[OpenAFS] [Fwd: Kerberos for Windows 3.2 is released]

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 04 May 2007 00:47:38 -0400


This is a cryptographically signed message in MIME format.

--------------ms030606030206000204000808
Content-Type: multipart/mixed;
 boundary="------------030207040903030204050805"

This is a multi-part message in MIME format.
--------------030207040903030204050805
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

The version of Network Identity Manager in KFW 3.2 contains numerous
improvements to the end user experience.  It is the best version of KFW
for use with OpenAFS 1.5.19. 

Jeffrey Altman
Secure Endpoints Inc.


--------------030207040903030204050805
Content-Type: message/rfc822;
 name="Kerberos for Windows 3.2 is released.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="Kerberos for Windows 3.2 is released.eml"

Return-path: <kerberos-bounces@MIT.EDU>
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13)
X-Spam-Level: 
X-Spam-Status: No, score=-4.0 required=5.0 tests=BAYES_00
	autolearn=unavailable version=3.1.8
X-Spam-Report: 
	* -4.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
	*      [score: 0.0000]
Authentication-Results: www.secure-endpoints.com
	smtp.mail=kerberos-bounces@MIT.EDU; spf=pass; ip-match=fail
X-MDSPF-Result: unapproved (www.secure-endpoints.com)
Received-SPF: pass (www.secure-endpoints.com: domain of kerberos-bounces@MIT.EDU
	designates 18.7.21.90 as permitted sender)
	x-spf-client=MDaemon.PRO.v9.5.6
	receiver=www.secure-endpoints.com
	client-ip=18.7.21.90
	envelope-from=<kerberos-bounces@MIT.EDU>
	helo=pch.mit.edu
Received: from pch.mit.edu (pch.mit.edu [18.7.21.90])
	by secure-endpoints.com (www.secure-endpoints.com)
	(MDaemon PRO v9.5.6)
	with ESMTP id md50000051935.msg
	for <jaltman@secure-endpoints.com>; Thu, 03 May 2007 18:15:35 -0400
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l43M0x4t018183;
	Thu, 3 May 2007 18:01:15 -0400
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU
	[18.7.21.82])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l43M0vPd018170;
	Thu, 3 May 2007 18:00:57 -0400
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by grand-central-station.mit.edu (8.13.6/8.9.2) with ESMTP id
	l43M0iL7019663; Thu, 3 May 2007 18:00:44 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l43M0gU7018137;
	Thu, 3 May 2007 18:00:42 -0400
Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU
	[18.7.7.80])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l43M04kG018031
	for <kerberos-announce@PCH.mit.edu>; Thu, 3 May 2007 18:00:04 -0400
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103])
	by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id
	l43M046b019564
	for <kerberos-announce@mit.edu>; Thu, 3 May 2007 18:00:04 -0400 (EDT)
Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU
	[18.18.1.96]) (authenticated bits=56)
	(User authenticated as tlyu@ATHENA.MIT.EDU)
	by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id l43M02E5008255
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <kerberos-announce@MIT.EDU>; Thu, 3 May 2007 18:00:03 -0400 (EDT)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308)
	id l43M02bW005677; Thu, 3 May 2007 18:00:02 -0400 (EDT)
To: kerberos-announce@MIT.EDU
Subject: Kerberos for Windows 3.2 is released
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 03 May 2007 17:59:59 -0400
Message-ID: <ldvk5vptvog.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.42
X-MIME-Autoconverted: from quoted-printable to 8bit by pch.mit.edu id
	l43M04kG018031
X-Mailman-Approved-At: Thu, 03 May 2007 18:00:42 -0400
X-BeenThere: kerberos-announce@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
X-BeenThere: kerberos@mit.edu
Reply-To: kerberos@MIT.EDU
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request@mit.edu?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: kerberos-bounces@MIT.EDU
Errors-To: kerberos-bounces@MIT.EDU
X-Lookup-Warning: MAIL lookup on kerberos-bounces@MIT.EDU does not match 18.7.21.90
X-MDRcpt-To: jaltman@secure-endpoints.com
X-Rcpt-To: jaltman@secure-endpoints.com
X-MDRemoteIP: 18.7.21.90
X-Return-Path: kerberos-bounces@MIT.EDU
X-Envelope-From: kerberos-bounces@MIT.EDU
X-MDaemon-Deliver-To: jaltman@secure-endpoints.com
X-Spam-Processed: www.secure-endpoints.com, Thu, 03 May 2007 18:15:36 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to 
announce the release of MIT's Kerberos for Windows product, Version 3.2.

Supported Versions of Microsoft Windows
=======================================

This release requires 32-bit editions of Microsoft Windows 2000 and
higher or the WOW64 environment of 64-bit editions of Microsoft 
Windows XP and higher.  There is no native 64-bit library support in
this release.


Downloads
=========

Binaries and source code can be downloaded from the MIT Kerberos web site:
   http://web.mit.edu/kerberos/dist/index.html


What's New in KFW 3.2:
======================

  * Network Identity Manager Application
     o A simplified basic mode has been added to the "obtain new 
       credentials dialog".  The basic mode replaces the credential 
       browser with a button that can be used to access the advanced 
       configuration functions.  This advanced mode provides the 
       credential browser and a tabbed view of the configuration 
       dialogs for each of the available credential providers.
     o A simplified default application view that shows only the 
       status of the active identities.
     o A new command-line option to netidmgr.exe is available to 
       shutdown a running instance of Network Identity Manager.  
       Specify "-x" or "--exit" to force the existing instance to 
       terminate.
     o The use of ellipsis on menu items now follows the Windows 
       Style Guide.  Ellipsis is only used when additional information 
       is required from the user before carrying out the designated 
       action.  If displaying a dialog is the action, no ellipsis 
       is used.
     o Improved handling of window focus when opening and closing 
       modal dialogs.
     o Reduce the number of alerts presented to the user by combining 
       duplicates into a single alert.
     o Do not generate alerts if there is nothing that the user 
       can do to correct the situation.  Alerts that are displayed 
       provide actions the user can take if desired.
     o Renew and Destroy menus provide "All" and "Individual identity 
       names" as choices.
     o The Renew and Destroy toolbar buttons provide dropdown menus 
       permitting the action to be applied to either "All" or one 
       specific identity.
     o The "default" action of left clicking the notification icon 
       is now configurable.  The default configuration is "open/close 
       NIM window".  The alternate is to open the new credentials 
       dialog.  This can be specified by the user on the General 
       Options page.
     o The alerter window can now display multiple alerts simultaneously.
     o Ensure that the NIM window is displayed on an active desktop.
       If not, move it to the primary desktop and center it.
     o New Basic mode display that shows only the state of the 
       identity and its expiration time.  Use F7 or View->Advanced 
       to switch to the previous display that is configurable by the
       user to show details about each credential.
     o New Color Scheme derived from current Windows Desktop Color 
       Scheme.
     o Improved display updating algorithms reduce flicker
     o The proper icon sizes are now used in the information bubble 
       and the status bar.
     o Task Bar buttons are created for visible windows and dialogs
     o Plug-in Help can now be added to the Help menu
     o Improved HtmlHelp user documentation with Indexing
     o Improved HtmlHelp developer documentation with Indexing
     o Improved PDF user documentation
  * Network Identity Manager Kerberos v5 Support
     o Do not show cached prompts to user if they have expired
     o Correct the possibility that a krb5_ccache handle might be 
       freed twice.
     o Import settings from Kerberos Profile if there are no equivalent 
       defaults specified in the registry.  Support per-realm settings.
     o An identity that matches the MSLSA will not renew its credentials 
       from the MSLSA if the user obtained the credentials from 
       elsewhere.
     o When importing an identity from the MSLSA that has never been 
       seen before, create an entry in the identity database.
     o Do not attempt to renew non-renewable identities
     o Permit an identity to be configured as the default identity 
       even if it doesn't have any credentials.
  * Kerberos v5 Library Improvements
     o Based on MIT release 1.6+
     o On Vista MSLSA: krb5_ccache can be used to store tickets 
       including TGTs for alternative principals to the LSA credential 
       cache
     o On Vista a more efficient interface for enumerating the contents 
       of the LSA credential cache is available.
     o Vista support is only built if the Vista SDK version of 
       NTSecAPI.H is used.
     o On Vista, if a process is UAC limited, the MSLSA will report 
       that no tickets are present in the cache rather than return 
       tickets with invalid session keys.
     o get_os_ccname() uses GetEnvironmentVariable() instead of 
       getenv() to read the KRB5CCNAME environment variable.  This 
       allows the correct default credential cache name to be returned 
       by krb5_cc_default_name().   This works around a problem where a 
       gssapi application would trigger an Obtain New Credentials prompt 
       from NIM only to have it obtain the wrong credential cache.
  * Winsock Helper Library Improvements
     o DNS queries that terminate with a dot would not properly match 
       the hostnames listed within the DNS response preventing a 
       successful return.   This resulted in "kinit -4" failing to find 
       the KDCs.
  * Integrated Logon Improvements
     o Remove the reliance on the Windows Logon Event handler and 
       replace it with a LogonScript that executes kfwlogon.dll via a 
       call to rundll32.exe.  This change permits the integrated logon 
       functionality to work on all supported platforms: Windows 2000 
       to Windows Vista.
     o Disable the use of integrated logon if the Network Provider is 
       called as a result of a non-interactive logon.  The non-interactive 
       logon does not process the specified LogonScript.  As a result, 
       the intermediate credential cache file would not be processed 
       nor cleaned up.
     o Obtained credentials are stored into an API credential cache 
       whose name is API:<principal>
     o Add a debugging mode which when activated logs to the Windows 
       Application Event Log.  
       [HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider] 
         DWORD "Debug"
  * Leash32 Library Changes
     o Modify the leash functions to use krb5_string_to_deltat() to 
       parse ticket_lifetime and renew_lifetime from the profile.  
       Previously the leash functions expected those fields to be 
       integer representation of minutes without the use of any units.  
       This change is for consistency with KFM and the rest of the krb5 
       library.
     o Modify the private functions acquire_tkt_for_princ() and 
       acquire_tkt_no_princ() that are called from gssapi32.dll so that 
       they will work on Windows Vista and so that the MSLSA: principal 
       is only imported if it matches the default identity and no 
       credentials for that identity are present.
     o Remove all AFS functionality.


Microsoft Vista User Account Control (UAC) Restrictions
=======================================================

Microsoft Vista UAC mode prevents accounts that are members of the
local Administrators group from accessing Kerberos session keys from
the LSA credentials cache.  The MIT Kerberos MSLSA krb5_ccache type
will not report the existence of Kerberos tickets which do not have
valid session keys.  

Users are encouraged to login to Microsoft Vista with accounts 
that are not members of the local machine Administrators group in 
order to obtain the best single sign-on experience with MIT Kerberos
for Windows and Network Identity Manager.


Acknowledgments
===============

Thanks to Stanford University for funding Secure Endpoints Inc.'s
implementation of many of the Network Identity Manager user experience 
improvements including the user configurable default action, the
revised "Obtain New Credentials" dialog, the new default application
view, and the improved alert management.

Secure Endpoints Inc. wishes to acknowledge the work of Asanka Herath
on Network Identity Manager (NIM).  NIM would not be the same without 
him.  For information on Secure Endpoints Inc.'s future plans for NIM
please see 

  http://www.secure-endpoints.com/netidmgr/roadmap.html

A special thanks to Kevin Koch, the newest member of the MIT Kerberos
team, for his work on the automated build scripts used to produce this
release.


Important notice regarding Kerberos 4 support in MIT Kerberos 
=============================================================

In the past few years, several developments have shown the inadequacy
of the security of version 4 of the Kerberos protocol.  These
developments have led the MIT Kerberos Team to begin the process of
ending support for version 4 of the Kerberos protocol.  The plan
involves the eventual removal of Kerberos 4 support from the MIT
implementation of Kerberos.

The Data Encryption Standard (DES) has reached the end of its useful
life.  DES is the only encryption algorithm supported by Kerberos 4,
and the increasingly obvious inadequacy of DES motivates the
retirement of the Kerberos 4 protocol.  The National Institute of
Standards and Technology (NIST), which had previously certified DES as
a US government encryption standard, has officially announced[1] the
withdrawal of the Federal Information Processing Standards (FIPS) for
DES.

NIST's action reflects the long-held opinion of the cryptographic
community that DES has too small a key space to be secure.  Breaking
DES encryption by an exhaustive search of its key space is within the
means of some individuals, many companies, and all major governments.
Consequently, DES cannot be considered secure for any long-term keys,
particularly the ticket-granting key that is central to Kerberos.

Serious protocol flaws[2] have been found in Kerberos 4.  These flaws
permit attacks which require far less effort than an exhaustive search
of the DES key space.  These flaws make Kerberos 4 cross-realm
authentication an unacceptable security risk and raise serious
questions about the security of the entire Kerberos 4 protocol.

The known insecurity of DES, combined with the recently discovered
protocol flaws, make it extremely inadvisable to rely on the security
of version 4 of the Kerberos protocol.  These factors motivate the MIT
Kerberos Team to remove support for Kerberos version 4 from the MIT
implementation of Kerberos.

The process of ending Kerberos 4 support began with release 1.3 of MIT
Kerberos 5. In release 1.3, the default run-time configuration of the 
KDC disables support for version 4 of the Kerberos protocol. Release 1.4
of MIT Kerberos continues to include Kerberos 4 support (also disabled
in the KDC with the default run-time configuration), but we intend to 
completely remove Kerberos 4 support from some future release of MIT 
Kerberos.

The MIT Kerberos Team has ended active development of Kerberos 4,
except for the eventual removal of all Kerberos 4 functionality.  We
will continue to provide critical security fixes for Kerberos 4, but
routine bug fixes and feature enhancements are at an end.

** The MIT Kerberos Team has decided that the MIT Kerberos for 
** Windows 3.x release series will be the last versions to contain
** Kerberos 4 support.  Beginning with 4.0 release, MIT Kerberos for
** Windows will be Kerberos 5 only.  At that time MIT will repackage
** the existing Kerberos 4 libraries in a stand-alone installer for
** those organizations that require continued use of Kerberos 4.
** MIT KFW 4.0 is targeted for release during the first quarter of
** 2008.

We recommend that any sites which have not already done so begin a
migration to Kerberos 5.  Kerberos 5 provides significant advantages
over Kerberos 4, including support for strong encryption,
extensibility, improved cross-vendor interoperability, and ongoing
development and enhancement.

If you have questions or issues regarding migration to Kerberos 5, we
recommend discussing them on the kerberos@mit.edu mailing list.

                               References

[1] National Institute of Standards and Technology.  Announcing
     Approval of the Withdrawal of Federal Information Processing
     Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
     Guidelines for Implementing and Using the NBS Data Encryption
     Standard; and FIPS 81, DES Modes of Operation.  Federal Register
     05-9945, 70 FR 28907-28908, 19 May 2005.  DOCID:fr19my05-45

[2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
     Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
     the Network and Distributed Systems Security Symposium. The
     Internet Society, February 2004.
     http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf


Changes since Beta 3
====================
  (1) The krb5 api functions krb5_get_init_creds_password and 
      krb5_get_init_creds_keytab permit the krb5_get_init_creds_opt
      pointer to be NULL.  This case was not handled properly.

Changes since Beta 2
====================
  (1) A race condition in krb5_get_creds_from_kdc_opt() resulting in a 
      memory access error was fixed that could be triggered if two service
      tickets are being obtained simultaneously via a cross-realm path of 
      three or more realms and if the KDC rejects requests with the 
      canonicalize flag (MIT Kerberos v5 releases older than 1.3.2)

  (2) The profile library when storing a profile from memory to a file 
      failed to double quote the null string value on the right hand side 
      of an entry.  This would result in a profile file that could not be
      parsed.

Changes since Beta 1
====================
  (1) Updated HtmlHelp user documentation with basic indexing

  (2) Updated PDF user documentation

  (3) Fix the Kerberos v4 configuration panel in the Obtain New
      Credentials dialog so that it works even if the global use 
      Kerberos v4 flag says not to.

  (4) Initialize the default identity from existing credentials if 
      there has never been a default identity specified before

  (5) Renew identities that are imported from MSLSA by importing if 
      and only if the user did not manually obtain credentials for the 
      same identity later on.

  (6) When renewing an identity that was imported from the MSLSA, if 
      the credentials are expired (or otherwise not useful) initialize 
      the MSLSA ccache and try again.

  (7) Improvements in hot spot handling

  (8) Improvements in Advanced view column sort order handling

  (9) Add a Taskbar button to the main window and the obtain new
      credentials and change password dialogs

 (10) Add a vertical scrollbar to the realm list in the Obtain New
      Credentials and Change Password dialogs

 (11) File Version information was missing from a number of the 
      Kerberos utility commands.

 (12) The NIM About dialog could not be closed via Alt-F4

 (13) The Integrated Logon Event Log name was changed to "MIT Kerberos".
      Logging of failure to find the "Debug" registry value was removed.  
      Use case-insensitive tests for the Windows Station to ensure that 
      the "interactive" state can be properly determined on Vista.   
      Clean up orphaned cache files (older than five minutes.)  Properly 
      find the kfwcpcc.exe executable.

 (14) Significantly improved Network Identity Manager Developer
      documentation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRjpbYqbDgE/zdoE9AQKbfgP/f+T/6ZAcvdZR3fA6at8sxkl8lOngkT69
1GfuG4nO18JWVlC0qASRZ6kqeidZ1+XMM3qWvdLbyut2GrxEpcuGYmr3x2JKXSKO
bTbNpZIZXlFjYVzSAfLYokKgqOjC06CVlXC/Vb0G1L0syYC0hXdeofmJC5guMqGo
EYIxBlopK9I=
=Ba0e
-----END PGP SIGNATURE-----

_______________________________________________
kerberos-announce mailing list
kerberos-announce@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--------------030207040903030204050805--

--------------ms030606030206000204000808
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJeTCC
AxcwggKAoAMCAQICEBW00lKwoWJXt8wbmTl1M0kwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UE
BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT
I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA2MDUyNzIyMDMzMloX
DTA3MDUyNzIyMDMzMlowczEPMA0GA1UEBBMGQWx0bWFuMRUwEwYDVQQqEwxKZWZmcmV5IEVy
aWMxHDAaBgNVBAMTE0plZmZyZXkgRXJpYyBBbHRtYW4xKzApBgkqhkiG9w0BCQEWHGphbHRt
YW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC19SD7DncCP/+wfQlLzAAcxf1nJ/7UQgh4o/nxzvuY55XwHdLQjqWuFUnM5vecfyZKwq0o
fGCucDfcQbSIrkhHD9z4TZ8vDaYWVY9Foz8Rp8G0PNdbRFoFtfJbaeVBX5hG3aQXIc/T1b9U
8uN3kLyqXAFIGWKO8DJVGTKKtOiPVOp1U+9CwujyYmUSKF+suutKABhhK1ZGHsTnFczLZ2g0
ma0H7PiFJ2kLfOf///07E1fbr4IRb+cd87kpWLcjtEZ0rbBr9HlOy9dkeEii/qFoo1ahfKCD
A9bNErMiOXA3dudaNNzXlN/70slq5fboBXbepamJGrsnXYcCsS9+LtCTAgMBAAGjOTA3MCcG
A1UdEQQgMB6BHGphbHRtYW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wDAYDVR0TAQH/BAIwADAN
BgkqhkiG9w0BAQQFAAOBgQDBzWhkrW+ol3iyT1rV8ZBQB0+z/6dFH3djQfNf7jDXNoXx4Vbo
pA7BAR4ihAPibv7j7ZaxmyMxWiDACRGS934uvUS0K6L6q14hTWMostJgFsAEDArrmbrES03v
L3EVETiGFqTB2sLp5MLc6+z+72pLXRuDPL3lO2GOQuBbILswRzCCAxcwggKAoAMCAQICEBW0
0lKwoWJXt8wbmTl1M0kwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoT
HFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25h
bCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA2MDUyNzIyMDMzMloXDTA3MDUyNzIyMDMzMlow
czEPMA0GA1UEBBMGQWx0bWFuMRUwEwYDVQQqEwxKZWZmcmV5IEVyaWMxHDAaBgNVBAMTE0pl
ZmZyZXkgRXJpYyBBbHRtYW4xKzApBgkqhkiG9w0BCQEWHGphbHRtYW5Ac2VjdXJlLWVuZHBv
aW50cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC19SD7DncCP/+wfQlL
zAAcxf1nJ/7UQgh4o/nxzvuY55XwHdLQjqWuFUnM5vecfyZKwq0ofGCucDfcQbSIrkhHD9z4
TZ8vDaYWVY9Foz8Rp8G0PNdbRFoFtfJbaeVBX5hG3aQXIc/T1b9U8uN3kLyqXAFIGWKO8DJV
GTKKtOiPVOp1U+9CwujyYmUSKF+suutKABhhK1ZGHsTnFczLZ2g0ma0H7PiFJ2kLfOf///07
E1fbr4IRb+cd87kpWLcjtEZ0rbBr9HlOy9dkeEii/qFoo1ahfKCDA9bNErMiOXA3dudaNNzX
lN/70slq5fboBXbepamJGrsnXYcCsS9+LtCTAgMBAAGjOTA3MCcGA1UdEQQgMB6BHGphbHRt
YW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOB
gQDBzWhkrW+ol3iyT1rV8ZBQB0+z/6dFH3djQfNf7jDXNoXx4VbopA7BAR4ihAPibv7j7Zax
myMxWiDACRGS934uvUS0K6L6q14hTWMostJgFsAEDArrmbrES03vL3EVETiGFqTB2sLp5MLc
6+z+72pLXRuDPL3lO2GOQuBbILswRzCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAw
gdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUg
VG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFp
bCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0w
MzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxU
aGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwg
RnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV
+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfAr
hVqqP3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/
p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8
MDowOKA2oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWls
Q0EuY3JsMAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxh
YmVsMi0xMzgwDQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/
TCG4+DYfqi2fNi/A9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amc
OY6MIE9lX5Xa9/eH1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggNkMIID
YAIBATB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5
KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQ
FbTSUrChYle3zBuZOXUzSTAJBgUrDgMCGgUAoIIBwzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN
AQcBMBwGCSqGSIb3DQEJBTEPFw0wNzA1MDQwNDQ3MzhaMCMGCSqGSIb3DQEJBDEWBBQwkAVB
9mU/7xtJ6sQ496SYaorfljBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3
DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYB
BAGCNxAEMXgwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcg
KFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vpbmcg
Q0ECEBW00lKwoWJXt8wbmTl1M0kwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJa
QTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhh
d3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEBW00lKwoWJXt8wbmTl1M0kwDQYJ
KoZIhvcNAQEBBQAEggEARv8l2rPzAweMtp+UqIkzGFdbbHZ5qQns4eqcBRcG/F0YCO5kPUOe
EVwS8gtme0PbGwjl9cihmGIa5XKEXJX8rzHDZn9uiWu2CSbLA2LvpKSUUTLLM1/RfcM7DGN+
DeXCWKIeRc+K/LdKDSn4hPz2sVcO061zqEKQJE9hKTAu8P6oN0SGYi8bJD8I2lCaYDA20M6C
wpmq7k1VG6qt0wmH2wBXLEoFp95pDdy5d6rUpgyFjvhEXKDg+HZUh9+I3/4J9zPTOT+gtF2G
cMDggewr71mvObuIaoKW0R88TiFrtgRxBmlNiQ1FR4jNpOqlr+5pDTOo5WHsIXv3+IgwiP0e
eQAAAAAAAA==
--------------ms030606030206000204000808--