From 375ecf325782444ced125c7bdcb03a97beb5b473 Mon Sep 17 00:00:00 2001 From: infominer Date: Tue, 4 Jun 2019 10:01:03 -0400 Subject: [PATCH] I accept! --- _config.yml | 18 +- ...18-W3C-Authentication-Identity-Workshop.md | 15 - .../01-Day-1-Welcome-and-Procedural_1.html | 19 - ...-Understanding-Verifiable-Credentials.html | 26 - .../03-Day-1-Understanding-DIDs.html | 672 ------------------ .../04-Day-1-Understanding-DID-Auth.html | 26 - ...uthn-CTAP-EAT-FIDO-and-Authenticators.html | 32 - ...-JWT_CWT-OpenID-and-Related-Ecosystem.html | 43 -- .../07-Day-1-Breakout-Sessions.html | 13 - ...rstanding-Current-and-Future-Problems.html | 55 -- .../09-Day-2-Procedural-Agenda-Gardening.html | 14 - ...ng-Cultural-and-Economic-Perspectives.html | 32 - .../10.3-Day-2-PindarWong_1.html | 31 - ...ay-2-Avoiding-Mistakes-and-Minefields.html | 28 - .../12-Day-2-Breakouts.html | 10 - ...r-Roadmap-DIDs_-VCs_-and-Attestations.html | 15 - .../13.5-Day-2-Attestation-Arm.html | 13 - ...4-Day-2-5-Year-Roadmap-Authenticators.html | 20 - ...-Year-Roadmap-Authenticators_-Gemalto.html | 15 - ...work-with-Authentication-and-Identity.html | 36 - .../Health-Care-IDology.html | 16 - ...se-21-with-FIDO-Proof-of-Presence-Key.html | 14 - ...tication and Identity Workshop Report.docx | Bin 43258 -> 0 bytes 23 files changed, 1 insertion(+), 1162 deletions(-) delete mode 100644 _pages/2018-W3C-Authentication-Identity-Workshop.md delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/01-Day-1-Welcome-and-Procedural_1.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/02-Day-1-Understanding-Verifiable-Credentials.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/03-Day-1-Understanding-DIDs.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/04-Day-1-Understanding-DID-Auth.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/05-Day-1-Understanding-WebAuthn-CTAP-EAT-FIDO-and-Authenticators.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/06-Day-1-Understanding-JWT_CWT-OpenID-and-Related-Ecosystem.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/07-Day-1-Breakout-Sessions.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/08-Day-1-Market-Verticals-Understanding-Current-and-Future-Problems.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/09-Day-2-Procedural-Agenda-Gardening.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/10-Day-2-Exploring-Cultural-and-Economic-Perspectives.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/10.3-Day-2-PindarWong_1.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/11-Day-2-Avoiding-Mistakes-and-Minefields.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/12-Day-2-Breakouts.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/13-Day-2-5-Year-Roadmap-DIDs_-VCs_-and-Attestations.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/13.5-Day-2-Attestation-Arm.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/14-Day-2-5-Year-Roadmap-Authenticators.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/14.5-Day-2-5-Year-Roadmap-Authenticators_-Gemalto.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/15-Day-2-Browsers-work-with-Authentication-and-Identity.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/Health-Care-IDology.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/Use-Case-21-with-FIDO-Proof-of-Presence-Key.html delete mode 100644 collections/_2018-W3C-Authentication-Identity-Workshop/W3C Strong Authentication and Identity Workshop Report.docx diff --git a/_config.yml b/_config.yml index 3e6cc308..418f00d3 100644 --- a/_config.yml +++ b/_config.yml @@ -345,20 +345,4 @@ defaults: toc_sticky : true twitter: card: summary_large_image - # _2018-W3C-Authentication-Identity-Workshop - - scope: - path: "" - type: 2018-W3C-Authentication-Identity-Workshop - values: - layout: single - author_profile: false - read_time: false - comments: # true - share: true - related: true - idwkshp: true - sidebar: - title: DIDecentralized - nav: "didnav" - twitter: - card: summary_large_image + \ No newline at end of file diff --git a/_pages/2018-W3C-Authentication-Identity-Workshop.md b/_pages/2018-W3C-Authentication-Identity-Workshop.md deleted file mode 100644 index 24e9633e..00000000 --- a/_pages/2018-W3C-Authentication-Identity-Workshop.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "2018 W3C Strong Authentication and Identity Workshop" -layout: collection -permalink: /2018-W3C-Authentication-Identity-Workshop/ -collection: 2018-W3C-Authentication-Identity-Workshop -entries_layout: grid -classes: wide -sidebar: - nav: didnav -author_profile: false -#: 7 -share: true ---- - -## 2018 W3C Strong Authentication and Identity Workshop \ No newline at end of file diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/01-Day-1-Welcome-and-Procedural_1.html b/collections/_2018-W3C-Authentication-Identity-Workshop/01-Day-1-Welcome-and-Procedural_1.html deleted file mode 100644 index 2301bec2..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/01-Day-1-Welcome-and-Procedural_1.html +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: "01) Day 1. Welcome and Procedural" -header: - teaser: /images/strong-authentication-identity-workshop-w3c.png ---- - - - -
Strong Authentication and
Identity Workshop
https://www.w3.org/Security/strong-authentication-and-identity-workshop/
real-time chat & minutes (irc): http://irc.w3.org/ #auth-id
-
-
World Wide Web Consortium
“Leading the Web to its full potential.” Voluntary consensus standards:
cooperative solutions for open, interoperable platform improvement.
The Art of Consensus.
Web for all. Accessible, Internationalized, Secure, Private
Royalty-free patent policy.
475 members as of December 2018, including technology builders and users;
for-profit companies, academics, non-profits, and government agencies.
Code of Ethics and Professional Conduct: Treat each other with respect
-
Standards work well for
Shared technical problem
Good enough technical solution
Ecosystem interest in common resolution
W3C provides the forum and process: community and
membership develop the specifications.
-
Workshop Agenda
2 days of mixed presentation and discussion.
Experimenting with multiple modes of hearing
from everyone in the room: cards, dots, and
breakouts.
Cards: Write down your questions and concerns
during sessions, and we’ll gather them as
sessions conclude.
Dinner tonight:
Who’s in for an on-campus dinner?
Who needs a shuttle (about ½ mile)?
-
Minutes and reporting
This workshop is invite-only. We’ll follow with a
public report.
We take minutes in irc:
http://irc.w3.org (yes, it’s http)
channel #auth-id
Please state your name when speaking
q+ to say something new adds you
to the speaker queue
scribing conventions
speaker: what they said
use @@1..n if you miss a name or phrase
while scribing
s/@@1/Name/ replaces @@1 in the
meeting record
-
Thanks!
Program Committee:
Manu Sporny, Digital Bazaar
Paul Grassi, Easy Dynamics
Drummond Reed, Evernym
Christiaan Brand, Google
Kaliya Young, Internet Identity Workshop
Tony Nadalin, Microsoft
JC Jones, Mozilla
Pindar Wong, VeriFi
W3C Team: Sam Weiler, Karen Myers, Wendy Seltzer
Host:
- -
- -
diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/02-Day-1-Understanding-Verifiable-Credentials.html b/collections/_2018-W3C-Authentication-Identity-Workshop/02-Day-1-Understanding-Verifiable-Credentials.html deleted file mode 100644 index 5ce37e53..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/02-Day-1-Understanding-Verifiable-Credentials.html +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: "02) Day 1. Understanding Verifiable Credentials" -header: - teaser: /images/understanding-verifiable-credentials.png - ---- - - - -
Understanding Verifiable
Credentials
Dr. Daniel C. Burnett, PegaSys Blockchain Standards Architect, W3C VCWG Co-
chair
W3C Workshop on Strong Authentication & Identity
Redmond, WA, Dec 10-11, 2018
-
Credentials
2
<passport photo>
<driver’s license photo>
-
(Cryptographically) Verifiable Credentials
We aim to provide the same thing, but
electronically
A Verifiable Credential is
Issued by an Issuer (school, corp, govt, ind.)
Held by a Holder (student, employee, customer)
Presented to a Verifier (employers, security, websites)
A Verifiable Credential contains
An Identifier
Optional metadata
One or more claims
A proof section
Identifiers can be cryptographically controlled
3
-
Claims & Proofs
A Claim is
One statement about a Subject
A Claim contains
A Subject
A Property
A Value for the property
The Proof section contains
Signatures over the claims
ZKP info (work in progress)
4
-
VC Example in JSON-LD syntax
{
"@context": [
"https://w3.org/2018/credentials/v1",
"https://example.com/examples/v1"
],
"id": "http://dmv.example.gov/credentials/3732",
"type": ["VerifiableCredential", "ProofOfAgeCredential"],
"issuer": "https://dmv.example.gov/issuers/14",
"issuanceDate": "2010-01-01T19:73:24Z",
"credentialSubject": {
"id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
"ageOver": 21
},
"proof": { ... }
}
5
-
VC - signature-based proof example
{ "@context": [...],
"id": "http://dmv.example.gov/credentials/3732",
"type": ["VerifiableCredential", "ProofOfAgeCredential"],
"issuer": "https://dmv.example.gov/issuers/14",
"issuanceDate": "2010-01-01T19:73:24Z",
"credentialSubject": {...},
"proof": {
"type": "RsaSignature2018",
"created": "2017-06-18T21:19:10Z",
"creator": "https://example.com/jdoe/keys/1",
"nonce": "c0ae1c8e-c7e7-469f-b252-86e6a0e7387e",
"signatureValue": "BavEll0/I1zpYw8XNi1bgVg/sCneO4Jugez8RwDg/+
MCRVpjOboDoe4SxxKjkCOvKiCHGDvc4krqi6Z1n0UfqzxGfmatCuFibcC1wps
PRdW+gGsutPTLzvueMWmFhwYmfIFpbBu95t501+rSLHIEuujM/+PXr9Cky6Ed
+W3JT24="
}}
6
-
Verifiable Presentations
A Verifiable Presentation is
Presented by a Holder to a Verifier
Composed from multiple VCs
Often from different Issuers
Often about the same subject
A Verifiable Presentation contains
An identifier
Optional metadata
One or more claims or whole VCs
A proof section
7
-
Verifiable Credentials are (not)?
Verifiable Credentials allow
An issuing party to express a statement as a fact, ie “make a claim
A holding party to present the statement (in whole or in part) to a third party
A verifying party to validate the statement hasn’t been tampered with
Verifiable Credentials DON’T
Represent averified truth
It is the issuance of a claim that is verifiable, not the semantics of the claim
8
-
Standardization: W3C Verifiable Claims Working Group
In Scope
Recommend a data model and syntax(es) for the expression of verifiable claims, including one
or more core vocabularies
Create a note specifying one or more of these:
How these data models should be used with existing attribute exchange protocols
A suggestion that existing protocols be modified
A suggestion that a new protocol is required
Out of Scope
Define browser-based APIs for interacting with verifiable claims. This work may be performed
by a future Working Group if there is interest, but is not required for the Working Group to be
successful
Define a new protocol for attribute exchange. This work may be performed by a future Working
Group if there is interest, but is not required for the Working Group to be successful
Attempt to address the larger problem of "Identity on the Web/Internet"
Attempt to lead the creation of a specific style of supporting infrastructure, other than a data
model and syntax(es), for a verifiable claims ecosystem
9
-
VCWG Work Status
Verifiable Claims Data Model and Representationsspecification
FPWD long past, wrapping up ZKP and JWT support
Informal reviews already from PING, WAI, others
CR expected early 2019
Editors’ Draft: https://w3c.github.io/vc-data-model/
GitHub: https://github.com/w3c/vc-data-model
Test Suite
Almost all tests written
GitHub:
https://github.com/w3c/vc-test-suite
Use cases
Editors’ Draft:
https://w3c.github.io/vc-use-cases/
GitHub: https://github.com/w3c/vc-use-cases
10
-
2018 VC Adoption in Commerce
(Financial Services)
11
Deployed Today by:
Governments
Banks
Websites
DID issuers
Details are W3C M ember Confidential
-
2018 VC Adoption in Commerce
(Trade)
12
Deployed Today for:
Authorized Importer
Authorized Exporter
Certificate of Origin
Details are W3C M ember Confidential
-
Questions?
13
-
VCWG Mission and Goals
It is currently difficult to express claims regarding education qualifications,
healthcare data, banking account information, and other sorts of machine-
readable personal information that has been verified by a 3rd party on the
Web
VCWG mission is to make expressing and exchanging claims that have been
verified by a third party easier and more secure on the Web
Our charter specifies that education related uses is our first focus but allows
that other uses can be addressed such as digital offers, receipts, and loyalty
programs and other areas if there is significant industry participation
14
- -
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/03-Day-1-Understanding-DIDs.html b/collections/_2018-W3C-Authentication-Identity-Workshop/03-Day-1-Understanding-DIDs.html deleted file mode 100644 index ae740cef..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/03-Day-1-Understanding-DIDs.html +++ /dev/null @@ -1,672 +0,0 @@ ---- -title: "03) Day 1. Understanding DIDs" -header: - teaser: /images/understanding-dids.png - ---- - - - - - - - - - -
Understanding
Decentralized Identifiers
Kim Hamilton Duffy
CTO Learning Machine
Co-chair W3C Credentials Community Group
Decentralized Identity Foundation Steering Committee
1
-
What is a Decentralized Identifier?
A new type of URL that is:
globally unique,
highly available,
persistent
cryptographically verifiable, and
does not require a central admin
2
did:btcr:txtest1:8kyt-fzzq-qqqq-ase0-d8
-
We use DIDs in Verifiable Credentials
3
-
DID Implementations (Methods)
4
did:example:123456789abcdefghijk
Scheme
DID
Method
DID Method Specific String
did:v1:nym:BcNkgGmGEpCGSJSMPB4BvWvwVM6YeTR52BSWcZTbzU23
did:btcr:txtest1:8kyt-fzzq-qqqq-ase0-d8
Examples:
-
DIDs Resolve to DID Documents
5
{
"@context": "https://w3id.org/veres-one/v1",
"id": "did:v1:nym:DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD",
"authentication": [{
"type": "Ed25519SignatureAuthentication2018",
"publicKey": [{
"id": "did:v1:test:nym:DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD#authn -key-1",
"type": "Ed25519VerificationKey2018",
"controller": "did:v1:nym:DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD",
"publicKeyBase58": "DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD"
}]
}],
"service": [{
"type": "ExampleMessagingService2018",
"serviceEndpoint":https://example.com/services/messages
}],
more DID-specific information here
}
1. Authentication Mechanisms
3. Service Discovery
2. Public Key Material
-
did:btcr:xkyt-fzgq-qq87-xnhn
Universal Resolver
DID RESOLUTION
DID Method Spec
DID Document
DID
-
{
"@context": "https://w3id.org/did/v1",
"id": "did:example:123456789abcdefghi",
"publicKey": [{
"id": "did:example:123456789abcdefghi#keys-1",
"type": "RsaSigningKey2018",
"owner": "did:example:123456789abcdefghi",
"publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n"
}],
"authentication": [{
"type": "RsaSignatureAuthentication2018",
"publicKey": "did:example:123456789abcdefghi#keys-1"
}],
"service": [{
"type": "ExampleService",
"serviceEndpoint": "https://example.com/endpoint/8377464"
}],
"created": "2002-10-10T17:00:00Z",
"updated": "2016-10-17T02:41:00Z",
"signature": {
"type": "RsaSignature2016",
"created": "2016-02-08T16:02:20Z",
"creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1",
"signatureValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0
yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2
C4STOWF+83cMcbZ3CBMq2/gi25s=“
}
}
}
DID DOCUMENT
1. DID (for self-description)
2. Public keys (for verification)
3. Auth methods (for authentication)
4. Service endpoints (for interaction)
5. Timestamp (for audit history)
6. Signature (for integrity)
-
Status
8
Incubated at RWOT, IIW
Currently:
Draft report in W3C Credentials Community
Group
Protocols and prototypes at DIF
DID Method Registry
DID Auth, DID Resolver
To Discuss: DID Working Group
-
DID & VC Architecture
Roadmap 2018+
Christopher Allen
Principal Architect & Founder Blockchain Commons
W3C Credentials CG Chair
9
-
Current W3C Standards Track Efforts
10
Verifiable Claims WG, Verifiable Credentials
Anyone can verifiably say anything about anyone.
Identity emerges from evaluating multiple sources of
information, across multiple interactions
Decentralized Identifiers (DIDs), draft WG
Anyone can publicly manage provable identifiers without
administrative interference
Move beyond centrally administered IDs
Provide for a plurality of authorities
-
Decentralized Identity Stack
11
DIDs Root Identifiers
DID Universal Resolvers support interoperability between
multiple DID methods.
DID Methods Specific approaches using different blockchains
DID Documents Proof of Control & Service References
+
-
Decentralized Identity Stack
12
DIDs Root Identifiers …
Raw Data Observed facts & transactions
Verifiable Credentials Assertions by knowable authorities
Profiles / Presentations / Persona Representations of individuals
Consent Records of authorization
Reasoning Interpretation & Analysis
Evaluation Risk Analysis & Reputation
Understanding Internal knowledge representation
Services Interactions of value
-
Potential Standards for Future Work
13
DID-Auth (Authn/Authz)
OCAP (Authz through Object Capabilities)
Credential Requests & Exchange
Data Minimization & Selective Disclosure
Consent & Consent Receipts
Storage (Identity Hubs) & Internal Representations
Analytics & Algorithms for Evaluation
Cryptographic Proofs
Signature, Encryption, Signcryption Suites
Time-stamping
Zero-knowledge proofs
-
https://w3c-ccg.github.io/roadmap/diagram.html
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/04-Day-1-Understanding-DID-Auth.html b/collections/_2018-W3C-Authentication-Identity-Workshop/04-Day-1-Understanding-DID-Auth.html deleted file mode 100644 index 2762dbbf..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/04-Day-1-Understanding-DID-Auth.html +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: "04) Day 1. Understanding DID Auth" -header: - teaser: /images/understanding-did-auth.png ---- - - - -
Markus Sabadello
Danube Tech, DIF, Sovrin,
W3C CCG, W3C VCWG, OASIS XDI TC
https://danubetech.com/
W3C Workshop on Strong Authentication & Identification
Redmond, WA, USA 10
th
December 2018
-
DID Auth
Background
Decentralized Identifiers (DIDs)
Decentralized Public Key Infrastructure (DPKI)
DID Auth
Prove that the DID subject controls its DID
A concept, with different architectures and implementations
-
DID Document
DID Document tells us how control of the DID can be proven
DID Document contains service endpoints, public keys, authentication
methods
{
"@context": "https://w3id.org/did/v1",
"id": "did:sov:WRfXPg8dantKVubE3HX8pw",
"service": {
"type": "hub",
"serviceEndpoint": "https://azure.microsoft.com/dif/hub/did:sov:WRfXPg8dantKVubE3H"
},
"publicKey": [
{
"id": "did:sov:WRfXPg8dantKVubE3HX8pw#key-1",
"type": "Ed25519VerificationKey2018",
"publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDmqPV"
}
],
"authentication": {
"type": "Ed25519SignatureAuthentication2018",
"publicKey": [
"did:sov:WRfXPg8dantKVubE3HX8pw#key-1"
]
}
}
-
DID Document
DID Document tells us how control of the DID can be proven
DID Document contains service endpoints, public keys, authentication
methods
{
"@context": "https://w3id.org/did/v1",
"id": "did:sov:WRfXPg8dantKVubE3HX8pw",
"service": {
"type": "hub",
"serviceEndpoint": "https://azure.microsoft.com/dif/hub/did:sov:WRfXPg8dantKVubE3H"
},
"publicKey": [
{
"id": "did:sov:WRfXPg8dantKVubE3HX8pw#key-1",
"type": "Ed25519VerificationKey2018",
"publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDmqPV"
}
],
"authentication": {
"type": "Ed25519SignatureAuthentication2018",
"publicKey": [
"did:sov:WRfXPg8dantKVubE3HX8pw#key-1"
]
}
}
-
DID Auth Example Architecture
-
Challenges, Responses, Transports
Challenge-response flow to prove that the DID subject controls its DID.
Transports: HTTP POST, QR code, Mobile deep link, JavaScript browser
API, Bluetooth, NFC, etc.
Transports may require additional information such as endpoint URIs that
may be included in the challenge, or discoverable from a DID.
Challenge:
Identity owner’s DID may or not be
known.
May or may not contain proof of control
of a DID of the relying party.
Response:
Linked to a challenge (e.g. using a
nonce).
Contains proof of control of a DID of the
identity owner.
-
DID Auth Example Architectures
-
DID Auth Data Formats
Example JWT:
Example JSON-LD VC:
{
"header": {
"typ": "JWT",
"alg": "ES256"
},
"payload": {
"iss":
"did:example:123456789abcdefg",
"sub":
"did:example:123456789abcdefg",
"iat": 1479850830,
"exp": 1511305200,
},
"signature": "..."
}
{
"type": ["Credential"],
"issuer": "did:example:123456789abcdefg",
"issued": "2018-03-07",
"credentialSubject": {
"id": "did:example:123456789abcdefg",
"publicKey": "did:example:123456789abcdefg#ke
},
"proof": {
"type": "Ed25519Signature2018",
"created": "2018-01-01T21:19:10Z",
"creator": "did:example:123456789abcdefg#keys
"nonce": "c0ae1c8e-c7e7-469f-b252-86e6a0
"signatureValue": "..."
}
}
-
DID Auth Data Formats
Example JWT:
Example JSON-LD VC:
{
"header": {
"typ": "JWT",
"alg": "ES256"
},
"payload": {
"iss":
"did:example:123456789abcdefg",
"sub":
"did:example:123456789abcdefg",
"iat": 1479850830,
"exp": 1511305200,
},
"signature": "..."
}
{
"type": ["Credential"],
"issuer": "did:example:123456789abcdefg",
"issued": "2018-03-07",
"credentialSubject": {
"id": "did:example:123456789abcdefg",
"publicKey": "did:example:123456789abcdefg#ke
},
"proof": {
"type": "Ed25519Signature2018",
"created": "2018-01-01T21:19:10Z",
"creator": "did:example:123456789abcdefg#keys
"nonce": "c0ae1c8e-c7e7-469f-b252-86e6a0
"signatureValue": "..."
}
}
-
Relation to OIDC, WebAuthn
OIDC + DID
Self-Issued OpenID Provider
Discover OIDC endpoint from DID
WebAuthn + DID
Registration
Register(Account, Origin)
Registration Response (without DID)
RegisterResponse(PublicKeyCredential,
Attestation, Origin)
Registration Response (with DID)
RegisterResponse(DIDCredential,
Attestation, Origin)
{
"@context": "https://w3id.org/did/v1",
"id": "did:example:123456789abcdefg",
"service": [{
"id": "did:example:123456789abcdefg;openid",
"type": "OpenIdConnectVersion1.0Service",
"serviceEndpoint": "https://openid.example.com/"
}]
}
And more! DID-TLS, DID-HTTP-Signatures, DID-PGP, DID-
SSH
-
For the Workshop
Come up with a list of core DID Auth principles
1) The identifier that is being authenticated is a DID.
2) All elements of the DID Document can change, the DID stays the same.
3) DID Resolution is performed to discover how to authenticate the DID.
4) … more?
Workshop Question #1: Relation to OIDC, FIDO, WebAuthn?
Workshop Question #2: Relation to VC exchange protocols?
-
Community Resources
W3C Credentials Community Group
https://www.w3.org/community/credentials/
Decentralized Identity Foundation
http://identity.foundation/
Rebooting-the-Web-of-Trust
http://www.weboftrust.info/
Internet Identity Workshop
http://internetidentityworkshop.com/
Thank You
Markus Sabadello
Danube Tech
https://danubetech.com/
markus@danubetech.com
z
-
Backup Slides
-
Rebooting-the-Web-of-Trust
Internet Identity Workshop
DIDs: W3C Credentials CG
v0.11 Draft Community Report
DIDs: W3C DID WG
Charter now being written
Yadis, XRI, XRD, XRDS,
JRD, Webfinger
DID registered
prov. URI scheme
DID method specs
W3C Web Payments CG
OASIS XDI TC
W3C JSON-LD 1.1
W3C Cryptographic Suites
RFC 7517: JWK
Verifiable Credentials
DKMS, DID Auth
Hubs, Agents, XDI
-
DID Universal Resolver
Looks up (“resolves”) DID to its
DID Document.
Provides a universal API that works
with all DID methods.
Uses a set of configurable “drivers”
that know how to connect to the
target system.
https://uniresolver.io/
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/05-Day-1-Understanding-WebAuthn-CTAP-EAT-FIDO-and-Authenticators.html b/collections/_2018-W3C-Authentication-Identity-Workshop/05-Day-1-Understanding-WebAuthn-CTAP-EAT-FIDO-and-Authenticators.html deleted file mode 100644 index f3bc1b65..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/05-Day-1-Understanding-WebAuthn-CTAP-EAT-FIDO-and-Authenticators.html +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: "05) Day 1. Understanding WebAuthn CTAP EAT FIDO and Authenticators" -header: - teaser: /images/webauthn-ctap.png ---- - - - -
WebAuthn / CTAP
Modern Authentication
-
challenge, “google.com
Server
How Security Keys work
Who’s calling?
sign:
{challenge, “
google.com”}
{challenge, “google.com”}
signed
Alice’s
Security
Key
Challenge was: 123456
Origin was: google.com
Alices Key
https://www.google.com
USB/NFC/BLE
5
challenge
1
6
2
3
4
-
3
© 2018 Yubico © 2016 Yubico
Registration Recap
1. Relying Party generates challenge
Prevents replay
2. Client validates origin
Prevents phishing
3. Authenticator checks user presence and consent
Prevents silent tracking
4. Authenticator creates key pair
No secret is shared with Relying Party
5. Relying Party verifies attestation signature
Prevents phishing
Proof that private key is safe
-
4
© 2018 Yubico © 2016 Yubico
What is CTAP?
Authenticator
Browser
Client/Platform
Platform
Application
CTAP1 and/or CTAP2
Authenticator generates and securely stores credentials
Communicates over USB, NFC, or Bluetooth
Private keys, PINs, and biometric information never leave the
authenticator
CTAP2 Data format: Concise Binary Object Representation (CBOR)
-
5
© 2018 Yubico © 2016 Yubico
What is WebAuthn?
FIDO2 Server
Browser
Client/Platform
Platform
Application
We bAuthn
WebAuthn (JavaScript) API lets Browser, Client talk about external
or platform (embedded) authenticators. It is 2-party interaction.
Enables the creation and use of strong, attested, scoped, public
key-based credentials for use by web applications.
Strongly authenticates users.
All major browsers are on track to implement full Web
Authentication APIs. Chrome, Edge, Mozilla all support now.
-
6
© 2018 Yubico
Evolution of FIDO Authentication to FIDO2
U2F
User Agent
U2F.js
CTAP1
FIDO2
Platform
WebAuthn
CTAP1
FIDO U2F
Authenticator
FIDO2
Authenticator
CTAP2
U2F
Phishing resistant authentication with
user intent
Multi-Factor Authentication (MFA)
Subset
Authenticator - something you
have
Password - something you know
FIDO2
True MFA
Authenticator - something you
have
User verification - something you
know (PIN) or are (Biometrics)
-
7
© 2018 Yubico
WebAuthn and CTAP2
-
8
© 2018 Yubico © 2016 Yubico
State of state
CTAP2 in final review at FIDO; standardization soon
WebAuthn clearing up some issues for move to PR (resolution
soon, PR early 2019?).
New FIDO2 (CTAP2/WebAuthn) features:
Resident Keys provide first-factor, high assurance MFA, and
enable passwordless authentication
HMAC support to enable offline authentication
Migration path to WebAuthn exists for U2F devices, credentials
FIDO UAF features, such as transactions, part of Level 2 W3C
work
-
EAT
Entity Attestation Token
IETF Internet Draft
-
EAT (more)
Web Authn WG looking at this in IETF
Key use is with payment handlers that open a new window
We don’t anticipate any extra work in CredMan
Been seeking guidance via Mike West
-
All Rights Reserved | FIDO Alliance | Copyright 2018
FIDO and
Authenticators
Dr. Rae Hayward
Certification Director
FIDO Alliance
-
All Rights Reserved | FIDO Alliance | Copyright 2018 12
BENEFITS TO CERTIFICATION
Validation Interoperable
Rigorous
testing
Trust
Competitive
edge
Market
expansion
-
All Rights Reserved | FIDO Alliance | Copyright 2018 13
-
All Rights Reserved | FIDO Alliance |
Copyright 2018
14
FIDO AUTHENTICATOR CERTIFICATION
Validates the security characteristics
of authenticator implementations
Functional is a prerequisite
All Rights Reserved | FIDO Alliance | Copyright 2018
-
All Rights Reserved | FIDO Alliance | Copyright 2018
15
A COMPREHENSIVE SET OF LEVELS FOR ALL USES CASES
SAMPLE DEVICE HARDWARE &
SOFTWARE REQUIREMENTS
DEFENDS AGAINST
Protection against chip fault injection,
invasive attacks…
L3+
Captured devices
(chip-level attacks)
Circuit board potting, package on
package memory, encrypted RAM
L3
Captured devices
(circuit board level attacks)
Restricted Operating Environment (ROE)
(e.g., TEE or Secure Element in a
phone, USB token or Smart Card which
are intrinsically ROEs, other…)
L2+
Device OS compromise
(defended by ROE)
L2
Any device HW or SW
L1+
Device OS compromise
(defended by white-box cryptography)
L1
Phishing, server credential
breaches & MiTM attacks
(better than passwords)
-
All Rights Reserved | FIDO Alliance | Copyright 2018 16
LEVEL 1
Examples
Android or IoS applications
Platform built-in authenticators
Level 2- or Level 3-capable
authenticators not yet certified at
Level 2 or Level 3
Certification Process
Vendor documents their design in detail
L1+ only: Evaluation by FIDO
-accredited lab,
penetration testing (L1+ program still in
development)
Evaluation by FIDO Alliance Security Secretariat
Better than passwords
FIDO is unfishable and biometrics are
more convenient
Keys and biometric templates are
protected similar to passwords
stored by a browser or password
manager app
Requires best facilities offered by
hosting OS
L1+ adds white-box cryptography
(obfuscation and other techniques)
to defend against compromise of
hosting OS
-
All Rights Reserved | FIDO Alliance | Copyright 2018 17
LEVEL 2
In addition to L1
A restricted operating
environment like a TEE gives
security even if OS is
compromised.
Separate USB, BLE and NFC
authenticators are considered
to use a restricted operating
environment
Gives defense against larger
scale attacks
Additional assurance at L2+
Certification Process
Vendor documents their design in detail
L2+ only: Vendor submits source code (L2+ program
still in development)
Evaluation by a FIDO
-accredited lab
L2+ only: Attack potential calculation, pen testing
Examples
Android apps using FIDO Level 2 certified
phone (there arent any yet)
USB, BLE and NFC Security Keys
Level 3-capable authenticators that
haven’t yet been certified at Level 3
-
All Rights Reserved | FIDO Alliance | Copyright 2018 18
LEVEL 3
In addition to L2
Defends against physically captured
authenticators
Defenses against disassembling,
probing, glitch and other such
physical attacks
L3+ adds defense against chip-level
physical attacks, such as decapping
and probing the chip
Certification Process
Vendor documents their design in detail
Vendor submits source code
Evaluation by a FIDO
-accredited lab (l3, L3+)
Attack potential calculation and penetration testing
L3+ only: Higher attack potential requirements
Examples
USB, BLE and NFC Security Keys using
Secure Elements or other means of
defending HW attacks
In some case phone or platform
authenticators may achieve L3, but is
difficult
-
All Rights Reserved | FIDO Alliance | Copyright 2018 19
COMPANION PROGRAMS
Re use as much as possible from other programs like Common Criteria
Reduces time, effort and cost of certification for authenticator
vendors, sometimes by quite a lot
Companion programs never cover all FIDO requirements; they were not
developed specifically for authenticators
Even with advanced companion programs, vendors will have to go
through additional certification with the FIDO Alliance
Companion Program
FIDO Security
Level
Program Status
Common Criteria AVA_VAN 3
L3
Operating
Common Criteria AVA_VAN 4
L3+
Operating
FIPS
L2+, L3
In development
Global Platform TEE Protection
Profile
L2+
In development
Authentication-
specific
Companion program
All FIDO Security Requirements
End-device
configuration
Cryptographic
algorithms
FIDO Specific
-
20
FIDO ACCREDITED LABS
L2
L3, L3+
All Rights Reserved | FIDO Alliance | Copyright 2018
-
All Rights Reserved | FIDO Alliance | Copyright 2018 21
EXPIRATION, DERIVATIVE & DELTA CERTIFICATION
xPhone Asteroid1 32GB
Authenticator v1
xPhone Asteroid1 64GB
Authenticator v1
xPhone Asteroid2 32GB
Authenticator v1
xPhone Asteroid3 32GB
Authenticator v2
Security Requirements 1.2
Security Requirements 1.3
xPhone Asteroid1 64GB
Authenticator v1
Delta Certification
When the FIDO functionality changes
Recertification against new
requirements
After fix to close a vulnerability
Reevaluation of security is required
Derivative certification
No change to FIDO functionality allowed
Surrounding functionality may change
Packaging & product name may change
No re evaluation of security
No Expiration
Certification of a given product never
expires
Recertification against new versions
of the requirements is optional
Derivative
Delta
Derivative
Delta
xPhone Asteroid1 64GB
Authenticator v1.1
(fixed)
Delta
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/06-Day-1-Understanding-JWT_CWT-OpenID-and-Related-Ecosystem.html b/collections/_2018-W3C-Authentication-Identity-Workshop/06-Day-1-Understanding-JWT_CWT-OpenID-and-Related-Ecosystem.html deleted file mode 100644 index c40b381c..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/06-Day-1-Understanding-JWT_CWT-OpenID-and-Related-Ecosystem.html +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: "06) Day 1. Understanding JWT CWT" -header: - teaser: /images/Understanding-JWT-CWT-OpenID-and-Related-Ecosystem.png ---- - - - - -
Understanding JWT/CWT, OpenID
and Related Ecosystem
Michael Jones, John Bradley
Aaron Parecki
-
JWT, OpenID Connect,
CWT, and Verifiable Claims
Michael B. Jones Microsoft and John Bradley Yubico
W3C Workshop on Strong Authentication and Identity
December 10, 2018
-
JSON Web Token (JWT) RFC 7519
Representation of claims in JSON
Can be signed with JSON Web Signature (JWS) RFC 7515
Can be encrypted with JSON Web Encryption (JWE) RFC 7516
Algorithms used extensible using IANA JOSE Algorithms Registry
For instance, ed25519 added and secp256k1 being added
By design, does not use any form of JSON canonicalization
Base64url encodes values to maintain content integrity instead
JWTs used by OpenID Connect, many other applications
-
ID Token Claims Example
{
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf",
"iat": 1311280970,
"exp": 1311281970,
"nonce": "n-0S6_WzA2Mj"
}
-
Working Together
OpenID Connect
-
What is OpenID Connect?
Simple identity layer on top of OAuth 2.0
Enables RPs to verify identity of end-user
Enables RPs to obtain basic profile info
REST/JSON interfaces low barrier to entry
Described at
http://openid.net/connect/
-
You’re Probably Already Using OpenID Connect!
If you have an Android phone or log in at AOL, Deutsche Telekom, Google,
Microsoft, NEC, NTT, Salesforce, Softbank, Symantec, Verizon, or Yahoo! Japan,
you’re already using OpenID Connect
Many other sites and apps large and small also use OpenID Connect
-
OpenID Connect and Verifiable Claims
Aggregated and Distributed Claims
Self-Issued Identities
Representation of Claim Verification Information
-
OpenID Connect: Aggregated and Distributed Claims
OpenID Connect Core §5.6.2
Defines how JWTs can contain claims signed by others
Issuers of aggregated and distributed claims can be different than JWT issuer
For example, credit score signed by credit agency and payment information
signed by bank
Aggregated claims pass 3
rd
party claims by value
Distributed claims pass 3
rd
party claims by reference
-
OpenID Connect: Self-Issued Identities
OpenID Connect Core §7
Digital identity controlled directly by you
Backed by public/private key pair
Sometimes called “user-centric identity” or “self-sovereign identity”
Claims in self-issued identities
Self-issued claims signed by you
Aggregated and distributed claims signed by 3
rd
parties
Implementations in Japan and at Microsoft
-
OpenID Connect: Representation of Claim Verification Information
Syntax for providing metadata about claims along with claims
For instance, saying that name, address, and payment info validated by a
particular bank
At a particular time
In a particular jurisdiction
Under a particular legal framework
Also ways of requesting claims with particular validation information
New work proposed by Torsten Lodderstedt at most recent IIW
Ideas contributed to OpenID Connect working group
-
CBOR Web Token (CWT) RFC 8392
Binary equivalent of JWT
Uses CBOR RFC 7049 instead of JSON
Secured with CBOR Object Signing and Encryption (COSE) RFC 8152
Can be more compact than JWTs because no base64url encoding
Good fit for IoT applications and bandwidth-constrained channels
-
IndieAuth
OAuth for the Open Web
Aaron Parecki
aaronpk.com
-
W3C Social Web Working Group
Chartered to create open APIs for social networking,
to enable social communication on the web
Active from July 2014 to February 2018
Identity and authentication was out of scope for REC-track documents
https://www.w3.org/wiki/Socialwg
-
W3C Social Web Working Group
W3C Recommendations Published:
Webmention
Linked Data Notifications
Micropub
Activity Streams
WebSub
ActivityPub
https://www.w3.org/wiki/Socialwg#Specifications
W3C Notes Published:
Social Web Protocols
JF2
Post Type Discovery
IndieAuth
-
aaron.pk/reader
-
monocle.p3k.io
aaronparecki.com
micro.blog
-
Follow me from Mastodon: aaronpk@aaronparecki.com
-
How can I comment on this
without having an account there?
[blog post, photo, issue, etc]
-
How can I sign in to an app
that lets me post to my account?
-
-
Traditional OAuth
-
IndieAuth: Bring your own identity
-
URLs for Identity
aaronparecki.com
mastodon.social/@aaronpk
gitlab.com/aaronpk
twitter.com/aaronpk
-
IndieAuth Summary
User IDs are URLs bring your own identity
Applications are identified by URLs no pre-registration
necessary
Authorization server is discovered from the user’s URL
User ID is returned at the end of the OAuth exchange
-
aperture.p3k.io
-
aaronparecki.com
-
aperture.p3k.io
-
IndieAuth Providers
WordPress Plugin Drupal Plugin
micro.blog withknown.com
Selfauth PHP
Dobrado PHP
Acquiescence Ruby
Cellar Door Node.js
Microblog.pub Python
indieweb.org/IndieAuth
-
IndieAuth Summary
An extension to the OAuth authorization code flow
Prompt user for their identity (URL input, browser extension
auto-fill, etc)
Discover user’s authorization endpoint
Send the user there to ask their permission
On the redirect back, exchange the authorization code for an
access token and the user’s canonical URL
-
indieweb.org aaronpk.com
Learn More
https://indieauth.net
https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/07-Day-1-Breakout-Sessions.html b/collections/_2018-W3C-Authentication-Identity-Workshop/07-Day-1-Breakout-Sessions.html deleted file mode 100644 index e1b7be5c..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/07-Day-1-Breakout-Sessions.html +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: "07) Day 1. Breakout Sessions" ---- - - - -
Questions for breakout discussion
From where youre coming from, what do you want to see happen in the next 2-5
years?
What is the biggest concern you have with regard to what you heard this morning?
-
Breakout groups: 6 people/session
Introduce yourself
Read your card, respond to clarifying questions
Identify shared thoughts/concerns
Each person has 2 unique votes to give to others’ ideas
Tally the votes each card receives, on the card
Write down new ideas on new cards
-
Report-out from breakouts
Identification != authentication. Getting the world to understand the difference.
Separation of concerns: authentication and attribute-provisioning ceremonies
Privacy. Needs more discussion of privacy concerns and considerations
Privacy by design
Identity assurance. How do you get to trusting the issuer or assurer? Moving
from technology to service
Want browser/device to know who I am and be my agent in revealing that
Bridging WebAuthn and OAuth
RPs have a rich choice of federation, and user-access to those
Also data storage
Coexistence, not choosing between paradigms. Discovery, registration,
resolution.
-
Align WebAuthn and DIDs for unified experience
Reuse mature standards
Industry adoption of DID-based identities
What does interop mean for DIDs?
DID WG formed at W3C
Usability
Selective permissionless delegation
OpenID Connect community working with Ethereum community re
gamification and incentives.
Value propositions; sub-data flows for business modeling around them
[missed some, they’re captured on the boards up-front]
we have cameras and will photograph the boards
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/08-Day-1-Market-Verticals-Understanding-Current-and-Future-Problems.html b/collections/_2018-W3C-Authentication-Identity-Workshop/08-Day-1-Market-Verticals-Understanding-Current-and-Future-Problems.html deleted file mode 100644 index 8d608f7b..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/08-Day-1-Market-Verticals-Understanding-Current-and-Future-Problems.html +++ /dev/null @@ -1,55 +0,0 @@ ---- -title: "08) Day 1. Market Verticals Understanding Current and Future Problems" ---- - - - -
Market Verticals: Current
and Future Challenges
-
Government
Peter Watkins
Province of British Columbia
-
Strong Authentication and
Identity Information
Understanding current and future
problems from a government
perspective
-
Province of British Columbia: 4.8 million residents
(small)
Federal
Government of Canada
Provincial
Government of British Columbia (BCGov)
Municipal
Vancouver, Victoria, ...
Indigenous
Nisga’a Lisims Government, Esquimalt First Nations,
Broader Public
Sector
Regional Health Authorities, WorkSafeBC, Technical Safety BC
ICBC (DMV and Insurance), BC Ferries, ...
Context: Many Levels of Government
Me!
4
-
Context: Government of British Columbia (BCGov) *.gov.bc.ca
Health, Education, Transportation*, Natural Resources, Justice, Social, Economic
Development, Employment…
Vital events for people -- birth and death registrations, name changes
Legal events for organizations -- registration and de-registration etc.
Professional designations -- regulating bodies, Doctors, Lawyers, Engineers,
Forresters, Architects, Accountants,
Licenses and permits -- driving (personal, commercial), harvesting, building,
gasfitting, welding
Important Assets - Land Title, Liens, etc
We provide the foundational identity information for our
society and economy.
5
-
Context: BCGov on Digital Authentication and Digital Identity Information
Current (legacy?):
30,000 Employees: userid/password
1 million accounts for Individual or Business users: BCeID userid/password
Active directory, enterprise web single sign on paradigm
New:
BC Services Card as Provincial Identity Information Program
Fully subscribed* 4.3 million registered people
Gov mobile app and gov issued EMV chip card - DL or Services Card
Registered name, date of birth, address as verified identity information
Careful privacy design, pairwise identifier scheme, conservative roll-out
Newest:
Verifiable Organizations Network: Hyperledger Indy and friends: vonx.io
orgbook.gov.bc.ca : Corporate registrations ---> licences, permits, and more
6
-
Perspectives on Strong Authentication
Damned if we (gov) don’t do it
Corporate controlled or other government
controlled
No effective recourse or accountability
Challenges with recovery when lost - if they never
really knew you - how can they fix it?
Authn services can be a party to every transaction
UX and public perception
Damned if you do it - self provisioned
One does not simply “self-provision” (U2F,
SmartPhone Apps for TOTP) - UX
Challenges with recovery when lost -- who knows
you that can help you?
We still need to bind your authentication to our
records related to you
7
Damned if we (gov) do it
Protection / defense obligations are off-the-scale
Low usage rates -- gov specific secrets forgotten
Authn services can be party to every transaction
If we verified your identity at our counter then we
do know you and can help recover lost / stolen --
but is that a bug or a feature?
There are always users outside our borders -- we
can’t bring everyone to a registration counter
And lastly - lending problem when tied to benefits.
-
Perspectives on Digital Identity Information
8
guid1, Bob, May 15, 1972
guid2, Lou, Dec 9, 1989
guid3, Sam, Jun 21, 1955
Digital-Service.com
api.somegov/idim/namedob
or a callback (same effect)
Lou
Request +
Authorization
Response +
Data
This is a problem even when it’s Digital-Service.gov
The apis know whos calling/called. Event data is not fun to
manage when personal information is involved
Calling AnyCompany.com everytime is not much better
Scaling this into digital economy will be a problem
Need to issue to Lou and enable Lou to share government
issued identity information without calling back to the gov
every time
Approve Cancel
Hi there! It’s us here at the gov.
Thanks for authenticating now we
remember you. Hi Lou!
Do you want to authorize Digital-
Service.com to call us right now
and get your name and date of
birth?
-
Perspectives on Digital Services, Digital Government, Digital Economy
9
Things you can do that
are not very important
or valuable
Things you need
to do that are
very important
or valuable
Face-to-face
Papers
Fax
Awesome
Digital Services
That Work Great
meh
grrrr
Sweet!
Not possible without
strong authentication and
digital identity information
-- standards and interop --
-
Healthcare
(see PDF)
-
Supply Chain
Jim Masloski
-
W3C WORKSHOP ON STRONG AUTHENTICATION & IDENTITY
SUPPLY CHAIN
(IDENTITY/VERIFIABLE CLAIMS )
INVOLVEMENT OF
ACTORS
PARTIES IN TRANSACTIONS
PARTICIPATION AT
THE PARTY LEVEL
CODIFYING
THE IDENTITIES OF PARTIES AND
THE ABILITY TO MAINTAIN
CONFIDENTIALITY
-
CONSIDERATIONS ON VERIFIABLE
CREDENTIALS
Availability to the information
Cross platform application
Number of parties needing access to different pieces of the
data
Ability to authenticate the information by responsible parties
Out of the box thinking on how to build this out in the supply
chain industry
Take into consideration the legal requirements as they
currently stand in the supply chain arena
-
Legal
Scott David @ScottLDavid
Director of Policy
Center for Information Assurance and Cybersecurity
University of Washington - Applied Physics
Laboratory
-
Law and DIDs
S.O.D.D.I.* in Seattle
Presentation to W3C Strong Authentication and Identity Workshop
By Scott L. David
University of Washington Applied Physics Laboratory
Information Risk Research Initiative
December 10, 2018
*SODDI Is a criminal defense of Mistaken identity: Some other dude did it”
-
DID Law Fork - Mild vs. Wild Paths
Two faces of DID legal setting
Mild or
Wild
-
Mild DID Law Path
-
Mild DID Law Challenge/Opportunity
Practice = Compliance
Navigate existing (anachronistic) laws, rules and contracts in DID
Authority = Past as Precedent (Kojeve)
Existing law and legal paradigms/institutions
Varies among national jurisdictions
Many artifacts of appropriations of capitalism and centralizations of nation state
Focus on traditional embodiments of value
“Property” concepts (IP, data “ownership,” etc.)
Hierarchical governance/liability in organizations based on “causation”
Value = cost savings of de-risking
Identity is emerging cost center” for organization
Jurisdictional arbitrage-venue shopping
Zero-sum game gestalt
Identity = locus of (duty and liability) and (rights and value)
Today’s duties are derived from yesterday’s problems
Analogies in property law
GDPR from 1970s era FIPPs
-
Wild DID Law
-
Wild DID Law Challenge
Secondary effects of Moore’s law (etc.) yielded
downstream
exponential increase in interaction volumes
and densities
Interactions breed risk
Risk is increasing exponentially
Existing laws/institutions are not built to de-risk these new
interaction phase spaces
Distributed flows blind hierarchical organizations
Yesterday’s Institutional (and individual) existential
narratives dissipate
Challenge/Opportunity is to “re-intermediate” interactions
with new DID-based structures and narratives
-
Wild DID Law Opportunity
Practice = Innovation
Create new containers and pathways for intangible value flows
Authority = Future Opportunities (Kojeve)
New unmappedcomplex shared risk space
Bridge from old solutions to new solutions
Old laws to new contracts
Old institutions to distributed organizations
Bridge as capitalism and nation state cede power/meaning to distributed structures
Focus on newly available measurements to establish value
Focus on measuring relationship (metrics for edges, not nodes)
Focus on value extraction when data is converted into information Meaning integrity
Value = profit center of leveraging relationships (and de-risking)
Efficiencies of avoiding avoidable harms
Identity as profit center for organization
Contracts to release legal jurisdictional arbitrage
“Non-Zero-sum game gestalt in new complex interaction spaces
Identity = embodiment of relationship
Information creates us, not vice versa
Duties are derived from projections of tomorrows opportunities
Analogies in early IP, derivatives markets, arbitrage instruments
-
Wild DID Law Identities are Key
Identities (of people, entities and things) are the key in distributed
systems.
Each has multiple simultaneous identities (all relationship based)
Why dididentity” get distributed?
Paul Baran diagram (shown later) shows dissipated institutional power
Much identity” is based on relationships with institutions.
With DIDs, distributed power/institutional structures
Not a lot of precedent
Not like co-ops not hierarchical
Need new institutional information and risk sharing structures
Biological systems yield helpful models
Resilient distributed structures grow organically
Self-assembly among multiple similarly situated stakeholders. (COIs)
Recognize that not starting from entirely clean slate
Appropriations of late capitalism will continue to operate (In our souls)
If aware of this, can design to harness that “energy of mutual appropriation”
-
Risks Create Organisms and Organizations
What are current and emerging DID practices?
What are processes to create feedback loops
to refine and develop those practices?
“Rule of law is as much about process as
substance
Due process (5
th
and 14
th
amend).
Substantive
Procedural
-
4 Step Ladder of Institutional Construction
Processes of institutional construction/law are
built from practices
Practices
Adopt as rule (legislative/contract process)
To get
Best Practices
Apply enforcement (judicial/enforcement process)
To get
Standards
Include operations (executive/operating process)
To get
Institutions
-
How harvest/create practices for
socio-technical DID systems?
Tools and Rules
Technology Tools
Legal Rules
For “Tools” measure performance of tech against
specifications
Process is Technical Standard setting
Output is specifications (and IP DMZ)
For “Rules” measure performance of people and
institutions against rules, laws, norms, etc.
Process is creating public and private enforceable duties
Legislative processes (and APA for regulations)
Contract negotiation processes
-
What Measurements Needed for DID Tools and
Rules Development?
What risks and what performance metrics are relevant for reliable DID systems?
Data?
Information?
Identity?
Other?
You can’t protect it if you don’t know (or agree) what IT is
We measure risk into existence
The threat is present in the system
Our measurement/observation allows us to perceive and mitigate risk
Carcinogens capacity to mutate is already present in system
All financial collapses in US and UK since 1800 Seeds of all financial collapse
are sown in response to prior crisis
All IP Create property narrative to enable accumulation (retard dissipation)
-
So, what specifically should we measure
to reduce emerging DID interaction risks?
(recalling that what gets measured gets done”)
-
DID Stakeholders need reliable and shared
qualitative metrics to reduce risk
-
Sic Hunt Dracones
-
Taming the DID Wild Law Path
Risks compel de-risking
practices
What do different sorts of
emerging threats and
vulnerabilities suggest
about future DID
practices?
Invite DID solutions for
13 information risk trends
-
Global Identity/Information Risk Trends
13 global risk trends include:
Secrecy is Dead (but privacy and security are not)
Distributed Information Architecture (blinds hierarchical organizations)
Complexity (is its own “sovereignty”)
Socio-Technical Systems (force non-technical variables into system design)
Information Democratization (collapses scale & alters security paradigms)
Data Technology is Dual-Use (it can be used for bad or good)
People are “Data Producers (without institutional support)
Big Data Insights Invert (and Re-Invent?) Critical Analysis
“Synthetic Intelligence(is a Counterforce to AI)
The Internet Is Not a Public Park (it is privately operated commercial space)
Data is Not Information
Power Laws In Bureaucracies Make Security-By-Secrecy Un-Economic
AAA Risks Threaten Information Systems
-
Death of Secrecy
(the insight/intrusion “slider”)
Secrecy died from vast system technical
interoperability and collective quest for
insight
Insight of observer is intrusion to observed
-
Distributed Information Architectures
Render hierarchies blind
-
The Sovereignty of Complexity
Statistical outliers can be artifacts of misapplied Gaussian
distribution models
-
Socio-Technical Systems -
force non-technical variables into security design
-
Information Democratization Collapses Scale
Invites consideration of scale-independent policies
for fractal structures
-
Data Technology is “dual use
It can do harm or good
(Like Nitrogen-Based Fertilizer)
-
People are Data Producers”
Without Institutional Support
-
Big Data Insights Invert
(and Re-Invent?) Critical Analysis
-
Synthetic Intelligence
Is a counterforce to the existential anxiety caused by AI
-
The Internet is Not a Public Park
It is a privately-operated commercial space
-
“Data” is Not Information
Many system architecture problems dissipate when the
distinction is applied
-
Power Laws In Bureaucracies Raise
Secrecy/Reliability Costs
-
“AAAA” Threats to Identity/Information
Systems
Attacks, Accidents and Acts of Nature
-
Good Luck
Let’s continue the conversation
sldavid@uw.edu
@ScottLDavid
-
John Fontana
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/09-Day-2-Procedural-Agenda-Gardening.html b/collections/_2018-W3C-Authentication-Identity-Workshop/09-Day-2-Procedural-Agenda-Gardening.html deleted file mode 100644 index 41611796..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/09-Day-2-Procedural-Agenda-Gardening.html +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: "09) Day 2. Procedural Agenda Gardening" ---- - - - -
Agenda Gardening, Day 2
-
Agenda Gardening, Day 2
https://www.w3.org/Security/strong-authentication-and-identity-
workshop/schedule.html
9:00 AM Procedural / Agenda Gardening
9:30 AM Dot voting: Concerns and Potential Work Items
9:45 AM
Exploring Cultural and Economic Perspectives
10:15 AM Avoiding mistakes and minefields
10:35 AM T-ID? Use case
11:00 AM Breakout #3: Work that needs to be incubated
11:30 AM Breakout #4: Work that is ready for a Working Group
1:00 PM Dot voting: Work for Incubation / Work for Working Groups
1:30 PM Entire Group: Discussion on warnings/objections on incubation / WGs
2:15 PM 5 Year Roadmap: DIDs, VCs, Attestation
2:45 PM 5 Year Roadmap: Authenticators
3:15 PM Browsers, Identity and Authentication
3:45 PM W3C Next Steps / Wrap up / close
4:00 PM Finish
-
Breakout Gardening
Dot-voting gave us several clusters:
Confusion
Review quickly to see whether the group wants to spend time improving understanding
General consensus
Contentious items
Chartering
-
Manu re Credentials CG and DID chartering proposal
CCG proposed DID WG charter, focused on data model
https://w3c-ccg.github.io/did-wg-charter/
CG is also doing experiments around protocol, resolution
About 15 different DID methods, think we’re ready to standardize data model
Slide deck on DID progress,
https://docs.google.com/presentation/d/18cDpqkPhlGKcOlgnbt2_2PbFoNv0vryXo
pp5rIG8A0o/edit#slide=id.gc6f80d1ff_0_0
-
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/10-Day-2-Exploring-Cultural-and-Economic-Perspectives.html b/collections/_2018-W3C-Authentication-Identity-Workshop/10-Day-2-Exploring-Cultural-and-Economic-Perspectives.html deleted file mode 100644 index c8367c63..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/10-Day-2-Exploring-Cultural-and-Economic-Perspectives.html +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: "10-Day-2-Exploring-Cultural-and-Economic-Perspectives" -description: "Current Situation of Japanese Fragmented ID Platforms" -"--- - - - -
Current Situation of
Japanese fragmented ID Platforms
Dec. 2018
JCB Co., Ltd.
*The opinions expressed in this article are the author's own
and do not reflect the view of JCB Co., Ltd.
-
2
Agenda
1. Japanese "fragmented" ID Platforms
“Fragmented" ID Platforms established by Japanese big companies
Lack of Interoperability between platforms
2. Lack of Central Social ID system in Japan
Heavily dependent on Driving License for KYC process
Failed "My number (Japanese social security and tax number system)" expansion
3. My Opinion
Necessity of “loose” ID federation in Japan Market
Basic use case
-
3
Japanese "fragmented" ID Platforms
Fragmented ID Platforms established by Japanese big companies
Japanese Big Companies have tendency to establish their own “Platform”.
(E-commerce, SNS, Mobile Carrier, Automotive, Railways, Airlines, Department Store… )
Toyota
”My Toyota”
NTT Docomo
”d Account”
Yahoo Japan
”Yahoo ID”
JR East
(Former National Railway)
”JRE Point”
Rakuten
”My Rakuten
-
4
Japanese "fragmented" ID Platforms
Fragmented ID Platforms established by Japanese big companies (Cont.)
Japanese Big Companies often become to diversified “Conglomerate”.
(…and often issue their own credit card as issuer and provide mileage to their users.)
This situation is mainly due to “loose” regulation to prohibit other business for Big Companies
in Japan.
Department Store
Supermarket
Real Estate
Developer
Construction
company
Bus Operator
International
AirPort
Ex.1: Railways Company
Ex.2: Mobile Carrier
Hotels
Education
(Univ. etc)
Electricity
Railways
Mobile Carrier
Retail Financial
service
Online Banking
Cable TV
Life Insurance
E-Commerce
Electricity
Non-life
Insurance
Education
E-Money
-
5
Japanese "fragmented" ID Platforms
Fragmented ID Platforms established by Japanese big companies (Cont.)
In some area, Japanese local services can compete against Facebook and Amazon today.
Based on this situation, Japanese “old typebig companies think;
“GAFA is very strong, but Japanese market have not occupied by them.”
E-Commerce (Share of B2C Trading volume )
SNS (Monthly Active Users)
<
30,000,000 76,000,000
20% 20%
[Sources]Gaiax (2018), Jetro (2017)
-
6
Japanese "fragmented" ID Platforms
Fragmented ID Platforms established by Japanese big companies (Cont.)
..as the result, everything become “fragmented in Japan.
(when they want to tie their customer to their ecosystem, the easiest way is tying their customer to their payment method with
their own mileage program.)
..and today, third party QR Payments are additionally joined.
Rakuten
Ex.: Payment Method Acceptance (at Seven-Eleven)
(Prepaid)
(Credit Card including Contactless)
Railways
Seven-Eleven
-
7
Japanese "fragmented" ID Platforms
Lack of Interoperability between Platforms
Japanese Big Companies like to establish their “Original Format” Platform.
And they want to keep(enclose) their data on their Platform.
Ex: Large Railways said
we connected our mobile
APP to share time table of
every companies!
…but just jumped to each
companies website...
[Source]app-renkei.jp
-
8
Lack of Central Social ID system in Japan
Heavily dependent on Driving License for KYC process
Almost of KYC process in Japan, Driving license has taken up dominant position.
Ex: Issuing Credit Card
First Priority:
Driving license
If don’t have Driving license,
can choose from; passport,
My Number” card,
residence certificate etc.
[Source]JCB
-
9
Lack of Central Social ID system in Japan
Failed "My number (Japanese social security and tax number system)" expansion
Japanese government want to expanding usage of “My Number” card for Japanese Social ID
system.
…but today, almost of Japanese people dont use “My Number” as Social ID card.
(Only 10% of Japanese people have “My number” card.)
Storing Digital
Signature that can
use Public KYC
…and it can be
readable from some
of Android devices by
using NFC reader.
It is able to request
issuing “My number”
card from vending photo
machine.
(It sounds convenient! )
…but it takes about 1.5
months to get “My
number” card from local
government.
[Sources] Ministry of Internal Affairs and Communications, DNP
-
10
My Opinion
Necessity of “loose” ID federation in Japan Market
<From Companies Strategy>
Some companies (I assume NTT docomo, Yahoo Japan and Line) want to take up a dominant position of
Social ID login. (of course, including Facebook and Google)
But, I assume Japanese old type big companies don’t want to establish external strongly centralized ID
Hub because they want to stand directly in front of their customer.
<From current situation of KYC process in Japan>
Japanese KYC Process is heavily depend on drivers license andverified (and met AML law regulation)
KYC data is stored only at Banks or Credit card Companies in general.
When the sharing economy is expanding, I assume AML regulation is critical problem, but most of
companies (expecting Financial Institutions) dont have such data.
In Japan, I assume LooseID federation between companies, financial intuitions and
governmental bodies is needed.
To realize this concept, the scheme for DIDs and Self sovereign (especially on consent
management) will become Key Module.
-
11
My Opinion
Basic use case
Car Share Platform
Car Owner
Register to Car Share Platform
User
Use the car through the Platform
Pay Fees
Today, Boryokudan (Japanese Mafias) isn’t prohibited strictly buying cars from car dealers.
(Actually in Japan, Boryokudan member ride cars normally)
When the scheme described above is worked, Boryokudan can get money by lending their car.
(From AML view, this is not permitted)
I assume Car Share Platform Provider want to get KYC information of Car Owner and User
easily.
Get Money
-
Thank you for your attention!
-
Automatic Identification Standards
Shigeya Suzuki, Ph.D
Associate Director, Technology Officer, Blockchain Laboratory, Keio Research Institute at SFC
Associate Director, Auto-ID Lab Japan, Keio Research Institute at SFC
Project Associate Professor, Graduate School of Media and Governance, Keio University
shigeya@wide.ad.jp
11 November, 2018 @ W3C Workshop on Strong Authentication and Identity
-
UPC
-
2016
UPC to Product Information
323900039629”
15
https://www.target.com/p/vicks-vapocool-medicated-throat-drops-menthol-50ct/-/A-75557582
-
2016
GS1 Standards
Identify, Capture, and Share
Identify: Standards for the identification of items, locations,
shipments, assets, etc. and its associated data
Capture: Standards for encoding and capturing data in physical
data carriers
Share: Standards for sharing data between parties
16
https://www.gs1.org/docs/architecture/GS1_System_Landscape.pdf
-
2016
GS1 Identification Key
Identify either class or instance
Unique and unambiguous within their domains
Domains includes, not limited to:
Trade items (i.e., Global Trade Item Number GTIN)
Logistic units (i.e., Serial Shipping Container Code SSCC)
Assets (i.e., Global Individual Asset Identifier GIAI)
Locations (i.e., Global Location Number GLN)
17
-
2016
GS1 Identification Key
Trade items (i.e., Global Trade Item Number GTIN)
Logistic units (i.e., Serial Shipping Container Code SSCC)
Assets (i.e., Global Individual Asset Identifier GIAI)
Locations (i.e., Global Location Number GLN)
18
urn:epc:id:sgtin:CompanyPrefix.IndicatorPlusItemReference.SerialReference
urn:epc:id:sscc:CompanyPrefix.ExtensionPlusSerialReference
urn:epc:id:giai:CompanyPrefix.Individual AssetReference
urn:epc:id:sgln:CompanyPrefix.LocationReference.Extension
-
2016
Physical Representation
Barcode
RFID
19
-
2016
Application: Authenticity Verification
New, soon-to-be-standard:
GS1 Lightweight Messaging Standard for Verification”
REST-like query interface,
results in JSON (new in GS1 Standards),
GS1 Keys embedded in URL
Resolver resolve the results
Use case: US Drug Supply Chain Security Act (DSCSA)
compliance
20
-
2016
Difficulty on Resolving Services
Object Naming System (ONS)
DNS Based (part of) GS1 Key to server mapping service
Not used other than research purpose
Discovery Services
Centralized service to provide GS1 Key to servers mapping service
Design work suspended until there is a well-defined demands from
industry
But.. Lately, there is renewed interest in mapping between
identifiers and associated data, together with verification of
identifiers
21
-
2016
Difficulty and Possibility
GS1 is the standard on product and business entity identification
DID focuses on digital identity
We need cyber-physical link other than human
Allow to use broader range of IDs (including GS1 Keys) in id
fields makes DID related standards more interesting
There is a good intersection between both of the works
i.e., Product authenticity proof without accessing servers
22
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/10.3-Day-2-PindarWong_1.html b/collections/_2018-W3C-Authentication-Identity-Workshop/10.3-Day-2-PindarWong_1.html deleted file mode 100644 index b75fef54..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/10.3-Day-2-PindarWong_1.html +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: "10.3 Day 2 Pindar Wong" ---- - - -
Law and Borders:
Self-Administered IDentifiers
and
NExTPats: NETizen eXpatriates
黃平達
Pindar.Wong@gmail.com
VeriFi (Hong Kong) Limited
20181127
CC BY-NC 4.0
-
Source: http://i.imgur.com/MWnlkbo.jpg
There are more people living inside
this circle than outside of it
-
The Right to Work Online
Data Model:
Legal Identifiers with Legal Standing
1) Natural Persons (Privacy Constrained)
2) Legal Persons
other types( AI, IoT (50 billion), Smart Contracts)
Data Model:
Non-Lawful Identifiers (does not require the law for
legitimacy)
Netizen Expatriates (NETizen Expatriates)
Displaced People
(Now 70 million: More than post WWII
Future: 700 million -> billion in a generation)
Internally Displaced Persons
Externally Displaced - Forced Migrants
Migrant Workers
-
Scaling The Next Billion+:
Sovereign Identifier Systems - India
Aadhaar, 10 year old, 12 Digit Identifier
Stats:
https://uidai.gov.in/aadhaar_dashboard/auth_trend.php
https://uidai.gov.in/
http://indiastack.org/
Supreme Court Constitutional Ruling:
“It is better to be unique than the best. Because, being the best makes
you the number one, but being unique makes you the only one.--
26 Sept Supreme Court of India Judgement - Constitutionality
-
Scaling The Next Billion++
Sovereign Identifier Systems - China
社會信用體系 - Social Credit System (Public Private Partnership)
Real Name Electronic ID ( http://eid.cn/ ) and CTID (CyberTrusted ID)
Deployment Pathways: TechFin
Alibaba (AntFinancial - Technology Provider (Alipay)):
Tencent (WeChat Pay - WeiXin 800 million active users)
Deployment Pathways: FinTech ( Traditional Banks - Union Pay)
Common CLOUD and Carrier Services (Mobile)->
De-risking and Externalizing Costs associated with Identity Responsibility and Risk for Digital
Generation (DiDs)
Identities issued by the government to citizens for identifying identity
online and offline
Bank Smart Card (Distributors)
SIMeID (Mobile)
Hong Kong new e-ID Card: Deployment Starting this month (8 million)
-
Source: http://beltandroad.hktdc.com/en/belt-and-road-basics
Belt and Road Blockchain
Soft Infrastructure for China’s Belt and Road Initiative (BRI)
EG. 90% By Sea
Tradelens by Modern Terminal +
Maersk + IBM
-
CHANGING ARCHITECTURE: Game Changer?
Hong Kong Barnyz CC-BY-NC-ND 2016
Change in
1) Market Structure,
2) Business Models and
3) Competitive Landscape
-
WHAT ARE FUNDAMENTAL TENSIONS?
TensionDomiriel CC-BY-NC 2012
-
Liberté, égalité, fraterni
WestPhalia
1648
Ice
Fire
EastPhalia
2047
?
Bordered and Sovereign:
Territoriality Principle
No One Above The Law
Borderless and Self-
Administered: ‘Functionality
Principle
No Nation Below Mathematics
-
The Belt and Road Blockchain :
Public Governance Private Business
BLEI
BLEI BLEI BLEI
BLEI
BLEI
Public Governance - BRBC Immutable Change of State for Liability
Private Business - Detailed Transaction Data ( Halal Blockchain A)
Private Business - Detailed Transaction Data ( Blockchain B)
Private Business - Detailed Transaction Data ( Blockchain C) etc.
Private Business: Your Transaction Blockchain/Settlement Network
SA-IDs
-
Hong Kong: Emerging Separation of Concerns
1) Public and Border Security: Public Governance (‘Golden Source’)
Legal Identifier, Accountability and Confidence (tangible physical border)
2) Commercial and Day-to-Day: Private Business (‘Golden Copies’)
Functional Identifier(may or may not necessary have PII),
Self-Administered Identifier (Cloud+Mobile)
Cryptographic Consistency and ‘Confidistance’ - (Intangible data border)
-
Borderless
Communities:
‘Ice
Cryptographically
Strong
Static Violence’
Sovereign
States:
‘Fire’
Dynamic
‘Violence
-
Legal Certainty
“Rule of Law’
Eastphalia 2047: The Internet’s New Legal Layer
Cryptographic
Consistency
“Rule of Code”
-
Law and Borders: Lawful Legal Standing
Legal Person
Natural Person
Algorithmic Liability ( Estonia ‘Kratt Law)
A different ordering principle?
Decentralized != Disorganised
Coordinate without Communicating
-
The Post-Internet, Post-Bitcoin Era
-
Distance != Cost
Centralized != Trusted
Time !=
Money
The Fundamental Assumptions ...
-
Changing Architecture: PULL → PUSH
PUSHDaremoshiranai CC-BY-NC 2014
Analog Supply Chains -> Digital Demand Chains
-
3D Printing Technology @ Siggraph , 8 August 2011 by Kyle Pierce https://creativecommons.org/licenses/by-
sa/2.0/
Digitizing Global Trade
ICE: 23/11
Black Friday ->
Cyber Monday
USD 7.8 Billion?
FIRE: 11/11
Singles Day
USD 30 Billion?
-
Kaizen: Japanese (Change for Better)
Predictable Incremental Improvements over
Time -> Incremental Efficiency
Low Risk
FIRE
-
Unpredictable Breakthrough Improvement
Proposals -> Massive Efficiency and Massive Risk
http://tw.tartoo.com/self-breakthrough.html
ICE
-
Fire and Ice
Poem by Robert Frost ( 1874-1963)
Some say the world will end in fire,
Some say in ice.
From what I’ve tasted of desire
I hold with those who favor fire.
But if it had to perish twice,
I think I know enough of hate
To know that for destruction ice
Is also great
And would suffice
-
ConfiDistance
Selective Transparency
Don’t Trust Verify
22
Emerging Principles?
-
End References
https://www.coindesk.com/blockchains-
killer-app-making-trade-wars-obsolete/
https://www.youtube.com/watch?time_c
ontinue=9&v=L7CuuLYi0Ik
https://youtu.be/e7Pq6WQuVTQ?t=276
37
a) Making Trade Wars Obsolete
a) CES 2018 - HK Belt and Road
Blockchain Consortium
a) Berlin T20/G20 Process 2017
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/11-Day-2-Avoiding-Mistakes-and-Minefields.html b/collections/_2018-W3C-Authentication-Identity-Workshop/11-Day-2-Avoiding-Mistakes-and-Minefields.html deleted file mode 100644 index 50d7705c..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/11-Day-2-Avoiding-Mistakes-and-Minefields.html +++ /dev/null @@ -1,28 +0,0 @@ ---- -title: "11) Day 2 Avoiding Mistakes and Minefields" ---- - - - -
Avoiding Mistakes and
Minefields
Jeff Hodges
W3C Strong Authentication and Identity Workshop
10,11-Dec-2018
-
"common mistakes and minefields while building Strong Auth
and Identity technologies" -- Which context?
i.e. at..
protocol/system design time,
component implementation time (eg, in libraries/packagers, clients, servers),
deployment time (i.e., by Relying Parties and Service Providers)
..?
-
"common mistakes and minefields while building Strong Auth
and Identity technologies" -- Which context?
i.e. at..
protocol/system design time,
component implementation time (eg, in libraries/packages, clients, servers),
deployment time (i.e., by Relying Parties, Service Providers, Identity Providers)
..?
NOTE: the above are "motherhood & apple pie" aspects of building anything
-
Protocol / System Design Time
Carefully define terminology and use it consistently
e.g., do you use the terms names and identifiers ?
Are they explicitly the same?
If not, what are the precise differences?
-
Protocol / System Design Time
Carefully define terminology and use it consistently
e.g., do you use the terms names and identifiers ?
Are they explicitly the same?
If not, what are the precise differences?
E.g.: names are fungible and non-unique, while identifiers are unique and
persistent
-
Protocol / System Design Time
Carefully define terminology and use it consistently
e.g., do you use the terms names and identifiers ?
Are they explicitly the same?
If not, what are the precise differences?
E.g.: names are fungible and non-unique, while identifiers are unique and
persistent
e.g.:
https://www.w3.org/TR/webauthn/#terminology
https://w3c-ccg.github.io/did-spec/#terminology
http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf
-
Component Implementation Time
(eg, in libraries/packages, clients, servers)
c.f. The Most Dangerous Code in the World:
Validating SSL Certificates in Non-Browser Software
We demonstrate that SSL certificate validation is completely broken
in many security-critical applications and libraries. [...]
[...] The root causes of these vulnerabilities are badly designed APIs
of SSL implementations (such as JSSE, OpenSSL, and GnuTLS)
and data-transport libraries (such as cURL) which present developers
with a confusing array of settings and options.
-
Deployment Time
(i.e., by Relying Parties, Service Providers, Identity Providers)
are the employed underlying technologies secure? (see prior slide)
-
Deployment Time
(i.e., by Relying Parties, Service Providers, Identity Providers)
are the employed underlying technologies secure and securely employed?
(see prior slide)
Having a carefully designed deployment architecture...
even though given high-level authentication and identity technologies, integrating them into
delivered systems is typically non-trivial
e.g.:
Stanford Registry & Directory Infrastructure: A Case History
-
Deployment Time
(i.e., by Relying Parties, Service Providers, Identity Providers)
are the employed underlying technologies secure and securely employed?
(see prior slide)
-
Deployment Time
(i.e., by Relying Parties, Service Providers, Identity Providers)
are the employed underlying technologies secure? (see prior slide)
Having a carefully designed deployment architecture...
even though given high-level authentication and identity technologies, integrating them into
delivered systems is typically non-trivial
c.f.: Stanford Registry & Directory Infrastructure: A Case History
Specific actual examples on following slides from deployer of federated
identity
-
Deployment Time
(i.e., by Relying Parties, Service Providers, Identity Providers)
1) SP's requesting ForceAuthN but then not checking the concurrency of the values sent
back by the IdP (ie its not a fresh re-auth) but assuming it is (oops!) [see prior slide 7]
2) SPs assuming "principal name" is an email address - or using such fields as the prime
account ID where recycling of those values can occur at the IdP end over time...
3) the particular values of eduPersonAffiliation (student,staff,faculty,employee etc) are
arbitrarily decided by each site in a federated world and dont mean the same thing across
regions.
4) assuming all federations operate in the same way across the world (particularly when
interfederated with eduGAIN - other rules of play are involved
-
Deployment Time
(i.e., by Relying Parties, Service Providers, Identity Providers)
5) wanting to use the best and up to date security algorithms
loads of partners in federation space are not following BCP and there's a lowering of
average level (for those with REALLY out of date stuff, you just have to remove them
from your relationship)
6) users are easily confused with all the stuff
the interface MUST be simple for selection of Identity Provider and logging in page.
Decent education is needed to ensure users dont just think they can type institutional
id/password into any random user/pass field on the internet!
-
Overall: Trust Does Not Scale
i.e.:
"trust does not automagically scale across arbitrary policy domains"
-
Overall: Trust Does Not Scale
i.e.:
"trust does not automagically scale across arbitrary policy domains"
corollary:
"scaling trust across distinct policy domains requires specific agreements
between the policy domains regarding (at least) the definition of trust,
requirements for attaining degrees of trust, and what it is that is trusted."
-
Overall: Trust Does Not Scale
i.e.:
"trust does not automagically scale across arbitrary policy domains"
corollary:
"scaling trust across distinct policy domains requires specific agreements
between the policy domains regarding (at least) the definition of trust,
requirements for attaining degrees of trust, and what it is that is trusted."
e.g.:
NIST.SP.800-63-3 is an attempt at defining such policy agreements
across USGov agencies.
-
Further thoughts...
Consider implementing a simple design satisfying simple use case(s), and trying it
out in practice, before attempting to "finalize" the specification. Iterate WRT
satisfying more complex use cases and updating the specification.
-
flexitility -- build something that is nominally useful yet malleable such that
can evolve to satisfy further use cases
-
TODO: Diagram: (hourglass shape)
1995: 10s of home-grown web SSO and identity approaches
2001: SAML v1
Now: fewer than some number, say ~ 10 or 15?
SAMLv2
OIDC
WS-Federation et al
OpenID v2 and v1
?
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/12-Day-2-Breakouts.html b/collections/_2018-W3C-Authentication-Identity-Workshop/12-Day-2-Breakouts.html deleted file mode 100644 index be1a5f8f..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/12-Day-2-Breakouts.html +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: "Breakouts" ---- - - - -
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/13-Day-2-5-Year-Roadmap-DIDs_-VCs_-and-Attestations.html b/collections/_2018-W3C-Authentication-Identity-Workshop/13-Day-2-5-Year-Roadmap-DIDs_-VCs_-and-Attestations.html deleted file mode 100644 index 737b866c..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/13-Day-2-5-Year-Roadmap-DIDs_-VCs_-and-Attestations.html +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "13) Day 2. 5 Year Roadmap DIDs VCs, and Attestations" ---- - - - -
DID & VC Architecture
Roadmap 2018+
Christopher Allen
Principal Architect & Founder Blockchain Commons
W3C Credentials CG Chair
1
-
Current Efforts at W3C
2
Verifiable Claims WG, Verifiable Credentials
Anyone can verifiably say anything about anyone.
Identity emerges from evaluating multiple sources of
information, across multiple interactions
Decentralized Identifiers (DIDs), draft WG
Anyone can publicly manage provable identifiers without
administrative interference
Move beyond centrally administered IDs
Provide for a plurality of authorities
-
Decentralized Identity Stack
3
DIDs Root Identifiers
DID Universal Resolvers support interoperability between
multiple DID methods.
DID Methods Specific approaches using different blockchains
DID Documents Proof of Control & Service References
+
-
Decentralized Identity Stack
4
DIDs Root Identifiers
Raw Data Observed facts & transactions
Verifiable Credentials Assertions by knowable authorities
Profiles / Presentations / Persona Representations of individuals
Consent Records of authorization
Reasoning Interpretation & Analysis
Evaluation Risk Analysis & Reputation
Understanding Internal knowledge representation
Services Interactions of value
-
Potential Technologies for Future Work
5
DID-Auth (Authn/Authz)
OCAP (Authz through Object Capabilities)
Credential Requests & Exchange
Data Minimization & Selective Disclosure
Consent & Consent Receipts
Storage (Identity Hubs) & Internal Representations
Analytics & Algorithms for Evaluation
Cryptographic Proofs
Signature, Encryption, Signcryption Suites
Time-stamping
Zero-knowledge proofs
-
https://w3c-ccg.github.io/roadmap/diagram.html
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/13.5-Day-2-Attestation-Arm.html b/collections/_2018-W3C-Authentication-Identity-Workshop/13.5-Day-2-Attestation-Arm.html deleted file mode 100644 index 74a96628..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/13.5-Day-2-Attestation-Arm.html +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: "13) Day 2 Attestation Arm" ---- - - -
Attestation Roadmap
Mathias Brossard
mathias.brossard@arm.com
W3C Workshop on Strong
Authentication & Identity
December 10th and 11th, 2018
-
Platform Security Architecture (PSA)
IoT security desperately
needed.
PSA aims to offer guidance +
designs + software
Open Source project: Arm
Trusted Firmware-M
Arm v8-M with TrustZone
support
APIs currently being defined
Crypto API published
Attestation API planned for 1Q
2019
SECURE STATES NON-SECURE STATES
TrustZone for Arm v8-M
Secure
App/Libs
Secure OS
parts
Non-secure
OS parts
Non-secure
App
APIs
-
Attestation
Many existing attestation efforts:
Trusted Computing Group (TCG): Trusted Platform
Module (TPM)
Android
FIDO
Global Platform
Expressed interest for some convergence towards IETF
EAT
CWT / JWT based container
CWT preferred in constrained environments
(token size, RAM/Code requirements)
-
Roadmap
EAT is the starting point
Interoperability Model
Trust Model(s)
Protocols
Remote Attestation
Integration with Enrollment / Credentialing /
On-boarding
Integration with Authentication
Integration with Authorization
-
Parting thoughts
Increasingly disaggregated systems (Cloud, IoT,
Web) with many components.
Attestation is a building block for trust in
connected systems.
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/14-Day-2-5-Year-Roadmap-Authenticators.html b/collections/_2018-W3C-Authentication-Identity-Workshop/14-Day-2-5-Year-Roadmap-Authenticators.html deleted file mode 100644 index 8d6b13a6..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/14-Day-2-5-Year-Roadmap-Authenticators.html +++ /dev/null @@ -1,20 +0,0 @@ ---- -title: "14) Day 2. 5 Year Roadmap Authenticators" ---- - - - -
©Veridium All Rights Reserved
Authenticators
-
Convergence
2
-
-
Source:
StorageCraft
-
2410-2017 platform configuration options (ISO 24745)
5
Storage
Matching
Mobile
Server
Mobile
(FIDO UAF, WebAuthN)
Server
Shares
(both mobile and server)
©Veridium All Ri ghts Reserved
-
6
©Veridium All Ri ghts Reserved
Storage
Matching
Mobile
Server
Mobile
(FIDO UAF, WebAuthN)
Server
Shares
(both mobile and server)
2410-2017 platform configuration options (ISO 24745)
-
Storage
Matching
Mobile
Server
Mobile
(FIDO UAF, WebAuthN)
Server
Shares
(both mobile and server)
7
©Veridium All Ri ghts Reserved
2410-2017 platform configuration options (ISO 24745)
-
-
1. Biometrics Should Be Stored at the Edge
2. Biometrics Should Never Be Stored on a Blockchain
3. Biometrics Can Be Accessed Via a Blockchain
4. Biometrics Should Be Under A User’s Control
5. Biometrics Traits Should Be Reliable
6. Biometrics Are Part of an Ecosystem
-
Biometric DID Authentication with IEEE 2410-2017
© 2018 Veridium IP Ltd. All Rights Reserved. 10
RP
DID
(with VID address,
uid & JWT
encrypted with
privkey & RP’s
pubkey)
uses
did-auth-relyingparty
Universal
Resolver
DID
DID doc
(with pubkey)
VeridiumID
uid
(decrypted with
pubkey in DID doc
and server privkey)
session
push notification
blockchain
1
2
3
4
5
7
6
auth result
-
11
©Veridium Al l Ri ghts Reserved
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/14.5-Day-2-5-Year-Roadmap-Authenticators_-Gemalto.html b/collections/_2018-W3C-Authentication-Identity-Workshop/14.5-Day-2-5-Year-Roadmap-Authenticators_-Gemalto.html deleted file mode 100644 index 67fe2a5f..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/14.5-Day-2-5-Year-Roadmap-Authenticators_-Gemalto.html +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "14.5) Day-2. 5 Year Roadmap Authenticators - Gemalto" ---- - - -
The impacts of European regulation PSD2 and
Strong Customer Authentication on e-commerce
Marie Lathière, Digital Strategy Banking & Payments
-
Mandates
Objectives
PSD2 will come into force in September 2019
Foster innovation
Protect customers
Issuers must open APIs for account
consultation and payment initiation
e-transactions must be protected by
Strong Customer Authentication
-
Strong Customer Authentication (SCA) and Dynamic
Linking requirements
Dynamic Link
Fingerprint
Face
Voice
What I Am
(inherence)
PIN / Password
What I Know
Device, token, card
What I Have
(possession)
and/or
and/o
r
Strong Customer Authentication (SCA)
and
Transaction
value
Transaction
Payee
Authentication code generation
-
3D Secure, the natural solution to comply with PSD2
E-SHOP
ISSUER
CUSTOMER
1. Checkout
DIRECTORY
SERVER
2. Authentication request
3. Authentication
4. Authorization Request
NETWORK
4. Authorization
Request
-
« Due to 3DSecure for PSD2, we expect our
conversion rate to decrease by up to 10-15% »
Bilal El Kouche, Head of Payments at vente-privee
(#3 online retailer in France)
-
The real solution: let Merchants keep control of the
UX:
Delegated authentication
-
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/15-Day-2-Browsers-work-with-Authentication-and-Identity.html b/collections/_2018-W3C-Authentication-Identity-Workshop/15-Day-2-Browsers-work-with-Authentication-and-Identity.html deleted file mode 100644 index 98f861a3..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/15-Day-2-Browsers-work-with-Authentication-and-Identity.html +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: "15) Day 2. Browsers work with Authentication and Identity" ---- - - - -
-
Web Authentication
User Journeys
Simple Secure Authentication
Steven Soneff - sso@google.com
Dec 2018
Original Authors:
UX: tringuye@
PM: cbrand@
-
WebAuthn enables user journeys that are
WebAuthn / What is WebAuthn?
Simple intuitive and easy for user
Secure resistant to phishing, re-use, etc.
-
Authentication has two core user journeys
WebAuthn / FIDO2 enables multiple use cases
02
Re-Authentication
User does a repeat authentication to a service
...The next slides will walk through these user journeys as a user might
encounter them on the web
01
Bootstrap
User authenticates to a service for the first time
-
Elisa opens launches her
mobile browser, Chrome,
and goes to
Tri-Bank
1. Registering built-in authenticator for reAuth
(mobile web)
Request
UV=true
X-Plat=false
Result
credential
(internal,caBLE)
-
Request
UV=true
X-Plat=false
Result
credential
(internal,caBLE)
1. Registering built-in authenticator for reAuth
(mobile web)
She signs in with her
username and password
(+potentially other factors)
-
1. Registering built-in authenticator for reAuth
(mobile web)
Tri-Bank shows a promo
asking Elisa if she wants to
opt-in to use Fingerprint
to sign-in.
-
Elisa comes back to Tri-Bank in another session
-
2a. Using built-in authenticator for reAuth
(mobile web)
The next time Elisa
opens Tri-Bank on
mobile browser, she
gets a fingerprint dialog
Request
credentialId
(internal)
-
2a. Using built-in authenticator for reAuth
(mobile web)
Using only her fingerprint,
she’s able to sign-in
without using her
username + password on
mobile web
Request
credentialId
(internal)
-
11
Using built-in authenticator for reAuth (native mobile app)
Elisa downloads Tri bank from
the Play Store, she
launches
the app for the first time
to
sign in
to check her funds
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
Request
UV=true
X-Plat=false
Result
credential
(internal,caBLE)
2b. Using built-in authenticator for reAuth
(native mobile app)
She installs Tri Bank from
Google Play Store and
opens the app
-
2b. Using built-in authenticator for reAuth
(native mobile app)
Elisa chooses sign in
and also
chooses an
account.
Request
credentialId
(internal)
-
2b. Using built-in authenticator for reAuth
(native mobile app)
Elisa now is asked to
authenticate
with the
fingerprint dialog
-
15
Cross-Platform Bootstrap
Elisa wants to sign in
to her bank on her
desktop computer
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
3i. Cross-Platform bootstrap
Elisa chooses to sign-in
on her
desktop browser
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
3i. Cross-Platform bootstrap
Elisa enters her account
username and chooses
to proceed ‘next
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
3i. Cross-Platform bootstrap
She’s asked to verify
the new device using
her phone fingerprint
that she’s been using
to sign-in to Tri-Bank
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
3ii. Cross-Platform bootstrap
Because Elisa has a
Macbook with Touch ID,
Tri-bank can asks her if
she wants to use local
fingerprint on the
device.
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
3ii. Cross-Platform bootstrap
Elisa gets prompted to
try using the local
fingerprint on the
device.
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
3ii. Cross-Platform bootstrap
She opts-in and
continues to her
account
-
...when Elisa comes back to Tri-Bank on the Macbook Pro
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
4. Using built-in authenticator for reAuth
Elisa comes back to
sign-in
on her desktop
browser
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
4. Using built-in authenticator for reAuth
A fingerprint dialog
appears
above the sign-
in page and
Elisa
touches the sensor
-
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable
SK
4. Using built-in authenticator for reAuth
Elisa’s identity is
accepted
and she’s
signed in!
-
Note that we’re inheriting the
strength of the credentials from
the initial bootstrap.
-
Summary
Web Authentication
Simple - avoid typing, avoid passwords, minimal decisions
Secure - passwordless, multi-factor, phishing-resistant
Steven Soneff -
sso@google.com
Web Platform Product Manager
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/Health-Care-IDology.html b/collections/_2018-W3C-Authentication-Identity-Workshop/Health-Care-IDology.html deleted file mode 100644 index b1eb8e9b..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/Health-Care-IDology.html +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: "Health Care IDology" ---- - - - -
Health Care IDology
Allen L. Brown, Jr., Ph.D.
Deixis, PBC
Seattle, WA
abrown@deixis.digital
W3C Workshop Redmond
December 10-11, 2018
1/3
-
What needs an identity?
§
payers
§
providers
§
data
§
patients
2/3
-
What needs an identity?
§
payers
§
providers
§
data
§
patients
2/3
-
What needs an identity?
§
payers
§
providers
§
data
§
patients
2/3
-
What needs an identity?
§
payers
§
providers
§
data
§
patients
2/3
-
What needs an identity?
§
payers
§
providers
§
data
§
patients
2/3
-
δεῖξις (1) mode of proof; (2) proof, specimen; (3) display,
exhibition
deixis (1) designating words relating to the time and place
of utterance; (2) proving directly
2/3
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/Use-Case-21-with-FIDO-Proof-of-Presence-Key.html b/collections/_2018-W3C-Authentication-Identity-Workshop/Use-Case-21-with-FIDO-Proof-of-Presence-Key.html deleted file mode 100644 index 924ea7c6..00000000 --- a/collections/_2018-W3C-Authentication-Identity-Workshop/Use-Case-21-with-FIDO-Proof-of-Presence-Key.html +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: "Use Case 20 with FIDO Proof of Presence Key" ---- - - - -
Use Case: Over 21 with Proof of Presence Token
Purpose:
To provide reasonably high assurance that a claim of majority is valid for acquiring
restricted resources.
Goal:
To allow online purchases of legally restricted resources like alcoholic beverages in an
environment where user identity attributes are distributed among many providers.
Actor: Consumer of restricted resources.
Actor: Supplier of restricted resources.
Actor: Verifier of claim of majority (also can validate binding to subject)
Actor: Provider(s) of late binding tokens and client-side code
Preconditions:
1. The Consumer has acquired a late binding token from any provider at all.
2. The Consumer has registered an over-21 claim with verifier using token.
3. The Consumer has established an account with supplier using a DID or other
persistent ID.
Scenario: Consumer signs into supplier and has never purchased liquor from this site.
1. Consumer selects to purchase liquor item
2. Supplier asks user for over 21 proof with a nonce.
3. Consumer sends verifiable claim of over 21 they acquired from verifier.
4. Supplier asks verifier for proof. (This would be by redirect to verifier through user
browser)
5. Verifier supplies validated claim (or statement of non-revocation) bound to nonce
by redirect to Supplier, if this VC is bound to the users session with supplier, it
can have a lifetime of the duration of bound session.
6. Monetization is by direct micro payment (on the order of $.05) from supplier to
verifier.
Alternative Paths:
1. Consumer selects to purchase liquor item.
2. Supplier asks user for over 21 proof with a nonce.
3. Consumer asks verifier directly for proof with nonce from Supplier.
4. Verifier asks consumer to enter token for proof of presence.
-
5. Verifier send validated claim with nonce of supplier with short expiration time (10-
20 mins - alternate life time of duration of session).
6. Consumer sends verified claim to supplier.
7. Monetization is by advertising from verifier to consumer.
A different path using biometrics:
Yoti, a London-based startup which wants to become the worlds trusted identity
platform, is one of many attempts to provide such a service. Its system stores
government id documents and biometrics. If a user wants to buy a bottle of wine
at a supermarket self-check-out and needs to prove their age, they scan a qr
code and take a selfie using Yotis app. The retailer can be sure of their age, but
no one has seen their name or nationality.
From the Financial TimesTRAFFIC
LIGHT PROTOCOL (TLP)
FIRST Standards Definitions and Usage Guidance Version 1.0
1. Introduction
a. The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing
of information. TLP is a set of designations used to ensure that sensitive information is
shared with the appropriate audience. It employs four colors to indicate expected
sharing boundaries to be applied by the recipient(s). TLP only has four colors; any
designations not listed in this standard are not considered valid by FIRST.
b. TLP provides a simple and intuitive schema for indicating when and how
sensitive information can be shared, facilitating more frequent and effective
collaboration. TLP is not a control marking or classification scheme. TLP was not
designed to handle licensing terms, handling and encryption rules, and restrictions on
action or instrumentation of information. TLP labels and their definitions are not
intended to have any effect on freedom of information or sunshine laws in any
jurisdiction.
c. TLP is optimized for ease of adoption, human readability and person-to-person
sharing; it may be used in automated sharing exchanges, but is not optimized for that
use.
d. TLP is distinct from the Chatham House Rule (when a meeting, or part thereof, is
held under the Chatham House Rule, participants are free to use the information
received, but neither the identity nor the affiliation of the speaker(s), nor that of any
other participant, may be revealed.), but may be used in conjunction if it is deemed
appropriate by participants in an information exchange.
e. The source is responsible for ensuring that recipients of TLP information
understand and can follow TLP sharing guidance.
-
f. If a recipient needs to share the information more widely than indicated by the
original TLP designation, they must obtain explicit permission from the original source.
2. Usage
a. How to use TLP in email
TLP-designated email correspondence should indicate the TLP color of the information
in the Subject line and in the body of the email, prior to the designated information itself.
The TLP color must be in capital letters: TLP:RED, TLP:AMBER, TLP:GREEN, or
TLP:WHITE.
a. How to use TLP in documents
TLP-designated documents should indicate the TLP color of the information in the
header and footer of each page. To avoid confusion with existing control marking
schemes, it is advisable to right-justify TLP designations. The TLP color should appear
in capital letters and in 12 point type or greater.
RGB:
TLP:RED : R=255, G=0, B=51, background: R=0, G=0, B=0
TLP:AMBER : R=255, G=192, B=0, background: R=0, G=0, B=0TLP:RED
TLP:GREEN : R=51, G=255, B=0, background: R=0, G=0, B=0
TLP:WHITE : R=255, G=255, B=255, background: R=0, G=0, B=0TLP:AMBER
CMYK: TLP:GREEN
TLP:RED : C=0, M=100, Y=79, K=0, background: C=0, M=0, Y=0, K=100
TLP:AMBER : C=0, M=25, Y=100, K=0, background: C=0, M=0, Y=0, K=100
TLP:GREEN : C=79, M=0, Y=100, K=0, background: C=0, M=0, Y=0,
K=100TLP:WHITE
3.
TLP:WHITE : C=0, M=0, Y=0, K=0, background: C=0, M=0, Y=0, K=100TLP definitions
a. TLP:RED = Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by
additional parties, and could lead to impacts on a party's privacy, reputation, or
operations if misused. Recipients may not share TLP:RED information with any parties
outside of the specific exchange, meeting, or conversation in which it was originally
disclosed. In the context of a meeting, for example, TLP:RED information is limited to
those present at the meeting. In most circumstances, TLP:RED should be exchanged
verbally or in person.
a. TLP:AMBER = Limited disclosure, restricted to participants organizations.
Sources may use TLP:AMBER when information requires support to be effectively
acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the
-
organizations involved. Recipients may only share TLP:AMBER information with
members of their own organization, and with clients or customers who need to know the
information to protect themselves or prevent further harm. Sources are at liberty to
specify additional intended limits of the sharing: these must be adhered to.
b. TLP:GREEN = Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all
participating organizations as well as with peers within the broader community or sector.
Recipients may share TLP:GREEN information with peers and partner organizations
within their sector or community, but not via publicly accessible channels. Information in
this category can be circulated widely within a particular community. TLP:GREEN
information may not be released outside of the community.
c. TLP:WHITE = Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk
of misuse, in accordance with applicable rules and procedures for public release.
Subject to standard copyright rules, TLP:WHITE information may be distributed without
restriction.
Notes:
1. This document uses should and must as defined by RFC-2119.
2. Comments or suggestions on this document can be sent to tlp-sig@first.org.
.
Failed Paths:
1. User does not get verified claim for some reason.
2. Verified claims fails validation at supplier.
Accepted Risks:
1. The consumer is not over-21 and has buddys token to enter into computer.
2. Session hijacking mitigated with HTTPS and session cookies.
3. MitM attacks mitigated by hardware token bound to origin URL of verifier.
4. Note that the late binding token could be bound to supplier as well as needed.
5. The identity of the verifier/validator is discoverable by the supplier.
6. User makes choices on which attributes are trusted for sharing with the supplier.
Post Condition:
1. If validation accepted, and consumer completes payment, the restricted goods
are shipped to the consumer by the supplier.
Formatiert: Schriftartfarbe:
Benutzerdefinierte
Farbe(RGB(17;85;204))
Formatiert: Mit Gliederung + Ebene:
1 + Nummerierungsformatvorlage:
Aufzählungszeichen + Ausgerichtet an:
0,63 cm + Einzug bei: 1,27 cm
-
2. Note that at the end of the process of validating the users age, the state issued
license to sell alcoholic beverages will determine which path to use. The penalty
for the supplier using the wrong path is loss of the license to sell alcohol.
Examples:
1. Late binding token - FIDO U2F token, TEE TPM VSC, etc.
2. Client side code - javascript in a browser, native app, etc.
Dependencies::
1. Web Sites must be trusted before any user information is released.
2. Trust federations can be used to help users make informed decisions.
3. User consent and trust must begin with no user information transferred.
4. Standards exist to collect needed attributes where-ever they may be.
Workflow Diagram:
TK
Formatiert: Mit Gliederung + Ebene:
1 + Nummerierungsformatvorlage:
Aufzählungszeichen + Ausgerichtet an:
0,63 cm + Einzug bei: 1,27 cm
-
-
- diff --git a/collections/_2018-W3C-Authentication-Identity-Workshop/W3C Strong Authentication and Identity Workshop Report.docx b/collections/_2018-W3C-Authentication-Identity-Workshop/W3C Strong Authentication and Identity Workshop Report.docx deleted file mode 100644 index 339ccc283f5a99a6920ad3f24185ab9fb018a0a3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 43258 zcma%hW0Ymhwrm+)wyVpwZQHhOyUVt1+qP}nc9*OARe$%KGw%EG&UpLJ&b`K3Idab# zGa_TIl#>JoK?Z<;fB=|A8ju0_Umy7Iv8%0v5v_@>t&_0>J&l{SRaMf4%?2HGaE{)M z-YHKVj?sYLB6+Y0CDZ64{#hwvU6CMLdDs!fU^T*xkE$dh*S+ZXtvP z-$avyI9H4qK=@f?1p%>dGp~uRxE_u&28ss11gzfJ=lQ}G&lnCEkJ_40ePZHt8WA)# zCBFja3Rt4+F($F|7cFXD;fq!p#=^YZh^v;JD+HSSV~`ViR{Rg;d3=+2#zmErYDjUX zY)7!IdC^_uEf%9Hbz=Uu0)tRIFIbJWc&v?u!z!j5Do-)*s!)w^pPg+f`H9%;&xF`~ zly%EVXbZ4qkBfF^*g>}R*-Fp-V>hK-_&Nf;yE?od}tSm?e!KlSE-RlXh>`*`j`Or8?s zOFP6&H3C|hY-prqEl16XH?gu|ve6HW4anwm)J>z%CRoB?SSECj4=m1=@%$t0N@dvH^ zRmrl0+ryd$vr#Qa&6LE6w^GP&TuA-&C&@!A^OO_oH&9dwiiL+~=R57*`A<1Xa0tqT z#!6@)0041t006oFCz25VjU*dqYXf5ka~spYSh~uXh+d~d4$jHF@gs0%KNLVD!%P(x zRcyjkR_62uNI*A;qK!M~y@l3xTCsVz@{UjE>o>-Omq;{sRzcw5>G96Yc^He(+To&K zPd7+|?*k9sYK}xb{sjS<107id=c>wGkVG~pC~rC)Z^)CeN` zMumB)|SRG)9kD>5Zl9>uUHp0~X10*7jfKVVTJtNxqbyz|KI#TKW zOJYAfjxSs&a*3dbcGwVccZqN&wxqH{sttvIoKAHuym(OQhX0m`z&^gB&T+|!Zd|z7 zSXc^U>SStPQ3Z-P{mjwCsclwjlrEW|S3F3o)<%o+cpLF|+qOFj5{OpJitw;Rf7*xlxMBYyXydUr{NQJu}nj1g9uAH%!RNdcJTzqp1p~!z)ZKa>XK{N70j17_;W; zI=i6x4z97w0!W62Zjl>43Xxbom#4V0>Gy?qX@)sVkW3jY!Y4Yq3QPV*nUaT9_^ClW zyB5m=rwVkmf<&E$h|@l>4~0OFuMh1oFUTv|(81EgPv8sD z#W~K7#w2sZn8T}>BXc$9r-cYAL&K6wL>;aCWJ~$bYPF^$^E7Dr>s^HfbM)1Uf^-Q& z0ehDY^-^mTo3w3rvPGvz=CRB98ITX5%tNI|J6{VziTl>~cMU?x>vd7PUt7>(L8r4{ zORwfG^)0F!R43^6^7IDmzlK1zzgl`X*4;1u8T|W}s;rjnwN4m&KJS z=MOUwOD0w+H0B~w_8V#E^VaYt@67gd#DcWOHwu|r%q?6`7^P~U{Ul|Cl=3RQ5u7=`7%2b^kQpv4N92VUG}m$o)F0{P-D`U3suDpg{u7sj;b$r z@D|G}57+1T3WQ)Jy@9{4w4*F_N{I~1+g!;lv`%gQMRHx_Zis|e5`()>}_ zssElm2)cOZQm;32M-|ZZ@xi*&q@nmFc(*{yviMgg_%AFv8h{sWkm}pG_!~S~IvB<> z)2IiSFuGEh&~Hjt{9~289XZhrC{0-P#k($Bpn)^u?G1M|g_UZ}13n6@ccO}yhtjy& z)vte(sN*yQ`GM>^rI`45tUocd;Io?AN4tUNn~3+3;n)PPi=5Y0#%$$d?>&A1QXGx<5# z{}+Y~ZLO`1ZJhqW(3QrN!v+hykAF9C@QOyh*ck7g&~)ol;Z$UThm|wK0v1TM&>&tf zAm7~mf@vS`T4Oqe6&%Mbc$}7A52!2J`!By8UpEQRH9r=uu{N|wQe40>rO6|Y>(8ba zw)Wf5I;CMHGDt^TsNr|J*NJxm0}5$=4MBMRbTVT{+B%j9ubo;D1&d({;IJslB1MZk z`I^tf^ARqrJR1>eU5CD_WjN9V#+qPxN7@yJa(oeTQw@x!dKqGc3KUa0T}&A7&@G80 zk-E*Ow#HLScs4L%>3+tA+#>I}T6%Ln7G94qX^M0oVVBS*wFRJoxbShgJf}?ap{h@+j3d~#gMa3TP zF361`yt?P6AGuW5c)7__&Ka@ZcxnPo)&N33LGo4!2UnDA%rYkL-g2F;@rE+1nWbID zEqo~I`wA0i;2@{;LYlv9&3Y`8Ogo%%e)D_M0|zYR07GE;O=v?B2@5%9kW~t)BGx!a z5)JvE-Is^DaXp({lN6(#Kp1plN%zaU)j^QXJrbm6eQEm}uYyk4dGS7z{LWF0u;J@O z+3rHw+UX5H?!Pu~Tc`=_qZ%(Q&e_+%3@ll~yKd~@0y5Iw9qU>P=Ge&I3AJqlS%^d9 zQWn87zq@e%>r1VsqDXLc~3i-X{m4*ESsu>_Q z#OcZP#xx!sOI1sck|e;Qg8@)UbrcqkakXe-+`k$y#m}*hK7jqe!DyLh^90CZ5HUc~ zbcDTZnQW)BTi4$D(i&2};}4eQ@Sc)|t`hz7&m==z>`47g!*dInAVK}(Az(Sf8t4*Q zp|K<;>p$bhS-B6>4dP|+D@+&1QFZCO0-~dda_vdVkea`JYzp;P#j2%MlUwNfe@kp# z`K|6Ej_N>mCrfX{W7+|h9%yk)*^-8S%}s7H2I$W8;Q#Q>_nWS-nTXhFpKJHnmRgkx z0PF(1xrgGDsw7~F9#d7*(N9V~L}kGf6RVBoMYI`3T-K7vOeF7c-4vH~fzTFqfeCkK06Y>oDn9 z+S(yCBLI;vHLq@Aov^yzAtz4(o_+_Z{s((F)E6mZ8Qj^>O%`nU%M(9!WRSTtd%ND( zUO-@Q=q1x#zk(&QU2Q0Km?jYQ&Um-KHA_PJW98DF3>0+W(Bha z{{;UG~BMMZb;?x&i{Yp3&&!95S8+0n#maAv0ZFo1`L(iCG0Zl;l_Vn> zv>M3~C~Hb6u{GJY)yc$|_nym;^%2O5J7elzGl?r>lHfsSDq+b?a}Z16XD4?6Qa6oj z#|a$ypZjuptZrpY-24^TSSFvEZ4dx}C&K?mj{n)_n%LSnDd`(n8ULfOiR#}93m+^y z%L(DtLJTS{4-prT&+nh_eeU2#&mJFYHxOHIf!yV3ZYi0SFQ>$9ws-r-gzaN!qvNLr zF*p%z6}fu%l$w9ACcd`wURd9Fd@ww3nGEx+;swj51vvk8QT$%2j`5l%i=Ne(2E&lws@d3>hh|Vh zVXZPTJ8Xyyt{w6iFsyaUjLAUX*R&1EF+H(U2aa0PG))LH-JRos(oEBoOUQ zsH!)iEaJUUhew|1?dQI*R8uHSHvy?|V&ac9$4a39CZyxTNT}IFPb^0`Y0iS%D|l|e$Rd6kf^x~cc`pFR010WrU8B=z zMEH3mvkl^(6)r3@G?({HfFX>3<&|)4dCH|nN6_;L{Ft={SS!kJ%kGOVD1NVHfZTHS-0L6MQ&lvGh__$dm7BjF>TA;+Yll}AsL1@GJAx>&NX+ipFJ5T zv5e>b9ZK1g9h6r zUFAgI!Ybm9q~A~MLx1FG2ZxWo3?#0vTdeQ??A-XldHF*4DE`OpV_n7ds9X{i?!6j( z1o6I6?Eco?XM_8fB4L`@R6njwr5*OqU{{^7_2_9y`4xD1xCV81kwv-(k@chgc@p}S zsLG-ATDh0PLATR)(aIhe^cyMHbgspPMsU||l&_d9LoJ}5W4krA%NQi|2DOJ$5*9dK z@w=iV+n-kyB@+@&j1hhZey*S+wts_AR+3!Y{{0upz60_9ws&y<4uYeTyOr@jTY@E3 zYuRtme}TTkDR&FbKN>3w^Ft4^gw;W=!nG3F81AhmUo|G`@^XeH92Y5*iP62xZfD)J zJvf@ad$`FSqPir_r3@Lr7#m$%9+&oGTGWRbXCuj#k$O0~47}nBgJXB+{ zj-(!anth-?8lx-C26+t7!ch7}ELO`PuQn0vkwxL1@(SZYk5jvYA4f2r65C=+4 zrYmN~_H?!f=Jza9N`!HT7D5k@ zL-oTB;8S}E%%{w?B+Fpe_-%0lrVyx4j8~Sf)LmXLSTjchM{lQ;SG67dq+Oe+dd0&7 zW_#B9lKNweF}+b>SpBoe zagVd$G>6UT8s{wMw&cx=KJ1X+=j7w)r5wvR7Q?5{H& zj*>r=S*?H{_>VjWMJ3_Oow4S;sVnADD=R%G39$7fwgeaWFiNDlMSB6{Sg)e?%a~`N z)1u>6xh?(EY_`fSsWV0`%Zu8y8m@{l9LLr2Gi{bLa+z@DQ5=`i6Y6{@v0i`PCIaqy zOfzix3cx@7F{L(8R3k5S?Smj*LD>lo*1P9aW;mzDV^6TS1@8>OsF(Io02RZDLslR< z!{Pc{e-CatET9xUWpMog|69W1v3?c7-`A#imf4rfQt)cVZjr~6j8t*HIjn?#I zluPd1dgX?(Na~9PUDG!y^7;g}EGMnHjxJNzW*L4WB771^Oc3IUp0__*eM(a*S-P5z zIHuQyHAXvVc;w@8*cwbOge7QTELeavg7eZ{}OTY@=l%Nq7?GI#S z4Pw>Bk}xAQK=@!oU?_m<9@&u=-ZMnCa3c&W-SNP+re8B%{N6%avmTVCRlvY8X<3DB zBNZk9`$5Z&902&N_C(qvuzk{Y9A8j5_7=t&4>}8mKum~B`nuIWvJK;deZ-2f^BeJi zZgeJN@Yy|`_6#JL5PC9zMBuFs8CMdK&BMrt>Uy^bq%Q?M!=~CFlI}YU8JoNPp_(qbVM7PDCC!cp>W#mIg!RrFnE=j@|KQ^W< zh&5l~h!q0YF@(=8W%6duObSZ>DdZXPMAP-29Y+FlI*`eIc9iA3W$?&K$dILDqJIwQ)-j#BySL8&W)$Ew{g^^EB_eJpoD`5;Duk_Dr3EJ<=9<;SQLR2sB+s6yR zoS0R=;$IrK6J?p4t7bokmFAIp*w$yG!eooS9E*zq11v|7v%RL3dvz{%;dDDca=~+l z3fU=Si9fc;X>OqG!|=R|`SA9DWI=3OrE0ZlCs*JaUr^`ZO+IyNzzNK+W1fU&3*Ax; z7bdSBHgH70KH%=Fztm@A9=c+iwEoERf9bp}bFR_8taPS=5-wJ{1*TthY4c}PZFQC9 z#K;-0K`^t}2Wp_i$VpzWV5w&REHq4tk#qdM%xWLFjuJDgESCeKLuz8K6e(x92GR6= zGsh0Azzb>Hn6Fjy6x^6JZ5pqN$MX&P^aNjXO_w~U*;UA^U2_VI=@alRAkjyTIg`e+Apuiw)bOfS;aQLDb_D= zs^izIH9zrLUiH^6SJu5Tl?q~MGp`OvSr$LZ^jRv_y%521g*rU6DqMC&1tGzC=_Lq_ zaqcR9q#xe)`v-u`#ApIKB!mbFGgPPw#{M7+KQgL|={J??ES>Squ?x=M2z9FebUE&# z(c=T-&iU=o>GtSSA%gx)!fPoWhR_iQ<7y{TfJ@=Jd)DDP+W_!`RPU58Sh(xN#_oYh zNf=<_^?Or<9e}$=Sd2%MOCU)Qx1OI5KfriU2t&;jk{n{mN(i?;ZL-c5A9^B62*)Wa z%4bo~r(22REXwwp-|o;Q<@Vy(wCRG8ytQ$M?4I&qiHN#P>e!c=xA*L$f}H#U`n9Gj zCE&CA=ACoQWs+oy3-vA)FQOgQj0MBI4m9{Ai14a;m~UC&bi;Wz9fSL^T1{59M2}N% zN{pxS+p)!<%CRS@_+YNq`6{TREqz|SxY#LM{6Z_7{G<`?lMt+sG#85?X*HCfhFTzQ zP<8F6V-jtrB7C&$CvB0ftvNg$JN4nU3u%V@jLaAFzN$HXLEDo;_l?Y%`z?M)1Ss$V zC0u0wC((OGPvqf197`7f%Ad0#eoNMy)eo&i(cD%$ksO#nkh#s37;uTP*fSJeo)SQ8 zfOZP09eeH|AeK?n9e|S~aBp?*JEJcjehd&FTcJCiwGzju7H^hA`E4q^<&#`WYW>`k z9FId?(L-Iu`x@5tXjHUK`#*vDEfwriIc0PSf|%}vfYzUu_eEJuHH*qUyqCOHJP%vz zYd?GbXcmC|`S`RYMJUDfInV3A<2oM%#*}@RZMX61>CJT6!S&_w5j-A76+ZP09Ko$K z+nS&BRZD3Y-O-Y8dVHkYs^le>x!|?cQx_x-Bf&l4?K+K46C#M%hPO3>OB z!cQc}^wlZgqcOmWc7zN#h#7kzY{yYAlF(p=e=r&cL30AqRhGboy643%rvte`K!KG*{m?J3IJ_Co`zYrQ$&U z_wP*m=R^I2v!x=|yP8zA%}Q7}%>{Z-D!2(LgC3Dum2)rA%-A0KF>tL8P0#om%vx|WpOq&q`Gh;@?i973}sghr7qgvP&<5t)Ji9y`Ljj@kI?J}|8Sk5A8OLcL>z z){jn{jAxPp8uuH3JUp5klfNIQZ&FSK@=Vi!6vLL+R6KJOs^Z9BwiB}EHr?b7(_nzs z=m4(nH#=o7ZuTH6OVjYgSL9@GPhz}mU89KZ=-RA|#EH(VDtlpfP{Coh=n_;&i>X|M46i?gE-&D zud2XuNo;5AWe;K_J!D%4f5`##3=L9!1hMHc-TFRUCj23(dr9Af#>s28WcZ{8)Y1{! z+ttIibEXZT`i|UidN^9!g!B>x*yPA%jUwEuldTerFtYGZ(EG9v%x8KR)}u?RP9i%< zWuXdWK8u<6#V<%)xU7H6DLgcC4=i|;CANwpBG$8#Un2?v9QpeR3npW8STu(h*w8Xl z5{49*SW@^zrz?w2aj3{ObQKqvprp+fXL)BgYT9!dxA(1&|1c}09|A4$zVnM zRqd~?OZJYx>_V)jeCN#ZZKe!g3?tWQ` zDy27f<%mwN!WA)Dtn3O*^VSo5lgcRWxZ6gSU=f5C9bHy>L5=9`CN!Gi8->Nj*POv{ z-HEN+$}n>qFh_o$HdOze%AFnW%tXu?jhs+-2+2v5Ll6_EYlwg#G3|c(kxI#a`gC8< zV8>?CT)cmhs_r~lX$i{c=$@REHts*X{ksUA{!i{+>Ni4+Dw<`ZYYg2`G6T8!ekslK zm1y945+LF~kCG>dPjU^7OrlU}j{Ohd2M`*WQFujX%L&bDs_@LFom5cxv6fwx;hWo( zqUs3EDnjDZEo38*iQtO@KYetowSIZcI*E-xxt`(?Fv9h=3PMSG6iOX92-8 zRkKKz*g~+TfwI`ny<=ttm0Ff zM!`AeqNi2_4EB6S`c>@xu8j4KW9_K^CaA9VTy3=ug=%srU3sW~-^G`1I|Eu%=Ms^z z0=Gdlw{RMWjShuz+Bn_Jw}>UKtc=jGf^GUKzK%hKjp2LwEou<3*chH*3{S&xb^nln zA=Tq>pWCf*=ZX_aUHQmmol)g?=lIiht8Ui=d@_bh{xP0-UF-?LhI^OFZhL$Q+u5^B z9fKX4`R_kjtYolQuH>}%r=SB8X<|qW6r1BhzH3iTTzs*=ShpQ?HH;j7#mb{({B6?nm2d^@CRR zNn!^nMg-Qt8yU*>YKXoLMyl3d>A;w9V3Z{o3a(#`KJ))Q=LjjgZz04}i~qa$&?=qm zxYKzO?Pty=|#DD!mzB?X2~x#(Ory1ZNVj1k2< z+-+-*TMLh=>#D4bM2b%ORvv2-O3!LEhD*3F zX|E;VKI6FY9u2-99mWdiIc4T@Vh@}m_7!O&{9`WTjrp{L#$rcDY558W)Q`5YBgUDq z-9EWPEuq1))V|W)jS0s|?dQ)S-dvM;I2~&slQyoEWBO+yKWSiGtLhqd@w2pAN(XniMFwPnD-lZPKpjiA0b|t} zCJzf@7}6cXQzqv!2D&21-Hwe*?NxmAyzQKGGk1xc?!oGmz2K`fD1Ps_}XFU zYO@ZmT%t2M^UiYD#e(`6%{$?|mFwlUm3c?MjL@C~*dN(M)n;meeLDOOkPO2s&R8g< zX+JG3WM21=(DIq9S}%nL0JT=LJE)#aN;*;JP3P4Bgr(}^Xd6)&#&$-%y2p6Xn*za) zd0u8kb=J`&!fxZxECr7UYe0`s4$rn+wLdoss<&Uu58nNr6ywSb0>M7gUx(1W0i0+9 zZCZ44whH01TjJke>>+$T3Fr#8OK+Sl-aDq=uD|+hN)}cv(>15F7R|447B!+gDz>(5 zubrP<(J~jfN?R|sP!dizCK?hG zrWk$C7gbA;`0is6G1VW1`hcSl2g=khpA8P>)e4E_vJH|%(h_mmXOfmG_h5YkWUSy@ z*o}s;&70U>6w@~!JT?rfoM{_aoM}1F(ztzh&v2T~^PjDF`2*CCuvpoESRAleRztxv zR-;HsD9M}nrcz}9#eM@nLQt0UhN=gCXx8m3h36IK!M2`A(1ZEu-xHqd)ne0U{y4}r zCC)XS;g6}Bb+l7+rHC8|KCji^(GRFvwd(_t4U{U`1QfnY&5?Lh)`<%E0gf^Qi~augf$VaR}|;K zpQx^m1da{MRt^}Q4GgRK>mXF*(3yg;IB`J-d$y8o7Mne{4#f->mQ%*lepL>KrImqT z*SI#SArTf#v80SGRoyz(yu%-7xnHWlXVtDe9602> zw@nx7aRqaqWo9*R27Flw~`;Ub}=M-f%ka>9=wdDy;;M)Swq`z=1Nhl zSq&|>RN#;weSJ$8-_PnuiqPUPuo;ztVX(AlgiuZ#kvybJo2beRtQ&XF*@<7lVwZz} ztKRl&*rh&eO}fln{a>b_FkxE~3kmAXzYaT7350ZMY4r3&){U?3BPuw>5#d`)7E1tg zb`ZYOmdeJBmr*QhRYYQ1JBez{>2l|${DrF==IqCwm&2z`$45CivgFPNMir*vCZ?K+hq zBd{06yQgeo$YXb@TYD_nlXor)NEhst!?4?xB4TU(sA<}@^TGjVVt8K&1Dvb7BTzn! zB!ckrwlip??aElKh645=4S>n{Jc&lQSJs;d6ovPa87y z$CL=9ZS9Q)#ikqz)y)>YbEK9*n3PLCJJUT>?N;Hv*zkrd*kku9LDA8$ZfN+K8=Mi8 z9I#oH{=m|@?`m45Td+@;8L_8pn5R2XxTy+CE19*|qDlcywE!G0y3vH9lRg>w#w;;Q zYowQD-5z5^kkTQN8M{QRp`02Kp>2_v;iBUYXD~@GwxD7CaPHK731+njavI4Y{3%TQ zsK2P5Z_Ioi))x#~t-T1hSBrqLd0-ELMj;qDR@ryECrT385VmVu(>k+qVWzLtKGB@+ z*sINxu(DI8svH7~&66x1wUyd0cHkFi9`mAhq)mz!mUw3cE0Z85tV90PtFtU{kauK8 zs6=V62fM8;=oxXi!Q1T#W_86Eek(wQ~>}@tVta zN}7nBIBrx6<`KpvG^ZjE2;0Y}vGtIJx8jH@Rou@))P=EVMV7XdKOnka5E>K40&9~a z2w|uQWT07F&`31rWcB|`A$`VX-}yz0AI@!x#hJ&cA1yhg1`UgO(cYVarNP$v5Nox2 zO@8VJ)f-IAtmE6FJ8MJ*XQqT@rtx0TC_QThfe3+7HVBX$Xhg;G_$8Jq2o?gpgg0

u!uPhT);b$4E)Y6wj6$5W{2oOT{GEFL!BhnSz;*!VKgU`gns8F~rinu|s_a5@Tj z`joVZs}C$I_*H5^h9*ew6#u`5LVIHYuA5H_|LB0Wb-;~pg3tEpFx*n{jAHVOQ@e0< z>PY{$kj%*yun(;xz=p_Qgve)TV)XrIhF`tHmmOoBCJAdx;I+%fE`E0`+Gw^1wRr?q zc95UnOk0MG`=BTetZF@qAIu!OH~"E_Cse~N>D>UbHZ7S{r{R-{}}3!6nL5avBY zGq~5oiVZP5G6<-Qm#E8O`N2Hyx7RQA8B&^yHGDB=i2ZOfwFo@k1wYxcwcE>%->F^A z3x?S9N?}aZ-TqBtj&`fpY~075b@&*scJqGVcFTN!RJ9I4BPAZhLhxcl;8hv=G(gz9 zqxHe|VCT8fwXUl9wNF-&;vm{YW%Q#5Cl$RWGwTn?#DoF%&neWP@J=4%NeE?l?n8q& zho{`0wdcE<<{eq~1;N_y)jbk4+7ceVj!6_WX}Lbsm3VZc%0d;>)jnoyWG zYkGX!kiKpy%1dQ5ux2ViW?IwlRqi*ao~+@`G`GSi}pNk(ITCXy}LcM1^1W9NwyiVz$NZL5MsCiIQcF;)3w)!D*B?G+tlDmO>W- zJCg~-OCPO~f2K@YR=sp4S&8`^e-X6Vqau$usDvH0KI&TP7l#2RP5bZH=22L!ZboWf z)a^Bc7G;zpTyyTp6Bjb3vyGNQFlhPLHO1cPL=w!pmHn(Oi~3O`$3CMMJPu2xof!vbX8&IECvh@O3VTG|KKdYDt_m~*%x3LOiUby`ydNwjz=E0uTQpo! zWLqN6U=&ielS#ZaG*l2O1T`sF*wyhtzDhI#3iVadVHn7H;1KC*{!9rCoNWmxdLpd} z)lO@?av)fuuCHkFn~S!7889FcIDk4~iztO5(6~P>CpwS&WlUCZq-oz*HbMDJ1o?1S zl_GwtMrG4#t};Lz1=`WsY#xEr>gJ+a30Uht^>;+B*|FG?CENQCImFLa4F$7u?T1wq zoaN>bn5}LO-hp2Lyp;S@qcd@Y?3z8z8s{jzuTGUzikw+w(sM7^p+5&UU^+f@1xa8f zqqI>(1u>{sTYeMJ3Rcp|CZ}Mm^cXPCXK?bb`Du1XosX~At6Ot~#z)+g1ENa!?G3Bm z*_%`U=baC)*JyGzkMGBqZ58In!*fs8ew~?oQ?oQu**2?ixq0xFP2=XPjyR@l4NX^= z?@;G1NlIaWalDgW5D{|})hFg&f2CPqmavauJRIAVAnOy+1ASK(SVU!ZQp|^ZQENMw zm61IfVm3S`!rY&JE@3ivQlL|p{l2!4&e82V-V)cvDOl1Xp<#Yfs6yo`jqHoYmEN$bW62v}W;990(xeFqX@N+H*V2C_$;SdMAa88&r^^RF($Z-gooq z+0lQol-5w}l@>*@aG4<7X^;z^SRB}Az{^2_Djm{2j5$eH9U`a(%O$?Z)|ohuPlGIM zH86JxO!W_jI6kmnqCNdc%P6l_k-#UpexDvE!Y%N@z$iAQT6mj=v}OB8Q}-txj6b=! zeJFF&Edvg|A*LO!xPtUXvtHAKI&>n4`!ruTyxDwWqAq_uzHDNq4T`M5a-b3f8w%5k zAPsA8xcse7875>JYw#@{teTpc^V=h@&mXv43&K6pZ#4P-YAy;R_-o(&MkK&o*Zf5l zd?O0$YI^W(f!lj`zkuwfHX~;775ERc==4LR;{09(4`bTVcFE}o2+$ebekjmdP0J6T z0tyQFxo|D_s!17Sq}zvf7R84Fis)Mon5kmL&>%7Rlr23N?n5rZj)>5)MDGfr z?|Bq>yAl|OE1k+nHFaq1YkXMM;BfC!{QHm8T61DUT#EfVIJYkdl%21Ind?neQgU5e zY&s|qD__SkIBs1|a$5werG;zC?-g!O%Q>P=?K1J!)iuBIT1~(o^sg?ZGf3^I@%ppt zICdx^f;G3)Ov!Jk_jm>4yYla->rmcM0JmH0j^$CQYYmD=oMDkeUz##O{ne(C0=bNV zX*YN`Uz3)8$GJR)2pD26N&Vil@_xnmxN-DJT7@&XUQJ$O!ablJDo>4O5mK#~VaQvs zI)0p{g^u++81z9IkPbn0Kk*CV=C?uo^?f%0u^4fN_UqKlO+&w^_19hfMu<7s4agG# z6Oz4&x)sDMpl7 z39f`wFl!uK&aR#c!=mK^bPa&zK%9FB)08_TEYB&v&?-k@t2e9Evwu#TnB$qVL&1#_K3Tk-=HQ>rI?2d%-`y2x7 z+_?@Alb!56PeU=kN!hK?q+L;F?RO`yVQhdfW}GY{bIc$Dl>%oiu+hHnR2fUeL|Ih{ z>!m>nddGhnKFK*jb3RB&ChfNnxb`oXK6#~yAK<|o_|YYCB;g3d_43lt`pUnc2-SWG z5XF2|X7hf)MIbUTc@q}O_}5xypE92$KNaZpg#!Ev5v#i=tCuAe<^ELT%ek%!WkC8B z9D!NMU7Bk=0nIc`#eN)!AglpZ0nLL*v-1?lbYt81Xo`BaNEzpU>Skk6D_Kk z2U4|yCI-}b3wY8j03^qG*o?YLTYz{?d#_WQpQ%7}I}>JEXkYZPW@zJ#6C6-R_F9BG8rM^)84co@9$j#_D;T&*`~Ww z=%ooVkGB~sFhp5!R_ZK)OR?gQO{J}KMzAPQ8e7v?47Hi`tm(c_yj^f=HM~<6xzajM z*&HxAT(1cz9p~fvGUub)nwT7aa$LOokKmU*)HIvA%`Z#85IU$23>ZF1gZ+r%AQ zzoNQ3Iy{a6JhHk5*JuHhS4q@2UeH7Gi?nF%hNR{NW=W=}<{B}aE!4u5Yx70DqmrXV z3%M^vS{%F!Z`HwOE^ofP;)!o4qePsUdy8N=c{M4bXjN+q__ z@IOC-oQ26>#T`5rrS?J|$uqftc}#deH~`UVbMH_o22HO{!J1Aac{}pr)i=81gR}JLO67~Zx zIR%F}%8#iHu)zZ6&bGWUvMc1Y0;I*N|IZ zDg+G~a*-oa#Gu$N)c=R)qGFy#*nXk9Mf9+QWmzk~STLuR`3L&4>6Eg`(i+JMNc(R}s99SgL zruu42Dz8sk$tMOuo+5{Ga|{Sa8h$|Xr!!ePQ??DyWmTUD6Etc#BZx>0jqOcG1IX|D zP#ai`Fzz=VBu@xHTsyVXBKj{$kgrgx{f_o8y5c0Nakif<69Z%?VWe9lFq9dq$>Ck3 zd*zOd3d57G$5d}vxF<9I^i=UZAEsh-M=4f+Vc4{l1lP&nOuPNr`O`^cw29e35;zq$ z=c#RQyx99(+XlfU3L$S`W9Bx{_L`3yZpvJO)|1K8zZ&s}WJai8DcG^IRbambl#bdG zN(UTh;F83R?xlyq=lA$#lCmey$zGxbJ$0Juw~ zP+1Jr+qT^E_yTH|<&aW*z*l)Lj9=Mkh59*)c%+2kkg6P6g>sby!ylE2M)YA8hlEbZ zG5k`_%MmOfzT(8PUf0I<%08hP?__ChvbS$k1<9RR@5uI0qR+N z@ql~^Xa8hzdLL)SaSDT%PC74|;tl~YNpCW>^*8=xN-VJo5p|bgw4>!PA_25hb9!;X z-B)wE%n{>N#(*kZCmbAE%t)^lo;ojy2bm~ z(FI$TV*}SSfmY4m0;%?yB<>}1Gr)_r_6nMq7_&o7P^jEWj}KNYYw5v$>2^sbkj4;2 z*|~t3Aw8)_B7%+(>FnhT052SlNNB7u6O0uAF`alz<;mASeErbOk6bRX+gD2^8|nSH_KQR1J!7)){#cBT#I z$x3-^i^$)AUQHyq7IJ}*X+JibjwD>3Q$Qp43^?56UfoL^lUu=WvLCHpWs zDG9UJ4x{C}=n9MjjvMEzT|a@aNv*qU$9^k~6H73#AXMWlSrY+yX^#ogYLv9XY~8+$ zsh<15;jImb?%Tqc_wdrEPg$W1)^~;khZ1TFUdXj~e?Qb?BNQdxu|STRQk0>~a=H5H zP_wL4-%OQAgcZCvznZ`(OC}sm7JK6*-M3}pwp$PdIfvFQQ(r^(^EW|XU1oeJLxpN& zUJ|;imBZy!vo}Y^tVFH19mIgeaW{KyR}Eid&Qe63ClZV;pKtVM+MUT6Y#j_|bLduu zGt(xnX!w}geIQP}EPC9hWh9G(!?YllG{;EtwfNumgTH6}LTEfbDrKKR3SZn2GPzfS zU~!}b&S?m-!YEqYIE0%Uq74F0OI{U^x)rC0quzIuIrEHKJ0TF(Is0|8K0&#AGA~o? z5z7cGB@Rw>YhfR^y?sFl>zQ=8`)Ak~)rMAzC;50@ej9J3wD%2WHQbFI3?F2$GEoGC zJmSE)cN_`2PbwxFY;haXl~~EVtiuq|3YU|HO7X@iP6}U6uA*W?qyc_8Uaof>yV?Ej z$J$mc6{*H3pDfT6c*J6_F+!h!IkUl0xRdG2po#unb{6B4ZviExSOOLNbEu5?!Jkz! ziJhlWUj5pkl-xR3Z*sk-pG@~nm2FP6Gao4w-1qN?YG@~XbZ7i%B@B*7xB~zYv7U#G zQufx^d$uK)y!e_J|3188Pv0*|S|UBkR`gQXzlf1Jv#?@q-jYTa;^G@uPjhGA})CJzF1Dbc=P;PCzovd@(>fs z0vtMo5I{^QXBAgo;ckO+mlQ#5@ywVEdqnZ*wqM_#^M(jOnyEj2ovC6AIlR(?xbYbA zw3lUg%I1Vb+<--;3g4CdDRHRlXG5p$qf(lhG9rW?asw)KYL4|U3&Y6%yN32c@Q?JJ z&;a}Wx!T^aq9X3}q?9MVOfv(XOumFV)l1meqlD}uqxs=qO^dSL-+e`vqC=`KaoUMg zxx|HMQzU3^K)S5QYHPl;oor?a5TE0auiuTLZ%XHWcS5prg=CfBi8_O7IxEOUOMus< z*(6e;4!?r)Ng^?bg)XoFm|ij~BQuJI%fR0gRV(hrY%mO|66r)?E zXab+=quVGlOeRI3A;gPkA--}Yv!C4I0igdNC3AK%J(cU#W{IxUYgYW)2FXTfRl36h zu>L=My+fF00h4Z9mA0))^Gn;dZQC|0ZQHhO+qP|+r~2>P_c@c(lRe*)h#e8@UE2j$ zk)*BIFMa0@1R^KInIWzBc54ixEp_lqu5k$Jw~kQzB`LT;n0*P<*A9?t2IQ&GO-cTX zeQNrBuPOzA2qSM}rLXsNgq(pBBt0ts>XHGF5U-(*c{e5aHC%;C?P_P~@h6@UrPxM2 zRVLb`Kd|K6!OPo60yXnv;;t>O>_>exQBw;F(PMcY+`fYs<3>7|nwG|EYN}|BU7EAr z5l#vtVH-4WRZL3SdJtIBd-9}quoGQA_~;LP?PJz$U9K`xgk-X90NunwFA*ue5)}jo zy^^m0eDF9}zMXCE$?xlGN0|o>h_z{MA00*lVNqojo@}w>I}AZ7XHd{d$yxkmX32L*`Lv*IHVpXg$d`1+@gAnSYIS#mERiFTuIHB?=aGKC zLDAgbj||`#dVe|WwnVshqpEn!SupS^iQY}@`P$|hBPWKlfrKoKK1W(fMkm2FX+mm3 z47w}Rn|Fl>Rq<031uQC0;FDhq1zm~s7F!AJ>!Gx#;j-6Vfsz^<2f7a!1A{< zM$rLt?)JoYX1N7IhLEgFX+CzoYRq82JC4T>i_Ti*DeO*!-6pQCCdVV?YfC4Ld`!9q zARC25<4iOeWYU1V!8`^M!K9sq6}VOaBvz4}Q+WdMz0hO<6qtny=UZ zTG^2;NA5me*O{xrS69+qTK}yj$|9v+8*`kZG#WT_Xo6E7vU#7o8t^-1-x=&z#!~Hc zspUqZw92`5(54AiSKVwqql3?yW`>XZt4I+w3iUxTZD}9|AlmC)JjVuR50i$wlVN?d zy*#Hc+NeIs`YxUCWl0_DE&5p6Imrl9qm5>ae^?9e^wxYgVMHFoJhqH!NDkbz3qkHp4 zv&Fb$xlzy54zKA2B(e@O662=k_@Ocq=X3bEsnm=J+0oNWsQM3uwAMo)`zy5XD{LE& z#dNKTUVa@ihQg{{u1FSp{|ezBKN|v{&o^4`EaJy|)5)ul1kH)%+`u*)Z)%fz*pLVEZdg#z9z@Z5<-Rdit{WWG^0KuWFi-r-T?z=f zt(ebV2CYA^>y8bx4bf)GhC4a?A5u-nDr7?=ojdJE0T4-I6%Kow%=*_zd#VW?7gok2C5AZO+a(sX zjY(4t|IdBUIv%vvzpa;qNMxDk)%T)KmEPS0BI!#o3ah)2C0nuYJ~aK#`rl2n!A(Z~kd^b#0?`VwmLb*6o_CHcQy z1v!!&J5!r=EB8RBO-_p5EUBLt8DtkNNbsga*H-<^KA)6xd6TUL^J87+c}m+AR(x9) z-7Jbc(FyWz>0FGD3{%Gp1sHB*xlQH`pC`KI3*(v%Pi2(Sei*$jOA&d%rVzYQm5;l} z{RY*P%{{tb$QkQ#*x2t&Mkb@)_vj{q*)!VEwGSYf*{=Ad@T5jD$q`4cF}s;l-&TpB z_k@|+^g!M1wt>&w0_a;8?@b+}`y^{)9u$62@P#*;W$jSf_od{nhrR{U<-Ab)UWR5E zSb8qVgtacamKH9KehKV}2QZeVU{!x`b3+ANw2S`v$s?7cvRbQU9NbRJR!>+S?epm!zh%$;ml43$rlqYvBSb9w98EM;wd zbNV!zu=&~;Y$AA*2ud4r)Zto)dN28@D$O(!O4=v?WwENC2QjikBlbM^OEz(#SgacH z921%Ak->y?n3BvnOJ6AHsRDt&oj@=A@+RoDgbWG|Mf-TYn(<1k6bFV(CDz6wMYIed zl7kf@GK7^jyi-Wh`L_AR@bqSx!VfhkMB! zc>4`(hQ3JJr}5bOd3O=Ot`r3jQ>soRTchrZ*c4V3JH@(2oVLN%qJmZs%kB}RHKl1C zUrJp7tn|=47-YJotux|d5E7q%JwL?I>g~l_!z1uyHAEQX&=5i+{8}^up{L_#Vi%p) zxbBz)hx=oulf$Ns!wsc%*_m|RnS`Zzm47m96BI`i+VyAU%fSXuG@tHl2VYi7BNBGV z)9N&HsT?3e!w(A94%3h1Z8&73^7NGbX{J(6tr2Vnrtb8&4Kbu#9;41g((G|_=;8gtOd20$*3#`x6Z`dyR zEB=dav4*KWJ@ydh&^!IWH{JGFAw-CrCI4WSg*+p`1SZWpv<;Yao>AyIuM;Y4 z`1#`dq*Vq(YiCW%_TtxQK5^ESXPedQ(|#JZv=<}0L$m=BO8pURw0^SYp=E|-vjZxC zbS8P(xrV4xu8{BQ&plrbH=_Bj;YK~wI^%;t1?xo+wN{&RNd}bIu`}XLU7v?)>wH@S z>!NmAk^*ynj6**W1_)J32!;nClgL6^;X$nH}ED>u&yRu(QZKFLoXrt@E82xt@&a{=JQi6TDt+7$qLNsSJbNI z`3Z1NAFPnx(s~s-H0d`55Hn$}Knuq(RNu<}cUs?j#)jeSoPT~*MN3>t4(;F@)#2lx zG7##nx-Eh4C#>#TKB30ov1&#~sHN&gwiZqNx%_r=Qm-)j4}Qim>i)(Xkq-06=Fm1) z%TYpHS!1g|X*1}hx{1ajxg62m*pU-+IJ!5rY!8a47Tr-!6>}~?t!lsK#%PI(O=Kpy zgpf#Tpu+|EG@kM;=0#^m)5(MX*n8ptG~TgI6R77e@-0T}b*1YknUs?dNol>YImf6UjW#8V>lbmj#f6Y zGSM?Trwr@pw$7NvzXaoT@G?N_wBS#*wCYcnyo=W@mUzZXG{oHftdQLdqZpY>A=x+k zfH}P>NFg`$m6SWxs+OfT92u?8q&_yec_)h3P0^r+#9q8umSl=<|Dk>^E;Vn>8bx;3 z+&jd|W7Def)?<;39slUPIU#VUiyjFl^i4qnl?pXk8v0XV1*D3QiL}Aj{*AG1FKqaK zC_$Z)1q(+~;oX%qZO-f+V^{f3VL;v^XM*~B-@HN*HMT_3HRcGs1-GO&MFt7IkqTWHYVA!y9mB)2LDxA1u*dA0EUHI9RpYU%^&ij*kBg@QvzzVpd7Z}W zlSPn(bZMcm<{%qU0ekoX!r@G5xH0e22@BMui85$~uR<1c^YMA+O4ffv!^iIz7lSWT zPJ;yN#>jtx)2IN}${t{8YtD~p;1b=YxOo-lp}B(C(za$XB{+E24cIe6%s=$aDUsMs z9F+@;m+aA;lV^InGm}CouNsU!DMjv0;}J=KDH5uO)eRAAOU)7PnqU^=vBC-#iRJQY zw+Hf1^GfP(6!XKa1!Uyf$ntF>1d}EStt9R~Okj?mPDXw2NWN$*P;}fHX`1bQzP`Ct z0L(#gnQHf#hWmmrI@-T}!dzkPoV9*1N`cqPX=*p2lKpmj(+0h`(259B6p~sPuRN;u^(8B3Y zp_5H>feVzAniiNcjky2a-Q_=YQG%|H7j|~+=H?Rc1uto7+Eevm29%RA<-*PTTSH`) zvMLc`ucVn>GR*CHDAM>_+P0MYgTr9av>wA^LF9qiv!B-74Nf}X&(p9ZV{%f@8XV6~ z&N+PdtpZHx&%=MmoF&IlSWCHn{fcJ=`Cm*0IR9fR_-|dq{~dPzkF8-z!&>oN1mzp_ z3m)#vq8?<{;v`>?Uz6j>f_nT>(Ig?0n3J?4Z7WL5*Lwym&aI1%c%H9k)QE^|CgCBo zMY~(8yKrodQEUk0rUj>Civ#F7!tbth$0Jos)3l1Hhyvb>knK^^QLbtt;!pRcpa8Rv z=nz0r)GV;VhiaMQBMsqbBv!#V0)}lHGDxaySQ0ZX@?Dk*Xx_XP z%?{@QVa70{hkZZ@lLk+;cS2$Jm1P=>K|L0DN5&*!4C0}$lDEZIZ(2)4kPl*|TNnX~ z6i(dRBAEH$@;LK&k;HrwP;zZnj>qw7`I54olQqKIzOZojR1~eOJAsp2Y%AnfTBE}x zCX;}sK2WoO(4)T6;>BA}RD7`6kcO`?i(iBZi4jFCeWg|+E_^GaxNFLoVGj((1bzD< zHDfBkQ>JDV)Ihm^%^b*C1jw6@iE6|+t*tdf3nd$p`W^S0TE5#60)$su9sbowa0#hs zX0l8TfJGxlX`AQ@d?Tjf0l+a%ghEJjo~-P~xpZt*AcK-g7m=5jC8zT9SK}Z-dL-xx6Oa5I}6Ou$orpmy- zWTFr9zkqy-k7wOZX8FrzTTPraKG$H2`B#%df~727bs7sGRHJU}AZxNar!~?^xt{aw zOY2sW4iVHllB8^2%~~9ib*z?Mf+rR^gc{gVB#rN)(Uq7@CMN?w^i({;N}7>0`UAw9 zvT8-3LE&bE*_QD;lwU1QLos2UWpUl*C2Ada;7nO&u7g>O zdCAIFu-q~yk&9)PoWCpfjIWrvm6^rErf-UZ(GzXbim#P*b!dT1jwYBu#|{FM_-{FX zQyJPtp|yIR;w>?()E{r(gmE#n9e9iy@f^Q7A2<@J_lCJ zV%-PZATMd6L|Fmc#qe=}Y_fR?H_%RJG2y9?5tc%UcH9MzW<0#Y@Mlj}V$7Bv)3j0uxDAWJlu9E7tm5sY@13D58|Ef%hibrBohLWm77fVvSnoBHGFB8f z+A0py9q7rf>X!Tk(~_JIp1Gm16|{a%`aHZLGQy2D6+fpx}D;|F){VZ~=cUZciq3c+Q(!H2rjehG= z8`5{3ya6qVKzWDoY?uDDDQl~UnS#55YYe1<$qVo|IcN^3D^H$E*oUKkWo(Q2|omjc~Amp;iG@|vSP$3 zL2TDz?H?e*GkR06> zvTPArF7rkLgrN3eeTj~%is^@eDuv_VPR0!HX2LYai%byih*)RE)h$fj*uA_`^HgAU zs<5&8kgqXUBXeS0ZthK|_c6%2VT2K-^o*?^rKKKC75zX*)L(9Ky#Mj|P@ByV*8O`A z%KueigZe*>!O6_n+L-n~&;JN-uhb=NH&}3b;8$JoootQQRL()1!&mDzs-&@rZ9?$O z!;)9!^7-b)y|C90{C*F#>xZDOT8HRs{zY3Y`e0h)u)>|KsqMi_rpTBskZysif@cx` z`n~}df4ff_2+i{*BtEj=aG+TR2pPnDFu|=aU-AD4Ob96Kt&T*F6k1D%Hda^qzV;b+ z77HLDf;`q~4OmktQK~mspY<^$qq_?jxUuXL_CpmD)_VVi_p=?m^r&h!5KSFM3%3Wc zvW*g1Br=PwZ(J^!^n~d)AXxy73Dc%cC{;94^PLg*Jrr_D8vegl3>d z={DPJu{Kh_Lc2kNs3>X1-0t&CaS8?GTa!H(rl*F)@pXJ&G!^g5ebN(p@#L|Ut$082 zYxSX5!SwgWWlQFCVhPxINJM7`bIWq&KJ#}J=%+==g1su$>oClYR&R?1)l`%R=uYO| zmhcxR_SUro=*{#k74++O(NdBLYR+E)k%KN!C#)F;1`?yeHD;nt(A#CE-zMam6V;hK zDiaRW{V%Pj!1&NKDoi34@v(@{zgC7K;XtK9cbWa0$ll_~(32I^#XS5;%dNdL^-4oA z504uD=<;~_M_==DxBpDc1%Qjb__D}p57_4_cD;T_^!)J-|Ms}wiU`q7yHgnX`Cc&X z`FbzHEOpv_sQL4A_jvbU%k%RP5(4%b+$)I7lZzO4O3Kd1$pth312ig^8D)TAP_Ae- z_;-+A#vJA}8;a^Q19`Ic_X>eB{5Ik&kW_EQfhTH^t029~;;&9T5!79@lgfdhx#Ej5 zz!vlY8yz&dA#O{+UAMT4D@}KoJy4sJG@yf^th8+k|BwxzUY^{0_yvMKcB`mye}(!S zlIBe;uLH%Ij=9~4FJxTGDM|z(B}|+@)OCne(^W2n5&1*9URPK^Sy^-gVX zw3I$NHM;Y!vYCQ|D`98&K#{)~c%c2_Ls%kdx~74G{0m1Toa1WCDseesP`)SWA?##Z z^yZ=G7J_J)yeU=)$1_nII7Rpzi>e5TTa&;%`{3^p$pP;WBBzvd719sVi`qsc8klVbw(v8%CG1qr+swpJ zCPQ=HxlQR{C$M4S6c-Fo4014%nLjdzvG0mKNlB(h#+pFMHX@b=_s?N)8>^ICt~Evn z#5b_|%prs2fj*7a&FP@`n~%yidlM|}r}vc|RoIzb)A~>m!(uIvC+JGX@uYQ&1{uFD zY#5&g-Z1pcNJ|#-=N!HTsW0DVOM|J#^`_do6Czl3p)wEQl{4*I6X)DFg`&Q|&kG)_(?Ro>u!io)MNlbwfMjncLo z^=n3~Yw4H8Hnspw@`?U=PfZVGd4!^H|M2}hAgI#ZQnG#h-=H1&*|4%VCt)7X4R|NA z@TkJ#-#ck3mnJEIp`Dzgj1<)q#+|q3w3jT%eh30sjVQLp(zZHZKt<_EX{Jn*t98ARaV-q&thgi6pn{L{ZZNJ(3e;al8^-qcjmF(_j z%)AM3g20fOOoux{w(6i0Zy?RJN%xegQi-n#l-F-g0d!sZ3deD$X&X=UJjs^6x>*1l z{%Wh`uDfs0SEl+y3LwFPfj8j6S1|O$c)QX<#XKm>`q$1Z3HJoMc6Uv-C0(li$g2*Mt$RPF4b&rJ%0chGjNd*r=~qeqNyhJSDD~^=$8K`qZ=g$ErKn zw}X>2j|5z3a36#b?${>S z_B#a~nx`LoD)|<}O1a&!;hr+QqQz$$C_+ zmGsa-t>rAqxhY&R?G3gfShraswm48jx!doO+f^r{$9q0s62!5fq}Nc{SA=W(nC~1~ zEPTCyY>dT$R!@Zx*lr*!7WAWT`!|GF9^dF_0}FrGGwT5^N!(ePu!?0|Q=5go@{)m8 zTC3nSCwF?KMO$gx8{re|!N?9BK|Pl~xWt37Z0yV!G&ww*5}5IPNwE4wMkEkzDs`S- z?-3ku0f6gr!w&5jG$q5e4{Cny%VBS z2+WM%Y*+6WrQORezdE`r-b6bprzswG7W-XA(9c%R9l6#H+zRVRH9Vg+KN5&5?Dz3< zrC}DjDJ)iGmMw33-A@m6PkJi*JBC(H(8xj8p`;mEU=~fw?ocn2YZxa6i>3v=9i`Q8 zQgu7;gmH!uee?2jr_=tuauiXvk@^iIEG|6|Jl@hXDB*wxI$a{i;}q1bf^l052V%1;@#{l4+yycK&Knoc|%fx`r-0?ZgFXmTO`_?Sm) zeg4V6@7>QkAKRUDKkO>n8U+*h*$YHR?C{|5^%ScGcbQjlpMwPbFb@{T>4h!QG?jbk zBuPH_`>9CQ{e)sAnL?ACkg7x#DRvH)^;P1gR1!hK`b-L_4I^p#EbdW8QR*>1Gw#irIM1 z41e9zygGn-GOf|r5Ka0#k!vyW~h_VDlJc_yQ)F2w8t`YMNTEO>{T&ExijW53F0fAANPC@QEWRqtkS0q4AIYkh7YC&7H zG@momvag~Nw}R1T=V=!#CS^iWxAuLVnUac!~6GA92AZwa5NAcEeSb zqstom2AjcgHd948JDI1A?VbKRc2kA~i4)fX0kNFR#Br(=j)MUNchB-O> znFHojP)c^Hm6400by54%e5!KzY5SLry1moOTjt?pgkNFr{L8Aw&oIR`Y4`n_^IS{4HC*@0^?l2wA+N4^bo(AMSkXjyhLC3@0c zO(?V%5hZCcN@P#?;_eC2hrQ?8Si;vIpVVX%;hBBpS2(lZ=kWe(q!h8Jz6fJOe|F23 zmO3gbJb54`1BTc}@s{9X?&rauN@VZ(p^xK%Z*e?bquTh?oC0#5?W0Oiz zl<|r8aPfd-pA?_j@@8ujZ1_Yzc_deBhDk|z@b?!lLa1@9zPdFo3BOo%o7@E0*xr`! zSa<5q96Zw{7yzkP8thYPCJRQ#&8|91jOX`PD?c|1SB_un3etv-Oy%|dc^A!8y;p{Bx}Z*jWo3OmP^cd z>Ul`Y_=pTeZuY^JXO?A)+D&O<=`5_5w%4z<9hSQvOpxDDz<+~riHQnF0;4qySxKn) z2CR)dH?2j&icEBeq(ojgW$1c1sLq7fKv3(-&q9i5!scQm5Y4p2B+u)Qtd{FBAL6q?vj6bwXR=-9VZu zua;J5DNV=D69d;hqEWm`)Lc$DNJMjs?rtOK*c5=p?C!HfT3fTNV_D3nnFO-&r%3C zcJn4245<*}>w3i)AWIpy$Pou2mzX)h=N?k>FryWUtXRTn%*Lnmft5iaSuaHZvC^I; zr=x?mWRKz>G9=vex!am?xztv0Fqbck+-qYOi1< zHQ4xW^r|cY43kCs1vd4=0s94I_n{bLpw#qv+ta%w=oK%EafSL;b~Ptc)iF+!+|F^E zil%W;SPo5qUS@YCXzSAwd{8hlze`{hIzOraMyLC3v1^ z!pNY$B?v_w=`M6m&`&e^B|7EOaiHCr7v8}d?oY@Vf8Tl;w2%qnaa&u`)PvWiPBL|P z$Fwu8mwADi>uv1Eh@KbQCd(OzZR$u5>{%n$}h`mqk+;M@0~tP>J?*u0<#8%p_-dPlrnB88VEc9R9l({X{WB*Y6zX6 zK)LTud-G$4G9{Bu#Fb}hCs8iOhBU_qy;I)&(es{yJ+e_Lqc#8tyHW7<)i4{dx%Y! zHGiv*@1fb|OWX~wKJCsv41wdrEAW;p zPW8@u!S>Wgu~YR9yu{Z@2+o%=j{SRe2e`qXAt2ii%ysT=d-tAEaH%ZtctIanoIx`D z_c9MBJQ%kyQ{ zl^u4UJ2%Y=D&-`Zb%DLk_x!XdWH6dZOqCiel?6F1ZMqH%gA1)W={ck%d`QW@n3DjU zN4wQAD|TeyUIWbFmx${1;Vk{dw#YMT^E1kOh(8b0XJb;H9&>cc2MFQ4Fxl_ebH^_3 zV$qNt8Q-8ti^`S>YWN65_T0lid6eoFBMRA?p4vT->{CMh{4eY#i-&6YvqhNoD=~n1 zAR4*l)`bl8x2t$;sk6QeAI$~pgL5LXa0}cZlOp;a!}D9w^GT(EvXd~sK^&04wJiw# z#n#rSB5kyW?S1&5r$ts?aaiv-$>u7rb6z7Ch}oKoqjZHr98r@V zQZn=*phuJ>CS%(}UEp`yz9O_LEkM!-ki?WAIqrvGaP7|S3OMpAKfPQ)y5GUw(fsiD z@%z{OkPWRPTQ--t>D#L(aZ6-Rgfp7WF92mWfDQKx!ID#kH)3ZhM26o4C^vH9=j<<( zhS)Dmcbr%y0u&Y(NugAyBp3ta>-%tvO8sG`zDL2Haq8O-5qhaNnWxX`lO=UfDYN0t z`Y>!i$IFB8_& zK}V=4s0YVn9}%;SFSu3KU(W)oXZ>V$U4fjFBq}7hA-AT4DrO@m9uRCXISHod;iF?y z84&8^{RNjB9eF|<)W^at|2{EU&S3&$yh0s`#c*B-8Tk$>0Sr+eHmuExOXb7IRz0AG zM+e&q1qyKA?~f}gpH_z{Yq<&oc6}V)g*>HL_ zqKLEAu_!hr-%zfn4?`^~?6xil!djxoHw7$4!4tO9sv({8Yj^7E8)ZJv%eT}XApkxD zcAdO2`**yRAlDNYSP2s6&()9R4=(3>f^}TPsn~C=fc%fUxziUhxH>#*)MYv0tQlIw z@MG>ep;?KdbfhpP=&KLg{(^u*YmRL_zv4&D<|`u5GF4=s7MdsH+UM(2@lO~ZTnS)k zbOY^=+@U=aqF;G**zJhcI=R7q*o~nBY_?HO%|V(KC2m zQ91mGTI9!edA#D_^3?&cRGwUIYgui#G6!(=hdeU|pX)?-s&#_0t4Zfb9i)qv<2)@C<8}it^6Z zV%?2lpCee+&QA6P(wT{AIOb}iu<`R0pVnpfQad-(er+)*ILpn;Q&vCQ; z^t0<@-P}2NE*OIlc>W+C5zhYL{S@i?Eh!7$z=8hnju!bhQdW!U&Z3F(5%$-RVHk~- za;(S;t|4Fn2I<4037t0c!%#24=txwR>Mtw1Qe|@tYN1djI0?_GJ#WXQj*sD+Ed_gSS%UC-vE%sFj zRj_4AkMSL>Yy&6SZH>N&@i>C=hU)vbN7Uv}u*pg&DXebw9^VPUEH%+)N zD>BLoXF)mCJs_YBjW@~%=v5y|@P?6dB&I3V;R2ke$$81oozZf{MdsDM@9k-=6Z zpIeu$^grlR^>X4)pyklhk3<#CCUZFHlzIXiJrQlixfEOT$`Y%14ThwIwN;X%lSLJi zC(dRZo3nH_p&ik!7&yWlI6G))uC$izngGf_tRBFaS1~@VvXJML-My;^_^dt*N1B#{ z_~szRgdTYXV(^EK(z=YCR6JQeE<=&4TN|>Hf++-;e zqBtVFN#COzjl$GOCgP0aGdy}-Eh%PYfItbQ?TqN=s-u9^BWJcJSxL4lMgk{e%`HJ`m&+xOG6c5mQ`{|I5wCDQhcAl=?jhmpp*Eh{7sHefA zR%%U!sl#d1So6ZQHs*;5k_3H@N*LdS^4%2nUd& zqX_*b1U}p~B;ku0+CT&-82(gRD`Tx@qf~~#*v-lp#6(m7Fy`XK*i`t zta&M2c_er8$#z#js!QCCN@3UP2MvKNZGd%J1sOd9X=g9qCB1Zsk=e@L*Qvs%6QSM9 zi}LFk%3@7Iy$=_Np)Djvh64|oIU)$J2DqJtLAvc$F>}#(gH}k9HQmJ>K*QY!Y=5Vv zd%ytTjEBLnfN2_Dw?U{LDi+URr>dc(N#_J-43-r-xp^zN=&ZUKi4fchoW?RTXn8ys zxul`cu2tRA{fA52?rid>t#Y3royY1ZuCLAHAmoKSf4H7tLGvicQslK#A*8tnE6Chi(F z<@o>+PSK54m|3bj4Yecflk+w=!TbvnZ(dsD6Eka#X+ZJy3QG?Skm|D6k!bm~Xn7nA zR@Q)B0Hp}eV=1WdX30W!nm1H?n=7i&G+JY=W(~bszst~@%;jlXiBmS{O<0yqO`BH? zFyJ)Xld%3Zr3h~!AHxaQ0kh1lwq47i;4DC7{*v&z>{<}#LUe=SHnP(HD{*5(u(Cz{ zxEGr)D|y$90%F1hv&A5kM4F=Mkj}O34r`5lr=Pb?@N&{NAI>=8knstum=S)&Zcd}D zBf_td)G)L|I({v_853D#YfKHtVKmTLl(8JbF0RNWby(HNDK?+kiaxTA9>*A zPEv02_BhAd6kvLI`zrC~=cATH)~8wnfvQ>GHQA9#Z1RcaChW#D>KUmjLK>)D*?>VI zs(wF!%or%4ux7R!%&`tYQl~b?9VseNH!ID{1mrkBEv+T$##mjO%77IYE(?}{SUh2VQ+cN3x-$5reN~POLelJJwN?brjzx~)_z&o9o7(v(yNgcD5?V_@ zuJF2|nKrax+57gVfvzk0TWb>&@-lPMW;k=Ob>Ywk#Iu#|bQp-YR-nkp3FHhcDVHL0 zIDv7eX-%Nk8YIK0(V6Zdx&I1RA9QD)&r{8)u^GXpW~j>@bzpB6?T$OR7_4`rrj6k8 zXBA4;Prn!XFwI@^6((u)Jr3~`@zZNS>(G{ArJmI{FeloFdmyT_>}|QduyBj9gi1*+ zZ}({Hn`%0V-W?x~esL_S*4L6bH&#vWw6kJB&*T~~G@^}PeBn;y@4+als78>gJXh!Z zGnTI_)t~O%ID-n>af`b9mu2}uB!DMwi;FEJ^#Z1&L)~|l#gsquEQk?|6;oPd7DrG+ zGQ!dBFX{5HSDr2g2MATO18O^GlrFjQOdolaL3b15lM*RkCYgal;N)U^<2xn2){QYw$ViK4UV*W}C z-J!GD$S_Innt+(5l4dO#oc_Y@>o(BB9hXqnU>re7TcE;Tv{qd7FJ~)qpZydcH#pLk z22J9RFG(y`Vj?$%jKl4uZUB?bHrMjFiMpRF;LXwu4Z?LuSkgj2Ic)sE{zL~q?;luI-Kn2XuNTF_DrRBoRBWGA)m)BCU}S>OUeS}r z>;U3??`tdjS~c4=_kyy(%>O23NdZSF&}l#f9l zqieG^ev??gmw>%`3mI~=U&C5;XbPtQ+7^#UlIiMp?yyf_X*L|O{ph5hd;9mAAhFZA z_D3o?9<&T>jklsshj695?B-?}lz$N{+FZ!{ON5K~9)U-g_sm&<3D*}qJucXvX$InU z;jd6==cyzg3zPCd&=ea2n(nQ?X#SSKG1THN_O0uhdDYh@WfxI}PH~m2YTE@ZoHf944yAzh7iPkN`Qg}|t8JGrOM8&VP?pJWEnPEhKD2}c=~P8R!TB$_V0WFaZQi+d z?y%Haj*@3(8LUNGSYkA%&&-6DbfEo8nT#DMp!Wb!;?%mM9U=F)xnx!= zN+li*mg)U{C-d&Jwtv2bwE&h1@n`lh5nTy27Kkv8j|?kAA|&ZGQ@tK4ivc+1RL=BP z&GL)BE@*t<{*gjqfhy3#PO_pxT^EC@E@YFxt0lX> zT2usog55skdk%^G)_v^Iqe;3?*avZ5^Yd+L=q;VnLG*3V{@Q@dlm_j-+-mq+IiLZH zdKrmj{~dTb_+-8@eh`Npt#%~)B8C}lT8FOx7{9nN-Gp}V)EJfI4fOmzIG?Yqq!US3 zl_zK>X_*QAj=kQ&(%hoFCAWB<&mRDve5*zlEo87;F%#+hVWnDv7W?5MsVh^YdP-QL zeuBCGG&D3R2RF-Z71d`7KzJ&d_q&M zP$-@3N!eVY#$E1p0&(f%4>tH>MKdJ<6N8>uYQ+v)<_>TX8}TI@IDO3kO;nPKb5cYG zNsa}J@mNQZS;?Xh@bEBBXtX(~oZZw7QV|uu?$tMkFNH=4m!ze2SSP!p$;jbEdN)$l z&0$?6j&|w^T0Wq($P?tgSKA3csnfw`kDB0=n*}29^)p@s?I%-QU*Bjk0#aPD z6xWdDsL-hVwVjz0)qw)HEWi{rm4vbOvztZ|td0mf`r;brqr+-h#50@FwH4bD7MPV4 z=8{3)P0HTh(NJ)@{BoIUq@^-TtVy3kt*FbsBGItWy?3`~>W-GJDMkJLUaA3voT>oP zAc>UyGuyu+Y9R z@sN6y>M%#ZVXtOr@w;&)FhkKFmHqC41Q3T%u_@C1~MwbcXPn+?_I* z(++Ku-Mj4b3C3O#X)r+(D5z*Gl7GjH_IyCXt`y<*LpGQZoO#eLdqN|$^EzTFhG7>N zEppW9*;o#0dg>v{do^=qdfYYLxU8=YFx>1qvI02i9OaVhm6{=a?|CSm^Wp5 zZ*Kq`+`UYB7pprMd=tK4Oz2MX*1(8Fca^fc;u-orQ=V+DMZPjW*Pp=a)6*$>+W>S- zCT607Cef?BaUxPz)SZ01Ao(945yo<`r=_+DGt4e9OgQ0%SncCaiW*GBJLsy6Qa?{Z z#^#d3X0#9kR4$R;gNtjWnvRP~*2*UrDyt_OEB`IIZ?Xc*3tMRl^Cn%4fV?}%8n`Ymzhp#tDLpz6<;KMeKPScXlq|#lnR1A0n8&~OAX9kvN zOlgPg&plgqN+nhb&FiVlf*d_f691L^V9Ehls_eLUrA;q}2C4%;siP!84JDrvo*=Tp zd7_C&+9&P?g$bP@*f?6>m4-{1&_XjCJ97h@+74Hcy*|?!v}NO1wa`56mZF+LeZnSE zus=E#d$g^&u9WnM4X%CniE})Cf2MX&VGsUH>>D@V_dB}ZZRKBm{wM*@Wq#*jN$H_I z_gnI%3q@ep^zoPSfBoda?u)#_E9Z0Br2O!4A3JZD*O6N0kvc2+{+MZdWDM~t75#=x zzK0)O(F{vY2z~3vH&$nw+10`v(2;uDvvMC`px-#STpK_ia^R;awUUpYQF+F%^K^Z# zuOpzzGB|VM5!`N*yov8`_>F;p-t4GPev=Fc&&MIAf^Lg@*<=&wB0jaU8%GAOn2tVu z7RnP#4bd;?W*Xyy;ZS6MQ-a~Je4AXu0K((u7z=~}_4#_zab)P90eeZto=#1a|FSx* zHVKbBf)^Y_5s>y}3utwPao)omS|J`(x{hqD;MbJgA)36hX`0XZXX&$;XH;;H)QA+Aj_qfz?7gCv= zR$fhL_@UDG)|&&5bfYZka-NNr&>*gFLXbvKBQ*fN=b0O4owVKrx!miGC*XPfe7XzA7?vx}&K)JvQY9 zQ&3j#nmRH)?BY_%0Uys`T!up=x?df$g#yEP;Y+`^R#Li-{ki7LM|qC27QtzcKp#Kb zAcs%PsoJ7cqdWx%hx0E-kE@WsPr__%P8PmRU!u!GGo0>!(A;?F801Z_*syuQPWSwc zLtm?s5+%*syM~;98?!s*8Ev~X7CUU1MH8_`z8oLR%N4}>Xk*SXNIB5kca-BzrnEnS zI4P<0bIp6n+}ocpguyX=0&VAu3&@?Kd`USwr^O~=NR>{Qs|pz87v8WP3`)ZO z9L49wnNvy_R_`_Ds#2ni_UTwiRr{hgz@_Br`DEROpo#plwQ@7EL;he2mIEcbN(wC_ z?pq;K0*H8TRWi48K-J=~%Dq5JFEa%#NQ@7vzN4jNhGwJLtO5T+&O=;}6Dj6*JOozviTd=w(N zb}X`g!~wt4&|%K3F;ap!O$s*-8|L2Y>)Qk^#FNB&pvjlASUStFrjfyL3o-B5o3VY=*lGn=o|Fd3P9MGj*HO zjr|hk=r(f@V%g1B(w8~4U)iVNQd|86cb!Lp<%Ct+{IGd<7N6}x3szCn{k3D{piv@4 zcTP}mj{p3{h@Rq+@Xu+6sNa37RUOWn7coYG7IiO{WC*ee7i3kuk{V8mhpmXC#_#-p z$RnpMo?O`GOq`-{t`j2#j9GW>R9y&sP_Z$cLuRLos?sX^IjyulCcITB%nzoDih(M5CSlQE5X6qGD)mvxz7IfX98XO?WpM>{F? zr+9r!aR|sT3iVqU0*yY>tBt0l3f5U;7U6q5Z|9hqRfw_IV$}J9UsZJ-`i^BM@`Apu zwx-1wp!gIm#AXGrHnE6!4N5l72_Q;fCCaLmv(T-I`sfxb$*n4U^~3V@EpG2huwsU- zduaqKWt~3I)gUf!+m00Qr4CrA+yd0#`rNt+uXo-^ZUsLYSYWhbwz!=S>+rz(Z5 zeU`iOL(MOXeGa>LiRej30MZ>UgV$+O1GmVa`?0CeO=}o&-lh}EXlQfx zblV%bLr+3nbZ<1Mx1&p{{Uv5i-|7fAIV|L;zF?mLI;hT_fw(#C2~0FIYFKvC9E-9E zCM?+}>;WD(tTPjdK3;72w*#LclPs2QPq==R^@wA%)3|GMO4>9=)qwX0Bk^APLnQNP zKF(t+d$yfkK6(c;b?J{pRSVinYSk(YKNAa=6vH1NcDAY=-K#VGheIn_kj(=aIH@iG z7M0Uhb($qvnL}L2@nB&-31}Ms6}L)(IJv{Wto07Aitw7UF~{L1v(l0vFx}xEX@P$x z`R03=pLmP+S4~5=6WY9?+w%VN1J^3D!`~W&%Q1w57sBDmjPK~AAKea{;|%Tld{{@R zE8A*0taXl5cl>4Z$)n$G5pp3vh<#bYFknEMpH`U3-Ek{TVk5}+7*1kX8&mG^MD?LA z1kC;Bx9Qdt7=R4!H?zSDEO52_@-7URC~IXjW=Wt(@I7YO;B?8e^QVvHyNDuOp5Y+G zK_|^I6J;cz5LVBvsGmpH9yJ})@lv7m;nE8ggfV}hqN713t!*KrH=Mb;^lmUGFu ze&M+1Wzy{=hjZc5ym`M^*b*}G9ZG3)PnSGmxZyWWVPWN6cJ`|}L4hbr;chE9kLq`| zAeSC2hYzkjW&l!AO~jBq$&l6-nR_|UHE#+T!6NbBNC#O6+PeGxnX|yqH;yBedVB>g z&gp|~qV3Kw8zX&R4H@KI+>nhDY^-qOxQJ@Eh2l!rZ&!kwJvAz*(KS>;0^Ks~FoF56 zP>frj5CB_{N+x>YUN#oI3wbx?w+0_FNAlQBqRtS3GHugQtSR~#{;c%dS8S&9vCB$s zded{SvpzpmEY75j){(t$605?X3SeZ+!O%iJ*==grOAw72_vcKWGb zA&2HAtKh?dvNQjrodRlE=^5p*nS0c4Ssma^?7cNJai-H--NdWhuyF4k^0z(Y&mD+6 zbE2&KF2{b?XAn@Mpu)%`lvk*55Iq`k2j`>X+9utee@82H^*HN>2k~<@*Luu4Z;o!* zefSOY7s{J{(_l?Lx!vqBOsS|tBoKW>>!ogIUEmTW_|mx!e}0@GV__1*JJ-rn!-)H64(4e=MV8+KDcxK!3T;0*j1(_ZJDG;Jt5~DyNIjqlvHN zYIF2xs8@gDH+}_}+wYK0(?)tLk!<8~VlErZ%O8{CTtB`BYZH8%-sa}QOz*Q-_s`wB z7O|@QXd&DqLNkrFH)T!d-=i`A%C+VD;1|{?y~XX5Sd1-)!gj&5j_cuQEjR0%wYr^((BFnhtS0Z8BRUPnLxQ zm|Ny=pXW%=Q?1F#;a3qRRD)eB^}LPrr)`AWv6gBRXPU3bu_}0m8FYdWYZ&=eg?dOL zGG4)0mbz2?NrM4DEXUzN1Ibq<+dNb7m~{1y_==fRV5WSQLmXg&FObof#~?>5k!Q5_ z1M0~U5@jv6T#{5Xq!nw6tU5HYM69<~*PL6`!;%!?D`0fqe^a~#+*$d`zFwa(h?#Dc z89I#|RVPvxVaF@fTF7Jn5I0jsTJg}fRA)KHJt-PAp2rAvw z7x!^)?16nlx`7LYoWNV{`wK1caWCG>2=cPV>y}B10Sjnmx)np#)NWSEom1|nqegPT6x91lXJWk|?zbAjm0Q$6M4-B!Jd2PJ=mO;<@JuQ>w zyKIdDl%+73ql4h+nYnCE{t;y?dOchF9-h3_qUFW?K1#bycI;M(;+vLU{r4Q+12q7O6w7=~IO z^8+)y6&vq2$pr@*Vnc3OK7}1!OP$r*ed6U&>9o>!yW$n%rpYnRrI@(pYqS)y>XfTb zNg$8ylucc{Fp!!H0ok{Au9@iSYIW{@3dLWReXMH=JgJ+`ou-`1r}W*#j~T=f#=UER zZ@wM{An8}!4PsEIT}z*!05PHIG(%`JLFAnxmv=~?_NgAJFG&IHJ>+XgFLNHn+CsM? zmyiuDysmR|nk))e36E-wmKHBY)7kpp9nTI4&l23Qobsm>>_ADI-ekpnDzJu(!jzAn z98r#tLQM6+d7-kqm)PH#i7>_7G|*cRxnpYk2~Q2E^dqomKD|Mc!A39Ei&rKn)?bZy z#Ll^xW?Y%aZpwjcUn~Z1cZ2!|D+@pLbx)gqT($BBD}%i;^Q;<^ba{WRVF@S)e#i$l zmgl-AvM5@={rbGiNGsd8dTgZ>H>+o?v_kXq^8%Rl>z}XLN|kfdQ%YH$ky@3{4CL25 z@e)}KgX$=aOlh+U`|8b{T7^1-_&dB7XA1EO#Xm4?M_!7vua{auD6^Cjt8vGyM^;wR z+ea9AnZF%yR!Wp{4Ntv9&yts*#f5NXDaoqS<%}_EQ~;S`)r)IS6XK`JoN^vjo*$B; zIA$wUOL23985GJ4UuRfL5D#cJYvg}coZ24M;LbvCRVW=&AMr+^CnyJGupY+%!{zNV ztlw*BxL(-4pRG8U=L%<*{yd~TbaRd=u4+otL=a2$!FuTYeesX31&{@?Ywidm;!ChB zbpviYnZIgb$?&yi`I{xtg9zIxM>#wDdyJTN zH2>^2lwbA9^Dz{A<^6RHUC}>0o>Ho$XFcd-r_x=^h&qx`ryrx%J*KWhIgugYB2!KWqd>kvbo#|i@!bdFV5xG8UeRn|}d zrz!8n8&~&4WH~nLM4kGHgZD{tYDzT~DctczI-}?F_yBg0;cr~K@)<)4>^iiDRX#!j z1VZFm#tX9eDPD#!iX1RSCRZ@va;aLU{#I#Pej=i51bOm1iLwvQ_aS(%MPfzDHNUM= z3PFvJ6DyJ#$jAn?IYpvV4Qkvug&6gHiuO7H| z*+R&V-t$WdsR4*EpK0g5&Wd{>$)1~Gr($?}7Q+DWXjvUg6Fm{+{#CNZ=xS!!Jo3{{ z4RX@?I-1r@P4!cns9U(b^!j|wRrK>$omOM(#ri0Po!+ScTEC9)MI0R!Hv19G-~aXIbLVW2Ax zh0`O88I(VEKd$|*b>K3wDx!*8Z*rdQ^3~-<~&>+xE=_v$sY&ywgXo1h3pHx}(S? zN=0=AL%Ie!H^s(uA(K-{TaTTjAEl*VQUi5wO(;*NZ}To`g0ectgT6c+J-)p!LwM{8 z>(UAq4lYA@LiH!Sf6c|=&RB)!#0E+qXT7WNm$;ddOT~(-xoIjv~ zGR+n+H@8=cyF$lcorR8$=F*(7*IU?v&##&D66(CdcqGV*LfNT>&vH>X&sUWd{zZ*A z6UI`4B!_avpY-x@d@!Sss||N^)r#*h#7{&ftSyx9UKsb-8p;@mJMmUri;t8wq#A4F zZK;2x19sFY59!d@#1qoh{fl_|;zA)(b@AqR#FMZ`mIBR^g1aWnjv4WGPBlE%59I~p zHmyRzHR0=N-c&0YMLQdUn#9EtBW?pnw0+P%6&u8XCnWRxw^Z{oE{|9A^ELL03slKA zq+$l}dW@YPa8eIGIdom;%SFHvt6l(ykd}k2{S(hRdDTRqtedh3P@V#Z{&|Ev>CLEy z%~o(Lum)wW@L-0H8DcC&EF5=7L#axk%A;L`Ih&67i5!CInv{!AOP*(f`;cZA^BA)P z5LAlZ9Xdstf8i>#gKSf#ZLz+D7|=o#56Dh1LCKT6bL)k=*C1J(aYH_5K?vrCWE|m& zF5n#^8fVt(VN)E7g&T0LYujoR-^u5%saIr!3d9RYGZ3qTk3?oC;44r_5?Fp3J4aG? z_H4^S@u9L!?0wL}upk_%C*LXHhWVd@$?(Q*quUfc!7_1D?K2bPe|7MkDs>c-u7d5@) zUBMIru=g^bSeDYvtS_5$@QhrvWdEu&OL~B1A^6P*b8Us3ByuTvtCk;~oHb!M zVdA$=Q1l~xw2WR>DCYIrJN=wkRoKH06s6T?-2>mY+AW#{op z9c91?)S9yW3F=4L{s8?**?tUdr(C>-UQljeh{^{EgdRPW1tqS-wC?C;Xsp()RcjPB zjvwBvgB}u+NiO@2kUE~YFLNc~leA7+kv24O?$`hZX@qwZy(bZ~Ufk#_!{wCvQ3Qpf z5OXflaj7~8Ze!6pS1OhPC6jpRu^!U$UGWYKmkUty5z}k-)sGG&R&eLszOU~xuD1%{ zv}alUayyu&Zgp1Tx)IK!Cogg_e=_g;%L&%tyL}s?oK_+mj+U1qWxdJtP1f*|Kajn~ zB8xpY#4h%qPZix>9x^j5e0A{gVhICWOlJ~NlR z|GOWYZC=Na>U>#txiQw?HP;`Z0Nog4vCIb*}a3b7W(qnQvx z)vO!5<6WMWL(HVij6%z0fMe%mpg4@V%PJ}mxxIf9@*8GVPZssyN;O)0A8bi{6#4K4 z%sUTTHgiIGpJ1G*UmOWl<(q=%La?Fz%}dg_zH*OLkiRPQz`CQOdpN{#>62O`it)B+ z5)xX28Ez*77azBTctsK6ht=DDry6xaZ}J8(pQ? zNDy;!tPkrbi??%TJ1!!sPj)TFb&ubjLxs>$gu@5$ry9d+0_yQ#mQ-{(bHO8UM*Q~7 z;0mx~_`?FY5%B1_zp5fO=9GTS05^C7hAX zO)6prVuX?E4>QIc)KqsQ1px#)^5B#NxJDze1EJ{xVAd1D3A(hFXB^BaA6W;V@)ZbSGA1Jai#wDM+HZ&OaRy2I3);Rho^A}i*e?VwI2$5}bAey*A>u6v z@*w6HOo8l+1XC+O6hjH7KoLNY>QaQ}M}yWE^tghH?usLeWs69Q1iRE}Z%|Gd9Ir0< zd^PWpY-OCc18tT|o>pS8R^23fl6#@m(CYRY1y^1n54UF&p{w0_U~P`$ma?m<;yMvY zKN9Y}ToGY2&i#;86sWvx5kaJBp-d=aMGMuN?)Clf%4hUz_g=~fYrhp>{0<*uacYCe zg(bXH&?ql3NS(0`xX;C^15Vk|@8j*Ej8K0tIS?!%a2WiEmeM3(x* z>0d@<0R)gA4V&@N0wa+wU02Wvi}nf#x+n*+oq_O!*w_(bBiP44c&rnBntBJk`{AyP z`mSxb>kr~pJV24i-uyV}_e9hUC&$es*R*1N-zf6raom6$gV>71<`mRm;o~vCR~5

>l#!yuQl4+S@$!O2fjGZ0oC#-H_*C`=>RRM=7iqU+WVgoi_)BGlsLc$BA##mr zlKW!Ty9D4ept$hP$Om^TU1q7G&e{X2bJF8?RDG|Is5MCtFJwD=tx2V%kS6lOCSPIe z;Wnitj5a=s{(*l3j?N+I%fP`g#{B;%HF(dI8Ux8^LXD-PyNRZcv!$C6o412~L#m=< z&l~KBw-7<8CGF_K*oq2NmRsFMBM2gqHBkE@MOd{dU{GF+i5fR8TY2L|6!f$$zcy#? zr2I8Bv)+sQqc)y4_(KQO(Wq{6)9$7#Caj0M#~X!PP|Q5`X58KfH3^-`^RpFc-|>)7 z3TZ91mI#xlk?A6vVmv#$AJ_g0;?s<~aQ_wJ?JUUoEgTslH@ ztOiKCZC`%>joa9l&&+9)BISW;+t=Brxpos1&yO7C)R{aC4(@W_xBW{#?H{Xz#Uo#ehYgHYm!|A44AM)nzoPSH_@#-4Z9Cl>7!~Ezqi&D~x>2jXC5{gTqaaGcRr6G| zpHjRsZak{r8G8IFR|N#VIzKJPcC^#MwhbU&qfJD2QLlm=at^)Tq~uRJ%nDxpu6{*! zMU%8-Wwyf3S0RhEw3Km1`A0IkvTI%|J=5u&0DmL{9^ob2OE^?iRJaMeUKQpK^;JLw zI5>F}I5_O*bo|}CoLnu~t(=_PEnWYF)%{bAL5iIsg9rzAF8~LJ`!}h=bId>0jvfx? zmaevr)_-L7pZbKl-V(s`KX;#jMmT@dL!RsUr{2xd-ThhZ_HXheuD~x#&yc}Ont#e) zqW(wz&dI^y`R@8xx!;tFaNTpi{C>XH-)qnD;y>~~@JX6x=JuBVcKOd`>7QDjYt8r^ z