<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ni-oauth-batch-authorization-delegation-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Batch Authorization Delegation</title>
    <seriesInfo name="Internet-Draft" value="draft-ni-oauth-batch-authorization-delegation-00"/>
    <author initials="Y." surname="Ni" fullname="Yuan Ni">
      <organization>Huawei</organization>
      <address>
        <email>niyuan1@huawei.com</email>
      </address>
    </author>
    <author initials="C. P." surname="Liu" fullname="Chunchi Peter Liu">
      <organization>Huawei</organization>
      <address>
        <email>liuchunchi@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <keyword>Rich Authorization Request</keyword>
    <keyword>Token Exchange</keyword>
    <keyword>Identity Chaining</keyword>
    <keyword>Identity Assertion</keyword>
    <keyword>Batch Authorization Delegation</keyword>
    <abstract>
      <?line 57?>

<t>This document describes a mechanism for Batch Authorization Delegation, which enables a batch of fine-grained, actor-bound permissions in a single request and securely delegates them to multiple collaborating actors.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://NiYuan224.github.io/draft-ni-oauth-batch-authorization-delegation/draft-ni-oauth-batch-authorization-delegation.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ni-oauth-batch-authorization-delegation/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/NiYuan224/draft-ni-oauth-batch-authorization-delegation"/>.</t>
    </note>
  </front>
  <middle>
    <?line 62?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Due to the rise of collaborative service ecosystems and AI Agents, resource access patterns are shifting from a traditional, linear, single client-server model to complex multi-entity orchestration. A task may consists of a batch of sub-tasks, which may require authorizations to different resources. Although a human user can request authorization for each resource, this work is usually carried out by a principal personal assistant AI Agent. While authorizing total privileges to the personal assistant agent is doable, it risks granting excessive privileges to it, thus oppose to the minimal privilege principle. On the other hand, if the principal agent request human authorization for every resource, it will reduce automated efficiency.</t>
      <t>Therefore, the core challenge is to request access permissions to a batch of resources from the user at once, while precisely delegating fine-grained privileges to the respective sub-agent responsible for executing each sub-task.</t>
      <t>Certain use cases include:</t>
      <t><strong>(1) China UnionPay APOP (Agentic Payment Open Protocol) Framework:</strong> A central agent from China UnionPay coordinates with multiple bank-specific sub-agents to calculate the best user discounts. The central agent requests a one-time batch authorization for all linked accounts from the user, and precisely delegates privileges so that each sub-agent only receives query and payment access for its respective bank. This strictly preventa one bank from leaking or spying on another bank's account existence, financial balances, or transaction histories.</t>
      <t><strong>(2) Office Agent Orchestration:</strong> An office agent coordinates the generation of a market insight report slide by deploying three specialized sub-agents in parallel based on a one-time batch approval from the user. It strictly delegates privileges to each sub-agent: the finance sub-agent is granted access to internal financial records, the internet search sub-agent is completely barred from seeing any intranet data to prevent confidential leaks during web queries, and the slide generator sub-agent is authorized to generate and save the final presentation using the aggregated outputs. Without batch authorization, the workflow would stall whenever a sub-agent reaches its specific sub-task and attempts to request its required permission, such as fetching external web resources or requesting file-write permissions. Asynchronously prompting the user for these consents would inevitably cause task blockages and ruin the automated multi-agent experience, which is unacceptable.</t>
      <t>While the existing OAuth 2.0 protocol and its extensions provide a foundation for authorization, they lack native support for efficient, secure delegation for a batch of coordinated tasks:</t>
      <t><strong>(1) OAuth 2.0<xref target="RFC6749"/>:</strong>  The OAuth 2.0 authorization framework enables a client to obtain limited access to protected resources on behalf of a resource owner. However, in a multi-entity collaboration scenario, this requires each entity to independently initiate its own authorization flow. This results in multiple user interactions, introducing significant end-to-end latency and severe user fatigue.</t>
      <t><strong>(2) OAuth 2.0 Token Exchange<xref target="RFC8693"/>:</strong> Token Exchange defines a delegation mechanism and introduces the <tt>may_act</tt> claim to authorize an actor to act on behalf of a subject. However, the <tt>may_act</tt> claim only determines who is authorized to act. It does not provide a way to link or specify which subset of permissions are being delegated to this actor.</t>
      <t><strong>(3) OAuth 2.0 Rich Authorization Request (RAR) <xref target="RFC9396"/>:</strong> RAR introduces a new parameter <tt>authorization_details</tt> to allow clients to express their fine-grained authorization requirements using the JSON structures. Such a parameter allows several fine-grained permissions to be included in a single authorization request, as well as the issued access token. However, RAR does not currently specify how these structured permissions can be partitioned and delegated to different actors during a subsequent token exchange.</t>
      <t>In summary, the existing OAuth 2.0 protocol and its extensions lack a mechanism to express, partition, and delegate fine-grained structured permissions across multiple collaborating entities.</t>
      <t>To bridge this gap, this document adds the delegation information directly to the multiple fine-grained permissions in the RAR. By extending the <tt>authorization_details</tt> with a <tt>may_act</tt> field, a client can request a comprehensive set of permissions, each of which specify which actor is authorized to exercise such privilege. The Authorization Server (AS) then responds this request with a Batch Token, which contains the above permissions and their corresponding designated actors. When an actor performs a token exchange using the Batch Token, the AS applies a downscoping strategy, filtering the permissions based on the consistency of the <tt>may_act</tt> field and actor's identity. This ensures a convenient authorization experience for the user while strictly enforcing the principle of minimal privilege across multiple collaborating entities.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
      <t>This document uses common OAuth and token processing terms such as "access token", "authorization server" (AS), "resource server" (RS), "authorization request", "access token response" defined by <xref target="RFC6749"/>, "Trust Domain", "JWT Authorization Grant" defined by <xref target="I-D.ietf-oauth-identity-chaining"/>, "identity assertion" defined by <xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>.</t>
      <t>In addition, the following terms are defined for this document:</t>
      <t>Leader-Client:  The entity responsible for coordinating tasks and requesting permissions in a batch on behalf of Sub-Clients. The Leader-Client initiates rich authorization requests to the AS, and sends the obtained Batch Token to Sub-Clients. According to examples listed above, Leader-Client is the principal personal assistant agent, a microservice orchestrator, or an API gateway.</t>
      <t>Sub-Client:  The entity that is subordinate to the Leader-Client and redeem access tokens to Resource Servers (RS) to perform specific sub-tasks. The Sub-Client exchanges the received Batch Token for a downscoped access token with partial privileges. Sub-clients could be sub-agents and microservices.</t>
      <t>Batch Authorization Delegation: A mechanism proposed in this document that a Leader-Client requests permissions in a batch and delegates them to its subordinate Sub-Clients.</t>
      <t>Authorization Item: An authorization item defines one permission per one corresponding designated actor. There may be multiple Authorization Items within one <tt>authorization_details</tt>, which is later encapsulated in the rich authorization request and the issued Batch Token.</t>
      <t>Batch Token: A special JWT access token issued by the AS to the Leader-Client. It encapsulates multiple Authorization Items, enabling subsequent delegation.</t>
      <t>Designated Actor: The <tt>may_act</tt> field within an authorization item that specifies the Sub-Client authorized to exercise that permission.</t>
      <t>Downscoped Token: The access token issued to a Sub-Client as a result of token exchange, which is to be used at the RS to access protected resources. It contains only a subset of authorization items whose designated actors match the requesting Sub-Client's identity.</t>
    </section>
    <section anchor="basic">
      <name>Batch Authorization Delegation</name>
      <t>This document specifies a mechanism combining OAuth RAR <xref target="RFC9396"/> and Token Exchange <xref target="RFC8693"/> to achieve Batch Authorization Delegation.</t>
      <t>The Leader-Client sends a rich authorization request with multiple authorization items to the AS. Each authorization item not only describes the required permission but also declares the Sub-Client to which the permission can be delegated to via designated actors. Upon user confirmation, the AS issues a Batch Token to the Leader-Client, which encapsulates the authorization items confirmed by the user. The Leader-Client distributes the Batch Token to Sub-Clients.</t>
      <t>The Sub-Client initiates a token exchange request to the AS. The AS verifies the Sub-Client's identity against the Designated Actors in the Batch Token, and then filters out one or more authorization items corresponding to this specific Sub-Client. Then the AS generates a Downscoped Token containing only the permissions from the filtered authorization items.</t>
      <t>Such a mechanism enables the Leader-Client to perform a one-time batch authorization as well as ensuring each Sub-Client obtains an access token containing only the permissions it requires, thereby realizing both efficiency and security.</t>
      <section anchor="overview">
        <name>Overview</name>
        <t>Figure 1 shows the flow of Batch Authorization Delegation. Note that a Leader-Client MAY coordinate several Sub-Clients. For simplicity, only one Sub-Client is shown in Figure 1.</t>
        <artwork><![CDATA[
+----++-------------+    +----+      +----------++----+
|User||Leader-Client|    | AS |      |Sub-Client|| RS |
+-+--++------+------+    +--+-+      +-----+----++--+-+
  |          |(1)RAR        |              |        |
  |          |(with may_act)|              |        |
  |          +-------------->              |        |
  |          |(2)Ask for    |              |        |
  |          | consent      |              |        |
  <----------+--------------+              |        |
  |(3)Consent|              |              |        |
  +----------+-------------->              |        |
  |          |(4)Issue      |              |        |
  |          | Batch Token  |              |        |
  |          <--------------+              |        |
  |          |(5)Distribute |              |        |
  |          | Batch Token  |              |        |
  |          |--------------+-------------->        |
  |          |              |(6)Token      |        |
  |          |              | exchange     |        |
  |          |              | request      |        |
  |          |              <--------------+        |
  |          |              | <Batch Token>|        |
  |          |              |              |        |
  |          |              |(7)Verify     |        |
  |          |              +-+ identity   |        |
  |          |              | | &Downscope |        |
  |          |              <-+            |        |
  |          |              |(8)Downscoped |        |
  |          |              |   Token      |        |
  |          |              +-------------->        |
  |          |              |              |(9)Access
  |          |              |              |-------->
  |          |              |              |        |
]]></artwork>
        <t><em>Figure 1: Batch Authorization Delegation Flow</em></t>
        <t>(1) The Leader-Client sends a rich authorization request containing multiple authorization items to the AS. Each authorization item includes a fine-grained permission (described by several fields defined in <xref target="RFC9396"/>, e.g., <tt>type</tt>, <tt>actions</tt>, <tt>locations</tt>, etc.) and a designated actor that uses the <tt>may_act</tt> field. to designate which Sub-Client is authorized for the permission.</t>
        <t>(2) After receiving the rich authorization request, the AS presents all authorization items in the request to the user for consent.</t>
        <t>(3) The user confirms all or some of the authorization items and sends the result back to the AS.</t>
        <t>(4) The AS generates a Batch Token, which encapsulates the authorization items confirmed by the user and issues it to the Leader-Client.</t>
        <t>(5) The Leader-Client distributes the Batch Token to the Sub-Client.</t>
        <t>(6) The Sub-Client initiates a token exchange request to the AS to exchange the Batch Token to a Downscoped Token.</t>
        <t>(7) The AS verifies the identity of Sub-Client against the designated actors in the Batch Token to filter the authorization items corresponding to the Sub-Client.</t>
        <t>(8) The AS generates a Downscoped Token that only contains the permissions in the filtered authorization items and send it to the Sub-Client.</t>
        <t>(9) The Sub-Client accesses the RS with the Downscoped Token.</t>
        <t>This mechanism offers two key advantages.</t>
        <ul spacing="normal">
          <li>
            <t>First, it fully reuses existing standards, combining RAR's flexible permission definitions with Token Exchange's delegation semantics by simply moving the <tt>may_act</tt> claim from the entity level down to individual authorization items without altering its original meaning. This slight change effectively fulfills the expression, partition, and delegation purpose of fine-grained structured permissions across multiple collaborating entities.</t>
          </li>
          <li>
            <t>Second, the final Downscoped Token introduces no new claims or structural changes. Since RS deployments are often numerous and costly to upgrade, this design ensures zero modification to existing RSs, enabling smooth adoption with minimal reconfiguration.</t>
          </li>
        </ul>
      </section>
      <section anchor="batch-token">
        <name>Batch Token</name>
        <section anchor="rar-extension-with-the-mayact-field">
          <name>RAR Extension with the may_act field</name>
          <t>In <xref target="RFC8693"/>, the may_act is a top-level claim, which makes a statement of one party is authorized to become the actor and act on behalf of another party. It is an entity-level delegation, without further distinguishing the permission subsets.</t>
          <t>In contrast, this document leverages <tt>authorization_details</tt> defined in <xref target="RFC9396"/> to describe multiple authorization items, each of which contains a permission and a nested <tt>may_act</tt> field serving as a designated actor. This helps to define who is authorized to perform which permission, thus changing the entity-level delegation into an item-level delegation.</t>
          <t><strong>may_act</strong><br/>
            <strong>REQUIRED.</strong> A JSON object that identifies the specific Sub-Client authorized to exercise the permission.</t>
          <t>The <tt>may_act</tt> JSON object contains fields that specify the intended actor for a particular authorization item. This document defines the following two fields:</t>
          <t><strong>sub</strong><br/>
            <strong>REQUIRED.</strong> A string that uniquely identifies the Sub-Client authorized to exercise the permission.</t>
          <t><strong>aud</strong><br/>
            <strong>OPTIONAL.</strong> A string that identifies the AS of the trust domain where the Sub-Client resides. If the Sub-Client and the Leader-Client are located in different Trust Domains, this field MUST be present to specify the target AS. If this field is omitted, it MUST be assumed that the Sub-Client and the Leader-Client reside in the same trust domain.</t>
          <t>Figure 2 shows an example of <tt>authorization_details</tt> containing the <tt>may_act</tt> field. It represents a typical travel management scenario in which the Leader-Client requests two distinct authorization items: a flight booking permission delegated to the Flight-Agent, and a hotel reservation permission delegated to the Hotel-Agent. Both Sub-Clients are located in the same trust domain as the Leader-Client so that the <tt>may_act.aud</tt> field is omitted. This structure demonstrates how multiple permissions can be bound to different actors within a single authorization request.</t>
          <artwork><![CDATA[
[
  {
    "type": "flight_booking",
    "actions": ["search", "book"],
    "locations": ["https://example.com/flights"],
    "may_act": {
        "sub": "flight_agent@example.com"
    }
  },
  {
    "type": "hotel_reservation",
    "actions": ["search", "book"],
    "locations": ["https://example.com/hotels"],
    "may_act": {
        "sub": "hotel_agent@example.com"
    }
  }
]
]]></artwork>
          <t><em>Figure 2: authorization_details with the <tt>may_act</tt> field</em></t>
        </section>
        <section anchor="requesting-and-issuing-a-batch-token">
          <name>Requesting and Issuing a Batch Token</name>
          <t>The lead-client sends an authorization request that contains <tt>authorization_details</tt> with <tt>may_act</tt> fields to the AS. The AS MUST ask the user for consent to the requested authorization items. The general processing rules of the AS defined in <xref target="RFC9396"/> apply, with the following extensions:</t>
          <ul spacing="normal">
            <li>
              <t>The AS MUST validate that the Sub-Client identified in the <tt>may_act.sub</tt> field is known. If the <tt>may_act.aud</tt> field is present, the AS MUST validate that the target AS is reachable and trusted according to local policies.</t>
            </li>
            <li>
              <t>The AS MUST present all the authorization items, including the requested permissions and their corresponding intended Sub-Clients to the user. The user MAY:  </t>
              <ul spacing="normal">
                <li>
                  <t>Grant all requested authorization items.</t>
                </li>
                <li>
                  <t>Grant only a subset of the authorization items.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>The AS MUST record the consented authorization items, including the <tt>may_act</tt> fields, as part of a grant (e.g., the authorization code).</t>
            </li>
          </ul>
          <t>After user consent, the AS issues an authorization code as a grant to the Leader-Client. The Leader-Client then exchanges the authorization code for a Batch Token, following the standard authorization response and token request flow as defined in <xref target="RFC6749"/>.</t>
          <t>Subsequently, the AS generates a Batch Token and returns it to the Leader-Client in the Token response. The Batch Token is a JWT access token conforming to <xref target="RFC9068"/>, with the following claims and values.</t>
        </section>
        <section anchor="batch-token-claims">
          <name>Batch Token Claims</name>
          <t><strong>iss</strong><br/>
            <strong>REQUIRED.</strong> The identifier of the AS.</t>
          <t><strong>sub</strong><br/>
            <strong>REQUIRED.</strong> The identifier of the user who grants the consent.</t>
          <t><strong>aud</strong><br/>
            <strong>REQUIRED.</strong> MUST be set to the AS itself, as the Batch Token is intended only for token exchange at the AS and cannot be directly used at the RS.</t>
          <t><strong>client_id</strong><br/>
            <strong>REQUIRED.</strong> The identifier of the Leader-Client that initiated the authorization request.</t>
          <t><strong>authorization_details</strong><br/>
            <strong>REQUIRED.</strong> An JSON array containing all the consented authorization items, including the permission descriptions and their corresponding <tt>may_act</tt> Designated Actors.</t>
          <t>Figure 3 shows an example of the Batch Token JWT payload, which encapsulates all consented authorization items from Figure 2. The <tt>sub</tt> claim identifies the user who consents, the <tt>client_id</tt> claim identifies the travel assistant as the Leader-Client that initiates the request, each <tt>may_act.sub</tt> field identifies the Sub-Client authorized to exercise the corresponding permission. The <tt>aud</tt> claim is set to the AS itself, as the Batch Token will be presented back to the AS for further token exchange.</t>
          <artwork><![CDATA[
{
  "iss": "https://as.example.com",
  "sub": "user@example.com",
  "aud": "https://as.example.com",
  "client_id": "travel_assistant@example.com",
  "exp": 1777881600,
  "iat": 1777795200,
  "jti": "batch-token-8b4729cc-32e4-4370-8cf0-5796154d1296",
  "authorization_details": [
    {
      "type": "flight_booking",
      "actions": ["search", "book"],
      "locations": ["https://example.com/flights"],
      "may_act": {
        "sub": "flight_agent@example.com"
      }
    },
    {
      "type": "hotel_reservation",
      "actions": ["search", "book"],
      "locations": ["https://example.com/hotels"],
      "may_act": {
        "sub": "hotel_agent@example.com"
      }
    }
  ]
}
]]></artwork>
          <t><em>Figure 3: Batch Token JWT Payload</em></t>
        </section>
      </section>
      <section anchor="downscoped-token">
        <name>Downscoped Token</name>
        <section anchor="token-exchange-request">
          <name>Token Exchange Request</name>
          <t>When a Sub-Client receives a Batch Token from the Leader-Client, it MUST perform a token exchange request to the AS to obtain a Downscoped Token. The Batch Token MUST NOT be used directly to the RS to redeem resources by anyone. Within the token exchange request, the parameters described in section 2.1 of <xref target="RFC8693"/> apply with the following additional requirements:</t>
          <t><strong>resource</strong><br/>
            <strong>OPTIONAL.</strong> The URI of the target RS where the Sub-Client intends to use the Downscoped Token.</t>
          <t><strong>audience</strong><br/>
            <strong>OPTIONAL.</strong> The well-known/logical name of the target RS where the Sub-Client intends to use the Downscoped Token.</t>
          <t><strong>subject_token</strong><br/>
            <strong>REQUIRED.</strong> The Batch Token received from the Leader-Client.</t>
          <t><strong>subject_token_type</strong><br/>
            <strong>REQUIRED.</strong> urn:ietf:params:oauth:token-type:jwt.</t>
          <t>Since the AS has to identify the requesting Sub-Client to filter the authorization items, it MUST authenticate the Sub-Client. The AS MAY use the following authentication methods:</t>
          <ul spacing="normal">
            <li>
              <t>Password-based authentication as defined in Section 2.3.1 of <xref target="RFC6749"/>.</t>
            </li>
            <li>
              <t>Bearer JWT-based authentication as defined in <xref target="RFC7523"/>.</t>
            </li>
            <li>
              <t>WIMSE-based authentication methods, as defined in <xref target="I-D.ietf-wimse-wpt"/>, <xref target="I-D.ietf-wimse-http-signature"/>, and <xref target="I-D.ietf-wimse-mutual-tls"/>.</t>
            </li>
            <li>
              <t>Actor token as defined in <xref target="RFC8693"/>.</t>
            </li>
          </ul>
          <t>Figure 4 shows a token exchange request initiated by the Flight-Agent. In this request, the Flight-Agent provides the received Batch Token from Figure 3 as the <tt>subject_token</tt>. To satisfy the requirement for client authentication, the Flight-Agent provides its own identity token as an <tt>actor_token</tt>.</t>
          <artwork><![CDATA[
 POST /as/token.oauth2 HTTP/1.1
 Host: as.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
 &subject_token=<Encoded Batch Token>
 &subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
 &actor_token=eyJhb...
 &actor_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
]]></artwork>
          <t><em>Figure 4: Token Exchange Request</em></t>
          <t>The claims of the <tt>actor_token</tt> are detailed in Figure 5.</t>
          <artwork><![CDATA[
{
  "aud":"https://as.example.com",
  "iss":"https://original-issuer.example.net",
  "exp": 1778400000,
  "sub":"flight_agent@example.net"
}
]]></artwork>
          <t><em>Figure 5: Actor Token Claims</em></t>
        </section>
        <section anchor="processing-rules-of-the-authorization-server">
          <name>Processing Rules of the Authorization Server</name>
          <t>In addition to authenticating the requesting Sub-Client, the AS MUST</t>
          <ul spacing="normal">
            <li>
              <t>Validate the Batch Token provided in the <tt>subject_token</tt>.</t>
            </li>
            <li>
              <t>Retrieve the <tt>authorization_details</tt> from the Batch Token's payload and filter only those authorization items whose <tt>may_act.sub</tt> fields exactly matches the authenticated Sub-Client's identity.</t>
            </li>
          </ul>
        </section>
        <section anchor="downscoped-token-claims">
          <name>Downscoped Token Claims</name>
          <t>The AS generates a Downscoped Token that only contains the permissions in the filtered authorization items. The format of this token MAY be a JWT access token conforming to <xref target="RFC9068"/> or any other format at the AS's discretion. If a JWT Downscoped Token is used, the following constraints on its claim values apply:</t>
          <t><strong>sub</strong><br/>
            <strong>REQUIRED.</strong> The owner who grants the consent (copied from the <tt>sub</tt> claim of the Batch Token in the <tt>subject_token</tt> parameter).</t>
          <t><strong>client_id</strong><br/>
            <strong>REQUIRED.</strong> The identifier of the authenticated sub-client.</t>
          <t><strong>aud</strong><br/>
            <strong>OPTIONAL.</strong> The target RS where the Sub-Client intends to use the Downscoped Token.</t>
          <t><strong>authorization_details</strong><br/>
            <strong>OPTIONAL.</strong> A JSON array containing the permissions from the filtered authorization items. Since the <tt>may_act</tt> field has already been enforced as a designated actor by the AS during token exchange, it MAY be omitted in the Downscoped Token.</t>
          <t>Figure 6 shows a Downscoped Token issued to the Flight-Agent after token exchange. Its <tt>sub</tt> claim identifies the end-user who grants the consent, its <tt>aud</tt> claim points directly to target service (https://example.com/flights), and the <tt>client_id</tt> identifies the Flight-Agent. The <tt>authorization_details</tt> array contains only the flight-booking permission, with the <tt>may_act</tt> field removed.</t>
          <artwork><![CDATA[
{
  "iss": "https://as.example.com",
  "sub": "user@example.com",
  "aud": "https://example.com/flights",
  "client_id": "flight_agent@example.com",
  "exp": 1777881600,
  "iat": 1777795210,
  "jti": "downscoped-token-7c8d9a2e-4b12-4a3f-8e6c-2f9a8b3c7d5e",
  "authorization_details": [
    {
      "type": "flight_booking",
      "actions": ["search", "book"],
      "locations": ["https://example.com/flights"],
    }
  ]
}
]]></artwork>
          <t><em>Figure 6: Downscoped Token Payload</em></t>
        </section>
      </section>
    </section>
    <section anchor="derivative-scenarios">
      <name>Derivative Scenarios</name>
      <t>Until now, the main procedures of the Batch Authorization Delegation is done. There are some more derivative scenarios with detailed additional steps and considerations, including:</t>
      <ul spacing="normal">
        <li>
          <t>Single-Domain Batch Authorization Delegation: The user, Leader-Client, and Sub-Clients all reside within the same trust domain managed by a single AS.</t>
        </li>
        <li>
          <t>Batch Authorization Delegation with Cross-Domain Sub-Clients: The user and Leader-Client belong to the same trust domain, but Sub-Clients reside in one or more other trust domains, each managed by its own AS.</t>
        </li>
        <li>
          <t>Batch Authorization Delegation with a Cross-Domain User: The Leader-Client and Sub-Clients belong to the same trust domain, while the user resides in another trust domain, each managed by its own AS.</t>
        </li>
        <li>
          <t>Combined Cross-Domain Scenario: The user, Leader-Client, and Sub-Clients each reside in different trust domains, each managed by its own AS.</t>
        </li>
      </ul>
      <section anchor="single-domain-batch-authorization-delegation">
        <name>Single-Domain Batch Authorization Delegation</name>
        <t>In this case, the workflow and the examples are already given in <xref target="basic"/> Figures. 1-6.</t>
      </section>
      <section anchor="batch-authorization-delegation-with-cross-domain-sub-clients">
        <name>Batch Authorization Delegation with Cross-Domain Sub-Clients</name>
        <section anchor="workflow">
          <name>Workflow</name>
          <t>The workflow in this case is a combination of Batch Authorization Delegation and identity chaining <xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
          <t>Since the Sub-Client and Leader-Client reside in different trust domains, the Leader-Client in Domain A requests JWT Authorization Grants (JAGs) from the AS in Domain A via token exchange. The AS in Domain A inspects both the <tt>may_act.aud</tt> and <tt>may_act.sub</tt> fields within the Batch Token, filters and splits the authorization items to generates an actor-specific JAG for each designated Sub-Client.</t>
          <t>Taking the Sub-Client in Domain B as an example, the Leader-Client then presents the corresponding JAG as an assertion to the AS in Domain B to obtain an access token, which is subsequently exchanged by the specific Sub-Client in Domain B for a final Downscoped Token. This token exchange ensures that the final Downscoped Token is bound to the Sub-Client's own identity and contains only the specific permissions it required.</t>
          <artwork><![CDATA[
+--------++-------------+  +--------++--------+ +----------+ +--------+
|  User  ||Leader-Client|  |   AS   ||   AS   | |Sub-Client| |   RS   |
|Domain A||   Domain A  |  |Domain A||Domain B| | Domain B | |Domain B|
+---+----++------+------+  +-----+--++---+----+ +-----+----+ +---+----+
    |            |(1)RAR         |       |            |          |
    |            |(with may_act) |       |            |          |
    |            +--------------->       |            |          |
    |            |(2)Ask for     |       |            |          |
    |            | consent       |       |            |          |
    <------------+---------------+       |            |          |
    |(3)Consent  |               |       |            |          |
    +------------+--------------->       |            |          |
    |            |(4)Issue       |       |            |          |
    |            | Batch Token   |       |            |          |
    |            <---------------+       |            |          |
    |            |(a)Token       |       |            |          |
    |            | exchange      |       |            |          |
    |            | request       |       |            |          |
    |            |--------------->       |            |          |
    |            |(b)Verify      |       |            |          |
    |            |   &Downscope  |       |            |          |
    |            |             +-+       |            |          |
    |            |             | |       |            |          |
    |            |(c)JAGs      +->       |            |          |
    |            <---------------+       |            |          |
    |            |(d)JAG         |       |            |          |
    |            +---------------+------->            |          |
    |            |(e)Access Token|       |            |          |
    |            <---------------+-------+            |          |
    |            |(f)Access Token|       |            |          |
    |            +---------------+-------+------------>          |
    |            |               |       |(6)Token    |          |
    |            |               |       | exchange   |          |
    |            |               |       | Request    |          |
    |            |               |       <------------|          |
    |            |               |       |(8)Downscope|          |
    |            |               |       | Token      |          |
    |            |               |       +------------>          |
    |            |               |       |            |(9)access |
    |            |               |       |            +---------->
    |            |               |       |            |          |
]]></artwork>
          <t><em>Figure 7: Batch Authorization Delegation with Cross-Domain Sub-Clients</em></t>
          <t>Steps (1)-(4) are the same as in Figure 1.</t>
          <t>(a) The Leader-Client in Domain A exchanges the Batch Token with the AS in Domain A for actor-specific JAGs that can be used in the AS in Domain B.</t>
          <t>(b) The AS of Domain A inspects the may_act fields within the Batch Token, filtering and splitting the authorization items down to each target actor in Domain B.</t>
          <t>(c) The AS of Domain A issues actor-specific JAGs, with the nested <tt>may_act</tt> field in the <tt>authorization_details</tt> removed. This step requires trust relationship between the ASs in Domain A and Domain B.  See Section 2.1 of <xref target="I-D.ietf-oauth-identity-chaining"/> for the trust relationship establishment.</t>
          <t>(d) The Leader-Client in Domain A presents the JAG for the specific Sub-Client as an assertion to the AS of Domain B.</t>
          <t>(e) The AS of Domain B validates the JAG, extracts and encapsulates the filtered authorization items in an access token and sends it to the Leader-Client.</t>
          <t>(f) The Leader-Client sends the access token to the Sub-Client.</t>
          <t>Steps (6)-(9) are the same as in Figure 1.</t>
          <t>By splitting and filtering batch tokens entirely within the Domain A, the key advantage of the above mechanism is the AS of Domain B is relieved from handling complex batch authorization processing. This minimizes upgrade overhead for downstream ASs, ensuring rapid and seamless compatibility with existing cross-domain OAuth deployments.</t>
        </section>
        <section anchor="examples">
          <name>Examples</name>
          <t>The following shows some typical examples in the workflow of Figure 7, which is correspond to the use case (1) in <xref target="intro"/>.</t>
          <section anchor="batch-token-1">
            <name>Batch Token</name>
            <t>Figure 8 illustrates a Batch Token payload issued by a leading Chinese Financial Alliance's AS in step (4).</t>
            <t>The Batch Token contains two authorization items: one for searching and calculating max availble coupons at Bank_A (benefit_agent), and another for the same actions at Bank_B. The <tt>may_act.aud</tt> field specifies the AS location, while the <tt>may_act.sub</tt> field specifies the designated actor.</t>
            <artwork><![CDATA[
{
  "iss": "https://as.alliance.example.com",
  "sub": "user@alliance.example.com",
  "aud": "https://as.alliance.example.com",
  "client_id": "finance_assistant@alliance.example.com",
  "exp": 1777881600,
  "iat": 1777795200,
  "jti": "4a7b203c-e591-4916-b8df-d2b389f4621c",
  "authorization_details": [
    {
      "type": "benefit_bank_a",
      "actions": ["search", "calculate"],
      "locations": ["https://bank_a.example.com/benefits"],
      "may_act": {
        "sub": "benefit_agent@bank_a.example.com",
        "aud": "https://as.bank_a.example.com"
      }
    },
    {
      "type": "benefit_bank_b",
      "actions": ["search", "calculate"],
      "locations": ["https://bank_b.example.com/benefits"],
      "may_act": {
        "sub": "benefit_agent@bank_b.example.com",
        "aud": "https://as.bank_b.example.com"
      }
    }
  ]
}
]]></artwork>
            <t><em>Figure 8: Batch Token Payload</em></t>
          </section>
          <section anchor="jwt-authorization-grant">
            <name>JWT Authorization Grant</name>
            <t>Figure 9 shows the JAG payload issued by the Finance Alliance AS in step (c), specifically filtered for Bank_A's benefit_agent.</t>
            <t>In accordance with step (b), the Finance Alliance AS inspects the <tt>may_act</tt> fields of the Batch Token (Figure 8), extracts and encapsulates the benefit_bank_a item into the JAG, with the <tt>may_act</tt> field removed.</t>
            <artwork><![CDATA[
{
  "iss": "https://as.alliance.example.com",
  "sub": "user@alliance.example.com",
  "aud": "https://as.bank_a.example.com",
  "client_id": "finance_assistant@alliance.example.com",
  "iat": 1777795210,
  "exp": 1777795300,
  "authorization_details": [
    {
      "type": "benefit_bank_a",
      "actions": ["search", "calculate"],
      "locations": ["https://bank_a.example.com/benefits"],
    }
  ]
}
]]></artwork>
            <t><em>Figure 9: JAG Payload</em></t>
            <t>The subsequent formats of the access token, token exchange requests, and downscoped tokens fully reuse the standard profiles defined in Section 3 of <xref target="I-D.ietf-oauth-identity-chaining"/>, and are therefore omitted here.</t>
          </section>
        </section>
      </section>
      <section anchor="batch-authorization-delegation-with-the-cross-domain-user">
        <name>Batch Authorization Delegation with the Cross-Domain User</name>
        <t>When the user resides in a different trust domain from the clients, one potential approach is to explore the combination of batch authorization delegation and identity assertion <xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>. The user's client could obtain an Identity Assertion from its local IdP, exchange it for an Identity Assertion JWT Authorization Grant (ID-JAG) targeting the AS of the leader-client's domain, and then exchange it into an access token for the Leader-Client; the Leader-Client might then exchange this access token to a batch token. Because this pattern introduces the delegation of user's intent, the specific workflow require further analysis and are open for working group discussion.</t>
      </section>
      <section anchor="combined-cross-domain-scenario">
        <name>Combined Cross-Domain Scenario</name>
        <t>In some deployments, the user, the leader-client, and the sub-clients may each reside in different trust domains. A combination of the workflows defined in Sections 4.2 and 4.3 directly supports this scenario.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>TODO Security</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC9396">
          <front>
            <title>OAuth 2.0 Rich Authorization Requests</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Richer" initials="J." surname="Richer"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <date month="May" year="2023"/>
            <abstract>
              <t>This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9396"/>
          <seriesInfo name="DOI" value="10.17487/RFC9396"/>
        </reference>
        <reference anchor="RFC8693">
          <front>
            <title>OAuth 2.0 Token Exchange</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="January" year="2020"/>
            <abstract>
              <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8693"/>
          <seriesInfo name="DOI" value="10.17487/RFC8693"/>
        </reference>
        <reference anchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="RFC9068">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens</title>
            <author fullname="V. Bertocci" initials="V." surname="Bertocci"/>
            <date month="October" year="2021"/>
            <abstract>
              <t>This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9068"/>
          <seriesInfo name="DOI" value="10.17487/RFC9068"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-oauth-identity-chaining">
          <front>
            <title>OAuth Identity and Authorization Chaining Across Domains</title>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Kelley Burgin" initials="K." surname="Burgin">
              <organization>MITRE</organization>
            </author>
            <author fullname="Michael J. Jenkins" initials="M. J." surname="Jenkins">
              <organization>NSA-CCSS</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <date day="26" month="June" year="2026"/>
            <abstract>
              <t>   This specification describes a mechanism for preserving identity and
   authorization information across trust domains that use the OAuth 2.0
   Framework.  A JSON Web Token (JWT) authorization grant, obtained
   through an intra-domain OAuth 2.0 Token Exchange, facilitates the
   cross-domain acquisition of an access token.  The relevant identity
   and authorization information is chained throughout the flow by being
   conveyed in the respective artifacts exchanged at each step of the
   process.  Chaining across multiple domains is achieved by using the
   same protocol every time a trust domain boundary is crossed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-chaining-16"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-identity-assertion-authz-grant">
          <front>
            <title>Identity Assertion JWT Authorization Grant</title>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <author fullname="Karl McGuinness" initials="K." surname="McGuinness">
              <organization>Independent</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <date day="21" month="May" year="2026"/>
            <abstract>
              <t>   This specification provides a mechanism for an application to use an
   identity assertion to obtain an access token for a third-party API by
   coordinating through an identity provider that the downstream
   Resource Authorization Server already trusts for single sign-on
   (SSO), using Token Exchange [RFC8693] and JWT Profile for OAuth 2.0
   Authorization Grants [RFC7523].  This pattern is informally referred
   to as Cross-App Access (XAA).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-assertion-authz-grant-04"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-wpt">
          <front>
            <title>WIMSE Workload Proof Token</title>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from basic
   deployments to complex multi-service, multi-cloud, multi-tenant
   systems.  This document specifies the Workload Proof Token (WPT), a
   mechanism for workloads to prove possession of the private key
   associated with a Workload Identity Token (WIT).  The WPT is a signed
   JWT that binds the workload's authentication to a specific HTTP
   request, providing application-level proof of possession for
   workload-to-workload communication.  This specification is designed
   to work alongside the WIT credential format defined in draft-ietf-
   wimse-workload-creds and can be combined with other WIMSE protocols
   in multi-hop call chains.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-wpt-01"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-http-signature">
          <front>
            <title>WIMSE Workload-to-Workload Authentication with HTTP Signatures</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <date day="7" month="April" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones to complex multi-service, multi-cloud, multi-tenant
   deployments.  This document defines one of the mechanisms to provide
   workload authentication, using HTTP Signatures.  While only
   applicable to HTTP traffic, the protocol provides end-to-end
   protection of requests (and optionally, responses), even when service
   traffic is not end-to-end encrypted, that is, when TLS proxies and
   load balancers are used.  Authentication is based on the Workload
   Identity Token (WIT).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-http-signature-03"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-mutual-tls">
          <front>
            <title>Workload Authentication Using Mutual TLS</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="5" month="May" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones to complex multi-service, multi-cloud, multi-tenant
   deployments.  This document profiles a workload authentication based
   on X.509 workload identity certificates using mutual TLS (mTLS).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-mutual-tls-01"/>
        </reference>
      </references>
    </references>
    <?line 582?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9U9aXPbRpbf+Su65NqJZJO0dViWuEkq9JUolVheSZ5UamrK
BoGmiBEIcNGAZCby/PZ9R58ASEmM58P6g0WCQPfrd1/dGAwGvSqtMjkSWy+j
Kp6JcV3NijL9I6rSIhevZSYv6eNWL44qeVmUy5FI82nR6yVFnEdzeDIpo2k1
yNNBEcHDgwmOM4j8cQaJHWfw7FlP1ZN5qhR8q5YLGODkzcVbIR6JKFMFAJLm
iVxI+C+vtvpiSyZpBSNFGX45Gb+EP0UJn84u3m718no+keWolwBwo15c5Erm
qlYjUZW17F2PxH4Pxi1lNBLjszdj+HJTlFeXZVEvRuK3H8Vv8C3NL8WPeKV3
JZfwczLqCTEQZ2kLHWfyf2upKvr5oriSuXjzOZ5F+aWkSycIclotxatZlOYw
bHh1rJQscRy6vB7dvd61zGtY0iMhLLT4hTEWgg2X51GajQQR4IdUVtNhUV7i
9aiMZyMxq6qFGj19Kj9H80Umh3ExfwrDwdBpNasngPN36e91lO/tHTx9EDW3
YIwMUK8qGMPMYsca8vDDtHjYqA+7ezir5tlWr8e/A+0GABRzJsIh3qXwHdAR
5frZkfipjm4kXpaMtzxdwp27P8zoOqKn5w/zalbn8SwV72UlS/FLWt85YJbW
MT8UjJkX5RyeuJbIYWdvX+3t7h7rj0e7Lw70x8MXB+bq8f7xobnh8Hhff3zx
fM98PH52eDTq9VAivaFPBq+HyAUaf6nmwEGs+XLdPZHhUkL4H4PLMsqr4IGb
dK7k4GbRdRV5YKDSyzyq6lJ23DCvqzrKBlWmAOzhcNjrDQYDEU1UVUZx1etd
zFIlQLXUc4BHJFLFZTqRSkRiLlHUUjUXsNY7xKcvbmYovjKPJhk9TTwkiqmY
prnERcGfpC9gzqIcTIo6T8RCllotKVBx8IwCVGVSlCz1IoJ7lIxhXdlSaP6D
sauZnIuqEPM6q1KQLhEXWRZNihIgARGlGRSskxY6T5Mkkz0QzZO8Koukjgny
Px+l+PVLr/e6ljgYDCrKVEmE2BvvWgIE5XUaSyHjQi1VJeeKABufiPEloEz1
AV5V1CXcEsWxVEosogr4FhYFelCoWToluKZlMYc1AtpBvwIMUdYHts1lVPbN
wuMshREHOCPw/byANSNswMqwzM+84IFWbgUoGolEJJEUY1FF6grU0lKgUk5V
pXApHh3ACAzwHmVohfciqlOAMpB1hZMm6XQqS+QJszwFs2RwW305g3Fn9Rxk
vQZYRQwfLM0CBkHGkRHMZcboA6KB39AmCPhbK+BNIG4clWUqE1HUlZgsYfRF
meZxuogyZBKFyBIgJ7AqkA2L+qH4bZZmDnjEclVU+FCZXsMvl1IZ2nYME+EY
grgfmbYv0gpZ4EoJEkEcTX5GgiIXhCOmFS6kBhQvFoWyDDQHYZ/705t1gAkQ
pzndU8B/pQDBAmFIpwybXSyDZHDJKO7AKHDH0kMpwH2TZhlcAfYmdBSgmgCd
cjpNY2CpeDlEQQdywuNEAxQaIDsIeJZJMKeIBliEpaJmZE9A4VePmSxPMFvj
gMQKUSWKHGG6IcosShmDUDnxJUHwFEIHpWDohYxZ9IBlDUrUAtka6MQo+Ax6
gUmE7GV4G5b5CpQpDI3gAFspiaolzuoEdGPv8ePt3R2wLmkeiQ85LOs9iMD4
/el7sU0MlcYCrpAiPAWHSLwvi6oAbbAj3pZgmJBrR48fg6zFcEtp6UUoaIwa
F+DXwBVUWDdglZ22mkT51QCXmAJx3BJp/XGUxTXad8LEBElBaE1SFYPKrEAE
L5B2wfSaaKh0C8Bslc6lJlSbdYDcqHSuAPNAYxoypGCflFuLbrAKj1IKKQWk
trhnQIo8Q7aMJdBOCQAKuJRG0zjVXIVwpDCvR2jECS4NuBBUWhpXMBDAAC5Z
RYuiGxjQTEbkicEgarGkTyAjOYsV3vaNMksDLgFRl8SPwHQRCBkgbRJl8Ekq
8moBjbmK2CbA7Oj3SrQdwCl7O+IU5UeyshGnvsIlNshBEugGXr5PckQnXJR8
N2vieVReSVA4wMaXMyTboigroTLwBFDpgQ+eFbSgalZKYH5kkShL/wBaeVwC
rL2IShRbXIpCpZl3UH6xKItrWG1A3KE4qRyCO0kLTBhSdURPM/p8iUy1mmRO
QrqiXszR8OG0Ft3AD4AWxUqHfwckKImOcjgcm7kKuW4C9gAGJuCVlGTW8yU+
DlPC4xB9RDif5hE0eVN2qGBG5BBQ6nWJj93ICXFiigRHZkQwGOeaPshIPhhG
aGB+mEHfJNkZia6lRQeqeamQQ4nEtWLSITdcloRYsmeLGqX2txQNZ9Ull4wZ
1C3TrLiBD3UGM1UoqTczmB1dgShQhREyIolQoEbIAUAw0f2YL6pAo7PAkbH3
HS9wPWoECKRSAmRs8zQNEXVOzwOa9FiswzPwSMu0kr6RAAdBLcEJL4u8qBXJ
MNC0MoghVYbSD19QO1PwWCm9ZDAH12kFlhjdAdTetJ5JVsRXEXImrqysU7ai
zsaxU8SokZ8XSGljgGBh6GPkyJ8LHFmCZLPLgGOQdkDYTtGrFXvDZwgvKXya
DFGGyMjZAKJAIdtEsATwXj2d2qLmEmK0+AqCGW3FFiTpZLe0RQb/gT1b4eIq
HszZWKdPEsKFshbMAvznnzp8+fIFNRIZB7eahvo3Jsxz0tnhRD4pJmQ1s3Se
hiKNKAEtDdc8XsjBNoHrMGXFZv3f4iZHJfNTcYNc22enPvBaPdcaBlFgyKIy
LbRXqPlTsQbST5BWsfmJDJUAuM8okUgfmLG5TBAibUpgKJibVKa1vsSDpIZY
66s+aRUMDJAVMJJCgUL/EGYcVAVAnlDIDV6UjkhgbYaZYc7LWjqDYXEfZiuI
ThhQMp3CH4EF0CVCenjM4KIv4kUNozYtn8B3/wgL+AQUjFKKhqzaEugzYgxE
V+OqSS1QFf8Cgnpk6hqRbHmC8fecYLuZFW3lGOEwYFKSAu4AE+zJyE1EpENf
g001KqqllkoAQYEWB3B8DxOjpQnpemOZEvYJcV5cEKN530fz6pyR2D4bn+0I
wjxG9Yx5uObjMhK5vCF7OqdUw6eAlz7C+qM0U59orRlqZxYYNpOfUf8TPdIy
dGpDjtRsPacHnZn4+fz0HRpjiEhBD4DuPCdN7EFDUypmOLapnt8cuuYTadzc
JAil25AAavqo729khsEQm2Wlal/ogTs99kCcWQqDzipZDg1JZ4AWVuh2MSF4
GB4CfLCuigJfnAlYOiCyizY5fDfmO2JeAbBJTaHYSC02wA0noELqOfhVy/4m
Gp2UtJ/ncFTtO3D7AbQhFVasOIrLAhC5IkFBio3dzAugXJkml5K5/DJaaFVo
EzJRkjCNPNVgk0/wOQHOIm/OhKBmzpXcoi0oUHUoXi4ZH4lhylUCQCFM5GmJ
aSozTOcYExLkAMiVK+UMEU0ZlKas91nFw0WtEAL1wNqrpW0g5isxKmGXxfqs
HBKFOuCcMyjb4/MdXFau40dCpTY0CKheFae2SCkbvwF8E7SHjHog3bUMCcyO
JMg9OLd6bFZcnIojYaI0lPgNp7cqGQZB2qHmCbnZUwwBOHhhfI7+POCZTASY
PAgGF2StMBqRl0sMbzLQGGYEH1QbI3DQT6khsmXFtKH4iaTsQCKsEEeZHKW2
p5jpL9lvKHLwu4nwoYZxHphx9NhQcjrAhh4SOTi24JokCcLUzqHcW5p6j8Qr
AqyyRHqNppXEWFEGRFyBc4YlByW2fv1wfoElDvwr3p3S57M3//Ph5OzNa/x8
/tP4l1/sB3PH+U+nH3557T65J1+d/vrrm3ev+WG4KhqXfh3/vsXKZOv0/cXJ
6bvxL1ssjYHAl9IqdCApiBFxk7KpWVLwL1+9F7sHbN0wqf3lC3/GrDZ8xsCB
pyI7zl/JMQVGgtCLbATo/zhagMudKbIIaobeFGaJhs20cI15FBDqOZCYdStJ
AHEwaFhKkiExJbK2iSi2fHuCCAhZhbOcWySk8KN1Iu31M7reacFoNG90kx+S
W9qZSjCi9rxjuP+irEHkX0PYkBI0P/920dAaP2I82xjhrsw+DW2uCpvLv+co
nbn/L1/YtIHqT12AOC3QG3BYjkpp52BR8wgGkcIvMkpkOXhF6nnEoYGGsplM
s4EGjY6RBgdbLtxrZep1kOJ7lucQgvJsOksVQGDddtC+aSs1ZVNY2oqNz/va
1861+eP4BNbqaUe8O5h1HMe0kks2F1R7AzOPGi9hLd5vQqUaGdhVeWI0dfMU
NZEuB7j8e1FSKgl0/Pj9iUAnAZxfIKEDLUQ/pc4w01VPTIBn1h0Cx0RIpJwH
rhlh6cyIC5s6ReJC8RpbmHZqQFPFQWVtj9J5V0rchRjmkNTYnIaPyPaTHKUg
5z6kSYyrHFN0P5F+EgtX5mMTtff6AtNIjD1HDXQO5t2Ttvok5EYNRFr2WsHH
voPn6kuUYPFo5LNarxcCelLJ+QgzgiFfQyw9t+Ed5jEdAPiRLq33IIhoIOpY
rJl47l17es4zw6pw0BV+nJcWwZC2BJYEE6Ao5ZwYz3C1fNoEmg4YPE6xBKRv
SC2dvxSoZwOu0Q9Plsa56WJ+iis96NTapfc5p0E+kYsXvJJ1r/faIXaMiB2R
NDS9H43CVtmFCEm8peVKC40nTSucVXrIkR0hcdKkkYWQdKGIai7+FIqzLYAJ
ct8CD9KjLfsPNQpIVLG3f87xOpd12ikdQrd1eslpiLwwvY0Myggo2fZ4gVOR
DVijWAPiFuG7leixrRd78ecjcGDT+EvTI3Fk8AM4cFEmZJa1l4Khq5cBIP5t
JF+81AyjaJZC2HsHWFxOa2gZNlbROvkJK0FdWLUGcCjeRK1xiA0xDNfpGVOs
N9huZHfFpK6oyQdujbOobDMtTMdcE4YNJmYPYvTrNOoKcD4sClMHxiy8Dkxt
5EKsrMIoq1PiXQuBJ/Q619tCk57KqREub7SJkqQYdAAe9GBr3AemqYcc57K0
ojVDUI9cF7xeMMZd6sFje3AoUMpYMJtqycbnQRSo9W6u4zxFhXLU8wW2CTTr
9xZHvmExmTTrFzjYCPbcEMxUPHDVTVVlVASX3bJlK9q05SYGtJULI8jIN6Jc
l5Nck5Nue0GeT3NHgdPLalGoasvDHk3Zj1QckXsa966FpZVNTxNrl3KCjjTW
5/CZSQGC7crtrnVFq7lH4vQaXR150+u9TS8x8b9LARevmCo/oGfv0DriXVHJ
bhcHgkuvYGBzhoF7/BYTsSk4xQBltezzQpGLfJ43cSCwoQEUFvDvf/+792QA
/57Q//bfEwH/nthP+rP+ja/3bj+AbN7eBvDe4r23yG63/Nytg+H2Fs3VLcz3
xM33JJzvSTifBQ2u94QZk8bd3t1BK2C+iuCf/XrbfIo1NTsHO/d8KkTN4Pv7
zrW3M1ZX5Go/AEJTPrt7Xd96JAkhfLJuru39nVc8xarBO556snKue2PjYOcE
TcbdcwXY8PX6fZ/69gHY8CF8vvPaWpX/LIS3DQhXoLQ1Vzj49uGOnnY9hA2Q
rLF70FPGMj7kqVWEuGuubz2cfn9vCLu/3oXDFzt/R8u+fMhTqKWs1X8ADm/F
36zlvT8OA/6997qOdjwj/wAcPpyjNuTeJsDHO2My3A96yk66IW+g/es9NgZx
dFfU8hbs+eNeD2v1G8UJnjfyV6MFXRbECVeUhMS2Sy2DU+PKjRAQK5tjBH/A
i6Qg4B5eDvviE7bHf4K/upqOH7MijswXWcXDHa4ptGIHdmQotdxRiBhSWdA8
omOD0FHxIm5TbAgCbazIj6eY5uDclqk3rEa8jVp0a4+iLHkX5k2uJIwDbIeL
Ns4IxD7zgB8h8bDojRVzaQoxXbOEOVAd+U+wbOkoD1Mc7Jjow3feO8pam8dW
XD/lWC6tulM2AMnzLoa/IwYLAyUc5XCnmap8SCjG6Rf9a8d87bAG53yx0xnB
WfUdZLiDEK6dAmmHcDgvh0Rr0N4K15p4OeqkcytII7ki5z4oY3YUgddFaZb5
PHqH4By3yMQhlUYdOPHkRVOY28Y45XNcAFhgAwA8eFNQjS5KriOA/ZK7MSEU
KVE6AZJpnVGXKekNW/DHTH0SUZ+hywGB3w9h9zSDu7DU4Wm8xJUFGcYwKfSN
8svtSs6xHTxWpB0xflpC0G21SbNzxobAmnEy0KcZpdB1LxMooqSOutXKje4T
jEw5l5qcyvSSGg7nMsKFmU7ZjPpINaND8MnNtAAd4AgomyndFEEdDZST6W5q
oGx0XVIne2PDxl/ucHgsziVwYdL3+iZbDOt15OQFteQQKqnp0AAAz+lqxVCc
p1hgBv7inlnurMGCWAHaPhd5PZdlUTMHx4XS7RH1AhaVmC0ILLW2pv0HPIE7
Lqj5izBCWkSz19l5kGKeFxjuR0mxoDs5VtR1a+x3Bf0JjoLJFD565GsC/P6I
EpNvTCeKExPNSmwBqQjopSf7wS0pq8LFgPmLEOZ2dlyRZgCpqKjvCMlK5Qeg
/7LdWTEBmOesK9ky6yaARuuYbrKmQShhnFIeRdcyNZ/7W4I0M0/rkh5MGJt1
qmbtTgWdbVZc+0TFVUZskP20b0bOCZasVnWqdPsr2pkgL2etS9XsTLEaNPJh
ZYcml1RYbNYQqKaFvUuqw+nRsjuT2YK32RC43e11Ju3FkPhNu7T3hMTBIHIF
EVC0CiQSLq71KzXUaegfP/52Un4P300LxJB2OlCXWkEdg7pwSQbR2seOdOLq
SkjDPwsLMP5MFuvaCfUqL0vbSJ4n1pPkMiVpN9w/UXZQViPe2+nGVblGbf2m
0HNSsy3w5Aq8oEdDqEcXNk/BBcHW1BA3G6AE5onqxM5p+kTaczamApdAu5EV
tTkk1OaAjR+lbMIC6g6expLPtAWmru816tAwBjn1LFauV89vqVBaVFkGqKdm
Io0fjYv2yVdF5aWsKG4hIOxz8KGYp1WFWwXB2JthInA80SGlpd8LZl6k8XNU
NA8xM7Rp2D2dhkVFxh0DiMlV2sULzDpjlhPa12GDB9w9DPYkw30mKHrgSIDy
4gKW7n0WRCZTgllRt0a2ZO0ZNzuuSGuNMLpjd2BSFFdhy0aznVZCeIq3Dsa6
sYGU2ayoJFov1F7aJVgzwk9490DvwnuJ1tDLNDcZppMCpve0ERsXjsYGuUOQ
iE8t/nDbhdg/ARjn4JlU7BVjU6pV8x3NqLwBtavx1FSA13bQ6oz4P3pC/NnD
DMEWxsFbI7HFVPioqbDV5191dAw3/GOLt75gBxLetPVPfYuNmummrg3kPLSy
T2j0wP0MA10EjeWBQe0WP3iDbNGdX+D/L/028MQDHz0e+Krw0+j3A58BWQd9
759EAZOS2RuJTol1rlVDVB9rP8yVqFEMMPPMbce+x4Z2KgM21S0tJoHT7BGw
gSgysLVgaztqG0CpjnoiqUDcCdOVX3B7JmnqFeU2Goojxsxv1ytrrLhpuzE+
X+U6Ye/psu8w6ayl66VGaxlAfB1laRKZalVDZVvjZdWDlXVgAE/Wr3IIFayh
WqEQtLq1uZsV81ubI6gDGLw8rDiy+UC9pLdE2v4xZGhAV4HVMh3K+As0lg0z
OStC+r5Ovtm8k6XSfXqJrYvja1YvzzR0aaVfx78DAYR4zC2MBNN6lvDvbnV7
rFhOCwW8tY9u1/zYPVsTD02up+5TdN54gwo1QYptTjC2YYmLRO5gAxZl9kxa
LeAA03PQlFB8lN1ynqO78aidwKLSe9gt1zEwO6FB1s1zLNEG6iRFS29w76rX
U2tUCdWFo3YSlptaucdQdztlS7v8FUlA3U8IxjJfmcMz8ngRdNUyTvyhKPps
dXZh5FvghiESINYhzw6PMHTt0B46xkeoQFprkrFHYbAsXtE96BYDTTtd8Qub
pANmKp02G67z37sf0p3qBXOH8hl72PTM/dGMl4ri47KQaaVkNu0bP6eBPSvd
JH2Uvg7TmlprYe8/ZjGiHNt+sCXHbPgI27sIQLZPH9NuMLsX3eT0yCVbkw5O
dw4Q4qPDsnXHSzmHd1FZRkvfiTba80H6I3BMMaZfVGs1qdM3rW4bFwfsd8YB
Tcohyy+iZVZESWdOnZrq162F04PGa2HB+kRGj7OHjbjOsqTZLKt361lKr3hO
xxteE3Nna41PbddFRoUQSoN0muVNgtyQIF7Iywggg64Xou4vR3TqhYsysWIR
1EZIrkz2qbV7DP1HdD23AJQt7zilSA19nxPdVeOXIjl+aP0I0N/1vKUX3sjE
+WiJ0x5Rfl7AjbsvXrw4Oto9fPaMLgKR9MUXx8/39MV/VSkOySc20RIHR5OD
F3vHcTzY35MHg4P9F88GR/H02eD5i+PD3ecHye7e8aEBvEOA0X8nP9u45etj
m3tFB5vEN38pwuEoQUc5HUtZFel8vdWE0c5fiXfsWuD/f/a+BHHP/qilnt6z
eqIAp5Vq77GJbfTAmmPWerxZLUwW6eM8QlfCFjkaLZwmZ+M69u5TrdObzzsK
cy3Hw2zWsg3OzQ2Q3Omst024Let4qlC+LHLJZzFoN6cbONaxdh9uY+uVknxc
yN5wFy2E3z9MkVKXq2O28kRZsBuYcowGxs6kHy7/w9mJTe5xDIOVta7MHjsV
FCXUWvF2FN7IkaE9eiunxDbKAQVfT7PikjJYeDLbVwZD70T/SFRY6bL41Ld7
VLr5rz3qRxT4zqHBCx7hlqwR0VmNaGfWiDUonfn3rxscr8e1Js2rs4iPOWET
uPQtZtjlfne918kK/ojjxebcn0ZnLsVb498tLj22ck+mdGQAzMKZawFqQCnc
6DjgDaCNW8OY4tyy9L7H1DbIgNFegiKEtYB+uc949Dgemmce/+3k1/M33U9q
oPutIdrH32Ec0boeHoCHt6Ab2LrNHYNnYBrrMxIoMmqDzyLt/MMD4x+u0mjO
a9ZtE36WdShO9E6lQMf4t5jDE9btxvJ8x33jEH0KGP4TsEwhFOBWefypFQ6n
jpyz5siwDhxzzoZthbA4A1/5E6VNzdzsVIn3p8DW4Ac95aMESLT2xE8XF++f
7g53e+KnAs+vDP2kHu7dBb1RDS7oxE3a8czAPf08uLm5GaBBGdRlBpoLwu2k
1+M4jUT8OxDn/9ofI8HhD4s0fKCZ4S/dSGINX1jGpT1I9G8BAr/79g2P72P+
++Zd95nU6RL4AtoExvCQ9Z1c/jyb4IGMweWNBvY9goPRCuv+mAtuprKuU2o+
+fSeUvQCWRD0kM99Z5mc3bW+LrnT9g7TvDCgpExpb89l1fB1jw6e4T/nb3f7
ePhgwwt6PtLS7CcNHmtf571LeJ4FCc+OEwOCfbfmVBUjJWEWL9T3QfIR1cvf
Xf4xNGFarFzmsyG++PCZrErahcQk6k4gWxPojf6NMtEpaUFtgfSGBmzvWL2R
qyPUw/6aiHwr2tPlZb6MuUpWb+zqcD5tNueinaf6DzUxsQHl4zKY8KlJVqFJ
xdLiA9JYvM13qc9w1KPaRA12DaXgKEreq3Ey1WO3210Uua7Nfd0xl69STD0R
/EqHxJwdY+9ybVka10pnMK3IYoltPDjCd5/81ENHuqObR51rvLNx2inkImX3
C7cSbU3X9Ku5wOtyV2HdvTt11eTG+219Es6fbPaNoHMZZSU4tLjVF10MOiWD
T3/oaJ91G2j1YTnN/aBpZZhc10wNPTswojXpofVyOrjW7EltuQoRpeIbCRZx
Asy3JrWFx2utybj2SQD8zNCiINEIAj5mBrMnf3tNWmHHHf/nZ88aQIU+28Ua
9Rvwg3Kbxni6QbsM319ZiwSTMi/A1/sP5qS68iztxNTKnMp9k1K7QVLKHRug
M1Mv4qPkONqTg4PJ7t7gINqfDo7kYTzYmx5HR5P9+EXyXP4/yEx1JWIOR22J
8TIx4rUs02s+D/Bcd36AIfwAvAehdXFjevtSfZ5KQk2JgUZeudmAuppyaU4K
oEOnsZ2PNoYmbl7TcaKL4tbR85ITqpIL0zaZYwMNNzH6GXiKLs+pN2LAnT93
wDeydcp+M1uEEwV9I1S3pMadG5ekabeOcBtNwkdF6z4NrvjchSta+SvsXTXA
e/M7SAmyMFc+kVnh+rJbMPVpr7W/GNeB5G/UZdfBf9K0HHqLMhHXA9YUhavC
LZejjkpmE+N3rurGHpdJeNG9Y3R4Rt5ey51LeUXN2fBTSAPNmQ9gFXOquEax
a+N5CGrBR30IJ/dMDI/nSjeObTW2xZ46g2JorPkliF/OmQU+zeCLDq3AH9gd
HPo9wptxLvvbv2lgyL+2kKUe0Fy35Q55HvbOTce88cOE/ubYo3udjBSmzxot
e6va9VZSsrNWrVExdq1yK451UmL75/GPase5aVha8gbA0w2aHsxF+zYABQ+t
Vrzj2zfm3JWCS+sMpTyFFrYI6B39tNtikaXV6o053nHEyh4p544Sh/W5A/c9
bzHYtHHBp2e3vGazwpc6r6P5uAvt6Li7DVLt6h7CwYPY4638cp43lZf6D7fj
e2eZKK/DwZLG5ti62o/9Gbgno3vbge4gbKTzzIYA2ze0as+Cck2EITa/aaTL
tDlt+IkW8u5TBtAZdLvuzfb2cJNsx09Pgh3Y3h29W0FGQYj2Tnzc5wiUwZ/s
p2BDPt1xRtd7t0YU6GYrF3iL95MhAD5qiXEr3HVaV3CigNvhb/f0P3E3BRv9
hbtODlmwb7Ox49/+GN7kfewaItj+v8kQjc2udrfrg6AIDgbYaCHhKQH3HCLY
jt1cyJN7DeGdHtDaVntPKJ6sg2IjdAYnC2yGzmAT/yZDNLa63xed4UIifz//
ZgsJNvdvNkSw03+jIb4GUSf+vvzNFiL87fabDuH+PdmIqCL8tpHWinfQxzFQ
bIDOr8KdCULRuvsv6M4nDf64FxRSHxPAwvo1JLWBk3tBMf2rUKzCRXD9+7VD
rFS//rkgD+FOn6ieHtl0iDOnRzYbIqDUhlD452BsupCuIzEeNMTXIGpwcft4
R7vVmw7hgfT9plD4C/FzZi/uPEdjbdD7GKJLyleBwzfAMxAiXQ6gNEakGkdY
gdXsPJbW+bBhh3fYaKiDvUY0SOFFKwrTwYPealQrl3gP4x8EamK39EMk3o4y
OSvobQq+K5A0O1kolLQ1y65o0uxIp3BRJ9L1yeshiHE3iLrHvr16L9G9Yoes
KSutSK2bdLjZ4SUX7tUgnBQoZcaJyVm6ABxXN9KeX6cCAtEZ4GYtQpxL6TW7
6FaXuxMZ9niRjtlhhbgtXM3mHGCD+buDzYLQ2QTtq4LZ1YG0IwZRSXZQ6aXd
BmMn6+OmHXz3CWccWgeCrD0Roh2oeyeUrD4VpAdmcOU5OMSe/ohdR01oOT8E
OT++S85fLj3md1VwOqWPjyblQ5SRyvRmSU+gDI047RGcQ2ELl/QyAHduRao6
CMJbjDKs4etiK77wL+MqL7/MsesAQ7c3S/M+HSqQ/gG00YcXCJi8nAEaiWmo
wFKVMpoj4/fdqYdltEgTTZtoniFycV6YZZJmmJMgCbXHG9BhDgOdXOeTU72T
FXQ1/43ObHL53pWtuWBIFQez29UmQTVabS4SUGR0v5ficekjb38T5yvxBCXK
m/LrOr8wLI0DFfSQRyLNstrsAA37VU1XhDt7OKItfbgAfHMfvr7krX1n2TjL
Unzd2TdKa2zSQWBi9KZ1f2TXnXBTdAnNiNL/SC0uQBmuNK/6ozOeos8iugbl
N6GjNOoF7WaoYJ786uNYbE9kLqepLszpQqZJv1vlQcIQ650Q+tmXw+CUY3/j
XHiOMSzTlMH8nH9X/3/4YOt8g97aImakMbu+mrn6rnar/ep7w9Imv8DOa7pf
/eCDu+8PoheTvWf78UA+P94dHBzvHg4mR8l0kOxN9o+OpweHe7vxRnVNQ3h8
r+HH6K66pn175J3FTR7PX/lTPdV9O9YDlvyhPZ6FtZNoHfffq20/wMfkK+Nj
8pXxMXkgPiZr8NFRcT4KW/9dsZk15Io6iFGWx97ps+iDtBUktUPo1z4ahRio
wxg0kXFZ6C2+1nfg90Wj7voGS4weZvSbLWifLQ1IhojHm+z010zqOcStXdMd
nUvbBks7d3k8oYyZQ/O0ISKP6a/1bXx9lbdC2jZXeJ1NHE4LwsV9rfD+/+iv
LpE5HhGvO1FB4+i9MIA7+iw/hRWp7rZv/VZR7w0Z2r30zilj+2w2/4KTh2/P
7GzA379vRKJ9AHaE+bXOtslLv8HnvjVlBK7VO6C3AnXW/VeUaF1lVb/5o89H
ThXY1I1eFb2TNrJvKAD+yorSbA8MKtJdvnGyoiLtQqOHv2bHtht8o+x7zOht
Ja4qeWLmGdt5aJ1Yp+UTAk6S933HFik32Xc/uUIni+2T1wNgzB0dhpuo3R3q
k3HgFJv6oum2sOfC+/ObI5+CqMq4iUEI9t8d1d05nSITDqpfwRgGaZEfTg3F
S6nf2or3LvAVtGVwsBs7i5aGsDCNeOrY1A3UNgK2EYN5Qb3ZxRnlUbZUqbL8
Xyz06vARxNxlCQ40deLW5lSlR4/uaDzhVwliCOPFPX3L/v02EbyXCXvvusG3
tNyvM2WIbxEPud6PlLq0gxIHwz2a9mC479og9etl9avtTJMXvVvjXJ9Aj1sr
vG4u0Hunr0/tr/TitJPxu3H7tuDELOxPzQu+UytwVDODwYC23eIo4xg3jWUy
uSQM9v4c5fV8gj7Bd1vTKFNy64uePLJ3gq76Px/V4lgWhwAA

-->

</rfc>
