<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-chen-oauth-agent-authz-use-cases-00" category="std" consensus="true" submissionType="IETF" xml:lang="en" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Authorization use cases">Agent Authorization use cases and gap analysis</title>
    <seriesInfo name="Internet-Draft" value="draft-chen-oauth-agent-authz-use-cases-00"/>
    <author initials="M." surname="Chen" fullname="Meiling Chen">
      <organization>China Mobile</organization>
      <address>
        <postal>
          <city>BeiJing</city>
          <country>China</country>
        </postal>
        <email>chenmeiling@chinamobile.com</email>
      </address>
    </author>
    <author initials="J." surname="Chen" fullname="Jia Chen">
      <organization>China Mobile</organization>
      <address>
        <postal>
          <city>BeiJing</city>
          <country>China</country>
        </postal>
        <email>chenjia@chinamobile.com</email>
      </address>
    </author>
    <author initials="J." surname="Yao" fullname="Jiankang Yao">
      <organization>CNNIC</organization>
      <address>
        <postal>
          <city>BeiJing</city>
          <country>China</country>
        </postal>
        <email>yaojk@cnnic.cn</email>
      </address>
    </author>
    <author initials="Y." surname="Jiang" fullname="Yuning Jiang">
      <organization/>
      <address>
        <email>jiangyuning2@h-partners.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="05"/>
    <area>Security</area>
    <workgroup>OAuth Working Group</workgroup>
    <keyword>OAuth</keyword>
    <keyword>Agent</keyword>
    <keyword>AI</keyword>
    <keyword>Artificial Intelligence</keyword>
    <keyword>Authorization</keyword>
    <keyword>Delegation</keyword>
    <keyword>Revocation</keyword>
    <keyword>Gap Analysis</keyword>
    <abstract>
      <?line 53?>

<t>This document provides a systematic analysis of these emerging agent-based use cases. It categorizes them into distinct scenarios, details their specific authorization requirements, and performs a comprehensive gap analysis against the existing OAuth 2.0 framework <xref target="RFC6749"/> and its common extensions. The analysis identifies fundamental mismatches, the goal of this document is to articulate these gaps clearly, providing a foundation for future work on new extensions within the OAuth Working Group to address the authorization needs of the next generation of ai agents.</t>
    </abstract>
  </front>
  <middle>
    <?line 57?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The OAuth 2.0 Authorization Framework <xref target="RFC6749"/> has become the de facto standard for delegated authorization on the internet. Its success is rooted in a well-defined model where a resource owner grants a third-party client limited access to their resources without sharing their credentials. This model primarily assumes a user-present, interactive flow where a static set of permissions (scopes) is approved upfront.</t>
      <t>However, the landscape is rapidly evolving with the advent of sophisticated AI-driven "Agents". These are not simple clients but autonomous or semi-autonomous entities that perform complex, multi-step tasks on behalf of a user or another system. Their operational characteristics include:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Delegated Autonomy:</strong> Agents act with authority delegated from a principal (user or system) over extended periods.</t>
        </li>
        <li>
          <t><strong>Complex Task Decomposition:</strong> An agent might take a high-level instruction (e.g., "plan my business trip") and decompose it into numerous discrete actions involving multiple resource servers.</t>
        </li>
        <li>
          <t><strong>Asynchronous &amp; Long-Running Operations:</strong> Tasks may run for hours, days, or indefinitely, often without direct, real-time supervision from the principal.</t>
        </li>
        <li>
          <t><strong>Dynamic &amp; Emergent Needs:</strong> The exact permissions required may not be known at the start of a task but emerge as the agent plans and executes its steps.</t>
        </li>
        <li>
          <t><strong>Composition &amp; Chaining:</strong> Agents may delegate sub-tasks to other agents, forming a chain of authority.</t>
        </li>
      </ul>
      <t>This document does not propose new solutions or protocols. Instead, its purpose is to:
*   Define the key actors and concepts in agent-based authorization scenarios.
*   Describe a set of core use cases that exemplify the new challenges.
*   Conduct a gap analysis for each use case, identifying where the current OAuth 2.0 framework and its extensions fall short.
*   Summarize the key security considerations.</t>
      <t>By clearly articulating these gaps, this document aims to provide a shared understanding of the problem space and stimulate focused work on developing interoperable solutions for the next generation of delegated authorization.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>In addition to the terms defined in <xref target="RFC6749"/>, this document uses the following terms:</t>
      <dl>
        <dt><strong>User (Resource Owner):</strong></dt>
        <dd>
          <t>An entity capable of granting access to a protected resource. In the context of this document, the user is the person who delegates authority to an agent. Conforms to the definition of "Resource Owner" in <xref target="RFC6749"/>.</t>
        </dd>
        <dt><strong>Authorization Server (AS):</strong></dt>
        <dd>
          <t>The server that authenticates the User and issues access tokens to the Agent after obtaining the User's authorization. Conforms to the definition in <xref target="RFC6749"/>.</t>
        </dd>
        <dt><strong>Resource Server (RS):</strong></dt>
        <dd>
          <t>The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. Conforms to the definition in <xref target="RFC6749"/>.</t>
        </dd>
        <dt><strong>Delegation Chain:</strong></dt>
        <dd>
          <t>A sequence of delegation events, where one actor grants a subset of its authority to another. For example: User -&gt; Agent A -&gt; Agent B.</t>
        </dd>
        <dt><strong>Intent:</strong></dt>
        <dd>
          <t>A high-level description of a goal or task that the user wants the agent to accomplish (e.g., "book me a flight to Hawaii for next week").</t>
        </dd>
        <dt><strong>Tool:</strong></dt>
        <dd>
          <t>A specific API or function that an agent can call to perform an action (e.g., a <tt>search_flights</tt> API, a <tt>send_email</tt> function).</t>
        </dd>
      </dl>
    </section>
    <section anchor="core-use-cases-and-gap-analysis">
      <name>Core Use Cases and Gap Analysis</name>
      <t>This section explores different categories of use cases, providing a concrete example for each, and analyzes the gaps in the existing OAuth 2.x framework. For each use case, we examine what can be achieved with existing tools and, more importantly, what is missing.</t>
      <section anchor="category-1-personal-consumer-scenarios">
        <name>Category 1: Personal &amp; Consumer Scenarios</name>
        <section anchor="use-case-1-personal-digital-assistant">
          <name>Use Case 1: Personal Digital Assistant</name>
          <ul spacing="normal">
            <li>
              <t><strong>Scenario Description:</strong> A user gives a high-level, natural language command to their AI assistant. The assistant must decompose this command into multiple steps and interact with various services to fulfill the request.</t>
            </li>
            <li>
              <t><strong>Example:</strong> Alice tells her AI assistant, <em>"Help me plan a picnic for this Saturday."</em> The assistant needs to:
              </t>
              <ol spacing="normal" type="1"><li>
                  <t>Check Alice's calendar for availability (requires <tt>calendar.read</tt>).</t>
                </li>
                <li>
                  <t>Check the weather forecast for Saturday (requires <tt>weather.read</tt>).</t>
                </li>
                <li>
                  <t>If the weather is good, suggest nearby parks (requires <tt>maps.search</tt>).</t>
                </li>
                <li>
                  <t>After Alice chooses a park, book a picnic spot if required (requires <tt>parks.book</tt>).</t>
                </li>
                <li>
                  <t>Finally, add the event to Alice's calendar (requires <tt>calendar.write</tt>).</t>
                </li>
              </ol>
            </li>
            <li>
              <t><strong>Authorization Requirements:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>Intent-to-Permission Translation:</strong> The system must translate the high-level intent ("plan a picnic") into a series of specific, just-in-time permission requests.</t>
                </li>
                <li>
                  <t><strong>Interactive, Multi-Step Consent:</strong> The agent needs to "talk back" to the user for intermediate decisions (e.g., "The weather looks great! I found three parks nearby. Which one do you prefer?"). Authorization for the next step (booking) should only be granted after the user's choice.</t>
                </li>
                <li>
                  <t><strong>Task-Level Revocation:</strong> Alice should be able to say, <em>"Cancel the picnic planning,"</em> and have all permissions related to this specific task instantly revoked, without affecting other tasks the agent might be performing.</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Gap Analysis:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>What Works (Partially):</strong> The OAuth Authorization Code flow can be used to get the initial permissions (like <tt>calendar.read</tt>). Refresh Tokens can keep the agent's session alive.</t>
                </li>
                <li>
                  <t><strong>What's Missing (The Gap):</strong>
                  </t>
                  <ul spacing="normal">
                    <li>
                      <t><strong>Fundamental Paradigm Mismatch:</strong> OAuth is a <strong>"pre-authorization"</strong> model. It asks the user to approve a static list of scopes (<tt>calendar.read</tt>, <tt>weather.read</tt>, <tt>maps.search</tt>, etc.) all at once at the beginning. It cannot understand the <em>intent</em> ("plan a picnic") and dynamically grant permissions as the task unfolds. This is the core gap.</t>
                    </li>
                    <li>
                      <t><strong>No Standardized Interactive Flow:</strong> There is no standard OAuth mechanism for an agent to "pause" a task, ask the user for a decision, and then use that decision to request a new, specific permission. This logic is currently left to complex, proprietary application-layer implementations.</t>
                    </li>
                    <li>
                      <t><strong>Impractical Revocation:</strong> OAuth Token Revocation (<xref target="RFC7009"/>) revokes a single token. To achieve task-level revocation, the application would need to manage a complex mapping of tasks to tokens. There is no standard way to say "revoke everything related to 'picnic planning'."</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="use-case-2-smart-home-automation">
          <name>Use Case 2: Smart Home &amp; Automation</name>
          <ul spacing="normal">
            <li>
              <t><strong>Scenario Description:</strong> A central home hub agent manages various IoT devices based on pre-defined rules or real-time events.</t>
            </li>
            <li>
              <t><strong>Example:</strong> Bob sets up a "Good Morning" routine. When his alarm goes off at 7 AM on a weekday, the home hub agent is authorized to:
              </t>
              <ol spacing="normal" type="1"><li>
                  <t>Slowly turn on the bedroom lights (device: <tt>bedroom_light</tt>, capability: <tt>brightness</tt>).</t>
                </li>
                <li>
                  <t>Set the thermostat to 70°F (device: <tt>thermostat</tt>, capability: <tt>set_temperature</tt>).</t>
                </li>
                <li>
                  <t>Start the coffee maker (device: <tt>coffee_maker</tt>, capability: <tt>on_off</tt>).</t>
                </li>
              </ol>
            </li>
            <li>
              <t><strong>Authorization Requirements:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>Persistent Delegation:</strong> After a one-time setup, the agent must be able to perform these actions daily without Bob's intervention.</t>
                </li>
                <li>
                  <t><strong>Fine-Grained Device &amp; Capability Permissions:</strong> The agent should be authorized to control the <tt>brightness</tt> of the <tt>bedroom_light</tt>, but not, for example, to unlock the <tt>front_door</tt>.</t>
                </li>
                <li>
                  <t><strong>Conditional or Event-Driven Authorization:</strong> The permissions should only be usable when specific conditions are met (e.g., <tt>time=7AM</tt> AND <tt>day=weekday</tt>).</t>
                </li>
                <li>
                  <t><strong>Bulk Revocation:</strong> When Bob sells his house, he needs a simple way to revoke all permissions for all devices from his home hub with a single action.</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Gap Analysis:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>What Works (Partially):</strong> Refresh Tokens are well-suited for persistent delegation. Scopes can be defined with high granularity (e.g., <tt>device:bedroom_light:brightness</tt>).</t>
                </li>
                <li>
                  <t><strong>What's Missing (The Gap):</strong>      </t>
                  <ul spacing="normal">
                    <li>
                      <t><strong>"Scope Explosion" and Usability:</strong> In a home with hundreds of devices and capabilities, presenting the user with a list of thousands of scopes to approve is unmanageable. The OAuth consent screen was not designed for this scale.</t>
                    </li>
                    <li>
                      <t><strong>No Standardized Policy Enforcement:</strong> OAuth grants <em>what</em> an agent can do, but not <em>when</em> or <em>under what conditions</em>. The logic to enforce <tt>time=7AM</tt> is outside the protocol and must be custom-built into the agent or the device's resource server, leading to inconsistent and non-interoperable implementations.</t>
                    </li>
                    <li>
                      <t><strong>No Standardized Bulk Revocation:</strong> <xref target="RFC7009"/> is for revoking one token at a time. There is no standard API to "revoke all tokens for user Bob" or "revoke all tokens issued to the home hub client." This is a critical administrative and security gap, forcing reliance on proprietary AS-specific APIs.</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="use-case-3-agent-as-users-full-proxy-to-access-third-party-tools">
          <name>Use Case 3: Agent as User's Full Proxy to Access Third-Party Tools</name>
          <ul spacing="normal">
            <li>
              <t><strong>Scenario Description:</strong> A user authorizes an agent to use a third-party service on their behalf. The service, however, was designed for human interaction and has no built-in awareness of automated agents, leading to potential misuse or policy violations.</t>
            </li>
            <li>
              <t><strong>Example:</strong>  Charlie authorizes his personal research assistant agent to use his subscription to an academic paper database. The agent, acting as Charlie, begins downloading hundreds of papers for a literature review. The database service detects this high-frequency activity, flags it as a potential DDoS attack or data scraping, and temporarily locks Charlie's account, disrupting both the agent's task and Charlie's own access.</t>
            </li>
            <li>
              <t><strong>Authorization Requirements:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>Agent-User Differentiation:</strong> : The third-party service must be able to reliably distinguish between requests coming directly from Charlie and requests made by his agent.</t>
                </li>
                <li>
                  <t><strong>Agent-Specific Policies:</strong> The service needs a way to apply different policies (e.g., stricter rate limits, restricted API access) to the agent without impacting the human user's normal access rights.</t>
                </li>
                <li>
                  <t><strong>Delegated Authority with Constraints:</strong> The authorization given to the agent should be a constrained subset of the user's full permissions (e.g., "can search and download, but no more than 100 papers per hour").</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Gap Analysis:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>What (partially) works:</strong>  OAuth allows a user to delegate access to a client (the agent). The scope parameter can limit which APIs the agent can call.      </t>
                  <ul spacing="normal">
                    <li>
                      <t><strong>What Works (Partially):</strong> OAuth allows a user to delegate access to a client (the agent). The <tt>scope</tt> parameter can limit which APIs the agent can call.</t>
                    </li>
                  </ul>
                </li>
                <li>
                  <t><strong>What's Missing (The Gap):</strong>      </t>
                  <ul spacing="normal">
                    <li>
                      <t><strong>No Standard Agent Identifier:</strong> There is no standard OAuth claim or parameter that explicitly signals "this request is from an automated agent." Resource servers are left to guess based on non-standard signals like User-Agent strings or unusual traffic patterns.</t>
                    </li>
                    <li>
                      <t><strong>Inability to Express Constraints:</strong> The standard <tt>scope</tt> mechanism is binary (permission is granted or not). It cannot express or enforce nuanced constraints like rate limits, data volume caps, or time-of-day restrictions as part of the authorization grant itself.</t>
                    </li>
                    <li>
                      <t><strong>Confused Deputy Risk:</strong> Without clear differentiation, the service provider cannot tell if high-volume activity is malicious (account takeover) or a legitimate but overly aggressive agent. Their only recourse is often to block the user's account entirely.</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="use-case-4-agent-as-users-proxy-to-access-operating-system-resources">
          <name>Use Case 4: Agent as User's Proxy to Access Operating System Resources</name>
          <ul spacing="normal">
            <li>
              <t><strong>Scenario Description:</strong> An agent running on a user's device (e.g., a laptop or smartphone) needs to perform tasks that require access to local resources like files, applications, or system settings.</t>
            </li>
            <li>
              <t><strong>Example:</strong> Diana asks her desktop agent, <em>"Clean up my downloads folder and free up disk space."</em> To do this, the agent needs permission to read and delete files within <tt>/home/diana/downloads</tt>. However, to be "helpful," the agent might also try to clear system-wide caches, which requires elevated, system-level permissions.</t>
            </li>
            <li>
              <t><strong>Authorization Requirements:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>Fine-Grained Resource Access:</strong> The agent should be granted access only to the specific files or settings needed for a task (e.g., a single folder), not the user's entire home directory or full system access.</t>
                </li>
                <li>
                  <t><strong>Task-Scoped Permissions:</strong> Permissions should be granted for the duration of a specific task ("clean downloads folder") and automatically revoked upon completion.</t>
                </li>
                <li>
                  <t><strong>Secure Privilege Escalation:</strong> If a task requires elevated permissions, there must be a secure, user-approved mechanism for the agent to request them just-in-time, rather than running with high privileges constantly.</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Gap Analysis:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>What Works (Partially):</strong> Modern operating systems have their own permission models (e.g., app sandboxing, runtime permission prompts).</t>
                </li>
                <li>
                  <t><strong>What's Missing (The Gap):</strong>
                  </t>
                  <ul spacing="normal">
                    <li>
                      <t><strong>Architectural Mismatch:</strong> OAuth is a framework for network-based delegated authorization. It is not designed to manage local, process-level OS permissions. There is a fundamental mismatch between the two models.</t>
                    </li>
                    <li>
                      <t><strong>Lack of a Standard Bridge:</strong> There is no standard protocol to connect an agent's high-level intent (often determined in the cloud) to a secure, fine-grained grant of local OS permissions on the device.</t>
                    </li>
                    <li>
                      <t><strong>Over-Privileging by Default:</strong> Due to the lack of a standard bridge, developers often resort to a dangerous workaround: the agent's local component is installed with broad, persistent permissions (e.g., running with the user's full rights or even as a system service). This completely bypasses the principle of least privilege and creates a significant security risk.</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="category-2-enterprise-business-process-scenarios">
        <name>Category 2: Enterprise &amp; Business Process Scenarios</name>
        <section anchor="use-case-5-complex-business-process-automation">
          <name>Use Case 5: Complex Business Process Automation</name>
          <ul spacing="normal">
            <li>
              <t><strong>Scenario Description:</strong> A task is passed through a chain of specialized agents, each performing one step of a larger business process.</t>
            </li>
            <li>
              <t><strong>Example:</strong> An automated insurance claim process:
              </t>
              <ol spacing="normal" type="1"><li>
                  <t><strong>Agent A (Intake):</strong> Receives a claim from a customer and is authorized to read the customer's policy. It passes the claim to the next agent.</t>
                </li>
                <li>
                  <t><strong>Agent B (Verification):</strong> Receives the claim from Agent A. It is authorized to access external databases to verify the details of the incident. It then passes the verified claim to Agent C.</t>
                </li>
                <li>
                  <t><strong>Agent C (Adjudication):</strong> Receives the verified claim from Agent B. It is authorized to run a risk assessment and approve or deny the claim. If approved, it delegates the final action to Agent D.</t>
                </li>
                <li>
                  <t><strong>Agent D (Payment):</strong> Receives the approved claim from Agent C. It is authorized <em>only</em> to execute a payment to the customer's bank account for the approved amount.</t>
                </li>
              </ol>
            </li>
            <li>
              <t><strong>Authorization Requirements:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>Verifiable Delegation Chain:</strong> The final agent (Payment Agent D) and the resource server (the bank's API) must be able to cryptographically verify the entire authorization path: <tt>Customer -&gt; Agent A -&gt; Agent B -&gt; Agent C -&gt; Agent D</tt>.</t>
                </li>
                <li>
                  <t><strong>Principle of Least Privilege at Each Step:</strong> Agent B should have no payment authority, and Agent D should have no access to the customer's policy details. The permissions must be strictly constrained at each step in the chain.</t>
                </li>
                <li>
                  <t><strong>Auditable Context:</strong> The entire process must be tied to a single, auditable <tt>claim_id</tt> that is securely passed along the chain.</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Gap Analysis:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>What Works (Partially):</strong> OAuth 2.0 Token Exchange <xref target="RFC8693"/> introduces the <tt>act</tt> (actor) claim, which provides a primitive to show that one agent is acting on behalf of another. This is a foundational building block.</t>
                </li>
                <li>
                  <t><strong>What's Missing (The Gap):</strong>
                  </t>
                  <ul spacing="normal">
                    <li>
                      <t><strong>No Native Support for Chains:</strong> A standard OAuth token represents a simple, two-party delegation (User -&gt; Agent A). It cannot natively represent a multi-step chain (<tt>User -&gt; A -&gt; B -&gt; C</tt>). While the <tt>act</tt> claim from <xref target="RFC8693"/> helps, there is no standard for how to nest these claims to create a verifiable, multi-hop chain. This is a major architectural gap.</t>
                    </li>
                    <li>
                      <t><strong>Lack of Standardized Context Passing:</strong> There is no standard field in an OAuth token to carry the <tt>claim_id</tt> securely through the process. Developers resort to custom claims in a JWT, which harms interoperability.</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="use-case-6-coordinated-task-group">
          <name>Use Case 6: Coordinated Task Group</name>
          <ul spacing="normal">
            <li>
              <t><strong>Scenario Description:</strong> A coordinating agent decomposes a user's request into subtasks and assembles a group of specialized sub-agents to execute them. Unlike the delegation chain in Use Case 5, where each agent derives its authority from the previous agent hop by hop, here every member's authority stems from a single grant obtained centrally by the coordinator <xref target="I-D.song-oauth-ai-agent-collaborate-authz"/>. The execution order of subtasks (sequential, parallel, or mixed) is independent of this authorization structure.</t>
            </li>
            <li>
              <t><strong>Example:</strong> A user asks a health assistant for real-time health advice. A leading agent resolves the request into three subtasks: collecting the user's health data, predicting the user's health status, and generating advice. It selects a sub-agent for each subtask, each needing access to different resource servers (a wearable data API, a prediction service, a guideline repository). Sub-agents may all be selected upfront, or incrementally during execution as intermediate results reveal which further subtasks are needed.</t>
            </li>
            <li>
              <t><strong>Authorization Requirements:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>One Grant, Many Members:</strong> The coordinator must be able to obtain authorization once, on behalf of the whole group, rather than each member running its own flow against the authorization server and the user.</t>
                </li>
                <li>
                  <t><strong>Member-Level Least Privilege:</strong> Each member must be confined to its own subject-audience-scope binding within the group's overall authority.</t>
                </li>
                <li>
                  <t><strong>Late Binding of Members:</strong> Members selected mid-execution must be able to receive authority under the existing grant without a full re-authorization round trip.</t>
                </li>
                <li>
                  <t><strong>Group Lifecycle:</strong> When the task completes or the coordinator is compromised, the entire group's authority must be terminable as one unit.</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Gap Analysis:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>What Works (Partially):</strong> The Client Credentials grant and Token Exchange <xref target="RFC8693"/> allow individual agents to obtain tokens, and Rich Authorization Requests <xref target="RFC9396"/> can express fine-grained permissions per request.</t>
                </li>
                <li>
                  <t><strong>What's Missing (The Gap):</strong>
                  </t>
                  <ul spacing="normal">
                    <li>
                      <t><strong>Per-Member Authorization Does Not Scale:</strong> N members individually authenticating and obtaining tokens for what is logically one user grant means N authorization server interactions and potentially N consent prompts for a single request. There is no standard way for one party to request authorization on behalf of an enumerated set of clients.</t>
                    </li>
                    <li>
                      <t><strong>No Group Construct in the Token Model:</strong> Tokens describe one client acting for one subject. There is no standard representation of group membership, nor of per-member subject-audience-scope bindings under a common grant, that a resource server could verify.</t>
                    </li>
                    <li>
                      <t><strong>No Late Binding of Members:</strong> Members that cannot be enumerated at grant time have no standard way to be admitted to the group's authority, for example via a verifiable task assignment bound to the original grant.</t>
                    </li>
                    <li>
                      <t><strong>No Group Lifecycle Management:</strong> There is no standard way to terminate a group's authority atomically, nor an enforced rule that a member's effective permissions remain a subset of the group's.</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="use-case-7-automated-dnssec-ds-record-maintenance-agent">
          <name>Use Case 7: Automated DNSSEC DS Record Maintenance Agent</name>
          <ul spacing="normal">
            <li>
              <t><strong>Scenario Description:</strong> This case follows the multi-agent RRR (Registrant-Registrar-Registry) model defined in <tt>draft-ietf-dnsop-ds-automation-09</tt>. A corporate domain owner deploys chained agents to fully automate DS record updates during DNSSEC KSK rollovers, zone bootstrapping, and zone deletion, relying on CDS/CDNSKEY signals between child authoritative zones and parent registry systems.</t>
            </li>
            <li>
              <t><strong>Example:</strong> The whole workflow runs unattended under a one-time delegated permission from the domain registrant, forming a delegation chain: <strong>Registrant --&gt; Registrar Agent --&gt; Registry Agent.</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>Zone Agent:</strong> Publishes consistent CDS/CDNSKEY records on all name servers after key rollover.</t>
                </li>
                <li>
                  <t><strong>Registrar Agent:</strong> Pulls and validates CDS data, forwards DS update requests to the registry.</t>
                </li>
                <li>
                  <t><strong>Registry Agent:</strong> Applies DS records to the parent zone and sends operation notifications.</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Authorization Requirements:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t>Cryptographically verifiable multi-hop delegation chain for a full audit trail.</t>
                </li>
                <li>
                  <t>Fine-grained permission limited to a fixed set of domains, only allowing DS updating without modifying other DNS records.</t>
                </li>
                <li>
                  <t>Support task-specific revocation: revoke all DS automation permissions without affecting other agent workflows.</t>
                </li>
                <li>
                  <t>Standard audit context identifier passed across all agent hops for compliance logging.</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Gap Analysis:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>What Works (Partially):</strong> Client Credentials can assign identities to registry/registrar agents. RFC 8693 token exchange supports simple single-hop agent delegation.</t>
                </li>
                <li>
                  <t>**What's Missing (The Gap)      </t>
                  <ul spacing="normal">
                    <li>
                      <t>**Current DS automation does not use OAuth. OAuth only supports two-party delegation and lacks standard multi-hop RRR delegation syntax; proprietary JWT claims hurt interoperability.</t>
                    </li>
                    <li>
                      <t>**OAuth has no standardized task/bulk revocation. Securing DS automation via OAuth would require repetitive single-token revocation in incidents.</t>
                    </li>
                    <li>
                      <t>**No reserved OAuth JWT claim for cross-agent audit IDs, breaking consistent compliance logging for DS automation.</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="category-3-security-administrative-scenarios">
        <name>Category 3: Security &amp; Administrative Scenarios</name>
        <section anchor="use-case-8-automated-security-incident-response">
          <name>Use Case 8: Automated Security Incident Response</name>
          <ul spacing="normal">
            <li>
              <t><strong>Scenario Description:</strong> A security agent detects a security threat and must take immediate, automated action to contain it.</t>
            </li>
            <li>
              <t><strong>Example:</strong> A security system detects that an employee's laptop has been compromised by malware. An automated security agent is triggered to:
              </t>
              <ol spacing="normal" type="1"><li>
                  <t>Immediately revoke all active login sessions for that employee across all company applications (e.g., email, code repository, HR system).</t>
                </li>
                <li>
                  <t>Isolate the compromised laptop from the corporate network.</t>
                </li>
                <li>
                  <t>Temporarily suspend the user's account to prevent further unauthorized access.</t>
                </li>
              </ol>
            </li>
            <li>
              <t><strong>Authorization Requirements:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>Privileged, System-Level Authority:</strong> The security agent needs broad, pre-approved authority to perform high-impact administrative actions.</t>
                </li>
                <li>
                  <t><strong>Global Token Revocation API:</strong> The agent must be able to make a single API call to the Authorization Server to "immediately revoke all access and refresh tokens associated with user ID <tt>employee-123</tt>."</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Gap Analysis:</strong>
              </t>
              <ul spacing="normal">
                <li>
                  <t><strong>What Works (Partially):</strong> The OAuth Client Credentials grant is suitable for giving the security agent its own system-level identity and authority.</t>
                </li>
                <li>
                  <t><strong>What's Missing (The Gap):</strong>
                  </t>
                  <ul spacing="normal">
                    <li>
                      <t><strong>Critically Inadequate Revocation API:</strong> This is the most significant gap for this use case. The one-token-at-a-time revocation endpoint in <xref target="RFC7009"/> is completely insufficient for a security incident. The need to make potentially thousands of individual API calls to revoke tokens is too slow and unreliable during an active attack. The lack of a standardized bulk revocation API is a major operational and security failure point.</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="summary-of-major-gaps">
      <name>Summary of Major Gaps</name>
      <t>The use cases above highlight several fundamental gaps between the needs of AI agents and the capabilities of the standard OAuth 2.x framework:</t>
      <ol spacing="normal" type="1"><li>
          <t><strong>From 'Pre-Approval' to 'Continuous Dialogue': A Paradigm Shift.</strong> OAuth's model is to get all permissions upfront. Agents need a continuous, interactive authorization model where permissions are granted dynamically and just-in-time as a task evolves from a high-level intent.</t>
        </li>
        <li>
          <t><strong>Lack of a Standardized Interactive Channel.</strong> The framework has no built-in mechanism for an agent to "pause" and securely ask the user for an intermediate decision or to respond to a real-time authorization challenge from a resource server.</t>
        </li>
        <li>
          <t><strong>Inability to Represent Delegation Chains.</strong> Standard tokens cannot securely represent a multi-step delegation chain (<tt>User -&gt; Agent A -&gt; Agent B</tt>). This is a critical blocker for automating complex, multi-agent business processes.</t>
        </li>
        <li>
          <t><strong>Insufficient Revocation Mechanisms.</strong> The single-token revocation API is inadequate. The lack of standardized APIs for task-level and bulk (per-user or per-client) revocation is a major operational and security deficiency.</t>
        </li>
        <li>
          <t><strong>Authorization Is Modeled Per-Client, Not Per-Group.</strong> OAuth has no notion of a set of clients acting as one task group under a single grant: no group membership representation, no admission of late-selected members, and no group-level lifecycle or atomic revocation.</t>
        </li>
      </ol>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>As we design new authorization mechanisms for agents, security must be the primary concern. The autonomy of agents amplifies the risk of any vulnerability.</t>
      <ul spacing="normal">
        <li>
          <t><strong>Risk of Over-Privileging:</strong> The current lack of dynamic authorization tempts developers to request broad, long-lived permissions ("god tokens"), dramatically increasing the damage if an agent is compromised. Future solutions must make it easy to follow the Principle of Least Privilege.</t>
        </li>
        <li>
          <t><strong>Delegation Chain Vulnerabilities:</strong> Without a standard for secure delegation chains, custom implementations are prone to "Confused Deputy" attacks, where an agent is tricked into misusing its authority.</t>
        </li>
        <li>
          <t><strong>Revocation Timeliness:</strong> In a world of powerful, autonomous agents, the ability to instantly and completely revoke all permissions for a compromised user or agent is not a "nice-to-have"; it is an absolute necessity.</t>
        </li>
        <li>
          <t><strong>Non-Repudiation:</strong> For enterprise and B2B scenarios, actions taken by agents must be cryptographically auditable and non-repudiable, creating a strong digital paper trail.</t>
        </li>
        <li>
          <t><strong>Coordinator as a Single Point of Authority:</strong> In coordinated task groups, the leading agent both requests authorization on behalf of all members and assigns their tasks. If the coordinator is compromised, the blast radius covers the entire group; its authority to act as an applier for others must therefore be separately authenticated, authorized, and auditable.</t>
        </li>
      </ul>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The analysis and use cases in this document are derived from observations of emerging AI agent technologies and their application trends across various industries. Thanks are due to the OAuth community for their past and ongoing efforts in building a secure and interoperable authorization framework, upon which this work is built.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-informative-references">
      <name>Informative References</name>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
      <reference anchor="RFC7009">
        <front>
          <title>OAuth 2.0 Token Revocation</title>
          <author fullname="T. Lodderstedt" initials="T." role="editor" surname="Lodderstedt"/>
          <author fullname="S. Dronia" initials="S." surname="Dronia"/>
          <author fullname="M. Scurtescu" initials="M." surname="Scurtescu"/>
          <date month="August" year="2013"/>
          <abstract>
            <t>This document proposes an additional endpoint for OAuth authorization servers, which allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. This allows the authorization server to clean up security credentials. A revocation request will invalidate the actual token and, if applicable, other tokens based on the same authorization grant.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="7009"/>
        <seriesInfo name="DOI" value="10.17487/RFC7009"/>
      </reference>
      <reference anchor="RFC6749">
        <front>
          <title>The OAuth 2.0 Authorization Framework</title>
          <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
          <date month="October" year="2012"/>
          <abstract>
            <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6749"/>
        <seriesInfo name="DOI" value="10.17487/RFC6749"/>
      </reference>
      <reference anchor="RFC8693">
        <front>
          <title>OAuth 2.0 Token Exchange</title>
          <author fullname="M. Jones" initials="M." surname="Jones"/>
          <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
          <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
          <author fullname="J. Bradley" initials="J." surname="Bradley"/>
          <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
          <date month="January" year="2020"/>
          <abstract>
            <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8693"/>
        <seriesInfo name="DOI" value="10.17487/RFC8693"/>
      </reference>
      <reference anchor="RFC9396">
        <front>
          <title>OAuth 2.0 Rich Authorization Requests</title>
          <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
          <author fullname="J. Richer" initials="J." surname="Richer"/>
          <author fullname="B. Campbell" initials="B." surname="Campbell"/>
          <date month="May" year="2023"/>
          <abstract>
            <t>This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9396"/>
        <seriesInfo name="DOI" value="10.17487/RFC9396"/>
      </reference>
      <reference anchor="I-D.song-oauth-ai-agent-collaborate-authz">
        <front>
          <title>OAuth2.0 Extension for Multi-AI Agent Collaboration</title>
          <author fullname="Yurong Song" initials="Y." surname="Song">
            <organization>Huawei</organization>
          </author>
          <author fullname="LUN LI" initials="L." surname="Lun">
            <organization>Huawei</organization>
          </author>
          <author fullname="Yuning Jiang" initials="Y." surname="Jiang">
            <organization>Huawei Singapore</organization>
          </author>
          <author fullname="Faye Liu" initials="F." surname="Liu">
            <organization>Huawei Singapore</organization>
          </author>
          <date day="30" month="June" year="2026"/>
          <abstract>
            <t>   This method extends OAuth 2.0 by adding fields to token and message
   flows, enabling sub-agents to act as a task group.  It simplifies
   authorization for task groups, avoids repeated interactions between
   sub-agents and the authorization server, and bounds the authority
   delegated to the group and to each member while maintaining
   compatibility with existing OAuth 2.0 workflows.


            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-song-oauth-ai-agent-collaborate-authz-02"/>
      </reference>
    </references>
    <?line 312?>

<section anchor="references">
      <name>References</name>
      <dl>
        <dt><xref target="RFC6749"/></dt>
        <dd>
          <t>Hardt, J., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, <eref target="https://www.rfc-editor.org/info/rfc6749">https://www.rfc-editor.org/info/rfc6749</eref>.</t>
        </dd>
        <dt><xref target="RFC7009"/></dt>
        <dd>
          <t>Lodderstedt, T., Ed., Dronia, S., and M. Scurtescu, "OAuth 2.0 Token Revocation", RFC 7009, DOI 10.17487/RFC7009, August 2013, <eref target="https://www.rfc-editor.org/info/rfc7009">https://www.rfc-editor.org/info/rfc7009</eref>.</t>
        </dd>
        <dt><xref target="RFC8693"/></dt>
        <dd>
          <t>Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J., and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693, DOI 10.17487/RFC8693, January 2020, <eref target="https://www.rfc-editor.org/info/rfc8693">https://www.rfc-editor.org/info/rfc8693</eref>.</t>
        </dd>
        <dt><xref target="RFC9396"/></dt>
        <dd>
          <t>Lodderstedt, T., Richer, J., and B. Campbell, "OAuth 2.0 Rich Authorization Requests", RFC 9396, DOI 10.17487/RFC9396, May 2023, <eref target="https://www.rfc-editor.org/info/rfc9396">https://www.rfc-editor.org/info/rfc9396</eref>.</t>
        </dd>
        <dt><xref target="I-D.song-oauth-ai-agent-collaborate-authz"/></dt>
        <dd>
          <t>Song, Y., Li, L., Jiang, Y., and F. Liu, "OAuth2.0 Extension for Multi-AI Agent Collaboration", Work in Progress, Internet-Draft, draft-song-oauth-ai-agent-collaborate-authz-01, 28 February 2026, <eref target="https://datatracker.ietf.org/doc/html/draft-song-oauth-ai-agent-collaborate-authz-01">https://datatracker.ietf.org/doc/html/draft-song-oauth-ai-agent-collaborate-authz-01</eref>.</t>
        </dd>
      </dl>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA61963IbR7Lmf0XoHWoxESOSAUAXe6wxZ8/sUKRk02PJCpFz
HLMOh1joLgBtNrp7+0IIfqp9hn2yzS8zq7q6AcqSPSfOOaZwqa7KysuXV8xm
s4cPmtYW6Xubl4U7NW3duYcPsqrmP5v22ZMnXz959vBBYttT07QpfbxbbLKm
ycqi3VX0jcuX168ePrC1s6fmyiVdnbW7hw+2q1Pzw1nXrs2PZX2bFSvzTV12
1cMHDx+kZVLYDX0zre2ynSVrV8xKSx+d2ZUr2hn+/HXWNW6W2MY1sydP8K02
a3P6zhk+YrBwWWe/2pa2Yeijhj9q6CBmZSv6r813TdbQvhaL2t2d3veNhw9y
W9BWXfHwwe329OEDY2ayb/mTH6d/Xup/6zZbZklmc3NZtC7PM/pM4vTN+DHy
0oXL3Sr69zt3VybRv7+h/Z6F/dKOeQnayswImV67LAcBz9eOv1LWtOHzdVZY
87pcZDk/OiGqn5oXLvuOPsovlF3R1jv9JF5xG5vlpwb03siS/0jw3oYXmSfl
pn/md5n9Tz7vl8x+9FnFLd2C+bct++e9eXN5/nkP2tnyl9t/JEWRJfOk6Nf/
d1eAfHjMKvr4L/j3jt979o/1rLJ1W7i6kb0Z+h8Sg2JZ1hu6qzvHrPHu1fmz
p0+/9n//9enzL/3fz0lO/N9fPf+y/8xXX3/h//76i6+/4r8vZxfzpixWnu0z
5fykzHO7KGvbOpGCUzAEnWQ2M3bRtLVNWvz7ep01hsSo20AYqrq8y1Jwv2l2
Teuw4SSIgCmXpl07Yni3cfUKlJCHLYj/014S5uaypb9atwL/0mr0pY3JirY0
ada0WZG0pklcYeusbKYmdS1RkT+V1aapXAKhMHYgZrX7P11WO+ySvgLhrFwN
kmKvROeqdsQcDZF3ILW0QZsVTYvFjfvAT1+pNnk2f2KWNd3rltSK+Ump/TMv
nrUNVt3Qk92HFguXBZ3rmlYJSxOhCsgvHXDZFanF3kiSSaMR2YhVaZ946qqk
F5lyMaXpbyIHMUqWdDmRSglLe6cH587W+W6q18F0NssSz2Ba0LHpiW1XO8Nb
p5cKt402arYZPa3gxx/QnPzkNK1dw0QfUbpwLvVXTf/40Bq6Y1fLm/SyzeTW
m7nnp02WphDlhw/+BD1Wl2mXiFICf7mI3EPV+eoA8de2MQtHpGeKEG+YJXFq
adiy2Drlw6eiB4nnhlsv5cjEaa4uXAs+bEzTJQlOShSvyxJfIspYsyV1O0vd
MivolU1JS5rt2hFJLfFaU3Z14ky5pYObVW3ptPQ60bROWbp3dEcZrjHPNhnv
Q55BGxUu9kvIVZQdMfya2J1uQN5PasfcY3PmKtqbbKGqsw19Lt8Z2zTEKXgs
yVU9I/5u6AtTORyRBJy+zMtt2DVRCMLauBa3RNKhprUxR01SVq45BglsBaaC
tFbLmuwuX+K35dbduVr4laxY2iS2ckwxW2Up7YYMTX6H7eM4wjTpHQhAj2rK
ag3BSvhGzi5naU2bK8yELV4zYbEh3ia7boqSKJFtqtwpBem2iTh0jWVRbsqO
GI9UgNtks+glEKrNWI/Y1ss9C33uPkzNpsvbbEbaihjbNrcN2GDh1jZfMrsy
/bCspYcTrVSz8a7oJogywtskpQndEZHW1XwcYpkiybvUseo8ITV+cnIROO9M
9rc7PTkR0060Jb3G9FGuJDbpOZWovaHN0AUXSVbRw478vmQ/x4aupRYhTh2r
t6xMIWTy5HM5rrmmIxIQwOnLJsPGeQeFCCXJ4mpN2s7egiXW9I9ZTlebGyjB
WsTSHLn5aj41k4qu2mx2dAMNSQHYt86qyTErwFSfQFzQiuouiB1rXAfpcGJf
UlmWlwOZPHfwVeBygwjRGe9gCv0xzppdkayJ87DSn833MF3vuoLN6g/+Khoc
6ZrvcmN3pu5E55Ec1bAXdkf/n/6dFSy/JIBQluWSKBfELSVjkZC4EJbMZ21G
6qTpaPm7rGENissAF4frCBu82JGpJzn6s3kJIweavoFG5C2xEcE1x+Klpinl
vYLBF87cFqQ7jBW7Q5JZt8KLYFDmeLagRELVwPwc3IcAT/eB0G9LHA87BM4e
8oFePO3xfE3mjWgXcSF24dmODr2YiVDQDQr7i/KegqIbMS0JFuH9eb6d70OD
tKTt4HSkP5gvYHKaMu+EB+g66I22JNwB+0/c5mw65f1XXS2MhE2cyjkuWPHy
2W/dDpxU1nL0pCQEXLUNa+kIXQw1fYAPc78e8WS2YD0oCjApSd30cJ5VB5GV
hChb7tS2bXH0PHfFyvmFzssC1ovWGcAIsJ+zyTqsOPXmf8dakXUwFiWnpQa5
DkEMDywiQ72kx5NpKOtWn3/VbWAAfu1p06gjBMo09FAVEb6iFzsPFnoooUZG
wcR0hDtstmFeUKQHepHSgz0gYarZymIBNf/0qUVO2K2pbOJ4/6QYNwJYlrQk
LsZDkBR6pqzwbbZRrFjp2xGTgIr3oIp7TPpcUMU1xK0o83K1wwuXBfCLyICY
XEMPpIN5e068EyDFmAKdsAMOkJP9ZHLhy6LlT/4FrXz0zuuvHwABjkm8Hj44
hZZlW0RUtxWfjXbO8IAFKWAAy7JA+oe24jUhhEI4hKwuzj+GhGJ92ShkskEi
IEF7Yq4ykKeJbAsepDIyB98KGlZ6qGZU6k6G55kMCDSXgw+x2RXrbXN0duUP
D+Un2lyECRsBNRLeFp7JpGMmJ+yCrXqC3BK7+42J103eOozfohX1Fb7+qBnd
/8cOduAQ4Zx+/+8O7X9dNl5MDtwUyUx0vThEJfdb8GeqUkREhGj0XTYGriEh
h01dDUnwuYfp3X3R854L6Rj0kCJxkeDgQ+5ONLtoo7Jwold7AEvWQLUj1NCI
k9g6zM0raLoPFmDjVG509ncfKun/fKFbRNiiaMPGIsCRskaugtegflAtJpA5
KPD7lvfXG0LsJ2F8lzXrAFcWZXlrNlBZy1xQTmm+tVubZaxYWKlsnbudHOvm
rssy72nm/cqzt5eGHahC0JAws8dPCf2VQCnjehVp4s0BcrLmpiGtm6zfy06a
G6yqrxfpew4L3IRHHKsWo+uvmc3NeQgxjUM2bHRJ5cuFfqhy+gog13Lpatmf
uNWOXbRg34a+ImwoIzS9yGC+xHNmq6Z+uXic6ivuOcgfeuulnDG0gVt5BEz5
FmQE9WCEk3Xm4GQwGg6rtnQffGrC7KAE+QFk+OjuAd/4+/CDAKuKlZDsT0Qp
Pu/OPD01b1kfEhf9GYIE96g2Vx4IyOf/FMg7+MJFtsrgm5/R2rBxbY/o/QIK
IaqAqIU1V+TKNAMoPTWFJd+bVkO8ryO24UgBCBvcv7NL+G/yKI0a+H8SRm7a
CF6zDfALMNAOIJqBn9HX2ekTgt5hv13D2iyDj0lfWnb5MgPbroMOmveHfKkC
jXPl9BWDYGNjAAfjrU7NyeRbl1eQMnYOyJBlSUFCI5abdnqFsxMCn09ORueS
uAEjPIS8ns4Nwn7JrTyRFDuJlYMPz4vZOxIRu8hy6J8jhdCNufEfmhNwT28g
OVjsWVgM59s6y0iW1nHEhy0v6DcWL6YfHK71Ba11uRwsROdalSWxZdOtCAri
LLZe7Ay5+oScowU3JCxzEf2w3pe03hmbMyFtsi5Llm7++tSw2gqEJPNBbL7s
nYZodX7cHJ8Pi/+FFn+VEQtDRAjziJjeqZLco+whQm5Jxbub44gbhpb+XRRZ
Y22J58oHRbvP2nL2Nvg75pqsSZNbLydsVtmDFc5u9W0BsAMPFIuZo8mAs8jd
ZKYHbvdazavqqfmFVpxlhThwvc8VrOx8vFuNjEzNaw4KXCEoAF0hRko4lvW8
51YzIb1ALplNbifeKrPgL9nBBDJ0aYbjkMhmGk9Rg3QdsVBOt0ZcRJzW/g9z
KdE6Wqx2TrlIWGpuflxnpEJhnNPS7MqOFLcj3f6/yGqNwmMDtMzhjSPwBinH
Y7gMXZ7SMoT8SeGyhQd2Zj70ZwBnrEtikQGZ4FfPvucr6fMHvWbQlaHFgYAQ
erM7KIZzS4hDFIzyMi4S6G1KugBaam3v6FukhIbecc6wnmkL2+btMOMAhCXY
ANDn7ggkkQx6D96SyUvYbojfqm5suEGJdCycN9PeaMgpY7s64uofYWkQEKWb
fAu3CdJ17NlDTN/wJs7LVINtauDY8aETrVyrEccMywyjbnl26/YVGhF9SQK6
NtcCi7HirUPsyp/sETS78LnNiZnn483TB16LlTRH2DKd9Ticsf/oqygoTee0
abba4IscncZx5agICtKnJ8SHswH2ntBHOCrJ8fxAfZYOSKxEEvvII4E1iQdy
tNEcjY4+Henj6VCdTo1rk/kx8w/dD6IAPn6ycKuMGU0TCwXCEL2/yp85EfVy
ckC/cDhLojq4aRGWwVVpFIY5siOEnqc+KqueGAcTCCnNxzR+U5orjUyTz56a
SAeZV8QwylU1Rz+KKIwttN+4ZG0LuhKxiUWPfyeVJUJPNGQ0NQKaI91kg0IS
UAdnjJEZ41n/HpZSZUnfKNx22gtgTwE9LLnX9DLgiAQxiFa5W/J2QrAV0R/S
060lSEYckGeiP2a53cGQ4lPMcj5GMSTX5aZi6tBFjJSP0INlInrHHP2kCbGf
j1VDsB9DvMC6iT5Ney894GRaqbmpwyLiWEebNVtWcTABOBshL4A46w9JL1SV
D4L42Jn34A5e5tbuVFGaiewSNrreIQmzijXgo5HmfDSf7OHWZ6fmaoOA4bdI
gvyZA80b6/MpvwVa6Y0W2HSNL6+7hVeWfMYmQMfL8hoBG0aPEl8jskAD+AhK
3eWOo3p9AFXcy8Oo8kW5QOCN3N6KCDn5htCUeV3WOOPE1KTOaVHYPrpdcJrN
LflVq5Lt/RJy/tycvcYeLLtwKUwO44fhMbI+PMAEjbDmFUkbMSyBwJAHWri0
LsuNER/NHMmBT82NvvGe37hRd5+hKN6s8Sri4QP4eaWqHgpsU0Ll4UKfP/l/
//dVtHL/7nhZos57Akkc4u5qN4CjVxwgFkVDVs/Rdd0ieBGWlZff88vjhcvi
Pb37+wAeHCTS2iBtH2xgRmIgYYFTNHru2q6axuYXYC9CCd5ZltCjTw2kFrks
b9KJSx41gqrASxLfiwwWMcnsm9oyA17w2eHqhcOaHoU2QzQXgZaYPTjWVpcC
WuKL9fHNPU5AaJ6sy1Q8ZuHvKVbqirxU9+OGE2fv07Ksbwb7R+w401QSff0l
zji7kGTY4Er85mMbNEJ0XcOE3UJigsZO/AMaTqZtiCUVi97gkv7r+dnrG3P2
5sLckAD9lwpS4DTZ5IuO4O5Q97JYigSzV0hSRpuBf8/oE0DZ+qydqjrVcmOw
x4Ypz4Nq4TyLrKdyLPkxr8GFTf4obBshKpCGs7tNx7lZbKrqGb0PmM3NlUAV
RXVe9/Ee4bkwVOhIV7GTqpRWoRxwzulIafxOxDbh/ZiXCPuAoBO27P9qvLDT
WRH6FmrKLgkG1Zqv90TnLIoXmkxiQ5w89iFPibnJRXjQBgFtkPmNEFwE8ugK
u0KMCPhyHkHlRNwrg6QgEnBW0kSpa7JVoeQX5A88+JsI6m1JZnpnXiJQmrDS
6uGBBjJPECs6Gcbs0jIIL953xQlE8IRRosamgvCcyPYF7tAhnTwrFiIUu3Qt
0i0hSIzUFtPWa76E/ltuZosuyzVF2mtHdd3kSh4143zolICV9VHkrODMjnAn
HlAQnhqmUH4LV42JeEDIA5Ayms5iEWaYUyiUgh0mvElEuAfnIHQKbBpJvwb3
sSCzFamRCU5/4DOcFfBBsl4jSB3AfBIANwExEjjGiDYlty5DtRIjak5A+XQY
wXFW04lirMxyRLwYQNSzq1kc+G3me3DrC18ISHyrGYhXHW36bV1+YFV3JiH8
ay7+eMvFHwgsN58cQgwmqRkgfGD1YU2JxvMUvmS1VjHMQ+qC3iSd7Is1IGkD
KVt3JKF9gQjQFHvlfInMpjMkVbekIDndLxlfgEuEDjQtHDFmVbZSo4KgLLYL
RSrieZeVeZSH3MODSFjUdLHx4XG9lY/IQiPB74sCiAPKsMLoFn0OQbNdiU0d
0vOVpaUIXrQW8HXeY4EpGxWEwRu/ial4kEi1bcmMy/lizcmLqfUijdgqRoOI
ZG4ri/tHhVtKHXI/jeg2jnMta8nLcD47uyMmJQbN7QppfGzHRhS9uCivSN5a
S6CilINAg1o4HurQOYTHpRgI2CMc5xFn1lC6OEUtRt1JempR+socDSKwO4uV
+u9xUQLz89wXJn42ZmRpmXFm6MKnJbKgZiTPdoirx4CRRXZBh5OawFWHXM/C
tVtYkZBGI58Mh5NyDvowI4rAXJyR009uiDPMYif+BSdF93d95XUBWxmyjSGC
qZv0aEdhDpzGXZR9qfRrHgyQZspQL2RQZynFYA1qTvR10ZhC8GMzMBAeEpNm
V35lpcgSrLG7AgWjuU8hMsAYBjwHxUiaymOzjohnCxzd9jh5cL0rxqSDDUUQ
mk16qzi8zxlGYcVlNwJ+PiQKU+wFG2EXFThvmyXv067pU0+fPPFyVzmp7Zkc
fwYSPKoCBuQSBD6p4gSLxL4vncMxQz1MnKPXEr6jQINj1bQMwmh5SwCbvo8z
8dUSjkDsFnYkIpzPGAaJGprm+2Hrf2KvN7zZm9+928+GqBHSULt56ctg698I
diW5zTZsQ8JmtSoHkZkM0g1jZskFmbBS9YGrTB0J6P+hvSLU8G5Uacbw34et
Vh0oGAIcAFZhU/5ZHKaFOpvJeSC7xYpjH13RNR2JIMnCkiNmpLBdfSiuVXgX
lR5K8J1Law9IYXi4v7c+AEiHXGQFMMtRlOhAZkpj+0hxl7j3Pgbq9EnwVRXD
Fh1gUNqLcKsnHGgoNjd3Zd5tkMmtpJwOwG9WLmdIonkV5sOjlVaw7ZcLSzSV
VnWEVMZ0Qb0Dx8ovXNURdd5lzS17nKr9uHip169ZFK/zGlkLlWp/ZmQukUBj
i6tH8OaW88cWzIQY15FaSa6GRHHlsREDT2CAzgp6QCvhHdRPrVagJcNMKanR
+tCCkxMJag+ZsaXOkO55ESICqhX983ASsm6oojN7ePPLfbw5hppaB0mSeCWJ
Nc/jn4I5PcKstaiSY2q6QXFH+iqG3FZtWXENKiKO1ZpcgeM+NRZCOhr7J1nV
/GKkm4gIAue03pmZbZnl8DujmKuwmCYKyaDgeI0QaA88XhCUt5JwQOKHMO4t
tqnw7mRyTlxTINK42QULA/SWp1p/tETajd4nZHErtWucri6RcoNmieNYctpI
5Bia2FSrYHOUUfBxfFH9zWO4Lo9TbPJxePzN3PRV1CXM6GTt8ooM5XSyl7Qi
tUMbqfnORQSEMLMtHM7ESvOA6O+Q0aWt3EHzTf2HJc4dWeGYnJ8M5wZBt6BM
hRPvC7KFdKNwAYuIgongbQnNuJpbLpsprZ6KFsIGRtRwkFzh8ZS9+EiwRKDE
ZRQkiIoQLuJB+aQw1QDXRqlOjqmk49jh2/3QW3Qwn3pNu6jvYZS6PJokzIdj
DtSMk1oqzTlpdpOYkhaTPMNe+JM73hxpA9JlpKOceYmISUDWl6F+eI8lYiZg
3q4juC0eMzlB3EcQ6v+HqadB7ZW3uy3aduIU/BRWZC12uwgapg+XVX7rjdgf
zuzGXPm7wnuvS6Jq4Qv16YFy4Y3km8VThmMTyTCnLQMqpTMbxLYW5Qf2rmjj
44ICIsqmapvj3wuLzgjxZvAHuTDoniRrXwks9Wot/tby5vvqX2Hts1FErc9Z
sfLlpBx4XzXCD1cDpdBDMnuwTyn4XJzd2JZKvD1b/j27qmDCAABf1Fm6cvfC
vhA1k0h84ZK+0O5Rc6g2RGwrPGvk86WQl9Miedmlx0brRISdEaudrVRxCQqh
3Yk5GpLA54PE/O0d7AdS2jMvdexJ71CfbrucQ48XnfPKLQ8kCGdcMAmmvvoZ
AFQOAYtYSykjwa1iJb0TuHFbozjkdOCry7a5JqzQRBeXRuS5j0cvavajokD2
Af9rIJJjf008SAaL8P5s3+XnwdaxJoJVQTmkInaVbXzFtHZLSGEsKb+m7UVe
ws6of9EU7aqArsS1hJBdTfa4B0V9bd+zU/MSUStarEHK54VvSHkrjP2RKr+/
nBrfGbP3rc/LnEo9CqBuw9Uda7qm1Tpuj2D9T/Dy1yhcxgWRfQUKB1O5VofZ
JLc1XXzfYKOCek9lXuze0O2TKkFEU9wm/WaU8NSYBu386LIAxNVcSOK0ZFG+
qH1HEqwO9dmjPBkDHhY0/RjxjET6WAFFLCCLqjxwZVIca3kW7euFOfpvVzMP
cBHsYHf9Urw/PYnXdsPNKcpA10SN0KGPxDH8vMMjdire0keqbgpYNWUgf9lK
dUR0DP5aBj/Jn0e2cB5lZf1Bzs3RWfpLl957kNFi0YleHD4RGposS4PhLTUb
H/r3+RZucix2PZ3mbP/VeKOvJmoJwIeWKBL0ZcrhOBdRjaI/zgXs6w5P3D9J
QAd7Jzk/cJITAL8TzqBIvxLXPPLSnkMiflrY4ja4SAFz+AfaDV7/PTlsYTKO
Kh4omGf8qsThg/jDewod++qZcY5Ggi3YNW3+7O3l8V4EM6l35D+R6anWCvMi
blTMOnSWK4JPp+bm3AvjwdL6/s/z/s+LYar5bayJv2dN3ONGAlIvoZZQ/Rga
w2hdxbkMm8hO+6sKfQASd/ZcMvr0oMN1X0946ZvvJbY91SSgkO8G0UWEf7BV
Vpne2OPqhsFbEr6WqX4uzTOhGU+IrMoxPKrNVHOoY0EHCyvcMGu/z9Ib8Wil
3L6Dv+5VP+ZXrAZb+UP4tW8Fk/Kmlx+AvOmeftKm/p+Bf7hrWsXwhuT4BvEL
8nOORRa9Oxh16KNXOOO8GGqP1uVWDsR9H6FaRisoBx2xvtWjT7j1zeUkJ8gU
cYqEAxx/IFD4RrJ2V12FOn+WeRbLRgzuKDwoKcjaabK6rzmYApVqMiHqdjka
NacMImMFP5odL12PlosahcWmH92ENfD/WPLOUaP54zrLXXQVkTrsLw3+fXC3
RtBX2lW3uJlCXalGNXkjqsNxiFdtBzjTNzKvS91efEEb+wvc5oGXcage0YP0
QTZYhca8tXxt9+J1smG5dMcXgzvBfm1di16L5CfIjcdKmipniIMCHo+Ieyws
esMTghvxv/vx2jP32tabJu4e5Jjqfs72K4C+kk5XMFbilugwE+Y3K+T8N8P8
ir4bo+ljZSH4jMR+0y0kCMY2mpTEZpHzh1c8T2GEDdF0K/gwto3wpufmXwUH
yASvBF4WdqT/7XGtb+Ni9ei3WbOlHjZvRb3M5N/AyZBPg4+QDisr1PHUWpJI
fv9mEffZIUPH3rQCRQ3FqEPFDXrAA1JWyA6BFqopFYktf/rkISQ/z7WHGiTh
uEqNmB3o5yl8JM1t0J9TzhSQC5Rz8HCTfXDpsbhGqavQJl/0bZSj/mBudifu
vAdqa2aer5SoY/M2zkQvB3WP/u2UvUf6rk+Ra6CVmDv3AGrANVL+7092akAO
lwzKcOAGy/JAtVypk2b3fQRlhZ1OP/Hds9iGbuwSnlbOOWnb82DfuqwbUZ8F
0bhh12qf5hx375MpQqOD1KJw7kDb3fx2QXFfn0BC0ZGFytEURtoXverk45FS
verFAj3qqAwBLOAt9wMptLM/EbDHLJd2PDmj5xrbDFszaL+kOiGzd0QpVSbL
ruZYVS+7tdMY5O+BmT/Qcb6puUnqtSVk/prlKIRIY3kY40SRor1ZJSDWwDDj
xrfrkqWvRLVlHG3jSxPhDW4+FAEiX9yaEE+6GQmD4FmPc8FUA6suR9GekBGY
xPleRo8OxU9lIcVyKGDSbRClf6G7nAFsoT11JpnURSYNs9FQGj4f6hFoX1zw
Hw0eiI0Z3e2LLHSkRyTXP3vu2WTprGeQ/VoDdnIinSeFYW3c9CgqL7SfaNBk
1BRhaunsIZMy2KsM1vk+W7pkl4iS4bLK0FfgYyqNrw2LOUZjLqSBswbuXeRA
eFL1Ww8ol4NkfETbMOzriqz9o2gVzHwu2ebzfkiNEgcsdC+I5Uw2dDOxTtp5
h6uJJEAKwUSBvePk9J70cSnHTzrh6mdOV/ss5yDgF3sYqB/oex5/F1p9S/wv
PDXa0wVq1N8QorxC9SII9EZFoYmOivxh3w7vm8Wj9va+Ss73uXL1IX+Tb67x
g4ZodUwBeXNYhqPiLgEjoaKIFnoTajE1nK25FjXpnkT39zDg49iNYO24dWQ8
Zin2JohT0YrLUMwP35DZPofqFEVQJDeOQRuqEYSrEOrPmQuFYKkf64FdaQ2E
ujR+r6p07jlVgP8hjSOITa9wnVVINtU6MWmmSu7jiqxR5WH9hLCVmAVpJN8L
IyTsRktk4BBBPkHLtdpbrcNlInrT68I1glTUVx83pkATpuQrhj68A2plUPJu
7jI7cE60mKxBWJeDBgtRg7IYLbDiEAvv5f5bD+oRJpS0g6/u/VhTjWo5dpb2
dSFpT23rkntkbuRKCGlh8ZcSUK+TrsI7N2pS3LCFHlU76fP2HZDnpz64jNqG
N1dXL8/NxRViaaTT6XCcz+DorU59/C23RMLuWFqmkgiaFIdQYNy7d+8wlmTF
1bCErf2ftf9rd6wzxKIhKDcyFzNz7XKWFk1ZzdJmZkNYfPbk65s5u0R1xSjd
pCUTQgafEcjOy10j3kmIeWu3uag8JgGOXsvRuyrlkKRCNiXNP6/+SXaTzgUw
OTW/Qm4XZdli/1Vf8civc8qdq0DgWmrw4vzi6vE5LfbPl/8OdTs+bUUucR6y
Zq2EHLCS6keriFZo5HOHh92C6wDAkKdhVEVQC/KOwh8ey+VFPzTG9Im7KJ0Y
fDKlZx3uLZ67NHYATw0GmPhPmtns7ybcskY5otd28tLcG7MZfft/g4L8Mue4
uwUGaGg2VrNGMSnl0jg/BhSGGZd9GRV3AGEAkb+5ef+c0bbkYbkMdzB35AYL
F9Cz1K+hQ28tHkWvCI/0hZuqRPwV7T9m1z/lDBUlruk5LnxdL5p5SOrEuZnB
jxRDBjXkIprPcwBmhIQORnpFNfZhmz2PXuwvA0mOQKKSLMvDCV8dRjRhqiCH
MJdwe71hFX5CMQ1qLqwfYOSp6mE2ACwpA51OJf3TdOeeZmEDPjTHfZOhvKFv
nTyNG33oIb3qGKjP+1q2tdRVZSl6rNfxQhQ/ESkM1KxDJDapy6aRnmAf1BBU
I9NhWMUSklr9B5q/D4BeoE+xebo3mUJYBl59XAdB0JmYGM5qgIc1duY8Tm6E
1I1vpBJQxmzjozuhL+nTGoj2iu109NjwnsLcNlTVc1RvrsE9ZqGwrYMxVggS
kt5Nb5Z7bodFij7b7AhlffjboP3iux+vfaxvTe74odDe8AyyM21ZaOIgJlj0
8QJ9LT17znVKtEhAdGjAF1lKWn192RrBQddKzFzp76POoeOY43CSOTyIXwEn
a2SsZP1wQuFKsKsabOHtywsS1kXtLLfaRHp4n4F5hcE59obgfNHPxUZn8LA7
5v4k+V9juBIWuNRjouqrguPwKdHTkMv3TNv6gJN/A1Ev2/adUjyLMttorGYa
l/CGbCU0AEdA7xta0y+vFQt994VMb8Jgv3Ln0OSgVY0ySdYVsWeN6OXG5uiA
mQ/z7aNzZTwMc7Vy9bjP+NKfJFR1iXoSUAmvrvDjG/zAOyS5dHuxRsO+EEmK
qyR9IQdPkJrSR9I4iDY1377z40KjjPtlU4aBK/FhlRABjPQwT2uPomT3ddRt
0nQNoquHSlt56JnMn/HxNQJHfUo4FOF9fiuyjzilUy171YBU6G3oezUGVyUF
nL48BvGakFOOB5z5YlauOpKui732siTurlNTkpcLcmz2BhOcvb0cVkeOQ04b
GcGqvjf6QPxYMZD14LA9tNZl97EXR2ml4UW6XTWmQPapTDLmYa764UjC5YW5
8Sw3e/rsixuZM/AHw0Ki8e4NDnHHlmZZwfir7M7HscfS5QOGcSGrWtidr548
EBD8jIDOubYQ5tBzNiW+A98fusB+ygca9weFSxgBGtpX/dQzSWEw/scNzGw7
s+IKRFaExKcqs6L1Y/1C52VUWoUSH7QVZD5KHynRvnjlWnuwA0/FEZ9B124U
efPs1kS92qELE3PYTMMh4wIOjTZiOe+06bg7CAT3p2m37F7tGwv8yCLzk6OM
ZTxdedC9uST9hmpXppLOx5PZpzsOgvC36W4bP0Q8+mWGBSpkIMcyBrBxHEUe
FDfyVLu4sDFMNce8Mx3XrCou7pX2nv8oNz2YhMeDQqUC6xVU66O3pHTOWOnY
/BGP+UDGNSs6JOMu6KbKVeceYQhhGMNztc6WcN1k/Ud+/LdMhcdUoXFnvR/X
7af8Mktwp5Y+aDgZfBiwi8ebD+be1H3JczwhB5QZjN7iWkEOAfEgcBeyhXs1
nHyVUga2XzC6NyLnnLBx4fK5r9MJBbLjptVPGJTjucvx8PTxtJzi8DAvDsaX
fqynOFx95m9IxTAr2B9+FOnjo0vh2KAf6F0oQRjXJzU4eHCG2jAQiqek+7Pc
U8Gw52tGxQx7JUU3x3ExQWiv5gIPTyFFnYxSB5PVhdTjGkYnVv5LPW+kyiIl
+9pfW+Ov+D7YrXojC7p6qHUGOodb2pY6SlS5D9fPugjdUzM/Wh1/S9j4eIDx
P0FBIYqG8yRSf/CX+T6aoV1wwFq6C2ZiGKecLcC/OeYZZNyzNOIQoaFgEC2P
Gpe5JR9MLNFqH3SKc/OnWGwczB7Fu6dcuJX6sAKKdpGK75Nm8sWpTh2Q5ZSg
eYjVgjk4zBp7XqqxPbXOB7Op8eZZg+mgUrPOo7ZHKilwhnCfltMG8ockl5Qd
s13g0eB1MfcNrTx/nympCp2He2c+FY/ySk5Q7MxdlxfDehJBCe/0M+MS8JDV
VZfas6EqydFZ0KndNnEJeJQ6UWCKkrIZprkNU1dHk1XpJX9yPMXvGPVNI5wF
t40HUWTcUPOfLXv9N8wbzs0r+VWQfuI2k5FhQ4ZKu4YVkoSYec2P1RH2I/FH
asv8d0RObaL+MaRNBzVQosX2lBVGLEsl0GiyBZskOg+PpDCTUf/gRBFJmHEc
EwLlhbfOz1DFwAKfIo/BpN57rwuuSdHnrNnCeBWyQJjEsyRwsiWvocun8Q9U
eFblPHuv5ftJhjLFPsC8j43KGbhr4Xcq/IlgBqyZFFkChTlDdmfyN/49Bpkk
seB7BraBQo7P96YsZmR2urRvzOfpvX2RPTb54tmL+Hd4fFoRDnsBT9kXa/iU
/14QtK+q9GNLankol7NxjZtEusnFKrmLX8bwyvAGHwv1raJ9OpzhxpUou7cM
owHcYj/wsujz5xocEu2lFzMs0eHRCCHe/LFkJl2Sz+5qqRepL//TRFxGMvfD
Y38rf7/IIU3Aex3evZNE3jCv/7cDg7gTmRVRSFxArTPHU/UquOAQs2+lfAY1
Usxo8UD2dBoVauvUZ39Zqrsvz96cHdDbw199UKPFn+3dY3z9LMFvXJDtkzRe
wOn9Ly8V0U9CSZp38EMErBZq1oiMp8oFYJSqAbqL8BtTHrGTnk3W/CMAmQvo
na4lnuzX1hz21yiLn3ZHnlGH8mPH5cm20GKgtO/s8aOMNhvUUOx8fXrGkWgJ
ZhEDl1yGtFxywJROFCplfVdSP6w5jO4ZcltAuFNpBZRSJaYM4150gQPzht9W
wmBaIfg7x9VZ2gUcZsVjuvm3pG4JeHw3n5qXqZ9M+5u/ujSZcrAaq0zNxQ+X
5umT+dPnX/71+WNde2p+SNoSCfFnT54+m5r/uW7bqjl9/Hi73c7rZTIjME3c
Py/r1WP8vtljeg3f+/vc75DdXuzw+zLlcZ0O+7z2+7wgrZDZqbmaC4u+xkSu
rm5dk3R0inHhdK+1detYfn/r8upZt4Kw0M6/+LSd42v9zrmkBTv/DqnEKW2N
gJ1NLZkKWpv+cU5oY+Fysg0v/HFekLDnbicXwYNX5hiCSK5EiYa1vfP4Gho9
DR65fxp59TtbdIBAz548e/Jpx8H3+uNwNc3Bi0AdDpqW/Z5fzKOjRVv+SL2O
7h/P2N+/vPra8t4/8SrwHd37p5eW4nRXJXLJ/6ajfJ/R/9F/+af65CWc7tWc
3gm8hXO99D/GwjIvY6NJ42gDRniKMN2PLKMFOsx4WsBUvNnCYc6fXbZT/SHK
T9rx7MnTqXn2V/PKLWp/uV9FBELmFL/TRx7aHBl8JhHpz8frdpM//rwHgZr/
H+NOK4uicwAA

-->

</rfc>
