From 684ccb064a9fec6544617fcdce199bd432599a3c Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 22 Jun 2020 07:42:52 -0700
Subject: [PATCH 01/28] Create keymanagementscenarios.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 keymanagementscenarios.md

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
new file mode 100644
index 00000000..36317839
--- /dev/null
+++ b/keymanagementscenarios.md
@@ -0,0 +1,8 @@
+Identify use cases to clarify:
+1. Where can keys be stored? What interfaces need to be supported?
+2. Any limitations ok key types/sizes supported?
+3. How will public keys (root of trust) be distributed?
+4. How will key revocation information be distributed?
+5a. What is the minimum number of keys needed to succesfully sign a container?
+5b. What is the recommended number of keys to sign a container?
+6. Any additional requirements for timestamping?

From f727c701eb7ec95b2b646b44b3ad6fe915fed5e9 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 10 Jul 2020 07:15:57 -0700
Subject: [PATCH 02/28] Update keymanagementscenarios.md

Added in initial set of uses cases documented so far in meeting notes.

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index 36317839..7cd6146b 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -1,3 +1,35 @@
+Key management for container signing can be broadly categorized into three general use cases:
+- Signing (How are keys made available when Notary v2 signatures are generated?)
+- Trust store configuration (How do runtime environments determine which keys to trust?)
+- Key setup/revocation (How do key owners create/revoke keys? How do runtime environments get this information?)
+
+Signing Use Cases:
+- Developer runs docker build and notary v2 sign on local machine. Keys are stored in key store or plain text on local machine (Need to identify keystores we want to support. Should we preclude signing with plain text keys to improve security posture?).
+- Developer runs docker build and notary v2 sign on local machine. Keys are stored in a USB Token.
+- Developer runs docker build and notary v2 sign on local machine. Keys are stored in a network HSM.
+- Developer runs docker build and notary v2 sign on local machine. Keys are stored in a Cloud Key Management Service.
+- Automated build system runs docker build and notary v2 sign on build machine.
+- Automated build system runs docker build on a build machine. Signing is done on a second machine that verifies the container meets developer's release criteria.
+
+Trust Store Configuration:
+- Developer adds/removes their root public keys to the trust store used on a runtime host. The trust store will validate images pulled from any registry.
+- Developer adds/removes root public keys for third parties they trust to their trust stores. The trust store will validate images pulled from any registry.
+- Enterprises can restrict users to add/remove their root public keys to the trust store used across a fleet of runtime hosts. The trust store will validate images pulled from any registry.
+- Enterprises can restrict users to add/remove root public keys for trusted third parties to their trust stores. The trust store will validate images pulled from any registry.
+- [TBD] Do we envision a scenario where the trust store will need to define subordinate keys in addition to the root?
+
+Key setup/revocation use cases:
+- Developer sets up a single root key and delegates additional keys from it.
+- Developer revokes/rotates chained keys. The revocation/rotation information is automatically available to run time environments.
+- Developer revokes root keys. The run time environment administrator needs to update their trust store.
+- Run time environments can automatically pull revocation lists for keys in their trust store.
+- Air gapped run time environments can periodically pull and cache revocation lists for keys in their trust store.
+
+
+In addition we also need to consider the following for cryptographic security:
+- Supported key types
+- Supported signing algorithms
+
 Identify use cases to clarify:
 1. Where can keys be stored? What interfaces need to be supported?
 2. Any limitations ok key types/sizes supported?

From aceaa7baff87927aa621bd4037715acb36857a5e Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 17 Jul 2020 07:28:29 -0700
Subject: [PATCH 03/28] Update keymanagementscenarios.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 91 +++++++++++++++++++++++++++++++--------
 1 file changed, 74 insertions(+), 17 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index 7cd6146b..6fe57ebc 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -1,30 +1,87 @@
 Key management for container signing can be broadly categorized into three general use cases:
-- Signing (How are keys made available when Notary v2 signatures are generated?)
+- Key Setup/Signing (How are keys set up? How are keys accessed by Notary v2 client when signatures are generated?)
 - Trust store configuration (How do runtime environments determine which keys to trust?)
-- Key setup/revocation (How do key owners create/revoke keys? How do runtime environments get this information?)
+- Revocation (How do key owners create/revoke keys? How do runtime environments get this information?)
+
+Personas:
+- Publisher: User who builds containers.
+- Deployer: User who deploys containers.
 
 Signing Use Cases:
-- Developer runs docker build and notary v2 sign on local machine. Keys are stored in key store or plain text on local machine (Need to identify keystores we want to support. Should we preclude signing with plain text keys to improve security posture?).
-- Developer runs docker build and notary v2 sign on local machine. Keys are stored in a USB Token.
-- Developer runs docker build and notary v2 sign on local machine. Keys are stored in a network HSM.
-- Developer runs docker build and notary v2 sign on local machine. Keys are stored in a Cloud Key Management Service.
-- Automated build system runs docker build and notary v2 sign on build machine.
-- Automated build system runs docker build on a build machine. Signing is done on a second machine that verifies the container meets developer's release criteria.
+- Local Key Store
+    - Publisher creates new root key on local machine. Keys are stored in key store or plain text on local machine (Need to identify keystores we want to support. Should we preclude signing with plain text keys to improve security posture?).
+    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
+    - Publisher shares root public key (other users can verify containers before running).
+    - Publisher creates new delegate keys on local machine that chain to root key.
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in memory.
+- USB Token Key Store
+    - Publisher creates new root key on USB token. 
+    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
+    - Publisher shares root public key (other users can verify containers before running).
+    - Publisher creates new delegate keys on USB token that chain to root key.
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in USB Token.
+- Network HSM
+    - Publisher creates new root key on Network HSM. 
+    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
+    - Publisher shares root public key (other users can verify containers before running).
+    - Publisher creates new delegate keys on Network HSM that chain to root key.
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in Network HSM.
+- Cloud Key Management Service
+    - Publisher creates new root key on Cloud Key Management Service 
+    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
+    - Publisher shares root public key (other users can verify containers before running).
+    - Publisher creates new delegate keys on Cloud Key Management Service that chain to root key.
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in Cloud Key Management Service.
+- Hybrid
+    - Publisher creates new root key on USB Token/Network HSM/Cloud Key Management Service 
+    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
+    - Publisher shares root public key (other users can verify containers before running).
+    - Publisher creates new delegate keys on local machine that chain to root key.
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with keys on local machine.
+- Signing by Build Machines
+    - Publisher creates new root, uploads root public key to registry, and shares root public key.
+    - Publisher creates new delegate keys on build machine or on USB Token/Network HSM/Cloud Key Management Service
+    - Publisher configures build scripts with location of delegate keys.
+    - Build machine runs docker build and then notary v2 sign with keys in configured location.
+- Signing by Dedicated Machines
+    - Publisher creates new root, uploads root public key to registry, and shares root public key.
+    - Publisher creates new delegate keys on build machine or on USB Token/Network HSM/Cloud Key Management Service
+    - Publisher configures signing machine with location of delegate keys.
+    - Build machine runs docker build and passes objects to be signed to signing host.
+    - Signing host generates signatures with keys in configured location.
 
 Trust Store Configuration:
-- Developer adds/removes their root public keys to the trust store used on a runtime host. The trust store will validate images pulled from any registry.
-- Developer adds/removes root public keys for third parties they trust to their trust stores. The trust store will validate images pulled from any registry.
+- Specify trusted public root keys
+    - Deployer gets root public key from publisher.
+    - Deployer adds root public key to runtime configuration.
+    - Container pulled from any registry is be validated with listed root public keys before execution.
+- Specify location of trusted public root keys
+    - [TODO]
 - Enterprises can restrict users to add/remove their root public keys to the trust store used across a fleet of runtime hosts. The trust store will validate images pulled from any registry.
 - Enterprises can restrict users to add/remove root public keys for trusted third parties to their trust stores. The trust store will validate images pulled from any registry.
 - [TBD] Do we envision a scenario where the trust store will need to define subordinate keys in addition to the root?
+- Air gapped environments
 
-Key setup/revocation use cases:
-- Developer sets up a single root key and delegates additional keys from it.
-- Developer revokes/rotates chained keys. The revocation/rotation information is automatically available to run time environments.
-- Developer revokes root keys. The run time environment administrator needs to update their trust store.
-- Run time environments can automatically pull revocation lists for keys in their trust store.
-- Air gapped run time environments can periodically pull and cache revocation lists for keys in their trust store.
-
+Key rotation/revocation use cases:
+- Root Revocation
+    - Publisher deletes revoked root public key on registry (registry can stop sharing containers with revoked key).
+    - Registry stops vending containers signed with old root key.
+    - Publisher removes revoked root public key from shared list (other users stop trusting artifacts with revoked key).
+    - Publisher creates new root key.
+    - Publisher uploads new root public key to registry (registry can verify user for container uploads). 
+    - Publisher updates shared root public key (other users can verify containers with new key before running).
+    - Publisher creates new delegate keys.
+- Delegate Key Revocation
+    - Publisher lists revoked delegate keys as untrusted. Revocation list is signed by root key.
+    - Publisher shares revocation list.
+    - Publisher creates new delegate keys from existing root.
+- Root Rotation
+    - Publisher creates new root key.
+    - Publisher uploads new root public key to registry (registry can verify user for container uploads). 
+    - Publisher updates shared root public key (other users can verify containers with new key before running).
+    - Publisher creates new delegate keys.
+- Delegate Key Rotation
+    - Publisher creates new delegate keys from existing root.
 
 In addition we also need to consider the following for cryptographic security:
 - Supported key types

From 6e997da786426c76beb638b2f03df87447a7524a Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Sun, 19 Jul 2020 14:54:01 -0700
Subject: [PATCH 04/28] Update keymanagementscenarios.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 88 +++++++++++++++++++++------------------
 1 file changed, 48 insertions(+), 40 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index 6fe57ebc..3581a791 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -4,51 +4,59 @@ Key management for container signing can be broadly categorized into three gener
 - Revocation (How do key owners create/revoke keys? How do runtime environments get this information?)
 
 Personas:
-- Publisher: User who builds containers.
+- Publisher: User who builds and signs containers.
+    - Publisher Admin: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrator) will be responsible for configuring roots, provide access to use or generate delegate keys, and make decisions for key revocation.
+    - Publisher Builder [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Builders (i.e. developers, build hosts) will be responsible for building contatiner images. 
+    - Publisher Singer [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Signers (i.e. developers, signing hosts) will be responsible for signing container images.
 - Deployer: User who deploys containers.
 
-Signing Use Cases:
+Signing use cases:
 - Local Key Store
-    - Publisher creates new root key on local machine. Keys are stored in key store or plain text on local machine (Need to identify keystores we want to support. Should we preclude signing with plain text keys to improve security posture?).
+    - Publisher creates new root key on local machine. Keys are stored in key store or plain text on local machine (Need to identify keystores we want to support. We can preclude signing with root keys to improve security posture).
     - Publisher uploads root public key to registry (registry can verify user for container uploads). 
     - Publisher shares root public key (other users can verify containers before running).
-    - Publisher creates new delegate keys on local machine that chain to root key.
+    - Publisher creates new delegate keys on local machine that chain to root key (enabling only delegate keys for signing will help protect the root key).
     - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in memory.
 - USB Token Key Store
-    - Publisher creates new root key on USB token. 
+    - Publisher creates new root key on USB token (better security posture as key is not exposed in plain text outside of token). 
     - Publisher uploads root public key to registry (registry can verify user for container uploads). 
     - Publisher shares root public key (other users can verify containers before running).
-    - Publisher creates new delegate keys on USB token that chain to root key.
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in USB Token.
+    - Publisher creates new delegate keys on USB token that chain to root key (better security posture as key is not exposed in plain text outside of token).
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in USB Token (using a PKCS 11 interface will prevent keys from being exposed in memory).
 - Network HSM
-    - Publisher creates new root key on Network HSM. 
+    - Publisher creates new root key on Network HSM (better security posture as key is not exposed in plain text outside of HSM). 
     - Publisher uploads root public key to registry (registry can verify user for container uploads). 
     - Publisher shares root public key (other users can verify containers before running).
-    - Publisher creates new delegate keys on Network HSM that chain to root key.
+    - Publisher creates new delegate keys on Network HSM that chain to root key (better security posture as key is not exposed in plain text outside of HSM).
     - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in Network HSM.
-- Cloud Key Management Service
-    - Publisher creates new root key on Cloud Key Management Service 
+- Cloud Key Management Service (KMS)
+    - Publisher creates new root key on Cloud KMS (better security posture as key is not exposed in plain text outside of Cloud KMS).
     - Publisher uploads root public key to registry (registry can verify user for container uploads). 
     - Publisher shares root public key (other users can verify containers before running).
-    - Publisher creates new delegate keys on Cloud Key Management Service that chain to root key.
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in Cloud Key Management Service.
+    - Publisher creates new delegate keys on Cloud KMS that chain to root key (better security posture as key is not exposed in plain text outside of Cloud KMS).
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in Cloud KMS.
 - Hybrid
-    - Publisher creates new root key on USB Token/Network HSM/Cloud Key Management Service 
-    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
-    - Publisher shares root public key (other users can verify containers before running).
-    - Publisher creates new delegate keys on local machine that chain to root key.
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with keys on local machine.
+    - Publisher Admin creates new root key on USB Token/Network HSM/Cloud Key Management Service (better security posture as key is never exposed in plain text outside of token).
+    - Publisher Admin uploads root public key to registry (registry can verify user for container uploads). 
+    - Publisher Admin shares root public key (other users can verify containers before running).
+    - Publisher Admin provides access to Publisher Signer to create or retrieve delegate keys (admins can focus on delegating access, signers can use a portal or APIs to register keys and sign without having to repeatedly engage the admin).
+    - Publisher Signer creates new delegate keys on local machine that chain to root key (the root key is not exposed to the signer).
+    - Publisher Signer runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with keys on local machine.
 - Signing by Build Machines
-    - Publisher creates new root, uploads root public key to registry, and shares root public key.
-    - Publisher creates new delegate keys on build machine or on USB Token/Network HSM/Cloud Key Management Service
-    - Publisher configures build scripts with location of delegate keys.
-    - Build machine runs docker build and then notary v2 sign with keys in configured location.
+    - Publisher Admin creates new root, uploads root public key to registry, and shares root public key (similar justification to earlier scenarios).
+    - Publisher Admin delegates access for build machine (Publisher Builder and Signer in this context) to create new delegate keys to be used on build machine. The delegate key can be stored on the build machine, USB Token, Network HSM, or Cloud Key Management Service (similar justification to earlier scenarios).
+    - Publisher Admin configures build scripts with credentials and if needed location of delegate keys.
+    - Build machine runs docker build and then notary v2 sign with keys from configured location.
 - Signing by Dedicated Machines
-    - Publisher creates new root, uploads root public key to registry, and shares root public key.
-    - Publisher creates new delegate keys on build machine or on USB Token/Network HSM/Cloud Key Management Service
-    - Publisher configures signing machine with location of delegate keys.
-    - Build machine runs docker build and passes objects to be signed to signing host.
+    - Publisher Admin creates new root, uploads root public key to registry, and shares root public key (similar justification to earlier scenarios).
+    - Publisher Admin delegates access for signing machine (Publisher Signer in this context) to create new delegate keys to be used on build machine. The delegate key can be stored on the build machine, USB Token, Network HSM, or Cloud Key Management Service (similar justification to earlier scenarios).
+    - Publisher Admin configures signing machine with credentials and if needed location of delegate keys.
+    - Build machine (Publisher Builder only in this context) runs docker build and passes objects to be signed to signing host (the build machine does not have access to signing keys. This prevents signing keys from being exposed through potential vulnerabilities in build logic).
     - Signing host generates signatures with keys in configured location.
+- Signing in Air Gapped Environments with Shared Root 
+    - Publisher Admin creates new root, uploads root public key to registry, and shares root public key (similar justification to earlier scenarios).
+    - Publisher Admin creates new subordinate key in air gapped environment on a host, USB Token, Network HSM, or Cloud Key Management Service chaining to root (one time operation enables the root to be used by runtime environments outside of the air gapped environment to validate signatures generated inside the environment).
+    - Publisher Admin configures credentials for Publisher Signers in air gapped environment to use sub-ordinate key for delegate keys instead of root key (users in air gapped environment do not need to get keys from outside of the environment). 
 
 Trust Store Configuration:
 - Specify trusted public root keys
@@ -59,29 +67,29 @@ Trust Store Configuration:
     - [TODO]
 - Enterprises can restrict users to add/remove their root public keys to the trust store used across a fleet of runtime hosts. The trust store will validate images pulled from any registry.
 - Enterprises can restrict users to add/remove root public keys for trusted third parties to their trust stores. The trust store will validate images pulled from any registry.
-- [TBD] Do we envision a scenario where the trust store will need to define subordinate keys in addition to the root?
+- Trust store also includes subordinate keys
 - Air gapped environments
 
 Key rotation/revocation use cases:
-- Root Revocation
+- Root Revocation (compromised root should not be needed in process to designate itself as revoked, otherwise attacker can use compromised root for a key rotation locking out publisher)
     - Publisher deletes revoked root public key on registry (registry can stop sharing containers with revoked key).
-    - Registry stops vending containers signed with old root key.
-    - Publisher removes revoked root public key from shared list (other users stop trusting artifacts with revoked key).
-    - Publisher creates new root key.
+    - [TODO: Discuss if we want this] Registry stops vending containers signed with old root key (will prevent revoked artifacts from being used by developers not checking signature).
+    - Publisher removes revoked root public key from shared list (other users stop trusting artifacts with revoked key, provides defense in depth as they are not relying on registry).
+    - Publisher creates new root key following any scenario listed earlier in Signing use cases (starting from scratch as old key can no longer be trusted).
     - Publisher uploads new root public key to registry (registry can verify user for container uploads). 
     - Publisher updates shared root public key (other users can verify containers with new key before running).
-    - Publisher creates new delegate keys.
-- Delegate Key Revocation
-    - Publisher lists revoked delegate keys as untrusted. Revocation list is signed by root key.
-    - Publisher shares revocation list.
-    - Publisher creates new delegate keys from existing root.
-- Root Rotation
-    - Publisher creates new root key.
+    - Publisher creates new delegate keys following any scenario listed earlier in Signing use cases.
+- Delegate Key Revocation (root can be used here for designating delegate keys as revoked as it has not been compromised)
+    - Publisher lists revoked delegate keys as untrusted. Revocation list is signed by root key (Design discussion on whether we use CRLs or some other approach to sharing information on revoked keys).
+    - Publisher shares revocation list (deployer needs to know which keys used prior for generating signatures are no longer trusted).
+    - Publisher creates new delegate keys from existing root following any scenario listed earlier in Signing use cases.
+- Root Rotation (periodic rotation of root will limit blast radius, this process should not revoke existing root as it has not been compromised)
+    - Publisher creates new root key following any scenario listed earlier in Signing use cases.
     - Publisher uploads new root public key to registry (registry can verify user for container uploads). 
     - Publisher updates shared root public key (other users can verify containers with new key before running).
-    - Publisher creates new delegate keys.
+    - Publisher creates new delegate keys from new root following any scenario listed earlier in Signing use cases.
 - Delegate Key Rotation
-    - Publisher creates new delegate keys from existing root.
+    - Publisher creates new delegate keys from existing root following any scenario listed earlier in Signing use cases.
 
 In addition we also need to consider the following for cryptographic security:
 - Supported key types

From 25ea16446ef5e7d56a5cfeb20c8765f0105b4938 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 20 Jul 2020 09:47:45 -0700
Subject: [PATCH 05/28] Update keymanagementscenarios.md

Co-authored-by: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index 3581a791..a28623f7 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -6,7 +6,7 @@ Key management for container signing can be broadly categorized into three gener
 Personas:
 - Publisher: User who builds and signs containers.
     - Publisher Admin: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrator) will be responsible for configuring roots, provide access to use or generate delegate keys, and make decisions for key revocation.
-    - Publisher Builder [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Builders (i.e. developers, build hosts) will be responsible for building contatiner images. 
+    - Publisher Builder [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Builders (i.e. developers, build hosts) will be responsible for building container images. 
     - Publisher Singer [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Signers (i.e. developers, signing hosts) will be responsible for signing container images.
 - Deployer: User who deploys containers.
 

From 3ab610e518a0da46d70ce33579a8b4cbced47730 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 20 Jul 2020 09:47:53 -0700
Subject: [PATCH 06/28] Update keymanagementscenarios.md

Co-authored-by: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index a28623f7..73adb4b4 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -7,7 +7,7 @@ Personas:
 - Publisher: User who builds and signs containers.
     - Publisher Admin: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrator) will be responsible for configuring roots, provide access to use or generate delegate keys, and make decisions for key revocation.
     - Publisher Builder [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Builders (i.e. developers, build hosts) will be responsible for building container images. 
-    - Publisher Singer [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Signers (i.e. developers, signing hosts) will be responsible for signing container images.
+    - Publisher Signer [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Signers (i.e. developers, signing hosts) will be responsible for signing container images.
 - Deployer: User who deploys containers.
 
 Signing use cases:

From 053c97f31d3869da358babcbb9a70eb50a84c13c Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 25 Sep 2020 08:15:29 -0700
Subject: [PATCH 07/28] Architecture Diagrams

Diagrams to highlight new components based on preliminary discussions.

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 ...v2-keymgmt-architecture-provisionkeys-v1.png | Bin 0 -> 26110 bytes
 ...mgmt-architecture-provisiontruststore-v1.png | Bin 0 -> 21581 bytes
 media/nv2-keymgmt-architecture-pull-v1.png      | Bin 0 -> 15535 bytes
 .../nv2-keymgmt-architecture-revokekeys-v1.png  | Bin 0 -> 26344 bytes
 media/nv2-keymgmt-architecture-sign-v1.png      | Bin 0 -> 22871 bytes
 5 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 media/nv2-keymgmt-architecture-provisionkeys-v1.png
 create mode 100644 media/nv2-keymgmt-architecture-provisiontruststore-v1.png
 create mode 100644 media/nv2-keymgmt-architecture-pull-v1.png
 create mode 100644 media/nv2-keymgmt-architecture-revokekeys-v1.png
 create mode 100644 media/nv2-keymgmt-architecture-sign-v1.png

diff --git a/media/nv2-keymgmt-architecture-provisionkeys-v1.png b/media/nv2-keymgmt-architecture-provisionkeys-v1.png
new file mode 100644
index 0000000000000000000000000000000000000000..f9028a81d29cd4a5dad2641a9186853b6bba6b85
GIT binary patch
literal 26110
zcmZ_02Rzk({6BgeBcqh9k`-Ac$2_ufaBz%cuk3?kJLfn!WLC;bMI|Mor72WY#*tMi
zqY@&HQIxDAMBLZW_xt_*?*D)9<54<3=QG~pHJ{Jtr*s=@(=FUPxDg1%7IQOWI|PDd
z7XDgta=;PwYts`51XmK(#DyA03kVAJN64xf{rx1XsuCCxNtIPImQ_{tqxi%GMJN*@
zC?sW{FrT=HaQGYsU%**m5q?1dLH>S!&s0@WRoSPay-!uc0i`ahW~jmZp`xygQq^?(
zd%h3RKm4EDT1CVKg@*dbs$w;iRp3_gRz8HFaB4(kpsX4Oem4)N`iH{5a2S5#?cs+D
z{6(oKqcr}WL5YUjYiTR1D8O-3e?mwE+>Ch!{6WDXY!JmiAc6)5nJ4`nK(s$4GAJVa
z?|4zF%IeDKzhC%MeTaXLQiBM#S~MRg8x@L?gO!g}q>nS)jX7ItEXn_$HSv!QBKR|p
zs+qv5`33n9DL$|!Dnb7&MMOkw6wWUyDgdh;poVwaM{<lK{XJdFi9{u6TB(}YsKafs
zQ6!A3Aq{O~9HkMf5*Mu+8LJWQr=cAi6hw42c67CJv^4Px*Ve|l8OE3!hlE*&gb=jj
zV%=1+WNocDEiE5Q#~4DC4<*iyU=b;+ig8pkA!9?_u+esIQFer2=NMmAOJB2Sb-NIY
zSSO-usIz?-9%mjK?qh@rP<OHS!IGV#49zusR850%MkeY$F;rudFrNsL5y}mRv5yQ>
zSM!g>;QX~+t!N=c2TKzRS50dR7&d`m?;Pr9r$%v8Lt~<_>SSkE(@-+a&DPJ!)hOCL
zG}tOg)7-@($_}kbFp0DvyJ$vRn;AJ7`Kv@kJNd#5Z2VOzlt3p_$H-uHKP?N2v588I
zMU;cTh9$+#DNNHj#NNm%L^U)r*iFmL-!;P3+0>SX)pDcwhN7dKeQ_=^CQ*jWaj5v>
z%r(dkf!0Q`R2tqC8x02?tsO~z#v}q--N??)(g|;mCSt>3G0d$f4sKDg*0!4JA;HEt
z6DQYj2g@)t5wC&{cclbGMEGGtVRB%7m?%Gre=I4~NX6GL)I8P#Z(@g1w~4m43WVF+
z8#()6{UZoYVS%Ous|ed@7p)*Xn(U+&Xp0ZDhzJTZ(xwFZYdcXw?c5yIsRT6*S0{{x
zGu+igEyyM$G|Jvp-3=ETMK!`1`G#U0EwsW+Z8Ur|128turdAY8gtbkOqdGRw*~-WW
z??8ml8opMPP@08<t#w$487VH>oMz+eVu}h<51<C4qm2x0;~emgPJy;@mcGG`=5f|`
zZid!wrt0BgX1<YH0a2P!PN)E?ma7)g(lOk|2j%AwWrm00;Ls>45fh-L6$ihVQNqwD
z-`Gf_0GhFNfQ6Q$kF}|aYILMM)zCRC%--LU=nxua=|(ZZkwRR;1EL&>hE@bMzffuj
zHp0x>Jcg?6<c70><)IM$HDNws7~^Psq+vACSdB=GMwytxGid5q-xxz}npvQ^t&>%t
znO|I3kb|mAKrn@>s%eH*$4A?#;G^v|Vy&GBZl>l$J1exmKU$0A62;sWYkPlx(*Obv
zTp1G(>}wfrP4mO3*=tzDxoH^2V2nb2C}D1>2uqtF44xRK9pgu&`G*FAmtw8(HrPO8
zV;@zlk$qT@d5ndXrk{OmOthi3VN4v+!8Za=^AB<Hv5vq}BTa(?Lye-f;Th4k@WaI=
zBHYXpEQ1#2j|m72kJW<v8Dgz$wW5f4D<U>nElvyk0M=Yf-JTL|8wJ-8QB;D8D?}qq
zRIr*E79tE*)lkJzix#5pV{C4SiE;J`h$1)!`560C16>JG#zEF3p9qw-eYBMu$=<}m
z3T;D%Ya;vuBeZEgZZYtg9A>Q^9urO`!_6>SVfL69Kif#xV0Du~2MZ%`e5`*AElkBH
zz|K-L*aoW|7#D@Np@wPMVJKDshS8=*a21&n6sO|rgmQG#v_*xxl0z&loZv!|v9%o@
z8xAKp+ERijQBfqvP!ud0Ccu^CNY$_=hnV=2BPf9}<RFqM8K+@OwRfc1hhgKQNtSrk
zAe4_5))(cY9ZAL6I@&lAgTjohO?=51yarXn-&b438Dos|v5FwtGG{@x^9!^h#}d??
zTsPL%M#CsFfD&P0;}hZ^=i-2OQwb#E49(EdQNdVel5JoV1%r*!)>hL}2VZBpr8O8B
zhN_Kr^2Y~6L`G<YL^wcv$Hd?wY#i{$I6Fg<mM_s6Yv^MVZtkG1?PREGj}P?sGY!ET
z8AjkV2$uHLXgfoceRQOzp>_n`!ItPpHMLR;cT%NjlWlCRj5Vw^)T}JfrZ#pI6@RLw
zhEcQ?(a0L@;^t_l>Z~0TZicrDH-qTtYJ|3+YG7za7XG0$OJ74<tiOY1fUTdcmMe4Z
z{Bg!w)^;wjFlSdBPSYvK*4l_@qa8}Ij4|=2#hF+{h4~p<1)|l=tnqOaOLQ<b$X6xA
zmKu$vqE#ZyOafekw9(N)c39^y&7d%CYgcu9A~`PB)geS9h`E<IYl13KMTJOGHHvh=
zqcoYe<{xfs;}@i%5@>^svk4$*S<+11aM97=+gNLjU?Wotl&z7QEjA(qt&YN4*<n?!
zeAEpI(NsqoQJtzm^fh!eHZ=*b3AfQig_)~F;bI9U#0X7IwK(%ojEy}(RXx&%8l$ak
z78e(bv0=_kEdb@O6=SP{GjhVk1{v8n8ilyT#gGXE4EP8p+KOtU7C|&4*acWdyK4D5
z1)v;pG0XrFN(eU8BAF6=EdrT~g{1|e%)%+e01U?0iD2Ut?W1i*wbu5-SeS)5sD@c!
ztZaN^g8kHjLyVnGje=YPRE$U(Xk1`;pp_5PENsKoq8wt?T}iHRFRX<%4TDm1CfY}u
zTas1njABewgJSRjt`@G8Xg_R>sgWhc-jtbnF<45BFA**w+hOCv>>}J;RHLK)sj>D>
zero>CR#w_!WEHZizfp7qRn6X6mBL(MOFw^S_<;2dFo&Nenvpg*4XS@&6v<!BCE7KR
z=BLK|7Uyh6andr^CTqYiL^QKvP=igw{#zw%lnn6uKed*c$=)y7E(nAq!ra)<fmZPS
za)_nF;?wmc^IVU`Y0s3}%1TeGl6;Y$M{=(W`|%547^k-xWo<uc>YK)4ceVIrMxLK@
zhXnh3H=)Cl86Q^O$GP2gD}LWQ^#Nyl>#3oFNR;3!`DkNrzir#S3sPp**$?j{q82CJ
z)PBb2c$I{F2>alBuS2)KzwzKUHbdi+w|^<l4aFT5_uuEAAs=_tvn~_E#-6*v#(6}N
zKlS->%!8{lp3m|Z^1V&-rEviXH{wN(b8_>e4YwH!ZX2^g$~|Z2Dv;!qevWRt#Abbr
zXX6{Te1!;pG@r5=gUxUo-}B2g<_zO%$rJ&29s>VkPl~|s5jN{>Y<vMVFaPHv(K*@w
zxya|aL~JfSon(lV<2=I2y7o%vA`<^ruJ}qZ;`+Yp@?i?8gI7e>^?vrs%=RALxR-Rw
z3!NRv{ekia?>y-qk3AGBJh3J2^;(=JmoA4C^U=rBwsrqL#P)n2>5~CfC0o>^eP&$5
zz#>EEiPnW3(lIG%X$P4PJDpDA9#}rXf_T3pq<ra>@2Sa-<v3o=)ry9Dv+2Fb%x6gn
z4D(k<?kRVQRI2z^iTs$@xPRx^Gfv~q({!#Qk{B7g%bm!RH47YiISVgy9?!ZF_U+Zo
z9E(5n=AL}GA~r|g+&yM6HCB0&@73|YL#Mnvw7B&$jTe^RU4L=az5e6FeVRPDLpbvh
z6!*sR8jtZ;cP4)F4&IjM|AB~;8SoB1=wl=Wk8iT;_LOzK`N2ggyngA`NT8R#wAseG
zOG%%o;n~66G}`e@1)o*Jj)EmA-=}L{bnNwSOTQ09-(NkI4cV$Plew~C<L!L$_sTV2
zIiKd_*x13e7g8i2`3se_)Zoa>H%I&uRCDIdOGC@3+Cv=nM|)G+KRtM??bVUq;=dbn
z?C&JH&M$s1BWAV=mxPX|>E6-jG5;-7l>0<bUC^v)#$9Np!&v25&EFL=zW)vGI$}4q
z&#d=J+<<`aCHBht!jrKgU((x-DgGL{F=FPfD4q4sa(+aL+^)U6J0RuAaisaN>C9KZ
zaA1@NnuN53j_$htq>I4vcgV(v7?@{|C5L1Za%jq6u{p#3b=wlzIJ+mFKTzeb{_)oe
z%pS5&TRndH+b=K3v9>EX{G7uRovjMH&u;l7bwo04+ZiRKh~K5Vc;OBcQROfD1yfp;
zWk}2~Y%x2lRn`toxK7Vx1!FE%J*b;qKX`kXD|W-Kk1=nn>t}hP!@U$Ka%~!~@s!+@
z=9f_6mlRo7xI6s^*JsRzDW3`C8F=!_J*~PDw$2|TI29(J-yG0T!}Ig>H9SQ}R_Xe7
zNBzG~On*%8v+W@dwYMQ|^-g9*jZj9@_`pp^EW_Fb9&>hSITp2Y{5|!I5u=^2YFgp|
zN;O89;(z$MjDKn5%ex(Cjr&r!q=M_pNXwnw@{c8LtB!2i_qz0p^$49BvGDf1-Py-y
zODbyLnsgqi>9Y-9$(H@ce)8z!@p`7;^#+5(g|1G44ZL!D6<-*0^p@dkzm{yAPAlK5
z6aN@6SHUj-oY>c3;uj7l-d}R9(BBRZE>-(53_g~5{dO%*Iz0O9$65m4Kjx({o8LW%
ziLS6IiIvv;yM$>2$QZ57doN(NzwrGVN77y>M8xDipeeR@PZnmVTvsfP|7U3Pv*)jJ
zc2x~tS+r<(I45qfVJahtq>>242uUsC`h#MdFA+vdtQ%8qnUni1`~@pQNn25DuYAh)
z>aWE%x`YZBb!q9mYI^CBwHsT{R(KbG<2E(bh`CW|KF3x+4dTFAD^98`+%BttP>^3I
zG`w|V!9|;WD<xfvzS}pc$py{be0BNu+jCnto`r>H1(<rg%Ww-7K4orQs;C#eF}o(o
zHSEy$(v^Wh%+s#?W{>?*w{gyU{@$!9H~AA+->ye3Zh29u<~}eM2wj3&LYcYsHs@78
zZ^XbfRKek#4m|^rr%4k{=^g>NzW({r_O4&xa)<9KR`u>xR={yBZ<u(KXbay})8h8;
zSH9d6a3kB7x2dQ}|1*m1?fi?_J5L-{U-IxB+E_HdJ#uoJvQXw-!H=rr7J@rh-tU}W
zI(2V7WqLZiY|@saqBnIT=Bf4d_4Pgs68OEc(ls=6s<2Re?DOXo)baB2@+*sXmbY$c
zzpNwDqPAr}Sf~R=o;fql{Fm+R*r1?Wey&DFtfB<k?|B6TV`Zk^6o=zRXCJk`+4yt3
zg9X8Rf>kGG`WWsyvg2oOHF<YSON))29kNB#LDA9dOuWoojOunp@r(hj(~xMo;GQjC
z-dsYV(P<40h7TV-^69Jax4F}eNZzznJQ;O-%T7%OjK!szB=z>)JCue-DxozyWfbk;
z?0mJnoKNu_x2&wJis)vzM1KGNRtDqB>!D7)3LcdYng8>I=pa^NR`HD+9Eb-|lTNRT
z47}XeyRMpgXASpN5<7z*$tx)E8R#Ugq8${45Rw`ij$Muu|N9nvAL*MoI8;<r5Jwx5
zv$8g$kR5GpjV&j4HZQccw9rM3EG&4?*+w27mzVk;h4j#S=kMr!U}MI9h|G3#HXCNn
z-RQA%>AFQ8U9@p&2^~E>kPg3O6g{e{I*K};p3ddx?_d1%soU!J+2KZ)2i`2ny#h3F
z&S`r)^^N6E9kymHPJd!0Y!0a0&iv3yu8#e=2jSgzexJ+3Kt9Bk+qb#h?g`ib`L#1t
zbEm4Rs*S6*-c*pA+m388ZT{{VeomQL`iA++XMO)3diLBo^YaVy^RUR3#17x!VD7fO
z{hJ7z#adIwV+U#viy%6CdQQB5@9=VIZfz|Q@h)sU3)PGr{`V$L@_TZ*IF7PJKl7*<
z7$#l0bBCv+P_Oa*`?F(}&Sjnr!zAOM>VJ;2iHmLwAH#Q=&bpD@4ds#iH17>_<utkC
zmy-ABtPkW|-5W0FSU2LyW;IpSk+&S;cjRpu_r5s2hK#3s6Y`U7Q!LBIy-d_lsFYke
z{PW;P@aG8X`2G9J2>L~h5ZDS+(@nHOQv!it(+U=POFHg`k`)82Se&S5k5RW~Mgtp_
zGS6BhVKa<BH#avhH1t?^aC3iEM1!c2y}bZ}@oTF8fy)sATtY%E)IkOECJeQ!;dqnj
zz=DnVX!x<e|4d;aZ}#Ye_+<(zZhCUk$kS6Co@#B)J3Umt6;YkEu76(HBO_tumz0Kv
zkgKb!cNX(Q{rZ{??91%xa^zmu3briNwd>c5VciZ~=B;1*t%P8#F8}NdRA<DBPky+^
zv=YRX`}cXbZ{H3_l$`F;XX@9p!BtDUgH>9Z`aVq$)+*hvqI||(c=M&yT}hU6!2Z47
z%48oiXqS|bH`el)sD#9(j-N}jja$j1EnD`wJ><OObnp55_ks`I_E9Jl(!w{#(7p=x
zER@S$;el#0YZfX{eTSGqqL}l2cNW5Ck^P=cv$HDT?mx!3E?&F{(dw?#9hcO>t}d1q
zQC=~0vP9A<-;R?U#P))eHvz02KTGf5$3{k~!Mz{&G;+AybNW75yHmGgbg=d?ZTW|+
zD8Z#FeAkYhJIhJK7(YKh<Iiy~6-W`bF%a71Cm??{8;>$KIgOLN{KH?R#ru&Pi)F`+
z$Np`?4<9~EMsZy2;zV4ycoCvYHEH;WJW0wf<~~N`BfUsB_6WF<O3Q42L_JHg{OrC%
zkIjx9hWQof#`43CKaUwo*n|)j6{UZC6vEuVgKnvwuC83?aI)42f{G{@kC&HMQ(2xn
zvMjg^Q=#7%_I_$w%<av+jI<W>jpBFY#hKl(LCS3%mvzQ9JtjoF;!}2Ng(r`q$)66g
z7v|-i0QY|?7U}DYgs{Xw^Jbw+9TcmOUeBWM^+!%lOr$l*=4=Z~*=d^f;&#W6?NNs@
z(}B9*kc;!Fx0<{Z!W2%<7v+|a*7~E@rXT9+pWoEDFxk@}DsUn;-*S%_nso54aMJRR
z>%Grvo;=yk%E~ImQ&UqTcHpx0z?#?kZxLnBnzT%j{TT|TyLdP8?m95$#DHNyfE$V3
zvUTg|hkJ(}^o2@!@FZPW=1srG#(MIpo)l4in({hr*Vm!bbb*^PIrKKSS2Fcu30%c@
zuUqDHICCArUHhEkxn6NzwVdq;Y;Y?X9lxY<*GVZOBg4kVCK;l(N{fxHEz6}hdv0(~
zeg977t8Vt?Gx%xBc=P5BEJ0QHrz3r#SO`P&aeDgetC82PU89FrU9GQ|2nq_iV34Gr
z{MF&QZbxHyRi=S57zRpH^Z1V+l(|YXwV%8A6;edh1*;Q?%K}k{pC3{eS8&f3Dc}8P
zCqHfEtTBIe)y%XtXUctiTjMj`vnxXKt=YSB{WuQKGFT9d?|qdyir+pxi(y5C57sE~
zp%K?^-ps5J{@5C(xl@!d@%1aqtTh8dfc)OQf{V`ryQH&Dooe(`HN59^bQDbzlZ!6U
ziJO<V+#^6M6uGma74}gkyyK^C;_t6Flj~ztUf1kD!(aXLlvcF*Y-zthVac4?@Q=Zh
zy=T^}u5{ZE-))yh%5_f8=(6oTGwmE?am!^@YR6Ws;rxSTNu`Tzuqn-%BFb&1rlwt8
zT`9%IQbjAX#9hSK0hMjlv$t+3P@|&KyXL|7Ab}zf(a(16-o1O|DQx=0#Kg7}S4>!+
zu!#r0$<W$ixkYByyGQOh50|bgn_|3l4O`rwuZbp`p0KrNtNL{lQ{Q`rmAgI|&f5|m
zvU@i)c(cqdBrQ<tCRC)yp%4r{`G{qvtl@n!#8~n(JU^PtP}7XD#uq9lcSLefs*0Y<
zte5JqlJT}$T)Jrs>9ZK*;;DlYPW*NMKI=N?KvCep(DGYz2A4eB^@AJVe+bkaI7XaE
zR1lEma+jZOp&V|r!y>o(B&0xo7#?msLHqf|YF2Ki6wGiI3W>Ia9f^i;rOR|`cvXLM
zklMM7#^L0~Vb1<FGsY|9bR^Mq=*?YWv-eiWt-gPtK9JnE&q}q9^5^#gZRJ<kgxq?>
zkvEt7`};FjSL5eu)OT$8^}UZ3p&XmYD*Jv)&k%WPbKS9`oE+)pogV_#<@fCqTF<ty
zu&}kUVJwJNMGUpvJ5)6wF%)$8k=w3W^pJNEi;r%l4b%iU98TrHfp1aIN=l^9o_kVO
z*A7)nx_}%qj-yoMsjBU5dg@5{7fpWJg%1*9Vr;GCrKQnRC|%vn&pu_}xUq*Mb|S3*
zaq2ja<kG;CJI-ZT$QGV;@#(|EJ_Xv599gJUI6X(VzG2(9Uxkt>ZAY<J8*UaQW<b^z
z-ONGO+-vw$Pfw3FKXIlfA#|{2J4D>_{*HpGtyo5bKI_-7UwfZMDM2MS_v5pLx~3-N
zLjgH!+NbtB`Y8zm@p58vnmA5`_CVII=^Q=gdoRm5+-Lr<p6>4SO0k61xmGlZfvBjg
zB>$cd>J8P5|M5}|iYYS-3nMG5lhvPU4=+BTezlv`J(bEMG6FSEc;tB8t4SS!!f{(q
zPi5EWiB2hX4GkY(U(D;DlO*&5LMtz1kO}I6?;juW6eaxHj_~fj?a0guPENwK!d3{r
z!z8p!zl1i0t^aXYV}_6t{iiM^G7^{{gm;{3+Bqd>%snT<!nf|Fm7(=)s7g+J{>_@M
zG)s!1ybV-`JDuMvaHIPB*RKt*2M<DeAorKmuVvKK=)y|hy}K6{&Ao<ZTR;whf&?A)
zP4ID8|M9H`tJ^|8+&vRo=5(h#{L=wc64ljpyBO~#tf^^ncd(CYJ^~RjSd-#(#{_Jm
zv*Tb~+|#AK+<QHq3R>hTFVJdIQdk6qgqY>&ix)2tt>hOS9U^j?d~DOJn|r6C&z?Vj
zWIPr^8-vks)aS{5V?U{sO;~p>-TnKwrlzKP_CTS_LD&o<Xn?}SIJU?jN&F_h2o7!8
zvITL23FX{1gtVy{F_?AstYF^2lffUq+x=h>pmZ=WkbrZA$5l8a^GB=e>cqubhX<ZS
z_LdV)RBxHR&;8?dzFO(syMi4(u`5&k%z6^yXMsVI=Z{98pI_cU0w^sjYkhT2sX?@H
zZnU+L@+YN9h<0V`o&Cel1eT!A5G7Q{FRMO|7|MplM<Tv-6rIBBFSEr=4>bJv+{Vn*
zHMBWoY;0`jSL(#KZ_n?0JcBa!2s;ny&+n+0zn;%ujH?xA?zJeP^wurDNIZ{y6n7+L
z{a1g4p#jrE<&~6<LXq|21!v;gG7+{3s`yyl!k2y+TU$O+0?cGndx179*p!0<8{;zl
za#6}|(`?AA?oX-acfa!gn(SEEI-kfloC5VES$4LdK<utp{ov#Q=wnL8<mBW`wsYTg
zf5H!S6D#8V`}YjUo1)vd^LZghM@MtM8AZe<5LNZ{v%h@{o-<`5Y}VG+R=M;hCl3#g
zXXYgGGq7$P+q777$RoGBydEe4WtWp7bt#5}z08#*{oz5({+c=jF3vgcv+$@+CxsQU
zQ5{kFNIpJNo;9=-aA#)OocxeGq36B_lx&b$5R8i2NP%}1{%sF@o4Ly{TYhc7(8tj(
z+Gr|~aEuxAks|yNh<6&!&*O)u+3t4-%XYkE78NZm*!r^iwy0Cj+b&3^Y{I#7)s&WU
z-nw;5xlKZsmTYu_m*qlY@2Oon9Nq^W6+Nq|g1rGN;@9msirV9}y<M=ns-~_TEynxO
zy~XK{&`|u(E$HmV8&;QO_Dd9wlfS-|C4cgG7H!UUzh|<!LwK)CGOUb9icXI)B+X40
z=lAjnNTG{P%>LkMUDz~Y!H7FLIP+5M`6r%Fm+7gSou2Cnv&Bz+)R>!bxYM1Hq@%{J
zyt;+uKC+(jIb*4B`qQ&=?*^nuF?VZ`0x7A8#ryY6%)1*_6Vub!n3yWR>9B}aB}GMy
zxp{i^G{juG=+VYuk`k$yL#cOC;@j`0dGyzV>|*;;4qLG7XwSKZ=ME0gN=jEsadvjj
z)Q-Nauy=106#EFXRE+}%xLZWOO-?osR6#4^;o$+#0G|SHX#unT`0?Wa_rM`fFXCp7
zqcRIc^xKYi9zdFZ*=BmrDboOr@Sghkh#zJxO5<OG@0z06Qr6d2X1ueC@7=RnwY=JO
znyz<6YvRmZJQg76-pJp-`C;cJ4p7a`o|j}mwK-6qB*E+<LP8pu?Z;2u!McQ<r|Fkh
z5(R~YOKNJ|1#frWSy}tD63#w7qlT!CU=^8-u7NaC{z?onA6M(rHfGI$0>AY3ZT_D1
z>1Q*Y0|Va|7mBzRFk7?xygIN>3Fn8Tv(MAn3x*<wl>si0zQ`k%rj~LlI~#M|&S&^}
zDwHt|6BF{*1!yS9Vd*!~HAcYq^?&^M;a%=B%V=PQ5>!ktPB3O>P{>PMKtRBE<xzL=
zxv}<z^F2NJkoO>Pjg60wg3BOogmAnMe$=~1z9wFOb=D~Gk=y+I{FUq1O};;5J+_B*
zq7jluYWE#yLSP_gTy5d)&IA=`IJ`|=n~bNqPGXO)FBh$+G<Y98d{~E9Tvt9l_%gfl
z!v!QAE@>c(LDi_gJSI@C`7)3G4!U_&Rq5=Hfx*Gdb_C3mSd?(QtIPJT+ap~3o+Ggw
zh#BPK#$rLdfDTVL;kO`!65m$q807lU`X4Xoo*DwxODZev-K~v9Y7O_-ZC&MyeaOyh
z*+Ed&9WUP&r6b^s+?4#~O8{gfbH~EUE5}e*kzrwBHn$u`o`RJ(K-b5_6u|j2+O$G@
zCAnz<)9!c(78EEb$`w5)q}*Lx(qN-sihh7rDD84Iw0V#jTx6#$7+`MU?8@`P;o;%J
z_0CY>Ld9WSq`&L&q(lTVCXpppAhudZ`;FKp{iL;c2PdbDqKKh74>7wv)PS*Ah~eou
zBF0anr`+P9pmZtsP3@oR4%UGFu!-<_d_42(p0>8O=Fga$rnxT#=hYZijKOSYh>rK1
zloHQhyr_6%oT|lJQ(x~@u=U6&+I&HW&m-Vf*QFP`_mS`hbU>UlE@c><j|oT!c%L}N
zN|q;i|IS+lgl2B+rNErY*cPZwOizgqFaI1@E?W5YD<jtus^3h#5aO5i1+B8OPvNG{
z&LRhNbeefh)Sg653d2Vf3dMqumzO_iVv^c1GrSd6#5gI*V9%aCD%#pykK9fI@I!Mq
z=wj!su1g+BA6QmP;;fqWs*Ov1{8%%uezB*_D>KP-?K>ghr+|vbBRyT+?-jbeM7l^}
z_9jaMD0{kQ@<$5|l6Wt@`BG63S8RGJ-{44Xx~?5kD_iu8W07oo>6dixt8+35{EGcb
zdehDq8o~g357ekS{#l2GtT^j(6F?rogjN=3OwG-?(AklPc5UBmVq#*3$G1Ykd8Vjn
z>q+cr)JUccTcK-_LXb{Ycgf0$@ZUPSmSf1fe;i~NpZIM|<NBQV^3S4ZrtDXT9Mfg(
zOkI9vM@Y#xeDi7b3o->e3V1Yd4tnB4pK87i|CTaCI!i(nSQ<Vd@gVkR0JHF!nws+I
zUxezt?)NvPyN9Zv9}_#6lvLldz*@VOV*NuR@^jkCXY-pmHUkdd7l-7z+&wXT=yNK1
zrfP+<<1r^~Fnrb9q7EO}lvFY&Q#&ppzJ~o&_;{<S`gFz6>0e(q0aGFkaJC2A^q1z`
zYj{kMMG$?;vwcOb1b?Nc{^4~&_ATt>pIW=7M)n~)?sjZG%r>q3?UzHm$!N~_(ANTH
z>vztEi4hE+gMOssVag_@@FQmGx{p$HG7m{Qq#VwCn!2OHyJQad4j>DpOg=SRHH+W*
za`Ys$!iLX(*7%ih`XJ8_47k_pY-vWOE6?Wdm%xu?=UH2)|A?_NhMi0PlzvE3Fy(N@
zQ(}_dp$dtJ-0G!_mZRxUiQ+?tOrIPal8~8|Bqw%p?SCR`ao#&V-u;Uj&;E2}(y-xA
zA+nBv@!A!KVYydB8Vi_HyzK_bwQxJpl$8u9hASJeqiS<PQO|Vhs<J65fEdh5@_AA@
zjv9(dOc$`f@rb?w$rYlP`HdUUk(U56W@KdKQlD6RLGM;woo9C0XN)wDdqn4ohog8Y
zoz=s@P3F~5RL#Kt>uM0s65&ZUDJwgp4omk2y3>cCyDP>rpD`RO4iQ5{u9Acn8zBx>
zsJ$sNkhp&RI^xDVS=E-=cX)&1k`g43@ZN(K7MT~caa@k)VLng3VDd7Jm!IuPF)cJ}
zPZbY+Kb3y)>YR5;IG&c-lF-d@ntrrNI~K~4p``WNrTnVzmeAZ71FVX;^7yf^SZhOg
z)#&Ic17;6>;J^VD2w0c2BI0%x?b^rh$~YrqGi;h^{QDX2*l(qU#O9rA+yfq(sHCf&
z_=gt{=>;fcw#@07Filpx3TjfWj-M~u+Kzq-Z-vUP;ivBF05!x+Up{!9vh|`11UpzS
z<b^^M&g@aC(;f0G!%(}vkdsTd-0W<92qvFRX_h%|hsVxOv(~de%zZL}b>U<T^bx(i
z5n`=A%RfFN;)z5Y9&c)5!j8@sh!l*WQoX5EK_)nu!nz6S#>Nv{KQB|PPt*VG_B^01
z3p-qFc|>SwL@Bdz4=HBqV_o(P{_qn60QC3PRa{^b4+`L|;w#DJ5m8=x-A-Ma^+7Ek
z>uf1~_w_+ozh+Isitq-UXZcpa3^>ZQ;VGY(6LzUZ@<~1Kc|7uu*`)##z^lM>p(;8o
zDO)0NW+5NQz)#UHcBhyo=kGs&aH;TvNYMz;anE;4zyz~U0En5mM?-0AeqMDv)R(f+
z?lMC|m$dEL{n5{`$i<wxX9EX%UI(R!8FU5?ctB6;j3}&7%YPG4wVdu%pLh~N9%?0@
zUovIIv}PW&c!IVB2B4Hn;?zA27sh{X*!W=2yik59VR099K*jIAj_C{4OQx6}r%iT?
zWp2zM_Lv2uu7sTVhQAXo5+AZxpH}(?cRKs@>45??8Ixn``Vzp@q_juO{W*4sF<mmp
zVbA&{Uaxg#%80M}S>QlXDU+CG=dVt(ftH^0vKi-q_Ku<1w&TfFJdTX^E}BZKT#A69
z5pr>B#MWmzW=lUXwVmh8W!S}WXMQfpkfZ~dZ~)U!ia7UE>(6p=0TOzQ5AG*pw|}0N
z%y!?>jDeCNDb9KDn=_DwiL<ZWl?BH|QmPh$VrhAs;{MzciK7DOB$bj&7kIX6TSt%^
zX|q;1Qu6tXtF`g@{F!ZdWX~TXkw=RzIr=X@!y^^D6fBu%W#WUL7k?i1_<L4FZn1Hr
z?BD3?kqxLu$&cL_AX|G}Ke<2VYSfbyWFt^5xQ?W4LGqy)+U&$qSzt(kVk{az6mmD}
zrMvL`(G|5^F)rQq<u<Q1=|u%#&6iBBAU6%%WMmn?pPE`4&T2_8`80T6gh>D$Ii2dw
zro1g!eL4bs*5)cX>1sG}1I<4s&1u3oINL?LVp~-;x=G;VCjKZLBV>ma%bS0-0H-2L
zxi3qmxkx#r@GR{-d140uSVMuj7fSoL^V159F82a2CG=dDM2}GyyI<PhKUcd&i%0WY
zG(hI#OmrN+R3N3~cag6B<8WdIXW`l+q}I9fC8;Pyl-t_f<j5=hMa>RwJI?2AGvqYJ
zFzC+$b>G@n$pP&I+=FzbzS<b`d1xU;ha-xxlLN*$#vI^3+(L?mLcr>Wn=w)Vng5z{
zQm<6x0H3wz*>hbh$!Ve+D1WQ=`}C8Xa&TGB26)dLS2_u(PiZbLT@^D1nb)ycU>Nu}
zWBz{-{n?#xPxAooTMvr2F{vY6K_&{F2qc_zdf6@0TTAk4`{lWG9~Uc9r3>I@X420P
zgxc3NSB8brCzVc3FMTwN_RU>6(2PmfGGiFaobgC5_YCl~;it_5yp@>2Pj=a>lC&%f
z!(?|CC;AVI6RKN9H|OUYPBlKcP`}F0Yq50Wyo~Q90Fo7@1o^9xI5fNXOGWCFGW)%P
z*L`l?GYO$oeD7&~@^Ft_qutKJF<!PaFN_@-4(yBBE_W|FRFsYx-|F$d`^Yic^{^7*
z-aU$!^pUh6GlnX_M-pe_Jf21!=#!ngN1dep_YI#yis>Eh%d``AWtjs<e%%Bugsu!J
zKkY32YIpj{zlSNHlVD;3ZEP?Nn{QEP4z&ZyowgUwyP`P1WO%E`BwRa}&Lv%On(lw(
zKzV9=Z?9<L`k$C5cq4L;$-#fVY<ftqhk~Ni;r4^+ce{!be=9iMb>aJvkVF3z32=GU
z8$_n?zUP3_upnw{YXPDFLT3ZfhqlhtJ#Q2}r^Y1WgkH6^p|rKPpNVw3eR}M?8dpIY
zn?%C=nX%<)<&|GkJhAKeBK_tkk>fS@|A%Th9$#aV7L-z?pRhx><3v=^bnl}Oksm*Q
zHa^AQ#>8|0n-$L;4}b-vmqq|>0RPHTBeny*#AFEQ59uAy;Ab`;$=mNW0u&dJZ-7Vh
zX%nw=zs%F!lAo_{u~MKN7_j+GR&m&`(E7(@pz5UufR(slxd;A?jg2vJq>=TZnplA!
zYm<|c#ZGr>@BjSPtpp^2YCcBaQ@-gQT|z%T4Im(r*e0lxV>e(HASZM?2%nxtF{u#5
z`|fV3-Md-gNOOje??UKaF5M40<;%NCfAOs4)y`rgXi1PN`)1v4=GXoH{TnhCpd!+g
zcAStMdTjf*Aq7}2nf4j>|C8sjva$jq?#$9M^t4RO3_<Vg-1ec&Yir^7nVg&>zkkO;
zGj$NaWz?SgRm2W)XiA_p`#$hQz~0{e#j969NkNAX1VwVQZvzvpA&b2a*2vza^W|4O
zf&r~v3DN1kJ6C0&*!<!tixj-2<-zNAQd(LfS`mZB8|AJMRO3(~z=$E!&O*t6x!T15
za0p<3z$3c5y92|+vA|MkhV~+o*_5vcra<c4k%eNmfAe48ElpJo$xKqjPMp&J&3V)M
zGA1fY1CYVuu0RzOif_YMz$t6g>=|0&1KTcjXG<6`;W>+ouKPWn%3ynhgoK#PrJI`@
z6P1H)DR+5rcrhHX!^4Zy!$9N0AfVsGT3IpC2mt2EpI-^7w2<aTOaOU=K^Vbs0SIo@
z8j9b|v01HS{Bv8Lca{(A9k6sw&r^BMoH@g{G5K|XOyL{gkK9|xVs*=3b~2MTrQyD3
zZ3X~rBhYXzK|75=0ATL&EP5Z1$1F|f=>o;v2~cPXR(Ae6mz%qLE$1_u7uNj6n>Qw~
zEVRNCxa-fanx5L&Y<}407+tO!Am|V^+^hdr0S43~?sg|IL7Q4cffJAe6cG69VL<hB
z6z8GUdG>x5`Z&UyiyF$~_8UA?D!}@P<OXj*juH|Q3=`I?1((k3Ha!iHwCnl8!t7VC
za6rTR04Sl{Z)s_ncIIj4oPsdBxOvIkNNvK3rYJ#l=g!={9e_RqKFochkx3hnp8&81
z3&sk3WYD`ki2IHcKo&fC@+4=IUV*%$S>4z&TB(ir^@5tIdp)6D>>tm{sTM%Dl1J8w
z+%@;_Tc7<2ogtGGYY_#LgVvq%;75*W5*ipDM2jeF*6)Q$pGR)8$eHio*$9?)LUjo%
z(Lg4?_#FS?zQ^R_pB}(t*bEscvk&(6a%PV*NN5BCtQz<q@Csn&PqYW|eo6W>=~Yde
zlLnrOvqcol1WqFXe$2nL8D_X^#}4oSKq=1c9Y^y*Zz-5m-hNlp>rwEz-VYk~48-hW
z{rWBd{QeCZ=WIBo1y}j1D|Z7ADf#Nj)vK&muU@77`o0~0hhdBB$IJ6Ay}OC;0wNn$
zsz4`(7l=pz8~IZX-E&fD>HP3vk2nz!-QG&#skY^_XU`tI)BTrJ_NCE8natIj0G@9v
ztu=J*Y@<VmE?wKabt_OqVgOyk8bc)GXeB@Bp8~If57p2lLpA;O?b|ColXJ`CMZ0BX
z+2OQ5fBpcP-U!?-%L}Dh!2dZO4%yu4Twm@;id)_5w%-$Q6X>Jn7Z)3S%e^7|mOLD)
zOW=W^QB-sa?1&X1u1iBecU@7Tig<@Kpv_8d=3s?(yc~QBppo0RZ>JTM*`>-<6@W7D
z+MMhxl%6oT-d?7p0wC!$%7?Gi-p64(0i06eUIsL(n);O=j2(J>M@Jzh`Uk6HX>BbH
zff4#t2tUC5UcP*Jq|WJ{TPon1x=CwdVy(s3uQz{=Klb=1pp#iAPZk5brR${9R73yd
zXbKbnQ@wEa7sU0km$``KmoLo$0?U|G2F4jMSe1NBU=_d|php0~0-QC`b+sakb*L&r
zVlZj_PjaeQu-xNo*JNH_)Zl^kJ!TnJW)M&x2$FN+WHGs4c*Ko6eW`^d&;KX_U8i&F
z$<9q{FXf8Z{wVc`;DmApm>Kp=zzsTp_zHYCU~1OZ*-Q5Uur8sOdDSb&o&a2l8v&UD
zP&xo=fPi5#zxVUN?|_bCNp|@Yu9{Dp{IKukVIm|N=<t-sSrL~s!}xnfW5o^r%-eSk
z8Qfr>=7AiRoy}Wybm~oj+Fs#Izdk^(o<4or<Ym;@*r*&<KKwkFzBtu?!nHDB_~=%B
zdeQnSF@B-jnPp1LA!TwQ4z|qT&sY4?sKmNFz*Sx~5DNfQ=hulx6RP^Vy1P?>UP`m-
z9NGWxv~a~`WgSynm%tdV-n+L2j6CNv$S%IK>46U7#8!!?Q-NOwB#80xVz6n6TX=Sg
ziXJpIJ%K)^?K0xVz_qwCIv$7Rru8rPxL!GSRpj^3+Apm+u>zCC6P`8Uw*OQBlF~d}
z?t2Q@>p};0VG}Iurd9?I&kO^Z&W-@BNP1gpv}Z)y(Y}`0<)rn+q|w^N!Q6t5yRMZF
zF8p723BWQS;x|Jmm!PnT^A_x$-KxKYs0?_6fu=D0U1ra|f2X!l6CJy$Ng|$!6cZus
zTuS=WlaxyJ1btp*HTy*Kr1*7Dktd%mk#cD-N?cNY>h6EZ`4bQ<$SDH@0}rgz6`Y;6
zd)0P=ASTmbb$IL2q}Te6&cwzpo<DyUhw{=6N%o3F)C^f%=Qd}SQ0b)I^YSsuZuc}9
z!;gz8APy)${=VqD{~75$Y|1sWd3#;?DP^_!FU~o(43QawE&k7T0~TVj#K)V`I$G=S
z&r)$}{eQ`)o?Na)<p7;C4CDb~warslL2y6mXoIBnz#K3Kb3g0q^qC?n09(h#7~q76
zWMHfc4n*PH@nt=kgz7&p6-N~^U8^f!83*rq3=yK1?>2pO!4qUtl(u|mxGphOJMA<t
zO?7psssQ6g&aUpA8LDR@5Mbw!T-n*#NBnFCE1aJm?orp$BD~Cz4X?~gSpTzVW^T^c
zdf5Q{7(x2>ULmyq@fL~1B`Izm9w5J(V|J<Ny$QaOYo*}EU;-SQ-t)XGLB1P(^yoj4
z2>GoL7=BI;KbhMB0SwqdSJ!+mSO3A9*iqERpk>}V+@4F^e@;<mW4oSPMMrBg*(``b
zn|XOlz;40s1$KK!bWk=pAK>v?AWK6PXY1(rS>y2an}B+yhC`C+Yhwny7E!2Dk^xcl
z29TSH-+{8|!dz&>5%%iDKL>!K+P@|m`}51m3+l4l1ox4O6M*&tfsE(s-Rsvu&LVme
zi+INmYa*iTPXDvA2-FvpDj;^--)=jJciJA|`uh20$30za;vI{2w=g-(dR%${O_Zc6
zYiMX7Y7E){HiT*>rMm3m#T_8dicN5)#r2@8Qgob)BR)NKEI6_gA+8t4)*@P{clbDv
zDX_ETky}SMZOt&R3JwWr{#wUs*u_+e{Rg(xxClwRzt8`ixxWs902R-~LR<k<(@>x$
zC%O99_@j7YobrwDU`~x6zU3hGavzb|pdHhk1?qA0=FN0(70KPZjRZ@ph)+sO&0f23
z*0jYhHH&!B;+Z3(@zXp#3;lw7%F9t84=NaK*VbU7Ivo7KKZaNO{l;`5MGok1*}NHO
zwY^?-V)SQR!(Mgq3IS0;;o&WGIwJY2xjFT~uJe0ck6hM?LC)^KlU21hV7OgTKq2MC
z$MiQ$(4%nX`oEc`n%u*Y2uzYni;BMf^n$Chq9Xse&Zgwi)>B8vW6Nf^@iRN{$e|~Z
zH+zM75dernz2@utJk0Ly{5;jc!2yN=Y&A!`o-ea)HJgI+P88U4!e%HVp<o@^BB<KP
zDRQ#>>pTgu`bzO9IMJ!Un`X<-+cfmQym6W>ab{3YMf38h{{BjLz{s;lXXn4#L)QR;
z55nhH=RAjm3I{dXkumL_(Qqb2U;xmNh{vIQ(l@lD<z@kq%FK<{Ufl8{?*hm~nBpwR
zQzX(hVn^XQhclpHI#h8VdlkrGq4k*vr|tNEjOTXe=<@&DKl6gF9*&EH0vwcuEVRV)
znHd=}uDtKwzHO4aSvdILC^P}XgW5K8@~7^pXE8I#<o>(o|An4pODBt6QdSy))PY)F
zX1fm?loT>XrxELwuV`()nz`PUuVn1xG?UUk|7RvrBGZMRfmUKlxj_2{HBf$=COmI&
zPy^ZC*OnZF+PRsd=n)O1gIOru*dI+pWqYI`nPoEz^Q))y`JXK*3Gr7)_<sIxI`UkG
z4BYUunL4BJaAoQNkIt1eos=pNXwD4Qjxb`c=a@N8H1I3^=R6p5_qzD)kfQQd)Q!J=
z`$igR;xZo-mnX~3x=5WlP~NPAt5x0zWZTZ9vMCG5%>JKUFRbRK|B3b(WFFVICSe2l
zg{Lo=o?vKvzLdKlV}(Bxd2^&rp6f}O$z6~AN76LR7~JyZE~(bd3AX$cuS}O`o@{&}
zr|CjAzU2Ztg%(ZBUnK1For>c#zRO2W5$KZ5LCX2^{F72J$Wv<4uBp~d!vBrTdK)=o
zqnKc(CIRCDX=Yi)#^(xf2M53%$p20hC)&tqV*c&SPt!*?^P{CC|2eycy8!q7+`0o@
z+opIVLW)zGX2x(RwK;R|FF2s+Q2N5DBo#t0m>!5<MIRCPjjt6K(a9VO7&*4F^OgK;
z`s(V(AVYvJR{)!O!ScqHMeYA|k8vI|-@5NGV)Z9Rw;kKh99xv{Zsv6Z$fAoEF<2}I
zbUbrRB^&~ZMW%E%X>Ik&;>t$59KXgXx?{(4rc^+m*Kp~`;4d-<SHZT^huSGTtK&sU
zz@P$@UQtt7DZmsWf+2!V0u-xIFtHbomy<`C<)06f8z488vo1IYNHw!jl`!B%{O>lF
z{(osl5KJzP>0JoY*b6>p5&~Hx0ubppZ<-+hA+D5_Z3QM9qBaopOcf=9nJ8VJQWYSl
zf)@3Cnx~SqW^q+QfuZBXvE%{D`9ln^__@>$#qa+gvfu}9_q?+Vp{0ag+T~HO5VTJc
z60Ok7gL^`k=2O{sr7Q43z?&V+R0%o>$dL_@WUg_8ZWDqP)VE^e9Yvs?WGajQe-)EP
zx|@buSq;&EaiyUF#A(|%3!N==vNR9VJKZJMt{JbcgXp5z?v`;1;KI8QDypiWhKAHJ
zW|!(|Z+{eAhT!MN1_DYx69aoD8$3dO9R4W-L`?rF9=)G_EE<n>uO=A^(trg=@8{t&
z1&mPIdQKK^6cEsqS%56NbqlI?=;w3xCjI%Xp{S@h3!4q04shbR%8;J>DX2Z%1FnT2
zH~KwUri?V8PHdwU0zMS{=;Kv74-Zds!qi{xzX5<BnO)zH{eaxU04#}tR?f*wOC$g1
z0k7=2#%CwX>N6ZawKEe~@S`0-f5FxRVDM<E4~RA<|8L6x)zS!Ynr-mYr!6g_z>J=p
zn<GPu94oj%wkL4Gt01G0fw=B;bAyZkOarnU%&Lg#OW&HXoH9@8EZ%?h;MIp0m0Ma{
zO%$9Q9a#|2@?7Z-W}0_HKqV8-Id|@yCwq9g3urirL^-A~_EkKHFrnEJ-c3tl(?_GB
z;e;jeuIwW*#ScR=q~{{@k58$YF~E#|I6T*`iC^Xi>@3Ft58Z+|#8AYI!^uD=W)uYh
z3BI^^Sdez;&`yM;o}P!`BBZM3Dd39{8%^4bJp&{{?1%!r!%mb$2<IG#ftuJ{Hfvfc
z)3Y{$MvP7FGl5HL5PzXW50~>Iqs5p)8c<#Xo%4B7|HSd*O-YNte)$4Zf`EL=o7v3Y
zxqLD^yX5LsqYC_yS>}sbBZ5yp-<5%&q>I6CGi*}$Hxw0KK_9){$;I+-P{Z347y`Tu
zzl%*GtNN!r4YV%3c^_c)BBP>6QrdfC&XnwHOt5T1b=e$;%kZ-k#)E{Z<jNIL8h)B`
z|BC4B>KgvB_w$!8BX6%;z`F#BAn0uxy>avA=n08L#I`sN)mPqFHe~J8=;qrS5i3%L
zeGSA0<QwWxCk_sJGP^&*gW9fl?~Ve`oQ_Na{aV`rHFkZ_#kGh+qYSbiX#PNc)dh+@
zrranC1=VwEK}weD1-=w`eGA-)tGnlnaP{df9z@;Bv<`~T3<TQ3``ly_qoGkF4=ns6
z024`J>Zw3Z3R0(%v+T<5)yY69f+XES)${;@8LYsgp#{y^?8kgPA^LkVBy)IS0d!2W
zeZ->JH`Ff?9F^_u)_z1HvulSvYyr(qXMg|B`2`tY0mwd03h9!w0MJ0e&J9U3)$Lvj
z1Yi~ffB?sF*ZF(up{0f(2sM-=fOHBQxI?qKCs_Ty_AuoKpweb~3cvy2EKpm3X0i0n
zo!o~<b(~XrdU^m<V4@Q+GQftGmzO=&E-&XcY)07G+uH&s2cllzwbf<u5dO3!pa+OH
zLI<Qyb0Pr<!a{Ne$pD=!20$GsXN4co@s|(CzI>7Z%$+Sm^U@a3ib17;xIv5&pip_H
z7@${f8XLQ2Oo#e*Y4vAEa{?@vjWj7HzkT(k_b<?<19*Dr4F_U`dS7O?=_vDYkmu-m
zx)MZxlN#en?gS`|bUUs-e*D3N5fv5X$zBKArn?@`oZQy|;~S}@0&@n17wd&W|EV{Z
zv_|5f!R>t#DJM!;0&$Hj@=L6Ep0Wpj&!<NrdB%)sRpwN`-zlrZxVc@d9yoMJpKqwM
zU%wq*RX|c=Y%;NOn#2^=gFt>pPkl^f;*D{U5@-_r4!!Nwt1IumHZ82rtgqqY&ufMc
z$Yb9^LL&8BxL>y`uBfn+2Ko3&P)nsxGRFs#Ot)J#Pp16(?h2CxH4B0^H^R=PYxuuX
zO7?O3rHdE6RYXaP(;o4lj|8j&wClcZ9RPbkCzElx8L^0r_zU?!C&IC5Q?rjRU|md6
ziH+KDwWFgWl&=>G3YuWuq3ysM{E^|C1+U=*(Gke^nL&ND`T?i=gjvk|ge^cyqfmiK
zr^qp1vq`fbI}e^T9VE8&_1#StOJ^k>{x4`=ka$ba=8w`r=~fQNGT93byw<<b6)4lH
zPaZioR;_pr_geDHUIxHsS3oJ2g@Ohd%4~4LxWC2?O-%U~eNZE2p{Ox2n-cWWdu2kA
zNw!X3oG&?FYa6}0w?<xxr>93c?SjcP5tV~n%!7utyfV)KI;r`Eg=O~+@GXGYfEie*
zZU>0Fv#&25lre~dhK4K<T37W&@XYQPVk2NDumTfPQ|yG-<FCoat9<9>CK_sDE9yB1
z(slWO{J|WYCfaZz^KxNWObi^F*uR2#h>lV-J>gZ5KfM8<UmD5W&y4h-tT;ZLmF}{8
zOzwq)TZVAUtoO8gZ&r&+fn8v47FPFyj>x{O1_w9A#jnPfT_&3XG(XNRjcYA^wopry
zKb#`*%JZOCVAI;&)}?5pvg*5!+K;pv)HjS44bg+iFA_eYQU)m2)D*n6^$6?}9bQN(
z2LStFRn>{GA?#H?z{KbPfEM>mD*U##!6Y6zHqp=Lja)JFRol_^oJl`Xig533pVHr8
zciwkg7@Zvn554>@TjQ>5X$4`BHU3$#$h|0G{->K@Z%cRzB&Drh;7@N$P&)amuTtO#
zd+~e4d9ONkxNQ1L>eQX@9dTJ9j(=2k{)w2$irHXiB&97}*zPx(^_<Q(-_ObJ9Vj}t
zJxE0EQHk`s<jUsS()}96<`Kt>eb{;wS8Tn4F$uT0PEbFUzEHm+{f=S(<u_(`y4brn
zhj9DZ4B6n#wlq$s%tk^}t$(!6eaByoohtm)g(|q3n0dIIFwJ^O+MuR-=keobRFc%B
z2l@8k^3x$!LLqSU<9JgOn{}b?S2g<`hHOZnQEf0naS@Xj`b(clzuU%F?6!~h;RiQe
z?D$Hh_|>YYz2949M_`XHKHyn}Uf(;b!A~_cE{;u#S$B_3H+|?oaC~IUDgEHquTQT!
zT@MQsO{t?#IF0q({>?gA)IGB8aJ|9W@)pN8a)>p~Rj4bN<z*`wqC9}D=c@;y^M(@c
ziruXTk>l2uR#s9<N<8pZ&5avRE!T0|8aAFHSgjN5b!W5t#bJ8r!zV(^U<Bc^18&5I
zs-1D=29u~?M7>{q?Vbe#io8)PU@z%<*`Q&CQtI%p?`H%7n?1Qx%NJ@1kQD)_4zFC@
zK({=Dmlr@B%L4D9B&<AMGGdZ5)s)ZNprfVD`5qK#+jb1-OY(7d#|c<zlR>Mv%Dv+w
zmatG3I<aJm5*SHlW8d>`fyBvzXfThw+mi$_Lk1JHe@+&IIF`ob%(75fSv4WNBWPZx
zeiK5gTze)6<GVh5I1X+OIe?E3=olALc64U0n~+ol@tcK}VW#WEAI~#E^z(gdCq0IW
z7DVggZ`}<!xOAdSaULYKlCrWUKV0MD4k#)qfeah)eaZHQy2L+m@S+Z&4a^(95Z!?l
z6p4M-=%KEBc2}eXBb2;<^OoI-3)xyb!&KC>(u@W&a@{^n$H3Sheo!Rl?0&9Q#|F5+
zy!p7ch6a1~Xy^O)#{ixxfodLPH|UsYG0=UN6I$Ws#*!(m+bIskI*aJC7wX1;mQpB>
zt3{g4@1d_vVsrK5r+V%^5}x463inT>k>?Nm;42=sV1R6n9o{>kjB$RC)=~DV+nhb>
zUDXe;Q7Su+us28%nbqfu7jz)KfO4XX^0c{6ut^;R8!P#g9u_cfHG2Q%3hVp4i|)p-
z&$uqyW=02k78I}L7Yk6wfi6NK{(*xNnKTR&4!&?d;HG>5aNo1&-2+IG<F?vz+w=Qe
z_YHK#z%E{Bk`XhxZ|(1t$qGK>aX;7Yl4u(Jfy-WaH-nU4;1A}qRU&+zhlW6iNi+Xn
z0DbDE^VGmVdAFOUG6)|&S_nlI*lUH`z(UJiqc_^7D$9t?5z*%&xlDz~xr13F*PO_1
z-8Pvv9?Cb>w`|$1e0k`bg#!0(PHFY$(j-}t=Si?5EEb34!OeZNPuz?A*yy=s|Lay|
zIk30uth-D`;1zkyi{m?k0&S>L@uNz^X`M!gF4XJhTrU6c;QWP;5t1(Zc*Wk<?u=os
z2%&}R2<OGq>}y}fi-bJ*PaeG8c~5xLeCqVgUELz0UDvcs^?IUpdBjL3n-+<B=U2{x
zbiuZiTd#e#O5oD7W4kf^l?9ELM?4tx`A0VkSK!$=7q&tD!;inmrV`IXlrv|D&z>d8
zeC&Fx!*9q)rhYk)@f;q>u>&hiT)K@ZQka1mo0uf0OOx(2OD(fpKPG`^Gi(x;nPqz(
zO!jWA*~A~KbWgysgi|b8CP~|B7PHOx3cRtzIettWcUJ4P3o@ooLR}eNYdL6pjNa;Y
zsH>J%-aGdll8$Id*p{H8bVU;0aYF4~f}+L<Pr&A<^(H|~jRhxrAG`kB&Sc@1&U^37
zaXbX6lcUyv_<n2pqI>;jjzG5V+Okzs##`oVlYHD2JT(dJVnF>PB!5Y6LJ$mDK90ZU
zimR6)DYS<T;ZD}EWHA5FfK?Nxl>RL2LzO*Fc{)7qORodeIUdaz3spZ;oX^)QJZC8l
zD!Z++&z$=9FMb6)fbc?*RQ!9uCqJ8WMM<g4%T=K-=0W!a3^@jUbJc;epuO!vAnPq*
z=MoSW%gC1-Nf~Z?h5e;CFWln&VbbILq2Lf%%2q-CC7lr~M(sU9FKUrRQFROalj8Nm
z{v!SIj5*mZaF-_65i?6a5n2Qp1;aiwe?TH6%mg_1iG9kvarMlnIZgyz-FN?XXR7Nc
zgpvntVu^p`Z9gtXPv;(-8iLeu^gA-fWp7Dns{7z`{i875b@oIc{I8rUHr9>ujchmF
zN0fV<wDz;e(_qo`;gJWaGkhV)h_{zyyR_as$8IxLd7(^Vu?X82mzmjh$o>0coSscQ
zS3HniG(f25^6FP*#|R2sc%<{Ifqrvy^9vdw!oOyQW`0E`86SRJ?fm-sr)ye9Uf%Oh
zPTH~QM=Bo5sDm98Zsyb-0R1*Fk}4q|_QuaPY+CwRw4PN~_ZxS-GE=N@4+XU|Ox`-j
zOAKC8fNB_@^jlzUsny_V+JHnCB&>pc(<UZ2Siq70WO$#GoXxlI3(x;#-KAx?%`kTx
zGU@+m>&(NcT-!Fj)-o+rmLVb2Dn%KKB$6z&qqfKxWu}rTr3_^#^N^WDiLz5>Whm3y
zQYe+Yr3@KD_D&fyMSSP8-}ifu?~m`FIyzWuJ?nm+`?~Jyx_;-`(p-^lZ!CJM%$eG@
zlfoymn#D@&<sAezy06StHAKxbj}0S0#f{lJMQpez8@S#2ilhUF9(7som@u)<!&Bon
zwQ7Iu7zj2UKqnSoDoqCEFlH;7mzKU)K^eiHj`B6Cr+L~tsPos6O7=6B-0Kv_pRe|m
zYd#o7EALqCd|yD)(hhvPLYum7#kV)&R7Gui<HTmf?SeWT8_Msu%6pAwOm>zE3P@LN
z_h*P*kxYp%B<_{3lIJa%@7REPQ<X~Lox{Vod!C;B?{Fr&omXvg!nOA?&vB>e@8LGr
z<0|vBuAXCE`IAG!uCwr1etv%NE0>vVR`!PTKacVw<eVz1xUJS&wPr-H`u*pGA3C%b
zgU?>HJT;{0exnyK<1l`hQ@-<k<%Pkcty^+-?b(xmu-62WoR&S;Vro>qf-;18)h~M0
zn7@}O`+6d0ZSS$(*9&~^IIUpux4g7EBfl>o_ociSS?6h_lP*bb2+v%M8)d^E2JYFK
zJwsk)#2YKIJ8Ek)m*(GdUq&Z#;i<$*aKp-M33)=p#!H(2B4ah@8=KXboPAV#a#GSH
z3XYmcYi9Z>*_~?@#3n=UJJjU}gs@Dg557uKtBAs`rj~OaPk5*_|G4TGNAkNSjD6~#
zZ;_^ihx3{`iR?9~#kr=EI)xUJjTQt~D{l9sLb%(O$$EU!)J-%e{_6XW1aR~`YCYyt
zhjqSs!&u(<qysnm!?#<7`-bH_g483!_&sxHrH8KHn=#8}l0OVywjOP7--$S(b0K8O
zz?`ozQh#7&$2kYy$4&B*rad*XE2s@J#yza_I(pQ%CN5m_<2i_Uz7WcKi+MdxHL4cr
z-g)Cj1>zWJxy-vz@ggw3M>eCcb4Tm^ZQ*X}l}WvKYzl1`6=IhHasR8^PMrSTFs&_l
ze1dS!@XWenm3LTfTBnOU{+UF`7<Zg_m4!MEj$6JD3WV{q4#wqk_xhEm*+rKadQzmk
zCe&U!tTi#*=Su&1-eQ^0H{|V5Wm)h!v!D3b$44S0scig$AyscOu5NI44oo#-TLEoQ
zGDPLwHz+=8Git!6m+Rw@88yR`ipRC(vO24_%yra0tzlkzLc8S!wwS&5=Xclp<Ij^*
zrpYu}ip6vtoys^C>ZWFL`t<%Sru2<Fm08rq2cyqLC<S?+{w?`nl&U%Fx`PF8Q~MUL
zNm3Uh{Ub$+RJ|INA#uBFP&m+AOE@ev^3%C{`zt3-RfTZllUgbBs<CqK_+*KgKgr?B
za%8_t<-_fqN0O^U?=(>umAeM}bY*o!wP|I)`TFO)xm8rHI%#*$?stJKljs+kelg07
zcf#Yjk0iF=I@OWcKg-BIRM(DoS`){DUQ2}Rw$mL6y5mhQ6>6nEuWN?48i@4$Mhl&m
z43SoPol%O-oVIkHBvr|r4Li`<=4-HMtVavoNykrd*hxQqaKz>1x4F_hh4t88GEdaI
zUC$1nglMfZI{J_up<cJrX=`FQ>$rsSJ(*A0vzDFLOz=7Z>5A}*8LP8L&wLCL2#rAj
zQR8&=UmJu*_Q@jvk@(cemqUy<C46>53RdlI><;<;wB}=p)n)d6kH1nMT}-Y;>`cjj
z6DD57IG4lmyz8^gh724<cRMX+#Hl`$GKgY#xwAGtC~$LHr#d%LM0xK1;s5Hic+?*(
zS0q1g6yY$8RO7MtR?zsO$yBtx@oU`Fxk7F7Wx7k*37ib)swWb5JzU$<UydRJ$>eO%
zWmx}c(KmYB&Cz}vMqPvbk-_QavImuhR!ZIeGdK14POnVo3F9BZ_3eLk{84b%W;~Jk
zc)nW8xw)4^&ARu{!$MwGUOs_bK9AEy6~62Jl=AA|NzH%Y(omjx;F<ABq4nB@gCF7$
zsQz8lFcMX@Y4)3)LbP7LIC`GWKs~bNC*_V)TXlo+7d*V_>%2ca_<Yhk3DuzyhsqU6
zr>ose&ITllYV)r6pGT7qiF;rPV^vOGu+q4jT*)JAU+X7>V^g~8xx6i5=;^O;#xNz?
zZpsE&&$msZAmyuOAZaE&{t%`*Wm#xA?k@K9nqS9+_rVRB{b7=kAH$!A@Ebq<<U3<|
z|7ew!=)#4oV@5To-@LO$v}v56G9$N-KhK<a<6rnuybEVbltCx_J5lF#oWIAa-9r3=
zI^t6Lb|3rN1x4HKI?=dAxSc*4QsW85)@L8q@UkZQhPrQ6&C^yc+m@X%Q>tN6gdL7L
z_?)TUB2f|Nd<#3YardjV1GG>+&Mq&;U5(Cek!v%Y++ZD}i-aZbBEk?E@odtWyJLI#
zdr>7#;dS;}a}^H)k#)YSc3cqLZI;f@nxn!Htj?=6k8PBP?VROsjFG4yx15iU!w>iS
zMXBG9<3MaBiqdpZ)YB$wS;3@>cq>Gm^o+qm!3d``HT#=b`N*Cphon9iKRABheFpwg
z_V*oC1qE96^#!>6jdMw}#b&45xNpc0EVuS<6&*<^-uS!!>gZ+II3&cB?&8DQ$6ih*
zn67Nn*<pSBaN<SLx2P%4r2axZaV@ePQJ*M|D>@k+TdAA=xNT#jdze1VwZSD+<L+2m
z8&&#;NA@1+$C6+Fo!&T8Kc`4WBGAGYN}INW`VRvv=|CeORvbqq|8bwV5~=+U0?f*L
zl?W$rF=6Ml8u;|-6GjHNZ|^T(UYHs}g}Se*0jSfHnwqPcwZEZgiN*M$bRr#4v1E#F
z3k8NGWo5?41HXOT0k4`HH=@stzGe&XjZa{v67ymdC4@}`pqvBCmbjKEyaXiFdXOt_
zm46o+E3-klmw4j_7y4V6<3K!r=k8r}P|-{w8i^Rppijd_a_fG?Nf1XQ;AD2_AQECR
zOq>!^Q&Fa&v2qq|R1z^BC%Q`Cda8H;!vT(x6C{ixAm}_+YMV@@Kq@4raUoJ`Qpgby
z4?#x~4Q_r=px=GP#Ki18cD~^Zy0bM||M(oBi+|*&)1_kBl2pbzhM@0}BRn8Z(IFxo
zWDESq)4^+iNj_fZzaAy^$jHe5b#IZxZ@Rj=q9=~)gD&uu3t`Ct{tPrMegsDTEHvW)
zwJ<zJQ+^0diGPoHu;#f;Flb=dt^uaP*9{$Y<qb48H)n_55zZIr4uGQJ!5k#DSNYmd
z<AuFJY&I4aVE5+6KW(gZgr``GUJFG+NQh<|3#~#j_0rp1J&cV~t6#MyOM`(V9V}?a
zIJXqyVN6h2A+`LsPYSxh&u~1L0w4(Kbz<Vhj2v7rfiQ9r>>%?;JUea@6sypqSQd5K
zHEiN#1;T^2;=B7MNh6pkqa~{gx=eTA|MAX&@SF=M>x+4GQt?!Q4keKw@B2@)dto^F
z$R(~?s6=9Sh(eZF{u;9<K$2vP>HaYWaamrS8=uH4QjTR=SmMd*Ip<Sc+Y+|HhLsW`
zd5|8-nz)JmY_!AQe}&6egt^kqbWX^2D&$yIygv4>Ec#}F^`RKc^)Vej-B)5fItstO
zlY46wXKm<kL!$pg=uD?c(2wSKLO(AtGqZ-Xq{1(q>zk>6^YF<NuA7Dt7@SWnrKY67
z>0#pU06i*wwfPpS8VMtLwAc$M$M3w&4>uNeT#gAi7d-#t2ig*BX#Ek|GN@@$<)f!f
z^cOJ`l9HA#xaO%Ogwai9)~jtNf5q;I%#EC#osGX7HN08o<kJ^C55BvtWLG?T1P?qF
z6%{+6dr4A%I+QWTW~X_@B`@sJ<s5qacn?5RkS}QJ=?FYK!P4tN=%gW(&#w&FD~_K{
z59^~93;PGcsf7fD&lt?6<lGQkkwQX3>U?9Ubf+WVjs<JnG*o(?aO>7<mg6NK?i3cT
zDVNhpbCy$3aKJz`Se<EMZjLFGq2W64jQ|Y8+u9B*Juj`Ujs!<Xy%OxD)+uiw>?$E9
z_DPkgXB^t|JzPp(4ZWu3dfjQ>0|yS^sc#<Yn%bASdJ?`cf-zy9OJ6cQCG|Us$$g!j
zf85Bow6$$G6Ri9kt?vby#738g+DTHncZ^BQA3s!t9KC8jLF_%MB{I?bm_?g*Dp!;~
zY}ECT#6c=}|Dr*T%ycN*kCEsbt<|QE4!-j8@`TJxZW5j>K#X7F&Fbx79YRR(o(ru~
zE@O_!s=XhwbVd#h&NgovjH<Z3MqZu}?#{k`ec@xe{=W9cMhd!K*aK<q^78W5;q7eN
z`#n7s8{Qzy{3+DKH=t-+KTN&_lo9OE%5~eoMduHsl9G~$H>0rk<-=s!&n`VB#Z8!g
zbl=q%V_xbvWwviWDi%*;th=hY*6UarU7wF<vZ7)api5mJ!Mj;xP)y>nI|2m>?-p$u
zA|oyC06lsW`eV)WpW54*5d*@G3s9bun_N^T1O`ZUDkAnuLi^^NlXwK8bS0@2%w&q5
zoLH=Fd-du*Wv{$E6!>eG1LNZ2KpBmai`P8U3Yd%K@C6!)<ymmV<f&%<MiZzjus$BW
z)nv&z7LyEV`pccQHj21m3(;J#g_5->#^d+?s6K<bXU$w4pS6m}vv1$zFfd!ph$nF5
zOP0%*3yX^2i`3rqNT;~0EOAwBX7LifaQoQo-t)UTsy}%|pwEg~4{Z%Q5!y3fJy%R7
zpo)FjJn%Icvfm3_Mw_MtuPjWR8c(Uz&+jZ(Y*<dp?wX&Sol<8HY>+@S$(5PT@gDJs
z%w5pVHo?_UO$}1NJvNdFMTWT_o)>puv!I|LDgU?Mdp&j^J$lsijtUG9NPWkX?1}sp
z9C22PPaEu3e_CqlY#+J4zJ8s4QbJl9yQKL=yP3PqulU~|SJ)urh@p6Y)qFIKu}_dq
zt!sC=oTIllUqL}ZO`oFZx~G4i{|rxt?wtlhv;Kp#{#BQIu^7D`^Q(ckAZx{dfXYgF
z(39Gl`X*azwZB<1G@<SQ*|0^`-`_tWF)`;!ry-Rd(VD~Q)zBaR?AbG4t+fnNleyBP
z%E|}P9K4Jc`|=WU-~0C!?yYUW{V}?PYr*JfVtRUWiH@s^2y*S@()Ne1`xRO+LVM`$
zEYG0QhfPXL$bldlF0vzCG~26Y4o>+F%=*9W>f*#e9?aRm@4*e99v{wFc;v^)M-Qb<
z-;WFkj>)agQ+@|^wBP7<Z5jeYVsi4+Dp|9BES?N=XkflSh{MsXXLc6i<ZRQaEOc=%
zpN=_1rB9SkkY5WCHX2`#Al|)Z3Ohm@p#yC+>;iJSQ95A+XtGQBenG+2F1PSM?QWCe
zuL2PdY;~NeWy`bbz9%rCwYsdFl$7-OmkO1heVc`I682;7ky-aLSwcu6A|j^i(P`Rj
zZf;I$qAY`zIB012<)k_S2hJk`17~wtt8GdwUTLFky%lov?aY9H0KcjdpatR!u;+n;
z5(Nql>>k8hU$X`@Z8vFXY|NEublN!xhqPrOjPMZ~kfMnZFuZBLE_lx0;$fwLHw5?$
zVuDb6+uBMXGvi(G=ivMjxvBGR<|~)TT<V>-Ej5XnNS2s;<H<~t(k^)a8B2d1f*ovr
zA;*^2ulxFU-=s16_&(5oc&QayZI*kvvwn3Y0HG4<5t1+e0AvgBYQRedE6TSqhjch6
zK{WK$aYy>xH92qy;$v(Vd^Q$C3Ht*dd8p7FblDDeFa>}a3l#Fe5MNqZ90fd2U|ES-
zS+S>7Uc8w+bLI?s>FmY=i=$`m_05#a%{=*uWdp1YleOk}iP4JbnkP>XU7*WD5Fw26
z;H!aPURfCqZx-YXjPD3+8(<!CM!DP&M&&d;UYxu%7lK&n!^wglNET1D>NMSmW1f?X
z3k6@tAkzSmxXL)VIf8HC#p;_8Z+jn~)D4=(6k<d|m=e)s)9`3DmSjTio!_{+yhtcE
zS!heWg(W3J*+DCV$s)M<9-p4DCAT(7m{?deYuRed-m;(&6B1G|;N<rs*O7K$g2D^*
z8ra>13xXtH%@q)zAsh>EA>$_b!XZgZVQmgS<MWnc^2*QIGf1kSjp`4(!3hq{H#ibd
zCbu#}cK>>&p{`Cc3T}?!8?Y(a@Y^*}Z5+vfpJN<`o9!3u>E?!{GMUPnBz2zxn~KPZ
zhfrZ-=FdjUY|8(!U>=^2%Z-kSF<a}Q`oXmS{(LRpfPqO0ED6m#7jZ5!H8abpsR`(L
z?F6mBUlS7%GSSOBa6+m*FUzJzm$La>zit^1&GI2D8jNg%3CzvSjby~(>+B3WvE`rD
z*f~A}XG`}GgIh!@BIQC)Vix=#kqGkgpqCIZ8w<9DFUl@kn5jQUfFmLTUB7;PfV=|C
zCEt8=Z~f)Wp!y46HA`5lJJQbIBUy-K`tB94j|WdFr>HnX_hZA=3@fP#q<%y?%rcZl
z@18eG_w%pwEgEj?yz&Mkytg@>3x?c%eQRqgHH=|tWp%~8Ak3zOqx4*`mfv(J&r7V;
zq#0Ma9KIc@XhIh2QMJ*kD2-#mux_+}H#2o?48CjHN<vLwr+_I94-XfU3AoXWLm8o5
zCSns)-@&*uL^fR$SQjkZNcoiB5pVjoZBg-sGW<`Gp32;VPl93)iNhYAl3>G@{*rzS
z7woy%Dx`zKk3@Ih{rTl3*6N*p#Q-FBT_PAx(#KuQ6ABx2jYALI=_;wpq%kV>$cA%f
zDk5Rfq@K*TDM?rC>3+4my!X;RiQtb%pCTb2K5~SxfygnUVs!}#(t!ivUoG(<2H7HE
zt&14CDfUj4JB(qfe3RxqAj8yeG)kjc$q7Oy6Pep0t-{A>xff2!l1i}+`n4X>!P(jQ
zud%V1`G3(v6RLAa(xEg49}P<$N=pjHt9uIz3oo@h?LZ*+Gzv~;`Ox3bgUz0PMtBW7
zd{-{MnX^51EUK}wQL{&a9x8f3U|@Lvwy|<-^1+!!B`vLZ$S0JZ&wX>d<l@2}gt`8$
zZ!tJz$Z~mk-^R@Z940C{T($Ts5NIlM#G4#hF=1+zASfU(+3^^b5k#oOGdu-cMEl;q
z?7h8{Chk3YB!Fw*Wo2z`eB#7f5+R=gH-Hlc;-KH}KW<t@@G%bN-X=+NY!~2~`szkV
zsysbQzP9xYO@ZJ>jYr5#wkAhilrJbQ{<8ifSOP?+wt~FHOZ$M;0sxGT<`NJPkfc%f
z3+M@K*f4~kT<h57QKZ93mog@nVRXvZ$l5vvo<V_PwYZ?fgRFo)lBA{#Tn%0xt?G%x
zm<!82HUiKpBi*a++~_)8V_h}TFXZAM)O2Uz{cfk~YHKfj=*+=7%g8WWL%3KewI!;w
zjW6m^zk=EL`(8E-Jj>m!k3evQck5FY^;H&aC@l@Xa)knA0GY%y`Q^(O_cJLIo$4vL
zY1k)wjEahi9`to{=_ldbj-eb5tG<T_&K&|S)~kQYlh=`uq~Mdo;uve&Y)-iZrX+TU
zO~j`W??E_3)l{zA5}Kf^O*UMY(h>d6qiVCznoWFBlR4vHp~Z_Kw3uA_Rl8&<BhanN
zgck5mA(NY@Wy#{m1XKz<<Zw8HAxa3Ih7;ERy$Qt?6=u86%j@%H$Fh@v+YR>U8aENx
z;Q#@j1P0c-+8St0gGdOphD^bhqpzbQ*L8<FYEiq<|6Lya<1OWDuntJ_?p2D4iZHIh
z&H2_^wt`Nxd{xllF(d3#IT<D=o?=#AGLA8!Qj%O=cxt7{#=-pfn=_J<MPpF)_X`Z*
f5kE-z$)nU}=`dG#>>K`H7m~i7p>8q5?#llFyGYS;

literal 0
HcmV?d00001

diff --git a/media/nv2-keymgmt-architecture-provisiontruststore-v1.png b/media/nv2-keymgmt-architecture-provisiontruststore-v1.png
new file mode 100644
index 0000000000000000000000000000000000000000..9e9f3231556959b30b7257867176991976e95517
GIT binary patch
literal 21581
zcmagG2{@GD_cuNwOED;wYOE0vjol>6m@&rK_c5}JeP6~hLzc2MDisRtmb7OrQi)JX
z%GN@uM3zdn5Lw^zsPFgp{{PqeUT>Fb=9zn*=ibgapYu7N+Yu`ZV}W(s)}c@+0TVLO
z28H5a!(SU-Zn&~_bYnjX#oHHYM2!q)`S=HUqh!?xe_zR}V*NrRB4yQxvZ|_H3_8<4
zRM|6>5vEKJrpJbc!0TZ609plydineKdwczDsfty_Dq(R-sv34G>auEhjn#iNl-1O5
zw7>1?zTP4KZfhPI>mL+EmsKTcC}ZJP^5%3;|B%Sg2tQdhLwIiz66qZT|HEbY*U}dL
zp~7Dktg?#6-xiE$c!m~E8M_Ov8+&^OhQiH|7Vx72mq`8$Z=X;WTtpiE?Lf3QBf>v4
z<ZpjfRF&10wf}zL9ZC27H(tEDakQlsR?Wma)P$@-!V!H4f7?XHgn9pK;~nkq>5W`f
zGlE(3@~8VU=rAW(|9?{v6%`(-X{i}Tb_!#d#d=U3w5-GbHrH@qcz8rcs2f>f>Cvok
zO)5*>!$K<(7h|kRq?wQ+Lzom}Cx50&gukD)mvL+~jKmOUZ4zSd7w+Y6qG3yk^!3N9
z`mwxhG&GnrqOTV%$~4*n1{nwqO~a#@(ScDEe|3j|FrO$AT%rc}TWZ<)`uUKFX4VdV
z5wWVFk#vpl5N4#4hgP%|d@+JZG<EWd&}R8Kgqjd61D(i$Di;3qKr=F#U=u(yGW80!
z@QYQoaf*($CxolAXbe9qdsC7Jd{tY;E{H*Oj4|`lgh#QwJsGi98Z?UtTPvH0KtpCE
zF@$bxuZ4FC#;Gy<82-L~3@cStRXUEz^fI=KGP8??dxQmqYT40@Jw1aggS`n@BNYwn
z2peiNCE9~TjHU#^(;ZE{Jpvd`4qB0(kuiQz+KeD8qBq$GZx$KKiX;RF(6r4Qf`f>$
z0VLZ%6AwqamaU_ip&iaMK%Hu4s2yfa^|N8o0{u)JqYX{9m^3>-c&fLxhpLT=Whl|m
z+#)Q%2G3;L7_nGB(IzJL4lG|22H6wmKy|W?^q@spQ>>y1>h>mH^cby3Y6M>0DH@M8
zi3#y$#aiJV!b2HBVH#FZ4q5>WJRyWh2*NV`$woF*ji^w&Xo4rf(8&w$U>FlYrc>2z
z$xbYL0>cCE8%!m6dPWlb{9#)d252Lz97|P+jj~q{r(uIwHs0Z$M$|BMPh&4%6Eibo
zL%gkxT__$)^f9JJhFCFi>RJI*4P$MZIW_=BLx@(7q|qITp0?3Z5pXLKQPaZF&R*M-
z>>XhfqHgXTMPqoYYuOq{c##4LYK{SF^w=<Hho=X`*wDjcRn^TSqsX-I2rSFkM8(WF
zOe4~i7G<QSqUi%$%h1<`q~+yFiw*I!48aBlP{<aR<Z!1*I!nXf+lfe|J33Jr&<o$7
zpb(ExE9*c8%fg?f9YLq4M46IR!_27~;Trzoo}t>_p#*K)U`w!Tl9rRTtqIl6Oe@$#
zL(9+xO9?UdV1z`eBcFwaMTZ7k(QQnP98^^Nux5c+Z#>>q!&=qChoGWqtsP4V^>tM7
z2&CAtNaSduv8t(GxG#~3)36Tmj*N_@#>9kbsgPsC{M2LZwG8dUV$BJfw3tXkb00e#
z&6;Hs<r8hA>ERh|6k|dR@QLui`xEe*HZV|4hC`r*1{2(#p$5$oZ*PPpSVv>c3BGE`
z6;DlTyt*}=Y32jFf*7t9>J&|-d%#*~hIktj{WX1QHYVY;0JBI34||%KZ&ZM$C44Q$
z!Zak()52Z_=Yi7*@DIgmlkK9613cAiJS>dWZSXK&?QmoD$N*KEw|}e!g%}#8;^}W@
z73yt7G@|*0Q`A^0>b`^^Ya)#l5J1%O)_|KbJ-k@pB@G?Sz<H=!M#ZW{`&k*O1(+B{
z1bJB5dXUYXJk&HIf_yAOBEn+rBQ3#Mk;q;_R$l&Esx-Q}Nf?#nXJn;m6k(zoX&V}4
zsu`)GX<_9NhI5S7VAzmw7LfsVh9)Y3u{IXoP67626oRd_m8F%n1<5GXgJtdD4-fZ@
zR5yyDd9!RRqTrpakxGb96cLOqGLoPj80M=MZQ~hc$_RIipqWrjZT+#9s)6AaShG;7
z6*fpq+uDapWmsvN(VaA$%;{EIcIHN!9@toGk1)Eum6f-tQGk`bjj4$vnc-t(Z%pur
zH1sn!VtM*#($&ZWKaYS23f_q7ucbkX4l)a{^z-%7f+4bkS!7KsD~74Hucw)JjFFv%
z1=H716=x37iWFmEtZGEJ3-h&eBF98i%%ij;tv#$QnVvCBx<!m<sJSZLFfxRN!`Ve(
zqeDo>f&SqZp+=@*MyixRONU59b!&ANQ%xlZuT5c@XxM4k)9sil6tXQ{lSGRNqELe^
zHLW6ynBgRCoVrt3j79+T$dDNv?8pj>_0=+?QHbPNmPsHLAH*c7djvQc25LA4v6xO+
z3(sIv62Zwb$|2U66cHJvsTmwajyBc|aIg-ihXn>R!)fHOSeCIPF3>m7mS*iAXd4is
zt*SvWG&8Y@rm6)*sx!QUm?l^UqCYL1X5$^8PWPh5ggb@fSlWSFfyTyG1Sf56vSWxg
zlS0H&qWlQKL`I|?$tDaN<Q?v1sZCV%(Xw=~r#ot?8XHnH4auSAvEkt%6o_et0XC+p
z5p-h*QzpfcWEVwIu{O7lu<`LxH;up&{p}nz5Etg{O~pFW@X^}Q>agia)?UcI4)=>C
z63Fl=-YZs}j3WejGXo5<=Ei0!L`#;LZHStUIl(HH6=S1j>qSs^AVu3#RERh{-e1!c
z9!zpF0$VVO@raFKY4`?Hu$D-;u+X%{v7!MAkes3{kX_BxMq;uW#Awog;_zxvhWG!_
zjGEDu$9xeAC5bX2;_X-$Mjr*6opxMaNz7XE?(v#k_fxN0+&t+l&(uL4zqys2`lt8~
zmGVh738@o1Gd7S-mfklxpBs0m!yl@QDjwrD^gl+uNW14zw&_KipOb^|p~~AIPj6S+
z^x|MNF@z_RqiO5#QsQIRYZ0%Omc;TL8J)4OqO`jBhc$*HTK{0UlXz8s?p{wbd9$-H
zu|&T!^oXP;W_PES!4nC*Fk!TGWohY8?<q-M>6aOpwET@Pb2uyEjVkiS)A`1NsgvdV
z(&0amkJjRoB-1AF49O&mvcU=3XrTLB8QvsbIT;@5Z(Ppk(4{FQnYbJSXoNNV+bC?>
z&A3CO!|1=4<Oj;`-X;F`?ezhq_1{~{53as8K)!i>^>sS|d9A(LrhWB})qh{Fc0v1Z
zo7MK!tFOPTwwGCL^JTSt(cjmr?PdP9S#4jm`uedHP6#izZMDtgwDmYIAD<+Zor(dK
z+lq^eIWEqAs0<X{zI}bCO9-aW2n|D>$g9q1tP1Y2vaw0}{@vfq($X_74igg-<DO3U
z_I^4(b+xD{zo0-Wjrl+&Z6_{6lD9#>pM>`I_O1wqKhVm<V-0Fz^j@zt4!1Q)Qc_Ni
z$MVuX4it6w<_p^4Yu2T%DU|P@=xd}pIpO{NcZqsh$%}B@Gtk`Dv6E*57k<v-<MX~p
zv!5G({@m^3>kFv!;HQU7!VSAMDDizPRFf!LY;VeV-HNzQ^v{E&%ZJ_u7`eEJap4Wj
z%>_R6^b}ahThVAoGc$$dvnh6VcJ9&9nhoRFsx;DSSGAz4zvI#ADsQ^FI8i6Wb&nQ1
z-}|+cxHxHyZNlPke3i80ot-wzAMQsC=Ud66tf<Xyh4!oSa;Z9#U}D1O<Ku%>Q%i;i
z6kWM8nL}`O6-P_xy_|J(a^mph*VWY(;^HtjH(#twT%O8v4_YeEz%1@KhpYwfc-nSc
z_bhIIU4mG;%I%Vp{wGH^K7aLUuv7qzPEt8sS*hXW<&}T+>fyTI->>CKD=Mx>HP^cp
zx~x9l?Bk1qd-t}atGs;m3VD$vnSc2*Cn{{<xv-b7FDL5e&71iSw<f3B^c%fYrIeHe
zva_>M2j9H0d-Lwy;h9HIILjrG>8+Lv8L)D7RqoN$(?d6jmh8X3=GNPzTAx{*=_<TQ
zC~J|9PoD%(XU?57q)?6qB|Mp)RzEmXyRJ#JQanz^0og{pT~AUmHAbafo?c#DK6jj|
zK6#Y8M@EXAI(4dyR$S3FG(1c%r#8f#SFzmPEG3!*>s-I5Zn1y%fB^UJUjHQC(*m+Q
z()+-eGUY$>_D_C&_PniaxY#0_l4^U+f&-OK+9B#GDke6wu$9%)-Yz6T#0%9Y)mmGd
zy>;J&GPqYnh_Q^Jno2%N#&kO!uDGOnZ+7l?Pw0+4dj#7q={ENFODnrP;A#>L`CN0v
zvDCHT(IYX^<&JURFG^s;BJElVlwARe{n>%%Yn6U(@{|k`!KD?Z9X-14eU+u&A1)Uc
z7pk)}fkxYwcVy+2R<ERn#-?q@xf2(9dNXo!c~IAji=UQzKARXiA8IIK6x3TQrlzKb
zdbiN{>(?*IqtdEsY8_o&&q^a^e%KdXy=qwO@O5dnR}O5@w=w>5PEJnYUcEr<){Kq|
zQn&VN6=I}Qi%-}1<FHK`d3h&~ZQ0X5oR>IMYC^wad{Ueq9lbeS<$_-Pwk^v056T~f
zjfDzZoD0V`Sy@{jy5(5P=%W@pTz?w?HeFa*xykqh26iBKGRMY^8{O0U9v|YYW=%>H
ztz{4oFji|F7#OIXxV$f&beZsx2~!28>gUH>C|~&K(WlZtGc&UkFRoMdUXOE1?`hkW
z$gn5+j$s@e9j$F`cbqTCJA3xX{rkAHm>(k}Fn)BxN4J%E$FrEu&d#|&=&Vsff?jNF
z>|@bni))-H=od_CY27l?bpr}zo&M0*llnXVb!2L4$~_%l+SSruyT`4T%ab1_9d+=)
z>{z`!b}s7p(2$Sb!d~ih+l=RH$MY8)I+3mvV|H&|zj^cKxw_+|9m;OC{CFYoP|~Lw
zokJg`>Mwn_jO%^K9DgxjWoP%qO(*JyNc8B3)We6lukE7iE&Nog`7?CB`(CJo{?NjB
z9kLv9KWeR$lat&1)L~jfYbLo@-i|9Qf9UFBfBd)~ne$z{c0GUo9OcOmFXjew-B=%)
zT_rB==~A#EE?>U<yt%nvP=68SuA6Yn<_4_%@A2M~Z{OOZ3~X&T!lb~J&v8@ci@#d-
zh)PJXZEkRRrnfy98yg#1*d!w29um@eZT6#n*GXb<VGHHlfRJ8IcH{HsyrP~JRvS<v
zTej@b(Q)3%W`2(0fng0T?0*z%zmwhH@3DMNhMkkM8QV1R^S#>Vb+w5rdf<`3qEB47
zfJu1SyRyv8;uMZ7{IR|A!Gm?yB9rf&L;J=)J$&BUN(v7z@0l9`Z~6z@5HZ|3sed!D
ztArjNp1E=;Ix1??B%E|Plbv0ZDgO5D+v=F9opuVF5K}tU%w;VCyC8XCc6^7L+D0~7
zEUClqN%JW=siV@d2M$a^Pq0m8i7N?r@7?o!c0#NIdr0o?4%*3V^=7F!mLfZMj~m#^
z!0_<bKU2e~cXw74vMHx?b6W-`U|tP{xFVyX=m7!iZrr#bJ}5b3djS{0z4O$OYsp*1
z#haEEW~F%7g!I-PfB)X8wtEwv>(upm(x>Wh@K<_^p%9v2+lOyY%pQ=e#0E7|suJ^I
zpI5lWW?@cXaMHJ4Iy*auFE7TtY-{^^KD3qt_44IQ_ukrgSa{R`{mP3M6nT+#dNCIB
zMmP<P!O5lA4FvgtjC^y0Rwhn<WY?+e3*(H8Y5NV$^=v&hY|%-FB1vA@GDb#5;3rPa
zFweg7fiN?1;_L0(yVDAJAK%9mZT_CE=;$SN<&>P|8kFm!*i_h3wYqY0>;VI=i_rVG
z@7@_+vB3o~w<J~`?_E>dBDH6a<>tC<#PL8x<idYBwyb@su{M6;!snj$_Kcoc8jkvX
zX3w1abE!u-vEX^llX>{_wF2K?eHWjNFqRq2ckV1O=^DU>em#~~doaXgc#`EdfV$mg
zCN3uSbYcPveHe_)gOGK%va&u%v(cm6;MQA@h2NvDkMafwz4-+Mn&-7-BKKZ&)Hmd9
zkSL^}?}heqd!`F&yd9ajUQ!ahJyF08y=l{?in-Ccm8H=A52FRZ7{2;HQrf&;@6W)-
zYYcfMrBqt+&}?OOby{ny#Tm1!`MS9Vt224IBr|UWI`+6V=VC?cI5Ai{y6PtpoH_r_
zmA&7C`R-x(cXGZs@Zw_hx1L;cw_wJCUVL`47CEMtVrpt_Z@(6HF>Dm>!H-<R3edNm
zr}&a2zr428Pla9h`OyJuD)pP@a=;#*<od^MQzW#_V%42H8zUkj$mZs$4!556F8|h&
zk&|l-()5gt-3GfXu0DUHtCS#Obmo<ha>?)C(YJ5ko|rgv?Y;<1ZK<!K>BjyzrSqjB
zL)q@ocV?`d-^Ps37fvL*@K|>{q)iV+o|P{;`+j+Y1@83hX`RTS(Ao!EVJ#{$-Vfb6
z@4ZkRn^%y*S+;!na$(^bKq`7P8Z9Z>HHmkVwJZdXTenVmljA48aG<&-yH1=ypT(dI
zE_Z|plf&J>(wan@o;~AORA3{a>-zPyJS`oa?YC~-Y9E=gQpnzyvpXs&Pxrv)*hk`p
z^1p<r07&#*MT|Z^h-&$|z(2$Pg)4Z?mSmaSqSCB<v5p5da-(TEvpOP`o9=&X+t`<p
zyyS)d{^)+-pKm#lu)7IKnujEEAr|TEv|~u7QFr`+U2}44;{5cD#%SiG<AIv@&vL-)
zvttAuZe=s&*F1*k>fqpjy8Y~2ZcffzEyO<2ZQJ@A-F1ZnaO8p_n4*}xWII01@8_)E
zIHaTx@q4NJ=3g)7HGeSkb^?}}QQN|y(-KxTl5g2&CH;m`mbd%c?G1HP)97=N=5zhm
z_Jj?87h`|DGW)z$HRw<5`b5q8oMc$$Mz)~87(;p}je-l}GTg;}<*3CuS6OPfZjVV_
z)yBJg$Y3s)2p@kyS`MVmZwkh4Wr;SOw+K35sKnE=IXO7-C|HFim*X1;nUT}VL5c&V
zqe1WaBv}k9m1^MXdg*rM`Rweqk6Z=aA3Y7!Ps0~jeYwc|T>tBr>cN?JqgPCG7i)Qv
zc)79&DZE!O3Orqo6{i%ecg;kSA`ahPOFt%q3>8&(RCf3wh8?dfOu==dS1JWEO?qS}
z-(T$+%NrS9WA<j}ixYP?rO3Q67<8|sW#;5?A15^~RFg=g{0=`>UA7Fnx!DBp_Sg4!
zeEouh*Lw0xB+N;nte$BITa(ek(x(|23Zxzf;^h+ScY=NV$;}60u}k+|d6!(8VuS8X
zlj-TJ$`XYco}61QYGvMdN{3m{Z-H>mWrSvqeFSi@W5<q)(Z<Hc?z%+%oZMXSRoE*;
zz&f837J^X#k18@S(nR?|)Z%=L+YhY_(kM$BMkG?TY0cb>V`XW<6|3g@XmY9D{gIqV
z@|&Hpx>|$)DcOLH_sK!S7Z!U@tZXmCAmLW8`PHT@jJSS6I(Y4U@$(|bj~|cQtPgpK
z^!jEg!xU4r&00ADml-16St>Uz@??iJ&-a84clqMZzv&xm(bfF1&AU(QQ`U*z($O;4
z#KEv%118r_;ex~84L=qoFc_-u-n~OX>h|1_ktS4dI(hoonTy^vo2+ouBT8<e;QX9x
zKQ}0v-zc1p^4NbJB7;|uGap!}suSy&$l;15X4!z1o10*hC}36Zo;>};6KcM#?g<I5
z?}ia<f6X%Q7gy}e%nXW*CVENXh-p?Y@ayi&#AiQglzSj61|6;GXOafpWyf=|XZT?v
zq`%*i$?J87N7;Y;&6ps?{_f5*e$cxTF}lLFn+?l&NG|d2VE@x&V8g7LAK5K>Y(VCx
zb4&NUrof!=A#-Abwh6@lxSp+myJ0)uUWaa`adMyHU@u4U@_pbEzmz%FcF}CVumX-O
zCF8u6Jhds#{}Y)m)AK_Aj1mv3`_Tcd(-heU4<D94c<{pam!o}g+ly#fHh_ZDr%$7(
zxs7=%i@yB){1d90nnSa?!YO-@rM@m#Z}Roe6=CB}-lFCE39bb@12)F|I07+mPF~JL
zp_44<#+Qu=(m8Qu*0(qDi$Ld{+|Q+vXp`IZ8I5;*+cGX*R2s3=4*P=2JtV`kU~=l|
z)2CK9?DkES#pe-ye6IG+5`}6FkTuFlR(Gq9zU~uaiCakp>ukRoN;qF@UNs5>J#^8<
z(zwrjv#oCm1zjcftZEZ8He&CF$|Du`1xm`qek(}vN#V~QoPF3UcoZWuG&IDzv?nP|
z7BPu840qqeS0}x6YW1zprx8~6rtEatIJWOm<7+d_e3#VcqvUyoUHLz67i4ix1R90t
zh`fzv-Mm$F$Y#jlhLMa|kA7F%_>6lO{zWlSXywp=kW_;dPfvR@1S&nTVapHvM_}Q9
zP<?#|ahX9=vL?HpU%6eS;~dSH6#KbXUWatfPA=-nDGaZN7~&Y%n4<P04`(EU924&-
zRn@(Wmp#ou4eU}6TFbF`E=B_)H^dZDr=!Wf_<O-;%<dJPk{v%K1M8m_1!E~R?;R?$
z^DR4OxAg&y%XjMSs}Nb)8Rt35^+DA0wVBt=pKQ^O@0%&NPqwe9R0@hv%KZD>3tvlq
z>32t2y=xu`kZ|K;V-7~uf2fMnjIZPy)E%sznm$3eHQf4Iry^mK3IFel-7-8$RQ7<-
zGja@j-;8m0N${83-B+LfJ{;D}!Ml6ka8Sy|=0lS2q;OAE#`YEj`|2H_UEXVb{@d%a
zcUCh6DG$Nwj`L4>D|srMkj=2xEqG#^8Y-d8c&nncY2kz$Go^S<sVq*2c-_5ko6Xiz
zS(>7d<HdHHa=}gSTlIW=yS`4Q2B*dy*3cPQdeE7<Y{ufV67QIQzk#SNiQ}Rcmai#a
zGJAdgHN@HH!`x+eUixpgO>UMv;PzXoP&0nJ0*@l+In0*bMMVcM>1~J5w#R+omGAe!
z-gWpVYBFr?(}b1%bp+YZu&jzEyHxUYJAZm6W{sw9>{&D(J37r@^QpH-1jAJ>9F_s0
zj{`h{-F}gU?l|=q^_#LJ_b(ZOqh{_p;a6|#cGNB?LM~=oNuYDwcW0?IRudlmS@~YI
zb$Oy|xeU+am|N006K`^*H}xC|eq0)eXW0U#Nq>2MN1A-nz?U86%4}*=uF&;IsNmO(
zX93k2k_~*#^~Pj$W_@mZ#;qv%eF9yTd*0y9gS^OSJ@8`uTVHK;b^KAX_suAK<il90
zSjVrFc$;UsQC1tbZ_P?RnSp6I8JwjXoik~6tAr$V|J<w5AnGl}Oo-!tZ!~O14t1Ah
zVB%5+gc4wmI<AIB%qxC&#aznK%zjtk<Le^$U6xn+#b7%m92b>zE-M(VZI+sEKj9a1
z?D1=iz>V>S-kEYfkIO=pjEtPf(=Q4V#f~18IwQmWMm*QpXP)%9;!?%+Ib~s@`o<{6
zx4e<u;&yLm*kQZ+i+QsM)BUDH)FjD|8|@iop-R;XnL$Pw7~Z6AUScZdW98=kO2myf
z9JpXtr5!hTGWg|YC4#3*7Z---y>DFJ@&2eJP6(DH?F=T;bZ_p)^XO=?NLt@RN}f>b
zf4)T=u+pFos!P-b2i9-O4EcBa6npgY-Oc-j|9kW90T|#oGqC;>&ZScNr>!Q>`YcYo
z(Dp-R&Gql4m1?Ut@9(?4N%$t^{D6Vb6OyC{qkH=8)qHcB>KXp-_Z6q$DwnW~^alob
zbZ*SD|Lc1=7qN8YYM;JvcCsBT@ieZ+3%fP!n;U!oC1}rT_{41b9dUKE{Ncrkyz3ds
zZ;noAG814IKC4VIL8r(SJ&ms^4gzo+{~@o6hxxFyt*++Ug)I%tLK6COm2}OkIwC`I
zpY>;3<?Xc58x`TRV#lsh)Lri_%r6Gd%Ern47<k;eH}BRL<&_Q1hbDO36a{YvNw1H0
z?UPj)l-%Usbmw02+APk#^|cP--n!m3LVeG=hAs0P-HDYzjtoWiW10`~a@)lSr34nb
zqL(*kah400(~4P(b1EcbW4h{D>3E$GmGiGMYu7di$nZ!=;ez(B5nC$k@Ov!!)u_NK
z|L$FpmX?-~lM54#f|I~`tU&=ac(_e}<>U7RV7Y|24&}KCalNlSd-iO_h*}dcP#qsW
ztV7K~+6zqFVr=NLB=4GpxjvrK+1Z&tul=q(mc-5RHcKT;RQ@Vk`nZI@-0|gG$K^AZ
zE;T_sY5)8g-E^kqg=>GZpq>FR3J0Tb7j&4d^gQQ#A%|2Buiv8lWw0feHQB#bd4Dx<
zfq<;%%4KC`k?#Xj1<*MYNSY>5z^Gx9{YGhp-?|P=@wg3s8JQBCp8D|ZuZ`%ZJgn&O
zQ`e69RTShL5~9qAh$yeA;jg3#002ZGcYhP00a<lT7J)?KUbk)?rYa9|Qn$n<4gIRy
zx6OXXIy-L{^*nRt%!CPA&hiow5DDbUKm+n0d%6ZCudGZ0G7<{12rV$$^UQ7gwrveC
zZ}~Pi{_;0uw6z)4HoC`6(GC#fg^c162$B|%GUw?>xGA1A&?(c{Ch(%Ag|5D>{O;Wp
z9p)J9!8dQ;Lar{Hu9AN8BqxfWn^V*ik^<LeybzaPCGB2UZ&mR2&j-eJU$(Y-0CU92
z$@vcypjb-m`g%MNGFPwegcKbTA4uSi*BLj7LVBM9DKNIF{oOlm6o8ZGFJ2fD2%Nob
zTX5}uS0*<6ewy&{%6s%(8NZD+m%K;!ATB|t(5O&T7=nwdsr1Kec6=VEC;xcO6dKr>
zHCf5;gSb8Ud*h~#_l$)0RK4n(|I4*bxS|Cm^oWj*TY$&expOD%6l+)4)?QB|qqV(`
zK$CsEAHkabCJfVh@#0$4^vukk-8|AYL@!xw0J@M@cwVh^2kaPYGOxh*bN7_fhCai~
z9r;B?T%Mkuz+g9ac5X;~<%+&@=Z;<_2B6ULLfuLaec{!4t;v<;-j%P<a!#Li_wnII
zQkJb-@if}GHYN76lM<Kn^A9p(*C$DyN)BGX6F6554UM_QskQ=}8*|aeo`P>?7%KBH
z6Z0WAT;>rY2TIwkU(ik-5PIZie7B-)XLlBFlb`H@9uJ=h8h9a8!jkuBF$Q6u1_r#|
zS3w$wBon^|TNbGcdThu$lT{7_PgFV>_N`qi=+lEuz}BG<io0bX?0ctdZK({;jmG`k
zYWJ$B^xeVu-L+xy-M|!87Je!o#gG-HAK^ZYo)hYP`NKT{M@DxXzaz1|L`L{X2c={H
zk_w<omVf2exyQt81t_N1+y~ebC@di7VOF2Me98Yge%6II=^%6<;r1g8kT><BjUPW^
zlwE6h@j_TER#NddA(;8I`%wJC@5!%g@sEM)n>!G>lLt~$ywJqtGl@n&^?sl<uc5!o
z%gHdpsvPcKtGpQRZv;C8@b~v$`&)lugCTR9AD-t-2yMNT8~pPe#mf}vl#x91(Zr+M
zO~CrX<scEhe*Mc5%BGuC+I2v;t*`TnX+;d0a%BUMfr~T2Jynx#a~r;X{R&Lxi)=+;
zG7Dep@%2QY3`|Ye3(D=vru^)=chYgXWB`Q%x@z&lw&RD7J$ELf`((c{GHB~d6rwGQ
z(;BK8@*zZI8#oL9ZaYR1$)yeVoT{ZHg_y|o42}9q{6PPF`qXH*vhsX<&HJFH%f=@s
z2AVfgi{D9pK6?T9crdl8Kwyj}q;8ENGuYjI#%-2#IlIBMec;RO$}cxr0Y>USwq@p<
zXNY~Z46L{3E82utVt-Sv8I)`;a99>o7}@nz-{Sf&V9g;3E1|77ag)XC6h`49-`Xk~
z&J$+uRZ6<_+E>5Gb4Xd5Dm*ItAndnOkLe*v-Zm~79%gYW?0oOU^pXaZOElrJguaJ?
zO5Lu#F4yjru0~!DecG;WoBWPFnW-ej)Gc*`UrL};6-+ITRu{#Ftz$3`CF3QpdwTW=
zf$3!GIfq^m8tb6+L9QbX=J*5{XG6v^3{>=ZQ^tj!jkS6!)VZ3%t$BlAOd-@RS4pGB
zo!6J}-ra=%=b)U|72FKk=dC}Ji*ScQK`*}t3X1PD2ne|O^BfNv^SC8<59fmuqeWE^
zBQQYI{Cs~$US9q&k3`&;t_ARz1_VNK+p|ne!!b+7#I?#V>k?_gNEGiY*#tiXcuL`}
zds)|hUR%z}%Id#sbMfNER7qae>?dY<bv5su_vs}i%I_CB6H8wMRSSvQ8mi?O^T(TA
zsF7XjMJ8djogY8G^z~jyD&^$$dyIEyDe*Wu**^+asxG{J?IqnS>kdUrq>I^gG)#7T
z7GY87=8Hz#-?qn|CT*0nFetDx5HZ5&#ho#2bjRj{Uucs8wuTdRIw$9shU8CYNu;C$
zVGTp$gV-16n%eBu0Cck86`LcF&0Vr=23`$3Swrf2vV}#{!|__hhpq7MF);eC1I?%6
z#-3>P#wEj(zCb33dbe@XWNPzg)>i?&mWNQ#xqtt@kdZJ{wH|{rP=V^q6&t=LQHV_(
zC|g_G=PfPC@<*S)d`Wb3a}&}RXmDH1N!G7>=ThL@38dgBIULv2d@D^@hNr;|mZ$jE
ztz=2w>o;!T4;;{Oo903NnwkQShLq*{!578p9{z8IY+@j41C;mV6%-f;EVD#QTpzuV
zdstanIaw4BH7202pr%zZ;-|iCe{~qgNpW36h<3}viOW2|L9Jc8Ry(|(3#tS_1%Hkm
zQTq7kz?S##-$MxGMqRg4fYs-j9q)a1VEhpq+@a`k(uI978=&L><8`>T3966)9DwV1
znz_RmN(c1@J6fcV_pahECC;0761ZTKTup3n-WGKn-KUzxNk4f{tou?$-p#iG%A6=|
z<`_m~-P%j~iOS9wc&NEgFX<jYRihQXeSG?%`k_2N{PvdPzT;IyJe~vS`L;p#^Sj%A
z@6E!XB%wa$mheYbe;G<})!|>cMLlay#r`FeIZ#j=M3`zSjn)9n4+|~VQ)XjnDG2fQ
zdnD@J>$J4O=Uw?_h{fd|Y@|Rw$SvZ)czg0oFtxeM+M-I-jQeNMd#K?EP_B~{V_qaE
z@UA&`?%dq+%Hps-_*)=k+ahGbp^}3X?!uJVj}FXA%gR2bFC_B_PBhEq8I*SEWZOew
zF}D$TuRr0n&kL%m9CCu+<{%X+;Qhi*tKrnu)wLhpYtvhJ*%$XlO3ZalPI6r_ucg|#
zN7={=U%-WpP11JR$HA7iZr!@CR|pk1|NR;Scp&e&Jk4@K{bt8L)okp}#smZeJQhXr
zd9R*hM~{~Iwu$fFvj@Ty6k=e-;3qvj9V&dMTl$_!Bn~|LBhBu)7ur%${9`88&e72`
zD2P8@Wq%ER68rGKS^#07EJZ~{!xWHWMZ$RJqfd2-5)gV5^b-?j<p#hP)>cXH8`S@0
zkFLEd4Os#iy?s5PTQ`#8{gwn8kiJle%}ZR~3S_UpzyI~y`z-~az?cjb5b)OhP<sFl
z9yaEGDx7=wheFJQ+A?B4b9352ZcY9f&VxaG{_Ki+{I1v;0fx!-2YCd=!Oju4WHIP|
zK+KYnQBj-#^Mc)Wy!#<@&${*Np#b`7BTq?jaUU4VP~WxxQpL3)PtU6Px~rb8CbHS=
zrG(|>G0W$CH!=Gvr9VsuyAJFBGDd@!zC>Fu!#-{#Z;Xs&uZBkI>C+<bF=<dsM;Z9~
zUfX>qAUs^f(vLa)%^KTup-OzLw@xsdBD?-o_toFxqM`>43%-<&eyCgzrLh49K$X6Q
z53bLmFCit#@p~CS&@#(<YI9*6j{_<_pxP3*P(WY<(nKu0YXt02(AecZ!zj9UOtou6
z-;QsLuy;p+rP7`*CFqHbmtrndO4kG{K^`9lWm@dsy+?s{Wb<D^7ED|`XGWI{rILp)
z69Ot}lMoB{#ZITOV}c+@n1kStTsb*AJhrzL<||GwMd>6|)JE`7%l>6eMry$uJ_BWX
z`0(Mfva&BT8b{hUsN%@QX*cT?g60EGwLRlj;JLAB@~NfUTvR+*v*7WBBfHgUyJ}MG
z(1%V#bt41dR${-(J)3=BN2ac|DPqZJ8MeTBd(HB-kn^Mt7%;la=4dhP-*TTDLKI%#
zd}yGIUhZbp`ren)^VL(QPsg>T0OTLHv+pcr<pZI4n&|AkIkabGq;6TUaF#H4!gANc
zPXK5g!tXiUy;FIG5FXFG^T-4}X>!-DaPq-LmCYRsQgP3Q5!ibleV0X3q&=t&68<BZ
z1Dx2t)-otzri_yrk{&#DxqMOgs3#B?3^}gwONW$e?~<UzoHQY}>o)NTI-!Mw*Fv%3
z{JW%wBRn6DPOQS$)g0J>kuh;?Qy;*EP0M$s<NTGnLC3-Cu|r4%hpMfVUgNJ+{jm04
zF|V8R`YK4I8<_I9MGkP8qc@BtJmt9qA#*hC-RKOb%cB#Jn${A;I?IjQ2T|H9n<S3D
zOH#a0Yyu#)9#TF09J*QRH}4UQ47g8(2pcF~>u85|K*&nKu6P|e$jRf_4U}?Y@}Lk<
z3`owtnjs<C@j;+5R!6f=@u~P~Y6v5@Vn_bOGbV)pbMw_??%z$=$rzvnOscAsH^nsj
zwL(_^guAKzP0F>wL2GM%b91Q!d1yv{zcUC@o-{r7z<#-w&OeRaY(EJ9Q~3{BPE<mD
z49KvIje_(mej>@ml1T!vzCvomdBKdME2&2Hx?DD~m%oVb%g$b2&R>314vf%?*caF5
zoc0%Mm~-WkS0=3|>z+Koj2YMKvJ~bkDxguvoT{`>+O&kkrj?eJEo*0m$nboki01;^
zK&X%C=CFD4MIKC}GITdH30_$9H%mnyndzXw*wZ}7=yKEB*V^Diq6lCUmwp#?vWZD`
zo9Lb$-@oJcz-wq0#*KVswk&IDB=Z5=-7wLc_!42d*EZMle2y6w11ryYea(_5&J&=%
zpPygY!?q6}wzcNz3tsLJotR1cCfA)9mw7_?nV}T$ZgU6g-4D8!vRzA!eSCHvJ$CF*
zom&k{c;dK*mKLaB9(?iz?3S+bZD#&psWDMshTWY_s9|SwYXxU5EnG`a&)>2TNG!$#
zHMh1l^)<5p)Gf@<XPiHO40^CbR(36*YbXT|l`^BFrM0xSpukWMa`K=7_&|y5^8Nc;
z0dhkg=$<~gWN~rt+HA_&RKr66S-{yy@7MuF*P@~#B#i=@0R(?=!hqPLqM|Iuc~C$;
zBSj6U6<b*y1T^EmZ=G~X2FAk?J^5KmOh9($K-lb<3$_VKgU3GNK0*z5U20NY!qR-y
zX9ewuA^wVriuTv9A@!d_rK^bYbN>%k=uKSFC0aj$K#B17c%k-BpN_9q!NW#BXq++I
z3AJUy6`Q`E(7LC<57dhiOihn9F6}$;8zR%s-a3iV(b4X5PadetCr!$y32mU@gz5|#
zVJQP&<Vps>2d+bf3{H$a9G8aTK7l|09m}_G-wt;8olec(wrv{(M^Fj5Yo15MNPszC
zG*H^|^oLb5K)CV@Fb8JrT1CYM2tEL5P*_#fHBF*duU<`>)J_w^Gk66HSjv;)4o44f
zP-6gJveM&<2J~3dpZIHlPkoyJ=${m_=jOhi<aoY-XdEB{)r$glLs)f?YM7y+T;rbJ
z+(3X_)i^r3s&NStpEiHv`Sx}ztT>ObG^9L-E*%3~)t@Ax0URVcIyz1rO$2ENFgIr|
zTp&h8X^48V<|Ycv(69kP+SAa`um*+&G2_RNA6^V_<sb!dcR%Rn3y45F>c{EEC4ju3
zU4dM$!B5=-SO<XN*t2H!EDSMC5|_dgt9$}vO+bBfb8|yQ1~4W_wK6YUc&WGy6$gw?
zG(Qr(vg6&{Bud=s(AFY!&GS&nO@$gc{P_Z~jBIL3fR3%w7!Y@ch82{Ro1nUQX<y75
zSl`#LzlQ1CxEaBnfy)8COMR&kaZkAn8<a#g?`Y^vNNEfN7O(Ozsfo0uHh{UJ42+H0
zw^cRIzXFszKreufC?h~+Y7}5>b+sree>FM+Q3FfHooZM=``S<aOkN%jN<6D`Wait?
zpDB{O`^@b2?*|sAKTID5`jUp(jYh)vLO!i)x-4l(-rd{>z`f!f<NDl}WI<5uNW6(S
z+<)JSJ<Xk+e9z3>94GK;U*a+bs28fMYfiA%`B#7;*Ock?je;dw=p5ey`jwT^k`fOV
ztNT{Ljlb2?h95s}mWHOLp(dr-Y(WXc%911@kGOp2&Z)X+&=CQS2JQxg5L4qmATE)J
zT>>JmKi4gR!+^oNWz|ph<I$jc03ls>ZM@Fjy?a3dw+`}oUESlL)C0Yci_7uzTA?61
zK+<ejNJun*=BNho2nd$Kfrvnr@8DUd2qgt+FVIzibP7_BP+`u4lDyS%e^e1A#re?J
zA3hwN8gBCh{{#Gv02D^YK%xM(OVpDS7$|{o;)yDglI#y3Xy8g(s{GZr**Q2!gDeY#
z1`*mm!NJGxVOQ0DGHfiU7}Ml;iVq-+A7044oQgt$@xVgey0sp32B5C#TUcJ`U1_Qe
z>_TiD7^>H=IU!F21S~T&U;yA+n#X@2GuZmpTgV>-e!PkS2~_q9N9?Jm*=fNZ=IA6z
zcXxLKhs|5I04Wj>7zjHs{A-f{Xxt!)1SJarbSKf#9w8xUPz1CGRL=GEE+2**1vCLr
zgWUm+0653BLOP6m^mhSiHV_g8KsLR8{TksK0bzpP3;Y6*XI7!@V(ZthuV#*mqsA+$
zH<X*-2D*9oA|$GB-n^NhzXuJMexf*P;>TM>kxiQ><AI`rBHcRR8n4(ivkyq%7+laq
z_kgCy6eey-ip=OXV94Kjm|0b&37SL|6^_SI?_Sp}&y>n5DiSO#&_rt@oh}7g5Bl+v
zkiM^z(|B*)NtcJwxL5u2e`S|v+itPIyP&>6Dykj*QxwU};L&*4RHdaS-F!j+a{cDb
zU&G}>Qaf`7zVHDqhJA7^FcY+epuu`x<y7pDe&WQhBj=7CJ0`UtH8ge~kwld~`n_#=
zf~`LnX|YZ*SQ1w=`}qLEihxoR{6N`(*^uRyPcH9XgPR69<GFL&?p9S9-mojYdGp1n
zkiMgn)0MI;@TuP6i26a)Q#<mTQ0>a{fuG&woFK6Sg@JFvs~0aCMtkm+M~yfrKiIOz
zb%HCAI4x|+Nb|X%n+qZA>r9v1v+;ykoyFzZx@TYmTkCcB^<{YWysrvA|9WRce7r7d
z*2xn5*fH=m2_^IMv7o7}7V95YP`nkKmmEy}4s`Rro$FEh%X6SJ1poL1xCzibPQvn_
z9z%lj()gshrsl7?J;L!&bxEE!tMxV8xwa>L&31vT<Xmz*8qD_0*|YVa)`ED#8vLm|
z@*Pp3fVXIi8vm>d(yaHsdG|4^k5t4B3=TGT#vlrl4)Nb&ERe$XeXoHu>jGL<rjRp>
zz{<GPjBc8kA1Q5FKAbppzW1QY;a|TPwTUq?xWrFyqgQA8e^-q@coqAAIqrH%pAXe~
zQHRG`<P&-_B0KwSHpb$DcKw1l$~`Ph2=t}J#W=A~1s#52Loc@i<p(mCL~%Z0ZU`6k
zRf7{9#u9y%U9RgvRV>!Ior-?+=uw>RTITB1tq0cu+YUD9aZ++p(wdsMKb?cC3m6P3
z^wY}!ullss?1mZ+Ni7#m_cR|#)037(WNXj-P0y6il$qwU)c6m8feyFjF+Us<3%a1Y
z#o2^6=}SZ&XEU9%xxVTTFY3Q6A8Nm^E|4F4z(*%4fdvA?fZG3ebPnh$fO!sz2wzfL
zCx7(Y*ckVheNW3>OL;u`K>{{894<tcwqamJ`GFOOAA~A_L~CUhIIcCdf}w}$JtZz1
z0zT^Ip46M?ty>xmoqVRh+;J`9L)VsaKyc5sTUO^41Lmlxs0bS)QoHG`kUrDNNjB(C
z^_r3F<>$}So}q_84+Bg5tz$=M?>1o$X;~iUpRZrf&df*woC0t_0=46V2M<_^n^1do
zbYjvX=yVPs#z4Obq!1}0;?8S&ckAI`UoS6MXh;o#U3|RCHle`lgRzv9w0>Vgm9VpU
ze(hhLJekN^dfCsBMG(yx5K@A8rv)DV;qG7#;fut}n4+0xdxcG~3x=Z~O@o9%Qc>}k
zV7hxcV#9~&54Tk*r3RF`JmfyroU*tW2XQ2BVe}s2(B1SuEhl^wP!t@BIKm{O>0g?T
zZ?BGDh_2o<k_APAxaB{?6`OhB8Fw&HC*sg9$qi9tGkfE=fUg9>PZEf(jg5H#p6tFo
z5YSx(Rt0>?e(nu_{`~2_<9o7ksd~GE_{-sbzJD==cnkBh%k*A00peHbT;9Hz21jMP
z|A9UG1$wHo5ne=MQR*KrqVw_OL;7HSobsi7v_FKFlyqul@~BnYj~@Z9lY#;QbV&Ds
z5CCx+lpBD`Jl$OXwk+5g2W$m6O)U0t=^gM#7xqTI==(R&Nhm=Az?a&wc>wvG9p2X3
z3KI3Rj*B=P4)Kz%wQ<dg3$?X+@3BFSja33jh2{SSO~wvq^Gw}mB_Y5giFa#<JR6i;
zPToP9=VK@bc74Ar^B?3f(VSn^Smq+o!~K|G1N#|(RNQkdPkx~1%c#52vz*o9$V_b*
zhxAMO=n-xltL4p`)34iKL8L|CCdl*NNB7XX#|{VY*}Z#W#m&V96n$mS3T_;nq7Rlx
z;<O=ogix9@Ak>lqScG~686%V@#0@9+UniXV&pR?25F0!}3YWsR+PCH3x`61!?!uOT
zv0H{Gi%|66R0sF(Ry#zpHw%mZ&z(R4Kt^*3t3qnDJ~jK_OX7dNhh#m6Bnw5e2tN(!
zvdFse!^;ihVx5pMA$b#$mE~qmN5V(iJ38xLUY~QLihLwU4%VJ5Wv{VJlEw*b&mlVs
z*)8rlQ20fB&8}5^Bkh8>dS4CszYrH*8yptYBBTzI5WJEkiAkI7pmbP4Pw-DLFb1gj
zrf`Zlz>VO77<?U0C~#OZM9nA-<k(npi@Ob!QYF*oq(3)O>PyaC?h{A8nsR|Po&niC
z96;cJta(hTN?#>O(j$o_s3;KfAtg^$)sO}`*6Lk}8`Wt?Bzcp<4k8^AUem98TSNfq
z9Py<vjP(E27o>+o-n5yrP8;X#)85|JE;%1QB+XwkS?vaOJmYg(yBtY~_#8wS;?qZj
zxr7-Wy0`BNBZ(^)i{^R)IwSr0$RAr0_a&RB=Gw@vrVrKUC<*5#shJ3+AS49uj?Rqd
zJm<9<i(VVeN4s}^pKzZV%HU7E3sAY72gcu!_9mcAls~g}(+QJn1VK+x6HCGO8rKPX
zf9G4KuYQ`QS@d*-078MkSIE~B3l>_C85{)k)t!ty)a&w#LutC-df+8U51hgF_QlN!
z0lvws%`PMK!kL^M+wIZin;mGYDm!stS-rfyLHWH9-wH(s1Qvlbe>4G(q6isvjE`_3
z_4<^|;|gr*kBll>F(e7eq|5bCO5jHU6Ltt*1CzI;H@>*IPt;R<?Hx#7L6iF@{-V3E
zPM#?K2?x|Chru60KI7#@tcqu`L;>nO15OGuD+rGqsfHZZBH?orbO^}qQBep34J;!r
z>(r?NJB4t_N>K(-@)h+Yo0!x?xeN+qndi^1w-!Mp?+CYz3R_u@{|W3I%F5aK7>J$w
z;EX_u{80pVL&X^N|EKCDQ2C{$f{+Yr$Iq+V*w`#4pv$L@2oo`7)`LQ(^eYH|>q)&<
zQUZ7tPJVDhq6#P;5z`_hEx$tcIwd6~giZJ42ZGMe-ycMLpuA0P_DZ5$X@Eoq=?{X#
zAh;ZU8<3rveL_MX&UGj#D1<@k@b_fH|M`>vbNut*tmKhq3B-m;nl~{XM?kO)Il}!<
z#sC!W-aWmt07Y5o&i++7Flx7w64c-&5*It9Zri!JorI9?>F>{%tL)Ohp*$DiC+k`}
zE*odUNrp?8#39dLXxn|@)>}k`4yY{x2Z)k;8uOpsvIHzU(6fL3#Jv9vcl!GBtQsU^
zY)M|ffPnterK!9XP|UZ~S9$oPBUQ|>j7GV<xHZ-ykR03Gh}^|4ER;?tfdeCSm<}LS
zGNN)!2k*4$H3EK+;x&BScBoe1->`Pwo^BM>pO`qQ1b{Nd=Ef5^I+2l?c?baN@`r1A
z2}c1bDzhgi!<Wyg;nI&Ehd}~n@POR`iJbDF)&Bi2+hm*Z>#TKwPas_uh99J+0ow!Y
z$m8E`<^Fd{sqo=LM6O%YP<->|8kC*AJ%H}7aH!*OvzH;vkb<J(rxy^OA@=w6(Ic76
z2x|apt4y<!VCVo=M`wMLXzK+WCxmPuo~I%}T_(-_ozA~><jCBv9XoDP5<R4w>ks?3
zU6O(m0-GyvKohJga!-m-OicPpZ@dkF^yT5{#>bCQtGeP{0I!oJ5+TQf%>XFiBm<5d
ztwrreDB?sAFL0qEBO{T}@Gfoofxsoo^)x`~N}!&G&=<Wo{MG+{xW_dQ(9EF~D5jr8
z1QRH#i%V+#v!F*nGyp2dx~N7)Zj`>eveGC@ikENIn71&;i2r><W*?WoO=JOYE7?E>
zr(;G*s=dAY<~pU{gl+;DaEkD@7u#@<z+!eD-zBoHW~x=E#<p7m^aAbe?I_8+TkT8t
z-|vqUv4J!Q<Q6}>aG$)79$y4+xjhZMh99q@2?K%jpalWjIQ;IN13)#{KJ)RPp_l<D
z!cYaTuG4^(h{RR5h?qj;#8!YI3XmBYLkeU#(1ol-6SxZyfRxGu@5TXTh_h$6!a^bE
ziy$)va{yWSQ%G^JdU~z4ZUaL@d%f(GcJ0DLkqL@X6bc0~JiuD;11G&M_9i>rG6GBp
zk_5yw@4WvRw(|LT9}og?yae)Vt6Oh@dKg%^xHoDYm^-jYauyd3z72?aE)r-Om$)5t
zTfB!c4)Y5tRS|OI#Dp^M_3(ys?=UH=5!OLPN9P!z&cgC?P=>&wu7!-Pf-k5u-RF^O
zo3rS{=uyMKKt<r0AXjl$-xdx^TG$6r6uGw59?1I>4<78rHX%&V$Ov*&Wbz##K`o$k
zfSaK?J0qv*tgZXPR%}|Yfvq(k1*Zc&FR!Ws0_6}SYM^-FymI9V@PLpR&n+*EL;V3x
zn>>?!{pr(a#;$icbIY1S#M8ppF%aY08%3KK46iHf@`FRWf{Mzr;!U7V`r*SlM+PFg
zL46r|b$-#Y2FhrzXej5qxrrDpV~TFy1TKjP%vaFnX+W75eNwXr$^ff633G7(U(y5$
z4=AdE{6n84#I?UR?yTI8hfyP&U;3y)QaUmH-FBU#F!8R?bqs{>2C4-bHIYd|<ty%f
z^5v>|LLPHR6xq_k!UHHx%RIfO$oU!IOWfSXC3$uwX3FsNoEU;ce)-bJ=7O@a42jD&
zH(085pr*OxX9-6*cw3z2p4(DyR8?(mZf>sVf_VlDhq{UtmHNCb{>x(yh>2hZ#Px@s
z*B8AmV5^85R%9nnpZl)=XDQx$M{|8`8*-p%aBy%x+UCJ1fX}l?NmIYc8P{FK3whAC
z?b|t?50*hbT(h#gu<zjyAi$Eqy|Nc(W!R9@0iOYyBlq~@Jiwa0eVcmZ2p<qpbVxb`
z1O$NQ0d5vSP@C6eCX3iqEXu94MtaL$RaEpI{;hTQZe|1JHv`BPJe(saHCy>B9XVUt
zKV*XLDs^MaAH|-3mC#%ODlpiZAhZGQg9N6BBw?!^Ku-36GU?sBh9J$auybG^_}tlQ
zZ*LD}MucTV4!_*Js}5Dd7S*R85Yh*`!H;@_t@6^p65S(k{J3iP+zZl=3|AMI?BG4h
z%7-aeklX?^L4u<qA|fnV9!Ns1MWAxM?**PFNzQ5n<{UUf5L4}Jnb?cNeFtND83A?f
zzJeX#IDu1l*KN6tl+b{Fsy&k#e3k0lzW@Nmnv~CA#Z5>eJo#}8+V}Biu>5c#zjyc(
zFJmI-p9~~2{e4hQ6xYJhw*jdZ*Wg4}n&np4i*&3gR$YAnTMh?Y1rXf?K=ekH)`|z6
z_Yg;x&j2J<Bc1!sBct_u=q(P=Isu|dxTwFafszus>JqsEH(V$v7d|N{{^V;i&&9)M
z<DQ<vSmfy)?{YmLkT};UvA8!;J(9e!7LRzrOzL^5`1xu7n&tVCxliK>Y}l5wh^B67
zul|4W*zV_jz;&zcB8y!)By;+5nGIBCkoo1u?Ni!=jIJU|v?+RQ`oIZJ$y|c9wXkdA
zQq=pR+r5iJT0kf(`~j9>`GHo?k#3~!L6;H2QTe&|byuXWr(<^=ar~j1UZAhiF}}>R
zkke=^5uXA*Rq|8fk^YUO2%>yM^n(V&gqnCo`h$uMOMHCaEX}5Gt?j$nR`0MONpkMf
zu)z~38vz1beu1Z)R5^2cfbskX?7djg<kp>eC-1Sg6;C51#J##DrRBM2`txxi(wYdw
z6`gcM+dSPfXv1J8ByO09(P`_GSeawD4e#{Wh(r|O#KHVMiU3)$i*i~g6&GFBpYtJa
z{N4U<DJD)++j=RN1`N9Y0#GOdI^>5U-*X$39JI_D(m=)-8sRX%aie!kZjIOnP+<Qo
z_}9W+r{h&#{|!!On3I1u==3Xu5|(SW!Qg}~>9Av0CT%B|6n+)l9&-3yp!}aVoe$bR
z=NKq1Kys5;Vl1=)F*}cjx5EZPzgM>atEWq7OpoV=Pzs`jZ6Fsdh+J<wG_iRe9Hi)X
z`bhIsVR2i1@7?XhMZ?v*+oX=REcbnj$d5s%=uQX!J#p@_cC|fBRQZ~C2oC9U3hXdg
z_`f5_BtNHLsmqi5asYO=Bj3WJ5^)i!sbM=C<64SE{9<aDdt%)ZFSao=81fxf)P{}I
z{u^L1hcBeMo?od8opl2-Dc`(0-)ay~z4G#s4!gE@<&xuvuc@ijfWXG&SLZ?2>eznG
zL@2z8lBhpUD3hp^iP{G+#S*zlmuW}4Sq}QVW6hyZ>jjbD3-D}Zsjg$8ZaJ55MYr1j
z)a|clK{uPEXAWDV?}umEp8Bx}R#}Xi<$aJCS$=yhlZKVHzg;i}pB(y)o0gMthyA6v
zw1gh_zfvaw21HCWG~~J@FRZYNTVttyL%1`Md++_if;eMwB%(bxyWRtfLb-mtpA75P
z4z#DE9a4ncFWRX`j9Z-zsQ=VdM?CY4Df2#N>5;LsZR@t}-Vrk5L7&r?Q@EDLA;G#(
zrI6N*<aBfyI|eT)HgrMN#fcBaiu)#17fSHF{PV%)WR3`$(s*Kqm*Eq=)t#;z6hB~9
z##e=rIrPfE@*ABWECe;8dZy%NLwD;%=m~x7*dBKkQTSmcHrY5kxA#g2C#(*m=uBc6
z0SjlHz)9@9hz7JL+S1HXCQkcdX_it_CIn9cr>&B8=|sKx`LfPl!DICY>x+sqo}c6e
z_7kS^a1-fsELL4(ZSh8}GmH$9n8~pE_sIPst+chTv$I7%-aW!TBXeJ<97?K^4e2Fi
z*l$am^)JuLq@E^qzMgcS@=0hLdv_Qf+7~aPo8C8BpInfTPE1?PIkD=RhK|&<%<1WT
zkWe~jD@6Cy9_DebsuoB!k=lt`yp+~`7-lNm0NY5hS>IPb^lEX1=TsKB>>uYPaZh*<
zOW;h}#p9d3NVPc8L%#|0BJKbqD=M?WAPb@`iFA3pxue4`^!F=On$vPS_Xg{VZrk3G
zmw`G~|5)ea4M<FpzF>rY7Tkv20E<1MbmXEA$L+Ql@H|hx64-O;fiBj<^BXr*tBVJ{
zH^k-ibAh{f!U2<dSN!gq*bGAo%q(o60V%nj8q)`b($m;;TwC@a#);-Nn&&s+?QHKU
zzo-+lM&B9G3afP|B~MuY@5iZ_qKOSCr-oV>_QccFAa*-tV_(`FLI8vt$PcvVWjxlo
z{7CmOY1dQ1)!`1^{g7{d{nSx)^%<ydKNB`LF;U)vF4SYMeka9rf8{oDiG9y?Zizj?
z_g$$*ZUh&v48mMDcwnpf_n0)g9a-IgDYixYw_1-rfvIbW_mkcq1Ywl7VOI%Fz$RAU
zOP9!ih0fiL8+X-+G(uOC!XDcv8VW8%{juWfsVst3z~-E4yk~Oid)jKsp280sXZZ;c
zu`3zfPxK}55fqq{$oUUo%|mx-*ESBPeS<>0Pzt}lxu0{<GP}M=hP~uCzi_ci{_i@|
z-B%SqBFny$m?LnG7&4p#`<DOxB8mBU<ZLdSnRXr3x%T$g)5M?Ql^4@okWJ1l1H>s5
zd|K~yy?q-a%LeijL`+;uwQ-r8s2}d14UnnkCo>@3MQ}i~*P1W#JjD*jpdBE0jD7+J
zumylkI6Dr?^nwBoNZwb)vsqaiYL<TYpbi43fGBE#Plj@*6e7UpT?0rScvucpe0)44
zK2N{DzLuGlC4DNn-rWFxH3XuTO_}NtvR;SS#X%V)4TJ;1$Pwg&`_Wn<A3;3}@=_=<
zr5Y9(04_mJ>)9z-!vTCa*#<2ki){?31Q3L60%Z^&u(f!hvWki|{|9(nePC7@>R&hP
z5ZziX{K5cLfQwb3y(d6yN7hr2rmP0mi~-~b8j!H7zmH<qDFXBoQ30qxlFX)DStBW^
zIQr?~7KGLSxhf!cC<if_T6*)}b^u~RAT*F4{{BbuO#h<c7CQWHhQ|;7S0Cpe6J;I8
z@y8@i%uX1PSK2t5&66Jrbp$$6?>dasm5Q8g$5F@(`$0QR+trLYJSJng$<87hjEFS?
z4o+#6aq>g&_Ly40(V}!segydk)Nzz&cq+ZVhi<j3jla3)p6By??)(0{U!V68^aoyF
zov|6H+<i5>Tq7QGLAOyU9cQ+Ij5$AwF>md%Z41*$>MFND6}j_y?Rz6I`ZY;OhTPm(
zakU$(R)C|0&b#BUhCIFzPW(5jyPYkuvI>`;$)($$QLYj-UC^B`sA$&a8BJd(7$0b{
z&fL7lCGh9Ju(Io;h6V*U8o9|;<J!Pmy36ic#A4a~vZ`cyY?0vABg4oJk%opDldNdi
z!=V-)5*=psbzD0${d~DbG#~Ln5?W=Btf~@A)Eu2<Sr!f`KJY2Oy!Z|&HdXljEBN8)
z)ic~b)*M>O?s|&72z9M|dHGLiDJhXtS9FjTwAr~mqlhR}(a9yVr%>6QNfk1PmJaaW
zN>gRiLSSo-!Or{+PO@d1ia)=rz2)gO=j6EETW>poeO~YIR;6_0*s+Mi>!aHhI?n>p
zGahjm6Zfuum<ogB-s$|dxA*tWmFaL0>}PLT_V}={dc`c0uEs`+M8Vz}K{6Aii>gt}
zzKl&T+0RqtbJxsxJhrn-_uo!^*tb5qM4Z3Xg()hGa7eLA5*<XKfRCw2*#29y`uNKr
z^w+`E@Q(aA$dtnoe26}q3KS71GsU&BpX1NMciy<ljyE-Pj|B8@LFS+-@lLhr=^`u!
zB;?)H&cVi<1}cga70ZYxf*BM>-2Yh~>!{+{-~=`<QZQ3m&t@6mSxe`|2liOrkIk*y
zJc%gj>M`A0)Kjf98Xq8UV)C>i?m%id2Bw%@#bo^v2#kQ_qFjU@i>Sr?ZFjl6{rx~0
zt#`9RRE12{cAu<eqQc+@m%X0A5GcZR?3VmkyEy7C(Yo|`=T1M7*p#^HRPZ;K(EsF;
z@U$3IP!2l_J|So#MYfC&B;y{lWI4nGXgl7|i}2NgrEqyCKq?Of8yyZC$|QP{CyaFr
zGQ2A;CTgGPdbSMv!FR6DH?7j9rTHsnz#GXYpwBgK8zDC%T<v=Uvw(MSwDB?Jk_@Td
ztFa5agtUmsJ_1xKYifSAtQ9u<rOGv0ZOn%XgCR5pj=%i14iWA9Z`VYm_3%20HE8xe
z=p|-z%_b#N+4#E4yw<xxs}BX2Cnt}MuSUwkUVaRg;LLmawU7&-&pao<5oh9)j3Fq1
zeE*fv(IHS9>-5y4&I!;X3v>^$2zc&IO$iKtg)-&c5VNqR=4ONycY<%Sb~|1jUcCSe
zF)Kp?xAJ-dfj%eN+Db`hDM{W@DD+L_j+Kg_<5PYKAcr%Pj@s?+F-tH|+-Z&s>)cQc
zIHjqe#aaUs52B+7pR4x@)?Kn@Z*cw~h>D_J?+vtl5prG}&W*(`sSmVAfAfQKjg2m{
zrTgFJ%V!tAshVRpnFNbl^X5Z;cVV_al~Y6<kXCDBq2h(X`BBTnPq2EPf|?O7#6Mox
c?wN(Zy!~^6YvT1w#Dq%EWIbzW)xTK!7rBkfz5oCK

literal 0
HcmV?d00001

diff --git a/media/nv2-keymgmt-architecture-pull-v1.png b/media/nv2-keymgmt-architecture-pull-v1.png
new file mode 100644
index 0000000000000000000000000000000000000000..8632d43d1f9ca5487b8723d023ee311b2eb08041
GIT binary patch
literal 15535
zcmb`ucT`hN*ESvjr3XY5#VCTHC@u6*q$Jc(LoW&hNa!IFY7`JDL9rr&ib_$Grl5#O
z6Crj)6hTA;i4AFjh2Fk><i4Nh_rB}*&$rgMmd50qIWu!+_UwIK*WMnnw>1|QkQ6|n
zP{NiLCJrdnDi-`*&$kAy2v+XWLZSF}Mw+@shQ(5YLMbRYb;8OwIW=rxI3rR{-9%1J
z%|C)16BMrO7al=ZCWn!k;WYRj1~;HpSh#->HHhNB(ozkphE>AqD5+^WscOin8>`{q
zLsLgtT}Rzxr9C--Li?v%n{Z}OXee1u%}i4n3th?Eko|&ak>QL$IdwezwxmT;Lg8Py
z44-z6@Zko3Rk6ydnky|LqM>_j9cAn;xNc7I3kiqLkQVSq6)u?tMNp{Wv2YP-v@(Hc
zN(3V)oVGGwRW)S|W!%aQN+da8<*JQMbgWCbovWL5G%niGDcsqg?z++@GLBC9XH6*4
zL4FkEs=6txntu>EAc72Qf(`m-DTwCQVc`}!p;iP+qy^p9H;zfRTWPN866z0cgtrMZ
zv&X7ZBb_a&l*m|ZvXg(Hnwl@!DZ)ve>}M0=9%yD6!?2Bsu<&=&f#%kDq7?~eyWfdy
zPGP!g=+LZ<HDgE=KZ<sMD-IV-(bmwy`KjVuqOA$k&^VesQv<gj-rUtKgo2BRai<13
z#5o59SiypM_|d~7e2q<_w0w0;1AHSqXi?-48;5YK*bq9N9BXgmYUb+Tgb#4nq{sL(
z%{}ZROdKpCsOGLrOA~DqqCZo|9Ogp~(juCK=otIsEa8`_ZvaEbhDLN@lC&dY1L)xd
zdK@z*COFPll?t~5gKfg1_EY`+oNcY*Jha2;lxX!hO&XaRX65H%XGJy%)ppY$xw^rM
znz=-gL$!nGX7HFRLtV|qREI`!qtYTsSW~kovQ8{9jA5?<cg>6m5vCF0?oI&=2XjAr
z4;x#n*wARChe!`ih7~PB#|-uy?{194`dT|%J4U(&_?fGQ1*iuG1TyWT11<JbNLFU1
zzV5*RbZ8e4M2QFpq=dVKS_c#C?3h-8I5Q_J({QZ_e4w@?m0@b7?!utxFiZldgaA8h
zC#IGQ3>D^wBf0uU(d}p<@C$2&52IkM{4KSdoP)@Iq)>Gi-x!*)sXrdSKa%JY;!L*>
z#k-IKU7fT8%&f5iR1dRI+I~%6rW#&N-7gHQrKZJHvoO`%uNrCsM*wd}!@J>(O@dq*
zT9y_>nn@(yHa0qjM$j>)x>+G7$0LH|sO?}9Xda;zr4eUIinH>Ct8VUYByyy^E8Qk6
z)I8c*dw-;bt7fnZ1+N(tVB#K4voxniQudpgMVed0`rF00l8EG3x@I8Fn2ZgxcD2(E
z!O{r+nkF<N^c8Cv7tEmB;P!_&Av5wYHIJp?1K^u>s5!;j!`j`{mG0+AjgBPPF>paa
zI>t=3Fp>@3S<{3OjHQ{xs0UiBsZ-;etvmv)BBM=-+K#HmVYWIB7A6rkM9pC1aE4=?
zlN!x75XORD<HCs%sxhH{*!>oEM5kbSRFG3lWQb|FML+}*r$xoXOXHcaCDs8^s%DOk
z40i{zzdBjX(a$m5SjXPq+{TWm9$~KK7v&U=h21xEA;dV)V$BF7hK9W}KFraQiNl)G
z9MtXH!qu=&W@J0xXs4K1iiH(nWqfN52NP!p7zD?#qroNrKpXg>Y8vCFY8C6@9AbvF
zGxlY|XOND&e+ZLoi)U)XFLInF%*EO-j?B=A!7^Q4v@Fyu)S}I?{<shd(vyW9)<hk?
z;O%rwDMY%je`pvrP#tUtZ;Tvohd2v@En-n2W>N6d+{Mqz!qkMIqZtw!7>C#=Ax70Y
z(AE!W5)-#SB3#odT1`FB!zRkb#KeKAz2C#yB9`vt?x<yF;Sk}d9YM8+mXZEc#7x5I
zp-fVsj)kj>u@=q5%*{TE5bPcr>Z%cqS0_dKhJ;6HQ(U4+%xGIzroD|C(b8EB-V;ys
zv$Dj8QZ*=cP9|78A|cq#%+Wo>jLI~nxkIm3bn_^pou(!=&fJ2eX&vqw7EFn=aPf7E
za}RR~j&t+3bu<sru<>_tvN5rC*3yF4G}E?<3InHZrfyG<^!JS>SW%6`oa5Adb@0JB
z8*QwXDUKOL^|!JkkttzRXD3^2x>fLgV=@&VuId~|amB^L$uy=}xH~yG_^VN4BV8ig
z!ZaxkY8E(}2E#-Hr{k|~O2oUw;$3}7*vOzLTCk<MzbVdF)rIb;8K-7xAErhm`k96>
zRkbx3;kGo}NSKT!jiITgsu>*Q5odw5Wdt*|-F)#3SO81surSA98!Kl*FpXv$>+I|n
zXbSGk%)-yr#Mm-A%ojNbq(GZ!w?Kv+B_uSQ1i!USu@=@I1Q*rV2wy6LfH)*S4N90l
zjmiwrHichiaeiSTzV3t=SMva0ZSyFCKPkx0GR_~bMJ0H|k{~viMfy2f;Qh4K$QBwV
z1UR22R!&45E(jUh#f{30jfz6fCdJ;_&BP!1V&h1}nqs3hjInCAI&Q{6mO=IwYR>*K
z8gMg$M8&CEIDzp;MFslC7{^jf?L*=;$tKY_FkHMZ(y1{C32Vq7#J>NHW`9E){Qd_M
zsGAmjE2g7R+fbG!#!j&p$NCP0uIoN*II+F2E3Bw@ZSC~Q*;WUcWsc!5bEAc~Vwvkt
zn;w-(k#RINUB8>yS-k$n^Q!l$Hytt+m2z5s><|bd7iiQ_x}1iT3iwF-9W4k(r)&=A
z@-{04Z9T*vCyBqvtF^SWH1Kk-UV`4#%;chlxzb&A_4AwBwFfVrXPAVHD3+FPy=~&|
z;Td3Tl0`G26ba)aZ<)C7RtP&{kY-|{`h@O-6J0y&gTrFd(+|$1uuGjclzWF$`0a03
z9oU36$(lOYLSAHs6xQr2QTpgD#4AHI7h>_LV$$W;VKFif>DvmeAJEf9*-7bYtJu<b
zXz-lp-v+W#I5)-L?;7H;C27Sl4rzzQdwOvx^LzEa`k0T&eLskQs7O!SW%nTs-KxIb
z{doN}BZ9fkD`Ta3Dc#M>lg~-a9e&H&=7=gP?jm&<JERaQ-yiPLKj&1<mqz#`J15xQ
zB1W_1<riTYRi}=QChlEO%8o1d8Z*?tbJG-y5!?CNJ9a}h-AdQO4JRa`Qjk9&(Im03
zuYSRMg8TTkGK$h+&MDl`)YmJ2GHHVW_?CjZ(HM94?ELCfBe8vdhpvmCm2bS-J6jTj
zGja6flO_Ef`D$;@$quW!OL-SklOL%`MTJSfQ{(QEk(9jVyRf<80o~$a<oquZ)3WBb
zV--Cx?9#sdVbY?B)#<VO?rcIIIYaX{AgT;SC+twfL_{!E^&7;`P<qFdL;Llg(k&SO
zolgiFCbM39`Oe*!GCQy5XtIP({pV2)OxEqV-#!o9tfK1$VO0h1S*H=^j!fpLysBkq
zCYTBevE)|^@=AMk%3R1DBP+G~o}c#goKO^E{W&v3|Nck*NYent>qx?KND@c1$exp*
zWnZ06f8y<nyPEfq#cfr(K?#c~6sO_%ILq#-KA%-)72wfz?ez2~gS+l#F2<_DT}zz2
zY1}8B5AV6y(v7MZHP72pDrtnQLVjN9x&;H=6Z%tYA=ZoR(I*)&Mj%`IeGA>f@IP1N
z(ztJkv!$!#=70L)Opb7j6duu^hCWMZ*oY?i;$9K|?T{_NBT3bJ`zZ9p!jX}{MBcRI
z=)>`|u-GyN-<~Dhk`Dj-h=O?Nxv{g^&Sfo$&viY7SP%Kv!}4u#a^54PC!4wGOX&YQ
zY2OF57;^W`2cKo+Jj0sTv8DIp<7aPIc?*?@(JW-=e9z?O3QDJV2(97Xt)TF8w5O^#
zr#5jpVPT|cDa87&2r6OWr+Gz~I6nX0y^XFn_wvs%Y_G4w^SRw{xl>a^$o{%M+^X=T
zt2`Wq)$@n%-hEl>{rzm`hEJNePQr^n<e&T+5_s;Hu2unF=C#D;<mN*s4VN~4{`|Sp
z<3{n#n`w%z@=8j_ndj%H#@O@YO;TsZxDRD#Z{U;0YH6kY{JCF9SeVnM{V_$cm9Bef
zRiZ6FOE2cfz;IXDDcPV$y_w%XuNPoTb3Nbty7^nQm!*;~oZweF(pfvp%1XCB9*yyZ
z!-VrTNK6dn5jbMv9SUzbJTlVgRUbJdmLj@QQj!aGaCve1X<J*WtR*(L?Ox)t!66BW
zkI$bIpWZ(9;lo~xUbN7m7~G#fe|-AtqVB<CsQiM0RdI1~uSO<u^a0dG+nsxrC61YG
zzd!Ry@XNPvpSryhC*N<C!(28@ym|lan>XCjJWM9j-rM_RGOtMK_!j7pB_c(|T}`@|
zlH62VNN5|wz{I<D3kC;2=2mX~h_eoP`yuU-TGOYGZ6B9P%kSI@wC@)SFOz!}@Zwwj
zs`lKk(x<;?9B-n#xw#z@<&seGdN|fwBc1Z#M_>K^-`{LP-{0ZiafY8(vw5fO#Y3`|
z_vjq1mlt)etT`%%b}3t*Da$cj`fP|o!GkHHTu~4Rf`XE4uM?u8s+ntZWcj<gx?&e*
zZgo$|b0+=_IpQ$rW5<pST#D&Wf=#I1`>rNj>UnExSNnKxjmY@@d1bb=@I!q})_Z)u
zN?@^vNzf48I#@92IWc5y|9l2P`?~M5mkFwZ1%n}+^gq7~W&~LhBWrO7rW6fk2Dr;T
zYi#2eUtZD^#rs4?ikn?o3!@Jocydz8+|zUO)L1X;(<fip30Sq_aR~{D1N$D@<rxSk
zH|Kjj+$<@%K)WJ_zAUGrBJweDc@GMU(Z^!ACS1Xh;=2$p;8y)y&!@0NiD$P$iD~7x
zQ+1jw=Q73O@;h=-ZRCguF+AVG+(^Z{+Z4g6(Vi>!wG9nLq<QM<>b6;mUAS=JV0LZz
zM}ydC%z>LBv!-5|vXe3fSnNQ|=CkyB2d0(R@bapvseP(4Xs5rc3J_r@aVA8Pf(3he
z8Uq8*3B-;B7ki}i=oix*HL6!r7LzWN6_%JPe)K+jc9ijocqbm+N-$p8$C*EG?4(l;
zwSH}BPUa;!I27LR?(G$n=Gh=2aXK&W<oov?lZ~*@=u4L_A&dWlS~b`6d$64w_4bA*
zD}H{enL~fTp%1{r--m~P)uqpWu4r$5b3cCG-o@qGQg5i1I%XrfIYh8NI?j70r()*^
z50lEKiR7*g`rT6HZ}d7mc)%&hG<xo`mzNidzooiSXl6QbIR;MnpQ))&?{4{t;s<7a
zenuVo@q=cOnKCsMjZ&dGItOzvFMeD;ULDfy8ymZEad9y?j9o=wwqM@!YABM9!xR@6
zA8Ph_Ffg#~@slTHt=ylm)D<|4!Qvms?~_b8*ah|VoAD6WuCXA>;qx=%D|rVFcgZa9
zyLj^5S@OBm&v`4e5q)Ic4+gpbkE~VOuR#p*&KE97PR7^t9*3j0g}CmNV(a(s-%+Sz
zCr|o~y{{fVuzvk|l-Gh>h5jH`U7g!9)85^kzrOE;@Mf*z5jDx<8@FtkWNvMi`l`b+
z;$U@k1uoh0O7leOZu#~5cVmlj+{+}+DW(jXWdT-f;+cVJsZip%y|PI7J<?lf^77zZ
zuT=Jgf(uK?Q$Sosb~cxGEi<CNZ{yajX<fmoy<;bOruHN*VMMm-rw^$uT26gF`<f$a
z6DEBsFnI0j&JA4rE*X3-8DyL+`iaYPBm}5wVYrT$O46Xob7F4$CCeq{x}R=|l^!Pf
zl}IylO4~}LP?!nXbBe=}1MqTO9^+e^kcdR+Uu2yBU4KI_Ay!jPdHK8JhlVSpq@8dn
zZw%Mo{6?*}V{Bqe&tm@xSnS&nNuQe$ggZ})(yAP;#^}V|?%fCQ<y0GS7a)Y5zky>R
z3+7sIIS{RlDZF7iQwHHNbMwE^i)R;X4*qzeIKTu4cok28E!t@Ws@2rzM|3_CY$G5s
z_SR+j3v@o`3_j=odA}<5t;}e&MD+NH(3fd}>}GEznZF^m_K`Zqt)o5=BDC?d=eP3#
zo#^PCZlAi_K^OgGs`N=E@%+)?MIqLg|3vg6m)S&BH?u$U-hx8B$BBw9WVuw%se@ut
zXvNnOr(aD%u+Jxvajzl(WVFi4aG!7o5F^B!MtE*fqvE||HYag5$0Qv8p{RHE86d=~
z$Nt4J>Z9~Zw{Mz_IF&rHERNBCFp3Ewns+l*&qeOt-q%atvQIpjOWrfqwgP}CVp<AC
zm(zF7^J~4BBw7{M7M`6{U|2n=JJ(i_H$jD11n5eQU+=1;UFVyWHMxpAvjKSdx+Ci|
z@$lb1(g?#xbTNnCb;`7W=ki<zN6P8kpsxz(uJ8WA^C@k_k^oaqe)_cyYyUB*)BnAl
z<<&8^aLf{iI^8AX;^4`5cZnXd_VnBTJic<@9VdTyalKUQd;B(GVMpWcrjDKwIB9^>
z?pwD|i#pf+rlS^?*Grv*220<rdReXjhmNt<9LsmomzbZ#&_};f^#D142Gn}>8WpqR
z^^W$at-w9#hHkNEzc4HEKd%K#vo(#7vNFsH98^Pa^?#w`8IGtlpj^P3DrYL)cTN6<
z-G6UW#G);(|M%&Y-VHdX&b-MeEoCXLA{sZV2(fr9ku9~nPL-RlWyHEUe|4-&wa;jp
z{!AJjeEDc>`VT*E_EQ12v7QhwQ8uUVgtve|!%Mcme3Q8N1B!RgQ;{VsILckg9HS#y
z$C?K=iQamQn1m2)2yv2H6qg~#StVNf!c$Ro@scSp4&WAwq--OGjpL{)#=*5T#-ew(
z!n%Z?BF>>_&q5o=`E-&Q8Fy7Vjhme$PuqwtQRvD&yAf?-c?^bVp>HGl-a@lX63;sp
zyaMYjlzmLM=%f2oiT%@hGkU0Bx-a+Aaa-w5-+fI6--@*Laydp{?DW}5OG%so1t*+h
zq9LhQ)Jk<;34`Wcvt|ueM`u%+saPBt7r1@vyj&kLT*8YNFML|Fl|=EyMa9K@TAqLG
z&??HxpZ*NJ0WWQA*xk{=<(_@TOQdK+TC&zX?}MrsnJ>}x5PC$;JWKhQFfWYqsrDeN
zov)<z)fMOH?b#zNZSwTc`Sa(Sk8jp4{O@zAql~A|e$Gv+tX{3E(%OBxlQZ$g&d``|
zRaw^obo$a#!sxqO+zbW-Km;y!VjFl|fA`0i_Z+|)8lFr|UA^(R*}<jRK?I9=RXizi
zypBSxUcFirzYW6sx^?Tm|M+2MX~_?dT(ilgPYyeyi~<67dc{vVqaGYtw{wESlKOO9
zyZ?}4>$`jVx9`}o1BLSQ^Fw00zq=WkEDe)ijk*^#vVlk>(!V@i`{nD`8~(1R)@($-
z_o>QM>AxXf@cGF}R_I%uxL>lemiYMiJ@4PY&wn#yPa>^iu~$j+0C-g1SC{hZR|KDQ
zWo6|ds~lxxzND&vcHf{N{x!*~!kZSgboKOpF3pc`*VdMx)%2FR4?RfY7RBe+)k(ra
zD#1*mqBK9yv;i*)2nxRL=s3JMKTY6U1>vd8wW72)pJ$z%3hctCTizXw1l>(Uhg5a}
zf#rkUcsSv4phjU~A%1ZhmIkKPNxv8IRRHA^9lZh1_o0^Y<hpywty^pDF6%dsjw&L6
zFYW0s`qTDy*Y4lVyiz_RZ*KrRI4sJ=X0uUV8mZ52A8T5gtO&+^Xgm-jSD&QOLVvY}
z-7Epz_W1GRfXA53_al=#?Jf^|e|_cL<;!WZmbgJx&)0z8`J_`M(U&Et(mV-EvjKVZ
zzW}CHEkzVC@hWyfdAaqzw;VR>=Wtm?VM)oevZ}qi0MR|^Dsz>#>>x(33X(tD!YQk`
zf7teV#%x5+{LJT*KOb)ne;9fG=R1{9m*<uAnc2a-u5VIy-U+jEf0%m!OP@G=n5(n9
zyKFpuswY5x_ihI^IWX|M)aK7SF#yB>{pNTl904l=qz<$k_9)7oh?BQ*I=OYvVK(Ow
zn}b*jSOpyL9WZ*UN>k?-+q#nmb9|mPwBti+?pJ<2qNlfnR5Y$>^g4Os1X@v1u~^~*
zfG?C$SeO!QSi=06wxW`fw4tGtrlzJbyO~x);7bCtj*N^fHokT5UV2SG)9OZC$~yF!
zGiLxZ!MeG5c(kMnN_0}xF%DLBDeMOiPyzx10574xoBQgo-Jc$-`PkxvHOi(SheJ?M
z5Os(#_!1f8w&G_n=LbL<0N37Wfw^5VKWV>r?`W5Q6=Tr$MSDAU?EdTaUS5~yF24?Z
zI5QLbfc|}GXcg+5^$tyOt+4l3mll8#NVlrprS(awVZiKBsE-GKAMc*pq8rJFdez_m
zl5QbAB#O?+$N<EKoSOH&y(F-9%S^0+!HN6#4fv$(U0qpH2{Ws}yaQfdZ0_g~0~>~;
z0d`Jub4%~5kKwks1U}1QO<J;VaIgTtzyztijM}{jLN+ru=S0`Dy}rG8acpjR`bQu8
z!v_q?hfH2I#kaHba&9ic+dHpYZCCYG0&Zb~EdoXtJtd{iN6bvAXj+n-pB|sCD=920
zT7BIv@A02M8u#aa=%F4we8|&(V0;g}CaPo|di2!G0s6M1HIaO*bvtdhX=`_nXoA}U
zh#1;)d-ZtZ^yT(;MP=nuO`*RSk8SLSc-m|<=hfS{Yb-MdB5F|$_o_WIW%o8EYyt8C
zByc!jd3<?EB%uBBqn@e&=@cVZR|(*F09@Z>3G!+wfRgiRM^}q+rYsm+>{&2vLZ<9R
z+<q<~#t5mBwFIvEeRLGQ+>0KQymswcW%QVbhK9yK)6z)ODd5}J-y8vMTfVQ}Wy|Fq
zB+e^X);Cc*^wPLVVpi4kiRpuFlOx?EZ*LLll=s$=bAN(R4*>9!0L~}e1sV=!0`L<K
z+bLQ8OxY5<+2!`-g_Gafbuc;+JSvTU#Fl2B7(R}?^y~yj^jb>`KJQF_phoagcgkQN
zar^e|fx*EYk&9PvI0>-qN2B%T=H?dqAE;_-er2!$xju$H<wWYPLY<T{bQ$M6rkObZ
z_37#Dv9n)uezFV~R#i0o61YD%T$Y~wj9Mhb&jMKOGv430QA+B`%nU9qEv=JW|2e8<
z?z7JBk=fsa1+X8U+CeIpTBOhKn*VZ5)T<zWL3(2wJ05l}pI*H8uJnx?H(=-e{drKY
zUcW9dxKkC@t7UCtvkJBJ+i-c^*|TS1Pfk%b6%`f5{`$gyXh4K_i^0K-V3E3)(7YmB
zQ+mf-%qd$WB^_8@_LswE!2O<vHMY$3(aPPwycCamAmM#5NyKnLH2nVTj_1#x`)EjZ
zkvvunG*0(BN)2530*){3ww)G#61b3_vebc?ruj?V3rfz;&cp5Su{wUwSyfES9Wr}O
z!}8Mnxr-Mce)%E`oW65sQIdqnV}9vMzbEKB)z#!T*KCFtdwXlbS)yE%lamOq_Np)s
z3k!S2N~ZNU@VjU4|NK~3LrV*vDT_FbHX@qE%|dTE3=HPSkH^5`yLi7r!y`7iTFw4y
z&12D@ubeb+*eP2Fo*szL^)-EOt^-wk@U=C^uPSEOHHcjk<vIs{J=+;ORFvbgmoXuf
z;q;Ks_a;qv^Fs7pO)V`hRB&)G5-oW9%Uu*e^4PqY4YZo%<aAZJ48jFOSYs))!<zQ`
zgR^R&Wx#7qOmGMl2E6UmA`yd`2O+l$KyfkROM3m9bnwq>bJ&RXJVRa-2qV^w;|;a7
z?v0F;OcA#6=B25O01Jyu@%?#(Qa@aZ<q+fCxpT;Ag@J)ub!GfMFy1(*tq=BA89yIA
z+E?$o?=2vRPLc!n9?X}BT6+(V(tge@aBg|G&g!$tfLVZ8pRBt$I~zA?@bhcUQeRV|
z_m(Yp%gbMk6D+bYV(Zc44Zlx({Oz7D5%x=A{mV9Sj_sw*g3VK{JM#`6{<yp}J@Y1S
zNql<DVuuh5J3GR#UvtOP&CSTvboDW_E4l*15b^hqz1IY{P6h?a%WvBy-6(<EioEf-
zK(I%^59iLGH+FPf2dLxOnVsBeY#`ZP_jys@$Hr1cxxjHIj0<X?x5hF5$OB~X^z_uI
zPtiD4Ot0)6LkMC|sJx=0NnBj*+&H+fo3VN=wdZ9%lra3HFE0M7X<Ae&q}+DjmCRmY
z!eH|yZ2uZCq=ba6;EG_W!J{DNBx|{G)25_0YVtGxmb+oS6QI%^65;K7`?e4Oow~Yu
z?9ze`EHTN|b#OgeLV2%!_v^ksVarVL@o3b$rbNS|85yf)5(B?iwHrA0I-I2!emPT2
zpKyX`;;gXGplcM|O&3ELg@mM~0yTB@<V$)n_-qQIXD!VBP6)p?5%c@euM);sv>uEP
zelx#&WdE-(mQB6fJoj~Ev*+c+qb&mLaf-`UK7oOJc)o+b+q6-K8V^h}qkMK<YCvA1
z*~k8)XMOaIxo-P>R`S+8OrA@&*Y5|YoyYFkGqxVBl`DK(k?n(h09HTQ?d@u)(yFGb
ztBab+!#tu^0nh@ZWL~9bvHjUbbnEpCjj=xqyJZcLmkn8MesZfRiFEpX!>)%JL&1B(
zukl6xoo)@SPXHvx@uuai-ieEvDWV|YWwuZ8)UQlAjgXc?xCfx%Rd@IG6P6+kd@LBm
z4_5!ml`95@>%MdHA3ZV^5)$$W4OJYNyJ&mem30?(p(|Lpr&(W9b2R{<#mR1Zq9*Z>
zKbn_f#`fV%{HP!I1sUS|$VhVUnAw2?dKfgzwaOtsS4BVf>}CD9!n7n`z+$oUV>R)2
zcfM<rzV$(+pwj&aM>JCm{p?fy_<i={<C`1T=wJDgRn8gE*$F5P7xUvHlhc&Ad|%h@
z2!P{Teos)b(>gqLvn}eFx%v679eW=oaq}YRplVMu4SnQmf@O>lukhZ6*tMY9zGhah
zf(=FIB`(#v9#776EKNxsWS~I$8%}Mis1N~64x)(ZzI|K3L2TSOA;2=y_Kr<URwHGr
zscx9?HG9lviOh%ERpt_WYrQ+R06#fWgvZG<E+WPXI$CXQ?QrVHP_55w5yOW7h&wYD
zZ+O-;(2#vd9qg=qej60SpEE!GJ~SmtWy%(mm9+*OINXO3Yh4r*_)CfQpE<^<JXq>}
z{Y?qlx<sh2Fok_q!L_qn&e9=#XsY47%&RtuL(`qL-8c6+hJOG=-Ozwh&S@R*tV#O&
zy8NkIIv}v$vrMD&b-#Oe?&GywfUf!1ubW@`<-&<mH?4&Azh1i!4u4`|;!{t@Rm<8e
zo)-GVBZP*Ph@(psx6Y@w5s^NCJSERRl0e>46?3O~@lyuJDC;5k+Vm$0<bT=O-ybZE
z6{_~$2RGx36P3Fao5r27ET$0Z0>2&!v!$ch(p>--GB<)ccuM{+$IEaT_Wie$l8lvE
z{|}Ow@$W3`3n5p9JSvvDGJz5WAavy;-B%p>s^9Ha@biN2>X`He%Rk;!MDF0}t<3D$
z#F_sox;uX(I_s8Le3H+R`&f+2367DtQK5>c;_IB6Gd`PL9DszHd`aHYfqZg|OvHJI
z5^5aO#M8Lf7GcnN&Gc<DzncF^m?3jbmmf<JVD*oNx^-8a3>j*BNrhaR+`1cisupQs
zNCN9a(SenA0zg^Y;PIpQIu;?^7M-w5J{=x-MutXA%V}znKdgd`%yC$h^ryT?&**pM
zkX)1bb^6Daj%W5Tv8;%VXrztQ-&I^&v;}6hcJ^FYSn7@2Y9+0qAtBa@0dVcnzEW)k
zip<Kl7>fXzt*SCd^?<B%)@~;rVmUj{6y<N@TsjBzexP8DjX|gjaS!x+yw9s@2d7{_
zMK&EYm2{1(AH?DgOa?0oi|k}FDmC<v^_ICl`RZap41>nPyQ<gZ^j-dLLsAkJxnjkK
zynnCmyYeh1OjOb#SooRQ`33_oL=%a9n64o{-t_7UWna@}j*%DgJFA5A0OS-leOrh9
zwKPI$1P%k|>%o^V{)O764E@dN8lZm&g9ArsYKmy^uHCy2w^1{g=OMD-;^#ClX!BR?
z)pza~Wq&R1UZ;RO09~FUwh=+ypPik>p0}O>0)aw-t`CwwxRnfM?VC4mMDZy?5V<ye
z08BqT`A~qJWI;GDi7x4sUi_Dl4^J`^6AhzB-zC-7>fGC_jM0x31w3_I(GLXNb9s4B
zT3Wb(q!=tOFdz!xE4n{-mN=pg0Sn`kK9!ThI&y?RGA8EA)vG-42mqgZ%*oxT{Hm&T
z75C?MqXr%xSvLcS9-(!>Z9+fXTMHB(b?DYDRRosbR=iSKDGJ`13-zHcN>ENt4j1u-
z@7J$ih5aHWjECtRC{Qc67$)fZSG|O|D{UzTS)11Y*e}_#jvf_&lmwqNaANvUhg?=p
z4zMsFetYX8`SE-g_Z-+@Wo3okD1<oJ*F8N)ravZ1fq$ac_j$DudC?e1nLuovnd%J(
zYE)WQ1`LI)A&HO~$UBXGY?8wBy&H?(+sJh8TO)U_@U*V^F?nJCVBA%Qs*eBXR6H^9
zdH+~6A)B%=S&`_><^W++crSt&9tB3seEir9GGP!NC+E)Ww4?v|PO`SML&%0+jBWh*
z6RE@$QM@p3yI_?lm*Mh4l^yQj+|YG^4S2rqlXHhSi2koUGQnZTPIkGz?(F>1<$f~@
zAkXK2@@Ml&0o<q4Hlm-659TGh<R<FJ1IPzjfxro%sgSd(xIf(!kXKM#Y$41lD3G4q
zlgPp1aD37{_ZNOy0Ye4{yVD1kMcc3^3WXBaMrr|aa>`mAT8x7VnSZ{o1yu_E09jO3
zRRym?H2rIZ<vgg0#wkf4_7LDfNy+!3hlGTzLRD8+V<nFx7F~JgPRhc<!OqT39%0`4
zKD0CsM7h_%4%R&S^hu_lIighkZLKZN+SV4&mjt{RQD6`#kORJlXuJ>qAoFZ0$a|Tk
zZntm0lOE%|zG5z~tUMKbyQh}1^V{Iys)l=x@+vBJ@$G>cz6THL`yd%U6v}$X8A*X$
ztuTkg1YoPMkf03+Z$g88q7DIhcpNg1-lEHc3Jebqz=;-JFlp}<Eq!QJn)-i7ea%NM
z{Y!oQ<TOuiBptmF7G^Unrc&~@+ywUCX3yf#^{dJz0%@>2Vtt`m#Z)=s9^~+M%JDF(
zs>o&K)}><O&l3LiL(e-s-Om&d>KYsS1`AZ-jKuWEnU9H|c>MG!ALOx64`WQakm--_
zv!GUOIxsbQB=~%@*-@K?wcDR>gCs4fg$&6zNXo{-mU(!1Y)g3nwuPCD0HiO{=q0l4
z{`OKWEv?7;n8U}#b7!`jWf`k!VloTdE%|xBy011(NH9RQ<V9OsbD&14#B;#9EwHY>
zzFb?jY(ZQb9J7KqLkJ57kHk$N5Qbk#z@i##F9m~_=)D`3Y<r#E-+18XiW>632Ri_=
z$*>l1W<>pCHf}`@?wg@MJxlZ!vX2iU3<CFsbRmKV3}a>{$Qy;$e2>&cycp<i0axAZ
zkVEuH2J=m6gAlF1JX+?XSJj%|8(NQMpXX->$aCo9{d>TCK7mdZNTa2Ra)C4=ywxya
zbP|>O%cQD}>KL*Sab>U^K5FMrff&kSClOd^<7^7}z4<MqNl^B1AQh&Ff}Mb377K{C
z>;2<L84{ov0F;6U5%F-}zOkys=jZGo=R36<I4i7vGng=lpIWpJ>5xlva&j`tl!fHg
z=WlJf(3LjrgFWHel`CxIC5Ga)MCHz(O=E|KDAc7q$nP0-u1j%y%@8;*j&8N0(Uc)a
z$QEG1f^(q~W;nc)6|unEzH(s7os+G%%irc_k(~4P97uySYQ^<@$eoVGIJwDTVC?VC
zvX(8NzJixF1bWxg<31SxS0JZ$1Kk-j`-_6RWDAF402V0JMTWRRL73Hl5hHY=4VB*?
z#DiiN6@71ec7$1bzO!6ISNABy1O0<DqRaD5%aFR1+`Kuy#duSb1wU{5iEks_6=jR^
z%`F9Y?l>)Og5)jw8)P`k(02l`8xL}|djBRBQ;YspZ}zOHHxQDtva?HD`{BTX3jv(v
zUM`EtPGh~6OL?F2WfS`O0jor*kA@ECJEa>N+Q|U9i%Ux#*v6Y^^FWooI0)&@<JZRM
zhw#9%x3#sQ8rWpW;X?{FPq%IubhTGqU0<sf3t9?p+z`%`ZT=duDpvJLGKe+_i@IiJ
zW=I7B#83^;`m!k(_2V)Dgekg+p^0ZQN5(&oAM5V)X}I<{r02Dk5+wq6u8oQ?+QxHB
zv+aqGKYX~To8ehZM{@7}?rCp^j_t<m-n|=Q7P!xJ(0-tK!_wS{L9f(q3~T~0D*C5~
z{IKK*WQWNNMHb$@yTR1d6vB8jXg^3IxUNpO;<Rs$)!$>Q5au#0#^oq1Y*5jgo7;GJ
zJ1j)`oyy9ANoHJ}4oKCYGQ+X!x^^k7_ipNc=~aplFXiwyISd#Mxu*9Ph#D1Zz0A$c
z<L???9K=AF?Yg#In#UHB>;sSFt8_2f#<%;cm7LiWcS3vwDpsx*fH5}itACYy=5tg`
zN5iATU=$yEs}+X7Qt_<FdvJn|A=&#s>bBS4lx@d308jzJ8B(Qdk53Gr?4y~3<ky}Y
z1^@>^LV(oU+h;a+okaqXizHgPeqZA$1%|48>#@6UQ7KYrB_$<NMY4k+f?#ej`Cj&a
zICh{un$v%CUqbGAnf1FdConpPbG(@Ri3^{lu6QJ<X(*8V5o|`R-g)&Ta?d+qQ{oI;
zYT~&<#Q<o|M}uddy^^*$4Ir_@es>BR*h&N5cu0QVvqKR=tWNfJv#SMeDQtG>?myqY
z#I~`q_u?3x?Ko6F5>3+(g=nOp{Nv(}81QQubF-zTyC?Uw@3`Vq;TQ}UHz-h!GjO|i
z|A971O;K>wT^Y<A(Mo@cY2R{X!?%fNJM#vLa=ebZw<S41!GHxpfuF_caF`s-=@xq&
z671t%Es$MaUK}i%G>6eA;4`ll&tv2v4+h9G3@6X_`$G-jZJ<OoTwAjb@AJ-2KaZYT
z=Q(u7&Y*cbarwZ)kX_=@*q*El$on7F!ej|HsbxD<el=G|dEaZ-Sr`jX%=rJ@h9uQ@
zF|MhmlWprP?l6ph^9OmH_-7jm*1XM_l4+;se~r}=4NB)2l^jOy$O!XN7G%HHruBxr
zEv}eV$Szl`*q_tVSbdgb)cP|NK<-t}z-+#!hMW`c-NXM}I~Ae*nq692`JBk+<QzU+
z`Swbub-Fkb&F*w$#5V|@{@Zm{Tpn9Vq4Aw30PMhcB=nKQ-juc{1?nI{uw^XdRb9LB
zu75+~^#=yL0ut?OWQ3!RNF)!+dFB!Buxa*lpL&e0N`F1P<=J5Mcg6q%eFuZIQN_qR
zPr&S;cF$ooa=}y*?SbTk|KjO%`nejn&Q&u%#@?@gdno?(2BH)aI--s|eeB{9R9h3T
zSLdDJ9^Y@giEyN*#X(;Gf{A3uuk)$2lgs0Kr@Yg+Q(LZBUM=W(>tgf#ONryX$>$2g
zrU#1eh*#aXaj%i7$xdp423b@HMAahX*?m^TC+h4ZJm<A+$19@VLBd(R<%Ra|OV<;B
z)do(3$wld_W8}rR+Q<k8bv>zUcv#oYnHugIKD8OD(H_D`(qCI7#|_fHQi|fyQ2d4U
za!iiPcr+Mup~j6K-mUEBa)bC_Yf&s>jKx+D2X$CQ98NyxmWIC2wmJh|Pm0{$Xg$=x
zkewli?7Tj$^*MI0OB#@+U?2Isf<F%srlQa0!0lAUn(p!=@*A^QgQIP2UhNhiyc#88
zz|O>F2m65<7vmD3#a9brQwfS`(_UU+z9`gm^tek+Z~uqUYA?vImZYtzUN+`mM~q)t
zP>C4yBad>nF@Gi8iR4cL%SWlS_%z(zkesXScduN?F>zK9X16!G{(YWm?|aGLA5Y$S
z0y8?*@l9%E$2m7va%1f#EAS@%6!NRkH4}wF&j9B^H`baO;EUJ1og8_cdj^(cwQ~KI
z#-5)2{DvJ{kz+RXjaohBV;G}My>#!E5bxKU+bQRvpJ4l$vi0D{^R;)Hhxt0Rq&jSd
z)_xG$RL7;#zn-%MS0A;=gctYd`{u(SK=2EeGR+aaR}<pe5VQT!CWuO_U~x7oE2Ty)
z&YjD0J8`#k@4G$olC%o<b$51I2l;a4)7BMffi+8}Q>ro@2w)M_bIUL{X}0lDE@YQ^
zSMK3v>Ys{SXfqCX+@h@HoO@Q$-5vNUHz)=gqOElMA6k+XB_zG80iK@ZXU~6m9;npT
zX5S88k1Q4EC3>h6mWjxH>;BoOe&6PfiHVF055Kjcy!3zjJbT{K*jL}R^CqkHIrtZ%
z@Nqc2^kYRD2ps3W1*(-nV9`{*#x5YZpTVsLpE)yl&x%c<d>1>&r@Rk*Plu6yTDv`$
zaqVO@{WmoVWoQSMJ$%jvW3WAb<u;&wFRlSipO0gjA)U`s^}`FCx29Y{jETtolaIHx
z)HygH@}42PKC1%><ifCB4@Z-9i{xvrErBf^Fn5fOesCoD-QcOM;JU=^^F5Fd)A=$u
zZ@}lbg9joo7$v2BMc$cG!yD@5Kuav@1mQ-eDQm6E;`&GVJ(vmggQCjSz~`S<7*(&K
z#0n2c5l+pIy?XiF_qT(9A5Qf2Nux#neV?S>uy*SYX8ve<`8dC){Qfn4Yx5EoC?H;7
zcd+J_<sPd?<|Yk(+bK$U4<S+JV{VNbw(Hfvbh8dI0qpo!;S2sT%b~>YZ7-*07aAUY
zsxdPzISwZwskzx0@?~?=&luv@Z7&^u9Vj&W8_6LJ4EVgL8Ts@m<7sQF;7ApO?BOql
zt*e=r96(~S;3fi{f?U+K`w73kJgaPx2E1!yW25@<rbWvtl-@aYzLiG6b3q*S0iJUx
z9QVI*u?Yy;kbNDBgwzfU{19+I3Q5Yuj@+n0p&-_})zG#;Y6gqNA`IRlljq9o^pNhG
zt5A>?PtD8}LlQ?&)9A(Vsp%!{-FwV%dA8l-ha}MfIl1y2tcC`NwJac7ToY(khJ*^R
zE<hu9K$*DyrT~)Lpg#ae2VM=?krb#U^z+*e_(Rqb(#^oe5kLjda$!OL{}1*885PAN
zkRJqwU>rgs{ME>xA0KzyyVv^5%|cl))Q&@9XwVNp2E~9v3H4h7NL?T-Ntq!7vSWb#
zQT=U15SgEx*rGQvQqct3HB=2k78l8lyt^B=83D&YrS<g6l&vyl4}xm@H}Ng;Aj7C*
zWD->Rl-GeNY|g9T9Q#bLmY@gfkf;P%Lw?t;p8~u9S*NVzO*3Ty22AwDd_*=0Nr!?K
z4oQonkR(PF4&(|{B0z#~q&i^*#Ue7oz8w=M-yap_f`l$;86Kl(;wofS6-8L}G2^h1
zg@rPjf6LnbcPSs&z!tQlqa$RJtGm6}@a)e=65dD|E}l<6b^--?CE!5HIfAIpZ`T20
z&kOUqXRB&yAtDKg9^S2ec%;zeYSLE@3I$sO^&cFhmH`BDFjXKNY!GZgY3D^jB60)N
zirOc>4b*@MLE;xFi-h*osbIj6=ltKv%>-~>r(7=7L$>JCeM9+KL`NG?!2nK=)V(B$
zj;`ObSu4~&Hx2|O$N{fHNgbS61@hKd!R^~(P=5+(L6BpB>nu-&FJDuxzklB=EL#je
z02L{yLsL^zhhV~~si~lD{p?+vr3OC1^5IytA5<BFodLZYX&f2~sxFboz(Dcw@uU9N
ziop@B=!xkE|L0fVQK($~8F$WRm-z{d`_EtIW@dPFOATb}A(d98exdL&WRF!rV#sY<
zliQXC*;2%;mJ{aw3?0o$Tv~_&B_%)aJk&pka%ts;JsP?40_4i0SHS)t3uC@G{fk7Z
z@NPN*zb6;rNELu0hJw1o|CvF7O5?*`6)aKw;s@YUWb8&@C-jK{<9mHHadB~=UkwfV
z*4EY!Xf=MohGARbG=YBor+yET6HNjs1k4$LJUKX+Sk`B1nF4~Yc`Lj5V{tJ8(U*ZO
z2j4&n4xlmu59w-yx$oOSBCF}$|NWITJPMVY9~$D;feAuxAuu!)Qqxc~`Jl)u2e>{Y
zxo?5q0*XCUA`Czk_7fn1!qPlY?DC~*4^luO%B2@QY6KOzP*#BGGHuhF<sh)ipWsSO
z9xN_SYT>}4c=WzH<aKv9FBE11tp$y)f?9O#+73Qx`u`x4pu$0o3W;rWD{920VR5S0
zpcjms8*)JghXSfSAiMeQo!h|}aXHX^Ntjtd)>pP`Y#O_kG1w`%4CxstMB0{e=)Xyj
ze~2Q1GWwx*9h${fKoTO-DHFk4b)h^P5?}Fm2O-n@yZ3Z|ceg~|786UrE#l^!lw`%$
z;ii${;ZDIsZ*Qq@-@ZXD=uz-$;3lBTcRd<1<w&;l#S0<OP`0(I*<RKkT91Yi0*o5F
zy$%Q?jK1eG$dOTAyr2yL>-h{TF#IAaO9w1=zxZwpk|T~Q+PQNl<fF^HX4<Ig1`87e
z{R30hjqg5!?g@$&lq*58K=F+mkiS|>rBWvrW*J`w2d~_`iJT%l-=FE}vew-yDo>D1
zB_y+<{`Tfg<-9S{+-|5&LMo?*hl8W`Ww|3m-qFWopFBDosS9dmv6kTZHmWA(=HA-E
z`^uJ?x>gq<bEVjdD5IeAz&V}M0Urei31y#qHB@UelKVUHs`LeAETZ<{UEWw#mFhtr
zqZ}3Q6VtRpS+IE`7vw_|a%qsmI(+%^R&dmDjXxrFyMm0MFdP1#?Lf_&SSr<QaT%$?
znVx1vg$zUT7s>X5);m;z4+2JDVqyRjT}e9p^Y!yG_bW!R){zjEO8Ae+C`(gYlbd*-
G!~X}pVL?g&

literal 0
HcmV?d00001

diff --git a/media/nv2-keymgmt-architecture-revokekeys-v1.png b/media/nv2-keymgmt-architecture-revokekeys-v1.png
new file mode 100644
index 0000000000000000000000000000000000000000..78cb78c41ab2b0e554c682ad6cee86c770a8f5f6
GIT binary patch
literal 26344
zcma(32UJth)&-1)2+}Nc5D}yaqSC7(NPy5o30->VHH8wophy=ifJzfAps0X|ptLAW
zML`5asi7!HM^sSSTT$=*?mzzb#&`}|&N=&>z1QA*t-0o0$7C~%-fk9t76byZ+dyB(
z0)e1gf^SErop5ABTJr+}!Q2z9Ya1Lu_Vn@hK!_`7|NTo`Ue-H^6fCZwBQ7uRPIL|P
z36jPI5%JQl0j?22f$(<#oPetWg4}&PeLUR%UMVjtFMCW@?U=lhrJSO;f|e5PhrF7!
zlB&G@-|JnyJOcmS)+8vx$KT&oTpq0?Eep4jG;ziG1O^9@yu}qz@Yx_R*ux)w!(sSo
ziiIDx@GU1REvNMN3SubSUPVn>_AngR^T7E9!Odt_z?U2xLi-RsJcGz^kap4E4upCT
zNj^b=fBP#ZFRdu8`uBuKu&dYKqn55-mP7&?Z-`b!2NOwF5kW?9587yh!|@*fY~m5>
zgY%#rRnP^ix%;?!5naJ1vOfPzLGlfb2sOt$%acQu^#ZL4L<7&@zn806<AZTZBt=~_
zMd&1&gf|F9`9_dz^(~cE!{y{;$*LGNcX4@?vNy_{q^)S@VTZ-Zn|Tu5!mO|;A4^*~
zZTpabfKWYMxe%hYf~%*ewY{r}r+xqd+Q@~Pp%p{TRE(^YP$sr`_Ygxh1vj6NU~f5d
zc$5#;4=<0k1LLBt{emJatxW>uy}WGI{KI{`-H5K<Mp!=;9dm2n5LX={(HG@yVWo?e
zwbw@n8k+{X5iu(Mf$o8}IGnwSIo8<FL<ytpt}2Vh1-qJhg__%jDtpN4h2!m2?G5By
z$vz6!UWVZTHaHT&!zSD~#KS}1%rwBr8y-z`vybre3k`O4Q?P=M?uzaNJy{#FpP#pP
zphcK+n6eqpP01oc+0Dk#)=k;YM$eG8Mgk)2w2WYcM7*+%wV@8$)KA$@Ma$1b$Jof<
z#?;z8EL11L*iX^Jgrq2M;fco^C>XlxYFnGxL0gqDZCkvBft|dmJ_@TvLSb=c_F78e
z<bY76Py=%xA7gWWR~3u!P-`umA6y<`Ym6fWpdu8o1bKIyuAV$fN!1f07lbxL8Oa+2
z8HWZL1QHbWf(=};KFYQs7P>??HG5l6d0C8#sk|!D&|lFt082K<+u2x}S=fephM6k|
zdb)WLLqoI!ZG2I#+N!3(`X0u3tdW~NO4o=WYpbnfNbm{@CMcL&6Ww8k1H9eT6#P{!
zpfd(;*8YYl8*?;FyPl<akgXL)%PJHMfk6>*CLX$WM!_~-5jdp?8!XxmW#CTKa?=jg
zN9&nd1&{)Ku{y3wKEc6we?J{NPj>}1Q(aSSYeS4TSxYg@ThU9;z%NK4L=pBT+C0o%
z+t`Xk#CyA&sLJ_zD590fq3&k#Dzf2tKi43#64^}E)Ys1o>+PdJw8H2cX%hoo)$}Zl
zW#w&sP2|yvRyt-_AJ-tFm$t8pmW744a)f<oDArs%SjpcSgV71L2~tsV!`KGNl2l!T
zQP%R_mKLtA=KkRrWpg{5AS+oLwGfXG6vivuowh3iY=SIp46t$$L28OVik7BY7;9o!
zum#4z)<}t{Nc0J`0TcKc7zX;`3{31ygRodxOO%hPtDl{>t!${azH$hhH?ts;OmPv4
zI^G7ZIw6K;o>-iL4sG?5jj@W@5I>cmKo3=aS=mti0B@X)m9ixsEAOGEU}zn#Y@}vv
z9fS`x(9_ioQXtvsxtZGqxLF3-shRna$Y?tgOLB-CJi$v#UfvTc>rcRvWaX62Nj~<L
z-e@B~uMj<b6j{&H4yO$lk!<wbiD;s#s~1^LCsYM(3-gLX*~>+E`Kg%M<Lni5UA43f
z;26;^IKak38LI_<y9c<@hG40P)w5Iy_p;N+ntPh7$lKd!<2;QbR20a8N+cCq^H4o+
zZ#y$pT}y8ReR&HvZK9&TFAPw}OV&)!#>c|TR3%)=Rm;Ev?}rWW*9#-sDx>8h{PEi1
zW@hr>5z+7n6Eih$dtVPDJ2DZ4_D1W4dTCkcDPS>h*1#TZZtWUkf(`aDbXT%B2u9nh
zf=fneTN%rdtU`&d1O?hWSlL<I=mlzr*^tzXF(HOt!JY&kU2R);vI0StpsWx9m$=E<
z61?RIt|VE#h%f>{AM0!CtxP7_VC`MQ4Zs7VLe$iZh(w~Nt!22sqPv!oJt<5H<AI^=
zM_n^*Q=c%hfsTrPn4f_%#y`*$OAZ2qq1~<By+{OkS4BTpOSlKo9YfMHv-Gl}eZVRQ
zyPF1k+USJ^d(ox=ZL3G{xAyi$+jtXg1Lf_^VY6fWRcyVqee}aZwOm8Z-NJnQf-LRa
za5y<FB@cPMATr8cUK^~0LgUT-$+q(D7J*)RHd-o1IHFRJEm_gRU)2Ebt!zuw^Y*ne
z@bDoiYw41-ELF%vj5S7|sA^`6@iht8!WpOqVLWsKy~rviFjTaPKgrO>2cr~B2vneL
zJu^2QA2oRscMq))?FbLDmZ_JGKh6T}VPvj@4fZt-w^ox6iLmo>vkf=#4{{~QTgv)k
z^@xP9a0L%56<Jdgh$|>VB_jiHt|)n9J0%ZKcOQJ9y&NnAl!1qyv8tAxWhffL3f@51
z*2i2|$=WU?RL?iS$TL96*TUUY7KSZvOw<onG=UZ>G+P;9>_TmV11tmGg515_!j$0<
zhHUDg8XkbRLCNbV!siIx5XGQy64t=R6y>33hSAZF&;<vL*3<X(B^X)->G&8Mg?Qks
z+~sY&<Z=F5vR;0+Cbp*jo<7Q<hRUjb+95dKP?VdYv0;$Di7_TvfvlqE3C|C<P;e#c
zs3<5Yga!I2xGLN0yZM`tjC66ZAW{AXW{R$Un1~>ZngV>3jqvkO2vkxF2*S&$nS^32
zu>>_)S>*s7SxbF4FC7wID;RANY^(3@>h2z{jPjKysD%23DXAIZX|7cz$PcUL8WN`J
z?`j+D6&4yAO7OMOLMcQ<czD?Q*y-S074_823D7AtT3=f(*hi5VXsV~8WEkeI<}Gg$
zY)(RX*oWu@%7vMtO(Q(ODZ_R`2M3!P$QgwN*jTFg$*UO!dD`158{3mf7*FGn2-nbH
z`3T*>AUUN7JFJ<nzPE0mFPRi>uWTFS>1mAD$Ezync$m17iF#_GhL)acCgEW^D02m4
zH4|I6P(VOvyqv5G{GtIJfF1DjKgi<`41v%8@SB3}medF<0&x&wprd6;&YNrS^XK&X
zy&7wj^<*wo&()?Z+=F?NH|8QQ-RFzqw<HZ?E{bpoyR&H)OYN03XP10%=2V&EslDRN
z6-U|bO_~;&v0SC_NSYz(5<GUC!`j;-1NWHq+>$%@#ovvIz=4w(-A<j`CD`s2sg7I!
ztzSbwp=PQs<h=UT?I2V9LHD!KZ`}{;?$$MQ<}Z>p{>ljl_1)ds*R(FFY9S?<;xoCQ
zir`aPm^oCn*v_TZb|??5<JJwvU+rSfJII7WyK}E?>v5QR>Qm{p*yKe@DBD59+v3R*
za$@-SgG~D_VyVr|&0@=9=jkzQ^unS<);zI-`b-KlJXwqfDUmE8@%O^yEDGF|@$XID
z4&yJ8iGLq|(U#Uk{cjT;=D5o(mv{W_i=;SQHLm@qlkDOQ7!Fhazr84a4EIWA{d=$8
zgK(7_>hD$6OmHvqzk8X`9?$dl@#eX-COiH$k)$;_^{)v_o|xeFzb0>?NxRCwCUwwc
z`QKB<wWwmtYv=wBa#;l0Z~W^%nM2h;z42fiC%x87{d#7&ndZOY3qqGO_WtcMM>*WN
zOz7{xULMAavluv>{C8b9z2Jk{gCdCqVBvFVaPa932`!p2lSLYJo?g(2|9e6#WsT$W
zaSrAP4%$pyk{ma>GOI5(ZNNr*aB-51`9sl*|9><r=2;$|dzySNTk48Zmci?{1-V)Q
z<=L|bN3={~LQ&`|T+Z5IJ9r!&xxVl6+daHnV^tSvBlKO2ww835m#^JF<lgUTbRpl(
zSj#$qhh;yD`G950r8W-tK2PD+t0HzXb;|p*T~nnVo?Y5|5|#nezU1n)G*3}aey^1F
zqyCcTUip5jGfBU_)2`ZXTv;Jq!Bug;_-rPnkMZBtx8drW<ojw~Q^uS%9v?-XB#h2I
zRXg_nVP&tr2r(@A^8a0$wZ{K!f6D|s`uUfN<iZ1y5xc6I^5?7PBY)OZ5$3+i5gae~
ziCwH+5<NrzP~)Ge?zc!VMRa~rE3OaNv;Rv$?h(U=HVe^TZyILQ>y%G#ym1^Sb-hjh
z8p8Hm`>#dZgf&+0k%}aq9$e(YvG^WUim54wzPRs3WF5;I*GT9xpw9f8qZU*YDq{t@
zp44H;ZzP7=du~be#^bw|4u^Ec&d2W4r%IjsJDG6di>)K4rRa=xM^V+`l5f;bFoG>w
zw|SMhA_7z-dg=aJ<KpS4Y}by*Go&Kz+=Jg;4hKkO1v_wVnIdf@{!K~X^3zp~RW9<4
zCqbt4uB_|Aab^4eE)kKMwR1DXFxTAshbqeVL4QyKIc6Txr;s)(f7^=jjB_5(<yPiO
z>G+bDfA-U8XLcInYT{ehX5$HCzAX>7oTq!WMB~c#{=FXu>oW7j6*y)75v3Giu5C`4
zA8t=&ogZBYm@T-dTD0e%fseLK9X?Ix>V37GUYv4enjyT-G=HX`^-aU|0{Vx7|2GS1
z>p!_F*Eha^xm%wJeJHwrch_u;twc)Xhngy}iPm8W0(%VG|16BGHGi0}y!;8Paf+p)
z(?>JOJ8aw*sSyut`Ygm3nj22${of=XZJj#2tZT#j>;Cc87J2`RlWeQTNvQuWWU&w9
zRcij1W`c`E2P;e3>+kTM{Q3Q=&QL+ar>tjtL}dTF+?lms)TfW_xkH|Piuu3R4$1eP
zvdx_NJC%~hPIHjQQUBJ8^vAPeOYU*BQ#$cfzXjr|{Oq8eR(VHb0sje1DJRVX=pd;Y
z`*WK_#8jC>qko3rdn!396KSsHB7(e!VZ~}F@e(tslo6{g5hZ-(&k6P^CQ<?8>1b(c
zfswl9FV5G0ykZg#wQptqm}c$zn}E2K$R`S@@IT&$U@X~3Rm#5ZGsw8V0b8Q{<BzLK
z!lLdXP37*a4P|6Lc+)^zaj?B51Eh3awTr|oN-zO4XK0;ZFL|>S`b6g$>`&Q^4r;ai
z(BQ@wWP$c;&*&2!URL4Y9i&c6-Ia1=_~XCE*)I3d-~5zxe&M{2{Es(=U&?+DMMtmd
zpR~^Jdwu<NsgBv7J~1b~b=9^Gu%^tA=!%XF7f#<akqlV0tiN*g<Y90UB44<axqd&;
z;AIo}ZChN6m}qGE?!yj7lxvswH~-C5|L2(GCIUQ4(qs!(pVZk&^FQ1|3A8?Il_E`r
zm4a0yqYdx<i9~RKgY5mMgG^SZkb8Ik@w|rn4jgC=YTCRrt)`madG$aly&(S|XP?#G
z*Ow3<kCbhr@SVk!G<W8ophJY#9Y~XVTvO8#BlzIK1DB(r_6Oq<cm4?>9`_xda{T)B
zYkGFJxy+^<Ki<MD+lK%An%mgenEK(t>59SmM}>^c4#R(XV7aqvMN&p4=jdQltS0~d
z{c;)_7v8)vt|u=e5lfq^qoOBI9@w{U-`aSpOlD!>UW6)n>7d5;2I=VOC%e?UL}g_5
z?%1&dab{%1X>w}n>{R&VmoMYpH}%E|odqXTzkd&&{t@B-u_BIs%NYz_v5**Y@A^tU
z%`8Ro)(;(++xS>mSj-$9)16~Ctu~BHQQMz$oMly2ncDb57e~@>>Se@Fh2sSn5g#9U
zu=3%cr|qAryjq1AE?>U<ZuZB^w{LZ$qfaUa4nYHd<^2UGBX_p(eR$}YIy2+Dq+a+P
zsbXhxH8Sua83WGuLCOm9&xGH@`TOr$|2eOX!Cd&bryw_%wX9EyeeEu`q{8Jnl2CUt
z@~1w1!L@6LW1jf*9OB~Qx^ed|bDEs(Q62<ka#D<3(EgM(h5tTne(Uz_<iV(4pK}b3
zEj_v;UszReSD0Ud7H><Layk-<iiDT9VX7od3+USkYu|fJ#gW_7H#3%Mnl?=wR)5Y9
za>Vg+H+1wgkftz4o$C3#I`i0LxoUHEFz#{r^vJ`uA)>nWZA0YhB@1eSc};n7up)+r
z49wU)tM;YI8C0tw?%P%(S$U<eFl|g^Xtuq-ZPXe9mOsM2mco6crHek!xgml(P44@T
zAI}48ngeSlo}Xpp<KsJJXSZ+H&a<^|HMf6t-Quh*FQqxQ`Y%>C^8dP@R1-7`riZap
zf6VqH&a`I;X_xgC-@k7xvNX}2adtvgQCYdTriS<H*ROO8(vNd(EG;Qxc<Q&$9WH4_
z4<78^E2xfWC)5%qcJ5?kyqKGttB73X4arf=PKuWfkg_uQH<EptTWg|^?T_){sH%Ge
z+KWm{nI<MCE)l4h63)+`Kf8HV{aT@|E5ryxqx&lk1m$Z_iFn`CiO@L&0v5E(t4reJ
z#Iw&cxsc_)cV9pNC^xUEA<5dA+)HXRpy5KPmaoCZ4GjkZ0s^jHy}I=5!Y6;Uw)T!Z
zjD&+UZyH+k+qZA=1KTfOGTEO#Ej~Yw<Vj^{XlP*1k5z54r)ImdKJu&DfgWx&JI<f+
zloIVIo7HmUw#jYcw%T2m)uw<|zmm_%l@95_p`r0|=ilb4+`M;>MZIfcZF$15(E1~}
zQG4==OR0H{%$2mZk^|T$qMN)N<ZoQnO&i4qcGzo^IZ+3NX;|mmuX|c%uO6%St~-CQ
zJj7GIT)4f#2;=`);kx6YQ^URQUv<t+ozRhvqs8E8F9yz#^%u^H(!4zvBnB^Tu`;WN
z8_F{ejaEl;qDp6bzD-MKOop?68~f!j$x*wWq4G0i8u}2WJ3*A2Z#V)ij7s~k%a-|B
zN#`QAhZ9}IdRC+Yq_~Y_Guf_)_pX<>O?lJ|E>FJV+_h(qRJ4@2_Tf0aD$m<Rb#e59
z3%_-Oh2uK3OJ7J78<nm)n{)v~#{>@NlGEhMRF_^@m<oalPO9gSPq(+?+S){hoV+~J
z#rNS4P6>=;_&z6dL+YI0`MH6)q=7PkIUhDFI{gA}Ie<HAf^XDGV+=+_L4gyz&bW>Y
zEOhvHRV7I9Oc*kDYeVh#`g(VNf8y`o5wdMdt4-Sn5SD|VObp_x%J%_`D{iyk{I&(i
zOLl$mlhdjJQbJgAC$qY0@6fAceSyG{dhj@JJgeNpPoLiZ;lAD3ix=6=sW)%lyc8m@
zpioKtY={uUJ0p2t7nh~RUucWg9Tr=X{UA{c23AFFKDxA&MYB%!R0x$qM=0iTW<oB`
z%)Fpd4@N{pm|?Ly+W0Vq8oSTX3+hv!>r6cF%)uZ{QNpDR9Ax~t-yZ3$Ik`(F^%~^|
zPK2H+>G|c@etN$uZr9zrclm^b7$Fj%si<Y;>_O*jc@8rDEN6EDy`VrZ>&eC>o4CT`
zAuMTf^-;ep9&NyeEG;dibmYj02T;NNPJjK%e)&=!T!CO#=K@QNzP-<5*lU8^OW1UY
za7JHF->))W9=qxHaxgtTJ#Ip^x35n(xN)khP!Im~epuPb>>$|NTc)-zx!-A8bMreV
zA5JxPtKL04Bt!}J=AlD}qMpQ+l$6}O?|+XOMt7Z(FdpzlnS*@g!`?fq9*Un}m1?Zd
zRb|%HMf{L@R8=LaG5YwiVxAi5kne2xS#b9=ZeQQue&<_V8@sL1*4EY{K((^6LQt{P
zooDF^V}2h#b2u(&_!;-xw{P8;SM_2P&Fd)5$A}j*k*odd@5k^i&F6PRYkgBw-m)vN
zJ31<3HX{hRPo5}4c=_nBtRDW2{?n&V;6Wl91j80b7!GoiNhF0YZ*wIu9^Q)l7qhc>
zKCn(bcKQkBYjDcCQ<dlL#*J?sH#+-0t6YD5`wR{3AMhmZIe<j?kJQ_xeVm=0b*;9q
z^zD;cQqM?B+ZDC)R>i4*C1kU^cKg&f7KdZ`c}XoL<>h;6uD5sSfn%L@R0h*xR%NB!
ztI#9X_s>9_o}9dOwc$+z1Vkx<8izi$=<jGOGW#KdnL9e}ZsX(U=f`htgv++M)C|%g
zPS*tLdU_seYi}>=_Rh@7Njwp@;Ii`NE%a`4bF-N8)>A?CLNi2gx>NW0N9)35W@cyM
zN;4;?JuXs?LR~A<)6+~dQLHR1H+sI}m&bMU)WbQ_<QyOZz%GITf<NIC5NNrs<d=Ez
zVjSF^+LFu(-ny<Xav-Adp{9M;5jzIKnVhV1<wutXSceak^`(G~m-DljGAY`k!VC*#
ztDjq1==pG$_9bP@IA2im`;ep-Iy*CiK)@najarj^=<pQT#&<q3u{8kt`s%VorEBxf
zqYkxf>Rq_E*OkVnXa<`cJ4u{O`bc^VQ5D*0<uA_mm+QK+La=e^yJv;CWi`=X?yMIX
zc>-*)Jl!n{_+|5V$g7C0hnoDWLI>j**Z=ON-6v&2P{_UM=eTOiM{<UThn*6x(Ljo%
zloX0Ukc;{CnYXfJ3PPUl7>m2R`;AABIQA?1v#nO*$56|pe2mIGpFlg^)qD4Nk6)rc
zJ_=)nsi?MZjSl+sNLM|(j<TPhKQlY~kabQZC;7%~M%#*^Sls@%Z8s!HH=L%I8JHbn
zjIFURkr%Qko3|0^o(6Jv&M8%$t`NILiT=?jux}q7ZdY}6H6SkdlFfbV9TdcfaCk~&
z0BiI=bhND}%OPlx3}#q5hn3Q6c^)EQWhFaw^2~FWQ$|Lqway5d?^E{wcu;VnW;8|{
zi{(6X_vIGEZBw(UBfTt&Dk`ak#~hz=!F19uVcx)f_|ta+?rVGZE|Ywr0J%4K^WsSC
z!DV`l9#u{c6A$yQuVvXzZ%6P?9mYo^?_bT!)3LGP9T*%O!>hV$I@SL~WvBp}X8lzC
zNh?*=8p(@~ZPKlSj4M-#S2a@%8MYX$7Br#`Xs_9`YHWF;{T(>@-?Qa(h@jC%hIWEW
z+St%j(j^bZy@Ka@zUnwS9#Fk-w&&}WV7JpvF((!Ich7~MP!1Z|m5)ihaAD8))zxMf
zS!(lM&6e_}EtY~QIXOA@@4xtW?W6&la;JtDsk|~2Lf#tgAOKOgCs*Qa=DtbvP4+ao
z-u`~053GNOS4qFexZ%vleq-f}j2+KHX2q%xfsJ8nPcJSqB9_|=nuKs&1t(Y3_@76w
zkB_@mW=nFtIPj1>_JUzKQli)TfJT(<hPsMMnEiu`PUXDYjTu6kd(zRI-w4dV<gTZW
zuOH;Q*ltgy^s0Y(v8pau92mx7LEVaQRtEE1y-Aa!fj1aGcfTV*wp$AO5p#nzrcsr!
za3^1~Bd`a?&k?BF+S)MDw{PFB_~ifc)vJs3{so$`7dF>daX)7Ig!31N>%zokYPgSB
zCv|t<G0COyHD6Qks=&4HSr!0Sol#$}UO6xl-EgX3=+!18hbeVI=3uNyPTl36foi{t
z;4ZedVm5vb2B`*5XR5x|njR(0emK^2;JUA$Us0cLL(G@P=vw4nui9}4AJ6%k0i-Yg
zoIhP3zOqv<Lon<6CUog}NnuP1+y-XlW>ppTO`Fp3<0&&UGiQ2IIbM$))`Q2LrZ&c$
z85B^yqL{67bn*Vc{i|CqO(o+PQ+vL)bZKs<@ya;SH>AJy)b{i9dv{VpLPEl|($+;e
zS58fB-@;ww)$41wA3QL5&m+C`?X!{jw2X73j<a(iIcjXQU^aoc`AQn^@|*Q#?#p3K
z*7IfwO`-Glm3Dg6&mB2#B`wR#1b0u*@zzvc@SHDT)X!JcEwEVg)2CBAJ2BqX_Ofji
zfDvmQq#-N_oQ&WC=R)3CtE`O%XOJ!Jm;#9nULX;2sa?Bw(;-+`Sz9j@P%I^0{{H>D
zBJqf)mltit^kf5+O{#WLQ&W>Xb}TDu<lQ?&8y{pAJlPb^BHoC4>Mzlcg)cvI)Ovi3
zpBwNepp~4@?N2Y^!<v1v_)2Peu`3W*gM?SUDX*3245aWPWD$0<bwKv5d0D5_G3WDl
z{f@7Vj_Xbqv8ea{XkZq&I%D>fFoCXQ*~oE@(bCmr_yUuC=guMj(MHJeAiB+ctlR;R
za;!NKe>~qU-6T9*Eg~|qbv`vU73LA#2LVz%h*Pkv5!knK3pe@R_w*3HytxKrA__3x
z?4Dj7AQ6d6pS%iP@p!hgXU}>E2J%QK(6MDxM8lm7w@<c#6mfkV8?zviqfNCsX4T_q
zwxZnh^i*j#be!jCGf!drs&Y`o;~1t(0MY<5YUfXCF1*%S?7&{QbK_Q}*mP63H*?hT
zc&lwqV7?BuFzOpK^r3rTAm!C718@h7p>>WH3DQgsnI-E#TU%S*0(}r4n_`<j3QQPL
zPfa&-Cy>^*))zOO>LN*3BH4?71MzBjrBP3CRD3lo-AshNmMvucc%n=3GS|&TA;ISW
z$e(1O6*U5y*yoQi=~I_=#gL}8OhX;160KL`-`{zkIoL3?DzvMSzTo=x6v!eC={Lq(
zSs@0Tk)t62nWha6L_Ny}1SrHE)+h+F<8lil4XkZ^4$}RKaV2-|U^vN=&D_=Y5Bj5!
zHV+-1-!{rY)cfra;^U)GD2O+n3V;_yQz+UE+mH=N`b!#LZTf1<8%vvM>t0cO5M*l{
zlKeSQ+ryn|y`_UT$zuGb{Bfqn#y4PN&Cy}#^-5PY?FJ~#++nq3P8wR_!;#mPigYND
z&-3lu_Z*;fW!R#VdG84Q)=HP=j;qr6qSpdfuk)w^Hl|p%9MhSH9N2A2|6u)C3OLCE
z<*pYHo58_i3e=e?k^9$R)3oln(VJ{Cyym+jjJM|0Em{V~s^mVVGoh5te~S+*lJd-m
z-zduZZQ}lPiF!&tM&d)cvrOk^$BMf31N#J(pb^AXU+rDJJEt=AYr>`=sp%nZvRrPh
z?P}vOy5vYLkP&hozo0AgJugq->RV4545RJ;u9cTvUG0E>bSN}<7rUi4(inXtG&u76
zG`qBO<F10KvEbu7Sn?)Rfx(ynH1zW2ON!>!@?HdXg^lJ(m2-C|?iI>rQqLPpL4`he
z|K0-f5H}YW1Z`odUf|U8B6F@aC+=-ExNxtm>^UJ%OiqtPsye!lDf!*<2Hl*=5b`3^
zkWKGNptmk<uI09fn<)xndgsHVVh?;qMaPQOQy}k+MV0l9!=8(49y<jj0svj*fB||0
z8F~qD9yL;a>egVL=q-9Kw#j40FN^8HH;tw8NREeYb1*>mvns&&u+O(LaQL{n#ll2w
z&`_;#sM&-nChtQ{UEO~5F71+@WTZ;&+ny&f($eQ4sAOaTl-Np#jNHmW148I@@NskM
z*d7~o!uUD&(p%PLx;Wg;wQvlk^Ra6{ety1-zm(URcLtqRwTq(f*G(JVH8*cER%jAf
z&xtObg7vlNU)x<P5my`-)V|tpE`7yYeT<<o>KC!{x9N?C4>A7j>ywvF@xQ)#Ah7#h
zf`*z2TLCf;7eM0EkhK6TTK+Xvhy$L18ZH<f9uB-froX1L^3DdQ3^1;!k`lN51M4?T
zUx-gDLT0U@yL`KLf>&}(^ByAbt~qc2wjs2sgw=bf)j^goFE8J+?><a)D&Xaz#_0XD
zJmTBR%5#DMBm}Lzp%r3PlypzrJFCxsJfHSwh(k^{%}RO>U+W(g!r^cgwnux;YhB35
zFgh>!jB^363#Xop>K&hx=j;7h&yi&}+R0)#goM@~O9y$!&=W|SA4pQ<Hzmihl2WH8
zCtVgt8esY^x?g_@ouEYkisgPMb9462Ld}ful`qLwX{Vp~11JL|tQz_AD7k>QDwTPV
zl|2pcdS97MrCTdYW%|P>PptC}2h4tW0ND7(4VQtZEXeJ-sxGkxe}*UzwW?44fN>!D
zAP%BkKwuhw{BU()xH(ZMCW(QS=UnhMYz#%-2#|epgw&=`dsSwB>VhLxg#>&<cOuSr
z2Zs|C0m<T7a49K$!N>D4c^M9D6|yFG*;+@MVx2|stCBH2cT9@UoMecZXxojTEG<?1
z31N+E<E(^rc*q)8t=W&eJzsD1&x(h)Y<j41p68^)_B@jY97wU087(dr`TqSo6-EU4
zR*e3t^fd-)i6WN5B<Z4&*a)XeVcWRKjzc{Dy|b*B`z95P?2cYoJi^~~@9npzCNEfr
zJgbs9f}c9n#%vyc|NcDy;GNX`GXRJ#0G~%Vv5L_EBWjtOUtIeHX@0BV^8x^cJ{^3`
zrkb1d1yilQ5r~hC(RI#okfWH+xz^JV3@O&Gla?C8>6SxYT?GsXhq_RcIZ6qPV2XVg
zjp%gK1$ZI>#_}-w{CIh^@_1v7xB6X%&K30wLYmTcp)?*-Ipl8q8Ph_IW3P^X=;;w<
zuZ^6XHKoE{8IOpkRNEi>xi~5#4I8X_R4SOR=$Ye7^cR_qYndlD-W6%Pq=DM2^Jce(
zoLt<OFP``9tAVIl&tD(ngzVf*LLxpX56{pzJyTrDJaoD)^u`2ZkCWgo<;2~o52Z!o
zSZRbO;0d>EG02J%Sb0T6MR!n6(ACt`oRvEd*p;6KR@;SQ1(f1qzjx~aIXOKyr-Q{_
zR&9DL0Txmfa0>uWvvlpVF>ME4`uPLk3|>G2J^bUx52~v4^sga04sylX`lHCRkbm{E
zI_B$GBmihvC_d`4HBfz4EvB@g|K#1uUh;fqPA_tCexAF;jcb5HB9U~vpJhyFgv@Zk
zbhX&s<ikNGxFoeCZj`P6WL10#MhnX!X~k&ePcmzeRez?05*Ie%SQ9Y#MWN#w1=vgq
z-(|7f();(hGCBwXdjwS3-fxP=G3u2f_l87^JbSldA#ssO{gSu(yEi^X0-C+vL#KgX
zSiJ$BE<^C-_3UR@7a)PAI`hwVe2xcy3MmC-i5T}W;_8Cq<LYYHs3-x7CAuUfC8gr$
zXPA?9odXNNW^h2p@9IdSS4w#!qO?Fd>SiNLc9U=Xdfm(pe*iO?OD`w_WZ?1qJssJ{
zn&Wmb!m3~H))Uh87%jo%$D?mP2W(amzTyec?#YuUrE{mLsWOeU41A;^^5!#Vj#_oI
za!-#Ur|B6nd*oiO^g)3qnO~0VU0rJ|UOr{6!mPgQC=ct;h2hj{zy25AifHlQJMVl6
zZ4Ca(0i1>c4Tc>%cFg=!`3dK!Wd?{}0@WlQnx@Krr1%&<sGAI;gJ<lC6Vvms9%0E|
zg&t#cXq3;NMJ1p{zaW@izV7Pya!^+azv``?H*uMgTp=9CnAjv!r=q|18rATwFF6mH
zaZ55hibIuMS!{{QWJN7{XsW{-;WPunE>fbH>3>Wlwxr6Tn$;rxN(@iutVveSVQt;i
zr3OXY3l4vV4L*|~xL<u#SPaiWCgzMD37d0|`gB*<?6E_^=X3SINJcRaEy-xV8NnSU
z1{%2irxu{?ich;l95&g+_4R=h`<$bEIrkjPSRkUD;8t6Qw38Ez9{E<e?0aH-;>lar
z)K?iy%}u*vyh3uHm~a))6^Wd?bqvT>UkR?b9gSE#+TJ4VaH;>@UF1fZ)^n|+IAp`c
z^O9(sglg>Xp28~{3?P-<fI*&F<;o-K3~yZ!dh4xj);qr#bCIUcGwCwvQIQwX6aPH?
zUgeq4KVp+sX}muDo^wL!iTok!Ct_5)$&%(ZC&ZTM6Ysraj!)th;jTSZ(M`Su&Ne>1
ztvUJGurNHcH#z-a5?R<D$%xcz?oN5Od0=!DUxmLJ7^Y8U-UF%$oV<?YT}nIuIptZj
z`6mmt`L&BW!wd9W<S?JZ*ZFR8lzh&RQe~7%wtHq|bn_dB2os$e{hs>Nw$B%yMZ4~M
za<EL96*MV!z2SvS%3ZS}4r}2!&Th1HoP?AZUdpocoRvOR=do~HB3d6=BICcI)$lIa
z`#shgy|@FV4AhVo(iC6Hxu4xcpL#A2xR$f@1=LJRvNx0tOrE0&L4OALKcB&0#)Fvj
zGPxu(g+ImYgC)9E4<1R+t|*2_VUQ*#4aH9_*B6N`t)0IIkD}d2hd|dB3CFs5RMU@S
z%&*z2ov1t<T{vDO209Z8!^P`T&)c=%5SbATCc~JEO6TtWfNOt;wdNs)U(ZiZOdAu%
z$$EJtRPSANI~lr5`t<iZ*<$0l@9$Vhv2$_MvKT5dNPBTVd%t>EFlC^kua}}ox--7o
z+Hlpg^W1|&$6p;_61kRqmvWb7;lQ%3(p^vU!^!rG9i^{s)!yICGQVu_^|THfVK=jb
zus${Uto@=<;`1A|w>Go(oYng8nMn@veHczy>5oRqW794yT5Mz5NE@c7^nzs=|CSTI
z5zbe#6<|6i6X+kZi7mBgJy_NCQM(MJvXefQMaycMcH`9d#6xkM=jt;l-0{aNbvvi0
zC1cj-Rc@PVhpg(J`gi%bJrxv>MD)$%8I6Wz8qEyOCv`@{fI4!wtZZdqR|QZ=_nn&r
z5%2zA>RfAx+67KcT$<L+?i=;>0-T(jkMgSQ6K*}uGoYRmh}u|gzqD8r`Kci?tYtm+
z=iI)|Jhh3ie24}DYDD_bx|8D*x+n+M`e)Dh)w}dU3P&KAo&c4s_?hWF)M_W7`W-A$
zpI>JI#@2Io7IJEcNC0B}jNJJnHV+Y3Io6UnC0wdLy#tQCyzw`1#zPH}HrXWWvP|Tw
zp1dsXipOsX(izjn=y2WzN=HfqhM<ZhNf{6~&}Y*N3+TW=Y3uv8!du%QX0R_dJ$b@o
z|KP*oaY)qZal7Ceb|D!K4r{7ufx1>`s4{RnPUSiE^}wyL=3^KOrYb$(@~5Sz(;=iC
zYR^Ev4SA_YM|N^w)w0+Ud9j5jjS^m<7asm}as`Nwo4|EZu2B4jJb%y3&okh5*_1nF
zea`EXy5;>+;e8X9LseK}VUghvB+ou-7Y_`H=&@tFfyB10#TTvpg3pzIM4@-@*g*7S
zEtt9p7<XX69^@DR_wjOv9@c=e2FMjiVE@4<yCGwG+1a@hx68-J2jK3Rx1P-)SOG)@
z@W1E4@yQ=i2<q16da)O<n|sRo_<#P8xJ7CI|4zty2LwQmBUcw%vyRx%7*_x&ssejp
zz|reJ#{gY}IN1tR6e5$t&?~Y87lA?q+=Hc!%|yR*Y}S1Uv>ID$I2ug-t3~b!K7Ifg
zPY*S(YL;YrjM(u4WK;C|laKd*zEv5eLHhS^A^^_IJ$nf3|HiMC?%v*W^MimtcILi4
z56J$^RJeN78XKU|9bGGH%k4shncl+?71vi6CuaJ}0JTCRysChtq$Djo0*^xYHfbQ|
z0zzqHqXv*CFn2@GLReXOj-K-L^!(Ugn2Bs6erDmr@d*m@<PZcBFH4xZO|+$7+HdXb
zoFS@rfkw>G5_dWT$Pl&-5lWB+AX;)Lmy1}U{r!!(s^0y~%FR8pb?LL}9x(aKjt*^D
zU*rPVSkHkiI@+ODW~DEN7wKLWU;6no6tQ$<$yDPPJ!pzx-ByrV7lxkhs2i5Pi_#>0
z*~N#WK~hleuIJ`<1N^&-irxJE<1v3DSQX%$@4zohYircaZWkhv0|A`Vb3W~$pdee?
zFf>872C7KB13GACXP3OO5p^GS&VVwAjc&K3gQHUP;yMf<_oT^@Fx~?PvW|8EAvU_b
z6$X3~@I}cT^Pwkbsr7}4rLQH0$g55X3&F>Mca!*4tjAf+ayV1H(9?_Y=z}V+)Y+QO
zf&;zE3!wkMOjd~_2}o>>VyV2+4s4(QUo^y-$Ge9<6N@S;*wW-+u4ot}u*Qgf<im%Z
zZC7teMS<Ue#Xk0U#SUO?e`grb1Fnv-D3*=?^2P{RH8tqfyN@4}zI`L|4SjLh>WbYu
z3k1Rh%s1pPK(hla468sQE|M*kcM*0Am@;;|(Os>bKofe_Qv0d~qFPh9-A?C}Q0S;Z
zvFrOGVRWZ0L>O0}8IuS{JbP`OD4?Vxub);|bBl_Kl0l4v&%l`!sE3QNuT^<<y&D`%
z1<f0DpPfKh0p{k28=Mc7ZF@H~bX3p_Q13@TnvYjL)rTv5k2ncLFnrPcS6$fRi!uDU
zkWGRN9tHwe9|kmygwDaV!F&S+Ng)WpAA;&+#DxhwU`pEu*0)MZn!OdFFro33udfuG
z1!?eNLBRz`^ytj2sQ{~m=T+WIeUIH<AJx!I?Mt;O=@Ev41rSq!frWyCRLS}OUn=)5
za7#@a-;99OprP0H3kQI@1<C4BUip7K`4BzFU)rWNWR{1fabLeK_4*T#*}&Gc57q?f
z3TsAuXUdUrh6)QH?n>|7djZoSr>J-?Ihh%FOgBhYp&x(La+9Hc(Ce3G`i{^FFF*vi
zd)H^+7gNAgP2lhg2v8t-wc--AhggSBhv?vNqEI;?VIBF8U8Vr-1Gu^+1Qu8lC{V#+
zVIbAVPpHCj0_6|94x}gc7YS4_bKCl2lhC6~(fO9_OPAvJDR{bo=kCz}<J5pg4!LL)
zTA)376Ep_j(4vykrFz<pF}@>haX}v|gy)=}#+j96{t2>~`%U9UpOW-MjDhDE8gf{6
zbd}}Pi5smYXn)&dSLw!ppd|-?XpkZh%J|dK4l<B3(c%cA@^=HA1EDUfJ`92lT~3G6
zJb2z7Q%&yviEu#>fA+5bp0KCJfqlRc{5bw`#JBo|XO%&=2?hgVzT<|{cW`Jv0hQe^
zawu@0bQlTs>|PCu(Ds_1fM$&PtxdEP{$@85Y}Q204Z5c7%|&sMj323xuJO*#&$}h=
z4TA*(sz>*S4~GWnk3BE87CwB;i$k@D2e{RStux?Rl)%k^bS+{B`@9wN4m<_<+hlV8
z1<!>|0%(};K78Qmt*D5LqkH`1Ns9K>X7M71hn_<WTN^7~;y@CG@JMw}Cv4?3ZRn~q
zhFu)J$y;vID<yXOvoVx#gbT+VIaf!?>C8`suIt~69*tZ)8MQhbhB))+kv!q)yUy95
zaMi(DneEZ-P3QX6k;qFc*W_?JdAd{kkN9$5`acZwLIF8i?Z-P3yS<qty5vn2jEh}*
z&Uh8Bm6DQL5^W$i{AXxdFIfRyMODYurRGi4W)4!er((AxidQ%WD8sGCPRTee{=rpX
z1g)2;zL0p=i;2DgrW6TbH7AF+@336fYbnlB-ro-$>z3+9H}}MDtrThx1Sv)oHEnOL
za{w{5K5p{e>+U~OvIm?K{JfxB-k+#Gq-+6VWh?)Cmq$6TbRC!+$YU~2^{V4ekp+@j
zR);<ks9S9wk)jrH>qcwryW=Frt1SO5vm|BU;c1mK-J_!!AWcAI7tz!lot;Z3%EML?
zirrv8h5ytsiTXj~+QwTB&{P;rNRD-5Vl>DFdJt{|Pe#xqXpAIC9<4vp&^J}jpSXHo
zzVXpj-4kVL4hogJ_6Z9a`V0l7T^0{e7WSPGkOn3vCvWslM1T4Z`M;C08Ws+F1tful
z=Pn2+nmT%vOXBReoQC&<bzdObgP2#@Kj#7br;e}hJ=KK`2(O4UKs}Gs{DGcO^f_Q<
zK$lo{WHdIZ;-7KH-s4%zK6bi=?#GMArIcQB0MKr*k3iK*z5Ebpf0`1VhvY^8(QIyQ
z&0}eO4fxo#H*P%h_vK$HX89It8db9x(C})qH{hDHT^j4VfZGR!R|nW+kUON%l&!`N
zVB3ND7;TI$EiX?5j?v00YjiHFaYPBl{cJce$6Y3JV@-|^2gLn>h2gqHV3!WUHl<O^
zZM4!Gi1zzIfh<_VO#&cvdw<2uteTSW6U1w2r+Uel552wgZG4bFpE*pEAV^c4V_;?Q
zX|UzN&yEXJKX=bs&S^b5VCQkkgqpl@wC~>*C{B;uiCQHBLP2ab(Rz7RGq$m|99x1B
zK5=4jvF=5GU0cKMp$3*{;KIhah7e0&N1$3j3c~?hqJ}%=k!Lz&nz$|p_VxBA^+YGe
z-(x5M^%vaHUd;^<oKvlYUzq$j%D6`WfdFxcFC7ig3s_k?Ch4-YrlX$Sol=+mAt(6X
zKE2ziAuD?Z_B1$t@X;yAAFGbi($YK%Jjg|PAwg9<W$I7Qawsb+E8^I?3l}Z`%KRb_
z)^!)u4_3KMke<I?7gu1r$5Z=m*#{_Vf%Y*_H|duGQELFQ<jOkEGVYa?l|{JtT5z0w
zeg;+vZtzI}BECavLMGMjan<XW;!FA`Du0P`#7TVnpKUNQKmp&mtBns_&qhoRh(E2r
zI_apnL5*}>D>0+oFr$t1jRAwomB$1S_V)H5AFi#{_TRFF@)@WWq19pmiTiR@RGOB!
z_5yR4`24w+Y@3<6IbCA2u*NB2g*1E*U#{U^#)GBz<zXBBxb}D2tf;5PPyXLpn=qm7
z71E%`VSm+bM$`HM@EI7G^9u`sps%=qg7&vJ3&^l8r=Lq>+7O07oJJs^N>B2R+RsBv
zke3+dJ?>}-GOK7wr_i~8<siDk+EtDI{rFajJ4D+{AtA>Pe2-{Y+jgmXz4rR=qPI>c
zc=`X_qQ<$(&#J08)8z6rqWRA(E)ofZO0f>th=^yZlfC_aX3CMe@TudFgv9b#qEN~#
zFkpa#cAV+IpAESTYz$c6uETr#Sk(E@X!N^*0jXC^qL~E+();4+=?kseoOu*XU%ZvN
zY@GiwUbvv}_J4xE1$kYXmzNg@%>gU60@f-Cn3#1OTXYnq7BuX-$^k6#9@|u}YI~6A
zXlm2kZG$AgxJa6cM=ObHmEQ7&>Yl6Q@a+G1b6*r&tvwA)gR^Bk`<(5k1_y=;^w`I0
zzZ_Mv(*rRqcSLPV$A6cE8D~gH2-Me|e_tX@1RYxdBy5hSiH0wj)t&V3VEmIW{6BMD
z`U2Je^Y64sP|9+WU^W|VPIGwinY<jeC^LyC|C=+rN#UhNjMQ23QdWx(U1{W94sBu*
z895kNcB2KyeVlty*F-W}W_&(|U8f$HJFVn)jK5_)uTs(XhNPNxUAE=(b4Urd)I6lb
zIO~6-o&+D!x`=Z*;lBZlSw!o<Jy6vWlQitO2K7SUP)JkRQkHx+v;Xvt9IuuCk%{hq
zZUn5wf7100mOR6atnHieq#G#lk0>^swLdgWv8^zZNR&R+veeA{ehW+8@CB&Ebiw0g
zJ=?{Yo)#5Sn0Nj_Nzh-(uHvWHfM^0)foxlgeC$>fV5r1~uK(ub!;29#mNr~tZh}qc
zAdp5oL)=7Z?cO5`p@0Iab|9}<nk{ca{*ead<z<6L>MK^)LF1NfLvAtA^y&=FExw-w
zCK0ypPfTTj=Q;D9Xl+jgpALDoXO-QfdMKLo`*8m`lp;c9;*)^Eo$2TukWfRZQ`&_K
zZcwob#Z4fKp#khdy4v{b%YMWuNWuAV`bI|0AW8~qL?r>`3t8Y%+X@6A+noq?@)82H
z!JP;Jbut@Gh=YK$^G`TW1RsYu6%-^xlW11di6j!O&;~()fJM{L=SCX#L&ElG<cNqy
zQB8C_a3}vd4DOW4HX(ZYoiOZcTBZwm2$X<)1WXTTo)7o#Yj7<Tfze>yA76$4F=GWl
z70R3-IfhJ}#=AppD8;KV`h0J%B^3J^-g{T${|U;50Ob;X&e=g6fjkCIpvwD2RaAJv
z@*isnkd*-%tc84-yyry*V?3V52QsJpF(OohLPEPzcfqN=9g4nMw_~AR3p!Oy0acC;
z0og00{F>VvE03kVLx33r<q3|p0aK#W9m%4upnz5Hgo+C@GqW=wyh9C8r7gnPY8{*f
z1hix%B#{|k0)#o302zr%#!dQkzP{8Td3XtK6(@Hd5WZn{Q_LnmH#ax=*Eeyfdjff&
zr3+9JWN?!BuyFadC4jajoNGWWfUUtszSSBGPL`Hp3w}VE)5?H=0}}n}B5?%@f2jcO
zsj8UH(>g6`!26vAVv|n%^WF2LHAp*K?gfT{<Ou~GP$&~OH|I~QGufCcD{rJF7rJrq
zwpvPII44<8kC6{o`tV`f$B%pfW20GU+1+>}eH?4wa&&a`--;yi5|wV}&YeI_p8C&{
z2JH$_5&YEx;^k0NEKQXw<|?~)4}pN(2PBQPAN|fyCzN^ZTJr1HhE2$tfBDPq)x}X>
z4-Kdt2bv>=JxUfSBp?9m8cYIwLv7TrN3}t~Y%@g+O7Q*Jw&C~21ZY(kz@i!a_zq&4
z-0|ZqF83J8_V(A;t~r(K#l|+7#;K^N>_EWI(jmy$R-77&8GaT5QY8Ze1Ks}=15ed}
zz=WXWp8zuVobz-*p^F*!ap4=mj7qmpR6fO3+XKY^67r23>al@hP><ab0C1zVNb>g9
z-v|Sp0{lJ#L6aXp`3vWd{woAt7fU(?#i)OLlP_)BMZWJANuvJ`n>fAy%HOBZI6Zn{
zneV#|Wr4pHzVSG3!jXz8=~<kzF3TFY&#Y^{s*=RC4~Q%{^_go82$VY}F_$1!ymqCP
z7ixh3Mnaj?_v1Fl5s*e;)}=w390N`Y&>CRZhvXp;G98`;GoPB=_fqogK6VzG_xR@+
zi7XpXe>HCG1MHonqa#2Mj&_%IsNCU%wO%E;1RFkl07#_RA2Zyrd+b5abOmw<stdGW
z+)z^nbuH)5pBL#oh2Hlj$qY0No%rJOGk#AQq}{(G&nz}=I~miz2U-Evb4uYb@Q4Co
z(Q8YtAc;g@rvMoKSKx2{8VSp|847c{M@FQti5@_p_4Fz|I(Wc~8p&rqb&&Rl+D;H~
zpc()Y<93?V-*l}r{;kW04<F7$?ZB-&cibT8+dd0E{OsAY7mbBFQNUOy(Tne+cLK5o
ze3BcK%fYU(eM%HZ028){mQHSincx`W&LJzi#;B({ROk_>MEKo@4|%4Pd2Jh`)L^GT
zr2%XffGD(=0-*R%f8hCW83l@y;1F!Ovky+!{H5h+9eU-m69HZi4EX|}uN-Lfg-Xmi
zZrcB1k^as&5Sb4Gg>dcKH9#zonLzO0ZAYaQP)!bPee00XjXNQ*2OJ|nJp{I@j#=$l
zLg*5>8=RXPN`wj(I#J85yyF_YM{N&+SY+(=++8+ud7J@g)aEe+f^gghs>4AH__LVU
z^b1U@syt*W@1tnDscWV5?%ivLmS7NT+-r|KIw~T5_!2gOfJ`2}y<a7e2HPpUNBto3
zu=mf-&$mJd0T2iPQylpvToBw8PyaCJvO3fe`Fw`U&*z|=gH}+Rv+ma+!Lk28Tl4E4
z-^%HhFVc7foNNbQWNu?4@%3#3)S@&YWsV#<``m@Ce|t)E`*2JSty%>A9%9nZ0V4-s
zyB|HW5OIO>8lZMlXMta{7r_T5Tf`fjA^!gE18;HUbTA;GSQ+$%!~e64E7{0EX+TNM
z!e~<ljs8oM0~*uJcs3jg*r4zuCBGH1h>Qhi1+Enc4R}37at~*2Ufww<15CWm-2UL+
zJ<uF!Gzg6-;%f$bizBz-Jqu6@yFYzO2A_@>;N^~EJ@B=0>$hKh#19t88|9eQ4L~x1
zB~RO#wdDkAUtb^M&b=%KW|9B^Fqohz)g|C+j@mua8OniSS7m$+KK`l_(C<;ThwyBL
zq^GR4B_)i1QmnYCa9W9JY3a+LJ5??USM!gD82X>>>gr;|?K*Jafa|EKh(_{tO62R;
z@xCjU>eSzMqD}4W9!sYl9Ot>+luBe#x208ebviwV=mSLBe*8(mD<3{st4IEPGj$wD
z4qd2O2YQ$ek&uu8h@R=ULlliof)MrmGx7Nt{zh3DYg*+Qg?9F2J<CR|jHynm4PC0q
z<SQntB2J`XEMwn6yto>u#84yjbMDhw$mifS4xqPm>zzw_n4usOnEEkF+zy(f2kRB%
z+jQ#LmsLvZ9&?$bjV<S?;cbtatKNPIzsTxdd#>|ohxy!nU&2Wmf54gBH%{rv4O(iJ
zJ0hL+gKA;7H%*sk?o~|6;)jsr4r5+_a>UB+f{~~lb#HHf_i1M^>`?o}K$GH)a-_$q
zx-^<$rFFl5&ruzH`Y6xba2>B-|HFiC?_1L+43gLOi|LF$WaIqUk=*R2#Yt144o6GL
z>CGc+>;-DA`!dRTLR@<0c<#HIxMn>d2~E_6ILbO!TznS|PWQ4SIA|62*t6%RPX|1H
zb3N;d3{$mr(Kh}~3N$-+Z0?kY=})Xf*-T;|M^vO&@y&lO-JHFaU(}Ig&C_tu^2}3L
zRhL_im)uag+51Y2o|&B<NJrn~{&L>cp=?esz(>W`sIGGKU0ljh1*u1G=sW_CKFWM4
z*H?f0=U*twY*#Vppdq@DUS*Ge@JQ&(`LT+!rnkGBRUO|aJRk|KbN#YOJ?;|7ci~$W
zd-4TY^Arj2lu#4B*RK#*CspF4KE>FFo}C5Yfc9>yX~#R}<>q0!*>*fd0|C-kef>3V
zuAKa2+U>!g{+p28GTD0<YtFj{uLl4D9u^jMt3;1Ygx2&c#vhtqd824R|7`RfdzDlG
zsaZBHfu~%g$+}PI+t!?N&d2r5uWwZ>l?v(UMVA09A3Sklzd*ZIdH)2E1LF~p$DPBJ
zoCWqCoD0y-$$&s)+n_>3IpDWVJQKXz5?^$S((r2C-edZG+D_}#=CYTo?wUWOTzeSy
zH=gcKfNoYwtou+xe_pzFh)_DXxBb4@Px^7_F~lYaBA1GLzE;o>Z$^gp&2E~j4O<vu
zZzr#=u1<iQ578e8`kQOoG?j)1GylA(5T(!A!FEm)FwA)itLe~Ozw7n;)2($oTl1xR
zrXPoXgGa&q@+Ma4mPu^f`E+b8(2>`wzg;b!vhwYlSi*!VO~`{HKPU`pZeF~8_HX4n
zR8a0CI0XZp@V9<~hALQr8j`Bjs}nzb$m-=_{=oZ%iq@mwW6EF3<0kG?+a4~$f)~1Q
zcUF+?IeRI~CiVGQeG`+csB9>=2fPGA0v8WY3aO&pv5qIS4qk(Mi3IVDkJMZ-BN7xu
zPHjtg6w-;yll~eH3$Aoz**bLxtT95;X@itkvoR`f1LN+ZPhJ*ak7E{Fg0}?>-b1k%
z28dpG6>A*I=%&Hx1Gf)h4e|y8AasBoth9+wmI_`KoZ`0oa#cvv5|a~LB-VOv^ZXt~
z{+s<V0rx7O+j=iced2qafItY;(*9q7m2#fehoVC4`{2Djs1b&E2BgIcc#jGquR!~A
z_ygW@f}FP<o(3<6(BL4vqy_|SoE%Tq(|63MGxP;6EzdY}y}p}FJS_RWqc=O$lr#L5
zF{kbX;gswIWtGNXUsm{A9eoN^Ohx|mH9ItVr&D7Tv&+5f`NepV>zNeJG;dZ1KJ@1T
z_m-+E`^PsIrF%-RwutfT-o<!?=CZ<0yfZ9Ott`h@<O+)Cz`*eUVm9P#P>0y!XaBya
zsK_>7@FKmAF7?heg=NJPr>$BQNuCxg>ikyIs23Mq&SRhEcw4fo@IR0=kW22lhqi}z
zlErWP1o9Pp`1Rn)m15cWgCe3*NE?!HeEX2Bz@x_rk6_<qkv=NciO=*cy@;AKbgOxK
zC*;OWeW)SOPx^>&-o5*tw2li>T!1~on{_3p<I_GrZoibW&GYfYUtYvC*Ab?~6-*R8
z;qr=PTWV0?h-HX@GU_g>X3#;FC%iDU*VY?!WBwI~!Q`WOmk6;&iFI(XI&3<5D645^
zbVdHhdbsyML6*S6m1!j7orRM>h9sCoEQ&>zvhAw4x{l1**?YbfiCd@GytrtqH#h>I
zWykw#vyv=um4G*&T|6wzVeANP1?!%9C4#SeEB=e__IV*wdaV{-u_dt=fh5=2p>~e&
zvIm@2kC+6`h{dXzEP)>@&7@prT0JM|dqpMF0T~u6s3;AiFf&h}=$RY}K58!(svfBx
zCXF_^ll1f2edMZD!osx$>;raZRouI?$9!pT0qKZIN-vF_->E2f9%Oxs>wKx+0%4C>
zhHNC1R}Y`;%fnBC^LfNwO?xL;goBHh+%flQT9yxSYEEkpBKrjjr0WAeV+^PkLxYWd
z{LwqOXm485rxqi_Y>#@o8Q+%<<E>q~*6haYH~LBnA7nLMaI&D!SRNSfz2bG&pUS^~
zg;$8ZB&G00zlS_>Q<&C|9O-tpJNzlEwr`r&ptfYglJrB3?Yg)2T^^g8l;L%;(n@V%
zEw&l-vefrOZ7xduCC6&|di5s-rNoxP#I957jBkECJ|zcUAAS+czF~7I!-WP0hVBQH
znd9}LsDf-`z-;f?mHqv=kkYkx@{!8V3=Ln51i_$Bb3f}F*DsX{cKuL0@ILTkz{49c
zS4!uf!9&f~RiL!tMlHorIal(ua86A{7yf3@L2_I_sQS^nl*Y?Ab0al;#ZOdju8(g2
zTo0Em=011KL9d><zS}!XXH=1O|KIiu{z^*IQiru{43hh$ewcyV0Lgp;Uh8cy-1=UU
zlyUn|6tlxIQc%gQTP|&B`#x5AW%PHQWuO0gNm?!^^kz2;u1K7!><dW9@(EWol$S`~
zV<$fbu@-KFg9d9Lx-0>nXNO`58|vKur>!dwhwA_LW2gqDAz6w<Ls_G2NsF;$t5irT
zGE#OUYo)Sf$u3IrC88`*WKE=!LXl9)Hsni`ElFkRzE0ie-sk?F`=`e-bI$pEKJV?d
z7<l?lM*%@gQo11m&>SMuT;K8wHRC|w93+<O75_c6CUJIk!|??-BrH@YT^=%>$ch_&
zNl_%6<LNAn9TUT@D?!BTn|knvoNdHx`A4%m29XTgSJn$(1t*2eBjx~kb8d_LlBX-0
zo7Qk;ZP*X3mE>`0S#4~Vc+DQs2!V^+7K_AkJw%DL`NT_V7AA0K$E!let7m!a?CkoB
z2!LhQ*J{nn2fst}pUAuoMjgQV?b5~9>Y;h=mvRq~nEELKK!HG6IKe(&U`e%QTL9_`
z+r8ggZxrQ7%QI)LO_&!-A(Q5up^FBtZHvJceDCb5=~J*_6vt3!QdMbj>&t64Wua&F
zSe4$RPXN26wehM?^g4EJiMd@rfC}ZFrHIm&B{P&c0=J43-u!nE%WG2nBxS55t6NcR
z=~Gi%Z3Dw&!ZPy2DIE@7n{ZbkXWjCxTGYwV400L2z@^T!dY$u$iHcd7VB4Iqh%3LV
z%Jhlz5V^{9VLk2_=6&G9tTb=mczC+t_2MxFS08eCX=(9l#7$bGu}Z1`ww6SJauhcf
zn<V@*+ymD>(NzlIK9E)VGWlPRa*GRglF33rS@#qN=9i3Itaf^*FgND&=qZ$`L$Nde
zZ1BAtu9j{s^EqHRP+o@jjG-YHfk8R+3s7huF3C+5^Y}h7EnF~(0MqcF2~Ej8F8v%@
z!GR32;DFrAb7OA5`)Deh-Xgv?-0SOc3qmUook-(DBHblVM}eN(+YJ7nVrPy4i=4XS
zhW>y5?YM%x?h0Fwi+&uvYxnlfy%VNJZ?APcdF<$}AEH(fu{DW@(NddcA5^bC_}Q<0
z1GFR))w}OI*b8e>AE%esuuIBv9;^kuZX(4(N7|j6(*C{2P?0Qn=GNIx^L)>1dXjv-
z8Z$};h-?0cc0zg2#N&JnE*TUS_K}f@(<Frgtn<FiR8%DoZ;CQ32s&ZE4)Z)E!E(jk
z3dOP6$*zk2O>W3Bw~nWNI~JN4SHu2sO?$2#BhJWf+jb*GvYNmlKi9k71!mukK0K91
zM1CTMKb}1<-<PoSpB@f<)`I)hXEL`^{o3f?hVwZjC+HE)E+5%ua=$qx&KsujK+P;A
zLw38iZS^)gJFP_hMGMMXw`PB&@NVxDov|8n<kKzkVocS}hc>*eh)LXzooQ-p%26;#
zH{K<rCeN>8*8XdSi|&;z$0p4#Q#X<iPTd!$(2wdkmydzwYnVw_1-;8tlc6yt`XsPE
zOVnt9&*dRSB-Z?9Ue%PS7PWzQimGDn!U}e4Q(#sYK4kS^?u&;I<mJ}vC>^&b3*f$(
z6rH?i%uVP}rli#$jwHkbslmRb_j5U|FPH1wtYxQ{s`S0DmC+W#F5cyNCcQa1>w)S7
z^Y*db0$m3#$!t3vv6bE?JepA|CR1&%Y}q?aPt&dfw{K!u6#L%&U7@l$4sT+QkJX+i
ztGMUzy>dXxaaGSQYVfbM0qd2<uHC~?P5(Ab(svD59U&KgZL;m_%}Z-3Pzmm3V8=VO
z#>%{^J0!o)=%~!G+`^m(8XsIe`VdLtPp02Gu?#0UoKbH)5CYw8>Vbr@`t!N=&!rDU
zEt8bKmF;aMYoMe%ze}t5M_-bcrK-AZy6$kR1Vw@e52`3&Nh3>N%egagM_`xf)_Xbm
z>t~2|sQZC}!CAHX>qwO0KaYGWlmRo`9tB>q)MYeAx^g@6o~0-2NEg;Py0eh`7)nR)
z^`Un{sr;|n?Fy0IOE|P>s>(bmRClo_16HL?=OV?T4+V{x+LcwH)ynHAsC4i)dgAlq
ztMgNyQs<QRK$N7xk9Kfq>7<1%Q|o$tV}u?Y(%v8Yl4I}?5yh|((HR*?yu!!0=iFIR
zC(&4}dQ@fl)K&JGo{x_c(2acbG!T4Mq({}!F$pvDeP(JqCHs|W=;BcJ=ITl>&8b|s
zly-^w=u)&h$Xe)sLMv>NBwPa5X6V(DFC_nyKSI~hyXwGSM~^uE()ZrJ!IFjr2ho87
zGs&g_+SP_L+3c&dsF$={SURsQ<az$~Pcy}uUASJz;f%Lsr(104@;sY|r)kKD4()@E
zMqJudo&FUo19qft-Zfe3+WghGNrbQ55G_@F#k-5DlfHNMjBScyd_FQ<@<pw7s02B_
z_q94x;)L&Nw>2BhMv!%S^RI7j8}l@{`sOwsEFQxp#-*~!!Lvnaxuv^GQJIzGE;wxa
zY_#84xmy~yM_dqHVdHC=_(0KWF4T4;HUs^w&*ujZdBQv0KACiXamB)j?Ykbn+vT;f
z^T>0LHQqD1Ubb<Ic8J`sGfmj*R{c1uDAmEGOZhM!*OA6}${9D7UC$pi70z{2>awHL
zVu~~pCDBX9Z`$_8D~)puDFHq5?zWh7`MF}&@*@+g94aHO=QeT%nylvK?lM2HPOq<&
zTaZ;GEtp>Jtl9xK(M`9*yQ3IGSmN$Mx{HHP&E%lu=3YCQSu{B4!i}#BH@SKkoCsg>
zw!-x7I@izgabab-r%Fm+p={F0ihjS}BKwE0Tk{*U{d`eI>-cXpDqm`qJSx6-&59@#
zx&eB&6I0c=bc1f&s&E$-m3#aGPf`-I?1yEf(_d^2__Qgi-_mZ!_thH5dC#CRCX!Zr
zhyDi?k}KO9Bf?~ZkMuo>WX>)VjTi0<?io$>i095IkRJ^}bCa__g^wdH2_sg*V1<XE
zuEKjp1n(VQPGRccJlFE0^Rhnwa}kIF80`dqc`gBWFjEYxjlrhrc;F=~WXouAEU|ZX
z<{%LgGms@meF-xZs}ud7KYb$oVJr3*0sg>%4=xYcqG|Aua(yCDJ|Q6|Czl}id+@p&
zCPeJ6uoXD%>FF7K);A5xcyX}3M`k4@Zr-^Ahm(((OAs1aASLE^t(JkE1Res0m_Z-Q
zvqd*r1X!0d*&>y`d?=B1d@e-^3|qv@ouU+i<}AE%xu^zzLQU(NH%w^pn9Ijk@Rk3<
z>=j)mF)x%W>m0R!A{NtmNwQDHk&aTA)fmjcTjbaDXH3H{!I}Vcfqm7O=LG=Q0Kh|H
zeR+Q$Q@K$57_w|Nnd{-LTZ{4Ky^pMmnlN*VyLOEefDt4>U`K(nMzrlf<NMD*4y=a(
zzUlZ%yySa2auX1l?!4XlxG%|2qfZ(<nJ}pJG4gkQU$h8R`|E0Mz)K(_h8+p<)nIm!
zNQ6qCaBLyLtKd0QqpvYo`_BOZ$sbQ<151vMs<Ud)BG3qc0PHpKg~^x;!Dp}O@KZDT
zFoaM0T+U5MGB860l>Zbn*c&bO1cjd%%|$AK<3Ub3QymzY_J8eM#t#y%0U#HYms@;2
zjjj>21xWc_yB}O6XbaHAk$}5tCS18fPWm<ZcMy2fJpwz5F2x|A5pV-<WMq*2O<90W
zF>n9_i(p0Q-PD4n5(7xUYQUhBU_bNfcW=*pRk7ECJL$qgfXD2Se`N$KCZ2GMQ`Px1
zskAVC-XQg$3{TIe(I4m~$J$NaX*dbynCF*V8Odf0jl9hW%V*s7+_Uvl#`UE3-a~C4
zR#na^M%B-r<!w69JU2O7)-H8^_H=;SmU;sQ&*>q}W{>S+QHx<wLJ55uOM}%62bpc@
z^5xp`v>$%k!Cg%<mYM^tXoG@+`Le1_bp+cK${=3WnwTX;a!-$MvH^Z^Vd3yV6;>UP
z6mW&3<M&l+rq67<1fD=Cro%gLwtNvL;N;x6tI5g9+t^c-pz~T@Cp0)XSnGZL6~M+I
zrutG6_BwDI&;?agRKg-6*hyWLKFi~2E%YsP{Wd?Q|J^%x!cNy#RBSQxN7H}-&0ftx
zKyE<&NNw7m*6&HFfu>SPMP*Ub7WE-Q$Eeop#~$%4Fg0}z{5pP3ch>R6)B3<Zkf=$#
zUkT2@UuFh&x^Gp_%(;l;X*io8GXte}>wMeMQSL%H8c*}|@(Q0NxUG?eE^G@RTJW+C
z9XbR~k6;YUcdWlJok&hz<*T^{A4Zdu46kWwZayeqd|=^=ccrfwPbfPk^|?dqf@5P`
ztjQvz_{*2!2yu&x`OluR(Fl{D@ja^u4N+K3%q}M<S&&&ESR)J?F4qTR{;I639JX2P
zqFf^YqE3Mw(kJIZ)NCrOu3o5ii~DlfWCMpmJQFmQ_R$6<lw*0n2*x)w$+BYy4;~E7
z%%t(M8e&R%&(H4W@P+LTSg6lzt7pe5eJpEL!2_uiDzJXUL&DMu?3jCKwXw@p4VX+V
zf1F$+aI;M`gZ=sQYl%DWC3p2P@n-&fBIbjb0{1sE-Q9Vy_M|qp>IV<F>Img;3jiBT
ztTHn*aq+Wfx|pET<7v*Wdda&tXpcg$wso=kkjP)3037hsy=D5}@wB3UR73vHKSHDg
z^8spl<+R70f&vH^pJUR)OW`1t?4Tu0R#*d$!p4JQP$ClkA>synAYKye7on&+pX$gj
z1S#j__o}KYhRv<!p`dohMMFoHCd!Tnc_>8hqEo^{&T%tIK%*G0ykRM?013|lRkX0O
zB7kjzKTP7}<g~Z9r^c8Kt^?=x)~#DLLMu*o6LFAcfM4tc&(O!GEa^g*bWLJ~iJkp#
z%)Z8FRqMBNE)IgM?~bE#oxL){#)fU@fClql4@lXtv<F|AZQQt#-S=#y5`pjP2!+zc
z3Hv4&h`Po_SaAFRV61O!%t1Y*U*W}n@-tlpL-9Hx5FmNJT+pS6k29><yFO1NhJ=x<
z4<9B3^k&wz4T0$dM!b0wiC~7&3@8`rIK!-zj|kO_UYI{HD5**zh^S<f3zO`f8`o`K
z6%}ju^IWgg`;*Xw5~M<?|5Il=ySjpbVRUt+B&C^`ce|E%kBN$@ZQjg&wQ>6KT@O3E
zMevb2|H#^_a+9U9ipuokW-W@iSbvRd;l-ymFJHa{=lN8p;3S5=zi->TC@E3t81=SH
z(#yyI8Yp$yK;_*Yig*h>%arr<E<lC$j*k0}F2g6Z(An^dU=cb$E0{`uA<n;<ZEWi2
zz4CIQ(W_cLt$<0`>N=vi7hjH#-=34l28sOg%%&aU!OmVc*m`<;s%=Aa0OG^AgG3q}
z8bSh+HqZU+sbLBQ{j5x0)9<6PSs59O=X(4!4GaovPnJ)ICheCWJ-{`Ae8Op&uliwQ
z5cTVYv7PLoKa4(F3{2{|jq3Hn;$n`n&M2HdkcV4a*;y|Bzh@)$D)#s~JyYP@X6V0q
z>Eia7T%_5@#}u>45A*VjJZBpk8u$WwU%&RpeqARk%bntZu<3rSzxDQB!T_de3(o!I
zk4f7}5gc}XeSLqNFtFQU2Q>2YcenBL@fq#A?`}eNF*!LIYbT5i3|%s52sR$V6F>b(
z67MpvzdFHevQb{8t5$^U42l@?ETS`wMq?rBC8ef@nCC$g00?o(?B4akes40?uu?p5
zQTunm88*JYLOW?S%NDcals@y$8aeFer@6>C(uDjlH`mZ}oGc;f4Xj<qe+ik5*+jS+
zw6yF4Yi%E+Br_AB7(R#4a(Fr8$oMV%93qHEaEPD^3WhS(<(ejBG0p1gTG~{hKIrXq
z>*Mqp-Siu<*q}*Cp#XwsS495~P+ze-f$u1;ih@6!Hl(r0p@$D^|4F9m-d}_O%CBwQ
z6fLraeD_@hQ9F4=-`<;cer|an^=rNQ1nFdCdPW9)`gZHE=}A_k5;$`GsF1(~uW%HL
zr-hSD6nb+2$GvwBk!$2<DbYEZS!b`p8v-SWPRk0(8tZDmaF{ia;uzAfjAHaW%*@nT
zxq!*PHb^x7FA9sRtE0jHjo7#9QEv<kS!nCmM?5z*GYcp6=3k5E`$Ih=6&Dw0N8e3I
z;6H-u3*ir`{KSdHB%OeC0<-4$0r;Dp02+CljkG@@cJ|%mD6c=hf8HRTM(!G)xe0-<
zS>Y?h2rsXdSdq%g%4hHSsM3`mT3WQ&)@Ub?d@8%u&wSee&MG_%xPl&&(wf(k{cLTu
zi-YXs-mEz9<PRV??3}r&DXXK<mLzd=lVOaTUD${584y+uniaY^Idpd?4{u;AP}Uv(
z^vOh}(O~c1U5Ne~8XDeTj0yDw5MpN2Gux2RP~Bm3E++lOb85Tzw^y%rn;GoJs|V7u
zGoD7!+G;vU2wb7>o$J1RE2eO9O>`8h)F52NB_)O76(A&=`Tw4Hx*RV793dF3m3xmS
z%hZ&mD#@}HB#c&_n^m1VzXJ?CDe@e+@+Q0Q61zymqf(`HANh!b(SyVOvQfLQT)9%a
zoq+9&iX=h?Rw5k4#>nTg6)Y`VINPBK97bANn$)uxkx6jsW`pYAyGRTXYdBe{Qgio6
zMPPZkI!BO}+{TUT#KqZ=o@&O}wu3w!@~@hzYHe}EyU)6?v-xB^bgCjYHg;`v1zyiX
zCx6+g&j6<N)>3PLF#Mq`{zzq8U_E9xTe6u>*+SX3Yyu1^e-FZw(EVBmAYP(IYiJ-n
zT*hRL#@ZVhag(?vEHaKPDe#Lfk|VyGWXcA@Hb8$QCYk{s_fzE8YFq!?Sy|#DJnOb>
zIW)IH-D@O4-8Jy>4f~%t#rMrZN`0JeO)0Py$fY{DxgA`VX8q8Ym-Kxp6A7Sci>F4n
z)_f(WIPKTFfE}m5>b!K2u^vG|(b3UCy1_F6a{_S2=E~(7Jw<<r^Yes)A5$xw+c_$5
z)n(M~{P{IVl{=4*)_(Y~3M@qY4+{TdieXr0LTH1)JbeV~aQYxF@~)hJ<ZaR^BeZn?
zD^L21fJ@<q&d9^4UXUb^R$9()8KCZatHUoSNCc@A4<))bMf`U&L!yTBC-u?7FWEch
zvhXx%0d_ok6~7W&v`Ae%n0kt`&wmA-A|6Uzq#iDvmzVdum7zqZ{50L?e>n*<F&Knw
zP<R(_CkzfxZ`u6SD_118Zav%keHXHW9^0ObJrxR-Fiyf9g7ONw3Wu$8Z&MxIz$S;%
zE{ru+Q^aWkCjOVR4?Jj`o|%d0^xH0GXlTgt)L_&3;3FfiFE0?0y$G6)NFpqQ&XsoV
zyD-!rK(e2mhpcU4w5&G+3Kj5PNdCPSev1~#q3i{e9+v#6vV=!6IMzZ3ccCD(^wNm4
z^||SlV2GHW>@hMjf}Uxh{xZRLK6R?-lcl+pm4eJY+`>8qg*~Q5Q@)xw5g_17N=m|6
zU}AQjl|p<ybnF76jo%$b4JqP<VdRwB;H)f3=!PV=Z?}3GB*@RdmY?hKiTeOy!VDb^
zmz@J`2y8TFlP=p0K-J-VgxH^bNCf8$73`Wm<nW!x?W?l0?VI1G2UGbXHq;oj{hUAF
za&UFnQoFz1;T#B`s8xFl^KW;%65_W{!aNT}qpdA0{GTzjY;43yVI((u`;J1rpH}(W
z*l7Y-nrtWJ=;^mae!&sPq9Zv)TuF5;TMZu}3J1B9EE4uD;?W-rl(FV8=LE>{igh}o
z-e{W<Y{%YfBv9!LUaYxB)=CE$xsd}%^z>Mvk@GM}pu7Y37p+ChIXR)FV?rzx`^O@4
znu-%i%Q?tsK+qmdoT*ZG@8>`%JmdVo?+R3k_SYrgK18&TSl@<Q8LNjxAOI(m{N|_M
zy=Z9IKWa3*3yurouCmh7yzc^V_;W2I_ZS<KI;y-jhzHk7a54Edqs#?Y5XFQ~S9MVl
zxw4z*QSYOT&C@fz7u+i6&sm1@(e;&0{%6<z$0q*&ew<(86hwQoE|%nv|6oHh(A}d`
IKtC4vUp%gkn*aa+

literal 0
HcmV?d00001

diff --git a/media/nv2-keymgmt-architecture-sign-v1.png b/media/nv2-keymgmt-architecture-sign-v1.png
new file mode 100644
index 0000000000000000000000000000000000000000..041cc09dfef384c28a0dfb45635ae08d6b475f6a
GIT binary patch
literal 22871
zcmcG$c{J4F|2I4hm5J;kB*|8Uv5X}pjD6piWE=Z33x=^9iR?**gwVbT6<J55O-V>X
z29=P#ED_Ips_*^#-uL~-bIx<lbB@WF`7GDxy58IC^?qHYTACZ|+#$FFfk5muGQ?UV
z5L@QpCC#!8KDpjfeg%O*?F`d%3=5|C_y>6-B$RajzLQW?@FRqVNho0@6cxQfJR<xF
zayUW=QO+aSBZ`2B_rdT592HFP^7rxg_WFCIqJpBrAqDkAiYm5fWeFv1MK$<GNl{J(
zt?2yscn@E1{J+bZ5u*Hqf;=P?^;P5);8N0N9yot|7$MY8LP-byHo}K_2f=Un82+`e
zfqxv~g;tP5tNcA8BpfcUsxGH+06sVH#sw1KVvHl;2Mr(T`-gb@5Ge2=<DkC-2=@*N
z^(Wx}ju)*cr!1%T_Y3bZ58uC^8hE%x>IUcs8LJQ@ux@0<a0g1*-($ieiQfO_#5>#{
z=gs(3Ne^bt%iqH{!~^C;!T;Y>nE0!yhv_<b2N9LMf(~Jgb@Yt&{vNJsPxQp8gevP>
zDx-aZ9jvqs%wUA*Knw=&fVYkEpx~X=$#|@`o<7<DtEX!jtQfAO92AJvF~X6f42XKc
zYEh1U{uZVok$7))oR?XYQE;S$qK=Y}x-KEgK*h*6+{oI?*fK2AG}Ob&%GVcb8SEHn
z5gDjs=|?tF2qfB)tV2!F0lq#edUm8><q*7yE(xuoXB`+|j#DStQB14|cA+ZDp#-9J
zC|oy8!P~}M#V5>(V&kms>wt5%@l?R8M?{1e8(8?_ap67@wh_U>!S=o$WKaDd15${Y
zoxOgrU7#M?P(@$SG8`Ki<cGC)WDHROr($KK?q?SorAoHYLF1hR^mQCVgR~7I3_Nu$
z)QI+K<{^RMVL@h=Hfq5n8)Ga%RT-nEXyb{+>MEI-=y-$~U{rieL&KfS$X-gm`sxk=
z#>R%`x;Pbrk3GRuS;Y$`GR#}i#MD>K6pz>T_E5p-lWcwU)KmjK{d9sn48tS*?Q~7`
z6md>Qf#G@>BNe4UE3;s|AiS}uhrh29j4{Gq#Rjhsiow_fVRda(^a4CdK0eB7R-wiO
zYqW)Glt0eUQ`esq9OVQDJLxKE2Wy*KIt3ZqPz-dOh_(S?7Fb6!I~-QcPC3fg+A%oF
zGQ!t@;!8Al@K@0zSeYn?_&bv*wyF*WDz;9}L<<9=j}^hgH&EZfLr;~AQPZ}z^|gh^
z2=&l5w$xTI!|D+TSYvI=09A$^>xILZoWkv_B9s|_I^wJheUwzA)D3+d)X=IFa<Co7
zA`BN0Zc8A0L^(w21bAqNhnWTG+C>DAEFAQG^}L9I1Wy%3Q!8DEFh@J*Fm3-ZJ9LPH
zSBSm28e_G+@!&W*{@yCKKDtB|KO?*!#+Kq65UHvf6>4bd9I9iA)d?oq8{tXn)&z90
zuahIu%tOUro8)Za=WS$f?TE7{ki#$`22RA_kWde$05p+8HdG1svv5);>wBu|TIku5
z{k=RRO?CWjoc+Q2l&k`S?3^9YdKMM|>c%ijL_8krWvv+KM^vzMHnWd(wA8V;H;7~`
zPM|$wh2f2@pEl0N$iv6l+rq&?k)&p8=S2x7D(aXi80cXG@FeF*4|6jmZyksq`W9FW
z*%OP=CMqZrw9&!1K(u3IfW9_-V@L`ms40i(S~~lg;qA1ejN!^ED!x{F;i1}&YDPZV
z=00lPo^WG*!(hCje}Ez`D#F~?MBT<qU6(?Ph*I)|6DUqL3M7Acqu}8m0l#p%woyKg
z{vHP5juC#2+WI(k9ekJx5u-~8hrvT&(>L(9^bQU2^n<@VRg6@vm5r3tv^}G&&<d7l
z69;|Ua8G{)4}F5Ep+yMBgsf{9WadF4DN_P`tl?z+0Egi4pr}YE8$&h5czxhSR5taF
z)baOJK<gX&Vtq~EFbD4dQwROfKtnr648d2CVy9*m8HkNk@^A`wHaF8(R1Rm{UC|rk
zL-g<`hY?Iwok`AQT~#>M#uMZ3Ob!q8vemI5Dq3O~o@)m$b9jXqdj?sNRm?FYtT_h$
zCJ_VuY=~Zg#?IE@0@jvzv|~U>NU)-3RG5LWovo6By@QvYle$%aiG_2ZzrK^br9Ix*
z(BDa4-%o*PU}vpN3Aa!Qk03cak#QzrI14Ak$Ox|hymg4VvYMZc63)cL+!uz#m{&hD
zeeaMEYhME$GkbH3P#^CQ+hA=k?_ec7853m^jt^IGu)|Sw^b`ygu~?FUr*fo)ouL;o
z!qHNNq+{rbQ#Nx{hRc{4TjLx|)d^NuwJ-y?v^`cuH(Uk2aD*2TqZkxnuBKuVY3xNr
zlhyEkXq=h3wyCP0nXjH_xO1p8K2TkO;V1SOSPUIwgAhYck`gJBq^e>VVHyys7orjr
ziborgEWMqBY>k|(@jBS>ph!EcVE``3T8E<KtfmyHPavCk;;cQx&75(Okr;CyJ+DwJ
zxLT;cKAz&Fq!a3(tnR68>rc{l(2k12*r_So7%K#NIXXmGL=c@-@rsUSP7KSlQNf2h
z*bqa)Fj$h2xii^55+CH{M~Vnx*me}WZ0)V}OzcVi!G1VXYjd2kd2pz{KE})pV;N#$
z<3n<C2)FgKrJ$882s$QF7N)^U%Hhr!Lt_(j+ekeRT}b`<k-<jhW(Hw?mJ~?#`byyr
zL{;Y?9aX%#f)$>uVq)Ospc|$htQu^kYGaDFvLZP|5+hZem4b-6Dh_00Jxdz}crg7a
zV<JY)$`Y$&jnk(<aMN*AQwk+o=vw<k_!_CH7==<CExer>QP0F6#Fnh*ryt~R4~GSM
zDmg`3VDv-64LpfHcJ|ulp&@30mU@N`eh#{-;S2*b2~#)l_KWoL(1o)JR<?$w5fGU5
z!_^t%jWYLgV$1`^%f^E7%QAwIycs`?qyLk$|0Hnu`(Ndwq!;`^za4=PMHpeVZ7G+&
zH^!UVIBjgkpZ)FiY^Yyo==Il)UTnA4ukG;)$%Km)M!KJapQLc=ygjpzr;M7>rN$GF
zmQ-3{-+%dD`6zSQ3U0kuPxa)~EQziCX^yt{o?Q=GIUeqCeySa3muATN@YMJ?$C5~N
z>7n2Q)6>&aIhU{l1JRwoTVe<M9*;M$Gih@&Yh&~4>O9V!YbfLPym?z_Tl$ibI7_1F
zX!htRUg5o|M4PqCpczsMJ`&?VU1BzeGulMOiQH;%F4sv@zLoV=N!b$t*G9`_T|OB9
zIk2qLmMVWDAS?Vl@9Um1y}zF!QJQLobY^YNBr#Fy_U))kqAZD)%;Ix&Q7R97nwG#U
zA}mf!6lKxjIzu~o^3RQ=krJ$fULo$Q3+6q&I}Pd&3jeunDa*Nob7#*wR7C}U8r)j=
zde3w~4h;pTdS6zi7Millx~|g#-&gCUJC}=OZWo{PX}@7vsv|MOims71qT7_?-6Sq{
zsi7|I;5%rGlx-U<W2Ua9*Hu?(@bP8l(rz-2rRj7W>e^LXaU*)<$#Np5KzQZb{@KLr
zFlCVkj602@>NfSV{7{3QBr%CEl@138A3vXX+2muM?xk$bc-}dtp-nLZWoB2au9U5;
zrg3mj>|sGE#-pxKXX11ApG9&=OtL@tl#|wO#F&-1%WH0*PoJZiNg6!2s%a+wN^8&5
z56oY7=Vm-|(%x?y{OV#7b9HqiP6k6wbGtJ6`6E(F-zyQ)88bDqg>kzF%uRk)GP1jT
z9p496Kdy|4lw!=X*vGfO<wLMaNVoem<*92ku-dZDJ-2391_ur!4^GM&OMHBG%J{p>
zN%6VoTxL`g@70AjmkZwoV^lGOnT5x1)c7g62B{l6_iY$|d**iYt%^XPL{y(BN;5=S
zo1S5&Kb9xgk95v^@p(>=9DPBJU+ui(q5r;SDKA{}nxE#|n2B3_D=xAYN&G6s@+vdA
z7gN8kict;Nuc9uYXK{~ze=(7wc7{ZXHQbnwxk)PNVMA#iwJf7u74x=dRi2cjrqpV3
zx%N<+dTK2Kl9@&JN;}arRHDr`bdVg23s{QP*sAr|(VM%uDKVGBs432d^svPY!2nIS
zfI%r0U1T<gA-zQ#DdmIB95=~ayW(R=pWpJwCfhRp>xO@AGe5^s-A%t-h0bPNS!K~C
zE<X1`JipmUw5mJx*F~iApoEOfN(a7lh6$y)ji@HPGF>w)_NejCIee_U@-3|w0@}6m
z9s934KAR42oi6_UI-Oahka<xRg|(+AY#un~d;DuBhi2jN8#m19*UgKNI5z!qtEEUh
zUhWZoXmYs*hr_9nMw!2dM<4sSga7yM-_p|3v?}jcme$tD>i#vof!^LzgM%&#?KFXt
z=GR+ihU&K<!t3{Bpu@t#k{aVG#p_S8O4$g$3F|)n<LHS7N=}Jty8yHHF=uDNnc?QW
z?|vaJU%R#~H8pkLX52yc6kU6Rc7Y#JN3ukY2rg*U1P>(l-gfA$!^3k+yoKjpKyH^@
z%m*Vsoc;J+8Q#KHYVOvpgK;MxI1hKq<`x#FKY60l+#LJ+mx=)H+e~rcGGCLSv9XS)
zr<i%k(agj|q(b}Lub)%?ukJckZ&O!S|294S^zB<t_;P2vz`Yao$@BB1p1!`$7p(@e
zs6oF6FCWcLUE`XFts{;g;fhmJx^8ZJ<5ottd-?bzqLa6Ch$KCDLu7S{VrdBZvg6mU
zUvmS5<`H_!N%xGAu5yEYcXOG|nSZIGIvQ!ejUL{^=W7LZNKO_{XZW;SHl|L6X$Y`w
zyK}rID}Ls{TnfitF$sySiK53U`o`WA9Y!RaJIAZgekMQv^u|WqV0{Efe}6xx9@p;O
zyKBi)yAbq^-)qm`ylMZ`7@Y&hT)HHDNi*^+;gz4V=a-k~tD??dxKMWaa>8bFW8<Ev
zMv*;x_Ee>8s~Om-&3WyiC?Y{RP5RKG^ReM`bZup2W%r;Uwihp6P*xWt5{x{=B_vwh
z73lCRdgkWr2>SD!{VTtwDk?+17@saX{o_a2kLBgHBiAa$i3rzCmg}FC%OvJ*$~sjg
zvA*deqY&e7ioh67N~e9e@4=*RVBn3c=?{9|(b1+l9K(e03kt%9geYRI+HTq1UTOXQ
zB3EkuXP?_xw}sZzj}HUA$vMn3kB49(SP~OnzBGoxi7F}O#z&05+2iHw%Y@jreS0No
zOdkf4l*H`vIAkmB3Qb8-@l0-RYlUj(_Nin0sLwFebu(nB%v@U9QCUa#(cQfb=t94k
z3G3=%^`}?a@DdUgPaav^;-%>5Af26^X#%Z7^$}Yd_*XuB5KtD}`L4U0w6+w?%f|<~
z<;TyTBVaPHprcRIi5f+3C&C=-!w+4&c=5jXt6k#a;_jZF$Qt}mVoy@+_YY_|38rpN
zLtIL#{K^%qz5Gp-UD}x%!f@8-&t46&YrA&t+!^!OAX|irPQGyAg8$khpVxx0%3!--
z$(pgh&c#a&#gu49CQ_+e6x#1c%(}v|a+gW#a55uuRc+e^j7>~PGlS|C99yf^Hx|AW
zTDlDGnLm5JcVsc!w9a2zk1io0@pkHGT*a$Lk1%kB_{}(%`tY3^MeNrtO1>iZ?%qvp
zaX%InrP1Er{&rx1wOs%c^daHbuP84sFHv>%-H7|4<K{4;3m1|LRS7RA#ZKrxeE9JG
zz_fsX01b?~MWD4cg~Q6mhAC6OHLp49=fMZghY*+V++p+g_xHo&zYYip361p)Y;MeM
zjt)K!ee0+Ep%Q2C_L=;}KDywe3weGnodMFYKp%r<)VXS(j$(~p;`*Z+zo;&Y=ljKM
z#PGa)wH9;l)$vb1o~G}md4+UD4cp2P5fFKffg`)f@$;`d4D5qNo10t9m103QZEmdj
zn|<r;?WHV!-I<({5*hmQ+c#<c+8<4;;3MuCr8PDDv9YnPTV;oY0|Nqp4nm>S;?`?}
z3O;^x7MYI5g@y5+KY!lwQPA!y5$A5+ym{aGt|HaJ!Qs{WO2Y8b0@~F=bwtom9pB@}
zkK?i@g5EgDo^xM5z#D^Fr%{;<4Grg_Pwd*Y>*X7#;NU~%m(-{iFADlSbiQ)!nodRE
zVoK}6LWrNTpsA@T0@2~41aV|yq6Hj$Uz%9^vuD?P_3Dx})1}iiZ!JsBb!u%28yOk-
z1qQaZwK3y|n|9U@Wd#pBdLe>u{xx}fcZDk9#&5wZ?=nuY9>1>FT+LU@OJ4i<)wGM^
zTKtqy#FSYVd%j<P?AERo2y0j?thcuW|4Pn&gOz3OZ6~*U`SPWkISxGjbQw##04$s4
zRymZF&h6eOe##4yF@(?K<G7(ZGG*a2N^>~0-bF5EV|Cm;!=vxs3F2dy?zpM&dbFC_
z^G!m{!2Iv!VO>t<nE9vtiq!aD6W3Q3UdgXk75^N16fCr`xVRcoA2HjW#wW8b(*3qG
zZ$WHsb<wO_?iYROKm$@9k_b5ex@#W9V8`aT-w%f0_w>+g9uPh?Y(d;{YZkH5>k!aA
zeq1PgW^lsh@;epV6DKm?yfF_84<7|rt(uP9vA*!-l?z?ottqL+ogOc<on08A5ZMS%
zI6u5TO^7d?k6P4MuFy`S?O#;g{f1@mc+d3h4&F?+I<MCC)ocD_cFg3GoexjuZD%^7
z_A}cyrX8%TR&H(_+MFwIFQlfTAo?UHZ!4f3K76=EK-bQW4+2?aZi75E@7y_285vd?
z`#W>}SjzNA6^KMfqL-fIJ;6K-O-+CFuL)E3>P2D-nP`)}w{r>#4)Cn_mc%A!Yi;Dq
zhl1-C(2gADdwrL7evy4}QIgAe&$teqJ%y=Ex~#11$t>B)**Wdb9odcg&Gm7uTFSgw
zKtO<Knpjj+)a5QeM$kbVv$EpKem)(3I5|0)2ys!Z=uHCi%qsgJkAF1x+Vbo;k^lzu
z{5gwj1BLo~ZCN)Uyd<ho&z1gz-37(Gpo&Tw-}ASov=_*<FKKP}No$9)GqOl0weITl
zTEImP2|<TOnv|sEnM;@0+67>0=4XZu!<6hd$fA7-DTSP!C<<>{e5xUiEiHvBV=y5F
z*_oO1%bnr%L$_(ij~|b`vN$)QTS3l!^je^Gb#Z(PqO(M6JC2QC&LyEg=<8FZj~C)(
z(!@eSLnE*Jq_;4E$DBKN?m2VZWY2-P#o37oZEI`mL6(?+YzKmBs^z4B9Mxoe8T>{;
zfbDI-!~6X~5aO;~lY~(nj+mhZJQO={00q^{`_ySLjWe!8hOz3CQ&S^EHA`pb9ag*}
zA&-3|h!guBH8qJaF)`ehj_iE-@=2dtd}hS#r}^z8Fmt)I)Pzk*YCmewt*6o7CU1EA
zsbl4&_?)Wd8v~(h8yYXS3T57Qr6VX(qBr@Yz`L%L`edLlsgV-pWmK5LBO><i-+$61
za`EeHm&*|JizSH&NEnQ8JSC+<FrJlxIq0kzabg$IRGY4W+kP=yg^bV1%y7M+AX5zc
z;Fpm3!bd$GMroHCP%e{3-_sqrYk!1I%}Q>O#tE;0+j!lTYr6Le5+t0nIPBx&V?K3?
z9RXo$J$8}bEv6-pUyn=c_Ya-~BdYnHef#!hGA&CG^Io0m>9KWv28Ja!$B66qOeO>u
zCFct6sS?i6aCyhzso!p$k)K?W@QOEbS=Sr;G{+C2rKve9gbD$LhjRHt5az+dhmm_!
zr+5DjCzCzAyqIZTQi_GIBYcXkToLalRy}6eMtM0CU_95uVq0=wPm{@Hh#bWFAqBxq
zLkkOz$U<W^H>$g`GgF-r;^mN3eBagHfS=L7&8{{#?*)QYV9%bNzI<KX-Ava*qj*MP
zpl{#3d$Q^J1clPXpuQ5gSzPHY*dZ!j>8+nIi{|9g)1dPCT0V-}<A_<2qif%lPL~PH
z%i=##mcH*6z)2rGsH3O16-tepHrI7r-R@kHe|hSjt0BGeh09kR06t54(p?m3s~UND
z-VJ9aL%PT1t5>&1FMS^|vOPzO-&ovx?!tx9+Z9bueopoIK9qY{B!8^vZ_TcK8M&-d
z=y(}G(zL}iNiLOiuVz+WaQWx4WB+?`uYH37v3{O<I@<Q`>etK6B5$Un(*bN@pZ{06
z&tgYs-IYZ6Do>bw=*vwJoqfgh<(<U90|zE?qL|lzfsKwwsMyto{@2K_Q;p%5&AzoP
zxh}W)gyI02R!m7ydG?jJFJ5hrwN?_JTXBDc<WLbTIS}f6nek?M7a7d^{^kEUKvWpX
zfq?_uBJU$PBn6lG|E~isAxjPjR@@e1S96P$X1p&sFqws-+E_(c9qc+PXX`mGC{8uV
zf)e;(aaZl@ukBx7x4d56bBlI$ba&=<1`reY4{Uq%vgFDAthd?C)}?_8?~Q-l)8?jp
z&X=JoVRmOa*#7Y7Dx-Z}U6QTlQ^VzUtqgDCclxiP<%kDM`FHhB%bfpK!hf(bWanAh
z{%0;bVlWcI$PzQFbF|dwBf;zeiK569K(m0>ky4r~izS=F(+4@Rrn<|`&jD&N&~DOB
zK+5dgfVKgN1~HH*^Fd<n3oa|_g}mh#k1UW<Vn~%zp0@7{{LA8_VHIzakbJwNgm6)k
zkZO__<mxNOy1ew;`}}_DZQ;o_ea`BW4EQWSW!kt-zZC3L*Ta_nRDEozx++nqdyn6X
zmlxG@g;6eF&d^Yv;eT!?Lqrj5h;Q_IrqhY~V@i5M8(I7)7jH`*4ebtg28_4d%AO=8
z$RR$tRP!5hI2Aio3}+{bt{;QPKnqb#lDIQdxXEi`=lnGDZw&DK4<LWCk0@H}7lUEg
z;&#Ez?Ly>e9i)SLPm=k+VY(pm=J<D}C`~S%>hk+p|JxF<lOg?Jibf^ZzbCGtZJF(w
zbHNTZ-FLj?Sl1)`h;fJ7m;0#y<|Ln$YT^RP^U0~Zp(5n9vW5l@R{lp%{2n9+7l{+k
z>zaLI<`Q7fMO7FZUppV2F+V!J_E?%d_rS-L{Rca)(t257=1<qQ2UnMdu7>o-nxn45
z@7mz%Xam8(e?$w`r5qa>ZLC@R2mHExVNA_RyN9CQiFZopDFNnE488_Fmck^?nMIID
zJzJ01OvuS)EqSB~{2_2|GkBSmWafLae=zpn8ED!^l}W#;<NV+TAJqLfR-_Lc$YxL-
zZBpVyZ?qlVHc^Jb_l$1iuB{TK=F(6cH&8{QF}g^HT?~3@WDD7IKg)23_}u$btX*va
z@?Wo-w7NR;%ZXDr^MJ$P<&UsIRRS%POY3EZXN*zGrCpEPdsl-Kd-)8_jv0(9iC{=i
z`pDpyxcFg3AEL*R+2PmEI7(L@lMO?pg_jmqR29tcSt--2+SD>PLPZzU?W{{a-G2<}
za16yC+Mi^OEP4F)wL^c~6BW}wPA)ca;?{FSbY9U1&ylbE(>khd-aM>*3MX{23Rqiu
zTePPWJuEk}^Y&S84LLLtb;(jld`=q8|4hQ#>>GT+fzk{YrQYU&$`UZAr@Oo8N4r!t
zID{+k*(v6kJ=~P<aA*FLCr>_q@nQ=uBk#cj<*<l|l!iBzm5fw}gbY6$0+@hP5B+&M
ziItmj?)1Yk9pp0m-wUTe^#t&z6%gb^_jLrKx}WW2OM-;Sg`|d0eHCse(U>t^8l5gW
z^Qlp2A^gc!l%{dVQ&OqqkLSRS>@lQIj*OSYZ^N<qRL8K-Lv0cC;r<p#tB^zhM{Eat
z26e5r_7-9G?NE}H_Dzx2S4e=vj@|AZg#-TIVDsghH&IZ#ArQjqA<S;^zg6t-xuC3g
zbBc?z0A?eOL6Qmy34wac+Qx>oxe<$?K>?LhRFv5my)1@Cqd$)wLuPY_l3Z@^9RCbZ
zlU<znlejWBvb*qpw#bnk+MJe7PN{&VpyFp>L43_g^tK}Nl&QW7+|S8gD5e2yz$`Ed
zA$ixN?ujIzO#t?G_4FhiI{rv>-@Yw8JUmsBKcMJ`((2ti>r00t*r7Ch@PHS-fJ(y9
z%uEk(2GnFN0w-VlwB9{lL)mjBCB;&dYJlQi`TmawDm$^0o5H4zbl|8DpH4KtzF42(
zT44Z%<K|{1?io~)wKS-<Q3wGM5twTj`o;H2u25yG5<a<8C;|+uSXOdy4p3`T5!^yd
zRh9qs>(}lXEuNK#{GcVMF~&Pf#*wq%zUB9lPWw|!G{`#yGbO)I6}=qZSW>;?@>ucC
z)TQ(>?kTfxDk>_jdvz3*l&mZ*5r}V-lR7{!%|0mWp12>qjBmOl%2H*1NHBBT)vH$p
z_U<jo)ySpcwsY4;-MDuT##Z6hd?9w@>uaHN=g*Ho9_D1;k|*!>b$F<j#FPOU!Xi?!
zeQv6v*_>yk<>YoiRRTDu507pwE-C5kdk8nU<5-FG?JPb&lzt^-WzJ);j?9`U+VM-R
z?E&rfty^O6c%X(Zdj9(L&M6JtU2idNB!Jq<45VAN&rUD}z{u&PrTaE)W1!YY<RZ0V
ze<=rHgrcION#EY?Q)p+LtbSAJpY4N1omVACTie-fy=$KiMcS1sS1wmoosExxgRfk@
zN}_5-FJ;7!o6(DkiU6A4y0xRcyxh;<fBwK6a9xXJBV^vivFPY%kD3AaVVDJ&CAS*g
zjn1+6DAw3`2eWp9Yen7=t+VLx_9FA`R=kxSt=lrPvXBTlx26nOFTf+`WgHeHow;j6
znB^MX7Cr+Z<>%*zP&hDWk|#Gm3rGUcGtA`pl{dhwQJL?_9o<;LK>-eByk}V0Ig`q=
zG9<#%%4$oaYc^QIlZh}fU<LqO#cjn`_tOM)qoWTC3JE>#c-G#29|#PQmhED5e+Uap
zd;4wIyI;%_pav8t(rRdM1Q^>HaIb+HLivpwK;U1lsNjHF4}4*B<9BWNv|yOV9tH(>
zy&D|S3fu>(dH~O!P(>p=4d|7hl0^KN-w5b}(cHRqYlV{=rOi3l?^`nR`9<!HJ9pZE
zkG$MHp@6|)q{xzgJd)f6i`LO$>a_TyJyQrE0K)WW1HhSuSs)jIri<Cp0CgV1T|uC>
z7PzC8S+IIG2m*zLhs$Zz)zw=NzHct&^b!F0A`)QSxwKf+I(R7znL^2rm;6IIMDqgX
z*AVV`|9-SBm4^bPqnt}EnD^}LGa!sS6a)}$Su|WD&v8-Y-aUK1cwX3$hM3~<(0Pk#
z@pxMs_R96^`&Cr<fZ8eVq64uKY7LbiBlJqy-{xbK(76@0LwF!k=}*)7^YimrC`AyH
z*N0D>I3cim_ZEf7&C32D?Op=Z;V_$3<YZR69qT~V0kSz0>!ToG>FSyVtRTSYxQ_%N
zdni}r$Z=xSW+^c6=w&$p+&aqHv%kuFWng#%h`~c^`+?+H*;t$12amTh%8KYNe0xHU
zAK0)}ren2#L!D0W4Qu+(pFhC|@ijs;ujN>6&bM#hCP19>^7fwh-h|qV4n!FPwhG{Y
z4N4xEZU?W#nKPF0sG1t^4q!OmC9H`F>HP9ff-sN{?)Jw(Xas`r^Q)*G!ic8z1ryoh
zkAlo6P5<PBq>rZ~sc`&-3%i_l3kpJiMJ?nr3-CY;T+D)mH$cY0o0-AKOt*W}0E!4?
z>c^~2*T6(1y!xU8l<nEGXDP-_ey9eZ#O@5RCB^@qa&y(n?olH`XlC%4KYs$0ofk)0
zlpK8u#Kp?t8(<L#goq{u0d9QuEH}gPiF5{k^KoFHGO$n1>DdM1-+c9Fe9=O_eJ~F|
zSSqwra#vD$q!5U)v9af!o#U?nqJdZO4h;=KT!NWP6rH=HJ{-GzqU{-VcBr0zZ_HfF
zCH<bJe69GSUtbrd#I7y9IGTNqc349L?0RLDi<!D?hL9}mzdE1)?(s{wWKmB;Ce!BR
z?FxFB#`u+{KTd3ZBQt;3is?U;Ha+P6(D^!9AMECsfx&i|B!oM}fRAe*h$GXr-{G#{
zU9Bm5<4$Y+p0H3OPuf~ev8Bvq>hEXPrtRHaF<2krh^LEXhe<vvE*1eJq)byrLmt2F
z>Y^?!EvcKl<(B?)SCKXFRCCr3KcZsWj>{a0F4c<P5Qboz`E5zU_7G8G|DIeof!x&N
zb<(;<mOS^&gBVjEc|<%X{&)PQd|YW^hcdu1=wB>30sY1>J6MZS2oRmcN5*W@-q_v$
zva_@Q`8}7%$h-DJmBCQhW^=zozi?-R@#h|~+L(!G&V3y!(>S~}0hXz`WPA0U=Fa%#
z`r#LoKUy|dwH(b=3;Y4$ZU^704(eCrwNTdwR0@19a1w}w_ICZ^Gl9Lg>|#z&G{vr2
zy0~NjM1~OB(4hG#uib650{AA~>)qPrUGC4a_P}(~t8;+v$!LC;+a9+$*UG`LGEtW2
zz$CoNliz}nvM6q2Pzn}Wzj;?zS0Q1?gexL|<cfV8OE#oiJyAjqSNn1tU7??JGN5lR
zYHjjdsEgF6Lt9}VWAV#+YzMFY@3ZnKsGq?Gv$3%OIz8p<#Uz<q55z8nedtv%2#4|C
zjy3o_0yqeUSSSsE*gJUe;JW0-uP=FSP{}}{l|DHc07MBq?WZJs%^w4XXN+E+83E_i
zoOmVQyq=hm!3OOJpefxUqq%47J9KC#I6>Q436qu9=MV&e_+>m)&pe~hAUu0&^EpwJ
z`8T_!u;DCCf|Pgu{1(ekL0-mGW|6}%-+Mcm&5N(r)d?aX4zUAOy!OUW*CIM9>OOu*
z0}|mp+0MaXzl6k7!l=Bz&e@W<Unsde)<cI5QGQOI|GuZzm*>~}yT@0*NgyaczHtfQ
zDD$IRfenNV5!qbCw4Hq}Mj}t{#OVI3iQ1J&em$%AXgYKfVyb=+uRRqO5^4nxYzPl4
zG+E!12g^lYZr(hyv5?n{ePB-WlK%nopOAiB%$9olx8~Wu#<9PVX?AwjAU<9TocwHV
z?&D)nrp?;TL2PBruEh#-gM}~|>W7ll=0Uvb!otGJjl4`DRr6P;pnC&>*6E#eN^8qv
zy6K)QASX?Z$~ecxHT5y$l(=}1dH7#YbkcdUlhSW?KhsM)mX%(C?r&l-;Hj%H(gOUZ
zQf%-i_-Ds9G&1E`D`aP7l|izMYAo*DP*GM+Vo+QYVV=OwR$cl6h6vr2IG*?;;A}^Z
z91#!}ZtJi1h0+HaXOlMc!{OiQvro2Me)y0t1D%nX8Tneu6Y>G1W++b~9R8TMY@ogN
zQL^~Np!GIlzn2F4{YMM%-}P^#Z^FN}lDx07;Hm(gP{akK9OQo>;(x8J#fJOT#%~_2
zs;;htK83iXByw)Z$x|*nUF%%FvEB4|&OcKiAe(`n5x@bj9<!qpieoilb|6-Cc=c*s
z<e>k>o+wHOZ~QhhlicFYV20;lSTN0C#f&yYON(|!cJ_X#K!BmkL#+d=8Y8qkGjvjv
zr8agAgSdSE{u$rYACg4>I-C{nDic;g+L=D^C>Z7l$hWGZ!u)(FnG6B~4h94UM!w@K
ze4SiYCRU8(L%=dySzC`*D<y_Kk#}u44V2xl?;XUc_lFePA@mZVq0?L>@pYkgMfWDs
zVKGviQC-Y^@P({dm7|21``)hv1>o0?-3S^mZ~La$WXWvDYw$&~Mz+@0+=R--^DDQZ
z`5>5?9Pg_j0IkQs0$P22{p#;vXd0EoETG(6dG(3~KOWb)KQn_@Xt#896nHmp`G9s+
z`&R~f9iq!@U;iL5u(G>Y6O6dPWf#Xg#~4kGpb+k#O-)CSnq8`R!%}Qkv7w=4sJfAr
z#g5oGY|`<CG;dHFRT_=M{LiRYO8-)9RSx8-_jh$YJoW*C0)iMlt=hyLpP89CGSZq7
zHw#{965c!kOVJ-xTxoN$H()D{&7xQn71rkk(+Y$=5PB=0b1fjS5I&y6kJ`L~^R^(I
z@9xqs=d!c2gDFSQVMfO@hlgc-Y^2<m`xrK1@*qEx)*B;Y^e5Uk<uKplg>oqYl5hWK
z=aw=*s!34^m=x3=M^``dAn32JHa0dkRO{H-@W97gOeMu%K!}Bg!hPH`cEnu&?v};&
z*$SoB9--#uH{79-E@gUZ8kINa|G9IFjg8Gopbz!y1usEd9$T3ot9pLK(Nl*`Tl1S<
zUtNT576QlS?d=Ucy#{_yC}<Owk8DDmS()31SoxmeUfsV!_)Yf7j~e^?0ASP~lkR<8
zH2hCdvYX08gYiJ+v2EKnh7maBjzbUG>(ykK#<!nQ8}V*MTnR6}+8u~m>@65snjWYU
z(xTT_x4DS$$4futDZJRZ{|{*33DB)XawO&CZ~?vQK_n7CMnDUw%EK^W6P9*rPBp#X
zwt;+sC5ggC5p7%eYlK9dV1O@;q}fkLVwU=SH7)L17o?AswMqW4Og;a<#%NhYJMQd!
z-?vlbC{u=Y>JL)Ep`2ZmJD2{(8mXS-NoEn5wvVLJ7p4vWDP|zLr#@Db3kcB3=KGVH
z|A#-YKV11#@n5k4=<*z}2uy#XmQ;^EcB}c*XcT`=fX?;N#{ZM7a1`BzkL!{PTeQPe
z5_fj1V40avE?Xpaojz6Q_JDOL=DeA#OKaFpt`>!HAmX06U`lzgcYsJa&M$}M!8PRP
z$?c5xKT&&z**s|{cWqk!EAt>`t|{PTZVnsVW@qM-7ANun(Z@2(pjQC%axthcAbxlP
z7y=%w%dw&lEbzG$i<lhHF!13$v412F%z+!#CiU(UUd!zVZO=Jh<h4vG*nzsl0(4Ls
z{NBMge2Urp2IH<TH?JpXSeBOc=pdzfwl#i}gsWYS_+QM9v<KTG?#W{}0Jx@IcKyaY
zA|&zL21OR_fk)M|JZP6Vm&yJ4W|9WyBz0!xU?PmGsepv3(o3IHlkhe-nJUu*syFEE
z9yh%|yjL=CbN?AV<9>hWvxI*`xhxr$IJff;vjYzf5BEe>94vxyGR(mL{PFine@+7R
z4r$BZGl1+$9I4X?<L8&DW9#eHTT|ddGcyJWd>bcr9S{gtPiiLcq;Z!IH>Lg2MYVB+
zJ^MSW%v@T3SV<PKZ7{!}7{amv*Z60`|9oY~%;3usPw)MfRU!6AXf?0vII{xGV9~3*
za&lMMjcfaYPCQ_Nzgj&MPvL4j*#mT>PEUN84%duX;e^gi*S#IuN#~td2g4_<dlt7_
z9J;oZ)xAFKfbg>v(bEFnL?R~yA@_{=vyd8QW@gUxsbet7JW}Q~e9hX4dygLNDw9rb
z*ptYT<b)awu5NkYzUAU>UAM@{+DT=ZUoT%hZX3cJe{fs3gEm$&JUZV=n8&@4ab3Eq
z*<SjkXnj-l;IEaC6OslGZkx6tfN?Q2H)kZJ?&}s?5I)trp^IvAK^7I+2&}|5Tu^&T
z0%WJb#%R^g)0|k*4r99YkD-VDHno#HyJRCH{d{C+B)6SDB^lQ3Ewu6YG3%PO2<}iI
z`^_L{_a|_>TB|Mt9jS(e#ZE1tiK_c$*BU^rA%qE{LGuoZjPUOtwq)uv0V)RKB&C(w
z)nx^dMOZ6N7+Tl>Ce*^e3m`;6HIjjb>{|u_9@3(2csK?qGJXAR_@TP32)}>;M%Y9k
z46=k<7?mlI1CV(EeU`)Vh_~I{Cn3p0YJvXHU~~Ll1QA#-P+H(-KQ%%-Go#02zh{OM
z%H?9Qh5zeb`*O70^{+MoQkdIMQ{(Y7Pu}a@-Dfi3)?asnuRVs<H1FoqQ~96gMp~6H
z9(#{O@dDbfs^SL32r>X@$0QEnf%yV00@PN|Adf>$39b5jZq4lN0&=bmEI<JOB7^pR
z8PIfq0kuJ)At@>8W%dp7ITMZz7$UWZ8DV%lfBysU#pS-KoQoIJppOq=JQ2MOQaj||
zc@0Aj4rcWE`z$X0IWxo)dmz|+2*$66hW2G3KW%g|33p7kogc-!9GFRdj2F0Og4x(q
zDy*}7)RR$l)rVK^$0p}}vX#un?})$$5k;pJ|NmytSjIi}*=_?5l)i}?3VV@k#%k&+
z5!g{p3wyCEWU;1q6nnBO?W9xD2j$^4%p<vgr`Zw}?lq5F8+@^{mM2btcFDCl?$Fx$
z>q1p&8JSk#8X=7W8`RNUPa4}MfODZ2FL-5)z~UE4&Yj%O0m~2dO>aQ#4oxksl8Qhu
z8ple{t#68t$V|CQod<cx7}VaJ%pP(aT%|}uI`+f-E;8XF;mP??kZc6xy`aiG9dh+<
z@~5J-E;Q^|!=Stufq+}MhPMEM1}=;~dNd2vOSbm*3$yHdG?IWpmYV}qI6vEfYN)Q}
z$w1rM*)f<<sP~U<ZHoFC&?IL>w+@XV5ahpyABG=*^lyiUp)G@iNSVZkYx2HWE0mGr
z|L)PiV6D}s@rMPmYopumJ73bSsDAaCeuTbvb3L3rz^sFBZ~QtM5D>5oXbp{*R~>=H
zLfp7<11i90;KU<g8abCPWq>53nW0Jo1`Zq!iXWG+Aa!#D#xI-B#I-`BA)tFGBXhEQ
zq77KN)jDX`i2|FCeNg!J`pf7wgHj_UVP%24-B`vPK*+duDDa^gsl1FM<wAs~+sm;8
zje%gd^#l&`{z{qLPoG>tFZS}{byfTzOA2nG*9?kmZXTZ12+(DLFy-jhPw(C#5zyCm
z83c9L`ZCll$<k@SNETVqLG*=4Q1X5Ae6j{u2Lx?;pvH*amcbZ|^5M!82WE;T2@(zQ
z#m*HE@9c)~vN#en@_l!_U!)Y6?`^TALP~aTfL?TTecxvpplm<}#z0cwI!M=XAmKM7
z931%d_4N@5pds&XEr|F051qvQ?}?f557oTIWR3^epKGf#We?i?rfp~~=knoYG%fFt
z%63ij-zA0hW$%9-<HW`=Qb$*S&a&xC>)QJ&2gxkVgs$2j#T)MSQi2)w`BTYElY0pF
zg!I9j!Qa-83JWYAN{h<h$D(uO3@z2E%l*O2B=37dpx9l1=N)pH=ppkc{s+PrLq2u4
z$v&M&_2pW_%b0E?Po^29^6!jOMs~--C_2|qs?l6jzdwBZ`|W~xT04$8@70&(=-a)<
zvv*Q&Kr4qUv@7Y8cL;qrzGlHl|B?LCkc)7Z-+O%M;`FI<Y_(0nV?4##Vr4r0eAi?7
z3z5L*Klm&KF}CW8Y?HK{oW858h>KiapUVW|?fdtbyIMw|pStJT$Ot^Ze=JN3vTa*m
z8OuiaXff@6?XJ&k;>f(=KJTe%Ze(Q|d7naZ*`euD^uaVQSmEpO#L3d&j_Qu6`tU-b
z0e-Dx{nknr<r)Llk9vgd{67ZcFZGLC1XV-)ArlL?a)@Zs3*G_WTvu0j1_<qE?rUQJ
z^%$6#f2G_Y``RHTJG!o}E)eqp4?&U$T?)nu0!O$4^bpXzbUOWxuW0%1j??a_blQ24
zqf&7-j~O|yWWvJt;7C5-off~MT%VPyt6xt`<jz0sX+rX*reui|{q^M$wIF;fVYyOT
zx}~6?V7(qt=p3o<S@zy%pu@P1S_gR-=qnRlE5@xasKsw++TU@c0tRu)3PV5};sZ#5
z>gwygmCigK!UqjE?SZ)O<mB|>ai~<&>Q|v=rJ}7GC!L`3zHsPxGKl%Ue|*Tw@LqV-
zucMYcJACbt5zev#_ioz+kv1aECQ$aBll)O2DV!7K=LV5`;%u<_;hRQQp?B`6I(Cp-
zyQ6OKwCqPUG&Be^NSNXy(GZC$ft^MiGc(%>eIvIG$T*NS5t6yL?l?a*mYjnY#-g}9
zfELY~#|$~5CD8VHuYkE{)#khpB14y^7^fwX!D`g{%kwh8+(8I?3WYofg7Elz!v$}U
z1ubj{@Z_A5l5C(eJzt!aIC`9$<)>00wfXm|@6!tu9?JcEx&8)BF27vRQwX1@J0IQ+
zr!rOc1-hjgBHe)V0)7=D5*yqQ*eNyPtjk;D7CsyGUm5^O6CD|$Q3Uq|D1?x#t~Uw|
zGns8+-LXUA=utVIxjORH94LMl$Ua_P&zWa}uT>xOQHTZ!C$tE<)mL}u8;=_!vn_6*
zj+jIIHmJX;F2c-?*j}x%iXP5eQ2W@Ms@|Yd%E88Vj91U4F3kTT4dhhc9q2L+_u7EL
zUR`KjUtr~5fvmzHvrT=RqSuyUKMn#P`29mAv|bqaRB=ms+3DL36${=GGlK_sYHR*X
z%J-g|HeeW|C2P@n7B@=nvkaciOPLw<e9CL$>I%N_Rx*shla(*GHE)9?cbcDS@!G|}
zibACDs3Aam>H+-Ijhi=fet!Mb9N+BrPjQtlznLAsev-8TM6Cwzzy_B;nz)pAU2bS_
zk#q-=7V_GH_xlPrc^E{hHL?KlrK3Oz<_^E?wVCQr;hIAm6A;wDCWf47!`OXl*ZktO
zBb}ehbmph2R&}a|=vL63gWxOwwGT8wMxh{sItB9LSa;O>zCN70dqTu6rUupqC`*8>
z0HO}?BfYhaQG#^&tyn7g*Yol50hEOPl>u0r0B&XCdWjcu<43mzv?%9+C{R{a)#Xfr
zl4R0wc_?Do!_SYUBz9>xN;7L8_4erk=A%D<2dX8<oyw(f*ZQVBnoi$~t=B-Gsvyz9
zK7su`FM$FQ9LUK6+Vw1^y>K6>^V}Tl?RS;LnnKIvQ7rU9`@>ZPca~^(*w89m8=ruI
zfG%4)4KfQ5(aVRsoh~co1MRjLG54p0F0HN(&C0@*dVv<;i5pMd(ANt)xoj>rP*=Fs
z5dE#ZTyfAUqWD%EyYDCqqQwG|I`oWzLf4Gn7#vrG1=j}Wh0X#35g8c?>5{cpu8F}#
z0hcopUJt3ZtG9P+`-hBzF&1(e3$^*+0d0Ueem-na(Z78dxp?P2e+6<mWgIIqpk?jT
zHXc}&L*(UF<1)H+`*ta4-9UW#SA_eZrlvEh5%@ufAPnmS#(^=bFvZEG?O0iEG8Ovf
zRR4{bALsMR3()Xyt8)BNk?U8I8qB$Ch3jAM;VHUyXP1-+6ba^O+)5=mwBA=MD<A@$
zHwfyl+6r+E8yL9aGg0j*`=L2r3j>L|yvwjFLYT*ndOTBKS!r9!3uc7h#_VAic+<VU
zdS5Ve-(6MLtuwb772CCyZ$g(@7}64fvV%kuR}qaP$pq!-uqRcYzqFjq<9`=5W=C(*
zsEk~q*q1#QAD!4!J8oHJwrJLMk6oJ+ZD_j{?^?%uq7XB`StI8neY_@e;@z3|Cdj-o
z^@mrj3p=TFEYufF_+1WVG{U*%`OpxB^e9fy6KGoTQ6flaXZ}MAzlKgeP4^DrNT%@B
zR!D|DL=EN>v>~^=yl|1}rPMtvHTq3?TzP~1$KHJ#>F1=q4?-vgO)ZOm(O;2&TZYnA
zF6@1*9o;;A>$TOz>pwMSKQ`=!ce-!9MPQvyp*zbiN`{3FDcs|YXmwHT*gRshOZ_Tp
zu-f9uwN=Td;_voJMrWrSr~iRQY(qmYA8$jEIe)r-voGg@%XHQGalw*Y1`Oy#c4tEJ
zQ-E51K5$w>lcyG|<o~>R<EMP{@OH6}LSJGPPE@r7kjh?tPJk%i&SLM6T)uQn-{_|p
zl4k|V)10$sk=mS4{F6Za*fa>+4obTx80tvihJe8SUx>)uWYd_ldfy~$8`wYJv=CBk
z6Z@$8^lR}sNRy){IgZjwKx63?Y~a5VpyOaXGYy7|`_vHmp@vY>H_OCz7b<U<!S5JV
z_<1BBr!ZDelt2wCoj;^E{IVRl?F{tyPmRazp?|ppf-(lPEmQv_Fj|96v4z?5GgDKo
zz^fyzcuC7MCpJXie)w=2O7oNGWJnd;&O0WH`si>WIaHgNn}9v-C{*QO^Z+(~T-O?b
z@Y!{fE<7TC{+6%B4>Q)X{p{skEYS6QrnSKpztXz*TB@dH*Tt#i)x&egMD)*z&E32i
zG%-}OaE7_KxL8gGP}k+l2<Tn{WNK}ltvC#)f?#*-dw;d2d>!<}OiWl^8>95hzO`K{
zjiN$3&|DIKAf>X#>6GW5cx27MAV3ZAK;!J>w#{FC%?qLQ0}CKlycs3nl=q_ao92%;
zaV3?~y`Z3A)JU_So_+c16}Ws(Uf#3N`-H(-uJHOIX7i5SR{XWCUOM9oU#cP-j`JVV
zansX#KJ|l_5*NqlbV(H^&?B1H_G|*-h1xs;te0v0On=f$aDiMdlgZb+V<nrLi|^;z
z-E;0#kI(yNc);2~jc!IOYlQtwu?Mm%W9OOvpgImQ*d^6FdhSc9+pCKtD1KE+WX=>Y
zySll_7rqGvvK3|oiWpE|8bIw0TL?%?-<<&SLIrh}ma4AHRq)}8C%E8UR{jNs28TMZ
zYhAO~X8#<ccL0WB8OtofVpB-!tMd775}6UdIV6}f9sNIDo2n{Bh6ooMeYI9-Kr0H-
zEg=LIiNaSWpYQqn!BnQ)Bb}g@dYQF$ZR^YYlp;!}DKdU}W)Jk*K%7kvd29)CdTma|
z8!Ia+pd~hTcF&j?Vc3$v2uD!<3E(_loHFMu#+re9dWS5W-TbOu@~bFv!dh8r*E>g|
z+br#fo*YZ!<R|KO<GdGWGs!?FC4h>j(8I`X?}1C$ly`@T7NltI(|&zbU;W7gfP$N6
zpPUyZx-Y0C`?@iwwVyW-9iz#}$V4is<JhFkFCh>=mX@G5J;zvI0GK=7s|t$Bh+=~<
zh6@dvM<Y{J2Qfm~?I)+tAGMMH@!wq*W~acPbQ8%>NpS#)vg6|pPX)gz(b@}*PHLw=
zpD*`a<&-7cH$jsNYlpA0xIA%D)tugP@Jy0&QV7U;LHu5L;gUD(NCCye4~;_;bh`VM
zTLx_?E1p{a7NpZmX#5mMxGClG7|mBOPnZLcJplO&WMZz$;v3ZwV^V~p&thHN@4Dex
zUA`65W}AzkZR4;MCnbs|?h8N?eAqaS{(3&E`0nt6yV5Ny$wzdcVa9C+bAmqpl=^tg
z=OADm_Nc}#pIdGIe!I0fsoZwdPGu*f8)A~w?ODE_Iew|fM~z9U3?SZg?pb%5?~<aM
zcQ-P(bNHYgJwdZ~+WCFPHk_9RFE=ySz!}<D{>`qEb0f0Oj)%;P$6^8s4yqIMCOf{~
zO&a5)xr8X(R+>x=2gdA>*g@j$uG7yB9H3k}tJu#J+k)JPCwyrceH!CZ`@;$Fr>}lg
z$(<{0Vqfb#)*TmK2F_n<eC2liuv@dkf@~1&^I=kFR<JQ14SN@NgAnZ9LiGXaF=WZ^
z&NeaQg6v-~WXJ`phXXrD)g^9K07B~>C*ZVC7l$ShoZZvH$*>Vp&4a5}LTfLG_<Uro
zKOZUNejYBnx++f8qUaC9mIJ<S7oqH;51IuRXD*y=fc<{iP|w_Ch{if2h5@GO)oTdH
zmjx?0uQE$ErB%eH@==*y9#Li1md<uU#nj$oAA0(93;%)ok3m<3{j5HU%NVy*t2-Ob
zCiiL<7+t1d%GUy{U_U0p=fIqMYR_Tf6D?zCX}|tldcl#ac6@3lL-M$hPi7W*et5#L
znJI6F9{rQmE!yv$`wN4uekmxT7za>wW@%%boy&KO(@cdj>?=|opICWHsHgeLBylG%
zaWR*=Jn3dVB5z?eOS_tCZAkxwK2i0e-CX7rkQ(5zPefvc7G=|-Eay{v+tnw*>5{bk
zgek&`<l3{=pLfj`eefEijd!boW^f%ia~lA*PEr+ex%)rbr3F$W3WTdZYZzC^Yjbv`
zFpE3`xJ;E@ba)`~$^C&RFcuzevrA7oc!z|8>%4Mb)DufXTmv~_NM)FU7cQ`aFyp4#
zMB%P{V!2pdx6_3~Dr=W=WY1NRt!{fphaNv<F6{j2Kp?7LS?d>vHAon@iO;EBfA#r{
zQOu!027PH|Rv|cJ9%TF^fHVqF*PKW7MWN_v_f$W*ABKD{Pl*VhkW2}Zl)V{IH?i=&
zu&A{%%aOr=dVkT^+Z!hvc}n-y;oook@g3FDl2S*sIV-nhGD#s!G1sG;c$S0gRRO!E
zvDKThL&)Xlf1kPV4fCo~1-R1ZyGPl5$OrG8PY^x*!TrBbo3pHkhUt83=0cOd*<`WR
zs+MZRh`!$N14EmO5z%X-6C7KNC%zozH=RCm)TUo~I0-l|Aa@M7RJA#)6VImebl)Es
zRI9%E>iTot128MLQnK~0kKA<{9ANWzNUQg#^Rk)N1?1G_VUMg4%mlY7`{1b}*cz5U
z%2WUP_4Ro+<M)eZu%>T;SP(%%2Io{#f8h&d#hHf~%k9drmw0C*lN7Q&>_vNbk$I-_
zRj&g;20C3i^7Hq7?)JjYU7<sB4}3zSvduWLR{%b*y?j-^(KJvE1!gXdudU|}0Y=4J
z<oI+i@L(6;f8@Nqro)L1(jB9vo~8#ktU`D|cVEHZ6DnS6swa8`cGO71ZsmF)E>4fY
z*Vnd6f*%`K?iqw+;hKBz+#wa2M{i(Vw?iwS4B}e<rM@aJ$<<v?v7cd+)91m@pESNb
zeK|PFtbL=9L2foS-qqiaav2FL5O(ExX4u#p4~zIrt2xs#_6qOy_L%fe($Kj>K;=uI
zWvC`Ocu2$}w=5jLxiq=t9Aat<^AWuE2nZ}7tr+H#d_+U_#G?_Qb7CY*=6P$ZowtEn
zOWddE`Ii=hy`=@{u;5Q@DKB`lG)`qeR`2`z8cKPHrP8;^`x2ob%sA=PJ**O){$}|v
znXb83=<8DpsoXw2cXN|Ly?n`7-F4KY-*n)B%ZD^@H(nACbE%`xA>!Yn+G_9Ov=c~c
zGk&!)a|v26<R9}AnSnUP2cgBPGbB;eGx7cvYw|$QH#xavD3NbmcymV<+8C|D<)p^}
zG<;|)kf%T_CBE6lf8%~;<gP*K+5P@dCWl(eg^68L=-auNK|K56NV@X-n91>WO;#vm
z%Uk?TJ;vu>Y)2)Yj{MWFfbHb}cZY+q@%*$v5_D~#<$-31nc)LZPDZ@>yAd5^Nr|Vm
z|36<~AM0OU^z)Z5FOF&ft^XtHcSdtF$fz_9AJ!deumG_WYy}lq`pFFgNIIMUkhU9l
zqoQKG1Xy-uQ7VYrMxnYZ#eV`>GmJ${1dagIyAvdWK&rdf(LmY*OhqYBBEbU~=(_{5
zqM{iEYqf7D>{A>2BZrZ1(&D;0gFtXhGyY$I6=dN1J6jN-An*WYgR!SV<Y>%kAa)@{
zgEA0M69NI-c(cEM4`L{aU>mO@bsz`>Wanrhp$SD+P30s#c42HMb8U)Aou8jqAKnEG
zqXu*!Lj}nOicjdjB0eK4Zr<F2V}s_t0jO7isDUkx9+*NHsugU70_6*6X>A=GaDU3U
z1T^RiQvs>N7*blHJMypK7Shwx1GEoxDr0vnNI)mT7~K*673icu{Q@it8iUzYT&~w~
z`qh^wK;lGBvEkUDYYiJR|7iSld7s`7uDE-5XNFmG#?`6n`uf87rB)8D1cnOt-TmMa
zm{jKuXF6<xu8mn${G&)YWl9HL%&{>_W%D%%PCzn%cwYFn@9y!GokAFf9tHO6f_AsE
zk_+~fv;e_G1P!S|yMm@>N1w!B5uw~1qiLVZu@i;@dw4)E1S-7J88I#-?Bj&fVQc9V
z*a`?h{C?c;sD7qAQ5KH@*UQMfdtFd*B?S+FIdqB3BDW`ieh1n%ubA(3Pk7}B;4+3A
zj%<w^d9oEcL!&<?x*Z<|@PTNBQD6c@xpXvE5E??zUr7vF`?obPNmTE51{$hjko_dp
zrDM-zWMsh8=So?;JX$j_&DelxVv_zn2G~3X0R+nj&jvUH_O5{n2}bVHL>O*51#Dp7
z$H$@LXU?5t1}mv(`W2v0b*l?QWuS#MDVC2+ak%{;ya2U|{axp+pxA>B8g#Xw_f#TZ
z1J7t{Yn$}bk&9Wo<HCJZ18gVCK>rcW$~#ptyT$(G``aLhTbot|N`>hR>);>a6L!}L
zz_!|_FzK-64%IHeH~{ofut^bAlnA=nG%U31R=NM$NO!?9B8P?hfZzpZ-G-6KCeY6O
zpYm-WX-+p6Z;@P6G*pb+SXURoeW)evhaQJ$TA3Tw!PXY02h<cVnr5e`K_&r>yJNAj
zM-*W<GBA4X3w4L&<hCiS&H)X}P)=p(Vj=otp1`Is*n7Pdm%-Wq5+9&6Knl#*TMkst
zAML|2(2isYt3Qdq-8ThPBW!~#){I293uM;~H%4#Q<|KZ8&IJzK)6)YR$KXu`GEbw@
z==C*drj*V|axnuj1MUQz;nBQ#O*iN<fNQMR<DO-Kh;4;$1!l;*oQ+*rjqX5y_fxuY
zG)G!qK1IL01<VXVV<<9{f#MTZBPO^-GbC1hf{cK}a+?Ml4#7G3Ye94ll3OoT>j_C<
znCwCD$m{Cj0(lr{$t)26g9QQZJzG%^x@XlErFP<I8w!zIR2G90Mlckx3IaMqW@0Q5
z6Bx_1KL5;rc+ZijFlU}R5cGg+xqSuEu6u?V52FvmzXH^2C78uVp<CSQ(+V1guv!9W
zB^VoQK~C)fWJBD?sXY^0tUrQgiXHaEy?SH-6&3GSO`ZXGB2dnNo~t?1xFPQMMb-4}
ziLZSaGfFnKkp_JxL=0%QT!@u>@dM(YBK7)TwYL2KQfr%-%`eXmk0a#|9MFdK*?g_F
zF`u2FQ3<<^L7xBrv~lk7Q0HqL|GAVAiYO`)>soS&HfBXMqFj?iQYq;wQ$uA*4MN5>
zom`qlMdK0<Z6UXbWh$o>m7Q8<h*+aTD!H^dpI_~EUgx~l|6}I&{e8dB^L(G@{rQa4
zPtWE0i&CE6e{!^PFFJZy`kp2YIoyXIJU~J)XcNQQx#xNm(Y!2z2jzpjG2gKPk9o<!
zyD?v+4}tm|Y<<YSm0UQAxb5Lh44hUayW==}yFtb7XmNIS#;+tvJgf$mPh#nY@yUUl
zclSP{M{6ma+SIcSvryXRKIi`S2*}@_uGc|~&BNH<uetwt5754gs~tJlulM%1rW1W-
zmWU)sBzj@Z?VX)c!qaEww5Z@5Ht(~<%R?al?Ca_2$rV2XDK%a;XfMJ^M{Z2DT*%*C
zQd6@e!32ZWNBnY4N@Rwd7JZKkqSb+*Af8Z|E9l3>no6aPg8w~O<^^r4v6)%lhm#9g
zv%sj`EZq;Z?!}82##HL^=^cv~y#>AP9R!AJkD*%vS8c8o4s7LtZBfhUh*_9Uw|3tG
zUZ9s~v0x(8bboC?7nal(x(_0^xL5{K+gklCoDM&<Xv4h=J13t;8-Uv#&tgX{3uwiY
zlA;jr*Vf2{`6e9kveMG*%|awI8~7Q3+&2MHhhZRg`r*z}u~SB)g{J8nM_ks1nS3D{
zYUM+itgGgM$Ip{Z<@-jsrh|eUealmSH<EuN2zl;njy23=Fil%X4TJX+fMyi7Nes*|
zFxu>a@TCIxsk0=?t7FQq3{r=Z0Jyn>P~kP2m%9@}os-f4G;hls$p-bS%Xon=mb9h)
z)xM!KNdT~-!u?YDN-*L8!r^iN?RrW|3ODEyjx;6_+Dv;U94JQL_3?jqdvIx?t9S!U
zD1P1^_;WEf0DJy3onTPiO9K4=N3BhC%Y>u94r$L_B>q!(oT0)?m8|!_Ki^vlm;E^C
zbfCeV9NTC0vJ)q-dNf(pBC@RE^J4T}qxIq;;vCQq1+^TDy@G>|qys$#E9h0@IT>;k
z1XQ9@5Wxabz#j)a@!xU-3I$Xd*B~sw@}VJJ74Zj^jCS}Ru2z$h$RXUmjQ8J21gj<9
zNE28zQoM^K52_oKg)*q%D9>VqT8u>*VUN*^ua)1*bX0V33jBT-(l9h8@NuXz>)47j
zF_R>@6tvXH%gW@o?paPQx-062ptN8@bfXtfva(>yaG*ltpFwQ%mJteRwzoCq@A!jL
z(Eu3#G-4P#?3iVH0?LJgl9F>9uG!#=kdbnf22g%EY}|;*i+$Fk*u}PB%>G-&&UzF%
zDtpO+J8(n<Lo!#OukKrO!bZssJ|9M7x~Mg)bc?>Uh=4jk_n@vb{!JoHoHC*d|M=8P
z`n5odH2VTKKei0`AbLh)dAb+42#AR?%7#RS)1?YBZgz)*ome#)^wq$C&?(DAFoDJ=
zBiTVkP0cPOWHl1jL=Z|MUReo56E}9&Wt};Rm^~OwH5^^C<|sk9{6y6jIU=u~SNq{a
zZgusd1QRa<SdgUs&bB_2E%OOOY2qx7(%U!gBt!H>Yv>gh_(<zz%~>`i9NpH&gS7@x
z&1JDzcU4}E@DL#rC6bLVaARX)$hnuQRX8a*YQZrR(#@+#)rgyi$1kyBhs+jda^JyE
zfQtTO;(`^PM20GJ*~7OheU&k=p1^oz-_4HD*B<Fhhb>vlC_9Ahd3rb-{T<QbT%P)w
z1Tf+3wPDXi|MG{{Z39*wfwJM?fdj%qA5sKJQ?&En!>HadI5@bDoMrHM*L>9)=Vgmq
zhff$I_@&^H!3tz@L5D)RkahVox}3-0pa2d3cL6{aK99k+1AF@_$ZVNUH`}bz<g_h8
zs3=d65#!mmU2ij+|14D)OvjE3Q}e6L$~OXY*k%8fY=ox(DI28Z=Tex8<xw1NzO;2-
zglx9>%=pWo)RYtg%58w2<X8+fI1w&WTV9^Jrj^v%YsA262fF}44ro8AT!YS`ipz?R
zM<M!{&p(gPL6y;y=4vJFC2XJm@TE)XvZL-tV8IxvOfQ%K+_29y1GN?n{!R)??dJ5t
zHk@Iy0wL~6c6W8jm3X%9VmYWa)ldKXhcfXt7|tN6k{f3IU373m)uq#0n>nBSNnAW}
zO(3d&zA+6|AH;2vTJ*wqzae(}KO6u-BTh7kj{qzE0_8G7s&ID0LDIcWK*bOo96U-1
zL9sRO<rr_~@JNz(R%fsA*&L(CtG8G&qkK4z=JqPfn<-H(3f$7opT?<drvB<~LyL@%
zT%enJ-Gi-~xW~q=(1S&xYRPG=Y*W)3sJ9c;f84pr?6-k6*XiwVG;}RyIQ%1xA-;q<
zL%h4Y8#t0%@iX}tjXPb2;~zf)Sm{1lHa#6?wm8wXBw*&E=nh?VAX)BE!<?oR(~k3l
zKE_;qg{$vo&e@9fA72!I^<D>sMw_vhrEf}Lv1D%CxUsG?gw1A$e-vnFPI=1GH8rnF
z?m4Tdpr9=;!LDx>i9`)kUI}q=Qzl$}PY#CzkCZgttyP(_Ny*8vw?B`Kt*YP;KYsq5
z=2W4IQ0emEjuYix(V{yCzQ6o9M9ntt%GyLhS69#L*8zHm6%_vPm!-!)eDh{ywERB<
zeRje}$XHeaLu;=6>HQuyMF+FkVGWg)vHAJhea9`FoSij(a(Oj0w5c?$ZJ@lmTDrAj
zca{zz92=XT=`_30V@_IH+Hsw!k)rkI<1R#txs*#cxw-7WoRh=r>G2b!ovi7Kkr!t$
z7zLdo$RAQl_FX^tK>En-z`g$dG#5vPud*%W>7mssF=Eag!f7idI~&9FCO$v&h`|yM
zwN12(TKKJ7Yq~a+d;KyvSP(uhyKUf!=!4txf8-VwvGW#gy<}x=-DKvh7q8iR6r<LD
zN@rA*gkF5)(aIGPmP3?}mh-s0=Tp7Cz1$%;&8u2|XSW;)7o^v{;PO1jhlZ9%%bQcF
zjl;vk>9?|zUUAKw`HSX$s#BYpn4ma!<cg@oJwm|ePafYenfvYY2CYM)=Sc-c@$QAu
zwpY#uQ&+B7D-Z~dMMNYmqgc%{C-OQDdMsZ+(dY{s*5ks3O5XO7U(l`X1s=;KivL=r
z^F<D={j0v%HKqA<Jv+2D=5XCkdrn8{o4tN25sQSdz>v3nzxJTL*iuO`_d=!Hm6biA
zOQ8iyc^Dw&89QG=TUvs>XP>vH;Q6hhqOrYZgqN3BN`roU<e^)02rnO>CS215+c&FE
zwzS052B^eXO4ZlYyxeB;<LT3K!jI3c&}bVQ3C^#f*;2e?qxkC|F)}iut4h_6%<JFj
z>gt+PI+IR5at_`pjdpR}|82^+I6bC{kVd0PzgNy&m+vurLg)&^WMZS83$4_4cjSKn
D_pHcH

literal 0
HcmV?d00001


From 7e7b404bc3ef5b6e45b1cf03e606c3d90e5fb759 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 2 Oct 2020 07:25:34 -0700
Subject: [PATCH 08/28] Update keymanagementscenarios.md

Added diagrams, new personas, and placeholders for additional definitions.

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 43 +++++++++++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index 73adb4b4..cebb6755 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -6,11 +6,25 @@ Key management for container signing can be broadly categorized into three gener
 Personas:
 - Publisher: User who builds and signs containers.
     - Publisher Admin: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrator) will be responsible for configuring roots, provide access to use or generate delegate keys, and make decisions for key revocation.
-    - Publisher Builder [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Builders (i.e. developers, build hosts) will be responsible for building container images. 
-    - Publisher Signer [TODO: better wording]: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Signers (i.e. developers, signing hosts) will be responsible for signing container images.
+    - Publisher Builder: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Builders (i.e. developers, build hosts) will be responsible for creating artifacts. 
+    - Publisher Signer: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Signers (i.e. developers, signing hosts) will be responsible for signing artifacts.
 - Deployer: User who deploys containers.
+    - Deployer Admin: In some scenarios a deployer will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrators) will be responsible for configuring deployment policies, including potentially a set of trusted roots or required signatures. 
+    - Deployer Operator: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Operators (i.e. developers, deployment hosts) will be responsible for pulling container images from registries, verifying their signatures, and then running them.
+- Repository Owner: In some scenarios a container may be stored in a repository that is managed by the repository owner. The repository may be public or private and could also be air-gapped.
+
+Additional Definitions:
+- Root key: [TODO]
+- Signing key: [TODO]
 
 Signing use cases:
+
+Provisioning Keys for Signing:
+![Notaryv2 Signing Provisioning](./media/nv2-keymgmt-architecture-provisionkeys-v1.png)
+Signing Workflow:
+![Notaryv2 Signing Workflow](./media/nv2-keymgmt-architecture-sign-v1.png)
+
+Detailed Scenarios:
 - Local Key Store
     - Publisher creates new root key on local machine. Keys are stored in key store or plain text on local machine (Need to identify keystores we want to support. We can preclude signing with root keys to improve security posture).
     - Publisher uploads root public key to registry (registry can verify user for container uploads). 
@@ -22,19 +36,19 @@ Signing use cases:
     - Publisher uploads root public key to registry (registry can verify user for container uploads). 
     - Publisher shares root public key (other users can verify containers before running).
     - Publisher creates new delegate keys on USB token that chain to root key (better security posture as key is not exposed in plain text outside of token).
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in USB Token (using a PKCS 11 interface will prevent keys from being exposed in memory).
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signature by submitting hash to USB Token (using a PKCS 11 interface will prevent keys from being exposed in memory).
 - Network HSM
     - Publisher creates new root key on Network HSM (better security posture as key is not exposed in plain text outside of HSM). 
     - Publisher uploads root public key to registry (registry can verify user for container uploads). 
     - Publisher shares root public key (other users can verify containers before running).
     - Publisher creates new delegate keys on Network HSM that chain to root key (better security posture as key is not exposed in plain text outside of HSM).
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in Network HSM.
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signature by submitting hash to Network HSM.
 - Cloud Key Management Service (KMS)
     - Publisher creates new root key on Cloud KMS (better security posture as key is not exposed in plain text outside of Cloud KMS).
     - Publisher uploads root public key to registry (registry can verify user for container uploads). 
     - Publisher shares root public key (other users can verify containers before running).
     - Publisher creates new delegate keys on Cloud KMS that chain to root key (better security posture as key is not exposed in plain text outside of Cloud KMS).
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in Cloud KMS.
+    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signature by submitting hash to Cloud KMS.
 - Hybrid
     - Publisher Admin creates new root key on USB Token/Network HSM/Cloud Key Management Service (better security posture as key is never exposed in plain text outside of token).
     - Publisher Admin uploads root public key to registry (registry can verify user for container uploads). 
@@ -58,19 +72,30 @@ Signing use cases:
     - Publisher Admin creates new subordinate key in air gapped environment on a host, USB Token, Network HSM, or Cloud Key Management Service chaining to root (one time operation enables the root to be used by runtime environments outside of the air gapped environment to validate signatures generated inside the environment).
     - Publisher Admin configures credentials for Publisher Signers in air gapped environment to use sub-ordinate key for delegate keys instead of root key (users in air gapped environment do not need to get keys from outside of the environment). 
 
-Trust Store Configuration:
+Deployment Use Cases:
+
+Provisioning Truststore for Deployment:
+![Notaryv2 Deployment Provisioning](./media/nv2-nv2-keymgmt-architecture-provisiontruststore-v1.png)
+Deployment Workflow:
+![Notaryv2 Deployment Workflow](./media/nv2-keymgmt-architecture-pull-v1.png)
+
 - Specify trusted public root keys
-    - Deployer gets root public key from publisher.
-    - Deployer adds root public key to runtime configuration.
+    - Deployer Admin gets root public key from publisher.
+    - Deployer Admin adds root public key to runtime configuration.
     - Container pulled from any registry is be validated with listed root public keys before execution.
 - Specify location of trusted public root keys
-    - [TODO]
+    - Deployer Admin gets location of key repository from publisher.
+    - Deployer Admin adds location of key repository to runtime configuration.
+    - Container pulled from any registry is be validated with listed root public keys before execution.
 - Enterprises can restrict users to add/remove their root public keys to the trust store used across a fleet of runtime hosts. The trust store will validate images pulled from any registry.
 - Enterprises can restrict users to add/remove root public keys for trusted third parties to their trust stores. The trust store will validate images pulled from any registry.
 - Trust store also includes subordinate keys
 - Air gapped environments
 
 Key rotation/revocation use cases:
+
+![Notaryv2 Revocation Workflow](./media/nv2-keymgmt-architecture-revokekeys-v1.png)
+
 - Root Revocation (compromised root should not be needed in process to designate itself as revoked, otherwise attacker can use compromised root for a key rotation locking out publisher)
     - Publisher deletes revoked root public key on registry (registry can stop sharing containers with revoked key).
     - [TODO: Discuss if we want this] Registry stops vending containers signed with old root key (will prevent revoked artifacts from being used by developers not checking signature).

From d4ed3cf4c1c19215a0e75f3415357774f7261104 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 2 Oct 2020 07:27:17 -0700
Subject: [PATCH 09/28] Update keymanagementscenarios.md

Fixed image rendering

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index cebb6755..2ea608f6 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -21,6 +21,7 @@ Signing use cases:
 
 Provisioning Keys for Signing:
 ![Notaryv2 Signing Provisioning](./media/nv2-keymgmt-architecture-provisionkeys-v1.png)
+
 Signing Workflow:
 ![Notaryv2 Signing Workflow](./media/nv2-keymgmt-architecture-sign-v1.png)
 
@@ -75,10 +76,12 @@ Detailed Scenarios:
 Deployment Use Cases:
 
 Provisioning Truststore for Deployment:
-![Notaryv2 Deployment Provisioning](./media/nv2-nv2-keymgmt-architecture-provisiontruststore-v1.png)
+![Notaryv2 Deployment Provisioning](./media/nv2-keymgmt-architecture-provisiontruststore-v1.png)
+
 Deployment Workflow:
 ![Notaryv2 Deployment Workflow](./media/nv2-keymgmt-architecture-pull-v1.png)
 
+Detailed Usecases:
 - Specify trusted public root keys
     - Deployer Admin gets root public key from publisher.
     - Deployer Admin adds root public key to runtime configuration.
@@ -94,6 +97,7 @@ Deployment Workflow:
 
 Key rotation/revocation use cases:
 
+Key Revocation Workflow:
 ![Notaryv2 Revocation Workflow](./media/nv2-keymgmt-architecture-revokekeys-v1.png)
 
 - Root Revocation (compromised root should not be needed in process to designate itself as revoked, otherwise attacker can use compromised root for a key rotation locking out publisher)

From b0f8718f6d37465dc53f3c8440c49add2232de3a Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 2 Oct 2020 07:28:24 -0700
Subject: [PATCH 10/28] Update keymanagementscenarios.md

Fixes for image rendering

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index 2ea608f6..dd8b6de6 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -19,10 +19,12 @@ Additional Definitions:
 
 Signing use cases:
 
-Provisioning Keys for Signing:
+Provisioning Keys for Signing
+
 ![Notaryv2 Signing Provisioning](./media/nv2-keymgmt-architecture-provisionkeys-v1.png)
 
-Signing Workflow:
+Signing Workflow
+
 ![Notaryv2 Signing Workflow](./media/nv2-keymgmt-architecture-sign-v1.png)
 
 Detailed Scenarios:
@@ -75,10 +77,12 @@ Detailed Scenarios:
 
 Deployment Use Cases:
 
-Provisioning Truststore for Deployment:
+Provisioning Truststore for Deployment
+
 ![Notaryv2 Deployment Provisioning](./media/nv2-keymgmt-architecture-provisiontruststore-v1.png)
 
-Deployment Workflow:
+Deployment Workflow
+
 ![Notaryv2 Deployment Workflow](./media/nv2-keymgmt-architecture-pull-v1.png)
 
 Detailed Usecases:
@@ -97,7 +101,8 @@ Detailed Usecases:
 
 Key rotation/revocation use cases:
 
-Key Revocation Workflow:
+Key Revocation Workflow
+
 ![Notaryv2 Revocation Workflow](./media/nv2-keymgmt-architecture-revokekeys-v1.png)
 
 - Root Revocation (compromised root should not be needed in process to designate itself as revoked, otherwise attacker can use compromised root for a key rotation locking out publisher)

From a5fe2a76d74f84bcb2b1df466b7f6056c5e6be68 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 26 Oct 2020 09:00:38 -0700
Subject: [PATCH 11/28] Update keymanagementscenarios.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index dd8b6de6..bb625e69 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -14,8 +14,14 @@ Personas:
 - Repository Owner: In some scenarios a container may be stored in a repository that is managed by the repository owner. The repository may be public or private and could also be air-gapped.
 
 Additional Definitions:
-- Root key: [TODO]
-- Signing key: [TODO]
+- Root key: A self signed key used for the lowest designation of trust. Root keys can be created by developers, organizations, public/private CAs, and registry operators. The root key should be retrieved from a trusted source that can establish the authenticity of the creator's identity.
+- Signing key: A signing key is used to generate artifact signatures. A signing key should be signed with a root key or one of its intermediaries. The certificate chain with a signing key can be used to verify which root it belongs to. While a root key can be used as a signing key, this is not recommended as it creates a large blast radius and increases the risk of compromising a root key. 
+- Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a source (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. 
+- Trust Store Certificate: The certificate in the trust store will contain:
+    - Public Key: Will be matched against CRL and signature artifact.
+    - Signed CRL URL: Location to retrieve CRL from.
+    - Signed Identity: Identity of creator of the signed certificate.
+    - (Optional) Issuer: If the certificate is an intermediate this will describe the issuer of the certificate.
 
 Signing use cases:
 
@@ -96,8 +102,17 @@ Detailed Usecases:
     - Container pulled from any registry is be validated with listed root public keys before execution.
 - Enterprises can restrict users to add/remove their root public keys to the trust store used across a fleet of runtime hosts. The trust store will validate images pulled from any registry.
 - Enterprises can restrict users to add/remove root public keys for trusted third parties to their trust stores. The trust store will validate images pulled from any registry.
-- Trust store also includes subordinate keys
-- Air gapped environments
+- Air gapped environments can either specify the 
+
+Key Distribution Workflows:
+- Manual Configuration
+    - Publisher places their root certificate in a public location. This could be a website similar to what public CAs today provide.
+    - Developer copies certificate from public location and adds it to their trust store. Developer can configure whether they trust this certificate for all their artifacts, individual registries, individual repositories, or individual targets.
+- Automated Configuration
+    - Publisher gets intermediate certificate from a key distriution service i.e public CA or registry operator.
+    - Developer adds root certificate and location of key respoitory to their trust store. Developer can configure whether they trust certificates for all their artifacts, individual registries, individual repositories, or individual targets.
+- Revocation: Note in the event a root certificate is revoked validations will fail, and developers will need to update their root certificate. The publisher will need to pro-actively communicate a rotation out of bands to prevent an outage.    
+
 
 Key rotation/revocation use cases:
 
@@ -126,10 +141,10 @@ Key Revocation Workflow
     - Publisher creates new delegate keys from existing root following any scenario listed earlier in Signing use cases.
 
 In addition we also need to consider the following for cryptographic security:
-- Supported key types
-- Supported signing algorithms
+- Supported key types [TODO: Pull from NIST recommendations]
+- Supported signing algorithms [TODO: Pull from NIST recommendations]
 
-Identify use cases to clarify:
+Additional questions to clarify as part of implementation (need more research but doesn't impact workflow):
 1. Where can keys be stored? What interfaces need to be supported?
 2. Any limitations ok key types/sizes supported?
 3. How will public keys (root of trust) be distributed?

From 388c9eb0bfa9c29cf831cc5340f2cf3d96f0a38d Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 2 Nov 2020 08:52:14 -0800
Subject: [PATCH 12/28] Update keymanagementscenarios.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 52 +++++++++++++++++++++++++--------------
 1 file changed, 33 insertions(+), 19 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index bb625e69..cbb42138 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -1,9 +1,10 @@
+# Overview
 Key management for container signing can be broadly categorized into three general use cases:
 - Key Setup/Signing (How are keys set up? How are keys accessed by Notary v2 client when signatures are generated?)
 - Trust store configuration (How do runtime environments determine which keys to trust?)
 - Revocation (How do key owners create/revoke keys? How do runtime environments get this information?)
 
-Personas:
+## Personas:
 - Publisher: User who builds and signs containers.
     - Publisher Admin: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrator) will be responsible for configuring roots, provide access to use or generate delegate keys, and make decisions for key revocation.
     - Publisher Builder: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Builders (i.e. developers, build hosts) will be responsible for creating artifacts. 
@@ -13,7 +14,7 @@ Personas:
     - Deployer Operator: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Operators (i.e. developers, deployment hosts) will be responsible for pulling container images from registries, verifying their signatures, and then running them.
 - Repository Owner: In some scenarios a container may be stored in a repository that is managed by the repository owner. The repository may be public or private and could also be air-gapped.
 
-Additional Definitions:
+## Definitions:
 - Root key: A self signed key used for the lowest designation of trust. Root keys can be created by developers, organizations, public/private CAs, and registry operators. The root key should be retrieved from a trusted source that can establish the authenticity of the creator's identity.
 - Signing key: A signing key is used to generate artifact signatures. A signing key should be signed with a root key or one of its intermediaries. The certificate chain with a signing key can be used to verify which root it belongs to. While a root key can be used as a signing key, this is not recommended as it creates a large blast radius and increases the risk of compromising a root key. 
 - Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a source (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. 
@@ -23,17 +24,30 @@ Additional Definitions:
     - Signed Identity: Identity of creator of the signed certificate.
     - (Optional) Issuer: If the certificate is an intermediate this will describe the issuer of the certificate.
 
-Signing use cases:
+## Requirements
+- Signing an artifact SHOULD NOT require the publisher to perform additional actions with a registry or registry operator beyond those required to push an unsigned artifact.
+- Validating a signature SHOULD NOT require the deployer to perform additional actions with a registry or registry operator beyond those required to pull an unsigned artifact.
+- Moving an artifact from one repository to another SHOULD NOT invalidate the signature on the artifact.
+- A rotation of the root key SHOULD NOT require the use of the existing root key.
+- Publishers SHOULD be able to sign with keys stored on their local machines, secure tokens, Hardware Security Modules (HSMs), or cloud based Key Management Services.
+- Publishers SHOULD be able to generate multiple signatures for a single artifact.
+- Publishers MUST have a mechanism to revoke signatures to indicate they are no longer trusted. 
+- Trust stores SHOULD be configurable by the deployer.
+- Deployers MUST be able to configure trusted entities for individual repositories and targets.
+- Deployers MUST be able to validate signatures on any version of an artifact including whether they have been revoked by the publisher.
+- Signature validation MUST be enforceable in air-gapped environments with minimal updates. 
 
-Provisioning Keys for Signing
+# Signing use cases:
+
+## Provisioning Keys for Signing
 
 ![Notaryv2 Signing Provisioning](./media/nv2-keymgmt-architecture-provisionkeys-v1.png)
 
-Signing Workflow
+## Signing Workflow
 
 ![Notaryv2 Signing Workflow](./media/nv2-keymgmt-architecture-sign-v1.png)
 
-Detailed Scenarios:
+## Detailed Scenarios:
 - Local Key Store
     - Publisher creates new root key on local machine. Keys are stored in key store or plain text on local machine (Need to identify keystores we want to support. We can preclude signing with root keys to improve security posture).
     - Publisher uploads root public key to registry (registry can verify user for container uploads). 
@@ -81,17 +95,17 @@ Detailed Scenarios:
     - Publisher Admin creates new subordinate key in air gapped environment on a host, USB Token, Network HSM, or Cloud Key Management Service chaining to root (one time operation enables the root to be used by runtime environments outside of the air gapped environment to validate signatures generated inside the environment).
     - Publisher Admin configures credentials for Publisher Signers in air gapped environment to use sub-ordinate key for delegate keys instead of root key (users in air gapped environment do not need to get keys from outside of the environment). 
 
-Deployment Use Cases:
+# Deployment Use Cases:
 
-Provisioning Truststore for Deployment
+## Provisioning Truststore for Deployment
 
 ![Notaryv2 Deployment Provisioning](./media/nv2-keymgmt-architecture-provisiontruststore-v1.png)
 
-Deployment Workflow
+## Deployment Workflow
 
 ![Notaryv2 Deployment Workflow](./media/nv2-keymgmt-architecture-pull-v1.png)
 
-Detailed Usecases:
+## Detailed Usecases:
 - Specify trusted public root keys
     - Deployer Admin gets root public key from publisher.
     - Deployer Admin adds root public key to runtime configuration.
@@ -102,9 +116,9 @@ Detailed Usecases:
     - Container pulled from any registry is be validated with listed root public keys before execution.
 - Enterprises can restrict users to add/remove their root public keys to the trust store used across a fleet of runtime hosts. The trust store will validate images pulled from any registry.
 - Enterprises can restrict users to add/remove root public keys for trusted third parties to their trust stores. The trust store will validate images pulled from any registry.
-- Air gapped environments can either specify the 
+- Air gapped environments can manually specify the trusted keys in their trust stores. Air-gapped operators will need to either maintain an air-gapped copy of the CRL or re-sign artifacts locally within an air-gapped environment.
 
-Key Distribution Workflows:
+# Key Distribution Workflows:
 - Manual Configuration
     - Publisher places their root certificate in a public location. This could be a website similar to what public CAs today provide.
     - Developer copies certificate from public location and adds it to their trust store. Developer can configure whether they trust this certificate for all their artifacts, individual registries, individual repositories, or individual targets.
@@ -113,10 +127,9 @@ Key Distribution Workflows:
     - Developer adds root certificate and location of key respoitory to their trust store. Developer can configure whether they trust certificates for all their artifacts, individual registries, individual repositories, or individual targets.
 - Revocation: Note in the event a root certificate is revoked validations will fail, and developers will need to update their root certificate. The publisher will need to pro-actively communicate a rotation out of bands to prevent an outage.    
 
+# Key rotation/revocation use cases:
 
-Key rotation/revocation use cases:
-
-Key Revocation Workflow
+## Key Revocation Workflow
 
 ![Notaryv2 Revocation Workflow](./media/nv2-keymgmt-architecture-revokekeys-v1.png)
 
@@ -140,10 +153,7 @@ Key Revocation Workflow
 - Delegate Key Rotation
     - Publisher creates new delegate keys from existing root following any scenario listed earlier in Signing use cases.
 
-In addition we also need to consider the following for cryptographic security:
-- Supported key types [TODO: Pull from NIST recommendations]
-- Supported signing algorithms [TODO: Pull from NIST recommendations]
-
+# Follow ups for Implementation 
 Additional questions to clarify as part of implementation (need more research but doesn't impact workflow):
 1. Where can keys be stored? What interfaces need to be supported?
 2. Any limitations ok key types/sizes supported?
@@ -152,3 +162,7 @@ Additional questions to clarify as part of implementation (need more research bu
 5a. What is the minimum number of keys needed to succesfully sign a container?
 5b. What is the recommended number of keys to sign a container?
 6. Any additional requirements for timestamping?
+
+In addition we also need to consider the following for cryptographic security:
+- Supported key types [TODO: Pull from NIST recommendations]
+- Supported signing algorithms [TODO: Pull from NIST recommendations]

From 7808ca7aa983f23c76d2c5b9c81467c5eabccf2d Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 2 Nov 2020 08:58:00 -0800
Subject: [PATCH 13/28] Update keymanagementscenarios.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index cbb42138..2cec9e24 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -25,8 +25,8 @@ Key management for container signing can be broadly categorized into three gener
     - (Optional) Issuer: If the certificate is an intermediate this will describe the issuer of the certificate.
 
 ## Requirements
-- Signing an artifact SHOULD NOT require the publisher to perform additional actions with a registry or registry operator beyond those required to push an unsigned artifact.
-- Validating a signature SHOULD NOT require the deployer to perform additional actions with a registry or registry operator beyond those required to pull an unsigned artifact.
+- Signing an artifact SHOULD NOT require the publisher to perform additional actions with a registry/repository or registry operator beyond those required to push an unsigned artifact.
+- Validating a signature SHOULD NOT require the deployer to perform additional actions with a registry/repository or registry operator beyond those required to pull an unsigned artifact.
 - Moving an artifact from one repository to another SHOULD NOT invalidate the signature on the artifact.
 - A rotation of the root key SHOULD NOT require the use of the existing root key.
 - Publishers SHOULD be able to sign with keys stored on their local machines, secure tokens, Hardware Security Modules (HSMs), or cloud based Key Management Services.

From 203856d5a29142584c97e0e4478f60cd6fe8c1d4 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 8 Feb 2021 08:57:38 -0800
Subject: [PATCH 14/28] Update keymanagementscenarios.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index 2cec9e24..7d428f6c 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -1,8 +1,8 @@
 # Overview
 Key management for container signing can be broadly categorized into three general use cases:
-- Key Setup/Signing (How are keys set up? How are keys accessed by Notary v2 client when signatures are generated?)
-- Trust store configuration (How do runtime environments determine which keys to trust?)
-- Revocation (How do key owners create/revoke keys? How do runtime environments get this information?)
+- Key Setup/Signing (Key managment and integrations with client tooling for generating signatures.)
+- Trust store configuration (Configuring which keys to trust for artifacts from a predefined source.)
+- Signature Validity (Expiry, Revocation and/or Trusted Update List. Mechanism to update information on the validity of signatures.)
 
 ## Personas:
 - Publisher: User who builds and signs containers.
@@ -18,24 +18,36 @@ Key management for container signing can be broadly categorized into three gener
 - Root key: A self signed key used for the lowest designation of trust. Root keys can be created by developers, organizations, public/private CAs, and registry operators. The root key should be retrieved from a trusted source that can establish the authenticity of the creator's identity.
 - Signing key: A signing key is used to generate artifact signatures. A signing key should be signed with a root key or one of its intermediaries. The certificate chain with a signing key can be used to verify which root it belongs to. While a root key can be used as a signing key, this is not recommended as it creates a large blast radius and increases the risk of compromising a root key. 
 - Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a source (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. 
-- Trust Store Certificate: The certificate in the trust store will contain:
-    - Public Key: Will be matched against CRL and signature artifact.
-    - Signed CRL URL: Location to retrieve CRL from.
-    - Signed Identity: Identity of creator of the signed certificate.
-    - (Optional) Issuer: If the certificate is an intermediate this will describe the issuer of the certificate.
+- Trust Store Key Information: The key information configured in the trust store will be cryptographically verifiable and contain:
+    - Public Key: Will be used to verify signed artifacts.
+    - Signed Identity: Identity of creator of the signing key.
+    - (Optional) Issuer: If the key is an intermediate this will describe the owner of the root.
+    - Mechanism to update validity of signatures generated with the signing key.
 
 ## Requirements
 - Signing an artifact SHOULD NOT require the publisher to perform additional actions with a registry/repository or registry operator beyond those required to push an unsigned artifact.
 - Validating a signature SHOULD NOT require the deployer to perform additional actions with a registry/repository or registry operator beyond those required to pull an unsigned artifact.
 - Moving an artifact from one repository to another SHOULD NOT invalidate the signature on the artifact.
-- A rotation of the root key SHOULD NOT require the use of the existing root key.
 - Publishers SHOULD be able to sign with keys stored on their local machines, secure tokens, Hardware Security Modules (HSMs), or cloud based Key Management Services.
 - Publishers SHOULD be able to generate multiple signatures for a single artifact.
 - Publishers MUST have a mechanism to revoke signatures to indicate they are no longer trusted. 
 - Trust stores SHOULD be configurable by the deployer.
 - Deployers MUST be able to configure trusted entities for individual repositories and targets.
 - Deployers MUST be able to validate signatures on any version of an artifact including whether they have been revoked by the publisher.
-- Signature validation MUST be enforceable in air-gapped environments with minimal updates. 
+- Signature validation MUST be enforceable in air-gapped environments. 
+
+## Requirements for discussion
+- Providing a mechanism for rotating a root key: In prior discussions we did not close on whether Notary v2 should provide a mechanism for rotating a root key or not. Tradeoffs are listed below for further discussion.
+    - Adding a mechanism:
+        - Allows for the automatic rotation of keys. Can be used to mass update keys if signing algorithms need to be updated.
+        - Doesn't address the use case of developers losing a root key.
+        - Provides a bad actor mechanism to insert a new root without deployer acknowledgement.
+    - Not adding a mechanism:
+        - Any rotation of root keys will require deployers to acknowledge and make a change.
+        - Doesn't address the use case of developers losing a root key.
+        - Prevents a bad actor from inserting a new root without deployer acknowledgement.
+
+****READ UP TO HERE, SECTIONS BELOW ARE WORK IN PROGRESS****
 
 # Signing use cases:
 

From dc5790eb3b16a0df633086fa5a1568db7282c14e Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 8 Feb 2021 09:07:40 -0800
Subject: [PATCH 15/28] Update keymanagementscenarios.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index 7d428f6c..d9478957 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -40,13 +40,20 @@ Key management for container signing can be broadly categorized into three gener
 - Providing a mechanism for rotating a root key: In prior discussions we did not close on whether Notary v2 should provide a mechanism for rotating a root key or not. Tradeoffs are listed below for further discussion.
     - Adding a mechanism:
         - Allows for the automatic rotation of keys. Can be used to mass update keys if signing algorithms need to be updated.
-        - Doesn't address the use case of developers losing a root key.
+        - Doesn't address the use case of publishers losing a root key.
         - Provides a bad actor mechanism to insert a new root without deployer acknowledgement.
     - Not adding a mechanism:
         - Any rotation of root keys will require deployers to acknowledge and make a change.
-        - Doesn't address the use case of developers losing a root key.
+        - Doesn't address the use case of publishers losing a root key.
         - Prevents a bad actor from inserting a new root without deployer acknowledgement.
-
+    - Scenarios to consider:
+        - Publisher loses key.
+        - Publisher needs to update key for reasons beside unauthorized access to a key.
+        - Publisher's root key access is compromised, and they are aware.
+        - Publisher's root key access is compromised, but they are unaware.
+        - Publisher's root key is compromised, and they are aware.
+        - Publisher's root key is compromised, but they are unaware.
+        
 ****READ UP TO HERE, SECTIONS BELOW ARE WORK IN PROGRESS****
 
 # Signing use cases:

From c1bba8be5d33876388b01129117bc84af112b6f8 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Wed, 3 Mar 2021 07:23:37 -0800
Subject: [PATCH 16/28] Update keymanagementscenarios.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementscenarios.md | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
index d9478957..e5c41be5 100644
--- a/keymanagementscenarios.md
+++ b/keymanagementscenarios.md
@@ -37,18 +37,23 @@ Key management for container signing can be broadly categorized into three gener
 - Signature validation MUST be enforceable in air-gapped environments. 
 
 ## Requirements for discussion
-- Providing a mechanism for rotating a root key: In prior discussions we did not close on whether Notary v2 should provide a mechanism for rotating a root key or not. Tradeoffs are listed below for further discussion.
-    - Adding a mechanism:
+- Providing a mechanism for configuring/rotating a root key: In prior discussions we did not close on whether Notary v2 should provide a mechanism for rotating a root key or not. Tradeoffs are listed below for further discussion.
+    - Things to consider for dock:
+        - Who is handling roots? 
+        - How are roots being distributed?
+        - What infrastructure requirements for root management  
+    - Adding a mechanism to configure/rotate keys:
         - Allows for the automatic rotation of keys. Can be used to mass update keys if signing algorithms need to be updated.
         - Doesn't address the use case of publishers losing a root key.
         - Provides a bad actor mechanism to insert a new root without deployer acknowledgement.
+        - Consider whether this mechanism needs to rely on existing root or roots. (Make the distinction for multiple roots)
     - Not adding a mechanism:
         - Any rotation of root keys will require deployers to acknowledge and make a change.
         - Doesn't address the use case of publishers losing a root key.
         - Prevents a bad actor from inserting a new root without deployer acknowledgement.
     - Scenarios to consider:
         - Publisher loses key.
-        - Publisher needs to update key for reasons beside unauthorized access to a key.
+        - Publisher needs to update key for reasons beside unauthorized access to a key (includes expiration, new key types).
         - Publisher's root key access is compromised, and they are aware.
         - Publisher's root key access is compromised, but they are unaware.
         - Publisher's root key is compromised, and they are aware.

From c9cdf3a27bfffde4a44cf26702171832957d1c34 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 8 Mar 2021 07:58:13 -0800
Subject: [PATCH 17/28] Update and rename keymanagementscenarios.md to
 keymanagementrequirements.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md |  51 ++++++++++
 keymanagementscenarios.md    | 192 -----------------------------------
 2 files changed, 51 insertions(+), 192 deletions(-)
 create mode 100644 keymanagementrequirements.md
 delete mode 100644 keymanagementscenarios.md

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
new file mode 100644
index 00000000..480eb4ee
--- /dev/null
+++ b/keymanagementrequirements.md
@@ -0,0 +1,51 @@
+# Overview
+Key management for container signing can be broadly categorized into three general use cases:
+- Key Setup/Signing (Key managment and integrations with client tooling for generating signatures.)
+- Trust store configuration (Configuring which keys to trust for artifacts from a predefined source.)
+- Signature Validity (Expiry, Revocation and/or Trusted Update List. Mechanism to update information on the validity of signatures.)
+
+## Personas:
+- Publisher: User who builds and signs containers.
+    - Publisher Admin: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrator) will be responsible for configuring roots, provide access to use or generate delegate keys, and make decisions for key revocation.
+    - Publisher Builder: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Builders (i.e. developers, build hosts) will be responsible for creating artifacts. 
+    - Publisher Signer: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Signers (i.e. developers, signing hosts) will be responsible for signing artifacts.
+- Deployer: User who deploys containers.
+    - Deployer Admin: In some scenarios a deployer will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrators) will be responsible for configuring deployment policies, including potentially a set of trusted roots or required signatures. 
+    - Deployer Operator: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Operators (i.e. developers, deployment hosts) will be responsible for pulling container images from registries, verifying their signatures, and then running them.
+- Repository Owner: In some scenarios a container may be stored in a repository that is managed by the repository owner. The repository may be public or private and could also be air-gapped.
+
+## Definitions:
+- Root key: A self signed key used for the lowest designation of trust. Root keys can be created by developers, organizations, public/private CAs, and registry operators. The root key should be retrieved from a trusted source that can establish the authenticity of the creator's identity.
+- Signing key: A signing key is used to generate artifact signatures. A signing key should be signed with a root key or one of its intermediaries. The certificate chain with a signing key can be used to verify which root it belongs to. While a root key can be used as a signing key, this is not recommended as it creates a large blast radius and increases the risk of compromising a root key. 
+- Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a source (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. 
+- Trust Store Key Information: The key information configured in the trust store will be cryptographically verifiable and contain:
+    - Public Key: Will be used to verify signed artifacts.
+    - Signed Identity: Identity of creator of the signing key.
+    - (Optional) Issuer: If the key is an intermediate this will describe the owner of the root.
+    - Mechanism to update validity of signatures generated with the signing key.
+
+## Requirements
+- Signing an artifact MUST NOT require the publisher to perform additional actions with a registry/repository or registry operator. Uploading a signature MAY require additional actions.
+- Retrieving a signature MUST NOT require the deployer to perform additional actions with a registry/repository or registry operator beyond those required to pull an unsigned artifact.
+- Artifact integrity, source, and signature expiry MUST be verifiable from the signature AND NOT require additional calls to the registry/repository.
+- Signature allow list/deny list MAY require additional calls that will be defined in a separate document.
+- Moving an artifact from one repository to another SHOULD NOT invalidate the signature on the artifact.
+- Publishers SHOULD be able to sign with keys stored on their local machines, secure tokens, Hardware Security Modules (HSMs), or cloud based Key Management Services.
+- Publishers SHOULD be able to generate multiple signatures for a single artifact.
+- Publisher admins MUST have a mechanism to revoke signatures to indicate they are no longer trusted. 
+- Trust stores MUST be configurable by the deployer admin.
+- Deployer admins MUST be able to configure trusted entities for individual repositories and targets.
+- Deployers MUST be able to validate signatures on any version of an artifact including whether they have been revoked by the publisher.
+- Signature validation MUST be enforceable in air-gapped environments. 
+
+## Requirements that need further discussion
+- Signature/Key Expiry
+- Root key auto rotation
+- Signature allow list/deny list (trusted updates/revocation list)
+
+## Prototype Stages
+1. Signature generation for each of the key storage scenarios. A succesful prototype should enable signing with keys on each of the following: local host, secure tokens, Hardware Security Modules (HSMs), and cloud based Key Management Services.
+2. Trust store configuration and signature source validation in runtime environments. A succesful prototype should enable configuring a trust store in a runtime environment. The prototype should validate signatures from a trusted source and reject signatures from a source that is not listed. The prototype will not check for other aspects of signature validity (expiry/revocation).
+3. Key rotation. A succesful prototype should meet all requirements from the key rotation document.
+4. Signature/Key Expiration. A succesful prototype should meet all requirements from the signature/key expiration document.
+5. Signature allowlist/denylist. A succesful prototype should meet all requirements from the signatur allowlist/denylist document.
diff --git a/keymanagementscenarios.md b/keymanagementscenarios.md
deleted file mode 100644
index e5c41be5..00000000
--- a/keymanagementscenarios.md
+++ /dev/null
@@ -1,192 +0,0 @@
-# Overview
-Key management for container signing can be broadly categorized into three general use cases:
-- Key Setup/Signing (Key managment and integrations with client tooling for generating signatures.)
-- Trust store configuration (Configuring which keys to trust for artifacts from a predefined source.)
-- Signature Validity (Expiry, Revocation and/or Trusted Update List. Mechanism to update information on the validity of signatures.)
-
-## Personas:
-- Publisher: User who builds and signs containers.
-    - Publisher Admin: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrator) will be responsible for configuring roots, provide access to use or generate delegate keys, and make decisions for key revocation.
-    - Publisher Builder: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Builders (i.e. developers, build hosts) will be responsible for creating artifacts. 
-    - Publisher Signer: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Signers (i.e. developers, signing hosts) will be responsible for signing artifacts.
-- Deployer: User who deploys containers.
-    - Deployer Admin: In some scenarios a deployer will include a group of users (i.e. teams or enterprises). Admin users (i.e. security administrators) will be responsible for configuring deployment policies, including potentially a set of trusted roots or required signatures. 
-    - Deployer Operator: In some scenarios a publisher will include a group of users (i.e. teams or enterprises). Operators (i.e. developers, deployment hosts) will be responsible for pulling container images from registries, verifying their signatures, and then running them.
-- Repository Owner: In some scenarios a container may be stored in a repository that is managed by the repository owner. The repository may be public or private and could also be air-gapped.
-
-## Definitions:
-- Root key: A self signed key used for the lowest designation of trust. Root keys can be created by developers, organizations, public/private CAs, and registry operators. The root key should be retrieved from a trusted source that can establish the authenticity of the creator's identity.
-- Signing key: A signing key is used to generate artifact signatures. A signing key should be signed with a root key or one of its intermediaries. The certificate chain with a signing key can be used to verify which root it belongs to. While a root key can be used as a signing key, this is not recommended as it creates a large blast radius and increases the risk of compromising a root key. 
-- Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a source (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. 
-- Trust Store Key Information: The key information configured in the trust store will be cryptographically verifiable and contain:
-    - Public Key: Will be used to verify signed artifacts.
-    - Signed Identity: Identity of creator of the signing key.
-    - (Optional) Issuer: If the key is an intermediate this will describe the owner of the root.
-    - Mechanism to update validity of signatures generated with the signing key.
-
-## Requirements
-- Signing an artifact SHOULD NOT require the publisher to perform additional actions with a registry/repository or registry operator beyond those required to push an unsigned artifact.
-- Validating a signature SHOULD NOT require the deployer to perform additional actions with a registry/repository or registry operator beyond those required to pull an unsigned artifact.
-- Moving an artifact from one repository to another SHOULD NOT invalidate the signature on the artifact.
-- Publishers SHOULD be able to sign with keys stored on their local machines, secure tokens, Hardware Security Modules (HSMs), or cloud based Key Management Services.
-- Publishers SHOULD be able to generate multiple signatures for a single artifact.
-- Publishers MUST have a mechanism to revoke signatures to indicate they are no longer trusted. 
-- Trust stores SHOULD be configurable by the deployer.
-- Deployers MUST be able to configure trusted entities for individual repositories and targets.
-- Deployers MUST be able to validate signatures on any version of an artifact including whether they have been revoked by the publisher.
-- Signature validation MUST be enforceable in air-gapped environments. 
-
-## Requirements for discussion
-- Providing a mechanism for configuring/rotating a root key: In prior discussions we did not close on whether Notary v2 should provide a mechanism for rotating a root key or not. Tradeoffs are listed below for further discussion.
-    - Things to consider for dock:
-        - Who is handling roots? 
-        - How are roots being distributed?
-        - What infrastructure requirements for root management  
-    - Adding a mechanism to configure/rotate keys:
-        - Allows for the automatic rotation of keys. Can be used to mass update keys if signing algorithms need to be updated.
-        - Doesn't address the use case of publishers losing a root key.
-        - Provides a bad actor mechanism to insert a new root without deployer acknowledgement.
-        - Consider whether this mechanism needs to rely on existing root or roots. (Make the distinction for multiple roots)
-    - Not adding a mechanism:
-        - Any rotation of root keys will require deployers to acknowledge and make a change.
-        - Doesn't address the use case of publishers losing a root key.
-        - Prevents a bad actor from inserting a new root without deployer acknowledgement.
-    - Scenarios to consider:
-        - Publisher loses key.
-        - Publisher needs to update key for reasons beside unauthorized access to a key (includes expiration, new key types).
-        - Publisher's root key access is compromised, and they are aware.
-        - Publisher's root key access is compromised, but they are unaware.
-        - Publisher's root key is compromised, and they are aware.
-        - Publisher's root key is compromised, but they are unaware.
-        
-****READ UP TO HERE, SECTIONS BELOW ARE WORK IN PROGRESS****
-
-# Signing use cases:
-
-## Provisioning Keys for Signing
-
-![Notaryv2 Signing Provisioning](./media/nv2-keymgmt-architecture-provisionkeys-v1.png)
-
-## Signing Workflow
-
-![Notaryv2 Signing Workflow](./media/nv2-keymgmt-architecture-sign-v1.png)
-
-## Detailed Scenarios:
-- Local Key Store
-    - Publisher creates new root key on local machine. Keys are stored in key store or plain text on local machine (Need to identify keystores we want to support. We can preclude signing with root keys to improve security posture).
-    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
-    - Publisher shares root public key (other users can verify containers before running).
-    - Publisher creates new delegate keys on local machine that chain to root key (enabling only delegate keys for signing will help protect the root key).
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with key in memory.
-- USB Token Key Store
-    - Publisher creates new root key on USB token (better security posture as key is not exposed in plain text outside of token). 
-    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
-    - Publisher shares root public key (other users can verify containers before running).
-    - Publisher creates new delegate keys on USB token that chain to root key (better security posture as key is not exposed in plain text outside of token).
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signature by submitting hash to USB Token (using a PKCS 11 interface will prevent keys from being exposed in memory).
-- Network HSM
-    - Publisher creates new root key on Network HSM (better security posture as key is not exposed in plain text outside of HSM). 
-    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
-    - Publisher shares root public key (other users can verify containers before running).
-    - Publisher creates new delegate keys on Network HSM that chain to root key (better security posture as key is not exposed in plain text outside of HSM).
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signature by submitting hash to Network HSM.
-- Cloud Key Management Service (KMS)
-    - Publisher creates new root key on Cloud KMS (better security posture as key is not exposed in plain text outside of Cloud KMS).
-    - Publisher uploads root public key to registry (registry can verify user for container uploads). 
-    - Publisher shares root public key (other users can verify containers before running).
-    - Publisher creates new delegate keys on Cloud KMS that chain to root key (better security posture as key is not exposed in plain text outside of Cloud KMS).
-    - Publisher runs docker build and notary v2 sign on local machine. Notary v2 client generates signature by submitting hash to Cloud KMS.
-- Hybrid
-    - Publisher Admin creates new root key on USB Token/Network HSM/Cloud Key Management Service (better security posture as key is never exposed in plain text outside of token).
-    - Publisher Admin uploads root public key to registry (registry can verify user for container uploads). 
-    - Publisher Admin shares root public key (other users can verify containers before running).
-    - Publisher Admin provides access to Publisher Signer to create or retrieve delegate keys (admins can focus on delegating access, signers can use a portal or APIs to register keys and sign without having to repeatedly engage the admin).
-    - Publisher Signer creates new delegate keys on local machine that chain to root key (the root key is not exposed to the signer).
-    - Publisher Signer runs docker build and notary v2 sign on local machine. Notary v2 client generates signatures with keys on local machine.
-- Signing by Build Machines
-    - Publisher Admin creates new root, uploads root public key to registry, and shares root public key (similar justification to earlier scenarios).
-    - Publisher Admin delegates access for build machine (Publisher Builder and Signer in this context) to create new delegate keys to be used on build machine. The delegate key can be stored on the build machine, USB Token, Network HSM, or Cloud Key Management Service (similar justification to earlier scenarios).
-    - Publisher Admin configures build scripts with credentials and if needed location of delegate keys.
-    - Build machine runs docker build and then notary v2 sign with keys from configured location.
-- Signing by Dedicated Machines
-    - Publisher Admin creates new root, uploads root public key to registry, and shares root public key (similar justification to earlier scenarios).
-    - Publisher Admin delegates access for signing machine (Publisher Signer in this context) to create new delegate keys to be used on build machine. The delegate key can be stored on the build machine, USB Token, Network HSM, or Cloud Key Management Service (similar justification to earlier scenarios).
-    - Publisher Admin configures signing machine with credentials and if needed location of delegate keys.
-    - Build machine (Publisher Builder only in this context) runs docker build and passes objects to be signed to signing host (the build machine does not have access to signing keys. This prevents signing keys from being exposed through potential vulnerabilities in build logic).
-    - Signing host generates signatures with keys in configured location.
-- Signing in Air Gapped Environments with Shared Root 
-    - Publisher Admin creates new root, uploads root public key to registry, and shares root public key (similar justification to earlier scenarios).
-    - Publisher Admin creates new subordinate key in air gapped environment on a host, USB Token, Network HSM, or Cloud Key Management Service chaining to root (one time operation enables the root to be used by runtime environments outside of the air gapped environment to validate signatures generated inside the environment).
-    - Publisher Admin configures credentials for Publisher Signers in air gapped environment to use sub-ordinate key for delegate keys instead of root key (users in air gapped environment do not need to get keys from outside of the environment). 
-
-# Deployment Use Cases:
-
-## Provisioning Truststore for Deployment
-
-![Notaryv2 Deployment Provisioning](./media/nv2-keymgmt-architecture-provisiontruststore-v1.png)
-
-## Deployment Workflow
-
-![Notaryv2 Deployment Workflow](./media/nv2-keymgmt-architecture-pull-v1.png)
-
-## Detailed Usecases:
-- Specify trusted public root keys
-    - Deployer Admin gets root public key from publisher.
-    - Deployer Admin adds root public key to runtime configuration.
-    - Container pulled from any registry is be validated with listed root public keys before execution.
-- Specify location of trusted public root keys
-    - Deployer Admin gets location of key repository from publisher.
-    - Deployer Admin adds location of key repository to runtime configuration.
-    - Container pulled from any registry is be validated with listed root public keys before execution.
-- Enterprises can restrict users to add/remove their root public keys to the trust store used across a fleet of runtime hosts. The trust store will validate images pulled from any registry.
-- Enterprises can restrict users to add/remove root public keys for trusted third parties to their trust stores. The trust store will validate images pulled from any registry.
-- Air gapped environments can manually specify the trusted keys in their trust stores. Air-gapped operators will need to either maintain an air-gapped copy of the CRL or re-sign artifacts locally within an air-gapped environment.
-
-# Key Distribution Workflows:
-- Manual Configuration
-    - Publisher places their root certificate in a public location. This could be a website similar to what public CAs today provide.
-    - Developer copies certificate from public location and adds it to their trust store. Developer can configure whether they trust this certificate for all their artifacts, individual registries, individual repositories, or individual targets.
-- Automated Configuration
-    - Publisher gets intermediate certificate from a key distriution service i.e public CA or registry operator.
-    - Developer adds root certificate and location of key respoitory to their trust store. Developer can configure whether they trust certificates for all their artifacts, individual registries, individual repositories, or individual targets.
-- Revocation: Note in the event a root certificate is revoked validations will fail, and developers will need to update their root certificate. The publisher will need to pro-actively communicate a rotation out of bands to prevent an outage.    
-
-# Key rotation/revocation use cases:
-
-## Key Revocation Workflow
-
-![Notaryv2 Revocation Workflow](./media/nv2-keymgmt-architecture-revokekeys-v1.png)
-
-- Root Revocation (compromised root should not be needed in process to designate itself as revoked, otherwise attacker can use compromised root for a key rotation locking out publisher)
-    - Publisher deletes revoked root public key on registry (registry can stop sharing containers with revoked key).
-    - [TODO: Discuss if we want this] Registry stops vending containers signed with old root key (will prevent revoked artifacts from being used by developers not checking signature).
-    - Publisher removes revoked root public key from shared list (other users stop trusting artifacts with revoked key, provides defense in depth as they are not relying on registry).
-    - Publisher creates new root key following any scenario listed earlier in Signing use cases (starting from scratch as old key can no longer be trusted).
-    - Publisher uploads new root public key to registry (registry can verify user for container uploads). 
-    - Publisher updates shared root public key (other users can verify containers with new key before running).
-    - Publisher creates new delegate keys following any scenario listed earlier in Signing use cases.
-- Delegate Key Revocation (root can be used here for designating delegate keys as revoked as it has not been compromised)
-    - Publisher lists revoked delegate keys as untrusted. Revocation list is signed by root key (Design discussion on whether we use CRLs or some other approach to sharing information on revoked keys).
-    - Publisher shares revocation list (deployer needs to know which keys used prior for generating signatures are no longer trusted).
-    - Publisher creates new delegate keys from existing root following any scenario listed earlier in Signing use cases.
-- Root Rotation (periodic rotation of root will limit blast radius, this process should not revoke existing root as it has not been compromised)
-    - Publisher creates new root key following any scenario listed earlier in Signing use cases.
-    - Publisher uploads new root public key to registry (registry can verify user for container uploads). 
-    - Publisher updates shared root public key (other users can verify containers with new key before running).
-    - Publisher creates new delegate keys from new root following any scenario listed earlier in Signing use cases.
-- Delegate Key Rotation
-    - Publisher creates new delegate keys from existing root following any scenario listed earlier in Signing use cases.
-
-# Follow ups for Implementation 
-Additional questions to clarify as part of implementation (need more research but doesn't impact workflow):
-1. Where can keys be stored? What interfaces need to be supported?
-2. Any limitations ok key types/sizes supported?
-3. How will public keys (root of trust) be distributed?
-4. How will key revocation information be distributed?
-5a. What is the minimum number of keys needed to succesfully sign a container?
-5b. What is the recommended number of keys to sign a container?
-6. Any additional requirements for timestamping?
-
-In addition we also need to consider the following for cryptographic security:
-- Supported key types [TODO: Pull from NIST recommendations]
-- Supported signing algorithms [TODO: Pull from NIST recommendations]

From acd25cf563fdfc820ce9c336f0a714b5ea8e6933 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Mon, 8 Mar 2021 07:58:53 -0800
Subject: [PATCH 18/28] Update keymanagementrequirements.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index 480eb4ee..a88719e9 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -47,5 +47,5 @@ Key management for container signing can be broadly categorized into three gener
 1. Signature generation for each of the key storage scenarios. A succesful prototype should enable signing with keys on each of the following: local host, secure tokens, Hardware Security Modules (HSMs), and cloud based Key Management Services.
 2. Trust store configuration and signature source validation in runtime environments. A succesful prototype should enable configuring a trust store in a runtime environment. The prototype should validate signatures from a trusted source and reject signatures from a source that is not listed. The prototype will not check for other aspects of signature validity (expiry/revocation).
 3. Key rotation. A succesful prototype should meet all requirements from the key rotation document.
-4. Signature/Key Expiration. A succesful prototype should meet all requirements from the signature/key expiration document.
+4. Signature/Key Expiration. A succesful prototype should meet all requirements from the signature/key expiry document.
 5. Signature allowlist/denylist. A succesful prototype should meet all requirements from the signatur allowlist/denylist document.

From 16fc214dce99e8e15bba8d6e31f33fff2431be5f Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 9 Apr 2021 07:59:26 -0700
Subject: [PATCH 19/28] Update keymanagementrequirements.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 93 ++++++++++++++++++++++++++++++++++--
 1 file changed, 90 insertions(+), 3 deletions(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index a88719e9..b26b5c57 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -39,9 +39,96 @@ Key management for container signing can be broadly categorized into three gener
 - Signature validation MUST be enforceable in air-gapped environments. 
 
 ## Requirements that need further discussion
-- Signature/Key Expiry
-- Root key auto rotation
-- Signature allow list/deny list (trusted updates/revocation list)
+### Signing Key Expiry
+In public key cryptography, a pair of private key a.k.a. signing key and public key a.k.a. verification key is generated, and later the public key is certified by a . The cerificate expiry time does not imply the expiry time of the key pair since the public key can be certified by a CA for multiple times. Moreover, a new key pair is always generated before generating a new certificate in the real world. Therefore, we can consider the key expiry is equivilant to certificate expiry.
+
+### External Timestamp Server
+Time Stamping Authorities (TSAs) defined by RFC3161 provide signed timestamp for a signature in order to prove that the signature was generated during the validity period of a certificate.
+
+#### Scenarios
+With TSA, signature can be considered valid even if the signing cerificate is expired. This technique is widely used by Authenticode with SignTool, NuGet, Adobe Acrobat, and many other industrial products.
+
+In the world of artifacts, including container images, scenarios are
+- Developers sign their artifacts or images with certificates. The certificates MAY have a configurable expiry time.
+- Developers publish their artifacts or images and at a later date stop maintaining them. Content consumers SHOULD be able to verify signatures until they expire and use the artifacts or images
+- Attackers with compromised keys try to sign artifacts or images with timestamps before the key compromise event.
+
+#### Pros and Cons
+
+There are many public TSA servers available on the Internet. The advantages of public timestamp servers are obvious:
+    Public
+    Free
+
+However, those public TSAs also come with disadvantages:
+    Require Internet access for signing
+        It is not really a disadvantage since public TSAs are online services. Devices in the air-gapped environment SHALL access the Internet for timestamp signing services.
+    Out of the control of the signer
+        External dependency
+        Availability is not assured. No SLA on signing.
+            Not all TSAs are available in all regions.
+            Some regions may have high latency.
+        The certificates of TSAs MAY be revoked at any time without notices.
+            The removal of trust of VeriSign broke .NET 5+ NuGet. Thus Microsoft has to disable the package verification with a new release to unblock customers.
+
+Implications of not using a signed timestamp for a signature
+    In the absense of additional timestamp signature, the signature is only considered valid till key expiry. This may limit the use of short lived keys.
+    In case of key compromise it’s not possible to revoke signatures from a point in time where the time of compromise is known, as an attacker can create signatures with any signature time (by changing local time)
+
+### Signature Expiry
+
+Signatures can expire if
+
+    The certificate of the signing key or the timestamp key (whichever is longer) expires
+    The signed content indicates a expiry time
+
+In this section, the #2 scenario is focused.
+Scenarios
+
+The main scenario for using a configurable signature expiry is for the publisher to indicate how long they plan to maintain the signature on the artifact for. For example if a publisher signs an artifact with an expiry for 6 months, they are indicating that if within 6 months they identfy a reason that deployers should no longer trust the artifact they will rescind the signature.
+
+An added benefit is to defend against freeze attack. Since the signature expires in a short time although the signing key can live longer, the verifiers have to obtain the latest signature to verify, which implies that the verifies have access to the latest content.
+
+    Freeze Attack Similar to a replay attack, a freeze attack works by providing metadata that is not current. However, in a freeze attack, the attacker freezes the information a client sees at the current point in time to prevent the client from seeing updates, rather than providing the client older versions than the client has already seen. As with replay attacks, the attacker’s goal is ultimately to compromise a client who has vulnerable versions of packages installed. A freeze attack may be used to prevent updates in addition to having an installed package be out of date.
+
+### Transparent Root key auto rotation
+Root keys form the basis of hierarchical trust systems, where intermediate and leaf keys chain back to a root key, and leaf keys are used to generate signatures. Consumers of signed artifacts associate a baseline level of trust with signatures that chain to roots they trust. In the scenario that a root key is no longer trusted, all signed artifacts chaining back to the root are no longer trusted. The conditions which render the root keys to be no longer trusted, are disclosed to the customer through some other channel (CVE, internal security audit, etc.). Safe rotation of keys require a overlap period where both new and old root keys are trusted. This is always not possible, such as when a root key is compromised.
+
+#### Scenarios
+1. A public root associated with a key a Publisher uses to sign artifacts is compromised. The access to root key is compromised, rather than the root key itself being stolen, allowing an attacker to create new intermediate and leaf trusted keys.
+2. An internal root used by an organization is due to expire. A new root is created and rotated before the existing root expires.
+3. An internal root used by an organization is not stored securely and the private key is lost. A new root is created to continue operations.
+4. A cryptographic algorithm is deprecated, or a compliance standard requires a customer to upgrade their key strength. The customer wants to safely rotate a root key without rendering existing signatures invalid and disrupting operations.
+
+### Rescinding Signature Validity
+Artifact Publishers need mechanisms to indicate that a signature they generated is still trustworthy. 
+
+#### Scenarios
+- A Publisher vends a new version of an artifact, and wants to indicate the new version as trusted in addition to older versions already published.
+
+#### Discussion Areas
+- Code signing is a mechanism for Publishers to explicitly indicate trust which is implicitly trusted by Consumer given some conditions are satisfied (based on trust policy, signature being valid and unrevoked)
+    - An explicit allowlist is not required
+    - A denylist is required in addition to indicate which artifacts are no longer trusted
+
+- Signature Allowlist explicitly specifies the list of trusted artifacts.
+    - Pros
+        - Anything not in the list is implicitly untrusted, no separate revocation mechanism is required
+        - If signed allowlist are used, the artifacts themselves may not need to be signed.
+    - Cons
+        - The allowlist needs to be updated for every version of artifact being published
+        - May need to maintain a large allowlist which may be an overhead to distribute
+- Signature Denylist
+    - For Consumers, denylist allows explicitly indicating that an artifact or dependency is untrusted
+    - For Publishers, this allows communicating to Consumers that specific versions of artifact are untrusted.
+
+- Centralized/local public/private lists
+    - The list can be local to repository, requiring update to the list in each repository, and requires keeping track of all repositories where the artifact needs to be published/revoked.
+    - The list can be centralized
+        - Centralized deny list (e.g. CRL maintaned by public CAs) can be used. The endpoint infomation is included in the signature, and signature verification step checks against this list.
+            - Customers can define network topology with restricted network access, where these endpoints may not be accesible for hosts where signature verification occurs.
+            - These endpoints may not be available in air-gapped environments.
+    - Public lists (e.g. transparency logs) may not be suitable for enterprise customers who don’t want their artifact updates to be disclosed publicly.
+
 
 ## Prototype Stages
 1. Signature generation for each of the key storage scenarios. A succesful prototype should enable signing with keys on each of the following: local host, secure tokens, Hardware Security Modules (HSMs), and cloud based Key Management Services.

From 6c7c202b2aac145e89d78e06944967b773da56ac Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 9 Apr 2021 08:13:30 -0700
Subject: [PATCH 20/28] Update keymanagementrequirements.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index b26b5c57..70c933ad 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -40,7 +40,7 @@ Key management for container signing can be broadly categorized into three gener
 
 ## Requirements that need further discussion
 ### Signing Key Expiry
-In public key cryptography, a pair of private key a.k.a. signing key and public key a.k.a. verification key is generated, and later the public key is certified by a . The cerificate expiry time does not imply the expiry time of the key pair since the public key can be certified by a CA for multiple times. Moreover, a new key pair is always generated before generating a new certificate in the real world. Therefore, we can consider the key expiry is equivilant to certificate expiry.
+In public key cryptography, a pair of private key a.k.a. signing key and public key a.k.a. verification key is generated, and later the public key is certified by a higher key in the hierarchy. The certification of the signing key has a validity period to designate how long it is valid for. This section will discuss tradeoff and recommendations for expiry times and signing key rotation.
 
 ### External Timestamp Server
 Time Stamping Authorities (TSAs) defined by RFC3161 provide signed timestamp for a signature in order to prove that the signature was generated during the validity period of a certificate.

From 4cd1eb36e17177ea518e20c15acc20242a98c17d Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 16 Apr 2021 07:39:27 -0700
Subject: [PATCH 21/28] Update keymanagementrequirements.md

Co-authored-by: Brandon Mitchell <git@bmitch.net>
Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index 70c933ad..577c0098 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -29,7 +29,7 @@ Key management for container signing can be broadly categorized into three gener
 - Retrieving a signature MUST NOT require the deployer to perform additional actions with a registry/repository or registry operator beyond those required to pull an unsigned artifact.
 - Artifact integrity, source, and signature expiry MUST be verifiable from the signature AND NOT require additional calls to the registry/repository.
 - Signature allow list/deny list MAY require additional calls that will be defined in a separate document.
-- Moving an artifact from one repository to another SHOULD NOT invalidate the signature on the artifact.
+- Copying an artifact from one repository to another SHOULD NOT invalidate the signature on the artifact.
 - Publishers SHOULD be able to sign with keys stored on their local machines, secure tokens, Hardware Security Modules (HSMs), or cloud based Key Management Services.
 - Publishers SHOULD be able to generate multiple signatures for a single artifact.
 - Publisher admins MUST have a mechanism to revoke signatures to indicate they are no longer trusted. 

From 269140c23b51b03939134c078b00a52db76c1517 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 16 Apr 2021 07:40:43 -0700
Subject: [PATCH 22/28] Update keymanagementrequirements.md

Co-authored-by: Brandon Mitchell <git@bmitch.net>
Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index 577c0098..232720df 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -78,8 +78,8 @@ Implications of not using a signed timestamp for a signature
 
 Signatures can expire if
 
-    The certificate of the signing key or the timestamp key (whichever is longer) expires
-    The signed content indicates a expiry time
+1. The certificate of the signing key expires
+2. The signed content indicates a expiry time
 
 In this section, the #2 scenario is focused.
 Scenarios

From 6157b487ae78479f30b59a7b42b41c1be70851ca Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 16 Apr 2021 07:58:13 -0700
Subject: [PATCH 23/28] Update keymanagementrequirements.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index 232720df..488f096b 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -22,7 +22,7 @@ Key management for container signing can be broadly categorized into three gener
     - Public Key: Will be used to verify signed artifacts.
     - Signed Identity: Identity of creator of the signing key.
     - (Optional) Issuer: If the key is an intermediate this will describe the owner of the root.
-    - Mechanism to update validity of signatures generated with the signing key.
+    - (Optional) Mechanism to check whether signatures generated with the signing key have been rescinded.
 
 ## Requirements
 - Signing an artifact MUST NOT require the publisher to perform additional actions with a registry/repository or registry operator. Uploading a signature MAY require additional actions.
@@ -90,14 +90,38 @@ An added benefit is to defend against freeze attack. Since the signature expires
 
     Freeze Attack Similar to a replay attack, a freeze attack works by providing metadata that is not current. However, in a freeze attack, the attacker freezes the information a client sees at the current point in time to prevent the client from seeing updates, rather than providing the client older versions than the client has already seen. As with replay attacks, the attacker’s goal is ultimately to compromise a client who has vulnerable versions of packages installed. A freeze attack may be used to prevent updates in addition to having an installed package be out of date.
 
-### Transparent Root key auto rotation
+### Trust Policy Management and Trust Store Updates
+
+Deployers who consume signed artifacts from a registry require that only artifacts from trusted parties are deployed and executed. The trusted parties are specified in some form of a trust policy against which the signed artifacts are validated. The trust policy can include a trust store with trusted root and leaf keys/certificates which represent the Publisher identities the Deployer trusts. This section covers where the trust policies should be stored, and how they are distributed/updated.
+
 Root keys form the basis of hierarchical trust systems, where intermediate and leaf keys chain back to a root key, and leaf keys are used to generate signatures. Consumers of signed artifacts associate a baseline level of trust with signatures that chain to roots they trust. In the scenario that a root key is no longer trusted, all signed artifacts chaining back to the root are no longer trusted. The conditions which render the root keys to be no longer trusted, are disclosed to the customer through some other channel (CVE, internal security audit, etc.). Safe rotation of keys require a overlap period where both new and old root keys are trusted. This is always not possible, such as when a root key is compromised.
 
 #### Scenarios
-1. A public root associated with a key a Publisher uses to sign artifacts is compromised. The access to root key is compromised, rather than the root key itself being stolen, allowing an attacker to create new intermediate and leaf trusted keys.
-2. An internal root used by an organization is due to expire. A new root is created and rotated before the existing root expires.
-3. An internal root used by an organization is not stored securely and the private key is lost. A new root is created to continue operations.
-4. A cryptographic algorithm is deprecated, or a compliance standard requires a customer to upgrade their key strength. The customer wants to safely rotate a root key without rendering existing signatures invalid and disrupting operations.
+1. A Deployer consumes artifacts from a third party Publisher and wants to configure the trusted publishers in a policy. The Deployer is not the same user/organization as Publisher and wants to independently define the trusted publishers.
+2. A Publisher’s repository may contain a mix of artifacts, published by different teams using different keys. The Deployer wants to trust only artifacts signed by specific keys.
+    - E.g. A group may include the MySQL image from docker hub, and the MySQL Helm chart from another group in the same registry/repo. These are signed by different entities, and valid to be placed in the same repository.
+    
+#### Scenarios for Trust Store Updates
+1. A Deployer updates their dependencies and no longer consumes artifacts from particular Publisher
+2. A public root associated with a signing key a Publisher uses to sign artifacts is compromised.
+3. An root key used by a Publisher is close to expiry. A new key is created and rotated before the existing root expires.
+4. An root key used by a Publisher is not stored securely and the private key is lost. A new key pair is created to continue operations.
+5. A cryptographic algorithm is deprecated, or a compliance standard requires a Publisher to upgrade their key strength.
+
+#### Approaches
+1. Storage and distribution of trust policies from registry
+Pros
+- Trust policies need not be stored in another location
+- Allows in band/automated distribution and update of trust policies to consumers.
+Cons
+- Automated update of trust policies can be disruptive to Deployers that consume artifacts. Deployers should be able to control when trust policies are updated.
+- Only allows Publishers to define the trust policy. It works well when Publisher and Deployer are the same user/organization.
+    - This model does not allow Deployers to independently define trust policies. Furthermore, it may be required that Deployer Admins define trusted publishers, and Deployer Operators only specify/configure which artifacts (from repositories) are deployed.
+
+#### Recommendation
+- Trust policies SHOULD NOT be stored in the registry. Multiple Deployers can consume artifacts from the same repository, and may need to define trust policies independently.
+- Trust policies SHOULD be configured, distributed/updated out of band from artifact updates from registry.
+
 
 ### Rescinding Signature Validity
 Artifact Publishers need mechanisms to indicate that a signature they generated is still trustworthy. 

From 4fcb03dbece26697e56388eab705823f62511a43 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Thu, 22 Apr 2021 16:59:11 -0700
Subject: [PATCH 24/28] Update keymanagementrequirements.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 179 ++++++++++++++---------------------
 1 file changed, 73 insertions(+), 106 deletions(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index 488f096b..321ec08c 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -1,7 +1,7 @@
 # Overview
 Key management for container signing can be broadly categorized into three general use cases:
 - Key Setup/Signing (Key managment and integrations with client tooling for generating signatures.)
-- Trust store configuration (Configuring which keys to trust for artifacts from a predefined source.)
+- Deployment configurations (Configuring trust policies and which keys to trust for artifacts.)
 - Signature Validity (Expiry, Revocation and/or Trusted Update List. Mechanism to update information on the validity of signatures.)
 
 ## Personas:
@@ -17,7 +17,78 @@ Key management for container signing can be broadly categorized into three gener
 ## Definitions:
 - Root key: A self signed key used for the lowest designation of trust. Root keys can be created by developers, organizations, public/private CAs, and registry operators. The root key should be retrieved from a trusted source that can establish the authenticity of the creator's identity.
 - Signing key: A signing key is used to generate artifact signatures. A signing key should be signed with a root key or one of its intermediaries. The certificate chain with a signing key can be used to verify which root it belongs to. While a root key can be used as a signing key, this is not recommended as it creates a large blast radius and increases the risk of compromising a root key. 
-- Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a source (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. 
+- Trust Policy: The trust policy defines whether to enable signature validation and which checks need to be run. An example trust policy:
+            {
+                trustPolicy: {
+                    signatureCheck: true,
+                    optionalChecks: {
+                        signatureExpiry: true,
+                        signatureRescinded: false
+                    },
+                    trustStore: "truststore.json"
+                }
+            }
+- Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a scope (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. An example trustStore where the first root is trusted for artifacts from any registry and the second root is only trusted for artifacts from "registry.wabbit-networks.io" :
+            {
+                trustedRoots: [
+                    {
+                        root: "-----BEGIN CERTIFICATE-----
+                            MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
+                            ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
+                            b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
+                            MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
+                            b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
+                            ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
+                            9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
+                            IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
+                            VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
+                            93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
+                            jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+                            AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
+                            A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
+                            U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
+                            N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
+                            o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
+                            5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
+                            rqXRfboQnoZsG4q5WTP468SQvvG5
+                            -----END CERTIFICATE-----"
+                    },
+                    {
+                        root: "-----BEGIN CERTIFICATE-----
+                            MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF
+                            ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
+                            b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL
+                            MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
+                            b3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2Wny2cSkxK
+                            gXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4kHbZ
+                            W0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg
+                            1dKmSYXpN+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K
+                            8nu+NQWpEjTj82R0Yiw9AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r
+                            2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvdfLC6HM783k81ds8P+HgfajZRRidhW+me
+                            z/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAExkv8LV/SasrlX6avvDXbR
+                            8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSSbtqDT6Zj
+                            mUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz
+                            7Mt0Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6
+                            +XUyo05f7O0oYtlNc/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI
+                            0u1ufm8/0i2BWSlmy5A5lREedCf+3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB
+                            Af8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSwDPBMMPQFWAJI/TPlUq9LhONm
+                            UjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oAA7CXDpO8Wqj2
+                            LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY
+                            +gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kS
+                            k5Nrp+gvU5LEYFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl
+                            7uxMMne0nxrpS10gxdr9HIcWxkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygm
+                            btmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQgj9sAq+uEjonljYE1x2igGOpm/Hl
+                            urR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbWaQbLU8uz/mtBzUF+
+                            fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoVYh63
+                            n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE
+                            76KlXIx3KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H
+                            9jVlpNMKVv/1F2Rs76giJUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT
+                            4PsJYGw=
+                            -----END CERTIFICATE-----",
+                        scope: "registry.wabbit-networks.io"
+                    }
+                ]
+            }
 - Trust Store Key Information: The key information configured in the trust store will be cryptographically verifiable and contain:
     - Public Key: Will be used to verify signed artifacts.
     - Signed Identity: Identity of creator of the signing key.
@@ -40,118 +111,14 @@ Key management for container signing can be broadly categorized into three gener
 
 ## Requirements that need further discussion
 ### Signing Key Expiry
-In public key cryptography, a pair of private key a.k.a. signing key and public key a.k.a. verification key is generated, and later the public key is certified by a higher key in the hierarchy. The certification of the signing key has a validity period to designate how long it is valid for. This section will discuss tradeoff and recommendations for expiry times and signing key rotation.
 
 ### External Timestamp Server
-Time Stamping Authorities (TSAs) defined by RFC3161 provide signed timestamp for a signature in order to prove that the signature was generated during the validity period of a certificate.
-
-#### Scenarios
-With TSA, signature can be considered valid even if the signing cerificate is expired. This technique is widely used by Authenticode with SignTool, NuGet, Adobe Acrobat, and many other industrial products.
-
-In the world of artifacts, including container images, scenarios are
-- Developers sign their artifacts or images with certificates. The certificates MAY have a configurable expiry time.
-- Developers publish their artifacts or images and at a later date stop maintaining them. Content consumers SHOULD be able to verify signatures until they expire and use the artifacts or images
-- Attackers with compromised keys try to sign artifacts or images with timestamps before the key compromise event.
-
-#### Pros and Cons
-
-There are many public TSA servers available on the Internet. The advantages of public timestamp servers are obvious:
-    Public
-    Free
-
-However, those public TSAs also come with disadvantages:
-    Require Internet access for signing
-        It is not really a disadvantage since public TSAs are online services. Devices in the air-gapped environment SHALL access the Internet for timestamp signing services.
-    Out of the control of the signer
-        External dependency
-        Availability is not assured. No SLA on signing.
-            Not all TSAs are available in all regions.
-            Some regions may have high latency.
-        The certificates of TSAs MAY be revoked at any time without notices.
-            The removal of trust of VeriSign broke .NET 5+ NuGet. Thus Microsoft has to disable the package verification with a new release to unblock customers.
-
-Implications of not using a signed timestamp for a signature
-    In the absense of additional timestamp signature, the signature is only considered valid till key expiry. This may limit the use of short lived keys.
-    In case of key compromise it’s not possible to revoke signatures from a point in time where the time of compromise is known, as an attacker can create signatures with any signature time (by changing local time)
 
 ### Signature Expiry
 
-Signatures can expire if
-
-1. The certificate of the signing key expires
-2. The signed content indicates a expiry time
-
-In this section, the #2 scenario is focused.
-Scenarios
-
-The main scenario for using a configurable signature expiry is for the publisher to indicate how long they plan to maintain the signature on the artifact for. For example if a publisher signs an artifact with an expiry for 6 months, they are indicating that if within 6 months they identfy a reason that deployers should no longer trust the artifact they will rescind the signature.
-
-An added benefit is to defend against freeze attack. Since the signature expires in a short time although the signing key can live longer, the verifiers have to obtain the latest signature to verify, which implies that the verifies have access to the latest content.
-
-    Freeze Attack Similar to a replay attack, a freeze attack works by providing metadata that is not current. However, in a freeze attack, the attacker freezes the information a client sees at the current point in time to prevent the client from seeing updates, rather than providing the client older versions than the client has already seen. As with replay attacks, the attacker’s goal is ultimately to compromise a client who has vulnerable versions of packages installed. A freeze attack may be used to prevent updates in addition to having an installed package be out of date.
-
 ### Trust Policy Management and Trust Store Updates
 
-Deployers who consume signed artifacts from a registry require that only artifacts from trusted parties are deployed and executed. The trusted parties are specified in some form of a trust policy against which the signed artifacts are validated. The trust policy can include a trust store with trusted root and leaf keys/certificates which represent the Publisher identities the Deployer trusts. This section covers where the trust policies should be stored, and how they are distributed/updated.
-
-Root keys form the basis of hierarchical trust systems, where intermediate and leaf keys chain back to a root key, and leaf keys are used to generate signatures. Consumers of signed artifacts associate a baseline level of trust with signatures that chain to roots they trust. In the scenario that a root key is no longer trusted, all signed artifacts chaining back to the root are no longer trusted. The conditions which render the root keys to be no longer trusted, are disclosed to the customer through some other channel (CVE, internal security audit, etc.). Safe rotation of keys require a overlap period where both new and old root keys are trusted. This is always not possible, such as when a root key is compromised.
-
-#### Scenarios
-1. A Deployer consumes artifacts from a third party Publisher and wants to configure the trusted publishers in a policy. The Deployer is not the same user/organization as Publisher and wants to independently define the trusted publishers.
-2. A Publisher’s repository may contain a mix of artifacts, published by different teams using different keys. The Deployer wants to trust only artifacts signed by specific keys.
-    - E.g. A group may include the MySQL image from docker hub, and the MySQL Helm chart from another group in the same registry/repo. These are signed by different entities, and valid to be placed in the same repository.
-    
-#### Scenarios for Trust Store Updates
-1. A Deployer updates their dependencies and no longer consumes artifacts from particular Publisher
-2. A public root associated with a signing key a Publisher uses to sign artifacts is compromised.
-3. An root key used by a Publisher is close to expiry. A new key is created and rotated before the existing root expires.
-4. An root key used by a Publisher is not stored securely and the private key is lost. A new key pair is created to continue operations.
-5. A cryptographic algorithm is deprecated, or a compliance standard requires a Publisher to upgrade their key strength.
-
-#### Approaches
-1. Storage and distribution of trust policies from registry
-Pros
-- Trust policies need not be stored in another location
-- Allows in band/automated distribution and update of trust policies to consumers.
-Cons
-- Automated update of trust policies can be disruptive to Deployers that consume artifacts. Deployers should be able to control when trust policies are updated.
-- Only allows Publishers to define the trust policy. It works well when Publisher and Deployer are the same user/organization.
-    - This model does not allow Deployers to independently define trust policies. Furthermore, it may be required that Deployer Admins define trusted publishers, and Deployer Operators only specify/configure which artifacts (from repositories) are deployed.
-
-#### Recommendation
-- Trust policies SHOULD NOT be stored in the registry. Multiple Deployers can consume artifacts from the same repository, and may need to define trust policies independently.
-- Trust policies SHOULD be configured, distributed/updated out of band from artifact updates from registry.
-
-
 ### Rescinding Signature Validity
-Artifact Publishers need mechanisms to indicate that a signature they generated is still trustworthy. 
-
-#### Scenarios
-- A Publisher vends a new version of an artifact, and wants to indicate the new version as trusted in addition to older versions already published.
-
-#### Discussion Areas
-- Code signing is a mechanism for Publishers to explicitly indicate trust which is implicitly trusted by Consumer given some conditions are satisfied (based on trust policy, signature being valid and unrevoked)
-    - An explicit allowlist is not required
-    - A denylist is required in addition to indicate which artifacts are no longer trusted
-
-- Signature Allowlist explicitly specifies the list of trusted artifacts.
-    - Pros
-        - Anything not in the list is implicitly untrusted, no separate revocation mechanism is required
-        - If signed allowlist are used, the artifacts themselves may not need to be signed.
-    - Cons
-        - The allowlist needs to be updated for every version of artifact being published
-        - May need to maintain a large allowlist which may be an overhead to distribute
-- Signature Denylist
-    - For Consumers, denylist allows explicitly indicating that an artifact or dependency is untrusted
-    - For Publishers, this allows communicating to Consumers that specific versions of artifact are untrusted.
-
-- Centralized/local public/private lists
-    - The list can be local to repository, requiring update to the list in each repository, and requires keeping track of all repositories where the artifact needs to be published/revoked.
-    - The list can be centralized
-        - Centralized deny list (e.g. CRL maintaned by public CAs) can be used. The endpoint infomation is included in the signature, and signature verification step checks against this list.
-            - Customers can define network topology with restricted network access, where these endpoints may not be accesible for hosts where signature verification occurs.
-            - These endpoints may not be available in air-gapped environments.
-    - Public lists (e.g. transparency logs) may not be suitable for enterprise customers who don’t want their artifact updates to be disclosed publicly.
 
 
 ## Prototype Stages

From 928d70b69ad7a52002109cddf4b5006f810ef191 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Thu, 22 Apr 2021 17:07:59 -0700
Subject: [PATCH 25/28] Update keymanagementrequirements.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index 321ec08c..6e1abbd0 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -18,6 +18,7 @@ Key management for container signing can be broadly categorized into three gener
 - Root key: A self signed key used for the lowest designation of trust. Root keys can be created by developers, organizations, public/private CAs, and registry operators. The root key should be retrieved from a trusted source that can establish the authenticity of the creator's identity.
 - Signing key: A signing key is used to generate artifact signatures. A signing key should be signed with a root key or one of its intermediaries. The certificate chain with a signing key can be used to verify which root it belongs to. While a root key can be used as a signing key, this is not recommended as it creates a large blast radius and increases the risk of compromising a root key. 
 - Trust Policy: The trust policy defines whether to enable signature validation and which checks need to be run. An example trust policy:
+```
             {
                 trustPolicy: {
                     signatureCheck: true,
@@ -28,7 +29,9 @@ Key management for container signing can be broadly categorized into three gener
                     trustStore: "truststore.json"
                 }
             }
+```
 - Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a scope (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. An example trustStore where the first root is trusted for artifacts from any registry and the second root is only trusted for artifacts from "registry.wabbit-networks.io" :
+```
             {
                 trustedRoots: [
                     {
@@ -89,6 +92,7 @@ Key management for container signing can be broadly categorized into three gener
                     }
                 ]
             }
+```
 - Trust Store Key Information: The key information configured in the trust store will be cryptographically verifiable and contain:
     - Public Key: Will be used to verify signed artifacts.
     - Signed Identity: Identity of creator of the signing key.

From 7d00034fa024a5842df8005b548825aa4715d342 Mon Sep 17 00:00:00 2001
From: NiazFK <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 23 Apr 2021 07:58:50 -0700
Subject: [PATCH 26/28] Update keymanagementrequirements.md

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 45 +++++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 19 deletions(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index 6e1abbd0..908614c3 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -20,22 +20,32 @@ Key management for container signing can be broadly categorized into three gener
 - Trust Policy: The trust policy defines whether to enable signature validation and which checks need to be run. An example trust policy:
 ```
             {
-                trustPolicy: {
-                    signatureCheck: true,
-                    optionalChecks: {
-                        signatureExpiry: true,
-                        signatureRescinded: false
+                "trustPolicy": {
+                    "signatureCheck": true,
+                    "optionalChecks": {
+                        "signatureExpiry": true,
+                        "signatureRescinded": false
                     },
-                    trustStore: "truststore.json"
+                    "trustStore": [
+                        "truststore.json",
+                        {
+                            "trustedRoots": [
+                                {
+                                    "root": "test.crt"
+                                }
+                            ]
+                        }
+                    ],
+                    "trustedArtifacts": []
                 }
             }
 ```
 - Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a scope (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. An example trustStore where the first root is trusted for artifacts from any registry and the second root is only trusted for artifacts from "registry.wabbit-networks.io" :
 ```
             {
-                trustedRoots: [
+                "trustedRoots": [
                     {
-                        root: "-----BEGIN CERTIFICATE-----
+                        "root": "-----BEGIN CERTIFICATE-----
                             MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
                             ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
                             b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
@@ -57,7 +67,7 @@ Key management for container signing can be broadly categorized into three gener
                             -----END CERTIFICATE-----"
                     },
                     {
-                        root: "-----BEGIN CERTIFICATE-----
+                        "root": "-----BEGIN CERTIFICATE-----
                             MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF
                             ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
                             b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL
@@ -88,7 +98,7 @@ Key management for container signing can be broadly categorized into three gener
                             9jVlpNMKVv/1F2Rs76giJUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT
                             4PsJYGw=
                             -----END CERTIFICATE-----",
-                        scope: "registry.wabbit-networks.io"
+                        "scope": "registry.wabbit-networks.io"
                     }
                 ]
             }
@@ -114,15 +124,12 @@ Key management for container signing can be broadly categorized into three gener
 - Signature validation MUST be enforceable in air-gapped environments. 
 
 ## Requirements that need further discussion
-### Signing Key Expiry
-
-### External Timestamp Server
-
-### Signature Expiry
-
-### Trust Policy Management and Trust Store Updates
-
-### Rescinding Signature Validity
+### Signing Key Expiry - https://hackmd.io/n82ZTBv3TK2Y4rujlnW3ng
+### External Timestamp Server - https://hackmd.io/WvoBFNg2TR-ooTe14a6pfw
+### Signature Expiry - https://hackmd.io/pT4IicsQRlGhR9szlrIUWQ
+### Trust Policy Management and Trust Store Updates - Trust Policy Management and Trust Store Updates
+### Rescinding Signature Validity - https://hackmd.io/TnX8l31CQnGPRujZ_gLGJA
+### Multiple Signatures 
 
 
 ## Prototype Stages

From 7a6e9d510833267b1912c12353eff81958263229 Mon Sep 17 00:00:00 2001
From: Niaz Khan <67277579+NiazFK@users.noreply.github.com>
Date: Fri, 30 Apr 2021 05:31:41 -0700
Subject: [PATCH 27/28] Moving links to issues

Removed links for additional requirements docs.

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index 908614c3..680f402f 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -123,15 +123,6 @@ Key management for container signing can be broadly categorized into three gener
 - Deployers MUST be able to validate signatures on any version of an artifact including whether they have been revoked by the publisher.
 - Signature validation MUST be enforceable in air-gapped environments. 
 
-## Requirements that need further discussion
-### Signing Key Expiry - https://hackmd.io/n82ZTBv3TK2Y4rujlnW3ng
-### External Timestamp Server - https://hackmd.io/WvoBFNg2TR-ooTe14a6pfw
-### Signature Expiry - https://hackmd.io/pT4IicsQRlGhR9szlrIUWQ
-### Trust Policy Management and Trust Store Updates - Trust Policy Management and Trust Store Updates
-### Rescinding Signature Validity - https://hackmd.io/TnX8l31CQnGPRujZ_gLGJA
-### Multiple Signatures 
-
-
 ## Prototype Stages
 1. Signature generation for each of the key storage scenarios. A succesful prototype should enable signing with keys on each of the following: local host, secure tokens, Hardware Security Modules (HSMs), and cloud based Key Management Services.
 2. Trust store configuration and signature source validation in runtime environments. A succesful prototype should enable configuring a trust store in a runtime environment. The prototype should validate signatures from a trusted source and reject signatures from a source that is not listed. The prototype will not check for other aspects of signature validity (expiry/revocation).

From 2c04195a784876bce94e649d3393028b7e50b97a Mon Sep 17 00:00:00 2001
From: Niaz Khan <niazfk@amazon.com>
Date: Wed, 30 Jun 2021 18:19:51 -0700
Subject: [PATCH 28/28] Updated with proper JSON.

Signed-off-by: Niaz Khan <niazfk@amazon.com>
---
 keymanagementrequirements.md | 108 +++++++++--------------------------
 1 file changed, 28 insertions(+), 80 deletions(-)

diff --git a/keymanagementrequirements.md b/keymanagementrequirements.md
index 680f402f..50c07812 100644
--- a/keymanagementrequirements.md
+++ b/keymanagementrequirements.md
@@ -19,89 +19,37 @@ Key management for container signing can be broadly categorized into three gener
 - Signing key: A signing key is used to generate artifact signatures. A signing key should be signed with a root key or one of its intermediaries. The certificate chain with a signing key can be used to verify which root it belongs to. While a root key can be used as a signing key, this is not recommended as it creates a large blast radius and increases the risk of compromising a root key. 
 - Trust Policy: The trust policy defines whether to enable signature validation and which checks need to be run. An example trust policy:
 ```
-            {
-                "trustPolicy": {
-                    "signatureCheck": true,
-                    "optionalChecks": {
-                        "signatureExpiry": true,
-                        "signatureRescinded": false
-                    },
-                    "trustStore": [
-                        "truststore.json",
-                        {
-                            "trustedRoots": [
-                                {
-                                    "root": "test.crt"
-                                }
-                            ]
-                        }
-                    ],
-                    "trustedArtifacts": []
-                }
-            }
+    {
+        "trustPolicy": {
+            "signatureCheck": true,
+            "optionalChecks": {
+            	"signatureExpiry": true,
+            	"signatureRescinded": false
+            },
+            "trustStore": [
+            	"truststore.json",
+            	{
+            		"trustedRoots": [{
+            			"root": "test.crt"
+            		}]
+            	}
+            ],
+            "trustedArtifacts": []
+        }
+    }
 ```
 - Trust Store: The trust store defines the relationship between signing keys and artifacts that are used at validation time to determine whether to trust an artifact with a crytptographically valid signature. The trust store will relate a scope (any source, specific registry, specific repository, or specific target) with a certificate (for root key, intermediate, or signing key) or key repository (for automated key distribtuion). It is not recommended to use a signing key as this will cause signature validation to fail if the signing key is rotated. An example trustStore where the first root is trusted for artifacts from any registry and the second root is only trusted for artifacts from "registry.wabbit-networks.io" :
 ```
-            {
-                "trustedRoots": [
-                    {
-                        "root": "-----BEGIN CERTIFICATE-----
-                            MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
-                            ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
-                            b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
-                            MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
-                            b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
-                            ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
-                            9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
-                            IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
-                            VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
-                            93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
-                            jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-                            AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
-                            A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
-                            U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
-                            N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
-                            o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
-                            5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
-                            rqXRfboQnoZsG4q5WTP468SQvvG5
-                            -----END CERTIFICATE-----"
-                    },
-                    {
-                        "root": "-----BEGIN CERTIFICATE-----
-                            MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF
-                            ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
-                            b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL
-                            MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
-                            b3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2Wny2cSkxK
-                            gXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4kHbZ
-                            W0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg
-                            1dKmSYXpN+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K
-                            8nu+NQWpEjTj82R0Yiw9AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r
-                            2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvdfLC6HM783k81ds8P+HgfajZRRidhW+me
-                            z/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAExkv8LV/SasrlX6avvDXbR
-                            8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSSbtqDT6Zj
-                            mUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz
-                            7Mt0Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6
-                            +XUyo05f7O0oYtlNc/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI
-                            0u1ufm8/0i2BWSlmy5A5lREedCf+3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB
-                            Af8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSwDPBMMPQFWAJI/TPlUq9LhONm
-                            UjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oAA7CXDpO8Wqj2
-                            LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY
-                            +gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kS
-                            k5Nrp+gvU5LEYFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl
-                            7uxMMne0nxrpS10gxdr9HIcWxkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygm
-                            btmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQgj9sAq+uEjonljYE1x2igGOpm/Hl
-                            urR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbWaQbLU8uz/mtBzUF+
-                            fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoVYh63
-                            n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE
-                            76KlXIx3KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H
-                            9jVlpNMKVv/1F2Rs76giJUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT
-                            4PsJYGw=
-                            -----END CERTIFICATE-----",
-                        "scope": "registry.wabbit-networks.io"
-                    }
-                ]
-            }
+    {
+    	"trustedRoots": [{
+ 	    		"root": "-----BEGIN CERTIFICATE-----examplecertificate-----END CERTIFICATE-----"
+ 	    	},
+ 	    	{
+ 	    		"root": "-----BEGIN CERTIFICATE-----examplecertificate-----END CERTIFICATE-----",
+ 	    		"scope": "registry.wabbit-networks.io"
+ 	    	}
+ 	    ]
+    }
 ```
 - Trust Store Key Information: The key information configured in the trust store will be cryptographically verifiable and contain:
     - Public Key: Will be used to verify signed artifacts.