<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ni-batch-authorization-delegation-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Batch Authorization Delegation</title>
    <seriesInfo name="Internet-Draft" value="draft-ni-batch-authorization-delegation-00"/>
    <author initials="Y." surname="Ni" fullname="Yuan Ni">
      <organization>Huawei</organization>
      <address>
        <email>niyuan1@huawei.com</email>
      </address>
    </author>
    <author initials="C. P." surname="Liu" fullname="Chunchi Peter Liu">
      <organization>Huawei</organization>
      <address>
        <email>liuchunchi@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="June" day="30"/>
    <keyword>Rich Authorization Request</keyword>
    <keyword>Token Exchange</keyword>
    <keyword>Identity Chaining</keyword>
    <keyword>Identity Assertion</keyword>
    <keyword>Batch Authorization Delegation</keyword>
    <abstract>
      <?line 57?>

<t>This document describes a mechanism for Batch Authorization Delegation, which enables a batch of fine-grained, actor-bound permissions in a single request and securely delegates them to multiple collaborating actors.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://NiYuan224.github.io/draft-ni-batch-authorization-delegation/draft-ni-batch-authorization-delegation.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ni-batch-authorization-delegation/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/NiYuan224/draft-ni-batch-authorization-delegation"/>.</t>
    </note>
  </front>
  <middle>
    <?line 62?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Due to the rise of collaborative service ecosystems and AI Agents, resource access patterns are shifting from a traditional, linear, single client-server model to complex multi-entity orchestration. A task may consists of a batch of sub-tasks, which may require authorizations to different resources. Although a human user can request authorization for each resource, this work is usually carried out by a principal personal assistant AI Agent. While authorizing total privileges to the personal assistant agent is doable, it risks granting excessive privileges to it, thus oppose to the minimal privilege principle. On the other hand, if the principal agent request human authorization for every resource, it will reduce automated efficiency.</t>
      <t>Therefore, the core challenge is to request access permissions to a batch of resources from the user at once, while precisely delegating fine-grained privileges to the respective sub-agent responsible for executing each sub-task.</t>
      <t>Certain use cases include:</t>
      <t><strong>(1) China UnionPay APOP (Agentic Payment Open Protocol) Framework:</strong> A central agent from China UnionPay coordinates with multiple bank-specific sub-agents to calculate the best user discounts. The central agent requests a one-time batch authorization for all linked accounts from the user, and precisely delegates privileges so that each sub-agent only receives query and payment access for its respective bank. This strictly preventa one bank from leaking or spying on another bank's account existence, financial balances, or transaction histories.</t>
      <t><strong>(2) Office Agent Orchestration:</strong> An office agent coordinates the generation of a market insight report slide by deploying three specialized sub-agents in parallel based on a one-time batch approval from the user. It strictly delegates privileges to each sub-agent: the finance sub-agent is granted access to internal financial records, the internet search sub-agent is completely barred from seeing any intranet data to prevent confidential leaks during web queries, and the slide generator sub-agent is authorized to generate and save the final presentation using the aggregated outputs. Without batch authorization, the workflow would stall whenever a sub-agent reaches its specific sub-task and attempts to request its required permission, such as fetching external web resources or requesting file-write permissions. Asynchronously prompting the user for these consents would inevitably cause task blockages and ruin the automated multi-agent experience, which is unacceptable.</t>
      <t>While the existing OAuth 2.0 protocol and its extensions provide a foundation for authorization, they lack native support for efficient, secure delegation for a batch of coordinated tasks:</t>
      <t><strong>(1) OAuth 2.0<xref target="RFC6749"/>:</strong>  The OAuth 2.0 authorization framework enables a client to obtain limited access to protected resources on behalf of a resource owner. However, in a multi-entity collaboration scenario, this requires each entity to independently initiate its own authorization flow. This results in multiple user interactions, introducing significant end-to-end latency and severe user fatigue.</t>
      <t><strong>(2) OAuth 2.0 Token Exchange<xref target="RFC8693"/>:</strong> Token Exchange defines a delegation mechanism and introduces the <tt>may_act</tt> claim to authorize an actor to act on behalf of a subject. However, the <tt>may_act</tt> claim only determines who is authorized to act. It does not provide a way to link or specify which subset of permissions are being delegated to this actor.</t>
      <t><strong>(3) OAuth 2.0 Rich Authorization Request (RAR) <xref target="RFC9396"/>:</strong> RAR introduces a new parameter <tt>authorization_details</tt> to allow clients to express their fine-grained authorization requirements using the JSON structures. Such a parameter allows several fine-grained permissions to be included in a single authorization request, as well as the issued access token. However, RAR does not currently specify how these structured permissions can be partitioned and delegated to different actors during a subsequent token exchange.</t>
      <t>In summary, the existing OAuth 2.0 protocol and its extensions lack a mechanism to express, partition, and delegate fine-grained structured permissions across multiple collaborating entities.</t>
      <t>To bridge this gap, this document adds the delegation information directly to the multiple fine-grained permissions in the RAR. By extending the <tt>authorization_details</tt> with a <tt>may_act</tt> field, a client can request a comprehensive set of permissions, each of which specify which actor is authorized to exercise such privilege. The Authorization Server (AS) then responds this request with a Batch Token, which contains the above permissions and their corresponding designated actors. When an actor performs a token exchange using the Batch Token, the AS applies a downscoping strategy, filtering the permissions based on the consistency of the <tt>may_act</tt> field and actor's identity. This ensures a convenient authorization experience for the user while strictly enforcing the principle of minimal privilege across multiple collaborating entities.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
      <t>This document uses common OAuth and token processing terms such as "access token", "authorization server" (AS), "resource server" (RS), "authorization request", "access token response" defined by <xref target="RFC6749"/>, "Trust Domain", "JWT Authorization Grant" defined by <xref target="I-D.ietf-oauth-identity-chaining"/>, "identity assertion" defined by <xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>.</t>
      <t>In addition, the following terms are defined for this document:</t>
      <t>Leader-Client:  The entity responsible for coordinating tasks and requesting permissions in a batch on behalf of Sub-Clients. The Leader-Client initiates rich authorization requests to the AS, and sends the obtained Batch Token to Sub-Clients. According to examples listed above, Leader-Client is the principal personal assistant agent, a microservice orchestrator, or an API gateway.</t>
      <t>Sub-Client:  The entity that is subordinate to the Leader-Client and redeem access tokens to Resource Servers (RS) to perform specific sub-tasks. The Sub-Client exchanges the received Batch Token for a downscoped access token with partial privileges. Sub-clients could be sub-agents and microservices.</t>
      <t>Batch Authorization Delegation: A mechanism proposed in this document that a Leader-Client requests permissions in a batch and delegates them to its subordinate Sub-Clients.</t>
      <t>Authorization Item: An authorization item defines one permission per one corresponding designated actor. There may be multiple Authorization Items within one <tt>authorization_details</tt>, which is later encapsulated in the rich authorization request and the issued Batch Token.</t>
      <t>Batch Token: A special JWT access token issued by the AS to the Leader-Client. It encapsulates multiple Authorization Items, enabling subsequent delegation.</t>
      <t>Designated Actor: The <tt>may_act</tt> field within an authorization item that specifies the Sub-Client authorized to exercise that permission.</t>
      <t>Downscoped Token: The access token issued to a Sub-Client as a result of token exchange, which is to be used at the RS to access protected resources. It contains only a subset of authorization items whose designated actors match the requesting Sub-Client's identity.</t>
    </section>
    <section anchor="basic">
      <name>Batch Authorization Delegation</name>
      <t>This document specifies a mechanism combining OAuth RAR <xref target="RFC9396"/> and Token Exchange <xref target="RFC8693"/> to achieve Batch Authorization Delegation.</t>
      <t>The Leader-Client sends a rich authorization request with multiple authorization items to the AS. Each authorization item not only describes the required permission but also declares the Sub-Client to which the permission can be delegated to via designated actors. Upon user confirmation, the AS issues a Batch Token to the Leader-Client, which encapsulates the authorization items confirmed by the user. The Leader-Client distributes the Batch Token to Sub-Clients.</t>
      <t>The Sub-Client initiates a token exchange request to the AS. The AS verifies the Sub-Client's identity against the Designated Actors in the Batch Token, and then filters out one or more authorization items corresponding to this specific Sub-Client. Then the AS generates a Downscoped Token containing only the permissions from the filtered authorization items.</t>
      <t>Such a mechanism enables the Leader-Client to perform a one-time batch authorization as well as ensuring each Sub-Client obtains an access token containing only the permissions it requires, thereby realizing both efficiency and security.</t>
      <section anchor="overview">
        <name>Overview</name>
        <t>Figure 1 shows the flow of Batch Authorization Delegation. Note that a Leader-Client MAY coordinate several Sub-Clients. For simplicity, only one Sub-Client is shown in Figure 1.</t>
        <artwork><![CDATA[
+----++-------------+    +----+      +----------++----+
|User||Leader-Client|    | AS |      |Sub-Client|| RS |
+-+--++------+------+    +--+-+      +-----+----++--+-+
  |          |(1)RAR        |              |        |
  |          |(with may_act)|              |        |
  |          +-------------->              |        |
  |          |(2)Ask for    |              |        |
  |          | consent      |              |        |
  <----------+--------------+              |        |
  |(3)Consent|              |              |        |
  +----------+-------------->              |        |
  |          |(4)Issue      |              |        |
  |          | Batch Token  |              |        |
  |          <--------------+              |        |
  |          |(5)Distribute |              |        |
  |          | Batch Token  |              |        |
  |          |--------------+-------------->        |
  |          |              |(6)Token      |        |
  |          |              | exchange     |        |
  |          |              | request      |        |
  |          |              <--------------+        |
  |          |              | <Batch Token>|        |
  |          |              |              |        |
  |          |              |(7)Verify     |        |
  |          |              +-+ identity   |        |
  |          |              | | &Downscope |        |
  |          |              <-+            |        |
  |          |              |(8)Downscoped |        |
  |          |              |   Token      |        |
  |          |              +-------------->        |
  |          |              |              |(9)Access
  |          |              |              |-------->
  |          |              |              |        |
]]></artwork>
        <t><em>Figure 1: Batch Authorization Delegation Flow</em></t>
        <t>(1) The Leader-Client sends a rich authorization request containing multiple authorization items to the AS. Each authorization item includes a fine-grained permission (described by several fields defined in <xref target="RFC9396"/>, e.g., <tt>type</tt>, <tt>actions</tt>, <tt>locations</tt>, etc.) and a designated actor that uses the <tt>may_act</tt> field. to designate which Sub-Client is authorized for the permission.</t>
        <t>(2) After receiving the rich authorization request, the AS presents all authorization items in the request to the user for consent.</t>
        <t>(3) The user confirms all or some of the authorization items and sends the result back to the AS.</t>
        <t>(4) The AS generates a Batch Token, which encapsulates the authorization items confirmed by the user and issues it to the Leader-Client.</t>
        <t>(5) The Leader-Client distributes the Batch Token to the Sub-Client.</t>
        <t>(6) The Sub-Client initiates a token exchange request to the AS to exchange the Batch Token to a Downscoped Token.</t>
        <t>(7) The AS verifies the identity of Sub-Client against the designated actors in the Batch Token to filter the authorization items corresponding to the Sub-Client.</t>
        <t>(8) The AS generates a Downscoped Token that only contains the permissions in the filtered authorization items and send it to the Sub-Client.</t>
        <t>(9) The Sub-Client accesses the RS with the Downscoped Token.</t>
        <t>This mechanism offers two key advantages.</t>
        <ul spacing="normal">
          <li>
            <t>First, it fully reuses existing standards, combining RAR's flexible permission definitions with Token Exchange's delegation semantics by simply moving the <tt>may_act</tt> claim from the entity level down to individual authorization items without altering its original meaning. This slight change effectively fulfills the expression, partition, and delegation purpose of fine-grained structured permissions across multiple collaborating entities.</t>
          </li>
          <li>
            <t>Second, the final Downscoped Token introduces no new claims or structural changes. Since RS deployments are often numerous and costly to upgrade, this design ensures zero modification to existing RSs, enabling smooth adoption with minimal reconfiguration.</t>
          </li>
        </ul>
      </section>
      <section anchor="batch-token">
        <name>Batch Token</name>
        <section anchor="rar-extension-with-the-mayact-field">
          <name>RAR Extension with the may_act field</name>
          <t>In <xref target="RFC8693"/>, the may_act is a top-level claim, which makes a statement of one party is authorized to become the actor and act on behalf of another party. It is an entity-level delegation, without further distinguishing the permission subsets.</t>
          <t>In contrast, this document leverages <tt>authorization_details</tt> defined in <xref target="RFC9396"/> to describe multiple authorization items, each of which contains a permission and a nested <tt>may_act</tt> field serving as a designated actor. This helps to define who is authorized to perform which permission, thus changing the entity-level delegation into an item-level delegation.</t>
          <t><strong>may_act</strong><br/>
            <strong>REQUIRED.</strong> A JSON object that identifies the specific Sub-Client authorized to exercise the permission.</t>
          <t>The <tt>may_act</tt> JSON object contains fields that specify the intended actor for a particular authorization item. This document defines the following two fields:</t>
          <t><strong>sub</strong><br/>
            <strong>REQUIRED.</strong> A string that uniquely identifies the Sub-Client authorized to exercise the permission.</t>
          <t><strong>aud</strong><br/>
            <strong>OPTIONAL.</strong> A string that identifies the AS of the trust domain where the Sub-Client resides. If the Sub-Client and the Leader-Client are located in different Trust Domains, this field MUST be present to specify the target AS. If this field is omitted, it MUST be assumed that the Sub-Client and the Leader-Client reside in the same trust domain.</t>
          <t>Figure 2 shows an example of <tt>authorization_details</tt> containing the <tt>may_act</tt> field. It represents a typical travel management scenario in which the Leader-Client requests two distinct authorization items: a flight booking permission delegated to the Flight-Agent, and a hotel reservation permission delegated to the Hotel-Agent. Both Sub-Clients are located in the same trust domain as the Leader-Client so that the <tt>may_act.aud</tt> field is omitted. This structure demonstrates how multiple permissions can be bound to different actors within a single authorization request.</t>
          <artwork><![CDATA[
[
  {
    "type": "flight_booking",
    "actions": ["search", "book"],
    "locations": ["https://example.com/flights"],
    "may_act": {
        "sub": "flight_agent@example.com"
    }
  },
  {
    "type": "hotel_reservation",
    "actions": ["search", "book"],
    "locations": ["https://example.com/hotels"],
    "may_act": {
        "sub": "hotel_agent@example.com"
    }
  }
]
]]></artwork>
          <t><em>Figure 2: authorization_details with the <tt>may_act</tt> field</em></t>
        </section>
        <section anchor="requesting-and-issuing-a-batch-token">
          <name>Requesting and Issuing a Batch Token</name>
          <t>The lead-client sends an authorization request that contains <tt>authorization_details</tt> with <tt>may_act</tt> fields to the AS. The AS MUST ask the user for consent to the requested authorization items. The general processing rules of the AS defined in <xref target="RFC9396"/> apply, with the following extensions:</t>
          <ul spacing="normal">
            <li>
              <t>The AS MUST validate that the Sub-Client identified in the <tt>may_act.sub</tt> field is known. If the <tt>may_act.aud</tt> field is present, the AS MUST validate that the target AS is reachable and trusted according to local policies.</t>
            </li>
            <li>
              <t>The AS MUST present all the authorization items, including the requested permissions and their corresponding intended Sub-Clients to the user. The user MAY:  </t>
              <ul spacing="normal">
                <li>
                  <t>Grant all requested authorization items.</t>
                </li>
                <li>
                  <t>Grant only a subset of the authorization items.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>The AS MUST record the consented authorization items, including the <tt>may_act</tt> fields, as part of a grant (e.g., the authorization code).</t>
            </li>
          </ul>
          <t>After user consent, the AS issues an authorization code as a grant to the Leader-Client. The Leader-Client then exchanges the authorization code for a Batch Token, following the standard authorization response and token request flow as defined in <xref target="RFC6749"/>.</t>
          <t>Subsequently, the AS generates a Batch Token and returns it to the Leader-Client in the Token response. The Batch Token is a JWT access token conforming to <xref target="RFC9068"/>, with the following claims and values.</t>
        </section>
        <section anchor="batch-token-claims">
          <name>Batch Token Claims</name>
          <t><strong>iss</strong><br/>
            <strong>REQUIRED.</strong> The identifier of the AS.</t>
          <t><strong>sub</strong><br/>
            <strong>REQUIRED.</strong> The identifier of the user who grants the consent.</t>
          <t><strong>aud</strong><br/>
            <strong>REQUIRED.</strong> MUST be set to the AS itself, as the Batch Token is intended only for token exchange at the AS and cannot be directly used at the RS.</t>
          <t><strong>client_id</strong><br/>
            <strong>REQUIRED.</strong> The identifier of the Leader-Client that initiated the authorization request.</t>
          <t><strong>authorization_details</strong><br/>
            <strong>REQUIRED.</strong> An JSON array containing all the consented authorization items, including the permission descriptions and their corresponding <tt>may_act</tt> Designated Actors.</t>
          <t>Figure 3 shows an example of the Batch Token JWT payload, which encapsulates all consented authorization items from Figure 2. The <tt>sub</tt> claim identifies the user who consents, the <tt>client_id</tt> claim identifies the travel assistant as the Leader-Client that initiates the request, each <tt>may_act.sub</tt> field identifies the Sub-Client authorized to exercise the corresponding permission. The <tt>aud</tt> claim is set to the AS itself, as the Batch Token will be presented back to the AS for further token exchange.</t>
          <artwork><![CDATA[
{
  "iss": "https://as.example.com",
  "sub": "user@example.com",
  "aud": "https://as.example.com",
  "client_id": "travel_assistant@example.com",
  "exp": 1777881600,
  "iat": 1777795200,
  "jti": "batch-token-8b4729cc-32e4-4370-8cf0-5796154d1296",
  "authorization_details": [
    {
      "type": "flight_booking",
      "actions": ["search", "book"],
      "locations": ["https://example.com/flights"],
      "may_act": {
        "sub": "flight_agent@example.com"
      }
    },
    {
      "type": "hotel_reservation",
      "actions": ["search", "book"],
      "locations": ["https://example.com/hotels"],
      "may_act": {
        "sub": "hotel_agent@example.com"
      }
    }
  ]
}
]]></artwork>
          <t><em>Figure 3: Batch Token JWT Payload</em></t>
        </section>
      </section>
      <section anchor="downscoped-token">
        <name>Downscoped Token</name>
        <section anchor="token-exchange-request">
          <name>Token Exchange Request</name>
          <t>When a Sub-Client receives a Batch Token from the Leader-Client, it MUST perform a token exchange request to the AS to obtain a Downscoped Token. The Batch Token MUST NOT be used directly to the RS to redeem resources by anyone. Within the token exchange request, the parameters described in section 2.1 of <xref target="RFC8693"/> apply with the following additional requirements:</t>
          <t><strong>resource</strong><br/>
            <strong>OPTIONAL.</strong> The URI of the target RS where the Sub-Client intends to use the Downscoped Token.</t>
          <t><strong>audience</strong><br/>
            <strong>OPTIONAL.</strong> The well-known/logical name of the target RS where the Sub-Client intends to use the Downscoped Token.</t>
          <t><strong>subject_token</strong><br/>
            <strong>REQUIRED.</strong> The Batch Token received from the Leader-Client.</t>
          <t><strong>subject_token_type</strong><br/>
            <strong>REQUIRED.</strong> urn:ietf:params:oauth:token-type:jwt.</t>
          <t>Since the AS has to identify the requesting Sub-Client to filter the authorization items, it MUST authenticate the Sub-Client. The AS MAY use the following authentication methods:</t>
          <ul spacing="normal">
            <li>
              <t>Password-based authentication as defined in Section 2.3.1 of <xref target="RFC6749"/>.</t>
            </li>
            <li>
              <t>Bearer JWT-based authentication as defined in <xref target="RFC7523"/>.</t>
            </li>
            <li>
              <t>WIMSE-based authentication methods, as defined in <xref target="I-D.ietf-wimse-wpt"/>, <xref target="I-D.ietf-wimse-http-signature"/>, and <xref target="I-D.ietf-wimse-mutual-tls"/>.</t>
            </li>
            <li>
              <t>Actor token as defined in <xref target="RFC8693"/>.</t>
            </li>
          </ul>
          <t>Figure 4 shows a token exchange request initiated by the Flight-Agent. In this request, the Flight-Agent provides the received Batch Token from Figure 3 as the <tt>subject_token</tt>. To satisfy the requirement for client authentication, the Flight-Agent provides its own identity token as an <tt>actor_token</tt>.</t>
          <artwork><![CDATA[
 POST /as/token.oauth2 HTTP/1.1
 Host: as.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
 &subject_token=<Encoded Batch Token>
 &subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
 &actor_token=eyJhb...
 &actor_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
]]></artwork>
          <t><em>Figure 4: Token Exchange Request</em></t>
          <t>The claims of the <tt>actor_token</tt> are detailed in Figure 5.</t>
          <artwork><![CDATA[
{
  "aud":"https://as.example.com",
  "iss":"https://original-issuer.example.net",
  "exp": 1778400000,
  "sub":"flight_agent@example.net"
}
]]></artwork>
          <t><em>Figure 5: Actor Token Claims</em></t>
        </section>
        <section anchor="processing-rules-of-the-authorization-server">
          <name>Processing Rules of the Authorization Server</name>
          <t>In addition to authenticating the requesting Sub-Client, the AS MUST</t>
          <ul spacing="normal">
            <li>
              <t>Validate the Batch Token provided in the <tt>subject_token</tt>.</t>
            </li>
            <li>
              <t>Retrieve the <tt>authorization_details</tt> from the Batch Token's payload and filter only those authorization items whose <tt>may_act.sub</tt> fields exactly matches the authenticated Sub-Client's identity.</t>
            </li>
          </ul>
        </section>
        <section anchor="downscoped-token-claims">
          <name>Downscoped Token Claims</name>
          <t>The AS generates a Downscoped Token that only contains the permissions in the filtered authorization items. The format of this token MAY be a JWT access token conforming to <xref target="RFC9068"/> or any other format at the AS's discretion. If a JWT Downscoped Token is used, the following constraints on its claim values apply:</t>
          <t><strong>sub</strong><br/>
            <strong>REQUIRED.</strong> The owner who grants the consent (copied from the <tt>sub</tt> claim of the Batch Token in the <tt>subject_token</tt> parameter).</t>
          <t><strong>client_id</strong><br/>
            <strong>REQUIRED.</strong> The identifier of the authenticated sub-client.</t>
          <t><strong>aud</strong><br/>
            <strong>OPTIONAL.</strong> The target RS where the Sub-Client intends to use the Downscoped Token.</t>
          <t><strong>authorization_details</strong><br/>
            <strong>OPTIONAL.</strong> A JSON array containing the permissions from the filtered authorization items. Since the <tt>may_act</tt> field has already been enforced as a designated actor by the AS during token exchange, it MAY be omitted in the Downscoped Token.</t>
          <t>Figure 6 shows a Downscoped Token issued to the Flight-Agent after token exchange. Its <tt>sub</tt> claim identifies the end-user who grants the consent, its <tt>aud</tt> claim points directly to target service (https://example.com/flights), and the <tt>client_id</tt> identifies the Flight-Agent. The <tt>authorization_details</tt> array contains only the flight-booking permission, with the <tt>may_act</tt> field removed.</t>
          <artwork><![CDATA[
{
  "iss": "https://as.example.com",
  "sub": "user@example.com",
  "aud": "https://example.com/flights",
  "client_id": "flight_agent@example.com",
  "exp": 1777881600,
  "iat": 1777795210,
  "jti": "downscoped-token-7c8d9a2e-4b12-4a3f-8e6c-2f9a8b3c7d5e",
  "authorization_details": [
    {
      "type": "flight_booking",
      "actions": ["search", "book"],
      "locations": ["https://example.com/flights"],
    }
  ]
}
]]></artwork>
          <t><em>Figure 6: Downscoped Token Payload</em></t>
        </section>
      </section>
    </section>
    <section anchor="derivative-scenarios">
      <name>Derivative Scenarios</name>
      <t>Until now, the main procedures of the Batch Authorization Delegation is done. There are some more derivative scenarios with detailed additional steps and considerations, including:</t>
      <ul spacing="normal">
        <li>
          <t>Single-Domain Batch Authorization Delegation: The user, Leader-Client, and Sub-Clients all reside within the same trust domain managed by a single AS.</t>
        </li>
        <li>
          <t>Batch Authorization Delegation with Cross-Domain Sub-Clients: The user and Leader-Client belong to the same trust domain, but Sub-Clients reside in one or more other trust domains, each managed by its own AS.</t>
        </li>
        <li>
          <t>Batch Authorization Delegation with a Cross-Domain User: The Leader-Client and Sub-Clients belong to the same trust domain, while the user resides in another trust domain, each managed by its own AS.</t>
        </li>
        <li>
          <t>Combined Cross-Domain Scenario: The user, Leader-Client, and Sub-Clients each reside in different trust domains, each managed by its own AS.</t>
        </li>
      </ul>
      <section anchor="single-domain-batch-authorization-delegation">
        <name>Single-Domain Batch Authorization Delegation</name>
        <t>In this case, the workflow and the examples are already given in <xref target="basic"/> Figures. 1-6.</t>
      </section>
      <section anchor="batch-authorization-delegation-with-cross-domain-sub-clients">
        <name>Batch Authorization Delegation with Cross-Domain Sub-Clients</name>
        <section anchor="workflow">
          <name>Workflow</name>
          <t>The workflow in this case is a combination of Batch Authorization Delegation and identity chaining <xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
          <t>Since the Sub-Client and Leader-Client reside in different trust domains, the Leader-Client in Domain A requests JWT Authorization Grants (JAGs) from the AS in Domain A via token exchange. The AS in Domain A inspects both the <tt>may_act.aud</tt> and <tt>may_act.sub</tt> fields within the Batch Token, filters and splits the authorization items to generates an actor-specific JAG for each designated Sub-Client.</t>
          <t>Taking the Sub-Client in Domain B as an example, the Leader-Client then presents the corresponding JAG as an assertion to the AS in Domain B to obtain an access token, which is subsequently exchanged by the specific Sub-Client in Domain B for a final Downscoped Token. This token exchange ensures that the final Downscoped Token is bound to the Sub-Client's own identity and contains only the specific permissions it required.</t>
          <artwork><![CDATA[
+--------++-------------+  +--------++--------+ +----------+ +--------+
|  User  ||Leader-Client|  |   AS   ||   AS   | |Sub-Client| |   RS   |
|Domain A||   Domain A  |  |Domain A||Domain B| | Domain B | |Domain B|
+---+----++------+------+  +-----+--++---+----+ +-----+----+ +---+----+
    |            |(1)RAR         |       |            |          |
    |            |(with may_act) |       |            |          |
    |            +--------------->       |            |          |
    |            |(2)Ask for     |       |            |          |
    |            | consent       |       |            |          |
    <------------+---------------+       |            |          |
    |(3)Consent  |               |       |            |          |
    +------------+--------------->       |            |          |
    |            |(4)Issue       |       |            |          |
    |            | Batch Token   |       |            |          |
    |            <---------------+       |            |          |
    |            |(a)Token       |       |            |          |
    |            | exchange      |       |            |          |
    |            | request       |       |            |          |
    |            |--------------->       |            |          |
    |            |(b)Verify      |       |            |          |
    |            |   &Downscope  |       |            |          |
    |            |             +-+       |            |          |
    |            |             | |       |            |          |
    |            |(c)JAGs      +->       |            |          |
    |            <---------------+       |            |          |
    |            |(d)JAG         |       |            |          |
    |            +---------------+------->            |          |
    |            |(e)Access Token|       |            |          |
    |            <---------------+-------+            |          |
    |            |(f)Access Token|       |            |          |
    |            +---------------+-------+------------>          |
    |            |               |       |(6)Token    |          |
    |            |               |       | exchange   |          |
    |            |               |       | Request    |          |
    |            |               |       <------------|          |
    |            |               |       |(8)Downscope|          |
    |            |               |       | Token      |          |
    |            |               |       +------------>          |
    |            |               |       |            |(9)access |
    |            |               |       |            +---------->
    |            |               |       |            |          |
]]></artwork>
          <t><em>Figure 7: Batch Authorization Delegation with Cross-Domain Sub-Clients</em></t>
          <t>Steps (1)-(4) are the same as in Figure 1.</t>
          <t>(a) The Leader-Client in Domain A exchanges the Batch Token with the AS in Domain A for actor-specific JAGs that can be used in the AS in Domain B.</t>
          <t>(b) The AS of Domain A inspects the may_act fields within the Batch Token, filtering and splitting the authorization items down to each target actor in Domain B.</t>
          <t>(c) The AS of Domain A issues actor-specific JAGs, with the nested <tt>may_act</tt> field in the <tt>authorization_details</tt> removed. This step requires trust relationship between the ASs in Domain A and Domain B.  See Section 2.1 of <xref target="I-D.ietf-oauth-identity-chaining"/> for the trust relationship establishment.</t>
          <t>(d) The Leader-Client in Domain A presents the JAG for the specific Sub-Client as an assertion to the AS of Domain B.</t>
          <t>(e) The AS of Domain B validates the JAG, extracts and encapsulates the filtered authorization items in an access token and sends it to the Leader-Client.</t>
          <t>(f) The Leader-Client sends the access token to the Sub-Client.</t>
          <t>Steps (6)-(9) are the same as in Figure 1.</t>
          <t>By splitting and filtering batch tokens entirely within the Domain A, the key advantage of the above mechanism is the AS of Domain B is relieved from handling complex batch authorization processing. This minimizes upgrade overhead for downstream ASs, ensuring rapid and seamless compatibility with existing cross-domain OAuth deployments.</t>
        </section>
        <section anchor="examples">
          <name>Examples</name>
          <t>The following shows some typical examples in the workflow of Figure 7, which is correspond to the use case (1) in <xref target="intro"/>.</t>
          <section anchor="batch-token-1">
            <name>Batch Token</name>
            <t>Figure 8 illustrates a Batch Token payload issued by a leading Chinese Financial Alliance's AS in step (4).</t>
            <t>The Batch Token contains two authorization items: one for searching and calculating max availble coupons at Bank_A (benefit_agent), and another for the same actions at Bank_B. The <tt>may_act.aud</tt> field specifies the AS location, while the <tt>may_act.sub</tt> field specifies the designated actor.</t>
            <artwork><![CDATA[
{
  "iss": "https://as.alliance.example.com",
  "sub": "user@alliance.example.com",
  "aud": "https://as.alliance.example.com",
  "client_id": "finance_assistant@alliance.example.com",
  "exp": 1777881600,
  "iat": 1777795200,
  "jti": "4a7b203c-e591-4916-b8df-d2b389f4621c",
  "authorization_details": [
    {
      "type": "benefit_bank_a",
      "actions": ["search", "calculate"],
      "locations": ["https://bank_a.example.com/benefits"],
      "may_act": {
        "sub": "benefit_agent@bank_a.example.com",
        "aud": "https://as.bank_a.example.com"
      }
    },
    {
      "type": "benefit_bank_b",
      "actions": ["search", "calculate"],
      "locations": ["https://bank_b.example.com/benefits"],
      "may_act": {
        "sub": "benefit_agent@bank_b.example.com",
        "aud": "https://as.bank_b.example.com"
      }
    }
  ]
}
]]></artwork>
            <t><em>Figure 8: Batch Token Payload</em></t>
          </section>
          <section anchor="jwt-authorization-grant">
            <name>JWT Authorization Grant</name>
            <t>Figure 9 shows the JAG payload issued by the Finance Alliance AS in step (c), specifically filtered for Bank_A's benefit_agent.</t>
            <t>In accordance with step (b), the Finance Alliance AS inspects the <tt>may_act</tt> fields of the Batch Token (Figure 8), extracts and encapsulates the benefit_bank_a item into the JAG, with the <tt>may_act</tt> field removed.</t>
            <artwork><![CDATA[
{
  "iss": "https://as.alliance.example.com",
  "sub": "user@alliance.example.com",
  "aud": "https://as.bank_a.example.com",
  "client_id": "finance_assistant@alliance.example.com",
  "iat": 1777795210,
  "exp": 1777795300,
  "authorization_details": [
    {
      "type": "benefit_bank_a",
      "actions": ["search", "calculate"],
      "locations": ["https://bank_a.example.com/benefits"],
    }
  ]
}
]]></artwork>
            <t><em>Figure 9: JAG Payload</em></t>
            <t>The subsequent formats of the access token, token exchange requests, and downscoped tokens fully reuse the standard profiles defined in Section 3 of <xref target="I-D.ietf-oauth-identity-chaining"/>, and are therefore omitted here.</t>
          </section>
        </section>
      </section>
      <section anchor="batch-authorization-delegation-with-the-cross-domain-user">
        <name>Batch Authorization Delegation with the Cross-Domain User</name>
        <t>When the user resides in a different trust domain from the clients, one potential approach is to explore the combination of batch authorization delegation and identity assertion <xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>. The user's client could obtain an Identity Assertion from its local IdP, exchange it for an Identity Assertion JWT Authorization Grant (ID-JAG) targeting the AS of the leader-client's domain, and then exchange it into an access token for the Leader-Client; the Leader-Client might then exchange this access token to a batch token. Because this pattern introduces the delegation of user's intent, the specific workflow require further analysis and are open for working group discussion.</t>
      </section>
      <section anchor="combined-cross-domain-scenario">
        <name>Combined Cross-Domain Scenario</name>
        <t>In some deployments, the user, the leader-client, and the sub-clients may each reside in different trust domains. A combination of the workflows defined in Sections 4.2 and 4.3 directly supports this scenario.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>TODO Security</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC9396">
          <front>
            <title>OAuth 2.0 Rich Authorization Requests</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Richer" initials="J." surname="Richer"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <date month="May" year="2023"/>
            <abstract>
              <t>This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9396"/>
          <seriesInfo name="DOI" value="10.17487/RFC9396"/>
        </reference>
        <reference anchor="RFC8693">
          <front>
            <title>OAuth 2.0 Token Exchange</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="January" year="2020"/>
            <abstract>
              <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8693"/>
          <seriesInfo name="DOI" value="10.17487/RFC8693"/>
        </reference>
        <reference anchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="RFC9068">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens</title>
            <author fullname="V. Bertocci" initials="V." surname="Bertocci"/>
            <date month="October" year="2021"/>
            <abstract>
              <t>This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9068"/>
          <seriesInfo name="DOI" value="10.17487/RFC9068"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-oauth-identity-chaining">
          <front>
            <title>OAuth Identity and Authorization Chaining Across Domains</title>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Kelley Burgin" initials="K." surname="Burgin">
              <organization>MITRE</organization>
            </author>
            <author fullname="Michael J. Jenkins" initials="M. J." surname="Jenkins">
              <organization>NSA-CCSS</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <date day="26" month="June" year="2026"/>
            <abstract>
              <t>   This specification describes a mechanism for preserving identity and
   authorization information across trust domains that use the OAuth 2.0
   Framework.  A JSON Web Token (JWT) authorization grant, obtained
   through an intra-domain OAuth 2.0 Token Exchange, facilitates the
   cross-domain acquisition of an access token.  The relevant identity
   and authorization information is chained throughout the flow by being
   conveyed in the respective artifacts exchanged at each step of the
   process.  Chaining across multiple domains is achieved by using the
   same protocol every time a trust domain boundary is crossed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-chaining-16"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-identity-assertion-authz-grant">
          <front>
            <title>Identity Assertion JWT Authorization Grant</title>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <author fullname="Karl McGuinness" initials="K." surname="McGuinness">
              <organization>Independent</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <date day="21" month="May" year="2026"/>
            <abstract>
              <t>   This specification provides a mechanism for an application to use an
   identity assertion to obtain an access token for a third-party API by
   coordinating through an identity provider that the downstream
   Resource Authorization Server already trusts for single sign-on
   (SSO), using Token Exchange [RFC8693] and JWT Profile for OAuth 2.0
   Authorization Grants [RFC7523].  This pattern is informally referred
   to as Cross-App Access (XAA).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-assertion-authz-grant-04"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-wpt">
          <front>
            <title>WIMSE Workload Proof Token</title>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from basic
   deployments to complex multi-service, multi-cloud, multi-tenant
   systems.  This document specifies the Workload Proof Token (WPT), a
   mechanism for workloads to prove possession of the private key
   associated with a Workload Identity Token (WIT).  The WPT is a signed
   JWT that binds the workload's authentication to a specific HTTP
   request, providing application-level proof of possession for
   workload-to-workload communication.  This specification is designed
   to work alongside the WIT credential format defined in draft-ietf-
   wimse-workload-creds and can be combined with other WIMSE protocols
   in multi-hop call chains.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-wpt-01"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-http-signature">
          <front>
            <title>WIMSE Workload-to-Workload Authentication with HTTP Signatures</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <date day="7" month="April" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones to complex multi-service, multi-cloud, multi-tenant
   deployments.  This document defines one of the mechanisms to provide
   workload authentication, using HTTP Signatures.  While only
   applicable to HTTP traffic, the protocol provides end-to-end
   protection of requests (and optionally, responses), even when service
   traffic is not end-to-end encrypted, that is, when TLS proxies and
   load balancers are used.  Authentication is based on the Workload
   Identity Token (WIT).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-http-signature-03"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-mutual-tls">
          <front>
            <title>Workload Authentication Using Mutual TLS</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="5" month="May" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones to complex multi-service, multi-cloud, multi-tenant
   deployments.  This document profiles a workload authentication based
   on X.509 workload identity certificates using mutual TLS (mTLS).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-mutual-tls-01"/>
        </reference>
      </references>
    </references>
    <?line 582?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9U9aXPbRpbf+Su65NqJZJO0dViWuEkq9JUolVheSZ5UamrK
BoGmiBEIcNGAZCby/PZ9R58ASFGK58P6g0WCQPfrd1/dGAwGvSqtMjkSWy+j
Kp6JcV3NijL9I6rSIhevZSYv6eNWL44qeVmUy5FI82nR6yVFnEdzeDIpo2k1
yNPBBEcYRP4Ig8SOMHj2rKfqyTxVCr5VywU8evLm4q0Qj0SUqQJASPNELiT8
l1dbfbElk7SCkaIMv5yMX8KfooRPZxdvt3p5PZ/IctRLAKxRLy5yJXNVq5Go
ylr2rkdivwfjljIaifHZmzF8uSnKq8uyqBcj8duP4jf4luaX4ke80ruSS/g5
GfWEGIiztIWIM/m/tVQV/XxRXMlcvPkcz6L8UtKlEwQ5rZbi1SxKcxg2vDpW
SpY4Dl1ej+he71rmNSzpkRAWWvzCGAvBhsvzKM1GokCs/5DKajosyku8HpXx
bCRmVbVQo6dP5edovsjkMC7mT2E4GDqtZvUEcP4u/b2O8r29g6cb0nELns4A
6aqCp834dpQhDzxMi03H2/S+4ayaZ1u9Hv8OlBoAIMyBOLd4l8J3WHyU62dH
4qc6upF4WTKW8nQJd+7+MKPriIyeP8yrWZ3Hs1S8l5UsxS9pfeeAWVrH/FAw
Zl6Uc3jiWiI/nb19tbe7e6w/Hu2+ONAfD18cmKvH+8eH5obD43398cXzPfPx
+Nnh0ajXQ8nzhj4ZvB4izQdE/kGq+W0Qay5cd09keJIQ/sfgsozyKnjgJp0r
ObhZdF1Fug9UeplHVV3KjhvmdVVH2aDKFIA9HA57vcFgIKKJqsoornq9i1mq
BKiQeg7wiESquEwnUolIzCUKVqrmAtZ6h7D0xc0MhVXm0SSjp4mHRDEV0zSX
uCj4k/QFzFmUg0lR54lYyFIrIQWqDJ5RgKpMipJlXERwj5IxrCtbCs1/MHY1
k3NRFWJeZ1UKsiTiIsuiSVECJCCQNIOCddJC52mSZLIHgniSV2WR1DFB/uej
FL9+6fVe1xIHg0FFmSqJEHvjXUuAoLxOYylkXKilquRcEWDjEzG+BJSpPsCr
irqEW6I4lkqJRVQB38KiQOsJNUunBNe0LOawRkA7aFOAIcr6wLa5jMq+WXic
pTDiAGcEvp8XsGaEDVgZlvmZFzzQqqwAtSKRiCSSYiyqSF2BEloKVMGpqhQu
xaMDqPwB3qMMrfBeRHUKUAayrnDSJJ1OZYk8YZanYJYMbqsvZzDurJ6DrNcA
q4jhg6VZwCDIODKCucwYfUA08BtaAAF/awW8CcSNo7JMZSKKuhKTJYy+KNM8
ThdRhkyiEFkC5ARWBbJhUT8Uv83SzAGPWK6KCh8q02v45VIqQ9uOYSIcQxD3
I9P2RVohC1wpQSKIo8nPSFDkgnDEtMKF1IDixaJQloHmIOxzf3qzDlD44jSn
ewr4rxQgWCAM6ZRhs4tlkAwuGcUdGAXuWHooBbhv0iyDK8DehI4CVBOgU06n
aQwsFS+HKOhATnicaIBCA2QHAc8yCcYT0QCLsFTUjOwJKPzqMZPlCWZrHJBY
IapEkSNMN0SZRSljEConviQInkLooBQMvZAxix6wrEGJWiBbA50YBZ9BLzCJ
kL0Mb8MyX4EyhaERHGArJVG1xFmdgG7sPX68vbsD1iXNI/Ehh2W9BxEYvz99
L7aJodJYwBVShKfg/oj3ZVEVoA12xNsSDBNy7ejxY5C1GG4pLb0IBY1R4wK8
GLiCCusGLLHTVpMovxrgElMgjlsirT+OsrhGm06YmCApCK1JqmJQmRWI4AXS
LpheEw2VbgGYrdK51IRqsw6QG5XOFWAeaExDhhTsk3Jr0Q1W4VFKIaWA1Bb3
DEiRZ8iWsQTaKQFAAZfSaBqnmqsQjhTm9QiNOMGlAReCSkvjCgYCGMABq2hR
dAMDmsmI/C4YRC2W9AlkJGexwtu+UWZpwCUg6pL4EZguAiEDpE2iDD5JRT4s
oDFXEdsEmB29XIm2Azhlb0ecovxIVjbi1Fe4xAY5SALdwMv3SY7ohIuS72ZN
PI/KKwkKB9j4coZkWxRlJVQGngAqPfC4s4IWVM1KCcyPLBJl6R9AK49LgLUX
UYlii0tRqDTzDsovFmVxDasNiDsUJ5VDcCdpgQlDqo7oaUafL5GpVpPMSUhX
1Is5Gj6c1qIb+AHQoljp8O+ABCXRLQ6HYzNXIddNwB7AwAS8kpLMer7Ex2FK
eBxijQjn0zyCJm/KDhXMiBwCSr0u8bEbOSFOTJHgyIwIBuNc0wcZyQfDCA3M
DzPomyQ7I9G1tOhANS8VciiRuFZMOuSGy5IQS/ZsUaPU/pai4ay65JIxg7pl
mhU38KHOYKYKJfVmBrOjKxAFqjBCRiQRCtQIOQAIJrof80UVaHQWODL2vuMF
rkeNAIFUSoCMbZ6mIaLO6XlAkx6LdXgGHmmZVtI3EuAgqCU44WWRF7UiGQaa
VgYxpMpQ+uELamcKFSullwzm4DqtwBKjO4Dam9YzyYr4KkLOxJWVdcpW1Nk4
dooYNfLzAiltDBAsDH2MHPlzgSNLkGx2GXAM0g4I2yl6tWJv+AzhJYVPkyHK
EBk5G0AUKGSbCJYA3qunU1vUXEJcFl9BMKOt2IIkneyWtsjgP7BnK1xcxYM5
G+v0SUK4UNaCWYD//FOHL1++oEYi4+BW01D/xoR5Tjo7nMgnxYSsZpbO01Ck
ESWgpeGaxws52CZwHaas2Kz/W9zkqGR+Km6Qa/vs1Adeq+dawyAKDFlUpoX2
CjV/KtZA+gnSKjYbkaESAPcZJRLpAzM2lwlCpE0JDAVzk8q01pd4kNQQa33V
J62CgQGyAkZSKFDoH8KMg6oAyBMKs8GL0hEJrM0wM8x5WUtnMCzuw9wE0QkD
SqZT+COwALpESA+PGVz0RbyoYdSm5RP47h9hAZ+AglFK0ZBVWwJ9RoyB6Gpc
NakFquJfQFCPTF0jki1PMP6eE2w3s6KtHCMcBkxKUsAdYII9GbmJiHToa7Cp
RkW11FIJICjQ4gCO72FitDQhXW8sU8I+Ic6LC2I07/toXp0hEttn47MdQZjH
qJ4xD9d8XEYilzdkT+eUavgU8NJHWH+UZuoTrTVD7cwCw2byM+p/okdahk5t
yJGaref0oDMTP5+fvkNjDBEp6AHQneekiT1oaErFDMc21fObQ9d8Io2bmwSh
dBsSQE0f9f2NzDAYYrOsVO0LPXCnxx6IM0th0Fkly6Eh6QzQwgrdLiYED8ND
gA/WVVHgizMBSwdEdtEmh+/GfEfMKwA2qSkUG6nFBrjhBFRIPQe/atl/iEYn
Je3nORxV+w7cfgBtSIUVK47isgBErkhQkGJjN/MCKFemyaVkLr+MFloV2oRM
lCRMI0812OQTfE6As8ibMyGomXMlt2gLClQdipdLxkdimHKVAFAIE3laYprK
DNM5xoQEOQBy5Uo5Q0RTBqUp631W8XBRK4RAPbD2amkbiPlKjErYZbE+K4dE
oQ445wzK9vh8B5eV6/iRUKkNDQKqV8WpLVLKxm8A3wTtIaMeSHctQwKzIwly
D86tHpsVF6fiSJgoDSV+w+mtSoZBkHaoeUJu9hRDAA5eGJ+jPw94JhMBJg+C
wQVZK4xG5OUSw5sMNIYZwQfVxggc9FNqiGxZMW0ofiIpO5AIK8RRJkep7Snm
9Uv2G4oc/G4ifKhhnAdmHD02lJwOsKGHRA6OLbgmSYIwtXMoG0tT75F4RYBV
lkiv0bSSGCvKgIgrcM6wwKDE1q8fzi+woIF/xbtT+nz25n8+nJy9eY2fz38a
//KL/WDuOP/p9MMvr90n9+Sr019/ffPuNT8MV0Xj0q/j37dYmWydvr84OX03
/mWLpTEQ+FJahQ4kBTEiblI2NUsK/uWr92L3gK0bJrW/fOHPmNWGzxg48FRk
x/krOabASBB6kY0A/R9HC3C5M0UWQc3Qm8Is0bCZFq4xjwJCPQcSs24lCSAO
Bg1LSTIkpkTWNhHFlm9PEAEhq3CWc4uEFH60TqS9fkbXOy0YjeaNbvJDcks7
UwlG1J53DPdflDWI/GsIG1KC5uffLhpa40eMZxsj3JXZp6HNVWFz+RuO0pn7
//KFTRuo/tQFiNMCvQGH5aiUdg4WNY9gECn8IqNEloNXpJ5HHBpoKJvJNBto
0OgYaXCw5cK9VqZeBym+Z3kOISjPprNUAQTWbQftm7ZSUzaFpa3Y+Lyvfe1c
mz+OT2CtnnbEu4NZx3FMK7lkc0GVNjDzqPES1uL9JlSqkYFdlSdGUzdPURPp
coDLvxclpZJAx4/fnwh0EsD5BRI60EL0U+oMM131xAR4Zt0hcEyERMp54JoR
ls6MuLCpUyQuFK+xhWmnBjRVHFTW9iidd6XEXYhhDkmNzWn4iGw/yVEKcu5D
msS4yjFF9xPpJ7FwZT42UXuvLzCNxNhz1EDnYN49aatPQm7UQKRlrxV87Dt4
rr5ECRaPRj6r9XohoCeVnI8wIxjyNcTScxveYR7TAYAf6dJ6D4KIBqKOxZqJ
5961p+c8M6wKB13hx3lpEQxpS2BJMAGKUs6J8QxXy6dNoOmAweMUS0D6htTS
+UuBejbgGv3wZGmcmy7mp7jSg06tXXqfcxrkE7l4wStZ93qvHWLHiNgRSUPT
+9EobJVdiJDEW1qutNB40rTCWaWHHNkREidNGlkISReKqObiT6E42wKYIPct
8CA92rL/UKOARBV7++ccr3NZp53SIXRbp5echsgL09vIoIyAkm2PFzgV2YA1
ijUgbhG+W4ke23qxF38+Agc2jb80PRJHBj+AAxdlQmZZeykYunoZAOLfRvLF
S80wimYphL13gMXltIaWYWMVrZOfsBLUhVVrAIfiTdQah9gQw3CdnjHFeoPt
RnZXTOqKWnrg1jiLyjbTwnTMNWHYYGL2IEa/TqOuAOfDojB1YMzC68DURi7E
yiqMsjol3rUQeEKvc70tNOmpnBrh8kabKEmKQQfgQQ+2xn1gmnrIcS5LK1oz
BPXIdcHrBWPcpR48tgeHAqWMBbOplmx8HkSBWu/mOs5TVChHPV9gm0Czfm9x
5BsWk0mzfoGDjWDPDcFMxQNX3VRVRkVw2S1btqJNW25iQFu5MIKMfCPKdTnJ
NTnpthfk+TR3FDi9rBaFqrY87NGU/UjFEbmnce9aWFrZ9DSxdikn6EhjfQ6f
mRQg2K7c7lpXtJp7JE6v0dWRN73e2/QSE/+7FHDxiqnyA3r2Dq0j3hWV7HZx
ILj0CgY2Zxi4x28xEZuCUwxQVss+LxS5yOd5EwcCGxpAYQH//ve/e08G8O8J
/W//PRHw74n9pD/r3/h67/YDyObtbQDvLd57i+x2y8/dOhhub9Fc3cJ8T9x8
T8L5noTzWdDgek+YMWnc7d0dtALmqwj+2a+3zadYU7NzsLPhUyFqBt9vOtfe
zlhdkat9DwhN+ezudX3rkSSE8Mm6ubb3d17xFKsG73jqycq5NsbGwc4Jmoy7
5wqw4ev1TZ/69h7Y8CF8vvPaWpX/LIS3DQhXoLQ1Vzj49uGOnnY9hA2QrLG7
11PGMt7nqVWEuGuubz2cfr8xhN1f78Lhi52/o2Vf3ucp1FLW6t8Dh7fib9by
bo7DgH83XtfRjmfk74HD+3PUA7m3CfDxzpgM972espM+kDfQ/vUeG4M4uitq
eQv2/HGvh7X6B8UJnjfyV6MFXRbECVeUhMS2Sy2DU+PKjRAQK5tjBH/Ai6Qg
4B5eDvviEzbDf4K/upqOH7MijswXWcXDHa4ptGIHdmQotdxRiBhSWdA8omOD
0FHxIm5TbAgCbazIj6eY5uDclqk3rEa8jVp0a4+iLHkX5k2uJIwDbIeLNs4I
xD7zgB8h8bDojRVzaQoxXbOEOVAd+U+wbOkoD1Mc7Jjow3feO8paD4+tuH7K
sVxadadsAJLnXQx/RwwWBko4yuFOM1V5n1CM0y/614752mENzvlipzOCs+o7
yHAHIVw7BdIO4XBeDonWoL0VrjXxctRJ51aQRnJFzn1QxuwoAq+L0izzefQO
wTlukYlDKo06cOLJi6Ywt41xyue4ALDABgB48KagGl2UXEcA+yV3Y0IoUqJ0
AiTTOqMuU9IbtuCPmfokoj5DlwMCvx/C7mkGd2Gpw9N4iSsLMoxhUugb5Zfb
lZxjO3isSDti/LSEoNtqk2bnjA2BNeNkoE8zSqHrXiZQREkddauVG90nGJly
LjU5leklNRzOZYQLM52yGfWRakaH4JObaQE6wBFQNlO6KYI6Gign093UQNno
uqRO9saGjb/c4fBYnEvgwqTv9U22GNbryMkLaskhVFLToQEAntPViqE4T7HA
DPzFPbPcWYMFsQK0fS7yei7LomYOjgul2yPqBSwqMVsQWGptTfsPeAJ3XFDz
F2GEtIhmr7PzIMU8LzDcj5JiQXdyrKjr1tjvCvoTHAWTKXz0yNcE+P0RJSbf
mE4UJyaaldgCUhHQS0/2g1tSVoWLAfMXIczt7LgizQBSUVHfEZKVyg9A/2W7
s2ICMM9ZV7Jl1k0AjdYx3WRNg1DCOKU8iq5laj73twRpZp7WJT2YMDbrVM3a
nQo626y49omKq4zYIPtp34ycEyxZrepU6fZXtDNBXs5al6rZmWI1aOTDyg5N
Lqmw2KwhUE0Le5dUh9OjZXcmswVvsyFwu9vrTNqLIfGbdmnvCYmDQeQKIqBo
FUgkXFzrV2qo09A/fvztpPwevpsWiCHtdKAutYI6BnXhkgyitY8d6cTVlZCG
fxYWYPyZLNa1E+pVXpa2kTxPrCfJZUrSbrh/ouygrEa8t9ONq3KN2vpNoeek
ZlvgyRV4QY+GUI8ubJ6CC4KtqSFuHoASmCeqEzun6RNpz9mYClwC7UZW1OaQ
UJsDNn6UsgkLqDt4Gks+0xaYur7XqEPDGOTUs1i5Xj2/pUJpUWUZoJ6aiTR+
NC7aJ18VlZeyoriFgLDPwYdinlYVbhUEY2+GicDxRIeUlr4RzLxI4+eoaB5i
ZmjTsHs6DYuKjDsGEJOrtIsXmHXGLCe0r8MGD7hXGOxJhvtMUPTAkQDlxQUs
3fssiEymBLOibo1sydozbnZckdYaYXTH7sCkKK7Clo1mO62E8BRvHYx1YwMp
s1lRSbReqL20S7BmhJ/w7oHehfcSraGXaW4yTCcFTO9pIzYuHI0NcocgEZ9a
/OG2C7F/AjDOwTOp2CvGplSr5juaUXkDalfjqakAr+2g1Rnxf/SE+LOHGYIt
jIO3RmKLqfBRU2Grz7/q6Bhu+McWb33BDiS8aeuf+hYbNdNNXdvFeWhln9Do
gfsZBroIGssDg9otfvAG2aI7v8D/X/pt4IkHPno88FXhp9E3A58BWQd9759E
AZOS2RuJTol1rlVDVB9rP8yVqFEMMPPMbce+x4Z2KgM21S0tJoHT7BGwgSgy
sLVgaztqG0CpjnoiqUDcCdOVX3B7JmnqFeU2Goojxsxv1ytrrLhpuzE+X+U6
Ye/psu8w6ayl66VGaxlAfB1laRKZalVDZVvjZdWDlXVgAE/Wr3IIFayhWqEQ
tLq1uZsV81ubI6gDGLw8rDiy+UC9pLdE2v4xZGhAV4HVMh3K+As0lg0zOStC
+r5Ovtm8k6XSJr3E1sXxNauXZxq6tNKv49+BAEI85hZGgmk9S/h3t7o9Viyn
hQLe2ke3a37snq2JhybXU/cpOm+8QYWaIMU2JxjbsMRFInewAYsyeyatFnCA
6TloSig+ym45z9HdeNROYFHpPeyW6xiYndAg6+Y5lmgDdZKipTe4d9XrqTWq
hOrCUTsJy02t3GOou52ypV3+iiSg7icEY5mvzOEZebwIumoZJ/5QFH22Orsw
8i1wwxAJEOuQZ4dHGLp2aA8d4yNUIK01ydijMFgWr+gedIuBpp2u+IVN0gEz
lU6bDdf5790P6U71grlD+Yw9bHrm/mjGS0XxcVnItFIym/aNn9PAnpVukj5K
X4dpTa21sPcfsxhRjm0/2JJjNnyE7V0EINunj2k3mN2LbnJ65JKtSQenOwcI
8dFh2brjpZzDu6gso6XvRBvteS/9ETimGNMvqrWa1OmbVreNiwP2O+OAJuWQ
5RfRMiuipDOnTk3169bC6UHjtbBgfSKjx9nDRlxnWdJsltW79SylVzyn4w2v
ibmztcantusio0IIpUE6zfJDgtyQIF7Iywggg64XojaXIzr1wkWZWLEIaiMk
Vyb71No9hv4jup5bAMqWd4RSpIa+z4nuqvFLkRw/tH4E6O963tILb2TifLTE
aY8oPy/gxt0XL14cHe0ePntGF4FI+uKL4+d7+uK/qhSH5BObaImDo8nBi73j
OB7s78mDwcH+i2eDo3j6bPD8xfHh7vODZHfv+NAA3iHA6L+Tn23c8vWxzUbR
wUPim78U4XCUoKOcjqWsinS+3mrCaOevxDt2LfD/P3tfgrhnf9RST+9ZPVGA
00q199jENnpgzaFqPd6sFiaL9HEeoSthixyNFk6Ts3Ede5tU6/Tm847CXMvx
MJu1bINzcwMkdzrrbRNuyzqeKpQvi1zyWQzazekGjnWs3Yfb2HqlJB8Xsjfc
RQvh9w9TpNTl6pitPFEW7AamHKOBsTPph8v/cHZik3scw2BlrSuzx04FRQm1
VrwdhTdyZGiP3sopsY1yQMHX06y4pAwWnsz2lcHQO9E/EhVWuiw+9e0elW7+
a4/6EQW+c2jwgke4JWtEdFYj2pk1Yg1KJ/z96wbH63GtSfPqLOJjTtgELn2L
GXa5313vdbKCP+J4sTn3p9GZS/HW+HeLS4+t3JMpHRkAs3DmWoAaUAo3Og54
A2jj1jCmOLcsve8xtQ0yYLSXoAhhLaBfNhmPHsdD88zjv538ev6m+0kNdL81
RPv4O4wjWtfDA/DwFnQDW7e5Y/AMTGN9RgJFRm3wWaSdf3hg/MNVGs15zbpt
ws+yDsWJ3qkU6Bj/FnN4wrrdWJ7vuG8cok8Bw38ClimEAtwqjz+1wuHUkXPW
HBnWgWPO2bCtEBZn4Ct/orSpmZudKvH+FNga/KCnfJQAidae+Oni4v3T3eFu
T/xU4JmVoZ/Uw727oDeqwQWdr0k7nhm4p58HNzc3AzQog7rMQHNBuJ30ehyn
kYh/B+L8X/tjJDj8YZGGDzQz/KUbSazhC8u4tMeG/i1A4HffvuHxfcx/37xr
k0mdLoEvoE1gDA9Z38nlz7MJHsgYXH7QwL5HcDBaYd0fc8HNVNZ1Ss0nn95T
il4gC4Ie8rnvLJOzu9bXJXfa3mGaFwaUlCnt7bmsGr7u0cEz/Of87W4fDx9s
eEHPR1qa/aTBY+3rvHcJz7Mg4dlxYkCw79acqmKkJMzihfo+SD6ievm7yz+G
JkyLlct8NsQXHz6TVUm7kJhE3QlkawK90b9RJjolLagtkN7QgO0dqzdydYR6
2F8TkW9Fe7q8zJcxV8nqjV0dzqfN5ly081T/oSYmNqB8XAYTPjXJKjSpWFq8
RxqLt/ku9RmOelSbqMGuoRQcRcl7NU6meux2u4si17W5rzvm8lWKqSeCX+mQ
mLNj7F2uLUvjWukMphVZLLGNB0f47pOfeuhId3TzqHONdx6cdgq5SNn9wq1E
W9M1/Wou8LrcVVh3705dNblxs61PwvmTzb4RdC6jrASHFrf6ootBp2Tw6Q8d
7bNuA60+LKe5HzStDJPrmqmhZwdGtCY9tF5OB9eaPaktVyGiVHwjwSJOgPnW
pLbweK01Gdc+CYCfGVoUJBpBwMfMYPbkb69JK+y44//87FkDqNBnu1ijfgN+
UG7TGE83aJfh+ytrkWBS5gX4ev/BnFRXnqWdmFqZU9k0KbUbJKXcsQE6M/Ui
PkqOoz05OJjs7g0Oov3p4EgexoO96XF0NNmPXyTP5f+DzFRXIuZw1JYYLxMj
XssyvebzAM915wcYwg/AexBaFzemty/V56kk1JQYaOSVmw2oqymX5qQAOnQa
2/loY2ji5jUdJ7oobh09LzmhKrkwbZM5NtBwE6Ofgafo8px6Iwbc+XMHfCNb
p+w3s0U4UdA3QnVLaty5cUmadusIt9EkfFS07tPgis9duKKVv8LeVQO8N7+D
lCALc+UTmRWuL7sFU5/2WvuLcR1I/kZddh38J03LobcoE3HdY01RuCrccjnq
qGQ2MX7nqm7scZmEF907Rodn5O213LmUV9ScDT+FNNCceQ9WMaeKaxS7Np77
oBZ81Ptwcs/E8HiudOPYVmNb7KkzKIbGml+C+OWcWeDTDL7o0Ar8gd3Bod8j
/DDOZX/7Nw0M+dcWstQDmuu23CHPw9656Zg3fpjQ3xx7tNHJSGH6rNGyt6pd
byUlO2vVGhVj1yq34lgnJbZ/Hv+odpybhqUlbwA83aDpwVy0bwNQ8NBqxTu+
fWPOXSm4tM5QylNoYYuA3tFPuy0WWVqt3pjjHUes7JFy7ihxWJ87cN/zFoNN
Gxd8enbLazYrfKnzOpqPu9COjrvbINWu7iEcPIg93sov53lTean/cDu+d5aJ
8jocLGlsjq2r/difgXsyurcd6A7CRjrPbAiwfUOr9iwo10QYYvObRrpMm9OG
n2gh7z5lAJ1Bt+vebG8PN8l2/PQk2IHt3dG7FWQUhGjvxMd9jkAZ/Ml+Cjbk
0x1ndL13a0SBbrZygbd4PxkC4KOWGLfCXad1BScKuB3+dk//E3dTsNFfuOvk
kAX7Nhs7/u2P4U3ex64hgu3/DxmisdnV7na9FxTBwQAPWkh4SsCGQwTbsZsL
ebLREN7pAa1ttRtC8WQdFA9CZ3CywMPQGWzif8gQja3um6IzXEjk7+d/2EKC
zf0PGyLY6f+gIb4GUSf+vvyHLUT42+0fOoT79+RBRBXhtwdprXgHfRwDxQPQ
+VW4M0EoWnf/Bd35pMEfG0Eh9TEBLKxfQ1IbONkIiulfhWIVLoLr368dYqX6
9c8FuQ93+kT19MhDhzhzeuRhQwSUeiAU/jkYD11I15EY9xriaxA1uLh9vKPd
6ocO4YH0/UOh8Bfi58xe3HmOxtqg9zFEl5SvAodvgGcgRLocQGmMSDWOsAKr
2XksrfNhww7vsNFQB3uNaJDCi1YUpoMHvdWoVi7xHsY/CNTEbumHSLwdZXJW
0NsUfFcgaXayUChpa5Zd0aTZkU7hok6k65PXQxDjbhB1j3179V6ie8UOWVNW
WpFaN+lws8NLLtyrQTgpUMqME5OzdAE4rm6kPb9OBQSiM8DNWoQ4l9JrdtGt
LncnMuzxIh2zwwpxW7iazTnABvN3B5sFobMJ2lcFs6sDaUcMopLsoNJLuw3G
TtbHTTv47hPOOLQOBFl7IkQ7UPdOKFl9KkgPzODKc3CIPf0Ru46a0HJ+CHJ+
fJecv1x6zO+q4HRKHx9NyocoI5XpzZKeQBkacdojOIfCFi7pZQDu3IpUdRCE
txhlWMPXxVZ84V/GVV5+mWPXAYZub5bmfTpUIP0DaKMPLxAweTkDNBLTUIGl
KmU0R8bvu1MPy2iRJpo20TxD5OK8MMskzTAnQRJqjzegwxwGOrnOJ6d6Jyvo
av4bndnk8r0rW3PBkCoOZrerTYJqtNpcJKDI6H4vxePSR97+Js5X4glKlDfl
13V+YVgaByroIY9EmmW12QEa9quargh39nBEW/pwAfjmPnx9yVv7zrJxlqX4
urNvlNbYpIPAxOhN6/7IrjvhpugSmhGl/5FaXIAyXGle9UdnPEWfRXQNym9C
R2nUC9rNUME8+dXHsdieyFxOU12Y04VMk363yoOEIdY7IfSzL4fBKcf+xrnw
HGNYpimD+Tn/rv7/8MHW+Qa9tUXMSGN2fTVz9V3tVvvV94alTX6Bndd0v/rB
e3ffH0QvJnvP9uOBfH68Ozg43j0cTI6S6SDZm+wfHU8PDvd24wfVNQ3h8b2G
H6O76pr27ZF3Fjd5PH/lT/VUm3asByz5Q3s8C2sn0Tru36htP8DH5CvjY/KV
8TG5Jz4ma/DRUXE+Clv/XbGZNeSKOohRlsfe6bPog7QVJLVD6Nc+GoUYqMMY
NJFxWegtvtZ34PdFo+76BkuMHmb0my1ony0NSIaIx5vs9NdM6jnErV3THZ1L
2wZLO3d5PKGMmUPztCEij+mv9W18fZW3QtoervA6mzicFoSL+1rh/f/RX10i
czwiXneigsbRe2EAd/RZfgorUt1t3/qtot4bMrR76Z1TxvbZbP4FJw/fntnZ
gL+/aUSifQB2hPm1zrbJS7/BZ9OaMgLX6h3QW4E66/4rSrSusqrf/NHnI6cK
bOpGr4reSRvZNxQAf2VFabYHBhXpLt84WVGRdqHR/V+zY9sNvlH2PWb0thJX
lTwx84ztPLROrNPyCQEnyfu+Y4uUm+y7n1yhk8X2yesBMOaODsNN1O4O9ck4
cIpNfdF0W9hz4f35zZFPQVRl3MQgBPvvjurunE6RCQfVr2AMg7TID6eG4qXU
b23Fexf4CtoyONiNnUVLQ1iYRjx1bOoGahsB24jBvKDe7OKM8ihbqlRZ/i8W
enX4CGLusgQHmjpxa3Oq0qNHdzSe8KsEMYTx4p6+Zf9+mwjey4S9d93gW1o2
60wZ4lvEQ673I6Uu7aDEwXCPpj0Y7rs2SP16Wf1qO9PkRe/WONcn0OPWCq+b
C/Te6etT+yu9OO1k/G7cvi04MQv7U/OC79QKHNXMYDCgbbc4yjjGTWOZTC4J
g70/R3k9n6BP8N3WNMqU3PqiJ4/snaCr/g8FhVvn/oYAAA==

-->

</rfc>
