From 0598bebd571d0f61b9c1d0c941914a370f5c2293 Mon Sep 17 00:00:00 2001 From: Heather Flanagan Date: Mon, 10 Apr 2023 15:04:13 -0700 Subject: [PATCH] Updates for Issue 11 --- ...-future-of-decentralized-identity-final.md | 158 +++--- Digital Identity/fig1-identityproofing.png | Bin 0 -> 82404 bytes Digital Identity/identity-proofing-final.md | 502 ++++++++++++++++++ .../non-human-account-management-final.md | 278 +++++----- terminology.md | 333 +++++++----- 5 files changed, 921 insertions(+), 350 deletions(-) create mode 100644 Digital Identity/fig1-identityproofing.png create mode 100644 Digital Identity/identity-proofing-final.md diff --git a/Digital Identity/a-peek-into-the-future-of-decentralized-identity-final.md b/Digital Identity/a-peek-into-the-future-of-decentralized-identity-final.md index a0cd468..c8c9872 100644 --- a/Digital Identity/a-peek-into-the-future-of-decentralized-identity-final.md +++ b/Digital Identity/a-peek-into-the-future-of-decentralized-identity-final.md 
@@ -258,40 +258,40 @@ decentralized identity flow. Suppose Sam wants to purchase vehicle insurance from Example Insurance, but to get a good rate, Example Insurance requires proof that Sam is a -graduate of A University. In our decentralized identity scenario, the +graduate of ABC University. In our decentralized identity scenario, the actors are as follows: - Sam as the verifiable credential subject and holder. -- A University as the verifiable credential issuer. +- ABC University as the verifiable credential issuer. - Example Insurance as the verifiable credential verifier. The following sequence of steps represents a flow where the end-goal is -for Sam to receive a digital diploma from A University and then present -it for verification to Example Insurance in order to claim the +for Sam to receive a digital diploma from ABC University and then +present it for verification to Example Insurance in order to claim the automobile insurance discount: -1. Sam receives an email from A University congratulating Sam on +1. Sam receives an email from ABC University congratulating Sam on graduating while also providing a QR code Sam can use to scan with Sam’s mobile phone. Sam has an app on Sam’s phone that is registered to handle such a request. This app represents Sam's *digital wallet* that will hold all the *digital cards* that were collected over time. Sam scans the QR code, the digital wallet app launches, and Sam is informed that in order to receive Sam’s digital diploma Sam - needs to sign-in to the A University website. + needs to sign-in to the ABC University website. 2. In our case, Sam presses on the link and enters Sam’s existing credentials to authenticate on the University's website or if Sam didn't have such a credential, Sam may be asked to come in person to the registrar's office to do ID proofing and receive their credentials. 
Once Sam provides their existing credentials, Sam is - informed that Sam can go ahead and *accept* this digital card from A - University. Once Sam accepts the card, Sam is asked to secure this - operation with a biometric, such as a fingerprint, face, or even a - PIN. After Sam performs this action, the card is now securely stored - in Sam's digital wallet. Sam can inspect the card, view the data - that the card has about Sam (which was attested to by the + informed that Sam can go ahead and *accept* this digital card from + ABC University. Once Sam accepts the card, Sam is asked to secure + this operation with a biometric, such as a fingerprint, face, or + even a PIN. After Sam performs this action, the card is now securely + stored in Sam's digital wallet. Sam can inspect the card, view the + data that the card has about Sam (which was attested to by the university), such as Sam’s full name, major, graduation date, and issue date. Also, Sam can view the activity that this card was involved in, such as when it was issued, to whom it was presented, 
@@ -307,19 +307,19 @@ automobile insurance discount: website on Sam’s mobile phone and notices the *Verify Credentials* button. This is a deep link and when Sam presses it, the digital wallet app opens with a permission request. The permission request - indicates that Example Insurance needs to receive a A University + indicates that Example Insurance needs to receive a ABC University alumni digital card for Sam to get Sam’s discount. Note that Sam doesn't have to authenticate to Example Insurance with a username and password nor use a federated IdP. Sam can simply present the digital diploma Sam already possesses in Sam’s digital wallet. In - our scenario, Sam only presents Sam’s A University alumni digital + our scenario, Sam only presents Sam’s ABC University alumni digital card to Example Insurance, but Sam could also present other digital cards Sam has in Sam’s digital wallet such as a digital card that proves Sam is a resident of a specific territory or to prove Sam’s current address. Once Sam authorizes the permission request with Sam’s biometric such as a fingerprint scan, Example Insurance now receives the digital card and is able to verify that it was indeed - issued to Sam by A University, and it is indeed Sam who is + issued to Sam by ABC University, and it is indeed Sam who is presenting this digital card to Example. Once Example Insurance completes the verification, it can now offer a discount to Sam! Sam can now view that Sam’s digital wallet app has a receipt for this 
@@ -337,20 +337,20 @@ automobile insurance discount: 4. Sam can collect many such digital cards in Sam’s digital wallet and at some point may even need to present multiple cards, such as in the case if Sam wants to attend an advanced enterprise architecture - training academy, both proving Sam is a A University alumni as well - as a certified enterprise architect. The academy can then instantly - verify both credentials presented and enable Sam to access Sam’s - advanced training material. + training academy, both proving Sam is a ABC University alumni as + well as a certified enterprise architect. The academy can then + instantly verify both credentials presented and enable Sam to access + Sam’s advanced training material. It is important to clarify that Sam sends a *verifiable presentation* to Example Insurance. The verifiable presentation contains a nested -artifact which is the *verifiable credential* Sam has received from A +artifact which is the *verifiable credential* Sam has received from ABC University. In this manner, Example Insurance that is acting as the verifier, can verify the following two critical elements: - Based on the digital signature of the *verifiable credential*, Example Insurance verifies that the verifiable credential is - authentic and was indeed issued by A University to Sam + authentic and was indeed issued by ABC University to Sam - Based on the digital signature of the *verifiable presentation*, Example Insurance verifies that it is indeed Sam who is performing 
@@ -371,25 +371,25 @@ and will not be detailed here. ### Setup -1. A University represents the issuer. A generates a decentralized +1. ABC University represents the issuer. A generates a decentralized identifier (DID) tied to a public/private key pair and registers - their DID on the dPKI. The private key is stored by the A University - IT team in a Key Vault or Hardware Security Module. The + their DID on the dPKI. The private key is stored by the ABC + University IT team in a Key Vault or Hardware Security Module. The corresponding public key is published to a decentralized ledger such as a blockchain so that anyone can find it. -2. A University IT publishes a DID document that associates its DID to - the registered public Domain Name System (DNS) domain, such as - A.edu. This represents a domain linkage verifiable credential. A +2. ABC University IT publishes a DID document that associates its DID + to the registered public Domain Name System (DNS) domain, such as + A.edu. This represents a domain linkage verifiable credential. ABC University IT can host this file on their website which both proves ownership of the domain and the specific DID. The verifier (such as Example Insurance) can use this DID document to confirm the DID - ownership for A University and ensure that the verifiable credential - it receives is indeed issued by A University and not by some other - issuer claiming to be A University. + ownership for ABC University and ensure that the verifiable + credential it receives is indeed issued by ABC University and not by + some other issuer claiming to be ABC University. -3. A University IT develop a contract that describes the requirements - for the issuance of the verifiable credential. For example, A +3. ABC University IT develop a contract that describes the requirements + for the issuance of the verifiable credential. 
For example, ABC University IT can specify which attestations should be self-issued directly by the user, and which other verifiable credentials, if any, the individual must first provide. In our scenario, the IT team @@ -398,18 +398,18 @@ and will not be detailed here. receive a security token and extract claims from it, such as first name, last name, and student number. The issuer will then be able to map it to attributes it will issue in the verifiable credential. - Importantly, A University will indicate the schema(s) to which the + Importantly, ABC University will indicate the schema(s) to which the verifiable credential will conform, so that other verifiers around the world will be able to consume the content of the verifiable credential those verifiers receive. -4. Finally, A University IT administrators can setup and customize the - branding of the soon-to-be-issued verifiable credential cards such - as card color, logos, icons, images, and helpful text. The +4. Finally, ABC University IT administrators can setup and customize + the branding of the soon-to-be-issued verifiable credential cards + such as card color, logos, icons, images, and helpful text. The administrators can customize the helpful text strings via metadata that will appear as part of the cards based on the attestations issued with the card for credential data. This will help design the - look and feel of verifiable credential alumni cards issued by A + look and feel of verifiable credential alumni cards issued by ABC University, and ensure the issued digital cards reflect the brand of the university. In the future, these graphical elements should be standardized so that students enjoy a consistent digital card visual 
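Review bot: the rename to ABC University is incomplete in the @@ -371 hunk: Setup step 1 still reads "A generates a decentralized identifier (DID)" and step 2 still gives "A.edu" as the example domain, so the issuer is now called ABC University while its short form and its DNS domain stay "A". Suggest "ABC University generates a decentralized identifier" and "ABC.edu" in the same pass; the domain linkage credential in step 2 is what lets a verifier tie the issuer's DID to its domain, so a mismatched example name there undercuts the point being made. Minor: step 3 "ABC University IT develop a contract" should read "develops".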
@@ -425,31 +425,31 @@ and will not be detailed here. Sam’s user agent to retrieve the requirements for credential issuance as dictated by the issuer and to display the appropriate UX to the user via the user agent. As such, the QR code is displayed on - the A University website and scanning the QR code opens Sam's + the ABC University website and scanning the QR code opens Sam's digital wallet mobile app and triggers an issuance request retrieval - operation from the user agent to A University. Once the user agent - receives the issuance request from A University, it begins the flow - to issue the credential. The issuance request is digitally signed by - A University and the user agent can verify the authenticity of such - a request. The issuance request includes a reference to the contract - that describes how the user agent should render the UX and what - information Sam needs to provide in order to be given a verifiable - alumni credential. + operation from the user agent to ABC University. Once the user agent + receives the issuance request from ABC University, it begins the + flow to issue the credential. The issuance request is digitally + signed by ABC University and the user agent can verify the + authenticity of such a request. The issuance request includes a + reference to the contract that describes how the user agent should + render the UX and what information Sam needs to provide in order to + be given a verifiable alumni credential. 2. After the user agent verifies that the request is genuine, it renders the UX to Sam. Because of the specific requirement that A has for issuing digital alumni cards in our scenario, Sam needs to - sign in with Sam’s existing A University account, which, in turn, + sign in with Sam’s existing ABC University account, which, in turn, will issue a security token to the user agent with claims such as Sam's first name and last name, degree, and graduation date. 
(Note that during setup above, the issuer can be configured to accept security tokens from any trusted and compliant OpenID Connect identity provider and the user agent will use this identity provider during the issuance process.) Therefore, when the individual presses - ‘Login to A University’ on the user agent, the user agent can + ‘Login to ABC University’ on the user agent, the user agent can redirect the individual to authenticate with the IdP, and it is there the individual can perform standard authentication tasks such - as entering their username and password, performing Multi Factor + as entering their username and password, performing Multi-Factor Authentication (MFA), accepting terms of service, or even paying for their credential. All this activity occurs on the client side via the user agent (e.g., a mobile app). When the user agent finally 
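Review bot: in the @@ -425 hunk, step 2 still says "the specific requirement that A has for issuing digital alumni cards" one line before the renamed "ABC University account"; suggest "that ABC University has" so the issuer name is consistent within the step. The Multi-Factor hyphenation fix is fine.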
@@ -475,15 +475,15 @@ and will not be detailed here. Sam’s DID and issues the digital card to Sam who then receives the verifiable credential, which is a JSON Web Token (JWT) following the W3C standard for verifiable credentials. The JWT includes both the - DID of the subject, Sam, and the DID of the issuer, A University, as - well as the type of the credential, and any attestations such as + DID of the subject, Sam, and the DID of the issuer, ABC University, + as well as the type of the credential, and any attestations such as first name, last name, major, and graduation date. It also contains a way to find out the credential's revocation status in case the - credential is later revoked by the issuer - A University. This + credential is later revoked by the issuer - ABC University. This verifiable credential is digitally signed by the issuer's DID. 5. Once the user agent validates the verifiable credential received - from A University, it inserts this digital card into Sam's digital + from ABC University, it inserts this digital card into Sam's digital wallet as a card Sam can now present to other organizations such as Example Insurance. 
@@ -494,25 +494,25 @@ and will not be detailed here. ‘Verify Credentials’ button on the Example website (which is a deep link) or simply scans a QR code generated by Example via their mobile phone. This generates a presentation/verification request for - Sam to verify Sam’s A University alumni status. The request + Sam to verify Sam’s ABC University alumni status. The request describes the type of card(s) that Sam should present to Example - Insurance, such as Sam’s digital alumni card from A University, and - this request is digitally signed by the verifier's DID, which in our - case, is Example Insurance. The presentation request can also + Insurance, such as Sam’s digital alumni card from ABC University, + and this request is digitally signed by the verifier's DID, which in + our case, is Example Insurance. The presentation request can also include Example's terms of service. 2. After the signature of the request is verified by the user agent, Sam is presented with a UI on the user agent indicating that Example - Insurance is requesting permission to see Sam’s A University alumni - card with a reason as to why Example needs to see it (such as for - Sam to be able to receive their discount). + Insurance is requesting permission to see Sam’s ABC University + alumni card with a reason as to why Example needs to see it (such as + for Sam to be able to receive their discount). 3. After Sam approves the request with a biometric gesture, such as with a fingerprint scan on the mobile phone, the verification response, which is essentially a presentation of a credential response (also known as a verifiable presentation), is sent to Example Insurance. The response is signed by Sam's private key and - includes the verifiable credential issued by A University to Sam + includes the verifiable credential issued by ABC University to Sam nested inside the JWT payload. 4. Example Insurance attempts to match the person performing the 
@@ -522,18 +522,18 @@ and will not be detailed here. the DID of Sam is present in both the outer JWT payload since Sam is performing the presentation of the credential, as well as inside the nested JWT payload as the subject of the verifiable credential - issued by A University. Once Example Insurance confirms that the DID - in the presentation matches the subject of the issued credential, - Sam is both authenticated to the Example Insurance website and - authorized to claim Sam’s discount! This is much better than simply - possessing a username and password, since, in this mechanism, - Example Insurance knows that the person presenting this credential - is the same person to whom the card was issued. With a username and - password, someone else can use it to impersonate you. In this - architecture, however, this is significantly harder to do. Someone - else will need to take control of Sam's private key stored on Sam’s - phone's secure enclave to be able to accomplish this malevolent - task. + issued by ABC University. Once Example Insurance confirms that the + DID in the presentation matches the subject of the issued + credential, Sam is both authenticated to the Example Insurance + website and authorized to claim Sam’s discount! This is much better + than simply possessing a username and password, since, in this + mechanism, Example Insurance knows that the person presenting this + credential is the same person to whom the card was issued. With a + username and password, someone else can use it to impersonate you. + In this architecture, however, this is significantly harder to do. + Someone else will need to take control of Sam's private key stored + on Sam’s phone's secure enclave to be able to accomplish this + malevolent task. 5. At last, Example Insurance can extract the data it requires from the verifiable credential such as Sam's first name, last name, major, 
@@ -551,7 +551,7 @@ and will not be detailed here. and will always be under Sam's possession. 7. Some implementations may further enable Sam to go ahead and decide - to revoke Example's access to Sam’s A University digital alumni + to revoke Example's access to Sam’s ABC University digital alumni card. Example should thus implement the necessary revocation measures to ensure it complies with Sam's request. The verifier should then cease to use the data from the card Sam presented to it. @@ -564,7 +564,7 @@ and will not be detailed here. ### Scenario Summary In our simple use-case above, the issuer of a verifiable credential was -A University, but in other contexts, the issuer can be an employer, a +ABC University, but in other contexts, the issuer can be an employer, a government agency, a device, a daemon process, or even the individual. Likewise, a verifier can also be any of the previously mentioned actors. The decentralized identity ecosystem is very broad and the standards @@ -753,10 +753,10 @@ experiences and unlock more value for everyone. Change Log ========== -| Date | Change | -|------------|----------------------------------------------------------------------------------------| -| 2020-10-30 | V1 published | -| 2022-02-28 | Editorial changes only (changed example business names to non-Microsoft specific ones) | +| Date | Change | +|------------------------|--------------------------------------------------------------------------------------------------------------------------------| +| 2020-10-30 | V1 published | +| 2022-02-28, 2023-03-31 | Editorial changes only (changed example business names to non-Microsoft specific ones; changed A University to ABC University) | Author Bio ========== 
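Review bot: in the @@ -753 change-log hunk, folding "2023-03-31" into the existing 2022-02-28 row makes the table harder to read, and that date does not match the commit date in the header (10 Apr 2023); suggest a separate row, e.g. `| 2023-03-31 | Editorial changes only (changed A University to ABC University) |`, with the date confirmed. Widening the columns to fit is fine either way.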
diff --git a/Digital Identity/fig1-identityproofing.png b/Digital Identity/fig1-identityproofing.png new file mode 100644 index 0000000000000000000000000000000000000000..5b3b75e0c7c98d1157281ae65bcd39cef4e9da38 GIT binary patch literal 82404 zcmbrmby(A38$Y@+Iz>Q08Wa#IL1LpuhmwLIt%3+LKo}xDLb@j1DJh|pG>UY0cWi)w zFc9f8P~Z1Gzw^hru5PKRW`66Kqnn#IY3Dt<2v>iTq{|1SpeWuB+2PhJnZj84k}Na003Ib%O7ADCq@PU zxcH!|AglY<^hYW|0=3?+U+%hscLPT8oN$1$&?v?iZctrnYK|-%Vqel8(lr`IMM|Rg z*()hd0l)wt9u*JI+Lw^0CeE{GMGTE6snzJ=xtf{nlD<)4l&1$v%JxQ=^QL}YpVT%TM@)Br($jx$8;r z`45rWFYZnv$gvA&>E7Oh3pLNE`!mizcSAtVY5vHj%lHG%02`K=2f#jLt#8oVii7>v zrofGLYNvCSw$s1#2q_ofz*SgHR^(L7fEMkz(U~T!%L-L^-^&gs$hqn>@dr{ZUBC3cm)vUe-iGI#u~3?bPY=T?iyhBq54;_ zuM<`JvgA?_IBRQB&DpV#M0w?27q{16Yh8i8!+{^4a65j$J<4ykWg48vL9-{LV+e5| zh?|rS3Jt)q-`)U-&Xbwk0&~Lv#~!gU^89~$QeE!Z83U;0_6MLC@?!WI@A|k z03I5_cMdp}|JY|o^mQn$s|qPvoR%s!0%t(^mekaLR#`^^YCGhgK{YKJ#o5sbEKsJ4 zkUw_tK?C@c3EHNTYS$3%L5S6NNx-qox)rG0`8z_R?K5nXx{CvMqq`!?_giHTSmZYI z>(#i2MGHe=VFzbiN1DG`Ti!`?r$>KMuU_y&+06u-}FI+{oX=vk>CB)GT*3o8FsP7HoA0%#4zQv3Z zT@a*%gi0oz^3Y@ay}A0?$8T}TtpW!Q`n$T`V9D1uhD4sa2+bSAci0cPxHgm?-B|5p zcmObsr>a*P&5X$H&!?uf<){*w+M>4fheMSMAJpsVqwl|7i_RzJpY3>&Z0*JaHjRxZ zJZ2S=cAq+WfR$ud%{O4J-OS4fHZG(1C`zPTcuL4>joz1oy^-*D+&LN_qsUbHZb3EM zk3)1go9}}lc{Sf}Dx%QfzE2A9Yom*&d_sGZ0;J-B5A!U3y3Yj|=$QhpY&VH+VAt@M zqsKKZOUEqx`*!zJ!Yp0M1{!Kj0}0ELRGX8nH}9$?0?_c6esVliC0`vt*C+ik#14I0 z5pPH_5qfS~9J=lfxQWxG<*@L_SOY?;=#tYA4?H;z=cFMk1h}OT6V&fd-nN)wE&gVY zJD|vnBtl<{WZtNn2lkPylx~XjFXO?h7mEGznP(Qz5>xM~I!^J)mF~}__CtE|b-26KzOb%P)OIBV_M4DLtnlI(|U?nQY+T>>DQNjoGKH zCneYe<*I`OFcCXvKV1ySba}s|-lUtGa<4uFD*p0{c#X1b^l|JAaR00LgW?9msAKnN zpIjpoic213!}&Och?i!#{@dd&{mII;K~(I^o4SswHN6MU9H#+ZcM+zd@9JMeDjoxS zC{^2?eY`2ztTL1dv^*lbVHDqflg_sfeKMeUJi+`+eOIKoI@zr*qniHZD>~K#SEo9H zWEjAg!M=#;WDzwQ9*b)rdZ_57JCx0bh>LrO>0?uVS~)a^J8dzDsV6wKxlCj)HyTr(Vy!#+R{) zX|aFnns9FS`JDB-9hSp5EwK;>v5uGaN{@k$K?62Q1Cbo_a?-*-wcALhxe=x>@D|8v zKD4<2oKCxk2dx)QLkYnPjN}Icffcl;{D$k=YeD1eonv-W(ti7I)aLCP_&)i3D25S_ zo4zyD;GUe)^GxkIyJmfUEDa|?+x^n}*nJtuGue$@S 
zVj#*XEjq7r=oX@}Gn@{;J+q%_cWZF&OEFgXfCgSQK*Pgs(J8L1xs*V=(1=Z(vgZ(^ zo1|V08+8t97Pzxxq7zeOc8B|}XrU&T@`%haAgou!B5boPv}a57W3^QM!)ebJ+Y9w~ z$8%L0gFlK4;_qU^e41_rqE8ISRNF!?M#v=i^cm0m2aDuyKCmyzINzI`LFhrzvBk0O z`d~CBVhx|Zx0gEydjc(?fR`ydziE|fN&LXgvs=4slJE+m-%_LwsQU>)6!ii7ucmwL zVdJohaaTzMb0Ms}mnwZ7263!HA;GXgtf@JNRGezfw@-7n)f!{t+g{ELPVFS!1|mX< zk&-qU+=Zv2#Ps@Mf0eTbDM1#}PWRME48g3f%R*djx~6_>j3Ec$7IPgcQ2tFM48w#U z1Ipi}pNe+suzMFIQ33);o2Q01z3%(|KCo~6S&rxZl5%J;FsN9EwAS)Pm|0Tnw!)9y{!!7Fna%`28E(l#VTL~M^ zB*$^j!7wz9bFBXMWG^9V*dlS3%IaNwHD+s+-OyJvTV6TnHr=+Bwk2#*wIe@EAlG}> z*oe{k=+wx-o@E(E_1xs2cQLWw-)}Pr)G~Tbr38wJ}7JXVmGmv8R8Y#e<}?R*SIz_rcH6X zk@+eAT?U(5+QRHicQaaEo_vv)oYf=A!c5Dmb{ym`g& zW}^0!3%trl^2F?)Wfp#!h=bJyE4cgl+hU$h+9^Gzq|eZ0&k!*s+^v7fAQ2NEh;+Oa z5eLc#P6FhOtTb{87LpdMqs$__k6eDIas1>3$e=#7{PuRbSv~ZiC*U&?N~>bLW^Q|Z z)zW$MXHQ6l*Kuv8$x;TeN2KMzQVE163_(-esZHmYo)et<^`PQ}XT}j3Vr}$CxDf6@ z$9!4G9wnwZ#kHf?ekB5+`OV6q-T-|9BT=zjJ3C^x82|7Cl+twl(~X}c)5c0)4v3wp zg4ghgZsQKH`HpFJx?5*w7waJJWx-mKaYnQVqJp~u00Sxyi0~#v7iFn4$e`^_zo&b5 zuH9d-Y&{kXT>u@Ap<&$2_4gbmT4SR~1=pCINHLEK{W|&I}@^HzhOt2fSspK2v!e-@)^}i&mV8f3;5Yo)Jpw^b3 zVL2%?RHXz_R-B`qLpa3Vs5VdIetm0B-L#I|iDsj?_zFE1&@9Bx+RbyO*9*G`Y1e$yxyh3v;)~zJ7IOr@wIRdlN1GeU4))4+K$=B)J z4Vskop<&VrIH*fh+2!%)Yl3n&aTYpXF$q)l9xl24&8x7n_B{_iywrK$5-Q-__ZKC) z%I(TkVo|h=_H#hl2GPX(-=g+AA+Xw3x6Abar50c7EP2C-?{bl6;lb;s)@hc3hAGpE-5?iRhy|^bVofm z%uuG*t~q;CsGD@d)uNfElct08hsQr*S*D%7yR9kS{OAj2{70jr{-82~v6&ncNhF0M z&0h2np;2XxY>$rQV0j>&L~4M-JZAlyaIM`TMA`c8-;mNbdte59vyk1vm}!Bg{7E?( zqqkwK=3||hhrCdbP7IquA)HgHkB@jzg@0t@xe+**%Wd0`HEt5)}7!8i?8B|pm z!5dP{bzo+EArb%H+Hmc|%7c#44ivH|3b-z=zYD#i{a5L8`nSZbKtr3e; zO7~4zO)QApFC3=9F%O4@rr)2f?CUBnveZmW%14Z`m`8t7okMEAl=3q?39nMm zUg3t9H)xSS8FUO+6#q~xKeQ>rLxesmLIpBp5)~ccL~YG~g_W^y))yEorjV(Wj&85J zTR+z8v_fLJtabP?3`C1X1J{FcIA-y{>uB+i4SqClh$LKE?63CgGv6+z@I_&bo$-*v z7Nstv-d!K=0ixI5k6Wo-A?fUpZ?7qEq5hkGt2JH6L)rSkwF$8ju;-druv4~ERAR0r zN9RLsA^sE%IvCXMr<7y2zk&VE4l76R>P<({BO#$y!)S*O22}QSR0Jh{+=}Lqd5IbL6~m;<0JpHYx8Oq{eP?I zO2^*0dLs6pC+9KN4t-c_(BGkai 
zRQt(nLY(&D=KN;UgV-|Te~Ma_Beg;ZDkM_Elt$$z z#I-xjy(2ZK4JQ?B^6_AzUx3rph}6)~BTNI0!#zZwly3MET*L3#<01HX=2+2IUZUZ1Mp9I{2-$f1)8ZQSWf|GadaYyYbL0B;!uFsEa^z2=$UfyF=fuU$h4 zs%4f%QPbuGWwhL8Wf};b**+efmYnGRBVGo2Yd(aNLN8Daq1b$V$PTdj_ANksQFiIN zP#53QA`X)xa_L#onvUH_y}9S=%r}!^*ooLp)c$N$?z#H%%>mv|GOyFj(;eZdvP>tU z^e6iNPD2fn91Y+D5CBMNv;gZ?QOHnoErJANZ4GER=C7w|8WbQw8YLwxL{yyuGW%f4Am0#$~^YZ|0~7Hs7{!qhX9Z^U3mQvmfK$ z3FQ+pj*Z~C_J2OCE0%5ucoVxTEi02lDB*o56BGw6RX!JL!pP=^4s7n6q+=| z7!zlq@EW)VxUJBI?D8cD?y}IelQkp(-C8h?Op7Oh+Jnufwa>k7Q`w%}r|j#SuFq84 zB7e*M?Fboi#{1XT{+(r0zyr3^Ptzu4|pkf^gCtjp7H z%Hrg^UKT>Y{=;1=DXrsdDbijf@z;Oy8C5UA_TE!eq;w-FRWm#^i?Ka9U%s= zDR({nDB%Y-mR_hgSI&gV)b1|Su;kBsU8EnM$y_{2#czC;+P0SKB9N#a+IDY{B?-G( zLf~Ilo8@>n;7J0I_6?#zai_8vCKydRyhk@s%9h;+##fhfBLNT%8Y=W2)LYFSzlm{W z`Z#voGjL#A-b`QO@J#(v79RZfvx_rvjr?DJz>EEIf7G$vo7(+W2>6+WF ztepbkPt2e1UIK!!4&dH0?SBgud=#tb&^S{?AwP-h^q3bh$78=tP(hB+&tU-$QL2s) zoBRaO^narKhtWP0Iyf670huZ%wD*ueCh#7q_v&Lh`jM&&Tf38H{>lrC8IHJD{xcx_ z%bH%Kj9L*6Lh+UfOY5jdP>A9`8Noi* zz_;`CtToz<$X9Z*yU34;GN=TU2cP3T`RC8rLvaTh3V5gVWs*+#V}NLT?_-L}!bh3mh83gJR2;wnRb1-Ozc0i*f^;rcl>(_N>CJi?2GAOQ% zFs++yrZl)M)b(_Xm17i-qn16Subt;c0?mK;#=hX*wMV;6XZ`1mxr*r}sR|AK_s9*M zK-ctZ*qTq49k@#wClg1U@5Mq2JEL2*q-p;J4OBZ_xGXV6%T zA11kt=jMLL>!s79rSlEwkNWqgIW#`5--I#%HYq$wH*wZ4@edE?I`l9uWqDD6ck-_a zy?Q}Lqca7XMIW33^2xf}^G%ZT3aSrzb<&&al+L!w*$?{d)kb!_-Pf;Wv|c2)-T!fM z{`)iNSCu8_FeHPvIBfxNd{Qd#$gH8s^z8Sl=z;hAw&NJdW?pG2%pIOj&D94dW7KR* zCf$DxC8n9e#dr3(g1ND-SYv)LvDSixoR6n|ncUZ)&Y1t*;U;qOE^lP%Nq>R!1LdOk z;g3d)1o*Vl8ynO-FV=4ybo(%oXMkQhza3q?G5Xc&VGD# zzs^oWmG0R=gY!mUe>H@H(Lms1dShcf8E4rv;1Of``c3ihFzr`JM}IFM!WmIJCkFkK zDp+FczjN6q_vHa+;U*YzARMq6l~@oN#5L`gyRCci+bys>wWC@&0-`+OtWxchD=s=L z;&A8ax=`U}in7u>rtRj?U$R-3W$Rl!!G#@0<#(=9iukW#Rt~&ZM^H%a zQUy+u9W==Y#;-$R7d6i8fQJ6&Nt$U$u+qtCV4cOAzKcjR7(R-;d7%G)OG)n2{_%~m z)|a+Oihldf`=N&Hu2GdIx@{K+(sfsZ`NaRxfkLTYqx&W)fdQp9e!e3U93S2ck(Q5f zU08XxS>N!(Oa5^Y>=jqR(n0iSpZcTJExeD*nYd9ATS{FdIwt$?!*I~S!l@_!&upj* 
zhFe1O$MvLK$`>CF_mwDoJr3ToJsAjJ#@i1}Pt3`Ua5wHvI*lKQ8DH)>qN5r+nuH_FLqTby(V9xd~h?)bq3*FNfBFZ z$spT!a`bgs&5!Fd?JA{WQIv}Is!9y6+2~!-GfEE1+W)153m^U?aJd{K+F!lZZc#g& zT{IH&DH6QS=afsT```ry(OP=8AG+PX7|u##&72ZQ1|`VHF#v7>3>1=@-ntZT$h--4 z2AevT=EXq{1_$YHtV;r%p%7*@(;1=ONjm_99o^A@#g?{p0JmrAsIx7LhH&U*E~kvd zyDEj~zPOFpmU>$E>8zt%>Q{`7dZESP>~RvzjI#x6bsyWp-M$5PMpwchyAt(?u0}(q>IDV9n!O1;=Y_TWtD7<;h_h(i{SURRd$v;iJ0382vjvh^e z38zxiN+x7vqvxB%#WRqNTUUxYe8~~D=12xk_Mksv|NPhf-(mH`g-VD*21dMhjO~L> z9q4$=?z&W+C90S?U%V0V_-#(mhjfqV%M41(u4mVgG8IVNTzTr`7Mi#OT)sHqhGg{u z+!WGT=qm?nXW+H%2*ti%OE4e^QssJ(MQPJrxT}$8pwKTfad!}-o7m@CL0KJDdK+8$ z!R7&%Rhil3pl>3o>y{j|_ zLVkd|_;7{TgT5@4Kv}$)vr>L-ipUvr6EDcj*{-4n4~3d4yKe-+^_(xP4VJ@QuQk*t zAVH0XQ#w|4uvB^M5w(ZR|5Zf^Ru$?@*A=<+rGM>{*i@lw+!|m_ZOcX%pLN3Nci#dY zQ+zw}UH41r;$zScb1qC|4PoSW>vL$0B6qM-Y2TmssOT(6CGSwCm!Eda8JcA=%QvMP zmib);sQLAlRn~^2iXJ2c?Az7y2_%uUa5!^Pg{hXT8`EAv2<@6UK&^|V(x4{W^RhUb z%4r#QGmZHyP}Lbj`1Gt<&asq;s`||X?ynnPH8RUNW$68#R?Imn@nVgxDJq2!IQGK^ zon|39PSOxorlV<71RPt1uEs++jkpn{JWtlvc)!TF+3&z#z}G2~x_pVV@;$5>L~N!# z8(a77Wf!t@2r(4A1mXD|by(+Gvd;}c;GW<+XY{j;i*MxcsBg^Qw|n>|Jg92`$7BEDmQAe^HXoIhp^Op5u>W0+#mYz!FjXugFT5-+d z^;2w8Mix@FiAOz=Ir8PdILj7=n<@-8nAp@tj-C6ZwdGY5ze5^*u9M*=o|77^Y3@+RHTDH%0m|LviY7F>=$)xbz(En%wY~z zYU{f}QJ}U(`sg$*;dNn!9+akg+d5rvKDe+lL!KL=jHBx;KK_722~>z3?(o6%+)J&y z68(?Rg$dPH_cFjQkEPkx`4b{x=fDTGp<-AA^jwdM@XVISmY)idn^6q!jiQ`7>3lwc zG8jY}fC~uimAGZI)A0WIUZ%pw{B+x-a^JIGWEqku^(yp%p?ZN%Qah42wbaFONK&lg z)@QEZ>8d<#2Z%6=@?P~EsKiI{uu5)yYcJ4MHr?hX|qWbub~<;s>+ zXo?MAzDZvy$Fh&pn_5=yeMK3m4o{7NqF971m12a5GOW_*hCW4V z`BI*c48rl9Bl6S3YgZAP2m#iV@TOgGehBQt7@#-xBx@0(^VzKGDho=u8ef~0=9&P=kGY{$@PJU z3~e(S5@&`{CkeUo5aRlJVIS8o6>*=W=h+Q`_fzcNsj$f4etBZ0{p>a(?MMh)mm!bx zqDC+*5P=Yrr}Q9jPXTWMz-czvcYixl;JUZ~$A2~hbOI(FYNi3E3LhxdBX9Lk)GTen z%6d5$-fZM7n@u17Q1)mPxF_RSkg{aPdW$HTr+lcrOIMe(?1O88^q&c8|bykLY+K>EUoooT{=J1AJ*YLk(UB zfe=k>lkyQDo)`iTEGK)f1N*4V8#T9CaNA}r$B*N~l37>;k3-tzKcd5~i72_DdZoyW%tq zS})m;au3XquyDRHY|=TBB&5Q29Nspn9y8CWu=q(MYox;mbJ^TDB5|qDlZRtV;?z*h 
zMxpBiPphN6F3Kv&{Ywph*Be5tf((V+gA7Go@`ZH@|5r>n4j^;q%n%YlJ14?Ld}1}I z-joP`IC28pP|<47_GrXY&{~sZ=Mzhz`)Q(=N!j}0V~Vtq&2N$iq7$r;#9T{~3@$Tz z5_B1Z3W3LSg^}L7?L`OON|)IW_`>dqi0RhMeZ7XqLduspYqKkU(%(~dPcHkNMrtjf zB{ORSnKh_Epe=;*h*t|`14PC+MVvY#z+TyT6%NW{2A0zr+Bl;h$CIK@-$^JInMvTA)9^u^d3RWWFob8L@qfHGeWn)DGUq)Y z2KEd<@OJvULvc%4^o?av-}A8k>a^T;Nq9$Oj3Jfk?zt(o;gfS;rgylVGD!m|YQt`X zmpoFS9k^AL6&Qb>oo{xJG|rMRu_}LOyja?y_{IOotiJB?f~36qA4lCqILSVGZ9$Sc zqpl#t_jpG9q2;!HRZ)+Rc)eb^{k1Q*hgQ^Aim3*>INEt)}FWn z(WOE_bQ#e)0tOXRl0VyY-yGpOd0ap-Z?N4AIah=;r9aOZNk6Z}1_sc7_uFgDbg<@C z(F=~T(cv)+r<7|UlcR29e5a{E4jy{5ABeC0qigSQ(sX>j)S`|oX4ukD0Jy(W)B}KE zBeFTez!^5DyUKpG_ey0ZG8)~y8!!S_?kYQnIK?XMpIgQX(Hh^yD28!?i3naJZ}kC& z+|1ai^tiFFmcD~*J}r|*lo-(P!<1KadP&Cge;rQW8^rHe7cEW$xb5lX0+>YE&c=64 zb(RK;ad08edF8{IEIUwV7(a^QZm?iHr6GE~3f z5eVstiqO`&IBVHv&Bq2Tj%Ou);K(@a(SGvZqrG0GC$?zpq>u)bKsZ79bKB=tLW$O8 zapxC@47E@x+(a0c8Nanx$q`cBsN{@(88xT&$F_dl5Lcdl$rNi7yi2_ip#|k3eh?^Q zS>M=K;{{3KfBK3=VZvLM2L3_m;lrXn#jgo1~?hcRtN?1-X(5l z@DXry^=@Fzyo)!Z1!2cD0$a1TZR)qcg2XSwkH_lvpP`Cpy!%hIqdlJ!b@!9bYK8Ex zoArWSV+U?47IEc&)%*os5qowRabrMuu)^~anQ~hXWio^lGAukbyfD2;y#wXDS(>on zuk4Fq-e*$xQ=*X5r4kGe0uSi`P`_!@ISTtO3RQ7;s*bG3*qF56rp0p;KMgvc`Iahd z3;3bOf{QT<9NL&yR9azN=lim|G-D%g_ps3)+sM-0d%Y53VN6@~3c8~4@_`OH+HK#M zeYNuw;HnT4VoGix;nzYU|?6Em%~;A@+1&`&cxF%&ZMch7>n)esrh0+qJ+P)jP{Ms zTJd__BeL}f5;#nVQG5%hkA<>OD)wJpwbDKA9X;IZTzTH{h4c3*ZEJ1?sFnf2J1O3p z7>CJ5R(t7upi1dqn6|IsS&{tJRI6aJXwR5(!*23pnxVA)1l#b2Rw!gWRBwNv>hw1hm*86CXIl=&ZbAL0_UI72`(!s!?Ue2mg9iM1Mq*YViw+iwrCET+~ z)%P$pH>W$a+$MhDwTH4#pRGsj-FIVk@`CSRB96C-j357 z5%}9fVDNrWS35Df4`MD|b<|=Yojdq3ZxArDo7h~N>8Fh`87@Xe5-{QPye?NXB(eK4 z9z6&i(Nx;Us;5JyJ^WBXs07rwOPtYOQUQR>2<(V9mJ~yaj0jp~L2d-zdC6=#7fkY2 z+|O&O)`10w@VfJ;b>LUX#0I9_WoA+@(AWu*+`o$9F%rr5sRFn2wLOM6A+uK(^u(e)$3A6gO z$F2+)H*k6+qF-k>_{^k*)ngbPsf79#3oR7-!3}s6`8ep^yD&sV7uyS5I#-mamX+4Z zI=oClH@<23ZWFpmwp}?*AnPzYQ2N@b-Fb!V*Ln29D_Ty)##`F)VL_0qf#Tt z@wJY3vn7Ew4Q?^BTaLXjSNDE)6h;f{12S6d4&8awyRTB-Pu=NF+4^>ieP*!c>qSQU 
zAKxnPMaRAo;Cx^?uUcF>(Vu*Tg1Ol-*rl#&xSFz0$4nG^XtEo5-d)R@Jvb*n|6&l~ zIvw!MlzulRZZfOu&%sQ!^L(bSSx+u}d-Z~^qvO3%%AC z`$5EzjNe&OZ{c*iZ;=U`cT36nL=I`H%#4uf{nCl#9HB}LOahBaA3;#tS+e-~BUg8h z=1~1=3HF;unv#dN-ut?!sv)|cs!`0}6TlK1T2n2E-Gp=|wYZF5(O=&3iD55V-nyVI ze39EGBn>Cu5)-B6DBNtU^tBA4y8PLB*LLilxO4x`041Vkf^*gWRZv`BZ=D7TtWoHDUROu-L3zUQncw~GE+bT^Xq zv~XN;Cb5Gb64pSYWQeOP*Oe?kz_D10-NcxB_Y#ZWxi<)_?O;&YM!5f5AnRyX-4*%M zGuc1Re*IMuJgu=Ob`JQ4Y-eX&IfNEQ-g$fg`5H&%$Lj7iSo+*ZfD(TF zb`$txVRyldhq|VykApU{=-}jd+PM3?0mZkThy>FdTzZ3N$hBu022b?-v1L9e-FeFK z@5~6!kl}mIt4&Zr-TA|MP)hMeD)lzCOhprKWpXajt{^{P8`$4sHkW1%`mNsot*zjZ zSHv^7JN}4|{ZYvFtRc(887IV!0Z#XeYkxcY@q4B1MNEACbluS_sTqO8#pVHa{D+>{ zTqkEkgNKOZI!^nS@|Y~)rTm@S=PW4qb6XGkZq^F9$PwZ9T%e)ifBww>2^fA_hxaI^UsX%}C0)mZio7 zFI_~(;^xxg4em#^Ifp?$Gl@O@fMj^8(rs#1e+e=yd&q+1wzC&MPirsJOu*4?^o1^H zI!r;BE!cPcB3v%?^jb<47TG^|p1^gG?>b|WmLJ&k`H!7-5iv|^Kl4&khy&8P)Y;=N z9!b^HwVwUDFgbYkOH~L*2>8;lFZ8HI2f412Hh5ftG!U{5^6()o2MV&=$N^ehP_s+p z6m~%qm(Kj5Y-$qy0j(!Pr=*W`+C|phZbetFjQ2ZemmNRw1Nm-M#Va^1qmgMvo>m_< zW%Uf{s?Rh;h>3p>wn~5|4y`XVJ^CZg-RxWe09Y81K{SDcD+Zhr^9$fn@YqqvYes*C ziCOKW)@+N9vpU>bz3P}{%^DJRN$>vHA|_(r41O+=+vi}`>F{i`fU8Zo>#bF@d1>Jm z=jkq|f$A)pSZD{zNwvWTI=wXNKlNAvrqLWFS9y&v`HvxSN1?$ z3hnrG2#&2PBy-C`%{H3u-TlbF+6VTJXezY3zkR&)LGl08_T}MFum9hjQ?^5)g|v`R z#1K;1&nTxXSu18RPS#_Ov1Ay^QliMxjD5=*8S7YwvTJPFg+XHMV;RQoxrfg0`F(%S z^<3BU&(nWh<8y!R`+dLf_x;{puMcky7j;IP0D&5;oE%~YcNFUr5}NUmW1ssdv0{y9 znTi9))5;+rEnASV?aW@42&-1ULM9;*aq;w|AdpUU8nVz?jV#!MU*(K+3QFkwBLOH- z&7#uJy;X;}Y4mFEz1^SD5KobeQ-VXa_}%>dvPs`J1pG@2H+AE`5|BvvkCW@kIrXY7 z9`=0GHYrT8=}SYd3S-~9y%H42bJdwj2@l^OEc~j|)Q%BW!#%_c7GzsaijPw0O@OU^ zdXe$Sop6xw2>9p5?U;JOgvc0$l&hfomdV2Lp zmo1cX%j(-mL4Q|r>E*6#i zj6kkCwUh(P_*eQ(wM<7>?1ERkw`;?+>RKXEp6|&Ko2EOCQx;#3=uItH9m(!U*0Cqd z?Cs@!GjC?&GI?E{ah_8G_~=m68co%kiR_4<8iWmMBLz zM*Jkn*4*dy-ZD8wWtVA71vxMD*k=bhKJ=YeM{)aJz_qwK5*mY<_vsQ)ql{}uCrb#I zC7051Cin;9V z9n(fF_Xpuhb&2sMkNO2*4AS7b0@LpGbA;uXQGdYaw(dZ2ueb89RCL&M2%5JO#Cd$b zw6*YHhr{DN)(9<@w>mWQl2#r{&7@4Wpu=hs6{z#uu}mf{8t_MNe9ilJ^X|)CcxKWy 
zlRp#*Vt^|kR=O^oDY*NWk`ZKjR2@}y{MKI}64>=1BI+EAb|s^bT#G8ei^%^Q?i3<1 zs!gcU-u#$IziSy9v~M&Ex|~;+n-q*sbKhImzBNa(o1PCWIAy9|uZ7T0}#GKDNh(2nu2nV0z~&6KqFkJRk^>z094 z$1HKD>^x<5#vrA_>HZdTqLS`zdDpZ}QU9je5ESbzI{j+6@MChAk2ub+{r9`!z0mMg ze@OEtFBfB>RM7j03r+Gq39DdoeZmJi?>BKZF*gkvq2dF3nPk)Tol-~QT@55Tk{WS zC4OGX^?m^x@7e&%Ue02ZmbJ{ENi*r$L_{quLV|VfQ_X`{pSIs3sE+pA=cSJ}NvLZn zO>9|EWvPk2w{G89P)xdUtK9Q@?a#b>rVl+sB4|K%+(HZMH6N4xND~1ul)GG)%-ldP zbF*i9`m1z;<-HJMISz3l)FwQdZpmCgKWGbcp$6rKbXHpTb;n|J%8P~@&w9*%-+@;` z4RrL+wa1YjT1qG|bu=NtSL_^zQ5`qY_Y}AF?1#<^c!l}O$!->(kJPm`je8?Yd-=2Y zV|homB8{{v&ufg)Ojxz;orlCCbX!bgRXUNHAEsG37R;Z_>@9L}>8iAs7I(7n%W?zN z>M2XBG`?Im{_#WWQtj9`UND6lnmB#lq(a!xt}xN&YazEUpQje-4&I-4ZvmC4usuHD zj?-G_Q@+aM{=K)Qx#->M#}_G&(jiz9RmWu^VYDxCba%R=W=_#`CEUtMcLk&JhnzpO zbkV!M1n+B^scR96G=1KTT^#K#Bm|l=qLV#0R1x&ZBvqJ2=;D{w_N7`)rcaQI@)zBk z9yC10YR%X0XNun&_4?=_;9ou9SZ#5-V!mPYj@FL1+TZdULS{{Pe{scL!AbuCeE(Ii zx4z=CE;|V=LESjbzY=657i6tsU}S*R2~V(WpjM>e5MIZC4X>4G`-I@trWF1 z-B)?h=Pu}O^EoN+dDCs{EqrP9Bfus$=6#w^FVJq?<6Tjx@};8;d{N$(YkBw6z*s3+W7 zi<=qy#)qp>qc}Ec`3kz9guJ9Gt_@m$r+6HfzGXo~tUzWJFupCzdfX)W4A%(*<|)&~ zl9m(in_SN-EH5H5TRk&7f;N*ZOMS-zR9mV~C2F3CyDlKROf`xKxArz_m)eS-t2wjE z>Zqnwv$5_fyU!|YSH7I`b5?#T%|&ZOmbj(uJG<~+-RPlL-cRYx)2`}p_j&m(tsxJW z-neZ|h!W`hj_q)6mwB?SsCYp^UGb{&MGr^CvE1(Yv~AjeTFKd3 z*H;(U0b1$AxV^;YX*XZWGh<)MjzQ3@9zUyob%9CGS3PNsh52{O+@$z7@|28+wIZgQ zH*b9(y_N1ZMU5^}pN3tTBAd8ryL?-d?)ojI)uY|-ZnG>hQQLRr)5CT&TvfsW6xlb` ztB)m!oHm;8eAV!^Dox0krw1s-bz$j}C5@yGXI}9?1rLtUiiK(sig5hkgfR-o5?ZOW9Lkt8r}xL0;q$R&OI&MM&K!m zws@I4JeKwKZrh}>Z^Ngsj7hQnkzEV9v($AaOa?Nc=q#rU@EY5LLCBV_W1|Tz9onsI zOC&!iMPC-PdEx{5{JnjU)dPk0zJ^Y`Cm1c0Rwc#`qC3mLkPHpE!WqTdCnhK(4Xi`u z1rL=wj8HB)Hx4(%>TF`qE@5K1YM8-!%z(LitTRrlT&E;UyK3&WYw%qwvlNd*DxO=z ztFGV86N5JeB+>{|n(58PWOj+2dg#T6;r zol^x~gk_k9t>(>{Pk(42>*ID2^$| zuMvpg4^fJuoxBc7FFk1~-XJVvb49)Zl}RF({G@2mo+eDmJ?U1NJS z)!ol=h694wES%O%NR5*MV_3t)3aLEHfR?47QOhRAM!j3BxC6FD*?}}S!v>*78-#2| zgniV2-?;S9CO9`VS--2xu}0K-Q0X1S=1GfBhR$$*?djmCVpsge&Qw%Lps0VLlO@dn 
zNFsHf#qyMAdg(PW&+&knqAJ(#bd}zI^K5oxo~7Kd+v#T!vf@N}SW;I}y2Ku`JZWQ2 zbZ)PjllK*^T@`ekyfu6n#OrL^5>6+VlI<6m1cG7iX^6Kuo#WL8NTp7trTn@ct!$Pf zxJ(O^c*3GLn=^HW`)YC8N;RIjY3X^}8Nk-+a#>hPi+L`?5Vv2rTu%S1_+Dn+Vp+}r z)4P`i4!gxPkyUYr67tN>Wu5L^iM8DAjUA=`ZO z2l%e0inxeDu$UVsNQ@+I+73B3jaWD+8rdxprkD&F;ocZbep&-|o@QF?U6a$XcO?Ks zbLVeMRzzo{+GIN)nUOnBxsgTu=F#!y_0xh(m*ExM_FLnnzk$n|@~XqD*QDqC_ndZz z{--l}5J{+BREDO5U-eK*shAOx(AET(zt@gjicv4NVhC*&_kc2W_ySO$_cvLdG<1$8=Er72@=YnKKgqCKf$E@#G7vIja zPtu_2B^$kxhM43AQ(gYV~(TiCDaX>Kh38lrzG-^wAkAVb5NqEGBmsC%b)nTTZ&Tr^l{c@(zJ+=k6vxRSR3o*w&Pw zCNKQG3{A5c)F?Hl_)1-=N>2>_7LqhAZBJUdc&(BDs`nF^{DA}u*5wDPg#!G82hjNzwpR2%*1{yrALyPnal|5sQ{M_jvclTuKW2v2t* zcA+Bac13@F(`fK(N7*zpYAV?)X=5NDdP7)Uq<+1-QmiLI+MFna>4sz)p5+Jz<+!Nj zD?55qtFc8LK=VGz04JG0_FeuhMKP}wCWx4qjSVb&-tv`_fR+TH-FH)c40{8}x1v<+ z_tR)QR>VhKDBy-?76-<>eTQW9lOhH1zz3Sp2yjs7d#vh53oXyGCL*FEB;o63*#p(I zd}%M>Ff2sRW6VIpD7$H0!?pwcRJer9#%6g%VCq&T`GTzV`W4%@LHd%<>HQigKtqm& zh?s_%e>Ti3o^b5EHvw|1j7D zGGEy&yDjaq=>K7mjNZr6!x0YE09veb1aMs&ti6_1LpNr;!xp@b%jZO?5-u>H7guXE z#DV{u<~G#cY~+R?Ky9a)jeTj!Z2&n#+*v8FnWmPGn|6ZtNWu=!ctPzA9bek|)s%aEWkM3>g@n;%w(d%?zGT+mBks0^KV47Nc?^KnmIAvd?1Rp8Q#w4Hd~ zU^&9Gqx6#XJZP7y;fkCvyI;<{6^+Dc2bL-ciBZdtd;vb+tNL>^Gzz;k6}Q*r7h)0j z@HT^TvXogb1C*EwJGv(FA-Q)C)S04{i(LCm0Bn=SOoUWxU_$*z&lZ z3*HL9s+HxFo4=m$C2M@4R^qsVwfoXF-^lOBMkG4kD>7cxMGwtSuqpiAe63UhgWBnR zOW?|QWIMHI1FwEVQxy}FWHXX(wGPK%)a zgfpu(o{j>v5R;IU8~vF4TjybI>ng8)=Ueyd{;-JM787OO@_BXKL@g_`-BX6_-uv*! 
z$y3y)Mm!3$*wx9OQOnpzrsN1dr4ubm7~hzzj_pUe1^v!`lftZPQ|N&$k0Uv{C0tKqBL~RLo<;z9I#;I(<)N@5(%aQqI~KSEHxY!IAWt} zl@W!IitPs+6&2{RPvff_6Bb@ykt5X)&2j!;Qd-f~H4WTX&Fldl6X?c2fAu`-iSd9wHsaO z*?H3>ROv(0GP@EVX#PkWRyUsQ7Px@Px8OeZ2Lqvl*I$1ow1H?=Tga($QI56>r#7CX z8Y`|B^mn~EwtJR!HR&LM%&hxBcy_$!4NRBT#hqbo@kQYA70YTX#uCp26nw9653>-q z@NDcjjds3#Ok1+RF&FIDDem?yHt*b=4(dUhP(~z5U>@$|kEGbW_8NRpWip7+^XGv83?j5x($$ zVv2V|gXT)ZZ-#|nWG!PkmO}60AY_gK=i5($@JKLcW2rqqqsJAYo6VlydwlEoSEZ~J zAOrJ`i>Kz6Snub-j0;UU1gAk4InbC~b>UgT({5bao39yO41E4EDPaVI!>1pO_WIdh z-_{t&sm56@g`P3T&G@wLYS2q))|%CG5iTcPEo9Zpv@Ne82(Uv6MV76_#eQ`mxpk>t0O3M6wPxRef)`cW%qfEGhWE(PNdt4nl~@Q1>qP0`5=Fy+rKomb=+ zB=Z(X+z)0@R07fL2VflKup=IBcMl5%a<7`(XjmCPMt7eXx=qrfBz)OLGd=zC_Z2Zyi)(dLU3;E1eT3 zG07H0?RS$~^^}hNu%b?ZL?LW`5oEYY<4IxI1I*pRo*zTo8G#I;&rWcuxWKG?^%$cs zi;K@yyV&3keW&lZgVQ4{z+q+)tus4*sTbj{LUBVUH^ny*)o&Aeneo0nOHEUrg_mZG z`5YrBCM60^MzdhTAihPN8oYhEmAOu~&_2(%nj=BEr6C7CRPL@iz2Foi^_z_4?bJC zD2ly&y?M+1KbL&vnS{)K-!Z~)v!g>j9>}*M3RiAMPNUsi@s+E$8d+4bdO0k!*QUCm0B5~QpExx0nl6UgFU_v5Q=9kXa9O!H++n=bS^s9p>-@p5Q7rXrwZJ4NsMbN~k&#dP< zH!pwFfrdF4V2Zi_=PI>k2e*(CS6@RrWczy`+WHy3a=Cc^2K+o5{J7=tT-Tgjn>kyx zV9!H42>_gt`&YwXPZTD+C&i+w!sme>;5D}EOrTX{YzF|Y;U^u{%2sGWWsS#MMRagZ z=)bD`<7b3}g!$|DWj`afIIuJMS_vzs(<;UN-rhwHEo~CGmGBSTgdRKb(GfcT`$dsC z;*}XvToS(7YQ-i?bxmvJRBrixbop_@)F9c)tI$&V_zQ9dUXdFRIi#8Y*B+G57KRVz zatL$|SBoE&L6cT=x=f18FL2)b8SXYq9AwO!SgzZCN-#y}l!=CxCIsTq5?3OL+#7vE-jNh&S z8jh3o75L$;yQFt6K)$aik(JlW4e{zf9`WmF1u8MM^}{dp8HksjaM;cc*AY38)i>U4 z>FAehnb3hw7wvxOlV&pZdqbI$VxJrTY1gr30#kwnW3y}uZJ5awl<>@FMW=_cWZQov zz|H*Mrgf~Vm4z1;dVJbm7zV|O9_MuZlj>RhoiU*CKL&4os&%^tuH?__w3(DY8*{59jI znr75}5(7cpWwCtyo7zFEhh`iNweoq#^a{wLURroSi{MrRMA-#azwXFS77Pg_m!$LP zg1|GXoX&ez;rv%|eh5BUnz76(29(7R_cPkjkc9`C^QsYfr}cAfemR4pDaqX$p;4>1 zLYM;6A!5QmyH0qXqP}b{CkHb*sbA?Z4j+~$bGJ}4NtiTI)iZXaUvds+m8)F{Vf<#t zTZf&o4i~&j_{M;C11lYTb3Rf{ItdH@n%nLN^VSm#8glr|U1#Xk`?q}ij}hh(D_vQB zq_bds_Kn9|(q3Wi37G&2vW#GvResDJh`$&bauG6QBuKw(1F{+!5-L^)>>-k67lkC= 
zUYUL?LQZ_xm4oWaR9M0p4NmeLci->1?c>r!20X#`@asMt?7u)5m4ONYlKa@;R8`jRkPl%4Yr z6SPy1+Or3PO7|QLUgzBm_}Pzi7!A#dSSQUXRpO2tG@a%8k@#txXf&{MyK6W%uMy zK=}e=rE5S5Al*MO4!UE0q47(nl#fpKDQ}X3?dbAcm(QGtbTL4Uo zEg5@uE>9W3-=)756IY*uO%n{FykANr-n#W8bH4{ zXrj;2chPZmzPedfk=)u<`=^dN9Q5}A=ty_u>u7+uJDFOHVSxQ8KO>X`ZDvuN5}ztY z(<_Rg@)?}ZebE_)tbem-P!9&W@RZ~jHiQO6Qrq^J_E2bYRPiM;HFm$}hb03{S1(HC z7{7;zhvZ>uGd1feG#f+J=NkagK|p`h(e_b?ypjG)y|l&n?1gAWe<-Rax-z~yGG>AB zFiNFisPZ0NcT@iX59vxX8J~+>ij~^%(?ZTyYi2fo?tH;D6;JB@Au6NSrGf*_aH=3! zEqJ2&1x?tehVxj$mz3PT=7+&ir8*v36wflf4~IrlB?#X9D%r_$uroEi2Y8zFqkc7L zb)RQ#>A8j(koILiQr!=~c2~fmrm|4})#z~8EI=PZKT1Ff%!jH^Pni8XvZ=%-K7OD625$BTL6NH^Z(ayLA__FAHqFVD5PP|N8yg5j|+>r7q?*ZHSSf zd!cK=L&Now3uY;$@v*D?kM>t?VUdcZ6YIla+pD+#UCr!k)-Cn}$fv#4;J2=CT|+A9 z%{@Q}#eTe&{;iDR&>`d@t$;$_zrvHFn@-3a{3hPs?#W-6JWMs_H#()S-_n17g92|@ zWqII`qd6yCk{qcpq@Pehm2JvTK}NqlG%-xf&gf>bPDY`>r2%WYDBF>A>;)d${}>_0 zI@{s=;eHCMO{eTh5S7K0C;Z@9A<3`YrlZnxt!$tMGLd7sN;3y`RSXY}$>_4`SC z;(4yb$fo73)l(4rI#sS$iEB?VriN$#p{K*ZuB%08L+{1TEbqMzJm z&fyL!VCAO!@~j z3gk0WgFo(jsbr_qzN_v*h!!EE*vajgO{>mnwMSTj(>Q8x*RIzxAkhUi6w_k)v4PM0 z^`sW@Z&u&|$aYf-0!ppV8!j~qDXcTpPb%hG(rp>oB(>Kpa*CudBV)fioHVHjolf)A zxl+}|7%5IQ+Lr|5#%n1G?B!o-Cz};6YiAkJ$a1wOF?b7xi!SfWdfYutG`xOo7Biis zmcu4Pfvp8o)+1OUz8ECwx8N6QC@{~PVL)xNkW+Oe=0YS3UV?gCy(2|&Zrt)<1}ZmX zLE=ZVqR4Ntbh6NRIT3hQcXGL^s%uTU7tC>2cUCSP?%+3$$o|+_Jd#C@u)uDZwcGv@ z{`8+~P<9RXvUaEQN=XOjmqQh**?DIs&+aw&WC|=+y^~+eW_jQ4DS&OzPq&5|lm(n%NWjPX(R7jt=q8BY^zr6GpLrAz^829{tOB{NchPH*dqz5a;>TB(zA1klv6!T<87M zK}-u2HJjMD)jvMyM2?VHYVOyg1`nU%V5qNQuCIPW-wZItKkgff;=TYZ2>rh|IHT%x z!WJzh2Bpp&{(SehWt3a(n;Qoe`NKc@_2A*G4`p!pL(ml~ed3?Qn=_`r{_pqYT1NFB z!umpacFUe^GH$7dGCA+<)@E;*v42EEl0)nLMxx~l27Vf`Wa-_npH-mN(4?ojNoMa% zKOH$dO`sY+Jt)OVN!V-b3S^B9(&=O;|9&{buQA4cd*;Ne7@apJ-}#E3D%;lXKiQ07 zcsC;|h7i>fes5#mqK6%NnGShUbyabg_iB~B5%I^zn$1+nFA+jj$Dfqw`m*)n={aMS zAiqeEmQ(B(&(k(CCYf~JNxAn@UeoQf{KQ}p&C^o);D|#whc%f3kduMAHpK%f!drWaV{gSs9 zGvBS@&?Vx(XZdt|bh49;v*&RMkIlB=91VxZ!Teq(Xh&8+tGguCT&=bL`^lkDW1Rkh 
z_=Bn@ew@>Ij6k;Fh>nI~ixv!(N~M9`tSEc=Uj{z4g_!}Z`Y3Bn34Hpa8)OIf>8N=6 z{DOmX%lhs*0D|1Y_glkUD%RK=2Ww7MjH%3Lc#fC%T3mk~E@ z34ge+r{6SkxH30j5Hn|DYU&WPTf;X^{Z9DsEH8}h?;YlUz-<=a2sqByv2l>$M(MVb zMp;>TrEQtXb%~fI;uj7LhhGa}*8S7F-PN=Jz<24B(>*c`p*>Q&_*i0%cg;SGa3D{P z%VEz%h+bT??Ix`)rw@EAU`L+oFzpuub+=4NbUW09|5GFXud4e0`a_h^{^&k!|EN$c Wk6+`b6w@Q%pPH)H-8_}Q{r(pv)=WYG literal 0 HcmV?d00001 diff --git a/Digital Identity/identity-proofing-final.md b/Digital Identity/identity-proofing-final.md new file mode 100644 index 0000000..b808334 --- /dev/null +++ b/Digital Identity/identity-proofing-final.md @@ -0,0 +1,502 @@ +

+ +Russ Reopell, Sandy Christopher, and Lorrayne Auld + +© 2023 IDPro, Russ Reopell, Sandy Christopher, and Lorrayne Auld + +To comment on this article, please visit our [GitHub +repository](https://github.com/IDPros/bok) and submit an +[issue](https://docs.github.com/en/github/managing-your-work-on-github/opening-an-issue-from-code). + +Abstract +======== + +Identity proofing, process by which a credential service provider +collects, validates, and verifies information about a person, is a +critical step for many identity systems. This article explores identity +proofing in general and why current practices are challenging. While the +article is largely informed by the identity proofing examples within the +United States, the concepts are globally applicable. + +Introduction +============ + +Whether you’re purchasing merchandise online or requesting financial or +medical services from the federal government or health care providers, +being able to prove you are who you claim to be and are indeed entitled +to the goods and services you are attempting to access has become a +crucial and required fact of everyday life. This article helps readers +understand the difficulties and challenges they may face in registering +for online goods and services. + +Terminology +----------- + +**Applicant** : A subject undergoing the processes of enrollment and +identity proofing. + +**Binding** : Associating an authenticator with an identity. + +**Claimant** : A subject whose identity is to be verified by using one +or more authentication protocols. + +**Claimed Identity** : An applicant’s declaration of unvalidated and +unverified personal attributes. + +**Credential** : An object or data structure that authoritatively binds +an identity—via an identifier or identifiers—and (optionally) additional +attributes to at least one authenticator possessed and controlled by a +subscriber. 
+ +**Credential Service Provider (CSP)** : A trusted entity that issues or +registers subscriber authenticators and issues electronic credentials to +subscribers. A CSP may be an independent third party or may issue +credentials for its own use. + +**Enrollment** : Also known as Registration. Enrollment is concerned +with the proofing and lifecycle aspects of the principal (or subject). +The entity that performs enrollment has sometimes been known as a +Registration Authority, but we (following NIST SP.800-63-3) will use the +term Credential Service Provider. + +**Identity** : An attribute or set of attributes that uniquely describes +a subject within a given context. + +**Identity Evidence** : Information or documentation the applicant +provides to support the claimed identity. Identity evidence may be +physical (e.g., a driver’s license) or digital (e.g., an assertion +generated and issued by a CSP based on the applicant successfully +authenticating to the CSP). + +**Identity Proofing** : The process by which a CSP collects, validates, +and verifies information about a person. + +**Identity Provider (IdP)** : The party that manages the subscriber’s +primary authentication credentials and issues assertions derived from +those credentials. This is commonly the CSP as discussed within this +article. + +**Knowledge-Based Authentication (KBA)** : Identity-verification method +based on knowledge of private information associated with the claimed +identity. This is often referred to as knowledge-based verification +(KBV) or knowledge-based proofing (KBP). + +**Registration** : See Enrollment. + +**Remote** *: In the context of remote authentication or remote +transaction* , an information exchange between network-connected devices +where the information cannot be reliably protected end to end by a +single organization’s security controls. + +**Subscriber** : A party enrolled in the CSP identity service. + +Why do we need identity proofing? 
+================================= + +Today, many companies and government agencies rely heavily on accurately +identifying, credentialing, monitoring, and managing user access to +information and information systems across their enterprise to ensure +they know who is accessing their data. One of the challenges of digital +identity is associating a set of online activities with a specific +entity. There are numerous situations where it is important to reliably +establish an association of a digital identity with a real-life subject. +Examples include obtaining health care and executing financial +transactions. There are also situations where the association is +required for regulatory reasons (e.g., the financial industry’s Know +Your Customer (KYC) requirements, established in the implementation of +the USA PATRIOT Act of 2001) +1 or to +establish accountability for high-risk actions (e.g., changing the +release rate of water from a dam). + +*Identity proofing* establishes that a person is who they say they are +based on the validity of one or more pieces of identity evidence. The +more due diligence incorporated into the identity-proofing process, the +higher the confidence that the applicant is who they claim to be. For +example, one would place little confidence in self-asserted identity (“I +say I am Santa Claus, therefore I am Santa Claus”). However, suppose I +claim to be Mother Nature and can provide written and corroborated +identity evidence proving I am Mother Nature. In that case, there is a +much higher level of confidence placed in that identity. If I provide +all that documentation to the CSP in person, you can be sure I am who I +claim to be. + +What is identity proofing? +========================== + +Identity proofing is the process used by a *credential service provider +(CSP)* to collect, validate, and verify the identity evidence provided +by an applicant to establish a subscriber’s digital identity. 
The +*identity provider (IdP)* manages the subscriber’s primary +authenticators and, in federation agreements, issues assertions derived +from the subscriber’s account. When an applicant is identity proofed, +the expected outcomes are: + +- The *claimed identity* (a set of unvalidated and unverified personal + attributes) is resolved to a single, unique identity within the + context of the population of users the IdP/CSP serves and has been + validated to exist in the real world. + +- All supplied identity evidence is validated to be correct and + genuine (e.g., not counterfeit or misappropriated). + +- The CSP/IdP verifies that the claimed identity is associated with + the real person who supplied the identity evidence. + +When conducting an online transaction, a digital identity represents the +person trying to access the digital service. + +How is a Digital Identity created? +================================== + +A digital *identity* is created based on a positive verification of an +applicant from the identity proofing process. Identity proofing starts +during the initial enrollment/registration process and may be updated at +various stages of the digital identity lifecycle where life events +warrant it. Figure 1 shows the Digital Identity Lifecycle and the events +that take place during the creation, ongoing maintenance, and the +suspension or expiration of a digital identity. +2 Identity +proofing can be performed remotely via the Internet or in person at a +physical building with individuals hired and trained to perform proper +proofing. + +A diagram of the digital identity lifecycles tarting with onboarding and sponsorship; enrollment and registration,;creation; updates; expiration, suspension, and revocation; and destruction. + +Figure - Identity Proofing in the Digital Identity Life Cycle + +Identity proofing is thought to be done once, at the time of +enrollment/registration. 
But that may not be the only case and may be +required at various stages of the digital identity lifecycle where life +events warrant it. As illustrated in Figure 1, the following are the +digital identity lifecycle processes: + +1. Sponsorship: The onboarding process to obtain a digital identity. + This process may require the applicant to either have or create an + account with the CSP prior to sponsorship. This is the first step in + the digital identity lifecycle. + +2. Enrollment and Registration: The process through which an applicant + applies to become a subscriber of the CSP and the CSP validates the + applicant’s identity. This is generally done via an in-person or + remote identity-proofing process. + +3. Creation: After a successful Identity Proofing event, the CSP + provisions a credential by binding the credential to the + subscriber’s digital identity. + +4. Updates: The act or process by which a requirement to be identity + proofed after the initial digital identity is established. Examples + of identity-proofing updates include: + + 1. Per policy, an organization may require identity proofing of + their users every three years, such as a government employee who + needs to renew the certificates on their smart card. + + 2. Change in name or gender may require the subscriber to be + identity proofed again. + + 3. The subscriber may initially have been identity proofed at a + lower assurance level but, based on required access to + higher-risk transactions, the subscriber may be asked to be + identity proofed at a higher level of assurance. + + 4. There are several scenarios, including times of emergency or + transactions between strangers, when one may need to be identity + proofed to ensure that that digital identity still belongs to + that real-life person who was identity proofed at enrollment. + +5. 
Suspension/Revocation: Revocation is the process of permanently + changing the status of a credential to invalid (e.g., the credential + has been compromised or the status of the sponsor has changed). + There may also be an expiration of the credential bound to the + subscriber, which may either trigger another identity-proofing event + to renew the credential or surrender the credential housed on a + smart card to the CSP. Reasons for suspending or revoking a + credential include: + + 1. Lost/stolen device. + + 2. Death of the subscriber. + +What is the difference Between In-Person Proofing and Remote Proofing? +====================================================================== + +In-person identity proofing is when individuals are required to present +themselves and their documentation directly to a person. Remote identity +proofing is used when individuals are not expected to present themselves +or their documents in person and, instead, provide it online. In either +case, this traditionally involves validating and verifying presented +data against one or more corroborating authoritative sources of data. + +Why is remote identity proofing hard and what are the challenges? +================================================================= + +Historically, IdPs/CSPs who offered remote identity proofing services +typically relied on *knowledge-based authentication (KBA),* where +applicants were asked static questions about themselves and expected to +be the only ones to know the answers to such questions, such as job +history, credit report data or credit history, their mother’s maiden +name, their date of birth, etc. IDPs/CSPs used data collection +companies, such as the credit bureaus, Lexis/Nexis, SEON Technologies, +Silent Eight, and others, as authoritative sources of identity +information to verify the applicant’s responses. 
If applicants responded +correctly to these questions, the credit bureaus would provide a scoring +to indicate the assurance of that identity based upon the answers +provided. The CSPs, in turn, used those scores in determining the +acceptable level of assurance that the identity was verified. However, +due to recent data breaches, massive amounts of personally identifiable +information (PII) have been stolen and made available from multiple +sources, including those on the dark web. Reports of fraud activity +clearly show that significant amounts of PII have fallen into the hands +of criminals and are being used for identity-related crimes, such as +stealing services, assets, or benefits. The recent Twitter, LastPass, +and AT&T data breaches, as reported by the Identity Theft Resource +Center, are good examples of these types of compromised identity data. +3 As a +result, solely relying on the use of KBA is insufficient for +corroborating an individual’s claimed identity. + +Successful remote identity proofing is contingent on the user having +technical knowledge of the process and what is needed to accomplish it +successfully (e.g., the user has a smartphone and the ability to use it +to capture images/pictures and has valid identification that can be +verified with the issuing authority). Online remote identity proofing is +difficult because the validation and verification process can be +cumbersome and challenging. Identity documentation may not be available, +or the documentation provided by the applicant may be insufficient. +Further difficulties arise when not all applicants have a smartphone or +government-issued identification card that can be remotely validated. +Some may find the identity validation and verification process can be +too time-consuming or difficult. This increased user friction causes +applicants to get frustrated and abandon the service. + +The U.S. 
Government Accountability Office (GAO) released a remote +identity proofing report that identified four out of six federal +agencies that are still relying on PII-related KBA. +4 The GAO +report cites high costs and implementation challenges for certain +segments of the public as reasons why some agencies have not adopted +alternative identity-proofing methods to KBA. For example, the lack of a +mobile phone for some applicant populations was given as a key +implementation challenge. Organizations still using KBA should evaluate +the value of their KBA solutions and, where possible, replace them with +a more dynamic KBA. Additionally, the European Union Agency for +Cybersecurity, ENISA, which is dedicated to achieving a common +level-high of cybersecurity across Europe, also published a remote I.D. +proofing report in March 2021. +5 In their +report, they’ve identified similar gaps with a lack of awareness and +understanding of the remote proofing process, the variation in quality +and completeness of identity evidence across the many European +countries, and the desire to use physical presence as the benchmark, +which, while tempting, cannot be reasonable when considering the +variables introduced in remote proofing. + +Over the last few years, there have been multiple government efforts to +offer the public secure and private online access to participating +government programs both here in the U.S. and abroad. The goal was to +make managing government-provided benefits, services, and applications +easier and more secure for the populations they were designed to serve. +Whether agency applications and services would need to integrate with a +single government authentication service is still in question. A single +authentication entity for government services would require users to +first be redirected to this central authentication service via secure +protocols to register, be identity proofed, and assigned an +authenticator (either remotely or in-person). 
Once the user has been +identity proofed and acquired an authenticator, the authenticator could +be presented to any Government online application or service that +accepts them, provided they meet the required identity assurance level +of that application or service. Gaining consensus across multiple +agencies of the one government to use a common authentication service +has proven to be much more difficult than anticipated. + +Another remote proofing challenge is that there are too many +misperceptions about why personal information, especially biometrics, is +being requested and used. Many citizens do not trust the government to +protect their personal information and question how it is being used. As +a result, many people are reluctant to share their personal information +for fear that the information will be used for more than the specified +purposes. By not carefully explaining why data is being collected, how +it is being used, and whether or not the data is stored or destroyed +after remote identity proofing is complete, individuals may not provide +the required information and will therefore fail remote identity +proofing. + +According to concerns expressed by the GAO report, additional work is +needed to ensure that a fraudulent image, such as a photo of a mask, is +not being provided in lieu of a live image — a threat known as a +“presentation attack.” Keeping up with ever-evolving threats to remote +identity proofing and implementing the proper security controls to +mitigate those threats is an ongoing challenge. + +Challenges with remote identity proofing extend to other countries as +well. The United Kingdom (U.K.) was among the first to try remote +identity proofing, but it has been plagued with performance issues. One +of their key problems was centered around the datasets used by the +identity providers when trying to confirm a user’s identity. 
Applicant +data used for verification did not match what was on the government’s +systems, resulting in the U.K. government not being able to create and +manage the system. Due to these problems, private industry is taking +over the effort with the first task addressing the issue of the +mismatched datasets used by the identity providers. + +Summary +======= + +Today, many organizations and government agencies rely heavily on being +able to accurately identify, credential, monitor, and manage user access +to information and information systems across their enterprise to ensure +they know who is accessing their data. There are numerous situations +where it is important to reliably establish an association of a digital +identity with a real-life subject. Identity proofing establishes that a +person is who they say they are based on the validity of one or more +pieces of identity evidence. The more due diligence incorporated into +the identity-proofing process, the higher the confidence that the +applicant is who they claim to be. + +Historically, those who offered remote identity proofing services +typically relied on knowledge-based authentication (KBA), where +applicants were asked static questions about themselves (such as their +mother’s maiden name, the street they grew up on, or their father’s date +of birth) and expected to be the only one to know the answers to such +questions. However, vast amounts of data about an individual have been +stolen in data breaches and are readily available to purchase online. +This stolen data can be used by fraudsters to then obtain access to your +bank account, receive your stimulus check, or your tax returns. It is +due to this high increase in stolen identities that organizations are +finding that they no longer trust that digital identity and must improve +their remote identity-proofing efforts to more effectively thwart +fraudsters. 
+ +The use of online remote identity proofing services is difficult because +the validation and verification process can be cumbersome and +challenging. Identity documentation may not be available, or the +documentation provided by the applicant may be insufficient. Further +difficulties arise when not all applicants have a smartphone or +government-issued identity card that can be remotely validated. Some may +find the identity validation and verification process can be too +time-consuming or difficult. This increased user friction causes +applicants to get frustrated and abandon the service. + + + +Authors +======= + +**Lorrayne Auld** + +**Principal Cybersecurity Engineer, MITRE Corporation** + +Lorrayne has over 25 years of experience in the area of identity and +access management, secure web, portal, and Public Key Infrastructure +(PKI) technologies supporting the Federal Government. She has worked +both as a hands-on integrator and as a cybersecurity engineer providing +guidance to the government. She has helped multiple agencies with their +Identity, Credential, and Access Management (ICAM) strategies, +implementation guidance, and best practices. + +Lorrayne serves as the focal point for researching, understanding, and +applying ICAM emerging technologies while ensuring ongoing growth within +this area. She also serves as the senior advisor to the ICAM capability +area as well as a mentor to junior staff. She has spoken at conferences +on higher assurance identity proofing and next-generation authentication +technologies. Lorrayne is a member of Kantara, IDPro, Women in Identity, +and the FIDO Alliance. + +**Sandy Christopher** + +**Senior Communications Advisor, MITRE Corporation** + +Building on 20+ years of leading communication and change, Sandy +delivers holistic communication programs that measurably engage +stakeholders and achieve business goals. 
Throughout her career, Sandy +has worked with executive leadership to create strategic communication +plans that align employees with the priorities of the organization. She +is an innovative problem solver with extensive domestic and +international communication experience on a wide range of issues, +including organizational change, crisis communications, healthcare, +information technology, ethics, operational risk, quality, deregulation +of the utility industry, human resources, environmental, and financial +services. + +**Russ Reopell** + +**Principal Cybersecurity Engineer, MITRE Corporation** + +With over 25 years of experience in identity and access management, +Public Key Infrastructure (PKI) technologies, and web services focused +on identity, authentication, and authorization, Mr. Reopell has +supported the Federal Government, Department of Defense, and +Telecommunication companies. He began his career as a programmer and +quickly became involved in the design, development, integration, and +testing of various Air Force and Naval support systems. In the early +80s, he began working on information security systems and helped deploy +security solutions in federal and commercial spaces until finally +focusing on Identity, Credential, and Access Management (ICAM) +strategies, implementation guidance, and best practices. + +Russ worked closely with other MITRE staff and served as MITRE’s ICAM +Capability Area Lead for many years. Russ was the go-to person across +MITRE to assist with or guide staff in the design and integration of +ICAM capabilities to the many sponsors MITRE supports. He is responsible +for researching, understanding, and applying ICAM emerging technologies +and helped to grow work in this ever-evolving area. Russ is a member of +IDPro and enjoys mentoring junior staff to increase their knowledge as +well as pique their curiosity about the many exciting innovations in the +ICAM space. + +
+ +------------------------------------------------------------------------ + +1.
+ + Dow Jones, “Understanding the Steps of a “Know Your Customer” + Process,” Risk and Compliance Glossary, n.d., + + (accessed 27 March 2023). [↩](#fnref1) + +
+ +2.
+ + For more on the digital identity lifecycle, see Cameron, A. & Grewe, + O., (2022) “An Overview of the Digital Identity Lifecycle (v2)”, + *IDPro Body of Knowledge* 1(7). doi: + [↩](#fnref2) + +
+ +3.
+ + Identity Theft Resource Center, *2022 Data Breach Report* , January + 2023. + + (accessed 24 March 2023). [↩](#fnref3) + +
+ +4.
+ + U.S. Government Accountability Office (U.S. GAO), *DATA PROTECTION + Federal Agencies Need to Strengthen Online Identity Verification + Processes* , May 2019. + (accessed24 + March 2023). [↩](#fnref4) + +
+ +5.
+ + European Union Agency for Cybersecurity, *REMOTE ID PROOFING + Analysis of methods to carry out identity proofing remotely,* March + 2021. + + (accessed 24 March 2023). [↩](#fnref5) + +
+ +
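Review bot: the U.K. paragraph (the "among the first to try remote identity proofing ... private industry is taking over the effort" passage near the end of the Challenges section) makes specific claims about a government programme failing and being handed to private providers, yet carries no footnote while every other external claim in the article is cited; add a source or soften it to what can be supported. Two smaller points in the same hunk: footnote 4 reads "(accessed24 March 2023)" and needs a space, and "receive your stimulus check, or your tax returns" should be "tax refunds", since the return is the filing rather than the payment a fraudster diverts. The Summary's "knowledge-based authentication (KBA)" would be more precise as "knowledge-based verification (KBV)", the term NIST SP 800-63A uses for the question-based step inside identity proofing, keeping KBA for the authentication phase. Finally, as rendered in this diff the link fields of footnotes 1 to 5 are empty ("n.d., (accessed 27 March 2023)", "doi: [↩]"); please confirm the URLs and DOI are present in the committed file and were only dropped by rendering.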
diff --git a/Non-Human Entities/non-human-account-management-final.md b/Non-Human Entities/non-human-account-management-final.md index be788d4..e64d389 100644 --- a/Non-Human Entities/non-human-account-management-final.md +++ b/Non-Human Entities/non-human-account-management-final.md 
@@ -1,28 +1,37 @@ + + By Graham Williamson, André Koot, Gloria Lee -© 2022 IDPro, Graham Williamson, André Koot, Gloria Lee +© 2023 IDPro, Graham Williamson, André Koot, Gloria Lee Introduction ============ -A non-human identity is associated with a service or device rather than -a human user. Identity in this context is defined by the identifier(s) -of the device. A device must be identifiable for that device to interact -with corporate systems. For example, a building management system might -need to periodically log into another system to write environmental data -into a corporate monitoring system database. +A non-human account is usually associated with a service or device +rather than a human user. An example is a machine-to-machine service, +such as a backup routine that runs during non-business hours to create +an offline copy of production data. In this instance, the account +permissions should be restricted, i.e., they should not have standard +user access nor general Administrator privileges. + +Devices such as sensors that provide data to be monitored are sometimes +deployed with access to an account so that they can write to a database. +Again, such an account should have limited privileges. -In this document, ‘non-human accounts’ include computer system accounts -that are not associated with a person, such as a backup routine that -runs during non-business hours to create an off-line copy of production -data. Such accounts should be restricted to the specific purpose for -which they are created and suspended if used interactively. +Fortunately, the use of such accounts is diminishing as the use of APIs +becomes more sophisticated, providing better security and eliminating +the practice of hardcoding usernames and passwords in connection +routines. While IAM professionals typically focus on user accounts, these non-human accounts represent a potential attack vector for organizations. 
These accounts should be considered when formulating -policies for access to computer systems. A comparison between the -characteristics of these accounts is shown below: +policies for access to computer systems. + +A comparison between the characteristics of these accounts is shown +below: @@ -32,7 +41,7 @@ characteristics of these accounts is shown below: - + @@ -41,12 +50,11 @@ characteristics of these accounts is shown below: - + - + @@ -56,7 +64,7 @@ characteristics of these accounts is shown below: +endpoints @@ -68,13 +76,13 @@ end-points There are two broad categories of non-human accounts that IAM practitioners should differentiate: -- accounts used by devices or services to perform a specific function; - these accounts should be monitored and alarm on any incident that is - an anomaly to the expected operation; +- Machine-to-machine accounts used by devices or services to perform a + specific function; these ‘server’ accounts should be monitored and + alarm on any incident that is an anomaly to the expected operation. -- accounts that have access to system functions but are not assigned - to a specific individual, including administrative accounts with - elevated privileges. +- Accounts that have access to system functions but are not assigned + to a specific individual; these ‘system’ accounts include + administrator accounts with elevated privileges. Terminology ----------- 
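Review bot: in the rewritten introduction (the @@ -1,28 hunk), "eliminating the practice of hardcoding usernames and passwords in connection routines" overstates what an API buys you: the credential changes form (an API key, an OAuth client secret, a client certificate) but is just as often pasted into a config file or script, and it still needs the same vaulting, rotation and scoping the article later asks for service accounts. Suggest saying that token- or certificate-based API authentication reduces the need for static password accounts, not that hardcoded secrets go away. The same hunk drops the old clause "suspended if used interactively", which was the one concrete control the intro offered for non-human accounts (deny interactive logon and alert on any attempt); it is worth keeping next to the new "permissions should be restricted" wording.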
@@ -97,11 +105,11 @@ Terminology - Non-human/person account – any account not used by a person, including accounts used for devices, services, and servers. -- Server account – an account with privileged access rights to a - server’s operation typically used for configuration purposes. - -- Service account – an account used by a computer application to - access another application or service for a specific purpose. +- Server account – an account established with access rights to a + specific server operation; this includes service accounts used by a + computer application to access another application or service or an + account used for a device connection. Note: these accounts are + username accounts typically secure via a password. - System account – a generic term for a privileged account that has extensive permissions that enable system configuration changes. @@ -125,9 +133,13 @@ process, turning something on or off. They may be used to open or close a valve by pulsing a servo motor a sufficient number of times until the desired aperture is reached. In many cases, devices are remotely located and connected via a controller to the supervisory system located in a -central location. +central location. It is noted that IoT devices are becoming increasingly +sophisticated with control capabilities and communication facilities +built-in. This eliminates the need for a username/password account as +IoT devices typically communicate to an API with encryption and digital +signing functionality. -In a typical IoT configuration there are three zones: +In a typical IoT configuration, there are three zones: 1. IoT devices (sensors & actuators). Managing access to and from devices should be governed by a policy that imposes requirements for 
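Review bot: in the Terminology hunk (@@ -97,11), folding "Service account" into the "Server account" entry leaves the later "Service Accounts" section and its "Vulnerability Mitigation" subsection using a term the glossary no longer defines, and the merged definition now covers three things with different owners and different mitigations (a server's own operation, an application-to-application account, a device connection). Keep a separate Service account entry (an account used by an application or scheduled job to reach another service) and let Server account stay narrow. Also "typically secure via a password" should read "typically secured by a password".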
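Review bot: in the IoT hunk (@@ -125,9), "This eliminates the need for a username/password account as IoT devices typically communicate to an API with encryption and digital signing functionality" is contradicted by the RFC 7228 discussion that follows, where Class 0 devices have "no capacity to support configurable authentication"; encryption and signing are exactly what constrained devices cannot do. It also conflates transport protection with credentialing: a device calling an API still authenticates with something (a client certificate, a pre-shared key, a token) that must be provisioned, stored on the device and rotated, so the password account is replaced rather than eliminated. Suggest "can replace a username/password account with certificate- or token-based API authentication where the device class supports it".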
@@ -140,10 +152,10 @@ In a typical IoT configuration there are three zones: rotated. The selected security requirement must match the capability of the devices, but technical limitations often constrain IoT devices. “Terminology for Constrained-Node Networks" (RFC 7228) - nominates three classes of - devices:2 + nominates three classes of devices: + 2 - 1. Class 0 – no capacity to support configurable authentication + 1. Class 0 – no capacity to support configurable authentication. 2. Class 1 – limited capacity for key management, token support, etc. @@ -160,7 +172,7 @@ In a typical IoT configuration there are three zones: 3. Human-Machine interface application (HMI) such as a controller app or a SCADA app monitoring or controlling the IoT devices. In some cases, sensors will write data directly to a database that is read - by another application such as a SCADA app or similar human-machine + by another application, such as a SCADA app or similar human-machine interface (HMI). Access to these applications will be by humans and should be managed via the IDM environment. @@ -183,10 +195,12 @@ Access Management system. There is increasing concern regarding the provenance of IoT devices and tracking devices throughout the supply chain to ensure no modifications -have been made that could potentially deploy ‘back-door’ -access.3 -The IAM practitioner may wish to ensure corporate policy defines the -certification processes to be employed for IoT devices. +have been made that could potentially deploy ‘back-door’ access. +3 The IAM +practitioner may wish to ensure corporate policy defines the +certification processes to be employed for IoT devices and ensure that +compliance with software supply chain policy is in place. This is +increasingly important in regulated industries. Just as important as securing the device itself is protecting the IoT device data. In many cases, databases with IoT devices are not 
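Review bot: the reflow in the @@ -140,10 hunk moves the footnote reference onto its own line ("nominates three classes of devices:" followed by "+ 2" on a new line, directly before the numbered list). Depending on the Markdown renderer a bare "2" separated from its text by a line break becomes a stray paragraph or splits the list that follows; the same wrapping appears in the @@ -183 ("+3 The IAM"), @@ -254 ("+5 Bots are"), @@ -454 ("+6") and @@ -559 ("+7 advises") hunks. Check the rendered output and keep each marker attached to the preceding word rather than wrapped onto the next line.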
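Review bot: in the supply-chain hunk (@@ -183,10), "ensure that compliance with software supply chain policy is in place" is circular unless the article says what such a policy would require of an IoT vendor, and the preceding sentence already asks for "certification processes" without saying what is certified. One concrete sentence would fix both, for example that policy should require signed firmware with a verifiable update channel and documented provenance for the device (who built it and from which components), so the IAM practitioner knows what evidence to ask a supplier for. "This is increasingly important in regulated industries" adds nothing without naming one and can be cut.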
@@ -202,29 +216,29 @@ Vulnerability Mitigation There is no ‘correct answer’ when it comes to deciding the involvement of IAM practitioners in the management of IoT devices. At one end of the -spectrum is the use-case whereby all IoT deployments and management are +spectrum is the use case whereby all IoT deployments and management are the domain of OT personnel. In this case, the IAM involvement will be restricted to the human accounts that access the OT systems. Group management of entitlements to accounts that can configure IoT systems will heighten the level of security. -At the midpoint of the spectrum, a human identity is responsible for IoT -devices. The IAM provisioning workflow will route configuration -requests, and potentially password rotation requests, to the responsible -person. The IoT devices will participate in both attestation reporting -to the responsible manager and compliance management with integration to -the Security Operations Center (SOC) and possibly the Security -Information and Event Management (SIEM) system. +At the midpoint of the spectrum, components of the IoT configuration and +operation will fall under IAM services. The IAM provisioning workflow +will route configuration requests and potentially password rotation +requests, to the responsible person. The IoT devices will participate in +both attestation reporting to the responsible manager and compliance +management with integration to the Security Operations Center (SOC) and +possibly the Security Information and Event Management (SIEM) system. At the other end of the spectrum, the provisioning of devices is included in the identity management infrastructure. IoT devices are treated the same way as individuals, applying a ‘digital identity’ to devices. Their entitlements can be set via the normal account provisioning workflows, and their access control can use the same -protocols. 
Most modern API systems, including gateways, use OAuth for -machine-to-machine communications, while Open ID Connect can be -appropriate for IoT device controller -authentication.4 +protocols. Most modern API systems, including gateways, use OAuth 2.0 +for machine-to-machine communications, while Open ID Connect can be +appropriate for IoT device controller authentication. +4 Service Accounts ---------------- @@ -234,7 +248,7 @@ processes that are periodically run on an automated basis, e.g., via a UNIX cron job or Windows Task Scheduler. Auditors often overlook the accounts used by these processes because they are not accessed by users interactively. Since users do not log into them, they are typically -quite basic, single-purpose accounts with restricted privileges. +basic, single-purpose accounts with restricted privileges. Examples include: 
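Review bot: the rewritten midpoint paragraph (@@ -202,29) removes "a human identity is responsible for IoT devices", but the following sentences still refer to "the responsible person" and "the responsible manager", so that person is now never introduced. Either keep a clause that names who it is (an owner assigned per device or device class) or rewrite the sentences that depend on it. Two nits in the same hunk: "Open ID Connect" is "OpenID Connect", and since the sentence now pins "OAuth 2.0" for machine-to-machine communication it should name the client credentials grant, because that is the flow that carries a client secret or certificate and therefore needs the same handling as a service account.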
@@ -254,42 +268,31 @@ Vulnerability Mitigation Service accounts are a significant source of concern for many organizations because they are often established with a static password -that, if not encrypted, can be read by any system administrator. These -accounts can then be used interactively by a malicious actor and -possibly used for lateral movement to other servers in the organization. -Including service accounts in the corporate data loss protection tools, -such as authentication monitoring for anomalies, can guard against such -vulnerabilities. A better practice is to migrate static service accounts -to APIs that typically impose a strict security and monitoring regime. - -Note: the term ‘service account’ (a non-human account) is sometimes -misused to describe an account accessed periodically by a service -person, e.g., an HVAC technician. Such accounts are user accounts and -are not addressed in this document. Note that because these personnel -are often external to a company and therefore not in the IAM data store, -a ‘generic account’ is sometimes established for any person in the -service company to use. This convenient approach is an issue for the IAM -environment. There is no place for generic accounts in the modern -organization and they should not be used. - -Options include: - -- Federated authentication with the service company - -- Self-service password management with approval workflow - -- MFA device issuance to the service company - -- Deployment of an API to manage and monitor service company access. +that, if not encrypted, can be read by any system administrator. If +their access rights are not tightly scoped, these accounts can then be +used interactively by a malicious actor and possibly used for lateral +movement to other servers in the organization’s network. If corporate +data loss protection extends to service accounts, tools such as +authentication monitoring for anomalies can guard against such +vulnerabilities. 
User behavior analysis tools baseline the normal +activity on an account; any deviation from this will generate an alert +to the event monitoring system. Alternatively, static service accounts +can be migrated to APIs that typically impose a strict security and +monitoring regime. + +Note: the term ‘service account’ is sometimes used to describe an +account accessed periodically by a service person, e.g., an HVAC +technician. Such accounts are user accounts and should be addressed in a +company’s IAM strategy. They are not addressed in this document. Bots ---- The term ‘bot’ has come from the Robotic Process Automation (RPA) sector that had its genesis in plant automation, where software routines are -deployed for repetitive -processes.5 -Bots are now used for everything from website crawlers to retrieve usage +deployed for repetitive processes. +5 Bots are +now used for everything from website crawlers to retrieve usage information to denial-of-service malware. Increasingly they are being used by organizations to automate repetitive tasks such as retrieval of building information management data or consolidating customer @@ -304,7 +307,7 @@ protection. A common form of malicious activity is ‘credential stuffing,’ whereby a hacker alters login credentials to take control of a session. -Organizations need to prepare for external use of bots. Bots will +Organizations need to prepare for the external use of bots. Bots will exhibit different characteristics compared to ‘normal’ non-human access to a process or service. For the IAM practitioner, user behavior analysis can be used to identify access anomalies. 
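Review bot: in the service-account mitigation hunk (@@ -254,42), "If their access rights are not tightly scoped, these accounts can then be used interactively by a malicious actor" ties the wrong control to the threat: scoping permissions limits what an attacker can do after logon, it does not stop interactive use. The control that does is denying interactive logon for service accounts outright (the Windows "deny log on locally" and "deny log on through Remote Desktop Services" user rights, a nologin shell on UNIX) and alerting on any attempt, which is what the deleted intro text ("suspended if used interactively") said. Similarly, "if not encrypted, can be read by any system administrator" implies that encrypting the stored password fixes it, but an administrator who can read the config can usually read the key too; the recommendation should be not to store the password on the host at all (vault or PAM checkout, or a managed identity with short-lived tokens). This hunk also removes the four options for external service-company access (federation, self-service password management with approval, MFA issuance, an API), and the replacement only says such accounts "should be addressed in a company's IAM strategy", which is less useful than the list was. Finally, "data loss protection" is not the tool category for authentication anomaly monitoring; the user behavior analysis described in the next sentence is UEBA or SIEM.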
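Review bot: the unchanged context line in the @@ -304,7 hunk defines credential stuffing as "a hacker alters login credentials to take control of a session", which describes session hijacking or account takeover, not credential stuffing. Credential stuffing is the automated replay of username/password pairs stolen in one breach against the login endpoints of other sites, at scale and via bots, which is the reason it belongs in a section on bots at all. Since the paragraph is being touched, correct the definition; it changes the mitigation too (rate limiting, breached-password checks and MFA rather than session protection).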
@@ -333,11 +336,11 @@ Client Devices Traditionally identities are people; they have identifiers stored in an identity datastore and then used to authenticate users to protected resources. It is increasingly necessary to also track the endpoint -devices that users employ to access corporate resources such as laptops, -tablets, or smartphones. To track those devices, an object is created in -the organization’s directory or other data stores that record the detail -for each device. This data allows us to grant access to a resource based -on the device being used to access it. +devices that users employ to access corporate resources, such as +laptops, tablets, or smartphones. To track those devices, an object is +created in the organization’s directory or other data stores that record +the detail for each device. This data allows us to grant access to a +resource based on the device being used to access it. There are several benefits to registering client devices: @@ -372,8 +375,8 @@ biometric check for an ‘inherence’ factor. Some organizations use a Mobile Device Management (MDM) tool to manage client devices. MDM facilitates the tracking and management of devices and will typically include a self-service module to allow users to -register and deregister their devices as new devices are acquired, or -old devices are lost or retired. +register and deregister their devices as new devices are acquired or old +devices are lost or retired. Selecting and deploying the appropriate solution for managing client device ‘identities’ is a core capability in enabling non-human access 
@@ -454,8 +457,8 @@ devices that have connections to the Internet. Recent incidents include: (DDoS) attacks. Most jurisdictions are now requiring products to adhere to an -appropriate set of standards that typically -include:6 +appropriate set of standards that typically include: +6 - Ending the use of default passwords. All devices are shipped with a unique password that is not resettable to a common default setting. 
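Review bot: in the @@ -454,8 hunk, "Most jurisdictions are now requiring products to adhere to an appropriate set of standards" is a strong claim resting on a single 2020 vendor blog post (footnote 6), and "most" was not true then and is hard to support now. Suggest "a growing number of jurisdictions" and, if a citation is wanted, a primary source such as ETSI EN 303 645 (the consumer IoT baseline the UK and others have adopted) or California's SB-327 device-password requirement, both of which carry the "no universal default passwords" rule the list opens with. Same footnote-wrapping issue as earlier in the file: "+6" lands on its own line after "include:".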
@@ -509,22 +512,22 @@ Vulnerability Mitigation IAM practitioners should assist in the protection of access to all system accounts. In a UNIX environment, this might be via the removal of -the -‘[etc/passwd](https://www.google.com/search?sxsrf=ALeKk00EXgVcYJud1c2wvEi6kTkygI3HFQ:1588810082250&q=unix+root+access+sudo+etc+passwd&spell=1&sa=X&ved=2ahUKEwjKo8XkuqDpAhXPXisKHVrJBoIQBSgAegQIDRAn)’ -file and the use of SUDO for privilege escalation. In a Microsoft +the ‘ +[etc/passwd](https://www.google.com/search?sxsrf=ALeKk00EXgVcYJud1c2wvEi6kTkygI3HFQ:1588810082250&q=unix+root+access+sudo+etc+passwd&spell=1&sa=X&ved=2ahUKEwjKo8XkuqDpAhXPXisKHVrJBoIQBSgAegQIDRAn) +’ file and the use of SUDO for privilege escalation. In a Microsoft Windows environment, a privileged access management (PAM) system is a common solution. In this case, system passwords are made specifically complex and rotated as appropriate. Access to such an account is via a PAM system, which restricts access to specific individuals with the appropriate entitlements and logs all access events. -If a PAM is not used, Windows supports time-limited elevation of account -privileges, with notification to management. Manual intervention that -ensures appropriate use and management of system and server accounts is -also good practice, as is including server accounts in corporate audits. -This level of management will require corporate policy to be established -for server accounts which will heighten visibility of account management -practices. +If a PAM is not used, Windows supports the time-limited elevation of +account privileges, with notification to management. Manual intervention +that ensures appropriate use and management of system and server +accounts is also good practice, as is including server accounts in +corporate audits. This level of management will require corporate policy +to be established for server accounts which will heighten the visibility +of account management practices. 
Increasingly, applications are being deployed on cloud services requiring an access control environment that suits each deployment. This @@ -559,15 +562,15 @@ that communicate identity data. The use of bots will also continue to accelerate; deployment of behavioral analytics and gateway technology should be considered. The US -Department of Homeland -Security7 -advises the following: +Department of Homeland Security +7 advises +the following: - Nefarious bot developers will target new IoT devices for vulnerabilities as they are released to the market and will compete with each other to deploy malware. -- Bot code-size will get smaller and more sophisticated to avoid +- Bot code size will get smaller and more sophisticated to avoid detection and frustrate defenses. - Botnets will be extended and better monetized, likely through @@ -594,16 +597,14 @@ frustrates the governance task. At the very least, the IAM practitioner should ask the appropriate questions as to how IoT devices are being secured, how server accounts are being managed, and what defenses are in place to thwart malicious bots. It is preferable that the IAM and -InfoSec teams within an organization work together to ensure consistent -application of cybersecurity controls that are aligned with corporate -policy. - -  +InfoSec teams within an organization work together to ensure the +consistent application of cybersecurity controls that are aligned with +corporate policy. Author Bios ----------- -![Author photo](gwilliamson.jpg)Graham Williamson +![Author photo](gwilliamson.jpg) Graham Williamson Graham Williamson is an IAM consultant working with commercial and government organizations for over 20 years with expertise in identity 
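Review bot: in the system-account hunk (@@ -509,22), "the removal of the etc/passwd file and the use of SUDO for privilege escalation" cannot be right as written: /etc/passwd (note the missing leading slash) is needed for user lookups and removing it breaks the host. What the paragraph presumably means is that password hashes are kept out of /etc/passwd (shadowed in /etc/shadow, readable only by root), direct root login is disabled, and escalation goes through sudo with per-user rules and logging; say that. The link behind "etc/passwd" is a Google search results URL carrying session parameters (sxsrf=..., ved=...) rather than a reference; replace it with the passwd(5) or sudoers(5) man page or drop it. Also, "system passwords are made specifically complex and rotated as appropriate" undersells what a PAM gives you, which is rotation on every checkout plus a recorded session tied to a named individual.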
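Review bot: in the @@ -559,15 hunk the botnet predictions are attributed to "the US Department of Homeland Security", but footnote 7 cites the "Botnet Roadmap Status Update, Department of Commerce and Homeland Security, July 2020", a joint Commerce/DHS report. Credit both departments in the sentence so it matches the citation.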
@@ -622,22 +623,22 @@ Toronto and a Master of Business Administration from Bond University. As a member of the IDPro Body of Knowledge Committee, he looks forward to helping create the definitive body of knowledge for the IAM sector. -![Author photo](akoot.jpg)André Koot +![Author photo](akoot.jpg) André Koot André Koot is IAM Strategist and Chief Customer Success Officer at Sonic Bee. His IAM experience comes from a financial accounting and auditing -background. This background of anti-fraud detection and prevention +background. This background in anti-fraud detection and prevention business processes led to research in the area of authorization principles. -![Author photo](glee.jpg)Gloria Lee +![Author photo](glee.jpg) Gloria Lee Gloria Lee is a Senior Program Manager in the Azure AD Engineering team at Microsoft. As part of the customer experience team for Identity and -Network Access, her role is driving customer success in Azure Identity -division. Gloria is focused on helping customers increase security -posture with deployment of Azure Active Directory, Azure hybrid -cloud-based solutions to provide identity management. +Network Access, her role is driving customer success in the Azure +Identity division. Gloria is focused on helping customers increase +security posture with the deployment of Azure Active Directory, Azure +hybrid cloud-based solutions to provide identity management. Prior to joining Microsoft, Gloria was a seasoned engineer/architect with 18+ years of experience in the areas of Identity, security, 
@@ -647,18 +648,17 @@ Microsoft Identity Driven Airlift Conference for partners, GrayHat 2020, and Texas Security Summit. Outside of technology, she enjoys spending time with her kids/family and travel bargain hunting. -  - Change Log ========== -| Date | Change | -|------------|------------------------------------------------------------------| -| 2022-02-28 | Added a section on client devices; added Gloria Lee as an author | -| 2021-04-19 | Author affiliation change | -| 2020-10-30 | V1 published | +| Date | Change | +|------------|--------------------------------------------------------------------------------------------------------------| +| 2020-10-30 | V1 published | +| 2021-04-19 | Author affiliation change | +| 2022-02-28 | Added a section on client devices; added Gloria Lee as an author | +| 2023-03-31 | Various changes to improve the clarity of the article such as the addition of device vs. service information | -
+
------------------------------------------------------------------------ @@ -666,7 +666,7 @@ Change Log Cameron, Andrew and Olaf Grewe, “An Overview of the Digital Identity Lifecycle,” IDPro Body of Knowledge, 30 October 2020, - .↩︎ + . [↩](#fnref1)
@@ -674,8 +674,8 @@ Change Log Bormann, C., Ersue, M., and A. Keranen, "Terminology for Constrained-Node Networks", RFC 7228, DOI 10.17487/RFC7228, May - 2014, - <>.↩︎ + 2014, < >. + [↩](#fnref2)
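Review bot: as rendered in this diff the RFC 7228 footnote now reads "2014, < >." with nothing between the angle brackets, and the neighbouring footnote hunks show the same empty link slot ("June 2020, . [↩]"); the removed lines had the same gap ("<>.↩︎"), so this may be a rendering artefact rather than a change. If the URLs are present in the committed Markdown, fine; if not, the DOI line for RFC 7228 (10.17487/RFC7228) is the only reference a reader can still resolve and the others lose their targets. Please verify the links survive in the file.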
@@ -684,8 +684,8 @@ Change Log Hashemi, Soheil, and Mani Zarei. “Internet of Things Backdoors: Resource Management Issues, Security Challenges, and Detection Methods.” Transactions on Emerging Telecommunications Technologies. - Wiley, October 12, 2020. - .↩︎ + Wiley, October 12, 2020. . + [↩](#fnref3) @@ -694,15 +694,15 @@ Change Log See section ‘Mobile & API Innovation Gave Us OAuth & Delegated Authorization Frameworks’ in Dingle, Pamela, “Introduction to Identity - Part 2: Access Management,” IDPro Body of Knowledge, 17 - June 2020, - .↩︎ + June 2020, . [↩](#fnref4) 5.
“What is a bot in RPA?,” n.d., - .↩︎ + . + [↩](#fnref5)
@@ -710,7 +710,8 @@ Change Log For example, see Fernandez, Angel, "New IoT security regulations: what you need to know,” Allot blog, 30 January 2020, - [https://www.allot.com/blog/new-iot-security-regulations-what-you-need-to-know/\#](https://www.allot.com/blog/new-iot-security-regulations-what-you-need-to-know/).↩︎ + [https://www.allot.com/blog/new-iot-security-regulations-what-you-need-to-know/\#](https://www.allot.com/blog/new-iot-security-regulations-what-you-need-to-know/) + . [↩](#fnref6) @@ -718,7 +719,8 @@ Change Log Botnet Roadmap Status Update, Department of Commerce and Homeland Security, July 2020, - .↩︎ + + . [↩](#fnref7) diff --git a/terminology.md b/terminology.md index 42623b8..f8d2061 100644 --- a/terminology.md +++ b/terminology.md @@ -1,4 +1,4 @@ -Heather Flanagan, editor - @ 2022 IDPro +Heather Flanagan, editor - ©2023 IDPro ***Editor’s Note:** This is a consolidated list of the terminology highlighted in each of the articles published in the Body of Knowledge @@ -139,206 +139,227 @@ via the IDPro GitHub repository: .*
+ + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + + + + + + - + - + - + - + - + - + - + - + - + + + + + + @@ -350,225 +371,236 @@ via the IDPro GitHub repository: .* + + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + @@ -595,51 +627,61 @@ via the IDPro GitHub repository: .* + + + + + - + - + - + - + - + - + - + - + + + + + + @@ -651,85 +693,95 @@ via the IDPro GitHub repository: .* + + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + @@ -753,7 +805,7 @@ via the IDPro GitHub repository: .* - + @@ -931,15 +983,25 @@ via the IDPro GitHub repository: .* + + + + + - + + + + + + @@ -1091,126 +1153,131 @@ via the IDPro GitHub repository: .* + + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
Person Identity Non-human Identity
Usage Multi-faceted, must accommodate multiple access requirements to many applications or protected resources

Purpose-specific,

-

single requirement for each deployment

Purpose-specific, with a single requirement for each deployment
LifecycleCreated during the ‘joiner’ process, modified when ‘moves’ occur, continually monitored for compliance, disabled, and then deleted according to the ‘leaver’ process.1Created during the ‘joiner’ process, modified when ‘moves’ occur, continually monitored for compliance, disabled, and then deleted according to the ‘leaver’ process. 1 Created on deployment of the device/service, deleted on termination.
Access
-end-points
Users typically access computer services from smartphones, PCs, and laptops on an interactive basis. Endpoints are typically devices or device controllers. They can also be computer applications, service routines, or Internet bots.
Strategic Alignment and Access Governance
ApplicantA subject undergoing the processes of enrollment and identity proofing.Defining the Problem – Identity Proofing Challenges
Architecture Framework for the design, deployment, and operation of an information technology infrastructure. It provides a structure whereby an organization can standardize the technology it uses and align its IT infrastructure with digital transformation policy, IT development plans, and business goals. Introduction to IAM Architecture
Architecture Overview Describes the architecture components required for supporting IAM across the enterprise. Introduction to IAM Architecture
Architecture Patterns Identifies the essential patterns that categorize the IT infrastructure architecture in an organization and will guide the deployment choices for IAM solutions. Introduction to IAM Architecture
Assertion A formal message or token that conveys information about a principal, typically including a level of assurance about an authentication event and sometimes additional attribute information. Sometimes this is called a Security Token. IAM Reference Architecture
Assurance Level A category describing the strength of the identity proofing process and/or the authentication process. See NIST SP.800-63-3 for further information. IAM Reference Architecture
Asymmetric Cryptography Any cryptographic algorithm which depends on pairs of keys for encryption and decryption. The entity that generates the keys shares one (see Public Key) and holds and protects the other (see Private Key). They are referred to as asymmetric because one key encrypts, and the other decrypts. Practical Implications of Public Key Infrastructure for Identity Professionals
Attribute Provider Sometimes the authority for attributes is distinguished from the authority for identities. In this case, the term Attribute Provider is sometimes used. It is a subset or type of an Identity Information Authority. IAM Reference Architecture
Attribute-Based Access Control (“ABAC”) / Claims-Based Access Control (“CBAC”) a pattern of access control system involving dynamic definitions of permissions based on information (“attributes”, or “claims”), such as job code, department, or group membership. Introduction to Policy-Based Access Controls (v2)
Attributes Key/value pairs relevant for the digital identity (username, first name, last name, etc.). An Overview of the Digital Identity Lifecycle (v2)
Audit Repository A component that stores records about all sorts of events that may be useful later to determine if operations are according to policy, support forensic investigations, and allow for pattern analysis. Typically, this is highly controlled to prevent tampering. Audit Repository is the ISO name for this concept and is localized to the IDM. In this model, the term is generalized to indicate a service that supports event records from any part of the ecosystem. IAM Reference Architecture
Authentication Authentication is the process of proving that the user with a digital identity who is requesting access is the rightful owner of that identity. Depending on the use-case, an ‘identity’ may represent a human or a non-human entity; may be either individual or organizational; and may be verified in the real world to a varying degree, including not at all. Introduction to Access Control (v3), Authentication and Authorization

Authentication (AuthN) The act of determining that to a level of assurance, the principal/subject is authentic. IAM Reference Architecture
Authenticator The means used to confirm the identity of a user, processor, or device, such as a username and password, a one-time pin, or a smart card. Identity and Access Management Workforce Planning
AuthN Assertion A security token whereby the IDP provides identity and authentication information securely to the RP. IAM Reference Architecture
Authoritative Source The system of record (SOR) for identity data; an organization may have more than one authoritative source of data in their environment. User Provisioning in the Enterprise
Authorization Determining a user’s rights to access functionality with a computer application and the level at which that access should be granted. In most cases, an ‘authority’ defines and grants access, but in some cases, access is granted because of inherent rights (like patient access to their own medical data) Introduction to Access Control, Authentication and Authorization
Authorization (AuthZ) Authorization is how a decision is made at run-time to allow access to a resource. We break this down into two types: shared and local. The FICAM framework includes this as a subcomponent of the Access Management System. AuthZ is not included in the ISO or Internet2 models. IAM Reference Architecture
Automatic Certificate Management Environment (ACME) A communication protocol for automating lifecycle management of PKI certificates. Significant providers like Let's Encrypt leverage ACME to support issuing TLS certificates for web servers. Practical Implications of Public Key Infrastructure for Identity Professionals
Bilateral Federation A bilateral federation is one that consists of only two entities: one Identity Provider (IdP) and one Service Provider (SP). This is the most common model for an enterprise identity federation. Federation Simplified (v2)
Binding Associating an authenticator with an identity. Identity and Access Management Workforce Planning, Defining the Problem – Identity Proofing Challenges

Bot Sometimes called an Internet bot, short for ‘robot’ but referring to a software routine that performs automated tasks over the Internet or a web robot referring to an autonomous network application, or simply a ‘bot’ referring to an automated, typically repetitive, task used for a specific purpose. Non-Human Account Management (v2)
Ceremonies Predictable interactions that users can infrequently navigate in a well-watched place Introduction to Identity – Part 2: Access Management
Certificate Authority Trust List (CTL) A client maintains a list of trusted Certificate Authorities created and managed by the software provider or local administrators. The client will only trust certificates issued under one of the CAs in the CTL, so the CTL serves as a "safe list." Practical Implications of Public Key Infrastructure for Identity Professionals
Certificate Management System (CMS) A system that provides management and reporting layers for certificate issuance and revocation. A CMS integrates CA products with Identity Governance and Administration (IGA) systems as well as Service Desk systems. Practical Implications of Public Key Infrastructure for Identity Professionals
Certificate Policy (CP) A document that defines the high-level policy requirement for a PKI. RFC 3647 identifies a PKI's policy framework and describes a CP's contents and outline. An enterprise operating a CA will often publish its certificate policy to external parties so they can determine whether to trust certificates issued by the CA. Practical Implications of Public Key Infrastructure for Identity Professionals
Certificate Practices Statement (CPS) A CP identifies the requirements for managing a CA and issuing PKI certificates. A CPS describes how a CA implements those requirements. The CPS uses the same outline as the CP, defined in RFC 3647. Unlike the CP, enterprises rarely publish their CPS in unredacted form. Practical Implications of Public Key Infrastructure for Identity Professionals
Certificate Revocation List (CRL) A certificate authority will publish a list of revoked certificates, called a CRL so that clients can verify that a certificate is still good. Practical Implications of Public Key Infrastructure for Identity Professionals
Certificate Signing Request (CSR) When requesting a certificate, the requesting entity provides a copy of the public key, their identifiers, and other information in a specially formatted binary object called a CSR. Practical Implications of Public Key Infrastructure for Identity Professionals
Channel The communication avenue between you and your end-user, or your agent and their customer. This could be phone, chat, social media, or others.  Managing Identity in Customer Service Operations
CIA Triad The fundamental Information security concepts of risk classification of resources from the perspectives of Confidentiality, Integrity, and Availability. Non-Human Account Management (v2)
Claimant A subject whose identity is to be verified by using one or more authentication protocols. Defining the Problem – Identity Proofing Challenges
Claimed Identity An applicant’s declaration of unvalidated and unverified personal attributes. Defining the Problem – Identity Proofing Challenges
Claims-Based Access Control (CBAC) See Attribute-Based Access Control (ABAC) Introduction to Policy-Based Access Controls (v2)
Classical Computer A computer that uses binary encoding and Boolean logic to make calculations in a deterministic way. We use the term Classical Computers in contrast with Quantum Computers. Practical Implications of Public Key Infrastructure for Identity Professionals
Cloud Infrastructure Entitlement Management (CIEM) a categorization of technologies focused on managing the granting, verification, and refinement of permissions for cloud and hybrid technologies. CIEM is often seen as a component of Identity Governance and Administration (IGA) Techniques To Approach Least Privilege
Competency Model A collection of tasks, knowledge, and skills (TKS) needed for effective job performance. A competency model is part of a workforce framework. Identity and Access Management Workforce Planning
Consent Permission for something to happen or agreement to do something. Introduction to Privacy and Compliance for Consumers
Consumer Protection Law Laws and regulations that are designed to protect the rights of individual consumers and to stop unfair, deceptive, and fraudulent business practices. Laws Governing Identity Systems
Context conditions under which an action on a resource is authorized for a subject, such as time of access, location of access, or a compliance state. Introduction to Policy-Based Access Controls (v2)
Continuous Authentication Continuous authentication is a mechanism that uses a variety of signals and measurements to determine during a user session if there is any change in the confidence that it is still the same user that authenticated at the beginning of the session, and trigger an authentication action if there is a drop in confidence. Designing MFA for Humans
Contract Law Laws that relate to making and enforcing agreements between or among separate parties. Laws Governing Identity Systems
Credential A credential allows for authentication of an entity by binding an identity to an authenticator. IAM Reference Architecture
Credential An object or data structure that authoritatively binds an identity—via an identifier or identifiers—and (optionally) additional attributes to at least one authenticator possessed and controlled by a subscriber. Defining the Problem – Identity Proofing Challenges
Credential Management How to issue, manage, and revoke authenticators bound to identities. Credential Management roughly corresponds to the IDPro term for Credential Services; we use the term Credential Management here to correlate to the Federal Identity, Credential, and Access Management (FICAM) initiative’s terms. IAM Reference Architecture
Credential Service Provider A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or may issue credentials for its own use. Defining the Problem – Identity Proofing Challenges
Credential Services Credential Services issue or register the subscriber authenticators, deliver the credential for use, and subsequently manage the credentials. We include PKI information for IAM architectures that must include system components that need certificates and private keys. This roughly corresponds to the FICAM component called Credential Management Systems. IAM Reference Architecture
Credentials Any attribute or shared secret that can be used to authenticate a user. Account Recovery (v2)
Cryptographic Module A hardware or software component that securely performs cryptographic operations within a logical boundary. Cryptographic Modules store private keys within this boundary and use them for cryptographic functions at the request of an authorized user or process. Practical Implications of Public Key Infrastructure for Identity Professionals
Cryptographic Module Validation Program (CMVP) A program allowing cryptographic module developers to test their modules against the requirements defined in FIPS-140. The computer security resource center under the United States National Institute of Standards and Technology (NIST) maintains a publicly available list of validated modules. Practical Implications of Public Key Infrastructure for Identity Professionals
Data Controller Defined in Article 4(7) of the GDPR: “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;”. This article uses the term “organisation” as a synonym for “data controller”, since organisations involved in IAM will normally be data controllers. An Introduction to the GDPR
Data Mapping “a system of cataloguing what data you collect, how it’s used, where it’s stored, and how it travels throughout your organization and beyond.” Impact of GDPR on Identity and Access Management
Data Processor Defined in Article 4(8) of the GDPR for situations where an organisation processes personal data solely on the instructions of others. A Data Processor must not determine the purposes of processing, for example by processing in its own interests, or, beyond limited technical choices, the means of doing so. Data Processors are regulated by Article 28: in particular they must have a contract with the Data Controller that covers all the subjects listed in Article 28(3). Data Processors are excluded from some, but not all, of the liabilities and duties of Data Controllers. An Introduction to the GDPR
Data Protection by Design Data protection through technology design. See GDPR Article 25 for more detail Impact of GDPR on Identity and Access Management
Data Protection Officer An individual who must be appointed in any organization that processes any data defined by the GDPR as sensitive. The DPO is responsible for “Working towards the compliance with all relevant data protection laws, monitoring specific processes, such as data protection impact assessments, increasing employee awareness for data protection and training them accordingly, as well as collaborating with the supervisory authorities.”(See GDPR Articles 35, 37, 38, and 39 for more detail) Impact of GDPR on Identity and Access Management
Data Subject Defined in Article 4(1) of the GDPR (see “Personal Data” above) as the formal term for the human to whom personal data relates. This article uses the term “individual” as a synonym for “data subject”. An Introduction to the GDPR
Decentralized Identifier (DID) An identifier that is created and anchored in a decentralized system such as a blockchain or ledger and can represent any entity in the ecosystem – an issuer, a holder, a verifier, and even an identity hub. A Peek into the Future of Decentralized Identity
Delegated Authorization Framework An access control framework that decouples authentication from authorization, allowing the password to stay local and protected Introduction to Identity – Part 2: Access Management
Digital Cards Represent verifiable credentials that users collect over time and are stored as part of the user agent or the identity hub of the user. It’s somewhat simpler to refer to them as digital cards rather than verifiable credentials when speaking about them. A Peek into the Future of Decentralized Identity
Digital Identity the combination of a unique identifier together with relevant attributes that uniquely identifies an entity. An Overview of the Digital Identity Lifecycle (v2)
Digital Wallet represents a digital metaphor for a physical wallet and is generally represented by the combination of the user agent and the underlying capabilities of the computing device, such as secure storage and secure enclaves on a mobile phone. The digital wallet contains digital cards. A Peek into the Future of Decentralized Identity
Directory A directory is a central repository for user identities and the attributes that make up those identities. A user identity might be John Smith with firstName attribute as John, lastName attribute as Smith, title attribute as Director, and Department attribute as Marketing. The attributes in the directory can be used to make authorization decisions about what this user should have access to in applications. Authentication and Authorization
Discretionary Access Control a pattern of access control system involving static, manual definitions of permissions assigned directly to users. Introduction to Policy-Based Access Controls (v2)
dPKI A decentralized public key infrastructure, usually implemented via an immutable blockchain or ledger – a place where DIDs can be registered and looked up alongside the associated public keys of the DID and its metadata. dPKI can be described more generally as a verifiable data registry, as the dPKI is just one of many possible implementations for a verifiable data registry. While this paper refers to dPKI, the reader should be aware that a verifiable data registry need not necessarily be “decentralized”. A Peek into the Future of Decentralized Identity
Electronic Identification, Authentication and Trust Services (eIDAS) European legislation that gives legal standing to electronic signatures. This legislation also documents how to provide legally binding digital signatures with X.509 certificates to comply with Qualified Signature requirements. Practical Implications of Public Key Infrastructure for Identity Professionals
Elliptic Curve Cryptography (ECC) An asymmetric cryptosystem based on calculating points along elliptic curves. Practical Implications of Public Key Infrastructure for Identity Professionals
Encryption Processing data using a cryptographic algorithm to provide confidentiality assurance. Practical Implications of Public Key Infrastructure for Identity Professionals
Enforcement The mechanism that ensures an individual cannot perform an action or access a system when prohibited by policy. IAM Reference Architecture
Enrollment Also known as Registration. Enrollment is concerned with the proofing and lifecycle aspects of the principal (or subject). The entity that performs enrollment has sometimes been known as a Registration Authority, but we (following NIST SP.800-63-3) will use the term Credential Service Provider. IAM Reference Architecture, Defining the Problem – Identity Proofing Challenges

Enterprise Architecture An architecture covering all components of the information technology (IT) environment Introduction to IAM Architecture
Entitlement The artifact that allows access to a resource by a principal. This artifact is also known as a privilege, access right, permission, or an authorization. An entitlement can be implemented in a variety of ways. IAM Reference Architecture
Entitlement Catalog A database of entitlements and their related metadata. The catalog includes an index of entitlement data pulled from business systems, applications, and platforms, as well as technical and business descriptions of the entitlements or their use User Provisioning in the Enterprise
Entitlement Management Cataloging and managing all the accesses an account may have. This is the business process to provision access. Introduction to Identity - Part 1: Admin-time (v2)
External identifier The means by which a person in control of a digital identity refers to that identity when interacting with a system Identifiers and Usernames
Federal Agency Smart Credential Number (FASC-N) A unique identifier associated with a smart card. FASC-N is used in the US Federal Government PIV standard to support Physical Access. Practical Implications of Public Key Infrastructure for Identity Professionals
Federal Information Processing Standard (“FIPS”) 140 A NIST standard defining “Security Requirements for Cryptographic Modules.” Practical Implications of Public Key Infrastructure for Identity Professionals
Federated Access Controls an access control architecture that accommodates separation of user/subject authority and resource/object authority. Introduction to Policy-Based Access Controls (v2)
Federated Identity The means of linking a person’s electronic identity and attributes, stored across multiple distinct identity management systems Introduction to Identity – Part 2: Access Management
Fractured Identity A case where a single end-user has multiple disparate digital identities. Managing Identity in Customer Service Operations
Fraud Law Laws that protect against the intentional misrepresentation of information made by one person to another, with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage. Laws Governing Identity Systems
Gantt Chart A popular schedule format that displays both activity and timeframes in a single chart Introduction to Project Management for IAM Projects
General Data Protection Act (GDPR) Formally, Regulation 2016/679 of the European Union, in force May 25, 2018. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679 An Introduction to the GDPR
Governance Making sure that accountable owners are demonstrably in control. Strategic Alignment and Access Governance
Groups A set of identities with defined permissions. In this specific context, a group contains many individuals, but the group identity is opaque, and no information is available regarding which group member took an individual action. Practical Implications of Public Key Infrastructure for Identity Professionals
Hardware Security Module (HSM) A hardware device that generates and protects cryptographic keys. Practical Implications of Public Key Infrastructure for Identity Professionals
Holder The entity that holds verifiable credentials. Holders are typically users but can also be organizations or devices. A Peek into the Future of Decentralized Identity
Identification Uniquely establish a user of a system or application. Introduction to Access Control
Identifier The way a system refers to a digital identity. PKI Certificates support both internal and external identifiers. See Ian Glazer’s article, “Identifiers and Usernames,” for a generic overview of identifiers. Practical Implications of Public Key Infrastructure for Identity Professionals
Identity Defining attributes for a human user that may vary across domains, e.g., a user’s digital identity will have a different definition in a work environment as opposed to the user’s bank. A device identifier is sometimes referred to as its identity. Non-Human Account Management (v2)
Identity An attribute or set of attributes that uniquely describes a subject within a given context. Defining the Problem – Identity Proofing Challenges
Identity Analytics and Intelligence (IdA) Identity analytics and intelligence mean looking at entitlement data, looking at the assignment of that, and trying to figure out and define what risk looks like. IdA provides a risk-based approach for managing system identities and access, with the intention of centralizing governance, visibility, and reporting for access-based risk. Identity and Access Management Workforce Planning
Identity Evidence Information or documentation the applicant provides to support the claimed identity. Identity evidence may be physical (e.g., a driver’s license) or digital (e.g., an assertion generated and issued by a CSP based on the applicant successfully authenticating to the CSP). Defining the Problem – Identity Proofing Challenges
Identity Federation

An identity federation is a group of computing or network providers that agree to operate using standard protocols and trust agreements. In a Single Sign-On (SSO) scenario, identity federation occurs when an Identity Provider (IdP) and Service Provider (SP) agree to communicate via a specific, standard protocol. The enterprise user will log into the application using their credentials from the enterprise rather than creating new, specific credentials within the application. By using one set of credentials, users need to manage only one credential, credential issues (such as password resets) can be managed in one location, and applications can rely on the appropriate enterprise systems (such as the HR system) to be the source of truth for a user’s status and affiliation.

Identity federations can take several forms. In academia, multilateral federations, where a trusted third party manages the metadata of multiple IdPs and SPs, are fairly common. 1 This article focuses, however, on the enterprise use case where bilateral federation arrangements, where the agreements are one-to-one between an IdP and an SP, are the most common form of identity federation in use today.

Federation Simplified (v2)
Identity Governance and Administration (IGA) a discipline that focuses on identity life cycle management and access control from an administrative perspective. Introduction to Identity - Part 1: Admin-time (v2)
Identity Governance and Administration (IGA) Includes the collection and use of identity information as well as the governance processes that ensure the right person has the right access to the right systems at the right time. Introduction to IAM Architecture
Identity Governance and Administration (IGA) a solution for automating user management and authorizations in target systems, building on the organization’s customer and human resource processes. Strategic Alignment and Access Governance
Identity Hub or Repository The place where users can store their encrypted identity-related information. An identity hub can be anywhere – on the edge, on the cloud, or on your own server. Its purpose is to store personal data. Some implementations may allow other entities to access the identity hub of the user if the user specifically grants such access. You can think of an identity hub as the individual’s personal data store. A Peek into the Future of Decentralized Identity
Identity Information Authority (IIA) This represents one or more data sources used by the IDM as the basis for the master set of principal/subject identity records. Each IIA may supply a subset of records and a subset of attributes. Sometimes the IIA is distinguished from the Identity Information Provider or IIP. We use IIA to include the service that actually provides the information as well as the root authority. This corresponds to Identity Information Source in ISO/IEC 24760-2 and Identity Sources in Internet2. IAM Reference Architecture
Identity Lifecycle Management A process that detects changes in authoritative systems of record and updates identity records based on policies. User Provisioning in the Enterprise
Identity Management (IDM) A set of policies, procedures, technology, and other resources for maintaining identity information. The IDM contains information about principals/subjects, including credentials. It also includes other data such as metadata to enable interoperability with other components. The IDM is shown with a dotted line to indicate that it is a conceptual grouping of components, not a full-fledged system in itself. IAM Reference Architecture
Identity Proofing accruing evidence to support “who this is.” Identity proofing is the last, but not the least, important part of this admin-time section. This is the process of collecting and verifying information about a person for the purpose of providing an account or a corresponding credential. This is typically performed before an account is created or the credential is issued, or a special privilege is granted. Introduction to Identity - Part 1: Admin-time (v2)
Identity Proofing The process by which a CSP collects, validates, and verifies information about a person. Defining the Problem – Identity Proofing Challenges
Identity Provider (IdP) An Identity Provider (IdP) performs a service that sends information about a user to an application. This information is typically held in a user store, so an identity provider will often take that information and transform it to be able to be passed to the service providers, AKA apps. The OASIS organization, which is responsible for the SAML specifications, defines an IdP as “A kind of SP that creates, maintains, and manages identity information for principals and provides principal authentication to other SPs within a federation, such as with web browser profiles.” IAM Reference Architecture
Identity Provider (IdP) The party that manages the subscriber’s primary authentication credentials and issues assertions derived from those credentials. This is commonly the CSP as discussed within this article. Defining the Problem – Identity Proofing Challenges
Identity Register This is the datastore that contains the enrolled entities and their attributes, including credentials. See the IDM section for elaboration. The terms Directory, Identity Repository, and Attribute Store are sometimes used as synonyms. IAM Reference Architecture
Identity Repository The identity repository is a directory or a database that can be referenced by external systems and services (such as authentication or authorization services). User Provisioning in the Enterprise
Identity Theft Law Laws governing crimes in which the perpetrator gains access to sensitive personal information belonging to the victim (such as birth dates, passwords, email addresses, driver's license numbers, social security numbers, financial records, etc.), and then uses this information to impersonate the victim for personal gain, such as to commit fraud, establish credit in the victim’s name, or access the victim’s accounts. Laws Governing Identity Systems
Impersonation A scenario where a user is able to perform actions as though they are a known user other than themself. Managing Identity in Customer Service Operations
Infrastructure-as-code the process of managing and provisioning computer data centers through machine-readable definition files rather than physical hardware configuration or interactive configuration tools. Techniques To Approach Least Privilege
Internet Key Exchange (IKE) A subordinate standard under IPsec specifying how to use X.509 certificates to establish symmetric keys for an IPsec tunnel. Practical Implications of Public Key Infrastructure for Identity Professionals
Internet Protocol Security (IPsec) A standard for communication between two machines providing confidentiality and integrity over the Internet Protocol. Practical Implications of Public Key Infrastructure for Identity Professionals
Intra-organizational (Single Sign-On) A central digital identity, such as an account in a directory, is linked by downstream systems as authoritative for authentication. An Overview of the Digital Identity Lifecycle (v2)
Inter-organizational (Federation) An organization relies on another organization’s digital identity and lifecycle management processes. An Overview of the Digital Identity Lifecycle (v2)
Internal identifier The way an identity management system refers to a digital identity Identifiers and Usernames
Issuer The entity that issues verifiable credentials about subjects to holders. Issuers are typically a government entity or corporation, but an issuer can also be a person or device. A Peek into the Future of Decentralized Identity
Joiner/Mover/Leaver The joiner/mover/leaver lifecycle of an employee identity considers three stages in the life cycle: joining the organization, moving within the organization, and leaving the organization. Introduction to Identity - Part 1: Admin-time (v2)
Journey-based Creation The process that guides a customer through a series of interactions prior to establishing a digital identity. For example, capturing the minimum basic information needed from a customer to enable creation of an identity. An Overview of the Digital Identity Lifecycle (v2)
Just-in-time (JIT) Access a technique where a credential or a permission is granted to a principal for a temporary timeframe when they need the permission to perform an activity. Access is revoked once the activity is complete, limiting its usage. Techniques To Approach Least Privilege
Key In a cryptosystem, a Key is a piece of information used to encrypt or decrypt data in a cryptographic algorithm. Practical Implications of Public Key Infrastructure for Identity Professionals
Knowledge-Based Authentication (KBA) A method of authentication that uses information known by both the end-user and the authentication service but is not necessarily a secret. Account Recovery (v2), Managing Identity in Customer Service Operations
Knowledge-Based Authentication (KBA) Identity-verification method based on knowledge of private information associated with the claimed identity. This is often referred to as knowledge-based verification (KBV) or knowledge-based proofing (KBP). Defining the Problem – Identity Proofing Challenges
Least Privilege Also known as the Principle of Least Privilege; a resource, such as a user, must only be able to access the resources (e.g., applications, data) that are necessary for it to function.
MFA Prompt Bombing Also known as MFA fatigue, MFA prompt bombing is a cyber-attack technique in which an attacker bombards a user with mobile-based push notifications; this sometimes leads the user to approve the request out of annoyance, which can result in an account takeover. Multi-factor Authentication
Multi-Factor Authentication (MFA) User Provisioning in the Enterprise
Registration See Enrollment. Defining the Problem – Identity Proofing Challenges
Registration Authority (RA) An individual, system, or business function which provides registration and identity proofing for entities receiving certificates and manages the certificate issuance and renewal process. The most important responsibilities of an RA include identity proofing and binding the private key to the identity. Practical Implications of Public Key Infrastructure for Identity Professionals
Relying Party (RP) A component, system, or application that uses the IDP to identify its users. The RP has its own resources and logic. Note that the term ‘relying service’ is used in the ISO/IEC standards to encompass all types of components that use identity services, including systems, sub-systems, and applications, independent of the domain or operator. We will use the more common Relying Party (or RP). An RP roughly corresponds to the Agency Endpoint in the FICAM model or to Identity Consumers in the Internet2 model. IAM Reference Architecture
Remote In the context of remote authentication or remote transaction, an information exchange between network-connected devices where the information cannot be reliably protected end to end by a single organization’s security controls. Defining the Problem – Identity Proofing Challenges
Resource or Object An asset protected by access controls, such as an application, system, or door. Practical Implications of Public Key Infrastructure for Identity Professionals
Subscriber A party enrolled in the CSP identity service. Defining the Problem – Identity Proofing Challenges
System Account A generic term for a privileged account that has extensive permissions that enable system configuration changes. Non-Human Account Management (v2)
Task Lowest level of defined activity; multiple tasks will typically be grouped into stages of project phases. Introduction to Project Management for IAM Projects
Threat Modeling Threat modeling is an analysis technique used to help identify threats, attacks, vulnerabilities, and countermeasures that could impact an application or process. Account Recovery (v2), Designing MFA for Humans
Tort Law The body of law that covers situations where one person’s behavior causes injury, suffering, unfair loss, or harm to another person, giving the injured person (or the person suffering damages) a right to bring a civil lawsuit for compensation from the person who caused the injury. Examples include battery, fraud, defamation, negligence, and strict liability. Laws Governing Identity Systems
Transport Layer Security (“TLS”) A cryptographic protocol designed to provide confidentiality and integrity of communications between two endpoints. Practical Implications of Public Key Infrastructure for Identity Professionals
Trust Federation A trust framework between multiple entities with the purpose of leveraging identity and access management information in a controlled fashion. Introduction to Identity – Part 2: Access Management
Trust Framework This component represents the legal, organizational, and technical apparatus that enables trust between the IDM and the RPs. IAM Reference Architecture
Trust Root A technical structure that provides the IDP and RP the ability to recognize each other with a high degree of certainty. This is similar to the concept of Trust Anchor (NIST SP.800-63-3), but we allow for a structure that relies on a mutually agreed-upon third party. A trust root derives from the operation of a Trust Framework. IAM Reference Architecture
Two-Factor Authentication (2FA) A specific case of Multi-Factor Authentication (see: IDPro’s Consolidated Terminology) where two factors must be checked to validate a user’s identity. Designing MFA for Humans
Universal Resolver An identifier resolver that works with any decentralized identifier system through DID drivers. The purpose of a universal resolver is to return a DID document containing DID metadata when given a specific DID value. This capability is very useful because DIDs can be anchored on any number of disparate dPKI implementations. A Peek into the Future of Decentralized Identity
User or Subject a person or entity who may receive access within an access control system. Introduction to Policy-Based Access Controls (v2)
User Agent A user agent is any software that retrieves, renders, and facilitates end-user interaction with Web content. Cloud Service Authenticates Via Delegation – SAML
User Provisioning The means by which user accounts are created, maintained, and deactivated/deleted in a system according to defined policies. User Provisioning in the Enterprise
User Provisioning and Lifecycle Management How user records get where they need to be, but only for as long as they are needed. Introduction to Identity - Part 1: Admin-time (v2)
Username A common term used for an external identifier. Identifiers and Usernames
Username An identifier unique to the authentication service used in conjunction with a shared secret to authenticate a user. Account Recovery (v2), Managing Identity in Customer Service Operations
Validator An entity that verifies a certificate and confirms that the other party controls the private key in the transaction. Practical Implications of Public Key Infrastructure for Identity Professionals
Verifiable Credentials Attestations that an issuer makes about a subject. Verifiable credentials are digitally signed by the issuer. A Peek into the Future of Decentralized Identity
Verifiable Presentations The packaging of verifiable credentials, self-issued attestations, or other such artifacts that are then presented to verifiers for verification. Verifiable presentations are digitally signed by the holder and can encapsulate all the information that a verifier is requesting in a single package. This is also the place where holders can describe the specific terms of use under which the presentation is performed. A Peek into the Future of Decentralized Identity
Verifier The entity that verifies verifiable credentials so that it can provide services to a holder. A Peek into the Future of Decentralized Identity
Workforce Framework An outline of the job categories, work roles, and competency models needed to execute workforce planning. Identity and Access Management Workforce Planning
Workforce Planning Activities that ensure an organization has the right talent to execute business and technical objectives. Identity and Access Management Workforce Planning
X.509 An ISO standard from the X.500 series that defines the basic rules for encoding public key certificates. Practical Implications of Public Key Infrastructure for Identity Professionals
Zero Standing Privilege (ZSP) A state where JIT access is used for all permissions and no long-standing permissions are assigned to principals. Techniques To Approach Least Privilege
Zero Trust From NIST Draft Special Publication 800-207, “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet).” Introduction to Identity – Part 2: Access Management