NpS+^go9TwM?>AQJz0684^okI07h&wqB 
zm}R1^>al+qG$7U(XihW=0mT5_*PmSlh9oW^(t^0(;@P)44D2$=e!a^_039p9b`q-= zB?I^ckPi)j1_1dj$-dQXEbH=dzux7eU?eG)B8Ebeh9fu-Lj4zVeY?|G*6-tfz28TY zR1$>%La{Lj)EDK%BS;#60JH*${T9!@)%#B97h83+md~w zF)_==0Nk&S0gILe8viGy0Mm|yBhZvk44}CS`ucSYSk=Q~mUaF3U+?}s0>}T-+(*lqgiNpdj!vNj`GJkEu1yf8_MP;>U%X)tNulM|< z?w(|cA%P?dfF*{3BY^IVWFO)YfbEKe4j*1E*s^{fzog%nwy<&n>}6qT zDa_-q#kdS<6sd(=T(Im>!l#Oy_lf4TCR-2XUvO)C z(&}prO&v5jdz$SJp?yu%8(sz-PTKh($jJDrNqN%TncDne1%{UnC(m$woVbwRvetrZ zBXzP+ZE_L$IYagr)cNelivkk2tG6_sd2yCIY10YVwJY*3eX#5>?T=*Unx!yvz4OMy z3iK#4oik^4j^ol5A@$65h%y{ps*E-_dIz8FHu4!srF(n$lJ&1lnZ1YcrJXu^Piuej zvtb4Q#`QC*JHhWPWBp(|8A_n149m$%<7(In0};}h$nHw_#|b~$6U{256(>q zD{3gdq!}N}i;j=JaiUz2_3njyj^{HU2t|D*b4Dlo_R-a9Qj8jPp!Lh!u3UMI$P(!s(11iLw z+ihRUQ#=tumgi5u;Rr71N4eg+q5|8qJ?!*0Cv#Er8z&P5L!A({+iK|HK9Xt@EXRF| z;vQ=WbKIbmkIp1N*e-Xg``SLGs2wGd?dzMP>&#{tcuZ{1ka5u_0 zev&V&UGXu*!&bYnbyiR1z(|C=eae=OaG>>$KW2O(K;*Z7!=QW`67psOeN!gzQEtZk zfCGGSZpjtB?y&Xm5O{GGmSOvwhGjvkpaEm`Rup032QwsRRw4?SB&ckAuB6U1Of zbEDUDvg?m%0W#!JaPPRf0P(rBJlG%yQ zU)>IIpoiu@FZei2`|RzK2>DT5M&CX&f8J^KD)BQj8@6k6 z=3NP9zU#bpvygo@Jcm2m2h=37J+$O zm~ErYVLVyfc{9~yjaSJQtyk`+cGgz3b?K+y;m~^J%$q3`_J}@u;CWx>hfJYth34qe z#>TbTXKzJCv}h?%y&PfR-}-zWCVrk?sS@j+`3Q znkS;}k$%C6{WlUgxM!nG1kkTfON z?w98t8ywj~IA5!5C;nVy+Ipmk#eYM)LVTH+kw8-F)?A*HPU{H$;><@KF8uA)54JsU z2o|u6AM1Uu>c-FCu5hyFUC0C5vE6DMho5exdvca0#8}PG=Q@+(bDq0rol+Zi6T6DJ z%gHigO8JYf)!H{)3m3~c@HpP4$M1pwvQ(F?&uT|!Oq+8PoAdSgf&y`rF9 zEjud^Owkv=y==gOCQI`5BaK0U2$iGGcb^!1D#Dg-V#_>&&`o;A_tdH^+A37NQn`(q zzDG^7Z>;0cnDjBrqjaKclDP7tD@uKHqt|ubzFVdqf7(SvB=%_Z)%Q--*$THBWXDA; zBG1lzkZf~VXPnkvXJKi7bxY0WzTJteg(5HiuoQo8XMARxM{c^ak6viYwv>=t`Qw%S z*QohB$E!=U;He^N=HeShXfF4@6m~e|)suT1>vOcp;r^vN z0pS@jem)0eJlHC3-;)B6^^Ch1@DSQ;G391$vSEnoa>q{YhZ}rFVD?6Hk z&nRfBq}I&0^$~`hypPBDZa#Nxhr?<{T6Z{<2}$?pl#D%#aZl87fvdNB*mE~V#*dfT z$dru~oA)se?!Pupus)Z5$uZ|4L&I(%!I5JbdSw%>6_5E_;%Ysm+?#m&BD_;{g(}Wb z)fB#sK|CjsAodtmdN-iHK=X;I6;n&Gh4i1ws?-%$=+;aOJ>Znay?Z#^D7`^_o&63j znW?FW=*{(qxn-T4YF|yiN%NcBwNb5FOsiP>`tGDx>xa$NU6c?d?pn|8q+C80=b9Gl 
ziMrX6z=DXUvClM_JpV%d{Kmv&?l-|UQ&x_a*@xGj4!HX4eZhyv&4F@l%%w^!P0YM zqq@v{oteDoz4;V!@8>7;>!7B5y-Yl75-AfH;~$O=P;8Z9GHc^MG#iySHdi-k6ss;m zyb;Biwl9WBAbxC(@S$kO>A|*KTurp4ThV)j^|lm3T>Z@L*7pHd2)9EYOWCK@T3YjS zSx-0EQuOL@)bK(-Ot$h89(r)jzJ4npe=R$w{A@j5hjLux zpzQQ!vc%5l_Vx^}pn+Swh$vQ1nc)`?FSR@m3WWFU6O&fG!1H00c{7LdS?}8i`Yk?E zoVY0eG3nSjAD;9!HwMPRy}|3ZZqXV&dXd?ZlR}O{=JEOMBki6~Mg8|0-rR6MFNYXlK4^5>o*f=W5y(_& zj|ykZu_&CzabL>ZsEm#<4^)iaQgY4CRfxwKt*(j-d&to9>`vpI;6dX9aGq0*8nx#G z?Kj~cN@PA#Rg&Zhd4sw1@LqDC+13IhZg_dXxk*fFM8SCdVbuan(fh}&&hM*WWW#Mu zAK6u$+IC&hBD9s;p06T1P1SRV0iqzrnw%K@e#c)M&xI|Xve(v`hfHd zb3RK!DY@ZMHs`xbdpgT4gjrrD6$OoJsb|n~+2zG+OEd=6RVejEoaKN1)XYu+7F>S! z9mmJrZ2UqmcbzV9@Qgkr=vxF46*mwYu5l!|iC;3$sg4TpoS#0QJDNoOSY>z2t{0DI z#Fb|@+L0WDe}1w0I-LOcs($smECNpYb_lo~02j^|cLV}Ka-E~GSin)T(jBqzRrXt7 z7?(M{@W1X`LIX}X6b|^dz9<(OaFqj&dy>29+j6NYO0E7TyUgi@{})_KFa*g{4hPVI z{pm&mzF4DxV@Tj@HwFRt%t(R3ZWP0RA1ow*wseD&c~v zesjVByTl^~i1zDlr$zoR5e;A-;D`dIQ2#=J(%AlMSO)8`bbKRn%lTJUYc z0OvVr!i@wO;N=AL06~Hb@PrAWNsuj0=Y9vXB_1(Av|pcZK*R7PF>pW*)Q`z=OHWi@2xd(zbN_kskgT{K<@Lwab*0WV=(c98TiSCs54^ByN*BCG^^C zJ}8gLuVHgm(;yOgneqj>dXHRk=tB>-_(sn&7+ym9OL-gbwS$TqK2E+p*HVRz+I!nK z;l#0fhYe}nk?WM82eLfpW+ofFo4m5;Paq{NI4=gU)QgwqcpuI`8bt}I5Zv3JFh3$} zU`6q+D?MGq;Koo3F(YT@Uc1=rU|l3PaiW4Ry-M8Mb=>tT=P@cTM|E4j!=K*sJ!4N9 zC6>s_7=~>Kzjw2P&^PLfx;|+(%j>P?HA|qD*l%Wd2KTnySNT9tWh!u zz_gs>Ja{J`H?(=J)Q4apRKBGpLZFSFJ4}OvlDnp&lH(q9pFAWJ@d2 zz~)l-Or1Xl$jQxOD5W$+Ov0-U*~W~AFr`Z}*mTq!zr$P#o&Q7om>5g`CdsoqU!g8s zm)vDR$F&hdZqfD%x|!DOx?1LzklQ=d@-KXngqkNioNSbV*>Y{}L6Z5bp}V^pY%zDoZ=hv@m6`0(pn=`9|pHnno-tv_HMs%2N_C*DdJpX`>G-taL*IPK%v z=_}sEz7k<^&$*Iwigi&jgUa0P9r`&bp|4wJZEbeprDpcB9kw0ue(K2=m8N`JmiRDa z-L-4=vKBm1XJ~dtT~^*Vql)m{DA&+@e3~Wdj6Rym_beUBR`3HoOA@zt|AJsT+ty!3rK{25| z_J+s}ul$%IrJAe*&YNJm7w)_kyD3N>c(2H}ecSHXG{UW>rrqmRsdcV4rFG&`s@QQ( z;}odM`4>^o3VmLi+>5YtReocCvzuDa_*F6;dvxWww7ibQ3w zy3NHha@w9LG}4cXyB%hC(6`d=2DMW&>R3oc^S~{aan@~@@;uyAo6UX8C;ig&Um$ea zj~hozIPCU(B&d7An%7^x$U1~!OjGY#a8JSHiN;7qPEV1!7O5f4YX|SVkX2{v-Nvar 
zR(t+hGI{vMXm#6LL;(@QWUb0x$3)A)Yf4hWl8brD zr)H#?Ja;`=SC`~i=U`qDXI%ru?=~G5VoN!~J$?yeduK{(bN#to~(A!Pb`Xi5#JIUV##abuO%3`>!>=%ugA2oPWc}1NRUNWlise;ovEu=K{B{@)cyOI;Cu&yI*HoYMA!s40e|q;~(pS_FBZb z`m@mGIJZ&l$X;_YSl);H;p^)sv$^T4VaPZ`>dnx*_F?2}D~~2vEAFD@3`<1qe{d33 z+P%)wh?|z}J|mTx^?~DuQ0kmQYdxU2m@D&koWh5nPK@K;mQaO5C@ds=wI3=TXNCBk zjEiOqIue9?9e|rei++(aHo-ya%|2Z>R7p7WYPAa_(o)5R$G>fk&5~a-K~*Q zDpw5h#UJ&ab$Jt}&Xyppn!T5XH~+9ux$rC7n%k_Z7Ow(!Y+=dJ-a#SZ!|_7?-kBK2 zwIBMAt{I3=>Z?RHLGb(dqHuIKaumjbu)VWU53(WuE7ZnUXRle*1Jwy4`#8sqg*%KacN!-EN(A)?Rz>_j#`O`?c0S zXTSH#V8s@kKWi{_;gH(6II1&abh6}-eo~hGO-9M)#j1%Cx%t!vYtr|X(oY?Oh0f))E7k0-8fFov<}q7$vs9x-V=dmxNI0 z(-KM)G?I_BM8Yil^~iIgN^PaJUi4I*p1NZB{bLLUvX@wKyInRY!==0xEpYZHs zYTaF%Dsqx_ozeh>u(c#rW@nSOSus_Q@1e}C4O|*thFJ&1GiHsR%8Z_fygGDuTHfc< zyfKAEz?rGUo(va@aQ+SVJNjVtXQWB%IrBEx=Y?&quMFE&Z>q#s|Dp1nHGQ`9B<#tg^6 z+vTYf#Zhe>L+rG^^dW(7AJx2-VF@XwEOYI7B*8n9XqMPfD8V0L9CyKQ>tKJ^39L{5 zV_VCNocHGI!kDaaUiKf%r>U(G9$ePOj;hun%vkHJXe#TLGsc5tLY8sqw`i>ni{Q7d z7dKFR9H7UXnDLmch-D#ht3qWCrBp~%cxY|7xqAD~O%k|Sww$dq#?`fxjbft z+Yj%MzTpYJ?`84Kg6Vb7lh?5NaOmT6K_5RK`uJ7Q$L~?%)t#=Svu2F9>%edGDhOxB zwvfA#G7ZPmmyOE4V4W!Ad2dKLP`!0hfwJX6{oN4Q*nE1-dSmhKI0Z% zCx6y8hFL)EiT}&68T#?1JMn_$droK0Gsw+S-rDbZ#Gv5uyRBDzQpGLdcMd#vsGwIu zMjf+Cmx;!9>mE$=rC=>~xjxtGC*&S@h&GDJ>_Xr@ea#uYWN4$M7wd*cMR_Jl78|K> z`a^~r3|?DJm#*7^+~nXI8_D396v@!AehjfG_-dJ048sdG7N}SkZ@VRq>*RP^hMR&? 
zU6$>;Y>fskUei0}4I##-i^ETDxq&SZO^~X{z17Xqg4p!x%|#Wx$lLzcPwhA8oq8mnq}y+C{OJU_jtb#xOUS8m0LrkS_1L_rD zXs4a^qr_3y>*pQ(dMS}%kMCK@nD>agx9V@2*=_OAYG1WRe+rNF;V0QM=d*mBMV>Mc z-W`m<3J2OA^uP)+Y{zA=>Ld^X{JFY~W}?m|QQ9g8>*Sx5)E-;xY75Bjus%?r;dK0Y zd!7?q8iuHt*g zbsjq(Wp+y2=YF@>L*sEETFN1zgyE&@iNWX;#SNl4I8^p!zsOi#TI$R4qI}fi?cy0l z(TyehuJjUAAKacYGl2mKZ=+;YRH{atmkr(kb%{>Y7*SBA#t zCo3)8J_c}J%x)3S@ZXYey8pd>S9Gbxru802+Z4m2gm!VSFRL^vr&g05Y^-^}V`hvM zaTo|3vC;J}4|5wR&>G}cOBigtAsk!2?u_B4vsL|KNw!8t2F(MZ)5UHssCnPO?*D>s#i;z*WeAA`FVL53GkjH1*gQUWE*V>7%H?U;pU zV(Ue`WM0bq@Q&YCpV;@zIo=tqifRzs&?DLGv^8PJSNO+#eq>V8f6^v<#yIkJW!v(*1UE?ldccG(sm!Z_346W{Zn>&VQB&U#kQzuY2^iYYnq$z3FEz5eZg8{)BD=CIe6&? z3nbpbT(I?*t4;CAI8{(t zI4P}@%4Kb5&b+D5Z*QVhVljFi-El|?`jK_PIiaoXii4wFKv89J(`28qbLJx<`X+ft z{003x0T&|8EH5xV8oPLAUAq+PhKuhqdHQu3*fIz1D?Z&^>;Q*sg8p_}@C>(D@Z59M zX;e53563qOARD$=9UOWwF|Fk%uBsr{U}`1Y}Qg~5ZP68OP9I!mTwG7MWKj%MvV zlhxjl;K{-`BKUmK+r%k8_0uUI?pAD3e&#`s;xdev1$N58H=83d+pl2hx~WqYtVAHY zucAtl+bc2C0yeuAO8`xqmZ=xSYZ=;ExPTR6~+osr-8~szaV(BR_$hER(Es*dUI&T`L z-DXAFr8Ye^cie+m&y}THj1OS(_p#yP_r<=g9EYRxdIkGs%WH)TcKKh`R*609F8O4_ zE~6n)@?VZOSq>NteN9@{W$g$b!wDDvhujDlun}pB*??|ZH{0g_wzSl{JE}ia)Tk6}Z z4MG*%>mn~_j^K*z{W~H{%sL&Ht=oAFE04X=Mp>Ttz%aI~)~C?8H6R(E_8#9n4{K?e zcRf5V&9Sas#$xZox!wHfR6Dc1GUz%Z#00R##+*F0?X08_|%VMo$$sDd<;Wg#q>k|OzH0x z-g1W{I&UExx+qP0{3er{V~{^?oohGcuD|S-oYx zj{3pS_xIwsLX%XUpO_r3ZAlLa8xj#W#Ju-j6wP}lJrfqOK)2IsRAZOB-2*+!1BWNi znbML@J+yRpp)WcpgKNJ-&FqieR5$0@!B@auI$VBv9L-rBa4p^SG|v|7g( z_EnKJ-A$f1N`$s5SiJ0?Q}KOKLi?8Ks%`K4-Z`Un{AI4PJNAcu!rCwGxaWGdO|BJh zXnk5KZt?PYYwLHs=@IjyGwEJk0{3>U*T`;pS$!~f@5uIb>eBapG?hm0Ett&pKVuZu z4@_5k>CIMcz3l(-{rJ$Fa5$Ny!XBgglq0=ET%1!m0UsyJ7W3P$Wtavne(01k<<%}- z?p|K<^_%7}4fxm@VH&V7k-`CeUANTdlEgI`VHz|&n=OZDbG>w}%=pbcW|QZUfiLc$ zJnIi0VA$j58dB;ZIXx$+yPN*O#+Ft#?^!*GLT>f-cYG&Ogp@bUIH+&%cb78AwmI-} zi_}1B$sBb?yc6@qU4!-~4I_ajadq$%|9wws zg-eR;BI=EqN;ohAli-Db)4lFji4+ZAhR|q4GEF~pU{43Mr7m9AA z7GF8sd&bZ!y*i4{TgENMJx2YLegOMT9>x#ko|hyS_C9_nbMQ%FQs4qX=CoE_lxh1s 
z@0bgFPRfRgPV#yd@8#DO)sNpaT(pj={?zN3CTQ>;;}?WUWVIGE?_jF3(S1oVFtOht z8SYv+6Lr(4*JSd_ONu=&hvPm*7V_RQwaFl8<#L$#HMO=am{*k9vBO`6rz}V|UM}ow ziqh9L-BoU%byD~FehSRqSj~X|%w=i?j8ZH;L47P4VYvPwvT?xKus3JHHey^#JBuQy zWIg{m$>&dnD!0DvuhqE8M?T-Lg*R-_-u1!K{|d6rK_tElezRyQY(#K>W=f@;uh+x$ zP``rq0^!U>6*CQqL)MJ%X+P003ujp|(?wm;5L6RQE+=V}YeFY6y?I0@9rfI%(a@#B z|8QjYuFRt%_LK+LJxO0CS5iD1_2ZAN(AU>L{6hERf^L6W7fcF6Ev|yIv$2IT!6cB- zB4G+HjxKmzS942fIk?r!r^(w9+_i9c1s5k*7iVJP7_{TpugDb@^uFF^`+4`z3$avT4rJ&!|zI|uD+_Kz5!mv+CRf&YSAQvh0hh({(M1h2XhL(<&nt^U3-6lo` zCKiEhEL*m)z`1$Z1f-ENyRgu2tGiW<_wQCT+$)9Aa?&<5wXm_Zk=1bXakcU`#@Sdd zKO~`{T1Q0{ylP>v&r5%Odnf|MdQvj-b(CKg1|ub-pnw(y`@AX`)P{7k_PR~Xa0@aD zMkWOL9?n$@gU!z&dnUbivC~r?djtwUgYb|XzHz~K*8{>5Qtqir*~|FkOPlL0E;{OJ zgxTe2ND3yGqgp@}An`Bx1ph`!yT&>7pdAlNv7y)y()#NuFN%{wdoRshSd_pP1x45> zJH6j7ZI_^dJeBMQU7E)~smENjVN!n$ssM?9$tUiOj29htX(xRxsbnG1>c319LHVZk zweigm^X|zv?kcgQr`&(-V&7H=VNfL0! zs|V(l!xIBseS4-KjUH>J%%V4Dzb^yc{-33>&0|Tsmo0qpx=31a{Wb2&%!*lTHvrzXn#NDdz`K5mXmtbNU8`yQv<$rKr-)WJ0N%Bl z#!t(@yMBsjbpzmCt7-hS47}^7h*mcM-nE*>Ps_l&eu`*y1K?e&Y5cSdyz8fkRyP3N zwVK9H%fP#SifDBM;9aX}{Im?b>!*lTHvrzXn#NDdz`K5mXmtbNU8`yQv<$rKr-)WJ z0N%Bl#!t(@yMBsjbpzmCt7-hS47}^7h*mcM-nE*>Ps_l&eu`*y1K?e&Y5cSdyz8fk zRyP3NwVK9H%fP#SifDBM;9aX}{Im?b>!*lTHvrzXn#NDdz`K5mXmx}C``#t)kTkPp zqPv;Z96s;yG*o@k=GZRQp6d19$VZoH!JGeH1`dtQ?2Ik1?pF!r6Gl4qDyl#2lgjoy zQ`Q)o#I#|e^P{r*(}lZcIogaIBf9S^o`!b{TMRfFXP%DE!RLt?lvlPC7;ObrfW*J# z6K&I$mKAU5gjt!GmePx#&YsPd8!0$F@*WW}+L=n%on&}Qr8kGwKPc6-j3b8olkb9G z?EHsr-F|!jaLvfnDYUFo%Cm;~ZAsjq3Xu4BeB$}33IEGM?e~4cYvU3OT;xW?XGY(P zqi#!{njEcNP~S;-%_o=H$1G)?=B%$#nOdMPC6qj%*O7K9S{Dzh0EvIcCpyDY3lC?g zS5H@EPsh8Bj7-(6_m4kQ_sS9;_re;f2>-B1#DBcp{FiR}gUXjxSfIKemUj5D>;Cj$AmX!tzC0KR zS^(f*d@c|QgMrq1__`wJzx!Mu@nTae)3JO%V z<{N1_K@}kJ@A(8{!XD@m;@wX_S(J}{8VM3sCYhD1NTFBW{l^IP>;ICnK4D8M9Ni*n z`c`-T5Qef~361fU{`KR1*^}xOY+S$lK#u(~iEmP6?L(RBcd2EyHNSmaB{xd@tcCK^ zh94W249=2H1cmQsKYQeN4@-tTxl`Y(N#syzSIShbE4}-oz3T_U?;e!|>a@1>k{pZ1 zrD?h7>qq>O`gB9DU-|9Bo_S5zXfl0zOZIH)V&)F=j%AW<2{LTIeb{w244!FkGY;Gf 
zD%KpZ?O`99Yv>&w{_VqZV~*W346rCq2W|`87Pu`?TN0qQkf;K+B_RQm1jrGOcIES0451U2w;)` zK>(8kFi9W=1DGU05Wpk>g7DoW!KO!A>$*=6yll>1A}hV@<6|4?>{m?K#z5EjSLyGM zzw$6m;B!w~>_sLT4sA#nDaEJ{>Cb~k00Hm<5D5Q`TA;B#sHrBr(d2|c(1B%=JS6dk zXTLjb=^44pB$detwojKyIGh8#odwmavp1Ft#!vU&zloGBlG>bX(;V_T>czrjhfaLb z;q76%$k8&leb%5UAOHve0)W83LcoPN|K)?cllH(8WFSwx(1I|~o`o8)99l#1(O zVNbnlm$;sfD-I_9V}|ShR&p|wZTltV_PgX{qy!v>KuAbI$;n703<<|zOsK_`@h%>& zuoa^}zoiz}g^BCo&7Iv{&G9&AOCKov7OGLidD>axl=0@!dsP?#?}3w*r50DmIol9y zVUp-?Ikd#&WGE&1b8<42y9*d%0GB{!MaOMlKyM*sQ1Kla?8 za+A@ka+9&xe=|2(3MKW8>%W|vJVa&tB{zBdm)vA1src)Eq!g57{b|fHiRrU}5m_6{h)kpRoq@9An|}GoUw5R^ z`Lt9j&Z^lshM%r}G3GX%9_W|-wEXq%uMK|nm6Y1Fw0WRUaH06@;ez?Zv$FSGsy*iB zid25}fGhiPs?9De7UAR!bE=x3Q$Uz--IdtU%z)z?Z*z67c1(B%nJ`fG)4V0J^+_0{ZzG=<*5;FvnOy0TsX; z;~Nby$N0tq%$L8hAOUlXZ!o|d;~NVw$N0tq%rRE60CS90Fu)vR6$~)P_yz;aF}|?? zbBt9iz#QWn3^2#|#sbVSRFvs`?1I#hLu>f<7RV=_9;~NYx$N0tq z%rRE60CS90Fu)vR6$~)P_yz;aF}|??bBt9iz#QWn3^2#|#^NvL7^TGfTjB3f_kDUU}W>AjVUR`7WrX(ePH61>iS&P1{(PJnPJj-=24Y+q2HfxlKL1T{W`M4god+8o)RH&2SL&StgP0a{Hty80c)A617Z% z|C^Lx$)6{d{;#D3qlqcO#7x)kQi2g!C?yz& z_KG-n0!-Z8!UAuqq^hM0odim)wj^i~Q?CgyI0_>HrCEPlNg4awrXkUikZHuEY)MJD z7#cDSS~?md0o5U(E|Qc&i6J1|Fxodgy#_YZ1+GEGtUFQ6g5v+Rd;t^Z@okZ2?k8pI6h*e}eaFi>|Q&=|;AslQ^j zUsYG{$L>UaXW0)6WBqiAG`}Xg`>yqonYor$LVnSY_D{qtSnC84^X*G$aDD;+tiX z7%>D2f%%UN!+dAh4=Vm28-~C_o`fPILrEgO^d?dQa(omDE(JqDiuM=1`B$-t{m!u8 z9|e#^7e^tXfJCCd+J!|x5D^eD6r>v8+ohzSYpS58A%+lx7QFw{Fo6AT7=ZfVx3v}m zgn)QqA@PSo01ih;LXQWLBx3B8DMW0{>a}K|5X+ups@VILJ6Yh zV~|M5L?jfK-MF zXzmKUzqjl=@rS0NzuT=SDWa4~NFrBRhWhOK5>Qb7on?O|7vHHr#QS$GBMwH8G@u|W zR+yoQ6G;pfiqpSF_7~!h{Z9NL&Hi1xAO(Z^61u#C0ut)g&wYu469WNG3=WAe!SU0+ zL`!@p{m9>!emI;s`@z7aq+oF3fJt;IGz<;}0~RXy3IMEW{sXyxX)gKOxm_&_$u0)`@1*B$>ldOU! 
z13Tl`;0gp3xqV`T0mobT8;XnWOz3_t1 z&GOxQNOd;bS&uzWB=|jW6v3I^Jv`Lc&y!!$-@Ekb)Z1X^EA4$ehyA#)Nb*jtZarp- zmpu0;yDOwhKE+4MgQ+HpS4qjd@5eVvLg#32 zoFC}r@X9U~6oqA2)!E)FE{J>uA39gKCp~IMe1Bb}!H3L;TDLZ0Z1z*tl&DISGdn)y zMeaLLsM@=uUdbuj`G|0Gc&HY&O`LX*sgiZZ=8_HZ(FTqW*~rV-ocuhvqxD|cajK4P z@3xP-`|6xQ>JjA4Gc!&xZi1Z#r?`2C)Hm3b#mPMH>hKSGKb^D-9X{oKt?kBSsr_Wn zf%4sl@;6MF>zNUfW$D!yN4FX+4vc$ARhOKz&3n7ly!`mYWT|T3o5*E;jLPyt{?dlB zPvoYuIg9jGJ`n+CSnrsfg;+~gFX6M>4`Q+wT^^p`cv(h`cQ@DtUsSNb*a+-3yGw4( zRfd*u-r@MlExDQY>Ep>OV~A`0FGFH3aMm2E^f8BwBBZWp6b&x_}$5o z)a&Xi(32_@52Jd*NW}DO_Bsg#7M$9|Rg`c@xVCG@dBjQi>xRrtAul#(D`-qTIlpfw z(l(Rtrh~pZ)sSRQh^hkv7rrC6LCk66JvE1Gl9V@9()H>P&RXYvF6OP%WDvwex7%n}t|6tRrb?6n3 zclRkfl9u7+<%RM*7urL#hmrT%8FIC@A8Ofcrq>~!gql&cl(P?anttiGIng4R>a?|! zlQ-d6!LzG~eesPF!Z#Y)oL+6S-f`&C^q^{CQtn69!k~z0i~y&=^_hL%B3&Ny$q6G{ zrX6|PHcXekYWtK@WyVgi?g;4>o8@=2QtdWLG9RlxmCAL`&CCyZRljxN8QFNVk?+vK z53K8l)a~!;I9=VSRaIjhuf>&naDqYilFptKEqHESvXVG;iK@Hc>mz5~?Bp*gT1wng zeewZ8srk4iZHM!wqpVS4rQv*eg5h!PBF(){X7cW?sf|YTQ7?jPxTH>y^3u$4(Tl6{ z)d)FWW_Tf#f@V{Z$lRTVu+*a5tWLJ6rJpYn87jL+!L8@T5fK*~N38CvmJpGIqZ0Dy z{yufgVU>$-Ua%@_ZB!;(lo|5w9Z$cswBe}RqVy(2yXGl%tA!not)`$7VRV8(wk0YM!)lQz;Q<~+_;q#7G|_Q zEDX2)GPUd83t_%|RJA7+@7=;?oij}FDn9$>ap(=Noq=|bYu~z*R8|a@n@+e~{xnoA z7cgDbZfg2TC)b!qwA9b%{n(yE1sggJ2l{bacp5s^*;;EfP!$v}z8gfoI_jRqJ5=eK zB|0>6)E$T2n&AE>$S}cyX*t#J74!MP#0A|;9A)$Z@9*Znv+*`8&k2w-8*dJNVUBH< zJ{z4>^)_T^>g^Ki`}vuvQkTO;I~WyoET~d_Env;+!DQ{{$~3n>RDp%qx#$)qEoB9# z96iz(G}W^8GR-Y324x9`kOP-t&z>}#iaW=`Naf6>eIqRB^v+j%=@Zl5TA!Tq4jkiF zk5ZGLWLTc>o*utUHfgbkprY8!DmW-Zo3kOr*tRtA1WsER)`{nh2;a4D{t>eIC!iU z6ZJMMJ8O+pTg=#y_wC>bGN?c|BukcV4$aGLlAi3kK<5;wpO-2+fACI5R|y;x?8EgyvxQcVO;j33c2csC?&s` zW8Xop4$@I?^9jfoPxZiRkDljL4jw!m*GJ_?_#+$NtWQ0iNgdL;QKA*EgQU1Sg^!vl`)Rri>4j;-5>5~C%Lo)s_A=u`q_a*j&)-qJ zL7{4Ha-8gd1w7Lz^TJ~UZ*fAcUHSW6j;cGy)bH84)9)`dnRt{>ae}{qa)?~lg+&E= zC%DmR;*r!gr%N5j6mqI$=JEod%9#Sn?xrDj|908g9;3nz1zWBH%B|zP8_Y+U&<&#G zjU5UJIn^?XEo~hN0`$+mvMLcS3~hgqkC`g^f|H5lvuC! 
zvk&Vjc2H|6iqK3d9@%hFv4Lh!nvzu-WCD*%lHW;x=wn5jUUdDSIMM4r^~ii?vWH^m ziqWO=TjqR`(aXZ2E4@2V3CCs>V}w;1De{CoB0s39G9IO2(^HCiqL#?5Qn+km z>3j`SFH7@AN2#vK@s#1c*~oO)i|=mx&9mz;r(~WCmFo-0zh-mRaIwqU`+eNax)GoJ zOP)L9ye=Kg7bj2j6yN<(g>if3QD$@g9otl&&ClKoX^pObB#LCYlcrZUabae76Q26% z8A*fPO!$$aPiCk3{iYuXi(j)Kvs$*G@^7SG&_~@mZgKTP0-0&-u$zRyB{PQmM`T%O zojR3Ju2&brhijT#6hoD++lf#a564|j%OcpSoyr&?gfMwXBb=D1xm%AUDRqvE@OGp%2)i9r7})es zKd@nU#ANu^SCUuFY)9qy^vHWcg|-vHSM`%y?p=W$IP*Xt%YuU@q{*2>I@jZ4%~hwZ z&>OKWADoV7UJIwt6_4InTORyUPp?Cw8 zPtW?}G#<>d+ia@P&JXsZd-G^Oo28^p)#=wf<)SCWz)?d)gR@+|sK%x#n? z6>O)~RCQ#deogJ0b4cI6^*~G-*|FGhG%iMX%ZRHA1zp9`?mH%0YDc_}WeCoPqHigG0c$ReXXqwQwgO85h8?nzDbv_jD{>b^w zot<}Hh1-?qI!fN)(63;+d(!BkapgyqM)g98B3G{@J@+{3 zqZ7W*>3o=#2EG?R-n=ngXRHq5oq=^Z_>%eL=8#?>o*a?+z$3=WGe+)*2lk(GX%nsMw9 zub)=$;fhZW5k8Elo4Wfn4en+YQTK_PokE||OXe`>6H8Z1uaK54tKe~*2vEFz(W8KS zSd+opv9c%yA!Hw&Ns6MhNt#7jC|IU+FLeDiWliff(P=(X`jEuolB-h>HF zmBhnsl)Mg#zKkijM=^txmXyM8&iDBliVpHR)v0}i?YQfsJIi$#D!qKvqEM7I9DVrU z213Y&yUpp1_lGi%_jsPD<;^^Fi2A0QlYHXG9Vsy}@@1b}+HMicJP}oJ=hUlDoH!}C z5ihN5ZqG3`{&CcsF8;EFOCH>z#E_$bzr7qBVnKKDvy7^>Y8cK^r#&%kJ6Se>wF!z) zKBRl{-ZMe@TT9lmAMm_Jf>y6$<->U81>cclmv8xMN)G6}Js+Lor<>JqlqRUXDr?h@ zx;K-zP24rfwn|InskSbjy*A|U9jm#GBtBfZ3lW@4&wBavdQE$?E#a;dHIoxgPaaFu zv$F_k@xSL$!_84#OFw^2?U9ixis`jOhVnT?)_~SLPfNexn}E%m2iJLty?BNq=^7j# zhR;oQDP&#{R~{_1)EN+IdcNShtiFLkE#@N`^C%mY+TBv>ksH~sH$Js{b3cM^#C0I| zs9bfcxx3Jfvavfy@$bg>%-;wh0=ORMHA;+GB;`ve%oN|T?~Klp4%9~y_UmN!+YN*q zOYP0H&1$DIR~J)1Q1J0SzA9S$NJq7M1-4?$TNr!u_IX`u;W&ic7H*9PDK8?*RW3|m zZGGw5_`_x~u%qM$rL&o;5cV5yCS0#S)xKHpM2|f@;^2CNCbk#uX*}g3^%BmdWTN$r z)&sdQ93|L#!Qpma!b% zF}ppkrOHC^MoGF6?;bvP6W-)f{Z9YqvL5>{?npG>SmJ;7s>r))`hGuyXPu7nkq*ua zEoyAa`;anEb+~5Fy6Kp@@B8S!s55+Z6MJsMxm`Q!f;jExkCj$tpW^M!V;jpk^Neaa zL@|E^t{BA9aW9YI%8pwG7Y0c!#X36m|a2G%3V&1Ro^sb{wzh%44f91Ig_-b7dD7y5w{6FO5U zS=*v!8j~=&t6&*!8kn53&!8Yag`+R;rGT~u6?>COouZLctp65mv&JJYs^m4jb{qOV zw#;3;!B5?2S(Gg$H!LiB@g@5MT4t04UWq5pE`QT|XPLL2_0BSs8r6Hsu(nA8T~F`u 
zlGdGQ(|d5<=FQ`m+jum$=T(mHd)%*gQGvpsGC;o1BV;c}d%E)7{X^Y8Vjpw#DH~<5 z=dSwXKYW`R=yl@E?GU%U4wvY|8+JZ8&aK(s;(jnvGBg7dyE#FP`V}vQo6wV!x|~X% zz4fkpjjVQ2g#HHf=9Gy5!R(7d;)guU#DW8@yj~r~_w9RjQ*|Hr@QGV~)1frW0bUeI zY>p-#mCou9RLs-H_+|2@D`l$-800aq_5xHsQpg%pGK}RCGnU`|_Qp=rJBm|8@jj_=c&oo>Sv}uci(xUh-g2?G-M#ce?9!bU@|flw*EP zL)sm7>?*PPa*rCuGWh4YYGX^$-6uZyx_6LQb4t-7hL5JGUh!}>z4d`olfo;lSX}SI zM|qAA@k_&A@$}21iqGg zmJGrrj8X565Ccu=#?V2GRL!fmQ}~tB@!Lyw zj}18_I&5~xCRsk26c!y&e^f@_{b^ywgIDR*JK2wya{c|5+~cN3l+Di~P2XRq_0;#a zRmUBdv-d?%CO^|;wG%Tneiho9Ku;4GTk(i7zsED&Z#uX6rEi(2eqWcMUa;n)1uE@r z`jsezo;aC|Uqg+kIQ^AAqk#LPd+ndm(Ndc5;9>XMX>uA1uNpSa-{r17`nI}{Jtq6` z24<62?{{OyZe+@4<*dt6nGLK8gTfxuF8!wBkC)5GW^%YBOV)|`SH5UV%(z^CV!(s( zPSb~mckk;iv)$l3Hn!mL_R5uoF_Szd$}BfK6zk}DrKohiYth>yO+U|orIdC`O*Flq z5VRFYzH&7#cqa9=j7Un}S+>?Cn6e~~V0N-*N4zC+zD7P#mnVNd@$Q1y5Npj;y!IKJ zz^BKbq-uZQPfO|4y*@{JOtQpR^+f&k#Bv#3zuuUqjHiZrBZL~v91N|3tZ?oRx5{i- zj;!k3+rCqdYlzh9rK5?ab}7G$K-m*jy5!LLsQ#fj`%wmjEr*5~a@R74&j@zXL!+R2UcbN(|GKBh;UYnRolcFB#n@y*v=1e#OORHoXJxb+e-aiqr zC^(jDR7srS$r;xuId0+#z#hZDX{a3Jo-d%HV&K$zqm-oIVHMC*MK3?ecLuA%O69SaD2YO3fA(QK@oOg+TqluS-ZD20g?}B|Za?2Vi7}jl@ zJ~$$u(|4SwS(A=dT2w+?_nJrLg+yFp*PDbPg=4nTv127{LnkGbX%40qN=s~J4fQ`L za-ibsOC^&#Tor7GB5$r6cxZb3MhN`+NkJYoU#Djq+xcx5oD)2&u(tTmGn`YeWzHyI z#b+A~uKMZ)n@;L4DUgWA8aAqW&GX{(`fAQ3U{Ac?o^bm*O?hN?ZrjWD;_i=1#Ra?s zfhE0)`g@T#q|@x$8=qye9FUbb<1BO@PIZZ(xfikC{K7JgdG zspMmws1)_elrNv2ud92F*Kf~~@OY4wxa)TG;se5lfPA+47)Pb8OrFhY{MhXMZLwFc zR0VmRf3xw-#?;YCjSudhft>y zTjZ^{c`P4)fr3vZVzbh5)C=x%8%_$d*W>&5ZmDbB8gljS!#(F+ZI0Zp93#nHdhf(7`0~v$9GNF>>vZ)_Q?@QBgsSJr&ycH^?KgjYLUg3Z8DV5L(@?Bj= zc@%Cv;ZQlBTVnjsQsi3f!JP?<55{7!504C{l|+u#&gKT!?znyyKB#ag{K-&2TAN># z@Q&J%J9D(}YVye~v3$>K4oBPa?PQd#XuVN7G9V*DZdh~@0<$zwv=zEGHsTDV{Ios0 zMS-#p|I~G3ku0{Q7BAh9%s6Q2huLON)##mAT#|5hGqSVU8z;)K5p5k+FqT2v{E)NN zXWyO!eHk&X!P?xrDm?oUlmkw|`=pQNZOhNWvAq<1tAyIIz^KseE#RW?rl81qqbfSL zT;WzlFs6U(+))MBH(E^(`mWX#Si0IND?G6lz|>zAWi+w(q+mZCkt-l3wnU%{yAn|z zu{Uae*W`89eYDc+_y;RF1mtopbFXW+x%04=z@HS=R3>dgS;**B!gkb*ObB^wcjrAZ 
z&L~2sG%XUG#2J)gRnD6I*!GdX);{CY=7`<7?aX~}#=5Nz!?&i!s^az=)x?Hk&+VOn zDi-S3Hj)=g1x zadg4!x|&-;OXRFxQAXa5;I4(kE4Vnhx;PW>e1vxV`kRxYg5K9(oIdaVd2JeN7rYZp zV&yj|=nfm?svn{L-L+C^5mdpe)=K%j8p^k19E$a%Wb4Q&p|w(YptVv+$<{-Qr9jK2 z{P7>@Iyf1{rp*X#a%PJ?jGU`hN|~Rlo~*NrAzakpyP$fb&JG0%{{*4p!ra4+*W|K| z*|D*C+kBEL-l@qT?_Cbh_~2x7-9cvi!Qr-Qr6ym=yS1Pa0Qv8926ZQ!M09VvF4Q!5G$1{ar!UOs!raaP^?mXl4<0 z<+-SLwaQb~8c_tt>(_B?+XaSOm6a-`CADksoDBz+0LXu*GdP5W$;G%fYCln2CJCFc z>^URX{mwYOY%yNBuh77}Rn7Y#{{AwFxpUQ|Qk=T?ZRK}wu5DznJ*Kz~R=fTrY7cnx z-^*a5n_0wb>AUOfqK!~x9y)n)Bii>TYU4b0y0$oGP38|Qnj>G|t^Mr220Zty#$pk3za^*{++_d-LdbESBF(A z?OxURmx|jg??~sLNh`=6NinI^jsqR>*AziV{56;FYe7VO&*N|20crXhFyB`LY5JbW z-@F6T^fzF>s|M2a9ge?y1ElHi$b451r0F{xfAFrd2Thz6hl0@7a9Y0;K61i+?BqY5E5^ z-!=hh`o`iPN7VGVYy;A?g5sYFK$`xE&ev@~n!b|w$5$Xt z|A^=7Mj%aJN&Mq0kfwjc^JOEDrnOKa0n)T4OhB5}gb7H~S}*}=S_>s0O>3e=0;Fk8 zoPac~1rv~_wNL`mv?fYGn%0I1NYh$40clzbB_K^}q6DOAZJ2;Gt%VbirnOK4(zGT@ zK$_Nu2}sjgI00!|3nd^;YoY|CX>FK*G_8dbkfyaz0@Ac5Ns0 zO>3eAq-kxKfHbXz6Og90Py*7lCQ3k>)`kg4(^@zIX<7>FK*G_8dbkfyaz0@Ac5Ns0O>3eAq-kxK zfHbXz6Og90Py*7lCQ3k>)`kg4(^@zIX<7>FK*G_8dbkfyaz0@Ac5Ns0O>3eAq-kxK{=bu^pcbP$ zi>B{4L~IdQlJVFUu5?}dR)akn6#gDUYSu2(*V6f07c0{*YBcVf&^hze^GsRR#h?o` zbVmIrmqa(C85uc7jGpRqR255Uw>~)gvcc2&`dtsUOSi^4m90m1f=U47ztb7UvxIIf znLIMoWeN#ubU;i!StilH_`C@jI#Ff)ANFd_Jzw;Pop(Vles^6_Pi*4rSU1L zc5Era=7XQy_0~`9)x$GE%6AuJKqUb3U+D~QPQ6%4DDf}*$h34#Xyjf{P=kz;+*s8G zCUSq|qTk$Nedu(3aGK@xDD&O+ovmYC)z&k9Qg>U6FTWg{ak07UCvyo@0wDjL&QLMq zXBT$IX1con{VVZi$z7(+2}fS2IpG~H7+>sf<|{xy&(Z*I{@WSE@H25Vt?kO;pIebG zw^HMrt=tKCoVgRR*2f!FmY8Ua~quemsf=^uc{{0;(NUb z%DMz|0*<(=G7^S_&Z#3SOa1j+#Oec(Eoj*1e?D&{ZkCsK@rD^8q%bfH28KYPC1FSe zTmm|vGTz0*mAKa*CVzel84MYMH+Ob-HOJ$eEq$oP6`&eLoTr^7P8n|wy;p@1@E$ng zk=1d|HUwLkq@=7Y>3oU{#1Eo^LUWHsD;T&=u~aWcD2s>`%# z&vF|H6|sRF$*l>eMi*Zvj>;#K(WgnBWG2l-Q%Yzla%UeM$-6u!v8BFyJz1My&qE_k ze-;|Mx5q#ezy&x12$FwE8A7Y`I*PAbwPrTmv&S4fE0kF%H`viSe9xFovrqTz?iIoN z)dDvE*uKnBkwYaOrNVn3H7ubq{pWu5SS$Ovi?5G1YC3Swe>BkG^s&@Md$;GXm5skz 
z7(BdDC_f{|e!gijb1S9pTtnaa-M@OQultd{DB7m)a?qmjedhcjF}jp@sZV*1eBJn~ zujKLGsI;y-<>^C4Q@MZilj^S?Yh^!5#H5{mG48bCtNa1m`_f4jDLc-uZ2Z*%9j>P? z-M4B>cA`sVt*eJz_I-h?+`wM_=n13EGx`S6SKks|9Q zz)gXgLZco~(_fX*FZ%&C1%o~q^ugTp^ECueQ=q25K>%DrflDZGr4O$3!IeJvLh3h$ zkw10?Ur2%PO~Lo3;CoZ>^*;D||F;Jd@GBJf6$<k-}J$) zC*al-aEBDQL+W?O5)yES6u6NO+{g#+HwE{bg8NN>doTgFMT6U-!QK1d?tO6gK1ee8 z-N6JTnSfjsfFu);WCD^* zes?edNhTo41SFY&BomNi0+LLAcPs%(CSdt8uzVRf2UgkJ{kww+NHPIQCLqZK zB$n`li7gATw!6(9k80))c<2~psnn=9VAzP50rK1Vk^^(?~+`xl4O?Jbw8 zUhtopz5xCQ1OS2W37og~Eh=4ZrN%j1xfAd>b0=cS#loH%A%VieBw)niu3h4KKCU>J z_yJ7|dz>YKT3pw|g7CRU$p!C3Ev|!eck#em;@n|SQ!TuUr7n&DGZNQQRDy}?;k*ej zaaAXC8=U-?SA{RHswULpd%X$Dx&(6qj<~Bb5{87%sUs^({qI0B17})23K5ry$ zmX~+&h8ZCx;4nBG1w){a(5`R{20EfL-o?X}xZ58#e|`&D3|WFVcXoF*$K#wWeW=A1 zpc+M-r=2BE8E+1~SA`Mq9ysEm)p5=?1Y4M-q^vCL3lleL1RRNgOp}0#A|<3yFye`c z=Yv@~Q4?z+yOck_NWkzmkPS$fjXU%iKHIG5Laj~xSAfyP{k{XdLIW~b!`$8B+s7cj z`}`@?J)G>EUEJ*mkj=_OD8ycZh(VUG^c))g=L7%PbDw*JTHMgi3i_-FI2u7Mu7b0( zu_ZvC4TFLBxH!7tbzRLZp?+V@N#2g&u7$%ZxH!4GIOCiNFsQAPog)EZj+UB% zZX?|$Mg}Gpfo&{Xwy?mtdD#S{kutlmNQ~5O732N86%F@FVYHmI4NWa!=zjT{V6HRX3(Ny*45 zm{D#z>lw9|+eoO0`^k|k(w?udUD`8o(=lC#<93XAGJAepoNt$f`KZsS(9A(T@D|Vj z&hURJ7D_yvqV39N5aqp>Ri1M^E0&x$NBfv_jH=|c3+i1Ju@u?L;wx)rK0JRk^!ng> z_J}y}7SI6B@P8^6Qj3iQb+4k#MOcd~Ra6h#Dl8aD@{StJkNbERseGGG{9=hyEvWg@ zndH$NDdTo2!|B{ARItAtT+Q0 z9Y8pMZ~)=3LI8vV2!|DC0HXs42M`V*999T`Z~)=3;tXJP0O0__0ffT}0T2!#99EnG zj1C|iKsbPKSRnwy0ffVfGl0#rIIIu=;Q+#6#Tmfp0Kx%;0|)zMz_P(G0@ALbw279gV z+I#J1KkNHEYoBxWa^^BkrpY-^5?GTqM%MD{qBsI%oAu^s5i0FWpbFRk$?(6V1;hS4 z@^#%LmL#VBSCT@v(AHo41(T5V^P9c*rJ8vxooWj}Z7EZ1HkxBcn73=z67@h8umO_c ze@P2Uv$6Z89EnH35O53(iAF<*BJe1vM->v$+kRRVbuTMhRjJLjK3dVgA~&oVz>m&*P@)rxmd!w?uaMBtw=iT^q#97+_67RN$EgB67a9Ra6Q5lEOg4lauP3m|1RU4tJXVZVcf z{bfjK3|bV8hvOkkXmJP=8Y>QwL`he14E_g9hB`_=Lc)Cq3HQs8P)O*+Xp}fa3koF) zhoi7K7z!FNEE-B!2qtAPzaKk81LYrK;lG20|8-cD6Qdz;Fz5#a3kz|C630MLkvMS} z8jXfvL9zdLWC-}5k%?2%_B##z=c$gNpui&Wco+(g5XF3jhQMN=ffdJLVQ4rS8pyRl zLwpAf@ypOKNVq5(hsTKj2^j{37scc72=sr14EY_hADsO^CJlwgL;O%O3d*n5;lx8j 
zjD#!$g@>fMM$S;*A^X7+|6^om3=)zclw7E97$8xipaF(sAY5qFZ{xd$G(&%f3;oMu ziK8SG4vWRZ5D2s=9DzXMkx&syi6WrfLm7*+sgWTt-=X_;zei!Q5Nk*b z?$7AZa3p0w;n=?gr>*uA<41gF{NlfE{AdhB4H}L|!*E!LISlj<8dOLIcsLpZ!$Vmo zPKkZbo4<53Yvz&i|pAWYs&Aom|P#EGVYz3f+q+5^RZfgw;C%EFJ|V!|(S3ekoHH zrqP6A&%n2qp6Q!Dg}KDg(b4va6tlsY1&&h5G!+OQ2+MR7kQo_Zs4Y_E^q+pS9bacc z%{#~O_LY8<@xepm+touq1z|nei!J#_(nYWJ7!OD-eS&34$#$DB+*?s_@%b+&Nu%qjEAK=N*T+Yv&olTrXw(a|y#1Iy@Ra{; zMZl*KuXWS&Q!9h~4{IvU&tl&a)g^+S=?gEt$97HAi3iP~@^;Z3idb(a!qdsNln5ys|xKf8yH(z`SQB>B6s%o?1{*G!SiOl?INFUD2q3v z?Ppe&t3L*Pdh=zV{PUanH`(b+(+id|CE-29z}XMov(?W^LUj(GH^y!#_8pLHu=9LB z+I!jUNsG-&U2lKD$9Fj_FTRY-1^JU;G@Eu_I-Hdv3Ijjkt*MI~<2RS21v#~aMHe^y-5Z&C=!dAr9~6^RvFs5tmaza(GC zHkrNXLO=gt=EuG#qo(U4$|l6o%LkT?uL=*oyOt*Ytg(H__u$owOJ80~PQ8wM^Mc*T zi8l1M*?5|Pn80IVK1a$!S1JD&dv&IE>3l@!uxEc!EmvWZ3hZRk*yQH_Y2f|B-ZG(w zr!Vw|?(zz5cX#`2`KEegW~lerxMd^zeASjq8y--dZEb3JR`YV`JiU|spy%iH>iTfQ zZE0Pv?=Xvasa(u{U#PhvTaY8k<^SIQQ1X67(}2u)-}UbAozo{6ilj3)4hDRbGm2&5KW$J4oKGI1?U0%=|)j}m8|y4c1a4YsOT@2SRM*dSpQFe}a)ap~n| z{*aOT&O^H!9vpdxs}k|uf!oN*=>A1q2V1Bu#bz`@c!zs#wfjxYqYuZ@(%7W6D`#R( z#!`mRe%JhC`+?H*q<$T(x7qgd28$sgO|r3i_Pds>Nq1Dv<1@o7ujoi>?0Fbow#PPV z#B7YEt#4?hlx45&Wwd;Q&<;DX* zsZI@*#>TU_aHLSnP$ZVNkgkXpvH8`b(%90v(;i-~Hs=G{oq` z(u$%wTkH((3P+v`-&y*A+xp{U>z>G*#XRWD9f8i{cFz279vbnupOWM?d6IhiijOiE zM+^F4ib<~CGW-g))}sw*VoKreVPyW3%p7;vIlHitkUGA@{`kz(i8Cex$YJM$XhGQX z_Ruep-et^E=l5JBo4PV@8CT}sz&?H`t*6d3HTQrDF1an={uF-Vg#cr6d<=ZtNowHz z)|rBf(Yp@FT)o`aF8Voj`-5boc)AxKofCu~MJ2u*C8-^Lap8t^R5c50~e>b?*6H?Ce&^m_EPBB>A{aBhEc_BR)xzg@B)+R(aD=yI@p;qJ`@5ZA7hFpgud%<5EMmWY*iQEP z8E=xI(*)186LE9;w%1B8+Z)_h)r#~;NwSTPdNs0Mu|3HDll|7&RK6W*YE}2LLhdr$ zWTV?sUrBwKHcLmklcjaZfxOqe8Y#+lP%tA-Eu!WQp6!Zsa!pi&y+0^g`MkE(Z{8VMUZe_6Gr@J-Z$YV&cqbs;0`MGZ4)#1!nphX>S#HeI$swWU1Y zptJ{RWzZmwWz_ZFqS*B2jIiv%X_hA8LzAvIJWC7f1^AjCv4&k+dH*hy#NZgBzs!`i zUrv~=B2s_kQwKBNQOaqAxyOXAgtkmR`Y;kcwySO1B6ZpMhSPHRT)LBo8Lv>wT)Gg; zbVT@3#)VkaksMwV@3Abwh{NhFV_A05ht;*l4$8>4<$h4AieS>H%GHiJVQjH+omhc8 
zNDV6yvXfwJ~vJ%iFHN-1$kGKcTZ~Um=7x$Arca65TGCpu+X#0PPR2yoigTM@J(j*n zo%Rur<&po89p>|TSbh9N^&142qO*z(ah zRqegPk!fCX5?0w^1X5~a0){+paiPal{-ve^>S9Q$KgQkns^h3;{v(#KMC`>&5(jc8 zkaA8+42BU?BBP`6GzEQQst39`%dqB#52A}J5i^{)-TgGJHRgjZPoFN)`|a*OQCVZo z(&e`?`e41^Mw&Pg`D>=z=8{=Rr&Z>*$n$&P5$g`k?Q9o!c4(i73wAoCE2L%{{(y(a z_gwrl?krNcGAceD{eDMEww!)^?BIxSZbN<8MqYML>Sk6hs%@Usa8|CaohDLwz1y|l z2oKRTDIT)A7`E|N7K)Y2WcLtF4;{15nR_-~+4zL;dkx18cZjfib{r&|^&9n?D!ydC z&1)qf`f#RYyLHsP>m0%BKSza4OmY`S-%EMG(D1$^=LmDi%H5Fxdq=E7iF;7tYx9zx z;pCo?kxGt%%^QRoI@;5BRv)~pa)`LKW-dYQ&}OEgBUZ>mo12$YT5s!SN0irTrS^a3 zwbfhqar*eZSy{KLlInHX9eKVgx^S2%n{9SC)oj$pqSnu>&X0;v&U1EFXIQ*rIW)$d z_e`IQH;BA`D8tccK`o}WGwe3)qrJPT9vK+LM2Ag?oV?c$-$pL4gMSe;xcBUqG76v9 z=^8aLS1J=);}pak&O3DEF)XiBaqx)zp<4_!wc4)SMNAC5)Lhx()b19F*&|6>p8LGQ zUfON<;e6iJXL`lj=k;}#;D!a}N+~IYF)D2D7W`qlL-SN~Bhq7xsznhx@(;HiC!=on ziG&(!KCj$yW9#k%MCKH}`@RAXH};Q|*SPd521Q=s@QOTH^M+eRc$AwVJT6&wXk_ zi_OmG4L2}}Qmj*h`IFex?<(*v9ra+#xj25-j@fhUxFX*~@3sEt2X*-_OzzMgX1={` zlqHl@TBr>5rA5(k=!JXa(^oi-HCr!i^C50+IlY)}%uP5LRM^9}TSoaR`=P_uhYw#W zB~iNuEsUo{B)|T+`TfxdKdn(MwKl#uK0}9;r4KBGL(N9xzG@xum&QfR-LtVnoU;{+ z)=`ewy}9!7TyF!tue_fu3cy>b^|UvJcceNOyG1RwCEJ$}nS1OD)04V&rfe;`KBwK6 z9?HIEGZ1jrB0YWpZp5p;ZK`B>AkuyzU;C4S>FccN9rbZUH5zc!01 zD^!>@eK&jibUGSGlP2pHHIL6L=CQxcYuD*~dP~)$^MKgLLlgZLcz(+h*YgL1T4Xjq z;|evYGsq<|KG`6)zE@@Y+g#&T37)ZydWH4ks%3@JM{IPi?~}Bch)c5fUuQW0$01vd zk3Q0%xrJSqKw(!8TAXt6q`%W-Q$Q33=18a^}=p?nQy;e z*dSf%(dnbFm9Q;z`YjJC-HSF@4#~X^d(%5pzj~0J3=Fc zx##C5ylxX_-CX#_Ts!rtWa}Q+n)2?+7{iM*3$M_3sP=x9o^J){^qw)@z?riht$uBr8_@f1x z_3fLmlQ~2T1FA!aM} zyO?h=_B8|)_F+Ta3Og4^zqCL6%FpvH#|{b8D(@e4&nC2_?d`g>nG1W=amClc*YDHS zZSv> z=txh7a;LGpb2||Oce08f$4tsnf-?-;5BV5(#UzStc``Ar8pXvjR_iCIErveVP}-^T z{*(O9rwtp=zQ1#dx4by|obBfqT>krILq%>ezF2A)K6#hzy>@V3QmK<8uRt`vfY{Bq z{OXG3$?tVDq^~=Ey90P9PaFPh{RoTa&^spF1_TLv&zoXhIP$E^w{y#y-5pYf#wR?gQt()8t{8|@oehAgh7<= zsN-v69<3-@#WMdaYtgc&@Vn=iM2=@R3WrR~8gDpitn-35>M-ZK=xna0dxzx*G;(GN z>ty?EVIJIJ#trqx&h&53Mc-vHERA9c>=iQqE!)$>{$`0#!>1m>aE3IHm-0M;F 
zG@-$_#ZV@;yv0FRpYK+^xedocx1DZZ#GZ00h7*-1t+vDt)(Gd;sIbs6(*@JY4a%`V zJ3vJSIe4`KCR1~B$GL`Jm3!VZ@WkEgK&nK0A|Rta)sF%g58)k5Fjams5M4F>-~*wCGN4i8=k= zZA0SswVk%Gr^n9u)Lr6s%{w%ysae={D9aX)r(vCAP8REkLzXY`QYXBubvbjrH?i%$ zG(KSXrMX@?TYY0(Wt;b)o!*C?xE-F1ydsQ&OuR7-f~~4)m5&%v7qGGd2K`iz4E$*Y zwQHxL=`c!ldzJ9h^|)>(QN_#9E&h0Cd06}t>j-?&0&A|zz8#$E##%S-dxmud4DYH6 zYxuY|CF$D?c$}S0$fLj{#FQYVUF+Gvkw9SyyXLJ|d$~pFS3R7^HKZ9m= z>*hUh)0ak-cG67nknM>a?3f*%^t%aLt@IO`9AhMD<7ns;Ir1wrk5lhn#{?I)3RZip zXOO99rEk#QE-k;s^06K}-(4PqRQ{s-57?a3>^j=d?+d;5c;9a4jAPj*`UF9oQ{&!u ztdx#TYZbLrM~X*md-QwNv}cr`}VZPE{<&I;I9biujl3-ZLSc ztG{!&#OziOW@n3!$a&YXSIgsg)3e~Wxmkgb0UslaOc+kjKIstxX&!hs@FHDc?_LDICN!p zC@OQmuOMMzr*IRWn(4G^<9ii-)$K#h)suBE{N&MD5Qx}<5!J>P6@4Gc*n-{|4!-u%%2?hthe;)L z&UZiKHjl33Jm-G+eX5DjoelaiWrH7D#@4e%eta??WNe{UH0J!q@%{C=%S8{}V()q- z2X21_f5D)5^O@Lwi{gH)D|cXmM$Y83Il*_S=3DgztO66M!VAqkn>Vw=V!ZZ6Em+e` zB=YZ;6?kpLJ6lbsn$ma1HYkzmQJlHwm(A=Z*e`Io#r3r}x;n>wwc3LH(Li5R28!V=Q!X{RM7pcNEMbrg#k}-pck9i~uQm`(SXSLVy z4jUf-VsXN6rweKClfVm9E89~UnJP4%NL+rgZt^YLokx19H(f4$?n}_nx=cFFvk5Mv zajr{hk;5u5;nD`yuoSHHy1ZSA+6L*d(F-Ta1{DUU=^iC1jHW+|$oPCMrQwBXN@Ur~ zNmH6@nP+Zke-M0hw($6}a@eL=Pfj`HqJta)`hUAcU{9SXom9GnKn&hn@jZDwtmaKS zYj|_c&RF(JgX8NTeB`Xs?9T{1bwY0{l7?&RJ%K~1JJvmXzafywyJPwG8+a>j;?GJq`a1py4T1k&uOv$mm_=sf=?##5*b!ZKlW1&z|1Gc5%}_!H?M@su#7*&+W->r^$IUWGSSsCMcrf5R-HuK4x}G4tY2` zoFwhyv~TQ#IjQI1SyXDrwMVA9?!I-`>>b+d)+;t2aPWM?%bi(qq@BhKbN4`$ne21l zOFA3xePNj6X%$-X$j(WL%X;ywa+*|{wi(e_(V-y`TQ5oUHokV?YEb_XhEAD$>c^RE zswwlSvbp{P8^Tk3pJ?u-PEy--t^o?C=|itxa_HDD1_%j8FKWjqBR4!T*xe>Ae_I80 zQIV&(RqzF!@TAl3xJyk}J+5EW%s|B1+_6W63ud?xZ!|F&-Gj6U=Pc-5he|xr7I$j9-GJW>TQT-zA z^A8hWy%hIXz4`v6hekP<|GetxIezO4_XXa1H2aw{O?yV}a?_IF9{kg@5;|{6F&eZ%;^EH1R>Z-- zC-o9#56WrJxmx9(u5;^na_=S&Pw_#8;bMB5rQhGi7IVFCSg}5ONjbLzNlR@(k2g0f67TXnoEu^7#m*HK9WU(0 zp_YGeYSzWQwmoUWE8OH*Bh8oLX^Zf#^qkWsB4{112YWjMi1(`wP#q=j`53QY`Jv*v zIfF}Rn6~!oW<`di>jS&G9$2sz^D^pKy*#GoG~hBf(?9wt*0xi%uqd~qW8?RLeb;cp)WP6ZCXp828^^kuZkF7xg3$BK&b zfcN~Cfs37QE0*5ek~tQ%II=lt@tID{Co#*Qh1a(R3}$PmN@-n})GqJfDmnNpe(s&T 
z{{%YHfrF8_{dlpnWVC%b^@WmxT;eGu1!=3qlE#bts5(+`x}B{cw3m{*_OS3C1F&E%r~ju zXHt+7zZ7H_zQMTjwozMCh6Qt=h3^FS3#WaWi^|KFSxy@t!PH&1E_=W0meKg^4y`HL z@hvy}yiEfVCi0^<<{v7w3pd6LiOA6p`>0PzXM-^6mM}w1h(g&8G zZ$G-#>X5t1=gNtbE)}F~4HvVU$Igc4<|P!GEp|^#lL?9U$3JYbEFX6k*;70;{j~0a zw8x`)j;w|1lEIno_xCRuO_&Tf5H^hN@8{pE`fgM2^M(gJ=2AEP?nUlQxILpkknqB* zn>iE6pr9wLe*f@(rE6u7ibY*nO__?Cnu>}V`b)LaL#05) zvXP0IiIIhQ6Ehnt3p@879&S!fZp6-Ae0wBNQj&NS4lApANLyCXSP6^Mb<;Dpv~h5B zkk<0__ptLjL~yWOsifMto(Z}B1T{4))k+Q3HmGMBTFNhYkhyheJO0959{=>Z84W2^QQFxXAKVb;z+GTTj-3^wzc1f8YX-Y+TBt@_Mhd^srGavlA(=$Xz?krgUj@m#vljRh%(M-$RI zrtgom#yvllRyYEJfRO*rWJnO&zu>h{utGIry464f-Xw{6c@w~BJ3gt%T?LDX3g1cdx|CWFhFGcpMt z9eOp2D^zEuZ3iP|24)WBRxe#t87?uh?$+=#CEZ)0vUYEJr<|zim#;GOCSwze<4Hvx zSQ~v9S`JkHdpX$TX%#&rQAp<$Z;r0^*1sz=u6J*`Ezw86pVKw(UGb|WYt&F-+qu;n z{(o7ZPn?XpIlMQ|<#SFa>Ad}cJNA6%i$jw4m5M9`ach3M@xkt2cD#BR_0$`3JMO+QfblK`-$pOErn2w2mPoctsLtm!AD{1^h(^dl!f zMu0W_$jMJ4z?yzS%8wynO+Rw-lL)Y;pOErH2w2k(l>96Jtm$X0{15}y^aCY73jk~S z87qH{0c-jzBR{PJYx*fIe+>d_`YR(ptpjWNDJ_2q0&DsUAwRDIYx+4ae~AKX`U@dH zuL5iOIWONwfi->4$KTX|HT?}S--m%Ueb2|=)PObp4Kd$^fi-F>GuqXk&gA6)!H30TuVkn=|qu%GX@m?o`jq{Ny{OLVy>me+$60I^=bXcdY{PZyriJGjm+jFVap;M z7*StwI=P+89S9gB#8Emd-(fX3!Hn|+_@ZqS; zmF_RwTgT>uR0=;!fgm8{zcLx#gf}mzlpm{JWM9tMJ6;qN)GnngGuaf!PJ0ZsboA5G zv(UL`C$8JhO>8ObInX`X-)cX96kFI`miBmZp6F0`R4N$+0U`gL$xt_c)agut!(8jg zY>QZ@xTIxg%JF6mHBD5d~K6bU{~wgeTDHB?uFkxAYJO3#`EcL%Z~Ok7-A z8upD6PevpHIunHt5flQ6gi+2*IUmf{jgbdhIP4$Hu5_&oQn9Ejt0_}a zQ&Uk9R!rCO<>;(>amrKX%?^$#^Y z!#Wx|sBI4mbYALp8=&Uj+o@@3=s8gsx^=7wJ$+A7umL-p+{z28^^_fCsIE=Bbr6rZ z@i*4Ii;tjolX_<*l3mWU?#{=m<9E|O!8xA|(9^s)I#_A0bBueV)7z6^7r+Zh1|X9E zpPV7I^=@z36}#@6&x@RKrcrxumdK3uc8?Vu;?o&6h>~43ynkE37oSwWIkDfY+`D3* zQdRph1~+o<-}be7oR=7Vy!msJqGJ<*MiD1-mYh8w!B!jpZDI8AroF{CZaXhLU%JV~ zVDPDZI9B%G_VxR5)Xk+l2Z^RO9kVwV%tV>9XL9NVkN@8IZ@07;{m|F@3u<#;o4>#F z+c>HH+rCzhV?e%hI#@=CFm5S+<#(8&OAxV?7>Lgp91r42A*rr5{@Vin0!UMkrXWp$n?kc5aMOQlqu-7L zZVD!SFzJJP)32`~fSUq0{RIZVODOOX3cS(>uk^tyeej0VFH9r99SYu%0`HrG_f5h3 
zrr_;;@b>;MPbT0~DDWv1_!J6!SPDKY1)u5v>SO{w(+8jFgGW!mqbJ}ADe#2Uug)b@ z;0Y=4ARl;;4?J%Qo;L;0oBr}-0v?M7k41y0_rcTq;OTv^$mCZi6R^kxtc3z=p}<-w zuw)M`GWpfHgbFM&0gFt)A``I41S~QE3!r~>G69QBz#Clj#91S~QEi%h^G6R^kxEHe4k$pkDi0gFt)A``I41S~QE zi%foXE&+>7z;BBNzbzX4QgiT2&A~4TOR&*3m;d0wM-V{Olik22Opks$DFe zJIOUY@SMrAB*+8-LVyX76F>_86Q;n={Hg2!eOt-+v)cw|bD~(9otw>aoo$z!nuQ|g z;=n(^0AS#I24d}xlvb>CGZNhGyvQViwHu{Gv~gxc!m%hA97ZWhN{Si!dk|n^COS6G z1Y0trn1Qzq`D;X(NOEHo(HWM^-T)TayWtLsd{P$~pC=r5S%e7bR>0VL`&a{`lHRX_l8K`oYXm za0Cp2K*Nw|6m%#8hl6@lArZYjD2M%q`D+zI3?U&|yL)+9lL+p%{)}P@P(+d7<77)v zAz4FpH5i%XO`vqGNpN={JHo`prKMrtIPqjeB2Y*O8XP8qf@9Gz%84oGgW0+u<# zH)7{5zC98sDM>sEhm}=5q%Esxtc1nsy6G8P+Bi5mNNaied)WCMA~@KtR8nnR&&0Cc zk(!#7YNdv18`Lu`HT36?cNeJFG0@P_(nF2>EKr!?yH;u%+I3sdp8E8xdMhue)>Dp? zp;}^!t#e$Ko6d60)#uMo5WBj)I5F`^zm4^Te|YH4(cPd5*Z|4!zodn7Z?|}->Um`C z%QV$T{0(K|3)UEaYyJt<+daaDm-pN5=i)vhZDl>S5FC1Clzw}3BB%m3Kr;MKX(6Y~ zT-e|;+Is)ivPM<4!;T7{&Bb?37%fcs`<1HxaXaxZOFJ}zI+G)>PTa;G>H*yX5s0JAcxgt0QU(%4nPh-4yz0RIRH7V zCIgrqfE<7vfE-pC0CE6wSWN~nI{-NVIRH7VG63WNdu2OtL^hgAlE9Dp2FlL5>QKn_3-Kn|-60673TtR@4P9e^Bw9Dp2F831wsa#&3U zFgpM_0673TtTF)P0OYWm3}AKuasYAwa#&>m$N|Vs0JAcxgt0J8&-1CRrd!zu$n4nPj8$pB^tAO|1^Acs{3fE<7vR+9nD z4nPh-4nPj83;;O*IjklFm>qx|fE<7vRv7?t0CHGO1~5ASIRH5TIjl19og6F=9D9;b zdOLb9(`1^Q^CW>aX=7w9zb=X+K(<+LjuxTP&IGD}4Ui1~OIk4O&m&*gO=3x6>VG9E zbPH|$#a}Q9SwFwodta)V$I_{`0MwQ;#b%>9c7%DmW-U<Nf$%+TM1024FOv2iBYk{QJe zylu!|Bg#aQ8>5&$!HeikvL$%Ipj~xIL|X#_8D=h~tEdbUGbH$tVPa}-)(!;uZ(D_L zTQv(tF(p5;iUHZ0OrRX9f`Xx-bLvY=GyZ-qO4tO#f`NVg@wJiCEH6*=gP9}o2p9qm zwV~0_p$I$*>QRM6^!A_}_8aD}RR}SJgk&8flLbz1EZs0JI z1B3wubMS($;VWiEBBLJTPYK3ChkQryDjN`BEo(2AKQ4n(`+60c-fm9rL@y^Ygjt0` z3T2ca#vtT>j2!N-9m~196aPGJnojOecgip{#3YeqMzg`B!pFT9gFmoJ66phDW zv3M93gAm2QQCK7lfk0A%2s{)NM~fmc(B6s!FKBqJZEQ%E%4)g>5JZSZTe2>NW-<(c zLEygwhW}+?Xe3e;k4K23{{#$;7N^7zn4jX(Rx>dC0T&YfXIwbS#eX*v|1n_*aX3T{ z7Ji^d?35L&D#W{t?u z-yuW)Ix+;Ff&!0*p~Nx2a|Vqe9*;poF)VJ)oMFC0hWTY=XdE0u21i5upne}s3>*%P zFdPoWAS3z7Xd3=3&miyp!_II&Oho^&Iw8}B_(4Nc1q#Zk-|`Ga(E=JJ4k1IL*NhDN 
z9kL%B{69v9#8bQrjY2|m3Kq&U44g8vU@6FOSf~X5S)TorGu(H`etil+z)_F_a40+s z2`K>i6&V7Ff<_pN$5N(1EJPXv_j_^v6xw%_0Pg>TNdOB;5*ke`;s@tIeK!-}e|;uEi&I7qE{=ym&IM6~!=i97G>#%# zI1&XzK+^b%_%GAv&!z&@cT)j$&#~%i%1*9iXx0`}c7^Vp6bZIOJHj7#E+`bF?BDNQ z{8FYY%%gV|dj_Ukwzbmtn(yzYmaA-5E!@Du5L0$MonWfZp_uDf7T8d+`OIUDnHSj( z_OE0MsQq7al=$cD4LqpC*?mBrf4R7dzUQs){Iesy@uMh0_;I2!2V|o7JWZltT zLGHqBo17QlP4%S*6_-^kE@)5F#9!EJm>87l8x(z9y{m8i^`o8ojb~R@_y^pjW~x8> z68jsc7AyKp*CoejKRli6tNJ+5H#HRBjhC?fYW<3`t3$a0dOPylkUD7K{FC*#? zxa82FOWp-mYfaLhy4rvGdWuQHI3dR}{>c6P7W3+r1?Ga!2r~t?D|V^|OYf$qAG1sJ zp6c!o@D*Y%6cBgu&8b#o5+lA1EL~)xlA@BPQQZK0{JN)P<-y|nzP<}Ve!Rk$!_;vu z^6Ps`IAv+puY+x;I>o?31?!c|HY%dk<&l-5zNSJ&h(a#0$>OQLaHr2*_NDpauEj0t z`gZw20B8Es88=I3Jx1A{;bLVfk*K7>myQ?B&TXgC-za|9%17igCsT*d!yO~MY}d?~ z)g1PX>PA1b3Yg504m3E~{skTxdXiH@mM>swl6jrGnh3(BmZYm^I80jogaxi9N@kBT=4jhTJ`dz# zjGUBJ%36^1s^s^gO0((Sd7Ope?6MX)X`cGHCY|86bYlj|Jx%Ev7U^?0PZ(xBO}Q#Q zM|~ux53a&*!#}*l9AL!o&dGT2%<%E3SsAJ9r=O;6`A$@&?=?9mXIyv0F1VrH{fLp( z{&cF_&c{tu0z)2rXj2J$8@eoA7ucs$*WX^ut3lgG_f|s6rLOhKz=z%)of=3qH$gQZ z^Rs-}#~WW3RjV`hT@DC4=6}ZaIP&U~`ffj-vW;^!5907m$KGoO=JC5Uz1BdwdAA|% zCtXRseioN@x3AZDZ)fmFvqmdz0znHk91Dv>M2J=8RY~YooEK!)xsW*yQ=7{%F`7E6 z#Ygh1-Fh|r;=T+=a_n9_FG`VzX?s!Mx~jK+?`~&Q+xlCWY#7gsXxvTj=@jzXMx|}~ z>1Fn^D}oVep>>DaB6_Lo$zgA1g3T`oPFf(P>W}(lSDt4ysMl3GYR6nzU7dX1=i}H} zua1*;rSF~~&Z``J6&$a>-qU94LpZ}@l~)mQ{mn+DXA(6(G|Vl>m{RW{$n~Y2S9ht|_uV;~K}+i5 zW-6YQ5TvR802`f!e#rAK^pv#D<2+46qSA?>U^DxJF{~k{kICrm+}5FL;)TX-$l$vX z(ea>5Btj}L;(~>OiO(kMzM_G#dk*75H@c;`Z*+*A-X(fdYq!S*JD%R~Gxymu<>4g; zH|s1tV~BFcFSIOQ;EwN&9*ZL{H|+F^O>%J9lgy+ucX;s8u2Y`UJ0j2Iy|wiWI=RJ9 zQelvNX7Lo9KAK+Wg?n>B*TV-UHzWEAx^9+?KDSsbVs<^lO7DCAdI#*O{d=w}x9*v6 zg|I8Kv}|E%oTK&1+I{(WLCFc9T}Xy<9dF&k{X5cA%FYX@^I4Yfy6d!w{CY|ASgmsw z^|&MX0S~FFVnlE9&dqJ-RPu+6*PYtL9OKYl53Qy}M_-%{hSM5Arkt9j*Er%j(+ zr!viS${ko=hi^+vXgO&(%wzs(ackbBbDz^a=9wq+GqHktDr$$#7I6aXxjhG0OwR}8 zdY2dE$DbHQR~Q@V4HT}sxM(6&crUZAqy5#FqgEbPjr}Si3fTRk(oGUBy29>9zX%6i zA<59*t>JR`B<3D%fw7Bzr*2{)>@o33t4@%?mNA!O&Tn~2Y{f!3Ry?1Mdp!3-Nq=A_ 
z-yxt!^@XWq-C)nLN~MC1y^^`qA^5b81DBW- z(Fu*41$ZL296!(IEx0c_nX1VAWd8$I^gL{@TO>ASO!gFGyC`~3%=lb;LT@UEnN@~A zdzi}3-KD#Ity2o-cHTSiswijtp~XHm7YXme5wouAK{g-jxX*T|*0}G=;COtkHm}qh zwvRd7f^l0Zx=!Ov1eKKdF|GsLIl4y36ESEdPFz{1q(E~UeQu=Rle-aj_&9n90X2NK z_1%s&(?xD7qCOGgMwRyjeO~p}T@?0FdxOMu)@oBvR(bEf^knKLYnD|kr`}V|tu@ab zHLqtr&3kH<6`tc2-*OdU_}QY){BcN4vh#C6Q6tn1kJ6;GdblHkO4W2<(tQWC^t96a zi%wMYn4jdUZehDhK%A`pBFd+gB(nIj>aKBM-AhDpm(~Q*pL4UcR&QKy2VUYjBVP!M zlmuJbE)yG1os4DKSH?=E;dgsXU-;jR_7 z;mr;k>`SiW2*p*RJ+{)&_gx%fF~3&Fi48t8M!N;UXsAx;h3B6xT=z(7 znF7i&XSkL2rp)%9uotdUO%sSHEvmbsszm2-&n1!9VW8WVRFJHybPnsTc!2b|&D56k z-o-`pwyeWhh2B947fD7#x{Zd4{MW+7by=^-hG0!{GPq5KB~PnY&3feCKZi4T%)`q) zTshs(?a($B!?G!Ewvl&HV-&}*x7bSeu;iiB?yjkluBp-sGuUg3O2MXFy7b}P z4&|*IX}P4`=@mm%m~Jy-w?24@YY^5y5hJO@=@0d=Gz|5CdwSjN9#F5lV8&O!3{r`r9IO8A3|o2u%=j*X@-p~l8w$wrnj7lef`W- zPfVrhl;ZRW_7B%LYlq?1YlrpTWM^yR?yThXpYHcDYR^q28M+J#+FZlf@=+NZs`GU|v`!ReN$(?jY`Rt!_->#oor zK&c0~6zesz?A;XFW@c@zg&`{Pr+J(9hc@54(-s~ zldgN_RqMpP+H?~C=ibk#cFhRSYs|X};xsk0I%@+>Z@hZYB^vSgfs1_~rf~WNk=*-C z(P)>?Hfj10TSjxiV?yhQ61@0XUSK`-j&#uWG3Dy2xBcYu2r}en0x*v zrnqa4lp$F0pr}i6GJ$=Uf5#L_fR&*sTyc8;U5>8$GDY5+GR5hk!va2@Vyq0Fx0qfR zCf~!dnD%OnUb@}&iq)Q3ozP5vcRKE@u$0}^Ymp%rMWo&BhZv(15&L`XPR|Y=56z?{Gy-dk73c8LEY+wJJ1;buK98RYq-u#>M81$^htPV9@N?|deX6`tAOwMY?UTNxn#Xr_OU9DtYx*W;! 
zI0u!r^(vQ^f~cTX{%JK238kze{= z>^U)Sv&9ji_f1uyJKx71IN`dP<5kODhsDGDh@&Clx)(Sf3JD3`+my_AYDnmoVb?oX zANssq>3I@lwSwo&u~~F!DdT(blG@XG<;BBFq0#gy$6gv?1<(n{?rfeN+U7?u8y9Sq zFXElNLrdet==u#)cGh*rEjTyc7JWWpQ?b9!yVIku$a136-mCR^Z?wysPrW4z>vJSE zPNCVx+zoc*ewGPVdWXMMMsrDJ+ud0?f5YTxy{q?+wdTQ`MDI6=e~59@DmaRH$T9lS zti}u`@pXcQ!)MGmbcY241KQe82Xcs zqg2T)g*NpYZOTS-0}`{<2ZO{C=Z=iN?e~~E93;QM#?x?YTdSDAi+)g(T!X^R_d{DW zmLD}^n`Hv$*_6%t;>pj1Zd+wsxBe2S=bBJUW~jRk-Aev8wq^|CAq-PK(J!3^u0F+9 zpOh#mRgftAXfXP+AtOui@%Yo@lBt%YeS((%4|`t%2vzsSJ$9)q2~n6Rr3JGYV;flu zkv$UGm&(3onKmhFqC}QT5|TtISt_CI5{m5mmhAh?cSog!w^zNr-~0W)>+P+3&pr3f z<9B}NoM+B`&hJ^bzmkH@#bV&r!TNSvQlnAfms_b-TxXjKcd2s?q`y!pY7-B=-<7r9 zsi@_C?8EJXMTWZ0Yn3y`cCx>7(DD;hYSr_s@ToIvexLC~;_1VW0<-~IDqC2Z(-eo0=?n5_TVtWy9 zq2zT*L&*z%yDT1R7)lZE*PjZ#AoS|=7CYxF609|y>h!i3)%LXU#YuXVsl9b;khX`Z zMDzzTK2eCLmcF8T!_Qi6M-F z+_?*`L8>=O$6OOaXf*g%`Dgq48k{@te113lNyt5wf_Rc1p(-;w-neN+KCXZR1>GNg zDBBgIPwaoWrw0}E^zBhDCoLqst&I#>P~A>8QvWjnsq9^Ca*vhbG9FK*nhuM;o^7q< z4Ln;WDrhOLfbgDhP`cZOh_;Q4k-kFjXUzNH@u63?mJm!@Rs~l;aEu7s`45`|a!Fc* zHklk|e3G4YZo639=VR|p-ioE~_5|co+SzTrY}MT5bMDO(d83q^taE|s;j4t6MZA1z z>GWEqdUSI*v;702S3zT6%KY|d@#|1{hua3(amWz6uxq$R!Z9xyHcAe91`)cwxzEVB zS|GmXKe$TF6;W|qJa>vp`Xygt$ayjWF1yvTr}CfemFgt9EO+%$XU4miO(nNk)u#%0 zbXZqi3vqvYjFg2oB}~ud^?_5vktBPA82oPWK6thf$z|v*%SK5{&p;I?asERjX~p#^ zHK_EaCWfG+qFnOca&w0wqBqMDm{gqk%2jmZi=R=ntkp~qvN=__VF!g4x9E<{_}l&; z15eomXjR%akuzb~czT$ik-Md|PTumm-k)8_AiVm<^h=F>jdW``gYQaNl(C(5H@hut zArY--zq7=1i%%Na2AbjVFems}p)SHf1BiXFdrMw(+a)p|iI zTJbQsO}F7_%q>`{{Y23h=g2pMg7#tv-+``+>r3eORUn^lQOTHb z=b}Bmk86CdkK!A1;Vm+iP>Ua@vSXRhZ3Nxy8lQcP{tfvo8RYP|- zpLk@Lv-yMv0vUHur`FG4932h2>BCSR-C9w5`Bv1#AoZ%kw6HeO8@Fa3z3n-(EloZu zhr6AU^_106_xX^tb?HYa?y7M;yvI11FuOy|Fgmlgh|!WtHIk?Fo=XsR>t%B3nFf!U z1gpux=IQvZz6)K*dZ*aHGpl4AF0`JibD3cmC!;B7Iq|NTo8Yro0KK+cho-c78|^sgt{@3|SMqwz)?zu)T6; z-P8PA3M9GBEPBy9ic&Oibfp`zu5ll-9WfD#s(+r7uH{jF6Pv;4&d^)S%@@<`Od5!z zN_iP>y>GIU?P}#}wKqN=DqPL8-*nz8mq80g{d@3m)I~tNY@Z`hH!;5DX0{2UP>{Hs}nf|dQRVzJ$BIEtB{qA{3<7q<4 
z+bc))%ao4`RjOn*>1(S;Kg;1#kYL{Iz7t{cC?Y95Y^Sq|wwMUR)SLAs#`jS*S}-BY zQit@)966rckOTbkhsr+$<+(;qhPhxTPuRby_~d2f@kzMk!j5LW8Wk?(*B1Vk!GbaV z?^K$(j^B&9^+7n||91)SN_Q;>7cglTM}l{LP#cL3)?7%kxRJdu+% zS=mS!g3%M&>yimm{ZzE9X=#r(?k`flr=%#8F|gUgLEJK2E-uN~7wU4~>yfd4=1LyRi-iA@J5TtqkhlEN)k`oCtBmFdL?XS(U+M?$#*+-klq>P;Z-c>Sg+aF zhRizPp_Fzq+hG4Q?jnkhDe3tltJZ1T2(vzxZ@HMikG|*J>9DaotTl1|anq4bNtrSI zcPa(bB46zjQ_4sT=6WN14#zOXy-iK8n?2UCg#HwLyH!I-^X zpZp;7Y6LY+HacWthiQ`!%iu_*GN<)87x~`HXjk#snQMpo;?LMVIbuncjOME^j!-hI zJl19}8li#euli7`hmK3Vz*+;j_ijjA!+y{EqSC^*luGYuZI2gg4auNxX_T+WP@5V@VP$%$9Y=$3ew;u98vU~5@j6WOinu6J){4$5j~!PpqYq8>aZctx@CYJlkQj=rJ`!wD@@?I*S9w4NM#&O}o~DNT`$Xy|Fz(yn8mXWX!zZ38p&1{n8N z_U*z5F;NWg?oVQ`u9AebmJC|xz;P8VeM2*IGx7blt~SOlx+Z2uglCY|)TFl5r%6Z{ zAcU8Yjlh#h$%vmZ|3g7ZLP|zX1zg-p4}35g83hUP=ks-vb?a4_V1}gR6pV1PJq(+< z2(=Ju;zcZEa-wWPRc+TBRqzKuAaC2mv$Z#|HF|-iCUtS?VR&>vwN1(0riT&Csi&)L zbV^riKR+t8+l&G%0+IMLoXBNPJ(qPjtzfVydFZNbPd5R=MlRy%f$h8HX4Q~9jNgi* zeQ_snVsvDpadN0pvBe@{KjOk|TVyFu*vm?xa5F}*2t?w~a3b%*V1yp7u7CgudVqM+ zZ$W_ITKLDh2#~EES6ICh(*ws0#9DJU^jsxCe9<%0 zfVS-F?axg%?24fPi$Em)3@38+?iFH7qBwd}&tD)wdgU6mrMl*X{5+Z(cK z5p-rpGj}!cyBwOq74zVBN3za4zrT85QS(3~Yx1&IApxQxKHZ}d>6T{7QCj1oovHUJ zeS!eFs)#=%4FA=q&)-*>Z0zhdyd(KCKEY%BZH(}^`5XgNU9y_32MG{?u$e~=#`Cp* z@qi>w@72fg4h{XCv+C0W@v@E|E3UeU9BwupbbHa*iZ?(^9_xDbi_f0FjZ7&ksD7Y0 zAzN!Ie!NlDueUx%V9e?1i;|XcubhIJ7iL56D=yC0{>1~zNH^}MjbR$@$)jom*|DrO zPh}1I`klS5<-V^SSdI2= zU?xB~hgU@xnaN7bSO3KWHpjkz0Z$W+p`0q^?5Pkly?$2j)Q1hs)-0L3@z@SV?3Gf# zlfU@v`P-1a@7Wt>3KQFL3DF*-+e^W&G7rtt2VhrO8kc2C!LG6lFv}E!v&u5SELRN9 zD$60WbU8SyERD;urJw`0EHq1903EQUP+7hVbikI!X2~m{1GXeA%N2qS*mB4$T@E^6 zOXIR^Dd>PL3(b-jKnH9|Se7pY9kAuGS>g)lfGq*aUlf53*k6FN)FsdXTMCtB%RmQg zS!kBL@c)kkmOb}gWl0cLQixh&319y>c8pn>wFa-aI~zOV1ALHY5MFqCbF?wXE3u1i z(6K#zXWmmipaW0;C(+m(XpHKe<(`op&$*?xBR!-Sh_(wFfIdSOg;Rk8|P* zf6VR^(?AFiTF%*{Pf>YR%iY^nYZ`c;j_*yL4Rgszw-k18#9bO2BS5mSowM>zv!lR2 zZW*GXlbriU#T9$p{gs2_hfw0Oaj)J^vPE;NwON8iAQJyLCloE+!$)2Dl=%l536PWw z#N&^az=+y|9R&tfll+6M7pyC5@FEWQVa}SpAI)~vD=EakcEs?-ZGGF85fQ3(smJax 
zSOg;RXE>1}R@@$^HGr74>zU=zy^X7euo583BX<(yZ-IaQ0|*3;29B)6pI@#n$>rh01tb%{?w}z`uL2)L zlx5ou?A(FEffL}RqVNwU=HUp6MO0UMKmeMt*9CQ*@)lLGsab^-g6Amo&!q-67Z zmq^Lgf=I~LGcl`Dq7b$)yHgYl>ljtI48CnoxvB6-tbVB##tu)sP8Sg1?y0L@;x*4N<&KaFds`tQN ztSHWt%T4ZoyPP3=Pfu!&?!ia663*I+Ch@X~x1VN&|Mu<6RirM1j%qjF+jR)r5!i43 ziPLPx(#4Z~x!QlboZRfQkR7+ke z-W*>YNHT`YkMnLWU#|AwE|+zsN+_MRH3Z0o#2uA8IgM>q%l*{#x9?xBBDd(7Dl^Z= zDaQzqaO}gFXCBdm@y!zs%T@o|Y>bQ_2`fNsNQHh^x!91ft{0Kfpc z4WIi2=r+vZ0J;rC82%l%L7$@Z%+8r;0>sw9yY9dXYwlV1iyx}m)X#M!bKOFtT$wgM zNqiN*wnR^6ua)J{4k>%BAk~fGnLc185CV_|U`O~*js-EIr>(gyOLOtBa18 zh6G|X5eTRthL}fN&d%D==38F*xle6NeX4+`XUHz5Xp zDwfhQy0IeN z-o1`#$luQ~1~(s136{(9122LgfK2#LcL$Tn`tH!<1!ESWxrZ600cG!zktxH(k(Wbn zggF%-+T|gTFIweN{n*4Jj#TuuQU;oBK)MM%k9nWJmZMa_e9ZO?co75vWWs;CJM1`7 zqxjG&Pi=iJx<_4xrRRKG_cb5Sht_4syC*XD&dvG1^VepDnz2!L6EQ7Ytr{_et#WnJ zWPcWx<-+egbM9Vp-V^wSWWTtCk2|J1Z(H$BRpp4K$F&SXfBVT^{Q7lOgCV1b^YnE` zO7gHe>79>8X7slF_JiqTd#6ui!=n-(C-z2#J&x_M#03D2PSbz@3H!MI0;~N$b&{zHj2IydX!vb_LzF`467~ik}9gJ^S zfDXntEIm!T1gf(82fy2IydX!{T3bFmfV+b>$QP=(=)pSzJ|}XBZH9 zcwnY;%KX~;g3+#)3{z}({ieu@*Wh0u2LBZv1RsWRj&>3tGWc+=Je66KEcxu|QANAS z<5lm~6)Hxe(zPaYf>2^>bKVvl!&y4_Bir2eV>l|66(B`QcFfn!vu&?!q$eCG@_#X>aI2>Q2xc?xBpty zG=>;8O^gR#5H$_Q08!HdfYdA!iGZR7{-m-k>TA?A1`yH(J{I`2pGQq&mW`T*0fE;) zpu6&@>Ca8HFlrhmKs59x&GtjoG#ZGM-fLoEX6^umAq8N6E^HbOM+^LGVbc_@)Th4- znIQYoa(!>*u-EdX2fCN-Aged2Zls!HY#~$}kmlsPx>A zZUg@UG5AmLpgoyo_s9_b9c|D95r%U`GcH&q+Dq-b5VQnHAf5KvYO+ryF#N8oyVfhp zOlqAB?>Zpk0~Ucu{25M|Mz~OSKftn_I)4Gs_wV!E z$ge+0a-pdkK4@!|D=^v|GwT(2#m4dKAy-^GtI>=iUO&Xav42nPnTJ%Cv~St(h#YXb z4xaw+qH(lfQcl_mJ>>Tw(O$WfJ0ZzGAVSr@wLVc`%)r^}+U0@OIR3%2W$mfgzjMfc z?XV`$*a@Alp>%Xs1Jy)Q4zg=$T$U~c z*|jt-%awxcS`L||%0YH5h05|}AiI{wX7Lq}U5hdKs}hi1e}&GE*Fbjth{#``gY5ci zd=_2>*|iXlpPhm1`WZssUkBOsJsLkh2HEv+hiSwGPOxuSop8 ze?fNrJ)Az*0@<|^v>*_WT`R#0WYo(S_xhtyHI@B+uKmEZ-kYb9ubW7o>i0@<}Pyuh(*C3u1CS_xX< z*tIgWKz6MRFL3Ny30@$(R)Q8dcC8F8kX;sxC6e`e38gt=PxzX0(=*`7e-{I`!NCG)Cxj2YFsWplquRzV8WEZtClq&WdOCW( zEA5CajDfR9Z8%?UfBjCbc4OVUzL$gS9`I?(6ux?*%>ovINc}?F}OstGt0V!yp 
zMB2p3!pKC<&Hy;y2X(M>G!Yl4;a4=VGIKD83JQvgL+u^xObm|G*wVmZz-JMK!*>&v zq@i%&jQDv!lgcIW&Gt~z!6c#8n_$zBf`HTl}&7>AEmNUKR$S|!ubzU z*$DVIscZxi^XH_pVL}Kv;v2GrcZ4Pgy}ax`SqM?a8c?i;KnQgZDG2@QHMDDJ=xNu| zu4ABQ+_0T(12gjm82488?ZOB#Q4B%|EwNWuNkUpn1}${pxQdp(p_#dv_iGstRc3K?qkFH+fTz>@)`?1fUh8tI8dq~?ng%v&IzDULQTlk3 zmv#-=#YEvIJ0>$-TFJY;r(S79+F)o>?@@tOKwLmFfSu$Ij12Bq{7de>?Rgs~E8w?1 zcPjCX_l$)s0|BCN_<1n_!WJRCj03QOV*gBf0;Di_Z%u-8@xe6wDE6q#7YKeI1L~sZmz5@c znWG!x`pq9>qFdFxO)>3szSY6=pjWEN?>9?~$s!<$VVIDaK}_7y!~smkOgO@(ppdA`a6YGY}-o5}{`b7QVARdGdSewnQ516NZl zW_vuVeb0p9Q9=$5D|*0El^H_M>;Sn6auwt%IIe=@Dmbo!J^<(gfc`4zuY&&SQr_~4 z%E0ed;CCzVyA`+&0ImaoYgXWz6}V;vuCIdYtKho;@Ld4-E&zOQwW2SQOH~HnTY>Mb zz;~?RJ613r0E`C!;{m|f6)<)MjI#pctiU)cFeVU;30&&?;!4WEm_RUo6^vg6W39nh zYcSRt+!p}u3jp`9fO}ZLJuKjUtABdGRaEmEuZ;@$))@licFd|b1W0t}+EQee&4*Tn z8t?!F0b~N$3;tuhpnjuu$&HOWoQFcN`PhEHGGK$}xJHsvLL~tb5^fvAi5LHHqI`(g z%Bb2qNWq>XP1NVm)zKSmsvioH=(w(Qh?%>tPlxqNy^4JjsKX(%yBMqtq5*OP>?z<- z@ShwQ8+hta-D%vC5mPE>aW$iy8we1iS>I*Epag%eDD)OTu7BotJnWRyfTC|;r( z6rcqKh(SRp$>!cIk&u!xAysWDm?_B_)@|m3?NMQbOMX*=Dr>l;5{?@?)4=&WaRaV* zeO*uQx<;*oSEe#vrdL&O&Aykid(`oQb>dwGkHdzCz>6RVAQS$R-9d%3NyD1}fw?Hl zT3{RK(6Otq1)|Vt&egeIt_G~J9x~W6)wA~r5JmQxS@t9D;Qt^7AO}DW{J?>hxXyUl zgTT5kUHG{Bc9km#g`KU~AY}rCeed&uPO0f+ex2w}-WQw&p))znBb>j#VT9Co1li2l zT7uXAR5-g2m)y4ht!vo2(L_%-4n6*LD~XO-vM#mi^u(}j$kY=?$Fi^>ex3Brl=hZE z=#q6;Qs~8>6NqM2P7FfpPJ-rw=z?T`fL(2F00Bn^A`BoIKr+lB0Fq%I25@8m$pDgJ z9s!UH^H6{z14sst4D$$pWSEBn92r0|fMl3Q03^da6yV4Jk^v;cJOUsY=Ai&b29OLO z8RiiH$uJKEI5L1_0Ld_q07!;;D8P{cBm+o>c?3W*%tHZ=3?LamGRz|Yl3^YSaAW|< z0Fq%I0gw#yP=F%?NCuD$^9X=sn1=!!89*|CWSB<)B*Q!u;K%@y;s1Ry=y|%AU&%}f zoJ|X)tBh4Td*82IS8sbi>7blBi;svzrb;bEOF%jQdZ$w^F=?yw*sp^ZK@dPD{HMDE zh4RDhH}R6@lI94Uyo<7)c`m;3(!Q8oxW`yWex)QK+<|a@g}mc8^>!X#H+aZA)Td55 zQ?qt!%cBZ@rbicClG4D7AP686{@dMQII+7bo~{QWGhr5mD41SOOAPaKL8^aEOH7EU zB}P=pTA(Ec#}Ku|;DFE=5=qn&!yx{kmKbVYOH2^32KZ#+=lxtuOlWy6F&I&sY=Pw0 zuV{%8o9PEFF&ON}2k)`6vUZ^1S93IUaJ4ak@+(?c9i`!yg(7MAC9Um@P3)kDh{gy2 
z_^Fy0IY18qI%#}xq@W-aje_ybDY@~Xk%BNd6fKD4gQI|Y(kAu}P<{hLLpyzSWf|bv z4t9=44hIbEOspKBFcbnIE>2@&Wla42;4t9EAAZ%9TZBXdCICjDp=g8<6o!WLAu)nL z6QEH7eCQu6lHGSeZLvwn1tuYW+av@6#fQNlP*6cZ3}6BREd)iNgaEVP7$K;j5S$Ms z0F?a=tWXOKL;kj5a10W_3Q4pKB?vUvoMkW}pbQ~|oU>M7v1LnRCb+;fqMY9X#;&{> zVFCbVLU5o7QAoirsKEsQE0Kb5I247#{D7LQl$ySj@&P^=AB-C=tEM2exLwf;Y+R&) zxMCa8Fu+8NfFNLw0Gdxg0O$iym>`NsKLH^@C<^wawdY%Q&PIj(^ENIv5s=UOt~V?a z5nQo}2mus;7!rnr0v!TqVWNo$46)C`VS-SkkiciN7g(q&DW@-UP@NC9*gVVv^A<@F zuGl;z1~3XKAOMFV;eb(d=AqyMd`KY-3NQ}|`@y`qVPucY;y#NMSYX+rIcdd~!O+C6 zAt;1_0^kAkBLW8(Bz9UrA`%Hl1MCBe7U1^R>_fu7w-CN)Okc5u-`Ix$ns&|{C=3H9 zT1{+ZplRpuoHub%Ya-zbEcz!V0~m3vMWdjIxq)u3KYVA=kFB}bq6L!y(9M5$6cIuJ z1_`0jfT}0ZWCFnaBKUm|MIeYhbWuAJd+6L4ve>`{Qv>|>r-ttggdzA)pA7^?IlyWJ z0u5LV40ynFDmdSYpC?kaC3?Vu$pQWkOb!SHFub7zk$@KiOsPaGpl}qCUnszpLIC6Q zoVkC)vITPkaPL3Ys&FB|%b2qa26P92`53?l0j!;C>3PeD!|w8f8gjw30Q{1_YaR>$ z4j9*K@NFJ?#A4?h7_g~M*!6r)?)$BsrD4rBu@@z08gFeAo85!LWt^2sxbU zD!Qt2isV`f8vSNZP$fxtMLPP8CMM94p688h%C(wDKF7@T(H{KA>3u_x;q z1zr%@Y8~|YfjArOJy`r<<{AuJ-yyQvjmPs&=~4)HaiX`J`t}5ZA;mm?T(SAcaMyiddpRvOSr;BnaQ~Bt|2sxXM3--6=I#9+vc0B z^=5tOXmL`;i1!o*y!)HFV{((W?euu?MnCbgsoQ#blA*Q`D(Mb^6e)^|4XLu$BO~>e z=U!aRFO)Jl+RC7NAOAWkx^MDz6lYZw%dxQIef5^Owb@*-z>g^p1C9^-_H274lsd|o zL*j-{^V-yFXlXraoMa3c=!gz~*`a-qbxZ6e2F-wCKnHy3&Ts}VzDHCp48lHrFLvl#W;W*(uVBM~D>y*k09xJ%KoBhZhA zUq`U;s)FRJHK8!9TKRcdS+dFaAiYgALM1OKc3WYar7Pxk;b(FdP)jp$yYXt~~Xuq&2lb;es`vD-IyUGzvx*d?=#ytl1gi$CKk`q9mzNt463 zO>gd&M42Vssd@Y8(z`ABUaZ#PZy&=y_VbA}-rkj>aow-~Qq@|Mr_37mcV;X6q7Mf? 
z;3_jsVAZ|FXJT`?(e>Et0nzXYcEl^;+O}IJk$DGSbnOog*25H9JbBQ%e<$~~;sf-n zYTw*UNZpjgl~hTP)V>}&dDaqcES`}tZ2VAJb9!S+ZFNV)7F#Fn3ry06r{C)IODaBn zF>R{Nz_+^Qk^udoyum^Jd)33n?aG>XjLsx&k!6MB(F@bUdgDWy>WS>)(>_jlZCaiP zx5-hTk9t?=D_qAov4oLP?{R|5u)$P|uNf|rkj@eul|3``F>kj2<7of;of3#sk$O1X znJ01dJe})pcL^RGt5r^Jtj{iI)3-dHS?!*T5?9XIb9BEB0*A@MTgP8Lg<7Z3-94%w z$KT5>%iMFO~%(UTL%kEx2D`Zc2*|_djKkWz!Q1P zC95UUKlPG&0L2xp;+|t4ADSkiiUzdy)jK{6y3@ilJMO7DYbYXg?N#;q4qGMr4NnQ; z7D({5Q`)|Dl3772yY_khjhtNPcle)o-H?%G*eEJC`Cc* zOe%J+(P_=9-r{tG&LMx(L2+_*aZS?NtuOsfKBRoZ7BS;-e@%MP^@1B-_us!ioVSj- zI{a>G=boFP&nCnCKrm?iuzb0#tMNzFkd*2H@;#Sw z{EszXirZ|}5`u|xdAX*wO7C`x!(`wU%-JofLsmSy5;pA8@VmMZdhe70#IM!yZb+jM!b9=JD}(NHY%e$8-`U-9*6p5f=j!)Ne7ccI zuB2)narNTN_fq|z9X{i&pN(Tqzrym#@cA^3P*hhqsv1*~qW?~ND{AIqI0MYzbtKp? z$Rr^0PARVd)JTsC^Ej-)FNiyWKIHPNx3^UahM-5u(K&sWWiP?fO11YInfK2;;JG<- zeU%-_VT|wQq?XH$w#D}y!{1!3u{B9P`S7`@$#q_#_EjCSM_7XM|s}P#cbrkN!O0YRIRP5SkVsd)e>)fmL7EaFbXM_d= zn8^J}LKRJ8+sV)9*j{B%u?_0IRyRe$E5CbN%R9EGx|iDDndv=v?$31d+7;y9xb=7M zpyX=}TI<&8`{`b}dSwRTgG?4W9ujhsD{f=ZhCQx2KBekU!nN;dd^FXuls$pFA!QQl z^=NB^PORb`{43yrJ{rN8szP5c|yI#gPDMkM1r}07KeO?Zq zGzcyPshaw5GUwIhQ+28ewRM48p$Ksrgk(pY(pgn<@PeY3h{V>UQ?JsvaOY@lZV-Bx zTK*y-Cd*!hrR{i0$mM9(=hLX?F_VWya_S@Uud5_>D>QF2Qy$;Hr%UxYA(0XmyFg&q4Cj;E+eNpYe|u-=r#qV+m^fBR zdD#Y$TurcZj%`|XviFi1<2v07z5;$sf>(84nBT7#$;Om4%N-bbpj@XSoXupeJEdTXeQrB>YFJy~j18DFau zLs>Vk0QDG?;DD}=*I-#{_a8ULPv7%l>2+3O;n(EjEw#m++vvLO(I6Xdq1W5vYb!2s zkd#n&QAt>E_mRm_4^nUD*gO(e{{F)I@*TNH`#VFUYvwyh=CI!nItSeR8m;fD=E6e_H6b zDO+rsf8@l8L3`aH%k;7A=0`;z&u`vDzP;o|($?|&!BIs#mUi#9a8BJ{Z&OyE&%bHp zi0DZ#am8%rw_a;)f(AGoPUWoTQbKYTChq?vJEpk0UFCUPWFy4mCg1Znw~a%bd`ser zBgAs=k%`@eQ$5@8Lb0G>P{@?a*{%NY21x5RnG6Xuq;Q+n)H4Rj98T4Y$mxLgVcy48 zS@szo>UP0y_TA+-m2%!s9`=XJm-$-R(dVe{O)bP#d#6WchpvNts0w)DJwkr`s58s7 z)nk82KB`+CcX-{J58QE9cTis)R5r9L*N3WFat)^@_0V{(jywAO@i^g4O_mWl}d*x zC#05&mflcI;{52`r1;U|(THSHe}XiJT+NGsQs#qv`L`MCFKavAd%h{}99=hE*;72( zqw5!o)?TxZRwU!!?_uD2T&*SJ!C2;-l)z3U_rZ77rI^uJ?Fy;5imP(Z1R$k84P+VO 
zM&D>*9yc_I9g1M&s2zfHA4}}r|LB1|;aKmfdoB`_WAc@-O7d|syZ1ZL z>H4Fu#0o{ZTmz##ZVeU`@(5{Zb*v2-U#&u^NcLfaKPQAiPC^8d&t1Z2bGCfIJH(SL z`a)7h+JS+}*W{d+o!5B1QBdzJd-8JX8LnPHbxmE(%(D-X75TdP28gB&*GLN9t&x5u zO22tn;_NXw>h}ziPIC?#`tcS1i*cq6vVqD20diZ>PQ(5dwLOC;cE0QCx$sEqaoXA- zt6JupHOlC7p0iJ-?_n59L!Lz)jopx9(j;76DN1^d#O8_~9njXBHjhkij>W-AV{Nl6 z8z&F9+-Z|GS5Q6{NjR1l@1B?|c=@onxaI34Z>@VrSQN|^-W!Vb3cRi6*9viS&sBb^ zI|SijnRQ-0D_ruVQeLZNm{POFjzwAUL&Ezg&9$M~JOk0bslr2>hL)1c&+x_TixX+3+3Qvb#JKf@<+t@SW zdJU6cvU^PaXx+^cDV?n!69e>*DN2;sp`K#0c9^y9Z{NVq4NH6vV6 z44FEStJ2Qp(3;=xem)TKFx@fz^dYNC#pp8lV=iP)rZdBlG1*Wq4t-iq@tY)Zjiz-k z(IsA&9_@Bv?7fvw_NmajWYRdBq4{X=^Ns+O%AF4mQKu-B(qS(+pSw63?_b)u9q0K(I>Zc8Vzy+4kNFyBTWiD&Yeiv z-5Ab$v_rkKD_3JoUjMRVbdP;N=W4QUC#}$iz>#y0Y=x}ePiOBfI?`KRlXvxF=#%R` zx+%RMr1BIpk}>G_9!Cc}2Q!|~Pq|mnKOY{ygl_B?$=v8H8_e%s_g1*p{j~orsn5Ue2%lQV8%swr@i~M^s}p0< zjrdQk%8i~AgPqa0&GZSa{G2UKIiBPF`Z;cmsy#gAg%8|Uy-22ERO6L_;{U6=G0^-U1tn+dAo>e&e_>f=RT{G zwyfp#WXb$W+3Ar^N%3;7jhth*dkm`@&62I-#Bvqa?$sI_YEbvs^Q7pxyfa-79%BHf8YIpi)@!`3zC zt3twavwa@<^0%d2r4c?k!u#p{VeOAE19l%VNb5ZK#v?|-wOM1vTdT<>K|T9jb5*^@ zN4^hCr}Y^RlKQb}zZ4?F-7w4xyYm9JeV_cb@|%a&oP4TS{XF8z8+I=zP0?w)nQgd} z%>2$rp;QmgY$0u~B9Oh~A>kmt{{ONBJ0BJUyfyk^ZTY83|Ik35zr7|FX66pSYWp9| z`G-bffED_$i^ha^geC~RyzD+%2#|0ONXrNOMW};FLFiYnpChCK~_^k z+Ne)|m-3I4jQAPzKNOTCq~v5&K+3My<3rpv;+@8 z5Pp*hik2m)Q8$ag!S>!6H9AhMxRLVB{S&j;Cwr%@twVe9TX9tP3%T*av)GLU2=>a1 znVMgZZKM(+KHpKOG>-Lct8fHZ1S0WgIB{1w-_ag#9XKoZ2JvB97l#{Unatvhw^vw` zn^;%y(Lijl@tl|%=b-7BUNsLlek+#qL10Z~rTq3cKFFK?+hf235QN`l!qJ{Fm8mJ4 z>0~noMgoMXF=&RNdzJvnv#+1Rsck1f^y@SY-uHVpn@l_=K<=lz<8H#v7PO4Wb$6fL zum}9}A3#7#U+X4z?|^HUpNZzAvT|+wfDr+r>OVT0X38E_^O4!wciJnbl>oV_i06-s zfzJD|zj&}#47Yc{ZKg1BD5ocGASYh-1iltQTXuAOH9BwhMdKg=Qp|&6sjRs8i_f3G zjWR0dmU9-~L}OBaRBgQRZHyT1IIFkW!)dQ;E%;{Z2?C^p5$oIC^=kf(UpydF)_)_? 
zK!Cs#W|F7krw4jeqH-Sj<)+roz9<>Q*`&|lhF3-Bjf@!o;`8TkBZ*7yW*@+XX?SYQ zs?Uy(ZZFfXlb!2brV}}j58<(sXUkfqPQd4H_|=2TnvsCo%jUL>8TL2}q5gUyUmu zKm@{O^p#~Le(?k5Z(}=w4{8{nysXuZt5R;nsrrFEX&#%O9DqIPCjc#f8SF{RWAoE1 z|JUcF=;_t`d1bS}JUgr6$Ae`_#EaPhfv4cl(cV$qOXsXnT!)78s4?8=_D15g zSJ~e=DsbQ3xqVh~w_fgtm(sYm1uf$$Q`0BTnx^Y%Bt1)rBCzL9&Kc3DyuV+?Xxz^L&6x(B6JKbl9?NJz<3GESY zh=?|I6))KKu5Ef#v{7)MokxIj%Ih%y{6I(Rp=!tcN;WNac@G|dAp9;9QpBf@ zw@!+ED4S}Zi4OPB?~ShNnN1_PdZnWGiu)zkEkpa-f?sdDq`W0+pD1|xKaGZ=hh4SF z$)Eb&f1?5?;r)_tnHTLZT>O^#-%|1*?vsSgz4rdBS-~$UY3%|%1P7!Ogn(UIz$Q0f z2P$z_tel;-qYYG4lwW;Luww2M*sTcVSGO~;vbQ11Oc=S+@Jj(D(k4z8MkaE02Eh3~ zC?G>&0_=bOy7@^E*v$3yEw(M7L;-vdaev-!;N>~6aSae`0Jh5;9j76d0XiCTbN>iH z?aTlR5KuFF8vcWG_DWmRsL(74?xHP{zaZiP>_TWM?n0zMxb024w1;8-8C zwo|h)Fai`mz6VLt!omK4iJg@7aT{wZqFe_MNAPt6nY5Jp*X?6-x6i?CYHfEMDlm^J zQUDF?c>Id$AC3)pLaqKKHh>j~I#?JQ03o5Iq96w%19kwB0T3z(DG3FH45&lwD?rcy zGmEMk86^sau(dly!LW{T^B$FN;Q@CDkaNHyJa$q(a7I;bR>tstg7YZ@^#Rfs@eLGS zYMHBP;#`=Sls@g+5!rN5L*yBF8H5F-!~bkIc;1;blHnt7F;lspZgdy6Hc>QZSk#07 z8MGYX4925`JpRV~`;#j69%ouI8}A-Wj~-B-)DfdIHgbi3lz24zQ zmFJpsFvS|%5IvN3g6=f|!WJQZ;ivcgtO6C{o%qg@sXSj-{0ISZIi}oGdE#yJ$ljmb z_tWc`sON)v*44WXm5s;EBypS>!sW-&-IVz0eLtx{QancIGwhjS*nrEzwwr$;+Pa_I z_4CWLX7}B-u8sOK56^ZJAUox*&qNQ#=XU+}TSADv7|7r`_(2ALW+BMnFTL@9WDGv} z<=6T3e=ynK4V76r%{hh2c)kPYJFRm;RC5h%1 zO%|*y5v819fJ`EwK?O+dV2El?e`;xIPQ(aUS_0NypmPdR7|hR?mN3if!vexoKdb=# z!qU=Q6MaTxe%lFhkpSP~X4`k%zzmQO(y}lH6olY_%GvzV5?lZfko;3iODMDuAlvpY zEiJvKHvewh32{@&mt7@9+LKUF0ozU}zic}J)|7}#Po%)!l(~y!Osb?vTM9~Y21fX1 zE*03fb)^|PZ@)?9DesKr;zzFt5ZhM%+hQMH2Rg%z>Wit-Q1PMn%2R#bctL53M`1aGbs`PyUw8z|ExVb8>no-A%BGeXbt%lTihM)k!ns z$*qGfzrW5W89F|T#ll=Cw%tE+iy0`i-MA+3@J9G12TNGi62vy_$Hpn!$<8-(LdWtT2tw3C&lV z$}R}4!Gh$5KtOUY;wwn*MUa3a_aaCZjNG=9srZ~%zyOPj9J&DP7Ak0&gf6;cr3GHw zMmSVBTY=d@KOQ?U6Ud*;KQV?YFjg4Hmf>ss^*F@E^_1V%OgohM;reMG#rLdDIB~`@ z>UwS59YOE}!~o>M@AripWzqeW9N01M4jgW5=Gdp9!NDO<#+gKH+XIt9j~)VKTWLH2 z@-j;go9G}n8!KGn$n&s%Uy`%x(Zg@U!4nVzkO%)jUkK!{$}qye8LGo8N9N#*vw?m0 zzyI|JLbA;3kVUBi7O$)STY?ACdY2 
zed&GbpYw4ok&z3vAbAaPkxtleWR(&W05aCh<-LLd3D|(#H9$@xs2~jWLrSi%InCfp zS+^j64RTR@`HHPW0a?P(a~U##oETp+|9s1kff4{ROc7HkEzGR5WWqYsf&@0mMbX(S zHx08`1TvlgsZf?mm!z~$O?^>r9l-?&Y=CrQKfK*rv1xD& zF_#_^=rllDzb~dCU}$1e8zCUa6p$}ziA+vQo34QkPA-IbdLV1>k>P)H~ONPdDA z1ey>?Lqwz-kcTT7iU=$T#(BQ_4_jd3dld0tjFfLtu!x{D3rEC;+p$ETL#(+DKv;2O1#ZV$hbdY{4Xe`u#}&*ewKb3I((w z42hg;O~5iZF!lq9^nk>7Fk)^lz%s<&NcM_eFbe>H|8{c%77+nLe{UNK7;7;?LO>^2 zk!=g60l|M@8UQj_0*PpW>~BEgD`F=AU_%H369N(rWb^}4I{ygUSFhu9w%0uhi%5rF zFdYc~6Vm|(Xhk@XOiK{(i{=^;$e#*yPow~_PYoDLKASz?QGagXf@uLrB0Jx}U-wuo zm845h00aDHUjtu&BwdFO1=c?f^2FvymXSyX=e4Zeu%^7;s*LZx_Axl+kZ8BxHpVou z3pK9qa5>xcd@t?oo(OnMrs$rrJt!|@FmavCs`AZv>mXlUPyTn&e9wkHO%0X#s>&V| zP?%&%d+_2M#P>=y&CxA<*0}5$S6BN}^wQLt=S~bBl_g6iH%B_T-c^5kvgXB^>Jt^J zKG#D8SG(-Ib&j5S_Z}hj2L7hVPnsLEM0L}o4K_h{HJ!On61&y(?C^DFYSn|RNIo6P z8aZ^rC2-T#Lir{mg2?Yr+qzaClL2GGElW^U9n#$4_Ubl1^c2a4fVa zmGfCfdnh56Q{HWgqLhD&Qu_=k{eXu|iIQqBXY_jfR;C6tlh;vImrn|BGZAWzBHMdp zWpdKgeO32nJ-eCd`es}!)|z+M_M{UY8+YGYeL^K=Qljxu&&C)xs)yTI-A+;5nmRaT zmEnDo2T$k_FAP(6~?Y##veV#@z{N7#42WB+J zhYzK?X7<(AM6rI{*jJr4u6soJI-N0X(Y05Q>#G7VS~2at42VRp1TW3fppOxdfn68K zy#$fGf)(<;Gcl^ExV`?b?woA$a$tTZ6rm~P<6*i3G1G%|ODjcRQ+JB*$0zxPBTyoV zk(oUCcLn5w??^m8;_>Doqu!Lzd)a!kGwQ=-zRWZikDb;{#;aVN5Zi0L#;0i&VwF@v z2Z0dBd1W_D_&!fE(jcW8^Ymaci&1bHe(<$+bi`<5jkfP0RYn&IQ`;9iAyPcuYxd~I zCRz+=_x5V=7oWdY#&UkKz+{iEnOX!oe)jF>T?^AEy|p4hg@J=3hDn3dv5{{W&8er4+@PvlHEw! 
zGaEBwmz`wK60(kc3}eU^DW!ypB$X&FvLs7(+9^b`WQ|fPLPC+^x%ie+y8rX9-|zL@ z&-XcV->!4HmSf)6aeU5mt~pM#H=1X?P|-adv1qESqd>c|6cLtRCj~2%x60(PrIu9% zimG{ycnZs>)JZwZH$>sdIZ)u3X#e_*$W5{cDX)jQVzs@~zb(HCB7Q=}nZ}&l`s8?c$x}Y+hnjBy^}x z%5VAFQ%`VLvic9C@nBAVTDAUWY`);CjKsC@&7C6E7u!7jBie3mkaKnMJhWfiGlz)j zEa=EDUdcn}O%@ZQB)gsOdun$4c6t7~>`&M%3#B1mCi~#P58XG)Cr7$ELKVs^E2f6p zM2DtFCs!p5-?*_mWLNR-fPfDwbduGQNE>UD4fGlJii=(oPF-T51WbNIF6AMWb#caweoWG@y9qPS;aZBu5_q-EiE&LNN~dEjrhX+%`(6d}8}(4IuHA1Tn(nsW$ez8t<8I6Y4~@VUI_s5}h2E2&TylR; z?Nw0Je{gyFxo@UuKm73h>T$_YyHQ`v;lwvehs14OVYU_G&Tm%?4xO=hTC}NYRBvo% zJfUg>HEI7)Rn2^Vh zF<-1nNl-S_zIalTr@#JC(+azap72}|>s?_hME2#}FUh%`azK_2*{hocBON}2an@Mk zp5+(Js6k+ZwdyxBv(`P4Q9H+{k`@qfFn3hVc#Fz9sVG|oKCvu~N83e1mKCMqjaN*0 zS=gj(lH9GCf8d#$*7_(@SFK8`9X6%f%7~SNm$%C3Sw+a*Qr6o0j6NKZzvGa=UIep{ zdKZ;G%zUS8*Os)%{YQB$SLl;ErK-Pl9&Fd@?1byrZeSVc4DMK6d~T&Tb^7SNmH@pK zUauT1R@h}=hO+VxmPZ~w$;@9@p!9Sa6ItNTNs52|%+#`=+Teb(Y&J$ur>Mq`?{Rtx z`OPpN<#-eQmH=no;J@2z(pzV_LYzR{0Mi}T{(}uVZA0`$`q8lzhh-Hww?rov6<6+?uR{vfTwk8bse5gsg;3_<6ZNeg zV?0raksWK}g|ZF>XdiK}JzS8f`KhkN@WgOY<_)bGF6(a5YyE@_zlZ59OWr>iA>>sZ zZo8EdvO!e1?5NguH^sC-J*@0&g3um?r=!T{Q`! 
zyJ6UE{G?6J34h=F{XQFuxG*LLQ(h_Q?*`btvNwyLi((Dck#&)N&LxbHX-6h1(w`%1_A{FhwJwQ6W6VI9HQdE1qCc7)^Y`9+dW}xMTvzvcPu^#ba#IW)!}+@$yrZSzGkYoN`SRU_ zf)2!cVeDh))QU!leo=Mj{f+Nfjg}n^_w&yd6*?QAC>Or$VcS4jT$FnJI47bmxo1`U zsMr?EWY;CT#iQSuTqtHfc8K?w*(C|oHj~>fiCSr=wYaL)PaS!E#^tEaiDM_cuXy@hS zI;cLO^8TaidGqWu`n=zeQmHqy(%9||W})s4=A!C17j28{2;^e+IkXBtB)9E$XHBG} zmnQMR`uNxrhIhS~V06?&Av)=M-;&bvxDH0-pLe;TVZal6g`L;C&}kfHZg;q}Ao!wz zh}?za^{!296RKfMc#lDc0m~(R5jjsqU)cBb2cOdjYBS}&^BlXm`lhYZp=RQWn8AIg zRv<_24e+7TWx|QQZ10&iw^aw%997=AnI*EpLw&Pv_JrK3gW^|&Z}|w8p?CvxnqyB9 zFWx>a{^CB*o_jsI368?exR=KwRSzD@9jwBB=5_*0%0E zuY^$;LUC7qOOA%Qw5+tdR9+>@^}?%-y_Ni`c9jMv(POK_&EjesmmLWtJ{);aZJi$A z8std&^qT9~@!MAvjvNxvo{2RpD_XTC@!hsfaKlyWmbn@#T+X~TLN8Oh5>^_#C7}4h z%7X=UE03Fva4}WMt8G0(;3KSBHK^dk8Htn5Zroqg5D+KH>6;|UNlKDTD|$kKO4s#Q zuG)W*rFvj{$)l?-t@$4sl{blAyVX^>W8XazoK1Q30WPiU?qfti?9OCKH8gaV3r7^K zT>|5_=j|?0&fi{=V%2(qMXlo!i<>^3kVq4E<*mZ;@PC zVG@_Ns6;-&B_6EFfBg}cxLoa&-bnkJ)V#zKz1Oo^wACV?6ttnVbi*Ft+}G}4w=0-j zYM5%%+NY#;cuT_?{f+rnq@0Iq59xTftjXTKpGQtNgl+QDi}8ZeRq9N4Qv9p4-nyON`YlFZx#9E_+vWj!yP|cgdGLM7iBBgbC$O9h=|YA?{YEPG4OczgG=^ z>AZDrKyBq2ov?`dEtlRkZ8JTg+;T|WDaUK%0gnLb@DsI~E%}WHb)OY9o^cF}x5(Z$ zN_i8VI>z}hjV(SpEz$DXq0_`?NrGOdCGg{`IQlr%-5&Vd)~VQRh2Pc_Q_0%6elVlD zG);qR^%=>)J=E)WH($g_xQTk)oHUmRu0d@K?Q_Im^O4)SJKwJM^@)##0cRg3D{b1P z_}p69<^JO}2hMEv78V}2eDA$>G%0BPsW`jGX=9lU+XS{e6mVv}6(y$NpjFQoxcqj; zgA+>P$1Q`Ho)w%t(os_HXixeSd?swK@z~Q|bw@!l%8FxEN81j-eNSV9lH9$H`$Qb~ zsp))`rI(ZSJck}*p_^X(?x~Z~hm%F`_yQ`n=KEWuQ~S;HQ<+$$BP!hK^7TKJV(wZ6 zn@46oA+wRL%&cpw{IKmA&L`-}r$f(6-_)d<++44JrG~o)UY>kJJ@BEaMM)p;WGw1H zkwDNv_qV*y1xoi9tx-bvaz1I&boWrlPx1@dOhk9vTlIcKT^+eS#{9(JZa0TlbT>m$ zW!3Iy!gc3%U4p|gcF~>=8}AriXJRC^nX{f=afvUy<_tEi%BdA)w_@qOnC*_Nj+izK zVMqQ=JNM=jnV+oaEFB7Oww&C2P1=d0RUnV9U`(S%pjDugp@0!;@8O*8TZm^0dbhk@8_nw!?f3Y#6KgTQs%PcVWJq$(F)U*vH9jh} zOxsO9ZALegdUt2gTAdd2h&25WMW+5r{jid3SoJw4j6+n+$ZmpZl!)rs$K9d>3|k5v zb~~rkeq3|ceW%n-tB+{v_|T|PYL!ry-^_YjnQHbE?(YQ6_41`RJ>kT~JD(?Qs8_Sv 
ze)jqaK@&YGRLK77Ly;nKR(ewIIShSjH5@~HjN<+2?}fB8-)A;9@-vRMuV7in@#m%a{O=R}TQ@01W9 z;B?F5RBcO!@=47iHkDWOp3LP}=y#booisYaB`dN5XYr`vl=#@Aop}n}vW0>V+s`|^ zzrCOJ-sLCIpB`XWyWF#4k39?d+R+v-Oc?a5A#f)tGX? z(x=INbGd)~Q0G3)o`;!eU4eaPrAxfUh4BQ}GpGwM!_Va>hZ5q~ibW096n+#twcmRG z{*g4^l=zHdTfyGZz0bx@13Ir z>(*I5UABX7*F$!}t_$d)Q^L4Y7QNwO;%iy?WgK1$CcbJlyRG-R8m9W?)6ky%_tYPIqZK@VTE))o9Aoz`I6Wd}7xdC5Cl)-R-<# zswLu7%-VfVKd*adBpW<|JDVh$8fMCp8r5t)Y?QY|o@tMfNsr$4YD}|>8Tm!aRA)8+ z$LjP7q?XVyMR72H{O#3xE)RCPJ@?{L_QnKuDAo15x6|!hx$I7Lw{G|KlRgPmy`OVb zsrlAR>wFV8*Pj!%3|Re&9-H;>ap&%>I7JG-w5)CMtcj?p?#(&RLo;c1K%Czgk<#)dc09A6Ge{^Tw+-JL=rA zPH)X2!_6mM2?9HvnufIOunB}MYhJfeO7v`p{+;SvwE~VnuJpfLPnoHy2?44;64^t znH_y@OO(%;%weJ4^m}LDFWKeAZvTk7q~wEjeFu}LbHk~uH_oq=UhWSsO;XLM=Mg=V zZh1ObfcUXtQ_=-FPsrf3hj!w1(CD>)c9Qi7kEy?PE-*92&Z2lj`3b$CYf^H@%&L5X zj%<3}W3@G~O+m>e@APt=-6IFYoj#Nv?v$WB9T~SfeDaCJ!4oSkTn|^=(wfBmUdCu| zu9fwxGZNa@v4S~s|9MmF^Ox1I3a(|9*o5^sgBr`K^||KgZ}TxYc+)HS(DP+BX{U}~n>4HtK3{42Fm_*WFjMxk+7~;0;;yjPi%gboX*Nra9`2jW ztkd)vi1~PDI2$pw(r6q$By;3)-HlzN5tM`D4bBdOt?G4`f~YUrZ>n2$3~%3M7k}~7 zUGxFb7aPt+SFv0z%Q|&!Dp&nZg{^;!`fJ3VjrtWh5_`nCmyT&Ky*z!|Ke}mJTCRQC z&GxF^@mNJ)Lf5qiudv1El(blgpEGx6m#E^$Myrn33g!25R0V{O4cY}n_sC;*IJFek zN^j4wJksg;s&05L1}>X76Zs+a^ukKUk;}a4 zHI}@qbp5b2_H#M6?EAJrhAcYGU9B0Vm{hsjDPqYX#e*9(nX-%?!VO&Emh_40vYBp9=?mgZyQ?e(~GRasIFrc)?}7D0a4D1 zXQ~cv%-(>I!n*a@Hqx4j$*tGW-Y=;{}#gkMsmTWopZbQC4qM5O8Qhot-o= z6(5~EdG!O=V0Db6@AXO6S9YF^wy=@6 zY{{C}$+u=IH-6x>wdz7yF=UHcO*K$t$1XM0R*iTyH6P6wkq!Dnk)_m@F}*o;J-Dga z+;GV48pett!d`#fLzdya_!RwhZc<0Qg^G9V^NK6poAR3PbMJjw0YOhqjL`FgVmOiZ zjz@u4cNQKvFHreh%*;Vm$jvY9rdVm&#!nkQd76#2?YH&|P+fcX>c-udZuvWv$iLlC zN>=P4P0{xi-%CDnYpvFy(TYRwZ^`YZT3^|s8bUdHJ6@XM?R`Pn%L;2_p9$YdG_x?g zb^A*1Rmz~VrfK05okA9~l+S^CSJ+B9a(OcbU$Vc)Z}Kc^`SIfz7xX5^v}x9A@8klH zdp+g1+fI{0Ztd%q&kPf4V$X$Zna*$+TlyI;_E+O@zkKrfYo^doD{z1O;x_^g`@gpY zR|+MK`Qf98|J^_D#)AAmef1l|l5b!AMn}iA^oJ$7bZF>X-*_;F_6%IyE4D0O_|$`y3sbmqjz&j?dpL?ahzasDx8B#NRKa0DBLMQRbcVKzrQv?(6+coA z9-7`*w7+|_dm{U(hhL)q;PwpEcvtEa%Nl-%vfCXIW4-xn0<8&e2YUBaF~x8Qi4f$y 
z{Ch@jf$D!Rjh1dbIdO71;d6CXr1_EljNLIU7X>}DEFy9T%q^~!-0qHe6JDEzG*GgwkJZK%~5kzY)P+b{BaX7T@Yh5v!CTPsxa{ivH>l-;cNCEf5uf5XWj$?N-1 zvt(|b2sx=cmi9mJt$SO+i}?A*E>@QUcVaOtKesUeclsI0qIKX-i(>h?5xCROL>8|D zcUqjwPp!b6egg8FDsZRYfLYiK+-V_?-_?LS{f^9ncHmA6aQwCc-08Pye(V75^dpVm zmw`L|p3M(Ez@2`8@ef7dPX7Ssdlzu0?=1eQ1l;ML=*;&4cbZ4>j|JdP|A^;XCvc~4 zB>s5|-07eBeC-A9L=z?$a3`8L0e7Ma6L2TmFadX>jT2BOnm7S>q6rgFC)zLpccP6G zP$!x=0e7Ma6Hq7GFadX>jT2BOnm7S>q6rgFC)zLpccP6GP$!x=0e7Ma6Hq7GFadX> zjT2BOnm7S>q6rgFC)zLpccP6GP$!x=0e7Ma6Hq7GFadX>jT2BOnm7S>q6rgFC)zLp zccP6GP$!x=0e7Ma6Hq7GFadX>jT2BOnm7S>q6rgFC)zLpccP6GP$!x=0e7Ma6Hq7G zFadX>jT2BOnm7S>q6rgFC)zLpccP6GP$!x=0e7Ma6Hq7GFadX>jT2BOnm7S>q6rgF zC)zLpccP6GP$!x=0e7Ma6Hq7GFadX>jT2BOnm7S>q6rgFC)zLpccP6GP$!x=0e7Ma z6Hq7GFadX>jT2BOnm7S>q6rgFC)zLpccP6GP$!x=0e7Ma6Hq7GFadX>jT2BOnm7S> zq6rgFC)zLpccP6GP$!x=0e7Ma6Hq7GFadX>jT2BOnm7S>q6rgFC)zLpccP6GP$!x= z0e7Ma6Hq7GF#Z3-o%YZMflT9@eQOm#uvaEgkEuS~ol9MGju(9dQJ0f$A*T^PC^!hr;zZH4U8oZFxf6lcf= zEW+6bdJS_ntC8V`@I?XRphFe_o~HpByv@$X{rk(9t&5M2+Y`b|ij1e2%yivJXWj}N*eQ> z>`d!S4~$bsLt6tzM+bw^K|ipW4wx#8lZBO?70$`d#=e}3lbdgy03RA@vr8G7=$6nkK%E;op=JiCI=9c<9(43e7#Mk^jgN7mv3A~+Fy5uh#kQ`Zh$MGzU}x4d4v_ z6|pdC)+JCaw=Bykf^UoUDbZfO+e#zuMX25{O3`|p5e(t%oCM`(VDn#qU<<#$7{})f z^7ss_*1Y`2j?j(jw`!-Q2^8x0q2murTnYO&6pSC{EgaB)=~5(r#3l%scBm1Z4nm>-Y z=2pCA;Jw3^Ep6~s`0v*3UCWCCA;~tVfZF+cL;%7In7q9>DT;C59 zM>1|F4e)Lzwzu)0Pq9=JOKa? 
ztH8smKbuSca1?l01)i&d=c?c%0Pqn2_y_=eS_M9>0w1h`4_3hkt3OPT|ELIZ06-1^ z$N>Q9Dj;12WLAO9Dv((Pk^n&xAjnt!qp9?d2Z4N5kgp0-t3hftNUa8|0Kh5$uwVr& zSOE)Gz}l)GXUKn42C3B`wHl;WgVbt}S`AXGL25Nftp=&pAhjB#R{zmd`p1JnYBfl$ z2C3B`wHl;WgVbt}S`AXGL25Nftp=&pKhBWpne>8VKx#Eetp=&pAhjB#R)f@PkXj8=t3hftNUa8`)eEM`e^LRd)gZMR zq*jB}YLHqDQma8~HAt-nsnsC08l+bL$xM2|F(9=Xq*jB}YLHqzn_8XQX=$L8j zbDQMyTg@812DTO-xzv*2Bf2e1vQP2!4(r<8xct(SpGdB|&|~e7haBEqzt~yT=ni%R zK!AsUSom)ghc4kS{p|rWumsXF5-}>YQfWM zw$ale-S<*wmC3-i;+QKfr+tKtvv7T~mv@kAef9D?PJ-P45a1yo7XC}cp~5LM?X3B2 zcZ*aGqF7hH5ba2_C9=I69D~LY5GcfKQC=Qt65vHdAkFpd-G~lUIMUeH zo;uf}L8g%4NF$;T*_Yx#^g%$o8c@g%#zZQ@5^12Ofk2uN{iz6~Hp$MJsPc8I`gN;q z4M(c`Q#FmLc2wf*p_*6(7P_X9q9Xj;wPu^mAzSc>xnFagv)w8xWPgMu7KKJ&@i+uV z3JV>ICJ>-AYEsC)UbBb&$L6^zWHDq3#m>{m%Z@_ybO?YWRiPF&qMxe+QIlc^)wK~+ ziZ5~Y)Vf4ZXQ~SVhf`EUd}ZPd;lN@b(@==b7y=rDn7c4^J%j@ZKHCb}r8&1jAt=s} z4OoP;5A+)5Y*r(~4dIIdmVpjg0C=7TWbigSANTJsW41Q;Ds+8GuAXEcS1M$)<}8%i zy95z~ET6w~_*sJ%ocPx}H+M(iNHbSQ=(S?d(ik{Wi|Fd?LPcN*SQNyE>_Mg&d)YZa z_x(psDy~!?10qG0O!6Xo5Omz^p#4-$)QApbN8;DR=ZHH&E`oqg_!TQw z8iU4vCp*(R(*xtw(a_d_(b2(RbkGlMrURx5<78oFXN7aJv#~Gd;^gLAC&0(c%ZC=1 z5MC#XRgjm#67b4eR(i^6X6kr?0m;zJ#@^Y*S#g_pfS04c717yY<|d4VnT4I%g^rF3 zHggvy2%VXM4*K`~p$gqnCVB?OB~a&DPNMncl_>#N58+{K|nhtPBWwos3x6IVT z6q=tQdgc&7H^2hi;lDBr&byObRHt)70+Z_%lqSP>B5ht>p4K_KZ_op$?Y?!{rTB54 zw^DYSlqUC8z>k;&dB7Yhe`8<#rILs3O;Q+#6-WkB?0Kx%;0|*9DKsd}h0~j4ZIDl{f;V@4CgaZhNd1nBl0|*BY4j>%n34m|_ z;V|zEU~~ZC0Kx%;!#sii&xeD}?03j^JLk2%{Sc&ZwjLDz8G@VTw0t`eZ*{0(WO_q# zZw7P4P($!#l_)X(6Ui4Ywllq1?-%w-$2uh>Ho-*{GyopJ9Y8evPl^G&BkMzw8#;W= zzGq4m7dDti*?zuuBy9$EIrB!Nk$Gs^y(dr1^7XG~yChrhY)~vIKfl{INbOVqhePAd zgWLld?Q20dzyjRizd8)89)6Kt6EPLF(=f_G^utUWoapK3L!}VyNV6rfy&D{Z#-kA^ z#B5Ps9%&NbMMNOY_3hn=4pcbO*w>yq*P=nDkl;uoq7T`Z;z0C4K)V`H$PUItD#8+J zpr(O9nh^b|2&6X2&Y7t4b*uVyt8EQOs{2zljj482;_RWCSOgZjrjeo|{M)r=o6R9x zP>8u-bDgu@Dk@}uge67>jlklt2#k~zbSPQ|3!PDuLiY8VJ?uX=&s8CdAxkKBo<3f7 z6r!g?034|bwWtyOTpfs-6g#M{ji6F|iLFAQA|;Xs1VwnBDk&TUW#iZf&b7UApzy@olP)yQx|_@aPk&$s~aJPpX;ZFWBH 
z-(SXTZSGa*`jT8d$v&=B$Y#x1D6@A7A_iIh{m#u&TyWwoo}T0%@0+fxCv-XugcL-Q zOmQSq5SDW<1L9`{-C=|!9xW*&BZIO%fxC{*@Pg zfpxh5N$YS@b9W2kg~H96jK$(1lks!F2=mt2+1pcWOpJ|xHI1;qH2hziCXJGj#9(Cz zXar8`8#rkUWDizGN(u_RpSk_sGMNRI5&qgTtTajzBZWod5IF2NXi`$MZD@a*)N08|Fx8%(O5{!2xvSW zAx-#t0}*J*Tp1a>3>xBy`YI<2BVjRU*afEjBH#blrb$EYFGC>6NdI7&G!D{REI}F) zki`vKEJO)X3oQG4{YRs)b4nqDkRr%Hw-XPk{twKgQE2FXLX8WVndqzk>S+rG0>a-9 z1Q_((K!AouU>Q6lY_q0eApeq)k;X|Oq|i{b(rDR&0fF%M0|Ex}e2kRz?A$JH4Tj=%#Kw!X#`dZ zGMq-!77PZ2zaI=R(5ymAMhZ(nV4%?ngM(ZPnp#Ogw-XD^uP|uH`yh}qG(cN07!dw` zFo5QFkYzY283Y;+4OnxQLGwV!G8_ssHyc8sA#4B7mdPv_1PFgW2w?EDf)7nI5Oeo% z)-vcOLUI8$VzAKc3k}`k*~W#o>1i(_YBCE(0-67TkpP+kL0*rNf~FhN(9QdganKA2 zFNKkY<{-24$vKM`8n>8s$SfEOpt$j> zjin24Dydj=c>JpUv1H}{9Cb+{>uUvM=y~(y^P&y$X`6qq#J; zUM~ys87+MIO3);HuYujqH^`b@{ueTHQfz@$dA)ob?~7@GcG5 z79zHOKNF(-XgvLy0v2r^(=Z>RHjf+uouf;>%bp zxGQfh74BIX6KW!qa2sKuOut`8=*j8}Lmj zK2oDUqZ{1#qAP~{djIybtx{>s;RPW_I5(_1r<~5_V`3Z*br}cQkCwTz30n+BUe-LAdxHVMm#6 z<)?ZZ>W9O1AMBF|+_+^A^kq(;s{TyoUZx$mkSUvPXL&PmrSqBgDL(=wwe@(Y0CGB_#-$*3-@&@Wp;Iqk-KYrt zIIwFtA-f`QrwRQ zQZ+NT4;=4n-+1b98%izW^tf#^M(TDpmzY^@8Z5uq``+s3bZu`{Do2ht7_NDC&8Nkp+dGd% z{7V9du;r+bm}aH6C$5*%_RQm`GcxOr4^&(3)q0Aul|buMa~VYM@q{fAqSIvFExYxN z_Qn8lp_1l%Gag=b(5B zKTHW19w1^zt}6QGl?icX8X-K0%ffM2_9t~8@5_}x_EY51xuP>B95>&YJc;t zgyOvJN80Wb)=kEb6S*ta?bprQ%ecgh&%q<<>{Pi%fYq0|kJR~%-ZUhS@|9GRhGP{w&(>y$TBMYCYPOy-7kQey z>z?TqhjLrfG`T3(9lm>6jzz?|V387nhcyvNX=#so{PGNmW~&-}Uy%DtDha1bOw-PM zij#Vkm*C76cdTq{D*xu{-~|5*)cOeA|K>REb@M6b+4+5G$k{{gYRo+mHnITml_>r7_8&$Y(xam>9KigL*5 zyF+J5hHKnB>>E#WBTtSzI`huXZ~fJhy$qsW8}E$ioC~P4QXFi|#3addHor;Q@R@W< z#&ZAmk5k?|@?DG5-)^vUT9qxPeO+wrYK4+ZJf9BqpL(3w%HeZ~{hSn+hU@T+D_oD* z_MDSyU^+#|smc6|SxiW5EHN|h^tuD=8P|EM9oI;tNaAjy?&zH3QIb~4(^+zqN3WR@ znD(J)v)^md4qR_!x7VFmxo{)md*|b2!-cy-c1bgy6V?rjb-FQf0hf`WsI}TQ>(ua> zEQQ{yV@r1})o6)TiRb9M(9$^OU|Qe0ZK&s1lJshMdQD1`MI7+}B`R(ze5ap%l~A07 z=E>+8F{fNpH*_hdEZOr`<^?QVEJG?mOUW>iL2ab`sBV4fAC} zt5Lse@B{zTyvJe!JVhti`Jale+N`kR$SA=AQ%=z=kzeyNxMX96y{N%MoJr)Rq`}?& 
zebHE%`!7vQHaeB8NVa=j_=a9OdXFEB^$Tuy53?9n<$et3C*78|X7`JC-Z-Zu2`R3> zaLFQoH|wc~cA}4YiR+7E3#MEV-dE@FmMFL#rPz-p)YO?XhLMx3cSc}$iIM!R$1}q2 zU8^NJwU-^A-XCalutTNhSan#6?@oaY%<3E?K|!n~M&)9Y=K^&#pV~)vIt|=cU()1x zFF(tlK!1wv(VT*ahj%iI;ZGz9id*`00a?IZUDvcSv`LU8)V^|9H_E}vIZ=+H&De##7mjUyJ znBi;dgKDcSCDX2F&<=)Y-?y=R2z-}X(=NM^Aj=>e~HUeQc zv&8*Moj)mKVX;DV&CCQ9t!Pdo@o>dB-wz!p&fF}2C;zZX|8(MU?zU3S`nbboJ98$k z=Da*Be%UHFe*0FXpd02L8;d=OunSz0`NoQEuy=a}2Q&}dd?YQr4%=GbKsakq{Yld(BgR#h4Kyve1j9!~{}XBHgTw|dDgDaU)H@X zE^EqrC)V4?uh^zm8fmjq-n%zH$%wB$KV7xgAb9c|Cx7F9ABn;0G9`=2bk#3`yO=K= zH9f%XQCiNLm$he{v~GFK*ho~5g!j7Bba@q8JI{FXJXJQ@RF-q_ZO=+U;lrDio+tGIV>R-f{cM``J!iNsFQ7w z>rE6r*0^_Bg6;MQTTz=DkGl-YO=s*xIB#Bz@n`d^m)vL~t8?$mjM(1vKtVsLvTP4M zQpQ<19buVmPaQH6ts846o0bJs6^ICI@joVYIV684tb8Ez*lAW`+XlAvg_|O4HCgP3 z?@O$Ce3dxeHpTB$a;gxC_VaOb8GZ|lnm0( z`hh7;}t0hDosEa^txXT%CAt$RR zcB0@zQ;2)E$2sZ86GGI!eQZn)W7p!TI>i@Xnl!}6Ik&P$Kpz9EaTyBI-v*Cy@Xl!hFQ-BosYU6cA&kUJS;(qBB@zSAl`-GMQocISrP_bqbqajbo( zE4xI^boGleHzb~Q`>c}RaMslO+ICZ}V|@wI2IBpXr*@yWZi+`%*g7*!*mZRIxuh=X z=-4UjDf#OB`xmgSyfLoDM%G2Djr^Z%FB?0z4K*+K?Y*Sj{d&O7ny2XUU{px4;i{d- zU+BuI8|FMqWszb?IU$}R08OD1xm29OA35jNO?Mr7W;7~&r}xvlwPl7}&t0l5Uu7Fl0&si9Cngt^lb z5j)#NFfTU@E5GCQl-^14%ZoeJ#ReBxVk>eC=%WwMUtAx_?zNtr`DMTBm* zD4z)19)@sE4d&fz2HxsKr|xT#e_%V%M!Lkj`Z3*fc?x5^vR@f?I7DMA_`}%63d$OZ z&iL`W?n`}(_s}=V+TU1O$P~4?$Qp8C2Nutj1eJpt%vZQnk{`&vN6?qwe+HHSILRx0|LU2vwfo_ z4UX&yfqib}?C0Hbd~<|&V$?kc1#EwPV54f-JrVUQp{B3zjIUuIZ9n6qIHn&`=rFMn zUAPpx@oZF}zXd)trQoNYj@i0y<0bgGnLX5RyjeMs-l>8K$yGlo5 zDsr`T1)uX5(x;1Zg~Ly0CcYGANL5VVmB1(nC2q7ot= zm*az(5TdfG5-jZ}Q%i3qB;=F~+BKh+x8U6fTa9RELwuyfEnTC-p)xUqopKyW)S_#< zF1y`PEJ^a(ZGX+!qbv5vv6v+a^TgQfm8E;FeWc&8TrS|M8B11Kqfz}Ut*%H-#Vb?n zC9*85&V8(VmyvLG8*j+G`97!lKIYRd?7EH!6u_p#Nk?jyHlKdlN(yx#R7yT&td z-zL{91^D+Dmul`XB*%!P+;}gU75IGgO!|i?3NbLhWRqf-?}ffksX1@sF1TmwNXG3u zc=XvOt%*&ZJvuxi?`n|4^_pCWt*#S=k8V^{4Kea1&{>Q6@1{@`cC|NOdRjg8;Tqm# zWkyAE`H)^vWMYX__Qd%dM0`tSpN@xF=hm3)@oJHartUQ?_Z=I&Ph@{ix(!$0 zE95V%APzo^-lZVm*L%>@qcgtn>X_9BOKT%vk~efhgr7_Y(RQV^;&Gn}h2tX?(UMGW 
z4;BeV*1_@}&euGYJXtW2f_-cLY5lAES3NAOZ~QIQCSS;fygjg&9kv>4_N;^Pv|kj1 zpH5KB>MnfAMr1x*LX>6noYB&ATQW*Bnz|A>QvRjvsR#R9vY(21JS~ zndC+Goc-7yI`G?rI5kz1Z;#>T4xh`OaDvi35UB4D=CIOO=;MHIPv&M?XL?|qIvUy< zFgiLIj1KyN&2+$2VVo?i?5uE3b~g6qT%6o|>je0CdHK-d62j|bu?q4sSOQ*I%SumK z%}gCnFd!M4+1NX~I4f@R4)AjHw<0<_%-n>rFtcKq_tMdE!DjBl1fet2Gt6FN{@+qY zI{GCHOi<@)PUyn)j8OOd4s=V<^h=lXU#!cL0JFk>&B_fkhAP|sTIkHs&d;M&5<`~I2)m=f*;&pqyMoSNyPlKF^7Ci(qOBvISj68|hJOd*X zjwi3poK$drFrcV!@jkFVt|jgzW+g5)IO3@6=&a>v7#z|fO zYnmf(&a-j4>{Am!G%y~N+5#&7UIuL5wnv`J<}GoJx0Jf$YgC}rZ&)tlkY*-9KGMCm@Sgfix}7<)>C4 zO+Nuyyb7dgaV`s6fix}T@tYcurr&^B*bJm;A&=kGfHeIE%z|bhO$%`Rt^%a#cVrf{ z18G`-<98JxO}``aV>^(hA8Guy45aC|XnyPf()1&Z-8+yteYQ58r+uJLd%{oCb{m$iLGWDnA6dM&>$?*S{F8Lq5UD+dMh5r*cx{a#nKP1ZUdEnJA)HzxkX!Od*|@ad(q9b!HJ%ZK2!?Pjx<{$+q=OrXc;^Lg_teM z%Ogz!yod;-xxT#{(SZs_8vEK)=UOz#6cQY1MD!v1QXGgr2xwOW3faM!NJUs84b(Ic zNE4zz6@kOZ0T6x*%{kMMcC{B;F7W=t?N)XEPR!!60U@ zJ9|BZ0|`Fc3Yn!jw?QE&&X5gQgtHIy66Q=+Bf|~hi}Ia4;{v|(Fd&1s+4;DCe;Kp2 zxmTgA;d%-$pj7-aeP8z=MgiGRIub2kKzG;?)?UMmKT#lVqTL|11Q zDgukbOF?|d9%PEKmz@K2+kfPw;!5=~AW~GxBrmcj(UXcGz>ylR9#kR)+E3L)jp#sj zBz`@7j<^%#AqdnwR;)CEfd5W*rgf$V#;K#BtpTH>gTd&aAJ|L>Ocln-!phDH=VWJN zU(UtJ&9_c~kC&GZEiNIvP8O>mFM}oEm9?z&l-11C@dN{sp_z@nvx~FhHtzs0M}I4# zv%}0y7z;BiJ+lcN9T#loE=&MAGXvf1HRk`(F)}TsUjp^5I*u{Qytr~TCTehEMhifl`8dh zw!OY?C9L0T9HTrhcz;@uDcq-%HLz(%h3}1x>bIJvr3o*N{^_~qkMlt?##^?SUk@G# zF+IHR%4aw42Z;I3KP~j_WZO`fnd3Iu@;PfIlkr4TZ>;j4p6lCjbhTvy+sPL8&7)b9 zJ0#gJk6fu*z2{r!pKciv{iV{M=HAPAW%)k;Kle%dPtP@f924f9>-KWuVY9lzmo7!J z$(5IdV&^;mw7^d6d7Keg!<(H%u5R%1Rf^V=S^cNynmKuw`h52)#%%IMeQfSQ6q9}N0nZaViK0;nla)4w19-a>)5 zP~e?Dc&88E>4OJSe=&^w=TPuK3OqLj&rQK|Q}B2nJl_B7!32B?1wMrWpF)8TOTmYw z;4}Td9ZbMy`rtEtka_}APe6tg$dLNmu>=M(q(CAcNaO?grXb%G}#BkQS)$Yh}bC|BFT^ltX2mS*D0D*-BVx0oZZp^g7iJp!=R0`3KG+QFu zyTLIS6bgYt%ogS4ktP9NL|ji!A}o;xY8nWn3DKX5Kx&ihoQW!5x2j*a+SYKSx<6IZm}*BQ&K|0XMPQ+88YwEm zzg=s#*&KtGkwMJ;n(O?3*n1OrDBJdZe8`?;DMiU3OBAz@v1i}+HCilV-wmO?&?Xcj z*~(V75?TmRNVbq&n>9;GmLkjlo}TBKczWvXt?&E$zn}MWX_@=Juet9z=D3dIJkOc? 
z`Z&qMii#foa7#1-2}dF^a1;g∨u{gs!OO?cwW5KJ5?8Uv?qH5E5@|cOOq{Z=$1q35bPxsr(9(DRgx zm5H_@SIOa(8g?`B}O*T%uoK~Bdj zz|+p(is)dw^Z>S+fti)Tk&229w)6t|D3QM9PHb%83mfavfYT>)28F;b zU;~KZf5{7_zHZS@4`)!7uM^d4cpsPGX05RS*1V(YdEMKLuWYy7zF}ja+&=3!v&T-R z4AN~0j|IDc4Iqa9DKA_vvD{{K1!KLPtK^Bg#vVtdIZK@2sOjw60RQ{yU(1PK+~U(Z z(tbHKeKZem)eSBSNB~Lzb^tK}3Z{SrK*Aq66(|8H0Vv@Q27nTP5`YpY3;;U-J5a;` z>I7g1U;UWl z>_A}v*a6sqA_kBhfE|DxfE_3d06PFXP{aVT1F!?I1F!>y0bmDU2Z|U#b^vw&b^vyu zFaYcT>_8C%$PT~`zz)C;6b67DfE_4e0NDZ90oVc9fx-Z=1F!={3?MrII{-TXJ5U$^ zb^vyuhyi2=UB3s<*&`Mr?^twX|bq3R`kZRAE!7g9}h~a<93&t;UNtya_ ztZ~dQ24sY9V5}Dcw#K2VXV&_PCG7H?4{ADuUSFbIXFAP+w0x#r>0tnN0UJOJ|4Uv_ znauLZGUPoUC&4^f<-b_D)X7A2xAP%+6Rq9ITOKyfOehor4M)Jqn=&#I#sQv0xP-Z$ zjWf}f#3W(lYeV{SMAgIFjY-0g=;Pt*ZANB_OLY~lHisS`pT+s31gx^2`-`G zX6-;!{PR)i&qs~jOcE;oBsC+FHHk<*RSgX%zowy_9MfN~MLui}VL`#a{P$&$Jglhb z;SaY&5s+{s0t-iBFwm(;0vfuanzx6qC;7BLFn`&F5JO13t=)Y*t-XovwgF5MO3)Ey zqMws3QO(;L+Sh=SynTt}OKTI|9Y~IF98OLS{wF71OeiE41wli=cc2lHl5p}1lV1;R z>&8Sr3gJ@w@_>MQJ3tuFa0eggJ$%8e?7?Kf^p6B%pi@>5Oko28tYhut^7UX&K z65u!#@?QeNArLD75q=vG65@zJz~OLktRxZwgvLYeL6R}ykSI8ofDuO^pkphM>1r4m z|D7uw0=XO-lC0Mi=J~fZj=>NhXh_6zXc#VB71IHq8;si;8B!mo&{%K^`70A8`(f>X&ipnqqC~QIVhFw0F z5Js{o{&lRtA)tixHO3=V3>41b7y=Yte-hb>P>=lm zP!D+$noUVG8V|>yQGY>0kwY6^5{H3fFqoglwj$^we?RD>@pygA_t&;KL?;8>*#hD4K%fyWVWa5RQ& zjBi={Cu}RS0P6R%01}!pD5;a@4hfY&e?WsgfFa-@%c3Ep{?mN^6S5U~0QLKM00pTW zDiR5VFXiDM9zdbVc^*sF92DKYp#7WD{t4NNJb?N?$OA}nv_(Q69*~ky?nEL{1SndN zm4-w^Xc18EgeoG!Pas>72Ov-VZcbmOG$aZqjvzxrEteV+D*o|gaHyX^w;~syem@tW zkmRU_LlEE)u0ME#J`AGCVGWCeV4|>p5cf0KR^$TI@8^QAYQszZ#oJf45ugC~v#hPi z1*m1YK-I~W1bsY{P<4eqBr6kbJ?w~-kEmD#3VKI>eMt3>f6LRIyBYi8Q0djA^PUIG z)Y+N|k?~`4H+R9=8@I=tie}JaSo`^-Sn=C;x4KQHn(hPeFWfZ*?Eq-S*gSf6Z z=h4fNBu9LeB>s4~J4v@JJ_u2#iH?40$XM&j;BDBm%YIFJOYykgUOf+dIMa4vCd0Ttu5W-artpI>gtH)}2$uD>yHf1aU^tJ7<$r&sxRl#i!Y)@YyY=Ra&{rLFizQuk5)@XN@J z4cY57VK$*QJ+y@}8;e;}TB>M}jEPmJ?*<&9MY28It9yp=`iW+z<^kS;=Xz;Raq8*D z{rl{r3_0ePVs50r<>eR=z1oLK$_`(OF?xULoOZ`zj?%pR;lrO>KkqL)^!ae$;(X`O 
zP+3{*r>RbdaEXSD>h=r=J;f1?j^XLG!bq+7*m&C~Gy~e3U%nZh*2@@*7puN^xZmnP z!@am8mml0~iyswkIF}^9sruge_)Tbe2iLG$(r}+DY%^em^kUQrp;AGR+=P5_MWrgt)Pb9?-Ag@6qqs|-VZm3u{H}RG?eTRlJnouXG!Qqs7HwuY z&3VQxxW6ggdVOS@@;!#?I4UUe(%}VE3){qD^NG`a>18V1J!{(d#V%dl z%sF6_&mTxVK38gZ?94W?^@7ZkR^6)CCEqI=pe9#$A*``?G6TyclY5f`L(vY?8M|{9 zpRo9~zO0=e3n(^ns)VJTm1@n(j1KdeMIGv&AAZ_Ex5v+PC}4NWg<6)}tT)>u>Fy`HSl=7`L* zr`I_PrMvJ12^=-lS5Tr_MPe|8%j*h{K03Mboi#OoyM$MG_7&jO)pfklQvZn z)-cB4fIM0gQM1dpV*lBgxWxL&cQ_gS6OM3Xr@lx{_UZ@v3d#l2S8Ypf5eGIE-r3&# zP}5jZPC`{V@LKTp9>HP3(`QU*qXQ;oC(B0}tc(N7hvVJMt1_;MU|ZbRacn6yjrYPU zwDTCm?Sz+WsP652?k_RZf}1I3G-&p4yvSvG?8on z9`*b+4~V7~{P{~~cgb9YQAt_Rbx@TA3L3b2>kBeFm?- z-Su$9k)g`5_JKIZDy*AzuuqD`71eiA>3DVJnla5Ncpr28kdl{YL@uJDMYC2>Aaj;J zEMU{+Zf5Br2Od^Jevuea)^|ckF;OYoWi3Aci9x@^#c9{wSABTSn%!>q&RsXud*0{D z2fZm{nIV4VwGJ!^Io732RYjXEw4z>HzV3L^az(Z!eXKL*16#1iPUXZZ!j19~{`h_2 zoFAXHpVsAx?O-qoOddTRdf}4b=dAd|nsLkRda#nzqZeW6b^J`JtV}eDKK5*a19ER3 zoh!1(rtBS1VnAw!de@W0EcKT-1)}V--*B`{Bqxo8n)e+!6y8f9iGgg%Rn8Q?h2>5X3Uw&isqDc zx>%wAKmnF^^=KGOl!;G;FZGKILWfdWwI9dzMa6QI)R=LnDL)c9zrD~#xBg166n$Kg z^N9;mzO;|-OY&3QoU7FRlwIJqPf8`0_`#sEu3xm(hAmlbb-c>vdrc!3dkXVtl(@7I zQC`r4+8+;keEr*ksDqy-JUy*(Hcyo6*sfi%bP{nDx%W;9E;jr7nfW%Gez-5BeR1PWe!oYux7!r>STCH0In+El8bVD+ z{bpN`Ot5}3YY~Ukwl$cOQ~JHREea_`8qXAvdo3F;1r5lo)~aEPW>P!d=+{~l{BrLd zMysy1&x~&?GfIqz&^@t}sIG8JFw4|DrQdWk_oN^$?L*)OWpk74?gKA#3Op8X*Y+`< zE%kE3Zx(fyd`c!f<=SfnrYj13>;7=vOUc{O_r(g%Z7z(6dljp>b8Rg9R*#C!CpL?0 zDV#m##yE5|iQ{ftvh6u_Nta^b*9X0*GNy8Uc{VFy9@+0rc~jc#ai``2d~Wk#4{rP@ zvvvz9>tcHKo|YW{V;k^ss?r+NYwME*7RSNwjU!nI6|pDeNLS#f+?%yRqZ3{88Mt2toC6^W@hJ zE{Kv;>4xOZ zhltSn)HD`S%5M((Qc{yJp+H$uW~5h211}_SH9e zWmy>+H#>^#gC9*)d~C$cSekv%(qaDzR>5^y zo7KzW3h(u!vsB74cXWdMBIi$R@APJ~tH|6`cV?ega(_IvGt(Q!WH{@EUG{eW1obWh4P(tV?YlHa$+yb-U%9qpJ+H1Y`kYI}{_!wFl8c(aUKdPo zYD(Gpq<|~83JkF|WP1 zpY&%CSGu9Gz0B358d1o2`kmih;SgJu0T{u1U#?{7>PuU*$kFd}iGH8(F2uYZ9H6-D(T#J=$ms*B# z5bAo&)k{&vSKprBGj?s9B_Y5~&Zp}*Lx%7zR+eCVI!Nx?7*50zR(K$+b z_wMHQJvuFgjgT?IzMJYx;xn@H_(>bHHpRVs0-0gGsepyP2QeRp@dQL)no^V8$ 
z7t^(E$-+nX7%sC`!QK~L&0%z@gQDv*LuBX5FZyAixwJlii2vbyo3Io~IcGX%@_`ln zWXOR&{*2pGO_S|A#o2mGFB_N^&KLKPj$1_rWe#iQqcWp33mUSTiC#Pm$p-75vMGp( zz=I>wSiRRN?pGAfq$#jI2eZoXRdpNbx@7nw^5iX4Y;l{N3(ZGu?vrUQRUZrAESL$> z+#^LWH%i+lDdNK7X>{#;2Zxy}%ECA@ScMxp*bb$L51f%Z`8>xnXKmqV@13)S<{HeR z+Z;p#eIxu=_cFQmt9WTp?Vt+%81-5~hiY5UqEu?~aM!EOF;YQ%OsdP{&XoR;3uoLy zZWxE}UTZ3xj`8j8^fqtDk6gQK#B;^+!&WJi)`-Gp6_(FX2r@ERLn}qSQ3Q&_e}q1- zTH%f3B5f|&Z$)%$?(UN@+s&QWo=|ZzS6+gt=fu9ARYqAu4?ic%zrG%DKx2C5-2;)t zLh3bil~pD=h?6n_yr*){&Nzz@KggN|-fr*8uGJT;>87a*_S>XYI`%X??L()|S2 z1DAUE)~9JPY`c(arv4T+9LOA7$H`PcqwmF}PR>4phRyR%NC&K5E=JwMlR*Z2=8p_OXb*kpdH+ z2H#f3pm)K#_Z#ib@tYnl);)bLuq<`TwYE>|$OgX*qXW-M(dktCMYKAHZFIaOw{=bxuL?-$;e!_a1bbW?Xi(djkD-Eo@M_k{EIzqEEP zpF1JZyxpI-D?&JV*kDkyz#!0#RlbfbhNJY}OrYM8(WL&1^J^xbd!pOux=J#GR*jDj zu*mmcsIs~Fepu4Ap-K2=-KJq%mF@d08BAZU_GxlXn)p=W8d?XG&+Z%2+LeGZgunO4bob1|#X z*PRe$Vfs4nMsz!=A#aCoW%}AO$FwE}ld{AtiG-7iCca(!-zn^3c+oU-yD9Y59RBWH z^zihf0Kd{(mX@XNSl)xT4>H2;FyC9pWb(S&uiB%CS>oC3bFH;Uab58tYEw%gCdX3r zpS!kdP;aMY)3aI)rM-8tjb+CXYUi@^Eb?q3gdI$vfJ10dt5lKe<(*Jm2PCqAfecedzP8k;rXrV zoRko)9giO;rCH%dtR6l+e1hgm@3u1TBCd+v488WmkAu#P`N3Cb-kjZ_;y_cb8AI}{ zIrX5JkEO@&M9z!%s+tCt*GH&>WI0z&+=>`UWD9XC-kwQ2;`fZFo3GZIaXe&Cz3N5& z?R(GChCh(FXKTP=YnQZ%r7=9AU$*LlL87yu?ASO$ZB9CL{E)>fzKn`z3p`c(8@JaT zTDuX^I6|EtZ)%kSDf&AT@ar4e0(WHv8@o{qpEB;>D1)kaa9tzTrlLO78 zue8-uy_VM+rN6IvvhLBrSWedZHCf$#cMd;1f03oQ%5Bu0vG873Ug3VVl=Q4P1#Ktl z^HP01Iry}`EgKO$9~F*;!P5J-h(stpHe?`tsUwz9G?9g2B|2kvAv@p=QG?!=Cv|zH z6&|3rjKK0VkBq@)%f?}Os*C4&;OXz6jot*djR;@WnX8NA z$*UfT6ALW66WlNK+tNQy)1mh}{Y=j9==^IQco?r+^=t>#hjJ-}QprPJa|4fr#V%cn znjDsX9%Wmz_0U4i)XY?^MjqkaK+7EY+YXsSpFXr=j`)8ZoEnRcdoeH79e;BF_>uY7 zmpl9KFODB6O-fvtyo{GGT^L*lmoH05JT%>1_98=m@$F}i($9-L7*%)ncnc22QwzSW zPVN5Z>gotKIL{E;;d4f#g4K!*LzCt=D*^?~j#j<6dGaKxV-pqCdttk4-T^QDSfUM5K9VK)c)PChRHP8s?vzcj#{~8~YH5@& zdpWMcP@4Ms@Y>mjJ8&cWHq#~J-hb+UVmr7lS}4@piq}Tziur55nY)Ba8gvF#c!#&E z$ibA&w~MZYrr=n2`z4~4UeNM>ept0BxarvF`G?XXyeLx?!>HLnh>NMK`|PP4z7e(L 
zQsfg4k&l~iTfQ;8Qnay>$w8Uq(6mOmDOf3hcTTC3b?%L#LgA@aedo3C!{=1Z-ZFJN z@DA^|n?Z`1IO(H6ZTq0d!9X&gkhfKznu>wtSv2<4I0IGm(|4BaQ){9=5OZvfKR7+1 ze{VV?-!xp!?2e(?gzF)tSH1hP6IDK-`^TfQJNir{1)BF8P`6XBDfSV%np*oF+1DO= z{nLV&r}4dy1IBweGXuHmk1>1G2dwVhwXpV(GvnHSS_Xpt<}Sv!>ukQPpJ9?PbFzb0 zra<31N-{~P6P+9!Nze`o39V-FaP{yu^0c;vR_QEX)uQM`^3f-HD|xtidbpFf#n579A+l)ky56pr|48M2 zgZHYux7vpa^ zwTQShVbK)v^|`;cMHf33)-VxmX0l*B*^|Z<_Ll2pzL>v7L2<>)jESJeGYz3ff9=9w z&%#vO`RxzQEV?n0kvJeyx8Jc&_L5~qecB7o1^G~+gQg_Auh0FpEvj^Bf&BYKlhz|9 zG9S08+7_!?k3D(8=_daE&hWf7x;H-s{%aThde$0bCr?73Xl~Zr^`U#3Xr3ATdd7y#wd3Oc^K1InlGQnO+Jlus+@`0frU zpT0}YiUCkQt)Sz(JD_~}E;Y*sK>4(sjqh)R^6C5BEFS^o({eVxzYWT#?{l+!1e8z9 z+4%l8D4)L1&GHdYJ}qbC``e&=`aUE(MpnUofJCrd{K2fOn;RYz5en<~x5R^|8 zDt@>D%BLUFLm33+6NQQ&Zh-RXhxAYeLHR_X;)ffceEK0he+`22=`SXJ{0PdYAM^9q zC@7!)V&cb-pnUoF0O?<>36xJi#}g=@evT(lKK&F=pnUo%nn3yVb2NeS=_h#t<PoRAIDVjj}^m8#!`C_tF-UG4K2I z)@pq@`1@bLz(Z~SzE5EdeP^H^5Xjxe4UG$$c%H8OwQ46ee6W_zn7tmm1T#Gt=FTs$ zpyi*RH(z{vMjD^jSrS%1=I3FXe}Lz5$JmQ%dvFjC^4}?jg6f3ufu_#7er>(EoDssQ z%7rDENl%;nSZ(E*w`zJ@B>GcPF9MGwjacqT%$Qv)>A*_#dy{64Xn&SZ>0H>-_-5va zTK=4DQq$OCxWm)|a1apkUnmBrvqp0PGIJ+q#Lv_XIxjB4uDukOAG@oy3Mn3oT!Qhu zw-=J%ZHtx7FHY=y-e~{s0N$swII+HG#(gM%zwG6EW8fel&8Sr3c*tQ@_>MQJ3tuFa0egg zEqsBj?7?Kf^pE_api@@xOCbXStYhut^7U5E?b@&&zRQIeAz1+5aS5k?5^wn1*N4Vpqq<-;IUr%GG zEl)EFtUPP#I^Eh;X5Os0o=IbRkmDfMF%v63Xxvf*FbWQze(1yTi41yL15RS;D{0RRdBP^*Gk_19|2WoLm} z6@07$AFIGO0N@({@C^X?vI=}z1-`5T->ZV}RhJdWzqAQ%0f1Wo;1&S5TLtb`fg7vf z#wxh63f2ICH2`1@z%P~3%TEH!Rlsr;u(ArQtO6^mz#>4f2oS7SB`*R7YXFv4NWZiV z)&PJt0ALLOSOWmo0Dv_BU=09R0|3?lfHeSM4Ztsz(#uW)YXHC+0I&uCtN{RP0Kggm zum%9E0RU?Nz#0Is24Go%{A-(F4FFgJ0M-D2H2`1@09XS6)&PJt0ALLO_?=bY*Q@SUbvz)?0!Vv;+j0xEL4iQrA<#5aW1z4L8I!1<51R(XuJ^ z$V+dxIE6MkPHNj9P>ZugcgeJHB{mJl*3E=tsvHUez>@$4Kn1`E|BbPrQOEhk4by9V zf`Z$dE{fc(o{_)torW-&f8AH)|5-yAG`ac7pWR}dt19gOf#!yHC>Oa^K z22JkYLhc9yHB5n%Uzq%Q|GFa#8vgx`FxbBn{3{({$g}kKjxe~tU-(~kguyQF2t&aB z2Rp*x(MZDovyLzl42~;0!chIy@P+&x5EU&w^(s1YM;IY;M;JP4a>tmzo&j})!5Dhc 
zu4h}vNk_xJ(*TM3+70Ftmtbhq1pT|TDwFGL5f>$N6K^A>0y`cJkJ@r%PR7=5c%7(T!^?I!QO;avkGa}nLD<^RG{d00(3@7IDX(KKO;z-IY8!cE zH}36^7``Q#E~0#E?)8ZacAL&m-!Iy;^>;4$GFaX3rp#nq(AO;`?3Ijk46e>Vu0Ac`QpfCW$K%oLe1|S9?1_}c}3=}FrWB_6S zVxTYp#6Y0}LG zFaX3rp#nq(AO;`?3Ijk46e>Vu0Ac`QpfCW$K%oLe1|S9?1_}c}3=}FrWB_6SVxTYp z#6Y0}L9s|NJiw`!@7pWIPK&^m`e(CPN-v3&BRs1sZZ!zG@{m~ zM~d+32?3@~igFpKa!S ze0}YVaK4d9V!ig&16b7Qv1d=fE?@(Q;eW#my#2=EpEty})Z-T`YroSk4gasZZv8*& zmxd$vOCz@d`=d3OgrcH{Kim>Ufcm8&uu#7=47s5i0`VX0mxiVEOCvxp2)!`*_5O9g zG~5sRrAhvs;9u#NMxLd=_e&%E{lYul-91Q55=Oo@qySGMTteH)-Gxa)6^>z&Q1tM& zBYMLv$<5%%{23B$NpMRHPEs6?LEvz3JQ696K%k)}aTo$p9ECxk;CK{T9FK(#K~GmE z`jFrf);2cYdyVx}pqC(d``VK9t-XovBsda>LPFi`i0*bCHqJ~a=;Yr9hQeYYU|1vp zjzi=A1ct(6#4!X61QCaUVE+R$BcpGTp;jP6{x&i+4hJDaNurk_LrW4M%1~&`cai-Q zXXq8k$hsrbCnF3<{3MLW$rHWRMRa(-I)CP$Kvin5u^UxA7LeA`@VLKNCojDU-zG32+n? zW&hv|i6C<(i6TJQ5U8IfZAB`8l<~V!4RR-0S>#Tx6lhS&630Wq10wRDk^M7kD{{e? z8szr^E)q$ePe~LMJ&=-+GjUjQ>sJKi2@Dj0p)K+xL&qpmTj7L%@B(^8O2GbpO28u_ zfCL0Y6cPg^2Qok`90{d(C|yYspqc^!O*Z-9SBOeRdzJL`#gXDj0hFq`wU6UBjzzCX z57^&N4=BVJK#)(N0`w2cpt2A}j>1?-l1L~L{sEnW@{4DU)OUW1ZAF5B(%$dN?<+Q_ zV*7)u<kCKz_GN)qI;+wKB(*P zrnWobzvDsU3ybdJV_U1w%;y` z{C#_OA01e%A80>osA`VTnq7S@`zGImmVcKW#DF_vq#C#SUn zJ~k%D=WD8`mIm*96uh)_LrW!+J2s3CFWsbBiy70~z;XMghs4Xo z2L}TV9Ai~xFb$b|zlmooV9~c4q>EoFpCXIYY;{ z+T5yaY&!)Q>XfuzV@5h0j$Qo#f4~)I!&kl~d;U;~(yjKGBU_O$ezTi6^d36xyUOzw z)F|`Uj4j%SxY7oow=t|_Cuy#>{m8@`81*6Qp%`^twWU?jk_)|?JTJs0aV=V+?t6$b zt5ryRqD`GtELs&JeT^AE#hA7$s`=U4N8*Wu#cf_zOsknp8of>^79Cyv`1o*C-)-+6 zwe@SA4Nx;mo7WCrmwa*ev;AJv(@zX`)wA|!sD~5@@g<+{*ny2?eR?g(>k9P18q}hk zD#~}hlCI^1h4M_$v3?gZ$r}>I?6-wa6|)zwf6KF`Lts!=DX5ZEH{OLW?*i>v48S@@%(V_qk4A=%b0l%)SJ7 zROZ;u?$4Io*xfcLQ>g%@Qx?|iR1KSiZEf+o{=+SHVkF*kJ!2|I1n_UvlpGn(>12TtMp)QGMA&2)SQ*3qM~28Z%TLNq)xCQ9!vHAtE7c$@Do zKRN^bSLpsRL0R@d{>+_H&mx5b$mbhI+-Aym&^u?`x!AWqxtsU)E8E?5OF35Ym}Uu& zX0;rzfI~>-I@aUoSXo(mY|{;A9XDj>afueD2=h1( zO+GyvJpX#p&|V2OgkZRtj%hYq#qO_1P9>ozrL(iB6<)ZXf14bfEM`$HkZD7Vc{=G31VKtx+2JoE8=G 
zqVZ6>mwWeqjN#R2_NkcKtfkWA>89dd{ur|(drKcnSaVDIZD~#p@y#r2c>JwTw6++)o&dvKZsR2|G7z5Di-6XfNOx>Lvhp-tQlDu=uw`jygmd!LG+hI{Wf#sT&@Fsq)9^myHwC@9=PU|! zkR1IR3$;fYUzK7i8#gx|d*+)YeSfuA*<$VUL?xrnD_r9oUbN~~`waNmWNvs>WH*Iv z%8ANXm34`S+qKg0WeG7H5}({Wd|_hGz6efflP7dtF{ycPM5!w`((}{MBhQ=24L(|k zIN+D-e5M|^qm$KzHZAwfrQp4%1C7rb`90Fwd;im_oY6kTu%2oo6;_uOvelqUNBn@2RzCHIAQ_qO%vcnWPz%H{r%x z7n9g`qit2%L8b~5hqvhSW82U)*Mif{2OluYiraUez8tOc`n2ld&64tYFUGB3N9*Tp zCxpFdM0Qs^rcN^2H?Az|h?|!6wD5m*E8f--B{5r|iH<{ZJ% zo3Z4%4l3LGy&qStjyl}Du`k*>B>{6h9^1e=*QZU~8deahggsEkrY3qfS$1C$A;K?6 zq2m#({v#E)(W48w%I$7}yc>;p)JxwNXm^Ds;+(a)-RiQD+T1%DxSyvs)w6n|gL;^+ zG}^TNGs?pjuq zJn`~Axz2ge&;@;a@}wi~^>N$$g1V%hn-#rp*B6bTuk4%+s!41zd2y>M+V~pW;ap(b zo9c6L>o&=q49{rz^f`hOPa~SV2i(G*+#lvz9-vJ#{c-IN+VoduXqEQEhCFSmYHAYcDpJ$+ECk zrq1j9mZ+N@+M-!47i5Gc*ETa~1V3KK4x8cu z)thSl8!R~Rsux=}rg2$Z1JfoST^2q+-Vm(<&pKq&vqwALG+VPTkRWzZCxkqe z!si(BtGE;cLn0FSrnG~+w%SFnck&7n`*i)00#B<)4$Fiqlb>xJ`h-zPP5Z4%BYXC` z#}`o_2Ny2)hecT|6doeox^wvT)DxciCr=KTjz{G+AL?LJ((MU~QAn#ltQX-CtH$x} zcI|GNcb$2m_QEjKOoRX#6b?Z>|UydWyGm+Iyy zUSL0Gt?P{P!TDHi+I0(uuj%m#U2aa$^eZdgI2yH2vSuyM!Kv6W_0K!n55GqwXn6*R z7rd5P%&%wnSoM^@FiiDo_oCcr!HQLmi<2-I@`f6hJ2NSn8 z^4bsSGd_0?WsOCIkJMPfPbiFZRVsZ)KbJIH=i z&*D-%5`R53p|D;{%>@~zcE5tHJ^Z43p<+8Fhu9|u<4z5Rr9snqV-$2HfvLv$iHUkzuNed_o5!@Hr^c|j@pab20*5jew0 z=`-HC<_cYIyeIa>lo@rtzD@V2oN-si7%oZkI!3Kn-bzaGqa(ImlB==6$L{3tZHF|f z1FCQIYBEez{|NobzT3X11Lb%_|U>i=-7v?-F7(^GapRK!-5ydVb?kf&FES zt6{D0hdJ1b+=d$`l$(YMTW5mrx0f~M-8eN=Te`XQhH^|$bpE?D&F;co^OEgzFce40 zF2(4In)+L~Bjx*P-Q1cd*n0Mr)a<&$b=FHUZO#1yT(#S=&*q}~Hy-AkS30@N_j-!F z99_RsS{K2QbT01VnNwZT%2zFVAMbuwx?2);yU5*!blUIp=a0{_o9eh9rZ&CG_6mte z;IngJI3zT=*#o*`A-1|bs+wnuoaiPO%Nd~wr2MY*yEBnypYCzO6K=^AK4{`KT|KbNo4tmyG|vZ4$K&e113Dl?55!> zOsGHaA(F)zW+nEnx@w}L!r=0yf?zMp2O8Zp8w7L{r@WkSe$dbsH>cDX6OJs@H zge3ZwVO;4wHIm^2UTyZA6#U+P&1U=R@%7EobHy7hJsh3iS8-7A%FAmAD&A z2+9cdtskCvGDP?Uiq~RR#Ja z9AjglQut_uRiqyp-OO(gsxa^&XZXB7jp0s35xA&&bxfMd8uQsJ7nApYvKO@-ml&mw zYSnsqo}F~wQa<%+(rtAmR8Q~vUM+e0t|wfk`R5p211~qJ2o;g0B9D)>$fl*iPi)y% 
zZ_dv+kmiu!dNBI*jdSDP!-4{3FKhI9u1DSu<=F5fG*Gz2_d-IvgEwg|qNdGBSI{%V z_R@OmT2yWhiEU1A=uXG0rd++WyXDjGtPi+GDet6zh`;Q*<$fn!v9rK};hARYNtFo! zVP}%hRe~kVA^ybex7P#O3L-WHVXm3K7QWYg|B3KZdZ%5g@!{tztxbnsb#50(WPO9` z60=M}>*eUebHr|KwrZDM|Kx(}{(L93cWQQHXRg~nJk&LrpzbiAdqZ}ltXtI)|FP^S zXVyCxspHwrc?XPNy}2qwNZ{5KyrBG{$w8$fr8|9MR3Mb)#^(ssOZIky{$o2YZ=th3 z1Y`Tm658DE+R}tb%Z(O&8Q)s3oZC`bvgu}S$yjFAV!d*EXRDBQ{(h@8{e3*8vOynI zyxlwEJBR}9TFknwCl6)RrB{X3R14qmZtuR> zEB#eeh@#IQa4McOEmec(b;70@GDEfH4HV0npGLB#gi z?V1BN^~}Wi@rcN6VIx9(wvW%Kxt=g#TGgq^5EN6JL?bdp(s}(GLcEq;} z#08p4(cNmSN^z*G^*7hePhCrUNi~v@ECRRCF|FK7rRjmcbxoU7S8lz)y~L-QB1ywN zl2>g!JA8DJrI~f@Py7p~ZW&0uGBj4}?KRc!wXx72qV5r@Q7MTyu}%33cYD0*-dx*Y zj=+=FA$d{9YtNU6@NHcfL6zhkS+!f}$zj{M!eoP#%NTB~OFW;QJwqp#Vp5IF$(R}I z>1;RO=jm71z7ZJrF3^Ix$_!q;IV!(}8an`g)6xE^q1`+UR~oW!i8WaJI^IF37s%E$6vca4m`QIf*f@ubOI5FZw@Z+3%# z^t1k|CiA)T1<}y)wkB56TStc5ei$09%HS{ol&g%+JX=kL8CRfQB=;r9XDqR-c~@fZ znxw{>oAzIV|COm#(6%RiPsl%Sp_>w4eLLE$;I4 zT_X8~cHF0?l&)pAn;0KxplfaGOzx7}MBX%+KcwzXiU{BiD$FR4j=9c*7_APm@w>%e zIp(C2Xt4*UW1k|nGj_*~AY1nkk^8!i>|&9@2^({tyUpRdjPfPU4d=iqmkZay)I zs%#pqAbD0t6wq`)*+ zE9bd=MT%G5{at$U35lXd+>#&GYCj1U#E;!e$vPF9(Eg6iIpMywp-Y$X@O-Ac)FE>x zthxFSo=>;3yPOuN%-g$bmJNeOU0`$*KzqbOn z%FkLt#LIe9)ZLqFG_5*TYg(B*JP@Da^0bf{aY9A&TAx@~g~457&ULiy+Yk=* zLbW}Cf~$R&&L2Evr)c*=S?D}(*5lLA3y3Wf&RJK_0~bJU@w94 zvfp$`GXI=*eCKKCpQ_M#?Mpcg+5C|mj|CsP3Pj@AH{hUA(GjbI^?U3LYs#m}-6!`# z=Ck?Jd?fZu9S=j(15kVSr@1|`f4Qf$WIph`mQ2*qtu6{jR7jD3esg?*^WwGcnc>Cy zPcdx*Rrv82OOqMA>=ic_$B!Jg+B4t2R(@&n?b`9B+1l=b%Kb}o-Jcoe@9-Y^^f`R| zlX1`0)SE(V=}XpPU6(HlU+|k~);x`$svUDXCbOg3sK>G7SX;81M@P%ns5V#D%lDJ~6wsMto2(>&?dDHY zE2wDNm=ZEkcd~%{bfZyb7sr!mo~Dt4Ps~Hs?sQe&+83^rWC}ZJvhK8exD9=f9q%c0 z#(%a}V*Expzj5)+8QV86J8ajk3T;`V#Or_9b4p;p)U))ay6PFvXRWMRc}cS4x@u=G z>1|G$7)Z&j3iTEkVeviqX4OeMJ%hLnFK9hrH}*Yq++r*39e2VrGVgeDwnvqltA(2F z(3+dln9Wse4?FxtJd}nBZ|{Vpa(DIencD8$?CtmX0bkL5vGIq8&2T}7NC8S}k8;KC zr~T_|ztb~VI++k~jV;H$(eMu1Y)ULUi?I!sqQZ%6I2vx8eOD;cQ1C)g`gAvx^1JZWc=4nn=hvudt1Bv z*n4=p!J!NOc^e0fMd6?u-S9s#FLf-vg0X6R$fUCqqG%*4vF 
zhJ~Gtm1Cm__eM_6jYt7O9uXI`^kr3i+uplyxNAh^cM&=j*i`%YAY| z3(0poNBJ3-R$tm(hMu9)w7b+vE4X*M+JQ~L;eT2LWh%ZqiSmK3J6TvK4RYSQyiFP+ z^UIB{I{e7cn%Bp6`qtfjhBf9+WfNM_0{$j~l}C0o@SfkK>3w=YrX@6=#(pVy`>&<3 zFJ?mPI7?G|bnr>NT=jTG`}|>4zF@1D{rycM`Fl^%XKftw48AYmuj@biO=7Vdj81jD zfvxM$ZD7|EZB6BJ&gR-rY`mCf?zOjssdY)>@s;7b7JKPW=V1!vz1}-!T*=8-pSq?M z(_44K+r)t$x7^V9&D6z{JzB5seL8ZnuM{etN~YeGnFl}U4uTKyeTtwazR%{1JwQ%h z!1%!?kkb#~eBK4*^qIwvwt$>|L}zv%kkc%RA8r6S{SeQmoj^{XNc{K}$mz#?{@x4Z zv>;3{Ag2X!0&-dqCLpJUVFGem7$*>&7Q_k2X+fAkbXpiDAg6_K0?}zfoPeAbgb75a zg<%46S{Nq~ofgCi$Z0{CKy+FdCLpJUaRSk4L7ae`7K8~zr-fkxa#|QC5SeGWX+fNToEC%$M5l#e0&-dyClH+$#0ki0L6|^vS{NoEr-g9>(P=@P zfSeYD2}GxbVFGem7$*>&7Q_k2X+fAkbXpiDAg6_K0?}zfoPeAbgb75ag<%46S{Nq~ zofgCi$Z0{CKy+FdCLpJUaRSk4L7ae`7K8~zr-fkxa#|QC5SeGWX+fNToEC%$M5l#e0&-dyClH+$#0ki0L6|^vS{NoEr-g9>(P=@PfSeYD2}Gxb zVFGem7$*>&7Q_k2X+fAkbXpiDAg6_K0?}zfoPeAbgb75ag<%46S{Nq~ofgCi$Z0{C zKy+FdCLpJUaRSk4L7ae`7K8~zr-fkxa#|QC5SHn>q#%EwBR6WziM(%^3`}eD} zuTHPY$(wjCOxfZ2C5A`t)F7(n!(>jbC9rw9fOkBPtx1 zygaYXz`9!tQv*+oj)u$n*=Q!J$@*cJyl7Y#1vUYP|9KItV@}+mKUgpMB*Ec!%V=k> zam^0xoA*_0^P_BgRncvU>ir3iH(m0vdR@^LRkY3Uddrek@UR zad)B<)h2qlc)42=J>bxxn(i)^Iz&&nv8blJB3x9L=<5j=-Rfj+LzMmdRqpTCttND$ z3cj97I-cg9MAE5BXgC_Wr?#Xd-KTqziVaaHtQh>`e;;>}cFW4T_`;1*cmfn=!Vcc(*59;PIRPF$S$RiF9^81 z4P*lvZsP%chL1MOyU=OTeG@PeI%N*vSsIYRYUUmepFala-N#R%>g8nT?BZeP3E8X! 
zLHSrq5HZN|&ozho`oi;T?qiM6i5l2hL7x?cM5E|Lw-D`YY(3#9G>!oAadC8U*Ksws zgzEiEPO^5M9-2gVITt5a7iXfgCmcFf(azD6=nfqxrz=mibg?4-efme@){sQth*_*C zJc2;@Om?Pu<|&L>S#hf(jEoEhBZL0HW?Er#FlKs&r3`e;OBt6gV_|0H6y)aQ;NV2A z;pY_;M{kx8Llf}QTeho9%Nr=*37Sq?2BsD^wls_pHi73*@L<1~*zv_V;K3ez zQvzQ-!FTyDLc*dpL2?9Sn?SY+r0*6LJU*WUk|Q8F0+J&jIr2FoENTlRM?i7}Bu7AU zWKqH6^GP5%0+J&jIRcU+pCiKJwm@Xr0?84O90AD@kQ|u}2#ebQ z$q|qo0m%`N99dlSm^}+5M?i7}Bu7AUWHulyaswnsKym~mM?i99k>TUhX&^ZQk|Q8F z0+J)2;=v+cL2?8nM?i7}Bu5q*K0ciWk|Q8F0+J&jIr1qUEcO*7M?i7}Bu7AUWU=w% z@AE)%1SCg5as(ttelv`K2k|Q8F0+J&jIr5uf1SCg5a-@xal4iJLXtTydN#|7d4(XAVGT<*D00_(>AW?Ep ze+Kq?Le)LEe!8TR?_n%@`FQ7H(dj$iSxAhusMnlzuI4XC^-nD%hC`9o%p$Fi_1BtN ze=j74Mj+t?(z;$4G_(d8l0f)_3yGmgcPA|*2CcINC*7EIzn?B72HE`mg~Tvl176HR zVt+5aHfJF*?AI5bUvpnAB!>NRAu$5(&n+Ydk;9<=v4zC6X>I>rNQ~#Ng~YyGN{oz( zhMa|#*U!LCC_EpT_7CpW-NRRS(TJESED&eVE7W}cmSOOCXi1ooA>XpY z7bW?5&2}n_-yDnf+C3!LNAX;%k>+-C78BSFumCyyE8SqJO|DjW$w=s1eBav3DRFkh zAf5@k8CaS&BEZ;uI{564e2o>6%+r3st>!6R9w{Ys##ap^te>zoki z-FR}@NT%kxU>j2yVxC3y9SpvWvfIG~J z0kjUl9e_IkcbFvr+yS`5tQbJ+0Neq%18|2~0>B-BJIsm!v<|=>fI9$pm?Z$*0l34g z7(nX)+yS@)aEDm}z#V`)%!&cD4!|9NI{B>>z3xWlX%KkxU>j2yVxC3y9SpvWvfIG~J0kjUl9e_IkcbFvr+yS`5 ztQbJ+0Neq%18|2~0>B-BJIsm!v<|=>fI9$pm?Z$*0l34g7(nX)+yS@)aEDm}|A;$m z%$w4A?u)aI)9X6p{Bo7V%9Dp8xU;HROjL*O_K4@P)w#WKl%=Ik|iO540@Gl>8 z7Pr0sJIe;+e!lqZKelWzmb7dzX*JwA%Lb#wpk;#*cxc&R3~AY5G4vl?HW)j*Y%l=_ zC*7EIzn?D~jQzo~!T7HMFJ{?bQZ4-jh3ITWTICr6Mfm!{GS1E}o^+x*UKXByu0*(~ zs-3d~ov0!lLnkWh;%-HBhZ~dDL`FdTw279UaAPzID}oUtt&ogI5=5{FG#*+j8H*5s z7HCG|;CM7r1cgQ8QPA=7L=R86sJVrOyQ$(VDWIA80w>Gq!pz9GEGre(^P(|uBn2dt_X6zdB`u# z!;>h?St|RN$>EVAVq#(lXuW70l0*rQMZ%GgQFsgv+QOkQA_xRjHf!E|i=b7N>1OK^ zkNj!hhK`Bm(`>3bZP&gzC2Z#Pa;>U|2P;d<75eOty@U?A<^J^48$F_NG(J$ME!a!Aq z!D8WPNM87lmZ5M6$XBrlF*sTbFM?g5VT3t`&5Pl`ZWtC1)g2azf&wi5lVx~3RL2-R zR0b(+p_YlwvF!I70VIK>Djc5Fwn8@k#SDQYg)%f`85*(B%EZoT10c8m-2j3?q98s< z0#uu`mSLbKOH2%jg&L}FTc)WwPi5FS(Vy`9(H{x9Borf%80Z-Rhk|Mj3%Mi;O)A9V zpe;P)u{fw~)&WdCP3JdC*f~uA;Xlv>d^QUyhJ~t)WEK)lYBce93<{1ykd*hOU4I9S 
z`HqR5(-;tbzcKg%8L6fE8W~ayvT}}T5Hi&Knw--D5PrV}K$9LMFenrOjzmIjHj;ox z6QBS_iWo@f>F;AyBbkMrt;+8so6`gk{sT?G7u5+p4PpN>?z7C0P&*Gj1wt0j8V5l` z&xbar0f4;ecl{EHCbdm?JSlLYKS4ucNhI-T92|p%R5r(~?=zbd|Di|jS<@8l96g~2 zR#8Pqb5Ei?(bC0=NGGaFbhh!dg=3-T97##Iho?Ky+=rc+1aQcrw#GI2}4HZYX-%c}a^8^;S=1aKQ_t;hsxAE@QYD6EF369iwBu4K73J~aOgd1i9e1hwaaB?9lc_GB`|2(yG;KKeicunOip4n< zIG=~GCD3ttK9gL#YP#nXaq3O)-J*3Jr{7i`nW^G?U^l%-Qdsg}MLLGCN`vLbmdWHug5dr*PMS1? z%9BWPK0BFVnbP#zCdYj*d8@MdCGO{6`NUXxdu6p?xQK{Uu(o?1o7@_Fc;%@r7F?K= z<0H8Ww2a44+~Lx^YL}GysKTfOP996Fc@W_y%JleT!x`iS#@2n0A}`5#Sa_ewtz$aP zRdV^<9`UYw+J>~nx1RF8Enm;GDagREY>=*ck{YEbT?co_mCHT6hdumZJXgz=1C_@u z&%dZ_KSrmBawC(Kt=ZsYpduftZlrc2RR7q)9-}QY#cNXQtMh z62okd&CH~^#B4?wp>n-iuJ|5!#j)IWNW|qq@T5h)Y1U|7VN3bTU7iO;QUb-DrUS{<+|e$4Yc_n^zBtI^R< zI`*d7a%{g|xh^ki<~1r#Nk~?~b$c1m4soH1VnJ3^{zcOd$nBHN^vSeC&b)0Wa*D_D zQCm=7&}4O!Sqq7A`10Eg_YGrX3)V|N^j({}QS-iLO#-tX+=+f|^?v)Q8y5~J7n$vR zOP?JQ)>z?p`O?0NllSkwkk;I=cDYsd`qPRZo>NM>;0`)k}+ zYN)5*-D!(bimuQ6k*=x*`jY?p1H~(04U<%>4<}rN`>w&6^m*1JaHa#J=FTVGiznAqmPwO{!W_akVUix^5x?aVLwaOs)p zAMkvRdgUD}bKy!j>@?%9f{3bS4d)jx3X-s>Q89WMqfYB_x0z|FMBaqamIDUt)$(ZEHK~g zcbgB~BW`l<^YHePRHK?hGh-)OK7+cxhS67*BD%pAdw}!K}6^(+xB#g6?Nl9recNH zPNIw7MO!@ISmgWkAQyYu`-_!p#U#hYERQ0XWF^Nvyb{Sjypy1{FMH`)g?<=z&c={N zcvs-P_~FOn?K!SdVur3*bwW=_Y^z69(uNfp9+GQCxZ%eunG{l==DNOjG-haFb3*dg zUXETSb>2cm-O+T%6d{_g22a4XSm`XI8KoDN!)*_Ry~;~^Gadjtoi-VWRfVN8ZmDXB ztKM$W)+nsl{BV0~xW42yW^Tt?r@qFgYdQO|gv*f^DK-)#>odB9aHOCy88IQ!CgKK;;y9yV?#>MYELOR zZr} zoX)1#z2fh175U0lIt)%-c0M^aG**9P#(!k0JbYP<)c6K!!^Ek$nBr{$o4upmA5$R5 zq7ZijR?+fUt?hDu6*7*#M589*q0aK&U8@^Th8cZU<&|c%8eQvW{qD6Og25kUz0T52 zg2N7lD^)0?JXsrZAVq@HHA7;@K9v{Fw549fXXERR;PS%m3f{<@$WL4S#P7+i43z1_ z6h}t#kwQKl}-55%f zTd^NDV$=6VIvNVZXZz_J#yHq>o-=g0x`9{hn7KVB^}V7E(p^>E_t|rPzHK?%8}lA+ z?P=6W8&NEJ-mA4SiJw4mVd%V5;?-+AwEflMyO=VepB-*Kj#vw(vWSptOtg0QZod^2 z*b-UXaX$7#9#yVVt9OZzU-MPs3Hq2bCg-=sy<|LScKuA9YfGDN<*w0#VS9XSSKBy5 z$8VKO>}uXyUIA|!Dh~}p-Mbsm`7tDrK34IO=3}q?)|C1RjOOjpV|{r+P;911kXg^= 
zCGJSfjn)gU-ueY?drh3i3-^VYh?os3xG@Z0=}^^)z4gA7YrD`bY<`0C;be>LXpOK| z6&cegvl^@-9+u!@px`4rYRKYQ%cGjAL6^(<84Z1iIDdap`cvh@z3xQ?JvTABJ#v+6OKz z0UI=;4o#bkj>THpzdFsXP^R>{C!K9I?GxoYXYdaZJea&v1ebg~V-53JF4-g|Avq0( z3oA5J3AU~uhmE1{F3AVpvvL)CG?^_+EBqn%DaK9~aw!U7)6;)yCzD~XBnnje)=#oi&Wu*0n2EJ?im1Ky8 z3i@ZQM+|x{4eqU4`eA%&VLA`@Gw;^{(Yrj~@lo~0wz)b+9q?H(`N5ZeZ16>5ftaBl zPutc@ZwrX|sQqoRX>rf1JKM853}3pO>E6FzHjV0>%B4&ihuA3NP3yNNiuJU_GI52L zv8`d3R}Af=MsmN4D%EA?T3W+=>*MDvTg#9&TqACO`Q>Q#c(LUvQ6o=fp#*;~xC}x2 znXZ+CR_Cj>;-DSFA`Wk{#rO=V_vhT%xcb+$q0b!`&v9DYm>~1`B;D-aKu_9;hD!Sz zOJuI;7-tL!v%XGZzqWCA%XnS=^UYW3M?7TF;uii@Q)%a?{FNv=GzXY`6h*yz;TKtp z25W5j6|W8UDr>}+ah`0CnR=MNYC^;d-`U(bdhUSRxT4t+oM0!>=NZeeOKg;m(?GEp zT)cOgP)UWdr$b;R5Aj%zHD8a6-PFOpV z+D{P?9a+k1NRwb+0f#tK#NJi%96Wg~9MihL@*IxbOQ@2wTBB zdMx1`?1w}sn)-qn8acv6-YV`m^spKoK@}s=MV~miIpwbH^=pmOluetQtGAyJDWmF- zQP}%}XVUYUiB0Yq`Lsj6DVs9J8#9^GDX+V2NvjH6%Cn=_lL=vQ_q}INBb1yBS!36` z{>|WPZ>eXkj%`+oLtZn^=4Cm@@6pq*jgZ|Iyy4y%&z=iw5*qxQ@+?`akXr@>F-wZD;d(F4TU zSN#o?*L5}`M=qG|NE ze9Y>L!lkF{r_yk7>mPO+A1->pyXW2Q@zysCef!Y(s3LzJJ*nRIf~Hg*^!g1~*$V`& z?#m0ZlrGB+SoIj5$a45)0)f3STXY~eI^cS>*XdL12lsCaP=jFut}0Z2=+)5co|eou zxI9YB00oS7C9GMsvGy|g0Y{FtVec5S?K62Dk5oCk`5JZM=0QZNHru{*6`dE6)85g` z+bSPMZo0Ew{;`{y=G9FIab-Iu6}L@{T-V*sj7FsO9(6;!w&q#d^4Kh%VYpSaJQTf0 zQpnLIPo2gWa1J>jj$9xM)^b5NqXov@J#DBBAK}M*Ln7x z16umkPfhfzZ<79vbeXEf+%~(B-|<4byeQ6os9Pj;$9{zy1!}9^H(fQWAj996KYOJP z9;v)FXNxqx{eZ4l=h-a|{C5@Tinr1nesMnYe9_Lh-9bu*#eRakRi8DmT#wH;;Fxt9Pb|$u{rWAYe?dYhL`>K&U<`TAKHleJ0B-d!~8+=KB7|lf&vG>W2Y=T2c?qqvc0#!{0yA#tc zMt{?6v!@rfnNz&ZWM_~#uaEFG$iBFH^bsBPO5F{d#hLmDR|Dt>nf#E_Kql#su$3?# zRnv>jL94Z&i^pzB?7GBX)&7RHVoWh?%M<=bt1CJPYb(ikL=}3ZhfSina9pLwFkbAw z26@m;tj#I<9XOzy7$JO{D9i$%yoVv)oVG4~T3}sz)TBCO_lGztIUg*2U#EZ_--oz6 z;=Z|h|j5XFd41C_8zpx|oH%Fg_D)1BH=wgKW_#?~31zji01nNW#sfz#sXf*1?>>D){_W+Q zr&Gt#?FBn`r!2KBVcJoAMSv%|XJEuRq)@(iuv4PyCZ$fH!RefiRcI}#teK~eCqA5H z2<3Yh95bPhX}vZ4A)Kqp{hh-@)JWhdKBD#vHGAC=lv0U6^h7~L2O_>igCRPW;KXR3=h$+)k=jIMZps59!7HEp0|O1Lp) 
z0sg_&wkmmzDF1+#keeHeTSn;}jix5jYRt_0jK?&%@~EN=mbeV1RXYZn4^H&FbGrFH zXUELDvce4)M5hOXZDKjQ=k>&j zro*B~H;+vEhYsV_+|7^91fgfrqqyJaH13OMyK3gfgGgTYq$|DuRTzQup6Ia-4LyMZW?FQhH)G<6;0AJk&eyv zLNYVc)k?shu(=(jr)+tGKs;QDem>zkv`k~YgT+O&+NOKEJ9enQG~ab$%>#=P3H9geP}w+%7G;pJVB=3?{_cA9&=Obp1xcVTSs# zs(^9ZjNH?c2a4o)_+IapE6CB>rdfK|?3goi!-2!Od{>2Kifawc8$=vyocfKF96IY+ znD)EfM&MTVwrU253>wSnGX@SZXXdV6%D;*2DYJ=~9_^6t`sJO-YwoAbEzs<3D6>#a zlOFH!SAAOo5d=4i!E@E77gjBK(NdLru<{O%A4aFAR66KRL+^!n-rI-WPa|7e4N*HS zw)l0iH|1TIOj>WiywrE(-FhD$pS|MmC>vpxhlI7`cMql;x~b?s%T`|}vHCLSxwdPY zS$JxDwq#RjiEU_~aP><*z0=o_LM)xviUpA~%~#muNk{ta_1`Jj+23Om=KVU#P{YC= z>T3Wcr9bsb*y?0%1LblJ?5vcL>=>7hw2syScN6wTrtG95I_T zhJIy)hkmK?DQi5_Jo6OBtgN_I5k^J^gONdhU^A^SIT$lN!%_x1=B12Fm$5Ljatd;D za&T}W*YNWSilaA6h@lC1=`GvUrR5D2@B~dKEdx^v8(SMmH8($3E8p!z8_SuSFnU@F z8`=;uG8Wj(Z5R)9WpWDAJ!XHXsL9AFC~2Ub{LIje$*HKwpr5~Yld)-0E@MYpkW;a+ zq9|lmt)6Lt(USH`!N$jGLxp0DDv79*s^@fsqQSOKRJyL z7k(UPl&gXhvc4nSoO+5a&mzWAyZRs~0wn&7Cai_5tNkz5^W7CGsWiWvnN}vf-=#L~ zeu``J&UUHWInQ=gvrKOe+*~+0?sCozQzLNlc0D1^hE?^sUA!7P3={zpe@GLzM{7i- z23jW-@7-5lE}As7{DY@&Y@DI>$}9=L6B^!w<>Ke0?wq398+Kp@wk#=;PQtNAfkW`@ z9X7+WhuE|%4hm~292Cq2MS#Q~(nM1x)k>VNn<3#q(vZn(sXd-hr)c*3rW#?-%ix?*ZzX&*VoXKwUqg^YuQUuCIyw_&re9 zkNM2q3)D52$IspYb^VOcm-~UbzNGQ>gxHstJ<$z@SDdn`hV<2ru#bYTKeIMXqz1a zT>EnvrTT>f^Kx$AYHgi?84fK;sv0@MbM1rKXz4&`D@_5Dby~r5+ujiZ}pu)YdMEk(6-mJFoD# zVfD*1%dxaq&nr~RirBMwXda5&vmF!yApebGsL#2g6j3);?5V0Tkz+X|Ry+ecze21QjR4JvCkqBllmUlJ=v)^Fe0LudavOsckCMN7xvpDRF0*)V?hxh z@n%Hk!|j5e-Zy>q6ZeCS%U3&B%Rf1P>Nu!K>a#*ZO% z?c)3PVhDtJa~97ZzWz@wh5!wvho+?^ji;Zx7y>j!KWP^Ri-U_{#h{sAmE2vtT;UQD zqPia^{r~tD8g364{WuEVl{7=YB{Y6s4l4O_JpEQUG=o18noIiAtg1L@Zrx9#WSP7Roz^$!1`wM!@A4uRLikuiUoC_H&C@$OZR}qR z=GWR+lMbMvsf9mHI)H*E68K}24xsQTXjbe`SpV>(0}`~lUragx%{eeTsQ~nylZu*# zH0uB~>3}da=>Uw9ih}C%yaeQwI>*Q;*f_MQ*|A8poBM7mmSr+ptZP2cJ#c;o#yF`P zT&Wt|MJ?61f#cT6?%fy9`8{z5I{^INdY`3fae5~4nRyG zK>#s2TxuP>z%pU_99cxqo_iEU$;+WHe<~o z|2Ce4cIC_XO~uD;oqhb)gTnw2pb+2-|H|MH-pkbWVrUwT1FX@=>Z_!pYW=`17wq$T6+HBkv^T_M 
zO&r?}4gv^(3VXpja8p$Kr&ZK1pUbdV5a@b?D^p}(fPh(SUhtLW=N zLYS{F{L?`~*e?bNVX%L2kPsS&LjGfegw$wlzduNbjEaVwl7bo0Wm4*ogNXhf zMnp!gO+m$u(Q;eH%0bOSiA0%y9v(Ew$X2a0xxa{B_|EMk{W_xOjzl=dNn$VAjx|;! zcNztcaO{mn>;%i%|aZ{5Cm&icf5+c8{e z^3zu8BcYDml8hI@TR;Pd;osy7x6;I`5EtL9KXH!h22oz?h^~@=(Ur7JjlK2V;h!Q{&KoVaO0Fw9$2#69u z5JjlK2V;h!Q{&KoVaO0Fw9$$p3tl z$Q*BjdZcK7^|5~a?H9iZ?GSy_^ejSk1~zgo$YtuXzg^ggpcv%&6Em=jNlq(D2a->0 zzU)C$aM*0L?*7UavCvi}M1bu}Ca??80NVI7?hsafcFlCz+m5p{FejE!-C*+**6ib* zkC0W>3OmqKduvSM4W?aQ_=zHBU|PC5GqAK^9XucS3kU!LUl1VVjIgT)_o$rc#zHRg zVWqNiZ(PQ7Rn$b1P?w}fMYlvE_zy7nFVR7zL|SxkaPoIX>S2FASLsgk? zPk5X#;}sXT9}VK$KNY+zc)#TgOm_yhvgQbn;k%v!H(ZUtsSxh6Yq|?r)ST_zk=Gvt4TlsIwi&&z-RmGpkr-=_cLx7Or*c>&<^h#tveC0$<#H^x5Tw@ zYzB5hb$Ukv*P<@{)d}|lb*te+suncJIhj`}i1R9&qLSV?P1(_3r;aGm6EW9K?(4Lcw!LTB zjGoSv)EEiN$ZhvB$oTks#-%f`BYOOzkKgmX)ff?LdEfDtW%_#CN|nh8m#f2gNyYAa zPsVwY)_A;d-WgGQ3={zpe@GK|4I*C*zh5bvE7iNa_;pEdN$>J2eOXl%j|R?nq-7k@ z==u;`JJL7#q2fqimQQ_*OE>@Ii<0=*w~^ECrZp<#6~SVnpa_uoGn&{s*ewzm*k3!+ zH5CxnJ6(J|(90u+?6Mc`@Kr2-!dC3shA3?{@bbTpAO_2yHG)Ll{QB8_G4G|mGgO1{ z^FIIo*ia2TX{ZKi5W?J{8h8R6g+oItE@7}ZI2wigj}F$rejZieMu$Q|_xiZ35;U3t zj)LBhZuj%i8u%ZK))4y|@M1=5kgS?JS_6$B+38|oPbVQEs_W-Ugp2-kvKd)HGz26wp|Wb)>Nxl+gC)BgiNyIkc(Ck!Y-&`)(?hWiqU& z&!aWcW?)Q{CK_EL7RRxP1V)#>8Q2vcvg~3`MyIDY9bBj>jC~Q@t);sf+Zm_}-k4zv zL%~h}0Vv_W(;bF``ET_-ZuQciftfz>ygQmc;yD9LOb?rZ9Wo^w4USOX^hL~A;W}k)x0LXLJ}@Jeq6^-k|iCsp7MH7rQ}QBh#B1 zNIYcl)@w3*1w^ji%L2!#Ef<%TQXfpSvT} zw#NxQ%9)gFmkM>fJAElp@`+XFK)E`20SJH!{(BsO$T~?6O)z=C7+asIG`|1T!wA0d zz5{`=A#dD*P9$tI)iCYOh(ON3IDMLW%9oa?BfKWuLUZcFd4uB3`rdWYn5J=xPZ3JN zP5=QY;lI-z+-$lt63~zf?`%qVqoscGQJPAp)G^ZuZ`I9{p20pn6Ad#kvF%Dj?`B|y zQ<9+*vtNT3y`dGf?@CfdL%;n*cX(zC}ba)XS{RI0Ccta4{gZf0K+SHIoFqms>iJ!8dN z7J0$Xr>#=yo(eSO(l|bf4fFt_h5=E3)&{f%L_G%w3`FX=JV2zL%L7E}xjbOt@na4U z@c1zY2Mj!Z%;fI{l13Z4r&CfDa;8f*;)2sM_XX)&@HP1fYcfYIlh3o;FChG{DN5 zpcL}gvvt%&Y$W77Okq^YvBiI$#lVcP~p%O>=jmvnL#h!-`2te$kV3 z-b&%WZVws_-5!s}qu@9K29Cs{L{Jz!8VART;Y9GCtueQ-a5vS}QJiNH4w_=>3ybE> 
zWA^J7eI|s%BSf$WG-=|oSxPtp`YTG<`8FZv*fekIuV1zajYEluiJ=H$a2x_Hg7|0> znt&jcLF&ap7UQvynX`5GeOgd2*w3_}InBO`1ix$<5=pXxfI<`CP_;p1AXULp2pm+4 zI1~zwA>bf$p|V-i6m>OC<+tjZDj4dDAVrY#*`eoHIIlDKFI$L5LI#Qs0;AhN2J{ zl2IsVayu~uRG}XYMH5KgiN(M%P{n^Ve%8>BmApkwMsB`oP#5wqYI$C_?B6jBkN;H3 zv!;>EomC_n(GkrO{FPr)zq1V3=&0RM!-U?KBP1p5^@I&8rs4jNkc6lbHAaqZ<>am(=Z@^zhOWj5TvMvhT2T1 zrNl#~L32YApqj;Cp!!5Xj)6r&WwZV{C(_L$ho93%K#}NoBk|`rhs25fWeOZAh9ZR& zNO(vB)Uc9Fo;7d2MRVE))PJCDARwW-#Nn}UBuQ@{fqiKa)RN5sHs7K-Z2{`{+XBMJ zhaWsNsV77NvIvVnLbVA+R#IyP6=G0-fkVwwQvB2!{ID&+&uI&wcJFs96N48c#R&|A z4hc0-e;Eq-1*s4TJtjfcL#9K2XAS)ra&>g)Gn~^FpnktC_<|t=W3QB|U|ji)Ufhb4S5 zn8!DMVDsa{EAWwnBkbc6H#MygzGVBzysCypF6K3J(Z9LjkGa7Sc|G|!-{|1-QuIAl zROYsg8Qj&1f!dHjFS3Fr7txtwLE;{&yyGROkF(<_n=fD1 zH(cWu@P44HZy=3+4_x*ls$qY}>m9*5tG4+uKV@)s5!uDPhkDNvjIB_-+^JpKaPd5< z?7f!`_)}1>3t@7m=iZBx2?#kut4J1l{e~^q9&eN&b)ZMxL%QzW6#4Sz+qsSD<)h8( zm+g`3n&P;;Oy4fqGFF>1_3~qK%3guyY}Z@PWbp{~zHH<=W{Z^(Z9Dib_E&f9uWAZj z?JS-ma42G=GWo&NvX^yqd_(uMVzokoKe(&#wFd_Kjq)272F^&mBMV8Kg~3)ncK z^;KIG>3c%jci!<3axzZkm6Fjs6`9M|ED?7%(tFLTfmJfQv{b5*S=ZZ6A0A>1n^9hE zBWlkdPOrzz=@<46MqMq>fh~JA_F_;49dtnT+z^?X>;06aMo%Wpnms7QL)_hVEr0mf z(y*M~ZI}3}Y!3l9Bm1>n$L$WdUA-kPVj$@Dc*&a@dupfXLN`K|*}I8dO4a+~V)Uqs z`IluOly&g>oR@FFpQRp=$Gk#XZpF+L+n#}imfO0IsK`98g|*O#dYc+Lx%U+C^3eJS{q6#3)gRr>pw9rtiPyXmA)XO~jHs_X%Eh!DkTuYF`! 
z21f2ElPT73qEuknzSEe7={)*AmjAY6LlW>*tRYb<6Yv>Z;=o;0$HyJWfMH9Vbt8Uk@nwXqRXMKZY z%UU8EO3z@w#GdNdBMG!&=q*i_jB(egBd9yn;Ze5sE#%-nHgTm(MN{K2{%2$TGzYjWaOIFrMhRyd@$@XX$nb)%Q~z5*lSE^)F0YcnIS zC_I;5+Anf3v5hM3F)!;~YNsXEJZYiC@Ev)&?_$_j)Ep1ByNtZVzlVjz#v|-3n}@$G zt6kqTD}V5=(mO9Sj_W;S5_~D~xIe0TTEwxS@Jj9k_mK3!#Dv4TRJq52ZF;*~uVgbg z+Vl6+ANNTVo~*bvGh;MHR<-T8m(9MrbnWqk*oLPqRT6bf&6U?nDCkSB?+S?KmiJ7Y zYVGK7ObQ(B7kxi7VG-5Zoz!vtN{OIddgY4n154sD>D-iDTQ+&G)-x zlZrrw6p3JN_J8xx2Em?4Yr9tPRHBz`$YJTzy;9b2!&94%Zga>eRzgrWN6SAGrtC&P zxJD^&>2#6nRmdUU)0&Ff>B74yB2xD@9qeCKW|6inMP}#Dh=K`U)Kx%B1Ufx8js zOUn?#v=1(nX@r?MWeK2^&pXpfukX;xrljspeN9N&qc5T_%O!eTQ$}{z?m^`(nJk{` z*7&Ve)1y)!WIQ6+@~X*a-z|qtOT$;I^;1N0s#H>lZKKRoeCQ=Cl(v-fl&7^$=Q)mT z1I-txs+q$ERAuAdv{M_|3)m+pR9}{H39XD)7ay^w@Xjzi+815$;DL~Dav^%(ty49Q zbjvrfI;)|`5uSIL8r@E7F_|LqKZ5r&eIz4RV`o4F#Kb8DR zblZ+VA1ym65ho@Ox8rpzf$Eh5k6Np2wC&%IkM@>`sKY7y5+1)8?d5B=(LNjd&`>BM zO50v&)s`jt%1){B_mX6kvn^@b>4~Pnj(MYzMcdz+f< z_79&-CcYuu41B4~#mV}7=xv~Y>^e$1*2=eC0nzd={T+*3R5t{&*~vebn--2*onAB= zD3l&MeziNos9avaR?S0juiAF^)OuxAjzX@hPN>*bETN`WV^soMWmAd^*I4!Eia*8vNn5D6qTFAd7B3y5r>kWBv2*peyFOj%0 zX{zM|$Jqos(@lak6)(uHzU>v(YZI9{oO;qp^1#|O-X_lDTQ*Egp1GINf8EtJck3aS z`lE0r?2ENAb^JPqkQeA9m%UeWS|7z0rMx#1d#m|CrecY0xYqdPIuY&xx-(Ksg>)+F zr46D#W_IMBAi9;u+rL)}W;#X6+>96aLA>$YkWR_eil8 z{z=OAPj82+M4qjC1N}3T2rfsX$XBkNlswzMZjz;ZS&-2wIQ#Nd@O1I{6?_{n@)e<$#l|4Bk;51VZnyROIt3!H<`Ie~ig~ ztqCvxq~wiztU-JqI&we0d3K%glCEllz3P~bM;gjL>CIcRO?tW?_LS5;5V|6+JjUZ9 zp0_*jR;^h3Ny}r0#Uhi5XLqcf9F5tNbaXPGH7FQmdTj&iw4#dIm=s)M--cVAJclUE zvT2ze2`>gj8dug=BO8eWMOSLTtz5&u{>(a2^YGoBoM}E5x@r>qS{GKYpw|#}VdZKp9y(ochEkcH zX4NHe>EUDR$@n7g4n0WFPtVeMmO+^;IPIslmrH$B&1Og!&-oIJ`ozSL{t{nOjaTi@nudIw8n*IZ5>t)?`2C9D^@{mz*fxM3->*YV=ai zdx<;s=qEKd$FoUC)gS|GQ3=EcR-XSER{JV zO=euA&$Yfti+vVnN>4rMlkniW6fJrQ*@n;OL&p+SS|z5Q*cew@v)BwQ6Yu4yw%kes zFT2a^K`YU#{ftbq!Fx}=1aHr|eD=EsLT(|gM*MLb*&XXvng&Y>hCp@YGCIscY0lTcZAVw$sUU^=_SigD#>%y zadwmhZ*-1d-h1b=;`!4YOFEYz94wC^_H461fXGftf@~KE@PSC@QU2~UGQn9TT^inuQ9-2u^8QqmVa<1`6L~8oM;FZT}%pc!6w5- 
znzjc@CD@Ks$Y-)8*(F#6q5ORkrq+&^e2}21_YqCK;SjJRg@d-TC^XJ=()j<_`wn=j z+xP!tm$p%)j1)x~=h*9%L`m5@gpQd#GUAjGWi^d5Dy!_hrHF(`HX+Gg+54RT=Xjnc zRMfZU>HB;B-`DNwaqiE3f5zo~U-##Fb6xj!bw?}?7gK+1CEIAyuV^hQuoo3#f8@qt zQp};r$9rQdkF``+2ctjm!H$;8oyiP zCNG7q+%@NGw~$^TkrWDv)4~!=c%8CDgK1LJvZBwEKBW<A?D*LzzIaB_63??+K1tqKJl9Lb zsO#++jD{26VGKiU7R)}Xz_&d(?y-{-b=X6LCj+G~72m-hzu^c!PMiG5A3r(NjUs9C zrT^Om{Y`oq=2MX>$@*N~U7s}fA6ghZ;USe2NThziPd#x@Bte3>$-xA3qC*LRMD_`V zK2iyT?hF7d%Y)@fzdr!)cDOwu8-QnYqMCXvTu1msI_r&ZvjhJd#)Rw^@cHtHlV$I@k z=NuZw5^!cvNSgB_`UHDsn_!N}me-WT$OreHJS84nJWO*VmS%AA;)zgJ z4rsJ&yWS3m5q)Zp>|2zoAFh^eChsq+YObtu5qdvy|MH7C&N&yuaCI(mEe?}&3>TC( zG*OD$y5Cf1_@uNUn^IIdZ_ywxzp(1sXL_V#PVvq8CV`SiVd=BIHy_Naw$G}{B#oyM z(je4i1WXCLQ;A;K`ubl94<~XLlsKK_BzgL6bv4;V>omgC#*CMF4jAN}$~cqtP%6Zy z&uRoEZ~UN2oy4TO=QuZA^-ZH^5e)5lTbWa5qf2gfzuMh-->Yj+LPGKl7yGwNa8>u_ zc@>u}B0KLkccl=v^rR3H`KU{~deiti8g*UuJ8jCbiAY*F2{_Tz$Toysxb2 zT3b;}k;%@cO;Wq>>8L5#w%D#M zv>84Yz1jnZI#M|s?)557G3S3cy;*;;(82wN?+pq`qpC%h!ln%l*ZEHoOkQy~$A5l6 z#75%=u@h&o1fM$p+pPV!*f=CT#00vNhw^R4V|G{J2m9n{YSxOxbI+T8vTo~)>q&Lx z6nK&^8f?y`_PjNTiFOo<^c_hlQHW3^4p+K}W@lXA)=-*8I=)FO8CjYJiO-t{{TP@MENx=jr0xtYg?0KKFvJw>^QAx8p@% zSe&oUSxP?a}harO33-( z(3I?t28zNajy#A!IHEDjkmB&3xu&cwDO|%sX(7DLSt!fqCC;j_$t_NefsoZLG%(4N zv^P_Fp_l0+p6`4br(#%hS=C*C{;2- z+?jb;4;8I`45cMRn>#o(ca56yZb~3q2PfjF?Z=wZ89~v@28FYSS>OZjHmL-$n{_{l zuqx6QPMo&pB}-3`U#xqOlUl2Q(KOA=V#?rUrg`?LZa+c4eaT}L z_dLt0{9JE(iiRSCjuE7}KU_7lELd}R)1lYB<~E})*eCtFD|VPE?<#rU>w3Xi z`QA&FWI-d1sGbjnfrZgAxiKO1z7p4m%Uk!%Hs0UGhT+l^4zevi!`nc6fNfW?b;GEN zt&nP}l~iubi#pM#!xOFv8wFH+vitd_`yz4@w8wNkPI~Npc&>@SD^||oZ1lWJFY}R{ z@?$WPyT`|0PLi>e=QAySBwUOMK7PolFv-bglw|*r`&*!pO0@zWF~^BDrWtlUqGxR%kFMI|4YO&*QN zdQr5vLn-G(xLmAwYX4M?AAkIfQ+rb-S_dA-PBXCY5N~fe7Nh$mF%#S}7x0zb7OY<5YLH z_?MIYs1crOShyZI?v9}Z&(O0E0}$iIl_0TNuF*KsTjv@1Q-h zl!kg%Z9%w0<>jOJ2DuK(Er_8P)D6+D0mf(h$Tpir@Y6AlBsZ3C9AWOg|JZZ4=x2ZI z^Q!Q^!n?lwUGf5YDvv_mj>7z61> zc`ww5(>PFGq^nNKiMFPeRyJ|aTbVbu>h9L@%W&07Rd`6E?J>fxc$&A8FB!A0sz3G& 
zKw=j#a|cCV@80i3I{(0N(C~_dRZ%TTn@H9a;*vmm6m{45ta*JMMQnCherrhOW<`iZA6(jHI?VAtfE1SvmIXtdp%?#N=LDdfz_d!(z=aPL{v z3%jVC%gvEt9Q<;0pZztqUb;8lqic?TNLxfnR>Y3kFM*ZYuoP)}D~i>aDLH&7p)NP* zKn-uyU1iPcXFH-RbITOH2sB$;%UVry@Vg}NjjvSi^Pfu{2^!Il^qPxwGF%c@=6-9V76Peh$q#h-dwG6lj;j&z9afXaUarycY-c}#P89G z&1#jqXAPr}zMAN}MScN(GjADM#z(O*6k}9P9R~d}vEyM3BSzR+BolKvvqj*6zWl|0 zlaMp1Pcv+IDx;ceK^H*cH|d0qlfH7;)Fc-6$=tiP&kzeke`KHfjD;QO_NVrUm8Kgk zbZl_u?1C~F?ljry&%}s1fE1=c2Mef*Z#wt_MRhow=3$sQQ!uK_`QIi%}n6~L8W``6Ll6?afw)dcm zC;0boK)|@GgYKiCY6nGG{E(2nB6l(t_Eda!tUAz59W`iGk{i=n5t@+g|Dw4ExubhCPLX>f6jRY zk*DJJ;0IX;M=&Gnfb-1|P_1tuS-S(M*4o&7I|5YeTTIsM0jjkoG~XEjs`VXE*6ISP zwH7kp>j$d!Jyh1{1FE$KFyHM4s`Xu1zTXK{>-)HTzZa<1_i_1dFHo)T!m>suP^~q9 z`Cd0rt?!|-Rv%EUwUGHvKTxgjfU;&6P^~qg`E~%P*0-3f-2+r>ZEU_70jl*4BIv)(fY^W>+$2LXU?)1Mw@4{QZdhJ%J0dm zBj@g#;e4Xe(p?xS=EX|`7^x$>w@8UeEJ``6WkH4PY;wI*ZK&D857b`B@eYu^-4E9g zKmFu2=mJRm2A#0*4|Tw4orE#BEGKeObxJEwdL9c?%-0H-?_wtjI3l4{Rlac7KVUja z7ZYWj)31ZFgMMYU?VWbt!X$#O!EEovSCi=zT@RXGJMy#Z9~k_U z9~_W+d&*L?@-*lINc{6U@hmt!Un8~{s81ls%I!0;eWap3ISi<3&qLv`}RWd@pAn4wn7mA}lPg673)(r(`$) zKPJ1pALN(FSHeUh`=F011Q7)%39baY+C*# zB5I(%zu#{l3Yo5)7`@=o6ODy=DZTiFh3yWu{S|||>KZ(nEWUWNAf0B6X@Rl$pLexh zb;_?C?0DdMqkh)^NMiTERN6&a>CvaJ^pF0^jaFWRM-5~JxB?vjIskM4=m5|GpaVb$ zfDQm106GA40O$bF0iXjw2Y?O$9RNB2bO7i8(1HJNb$}WROIU{{r z!i*qK1Ut?XF@c5cTJTRCP2Uk4i5%ZVVOCb^x1ilJmP*B5R&l<7mD6P*u4EH91ZV(d z_+MBH9s#pkI+WF=>%!|6#cWtL%oJBh z9?IJMSAkEl;|hP3_guPsDZoq5%+iFO<4Y75R9zGSRrCETkn1;RU$)y|up;~NQg-EK zn~6t60%cz&hJua`LP1CPOSzfxVZ?t19T8B<;d5CK5fknpW7x-eOqLujx*Tz|ux%@% z4E@BZ?sEA>zhS=enr*fz+Qaoy!p*Nea#cB|jhSeNE)=!K1v;kR0Yd-{pc}t+IgDp^ ztDi$#m1u1fAumKfbwVP&EepJ*7t{Pa##vH)5klG)9?>cs69dGwA?J%~;;0;KT(_M~ z((bF@EG+N>3;{HNZv58eps<)2q-bp!*txmA&)j#{m?!khY_~1nTwQ^1L+8g)`emd1 zi!FEd_JOg{yNjBy*v~CgzM@mh?8#ZUthxUeZ?}Be_Q?4~XH9rmY-86zSWsi(lE6b<+S__||0G(J~B0uT4C*NvZaF3Hwd+5OEsNLVrkP8zH7@3^4D|1fN4M=d- z*Y%56A8&OQVJG`FIage@L2eOKz)me)H)uIoRWWEW8SCtr_^SBh(G}~y4%W&7*0>mE##q)%E{#oNJR3h`uN%50=iw-SDy1r 
zZNfv&SeRCTcXa<0ze5kuWuVJ{su9rTmFo$-mzU81@8xAIzE0XRxra1@`AFPW`ne1^Q76b5Ax>TC0~OloRvhQdqRXS?7?4RW)hUbGEL?vv2kL znl~>B9)tQ36GOyc2%rIU;~!oQJD|m7rQgfqi@-c_)*oIh&GlmwvPV)bcp=AB;bRWU zm)Pir*u(waW-wx5hG)fxB1&7+f@m`CFxtMmVA?F@({k!ot|6S)gb54*G=OgWp5-96 zxJe%>&}*lP7D11&Gp`Z)i}-QYy8l+LK`5RTj#vt6T^0HZ=Z8XnIk=(FUoKqe@9#`D z$o*I7FHRKbvCz|g82SsHx@NLL1lQN-{z~XCZi>DR{pJ4p#y<@G<%L3cPofO<4Xo)o z`F>;QFE1zmiWH8&H}V&jvB70UhoDkV-&UlT` z{JAgHjv{=%^AejkbX?uT0lEMZzegu_JE5;q%t&CgI>f}Vu;NQobUs+veJt!H$)`n% zAUjN=e_T<+Of^(l=fa|XwW@pOBo=0h9N!q0KJ_?kYsQC6qO2n?OgEXUyS(2C4*tCu z)C|naie2hngpy!a#1y2>?PG~`zKEVY*q+!G%Q5B5KDmjvAERxyh{jFr=iX%!{EIE_ zIn0js2McAf^IDVg3nTrqVOr(l+Jg&PfvN?{X(` zurR^7yZQ}d)q#%4UEMp)>J|#y=diGDa-?xb_1_N9Cl1pp6dXqfDWZ)rG3by*NyNac zL4|Ob*ZAs*D*eTu<;!IR(uo~=XA2;uNQVmUAS*GE)RPNodbCx=v+fTj(HxnWf?2n! z<{9e?UoQE@23~Z-XWxbPZbhwTEG#Ch2QBA4hfzap)Bm_o_-3vkP#ubtUntZcx-0ao;cPa}k~oB}lO8X4D(-}as$HdyI&14KYE>M;!V)psh^c3Lsh2PL#g^gZ z0%HO1>^9FT3n>cb4YR7?1p?i_xV`(zjB= z7(q9{IRgT63SB+7nVb4sU*$Ip>@sAkhY;%2L+~O}!-y zXO0q^C=CrFui58tL0am1ALs%|{3e|!5u3a|KaLy-tD9z0ld5}yr(~q?R4!8T9?Spu zht9)oYj~r1e(cu#uX&>(k23;+^Ruq@Mng5|5FGG7Yu_Q@od0MlD(>Z+Nh^!rK@Quc z;&-^m{n#PRy^cfro6>^6;*iG8($@~@Z_4WZ&>_8|`W+{N^Y`VV;^yVxT!!^GJEUE| zRKKJ7qx#*S?&hW6FLBlHAa^t5kY4H91XbqfvEl?l*^|evWg>Ku?7*(=kSLezFd}?0d)W);o(a zfwLkKr(Tuz@y+f9LjVn+8^2{ayq+CxzoBb>X=mH3ZCKcuuo(Onu8bDwPm`b1F+?c; zZuC4;G|Jy_ZnrAq>HUTmd=B4=yv>y&?tk*#YtRLd_-#6Iih7pF-$J>477H6N-c_*J zi-o0!f2M63i{dVKju)P|)iVjSN`auFx}vg*_$>#%N6( zlMgG$c!HAw8bCL|N&&Bef8C2w!TD0ic{9tFM*3&hT1-49>h5T%#}6ts@doN-(4fa! zE;_d6O`Du)sj^Uj8kC>`KmeKmR>8k)6=aMFUc|y0<72zm@Lll#i+mT5djf&L{Yie6 z?*doN0>Qz}`$rWG1ScQgKUqfOE8oS^Mn0&F2K2Z6r7{}0$NkuM!MC>Wg6o?qCBNdk zz|GQEz6-8z3UvI?cd??51}7K)Z}eU8@$voFd>8kASVn^w=eszB+e}ADfCq#AEx9jX zFvzPRD@O)-E{M1+pi&wPobY25EB4b>wPg&}X<-;f==^dyv9P%4%KW%co1qKiiN?$! 
zj;cZf&98ej>!k&zQtTVj?|?x70?>qi=W@8d;MC~1i0ZH`wuOQuw=u_iIR)&a)1RSx zQQWT+^VI1?!T8i;D41r}Lz5^(TZAa&{O7|1BvhBSg=-RtQPv+XZx^nzmUYf(ZWrtKQ9JqkK?F$H6XFzM3c z{vVN@HCUJ#<{wG<)O+wc7UrkCSTIvoa7cO)`AKn6q7$hTHlT!s3D4omSN;>#9MH(Q zNi?-|7g{HAAgsi>7+D{Wah&YK{3B&EFzCsC3_Pq1Q>@j1^j^Gyj#pop9;jLPN9vO- zKz|pnTRcou@>f!yu-h88#blPn7;= zDwRM1%8AOOcQMLSEST&C{XzLfqxPNx&9Hx_CQJ_&rkU7zXd!V>anWj~sxcZWI8)`E zkNjs!mQ-Q#wMyh?wHjmRdPc*Nr6*(2p^Faaf2KA}*rG#$cl206vhrjV(DuJvecL1d z*R;K$CknX$y~Ln!e6KdyJ9jU1QS*zR1q}egKcflv*n7H>3zKL_zy5rkbYNj*JsOPx zO&Ip^iN^FDuXQIW2Axg_(#f8ERV$wi4gdx~5B|Beus{ceDjhpBFTW>j7ZeOMV$u}Q z4H4S#cWe!GGk2$zg9KwMLh8ED_K!2$*x$*?d)=yeVK@G4!UAS;5`+iUa`@gki1ac(65lh~LRc;qtCP4%T7p{0Yl)(_e$&dJrZkNAO7(#A| zr4)v^$NkXl0?E8)4ns)fuK@l9x69HjeeHJnCOP6UQ&Tf*Qg(S89cz1Ys3N(Pp{X%c zcbuM!lwH)!@&d||ULEHH!tJ<`L+M)6t8>9Q*m$`(dFgq0x!E{4c)2<0xwtsk;9Q(= zsE?1Ajh7qhgH9JiSy|JwYwPG(YAMKzLyxeww9&Pe(YD0ZHs|Ewg`6y;DANl#J%VQN zo8*fBxnO*JkQ5wno)waD!{Kba2!8Ih1Uq@=*zs>A<6kA&H~XXhW68MT{A^r&{E%~y zhli7mdkHgc9t0adA0IC#BrO*k{9DYvD;ghE;C%&X-|Q^Eh zyqu7L{2V-RdMCZ?8#W z^^W?FC4;n%jfyoMH7?%4rY)ae1&A+n5SQm zj0>7NZb<162;6jXLtcD1FB}4miw`m^T;H9}6UW8mk9|9zJga2;=FR>e%ZA{=y?~b{ z?~7~*K5hs#XqMNK?d&Oeg>OaUT_xJzw++jx2EBK=mrz@wYB)XQfskB1pWj~utBeEp z-!~2`RE>lGuL)gNH8>}<3ceBTyQ;RzIB@@c;{fNt8BZQ)eZmo(e@Vs%nFKDbKcYsy zl5Eur_?s!^Uu7Vm8~oih%E`|IX%-KpSaiAR##UaPKwT66NNAmH{6>KRqWu?zQ&Kgnm!1RhEGJ?^}XpdxhgioP4~H zY31aHVB+F|UYR(41d${JE(+)mg7obat}*~Tf8PLb@^Rv(ke8dDmls-rUrWRXt<)b# zwCcsr^Y>r;OK&SaUS8-W&-LfiaS5_ z(Hf$$?BW--tx;kqU9$@)Qg$hnslK%VJr5T*gf_jEwIxd1gw!s0NVp|of2PGq59?gh zmFx?YUb~KRBsoSX;=eq0k^Mtnnei#vB-Y{^3pWe4-DuFcbVu0A_Q2_}9Z3R+V$+o2 zI2KKDypoCbDBk=(X)Cl5SOYE2CvvOJu=*ehN=V zfm2{_OVJ2X1&vI-yJt%-vCRYC2rm0wJhf^kbZ_#Q<>B}2;H`a_$IWoDO)N5eo2}#g zm1dT)^V;JN72VDYGlpM=rP_0_s7$0i@+HmpC7YVUJFG(a`pT7Ox=)lj#n>O7mt{2; zj?@m`a`o6l4xfuI_#by=m6M(zKYEopH{aM>(6z2$B{5 z8Bi{Y8yHNt#*5ydVwtzO{gDpYKISn};A}U_&sX5ISg?S{@R|9uwyvo6wg=&*BhJNd zG_3~cLWwYb6f=zqM3t7;sCbmG7+-aKf-g}NCiCD8Rr%ucZf{5bnJUSTYWy4q;@8Pp 
zh8RtKcjR+fjNE@|0v|Qt371DE@w@pQ7-egn?ujWAI$I_w|M?*UQNR1OD<>4{4OqDd z5AQx9;=3Dv=i@P+$8T@$*AaD=^PG9IIZjKW*nZkPMqB@eT|$aPmk7cIaqSt(z46(Z z4Ob$2-R*5u>_q}yjNH{u5MD#|P!f)C_=sERGi>2eIqAA{Q?)_-6&Lr1X_x3rZYAB2 z?N2@G-p`xL@4BVFDch2CXoSwb_RZ4))qzjKjNKH}6>;wjBzZN7_L3#NeZ< zWOJh@Pmt!k+^v}-SG+1&_wt*{xp_WVz(TnBKELq1R4K^ZmhB?j2ffE{#OFQqjh!;; zwGz{naz8P7vV9hcbHSs(@u24Hj_?-ic`1$dk(?cBhvR97j%DKAedPT%)d|@$o$7?P zp5Gawpzc`k;8ODI98n2HVdX(xrhWM&YG!_Iox9Gr7tG35TZ`Po4{j5B`5|Mvi!lkG z9Dyk5B@<)a=4_>A_>NZhs_Lt=s?_*L4|BjOeS?*bmX6qYGR07-z({prUPRp?x>Q7C zFDR&HZ?;d-R?A$~;aa$`nUh++8?zK2;@jjpVbrbT@2 z^VFl8x*w-}k*wwlG_$N%iJQoa^1_MBbsb{w@$B|_?yC*kyDiE^yIzHWAb+z>vqA)! zK2>+TvC#Rg@WYL@EOu|+8iZSjvTWR`nHyd1V0 zy(4wCI4*1;n{na|L29jIUH$g(lf3m8s~hegF*>NIPA-!6c>M5ZKi1C#i?RwPTL_EO z-CK+@lyJji*#_lZFZ8cs;|MilGoBn_2_Vw+%D5I?#CkRJc6_l~$_W#bgr?o|)%B>G zd$)0Pji6<9P8)_(sGnh<=Mdg;Z^Pu>^zb(Mma{t2E`o@*8?{-8;nqWf?f3S`vPc)( zUPym9SbN`rnENVEbc(B5F4qSo&|7Tx=71 z^z@{=BxeZeNY!!stZnaOi->FV=QfrLRxx2Ne#E*lITxmA>a{-T$iC*KdTxUeZzi34 z^SLs1)Xsu}D~|qq_g~apn7`DH>GK%DVx~NX?nrAcU`Dl&trJtZ?fG*PqaAe*Ja#2+ zX?&A4^hS9blUW<$!L%V#rMcoG{zbDkjfKCe0+# zM7+a{9r|UC3FySCNPVdiVPW}_*qOR1H>*e7KD^Yfy_Z@ZV4dlc%J^ejqcVBXts;ju zG@m_Zzg?D^&c6DXNGU~Bb<2~!j;glz`%fj>+=_?@oR>UzWKY7olP2uU@1ESg-1Jm> z=+5Rp&vEd+^oj1cT^YDw<)A z?Fq@<$qc^xTXeQ(P#r~WOkMDfSD@TgUJ#?=Oo3E%j~L5j$r&N8Q=w&ftv1j=ZsGip zf!F38zL|DliIGVmVKgFigREka>9t}f%5WD1CId49_c`yinca{}^d6D#ZDMEM#l^S} zV|)U)m?VxE*q|x`!jB7v&+7_)B#qrV`-E{%!1&B)tJJXf?dVf)Z!D$n)H!=8^$0n zMAaMNeG==3#IX76 zNgs^zl-W>;9v|56Qoo~feP7whFCT?Cc)iJP*Oso6M;M5YGJB?*Ka^^SexyD8T(!%- zfq?Ch;7dkU4?*(|(cH_`Y-SwgbG7{DYVEtHZ96RLdUyF4o_?8jOUZ}T?IY=BKEv)V82_|ZHJ8Y}t)xEb#`EPpQPx_+qibH+H`t2*H2d+@Sip z(}MTuwSq1yi0U!h%Ou*D~}_Ah;RpJGXca`$Q95D9B3ofk=-(T*z*WR_b`H^hD9~eh4$?5k9fqx z5*xe6DO=^B>yy^U>ZHLUxrL=#ZoNta)-%lBd+c>SNX#EisP8<^F0WFRJ9os_>+Wu26l3gtA}ns3vesyCpX->mrf9@`ztGJj7?jo{Su*3`Hs zOiWJ~t_q998o%xv5jlI=<)E3yP@d9@tTc%fai2Xoz9NbBoReyCY5_IYmbE7~Z{oh@ zzTnGy=o(785OMrq(sOl7s*==;F2`=%r}FRa#4jJEJZ|63c2p#I15ee+Mz=%fbX9H; 
zk{%|p-Q0B(Z`0lOVhWYoOS2c4=t<~NDhe;oJ5cf~bZ`d{c9nC&=uaRvUZ`o93(~r> zha_F;j&9^5f;+A;tujpRTE{*{SlwmX-f-wXLJ*((m6OQUxVMKy(r)Vt5Z!jH?5D7l z+!1KEkEPXZc1jydC?R@WLV!rhMojrUf7))@a^^S0WamDa>+i2GCad2fWx+`_K`8BNY`-HIiSwwf&Gs0%Ds*dL3Spy=gm-fVsC`nSi!$EJqT{kg?=7$en zu=PWiW=1Tx_Sjie!;x18!w;}?&+G^Lo_*db_$p&&G2E`|wlhEF_z}DL3FBdTtJxQO zc=X2z9B6sw87}gOc_amC<6V2w^qF>0qqZXHcx}aVjoOQ)bdU9}?G4wv)_p#bgnM%* zeyq1MmH+8v_*oqTF=}4sll|--YS#+cY=@;MuEbB)5D4<0--ah>B&;yFf8wDWSxZq> zr9W*H&+z01HOp+GXJ_{86ET&mITNP~dy}LAGbyFTH@LQ!z~GuCrBwt>KHVyUQX1;9 zB(nKL8znkWsxL(Rwr_Jk+Z7%+(HK7Bx7o5R#Ly+2w`%y`xTZo)gLHr`6W?~RRYr#(s&J+k%Tko2CTso~sVZM#cfdYx|;h(C9T!@3`t z6?avcgsPPA-lmt9??dnKs7ORF`jcD6yh>{TxowC2^iDo)VUZ{!mvSYgW5s3y+I}KTBm*hM z_epg!`)-^e3DGRuIdY9TMW4P&c8cDXS7(Zwz^Lhf>Q%I@hOLCYrKR?H&(H4n%nDC$ z!sv|%oP7M=94;xv8}!Vn5qYb^x%c(cE2g|r@_8?K{hDrB@#_b0$=FH}Br9k%KBp*4 zZFnwNrbxuRkQV(>n8Z-VHr2KENjaC+CZ3bR#xly@&Bx^)wVsr#VUd)hW9^r-61*k% zidE3foIuANzsGVYXo{5fU+7Mt9X&Md~{5O4b? zX@S1dOCr^F`z41-q&EztE-X%Y<2N@&J7r*NrLf(n$c%l8$68grU#mVgwr^K6evk6- zpC+uNS$w>sB4&wbn7eOJz-hZsOXkH*N`ia1rV=jF^%(`#hzd_Kl$^X@ffcRHRv&zw zo~qJs@JJa?(>3f39NAI6i2a)dq5mf+pziInOydkGx{aL7+6KOOj&Y?)3K2UDHx~IC zZajX;@D%>_G&ieR&Le%&6GyXbYHP^&b+*L|nhFz+a7~=okZXB72d$KaOH-3v$Huam zDbDQMH)`Ngb0$SsuQ16;5C6%wAm~;>(5-?t9#yrv`%+ZswG`F;GLG9$dloFS#V;^z zMreoK=dcdD4|~a`?3r7;Ka;e}Ksc>dZ0muEc!mQLDGcmfDmM>V=W~h$x`}*Zy8S|! 
zx9@Qh^FBs~S{lncYGBHdT`g?Xo&iq zFMgz7g4Lx$hxi(;svHT@wZtngT zL2i0@Bacsh?EaI=k4k08_RmYJl1-Q!pSpSe@W#2C@a{-o9%FB>l5-LdxaaJ3pN7BL z9k5~1=w$ZO{f!Y$R;O;V?drR5D#^Ge|G*2o#*?-#<#h?I&$tA~-wW*w1o#Bf5ZA%j4u8hD5GLO)fboOI|eS+Co z&KE}bN4832WV9}ZNatfFnO^ba!UjI(C5DLK&lF(VM8Ao2mxRf?XQfpF8bhMwN9>Y% z0`{^Wdm3#$()}pUEvs#OR;4Wy6@8{-q{CO)zFIO8m1Q<_jxAvBc3W;xLxzU%LSxsn zf|*f;ZA>1H(YsC{OVf89k#qoW{r8|xRx6bWM>k^QupHZBc zlzXOf!=u+;GwchC9GA`-?RAL?hvGeE(Q?hAOki2lp_?19A1|$jvRKm`n%}3kZ!GtM0^T zc1NjG{$U}>*{WhHBm6O^VX5WkQFiwZdI{bbI(s6_ZseR3R&Fqzr$YjX9#XDX++)9q zf=Es{>soQw1S7Yq*yUcc&ur%}eUj+dN!RskLJ}YQ_J$3MU3tOv2ONW1!jZ9W51VXv zl4*W7*CS7c)I^U@wijSi5aIs5nhVT?`A%~hyT{tJjQJC7<1#m73$pD#@oZ+UpS0qf z;3ZQ2nc~hN?HWf;!PFqz{74Or-f`)>`{-U#pQ^ zxHwJQ$%fq%Pk0rzZ%CCsTP@FKWK1))db*Y7_^y&3`qut)hd^EcC9MPA{VuR)`OUciB zI&|sf<)}MFS-&m6o*JBbp+8aWqlT-e^}daEeM5{=1k++W5)0;sJzByygtrhKK)Nr! z(H}ItVsWX+dTSoqd~<4_wb2%=+Er6(yOU~723$x+gb+&X#Y--p(Eb($$KlY- zsJQ!c9}g*6od}k+WqE!mCnc7i?F4O(C1+?jD-AKzR*jA$TPWQ6B{PlRXU`oqcOvS| zc&+8ju<=v>%j_FvFG%b+YXqG-o-M(e%PMiFQI==3xFgN!C^M-;W_gkg?m+_ylEr;) z%8A2W!ygi6__}?c?>s+Iy04h}GdU%z>2;RNbBBy?KPu)L;^}lL&Xe}&8WV3~eLt7N zIv@6_yk>XliJ^y{SL`RTql=lNIKTU!{*y1!JWyc97x#<8QdrRscXzKSl?vzJ{Ef9z z5gZ(d72D>2Z*E$W_dhC@N=Se!mU;lUzZ;JPS1R?d4Hr}MXtI1S z;)8yjiBUrsL$h(dFvNB64PfxE&;u`WTMMh{1T1Wa7%HmVqiS?lTkj~Fp?08+YG*~E z!|>oMg;%3`$*MX!$m?fYZwSfu-S+Xmd+|cJ?g1L=gN?7nOC)*VvdN$m0P^othBppz zvLAhE6n*zG&m^=7d-jblC?9bWVUk_6F{%(eobK*F;5T@r0WGHO_R9FNkTAzFm(APH zyAo2-zaZWK4*tCuFeECA*-5AiFm8@%h(4ou`Xc(N_+(u;$6!kRPUD26%+@(=M00rc z->+I4VlAO=T^8$riLo7$^B#y5*KR_^9d6LjHp`tT)K8cA2a2!?^!jG>-BX%eR2XWG zq;631E=nm^QBBAxY`@g!R%PV(4^))3sorZ+!xBF*_p~Kl5|I#3?Sb-7O4YD&e>PIH zF|>~MA1LKH@K~TFN>ROGQa;n@uD*sEVr%&kZM~dgOxdHdVBrV3g6h&@0>4?Vscb)_y?-2CU_2*1}U0p)tzmPkqxmiSb9m^ABa0L z?HnjI^Lc#$J$NVfOy7r;H6!x*1~ zQp`sy3fevuw*kxIuix6g`rHkc#aD=|aaaSE#Tv-0?j{D-Vl^OZ9dQ9`u@*F|`thQH zwO9qnS_fMIiCPPq)%}KmM6Cv7jUxg;qSip>t8PG|z5-;eLqMX|LS}V8AW^IFSn~*w zs5PNkH2_G|Dmd0Y03>Q{Y*vi`6157BH4gxZS`(Vp1As)W#$(MRK%&-!X4L>7QLErs 
z`v8!rwXs<_0!Y+KG}dVY615IED~AAyT8YNmZ9t;d#%9$BAW^H}So;8wsI{?KIRZ%3 zN;KAK0}{0kI4gz#iCO{1dQCv0)i{ zfJChTW4$IIQR|_zJO)VAG8XH$0Et=`p5;M6qL#5(uLVfddg!be10-q%80$3wiCPbx zo)+2S|6V;qku$xfnwbTAW`eWvpfh$)G`+9wg8D* z7oIPJfJA+PV*LgnQS0OL*C-%SeydSQwPEe6FB^$x%b=RkZ)*P-*5nuRo313xUR3AovTV5A6B8w<6gaA!p~s8h%ntIYs4&&jwL;JY1-`E+ z=?0wukbkE#qz$CKx)C1lA6SH}(-|8Po5jTPJWCXo`_LaNN86f^NOmXX(&q}ay#Hxi zD!=~Inf7Rw$+^pZ(WT%Uz~En@2d|?wx)y3brnS-Ppr4#Z#qJ90XDn#wM!h+_&Ax!%4^Dd&u;%5LXNi1F;Okcx$2{T?f%V9@M)&$Q}qyOu$ z24<^#VXXw`gv28-y#r}BeS#JaQHuq#sR+z$-5!CN9umY-+tkWj z+Y)7}Yfs949O@B6*&6DiBrLU|<5Tq3mNqEdouyEw`ql>YJUk*I^nVt~wIGFaLQmp= z{yT!JbW4wWF7A2sx+bK!UPvs7r4J5zOMOTN1iii$^dl^ZEM`V3OZr`Wd7w+obc{&9 z2>S&LNZ>QtR>sRe2JUF-r;xHSF*G%^GPH(dmcU_xnQmh$G>x~SDSi5gm4$)GHco0*uKnW9Xs>G??6#SJf7qb#BG zjw^_vbj>cH{=9q%aXm;w=sCW?3WxKG(5Z{JfE?R}uw3fDV8MPzSIY{;`+Ac)LMv@w*{Y zn^>7eRgWRXO#PV_pRhiohc-x`vwPPy?>{wYWweFmQk+T}X0m|w1i{kHF{TYk7 z-Z{XU0&5DaDX^x%ngVMItm%4|@@K|?H3ilbSW{q4fi(rz6j;-rv6$u%^J8u4gHKW(-(UU`>HF1=bW;Q(#SjHT@Zjx!yUzngVMItSPXjz?uSU3asgR zmhxxDfHeiy6j)PWO@TE9))ZLNpRt(hodc}tU)Gcz{Q(POH6B&YI^%{kzJM&H8&3;< z@ex7dSwYLlVdo8+0EhnpC1Ca&vq_KbdiVYT91GJbql<*MCUzNdV&1OzmiW1`ZENKJ z#$~)-m7n_CG}8aI{NKE|T-Ug~)_>%>{xknKf`gNulM~7f&V@kG!#Vg6zcB$g0uDVL zN&t?_k4=wzFz$IjP5{nJzjgv}{;vW4l?33pS^6pgI4@4nAI#iRMs`wmWy1?lvU4~m z_sRs|eB8e=0XR1|58}U;0Q|)UgFh31)BKSDd}Ru7JR%Z&LSh0a1vn!v1vm*bMgaZy z#}^(x0VS851ragf4mdf3>~ik!8R`Sx)r-f5BfAx!ZhL>gYa+G2{y=C(^5Mz!>-zC= zr-e;)R0oX7s?=5d9hzT)K>z~Kgn#vNV6RLJQVK>|__J>w6F-T0JTW^~Xf#%coQ$w@ zMzP#I;Ei(mSS6vd(?Q^QYIQwPsBhBY37f0>;c=UU_nuen9l!^J00f{3|LWzy;*lUA)d&?(7AAywuXMw|LLZ29Zt1 zUY-)l)7-z#1wS{mJ#u=qyYtYbCDT9{VxMNZS?H?(ua{ST?&7u2!l!tK5qggjNf2wb z>b`KgK7PD$Y}D@WS0@k+Xn*ykf6#9BDP#$<~(RCr38O&CiTm+?~rN zx2X!c#jciFrCVP7@#s%pz2<3nq*`cNQ+Sy2KGSTVxcYTV7x%URZ(SS;;H`^8 z0T2cp3V<-+PymDhhXM?6T^tI4>*7!VgaL;FAPhJZ0AawP00;vP1wa^ZC;-BMLje$m zB@_T*z`+0r0}cg17;q>6!hk~o5C$9yfH2@t0E7XD0w4@aC;-BMg8>i*914Ii;7|aB z0fz!03^)`3VZfmP2m=lUKp2)#0E7Vt10W1I6aZnsp#TU24h29Ma3}!6fI|Tg1{?~2 
zFf5?}2m=lVKp1c+0K$Mn0T2cp3V<-+PymDhhXNoBI1~V3SV9311{@54FyK%CgaL;F zAPhJZ0AawP00;vP1wa^ZC;-B+gaRN8I2Zt7z@Y#L0}cg17;q>6!hk~o5QhK9-h04B zk!@|i2&g2LAP6YXh>}A`nkGt+43a@Wg5;c|1VsdqoO4iuL_x9yQBaAJL86F=C_w}y zr?1*GiE;d1J>K))bMLR58N0ixy6frxUVH7QYuBuer2rZRECtXoe5C*y1}p~9FkmTw zh5<_fGz?e@pkcsL01X3{0%#bp6hOo9l>%rOuoytYfTaK$1}p{8FkmVCFBk@ohr2#N zY03rxB-6(7lGpzO^%J8%F#C%DH3^GVL>gL>i_ueR`#5yc7uVB;=4BLROp?s{Tj!NS z8v5z3ted;v^@eL^IdKJD2DlT107k-pXLmT$HP_=Wk}GWX zK`47YfTwol@vJQ>ryEP)|7!`fHh^HC}2$)Bz8?14D>&^rVQ$jHD&mK69Om3 zp6`ELQwGrd-8E&<*iSsL^vl1orp(t?`umzPh`)cZsI9G?GZBxf%T;F&dlLwcyoIe5 z5sxGUNyH;&=V)x=2+_f=Lxbg~Vq)YB(Ltgy+!zcLiGrX}Fm4nCiGg8X1MByod6C?3 z6mXz~iIX#g$MEV^M}1W_;Io|_U5uQS3>{5uogpw@3|d&2$i&td`~85XL;kWNJ`^_+ z!-qy=AZP?1(CWO{mk0zJ5D4W)|4opZs_M6j_zoyS{jwrB6b@+MMZh3vIFcI$MWFd0 za5#(`jzj_BfkvRe;q;HPFb8Du{<16>>?kT`&|9(27O?4af_F{!8q^ zHoPbiDpc^pzSCg{6kTd{qp^lKexQzOz2>x3XXd zWPP*x)lbWU15u8_px`J7>Q7aC7=RfP=mS`e2UUFy`|luwAJF#A!cjl34TFs{BoOs~ zYD2()=mIvOzo$)7M(LX_fQACAIsMrw`Mz0t>Zhf_c(L6O4FzPNvAytXr~#=0j^srl z0lA2OiZn%;Z}SBjiaa3go3ZDor6EulKn5HGQ2Rp~f)5I`G8{4?0_x+q*!1G`=bj0{SyiWw*9pWpug<`ya#0cddf%e@?nATL6AVRp}&ek zV1PzN!hsA2w@mpaBGC$w1XMO~d4^V-CVIW8p@9)ZhHbr9KXfy=L zi}@#I|JafTMgU+K|J7uMg7I-<_%OWizbFIx05=+e0XF@!Ff~=lZ;>4s1NeS@41gn$ z05TL-7!vV&gaPo77!(W`%zFUv-%|U>F%xzm{R92_*R^2> zAwD=Tp2J}PK|mV@c!tfiz*E3M0+|-jhWVpKC6(0l)zl^QFKVfA!?_XP#@vCC0Q2i3 z0SplHyFw_y>|Y82#|;eYa6loT8cXjl3e}YKC1ljTDui*vzEyZ&NWlF1kbuUzH4GGJ zN*FKTW??8Okk(*)a9}Gh@User20Ab=u<=iZ;;Q=Mmz1~xbxd$cRSPo>6UT359vB}m zzdk;|`LO*IiR6Qz0jrA@gn}SoSnUW51_JB^HUR(rq4I0r{pTKXV1&T@`UnC168I_u z@mFbZpz~r70M+kEQ&swg8T`Nif%(e-A!%Xl4E(UsC|jxEdu)>5r8oTlraVy9^g;M6R*%k!+2(Kk%O zQJqaYyBXC~waLZ|S3F{I`S`1b6sW9>xX$TZKfdIfJoau)>gk^Ip~_cwwjyIO@J7Gk zwuX#YN?!b-@^TF=CWmX=0}I8YZfF8ge*=@;6AhTUJ)2wR)1ucA)!x_e`XNXNNd_d9 zd}NCx7Pp7S&vG*4)oBPHnU_7jI9Z4Wex^PV_57+rJES~X6!xJC%~fPi&raHybDn5w z`3-B9t7{**zxcG!(+k&~A4;+LsqnvLy5%}(bBo*+&!S$5kG$!-=Orid+Q;eI8b+(id!^xvxQ<-Ilg&_j z%`oPS>w0@hBdJ;Md4wIePrX~aOBlm!d$b|Xpx)l`sm;;Y(HlM%dA!*XTZd-PdKs@5 
z2aT&}DQUx8Pjh7vd#c`jBWzN|HLn;Fn8ADANaUHV-Ro1eqam+TItid{d6>Y8s?+_j z#=C>Ku@Z{<{j$`j_$6_~NRQt%JrnF_=%V)?u^8mg`;zAb38|0CxIE#g*-MlNjibvb2>xJ(s zt1>bh-NLamC(@wKc6vpW{ZiWfW8XRUFDWI@k{E2YS)XLUEOmD?Axl!-Dwa$sOe`|g zMXN9N_q)>Vqzw9X6l%;H-}q<-M2NwRkBVbGbC2ez^F7IXgL_r{v%f zfg`8J6wRI8%PATTdG9q{x|8DqtE_T#y3KBF*L$g`^)1a=Q-Y_Gx5*TzOtT{-`RU*! zsZ0rQ9BngdbCr`Ehp88yTx6YwTurZV zN`yyD%kD^)xscvU)6>Ac0=X-z6cm=`Oq<#zZb!8o{;CRoy3|SWD0y?Qv@dPMlWS)a z%5oZe6OLy`+(BlYm4aLkIP&s_L9UW0TE|a2k4Q0+8{f&CkI`5#xsOlxaPrnQaq3g1 zB9W(_`JFp81gGI1u^G`NB)U;uN=o)f7Nz1e%^^Q2tDT@ZkQi6ckn&=;M_6dPYq4Rw zJ=|`8b*p(H`cm5N$E68`k5Rers}Mo1EbGOVz4WolL4`J=H{nal!_E4gGrOlIvrjOc4_G^1 zPc^zeHEkx#u(Ua&@-{O@QYNTt#R(bqa#6(e48!PzgM4y2ipDJY&4=Zoh%LdUOyO<# zetUD<;=mq*)UH=e{np~BS+Q+8ATi`3ds&NYY69fK>@nW+BLH%NlhGkDt=Xj0u(Kcmzv#Eism+~Wx)m$HB zM)6ObXKC5tW+tN{q0cexz(W`*`^@|GxCh2MtE6ek7`-JW^&hwZ=d9B7oe(x;J~k>Y z%|WtS>B~AoVNm&UdY?Yr_5RRMwl~bf@d7bo@(f{tXQSVdL4s{b0SgI?)w9c)>BuA+ zv4-@#5Q*bR0*+{k{@}6mL6yWoN2dIhPx3E)(zFtaZ>W7WQL;jLXHBrw%-TniIsI;1 zO;^n%x0X%w{l_Jg$Gy_{1-n$eJJbfR1&Hl8veel>w@kMDCyPT$L} zcMeRNUT=wJo++_&u7oW+Jr~GN>71h6$v3N7IWA>ntZIpKtKwatld5Hj0=GzRg;Fct zn-f$FC865X-a*j=(Qgnh3h{0=-a0*ICuE;#zwD9hJ&<|yJsvw;({L{19U@(&yMr&@aHLO6J=5+xJ4(a9_P<#NHc6c zo4%}fdGc7ZG~p$DTc+n#czsF}qht5-9KzOy1cclqgY&)5b6-nrE}^h-digd+n0n2i z?t;{feG-o_Nf)7NF65vuurxK8oucFgdU5_QJ2xx_OO#}GC5uf}#? 
z^(`|qTcctb?XwIDP&Ve_5ze-Aky^t1q5f7QyCr#@H^p-$!!*=%keWF( zMurC6N!myw#wSi-MvzD&W*QKY%4lpx;C*g~M|`7)DE}l{i}&QKUO7Sy*_KX$H?kE5 z57jv4jACWnrrt>_sp>@)+1U3yYT>9SZrm0pNY)5HzPP_JT6JtHid{MCEytqhvrvQH zENfjt6W=4-jS@lGP;)OJ&a;b_%xgf2Lxn^}WzRoH5$yglw zQCoP_J0B4THrBp0eglapTp`<(I2Ch?HHmn!O?jsm^fKml0+O;X%n~;{Bt&fmJlIm5 zOVyj_o|R+_5?UvUvW(eOrk*|7=1i+2^Qp7W#cia2#xlp{h7A&MH=BP9e+9 zJ7yC9{n^FKF`|-0Vx`%}Qe?|^5h^UBGxbUVr$sJ4Ad$_3G(i+%!e5wtFP?EnDOs!~siWef&!sl5a*fPWF(R`Su0;>ePu&*^J1jMG>q83X3q{(z zcLKIw`*jVCm~B8rI^&l}0wbBhBZ}uZ9~gy~+g_1=Ur-Wt)y|SPUCu#on?6fTRJIK_ zH%0D^m0=z;jV3&fES=QHBh^AzAZwd%8{UlTb-Yb4~{PfdKUNfK@A|H1UcX%>PTDG+?i zfbOI4uDehVid(I2rCI8OBXY^){cT2Sito5WtwXd$TkojD+wkKb>E)=kZpyJatp;++ z^xG$+((c192Rsy(T1+-(d^a^*RFdwMRbTj_Fwwb2EZr z8Zm|zL8;|Cxe^hrEJpmIK0{51^+~>nF?6>k4UBvgH%MF-bsRO4gug=QuN$e{3gPO6+oExF7d1?W{`Ib?uAnhu@X!&vd}p)CJvC^mVUY zlI0&c%W-M!{>==So;jjqr1FuB$Fy?B+CZ!JHphANt1J%3>4!49nt5mvJB~&lJC&YC z>_yq{H(n30HF=L-+dOHT{3PYc;U<#XWptNWuCZ$j^vVqq^*ZS?NWZsA{fwDg#BgXY z^WQbjt_$8q#F+>^QD3;5SyJ47{iB#8!Sr2A&v<32D*eHp;lu}xn@;_(C(bS*q&pA8 zL@%6p%wvq-ra4bcgD=QtOzN)L0wE+NcaEO}y1c7q%WZ?cSlHQ?E$+TEhRy7f_>1|} zgoF9i<%9G2)bo*X%y!-t{+?*-&N}oLZJ)=T_e_>+H!BN8GLIFUP&-?yf_op$A%J|{ zg5b_?`*7vh&Fg`*k_4Z$njmjvj@^8MeW8J0utj_1&=tX*o&hL9NaBaQ08vtvI}ZXx zpBNpxnGr~PgpQLHMY2_2V3=j9(PW-lLVM(N_yCmFvM`{>^ob?4S0(U-wT~@WU=Yez zFL2(unO1V@o=HerKh&VYElTG?jLN>HCAF!^sOGSeMw0=B94bT(!&Kn=DW!*}ENGb? 
zjeowsNN%y(a#1K?{Axir;RU4*inx z1u^g8T!$J%I*sN<<12J<3q^|Jr3f2~vD0}cHA84$7Q*Cdrwk_yr$`tPUv+nD-J}?d zq?^8Dk9k_CdH57kgKygH&fsN{G!1nMvw0QeCBn2w?&p+N%pGN>je=Gz9c8YKf^)zt z+dJKMgrk!VhN{87y2smdqD$V6=XV=kVZ9|XxDUJc$Zp#H{cAk(o20q){sytl+x}JW zNbefBYR9`6_EOt9QuEfx7}dlY_4A3d%9Hjwe$5kxubND@928v0FDzpY42|{51hrffNPO z9FfIg8~lVbo%C`1E^o3G)gv-HGsX5&8L-;t{Dy6g@m90H*OZ6I3`DDHE(9M#_kM}+TSr}z_irhbY$)(}Z^{j?py1ZCzQBEl z62o2Ya$NVxu-7BF+K7Ecp4vP17p$EF4;`CRmU`eCm+quh*JRwSy8L3t@=jWNZED=8 z{pFrAg+eN!i84Fg;`ZC!v<-817 z7EW&*pbNvS4xFD;SmgOE;aOi`H{$Cta_mxueJ62sy- zl)~>H6}tM!bI9B@6bS0}fhJ%i_xU;k-{^2+z3^V`dRokQllmRq9>!W{BbL)nls6iR zcTs_d*Bcu>=DL*~t)&eLzQ$jm}1{8N%3@A~oYo-j#kii%lR&T}rFT2FCns&S*uG`ZOacdaYW z<^8lkk$X8a5fva~ROfbW=&PfgB)J`f(um}@qTxyGwQ8fJQdwdHLhpBy)WPfyGZ*G7-N zD;_f#EgGt+U~I_iU0>9H9@-~XPtEN6@VxKTx@byh>jbGbQIG*WFRq2vRU$coQzulq zU*f=rKFE`Eo`;CvCM^6iOf+-#L6o08VOw^Ux4dNlY4p_|2WG9Ba(4d&5snioTbvsS zX6;QI2`b0ZR2;c;C<)_Kip!r*Nc;Dibf2a>+|BO2aTC&?PLapK&qt~&M>=@ay8T?7 zt#t=xknr77VMdq5kv9p63C}_T$~&Jt^I|a&QSVd9jAhN4R^nKam#c!qlj9PLNS-oH z$WPDBjXqB86#ufDkRU!Ug~W^xO_^RbEln5SdEaAOnNXH0bfx#XiO??8ROyr-w8%%_65pUDmt;>5TI)> zB#?@8Fi{xREsZ?;&JMQ%xEO?}BhllwQXPBk`FxP)O7GnWt0Lix{0>4ZDzkwaQBi5> zIUyV=t^0$wb~osv$$BksATv5&-E~ZvZoj*W=pJpjF13B?v%$W!2yp2M$(V+j+fb+} zsq%G>kuA{klcu=38yKuDj2MtHE|J=nY9qTe;-aE>Kev35#K2x%CTjOBtwgA9d)u}y z!>F{b6S1Oh6Y-}ps&W~}0_B#cMRJU%tHeW}j9sPFcoS)q2@kKR(~iEr*@xhLsxls0!`hLetO>P-1K2^TfnOhtB& z?C{==v0VQ((IgGIR&@c6j!$ohlTDsc_z|vIT7~-d=Bk*7ehJ-5+VM$ap-5S#8p-8< z34g}3@hM!iQ1N1t?fttL0!ipun}Lhh=)DWK7ID?DY1Mvkf_ksNTKuSYY#~RrPlZrv zyH&w$jZ64lwup{l`Ig#|UYgG-8zv_`n!DF!D+uYl8y4nCj0vk}QS#vn5(O2BGE#7D&Qc5!^uX=;QZZ3~JLQpy!)^G`b$Al_9@~eN+C*QFe@G?OiqJCa=I4 z`A^z`bs=G?BMPcf#2>_@NNKKIoF`z(RDE>czK)U>!=c7!m{=(9?L8_Ys;B%)*)gr{ zHg8i@^1xKwnNpwQtqyZ$I=Xdf+^sb8ALG4Vr1cIzn!g-X*PUkbB!MU~FLp{sElDZn zc=bkqWOWK?#;4k{1s(e4g9}_eT=ta&Lz5Sb zlXv@yR%Yvhl=Tc=JH38kv$i=rGxDOig#MU|0}kV-qtJ+`B7^AL)g-~%cG0Y&{@L&7 zpGtqQ4#+l0$hgRVWBJz7Blf0<-aGgOy~iI@L)*XLs^pV%_AyAaDfmU+qtuf1AurEA 
z_l%QmD62gG`qjY8MU1nz6=dydS)v@Eb(zKz_UNl{w2*Bpry)Af_=!Dw)O^-UiprFX zcs1dnshT2h<&@N(gk2Z`|rB$OiYlCpzw$rXoPmI%QTH_>)FHvw8y>V&X5h7V#cH&uGpV4!VvQ9Zd zy;&vX?ohbCGa0Ob<6fdRrI!0x+rG)s&V*OG^$D^-)-I{@s@xK$iIEIq?pw`f=DH-z zwaUjj5Xz&b>dcr_J5vVb2!2E~O=5m`<;4i^bWM7IU7UBI&RSUQAx(ivYP`>RH>UTj z-|RWwEQ_|7tFT)Q63%Km!k_xg(#d^!WJV*oAvEgV{n6}2?dpL+tIUx>t3k9$J3Y^s z*|f%lH*fBxt$5AHNpl*)39wlbw`e;Jy;M=B0-kK@s6p|4RHxYp|Mu-G!@C-l)32)x z6D&fC68(ZF40L5{Iq2gR=aN>y~2JiIuk7A6p!8d3;E|cie++ZO=gk;ZA4;8zfLe(12t(GRpeOQI~TaGf#t*%EM zzMWp7G~-Dk$ZO~kdNc;t%OE|<*U^7Iekr``l_9U?4sD~+D0ks5>Q=MQ>SbMe`YMbd zMsTfN2^!dJ(;+wcP(R>0r=Y2~{;}{~c=pT2slom1&qKvK7WDLpvEqPcAD4^7C&Cl! zgkgg8zL|T$qo=AEY#oDh(p?u+E??|BQdp%wzPA;)P&;}8&81Rw(RSh09Gc~tcQvK= z-deM-&#p<*R>A&udU2)M{^~S(f9F#>!~W*3+h|$C&YYcye7vp3TQ9pL_Mo=$aTb{W^I;$`-TQ|3NOLiOXP)N}+J-P85 zLj$M-=Y02|Ro-W@CTUN5iPgzB80MZvgU^yltJIs7$xP{OVWoIAIRy6tNChV>dC3d5 zO$_N|pC!!X%GP zC7!TAk*BZcSuQF+n7^&z7Tje||9$l?unl}RCE-)b!tTxC4>(ZfE$dgTC2S?Fc zn?si4>W>xQ_-mY4SE)j1X6*R*4LmhZyZ8n1#!Oa2cZoekdFdYKdu@`YPjTn8zgSFt z(p{+4o1AUe$Xb+Njt|5{T>JznyKcU^kF-B?2zw*nZxg70+-D2SD*x^F1g%R~ErC0F zfqC2C@BNjrF*E~aVl^#{fr(f+3=Q1GB5h(}W)9r7i+}-l7l_+g+c~P*8yW%k2}_u` zS{Ru~IU0HZHws%gJ1Lnsird-P+u34o@&(@b`y8)?xZ3YCykFn0=4fc^WNPPV1A+cA z=L?4cw^#l->AOF){|1LtR#HY1=g=YGf4v6&!Py_h5yv4VCOJ+*M0)(#adI+J3Tjqb zYAPyf7}I$=R(^z#AO^VS@q)Cj;spuKi)cP28)Z%Xt7hhA!U_%^_QvkICT2$aPjH9{ z4l@$?9XdpYv;Pd|H1Nr|c-V9N@#pZ7L%4YOM}eKpq`--B4<9~+{qwK=hfXTvA10@S z;Znd2ui}Z4F`nHY!6Crz6~WouK0!jRbV&d6k&P)CV!tkkh%^Bzn^a;PS z^FB`L+T=dYG5whxnaR)m4P6^+UrZY2-D_;pnTMCbzd#269dYogfNRsk*ZSz@873ID zjmYAT)LtsXyGL>)O+6bx5SI}a9-YiL+T*M~b4FfjN6tr!dLM_+B_sGG*;PMIrHgk6 z9*R=2o_&t51#SXK{D)$~;??!=6@MR|!(?kp zk5f`=lFBgOI2ym_uqS4=yfd}qvhZ~DX4O&K<70Hy0`{(Nz?c93rD64Ivw0)*#hycs zx^>?@k=cUK@RfY!danvo`VJmwnTc29MEpjh+45xfALjhuePZ>hQQ-6x`va?8wWZf8 zA#>B2&^1GkTge>nsdgG(P>94I54ryDe)jM0L(Waog)YTvqW1FL7uh6TmU|MeLF*b{ z#;y?i=uZ)*w+BjI`2E;__mS4+bJ&ZGwt}R69N@l!m`wgn^A4c|JwwyB&07sTOa5Kc zO_`8?_rrgG-!c9TDI+fv^_RZ+X##D^sb1xOZ;+l}t~zog)r;xjV|f1ihJj0T)2yA3 
zwGk&wPbFL~eQapgzGH~kwExiZyPkjd5l`_k+0X=yx|9Cw{jlX2Gkq?az%t?v&S8CM z)$|@Tai`kZ_}~5P-`{uWzCOXcT}b|;;#JjV4_QQUTu9UKt@l*c#R)pg`#99{d%FDa z-w*z`ANz{^UC}Spbzg1eP1R-7ylR&;oNrtq=GE-r+Vl-!_T{Fd`L{p&_cvOAUF3HZ z|MMf*MgC_-zaIg1k>5%D$Rjw4{0ODrjsZuJpMZq}jv_x!3p83k&I$)KT0a2`2Q*qg zK?^imKMo5tT0hPT2M07-KS2vLT0a2`G+I9a3p83k0Sh!*KLHCgT0a8|G+IAS3p83k z&I&YIKf?+KG+IA{3%sKB!?=#eXk@yT$stzPIPi)GT6kkZJ1jcEA0f z&{`h*ILuTewX3)Hai~I$GoNMJ%N7wd_D!kLxY*Y6=<+F!v(v`9g~73rj-}k-CXmE` zC?+aqUr24XHw8bJ_|mnjvBEII0u;Z&&#giN84x-)0z3P-Q@H#a1%)4KNAxRK^=Q(cB9aJoU6XG9F%tk z_V#i5FD<^>>!_=jKUQP5~r~j99_?S9E;eV)UiiCc%Qth`jO(lU+qeMI^CQf!Pjz%U<5J5p6B}Y3WRTF234v&(AB!oxJ z#N8Rf^R@P=*l&;GzdgzT>u+9kca~Ch1{SKszEuiXYZs`assb#q&GXy2u$#5u*i}2f z{`GYycDIDHh82*4 zEskn$=xAbV1e8@32e$mR%&H8;+0n%W``N#(mB|Y%@A~^nnGQtQf~|lyD1-}Jtrdbj zGxmHCBO4;@RzR54*9R!X(G1XlfS5S}U*fB12|FTXqJJd(&4Rms-~a?G7&=+~`8BYw zzJ3dN7aI#(J0}Zg;5$eGU;Jw`0m%NcDmfDR&1$*dHr?OK(IVh~mZOF90x$kkvR;MtiUv?a@Q{ctAB;4s11AoTG$akN8(FIfRFQ z_y`#l3YQ#)P*yc`xZz02C@MzrXGz-Z;Yt^-%u6TLltT*19On8MCL;@8lZ5JhHnv>9 z$)s6FLtFo*Wnl4$WU)IOb?qs*6NCUp!hdIX@F-Z9e59H&l06b~m2y0HJTVBk#8G>b zdc>DDMZ&=F2r2mQe+2=8_NQb!>gd&d9QgB(o1;F1!8h}EEFGTydJRKKy<_ajE1cTt zsZ|T+)%@u%?w_Iio?H6i?f52ddh;6K&+|a3AXP9{!EOa6D=@EuqZK%?{;-4i-hrT9 z0i6}-S3zqH{$K%rTYjPF#W$mp}R&^1H`@6PMt`B{*>jPF#W$m*B)D zIB^M1T!Isq;KU_3aS2Xbf)khj-!yrecUvD1F){*2AGC+D_UQdjmqPVY^tV_6UE%4-9F z|DsH{7j@mm2A1QZ5=Vc@*LP6SYV1jfhrA1ok(z@8pk zKm@3-0l}Ubd%pjvfCyIf_X~(1|4#VdDIoG&&6NWML{NYK;BTAmZv{k9e=Q)w2mKEg z5JB@n|JMqL9L6Cq|E++?>E8;7{H21(p~FXU@$ioT6-1bU3L-d1f$Ac-hYtUCz#&{b zN~DUz;UoBDa0*74sPfrAi-&Z*F8^>zbw~6|`}=_qkq}kuqCz<$vIZOp|tp0D)pczoQ)Nx1lSb;r}UKaW7f>di*f zU>t=4$Lh%)T4)@@=FM74Is>iTIo#(`T2$=(PaY}{9=;P+!l~wR<7#FhF}M?i07k-p zWp}t4v_lJv-*~!Ne61-iCR%~B_?eG_$jAN=`q$PXzL7lI_d8n&d;}XtcX^(C_s)kO z-Eq=a^c>U1im%<5wt8uwhO@Sr9WC)iIx`Qa-!4IZ^h3UT+%2Ala5T-Of=IOPW+M4& zf!CT~o!+_c9{!^{NVC_M-cPZuIx^3tBhKno*rhec2S2<1qi_G-akwWR?+K2X2tSY* zcY1FuH(0bXw7ldV@x8-;c)M8qM00Y;{ehO`2VNaPo&%4s(d+S$|M1(tcOZev_Qr}s 
z%+@0cm##!0EULPU+MmC@@V&!-bo(J9eP4Q8c)I3U+ea(#^K%-T^B(SX(m(q4?;gh} zw>b6kh3f1(g;&C+67`l7Lg758g1&qBkM6){^WO2OZu8a+s+j>p7Yto6baB9}i%lM2 z*2Pi)vo4kbXc({*K*NBg02&4?1<>naDS%!VO93yCh|P>W;vLI^~hWZ^OEIPP*Q3&nzc?PM4v_x_}Gr1R;Qt@L$~> z*u9GtV`VACC`6ODR2w~4BpFthWsoM}pH9@o-`7YHQA*;Gdv0@2kHdz1Nyj|?&ZtD4 z#>n}%l|4L^l|k-B<={>b0vHMZ-Q8iO;Nw8viGI`I$u##ahB5u`lmg=YpX-F96MP2qssW$x?C4_TtYqkDV(Scnq2cfY1&T1gtO`JmRl$e+T@?Zjh(Vxuzb8vo z>042VzlwrkzxIKGS3ivki9m8=fG7k+z+ez03Il+HVkN>6+-TH6Op-E6s^2O?9#91P zWkm=C>MIrqFCYzQJ3tZ!1IM5syht=R{D&l=4oJd={;xrTBlv)pL!pomUN{T_2NVIX zpcp{mw~!=M|A7(j0YTrCDf{VGg9B*LNEA@kix-LpAi>da01}c91_*?H1L>l;gsSMb z4TnA;>YK`5KP?Ku3k5`dZK3u6AFX;YbZf^ ze=xd%!e2yxq$b!mqsmVU`ZJVJd{Au5{Sizk4C0%X`=?++Ko3azCJq0*Bq$IvNL~aA zf`Y=iQBVXLki~~hlt>gBf`S3v5rshinKC8Sl=LNJ)buZEsd2-;2`dEbfV^K%<}eI4 zdGi8c1jP66@}StHzzah{kQhKHAn$K^;UDrj;y^x!{dzt}0;3ED1I3C!0h#J6Hxv|z zc|HsVg5<>}s~^&JAf>~9J*A_uvM^9=%|9eBpbHoSu{8&QzR3$b!{$>s3fT5XZvVCk z52SP;gaHi)G$9aI2qYiS@&2X=$Qw|s%KwX^0~sCu>lyuPYT`qqF+g2J-hZ7P z81ex!K)dl_>m>e5_+*1~W zM#Jc;A{S>kwlEiRuTmCYH#9KKa-bUGvGfHuHX9Abmn0xa_iOa4}&Tt`H>U^C;lBmM?AJ24FmUSvp$${09_`(x7z2M7Ry+yfg;pDUy@)t8wlBu7oD`_a#A&+=c4aRVhuTI{OJvaN$2_d_^qs~zKpFF%MYT@cp9o3 z*e4#Ql(}29*eZJQTnzqm0x3!^6`jf_xKo9g zSdM0;&R9In5o#K$nJ4GpO0z;^q@l!~V{I>#>jk`KP=U6NQrY$qwag&{pUDFUDn;c(+ei4ZnWdEkhJCUqq1~ zU~JBkBR+Yau|m1+nFe1_Zj+aJ-F50~Wvhb28_}U6!y8=`@tJf{rL#|thokDAJ8$MR+bJ|+p$76qI(s6%z zd0zS6NY=34<3}z1q*14}xl#s_)g==brq|%=NHBaDzHF= zY{F+*Ty47azU%PNnZuBa)U;L#0e4}WS29S8D3En>jkI5;uS}hlwlE@U5lxEo@4p}{ zF7!6w$StNsLFen6_`$(0q!VI{p{hC8&KesEKl;QUbyAxwe>_D6l9I9(0cRU3mQI#c~22`djUXnXi~SQUo6VVp~7tOp!lu zIags`CNRk|hU^~sg6Z2D4e7VEm!)TFMyXmW>Pl`7iy3OeX&a2};5_4mVsr%Zh)ADn zn>FVm@!YJd1tbG0G^a~8JX(UXY{H;?ac{(zA|K_>8^juJ+(;H59n*Dg8~#YeBH(tj zzOUeTvcUG|4)(5+;34A+#93#O*##QQ`M1^6KJjA>=Pc_|&mC&=b!h=n zNe+gyt0W&;q!COl9R#HazqABsCtt-KE}!{W2JZ*w?yd5~yyW53J<2lw&h}1%cbs)! 
zrS-}b-Q+P1?(wtYJIGfwY>{oZyUiKh5-!pU^l#)uij7o{U(qiYtTV7n&U8t%zV0@6n6_ZecC4>H!Q# z6V*H(NkuzPd^zMotm^5jatyef?*tA}IjYAS4mPVD(h(!ifHggfDL)x;DPyB5D33iS zrP=jT)>w-(Ud6dPmlAuqUXjK3mimyf-H5K8egPD+4uf$qS(8{lVw!PogFlkaYKS|d z)&oQYLqy_he#OqnWq;--WUHVd6W7d@adJn`L9R+>M>-wHwpR~%?g!9iiXZ<7&rFtf zEFBI~L_f7mJ*;!SxJnPxhNBxgqNY1Zq^t`gUedia3V&33Dgc_y>NWMEkFVopVT%~u zZF$69pKBh7FVqFhq$|`pS*GSH_u0;0=(!d_oE>hw>iFdoqd-(^lT>=!wWBdY+u|#J zY&x<7Rj162RJ4vfoA=6Wdim0SHeqok<9(bd2Un@H$pz|ECZj9f$4-V9GWMc`G*%uY zp|tt$D!q81maHkPkESx7xLop({F4Cjp~^*0t)pV>uUx2bIkzJ<6b>6W^A&z5Rn)7X z!kw?FAkD~&Fgo(i*zrzbEvdnP;zxSX}h+~iipv?PNg%vx4%#{&FKMwF#;j~x-FRIQdhsoEhc zsA^a#pEDoJ_>!4@R6FnnBEe&xoyY|Of9YTI3EHy4b!1L9|CDEShehV87$W>n<*Ox6 zA1zxIh^2?L&7d&KWnv;*8pkpiRG!=>QeO&Xd8DFWftmDq@L&SDl<}#)W(%E{kh*jI&8uStiLxcKV)An+-2=uJZ%ZdJF5m|_2J|D|g+P+XB))beTee&SVs;xv-q8BIY>1}N z;cO-IJU1r^h2#6W`SVs(v|CQX>$AFZs4?Fh*@-|Uqj0xi+rkw)`y*O9Z0iN}uX|}O zu=FKMElb=tlNJ&61kOQC6E<}zLee1;0V_i_|Y zv|ji`iMZY*%W^tFplTs#NS!6@Lq0!YiMPvJ=_?D@jtmVvHpBU}CPeqK;O)654}zm{ z7S@IEjH?!DE=<;`=_djW1`mR0B=W&)+p>gudf)IX707RdaFspCs=%-7o*;L5+?mva z4k&-tuw0~0kkU{Tmm6h(l8UBQOI%ZzxxP?9F6FKs3pBSnc}8viv&g!9Ss>8Z3A?@3 z$qlyifpfYF;o0lQ@I}ezIBLe6t~riAY5(e`VV zNm;*T(g#-LoX05TCxgcB5?A>6IU~hK2z%RU93>;tNhP3+w++NdTM0$;7WpJP2^whv z)2R2`p*~k`3FHeXa=VC)(l4`z6kII2WZrb~(YRo`T1Tc{+Hs_q4$DW+PEi;G(fsy+ zC@-?2P0h%aW16`o1w|5J>em6YzMev6Y>GcjBf8H#cjlFYY`3D5oxqD4O93{k+2LkA zRU@%v0mMkvppt@@rVyDkaeKe4-taz)9psH;!+6d~N{OsGb7kn*J8^H^UG!LopXoVcF%2Jl8wPEjkb&tS;MLGtNmBwg>--C_1FVFm=i=N~^L|5Qi#NKf(x?r=% zrE^0g)#h;2N8nLm%Zv#yC93<@{^dr-pVCAB6-Sr>qQYL`aiXm0_h;-5^V-x@P=2^{ zMwQ8Jt2?Op{^3`du9qWUhqHOpQ5++F?ig#6$IS$fc2KbCes9zIDI}O?BAjs3c1K|G zWLjH)Ov;1!l8Zi=~<}waG$Z>D|NQpFD~=HAw=iod&uD;s}xPIBF7M#pUAs@2;ZSHWmq*~yEOE2yEh=Itu+%}F(%+mGpm zEs_3DXpE_GlN*iqVG$!cRd^ZO+9(- z<#->Qz*WB@HyC-lui5ePten>(vREBsp!Dj4Rz}jt8x}Pg@>AYIiOy>GC+Oe2HGFT6 zTeY&X)UojC(}L7#JhL2&j>qIfYz?}l%1l?TE=J11ZzHl2A%v#VDABzU0)7nzrYjrx z?-em!k4(`nF9QlAmO6x+BzXC`1!2+x)#q6Y zFHOWaXSbNu^V3}0eA&a-T?_>!7x0VS=bi0cVhbsW=kuGIFuoJdJ4NlP9^;X`P^_Gl 
z*SykHc*ffp>9qCo^7&}#i>+-eOl!~6+cvwzTG{Q6+n$>%bx|GET;|Xb)4vl;swhwG z%6{rHCHnL`b`Qd?aYRAv+~G62F`^&wWk2UPux1WlOl+QPkGmRaB2{Ir7%biT)^1UY zea$_ile7K~$4V__LF%2h7sIh9gy5msLvnUk*HH~IjRwP&6c&9OQ$6j4yZ}CLJ_2Ni{Z)b(jQKp< zIX&m*5JL9uZD7Y1x73}PI*Uuft2fnl+cL2Y_w;a zBJaUex&n4LXU^D-s}8TduW`>Y?=BFk){4kF0y%wcAxt34)u(M zUvl?ZL$MCKt7Ms(oT)5jb#&J(@nnm6GisLV$63~wtuyrLS|?YOc8PFbSEQ*Za2sz{ zKeOx{xRGM3=rq>0N22_sjJ0GIq3~+dGX^FbgY?jcgbA;kCaiONzYM(T8SqN<{PO(0 zSLR`73S6o&44tRG+^Dl6&6)FXuBi7(s4lJ?6Ob7c2=RK}R>q4L{bC+Z(k$6tQ~Sv$ zBsW*nlVfprr8T%hr}#xPI`#~1@@Bi0CV9EME=bm$YLQT6=B@}-`8d}vN$$_XKEKjX zX6eK#)=n}6o7J*(EtgSZi`s6yJE(KQ#yKs9QkAQ|sG!oH|NZmFfv%>3Tc49PLboDr zv$nU-GrcVq@pK8UVABc5O<9e0tEY50LU~>rJrw0$NKPwW&DVRgH2CEsEmS$*8*kOT z>NAz?!k3(`c{?Z$Ro8c6^h6So>{WK8*H&0QQoJmAevRkkV=wBxaO=jZi(8lAbK003 z{r1u?pLPQmUwcK@J!{|J-kw_+_Vry^t7Uk+`FT8C#JcP8-p68wv!72CH*Aj1t&jN* zDFj?{%IZq{a-Y7Da4^M-d9}AOvo9{mR#sk?qb~A=g*5@nvuR8)hQ5CC=xwialb*S~ zZ8d2|)lX*7sxIhzmPilo`l1MO<7z84vhFzr<%C=zRvUiO-JsdBZrswdo}u}~=J1La z0=QzPsGGM6&K`${UC5`n9l4fE_9`$s{sU9_vf@p>uEO05(g59&sJTQ9VL9NU2(k#)XxSiXY$Rs0w z;P94$$Sp5L)$I^Z6Un-o%iaNV-EMeh7}M5n{ehFk=g98b)Ee@oZqPJ7;kx{6DqO^e zFa4r)hW6Ml$r?Irs0n|{^cnQXYhlbIWj;FXKJ#fKUp`t(=>fjZ*Yt`~0f{G2W902p z;-QC4>=ZQuVD>GpE$a1UuPw4D{Ai1e=A~@oAg@jGyXB^moK9aG>=|RWr+)uJ z-21d;*GmVhmi)Us^eQNgXLpSQanD4x2Re2#oG_^qVUB0wXLc3uq49T>cX>1#`(Det zJJD78lkVpkr_YB2{5G{NZoW$uthxIRCsM>XWh}Pm=2#>Xf2L4#)a2==SWUg>i>UTh zrAIgIpA>BWANI}!p33d}|Ho94iWEw6nlun+9uS38l6lIQ;TST{lxUJqkmPf|(=A}ulP_(g?x_n`%$6I<`%)aV3BFl$bOy-%F zNj_T6e(#HKK;t7hm~YF9c(8^E*5bdfD~`S#eU0K$RM@6~0%cY}Ef(-&v<4-I;+oAlmy?5Q?wq;v zxw&}w*DU7e<>kk&SS7ed0>42DyunM}xYa;;qrA>$GDX!+O~=^O(#leLhm)71xu*fm z(rok()NFS4rR)bM)OlfML9Q|O#WsV9nU!TGsPnQ4)Oi7IQ0Zl?p9!nR%C->4%)&jN zXMyRaWfRK03=Wja-RwENSGoLVk0kstT?QE;<#8y|(a!$YEl;!WIQGc|H_s+nRz@vN ze%WtPm_*vJ^G0WJsJ88%bThaS0{M43!Pnt6qR{&5@qZ;SgUUvhlu z^ENjB+6tyR?jg7LEjh(0A4^Xv4HDoF$lzb$2d2)Y5i*kE9Samp9ka82kKXr~xy@xe zXI|1gK?|O04`Iq>nLyI)**x4siq7xVo`}H;}&^${6R^Yb}?mlqM6ySA~_^wk-r7+^>mt>UygXqtQf7O 
zLHoz<2Y$0bXuc>Za7)YJMZZR&eYmBd9)9lA^(GcYU9)|RZ}CVaZdml2Cmuh{x=`Mo zY@3*QturB{ZcT~AO$)&@db!1?s(6QTY=ylv_u$6&{moW+$kA^5YAqMzN)^E@wP-i1 zr;?ZqzbKL9^@Bbyl|EegX#Sfg9y^RFL6G}pU0PymPGXFtYaFGs?2NmK&1{m6uKtJN z>ya&L?T^Ox{mll8vc!rTcWGM1zFJc59STmBahUGhDqh>v>$h9Jn&6A#%BEdrYDTo{ z7Blyvq_ZQ5o;}Zlnv)dhQKZ_?#No-OT+35i;?Tco{Mcc0DD5EyJ*RYt!+Vd;%58|~Ib6CfRAJ-TzQ5U6>{KQgT(d6K=F8RQ+lqKNEq=ujPK#fWnYW$1k5j5%o(n zlRBV?nuO!mPoRkUHJgb&P()3nF-04Ss43t~?1Ca{B8^|Sp@{l5n@K%TL`}l+>nBh| z{hH0h9w?$F(wL$RMbs2$KqBEfnil_-Nrf5PDH3giBT~I_#q%lPs zil`~zOz46lY66U@novYdMQ6MZil}iGQ?{Upni9`=ClpcRET(Ef5j7Q^34KsRO@J{~ z6N;#*=#2M45jDX$yP()3MXS@@NsBsok zwxEcb63K~7La zF$fB-L@@{oiYUfFK@r6mCn%yA@Vh|KuiDC>C6j6+Ef-6xBa)K*S41$6p zia}8SAK%Vv`wIS&zf3F7lB**d_MB5r(70OB=_UaizlKnGZOJH#`(^bg3YTb+uB9T7 zrFIWg6p*-H{@ld$3H6*X@6()ff-An9X>nZp= z@}km^>XF33Skmgm8$nH757)ev$XNF7aZ|@yZ$6n@W?y0-G~YFqxvFerCb+J@!n8Gx zkI0{Sld$d=OYm)!M&@P_gjmMYy{f&4q2p^(>v z?9%6yE|a>{eYt0jLA1A_ku!@`Q+qx2qR+&#TG(niWq z@9A|0?}nz_ZQf}0Ppd*x&=|CX>23}wDRE6NM^M-K$Ewf@pjb19xH`?n!Ohu>=7I*h zsyaKEY0zBJ`r@kc3TSannx`vTe4Cw#B~A9*qujU0ZH64;n>}5(XtsXt+T7j2>$4w~b zjVJzd<-EaAktdM-XUlod>|@vbR?d4dC=?E=d5@Lr1`~p5#!NP5R#44*4XEagVwuSX zdRe|r6eeDEW)@bq8QerHUd_q*zqB-hB{k2=dSzO zDylb%%652FcHT>-AYpC*Lq|@v(@eaolTHKH^u=(OPgO9>;}Igob?a0IFw{pqd+6Bx z!9d=eclw`hS}j%Sy_$D%BSS|{u@lqNiX~c~pXz3eqV_ao#BKcG8>}oie~JSb>zZqE zzUkV1(}&l-Rt={to_TU;w`2RXtAV0ih%*=N>*HPTTYtO9>X}q*vxdL?e#Q*?^CdrI_~uzFf4x70Jxhu=Jv8=y7-;-C<*OcH-s*vh#xgX6$NqY^*4@xw zp}#_Zh4B@}R~TQR9)NlP>H(++pdNsF0O|p#2cRB+dI0JHs0W}PfO-Jx0jLL{9)NlP z>H(++pdNsF0O|p#2cRB+dI0JHs0W}PfO-Jx0jLL{9)NlP>H(++pdNsF0O|p#2cRB+ zdI0JHs0W}PfO-Jx0jLL{9)NlP>H(++pdNsF0O|p#2cRB+dI0JHs0W}PfO-Jx0jLL{ z9)NlP>H(++pdNsF0O|p#2cRB+dI0KyaXoO`Y87I|;_>IC7^ile2;R&RA$D|YgZQ%*x#KIFq>_1p|fXVJ1{Y`5Y(O6 z7S33}%gxHO5~pS|f4uO-5a)>ktC3A_;|sK|&U?9?uRI|oNIB*fR$|Y~{EjX&9{3c} zfX?uLX)YK`+@t9^4hP-vv^;^^@V3KNvs|Mn%SBFNuWpCxKZ$SJ`0H95 zjP)>a82QxO;bOF#>@u6hR@G?tc6qtpn|`&IW!p<@iZ5#v)$X`0Ma#dtyMBX%Sj6;8 z)3C1f`s#JF$V)%qR$I`W2s{14l$PhcXvSXa6npuJ%Q%oCRYaUfwY?GZdy+i+?`0WH 
zzlsW1d|OXz`PvqH;hGp+lVOI#(%TW+^Y>3-2t!@W3+@fydqtB<$**xKFxY-8rMc=u zhv)PQ)W}A}-i}gAICUq=-t$R-d*!`7^@ifpucpJU-uJ1`I{d?J9=lTLy3lo@>%yo@ zk8?2UA{b!QMJPbQfKY&f0igf|14036U4#PEx(Ed*7!V35C>Rh5P%t1ApkP2KK*4}e zfPw*`00jd=0SX3$0u&4g1t=Kk6rf;0FhIe8P=JB~p#TK~LIDZ}gaQ-{2n8q@5DHK* z&?!K{fM9@v0igf|1401`2803>33I>D%6buLj zC>Rh5P%t1ApkP2KK*2z#00jer0SX3$0u&4g1t=I03Q#a06rf;0C_ur0P=JDgP5}xA z1OpTd2n8q@5DHK*AQYfrKqx@LfKY&f0igf|1DygC33I;j_C>Rh7P%t1ApkP2KK*4}efPw*`00jd=0SX3$0u&5%3Q#a07@%N4 zC_ur0P=JB~q3~D1pi^iz4E~(xC8Td!U%<(lzyIM+ZyA4$FK#A6U&_2)!cQz{IgOW5 z6YsmKAk@P8^=8_Ex6g}a-rc@tX^-gnz3?fd0iEIh!dzJH(58M^rf6QV7vEZC!sXLE zo1%S53H>4pGW~6beV2dsicJ`X1E7v!QQuFxe<{SY3Lk7?Xpbz}T2LdC9 zjwPFnsA>C(pSWuL`IFT>?$B;u)oDqTKM(#zaVNsxmk9bFEA9kpHz5U_Fz89eop4l8 z+zCSjeFUVq6Or@}7Iz|!6?Ygwf4LyId}+uLx6E1(G+;<66T<}_!tK2o^~1Nf=a%v{m>SS(SDK&4;_ zBs7_b6(eHsWE>hx#EDUOWg|J>0?BrtGf3>i(vlEpB<&nRdt6$?<35NtTA7+_=Ra2TYoYIh?6Ws0?9O? zjn7UJoxIbqh1&yar z5n^}(8ZnhVz+-072UAmJ^N*I1Ct3DGCi;&pn-I^46yW$o5Y^CF9AHNvQ!zL+kxB%} zz{bh8ZBzfzG*FsuJf4A2INia-k%5mB2qY4E+%h}{2V9TvOS^u`j5^7%|7s2(;wayk zje8jp_}gS;Akbn#UBJI20OF(sK$w04AYibFM`6)K(D-vC2{;09JS+)p!xH{t)i0fl zI4K2y;5hA(1ep?~02~!fz+uG5B;a3Y92t*{E(MDQ`h{W3CM5t+Lvp&7O>loan4?52 z-L$cQfkZVNV(ystBSQ)5J^pnlCq;kae zOtS0OgE=YsgUS8hM1}<;_orzD0E$2+;effMzaXQV_S2+EoD~1*LUOwCAIU-#93IJ) z6o3uP1T+pq0W3*aGEk<7_knF=!>J&rVXUF4V!T;bQw%HilQ}vm6A-7L39!I~?-l|P zMEqtUU`8O}fRdz=0li5UYN{H`Z`1s>g_AM@kOtEoUosLzs2DJmSOVcsghU`$k?|#g zln=!HpA5%EE&@?bMHKJaUgPZW;->-NI3j5&oHF zKO4+RDFSGP=}rOM*kF>7fJ-5RcsxEkLE>k0a*`$`2oRE{YZ)Hs4`gzZ(c_lkL6`&E zfI9hwWj`OxNtuB({mg(TAlV&6kBO#{kXsiV72H+*9NN!Db5cSeO+O)wk0!7X_t((` z95GmAgvWB~FGDR-yn6f&0ZgdrkLLHOIc^!ANFQM=3BmX?%YHtZld=G~<(RfUNA7A~3(*1peHzpA05>QU)MRKLd;pCQ#i!Oicm_OijiHlRPN{kfxsj@Hia6gC`^E z_Pb@soB(TMAkF{6vY!qnc~S}>{TEUI@F`#h@Tm!=k&rb%90lCd{2bcPMsrdEAWujD z3f8u+V6jnL!Pdl;CQmbSFsE^dE79yNU9Hd*a0@(M_1!bN$I!4;@OJQhnH5CSMfqM)+MB8W&KMw_1K8BVQWrYTpD&l zVgKA-Uw^4Lz4{MET$w^5t~rd}SxY<2<`V9^Nkqh!-OTo&)_e;U1H-MfI+!!OQConx1#D6mziqa{wBEi$ASjdz%T>il%OCe~N3$#v^yUX3tLi4RR`R__~8 
z);EuD`nud_QN}=FY3Rphe+P$H@3~ci4I?Lg(5zqBN`%y6N`%mc-h%?`JWd?T8MxAG ztln&=R(3}?c;<7y;oRB5l4};f=#4ntsmgJ6>G^d}x17q+Sr?IeqC)Rf`7`%TLg;|< zq)l&awK4+^NnMe9tUK>&?G=ys4;tCm+6olaLt1yAep4Wit2`&nd?jP!s<24*^V+$0 zo}FdSBs3nsq`6~d=gam1^BZB2#N!8oPxp0_h&LiveIg0iED7F=n_=MY!Hd5G0lu7LFczFdP*dzN5>O>yM(m zo#EzBdJ|?)jOsXN;ScXxv3b_ax7XFTt~fV0@(77*$0Ae;evT%^s6KhYE<(1P=GudS z4qdOA+%8j_11!7=m*w##3AfLc>qRP6ZYn$ZU?wg}p2bCX)yBA#;59+wA_v5{Y`1F$ zgv7WmK3BR!i1$Ni#O>z-UiU6GFek6|`z?pMs?ECf86Cg_tfIAAkFq+ZZQ6%k zyiW7k$J1A|6LU4fXO}H`wT|h8P??m3jleb@;x5(G9V?&9vOjWdQ>E2Cmt2=LR2eK2 z_?-PwN`yp!#U%&5)o1aUy}81Qd*7#`2bmV0Rptqf+3vvG%T+n>(LHQ=S#*Iyy?oy* z;drfLu2a0ZN?u_LUT@9X-0?^hJ?ib&T&23SSUXSTX{%QCwjC~#qDszt*Pm-Vz0W-= z^uThow08Si>5GY%2A_$nYm~crC3UXF*|ZVDoZ0g4K0fyK8Lf-;8EP~Z_m%Sbd{<@U z{ZNCUjtduRrB1BH`81o!4fB$gjWUee()w{CkBAijO^B-n87IMAi z&lQxrWA><!BHCP=*O0xlYAWSRX+`Uh>B9Qp2v|*y-@DbTi5*L#qEY| zvy2q4s~7JRk8~ch3crA(@d6iD{e< z7ai9jSFPDJuyNZ-gSqAxXZp%tyfvfzBzo(h{6`#D{#JSU58LE#EtT4_Cahb@yJD*< zX+xqPt6;z`!OhA%VbS_~jCZG;+$OLd^T&mi9G1%{u>n=9mM^wBR4gyf!?Gqk?22Oc zn~qZzxi*_UqmJ^=5+1$maZ|M_PBL(lCuhN}Q~NPj9>~2wvp-91R0`N-7oDgpWTnph zEV1j_eE#T&tgztudYP2s7+FnOwpmOPULwm<6rKg!zflTITz9s!YtgI!jnsF6bUWnz$-DoS6 zvKSk!S8zPTd+{dG*30T5jTUaV3fEsxE3nJ>w7-VfwO)ut3s<~rEzWjE)!KI!T)cH> zB6-(qd~C39NWORa{s+Ba4+80KN|PIF>#CRSZYTC0JYKsdQ}ytWz@>`E@4UprFR&?l z8LwTtQ1L1{r%x(#qhM3tQKwC_3=b(N_OH$MY>ex@c>A^5O~Lrx>7hnCHqIGb&(GgT zADnqmpRZF2!{=wA!%y4U~sd04_%aSrb& zRegBlK*I7rzH%MS6ODVxPQ2Xbn|a{TdgAN1?^!R1?)Ogh&Px1fqH)F|M(ct;pX^yL zZ9jn{8}0d-GtAmqI@+F}z87%ojey4Ub@QzB=j=^?8ll6lP7N!cpB!xU`Jwq^r9A4o z7LCQb2u4SF3yTA#p1Cd^A>BO`l+^r(=EJAeE+6l2dn+d$yJ2r-&iulo*w%Hg?M*k< zu36|5rPS>l4S8 z=4Ees&wqG%Mu{L?<8UdVBe>wYz3@4luA*%+XEJ4xpTUE`3f*(!)rZY(eXix#8cC7X zvOUVaxNXt)(4z2TZI?6^%jYlXQ9?bW0oY2 z9&e34!KVDtBKJ(V$~&XnLxVl>vuEUUSza9(9;6y^csBPvF;I<*PgxMZu6?ggUSO{l zTEKnyXpWGE#hgUT3yVywzsd`Vrg35tU6$N`{PL-q=qouZy(LPGd(Sl+EqHS9@VyM4 z1IsOX4zWt32bVmGM77p_d?j%z>qE)Bho9H%imc1A)^2~zs(My~Y*2S&0oI8B=-n#) zYsd42H^-feUD0yk`eQGOWnuJ8ZvSY17yGAPTuvwY(9W@ajyJVCU6#tT+I)?k8MY&; 
z7k#4N&it&^$-^_lST;tzKbnssE>Vt3%(_%K$R3y!d+G+4l*66;PLV^R7mdF>Fde;D zD5~P9=ucaa$iMT$f$h<&)+zTqid?Ft{G?`eXx96EIsU&S_g8A7- z(}Lug5gvHX;xqk}46DeC4_o%SAdz<3h3bVzc3h~zzH#Rqr2A(?8B1JxlC6T$hne@g=ZKM1 z#CV5J%`trVrmQeMqi&60ft*of^_|E}mtt%*lkL`W)WA(av{Nrr59-SOD^g}92l~RD z=M-&iv?5Xb_w2mlEY9a2v-i;ouNK86ar&ntPF27BqfSJZZP_Y`JuikeGJA6IK1G^M zx^=A;7gnkkowMxky~Tqf?+Rol>!c*G02O2LFsS{lQ-P= z>CF9%wX<7OMLeEvCGg!f>F@6={i4Qu#4q*E<#ij&9`rqS;j&%$xt<#$}xymQy7# zX!B}uj#w?f{41C1qP19a_iqzFLVv+c?pY3wdHY1zXXtEOVYj1Bree-%)7P|Hr>YN0 zkdp2vWHe@m7Jp1l?!rdj z_;fJQnYQ>Lf5n|3Or9LKMb`cml9haGZ>uxE`O-0@Uvt-l-K%n&Xe(b3Moz$Ft}APD zD2As@PGHyE^93k8_i84K<>j-|gm3YpSkEQxZgP~5mOm39)t$Jy>3UMk(UWL=n7?5^ zlWVZl5l^W*vy?8I^4^ycF$q(y-!&^BCi=#sj_R4bw3cBSceMsd)P1jF*h8<({GCbz z6(P}A)U-Bx^wO5k?QJw3;CWU3jalHf z=+L}GL40`}EwNtyOydQ17gV3mmNVCGQFF7oThkL(<=$%$e5oApwb-ZmQtoI-u2b6^ zT=h<7SF4+mn0j~1$CXEp^H8J+u`@-FuVLfTEs51y`hp|0dmI0%i>jZW#fvSDX?Zy- z^NB@>IZvl^_T62XG?5$URoA?D^VC-?<%;C37mk|R+5>KV@^ja&lol$#o)US+epF?a zXT_N>!bjZaHM3akbB$G9Dye)TG{$_5ZqV%GA?kfCvYOi|aRJ_hYlrM~>aSSLlHHmX zo#LT%cDs(By~dS_)Mwos9-I$Cmc7J$yztRw(T#*lvh@nSAFB;KiakAZXu{ao9 zRk`(^QIV(k5iKQwC5saZ3%!qtWCr!v-!^Akb^_qs3gW#h}* z?7_qQWH9V(!upy|oKJ3q?>p2Qy&)#`lYsrrMRn>5zS326A?3;JGNQ4(4{8_?FZKGUQQ3TmlO;vui)-EEiWTe9)fZy)KkTcu z>Je=}#Aj)C$;&0qAh9`SINtS1aCCR0mBFTWf$z;b6+LuF+;tm^4+>viQ0FgO-F{%L z?Otu~Elfrm6!vHg?=H@>psir3;W_9KS0s5+zdm5DfroN(!-5UnoDHjD-tPM2AZA97 zxxR-3|2sV?k<~=KK{E+rr(LbB+fGr;ll5tfm@i;0&oAJ4Uy(wYAyWAPVvHuTqpC}-ZS;eq;Ui#k2-xt}#a!MzvC1$+l#eVN=f7lU`7X0#dnkSnzC7c< z6Z7WL8QZfahvY(%!#wdzoWSOfR*{Jw9x5Bs-2PY>{>~$$yR#LwudPQTIiY_+fn>da zzB5N_z%nnlf{}!;qkEUe-1f|Vz5n^?3XNsEH)5-ccM1fRGYKf-&x|LsY*|ct=)-Dy2K@o+CBCLD8;j-B^4j$ z=vKeI_{#hAM{{wn0JgsJBB?72V)sdesqMIaYFP4pyRb)6w4t3d+46d$eb^lASO2_L zA5Jqv*7@PRvQ6!Sx+@#^sJuV(tm`x17UiAJ+^^cBoqc$t_PCUCsqSCw@pz$*#j(NS zi;0{&W%!#ln5u;b$cp67v==Lklx?g7U)yd;)B1Ktm*4?>ZYX3~&Ywzk|I>>7_4biI z8HbLTKIrH~)mum}xYRtju=P~bp;>8n%QxMcYv#4wkw@}=+uPHF&vDdn+=Wc^tCI`U zX9ZuciP!K_ob#BkF2_6RAnks}fZ>x@c*FZwGY^}_-$|=R8|~f^>k?(SazQAyBDWgr 
z|EJ%Z+%xpqdB=?1gR>FbO3L1O=N-VNWj|+6yX>ZY8R7>@X3BEh=u>EVRq!T7-h(Zi z*}qs<* zMe1E6j9>R)6L)nr$tOTLR7U4Pjc`}POow-`gP+Lm%L>9@Omr$3xFHZ_e`{W2kTzE^ zvxa@SsOKG2wY$)d+zg|%k=uneTN?wJl(~Pz0&mjNk^0Wt7GQp0@ob1 zT3f*@%UKydvzXhPv;7T;PJkh*}<8_bgPbF$(qWMAAKQfIoV}K z|C#;8i$;?Y{|G2js_b~8KZ@FX{?)PP#16ZYEeidoZ@UieDW7@L-r8Z0O_AT*U`?f? zy|)!S->f`k|Ik)8q=U$T?PwiTa1z!`IeYx3UWPKQ7E|=K_HfDRJ1Gle&TQhX%4~@_ z_l9JYU&iStdduROCKEYNBx!ljx@Hz4+nmQT$BxU`yN&eb-QKP2pD z7pt1F&8#HUr)haw{|(#d5Z(`55?n!a>~;?1MauadbT>!yCLlDd531M8*WF% zg65X7Nj!bNCP-}c+u;il)PV;611hmMcLzO8@@&0~6}cunw=Burw^k|pSVvI7`Rt!XLs^{OnmCJ)K%9XfXpMJ8oB#<)TxyH14McV?5 zklE&iCYpt#CQ!bT_O-th9xAEGlcGqW!WfK3!!s1AhoFWfoh);a3tX ztG`~pePC0gOrhz1G1fyaZSOleG*HXgt#7K|+K1*_cVXZ0)*$6KPs0`#sCn#rQM06o zPhunHLA|~npFFMk%H@>!vo~BbiX07eEuJ}Ha#u4g!W)_xR5pl8^k4+bGDB{CN!yj= zl+a=*q_e}{?!`?_TAPf`zKE~SV-0Uwy}6aX80&*EAg?zPH%ishs_`*hy6e7m|NU#_ z2KCR9D|RjI+FqKfSN_#UcfGUi!K+;lH`LuxjJ>E~Rw;L@1Am$)YKcQmar6qGm$u09ME1H3ZA!w2 zOJ7Dftva7&uc(K=^Nd}-AcM_0^YI<_juw$-XFm~HzkpnGEo6eSnzUbD&ZqJzg4gcy zD%JY5*5%#~SsRTxNm)Ij`vfRr?29ivi`bujJgNIqut<P}YJsgV|!E<@Tq~)@^^fM5ODf67I~#aFO1stXiU-h&Ru!p^g~zM0AG71d-uqv zT10gAr~Jp3!&sIbBBCyrqu-QEtu@Fwf8OHpYsvkI>)H8F`bW0Ox()Gvm35c+T4TLT z@#Vr-J1(5Kn>$DDiaU^>Ake=wNZ~Cyr(dfl^kwO(Yy;jK&4QK!FSHG+)?6XKW%3x| z`2Mdm+YAKz6yX!0dfDM4m06t43CA9|Di#aPDj$^j)QH(7#A*{__=V``zTR<$B(vpt z715h_7S$e&da%P0e}{>Dh)=zm*XLPVZSXrM{3VeKi#M_u=?1R3|Ja{;J^Rgv^ zeA$l^U(S_2B={PCNkyFSe$i7-=|hVe@vqrqnJnKgay(qRe}(sqrx%8_S5TTPH(u81 zevjW37;D2;d#vR0o$N;T^CEq<2c2e|PulqMC}zcei}|gGlG~YAufr={l|=REqf!z) zQq3ze*C;8wXtk64X1S#T-5x0@mlKm(%XB_t5C2C0EhyI%8Rm9NDs{Q9DXPbO_J%ai z8Qpin1dD=kYWCp)yW^BJ1!xyvVObGb30BLxQLbFNj;a||{-~RGB`AT5 zO4EFJCfaBXS4Q1Y)|ON*4?iD`f&18-r|+HHIwFSZNiE@h?!Q?np={0`_jz%a{_FQB zEGfgEThsjvf0lbgT;zGntnR!4Ug@~tsO^j2A8_Y&FPPtE<~YNy_T_Vw(9QHmctP#* z`v*$fm5=(R`j^}YKX6lz>5xnE+8IOZG&s@Pt&76V>&(xma~wWUzK(JvD)O+(J$=mw zCQfB%lGpV(;+ytIsfC(YR^V%c_T(3{udr7*(`a${-r3hphdj^Oi&!DgxXCN@=Ph%+ zv*^OZ;tXbcX-r=6skQdU{k-h6KvN5CE85OY#?R_&j4%AdMJv)ovF^2nrCx1NUy@Rq 
zW~<*U+flzvw!+@;o_E7bAx)$GiUguLSZSLF)= zpEfN*#~C~kn`y4&=VN$=B`rzz?pjTOBhDM$weFa;$8ove*~y`CTq~oh(6O(@vck%F zzxzGI8poZnrp?-Wj&lgyKEbDylpC!7;9Tt9cl@u|hW2JQ_(cv^?od0r=6Pe6c7i}{ zw@^W`QO2D}dvv!`x}VeCBb6&0g=3{qmJ)5x{m!iqsUeD%=FXpv0u?!pz znRD^|m2~0;*HjfuvUaD*`4Hlx*T%Hq2l=nqW~|w1x#(lEsR>uc*3bi%!Yw=>dEFds z4Jw6`OeH@mCHP2uRPy)vas@BQQ+8oXsjKD90^SY!op(AVL@e8@i?}!FQ!iSItd1fj zFL{uDN+~6crS!&e{Ub{r^i|I%lc=U`MG|CVYF>%f5?jiGtG!MxMG>JGVnK9LE~iGv z49UG#H`3h%{s0~w;z{>t#|a*N;9Sby1(IKrbd?UBvl(_PFDT`9`J`)Baw5QTf3VN` zyPPB1e(oAq-XOmDZ4LR$n!|$bpH{o4R(;`e|DSZeC14?t}Cf8$7=OJ_7(h1As38z(-aCz#jl$ z_Kahp7c7O_0AN1=c;V`#-I5=>TlU8o@|%^4JvA*A3%X(1R`@c#5C2gq;z0jiQnb)# zTZ&BJ21%J*%QlsV5)BV5+w=zvM0RQCpEdoY9ck*mGt!dxY1U)gY>qce=4;v8c4KCx zt7*F(;5oJEa)qGJ-1R=6$^(;d?FI{kuVt=tjmmvfpaW1n4Y^>fqVx8T(t4?5v3Xhs zmmid7j2w(L>#iQkAD~uTll2c)bbWb+wMAjo8uGeLnQF5V{|wPbF3gLMwOOF#!Q&x3 z%*8%8qD_6-zS4`tE*lN0&kgVL<2{<5OFA_w``#&U_*(Ex?}N$m!Mpn%@6?8dC~v%f z_pnXB-7PU+r>{+)LZhTihXU+1&vz0HdFXE$kG2lH{S>ONsKCY3b}i!CYQFj2A2Oxy z4_kINqzm~BeI*;mzuh;OGuqeR``CA1e@{cs*UrKm-_g3>$FU>*5kf0^8}5&EUNav3 zLsI#()oh#RQVl+K2kt*QzQMI~KR44or?U<0$L*QV?>g5%qlDQY+e9d}D7l_J@Su0j zQ(dj4Cr*-13l4oWNsURlqeqO{Q8_FA((bEdofB5RD zJuWfDwXa@hR9KQZMI}Nu3%=U3eqp`Z^|Yl1+xAs^4oV!s@ZSq-%?cjcc~nhh!23b! 
z+9Ow%u{tceE0VsamiP3q?q~1n(1kiye8ZkBVWOGpIp?=xq+W$)1V|^pqBV!s*xSiT z+O15JG;v%dlD*qZ>-yV4b#0M8uL!vw!B?jYA9tGc?fjG{rB8X1vGw%GZWOoclNzSQ z^^Xbf*^hbl4u6)Z4_zK!(UNvK)@&%nvU}AZo_BUpXG+)K`IOY*N%fcp291J1OIE$m2NgV;7#5VDcBMMD;-CRgrho zEDi{IZNgi<<9Ylcm{yvU+$7l6nU&~0>x;a$N~q#(C!O=&4G%al%I4foGlrBN9NVkv zhgW=dF?>^COPYR0tfAqHZ60zqS!cptaD2XRyE)6`SkAqm0|xnX(>S(jkIr0D?2Si0 zQsm<5Of#_?|8NobrL4bvf=5@ybT{}7F7Qdl@4xG{&CbLUe9A({+8lhy0*572IK;Qo ztSzlv(KtK?d=yyD!Pdc9!_mYH{9c$m&E49Jw#C`R3;bf3wX2IN%~{UD&e6dh`CTq> z;P=mO$jfPd|MUj^a7||udlw4_XFD|bEt7Ab=Kvqx#)D7Xp}*NY`f~I&ic3*pn*xf7 z3H)gu@QoU+LCK-GW^>Nvue@dRPEGsj7=@AETwlic{!SU8qh4wM*l#~W@jH}Kgh(yjT+5I34k**vmn$&&q5qC%Ysd&%jPdP8GVIfM>=Itg9D547vLA2 zKpcuQpVa%l@2AGI&IpJP4bR!~c3G zIDLPo!zgO0u{+Dwi;~<&Mp3bahpHPdWp3xp%SkBQdAN$DY!sy-)b#k^1NnU40Ap=t zLfq{KywdD9-fs>)DC*5^_Bv3ARd--{A>0Uo{5ze2(D#Qz_?D*kSZllAIZ9EQ-2j`xsa8NGD3* ze*4tl4=gV^+U>AY%f+}-MevncjGNV8hr;~(p1=FZlyHvwWqn#=YffT}{fHR>BPKyaJrfR}$F%_NhKA0`WSxni2*Mby-MzV|{A^_|4uJVFumH-Nr(LlO0z#MF;aL`}_StQU%? zF%(lbpop59&-Y#^qP~;(n@1?3{sz#uZYZJ{miYUf7p`eIj5EK+q zjDdn8iZM37y|`G6l0v=N)&^fpon4+6kLg75ENXAVhj`%QH*hdD^Uz`f-6xB zf`TH7K~QidiZM`7L@~w*u0%1&39dvj2nvcQ20_76oa6kh++^FT!~@~6cka6ae^yR403`iQ4E5D zB8ov!a3zXCQ2&CJsE(`f>+01cW9lgC$Ffo7Be{jAy*e?9=`{HLBOe zN6g`2@jzw{AGxV@$e25(H;R`5~zGao%Hfg2%^ zf2T9pw48ZZFQqIkyn1+(*$tWgYhMoJ4|d^ty|k`$G`7T5cYGd2m3B3B7ChZ-*o=+3 z^~R!Y1(~`i^HFh$g1s}|B`hjBs1|O7K>nT1;Jz9gmAMz&ht&zJ3m8RRd*NT*mVD<4 z3wC{6sX}khnPIzZGP$*NsJ0<0s?Wv8-l4d7Ff#{kf+YSipXj*D(-UAmh;(G}4rk64&%{q@l%iRZMr&%v?FdHQY>H z>01;Wob5Qo)oCscZq8;j7c|&a)!D&JgXW6X7gv>6K#ObAJYCV^+w4p%X|mrQ<-R>` zGvpB8?CH8i!_~xutu+Dv~6EC!Z1o7lTJnmE(!&Ad3o<-itsn!B|bZHu!Bc)kto z>g+~CPOU_b0^g|78k8K0Yc}UxP7bcQbLP(H=HlUBvzVWkmmj-gmEal) z{01p1o#@fU(!Ynyw91op6rg;3G8-9l9rCPH8I+67CSHI8f?3u?dHpk}bjyh`v2 zn$hdf*c7#YVpLRWWl*_s~i5_QeSbwSds<(!2>9*fBaO}95xbx6ZNEG_0#t}G~ z#-hS+HDGvx0Uu^2nCoF2{jKmhb`XrCFpk1F3gak@qhlfQw;C{x!Z-@!D2$^pj{a8o z96JccQ5Z*I9EEWd#?i5m_*)GaM`0X=aTLZ;7)O6Ae2yIi<0y=yFpk1F3ghTlNc^n^ 
zjH57)!Z-@!D2$`O6+Xuff^ihaQ5Z*I9EEXoEF}I`1IAGpM`0X=aTLbU-wK~&2f;WB z<0y=yFpk1FIu;Uts{!LEjH57)!Z-@!=x>G3v4db7g>e+dQ5Z*I932aZztw0$!<0y=yFpiFe#NTSbI11w^jH57)!Z`X{;dAUD7)N0og>e+d zQ5Z+ZLgH^VU>t>U^q+~Nw@uFs@AQrE9z}^h^1av=D&}n(?d8(Uv(#W9zc4}?i)|?l zQi2;G59khXHvBh&fhVZJn4VRis-TaT0C?X=&c#z6FpnlPKi6W$05EYMu? zR-&ku-RfJ3B7tuuiYC-3Vq%-gJcET5)F=`GHHw&++1NmhB4%b5`rKe9I5DxX@v6<3 z&!cX-kaZLHvgOzXIN9+cMWqc}&5L~d554n$@8Xm_~8$Y) zANDztMpRN~G(7JAqh?V0j)3p#7c35MzPz>@iZz%6cY$1>Gr&pm4@8D$d_vld5SiWw ztr>N*InOk&dDtuy7Sa5)aAt#Y-cVaXk4ggWecnLtD9X6}neX&(f7tj`TN*=qTSjs& z>m+U&@?EZ@5UD1RVIPwa91$?_KIymGtZUuAcP=xPq^AlYufl*r^a2b^pxZ*Xg>DO@EsVA(7;Ql|fg%AwfFc2ff+7Jp0@Stu z0@SuB6ucz^jsS1TP*5ZQKY$_ufdEAU6bXnQK#_nzfFc2k1jG-ZNB|7rN&!1}GAsNTAOK_;v%p07U{63G~?jMFJEF zbVq<90bqb40g43rY=9yGV1Ob4iUj&>fFc2k1iB+YkpM72kpM*keKtUm05Cw207U|Q zHb9X8MFQOsphy51ph$osfj%3cNB|h1NPr@NJ{zD&fFgnJ2v8&d3{WIMkwBjfP$U2h zP$WQ+K%WgzBtVfscLXRB00t-$ph%$41}G8$1}GAsNTAOKC=#GZpgRH-2>=5W2~Z@^ zX9E-o00R^WP$bZ20~85RB+wlJiUfcGiUcSU=(7Qe1c2c$B0(b|VTnwr(C1-ssjxR6 zww!#tRAr?XY(ftIXPlsA$F&m5C~B$kyDv07@Yn8#Mo|S%ds|HcE3NA`jiN#$jtG`E zWZe(0{AhnI&TXGSQhS}TLgyEOw-WY>(SRo zN(P-ho}9dIaPGsKcM+?-GbLLdH;5_2jS$Gc+ZoKLX2Y4jzbOAn{re)4|6}DpDM=DF2B=N`n%R@}E@vKUn^gI9C3X1dIU}My~hw@()l~( zKao-TOZiU<_OB=2WN+`_$|0`dX6owYNJEP&S=-xih%2B89OAML&gL{{v_4`C2Jlm- znYp6%aTtskjzGc_(PS)6jEKPl_&5pyY$FiKXflo{h9iP)V1IdsWPC3PN(y>;BKpBU2DlNK`b5iv4aLXpsp7 z0uD{a07EC4XJTsVY^K6wXc&2t zVT9=$hNXy6DO3`$j7SzEBXrP2JXH*bM~o$7{)9L-o^)WE8VWxeMww(7QjvFhLy5;x z#i&#~5ey~a+pwVtz~=~5EQLrn7K3=-m}Lrb8pd+lcZgwE;1o2r|7ag|l6^mvF#eBS zjYuFO;6T0Kar=lQfDlhXYz8nV+xMrdDX9No83i-RvL9;y{>PT#kRhcKsU$QBkNGyF zcnl6~BVftETKr$e6d|XfyzLirl!BdP-VYUo|6}vWSYQcK>=#X>Af}LsSTvT319OxF zTEJ{DN5QtSf&CE}C=)y(YW$Fn{$q=<6fAHn5-1~0q!0nHzgmP0<~!TcnCvvQ0P-T75izd66$kH`p<44i%*m|!57r{4w< zLqe>^1aq&B2e%YJl)*Mp7v{Mlkxy{`gs5k0O1HYA`wlX zkiJ19&`rZ(@Mr?{+aOPdro8PZxsx&}6Huq02?!W6Fbzv3Pc#jOj3)?ZzpzY0^~X6d zDFcA$INi}C;*kVS1@+(YNS?%EaU?J`u^@F)D4-HN2yQqM*fts2&vGYqQU(C8bGnw{ 
zsNmW_`x4Q3BoEOo!(-^u2tz^RNmMcNkCv(ah>SWZ_JhbXUBkvF03J{JW*8P2MkY{j zU;^L?p!uU^KbxD>NlAb@{Um?~S(8k_QwZR$0r(b)2r@e!2qCbIfJFn@2u2uen>?C7 zwQOQCAY!JU3TAkOE2wL#11bVbHRPSpa!`(;ZF%7*CMO@o4&O z0o^bnNCH3>As9jMWz?{VIe>`yFXR9$J%M5gB#<_dd5FAPEO0rH7)W61V?m5#)V7I9 z0Nn6Q8``*|fg%0VG%!!cJPk`C{%IPK0au%t1&EmcMixK<2aZ4mu#l+;uz`et!2@nM z3>l3D(TzR}7_n_)8X#h(p9XM;KmqD1#^`|0XG2v8+rhp$v8G0R zSCrH$WYFx_jrO|CG?@3IYU4Y*v%>ZqtL^ud1b+QA)A|y3d>8?LH^l5+=Elx_`Iak> zU0U;Db;!~KMTMj5umAC3?*nPQ&?g=;bwgbWit9N$SB(ZLE;hMWxcLA!*Xn#r-Dk4z zPM`am)YmMSZ*M$e{dpiNW%D+F=9J4V#dG$E-y^@CnPRkaQ-Sppz2c^Yvn;cTfy`V+ zit&8cRQYFb3}jw#`jSha4m$e7o73;?7aV^^df#3)8`Wla=IHggElp*!-WPRlKEPLW zu+6Ta4!vyFwN+_VH9c@m%2Ss9qL z=lYfntd4i$ni0<-b^QIdX1!V0jn*H1#FjNmz=!4`$Dv~z1l7|2^-Dma~Bor_4QZ1OCdfMSio(w znZs89knNKC)6`@8E>{(8wpH)A?R>Rca4nDdnP?Wi$nxC0todQj*w>%3(<7fsdwb}_ zh+EuY`47jM7S~F@iT}7)bLlpY1X|M|QbF@4DDx<&nEjY(J?VepHe^>ixAZ zwjt+h%iYgUbc{EA&8y4F(cLxprK?T+t$j>RmY4fAKI_vuGPREua-InMsCU>qfAIL8vGx%2JZ0XpxXeA{1r$-|_jRP5tMW z-|zAJJifnUdUVfupL_0o-{(E=*O|HZzGt+z>xRA8fIZJ`i>)i2hb+=rq_a8y(MaSK z?ZUm=$3GW^j*Wcil~hN$J}()+?Lu80x7KXwl_N{7%0oMxRTVSgXIKwO=&`_h?wBO) z(-09jXCvb?uYa$6m;S|rpS+e`lUn`UEzUoFXxrg{_)-hOa(k+EB4%4*c1~C1!|i3l z7IN8EhqV4HXjjV5K zkG61OwT`k$d?|@E;Lga{RkX9KsV(s$?4=IZC%;>ZYYPpcYh@g4f~`h7Bda5}T*UV_ z*p5hr5(;i5vkhk>>^H&T4_RKi*lZr{gEbBfXynPl_nb*G={m4xKJoz8W$Sr(zK8E- znVQuvlC+&2KIYU7mA#g<&poo(BOs`jeAR8Aw&2b$FY-BZuHDJ9DZngjZr&AXzSZg3 z+IX7a()K9NWkx*tXkGL^cHz^edU>xcj#qmpY9^MXIi;HDYld9S?eKA;8{bc85ou1m zzt<;Cj3?48@IFu6MSJdgfx4-X&*Z^*MQBj-ReU^b0V)3>5S@i|0uWWwQYO$Z4Y=o8Cki<{sZdq)& zmaMQlFxTvi$iy82(`R+;l`9}Jm z;$nC2*dEzj+xl_;4yOmwzAOuM_6m?LNWC)3_mVMrqK`#MuUVeReke)h;|H3vV)xD~ ziAkFT9yADVkRj*z+|@tUS#lniT8(}#+>L3jJIwZ)^F{Dg+LJc?NYtCVMqFMd1%jtj zl-;}HPsw2ucDfGO@KuYLFFd|Mn|H?}yyh0$$SaSyx{o~0Tp4sFtKmgub)V0&#Fdgq zch!W@cHYunQ~H3^ac+bY9eH^3D5m(`4(>U!uqd>Co8w34 z7=qUA5a$jLnsbnAloacM#bxG>JR4S&;CmK3-hNbATTHsuDlC7ZP^tS^pf>0JYP|-Z z`L8i=7B=9YaBMU5^WK5*ID3NknziNOYO7m$*Elw(Jlf@VJE5F2)$DO}@xdieVEwlD 
z@OcLflx%$3QV(>*kZ*<{;GqkQ?Gj&a*HVH!*Xt>wfvU~JjAc8P~^Zay}#erU>GNDDPoX>9;Rnt@)lB} z9kC7`a%A}O0*;{ldIqgNH^%hfumLpAD$}E;0d}Z;a&1>;;L?) z-bwdQ+xX7)eR`_@M7!oVwdPXym4}6eW=3i}S8@X8gqE`5&4>Bjq!Ui1K-w25gD?c9iWRLAOX0vw< zS!{da`kg~^cJt|p^A{Xb*BL7QM4JE3mV+HnSpUL*tgXN9q9M1d_=oErTg^+@91@C* z5)!j4bAZYY~r1WUauk?7s0RDP6*wNWNvh$D$T}*?W|5%9i7K@A-|Z zIUc7dgjS2(U6(SnDH^x#BsWvQBRu^Y7GC;5d>T9cl{tO$Jm z;>_x)y$$U7g{QP_^VXf1X;z+42~%NHeM1zMsSm)1KBBTh?7seuK2zKv=s@;Ano&yfo5{?2ayB*}jqchNl<0 zIi`7WX7LdvBjsh!Jl}SieLL!ol<@F6@61n+e9sn`1t~-aZpI6E3S}lY5FEE;dS8;9 z=*zo$=Rm?z^N;><;zC?kMoQ&+=_@7zbnIzcgwAEC4HLWFF5nhXi}p%<2{gF%S;wd5 zPNsls;2!aTTW9I9!^0Kz;=HG0#xpbo|GJX5u6UFN(o_kDqDWL{K z#AFA-);&i#Gh+@2`le2D*Ui&^^soslV8fxGIBx}aAN&3YnOj0{N7^_?OU*5pvkCXf zx79daxP1s;8**TIS?j*ZT&Wa&sZ-^RN_+i`9Ms@#YZe}nz535CFc|@YOK1R%*UI0uH(yOL{>g0S5jg}H8420=fedyX|+r3Hc#VQwD>>9_)fIhC!m(*vzfo4v zU@Lq3a$z-jMJz(8 zaYv;`c87!NNtL$_Ct!A$`J=C(Ie4Ny%|j*PZTQnT@3;F4G@mR|QeC|0si|0pg;&6( z7)t{$N9JP zMvJzrJaY+QUFC7Z=1`GRiA$Ng^xn92qMZiu2BCVf(IsbL>74dw#okb?eGg9ddwfbb zv_s_tr9Ga)(G1sK&5D({qF1m6d)zPJpcmP)e07@UCd^X(7-1zd0R(*oP2iF20c_Wv zEk_(Iu&M$L7+FQE;mNa?6Q7xp);|qS;PGfyaJr8@-*>IHa0BalOp{v`CP#SP;VoA< z^L^=SBlj);{9av`y8#zqw?^h__Q+GNg|ZHusK~~O#ZDJC$=Y4tq{VXfxp0)FqfZFC z<2!C2?$)QvNK=YC?xu(d-FYuB^x)iL1vk?-q(vhegjAL$qYoSSbSIf&U+s~K!|qFc zV7IS0Enut_?)&82W$`VSXr{?o-QwqmHrwa%+VDw)c;DSycxA-Tzs`Eterz7wm}-h` z%cQ^DboB0C$5%vVBSlM)yOGs$h2>KPD?6YAG2SEY@{vy zdA@a>$fJLD*QKW*SwGa}-tLQ_yy&Tf2QK}eNJI>(q@kv>`o5m zVNDV9?Xz7nuO5m@j~#gs=#CsK*ih~H_`-2Zvv}<3RQ`!Q#ryV3zlxGdX1uAO`G#Dr zIgq2HS#{K?0#!`V+;E{kYTnx^ z!_yC!5PkG-u)jPaVIZ=?Y2ah>mM40#cgq`BT~yw2yRQ6+Tz$9IIN?m!g&nz!Kk3^*6-zj^w$eeQG~+E##OIYrrz28MdoR)2c&LXM?@<&|`0wvA#qRU0 zet6_qwQ`i<6U*L%6(>I3!XL_AdR$3j)AR5G$NqGdOOMxmVz+@ zjwH(tuaGLuFoDYDqG!}q_7%Ox6`o;@YFsB7QE55i@9CQz8>m;YAw^x~bdcf$vE(f{ zs^_!zl2i4ePhXX2(l&OKT#jxpX-`aH?^bjrD8Fi6#JXhc(&A$)$I-C-+C4i@gf(-E zCx^vyl({>$MX)@w&?7aa1nGU`lvaCL zaV_`5q-5-T*8q;EsBQ_FL7AswV!;V-$Oq?V^WC$5uQ=YDG@x;GI}7T;i~Fuh*v76! 
z-jbXu#B_GIDc`JKm*WpDCmTE2m&H-*K30(p`6nyGUuS=gey9EN0i<*i^!|;LN=MZm z4WSpb$2iZI-dKIHVvi(sXT`~fk$IN$Zl>q#*Eu+$a{a~j$E1n319+luTj|tb1l8f@ zaBuk3*u;mvn>V&ibkw!om>PUnSCg+h_2KcS%Y#t$Bem^jhs26A8s%>eT`OiU;#q{3 zW2N=P!DB6*>^B}e`t|@Tf_lbZlxwHS+N2tno_fLUdZwS!`>wCv8cdFApXciQx;N-f zlji_E{HT!4F75-}COcYv^KKcvz2)ab_A`rBNn>4M6;xV5$lp6$qqR=ty zwJCX;@%{*z6UeBX2ooDg-qhRrr>a)*d=BRJ;Rro_9e!O??6krA6Yc7&!<3yw9uT#L z+OKnJB}?N zsbbO=Ty4}j>2mCFj?(cuKZzc-ywdz7k?wCU7QR7o@VDcegzZN43wN%tzBBQ(=zSfY zU!XBDENst+`isjE@Jdp--+~gIVp{q;dU3J|R`SbjYX`#%m0$Ws-q8z`8)|S4A3s<- z5RF?7(<3&A6?5=b+%Tb7;@+Mx2{f=y4~d$%N8)+q^9oVQy=8^u*5>*rqhT_)2}{sX z(Gefj3Q}vnG+Wsjx@vWLdG9y8&ntv;Kf0wW<^2|+?MJTGD9PCw_J{jdLq+w)G=N_;6RKco&1MRiy>-Q?? zt%$w8T6LcIdhMGE&#PTd(cjH0f~6Y?qaT#T&RdsqKp|&i`1xIXg>M%)HFL;y=oqed zGMWsz82qt)yhd}pU5cHyLtI8^-uekikt)dzjHg%rz3%+=={M;1@wdy?cGC~zIj(i{ zf*!hqZe)LbJkQLBK!z@0J5b!A>(>~xIu3y{B~i$pbm*Z&3)#GO<*C$npMb6pI>U} zR4a^=(Wna>8?767L`kG4TP!-gtT4&N6s+M05i~z`gb1<0ukTZ%iGjt^!$88rZaSV@Uk$9n{+hW>a z+dCP4z?F^teC*)k2*oKFu4p7pE@w=eT=iCG?fMU)bw`@RQu8~35disb4u(Xzm16;8 zc~h{?^^0xSocl7lbo_~K-0Q@}5%yZ)9)c}f_My$gBUOb~n&U^~2kY@4>MY{v-s$Ni zaWVNfEqIe^O*QNKyqIWU1VH|qgJJW*gSv@+P1bjereFvAi7%sc+XkJpZ;v0tcU)gb zXjv1yo>n{sBly+~m?W78U&0UeoaW*4+-)R^tY_b^q7N$nT?RbwJz?jPYSYmA?$r&pr~t{fPIx;e`w|n|6dl^llo$EI}|Q#{+#)k7VohNy44t8 zwD@Ju&&#wzLT;Ogw;$*jOs&$ZpPQc!1w z_TrgU|F%Ghx!3ywllA&$)`>04O^DY`riXss_42l(gL~=@)|u%2?Uujx6D8(p7DZ)U zz1VxsrP?|PoQSVreq4eR@gtAfYak+K=kk*kNYhV1X0HNinw`r}Rv=A30hzT5q-jv2EKq(m0crY`$t)HiO|wAx#RR13 z7bLS8fHciU*FsR3#F4VWLy zK$?EQ@w*C;rr(kI!49P92OPhv0BQOineXjDn!cy;+cJ=*-=g`x0Z7yLG=5tK()3$2 z-!%Yf`VPkLi$I!w&*r-pAWh%F_qjl~~IK$`vl=UWqyrf)3%Py*8Q z2RJiLK$>Py{HXw>=}&ZK+JH38p!ib(NYkI_d~E~L^p(UPmq42Si05k~kfyIB{PC%NNp#-FfDM~<^n8O65i5X5nnwX&kq=_j?K$@7t1f+=>PC%NNp#-Ff zDM~<^n8O65i5X5nnwX&kq=_j?K$@7t1f+=>PC%NNp#-FfDM~<^n8O65i5X5nnwX&k zq=_j?K$@7t1f+=>PC%NNp#-FfDM~<^n8O65i5X5nnwX&kq=_j?K$@7t1f+=>PC%NN zp#-FfDM~<^n8O65i5X5nnwX&kq=_j?K$@7t1f+=>PC%NNp#-FfDM~<^n8O65i5X5n 
znwX&kq=_j?K$@7t1f+=>PC%NNp#-FfDM~<^n8WmcPnyD?IOUDI4$Y4hmY>uP6pc1X zw?5zKr3wnahmd(e%k`CJ(W3F{>|~3k)%`Y6cY~sCUq}u=!o};C`q}BIL#*&A(>ZZ3$NYuUg z7>>{XtPP9+$bWJ$^c<+2Ot}$u`-|Y@X@%Y^;o*(iCc1q!M+8~Ju;W`t#~UI>8g^w7 zN8SqMKV8+*_oB|@<5udKKn(+E)A3`wU2k{DYyC;5`;o=7z{9UbJqNc<5PG_)sW z=%t87V=zd@ei{2i5`7R1E94e_dZCP@ks%+jNOAyl2-7YbQ4!XNS@|-K^#{H)Fd&C5 z2mzbF9R{N|eH7+_J``VS0EG_ujAt-moFoVsTIcJok?WkR2htmlbeOp4i4vsP2GWsLR)5qGxjm_2WRJCW0?oF$@4+`g|p3vn!mQg zSy|YHv8waf_|euj{fE<0H{1xkxx)BXL8%b1j)oe>R z{jxV)G=*k5)A+XqjiX?gf?*1VDNs{r)&pw#w=()~KcJ>y(g%}1cyBuW83L#&P}4aO z03V^iM=0<~AAHgWpY*{6sX0s||8xZxq`-AkaNQJKHwBmX!R7rqPbT0l6u1io?m~f^ zrQl{MxTinY$pqZf2lw>BqbK0e6Yzu-ctUEfa|sMQAq5`f0}t|n=S{)$rr>$gIZr0w zv1ssEGsfFu);WHQ&e1O}2!K#~baG66{@Ajt$Inap`I0ZAqx$pj>s zfFu);WCD^*<~o^xBomNi0+LKXk_kvM0ZArvol8KH3HY{X@NLoHOU=QTnu9MjN6vXN z0ZAqx$pj>sfFu);WCD^*<~o^xBomNi0+LKXk_kvM0ZArvol8KH3HbRk@bhKhSN6cK z?15j|)0^vL0+LKXk_kvM0ZAqx$pj>s%yljSNhaVIpusOdgI|FDfBT2ZpI=*59`pX` z&9hsbrM5-3T@Uss_uu|*VpGMJqLJN;`rDehU9X2bqJasJ0Am7#!v6?SkmMaLUBzC1 zy|>}AZFFV~U#(Z|hHNk5WKFGH)W{L=4-fzZek2g*5n6I{ss%yvbq}D^NCY27iR$Ks zz^I~Ck;+I$QA-PD7ve`kq8!({d69^81j;thjXrHLq0)R1C>v4$HIPOm1t6hSt!PxD zEs2hFLRlG^AW?RtU^)_I=0hNp4E|jj{<}1DL73CZ@flgv{#bc3JXrDGZI*70P zVwfEvUsRCO|4lbCnhgx7!AK{pG8&0yw5edBu4o(%+9IAt4fJDl`^V?$D&#Tb360A_Y;1Bs`4()y*b#K4fk9(2kZa0F zMXa*A3X-v7#{Q5*9|Xe+`GuceC?jcP$OkNv8~`1|w9iIVgf(JTz-myJ9{|tLfE>0U z1Z@6x7>wHVQJ4q%P<*KY6guQHo&kk%mLOt~=iknp`p+Bw^~_D55d_MC;tm}v2Ca%g zpiD^=vL_unHXIJ(L-nT8Z2bsC=)8Z=$$&x+up-e6sXl&GUy?5!39V~F@urh#(0Yb; zMkFHDo%C<_Y2qHx5J4)>V8yDdV$k2nPCc1=3FBLBVrBw^!(lKu^ny)2g&D&5xVU+_ z5q!KnyaN1uf+F&wBErHVXlYq-c}=XgmIfB5u4n3Osb}P1td6ttv378EBYTo{Ec`?K z+=HD-Wa3mAjEj?-kJA$l=Z8(*fr&v|W`#q4->xpe**I9{v9d#rl6;VvfxDHX!X#iiAzW*a>XKRc<(zFjx=E+n|b^xNBszbr|u34eS% zD&y^Cb?2vGvj74Z2_PJRCO~2eAOHye%&A}`fRO-3!aoGSNB|=NjD#5iARItA%nSzb zJ^_RS2nP@jGXy|5fN+=@3}AKu;Q+z`gu@I05Dp+5W(EV89Y8pMZ~);jLjZ&W2#1-$ z0A>de4j>#rILr_L;Q+#6W-x%+0fYkx2M`W31VA`|aF`hkV0HlE0Kx%;!wdls4j>$6 
z1_PKKKsbPK0O2r00E7bwhnc|uW(N=sARItA%n$(K0K#ErFo4+sgaZf%5Dqg0KsbPK zm>CRUb^zf3!U2TC3;_@hARJ}}1DG8^IDl{f;V?r0gaZhNnZW>N2M`V*96&hC5CGu- z!eM4GfY||r0|*BY4l@KmIDl}N84O@{0O0__0ffU00T2!#9A*Xsm>obkfN%ieFhc-@ z0|bF#J!71-lm)=vh|De97D|y0qjjst_hZWRfv=KQ0Jdabknt_@4T0SfNs* z+I1s>Xs1T=3aT}z0vcd2{7;GnQf!(#VhxSR^?BI)-VVji?A~#H@fdpe{cEo}mFb zY(WUv{OvFpwdtcU5A>n1O zkSY*KD$SilLpn_#2E@+>I>SgOtcI$Rh6V<$fmByTE2$z?&}vE;6|_23S5r~Ks6s0m zkpiGIOK@|ex#}C+Le4<|iF7LlU^)_wQ&#!GCG?zK!eCUD)Kye*NOg<~IY&rn9OMEPr-D>d(NI!V#;W6xSgZ!arh+?xno4Y z+}u)C)=D7Rk){H9tBS+@<1G`O;ePN;b0T6yyb@72mst)li0p z8f5(cKcQ&!53c<(_53dj7+M1j4J$QBwJ|tlB~>&UqlUylClrzm3}k~^l^HfBJj49p z*)N(s7tbKoV0fYNy=SVBk}zycc!vGnGwj?&AFaU%Pc_C#guGB!gS>!Hp|K33vKkT% zMJltd{UH9>xr;wE>oQaVn(M!F4U5r$j968T|0UOcm<6zNp9Q{22O84;X+W6oqX2s6 zpoE!b$;2uBVJ^VVeJ)T@W}H%tvN{qCO;)OCRb@0ZnPV7|i&j%XqOoY^efwcHz$x|3$!MycS`p<(*TJMpK!;zffKVHG+YocE<7)XS8S zRf$d~mnYxROBKKCZ!2T@3a9tw6Wi6!4|%Jeou$iYtVW#CdDRye(Cvp?gOPF>ZM!3< zv+cn_-Dtsv<7t*RQ(+4m3@mzFrS!4yQj%mICsQi?KM#ByzCXNuMBdT;5p2u-^fZh2 zYs--VmYZwEBku0yS?iRMYn@4y82HlLr7|@-&_CRH_Mu1Ur{hzn^gg?mKdEXp+j05G zJgM=TwynkO660Osk6xvm+k1VNa1X`*BT~_1Wr63^8d?(U;inFNY;f8gzYI20`Tf>$ z{vDmxZo>vqT)X_0;R_~$pXHRYp(Sp+u8rHNCx_;~Hh%cUg!9QmWyd}sYUAT+3R6?r zM;or8H%T;Ea$CZbz4BBd3dfPscDU^7)cpA#<;qChkvD@1 z9Ej1R{jsUxD4(N?$x(GDQ~9m8`yESLVA{G^Dr#chJY#Re2ZNf0$Hpd%&r6aTm)kzGM4RPQ<5fJ2JSWsd~U@_5yg9p(xsqKey@Ya_t@p;(xJ5 zGwj4eoz8hG1N$A7mBo1QmHHP84|DBq-5=!}y*D6?zr9LqlS+a6Ax+WawG-^OEh@LK z7ui~~XOCf@`fxf%!VwqM$v2Lzs#3(Axp`6A5LM{ULzjJa>7)0G8%8%0>Y7xd=i{Hq zEIBxT*_v>|lfJ9b?wiVll>+_K5A+&@-ZFlGQg{%5NZ#k&@EBZIKHZEn8vEJlwS2)l zSo9lsActqjf+vReKJtZXow3rCqwn9NzfNJxlLfD0Bp31~`3#42v2F1fq!s#}xL+Nx z@lLmkT}biH1~Xn6QS?Ucm@D0|+ik=Lu)w%lq3%cb{RJ^x#=(WOJ2g3%7C)yv*wfIQ z({X)CT7Bxx?h$=%Ov=FPw>^q62`Q;H#XDauS=s&4gUv9(@Y?k<)SziW`31L^XsONS z=#Z56Xw0S~W3097DgA*0W#;l>XYua0iq-CykbvZdCl(6$)YQ~ zGhSxX#Hv%>$3@}0WAk{9UXp4b!n^N7wSO>{%H88dWnW>iHt=vD&dl>{gJw2qX%k|f zMxv6bCM=d2c;k-QD;|!mGXx7eC*uixt;9t-Tvk-1akK0mT}V(WeBm$sRK1s{z9F|i#y!X+ArO%u*s^leD&Qp-I 
z7p!gzp6GL)ig?%|wb#a*qIg@`WnJht`Zn(^eeC)U;%(dZDHpZLv_Dq*5|$#CxbZ0Q zRAXN1^Vs?~FNbXJeSWUC!_}?Hk}sFLW1U9dzDE{I7x)JRhRYo8KK;OJVgC8TKI6J0 zTyVP*jyn<$gLYhtIMgpS9Bg{3Z%z9C$mfqrcvmSrd8*Uciau-XQ+nmPXaL;4aCh>t zy2D>q^||dYNeic{R5ZGvBu#h_-r!K3D(onMhwT+BQzc{82^0!dpCwx+Ueo1FQEG ztWZojUiFl_^!CBy^OAY_PIB03Z(1N#um6Vsu)+JoirCG~_c{cNp4A60=N{tnb{Yw% za`7A^zIybz+ce(M`z80q5hhqw@Q4 z?vxF@TUDI__3R7Z;RVl>?>n%1FTc_x?w zeBQ=#;c?Fym#OPVAFRCEU8Yn&a*TM8!~9da!uI#FO35u@=~!9&pAlbcuPHe5yVx74KJ+kr9_?)>3AJc$?$!jDtY(J*mNlZVuzV#FBRVQ~0X+gDcMzJTK&} zeSfd&+^6Alhr69*@kMbhV!SyBvyZ~7^k1`n$WJ+^+#h2oVwLDGd9+%01NRW6QW|mW zN_n|P$6->AVMFbqWqG_%8bk9lvb8xvR6A9WVFvX$AUa zp9#t5Dr=G8QBQXh&!*Ab=MOs%os;0?FbZ-?J#*=E0PB>f{B77#shZ zUeSGO{Z8X99ozKp#(JAy;Bgs$d1`gq>aw@)C!7Uc5Eh z@J5p&u`8@S&tnxh$-7c%NK}hxc%$W>{@lB`KiS%axh)>0~Im zu`0jXW?=1x#06X@jZ7X01vw@LHH!Bu*vKh4J}8H;s!7!-o4?HT?uXhdxx2QUI?Yv~ zWVhv%OOE@Z6)hF3gD%Ip95DGsJ*{yaC&~`FrI=cg3P)SIXWJGk+#9m0Vo6 z>=;%_w$lFnvPbwYW^2+^{MTr(;m4G-vhz)D)qH$-uId3^fbB?4=9lPQ_Tp@t>m&P2 z&%ZIa%+=)L`OP!;McFrl1CtyKt^Gb~ZQ)~kd)(;O{PdfrU+RV}9KXb$HCE8DC;S!X zh=d2d`qCCGL41n`yV{2dj@COSlX}KBPH71`3l!H}4o%A_e7fI9>g9_dxAVt}qXKgW zt@d3~O;&p{V(zM$a&k${`*%YhkgUCe&+IDuljaBL#VOh=H4D!}iMzS9TuMRkf6{X} z{@4L;xmA9zg48y-)Eg+b)--`_XT~QJn}Thq_6^TNG&WwvFH!41j)-x3Z`*e1)lH{G z%Fg3zXIN=tI+Hq)U3bdV_pMWMozyWEs&^3|^)GN6T}PH(7}l!s1*x%lWpKiPmw$?Q z*P+z)$gF*&3l>9NqwC_yy1w=;XKX!d`*KAWSS9x76kk7=khv#d<4&{dW7dNucb4uf zWaW;O5jej}uTN^v^n2gVdWBte-Q)zXpyFk={U;7Ad#Ehk&F0a6Q?ZIW{QWkWtH}}{ z{nk_@M)Lcl;)%{2o}>kyntB|J`RK9Xo54c{5|zY-x0~OKJKQVX9C0X8w&Qa8p%Yg( zZ;46FTj`0v5pvo~{!_-LEY<*(mGN6`p}8U8s`~uCO+%y0wQL^7gpGDO9gt>w7qa7I z$|Cfk{TyP?3r>o&?f(4a_NiS#SGRClRGdEhVocw_dS!F%Q45jnLaY+C+r%e=rykVh z99bTC@Yadb&$Nc^{99Omo+w?@x|32DXRR4CM`=+O>bPNKv-i@HHl!?ACF3Imq;l9v6dY(N;1uf;!<9+(nBkHr_ z&h(cSB-I0v342K~4$Vnt(hED!b6Iau8aw3s{-L(~bJvZo+}oUuuPyCNSYfl|@r8Tp zg+)B;E1Fstja82L7@oR%)#skVg~c2$k=5!KsA7owD;zq-9H7;Fi6-miGeO~< z>JRRzUr0Ipp=5Kv7$W-Zmwg69)r*(kwDdi3nEK4mb##`(QjN 
z(YcaR|M~P{=gcU_FQ?r~Rtr|N3Xu>B6T(gxVt-Y6sPwdZMWOG)#@YTXkFYe}ci+&mqcKZBE@?4J2z_ZUKA)^^0*@=SL4&6PABH)Tks28rRw=`8sEbTm3 zdV0N1_K<1r^@0ek{=|7T9f|!WA{E6l)VuQvmt=1<7s(t#t#wV^u03eRm9dPna_IQ| zN0%<~O}x(Undo_Z#C?cYCGEpSb=|!~Nu$F}HI&K0_UAoSYcxu~_yj2}lGK?Tn0VV# zRPwnEMLj1s6*|!$@#&)O73`*d4mEYxb+AP#bKrT6gJ5w0P zDgm=<-M#Q})vX5K<+g9a!U}awv>t6%lq*^K(B6#ytlxv)4>|YpdsxgkEHunG_6m9J ziV?fC=MF;RkZgU;f`|IqZ!URO-MSmNWwD`XChoQRE7f?hlDI~Zg*!4*I)%>abgNv! z_9kQmtLEs)i1+UDOH^578h#~ZWy&s2$%M5A2lLHYrLFIb)aiz6Nf^Uib(F3z_>xZc z#*~S$9}0Lm`tp%Y!*Ytn!ma|{GuM`0KHc3i*b|Sb4KDA$=WH2h%vEjmOx7nQh1IOE z&N`XYjC=d(*he%ZhjW&0 zLmv>z-G9d23?BC;(PjPH!t0M7_@q0rC@fp&QY8%|aWyGEzfgC~Co}evrsVrT?+>WE z^7DryyL^NcIWBfu2eQqB1-D-)Sn76Hz-sY3bmAfEp?FluhxG{7FD@0_F# zu9%YAX!ufKQ|G;y^c$UtrnORLjvp0bZsc@W zZXd%OV{NGtH{uW8I3fA*T>t0U?gv7*vVOYt^Xm=Q=^LpClmo>bxt#D5L%XjR?WVg= z-zfEf?(8C!zg@<|s$!vgE?=+XO+A@<3FBLBVrBw^!(lKu^ny)2g&D&5xVU+_5q!Kn zyaN1uf+F&wBErHVXlYq-c}=Xg7IgnfUC-3nQqRc2SRH5OW9{JTM)oA@Sonwdxd%Iw z$i%5K7#AluhI1Dj&JUZq0~3R`%)-jp$IKraJDg=6D+kml!w2n{g&k_1Sphx|&B7+I z5M#|Mr^Zg^i8Y4LqVG(vvNg9Wgueh@t`te}YhXWVDRuwC+V`35}zL zq9JLOgKM<0S5l*MhJDECo3+K(ziF*AX%1D(uLni|%zeli#hDqp5{~1x3zj&B zN3%%0(9&%&ZLsZ~3_sw?#(q9_@NtCV6bx51k|vikrcJJTtFw0fhtRqs&0(qeoxliy z{5JbdtE3{F@fMNwub$b$wn;G%x}n|INX$`QSm_M878MJ4REmgZ;#pQMzq| z&e^xekKsG6uOqaq30_Yto`Mm4YX(e`%!4oC2YXKQ@Okbw5=GXt?^n?WmH#dS9{)|T zuQc=LQ4*X~ZU@>F>h@X}_tz%{*}M?;zA#YKHBP|3%CA2(^M?N~3+zdKF}WQI7dC&+ zd`ye?SXJO59$&Qg_=*z6v2YRd(VSuTzufRlH+aS>>FnU@?BvO;z-MO{$Glq{K~ik@ zsD972-L+CsXNC6SnN|O`K#956`vQ~o`exRNEz3=a*G;B}e%|%+wxff4>JHYK=>6@M zzxER)=4lp1WnI14d(NfWItiSJuV8*$f)nv0kJ)P=B4+3ElNCtQPe5j`0%@9^%THDy zO+NvdwF;zZRxCdofi(S0WY#*6rdhH4Yy{HuGm+WqK$>Qw@{0{f(=SM7GXQCtjmj@J zAWgp@nZ*F4X%;BInt(L@%48M`kfvFn{AvQy^edBJEkK%nWipEeNYgA(el-DU`jyEn z79dTtK>5W4r0EwVvl)Oi%|_)H8<3`7kj!QP(li^DpKU;zekL+&9Z1uxSbjDFY5JMS ztaTtwvts$l2&CyJAhTD2G|kTCCo7PqpMcC>1=2J-mmjS_nttT*n;MX&-+=ki45aBt z9>1vpY5EPAAIw0Se!%g&3XrDXk@>+6r0EA7zpDUg`W>0??LeBor}5h|kfz_F`Mv>2 
z)AuxfTL#kfTQuJ_0BQOT#_x+jntspbyA~i#-@*8O5lGYT*?emO()5kRA4))){s8A& z6Og8FEdEde()0&7GfhC6W>Ea80Ho zOhB5Lp#-FfDM~<^n8O65i5X5nnwX&kq=_j?K$@7t1f+=>PC%NNp#-FfDM~<^n8O65 zi5X5nnwX&kq=_j?K$@7t1f+=>PC%NNp#-FfDM~<^n8O65i5X5nnwX&kq=_j?K$@7t z1f+=>PC%NNp#-FfDM~<^n8O65i5X5nnwX&kq=_j?K$@7t1f+=>PC%NNp#-FfDM~<^ zn8O65i5X5nnwX&kq=_j?K$@7t1f+=>PC%NNp#-FfDM~<^n8O65i5X5nnwX&kq=_j? zK$@7t1f+=>PC%NNp#-FfDM~<^n8O65i5X5nnwX&kq=_j?K$@7t^nXv9!k;+hjk^xb zj}?}m)D9GlHc7WW-{_?Z3crVtc|ptdm1fbR@#^eki>B56Hc@wjqHbSE4nM-h>(se_ zQgNXwKfh$J(_MSXno@P^mTNKh8-sk)^8>|?pYMB)_vl>(i~z`gb1=NSpm2WD<(7l3 z;J)yt&6p2&reOBTwXV->V(tdz+S*1%5mgJ<4C#rWm$f$^SWKkV_f5u< zhqvmcw@gUXz4;i9&;P6qi~z`gaxnB9sGUr?5qA5F;N)qA-YenZjoK!H!@gpHoj%(e#NJKgUWgF;5pSGA#X+8*)4Jm*c zNF$O0kkG1DG%C@SL`OQItc*;MC_7Rx9f>mYA&^N1|1J&xU7EQdP{zS@ye*wTCo#I> zu}CbmPa7Q_#MgZ>%#M&RYRKvTrW+Z}1_sn%q!UIRhs5EK7!_4DBo>2KhBk<&Q3L%L zz5a1|x(YcAIYJ}&2KW(ZBwu0(0%ZtUj7UKgA_-3;Ky@=Dofb%9Y}uUTOQw4w)zox! zkpCj_M_|y<>xwK`^Y4TlndPGLlAye83{f0ni~#yKF>7SR-cT z%h=)%d}m-l4qFfcHh((|Ms4~i%maNWzSIB;9r78^V8S>_5HQH|ZzoRU=MDdQ;-*gs z0_8w)hmIA4#$pgCQxb*jNk?Lp)m0!qRBtNH){j7hPW$(q3@G#fD-z9+>f=ZCCHc~k zI0VXs;!P*fp!E#xj7UVPJL%u<)5JZX5rR~n!HQMI;ncs8oq96$62`aM#LNT+hr?iS z=mnd43NwW9adGo3oQxH8VdwjOny8^ZlGS$x5+dO~ z+5?*u&)wi=EBJJ4M`7xyvT#EiJ4@@%M;0^5%-O_}UKJ7`++6``dy>(eBl`Z&z-(5qNWj@vX*5Rb1zx zzuneMzW@|_f>X2Om9V$l*G2Bm9QX3CLe4b)ZQ=Ds9)+Tu%U)y6f%)BeJ<7?yJE?JKSt7N^%tH|zl`cUxCc{2OkZO!!K zzzk6AOG%Lq4~n`xi#5|K&n=0YY5dy)FX`o@?9dwFizlen^?rf6(UuxAf4i-jeoJa@ zon1GQsOYNMmT>xIZ@6d*&2*;mZwnen!7v5G6bw_KrqHYh)bwv<^xu9!O~IrOCVlYU zbow&{P*b3$b07ddLV=G^;FCW1qz^vng9}n~m`48T3NA>2>!#qkDY$M5F7JcO`*WU5 zz+EVC7Yf{k0yj&+%~Ehrf3A}WxTg>9>4Qg4z@sPN2`TV|)LiEh7>0G66{@Ajt$InSdk{kYoaqOy)Y5fFu*}ZPDP{qQRG% zgD*7)Uuuq=^JD^&OhA$eNHPIQCLqZKB$>>0G66{@Ajt$InSdk{kYoaqOy)Y5fFu*} z^JU=Y%fPSffnV7Jzp|${*U1DVnSdk{kYoaqOhA$eNHUr0Tmq6zz%M|9Uw{U`0R8{= z50yW^wyHel{nMLgw>nF0i)_0d>{0H&{oTZ-iZ4YYyBGDhHFLXO4|hZZ6CeS`1PF!y z5uzZ;J6gJmz5aS{!)4p(%ox5}ui6dSUc||oTDho^Bj6t(00{g@AkHJSKS zK&O!iK8zC8%?p81RZ&JNBN;_4EtFk|9|?(aTcG7hHWZRrF$iP060 
zMPi|S+UV#YzV3@*cEqS+HIUQ)O*b-{4GgHkNGGf^8i_`$ATcUfs4E(WgSLpLQ3L%L z-Tv`;x(ay=c|s%j2KW(ZBwu0(0%ZtUj7UKgA_-3;Ky@=Dofb%9Y}%aUOQw4w)zox! zkpD9AM_|xc4CILVn?=7s^N)8S(*(BnLppFzvGu6=98- z6)+m=@&n)*8j!;lgn-T84uesfJ__?dABrzEfI^3S#zRo1&k{ro^8DMGW4QXmhJQVC z(`N*Ma-g_F$BIF#Vh|`(5{2wZhmH-0gZNOrsWe+Z0uegz-*Ymc&;zVUG()P7AJv!S zOGiTMnozvyBpS4yp`8(lNOdRu+kKk22Q);G$}?E8>Z%y@H?mVtre4DMR-2faz~FEg z3=X|uQ%_-rFg`ABUTy>*FAuK(KcAq8yr_tRR-hY5 zcpGvcBKP$&Pz5x=VECUD3pWCN5-7JnVk+8GO{*mDm8y*qR6_`oZ%r>hU2b=3C2{2< zkx-pYgg0Y5Bhp|0f9$;pJXGHw|3ApmSRy5qOrp<#pYG6{jxZZ`!?kaN7w}#5DfoIT3GNdibt4HD>NEGGb&TOmZ+Qgv_J{QzFn24|0Z6*gf(^k4>y&PK*;$$|2P7&7v2 zcaHe?1J4f*W_*9&Z0Nzr;Vdv(2uTLhm&(L=a4!Sl=Y-s0j0aAOsG+5+L&Om<+C*&) zJP|2kaN0x-9W5PAk~Ts|S3^@1sYH61Q(4F@Cj0m>z2`4*Mn;K{q_7=0q}do838(wR z*tGw6Y$VRmNIE*Y7%h^vh9(Y&*G8g%gba;@ClN46n}&`yQu%*9G`!{yL(}==q2aU$ z8h9-oA`uxI0jGiI3~ABLv;$3w$wY9V(|o5KnjKZt!zQLBtTXHIYh^4#H1I2Z=TQplSUuG~BnLSI0MO)?LM2BOI#&dJ-yV`ENPcy~X zE4-rBd7y?tBV@mzep zpW6Gl5xMbu(pWxwr|eDZ42T%*di&9ME(2@qts<0m&?T*OIQD(7n<Mcj)p@3`lS z(W`4OzAyV|ylkprd}ZutfqeNS%K5W9-49M&cmL6(p2#OU`x$ncSBiS33TGYAy4Gl7 zL7u>p!YwRM)ryp9ktCOjC#Dhg`l~n1xw7_Rw(*$IF^br`=`_Nvj>E%!nhQhwbA^1&^#TK4h3~lwoi%4K?bzhzqpY{>#@A~E~#_-gPRQz_wI?D8yy&mnis2VJXqOpZ!dRc&FB7} z_-}Bb(xA-sY^Gw?l`(Y-(dx-$VcB~w!vd^rCl|~dt2rZj z&t0pYl-(WY?n!Ho6>)I6JVqo&Tvf4Hs7) z)TO3VE@^I092>G|o|IzezF>39Qi)5C=R3+Op2%LhO}kd}R#^H2T|3x_ipV8Gt01jI6c+Jyp65r*ZpFz z(%u7u%KIPf&xk5mHuZCVW5a8sqS20yty3g0BAXhX@3&lqxi5IhAZqP~iMpTsR~)!M z?MdWor^=^X6VLNTSz7|mD^sH(KdqjaQx-P)Ab4WrpEYkD=Vq}RzG+|+(h zbufX|al7!zNA))4nv|H&t6QpPH3?3v+p_4B@2;VXZ|0hJu4grq-(=K`OK#ZiAN*Mb zpO-v&?z_9DPpXQQr=3#Ub>MzT{IXq7-z*L~)b^$-Y_WG-qUGXQ#7(VJw4R47QYp%P z9XW4}V4YQPlD6EPp{_*wIfbgnE{Y!}gx_Y186@@Ur1zvczuT2+4313 zGI2djZx!4 zy)o%U%QjW1=54Ct^q^)({-!~|C zib$lEX+_qsbfl(}%E_WaE05~U$C3hWt0=kFE!uU>>g?{ROJugE>0H}pAY|e2M8d+< zzfW_8*QCyDwlhBd5>um5u|;TM`nahJFdN4hUSdk+j*F{aj*&3Sn0ZT8_fA{io1~K7 zK$jR`2z++e+EHdZk_LtFn&{Oq3IwWHa5heP4$B1f8@KT_^0vJKVS$fg4+X zeRZD7n`3RH+^suyB$J}iKF8BMrq7Sck3M|oC{uHRUt2~fBN?|T_s-*+Ay(VMqAw?> 
zO}Oaga>6~SInechI+l4N+NHXyOx2 zX!wp1=vRr`zv&+Y5(GB;{(^_@c8 zqHt7r>P7Qaitd*B#_3Bw-#ub}{MN(^(bu|C3k-JJyn3(h%v$=TcnV!I|W9;tbJ*WlU z*#$!9b|0ATwB5bC^5&%nrDmqirtVu%MIS2Wcy}Ge!~}L(y=glPgB@(e(+4*)#;pMU06t^n}xDi@{_B|83l4Rd{ zXms-;i^>fqu|tpNA97ygc%v?~YwdoQ!k4$o-%qexa_~&Lq_p_tpvd&<>V|_){TrI8 zhQ%q`!6END7Rh_wR+bJf*ms7eleykmjPOGFlJ)Vu?Dfqf`Ra*#-G%AVRklv%3A1Ta zdJ@Jh9^b8Sa?nfp_MQcbi@0KbBrUtQ7`^RdLtSXW;ED-*lmqsn?LVxs zoAOcjM&-Jkc^Bp>$i;tFS=aD{7CSC!oOrw5z3`#NK&|P4#I78R{96Bu@^}x4wYo>E z#)+%2(tP(s-sqDrS|uSVcR)()%3GtUS($+bSFXyPJQtj*wEg1XuIJ*bF1r#;S&Nt3 zJe#%odSF5B0b|N2A*14v(B9?l>G`sKQg5$%91nSouFQ3J60ba?=kyqxXdsiQ(4vrv*U z2)7u-oJ(yq2q~I^fAL~&UTbdqO`Y=PV|Dz7ZE&t0%PUr-#+wK|JR2!mjtsVsoq+cb=((eE{CdTd-FvUCetaM;c+J+{&MtTT{p69lfpsf85`XIIxu z-;vW^Cr7Npzo%Uor+sDbQI99B&--tUx<)PbEm9~Oes6FgXWnI@h}+8sJdSH@%%HmM z4EImFXBc#_KYDX#m)QQ#`Sr)I#MTD(7*r#vaeWhVw6gRN8 zqC5ETWV_483NIb^$eyH$&aBfeuI=m$8ad+o2Q)3XX4O1*!@5(ai?(h&cKTBOz0UqILab19-*L>V__*HN z&uR^avl|~5O&ej1m8fC0?2CRk+tltl6^|~>&YrX8oZy*dD_lS6tTfj?vMb2=X4P`k zD zht|6v@y)t%Z^Y8NFaE*6Hrb}LdIQ~wHi6OO=MZcQ((k=U#dlYq>++j&`LbQ1K_RtK zxme|C9$oK1zjAV9R?^;@bmHXQQWq8bUDH!^6t7(0)AE;I{S=qpy7s9u^@WZ8)S#6$ zChG}87n5!c?SJDUgL!SXQYN!rjpRLC_e#An{{ZcIe6wu1(SzffTb`lYju9GjG&elv zl=8TxCbaC$>Ksiwy+@5`*=?VZ#_TM8vf$XDuoad^mgJ_WlLZS3#`_&lP$wU3Eh-ql z#lR_d%IviXmDZW$wt2IniYm$zKHc20 zN7AcFRCZg>TI3wBdN++N8!$)aaDiG>By~` ziA@D@acP%Mw&7wjCTh+*oq7AFMYQ0fp2~}!6WtQ-uJ!CM)5x8(p|St)hR5Ec3O9TD z58I8c6LqzpGRDIh*^*3d=4=1K>W-?E1!URk;fMbmLC$NMv7nKw1%;v7SH<#yFAQ;q(ojm3V!6Y_`rwNYlm0q zrEc0!I(@qTcB*&HQ}oMy=i<%YdXkuh*BvHk?^Am@??mrjE8`7svzWK$JFee&x%E!v zizvHt!TEMevkc=d%(-Deldw@Qq4cNJ?b1lQ^Wvct{_=&Y9kbFr9%1(xgr0GD+rBdG z*f7p)e~prIC+mjjz|*Fe&pZz+Y)fC$yQXiy|M<(Q_cr$)S@dE+CRu|?)4H%{154`m zlzT1-)HM3;o3_r&AIjJ!S|@3p9$#EHs=snEcZZCx?KwO zh?HIX@%U-oCz6RLym5}Z-STitEMs47E4%M8u;z8!Nxd;0l*eo0OD_b<9d9j~6FE)>P4cqaT#&ZcT{sM^Sah16dtml)%no7pkz{%?6v9Dk*{Oki+>zk zwd}>PIQHS;WmgnNL}K2op1ZO8S<&d5y6#C?&y7Z3U-h0BJMy9R#^GmIKE0_c%&$y; zy>4K{3^UUAV5jo3;tZo6nygt5ZClR!iR)%sk37c8k#xxy_I5ZZl|?dNuF|<1;HY^2 
zm83yq!lB}pS(0aCvR=<=lxvE`O?-2Uo*V4vSuL`^@3Otfwd*(XpI%#W)mlon$a1|v zr%tKyy|pWgOp^OIZae34{pLJ9^@0hVUBjirQfD`>Mn@>&MOz+6< zjEve9p0$jj8kTw{D}KhpmV*mQdaH8o43)UV6tp|*`gzVicr$cdf=$6jZ^xOT)}f{` z1v?LE_psl*yOMHak3~T4?a8Lq?3px5m11X{eHf8-c=HKO8>;I2B!x+&r7Lg=)Y zY`qk}xSF<>?5x>t?+jKOrQVt4mwiw_zLMruElKrzl6t3)E_E<-?E-q@lD2HQx9ijV zm{n~z>Eb(5ZYG2@S1$T6qdPD#RKKoef~C#bzWYrlp0V^8wu_0o%bjyOV@MZX-Cys# zlJ55Ka;V#jrw6>AILtoVwQwr^ZsH{k$-;G(e(gpjJ_Bn#Zp0ZYZ9>18R7sh1e3RRU zlb1JIo6VJ4S~{_7?8;-34~`k0hKs|#G5s428- z<6OZz(ue7Jtzwy)iY1~EW0qd)@!eRSy6rqc>$U7m598<~#XHimluu90T(R~aO;&!8 zIy$x}cSLl;ryagOd*n^z<2?oLdj)8$8{HRq3XjL>kkD8wDxK!fMxMCi@yL^VMj(Uf z973ib??`V0s zR8rF;7#ipjNIE7~o^~eYZVPls4ndA?-aa&cnvrd2M2K&=CzVDSy@nDOlfa8@6cCU> zjh3M%BS#h#;+%u`B`hK!I7UbmX;hI$PAn*bH1l2{Fa{?mJbnV+QD~yie3@y}N1vd? zIE}`rfloDW?$Hz3$+olNt&iQKYeC^x5Gvw7U6VX&eA;uW?*5C45r-@K78w#Q9NL}z zK8TjS!f^7E7f)&|9!6^C)j}lz`ELe;O%UzGrBf%2r@9Y2kDKBiwOerNGXvv#t2*bd zk*Mw7!XhVQ`yOqbH;N+V_a9cx9x$Zc>Nc`p@;0(2{^6QKdF@aMK>nM-kf=I$fHiP# z6xF^&!Ff@}(8%=R$HsA;i3(d68$|iZ*00)vvx(YCoH*CU^3%S)TFbXJw)@zD>FHFZ z$!ag^EiG>AX*<@Qi`fm80OY?J3@di*Fis44;80CKs6dCck5tOlZxk-NQ5dzgZAD@G2&!ZBFir!BdZz`~39J`zh_q zk4{l9nl}(7Z}Tbpz3*=xnAc6%g{+af zp#txvzgwWk-0XUW&+NRKnYwDW1*On}8~W!8OPcogZLZl-V`1{UNB-JRk#bHie^+L~ z>8=c~+l~j|MtlYH;}&kjk34?92a5PPm%r6QYWf?HpYK9y`Z<@s)k13e8<3ywLTdUc zmcLg*YWh2opYB6y`YD#bS3+v~JCUF5Lu&dNm4DPhYWfF~pH)C=`Wcmf)InL=3z#3OAvOJg{sp%JRcukO+cqo2VfYkIWI=nVWO*|C8DnM%b6`ikbkea@d_~jN- z(=YLSZG_bHmBcT%keYsp=Sw4`CVnWPAT{xY2~rbZm>@Org9%a-Ka?Of@kI#*sfjO6 zkec|x1gVK1N|2iPq6DdlKTMFC_~8Vpi62Ukn)spwsfj;Kkec}61gVK1N|2iPq6Ddl zKTMFC_~8Vpi62Ukn)spwsfj;Kkec}61gVK1N|2iPq6DdlKTMFC_~8Vpi62Ukn)spw zsfj;Kkec}61gVK1N|2iPq6DdlKTMFC_~8Vpi62Ukn)spwsfj;Kkec}61gVK1N|2iP zq6DdlKTMFC_~8Vpi62Ukn)spwsfj;Kkec}61gVK1N|2iPq6DdlKTMFC_~8Vpi62Uk zn)spwsfj;Kkec}61gVK1N|2iPq6DdlKTMFC_~8Vpi62Ukn)spwsfj;K|L>)ysK*}X zhP~g7jg?ayF$`1OZISMH@_qmj3jYq_RIY({t6u)3;oDiswhtEeI_aeIOTR9Cs01MY&0y%sopW-; z>$;n>?3SnpEAVg2Mp28CtGu5&#oSn#UD{B-b71z;g}aSw`iZvQCuV$J*<5w?j_v2e 
zwXa5EY42AXr`La;TJz#Vlx5zaAyfj8|70+{++HMcp^FFn(1T zFDtZ$FueNHaNXAax{aBX{_cr+4f^%3p4Iq$Sgn&+Uwo+g)dvPGZ?$0xR05FyW-wHI zSWVw?j@Dn({_YO;k+y;Nql4?K76ma^#Cs;UKbloQyp?MUJO6bCiK?>75BdAe;n%Mc z7_CQBgMC?SCY2n-DKUHk(0C$I3!{nQ6b%fpE)gMA4A$M=CxA*}qp{9mK5TA{1%nxc z#yU}1j4&pJ%EBNobzm|m&QvzW1M6UJfx)^^!`T?Dbr6|GHT|+R`?9t6LSq+%vn`$3 zWHy!4)slcAAm?;4GD3en7pK}C84Cf!{lRVIG@F_-!Z99r9TJ8_!r--t+86>Jr->ZU zlF0}Q;q>}z$lP6Iz{o(DgiD3k#5jT&u0nW3b`C8Q+K(o&LA<7K2}<<%7B<>cgXGiEBO=@ASKbO|IK6DvlUDnm^6RHZ&r{H{6p-ql{idiHk`Hin#~~$e>2cP>RTrg#4bHOT=Z`)?iE&1fi!+wptIQ{h|cnNTUU;vT) zKa?4^)?9pAobFqn^YB6dX-UkSoI>Nyr}Zx`cq-YqImejr65j6?bn`bY%;}!H^h(%O z^##}Oj}S@idw%y=ynZaKNP@>h_X}&f*SYT8bZR&t^cIHK_`8M9Ws-C9v(E+$JRHuM zBep{T$?;h)GKY^+u#l?&zJ`djI3@p`<%IG_FLuLKf#^2ovC53BcK08;Q_1xp_ z`M>Uy_3s{w*H0AxhQ7F%y3_4Weuw`hy~7n5Q{s4yzgv)^Hs8yNtdu*Q%D7z{5@x*H zPFLl3kHzaZrSkf5*Z#zL-g-?5N1MB%6b~}3c#XeX(A^JV3SkOi3fUBy^&p%6ZW{g4 z53(st`Y`E(H|72g0ofF?=^qe)U!mYvDELhue$$8F^x=WjA50^Eb%h5~@Z1!ho5FKb zc)Smf_y2e@fp?+cT_|`L3f?S*H%s9?{Xd;d;5~hKPai&d0v|nrPe{Qhr2cd+LBS`a z;DdbdK|c7rDSX}(K5zQRlL>q*8a@^cpWcU0@586}VUfw7PA0I(1lB^qS}0fx1xxl| zk;$LVB`8>A0*g#wkqIm^fkh^;0QyfS6If&di%ejV2`n;!MJBMwmQwl|A??dnSK6nZP0wSY!f=Okj}-EHZ&bCVx7Yz#Ju&eH@^X^kI(p3RfOS1wfBb8OEyZYnd9}oZnKN5)Z zi!8c2T92j%`?A<*B0{Jbth>EW0F}ZXvoTofATo_=`ekeOWozw)#x4kF zTROAJY$~U#B>_V~&go=ig#LOiPPIES7Htgo2e*;aY--8~$9NDlaTpv<3xn4pAYE}J z5^_XKCL=6_)9tS@b9a#uBO_swgIOVDCN-E6fySC4HRjZnbPCmyNk;aqF>GcSm2+qt zYA}uMkI~jPGQxae5{ky-2zX>@nwWV6O&u)^=fs@zVJJapPAxJnOYTM!!=xc&AYf=L z1>t* zm1)KZ3Sk6OgV`A5wHEY1HkFCI&dkM}N@4g?zjWsk_d`MiqshZc&>`Y+-^h+W9&JWR zFSM|>KnVz-Py)y|YP11mhLRSSkdi=4OG!$Nmywp0S5uUilat5In5m?uM=&(dC6IJX ztUT>Z%-t5~kQ{;>-MoEh{xl=o(1;MYe`pmD6cV1O73w4+<2d>RCC2Gzj2f1RtMDJ0-+MeT%Sri6 zBKE}8`~wFfpZSoxBerkN>6`_-Km&r|e@P2h!h#a$r62I+Er+abDc>yC9v~AV$jaST zXB%d_q|K$wog^P=w4D56V8hn*PLZjx2VfUyKrsAIY2j3{$86^`E%IE2;@ei%%lyp- zJ+xY7HA^{=+B7sK$TaS;viPoYWe389wI)@L{X#g)`x3AVG$0uMm$cyW zESH_>kSv`n@vOr@^|TiGbA(DV{>F!KVd|+%Lxwlkt|d$?Hm`E+m&JM9w<%{h!Y79)&Fp|UW@OC6XDiZhjs@xVHmTVSv*)NnQi 
zYaK+UQBA*W&Ax1{z0lYN;cQE1HknQ3bhRX42*^2|jEvA<&&8>B#}kRV814^lBd6Ka zlo5{c!0X~LI87o3ucd`_#px1|BU&;UVIiDue~p>Di;Nf<36mVm3L!J8!ITIz)(ojJ zr>>+^sFqAJvTu!HGsCEyL)%b;X>5OtwziQG<_nWhG#*F9BSX`~%p+)$NEptEIp@Pr zg3z2=WL%cqjV6XkL&iYB&{)VdaK~)UKs%y;3K)lU`2jGG1~OnqDEfFZ(yMz!!M*i*2afbTCf#(MYGrqrXHuPZRa26OXgd~IMOJ!m_xR-(O zb3*Pg#)E*@*3i`@XcI96ZIT9_s6#|9SWAafheuG8a2lGLNFDNeb1DnD!DJsFruX~> z&d3-Mjuf^7hcg?4BjFK@-;IoOfB$S`B%+3vE=fm67emn0*3i+$;kA(%AZh4mk?zSm7CKsv>S<2M9&^nyFG2xsQJkP?fTQJ<(4ofm?W+9&2yh@ z>>5fJk24x!Y!FVwjv1mG&TAS8A9y6}C~g)xJIeZ~OvUP@D)KXSiCidJy>_7TbYlMg zD6eBCPRlZ_&Wxx9UBz_lJ6BR*;^9BLqhxf{9=kuNrSLVjX4&nIp(yX{jpcel%hSsB z(T!IM{IAX%YU_wqC3!y!UbY}(^Lep#7?mY6i*)=Z?riODZ*8!Xr-e)q-i=0A3o!@ox~AW)jGZ)Q-gG?&4R(8?yV`Eom$u_iI;9CQ zva6#PR(3R4T_Z7@nP(ro^pe~>t5{ul&#q|S><4ou#o>}rRpeskgheLtIxm~)HNW8Riber4{q%>7)_wai%^dC8gD36sXJ zzMziPlsK|z#k3BgrbR0jb+|dJAGR%yG|TSPaNZvB(MO5tmR%K^k%JErrM-Q7-65<_ zBIRhg-?kh@#um!in5p%(n$Dv=Z#&=izwXtjSvOkOV0<;|<6%aVo8~nMk^IvdHOnxk zgsb0nRSP@cls@wieX968z34#4gV_C80Tn@i!MkEdB-S%gPf*P))E@77r$^S+S{&K9 ze)XB6!Qg@M>nE&_+&i+tMw0EX_U@{QgOGoU*qoH6$!xjXGv@8DWH1XG%ysUU&O<#z zne>ih)W1_&?TS(xc&&y~P~Wyod-3`=K6O^BuA1Fgl~hnz=DtSCv@vJn0$cK{_HMUZ z_$fzD3Hx`8qJlo7jwp$_JdTJJO567gbzX=ZwzWn|^wTScJu4@#SxLG^+gjq@C9=n? z#f0&uKJCrDFjS8`N&m_EyzUJJ<6ES!>t(w;>9*~0rZ&GRYwvJy4J)00T5WIJj5?hg z_W~x%FOkVgTfO|^I#ks|$@TSmX~&yTd0|4!FS>@$)4!FYB$#)>RJVLX{nBakS1rwV zZI;`gqttxvLRLafV>2_mGuLT*NdD5HwyEw*+O8~}*}Sg$SO?`uz?N}|nPx_34qO?) 
zWM8bEp|0rnLdiWbV|o24!Ak9oJ0|W}Be7MSIXeLp*Fq4M960hwv@Op|pR}toael_( z@h!d_JMMVb^TJnWV~f)Hu`C^TRS;EN^?3-+uSct$Rw5nopb)((Qho2(XYKy@N+ImTxzhy?ji(zvlH9n#H*M|k5OL=W zp;;}nSF3xxS{qNlyCdpsjnCDMYtMA0HB+#oi-&8cM3rb2-Z=U|IBJbb_vUwYw}Quu zeGoG+H@>faHNweZ*?XDQ3aO4hc^7+W0IsLVc0LmIu}mv0J8i9H2?}qaOG6Po_W3+4In5XYuI!&w3TKM=KKtduv~WEiP5_ zd;Q|-bh4y>ZsNeY^d_N%$=?%g#nHWN#`R zj6U6Z#c;#W!vkAejMf(&eY2x=DSLD5#!LD_t;^P`U`8B5*38|ruIpAi8PmJRXwxTE zbgNwnO*(42^hZ^br}Uxa(uYY)1Q>S(b98#AP9v3!{j}09YVMo0%!cOpO+7EA^@Rkc zw$nb1n71^@uG{ijbt9up_ES&7YRz>Sj#>HYGXu9J9AB!ca&m~Qn|h7OsJ^kWL-lOu zs6^?C+ib^jA^NxSN!{f6?x<~W9_;_mPy?aANh1FhquNZrU_H-scI2~j*8((rVBza@qIJ^45=U106i=26| zRljs0fqgK1U0!@7u}GIle6Vlix%gJ8i&4k+jZ*A_67(qgo^?Yr$aQm{w&=h8oU7k7 zp#18N(EjT=JyM64gm2dLUG-4+lF}2U{k6WEr@vyI5xSvx$uu9WPkov^I!=-ha+Ks= zaIIb--MP~tTT1)toQry$YfrQrO`4o)|D+{dv3!cb#c1ki)s|ah6O?TyNUiF6ZZuVTN$sj(o5Wf!J@jX24Hs8b z_f-puy1P-CHzJ7s_adSXK7W~{t(q2azq?2?DA|JASk~UQI5@S4`FhKi+4ieUa0dq@ z44spUOF9%DO)*NnJ%096FGq}0)6o!{@B@?