From nobody Thu Aug 5 05:39:34 2004
From: trustbar@mozdev.org
To: trustbar@mozdev.org
Date: Thu, 05 Aug 2004 12:15:45 +0200
Subject: [TrustBar] test message

--
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & security)
Mirror site: http://www.mfn.org/~herzbea/

Content-Type: text/x-vcard; charset=utf-8; name="herzbea.vcf"

begin:vcard
fn:Amir Herzberg
n:Herzberg;Amir
org:Bar Ilan University;Computer Science
adr:;;;Ramat Gan ;;52900;Israel
email;internet:herzbea@cs.biu.ac.il
title:Associate Professor
tel;work:+972-3-531-8863
tel;fax:+972-3-531-8863
x-mozilla-html:FALSE
url:http://AmirHerzberg.com , mirror: http://www.mfn.org/~herzbea/
version:2.1
end:vcard

From nobody Fri Aug 27 04:14:27 2004
From: trustbar@mozdev.org
To: trustbar@mozdev.org
Date: Fri, 27 Aug 2004 11:05:43 +0200
Subject: [TrustBar] Test-drive TrustBar open source anti-spoofing/phishing tool

TrustBar (http://TrustBar.MozDev.org) is a Mozilla extension that appears as a bar at the top of every Mozilla browser window, containing site identification by name/logo of the site's owner and of the certifying authority (the entity that identified that owner of the site), or a warning `This site is not protected` for unprotected sites (where TrustBar cannot securely identify the owner). This should help protect users against spoofing and phishing attacks, which usually use unprotected sites which appear like the correct login sites.

We have been using our prototype personally for some time and it seems to work well on several platforms, so we now want to offer it to experienced, security-aware users, for feedback and improvements; our development is open code so you can also take our code as basis to your own design. Download and see more info at http://TrustBar.MozDev.org.

--
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & security)
Mirror site: http://www.mfn.org/~herzbea/

From nobody Fri Aug 27 05:03:50 2004
From: trustbar@mozdev.org
To: trustbar@mozdev.org
Date: Fri, 27 Aug 2004 09:46:33 +0100
Subject: Re: [TrustBar] Test-drive TrustBar open source anti-spoofing/phishing tool

Congratulations!

I poked around on the site and found the Installation page. Am I to gather that I should click _here_ where it says, and it does it all automatically?

When I did it in Konqueror - thinking I could download first - that didn't help!

So firing up Firefox, and trying that, it does nothing, and the JavaScript console says that it is void, whatever that means.

trustbar@mozdev.org wrote:

> TrustBar (http://TrustBar.MozDev.org) is a Mozilla extension that
> appears as a bar at the top of every Mozilla browser window, containing
> site identification by name/logo of the site's owner and of the
> certifying authority (the entity that identified that owner of the
> site), or a warning `This site is not protected` for unprotected sites
> (where TrustBar cannot securely identify the owner). This should help
> protect users against spoofing and phishing attacks, which usually use
> unprotected sites which appear like the correct login sites.
>
> We have been using our prototype personally for some time and it seems
> to work well on several platforms, so we now want to offer it to
> experienced, security-aware users, for feedback and improvements; our
> development is open code so you can also take our code as basis to your
> own design. Download and see more info at http://TrustBar.MozDev.org.

From nobody Fri Aug 27 05:14:16 2004
From: trustbar@mozdev.org
To: trustbar@mozdev.org
Date: Fri, 27 Aug 2004 09:57:10 +0100
Subject: [TrustBar] anonymous posting?

Amir, you seem to have the list set up for anonymous posting?!

And I forgot to put on my sig, so it worked well. Anyway, FTR, the previous message came from me.

iang

trustbar@mozdev.org allegedly wrote:

> Congratulations!

From nobody Fri Aug 27 05:55:07 2004
From: Amir Herzberg
To: trustbar@mozdev.org, Ian Grigg, ahmad gbara
Date: Fri, 27 Aug 2004 12:46:07 +0200
Subject: Re: [TrustBar] Test-drive TrustBar open source anti-spoofing/phishing tool

Ian, thanks. I've removed the anonymous posting option for now so your future mails should be with the sender's e-mail - I don't particularly like the idea of hiding sender's address to hide from spam anyway.

Yes, installation is as easy as `click here`, but - currently TrustBar is a Mozilla extension, so it definitely shouldn't be used on other browsers. We can probably extend to Firefly, but I think it's best someone else take the lead in providing similar functionality for other browsers, possibly of course using our code as a starting point. Hope you can try on Mozilla.

Ahmad, please mention the fact we currently require Mozilla in our download pages...

Best, Amir Herzberg

trustbar@mozdev.org wrote:

> Congratulations!
>
> I poked around on the site and found the Installation
> page. Am I to gather that I should click _here_ where
> it says, and it does it all automatically?
>
> When I did it in Konqueror - thinking I could download
> first - that didn't help!
>
> So firing up Firefox, and trying that, it does nothing,
> and the JavaScript console says that it is void, whatever
> that means.
>
> trustbar@mozdev.org wrote:
>
>> TrustBar (http://TrustBar.MozDev.org) is a Mozilla extension that
>> appears as a bar at the top of every Mozilla browser window,
>> containing site identification by name/logo of the site's owner and of
>> the certifying authority (the entity that identified that owner of the
>> site), or a warning `This site is not protected` for unprotected sites
>> (where TrustBar cannot securely identify the owner). This should help
>> protect users against spoofing and phishing attacks, which usually use
>> unprotected sites which appear like the correct login sites.
>>
>> We have been using our prototype personally for some time and it seems
>> to work well on several platforms, so we now want to offer it to
>> experienced, security-aware users, for feedback and improvements; our
>> development is open code so you can also take our code as basis to
>> your own design. Download and see more info at
>> http://TrustBar.MozDev.org.

--
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & security)
Mirror site: http://www.mfn.org/~herzbea/

From nobody Fri Aug 27 06:51:33 2004
From: Ian Grigg
To: trustbar@mozdev.org
Date: Fri, 27 Aug 2004 11:34:18 +0100
Subject: Re: [TrustBar] Test-drive TrustBar open source anti-spoofing/phishing tool

Amir (resend),

Amir Herzberg wrote:

> Yes, installation is as easy as `click here`, but - currently TrustBar is a Mozilla extension, so it definitely shouldn't be used on other browsers. We can probably extend to Firefly, but I think it's best someone else take the lead in providing similar functionality for other browsers, possibly of course using our code as a starting point. Hope you can try on Mozilla.

You do understand that FireFox is the *replacement* for Mozilla? I.e., Mozilla split into the Thunderbird mailer and the FireFox browser, and everyone is moving to these two and gradually migrating away from Mozilla?

> Ahmad, please mention the fact we currently require Mozilla in our download pages...

Also, can you list the paper on the page?

iang

From nobody Fri Aug 27 07:43:26 2004
From: Ian Grigg
To: Amir Herzberg
Cc: trustbar@mozdev.org, ahmad gbara
Date: Fri, 27 Aug 2004 11:30:30 +0100
Subject: Re: [TrustBar] Test-drive TrustBar open source anti-spoofing/phishing tool

Amir Herzberg wrote:

> Yes, installation is as easy as `click here`, but - currently TrustBar
> is a Mozilla extension, so it definitely shouldn't be used on other
> browsers. We can probably extend to Firefly, but I think it's best
> someone else take the lead in providing similar functionality for other
> browsers, possibly of course using our code as a starting point. Hope
> you can try on Mozilla.

You do understand that FireFox is the *replacement* for Mozilla? I.e., Mozilla split into the Thunderbird mailer and the FireFox browser, and everyone is moving to these two and gradually migrating away from Mozilla?

> Ahmad, please mention the fact we currently require Mozilla in our
> download pages...

Also, can you list the paper on the page?

iang

From nobody Fri Aug 27 07:46:49 2004
From: Amir Herzberg
To: Ian Grigg
Cc: trustbar@mozdev.org, ahmad gbara, Amir Herzberg
Date: Fri, 27 Aug 2004 14:38:05 +0200
Subject: Re: [TrustBar] Test-drive TrustBar open source anti-spoofing/phishing tool

Ian Grigg wrote:

> You do understand that FireFox is the *replacement*
> for Mozilla? I.e., Mozilla split into the Thunderbird
> mailer and the FireFox browser, and everyone is moving
> to these two and gradually migrating away from Mozilla?

Well, I guess we should move to Firefly as well...

>> Ahmad, please mention the fact we currently require Mozilla in our
>> download pages...
>
> Also, can you list the paper on the page?

It is actually mentioned now but a bit obscurely. Ahmad, can you change this into proper reference (put name of paper with the link)...

> iang

--
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & security)
Mirror site: http://www.mfn.org/~herzbea/

From nobody Sat Jan 1 05:37:23 2005
From: Ian G
To: trustbar@mozdev.org
Date: Sat, 01 Jan 2005 10:39:17 +0000
Subject: [TrustBar] Netcraft breaks ranks and points the crooked black claw of doom at the SSL security model

For those not watching my blog, here is what I think to be a remarkably different approach to addressing phishing from Netcraft. It competes quite well with the trustbar approach; if the paper's not in 'final' it might be worth a small section on its alternate use of a centralised database and intention to create a feedback mechanism into that database by the users.

iang

-------- Original Message --------

Financial Cryptography Update: Netcraft breaks ranks and points the crooked black claw of doom at the SSL security model

December 30, 2004

------------------------------------------------------------------------
http://www.financialcryptography.com/mt/archives/000287.html
------------------------------------------------------------------------

In a show of remarkable adeptness, Netcraft have released an anti-phishing plugin for IE. Firefox is coming, so they say. This was exciting enough to make it on Slashdot, as David at Mozilla pointed out to me.

http://news.netcraft.com/archives/2004/12/28/netcraft_antiphishing_toolbar_available_for_download.html
http://slashdot.org/article.pl?sid=04/12/30/146245

There are now dozens of plugins floating around designed to address phishing. (If that doesn't say this is a browser issue, I don't know what will. Yes, the phish are growing wings and trialling cell phones, pagers and any other thing they can get at, but the main casting action is still a browser game.) The trustbar one is my favourite, although it doesn't work on my Firefox.

So, what about Netcraft? Well, it's quite inspired. Netcraft have this big database of all the webservers in existence, and quite a few that are not. The plugin simply pops on over to the Netcraft database and asks for the vital stats on that website.

Well, hey ho! Why didn't we think of that?

There's a very good reason why not. Several in fact.

Firstly, this puts Netcraft into your browser in an important position; if they succeed at this, then they have entrée into the user's hearts and minds. That means some sort of advertising revenue model, etc etc, as clearly permitted in their licence. Or worse, like their own little spyware programs which may or may not be permitted under their Privacy clause. (So one reason we didn't think of that is because we all hate advertising models ... just so we're clear on that point!)

But more interesting is that Netcraft is a player in the security industry. At least, they are a collector of CA and SSL statistics, and their reports sell for mighty big bucks. So one might expect them to pay attention to those suggestions that supported the SSL industry, like the ones that I frequently propose. But, no.

What they have done is completely bypassed the SSL security model and crafted a new one based on a database of known information. If one has followed the CA security debate, it bears a stunning similarity to the notions of what we'd do if we were attempting to fix the model. It's the endgame: to fix the revocation problem you add online checking which means you don't need the CAs any more. Boom.

If Netcraft succeeds in this approach (and there is no reason why others can't copy it!) then we don't need CAs any more. Well, that's not quite true, what this implies is that Netcraft just became a CA. But, they are a CA according to their rules, not those historical artifacts popularised by accounting entities such as WebTrust.

So it's another way to become a CA: give away the service for free, acquire the user base, and figure out how to charge for it later. A classic dotcom boom strategy, right? Bypass the browser policy completely because they are struggling under the weight of the WebTrust legacy, and can't see the wood for the trees.

(Now, some will be scratching their heads about the apparent lack of a cert in the plugin. Don't worry, that's an implementation detail. They can add that later, for now they offer a free certificate service with no cert. Think of the upgrade potential here. The important thing is to see if this works as a *business* model first.)

So this takes aim at the very group that they sell reports to. Of course, the people who want to buy reports on certificate use are the CAs, and their various suppliers of CA toolkits. That's why it's a significant event. (And another reason why we didn't think of it!)

Netcraft have obviously worked out several things: the CAs are powerless to do anything about phishing, and that's a much bigger revenue stream than a few boring reports. Further, the security model is stagnant at best and a crock at worst, so why not try something new?

And, the browser manufacturers aren't playing their part, with nary a one admitting that the problem is in their patch. So their users are also vulnerable to a takeover by someone with some marketing and security sense.

Well done Netcraft, is all I can say! Which is to say that I have no idea whether the plugin itself will work as advertised. But the concept, now, that's grand!

--
News and views on what matters in finance+crypto:
http://financialcryptography.com/

From nobody Tue Feb 15 07:10:14 2005
From: Duane
To: trustbar@mozdev.org
Date: Tue, 15 Feb 2005 23:04:51 +1100
Subject: [TrustBar] [Fwd: Re: Low assurance SSL CAs]

Someone suggested I post my ideas in the hope they might be incorporated into this plug-in...

There is a discussion going on in the Netscape news groups at present over how current browser security is binary, either on or off in the form of seeing a lock or no lock. My thinking is that this isn't good enough, and there is no standard way to represent different grades of how much trust should be put into certificate providers.

Even though some providers have "Class 1/2/3" on their root certificate this isn't standardised in any way, even web trust doesn't sanitise the information on root certificates, it judges what's listed in CPS documents and verifies they match the CA practice.

Below are my suggestions on how it might be better handled. The question I have is, are my ideas feasible at all?

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

Content-Type: message/rfc822; name="Re: Low assurance SSL CAs"

From: Duane
Newsgroups: netscape.public.mozilla.crypto
Subject: Re: Low assurance SSL CAs
Date: Tue, 15 Feb 2005 21:50:55 +1100

Nelson Bolyard wrote:

> I think we (er, MF) *could*, if MF was willing to require, in its CA cert
> policy, that CAs for SSL and Code Signing must use a specified minimum
> level of authentication in the issuance of those certs. But presently,
> it seems the policy is willing to give any WebTrust-attested CA whatever
> trust bits they request. So, at the moment, no, I cannot say it is still
> the case.

To kill 2 birds with one stone I'll respond to Julian's posting as well...

Is it a safe assumption to make that generally while the class system is mostly informational and that it is slightly standardised, or worst case someone could make a judgement to sanitise the CAs slightly based on their own CPS. I do realise this would require a fair bit of work for someone, or maybe hassle the CAs for the information and their own sanitising otherwise they get set to class one equivalency until they do provide the information to the contrary.

Nelson, I'm guessing you'd be a good person to make lines in the sand as to what is and what isn't acceptable, for example.
Perhaps the current class system isn't granular enough, and we need to have classes 0 to 10, to better describe how much trust you should put in each CA root certificate based on the policies they issue certificates for.

Perhaps instead of using the existing class system and confusing things more come up with a different naming scheme, like IDVL (IDentity Verification Level), so this strictly relates to how well or how poorly each CA does verification checking on each type of certificate issued under what root certificate.

No verification = IDVL 0
email only verification = IDVL 1
faxed in verification (photo copied ID etc) = IDVL 2
web of trust like CAcert runs with in person meetings and formalised documentation and policies = IDVL 3
public notary and original documents sent in or meet in person at the CA office = IDVL 4
police ID check = IDVL 5
government/military background checking via police and other sources = IDVL 6

Basically anything exceeding the above checks would be rounded down to the closest variation, these are only example suggestions and they may be too strict or too loose, I'll leave the specifics up to someone else to comment on, however if we get some balance that everyone mostly agrees on, even if it isn't implemented in the browser itself could it be implemented as a plug-in? (more below)

> Yes. I very much wish we could get the UI czars for FF/TB engaged in
> the discussions in n.p.m.security, but I'm not optimistic.

Ignoring the main interface, how hard/easy would it be to do something like this as a plug-in instead? Or maybe this is something someone can make to incorporate both (Ian?) have a system of interacting with the root certs, and based on finger print of the root certs have a stored set of information (something like the above IDVL examples), after judging the CPS (see above) and then have it show information on the chrome etc... If the main developers don't want to do it surely there is someone that can?
Obviously if a user wishes to bump a CA into a different category they should be allowed to, the whole point of suggesting all this is to give more decision making power to the user. Perhaps this plug-in could also track certificate finger prints and do warnings if they change, or allow the new finger print to also be added to the plug-in database as also acceptable... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers "In the long run the pessimist may be proved right, but the optimist has a better time on the trip." --------------000906020203050703030203-- From nobody Tue Feb 15 07:33:17 2005 Received: (qmail 42639 invoked from network); 15 Feb 2005 12:32:44 -0000 Received: from mailgate.enhyper.com (HELO www.enhyper.com) (62.49.250.18) by mozdev.org with SMTP; 15 Feb 2005 12:32:44 -0000 Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id j1FDRTr02245; Tue, 15 Feb 2005 13:27:45 GMT X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol Message-ID: <4211EBD5.8040301@iang.org> Date: Tue, 15 Feb 2005 12:32:21 +0000 From: Ian G Organization: http://iang.org/ User-Agent: Mozilla Thunderbird 1.0 (X11/20050108) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Duane Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> In-Reply-To: <4211E563.1060803@cacert.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Feb 2005 12:32:44 -0000

Duane wrote:
> My thinking is that this isn't good enough, and there is no standard
> way to represent different grades of how much trust should be put into
> certificate providers. Even though some providers have "Class 1/2/3"
> on their root certificate this isn't standardised in any way, even web
> trust doesn't sanitise the information on root certificates, it judges
> what's listed in CPS documents and verify they match the CA practise.
> Below is my suggestions on how it might be better handled.

Assume N levels of "trust". Instead of directly looking at that, can you suggest anywhere where such a scheme exists?

Is there an analogue? More points if the scheme is run outside the 'public sector' a.k.a. government and outside any other centralised agency.

iang

>
> No verification = IDVL 0
> email only verification = IDVL 1
> faxed in verification (photo copied ID etc) = IDVL 2
> web of trust like CAcert runs with in person meetings and formalised
> documentation and policies = IDVL 3
> public notary and original documents sent in or meet in person at the
> CA office = IDVL 4
> police ID check = IDVL 5
> government/military background checking via police and other sources =
> IDVL 6

--
News and views on what matters in finance+crypto: http://financialcryptography.com/

From nobody Tue Feb 15 07:38:45 2005 Received: (qmail 43448 invoked from network); 15 Feb 2005 12:38:12 -0000 Received: from mail.aus-biz.com (HELO wodka.aus-biz.com) (204.209.140.71) by mozdev.org with SMTP; 15 Feb 2005 12:38:12 -0000 Received: by wodka.aus-biz.com (Postfix, from userid 65534) id C60472CA2BC; Tue, 15 Feb 2005 05:34:06 -0700 (MST) Received: from [192.168.99.112] (192-172-93-202.dsl.nbdsl.net [202.93.172.192]) by wodka.aus-biz.com (Postfix) with ESMTP id CA9602CA2BA; Tue, 15 Feb 2005 05:34:01 -0700 (MST) Message-ID: <4211EC0F.8070608@cacert.org> Date: Tue, 15 Feb 2005 23:33:19
+1100 From: Duane User-Agent: Mozilla Thunderbird 1.0 (X11/20041218) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ian G , trustbar@mozdev.org Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> <4211EBD5.8040301@iang.org> In-Reply-To: <4211EBD5.8040301@iang.org> X-Enigmail-Version: 0.90.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on wodka.aus-biz.com X-Spam-Level: X-Spam-Status: No, score=-2.3 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.2 Cc: X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Feb 2005 12:38:12 -0000

Ian G wrote:
> Assume N levels of "trust". Instead of directly
> looking at that, can you suggest anywhere where
> such a scheme exists?
>
> Is there an analogue? More points if the scheme
> is run outside the 'public sector' a.k.a. government
> and outside any other centralised agency.

bit hard to make direct comparisons with this since email doesn't generally exist off the net...

but yes there are similar systems...

signing up to a university course in Australia requires minimum levels of ID checking...

signing up for a drivers license needs a little more

signing up for a passport generally requires more

signing up for a bank account leverages passport and drivers license or other govt id...

--
Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers "In the long run the pessimist may be proved right, but the optimist has a better time on the trip." From nobody Tue Feb 15 07:48:47 2005 Received: (qmail 44546 invoked from network); 15 Feb 2005 12:48:14 -0000 Received: from mailgate.enhyper.com (HELO www.enhyper.com) (62.49.250.18) by mozdev.org with SMTP; 15 Feb 2005 12:48:14 -0000 Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id j1FDgnr02333; Tue, 15 Feb 2005 13:42:56 GMT X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol Message-ID: <4211EF6D.5010807@iang.org> Date: Tue, 15 Feb 2005 12:47:41 +0000 From: Ian G Organization: http://iang.org/ User-Agent: Mozilla Thunderbird 1.0 (X11/20050108) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Duane Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> <4211EBD5.8040301@iang.org> <4211EC0F.8070608@cacert.org> In-Reply-To: <4211EC0F.8070608@cacert.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Feb 2005 12:48:15 -0000 Duane wrote: > Ian G wrote: > >> Assume N levels of "trust". Instead of directly >> looking at that, can you suggest anwhere where >> such a scheme exists? >> >> Is there an analogue? More points if the scheme >> is run outside the 'public sector' a.k.a. government >> and outside any other centralised agency. > > > bit hard to make direct comparisons with this since email doesn't > generally exist off the net... > > but yes there are similar systems... 
> > signing up to a university course in Australia requires minimum levels > of ID checking... > > signing up for a drivers license needs a little more > > signing up for a passport generally requires more > > signing up for a bank account leverage's passport and drivers license > or other govt id... No, I'd say not. Each of those systems use their own metrics, you can't generally rate them as 1 - n. In fact, each go to a great extent to decide on their own ways of doing things, so much so that often, due diligence from one place is worthless in another place. Also, bear in mind that for examples 1, 4, the relying party is the institution doing the checking, whereas for CAs, the relying party is some other user. So one could look at DLs and passports, but they are government run. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ From nobody Tue Feb 15 08:09:49 2005 Received: (qmail 48666 invoked from network); 15 Feb 2005 13:09:16 -0000 Received: from mail.aus-biz.com (HELO wodka.aus-biz.com) (204.209.140.71) by mozdev.org with SMTP; 15 Feb 2005 13:09:16 -0000 Received: by wodka.aus-biz.com (Postfix, from userid 65534) id CBAFD2CA2D3; Tue, 15 Feb 2005 06:05:10 -0700 (MST) Received: from [192.168.99.112] (192-172-93-202.dsl.nbdsl.net [202.93.172.192]) by wodka.aus-biz.com (Postfix) with ESMTP id D3EBE2CA2CF; Tue, 15 Feb 2005 06:05:06 -0700 (MST) Message-ID: <4211F358.8000005@cacert.org> Date: Wed, 16 Feb 2005 00:04:24 +1100 From: Duane User-Agent: Mozilla Thunderbird 1.0 (X11/20041218) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ian G , trustbar@mozdev.org Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> <4211EBD5.8040301@iang.org> <4211EC0F.8070608@cacert.org> <4211EF6D.5010807@iang.org> In-Reply-To: <4211EF6D.5010807@iang.org> X-Enigmail-Version: 0.90.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed 
Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on wodka.aus-biz.com X-Spam-Level: X-Spam-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.2 Cc: X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Feb 2005 13:09:16 -0000

Ian G wrote:
> In fact, each go to a great extent to decide on
> their own ways of doing things, so much so that
> often, due diligence from one place is worthless
> in another place.

My ID wasn't even checked (ever) by the Uni I attended... They accepted as valid the information I provided to them.

> Also, bear in mind that for examples 1, 4, the
> relying party is the institution doing the checking,
> whereas for CAs, the relying party is some other
> user. So one could look at DLs and passports,
> but they are government run.

In this case there is a common entity/database... the browser...

In the case of my passport (less than 2 years ago) it wasn't done in person at the govt office (it's done via the post office), I gave them a bunch of info on a form and had someone sign the back of my passport photo stating it was a valid likeness to me... The guy at the post office again never checked my ID to verify any information I was submitting (obviously the photos could be quickly compared against me)...

Drivers licenses are always fun, birth certificate + someone declaring that they know me and think I'm fit to be on the road, and my birth certificate isn't exactly recently issued, so by the time someone is 40 or 50 and had an easily faked birth certificate and stole someone's ID to forge the referring person you could literally exist without a trace...
We don't have a government wide system like SSN's, we do have tax file numbers (TFN's) but these are only for employment/income/social security, banking and taxation... Although they did try to bring in the Australia card in 1980ish which would have done the same thing as SSN's, but was thrown out at a referendum... You have to apply for a TFN when you turn 14 so you can start to work legally etc, it isn't automatically issued at birth... Banks solely have to rely on 3rd party information, and once you have a fake birth certificate and drivers license (you don't even have to supply TFN's to the bank, they just with-hold 48% tax after a certain threshold), you can get a bank account and well on your way to accruing enough personal ID to get a passport to go with it... But yea anyway these systems are perfectly secure *grin* not to mention the article in the papers a while back about screwing up passports, some woman of anglo origin ended up with the photo of an asian man on hers ;) -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers "In the long run the pessimist may be proved right, but the optimist has a better time on the trip." 
From nobody Tue Feb 15 08:30:39 2005 Received: (qmail 52013 invoked from network); 15 Feb 2005 13:30:04 -0000 Received: from mailgate.enhyper.com (HELO www.enhyper.com) (62.49.250.18) by mozdev.org with SMTP; 15 Feb 2005 13:30:04 -0000 Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id j1FDOtr02813; Tue, 15 Feb 2005 13:25:01 GMT X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol Message-ID: <4211F94B.2020107@iang.org> Date: Tue, 15 Feb 2005 13:29:47 +0000 From: Ian G Organization: http://iang.org/ User-Agent: Mozilla Thunderbird 1.0 (X11/20050108) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Duane Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> <4211EBD5.8040301@iang.org> <4211EC0F.8070608@cacert.org> <4211EF6D.5010807@iang.org> <4211F358.8000005@cacert.org> In-Reply-To: <4211F358.8000005@cacert.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Feb 2005 13:30:06 -0000 Duane wrote: > Ian G wrote: > >> In fact, each go to a great extent to decide on >> their own ways of doing things, so much so that >> often, due diligence from one place is worthless >> in another place. > > > My ID wasn't even checked (ever) by the Uni I attended... The accepted > as valid the information I provided to them. Well, is that quite true? Normally to get into Uni you have to show passed some standardised tests, and show school grades. That's Id. The fact that someone else might have walked in and got your degree in your name doesn't change that. 
You have your idea about what Id is but that's not relevant, what's important is whether the Uni approves ...

Consider someone steals your identity, goes and gets a PhD in astrophysics, and then what? Are you ... unhappy about that? Different standards for different purposes.

>> Also, bear in mind that for examples 1, 4, the
>> relying party is the institution doing the checking,
>> whereas for CAs, the relying party is some other
>> user. So one could look at DLs and passports,
>> but they are government run.
>
>
> In this case there is a common entity/database... the browser...
>
> In the case of my passport (less than 2 years ago) it wasn't done in
> person at the govt office (it's done via the post office), I gave them
> a bunch of info on a form and had someone sign the back of my passport
> photo stating it was a valid likeness to me... The guy at the post
> office again never checked my ID to verify any information I was
> submitting (obviously the photos could be quickly compared against me)...

Huh. I thought they were supposed to take you through a series of questions.

Well, OK. So with any given system there are weaknesses! Let's not get distracted: passports are federally controlled although certain aspects might be outsourced.

> But yea anyway these systems are perfectly secure *grin* not to
> mention the article in the papers a while back about screwing up
> passports, some woman of anglo origin ended up with the photo of an
> asian man on hers ;)

Right. So the point is here: if you require a centralised system, then you end up with a system that doesn't do what you thought it would.

So the challenge is to find a system that is not centralised. This is a 'known problem' in computer science, and it's not solved by asking someone else to solve it ;) You might like to look at the following essay:

http://zooko.com/distnames.html

This is known as Zooko's Triangle.
iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ From nobody Tue Feb 15 08:45:07 2005 Received: (qmail 54228 invoked from network); 15 Feb 2005 13:44:34 -0000 Received: from mail.aus-biz.com (HELO wodka.aus-biz.com) (204.209.140.71) by mozdev.org with SMTP; 15 Feb 2005 13:44:34 -0000 Received: by wodka.aus-biz.com (Postfix, from userid 65534) id 0C40F2CA2D6; Tue, 15 Feb 2005 06:40:29 -0700 (MST) Received: from wodka.aus-biz.com (localhost [127.0.0.1]) by wodka.aus-biz.com (Postfix) with ESMTP id 760C02CA2D4; Tue, 15 Feb 2005 06:40:26 -0700 (MST) Received: from 192-172-93-202.dsl.nbdsl.net ([202.93.172.192]) (SquirrelMail authenticated user postmaster@groth.net) by wodka.aus-biz.com with HTTP; Wed, 16 Feb 2005 00:40:26 +1100 (EST) Message-ID: <50819.202.93.172.192.1108474826.squirrel@wodka.aus-biz.com> In-Reply-To: <4211F94B.2020107@iang.org> References: <4211E563.1060803@cacert.org> <4211EBD5.8040301@iang.org> <4211EC0F.8070608@cacert.org> <4211EF6D.5010807@iang.org> <4211F358.8000005@cacert.org> <4211F94B.2020107@iang.org> Date: Wed, 16 Feb 2005 00:40:26 +1100 (EST) Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] From: "Duane" To: "Ian G" User-Agent: SquirrelMail/1.4.4 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on wodka.aus-biz.com X-Spam-Level: X-Spam-Status: No, score=-5.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.0.2 Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Feb 2005 13:44:35 -0000 On Wed, February 16, 2005 0:29, Ian G said: > Consider someone steals your identity, goes and > gets a PhD in astrophysics, and 
then what? Are
> you ... unhappy about that? Different standards
> for different purposes.

The point was they don't do any qualifying checks to cross reference the name on the results really is me...

> Right. So the point is here: if you require a
> centralised system, then you end up with a
> system that doesn't do what you thought it
> would.

And then they want to wrap it in biometrics to make it more secure?

> So the challenge is to find a system that is
> not centralised. This is a 'known problem'
> in computer science, and it's not solved by
> asking someone else to solve it ;) You might
> like to look at the following essay:

There is no point in decentralising it, if you do that we'll end up with a worse system than we currently have. We don't necessarily need a centralised system, just a metric that the CA policy for ID checks can be weighed against and if a user thinks it is unfair should be able to alter the weighting.

--
Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."
From nobody Tue Feb 15 09:55:59 2005 Received: (qmail 66498 invoked from network); 15 Feb 2005 14:55:27 -0000 Received: from mailgate.enhyper.com (HELO www.enhyper.com) (62.49.250.18) by mozdev.org with SMTP; 15 Feb 2005 14:55:27 -0000 Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id j1FEoFr03218; Tue, 15 Feb 2005 14:50:30 GMT X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol Message-ID: <42120D4B.8090903@iang.org> Date: Tue, 15 Feb 2005 14:55:07 +0000 From: Ian G Organization: http://iang.org/ User-Agent: Mozilla Thunderbird 1.0 (X11/20050108) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Duane Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> <4211EBD5.8040301@iang.org> <4211EC0F.8070608@cacert.org> <4211EF6D.5010807@iang.org> <4211F358.8000005@cacert.org> <4211F94B.2020107@iang.org> <50819.202.93.172.192.1108474826.squirrel@wodka.aus-biz.com> In-Reply-To: <50819.202.93.172.192.1108474826.squirrel@wodka.aus-biz.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Feb 2005 14:55:28 -0000 Duane wrote: >On Wed, February 16, 2005 0:29, Ian G said: > > >There is no point in decentralising it, if you do that we'll end up with a >worst system then we currently have. We don't necisarily need a >centralised system, just a metric that the CA policy for ID checks can be >weighed against and if a user thinks it is unfair should be able to alter >the weighting. 
> > The 'metric' has to be either centralised - agreed to some standard - or decentralised so the user judges it on a per-CA basis. Pick one! Standards based or per-CA? iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ From nobody Tue Feb 15 10:08:44 2005 Received: (qmail 75321 invoked from network); 15 Feb 2005 15:08:08 -0000 Received: from mail.aus-biz.com (HELO wodka.aus-biz.com) (204.209.140.71) by mozdev.org with SMTP; 15 Feb 2005 15:08:08 -0000 Received: by wodka.aus-biz.com (Postfix, from userid 65534) id DFB202CA238; Tue, 15 Feb 2005 08:04:02 -0700 (MST) Received: from [192.168.99.112] (192-172-93-202.dsl.nbdsl.net [202.93.172.192]) by wodka.aus-biz.com (Postfix) with ESMTP id BC59F2CA227; Tue, 15 Feb 2005 08:03:58 -0700 (MST) Message-ID: <42120F33.4090800@cacert.org> Date: Wed, 16 Feb 2005 02:03:15 +1100 From: Duane User-Agent: Mozilla Thunderbird 1.0 (X11/20041218) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ian G Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> <4211EBD5.8040301@iang.org> <4211EC0F.8070608@cacert.org> <4211EF6D.5010807@iang.org> <4211F358.8000005@cacert.org> <4211F94B.2020107@iang.org> <50819.202.93.172.192.1108474826.squirrel@wodka.aus-biz.com> <42120D4B.8090903@iang.org> In-Reply-To: <42120D4B.8090903@iang.org> X-Enigmail-Version: 0.90.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on wodka.aus-biz.com X-Spam-Level: X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.2 Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Feb 2005 15:08:09 
-0000 Ian G wrote: > The 'metric' has to be either centralised - > agreed to some standard - or decentralised > so the user judges it on a per-CA basis. Except in MS IE, I can turn off the CAs in my browsers, so even though it starts out centralised it can be over ridden (perhaps we're coming up with the same answer from different angles?) So basically my original email covered this, set of predefined settings, that the user is able to tweak after the fact... I can add to the list in MS IE, but I can't remove this isn't exactly an ideal situation that I want to be dealing with... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers "In the long run the pessimist may be proved right, but the optimist has a better time on the trip." 
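The scheme discussed in this thread (predefined IDVL ratings keyed by root certificate fingerprint, a user who can tweak them after the fact, and a warning when a site's certificate fingerprint changes) can be sketched as follows. This is an added example, not TrustBar code and not code posted by anyone on the list; the class and function names, the choice to treat an unrated root as IDVL 1, and every fingerprint and host name are assumptions or constructed sample values.

```javascript
// Added example (not TrustBar code). All fingerprints and host names are
// constructed sample values, not real certificates.

// IDVL scale as listed in the thread; the array index is the level.
const IDVL_LABELS = [
  "no verification",
  "email only verification",
  "faxed in verification (photocopied ID etc)",
  "web of trust with in-person meetings and formalised policies",
  "public notary / original documents / in person at the CA office",
  "police ID check",
  "government/military background checking",
];
const MAX_IDVL = IDVL_LABELS.length - 1;
const UNRATED_IDVL = 1; // assumption: an unrated root is treated as IDVL 1

// "Rounded down to the closest variation": 4.7 -> 4, anything above 6 -> 6.
function normalizeLevel(level) {
  if (typeof level !== "number" || !Number.isFinite(level)) {
    throw new TypeError("IDVL must be a finite number");
  }
  return Math.min(MAX_IDVL, Math.max(0, Math.floor(level)));
}

// Compare fingerprints as lower-case hex with ":" and whitespace removed.
function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/[:\s]/g, "").toLowerCase();
  if (hex.length === 0 || hex.length % 2 !== 0 || !/^[0-9a-f]+$/.test(hex)) {
    throw new Error("fingerprint is not hex: " + fp);
  }
  return hex;
}

class IdvlStore {
  constructor(shippedRatings) {
    this.shipped = new Map();   // root fingerprint -> predefined IDVL
    this.overrides = new Map(); // root fingerprint -> level chosen by the user
    this.siteCerts = new Map(); // host -> Set of accepted site fingerprints
    for (const [fp, level] of Object.entries(shippedRatings)) {
      this.shipped.set(normalizeFingerprint(fp), normalizeLevel(level));
    }
  }

  // The user can move a CA to another level; null restores the shipped value.
  setUserLevel(rootFp, level) {
    const key = normalizeFingerprint(rootFp);
    if (level === null) this.overrides.delete(key);
    else this.overrides.set(key, normalizeLevel(level));
  }

  // User override wins over the shipped rating, which wins over the default.
  rate(rootFp) {
    const key = normalizeFingerprint(rootFp);
    if (this.overrides.has(key)) return { level: this.overrides.get(key), source: "user" };
    if (this.shipped.has(key)) return { level: this.shipped.get(key), source: "shipped" };
    return { level: UNRATED_IDVL, source: "unrated" };
  }

  // Record what a connection presented. A fingerprint that differs from the
  // ones already accepted for the host is reported as "changed" and is NOT
  // stored until acceptFingerprint() is called.
  observe(host, siteFp, rootFp) {
    const name = host.toLowerCase();
    const fp = normalizeFingerprint(siteFp);
    const known = this.siteCerts.get(name);
    let status = "match";
    if (!known) {
      this.siteCerts.set(name, new Set([fp]));
      status = "first-seen";
    } else if (!known.has(fp)) {
      status = "changed";
    }
    const { level, source } = this.rate(rootFp);
    return { host: name, status, level, source, label: IDVL_LABELS[level] };
  }

  // The user confirms a changed fingerprint as also acceptable for the host.
  acceptFingerprint(host, siteFp) {
    const name = host.toLowerCase();
    if (!this.siteCerts.has(name)) this.siteCerts.set(name, new Set());
    this.siteCerts.get(name).add(normalizeFingerprint(siteFp));
  }
}

// Constructed walk-through; returns the results so they can be inspected.
function runDemo() {
  const ROOT_A = "AA:11:AA:11", ROOT_B = "bb22bb22", ROOT_UNKNOWN = "cc33cc33";
  const store = new IdvlStore({ [ROOT_A]: 4.7, [ROOT_B]: 1 });
  const out = [];
  out.push(store.observe("shop.example", "01:02:03:04", ROOT_A)); // first-seen, 4
  out.push(store.observe("shop.example", "01020304", ROOT_A));    // match
  out.push(store.observe("shop.example", "0a0b0c0d", ROOT_B));    // changed, 1
  out.push(store.observe("shop.example", "0a0b0c0d", ROOT_B));    // still changed
  store.acceptFingerprint("shop.example", "0a0b0c0d");
  out.push(store.observe("shop.example", "0a0b0c0d", ROOT_B));    // match
  store.setUserLevel(ROOT_B, 0);                                  // user demotes CA
  out.push(store.observe("shop.example", "0a0b0c0d", ROOT_B));    // level 0, user
  out.push(store.observe("new.example", "ffee", ROOT_UNKNOWN));   // unrated, 1
  return out;
}

console.log(runDemo().map((r) => `${r.host} ${r.status} IDVL ${r.level} (${r.source})`));
```

A changed site fingerprint that also chains to a lower-rated root, as in the third observation, is the case such a plug-in would most want to surface to the user.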
From nobody Tue Feb 15 10:54:22 2005 Received: (qmail 5257 invoked from network); 15 Feb 2005 15:53:46 -0000 Received: from mailgate.enhyper.com (HELO www.enhyper.com) (62.49.250.18) by mozdev.org with SMTP; 15 Feb 2005 15:53:46 -0000 Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id j1FFmer03564; Tue, 15 Feb 2005 15:48:45 GMT X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol Message-ID: <42121AFC.9080204@iang.org> Date: Tue, 15 Feb 2005 15:53:32 +0000 From: Ian G Organization: http://iang.org/ User-Agent: Mozilla Thunderbird 1.0 (X11/20050108) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Duane Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> <4211EBD5.8040301@iang.org> <4211EC0F.8070608@cacert.org> <4211EF6D.5010807@iang.org> <4211F358.8000005@cacert.org> <4211F94B.2020107@iang.org> <50819.202.93.172.192.1108474826.squirrel@wodka.aus-biz.com> <42120D4B.8090903@iang.org> <42120F33.4090800@cacert.org> In-Reply-To: <42120F33.4090800@cacert.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Feb 2005 15:53:47 -0000 Duane wrote: > Ian G wrote: > >> The 'metric' has to be either centralised - >> agreed to some standard - or decentralised >> so the user judges it on a per-CA basis. > > > Except in MS IE, I can turn off the CAs in my browsers, so even though > it starts out centralised it can be over ridden (perhaps we're coming > up with the same answer from different angles?) 
>
> So basically my original email covered this, set of predefined
> settings, that the user is able to tweak after the fact... I can add
> to the list in MS IE, but I can't remove this isn't exactly an ideal
> situation that I want to be dealing with...

Well, if the metric is centralised, sure, the issue isn't whether the user can avoid its ramifications (that's always possible, just don't browse...) but...

The issue is who sets up the metric? Who says I am a 1, you are a 2? I'm as happy as Larry if it's me that tells you what you are, but I'm damn sure, I'm not happy if anyone else says I'm a 3.

iang

--
News and views on what matters in finance+crypto: http://financialcryptography.com/

From nobody Tue Feb 22 03:50:18 2005 Received: (qmail 64317 invoked from network); 12 Feb 2005 01:10:52 -0000 Received: from rproxy.gmail.com (64.233.170.202) by mozdev.org with SMTP; 12 Feb 2005 01:10:52 -0000 Received: by rproxy.gmail.com with SMTP id b11so396658rne for ; Fri, 11 Feb 2005 17:06:47 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=j0SQbHoOIx1MJn1M1cRf4JASVWF7gYd2mJZNwxgRGzuPWP36NbkuKD6yvm9yEqmsHTbKVb5pAlHDTC3UL9xM0nJcZJsdgHWvGuOlCZWqqc9dpsktgUgXtYVeSGzEbL+qHL6jgKbukeJm88EVw7AB/QvJUIKS5MdHIYCj33bDAtI= Received: by 10.38.59.60 with SMTP id h60mr340831rna; Fri, 11 Feb 2005 17:06:47 -0800 (PST) Received: by 10.38.77.45 with HTTP; Fri, 11 Feb 2005 17:06:47 -0800 (PST) Message-ID: Date: Fri, 11 Feb 2005 17:06:47 -0800 From: Ram A M To: trustbar@mozdev.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 22 Feb 2005 03:49:57 -0500 Subject: [TrustBar] issuer logo X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: Ram A M List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive:
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Feb 2005 01:10:52 -0000 Hey there, Great tool! Is the logo you display the one that is pointed at in the SSL server certificate? ram From nobody Tue Feb 22 04:21:29 2005 Received: (qmail 52991 invoked from network); 22 Feb 2005 09:20:36 -0000 Received: from ismss-1.biu.ac.il (132.70.46.150) by mozdev.org with SMTP; 22 Feb 2005 09:20:36 -0000 Received: from deer.cs.biu.ac.il ([132.70.1.11]) by ismss-1.biu.ac.il with InterScan Messaging Security Suite; Tue, 22 Feb 2005 11:16:31 +0200 Received: from [132.70.4.39] (herzbea-lt [132.70.4.39]) by deer.cs.biu.ac.il with ESMTP id j1M9G5Zw015754; Tue, 22 Feb 2005 11:16:06 +0200 Message-ID: <421AF83A.1040705@cs.biu.ac.il> Date: Tue, 22 Feb 2005 11:15:38 +0200 From: Amir Herzberg User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Duane Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> In-Reply-To: <4211E563.1060803@cacert.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-imss-version: 2.022 X-imss-result: Passed X-imss-scores: Clean:99.90000 C:2 M:3 S:5 R:5 X-imss-settings: Baseline:3 C:1 M:1 S:1 R:1 (0.5000 0.5000) Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Feb 2005 09:20:47 -0000 Duane, If I understand correctly, your proposal can be broken down to two: 1. You suggest that browsers should expose to users the different level of assurances of different certificates. 2. You suggest a particular scheme of levels/grades of assurances. I am very supportive of your first proposal. 
In fact, what TrustBar already does is allow the user to select name/logo for each CA (by default this is the name of the CA, or logo if it is a CA we took the trouble of putting the logo in our code - currently only for VeriSign but we hope to add few more soon; and it is very easy to select a logo by the user). This already allows user to distinguish between more trusted and less trusted identifications (e.g. by verisign cf. to by some of the less careful CAs - and many CAs make very limited validations). Furthermore, I just discussed this matter with folks from VeriSign, and indeed they are very anxious to allow users to differentiate between their different products (and levels of assurance). The best solution may be to allow the CA to choose a `product` or `assurance level` logo which TrustBar will display adjacent to the CA logo. What do you think (of the current TrustBar UI and of this possible improvement)? Best, Prof. Amir Herzberg Dept. of computer science, Bar Ilan University http://AmirHerzberg.com Duane wrote: > > Someone suggested I post my ideas in the hope they might be incorporated > into this plug-in... > > There is a discussion going on the netscape news groups at present over > how current browser security is binary, either on or off in the form of > seeing a lock or no lock. > > My thinking is that this isn't good enough, and there is no standard way > to represent different grades of how much trust should be put into > certificate providers. Even though some providers have "Class 1/2/3" on > their root certificate this isn't standardised in any way, even web > trust doesn't sanitise the information on root certificates, it judges > what's listed in CPS documents and verify they match the CA practise. > Below are my suggestions on how it might be better handled. > > Question I have is, are my ideas feasible at all? 
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: Low assurance SSL CAs
> From:
> Duane
> Date:
> Tue, 15 Feb 2005 21:50:55 +1100
>
> Newsgroups:
> netscape.public.mozilla.crypto
>
>
> Nelson Bolyard wrote:
>
>> I think we (er, MF) *could*, if MF was willing to require, in its CA cert
>> policy, that CAs for SSL and Code Signing must use a specified minimum
>> level of authentication in the issuance of those certs. But presently,
>> it seems the policy is willing to give any WebTrust-attested CA whatever
>> trust bits they request. So, at the moment, no, I cannot say it is still
>> the case.
>
>
> To kill 2 birds with one stone I'll respond to Julian's posting as well...
>
> Is it a safe assumption to make that generally while the class system is
> mostly informational and that it is slightly standardised, or worst case
> someone could make a judgement to sanitise the CAs slightly based on
> their own CPS. I do realise this would require a fair bit of work for
> someone, or maybe hassle the CAs for the information and their own
> sanitising otherwise they get set to class one equivalency until they do
> provide the information to the contrary.
>
> Nelson, I'm guessing you'd be a good person to make lines in the sand as
> to what is and what isn't acceptable, for example.
>
> Perhaps the current class system isn't granular enough, and we need to
> have classes 0 to 10, to better describe how much trust you should put
> in each CA root certificate based on the policies they issue
> certificates for.
>
> Perhaps instead of using the existing class system and confusing things
> more come up with a different naming scheme, like IDVL (IDentity
> Verification Level), so this strictly relates to how well or how poorly
> each CA does verification checking on each type of certificate issued
> under what root certificate.
>
> No verification = IDVL 0
> email only verification = IDVL 1
> faxed in verification (photo copied ID etc) = IDVL 2
> web of trust like CAcert runs with in person meetings and formalised
> documentation and policies = IDVL 3
> public notary and original documents sent in or meet in person at the CA
> office = IDVL 4
> police ID check = IDVL 5
> government/military background checking via police and other sources =
> IDVL 6
>
> Basically anything exceeding the above checks would be rounded down to
> the closest variation, these are only example suggestions and they may
> be too strict or too loose, I'll leave the specifics up to someone else
> to comment on, however if we get some balance that everyone mostly
> agrees on, even if it isn't implemented in the browser itself could it
> be implemented as a plug-in? (more below)
>
>> Yes. I very much wish we could get the UI czars for FF/TB engaged in
>> the discussions in n.p.m.security, but I'm not optimistic.
>
>
> Ignoring the main interface, how hard/easy would it be to do something
> like this as a plug-in instead? Or maybe this is something someone can
> make to incorporate both (Ian?) have a system of interacting with the
> root certs, and based on finger print of the root certs have a stored
> set of information (something like the above IDVL examples), after
> judging the CPS (see above) and then have it show information on the
> chrome etc...
>
> If the main developers don't want to do it surely there is someone that
> can? Obviously if a user wishes to bump a CA into a different category
> they should be allowed to, the whole point of suggesting all this is to
> give more decision making power to the user. Perhaps this plug-in could
> also track certificate finger prints and do warnings if they change, or
> allow the new finger print to also be added to the plug-in database as
> also acceptable...
> > > ------------------------------------------------------------------------ > > _______________________________________________ > TrustBar mailing list > TrustBar@mozdev.org > http://mozdev.org/mailman/listinfo/trustbar From nobody Tue Feb 22 06:47:27 2005 Received: (qmail 72281 invoked from network); 22 Feb 2005 11:46:35 -0000 Received: from mail.aus-biz.com (HELO wodka.aus-biz.com) (204.209.140.71) by mozdev.org with SMTP; 22 Feb 2005 11:46:35 -0000 Received: by wodka.aus-biz.com (Postfix, from userid 65534) id E8E8C2CAC2D; Tue, 22 Feb 2005 04:42:20 -0700 (MST) Received: from wodka.aus-biz.com (localhost [127.0.0.1]) by wodka.aus-biz.com (Postfix) with ESMTP id A608F2CAC2B; Tue, 22 Feb 2005 04:42:17 -0700 (MST) Received: from 192-172-93-202.dsl.nbdsl.net ([202.93.172.192]) (SquirrelMail authenticated user postmaster@groth.net) by wodka.aus-biz.com with HTTP; Tue, 22 Feb 2005 22:42:17 +1100 (EST) Message-ID: <53483.202.93.172.192.1109072537.squirrel@wodka.aus-biz.com> In-Reply-To: <421AF83A.1040705@cs.biu.ac.il> References: <4211E563.1060803@cacert.org> <421AF83A.1040705@cs.biu.ac.il> Date: Tue, 22 Feb 2005 22:42:17 +1100 (EST) Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] From: "Duane" To: "Amir Herzberg" User-Agent: SquirrelMail/1.4.4 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on wodka.aus-biz.com X-Spam-Level: X-Spam-Status: No, score=-5.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.0.2 Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Feb 2005 11:46:36 -0000 On Tue, February 22, 2005 20:15, Amir Herzberg said: > I am very supportive of your first 
proposal. In fact, what TrustBar > already does is allow the user to select name/logo for each CA (by > default this is the name of the CA, or logo if it is a CA we took the > trouble of putting the logo in our code - currently only for VeriSign > but we hope to add few more soon; and it is very easy to select a logo > by the user). This already allows user to distinguish between more > trusted and less trusted identifications (e.g. by verisign cf. to by > some of the less careful CAs - and many CAs make very limited > validations). Any chance of adding a logo for CAcert by default as well? :) > Furthermore, I just discussed this matter with folks from VeriSign, and > indeed they are very anxious to allow users to differentiate between > their different products (and levels of assurance). The best solution > may be to allow the CA to choose a `product` or `assurance level` logo > which TrustBar will display adjacent to the CA logo. I think for this to be useful it needs some sane defaults, and leaving it up to the CAs won't be the most useful imho, they could possibly overstate how much they really should be trusted. Ideally (and I've said this a number of times to the mozilla news groups) we need more than binary security, the original design didn't eventuate how anyone thought it might, we have to deal with how things turned out not bury our heads in the sand and hoped they were better. At present there is a bunch of certificates in browsers, they state many many different things and it's all simple marketing, unless people actually read the CPSs they won't know how much is truth and how much is overstated, and it's left me with the feeling SSL is as Ian put it a "placebo security" because it's not really practical to attack the encrypted stream, but much easier to attack servers, CAs and social attacks on people. 
For the most part it's also very difficult to attack CAs, people have to own the DNS and while DNS spoofing is possible, there are easier and more wide spread social attacks on people using what looks like the real DNS... I'm getting a little side tracked, but what is needed is a way to quantify CAs, and more to the point, the practises that lead to issuing a certificate, how much checking is performed, or how little whichever is more relevant. I've even seen some home brew CAs wanting to get their root certificates in browsers and they're not only doing no checking but issuing the private key to their users, I'd like to black list any certificate they issued. I'm sure there is a point in there somewhere :) > What do you think (of the current TrustBar UI and of this possible > improvement)? At present it could be extended a little to incorporate my suggestions without too much effort from what I've seen... It comes across a certificate issued by a CA... in the defaults that root certificate according to the CPS the CA was audited on says they require the person to front up to a police station and do an affidavit out to make a sworn statement (with some police verification) they are who they say they are. I'd say this was due diligence and the root CA should be issued with a reasonable level of trust... On the other hand the same CA issues certificates from a different root certificate that only required email confirmation, I only expect to trust this certificate for things like webmail and smtp/imap etc, both are valid means to check verification, but the uses and amount of faith placed in the certificate should also be relevant, not simply ignored or written off as marketing and ignored by the security guys because they're too busy with their heads in the sand that one size fits all... 
-- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers "In the long run the pessimist may be proved right, but the optimist has a better time on the trip." From nobody Tue Feb 22 10:54:06 2005 Received: (qmail 14116 invoked from network); 22 Feb 2005 15:53:25 -0000 Received: from mailgate.enhyper.com (HELO www.enhyper.com) (62.49.250.18) by mozdev.org with SMTP; 22 Feb 2005 15:53:25 -0000 Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id j1MGkaa19794; Tue, 22 Feb 2005 16:46:47 GMT X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol Message-ID: <421B54F9.80106@iang.org> Date: Tue, 22 Feb 2005 15:51:21 +0000 From: Ian G Organization: http://iang.org/ User-Agent: Mozilla Thunderbird 1.0 (X11/20050219) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Duane Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] References: <4211E563.1060803@cacert.org> <421AF83A.1040705@cs.biu.ac.il> <53483.202.93.172.192.1109072537.squirrel@wodka.aus-biz.com> In-Reply-To: <53483.202.93.172.192.1109072537.squirrel@wodka.aus-biz.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: trustbar@mozdev.org, Ahmad Jbara , Amir Herzberg X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Feb 2005 15:53:29 -0000 Duane wrote: >On Tue, February 22, 2005 20:15, Amir Herzberg said: > > > >>I am very supportive of your first proposal. 
In fact, what TrustBar >>already does is allow the user to select name/logo for each CA (by >>default this is the name of the CA, or logo if it is a CA we took the >>trouble of putting the logo in our code - currently only for VeriSign >>but we hope to add few more soon; and it is very easy to select a logo >>by the user). This already allows user to distinguish between more >>trusted and less trusted identifications (e.g. by verisign cf. to by >>some of the less careful CAs - and many CAs make very limited >>validations). >> >> > >Any chance of adding a logo for CAcert by default as well? :) > > Duane! Don't ask for these things... Just do them! Download the plugin, figure out what size logo is applicable by copying the VeriSign sizes, and send the appropriate set to Amir and Ahmad. :-) In all seriousness, Amir and Ahmad haven't the time to create a policy as to how to do all this, so do the heavy lifting for them; get your logos over to them, and help them by trialling the TrustBar so configured with your users. [ I suppose someone has to figure out how to bind the logo to the root cert. Some sort of sig process would be nice. It's not essential, it can be simulated by the product distributor just including them in the package (now WebTrust, later on Mozilla). Something for the future. ] iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ From nobody Wed Feb 23 09:38:47 2005 Received: (qmail 71736 invoked from network); 22 Feb 2005 21:36:02 -0000 Received: from mcr.comodogroup.com (HELO robbie.comodo.net) (217.169.21.2) by mozdev.org with SMTP; 22 Feb 2005 21:36:02 -0000 Received: (qmail 16573 invoked by uid 1114); 22 Feb 2005 21:26:34 +0000 Received: from host81-139-188-99.in-addr.btopenworld.com (HELO snuggles) (81.139.188.99) by robbie.comodo.net (qpsmtpd/0.28) with ESMTP; Tue, 22 Feb 2005 21:26:33 +0000 From: "Steve Roylance" To: "'Ian G'" , "'Duane'" , "'Ahmad Jbara'" , "'Amir Herzberg'" , "'Nelson B. 
Bolyard'" Subject: RE: [TrustBar] [Fwd: Re: Low assurance SSL CAs] Date: Tue, 22 Feb 2005 21:29:30 -0000 Message-ID: <003b01c51925$9d725f90$0402a8c0@comodo.net> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_003C_01C51925.9D725F90" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 In-Reply-To: <421B54F9.80106@iang.org> X-Comodo-ClamAV-Virus-Check-By: robbie.comodo.net - PASSED! X-Comodo-ClamAV-Virus-Version: ClamAV 0.80/721/Tue Feb 22 14:01:26 2005 X-Comodo-F-Prot-Virus-Check-By: robbie.comodo.net - PASSED! X-Comodo-F-Prot-Virus-Program: F-PROT ANTIVIRUS Program version: 4.5.3 Engine version: 3.16.1 X-Mailman-Approved-At: Wed, 23 Feb 2005 09:38:36 -0500 Cc: trustbar@mozdev.org X-BeenThere: trustbar@mozdev.org X-Mailman-Version: 2.1.2 Precedence: list List-Id: Discuss TrustBar , secure area for logos and credentials of web sites List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Feb 2005 21:42:59 -0000 This is a multi-part message in MIME format. ------=_NextPart_000_003C_01C51925.9D725F90 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Dear all, I guess you'll see this as throwing the cat(s) among the pigeons, but it's got the potential to benefit us all with a far faster time to market for the trustbar. Comodo has developed a series of security tools on the back of patent applications made from 1998 onwards. In some cases it may be possible the planned changes to the moz trustbar could infringe some of those patents but that discussion is not the purpose of this e-mail. I'd like to propose that you look at our proof of concept solutions with a view to Comodo providing some of our existing infrastructure and solutions to the trustbar cause. 
As we've already accumulated the databases, made the patent applications and delivered a portfolio of proven tools for the IE platform, I would hope that we could really bring this knowledge to good effect in the new trustbar. I hope Nelson will vouch for our policies as a CA and our quest for high level assurance SSL issuance etc from past discussions. I've attached a white paper that will be going out to as many places as we can push it on this subject, but focusing mainly on the content attacks wrought by the Phishing scams. We've looked to the next stage in the evolution of browsers and seen what we need to do. If you have access to IE (:-0) and can download the plugin products and look at the related sites I hope you'll see a good deal of the work has already been done. I really look forward to the feedback! www.trusttoolbar.com www.vengine.com www.Idauthority.com www.trustlogo.com Kind Regards Steve Roylance Technical Marketing Director - Comodo -----Original Message----- From: trustbar-bounces@mozdev.org [mailto:trustbar-bounces@mozdev.org] On Behalf Of Ian G Sent: 22 February 2005 15:51 To: Duane Cc: trustbar@mozdev.org; Ahmad Jbara; Amir Herzberg Subject: Re: [TrustBar] [Fwd: Re: Low assurance SSL CAs] Duane wrote: >On Tue, February 22, 2005 20:15, Amir Herzberg said: > > > >>I am very supportive of your first proposal. In fact, what TrustBar >>already does is allow the user to select name/logo for each CA (by >>default this is the name of the CA, or logo if it is a CA we took the >>trouble of putting the logo in our code - currently only for VeriSign >>but we hope to add few more soon; and it is very easy to select a logo >>by the user). This already allows user to distinguish between more >>trusted and less trusted identifications (e.g. by verisign cf. to by >>some of the less careful CAs - and many CAs make very limited >>validations). >> >> > >Any chance of adding a logo for CAcert by default as well? :) > > Duane! Don't ask for these things... 
Just do them! Download the plugin, figure out what size logo is applicable by copying the VeriSign sizes, and send the appropriate set to Amir and Ahmad. :-) In all seriousness, Amir and Ahmad haven't the time to create a policy as to how to do all this, so do the heavy lifting for them; get your logos over to them, and help them by trialling the TrustBar so configured with your users. [ I suppose someone has to figure out how to bind the logo to the root cert. Some sort of sig process would be nice. It's not essential, it can be simulated by the product distributor just including them in the package (now WebTrust, later on Mozilla). Something for the future. ] iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ _______________________________________________ TrustBar mailing list TrustBar@mozdev.org http://mozdev.org/mailman/listinfo/trustbar ------=_NextPart_000_003C_01C51925.9D725F90 Content-Type: application/pdf; name="Identity Assurance on the Internet - A Comodo White Paper.pdf" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Identity Assurance on the Internet - A Comodo White Paper.pdf"
jbNBHYMe2qsTyrdqylp2grXzoCAVZfEs5nqVe7NuiTiWY6VQCynD/VP040GanTb3Jq+oIs/Q5XLF Xoqbv9a4aBBEn19fKHvK5dWqOVIuxAM799X9nn5tzZgHr5V0UNCskNEIAt8KN/e3be9WNHZPJqeO dXfsDta7nxkJX+loIu8Fb3AUdrrkoVSxg/ycWrwtSS/ko3XZYiwm6m87Fe5mv2HfkU4svPuylQY3 7HehWWR+snun53R0e0slBbPINQuCZCOcxYgI6dhPsBnECt+/yjTRJASx4zmqQFSzNG3nepYwRZy6 TdvwSo8Q54OLMihjEiYfjbcOUzveWPXPeX3MYUncc7SZR7VtTuaNhQhtimuBDA1REbZMffhmbDmW xtRWvCERd5Ruatw09CXuK61u1WpUKmymMj1qr75Sad7ns2TAoNuRkzoqySXWnPlFqDXZ5yLDAEVT c05Hc7Zx7h+9rB2xcGlId3t1bo6YyCPvugIRegW2vHPUh6yD2HMTUuX+lsNgJcyuMkcUTp5xt5C6 W2M/L6prFN2ZfeWJMI1S4ALuijeU+roRovlpfIranqIOtFVEWuk2L8A6q9YUIMlVDqvfmBqwBrSf uxXHYO1xwTp1UxnZIqifmE5j72TofwR6lP/to3p+FXB9YXKliytaZQT6Ijnf24uq2+dtPx/XTc/k JgjTsVTJ4MV22H4Vq+QqLLwTNcWZLkEd3nD/iNqOPKIt1+66sR+07gJvmnNJDpupdypfUwehHLDO 3n7rwPo6V5/ofsQ5UIoON8pGNZAjzMYW0Y4Xzg00cse9WNMYYMEnNSPkgCjk0AHie9S9J1CmU8c4 ph4f/Wjn10Cpsa80iqedNHEbJzJX6oC1E22OgsI/8X5U7nv25k8acxxHyAx6jrIH0zl0zWqP4Pue OjHzdpzeFvQm9TJf/j+qBzQABbIXqiNmcd0Iu4GWjPnxAYgv+g8xk5+QpNnf/owCh4zpKBxLjP1O ar/BgSCwj4T48Ith3LF0n2Tqdtw/5ObQT+eRWmgYk5bB9+749TQS+gvryH8WAXwUMSrc9Hbis7Tp kM0Fe1+bthXNwKQ+8FE9PCriyiXfJCGfCe9THw7DTh3/Tu6OcFKiygHFtjMGjUNJmxemGEUnXIzH 7ow1SBxP4Ef9iZR4K6CVeIQJWF7OtEwjJP6o5N3aHudEZ/CAC7fQkXVtU8Gj2wv0K1cIeSgCGh0A tUJe4pTDaMIEKN8+VoWyPzzC5WlzvC1kKMkmkBjmtAtHtlQcxrH1qGem8lcZvRdKBRMnlv1pCQHD R7k6lGYlRK5lt5k3YGFnL/envHU+1rSK3v0OGOosTVfMjaaWeHG5yGDUCS4TOPlwRhrb9tQ7h0MF yKKY23FfbMBv3X9mc/VBNzpQSsNk5EMxy0uyKUqIfdnnA+CgKJ5qDbUkd41cVlNIqb+4W9AoIieR lycfJoBRIgJeDAkZQtkveQucp+7+02QTfpb+334c4V+UTvzYbRslXIzbBnLuSbpXOXtk4tl/bAUB 3PhaScF0aaAnQupH43J+cJX44Qa0wgghYyK/N6tR32mCwCpryUxWktlBSAgVm0sg9gX+kkhK4Qt0 XDyq5bGfBT43pYyZnmc6DKZ2/jTNqH4S25EDFpOuehWaqSjXOF2kr+psvfa76vKyUJ/RBUKfeZ0P eJLoeDHdVTzc20aBv3O6Dbzjo3orMSKH1nRlYcit1thsb3iHQL2ZRsuU/XkUCb73jauP/WItBUU4 tnmNe1ORCPSamg9RI4RqPBp2CrSnp8+naj81Kt8KtI61lbjvfy3Uv/q87kz1yGKpHj6xKjf1D6xD /YxQin14lR8xiWqJ8ntnEu2EhC9G87OAoaco9txYMhRVp9NOssQy6SRI3J1OSuJgos7aLd3lHgSr 
BVMejd+mKu3oUt7ckH4lXO4gHBVZY1x98Nl1sW/4xHOUWdYo9p415/HhmgcCyp5ZeocCR2r9W0Wd 27RlYQFPfaZGibySo9me3vyP8WrZbdyGovt8BZcyELuWZFP2skinwBTooOi0q6YLRmZsJXq4IpXE n9Eu+r09915Ssp1Op4sAjkTxcXnPi1FI9XPzX9uKxrGFxY3eMkFI54AmNI3W8ABsk1L5j5VRj1T6 FRXPNYREC11c88sl+dAhYoxbp6FdviXlFmDCHda1wt/gPKdWDSbkY/g4IgQSlNAfygildLOMohtn j8a1a6qW+gqmHa0s9rWk2stDdxtUxR/kQRiiduHHY/y8oo3oZPqUg2YEHO/gmqAjMlaRp14ptpTQ Gl/5wVvuNVL+n6IIGO+hfJA/sCq86B6s0nG8qxqYD9a3bSTWIHCxnnodTmzfjlAyfPlgTx0LMn2X 7GYMLk5O2DmDnd/2dLA8qfZVa0hIMagM35X2SFEBBdLM+LDrDQz5tN/3Sku1j5G1hfsug2jPqN9e yHeEU8gTH2YH75zizwdvqpZmH2Skow1C3vsxqO2sNzQYu66d0Ld4CgywDmFC/u2k7y92GSRnkear QLMGLXfExjocnzyAYEnh4sGMFZ7tjDcwBJ8oS0Q46ADXYlFc8JDAHtOv8pBK/kSliVJBg0hez7Tt TfLXNa4A3KJYTdSUjdvMwjZVZfnSPraeaYi8ASbtW7BooCJc8Hq7urSxE8vhXsJUAzj9lpS77Sj0 UrE2CVu+ih01tKWDVTnWJ3EqyhIWkSHZbBnUXCqck3sEj+O6otGDopCk4spSPvIXrEuoUrbd5DG7 7VQJr155iYl0wxV1o07kghUBlMTEnhR5QRJDSKGdwSZJqHRH6tqCbj3DZh9xkFm2ZaW5TI6hT/O4 trCPTh5c5cNPrCm4x0+PBjER9lpgL4joJWV0T4a2tgbOAh9l2VqfyYyOC8ZEoQ7BUzvEVXua1/Lv fs9ZAKVwqEXw7OLjJ6bhua/rOXJqKhbXHP2AAknWaUw7r9o5mmfeVLtdbdHRxM0p+jxLJz2MBOLh yfvuDY5W/Y2LqCvAllLUoe8g1oLJuJ8wxfV+ilH8sixe8ElN+WQt59pwPpEHTcO3N7Tix88HEYlo kiv517QIKIuz1jpz6LwJWu+7wVLnEmLGxHOA61duEI6Y0RX2xlsqkrJv3raOst2GIxH8R/y8rNHU FbaQrkaHuHwHsuhJV3l6lho5w5BNbsXuv6KtmBFTzixZMuxQZVpF8ANkXuW+R/Ns1RO9LRJ5gzYV cfZUDiiWC5/0oVqXo2NqOp8VNtUthEC/gtCU/YdkuzWGH2eEAQ5NrXeMRKAQ/jCAkI6CszIO9GIJ UptwsNRxzlXsNKBqwlNjngl0W0ICkRuAa1TdjRIxjutae5oakBe53n6gzyW5RF4qhk+FZj6puvIe OHgND5/R6E/wHERBaD4SYtXaV/Vg2mcWHR4G5blV3nAw5Ss7F78iYHydxgWHdudEbg/mxUKNLVoK bttRBIwsC767T6aGWCUsXwdb9ZMmXchXvJc0DY1edk1ToUG79n4m8rUmfIIcd7TRihgetpZ6wEV+ yrM8P+OndJwziza45YDRt0J8lEIokmZJraT64HjosbTWXPptoiie/hog7ykhAAszCtgxbW3EvKJ2 tuc62/LQVn9QPBikva2DFl8HArLNkmPllxjTdJNRyc5y7LiHZTCfnztxwiz0H1rxfHBClpYP/6nv Tem7mLXoqtz/8sWpRt2iL6bV87Ep84gpojz2fA6CCwlmy1MQzBK6tlDhpnqLMH6UksiwajTAWbF5 LzgjdktyMba0aIbQIcCWk7YT6eHz23Y8OfHL/sze0vxfoIjlKBzHHoUCF+CGPopNb8wTcoo/Tbsv 
jWM3QUWkEeJ40UsN4Y96fjA7djoz/SWyjSDIt0VYGQkVFpkYm9q2paaFap9oPiQFkawG5YTxIVnD PgyHgABQjh3/ToTBPGmti3hIMccvM7jPXSTuaDzlnQiWToKNfsQ47ImeAUc1J0Cx3uSmTXwTRi/U nfxq6G3UQ/bwl5QT0+tyE6/5wNLoSOMOjPkNML9MFIQfbuoWOethfqTr1wznPNmTR/j48x37hAq5 BKyuGpzEoBP2YrguF42ttSE2p0VR0he6c3Fl0k3HoTY9NwGZa7ry0Gzneqwa1tlBDA4uv5IHzHs8 TfA+0GjFvHBdgICnVaZDAXyPJgK1um7oSysSf5/YxX7BDbUm/T7Y+ohwF4AzuneeJlyxew4JCSz8 MNsCaFQtMNQzvMLgu8bQIiM4aI7LrknzAHA3HI9IqsA23Gnrgo9Wj33XhPkfzQtdSC5hBfcNuMAD tDWQiM+83GJVk2O3vlyA5NHRk/68B8d6JLlrcJD4A/gPsHT2hfIDHWpBRY7s/eGXm2/unFZ3nxVN kG/B1e9/fL77dJOqH1C4Jzws1upVbdSP6rffl2qHF5W6Wa/TRaHVKl+jU9Q8W2GPCCZ6u8g1TnWT Y2mdxffNzSF+oWGyiv/4IrxvbtzNPwMAtRkqLQoNCmVuZHN0cmVhbQ1lbmRvYmoNNyAwIG9iajw8 L0NvbnRlbnRzIDkgMCBSL1R5cGUvUGFnZS9QYXJlbnQgMTg1IDAgUi9Sb3RhdGUgMC9NZWRpYUJv eFswIDAgNTk1IDg0Ml0vQ3JvcEJveFswIDAgNTk1IDg0Ml0vUmVzb3VyY2VzIDggMCBSPj4NZW5k b2JqDTggMCBvYmo8PC9Db2xvclNwYWNlPDwvQ3M2IDE5NiAwIFI+Pi9Gb250PDwvVFQyIDE5NSAw IFIvVFQ0IDIwMCAwIFIvVFQ2IDE0MCAwIFIvVFQxMCAxNDQgMCBSL1RUMTIgMTQ1IDAgUi9UVDE2 IDE1MyAwIFIvVFQxNyAxNTkgMCBSPj4vWE9iamVjdDw8L0ltMiAxNTEgMCBSPj4vUHJvY1NldFsv UERGL1RleHQvSW1hZ2VDXS9FeHRHU3RhdGU8PC9HUzEgMTk4IDAgUj4+Pj4NZW5kb2JqDTkgMCBv Ymo8PC9MZW5ndGggNjk3My9GaWx0ZXIvRmxhdGVEZWNvZGU+PnN0cmVhbQ0KSImEV8uS28gRvM9X 9EXhhmIIoRtvn+yVYr3aUOzKEhV7kHzAAE0SGhKg0MCM6c9YO/QP/ktndTX4ksY7OohsAtVVWVVZ WV9ulGjFTSSyIg2zRKRlGkZaqDQL40wM5uY30eHXItHzT4siUWHBvz2nH3FY4k/QeVlcPIav3sSL v71XYm1vvtykZRYWqiyTTET4525Ky7JIxQKm6E97Z6JYi3p38+L1TotX/c3f8W8288Py5sVyCT/F cnWjNFvSIi5VqEWe5WGio1gsd3B9faPDPBXLGp+XjzcfpaC/QOdpJEXwj+XPZCljSzlbwn9pcm3p xUubidrSA2FcZlGB/wtha4IHxmUSLD+TqcQ7RbiwX+6TTmOCI87DPDq55iJW9L4LXqfs4n+FjqJU vOx3AcCSfdOL110dHt1VPvKcTDqP6UNShhmwy+MwSvwVsKkSF3sYpYVm68teNMEiDRNZBVGYytHc inFjxK63o7BTXRtrV9NWvN20dtN2a1GNY1XfW7GpHoy4M6YTbdeObTUab4cdi8RChSpLceErvrqY r84LvvruIMxiFyQIiu4uZbsNYrggvorHjRmCXBrnirvaxW4CGM3lIFp+bW8G2+NTJrsAmOUSXlj3 jg2KUM3Pd41zfBo3/PBAD6eyHQ+wqr3Dy+fsZsxu5rGH/5M04ToUdt/3KwQoyZS7oZ+G2gizc2+r 
NCySkqrYhxuVRzsJG6raragcRqVsBsAqqq6h9xcxfLozTdMGixz+dOtgURyBXMymr/CMPJ4qV5m/ YL8f+v1AqRA1mUKxBGR72PcDHW57Zzn1x/ZTABeCRYk7G7Gdhjm0h9a/PhJ+WrY7MfaiAgbBIpPA gXCN6C36fgmfPtavyskt+WjuhG1Hg4LlnlAR16urkDJCrc4Rxcd3I18i71H0wNw4f8XA3vO32nSj IDdTacdqbO3YoiE/yeecD4VeLc7ywY7Rp9Tb/rFdT0iDWPWDCMjMr/XY35mB2g1xIfwEAF13GdDK ksxlo1R5fDSfnOIu2f4v046s9StR1WP7YE4tRHDY57gzB3hAsiw1rlcKvPpE7+QnVvB9+9cgRYE/ BOAzaYZqTR3bjZvtQayH/nHcCJfxnyccIJ5kgeDcB9wa061xkhZAUafPvlP+i7lhfRzomljeBVpS PPiipGsF8cOAEgYVtJ9BCaYR6GgEyeBZtLSSLt6XFVvYw0LVrjv7HA7oNIrhe5Jc3M9VvZhdOcOx XYk7uo5KzlIDo0Hqfod6t3Pdjv1eFNEzuIiWKuEjeruuqEYyuXO1e7w9SaiGssvYsxPKiu9+SdEm curG4SA2/AWF5u/bOTaZT+f8cvOuyUXcj/LndGPMLFJdxjj88B7Zu+DJNC+PuS5PXiRnXoDGxqrt hOUvdHfJBIfOWPHhQLGW/jeqvLEa1mYUXbUzoGnn9Id3uPsNQVCm9JhGmp49UXffy0YPHOzYzbAa 8XlC7FUnXr8FvTliYy+otFUSAeX42f/niI/yrRmon6mM4bUDTHT9KCaXW9DXSKiicIsIZotSE/sr Hepnf5RBQpq6JPNdMracNYccgeSy58ZHKbdtZxjLBEOmco5QGDrKU+QtCxPRVAf7Rx3zpu/WBqDg LuMpqu+87QuzWhUyVmc2aVxhMp8T41GsSEeg0feZB+2gMw/mjxSARgDmn67xErmnwYpxiNFOOKIt KXocENUzIuimwdQGPEVzicYSnVUtvwklsN+zWWsaPjuI1cC1zj+4QaZOMuqC5+eqYnbPzxSYnbhb 0Z+UF3AEvriEuxHzF/e9uvMT6S6grFU0tGLKGjl5H4IHrnkaL6dJUZ4NgFn6FPNwwbCovGZpcIuS bii3lme9acD+j+0lYDz5p7vPBnTqMurT5m+75m3Fd8a69LT9J2tqDNrxIKZ9A4YOqK5+vwX2XyYz MwtUCXLjhu6q3277R+G6DeX/4d0bP4pRQgRC+S3eM5PqM5AfHx/DipMFGgeONZF06b+QCCDhdb94 oOOY8OV2IBfD1v+8AvaU7GukNdfjCWkPdJnpE9C+D5p+RyTG9JEQfYybaoSO3KJnLMUGhCn1R/Xj rV8j+23XsTDFpPjqqIMydVd1907kNALSiKJIQAYLwrxtnLhsB/cQ4f729S+im1wVa8ixITwjxXOZ wsPYCVk/6X+iBkihdB7McHuSrHBlU1k3JXKncAvZHQQ/OxLCsaRnOrOqhpaPJzrG7PQvOZKCDNvw r1SlmDTexMp1hiC2lXxStxXlL5dbagz1hBIvIj9WTLdGBZuhhVYuZgW9PlEC+dF2SImdhsF0DZ7s WFxlYRrHxbdiNyrmMbHGbO5WALnDarCFmRU3GilPzKkdBBuLXT7oQvGaXE+l06PqmH1/01X2vZbT 2bzFEOaDqbbOGPNeCtajBYXPehfPI2eHOkfSE0xvuaO+dt+SokT781nrqv3ev3+Y+793iw8ZOJsC qY499/J9hXsbSvUBosgVOFf/ZcEBlN5N6mHnxBww4e8d1Q3BgcnuNqwJpOtNQGJ9O0vB/mpuA9vv TN85cigAxdYa4YcnjEuxx9YC60ZM3INa0lo0tP/CDdYMXvon0thQLDd+QDBZuNaIn9Qtvu2VUj4p 
j/20pfARAHrT7PYjwVf7gRgQ6WPk19Sq8w6VQyCdEUk5mzyWLA+m0mcO+FhXmDDsGmbGlEqMRZCj E6ooeE8q4LRUubueWFJVHvmlijfGVRAz97Pz3B2UY03Lx/18TkRTV11t/CJ7emOEdLW0B/h1NRSv zN7wYjrtL3bY2eXrxdS3WJx5ZWP3KNoVLT0k9NzOu6CVoiYzqKbd7dn9MyEhJ1S7W7c3NKLy79yD ok8bYwHtsKd+LUhRKiqdB+JLtyxCMpGWoU/nRH2hwIgco5Td/LebeOY/pITFvgLXaLk2YOWjzuLm RQMGNM+AqqRGHPlnMR72ZkHaFZuLm8M0maiNai/djiwTnKrzqjtUNvdnYyCit7Qn2qneIP5Zs96K ejBNO4q5FKNC51yKH2VdDQ3NBtpDfNd0DAw1jR/odd9AYB3Ly71/3SMzOto3qxnr8FNwS30x0PSw hheZY7V0Pn9f6Xww6H481a4O8wqypcXSYKYye26fWiC9DilKnxUfNU1mGo6cbM79yGhicbRm6zO9 5rl0BKeM9VmfRsXRfD7zcWtdLw5MtWS3cuH0HdNR7m6jfmQ6oPBOrLqY77iIQ6lyLv1qtwNafrZX WwteqfYjEgFcTIci93MqztNzDTjXgyp8e6837CYPJGI5YsnOERWWy62BUvcZP40kZ/S7Um8xZxly nebReSbD7+j3K3F/puJyFAkcj4T7kAHAROgCUjQhLtx5IX3aFWfSfc/i9M/iN7TbT72TlCxpoIvE tXbzLB4XR22uTitf5Gf5O9oLQN5OQBEXknIRb6vD/3iv0t22sSv8KjfAoKCAWCOR4iK0KJBxEnSA pGmdpIMg84cmKYljLhouVvQYTYI8b7+zXJKS7GmBtmPANkWR9557lm8R+V1Kb9DM/j29uf9EvQQt LRWARQs9XyogvsybyNI3tCLLHCKDeHd4tf4U8wKBk8blq5tnpArs996MRP9fZf3Xy+bVKBF5E66I O9qMaUk4x8+zuIFpAc+nT8dinByfUOukjB+ddzvwtTnWUOUgS7Zwx7pvDJAMdkXp9MmAO1cTgbKA KbOLYCBKTFy8pax5cia0f86iF2v5jjSiOYoREhrrVT4Mc4eoxmSKCqZ97GQc+a16RloLMdZNqir0 lqwGUlmZZrZcSgCkH9nypTRGrAKn44etLlKqk47kKIIdQMQoEf/BJqSzExyT1ARkRcf3tVHmtCM0 1AfKXixHQrSL9Wp6pNWwg3J+ktS9CLPbTJsZJEn78BJrcM3Sm64QDiswGjkSDtXtuxCiyJfaX7lY J1iEj7QAroJA0YxeJQNDBfdMWVfdznRZU87pKPCIRUH8NWPZJGfM7wcAQv4mwQ1KOQiXVtLE0Ed6 yDbr+r1IZ4Ykwv8BdWil84IsgrFffVsRoG/F7FBln2R0Oub7E+U2nXl3nHnuIwc77FCl1tBiQMi2 a3oGMYiNirJHtuy0FxfhGIlWDmvMAufAjjWhrpDB4cPOhETpLwUXOPOJ4Xuo9YayRJ623o8bWk9m h0Q5Enk0v/ZSh1aibbItuJtYwRYk8NwpHi1Ww7Kn3HVf5wn4HBQQM1G12YwF+SbLCoAIu4KMtPVy yXI2GMTHld3lIs9jhgSQUGgWwD1kCBRPdgchAeMJ5pmQxekABkNzK7L8NMETgHy835OWisFbPHbk sNj3IvG3fQvDhzIQaRbK+fWdzcza9ZaTzHgWXJaREgFJNgH3AwmiTj9hNraC2Q2b3Iz2BZyLoGS2 98liye1CpfKMtC7pYV6jkj5td/n+yZhFjmiSRS7YmEXXnSL0B6pB5PRPTzTQtIMu2ZIczjsU1hkz b97NQhljBFk+MDJj10gQOnZvbp6/QABL58a8ff/69bObGRmwDw8Eo+R3ZX+4genisfl8YLQm7D7H 
z4xSenIxN9+5BHaPJuOS6N4S+MzlZ0au4OxSL8x3Hr31KJh4I5hEQrs19GllbrJtDhxhVLMRykLo dBAnAoi5KX3LTa15jj7WKEibnVyZRfT9YvW9S8V47JAjsFmClGB4ncgeUC70n6nidtdSR0H70s2E z10/1AqPtlXdyVEwHH9rgCNDJj1neqGE9Gj4Y5ctFZyuafDewRLZBaOxShr/P/I2HoWeysnlwupJ ufIW0XxlQEJzd0U6r5wm7KPz4lNM4te8TWKWDSWN5xIFwaiU+ZaKyEKjEuzAKusTFl9E51C3JRYg TvqxwqBVWTcIXtcK3nWkghcXGp8PHbOQ+HjWFKxdVXQfnb/AFJmYfgHMB4wcWI7UjwuZyvqKtizl Dp76J4lyRI66HPSmfEw/mzaJy1bkFrNJJQ8cHrFUrnoqdx1pLOWMCg7/ig6mFGWpmNi1c3rwtM/Y zYrGW7OWuYcwgyNlkpS7G7Gz9GYrd4DqJ/5uNJZr34qJaguEh0NEJhhUF0D+LcgFNHMH65hoQA19 4zotWR4kqSeBpLgMaqA9M4haIiW5e9jlyc6Q7eIzwmxV9MXaecxvjiCwVLaGNmzJI6ANcN6C3VaE U15h3ClZvKsEiuB9qweoQ0LpEMh832dhsMbMnNinPwEjoz9LQ63U2sxXfqQC5cJdLechrOql6gSr Ktc9S+/pjHTaRBgsMy9Fx2ZCdpl5Jd/XoLLAsU+35x4LpoXmYTShutVqqVvNDVaiZlXW2eZdXsKF EkUuLX/qd6aAeckgzNIar0RO9ZnUQx8XBdh+TbUU8tRNz8pixc5qaX1J3N6xMu73kDR4a+VAkpDG aecG+go1wdTkLWvU/b7Ik7ijx9DmkKa1vjJ4n1OL4CpmodwzcjQJUz46nOQYtnhquAk8OiJ1IzkG frCnz6FT2J5E69xnzVE/tcgNTo4jw9FW8kZHX2H0d32VNlkqMxRIm/vOw0MzlWPK4RmNYQfl22IM sMjGpKqSONlFETftZV9e/X8ac8RRJMddKbX8UG+hFum4gXONo+adYU54s9mgLc57D2LaXXgPyF13 ubAi/co808x+2dZF+pXLynbhS5sX92g84PvK0Ztf6Z9HCKA3UlR1VL6y3zkaqCNzV/7aQiWxR8xy 8ShF9J2O/ONhR/3uOTH1NTU6mZk7JJ0CfNnEfdoXBCOJnD2hs9v2Oz1huNAev89EXFaiKiRge8gW aCRXqkRLdiN5a89tNCuSotPcUPuuHV3+txPUkmeQfUpdq4x/oeWW3PvTEZrqPS07nzNv2z6jDvxp R4PHScJstnWZATEy4WKE4q2ncONeiIhW2kfDgF3I8nsQwDeTb8hDyVDzUEbOjoaVeEDqq6ufTdJg olyrJWU6CTjIG0RID42Qa2ca1NfohfYYyQtKBp68SmoWT8CiRr9JQapEO7u42eotKT3TNdgItpQQ cJLLS8K22mEkJOY9psTIgTs6UqSBY+TG/QyuqtmTfEvNtq5TKmENAhRSTvhyP6OSImmfmUvDf1vI +lDRKSOKfxCJlBvg/u8KLdZJeqGnCfmB7SHrA6iQN/s965+aqamhYrnSFPCSFShKnzR/MBjLKtnR yPCdCxCK5uCCSUuKYsbWvjtgEJwYl29p2/JlBp6zgufKrnEO4epR/fVae/tdE6eZua7LEtOiIqOu PrfmZ+flu+ufZxQsbcDqCLrV4cDNDVAFFvXXPm8yHo/Vo9JmOfSRgtnGHt+QeLqlkobEYYQelFGS dPt93XS9TEIlX+XdEYqoKBjkahkTF/KRGAvy81jr46cdpalzo5WqhzTr4rxAix5gYTvwV15tCFbo 1XJGwMSO64+q1+6QEokgoF40MZ8W7RibL2neylNJUbd9MxZkSu+qXvxA+SOtk74EIj/9SjBRkESK 
rFqJ2w5+w6TxsQW2IyxK0RF6vMqsXAHn94Wy7OlGgcXxQMUtpr/aZhDn4Oa5dsmLTwlaERBFM7si OUnEQlRoAVvvu7T+Lt8yvaC4DcxuU5mSdULMyuSIGB8QNK47jBwUQgMx4ztVRn9ZpwDaf3tuw3A1 DO5/q1Mt0HreIrRDeyTel/xdFz2z1tK5xYHdy1GE2lpE3jiJrq/rLXxtJ/NNNJl5j8zgbABegsGW xZmP617ySrbJBS57DLhWpsUH8mLQTV8OmTyRyFvkG1jERoMeu9JgHhELC98qlD0sQbyFIv1q3irV tdAJ1G11fSesB+BZ4zAXELPwLfDykI2BgjFIMdHNX+qcBiIY1bNd7jw06xJcq2NiYg3KTlL0twOt H02cdKzJtaOwMIGOA6XTgU6Etbqdfke8xeKVXOdDwx56/srSKgxsejRZBQtV2AFNn5j3rdaoF3kO no2LA80dXpC4iEMpEAzgyZxd6gN4i5WDqeYCZqJnqo5gBPcrkwg+xqxrmmzT46BP/uMR+J/IYm3b YOWr3riGMiBAfZvE1GMi48LLAQhHPTwSNBbyBjn8TXMJu9PUcbIDst4eTV9t4jIv8liMRiNZ1nYJ HxS9rh2twB/wqyHebBX0bIWwR3JH7VCauu/m5nUN2GyRb2Ei/wwX19Y/2pCVtsyw/oyIRHRNSEi3 zdsOrX7Iux1vwzTNZLVhhoQso4moeku3Z1gfBcNORGMc/4FAF/9owSMJKVHoaV0x3QATOY1KLpco f+nG7MRGYTR6U06DkZM0Ij7AMaRI5F4SyyfIMf5ctb0cD+cV3xmKOQycLOEGpodoIRqFbVYlVA8O fSdfHhgnHqR+cWNXVnhQjNuMBhk6l1m3jDvqvtBBBn5fMWdNzypQuLv+F+vVsqO4EUX3/RW1iYSl huAHxmynNVEmUqJIjJTFTBYGCvA0toltIP0ZmcwH55x7q9xu6E422YBdtutxH+chzVuTD0PRASm0 Kiir0/awLqLC7+9RP3xYqpGxPkjs+07qZFlv3YcE+BuBN6efHKKv5+4oeXaZH7aqjBT46MRM6zcj twJovGhoHBwSu6nfaK4w8uKgb9DG+cZ8lxeV7zRtMWkAV1ENyGOdq6o9vN5gi9gLj9dqS5VSX2EM 5L9UGINI1/Au0AiL/urYlaq62/attvAnnXsiewdllp8mwoWOcn6zK9MWwAtwiB7p/OwGw3l8mxlM 57rMTbG1drMC0RqXJcr+ZNScylZ16T0Yt1jvh/po7Ge/Nloe+aLMBxB0i248Fxt6LkIO2hG8IV2D wmtKsRpADi7OqEJimXw1EFmd4U0X0ODtbeN2fRQdRhOG8rHqwa7x0nvTdOZObP882qZAYigjii5I 8fGeGUErHPMGDH06oIycNp8MuNVjNqNAdYU9xMPVwsQduF51rD5mXMHnuH9qC4CVyQUFAZQNc86y 8C9AFJvqJD0YQaKgCdS9OJ8Cv9iKYBh4zIEm1Eu//NYcUOXazg2bCh+xZEOGr16JcqAHKYkPi/9S sP8jWI2H9B1HsYPRH/JHmLa9xpWtulxrWPLyhsJBvNkQbHrsW2RZDzb69Y9WHAfY+7GqBRDheDSv zgZcdFjIKYx6tzV2i7xoxjCJ4oEVqIMwmaFmtviP2UHu3wZhnCFvDe6nQDv+oUzwesw9mSPfg3pC sWAHTxjmoeEbOdzf6gHW8hYqXoazfm4//oh/h6QcCPtNgSTDOBX/owOVm2En25lRkOoG8GXMbd9M Ucp/3K/ptlTKObKbif1r/QkKmY8aTOc1F9lsOPIPNED+O8jTeNY37y33Ss2MCFGTm/rCCxEKArdy BVsxQV0uYswAYfaxdGUXP9O3k43LY14aOy7zAp2JdjRdk1ftMaC+hdIxcBt7QBPUxsbcSslFJovK 
hVtzDkTIdM2BgprGnqZkwYM92wNWazx+V9BR0OWXPet15aB7NkmiMNQ6/zTqLtZWJpl9p5jBr+a4 QafDZ+AIKrTkIA6c3ffX4NyrLCf2Ab2UCYSIMzUdGyIbnQO6PgGwDxVoqrKdrHkvy1+CBQoDeUSY QKn7YoedB+QdEWdzJbgZWEhvW8A2Ckin3qpn/KuPZ6rxjJJJkqbRjTjnNkf5qatLUZZfffJdGlAz WerhQGpEymMc0/xF6esajnTgRW1RnevD2W48pRxOsIoeikxld4diVwAyITHbzrvNeZxmAwiK+km9 2exnLbqvrRHgzpxlap8oMVtrQamwcgGbbNwbT5n5Wu7cKHFJdNGqG0HdHuHDFNTQV1iVhVv7I0GZ uqtfIVX3QmpgNWa7s+t9VfxxUoniBNoL+kx7+nRnE1+RjPSX+Y2VCZFTKC9xS0t1FUfOB1qnaiJw 8FcqA6TU3l9tqS/6aXorVxBYZ6IMtcTGK8bi3EtGdK0s6gbWlA2zUYHueDLrJt927sGGyQhpJMbP jTJNr3VX37oR9aAPOSpDFVAdKFkoJBaHA8gamFi1mgL2pT47CAsnox2cWek4Gbzzt35wDkLVvxz8 xtCgTdwtRXs4EmTipPFoA82gj9rWX4imhdLIzdYNXXTdN2DUnQqy2WUTqgbi5jPQjotg9bKo1CSA yVpzkirZwEA2xUr920l7u0OqPzb1F6SD4CAfXKTP6+ax/RxMAByIldeXJfDtZWF5YTvzloUCB2VB zDlgQWfLiHAbUUuyHayK5tlYpl7xSQqIu7SSoYAJDV8W8XTxjPyugQi+x1Oz3uecctvUpUzW5m67 uKxPzHVIAUWgo1wER6zr6mwrIhHUXHv074uunwyiLsr4hWxSYHr/8e77hzY1D0vD/cQLyOXbi+XD L3eh+Qmd8AWD85m5mMz8bD79PjUbPCjMXbSAsyPvoEoSM44oMlDF0RR6JjGNvZvFkyzyz8u79u6f AQAK6XxxCg0KZW5kc3RyZWFtDWVuZG9iag0xMCAwIG9iajw8L0NvbnRlbnRzIDEyIDAgUi9UeXBl L1BhZ2UvUGFyZW50IDE4NSAwIFIvUm90YXRlIDAvTWVkaWFCb3hbMCAwIDU5NSA4NDJdL0Nyb3BC b3hbMCAwIDU5NSA4NDJdL1Jlc291cmNlcyAxMSAwIFI+Pg1lbmRvYmoNMTEgMCBvYmo8PC9Db2xv clNwYWNlPDwvQ3M2IDE5NiAwIFI+Pi9Gb250PDwvVFQyIDE5NSAwIFIvVFQ0IDIwMCAwIFIvVFQ2 IDE0MCAwIFIvVFQxMCAxNDQgMCBSL1RUMTIgMTQ1IDAgUi9UVDE2IDE1MyAwIFIvVFQxNyAxNTkg MCBSPj4vWE9iamVjdDw8L0ltMiAxNTEgMCBSPj4vUHJvY1NldFsvUERGL1RleHQvSW1hZ2VDXS9F eHRHU3RhdGU8PC9HUzEgMTk4IDAgUj4+Pj4NZW5kb2JqDTEyIDAgb2JqPDwvTGVuZ3RoIDYwNzMv RmlsdGVyL0ZsYXRlRGVjb2RlPj5zdHJlYW0NCkiJvFfbjtvIEX2fr+i3NBcWzfvFCQLs2uvEwTqZ 2DL8sM5Di2xJ3KFImaSszP6GjfxD/jKnqpqSZuzZBHDgGUAku8m69alTVe+vQtWoq0BlRepniUrL 1A8iFaaZH2dqsFdvVYfdIonmrUWRhH4he9/RJhZL/ClaL4s7r+HRiXj8p9eh2oxX76/SMvOLsCyT TAX4Z01pWRapWkAU/UXOmCCOVLW7evxiF6ln/dXf8T+L+WF59Xi5hJ1qub4KI5EUqbgM/UjlWe4n URCr5Q6mb64iP0/VssL98nj1s1b050V5Gmjl/WP5F5KUiaRcJOGSJvclPX46Zqoa6QU/LrOgwLVQ 
Y0XhgXCdestfSFTijKK4iF18F6UxhSPO/Tw4m8Yeh/Q9Ox+lYuK/VRQEqXra7zwES/d1r150lX8y N3Se5ySSLaabpPQzxC6P/SBxKkh8wb77eRKL8DdT0za/Nt1GHW3rLVLNP+qm64+dtyj9SKt1a46j t4BUrZpOTVurqn636+f9nWloN8ankY9vRztgR3/wgAxtB7EzUIvQD7M0Uctn4l6QiCkIaSm2QKq3 SKBmB0GZPniLCA+dXKAj1JWZmt4tKFKa6f1Aj7nup74itX2r3unX3qKAaS+X3gKA0tfvPLH1kbre OnGju7HeAmehnRT4GUKoMu7Z7SqzaufbqVfV3V1DH8V6wmMY+okD0vK7OxGPc2Cc3bQIWDuqYzNt 1drckIkhiSKJ6uNLbKrnQ7978omcgC1ba2o7jMp0tWq8HEHdeTF+91jsOzNZ7NySf8VdzcAFaw5z uiPN/bAxXfMrB5HO8VZV274frQ9AqbHf4WDNaMdHvOelpBz6Ur0zt8q0Y4+jnfj8L9XMWsK8EC0f X+HTUD+9XsJMiFj2XgLbnnxS68a2NQLIz7Ba2Z2XajiMF+G7qevBjqOS/TUWgS6oawaykxcbjwJc WZyxLHRWHbdNhcOcvRekpXlJSOM4ZGIhAuKAJq5D/76pbg57RlKKc4HEzJkTA/eDoIgUJVo233m/ p5dh15FUYt0OdnVLJ6CqwzhdvgvoD3Yvwho7KrcJj9yXCFOuv5AebHTpwhpELqz7LTBLicp2ls7O bM6Do3u8s7iyOLJuEtXQNckyDAjIQBHkKzqo9LSqNkN/JEV7Po1Kvv1gB7Ohz8lwSZI7YAvF3igO HW31+EKdjDaTOD2Z6mZUWzOqnTUdrZWaMGUmtetH95KEcsegH6yCIMZ3ei+z5hBFKFWs8miGW9Wv wWAkBJ7XUD2L7Lt1I2dXe2Q+4tKYFozm3u8ZhMMO2SGvyUIHqI2HautAAsP3ZhyPlLXg4qGmvCTj QoiFnPJeWFxUstAl//WLv84qY9ZQnFWGbqF75ylginlC/Utt+6OlWDaTGsHWrWIyzokfQ1hUVTil 9YE8ARXLCXG47p9Qeq4sZIvmXPdR/aRUha7sMRTLACXEQTE4fxiKE0tbbbvm/cGOkiHqMNpaqJZp DZZczwc/5xZx3pPPapYoC/OYlZ3qsj4Zlct7kR+lacYvozfAu38Igrz4450ii1KSFtRHYPssYG4L /LzMZY99ys8+OXL823rdVIQIqoDuLFLd3zB6JeIdRbzQNbjywNiiM5KtxgMQNWj95KGzfPGZ6Wc3 v9KJKHcJUEaumj/twSmp3hPdyO2aShSQ0DL3WErxQm+aqdkx+xgu0hNVdH592Lsr3Ek01ZYTN/Lr jcgZPUKelDB5QfYbFO6QwpQzulmSekP1oNA/PUTPxfnYq63pNrD93uk/EMOvDJ9T7KdZ6XD9ZyLC RL/8SYh6hQSplZXWYcflRkg3FcQLneZcIBzlpu5hxa3Q+jBWFMPJDBtUzjdMza+o0md3w3FB/EF2 0Z2CKfoTPaQMyQSM9D9i7GvjE51zJBd7Xk9oQsxQqw/NcBgfMwuyyyAx+A0mMBMYngtcoWWJO5tY d5NUQC31K9LUNWbgy/+SM3me/F+TJkzOXrl24HvpR7hUoxObuNeI9GAujjRCJkXcGXZcpELOeHw1 7s2O4bKo7WQrtFb8dueat6arROxhnHe+KUdIkVzMnjNJDGY9EXn1a/XRNZFtAzx/Uv2gDp0rf6B3 V4JchqPMGE7Ob2h9PncVpTP+ubmxao9OAQ4QoHCPmUHvD60ZFJlIjSDMVKveSHGupcGmMaV17UD2 UKsYXHARQjJ9IyaaiRwz0TyWASqpo1l7ovJ4HnvwQHH4+NKjzmVmZR4bmIfRa7tmGs7PrC8ThKsQ 
zCQWHcNFGcBRD1ZEycLt+BBJfY4qEJWqm3FzaEbCFjW51BRZqpUDGnaAjSYHhyiSehnL3+gAAhcy KIt4vJU7mW/jFH4UMt/ezWn1ypp20TZrq649AsDWC2jqa7jnhYU//tNwXdpxeu5b+1lzgom3YI18 4xTGaKATml13F3QChKax48glvFz3bSs9dDNKMXTTDseWiS/X7UVvHulTHZXwoyxpzBQzF3GvF2on zG3XMioRNS3IKfXWjtOeGhJduSnlgeEimvGWuuFiZTpudFzjLdPk4JRSZ/kSI2AEfPrOzrdb9HMy DLao2QdhfDIs1hs6dOr8p6aSWfPch0ZR7FQ2I+cuN1kDmmwZTfYAXqmHfmXEg1VLvmX6VtXgo8l9 wHpd9XFWNhNa5K6f1MrObSdmOdXBgA9W/SiJjw4NLF4SDsTg3+QBAZTLyHFvkXLDO+8RmAQnM9iq QZ9FZe2IGRBNOTXwExkTaerSuceHb31ra/+MrWDGlkNzfgZzVGIoSATM9zMhwmuUK7iG