From 4a29bfc23cd7beee33190e6722443e0a61776bff Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Tue, 11 Oct 2022 16:27:28 +0200 Subject: [PATCH 01/22] Editorial Update Sec 1 Editorial Update Section 1 by fixing some formatting. --- ..._Goals_of_the_International_Data_Spaces.md | 39 +++++++++---------- ...2_Purpose_and_Structure_of_the_document.md | 35 ++++++++++------- 2 files changed, 40 insertions(+), 34 deletions(-) diff --git a/documentation/1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md b/documentation/1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md index 6b2fc28e..067a84be 100644 --- a/documentation/1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md +++ b/documentation/1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md @@ -1,4 +1,4 @@ -# Introduction {#sec:introduction} +# Introduction # **THE INTERNATIONAL DATA SPACES (IDS) IS A VIRTUAL DATA SPACE LEVERAGING EXISTING STANDARDS AND TECHNOLOGIES, AS WELL AS GOVERNANCE MODELS @@ -8,7 +8,7 @@ THEREBY PROVIDES A BASIS FOR CREATING SMART-SERVICE SCENARIOS AND FACILITATING INNOVATIVE CROSS-COMPANY BUSINESS PROCESSES, WHILE AT THE SAME TIME GUARANTEEING DATA SOVEREIGNTY FOR DATA OWNERS.** -## Goals of the International Data Spaces {#subsec:Goals_of_IDS} +## Goals of the International Data Spaces ## Data sovereignty is a central aspect of the International Data Spaces. It can be defined as a natural person's or corporate entity's capability 
@@ -21,17 +21,15 @@ ecosystems. Overall, there are three types of activities in which the work of the International Data Spaces initiative can be grouped: 1) research activities, 2) standardization activities, and 3) activities for the -development of products and solutions for the market (see Figure -[1](#fig:_Three_types_of_activities_of_the_International_Data_Spaces){reference-type="ref" -reference="fig:_Three_types_of_activities_of_the_International_Data_Spaces"}): +development of products and solutions for the market (see Figure below): -1. The research activities are based on the first Industrial Data Space +1. The research activities are based on the first Industrial Data Space research projects conducted by Fraunhofer. They are being continued on a broad scale in a large number of projects. Each of these projects makes its own contribution to the IDS-RAM, IDS implementations, IDS use cases, and other IDS documents. -2. The International Data Spaces Association (IDSA), a non-profit +2. The International Data Spaces Association (IDSA), a non-profit organization, aims at promoting the IDS-RAM in order to establish an international standard. To achieve this goal, the Association pools the requirements from various industries and provides use cases to @@ -44,7 +42,7 @@ reference="fig:_Three_types_of_activities_of_the_International_Data_Spaces"}): countries. In addition, the activities of the IDSA aim at supporting the adoption of IDS concepts and technologies in the market. -3. Actors in the market can make use of the International Data Spaces +3. Actors in the market can make use of the International Data Spaces standard for providing software services and technology to the market. These products and solutions form the operational IDS ecosystem. As each offering must comply with the International Data 
@@ -52,20 +50,19 @@ reference="fig:_Three_types_of_activities_of_the_International_Data_Spaces"}): the market requires offerings from evaluation and certification facilities. - -::: Center ![ Three types of activities of the International Data Spaces](../media/image10.png) -::: +*Figure: Three types of activities of the International Data +Spaces* The International Data Spaces aims at meeting the following strategic requirements: -- **Trust**: Trust is the basis of the International Data Spaces. Each +- **Trust**: Trust is the basis of the International Data Spaces. Each participant is evaluated and certified before being granted access to the trusted business ecosystem. -- **Security and data sovereignty**: All components of the +- **Security and data sovereignty**: All components of the International Data Spaces rely on state-of-the-art security measures. Apart from architectural specifications, security is mainly ensured by the evaluation and certification of each technical @@ -76,7 +73,7 @@ requirements: data, the data consumer must fully accept the data owner's usage policy. -- **Ecosystem of data**: The architecture of the International Data +- **Ecosystem of data**: The architecture of the International Data Spaces does not require central data storage capabilities. Instead, it pursues the idea of decentralization of data storage, which means that data physically remains with the respective data owner until it 
@@ -86,21 +83,21 @@ requirements: integrate domain-specific data vocabularies. In addition, brokers in the ecosystem provide services for real-time data search. -- **Standardized interoperability**: The International Data Spaces +- **Standardized interoperability**: The International Data Spaces Connector, being a central component of the architecture, is implemented in different variants and can be acquired from different vendors. Nevertheless, each Connector is able to communicate with any other Connector (or other technical component) in the ecosystem of the International Data Space. -- **Value adding apps:** The International Data Spaces allows to +- **Value adding apps:** The International Data Spaces allows to inject apps into the IDS Connectors in order to provide services on top of data exchange processes. This includes services for data processing, data format alignment, and data exchange protocols, for example. Furthermore, data analytics services can be provided by remote execution of algorithms. -- **Data markets**: The International Data Space enables the creation +- **Data markets**: The International Data Space enables the creation of novel, data-driven services that make use of data apps. It also fosters new business models for these services by providing clearing mechanisms and billing functions, and by creating domain-specific 
@@ -119,12 +116,12 @@ software products and service offerings.** with regard to standardization, are driven by the following guidelines:** -- **Open development process**: The International Data Spaces +- **Open development process**: The International Data Spaces Association is a non-profit organization institutionalized under the German law of associations. Every organization is invited to participate, as long as it adheres to the common principles of work. -- **Re-use of existing technologies**: Inter-organizational +- **Re-use of existing technologies**: Inter-organizational information systems, data interoperability, and information security are well-established fields of research and development, with plenty of technologies available in the market. The work of the @@ -133,9 +130,9 @@ guidelines:** from the open-source domain) and standards (e.g., semantic standards of the W3C) to the extent possible. -- **Contribution to standardization**: Aiming at establishing an +- **Contribution to standardization**: Aiming at establishing an international standard itself, the International Data Spaces initiative supports the idea of standardized architecture stacks. -- **Open Standard**: The IDS-RAM and the specifications associated +- **Open Standard**: The IDS-RAM and the specifications associated with it are publicly available and open for being used. diff --git a/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md b/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md index 4b1c3b68..ad78e0ff 100644 --- a/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md +++ b/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md 
@@ -1,7 +1,7 @@ -## Purpose and Structure of the Reference Architecture Model {#subsec:purpose_of_ram} +## Purpose and Structure of the Reference Architecture ## Focusing on the generalization of concepts, functionality, and overall -processes involved in the creation of a secure ''$network of trusted +processes involved in the creation of a secure 'network of trusted data' , the IDS-RAM resides at a higher abstraction level than common architecture models of concrete software solutions do. The document provides an overview supplemented by dedicated architecture 
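Review bot: the quote fix on `+processes involved in the creation of a secure 'network of trusted` leaves a stray space before the comma on the next, unchanged line, `data' , the IDS-RAM resides at a higher abstraction level`; since this line pair is already being edited, make it `data', the IDS-RAM resides` in the same hunk so the closing quote and comma are not separated.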
@@ -14,28 +14,37 @@ a five-layer structure expressing various stakeholders' concerns and viewpoints at different levels of granularity. The general structure of the Reference Architecture Model is illustrated -in Figure [2] -[2]. The model is made up of five layers: The *Business Layer* specifies and +in the figure below. The model is made up of five layers: + +The *Business Layer* specifies and categorizes the different roles which the participants of the International Data Spaces can assume, and it specifies the main -activities and interactions connected with each of these roles. The -*Functional Layer* defines the functional requirements of the +activities and interactions connected with each of these roles. + +The *Functional Layer* defines the functional requirements of the International Data Spaces, plus the concrete features to be derived from -these. The *Process Layer* specifies the interactions taking place +these. + +The *Process Layer* specifies the interactions taking place between the different components of the International Data Spaces; using the BPMN notation, it provides a dynamic view of the Reference -Architecture Model. The *Information Layer* defines a conceptual model +Architecture Model. + +The *Information Layer* defines a conceptual model which makes use of linked-data principles for describing both the static and the dynamic aspects of the International Data Space's constituents. + The *System Layer* is concerned with the decomposition of the logical software components, considering aspects such as integration, configuration, deployment, and extensibility of these components. In addition, the Reference Architecture Model comprises three -perspectives that need to be implemented across all five layers: -*Security*, *Certification*, and *Governance*. - +*perspectives* that need to be implemented across all five layers: +- *Security*, +- *Certification*, and +- *Governance*. 
![ General structure of Reference Architecture -Model](../media/image11.png){#fig:_General_structure_of_Reference_Architecture_Model -} +Model](../media/image11.png) +*Figure: General structure of the IDS Reference Architecture +Model* From 0d65e538247c79300f96b7594659dd951ee1acc8 Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Tue, 11 Oct 2022 16:36:01 +0200 Subject: [PATCH 02/22] Editorial Update sec 1 Adding formatings and updating the Readme of sec 1 --- .../1_2_Purpose_and_Structure_of_the_document.md | 11 ++++++----- documentation/1_Introduction/README.md | 14 ++++++++++++++ 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md b/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md index ad78e0ff..70d5b8de 100644 --- a/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md +++ b/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md 
@@ -14,21 +14,21 @@ a five-layer structure expressing various stakeholders' concerns and viewpoints at different levels of granularity. The general structure of the Reference Architecture Model is illustrated -in the figure below. The model is made up of five layers: +in the figure below. The model is made up of five layers: The *Business Layer* specifies and categorizes the different roles which the participants of the International Data Spaces can assume, and it specifies the main -activities and interactions connected with each of these roles. +activities and interactions connected with each of these roles. The *Functional Layer* defines the functional requirements of the International Data Spaces, plus the concrete features to be derived from -these. +these. The *Process Layer* specifies the interactions taking place between the different components of the International Data Spaces; using the BPMN notation, it provides a dynamic view of the Reference -Architecture Model. +Architecture Model. The *Information Layer* defines a conceptual model which makes use of linked-data principles for describing both the static @@ -40,8 +40,9 @@ configuration, deployment, and extensibility of these components. In addition, the Reference Architecture Model comprises three *perspectives* that need to be implemented across all five layers: + - *Security*, -- *Certification*, and +- *Certification*, and - *Governance*. ![ General structure of Reference Architecture diff --git a/documentation/1_Introduction/README.md b/documentation/1_Introduction/README.md index e69de29b..07988fc3 100644 --- a/documentation/1_Introduction/README.md +++ b/documentation/1_Introduction/README.md 
@@ -0,0 +1,14 @@ +# Introduction # + +## Table of Content ## + +[1. Introduction](.\1_1_Goals_of_the_International_Data_Spaces.md) + +[1.1 Goals of the International Data Spaces](.\1_1_Goals_of_the_International_Data_Spaces.md) + +[1.2 Purpose and Structure of the Reference Architecture](.\1_2_Purpose_and_Structure_of_the_document.md) + +## Files ## + +- [1_1_Goals_of_the_International_Data_Spaces.md](.\1_1_Goals_of_the_International_Data_Spaces.md) +- [1_2_Purpose_and_Structure_of_the_document.md](.\1_2_Purpose_and_Structure_of_the_document.md) From 9e0e3489c460541045eda27a52da405a7cb3c82c Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Tue, 11 Oct 2022 16:43:19 +0200 Subject: [PATCH 03/22] Update README.md Update links --- documentation/1_Introduction/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/1_Introduction/README.md b/documentation/1_Introduction/README.md index 07988fc3..30290de8 100644 --- a/documentation/1_Introduction/README.md +++ b/documentation/1_Introduction/README.md @@ -2,11 +2,11 @@ ## Table of Content ## -[1. Introduction](.\1_1_Goals_of_the_International_Data_Spaces.md) +[1. Introduction](.\1_1_Goals_of_the_International_Data_Spaces.md#introduction) -[1.1 Goals of the International Data Spaces](.\1_1_Goals_of_the_International_Data_Spaces.md) +[1.1 Goals of the International Data Spaces](.\1_1_Goals_of_the_International_Data_Spaces.md#goals-of-the-international-data-spaces) -[1.2 Purpose and Structure of the Reference Architecture](.\1_2_Purpose_and_Structure_of_the_document.md) +[1.2 Purpose and Structure of the Reference Architecture](.\1_2_Purpose_and_Structure_of_the_document.md#purpose-and-structure-of-the-reference-architecture) ## Files ## From 46c79296128c1b5d987a68942119f3dea4e4d5e1 Mon Sep 17 00:00:00 2001 
From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Tue, 11 Oct 2022 17:37:20 +0200 Subject: [PATCH 04/22] Editorial Update Section 2 Fixing links and formatting for section 2 --- ...2_10_General_Data_Protection_Regulation.md | 6 +- ...S_to_Industry_4_0_and_the_Data_Economy.md} | 61 +++++++--------- .../2_12_Privacy_Preserving_Technologies.md | 0 ...=> 2_12_Privacy_in_the_Connected_World.md} | 70 +++++++++---------- ...=> 2_1_Data-Driven-Business_Ecosystems.md} | 18 ++--- ..._2_Data_Sovereignty_as_a_key_capability.md | 18 +++-- .../2_3_Data_as_an_economic_good.md | 6 +- .../2_4_Data_Exchange_and_Data_Sharing.md | 26 +++---- .../2_5_Industrial_Cloud_Platforms.md | 2 +- ..._6_Big_Data_and_Artificial_Intelligence.md | 2 +- ...s_and_the_Industrial_Internet_of_Things.md | 2 +- .../2_8_Blockchain.md | 20 +++--- ...frameworks_for_data_sharing_agreements.md} | 7 +- .../README.md | 48 +++++++++++++ 14 files changed, 162 insertions(+), 124 deletions(-) rename documentation/2_Context_of_the_International_Data_Spaces/{2_11_Contribution of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md => 2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md} (64%) delete mode 100644 documentation/2_Context_of_the_International_Data_Spaces/2_12_Privacy_Preserving_Technologies.md rename documentation/2_Context_of_the_International_Data_Spaces/{2_x_Privacy_in_the_Connected_World.md => 2_12_Privacy_in_the_Connected_World.md} (75%) rename documentation/2_Context_of_the_International_Data_Spaces/{2_1_Data_in_the_Smart_Service_Welt.md => 2_1_Data-Driven-Business_Ecosystems.md} (67%) rename documentation/2_Context_of_the_International_Data_Spaces/{2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements .md => 2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements.md} (90%) 
diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_10_General_Data_Protection_Regulation.md b/documentation/2_Context_of_the_International_Data_Spaces/2_10_General_Data_Protection_Regulation.md index a74c8c1c..2fc57790 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_10_General_Data_Protection_Regulation.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_10_General_Data_Protection_Regulation.md @@ -1,4 +1,4 @@ -## General Data Protection Regulation {#subsec:gdpr} +## General Data Protection Regulation ## Compliance of an organization with the European Union's General Data Protection Regulation (GDPR) can only be ensured by the implementation @@ -24,5 +24,5 @@ technical measures and offer advice regarding the implementation of organizational measures. As a result, the IDS participant is enabled to implement appropriate measures for GDPR-compliant processing and transfer of personal data within the scope of the IDS technology and -related features (see also: GDPR-related Requirements and -Recommendations for the IDS Reference Architecture Model [^3]). +related features (see also: [GDPR-related Requirements and +Recommendations for the IDS Reference Architecture Model](https://internationaldataspaces.org/download/16445/) ). diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md b/documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md similarity index 64% rename from documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md rename to documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md index 26f3fffc..b2ceff12 100644 
--- a/documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md @@ -1,4 +1,4 @@ -## Contribution of the International Data Spaces to Industry 4.0 and the Data Economy {#subsec:contribution_to_industry40} +## Contribution of the International Data Spaces to Industry 4.0 and the Data Economy ## By proposing an architecture for secure data exchange and trusted data sharing, the International Data Spaces contributes to the design of @@ -6,9 +6,8 @@ enterprise architectures in commercial and industrial digitization scenarios. It does so by bridging the gaps between research, industrial stakeholders, political stakeholders, and standards bodies. The architecture is designed with the objective to overcome the differences -between top-down approaches and bottom-up approaches. Figure -[5](#fig:5_Typical_enterprise_architecture_stack){reference-type="ref" -reference="fig:5_Typical_enterprise_architecture_stack"} shows a typical +between top-down approaches and bottom-up approaches. The figure +below shows a typical architecture stack of the digital industrial enterprise. The International Data Spaces connects the lower-level architectures for communication and basic data services with more abstract architectures 
@@ -16,30 +15,26 @@ for smart data services. It therefore supports the establishment of secure data supply chains from data source to data use, while at the same time making sure data sovereignty is guaranteed for data owners. - ![ Typical enterprise architecture -stack](../media/image16.png){#fig:5_Typical_enterprise_architecture_stack -} - +stack](../media/image16.png) +*Figure: Typical enterprise architecture +stack* In broadening the perspective from an individual use case scenario to a platform landscape view, the International Data Spaces positions itself as an architecture that links different cloud platforms through policies and mechanisms for secure data exchange and trusted data sharing (or, in -other words, through the principle of data sovereignty).  +other words, through the principle of data sovereignty). Over the IDS Connector, the International Data Space's central component, industrial data clouds, as well as individual enterprise clouds, on-premises applications and individual, connected devices can -be connected to the International Data Spaces (see Figure -[6](#fig:6_International_Data_Spaces_connecting_different_cloud_platforms){reference-type="ref" -reference="fig:6_International_Data_Spaces_connecting_different_cloud_platforms"}). - +be connected to the International Data Spaces. ![ International Data Spaces connecting different cloud -platforms](../media/image17.png){#fig:6_International_Data_Spaces_connecting_different_cloud_platforms -} - +platforms](../media/image17.png) +*Figure: International Data Spaces connecting different cloud +platforms* With this integrating ambition, the International Data Spaces initiative positions itself in the context of cognate initiatives on both national 
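Review bot: the blank lines that separated the captions from the following text are deleted, so `+*Figure: Typical enterprise architecture stack*` now runs directly into `In broadening the perspective from an individual use case scenario` and `+*Figure: International Data Spaces connecting different cloud platforms*` runs into `With this integrating ambition`, merging each caption into the next paragraph. The same happens before the second image, where `+be connected to the International Data Spaces.` is immediately followed by the `![ International Data Spaces connecting different cloud` line, which makes the image inline in the paragraph rather than a block of its own. Keep one blank line before each image and one after each caption.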
@@ -51,31 +46,33 @@ working group. The International Data Spaces initiative has established, and will continue to establish, liaisons with other initiatives, among them -- Alliance for Internet of Things Innovation, +- Alliance for Internet of Things Innovation, -- Big Data Value Association, +- Big Data Value Association, -- Data Market Austria, +- Data Market Austria, -- Data Trading Alliance +- Data Trading Alliance -- eCl\@ss, +- eCl@ss, -- FIWARE Foundation, +- FIWARE Foundation, -- Industrial Internet Consortium, +- Gaia-X AISBL -- iSHARE +- Industrial Internet Consortium, -- Industrial Valuechain Initative +- iSHARE -- OPC Foundation, +- Industrial Valuechain Initative -- Plattform Industrie 4.0, +- OPC Foundation, -- Standardization Council Industrie 4.0, and +- Plattform Industrie 4.0, -- World Wide Web Consortium. +- Standardization Council Industrie 4.0, and + +- World Wide Web Consortium. Furthermore, the International Data Spaces initiative seeks collaboration and exchange of ideas with existing research and @@ -85,9 +82,3 @@ industry, politics, and standards bodies, aligning the requirements of the economy and society, and fostering ties with other initiatives, the International Data Spaces can be considered a unique initiative in the landscape of *Industry 4.0*. - -[^1]: https://www.digitale-technologien.de/DT/Redaktion/DE/Downloads/Publikation/SSWII_Programmbroschuere.pdf - -[^2]: https://www.ishareworks.org/ - -[^3]: https://www.internationaldataspaces.org/ressource-hub/publications-ids/ diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_12_Privacy_Preserving_Technologies.md b/documentation/2_Context_of_the_International_Data_Spaces/2_12_Privacy_Preserving_Technologies.md deleted file mode 100644 index e69de29b..00000000 
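Review bot: the reordered liaison list is still inconsistently punctuated (`+- Data Trading Alliance`, `+- Gaia-X AISBL` and `+- iSHARE` lack the trailing comma every other item carries) and carries the typo `Industrial Valuechain Initative` over unchanged; both are worth fixing while every line of the list is being rewritten anyway. Deleting the `[^1]`, `[^2]` and `[^3]` footnote definitions is only safe if no reference to them remains: `[^1]` disappears together with the Smart Service Welt paragraph in 2_1 and `[^3]` is replaced by the inline link in 2_10, but nothing in this patch shows where `[^2]` (https://www.ishareworks.org/) was cited, so grep section 2 for `[^2]` before merging or the renderer will emit a dangling footnote marker.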
diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_x_Privacy_in_the_Connected_World.md b/documentation/2_Context_of_the_International_Data_Spaces/2_12_Privacy_in_the_Connected_World.md similarity index 75% rename from documentation/2_Context_of_the_International_Data_Spaces/2_x_Privacy_in_the_Connected_World.md rename to documentation/2_Context_of_the_International_Data_Spaces/2_12_Privacy_in_the_Connected_World.md index ff1c6dfe..f70cc7b0 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_x_Privacy_in_the_Connected_World.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_12_Privacy_in_the_Connected_World.md 
@@ -1,61 +1,61 @@ -# Privacy in the connected world +## Privacy in the connected world ## -## Digital Services and Markets +### Digital Services and Markets ### The efficient markets hypothesis states that the market finds the correct price based on available information. -Financial Markets only work when information is freely available for all or gathered under the same rules. However, +Financial Markets only work when information is freely available for all or gathered under the same rules. However, we have to face the fact that information in the internet is not equally available or distributed in the ecosystem. Personal information is -gathered by multiple means, correlated within huge databases and analyzed with the available big data algorithms. -On the upside this information gathering allows to analyze and human behavior for a social benefit. On the other side -this data can be exploited by entities to gain an advantage over competitors in the market, and most importantly, -by combining several sources, behavior can be traced back or attributed to a single person. - -The [digital markets act](https://www.consilium.europa.eu/media/56086/st08722-xx22.pdf) thus looks out to enforce privacy -by so called „soft“ privacy means, which is based on compliance, consent, controls and audits. If a user has given -consent to a certain type of data processing, companies make sure that their service offering complies with +gathered by multiple means, correlated within huge databases and analyzed with the available big data algorithms. +On the upside this information gathering allows to analyze and human behavior for a social benefit. On the other side +this data can be exploited by entities to gain an advantage over competitors in the market, and most importantly, +by combining several sources, behavior can be traced back or attributed to a single person. 
+ +The [digital markets act](https://www.consilium.europa.eu/media/56086/st08722-xx22.pdf) thus looks out to enforce privacy +by so called „soft“ privacy means, which is based on compliance, consent, controls and audits. If a user has given +consent to a certain type of data processing, companies make sure that their service offering complies with the the official regulations. Service provider are seen as „trusted“ entities. Personal data is characterized by asymmetric interest. For each single person it’s own data is very important and -valued high. For companies a single dataset is rather uninteresting, but rather Metadata is available and can be gathered +valued high. For companies a single dataset is rather uninteresting, but rather Metadata is available and can be gathered from many sources. Looking at it from a different angle: (Protocol-) Metadata can be used in various ways to combine data sources and to draw conclusions, and it is the most underestimated privacy risk that currently exists in reality. -It remains thus doubtful if a single entity would be willing to sell it’s data to companies, as the expected price will not be paid. -For economic reasons there will always be an over-supply of personal data, and thus the price of each single data set can +It remains thus doubtful if a single entity would be willing to sell it’s data to companies, as the expected price will not be paid. +For economic reasons there will always be an over-supply of personal data, and thus the price of each single data set can be expected to be very low. Individuals will thus not be able to „sell“ their data, except when special circumstance are in place -(e.g. VIP persons need additional protection). Unfortunately, for this kind of special data, it is in consequence highly desirable +(e.g. VIP persons need additional protection). Unfortunately, for this kind of special data, it is in consequence highly desirable to apply stronger protective means. 
-For these cases so called „hard“ privacy means need to be enforced, which go beyond the standard [GDPR](#) regulations. These +For these cases so called „hard“ privacy means need to be enforced, which go beyond the standard [GDPR](./2_10_General_Data_Protection_Regulation.md) regulations. These technologies do not establish „trusted“ entities, instead data is protected by reducing and minimizing data and trusted parties, possibly working in/on encrypted data and platforms. -## The problem of collusion +### The problem of collusion ### The underlying problem of many data sources emanates from the fact that the collection and correlation of data allows companies to draw conclusions even if each data record has been pseudonymized. The effect is called collusion and exists also as an cybersecurity threat: over time multiple sources or access rights are collected, which in the end may lead to more -knowledge than required, also known as "access creep". - -Even for companies the problem of meta-data and collusion exists: In common B2B scenarios transactions are covered by -contractual work and terms of service. However, as companies grow, they also become attractive for a take over of e.g. -competitors. Although the primary business objective could still be covered by the contract, the now available metadata -could be an attractive source of information. In addition, the terms of service could be changed on the longer term. How -fast can companies switch their technology to an alternative provider, e.g. if an supplier has been bought by an competitor? -Hence in addition we can identify the need data portability and of course for common rules and guidelines as they are defined -by the IDSA. Although this example may sound artificially constructed, companies to have the obligation to protect the personal -data of their customers. - -In addition companies not only have to protect the data of their customers. 
Also the data of their employees need protection -for two reasons: +knowledge than required, also known as "access creep". + +Even for companies the problem of meta-data and collusion exists: In common B2B scenarios transactions are covered by +contractual work and terms of service. However, as companies grow, they also become attractive for a take over of e.g. +competitors. Although the primary business objective could still be covered by the contract, the now available metadata +could be an attractive source of information. In addition, the terms of service could be changed on the longer term. How +fast can companies switch their technology to an alternative provider, e.g. if an supplier has been bought by an competitor? +Hence in addition we can identify the need data portability and of course for common rules and guidelines as they are defined +by the IDSA. Although this example may sound artificially constructed, companies to have the obligation to protect the personal +data of their customers. + +In addition companies not only have to protect the data of their customers. Also the data of their employees need protection +for two reasons: First of all being able to track employees and their activities at each step during a process can be seen as a mode of surveillance. Although an enterprise needs to know how well it’s processes are running to improve over time, it should not be -possible to attribute it to a single person, but rather on groups. E.g. during the preparation/execution of a phishing simulation, +possible to attribute it to a single person, but rather on groups. E.g. during the preparation/execution of a phishing simulation, it must be ensured that the results conform to the privacy regulations of the EU. At least in Germany the workforce is organized by intra-company work council, which has to be involved whenever data is collected and possible surveillance scenarios emerge. 
Secondly, protecting the privacy of the workforce also protects the customers. As an example: a military camp has been discovered -in the internet only because the location of fitness trackers of the employees have been mapped to a card [reference required](#). The regular updates -showed the running path in the midst of a forest, where usually no such activities would take place. In addition in cybersecurity -settings operators of service providers usually have access to the data of the customer. Protecting the privacy of the workforce -minimizes the impact of potential fraud or blackmailing. Furthermore good security practices like four-eye principle and separation +in the internet only because the location of fitness trackers of the employees have been mapped to a card. The regular updates +showed the running path in the midst of a forest, where usually no such activities would take place. In addition in cybersecurity +settings operators of service providers usually have access to the data of the customer. Protecting the privacy of the workforce +minimizes the impact of potential fraud or blackmailing. Furthermore good security practices like four-eye principle and separation of duties ensure that data or money loss can be avoided. diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_1_Data_in_the_Smart_Service_Welt.md b/documentation/2_Context_of_the_International_Data_Spaces/2_1_Data-Driven-Business_Ecosystems.md similarity index 67% rename from documentation/2_Context_of_the_International_Data_Spaces/2_1_Data_in_the_Smart_Service_Welt.md rename to documentation/2_Context_of_the_International_Data_Spaces/2_1_Data-Driven-Business_Ecosystems.md index 81b39228..2304a46c 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_1_Data_in_the_Smart_Service_Welt.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_1_Data-Driven-Business_Ecosystems.md 
@@ -1,6 +1,6 @@ -# Context of the International Data Spaces {#sec:context} +# Context of the International Data Spaces # -## Data-Driven Business Ecosystems and the Smart Service Welt {#subsec:data_driven_business_ecosystems} +## Data-Driven Business Ecosystems # Novel digital products and services often emerge in business ecosystems, which organizations enter to jointly fulfill the needs of customers @@ -18,20 +18,14 @@ to team up. In other words: Every member has to contribute something for the benefit of all. Ideally, ecosystems function in an equilibrium state of mutual benefits for all members. -Examples of business ecosystems are numerous and can be found across all -industries. Many of them have been analyzed and documented by the Smart -Service Welt working group[^1]. - A data-driven business ecosystem is an ecosystem in which data is the strategic resource used by the members to jointly create innovative value offerings. Key to success is to share and jointly maintain data within such an ecosystem, as end-to-end customer process support can only be achieved if the partners team up and jointly utilize their data -resource (as shown by a number of examples in Figure -[1](#fig:_Data-Driven_Business_Ecosystems_examples){reference-type="ref" -reference="fig:_Data-Driven_Business_Ecosystems_examples"}). - +resource (as shown by a number of examples in the Figure below). ![Data Sharing in -Ecosystems](../media/image12.png){#fig:_Data-Driven_Business_Ecosystems_examples -} +Ecosystems](../media/image12.png) +*Figure: Data Sharing in +Ecosystems* diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_2_Data_Sovereignty_as_a_key_capability.md b/documentation/2_Context_of_the_International_Data_Spaces/2_2_Data_Sovereignty_as_a_key_capability.md index 99ed27e0..f9855256 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_2_Data_Sovereignty_as_a_key_capability.md 
+++ b/documentation/2_Context_of_the_International_Data_Spaces/2_2_Data_Sovereignty_as_a_key_capability.md @@ -1,8 +1,13 @@ -## Data Sovereignty as a Key Capability {#subsec:datasovereignty_as_key_enabler} +## Data Sovereignty as a Key Capability ## -From these two developments -- 1) data turning into a strategic -resource, and 2) companies increasingly collaborating in business -ecosystems -- results a fundamental conflict of goals as a main +From these two developments + +1. data turning into a strategic +resource, and +2. companies increasingly collaborating in business +ecosystems + +results a fundamental conflict of goals as a main characteristic of the digital economy: on the one hand, companies increasingly need to exchange data in business ecosystems; on the other hand, they feel they need to protect their data more than ever before, @@ -20,3 +25,8 @@ To find that balance, it is important to take a close look at the data itself, as not all data requires the same level of protection, and as the value contribution of data varies, depending on what class or category it can be subsumed under. + +**Definition of Data Sovereignty:** + +``Data Sovereignty is the ability of a natural or legal person to exclusively and sovereignly decide concerning the usage of data as an economic asset.`` + diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_3_Data_as_an_economic_good.md b/documentation/2_Context_of_the_International_Data_Spaces/2_3_Data_as_an_economic_good.md index aa57e002..17d29da0 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_3_Data_as_an_economic_good.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_3_Data_as_an_economic_good.md @@ -1,4 +1,4 @@ -## Data as an Economic Good {#subsec:data_as_economic_good} +## Data as an Economic Good ## It is indisputable that data has a value, and that data management generates costs. Today, data is traded in the market like a commodity; 
@@ -21,5 +21,5 @@ level of protection than private data or club data. Because of these differences and distinctions made with regard to data, a generally accepted understanding of the value of data has not been established so far. Nevertheless, there is a growing need to determine -the value of data, given the rapid developments taking place in the -Smart Service Welt. +the value of data, given the rapid developments taking place Data-driven +Business Ecosystems. diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_4_Data_Exchange_and_Data_Sharing.md b/documentation/2_Context_of_the_International_Data_Spaces/2_4_Data_Exchange_and_Data_Sharing.md index 1109a5c5..eed1b250 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_4_Data_Exchange_and_Data_Sharing.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_4_Data_Exchange_and_Data_Sharing.md @@ -1,4 +1,4 @@ -## Data Exchange and Data Sharing {#subsec:data_exchange_and_data_sharing} +## Data Exchange and Data Sharing ## Cross-company data exchange with the help of inter-organizational information systems is not a new topic; it has been around for decades. 
@@ -7,17 +7,15 @@ With the proliferation of Electronic Data Interchange (EDI) in the which were accompanied by the development of certain technical standards. - ![Evolution of technical standards for data -exchange](../media/image13.png){#fig:Datadriven_business_ecosystems -} - +exchange](../media/image13.png) +*Figure: Evolution of technical standards for data +exchange* -Figure [2](#fig:Datadriven_business_ecosystems){reference-type="ref" -reference="fig:Datadriven_business_ecosystems"} shows the evolution of +The Figure above shows the evolution of technical standards for data exchange since the 1980s, using the example of automotive logistics. Data sovereignty, which is one of the main -goals of the International Data Spaces, materializes in '$terms and +goals of the International Data Spaces, materializes in 'terms and conditions' that are linked to data before it is exchanged and shared. However, these terms and conditions (such as time to live, forwarding rights, pricing information etc.) have not been standardized yet. In 
@@ -29,21 +27,19 @@ This does not mean that existing standards will become obsolete. Instead, the overall set of standards companies need to comply with when exchanging and sharing data needs to be extended. It is therefore necessary to distinguish between data exchange and data sharing (see -also Figure [3](#fig:dataexchange_vs_sharing){reference-type="ref" -reference="fig:dataexchange_vs_sharing"}): +also the Figure below: -- Data exchange takes place in the *vertical cooperation* between +- Data exchange takes place in the *vertical cooperation* between companies to support, enable or optimize value chains and supply chains (e.g. EDI messages in logistics or HL7 in medical scenarios). -- Data sharing takes place in the *vertical and horizontal +- Data sharing takes place in the *vertical and horizontal collaboration* between companies to achieve a common goal (e.g. predictive maintenance scenarios in manufacturing) or to enable new business models by generating additional value out of data (e.g. in data marketplaces). Furthermore, data sharing implies a mode of collaboration towards coopetition. - ![Data exchange vs. data -sharing](../media/image14.png){#fig:dataexchange_vs_sharing -} +sharing](../media/image14.png) +*Figure: Data Exchange and Data Sharing* diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_5_Industrial_Cloud_Platforms.md b/documentation/2_Context_of_the_International_Data_Spaces/2_5_Industrial_Cloud_Platforms.md index d70ea5ae..1bf2e973 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_5_Industrial_Cloud_Platforms.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_5_Industrial_Cloud_Platforms.md @@ -1,4 +1,4 @@ -## Industrial Cloud Platforms {#subsec:industrial_cloud} +## Industrial Cloud Platforms ## The growing number of industrial cloud platforms will also drive the need for a standard for data sovereignty. With a lot of different 
diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_6_Big_Data_and_Artificial_Intelligence.md b/documentation/2_Context_of_the_International_Data_Spaces/2_6_Big_Data_and_Artificial_Intelligence.md index 85015925..b9552618 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_6_Big_Data_and_Artificial_Intelligence.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_6_Big_Data_and_Artificial_Intelligence.md @@ -1,4 +1,4 @@ -## Big Data and Artificial Intelligence {#subsec:bigdata_ai} +## Big Data and Artificial Intelligence ## Today companies make a wide use of Big Data applications. The common use case is to complement data available within the company by additional diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_7_The_Internet_of_Things_and_the_Industrial_Internet_of_Things.md b/documentation/2_Context_of_the_International_Data_Spaces/2_7_The_Internet_of_Things_and_the_Industrial_Internet_of_Things.md index 04344d12..fe34e430 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_7_The_Internet_of_Things_and_the_Industrial_Internet_of_Things.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_7_The_Internet_of_Things_and_the_Industrial_Internet_of_Things.md @@ -1,4 +1,4 @@ -## The Internet of Things and the Industrial Internet of Things {#subsec:iiot} +## The Internet of Things and the Industrial Internet of Things ## The Internet of Things (IoT) and the Industrial Internet of Things (IIoT), respectively, comprises an ever-growing number of devices diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_8_Blockchain.md b/documentation/2_Context_of_the_International_Data_Spaces/2_8_Blockchain.md index 48d6dad4..74e02a90 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_8_Blockchain.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_8_Blockchain.md 
@@ -1,4 +1,4 @@ -## Blockchain {#subsec:blockchain} +## Blockchain ## The core purpose of the International Data Spaces is to enable controlled exchange and sharing of data between organizations -- @@ -12,11 +12,11 @@ in the IDS ecosystem, while data sovereignty is ensured at any time. In the use cases of the International Data Spaces, two basic patterns of data sharing can be found: -- Data is shared to feed new, data-driven services, such as using the +- Data is shared to feed new, data-driven services, such as using the data in a new app, smart algorithm, or other digital service in which data of different sources/providers is combined. -- Data is shared for some form of business process synchronization, +- Data is shared for some form of business process synchronization, such as using the data to execute transactions (e.g. exchange orders), enable production (e.g. exchange product data), check quality (e.g. monitor the temperature of perishable goods), or @@ -29,13 +29,13 @@ organizations. Two examples: -- As perishable goods were exposed to improper ambient temperatures, +- As perishable goods were exposed to improper ambient temperatures, the company ordering the goods refuses acceptance. The temperature data thereby becomes a shared data asset that can be stored in a shared environment which acts as a trusted record keeper of such quality data. -- Several companies want to share their capabilities in order to +- Several companies want to share their capabilities in order to produce a certain type of good. In this case, the capability of each company becomes a shared data asset to be stored in shared 'yellow pages' accessible for all participants in the ecosystem. 
@@ -55,11 +55,9 @@ In general, the use of Blockchain technology can ensure data consistency and transparency in combination with the general IDS approach for data sovereignty and secure data exchange and sharing. In contrast, typical Data Lakes focus on the integration of data for the purpose of knowledge -extraction (see Figure -[4](#fig:_general_architectural_patterns_for_data_exchange_and_data_sharing){reference-type="ref" -reference="fig:_general_architectural_patterns_for_data_exchange_and_data_sharing"}). - +extraction (see Figure below). ![ General architectural patterns for data exchange and data -sharing](../media/image15.png){#fig:_general_architectural_patterns_for_data_exchange_and_data_sharing -} +sharing](../media/image15.png) +*Figure: General architectural patterns for data exchange and data +sharing* diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements .md b/documentation/2_Context_of_the_International_Data_Spaces/2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements.md similarity index 90% rename from documentation/2_Context_of_the_International_Data_Spaces/2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements .md rename to documentation/2_Context_of_the_International_Data_Spaces/2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements.md index aeb07579..fa14c2a4 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements .md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements.md 
@@ -1,11 +1,12 @@ -## Towards legal interoperability: federated frameworks for data sharing agreements and terms-of-use {#subsection:schemeowner} +## Towards legal interoperability: federated frameworks for data sharing agreements and terms-of-use ## IDS provides a federated data-sharing environment that poses strong requirements with regard to interoperability on each of the levels distinguished in the new European Interoperability Framework (as developed by the European Commission ); i.e., legal, organizational, semantic and technical interoperability, under an overarching integrated -governance approach.\ +governance approach. + Interoperability of the legal concepts applies to both the data-sharing agreements (including legal, commercial and service-level conditions) and the terms of use (i.e., usage contracts consisting of access and @@ -21,6 +22,6 @@ key to unambiguously understanding and agreement and adequately ensuring legal compliance of data-sharing transactions taking place between parties operating in different industries, countries, and/or jurisdictions. As a result of the co-operation between IDS and -iSHARE[^2], appropriate steps can be taken to address this challenge by +iSHARE, appropriate steps can be taken to address this challenge by defining the IDS approach to support federation of legal frameworks and semantic interoperability on legal conditions. diff --git a/documentation/2_Context_of_the_International_Data_Spaces/README.md b/documentation/2_Context_of_the_International_Data_Spaces/README.md index e69de29b..d25c9f74 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/README.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/README.md 
@@ -0,0 +1,48 @@ +# Context of the International Data Spaces # + +## Table of Content ## + +[2. Context of the International Data Spaces](./2_1_Data-Driven-Business_Ecosystems.md#context-of-the-international-data-spaces) + +[2.1 Data-Driven Business Ecosystems](./2_1_Data-Driven-Business_Ecosystems.md#data-driven-business-ecosystems) + +[2.2 Data Sovereignty as a Key Capability](./2_2_Data_Sovereignty_as_a_key_capability.md#data-sovereignty-as-a-key-capability) + +[2.3 Data as an Economic Good](./2_3_Data_as_an_economic_good.md#data-as-an-economic-good) + +[2.4 Data Exchange and Data Sharing](./2_4_Data_Exchange_and_Data_Sharing.md#data-exchange-and-data-sharing) + +[2.5 Industrial Cloud Platforms](./2_5_Industrial_Cloud_Platforms.md#industrial-cloud-platforms) + +[2.6 Big Data and Artificial Intelligence](./2_6_Big_Data_and_Artificial_Intelligence.md#big-data-and-artificial-intelligence) + +[2.7 The Internet of Things and the Industrial Internet of Things](./2_7_The_Internet_of_Things_and_the_Industrial_Internet_of_Things.md#the-internet-of-things-and-the-industrial-internet-of-things) + +[2.8 Blockchain](./2_8_Blockchain.md#blockchain) + +[2.9 Towards legal interoperability: federated frameworks for data sharing agreements and terms-of-use](./2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements.md) + +[2.10 General Data Protection Regulation](./2_10_General_Data_Protection_Regulation.md#general-data-protection-regulation) + +[2.11 Contribution of the International Data Spaces to Industry 4.0 and the Data Economy](./2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md#contribution-of-the-international-data-spaces-to-industry-40-and-the-data-economy) + +[2.12 Privacy in the connected world](./2_12_Privacy_in_the_Connected_World.md#privacy-in-the-connected-world) + +[2.12.1 Digital Services and Markets](./2_12_Privacy_in_the_Connected_World.md#digital-services-and-markets) + +[2.12.2 The problem of 
collusion](./2_12_Privacy_in_the_Connected_World.md#the-problem-of-collusion) + +## Files ## + +- [2_1_Data-Driven-Business_Ecosystems.md](./2_1_Data-Driven-Business_Ecosystems.md) +- [2_2_Data_Sovereignty_as_a_key_capability.md](./2_2_Data_Sovereignty_as_a_key_capability.md) +- [2_3_Data_as_an_economic_good.md](./2_3_Data_as_an_economic_good.md) +- [2_4_Data_Exchange_and_Data_Sharing.md](./2_4_Data_Exchange_and_Data_Sharing.md) +- [2_5_Industrial_Cloud_Platforms.md](./2_5_Industrial_Cloud_Platforms.md) +- [2_6_Big_Data_and_Artificial_Intelligence.md](./2_6_Big_Data_and_Artificial_Intelligence.md) +- [2_7_The_Internet_of_Things_and_the_Industrial_Internet_of_Things.md](./2_7_The_Internet_of_Things_and_the_Industrial_Internet_of_Things.md) +- [2_8_Blockchain.md](./2_8_Blockchain.md) +- [2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements.md](./2_9_Towards_legal_interoperability_federated_frameworks_for_data_sharing_agreements.md) +- [2_10_General_Data_Protection_Regulation.md](./2_10_General_Data_Protection_Regulation.md) +- [2_11_Contribution%20of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md](./2_11_Contribution%20of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md) +- [2_12_Privacy_in_the_Connected_World.md#privacy-in-the-connected-world](./2_12_Privacy_in_the_Connected_World.md) \ No newline at end of file From 7ddd29badbd53647516913c4690b9598766e77cd Mon Sep 17 00:00:00 2001 
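Review bot: in the 2_12_Privacy_in_the_Connected_World.md hunk, the `[reference required](#)` marker after "the location of fitness trackers of the employees have been mapped to a card" is removed without a citation being added, so the hunk turns an acknowledged gap into an unsourced claim; keep the marker or add the source. Since the surrounding lines are re-emitted as `+` lines anyway, this editorial pass is also the place to fix "an cybersecurity threat" (a), "the need data portability" (need for), "companies to have the obligation" (do have), "an supplier ... an competitor" (a), and "mapped to a card" (map). The GDPR link now pointing at ./2_10_General_Data_Protection_Regulation.md instead of `#` is a good fix; the term "collusion" for the correlation of pseudonymized records is non-standard (it normally means parties conspiring), so a short "in this document we call this effect collusion" or the word "linkage" would help readers.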
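Review bot: in the renamed 2_1_Data-Driven-Business_Ecosystems.md hunk, the heading `+## Data-Driven Business Ecosystems #` closes with a single `#` while every other heading in this patch uses the `## ... ##` form; make it `## Data-Driven Business Ecosystems ##`. The blank line between "+resource (as shown by a number of examples in the Figure below)." and " ![Data Sharing in" is deleted, so the image now renders inline inside the paragraph rather than as its own block; keep an empty line before the image. The paragraph ending "Smart Service Welt working group[^1]." is deleted outright, so the `[^1]:` footnote definition (not visible in this hunk) must be removed as well or it becomes an orphan, and the pointer to documented ecosystem examples is lost rather than reworded.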
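Review bot: in the 2_2_Data_Sovereignty_as_a_key_capability.md hunk, the added definition is circular: "Data Sovereignty is the ability of a natural or legal person to exclusively and sovereignly decide concerning the usage of data" defines sovereignty with "sovereignly"; "to decide exclusively and independently on the usage of data" says the same without the loop. Wrapping the definition in double backticks renders it as inline code; a `>` blockquote or bold/italic is the usual markdown for a highlighted definition. The split of "From these two developments ... results a fundamental conflict" into a numbered list leaves two fragments ("1. data turning into a strategic resource, and") and an inverted verb after the list; "Two developments ... 1. ... 2. ... Together they produce a fundamental conflict of goals" reads more naturally. The file also gains trailing empty `+` lines at the end.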
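Review bot: in the 2_3_Data_as_an_economic_good.md hunk the replacement line drops the preposition: "+the value of data, given the rapid developments taking place Data-driven +Business Ecosystems." should read "taking place in data-driven business ecosystems."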
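Review bot: in the 2_4_Data_Exchange_and_Data_Sharing.md hunks, "+also the Figure below:" loses the closing parenthesis of "(see also ...": the old line ended with `}):`, the new one needs "also the Figure below):". The `'$terms and` to `'terms and` fix is correct. The new caption "*Figure: Data Exchange and Data Sharing*" does not match the image alt text "Data exchange vs. data sharing"; use one wording for both.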
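Review bot: in the 2_8_Blockchain.md hunk, the empty line between "+extraction (see Figure below)." and " ![ General architectural patterns for data exchange and data" is removed, which pulls the image into the paragraph; keep a blank line before it. Since the caption line is being rewritten, the leading space in the alt text "![ General" can be trimmed at the same time.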
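Review bot: in the 2_9 hunk the change "-iSHARE[^2], appropriate steps" to "+iSHARE, appropriate steps" deletes the footnote reference without replacing it, so the reader loses the pointer to what iSHARE is, and the `[^2]:` definition elsewhere in the file must be deleted too or it dangles; an inline link on "iSHARE" would preserve the reference. Removing the trailing space from the file name in the rename is a good fix. The context line "(as developed by the European Commission );" has a stray space before `)` that this editorial pass could also remove.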
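Review bot: in the new 2_Context README.md, the links in the "Table of Content" and "Files" sections disagree for section 2.11: the ToC links `./2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md` while the Files list links `./2_11_Contribution%20of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md` (a file name containing a space); only one of these can exist, so check the actual file name and use it in both places. The 2.9 entry is the only one without a heading anchor, and the last Files entry carries the fragment in its label ("[2_12_Privacy_in_the_Connected_World.md#privacy-in-the-connected-world](./2_12_Privacy_in_the_Connected_World.md)") rather than in the URL. "Table of Content" should be "Table of Contents", and the file ends with "\ No newline at end of file".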
From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Wed, 12 Oct 2022 09:34:28 +0200 Subject: [PATCH 05/22] Editorial Update Governance Section --- .../4_1_Security_Perspective/README.md | 5 ++ ...IDS_RuleBook.md => 4_3_10_IDS_RuleBook.md} | 39 +++++---- ...ctive.md => 4_3_11_Privacy_Perspective.md} | 81 ++++++++++--------- .../4_3_1_Layers.md | 30 +++---- .../4_3_2_Data_Governance_Model.md | 57 ++++++------- .../4_3_4_Data_as_an_economic_good.md | 2 +- .../4_3_5_Data_Ownership.md | 6 +- .../4_3_6_Data_Sovereignty.md | 2 +- .../4_3_7_Data_Quality.md | 2 +- .../4_3_8_Data_Provenance.md | 2 +- .../4_3_9_data_spaces_instances.md | 12 +-- .../4_3_Governance_Perspective.md | 18 ++--- .../4_3_Governance_Perspective/README.md | 77 ++++++++++++++++++ .../README.md | 5 ++ 14 files changed, 218 insertions(+), 120 deletions(-) rename documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/{4_3_x_IDS_RuleBook.md => 4_3_10_IDS_RuleBook.md} (89%) rename documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/{4_3_x_Privacy_Perspective.md => 4_3_11_Privacy_Perspective.md} (82%) diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md index e69de29b..cea22253 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md @@ -0,0 +1,5 @@ +# Security Perspective # + +## Table of Content ## + +## Files ## 
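Review bot: the new 4_1_Security_Perspective/README.md adds "## Table of Content ##" and "## Files ##" as empty sections with no entries, so the page renders as two bare headings; either populate them the way the 2_Context README does or leave a TODO marker so the gap is visible. "Table of Content" should also be "Table of Contents" for consistency.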
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_x_IDS_RuleBook.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_10_IDS_RuleBook.md similarity index 89% rename from documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_x_IDS_RuleBook.md rename to documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_10_IDS_RuleBook.md index 57a9b861..b05e9833 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_x_IDS_RuleBook.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_10_IDS_RuleBook.md @@ -1,4 +1,4 @@ -## IDSA Rulebook +### IDSA Rulebook ### It is all about data. If you are going to build or use data driven ecosystems or data driven business models, you should strongly consider data sovereignty[^1] @@ -16,7 +16,7 @@ This Rulebook addresses: 5. Data driven business models -## Goals and scope of the IDSA Rulebook +#### Goals and scope of the IDSA Rulebook #### The overall goal is to make more data available to more organizations and ecosystems being aware, that data availability and exchange become a critical success factor for national and international @@ -32,6 +32,7 @@ or shared. It thereby constitutes the basis for developing and offering smart se establishing innovative business processes. ![Overview IDS enabled ecosystems](./media/Overview_IDS_enabled_ecosystems.png) +*Figure: Overview IDS enabled ecosystems* The IDS initiative aims at defining the technical base and set of agreements for secure and trusted data spaces, in which companies of any size and from any industry can manage their data assets in a 
@@ -40,7 +41,7 @@ IDSA already counts over one-hundred member organizations from twenty countries. all these companies. Members, guest and data sovereignty suppliers and appliers, will fulfil the common value proposition of generating business value from data. -#### The Purpose and Scope of the Rulebook +#### The Purpose and Scope of the Rulebook #### Rules of the game: The purpose of this Rulebook is, to describe clearly what rules and guidance all participants have to follow to achieve the goal of the common interplay in upcoming data @@ -61,15 +62,15 @@ for the realization of use cases on the foundation of a trustworthy infrastructu 4. The interaction of all is structured and guided within this Rulebook. ![Overview Rulebook scope and goals](./media/Overview_Rulebook_scope_and_goals.png) +*Figure: Overview Rulebook scope and goals* -#### Scope / Non Scope in detail +#### Scope / Non Scope in detail #### The IDSA Rulebook defines structures and processes for the implementation of the IDS-Reference Architecture Model in real-world scenarios. This includes the realization of the essential service as well as the definition of processes for the relevant processes, e.g. admission and withdrawal of participants. - Cross Industry Approach: This approach on data sovereignty is not industry specific, it is applicable in all economic sectors. Therefore, sector specific rules are not described in the Rulebook. In consequence, all rules and guidelines could be applied @@ -77,8 +78,8 @@ in all economic sectors and – more over – across these sectors to establish exchange among different industries. IDS is a horizontal approach. On its foundation data sovereignty call build in and across all industries. - The scope of this document in detail covers: + 1. Functional agreements: Guidance on functionality of common services as well as definition, processes and services of dedicated roles 
@@ -103,20 +104,18 @@ Liaisons agreements are about guiding principles guard railing for these collabo provides processes and measures to actively contribute to liaisons and to provide value for the IDSA Liaison partners. - -### How to use IDS? Competitive Advantage with Data Sovereignty! +#### How to use IDS? Competitive Advantage with Data Sovereignty #### Using IDS, IDS based frameworks, services and offerings means, to make use of trusted data sovereignty for your business or your own offerings. So, using IDS in detail is depending on the role, you are going to play in the dedicated data driven continuum. - Overall, there are some rules and guidelines in common: -1. Life cycle is defined: There is a common definition on life cycle agreements for IDS based assets, +1. Life cycle is defined: There is a common definition on life cycle agreements for IDS based assets, e.g. the IDS standards and services. See attachment “Operational Agreements, Life Cycle” -2. Processes: There are some common definitions of necessary processes e.g. for development, +2. Processes: There are some common definitions of necessary processes e.g. for development, certification, onboarding, operation and usage. See attachment “Operational Agreements. Processes” Typical roles anticipated in an IDS based data driven continuum are described in more detail. Included 
@@ -125,29 +124,27 @@ App-Provider, Appstore Provider, and basic roles like ID Provider, Certification House and Vocabulary Provider. In summary, using IDS and make use of data sovereignty as competitive advantage for the own business -is quite easy, because everything is well prepared. The guiding website https://www.internationaldataspaces.org +is quite easy, because everything is well prepared. The guiding website provides all information. -### Guiding principles +#### Guiding principles #### Guiding principles were leading the team in structuring the complete IDS ecosystem, it´s roles and this Rulebook. -- Do not reinvent the wheel +- Do not reinvent the wheel -- Integrate into existing systems, +- Integrate into existing systems, -- Integrate or use existing standards, +- Integrate or use existing standards, -- Be industry agnostic, but applicable in all verticals as horizontal standard +- Be industry agnostic, but applicable in all verticals as horizontal standard -- Be easy usable and applicable by individual companies and initiatives/ecosystems +- Be easy usable and applicable by individual companies and initiatives/ecosystems -- Overall: Create a new global open standard for data sovereignty: +- Overall: Create a new global open standard for data sovereignty: Open standard generally implies: 1) free to use for everyone (although in some sectors this is interpreted in different ways ...), 2) an open process through which everyone can participate, 3) transparent decision making (preferably by consensus or otherwise through a pre-defined structure). - - [^1]: https://github.com/International-Data-Spaces-Association/IDS-G/tree/master/glossary#data-sovereignty 
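Review bot: the heading demotion in 4_3_10_IDS_RuleBook.md flattens the hierarchy: "Goals and scope of the IDSA Rulebook" moves from `##` to `####`, but "The Purpose and Scope of the Rulebook" and "Scope / Non Scope in detail", which were `####` subsections under it, stay at `####` and so become its siblings; they should become `#####` to keep their nesting. The change "-is quite easy, because everything is well prepared. The guiding website https://www.internationaldataspaces.org" to "+is quite easy, because everything is well prepared. The guiding website" leaves "The guiding website provides all information." with no website named; keep the URL or link the word "website". While "- Be easy usable and applicable by individual companies" is being re-emitted, "Be easy to use and applicable" would fix the grammar.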
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_x_Privacy_Perspective.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_11_Privacy_Perspective.md similarity index 82% rename from documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_x_Privacy_Perspective.md rename to documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_11_Privacy_Perspective.md index 404e5579..4d85cdb4 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_x_Privacy_Perspective.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_11_Privacy_Perspective.md 
@@ -1,80 +1,87 @@ -# Privacy consequences +### Privacy consequences ### Enterprises are advised well enough to start early on with good privacy practices. One of the activities that every Company can do is the proper data classification and separation of data. The following is a list of more advanced privacy enhancing technologies that currently exists, but experts in any of these technologies are rare and hard to find. -## PET (Privacy Enhancing Technologies) +#### PET (Privacy Enhancing Technologies) #### -Please also refer to [the publication of the European Union Agency for Cybersecurity](https://www.enisa.europa.eu/publications/data-protection-engineering). +Please also refer to [the publication of the European Union Agency for Cybersecurity](https://www.enisa.europa.eu/publications/data-protection-engineering). -### Divide and conquer -One of the things that every company can do: Data records are not stored together, but rather divided up into several chunks. +##### Divide and conquer ##### + +One of the things that every company can do: Data records are not stored together, but rather divided up into several chunks. correlation of data is then ensured by special pseudonymization/anonymization techniques. Even if one data set is lost, an attacker cannot draw further conclusions and the user/employee record stays protected. -### Obfuscation +##### Obfuscation ##### + Adding random data or noise data to existing records in order to disturb certain kind of computations or to distract an potential attacker. Obfuscation is not a strong privacy-preserving technique, but allows to „cloak“ data with a certain degree of uncertainty. E.g. hashing content effectively hides that data content, but as soon as the initial data is known, hashing can be repeated and looses it’s protective power. 
-### TLS / E2E encryption -Although TLS does protect data in transit in an efficient and widely accepted way, it is not the best measure in terms of +##### TLS / E2E encryption ##### + +Although TLS does protect data in transit in an efficient and widely accepted way, it is not the best measure in terms of privacy protection. E.g. scinetist were able to identify Google search queries from the size of data TLS protected data packets in the internet due to the still available metadata. The need for End2End encryption arises out of the privacy risks mentioned above. As Intermediate broker / provider are able to see customer data, it is only prudent to encrypt the data in a way that allows the use for the primary purpose only. -### Transport Layer Privacy / Source Anonymitiy -helps to achieve untracability, without loosing the access to the data itself. Protocol metadata is one important source to draw -conclusion and to correlate data, transport layer privacy or source anonymity is another important aspect to consider. For highly -confidential data it is therefore required to hide/obfuscate source information from the data set. Although there can be no data -exchange to the right destination without metadata, there are existing technologies that do obfuscate and therefore limit the -ability of each company to draw conclusions that may impact privacy. +##### Transport Layer Privacy / Source Anonymitiy ##### + +helps to achieve untracability, without loosing the access to the data itself. Protocol metadata is one important source to draw +conclusion and to correlate data, transport layer privacy or source anonymity is another important aspect to consider. For highly +confidential data it is therefore required to hide/obfuscate source information from the data set. 
Although there can be no data +exchange to the right destination without metadata, there are existing technologies that do obfuscate and therefore limit the +ability of each company to draw conclusions that may impact privacy. -### Secure Multiparty Computation -A set of algorithm that allows to compute e.g. the mean of a dataset, without exposing each single record. Multiparty computations +##### Secure Multiparty Computation ##### + +A set of algorithm that allows to compute e.g. the mean of a dataset, without exposing each single record. Multiparty computations exists for a variety of problems, but do not protect single records or entities. -### Pseudonymization -Replaces the information about a user with a random identitfier to prevent correlation of data and to discourage an attacker. +##### Pseudonymization ##### + +Replaces the information about a user with a random identitfier to prevent correlation of data and to discourage an attacker. Pseudonyms can be placed either on groups or on individual records. -### PPRL (Privacy preserving record linkage) / Enhanced Privacy ID (EPID) +##### PPRL (Privacy preserving record linkage) / Enhanced Privacy ID (EPID) ##### + PPRL links allow to create an identifier which resembles a data record. This PPRL link can then be shared to link data records -during analytics, but it is not possible to link back to the initial data record. In a similar way +during analytics, but it is not possible to link back to the initial data record. In a similar way + +##### Zero-Knowledge Proof ##### -### Zero-Knowledge Proof Prove to another party that you are who you are, without revealing the information (the "proof“), but rather the fact that you certainly know the information. -### (Fully-) homomorphic encryption +##### (Fully-) homomorphic encryption ##### + As set of encryption algorithms that allows a limited set of computations on the encrypted data without destroying the encryption. 
-### Functional encryption +##### Functional encryption ##### + A more general term for any advanced encryption scheme. The required key size is usually larger, the possible applications have to be choosen from the variety of possible algorithms. e.g. proxy re-encryption allows to send a message to an intermediate broker, but the message can be re-encrypted to a final recipient at a later point in time. +#### Minimum required risk mitigations #### - -## Minimum required risk mitigations - -While the above „hard“ privacy technologies are means that need to be tailored towards a specific use case, enterprise are -advised to not rely on these technologies only, but rather look out to strengthen their organization capabilities. +While the above „hard“ privacy technologies are means that need to be tailored towards a specific use case, enterprise are +advised to not rely on these technologies only, but rather look out to strengthen their organization capabilities. As already mentioned, applying a data classification scheme that is aligned with the business goal helps. Companies have started to assign the role of the Chief Information Security Officer (CISO) as a response to the increasing need to protect their company from -cybersecurity attacks and fraud. In addition, companies should think about assigning the role of a Chief Privacy Officer (CPO) +cybersecurity attacks and fraud. In addition, companies should think about assigning the role of a Chief Privacy Officer (CPO) to reflect on the increasing need to address risks in relation with privacy laws and regulations. -When looking at the current state of technology, then companies should at least be familiar with the guidelines and rules that have been set +When looking at the current state of technology, then companies should at least be familiar with the guidelines and rules that have been set out by the [OWASP TopTen privacy risks]((https://owasp.org/www-project-top-10-privacy-risks/)). 
Addressing these TopTen is certainly a good step into the right direction: - -| 2021 | Title / Description | F | R | T -| ------- | ----------------------------------------------- | --- | --- | --- -| P1 | Web Application Vulnerabilities | H | VH | T +| 2021 | Title / Description | F | R | T +| ------- | ----------------------------------------------- | --- | --- | --- +| P1 | Web Application Vulnerabilities | H | VH | T | | Apply SDLC principles and use external pentesters to boost application security | | | | P2 | Operator-sided Data Leakage | H | VH | O+T | | Audit the operator on a regular basis / encrypt data | | | @@ -86,7 +93,7 @@ out by the [OWASP TopTen privacy risks]((https://owasp.org/www-project-top-10-pr | | lack of transparency leads to distrust and a deep sense of insecurity | | | | P6 | Insufficient Deletion of User Data | H | H | O+T | | Deletion of data after use | | | -| P7 | Insufficient Data Quality | M | H | O+T +| P7 | Insufficient Data Quality | M | H | O+T | | provide update forms / ask the user | | | | P8 | Missing or Insufficient Session Expiration | M | VH | T | | automatically log our after x-hours / user education | | | @@ -95,12 +102,12 @@ out by the [OWASP TopTen privacy risks]((https://owasp.org/www-project-top-10-pr | P10 | Collection of Data Not Required for the User-Consented Purpose | H | H | O | | define purpose and and collect / use only data needed / data minimization | | | +**Legend** -### Legend F = Frequency / T = Technical Measure / O = Organizational Measure / L = Low is considered as an limited and calculated risks / M = Medium risk/ frequency , impact is causing serious problems / -H = High risks / frequency is likely to happen, and the impact is devastating +H = High risks / frequency is likely to happen, and the impact is devastating VH = Very high risk / frequency almost certain to happen, impact is devastating 
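Review bot: the `+` lines of the first hunk (`@@ -1,80 +1,87 @@`) that re-emit the body text under the new `#####` headings keep several spelling errors that belong in the same editorial pass: `scinetist` (scientists), `Anonymitiy` (Anonymity), `untracability` (untraceability), `loosing` and `looses it’s` (losing, loses its), `identitfier` (identifier), `choosen` (chosen), and `the size of data TLS protected data packets` (drop the first `data`). The new heading `##### Transport Layer Privacy / Source Anonymitiy #####` is followed by a paragraph that starts `helps to achieve untracability, without loosing the access to the data itself.`, which only made sense when the heading was the subject of the sentence; give the paragraph its own subject, e.g. `Transport layer privacy helps to achieve untraceability, ...`. The PPRL paragraph still ends in the unfinished sentence `during analytics, but it is not possible to link back to the initial data record. In a similar way`; either finish it or drop the fragment. The Obfuscation paragraph already states that plain hashing loses its protection as soon as the input is known and can be recomputed; it would help readers to add that only a keyed hash (an HMAC with a secret key) or a salted hash makes such cloaking hold. Finally, `[OWASP TopTen privacy risks]((https://owasp.org/www-project-top-10-privacy-risks/))` has doubled parentheses, so the rendered link is followed by a stray `(`; use a single pair.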
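Review bot: in the `@@ -86,7 +93,7 @@` hunk the only change is trailing whitespace on the P7 row, but the P8 mitigation in the context lines reads `automatically log our after x-hours / user education`; fix `log our` to `log out` while this region is being touched.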
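Review bot: the legend that the `@@ -95,12 +102,12 @@` hunk turns into `**Legend**` still does not define the `R` column of the table header `| 2021 | Title / Description | F | R | T`, and `T` is both a column header and the code for Technical Measure in `F = Frequency / T = Technical Measure / O = Organizational Measure`; add an entry for `R` and consider naming the third column `Measure` with values T/O so that `T` has one meaning. The P10 row in the context lines also has `define purpose and and collect`.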
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md index 8c6ece59..788992d2 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md @@ -1,6 +1,6 @@ -### Governance Aspects Addressed by the Different Layers of the IDS-RAM +### Governance Aspects Addressed by the Different Layers of the IDS-RAM ### -#### Business Layer +#### Business Layer #### The Business Layer (see Chapter 3.1) facilitates the development and use of new, digital business models to be applied by the Participants in the @@ -10,7 +10,7 @@ considering the business point of view regarding data ownership, data provision, and data consumption, and by describing core service concepts such as data brokerage. -#### Functional Layer +#### Functional Layer #### The Functional Layer (see Chapter 3.2) defines the functional requirements of the International Data Spaces, and the concrete features 
@@ -23,17 +23,7 @@ the relation to governance is obvious, also the functionality of certain technical core components (e.g., the App Store or the Connector) relates to the Governance Perspective. -#### Process Layer - -Providing a dynamic view of the architecture, the Process Layer (see -Chapter 3.3) describes the interactions taking place between the -different components of the International Data Spaces. The three major -processes described in the Process Layer section (onboarding, exchanging -data, and publishing and using Data Apps) are directly related to the -Governance Perspective, as they define its scope regarding the technical -architecture. - -#### Information Layer +#### Information Layer #### The Information Layer (see Chapter 3.4) specifies the Information Model, which provides a common vocabulary for Participants to express their @@ -43,7 +33,17 @@ establishing individual agreements and contracts. The vocabulary plays a key role in the Governance Perspective because of its relevance for describing data by metadata in the International Data Spaces. -#### System Layer +#### Process Layer #### + +Providing a dynamic view of the architecture, the Process Layer (see +Chapter 3.3) describes the interactions taking place between the +different components of the International Data Spaces. The three major +processes described in the Process Layer section (onboarding, exchanging +data, and publishing and using Data Apps) are directly related to the +Governance Perspective, as they define its scope regarding the technical +architecture. + +#### System Layer #### The System Layer (see Chapter 3.5) relates to the Governance Perspective due to its technical implementation of different security levels for 
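Review bot: the `@@ -23,17 +23,7 @@` and `@@ -43,7 +33,17 @@` hunks move the entire Process Layer subsection from before Information Layer to after it; that is a content reorder rather than formatting and the commit message does not mention it. After the move the in-text references run `Chapter 3.4` (Information Layer) before `Chapter 3.3` (Process Layer). If the intent is to match the new README order (4.3.1.3 Information Layer, 4.3.1.4 Process Layer), say so in the commit message; otherwise keep the chapter order.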
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_2_Data_Governance_Model.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_2_Data_Governance_Model.md index efcf4566..0d82efce 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_2_Data_Governance_Model.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_2_Data_Governance_Model.md @@ -1,14 +1,14 @@ -### Data Governance +### Data Governance ### -#### Key Roles and Correlating Data Governance and Management Activities +#### Key Roles and Correlating Data Governance and Management Activities #### The following subsections list what data governance / data management activities central roles in the IDS ecosystem are occupied with, and what IDS components are involved. -##### Data Owner / Data Provider +##### Data Owner / Data Provider ##### -###### DG/DM activities +**DG/DM activities** - Define usage constraints for data resources - Publish metadata including usage constraints to Broker 
@@ -20,66 +20,69 @@ what IDS components are involved. - Describe the data source - Authorize Data Provider, if Data Provider is not the Data Owner -###### Enabling/Supporting IDS Component +**Enabling/Supporting IDS Component** + - IDS Connector - Catalogue of rules allowing Data Owners to configure usage conditions related to their own requirements -- Define pricing model and pricing (see section 3.4.3.9) - +- Define pricing model and pricing (see section 3.4.3.9) +##### Data Consumer ##### -##### Data Consumer}}} & +**DG/DM activities** -###### DG/DM activities - Use data in compliance with usage constraints} - Search for existing datasets by making an inquiry at a Broker Service Provider - Nominate Data Users (if needed) -- Receive information about data transaction from Clearing House +- Receive information about data transaction from Clearing House - Monitor policy enforcement -###### Enabling/Supporting IDS Component: +**Enabling/Supporting IDS Component:** + - IDS Connector - Catalogue of rules to act in compliance with usage constraints specified by Data Owner -##### Broker Service Provider +##### Meta Data Broker Service Provider ##### + +**DG/DM activities** -###### DG/DM activities - Match demand and supply of data - Provide Data Consumer with metadata -###### Enabling/Supporting IDS Component: -- Broker Service Provider component +**Enabling/Supporting IDS Component:** + +- Meta Data Broker Service Provider component - Core of the metadata model must be specified by the International Data Spaces (by the Information Model) - Provide registration interface for Data Provider - Provide query interface for Data Consumer - Store metadata in internal repository for being queried by Data Consumers +##### Clearing House ##### +**Data-related activities** -##### Clearing House -###### Data-related activities - Monitor and log data transactions and data value chains -- Monitor policy enforcement -- Provide data accounting platform +- Monitor policy enforcement +- 
Provide data accounting platform -###### Enabling/Supporting IDS Component: +**Enabling/Supporting IDS Component:** - Clearing House component - Logging data +##### App Store Provider ##### +**Data-related activities** -##### App Store Provider -###### Data-related activities -- Offer Data Services (e.g. for data visualization, data quality, data transformation, data governance) +- Offer Data Services (e.g. for data visualization, data quality, data transformation, data governance) - Provide Data Apps - Provide metadata and a contract based on the metadata for app user -###### Enabling/Supporting IDS Component: -- App Store Provider component -- Interfaces for publishing and retrieving Data Apps plus corresponding data +**Enabling/Supporting IDS Component:** +- App Store Provider component +- Interfaces for publishing and retrieving Data Apps plus corresponding data -#### IDS Data Governance Model +#### IDS Data Governance Model #### The IDS Data Governance Model defines a framework of decision-making rights and processes with regard to the definition, creation, diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_4_Data_as_an_economic_good.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_4_Data_as_an_economic_good.md index a4b5f875..11f7b54d 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_4_Data_as_an_economic_good.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_4_Data_as_an_economic_good.md @@ -1,4 +1,4 @@ -### Data as an Economic Good +### Data as an Economic Good ### As data can be decoupled from specific hardware and software implementations, it turns into an independent economic good. While this 
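Review bot: the `@@ -20,66 +20,69 @@` hunk fixes the broken `##### Data Consumer}}} &` heading, but the activity line directly below it, `- Use data in compliance with usage constraints}`, keeps its stray closing brace; remove it as well. The rename of `Broker Service Provider` to `Meta Data Broker Service Provider` in the heading and the component bullet is a terminology change, not formatting, and is only applied in part: the Data Consumer activity `- Search for existing datasets by making an inquiry at a Broker Service Provider` still uses the old name. Either apply the rename consistently and note it in the commit message or leave it for a separate change. Smaller points: `**Enabling/Supporting IDS Component**` appears with and without a trailing colon, and the Data Owner component list contains `- Define pricing model and pricing (see section 3.4.3.9)`, which is an activity rather than a component.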
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_5_Data_Ownership.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_5_Data_Ownership.md index 393094a4..18d81390 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_5_Data_Ownership.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_5_Data_Ownership.md @@ -1,4 +1,4 @@ -### Data Ownership +### Data Ownership ### In the material world, the difference between the terms possession and property is an abstract, yet necessary @@ -44,6 +44,8 @@ it supports these important aspects over the entire data lifecycle. Furthermore, it supports the arrangement of collaborative solutions by providing an appropriate technical infrastructure. -[^1]: Regulation (EU) 2018/1807 of the European Parliament and of the + +[^1]: [Regulation (EU) 2018/1807] +(https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1807) of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_6_Data_Sovereignty.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_6_Data_Sovereignty.md index 0395c3f5..53fb3f3b 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_6_Data_Sovereignty.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_6_Data_Sovereignty.md @@ -1,4 +1,4 @@ -### Data Sovereignty +### Data Sovereignty ### Data sovereignty is a natural person's or corporate entity's capability of being entirely self-determined with regard to its data. The Reference 
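Review bot: in the `@@ -44,6 +44,8 @@` hunk of 4_3_5_Data_Ownership.md the footnote is split into `[^1]: [Regulation (EU) 2018/1807]` on one line and `(https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1807)` on the next; CommonMark requires the `(` to follow `]` immediately, so with the line break this renders as bracketed text followed by a URL in parentheses rather than as a link. Keep `[Regulation (EU) 2018/1807](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1807)` on one line.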
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_7_Data_Quality.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_7_Data_Quality.md index c2915649..4fd98fee 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_7_Data_Quality.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_7_Data_Quality.md @@ -1,4 +1,4 @@ -### Data Quality +### Data Quality ### Because of the correlation between good data quality and maximizing the value of data as an economic good, the International Data Spaces diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_8_Data_Provenance.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_8_Data_Provenance.md index 5c71ddb0..74ee0c3e 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_8_Data_Provenance.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_8_Data_Provenance.md @@ -1,4 +1,4 @@ -### Data Provenance +### Data Provenance ### By creating transparency and offering clearing functionality, the International Data Spaces provides a way to track the provenance and diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_9_data_spaces_instances.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_9_data_spaces_instances.md index 3e5ebc37..01024e65 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_9_data_spaces_instances.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_9_data_spaces_instances.md 
@@ -1,20 +1,22 @@ -### Data Spaces Instances +### Data Spaces Instances ### + Data spaces are emerging in various sectors, each with their own community of stakeholders, domain-specific use-cases and governance models. The IDSA will not only play a major role in the development (of the reference implementation for) for data spaces instances, but also for the interoperability between data space instances. As such, the role of IDSA is key for realizing the European data strategy, which can shortly be phrased as ‘Towards a Federation of Interoperable Data Spaces’. -Consequently, the IDSA will consider (the governance of) its development and deployment initiatives in the broader context of both: +Consequently, the IDSA will consider (the governance of) its development and deployment initiatives in the broader context of both: -1. striving for interoperability within data spaces instances (also known as to as ‘federations’ or ‘intra data space interoperability’) which is defined as interoperability between the data space authority, processing and data sharing building blocks within a single data space instance. This implies that the IDSA should ensure that the implementation components of the IDS architecture are developed in coherence and provide a gradual migration and growth path. -2. preparing for interoperability between multiple data spaces instances (also known as ‘federation of federations’ or ‘inter data space interoperability’), to pave the way towards the federation of interoperable data spaces as pursued by the European data strategy. +1. striving for interoperability within data spaces instances (also known as to as ‘federations’ or ‘intra data space interoperability’) which is defined as interoperability between the data space authority, processing and data sharing building blocks within a single data space instance. 
This implies that the IDSA should ensure that the implementation components of the IDS architecture are developed in coherence and provide a gradual migration and growth path. +2. preparing for interoperability between multiple data spaces instances (also known as ‘federation of federations’ or ‘inter data space interoperability’), to pave the way towards the federation of interoperable data spaces as pursued by the European data strategy. The governance of both intra and inter data space interoperability focuses on the set of commonly agreed principles and architectures, covering more than merely the technical aspects. A framework for addressing all aspects to be governed is provided by the new European Interoperability Framework (EIF) as developed by the European Commission. The EIF distinguishes four interoperability levels (legal, organizational, semantic, technical) under an overarching integrated governance approach (Fig [4.3.9.1](#interoperability-levels-as-distinguished-in-the-new-european-interoperability-framework.png)): ![Interoperability levels as distinguished in the New European Interoperability Framework](./media/interoperability-levels-as-distinguished-in-the-new-european-interoperability-framework.png.png) -#### _Fig. 4.3.9.1: Interoperability levels as distinguished in the New European Interoperability Framework._ +*Figure 4.3.9.1: Interoperability levels as distinguished in the New European Interoperability Framework.* For both intra and inter data space interoperability the IDSA has defined its approach on the governance for development and deployment on the various aspects for each of the interoperability levels in the IDSA Whitepaper ‘Governance for Data Spaces Instances’[^2]. It clarifies the roles and responsibilities. In certain cases, the data space instance itself will fill in domain-specific details, while in other cases, the IDSA can propose inter data space standards. 
It is to be noted that in previous releases of the IDSA RAM, the focus has been on the development of intra data space interoperability. In the meantime, the inter data space interoperability has been gaining major interest[^1], as exemplified by the work of the Data Sharing Coalition on the Data Sharing Canvas[^3] and within the EU Project Trusts[^4]. With such initiatives, the IDSA will keep close alignment. + [^1]: European Union (2017). “New European Interoperability Framework (EIF) – Promoting seamless services and data flows for European public administrations”. URL: https://ec.europa.eu/isa2/sites/isa/files/eif_brochure_final.pdf. [^2]: IDSA Whitepaper. ‘Governance for Data Spaces Instances’. 2021. What is the status of this? Is it made publicly available? As addendum for the RAMv4 or the Rule book? diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_Governance_Perspective.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_Governance_Perspective.md index 392d3557..326af23b 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_Governance_Perspective.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_Governance_Perspective.md @@ -1,4 +1,4 @@ -## Governance Perspective +## Governance Perspective ## The Governance Perspective of the Reference Architecture Model defines the roles, functions, and processes of the International Data Spaces 
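Review bot: in the `@@ -1,20 +1,22 @@` hunk of 4_3_9_data_spaces_instances.md the first list item is re-emitted as a `+` line but keeps `(also known as to as ‘federations’ ...)`, and the unchanged paragraph above has `(of the reference implementation for) for data spaces instances`; both should lose the duplicated word. The footnote `[^2]` still carries the editorial question `What is the status of this? Is it made publicly available? As addendum for the RAMv4 or the Rule book?`, which should not ship in the published text. The image path `./media/interoperability-levels-as-distinguished-in-the-new-european-interoperability-framework.png.png` has a doubled extension, and the `Fig [4.3.9.1](#interoperability-levels-...png)` reference points at the image filename rather than at a heading anchor; now that the caption is a plain italic line instead of a `####` heading there is no anchor left to target, so either drop the link or keep an anchor for the caption.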
@@ -19,24 +19,24 @@ organizations according to their individual requirements. The International Data Spaces supports governance issues by -- providing an infrastructure for data exchange, corporate +- providing an infrastructure for data exchange, corporate interoperability, and the use of new, digital business models; -- establishing trustworthy relationships between Data Owners, Data +- establishing trustworthy relationships between Data Owners, Data Providers, and Data Consumers; -- acting as a trustee for mediation between participants; +- acting as a trustee for mediation between participants; -- facilitating negotiation of agreements and contracts; +- facilitating negotiation of agreements and contracts; -- aiming at transparency and traceability of data exchange and data +- aiming at transparency and traceability of data exchange and data use; -- allowing private and public data exchange; +- allowing private and public data exchange; -- taking into account individual requirements of the participants; and +- taking into account individual requirements of the participants; and -- offering a decentralized architecture that does not require a +- offering a decentralized architecture that does not require a central authority. The Governance Perspective in the context of the IDS-RAM relates to diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/README.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/README.md index e69de29b..2dd5a0f8 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/README.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/README.md 
@@ -0,0 +1,77 @@ +# Governance Perspective # + +## Table of Content ## + +[4.3 Governance Perspective](./4_3_Governance_Perspective.md#governance-perspective) + +[4.3.1 Governance Aspects Addressed by the Different Layers of the IDS-RAM](./4_3_1_Layers.md#governance-aspects-addressed-by-the-different-layers-of-the-ids-ram) + +[4.3.1.1 Business Layer](./4_3_1_Layers.md#business-layer) + +[4.3.1.2 Functional Layer](./4_3_1_Layers.md#functional-layer) + +[4.3.1.3 Information Layer](./4_3_1_Layers.md#information-layer) + +[4.3.1.4 Process Layer](./4_3_1_Layers.md#process-layer) + +[4.3.1.5 System Layer](./4_3_1_Layers.md#system-layer) + +[4.3.2 Data Governance Aspects](./4_3_2_Data_Governance_Model.md#data-governance) + +[4.3.2.1 Key Roles and Correlating Data Governance and Management Activities](./4_3_2_Data_Governance_Model.md#key-roles-and-correlating-data-governance-and-management-activities) + +[4.3.2.1.1 Data Owner/Data Provider](./4_3_2_Data_Governance_Model.md#data-owner--data-provider) + +[4.3.2.1.2 Data Consumer](./4_3_2_Data_Governance_Model.md#data-consumer) + +[4.3.2.1.3 Meta Data Broker Service Provider](./4_3_2_Data_Governance_Model.md#meta-data-broker-service-provider) + +[4.3.2.1.4 Clearing House](./4_3_2_Data_Governance_Model.md#clearing-house) + +[4.3.2.1.5 App Store Provider](./4_3_2_Data_Governance_Model.md#app-store-provider) + +[4.3.2.2 IDS Data Governance Model](./4_3_2_Data_Governance_Model.md#ids-data-governance-model) + +[4.3.3 Data as an Economic Good](./4_3_4_Data_as_an_economic_good.md#data-as-an-economic-good) + +[4.3.4 Data Ownership](./4_3_5_Data_Ownership.md#data-ownership) + +[4.3.5 Data Sovereignty](./4_3_6_Data_Sovereignty.md#data-sovereignty) + +[4.3.6 Data Quality](./4_3_7_Data_Quality.md#data-quality) + +[4.3.7 Data Provenance](./4_3_8_Data_Provenance.md#data-provenance) + +[4.3.8 Data Space Instances](./4_3_9_data_spaces_instances.md#data-spaces-instances) + +[4.3.9 IDSA Rulebook](./4_3_10_IDS_RuleBook.md#idsa-rulebook) + 
+[4.3.9.1 Goals and Scope of the IDSA Rulebook](./4_3_10_IDS_RuleBook.md#goals-and-scope-of-the-idsa-rulebook) + +[4.3.9.2 The purpose and scope of the Rulebook](./4_3_10_IDS_RuleBook.md#the-purpose-and-scope-of-the-rulebook) + +[4.3.9.3 Scope / Non-Scope in Detail](./4_3_10_IDS_RuleBook.md#scope--non-scope-in-detail) + +[4.3.9.4 How to use IDS? Competitive Advantage with Data Sovereignty](./4_3_10_IDS_RuleBook.md#how-to-use-ids-competitive-advantage-with-data-sovereignty) + +[4.3.9.5 Guiding principles](./4_3_10_IDS_RuleBook.md#guiding-principles) + +[4.3.10 Privacy Consequences](./4_3_11_Privacy_Perspective.md#privacy-consequences) + +[4.3.10.1 PET (Privacy Enhancing Technologies)](./4_3_11_Privacy_Perspective.md#pet-privacy-enhancing-technologies) + +[4.3.10.2 Minimum required risk mitigations](./4_3_11_Privacy_Perspective.md#minimum-required-risk-mitigations) + +## Files ## + +- [4_3_Governance_Perspective.md](./4_3_Governance_Perspective.md) +- [4_3_1_Layers.md](./4_3_1_Layers.md) +- [4_3_2_Data_Governance_Model.md](./4_3_2_Data_Governance_Model.md) +- [4_3_4_Data_as_an_economic_good.md](./4_3_4_Data_as_an_economic_good.md) +- [4_3_5_Data_Ownership.md](./4_3_5_Data_Ownership.md) +- [4_3_6_Data_Sovereignty.md](./4_3_6_Data_Sovereignty.md) +- [4_3_7_Data_Quality.md](./4_3_7_Data_Quality.md) +- [4_3_8_Data_Provenance.md](./4_3_8_Data_Provenance.md) +- [4_3_9_data_spaces_instances.md](./4_3_9_data_spaces_instances.md) +- [4_3_10_IDS_RuleBook.md](./4_3_10_IDS_RuleBook.md) +- [4_3_11_Privacy_Perspective.md](./4_3_11_Privacy_Perspective.md) diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/README.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/README.md index e69de29b..7013eae0 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/README.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/README.md 
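Review bot: in the new README (`@@ -0,0 +1,77 @@`) the TOC numbering and the file numbering diverge: `4.3.3 Data as an Economic Good` links to `4_3_4_Data_as_an_economic_good.md`, and every entry after it is offset by one (`4.3.8 Data Space Instances` to `4_3_9_...`, `4.3.9 IDSA Rulebook` to `4_3_10_...`, `4.3.10 Privacy Consequences` to `4_3_11_...`), so readers cannot match section numbers to files; renumber either the files or the entries. `4.3.2 Data Governance Aspects` links to `#data-governance`, whose heading in 4_3_2 is `Data Governance`; use the same title in both places. `## Table of Content ##` should read `Table of Contents`.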
@@ -0,0 +1,5 @@ +# Perspectives of the Reference Architecture # + +## Table of Content ## + +## Files ## From 79b6a501207b8d2c11c1e221dfaef13e9987c472 Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Wed, 12 Oct 2022 11:45:15 +0200 Subject: [PATCH 06/22] Editorial Update Security Perspective --- ...spects_adressed_by_the_different_layers.md | 19 ++- .../4_1_2_Identity_and_Trust_Management.md | 28 ++-- .../4_1_3_Securing_the_Platform.md | 24 +++- .../4_1_4_Securing_Applications.md | 12 +- ...ring_Interaction_between_IDS_components.md | 13 +- .../4_1_6_Usage_Control.md | 58 ++++----- .../4_1_Security_Perspective.md | 6 +- .../4_1_Security_Perspective/README.md | 122 ++++++++++++++++++ 8 files changed, 218 insertions(+), 64 deletions(-) diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_1_Security_Aspects_adressed_by_the_different_layers.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_1_Security_Aspects_adressed_by_the_different_layers.md index 42821b38..2c57ac13 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_1_Security_Aspects_adressed_by_the_different_layers.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_1_Security_Aspects_adressed_by_the_different_layers.md 
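Review bot: the new 4_Perspectives README (`@@ -0,0 +1,5 @@`) consists only of a title and two empty sections, `## Table of Content ##` and `## Files ##`; either fill them (the Governance Perspective README added in this patch shows the expected content) or add the file once it has content, since an empty table of contents reads as a broken page. Same wording point: `Table of Contents`.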
@@ -1,19 +1,24 @@ -# SECURITY ASPECTS ADDRESSED BY THE DIFFERENT LAYERS OF THE IDS-RAM +### SECURITY ASPECTS ADDRESSED BY THE DIFFERENT LAYERS OF THE IDS-RAM ### Since security generally covers non-functional aspects, security and trust serve as an enabler for functionalities such as data exchange. This results in security being a cross-cutting concern for the layers discussed in the core chapters of the RAM. -## BUSINESS LAYER +#### BUSINESS LAYER #### + Security delivers the means to establish trust in the ecosystem which is the basis for the sovereign data exchange and processing targeted. The roles that are established in [Section 3.1](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/) are either responsible for setting up this trustworthy ecosystem as described in the trust model in [Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md) or for adding services in the IDS that support the establishment of data value chains. -## FUNCTIONAL LAYER +#### FUNCTIONAL LAYER #### + The IDS is intended as a trustworthy ecosystem for sovereign data exchange. This leads to various functional requirements regarding data exchange and data processing which are defined in [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/). Security aspects and the trust model used in the IDS [Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md) shape these requirements by enabling or restricting some transactions or operations in the International Data Spaces. Without security, many use cases would not be possible (e.g., offering sensitive data to trusted business partners). The concept of data usage control described in [Section 4.1.6](./4_1_6_Usage_Control.md) allows Data Providers to attach data usage policy information to their data in order to define how a Data Consumer may use the data. 
-## PROCESS LAYER -To take security aspects into account on the Process Layer([Section 3.3](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/)), it is important that existing processes reflect the defined Trust Model ([Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md)) and are permanently monitored, validated, and redesigned, if need be. For example, to allow trustworthy identification and authentication of components using a public key infrastructure (PKI), the operator of this component must generate a key pair on the component, apply for a public key certificate from the Certificate Authority (CA) and provision this certificate onto the component. For dynamic attribute support, the provider of the Dynamic Attribute Provisioning Service (DAPS) needs to verify the attributes which it will confirm with the Dynamic Attribute Tokens (DATs). The same is true for trustworthy operations of an App Store, for which data must be verified and signed by a trusted entity before it can be uploaded. +#### INFORMATION LAYER #### -## INFORMATION LAYER The Information Layer ([Section 3.4](../../3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/)) provides the means for participants to use a common vocabulary and common semantics to express concepts and relationships between them. In doing so, it is possible to, e.g., describe a connector setup or specify access and usage control policies in a way that these are understood by all participants. -## SYSTEM LAYER +#### PROCESS LAYER #### + +To take security aspects into account on the Process Layer([Section 3.3](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/)), it is important that existing processes reflect the defined Trust Model ([Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md)) and are permanently monitored, validated, and redesigned, if need be. 
For example, to allow trustworthy identification and authentication of components using a public key infrastructure (PKI), the operator of this component must generate a key pair on the component, apply for a public key certificate from the Certificate Authority (CA) and provision this certificate onto the component. For dynamic attribute support, the provider of the Dynamic Attribute Provisioning Service (DAPS) needs to verify the attributes which it will confirm with the Dynamic Attribute Tokens (DATs). The same is true for trustworthy operations of an App Store, for which data must be verified and signed by a trusted entity before it can be uploaded. + +#### SYSTEM LAYER #### + The IDS components described in the System Layer ([Section 3.5](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/))) form the IDS ecosystems. While the System Layer focuses on the general setup and functionality of these components, the security requirements and concepts for these components are mostly equivalent for the different components which are in essence either IDS connectors or specific types of connectors. The security perspective adds the overall view on the concepts used to ensure trust and security for all these components. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md index 44d68637..febd4de5 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md 
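Review bot: the reordering in this hunk moves `#### INFORMATION LAYER ####` (Section 3.4) ahead of `#### PROCESS LAYER ####` (Section 3.3), so the subsections of the security perspective no longer follow the numbering of the layers they describe; unless the swap is intentional, keep Process before Information as in the original. Two small fixes in the text touched here: `Process Layer([Section 3.3]` needs a space before the parenthesis, and the SYSTEM LAYER link `3_5_System_Layer/))) form the IDS ecosystems` has one closing parenthesis too many, which renders as a stray `)` after the link.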
@@ -1,12 +1,13 @@ -# Identity and Trust Management +### Identity and Trust Management ### The International Data Spaces allow participants a cross-company data exchange. In many cases, the participants intending to exchange data have no prior knowledge about the other company and its utilized components to properly assess the consequences of such a data exchange. Thus, the IDS offers mechanisms to gain reliable information which help to establish trust and enable participants to make sovereign and informed decisions. -Identity and trust management is rooted in the components described in ([Chapter 3.5.1](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_1_Identity_Provider.md)). +Identity and trust management is rooted in the components described in ([Section 3.5.1](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_1_Identity_Provider.md)). -## Identities for Devices +#### Identities for Devices #### The IDS Connector is the central device to establish trust on a technical level and to ensure a secure data exchange across domain boundaries. In the IDS, each connector instance possesses it's own identity. Each connector instance is made up of several aspects: + * The platform the IDS Connector instance depends on. A platform consists of hardware, firmware, operating system and (container) run-time environment. * The Connector Core Services software artifacts that provide management functionality and IDS interoperability. * The configuration of an IDS Connector (defined data routes, configured Usage Control framework). 
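Review bot: `each connector instance possesses it's own identity` in the Identities for Devices paragraph of this hunk should read `its own identity`; since the hunk already touches the surrounding lines for the heading change, fix the typo in the same pass. The change from `Chapter 3.5.1` to `Section 3.5.1` is right, but the Describing Metadata bullets later in this file still say `Chapter 4.2.3` and `Chapter 4.2.4`, so the cross-reference wording should be made consistent across the whole file.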
@@ -22,7 +23,7 @@ One component always is characterized by the combination of platform and service ![Components SW Stack](./media/SW_Stack_Components_connector_blueprint.png) #### _Figure 4.1.2.1: Components of the Software Stack of an IDS Connector_ -### Component Identifier +##### Component Identifier ##### The identity of a combination of platform and service instance is bound to an identifier for the service instance. @@ -31,6 +32,7 @@ The identity of a combination of platform and service instance is bound to an id * Each C_UID is mapped to a Connector Instance Key (CIK) pair which is typically used for TLS but possibly also data signing and other identity proofs. Each Service Instance needs to be mapped to one platform it utilizes: + * Each platform blueprint gets a unique identifier during the component certification. * For a component with Trust level 1, the concrete platform instantiation (running version of this blueprint) does NOT get a specific platform UID (P_UID) as well as key and certificate for this platform instance. Instead, the connector description solely references the (unique) identifier of the certified blueprint (and the operator needs to be trusted to ensure its correct instantiation). * For components with Trust Level 2 or 3, each platform instantiation needs to be uniquely identified with a UID (P_UID). This UID is required to provide a mapping from service instance to platform. 
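Review bot: demoting `### Component Identifier` to `##### Component Identifier #####` leaves the figure caption `#### _Figure 4.1.2.1: Components of the Software Stack of an IDS Connector_` two lines above it as a level-4 heading, so the caption now outranks the subsection it precedes and will show up as its own entry in any generated table of contents. Consider rendering figure captions as italic paragraphs instead of headings, or placing them below the lowest section level used in the file.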
@@ -44,11 +46,14 @@ Each Service Instance needs to be mapped to one platform it utilizes: ![Identity mapping for different scenarios](./media/identity_mapping.png) #### _Figure 4.1.2.2: Identities for IDS Connector Services and Platforms_ -(Remark: The platforms in the image may always be either physical devices or protected VMs) -### Describing Metadata +*(Remark: The platforms in the image may always be either physical devices or protected VMs)* + +##### Describing Metadata ##### + The IDS targets sovereign data exchange, which does not only comprise a secure exchange of data but also a trustworthy environment for data processing honoring the defined usage control policies. To achieve this goal, it is not sufficient to only know the identity of another IDS component, but additional information about the company operating the component and the utilized software stack is required. This information is provided in form of the following describing artifacts: + * A **Company Description** for each company operating an IDS component which contains verified information about the company as well as information about its Operational Environment Certification (explained in [Chapter 4.2.3](../4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md)). * **Software Manifests** for the utilized software components which have been evaluated in the Component Certification explained in [Chapter 4.2.4](../4_2_Certification_Perspective/4_2_4_Component_Certification.md)). In addition to the awarded certification levels, the manifests for components with Trust Level 2 and 3 contain verified measurements which can be used to validate that the described software is truly running on the device. To support re-usability of components, the description of each software stack consists of three types of Software Manifests used for describing different layers: * A **Root of Trust for Measurement (RTM) Manifest** for components of the boot stage, 
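Review bot: in the Software Manifests bullet of this hunk, `explained in [Chapter 4.2.4](../4_2_Certification_Perspective/4_2_4_Component_Certification.md)).` has an unbalanced closing parenthesis that renders as a stray `)`; drop it. The same bullets still use `Chapter 4.2.3` / `Chapter 4.2.4` although the first hunk of this file switched to `Section`. The italicised remark added here also sits directly under the `#### _Figure 4.1.2.2_` caption heading, which has the same caption-as-heading problem as Figure 4.1.2.1.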
@@ -59,7 +64,7 @@ In addition to these static artifacts, the connector operator may add additional All this metadata is provided in machine-readable form. Manifest information for each artifact, such as manifests for all software components, operating system or apps are attached to the artifact itself and will be provided by the IDS Connector that hosts the artifact. Verified Company Descriptions are also provided by IDS Connectors itself, since the ParIS only provides unverified information. Dynamic attributes for each IDS Connector as well as revocation information for Software Manifests are provided by the DAPS. -### Interactions between IDS Connectors and Identity Components +##### Interactions between IDS Connectors and Identity Components ##### To establish a trusted connection, each connector needs the identity information of the corresponding connector to perform access and usage control decisions. The interactions can be depicted as follows: 
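Review bot: `Verified Company Descriptions are also provided by IDS Connectors itself` in the context of this hunk should be `themselves`; as this is an editorial pass on the file, it is worth fixing alongside the heading change.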
@@ -72,12 +77,13 @@ To establish a trusted connection, each connector needs the identity information To reduce the risk of an attacker abusing a DAT, these DATs should only be disclosed to other communication partnes at will. To further protect from attacks performed with leaked DATs, each Connector has to validate the certificate used for the TLS connection against the DAT in one of the following two ways: + * Option 1. The connector uses its identity certificate for TLS connections. In this case, the corresponding IDS connector must assure the identifier in the DAT matches the presented certificate. * Option 2. The connector uses a separate certificate for TLS connections (e.g., issued by a CA such as Let's Encrypt). In this case, the corresponding IDS Connector must assure the certificate fingerprint matches the one that is embedded in the DAT. The ParIS only serves untrusted information and thus is not part of this interaction. The DAT will be refreshed on a regular basis, since the token lifetime is limited to a short timeframe. The device identity will be provisioned and refreshed only after expiration (with a long time frame) or in case of revocation. -### Component (Identity) Lifecycle +##### Component (Identity) Lifecycle ##### | Phase | When does it happen | How is the component identity affected | What about the data? | | --- | --- | --- | --- | 
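Review bot: `communication partnes at will` in the first line of this hunk is a typo for `partners`, and `at will` reads as the opposite of what the sentence requires: the surrounding text is about leaked DATs being abused, so the intent is that a DAT is disclosed only to the intended communication partner, never freely. Suggest `should only be disclosed to the intended communication partner`. The bullets `* Option 1.` / `* Option 2.` mix a bullet marker with manual numbering; a plain numbered list renders the same without the duplicated marker.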
@@ -85,13 +91,15 @@ The ParIS only serves untrusted information and thus is not part of this interac | **Maintaining** | New versions of utilized software are distributed, configuration of the component changes | As long as the trust level of the SW stack AND the operator remain unchanged, the overall connector identity does NOT need to change. In case significant attributes of the component (e.g. trust level) change, the identity as the sum of all attributes changes but the unique identifiers may be used further. | Data already stored on the connector MUST adhere to the defined Usage Control policies so update or migration strategies need to ensure their fulfillment by deleting/removing/making data inaccessible. | | **Out of service (Decommissioning)** | Component is sold/transferred to another operator, component is not offered/available any longer | The component identity needs to be decommissioned (either only the C_UID or C_UID and P_UID), certificate(s) of the component(s) is(are) revoked. | All data currently on/in the connector needs to be removed (if necessary transfer them to other connectors beforehand). | -## Identities for Participants +#### Identities for Participants #### + The IDS can have many participants interacting ranging from large enterprises and organizations to individuals. Means for identifying those participants are required, since they are responsible for (at least) operating (or using) an IDS component (e.g., a connector) and thus the actions taken by this component and managing provided data (quality, content, updates, decision on usage policies). Thus, each participants gets a unique identifier (O_UID). Based on this, an identity management for participants can either be based on identities for the organizations themselves or for the human users working for this organizations. Identities are typically bound to private-public key pairs generated for each identity and confirmed by the Identity Provider. 
Respective processes are required to ensure correct mapping of the key pairs and the identities to be utilized in the IDS. This, however, requires a CA that provides identity certificates for employees of Participants. This is yet to be defined in detail. -## Trust Bootstrapping and Trust Chains +#### Trust Bootstrapping and Trust Chains #### + Identifying and authenticating an IDS connector requires an evaluation of many complementary aspects. The following table provides an overview of these aspects and the entities responsible for them. | High-Level Aspect | Detailed Aspect | Trust Level | Entity Responsible | Validation necessary for issuing proof | Proof the IDS connector needs to validate | diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_3_Securing_the_Platform.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_3_Securing_the_Platform.md index 8c4d7d3c..1aa6bfd2 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_3_Securing_the_Platform.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_3_Securing_the_Platform.md 
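Review bot: two grammar slips in the Identities for Participants paragraph of this hunk: `each participants gets a unique identifier (O_UID)` should be `each participant gets`, and `the human users working for this organizations` should be `these organizations`. The closing sentence `This is yet to be defined in detail.` records an open gap (no CA issuing identity certificates for employees of Participants); tracking it as a TODO marker or a linked issue would make the gap easier to find than a sentence in body text.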
@@ -1,18 +1,23 @@ -# Securing the Platform +### Securing the Platform ### Security of data processing in an IDS Component depends on the system security of the utilized software stack consisting of different hardware and software components. Those hardware and software components that are critical for ensuring the confidentiality and integrity of the transmitted and processed data form the Trusted Computing Base (TCB). Different deployment scenarios and their respective TCBs are described in the [first subsection](#deployment-scenarios). The [following subsection](#hardware-security-features) provides some background on hardware security features that might be used for securing the platform. Finally, the [last subsection](#platform-security-requirements) provides an overview of essential security requirements and how to achieve them. -## Deployment Scenarios +## Deployment Scenarios ## + In general, there are three different possibilities for the combinations of platform and connector service instances: + * A 1:1 mapping with a connector being a single device consisting of one platform instance and one connector service instance * A 1:n mapping with multiple connectors on one physical device, i.e., a system with one platform instance and multiple connector service instances * A n:m mapping with multiple devices offering a distributed deployment for multiple connector service instances (e.g. with Kubernetes) The figure below shows the three options with their respective trusted computing bases: + ![Deployment Scenarios](./media/deployment_scenarios.png) + #### _Fig. 4.1.3.1: Deployment Scenarios_ The TCB consists of the following components: + * All **hardware** components with access to unencrypted app data. * **Firmware / bootloader / UEFI** representing all software components used to bootstrap the system and initialize the hardware before starting the kernel. 
* Optionally a **hypervisor** which may be used to isolate multiple connectors on a device by providing a Virtual Machine (VM) for each of them. The impact on the TCB is illustrated for the 1:n mapping in a comparison to a solution with OS-level virtualization, i.e., containers. 
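Review bot: the heading levels in this hunk are inconsistent: the file title goes from `#` to `### Securing the Platform ###`, but `## Deployment Scenarios ##` stays at level 2, which places it above the file's own title, while the sibling sections in the next hunk of the same file (`#### Hardware Security Features ####`, `#### Platform Security Requirements ####`) become level 4; change it to `#### Deployment Scenarios ####`. The intro links to `#deployment-scenarios`, `#hardware-security-features` and `#platform-security-requirements`, so whoever merges this should confirm the anchors still resolve after the trailing `##` is added (GitHub strips closing hashes when generating slugs, so they should).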
@@ -25,27 +30,32 @@ Additionally, the TCB may include **external components** in the surrounding inf It is important to note that from a component security perspective there is no need to address the usage of cloud solutions differently than an on-premise deployment. In both cases, the TCB includes all components that are required to ensure the confidentiality and integrity of the transmitted and processed data and needs to fulfill all requirements defined in the certification criteria catalog. The only differences lie in the responsibility for the different layers of the software stack and ensuring their conformity. -## Hardware Security Features +#### Hardware Security Features #### In the following, we provide a brief overview on three hardware security features that might help fulfilling the requirements introduced in the [subsection below](#platform-security-requirements). For complete fulfillment of certification requirements, a combination of the mentioned techniques might need to be applied. -### Hardware Security Module (HSM) +##### Hardware Security Module (HSM) ##### + A Hardware Security Module (HSM) is a physical device containing one or more secure cryptoprocessor(s). It typically provides secure key generation, storage and management and supports using those keys for performing encryption or digital signing. Additionally, most HSMs provide tamper protection, ranging from a notification of detected tampering attempts to deleting the keys upon tamper detection. A HSM can either be directly integrated or attached to the hardware of one device or deployed as a network device which is shared by multiple clients in the network. The components necessary to manage and access the HSM belong to the TCB of the device using the HSM, even if they are deployed on other devices in the network (e.g. in case of a HSM as a network device). 
-### Trusted Platform Module (TPM) +##### Trusted Platform Module (TPM) ##### + Trusted Platform Module (TPM) is a specification for secure cryptoprocessors with the newest version being the [TPM 2.0 Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) from the Trusted Computing Group. The TPM API can be implemented in a Secure Element, in the Platform-Firmware, inside a Trusted Execution Environment (TEE), or in form of a pure Software TPM. A TPM can provide a root of trust for measurement (RTM), reporting and storage based on the Endorsement Key (EK) which was securely provisioned by the TPM manufacturer. It can generate, securely store and mange keys similarly to a HSM but is typically more strongly integrated into one host system only securing the keys for this device. Additionally, a TPM can be used to bind keys to the integrity of the utilized software stack and to securely store measurements of software components. If the TPM measurements include all components of the TCB they can be used as proof of the system's integrity for remote attestation. -### Confidential Computing +##### Confidential Computing ##### + Confidential Computing approaches have been introduced with the goal to reduce the size of the TCB in the light of increasingly complex software stacks. They remove processes and components from the TCB by setting up hardware-supported isolated runtime environments, i.e., Trusted Execution Environments (TEE). The CPU utilized in the device must provide the necessary hardware features to support this approach. The hardware cryptographically protects confidentiality and integrity protection for process memory from higher-privileged access. 
Depending on the utilized CPU, there are different confidential computing approaches offered by the major hardware manufacturers: + * AMD offers a VM-based solution called Secure Encrypted Virtualization ([SEV](https://www.amd.com/en/processors/amd-secure-encrypted-virtualization)) with its newest version being [SEV-SNP](https://www.amd.com/system/files/TechDocs/56860.pdf) (Secure Nested Paging). * After starting with the process-based Software Guard Extensions ([SGX](https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions.html)), Intel is now developing a VM-based solution called Trust Domain Extensions ([TDX](https://software.intel.com/content/www/us/en/develop/articles/intel-trust-domain-extensions.html)). * Likewise, Arm is working on their own VM-based Confidential Computing Architecture ([CCA](https://www.arm.com/why-arm/architecture/security-features/arm-confidential-compute-architecture)). To prove the correct setup of a TEE, each of the mentioned approaches offers some kind of remote attestation with proof of the integrity of the initial software components required. However, currently available implementations do not offer an attestation for the entire software stack, i.e., the TCB. -## Platform Security Requirements +#### Platform Security Requirements #### + The Certification Criteria Catalog for Components defines various requirements for interoperability and security of an IDS Connector. It provides three different Trust Levels with an increasing number of requirements as explained in [Section 4.2.4](../4_2_Certification_Perspective/4_2_4_Component_Certification.md). The following paragraphs provide an overview of important security requirements affecting the platform of an IDS connector and possible approaches for fulfilling them: 
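Review bot: `It can generate, securely store and mange keys similarly to a HSM` in the TPM paragraph of this hunk has `mange` for `manage`, and `a HSM` / `A HSM` (three occurrences across the HSM and TPM paragraphs) should be `an HSM`. In the Confidential Computing paragraph, `The hardware cryptographically protects confidentiality and integrity protection for process memory` doubles up `protects ... protection`; `provides confidentiality and integrity protection for process memory against higher-privileged access` says the same thing. The closing sentence, that current TEE implementations attest only the initial software components and not the entire TCB, is an important caveat: it would help readers of 4.1.5 to state here that a TEE attestation on its own therefore does not replace the measured-boot Measurements required for Trust Level 2 and 3.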
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_4_Securing_Applications.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_4_Securing_Applications.md index e219c202..72e61d18 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_4_Securing_Applications.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_4_Securing_Applications.md 
@@ -1,18 +1,21 @@ -# Securing Applications +### Securing Applications ### A secure platform is needed to guarantee the secure and isolated execution of all applications. This platform provides security mechanisms and enable applications to fulfill their security requirements. Building on a secure platform, all applications deployed on the connector need to integrate into the utilized security mechanisms and fulfill security requirements themselves. -## Security Measures in the Platform +#### Security Measures in the Platform #### + Security measures in the platform are responsible for ensuring a secure deployment of provided applications. The platform verifies authenticity and integrity of all applications by checking the signatures in the provided App Manifests before starting the applications. In case the IDS App is supplemented with usage control policies for licensing purposes (e.g., only allowing usage of the software for a certain amount of time or limiting the number of simultaneously running instances), the platform is responsible for enforcing those policies and only starting the application if the defined conditions are met. Additionally, the platform enforces isolation, communication routes and privileges for all applications based on configuration from the Connector Core Services and/or Control Apps. While some configuration attributes may be set freely, security-critical configuration aspects (which were also assessed during certification) need to be: + * set to fixed values embedded in the utilized software images (not allowing configuring through applications at runtime), * limited to a pre-defined set of options, * or validated by certified code (in the Connector Core Services or platform component) before coming into effect. 
-## Connector Core Services and Control Apps +#### Connector Core Services and Control Apps #### + The Connector Core Services (or respective Core Services for other IDS components) and Control Apps are responsible for offering IDS-specific interfaces, configuring the entire connector stack securely and managing data exchange and processing on the connector. These applications often have higher privileges on the IDS Connector which are required to use and configure functionalities offered by runtime and kernel of the platform. The criteria for the certification of an IDS connector apply for these applications and need to be fulfilled by the combination of platform, Connector Core Services and (optionally) Control App. @@ -27,6 +30,7 @@ During certification, the applications must be evaluated as a part of the overal To reduce the attack surface, different functionalities should be split into modular and isolated applications interacting only via defined interfaces. The privileges for the applications should be reduced to those required for the respective functionality in accordance with the principle of least privilege. -## Adapter and Data Apps +#### Adapter and Data Apps #### + In contrast to Connector Core Services and Control Apps, Adapter and Data Apps are unprivileged and isolated containers which cannot modify the connector functionalities but rely on them to provide their app functionality. They need to fulfill specific app requirements, e.g. containing all necessary dependencies to form an independent container, conducting input validation for offered interfaces, and having a description matching the functionality provided by the application. However, they rely on the certified connector for securing communication channels to the outside world as well as authentication and authorization of users requesting access to provided interfaces. 
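Review bot: `This platform provides security mechanisms and enable applications to fulfill their security requirements` in the intro of the first hunk should be `enables`. In the bullet list on security-critical configuration, the last item starts with `* or validated by certified code`; the leading `or` belongs at the end of the preceding item or in the sentence introducing the list rather than at the start of a bullet.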
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_5_Securing_Interaction_between_IDS_components.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_5_Securing_Interaction_between_IDS_components.md index b3df0c7b..40485e0f 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_5_Securing_Interaction_between_IDS_components.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_5_Securing_Interaction_between_IDS_components.md @@ -1,4 +1,4 @@ -# Securing Interaction between IDS Components +### Securing Interaction between IDS Components ### Data transfer in the IDS needs be secured by protecting the communication between IDS components, i.e. enabling identification, authentication, and authorization for components as well as providing confidentiality and integrity protection for the transferred data. This chapter explains the following aspects about establishing and using a secure communication channel between IDS components: 
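Review bot: `Data transfer in the IDS needs be secured` in the context of this hunk is missing `to` (`needs to be secured`). With the title demoted to `### Securing Interaction between IDS Components ###`, the sentence `This chapter explains the following aspects` should say `section`, matching the Chapter-to-Section renaming done elsewhere in this patch.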
@@ -7,12 +7,13 @@ Data transfer in the IDS needs be secured by protecting the communication betwee * Using the communication channel for [data transfer](#data-transfer-using-this-communication-channel) Additionally, we address the topic of [Dynamic Trust Monitoring](#dynamic-trust-monitoring) which may be used to continuously track the current status of IDS components. -## Preparation of Required Information +#### Preparation of Required Information #### In preparation for the establishment of a secure communication channel, an IDS component needs to be have a set of information available as shown in the image below. ![Overview Required Information](./media/information_for_communication_channel.png) Most of the information is provisioned onto the component when it is initially taken into service and only updated occasionally when things change: + * A private key called **Identity Key** is used to identify the component ([Chapter 4.1.2.](./4_1_2_Identity_and_Trust_Management.md)). The key needs to be protected on the device and shall be only known to this specific component. * The **Device Identity Certificate** maps the public key (corresponding to the private key) to a UID and the responsible company (operator) as described in [Chapter 4.1.2.](./4_1_2_Identity_and_Trust_Management.md). * The **Company Description** contains metadata concerning the responsible company (as described in [Chapter 4.1.2.](./4_1_2_Identity_and_Trust_Management.md)), in particular its certification level from the Operational Environment Certification ([Chapter 4.2.3](../4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md)). 
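Review bot: `an IDS component needs to be have a set of information available` in the first paragraph of this hunk should be `needs to have`. The cross-references `[Chapter 4.1.2.](./4_1_2_Identity_and_Trust_Management.md)` (three occurrences in the bullets) carry a trailing period inside the link text and still say `Chapter`, while 4_1_1 and 4_1_2 were switched to `Section` in this patch.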
@@ -20,10 +21,12 @@ Most of the information is provisioned onto the component when it is initially t * The **CA Trust List** contains information about all Certificate Authorities (CAs) used in the IDS which issue identity certificates for devices and users as described in [Chapter 4.1.2.](./4_1_2_Identity_and_Trust_Management.md). It is used as a trust anchor for validating signatures based on the utilized certificate and certificate chain. Additionally, the IDS component requires two artifacts for the establishment of a secure communication channel that need to be requested regularly during connector operation: + * The **Dynamic Attribute Token (DAT)** contains up-to-date revocation information about the utilized Company Descriptions and Software Manifests as well as dynamic attributes for the component. It is only valid for a short amount of time and the component regularly needs to request it from the Dynamic Attribute Provisioning Server (DAPS) to be able to prove current attributes and the up-to-dateness of the utilized software stack. * The integrity of the software stack can only be proven (as requested for Trust Level 2 and 3) with **Measurements** collected during a measured boot as described in [Chapter 4.1.3](./4_1_3_Securing_the_Platform.md). Those measurements are stored in an integrity protected way and get provided upon request (with a Nonce for freshness) by the hardware trust anchor with a signature proving their correctness. -## Establishment of a Secure Communication Channel +#### Establishment of a Secure Communication Channel #### + The establishment of a secure communication channel requires five essential steps which use the information described above. The image below shows the necessary information for the different validation steps separately to show the logic behind the validations. However, in an implementation of the protocol, necessary information may be transferred in a combined Attestation Report. 
![Communication Channel Establishment](./media/communication_channel_establishment.png) 
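Review bot: this hunk expands `DAPS` as `Dynamic Attribute Provisioning Server`, while 4_1_1 in this same patch expands it as `Dynamic Attribute Provisioning Service`; pick one expansion for the whole Security Perspective. `stored in an integrity protected way` should be hyphenated (`integrity-protected`), and `Nonce` need not be capitalised. Since the next paragraph allows the validation data to be combined into an Attestation Report, it would be worth stating that the nonce supplied with the Measurements request is the one echoed in that report, as that is what lets the receiving connector check freshness.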
@@ -38,10 +41,10 @@ The establishment of a secure communication channel requires five essential step Based on these steps, each component has transparent information about their communication partner and can sovereignly decide about (the terms for) data sharing. -## Data Transfer using this Communication Channel +#### Data Transfer using this Communication Channel #### After establishing the secure communication channel, it can be used to transfer arbitrary data with the desired protocols on the application layer. As long as the communication remains bound to this communication channel, the transferred (attestation) information can be used to assess the consequences of the data transfer. It is in general possible to change from this channel to another way of communication for the further data exchange. In such a case, it is essential to ensure that the new communication channel is bound to the exact same communication partner as during this communication channel establishment. In case this is not the case, the involved parties should be aware that the security guarantees offered by the successful remote attestation may not hold for the new data communication or exchange channel. -## Dynamic Trust Monitoring +#### Dynamic Trust Monitoring #### The information provided during the establishment of a secure communication channel may be used by a Dynamic Trust Monitoring service which provides an overview of deployed components in the data space. The attestation report and DAT can provide status information about the utilized software (versions) and possible security issues. As an alternative or addition, the Dynamic Trust Monitoring may provide black box testing of components such as checking of used communication protocol versions or port scans. 
For the collection of more in-depth information about the monitored components, it is possibly to deploy monitoring clients on the different connectors which continously provide the Dynamic Trust Monitoring with relevant status information. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md index 052ffcc3..227b4787 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md @@ -1,6 +1,6 @@ -### **DATA USAGE CONTROL** +### Data Usage Control ### -#### **INTRODUCTION** +#### Introduction #### In information security, Access Control restricts access to resources. Authorization is the process of granting permission to resources. There are several models of Access Control, such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), etc. RBAC and ABAC are the most frequently used models. 
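Review bot: the unchanged Dynamic Trust Monitoring paragraph that closes this hunk (@@ -38,10 +41,10) still reads "it is possibly to deploy monitoring clients ... which continously provide"; since this is an editorial pass, change these to "it is possible to deploy" and "continuously". The caveat in the "Data Transfer using this Communication Channel" paragraph would also be more useful to implementers if it said what "bound to the exact same communication partner" requires in practice: the new channel must be authenticated with the same component identity (the certificate and key verified during the attested channel establishment); otherwise, as the paragraph already notes, the remote-attestation guarantees do not carry over to the new channel.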
@@ -70,7 +70,8 @@ The following examples illustrate security requirements that cannot be achieved It is important to note that the purpose of Data Usage Control is to allow the specification of such constraints and enforcing them in the respective system. A precondition of Data Usage Control is that the enforcement mechanism itself is trusted; i.e., Data Usage Control itself does not establish trust in an endpoint, but rather builds upon an existing trust relationship and facilitates enforcement of legal or technical requirements, such as Service Level Agreements (SLAs) or data privacy regulations. Thus, users must be aware that Data Usage Control will only provide certain enforcement guarantees if applied on highly trusted platforms, such as Trusted Connectors in the International Data Spaces [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer)) -#### **ORGANIZATIONAL RULES AND LEGAL CONTRACTS** +#### Organizational Rules and Legal Contracts #### + Data Usage Control can be implemented by means of a machine-readable contract, which is expected to be fulfilled by a party. It is a way to track and trace data as it is used within different systems and to collect evidence of the violation of agreed usage constraints. With that in mind, solutions range from organizational rules or legal contracts to completely technical ways of enforcing usage restrictions. For example, an organizational rule (e.g. a company policy) could state that employees must not use removable storage devices, such as USB sticks. Similarly, a technical form of enforcement, such as group policies specified by the Windows operating system, can prevent employees from using removable storage devices. In some scenarios, organizational rules, legal contracts, and technical rules can be used interchangeably. In other scenarios, the three forms can be used to complement each other. 
In the long run, it can be expected that organizational rules and legal contracts will increasingly be replaced by technical forms of enforcement (as illustrated in [Figure 4.1.6.3](media/Technical_vs_Organizational.drawio.png)). 
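Review bot: the context line at the end of this hunk (@@ -70,7 +70,8) has a broken cross-reference: "[Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer))" carries an unbalanced closing parenthesis, points at a directory rather than a page, and the sentence has no final period. Use the file path the certification patch in this same series uses, "../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_Functional_Layer.md", wrap it as "(see [Section 3.2](...))" and end the sentence.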
@@ -78,31 +79,31 @@ Data Usage Control can be implemented by means of a machine-readable contract, w _Figure 4.1.6.3: Technical enforcement vs. organizational/legal enforcement_ -#### **ROLES INVOLVED IN USAGE CONTROL** +#### Roles involved in Usage Control #### Usage Control is a cross-sectional concept and technology, which involves several IDS roles. -##### **BROKER** +##### Meta Data Broker ##### The IDS Broker manages Connector self-descriptions that can contain usage policies. Therefore the Broker must be able to support usage policies. In addition the Connector self-description itself may be subject of usage policies. -##### **CONNECTOR** +##### Connector ##### The Connector is the main technical component for implementing Usage Control. Hence, Usage Control enhanced Connectors, such as the Trusted Connector, contain relevant components to perform Usage Control enforcement as Data Consumer (PEPs, Interceptors; PDPs, PMPs). However, PMPs and PDPs do not need to be part of the Connector. In addition, Connectors as Data Providers should provide the technology-dependent policies to the data they provide – for all kinds of systems and enforcement technologies that are part of the ecosystem. -##### **CLEARING HOUSE** +##### Clearing House ##### By means of Data Provenance Tracking (as described in the next section), it is possible to track the usage of data and the enforcement of usage restrictions. The Clearing House is able to use this data later on. -##### **APP STORE** +##### App Store ##### Data Apps can take advantage of Usage Control technology. The IDS App Store needs to be able to provide information as to whether a Data App implements such technology. -##### **APP PROVIDER** +##### App Provider ##### For Data Apps to take advantage of Usage Control technology, App Providers need to implement certain components, such as control points (i.e., PEPs), into their application. 
-#### **IDS USAGE CONTROL LANGUAGE** +#### IDS Usage Control Language #### The IDS Information Model is a modular meta-model (ontology) describing the capabilities of IDS infrastructure components, such as the Connector or the Data Endpoints. Descriptions of data provided by Data Endpoints are published at dedicated Broker registries, allowing potential Data Consumers to search for and identify data that is relevant (semantics) and applicable (quality) for their particular purpose, and to assess in advance data’s affordability (price) and usability (restrictions). @@ -120,7 +121,7 @@ For example, the ODRL Constraint class expresses logical conditions that govern _Figure 4.1.6.5: Examples of mapping among policy language levels_ -#### **IDS USAGE CONTROL POLICIES AND POLICY CLASSES** +#### IDS Usage Control Policies and Policy Classes #### IDS Policy Classes are atomic policy templates that refer to specific restrictions on data usage. They are specified in IDS Usage Control Language and define the relevant operands, operators, values and data types for addressing such restrictions. Listing these predefined templates not only supports the stakeholders to know how to specify specific usage restrictions using IDS Usage Control Language, but also let them trace the usage control coverage of their systems. This means that they will know in advance which restrictions may be specified and they can plan the enforcement of these restrictions. 
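Review bot: in the roles hunk (@@ -78,31 +79,31) the heading is renamed from "BROKER" to "Meta Data Broker", but the paragraph under it still says "The IDS Broker manages ... the Broker must be able to support usage policies"; align the body with the new name. The rename also changes the generated anchor from #broker to #meta-data-broker, which the README table of contents in this same patch now depends on, so any other page that still links to #broker needs the same update. In the following hunk (@@ -120,7 +121,7) the heading "IDS Usage Control Policies and Policy Classes" is fine, but "let them trace" in the context line should be "lets them trace".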
@@ -130,7 +131,7 @@ These Policy Classes can be instantiated and combined to form an identified IDS Overall, an IDS Contract wraps a usage policy with additional information about the involved parties (i.e. the Data Provider and the Data Consumer) and the contract metadata (e.g. issued date). After a successful Contract Negotiation process, the involved parties agree on a set of usage restrictions (i.e. usage policy) as part of their Contract Agreement. Thus, they must assure that these usage restrictions are enforced into their systems (i.e. Connectors). The [Usage Control in IDS](https://internationaldataspaces.org/data-sovereignty-updated-position-paper-on-data-usage-control-in-the-ids/) provides the possibilities to support the IDS Participants to specify and negotiate their usage policies as well as technically enforcing them via various technologies (e.g. [MYDATA Control Technologies](https://www.mydata-control.de/), LUCON, etc.) -#### **MANAGEMENT** +#### Management #### A Policy Management Point (PMP) is responsible for the management of usage policies. Hence, the component is concerned with the policy’s lifecycle. This includes instantiation, deployment, and revocation of usage restrictions, as well as conflict detection and resolution. 
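Review bot: in the context below the new "Management" heading (@@ -130,7 +131,7), "The [Usage Control in IDS](https://internationaldataspaces.org/...) provides the possibilities" reads as a fragment because the link text is a document title, and "enforced into their systems" should be "enforced in their systems". Suggest: "The [Usage Control in IDS position paper](...) describes how IDS Participants can specify and negotiate their usage policies and technically enforce them via various technologies (e.g. MYDATA Control Technologies, LUCON)."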
@@ -142,7 +143,7 @@ There are two ways to make usage restriction information available: The management of usage policies becomes especially important when data is to be exchanged across system boundaries. Every time data crosses system boundaries, the target system must be prepared for the protection of incoming data (i.e. it has to deploy the corresponding policy). -#### **USAGE CONTROL IN A CONNECTOR** +#### Usage Control in a Connector #### Usage Control only makes sense in an ecosystem where a certain level of trust can be established and maintained for all participants. To enable the establishment of trusted relationships, the central technological components used for data processing and data exchange need to be trustworthy. The IDS Connector is the central component for data exchange and data processing in the International Data Spaces, and thus a central component that needs to be trusted. 
@@ -160,7 +161,7 @@ Instances of the Trusted Connector enable remote integrity verification, so the The Trusted Connector guarantees a controlled execution environment for data services and supports the creation of trusted relationships. A general constraint is one that remains for all deployed IT systems: As long as physical or logical access is granted to administrators, protection against data theft by malicious partners is almost impossible to prevent. The International Data Spaces is seen as a network of partners that are provided with the technical means to fulfill their obligations and support in deciding what partners to trust and to define reasonable access conditions. -#### **MESSAGE ROUTER and INTERCEPTOR (EXAMPLE)** +#### Message Router and Interceptor (Example) #### An IDS Connector may use Message Router to coordinate the data flow between different systems and applications. From a technical point of view, the developer does this by using pipelining, which is a usually a paradigm of Message Routers for connecting different nodes in a route definition. The basic idea of a pipeline is that Message Routers uses the output of one node as input to the next node. Every node in such a route is a processor, except for the initial endpoint (as shown in [Figure 4.1.6.6](media/intercepting-data-flow-data-flow.drawio.png)). 
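Review bot: the Message Router paragraph in this hunk (@@ -160,7 +161,7) carries two grammar slips that should go with the heading fix: "which is a usually a paradigm" should be "which is usually a paradigm", and "Message Routers uses the output" should be "Message Routers use the output". The preceding context sentence "protection against data theft by malicious partners is almost impossible to prevent" is self-contradictory; it should read "data theft by malicious partners is almost impossible to prevent" (or "protection ... is almost impossible to guarantee").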
@@ -184,7 +185,7 @@ Depending on the policies available, this way of enforcement is not enough to co _Figure 4.1.6.8: Data flow across company borders_ -#### **CONTEXT INFORMATION AND OBLIGATION FULLFILLMENT** +#### Context Information and Obligation Fulfillment #### Context information is the information such as time, location, states of systems, etc, that is required for the evaluation of a usage policy. In IDS, one can basically distinguish two types of information; the local information that is obtained from the IDS Connector and the global information (see [Figure 4.1.6.9](media/Context-information-and-execution-point-PIP.drawio.png)). The information that can be obtained from a resource inside the IDS Connector itself, such as a system state, is referred to as an IDS local context information. On the other hand, the information that contains, for example, information from the IDS ParIS or the state of a payment that is provided by an IDS compliant resource is referred to as an IDS global context information. The IDS Usage Control language provides ways to address and use these context infomation. For example, They shall be provided by an IDS Policy Information Point (IDS PIP). A Usage Control technology can then use these context information for enforcement by connecting the PIPs. @@ -198,7 +199,7 @@ Moreover, an IDS Contract can contain obligations that have to be fulfilled. For _Figure 4.1.6.10: IDS Execution Point_ -#### **DATA PROVENANCE TRACKING** +#### Data Provenance Tracking #### Data provenance tracking is closely related, but also complementary to distributed Data Usage Control. It has its origins in the domain of scientific computing, where it was introduced to trace the lineage of data. Data Provenance Tracking thereby allows finding out when, how and by whom data was modified, and which other data influenced the process of creating new data items. 
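Review bot: the context paragraph under the renamed "Context Information and Obligation Fulfillment" heading (@@ -184,7 +185,7) has "context infomation" (should be "information") and a mid-sentence capital in "For example, They shall be provided"; "these context information" should be "this context information" in both places, since "information" is uncountable. The FULLFILLMENT fix in the heading is correct and produces the anchor #context-information-and-obligation-fulfillment that the README in this patch links to.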
@@ -206,11 +207,11 @@ This kind of traceability is similar to the data protection requirements a data However, while distributed Data Usage Control is concerned with the enforcement of rights and duties when exchanging data across system boundaries, the focus of Data Provenance Tracking is on transparency and accountability. In other words: While a Policy Enforcement Point (PEP) serving for distributed Data Usage Control in most cases needs to be able to proactively intercept data usage actions within the control flow (i.e. preventive enforcement), a PEP for data provenance tracking only needs to passively observe, interpret and log data exchange transactions and data usage for retrospective examination (in terms of Usage Control, this kind of enforcement is denoted as “detective enforcement”). Despite this fact, a data provenance tracking infrastructure can be built upon the same PEPs as distributed Data Usage Control. Furthermore, Data Provenance Tracking does not require a policy specification language, but rather a specification of how observed actions are to be interpreted in terms of data flow or data usage (i.e., a so-called data flow semantics specification). By this, data provenance tracking maintains a data flow model that keeps track of the particular representations of data items. This kind of information can also be leveraged for Data Usage Control enforcement; i.e., the data flow model is implemented as a Policy Information Point (PIP). -##### **OPERATING PRINCIPLE** +##### Operating Principle ##### The operating principle of data provenance tracking is very similar to the operating principle of distributed Data Usage Control. Data Provenance Tracking relies on passive monitoring technology (e.g., PEPs), which deliver events indicating data usage or data flows for being logged. For this, a PEP needs to convey a semantic description of the data usage or data flows its events indicate. 
The Data Provenance Tracking infrastructure provides a data flow tracking component, which understands such semantics specifications. The PEP also needs to forward events together with metadata (including a unique identifier of the data’s content), so that logged transactions can be attributed to data content when data provenance is aggregated or queried. -##### **ARCHITECTURE** +##### Architecture ##### The PEP resides within the message routing component of the Connector (or Data App). It is registered at the data flow tracking component via a registry component (i.e., a local Policy Management Point, PMP). The same applies for the data flow tracking component. Thereby a PEP can query the local PMP for the communication interface of the local data flow tracking component, which is then used to deploy semantics specifications for its observed events and to forward actual events during operation. 
@@ -228,36 +229,35 @@ _Figure 4.1.6.11: Architecture with centralized component for provenance informa _Figure 4.1.6.12: Architecture with distributed component for provenance information storage_ -##### **COMMUNICATION** +##### Communication ##### The local data flow tracking component inside the Connector has to be able to communicate with the centralized data provenance infrastructure (i.e., ProSP or ProCP). For this, a so-called Root-PMP is attached to the Clearing House. Here, the central components register their communication interfaces, and so do the local PMPs of the Connectors. Using these interfaces, provenance information is passed on to the central ProSP/ProCP. Analogous to this hierarchical communication infrastructure, the provenance information of each unit of data content is a tree, a so-called provenance graph. It is either maintained at a central ProSP or at the distributed ProSPs located inside the Connectors. In the latter case, a centralized ProCP at the Clearing House aggregates the various sub-trees for a unique data content identifier from distributed ProSPs (i.e. it consolidates the provenance information by merging the subtrees). -##### **INTEGRATION WITH DISTRIBUTED USAGE CONTROL** +##### Integration with Distributed Usage Control ##### In complex Usage Control scenarios, such as establishing data sovereignty for managing globally distributed supply chains, data is passed on from one Data Consumer to another. Depending on the usage policy in place, data may be forwarded in its original form, or it may be somehow processed, aggregated, or anonymized before being forwarded. This indicates the relevance of establishing transparency concerning data flows and data usage in compliance with usage policies, business contracts, or legal regulations. For this purpose, distributed Data Usage Control and Data Provenance Tracking complement each other. 
As explained before, the PEPs used for Usage Control (detective enforcement) can also serve as a basis for Data Provenance Tracking, whereas in turn data provenance information can be fed back into Usage Control enforcement (i.e., a PDP can query for all locations of representations of some given data content protected by a usage policy). Further synergies can be exploited by employing the same communication infrastructure for distributed Data Usage Control and Data Provenance Tracking. The hierarchical PMP structure (as described in the previous section) can also enable Usage Control components to interact across different IDS Connectors (e.g., for shipping policies to other Connectors, deploying and revoking policies, etc.). -#### **DATA PROVENANCE TRACKING ADDRESSED BY THE DIFFERENT LAYERS** +#### Data Provenance Tracking addressed by the different Layers #### -##### **BUSINESS LAYER** +##### Business Layer ##### Data Provenance Tracking primarily supports the work of the Clearing House. It provides the means to establish a centralized audit log aggregating tracking information concerning data exchange transactions and data usage. -##### **FUNCTIONAL LAYER** +##### Functional Layer ##### Data Provenance Tracking does not directly affect the core functionality of the IDS, since it is typically implemented on top of a Usage control infrastructure, or based on passive monitoring technology. However, data provenance tracking may enhance the functionality of the IDS by offering functions for clearing and accounting, provided tracking is sufficiently accurate (e.g., in terms of delivering concrete numbers of data users or a concrete duration of data use). Data Apps might also be considered as content/data the usage of which can be tracked by data provenance technology. -##### **PROCESS LAYER** - -Data Provenance Tracking is integrated in the “Exchange Data” process (or, to be more precise, in the “Query Data” sub-process). 
Data Provenance Tracking components in the Connector of the Data Provider as well as in the Connector of the Data Consumer signal to the data provenance storage component at the Clearing House that data has been successfully sent or received, respectively. This signaling is implemented based on events intercepted by PEPs for distributed Data Usage Control. - -##### **INFORMATION LAYER** +##### Information Layer ##### Data Provenance Tracking can be orchestrated for different purposes. Regarding the IDS, the most important goals are establishing transparency and being able to prove compliance to contracts, agreements, or legal regulations. Reliability of content is a secondary goal of data provenance tracking in the IDS. While making the lineage of data traceable is the original purpose of Data Provenance Tracking, this requires ei- ther specific, data provenance enabled Data Apps or the use of dedicated PEPs for these Data Apps. +##### Process Layer ##### + +Data Provenance Tracking is integrated in the “Exchange Data” process (or, to be more precise, in the “Query Data” sub-process). Data Provenance Tracking components in the Connector of the Data Provider as well as in the Connector of the Data Consumer signal to the data provenance storage component at the Clearing House that data has been successfully sent or received, respectively. This signaling is implemented based on events intercepted by PEPs for distributed Data Usage Control. -##### **SYSTEM LAYER** +##### System Layer ##### Reliability of data provenance information strongly depends on trustworthy Connectors and Data Apps (including their PEPs). It is recommended to integrate Data Provenance Tracking into Trusted Connectors and to certify Data Apps that are enabled for data provenance tracking and Data Usage Control. 
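Review bot: a logic slip in the Integration subsection of this hunk (@@ -228,36 +229,35): "the PEPs used for Usage Control (detective enforcement) can also serve as a basis for Data Provenance Tracking" contradicts the earlier paragraph of the same file, which defines distributed Usage Control as preventive enforcement and provenance tracking as detective enforcement. Either change the parenthetical to "(preventive enforcement)" or drop it. Also, in the Information Layer context line "this requires ei- ther specific" is a leftover line-break hyphen; change to "either". Moving Process Layer after Information Layer matches the order used in the README table of contents and in the certification perspective patch later in this series, so that part is fine.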
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md index b2277fba..0bc9c074 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md 
@@ -1,5 +1,7 @@ -# SECURITY PERSPECTIVE +## SECURITY PERSPECTIVE ## As stated in [Section 1.1](../../1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md), one strategic requirement of the International Data Spaces is to provide secure data supply chains. This is critical for establishing and maintaining trust among Participants that want to exchange and share data and use Data Apps. The IDS Security Architecture provides means to identify devices in the IDS, protect communication and data exchange transactions, and control the use of data after it has been exchanged. -IDS Connectors ensure that the specifications and requirements of the Security Architecture materialize in everyday interactions and operations in the International Data Spaces. The [first section](./4_1_1_Security_Aspects_Addressed_by_the_Different_Layers.md) further explains the relations of the Security Perspective and the different layers of the IDS RAM. The remaining aspects for the security perspective are separated into multiple sections: + +IDS Connectors ensure that the specifications and requirements of the Security Architecture materialize in everyday interactions and operations in the International Data Spaces. The [first section](./4_1_1_Security_Aspects_Addressed_by_the_Different_Layers.md) further explains the relations of the Security Perspective and the different layers of the IDS RAM. The remaining aspects for the security perspective are separated into multiple sections: + Identity and trust management for devices and involved entities in the IDS is explained in [Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md). Security requirements and concepts for different aspects and layers of an IDS connector are explained as well: They are split into security measures necessary on the platform layer in [Section 4.1.3](./4_1_3_Securing_the_Platform.md) and on the application layer in [Section 4.1.4](./4_1_4_Securing_Applications.md). 
The security of communication between multiple secured components is addressed in [Section 4.1.5](./4_1_5_Securing_Interaction_between_IDS_components.md). Finally, [Section 4.1.6](./4_1_6_Usage_Control.md) concludes the security perspective by explaining usage control and its realization based on a properly secured IDS component. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md index cea22253..fb2d2ab6 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md 
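Review bot: two consistency problems in this hunk (@@ -1,5 +1,7). The heading stays all caps ("## SECURITY PERSPECTIVE ##") while the other files in this patch move to title case ("### Data Usage Control ###"); use "## Security Perspective ##" (the generated anchor #security-perspective, which the README links to, is unchanged). Second, the unchanged link to "./4_1_1_Security_Aspects_Addressed_by_the_Different_Layers.md" differs in spelling and case from the README hunk in the same patch, which links "./4_1_1_Security_Aspects_adressed_by_the_different_layers.md"; on a case-sensitive host such as GitHub at most one of these resolves, so pick the actual filename and use it in both places.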
@@ -2,4 +2,126 @@ ## Table of Content ## +[4.1 Security Perspective](./4_1_Security_Perspective.md#security-perspective) + +[4.1.1 Security Aspects adressed by the different layers](./4_1_1_Security_Aspects_adressed_by_the_different_layers.md#security-aspects-addressed-by-the-different-layers-of-the-ids-ram) + +[4.1.1.1 Business Layer](./4_1_1_Security_Aspects_adressed_by_the_different_layers.md#business-layer) + +[4.1.1.2 Functional Layer](./4_1_1_Security_Aspects_adressed_by_the_different_layers.md#functional-layer) + +[4.1.1.3 Information Layer](./4_1_1_Security_Aspects_adressed_by_the_different_layers.md#information-layer) + +[4.1.1.4 Process Layer](./4_1_1_Security_Aspects_adressed_by_the_different_layers.md#process-layer) + +[4.1.1.5 System Layer](./4_1_1_Security_Aspects_adressed_by_the_different_layers.md#system-layer) + +[4.1.2 Identity and Trust Management](./4_1_2_Identity_and_Trust_Management.md#identity-and-trust-management) + +[4.1.2.1 Identities for Devices](./4_1_2_Identity_and_Trust_Management.md#identities-for-devices) + +[4.1.2.1.2 Component Identfier](./4_1_2_Identity_and_Trust_Management.md#component-identifier) + +[4.1.2.1.3 Describing Metadata](./4_1_2_Identity_and_Trust_Management.md#describing-metadata) + +[4.1.2.1.4 Interactions between IDS Connectors and Identity Components](./4_1_2_Identity_and_Trust_Management.md#interactions-between-ids-connectors-and-identity-components) + +[4.1.2.1.5 Component (Identity) Lifecycle](./4_1_2_Identity_and_Trust_Management.md#component-identity-lifecycle) + +[4.1.2.2 Identities for Participants](./4_1_2_Identity_and_Trust_Management.md#identities-for-participants) + +[4.1.2.3 Trust Bootstrapping and Trust Chains](./4_1_2_Identity_and_Trust_Management.md#trust-bootstrapping-and-trust-chains) + +[4.1.3 Securing the Platform](./4_1_3_Securing_the_Platform.md#securing-the-platform) + +[4.1.3.1 Deployment Scenarios](./4_1_3_Securing_the_Platform.md#deployment-scenarios) + +[4.1.3.2 Hardware Security 
Features](./4_1_3_Securing_the_Platform.md#hardware-security-features) + +[4.1.3.2.1 Hardware Security Module (HSM)](./4_1_3_Securing_the_Platform.md#hardware-security-module-hsm) + +[4.1.3.2.2 Trusted Platform Module (TPM)](./4_1_3_Securing_the_Platform.md#trusted-platform-module-tpm) + +[4.1.3.2.3 Confidential Computing](./4_1_3_Securing_the_Platform.md#confidential-computing) + +[4.1.3.3 Platform Security Requirements](./4_1_3_Securing_the_Platform.md#platform-security-requirements) + +[4.1.4 Securing Applications](./4_1_4_Securing_Applications.md#securing-applications) + +[4.1.4.1 Security Measures in the Platform](./4_1_4_Securing_Applications.md#security-measures-in-the-platform) + +[4.1.4.2 Connector Core Services and Control Apps](./4_1_4_Securing_Applications.md#connector-core-services-and-control-apps) + +[4.1.4.3 Adapter and Data Apps](./4_1_4_Securing_Applications.md#adapter-and-data-apps) + + +[4.1.5 Securing Interaction between IDS Components](./4_1_5_Securing_Interaction_between_IDS_components.md#securing-interaction-between-ids-components) + +[4.1.5.1 Preparation of Required Information](./4_1_5_Securing_Interaction_between_IDS_components.md#preparation-of-required-information) + +[4.1.5.2 Establishment of a Secure Communication Channel](./4_1_5_Securing_Interaction_between_IDS_components.md#establishment-of-a-secure-communication-channel) + +[4.1.5.3 Data Transfer using this Communication Channel](./4_1_5_Securing_Interaction_between_IDS_components.md#data-transfer-using-this-communication-channel) + +[4.1.5.4 Dynamic Trust Monitoring](./4_1_5_Securing_Interaction_between_IDS_components.md#dynamic-trust-monitoring) + +[4.1.6 Data Usage Control](./4_1_6_Usage_Control.md#data-usage-control) + +[4.1.6.1 Introduction](./4_1_6_Usage_Control.md#introduction) + +[4.1.6.2 Organizational Rules and Legal Contracts](./4_1_6_Usage_Control.md#organizational-rules-and-legal-contracts) + +[4.1.6.3 Roles involved in Usage 
Control](./4_1_6_Usage_Control.md#roles-involved-in-usage-control) + +[4.1.6.3.1 Meta Data Broker](./4_1_6_Usage_Control.md#meta-data-broker) + +[4.1.6.3.2 Connector](./4_1_6_Usage_Control.md#connector) + +[4.1.6.3.3 Clearing House](./4_1_6_Usage_Control.md#clearing-house) + +[4.1.6.3.4 App Store](./4_1_6_Usage_Control.md#app-store) + +[4.1.6.3.5 App Provider](./4_1_6_Usage_Control.md#app-provider) + +[4.1.6.4 IDS Usage Control Language](./4_1_6_Usage_Control.md#ids-usage-control-language) + +[4.1.6.5 IDS Usage Control Policies and Policy Classes ](./4_1_6_Usage_Control.md#ids-usage-control-policies-and-policy-classes) + +[4.1.6.6 Management](./4_1_6_Usage_Control.md#management) + +[4.1.6.7 Usage Control in a Connector](./4_1_6_Usage_Control.md#usage-control-in-a-connector) + +[4.1.6.8 Message Router and Interceptor (Example)](./4_1_6_Usage_Control.md#message-router-and-interceptor-example) + +[4.1.6.9 Context Information and Obligation Fulfillment](./4_1_6_Usage_Control.md#context-information-and-obligation-fulfillment) + +[4.1.7 Data Provenance Tracking](./4_1_6_Usage_Control.md#data-provenance-tracking) + +[4.1.7.1 Operating Principle](./4_1_6_Usage_Control.md#operating-principle) + +[4.1.7.2 Architecture](./4_1_6_Usage_Control.md#architecture) + +[4.1.7.3 Communication](./4_1_6_Usage_Control.md#communication) + +[4.1.7.4 Integration with Distributed Usage Control](./4_1_6_Usage_Control.md#integration-with-distributed-usage-control) + +[4.1.8 Data Provenance Tracking addressed by the different Layers](./4_1_6_Usage_Control.md#data-provenance-tracking-addressed-by-the-different-layers) + +[4.1.8.1 Business Layer](./4_1_6_Usage_Control.md#business-layer) + +[4.1.8.2 Functional Layer](./4_1_6_Usage_Control.md#functional-layer) + +[4.1.8.3 Information Layer](./4_1_6_Usage_Control.md#information-layer) + +[4.1.8.4 Process Layer](./4_1_6_Usage_Control.md#process-layer) + +[4.1.8.5 System Layer](./4_1_6_Usage_Control.md#system-layer) ## Files ## + +- 
[4_1_Security_Perspective.md](./4_1_Security_Perspective.md) +- [4_1_1_Security_Aspects_adressed_by_the_different_layers.md](./4_1_1_Security_Aspects_adressed_by_the_different_layers.md) +- [4_1_2_Identity_and_Trust_Management.md](./4_1_2_Identity_and_Trust_Management.md) +- [4_1_3_Securing_the_Platform.md](./4_1_3_Securing_the_Platform.md) +- [4_1_4_Securing_Applications.md](./4_1_4_Securing_Applications.md) +- [4_1_5_Securing_Interaction_between_IDS_components.md](./4_1_5_Securing_Interaction_between_IDS_components.md) +- [4_1_6_Usage_Control.md](./4_1_6_Usage_Control.md) \ No newline at end of file From 6cb0822a1a2f51455304e93c6a9b5d41a8e70415 Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Wed, 12 Oct 2022 12:11:58 +0200 Subject: [PATCH 07/22] Editorial Update Certification Perspectove --- ...ddressed_by_Different_Layers_of_IDS-RAM.md | 18 ++--- .../4_2_2_Roles.md | 9 +-- ...3_Operational_Environment_Certification.md | 5 +- .../4_2_4_Component_Certification.md | 13 ++-- .../4_2_5_Processes.md | 23 +++--- .../4_2_Certification_Perspective.md | 2 +- .../4_2_Certification_Perspective/README.md | 71 +++++++++++++++---- 7 files changed, 95 insertions(+), 46 deletions(-) diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md index 8af4584a..450bbc5e 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md 
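Review bot: the README table of contents hunk above (@@ -2,4 +2,126) needs several fixes before merge. (1) Its links to "4_1_1_Security_Aspects_adressed_by_the_different_layers.md" (five TOC entries plus the Files list) cannot both be right alongside the "Security_Aspects_Addressed_by_the_Different_Layers.md" spelling used in 4_1_Security_Perspective.md in the same patch; settle on the real filename in both files. (2) "4.1.2.1.2 Component Identfier" misspells Identifier, and the numbering jumps from 4.1.2.1 to 4.1.2.1.2 with no 4.1.2.1.1. (3) "4.1.7 Data Provenance Tracking" and "4.1.8 Data Provenance Tracking addressed by the different Layers" are numbered as peers of 4.1.6 but live in 4_1_6_Usage_Control.md under "####" headings, the same level as the 4.1.6.x entries; either number them 4.1.6.10 and 4.1.6.11 or move them into their own file. (4) "[4.1.6.5 IDS Usage Control Policies and Policy Classes ]" has a trailing space inside the link text. (5) The file now ends without a trailing newline ("\ No newline at end of file").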
@@ -1,25 +1,25 @@ -# Certification Aspects Addressed by the Different Layers of the IDS-RAM +### Certification Aspects Addressed by the Different Layers of the IDS-RAM ### Certification is an essential mechanism in the IDS which supports the establishment of trust and, thus, an ecosystem which can be used for cross-company data exchange and processing. Therefore, it has relations to the different layers of the IDS RAM as explained below. -## Business Layer +#### Business Layer #### The Certification Body and Evaluation Facilities are in charge of the certification process. Their interactions and responsibilities in this process are described in [Section 4.2.2](./4_2_2_Roles.md) and [Section 4.2.5](./4_2_5_Processes.md). Both entities belong to the "Governance Body" category specified on the Business Layer (see [Section 3.1.1.](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles.md)) Organizations assuming a role under one of the three categories "Core Participant", "Intermediary", and "Software/Service Provider" (see [Section 3.1.1.](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles.md)) are potential targets of certification, i.e. may act as Applicant for the Certification. The [Certification Scheme](./CertificationScheme) describes for each role what level of certification is required and what the focus of the certification is. -## Functional Layer +#### Functional Layer #### The functional requirements of the International Data Spaces defined in [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_Functional_Layer.md) are the core requirements expected to be implemented by the technical core components (e.g., the Connector or the Clearing House). Therefore, compatibility of each such implementation with these functional requirements forms the basis of the compliance part of a core component's certification. 
The security part of the certification focuses on security specific requirements. The security requirements are mainly related to the System Layer and the Security Perspective provided in [Section 4.1](../4_1_Security_Perspective/4_1_Security_Perspective.md). -## Process Layer - -The Process Layer ([Section 3.3.](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_Process_Layer.md)) defines relevant processes for onboarding and using components in the IDS. Where those processes are relevant for the compliance of a component or organization, they are also evaluated during certification with regards to the adherence with those processes. - -## Information Layer +#### Information Layer #### Certification of a core component comprises also its compliance with the Reference Architecture Model regarding functionality, protocols, etc. Whenever relevant, evaluation of a core component's compliance also refers to its compatibility with the Information Model defined in the Information Layer ([Section 3.4.](../../3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/3_4_Information_Layer.md)). -## System Layer +#### Process Layer #### + +The Process Layer ([Section 3.3.](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_Process_Layer.md)) defines relevant processes for onboarding and using components in the IDS. Where those processes are relevant for the compliance of a component or organization, they are also evaluated during certification with regards to the adherence with those processes. + +#### System Layer #### The System Layer ([Section 3.5.](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_System_Layer.md)) defines the possible interactions between the components, detailed requirements for the Connector, and specific types of Connector implementations. The System Layer is the predominant layer regarding the security requirements with the Component Certification. 
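Review bot: The Process Layer subsection is moved below the Information Layer in this hunk, which inverts the order the layers have in Chapter 3 (the paragraph links point at Section 3.3 for the Process Layer and Section 3.4 for the Information Layer). If the reorder is intentional it belongs in the commit message; otherwise keep `#### Process Layer ####` ahead of `#### Information Layer ####` so the subsection order follows the layer numbering. Demoting the headings from `#` to `###`/`####` is harmless for the README's anchors, since GitHub derives the slug from the heading text, not its level.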
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md index 7746604c..06e0eb36 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md @@ -1,6 +1,7 @@ -# Roles +### Roles ### The realization of the IDS Certification schema requires different roles responsible for different tasks: + * Applicants, * Evaluation Facilities, and * one Certification Body 
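Review bot: "IDS Certification schema" in the first context line of this hunk is the only place the scheme is called a "schema"; 4_2_1 and 4_2_4 both link to the `Certification Scheme`, so align the wording here while the paragraph is being touched.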
@@ -9,17 +10,17 @@ It should be noted that all roles described in this section are specific to the The defined roles and their main tasks are described below, while additional details on their tasks and interactions are described in [Section 4.2.5](./4_2_5_Processes.md). -## Certification Body +#### Certification Body #### The Certification Body oversees the certification process regarding quality assurance and framework governance. It defines standard evaluation procedures and supervises the actions of the Evaluation Facilities. A certificate is granted only if both the Evaluation Facility and the Certification Body have come to the conclusion that all preconditions for certification are fulfilled. -## Evaluation Facility +#### Evaluation Facility #### Contracted by an Applicant (see below), the Evaluation Facility is responsible for carrying out the detailed technical and/or organizational evaluation work during a certification process. The Evaluation Facility issues an evaluation report for the respective organization/individual or core component, listing details regarding the evaluation process and an assessment whether all requirements are properly fulfilled. The term "Evaluation Facility" refers both to authorized auditors for management system evaluations (i.e., for Operational Environment Certification) as well as approved evaluators for software stacks (i.e., for Component Certification). Hence, the Certification Body oversees and cooperates with multiple Evaluation Facilities. However, only one Evaluation Facility is involved in each evaluation of an organization/individual or core component. -## Applicant +#### Applicant #### The Applicant is not just the subject of the evaluation and certification process, but plays an active part in it. An Applicant needs to actively submit an application to trigger the certification process. 
This applies to organizations/individuals that develop software components intended to be deployed within the International Data Spaces (i.e., prospective Software Providers) and to organizations that intend to operate components in the IDS. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md index 8851745a..ebe08fd3 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md @@ -1,11 +1,11 @@ -# Operational Environment Certification +### Operational Environment Certification ### Participants in the International Data Spaces share valuable data. It is essential that all participant's organizational processes and operational environments are trustworthy. This trustworthiness is evaluated in the IDS Operational Environment Certification. - Central elements of the IDS Operational Environment Certification are the different Trust Levels and Assurance Levels. The IDS established these levels to offer suitable certification profiles for different use case requirements. On one side, the following three Trust Levels are established: + + Trust Level 1: Entry into data sharing + Trust Level 2: Providing reliable services + Trust Level 3: Offering trust-building services 
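Review bot: The blank line added before the Trust Level list is needed for the `+` items to render as a list, but the context line just above it still reads "all participant's organizational processes", which should be "all participants' organizational processes" (plural possessive); worth fixing in the same editorial pass.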
@@ -13,6 +13,7 @@ On one side, the following three Trust Levels are established: Higher Trust Level represent the increasing amount of criteria which needs to be fulfilled for a successful certification. On the other side, the following three Assurance Levels are established: + + Assurance Level 1: Self-Assessment + Assurance Level 2: External evaluation of corporate policies and processes + Assurance Level 3: External audit of measures controlling the adherence to corporate policies diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md index 60754372..a3555f57 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md 
@@ -1,20 +1,24 @@ -# Component Certification +### Component Certification ### Trustful cross-company information exchange requires secure soft- and hardware components. All IDS components have to meet a list of certification criteria to prove the provision of the required functionality, interoperability and level of security. The evaluation of these certification criteria is conducted in the IDS Core Component Certification. Within the next two subsections, three different levels of assurance and trust for the certification of components are defined. -## Component Assurance Levels: +#### Component Assurance Levels: #### + The depth and rigor of a component evaluation consists of the following three assurance levels, independent on the type of component that is being certified (e.g. Connector, Broker, etc.): + * Assurance Level 1: Checklist self-assessment and automated interoperability testing * Assurance Level 2: External concept review including functional and security testing * Assurance Level 3: External evaluation including concept review, testing and source code audit -## Connector Trust Levels +#### Connector Trust Levels #### + The criteria that make up each of the three trust levels for a Connector are defined in such a way that they are specific enough to ensure interoperability with the functional requirements of an IDS Connector, yet general enough, to allow the use of a Connector in different deployment scenarios without having to define different criteria catalogues for each separate use case. The following three trust levels are defined for the certification of a Connector: + * Trust Level 1: Data space interoperability * Trust Level 2: Feature complete for data usage control * Trust Level 3: Additional protection from internal attacks 
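Review bot: `#### Component Assurance Levels: ####` keeps a trailing colon in the heading while the sibling `#### Connector Trust Levels ####` has none; drop the colon so the two headings are consistent (GitHub strips punctuation when building the slug, so the README's `#component-assurance-levels` anchor resolves either way). In the same hunk the context sentence "independent on the type of component" should read "independent of the type of component".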
@@ -26,5 +30,6 @@ This matrix approach allows the component developer to select a combination of a An in-depth description of the Component Certification and its Assurance and Trust Levels can be found in the [Certification Scheme](./CertificationScheme). The Criteria Catalogue for Components can be requested on the [IDSA homepage](https://internationaldataspaces.org/publications/white-papers/). -## Certification of other components +#### Certification of other components #### + As the Broker, App Store, Clearing House, ParIS and Vocabulary Provider components are at their core also a Connector, the general certification process and assurance levels apply to them as well, in addition to component specific functional profiles. As an example for these profiles, the criteria catalogue "Components-Broker" can be requested on the [IDSA Homepage](https://internationaldataspaces.org/publications/white-papers/). diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_5_Processes.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_5_Processes.md index b91ff6e1..cc02fc52 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_5_Processes.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_5_Processes.md 
@@ -1,22 +1,25 @@ -# Certification Processes +### Certification Processes ### Participants and core components within the IDS ecosystem shall fulfill common requirements to ensure the security of data being processed in the IDS. Therefore, the certification of operational environments (as explained in [Section 4.2.3](../4_2_3_Operational_Environment_Certification.md)) and core components (as explained in [Section 4.2.4](../4_2_4_Component_Certification.md)) is mandatory. Involved partners are the Applicant, Evaluation Facility and the Certification Body which were introduced in [Section 4.2.2](../4_2_2_Roles.md). -## Approval of Evaluation Facilities +#### Approval of Evaluation Facilities #### -In order to ensure the high quality and transparency of the IDS certification process all Evaluation Facilites need to be approved by the impartial [Certification Body](https://github.com/International-Data-Spaces-Association/IDS-G/tree/main/glossary#certification-body) first. +In order to ensure the high quality and transparency of the IDS certification process all Evaluation Facilites need to be approved by the impartial [Certification Body](https://github.com/International-Data-Spaces-Association/IDS-G/tree/main/glossary#certification-body) first. The approval process is structured in the same way for both types of future Evaluation Facilities (operational environment and components) and includes the following phases: + 1. Preparatory Phase 2. Audit Phase 3. Approval Phase -These phases will be described in the following sections. +These phases will be described in the following sections. + +##### 1. Preparatory Phase: ##### -### 1. Preparatory Phase: This phase serves to collect all important documents and information needed for a smooth approval process, but also to discuss the process flow. This phase also offers the opportunity to clarify any questions related to the process within an (optional) inquiry meeting. 
It begins with the completion of an application form and the signing of a contract between the potential Evaluation Facility and the IDS Certification Body. -### 2. Audit Phase +##### 2. Audit Phase ##### + Each Evaluation Facility is audited in order to ensure that it will conduct evaluations in adherence with the IDS certification scheme. The audit has the aim to check that the requirements for a proper IDS certification are implemented and effective. It consists of collecting evidence in form of documentation and interviews with employees in four different assessments: 1. Quality Management System 
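Review bot: The `+` line for the Evaluation Facilities paragraph is re-emitted with only a whitespace change but still misspells "Facilites"; since the line is being touched anyway, fix it to "Facilities". More importantly, the unchanged context lines link to `../4_2_3_Operational_Environment_Certification.md`, `../4_2_4_Component_Certification.md` and `../4_2_2_Roles.md` with a parent-directory prefix, although all of these files sit next to 4_2_5_Processes.md in `4_2_Certification_Perspective/` (4_2_1 links the same file as `./4_2_2_Roles.md`); as written these three links point one directory too high. Also `##### 1. Preparatory Phase: #####` carries a trailing colon that `##### 2. Audit Phase #####` does not.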
@@ -26,19 +29,17 @@ Each Evaluation Facility is audited in order to ensure that it will conduct eval Based on the audit the Certification Body prepares a report including the deviations and potential improvements which will be communicated in a final discussion. Deviations related to the Management System which could affect its effectiveness must be corrected before closing the audit phase within a two-month period at most, with exceptions for critical deviations. If necessary, the correction of the deviations can be verified by an additional audit. -### 3. Approval Phase +##### 3. Approval Phase ##### + On the basis of the audit report, the Certification Body decides on the approval of the applying Evaluation Facility. The decision is made in an objective and comprehensible manner, i.e. exclusively on the basis of the documented criteria. In case of a positive decision, the Certification Body issues an approval statement. The approval is valid for a limited time period of two years. If a negative approval decision is made, the applying Evaluation Facility is informed of the reasons for the rejection before the application is formally rejected. - For quality assurance of the certification process, the approval regularly needs to be renewed. In addition, it is possible to restrict, suspend or withdraw approval in case of major compliance issues. The full approval scheme can be found [here](./ApprovalScheme) - - -## Certification Process for Operational Environments and Core Components +#### Certification Process for Operational Environments and Core Components #### The certification follows the same process for all certification profiles in Operational Environment and Component Certification. It consists of the following three phases: 
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_Certification_Perspective.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_Certification_Perspective.md index 556e2c21..e9ab52de 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_Certification_Perspective.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_Certification_Perspective.md @@ -1,4 +1,4 @@ -# Certification Perspective +## Certification Perspective## Data security and data sovereignty are the fundamental value propositions of the International Data Spaces. Data sovereignty can be defined as a natural person's or legal entity's capability of being in full control of its data. To enable this control, each participant needs to follow the agreed rules for the IDS and requires reliable information about the guarantees offered by potential business partners. The adherence to rules is ensured by the certification which affects different layers of the IDS RAM as described in [Section 4.2.1](./4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md). The certification based on the defined standards is conducted by the three roles explained in [Section 4.2.2](./4_2_2_Roles.md). diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/README.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/README.md index 88f0af5c..8b55478a 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/README.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/README.md 
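Review bot: `## Certification Perspective##` is missing the space before the closing `##`. CommonMark only recognises a closing sequence when it is preceded by a space, so this renders as a heading whose visible text is "Certification Perspective##". Write it as `## Certification Perspective ##`, matching the closed-heading style used in the other files of this patch.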
@@ -1,15 +1,56 @@ -# Content - -This folder contains the Certification Perspective with: -* Content for the RAM: - * [4.2. Introduction](./4_2_Certification_Perspective.md) - * [4.2.1. Certification Aspects Addressed by Different Layers of IDS-RAM](./4_2_1_Certification_Aspects_Adressed_by_Different_Layers_of_IDS-RAM.md) - * [4.2.2. Roles](./4_2_2_Roles.md) - * [4.2.3. Operational Environment Certification](./4_2_3_Operational_Environment_Certification.md) - * [4.2.4. Component Certification](./4_2_4_Component_Certification.md) - * [4.2.5. Processes](./4_2_5_Processes.md) - * 4.2.5.1. Approval Process - * 4.2.5.2. Certification Process -* Details on the [Certification Scheme](./CertificationScheme/) aka "the Certification Whitepaper" (currently in Version 2.0, but in preparation for version 3.0) -* [Approval Scheme](./ApprovalScheme/) for an Approval of Evaluation Facilities -* [Rules of Procedure](./RulesOfProcedure/) for the entire Certification +# Certifiaction Perspective + +## Table of Content ## + +[4.2. Introduction](./4_2_Certification_Perspective.md) + +[4.2.1. 
Certification Aspects Addressed by Different Layers of IDS-RAM](./4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md#certification-aspects-addressed-by-the-different-layers-of-the-ids-ram) + +[4.2.1.1 Business Layer](./4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md#business-layer) + +[4.2.1.2 Functional Layer](./4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md#functional-layer) + +[4.2.1.3 Information Layer](./4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md#information-layer) + +[4.2.1.4 Process Layer](./4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md#process-layer) + +[4.2.1.5 System Layer](./4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md#system-layer) + +[4.2.2 Roles](./4_2_2_Roles.md#roles) + +[4.2.2.1 Certification Body](./4_2_2_Roles.md#certification-body) + +[4.2.2.2 Evaluation Facility](./4_2_2_Roles.md#evaluation-facility) + +[4.2.2.3 Applicant](./4_2_2_Roles.md#applicant) + +[4.2.3. Operational Environment Certification](./4_2_3_Operational_Environment_Certification.md) + +[4.2.4 Component Certification](./4_2_4_Component_Certification.md#component-certification) + +[4.2.4.1 Component Assurance Levels](./4_2_4_Component_Certification.md#component-assurance-levels) + +[4.2.4.2 Connector Trust Levels](./4_2_4_Component_Certification.md#connector-trust-levels) + +[4.2.4.3 Certification of other Components](./4_2_4_Component_Certification.md#certification-of-other-components) + +[4.2.5. Processes](./4_2_5_Processes.md#certification-processes) + +[4.2.5.1. Approval Process](./4_2_5_Processes.md#approval-of-evaluation-facilities) + +[4.2.5.2. 
Certification Process](./4_2_5_Processes.md#certification-process-for-operational-environments-and-core-components) + +### Appendix ### + +- Details on the [Certification Scheme](./CertificationScheme/) aka "the Certification Whitepaper" (currently in Version 2.0, but in preparation for version 3.0) +- [Approval Scheme](./ApprovalScheme/) for an Approval of Evaluation Facilities +- [Rules of Procedure](./RulesOfProcedure/) for the entire Certification + +## Files ## + +- [4_2_Certification_Perspective.md](./4_2_Certification_Perspective.md) +- [4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md](./4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md) +- [4_2_2_Roles.md](./4_2_2_Roles.md) +- [4_2_3_Operational_Environment_Certification.md](./4_2_3_Operational_Environment_Certification.md) +- [4_2_4_Component_Certification.md](./4_2_4_Component_Certification.md) +- [4_2_5_Processes.md](./4_2_5_Processes.md) \ No newline at end of file From 47387008f65a5f2f54e78306b0ba03dd7f5e5fab Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Wed, 12 Oct 2022 13:43:49 +0200 Subject: [PATCH 08/22] editorial update Perspectives --- .../4_Perspectives.md | 3 +++ .../README.md | 10 ++++++++++ 2 files changed, 13 insertions(+) create mode 100644 documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_Perspectives.md diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_Perspectives.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_Perspectives.md new file mode 100644 index 00000000..40673eda --- /dev/null +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_Perspectives.md 
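Review bot: The new README title `# Certifiaction Perspective` misspells "Certification". In the table of contents, the 4.2.3 entry links to the bare file while every other entry links to a heading anchor, and the section numbers alternate between a trailing period ("4.2.1.", "4.2.3.", "4.2.5.") and none ("4.2.2", "4.2.4"); pick one form. The file is also still written without a trailing newline (`\ No newline at end of file`).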
@@ -0,0 +1,3 @@ +# Perspectives of the Reference Architecture Model # + +Directly related to the five layers of the IDS-RAM are three cross-sectional perspectives: Security, Certification, and Governance. These are described in detail in the following sections. \ No newline at end of file diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/README.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/README.md index 7013eae0..95e647d1 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/README.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/README.md @@ -2,4 +2,14 @@ ## Table of Content ## +[Perspectives of the Reference Architecture Model](./4_Perspectives.md) + +[Security Perspective](./4_1_Security_Perspective/README.md) + +[Certification Perspective](./4_2_Certification_Perspective/README.md) + +[Governance Perspective](./4_3_Governance_Perspective/README.md) + ## Files ## + +- [4_Perspectives.md](./4_Perspectives.md) \ No newline at end of file From 63a425cb9f2a9f0db9bb6dded821919ce08f16ea Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Wed, 12 Oct 2022 16:22:37 +0200 Subject: [PATCH 09/22] editorial updates --- .../3_2_FunctionalLayer.md | 55 ++++++++-------- .../3_2_Functional_Layer/README.md | 62 +++++++++++++++++-- .../3_Layers.md | 3 + .../README.md | 8 +++ 4 files changed, 96 insertions(+), 32 deletions(-) create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_Layers.md diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md index aa00a41b..45c1e7a1 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md 
+++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md @@ -1,10 +1,9 @@ -## Functional Layer +## Functional Layer ## The Functional Layer defines -- irrespective of existing technologies and applications -- the functional requirements of the International Data Spaces, and the features to be implemented resulting thereof. - ![ Functional architecture of the International Data Spaces](./media/image21.png) @@ -18,7 +17,7 @@ requirements outlined in Section The following subsections give a brief summary of these functional requirements. -### Trust +### Trust ## Although requirements related to trust are usually non-functional, they are addressed by the Functional Layer, since they represent fundamental @@ -27,7 +26,7 @@ comprises three main aspects (roles, identity management, and user certification), which are complemented by governance aspects (see Section on [Data Governance](../../4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md). -#### Roles +#### Roles ### Each role in the International Data Spaces has certain rights and duties. For example, the Identity Provider is responsible for offering 
@@ -35,20 +34,20 @@ services to create, maintain, manage, monitor, and validate identity information of and for participants in the International Data Spaces. More information about the roles is given in the [Business Layer](#). -#### Identity Management +#### Identity Management ### Every Connector participating in the International Data Spaces must have a unique identifier and a valid certificate. In addition, each Connector must be able to verify the identity of other Connectors (with special conditions being applied here; e.g., security profiles). -#### User Certification +#### User Certification #### Each participant in the International Data Spaces must undergo certification in order to establish trust among all participants. More information about the certification process is given in the [Certification Perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_Certification_Perspective.md). -### Security and Data Sovereignty +### Security and Data Sovereignty ### Like requirements related to trust, requirements related to security and data sovereignty are also usually non-functional, but are still @@ -58,7 +57,7 @@ sovereignty group contains four major aspects: authentication authorization; usage policies usage enforcement; trustworthy communication security by design; and technical certification. -#### Authentication & Authorization +#### Authentication & Authorization #### Each Connector must have a valid X.509 certificate (or equivalent). With the help of this certificate, each participant in the International Data Spaces that 
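Review bot: `### Trust ##`, `#### Roles ###` and `#### Identity Management ###` close with fewer hashes than they open. CommonMark tolerates a closing sequence of any length, so they still render at the intended level, but every other heading in this file is given a matching closing sequence (`### Security and Data Sovereignty ###`, `#### User Certification ####`); make these three match to keep the convention this patch is introducing.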
@@ -70,7 +69,7 @@ The Connector serving as the data source must be able to verify the receiving Connector's capabilities and security features as well as its identity. More information about authorization is given in the [Security Perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md). -#### Usage Policies & Usage Enforcement +#### Usage Policies & Usage Enforcement #### In the IDS, Data Owners and Data Providers can always be sure their data is handled by a Data Consumer according to the usage policies specified. @@ -80,7 +79,7 @@ persistence of data, or disallowing transfer of data to other parties, for example. More information about usage policies and usage enforcement is given in the [Security Perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md). -#### Trustworthy Communication & Security by Design +#### Trustworthy Communication & Security by Design #### Connectors, App Stores, and Brokers can check if the Connector of the connecting party is running a trusted (i.e. certified) software stack. 
@@ -96,14 +95,14 @@ Connectors by deploying Connectors supporting the selected security profile. More information about trustworthy communication and security by design is given in the [Security Perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md). -#### Technical Certification +#### Technical Certification #### The core components of the International Data Spaces, and especially the Connectors, require certification from the Certification Body in order to establish trust among all participants. More information about technical certification is given in the [Certification Perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_Certification_Perspective.md). -### Ecosystem of Data +### Ecosystem of Data ### Being able to describe, find and correctly interpret data is another key aspect of the International Data Spaces. Therefore, every data source in @@ -113,7 +112,7 @@ section 3.4). The Ecosystem of Data group comprises three major aspects: data source description, brokering, and vocabularies. -#### Data Source Description +#### Data Source Description #### Participants must have the opportunity to describe, publish, maintain and manage different versions of metadata. Metadata should describe the @@ -124,7 +123,7 @@ the pricing model, and the usage policies regarding certain data. More information about data source description is given in the [Information Layer](#). -#### Brokering +#### Brokering #### The operator of a Connector must be able to provide an interface for data and metadata access. Each Connector must be able to transmit 
@@ -135,7 +134,7 @@ Furthermore, each participant must be able to browse the list of participants registered at a broker. More information about brokering is given in the [Process Layer](#). -#### Vocabularies +#### Vocabularies #### To create and structure metadata, the operator of a Connector may use vocabularies. In doing so, an operator of a Connector can use existing @@ -148,13 +147,13 @@ identification, and unused vocabularies. Vocabulary hubs need to be managed. More information about vocabularies is given in the [Information Layer](#). -### Standardized Interoperability +### Standardized Interoperability ### Standardized data exchange between participants is the fundamental aspect of the International Data Spaces. The IDS Connector is the main technical component for this purpose. -#### Operation +#### Operation #### Participants should be able to run the Connector software in their own IT environment. Alternatively, they can run a Connector on mobile or @@ -166,7 +165,7 @@ should be logged. Using this logging data, it should be possible to draw up statistical evaluations on data usage etc. Notifications about incidents should be sent automatically. -#### Data Exchange +#### Data Exchange #### The Connector must receive data from an enterprise backend system, either through a push-mechanism or a pull-mechanism. The data can be @@ -175,7 +174,7 @@ do so, each Connector must be uniquely identifiable. Other Connectors can subscribe to data sources or pull data from these sources. Data can be written into the backend system of other participants. -### Value Adding Apps +### Value Adding Apps ### Before or after the actual data exchange, data may need to be processed or transformed. For this purpose, the International Data Spaces offers 
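Review bot: Several cross-references in the context lines of these hunks are still `(#)` placeholders: `[Business Layer](#)` under Roles, `[Information Layer](#)` under Data Source Description and Vocabularies, and `[Process Layer](#)` under Brokering. The file already resolves other references to real paths (the Certification Perspective and Security Perspective links), and 4_2_1 in this same series links the Business Layer roles as `../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles.md`, so these can be filled in the same way rather than left dangling.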
@@ -184,7 +183,7 @@ provision in the App Store, installation, and support. The App Store should therefore be clearly visible and recognizable to every participant. -#### Data Processing and Transformation +#### Data Processing and Transformation #### A data processing app (which is a subtype of a Data App) should provide a single, clearly defined processing function to be applied on input @@ -195,14 +194,14 @@ requirements of the Data Consumer (without any substantial change made to the information contained in the data; i.e., loss-less transformation). -#### Data App Implementation +#### Data App Implementation #### The developers of Data Apps should be able to annotate the software with metadata (about functions and interfaces, pricing models, licenses, etc.). Data Apps must explicitly define their interfaces, dependencies, and access requirements. -#### Providing Data Apps +#### Providing Data Apps #### Any authorized Data App developer can initiate a software provision process (App Store publication). Prior to publication in the App Store, @@ -213,7 +212,7 @@ adequate fashion. Access of privileged users (e.g., administrators or operators) should require strong authentication (e.g., 2-factor authentication). -#### Installing and Supporting Data Apps +#### Installing and Supporting Data Apps #### A dedicated Connector service should support authorized users in (un-)installing Data Apps not originating from an official App Store. In 
@@ -221,26 +220,26 @@ addition, it should support authorized users in searching, installing, and managing (e.g., removal or automated updates) Data Apps retrieved from an App Store. -### Data Markets +### Data Markets ### Data to be exchanged in the International Data Spaces may have monetary value. Therefore, the International Data Spaces has to integrate data market concepts, like clearing and billing, but also governance. -#### Clearing & Billing +#### Clearing & Billing #### The Data Owner can define the pricing model (e.g. pay per transfer, pay per access, pay per day/month/year), and the price of data. Any transaction of any participant can be logged. The clearing and billing process must be simple and standardized. -#### Usage restrictions, and governance - +#### Usage restrictions and governance #### + Governance in the International Data Spaces comprises five aspects: data as an economic good, data ownership, data sovereignty, data quality, and data provenance. More information about governance is given in [Governance Perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md). -#### Legal aspects +#### Legal aspects #### Trading data on a data marketplace requires legal contracts and conditions that can be negotiated in an automated way. Therefore, diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/README.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/README.md index 59cb8e54..11fe12e2 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/README.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/README.md 
@@ -1,5 +1,59 @@ -# Functional Layer +# Functional Layer # -The Functional Layer defines -- irrespective of existing technologies -and applications -- the functional requirements of the International -Data Spaces, and the features to be implemented resulting thereof in [this document](./3_2_FunctionalLayer.md). +## Table of Content ## + +[3.2 Functional Layer](./3_2_FunctionalLayer.md#functional-layer) + +[3.2.1 Trust](./3_2_FunctionalLayer.md#trust) + +[3.2.1.1 Roles](./3_2_FunctionalLayer.md#roles) + +[3.2.1.2 Identity Management](./3_2_FunctionalLayer.md#identity-management) + +[3.2.1.3 User Certification](./3_2_FunctionalLayer.md#user-certification) + +[3.2.2 Security and Data Sovereignty](./3_2_FunctionalLayer.md#security-and-data-sovereignty) + +[3.2.2.1 Authentication & Authorization](./3_2_FunctionalLayer.md#authentication--authorization) + +[3.2.2.2 Usage Policies & Usage Enforcement](./3_2_FunctionalLayer.md#usage-policies--usage-enforcement) + +[3.2.2.3 Trustworthy Communication & Security by Design](./3_2_FunctionalLayer.md#trustworthy-communication--security-by-design) + +[3.2.2.4 Technical Certification](./3_2_FunctionalLayer.md#technical-certification) + +[3.2.3 Ecosystem of Data](./3_2_FunctionalLayer.md#ecosystem-of-data) + +[3.2.3.1 Data Source Description](./3_2_FunctionalLayer.md#data-source-description) + +[3.2.3.2](./3_2_FunctionalLayer.md#brokering) + +[3.2.3.3 Vocabularies](./3_2_FunctionalLayer.md#vocabularies) + +[3.2.3 Standardized Interoperability](./3_2_FunctionalLayer.md#standardized-interoperability) + +[3.2.3.1 Operation](./3_2_FunctionalLayer.md#operation) + +[3.2.3.2 Data Exchange](./3_2_FunctionalLayer.md#data-exchange) + +[3.2.4 Value Adding Apps](./3_2_FunctionalLayer.md#value-adding-apps) + +[3.2.4.1 Data Processing and Transformation](./3_2_FunctionalLayer.md#data-processing-and-transformation) + +[3.2.4.2 Data App Implementation](./3_2_FunctionalLayer.md#data-app-implementation) + +[3.2.4.3 Providing Data 
Apps](./3_2_FunctionalLayer.md#providing-data-apps) + +[3.2.4.4 Installing and Supporting Data Apps](./3_2_FunctionalLayer.md#installing-and-supporting-data-apps) + +[3.2.4 Data Markets](./3_2_FunctionalLayer.md#data-markets) + +[3.2.4.1 Clearing & Billing](./3_2_FunctionalLayer.md#clearing--billing) + +[3.2.4.2 Usage restrictions and governance](./3_2_FunctionalLayer.md#usage-restrictions-and-governance) + +[3.2.4.3 Legal aspects](./3_2_FunctionalLayer.md#legal-aspects) + +## Files ## + +-[3_2_FunctionalLayer.md](./3_2_FunctionalLayer.md) diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_Layers.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_Layers.md new file mode 100644 index 00000000..6cb0b9bf --- /dev/null +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_Layers.md @@ -0,0 +1,3 @@ +# Layers of the Reference Architecture Model # + +The five layers of the Reference Architecture Model are presented in detail in the following subsections. \ No newline at end of file diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/README.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/README.md index e69de29b..12a353ee 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/README.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/README.md @@ -0,0 +1,8 @@ +# Layers of the Reference Architecture Model # + +## Table of Content ## + +[3 Layers of the Reference Architecture Model](./3_Layers.md) +## Files ## + +- [3_Layers.md](./3_Layers.md) \ No newline at end of file From f3deac977012f63c7be8d892a71712c120c8a1c2 Mon Sep 17 00:00:00 2001 
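Review bot: the new Table of Content in documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/README.md (hunk @@ -1,5 +1,59 @@) reuses section numbers: "3.2.3 Ecosystem of Data" and "3.2.3 Standardized Interoperability" both carry 3.2.3, and "3.2.4 Value Adding Apps" and "3.2.4 Data Markets" both carry 3.2.4, so every subsection under them is misnumbered as well. Suggest numbering Standardized Interoperability 3.2.4, Value Adding Apps 3.2.5 and Data Markets 3.2.6 and renumbering their children to match. The entry `[3.2.3.2](./3_2_FunctionalLayer.md#brokering)` also has no title; it should read `[3.2.3.2 Brokering](./3_2_FunctionalLayer.md#brokering)` like its siblings.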
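Review bot: in the same Functional Layer README hunk the Files entry `-[3_2_FunctionalLayer.md](./3_2_FunctionalLayer.md)` has no space after the hyphen, so Markdown will not render it as a list item; the 3_Layers README in this patch writes `- [3_Layers.md](./3_Layers.md)`, which is the form to use. The hunk also removes the only sentence that says what the Functional Layer is ("defines ... the functional requirements of the International Data Spaces, and the features to be implemented"); keeping that sentence above the table would let the README still tell the reader what the section covers.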
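Review bot: in documentation/3_Layers_of_the_Reference_Architecture_Model/README.md (hunk @@ -0,0 +1,8 @@) the line `[3 Layers of the Reference Architecture Model](./3_Layers.md)` is directly followed by `## Files ##` with no blank line between them, unlike the other READMEs in this patch, and both newly created files end with "\ No newline at end of file". Add the blank line and a trailing newline so the files match the rest of the documentation tree.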
From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Wed, 12 Oct 2022 17:39:36 +0200 Subject: [PATCH 10/22] editorial update and switching section 3.3 and 3.4 --- .../3_3_InformationLayer.md} | 31 +++--- .../3_3_Information_Layer/README.md | 30 +++++ .../media/image31.png | Bin .../media/image32.png | Bin .../media/image53.png | Bin .../3_3_Process_Layer/README.md | 8 -- .../3_4_Information_Layer/README.md | 3 - .../3_4_1_Onboarding.md} | 16 ++- .../3_4_2_Data_Offering.md} | 13 ++- .../3_4_3_Contract_Negotiation.md} | 104 +++++++++--------- .../3_4_4_Exchanging_Data.md} | 15 +-- .../3_4_5_Publishing_and_using_Data_Apps.md} | 2 +- .../3_4_6_Policy_Enforcement.md} | 20 ++-- .../3_4_Process_Layer.md} | 3 +- .../3_4_Process_Layer/README.md | 74 +++++++++++++ .../media/Communication-PEP-and-PDP.drawio | 0 .../Communication-PEP-and-PDP.drawio.png | Bin .../media/communication-phases.drawio | 0 .../media/communication-phases.png | Bin .../media/crawling.png | Bin .../media/data-transfer.drawio | 0 .../media/data-transfer.png | Bin .../media/find-ids-app-process.drawio | 0 .../media/find-ids-app-process.png | Bin .../media/ids-app-publication-process.drawio | 0 .../media/ids-app-publication-process.png | Bin .../media/onboarding_process.drawio | 0 .../media/onboarding_process.png | Bin .../policy-negotiation-sequence-1.drawio | 0 .../media/policy-negotiation-sequence-1.png | Bin .../policy-negotiation-sequence-2.drawio | 0 .../media/policy-negotiation-sequence-2.png | Bin .../policy-negotiation-sequence-3.drawio | 0 .../media/policy-negotiation-sequence-3.png | Bin .../policy-negotiation-sequence-4.drawio | 0 .../media/policy-negotiation-sequence-4.png | Bin .../media/query-at-broker-activity.drawio | 0 .../media/query-at-broker-activity.png | Bin .../media/register-at-broker-activity.drawio | 0 .../media/register-at-broker-activity.png | Bin .../media/retrieve-ids-app-process.drawio | 0 .../media/retrieve-ids-app-process.png | Bin 
.../media/uc-example-Components.drawio.png | Bin .../media/uc-example-Sequence.drawio.png | Bin .../media/uc-example.drawio | 0 .../media/usage-control-conditions.drawio | 0 .../media/usage-control-conditions.drawio.png | Bin .../media/use-ids-app-process.drawio | 0 .../media/use-ids-app-process.png | Bin 49 files changed, 214 insertions(+), 105 deletions(-) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_4_Information_Layer/3_4_InformationLayer.md => 3_3_Information_Layer/3_3_InformationLayer.md} (96%) create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/README.md rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_4_Information_Layer => 3_3_Information_Layer}/media/image31.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_4_Information_Layer => 3_3_Information_Layer}/media/image32.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_4_Information_Layer => 3_3_Information_Layer}/media/image53.png (100%) delete mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/README.md delete mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/README.md rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer/3_3_1_Onboarding.md => 3_4_Process_Layer/3_4_1_Onboarding.md} (93%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer/3_3_2_Data_Offering.md => 3_4_Process_Layer/3_4_2_Data_Offering.md} (97%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer/3_3_3_Contract_Negotiation.md => 3_4_Process_Layer/3_4_3_Contract_Negotiation.md} (72%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer/3_3_4_Exchanging_Data.md => 3_4_Process_Layer/3_4_4_Exchanging_Data.md} (91%) rename 
documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer/3_3_5_Publishing_and_using_Data_Apps.md => 3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md} (98%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer/3_3_6_Policy_Enforcement.md => 3_4_Process_Layer/3_4_6_Policy_Enforcement.md} (96%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer/3_3_Process_Layer.md => 3_4_Process_Layer/3_4_Process_Layer.md} (97%) create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/README.md rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/Communication-PEP-and-PDP.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/Communication-PEP-and-PDP.drawio.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/communication-phases.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/communication-phases.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/crawling.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/data-transfer.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/data-transfer.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/find-ids-app-process.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/find-ids-app-process.png (100%) rename 
documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/ids-app-publication-process.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/ids-app-publication-process.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/onboarding_process.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/onboarding_process.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/policy-negotiation-sequence-1.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/policy-negotiation-sequence-1.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/policy-negotiation-sequence-2.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/policy-negotiation-sequence-2.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/policy-negotiation-sequence-3.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/policy-negotiation-sequence-3.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/policy-negotiation-sequence-4.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/policy-negotiation-sequence-4.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/query-at-broker-activity.drawio (100%) rename 
documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/query-at-broker-activity.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/register-at-broker-activity.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/register-at-broker-activity.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/retrieve-ids-app-process.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/retrieve-ids-app-process.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/uc-example-Components.drawio.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/uc-example-Sequence.drawio.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/uc-example.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/usage-control-conditions.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/usage-control-conditions.drawio.png (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/use-ids-app-process.drawio (100%) rename documentation/3_Layers_of_the_Reference_Architecture_Model/{3_3_Process_Layer => 3_4_Process_Layer}/media/use-ids-app-process.png (100%) 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/3_4_InformationLayer.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md similarity index 96% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/3_4_InformationLayer.md rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md index 8c317a38..0be715b4 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/3_4_InformationLayer.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md @@ -1,4 +1,4 @@ -## Information Layer +## Information Layer ## The Information Layer specifies the Information Model, the domain-agnostic, common language of the International Data Spaces. The @@ -20,7 +20,7 @@ components, and its processes. The Information Model is evolved and maintained by the IDSA Sub-Working Group 4.[^1] -### Scope +### Scope ### The Information Model is a generic model, with no commitment to any particular domain. Domain modeling is delegated to shared vocabularies @@ -33,7 +33,7 @@ Information Model therefore does not deal with the side effects of data exchange (e.g., in scenarios in which data is used for time-critical machine operations). -### Model Representations +### Model Representations ### The Information Model has been specified at three levels of formalization. Each level corresponds to a digital representation, @@ -48,7 +48,7 @@ guidance documents, reference examples, validation tools, and editing tools intended to support a competent, appropriate, and consistent usage of the IDS Vocabulary). -#### Conceptual Representation +#### Conceptual Representation #### The Conceptual Representation of the Information Model presents a high-level overview of the main, largely invariant concepts, with no 
@@ -60,7 +60,7 @@ references to related elements of the Declarative Representation and a Programmatic Representation are provided, encouraging the reader to take a look at these alternative implementations. -#### Declarative Representation +#### Declarative Representation #### The Declarative Representation (IDS Vocabulary) provides a normative view of the Information Model of the International Data Spaces.[^4] It @@ -82,7 +82,7 @@ vocabularies in order to express domain-specific facts. According to the common practice, existing domain vocabularies and standards are reused where possible, fostering acceptance and interoperability. -#### Programmatic Representation +#### Programmatic Representation #### The Programmatic Representation of the Information Model targets Software Providers by supporting seamless integration of the Information @@ -102,14 +102,14 @@ intricacies of ontology processing. #### _Fig. 3.4.1: Representations of the Information Model_ -### Conceptual Representation of a Digital Resource in the IDS +### Conceptual Representation of a Digital Resource in the IDS ### In the following, the pivotal concept of a Digital Resource is introduced, segregated into modules in accordance with the separation of concerns principle (SoC principle). To do so, a set of six broad concerns (“concern hexagon”) is provided. -#### Version Note +#### Version Note #### Since version 3.0 of the IDS-RAM, this section of the document has been reduced to the same high level of abstraction as the other sections. 
@@ -118,7 +118,7 @@ information is available from the repository that hosts the source code of the normative Declarative Representation as well as documentation covering further details on the Conceptual Representation.[^10] The remaining text has been edited to better present the Information Layer in the context of the other layers, and to provide up-to-date pointers to external standards reused. -#### (Digital) Resource +#### (Digital) Resource #### A (Digital) Resource in the context of the International Data Spaces is a uniquely identifiable, valuable, digital (i.e., non-physical) commodity @@ -133,7 +133,7 @@ with a particular demand for modeling related, complementary aspects specified here by applying the separation of concerns (SoC) paradigm[^12]. -#### Separation of Concerns (SoC) +#### Separation of Concerns (SoC) #### Following the separation of concerns design principle, only one dimension of a subject matter is considered at a time, for the sake of @@ -152,7 +152,7 @@ and maintenance of models can be substantially simplified. #### _Fig. 3.4.2: Outline of the Concern-Basic concern hexagon_ -#### Concern Hexagon +#### Concern Hexagon #### To illustrate the main modeling [c]{.underline}oncerns of Digital Resources in a way easy to memorize, the mnemonic hexagonal arrangement 
@@ -162,18 +162,21 @@ Figure [3.4.2](#_fig-342-outline-of-the-concern-basic-concern-hexagon_). As a Resource's content is its most essential aspect, *C*ontent is located at the top of the hexagon. The *Content* concern deals with + 1. the description of a Resource's abstract substance, 2. its serialization as a representation in a machine-interpretable format, and 3. the materializations of these representations at certain points in time as one or more instances (e.g., values or artifacts). Content is interpretable by references to a shared, formally defined *C*oncept, which may cover the meaning, annotation and interpretation of entities by, e.g., + 1. natural language keywords, 2. terms defined in curated sources such as controlled vocabularies, or 3. types defined in type systems or ontologies. On the other hand, links to a particular *C*ontext (in terms of, e.g., + * time, * place, or * real-world entities) @@ -188,17 +191,18 @@ to the “how” aspects; i.e., how the content is exchanged The *Communication* concern deals with means to communicate a Resource's Content in one of the Representations available, e.g., + * by sending messages in some communication protocol * to a resource or service endpoint or to an IDS Connector * in order to perform an operation. The *Commodity* concern helps to address the value and utility of a Resource in terms of, e.g., + * its provenance, * its quality, and * the (usage) policies attached to it, e.g., the obligation to pay a certain price for its consumption. -The -*C*ommunity of Trust concern refers to the distinctive feature of the +The *C*ommunity of Trust concern refers to the distinctive feature of the International Data Spaces being an ecosystem of certified participants operating certified components, such as Connectors. Using such components, Participants exchange and share Digital Resources in a secure and trusted way in accordance with contracts composed of usage policies, thus ensuring data sovereignty. 
@@ -207,7 +211,6 @@ with contracts composed of usage policies, thus ensuring data sovereignty. #### _Fig. 3.4.3: Detailed Concern Hexagon_ - The level of detail differs across the individual concerns. The selection of their constituting aspects may change in light of new requirements and insights; Fig. [3.4.3](#_fig-343-detailed-concern-hexagon_) suggests one such expansion of the C-Hexagon to one more level of detail. diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/README.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/README.md new file mode 100644 index 00000000..be165cd8 --- /dev/null +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/README.md @@ -0,0 +1,30 @@ +# Information layer ## + +## Table of Content ## + +[3.3 Information Layer](./3_3_InformationLayer.md#information-layer) + +[3.3.1 Scope](./3_3_InformationLayer.md#scope) + +[3.3.2 Model Representations](./3_3_InformationLayer.md#model-representations) + +[3.3.2.1 Conceptual Representation](./3_3_InformationLayer.md#conceptual-representation) + +[3.3.2.2 Declarative Representation](./3_3_InformationLayer.md#declarative-representation) + +[3.3.2.3 Programmatic Representation](./3_3_InformationLayer.md#programmatic-representation) + +[3.3.3 Conceptual Representation of a Digital Resource in the IDS](./3_3_InformationLayer.md#conceptual-representation) + +[3.3.3.1 Version Note](./3_3_InformationLayer.md#version-note) + +[3.3.3.2 (Digital) Resource](./3_3_InformationLayer.md#digital-resource) + +[3.3.3.3 Separation of Concerns (SoC)](./3_3_InformationLayer.md#separation-of-concerns-soc) + +[3.3.3.4 Concern Hexagon](./3_3_InformationLayer.md#concern-hexagon) + + +## Files ## + +- [3_3_InformationLayer.md](./3_3_InformationLayer.md) 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/media/image31.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/media/image31.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/media/image31.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/media/image31.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/media/image32.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/media/image32.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/media/image32.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/media/image32.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/media/image53.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/media/image53.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/media/image53.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/media/image53.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/README.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/README.md deleted file mode 100644 index 836eaf4e..00000000 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/README.md +++ /dev/null 
@@ -1,8 +0,0 @@ -# Process Layer - -- [Introduction](3_3_Process_Layer.md) -- [Onboarding](3_3_1_Onboarding.md) -- [Data Offering](3_3_2_Data_Offering.md) -- [Contract Negotiation](3_3_3_Contract_Negotiation.md) -- [Exchanging Data](3_3_4_Exchanging_Data.md) -- [Publishing and using Data Apps](3_3_5_Publishing_and_using_Data_Apps.md) diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/README.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/README.md deleted file mode 100644 index cd6c5877..00000000 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Information layer - -The information layer can be found [here](./3_4_InformationLayer.md) diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_1_Onboarding.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_1_Onboarding.md similarity index 93% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_1_Onboarding.md rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_1_Onboarding.md index bcd7f54d..8231592b 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_1_Onboarding.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_1_Onboarding.md 
@@ -1,10 +1,12 @@ -## Onboarding of an IDS Connector and its Operator +### Onboarding of an IDS Connector and its Operator ### The overall 'Onboarding' process requires of two preparational steps required for an organization to act as Data Provider or Data Consumer in the International Data Spaces: + 1. Registration and certification of the organization. 2. Acquiring a certified IDS connector. Based on those prerequisites, an organization can instantiate an arbitrary number of IDS connector instances with the following steps: + 1. Provisioning and configuring the connector. 2. Availability setup. 
@@ -13,14 +15,16 @@ All necessary steps are illustrated in the following figure. ![Onboarding process](./media/onboarding_process.png) #### _Fig. 3.3.1.1: Onboarding process_ -### Preparation: Registration and Certification of the Organization +#### Preparation: Registration and Certification of the Organization #### Any organization that wants to operate an IDS Connector (in order to exchange data in the International Data Spaces) as a Data provider, Data Consumer or provide an additional IDS component needs to pass the Operational Environment Certification (see [Section 4.2.3](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md)). The Identity Provider is informed that this organization is allowed to operate components in the IDS and request component identity certificates. Additionally, the organization is registered in the Participant Information Service (ParIS). The initial population of a Participant entry is conducted directly after the certification. The Support Organization is informed about the successful steps and provided with the corresponding metadata about the new IDS entity. The provisioning of this information is not part of the IDS interactions and must be managed through communication measures. The Support Organization checks the correctness of the claims, verifies the information, and equips the dedicated ParIS with the new IDS Participant instance. It is further recommended that each Participant also hosts its Self-Description on a publicly accessible endpoint of its choice. Preferably the locator of its Self-Description document, an HTTP URL, is identical with the used Participant URI. This best practice enables the lookup or referencing of the Participant Identifier through every HTTP client and thereby eases the discovery of relevant information. 
Nevertheless, in case the own supplied Participant Self-Description and the metadata at the ParIS deviate, the latter is more trusted as its claims have been verified through the Support Organization beforehand. -### Preparation: Acquiring a Certified IDS Connector +#### Preparation: Acquiring a Certified IDS Connector #### + The organization needs to either request an IDS Connector from a Software Provider, or implement its own one. The IDS Connector is the core technical component for becoming part of the IDS. It must pass the IDS Component Certification (see [Section 4.2.4](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md)) to ensure an adequate level of security and interoperability before it can be instantiated and used in the IDS. -### Connector Configuration and Provisioning +#### Connector Configuration and Provisioning #### + Each IDS Connector that participates in an IDS ecosystem must have a unique identity in the IDS which is issued or confirmed by the IDS Identity Provider. The required trust anchors for the Identity Provider (e.g. root certificate for CA) must be provisioned onto the connector to enable verification of identity information provided by communication partners. 
@@ -28,6 +32,6 @@ Additionally, each connector shall provide a Self-Description for other IDS Part Another mandatory step for the organization is to configure and connect their own existing systems to the IDS Connector. Therefore it is important that the appropriate IDS metadata (Usage Policies, etc.) is created and that data exchange is enabled (for details see section [3.3.4](../3_3_4_Exchanging_Data.md)). IDS Apps can be used for this purpose, see section [3.3.5](../3_3_5_Publishing_and_using_Data_Apps.md). -### Availability Setup +#### Availability Setup #### -An IDS Connector must be made available for other IDS Participants in the data ecosystem. Each Data Provider and Data Consumer can decide whether they want to announce their IDS Connector and their data resources publicly in the data ecosystem. This is described in the next section [3.3.2](../3_3_2_Data_Offering.md). +An IDS Connector must be made available for other IDS Participants in the data ecosystem. Each Data Provider and Data Consumer can decide whether they want to announce their IDS Connector and their data resources publicly in the data ecosystem. This is described in the next section [3.4.2](./3_4_2_Data_Offering.md). diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_2_Data_Offering.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_2_Data_Offering.md similarity index 97% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_2_Data_Offering.md rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_2_Data_Offering.md index 77af630d..818def37 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_2_Data_Offering.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_2_Data_Offering.md 
@@ -1,4 +1,5 @@ -# Data Offering +### Data Offering ### + A Participant who wants to offer data artifacts in a data space needs to conduct several steps to make it available to potential Data Consumers. In the most simplistic way, the Data Provider knows the Data Consumer at the beginning and directly provides information about available data assets, the selected endpoints, and the access mechanisms. This bidirectional data exchange bypasses most of the IDS infrastructure components and keeps the additional efforts to a minimum. However, in typical data spaces use cases, a Data Provider does not know which other Participant is interested in the provided data offering, or even does not know about the existence of the later Data Consumer at the time when the data set is published. In such cases, the proper description and advertisement at the right locations is critical to enable a business transaction. 
@@ -7,13 +8,13 @@ The IDS define manners to tackle these challenges by specifying a technology-agn Apart from such edge cases, the Data Provider has the interest to correctly and comprehensively describe its data assets to maximize the amount of interested Data Consumers. It further wants to stick to commonly accepted and understood standards to simplify its discovery for potential business partners. The IDS Information Model provides the schema for Self-Descriptions and their basic building blocks, like for instance Usage Contracts, endpoint descriptions, or the internal structure of data assets. -## Self-Description at Data Provider +#### Self-Description at Data Provider #### The first step in a typical data publication process is therefore the proper creation of a data asset Self-Description. Usually, IDS Connectors provide the technical manners to create and maintain them, e.g. through suitable GUIs. After reaching a syntactically and semantically correct Self-Description, they are then deployed at the Data Providers IDS Connector and can be accessed by other IDS Connectors via its endpoints. Depending on the requesting IDS Connector, the returned Self-Description may differ. Thus, the offering IDS Connector could offer different data at different conditions for different Participants of an IDS ecosystem. Self-Descriptions may also include elements of domain specific ontologies or generic key/values depending on the domain of the ecosystem. -## IDS Metadata Broker +#### IDS Metadata Broker #### The Data Provider may want to announce the created Self-Descriptions at a central component in a data space instead of just offering it in its own IDS Connector instance. Therefore, the Data Provider can send the Self-Descriptions to a responsible central IDS infrastructure component, the IDS Metadata Broker. 
The IDS Metadata Broker is a component in a data space that allows the publication of Self-Descriptions for IDS Resources and IDS Connectors, besides the original IDS Connector itself. Data Consumers can find suitable data offers while not knowing the existence or the location of the Data Providers. @@ -25,7 +26,7 @@ Nevertheless, the Data Provider has the interest to also maintain the distribute However, no Data Provider is obliged to publish any data assets at any IDS Metadata Broker. Neither is a Data Consumer forced to start its integration process at an IDS Metadata Broker, if it has other options to find and locate its data exchange partners. Still, both have the opportunity to interact with an IDS Metadata Broker using the following main interaction patterns. -### Data Provider registering Self-Descriptions +##### Data Provider registering Self-Descriptions ##### As shown in Figure [3.3.2.1](#PublishSelf-Description), the Data Provider can send Self-Description documents to an IDS Metadata Broker. The Self-Description must be self-containing and compliant to the specifications of the IDS Information Model. Usually representations of the RDF classes [ids:Connector](https://w3id.org/idsa/core/Connector) and [ids:Resource](https://w3id.org/idsa/core/Resource) are used. The IDS Metadata Broker then checks the Self-Description syntactic correctness and persists it in its local database. It does not check the semantic correctness, or the plausibility of the supplied information. 
@@ -36,7 +37,7 @@ Different to other ecosystems, an IDS Metadata Broker does not actively crawl fo Data Providers may be offered to restrict the publication of their Self-Descriptions based on certain Usage Control patterns. A Data Provider may for instance prohibit the presentation of its Self-Descriptions to its competitors IDS Connectors by delivering a list in a Usage Contract together with its Self-Descriptions. IDS Metadata Brokers might provide respective control features for domains, where publishing the metadata already uncovers critical business information. -### Data Consumer searching for Self-Descriptions +##### Data Consumer searching for Self-Descriptions ##### To find a Data Provider, the Data Consumer may search in the catalogs of an IDS Metadata Broker. Therefore, the Data Consumer needs to select a suitable IDS Metadata Broker and determine the query capabilities. They can e.g. differ by thematic coverage of the published metadata, or their query capabilities including graphical search interfaces or domain-specific query languages. 
@@ -45,7 +46,7 @@ The IDS Metadata Broker then returns the query result to the Data Consumer. The ![Query Self-Descriptions](media/query-at-broker-activity.png) #### _Fig. 3.3.2.2: Query IDS Metadata Broker_ -## Crawling Self-Descriptions +#### Crawling Self-Descriptions #### Another possible approach to find relevant data offers in a data ecosystem is a federated catalog. This approach is based on a crawler architecture implementing a federated cache node (FCN) and a federated cache crawler (FCC). The FCN of an IDS Connector makes data offers public to other Participants, as part of its Self-Description. In addition, further information describing the contents can be requested directly. This way, another IDS Connector can cache all available data offerings by crawling known Data Providers via its FCC. After that, the Data Consumer can search for available offers by querying its cache, that is updated by the FCC periodically or event-driven. Both the FCN and the FCC can be deployed as part of the IDS Connector or as a separate service. Having multiple 'snapshots' of available data offers in one ecosystem, the federated architecture allows implementing distributed queries. Depending on the size of the data space, a Data Consumer may use multiple crawlers. This would allow the partitioning of large data spaces into crawler-regions. Furthermore, it can be part of a hybrid setup covering the peer-to-peer crawling of IDS Connectors, completed by the crawling of IDS Metadata Brokers. 
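Review bot: The Availability Setup hunk (`@@ -28,6 +32,6 @@`) of the onboarding page fixes only one of the three links that the directory rename invalidates: the changed line now reads `This is described in the next section [3.4.2](./3_4_2_Data_Offering.md).`, but the unchanged context line above it still points at `../3_3_4_Exchanging_Data.md` and `../3_3_5_Publishing_and_using_Data_Apps.md`, both of which this same patch renames to `3_4_4_Exchanging_Data.md` and `3_4_5_Publishing_and_using_Data_Apps.md`. Update those two targets (and their section numbers in the link text, 3.3.4 and 3.3.5) to the `./3_4_x` form used in the fixed line so the rename does not leave dangling references.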
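Review bot: Figure numbering in the Data Offering page still carries the old section prefix after the rename: the context line `#### _Fig. 3.3.2.2: Query IDS Metadata Broker_` in the `@@ -45,7 +46,7 @@` hunk and the reference `Figure [3.3.2.1](#PublishSelf-Description)` in the earlier hunk keep 3.3.2.x, while the file moves to `3_4_2_Data_Offering.md` and the README TOC added in this patch numbers the section 3.4.2. Either renumber the captions and in-text figure references to 3.4.2.x in this editorial pass, or state in the commit message that figure numbers are intentionally left unchanged; the same mismatch appears with Fig. 3.3.3.x, Fig. 3.3.4.x and Figure 3.3.6.x in the other renamed files.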
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_3_Contract_Negotiation.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_3_Contract_Negotiation.md similarity index 72% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_3_Contract_Negotiation.md rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_3_Contract_Negotiation.md index 6f6df845..7641a85d 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_3_Contract_Negotiation.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_3_Contract_Negotiation.md 
@@ -1,22 +1,22 @@ -# Contract Negotiation +### Contract Negotiation ### -While a Connector Self-Description basically contains descriptive information about available -data assets, these also include Usage Control information in form of a Contract Offer. A Contract -Offer describes under what conditions the Data Provider is willing to make its data available to the -Data Consumer. This can range from simple access restrictions to complex pre- and post-duties. See -more details in Section [3.4](../3_4_Information_Layer). +While a Connector Self-Description basically contains descriptive information about available +data assets, these also include Usage Control information in form of a Contract Offer. A Contract +Offer describes under what conditions the Data Provider is willing to make its data available to the +Data Consumer. This can range from simple access restrictions to complex pre- and post-duties. See +more details in Section [3.3](../3_3_Information_Layer). -In a (semi-)automated negotiation process performed by the Usage Control frameworks of the +In a (semi-)automated negotiation process performed by the Usage Control frameworks of the participating IDS Connectors, the Data Consumer and the Data Provider need to agree on a Data Usage -Contract, respectively Contract Agreement. The following sequence diagrams visualize this process in +Contract, respectively Contract Agreement. The following sequence diagrams visualize this process in more detail. -## Basic Flow +#### Basic Flow #### -Figure [3.3.3.1](#_fig-3331-simple-contract-negotiation_) shows the most simple version of the sequence -that is at least necessary to reach a Contract Agreement. In advance, the Data Provider has attached -a Contract Offer to a data offer. As described in Section [3.3.2](3_3_2_Data_Offering.md), this is -returned to the Data Consumer as part of the IDS Connector's Self-Description. 
However, the Data +Figure [3.3.3.1](#_fig-3331-simple-contract-negotiation_) shows the most simple version of the sequence +that is at least necessary to reach a Contract Agreement. In advance, the Data Provider has attached +a Contract Offer to a data offer. As described in Section [3.3.4.2](3_4_2_Data_Offering.md), this is +returned to the Data Consumer as part of the IDS Connector's Self-Description. However, the Data Consumer can submit a Contract Request at any time, even if no Contract Offer exists yet. _Please note, as this is a technology-independent message flow, appropriate responses were not 
@@ -24,71 +24,75 @@ considered. The illustrated processes can run synchronously as well as asynchron cancelled at any time._ ![Simple Contract Negotiation](media/policy-negotiation-sequence-1.png) + #### _Fig. 3.3.3.1: Simple Contract Negotiation_ -In Figure [3.3.3.1](#_fig-3331-simple-contract-negotiation_), the negotiation sequence is initiated by the -Data Consumer's IDS Connector sending a Contract Request to the Data Provider. The content of this -Contract Request can differ from the Contract Offer, or it can adopt it as it is. The -meta-information in the contract is modified accordingly (e.g., the date, the term, or the -signature). As soon as the Data Provider's IDS Connector receives the Contract Request, its validity -is checked by means of syntax, content, and signature. As Figure [3.3.3.1](#_fig-3331-simple-contract-negotiation_) -concentrates on the simple flow, it covers no counter Contract Offers. Thus, the Contract Request is +In Figure [3.3.3.1](#_fig-3331-simple-contract-negotiation_), the negotiation sequence is initiated by the +Data Consumer's IDS Connector sending a Contract Request to the Data Provider. The content of this +Contract Request can differ from the Contract Offer, or it can adopt it as it is. The +meta-information in the contract is modified accordingly (e.g., the date, the term, or the +signature). As soon as the Data Provider's IDS Connector receives the Contract Request, its validity +is checked by means of syntax, content, and signature. As Figure [3.3.3.1](#_fig-3331-simple-contract-negotiation_) +concentrates on the simple flow, it covers no counter Contract Offers. Thus, the Contract Request is either rejected or accepted. -In the case of a Contract Agreement, this is also signed by the Data Provider's IDS Connector and, +In the case of a Contract Agreement, this is also signed by the Data Provider's IDS Connector and, for confirmation, the Data Consumer is informed about the Contract Agreement. 
Again, content and -signature are validated. If this fails, the Data Consumer simply does not invoke any subsequent +signature are validated. If this fails, the Data Consumer simply does not invoke any subsequent Data Operations referring to this Contract Agreement (see Section [3.3.4](3_3_4_Exchanging_Data.md)). -As soon as a Contract Agreement has been reached, this is instantiated and deployed inside both IDS -Connectors. This means it needs to be persisted on both sides. This way, both IDS Connectors have +As soon as a Contract Agreement has been reached, this is instantiated and deployed inside both IDS +Connectors. This means it needs to be persisted on both sides. This way, both IDS Connectors have all necessary information for later Policy Enforcement. -If, at any time during the sequence, a participant does not agree with the shared content, the -Contract can be rejected. In the case of a Contract Rejection, the sequence is aborted. Connected -systems or users are notified and previously saved Contract Agreements are revoked. A negotiation +If, at any time during the sequence, a participant does not agree with the shared content, the +Contract can be rejected. In the case of a Contract Rejection, the sequence is aborted. Connected +systems or users are notified and previously saved Contract Agreements are revoked. A negotiation sequence is never reactivated, but a new one can be started at any time. -## Clearing House +#### Clearing House #### In addition, for separate trust or for regulation in some data spaces, the approval of a Contract Request or Offer may be extended by -involving the Clearing House. After a successful Contract Request validation, the Data Provider +involving the Clearing House. After a successful Contract Request validation, the Data Provider signed and stored the Contract Agreement locally. 
Next, this is additionally sent to the Clearing House (as shown in Figure [3.3.3.2](#_fig-3332-contract-agreement-with-clearing-house-involvement_)). -After receiving the Contract Agreement from the Data Provider, the Clearing House first checks the -signature of both involved Connectors and then signs the Contract Agreement itself. The Provider -Connector returns the triple signed Contract Agreement to the Data Consumer, that can finally check +After receiving the Contract Agreement from the Data Provider, the Clearing House first checks the +signature of both involved Connectors and then signs the Contract Agreement itself. The Provider +Connector returns the triple signed Contract Agreement to the Data Consumer, that can finally check all signatures to be sure that the Contract Agreement contains the requested content. ![Clearing House Involvement](media/policy-negotiation-sequence-4.png) + #### _Fig. 3.3.3.2: Contract Agreement with Clearing House Involvement_ -## Reversed Sequence +#### Reversed Sequence #### -Figure [3.3.3.3](#_fig-cc-contract-negotiation---initiation-by-data-provider_) depicts the simple -negotiation flow of Figure [3.3.3.1](#_fig-3331-contract-negotiation---initiation-by-data-provider_). -In this case, however, the sequence is reversed and the Data Provider initiates the negotiation. -Nevertheless, it should be noted that, since the Data Provider is the one who makes the data offer, -it is always the one who signs the Contract Agreement last, and sends it to the Clearing House if +Figure [3.3.3.3](#_fig-cc-contract-negotiation---initiation-by-data-provider_) depicts the simple +negotiation flow of Figure [3.3.3.1](#_fig-3331-contract-negotiation---initiation-by-data-provider_). +In this case, however, the sequence is reversed and the Data Provider initiates the negotiation. 
+Nevertheless, it should be noted that, since the Data Provider is the one who makes the data offer, +it is always the one who signs the Contract Agreement last, and sends it to the Clearing House if this is involved (as described in the previous subsection). ![Contract Negotiation: Initiation by Data Provider](media/policy-negotiation-sequence-2.png) + #### _Fig. 3.3.3.3: Contract Negotiation - Initiation by Data Provider_ -## Counter Offers - -Figure [3.3.3.4](#_fig-3334-contract-negotiation---counter-offers_) illustrates a more complex negotiation -flow that covers counter Contract Offers and external input. As soon as the Data Provider's IDS -Connector receives a valid Contract Request, it may notify interested users or systems and provide -an interface for input. Thus, the IDS Connector, if it does not already do so by default, can be -extended by the functionality to automatically negotiate contracts within a certain range (e.g., -using an AI service). Alternatively, a service or a user can interact and directly affect the -negotiation by rejecting or agreeing to the received Contracts as well as proposing counter -Contract Offers or Requests. Further steps take place as already described above: Incoming Contracts -are validated and as soon as a Contract Agreement has been reached, it is persisted and enforced by -both IDS Connectors. How this Policy Enforcement will be ensured is explained in Section +#### Counter Offers #### + +Figure [3.3.3.4](#_fig-3334-contract-negotiation---counter-offers_) illustrates a more complex negotiation +flow that covers counter Contract Offers and external input. As soon as the Data Provider's IDS +Connector receives a valid Contract Request, it may notify interested users or systems and provide +an interface for input. Thus, the IDS Connector, if it does not already do so by default, can be +extended by the functionality to automatically negotiate contracts within a certain range (e.g., +using an AI service). 
Alternatively, a service or a user can interact and directly affect the +negotiation by rejecting or agreeing to the received Contracts as well as proposing counter +Contract Offers or Requests. Further steps take place as already described above: Incoming Contracts +are validated and as soon as a Contract Agreement has been reached, it is persisted and enforced by +both IDS Connectors. How this Policy Enforcement will be ensured is explained in Section [3.3.6](3_3_6_Policy_Enforcement.md). ![Contract Negotiation: Counter Offers](media/policy-negotiation-sequence-3.png) + #### _Fig. 3.3.3.4: Contract Negotiation - Counter Offers_ diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_4_Exchanging_Data.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_4_Exchanging_Data.md similarity index 91% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_4_Exchanging_Data.md rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_4_Exchanging_Data.md index c973356b..7b4e37af 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_4_Exchanging_Data.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_4_Exchanging_Data.md @@ -1,7 +1,4 @@ -# Data Exchange - - - +### Data Exchange ### After a successful Onboarding (see Section [3.3.1](3_3_1_Onboarding.md)), the operations of a Data Consumer or Data Provider can be assigned to two phases: the Control Phase and the Transfer Phase. 
@@ -25,7 +22,7 @@ be bound to neither a communication protocol nor to a communication pattern, thi differently, as stated in the following. For this to work, a Data Operation request requires information that enables technical automation (e.g., authentication information, or protocol details). -## Communication Pattern +#### Communication Pattern #### Communication between the Connectors can be synchronous or asynchronous (i.e., the Data Consumer does not have to wait for the result to arrive, but will be notified by the Data Provider as soon as @@ -41,20 +38,20 @@ of a pull-request, the Data Consumer can repeat the last part of the process to The description of the communication pattern itself is not part of this document, as this is covered by existing standards (e.g. DIN SPEC 16593-1:2018-04) or as best practices in industry. -## Communication Protocol +#### Communication Protocol #### To meet various requirements regarding data volume and transfer in real time, the Transfer Process is not restricted to a specific protocol. This way, technical limitations are bound to those of the applied systems and not to the Connector component. -### Data Transfer via the Same Infrastructure and Protocol +##### Data Transfer via the Same Infrastructure and Protocol ##### Either synchronously or asynchronously, the Data Provider's Connector may respond with the Data Operation result without using a proprietary system or protocol. In the course of this, all information flows that are shown in Figure [3.3.4.1](#_fig-3341-communication-phases_) would run directly between the two Connectors using an IDS protocol. -### Data Transfer via Another Infrastructure or Protocol +##### Data Transfer via Another Infrastructure or Protocol ##### Alternatively to the previously described process, after the Data Operation invocation, the Data Consumer's Connector can take the provided information and establish a connection directly between 
@@ -65,7 +62,7 @@ to switch from data pulling to data pushing easily. The sequence is depicted in ![Out-of-band Data Exchange](media/data-transfer.png) #### _Fig. 3.3.4.2: Out-of-band Data Exchange_ -## Usage Control +#### Usage Control #### All communication patterns and protocols must ensure that usage control, covering the contents of the negotiated Contract Agreement, is enforced, and that the involved Connectors are included in the diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_5_Publishing_and_using_Data_Apps.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md similarity index 98% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_5_Publishing_and_using_Data_Apps.md rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md index 6eea789f..209651bc 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_5_Publishing_and_using_Data_Apps.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md @@ -1,4 +1,4 @@ -## Publishing and using IDS Apps +### Publishing and using IDS Apps ## IDS Apps can be used by IDS Connectors for specific data processing or transformation tasks. They can perform tasks of different complexity, ranging from simple data transformation to complex data analytics. An example of data transformation may be a IDS App parsing a single string field with address information and producing a data structure consisting of street name and number, zip code, name of the city, and name of the country. 
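Review bot: The rewritten line `+a Contract Offer to a data offer. As described in Section [3.3.4.2](3_4_2_Data_Offering.md), this is` in the first Contract Negotiation hunk (`@@ -1,22 +1,22 @@`) introduces a section number that does not exist in the new structure; the README TOC in this patch lists Data Offering as 3.4.2, so it should read `Section [3.4.2](3_4_2_Data_Offering.md)`. The slip is easy to miss because almost every line of the hunk is re-emitted without visible change (apparently trailing-whitespace cleanup); consider splitting whitespace-only changes from link fixes, or at least naming the two substantive edits (`Section [3.4](../3_4_Information_Layer)` to `[3.3](../3_3_Information_Layer)`, and this Data Offering link) in the commit message so reviewers can verify them.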
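Review bot: Several cross-references in the second Contract Negotiation hunk (`@@ -24,71 +24,75 @@`) are re-emitted as `+` lines yet still point at pre-rename files or inconsistent anchors: `+Data Operations referring to this Contract Agreement (see Section [3.3.4](3_3_4_Exchanging_Data.md)).` links a file this patch renames to `3_4_4_Exchanging_Data.md`; the context line `[3.3.6](3_3_6_Policy_Enforcement.md).` likewise targets the old name of `3_4_6_Policy_Enforcement.md`; and `+negotiation flow of Figure [3.3.3.1](#_fig-3331-contract-negotiation---initiation-by-data-provider_).` uses a different anchor for Fig. 3.3.3.1 than the `#_fig-3331-simple-contract-negotiation_` used elsewhere in the same file, whose caption is "Simple Contract Negotiation". Since these lines are already being touched, fix the two file links and unify the figure anchor here rather than in a follow-up.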
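Review bot: The context line `After a successful Onboarding (see Section [3.3.1](3_3_1_Onboarding.md)), the operations of a Data Consumer or Data Provider can be assigned to two phases` in the first Data Exchange hunk (`@@ -1,7 +1,4 @@`) links the onboarding page by its old filename and section number; the README added in this patch lists it as `3_4_1_Onboarding.md` under 3.4.1, so both the link target and the number in the link text should be updated together with the rename.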
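Review bot: The new heading `+### Publishing and using IDS Apps ##` in the Data Apps hunk opens with three hashes but closes with two; CommonMark accepts any closing sequence, so it still renders as a level-3 heading, but every other heading in this patch uses a matching closing sequence (for example `+### Data Exchange ###`), so make it `### Publishing and using IDS Apps ###` for consistency.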
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_6_Policy_Enforcement.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_6_Policy_Enforcement.md similarity index 96% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_6_Policy_Enforcement.md rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_6_Policy_Enforcement.md index 52ae0a40..97974e2f 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_6_Policy_Enforcement.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_6_Policy_Enforcement.md 
@@ -1,33 +1,39 @@ -# Policy Enforcement +### Policy Enforcement ### Enforcement of data usage restrictions (Policy Enforcement) can be characterized and implemented in different forms. Organizational rules or legal contracts can be substituted, or at least accompanied, by technical solutions, which introduce a new level of security. Vice versa, technical solutions can be accompanied by organizational rules or legal contracts (e.g., to compensate missing capabilities of the technical solution). Although it is a commonly used solution to address data usage control restrictions by organizational rules, the IDS focuses on technical enforcement. To enforce data usage restrictions, a system’s actions need to be monitored and potentially intercepted by control points (i.e., Policy Enforcement Points). These actions must be judged by a decision engine (i.e., a Policy Decision Point) for requesting permission or denial. In addition to just allowing or denying an action, the decision engine may also require modification of the action. A PEP component encapsulates the enforcement. -## Policy Enforcement Point (PEP) +#### Policy Enforcement Point (PEP) #### + **The Policy Enforcement Point (PEP)** has two main tasks. First, it is the entry point for enforcement, meaning it is the point where data or metadata is stopped and transferred to the PDP, the PDP makes a decision and returns it to the PEP. Secondly, the PEP will subsequently manipulate or lock the data according to the decision. ![image](media/Communication-PEP-and-PDP.drawio.png) _Figure 3.3.6.1: Communication Policy Enforcement Point and Policy Decision Point_ -## Policy Decision Point (PDP) +#### Policy Decision Point (PDP) #### + As mentioned before, the **Policy Decision Point (PDP)** makes the decision based on the data sent by the PEP and the deposited policies. The policies specifies the conditions and obligations. 
The result of the evaluation is send to the PEP for enforcement (see [Figure 3.3.6.1](media/Communication-PEP-and-PDP.drawio.png)). The PDP also interprets the policies in terms of context information and instructions. This means the policy decision may also depend on additional information that is not present in the intercepted system action itself. This includes information about the context, such as data flows or the geographical location of an entity. It is also possible to specify pre- or post-conditions that have to hold before (e.g., integrity check of the environment) and after (e.g., data item is deleted after usage) decision-making. In addition, it is possible to define on-conditions that have to hold during usage (e.g., only during business hours). These conditions usually specify constraints and permissions that have to be fulfilled before, during, and after using data (see [Figure 3.3.6.2](media/usage-control-conditions.drawio.png)). This is linked to the other components presented in this section. ![image](media/usage-control-conditions.drawio.png) _Figure 3.3.6.2: Usage Control Pre-, On-, and Post-Conditions_ -## Policy Information Point (PIP) +#### Policy Information Point (PIP) #### + **The Policy Information Point (PIP)** is the component to determine information such as context information during policy evaluation. This information can then be used in the PDP for decision making. (More about context information in [Section 4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md)) -## Policy Execution Point (PXP) +#### Policy Execution Point (PXP) #### + **The Policy Execution Point (PXP)** is the components for implementing instructions or requirements these can be before a decision and their successful execution can be included as a condition, or they can be executed after a decision has been made. 
(More about the execution of instructions in [Section 4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md)) -## Policy Management Point (PMP) and Policy Administration Point (PAP) +#### Policy Management Point (PMP) and Policy Administration Point (PAP) #### + **The Policy Management Point (PMP)** and **the Policy Administration Point (PAP)** are not components that are directly needed for enforcement, but should be briefly mentioned here. These components are important for specification and management of usage policies. The PMP, as the name implies, is responsible for the management or handling of the policies. It makes the policies available to the PDP, activates, deactivates and deletes them. The PAP is used to support the creation and specification of usage policies often via a user-friendly graphical interface. -## Interaction in the IDS Connector +#### Interaction in the IDS Connector #### + **An example process** in the IDS Connector. Let's assume there is a policy describing that data can only be used when the connector is in the EU (Locale) and the usage is sent to the Clearing House after the data has been used (Log). We assume that such a policy is deposited (negotiated) for the PDP and the components to implement it are available. Now a process may exist to enforce Access Control, on the Data Provider side. It basically does not matter if it is a send or fetch of the data. To implement Data Usage Control, there must also be a process on the Data Consumer side. We want to focus here on the case of Usage Control on the Data Consumer side, which can be used very similarly also for Access Control, since the Data Provider, has a high interest to enforce this as early as possible. 
[Figure 3.3.6.3](media/uc-example-Components.drawio.png) is a component diagram of an IDS Connector that receives data and Components for Usage Contral with an standalone Usage Control Container.The IDS Components (IDS PEP, IDS PIP, IDS PXP) are more generic and standardized components, these are connected to a specific implmentations (PXP, PIP, PXP) of a policy engine or framework to be able to enforce it. The core component - IDS Connector Core - of the IDS Connector (see [Section 3.5.2](../3_5_System_Layer/3_5_2_IDS_Connector.md)) is of central importance. It knows the routes of the data and can thus integrate the PEPs at appropriate points. This can be done when the data leaves the IDS Connector Core or e.g. via Interceptor Pattern for completely controlled data flows. If data is to flow to a data sink (app, storage), the IDS Connector Core knows the destination and it knows the identifications of the data, which are transferred in the form of metadata. Before the data flows directly, the PEP acts in front of it and sends all the required information to the PDP. The implementation of the solution can be implemented in the IDS Connector Core or as a standalone application (runs as an IDS Connector App), but the principle remains the same. The PDP analyzes the policy and must be connected via the IDS Connector Core to a system that can provide a statement about the IDS Connector location. For example the IDS ParIS is used to resolve the location information. If the IDS Connector is located in the EU, the data is released and the PEP does not have to change anything. The PDP informs the PEP about this decision. Now there is the instruction to log the data usage information in the Clearing House. A PXP which is connected to the Clearing House is responsible for logging the usage information via the IDS Connector Core. Using this PXP, the PDP can log important information and parameters provided by the PEP and PIP. 
More details about different types of context information and the execution of instructions can be found in [Section 4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md). [Figure 3.3.6.4](media/uc-example-Sequence.drawio.png) shows a sequence like discribed in the example within the procedure calls between the Components. ![image](media/uc-example-Components.drawio.png) diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_Process_Layer.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_Process_Layer.md similarity index 97% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_Process_Layer.md rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_Process_Layer.md index 82b8d11c..3bd4c0dc 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_Process_Layer.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_Process_Layer.md @@ -1,8 +1,9 @@ -# Process Layer +## Process Layer ## The Process Layer specifies the interactions taking place between the different components of the International Data Spaces. It thereby provides a dynamic view of the Reference Architecture Model. The following processes and their sub-processes are described: + 1. **Onboarding**, i.e. what to do to be granted access to the International Data Spaces as a Data Provider or Data Consumer. 2. **Data Offering**, i.e. offering data or searching for a suitable data. 3. **Contract Negotiation**, i.e. accept data offers by negotiating the usage policies. diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/README.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/README.md new file mode 100644 index 00000000..53470d51 --- /dev/null 
+++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/README.md 
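Review bot: the figure references in the usage-control example paragraph ("Figure 3.3.6.3", "Figure 3.3.6.4") still carry the 3.3 prefix although this file and its media now live under 3_4_Process_Layer (the media renames in this same patch move uc-example-Components.drawio.png and uc-example-Sequence.drawio.png to 3_4_Process_Layer/media, and the new README lists the section as 3.4.6); renumber them to 3.4.6.x so they match the new section number. The parenthetical "(PXP, PIP, PXP)" lists PXP twice and omits PEP; since it mirrors the preceding "(IDS PEP, IDS PIP, IDS PXP)", it should read "(PEP, PIP, PXP)". While the paragraph is being touched, the typos it carries could be fixed in the same pass: "Usage Contral" (Control), "an standalone" (a standalone), "Container.The" (missing space), "implmentations" (implementations), and "discribed" (described).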
@@ -0,0 +1,74 @@ +# Process Layer # + +## Table of Content ## + +[3.4 Process Layer](3_4_Process_Layer.md#process-layer) + +[3.4.1 Onboarding of an IDS Connector and its Operator](3_4_1_Onboarding.md#onboarding-of-an-ids-connector-and-its-operator) + +[3.4.1.1 Preparation: Registration and Certification of the Organization](3_4_1_Onboarding.md#preparation-registration-and-certification-of-the-organization) + +[3.4.1.2 Preparation: Acquiring a Certified IDS Connector](3_4_1_Onboarding.md#preparation-acquiring-a-certified-ids-connector) + +[3.4.1.3 Connector Configuration and Provisioning](3_4_1_Onboarding.md#connector-configuration-and-provisioning) + +[3.4.1.4 Availability Setup](3_4_1_Onboarding.md#availability-setup) + +[3.4.2 Data Offering](3_4_2_Data_Offering.md#data-offering) + +[3.4.2.1 Self-Description at Data Provider](3_4_2_Data_Offering.md#self-description-at-data-provider) + +[3.4.2.2 IDS Metadata Broker](3_4_2_Data_Offering.md#ids-metadata-broker) + +[3.4.2.2.1 Data Provider registering Self-Descriptions](3_4_2_Data_Offering.md#data-provider-registering-self-descriptions) + +[3.4.2.2.2 Data Consumer searching for Self-Descriptions](3_4_2_Data_Offering.md#data-consumer-searching-for-self-descriptions) + +[3.4.2.3 Crawling Self-Descriptions](3_4_2_Data_Offering.md#crawling-self-descriptions) + +[3.4.3 Contract Negotiation](3_4_3_Contract_Negotiation.md#contract-negotiation) + +[3.4.3.1 Basic Flow](3_4_3_Contract_Negotiation.md#basic-flow) + +[3.4.3.2 Clearing House](3_4_3_Contract_Negotiation.md#clearing-house) + +[3.4.3.3 Reversed Sequence](3_4_3_Contract_Negotiation.md#reversed-sequence) + +[3.4.3.4 Counter Offers](3_4_3_Contract_Negotiation.md#counter-offers) + +[3.4.4 Data Exchange](3_4_4_Exchanging_Data.md#data-exchange) + +[3.4.4.1 Communication Pattern](3_4_4_Exchanging_Data.md#communication-pattern) + +[3.4.4.2 Communication Protocol](3_4_4_Exchanging_Data.md#communication-protocol) + +[3.4.4.2.1 Data Transfer via the Same Infrastructure and 
Protocol](3_4_4_Exchanging_Data.md#data-transfer-via-the-same-infrastructure-and-protocol) + +[3.4.4.2.2 Data Transfer via Another Infrastructure or Protocol](3_4_4_Exchanging_Data.md#data-transfer-via-another-infrastructure-or-protocol) + +[3.4.4.3 Usage Control](3_4_4_Exchanging_Data.md) + +[3.4.5 Publishing and using Data Apps](3_4_5_Publishing_and_using_Data_Apps.md#publishing-and-using-ids-apps) + +[3.4.6 Policy Enforcement](./3_4_6_Policy_Enforcement.md#policy-enforcement) + +[3.4.6.1 Policy Enforcement Point (PEP)](./3_4_6_Policy_Enforcement.md#policy-enforcement-point-pep) + +[3.4.6.2 Policy Decision Point (PDP)](./3_4_6_Policy_Enforcement.md#policy-decision-point-pdp) + +[3.4.6.3 Policy Information Point (PIP)](./3_4_6_Policy_Enforcement.md#policy-information-point-pip) + +[3.4.6.4 Policy Execution Point (PXP)](./3_4_6_Policy_Enforcement.md#policy-execution-point-pxp) + +[3.4.6.5 Policy Management Point (PMP) and Policy Administration Point (PAP)](./3_4_6_Policy_Enforcement.md#policy-management-point-pmp-and-policy-administration-point-pap) + +[3.4.6.6 Interaction in the IDS Connector](./3_4_6_Policy_Enforcement.md#interaction-in-the-ids-connector) + +## Files ## + +- [3_4_Process_Layer.md](./3_4_Process_Layer.md) +- [3_4_1_Onboarding.md](./3_4_1_Onboarding.md) +- [3_4_2_Data_Offering.md](3_4_2_Data_Offering.md) +- [3_4_3_Contract_Negotiation.md](./3_4_3_Contract_Negotiation.md) +- [3_4_4_Exchanging_Data.md](./3_4_4_Exchanging_Data.md) +- [3_4_5_Publishing_and_using_Data_Apps.md](./3_4_5_Publishing_and_using_Data_Apps.md) \ No newline at end of file 
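Review bot: the Files list at the end of the new README omits 3_4_6_Policy_Enforcement.md even though the Table of Content above it lists six entries under ./3_4_6_Policy_Enforcement.md; add `- [3_4_6_Policy_Enforcement.md](./3_4_6_Policy_Enforcement.md)` so the two lists agree. The entry `[3.4.4.3 Usage Control](3_4_4_Exchanging_Data.md)` is the only one without a heading anchor, so it lands at the top of the file rather than at the subsection; give it the anchor that matches the heading slug in 3_4_4_Exchanging_Data.md (presumably `#usage-control`, to be confirmed against that file). Minor: the file ends without a trailing newline ("\ No newline at end of file"), and the link paths mix the `./` prefix with bare relative paths; pick one form.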
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/Communication-PEP-and-PDP.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/Communication-PEP-and-PDP.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/Communication-PEP-and-PDP.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/Communication-PEP-and-PDP.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/Communication-PEP-and-PDP.drawio.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/Communication-PEP-and-PDP.drawio.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/Communication-PEP-and-PDP.drawio.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/Communication-PEP-and-PDP.drawio.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/communication-phases.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/communication-phases.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/communication-phases.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/communication-phases.drawio 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/communication-phases.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/communication-phases.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/communication-phases.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/communication-phases.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/crawling.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/crawling.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/crawling.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/crawling.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/data-transfer.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/data-transfer.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/data-transfer.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/data-transfer.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/data-transfer.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/data-transfer.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/data-transfer.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/data-transfer.png 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/find-ids-app-process.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/find-ids-app-process.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/find-ids-app-process.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/find-ids-app-process.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/find-ids-app-process.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/find-ids-app-process.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/find-ids-app-process.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/find-ids-app-process.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/ids-app-publication-process.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/ids-app-publication-process.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/ids-app-publication-process.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/ids-app-publication-process.drawio 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/ids-app-publication-process.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/ids-app-publication-process.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/ids-app-publication-process.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/ids-app-publication-process.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/onboarding_process.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/onboarding_process.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/onboarding_process.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/onboarding_process.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/onboarding_process.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/onboarding_process.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/onboarding_process.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/onboarding_process.png 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-1.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-1.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-1.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-1.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-1.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-1.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-1.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-1.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-2.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-2.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-2.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-2.drawio 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-2.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-2.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-2.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-2.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-3.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-3.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-3.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-3.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-3.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-3.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-3.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-3.png 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-4.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-4.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-4.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-4.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-4.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-4.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/policy-negotiation-sequence-4.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/policy-negotiation-sequence-4.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/query-at-broker-activity.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/query-at-broker-activity.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/query-at-broker-activity.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/query-at-broker-activity.drawio 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/query-at-broker-activity.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/query-at-broker-activity.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/query-at-broker-activity.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/query-at-broker-activity.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/register-at-broker-activity.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/register-at-broker-activity.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/register-at-broker-activity.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/register-at-broker-activity.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/register-at-broker-activity.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/register-at-broker-activity.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/register-at-broker-activity.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/register-at-broker-activity.png 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/retrieve-ids-app-process.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/retrieve-ids-app-process.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/retrieve-ids-app-process.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/retrieve-ids-app-process.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/retrieve-ids-app-process.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/retrieve-ids-app-process.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/retrieve-ids-app-process.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/retrieve-ids-app-process.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/uc-example-Components.drawio.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/uc-example-Components.drawio.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/uc-example-Components.drawio.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/uc-example-Components.drawio.png 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/uc-example-Sequence.drawio.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/uc-example-Sequence.drawio.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/uc-example-Sequence.drawio.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/uc-example-Sequence.drawio.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/uc-example.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/uc-example.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/uc-example.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/uc-example.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/usage-control-conditions.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/usage-control-conditions.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/usage-control-conditions.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/usage-control-conditions.drawio 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/usage-control-conditions.drawio.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/usage-control-conditions.drawio.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/usage-control-conditions.drawio.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/usage-control-conditions.drawio.png diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/use-ids-app-process.drawio b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/use-ids-app-process.drawio similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/use-ids-app-process.drawio rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/use-ids-app-process.drawio diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/use-ids-app-process.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/use-ids-app-process.png similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/media/use-ids-app-process.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/media/use-ids-app-process.png From d18008859b4b4e68e989489abfe9836a0145832c Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Thu, 13 Oct 2022 14:42:15 +0200 Subject: [PATCH 11/22] editorial updates --- .../3_3_Information_Layer/3_3_InformationLayer.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md index 0be715b4..4caeb670 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md @@ -147,7 +147,6 @@ any modification of a single element of the overall model does not require a change in other, logically unrelated parts, the development and maintenance of models can be substantially simplified. - ![Outline of the Concern-Basic concern hexagon](./media/image32.png) #### _Fig. 3.4.2: Outline of the Concern-Basic concern hexagon_ From 57363ca78608e965c7b2e6dff972ab6fd765b028 Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Thu, 13 Oct 2022 15:10:41 +0200 Subject: [PATCH 12/22] ediorial update --- .../3_5_System_Layer/3_5_0_System_Layer.md | 2 +- .../3_5_1_Identity_Provider.md | 30 ++++---- .../3_5_System_Layer/3_5_2_IDS_Connector.md | 16 +++-- .../3_5_3_App_Store_and_Data_Apps.md | 6 +- .../3_5_System_Layer/3_5_4_Metadata_Broker.md | 12 ++-- .../3_5_System_Layer/3_5_5_Clearing_House.md | 3 +- .../3_5_System_Layer/3_5_6_Vocabulary_Hub.md | 10 ++- .../3_5_System_Layer/README.md | 72 ++++++++++++++++--- 8 files changed, 103 insertions(+), 48 deletions(-) diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md index 13113684..3ee131f4 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md 
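Review bot: the hunk in 3_3_InformationLayer.md drops the blank line between the paragraph ending "can be substantially simplified." and the image line `![Outline of the Concern-Basic concern hexagon](./media/image32.png)`; if that was the only blank line separating them, CommonMark will treat the image as inline content of the preceding paragraph instead of rendering it as its own block, so confirm that one blank line survives before the image. Separately, the caption on the following context line reads "Fig. 3.4.2" although this file is the Information Layer (3.3) and this series makes 3.4 the Process Layer (rename of 3_3_Process_Layer to 3_4_Process_Layer); the figure label should be renumbered into the 3.3 range.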
@@ -1,4 +1,4 @@ -# System Layer +## System Layer ## The processes defined in the [Process Layer](../3_3_Process_Layer) are summarized in Figure 3.5.0.1 as interactions between the IDS Components. Please note that the Identity Provider is not shown in the figure in order to maintain readability. diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_1_Identity_Provider.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_1_Identity_Provider.md index db6a089e..d1bedc58 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_1_Identity_Provider.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_1_Identity_Provider.md 
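Review bot: the System Layer text still links the Process Layer as `[Process Layer](../3_3_Process_Layer)`, but the rename earlier in this series moves that directory to 3_4_Process_Layer, so the link now points at a path that no longer exists; update it to `../3_4_Process_Layer` (or to `../3_4_Process_Layer/3_4_Process_Layer.md`) in this hunk, since the heading line is being edited here anyway.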
@@ -1,12 +1,14 @@ -# Identity Provider +### Identity Provider ### + To be able to make access control related decisions that are based on reliable identities and properties of Participants, a concept for Identity and Access Management (IAM) is mandatory. To access ressources in the IDS, aspects of identification (i.e., claiming an identity), authentication (i.e., verifying an identity), and authorization (i.e., making access decisions based on an identity) need to be defined. The Identity Provider in the IDS consists of three complementary components: Certificate Authorities (CAs) are responsible for issue and manage technical identity claims, the Dynamic Attribute Provisioning Service (DAPS) provides short-lived tokens with up-to-date information about connectors, and the Participant Information Service (ParIS) provides business-related information of IDS Participants in machine- and human-readable manners. Further details about trust management can be found in ([Chapter 4.1.2.](/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md)). -## Certificate Authorities (CAs) +#### Certificate Authorities (CAs) #### One or multiple CAs issue identity certificates for connector instances by signing Certificate Signing Requests (CSRs) that have been handed in by valid connector instances. They revoke certificates that become invalid and, for higher trust levels, assure that private keys are properly stored in hardware modules (such as a TPM or HSM). They are essential trust building entities responsible for ensuring that only registered organizations may operate components in the IDS. -## Dynamic Attribute Provisioning Service (DAPS) +#### Dynamic Attribute Provisioning Service (DAPS) #### + A DAPS enriches connector identities by issuing up-to-date information in form of signed claims. 
It embeds them into **Dynamic Attribute Tokens (DATs)** which are handed out to requesting IDS Connector instances. The DAPS verifies the current status/validity of Software Manifests and Company Descriptions which contain metadata regarding passed IDS certifications (see [4.1.2](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md#describing-metadata). Simultaneously it delivers dynamic attributes, such as device location or currently supported transport certificates, which may dynamically change over time and are linked to the connector identity based on the DAT. Thus, a Dynamic Attribute Provisioning Service (DAPS) is used to provide dynamic, up-to-date attribute information about Participants and Connectors. Using a service to hand out attributes in a dynamic fashion reduces the need for certificate revocation and enables more flexible attribute handling for participants in the International Data Spaces. This allows dynamic assignment of attributes and status flags to Connector instances. Exemplary use cases are: 
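Review bot: the DAPS paragraph opens a parenthesis that is never closed: "(see [4.1.2](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md#describing-metadata). Simultaneously" needs a ")" after the link. The Identity Provider intro links Chapter 4.1.2 with a repository-absolute path (`/documentation/4_Perspectives...`) while every other link in these files is relative; use the relative form (`../../4_Perspectives...`) so it resolves the same way in rendered docs and in a local checkout. Since only the heading lines are the intended change here, the context lines' wording could be fixed in the same pass: "ressources" (resources) and "responsible for issue and manage technical identity claims" (responsible for issuing and managing technical identity claims).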
@@ -20,33 +22,33 @@ Using a service to hand out attributes in a dynamic fashion reduces the need for This concept avoids revocation of Connector identity certificates in most cases, as it allows to include or change attributes if need arises. The DAPS is used as part of the bootstrapping of trust and is not a connector itself but an external service (such as the PKI services). -## Participant Information Service (ParIS) +#### Participant Information Service (ParIS) #### The ParIS is a vital part of the Identity Provider. It provides business-related information about participants in the IDS that have been checked by the Support Organization. From a System Layer view, the internal architecture components and endpoints of a ParIS are very similar to the ones of an IDS Metadata Broker. Both need to receive, persist, and make IDS Self-Descriptions available for other IDS Connectors to query them. The main difference is the type of Self-Description they manage - Connectors and Resources by the Metadata Brokers and Participants by the ParIS. -### Components +##### Components ##### A ParIS typically consists of the following functional building blocks, which can be implemented using different technology stacks and hosting solutions: -- _Server_ to host the IDS Endpoints. -- _Database_ to persist the RDF Self-Descriptions of the registered IDS Participants. -- _IAM_ for checking the identity claims of clients and to validate their authorization using the IDS DAT. Can be located at the surrounding Identity Provider. -- _Index_ (optional) to increase the speed for read requests. -- _Website_ (optional) for human interactions with the ParIS. +* _Server_ to host the IDS Endpoints. +* _Database_ to persist the RDF Self-Descriptions of the registered IDS Participants. +* _IAM_ for checking the identity claims of clients and to validate their authorization using the IDS DAT. Can be located at the surrounding Identity Provider. 
+* _Index_ (optional) to increase the speed for read requests. +* _Website_ (optional) for human interactions with the ParIS. -### Endpoints +##### Endpoints ##### The interactions with a ParIS can be distinguished into two main categories. The first one is related to the initial provisioning of Participant information during their onboarding in an IDS as well as the according updates through the operators of the general Identity Provider. As this workflow is completely component-internal, proprietary or custom patterns might be used. The necessity for this internal endpoint is due to the required higher trust in the Participant metadata. For instance, an incorrect VAT-ID or jurisdiction has direct and concrete legal consequences, therefore a certain validation workflow at the Identity Provider operator must be enabled. In addition, an IDS compliant endpoint must be exposed for the communications with IDS Connectors. While this endpoint could also - given proper authentication and authorization procedures - serve for the purpose described above, its main concern is the provisioning of querying capabilities and to allow individual Participants to adjust their own Self-Description. -### Search and Querying +##### Search and Querying ##### Each ParIS instance must provide IDS compliant functions to dereference Participant identifiers. A dereferencation function accepts the Participant identifier, an IRI according to the IDS Information Model, and returns the related Self-Description document. In addition, a ParIS may provide further search capabilities, like full-text search, attribute-based or facet search, or even expose expressive query language like SPARQL. In any case, the respective capabilities must be outlined in the Self-Description of the ParIS itself, to make them discoverable for IDS Connectors. 
-### Life Cycle of Participant's Self-Description +##### Life Cycle of Participant's Self-Description ##### Similar to Connector and Resource Self-Descriptions, also Participant Self-Descriptions (SD) pass different lifecycle stages. The initial version is provided by the Participant itself, either directly as an IDS Information Model instance or as a filled form during the onboarding process. This SD is then, after the IDS identity of the new Participant has been created, populated at the according ParIS. @@ -54,6 +56,6 @@ In case mistakes in this SD are noticed or attributes of the Participant change, In case a Participant temporarily or completely leaves an IDS, the according Self-Description can also be made unavailable. An unavailable SD is not exposed to the regular search and query functionalities anymore. Nevertheless, the ParIS should still keep the SD or at least its identifier, to enable potential later reactivations and especially prevent identity hijacking attempts. In such an attack, a newly onboarded Participant could try to use an identifier of another Participant that has left the IDS already, and thereby claim the access and usage permissions of the latter. -### Data Synchronization between ParIS instances +##### Data Synchronization between ParIS instances ##### The core attributes of an IDS Participant, e.g., its identifier, need to be maintained comprehensively between different components. Apart from that, no further synchronization between different ParIS instances are enforced. diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md index e4dfeb31..6bb30833 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md 
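Review bot: in the Search and Querying subsection, "A dereferencation function accepts the Participant identifier" should read "A dereferencing function"; and in the Data Synchronization subsection, "no further synchronization between different ParIS instances are enforced" needs singular agreement ("is enforced"). The heading change to "##### Life Cycle of Participant's Self-Description #####" is fine as a level change, but the subsection itself speaks of "Participant Self-Descriptions", so "Life Cycle of Participant Self-Descriptions" would match the body text.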
@@ -1,6 +1,6 @@ -# IDS Connector +### IDS Connector ### -The International Data Spaces network is constituted by the total of its IDS Connectors. Each IDS Connector allows the exchange of data via the Data Endpoints it exposes. Applying this principle, there is no need for a central instance for data storage. An IDS Connector must be reachable by IDS connectors from other organisations. Due to organizational security policies, this may require changing firewall policies or establishing a demilitarized zone (DMZ). It should be possible to reach an IDS Connector using the standard Internet Protocol (IP), and to operate it in any appropriate environment. A Participant may operate multiple IDS Connectors (e.g., to meet load balancing or data partitioning requirements). IDS Connectors can be operated on-premises or in a cloud environment. +The International Data Spaces network is constituted by the total of its IDS Connectors. Each IDS Connector allows the exchange of data via the Data Endpoints it exposes. Applying this principle, there is no need for a central instance for data storage. An IDS Connector must be reachable by IDS connectors from other organisations. Due to organizational security policies, this may require changing firewall policies or establishing a demilitarized zone (DMZ). It should be possible to reach an IDS Connector using the standard Internet Protocol (IP), and to operate it in any appropriate environment. A Participant may operate multiple IDS Connectors (e.g., to meet load balancing or data partitioning requirements). IDS Connectors can be operated on-premises or in a cloud environment. The IDS Connector Architecture uses application container management technology to ensure an isolated and secure environment for individual IDS Apps and IDS Connector functionalities. An IDS App matches an application which offers an API to store, access, or process data. 
To ensure privacy of sensitive data, its processing should take place as close to the data source as possible. Any data preprocessing (e.g., filtering, anonymization, or analysis) should be performed by the backend services or IDS Apps. Only data intended for being made available to other Participants should be offered by Connectors. 
@@ -8,14 +8,15 @@ IDS Apps are services for realizing business logic inside the IDS Connector. IDS The [IDS App Store](3_5_3_App_Store_and_Data_Apps.md), [Metadata Broker](3_5_4_Broker.md), and [Clearing House](3_5_5_Clearing_House.md) are based on the IDS Connector architecture (which is described in detail in the following section) in order to support secure and trusted data exchange with these services. -## IDS Connector Architecture +#### IDS Connector Architecture #### -The Connector consists of one or more computers/virtual machines, operating systems running on them, an Application Container Management, and the Connector Core Service(s) built on top of it. +The Connector consists of one or more computers/virtual machines, operating systems running on them, an Application Container Management, and the Connector Core Service(s) built on top of it. ![Connector Architecture](media/3.5.2.1_connector_architecture.png) #### _Fig. 3.5.2.1: Connector Architecture_ The individual elements of the deployment are shown in Figure 3.5.2.1 and described below: + - _Application Container Management_: In most cases, the deployment of the Connector Core Service(s) and selected IDS Apps is based on application containers. See Section [3.5.2.3](#special-connectors) for specialized IDS Connectors. IDS Apps are isolated from each other by containers in order to prevent unintended interdependencies. Using Application Container Management, extended control of IDS Apps and containers can be enforced. During development, and in case of systems with limited resources, Application Container Management can be omitted. - A _Certified Core Container_ contains one _Connector Core Service_ which provides components like Data Management, Metadata Management, Contract and Policy Management, IDS App Management, IDS Protocols Authentication, and many more. Detailed explanations to the IDS Connector's functionalities are given in the following Section [3.5.2.2](#ids-connector-functions). 
- An _Certified App Container_ is a certified container downloaded from the App Store, providing a specific IDS App to the IDS Connector. @@ -23,7 +24,7 @@ The individual elements of the deployment are shown in Figure 3.5.2.1 and descri - An _IDS App_ defines a public API, which is invoked from the IDS Connector. This API is formally specified in a meta-description that is imported during the deployment phase of an IDS App. The tasks to be executed by IDS Apps may vary. IDS Apps can be implemented in any programming language and target different runtime environments. Existing components can be reused to simplify a migration from other integration platforms. A detailed description of how to use IDS Apps can be found in Section [3.3.5](../../3_3_Process_Layer/3_3_5_Publishing_and_using_Data_Apps.md), the deployment of IDS Apps is explained in Section [3.5.3](3_5_3_App_Store_and_Data_Apps.md). - The _Runtime_ of a Custom/Certified App/Certified Core Container depends on the selected technology and programming language. The Runtime, along with the application, constitutes the main part of a container. Different containers may use different runtimes. What runtimes are available depends only on the base operating system of the host computer. From the runtimes available, a service architect may select the one deemed most suitable. -## IDS Connector Functionalities +#### IDS Connector Functionalities #### The IDS Connector must include some essential functionality in its _Connector Core Service(s)_. The functionalities can be implemented in individual micro services or as a single comprehensive software block. In addition, the services do not have to be deployed in the same infrastructure. 
@@ -36,10 +37,13 @@ The components are described below: - The _Authentication Service_ holds the necessary information to authenticate the IDS Connector from/to other backend systems and/or authorize the system access from/to the IDS Connector from other IDS participants. For security reasons, a clear separation of the internal and external access credentials is recommended. The _Authentication Service_ provides interfaces for configuration and to connect custom authentication services. In order to authorize incoming and outgoing connections it holds + - the Key/Trust Store for the _IDS Protocol(s)_, - the credentials for the access of the _Data Management_ and _Data Exchange_ to external systems, and - the information for the access control of the _Data Exchange_ and _Data Management_ to the IDS. + This is shown via the solid line inside the IDS Connector. + - The _Data Exchange_ component provides or requires interfaces to exchange data with other IDS Participants (providers/consumers). It can be deployed on another infrastructure than the IDS Protocol(s) component and it is possible to have more then one Data Exchange component to support multiple protocol bindings. The _Data Exchange_ component does not support IDS-specific interfaces nor does it interpret the IDS Information Model. - The _IDS Protocol(s)_ component supports at least one IDS specific interface defined in [IDS-G](https://github.com/International-Data-Spaces-Association/IDS-G) to realize the processes defined in the Section [3.3](../../3_3_Process_Layer). All components interact with the IDS Protocol component as shown by the dashed lines. - The _Remote Attestation_ component is used to increase the trust between the participating components. It can be used to detect whether the software has been modified at the other party's end (see Section [4.1](../../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective) for more information). 
The component is needed for certification level 2 or higher (see Section [4.2.4](../../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md)). @@ -55,7 +59,7 @@ This is shown via the solid line inside the IDS Connector. There may be different types of implementations of an IDS Connector, based on different technologies and depending on what specific functionality is required regarding the purpose of the Connector. IDS Connectors are distinguish according to their certification level defined in Section [4.2](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/), which indicates, among other things, which security and data sovereignty criteria the IDS Connector implements. -## Special Connectors +#### Special Connectors #### What type of IDS Connector is to be implemented may depend on various aspects, such as the execution environment given or the current developmental stage regarding used Data Services or applyed Data Flows. In the following, three exemplary scenarios are outlined: diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md index e9e66ef5..23a01ff6 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md 
@@ -1,15 +1,17 @@ -# App Store and IDS Apps +### App Store and IDS Apps #### An IDS App is an independent, functional, and re-usable software asset that is deployable, executable, and manageable on an IDS Connector. As described in [Section 3.5.2](3_5_2_0_Connector.md) IDS Connectors can make use of IDS Apps for several purposes. Three types of IDS Apps can be distinguished, namely Data App, Adapter App, and Control App, each performing different tasks in the IDS ecosystem. Applications of all types can be downloaded and fully managed by the IDS Connector: + * Data App: Applications of type Data App are re-usable, interchangeable, and connector-independent and perform small processing tasks, e.g., transform, clean, or analyse data. In other words, applications of this type manipulate the available data in some way. To define a data flow, the inputs and outputs of the components involved (Data App and IDS Connector) as well as of the backend system must be joined. To summarize multiple processing steps on the same data, Data Apps can be chained on the same data route. * Adapter App: Applications of type Adapter App are re-usable, interchangeable, and connector-independent and provide access to enterprise information systems, making them available to the underlying Connector. As the Data App type, the data flow of Adapter Apps is defined by joining matching inputs and outputs of the involved components (Adapter App, IDS Connector, and data sink/source or external service). Accordingly, Adapter Apps are used especially when the routing framework is not inherently capable of supporting the endpoints or protocols provided by external services. * Control App: Applications of type Control App allow to control the Connector from external systems and are used to connect backend systems, which may consist of a single or a cluster of applications and services, to an IDS ecoystem. 
Therefore, in contrast to the types introduced before, the Control App works on the administrative control flow and is connector-specific as it requires programming against the respective API of a Connector in a specific version for its implementation. Furthermore, the different IDS App types can be bundled, which allows building a data processing chain with several apps from all types chained together. -To integrate IDS Apps in an IDS ecosystem or to join them with other components as described above, an IDS App can be equipped with various endpoints. The endpoints for exchanging data between apps and between apps and connectors are mainly divided into those that consume data and those that provide data. A distinction is also made between endpoints that communicate exclusively internally and those that communicate with external components: +To integrate IDS Apps in an IDS ecosystem or to join them with other components as described above, an IDS App can be equipped with various endpoints. The endpoints for exchanging data between apps and between apps and connectors are mainly divided into those that consume data and those that provide data. A distinction is also made between endpoints that communicate exclusively internally and those that communicate with external components: + * INPUT: The input endpoint is considered mandatory for all IDS App types that work with data or data streams. The data input endpoint describes an interface through which data can be transported to an app within the connector's environment. * INPUT EXTERNAL: The input external endpoint serves as an interface to connect to external data sources or data streams outside the actual connector environment. This endpoint is particularly relevant for IDS Apps of type Adapter App. * OUTPUT: The output endpoint is also considered mandatory for IDS App types that transmit data or data streams to other apps or connectors. 
The output endpoint describes an interface through which data can be consumed within the connector environment by apps or the connector itself. diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_4_Metadata_Broker.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_4_Metadata_Broker.md index a955eda9..78d14687 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_4_Metadata_Broker.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_4_Metadata_Broker.md @@ -1,4 +1,4 @@ -# Metadata Broker +### Metadata Broker ### The IDS Metadata Broker consists of an IDS Connector (see Section [3.5.2.0](./3_5_2_0_Connector.md)), an endpoint for the registration, publication, maintenance, and query of Self-Descriptions. Therefore, for any interaction with the IDS Metadata Broker, the processes defined on the Process Layer, the descriptions defined on the Information Layer, and descriptions defined on the System Layer can be applied. The Information Layer describes the message types for registration and query. An IDS Metadata Broker may provide additional services that in term must be described by using terms from the IDS Information Model in the respective Metadata Broker's Self-Description document. 
@@ -12,27 +12,25 @@ Furthermore, a Metadata Broker implementation might add indexing or caching modu Additionally, most use cases for Metadata Brokers require a human-oriented interface to the Self-Descriptions. A website with fulltext and facet search capabilities is therefore usually provided. The website might further provide the creation and management of the locally stored Self-Descriptions. However, as the registration and updating process at the Metadata Broker is centered around Connectors, the authority of the human website user and the asset-hosting Connector must be ensured. -## Endpoints +#### Endpoints #### Metadata Brokers must provide remote endpoints to their own Self-Description (read-only) as well as to the locally persisted Self-Description graph (read/write for the hosting Connectors, read-only for the others). The server hosting these endpoints translates incoming requests, performs the necessary IDS identity and validity checks, and translates them into operations to the database. A Metadata Broker might support endpoints for different IDS protocol bindings. In any case, the content of the responses are protocol-independent. That means a successful read operation using one binding must also be successful through any other if targeting the same Self-Description. A Metadata Broker may however discriminate based on the identity of the requester, providing responses to one Connector while rejecting another due to IDS Usage Control configurations. - -## Search and Querying +#### Search and Querying #### The main purpose of a Metadata Broker is the provisioning of remote search functionalities. This can be done in a resource-oriented manner if the identifiers of the targeted Self-Descriptions are already known in advance. Alternatively, full-text or complex queries might be used. A complex query in this sense is any query that combines filters, aggregations or traverses the Self-Description graph to search for information. 
Which query language is supported by which Metadata Broker instance is outlined in its own Self-Description. The IDS Information Model provides the scheme for the searches. The knowledge of the Information Model can be used by querying Connectors to formulate their inquiries. Metadata Brokers may also provide additional templates or preformulated queries to support the Connectors. - -## Self-Description Life Cycle +#### Self-Description Life Cycle #### Self-Descriptions go through a life cycle. Created Self-Descriptions are in the `active` state as long as they are not put to `unavailable` by its sovereign. It's important to note that the later state is different to a deletion. It is important to track the usage of Self-Descriptions, in particular their unique identifier, to avoid name clashes or false flag attacks. A Connector therefore can ask to not publicly provide a Self-Description anymore by setting it to `unavailable` but it cannot force the Metadata Broker or any other Connector to completely delete the information from its internal databases. A Self-Description can be made `active` at any time again by the respective Connector. In addition, it can overwrite already active Self-Descriptions with a new one. The update of a previously `unavailable` Self-Description however will set it back to `active` automatically. Furthermore, new Self-Descriptions must not use the identifier of already existing ones. -## Data Synchronization +#### Data Synchronization #### The Metadata Broker is an optional component in a data space. That of course means that there can be data spaces that completely operate without any Metadata Broker. There can be however also data spaces where several Metadata Broker instances are provided. In such use cases, the synchronization between these instances becomes a topic, in particular to avoid redundant or conflicting information. 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_5_Clearing_House.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_5_Clearing_House.md index edf066a8..166449b9 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_5_Clearing_House.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_5_Clearing_House.md @@ -1,4 +1,5 @@ -# Clearing House +### Clearing House ### + The IDS Clearing House consists of an IDS Connector (see section 3.5.1) and bases all its functions on a logging service that records information relevant for clearing and billing as well as usage control. The information sent to the Clearing House is defined in the Process Layer. ![Clearing House Architecture](media/clearing_house_architecture.png) diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_6_Vocabulary_Hub.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_6_Vocabulary_Hub.md index e8e6dce2..781a789b 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_6_Vocabulary_Hub.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_6_Vocabulary_Hub.md @@ -1,4 +1,4 @@ -# Vocabulary Hub +### Vocabulary Hub ### The interoperability requirements in the IDS directly lead to the usage of commonly known, standardized terms to describe data, services, contracts, and so on. Collection of these standardized identifiers form so-called vocabularies. In the most basic appearance, any list of controlled terms can be a vocabulary. To make use of their content, the respective vocabulary documents need to be shared between the relevant parties. This can be done through digital catalogs but also in printed forms like for instance a language dictionary. 
@@ -8,16 +8,14 @@ Nevertheless, the IDS Information Model only represents the lowest common denomi To do so, a certain service is needed to provide a platform to host, maintain, publish, and document the additional vocabularies. This service is the IDS Vocabulary Hub. It provides IDS-conform endpoints to enable the seamless communication with IDS Connectors and infrastructure components. Vocabulary Hubs give access to the defined terms and their descriptions, present changes and outline the different versions. They act as the management platforms for data schemes that can be used in IDS use cases. - -## Maintaining vocabularies +#### Maintaining vocabularies #### IDS Vocabulary Hubs give the developer of domain-specific vocabularies the tools and functions to create, improve, and publish their terms. While it is expected that these vocabularies follow the RDF pattern, further requirements like the Linked Data concepts or even formal ontologies are not enforced. The experts can use the Vocabulary Hub to collaboratively work on their definitions, document or visualize them, and at some point publish them to a data space. They may also import existing, third-party vocabularies into the Vocabulary Hub and thereby making them usable by Connectors. The Vocabulary Hub then provides access to the whole vocabulary, parts of it, or directly to individual terms. - -## Runtime Lookups +#### Runtime Lookups #### As soon as a vocabulary is settled, Connectors might use it to increase the information content of their asset's Self-Descriptions. In the IDS world, this happens by introducing new attributes or values with previously unknown URIs/IRIs. Connectors that read those Self-Descriptions face the challenge of not knowing their semantic meaning at first. They can now lookup (or 'dereference') the attribute's identifier at the Vocabulary Hub. The Vocabulary Hub responds with small RDF document explaining the attribute. 
This usually includes the type or class of the entity, its label in different languages, and a short description, also possibly in several languages. The Connector can integrate these explanations into its workflows and thereby present the newly discovered meaning to its users. -There are also further processes possible. For instance, it is a common practice to organize digital vocabularies in namespaces, where each namespace contains a terms for a specific purpose. The IDS Information Model for instance uses the namespaces `ids` (http://w3id.org/idsa/core/) and `idsc` (http://w3id.org/idsa/code/). A Connector can also ask for a complete vocabulary defined by a previously unknown namespace. In that case, the Vocabulary Hub will return the complete vocabulary document including all terms and their relations among each other. While this document has in general a bigger size, it can be stored or cached at the Connector and thereby reduce the number of overall required interactions - presenting a more effective way for the Connector. +There are also further processes possible. For instance, it is a common practice to organize digital vocabularies in namespaces, where each namespace contains a terms for a specific purpose. The IDS Information Model for instance uses the namespaces `ids` [http://w3id.org/idsa/core/](http://w3id.org/idsa/core/) and `idsc` [http://w3id.org/idsa/code/](http://w3id.org/idsa/code/). A Connector can also ask for a complete vocabulary defined by a previously unknown namespace. In that case, the Vocabulary Hub will return the complete vocabulary document including all terms and their relations among each other. While this document has in general a bigger size, it can be stored or cached at the Connector and thereby reduce the number of overall required interactions - presenting a more effective way for the Connector. 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/README.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/README.md index 7413cb0a..a3cad3f7 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/README.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/README.md 
@@ -1,11 +1,61 @@ -# System Layer - -- [Introduction](3_5_0_System_Layer.md) -- [Identity Provider](3_5_1_Identity_Provider.md) - - [ParIS](3_5_1_2_ParIS.md) -- [Connector](3_5_2_0_Connector.md) - - [Special Connectors](3_5_2_1_Special_Connectors.md) -- [App Store and Data Apps](3_5_3_App_Store_and_Data_Apps.md) -- [Metadata Broker](3_5_4_Metadata_Broker.md) -- [Clearing House](3_5_5_Clearing_House.md) -- [Vocabulary Hub](3_5_6_Vocabulary_Hub.md) +# System Layer # + +## Table of Content ## + +[3.5 System Layer](./3_5_0_System_Layer.md#system-layer) + +[3.5.1 Identity Provider](3_5_1_Identity_Provider.md#identity-provider) + +[3.5.1.1 Certificate Authorities (CAs)](./3_5_1_Identity_Provider.md#certificate-authorities-cas) + +[3.5.1.2 Dynamic Attribute Provisioning Service (DAPS)](./3_5_1_Identity_Provider.md#dynamic-attribute-provisioning-service-daps) + +[3.5.1.3 Participant Information Service (ParIS)](./3_5_1_Identity_Provider.md#participant-information-service-paris) + +[3.5.1.3.1 Components](./3_5_1_Identity_Provider.md#components) + +[3.5.1.3.2 Endpoints](./3_5_1_Identity_Provider.md#endpoints) + +[3.5.1.3.3 Search and Querying](./3_5_1_Identity_Provider.md#search-and-querying) + +[3.5.1.3.4 Life Cycle of Participant's Self-Description](./3_5_1_Identity_Provider.md#life-cycle-of-participants-self-description) + +[3.5.1.3.5 Data Synchronization between ParIS instances](./3_5_1_Identity_Provider.md#data-synchronization-between-paris-instances) + +[3.5.2 Connector](./3_5_2_IDS_Connector.md#ids-connector) + +[3.5.2.1 IDS Connector Architecture](./3_5_2_IDS_Connector.md#ids-connector-architecture) + +[3.5.2.2 IDS Connector Functionalities](./3_5_2_IDS_Connector.md#ids-connector-functionalities) + +[3.5.2.3 Special Connectors](./3_5_2_IDS_Connector.md#special-connectors) + +[3.5.3 App Store and IDS Apps](./3_5_3_App_Store_and_Data_Apps.md#app-store-and-ids-apps) + +[3.5.4 Metadata Broker](./3_5_4_Metadata_Broker.md#metadata-broker) + +[3.5.4.1 
Endpoints](./3_5_4_Metadata_Broker.md#endpoints) + +[3.5.4.2 Search and Querying](./3_5_4_Metadata_Broker.md#search-and-querying) + +[3.5.4.3 Self-Description Life Cycle](./3_5_4_Metadata_Broker.md#self-description-life-cycle) + +[3.5.4.4 Data Synchronization](./3_5_4_Metadata_Broker.md#data-synchronization) + +[3.5.5 Clearing House](./3_5_5_Clearing_House.md#clearing-house) + +[3.5.6 Vocabulary Hub](./3_5_6_Vocabulary_Hub.md#vocabulary-hub) + +[3.5.6.1 Maintaining vocabularies](./3_5_6_Vocabulary_Hub.md#maintaining-vocabularies) + +[3.5.6.1 Runtime Lookups](./3_5_6_Vocabulary_Hub.md#runtime-lookups) + +## Files ## + +- [3_5_0_System_Layer.md](./3_5_0_System_Layer.md) +- [3_5_1_Identity_Provider.md](./3_5_1_Identity_Provider.md) +- [3_5_2_IDS_Connector.md](./3_5_2_IDS_Connector.md) +- [3_5_3_App_Store_and_Data_Apps.md](./3_5_3_App_Store_and_Data_Apps.md) +- [3_5_4_Metadata_Broker.md](./3_5_4_Metadata_Broker.md) +- [3_5_5_Clearing_House.md](./3_5_5_Clearing_House.md) +- [3_5_6_Vocabulary_Hub.md](./3_5_6_Vocabulary_Hub.md) \ No newline at end of file From bbfcc834057ec50193d8e7a98c8c6a6120bb39dc Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Thu, 13 Oct 2022 15:52:21 +0200 Subject: [PATCH 13/22] ediotrial update --- .../README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/README.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/README.md index 12a353ee..d49e2d59 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/README.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/README.md 
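Review bot: in the 3_5_1_Identity_Provider.md hunk that re-levels "Search and Querying", the context line right under the heading still reads "A dereferencation function accepts the Participant identifier"; since this is an editorial pass, change it to "A dereferencing function" in the same commit rather than leaving a typo next to a freshly touched heading.

Review bot: in the 3_5_1_Identity_Provider.md "Data Synchronization between ParIS instances" hunk, the context sentence "no further synchronization between different ParIS instances are enforced" has a number disagreement; it should read "is enforced" (the subject is "synchronization").

Review bot: in the first 3_5_2_IDS_Connector.md hunk (@@ -1,6 +1,6 @@) the replaced paragraph is visibly identical to the removed one, so the change is whitespace-only; that is fine for an editorial commit, but say so in the commit message ("strip trailing whitespace"), otherwise every reviewer diffs the two long sentences word by word looking for the edit.

Review bot: in the 3_5_2_IDS_Connector.md "IDS Connector Architecture" hunk (@@ -8,14 +8,15 @@) the context line for the Certified Core Container links to `[3.5.2.2](#ids-connector-functions)`, but the heading being renamed in this same patch is `#### IDS Connector Functionalities ####`, whose slug is `#ids-connector-functionalities` (the README hunk in this patch links to exactly that slug). Fix the in-file anchor to `#ids-connector-functionalities`; the sibling `[3.5.2.3](#special-connectors)` anchor is consistent with its heading. While there, the next context line starts "An _Certified App Container_", which should be "A _Certified App Container_".

Review bot: in the 3_5_2_IDS_Connector.md "Authentication Service" hunk (@@ -36,10 +37,13 @@) the relative links in the context lines disagree on directory depth: `[4.1](../../../4_Perspectives_of_the_Reference_Architecture_Model/...)` and `[4.2.4](../../../4_Perspectives_...)` climb three levels, whereas the Special Connectors hunk below links `[4.2](../../4_Perspectives_...)` with two, and the Architecture hunk links `[3.3](../../3_3_Process_Layer)` with two. For a file at `documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/`, `../../` reaches `documentation/` (correct for the Perspectives chapter) while `../../../` leaves `documentation/` altogether, and a sibling layer is one level up (`../`), not two. Also note that the README added in PATCH 13 of this series numbers the Process Layer as 3.4 under `3_4_Process_Layer/`, so `3_3_Process_Layer` looks stale as well. Please normalize these links in this pass; a link checker over the documentation tree would catch all of them at once.

Review bot: in the 3_5_2_IDS_Connector.md "Special Connectors" hunk (@@ -55,7 +59,7 @@) the context lines around the re-levelled heading carry "IDS Connectors are distinguish according to" (should be "are distinguished") and "applyed Data Flows" (should be "applied"); fix them here since the heading line is already being rewritten.

Review bot: in the 3_5_3_App_Store_and_Data_Apps.md hunk the new heading `### App Store and IDS Apps ####` has three opening and four closing hashes; every other heading in this patch balances them (`### IDS Connector ###`), so make it `### App Store and IDS Apps ###`. The context line below it links `[Section 3.5.2](3_5_2_0_Connector.md)`, but the README hunk in this same patch drops `3_5_2_0_Connector.md` from the file list in favour of `3_5_2_IDS_Connector.md` (the path this patch itself edits), so that link will dangle; point it at `3_5_2_IDS_Connector.md`. "ecoystem" in the Control App bullet should be "ecosystem".

Review bot: in the first 3_5_4_Metadata_Broker.md hunk (@@ -1,4 +1,4 @@) the context line links `[3.5.2.0](./3_5_2_0_Connector.md)`, the same file the README hunk of this patch removes from the index; retarget it to `./3_5_2_IDS_Connector.md` and renumber the reference to 3.5.2 to match the new TOC. Same line: "that in term must be described" should be "in turn".

Review bot: in the second 3_5_4_Metadata_Broker.md hunk (@@ -12,27 +12,25 @@) the Self-Description Life Cycle paragraph says "the later state is different to a deletion"; it means "the latter state" (the `unavailable` one). Since this paragraph carries the security rationale for keeping identifiers of unavailable Self-Descriptions (avoiding name clashes and false-flag attacks), the wording is worth getting right while the heading above it is being touched.

Review bot: in the 3_5_5_Clearing_House.md hunk the context line reads "consists of an IDS Connector (see section 3.5.1)", but the README hunk in this same patch numbers the Identity Provider as 3.5.1 and the Connector as 3.5.2; the reference should be "Section 3.5.2" and, for consistency with the other files, a markdown link to `./3_5_2_IDS_Connector.md`.

Review bot: in the 3_5_6_Vocabulary_Hub.md "Runtime Lookups" hunk (@@ -8,16 +8,14 @@) the rewritten `+` line still contains "each namespace contains a terms for a specific purpose"; since the line is being replaced anyway (to turn the namespace URLs into links), drop the stray article: "contains terms for a specific purpose". The preceding context line "responds with small RDF document" should read "with a small RDF document".

Review bot: in the 3_5_System_Layer/README.md hunk the Table of Content assigns 3.5.6.1 to both "Maintaining vocabularies" and "Runtime Lookups"; the second entry should be 3.5.6.2. The TOC label "3.5.2 Connector" also differs from the heading it links to (`### IDS Connector ###`); use the heading text so readers and the in-page anchor agree. Finally, the file still ends with `\ No newline at end of file`; add the trailing newline so the next edit to this README does not show a spurious change on its last line.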
@@ -3,6 +3,16 @@ ## Table of Content ## [3 Layers of the Reference Architecture Model](./3_Layers.md) + +[3.1 Business Layer](./3_1_Business_Layer/README.md) + +[3.2 Functional Layer](./3_2_Functional_Layer/README.md) + +[3.3 Information Layer](./3_3_Information_Layer/README.md) + +[3.4 Process Layer](./3_4_Process_Layer/README.md) + +[3.5 System Layer](./3_5_System_Layer/README.md) ## Files ## - [3_Layers.md](./3_Layers.md) \ No newline at end of file From 4e93e8bdbcbe5d7801056e1ff86c5420d1871063 Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Thu, 13 Oct 2022 18:38:21 +0200 Subject: [PATCH 14/22] editorial update Adding Fronst Matter License CC-BY 4.0 Update Authors, Contributors, Maintainers --- README.md | 78 ++++----- content.md | 273 -------------------------------- documentation/FrontMatter.md | 152 ++++++++++++++++++ documentation/README.md | 15 +- maintainers_and_contributors.md | 32 ---- 5 files changed, 192 insertions(+), 358 deletions(-) delete mode 100644 content.md create mode 100644 documentation/FrontMatter.md delete mode 100644 maintainers_and_contributors.md diff --git a/README.md b/README.md index ef323a82..27a4eeb2 100644 --- a/README.md +++ b/README.md 
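Review bot: in the 3_Layers_of_the_Reference_Architecture_Model/README.md hunk (@@ -3,6 +3,16 @@) the five new layer entries are consistent with the per-layer READMEs added in this series (3.3 Information Layer, 3.4 Process Layer), but the unchanged tail of the file still carries `\ No newline at end of file` after the Files list; add the trailing newline while the file is open.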
@@ -1,24 +1,15 @@ -# IDS RAM 4.0 (Public preview) +# IDS RAM 4.0 # -Welcome to the IDS RAM 4.0 repository of the [IDSA](../../../idsa). This repository is the working -version of the IDS RAM 4.0. It was initialized with [IDS RAM 3.0](https://internationaldataspaces.org/download/16630/). +Welcome to the IDS RAM 4.0 repository of the [IDSA](../../../idsa). -Most relevant content is already added to this repository, but some aspects are still in progress. You can today: -- Read the [current version in Markdown](https://github.com/International-Data-Spaces-Association/IDS-RAM_4_0/tree/main/documentation) -- Raise an [issue](https://github.com/International-Data-Spaces-Association/IDS-RAM_4_0/issues) on existing content or new content -- Check the open [pull requests](https://github.com/International-Data-Spaces-Association/IDS-RAM_4_0/pulls) - - - -_Please note that this is not yet the official and approved version of the IDS RAM 4.0._ - -## Overview +## Overview ## Please consider the following information: + - [Code of Conduct](./CODE_OF_CONDUCT.md), - [How to Contribute](./CONTRIBUTING.md), - [License](./LICENSE.md), -- [Changelog](./CHANGELOG.md), +- [Changelog](./CHANGELOG.md), and check the open [issues](https://github.com/International-Data-Spaces-Association/IDS-RAM_4_0/issues) and [pull requests](https://github.com/International-Data-Spaces-Association/IDS-RAM_4_0/pulls). 
@@ -26,44 +17,37 @@ and [pull requests](https://github.com/International-Data-Spaces-Association/IDS The [IDS-G](https://github.com/International-Data-Spaces-Association/IDS-G) provides additional information to the IDS RAM. -## Schedule -The IDS RAM 4.0 should be released end of April 2022. - -Regular touchpoints will be conducted starting from October 25th 2021: -- Mondays 4 pm to 4:30 pm (weekly) - - -## Scope +## Scope ## The IDS RAM is complemented with additional documents and repositories. Most relevant in this -context is the IDS-G (including IDS-G-pre). +context is the [IDS-G](https://github.com/International-Data-Spaces-Association/IDS-G). + In general, the IDS RAM contains the conceptual level including technology-agnostic specifications. The general outline of the IDS RAM is based on the five layers and the three perspectives. Each layer should reflect the main components and aspects of the IDS. The IDS-G contains specific details on specifications, e.g. APIs and their descriptions. -The IDS RAM 4.0 will be created as an online document and does not target a printed document, at first. -This enables the use of linking contents more easily, e.g. creating references to the IDS-G. -After that, a printable White Paper of the IDS RAM should be generated from this repository. -There, the main outline of the concepts shall be described. - -## Structure - -The [content](./content.md) describes the target structure of the document. -The following list provides direct links to the existing chapters. 
- -### Sections of the RAM -// TODO to be completed -- [Section 1: Introduction](./documentation/1_Introduction/) -- [Section 2: Context of IDS](./documentation/2_Context_of_the_International_Data_Spaces/) -- [Section 3: Layers of the RAM ](./documentation/3_Layers_of_the_Reference_Architecture_Model/) - - [Section 3.1: Business Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/) - - [Section 3.2: Functional Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/) - - [Section 3.3: Process Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/) - - [Section 3.4: Information Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/) - - [Section 3.5: System Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/) -- [Section 4: Perspectives of the RAM](./documentation/4_Perspectives_of_the_Reference_Architecture_Model/) - - [Section 4.1: Security Perspective](./documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/) - - [Section 4.2: Certification Perspective](./documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/) - - [Section 4.3: Governance Perspective](./documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Government_Perspective/) +## Structure ## + +- [Front Matter](./documentation/FrontMatter.md) +- [Section 1: Introduction](./documentation/1_Introduction/README.md) +- [Section 2: Context of IDS](./documentation/2_Context_of_the_International_Data_Spaces/README.md) +- [Section 3: Layers of the RAM](./documentation/3_Layers_of_the_Reference_Architecture_Model/README.md) + - [Section 3.1: Business Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/README.md) + - [Section 3.2: Functional 
Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/README.md) + - [Section 3.3: Information Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/README.md) + - [Section 3.4: Process Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/README.md) + - [Section 3.5: System Layer](./documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/README.md) +- [Section 4: Perspectives of the RAM](./documentation/4_Perspectives_of_the_Reference_Architecture_Model/README.md) + - [Section 4.1: Security Perspective](./documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md) + - [Section 4.2: Certification Perspective](./documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/README.md) + - [Section 4.3: Governance Perspective](./documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/README.md) + +**Appendix** + +- [Glossary](https://github.com/International-Data-Spaces-Association/IDS-G/tree/main/Glossary) + +## Previous Versions ## + +- [IDS RAM 3.0](https://internationaldataspaces.org/download/16630/) \ No newline at end of file diff --git a/content.md b/content.md deleted file mode 100644 index 0efda053..00000000 --- a/content.md +++ /dev/null 
@@ -1,273 +0,0 @@ -# Table of content IDS-RAM - - -## 1 Introduction - -1.1 Goals of the International Data Space - -1.2 Purpose and Structure of the Document - - -## 2 Context of the International Data Space - -2.1 Data in the Smart Service Welt - -2.2 Data Sovereignty as a Key Capability - -2.3 Data as an Economic Good - -2.4 Data Exchange and Data Sharing - -2.5 Industrial Cloud Platforms - -2.6 Big Data and Artificial Intelligence - -2.7 The Internet of Things and the Industrial Internet of Things - -2.8 Blockchain - -2.9 Towards legal interoperability: federated frameworks for data sharing agreements and terms-of-use - -2.10 General Data Protection Regulation - -2.11 Contribution of the International Data Space to Industry 4.0 and the Data Economy - - -## 3 Layers of the Reference Architecture Model - -### 3.1 Business Layer - - -3.1.1 Roles in the International Data Space - > Definition of each role - > each component should be introduced here - -3.1.2 Interaction of Roles -> verify this general interaction scheme - -3.1.3 Digital Identities - -3.1.3 Usage Contracts - -### 3.2 Functional Layer - -3.2.1 Trust - -3.2.2 Security - -3.2.3 Ecosystem of Data - -3.2.4 Standard Connectivity - -3.2.5 Value Adding Apps - -3.2.6 Data Markets - -### 3.3 Process Layer - -> We should consider to describe here the interactions for each component - -3.3.1 Onboarding - -3.3.2 Exchanging Data - -3.3.3 Publishing and Using Data Apps - -> Definition of interactions between Connectors, Meta Data Broker, Clearing House, App Store, Vocabulary Provider, Identity Provider - - -### 3.4 Information Layer - -3.4.1 Scope - -3.4.2 Model Representations - -3.4.3 Overview - -3.4.4 Content - -3.4.5 Context - -3.4.6 Concept - -3.4.7 Communication - -3.4.8 Commodity - -3.4.9 Connector - -3.4.10 Certification - -3.4.12 Contract - -3.4.13 Summary - -*3.4.14 Vocabularies* - -> Vocabularies and vocabulary provider have to be more detailed - -3.4.15 App Interfaces - - -### 3.5 System Layer - -> 
Each component described in one subsection, Connector, Meta Data Broker, App Store, Clearing House, Vocabulary Provider - -3.5.1 Connector Architecture - -3.5.1.2 Configuration Model -> let's discuss if we need this - -3.5.1.3 Special Connector Implementations -> let's discuss if we need this - -3.5.4 Meta Data Broker - -3.5.5 Data Apps and App Store - -3.5.6 Clearing House - -3.5.7 Vocabulary Provider - -3.5.8 Identity Provider - -3.5.8.1 CA (unsure?) - -3.5.8.2 DAPS - -3.5.8.3 ParIS - - - - -## 4 Perspectives of the Reference Architecture Model - -### 4.1 Security Perspective - -4.1.1 Security Aspects on the Different Architectural Layers - -4.1.2 General Security Principles - -4.1.3 Key Security Concepts - - 4.1.3.1 Secure Communication - - 4.1.3.2 Identity Management - - > General outline: - > Need for mapping between operational environment/component certification to identies (relation to Conformity assessment and IDS Certification) - > requirements for identities including 2 options centralized (PKI) vs decentralized (DID) - > describing on different levels: Organizations, Connectors /Execution environments and individuals - > and - > claim management, including 2 options DAPS and Verifiable Credentials - > and - > need for interoperability between the approaches - - Mapping of Participant Certification and Connector Certification to Identity Management - - Proposed PKI Structure - - Connector Certificate Deployment - - Using the Dynamic Attribute Provisioning Service (DAPS) for Identity Management - - Using an Authorization Service for Resource Access Control - - Trust Management - - PKI Rollout - - Identity Provider - - Software Provider - - Connector - - App Store - - App Provider - - Certification Body - - Connector Manifestations - - Configuration - - CA Certificates - - Apps - - App Development and Deployment - - Delivery of Connectors - - Connector Security Profiles - - 4.1.3.3 Trusted Platform - - Isolation and Remote Execution Guarantee - - Remote 
Integrity Verification - - NEW: Distributed deployments e.g. K8N - - Dynamic Trust Monitoring - > does this section fit here? - - -4.1.5 Data Access Control and Data Usage Control - - 4.1.7 Usage Control building blocks in the International Dataspace - - 4.1.8 Involved Roles in the Usage Control Process - - 4.1.9 Data Provenance Tracking - - 4.1.10 Data Provenance on the Different Architectural Layers - -### 4.2 Certification Perspective - -4.2.1 Certification Aspects on the different Architectural Layers - -4.2.2 Roles in the Certification Process - -4.2.3 Core Component Certification - -4.2.4 IDS Certification Process - - -### 4.3 Governance Perspective - -4.3.1 NEW: Governance for Data Space Instances (Federations) and Federation of Data Spaces (Federation of Federations) - > Links to implications that arise out of this in the different sections/layers/perspectives should be added here - -NEW 4.3.1 IDS Governance aspects of the IDSA Rule Book - -4.3.1 Data Governance Aspects - - Key roles and Correlating Data Governance and Management Activities - - IDS Data Governance Model - -4.3.2 Data as an Economic Good - - -4.3.3 Data Ownership - - -4.3.4 Data Sovereignty - -4.3.5 Data Quality - -4.3.6 Data Provenance - -4.3.7 NEW: Data Privacy - > Is this really and only a Governance aspect, it also has security concerns? - > let's outline the need from a governance aspect and then show the implications to the technical sections - > before including the security perspective. Add it also in the context to make clear what ids covers and what not. - > - > maybe this should be part of data sovereignty or data ownership? - - -### Appendix A: Glossary -> Glossary should be linked to IDS-G Glossary diff --git a/documentation/FrontMatter.md b/documentation/FrontMatter.md new file mode 100644 index 00000000..1bf34df3 --- /dev/null +++ b/documentation/FrontMatter.md 
@@ -0,0 +1,152 @@ +# IDS Reference Architecture Model # +# Version 4.0 # + + +## Publisher ## + +International Data Spaces Association + +Anna-Louisa-Karsch-Str. 2 + +10178 Berlin + +Germany + +### Editor ### + +Sebastian Steinbuss, + +International Data Spaces Association + +## Copyright ## + +International Data Spaces Association, + +Dortmund, Germany, 2022 + +![Creative Commons License](https://i.creativecommons.org/l/by/4.0/88x31.png) + +This work is licensed under a [Creative Commons Attribution 4.0 International License](http://creativecommons.org/licenses/by/4.0/). + + +## Authors and Contributors ## + +* Prof. Dr.-Ing. Boris Otto, Fraunhofer ISST +* Sebastian Steinbuß, International Data Spaces Association +* Andreas Teuscher, SICK +* Sebastian Bader, Fraunhofer IESE + +
+ +* Prof. Dr. Sören Auer, L3S Research Center +* Sebastian Bader, Fraunhofer IAIS +* Harrie Bastiaansen, TNO +* Hannes Bauer, orbiter +* Tim Berthold, sovity +* Pascal Birnstil, Fraunhofer IOSB +* Martin Böhmer, Fraunhofer IML +* Dr. Jürgen Bohn, Schaeffler +* Gernot Böge, FIWARE Foundation +* Robin Brandsätter, Fraunhofer IESE +* Gerd Brost, Fraunhofer AISEC +* Juan Ceballos, Deutsche Telekom +* Dr.-Ing. Jan Cirullies, Fraunhofer ISST +* Constantin Ciureanu, T-Systems +* Eva Corsi, Boehringer Ingelheim +* Simon Dalmolen, TNO +* Søren Danielsen, GateHouse Logistics +* AlexanderDuisberg, Bird \& Bird +* Andreas Eitel, Fraunhofer IESE +* Thilo Ernst, Fraunhofer FOKUS +* Kim Fidomski, Fraunhofer FIT +* Fabiana Fournier, IBM +* Marquart Franz, Siemens AG +* Mark Gall, Fraunhofer AISEC +* Dr. Sandra Geisler, Fraunhofer FIT +* Joshua Gelhaar, Fraunhofer ISST +* Roland Gude, Fraunhofer IAIS +* Dr.-Ing. Christian Haas, Fraunhofer IOSB +* Jürgen Heiles, Siemens +* Burkhard Heisen, cybus +* Juanjo Hierro, FIWARE +* Joachim Hoernle, ATOS +* Arghavan Hosseinzadeh, Fraunhofer IESE +* Manuel Huber, Fraunhofer AISEC +* Monika Huber, Fraunhofr AISEC +* Sonia Jimenez, International Data Spaces Association +* Christian Jung, Fraunhofer IESE +* Prof. Dr. Jan Jürjens, Fraunhofer ISST +* Dr. Anna Kasprzik, L3S Research Center +* Dr. Markus Ketterl, msg systems +* Judith Koetzsch, Rittal +* Jacob Köhler, Deloitte +* Dr. Christoph Lange, Fraunhofer IAIS +* Dorothea Langer, Deloitte +* Jörg Langkau, nicos +* Dominik Lis, Fraunhofer ISST +* Sven Löffler, T-Systems +* Dr.-Ing. Steffen Lohmann, Fraunhofer IAIS +* Dr. Ulrich Löwen, Siemens +* Dr. Christian Mader, Fraunhofer IAIS +* Bernhard Müller, SICK +* Nadja Menz, Fraunhofer FOKUS +* Christoph Mertens, International Data Spaces Association +* Andreas Müller, Schaeffler +* Lars Nagel, International Data Spaces Association +* Dr. 
Ralf Nagel, Fraunhofer ISST +* Harri Nieminen, Fastems +* Thomas Reitelbach, Bosch +* Aleksei Resetko, PricewaterhouseCoopers +* Daniel Pakkala, VTT Technical Research Centre of Finland +* Julia Pampus, Fraunhofer ISST +* Florian Patzer, Fraunhofer IOSB +* Heinrich Pettenpohl, Fraunhofer ISST +* René Pietzsch, eccenca +* Jaroslav Pullmann, Fraunhofer FIT +* Matthijs Punter, TNO +* Dr. Christoph Quix, Fraunhofer FIT +* Aleksei Resetko, PwC +* Dr. Dominik Rohrmus, Siemens +* Lena Romer, Boehringer Ingelheim +* Mike de Roode, TNO +* Jörg Sandlöhken, REWE Systems +* Patrick Schöwe, agma data +* Daniel Schulz, Fraunhofer IAIS +* Dr. Julian Schütte, Fraunhofer AISEC +* Dr. Karsten Schweichhart, Deutsche Telekom +* Stefan Schwichtenberg, Pi-Lar +* Natalia Simon, International Data Spaces Association +* Inna Skarbowski, IBM +* Prof. Egbert-Jan Sol, TNO +* Peter Sorowka, Cybus +* Prof. Dr.-Ing. Gernot Spiegelberg, Siemens +* Markus Spiekermann, Fraunhofer ISST +* Christian Spohn, ATOS +* Gerrit Stöhr, GESIS +* Erwin Tanger, ATOS +* Dr. Michael Theß, Signal Cruncher +* Rizkallah Touma, I2CAT +* Dr. Sebastian Tramp, eccenca +* Anil Turkmayali, International Data Spaces Association +* Dr. Mona Wappler, thyssenkrupp +* Ann-Christin Weiergräber, Uniklinik RWTH Aachen +* Dr. Sven Wenzel, Fraunhofer ISST +* Aram Wiencke, GEC +* Jonas Winkel, PwC +* Oliver Wolff, Advaneo +* Heike Wörner, DB Schenker + +## Maintainers ## + +| Section | Maintainers| +| --- | --- | +| [1. Introduction](./1_Introduction/README.md) | Sebastian Steinbuss | +| [2. Context of the International Data Spaces](./2_Context_of_the_International_Data_Spaces/README.md) | Sebastian Steinbuss | +| [3.1. Business Layer](./3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/README.md) | Sebastian Steinbuss | +| [3.2. Functional Layer](./3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/README.md) | Sebastian Steinbuss | +| [3.3. 
Information Layer](./3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/README.md) | Christoph Lange-Bever | +| [3.4. Process Layer](./3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/README.md) | Heinrich Pettenpohl, Sebastian Bader | +| [3.5. System Layer](./3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/README.md) | Heinrich Pettenpohl, Sebastian Bader | +| [4.1 Security Perspective](./4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md) | Gerd Brost, Monika Huber, Jörg Langkau, Robin Brandstätter +| [4.2 Certification Perspective](./4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/README.md) | Monika Huber, Andreas Teuscher, Sebastian Steinbuss| +| [4.3 Governance Perspective](./4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/README.md)| Sebastian Steinbuss, Andreas Teuscher | diff --git a/documentation/README.md b/documentation/README.md index 624b2f46..bac78f29 100644 --- a/documentation/README.md +++ b/documentation/README.md @@ -1,7 +1,8 @@ -# IDS-RAM 4.0 (markdown) -This folder contains the working document for the IDS-RAM 4.0. It is organized in folders for each section. +# IDS-RAM 4.0 # -## Structure +## Table of Content ## + +[Front Matter](./FrontMatter.md) [1. Introduction](./1_Introduction/README.md) 
@@ -13,9 +14,9 @@ This folder contains the working document for the IDS-RAM 4.0. It is organized i [3.2. Functional Layer](./3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/README.md) -[3.3. Process Layer](./3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/README.md) +[3.3. Information Layer](./3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/README.md) -[3.4. Information Layer](./3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/README.md) +[3.4. Process Layer](./3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/README.md) [3.5. System Layer](./3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/README.md) @@ -27,4 +28,6 @@ This folder contains the working document for the IDS-RAM 4.0. It is organized i [4.3 Governance Perspective](./4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/README.md) -[Glossary](https://github.com/International-Data-Spaces-Association/IDS-G/tree/main/glossary) +[Glossary](https://github.com/International-Data-Spaces-Association/IDS-G/tree/main/Glossary) + + diff --git a/maintainers_and_contributors.md b/maintainers_and_contributors.md deleted file mode 100644 index 7560a3cd..00000000 --- a/maintainers_and_contributors.md +++ /dev/null 
@@ -1,32 +0,0 @@ -# Maintainers -Maintainers are responsible persons for each section of the RAM. Maintainers and may merge with the main branch - -1 introduction --> Sebastian Steinbuss, - -2 context --> Sebastian Steinbuss, - -3.1 business layer --> Sebastian Steinbuss, - -3.2 functional layer --> Sebastian Steinbuss, - -3.3 process layer --> Heinrich Pettenpohl, Sebastian Bader - -3.4 information layer --> Christoph Lange - -3.5 system layer --> Heinrich Pettenpohl, Sebastian Bader - -4.1 security perspective --> Gerd Brost, Monika Huber, Jörg Langkau - -4.1.x Usage Control -> IESE , Robin , Jörg Langkau - -4.2 Certification --> Monika Huber, Andreas Teuscher, Sebastian Steinbuss - -4.3 Governance --> Sebastian Steinbuss, Andreas Teuscher, - - -# Contributors -Contributors can volunteer to work on the issues,e.g. - -- create issue : Data privacy in section 4.3.x --> assign this to Stephan Schwichtenberg -- -- create issue : DID in section 4.1.x --> assign this to Stephan Schwichtenberg and Peter Koen From af321a3a1b527f37eb896de03e8ae8cace28634a Mon Sep 17 00:00:00 2001 
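Review bot: Dropping "(Public preview)" from the title and removing the line "_Please note that this is not yet the official and approved version of the IDS RAM 4.0._" in the first README.md hunk (`@@ -1,24 +1,15 @@`) changes the document's stated status, which is more than a formatting fix; either keep the preview notice until the release is approved, or state explicitly that the README now describes the released version.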
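Review bot: The second README.md hunk (`@@ -26,44 +17,37 @@`) leaves the file without a trailing newline after `- [IDS RAM 3.0](https://internationaldataspaces.org/download/16630/)` (the diff shows "\ No newline at end of file"); add one so later diffs on this file stay clean. The new Structure list also switches from directory links to `.../README.md` links for every section, so each target README.md must exist in its folder, otherwise the links 404 where the old directory links rendered. The correction of `4_3_Government_Perspective` to `4_3_Governance_Perspective` is right and matches the path used in documentation/README.md.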
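Review bot: Deleting content.md (`@@ -1,273 +0,0 @@`) also deletes the open design questions recorded as `>` notes in that outline, for example the Identity Management notes on "centralized (PKI) vs decentralized (DID)" and "claim management, including 2 options DAPS and Verifiable Credentials", the question "does this section fit here?" under Dynamic Trust Monitoring, and the remark that Data Privacy "also has security concerns". None of these reappear in the new FrontMatter.md or README.md; move each open point to an issue before merging so the decision trail is not lost with the file.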
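Review bot: The "Authors and Contributors" list in the FrontMatter.md hunk (`@@ -0,0 +1,152 @@`) has duplicate and inconsistent entries: Sebastian Bader is listed twice (Fraunhofer IESE and Fraunhofer IAIS), Aleksei Resetko is listed twice (PricewaterhouseCoopers and PwC), "Fraunhofr AISEC" and "AlexanderDuisberg" are misspelled, "Bird \& Bird" carries a LaTeX-style escaped ampersand that Markdown does not need, "Robin Brandsätter" in the list does not match "Robin Brandstätter" in the Maintainers table, and "Sebastian Steinbuß" in the list does not match "Sebastian Steinbuss" under Editor and in the table. In the same hunk the Maintainers row for 4.1 Security Perspective lacks the closing `|` that every other row has, and "Thomas Reitelbach" and "Aleksei Resetko" break the alphabetical order by sitting before "Daniel Pakkala". Suggest one entry per person with one affiliation, e.g. `* Aleksei Resetko, PwC`, and one spelling per name across list, editor line and table.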
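Review bot: The first documentation/README.md hunk (`@@ -1,7 +1,8 @@`) titles the folder `# IDS-RAM 4.0 #` while the root README.md in this same patch uses `# IDS RAM 4.0 #`; pick one spelling of the name for both titles.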
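Review bot: The third documentation/README.md hunk (`@@ -27,4 +28,6 @@`) appends two blank lines after the Glossary link; drop them and end the file with a single newline. The change of the Glossary path from `glossary` to `Glossary` is needed, since GitHub paths are case-sensitive and the root README.md links the capitalised folder.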
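Review bot: The deleted maintainers_and_contributors.md (`@@ -1,32 +0,0 @@`) carried two items that the new FrontMatter.md Maintainers table does not: the rule that maintainers "may merge with the main branch", and the separate "4.1.x Usage Control -> IESE , Robin , Jörg Langkau" entry. The merge rule is repository governance and belongs in CONTRIBUTING.md, which the README links as "How to Contribute"; the Usage Control entry should either get its own table row or be deliberately folded into 4.1 Security Perspective, where Robin Brandstätter and Jörg Langkau already appear. The rename from "Christoph Lange" (3.4 information layer) to "Christoph Lange-Bever" (3.3 Information Layer) is consistent with the 3.3/3.4 swap elsewhere in the patch but deserves a mention in the commit message.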
From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Fri, 14 Oct 2022 12:06:07 +0200 Subject: [PATCH 15/22] 64 business layer (#158) (#192) * Integrating ParIS section into the Business Layer. * Minor spelling changes to prepare the PR. * Update 3_1_x_ParIS.md chore: Add link to IDS Rule Book; Insert Certification Authority * Adding layers of the RAM * Create 3-1-Business-layer.md Adding basic content from RAM3 * editorial update removing remainder of functional layer * dividing file into subsections split the section into files * Editorial changes Business Layer * editorial changes * Editorial changes * Update Business Layer Usage Contracts Adding connection to Rule Book in the Business Layer with regard to the usage contracts * editorial changes moving figures and changing links * editorial changes * Editorial changes Editorial changes * Update Role model updating role model * editorial changes updating links * Merging ParIS Merging ParIS file to digital identities section. 
* Update Changelog Adding Changes on Business Layer * Fix formatting Co-authored-by: Sebastian Bader Co-authored-by: HeinrichPet <59964830+HeinrichPet@users.noreply.github.com> Co-authored-by: Sebastian Bader Co-authored-by: HeinrichPet <59964830+HeinrichPet@users.noreply.github.com> --- CHANGELOG.md | 7 + .../3_1_Business_Layer/3-1-Business-layer.md | 16 + .../3_1_1_Roles_in_the_IDS.md | 557 ++++++++++++++++++ .../3_1_2_Interaction_of_Roles,md | 42 ++ .../3_1_3_Digital_Identities.md | 100 ++++ .../3_1_4_Usage_Contracts.md | 37 ++ .../3_1_Business_Layer/3_1_x_ParIS.md | 7 - .../media/DigitalIdentities.png | Bin .../3_1_Business_Layer}/media/image18.png | Bin .../3_1_Business_Layer/media/image20_new.png | Bin 0 -> 10580 bytes .../3_Layers-of-the-RAM | 5 + .../media/image11.png | Bin 0 -> 50908 bytes 12 files changed, 764 insertions(+), 7 deletions(-) create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3-1-Business-layer.md create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles,md create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_3_Digital_Identities.md create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_4_Usage_Contracts.md delete mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_x_ParIS.md rename documentation/{ => 3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer}/media/DigitalIdentities.png (100%) rename documentation/{ => 3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer}/media/image18.png (100%) create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/media/image20_new.png create mode 100644 
documentation/3_Layers_of_the_Reference_Architecture_Model/3_Layers-of-the-RAM create mode 100644 documentation/3_Layers_of_the_Reference_Architecture_Model/media/image11.png diff --git a/CHANGELOG.md b/CHANGELOG.md index 665f909f..1507c4a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,10 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Added + +- none +- Business Layer: Adding Participant Information Service +- Business Layer: Adding activities in relation to roles. - IDSA Rulebook + ### Changed - none +- Business Layer: editorial changes. ### Removed - none @@ -20,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed - none +- Business Layer: fixed consistency in Role Interaction table. ### Security - none diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3-1-Business-layer.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3-1-Business-layer.md new file mode 100644 index 00000000..847c7536 --- /dev/null +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3-1-Business-layer.md 
@@ -0,0 +1,16 @@ +## Business Layer ## + +The Business Layer of the Reference Architecture Model defines and +categorizes the different roles the participants in the International +Data Spaces may assume. Furthermore, it specifies basic patterns of +interaction taking place between these roles. It thereby contributes to +the development of innovative business models and digital, data-driven +services to be used by the participants in the International Data +Spaces. + +While the Business Layer provides an abstract description of the roles +in the International Data Spaces, it can be considered a blueprint for +the other, more technical layers. The Business Layer can therefore be +used to verify the technical architecture of the International Data +Spaces. In this sense, the Business Layer specifies the requirements to +be addressed by the [Functional Layer](../../3_2_Functional_Layer/3_2_FunctionalLayer.md). diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md new file mode 100644 index 00000000..29957c2e --- /dev/null +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md 
@@ -0,0 +1,557 @@ +### ROLES IN THE INTERNATIONAL DATA SPACES ### + +In the following, each role a participant can assume in the +International Data Spaces is described in detail, together with the +tasks assigned to it. The Reference Architecture model distinguishes +four "categories" containing "business roles" that, depending on the +individual business model, can assume one or more of the "basic roles". + +#### Basic Roles in the International Data Space ### + +The ecosystem of the IDS comprises several basic tasks being carried out +by the various participants. The set of these tasks can be derived from +relevant objects in the IDS and the activities along the respective life +cycle. IDS objects that participants in the IDS have to handle are: + +1. **Connector**: technical core component required for a participant + to join the International Data Spaces + +2. **Data**: here synonym to Data Asset, i.e. content exposed for + exchange by the Data Provider + +3. **Vocabulary**: ontologies, reference data models, or metadata + elements that can be used to annotate and describe datasets, usage + policies, apps, services data sources etc. + +4. **Identity**: information of and for participants in the IDS + +5. **App**: applications that can be deployed inside the connector. + Apps facilitate data processing workflows. They may be certified by + a Certification Body, following the certification procedures defined + in the [Certification Perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/README.md). + +6. **Transaction**: comprises all activities performed in the course of + a data exchange + +7. **Service**: software running in a connector and provided as a + service (algorithm and computing time) + +For each of these IDS objects, the Reference Architecture Model defines +activities along the life cycle define. The set of activities, or a +subset of it, that describe the life cycle of the objects are: + +1. 
**Create**: create an object, e.g. software by programming or data + from reading a sensor + +2. **Own**: own an object or hold the corresponding license or right + according to local rules and regulations + +3. **Certify/verify**: e.g. certify software according to the IDS + certification scheme or verify authenticity of data + +4. **Publish**: share meta data on objects such as data, apps, services + etc. + +5. **Provide**: technically provide the object + +6. **Consume**: technically receive the object + +7. **Use**: make use of an object in a business model that does not + consist of an intermediary function (see below) + +8. **Delete**: Delete, eliminate or turn object off + +Each activity along the life cycle of an IDS object is carried out by a +participant of the IDS. A role that a participant takes to carry out +these activities is called "basic role". As some combinations from an +IDS object and an activity (e.g. "verify data", "delete identity") may +be relevant in other contexts than the IDS RAM or may become relevant in +the future, some potential basic roles are declared as (currently) "out +of IDS RAM scope". The table below shows the basic roles defined in the IDS. 
+ +| | **Create** | **Own** | **Certify / Verify** | **Publish** | **Provide** | **Consume | **Use** | **Delete** | | | | | | +|-----------------|:---------------------:|:------------------:|:--------------------:|:-----------------------:|:----------------------:|:-------------------:|:-----------------------:|:-------------------:|:-:|:-:|:-:|:-:|:-:| +| **Connector** | Connector Creator | Connector Owner | Connector Certifier | Connector Publisher | Connector Provider | (Out of RAM scope) | Connector User | (Out of RAM scope) | | | | | | +| **Data** | Data Creator | Data Owner | (Out of RAM scope) | Connector / Data Broker | Data Provider | Data Consumer | Data User | Data Eraser | | | | | | +| **Vocabulary** | Vocabulary Creator | Vocabulary Owner | (Out of RAM scope) | Vocabulary Publisher | Vocabulary Provider | Vocabulary Consumer | Vocabulary User | (Out of RAM scope) | | | | | | +| **Identity** | Identity Creator | Identity Owner | Identity Verificator | Identitiy Publisher | Identity Authenticator | (Out of RAM scope) | Identity User | Identity Eliminator | | | | | | +| **App** | App Creator | App Owner | App Certifier | App Broker | App Provider | App Consumer | App User | App Deleter (?) | | | | | | +| **Transaction** | Transaction Initiator | (Out of RAM scope) | Transaction Clearer | (Out of RAM scope) | (Out of RAM scope) | (Out of RAM scope) | Transaction Participant | (Out of RAM scope) | | | | | | +| **Service** | Service Creator | Service Owner | Service Certifier | Service Broker | Service Provider | Service Consumer | Service User | (Out of RAM scope) | | | | | | + +These basic roles are suitable to define technical tasks in the IDS and +roles of the participants in detail. As this quite large number is, +however, bulky especially for early discussions, grouping basic roles to +business roles is advisable. The basic roles are explained in a suitable +context of the business roles. 
+ +#### Business Roles in the International Data Space #### + +On the level of the business layer, depending on the use case, it might +not be crucial to distinguish between basic roles. E.g. if an industrial +company intends to provide quality check data to a supply chain partner, +the distinction between data owner and data creator is unnecessary. +Hence, business roles are introduced. Business roles comprise one or +more basic role. Their exact scope of comprised basic roles depends on +the individual business model of the participant as individual business +models (including pricing models) may be applied as deemed appropriate. +E.g. a data intermediary (see details below) operating a data hub may +store data as a trustee, act as a broker or do both -- depending on the +business model. Therefore, as the assignment of basic roles to a +business role may vary, the assignment is marked with the following +symbols: + +- **T** (typical): basic role typically taken by a business role + +- **M** (mandatory): required role from a technical perspective + +There are four categories of roles: + +» Category 1: Core Participant + +» Category 2: Intermediary + +» Category 3: Software Developer + +» Category 4: Governance Body + +#### CATEGORY 1: CORE PARTICIPANT #### + +Core Participants are involved and required every time data is exchanged +in the International Data Spaces. Roles assigned to this category are +Data Supplier and Data Customer. The role of a Core Participant can be +assumed by any organization that owns, wants to provide, and/or wants to +consume or use data. + +Benefit for participants in the International Data Spaces is created by +these roles as they create, potentially own and possibly provide data as +well as receive, process and most likely at some point in time delete +data. + +##### DATA SUPPLIER #### + +The Data Supplier is a role that induces data into the IDS ecosystem. 
+Depending on the individual business and technical operation model, the +business role Data Supplier typically assumes the basic roles Data +Creator, Data Owner, and/or Data Provider. + +The **Data Creator** creates data, e.g. by generating data such as from +a sensor or accessing data in backend IT systems. + +As the legal situation regarding data ownership is very complicated (as +discussed in the [Governance Perspective](#)), the term '**Data Owner'** is not used in a +legal understanding in this document. The Reference Architecture Model +takes an operational data management perspective, defining a Data Owner +as a legal entity or natural person executing control over data. This +enables the Data Owner to define Data Usage Policies and provide access +to its data. Data Ownership includes at least two major concepts: + +» having the (technical) means and the responsibility to define Usage +Contracts and Usage Policies, and to provide access to data; and + +» having the (technical) means and the responsibility to define the +Payment Model, including the model for reuse of data by third parties. + +The **Data Provider** makes data technically available in the IDS for +being transmitted to a Data Customer on behalf of the Data Owner. To +submit metadata to a Broker, or exchange data with a Data Consumer, the +Data Provider uses software components that are compliant with the +Reference Architecture Model of the International Data Spaces. Compliant +software is available from Software Developers and App Developers. + +Usually, a participant acting as a Data Creator automatically assumes +the role of the Data Owner. However, if rights or licenses on data are +given to different participant, the same assumes the role of the Data +Owner. In this case, Data Owner and Data Creator would be different +participants. + +Initially, a participant acting as a Data Creator automatically assumes +the role of the Data Provider as well. 
However, there may be cases in +which the Data Provider is not the Data Creator, e.g. if the data is +technically managed by a different entity than the Data Creator. This +can be the case of a company using an external IT service provider for +data management, or if data management activities are handed over to a +Data Intermediary (cf. below) as a data trustee. + +In cases in which the Data Owner does not act as the Data Provider at +the same time, the only activity of the Data Owner is to authorize a +Data Provider to make its data available to be used by a Data Consumer. +Any such authorization should be documented by a contract, which should +include data usage policy information for the data provided (see +[Usage Control in IDS](#)). The contract needs not necessarily be a paper +document, but may be an electronic file as well. + +At the end of a complete or partial data transaction, for example, the +Data Provider may log the details of the successful (or unsuccessful) +completion of the transaction at a Clearing House (see below) to +facilitate billing or resolve a conflict. Furthermore, the Data Provider +can use Apps in the IDS connector to enrich or transform the data in +some way, or to improve its quality. Data Apps are specific applications +that can be loaded into the IDS connector and, thus, linked into the +data exchange workflow. + +##### DATA CUSTOMER ##### + +The **Data Consumer** receives data from a Data Provider. From a +business process modeling perspective, the Data Consumer is the mirror +entity of the Data Provider; the activities performed by the Data +Consumer are therefore similar to the activities performed by the Data +Provider. + +If data is processed by a Service Provider (see below), the Data +Customer takes the role of a **Service Consumer**. This constellation my +occur, e.g. when the Data Owner/Provider attaches usage policies to the +data that require data being processed by a third-party service (i.e. 
+Service Provider) before being handed to the consumer. Then, the Data +Customer is both Data Consumer and Service Consumer. + +Similar to the Data Owner being the legal entity that has the legal +control over its data, the **Data User** is the legal entity that has +the legal right to use the data of a Data Owner as specified by the +usage policy. The Data User can be identical with the Data Consumer. +However, there may be scenarios in which these roles are assumed by +different participants. For example, a patient could use a web-based +software system to manage their personal health data and grant access to +this data to a health coach. The data could be received from a hospital. +In this case, the health coach would be the Data User and the provider +of the web-based software system would be the Data Consumer. + +In existing, mostly quite static relations, the Data Customer and Data +Supplier already know each other and intend to exchange specific data +sets (e.g. capacity information for a particular part to be produced). +In these cases, the Data Consumer directly requests data (and the +corresponding metadata) from the Data Provider or the Data Provider +pushes data directly to the Data Consumer. + +If the Data Customer searches for a type of data that is provided by +many suppliers, .e.g. weather data, the Data Consumer can search for +existing datasets by making an inquiry at a Data Intermediary that +assumes the basic role of a Data Broker (cf. according section below). +The Data Intermediary (Data Broker) then provides the required metadata +for the Data Consumer to connect to a Data Provider. + +Like a Data Provider, the Data Consumer may log the details of a +successful (or unsuccessful) data exchange transaction at a Clearing +House, use Apps to enrich, transform, etc. the data received, or use a +Data Broker to retrieve data sources. 
+ +#### CATEGORY 2: INTERMEDIARY ##### + +Intermediaries act as trusted entities and are commonly considered as +"platforms". They assume a rather central role compared to the great +number of data suppliers and customers, though multiple, especially +competitive platforms of the same role may and shall exist. Business +Roles assigned to this category are Data Intermediary, Services +Intermediary, App Store, Vocabulary Intermediary, Clearing House, and +Identity Authority. Most likely, the business models of intermediaries +will lead to a combination of some of the business roles, e.g. act as +both Data and Service Intermediary. + +The Intermediary roles may be assumed only by trusted organizations. +They create benefit for participants in the IDS by establishing trust, +providing metadata, and creating a business model around their services. + +##### Data Intermediary ##### + +The Data Intermediary is a platform operator that assumes mainly the +data-related basic roles Data Provider/Data Consumer and Data Broker. + +Assuming the basic role of a **Data Provider** or **Data Consumer**, the +Data Intermediary is responsible for the execution of the data exchange +on behalf of the Data Owner or User respectively. Providing a Data +Consumer with data is, hence, the main activity of the Data Provider. + +To facilitate a data request from a Data Consumer, the Data Intermediary +would provide a **Data Broker** with proper metadata about the data. +Acting as a Data Broker, the Data Intermediary stores and manages +information about the data sources available in the International Data +Spaces. An organization offering data brokering in the International +Data Spaces may assume other intermediary basic roles at the same time +(e.g. Service Broker, Clearing House or Identity Authority, see below). +Assuming further basic roles consequently means additional tasks a +participant has to execute. 
+ +The activities of the Data Broker mainly focus on receiving and +providing metadata. The Data Broker must provide an interface for Data +Creators to send their metadata. The metadata should be stored in an +internal repository for being queried by Data Consumers in a structured +manner. While the core of the metadata model must be specified by the +International Data Spaces (i.e. by the Information Model, see + [Information Layer](#)), a Data Broker may extend the metadata model to manage additional +metadata elements. + +After the Data Broker has provided the Data Consumer with the metadata +about a certain Data Provider, it is not involved in the subsequent data +exchange process. + +##### Service Intermediary ##### + +A service offers e.g. data analysis, data integration, data cleansing, +or semantic enrichment to improve the quality of the data exchanged in +the International Data Spaces. Analogously to the Data Intermediary, the +Service Intermediary is a platform operator providing metadata on +services, the services itself (i.e. app including computing time as a +trustee), or both. Hence, the Service Intermediary typically assumes +mainly the service-related basic roles of the Service Provider and/or +Service Broker. + +A **Service Provider** receives data from a Data Provider (or another +Service Provider) and either returns the calculation result to the same +or directs it to an indicated Data Consumer (which then is a Service +Consumer at the same time). The participant who receives processed data +from a Service Intermediary could be again a Service Intermediary as +data can be routed through an arbitrary number of instances of services +in the IDS. + +In order to provide the service, the Service Provider installs apps in +its IDS connector that can be developed by the participant himself or +from a third-party App Provider. The Service Intermediary is then an App +Consumer. 
Just like in the case of data, the Service Owner might be a +different organization than the Service Provider. The Service Provider +then operates the service on behalf of the owner. + +To allow other participants in the IDS to retrieve available services, +Service Intermediaries may also assume the role of the **Service +Broker**. The Service Broker provides metadata on present services in +the IDS analogously to the Data Broker. + +##### APP STORE ##### + +The business role of the App Store is responsible to distribute data +apps. In contrary to the Service Provider, the algorithm is not executed +in the platform of the App Store, but provided for download to the IDS +connector of the App Consumer. App Consumer and App Owner may be +different, if the owner acquires (purchases) an app, but lets it be +distributed to Service Provider. The App Store role typically comprises +the basic roles of the App Broker and App Provider. Apps are programmed +by the App Creator that can, but does not have to be identical to the +App Owner (cf. Data Owner/Creator above). + +The App Store is first responsible for managing information about apps. +This is the **Data Broker** role. The App Store should provide +interfaces for publishing and retrieving apps plus corresponding +metadata. In most cases, the App Store will, secondly, also assume the +basic role of the **App Provider** as it is common for mobile phone app +stores. The App Store then technically provides the app on behalf of the +App Owner. However, not only data, but also apps may be sensitive and, +therefore, shall be stored in the sphere of the App Owner. In this case, +the App Broker and App Provider roles would be taken be different +participants. + +Depending on the business model, an App Store could also comprise the +**App Owner** role as the store may own the license for particular apps. 
+As the App Store might take responsibility for the validity and +functionality of the apps provided, the App Store could also act as an +**App Certifier**. + +##### VOCABULARY Intermediary ##### + +The Vocabulary Intermediary technically manages and offers vocabularies +(i.e. ontologies, reference data models, or metadata elements). The +Vocabulary Intermediary typically assumes the basis roles of the +Vocabulary Publisher and Vocabulary Provider. Vocabularies are owned and +governed by the according Standardization Organization (cf. category 4). + +Vocabularies can be used to annotate and describe data assets. These +data assets may comprise at least: + +- **Information Model** of the International Data Spaces, which is the + basis for the description of data sources (see [Information Layer](#)). There + is only one information model in the IDS governed by the IDSA. + +- **Domain-specific vocabularies**: They are essential for the + scalability and success of the IDS. Domains are e.g. represented in + the very common set of linked open data (LOD). For example, "gene + ontology" is a unified vocabulary for parts of life sciences, "GAO" + for the automotive industry, etc. + +- **Legal terms**: To describe usage policies and to enable smart + contracting, legal terms must be coded in a machine-readable and + -understandable manner. The IDS Information Model defines the Open + Digital Rights Language (ODRL) to describe usage policies. Still, + IDS communities such as a (closed) supply chain network or a + domain-specific IDS initiative could define additional + (complementary or alternative) vocabularies, e.g. depict the + International Commercial Terms (Incoterms) as an ontology or + reference to the iShare Scheme. + +There is no dedicated or exclusive role that creates vocabularies. 
+Usually, standardization organizations such as ISO, EN, IEEE etc., but +also industrial associations define standards that can be formulated as +a vocabulary (Vocabulary Creators and Owners). Except the IDS +information model, there can be multiple vocabularies describing the +same context (e.g. different types of smart contracts or usage policy +descriptions). A single vocabulary for the same context support +standardization and, thus, compatibility efforts. Multiple vocabularies +provide flexibility and competitiveness. + +To find the right and latest vocabulary, they must be retrievable with +the help of a **Vocabulary Publisher**. This is a repository of +vocabulary metadata. In most cases, as vocabularies are usually (for the +sake of their purpose) open, the Vocabulary Intermediary will also act +as a **Vocabulary Provider**, i.e. providing the vocabulary technically +for download. + +Vocabulary Users are all instances using vocabularies, e.g. Data +Suppliers, Data Customers, Service Intermediaries, Data Intermediaries, +App Stores, etc. Also the Vocabulary Intermediary possibly may use a +vocabulary to describe the vocabulary repository. + +##### CLEARING HOUSE ##### + +The Clearing House is an intermediary that provides clearing and +settlement services for all financial and data exchange transactions. In +the International Data Spaces, clearing activities are separated from +broker services, since these activities are technically different from +maintaining a metadata repository. As already stated above, it might +still be possible that the role Clearing House and other intermediary +roles are assumed by the same organization, as both roles require acting +as a trusted intermediary between the Data Supplier and the Data +Customer. + +The Clearing House logs all activities performed in the course of a data +exchange, thus, assuming the role of the **Transaction Clearer**. 
After +a data exchange, or parts of it, has been completed, both the Data +Supplier and the Data Customer confirm the data transfer by logging the +details of the transaction at the Clearing House, e.g. by means of +distributed ledger technologies. Based on this logging information, the +transaction can then be billed. The logging information can also be used +to resolve conflicts (e.g., to clarify whether a data package has been +received by the Data Customer or not). The Clearing House also provides +reports on the performed (logged) transactions for billing, conflict +resolution, etc. + +##### Identity Authority ##### + +The Identity Authority should offer a service to create, maintain, +manage, monitor, and validate identity information of and for +participants in the International Data Spaces. This is imperative for +secure operation of the International Data Spaces and to avoid +unauthorized access to data. Hence, every participant in the IDS +inevitably owns an identity (describing the respective participant) and +uses an identity for authentication. + +The Identity Authority consist of a Certification Authority (managing +digital certificates for the participants of the International Data +Spaces), a Dynamic Attribute Provisioning Service (DAPS, managing the +dynamic attributes of the participants), and a service named Dynamic +Trust Monitoring (DTM, for continuous monitoring of the security and +behavior of the network. More details about identity management can be +found in the [security perspective](#). + +Typically, identities are created by the Identity Authority, then acting +as an **Identity Creator**. In the sense of a directory, the authority +would also publish the identity if desired by the owner and especially +provide certificates, DAPS etc. for authentication purposes. These are +the basic roles **Identity Publisher** and **Identity Authenticator**. 
+ +#### CATEGORY 3: SOFTWARE DEVELOPER #### + +This category comprises IT companies providing software to the +participants of the International Data Spaces. Roles subsumed under this +category are the business roles App Developer and Connector Developer. + +Benefit is created by these roles by providing software to the +participants of the International Data Spaces. Please note that the +process of providing software to be used for establishing the endpoints +of a data exchange transaction (e.g. Enterprise Systems like ERP or MES, +or other platforms) is not part of the International Data Spaces, as it +takes place before an organization joins the IDS. + +##### App Developer ##### + +App Developers develop data apps to be used in an IDS Connector. Thus, +the App Developer typically covers the basic roles **App Creator** and, +as long as the data app is not created on behalf, **App Owner**. + +To be deployable, a data app has to be compliant with the system +architecture of the International Data Spaces (see [system layer](#)). In +addition, data Apps can be certified by a Certification Body in order to +increase trust in these applications (especially with regard to Data +Apps processing sensitive information). + +Data apps are published and most likely provided in the App Store to +Data Customers, Data Suppliers, or Intermediaries. App Developers should +describe each Data App using metadata (in compliance with a metadata +model) with regard to its semantics, functionality, interfaces, etc. + +##### Connector Developer ##### + +A Connector Developer provides software for implementing the +functionality required by the International Data Spaces (i.e., through +software components, as described in the [system layer](#)). 
Unlike Data Apps, +software is not provided by the App Store, but delivered over the +Connector Developer's usual distribution channels, and used on the basis +of individual agreements between the Connector Developer and the user +(e.g., a Data Customer, a Data Supplier, or an Intermediary). This +procedure implies that the agreements (e.g. licenses) for deployment and +software usage remain outside the scope of the International Data +Spaces. + +The Connector Developer typically assumes the basic roles **Connector +Creator**, **Connector Owner**, and -- considering the way of software +distribution described above -- **Connector Provider**. + +#### CATEGORY 4: GOVERNANCE BODY ##### + +Governance Bodies in the IDS have the authority and task to set and +enforce guidelines to standardize data exchange, to create trust and, in +the end, to enable sustainable operation of the IDS. The Certification +Body, Evaluation Facilities, Standardization Organizations, and the +International Data Spaces Association are the business roles in the +category of Governance Bodies. + +##### CERTIFICATION BODY AND EVALUATION FACILITIES ##### + +The participants in the International Data Spaces benefit from the +Certification Body and the Evaluation Facilities as these roles take +care of the certification process and issue certificates (both with +regard to organizations that want to participate and with regard to +software components that are to be used). + +The Certification Body, together with selected Evaluation Facilities, is +in charge of the certification of the participants and the core +technical components in the International Data Spaces. These Governance +Bodies make sure that only compliant organizations are granted access to +the trusted business ecosystem. In this process, the Certification Body +supervises the actions and decisions of the Evaluation Facilities. 
+ +Thus, from the technical perspective, the basic roles **Connector +Certifier**, **App Certifier** and **Service Certifier**. + +The Certification Scheme applied in the process is described in the [Certification Perspective](#). + +##### Standardization Organization ##### + +Standardization Organizations govern standards that are typically +describe as an ontology or vocabulary. In general, there is neither a +claim for exclusiveness of a standard nor an obligation apply it. One +example could be the International Commercial Terms (Incoterms) that are +a common legal foundation in logistics, but does have to be applied. A +domain-specific Standardization Organization is, e.g., Odette, a +European organization setting data standards for the automotive +industry. + +The business role Standardization Organization, therefore, comprises the +basic roles **Vocabulary Creator** and **Vocabulary Owner**. + +Among the standardization organizations, the IDSA assumes a special +role, as it is exclusively entitled to govern the IDS Reference +Architecture Model and the Information Model. + +##### INTERNATIONAL DATA SPACES ASSOCIATION (IDSA) ##### + +The International Data Spaces Association (IDSA) is a non-profit +organization promoting the continuous development of the International +Data Spaces. More specifically, it supports and governs the continuous +development of the Reference Architecture Model and the participant +certification process. The International Data Spaces Association is +currently organized across several working groups, each one addressing a +specific topic (e.g., architecture, use cases and requirements, or +certification). Members of the Association are primarily large +industrial enterprises, IT companies, SMEs, research institutions, and +industry associations. 
+ +As the International Data Spaces Association is not directly involved in +the data exchange activities of the International Data Spaces, its role +will not be further addressed in the sections on the other Layers. diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles,md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles,md new file mode 100644 index 00000000..edcb4380 --- /dev/null +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles,md 
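Review bot: In the APP STORE paragraph of this hunk, "The App Store is first responsible for managing information about apps. This is the **Data Broker** role." contradicts the sentence just before it that the App Store "typically comprises the basic roles of the App Broker and App Provider"; this should read **App Broker**. Two more content slips in the same hunk: under CERTIFICATION BODY AND EVALUATION FACILITIES the sentence "Thus, from the technical perspective, the basic roles **Connector Certifier**, **App Certifier** and **Service Certifier**." has no verb (presumably "... the Certification Body assumes the basic roles ..."), and under Standardization Organization "but does have to be applied" inverts the point made one sentence earlier that there is "neither a claim for exclusiveness of a standard nor an obligation apply it" (read: "does not have to be applied", "obligation to apply it"). The Identity Authority paragraph opens a parenthesis at "(DTM, for continuous monitoring of the security and behavior of the network." that is never closed, and "The Identity Authority consist of" should be "consists of". Heading markers are unbalanced or inconsistently cased in several places ("##### DATA SUPPLIER ####", "#### CATEGORY 2: INTERMEDIARY #####", "#### CATEGORY 4: GOVERNANCE BODY #####", "##### VOCABULARY Intermediary #####"); since this is an editorial pass, normalizing them to the "##### NAME #####" form used for the other business roles would be in scope. Remaining typos to catch in this hunk: "This constellation my occur", ".e.g. weather data", "assumes the basis roles", "would be taken be different participants", "given to different participant, the same assumes", "typically describe as an ontology".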
@@ -0,0 +1,42 @@ +### Interaction of Roles ### + +#### Basic interactions for data exchange and data sharing in the International Data Spaces #### + +The figure below gives an overview of the roles and the interactions taking place between +them. As some of the roles (Certification Body and Evaluation +Facilities) are not actively involved in the everyday operations of the +International Data Spaces, they are omitted from the illustration. Also, +the figure does not include Software Providers and Identity Providers, +because of the necessary connection of those roles with all other roles. +The Software Provider would be connected to all other roles with the +relation _provides software_. Likewise, the Identity Provider +would be connected to all other roles with the relation _provides +identity_. + +![ Roles and interactions in the International Data +Spaces](./media/image18.png) + +This shows only the basic interactions taking place between the different +roles in the International Data Spaces. For data exchange, additional, +more specific interactions are necessary. These interactions are +described in the [Process Layer](#) section of the Reference Architecture +Model. + +The table below gives an overview of possible (mandatory are marked with X +or optional marked with (X)) interactions taking place in the IDS. 
+ +| | Data Owner | Data Provider | Data Consumer | Data User | Broker | Clearing House | Identity Provider | Service Provider | App Provider | App Store | Vocabulary Provider | Certification Body | Evaluation Facility | +|------------------------- |:----------: |:-------------: |:-------------: |:---------: |:------: |:--------------: |:-----------------: |:----------------: |:------------: |:---------: |:------------------: |:------------------: |:--------------------: | +| **Data Owner** | - | X | - | - | - | (X) | - | (X) | (X) | (X) | (X) | - | (X) | +| **Data Provider** | X | - | X | - | X | (X) | X | (X) | (X) | (X) | (X) | - | X | +| **Data Consumer** | - | X | - | X | (X) | (X) | X | (X) | (X) | (X) | (X) | - | X | +| **Data User** | - | - | X | - | - | (X) | - | (X) | (X) | (X) | (X) | - | (X) | +| **Broker** | - | (X) | (X) | - | - | - | X | (X) | - | - | ? | - | X | +| **Clearing House** | (X) | (X) | (X) | (X) | - | - | X | (X) | (X) | (X) | (X) | - | X | +| **Identity Provider** | - | X | X | - | X | X | Federation | - | (X)? | (X)? | - | - | X | +| **Service Provider** | (X) | (X) | (X) | (X) | (X) | (X) | - | - | (X) | (X) | (X) | - | X | +| **App Provider** | (X) | (X) | (X) | (X) | - | (X) | (X) | (X) | - | (X) | - | - | (X) | +| **App Store** | (X) | (X) | (X) | (X) | - | (X) | (X) | (X) | (X) | - | (X) | - | (X) | +| **Vocabulary Provider** | (X) | (X) | (X) | (X) | ? | (X) | (X) | (X) | (X) | (X) | - | - | X | +| **Certification Body** | - | - | - | - | - | - | - | - | - | - | - | - | X | +| **Evaluation Facility** | (X) | X | X | X | X | X | X | X | (X) | X | X | X | - | diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_3_Digital_Identities.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_3_Digital_Identities.md new file mode 100644 index 00000000..05f32109 --- /dev/null 
+++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_3_Digital_Identities.md 
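Review bot: The new file in this hunk is named 3_1_2_Interaction_of_Roles,md (comma before the extension) instead of .md, so it will not be rendered or picked up as Markdown alongside the other section files; rename it before merging. In the interaction table, several cells use symbols the legend does not define: "?" (Broker row/Vocabulary Provider column and vice versa), "(X)?" (Identity Provider row towards App Provider and App Store) and "Federation" (Identity Provider with itself); either resolve them to X, (X) or -, or extend the legend sentence ("mandatory are marked with X or optional marked with (X)") so readers know they are open questions rather than typos. The table and the prose also use basic-role names (Broker, Identity Provider, Software Provider, App Provider) while the roles file added in this same patch groups these under business roles (Data Intermediary, Identity Authority, Software Developer, App Store); one sentence stating that the figure and table are on the basic-role level would avoid the mismatch, and "Software Providers and Identity Providers" in the second sentence should follow whichever naming is chosen.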
@@ -0,0 +1,100 @@ +### Digital Identities ### + +Establishing trust for data sharing and data exchange is a fundamental +requirement. The IDS-RAM defines two basic types of trust: 1) Static +Trust, based on the certification of operational environment and core technical +components, and 2) Dynamic Trust, based on active monitoring of +operational environment and core technical components. For data sharing and data +exchange in the IDS, some preliminary actions and interactions are +required. These are necessary for every participant, and involve the +Certification Body, Evaluation Facilities, the Dynamic Attribute +Provisioning Service (DAPS), and the Participant Information Service (ParIS). +The figure below illustrates the roles and interactions required for issuing a digital +identity in the IDS. + +![ Interactions required for issuing a digital identity in the +IDS](./media/DigitalIdentities.png) + +#### Participant #### + +Certification is required for every participant and the majority of +roles in the IDS, as defined above. Certification refers both to the +organizational capabilities of the participant and the technical +capabilities of the core technical components. + +#### Certification #### + +Certification of a operational environment or core component involves the +[Certification Body](#) and an [Evaluation Facility](#). +Evaluation of a operational environment or a core component is executed upon request +of the participant and relies on the contract between the participant +and the Evaluation Facility. In the same way, a Service Provider can +request evaluation of a component. In this process, the Certification +Body is responsible for supervision of the Evaluation Facility involved. + +#### Certificate Authority #### + +The Certificate Authority is responsible for issuing, validating and +revoking [digital certificates](#). 
A digital certificate +is provided for a participant if both a valid certification for the +operational environment and a valid certification for the core component is +available. This means that the Certificate Authority provides an +IDS-ID for a combination of operational environment and core component. The digital +certificate is valid not exceeding the validity of both certifications, +operational environment certification and the certification of core component used +by the participant. The Certification Authority provides the digital +certificate to the participant upon request. + +#### Dynamic Attribute Provisioning Service (DAPS) #### + +The information resulting from the certification process is passed on to +the Dynamic Attribute Provisioning Service (DAPS). This includes master +data and information on [security profiles](#). The CA provides the details on the digital certificate +(public key and IDS-ID). The participant registers at the DAPS after +successfully deploying the digital certificate inside the component. + +#### Participant Information Service (ParIS) #### + +One of the most important value propositions of the IDS is the enablement of business interactions between previously unrelated Participants. That aims in particular at companies that have not met before in the digital or non-digital world but now start business agreements solely relying on the IDS. The therefore necessary trust in the opposite party is technically achieved by a verifiable identity management process through the Certification Authority and the DAPS. Both components equip each Participant with the necessary attributes and cryptographic proofs for the IDS handshakes. The establishment of a secure and uncompromised communication channel is however only the necessary requirement for a business interaction. In addition, the respective Participants need to understand their opposite’s state in regards of business workflows. 
For instance, every business actor needs to know its customers tax identification or VAT number to create correct invoices. Furthermore, the registered address is critical to understand the responsible jurisdiction for the unfortunate cases when only courts can solve conflicts. + +Such information is provided and maintained by a support organization in an IDS, a legal entity that administers the ecosystem (see [IDSA Rule Book section 4.2.1.1.1](https://internationaldataspaces.org/download/19008/)). This organization introduces a new Participant by creating its digital identity and at the same time registers security-critical at the DAPS and business-relevant attributes at another technical component. This component is the Participant Information Service. The ParIS provides access to these attributes to the other IDS Participants and components and connects the unique Participant identifier – a URI – with additional metadata. Usually, each IDS ecosystem operates only a small number of ParIS instances, usually only one. IDS Participants therefore know the location where to ask for more information about a potential business partner and can decide whether to start a data exchange. + +Different to other IDS components, the trustworthiness of ParIS' provisioned information is not grounded on technical measures, like for instance signatures or certificates, but on the administrative process controlled by the Support Organization. A direct consequence of this process is the necessity that each change request is manually verified before added to the ParIS database. + +#### Dynamic Trust Monitoring (DTM) #### + +Continuous monitoring of participants is necessary for classification of +the trustworthiness of all participants in the ecosystem. Dynamic Trust +Monitoring (DTM) implements a monitoring function for every IDS +Component. 
The DTM shares information with the DAPS to notify each of +the two participant in a data exchange transaction of the current level +of trustworthiness of the other participant. + +#### Interactions #### + +The roles described above interact with each other in a structured way. +In the following, a brief description of these interactions is given +(they are described in more detail in the remaining layers and perspectives of the RAM): + +1. **Certification request:** This is a direct interaction between a + participant and an evaluation facility to trigger an evaluation + process based on IDS certification criteria. + +2. **Notification of successful certification:** The Certification Body + notifies the Certificate Authority of the successful certification + of the Operational Environment and the Core Component. Validity of both + certifications must be provided. + +3. **Generating the IDS-ID:** The CA generates a unique ID for the pair + (operational environment and component) and issues a digital certificate. + +4. **Provisioning of X.509 Certificate:** The Certification Authority + sends a digital certificate (X.509) to the participant in a secure + and trustworthy way and notifies the DAPS. + +5. **Register:** After the digital certificate (X.509) is deployed + inside the component, the component registers at the DAPS. + +6. **DTM Interaction**: The DTM and the DAPS exchange information on + the behavior of the component, e.g. about security issues + (vulnerabilities) or attempted attacks. diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_4_Usage_Contracts.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_4_Usage_Contracts.md new file mode 100644 index 00000000..14c0ecd7 --- /dev/null +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_4_Usage_Contracts.md 
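Review bot: This hunk names the same component three ways: the heading "#### Certificate Authority ####", then "The Certification Authority provides the digital certificate to the participant upon request", "The CA provides the details", and in the interaction list "**Provisioning of X.509 Certificate:** The Certification Authority sends"; the roles file in this patch calls it "Certification Authority" as part of the Identity Authority, so settle on one term. A security-lifecycle gap: the section states the CA is "responsible for issuing, validating and revoking digital certificates" and that a certificate "is valid not exceeding the validity of both certifications", but the six numbered interactions stop at registration and the DTM/DAPS exchange; nothing says what happens to the DAPS registration and the IDS-ID when a certification expires or a certificate is revoked, or whether DTM findings ("security issues (vulnerabilities) or attempted attacks") can lead to revocation. Adding that step, or a pointer to where the security perspective covers it, would close the loop. In the ParIS paragraphs, "registers security-critical at the DAPS" is missing a noun ("security-critical attributes"), and since trust in ParIS data rests "on the administrative process controlled by the Support Organization", it is worth stating explicitly that the ParIS instance itself still holds an IDS identity so that its responses are authenticated even though their content is vetted manually. Minor: "Certification of a operational environment" and "Evaluation of a operational environment" need "an", "each of the two participant" should be "participants", and as 3_1_x_ParIS.md is deleted at the end of this patch, check that no content was dropped when the ParIS text was moved here.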
@@ -0,0 +1,37 @@ +### Usage Contracts ### + +A legally valid contract is the foundation of any business transaction. +The IDS cannot, and does not intend to, replace legal contracts or +licensing agreements. Instead, the IDS provides a technical framework +for technically enforced agreements in addition to existing, legally +binding contracts. The connection of legally binding contracts and Usage +Contracts is part of the [IDSA Rulebook](#). + +Many details of a business relationship cannot be modeled in +machine-readable form. Nevertheless, the IDS specifies methods to define +categories of applicable contracts, and it presents patterns to observe +their usage and report validations. For this purpose, the IDS makes use +of the [Information Layer](#). + +![Technical Enforcement and organizational enforcement of usage +policies](./media/image20_new.png) + + +A Usage Contract comprises a set of Usage Policies. Each policy +describes a certain permission or obligation of an [IDS Resource](). +Usage Contracts are written in a machine-readable +format (according to the [IDS Usage Policy Language](#)) and must +be interpreted as defined in [section 4.1.3.6](#). In any +case, a Usage Contract must always be regarded as an extension of an +existing legal agreement between two IDS participants, which can be +overruled by them. As neither the IDS nor any other known technology +stack can sufficiently interpret legal texts, any Usage Contract must +always be in line with the concluded agreements. Each contract between +IDS participants consists of a technical part and a non-technical part. +The technical part focuses on the description of technical interfaces +(Application Programming Interfaces) and the Usage Policy. Negotiation +of the technical part of a contract must be supported by the Information +Layer of the IDS-RAM. The non-technical part focuses on legal aspects of +the intended data exchange. 
For automatic negotiation of contracts and +conditions standard contracts are necessary (but not yet available +today). diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_x_ParIS.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_x_ParIS.md deleted file mode 100644 index 3d8ba64e..00000000 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_x_ParIS.md +++ /dev/null 
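Review bot: Five cross-references in this new file are dead placeholders, `[IDSA Rulebook](#)`, `[Information Layer](#)`, `[IDS Usage Policy Language](#)`, `[section 4.1.3.6](#)` and `[IDS Resource]()`, the last with an empty target; either fill in relative paths to the moved section files (the figure already uses the new `./media/image20_new.png` location) or mark them TODO so they are not merged as-is, and note that the hard-coded "section 4.1.3.6" will drift as this PR restructures the tree. Wording: "report validations" probably means "report violations", which is the case a policy enforcement point actually needs to surface; "Each policy describes a certain permission or obligation of an IDS Resource" should say whose permission or obligation it is, since a resource has neither; and in "an extension of an existing legal agreement between two IDS participants, which can be overruled by them" make explicit what is overruled by whom, because the sentence can be read either way. Also add a comma: "For automatic negotiation of contracts and conditions, standard contracts are necessary".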
@@ -1,7 +0,0 @@ -# Participant Information Service (ParIS) - -One of the most important value propositions of the IDS is the enablement of business interactions between previously unrelated Participants. That aims in particular at companies that have not met before in the digital or non-digital world but now start business agreements solely relying on the IDS. The therefore necessary trust in the opposite party is technically achieved by a verifiable identity management process through the Certification Authority and the DAPS. Both components equip each Participant with the necessary attributes and cryptographic proofs for the IDS handshakes. The establishment of a secure and uncompromised communication channel is however only the necessary requirement for a business interaction. In addition, the respective Participants need to understand their opposite’s state in regards of business workflows. For instance, every business actor needs to know its customers tax identification or VAT number to create correct invoices. Furthermore, the registered address is critical to understand the responsible jurisdiction for the unfortunate cases when only courts can solve conflicts. - -Such information is provided and maintained by a support organization in an IDS, a legal entity that administers the ecosystem (see [IDSA Rule Book section 4.2.1.1.1](https://internationaldataspaces.org/download/19008/)). This organization introduces a new Participant by creating its digital identity and at the same time registers security-critical at the DAPS and business-relevant attributes at another technical component. This component is the Participant Information Service. The ParIS provides access to these attributes to the other IDS Participants and components and connects the unique Participant identifier – a URI – with additional metadata. Usually, each IDS ecosystem operates only a small number of ParIS instances, usually only one. 
IDS Participants therefore know the location where to ask for more information about a potential business partner and can decide whether to start a data exchange. - -Different to other IDS components, the trustworthiness of ParIS' provisioned information is not grounded on technical measures, like for instance signatures or certificates, but on the administrative process controlled by the Support Organization. A direct consequence of this process is the necessity that each change request is manually verified before added to the ParIS database. diff --git a/documentation/media/DigitalIdentities.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/media/DigitalIdentities.png similarity index 100% rename from documentation/media/DigitalIdentities.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/media/DigitalIdentities.png diff --git a/documentation/media/image18.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/media/image18.png similarity index 100% rename from documentation/media/image18.png rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/media/image18.png 
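Review bot: This deletion is half of a move: the removed paragraphs reappear verbatim in the earlier hunk of this PR, so git will not record a rename and any link to 3_1_x_ParIS.md elsewhere in the documentation (a table of contents, a "see also") will break; please grep for the old path before merging, and fix the carried-over typos ("customers tax identification", "registers security-critical at the DAPS") in the new location rather than leaving them in both histories. The two media renames that follow (DigitalIdentities.png, image18.png) move images into 3_1_Business_Layer/media, so the markdown embedding them must reference `./media/...` as 3_1_4_Usage_Contracts.md already does; please confirm the file that now carries the ParIS text was updated accordingly.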
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/media/image20_new.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/media/image20_new.png new file mode 100644 index 0000000000000000000000000000000000000000..40a1979ca6545e671806aaaa91089f9f9e212bab GIT binary patch literal 10580
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_Layers-of-the-RAM b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_Layers-of-the-RAM new file mode 100644 index 00000000..dac9bbd8 --- /dev/null +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_Layers-of-the-RAM @@ -0,0 +1,5 @@ +#Layers of the Reference Architecture Model + +The five layers of the Reference Architecture Model are presented in detail in the following subsections. + +![](./media/image11.png)
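Review bot: `+#Layers of the Reference Architecture Model` is missing the space after `#`, so Markdown renders it as literal text rather than a heading, and the file itself has no `.md` extension, unlike every other documentation file in this diff, so it will not be rendered as a page at all; rename it to `3_Layers-of-the-RAM.md` and write the heading in the style the sibling files use, `# Layers of the Reference Architecture Model #`. The figure `![](./media/image11.png)` also has empty alt text, whereas 3_1_4_Usage_Contracts.md captions its image; add a caption for accessibility and for readers of the plain-text source.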
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/media/image11.png b/documentation/3_Layers_of_the_Reference_Architecture_Model/media/image11.png new file mode 100644 index 0000000000000000000000000000000000000000..fcf8c378fe2dc2342bdd0a91faf05023eda0180b GIT binary patch literal 50908
zl;?w}os0p^Zl)8w{OSG^kO|!bDz^J~YuZ|~H4bbv>C*3gPJ^EBj5u6edc@-=7K ziF_u{OZud*#AmzId1OuY{eXbflPItgU&v&=n=WWug-39@C|O;pb+quJUdY2(>}IT2On&`=oQ9IxDLM|11SLGaqQu*5yrlSal)`K8*ru@pUQ zD?hm!9GAHAxB;bAma;cwE|vWyPC2~fN1`X^Km;<0Q#vYc@UOXgIuvyyJiwiQlRyRN`iDu@!PAF4_PzLc>jbBfc$ zP^6XSE7Rou>}E+oL9Jv1NmbAA8#q|n;=p1pfAoAVH=tC@Qe>D1wvb!-qv83b?P)EY zsqN8)9QQj?=)>?r0^7~o;~JeS3LUDQ$5( z%V#$A`p9NU?$|lvwm0L?%?of;3R%)d&swd4WI?!56QAr>nlz?0FMCGvrI?&Da;J2E z&o8xifokAmE-Lduvb3c#w=(bKgAmUL^%7-N;pq3h6{67M-iuY=ANnSRkf?_}R*t#Z z%GkgVLvyvNeq?~J_@|$gq3aT#YGjDaxs4rHW1mkwyS76ZC)R75d6=;v5~DJu0a*Yr zjU?1q7ex4J9QcZZ?4Q-pH8Are%VFM%_^@37cP6JBznFVKz-t#h+xvPd7p_Y;mh)Un z-fQlT3TBC@WOCpTY1)=)hnkD$q1Olaa@!lXI2El)pIMxk{OL-P+q?H943`h`+d}iz zr7a6;j?H_gyOM{@1)Xmom#=;>U2!!w4U8{$`fmLOK<&H5cZ%G58tIGjRgze8jEUKKKP&5etXH){mYf=Vy#k$eWw`NwDLnzMHHlI za%oUbkdC}uwOUV^?d(Iz$AAlPKCMplw^F=$JIsw|AX*$^P1B;IARl(fl-d#hM8Vm3 z>^)0UV5KW%=UOm{BR1l;CqlS88VIi;t3DUXObY~(KHz%W8K^q8nfRHnwDBul@TtS8 z!{X--9CY~i3SE$iP|L0B^-4FD4d*gy-qqw41c`}$J+<_(eAwS;TQiwS&6I3(Z0=K) z(eT4`;N1d5DVKe}lGhVm4~ELX-1L%O@pt41I4Khs#d)eLIwVOa7UOX43sEf(@Xdzf zFFqU55zl?Isi{6$cgvy*=s*Dgj4)V>^xa5noTPjRj+2)Hp9-mx1h zkeZ&m4=^9#1F<0DV*ulP1vKOTTOYqzJ@~(IwgN4LBeX{I!tHZ0KRqqZZA6GKx}IUa zY^2xh>ofIrBC=NjaFZzG#!|hTl_vVrqX{h;to{{GtE|dNT8WXEG%cRk4 zmc;aUpRbMFja?w;r7YZfIUn5>UpD4q=HsRdb@_I*AXl`!^$MUo-`VA4d)D0`DS?=mF9p)i@qV!8J8TsLa6!#%0QP z%fGd=7fcJrXPIU>B+YfU(q}^n*87>uK1n*forU$cuK1GwhZg`uF`KYxhc*y(IZN2X zt>^JQn$(Priv#_Pi{#o+P8swO3wpHkaxEk#IQ`T7tPoyLlTrp78(KC);9GeKqNX|GgY53!(hj4-$D>b9pFyTK&cn;^uC2Wj?7IxkD* zy5;3IaaZf$FJ5H-2j2b(Y4UFgQTJ_lj$AIWH=6TlS1spzq!D~am#4GZ8nI0uC#Y}E zxDgMQHk*5FClV&a6(JD|K`HRxzHNF^jUOAwb8F>2RP9FNnGrjLi6y-7WVt7y0BDXF zqz-mD-T<{7hb`_3Ach!t2{Sx$O_aV)?@0v1!?Y0>z$W z3sR0z?jgekPIcda9_8>@x|i{V(5y*;PNC+x8w9+FyAAJuc%%0q8;#g2>w=AYi70`} z#KE#_y4G7Hwidq7Anw`bw?b)mbPZT&O+JX_-m7@}g?=O((~A|lau5$)Q0o}K81R*B ziJ|L>`N9wN-m_;)mj1(oenMJMhEF-PdOLK00%1hY`69twQ-uiqa|8F+cP0JCL@XsH z7BPYX(~Dzwbusrh?F>{uE;FNXB63-(il5D zn_CggB~>auqZsYhnpEbuS!D;;A1s0+RVz@##^= 
z1C=hic=NuQ;e1z3S7-l}URYb<|5_?rEB~J(cA3?52|%G*(B}KM#;h0f?cx7WUh=d9 zKvgTT1K|dc8qm}dytc6A`byOlZbrHdv?#R1w$qO*Kl8 z22FdGfTP0~W(1vLOJ*A^@(M1Uc|}lU@ZC<+)=i&ygVxQq)uzoh(ItMkizrc1eyP}ha@cOU)U^4s z;{CnKcN5mkOPjmU{WF~nP~6PvudB`?IVWcZ-|w?ntIn%-13l31`TG0&mtWEwb9Op2 z;GleQw8h8OvMSPfy%jp`@kypontISQ>MJ&!=2pc-Glx(7w5w=P+UvBrzNx8UEH-9y z*%oN!U!{Mr0rXf-Q9!)Jb13?kzN{w?mpi>X!&SMqHcN+1e7!1_mtnh|-iks4-;6;J z%sAN!Dfyo*&96lR>$K|o-aYhgaaOW4`oPweGmPm;m>)Fj0V-PMxgCXMVzwFNU5eST zUfpnwZTYvhH{%JyqSJoBfm|g@(NgkfMEEOeGtpan-}oH){kF~Q9OX`x7nQV!&+*x$ zRlYaN9^ng?!yk(EGAi~jt2yjuOpl__4GIWm_uV$W^sL#m6$EqQYLy*7uWS1ztxMK$ znM*V-P9hN$Q`-No>*WfTzhsX-Nv-pzwJQ54OolujBgLR%By(n#_<3H&)GX>vBy{xoo7 zS9^Q-k28`$y;l5#IO6%BIDyps%)x9eX%XXEYEhm7r;J+Oh9+{3?y7f+OU! zgu0%DuhvWkopYarhrSsM%Y0hinPi*2Io9_js#CRE+9&)%lA$n=@8KkpL((Z)(tgcF z)KDZReC53Y-0Z{(2I@4N2^t;5@%zO0o7Rh3(Ulir*g831uDsp3j-IVqm8Urzb)e*p z+SRfwa%rgUtIVYae8i4*Y_Mfz^l76`)v=q|9eh454}5llV&A8QuVm49GYm{RMcjV> z@gUSOHQEY%?v(V4Q);%hBbr@jMj~miw1vJPO{z%E`^fePVqkO5n`K}!o;ehQ)eG+Z zE=km&D)y?~G~a3xH&2BM$smH!X)W4kU93a?4NS%DC9<%ElAe^+3y!|4E9sd@e0bpe zrwB)7lKUxqy+x;;i0z*7jX-%JeY`1*2wor3N_hVRSfRnvoADT+N_lZ=h%)(JOQSiR z`bH68KM*I9(>t&=f0yJ$aE%6NmwZRILG%RID|HSxBf{h}9m8K$|87cBxflJL4Or86 z2G1QKXn-kN)`0^i=2W%V*Uld0O1*P7_;HgXz-HRilTCBM(l0fL$!#=+>hr%xl{b67R$iU4M~!e zr0|Y&?I8q5R%5RtTOsfJ!kWI_r1B@ z+Jy~)dd&l)&*qhP0RRV>Lkq&WKPU3!XQf;2v+7?bl-yDy`q%sqWW^^h&oR?YD2$ zexhS32;7=So^YW<@ZQcw>FWKpGuoDJ086Y5eWAX|4bSfm9Dg?2$9w2FEFo4ur`);@ zm=K$d-kwebVQ2gnKFQreOOhcpuzFFSS5CJ+tfbCW9S_07sn@c81k|Ny^@`r!`8;ao zed^>*LdjW=?ri?vZ+jN}w#HZwbsSKgd#>y9U}NJtdHfrUFxCc5J`DaZn33t7=6D~zPUB;IKo5lI z7f0-$0#hGq%x5o-ziyu>nd%p-3U3UP%Y{~MlEVAvLx9`?jS+>m7l%TPv9JyWomn97 z8jeEBm?&bZo{bvXP6*Nt3CBx+0KjVg*TfgDJRsj3z<=4{5uq|XnzF`Xu0V;N@GN#c zGR2d6kSw`4#sSg?iRCngzomi|t!g(dFThzC*@S}l9tr!DipI2TVJ1`PXPWpAZAom- z`mTYj9VedVg91aoT#Y^57{@4-RPW7YKA3}I)2~>;2+2c?v&Q`N*B-6hH4}FJRA{uM z)m9!u8bDi-I@QHW-M367bEYzcrI*@eNxJ;VY|jQr@Dd%<5~sC}*jtrtvp*7TG-eTe|9N|i9 zL}thpS=4G)OsCzF3ZXkDQR7Kz(C^(sNaG7xtEY0U^D?+Vlp))V?=)haBvUJ9;>9O9 
zJq9x`u$(+MYwRR-|C!r-e!41aN6~D-Q$i}>A#F~K&UYh_D!Nj z#qT}xq~m`p!~I_q;vsaUlDE@zP_dmf7Rgvn`)1&i7HvMrupw1##I31ScKh1MgverhzLA{nz%M&u$-7T?$TQJ$ua3m^5&3L&IBihC~q2OJf%- zCe)WXvH+UfWDu1X2wqGTI#c@+G_~DKfG(Z2h0LZvAv-&t4rgVi3LFnUoH;{1;1mCF zyl!qjAZ4y`M`O3lqyQ9H;Cx0vrN8}s{axFaJAH4nycXZR4GT1$c)8y)wgYlI*Iu*D~%Ja%jin1tOo&c zKdLJQZE9RMP8EKv<&ngtiJ_uY1~ zT%fZ8aXwH{y+R+MABq$b!^sr2TbI)Gs~g9uRQ0{=n1VYwD*o8A?XC-xtT45OTw%sW z4uHv-JdD5uCtq&(*RrVnVhfBdPebzXiB0VCw!eC(Q&rDH7Z&DXc`7H8@xaHsDHZpe zNeh=rzSYsrzP?T*=C`#?%x^CZTFC&EN;1j$*mE=yxHkRU*#^9K!#!2k-j*p%$`cIV zUNX!U@f3I<#0MI|}Dh#~bQ#24-t{SfRgv6flAH!J(edsn)C#xu8HYdaX9_W;Gr3B_8?T}ih z$v=?Icz7DvK7Ie{U}d+kU`5msOLyNyvLrv+>}?z>cquEn(!WGz?6=n`UB1S4;+T;L zLef`>oFY&ujh~F@uwG``OI~l>zwm`zt1@r|FpgS)EXGm zjbp~0!9-CflMUEOge=4&1l2_wYXBshoV-?9awowOfUDYKYn+!;SvhpzdRKCC7VwS@z904JU0NA4;&jj@jJ3bkoovs8$l>^T`xkaE)!>LNXQy^^*mv}?Jp zT|8i~-giYvr+%PvN#p6hofBKOU;nKkvd&FI%T{oqYMG`8fQO%4$0f%vZ)J8w%x=od z$yTy20wfVbTUf3deI>UGGKG$8g3hOOK_n?1utHD2x8%Izp$pN2- zUH8-Q2C`Dpl_;k!E4G)WNt&|*rxyAqNZYx+lEcdMDoc#D*fGrf*SplWUm^qBCd+4I zy(;hJXokO;%-Xf_PwbsIS4xwE9@MViK-)X|f90s(tu5Z6?c}VB*&$?Ye~m+F5}u!) 
z8wrddpj2Rc3jU8RjyOEI6up$!VKVE8q=9xV|C_CiPn%~U+?Pj^0T zAp)9jx$u@?;R;3_pTssYvYgpk;?}xLIM3{xX`ewWV4&Liwu^%T9B?X@Qs3<~5HK(u zO_~BAZz>YPg{1GhMBES?`}rl6_WgcdE6ljYSh*=;Eu=jZwuti4@%ImS-%@Wy77~!T zc!Li6N!hu6(@S8tvu$M$JiQkHnx973}#jpz|YGB+vX%*Fbf z`c0ylMaO?D58k#4)Tfq&E0-U^ybcu#{G)0`$j!1BFAXL^ccy&f_GwPIe2r`=JmgvB za}_k%@5nWxiB2z}+C=Nj$?&NJfR|rDhKR^&`g%8b`}wcHIE+V`AvR}fCdqK#6=cKp zL2?;X!Sgsm?Gq=84#8dnHWXHek3>g~Sj$!JLt_ei+?c|&Gb;ae(UDJ6pbp10wYac< z*t=`sdD@N9R^2xD&>tUB`G@%Ohj3mazmRzMQ$+h*fR!_ws~p2YK+J%M5HtPCN69+c zu~H(=gH1(ke~>Bo&%qPGn)ojCQvd+Czy1$Du;eQV#QknA7$TUH7$j-0p%n9W)f(Pq~X5L zrK#5VCG}V(NszKX+;;iULhwMONVF5432tYpTU!!3k%alS3ONXv;4rbyL*SvV zau|BNV3KDdK_Oo3=uV^%GdU)2MwDdJP|=g}mh&9J5k%?O*BIDy-|ZM@gGrUw(S7va3xP+@Ab1r=3W z%_aCaR4*++ly`1hMe0h2M%fOo2HYFT7yk4VOX>ZobwsRbb+*eK-)?M6;Zg45t3CdZ zpsw8!KsFf7D6HuhE^dsvG=HtHW~fO>0&lIWVUEwZi#Q>}VntLmHLC@uWb@MUH{VdD z-X2Ni7^uHk`{XnZk##Nf5z4gY{kKqh4M+WR2;QrR^(h4~YFQ=A{YC-<>*XA2%{Qb( z9PpC%Bu>T8E`TZutYUC|@MNX`*?|x_Ba+9GdPFgNeIR-(Qo={W9x|Z1ipfeYE^mEU zKp}~tM=NOlWF+I@!#YHAM{I&nt8U;=CtZz#!%S6=z45Gjvu^z5tY3~QMY+Gu_1%;U zuXv53aAu86FeP#xd9wM8V-EAtI^-@Zs3X_&TO2)bq)fGw^agxKo}`K0A~(zWMHn0T zg>pk4BkXZ9*;B(d6&K7OR1o3x_18=j7tnf{H9taXV$R=-4a zBE`7O7atvEMu4Lz@oe8n;8Fp3Y7@sTM_o%8nMhTVqfVXl$z=o4S3e-Ibi+E`oBLkf zGu6qsfR7z>K&~b&mHu6QeAO_oORYQbXUpdwZdRtzH8q*`$iw10nSgzMf6k; zcKgbyp!%RS(w~)^)-EcCwu|?Nh`R&=|C}5`I^a#63DP-2DzX*#jvbXUx_6FHam=JY zxwxu_>J(K_()58CIeN0HsCBl)j}rE&qyMb-8LQ_2pXR#AVO}4c6>3*GlgEcx04F3u zZZlu4N+MQutootrWszjC{n705S7AM=uNA1}ImeQBFVY(7X8d?^y_0aSt894(?deBZ zlF&Cli0K64tWqbYe~NZ{yhUa7(TRW@1F2kOHopuaq4)m!E1nx1-9fM-Q+!d7phZU z((s&MlXDd}$_79S`V#7+$>>;Lp-leTi!qD1*D-!+K=L}(Qt=|bElp8=408sv=B z4sJh3!;o2H$(p7M<;(SU=8fuNPeqZUAhY>hp@2sbMD*#=j!$G#=z6PxHiBQ0_AuBl zW)*-=X8V(J_omy`WJ6iBy@?3U*UH0d3Eun_`oW)@ilf(w#a!F#V}3mB|Mo38+^$Yj z{Qwm@oy%)XQYIP4nWW7pwZr2|?qB`QP+IJWWg}C1DIDgLEBN1Cd-MxW`O`W)I{gdE zbJyoIeRZ%0L4f2Bk_Su5ccGCnW#^hccthTO?<6un!1|^Ek95*odv&XGSqe1625?I< zWPmDN)JhTKEBx>^Uj9|8Re)CT)7jLw7}}WM`FsBOzKOCq|0>2&_Y)<*2VXbnJS1_I 
z4%n!h$Z$w|Gnt-^vT0Lz7k|IddX{hcZK6a^VK|bauhvT9yz$gS4S~Q7QZKcwGZO`B zDQDi4zuS?0NG;6!jQ@HcPvyG_y`fi55~J%E46GTBCnI+Fq4vx}=Y5;k?Zk#kswpa( zJ=z3}+u56ulhPgA6tmYxVCL0O9VdTVhQuO6kWX7mXxG{IDp;%HcC*6wl(-?pFtxMBVdj>%Z8`%mdUR;52RRpV+ zBb)8e?DqYmR zFCJ(*z~+jQPf2?`!hY>qrZf-1q%3Hrl8p*hMK7i(+>N;d5n+xo8}(viku;i3%s$szH`0!XANAMrl&;OLP`q5 zVBHY60EeUgH~e6}G9cqbCR-9)>B=@Ji7LQs&N~b}Xy(SbfAM}!dxu>Fe4sj5{{BK1 z5um%}>@;u>yf#WZhk1F!3gAhgwn;OQ$Ll))t&SJn+(e{94d=se1IK`sy#x*~yJ7s5 zb5z6=^w+%EwAX5Eh8>-q#+`<7QqN5Xiav^`V;%qrt`4ed;t!=sz9~b~ZwO{*ctV*( zPA#6nK(_5>e9Ud34;EbaUe+`IjCyv_dCnrBPzY#k@=iC~v`EnQ^TeGS0S|O5XiZN= zkg7ULkBYHJyj-q}(R`&blX~XOT1WvpGByGzOsqXVW65f@k~hhA$V1beQQ}SNt-|y8 zDkYT-zrtoqD1}{q47ktaF(yQrNvE44m4U0Q`=pxTr@y4Pbv_u}ac4$Y7_rMq#m}H#3rXKIaCM&`MD-Roa~=I{r9Jl$%>$x!*z>`5+QNBpLrkC1 zRPrBV;LVV!$|;OWA?SIQYKi*PPJS9+6Q&f8y*uMr44(j#Tc+{t-$>Lnxf6c!%Mu69 zIMFHfLs)YlLW)RDliTXc=iqnCSxr(Gpyf)|D7SM>ayP;-?rtUJ0%1ZvWGyb^v(bl% zv2@)=s=(nGn!jckNK&r_-h3yMCEy}E2gnU>Tc(kQc z>l91#RJjtGC)~Wf=CO~sj|=)(HH`XbhZ)>s)#D&-C5Dx)?2Tts1xa26Yz$bYCOjsq zhgDzF*>!w!n67OLiTK>)F2+tPNV|;u6Ip!8jFT8|rNO5{VYN|NQ^7QT#449p?JB9! 
z0B?F9XDJms)iY4wKq#BaloYZO%)P~Fd#Uy-YrW1MI2LZLP_Yd2e3sIqL?0p|eot@h z&D6!&&DevpN9YyGT6>!s`FJdi8MhxGYkod< z3IayRmk;+Uh@G{*Q>Ihp123F9JsOR^R_0rI4}G{zzlBBu#-jmBX};+(AQ}uD?(ML11;y!rb%A9BnF^rtq8`DF@Fv4sh~%FL!kRN_EiO-d?63*7vf+{kpaSX&y@L<~V_K{JmSF?(feuHoWHleV3t z_L>eG(Sr~OUMo_XH&>NQJh;Mr4pi-}Bg%NM%Fp^+SgV5=Y@t2AVC?Cb9@L&=$1Zxj zC)n4lc~$OFB3wp}u^co;3<6E*S0OW=o~pe~W?;X90ao!!_;Fj zR4-9F@3elD39QlgTzikO{l4+KxbB7}y~k6ryk}wUQa_kVteYFH_ntmx|3~rYl|W}m zz~Jc|NFO>g@NJn0ev<&2Q~N@%;^gLGcD+$@6SCof^U6cG*uAVjSFGZ*p8MUJNV9So zr3J)Pa5xXDh;z0X2K@mkMi4HRSwV;_0qv|T7Z1*1g9RWm0c>#9Mnqv*7@(Y2tqsn2 zCk;js*~}R*lAjoJCUJhRRkhnO8&%vwSLXazG0Zy>5i`&TZ(_g0n{kg3((My1;nLP< zG-o$TeN>p@uN^jRv%?4j$=k6QyagT#M!yQ1H5V1yf)5RLKutRgJG==f#rJ}*MGdYX zk4*Nz|3h0}C@X4=s^rbbwCM}=`8z^nCN=Jdr5FPsBu#&QD)}{GS%G@X?-rS2W=KJr zPMX&rr1rb|7LkqU&`Qi!c9)q{WpC)OEapk4+9FMeG&cm+C3)}E{#&_jpx@PGT{224x#PUZVm zax%F(Rnh3RkZ6dA&u&%7qOg+n5c%#`fQAnRtlvgmWR_3JQSE+?uUnZsp33ZirftwS zJAvJZkVIzbQFJ5@7NuHH63XJ)+CkF4w#bCS!3`cA5>}!aVAAw8dG*`JsM6LWl#Yj{ znC1YwP-e37Kt@DR0&4?*nojj0hV&TwzBvmn=(};vR_NWfJYtH|`I&&V^{Fi5lToAXwgY`RlPQ_ox0oZDb$W^M>`NX8^5bTM0J+V!PVg3CbEw(_S8 zE?WWhSqq_;9?<8$xZvh?9~J<-OMQqwjV=t4E?dR`-W(V70z_4%{D z9vDmTmL#ISF~V(HR_JFn`p&V|jt{D!=eycFP#;Nbj=&vqG+4OhS%p}KV)|;o6Y*1TfH{Eg!0vU!LD_=@>AuPLYA}zrB4H|Vero>X9Dkfp-N6hIL2(CWiLZH;L#hP1hRJ} zq*s)O!=qF>Ew=?y%y)gZ!LaljaSkom^D8*p_fNaKyUSgr{njp!{-}x%+a(b=*|3&y z{zh`~+DR2m51jN&q(pMllg1G0`hj2sp%&Qwwv=Y6sCmBrfV%IVAMf!kLJiwjETl1m zBf;kHpo!*#A?YuB1ig|IIIdk9yyj_I0WExPbM94g*AEm9$Rups`HDHuXA!{+VXn>%mA1 z2{ia^ya2@6yd}jeK@bgD0&9Q{yGM<&^y85$rKp^7PqPNtRK+h}b7eAX5qy%WKt-Sn zL+7k}*<1Nr_6+k0FnFHjwjR9j5@gkA4?m&{vV5h5RHO*MTd95cRpkQEQq!VZR?ax) zRf!DEH2Sz+?1x@-J~TqfxoMkq+zsawyZfqTy<}t$5_D#k8BSmP1)Eh!1^wd7Wyh1< z9@gi0ft0cFNaX}Ol#wSis%|_ZZfcAABz=j)nEC{3%*IbAU71mJ_8iehcX#-$LD|yg z7WdFA=W+5g!~pJT3<%Jbb7t8Sty8D-J)Rvd{|EYk1}JCYOY1@choID?dbdzToHMFj zk~t(euOLkPI0%!Vc}J4M!CT>vHuSq41mp_D%m*^k{{sy=Px1GfEV~I-gIev&KP^M7eMf`x_6B;e}{lfY2S?q+;t;gIYzi@7GC`>X--xhuto0!%yopL&)) zRfVyVkTR8Pxlrbky^ 
zxSL<|(gYYIhG|i!E3@)!u8k>BD(26ZnK>5Uvrs~FXB3oBhM@|3GtN49e^a+GYp%Z! z29Jt9zb`4FJT!?;>2Q3@Xyq$b@k7|>HD*m$rkkPX*-(6+qkBJ+alccaS1f_A_O5Su zoZepn01)qoY1jcLtNb8m%ECS9L4!<&bk~IOXH=~7XqidFC42>-J`H3KCS4n-(QT{H z*ht-}=U)u5m+a8Yn1mK{=LphU44}wU<7`@7pQ#h3@=sfAIp~;$G9qcRFPEx2-?O%< zPuSMI?yy*Rin*$FNCuwl&6J!V>3KXn?%4nMI-44rlHbkhRziq>d{Q!yrZRPoEAv~D zmFSybqye)yFNB$Esu|Ygb?TkQ5>t~}Cp7|UKW6(4sRJhaa z-sSBrujs(}Cm;Qdr4DW0Qtd_!EZC%s2{J9z9OAP^CT#lRt)So{v1aBO`}<5d;8Dnx z`2;AC*1Z8}^al}jTy^A!(0d{>*9wA!OonCeciy(BDj&g!Q>PTj#CtIq+O4WB~M=#>A$*ozQ zl9C@~$!LC;G<3cR2bWdIktxQo{YU#8>|$5g@@m-94EXAI_l)iCvkmR6m*JbJdKJUc zKYrMu9|mEUOdSNDwwCd`>G*Cx5RbJ!bd8SDE=4Nb_-2M1rZh2In- zH@fsG>rot-Zw`7a0GJqW`d2gJl~It=kPAFMRkvITIj8YrZfD>|!Jze)76GoUTmt4}STNM$DmLOaWhTvuD@(M}lxV-SGeA zp`ruCyIR6$xvU)jsx Date: Fri, 14 Oct 2022 15:02:09 +0200 Subject: [PATCH 16/22] editorial update --- ...Roles,md => 3_1_2_Interaction_of_Roles.md} | 0 .../3_1_Business_Layer/README.md | 75 +++++++++++++++++++ 2 files changed, 75 insertions(+) rename documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/{3_1_2_Interaction_of_Roles,md => 3_1_2_Interaction_of_Roles.md} (100%) diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles,md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles.md similarity index 100% rename from documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles,md rename to documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles.md diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/README.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/README.md index e69de29b..1558e3be 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/README.md 
+++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/README.md 
@@ -0,0 +1,75 @@ +# Business Layer # + +## Table of Content ## + +[3.1 Business Layer](./3-1-Business-layer.md#business-layer) + +[3.1.1 Roles in the IDS](./3_1_1_Roles_in_the_IDS.md#roles-in-the-international-data-spaces) + +[3.1.1.1 Basic Roles in the International Data Space](./3_1_1_Roles_in_the_IDS.md#basic-roles-in-the-international-data-space) + +[3.1.1.2 Business Roles in the International Data Space](./3_1_1_Roles_in_the_IDS.md#business-roles-in-the-international-data-space) + +[3.1.1.3 Category 1: Core Participant](./3_1_1_Roles_in_the_IDS.md#category-1-core-participant) + +[3.1.1.3.1 Data Supplier](./3_1_1_Roles_in_the_IDS.md#data-supplier) + +[3.1.1.3.2 Data Customer](./3_1_1_Roles_in_the_IDS.md#data-customer) + +[3.1.1.4 Category 2: Intermediary](./3_1_1_Roles_in_the_IDS.md#category-2-intermediary) + +[3.1.1.4.1 Data Intermediary](./3_1_1_Roles_in_the_IDS.md#data-intermediary) + +[3.1.1.4.2 Service Intermediary](./3_1_1_Roles_in_the_IDS.md#service-intermediary) + +[3.1.1.4.3 App Store](./3_1_1_Roles_in_the_IDS.md#app-store) + +[3.1.1.4.4 Vocabulary Intermediary](./3_1_1_Roles_in_the_IDS.md#vocabulary-intermediary) + +[3.1.1.4.5 Clearing House](./3_1_1_Roles_in_the_IDS.md#clearing-house) + +[3.1.1.4.6 Identity Authority](./3_1_1_Roles_in_the_IDS.md#identity-authority) + +[3.1.1.5 Category 3: Software Developer](./3_1_1_Roles_in_the_IDS.md#category-3-software-developer) + +[3.1.1.5.1 App Developer](./3_1_1_Roles_in_the_IDS.md#app-developer) + +[3.1.1.5.2 Connector Developer](./3_1_1_Roles_in_the_IDS.md#connector-developer) + +[3.1.1.6 Category 4: Governance Body](./3_1_1_Roles_in_the_IDS.md#category-4-governance-body) + +[3.1.1.6.1 Certification Body and Evaluation Facilities](./3_1_1_Roles_in_the_IDS.md#certification-body-and-evaluation-facilities) + +[3.1.1.6.2 Standardization Organization](./3_1_1_Roles_in_the_IDS.md#standardization-organization) + +[3.1.1.6.3 International Data Spaces Association 
(IDSA)](./3_1_1_Roles_in_the_IDS.md#international-data-spaces-association-idsa) + +[3.1.2 Interaction of Roles](./3_1_2_Interaction_of_Roles.md#interaction-of-roles) + +[3.1.2.1 Basic interactions for data exchange and data sharing in the International Data Spaces](./3_1_2_Interaction_of_Roles.md#basic-interactions-for-data-exchange-and-data-sharing-in-the-international-data-spaces) + +[3.1.3 Digital Identities](./3_1_3_Digital_Identities.md#digital-identities) + +[3.1.3.1 Participant](./3_1_3_Digital_Identities.md#participant) + +[3.1.3.2 Certification](./3_1_3_Digital_Identities.md#certification) + +[3.1.3.3 Certification Authority](./3_1_3_Digital_Identities.md#certificate-authority) + +[3.1.3.4 Dynamic Attribute Provisioning Service](./3_1_3_Digital_Identities.md#dynamic-attribute-provisioning-service-daps) + +[3.1.3.5 Participant Information Service](./3_1_3_Digital_Identities.md#participant-information-service-paris) + +[3.1.3.6 Dynamic Trust Monitoring](./3_1_3_Digital_Identities.md#dynamic-trust-monitoring-dtm) + +[3.1.4 Interactions](./3_1_3_Digital_Identities.md#interactions) + +[3.1.4 Usage Contracts](./3_1_4_Usage_Contracts.md#usage-contracts) + +## Files ## + +- [3-1-Business-layer.md](./3-1-Business-layer.md) +- [3_1_1_Roles_in_the_IDS.md](./3_1_1_Roles_in_the_IDS.md) +- [3_1_2_Interaction_of_Roles.md](./3_1_2_Interaction_of_Roles.md) +- [3_1_3_Digital_Identities.md](./3_1_3_Digital_Identities.md) +- [3_1_4_Usage_Contracts.md](./3_1_4_Usage_Contracts.md) \ No newline at end of file From 1c82c011c9718a3db36469c3b7c4f9aec29f0e8c Mon Sep 17 00:00:00 2001 
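Review bot: Two entries in the new README.md table of contents carry the number 3.1.4 ("3.1.4 Interactions", which points into 3_1_3_Digital_Identities.md, and "3.1.4 Usage Contracts"); the Interactions entry belongs under 3.1.3 (for example 3.1.3.7) so the numbering stays unique. Three more points in the same hunk: the entry "3.1.3.3 Certification Authority" links to the anchor #certificate-authority, so either the title or the anchor is off; the first entry links to ./3-1-Business-layer.md while every other file in this directory uses underscores, so confirm that file name exists; and "Table of Content" should read "Table of Contents". The file is also added without a trailing newline.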
From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Fri, 14 Oct 2022 15:17:28 +0200 Subject: [PATCH 17/22] editorial update --- .../1_1_Goals_of_the_International_Data_Spaces.md | 4 ++-- .../1_2_Purpose_and_Structure_of_the_document.md | 3 +-- .../2_10_General_Data_Protection_Regulation.md | 4 ++-- ...ution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md | 6 ++---- .../2_1_Data-Driven-Business_Ecosystems.md | 3 +-- .../2_2_Data_Sovereignty_as_a_key_capability.md | 2 +- .../2_4_Data_Exchange_and_Data_Sharing.md | 5 ++--- .../2_8_Blockchain.md | 3 +-- 8 files changed, 12 insertions(+), 18 deletions(-) diff --git a/documentation/1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md b/documentation/1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md index 067a84be..bb08526e 100644 --- a/documentation/1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md +++ b/documentation/1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md @@ -52,8 +52,8 @@ development of products and solutions for the market (see Figure below): ![ Three types of activities of the International Data Spaces](../media/image10.png) -*Figure: Three types of activities of the International Data -Spaces* + +### Figure 1.1 : Three types of activities of the International Data Spaces The International Data Spaces aims at meeting the following strategic requirements: diff --git a/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md b/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md index 70d5b8de..2ff0bbf1 100644 --- a/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md +++ b/documentation/1_Introduction/1_2_Purpose_and_Structure_of_the_document.md 
@@ -47,5 +47,4 @@ In addition, the Reference Architecture Model comprises three ![ General structure of Reference Architecture Model](../media/image11.png) -*Figure: General structure of the IDS Reference Architecture -Model* +#### Figure 1.2: General structure of the IDS Reference Architecture Model diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_10_General_Data_Protection_Regulation.md b/documentation/2_Context_of_the_International_Data_Spaces/2_10_General_Data_Protection_Regulation.md index 2fc57790..ce18f745 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_10_General_Data_Protection_Regulation.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_10_General_Data_Protection_Regulation.md @@ -24,5 +24,5 @@ technical measures and offer advice regarding the implementation of organizational measures. As a result, the IDS participant is enabled to implement appropriate measures for GDPR-compliant processing and transfer of personal data within the scope of the IDS technology and -related features (see also: [GDPR-related Requirements and -Recommendations for the IDS Reference Architecture Model](https://internationaldataspaces.org/download/16445/) ). +related features (see also: +[GDPR-related Requirements and Recommendations for the IDS Reference Architecture Model](https://internationaldataspaces.org/download/16445/). diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md b/documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md index b2ceff12..a63fe2bb 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_11_Contribution_of_the_IDS_to_Industry_4_0_and_the_Data_Economy.md 
@@ -17,8 +17,7 @@ same time making sure data sovereignty is guaranteed for data owners. ![ Typical enterprise architecture stack](../media/image16.png) -*Figure: Typical enterprise architecture -stack* +### Figure 2.11.1: Typical enterprise architecture stack In broadening the perspective from an individual use case scenario to a platform landscape view, the International Data Spaces positions itself @@ -33,8 +32,7 @@ be connected to the International Data Spaces. ![ International Data Spaces connecting different cloud platforms](../media/image17.png) -*Figure: International Data Spaces connecting different cloud -platforms* +### Figure 2.11.2: International Data Spaces connecting different cloud platforms With this integrating ambition, the International Data Spaces initiative positions itself in the context of cognate initiatives on both national diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_1_Data-Driven-Business_Ecosystems.md b/documentation/2_Context_of_the_International_Data_Spaces/2_1_Data-Driven-Business_Ecosystems.md index 2304a46c..b10b384f 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_1_Data-Driven-Business_Ecosystems.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_1_Data-Driven-Business_Ecosystems.md @@ -27,5 +27,4 @@ resource (as shown by a number of examples in the Figure below). ![Data Sharing in Ecosystems](../media/image12.png) -*Figure: Data Sharing in -Ecosystems* +### Figure 2.1: Data Sharing in Ecosystems diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_2_Data_Sovereignty_as_a_key_capability.md b/documentation/2_Context_of_the_International_Data_Spaces/2_2_Data_Sovereignty_as_a_key_capability.md index f9855256..c7264e7d 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_2_Data_Sovereignty_as_a_key_capability.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_2_Data_Sovereignty_as_a_key_capability.md 
@@ -26,7 +26,7 @@ itself, as not all data requires the same level of protection, and as the value contribution of data varies, depending on what class or category it can be subsumed under. -**Definition of Data Sovereignty:** +## Definition of Data Sovereignty ## ``Data Sovereignty is the ability of a natural or legal person to exclusively and sovereignly decide concerning the usage of data as an economic asset.`` diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_4_Data_Exchange_and_Data_Sharing.md b/documentation/2_Context_of_the_International_Data_Spaces/2_4_Data_Exchange_and_Data_Sharing.md index eed1b250..fc17716e 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_4_Data_Exchange_and_Data_Sharing.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_4_Data_Exchange_and_Data_Sharing.md @@ -9,8 +9,7 @@ standards. ![Evolution of technical standards for data exchange](../media/image13.png) -*Figure: Evolution of technical standards for data -exchange* +### Figure 2.4.1: Evolution of technical standards for data exchange The Figure above shows the evolution of technical standards for data exchange since the 1980s, using the example @@ -42,4 +41,4 @@ also the Figure below: ![Data exchange vs. data sharing](../media/image14.png) -*Figure: Data Exchange and Data Sharing* +### Figure 2.4.2 : Data Exchange and Data Sharing diff --git a/documentation/2_Context_of_the_International_Data_Spaces/2_8_Blockchain.md b/documentation/2_Context_of_the_International_Data_Spaces/2_8_Blockchain.md index 74e02a90..0b00d40b 100644 --- a/documentation/2_Context_of_the_International_Data_Spaces/2_8_Blockchain.md +++ b/documentation/2_Context_of_the_International_Data_Spaces/2_8_Blockchain.md 
@@ -59,5 +59,4 @@ extraction (see Figure below). ![ General architectural patterns for data exchange and data sharing](../media/image15.png) -*Figure: General architectural patterns for data exchange and data -sharing* +### Figure 2.8 : General architectural patterns for data exchange and data sharing From 5681f42e3a14806a1c14ea2298f1fc1b1928631e Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Mon, 17 Oct 2022 09:38:17 +0200 Subject: [PATCH 18/22] editorial updates fixing links --- .../3_1_1_Roles_in_the_IDS.md | 16 ++++----- .../3_1_2_Interaction_of_Roles.md | 3 +- .../3_1_3_Digital_Identities.md | 7 ++-- .../3_1_4_Usage_Contracts.md | 10 +++--- .../3_2_FunctionalLayer.md | 11 +++--- .../3_3_InformationLayer.md | 36 +++++++++---------- .../3_4_Process_Layer/3_4_1_Onboarding.md | 12 +++---- .../3_4_Process_Layer/3_4_2_Data_Offering.md | 9 ++--- .../3_4_3_Contract_Negotiation.md | 30 ++++++++-------- .../3_4_4_Exchanging_Data.md | 19 +++++----- .../3_4_5_Publishing_and_using_Data_Apps.md | 14 ++++---- .../3_4_6_Policy_Enforcement.md | 23 ++++++------ .../3_5_System_Layer/3_5_0_System_Layer.md | 19 +++++----- .../3_5_System_Layer/3_5_2_IDS_Connector.md | 28 +++++++-------- .../3_5_3_App_Store_and_Data_Apps.md | 20 +++++------ .../3_5_System_Layer/3_5_4_Metadata_Broker.md | 2 +- .../3_5_System_Layer/3_5_5_Clearing_House.md | 4 ++- 17 files changed, 134 insertions(+), 129 deletions(-) diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md index 29957c2e..becec0dd 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md 
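Review bot: In the 1_1_Goals_of_the_International_Data_Spaces.md hunk the caption "### Figure 1.1 : Three types of activities ..." has a space before the colon, unlike "#### Figure 1.2:" in the next file; pick one form ("Figure 1.1:") for every caption in this patch. Turning captions into headings also puts each figure into the document outline and any generated table of contents, so confirm that is intended before applying the pattern across the whole model.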
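Review bot: The caption in 1_2_Purpose_and_Structure_of_the_document.md is added at level four ("#### Figure 1.2: ...") while every other caption in this patch is level three ("### Figure ..."); use the same level throughout so figure captions render and nest uniformly.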
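Review bot: The rewritten sentence in 2_10_General_Data_Protection_Regulation.md loses the parenthesis that closes "(see also:": the old text ended with "...16445/) )." and the new line ends with "...16445/).", so only the link's own closing paren remains. Suggested last line: `[GDPR-related Requirements and Recommendations for the IDS Reference Architecture Model](https://internationaldataspaces.org/download/16445/)).`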
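Review bot: Promoting "**Definition of Data Sovereignty:**" to a level-two heading ("## Definition of Data Sovereignty ##") in 2_2_Data_Sovereignty_as_a_key_capability.md turns a labelled paragraph into a heading that may sit at the same level as the section's own heading; if a heading is wanted, use a level below the section heading, otherwise keep the bold label.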
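Review bot: The second hunk in 2_4_Data_Exchange_and_Data_Sharing.md writes "### Figure 2.4.2 : Data Exchange and Data Sharing" with a space before the colon while the first hunk in the same file writes "### Figure 2.4.1: ..."; align the two captions within the file.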
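Review bot: The caption in 2_8_Blockchain.md, "### Figure 2.8 : General architectural patterns ...", has the same stray space before the colon; change it to "Figure 2.8:" so all captions in the patch share one form.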
@@ -139,7 +139,7 @@ The **Data Creator** creates data, e.g. by generating data such as from a sensor or accessing data in backend IT systems. As the legal situation regarding data ownership is very complicated (as -discussed in the [Governance Perspective](#)), the term '**Data Owner'** is not used in a +discussed in the [Governance Perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_Governance_Perspective.md)), the term '**Data Owner'** is not used in a legal understanding in this document. The Reference Architecture Model takes an operational data management perspective, defining a Data Owner as a legal entity or natural person executing control over data. This @@ -178,7 +178,7 @@ the same time, the only activity of the Data Owner is to authorize a Data Provider to make its data available to be used by a Data Consumer. Any such authorization should be documented by a contract, which should include data usage policy information for the data provided (see -[Usage Control in IDS](#)). The contract needs not necessarily be a paper +[Usage Control in IDS](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md)). The contract needs not necessarily be a paper document, but may be an electronic file as well. At the end of a complete or partial data transaction, for example, the @@ -277,7 +277,7 @@ Creators to send their metadata. The metadata should be stored in an internal repository for being queried by Data Consumers in a structured manner. While the core of the metadata model must be specified by the International Data Spaces (i.e. by the Information Model, see - [Information Layer](#)), a Data Broker may extend the metadata model to manage additional + [Information Layer](../3_3_Information_Layer/README.md)), a Metadata Broker may extend the metadata model to manage additional metadata elements. After the Data Broker has provided the Data Consumer with the metadata 
@@ -356,7 +356,7 @@ Vocabularies can be used to annotate and describe data assets. These data assets may comprise at least: - **Information Model** of the International Data Spaces, which is the - basis for the description of data sources (see [Information Layer](#)). There + basis for the description of data sources (see [Information Layer](../3_3_Information_Layer/README.md)). There is only one information model in the IDS governed by the IDSA. - **Domain-specific vocabularies**: They are essential for the @@ -437,7 +437,7 @@ Spaces), a Dynamic Attribute Provisioning Service (DAPS, managing the dynamic attributes of the participants), and a service named Dynamic Trust Monitoring (DTM, for continuous monitoring of the security and behavior of the network. More details about identity management can be -found in the [security perspective](#). +found in the [security perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/README.md). Typically, identities are created by the Identity Authority, then acting as an **Identity Creator**. In the sense of a directory, the authority @@ -465,7 +465,7 @@ the App Developer typically covers the basic roles **App Creator** and, as long as the data app is not created on behalf, **App Owner**. To be deployable, a data app has to be compliant with the system -architecture of the International Data Spaces (see [system layer](#)). In +architecture of the International Data Spaces (see [system layer](../3_5_System_Layer/README.md)). In addition, data Apps can be certified by a Certification Body in order to increase trust in these applications (especially with regard to Data Apps processing sensitive information). 
@@ -479,7 +479,7 @@ model) with regard to its semantics, functionality, interfaces, etc. A Connector Developer provides software for implementing the functionality required by the International Data Spaces (i.e., through -software components, as described in the [system layer](#)). Unlike Data Apps, +software components, as described in the [system layer](../3_5_System_Layer/README.md)). Unlike Data Apps, software is not provided by the App Store, but delivered over the Connector Developer's usual distribution channels, and used on the basis of individual agreements between the Connector Developer and the user @@ -519,7 +519,7 @@ supervises the actions and decisions of the Evaluation Facilities. Thus, from the technical perspective, the basic roles **Connector Certifier**, **App Certifier** and **Service Certifier**. -The Certification Scheme applied in the process is described in the [Certification Perspective](#). +The Certification Scheme applied in the process is described in the [Certification Perspective](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/README.md). ##### Standardization Organization ##### diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles.md index edcb4380..f1c10b75 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_2_Interaction_of_Roles.md 
@@ -15,11 +15,12 @@ identity_. ![ Roles and interactions in the International Data Spaces](./media/image18.png) +### Figure 3.1.2: Roles and interactions in the International Data Spaces This shows only the basic interactions taking place between the different roles in the International Data Spaces. For data exchange, additional, more specific interactions are necessary. These interactions are -described in the [Process Layer](#) section of the Reference Architecture +described in the [Process Layer](../3_4_Process_Layer/README.md) section of the Reference Architecture Model. The table below gives an overview of possible (mandatory are marked with X diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_3_Digital_Identities.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_3_Digital_Identities.md index 05f32109..bce1b6ed 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_3_Digital_Identities.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_3_Digital_Identities.md @@ -14,6 +14,7 @@ identity in the IDS. ![ Interactions required for issuing a digital identity in the IDS](./media/DigitalIdentities.png) +### Figure 3.1.3: Interactions required for issuing a digital identity in the IDS #### Participant #### 
@@ -25,7 +26,7 @@ capabilities of the core technical components. #### Certification #### Certification of a operational environment or core component involves the -[Certification Body](#) and an [Evaluation Facility](#). +[Certification Body](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md) and an [Evaluation Facility](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md). Evaluation of a operational environment or a core component is executed upon request of the participant and relies on the contract between the participant and the Evaluation Facility. In the same way, a Service Provider can @@ -35,7 +36,7 @@ Body is responsible for supervision of the Evaluation Facility involved. #### Certificate Authority #### The Certificate Authority is responsible for issuing, validating and -revoking [digital certificates](#). A digital certificate +revoking [digital certificates](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md). A digital certificate is provided for a participant if both a valid certification for the operational environment and a valid certification for the core component is available. This means that the Certificate Authority provides an 
@@ -49,7 +50,7 @@ certificate to the participant upon request. The information resulting from the certification process is passed on to the Dynamic Attribute Provisioning Service (DAPS). This includes master -data and information on [security profiles](#). The CA provides the details on the digital certificate +data and information on [security profiles](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md#connector-trust-levels). The CA provides the details on the digital certificate (public key and IDS-ID). The participant registers at the DAPS after successfully deploying the digital certificate inside the component. diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_4_Usage_Contracts.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_4_Usage_Contracts.md index 14c0ecd7..c38e5691 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_4_Usage_Contracts.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_4_Usage_Contracts.md 
@@ -5,23 +5,23 @@ The IDS cannot, and does not intend to, replace legal contracts or licensing agreements. Instead, the IDS provides a technical framework for technically enforced agreements in addition to existing, legally binding contracts. The connection of legally binding contracts and Usage -Contracts is part of the [IDSA Rulebook](#). +Contracts is part of the [IDSA Rulebook](https://internationaldataspaces.org/download/19008/). Many details of a business relationship cannot be modeled in machine-readable form. Nevertheless, the IDS specifies methods to define categories of applicable contracts, and it presents patterns to observe their usage and report validations. For this purpose, the IDS makes use -of the [Information Layer](#). +of the [Information Layer](../3_3_Information_Layer/README.md). ![Technical Enforcement and organizational enforcement of usage policies](./media/image20_new.png) A Usage Contract comprises a set of Usage Policies. Each policy -describes a certain permission or obligation of an [IDS Resource](). +describes a certain permission or obligation of an [IDS Resource](../3_3_Information_Layer/3_3_InformationLayer.md#digital-resource). Usage Contracts are written in a machine-readable -format (according to the [IDS Usage Policy Language](#)) and must -be interpreted as defined in [section 4.1.3.6](#). In any +format (according to the [IDS Usage Policy Language](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md#ids-usage-control-language)) and must +be interpreted as [defined](../3_4_Process_Layer/3_4_6_Policy_Enforcement.md). In any case, a Usage Contract must always be regarded as an extension of an existing legal agreement between two IDS participants, which can be overruled by them. As neither the IDS nor any other known technology 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md index 45c1e7a1..4f729752 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md @@ -6,6 +6,7 @@ Data Spaces, and the features to be implemented resulting thereof. ![ Functional architecture of the International Data Spaces](./media/image21.png) +### Figure 3.2: Functional architecture of the International Data Spaces The figure above shows the functional architecture of the International Data Spaces, @@ -32,7 +33,7 @@ Each role in the International Data Spaces has certain rights and duties. For example, the Identity Provider is responsible for offering services to create, maintain, manage, monitor, and validate identity information of and for participants in the International Data Spaces. -More information about the roles is given in the [Business Layer](#). +More information about the roles is given in the [Business Layer](../3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md). #### Identity Management ### @@ -107,7 +108,7 @@ technical certification is given in the [Certification Perspective](../../4_Pers Being able to describe, find and correctly interpret data is another key aspect of the International Data Spaces. Therefore, every data source in the International Data Spaces is described on the Information Layer (see -section 3.4). +[section 3.3](../3_3_Information_Layer/README.md)). The Ecosystem of Data group comprises three major aspects: data source description, brokering, and vocabularies. 
@@ -121,7 +122,7 @@ Furthermore, metadata should describe the application domain of the data source. The operator of a Connector must be able to define the price, the pricing model, and the usage policies regarding certain data. More information about data source description is given in the -[Information Layer](#). +[Information Layer](../3_3_Information_Layer/README.md). #### Brokering #### @@ -132,7 +133,7 @@ must be able to browse and search metadata in the metadata repository, provided the participant has the right to access the metadata. Furthermore, each participant must be able to browse the list of participants registered at a broker. More information about brokering is -given in the [Process Layer](#). +given in the [Process Layer](../3_4_Process_Layer/README.md). #### Vocabularies #### @@ -145,7 +146,7 @@ Collaboration may comprise search, selection, matching, updating, requests for changes, version management, deletion, duplicate identification, and unused vocabularies. Vocabulary hubs need to be managed. More information about vocabularies is given in the -[Information Layer](#). +[Information Layer](../3_3_Information_Layer/README.md). ### Standardized Interoperability ### diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md index 4caeb670..41a965ca 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md 
@@ -39,7 +39,7 @@ The Information Model has been specified at three levels of formalization. Each level corresponds to a digital representation, ranging from this high-level, conceptual document down to the level of operational code, as depicted in Figure -[3.4.1](#_fig-341-representations-of-the-information-model_). Every +[3.3.1](#figure-331-representations-of-the-information-model_). Every representation depicts the complete Information Model in its particular way. Among the different representations, the Declarative Representation (IDS Vocabulary) is the only normative specification of the Information @@ -97,10 +97,9 @@ allows developers to easily create instances of the Information Model that are compliant with the IDS Vocabulary, relieving them from the intricacies of ontology processing. - ![Representations of the Information Model](./media/image31.png) -#### _Fig. 3.4.1: Representations of the Information Model_ +#### Figure. 3.3.1: Representations of the Information Model_ ### Conceptual Representation of a Digital Resource in the IDS ### 
@@ -149,36 +148,36 @@ and maintenance of models can be substantially simplified. ![Outline of the Concern-Basic concern hexagon](./media/image32.png) -#### _Fig. 3.4.2: Outline of the Concern-Basic concern hexagon_ +#### Figure 3.3.2: Outline of the Concern-Basic concern hexagon_ #### Concern Hexagon #### To illustrate the main modeling [c]{.underline}oncerns of Digital Resources in a way easy to memorize, the mnemonic hexagonal arrangement of [c]{.underline}arbon atoms can be used (“C-Hexagon”), as shown in -Figure [3.4.2](#_fig-342-outline-of-the-concern-basic-concern-hexagon_). +Figure [3.3.2](#figure-332-outline-of-the-concern-basic-concern-hexagon_). -As a -Resource's content is its most essential aspect, *C*ontent is located at -the top of the hexagon. The *Content* concern deals with +As a Resource's content is its most essential aspect, *C*ontent is located at +the top of the hexagon. The *Content* concern deals with -1. the description of a Resource's abstract substance, +1. the description of a Resource's abstract substance, 2. its serialization as a representation in a machine-interpretable format, and 3. the materializations of these representations at certain points in time as one or more instances (e.g., values or artifacts). Content is interpretable by references to a shared, formally defined *C*oncept, which may cover the meaning, annotation and interpretation of entities by, e.g., -1. natural language keywords, +1. natural language keywords, 2. terms defined in curated sources such as controlled vocabularies, or 3. types defined in type systems or ontologies. On the other hand, links to a particular *C*ontext (in terms of, e.g., -* time, -* place, or +* time, +* place, or * real-world entities) + make the Content potentially relevant for certain Data Consumers. 
@@ -186,10 +185,10 @@ Thus, the upper part of the C-Hexagon deals with the “what” aspects, independently of Data Exchange, Data Sharing or Data Utilization. The lower part relates to the “how” aspects; i.e., how the content is exchanged -(*C*ommunication) and under which conditions (*C*ommodity). +(*C*ommunication) and under which conditions (*C*ommodity). The *Communication* concern deals with means to communicate a Resource's Content in one of the Representations -available, e.g., +available, e.g., * by sending messages in some communication protocol * to a resource or service endpoint or to an IDS Connector @@ -208,18 +207,18 @@ with contracts composed of usage policies, thus ensuring data sovereignty. ![Detailed Concern Hexagon](./media/image53.png) -#### _Fig. 3.4.3: Detailed Concern Hexagon_ +#### Figure 3.3.3: Detailed Concern Hexagon_ The level of detail differs across the individual concerns. The selection of their constituting aspects may change in light of new -requirements and insights; Fig. [3.4.3](#_fig-343-detailed-concern-hexagon_) suggests one such expansion of the C-Hexagon to one more level of detail. +requirements and insights; Fig. [3.3.3](#figure-333-detailed-concern-hexagon_) suggests one such expansion of the C-Hexagon to one more level of detail. Modeling concerns may inform, but do not necessarily correspond to any physical organization of the model (e.g., modules or directories). [^1]: IDSA members may find further information at - https://industrialdataspace.jiveon.com/community/workinggroups/architecture/swg4-information-model/. + [GitHub Repository](https://github.com/International-Data-Spaces-Association/InformationModel). [^2]: https://www.odata.org/ 
@@ -252,8 +251,7 @@ modules or directories). [^11]: R. Fielding. \"Architectural Styles and the Design of Network-based Software Architectures,\" 2000. PhD thesis. Table 5-1 - \"REST Data Elements\". Available: https://www.ics.uci.edu/$\sim$ - fielding/pubs/dissertation/rest_arch_style.htm$\#$ tab_5\_1 + "REST Data Elements". Available: https://www.ics.uci.edu/fielding/pubs/dissertation/rest_arch_style.htm$ tab_5 [^12]: E. W. Dijkstra. \"On the role of scientific thought,\" EWD 447, 2000. Available: diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_1_Onboarding.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_1_Onboarding.md index 8231592b..374ff727 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_1_Onboarding.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_1_Onboarding.md 
@@ -13,25 +13,25 @@ Based on those prerequisites, an organization can instantiate an arbitrary numbe All necessary steps are illustrated in the following figure. ![Onboarding process](./media/onboarding_process.png) -#### _Fig. 3.3.1.1: Onboarding process_ +#### _Fig. 3.4.1.1: Onboarding process_ #### Preparation: Registration and Certification of the Organization #### -Any organization that wants to operate an IDS Connector (in order to exchange data in the International Data Spaces) as a Data provider, Data Consumer or provide an additional IDS component needs to pass the Operational Environment Certification (see [Section 4.2.3](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md)). The Identity Provider is informed that this organization is allowed to operate components in the IDS and request component identity certificates. Additionally, the organization is registered in the Participant Information Service (ParIS). The initial population of a Participant entry is conducted directly after the certification. The Support Organization is informed about the successful steps and provided with the corresponding metadata about the new IDS entity. The provisioning of this information is not part of the IDS interactions and must be managed through communication measures. The Support Organization checks the correctness of the claims, verifies the information, and equips the dedicated ParIS with the new IDS Participant instance. It is further recommended that each Participant also hosts its Self-Description on a publicly accessible endpoint of its choice. Preferably the locator of its Self-Description document, an HTTP URL, is identical with the used Participant URI. This best practice enables the lookup or referencing of the Participant Identifier through every HTTP client and thereby eases the discovery of relevant information. 
Nevertheless, in case the own supplied Participant Self-Description and the metadata at the ParIS deviate, the latter is more trusted as its claims have been verified through the Support Organization beforehand. +Any organization that wants to operate an IDS Connector (in order to exchange data in the International Data Spaces) as a Data provider, Data Consumer or provide an additional IDS component needs to pass the Operational Environment Certification (see [Section 4.2.3](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md#operational-environment-certification)). The Identity Provider is informed that this organization is allowed to operate components in the IDS and request component identity certificates. Additionally, the organization is registered in the Participant Information Service (ParIS). The initial population of a Participant entry is conducted directly after the certification. The Support Organization is informed about the successful steps and provided with the corresponding metadata about the new IDS entity. The provisioning of this information is not part of the IDS interactions and must be managed through communication measures. The Support Organization checks the correctness of the claims, verifies the information, and equips the dedicated ParIS with the new IDS Participant instance. It is further recommended that each Participant also hosts its Self-Description on a publicly accessible endpoint of its choice. Preferably the locator of its Self-Description document, an HTTP URL, is identical with the used Participant URI. This best practice enables the lookup or referencing of the Participant Identifier through every HTTP client and thereby eases the discovery of relevant information. 
Nevertheless, in case the own supplied Participant Self-Description and the metadata at the ParIS deviate, the latter is more trusted as its claims have been verified through the Support Organization beforehand. #### Preparation: Acquiring a Certified IDS Connector #### -The organization needs to either request an IDS Connector from a Software Provider, or implement its own one. The IDS Connector is the core technical component for becoming part of the IDS. It must pass the IDS Component Certification (see [Section 4.2.4](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md)) to ensure an adequate level of security and interoperability before it can be instantiated and used in the IDS. +The organization needs to either request an IDS Connector from a Software Provider, or implement its own one. The IDS Connector is the core technical component for becoming part of the IDS. It must pass the IDS Component Certification (see [Section 4.2.4](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md#component-certification)) to ensure an adequate level of security and interoperability before it can be instantiated and used in the IDS. #### Connector Configuration and Provisioning #### Each IDS Connector that participates in an IDS ecosystem must have a unique identity in the IDS which is issued or confirmed by the IDS Identity Provider. The required trust anchors for the Identity Provider (e.g. root certificate for CA) must be provisioned onto the connector to enable verification of identity information provided by communication partners. -Additionally, each connector shall provide a Self-Description for other IDS Participants to read. The respective organization needs to create this description at the beginning of the IDS Connector configuration and provisioning process. 
For higher Trust Levels (see [Section 4.2.4](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md)), signed metadata shall be provisioned onto the connector which can be used for proving the certification levels of the IDS connector and the organization operating it. +Additionally, each connector shall provide a Self-Description for other IDS Participants to read. The respective organization needs to create this description at the beginning of the IDS Connector configuration and provisioning process. For higher Trust Levels (see [Section 4.2.4](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md#connector-trust-levels)), signed metadata shall be provisioned onto the connector which can be used for proving the certification levels of the IDS connector and the organization operating it. -Another mandatory step for the organization is to configure and connect their own existing systems to the IDS Connector. Therefore it is important that the appropriate IDS metadata (Usage Policies, etc.) is created and that data exchange is enabled (for details see section [3.3.4](../3_3_4_Exchanging_Data.md)). IDS Apps can be used for this purpose, see section [3.3.5](../3_3_5_Publishing_and_using_Data_Apps.md). +Another mandatory step for the organization is to configure and connect their own existing systems to the IDS Connector. Therefore it is important that the appropriate IDS metadata (Usage Policies, etc.) is created and that data exchange is enabled (for details see section [3.4.4](./3_4_4_Exchanging_Data.md#data-exchange)). IDS Apps can be used for this purpose, see section [3.4.5](./3_4_5_Publishing_and_using_Data_Apps.md#publishing-and-using-ids-apps). #### Availability Setup #### -An IDS Connector must be made available for other IDS Participants in the data ecosystem. 
Each Data Provider and Data Consumer can decide whether they want to announce their IDS Connector and their data resources publicly in the data ecosystem. This is described in the next section [3.4.2](./3_4_2_Data_Offering.md). +An IDS Connector must be made available for other IDS Participants in the data ecosystem. Each Data Provider and Data Consumer can decide whether they want to announce their IDS Connector and their data resources publicly in the data ecosystem. This is described in the next section [3.4.2](./3_4_2_Data_Offering.md#data-offering). diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_2_Data_Offering.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_2_Data_Offering.md index 818def37..bfc4d22f 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_2_Data_Offering.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_2_Data_Offering.md 
@@ -28,10 +28,10 @@ However, no Data Provider is obliged to publish any data assets at any IDS Metad ##### Data Provider registering Self-Descriptions ##### -As shown in Figure [3.3.2.1](#PublishSelf-Description), the Data Provider can send Self-Description documents to an IDS Metadata Broker. The Self-Description must be self-containing and compliant to the specifications of the IDS Information Model. Usually representations of the RDF classes [ids:Connector](https://w3id.org/idsa/core/Connector) and [ids:Resource](https://w3id.org/idsa/core/Resource) are used. The IDS Metadata Broker then checks the Self-Description syntactic correctness and persists it in its local database. It does not check the semantic correctness, or the plausibility of the supplied information. +As shown in Figure [3.4.2.1](#figure-3421-register-self-description-at-ids-metadata-broker), the Data Provider can send Self-Description documents to an IDS Metadata Broker. The Self-Description must be self-containing and compliant to the specifications of the IDS Information Model. Usually representations of the RDF classes [ids:Connector](https://w3id.org/idsa/core/Connector) and [ids:Resource](https://w3id.org/idsa/core/Resource) are used. The IDS Metadata Broker then checks the Self-Description syntactic correctness and persists it in its local database. It does not check the semantic correctness, or the plausibility of the supplied information. ![PublishSelf-Description](media/register-at-broker-activity.png) -#### _Fig. 3.3.2.1: Register Self-Description at IDS Metadata Broker_ +#### Figure 3.4.2.1: Register Self-Description at IDS Metadata Broker Different to other ecosystems, an IDS Metadata Broker does not actively crawl for Self-Descriptions or searches for updates. The IDS Metadata Broker relies on notifications from the original Data Providers. In case the Data Provider misses an update, the IDS Metadata Broker can therefore not be made responsible for outdated or wrong information. 
@@ -44,9 +44,10 @@ To find a Data Provider, the Data Consumer may search in the catalogs of an IDS The IDS Metadata Broker then returns the query result to the Data Consumer. The query result may differ depending on the requesting IDS Connector due to filtering of the displayed data according to usage policies defined by the Data Provider. The Data Consumer needs to interpret the result to find out about the different data sources available. Each query result must provide information about each IDS Connector capable of providing the desired data, so the Data Consumer can access each IDS Connector’s Self-Description to learn more about how to receive the desired dataset. The Data Provider may serve the same data using different representations or pricing options, so the Data Consumer may select a suitable offer from the Data Provider. ![Query Self-Descriptions](media/query-at-broker-activity.png) -#### _Fig. 3.3.2.2: Query IDS Metadata Broker_ +#### Figure 3.4.2.2: Query IDS Metadata Broker #### Crawling Self-Descriptions #### + Another possible approach to find relevant data offers in a data ecosystem is a federated catalog. This approach is based on a crawler architecture implementing a federated cache node (FCN) and a federated cache crawler (FCC). The FCN of an IDS Connector makes data offers public to other Participants, as part of its Self-Description. In addition, further information describing the contents can be requested directly. This way, another IDS Connector can cache all available data offerings by crawling known Data Providers via its FCC. After that, the Data Consumer can search for available offers by querying its cache, that is updated by the FCC periodically or event-driven. Both the FCN and the FCC can be deployed as part of the IDS Connector or as a separate service. Having multiple 'snapshots' of available data offers in one ecosystem, the federated architecture allows implementing distributed queries. 
Depending on the size of the data space, a Data Consumer may use multiple crawlers. This would allow the partitioning of large data spaces into crawler-regions. Furthermore, it can be part of a hybrid setup covering the peer-to-peer crawling of IDS Connectors, completed by the crawling of IDS Metadata Brokers. @@ -54,4 +55,4 @@ After that, the Data Consumer can search for available offers by querying its ca For each of these approaches, an overview of all Participants in the data ecosystem would be required for the FCC to get into exchange with running IDS Connectors. Such an initial overview of other Participants can be obtained by querying central IDS entities about their known Participants. For example, an IDS Metadata Broker can be queried for other IDS Connectors that have published offered resources. If other IDS components provide interfaces to query their active participants, an overview can also be derived from this. For example, an IDS component could provide an interface on which IDS Connectors have been actively communicating with it for within a certain period of last days. An FCC could then prioritize crawling active Participants. ![Crawling Self-Descriptions](media/crawling.png) -#### _Fig. 3.3.2.3: Hybrid setup - Crawling Self-Descriptions and Metadata Broker_ +#### Figure 3.4.2.3: Hybrid setup - Crawling Self-Descriptions and Metadata Broker diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_3_Contract_Negotiation.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_3_Contract_Negotiation.md index 7641a85d..212b0dc8 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_3_Contract_Negotiation.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_3_Contract_Negotiation.md 
@@ -4,7 +4,7 @@ While a Connector Self-Description basically contains descriptive information ab data assets, these also include Usage Control information in form of a Contract Offer. A Contract Offer describes under what conditions the Data Provider is willing to make its data available to the Data Consumer. This can range from simple access restrictions to complex pre- and post-duties. See -more details in Section [3.3](../3_3_Information_Layer). +more details in Section [3.3](../3_3_Information_Layer/3_3_InformationLayer.md#information-layer). In a (semi-)automated negotiation process performed by the Usage Control frameworks of the participating IDS Connectors, the Data Consumer and the Data Provider need to agree on a Data Usage @@ -13,9 +13,9 @@ more detail. #### Basic Flow #### -Figure [3.3.3.1](#_fig-3331-simple-contract-negotiation_) shows the most simple version of the sequence +Figure [3.4.3.1](#figure-3431-simple-contract-negotiation) shows the most simple version of the sequence that is at least necessary to reach a Contract Agreement. In advance, the Data Provider has attached -a Contract Offer to a data offer. As described in Section [3.3.4.2](3_4_2_Data_Offering.md), this is +a Contract Offer to a data offer. As described in Section [3.4.4.2](./3_4_2_Data_Offering.md#data-offering), this is returned to the Data Consumer as part of the IDS Connector's Self-Description. However, the Data Consumer can submit a Contract Request at any time, even if no Contract Offer exists yet. 
@@ -25,21 +25,21 @@ cancelled at any time._ ![Simple Contract Negotiation](media/policy-negotiation-sequence-1.png) -#### _Fig. 3.3.3.1: Simple Contract Negotiation_ +#### Figure 3.4.3.1: Simple Contract Negotiation -In Figure [3.3.3.1](#_fig-3331-simple-contract-negotiation_), the negotiation sequence is initiated by the +In Figure [3.4.3.1](#figure-3431-simple-contract-negotiation), the negotiation sequence is initiated by the Data Consumer's IDS Connector sending a Contract Request to the Data Provider. The content of this Contract Request can differ from the Contract Offer, or it can adopt it as it is. The meta-information in the contract is modified accordingly (e.g., the date, the term, or the signature). As soon as the Data Provider's IDS Connector receives the Contract Request, its validity -is checked by means of syntax, content, and signature. As Figure [3.3.3.1](#_fig-3331-simple-contract-negotiation_) +is checked by means of syntax, content, and signature. As Figure [3.4.3.1](#figure-3431-simple-contract-negotiation) concentrates on the simple flow, it covers no counter Contract Offers. Thus, the Contract Request is either rejected or accepted. In the case of a Contract Agreement, this is also signed by the Data Provider's IDS Connector and, for confirmation, the Data Consumer is informed about the Contract Agreement. Again, content and signature are validated. If this fails, the Data Consumer simply does not invoke any subsequent -Data Operations referring to this Contract Agreement (see Section [3.3.4](3_3_4_Exchanging_Data.md)). +Data Operations referring to this Contract Agreement (see Section [3.4.4](./3_4_4_Exchanging_Data.md)). As soon as a Contract Agreement has been reached, this is instantiated and deployed inside both IDS Connectors. This means it needs to be persisted on both sides. This way, both IDS Connectors have 
@@ -55,7 +55,7 @@ sequence is never reactivated, but a new one can be started at any time. In addition, for separate trust or for regulation in some data spaces, the approval of a Contract Request or Offer may be extended by involving the Clearing House. After a successful Contract Request validation, the Data Provider signed and stored the Contract Agreement locally. Next, this is additionally sent to the Clearing -House (as shown in Figure [3.3.3.2](#_fig-3332-contract-agreement-with-clearing-house-involvement_)). +House (as shown in Figure [3.4.3.2](#figure-3432-contract-agreement-with-clearing-house-involvement)). After receiving the Contract Agreement from the Data Provider, the Clearing House first checks the signature of both involved Connectors and then signs the Contract Agreement itself. The Provider @@ -64,12 +64,12 @@ all signatures to be sure that the Contract Agreement contains the requested con ![Clearing House Involvement](media/policy-negotiation-sequence-4.png) -#### _Fig. 3.3.3.2: Contract Agreement with Clearing House Involvement_ +#### Figure 3.4.3.2: Contract Agreement with Clearing House Involvement #### Reversed Sequence #### -Figure [3.3.3.3](#_fig-cc-contract-negotiation---initiation-by-data-provider_) depicts the simple -negotiation flow of Figure [3.3.3.1](#_fig-3331-contract-negotiation---initiation-by-data-provider_). +Figure [3.4.3.3](#figure-3433-contract-negotiation---initiation-by-data-provider) depicts the simple +negotiation flow of Figure [3.4.3.1](#figure-3433-contract-negotiation---initiation-by-data-provider). In this case, however, the sequence is reversed and the Data Provider initiates the negotiation. Nevertheless, it should be noted that, since the Data Provider is the one who makes the data offer, it is always the one who signs the Contract Agreement last, and sends it to the Clearing House if 
@@ -77,11 +77,11 @@ this is involved (as described in the previous subsection). ![Contract Negotiation: Initiation by Data Provider](media/policy-negotiation-sequence-2.png) -#### _Fig. 3.3.3.3: Contract Negotiation - Initiation by Data Provider_ +#### Figure 3.4.3.3: Contract Negotiation - Initiation by Data Provider #### Counter Offers #### -Figure [3.3.3.4](#_fig-3334-contract-negotiation---counter-offers_) illustrates a more complex negotiation +Figure [3.4.3.4](#figure-3434-contract-negotiation---counter-offers) illustrates a more complex negotiation flow that covers counter Contract Offers and external input. As soon as the Data Provider's IDS Connector receives a valid Contract Request, it may notify interested users or systems and provide an interface for input. Thus, the IDS Connector, if it does not already do so by default, can be @@ -91,8 +91,8 @@ negotiation by rejecting or agreeing to the received Contracts as well as propos Contract Offers or Requests. Further steps take place as already described above: Incoming Contracts are validated and as soon as a Contract Agreement has been reached, it is persisted and enforced by both IDS Connectors. How this Policy Enforcement will be ensured is explained in Section -[3.3.6](3_3_6_Policy_Enforcement.md). +[3.4.6](./3_4_6_Policy_Enforcement.md). ![Contract Negotiation: Counter Offers](media/policy-negotiation-sequence-3.png) -#### _Fig. 3.3.3.4: Contract Negotiation - Counter Offers_ +#### Figure 3.4.3.4: Contract Negotiation - Counter Offers diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_4_Exchanging_Data.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_4_Exchanging_Data.md index 7b4e37af..a5608002 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_4_Exchanging_Data.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_4_Exchanging_Data.md 
@@ -1,10 +1,9 @@ ### Data Exchange ### -After a successful Onboarding (see Section [3.3.1](3_3_1_Onboarding.md)), the operations of a Data -Consumer or Data Provider can be assigned to two phases: the Control Phase and the Transfer Phase. +After a successful Onboarding (see Section [3.4.1](./3_4_1_Onboarding.md#onboarding-of-an-ids-connector-and-its-operator)), the operations of a Data Consumer or Data Provider can be assigned to two phases: the Control Phase and the Transfer Phase. In the Control Phase, both Participants pass multiple processes (Data Offering -(see Section [3.3.2](3_3_2_Data_Offering.md)) and Contract Negotiation (see Section -[3.3.3](3_3_3_Contract_Negotiation.md))) to prepare the data transfer, using an IDS-specific +(see Section [3.4.2](./3_4_2_Data_Offering.md#data-offering)) and Contract Negotiation (see Section +[3.4.3](./3_4_3_Contract_Negotiation.md)) to prepare the data transfer, using an IDS-specific communication protocol. The respective protocol bindings are defined in the [IDS-G](https://github.com/International-Data-Spaces-Association/IDS-G). @@ -14,9 +13,9 @@ upload or download, data transformation, or data query) via their IDS Connectors done is described in the following. ![Communication Phases](media/communication-phases.png) -#### _Fig. 3.3.4.1: Communication Phases_ +#### Figure 3.4.4.1: Communication Phases -The invocation of a Data Operation is part of the Control Phase, as shown in Figure [3.3.4.1](#_fig-3341-communication-phases_), and +The invocation of a Data Operation is part of the Control Phase, as shown in Figure [3.4.4.1](#figure-3441-communication-phases), and initiated by a Connector that refers to a Contract Agreement. As the subsequent sequence should not be bound to neither a communication protocol nor to a communication pattern, this can be implemented differently, as stated in the following. For this to work, a Data Operation request requires 
@@ -48,7 +47,7 @@ applied systems and not to the Connector component. Either synchronously or asynchronously, the Data Provider's Connector may respond with the Data Operation result without using a proprietary system or protocol. In the course of this, all -information flows that are shown in Figure [3.3.4.1](#_fig-3341-communication-phases_) +information flows that are shown in Figure [3.4.4.1](#figure-3441-communication-phases) would run directly between the two Connectors using an IDS protocol. ##### Data Transfer via Another Infrastructure or Protocol ##### @@ -57,14 +56,14 @@ Alternatively to the previously described process, after the Data Operation invo Consumer's Connector can take the provided information and establish a connection directly between the Data Provider’s system acting as a data source, and a system on the consumer-side acting as the data sink. This offers the possibility for the Connector to establish and leave connections open, or -to switch from data pulling to data pushing easily. The sequence is depicted in Figure [3.3.4.2](#_fig-3.3.4.2-out-of-band-data-exchange_). +to switch from data pulling to data pushing easily. The sequence is depicted in Figure [3.4.4.2](#figure-3442-out-of-band-data-exchange). ![Out-of-band Data Exchange](media/data-transfer.png) -#### _Fig. 3.3.4.2: Out-of-band Data Exchange_ +#### Figure 3.4.4.2: Out-of-band Data Exchange #### Usage Control #### All communication patterns and protocols must ensure that usage control, covering the contents of the negotiated Contract Agreement, is enforced, and that the involved Connectors are included in the data transfer, at least by event-based notifications. More details about Policy Enforcement are -described in Section [3.3.6](3_3_6_Policy_Enforcement.md). +described in Section [3.4.6](./3_4_6_Policy_Enforcement.md#policy-enforcement). 
diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md index 209651bc..9c30f97d 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md 
@@ -2,21 +2,21 @@ IDS Apps can be used by IDS Connectors for specific data processing or transformation tasks. They can perform tasks of different complexity, ranging from simple data transformation to complex data analytics. An example of data transformation may be a IDS App parsing a single string field with address information and producing a data structure consisting of street name and number, zip code, name of the city, and name of the country. -IDS Apps are created by an App Provider and then published at an IDS App Store, as depicted by the "IDS App Publication Process" in Figure [3.3.5.1](#PublishingIDSApp). In order to be published, certain IDS Apps require certification from the Certification Body (see [Section 4.2](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective)), as depicted in the first step of the "IDS App Publication Process". Whether a certification is needed or not, publishing an IDS App requires the App Provider to push the app image to the app store's App Container Registry and then publish the app metadata. For each IDS App that was successfully published, the corresponding metadata and app image are stored in the IDS App Store and can be retrieved by IDS Participants via a search interface offered by the App Store. +IDS Apps are created by an App Provider and then published at an IDS App Store, as depicted by the "IDS App Publication Process" in Figure [3.4.5.1](#figure-3451-ids-app-publication-process). In order to be published, certain IDS Apps require certification from the Certification Body (see [Section 4.2](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md#certification-body)), as depicted in the first step of the "IDS App Publication Process". Whether a certification is needed or not, publishing an IDS App requires the App Provider to push the app image to the app store's App Container Registry and then publish the app metadata. 
For each IDS App that was successfully published, the corresponding metadata and app image are stored in the IDS App Store and can be retrieved by IDS Participants via a search interface offered by the App Store. ![PublishingIDSApp](./media/ids-app-publication-process.png) -#### _Fig. 3.3.5.1: "IDS App Publication" Process_ +#### Figure 3.4.5.1: "IDS App Publication" Process -When it comes to using a IDS App that is offered by an IDS App Store, IDS Participants need to execute the process that is depicted in Figure [3.3.5.2](#UseIDSApp). An IDS Participant, here called "App User", can use the search interface of the IDS App Store to look for a suitable IDS App through its IDS Connector, as depicted by the "Find IDS App" subprocess in Figure [3.3.5.3](#FindIDSApp). After the "Find IDS App" process is finished, the App User might need to pay for the selected IDS App. This is indicated by the "IDS App Payment" subprocess, which is conceptually similar to the Contract Negotiation detailed in Section [3.3.3](3_3_3_Contract_Negotiation.md) and can be done directly between the App User and App Provider or through a Clearing House if necessary. +When it comes to using a IDS App that is offered by an IDS App Store, IDS Participants need to execute the process that is depicted in Figure [3.4.5.2](#figure-3452-use-ids-app-process). An IDS Participant, here called "App User", can use the search interface of the IDS App Store to look for a suitable IDS App through its IDS Connector, as depicted by the "Find IDS App" subprocess in Figure [3.4.5.3](#figure-3453-find-ids-app-process). After the "Find IDS App" process is finished, the App User might need to pay for the selected IDS App. This is indicated by the "IDS App Payment" subprocess, which is conceptually similar to the Contract Negotiation detailed in Section [3.4.3](./3_4_3_Contract_Negotiation.md) and can be done directly between the App User and App Provider or through a Clearing House if necessary. 
![UseIDSApp](./media/use-ids-app-process.png) -#### _Fig. 3.3.5.2: "Use IDS App" Process_ +#### Figure 3.4.5.2: "Use IDS App" Process ![FindIDSApp](./media/find-ids-app-process.png) -#### _Fig. 3.3.5.3: "Find IDS App" Process_ +#### Figure 3.4.5.3: "Find IDS App" Process -If the participant finds a suitable IDS App in an IDS App Store, e.g. matching in functionality and compatible with the App User's IDS Connector technical requirements, the IDS App can then be requested through the "Retrieve IDS App" subprocess depicted in Figure [3.3.5.4](#RetrieveIDSApp). This subprocess consists of two main interactions of the App User with the App Store, first to retrieve the IDS App's metadata and then to pull its image before deploying it in the App User's IDS Connector. +If the participant finds a suitable IDS App in an IDS App Store, e.g. matching in functionality and compatible with the App User's IDS Connector technical requirements, the IDS App can then be requested through the "Retrieve IDS App" subprocess depicted in Figure [3.4.5.4](#figure-3454-retrieve-ids-app-process). This subprocess consists of two main interactions of the App User with the App Store, first to retrieve the IDS App's metadata and then to pull its image before deploying it in the App User's IDS Connector. ![RetrieveIDSApp](./media/retrieve-ids-app-process.png) -#### _Fig. 3.3.5.4: "Retrieve IDS App" Process_ +#### Figure 3.4.5.4: "Retrieve IDS App" Process diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_6_Policy_Enforcement.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_6_Policy_Enforcement.md index 97974e2f..d224ae80 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_6_Policy_Enforcement.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_6_Policy_Enforcement.md 
@@ -1,4 +1,5 @@ ### Policy Enforcement ### + Enforcement of data usage restrictions (Policy Enforcement) can be characterized and implemented in different forms. Organizational rules or legal contracts can be substituted, or at least accompanied, by technical solutions, which introduce a new level of security. Vice versa, technical solutions can be accompanied by organizational rules or legal contracts (e.g., to compensate missing capabilities of the technical solution). Although it is a commonly used solution to address data usage control restrictions by organizational rules, the IDS focuses on technical enforcement. 
@@ -8,25 +9,25 @@ To enforce data usage restrictions, a system’s actions need to be monitored an **The Policy Enforcement Point (PEP)** has two main tasks. First, it is the entry point for enforcement, meaning it is the point where data or metadata is stopped and transferred to the PDP, the PDP makes a decision and returns it to the PEP. Secondly, the PEP will subsequently manipulate or lock the data according to the decision. -![image](media/Communication-PEP-and-PDP.drawio.png) +![Communication Policy Enforcement Point and Policy Decision Point](media/Communication-PEP-and-PDP.drawio.png) -_Figure 3.3.6.1: Communication Policy Enforcement Point and Policy Decision Point_ +### Figure 3.4.6.1: Communication Policy Enforcement Point and Policy Decision Point #### Policy Decision Point (PDP) #### -As mentioned before, the **Policy Decision Point (PDP)** makes the decision based on the data sent by the PEP and the deposited policies. The policies specifies the conditions and obligations. The result of the evaluation is send to the PEP for enforcement (see [Figure 3.3.6.1](media/Communication-PEP-and-PDP.drawio.png)). The PDP also interprets the policies in terms of context information and instructions. This means the policy decision may also depend on additional information that is not present in the intercepted system action itself. This includes information about the context, such as data flows or the geographical location of an entity. It is also possible to specify pre- or post-conditions that have to hold before (e.g., integrity check of the environment) and after (e.g., data item is deleted after usage) decision-making. In addition, it is possible to define on-conditions that have to hold during usage (e.g., only during business hours). These conditions usually specify constraints and permissions that have to be fulfilled before, during, and after using data (see [Figure 3.3.6.2](media/usage-control-conditions.drawio.png)). 
This is linked to the other components presented in this section. +As mentioned before, the **Policy Decision Point (PDP)** makes the decision based on the data sent by the PEP and the deposited policies. The policies specifies the conditions and obligations. The result of the evaluation is send to the PEP for enforcement (see [Figure 3.4.6.1](#figure-3461-communication-policy-enforcement-point-and-policy-decision-point)). The PDP also interprets the policies in terms of context information and instructions. This means the policy decision may also depend on additional information that is not present in the intercepted system action itself. This includes information about the context, such as data flows or the geographical location of an entity. It is also possible to specify pre- or post-conditions that have to hold before (e.g., integrity check of the environment) and after (e.g., data item is deleted after usage) decision-making. In addition, it is possible to define on-conditions that have to hold during usage (e.g., only during business hours). These conditions usually specify constraints and permissions that have to be fulfilled before, during, and after using data (see [Figure 3.4.6.2](#figure-3462-usage-control-pre--on--and-post-conditions)). This is linked to the other components presented in this section. ![image](media/usage-control-conditions.drawio.png) -_Figure 3.3.6.2: Usage Control Pre-, On-, and Post-Conditions_ +### Figure 3.4.6.2: Usage Control Pre-, On-, and Post-Conditions #### Policy Information Point (PIP) #### -**The Policy Information Point (PIP)** is the component to determine information such as context information during policy evaluation. This information can then be used in the PDP for decision making. 
(More about context information in [Section 4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md)) +**The Policy Information Point (PIP)** is the component to determine information such as context information during policy evaluation. This information can then be used in the PDP for decision making. (More about context information in [Section 4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md#context-information-and-obligation-fulfillment)) #### Policy Execution Point (PXP) #### -**The Policy Execution Point (PXP)** is the components for implementing instructions or requirements these can be before a decision and their successful execution can be included as a condition, or they can be executed after a decision has been made. (More about the execution of instructions in [Section 4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md)) +**The Policy Execution Point (PXP)** is the components for implementing instructions or requirements these can be before a decision and their successful execution can be included as a condition, or they can be executed after a decision has been made. (More about the execution of instructions in [Section 4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md#usage-control-in-a-connector)) #### Policy Management Point (PMP) and Policy Administration Point (PAP) #### 
@@ -34,12 +35,12 @@ _Figure 3.3.6.2: Usage Control Pre-, On-, and Post-Conditions_ #### Interaction in the IDS Connector #### -**An example process** in the IDS Connector. Let's assume there is a policy describing that data can only be used when the connector is in the EU (Locale) and the usage is sent to the Clearing House after the data has been used (Log). We assume that such a policy is deposited (negotiated) for the PDP and the components to implement it are available. Now a process may exist to enforce Access Control, on the Data Provider side. It basically does not matter if it is a send or fetch of the data. To implement Data Usage Control, there must also be a process on the Data Consumer side. We want to focus here on the case of Usage Control on the Data Consumer side, which can be used very similarly also for Access Control, since the Data Provider, has a high interest to enforce this as early as possible. [Figure 3.3.6.3](media/uc-example-Components.drawio.png) is a component diagram of an IDS Connector that receives data and Components for Usage Contral with an standalone Usage Control Container.The IDS Components (IDS PEP, IDS PIP, IDS PXP) are more generic and standardized components, these are connected to a specific implmentations (PXP, PIP, PXP) of a policy engine or framework to be able to enforce it. The core component - IDS Connector Core - of the IDS Connector (see [Section 3.5.2](../3_5_System_Layer/3_5_2_IDS_Connector.md)) is of central importance. It knows the routes of the data and can thus integrate the PEPs at appropriate points. This can be done when the data leaves the IDS Connector Core or e.g. via Interceptor Pattern for completely controlled data flows. If data is to flow to a data sink (app, storage), the IDS Connector Core knows the destination and it knows the identifications of the data, which are transferred in the form of metadata. 
Before the data flows directly, the PEP acts in front of it and sends all the required information to the PDP. The implementation of the solution can be implemented in the IDS Connector Core or as a standalone application (runs as an IDS Connector App), but the principle remains the same. The PDP analyzes the policy and must be connected via the IDS Connector Core to a system that can provide a statement about the IDS Connector location. For example the IDS ParIS is used to resolve the location information. If the IDS Connector is located in the EU, the data is released and the PEP does not have to change anything. The PDP informs the PEP about this decision. Now there is the instruction to log the data usage information in the Clearing House. A PXP which is connected to the Clearing House is responsible for logging the usage information via the IDS Connector Core. Using this PXP, the PDP can log important information and parameters provided by the PEP and PIP. More details about different types of context information and the execution of instructions can be found in [Section 4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md). [Figure 3.3.6.4](media/uc-example-Sequence.drawio.png) shows a sequence like discribed in the example within the procedure calls between the Components. +**An example process** in the IDS Connector. Let's assume there is a policy describing that data can only be used when the connector is in the EU (Locale) and the usage is sent to the Clearing House after the data has been used (Log). We assume that such a policy is deposited (negotiated) for the PDP and the components to implement it are available. Now a process may exist to enforce Access Control, on the Data Provider side. It basically does not matter if it is a send or fetch of the data. To implement Data Usage Control, there must also be a process on the Data Consumer side. 
We want to focus here on the case of Usage Control on the Data Consumer side, which can be used very similarly also for Access Control, since the Data Provider, has a high interest to enforce this as early as possible. [Figure 3.4.6.3](#figure-3463-usage-control-components-inside-an-ids-connector) is a component diagram of an IDS Connector that receives data and Components for Usage Contral with an standalone Usage Control Container.The IDS Components (IDS PEP, IDS PIP, IDS PXP) are more generic and standardized components, these are connected to a specific implmentations (PXP, PIP, PXP) of a policy engine or framework to be able to enforce it. The core component - IDS Connector Core - of the IDS Connector (see [Section 3.5.2](../3_5_System_Layer/3_5_2_IDS_Connector.md#ids-connector)) is of central importance. It knows the routes of the data and can thus integrate the PEPs at appropriate points. This can be done when the data leaves the IDS Connector Core or e.g. via Interceptor Pattern for completely controlled data flows. If data is to flow to a data sink (app, storage), the IDS Connector Core knows the destination and it knows the identifications of the data, which are transferred in the form of metadata. Before the data flows directly, the PEP acts in front of it and sends all the required information to the PDP. The implementation of the solution can be implemented in the IDS Connector Core or as a standalone application (runs as an IDS Connector App), but the principle remains the same. The PDP analyzes the policy and must be connected via the IDS Connector Core to a system that can provide a statement about the IDS Connector location. For example the IDS ParIS is used to resolve the location information. If the IDS Connector is located in the EU, the data is released and the PEP does not have to change anything. The PDP informs the PEP about this decision. Now there is the instruction to log the data usage information in the Clearing House. 
A PXP which is connected to the Clearing House is responsible for logging the usage information via the IDS Connector Core. Using this PXP, the PDP can log important information and parameters provided by the PEP and PIP. More details about different types of context information and the execution of instructions can be found in [Section 4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md#usage-control-in-a-connector). [Figure 3.4.6.4](#figure-3464-usage-control-example-sequence-with-context-information-pip-and-execution-pxp-call) shows a sequence like discribed in the example within the procedure calls between the Components. -![image](media/uc-example-Components.drawio.png) +![Usage Control Components inside an IDS Connector](media/uc-example-Components.drawio.png) -_Figure 3.3.6.3: Usage Control Components inside an IDS Connector_ +### Figure 3.4.6.3: Usage Control Components inside an IDS Connector -![image](media/uc-example-Sequence.drawio.png) +![Usage Control Example Sequence with Context Information (PIP) and Execution (PXP) call](media/uc-example-Sequence.drawio.png) -_Figure 3.3.6.4: Usage Control Example Sequence with Context Information (PIP) and Execution (PXP) call_ +### Figure 3.4.6.4: Usage Control Example Sequence with Context Information (PIP) and Execution (PXP) call diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md index 3ee131f4..ecc8d1a8 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md 
@@ -1,18 +1,19 @@ ## System Layer ## -The processes defined in the [Process Layer](../3_3_Process_Layer) are summarized in Figure 3.5.0.1 as interactions between the IDS Components. Please note that the Identity Provider is not shown in the figure in order to maintain readability. +The processes defined in the [Process Layer](../3_4_Process_Layer/3_4_Process_Layer.md) are summarized in [Figure 3.5.0.1](#figure-3501-interaction-of-technical-components) as interactions between the IDS Components. Please note that the Identity Provider is not shown in the figure in order to maintain readability. ![Interaction of technical components](./media/3.5.0.1_interaction_between_technical_components.png) -#### _Fig. 3.5.0.1: Interaction of technical components_ +#### Figure 3.5.0.1: Interaction of technical components -A distributed network like the International Data Spaces relies on the connection of different participants where IDS Connectors or other core components are hosted (an IDS Connector comprising one or more Data Endpoints). The IDS Connector is responsible initiating a data exchange (see [Section 3.3.4](../../3_3_Process_Layer/3_3_4_Exchanging_Data.md)) from and to the internal data resources and enterprise systems of the participating organizations and the International Data Spaces. It provides metadata to the Metadata Broker as specified in the IDS Connector self-description, e.g. technical interface description, authentication mechanism, and associated data usage policies. Usage Contracts can be transferred via the IDS Connector to the Clearing House to ensure trust. Also, the data transfer can be logged at the Clearing House for trust reasons, or for clearing reasons. Vocabularies can be interpreted by getting more details from the Vocabulary Hub. Additional IDS Apps can be downloaded to the IDS Connector to run operations on the data. 
+A distributed network like the International Data Spaces relies on the connection of different participants where IDS Connectors or other core components are hosted (an IDS Connector comprising one or more Data Endpoints). The IDS Connector is responsible initiating a data exchange (see [Section 3.4.4](../3_4_Process_Layer/3_4_4_Exchanging_Data.md#data-exchange)) from and to the internal data resources and enterprise systems of the participating organizations and the International Data Spaces. It provides metadata to the Metadata Broker as specified in the IDS Connector self-description, e.g. technical interface description, authentication mechanism, and associated data usage policies. Usage Contracts can be transferred via the IDS Connector to the Clearing House to ensure trust. Also, the data transfer can be logged at the Clearing House for trust reasons, or for clearing reasons. Vocabularies can be interpreted by getting more details from the Vocabulary Hub. Additional IDS Apps can be downloaded to the IDS Connector to run operations on the data. On the System Layer, the roles specified on the Business Layer and the processes defined in the Process Layer are mapped onto a concrete data and service architecture, resulting in what can be considered the technical core of the International Data Spaces. The IDS consists of the following core components: -- the [Identity Provider](./3_5_1_Identity_Provider.md) (consisting of CA, DAPS and ParIS), -- the [IDS Connector](./3_5_2_Connector.md), -- the [App Store and Data Apps](./3_5_3_App_Store_and_Data_Apps.md), -- the [Metadata Broker](./3_5_4_Metadata_Broker.md), -- the [Clearing House](./3_5_5_Clearing_House.md), and -- the [Vocabulary Hub](./3_5_6_Vocabulary_Hub.md). 
+ +- the [Identity Provider](./3_5_1_Identity_Provider.md#identity-provider) (consisting of [CA](./3_5_1_Identity_Provider.md#certificate-authorities-cas), [DAPS](./3_5_1_Identity_Provider.md#dynamic-attribute-provisioning-service-daps) and [ParIS](./3_5_1_Identity_Provider.md#participant-information-service-paris)), +- the [IDS Connector](./3_5_2_IDS_Connector.md#ids-connector), +- the [App Store and Data Apps](./3_5_3_App_Store_and_Data_Apps.md#app-store-and-ids-apps), +- the [Metadata Broker](./3_5_4_Metadata_Broker.md#metadata-broker), +- the [Clearing House](./3_5_5_Clearing_House.md#clearing-house), and +- the [Vocabulary Hub](./3_5_6_Vocabulary_Hub.md#vocabulary-hub). diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md index 6bb30833..6cb19f0b 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md 
@@ -6,30 +6,30 @@ The IDS Connector Architecture uses application container management technology IDS Apps are services for realizing business logic inside the IDS Connector. IDS Apps can be used to process data, connect to external systems, or control the IDS Connector. Therefore, they can be downloaded via the IDS App Store and deployed by the IDS Connector. -The [IDS App Store](3_5_3_App_Store_and_Data_Apps.md), [Metadata Broker](3_5_4_Broker.md), and [Clearing House](3_5_5_Clearing_House.md) are based on the IDS Connector architecture (which is described in detail in the following section) in order to support secure and trusted data exchange with these services. +The [IDS App Store](./3_5_3_App_Store_and_Data_Apps.md#app-store-and-ids-apps), [Metadata Broker](./3_5_4_Metadata_Broker.md#metadata-broker), and [Clearing House](./3_5_5_Clearing_House.md) are based on the IDS Connector architecture (which is described in detail in the following section) in order to support secure and trusted data exchange with these services. #### IDS Connector Architecture #### The Connector consists of one or more computers/virtual machines, operating systems running on them, an Application Container Management, and the Connector Core Service(s) built on top of it. ![Connector Architecture](media/3.5.2.1_connector_architecture.png) -#### _Fig. 3.5.2.1: Connector Architecture_ +#### Figure 3.5.2.1: Connector Architecture The individual elements of the deployment are shown in Figure 3.5.2.1 and described below: - _Application Container Management_: In most cases, the deployment of the Connector Core Service(s) and selected IDS Apps is based on application containers. See Section [3.5.2.3](#special-connectors) for specialized IDS Connectors. IDS Apps are isolated from each other by containers in order to prevent unintended interdependencies. Using Application Container Management, extended control of IDS Apps and containers can be enforced. 
During development, and in case of systems with limited resources, Application Container Management can be omitted. -- A _Certified Core Container_ contains one _Connector Core Service_ which provides components like Data Management, Metadata Management, Contract and Policy Management, IDS App Management, IDS Protocols Authentication, and many more. Detailed explanations to the IDS Connector's functionalities are given in the following Section [3.5.2.2](#ids-connector-functions). +- A _Certified Core Container_ contains one _Connector Core Service_ which provides components like Data Management, Metadata Management, Contract and Policy Management, IDS App Management, IDS Protocols Authentication, and many more. Detailed explanations to the IDS Connector's functionalities are given in the following Section [3.5.2.2](#ids-connector-functionalities). - An _Certified App Container_ is a certified container downloaded from the App Store, providing a specific IDS App to the IDS Connector. - A _Custom Container_ provides a self-developed Custom App. Custom containers usually require no certification. -- An _IDS App_ defines a public API, which is invoked from the IDS Connector. This API is formally specified in a meta-description that is imported during the deployment phase of an IDS App. The tasks to be executed by IDS Apps may vary. IDS Apps can be implemented in any programming language and target different runtime environments. Existing components can be reused to simplify a migration from other integration platforms. A detailed description of how to use IDS Apps can be found in Section [3.3.5](../../3_3_Process_Layer/3_3_5_Publishing_and_using_Data_Apps.md), the deployment of IDS Apps is explained in Section [3.5.3](3_5_3_App_Store_and_Data_Apps.md). +- An _IDS App_ defines a public API, which is invoked from the IDS Connector. This API is formally specified in a meta-description that is imported during the deployment phase of an IDS App. 
The tasks to be executed by IDS Apps may vary. IDS Apps can be implemented in any programming language and target different runtime environments. Existing components can be reused to simplify a migration from other integration platforms. A detailed description of how to use IDS Apps can be found in Section [3.4.5](../3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md#publishing-and-using-ids-apps), the deployment of IDS Apps is explained in Section [3.5.3](./3_5_3_App_Store_and_Data_Apps.md#app-store-and-ids-apps). - The _Runtime_ of a Custom/Certified App/Certified Core Container depends on the selected technology and programming language. The Runtime, along with the application, constitutes the main part of a container. Different containers may use different runtimes. What runtimes are available depends only on the base operating system of the host computer. From the runtimes available, a service architect may select the one deemed most suitable. #### IDS Connector Functionalities #### -The IDS Connector must include some essential functionality in its _Connector Core Service(s)_. The functionalities can be implemented in individual micro services or as a single comprehensive software block. In addition, the services do not have to be deployed in the same infrastructure. +The IDS Connector must include some essential functionality in its _Connector Core Service(s)_. The functionalities can be implemented in individual micro services or as a single comprehensive software block. In addition, the services do not have to be deployed in the same infrastructure. ![Connector Functional View](media/3.5.2.2_connector_functional_view.png) -#### _Fig. 3.5.2.2: Connector Functional View_ +#### Figure 3.5.2.2: Connector Functional View The individual functionalities of the _Connector Core Service(s)_ are shown in Figure 3.5.2.2 as an [UML deployment diagram](https://www.omg.org/spec/UML/2.5.1/) that depicts each functionality as one component. 
The figure intentionally does specify the external interfaces of components but not the internal ones as these vary from implementation to implementation. Also, the image does not include all the interactions between the components for the sake of clarity. 
@@ -38,26 +38,26 @@ The components are described below: - The _Authentication Service_ holds the necessary information to authenticate the IDS Connector from/to other backend systems and/or authorize the system access from/to the IDS Connector from other IDS participants. For security reasons, a clear separation of the internal and external access credentials is recommended. The _Authentication Service_ provides interfaces for configuration and to connect custom authentication services. In order to authorize incoming and outgoing connections it holds - - the Key/Trust Store for the _IDS Protocol(s)_, - - the credentials for the access of the _Data Management_ and _Data Exchange_ to external systems, and - - the information for the access control of the _Data Exchange_ and _Data Management_ to the IDS. +- the Key/Trust Store for the _IDS Protocol(s)_, +- the credentials for the access of the _Data Management_ and _Data Exchange_ to external systems, and +- the information for the access control of the _Data Exchange_ and _Data Management_ to the IDS. This is shown via the solid line inside the IDS Connector. - The _Data Exchange_ component provides or requires interfaces to exchange data with other IDS Participants (providers/consumers). It can be deployed on another infrastructure than the IDS Protocol(s) component and it is possible to have more then one Data Exchange component to support multiple protocol bindings. The _Data Exchange_ component does not support IDS-specific interfaces nor does it interpret the IDS Information Model. -- The _IDS Protocol(s)_ component supports at least one IDS specific interface defined in [IDS-G](https://github.com/International-Data-Spaces-Association/IDS-G) to realize the processes defined in the Section [3.3](../../3_3_Process_Layer). All components interact with the IDS Protocol component as shown by the dashed lines. -- The _Remote Attestation_ component is used to increase the trust between the participating components. 
It can be used to detect whether the software has been modified at the other party's end (see Section [4.1](../../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective) for more information). The component is needed for certification level 2 or higher (see Section [4.2.4](../../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md)). +- The _IDS Protocol(s)_ component supports at least one IDS specific interface defined in [IDS-G](https://github.com/International-Data-Spaces-Association/IDS-G) to realize the processes defined in the Section [3.4](../3_4_Process_Layer/3_4_Process_Layer.md). All components interact with the IDS Protocol component as shown by the dashed lines. +- The _Remote Attestation_ component is used to increase the trust between the participating components. It can be used to detect whether the software has been modified at the other party's end (see Section [4.1](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md) for more information). The component is needed for certification level 2 or higher (see Section [4.2.4](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md#component-certification)). - The _(Audit) Logging Service_ is responsible for the logging of all relevant information during the operation of the component. For example, changes to settings, error messages, data accesses, and policy implementations should be logged. The information can also be passed on to corresponding systems that take over the (auditable) logging. Therefore, the component provides or requires an interface to this systems. - The _Monitoring Service_ is used to monitor the status of the component. It can be used to check, e.g., if the IDS Connector is running, remains in an error state, or is offline. 
- The _Data App Management_ component supports the download, deployment, and integration of IDS Apps in the IDS Connector. -- The _Policy Engine_ summarizes all components used for enforcing the IDS Usage Control Policies (part of an IDS Contract). These cover the Policy Administration Point (PAP), the Policy Enforcement Point (PEP), the Policy Information Point (PIP), the Policy Execution Point (PXP), the Policy Management Point (PMP), and the Policy Decision Point (PDP). All are described in detail in Section [4.1.6](../../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md). -- The _Contract Management_ component is responsible for managing the contract negotiation between Participants (see Section [3.3.3](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_3_Contract_Negotiation.md)) and storing the IDS Contract Agreements afterwards. Contract management can be seen as part of _Metadata Management. However, it is visualized as a separate component due to the importance of Usage Control in IDS. +- The _Policy Engine_ summarizes all components used for enforcing the IDS Usage Control Policies (part of an IDS Contract). These cover the Policy Administration Point (PAP), the Policy Enforcement Point (PEP), the Policy Information Point (PIP), the Policy Execution Point (PXP), the Policy Management Point (PMP), and the Policy Decision Point (PDP). All are described in detail in Section [4.1.6](../../4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md#usage-control-in-a-connector). +- The _Contract Management_ component is responsible for managing the contract negotiation between Participants (see Section [3.4.3](../3_4_Process_Layer/3_4_3_Contract_Negotiation.md#contract-negotiation)) and storing the IDS Contract Agreements afterwards. Contract management can be seen as part of _Metadata Management. 
However, it is visualized as a separate component due to the importance of Usage Control in IDS. - The _Metadata Management_ component holds the metadata of provided and consumed data assets. The metadata is mainly defined by the IDS Information Model, however, it can be further enriched with additional information. The metadata is coupled with the contracts from the Contract Management component and the data from the Data Management component. - The _Data Management_ component holds the data assets itself or holds a link to the data sources, data sinks, or IDS Apps to get or send the data assets to their interface dynamically. - The _Configuration Management_ component contains the configuration parameters for the IDS Protocols and all components in general. - The _User Management_ component is responsible for providing user authentication for every interface of the components. Therefore, the User Management can use external Identity Services or provide this service by itself. It also can be configured via an interface. -There may be different types of implementations of an IDS Connector, based on different technologies and depending on what specific functionality is required regarding the purpose of the Connector. IDS Connectors are distinguish according to their certification level defined in Section [4.2](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/), which indicates, among other things, which security and data sovereignty criteria the IDS Connector implements. +There may be different types of implementations of an IDS Connector, based on different technologies and depending on what specific functionality is required regarding the purpose of the Connector. 
IDS Connectors are distinguish according to their certification level defined in Section [4.2](../../4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_Certification_Perspective.md#certification-perspective), which indicates, among other things, which security and data sovereignty criteria the IDS Connector implements. #### Special Connectors #### diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md index 23a01ff6..397d8870 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md 
@@ -2,26 +2,26 @@ An IDS App is an independent, functional, and re-usable software asset that is deployable, executable, and manageable on an IDS Connector. -As described in [Section 3.5.2](3_5_2_0_Connector.md) IDS Connectors can make use of IDS Apps for several purposes. Three types of IDS Apps can be distinguished, namely Data App, Adapter App, and Control App, each performing different tasks in the IDS ecosystem. Applications of all types can be downloaded and fully managed by the IDS Connector: +As described in [Section 3.5.2](./3_5_2_IDS_Connector.md#ids-connector) IDS Connectors can make use of IDS Apps for several purposes. Three types of IDS Apps can be distinguished, namely Data App, Adapter App, and Control App, each performing different tasks in the IDS ecosystem. Applications of all types can be downloaded and fully managed by the IDS Connector: -* Data App: Applications of type Data App are re-usable, interchangeable, and connector-independent and perform small processing tasks, e.g., transform, clean, or analyse data. In other words, applications of this type manipulate the available data in some way. To define a data flow, the inputs and outputs of the components involved (Data App and IDS Connector) as well as of the backend system must be joined. To summarize multiple processing steps on the same data, Data Apps can be chained on the same data route. -* Adapter App: Applications of type Adapter App are re-usable, interchangeable, and connector-independent and provide access to enterprise information systems, making them available to the underlying Connector. As the Data App type, the data flow of Adapter Apps is defined by joining matching inputs and outputs of the involved components (Adapter App, IDS Connector, and data sink/source or external service). Accordingly, Adapter Apps are used especially when the routing framework is not inherently capable of supporting the endpoints or protocols provided by external services. 
-* Control App: Applications of type Control App allow to control the Connector from external systems and are used to connect backend systems, which may consist of a single or a cluster of applications and services, to an IDS ecoystem. Therefore, in contrast to the types introduced before, the Control App works on the administrative control flow and is connector-specific as it requires programming against the respective API of a Connector in a specific version for its implementation. +* _Data App:_ Applications of type Data App are re-usable, interchangeable, and connector-independent and perform small processing tasks, e.g., transform, clean, or analyse data. In other words, applications of this type manipulate the available data in some way. To define a data flow, the inputs and outputs of the components involved (Data App and IDS Connector) as well as of the backend system must be joined. To summarize multiple processing steps on the same data, Data Apps can be chained on the same data route. +* _Adapter App:_ Applications of type Adapter App are re-usable, interchangeable, and connector-independent and provide access to enterprise information systems, making them available to the underlying Connector. As the Data App type, the data flow of Adapter Apps is defined by joining matching inputs and outputs of the involved components (Adapter App, IDS Connector, and data sink/source or external service). Accordingly, Adapter Apps are used especially when the routing framework is not inherently capable of supporting the endpoints or protocols provided by external services. +* _Control App:_ Applications of type Control App allow to control the Connector from external systems and are used to connect backend systems, which may consist of a single or a cluster of applications and services, to an IDS ecoystem. 
Therefore, in contrast to the types introduced before, the Control App works on the administrative control flow and is connector-specific as it requires programming against the respective API of a Connector in a specific version for its implementation. Furthermore, the different IDS App types can be bundled, which allows building a data processing chain with several apps from all types chained together. To integrate IDS Apps in an IDS ecosystem or to join them with other components as described above, an IDS App can be equipped with various endpoints. The endpoints for exchanging data between apps and between apps and connectors are mainly divided into those that consume data and those that provide data. A distinction is also made between endpoints that communicate exclusively internally and those that communicate with external components: -* INPUT: The input endpoint is considered mandatory for all IDS App types that work with data or data streams. The data input endpoint describes an interface through which data can be transported to an app within the connector's environment. -* INPUT EXTERNAL: The input external endpoint serves as an interface to connect to external data sources or data streams outside the actual connector environment. This endpoint is particularly relevant for IDS Apps of type Adapter App. -* OUTPUT: The output endpoint is also considered mandatory for IDS App types that transmit data or data streams to other apps or connectors. The output endpoint describes an interface through which data can be consumed within the connector environment by apps or the connector itself. -* OUTPUT EXTERNAL: At this endpoint, communication is established beyond the boundaries of the Connector. This special form of output endpoint is primarily relevant for Adapter Apps that establish a connection to an external data source. Reading data from external data sources is made possible by this endpoint. 
+* _INPUT:_ The input endpoint is considered mandatory for all IDS App types that work with data or data streams. The data input endpoint describes an interface through which data can be transported to an app within the connector's environment. +* _INPUT EXTERNAL:_ The input external endpoint serves as an interface to connect to external data sources or data streams outside the actual connector environment. This endpoint is particularly relevant for IDS Apps of type Adapter App. +* _OUTPUT:_ The output endpoint is also considered mandatory for IDS App types that transmit data or data streams to other apps or connectors. The output endpoint describes an interface through which data can be consumed within the connector environment by apps or the connector itself. +* _OUTPUT EXTERNAL:_ At this endpoint, communication is established beyond the boundaries of the Connector. This special form of output endpoint is primarily relevant for Adapter Apps that establish a connection to an external data source. Reading data from external data sources is made possible by this endpoint. Further endpoints, besides the ones listed above, are the config endpoint and the status endpoint. The config endpoint can be used to actively set or change configuration parameters during the runtime of an IDS App. Optional is the so-called status endpoint, which can be used to retrieve status information from an IDS App during runtime. -The IDS App Store is a secure platform for distributing IDS Apps. An IDS App Store consists of a registry for available IDS Apps in this App Store. It also features the capabilty to search for IDS Apps using different search options (e.g. by functional or non-functional properties, pricing model, certification status, community ratings, etc.). 
Therefore, an App Store must support operations for App registration, publication, maintenance, and query, as well as operations for the provisioning of an App to a connector to App Users as depicted in Figure [3.5.3.1](#AppStoreArchitecture). These basic operations can be optionally complemented by additional services, e.g. billing or support activities. The processes of publishing, finding and using IDS Apps are documented in detail in Section [3.3.5](../3_3_Process_Layer/3_3_5_Publishing_and_using_Data_Apps.md). +The IDS App Store is a secure platform for distributing IDS Apps. An IDS App Store consists of a registry for available IDS Apps in this App Store. It also features the capabilty to search for IDS Apps using different search options (e.g. by functional or non-functional properties, pricing model, certification status, community ratings, etc.). Therefore, an App Store must support operations for App registration, publication, maintenance, and query, as well as operations for the provisioning of an App to a connector to App Users as depicted in Figure [3.5.3.1](#figure-3531-app-store-architecture). These basic operations can be optionally complemented by additional services, e.g. billing or support activities. The processes of publishing, finding and using IDS Apps are documented in detail in Section [3.4.5](../3_4_Process_Layer/3_4_5_Publishing_and_using_Data_Apps.md#publishing-and-using-ids-apps). ![AppStoreArchitecture](./media/app-store-architecture.png) -#### _Fig. 3.5.3.1: App Store Architecture_ +#### Figure 3.5.3.1: App Store Architecture An IDS App Store also consists of an IDS Connector in order to communicate with the Connectors of App Providers and App Users within the Data Space. As a consequence, each instance of an App Store must be compliant to the Connector Certification criteria an provide the functionalities and endpoints of general Connectors together with the above-mentioned operations (e.g. 
provide a Self-Description, have a valid IDS Identity and use a valid DAT in its communication). diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_4_Metadata_Broker.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_4_Metadata_Broker.md index 78d14687..9e9932cf 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_4_Metadata_Broker.md +++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_4_Metadata_Broker.md 
@@ -1,6 +1,6 @@ ### Metadata Broker ### -The IDS Metadata Broker consists of an IDS Connector (see Section [3.5.2.0](./3_5_2_0_Connector.md)), an endpoint for the registration, publication, maintenance, and query of Self-Descriptions. Therefore, for any interaction with the IDS Metadata Broker, the processes defined on the Process Layer, the descriptions defined on the Information Layer, and descriptions defined on the System Layer can be applied. The Information Layer describes the message types for registration and query. An IDS Metadata Broker may provide additional services that in term must be described by using terms from the IDS Information Model in the respective Metadata Broker's Self-Description document. +The IDS Metadata Broker consists of an IDS Connector (see Section [3.5.2](./3_5_2_IDS_Connector.md#ids-connector)), an endpoint for the registration, publication, maintenance, and query of Self-Descriptions. Therefore, for any interaction with the IDS Metadata Broker, the processes defined on the Process Layer, the descriptions defined on the Information Layer, and descriptions defined on the System Layer can be applied. The Information Layer describes the message types for registration and query. An IDS Metadata Broker may provide additional services that in term must be described by using terms from the IDS Information Model in the respective Metadata Broker's Self-Description document. **Note: Even though the name might indicate a different purpose, an IDS Metadata Broker is *not* a message broker or provides any similar functions to distribute data assets actively by itself.** diff --git a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_5_Clearing_House.md b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_5_Clearing_House.md index 166449b9..f742bd06 100644 --- a/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_5_Clearing_House.md 
+++ b/documentation/3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_5_Clearing_House.md @@ -1,7 +1,9 @@ ### Clearing House ### -The IDS Clearing House consists of an IDS Connector (see section 3.5.1) and bases all its functions on a logging service that records information relevant for clearing and billing as well as usage control. The information sent to the Clearing House is defined in the Process Layer. +The IDS Clearing House consists of an IDS Connector (see section [3.5.2](./3_5_2_IDS_Connector.md#ids-connector)) and bases all its functions on a logging service that records information relevant for clearing and billing as well as usage control. The information sent to the Clearing House is defined in the Process Layer. ![Clearing House Architecture](media/clearing_house_architecture.png) +### Figure 3.5.5.1: Clearing House Architecture + The Clearing House uses this information to provide a Clearing and Settlement Service on the basis of usage contracts and helps with the automization of payments between Data Provider and Data Consumer. It can also use this information to provide a Billing Service to allow the Data Space Operator the billing of the participants. The UC Claim Validation service uses the logged usage control data to allow the validation of usage claims on resources. From df6efdd5fdb160cb728c914b33e9f6bfc7de16a1 Mon Sep 17 00:00:00 2001 
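Review bot: In the 3_5_System_Layer.md hunk (`@@ -1,18 +1,19 @@`), the rewritten `+` paragraph carries over the grammatical slip "The IDS Connector is responsible initiating a data exchange" unchanged; since the line is being rewritten for the new Section 3.4.4 link anyway, make it "responsible for initiating a data exchange". The rest of the hunk is sound: the `../3_4_Process_Layer/...` paths resolve correctly relative to `3_5_System_Layer/`, and the per-service anchors added to the Identity Provider bullet (`#certificate-authorities-cas`, `#dynamic-attribute-provisioning-service-daps`, `#participant-information-service-paris`) match the heading style used for the other core components.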
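Review bot: In the first hunk of 3_5_2_IDS_Connector.md (`@@ -6,30 +6,30 @@`), the Clearing House link is the only one of the three that did not receive a heading anchor: `[Clearing House](./3_5_5_Clearing_House.md)` sits beside `#app-store-and-ids-apps` and `#metadata-broker`, and the System Layer list in the same patch links it as `./3_5_5_Clearing_House.md#clearing-house`; add the same anchor here. Two smaller points in the same hunk: the `-`/`+` pair for "The IDS Connector must include some essential functionality in its _Connector Core Service(s)_..." differs only in trailing whitespace, so either drop that whitespace-only change or keep it deliberately as a cleanup; and the untouched context line "An _Certified App Container_ is a certified container" could be corrected to "A _Certified App Container_" while the surrounding list is being edited.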
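Review bot: In the second hunk of 3_5_2_IDS_Connector.md (`@@ -38,26 +38,26 @@`), the three sub-items of the Authentication Service lose their nesting: the `-` lines are indented under the bullet whose sentence ends "In order to authorize incoming and outgoing connections it holds", while the `+` lines `- the Key/Trust Store for the _IDS Protocol(s)_,` (and the two that follow) start at column zero, so they now render as top-level components alongside Data Exchange and IDS Protocol(s), and the trailing "This is shown via the solid line inside the IDS Connector." becomes detached from the list it closes. Keep the indentation. Also in this hunk, two `+` lines are rewritten without fixing the defects they carry: the Contract Management line opens an italic with "part of _Metadata Management." and never closes it, which will italicize the text that follows in most Markdown renderers, and the closing paragraph still reads "IDS Connectors are distinguish according to their certification level" where "distinguished" is meant.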
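Review bot: In the 3_5_3_App_Store_and_Data_Apps.md hunk (`@@ -2,26 +2,26 @@`), two typos survive into lines the patch rewrites: "to an IDS ecoystem" in the `+* _Control App:_` line and "the capabilty to search for IDS Apps" in the `+The IDS App Store is a secure platform` line; both should be fixed while those lines are being touched for the italic labels and the new `#figure-3531-app-store-architecture` anchor. The anchor itself is consistent with the new `#### Figure 3.5.3.1: App Store Architecture` caption in the same hunk. An untouched context line at the end of the hunk, "must be compliant to the Connector Certification criteria an provide the functionalities", needs "and provide" and could be picked up in the same editorial pass.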
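Review bot: In the 3_5_4_Metadata_Broker.md hunk (`@@ -1,6 +1,6 @@`), the `+` line changes only the section link and leaves two wording problems in place: "additional services that in term must be described" should read "in turn", and "consists of an IDS Connector (see Section [3.5.2](...)), an endpoint for the registration, publication, maintenance, and query of Self-Descriptions" is a two-item list missing its "and" before "an endpoint". The bold note in the context line, "is *not* a message broker or provides any similar functions", reads better as "nor provides any similar functions".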
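Review bot: In the 3_5_5_Clearing_House.md hunk (`@@ -1,7 +1,9 @@`), the new caption `### Figure 3.5.5.1: Clearing House Architecture` is a level-3 heading, the same level as `### Clearing House ###` above it, so it becomes a sibling section in any generated table of contents; every other caption introduced by this patch is level 4 (`#### Figure 3.5.2.1: Connector Architecture`, `#### Figure 3.5.3.1: App Store Architecture`), so use `####` here as well. Minor: the rewritten `+` line says "see section [3.5.2]" with a lowercase "section" while the other files in this patch write "Section", and the untouched context line "helps with the automization of payments" should read "automation".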
From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Mon, 17 Oct 2022 10:24:36 +0200 Subject: [PATCH 19/22] editorial update --- README.md | 4 +- ...spects_adressed_by_the_different_layers.md | 10 +- .../4_1_2_Identity_and_Trust_Management.md | 18 +-- .../4_1_3_Securing_the_Platform.md | 8 +- .../4_1_4_Securing_Applications.md | 2 +- ...ring_Interaction_between_IDS_components.md | 7 +- .../4_1_6_Usage_Control.md | 116 +++++++++--------- .../4_1_Security_Perspective.md | 2 +- ...ddressed_by_Different_Layers_of_IDS-RAM.md | 10 +- .../4_2_2_Roles.md | 2 +- ...3_Operational_Environment_Certification.md | 7 +- .../4_2_4_Component_Certification.md | 5 +- .../4_2_5_Processes.md | 22 ++-- .../4_3_10_IDS_RuleBook.md | 3 +- .../4_3_1_Layers.md | 10 +- .../4_3_2_Data_Governance_Model.md | 6 +- .../4_3_7_Data_Quality.md | 2 +- .../4_3_8_Data_Provenance.md | 2 +- .../4_3_9_data_spaces_instances.md | 7 +- 19 files changed, 127 insertions(+), 116 deletions(-) diff --git a/README.md b/README.md index 27a4eeb2..c1197085 100644 --- a/README.md +++ b/README.md @@ -50,4 +50,6 @@ The IDS-G contains specific details on specifications, e.g. APIs and their descr ## Previous Versions ## -- [IDS RAM 3.0](https://internationaldataspaces.org/download/16630/) \ No newline at end of file +- [IDS RAM 3.0](https://internationaldataspaces.org/download/16630/) +- [IDS RAM 2.0](https://internationaldataspaces.org/download/16641/) +- [IDS RAM 1.0](https://internationaldataspaces.org/download/16652/) \ No newline at end of file diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_1_Security_Aspects_adressed_by_the_different_layers.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_1_Security_Aspects_adressed_by_the_different_layers.md index 2c57ac13..6f2255b7 100644 
--- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_1_Security_Aspects_adressed_by_the_different_layers.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_1_Security_Aspects_adressed_by_the_different_layers.md 
@@ -4,21 +4,21 @@ Since security generally covers non-functional aspects, security and trust serve #### BUSINESS LAYER #### -Security delivers the means to establish trust in the ecosystem which is the basis for the sovereign data exchange and processing targeted. The roles that are established in [Section 3.1](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/) are either responsible for setting up this trustworthy ecosystem as described in the trust model in [Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md) or for adding services in the IDS that support the establishment of data value chains. +Security delivers the means to establish trust in the ecosystem which is the basis for the sovereign data exchange and processing targeted. The roles that are established in [Section 3.1](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3-1-Business-layer.md) are either responsible for setting up this trustworthy ecosystem as described in the trust model in [Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md) or for adding services in the IDS that support the establishment of data value chains. #### FUNCTIONAL LAYER #### -The IDS is intended as a trustworthy ecosystem for sovereign data exchange. This leads to various functional requirements regarding data exchange and data processing which are defined in [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/). Security aspects and the trust model used in the IDS [Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md) shape these requirements by enabling or restricting some transactions or operations in the International Data Spaces. Without security, many use cases would not be possible (e.g., offering sensitive data to trusted business partners). The concept of +The IDS is intended as a trustworthy ecosystem for sovereign data exchange. 
This leads to various functional requirements regarding data exchange and data processing which are defined in [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md). Security aspects and the trust model used in the IDS [Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md) shape these requirements by enabling or restricting some transactions or operations in the International Data Spaces. Without security, many use cases would not be possible (e.g., offering sensitive data to trusted business partners). The concept of data usage control described in [Section 4.1.6](./4_1_6_Usage_Control.md) allows Data Providers to attach data usage policy information to their data in order to define how a Data Consumer may use the data. #### INFORMATION LAYER #### -The Information Layer ([Section 3.4](../../3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/)) provides the means for participants to use a common vocabulary and common semantics to express concepts and relationships between them. In doing so, it is possible to, e.g., describe a connector setup or specify access and usage control policies in a way that these are understood by all participants. +The Information Layer ([Section 3.3](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md)) provides the means for participants to use a common vocabulary and common semantics to express concepts and relationships between them. In doing so, it is possible to, e.g., describe a connector setup or specify access and usage control policies in a way that these are understood by all participants. 
#### PROCESS LAYER #### -To take security aspects into account on the Process Layer([Section 3.3](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/)), it is important that existing processes reflect the defined Trust Model ([Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md)) and are permanently monitored, validated, and redesigned, if need be. For example, to allow trustworthy identification and authentication of components using a public key infrastructure (PKI), the operator of this component must generate a key pair on the component, apply for a public key certificate from the Certificate Authority (CA) and provision this certificate onto the component. For dynamic attribute support, the provider of the Dynamic Attribute Provisioning Service (DAPS) needs to verify the attributes which it will confirm with the Dynamic Attribute Tokens (DATs). The same is true for trustworthy operations of an App Store, for which data must be verified and signed by a trusted entity before it can be uploaded. +To take security aspects into account on the Process Layer([Section 3.4](../../3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_Process_Layer.md)), it is important that existing processes reflect the defined Trust Model ([Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md)) and are permanently monitored, validated, and redesigned, if need be. For example, to allow trustworthy identification and authentication of components using a public key infrastructure (PKI), the operator of this component must generate a key pair on the component, apply for a public key certificate from the Certificate Authority (CA) and provision this certificate onto the component. For dynamic attribute support, the provider of the Dynamic Attribute Provisioning Service (DAPS) needs to verify the attributes which it will confirm with the Dynamic Attribute Tokens (DATs). 
The same is true for trustworthy operations of an App Store, for which data must be verified and signed by a trusted entity before it can be uploaded. #### SYSTEM LAYER #### -The IDS components described in the System Layer ([Section 3.5](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/))) form the IDS ecosystems. While the System Layer focuses on the general setup and functionality of these components, the security requirements and concepts for these components are mostly equivalent for the different components which are in essence either IDS connectors or specific types of connectors. The security perspective adds the overall view on the concepts used to ensure trust and security for all these components. +The IDS components described in the System Layer ([Section 3.5](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md)) form the IDS ecosystems. While the System Layer focuses on the general setup and functionality of these components, the security requirements and concepts for these components are mostly equivalent for the different components which are in essence either IDS connectors or specific types of connectors. The security perspective adds the overall view on the concepts used to ensure trust and security for all these components. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md index febd4de5..056bfd3e 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_2_Identity_and_Trust_Management.md 
@@ -1,7 +1,7 @@ ### Identity and Trust Management ### The International Data Spaces allow participants a cross-company data exchange. In many cases, the participants intending to exchange data have no prior knowledge about the other company and its utilized components to properly assess the consequences of such a data exchange. Thus, the IDS offers mechanisms to gain reliable information which help to establish trust and enable participants to make sovereign and informed decisions. -Identity and trust management is rooted in the components described in ([Section 3.5.1](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_1_Identity_Provider.md)). +Identity and trust management is rooted in the components described in ([Section 3.5.1](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_1_Identity_Provider.md#identity-provider)). #### Identities for Devices #### 
@@ -12,16 +12,16 @@ In the IDS, each connector instance possesses it's own identity. Each connector * The Connector Core Services software artifacts that provide management functionality and IDS interoperability. * The configuration of an IDS Connector (defined data routes, configured Usage Control framework). * The IDS Apps or other services (e.g., Clearing House services) that are bound to this connector instance. -[Section 3.5.2](../../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_0_Connector.md) provides more details for the different parts of a connector. +[Section 3.5.2](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md#ids-connector) provides more details for the different parts of a connector. -The IDS Certification is explained in [Section 4.2](../4_2_Certification_Perspective/4_2_Certification_Perspective.md). It is always conducted for a blueprint of the entire stack consisting of platform and Connector Core Services. Each such certified blueprint can be instantiated multiple times. +The IDS Certification is explained in [Section 4.2](../4_2_Certification_Perspective/4_2_Certification_Perspective.md#certification-perspective). It is always conducted for a blueprint of the entire stack consisting of platform and Connector Core Services. Each such certified blueprint can be instantiated multiple times. The IDS Connector identity serves to uniquely identify one such instance of the Connector Core Services with their IDS Apps on qualified platforms. The identity concept is equally used for other technical components such as Broker, DAPS, ... in the IDS which have their own Core Services (represented by one or multiple containers) running on a comparable platform. One component always is characterized by the combination of platform and service instances. As an example, this Connector instance is running several data apps. 
The identity is comprised of the platform, the Connector Core Services and the deployed Data Apps. ![Components SW Stack](./media/SW_Stack_Components_connector_blueprint.png) -#### _Figure 4.1.2.1: Components of the Software Stack of an IDS Connector_ +#### Figure 4.1.2.1: Components of the Software Stack of an IDS Connector ##### Component Identifier ##### @@ -42,10 +42,10 @@ Each Service Instance needs to be mapped to one platform it utilizes: * For distributed platform setups (e.g. with kubernetes): 1 P_UID for the setup maps to n PIKs for the servers in this distributed platform. * If connector is run in one protected VM (e.g. SEV SNP): 1 P_UID is mapped to 1 PIK for this SEV-SNP VM. * If multiple protected VMs (e.g. SEV SNP) form a distributed platform setup: 1 UID for the setup maps to n PIKs for the VMs which comprise this setup. - * Valid P_UIDs are mapped to a C_UID in the DAPS. The platform information is verified by another IDS Connector using remote attestation. + * Valid P_UIDs are mapped to a C_UID in the DAPS. The platform information is verified by another IDS Connector using remote attestation. ![Identity mapping for different scenarios](./media/identity_mapping.png) -#### _Figure 4.1.2.2: Identities for IDS Connector Services and Platforms_ +#### Figure 4.1.2.2: Identities for IDS Connector Services and Platforms *(Remark: The platforms in the image may always be either physical devices or protected VMs)* 
@@ -54,8 +54,8 @@ Each Service Instance needs to be mapped to one platform it utilizes: The IDS targets sovereign data exchange, which does not only comprise a secure exchange of data but also a trustworthy environment for data processing honoring the defined usage control policies. To achieve this goal, it is not sufficient to only know the identity of another IDS component, but additional information about the company operating the component and the utilized software stack is required. This information is provided in form of the following describing artifacts: -* A **Company Description** for each company operating an IDS component which contains verified information about the company as well as information about its Operational Environment Certification (explained in [Chapter 4.2.3](../4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md)). -* **Software Manifests** for the utilized software components which have been evaluated in the Component Certification explained in [Chapter 4.2.4](../4_2_Certification_Perspective/4_2_4_Component_Certification.md)). In addition to the awarded certification levels, the manifests for components with Trust Level 2 and 3 contain verified measurements which can be used to validate that the described software is truly running on the device. To support re-usability of components, the description of each software stack consists of three types of Software Manifests used for describing different layers: +* A **Company Description** for each company operating an IDS component which contains verified information about the company as well as information about its Operational Environment Certification (explained in [Chapter 4.2.3](../4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md#operational-environment-certification)). 
+* **Software Manifests** for the utilized software components which have been evaluated in the Component Certification explained in [Chapter 4.2.4](../4_2_Certification_Perspective/4_2_4_Component_Certification.md#component-certification)). In addition to the awarded certification levels, the manifests for components with Trust Level 2 and 3 contain verified measurements which can be used to validate that the described software is truly running on the device. To support re-usability of components, the description of each software stack consists of three types of Software Manifests used for describing different layers: * A **Root of Trust for Measurement (RTM) Manifest** for components of the boot stage, * an **Operating System (OS) Manifest** for utilized kernel and user space components, including the container run time enabling the execution of different isolated containers/apps, and * an arbitrary number of **App Manifests** per component identifying the utilized containers/apps. @@ -69,7 +69,7 @@ All this metadata is provided in machine-readable form. Manifest information for To establish a trusted connection, each connector needs the identity information of the corresponding connector to perform access and usage control decisions. The interactions can be depicted as follows: ![Interaction between IDS Connectors and Identity Components](./media/IdM_Interactions.png) -#### _Figure 4.1.2.3: Interaction between IDS Connectors and Identity Components_ +#### Figure 4.1.2.3: Interaction between IDS Connectors and Identity Components 1. Each IDS Connector acquires a valid identity certificate from the IDS Device CA. 2. Each IDS Connector requests a current Dynamic Attibute Token from DAPS. 
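Review bot: the trailing context line `2. Each IDS Connector requests a current Dynamic Attibute Token from DAPS.` in the `@@ -69,7 +69,7 @@` hunk still carries the typo Attibute → Attribute; since this pass is already editing the same file (caption line two lines above), fix it here rather than leaving it for a later commit.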
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_3_Securing_the_Platform.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_3_Securing_the_Platform.md index 1aa6bfd2..02432a33 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_3_Securing_the_Platform.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_3_Securing_the_Platform.md @@ -14,7 +14,7 @@ The figure below shows the three options with their respective trusted computing ![Deployment Scenarios](./media/deployment_scenarios.png) -#### _Fig. 4.1.3.1: Deployment Scenarios_ +#### Fig. 4.1.3.1: Deployment Scenarios The TCB consists of the following components: 
@@ -23,8 +23,8 @@ The TCB consists of the following components: * Optionally a **hypervisor** which may be used to isolate multiple connectors on a device by providing a Virtual Machine (VM) for each of them. The impact on the TCB is illustrated for the 1:n mapping in a comparison to a solution with OS-level virtualization, i.e., containers. * The **kernel** connects user space software to the hardware of the device. * A (container) **runtime** responsible for starting the execution of applications on the system. -* The **connector core services** taking care of essential connector functionalities as explained in the [System Layer](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md). -* An arbitrary number of **apps** as introduced in the [System Layer](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md). +* The **connector core services** taking care of essential connector functionalities as explained in the [System Layer](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_2_IDS_Connector.md#ids-connector). +* An arbitrary number of **apps** as introduced in the [System Layer](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_3_App_Store_and_Data_Apps.md#app-store-and-ids-apps). Additionally, the TCB may include **external components** in the surrounding infrastructure of a connector which are used for security-relevant tasks, e.g. an authorization server. 
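Review bot: the two new anchors `#ids-connector` and `#app-store-and-ids-apps` only work if they match the rendered heading ids exactly (on a miss GitHub silently scrolls to the top of the target page, which is worse than the old file-level link because nobody notices). The target file is named `3_5_3_App_Store_and_Data_Apps.md`, so its heading may read "App Store and Data Apps" rather than "App Store and IDS Apps"; please confirm the slug against the actual heading text before merging.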
@@ -56,7 +56,7 @@ To prove the correct setup of a TEE, each of the mentioned approaches offers som #### Platform Security Requirements #### -The Certification Criteria Catalog for Components defines various requirements for interoperability and security of an IDS Connector. It provides three different Trust Levels with an increasing number of requirements as explained in [Section 4.2.4](../4_2_Certification_Perspective/4_2_4_Component_Certification.md). +The Certification Criteria Catalog for Components defines various requirements for interoperability and security of an IDS Connector. It provides three different Trust Levels with an increasing number of requirements as explained in [Section 4.2.4](../4_2_Certification_Perspective/4_2_4_Component_Certification.md#component-certification). The following paragraphs provide an overview of important security requirements affecting the platform of an IDS connector and possible approaches for fulfilling them: diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_4_Securing_Applications.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_4_Securing_Applications.md index 72e61d18..3236c5f4 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_4_Securing_Applications.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_4_Securing_Applications.md 
@@ -23,7 +23,7 @@ During certification, the applications must be evaluated as a part of the overal * Authentication and authorization for external interfaces. * Ensuring integrity and confidentiality for all communication channels and sessions (see also [Section 4.1.5](./4_1_5_Securing_Interaction_between_IDS_components.md)). -* Supporting negotiation and enforcement of usage control policies (see also [Section 4.1.6](./4_1_6_Usage_Control.md)). +* Supporting negotiation and enforcement of usage control policies (see also [Section 4.1.6](./4_1_6_Usage_Control.md#usage-control-in-a-connector)). * Securely configuring the entire connector stack including the allowed communication routes between apps. * Logging relevant aspects, e.g., configuration changes, access control decisions, access to data resources. * For higher Trust Levels: Interacting with responsible kernel/runtime component for using key material protected by hardware mechanisms. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_5_Securing_Interaction_between_IDS_components.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_5_Securing_Interaction_between_IDS_components.md index 40485e0f..c7d92ff2 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_5_Securing_Interaction_between_IDS_components.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_5_Securing_Interaction_between_IDS_components.md 
@@ -2,7 +2,7 @@ Data transfer in the IDS needs be secured by protecting the communication between IDS components, i.e. enabling identification, authentication, and authorization for components as well as providing confidentiality and integrity protection for the transferred data. This chapter explains the following aspects about establishing and using a secure communication channel between IDS components: -* Ensuring availability of [all required information](preparation-of-required-information) on the component, +* Ensuring availability of [all required information](#preparation-of-required-information) on the component, * [Establishing of a secure communication channel](#establishment-of-a-secure-communication-channel), and * Using the communication channel for [data transfer](#data-transfer-using-this-communication-channel) Additionally, we address the topic of [Dynamic Trust Monitoring](#dynamic-trust-monitoring) which may be used to continuously track the current status of IDS components. @@ -12,6 +12,8 @@ Additionally, we address the topic of [Dynamic Trust Monitoring](#dynamic-trust- In preparation for the establishment of a secure communication channel, an IDS component needs to be have a set of information available as shown in the image below. ![Overview Required Information](./media/information_for_communication_channel.png) +### Figure 4.1.5.1: Overview Required Information + Most of the information is provisioned onto the component when it is initially taken into service and only updated occasionally when things change: * A private key called **Identity Key** is used to identify the component ([Chapter 4.1.2.](./4_1_2_Identity_and_Trust_Management.md)). The key needs to be protected on the device and shall be only known to this specific component. 
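Review bot: the new caption `### Figure 4.1.5.1: Overview Required Information` is an h3, while the existing caption in the same file (`#### Fig. 4.1.5.2: Establishing a Secure Communication Channel`, next hunk) and the captions in 4_1_2 and 4_1_3 are h4, and it says "Figure" where its sibling says "Fig.". An h3 also outranks the h4 section headings this file uses (`#### Dynamic Trust Monitoring ####`), so the caption will appear as a section in any generated table of contents. Suggest `#### Fig. 4.1.5.1: Overview Required Information` to match. The `#` added to the `#preparation-of-required-information` link in the first hunk is a correct fix.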
@@ -30,7 +32,7 @@ Additionally, the IDS component requires two artifacts for the establishment of The establishment of a secure communication channel requires five essential steps which use the information described above. The image below shows the necessary information for the different validation steps separately to show the logic behind the validations. However, in an implementation of the protocol, necessary information may be transferred in a combined Attestation Report. ![Communication Channel Establishment](./media/communication_channel_establishment.png) -#### _Fig. 4.1.5.1: Establishing a Secure Communication Channel_ +#### Fig. 4.1.5.2: Establishing a Secure Communication Channel 1. **TLS Handshake**: The communication channel builds on an existing standard to achieve communication security: Transport Layer Security (TLS, currently in [Version 3](https://datatracker.ietf.org/doc/html/rfc8446)). The TLS handshake protocol is used to set up an authenticated, confidential and integrity-protected communication channel based on the Identity Device Certificates (before transferring all other information using the TLS record protocol). 
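Review bot: the context line directly under the renumbered caption states that TLS is currently in "[Version 3](https://datatracker.ietf.org/doc/html/rfc8446)"; RFC 8446 specifies TLS 1.3, not version 3, so the text should read `Version 1.3`. The hunk already touches the adjacent line, so correct it in this pass. The renumbering to 4.1.5.2 itself is consistent with the Figure 4.1.5.1 caption added in the previous hunk.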
@@ -47,4 +49,5 @@ After establishing the secure communication channel, it can be used to transfer As long as the communication remains bound to this communication channel, the transferred (attestation) information can be used to assess the consequences of the data transfer. It is in general possible to change from this channel to another way of communication for the further data exchange. In such a case, it is essential to ensure that the new communication channel is bound to the exact same communication partner as during this communication channel establishment. In case this is not the case, the involved parties should be aware that the security guarantees offered by the successful remote attestation may not hold for the new data communication or exchange channel. #### Dynamic Trust Monitoring #### + The information provided during the establishment of a secure communication channel may be used by a Dynamic Trust Monitoring service which provides an overview of deployed components in the data space. The attestation report and DAT can provide status information about the utilized software (versions) and possible security issues. As an alternative or addition, the Dynamic Trust Monitoring may provide black box testing of components such as checking of used communication protocol versions or port scans. For the collection of more in-depth information about the monitored components, it is possibly to deploy monitoring clients on the different connectors which continously provide the Dynamic Trust Monitoring with relevant status information. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md index 227b4787..e5727869 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md 
+++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_6_Usage_Control.md 
@@ -6,25 +6,25 @@ In information security, Access Control restricts access to resources. Authoriza The [XACML](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) (eXtensible Access Control Markup Language) standard is used to introduce commonly used terms in the field of Access Control. XACML is a policy language to express ABAC rules. The main building blocks of the language are subject, action, resource, and environment: -» The subject describes who is accessing a data asset (e.g., a user). +* The subject describes who is accessing a data asset (e.g., a user). -» The action describes what the subject wants to do with the data asset (e.g., read, write). +* The action describes what the subject wants to do with the data asset (e.g., read, write). -» The resource describes the data asset. +* The resource describes the data asset. -» The environment specifies the context of the action (e.g., time, location). +* The environment specifies the context of the action (e.g., time, location). -[Figure 4.1.6.1](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en_files/image002.gif) illustrates the XACML data flow diagram and the main actors or components to implement it: the Policy Enforcement Point (PEP), the Policy Decision Point (PDP), the Policy Information Point (PIP), and the Policy Administration Point (PAP). +[Figure 4.1.6.1](#figure-4161-xacml-data-flow-diagram-source-extensible-access-control-markup-language-xacml-version-30) illustrates the XACML data flow diagram and the main actors or components to implement it: the Policy Enforcement Point (PEP), the Policy Decision Point (PDP), the Policy Information Point (PIP), and the Policy Administration Point (PAP). In general, attributes can describe anything or anyone. Nevertheless, they can be divided into four major categories: -» Subject attributes, describing the user by e.g. their age, role, or clearance; +* Subject attributes, describing the user by e.g. 
their age, role, or clearance; -» Action attributes, describing the intended action (e.g. read, write, or delete); +* Action attributes, describing the intended action (e.g. read, write, or delete); -» Resource (or object) attributes, describing the resource itself (e.g. object type, location, or classification); +* Resource (or object) attributes, describing the resource itself (e.g. object type, location, or classification); -» Context (or environment) attributes, addressing time, location, or other dynamic aspects. +* Context (or environment) attributes, addressing time, location, or other dynamic aspects. In the IDS, Access Control is a resource-centric regulation of access requests from subjects (i.e., IDS Participants) to resources (i.e., Data Services). Data Owners define Attribute-Based Access Control policies for their endpoints. In addition, they define the attribute values a subject must attest in order to grant access to the resource. These attributes may include: 
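Review bot: the `»` → `*` bullet conversion in this hunk is incomplete: the header context of the next hunk (`@@ -34,19 +34,19 @@ … » Security profile requirements`) shows that the attribute list introduced by `These attributes may include:` still uses `»`, so the file ends up with mixed markers and those lines will not render as a list. Convert them in the same commit. Also, the new in-page link `#figure-4161-xacml-data-flow-diagram-source-…-version-30` is derived from a caption ending in `Version 3.0 ]` with a space before the bracket; depending on the slug generator that space can leave a trailing hyphen in the heading id, so either drop the space in the caption or verify the anchor resolves on the rendered page.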
@@ -34,19 +34,19 @@ In the IDS, Access Control is a resource-centric regulation of access requests f » Security profile requirements (only access requests from a Connector that meets specific security requirements will be granted; e.g., having a TPM >= 1.2 and doing application isolation). -![image](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en_files/image002.gif) +![XACML data flow diagram](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en_files/image002.gif) -_Figure 4.1.6.1: XACML data flow diagram [Source: eXtensible Access Control Markup Language (XACML) Version 3.0 ]_ +### Figure 4.1.6.1: XACML data flow diagram [Source: eXtensible Access Control Markup Language (XACML) Version 3.0 ] The actual Access Control decision has to be made within the Connector and can be implemented using technologies such as XACML or JAAS, depending on the implementation of the Connector. The IDS Security Architecture does not dictate a specific Access Control enforcement language or implementation. Alongside with data _Access_ Control, regulating access to specific digital resources (e.g., a service or a file), the IDS Security Architecture also supports data _Usage_ Control. In general, the overall goal is to enforce data usage restrictions on the Data Consumer side after access to data has been granted. -As shown in [Figure 4.1.6.2](media/UC-Definition.drawio.png), Usage Control is an extension of Access Control. It is about the specification and enforcement of restrictions regulating what may be done with a data asset, and what not. Thus, Usage Control is concerned with requirements that pertain to data processing (obligations) rather than data access (provisions). Usage Control is relevant in the context of intellectual property protection, regulatory compliance, and digital rights management. +As shown in [Figure 4.1.6.2](#figure-4162-data-usage-control-–-an-extension-of-data-access-control), Usage Control is an extension of Access Control. 
It is about the specification and enforcement of restrictions regulating what may be done with a data asset, and what not. Thus, Usage Control is concerned with requirements that pertain to data processing (obligations) rather than data access (provisions). Usage Control is relevant in the context of intellectual property protection, regulatory compliance, and digital rights management. -![image](media/UC-Definition.drawio.png) +![Data usage control – an extension of data access control](media/UC-Definition.drawio.png) -_Figure 4.1.6.2: Data usage control – an extension of data access control_ +### Figure 4.1.6.2: Data usage control – an extension of data access control Data Usage Control in the IDS basically works by attaching data usage policy information to data being exchanged and continuously controlling the way data is processed, aggregated, or forwarded to other endpoints. This data-centric perspective allows Data Providers to continuously control _data flows_, rather than _accesses to services_. At configuration time, data usage policies support developers and administrators in setting up correct data flows. 
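Review bot: the new anchor `#figure-4162-data-usage-control-–-an-extension-of-data-access-control` embeds a literal en dash; most Markdown slug generators strip or replace punctuation rather than keep it, which would yield `…control--an-extension…` instead, so verify the link on the rendered page or replace the en dash in the caption with a plain hyphen and adjust the anchor accordingly. Separately, `### Figure 4.1.6.1 …` and `### Figure 4.1.6.2 …` are h3 while the section headings in this file (`#### Organizational Rules and Legal Contracts ####`) and the captions in 4_1_2 and 4_1_3 are h4; use `####` here so captions do not outrank the sections that contain them.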
@@ -54,30 +54,29 @@ At runtime, Data Usage Control enforcement prevents IDS Connectors from handling The following examples illustrate security requirements that cannot be achieved by Access Control, but require data-centric Usage Control: -» **SECRECY:** Classified data must not be forwarded to nodes which do not have the respective clearance. +* **SECRECY:** Classified data must not be forwarded to nodes which do not have the respective clearance. -» **INTEGRITY:** Critical data must not be modified by untrusted nodes, as otherwise its integrity cannot be guaranteed anymore. +* **INTEGRITY:** Critical data must not be modified by untrusted nodes, as otherwise its integrity cannot be guaranteed anymore. -» **TIME TO LIVE:** Data must be deleted from storage after a certain period of time. +* **TIME TO LIVE:** Data must be deleted from storage after a certain period of time. -» **ANONYMIZATION BY DATA AGGREGATION:** Personal data may be used only in an aggregated form by untrusted parties. To do so, a sufficient number of distinct data records must be aggregated in order to prevent deanonymization of individual records. +* **ANONYMIZATION BY DATA AGGREGATION:** Personal data may be used only in an aggregated form by untrusted parties. To do so, a sufficient number of distinct data records must be aggregated in order to prevent deanonymization of individual records. -» **ANONYMIZATION BY DATA SUBSTITUTION**: Data allowing personal identification (e.g., faces in video files) must be replaced by an adequate substitute (e.g., pixelized) in order to guarantee that individuals cannot be deanonymized. +* **ANONYMIZATION BY DATA SUBSTITUTION**: Data allowing personal identification (e.g., faces in video files) must be replaced by an adequate substitute (e.g., pixelized) in order to guarantee that individuals cannot be deanonymized. 
-» **SEPARATION OF DUTY**: Two datasets from competitive entities (e.g., two automotive OEMs) must never be aggregated or processed by the same service. +* **SEPARATION OF DUTY**: Two datasets from competitive entities (e.g., two automotive OEMs) must never be aggregated or processed by the same service. -» **USAGE SCOPE:** Data may only serve as input for data pipes within the Connector; it must never leave the Connector and be sent to an external endpoint. +* **USAGE SCOPE:** Data may only serve as input for data pipes within the Connector; it must never leave the Connector and be sent to an external endpoint. -It is important to note that the purpose of Data Usage Control is to allow the specification of such constraints and enforcing them in the respective system. A precondition of Data Usage Control is that the enforcement mechanism itself is trusted; i.e., Data Usage Control itself does not establish trust in an endpoint, but rather builds upon an existing trust relationship and facilitates enforcement of legal or technical requirements, such as Service Level Agreements (SLAs) or data privacy regulations. Thus, users must be aware that Data Usage Control will only provide certain enforcement guarantees if applied on highly trusted platforms, such as Trusted Connectors in the International Data Spaces [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer)) +It is important to note that the purpose of Data Usage Control is to allow the specification of such constraints and enforcing them in the respective system. A precondition of Data Usage Control is that the enforcement mechanism itself is trusted; i.e., Data Usage Control itself does not establish trust in an endpoint, but rather builds upon an existing trust relationship and facilitates enforcement of legal or technical requirements, such as Service Level Agreements (SLAs) or data privacy regulations. 
Thus, users must be aware that Data Usage Control will only provide certain enforcement guarantees if applied on highly trusted platforms, such as Trusted Connectors in the International Data Spaces [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md#functional-layer)) #### Organizational Rules and Legal Contracts #### +Data Usage Control can be implemented by means of a machine-readable contract, which is expected to be fulfilled by a party. It is a way to track and trace data as it is used within different systems and to collect evidence of the violation of agreed usage constraints. With that in mind, solutions range from organizational rules or legal contracts to completely technical ways of enforcing usage restrictions. For example, an organizational rule (e.g. a company policy) could state that employees must not use removable storage devices, such as USB sticks. Similarly, a technical form of enforcement, such as group policies specified by the Windows operating system, can prevent employees from using removable storage devices. In some scenarios, organizational rules, legal contracts, and technical rules can be used interchangeably. In other scenarios, the three forms can be used to complement each other. In the long run, it can be expected that organizational rules and legal contracts will increasingly be replaced by technical forms of enforcement (as illustrated in [Figure 4.1.6.3](#figure-4163-technical-enforcement-vs-organizationallegal-enforcement)). -Data Usage Control can be implemented by means of a machine-readable contract, which is expected to be fulfilled by a party. It is a way to track and trace data as it is used within different systems and to collect evidence of the violation of agreed usage constraints. With that in mind, solutions range from organizational rules or legal contracts to completely technical ways of enforcing usage restrictions. For example, an organizational rule (e.g. 
a company policy) could state that employees must not use removable storage devices, such as USB sticks. Similarly, a technical form of enforcement, such as group policies specified by the Windows operating system, can prevent employees from using removable storage devices. In some scenarios, organizational rules, legal contracts, and technical rules can be used interchangeably. In other scenarios, the three forms can be used to complement each other. In the long run, it can be expected that organizational rules and legal contracts will increasingly be replaced by technical forms of enforcement (as illustrated in [Figure 4.1.6.3](media/Technical_vs_Organizational.drawio.png)). +![Technical enforcement vs. organizational/legal enforcement](media/Technical_vs_Organizational.drawio.png) -![image](media/Technical_vs_Organizational.drawio.png) - -_Figure 4.1.6.3: Technical enforcement vs. organizational/legal enforcement_ +### Figure 4.1.6.3: Technical enforcement vs. organizational/legal enforcement #### Roles involved in Usage Control #### 
@@ -107,19 +106,19 @@ For Data Apps to take advantage of Usage Control technology, App Providers need The IDS Information Model is a modular meta-model (ontology) describing the capabilities of IDS infrastructure components, such as the Connector or the Data Endpoints. Descriptions of data provided by Data Endpoints are published at dedicated Broker registries, allowing potential Data Consumers to search for and identify data that is relevant (semantics) and applicable (quality) for their particular purpose, and to assess in advance data’s affordability (price) and usability (restrictions). -The IDS Usage Control Language refers to an extension of the Open Digital Rights Language ([ODRL](https://www.w3.org/community/odrl/)), a W3C standard. The Information Model’s Usage Control module uses this language to provide machine-readable specifications of Usage Control policies. These specifications define actions that a party is prohibited or permitted to operate with regard to a given data asset. In addition, they codify any potentially involved duties. Despite a simple core model, which is depicted in [Figure 4.1.6.4](https://www.w3.org/TR/odrl-model/00Model.png), ODRL policies are a formal way to declaratively express Usage Control policies at a specification level. This way, the Information Model provides a technology-agnostic, consistent representation of policies across the International Data Spaces. +The IDS Usage Control Language refers to an extension of the Open Digital Rights Language ([ODRL](https://www.w3.org/community/odrl/)), a W3C standard. The Information Model’s Usage Control module uses this language to provide machine-readable specifications of Usage Control policies. These specifications define actions that a party is prohibited or permitted to operate with regard to a given data asset. In addition, they codify any potentially involved duties. 
Despite a simple core model, which is depicted in [Figure 4.1.6.4](#figure-4164-odrl-information-model), ODRL policies are a formal way to declaratively express Usage Control policies at a specification level. This way, the Information Model provides a technology-agnostic, consistent representation of policies across the International Data Spaces. -![odrl](https://www.w3.org/TR/odrl-model/00Model.png) +![Figure 4.1.6.4: ODRL Information Model](https://www.w3.org/TR/odrl-model/00Model.png) -_Figure 4.1.6.4: ODRL Information Model_ +### Figure 4.1.6.4: ODRL Information Model In order to implement and enforce usage policies at a specification level within individual target environments, it is necessary to map organizational and technical measures to the individual target environments. While organizational measures are out of scope here, technical measures involve a variety of additional information sources (PIPs) and tight integration with the host environment (PEPs). Here, the Information Model enhances ODRL constructs via predefined extension “hooks” to support mapping onto lower-level, implementation-oriented policy languages (e.g., MYDATA Control Technologies XML). -For example, the ODRL Constraint class expresses logical conditions that govern the applicability of a Rule. Here, an Operator _(eq)_ relates the Left Operand (a predicate like _Geospatial Named Area_) to a Right Operand (dynamic or predefined value). On the one side, the IDS Usage Control Language extends the group of [predefined predicates](http://www.w3.org/TR/odrl-vocab/#term-LeftOperand) in order to support decision-making in particular scenarios of the IDS, such as [data residency;](http://www.omg.org/data-residency/) on the other side, it defines a configuration overlay (b) to tie the abstract predicates (a) to an operable programming logic supplied by the respective target environment (c), as illustrated by [Figure 4.1.6.5](media/mapping-of-policy-languages.drawio.png). 
+For example, the ODRL Constraint class expresses logical conditions that govern the applicability of a Rule. Here, an Operator _(eq)_ relates the Left Operand (a predicate like _Geospatial Named Area_) to a Right Operand (dynamic or predefined value). On the one side, the IDS Usage Control Language extends the group of [predefined predicates](http://www.w3.org/TR/odrl-vocab/#term-LeftOperand) in order to support decision-making in particular scenarios of the IDS, such as [data residency;](http://www.omg.org/data-residency/) on the other side, it defines a configuration overlay (b) to tie the abstract predicates (a) to an operable programming logic supplied by the respective target environment (c), as illustrated by [Figure 4.1.6.5](#figure-4165-examples-of-mapping-among-policy-language-levels). -![image](media/mapping-of-policy-languages.drawio.png) +![imaFigure 4.1.6.4: ODRL Information Modelge](media/mapping-of-policy-languages.drawio.png) -_Figure 4.1.6.5: Examples of mapping among policy language levels_ +### Figure 4.1.6.5: Examples of mapping among policy language levels #### IDS Usage Control Policies and Policy Classes #### 
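Review bot: the image line "![imaFigure 4.1.6.4: ODRL Information Modelge](media/mapping-of-policy-languages.drawio.png)" is a mangled edit: the alt text is the old word "image" with the Figure 4.1.6.4 caption pasted into its middle, and it names the wrong figure for this image, which the caption directly below calls Figure 4.1.6.5. Replace the alt text with "Figure 4.1.6.5: Examples of mapping among policy language levels", matching the pattern used for "![Figure 4.1.6.4: ODRL Information Model](...)" a few lines above. The same H3-caption-under-H4-section concern as in the previous hunk applies to both "### Figure 4.1.6.4" and "### Figure 4.1.6.5".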
@@ -149,13 +148,13 @@ Usage Control only makes sense in an ecosystem where a certain level of trust ca The IDS Connector focuses on security and delivers a trusted platform, incorporating crucial building blocks: -» identity & trust management for authenticating communicating parties (e.g., other Connectors) and shaping trusted relationships between partners; +* identity & trust management for authenticating communicating parties (e.g., other Connectors) and shaping trusted relationships between partners; -» a trusted platform as a baseline for secure data processing; +* a trusted platform as a baseline for secure data processing; -» trustworthy communication based on authenticated and encrypted connections; and +* trustworthy communication based on authenticated and encrypted connections; and -» Access & Usage Control. +* Access & Usage Control. Instances of the Trusted Connector enable remote integrity verification, so the integrity of the deployed software stack can be guaranteed before granting access to data. 
@@ -163,41 +162,41 @@ The Trusted Connector guarantees a controlled execution environment for data ser #### Message Router and Interceptor (Example) #### -An IDS Connector may use Message Router to coordinate the data flow between different systems and applications. From a technical point of view, the developer does this by using pipelining, which is a usually a paradigm of Message Routers for connecting different nodes in a route definition. The basic idea of a pipeline is that Message Routers uses the output of one node as input to the next node. Every node in such a route is a processor, except for the initial endpoint (as shown in [Figure 4.1.6.6](media/intercepting-data-flow-data-flow.drawio.png)). +An IDS Connector may use Message Router to coordinate the data flow between different systems and applications. From a technical point of view, the developer does this by using pipelining, which is a usually a paradigm of Message Routers for connecting different nodes in a route definition. The basic idea of a pipeline is that Message Routers uses the output of one node as input to the next node. Every node in such a route is a processor, except for the initial endpoint (as shown in [Figure 4.1.6.6](#figure-4166-message-router-pipeline-example)). -![image](media/intercepting-data-flow-data-flow.drawio.png) +![Message Router pipeline (example)](media/intercepting-data-flow-data-flow.drawio.png) -_Figure 4.1.6.6: Message Router pipeline (example)_ +### Figure 4.1.6.6: Message Router pipeline (example) -In order to control the usage of data, one approach can be to intercept the data flow between the services and applications. [Figure 4.1.6.7](media/intercepting-data-flow-interceptor-data-flow.drawio.png) shows as example of how developers can do this. A Message Router offers the possibility to integrate interceptors (Interceptor Pattern) that it executes between nodes. 
+In order to control the usage of data, one approach can be to intercept the data flow between the services and applications. [Figure 4.1.6.7](#figure-4167-intercepting-message-router-data-flows) shows as example of how developers can do this. A Message Router offers the possibility to integrate interceptors (Interceptor Pattern) that it executes between nodes. -As the International Data Spaces provides an Information Model (see [Section 3.1](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/)), additional metadata enhances the data transferred via the route, thereby enabling better Usage Control enforcement. The Connector attaches the metadata to the data package, as explained in [Section 3.4](../../3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/). In addition, a PIP is able to resolve more metadata during the decision-making process if necessary. +As the International Data Spaces provides an Information Model (see [Section 3.1](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3-1-Business-layer.md#business-layer)), additional metadata enhances the data transferred via the route, thereby enabling better Usage Control enforcement. The Connector attaches the metadata to the data package, as explained in [Section 3.3](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md#information-layer). In addition, a PIP is able to resolve more metadata during the decision-making process if necessary. 
-![image](media/intercepting-data-flow-interceptor-data-flow.drawio.png) +![Intercepting Message Router data flows](media/intercepting-data-flow-interceptor-data-flow.drawio.png) -_Figure 4.1.6.7: Intercepting Message Router data flows_ +### Figure 4.1.6.7: Intercepting Message Router data flows -This paradigm also works across company borders, as data always flows through the IDS Connector and the Interceptor Pattern, respectively (as shown in [Figure 4.1.6.8](media/Data-flow-across-company-borders.png)). When reaching the receiving Connector, the respective policy to protect the data is automatically instantiated. +This paradigm also works across company borders, as data always flows through the IDS Connector and the Interceptor Pattern, respectively (as shown in [Figure 4.1.6.8](#figure-4168-data-flow-across-company-borders)). When reaching the receiving Connector, the respective policy to protect the data is automatically instantiated. Depending on the policies available, this way of enforcement is not enough to cover all possible use cases and full Usage Control. -![image](media/Data-flow-across-company-borders.png) +![Data flow across company borders](media/Data-flow-across-company-borders.png) -_Figure 4.1.6.8: Data flow across company borders_ +### Figure 4.1.6.8: Data flow across company borders #### Context Information and Obligation Fulfillment #### -Context information is the information such as time, location, states of systems, etc, that is required for the evaluation of a usage policy. In IDS, one can basically distinguish two types of information; the local information that is obtained from the IDS Connector and the global information (see [Figure 4.1.6.9](media/Context-information-and-execution-point-PIP.drawio.png)). The information that can be obtained from a resource inside the IDS Connector itself, such as a system state, is referred to as an IDS local context information. 
On the other hand, the information that contains, for example, information from the IDS ParIS or the state of a payment that is provided by an IDS compliant resource is referred to as an IDS global context information. The IDS Usage Control language provides ways to address and use these context infomation. For example, They shall be provided by an IDS Policy Information Point (IDS PIP). A Usage Control technology can then use these context information for enforcement by connecting the PIPs. +Context information is the information such as time, location, states of systems, etc, that is required for the evaluation of a usage policy. In IDS, one can basically distinguish two types of information; the local information that is obtained from the IDS Connector and the global information (see [Figure 4.1.6.9](#figure-4169-ids-information-point)). The information that can be obtained from a resource inside the IDS Connector itself, such as a system state, is referred to as an IDS local context information. On the other hand, the information that contains, for example, information from the IDS ParIS or the state of a payment that is provided by an IDS compliant resource is referred to as an IDS global context information. The IDS Usage Control language provides ways to address and use these context infomation. For example, They shall be provided by an IDS Policy Information Point (IDS PIP). A Usage Control technology can then use these context information for enforcement by connecting the PIPs. -![image](media/Context-information-and-execution-point-PIP.drawio.png) +![Figure 4.1.6.9: IDS Information Point](media/Context-information-and-execution-point-PIP.drawio.png) -_Figure 4.1.6.9: IDS Information Point_ +### Figure 4.1.6.9: IDS Information Point -Moreover, an IDS Contract can contain obligations that have to be fulfilled. For example, logging in the Clearing House or deleting the stored data. 
Here, also, there is a difference between an internal (inside the Connector) and an external (outside the connector) execution points (see [Figure 4.1.6.10](media/Context-information-and-execution-point-PXP.drawio.png)). While deleting data stored in the Connector is an internal execution, logging to an external destination is an example of an external execution. The components with interfaces for executing such duties are called Policy Execution Points (PXPs). These IDS PXPs can be connected to the enforcement framework and used accordingly. +Moreover, an IDS Contract can contain obligations that have to be fulfilled. For example, logging in the Clearing House or deleting the stored data. Here, also, there is a difference between an internal (inside the Connector) and an external (outside the connector) execution points (see [Figure 4.1.6.10](#figure-41610-ids-execution-point)). While deleting data stored in the Connector is an internal execution, logging to an external destination is an example of an external execution. The components with interfaces for executing such duties are called Policy Execution Points (PXPs). These IDS PXPs can be connected to the enforcement framework and used accordingly. -![image](media/Context-information-and-execution-point-PXP.drawio.png) +![Figure 4.1.6.10: IDS Execution Point](media/Context-information-and-execution-point-PXP.drawio.png) -_Figure 4.1.6.10: IDS Execution Point_ +### Figure 4.1.6.10: IDS Execution Point #### Data Provenance Tracking #### 
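Review bot: the rewritten paragraphs carry over several typos that an editorial pass should fix while these lines are being replaced: "which is a usually a paradigm" (doubled "a"), "Message Routers uses the output" (should be "Message Routers use"), "shows as example of how" ("shows an example"), "use these context infomation" ("this context information"), and "For example, They shall be provided" (lowercase "they"). In addition, the new Section 3.1 link targets "3_1_Business_Layer/3-1-Business-layer.md", with hyphens and mixed case, while every other target in this patch follows the underscore convention ("3_3_InformationLayer.md", "3_4_Process_Layer.md"); confirm that file exists with exactly that spelling, since links to repository files are case-sensitive on GitHub, or rename it to the underscore form.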
@@ -217,17 +216,17 @@ The PEP resides within the message routing component of the Connector (or Data A Data provenance information is queried at a Privacy Dashboard, which is accessible via a Clearing House. The Privacy Dashboard returns a provenance graph for the unique identifier of data content. There are two options for storing data provenance information: -» Centralized architecture (see [Figure 4.1.6.11](media/provenance-tracking-architecture1.png)): A Provenance Storage Point (ProSP) is attached to the Clearing House. After data usage or a data flow has been observed by the data flow tracking component inside the Connector, the transaction is logged at this ProSP. +* Centralized architecture (see [Figure 4.1.6.11](#figure-41611-architecture-with-centralized-component-for-provenance-information-storage)): A Provenance Storage Point (ProSP) is attached to the Clearing House. After data usage or a data flow has been observed by the data flow tracking component inside the Connector, the transaction is logged at this ProSP. -» Distributed architecture (see [Figure 4.1.6.12](media/provenance-tracking-architecture2.png)): Each Connector is equipped with a ProSP, which is directly connected to the data flow tracking component. The Clearing House accommodates only a stateless Provenance Collection Point (ProCP), which aggregates provenance information coming in from the distributed ProSPs whenever a query occurs at the Privacy Dashboard. +* Distributed architecture (see [Figure 4.1.6.12](#figure-41612-architecture-with-distributed-component-for-provenance-information-storage)): Each Connector is equipped with a ProSP, which is directly connected to the data flow tracking component. The Clearing House accommodates only a stateless Provenance Collection Point (ProCP), which aggregates provenance information coming in from the distributed ProSPs whenever a query occurs at the Privacy Dashboard. 
-![image](media/provenance-tracking-architecture1.png) +![Figure 4.1.6.11: Architecture with centralized component for provenance information storage](media/provenance-tracking-architecture1.png) -_Figure 4.1.6.11: Architecture with centralized component for provenance information storage_ +### Figure 4.1.6.11: Architecture with centralized component for provenance information storage -![image](media/provenance-tracking-architecture2.png) +![Figure 4.1.6.12: Architecture with distributed component for provenance information storage](media/provenance-tracking-architecture2.png) -_Figure 4.1.6.12: Architecture with distributed component for provenance information storage_ +### Figure 4.1.6.12: Architecture with distributed component for provenance information storage ##### Communication ##### @@ -254,6 +253,7 @@ Data Provenance Tracking does not directly affect the core functionality of the ##### Information Layer ##### Data Provenance Tracking can be orchestrated for different purposes. Regarding the IDS, the most important goals are establishing transparency and being able to prove compliance to contracts, agreements, or legal regulations. Reliability of content is a secondary goal of data provenance tracking in the IDS. While making the lineage of data traceable is the original purpose of Data Provenance Tracking, this requires ei- ther specific, data provenance enabled Data Apps or the use of dedicated PEPs for these Data Apps. + ##### Process Layer ##### Data Provenance Tracking is integrated in the “Exchange Data” process (or, to be more precise, in the “Query Data” sub-process). Data Provenance Tracking components in the Connector of the Data Provider as well as in the Connector of the Data Consumer signal to the data provenance storage component at the Clearing House that data has been successfully sent or received, respectively. This signaling is implemented based on events intercepted by PEPs for distributed Data Usage Control. 
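Review bot: the captions "### Figure 4.1.6.11: ..." and "### Figure 4.1.6.12: ..." are H3 headings placed under "#### Data Provenance Tracking ####" and immediately before "##### Communication #####", so the outline inversion noted for the earlier hunks is larger here (a caption two levels above the sub-subsections around it). The two new anchor links in the bullet items ("#figure-41611-architecture-with-centralized-component-for-provenance-information-storage", "#figure-41612-...") are derived from the exact caption text, so if the captions are changed to a non-heading style the anchors stop resolving; keep the caption text stable and verify both anchors after rendering.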
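Review bot: the context line "this requires ei- ther specific, data provenance enabled Data Apps" in the @@ -254,6 +253,7 @@ hunk carries a hyphenated line break left over from the PDF source ("ei- ther"); since this hunk only inserts a blank line before "##### Process Layer #####", fix "either" in the same change. "prove compliance to contracts" in the same paragraph reads better as "prove compliance with contracts".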
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md index 0bc9c074..25114f69 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_1_Security_Perspective/4_1_Security_Perspective.md 
@@ -2,6 +2,6 @@ As stated in [Section 1.1](../../1_Introduction/1_1_Goals_of_the_International_Data_Spaces.md), one strategic requirement of the International Data Spaces is to provide secure data supply chains. This is critical for establishing and maintaining trust among Participants that want to exchange and share data and use Data Apps. The IDS Security Architecture provides means to identify devices in the IDS, protect communication and data exchange transactions, and control the use of data after it has been exchanged. -IDS Connectors ensure that the specifications and requirements of the Security Architecture materialize in everyday interactions and operations in the International Data Spaces. The [first section](./4_1_1_Security_Aspects_Addressed_by_the_Different_Layers.md) further explains the relations of the Security Perspective and the different layers of the IDS RAM. The remaining aspects for the security perspective are separated into multiple sections: +IDS Connectors ensure that the specifications and requirements of the Security Architecture materialize in everyday interactions and operations in the International Data Spaces. The [first section](./4_1_1_Security_Aspects_adressed_by_the_different_layers.md) further explains the relations of the Security Perspective and the different layers of the IDS RAM. The remaining aspects for the security perspective are separated into multiple sections: Identity and trust management for devices and involved entities in the IDS is explained in [Section 4.1.2](./4_1_2_Identity_and_Trust_Management.md). Security requirements and concepts for different aspects and layers of an IDS connector are explained as well: They are split into security measures necessary on the platform layer in [Section 4.1.3](./4_1_3_Securing_the_Platform.md) and on the application layer in [Section 4.1.4](./4_1_4_Securing_Applications.md). 
The security of communication between multiple secured components is addressed in [Section 4.1.5](./4_1_5_Securing_Interaction_between_IDS_components.md). Finally, [Section 4.1.6](./4_1_6_Usage_Control.md) concludes the security perspective by explaining usage control and its realization based on a properly secured IDS component. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md index 450bbc5e..6ed54903 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_1_Certification_Aspects_Addressed_by_Different_Layers_of_IDS-RAM.md 
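Review bot: the new link target "./4_1_1_Security_Aspects_adressed_by_the_different_layers.md" misspells "addressed" and switches to lowercase, while the old target, the surrounding prose and every sibling link in this paragraph ("./4_1_2_Identity_and_Trust_Management.md", "./4_1_3_Securing_the_Platform.md") use the capitalised, correctly spelled form. If the file on disk really has the misspelled name, the better fix is to rename the file to the old path rather than propagate the typo into the link; either way the link and the filename must match exactly, because file links are case-sensitive on GitHub.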
@@ -5,21 +5,21 @@ Certification is an essential mechanism in the IDS which supports the establishm #### Business Layer #### The Certification Body and Evaluation Facilities are in charge of the certification process. Their interactions and responsibilities in this process are described in [Section 4.2.2](./4_2_2_Roles.md) and [Section 4.2.5](./4_2_5_Processes.md). Both entities belong to the "Governance Body" category specified on the Business Layer (see [Section 3.1.1.](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles.md)) -Organizations assuming a role under one of the three categories "Core Participant", "Intermediary", and "Software/Service Provider" (see [Section 3.1.1.](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles.md)) are potential targets of certification, i.e. may act as Applicant for the Certification. The [Certification Scheme](./CertificationScheme) describes for each role what level of certification is required and what the focus of the certification is. +Organizations assuming a role under one of the three categories "Core Participant", "Intermediary", and "Software/Service Provider" (see [Section 3.1.1.](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md)) are potential targets of certification, i.e. may act as Applicant for the Certification. The [Certification Scheme](./CertificationScheme/README.md) describes for each role what level of certification is required and what the focus of the certification is. #### Functional Layer #### -The functional requirements of the International Data Spaces defined in [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_Functional_Layer.md) are the core requirements expected to be implemented by the technical core components (e.g., the Connector or the Clearing House). 
Therefore, compatibility of each such implementation with these functional requirements forms the basis of the compliance part of a core component's certification. The security part of the certification focuses on security specific requirements. The security requirements are mainly related to the System Layer and the Security Perspective provided in [Section 4.1](../4_1_Security_Perspective/4_1_Security_Perspective.md). +The functional requirements of the International Data Spaces defined in [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md#functional-layer) are the core requirements expected to be implemented by the technical core components (e.g., the Connector or the Clearing House). Therefore, compatibility of each such implementation with these functional requirements forms the basis of the compliance part of a core component's certification. The security part of the certification focuses on security specific requirements. The security requirements are mainly related to the System Layer and the Security Perspective provided in [Section 4.1](../4_1_Security_Perspective/4_1_Security_Perspective.md#security-perspective). #### Information Layer #### Certification of a core component comprises also its compliance with the Reference Architecture Model regarding functionality, protocols, etc. -Whenever relevant, evaluation of a core component's compliance also refers to its compatibility with the Information Model defined in the Information Layer ([Section 3.4.](../../3_Layers_of_the_Reference_Architecture_Model/3_4_Information_Layer/3_4_Information_Layer.md)). +Whenever relevant, evaluation of a core component's compliance also refers to its compatibility with the Information Model defined in the Information Layer ([Section 3.3.](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md#information-layer)). 
#### Process Layer #### -The Process Layer ([Section 3.3.](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Process_Layer/3_3_Process_Layer.md)) defines relevant processes for onboarding and using components in the IDS. Where those processes are relevant for the compliance of a component or organization, they are also evaluated during certification with regards to the adherence with those processes. +The Process Layer ([Section 3.4.](../../3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_Process_Layer.md#process-layer)) defines relevant processes for onboarding and using components in the IDS. Where those processes are relevant for the compliance of a component or organization, they are also evaluated during certification with regards to the adherence with those processes. #### System Layer #### -The System Layer ([Section 3.5.](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_System_Layer.md)) defines the possible interactions between the components, detailed requirements for the Connector, and specific types of Connector implementations. The System Layer is the predominant layer regarding the security requirements with the Component Certification. +The System Layer ([Section 3.5.](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md#system-layer)) defines the possible interactions between the components, detailed requirements for the Connector, and specific types of Connector implementations. The System Layer is the predominant layer regarding the security requirements with the Component Certification. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md index 06e0eb36..77c2a7b4 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md 
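Review bot: this hunk changes the Roles link in the second paragraph to "3_1_1_Roles_in_the_IDS.md" but leaves the unchanged context line in the Business Layer paragraph pointing at "../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles.md", so one of the two links is necessarily dead; update both to the same filename. The Information Layer and Process Layer renumbering (3.4 to 3.3 and 3.3 to 3.4) agrees with the Usage Control file in this same patch, which is good, but the System Layer link now points at "3_5_0_System_Layer.md"; confirm the "_0_" variant is the actual filename. Minor: "Section 3.1.1." and "Section 3.3." keep a trailing period inside the link text while "Section 3.2" and "Section 4.1" do not; pick one style.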
+++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_2_Roles.md @@ -8,7 +8,7 @@ The realization of the IDS Certification schema requires different roles respons It should be noted that all roles described in this section are specific to the International Data Spaces (i.e. terms such as "Certification Body" should not be misunderstood to refer to an existing organization already granting certificates). -The defined roles and their main tasks are described below, while additional details on their tasks and interactions are described in [Section 4.2.5](./4_2_5_Processes.md). +The defined roles and their main tasks are described below, while additional details on their tasks and interactions are described in [Section 4.2.5](./4_2_5_Processes.md#certification-processes). #### Certification Body #### diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md index ebe08fd3..bb446a7c 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_3_Operational_Environment_Certification.md 
@@ -4,7 +4,7 @@ Participants in the International Data Spaces share valuable data. It is essenti Central elements of the IDS Operational Environment Certification are the different Trust Levels and Assurance Levels. The IDS established these levels to offer suitable certification profiles for different use case requirements. -On one side, the following three Trust Levels are established: +On one side, the following three Trust Levels are established: + Trust Level 1: Entry into data sharing + Trust Level 2: Providing reliable services 
@@ -21,7 +21,8 @@ On the other side, the following three Assurance Levels are established: Higher Assurance Level represent the increasing demand for more reliable evidence that needs to be presented in different evaluation methods to prove compliance with the certification criteria. The following figure illustrates all possible combinations of assurance and trust level, that an applicant can choose from. The combinations not marked with a tick, e.g. Assurance Level 1 and Trust Level 3 can not be selected, due to incompatible purposes. + ![Operational Environment Certification Matrix](./media/2022_Operational_Environment_Certification_Matrix.png) -#### _Fig. 4.2.3.1: Overview on Certification Levels for Operational Environment Certification_ +#### Figure 4.2.3.1: Overview on Certification Levels for Operational Environment Certification -An in-depth description of the Operational Environment Certification can be found in the [IDS Certification Scheme](./CertificationScheme). The Criteria Catalogue for Operational Environment Certification can be requested on the [IDSA homepage](https://internationaldataspaces.org/publications/white-papers/). +An in-depth description of the Operational Environment Certification can be found in the [IDS Certification Scheme](./CertificationScheme/README.md). The Criteria Catalogue for Operational Environment Certification can be requested on the [IDSA homepage](https://internationaldataspaces.org/publications/white-papers/). diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md index a3555f57..0a81ed29 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md 
+++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_4_Component_Certification.md @@ -6,7 +6,7 @@ Within the next two subsections, three different levels of assurance and trust f #### Component Assurance Levels: #### -The depth and rigor of a component evaluation consists of the following three assurance levels, +The depth and rigor of a component evaluation consists of the following three assurance levels, independent on the type of component that is being certified (e.g. Connector, Broker, etc.): * Assurance Level 1: Checklist self-assessment and automated interoperability testing @@ -25,8 +25,9 @@ The following three trust levels are defined for the certification of a Connecto The following figure illustrates all possible combinations of assurance and trust level, that an applicant can choose from. This matrix approach allows the component developer to select a combination of assurance and trust level for their component that best correspond with the intended use cases. On the one hand, this ensures a low entry barrier specifically suitable for SMEs. On the other hand, a scalable certification to meet high information security requirements becomes possible. The combinations not marked with a tick, e.g. Assurance Level 1 and Trust Level 3 can not be selected, due to incompatible purposes. + ![Component Certification Matrix](./media/2022_Component_Certification_Matrix.png) -#### _Fig. 4.2.4.1: Overview on Certification Levels for Component Certification_ +#### Figure 4.2.4.1: Overview on Certification Levels for Component Certification An in-depth description of the Component Certification and its Assurance and Trust Levels can be found in the [Certification Scheme](./CertificationScheme). The Criteria Catalogue for Components can be requested on the [IDSA homepage](https://internationaldataspaces.org/publications/white-papers/). 
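Review bot: The closing paragraph of 4_2_4_Component_Certification.md still links `[Certification Scheme](./CertificationScheme)` (a directory, not a file), while this same patch changes the identical link in 4_2_3_Operational_Environment_Certification.md and 4_2_5_Processes.md to `./CertificationScheme/README.md`; update it here as well so all three links resolve the same way. While this hunk is open, the unchanged context line `independent on the type of component that is being certified` should read `independent of the type of component`, and `a combination of assurance and trust level for their component that best correspond with the intended use cases` needs the singular `corresponds`.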
diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_5_Processes.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_5_Processes.md index cc02fc52..2e6a7ca0 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_5_Processes.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_2_Certification_Perspective/4_2_5_Processes.md @@ -1,6 +1,6 @@ ### Certification Processes ### -Participants and core components within the IDS ecosystem shall fulfill common requirements to ensure the security of data being processed in the IDS. Therefore, the certification of operational environments (as explained in [Section 4.2.3](../4_2_3_Operational_Environment_Certification.md)) and core components (as explained in [Section 4.2.4](../4_2_4_Component_Certification.md)) is mandatory. Involved partners are the Applicant, Evaluation Facility and the Certification Body which were introduced in [Section 4.2.2](../4_2_2_Roles.md). +Participants and core components within the IDS ecosystem shall fulfill common requirements to ensure the security of data being processed in the IDS. Therefore, the certification of operational environments (as explained in [Section 4.2.3](./4_2_3_Operational_Environment_Certification.md)) and core components (as explained in [Section 4.2.4](./4_2_4_Component_Certification.md)) is mandatory. Involved partners are the Applicant, Evaluation Facility and the Certification Body which were introduced in [Section 4.2.2](./4_2_2_Roles.md). #### Approval of Evaluation Facilities #### 
@@ -14,7 +14,7 @@ The approval process is structured in the same way for both types of future Eval These phases will be described in the following sections. -##### 1. Preparatory Phase: ##### +##### 1. Preparatory Phase ##### This phase serves to collect all important documents and information needed for a smooth approval process, but also to discuss the process flow. This phase also offers the opportunity to clarify any questions related to the process within an (optional) inquiry meeting. It begins with the completion of an application form and the signing of a contract between the potential Evaluation Facility and the IDS Certification Body. 
@@ -37,20 +37,20 @@ If a negative approval decision is made, the applying Evaluation Facility is inf For quality assurance of the certification process, the approval regularly needs to be renewed. In addition, it is possible to restrict, suspend or withdraw approval in case of major compliance issues. -The full approval scheme can be found [here](./ApprovalScheme) +The full approval scheme can be found [here](./ApprovalScheme/approval_scheme_for_evaluators.md) #### Certification Process for Operational Environments and Core Components #### The certification follows the same process for all certification profiles in Operational Environment and Component Certification. It consists of the following three phases: -1. Application Phase: The main goal of this stage is the successful +1. Application Phase: The main goal of this stage is the successful start of the IDS evaluation and certification process. -2. Evaluation Phase: The main goal of this stage is the evaluation of +2. Evaluation Phase: The main goal of this stage is the evaluation of an applicant or core component based on the defined evaluation criteria. -3. Certification Phase: The main goal of this stage is the examination +3. Certification Phase: The main goal of this stage is the examination of the evaluation report by the certification body, which issues a certificate if the result of the evaluation process is positive. 
@@ -58,14 +58,16 @@ However, the details for each phase differ slightly between the Assurance Levels For Assurance Level 1, the Applicant must apply directly to the Certification Body to trigger the start of the certification process. Once the Certification Body accepts the application, the Applicant is responsible for the Evaluation Phase by conducting a self-assessment and providing the results to the Certification Body. In the Certification Phase, the Certification Body reviews the self-assessment and issues the certificate, if the self-assessment meets the defined requirements. ![Certification Process Assurance Level 1](./media/Certification_Processes_Assurance_Level_1.png) -#### _Fig. 4.2.5.1: Certification Process for Assurance Level 1_ + +#### Figure 4.2.5.1: Certification Process for Assurance Level 1 Assurance Level 2 and 3 require an independent Evaluation Facility to conduct the evaluation of the component or operational environment. The Applicant must contract an Evaluation Facility which was approved as described in the first section of this chapter. Together, Applicant and Evaluation Facility finalize the application for certification with the Certification Body. Afterwards, the Evaluation Facility is responsible for carrying out the evaluation according to the IDS certification schema. The Evaluation Facility documents their progress and findings in an evaluation report which is passed on to the Certification Body at the end of the Evaluation Phase. In the Certification Phase, the Certification Body examines the evaluation report and issues a certificate, if the evaluation was conducted properly and led to a positive evaluation result. ![Certification Process Assurance Level 2 and 3](./media/Certification_Processes_Assurance_Level_2_3.png) -#### _Fig. 
4.2.5.2: Certification Process for Assurance Level 2 and 3_ + +#### Figure 4.2.5.2: Certification Process for Assurance Level 2 and 3 After a successfully completed evaluation process, the Certification Body awards an International Data Spaces certificate to the Applicant. -This certificate has a limited validity period. If changes become necessary during this period, a Change Certification Process can be followed to get the proposed changes evaluated with reduced effort. +This certificate has a limited validity period. If changes become necessary during this period, a Change Certification Process can be followed to get the proposed changes evaluated with reduced effort. The validity of the certification can be renewed after a re-assessment of the component or operational environment with regards to changes in the IDS certification schema and current state-of-the-art solutions. -More details on those processes are provided in the [Certification Scheme](./CertificationScheme) and the IDSA Rule Book. +More details on those processes are provided in the [Certification Scheme](./CertificationScheme/README.md) and the IDSA Rule Book. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_10_IDS_RuleBook.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_10_IDS_RuleBook.md index b05e9833..9046f873 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_10_IDS_RuleBook.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_10_IDS_RuleBook.md 
@@ -62,7 +62,8 @@ for the realization of use cases on the foundation of a trustworthy infrastructu 4. The interaction of all is structured and guided within this Rulebook. ![Overview Rulebook scope and goals](./media/Overview_Rulebook_scope_and_goals.png) -*Figure: Overview Rulebook scope and goals* + +### Figure 4.3.10.1: Overview Rulebook scope and goals #### Scope / Non Scope in detail #### diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md index 788992d2..523097ba 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_1_Layers.md @@ -2,7 +2,7 @@ #### Business Layer #### -The Business Layer (see Chapter 3.1) facilitates the development and use +The Business Layer (see [Section 3.1](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3-1-Business-layer.md#business-layer)) facilitates the development and use of new, digital business models to be applied by the Participants in the International Data Spaces. It also specifies the roles within the IDS. Thereby, it is directly related to the Governance Perspective by @@ -12,7 +12,7 @@ such as data brokerage. #### Functional Layer #### -The Functional Layer (see Chapter 3.2) defines the functional +The Functional Layer (see [Section 3.2](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md#functional-layer)) defines the functional requirements of the International Data Spaces, and the concrete features resulting from them, in a technology-independent way. The IDS Connector represents the main interface to enable participation in the ecosystem. 
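Review bot: In the 4_3_10_IDS_RuleBook.md hunk the figure caption is promoted to a level-3 heading (`### Figure 4.3.10.1: Overview Rulebook scope and goals`), whereas the captions converted earlier in this patch use level 4 (`#### Figure 4.2.3.1: ...`, `#### Figure 4.2.4.1: ...`, `#### Figure 4.2.5.1: ...`). Captions rendered as headings appear in the generated table of contents and receive their own anchors, so one level should be used for every caption in the series; level 4 keeps them below the `#### ... ####` subsection headings they sit under, and level 3 would make a figure caption outrank the section it illustrates.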
@@ -25,7 +25,7 @@ to the Governance Perspective. #### Information Layer #### -The Information Layer (see Chapter 3.4) specifies the Information Model, +The Information Layer (see [Section 3.3](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md#information-layer)) specifies the Information Model, which provides a common vocabulary for Participants to express their concepts. It thereby defines a framework for standardized collaboration and for using the infrastructure of the International Data Spaces for @@ -36,7 +36,7 @@ describing data by metadata in the International Data Spaces. #### Process Layer #### Providing a dynamic view of the architecture, the Process Layer (see -Chapter 3.3) describes the interactions taking place between the +[Section 3.4](../../3_Layers_of_the_Reference_Architecture_Model/3_4_Process_Layer/3_4_Process_Layer.md#process-layer)) describes the interactions taking place between the different components of the International Data Spaces. The three major processes described in the Process Layer section (onboarding, exchanging data, and publishing and using Data Apps) are directly related to the @@ -45,7 +45,7 @@ architecture. #### System Layer #### -The System Layer (see Chapter 3.5) relates to the Governance Perspective +The System Layer (see [Section 3.5](../../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md#system-layer)) relates to the Governance Perspective due to its technical implementation of different security levels for data exchange between the Data Endpoints in the International Data Spaces. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_2_Data_Governance_Model.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_2_Data_Governance_Model.md index 0d82efce..0efbe531 100644 
--- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_2_Data_Governance_Model.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_2_Data_Governance_Model.md @@ -24,7 +24,7 @@ what IDS components are involved. - IDS Connector - Catalogue of rules allowing Data Owners to configure usage conditions related to their own requirements -- Define pricing model and pricing (see section 3.4.3.9) +- Define pricing model and pricing (see [Section 3.3.3](../../3_Layers_of_the_Reference_Architecture_Model/3_3_Information_Layer/3_3_InformationLayer.md#digital-resource)) ##### Data Consumer ##### @@ -125,9 +125,9 @@ notation 'S', which stands for supported. | Distribute and provide data | R, A | - | S | - | | Link data | S | S | R, A | - | -
Table: Roles responsible, accountable and supporting in data governance
+### Table4.3.2.1: Roles responsible, accountable and supporting in data governance + -
The following subsections describe five topics that are addressed by the Governance Perspective. These topics play an important role when it diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_7_Data_Quality.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_7_Data_Quality.md index 4fd98fee..5370eda6 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_7_Data_Quality.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_7_Data_Quality.md @@ -9,5 +9,5 @@ the transparency it provides with regard to the brokerage functionality it offers. Especially in competitive environments, this transparency may force Data Providers to take data maintenance more seriously. By extending the functionality of the Connector with self-implemented Data -Apps (see Chapter 3.2.4), the International Data Spaces lays the +Apps (see [Section 3.2.4](../../3_Layers_of_the_Reference_Architecture_Model/3_2_Functional_Layer/3_2_FunctionalLayer.md#value-adding-apps)), the International Data Spaces lays the foundation for automated data (quality) management. diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_8_Data_Provenance.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_8_Data_Provenance.md index 74ee0c3e..2f8da8ef 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_8_Data_Provenance.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_8_Data_Provenance.md 
@@ -6,7 +6,7 @@ lineage of data. This is strongly linked to the topics of data ownership and data sovereignty. Data provenance tracking can be implemented with local tracking components integrated into IDS Connectors and a centralized provenance storage component attached to the Clearing House -(see Chapter 3.1.1), which receives all logs concerning activities +(see [Section 3.1.1](../../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md#clearing-house)), which receives all logs concerning activities performed in the course of a data exchange transaction, and requests confirmations of successful data exchange from the Data Provider and the Data Consumer. In doing so, data provenance is always recursively diff --git a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_9_data_spaces_instances.md b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_9_data_spaces_instances.md index 01024e65..b7d84fc2 100644 --- a/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_9_data_spaces_instances.md +++ b/documentation/4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_9_data_spaces_instances.md 
@@ -7,12 +7,13 @@ Consequently, the IDSA will consider (the governance of) its development and dep 1. striving for interoperability within data spaces instances (also known as to as ‘federations’ or ‘intra data space interoperability’) which is defined as interoperability between the data space authority, processing and data sharing building blocks within a single data space instance. This implies that the IDSA should ensure that the implementation components of the IDS architecture are developed in coherence and provide a gradual migration and growth path. 2. preparing for interoperability between multiple data spaces instances (also known as ‘federation of federations’ or ‘inter data space interoperability’), to pave the way towards the federation of interoperable data spaces as pursued by the European data strategy. -The governance of both intra and inter data space interoperability focuses on the set of commonly agreed principles and architectures, covering more than merely the technical aspects. A framework for addressing all aspects to be governed is provided by the new European Interoperability Framework (EIF) as developed by the European Commission. The EIF distinguishes four interoperability levels (legal, organizational, semantic, technical) under an overarching integrated governance approach (Fig [4.3.9.1](#interoperability-levels-as-distinguished-in-the-new-european-interoperability-framework.png)): +The governance of both intra and inter data space interoperability focuses on the set of commonly agreed principles and architectures, covering more than merely the technical aspects. A framework for addressing all aspects to be governed is provided by the new European Interoperability Framework (EIF) as developed by the European Commission. 
The EIF distinguishes four interoperability levels (legal, organizational, semantic, technical) under an overarching integrated governance approach (Fig [4.3.9.1](#figure-4391-interoperability-levels-as-distinguished-in-the-new-european-interoperability-framework)): ![Interoperability levels as distinguished in the New European Interoperability Framework](./media/interoperability-levels-as-distinguished-in-the-new-european-interoperability-framework.png.png) -*Figure 4.3.9.1: Interoperability levels as distinguished in the New European Interoperability Framework.* -For both intra and inter data space interoperability the IDSA has defined its approach on the governance for development and deployment on the various aspects for each of the interoperability levels in the IDSA Whitepaper ‘Governance for Data Spaces Instances’[^2]. It clarifies the roles and responsibilities. In certain cases, the data space instance itself will fill in domain-specific details, while in other cases, the IDSA can propose inter data space standards. +### Figure 4.3.9.1: Interoperability levels as distinguished in the New European Interoperability Framework. + +For both intra and inter data space interoperability the IDSA has defined its approach on the governance for development and deployment on the various aspects for each of the interoperability levels in the IDSA Whitepaper ‘Governance for Data Spaces Instances’[^2]. It clarifies the roles and responsibilities. In certain cases, the data space instance itself will fill in domain-specific details, while in other cases, the IDSA can propose inter data space standards. It is to be noted that in previous releases of the IDSA RAM, the focus has been on the development of intra data space interoperability. In the meantime, the inter data space interoperability has been gaining major interest[^1], as exemplified by the work of the Data Sharing Coalition on the Data Sharing Canvas[^3] and within the EU Project Trusts[^4]. 
With such initiatives, the IDSA will keep close alignment. From 78d35a639d914be8bef1db0d31134a54ecff8499 Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Mon, 17 Oct 2022 10:36:33 +0200 Subject: [PATCH 20/22] editorial update Adding magic triangle --- .../1_3_Relation_to_other_assets | 9 +++++++++ .../media/IDSA_Magic_Triangle.png | Bin 0 -> 309300 bytes 2 files changed, 9 insertions(+) create mode 100644 documentation/1_Introduction/1_3_Relation_to_other_assets create mode 100644 documentation/1_Introduction/media/IDSA_Magic_Triangle.png diff --git a/documentation/1_Introduction/1_3_Relation_to_other_assets b/documentation/1_Introduction/1_3_Relation_to_other_assets new file mode 100644 index 00000000..0f296e68 --- /dev/null +++ b/documentation/1_Introduction/1_3_Relation_to_other_assets 
@@ -0,0 +1,9 @@ +## Relation to other IDSA assets + +Based on this Reference Architecture Model a Certification Scheme is derived that validates the compliance of [participants](../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md) and [components](../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md) to this Reference Architecture Model. Such components can be provided as Free and Open Source Software or proprietary software. The operation of a data space instance is described in the [IDSA Rulebook](../4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_10_IDS_RuleBook.md) based on the BLOFT (**B**usiness, **L**egal, **O**perational, **F**unctional, **T**echnical) aspects of a data space. + +The [Role of IDSA](../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md#category-4-governance-body) as an association and governance body is to keep those artifacts consitent while contiuously updating them based on the technological developments and user requirements. This is the IDSA magic triangle as depicted in figure [1.3.1]. + +![IDSA Magic Triangle](./media/IDSA_Magic_Triangle.png) + +### Figure 1.3.1: IDSA Magic Triangle 
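Review bot: The new page is created as `documentation/1_Introduction/1_3_Relation_to_other_assets` with no `.md` extension, unlike every other page under `documentation/` touched in this series (e.g. `4_3_10_IDS_RuleBook.md`, `3_1_1_Roles_in_the_IDS.md`), so it will not be rendered as Markdown and will break the naming pattern other pages rely on for relative links; rename it to `1_3_Relation_to_other_assets.md`. In the body, `as depicted in figure [1.3.1]` is a bracketed reference with no link target and will render literally; either link it to the caption anchor or drop the brackets. Typos in the added text: `consitent` -> `consistent`, `contiuously` -> `continuously`. The caption `### Figure 1.3.1: IDSA Magic Triangle` again uses a level-3 heading while the certification-perspective captions in this series use `####`.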
diff --git a/documentation/1_Introduction/media/IDSA_Magic_Triangle.png b/documentation/1_Introduction/media/IDSA_Magic_Triangle.png new file mode 100644 index 0000000000000000000000000000000000000000..97bcddc05c24297c11aa0469ca0858650a658ad6 GIT binary patch literal 309300
zhYfn}!|>GwNcQqY|JUoN9Za9!gRTWkd>nhk1AIfTB!O4Q2HZ#S`@tyb*;qpH=iaJf z#ps;~E`b7aL^s+AL+&v#acx1nO`_d4P0fAK$}S+NaFny5WZGU1*Wj3=B z&;@N0bwbAJ;`zD;Du4UE8J?j1Qa1&a2NrxpcV5XfbSKJZS)e#7@cWK2U&>B5-$CEmdqk=^fK#ba7*yv zO?3T;7c!w%LG+ThAJJtZ#s)#+m!K%cv}m$MVAJK77svEFl58){eUejLU?I@?CU7#T zE2~$gMyo=5VGmY@#{!m@cXDQ(4G`d=y}tYKgRgpdxL+J;{sAeh^7P2%CTf#IIWY0l zrM;t%VezsN=RAmSh zrs8FN%NWYN-}AKi@MoN?A`xV7!qud@@@JYldVSPW^BJaQaT|Pc49`LMrnhOucRQQ8 zISwAqJnA@GfMrUXReKVyN|N5>G0SC!eDG<{9`lr`5a}X>vuO1oIxER)6qEuUC z(pz#Bb2fzbXeDE1Hu+ZQ-}EfN>)(%XE9#!>H*UBY`|IS=Q|7%ry^pe+wDd32t#Cz! z!FX9yG_yr0e<#v6VYfD<-CDoF{mEr>50jpnk0}Hi#J6pBO<5_jxW#Rq#R2Iy8e<|NWVrgz0ivMXNWN-ZRC>#yYmCOaC2Ljhe(dSdrjfm6*MW_g(%&~TD0G|J3ANi6c zTosVee=`yp4W|7hGSqswtc|}N-d^%du#rHf(NSNYRH7tBP-m@+-VbkuUe~V#9P7Vu z@|i}2F#{~!j8#QP%G@-)BVYaa{tbC$*!N%3a7)P-g(OTqK}R?ox#N*d%IUT=*#_20 zt$137%gXCf?5qS}#7foQbGi)2!~_I*sX|)pzpK-mF!_-$z-U+=Kr}5=xAjg7CeMYU z^`DJjYI`QbBAU&%*b?7iYQ~?&Hm=XdJUaXYG{B#R(kxN@zY~}8*N zZ9cBJH>_(ggE?tX2}MSTBsd?M3Zo-c#c&-$vtqc{^})I#dsh`b?ape%`5E14q|pZ^ zP~U;CH$)+#5_;dhsE^e#^CPvNSK!E$p4^&_1K<#>WVX}C$A*a&2yfAPRt#I<9Lg1$v>5^EUx@rl=Y zR%ITMoE9)J_-;bRMN$=`x)Rv{k5Zu!K7*{VbqAT_b+97I?9?bXpg*D3keHa952TxL zO`!B7_JgG!!+|Lhlge2S^))3}qVCxl-RPZYGTKA-Xoc^8sZmRyWK+$R+V@hrkhvs8lGy z(274}X&|Y;|8Amq1~{}UyG-%87;rGoojIQ8kfR8FvB%O)>&z#L0dlDmaIL#YSO`5* z#d$QO761>&tNJZDN4WX0FcbJ>L(?;%13!8EGra33@ov3nw@$R%wyEvrgbKQJ{ApFO zU%HJjfiw5s%of7%&ib7+Vv;JKhFlZ`Vf{HC>DHK-Mus6Vt*jiyWmfsxMQ16NqWz@| zO&FN`(h=S(LfJ>_`XvKSG6`D0bag*3)mNt|Opd=cY`>MY;Ja6!q}Zubvm9^dtZ8n5 zFu5PnWTCz3M4zUuX$1g9yCQxb+N0qONm)62K@Cdc|18+7R6JR>6!?aZ7Q_8TQ(dvEPH?dt!xqOC!82 zk;B}p%2L5-W~}}LaGj%)hLX0OXy0WwNy*V7k>y%%x<;seVID5MZhkQ`JFS9Tj|z{H zU+WeZ8o0NRzv`PFKl=8Vc!mP8Y|T69=6%114SLhebtZ5VGQP+sHjc<8E1JwC?kSy-P5S ztN>!>=Lv<(o@TXGum6&u48%1j^=kwYsOXOAERqmd%EY z1gr?sq<64`Q~?#~Dj8K}vwof}$WT5fDNzLI^$7P!f{!yir_q z{l4>^e}_L@TqN)Nw3)f*o_S`(|51kVYV+meIow&skFg&<^E_yzl_WHnD~sy*5UgqS zhvL532-Q4He6zZ5x>|&Cb{S<%%{Z%!>em3Q`FJEe*i*pGt29=VLb=`Aib2>7uxN_Zla$rQ5_SEN5Cw1T4bK_EbaL?S=6VI8q(6->oIMkZiAEws! 
z&GN_iS{GziJ};Y`x6)Q?k8zkAw~2N`%N1`SU#V@So!{eDl?$vboU>ygSI0(cn$ud#x=Z4oM^ESkVWU`U;FJfQ1y*GhaDglLr)q6oR%FH$Dtlr6 zNnXMBgJ#V;jewpSiFKKDBUHJhUe#;XM5yW5P@fo&j$?)_#Ig_}B!dr8E*a08^T?-7 ziQ{FUvWT@=+bB)5_5 z6AbmVtKf4Q*f7WKbV8I`g$HbH8XB_wum3}WXyK?=F*d|SL5SMA3nz&tb>D^ z5CV1r;DV)LkBO_kOOIkKmJ`{j5zVDh8_SotU@c!LxPqESuU9#!W&^U%_zK1rcHUx5y@`>gI?|Kobg*Z1#9pHt?VGW41Aq+thRvo<@ z>j7Aye2Pjz>vu?o#4AxR2YcDth^^?0QqvI=$SQl^I7&`I7)?rA?Bp2N zVE9~|f<8HD=w!zc#*LAI4(jc$BMdQyUkw1-MC6nz$w>Xq6CflY6LdNkL+LKG;V+^1 z#zc=N&Lx-itby4S0L06xRqlEsb#OAR>Kcb>YBHE=uYOhCcAxl%H!OYZ#x%%#e4TaG zTEco^9|R~8t&{eC1ywn@auLm~h-C}hu9@Mz+MB8 zTKFVc%D39I`P2nlo6HAk7*!IZ1*}VJTGS06!n>RxeK$(GZYlv|iVBX% z2g&naosVSbu8fa0;Kfu6Jtf0i71hmcGB9J^>b_^mSMWdu*}9Eia4?PTRL3m{>@hZI z844e6FI4NX%dy-?4_co39z|c@QxEmRj65PWZ20*+01Xjs2h}=5UmJ@z; zvOBV8=%rlFkQkuVlNU0vy`YxK2!94S6L@5qrj<&C6QwygYGUsUVS?cEo?KU5G_f15 zzRpQwQru>~ZLD&@bFy&hAz@d_m@O&~~@kI&kwIsAUR$)q(NQbt5!c#b0GQh?S|h>1LV6d=ay4oQ<=AXHbeh z3#ET4036H0nc01gbaEVL_@f9Dh8s<4n%A8Ch8S2KKDW;uVj5^2nBbg)8HI-t+C16z zjCNn*=kCdcDEfFelvBwP7=S$*Tr#A4npE-@#7X&2lpdL9#oDysJx09FfV-Un@O;@b zOSAH+??LWmvez|G6Cab*~GT-ucr!ls2|!yT30A z!nhjJBsX9QM+yM_XhkVQ$@%oej;K|uffKT`jMjFB;#+`r+k^A+_raTm5vw}nEL=PB ze6)vx%>{z3ROHKO|5A%Y@&NgD>`4TY+CSal#jP;CZ%!bE`f?$5qPVc}0AC{ghF&+R zU0L72$~(oM9OX}#(GiQR&B&2m@XYcd?{U+f%WT9hkO0UNA1x(j>RcRavML}{D_#q# zCHUx)&}k*A=G7xL@LrPyuks6~#56CAocP4?kclhV((<hYBF3ZfD|e=pPExCAADk zn#)&3mAx*Qw69Og8H#bVEJ^5Y#*j;DhmK;X^Ra5a#+X^L9J^rXAgyyUgZ!cYTu5tO zVO`YFgRG#VI<2z7wn6M=OQ{a>iUmpugA!SeU_l@;^S9>B^NO*->MO@^o%JIsJ~`wQBK5{r?Ta<0pbc7A?YXvJ3L5k3mJI5U_OGF%H%#t@)4T3ei&8bTYO3kiMN`YXb zC|+NOl@7U&Gi0i;!)%Ic>X21Fh0;y9q2VAFl;hc8*3JuDlcREh)L0!i$9Tyck2uyk zD~N;Rxh4=AP?9by8xjG3F07H=*gXE$D|G(Ivn==nwN}ie<%4nlLtlJHKM<$ z$hm>ZG8SJVyuwO%v`2V!(Gt+JO=d(7k+CwOdS3Q;Vh5nR_7vtyY0n`8EF4#E7DuEf zpW;z?qL$1*um>#SAzynw5B@J^?}cq_$J*e*N}q=00cr<4_BP4gdb=?-T!O#-6D7{XB@FseaMp5@8&XI-F%v`sms_2@Ic0wW?ekY zZNf@U6Vz>UJYqpg%Kpy0wEJY&I;%pr2{p1*>iaN^@&xLl59ZHh0*@0rT zH;NKz>I#5ZrV^Lj(5NH)Ql5NuOinJFxm%*ReYPqte^Wa>Wk1?9tZ)u}(Ll}kNjpKf 
zvopDE%rf~NwD?O)9d5=~$GTVtloez;!^+M&5@c-p&wWAg-$Lu9B1PJ3?EBW>BuPEX z+v5ku+|VauE4x&+b^V3Qs{}yFC&TIy{(&7KW}_XtEoN5<{*k^!M?rWnDr*}vch0y5Fq$>-QhPM`1Ed9cHG;|nnnOk0-U0s61|}R6x;-9ORSGn7(#3S zt72{55UM2Y=X+D@0>pd1S9S`4yrF;P(5|ca3$a>6Q&AgArulaT)60((WDQvZU$+Me zwoilFttQip(*q{cpu5-DcuvIZ+(0)4fT(Xj$R012BlQRu-0Tv6+-AcUw^)qb@)~G;OZwp zo-9J6@ML;fEM%Kwxl{q2iiR|}Le zPBfWj&?u-5tqV4_)nKvBtm?hN`I|TX;UdoJ60&lKrIKY&Wv%d~JdBtHr*$m8{6ANv zUz1H8Q0G2B<9w66RLF_&pNGRL{qRq421M&A^IVPdV}M=|gtP2s$!k}DC* zc?1sJv}U{jq13@JsoG0+_0pc+n%*Yf_TFBRCnH%DH#D2EpYmbXby>yJhDWD{nh^qw zVHH7sMm)1&wi1C_BvmrM5Kz-oaMbXYK-@ehb0+JdbgFcrbhR{5nk)^F$lSEY_dMNG zEG3kq^mF|wfTVgJ1zQUshjeGrs(#(po9_7zc1m z2U-{tE+-5(Y-Od0f@$}uLn`B^vX<-m=E@gEdzI*)N_rLP`1s|~enGnNLLtmSgz;8m zey&;W2)J?nH3JrAc-7${p@B=t-BO@8QSPFwr0Oc~H4?O`XM zDyr9Zgvm+3Ex*--1S4dHFn+2Exh}x5w)fFob-dre6b?C+oZnC0GYx0FCu=y0EsLX; zbOL)B1J+7(xW+7|61R{ixQFqncX4W}5;e;gh+CdB;b2afl>0AYv;ApPgSRs(?KPGc zrx@9O1ijFE7Iq)k+iACmWie4h+2!QmkoyE7Z zfB&j~v$jyWm@gfJ5M)f?sPmQCw0_AXJyqZL%wYp0V+yydW35c@iC^mIr}ZukPxbnd z%md9oAI6xbz4~nAa0C;|tCQ8vJHFj6xYjCEjYY77cNaB46aBF-#z+4p6Lod^+j!>G zlm-*Ho!4S*1_T%TCHFA0HI`Z`<8RIcRW@@ATI1#!!gApqb-W>%kFCRP!oDWdH{*xC z&8Wf=D$x5wKyqEh7;+JT1UtPVYONpb`s4v~8pT+uq%1zj-oqG{M7l3V3p$L#RvI|7 zIeHiH3LLnBYTV3-nH~J5Zit$=@2Z|~HfLR6`JYRFJ1f$gHkkx6X$GkIDKBOpxrr@C zd|HFf6|X_3^wMYgIah)>IdN0;(Ph24<-6owb$Tk$1*z~$;F{uqxFNM@+@sxXRVrBA zPlQp_%l}k1-Z{Q(r3LI00pTy_SYXP>EYnzSuSBfmND4AEf;ANBOm&`c|4=#L3AYwy zdK7GeCyx6ot!~LWg?&FE>Y`u)|0VN4=0LQyJ|Dcbia8@$j#@l`TWswAP%W9Q35rU) z%+E||_ACuIV+d4R$B?|KVV&M$0se18?o)+!8DtQxcDV?k4OYkd&rT7Tp_0i#vhXho z^x?cp=9qoFV9(0bsE@6acKhvIZsu^Xs@{TwUP#_Fmo2$7Tze-nu^%7l2O2e z`$B%DL??5Z6iJ*S-5AyX2$raepi>y5;hY*XHHsEtx%PIHT(yZHSI=4=Rzw6mMe*)0 zf+7JW!+||3RsATceW8NE$_rHgN+oJ$R#2dvkwvix{+J9RxYXQnSOHPZ5Z{DiD9C-k zTEeQ;@HKz`*BY=-!h04d1>6Y15fQhXr9n-u4A!6x&0p`5vqRJg*!%W!k#2;_tj_XH z;IE)**YDP}Rxb|RSZaBceEHmaW`BdEAY_z^1%gV@;P8Pfuyd!B;H3Jm&~)9pJ*>-C zKUF_p7e1-6ayOU*wZMs#aP%~Nh#JYt-qXYAD9qOUQZC|ajX&loAC?e<)tFOIFBMoV 
zd;hg8`~P^Etj}m=j@GM6Z)TEcu-kP;^j_p>Mxa+5fmye2GT8O6+Q^UiTB8t|OZffY zPD=&L1z2+-Xq6LO)2JsvXZFiLcpz%UzC27mzy1SiAs9)W@)h)-n8G6b{M2@oqGN(w z&(xaM;6GW=;qgnOsrIZZBH$e_O&}=$!)2k0LrV+ZP9_z# zGG7^vTZ$bsylkZ;N~#aZdl8$KCTu@T1G3|@^V@&}y#Ecz!~5)U%M+D|r8;YEK9iv@ zz4YvI)&)WL)t>$Rq!Cz#S802h0Z)dqft98W|(q%6%^ ztCr4xKv)H@BOBr^lziJGV;;H|)bXr>Ct;S@gKj=88M69zP$AJ(uch#VK{>ObQiGlv zpVDyHlpc#3cMD`Lk~K>4_oAmap(ZO02vQJFH)hm914L%S}^L6qjb%e_(d542WR<| zD6!qSBqYxif8Em)39{ei0J*VS|bHo69`1l-_6G!e1syU;(TH^7n&<&wDaH- zx^B6y-lzLo_xvTI?g@+kiA?^5Gbd_2BT&Ar9))Q@lKv8dBR?+3bDu< zTHl|cjI(}kk&pMHBPT9K{+aD`G^2}~GZ;sm7`ssm<^gmtJs|3G2X6T!%G zL-S%{r^RadMZCUNUk2FY>%E*`)QDb-dB{`4b>N712ri%KkZr2!W%$Rd(JLhV-D5X< zom6Tj-LSVW4{|lBja^;*$pYvItZh%QF2I=fD4rQwna#LGNN(8gNFUN*eyAj%x_jSM zcAv+4Dh;%^BNDqJadS1@-yehi#bcIV7?eMgzi&J3t3KN@CRWs0Yf6|r_7{m`^;=%X zkbM0YVzwfUeprKfrDG?U%Jd4DN}nWbXFpQJzC31STtDA%a>uuW?7Z-^FO)h(Ss9~j0NSd@n$U{HqVnWzJr2Z$)~mAkC;_uCaQpBW={D`17#1R1~>H~zdbRicY#=rjQ!n~k;Pmd8|j7(#M5W3>2s5- zyAv+@3zn&Gck+V)2>;~QBnF|F6J(-kMGUhq8}+p3l{~UCShYoKbz!;1Ab*H;-Tc>= zbOW-=XJFjMilZw>rd+W$@4J%`bmq&uA1NWC7|wK zxr^&QjcF_`aWJUF?kc?%(2vesN5 zB{zoSJQiCtrm*?P4^#;FI0!(sD&5faw1)LYSWDyY$n z5&ocQ)bez;g~n>rlCHm4!v9m(xh&??bRdlD%wyDaHgahh)+aCQC0&vs#i*~7yp zda|lL3ZZ-2->Pnbwi;GUchjHl2ppRi6~w91PohS*zy?l#)v#aHMLkXzdyYJH`h4dTyf}#mtsk$6r+!Ty7|xCzRFPYW`~L1qrc+CD^}*3 zDJW6Ll>5_=j|vX5&c#Vr&uSY#$o2YXeynSnYgp4FlvTOv9!8^}ca*%*=S4l#d^ixzgEr&DO-{nNy9e{g8ILsTp$Jw3_r zklt1C`C66yS5h26BjHwR3!8=>>;^=MCiM2R*v|IY;ORW;mSd}q9r;(n+a-x3Nuop? 
zV_r{Z)8|aG<2OzwxK`(tSPvA^lNZ3B-v+J^#Xf%y$rNdXG5(4|eIclpAa@ki)mjpe zn?5f>zSjJUZ{MpBVco|0FTEtYI3?AQ-itKGAi4S816~%A1`{yFjjznbCe7C#@G@r%kn_uD`_zTK)M=LI2CSKp*_Ils^N;yekSCyok_rjN zLBjzG-6meeZ^WeB4XnRlh>G{pWca@8&7-4Z&|1Q3= zCXx_PG65K=C7}n9_f!fNI=Ge+Fz$6Sh&jitUW{CYh;1yX`N8pZ_VR~>m)@eI&2dm3jlUtNjr)_f0NaYRtFfizHOx zmZ4Rx@t@5?_>WChGui}I=y}X>pxrESV_y8AW@FiyM!)(I+?L$l?Q*r0)d5~cv5eS% z4op>a&kZ#%;Vg$JD}amhTXaN~)ceofmGtYM+Qg_3RHPSMFN|>@N~fz*r^|Y2Wr6X_ zY4OT_WEDI#4epTM&Fz$j;KZz!#9*~(TU#xrC>q%uPrKUj2iOzl7a%9D)*)_|M_Z=wx*b$aJ^aa(5R*;7>iEjGRPa%gn_ayO1% zU&;dB;suYJy%nK)V0ICPUyAd^k$Yxido6or&lo+@F>LOW6zbS4XoT_qi8?sy46D067Jt`_vj8yk8w(y^CIegL>-Q?V|NziYvl$2DD zR?^{O`J&dXIQOqN5x+gv{)s5L-$XIPBwK!;FisxPE5$Lxz7D3D1T^4x;r{&@gPS! zRuK>MBK#g`>{{*oDf^S(iVzh~oWJjbepDj~{qI=E3~gD_e(`O#$1!t+J%oN;*&!w4U#|?gbR>|{RI}@+AU?F0h@>q3g z@I|goH3#Lj)|h+HC(Jv{z3U^qt2hCA4}L3a0@!!w9_%}HSGLYWYKevawN$DcRr|K8 zEzY-E6rW4pWM1eLO0-5<)`p3XZPkRqj@8b)nUL_Y=23ERA<*W8>a-pfi{6EndoO7T zU!4K?U4bIkdM}dxR60~8AY)g%lal&iwpush=&fzL5~9bh&ag=Cr=DH%$Y`0Vm!YXl zT<*$V%hyfCI3~k9&U=WbCQ>F7cEMnN?ls@%$Cu)$G`v-1vBjGzfiOrq9mv5ijqt-< zZ~S6AEb_|9xWjT3NP6h{4QyIKqIDx`G1kr(GA`<=)5c}mi(C@D>a;T48=SKaA@#cb zK6S3rbI{ZehJvFP&VT=5h}ykvyP6JtKWdIezE>9|&YSU31?R!8<@wV*mqt?Klgumox}$0{rvIS0llY3;H{Z>7c-==C@5VuGuLcT2g33s@UNcjPg{qh z`ptCcO>(Q$67*`i0y-wpI$8mtZn~_-j{EZEOKIb)aUdpA>j!pR4FXFrJX9P(XC2{F zxb{vCrIQ>;H5s>5AY)PNeDWV3NtW;4anm)F?REP3wEY@Pdfpz@-5sZ|Pjq0KQuO$0 zq7|~;{G3BYjL!%e#OXdg!rqLj#H1|B`O@|w44@Hw`+2$(8i;&J1CbudsVq7`*h39LTqkC@-1mOdWonhQ*7qiT25>7uF9B!Pl ztf5YH9v1YUd$w5%`-IEl_bq>gFjpw39ejLa{Oe&4(EMn*50aL?t1kz?k2PUk1(5CI zM|bW!vUmM=k#sjNntdbF)n^hoqEf2%ENpJF+dTb3#!q^uS*6M!ENxg2iO`wl#0m;suf<8O?uh|Eb>( zR;-@0`%b}ny(3%Y7ctJ<>jU#`ThcEy<=W|pT+ECZk?{Cphx+?Mp_AoOf1sc(5pCJC zeZSjyo757Gf=f0|)qgH&txnFFs0AW$KF#R#@&X0X6L7NQ75qNjaaxDCcg@?M%0lbi zUmvGN%da%770A0eeU*}W>kq?yqgV+c9P5*f@Rptf_;a_dIdyv`Cmvi+eVZg@Q}xlY zuzP5$)bHVJ@d7vd)V`X3gK4IQt zs=xxQHc5n@ujtPj!nTCpcJzHeW7+mh-J&fm)}0*QzWbvbI}7y6mxlPT)DC#;+vL6@ zrnyO_Gqs|*S3mqo`GeWOSfSbVRopVdA^mG2q!MT4F?8n(w|@J5Fw#Cw3emRD@qd5s 
zBV)FSz93Lm1h z@$p&xj$LCDg}q_9c6ImIjh2!-B}>Mod1S9Y9dFC2RQW9-6fJ_rRAu+W2TIkxc}LLF zA4{@O;>7K@^NM)*d8i>ecHqZ-Pn&-~f!}-k;y|N$S=qKA4ncLXlYtze;4mv!o_%|v z$oa}h7dG!kM}CcawzktIPJxhKBu#IWm`y3wK>PIH<+hz4ZRy#*Ez8}}B}>UH>u}S` zx5kXn%LAH8K*jG8G1+}Y>dxz@*Zw(g_Ox4x_-(hXttEnhzRPbf_Q)t@ERVT@Cn{HJ zz4aJL4zI1awZV?kQzo+G z(K}qGA_@;f@BQ|3{|;p6lPs>he!nf@L=@@!(TgW=ZI&KaKlOAUFIZ-4SE8lY*;gm- z#vDIbl50`(A_>GI}PqN?Z@+Ep6=FlGY76!rOs|HkJF+?w`;EAS?79J6~;)%fMh;j!loD zQM|`kYYjZROz6YIU2gc3b#bZp-j&lPRoY9v^Sm~m+F%K{fIqz$jx8xGTQm1#SE22= z;i>2VRim*B43-Bp`LI^LD;ejs#}bc+YLEN9zvxled7uo85(lb-b#!$fL-m`U z%fT<&zZ5QV`22cbuitFY9!2L0745kQ4ODrTYn}M^-_!D)ibsSZRlRdJU)kr;jH$w~ zEy+mxI(AyBbFtep&%zvg}mD$RMaF)5=WPIAjiZFM-7-g%6HFNBMR#txIug0 z01S}r$byut7Rf|$Iq=4W3pD~@cSQEFY6Hbh_pkk9i4{E)9&QCXTI{<2QH@;O(c2-Z zmPx>I+k_oW&)7d%JNIsjqr{!<79mNhOJc@B+m*}R{9F7kWH!rxU zdCVaR{sb=G)P#As`)k$tuPebC&!3tb3{yL=Xt&$^C22LjBD?Je=&!uhtgM&k;uKtO zd^^B^LI5VsH0emz+~u|s24Kwn-aP=MyIwHSW|(xp<&o6fE0t`NKVX%wP6k3+i3Nzj zvV1JPE$TJd1u65oq_ZyoK)^K0Rb&2Il3RQqwaTVLgW53!DN2qX5lNBFJ9+za$H#_p zfO38s1<9U(|D0h>xMaMHa1v?L18IA_SYfwkG#y+IPYLxgOYX)%H*Q2s&=w!D&Mg?C zm8d_B8p^NY2`xqfJQ%Lm)Fj6O*5A&=!TQkIDbYPA&L8{jyE^zRIXUcNuk|*Ya&Z#4 z5Dwe;_(Uu3vA?Ja;?udel}C5C@GGsjti#bJ3NipR2yDjgrgQDQhJ07SZOr1WVH0o7st_4d(dwPH4GtB|;5$(msu zy9vq2GuOMXcAUKbCoF7LI-f3=DccvyynN|FWCC^luHBu!=mLa1O?CdWF@D=QXS=JI4U0L)*${UouHVeGseUpF`_&*P*g)gU_=iH}d_h~DHWQ;hk>M}5Aq|uCQPc{^Q4zB=A zxv8n;4H}Jy6?=?D(OfIp6(Tsycr%sxK%37a8uY2#=K**dRK*^#F86CnGd|o7^sZ?M zL6OvaCBZAKXFU#$TX_=245Fmx`4vj~r|8Rs%Ods*@ z*uXM17y0p?GIQuGh+Ieyk(uJMh?KT_PQfv)JSV$GfQ{7y=GLsxN&JvbSjdqJ=^p|4 z=~%2BJ8|@R592Y9Op?n$6@Kw zouRvZ>qA70fro(?l)3V5BXGc-zU!D#>R7R&{n6tY^?gA-R*HN>_*hYeZub|1_}EUK zxklxME;j>4iGHlIv{RSjY`C9M2axO}5MVJ%(d7}j^yXzLeWp$tVE;E)(Ay83`6xqB zJz!JycpCYfo}WmBT(RVEE9reAG}U6rQxhs}#i3A2ei29e+mqnW;6XqPS0fzI(2H0u z$*tE~?KS|PS-P$Q1fxQ-{e&wUSN>#tX?N!qk+U1lcIc%azsYr?11am(^@fU ztl~L-)H2ts;D!j$N8!pIqaO(x%sp>{B`wy8Vy|;&l}r}v{P~yIuqwgKQ{iYV<>m3) zwhNQpz-8YNMp61=kw|aCtUVTYTp`2Rent34{S5yYwSqtP_r(vd_<&vLlHHih|0GHl 
zwqsk*W)lF+!p)tqry-*T)3;V}lFcUZ)3<-N&C4^Jv65s!#l z)~%7bW5U1kaJ9 zbnY4<&Oi5EBSp7uU|b6Df>i3Cr`9@YT4m{+!7gk&^2@Ey+J_GoxD1@Z0;=v1FzxuK z`py?JFBt;kXn#UeL~p}+9Ah~H5K-^C!nv*e3>hoLm11iZ6_1go)2>7Hu;L3Il%8%n zX`kAeqy91z**L~?04O8hv?KGCuYssO=>?mE4^HjP92hK71xa zbOEe<)@Y@Ix9=JkZ(THt&*c4ExtqiI*ZzH4^RmBY?3InU)+&K%>M7UVGS?oDsE0z3 z@>sP*x2B4cIB*^AJTvOR$Era5g3$PdT-&o;yd7n}g@tlY*W4Z-4cW$($ z&Rt8HPe?E7U=W`|7?9N(J%#Rr!1n&ZH^>V_)xw(;`uwng0IavXtUg{t;|5V|Lfr#& zSkeKsLDIE`sF^xR+#U97us&TvJK!oy;}7Bh9_5j92m#7ye9*>a5=&-NmG^`ZS%M2# zt#SVKHOGlU#Hi$C_-fD(8vh@I|3+`4pOGE<_S=q+)$pj4l{pKI@acl4)I}CI`|slS z>N~SIN)G-bG-|S+qAhT9o3gDn(g2#=d|C~_32CoM3q*$Z$vRs2$1rj8BsdXmlzv_$ z4QSD&1#s5NvThC4M;@^Do4y+v9Tx}!4BycGo36ez$OSmEC=0J{j~O5!zUD^w zOw+vjuGyi6F~7(8fH(o4O+v0LHx(j!-}Fn-6^iAttzzPqtI=*~PRI6s<*)l+YdQ9m zwktgWv~1jWD5QMobEDnV=nAl%TvST0Bt!?w!kSJ=+kV`(T{-v0aN&sUultt9&6;(%K5t-WG|LkB#MkL6CeX8WBa?J~^FNavr9b2@a%vmhUCA z6!;5xLsPhF2g{cMRzB!*6l06D9Q3C%N}!wz!h3g zUE_MPyTt8Hobu#j!88!cjp}rP6r66ny5(d!%?YBfK4+RXdkX>-dR_T)d*O?iIZxo^ z3IP_qECwWkGHAI#m+HOmwP7gjT8q1os|-t;f{|Ig%X$H18N8?$mX z9OtO-P%eNngy_1F;gAEG99-!+CA+ZcKJ%ks7V3$dyv-lU9g8rZHq+0-1>VRdjJ7g5j0@F;&$S(i0BwJtssNHZK z3GDlrV0p)mj|GmMrJ&f6i5UCE5o~vkjpoDO(^v%CtxW@HbC*51e{PtUWLA>z?zlF(l3E0j(7!-@ z@ql}9XWN#q%*51nZaKT1oBJ?mIv~X#m1|q`Wot{@g(R)*BcO}ijkY&$RZajO2p+cC z*AAFKh?SSI$8Y7MHdYt`a-?C!sk0!fK2}BH2KVcpGG86Qa2*5|Yi2x;P>Z%KiMf&r zPOcV{u|kT1qou0LmWHAm_->#F^kWnaM?a_8{0-wBTn3v<0`>HJT0@e9p_*f)<*{sq z*pl&T*`m3wQFUOd!gq;Y1n#BL$p6zUuh|qRZ}`J(!^NhWLuo+62^natc14u?@y`agbvn8j>rmOgjGA~Irr)i(G2J$&uz}AGm z$gk{vlt1~130e$Llvy`=%Yk%W2baZ~5>9UsIrlOk->KV7oj!Haw8;6@tU5%gKpGX> z_xBdv!|5#GKf36ex&%3Qmc3oT|6(utQI&w@~IT-Ac1!%i9+_ zveFT~<+;FOgRcVyuf~m_X8*T2dhbQoC15!8$XOr)qAW=1D<03S8w66cg-_z-JNF>h zEK9TEf;A8%!1yb@7MKR^LEO~Pi$HFAFTnj^;Bd@_Q!?Lmtw(zi^RA; z>)VEIbE+R*p9mbhsHeIoy6@M9h#UZjxpXAST^>XNkF(SzAk{u+nVSF*w0{%Fo~eSk z1cWQ>XeMxiQZhdCdv)ytB-ug%+rvkXWcpKhFqa4Q86o89SC3pBc(@F>Jx0&lVwQ0o!{RY7j|5@lbv0AJ0GMyd^c0s1d~ z?0oJzr@mD{^%9@~?eXDbIfXi8M#Tosh`s#!!O)SYle8RIRbAlsG1XsUVN0RvJ??Cr 
z`DnUaRp*umjRho~aEVZbUcY9Z=bO>M6l%vRd+4?Sso3|6CqnYz zsS=Kc7$swfO0+*JRFpsV!qX^9+U_ABYcL@EJkniKXiJE*{BzflgCLzGY-DaQVf{gN zJ=jg4&WvV0a9iIr|7~Ou`28RK7rO0-F6CWo2v}-=n*eyN$l2uBgnXSBp5bOdqzmOf z0i`w=YGNgIJfkUDCvf732k<8%0Y9ob^YOqC6~h(biOxk3Q`bwE;n0pXSAgbd!oW@3 z7~^2FOZ;`Reyynnf)D}#!hVK$gvgtc3}4F|-iHF#yPhz%w>PtEiul$8H@_^NZU3pe zugR-)c9H~w&^fSG;Ck5{Q34@(C-D|ADr_}&;g)~xc(@t8l}9?_W&IY((!J60jx&HG zx`?(Afqa#PR98~1G+-$ZI(yjVk6ftVBd43vf0&z{ z4Q3)b@jlry8Dx3dv_l|$ey2v?XF%XUge{Z{Aq{U8o6WoIW3BmQ4@_V~*@`)$ti}Dk zYhy(xICKY^Qw_q~+AdL2YYZp@Z?04(UH$NIJ>h|Ka(_X%l~0X3y(vd40(}83r>jF$ zTywg&5q<&HN&O=IDn)aq&t3PuxSkKT=0$9^4!FTzv07}%skfC0j#bi-{IKBgrYW&#_)T zB3rm6WG!F$QC;Tc<(yN zXa4DH{h|}V%)u81>QdxN6#7mEh+}ExT>UTzvN_p1ySH3z{ZD5e4|Jd2AGO&H(F*aI zciL>gu^st|uC+X}wS5pAeDMx%&l5svk@sGfuTaggLs4*jw%7DGAsG*MitI;}FQsfg z+V?Vu1?9!(@2>`?mj0d<6f7-W1pCuUF zOOSnux%~Dw1iWv8(w1}5%5VC#h(*yGuuf+{tcoAv4S=J15997T(v;lbGT$qDF>|Vb zZL~Qxc=Ku4QQec)yu+@IeTLaqWl5lf>a|{QYw}o_r1hjDdug`FSqc$EF!nb@$+@W` z{>}jHo`zK6i(6m)N4@tfS4H=<_HARd%TLjZQJ29Y#gm(m6V3e2&+nm%-ADF=K!7@r z(`N3Mz`nfzGFpAdzu?B%C4EI+t)@3b52EGaNE!Puz@|r^3jr5uCc3c3plipK6Z(*P zhJxVhj~|F;*u4UDV+F7hsLgs|5u?}DL zgc17a`Ky4@Z1{)K3=Z{u=YHW+w7!T=_P1q%3l+-Ry_I;Zz0|3!1RSFbo^ zi#=Vnop}FT1}9u^ulC8a;0za!_zmW5IL|BV!&oBgky9Z}0O(6^>Fc%>FG$-1%aZTV zq75STj>;}8Q2iPAgx3WX90I|?@m$}0 zE-G#S@O+U^BRoI+nWDi5I1-47s>i{aQ?3N3t(R6afjl(GgO_$2s^7WAa0xg(2SFfA z?zp5z2)9H`_`Z{DTv}tmrU7$(Q!}7Rt_~9h8!=m(hXaz?>|?(B(LTDpuAg`mKcy>N z%_}rnPT3a?c;=|54G+RgA6x|Bl>{tc2sl4Jnp&nEBd|{|j~iuN6t8)47#wQs^-tHE zlFowQUtt8=R2c`N%Qww8j417vw!MEIHzF)h`Rr|5p8RjuW5?uJ)8!{@ zUZ5cIhUUhR_jTPHMS;QzMJukmvaWEx`L61e8M9ySrPW*M)jUxHi&KZ}GEp zz;31ivvlRQJ~Up_k!jhT^OGeMZIIFj45ykkZ$Q(hkhoxgLL&MuDDu7p>NfnKJw9fr z6gE|Rnv4N?e%^hzHr2bxeN66`GZ zr~sw9HE~#&iP+&|lw7O%y*8>Az65mv3dVUroBL3jT|s5&h55PSPzZD<|ODwnB{U!b! 
zaA6TNx0VYgHLpQeimY28EP7d4eFO>I`!FE-_ahs%w`j~2&=`Pq^ z2ts)&Cyk2Sa{QKDvCE?w4dnnJxV51#YOCmj)SmW@_wqM{-OIKBx<&{jg2`6j0QM5H z#hp7G+TL6-N;5hHfsT>$fU2~}528a{6ISo6PYG{8Gxp#`A1il>4u2?fp=W#3Vaq%V zcw}p#DD?*l^J)2i3V;O1ZCQX8L6Q#KVNrjjn^P}Gnv&KZn1E8Goc<041mwu)v=^HX zV~Yh2DNH<1S|C!wS^(`}nsfE8Ooc4)vC>TQQXmWfg~yxcA$Fsu_1J+kkB`Qt=3Z+! zB3U~1x6(C5z-&l$XM@BSAqa;;Nj2UyA16TO!rkyte&I+@S&0&&|9ZvQ4GyHb@Ni%* zns}(nfYa z&z5u3KFfQb6|Jik&ED#b|2tCO2dF%F?#cjh#SVnnl)7PsTe91&~uY9AC! zZ_=QTLO~{jixw6!3d$jBLf{AZoS7iYW?T0^f!u*mrIOfN8?qM2lzFPQMr*dUB&0+` z#7vubE>7!|Fo&5JL3nhTIw5LaaAO+aQCYFM&&CF40Yj>LU+d&?s(;RHT}}=98w=;R zzZ)f-+6-vCH$kGq`LJdoC^2ZK*rjt4#l!nYh}rQ=k&oD3PL|H$5W7 zZUWzgdJEc8r6yLTaI+ssrcm7*VcQ!Hj@;Rm<$1lMukGr>q&>$kafP{h&$pN~*t`OP zA%57oT6;mDVk4U}O=Y+gLCV83h%UNQYylG8Buy+_?nV+J&(DpFXYb4sRf1LMsa#P5 zh0^yC)J$MUC&J8~&c3mMh`=zoc(ae4=VjsZz4?}9KA7>2Q1!}$e`GFTt`6YYx@%q$ zO&V-`n^%x`)g*TOY|$H$9US(3$Hp@3a(b*rD&tWM5h(7kQ^e>!&$-QL7O?jGlUO5+ zZHSOMX_kN8MYPTPCcoTQ)8}R4re-TNC!pVmx+ z{M!~);IIm<8%hAg_44om5pcKQeERvb0w}smv;W};PgPzJOi)Vk%x}VL0z}X62cXfu za7)j~okz}pbpP9|#51c=bSia<5g>=s z4uA>}ryFqiBORcl=Q8&CTt!Vzmw5yJOevfPViotou!pi(@;5fN`Z4zXXz`UlDCophAANEX9wL4`)lK2Dj6OB&rBk4^qL)mWR za~Wv^T03_0QP|Uz>x~IBfPSk3uPy@=t0MUObjn!By}yC4d{tR>>D4|J)ujGpKs!c0 zeI@`R9laiG&p$)KXpl-Q&!0RO0mTbIPU2@^;ul)b`XEZFurCG5m(8`&^i$YNqs}+v zt@_$0u0Vq3H`|~9)FtmtJ}55Y)O862n1vviT;2~w3L`;kWS2`dKNJXRzB>wh4M4_0 zR7`BH69~z<)q`k#WR5zmeAEVQSvIE%!LE(jM$dcVJm*~1ByZ~oE&$fl;xDmF+o)37 zaQ6n+EITuHhT^WcE!S|~eCX)4VHVh3R-g;ylyfZlsevrE6^RFRKjsZT_4&*YuL6K- z*}nP;B0JyU|1kFEaWSv&|F|_mI6@4iEG?o%g;p(=cC?6;ver}*jY*}2l3n|z6|HDN zdz6G|ZwBq9gKApQrjmZodphUH`}6zb`~KrR-hXsD(`#P$bzj$WyF8?U#0LRQ5Bd7` zYH-G3EsuSat&G$v6nedw5^pba$UmnqP~ew6^VtV@OEG3Ha4TsK0`k61OqQKMeWn=} z^oL;Z3Lr>$SG>wSQ2sMKz0Nzi#_f(0gLXkuWewNLOLG^pPN(a?LsxBE9!&p1*84_Wu=4jbc`kAtTYAQ=be#laTm4eo3 z2KWd?o?9KQw%;k5T>x`BGRv9{-Rat5vxaLgt8Z_LhLOd8wk*7(dQyby`O{{h=Uw8) zx$3U*W6?3sgaEJ0=(krf{}Lgpb9YUlNZ*JP zh$PxdwFQc6S8TEE2d+Cs9|u?G9LmCZ!GP9|`>{|8+1MJb;^9)@qDa4SEMKs4tGS#Z 
z%aL*GFu@Htt!6Uq(}8HRD(`sI?v_7JRTf>zRYHBP(5RT`l{Q`|@9$IYji=9K zehpHJ{M9FRhvD8xWDukt-|};vIL2bD_$XO@wWn$#b*~ijP3qy5(}?|I&gF$me5U*d zZVqJix9OBWzwn{sneQb|#v-mH0%6dWYd%~PXa;yW7!1MfJ(ZzxhhuSmOGvw|Dh&?F zr6#%xqhBm8!d4}!QR3l3FUNzbIw2ATG%Lmw|E3|k3o8_PfaPU!QcO?3S`s&EnB{Yo zBLbx&GespH!+rUT=O(D~LUdYI5HgnBxeEm!dp{VpnziBC zm_?M!J}6BV4`$UxXinG0of2Gq$hnM`{@D9VeHztY0h5*B;yBY-j(N-YA3b_RYNRH! zC|&u&wASW2mPmtSx_>Z74QY;;hphns;Rosx?*pc29h7m8zmPGmT4+X^B*+{D?@E}V zl zYf@Eu^2c56M}d1qu%0gwdyac%E4Mjg50R)Ghn%uJ*_=Wn+P%-Ep-fMI4lc^#&6cs= zxn2eRg99~`ho>)@SiO_r zO_mn^vdLwHmJLc%XI27;ptq0}w9k{H?z)dZ*^~@9+=Gny`|FOEyie5h&~zGynap`#9R$JXd>HM`Oe$_OM2WfNtysU88&juKo*Zv=d)wviCmy0akD`EMMFn%=#B02ASxnLH-uIaUKimr{AAN_TIt$(gIH z#RG(1eSI@tZc%N~yCO|BYf2NN{7_@ALvVz=13FStx%gn8@t?Z+S#$Dm=TQ_N>Au%d zjc?b7cs2LCT2+g3IkD`av9+kv(W)3Xa~u1@J5`fi5Mr%O^|G3t>fBH|<-bXH=)H0v z@5G9jiBkJfn+%7V9c_)StX1MS1Gb%b;mP^uM7XBfp$89o?c!Qvx|cq+>qaRat|F7;6k-Ry)#;iSdexnY@ay~(dlOxQ-bLwR-mpqmz#pe5Zu!WGnaMFepBdqP8_N; zEZ*Ur=u8YqzhjBYej~!?})g-`h49so#PYFl>JZL z%S4bcR(m$4i}+Z?{`0XU&JwuKj5ke;JpWyTd4Tm&>*IDUH6t=7NU5h24AsZ)l$$*n&18k(K5#y` zyNch}i{1ngjfg>lPxcsQ&*oYe4QjmbvlORMG79|!4s-_aCo~OmM%_1J3naUr$Bd7* zMY)l0X^OV@y*B-!XJqvJQL2lzKl{F*)&(XV%yh!Xu#Y|bfRIC;krb#AuBouc$HFvdXWf5ST$c+xG z9p&FXN!PBtmhi$|70GM<*JP z%wA_VX+Jskb`iiz=h8uFOt$az=8G^F)+kiVN#SsjKDW3W<;&(G#=8gmlC*ym@9@}3 z$bZfmRQC?I@zE&GE7_Lu2?Q4-^!CkTkTo;~?ZFix*%*!+PZ)pL{QCErZFSJYa2GSg z_G3Q2Efo+0@zF+fR>{Z8Zolt(Q1HagG(By4HRuMo~4ut9Z!SnUH3aSxNJ1IcT6 zy75lh!2o(AqsNG7m@y!Pw7FmBsDU2bvfK?=$8pGKnu7HEWup%#K!FoFwpxU%Cket< z`DrGDt7LmjO5mE9+nT?8g@~Km#_lUiMVw8tZXGM=A3p9qNjUORn{A}2jXEgQ*4FsH zNX6c+%Uq-f?NRGdUhp^7VjY)WgIyt4d8L*eUVSad08YHnM@2~oB~sabOTI^fH?V8Z ztyO7^9*wclpIoIB26N1Sq~p{c}DzjVjy;9gjq&8C2u& z1NwE($L0(>vsUOP`r)I_xnGdR?>18=uJ3q42eL=sJfKr`yQJTKh0_?nCX{<^Vn#qvl zeJvMv616{M3L&Zb827Xjw5A^}z)Z7&+`rJj>=t|0ugCqF)4@z;&)v)iDi1)6Hqj0+ zQhh4&QYbYHiGauj-OFN6HY|XJ;Urf-EK5_4kn% zhYDz2?o+47pi_t&4Wc_R%J(J@_crG@dw!V1BWA;wg0+HgQ0mE*xdDPZHdIGU6M5sm zob977mPKtdBO-14$cs@cT!#zRyKKPcUQaFv)N5$3RVRk_SdLTugK}TU10D=}nkch< 
zNe^XGC3sG_^W#spWeQIAz^W@2FQ{#wx6*Pfx7Wa8?OGc&%5g{apE(Vvs!F!phq{6E zI=!}7={yy5Roluieb5~@v^z6wPZ0g~nPE_lMDr%7OhXwAvAYUblgy3KR&nlN zL4Wv-=d`t{1h#-VlT+f=bU!X*(c!(e8T!T+D=Y!!6}*P=z1BG2UuYYx*kSS0={; zybs56+-7d$`S~5}R$T`QOZF->l%u!gsy8Kl-*(9>p+Eb6?5X~dFHSupKgZJhv#q_g zt|;oN>H6O2lW#N*=v+gheZ3-x^Zr1Zr7!7?b~wS< z1a3~=kXpT#%YL{^;!2*#02E1Kd-Tu>5HC<1)9-pyq?cbBw;#Q14iAl?Yv>fVXg=@Qkr=NX z|Ii$&uN1O@S`RFkzxT6ML1zphtI)35U}8D1g~dki)<^B{eDP>}+CIA}Vk=$jtND0D zo-Os?RL*y=k-0i{)H-#&iTS_59_S8yei0?#C4W3$?z^h*Ceb$~ZdXs^=>~PlbwTZQ z=hTlhn_4|gv?ngA3mp=?9Kd^*u;Vdq5Y-3@o0 zKc^hEy^TmK0D?I=hu_Ui!Q(M@G6M_X#I1LxYELohRB5+$O()8A03Zld0t!%J8b8yqIuE$W1p z-7~>`M%KUP^u%4=%>)>zRk^Z0F|EYUD;ytI!NUBtAtjD6{@zwY>O|?+TZ`4z3`tQU zrIr7KsYBzs2>}3vbiwnMNhq_MR85AiLEVzKubML<0U(M{rht}*Y5~|lKqeumqek5| z$7V&?$UF2%Ul8G1$C9j1x8}*vM;Dyq&}*AxKspmz`k9$Z(jnlP*Avb{N4S%SJ&{gd zg`2SVLEeSxoU_*4a~^1C0%Sl$%_8N z778RlzNd+4WVcctXJFGdu4Am>>YjbB=jO*xFhOVEp9*{SOcij{qPvsKl`&@t7~k@T zwSE$+T*)OQBAxIRouDRA5A9j2yCoJUuQ9X(uXlimA9zK4IP8f$j+?I-0S+|Wot{x9 zxCX4{_`z_7^n+FiN%gtTL63ADp>lt&n!=2aa4=p6LHKLhy9{F6o&XY$>kAyK@e<`a3VNx& z)NHy1daO0u1Glqz)g%r#n{R`fHBg64YkGb&K=Jhw<#|PXJc+Id1< z@W6nIs6v+}^Z>uj`Ra;2;i+XnlPMYW{7jzJu_|FujXa+bA+7ul1UYxVBW9O~skc8e z?8@QyTAvTai*mb0q1=`RJCEArmJM8#OP%Ybz(F$4Y7Cu(>KPL@zm24qCA{BP1k9Za*k2&aOv?oTqU*_bt(K#U5|=h(2LQo zMsYe&-3ea)^pfk~iZ*sndVR)Zj6~U( zErLsoIsZ$0GDc!YUkSnKXthXpd^Z7|@{D(G30J4K@pFA3@Dkw;6V3ATFu=DSix=do zwhY;o8F8*Q-28ZHNY#wgLoNe`+^?4@ozH^(uh{dl^vZxe!kR@uQffSJ9&#N%&Ykyo zy0)vby4nuXr$RwjNmK2pOMmbX9kh*omAh|Krf723iy2uaDr+J-0ht_@Gox;8Cvw0$ z!qs^c_YS~7pDUu8yPD&7N2NyGC7NS=nbESXxHxRfJ4qM`fdA;wa|E zF`yD6_IzpHz+^Cg+&*=AF1bV|6-$mY87Dc>F;?p5ic`0&HxkxBaNO<_N=|0@6(?WU6@5obhQ_Hl zT(sM2;00XTfZHQRp+hg5ktO{U-V`E-f|q3gEXN%+#Wts&xr>GQD-`-}5Qom^5GPaO zj#3y*E|Sa=%l^Db?r7*kG~ntq^5R}O2hjMqzm8Xgdb8LXx3n~;Vg2aMZ3qv=Q zkIRvTadPTi0Prg88~lKV+7Yl^bT2>9XUA>L)Q%DR{S7|FI=J_mXEWVH>1P>z?;#cl zh5SEL=Bo*{G7$>#xarj}DI8PX+ah;-vlGO)G6NTe1m=y2}io)Rsd5^`!XZ~lP94m z?(HNL1m)JRTT)~Asq_D0RG;mk`Rg_F9X{ds5Ongu*LS>4hi1nKM2P48P=$-pQjS7> 
zqn^7v+mc_SP^(Tu1SmQqjjGSxyC}<3CsO5vJo#pqh1kLUQ_4%=$hU`|IOU&VE&qhwVgyX57t^aYd=}>CY{zt0B zUeDc7RjyhWtF9(jKq6x5Gf!=~5JEaFWVg+V|g6ERNL?7_1` z59*bP&I~5zH%R{h2J6DhKTRg2@Q$s(?-Uo)yYI=L*i&p?USNW&VYYpZ8wM^>z91*Li=^~>|acuMqJ5M+k7(GL!sVl zc|qDH1I8AnfG7k%db#wI#DIw_s;L_Mh!*}sIp*B5iwp`Z|x)NNbs7R%r`oH`ANWp#=YH2eiY%~C59P)o`e z>Z)SI6=g0FUHL4(ZmPy~h24q+0i5fz+Z#a5UJy3i1#AU~xg9FekWD>Hc?xpUDT(jPHw_vQ3% z%xpN47f}Q~|vY@D+Dtr>x zji6=xoekYH;toHvOX~}zt1x?x1NJbfNj=~c!&V6}(#z>`oiP_;!QV!0%QvA_?I1x*B_!{M$mCQuD(*b; zK1PF^=(`WiUVB>1+&AVeYx8=06A!)CeC+xAbzWtUw_tarQsM(vrG5d()Zj^ZEdh} z*P4E;u0W&)X8#A^ z8unetrz=JmDnN8~85~5VB)f}}#wfCa{;)MG*)euk&c5sq68RT{A2SaKxsXJrZ(XM+ zS}Z_fU|OFC6iCAvw3~E|f6+l+*!EiWpo57Pe zdXnaVNF%+2m0F451;bg0?mnl7o|(hLaw1f$4H!%q& z3-Bmzak>R_y$DJ0;Ix~0`NcnmLfUrkOZ$NDti@P#;up&1sf$w|qi)`Q9s!J_$PS+J z!?~9LG^rDgl)8zH%1~Y!E5?PQY z2rYeY37HVC3PlnPk`_Fcg>+5ES3`2y4GDGMA3)IM%$3ZzZEhGmwa>Axi6;91ck}Ab z0P?h!m=`&XsTL`|Yj(-0*^D%N;1A`9m)=iMWN!00N+~E$Y}O5OSqSSj;&mgA;ht~$ zp#S<7uPE?{P4<};xews9J|?$^Dy)muIpX;%2j$*J2hnFSpR?orP!j`j_K8J7Vn@_L zCvC1rto&eN+qk6jk44Kwb@c%u57yD6-q!>2M8X4*DF~|Is z?daCq4ynnyo{NWTikQ%e4fm zk=2fB1+Vycdgk{3=aCD}RomkfuM$S+vgn%};YgVnOl|bcIMr;MvymE{0NYX6*Glx) z8wfK!xOGSFTAfIR10akxU=;I5SuQ4FzhsW*REjwFHo}tnm5PDl@u_B|-h^+B-u)Iv zre_0*spDe6b(g1B7VQA~`H|5VJ5?~ko0sn~ zTpy`~;vP-p4Ux8t`DB{r5kN0y)aUgxw7%fx9Rh{hmWK)jTp2ic+aMs$u+)%~cv)Hp z)4~Ef8|q@)b{5(@)sNJ`O|y$6-1Mqnpt+9xv~0{FEZi(HuB$Vf^B8-=ls4DR6vZrf zhN-iK*uS18&EECL8~)ebIRj>`8JIbHCsI2nF6g&qY;Dya5i$B*Tjs1zhst{GO(y?q zqInyaiybd^DgSukLnAkL&qqH#>Ov%ox=Ku?aLssz)Sp&KPCE1rOlk+}$rj%0Y*jZT z@0^+t09is9p@%d(=6e?51i(s%oy?_oZ;E&z{V)KY7mI{lCA}drra{t`ghD~LfBh$b z0eCL0{phMN*-I92p@yLPXzvo~hQ>9L#s@Ll$m<|_31ieA@)vpB;CzhH=*Fo25T{kY zhVsX8;#rbyWnn_>J6V#ovMV~6H;oZp1^G2q^)ShgLK_yEY%W&!-U?Ta;LBEr=f?T2 z&oX5qIqLe$@-Xf4e-6*lJkQU|Fzc3Vkt@wcvpHbqI%_R9g9~Q2EluuR^}9d%Sjx_0 zFhGMef5>smp^mzbeZVxc^piRs|&d|5$a?;B$70fy~E zu2fIkECB2PshE2(a-J648avtq2(Vmi6J;sdkx&!o?)28d0TWO8IEw6< z7?MTd`8e%KFvm5M{x&C9>4kBJ1-Tv(!VH5)t`+Iy1Owt4@1{L4lHiiXuP-evQgTcF 
zKHX+Q@j^#vXE9#2T<~%a4}JdQZ=tW)8O#@v~{%iz;(puZL;Z z-vNQK$dSy>*_H?uizbpi)m|tjGd_VRAz2q_XhM7fnjC^L815sEaR`GY4kz2)S(>UKT*^`i>3Eu)SFGkMez>QY#4=KYOC zfP4*t5-yj7E@QlUVgRhVth*WwOq^~+$4S{8-th(N8inr6H#5!w_u0`Z`F`9M%nm|G z-^%L=cfWg&_Txz}i5yMd=2D&o6#3&Z;cgT%doSLRl{+ndC|ft(sx04O$NajdBxs{f zA}te`QHjWG4e@cKl$3?6U$nZLUw@(G!18lWz3%{zqu+d3TAH&8p|j6nsEQ$2+? zr`oUsC*7Bv@#n!_g=s4Sz3!X1j*mHzkQ~`eH0~a|>bi@+5H~AtZrb$sL_iG{$Q;h6 ztg-6)54QUX+C;NxVrVnuY7Mmt58%-E-&(9$aWAq$!STB~xtQI{&YBHm6R#T+KIc{U z*j~uLL`?6QSO*6spDfU|h)AohR;N}9i=dMe`6mAy6v7kPE#1>*|33UbdM7k4RA^i@ ziY;FJkBQB_-y9LSLT2r|ikrO*$u>544LwdT#sn-=Wvc? zX%=;!-uH0-;ad+PLP-)Ke$WpLU6F#@i?f>Wccf_Z2y)G&#>XHgOg?u9wI~U5rx{zM znyrzmd1>wr7cjc5ArzVu&JXdfwJLDbBYlbVizJ*^lSD2<_2)Oi6%wl|pX2AhNccDL zD1XQ0K^!N~lDDO>=Y2e2$YX7eKw)y;4MjIRB?OI-(!Cu0SunSE~ zf5(@EDb1QqdG(}d$9jre{v=d<8ry>x#oSr^Cql@8I^;v>mKi@8{D=>3Umc=&0_`kG zjrV5y=*E1qY2L7)`EBfQ77#=AHzZagINq+!R85H_vIwl=YMsX`Cv6kIzB@?DvXUPj z)(forG!mJPO9JJvg_mmy)gcbh)2tbZFD`lfjIt;R(gCq7Yk{yAZPu6zfI?`hHjq^0 zVW`BWO*2u77{a(MKm^0tDa3yvaL2rEs;0+IHluR_XZ|yq*MST##?g+SG66ADH;tX* zQ8XfXm)S0g$#jQ_#E8hIT@l`N-#JRFlGpFO>ltc~+d$`>RwtxmX3sx;*~UQ$U=-=) zIw8TVkT$^h8eHM}5HsSjoTJpO#3PQt%=pwh(%W^bg{$k32^OYP-G*ttd*D6ay^1!w zyI&mK70dbjm$pu#8)uUMg_2+4AAa4~EW3>xsVti&2WQ4?88kac(oBb#o~*FhgIVg- zU3X$`j9S+VSWHoQ(6yUH{w=0FUM_jW6EZiuM8p{!&Rs6TRmV=WL1-H@Q9XAXqU~V# zzQ)0e!Qq(PjxTThcah*=qTK``9wvd|q>VF(e#Z$(f7%wy<)!Zo4H5mskkJq<9-%N{ zyabf$hI}yF7l#O|k9@UIpBe-!5FA$0ZM1s}b8J0;GQwgAEt|7qvrR~7E=NM-xxcTb zM%+)6DuWeB^muWA1^d{Z$YWf~B=~J+t>Bu+ zrdtNnM)k4)><6I~Hf?D%lh+;|ty2+wwi`4|hK=K6{UDC_HaYq9&N@4a+ir@EI%t^M*Z&b>7@@TOzNm?QH@NAb0QA_iW9XeYhXfa#GdLjsp zm!g}4RQ4F${+oaffX0^Yy4S+n9TXFBjR<6kv6XO-9wft!7%C8-8KSF0aeqv`9EZkH z3)u$YcLZ{!ZO+yn4}J>=#tAtIRs|8nEeA2|khTZmFLKL2GIVw3F5U1o!;>-J0F29) z(T2K3d zP+7NIRsSC!na|Sp71QHKFPgD}nQR@A*;;R~W6d$@>Z4To2$dO0LKa;}YhzVDufW}@ zv*n&$+c-r15(1)Jy$y)=+eEIMrm9qfRK!}p!4z|Rnk)qIL~*Lq>OmD^ngHA-gy5pkR!)rv_tm%XWw0=E|o~@x!?cmQz_%0=eP7K0Y0hU9Nfh> zPDW}LI$kLb3XkHPtfo>n_QC6>Wd217iHf2oyLi?%-r|-23_&i!p026qoga=Nl915= 
zrzT@BWtz)A^>yce6rpBgx=)!LBC2H#R-f7k=Jei&b2wf&PCO~zGuG9-l$S6To#@A5 z8s+nFR$s8_`1TW1;)??Q?qeL54A*s{`@x%U{3l;7iYC0@+5~HqM)Yv^x5T2($eO~sn!+8l#)Mq=yQqr#EgpOa; z;~Uv`pRoIASXVN#>ri0B727*bTH6z=UyG+2+j2s~-_!_`Cx2Dhqg$e9&+WDiK6Z-D zwq|haU5sKwT}pFH2le$0J=Tmz#=EeMSPh9Qw?y2yKdrNQlqg^A1U*Bp2Wjf}tWxjl ze~)#z4|!H*jEBnQ%uAzjuCB!XYw}|elN0PdN$i=OI{$#98;Hi48ibM764ulU3TUwD?bDg}PKF-X9RDujaa%|(b>FMdK{d;

NK_EHD1~|7o7Sckb}+2+vCocCL1zr9Pw{c4L<#22 z?4~m!p@&nf*)i8rZ<-;Vn^o#2o4W7dUA{$7ezN9+@lvnU=)0YUZchF!0yCw2d#Y=z zlooRF2Va&aE%I+a@Q0mL^~3#%RHBeL;h!QPHpFW2)$B&MD|OLskKj7{-MS_x4Mv8( ztc;rESOSx%FhG$-H=6>hM4!eZ8Obbbpx8-c7N4QXWh+yi=GxvnD1=DP?2fhi5{2%W z?C1-7!3Vee#J3!$ngO*bnxhc4a|4dmK}rWr9*B~j+GQO-9lqVfao0fgIM5mxU~}Fg zF*?|1b|kh7&pTSWPi}0M)bD)1BUIRWjNfS)(&XtMQm#TeS2#9=Ted8W@^XIUuu!<1E4(X0d zd8|r$^J4#k;^v&|7}2XK znpUo4liHXOku}A*5|Pzi8IW7Xy2<*)<8}08@-ulx-&%vMH?M9)bO`Md&TqfnAWn&> z)RgL}ao6du(horStlZEc(RS_bhBcM z9V37L(6iM)3=)d!|52y}?sGH@(-T4AGc^G z^wTd79@Z2d+Z$N_w~%JRzlcZo#5^n+ow5rg+*aJEgjMo|fhoTJ4fgVU8Sn1rDc(juA zGvEX>dB52Rx+^xql_ebdLc$4k-s{o-tGT&Xs3ip9s9LFkP3pu@D$0baIhy|PZoPP> zSQd1b>k{6vB~aOnnxE^uih)7{e@Jumpo@AzuXjW^T?I=sT725?J%WJ>?EUrr(=XJf zKHsH2$D~3<%Jl0!d-g1#^0CrkVNK79R~Y@F!@r>8L8&1*4>aomYw;>px34FQj_$RE z&%4?noG@^qG;ip6+otFq!7H>wP49N=L0S@6uJw%gaZ7l2rMk4-&&i=o&MlNRvw17v zwTD7bQ}CUd5m|YIWgU}KQe}9+ zVQG(rzItWq(5uxyWc1YL^2hBzOit8N{wh46W{v2&XzUtJU?LyXC*VJE5U-Gq#r`ds?eE*nir6 z7=K9Urt}^oXuwf4<>AfZ#q-_lP28vY^0<8J==$xM2~#6~GZ^_QJP^X&T{B8EyM;-t z4&*fEe`f+4P-noN78hs|IFuKlS?{cZ*Qxm3W?br#ss^{jtzf{uJ#UANcrsm&F<2?Y z(R-yhk&FMpN8BcML8GLm;mVgqIQL(jy9_+7bQtx~bie1ueO=>&{dqg|mFZ{$d!Cy< zD%69LWD0n<868}c$rmft`zzo$-ZDJ@`)}7~p`0z=e?Y@v+X89)k7(HW@w6|TW&v#b zZbbduh=C!}Xj(*88gVLEG;Bt>$zNF?;uE}rel~q#Tj#0KJL}f^DwBHseQr5vZoR3| zPxHv^^cKE&@efhaC2%;Vj^SEHvd3Z%kJzmsqW~)=ia}3AUMGN*Y%Ze-W?b98xjhx z##ej$J=!eQzB$44-7{d9Qo5_#C02yLIbridM3(B>v_qzN7tw7xf%3!Qfv2_4`rDsL zYA7FwH&>n>c2F9Oh(qhM@)S)SB5*IEb^|1T*%vtg7XU{Ne)|QX!1djb=gmQ z1_#8hD|;&+Hn2+>BjbmzghmlVsq0mgb^G&_b#+Pu>aO*lP_ik8Qvpd9BX|HlcO2(T z)o2{S{bD%%@p|sdG8pwqZ0diEP=nanjSml)y&IVOioY%xpF%IfAukYkzPh%;$_pE2 zTIK7cam$9SFGg+l7ps5zD4}EG-1u(WjZIf& zzWc+ccIVVI3WjCo&4S)-IVYeMhUZy*Gy z(EpyjM!LR^E)T0;9y}QuY-U}^I7$qs8hZgZ<&Io^6krk6Wv5A^ z-bc%YtI8>qrdz*rqoMlLW7Ek!MMROOnDQ+W0IlbGR?anSzV5#7J+M^8aA6A{fLMRT zyNndHc65-tww_V?zG{XfP2;1CN_+=G22I;F6PMFKY`w`ESmPPX-bSco;HsFsEzPg) z*KWve>n*=LnDPNU->&|Cw|+e(Q)33>DC>=hq2KY^Njb~NVejgHhhsSELCwGrq)SLq 
zt_1&+6O~^ou&E_^V8X~!*!a{*tLu8(t69zgO{gzsjr*k79}2SD^UPP)D5L|!hb>!i z{eir6oM!ae)T9G6zssRf1u{WW3e*H*@h@Y#LyA}5+$Ys`oT&MsL&-*E=g!-t`hER5 znk!X|3iwTu{cCJi`&YsNL#^*?H~@3`V1eP{N18hH@k#!?;Auqh#ZC^)K+^L`umCalJ*solM-n6HZOyDAJ5 zT3VC^DhJGC1e3hqO2iZA7K^w}Bh0DjA`fH%^pwndDf$vl385Spz5EcI-i97&Z z^9)_2r$VJ3NGx%v0ZD2-Z%BqzcflYx7e&up0ztU&2=d|7IkxTB_2h@TeY)lK#4 zV@r?Dv&UzT^*f$%1TC&Ls2X-HVGjKY;Tyu#z9FpNZHbAkE<V_e6r8tjchK;>MTFeBM+LMpVFaWf-YSb(vEmV~cWb^Yb?VC< zyLKgaoxc?+rym&ZZ{AKo1R`s_&T0;DhKji8K0a(EJ8v{hJNs&l75usE&OZ3Z$_L&* zOr&MUoUW3$UV~7>$;p^>>$^^YU5?9dFdQAJ_9I#n(22c1-+ha-m=RQGACf!y>!v+{@DW!Bo z+}T#4Z-_T}{bW^3Gz|nfi+E733#zl$6k2~ocE8m}J$!A<1 zq>g-=T#$?I;6%}eY^w1CETt~s;?}okq96c~yHShzM6$pC2_-1Ym3CK@+(&6-J39^g zU!TRD{kgt^&SL(4>)`MGrX~gWaHFvMyUT1h%t=0y1@oY^1G;FQ4Xr6abfCpB`#TX? zD-=SLCxmr6)~azBoPwYS z)MGttJ&!PKMOQ>`V8qd-_<3gLCFQj56*^TZx&bdE_*_BGM|rv8#Jj;e&u;M@?Y$1s ziogGM0jIV{kJx1ksn0HXJy%hP4dp+h*>8-<(vPyrrs_sZyHp@2TJb`53krcj_b7Cu zMVJ}5Re){%rv65DC|~!7+4=($`rOH!54mePAv6ig%(gBe7avEAs-5SeS~wiam+HFS zt#|hWOrm3M}+s0~u-7@~pO%Mxgc!%}2w><0LNs$SZHQTb- z#W7z(0N%(|?M|J>e;!=rCsDpEJa4JWcwo)l*NQ;BnRKq;)yL=_ue^NVsz6^qX8PM* zhF;xH@=s&g=S;$=%#e>;KDJP$6fll%e_V-3+PS;SQbFZgV>o`US|!os2l9v-%r)i~aKSCxe9Se&! 
zJ5tq!kAJS!e1JOx9qFjW zXzE+j-$p~c-}i#*?jL(IF+SMyH*d~Y0YTawv8FpfCWNu3fdHBX!VK21-7a}b!G+pb zjGtuos${ZY+e`*1DDO@k^!Ig#x1UtZ$(3~BNz>&Y4T{&1E!}X`-q*>-Vj&9(9xLgF zYzRV84l#Hgz?yb*wL^DIyA?Ht%F@Ww%Wj26i3Viu09i%36nH!p_m()mmfcbzzu=90 zWlo!<%imO+rkSuSzyhuV|3C0z5kI|!!*V%3*Lgkl0s0a(Q$O!C9S0tyA^A>#O6GOw z!(X*jNP<2{2R z+50k9OE|GplOcA{0{Bu>?Fg;q*`##!4+CB+Yx+N>^QQdz)&v@%WW&}_x}HKTmsi#1 zqMg>cAsY&UgrE?gfbXFQOtwF!e@fdb+>N}0T49ZXbD&3c+Tz^SzbrL)@J>ys*ur(< zdl;6=98H~L=ef_bU;s~cEc;VDnU#;A+SD`iD*=SPBQtp`S5<|4h}QHfg|6-VX%F`B zQBH<8aOy)St98rw$u&FD3O&6%(uik0Cy(oC=kuvG_0i;nNzI1rlOwdF7_7=K<0yCk zez7-H7B(8IJREVVuz}G>6 zr)fq&Eg94T9@9){G@$z=w=s8ZM3&>ZN+25jtz0R+a>LC zG2gr74ySgPy0#NVkykrXkwpz_Qj^s=57-I9}<5Hj15xt#CSa-7>U$ zww5v+#a32i071w-+Pvc{jHb7Z`}6f&E4+isTFC5e(QUm>`7Ee`)&`BFVaZ$+U4zHl zJ07=8vWaSs1Fj`U_5s$a(oGZz&4!q!uIKFca2*F^y;ltS=|=^6bq2Sor6ukCU%Vcj zIc_#(k=L#zA@_cZ`fBUl&9$J#hZpjduizN~!ud6{;sN~4;GPz#xHjbD_;FU+ zi9n~^?S#)ep*-5>Igh^*|m(hZZceTZ|`DyW>6Rc5l;_PLJnCc&2% z5c}u*aYpDuBXTz+ERkl5+T5adC!~DFDKLE$3S#5n?AL3Nivij1ZInl}3-uZW?QYSQ zxaX6D_La$`y_aV=PiQ+bO3cHoTb^ByBW%CD-wGlx;^ty z_VUS3KERF%=l!~#%eSYY^tQ%uV!7*^Z;ODFzT?F+L`g9u1H&?%!^E|e%uXnN=jV8+ zYop6?4X>cT(DH_vZJV<|-jT4|Fu^qJGdnyU5AyHD`s*m%FLx1*GBdn(H^wO}4x-%- zlj>+^D-cUW5eUl@Y_E3Sc4|W0Tp`tiAK^&ASv%*bxBmHu=YSV5huAx_Y{$MbsG zb2pn&kRr{sB4FI9xkWyUMvL5(uMjI-IdZ?6CcZuk8U-(|7 z9d?C3b&1=iz@IEfTX{Tunw06a1*l5kbPAOE*(e2U@I;F26^TH&_-lK4dXp9&SO^)-up~o~)g^D5{%G8$Z^#2*7WR-JhqXzk9K8Ls@ zP1bU_?r3-p)nteav1(I9*1B-Z)|s+0o_>rZ?Q7~6D7l87!>%_4Bb)$Tu!UlX`BGs4 z?QI>9vJvIeU)*bSaW^>;a=m?bKy!eob&j;gFFm${PXJL7;}4JF5_8q;Q8ASJ0QgP) zJb&%}z*e!)b!ic5_;(KpZ{&Cc36n z7MC`*$$wfd$pk*FLIW@tuuhr$Ri;;Lj>(7*oCbbSqxpJ;qT$P6=(eu*wyN;RB%YQ0 z`+m#k!l8!Ywq8zN=S>sZ-6jp_42N27Q?ilbH1)4h+U}kb@D7aMYHaU!h-}SGfYW>L zvIeisT}z?aFX3EKPfJR9TnVyFOVe*rSVd+s>(;G1Fg-VK^)oe8oBkPlK!apZd7;({ zy4DDV!=A5rs{B0k#BS@+S;vgTnZDo7JR@h!z=qM+c~a-5u)aKKZhBT+Hqjft(za(rx_=D6K8E=h`b>b&5q0SRS+;6{`hQ6YnjBp z;!#(jdNszy`e4~I#KltnD*~$&H$7%Oy#phTY5;{2;dExB2y}vta~0CkJ@(_2)hpLe 
zINEKjRArGYD|(Vc!#NF^`0m(QmPrEYb4o_KzHjqq7CB9){lkAEbq`-s-$dm&vn{l_ zCjpDw!Y+2s#U;asm=x$yn)@k%wMsTMzQr#k`z<`*&^Umh6z`*X=aoL46yv7}ekS4K z4zEl#!?>BXXLa_^)kV*~g$r*9xO_ocllFBrtX!D6^2rhf3FNdDKr$$N`JP7P9N)C~ z0L^pj%`;VUyC-Hx*cGRWq`wPgOk$h7>pTc{k8;SYbk3P85toGFy_pFG#_>YfY!EB z)l=z@CVQ@?-QVwvEnq_Iym!0=Q1jGtRb8<8#OrsSstDm-CJr>dJ6>Af63Q<*HlW)K zeTh%j*sz{da#4K`in=ghvRKy(sFL#j&EfX{nAOevKRl=!%!$bicMRKYI7hU_GI5Ri z6hDjc_tjmBT;ot6pO`GH=V{S(BJB$?(y!ME-6 zNkoYg$!L{wK@C-JPGGY@<_iRhw_@LX9iq@1Z-v6? z0>T2qD07;9U;O&hqxUq(5mhskV$E-9qt0Q82$B6#ou;HYDsP2rW4Qc9>?LNcGA^yD ztry6jN2pG%(&k*cr;m4D8DjvB$tv5n1V&ANJm<{q(aj*(#!rpri@1pn{2l|`eyWXc z0rysLMPkZ%|BB`R$F(T*@C4aAA}s2Y=?VoJQ0zvlicq3>8TYKMAx^FJN{Im{D1Z`Y z^S1@QcAqU@m{~Qov@8&5i0sqVYY7i9wPtQB=IVA3b9I{|O<_r`Z8@>ZEIK&?U#{hA zN103ppks1UWzV3fc9)u4#~U z;n2=F0ga81-&Xs0or+3sk}}94K`w$Y>b!DFCAkpH738n>fDaHDbD>m9U@!5(Ake;E zF<@&fxtK~bzG>37FC#QWXlT;dhSxqHz$^y}&~pFY$*RKY44Qo;G-u1VOnbDr4T@@Z zjXuE1uKA*b@tVjW3p%>P-Qi!g+u2kkhKl%s{FO=rjO1;XbX-imx$b$BA^QQ}atR#x z#f6Z4XKcMx0_J>(B-?=-4Q`{y`cFSzY1(zr%FgA~R)0XnXi!DWezaz~0-#t?R*iIqP!lz+b|B;Q<9-k2!{;qR6S~pbG6`V(3 zx|xJm|D4Qrn<5OzYs4q}U~dlwLdSaZ(E6a3R>bC5k8ca)WKMb_qfJBf z@7vxjBvz7tzI^;{py==vV-v7f&9@SLo{CQbc^VqHtAJ~yAWeFvJK5VO5?@ESrld@B zB=2pTF`Svz^XAmeOWr<9P$ZxZn51`Umb^o)3|t=}n`_xHBVEFh^OOdq$RlCW34 zp2*C!o7}=Z;0xcbk`q7rYqFQ~y)U^}b(N|)H;3>xC>Bj?cczfU%$(GjgWZ`lY6A)Y{~^36}gUst95T)y%ROps1QClpgTzOrLN{yRt4 z$;CcfEcVeBhz5_J)3rZk5}=u?u@9PBvukGnsZv9BJ&tWNBrc{0uS@vo7Bwv6CP`;Nnfx8eEvZ#6Un;UtJy4=# zVN#7HbJ;udYd!@bWg^a1T5F%dTj?CwVmn~|YW9bh2%6_#_kw)?>y04iu(T|2uTKlD zzNan%mO%Fx@jy=$l{%T5SA&d8A!agg({?h=tH?a#4xpIU0K3vl4_cX_bynm4db@NS z#1AyIDCaCWkR|xb>&uu zPKO;_%-;Ham6r$Wf&^BkAwYZb3>uA>z^)y z{+v20v`Z=>$Id>VUjtMv#8mAp;B2d2A6IVhCZ}>DMUg`dP+aPAGx6q;AGy`Wk zwEl2O``%b~fdkhi(4k`a52V+>pPC@&0E+nq&muwZMaV^}d|4)3(j|!So0MOpK!D+K z3q9(XMZjX1yz5u78r=gbURl_uUNWma`4+ z3+1Tui4m3$Z=PQM#dd}70G|r#jxv();cvhFb`7*?b!kU{TyroyJRFG6+m*a40yR_D zeXzg==HzO|Qc^_vsJMQJmP4gA7>;MKbV~sHl8afq4|6y;_u>A#x7Sv427*@HVXF@r 
z3qmEG&r57AV<1;LSH(Re+1H;|_)|a;SAaMXRQuL1UH5K=N}|SZlB0r-1y~cF&P+`x zw?E(2qw0l5Cd|3^fygcE?~9nM7Lq?QS&vVh__*bBk;2MBZwC^XnZKG%y9%y$W4(t? zF?5Jt0qd{)R#>+&pO;@2793JA*n!tH7_p^so|R7&{(G#*zV%v#hHBkv2ps;^ zG;ATEh}{R9ja?$f($_C1m{P7obO8$ zpF>09N_?NA`R#=!pkGbjyFB=_v@y4+$bW)%sO8sLWt{EUA~c*M;ZG~44wnZsq&IOQ zY}q8`_0%IY&a0GS!Y1y2v`2dcDa#~T?DQCErqRV_-fPfHz(GzIdUvik}UxC(|p zvIaj`T^?Nu&H~li8HI*3&^`!FM#QN(qu(Qx1M;1deGFc5!R6XmSV}i^AMm!O;pw7y zIsu{+r&gpVExawA`as=Osr#%`*-xFoYoT#Aw*^snrg+B0`gP>xYATkrm(Ti-vL&C$ zO0677))_d`$(E3EF0fvn8%1~cAJ^diCoir4RZEiq5ewLwL*<^*j4|D|HL~@$%PXy0 zH~3F-1PWu43^EteIM%4Vdvx=t8X}X-%P87#^Bb@beZrVFt&=r>u!8<7Trc>h&n0BT z8=Fma&04Ga>Ahv@B4Gp_W-ix+VB z@x3unOCxFPErhaQM8tH;HVc{1_3wuv11~D&RTTI|&hsr}hv=-s^-a*&oE*XvGM#EA zdWI&39%;lETLLLWrYy1BzRmxdK-@yV)FSBH2E0m3+RdE)kSk&-uP7kbA>ddErBt-5 zJC9dr9fpgnrzp|oSn^bcnsl=uFPR0D%ae0DkDR~|37wZ(p1Jeo<&7DN7APct8#itQ zi<le#A2EIQ6Nr(vy!ax_Th(!?(or^fdv3ZGxUHVdmkHG%d5$j z7EY{hpFBDAxa7w&M!DAuE}hlNSk{y~s1e99)<0bl+J+k!@eO&yhGWW=8h7AJl|%}q z-$|_eIVEAIH*A9c$?Mi)52`fXB3U$XUqrR%Civ(iKyiivgp>Zgyb%RjY&YBrp33s6 zmvB88BiTrRrYE4Ivvt)4yI+o3NPrE#X0ed`9wZ)d%F&bUt9(oqicIjA(%>KHZ@|Qv zz=pzH)`2K-(@&J^G%%(^)(Mx^!M~in_yTl29j3Epcxhs;a%=Vsy`~jsq1K)abWN#5 zwl7(j9O~Le2n=B*wYgSQg^rJKGra4%-QR61VZ=Q(_2vjBI3xNNxPficVIl_qniDO# zP4Bc#vi?dOtV-|BEjYcM`Wmbd3)ydp(btlvcE_FWjN#NyB$se|2=b*Akbz`%W~lVA*7#PaqHqK^cR*VNcSJm5`iKyXpQ* zl2ao!oP7plfg={9_O!(6>(lz`()C3nG%O>~qln5aN|Mx5Y5V2$j-;St;@_|3@83%P za@ysluexW{QIq2)Au{cv@&KQe0@M4ILqy9c%Y)=9xf?&7Yt-V~yE{BwR3A|1FALkg zpj4=;oH4v*4T{0UbUQKsHSG3hcfn%ZIFxn-ppqcyLZ;5!zRJJOy?Vh@9fy7 zUb~JAK9(H9so*s zuClIa$f@Sg(TW)NhGuVwi2xm&+86PkYK1hl!fJuW)Z!Y~g4u?g9>;~hRtk?P=j{Ze zlT3{KiM2p-QBpR$JjKWTGw42&$rtQuADQ=Vzt2RS!xban=lV7O<3c;RXo|3i7I*Pp5NKFb~;KWNW25=U8cY zXO^T9V~vqCwv}+s+51A``O3JjJks-w2KVywS0owTLvn}X-7ggtnr(MU$aj-UKJg6^ z?6mjYHRhC6i#X{9TEwrzqA+6dlgb%cK2RsF3c!`Ba6qDFk+78--FU!IQBMINE31=;iC)5hi{L4N?s1k{#x>^44Mx7B`F*Df^llGjAdL)l zmAZvb*e2~KS)Pm!*J&te!-;ZvA7%;y7lXg2FX6zH+#pW!nKcN6nWg<{NR#;AKjUrS 
zh|yN{Ibt@1M1`Go$YML|P1uIV2;955-Sjb1Acx2lHdZ7G+wu0?HhkJGpB$C`ON@}l z{I9>8ecTQ!5$)KEZ!7$kJZ>TmIiST!Ht2+O)G4l35Fq|H$$aH-XR&7Km8?)iD8@X) zkFeSc!tJlfQyibpQ-%edg8NNY7C6WI>7dPgwWe`~XMDOJSNTA5nzz1LQCI?d#8O&a zdxzg`KEYCRzJaeqk^oC!L6(a-WLlm*t)Ol1SVOus)2GJ0n+2A*uJtD(h?YL?AlD)9j(0o#Q>< znIFcYz~+JcsVD5|1q}z7qF2wW=S7K=|9DS~h{T4nxWAu7W>nv%0XQRQM|BNYWXgSy z%wTK^Kh$SRW?qd3}>`y-^ZX;6JyP$bIt`N1v) zr&1k)<=OYo`3i?n^6$$LY@a6dsWiF9L5rD)DRwA!Fnq^4h&NNOBsX|AYZ zK0xE(=)MzSHQ=MWaYnfD=ZNnj<6z)uyqY6uYy=wq`I^wNbT!L`?q=>_h&{_9E)0<6 zQ;e8l&R4W#TN()|V;4k1wv}LJ72+ zXK}y(P%lwzMqw3GBwM(>ZMT4z07ST5zl@1ry-SkhJ zaa)220GP*YF7%E&mJ8)O!T5>AE|RUte_>TW5*Gr=WZs(rlNJ&N71y5-H*XviAt<@8 zGi|2*M{==lS=dz6=i|iQZC-afQgLR`OlNQ_!unDbwg>~(c1HZrE%nuxqZLEETlPJ8Z5P*5+lz2|A) zM;9eC1eO0ebW}0D25}k=Ve=M-s~3nZPR`=8(8+wNp276j?!0A^Xv~j!aV5awbI4f& zWF2}rthz*;9Sy2UXq%Ah3?A^(j#!Z_lV3CThM1V8(46V452LIza=*>RsK$bE;4C3S zpo6z@(YwV-hQs$B$AXY`N|+c|4K5$x|LeTOvtd31o39TsLUe93%fxP1t_A8-LHapE zkFA3L+*XVT-9=^c!5EwI(%x<1B>|st4**Vim-_+XBMP2pbTW;RMO^+!nCzv~=`%HM z@YwUz^rQRxzaw}*mBjYsb!MB;ZeBZPTuP0tPUnB zd1Au^m>&O4c733~yk>u~TF9zc1dajm407z%{&8{f;gtU{eZV9IS)Vx33BE`2RLbJ5 z2LAK@5irD?_4aMY)u|~Tp5bfM4{>4sG1j|a4U1d7;k>J()Ow79>+|=y?<7$PB3rx4 zk6UPG1b0_am|pp$hh5(XM>&+WOe8nU7`=HaGFEjs!y+s%cUN_O*U2@e_tQNM@@E)6 zuU0#G`dH7U%8qnSP=zS9mr=Kh`ev{HP%h016CeJol*4CHn&#)LoVtc8U-$6uQmDas zfneDJV^$8=Li#vsg1$qjzOtSAAJJ4t*68NP z%QBdfwy30yI?9Kr)6Q(FcE?E*;*fTcUr+bgS|t&7zFdN;j+bp#)CZVRwBs)v-n5*j zK6)Z**I?Gz$KXPZv8Ho^a!Pi7IGab_P<;!{V$ML~OgUyScX1~4G+3_UV8CE9j3mO` zLTcTnPWC}}sSJEEtB%k?z{22at5G9hXDsL@HV(J>9%QuW5A z(0BA3QEq%tQl%?_N*p(f&XRk&b>H)Q9$MrTG%!Td3G>wT81Ss=g2D%gBikfSTNOr1 z5kn>6)1)F4hr^ir)l;t{{yYXWc#kicSQFXs7er=zH)QVm({d#kZw3z`#rFH|J zO18&n#C+*K_B~=#|Ova%A&M$nJ*OkJlPn~m7U;Xe?^tD=*FT!Jg5plVA(%DMiZrH<@-Qnt*TNgR60T&-Nq z8qAe3f1s-~TN!blC(lfc&^}6!^K5x&;@^_N@Z3M0ByHK4&aYJcbQ_P3f0A;4(na*> zwuBs=FeQn|X{D%1Mz&RMmCIi?Rv#-pmtRUep5L)^U3c%X(@rgC%aP>+;u@n&+%rJd zl26i;SMbY*@+{N>u~s-nqF&@^p%{0!#L#vz;|QpAiK zczU4hSEY)d%V|X9S_{sUjS9h`#<%lVkuhc$SL>IXzQ}Mq$ra>vhcy*WfoE&Z&q)oD 
zRsnoK=2tcs?Pumhk2`OTCqn89{-vu|C3Rt^4U;i$irseEj#VGrh3 zj+vtBaTema$Tt5^@Z1jGfxd9v)dt2e9)QCgzHY^hEr__I5u?TiNEiDZ)V;uDzcWT> zn293xy%*S}7311mLIh*7RAg)$)*Q1IV<`eC-0Cy$q5ljskNhLe;GKCRi$2IVef2=F zw*7JBnfbXB=zIV5%V-hEc+(_d8cfyg4`OnIc&R3xs$7j2Ol-Rd++O%H=CAk*!MU!L z-CZH0jGCHpaK0fYB_*Yu8LpPakZWpcz&4EF6z{im{GSg&_R8Eex$EHh;ezTdrG!Dd zG?*%5tgsW?gHa2Jn7j>eKOjQ{h_E+Wb19~EecQra~)gY zzP=S1j`s#GC$esW4fPVE(*Sv4pSu)w)E2`4tN zj<@QFeO*czKxow4+)iizbe+Ichrd3s*``KDT^aUjPmS9rinHi0(BHm2*2MAH0(nOP zdc;kN2h2Dyyz5^#?kU`;A3Fc6-Y1fJYL{NfhU#cnwdMIgO!k2ie1S=(6``oI;|Q3!w|2Tu{q~!hOq_PeCiIp@H7;?|=1LQB)z) zmg|(Cosd7Tjn_oVXykqRU#*T+O!R5IyRO}<-pSxh#W>}J{{hJgQAQ3eIdN;pNs`1~ z+40PS zg;8R$>jwR)MxcyRDW&u>8qg3+lkIWXl!$ar7h#Uq`wUGnS=!0(@cA@#htgeTz09fL zM2CBK$4NQOK9K@k%ZP_{%Bu&VW*Qsb%(`7HS;u0usz?=BwWd| zCD~p}?YoM7VsDR1PX__7k_R&rw;aZtc0U>QI(znPFtqFghgv;qKl<>)y?tP?;nka< zeQXy{+0i!xSJ(}NI5L5Q-wvS&oHmwz+c_iL($Zm1o#$^P`vIQTY5Z|UX!gH--wQa& z)DNCj6X*OVRQB*eBbK%NVp6ADB|+?csxm?B-FZ-`zUfJ!`jmqom&+yl-9B984uXN9 ziCia#61bnRUdW8W>x>uc%vH1S?#;>KlHNR4v#NA0lZ!cV)o6?hs^^N9ywE=?-Y@7v zb1JW62M$^3WVrR+DEsX4>CoY}R#K#(t&_wO-AZM)ZKoLc!+4XgNzoD!0rf z7KkwNr*7)G&jqM70mC9R6mhMxvW41ia2iAlSnP6uMpP}e%6b^;8Lrb<73RhdJH}~w z-?V63xL*z5{X_$=`yMyNug=QHX@hAwJA5<9lsgMWPGDr+D_TX4^T$u(c$+iiIz7=F*0jvz_kWMY z>}kjULKq>y6x(F5>~{wU%b~;f%^c35m=6Vuj|PqCJS*#AXh73L6VaU(Bi0EZ%P5I^ zcbn&a`c-%k_y$%PU1D0Rw!7tZ?Zl1n0v}$p>XlKF)}5e6gjtD8JNi#ibHeJyrQWGR zRl3fwNr7z3O5v04?jvhvW+U6@g}xi_g=c0bWyqUHpro5X895av&cK6J< z&32Y@-dA!yo+iAWxoMP&{POhVe@|8Dg~0K2_+{2HI^lNo96^ZbitKoW$p4?}xKxct?1C0P;Yg-NEz$~#id$_b*|u)g<)_Ob8;@Uy#brJ>7t zL?}r0G2k>1S}HyuUgMe*Tsy)NY}4`Y4fmc)PnP=+1Z)LQuLCc)lw-iXp(4?qPrQ)U z9&OZ_j1@amt8a5+H=|BC*ob3e9I<&O3p2v6;?OjW@-3@S!#Mrq+?3Ae^@QQn9j0Mt zqYbCBzX>d`N-sLzu|`COCa1;3Q|7}r?qw~~$Al8DpzR?^>wdmXx|<}Gdx_xMn%-dW zE3xm7Ozd(t@j>{puw-mWr7q01m5lc7en1K&{5f)kQ*zG+3Ejnzg`qXjL=dNMc@IkFOc*pp5>Z0p=YwlJko3#sEe z93~w5rYYIOCdD%SR`AaDE9yW#hXO$=mhBZ740_Z^qo;e-P03wjUP|Aeo)l@aJJ!yy zT>V>ER;UgC@oYf=*}6hk_4c&SQy(NOmiPnRhgCv`3kJ;VH~AwAV)qOOE*ksOD}iyf 
zCUf@E7lN^AZj7iN^*X)m@40-hKM&?lFsbSoKN?Um?T0nnbso4E4U`ivNu_&2 zn2&)yk?_x<7cc(CS6UgJ3{ugUP_5$pa|s2q_7QJ7+YJV%o_%UZRAeQs=WR<9dY)WgEIy8+Vq!KHJKJJ!r0!hc=_k6ThP?!rePeB zQ#yJ>%Buex{~{}d^>S*PC~nz4CXJ-)V-hYqB%Izh$qM8!sjl0OM>%dgzGkc1cch=| zmMh`)*^Ejy7*kSy-A(tEYFw}26@Axm43B*pKGHV&W>%>$} z(339viSlQO^5o9^T=_aqesRglK^6L_!27d(z!@8(yrVf3dB!U>uoY%&pc)_Zc|EsE zb!LJzlp}A=1L`^j2~IdNDLfD;Uboa%gBBNgSPkmgCd&u{1ACuO4W`E*s$v2DZ(!y; zq^-7t?Qos9vbx4?SX98SGclDJ3q-|ij!8IYE{nNggTl@CFqqvT&j$R+XU6${k*#MW zro`C^4&l$<2^zLmH3{Not)=`XPV6{Y*(&zNRf;=J;9q#3V2R}eUTpJL<(31Pt~Kqv zeN~p{u`c7B_x>Lo`N0ENj!prIiZt2^*%~>xYl&40BuH#nezF#W}o(BX3Y%&m| z`&(KRmc9Wovv9!7iVLFo%?v_aR9`G8HS${MjG<$r2fDps&Z5p$$1Y^NRoAT*!J!Fs zr_b>&8@`zE1x`M#6(66RTfp!Qmj&K)o%i`VgQ^~2w(5a=c6NBT**Q6%!N=oI`MhqX zIu~|?zKHtVU)kW^{jGHTut}lp0OwMHo2#Z+FHT*`|AuaZO$H3!+ylW9>9x>>yLdv* z+^`%92WPGlctl7V;*OGnCTQ{CF|HLt`&2RvMi5=}>d+hBbYlHYY3Zr#*7p1e`9ynu zoIH5$CjJiX9_T!;LnGwRV<7wmyP&Fz=R_smCD{hQJgL8g2lwymCM&O2jp))x?}x23 z5*NFBJEPMl$n1iKlxKip-yh&-0%wtGXS4o z%}*=i+$?4ix|8q~{(H!mo@b@VVxwB-()G&mu+ffV(wlY80Oq)o{9F@eb_!gTG&Wx; zcm++Yya+DilK-#e08n}V!<~STiZt|mozcHff9wMEJAfPS82RwRyN=R6lq0c=Fn8UU zunUH*A1lwx>D}A-#kew)IAmSgFd@Ut#!7%FhrWsD@?wu;PUtZwXSJqA-p4w-aDaIlY7C^b>Prw^xLG?hUOo z?Tt^8o)o?>Gx|z58ERb+Sy_6el!VDB#dM7J*t%b)+$}cfPA<0UD}s^d?zs*ft0%vW zu1y#avn+U^5E)J07AZlsEz&L6E+_n#AHPEEvwce#8OVtlgYtAx6S~m2(7e#P5FK-e zI2S2F9I~riIFh^sungRhWxgOIjZ{vsR{PD;T&jMz;7!Oa98p2D+=~dv#2b!wRY=X- zSU5W9ce-Vk(;3xNv=3V!<@SiXWNvPLbyDxlnKQGfwmKA3m-yHJP3rvwyj+(Gkx>?P zE;+{jBJ5BZz@o1pV*@5x_6UuY9VMf^GR>d3yie>$UGVr6%1r1T-E)CX0LS|H`4t;} zH`$CAlC0#i;mO>lmW7(bhNfbe%I@==>AYxU0 zV!~T#VIH<9AT;qS3u~T7_4UMTH=ARfO~lsO0X_!`cHU%$eklxF9Q*lJ)+^qsN~grF zQxbCj-1%F59%Z&+7g6GY?(7&xV!na?F1&R@JGLX%ji=ohTHKH^TpreFHme-e$Hig2 zhDSp&IFwY*(zt|`NcSJOQdlAD?*uaIu(D(1_QHw~WVWwf`m^CeE!b{gP~i;v4M2&> zW5J9ONPlA4=fMnucI6&nxQUVXoQRtr+30t65)1XI$kXpCF8Dp@Mmtb&^Bb4m(^nBe z8+s^TWVnIy_2o-Mj6ao2p24JkorQKKu9CjT8XLu7*gS{@{D z4lm-22{QLlX()HKNORqy_pWi~g}9tCgV~FogTvO<6=uWMXIvE2_mc7A9^DqR7q1~B z{}4rRf0Vygm-wE4PPzUz3%#V4J5s5?H-aqe{JN 
z&7+M0G9~rqH0V?qc5Pubc&{cg+|l6PJ>1dc&YYixZqFg(M$t>JrgQ|c$%ztWBvD&- z)v9cY9l>oCqHHwL6UoBJ3J09MXSM2^nhJ+u>$5Jl>Wt(|<>mtmQ@O2YDpp_2HB&(P z2vFkUk0md4FD^<*hgHM!KYHE&A#5-14QIB;@YS8-B3DlL!@MQ8N(hGGPoF*o^}mK) zmvxUrqsFuZx_r{tRC|&8K{%lH^0}Hgaa>l?dE9-gg4NR}Ho!$W6gAE8ogk zzmzDXLqodl9mN5YKK}@0fBswfGzZu(&%d}E$43q6`GI4&s-1x!$*E;YvmS44uC2i^ zW?8w8x8@%0GLbBHPAa~#xe{j~jLVuy(il5ev4D3^F&`ePs$g0ACMT?sB}cHlA<;~4 zdGaX_GYZiDdVH}xZ$BFxRw|UD=%UK) zXNl(T93kwTCPt6B!kiq_ft#C;o~0y;!dQS2x*-_l-3a+daz$2#d5`@oVPr*2MEWF^ z?>>FvkjMKtzCQT>B>L2fI4P8+Fd^B ziTKjVXVug5p|&E#>&E(0OBNL?gk%@c6SN#FOk9IDB!W=b)?}20#pGj|D2#{H8wJL2 zZ7DYc#feL;dU1GcN0D1b?FT{~(ha{zqx^9%>KBa%b_ESF3twZ{H>dQ>wigzt!{X8; z49@z@-b*L!n^Tzy^?o>yN!m+yx&s_MtjHo}!$WT>o(vEDO6@VsOW-ZJN!x?|(3$q|dU&>XjUaO_<03G3V}^%0?TKZy;)IoqWxK7Js`{SVIfCz%L!XQfgHvAzca za1lMeQF$1I9=WK}0n_v%yA=dPgiL{N-aqYTkwJ>PFB~z}C1698e@%HulNTUCl^8US z)~CV`#R2AtcAH&;U~dv6^K4wEh_!oVsl$CRjb24X?d2lNozHB@-Bhm58iO3DU)fEmS)>#JMcTe?m zlaS1FIWT|Zm#5jY2$iN2t@>;0>aNabWMu{Xrs*VL@E>oME<`Z3r;YTZ3}9k8xQ^$< zy&W|y2Z>rK)fKpR?!MAI;3qG+B7X8DjGbCkiv9%+{Ugt7b-i@7WC#q;VSyAwaT29Z zdv7N#oll_zqI(6>D{9k)&*%voEDU_C-~7h&DskFKAB7)E0Y}HN^ad8&5KknVsfrn~A|0WV!j9Y{-^*`0?h#k~P1)|#Ntc`~OESJ)Z}PKo0Idr~?Nwv&|E8apgYu}c zZe;fy%wa~)x1%Fs7N(Nqj>2v=B-Rw8_5wnAf4KQ`NZ(``M?XiAx{UiJI2Hy!1h*2Y{96J_x#82$N zbriVyS!c~p9BDA)bcDZ@$Sg0l`C+shGp-|;D4HhBI@A+b=Du{zPe>xh z1B^SO{9Ja;Tb~!9<;x9EMYW7!LlQlSX8J>TzF0qr+eU9tN0%@2{#ndl+VlO7uoEGU zK#hKe)$JNQG{~MG2Ug4-REEV>`0k zn3oRQvt|+RK!RghydbRpN#oh7^$E=K?yFWM6U=EwmC=t5$C&G7zt@>MjJjapo|EN7 z#&`JNgM(J#ned}VDK`HxTK$S)#TtVJ4kMQ)ODoBxpmA5dAYv*C{BaLGfpw>J(^0hkuchODrKa}_RQ+0OQ-NleHx3vuzl zL{Cz61#yHgmYESOIK`@;k=E`>{PIQAzi77K>#0G``|SSFb1;OKL@ca~Hi0dwfz9Mv zAfMFTDzz*x6q_dD1cf8qH^h>LhejTO#~aFl^UHU0`*nUc$hVFM7x`RgnTw3QH=pum ztjsP7XaB(j020>w^;zx>cOy=l>)*i-sWOsh3$pB&{DqPf_zPG%9z3DiG>w8SdJv(O zFCG7UVSf6;wAtMWs79QLTxEbWJ|(76U&~^gk3}7xUYMdfZ#JxG6oBkKP<)+@+FZZ5 zVGfy>_h+i@ea8HcDaNN#5gsO@6n9^t?e#+JUa8(M+?mG`L_r#fsdo=h+&Lz<|2-?q zE$MchY^;M-REwjsqOD&af@<@4{vCRf$vxkcB+av!FQ~3c1^Hl~-I3?DdI>&iL9Tr}tuJ5ZRn7d%zSmzI 
z`#*vX!QLN3h4s!}2N5rO0LbaPD{c%toLx|iIv7e54(xw|T~S``x3_#MmrHVd?x)yLmx z{vWIN0FdP0moAO~K9Cw#F_mBjd({Q_`MP0m3NN}?bd+M8W3MuEK|oZwuW{eIo5MrI zxHO04ENk20D~18TXuMb?kA-FBw$-WE=0RqASbVYQ6y7U&qt9WQut99qL;|z9`*4ny zA5k`e&hE*Ue*GYS79KN!|nXWpuNWb;xXK1YezLOm(l|3mvtskgPROI!^`%ADJzd`X3&8ncAuy^h? zB8cAb>gUkD{~8iMvp9d*Kbe;#!2>CWAKLXGq#ULJeko()c_Kz6&tlWd`tXoV6;DQn zF1eHg?)#NoES8=X^R2Z*-avObT31&W%rIw>x2T$%0s%lPxh(<+-nwPBoto29N}bxe&=zvIh;UkQvDnNpZP@Z0`s@LC($^ z3NA^bWV4G9iCCn?6z`jy`x2}Ahx|dx4qXV!0U{zq zhK$7bsN)VxApF0n4M0fIQMqs(=EMgs$T_y-@f3=03~P^65XAmz@8%&Lmw9XZ_DlZ1 z@U}Pt*}|>0Kf|#9W$whlorLptX=SAE7oT~iKUo#jHF?eM=3&UV+5ik zEYmDke(DNScAl`W5)77T&oj<;9nR6-ic-A2EJXa_$HMlpcBjd0)8*PE*I5m^+pCDj z-}wi?@1_0qdn11T-rp(qyM^{)EP4^fvac7ZbT$!GSQWmN7~bM9BSOUH*Iq^<*1uQa zLV2{C&q&AZQYG9PDoh#ctRLXEzTLcgm5aDVtsDttD8&BbOM%lsviS!ShkT*mc^tko z?%*!Mq4NdFD2_LXki2=FC+->%Z#W(P$T+~z>N8Xr@RZ&=%r1{{eM`kMPm(NRI{Azo(SN5+5vB(Dx4!Qb@W+KM^>&OiCWA>P3a;K)GY#Eu zwSErbbvd;$65E!%W;o3sPG~;8r$n)wbmFa8R%a-jkcLr!!bo_CalkkOQNeF6Wk*g) zX{o?xlf}yF}a8@Mdf#+$nhAp*-K#3mV*R~V~b?k z$EqfQV^|9o0y}GL0?xRVB@NFvT+1?)e|gemNfZE$&;MB5OJpu_yVkaCS|a>0O1Hdi z7+Xt|w0f^;z(E&r%i0Jg7oA_v@pkb!s`Y4sR~|>L2+goETJWJgP~TtAthF#DYPIE6^4x0GY2Eprr0isF(>_EF$0Y&i4@D^*m0z z@w_&~p{$P7H6m@f^mv}c#dI#~UiD&bTvAfDA+^`yo2DjOL2B=bK&-K*SmHd^xYwQL?*3keD?cl; z|E>0gkuAI`HJULWRjyxVa^K11`-#X^4^b|zxITHYh5or@NP(A3`rRUb@TX^r`3^Z) z;u9r;$^7%~DEaX!p03BDw%dR(%=+QsD@wS$$2B1pykej|7_WzgSdv!BP@r z9|=N^1g6O%QbKU#Kc^=CS>INO`^v7HZKviIb7%nJWF2jKV<1Z2mv}oop2&RX>hP7N zD%AQUE6jGOVeQ5a9+O(SVBT1j!Y|7Osi z#dhi`)>uod;4^k?{d6|^cE4g245(Z=crgmvGy;K<{i%-pb2{8;2h%S6)5fyu2O?on z`D;p3kCW#`Ws?z#>Pe+*w6xn-ua-Hv{lzT<|04{1XVlcHh9eKw(9SEJelHZ8$)I(T z&+wGwN17wlchBw&JS_Lz^DJG86#6>KK9M|C-sU(O9U(Tk@MJ(-)P6{<<7ICN|Ksg3)W{#H*N`Su|1Jy+Jyh8c8J;fM3e8|xJFqBwcs&yX6v z9Aa!`TVv_yUicENP=5ekmJeMve%rFUB;T?lGkTAdd)dWG_i_p+=lKtM?W0#L!*}Tz zPMGZe`U)!^&uVOJv-bgy@06hpOLIUDpYYZiI+NI`3 zBVli^_jVPXsq0wz4Kv3^jh8*)#{Ka}V!w*734SwUSnNuX-9cODvh;v;gvJ^sK7*%` zr?+F}^p6s?gP*_grRB!JM0P`~j!fGEoEf8Pj**ON!a3T>dhV=nsfF*a&@%Nqi<0tP 
zBzQ5K!Wnf8{^RooVcki_!MK@n(x81vUf52JxkI;10>YB!p7w+_UuNxdXJ0zg#nYW& zRv6e3e!7CD;WHWKn|!t>u3O$~$0;~nmIcFvNb&6q4#xAA)v}dBoYoJRM4B~XQZMDF z;wBW`_NQIUO)Lg^d1Jg>@LYR*x~Ge1_l2+FjQl4h**-q4TQ7b~PD=CPwTOE$Qzvi6 zbN~HpHyGbP;KmSjXUf>-fr59AOrWHk5&3hN{v750)tcBtgOiW)GIw?9iS9Ucm1R0@*jVQ%7=6azO8>+>ql_Bc*n7LgDtM`W)?MzMvFuyVx|r8k!E>KKqF>Q9 z^|hro&$d(ez>}Z?@@Q!kailZqSjG33bJH-}2F1DgLr?ptljW{34tk|}s)Ove`B$33 z-yih>j}VQY?o-J#a;1}{wC>iY&dPa{l}i;9K34qYg!jM+Ycc)RCTfel!%{b`_3D;% zF76F_bja-OW6LK_ggy4}PEw`3OsPU_g4}Cc*xk^`U(kH9!VZ@J8b0%qwzfx#_e4Zy+rBpxR@H_n+n+E9=jJsxS;KO>-)>jt*%*CyQZ>caIX;H_J{?c}n*hXa zA2dqO7Qe(kL!R_bj?-BwO$P1VOKxO<+W0>Fx3e+Ldl`?DhYk(qsv1za7geQWzlHTi zZdbuq&EF%dm3pjw<#yq>$3qPHAma2i`JDpjW)}Poa0Sg+pi~Xu`cB*_t<=tB-?+}9 z<;`dJ^D1;z+j@WqdzhkMS;6Id&MJgUou5a$K(I+-<}s~#;2hOVnK1o2ho*2^_XZPQ zKEWTpu8FpW&gb8s{#;^?gs@%0EQZbYTUOVj+Yg(!jjE0;gxn@auRL-Ta^#sN6D&NV zEAJy!Tv)p1uC;4Ahq_5-Uqwg5bu<_REgpV-_f+~BwVHaGhPnq$r&*M3!GeePhOL-3 zO?}&%0M;>9zkcqbfh%Ly_NNTO#e!bGe)m5PchPcm3~iL*;1}I`40pt9BCaccFgGYK zi562^xLj#9lOxzQv%&?Qm3#_*+y2m37s2g+IcM*d4Lr)hYu31!*0Z{w4{AE1 zU4TJ636sa%xX)>&D+MD3osn)c-5rl%$t~eFqa8261@%tL_6j!_foorsa_yKMJKvf+ z&(GZvE*SIqYag9H1=4V6#!_WL>OURu--t6avKuk?V zCFf(&-pw6${N#$6wAu9C*lG$o1&k@^*oTU?(SfSVy?qNDE8cQqJ>uwH!w9}pb^Y_5 z5BEzSes+N5_v2c`Pfg-mTMyi;q|q5JWFytXynx0z(qtpF-5GFcW~Tc-d07CSJ_?Wq zc51M#VGdfy%*H=e6JjWHNtW2`r+B^G;0vO4uHQf2AwvY~xlh!)-5gf;j&_UoXJe>Kb#UikoDR@E1)DGj=xp7szWh^U|!iU;9a( ziIW@UE6&@?%$iKt1upXk=TH=ed>w@~8;AYJG`{o5RZP5~VhwN4&=%8-#hZrdVqpD* zrCDR7sjw}+e@3P1_EtuWW3QXJUFE!kYQ`m@{DABcm>^3CI)9YUxaPsrhg^y;bYdHK zco`nulxtM&n?WOyxo*U;*Mm|{>6|(%r6y_ru}O+@q<^4ZQEL8CV9cMf)AFFn!@PDN zLp|nxyoAVmTk&`s&-`tfj*lcRvs%v-3Sy{MnCe-}Gc8W**aOGjUnMQrPSP#hdFU!z z8nNc!t?eq#dn$OZUypF>A-BPzzsW)Vc#{Yzj|y5*Ak}sAvt$pR{>EyNIgK{=nhz3-#O-Nii+FPl7T4sV}#EkmE_ETrS zevUszpLUG0*2R9-s`5}Bhp=6j1-InM6Y5V-tyh1yTUhN;$(LvMF|d5baACGVVtlO! 
z+YEwlEL&=do7Gzq6%-2Xx-syDhG$MqtjBD^>+E14JmNhm#HHE)YWFT_iGKsV7yWrY zgbLD@GnUPyUCa}{)E4nbg6@cx!GSNA# zQ`PA!SyD%}mr)kTiDv>>9C$v1Qv7J%s4{e9*~99SC_tM{Wivf48d^opLMYC9$IJTG zGo^wUn!nh*%s<+^sL1&JR`q0et%CPxxd|T#m=Q1xv4`n$)oP!eH&iZ0i(Z%St#E6c zot9CY(#o?4bOHy4Ss;(aXcVnaQ%eaF8BC7Dn8&!8)n1rbi`j~Q4CX+$wYX)S!;{Oa zX_Ue7ir+Q;#Nqbv3q*%sV0_8G|8@+DCD;pdMuD?TyRm(Js`o3-E_gLseY<(NIbM#? zi0aLYYF7iN^1SA0hWBv!Ob;^FBG)LjE|?=K;e42x>AcUQEk%|2WJ%sXo&nvNzg~yF z+~O2RMK^=tb8s2xA3pHz4&c_zeEfW;nt|A8QJiIOMR~@)5WA!iwsftWms^;QzkBRN zh%oE4EzGYycPKekE9V*RdWUY~S{iW!$0Ho1)r5_gh4-XuO*TT?j~8lMMd zxpxviXB323%QOql=%*^J;NZ-BG@+xQuO|ON0<^jM=3q zZrE`_*v{n8ch@yD#SRpz+fHjH*ROO8_;=tKsskGw@9$O)EIael&6j+i?YKU8exZtm zxt2?f^l})Ns{qwT1(@9d&NY4)cfM6yec9YZgW3CMGVaHUjS<`HaT&|sbOx{WQUmg6 z`K-=$pcf;|F8ZYA zd3Tq3eE&#g57r(5lPpr}jyLa1$HUZg%=#C-!dU^fSn;di=EU5HCjP%KtGz(A>RntkFzRK~l?LVebB?FjpgZ zxq?9~gddyRTlN^Gor=Ek>0Y8r!a1LIF5iYoVOuK@V;ybD(w7o2e7R1nV0x&79Cs*T zYuA{94>ZaL8M)@wh|-~1K=BsL^NoSa9sz?^I(&=s_^ccz8&S2PR}Uqu#q7cB?8M%cac-vH zB^~!81znj)JmC2SQ|%#P`US;hK7MJUOKB4GnvTk^LCc*JNS?T*U|9ucZGl2tb{1sd z>`F&kh3?63VSF8*w*ARlrS(Ighj>1-nJdn)i&v%O3(7iQly%*0C-0TOKmh>;IsntP zyGmu2kusbTI{bna)U-AWkqVIZ?In#A_R44Jm8T!JYLKeD-~fquB&yf7<;cb7@u!3B zvKuA=#4B`U>K1A=oeR^tbvm)nU+gW63Z#s?>`&Ob_~r}*CO=5YvHfQnRi5V49HG7B z!cen=DyU76l|k}8urlxQRH4)v5)X1@{BmS?XfKhg;LqLRD@caF5>8pOYH{Ted28r| zYUuLSEJoIz_i1OT!9Ih(;Qw+nNO^~UrBY2th>)vHYZCR+JhW26j_aOj^TT!Qyln4OaT7b=ILWF%+ai?D*lLz$)W z(A?I>#@L82M58xs-D{$esq=M4W#R;8dbD&b@}U3mQ_S{QF12I>xLsyQ1;6y*$yJVq zMB`@kLagQglI&dZvwb_LVAfGM zJ@B}SJq!D#kUe2XdP3QF4P${QYMmT;tg+~^HJ{bE*~@UDN_+)xdF#;z;R66{#LN^whZx>2#ERz@W@!%+>Vc z{CH>Lr6rY$e`oi9NOuwTQ+<+9d2HM6vJ!R#DJnfs}Ny+&TYZ z*^Qh%qSum(C*O)SuBKv&&E#a`vzbyUzG}+-1n)Eu-3Yv^on6_uY`(1lv*@+#AzFr( zu3~$Iu%o)ek!JuNHyYkyHXCe9Gbf*_jI2z1da6zN3^R5U~t{s94c=5T( zJ>4jgsdv&D27_>G3e@A2qOB0P0z8)xz3#QZ!I;;GdqK6laDE5j!3y;;Lfq*&GY6+0 zFRR7mX@hXZ718ivkSvlZa1N4D;hUohze(Nd7x;NqgG>pjQf>6#y{X=i_Vrk?Z~~7x+ce_G{bhMayevNJ3VDQ_75c#KwrS6FeyU zfEV^RKSIhdmhI^gDNr-OIds~#O?$`RmSlD6-!WOo5rY+?y8BFthv|b@9BG|Hvm6I* 
zI%0NuC`x*p$m_W=%0gBIpYiSax2vbTeU$~w-wMLFE~Ry|oR6grC6bSKUa4hntRRnC zUn;P%6m=Z6nI(=`6PjYs0dl@~8g3s|AGlw|oAnoKyoXrh&ayM!pC?vAiX(-77j%8B zFwI-R*EPpJR{_}B7OQuIqYAorw<2IiWCoO#yBa6lX8Nkf{lP&%Z1vn z4IIRF?+Gb7TX$1LCd%3%{Ju_=x26GhoN?15uY^;xNG5;5y=W#rW-3C+I<%Lo9-nV* zJg=he9lS`$|Bs?VhU@FZ_fXB7c4E)w;3z6Td_ZOZU|Y6P;=NrQ_(s*tqEFPhKs=-j zt&!V8o92KsrB_YU;Ax4M+trd|d}b0JFv7Hj|iKhd!QGIal0uHzJujEoi~nZG`uF~({6 zuxJ{}TAe1bJd}9RJwdh)`@OqwHE^+d%;j{4>}gBPv)^8@SI8Q)TC654P^7Yd(DB-X-GfgT%an#=m0jTWBnL%LB;Ibc&Q6^8c!%}UYSkd2Th|Vx-al4>#YEA&aojY1 zz$(=P6}t8UG4Pd*aK+O!+G@g`r@k0=h=70GE+U(F+gBTgi-giXXpE8SCAqWJRf#`s zWX(2~((W%@8K-?&f0nWe&n_#(9;!`{1}HOPXj^gVQ{jO_)j<3;ij9@2CJ(BJBIV5P zlMJ*`^`clG5>#RHN{<;QS&X=zmA?8O#;}@Hn__b!A8iTO&J&@!EyB4;ev994VDhJ$ z6>>h6&3m=0IFRxipV##FD{cCh)6eUTobsW2|Bb=leScR|$xwH3i``YF`?JAk& z#7mQdX<3oVak3Y8D6`W>G~Y`Wz4pZb0j7n-swPO`gr*1E7W3?4C_oHn`bBzD&(PJ} zYqZ}cHq6@sf_QFcXQ1d5hT1dQjM@2Y)VwDzRl2*`w>RO|>YF%r=3qY6R}Yij25H8(QuWY^P1G-z@ofnqGN{2vD9Q;V#pIrVw*VPZ@JW zcmb>7BOFk*@KzyXMW}wX9SV5a$FGuBvh}w$n>X&!u>0PCmh+7Q{DM0j677JmH)THr%qsgFmSukNQrFbl<#H?5B@R4 zmPGkL8qG_eE;2PYg@9F=_TL$^V*d$q{#1?pTft0Uv?4O5gu1P-uUPI(ffm3Pw~HH2 zHn%8B*}}f#ExCXk)0&8KwpryweuYRuK1kdOXpb1q9}4zWy%N7mS=Vj4P2=t@hRV5# z^Y-l*%_FSZQX?vXY|+@AZ}@6MB}V{~9AF-cw9LUkG=50v@@bQm?w!|e(8{+8A%Vr) z=#xhZV=Qsc6KK^=#^yu8DXs5b?zc#4;Sq%6qqTH{;9y1^#$A*^f8L6r$BXa8YECvZ z5zel#;&U{MWmE8!oA0`;y#KH2^pC3Ox4t^cT7W^z`0iqRZ{XP57a&!k^!yywguelq zEc(QacoFn6M=HZ6HV55BbT!;u!2{fHQ#CTIAi$WzPGw5CLR428Yv40)5!omggYYPR znV%TxUyHy$j-B&8B}$9#CMU{A7&#M%EfHW|d#%q8l}ej^SrUo0 zqSpsa7N89$V(qr$RZ~M9O>^UCuJ!G39aGM*?$C7LRyX zPv!d8YMf+q8PA?5(W^nPn5_1Z?qwxpumF zr{2e&^tPE!K{CC^ka#(4(c(B2vmKS8TiOmwe3~^EGMh^y z8leh4QhaFi+McMAy|e`8m688A0Wa-h=#E|u0lr_JkGZbgjUgI znws{-pV&TC!-!sl8q}Wq9Ijs6wMkoRdmdbF?Wa3aQ4*B7Ne!i2_1&N>nF)BT4Y5vX zPn!GuER036%k34}`1qxKIPZ(Ds|`GfK%r{HPc?Zgv}k;xhWY4gO7|!NH$E)O55>&F zJz@^&8H2PNLQ1oW346KUhyn*cJPvN$c__)RrER++B(Vs8j08obJ~o^yh9b)~z0CJW znUpgKcU8*I1D&;oh&XoVblP($$XbZ z!JPe9le0$#-^Wooe!u?#&!tt+X5&hvIy*l*urug2h; 
zO#NHz@>53gH?m`~()goXzO%yta+5)U^9GI&^hOKWzMeRA`0fK}0cYm^AoBf#x2+8O z2u}RoQ|jwLf?^=KvXQxnghUdQ?9ZEcKe~2+Yoq@H46?ya`|?&&7D`D_ufo6{SR?MM z`A|TtnE=TSiAP+i*sA|cV8P3FN%F8U0xKrr&*6Rb3^mfV3}g5eA4aIAoer;bHTIG7NL@Gg>AIHl-2CnS+wo=hgFk6enqvVX_Cty>Ub8*MtQG!rE}=y1U-xY|Cw5OPRBSW zD7r;IQ8H_tuzed4VLJ)Ha0@~qD(}-1IN%y_fUS$9L`-$?C15jc)f2iMIvc4yAqg;L zzwkI&!;tF&m^b1wTrRLhq0quG7E2giIbT3~djHXlDS3mcT1nq08jdwq)9c%y9(cX8 z0=%=3v_7`UX_64pQ|=N4P94kD4T(txLM!w>^ZeWp76t#<$ONa1Q0$49@~sx@Ki{FT}I^tlG@ zp{kF0<N8%()i|`?-&1)snG$FO>O0`aQ}os-jEYgG9G>SUcIWJ&S^F5zSI0p z6DA0OskOQVj>&ET%0r#uFUJjR`+xv0u$BW}HM{M}OZC(>?DF9TnI(fDuJ0pPue)#B zGP!+a4U7rl`}v(H>~4s&as7UIxwDac=$e2BJParNjvdEXi&1|Zmw2&J%$0aTglRqWA{F9!rH-t9w*i0};*etv_H&@~*6 z$=`v?n(s|KGdsUf+NpDgN*EM54!F0k6@Tep|Di@$@SIt@YP$C|`qbJe`76@v)E+w{ zHD`oq+KaNYv1(7ZXaLSKI*(@=`@nxtB?Y|hWg8yY{8EQo>5oa0gqpJGX>VI zHB-j{eIYuWoUFlGn<$zT<6dG*wHg$=^TT^p86F2fouFRB>!ouu6qjxE`K_$?wj?Q{ z5YI|`oEZkLFBS%@L{DFs9B3-MnFMaPn~0R(g`Ti!K-R8(Xbu3C5Zuzq0@d z`lBc2vOMPR%N@G7PEG@xQ49&3<$5)*{mMfyS>LbwV}!{z0+a1g>Miyf4F5@45=fKd z<>z55+%}6*jZrnwq=YrySq&j9_tVomEY5F`DmTG%?Y7JAJr_*XQ`K_R(~nlpUDfvb z3Q2b!Bj(ZVpUB*0B%kPVH?;%4LM+1jq+_=jCCUY}lgf8{Qd@!y_8C&GqUFC1DUy3w zeyU3H+;vDr!VzT~!XOn;QdE;>W9U3nb=Pj#!VBVqif$7^tE!?9crSbSo2llDM%D@YAe4cMx`GfMZzJYu+6uCOAA%5&l&}IG1B1yE2FMX z9K?ZO6X27e4zau*?5e|Sk}`XW#eqQK8P^W95xDZ{bQIHbaIh(x*bF;?QEY@D8+w@U z0b3swV4v4X;Yl6oP&h)^+CnjjFv6`2*LC&*!W=Jn&3yuCROPo!{}z|7AToZXqonPO zHyq6d6)YSyO&aTc&O&QXzMke4KrlI%+&tMGc|T*?Hl6gcXlfkTJ~(@6AnIv#4lTZ0w3Y zZpej%GAb@W5|0qvW=Kwbf6c!7!Op_PdipTC)FS(#@8cD_=~*V+|1Rn$NKs1WqTB2g zUx4_;-R>zWqYTIeqRxeIrR0?Copt{lqKTRK++f@Fc?X6AFAj;~!4(LTtz%Jy^uy+t zOXYUcSfgw;^j}jE+aI)n_K{~_!3(>JJ4{#a;@rt2Z6<-)>gihVr-pF?SwXiZcFZYD zf*URE%sqddcVp+}tvS+DKp*zaoO-^Rz+!s=Y+jS;#>Vrrm)HMPgijy{vsZ$CnNSwd z+yC9)nC>sIr>aGtvL|+Q-I4_ySQrjewX|EP1D`m$uQJ*9+ITg6=k-U$_5*~^8`!^| zRs)C4i)51Xl(fu}dIUbs9N9AZ6hv^i;j+oM#L8qQ+6_13U?2omh%H@R4TuWrl*^-n z`|3;J+(+;=U^D1y?MRDFA*r`%SnbmEPwu-8CE!_xgKT zseN{8*^A-EyRH>;i9w)p-tU-_SK+q 
zXp~wQr-@p(n{8c!!0@^Ux}o{eK5}+dM={6Br-G0gLZKejuscuIdF(!47t-f2+ve?@ zqTw#QRF?L;kQ4rol+@17xwfcQ^WdskjDb3XT&+K|?Rw4;l1TK)?`!vOqP73wqP#It`p!194^>`J+&E5xq#pxSAv9$413G-e;6-^6?-+6X$}^Bd zP=|Zx6>qv-%)Jfds=rdrKk}Z4yU@41H&R@e)@r^BJ359D7*bVh;0e&NZxkvp3L*}t z;}E9^%Vw_G*D^bXqk3+<(lDNd8qJU8L}hfwM6~+E0L8jeT+_n;AsS zpY=}rIIW+&FFaPodkoq@mf@7*CArc{OTIieaKAO|TQWu}Qyxk}7V+i{8uIuH?#omef0V4nxZdN*9N~+p&WgFl zqAdJc61VO^>a~#MRLv|qA93@?S8h8ErX-~snB$&5FMO&fx`VcT`^zhF_0x!~(#KTm zAdKM29d2608VKbIxqlHYXZPh-TQv@Y``{|ORt7p2`Nl{gTbGS7d1KuM89$I^2}w9l@ggJxqKiWMWe(oV1_|FqkGm=FWW{I<iD0N=dHAuykHO>v)sCGJ=9t30+6XFv_CYuq9oW4?K7YB zUyhM`vfR0YIFk)p6BQVvz6WMb?B25JG{O%7-Mn+XTEg~WD}UW!D0iw&&sr9=To8+Z z(poM1i9k%1PJE*>FUIibn>(EBx1ImoAM!UwHinzDGpc63H%lo-&VXuaVD_FY*N!&O z-q}0>dMV>&EL5R8DWU3+#w53{%g+5o8i+xA1SmLc*v4c5QHq8fvF>I(1@t}|chwL{ z9843rbTUMP(+W7$L_`w-Jbs~iEW&}0o$>ql>P{5G*Al;P7jpyUYEH)hsB`j9aZdqW z>A*AZf3=2-*M06rOPb~}B(v_^YK|oMs8kZmVr@-U!z@R=a7 zBFn#e2WqYuT2jy3kd?BwAeYhEqmrAx)PHQ4(_rHSjF`QNbCHa^=hz_SWVy9;JrwO* zc6UCyy3dYL!a1)P!gM2W60v#>+500lZc@^B9rx+oEccT3RcMO+Zp5Z141MoC{n1kJ zON8^!!%VR1*jGgZe9%31d^%|P<%QIYZ*w`7E8F$rIgou z4;t6B$LVKfs<~|r$4BpCkWpK2@Z>!K`oTC>I1e_>MG;xx*oe-(l`MF1Qd`pIwy?46 zj-(8tb|9O4v}l_+6jKs`D$ov=Y*v3N3S6g+N*#cE0{Cn(Y&Qw=jprRsknE^tr3r4# zL@MnIGai(VbghrNkI8~Mn^+)O3+7|26$Z1I7=_OAS{nf(^? z{N}e>NLCA?(@t#J$yP@#jp-3xg*u5rdnhBWQ0^6hu(XHfN>WP=rkxW_8s`ZWk$9o)4l(M$o z(qnb~<|W~dC^*2_7xj|)k)o+8h-irb{BKU}oiBp`$@!rG-+hT^Gvg-Z)1NmG_Sh~! 
z8ozs4c)YbeX!CLcg^Ax}BXpirE;S{FRu3(x=$B9lkIeYFpa1j{^fJS&*AS5?qG67l z+fktF*xg2*{80YYt%q}K>&|0EN`W9DUb5;qZi6&*A(~Po?}bwHgv)`Ha3VQokcpOo z@SN?JVDrDV5h-50zxCSQ@u=A&Ys5zFXRd^y4nO1C7k!s{=qwxqKT->WKxTJ(_xkrc zQiTn-J_FvhK&1^DM6B5rBKr#uue!Mi1(5=#8KjAMZK>dooE8ZNnbpbbgn@0a|L8-H zw_g83ow6`LueiA?lJ>Ry7pjmfB=~ZlGn6;HJO{tyZ5L#i8WwF(R@dgV{#j;Z^SwSJ6A#A2&9uE`JHG?$+4O4ly5OFc|2 z|3n<8bETR#5lWzmfE)<(GrcoX_iol}A@XAN(oQH!xkGh_5{xu3JiE)aIvkznwDGnR z^(5^|1GQalpv$#uK(8l%9z5@;Wj?Ami1esoKqzYt*f4|L)#A3UORwvs!gYFsAP<|K zGTafJqIZibHrNfUlvQj7^NpV=9KE?QAU<&tH7-_Zd~~z->Gb1DC%0^h^a8)FsLfN> zS$KN(gY)@HwX>Cb1k6nOIoueuTcO#yU=?&(L$B8#nLcgY{gIKcX>9`!tLV~AeLf!l zVW)$z5ek<3VT_AD8Z9YSRMuKQc(oX+!{-}8HZuh)5G`@XKv_5OUW zbwII-x6#`5NqAk0DhH3h1@^5q|!7 zE%arD^?(R1>`EL}=8goWT}}iM9Hdv^BK{Ac+hK_iU=+%C4U=X3tJ|1f*V!u_`E?;! zD`7C*kENWjB!8&n7%{d!gLJoeaL0ijL@1w$YI)ss@2_cKP@XCCeLoFIQJyVoVL+?) z`EWo-V_)xU)psXqFhY@cFc4>Swc5^m4%LjZV# zKBgZOeg$eBdC|qIE7bq|3Dfkg+efH=JY@H=c9$xm{g*}ddc$x}x~uS$?K3x`4K()% zC|AHET@rBtI@umYu)CEnR!&0MA^}5^W$;u#fLm{nrV!2ERiS0+UX<^Lz)BG(BrW*g zg_rmHN$SQqS#HhA$;x}-y1Lt<%-){*ubW6}guiIlljs6{OC59lpCj}A5l(aQO7fp9MCV3bq5B`BDBwyrE5euYX`(>k zKZ(9mv2a^I->$4i;4^I)d+$(Dx`T7-^4>{a+cs~^`AGA)(!i8v)Y3)B0?Nf$NOrUO z;qUI^|CPd#yxdi4*+L2*xXVVKg@+&w5!9L>a3YoXBb&aH_dya)UTs^0O1HAjZBJ+s z<_z%K##5s&T|=T7>OY_chSiGK5on}uB*)n*U!rV8fF znD`GL{n)$De{)havZM>VdJU5PND%(17O|UOO`U*+h$p2NNDE|%CjonTRaygqq=$){COq-U)6=*L_uT|0o-Nr55~yu-ts2 z1c~XpdNI#rjMHR1t1rbLpw9~bRW9hj32aqjFgEX_K!Qnn5`JVYyD5+XIC_J7xb z2L4e8vO~EFn-M4Te625TpY}GsgG$IkVC+*>=ZMLB{Lt%R=yeqyT#(;R+%r!Exi${M zYvQ5PJhT1Lhhn4{sFipa>NN1;(wI%b=>=^f-h8;!F_5h`=G%ckjN$(z5o4W-B`s!# zdF-$F-*h^Arnj?rZNI+$Y$T#i4z38$g!S>RzEAQh`#u(ofQz2Rt%=6S?7JDrS^~DzP;zCv-&qF?f2Fvt3S_y(KqHpLwr9S)7~(Tg}+kE>RW&(j+ac z{iHS@iJowiOBqH9kSnUAajq2f4%v5Sz>^V_{eEX;cc%{-lTY%A2BqB)-MzY^X&O_7 z3R_Kya8IT`KU^MPXpeE%khZB>eS4AB@a_D{Fr3y^h_%QBKX>OoB5$}cS?C;{_S^FA%Aol;SutGDE3fMJhHTqUuO8_%eMP+(zbZh zo27SQHq|3@xiv#4(?-4tM3<_gv0P93Q-4t_;?OEWP762bPAMBGw%c~|rQ@M%<&g{J zI)*8a)a|Qj^CeyAN!!)kkv7O@Bu&J-+;NTub6@)qtz|2ey5=>fPj+CVv 
z1P_|*?nc;$B8wMKTnc(}AuS-aL`i2JDOhmTw&tio+15asdgKDdCj52^b&AhReWqK1 zk$Q%^cf!d#gX7jy@&|tZxX`t43YQ*vUg#&2(MSrm`ucMLFd(4?SYOxI*fr2Og2;o}UNZ*ttjNr}g~~!k3M1Pp9fucfbVM!9pM)CU4SrH6XWgvnl6{kJmda ztw6+bBYghlxoF`@cpURCXNy9)T0lQ+-IHN)US`AG37Cs~8Xdo1M?BY!ur}Zn^Mmuu z_uBC~@KtFW!Xr3@>`0h$3^i2Nw*v~luBS-8JzGGQyPsbjd*nYeWrZMvh5gf8IBPI7 z`LL6KWkSM@(4@ubpTtl<6p3Pz_hz%@;7H&p<*%h6PjLl@rDws{7a8CstbD_{h4k~P z7dW%sbH~U@uDbtN3*pv_V)*m8|G%}lwb?ke8Syiw;(FWDFS*l`0y6Hx+ysSo=qeGx zr&Ao2jL1x^xS-??b1`K0T61cIa0+uJtuJ`BDIgjRW@utQ4OMx13i^2;oVhRFCJNwn z!o`Z?ul5F<)kAauB8t^edcsuO6ZA?zmjW))kr?aTieAJeBEb&f#|81UzBSIL=`#!4 zjyHFwYc)KE16Xo)-G_u$(@q%Ll@l@kMH~F0EoK`&x*E?965e4+u z_Z(LsX3LK5kFNp+`YNPsB?rDp(NNSmUUPe&qFw3f?;<~wx*GLRIiB-w-6iK=$jadh zxg)tV&CdPbM*M?Is5|3)O{_fQDU3bYIh` z(sL|<>T;;=*|I=#EpuwCv1p5}F#9j?Po?19q3y4xQ$c^&?EX^b{!>s(>$Am{@2yM- ziyH|_xd#`Jk$}di(W&Zh(5uHl>Dm&MjP|G%Z+64LI_vH<+wOP&0p#1cbZ6cINv11P ziM|9LRBWT=Vb1v9%3xMvsL_i$#eD>)uKLdC!B8MKT`xC5>eF33n?ztBR^W+n+qiDX z{{s|;m&rl_PuQDC?~R*n<0WT-X|opV97V49ric7%PTDmYMr8%J&zsU|q)sM~-UGn-y3DNew}m_Su%tI<29P>ElyD`OEa(#Z z)0m9X(*AE(=|kUsyREfjtGDo6-aKj#U;qCGi`--l1)M}?)sL^$nR}u&TG$a=35ePiijk*nAf^BtDRPn3;TojMglb|?*mv**& zFTef}Exm#Ol62kdINKlaG#fnCX3X+LeOFLP-o^!_(;khcFNSzC6>1&oYPXbDtvseG zX^W_oxUWxWng+cPO(yZ0U@^c>Ou z|C5hPOZSGM7?!kbH%3&C1jrG$fwb(RUYo~MK5 z3^@{7p@Fr?)by>1tB0@@3vl{f>cMZUiPm9H(wpf7;j`8DE7!`R1K^MiH!b1!Zv{J6sz$aCuv zzwpF&Vvf&bEh^Xd-i^A_!N*Uoq>cU%_^q+8_(+w?zsa*dUZ3RJ`Mk-a5WSJzB%(yG zLEr)k+MqeLE#D>0ol^zvU_w$2V?8<7);#F?w&!57m`hIQq$uNLY05kQ0(dPy?Al)Q z4!Z1B=KY~Yd?`}q&m^M%tinVDP}F9K7V2)N%UI(}j6B^uwDjxk068EQxeHH#K3Q^H zi_xb0UXwPWYoIp^l>(Ya73ec0gl_F)rIMjwlNlbqJ)5mdo*iBU6|o(&dyJ;Q z^Go?MYY2n~jIRU6oy=^9la?R3U~eeGl?M{)1b!P?ML2TzcyGM()liHgH)6_e(&FV5 z`0n!~u#lUR!PYIEeEe>W2-W;(=9=s`zEBi{eLX?zul7B@%%7ldh?>q^M!D8p{PW7|F70x(N4S#7?3S)A7~}EN*9rc4MUA3 znuS)rM7Pc(SKn6;LL^KQX$5jc3ThdH5K;00Sv?U={cD^-#voi2RRBY1pNH1$@OTid zL`ay_h$cqyMi8?VV5n@vyHA-$oR9IDeMI*ybCtd%#eGWtL}X@u#Ldx%MXHMD(H}?6 z2-SBcqQ=>Dd<`nTI+6^d2e?FAo~QJ`Cwb*tnN_zJh-~a{r1YLWtE};0T~@V?f?GCR 
zKI7BK^A!BuOJ6r>;g2jOEP%5qbjvW6rlv z*J-2CIGTY2|C{cKubEK2p01uKgW6sR{&z}l{`j18blL8Nz#;UPosEBE8Z#cjiCXTa zpV2pe@^F8+EdI<$@1o_z52Fmtp8Un0%IUlE=2v8zUols5FSR z0A|vuynXTyZ){t3=JtkNQOR`|erxbig)f1Wd`gD)W~(xDEO(l}lB%d44mr&rULt#$ z@vO)R-dJrm%NoXsMdfLNz9Vk)B>bdv#YMA>bm9 zAeZ0@%-^Aoq0>b?J~@*_3$Jpc1pL1KxD_QySPME&hI4d?Hjvi40ed|WbwbQ^F0$^$g>XNKlKck?{d@u#~e8PeJhr9k!FntrqNsMCH+ z$;H@O>(d2+Ypwxg7-}8K(UYS5Ztn;2D@FP1o*v}$e4iu8p(IDE@nBi$`=(g}wh84| z!D`+cABDmCc+4KtJfh+=A@a*rKi8G!=_dAm;&X>$!18GrNVDFV!yp4qx#24EeZW|$ z=wTykCo1de4@dH;uZ5j%;#9tIK+HSZ6CQN4m3AVX)sfYR*(znA+@ zGK-|h{iKBN&+et)LwQ-nwPa5xk@S~x&h79Elenx@sek4m{)YhFW@j6m%-!KE8B6>U za~5A_6?o?MFaXh%vZwAYjA^6knOGn#3=2wUM7prC=Py8EUNlRI1xiI>7yNtpHf=4y z<#!kv^Wt%l7wcn}{u^TPYuyLSPvb0gBlpTB&uwRLU@(KQ`&F}0FZa@909Po=yeyW{ zr@RO@K0wpHKO575(Sz#v+YnnGA!0tumKaQCrS%m4X=V;Z)I)aQpE?i|_6njw<^&?lW;fZO?c_mhg7UCw`$gQjfjC zoMWM0E*Kp8`wuS_EmCnPahx#uDy_3aY~mU18I2Wjt|M>%zX@q`-ma5_&EKleZl>P0 zf@$|PU|){W@|`cTMH4653y?H%)s>)k(3;S(6~=G+Q5od8j>ZtHrUpxOpVT>jUoefn z%6(uP{23l1Z+XS7<}q-usN0aMTfpyhWmn{+>g|v}vMhha8UK5Nn&D(V!F_{*OYU#) zS}{q4cmJ#qbpTLkNmdGO0RveJGJp7<2e~}!7Id;bGwJ~990ge*gI;RBY$`$5$G52$ z^L`4N(kpharg?`fk%%MSe&QMFlYJtWZ2FF{zs*24Rk&y7ON)O{GLb(WJFa+<>h{xJ zNN9nn-JYj9c^%|~$pyXVL@LZ(6Y35+n!KFasxMnt;CGrs{SFtn@kSWw!rNtK7La`ERysogK! 
zi5E+3V%6+wT@}kGv84CBU8{Y?sxJ3_VremJ8TbyJ5Vf>&+E4EE1b$G;zam8cH>LRV z@shiq>X1}nR^7HSNb64J`fIKX8*fDs!e`Z!5#_!h3sqpt*U>lbi?|LVNYKb(LM4M; zi}$Yo9s%;+_)8F$k=-B(OdHaeu#^LSZy9@z_j{7$ENGtwTkq9of%gx^W)H*SDVObW z$Se_qWb)JIA-D~GvWgfgI}Tp$7Saq+d{c$}L1{sIC;4nYdSfmL@*63MbRJAQDD%hX zALg^W*HJ~6GMKs6b5^-l{t!d$c4Q|Rfe81|S81i%zLC!(JlM((tK9sng`2zFtz6RM z%;#}glZlrCBQV6_Xe5&U&U$O&!I~wvw;LR^-bIMCD3PA=a~~sD;RlR#yZ3{u%8nQS zUrvbM1DJNzECFkIPok2~d8RwRCkeUW@9f)yp^;ca zv4%FQ*4pq+X5jpR zCM?jAPJ3!HZn2IDXJJl#S%r{-jGkNv6HP^(8?Wvgr?(l3wpjD{^2R7z&}q?$fE&R` z9!B_QYCZi+xik5wr5a0AXhw~H@bR4cUS2(`6hvC3#qG8oxiy4MFZ)RY{gZApw>&*u zJkxxmzwF+#^5#cpU@m;&WEu#rR{#$#;$-BG%Q9IckwBrJh+5dr)XUA;^ruh}Q#MBv z;rV+L45gE3NE!9c;ZU(Pvjq2nlhDQ>KawxLHoQL)U`;7g6F#fcaUZ@AEf)uk2;Uen zoCb^XbkBd0Q~k@LJfB~@zf>PCstRc*7?YKvSu2#6{SQ;2m_+lqjQ*?8yG{Z~C5i=F ze0HGykK@;R-tQbJO3SO7hs#%_z;lB*F;B~^G?}TlkiAGgF|A;4N2JkI1cJ_xBflFw z5_Si_ftO@pMu*D97YzXCjyIxQlT39?7l$nc9(_f*%ltKz1eAbqH@nx;;*~+Ha8*_7 ze5KL1qSwrNJt{6p7)a~$$w^-&RF?4>b9D1fqg)LuYM#$SH?^qU>^0p%sjzXY`Xm?@ zwQy5O>Jj&XB&NA{>AKphS%T&@DIwAtXZ54!X?V6=i4){HA1E@ef*N{KV+6;GGApH~ zl={Ve9?>mfLz12J(8zf+EBppZHgWpVwY=rCuNGA#a!eeV-w@1~b2i*<7gw4+X87>Y z%8L+=E+@ar+9{!c`r>x&sT9e!GcjK!&t4|SDi-Lfj1gR}cp~Wdca*98Tf&*Qf!rPRHCK}aI)K{NeJ2uikkBuMO1t#3PR14n=xB)=VrkLwJ5P=E ztf)T1UI9n+)?bgu31knt*7ZC@jT0^SnqQZj#XC(MMKmd7D|`==L&nASJm%ZX z&xq+iyuPUB_~*>KoQG@uYYWFr;9RH~vC?P$@r2RWod;{sS7_5}Gmz`z2+W?4DRC0U zBQI-{MX7k?M15BYvW$(dH}aIUAGJ=#J*8dr3It1=L}V(V7jI2CIRr&WR^%#FfDnx$ zRniVRWxE~kvuqQLD%EY48}H>xM&j*WHHI3Sfi-nh62UEny6wCXd@T__AZ)-YGe2wh~E>GdXX`$h5liU*YbmR_S?_ zc~liRW^pfF+Zo6!y}9x^u4ZI4&etoq*RsEMyF4MjdTe2InKa=Mrv*57*{i8jM=F;;k-20MP+CP^^ld9osGEZ!7 zj=rYrbH(@h@t}`jH}{EUt5I0)#;XHu=Z**c*zyhI`Jv*xQ#9^7`5rUrc=m}hRNN4HFP0ZP^SN2b;|VZ$*B&XLPHq`qe^s{xAU zLipCM3I>ELCrR(g4zl|lM@bf;RjA;TF)+bc!&rC&vH`7JiFi{P=H8vS(!%HjElNCi z+vF-9Vcxio7BmYNs%S+3C^}%A2o6>|C0(iutq`#6(NN?8J^wA!w$4d0#>rQr$}#r~ zAr24&*5D;W#hMez8`WPgGJnxpf#jb5CNmK5F!<}wL_)LR17^VnkTi(?b;@S{ewbH& zd3n(E4 z<2OUPyUsKL1&CoEngW={Qc!0bM(g0!a;V_QIu65MTWR7POL{j|L{W9C6$bJZ 
zL&u0CfwEc;(OL(T5>pARh^znT}pK-XyG)+_F z8Vl?I(425I^}0~4lSC!KJzpL~A$HR5NS~RPMClNWEsY`#PBtNv~_C zjHybSQYqv$)61BssI6tzYtt2h#sn&b8=4zME`HMF7*atdN)U>mg83t6p1b^nC|Gqk zS$b_RYu~uQTEk|XuBZ(tRyn;CN37y9$QA}T^llG`eI_ChY~}XKJ`eV@38KtV1In zRFT1UklGxJMSibV=x>I1x}+)le^V(qCA=-FUi$ySmCxP^q}XM<@}<@p4&ht?jz$N) z3gxfKAPlvy)CYM}gtEJA!rnp)0*(F~pYt173#-WRM(KOgg#exHHNMJEW1Zp&<+0uPnO3G{+8^l~d@%FJT z&e_L%6ctt|4cTuvNL67p6ibviyy^o*jH>V)`(*XTeSP_7^tCh|kMQ?NisfrJ5X7lV z2rZPBy}I({*ifI4=(qTV6K9PUy^`9KL!}ok39I|;5(b{TPRT{v+_mv;C-T=}{4Pzg zZ|5XA$!2GfgjZP-&zEyfQu}0_c;?~-bgiz^Cb=inaZk&r%R2_M7_}K@%uZeZa75Os zVE2aY=cB6rlS~Y`%}Yxc1&*-kojbalBF%SwZhDYc%5!v)bCYm7l)5O=XULR!(Dh^h zN6%sNUB~&(RUD_245J=nIZ^x6X(G3;x!1Gw`P!@@nmBw5rRP0rydymwIbq*gZTT*o z14_HCU-|M8#yLMGkF6>lpDRxPY#2`ci8J{C#t9N!Q+|DU~%Rb(6c}dceI33bJ>*W3xp!02)oQaRdJ&Rh7ut8^F9jvaB@7`s4H5J1oIE~tb-)87omUEI`-M?E=f<0 zgHXUD1hf1y=UmVswchK`;u1q|4|KZoBoG`S+Ksr3iwKQ97B&E*qxnIG&2D^k==jBu z>NroE?+zNdi#vW#DP$usOR;&u^W27Vw|?D%ihCjzwZjFC2=>Ru2*%m><36~zcCo+K zJHRL~V$6pjXX?oLiHOXl+FCm2EJr$>?&OOZKX{@?%=9zNtmg~i4s5AE+Pu0!Ce(B5 zVd+P_FCvB`#VI381&We2EVAXCv^`xsQO#!D99mT=@5ZaY8ok&S4wbC&YTkG_MeUcU z#UeO-X|s%KjjSPqMRrTNjz?{iXrCRIT5^4)z>ap3{eb#+{Q+*bk146I_I(#(w0yN> zHO2e&oO9^J;o8aDc5ggJ^FK|MR*r>IBuajwEy=6uCERx`G~$HksM#~wjq*>HB%6D8 z_rCKm9jz2E+xzuFRj@SQ)y&mBV|-}-V(dPwfRS!9(TEsB)FeBS=Ksif}Brj!b?u_HW}HTY&hS+jP44g0MQIA zt;6H>QhG(+6s-v;Uc`DHUGzRd!ad|)M_h*J%97-M0Bq*8HOQrpKTBqe@JXTCTYg%0 z^UJffLCy!{BMfedwT;S1<#u``5nUtNm+Ji&(gu@YWT5#^*(99q%N!D0o-qw?>-82Z z7k_w@%GI&_?BQMkerroGixu9jdt2;YLREiUhUO9;wv`G7ZTj-~*& zpl0d0!`QbD?Vsow)>|p4Nwra>3M7yh83tFm1<{|E;nl_sN8Qc|14(K=G16xneiZIy zq=K~#&a3CHIWE!b{CN%!4A2z&9E#fWg1f5O;D?RA(d&WAD`hgS7^j+5)^}^J*{{8( z_Hjq~@9rospSZVv&&$NF^n{U(n$;NP;+z^zfBWJIgMNfH_hNaq*mi=l(|!ew zP>P`CC%8QBJGJBfChtumR`!_7b{cJVw3&&9R*O|62>WbD3`cf~q}x9qr_kzN_SV%2WL~q>{+(`GQd9H)nl>@%c@N^5{kX|Xa3_omgD&c_ zZrKPzn(B|WdD~7J8vpQ5N3gc2+7m$KTpRgKw=t%fP}rYSMh2!fOAc5WcJ~p$Pa9BD zVWTPj5eEJCdJoKnP@Jn$h8C&-ZgqJmE9~30VS7RJOnK*zqo1y^U6_EYF 
zx(u3u)Y>aK$zqV_`e!t$lzhFuSk?NFxNz+!u0_EY5Q4!fNEZoa$4Jf$p{1twCHnHi zRrGuYmn*NRDDsza2JXSJ#p{v@E7Y!y-qR{#qY@h85&<_~Z3D@{jCVZf&221U=bK*V z3QXM;E~}$<^T+KPOerWGx3)!>U-Jv==lesWLybP-rMIj;{w%KCBrku{NYgzcnVsp%ZplI~gOw@M7ry^_FKcO?6w@KCb(%KQE}+>%djbgHcV@SaG0 z`SEshmPyq|dkse7CGg)Qtx+P&?XMe-M^47)@O0GAC1d|QAVG646&k}BEka@4L=jVy zwv~*@aPwd1te5HQYs$m)5}hQ$eqT}C`uu4Ts*6D7_uQE2ZbT}Fy~dslb&M@ePxgC0 zd~FnwWV{lQl-vzWS}PhK^oi%~_^f7hJUjE_5NY*NelHFOodj(yuN;K3<*icQ8|T81 zjlXgBJ2(sUz&9A5DQOSjtvrBX*p9; z#&gw2U93i}Q;StB({p&<6`AOZ=BSzp3bHpE{uttH6H_CNZg8AdU=@E7BX{m@JI|;Y z!6TA5Qw}|!u*h%6p|8nPNOqr!NHSi$G4eokbmdZa%-H+4aiEz@b$uRuOTEx+@fyRX z-+7phXK!m?R5G(3*Kl<6M%UXt=Qb+{4P;fu0-4B!NH8YRD|aP2`5H@8O*BoYWJ;QE z@(jda^?l6}Y#QpsoqwBzUjM?k#F@b_crY0knn1|)EWCw6Fd;`n4cw_MX!rsz<=CA& zBnNS*8rkyztcf7VxI6Kw^-w_?t5r zF>x<`fPOE(@e=gHPoW7uNISbe=7s+P5!cPXO z!Er}LvrLd1Z%xwiQ{{^Q0cq2O&Pfr*$(LibI>UR;@o~O8Iv8{0+_CcvPvu|997#-$ z;q|FzOyQx{_i<0P`m}B!i@En+fy?cFb&*W1U+IyN>e^4P@DGETGPxV2e69NU?=vS# z?Ccq6v&h02HRO1i`Kzt;2=%N6;U!wR`?h{Qan-}|(add(s!Fb>fT&9=UsU~*LYq** zMCB+^kwaGUw;69SM^_p}P8ZiX>kD^;>OC~ya4=Ci+2?3}{c#>;R$A?z4P#;!Ub;`lrR#s~^%HJoZkBLa$+oJuD*KfFN#|5rF8xHYZ#Kg|zzwqodyww{aiI zl&kC;SHHY}I+^!ouU31-m9+CN$Z(y)8vFX&O1tckHGvnii`4>HBW=WJXc8}slI!G# zn-Xd~auNEimp%W}PjlmI^}c>&TA&rd3&!g+*i=cpSa@Y4JK3}?V5N)ZJ#I>S1kX9r z4G2*FKVQ~}5YPRq1Dtt1p4Yh|Rezx~Fly>TnJV_id+HSWFA&x8Yd@?#eG=%35P_iD zo)xD`0Y(kBh85F(AMoSclsp$|WdmxaLG^tBDsTL2$28Jw={2XQ0uz zzy$|tOljTY9JW@zCvuF`3k+snsWf-+OD_pVSJsxU&0qJxyMFYeO$dFWwTGkMI4{oj zi{%^cdqO)YKU8KD-ET7G+&BI-&EanKYJ#^F^ayZZb{pZdtJ4T zdRa23@v{Mqj2m8LB1Uz2%7`;8GGyG!anf5glxv7cSG%@PI8r9K^GyFSy(uPWJ{;z3 zXm&nY&N8a}Ab;s^A^&_`{`rW1=k=YUCClTX4zjUsRd4!m9^LrZJ`v{=7C*tPT$NIZ zqcqJm7vESFiF9IqL#%P=W*?P)glll8`X(@-f4342@bu&~t>`xJaYyl?@C6uS(n=!Q z$aTF3?SevO&;WeaHk$9jeq+W9Rxb{TjNMiKrdT=7lQP-6zB5GA;A<|Rz zb1)1UcznHye-d1iM*wb*tJsTq&(~XtcvQn4(uPIYfBELdop=} zfPy1W=}(cTUGQzvy_%SD90wyag*kj9d0wh zsMGXy3X3~>i8su-E~#ye2^bJ3`X^tik_-|%tykm}8)C-2o%60FPqp2ubDYq8^NGNr 
zDUtYb;`PYJV&X8iM-NqVRKAz0ycLEbj*z>;4rj0eyL|MY5_Y)DyU#6gx;Gx@+4zCher@#TZsVrWZURyd(Fr9xUNi{SwQ zJqW$=z^(%;$Bj&0g8v(kBmLP@k`3t*H%;}79DVo0k_V2%wD=m(%T}cuzRdaXbOTwp zpPdOizu_)-y#vXxu7Mt_J$mzYoyrlNp(MW*a~7nLmws*V`Nt))KkK_kw`@j)402@* zt3!9)9*hKW|1wOVV8$QY1h73iANM&7LqFP;;^Jt5fqmYRX0D~wVN_mF|2P;o=MCt3 zQ!b>#2>2;l+6zNe>O!bo2b}{@DBGq#npe-$>hyH*MP$LkyicGx`{+_hq8VL@=DyyS zC^c;t~{I>&ELc8lESAx$-!_c9aakF^M@sYVvy2D9I z6#{N{hABzC@z!4bqin4O&fC|$n%DcCw{ql@wbzxH2THGeS6%54;?EhsSN|Y*>GN{j z1edZRCEufSPHNwx;Y39ajlaD+(mdYWem(HSULmU!n29oytb?B(SHHI(F1t6nK27|C z?x=2f_RTl$rJ;xBq6G`+Ed{PSlg~>>2009=R`HFFzj8Yx_k8MU(c>zcP_AKh-agK* zS@uRneL5Mti2QTt7K^>)pJ&3`fHn;Od_Vs!1j}V$_QOr;o+b*_(|e#^OA}s2kDVfY zBUHxOr88)20q_CEfxKy_@#R!wkfSu{3{~qK*tD@xPEc_fMw)+hf+x3U+?tT12fEE} zvj^Qt$GcIo6AG;sRPAcB@6S6Y=5jd!B|8P@H=a<|^u9_;ayjjauVRv<7gNqph6hq+ z;w5iDAW$5X-S2tXalT(`@B`(_OX^&FvuVt%*ney8!$AvJ_T@PdoypvwLdgo%I*Pul zypI{Q17R;j1X`T@GYm;H1~iO;5F@1$RhB(_cE718%4s`RMz?c{O-OEA0q9;rayZ-)^~R`NSgkGZIkx1iYO?MAJTP zL%}gb;pNhgAws!R`Z#@1$lB7|V?FC<2`2?@S?{4&G=h64T06ONmND{EC*NS*)8alM zS~)G|9QiQS&{&EG=VFXPjxm`zZ=bI@OBTT7m;c6yKq9A4DBAnU*y}5?ADs+L;_B-c zkIVGU;#|L_2K&Sr_XyhijEh{Wea$NoK9;AAe>uI>IghZ>V;6M$Fiji=9R-l_im zMA_qes{Em5pJy0V+HFg-XV;IZK41EERT-}1WACbWZ*O%>7T@p*3tkxu`gU$cP-QS| zpXKurPpoEk2x(@p|NC!wJ?7EZ+)G+=o6gJGZPLMwes1 z__4yaSimij-8&vEz9Y4GI*mn#e^-7n6K`~kaO3>GIT4Ixt8V4(dGcSIz#jJX-&Qxt zhCA)}&daaj(vJQ=O<)c=7kHSMW=#v}1N^~iaa8aKsr>|A-eI!33zA_|kDWsI%ea*a zBzYgqu1918E2OgQDd9*>!%cs_wC;(( zrR<6;11BtVQxFNR5$jss7zPHg2-Ab=0 z&9hbY4f-Ey+;Ex~?}}MrIbjbtOyi@k>?XtwVNRNKMNV-!>aBd~WkxUa)HTcqc=#Dr z1}hJmD+EOB9gr2$8dYYTKahG{Pi62qXP48XX;*jEf8ApTEM$xMx1X_-M6HzcM82I2`jL)RGC*p=3 zuuX!uyV_E(AcG@`A`NjW8dt`D!hg_%a29;%>3`;(hbaJWu{$M2XJ9gcv^r@>93X(4J-qDuyzdH@x%qj>ImFsBmieidpFF+`6h;i*HI^Why?+Its)8Zfn?J9~WSnp>h zjw;wIyXCNgppPK^1B|j6>ev;5Fx!$4wvp$mzf>y152wi0^QHWg2Gf|SAUr)sysQ+O z)j|&L#yZXVOt_=sp}2pXn_{joLBk7=;ah#DL+?~bLnAX6%dE+B8X7j#&pKWzRDDb2 
zV3S>yS0B>RBir~r==k&HQ<5Dlx(UP$p_X~cdp!GOmhQ}Ny$~xplkC~w&NEZD#EV2UavB4@mimT`MehNko4#}B$6KZ1sjedPMoYCj!Eiy&MoNXLCjNqX`ClmZlh zy!QecT$Shes`(=>@@UR<*9(XeQW7<>T45w#F>?GQV0V{?zTBM5R;V76?n7d5r?nt( zwzz5HxW%7`sCX^z^MSfCfxS)LM!6S-mCkNBwElL0HUwv4n#e}0lnQuc-VxR2kMGYq zSUr-ep8ezqF_i<$`|~U9ii{jXZ;Cu3lPmg~>E<8TY0!C{=6wf`+|9D%elC}^jDK+3 zYCULlrGtl#^vA>Q4YIJ2qjnTOZ=q@D@T*hoETiMRWvocUX9RVFh6^j<|6FP@aYtHj z?C%aIm-JrC=B4=Xok1mn5y`3lV~Gu`Jhw#axEdb|m(beCWq%ZKu} z+;9c0*&?tU1aTLF3g$uoZ^u!l@@Ag_3^*@PMox^T?mCX9vTu_qP!M5i2Ws;d%NJz? zlY`Ig*#rgMHX>Yt6-gG>JHuIR*kNb&$+VM3sS2Ci7n7nrZsx&m^Z$FugiLT|HsFnp zTBeG3b0I5Th#%>;B$&IR$A%s5*#;L2XnATM<5R|qYWy3u%B`9X6A2D^D;(PhG z{W4RcTWzb~V~xZISarMg<@7~y1xZIM$KEp9MO)W42nMBbg?>F;;LP^QgAXsFNKJ`% zL?ir3OuGan}ly_eOlD`iy)hLh;dCQcflw z5r#YA`U%ZI`@W;71{ICL(%+FJZPDqYLD(DYzl=$<3R8nLXEb@W!TE93MSDwb_}9_0 zslHd7D0*|P;T0~v3e|DYumses$oGrYk!C@qZZ2r4kmOTLShlt&uMJ0oPT=h5rV%X1 zLBk`LLxSWPInUrqm@TI05LO7TvZ?_sv z;oLvT|4(<=fO0{*p80Sdcf0d}QAIa>MrN*I-f1Ziq8iuolHZaVjj4GDhjR=+m#oZ< zeY}`50Y!SQMyc)dkx13?#&6O(25lx1Rfz>``q29^O)13}c2dg-w*?ErwUv9iR5rvR z-lioCTRll52}|sjJ)e8T)(7hE7kx&~xJ4b;F*! 
z+iQ#lVyYL3q*=zp<`9jDtgQ)=H*{X-X^H3T7r0Ac%6Db%y&H=6q3%KmmutWyTtSkY z5j1l~!7GNV*x*L#i=h2!yiEOO|7Fa75`IVzBF*TRr-!W(;Q z99hEi{jRx&Y#C+v%;PEUCj>}@(ccHqrv`FO)Z!Pfv>!XSN5}`JAoHa3> zt9o>fr=Oc&uZ)byG~=!~jmjr=u@JtlMQtk}e%6%s`_Ba0psXZ>}Pp;fjg|8Vkj=I!RrKwtQ}$8$5g=@{w@TN%nXIi(cwE;DjJ zOFATQb`>b`EQ8`EcqOPNO`|`dH<0)KsjK1+pHA&|9aMgZl5^-cY^t``B&bPnpL}I} zX5#&{&W5deI7vL_lUr zpgaQ$wzSkwTA-LYEfmrE!MQIMqH#74B_qnd$bRJG8US#%E5LkR9F1p=KLU1#$?T6Q zZ5DZc+t12f&*i<5V6DWx7jsxt?aMxP_pdDB$nuq@h-T;=b@4cVJA$ytCmGqn2q3>~ zl4BcUeuL2zU?2N-kYEWQa+_8BNj)!Mh(=On`_1q{3K#_{VCH&dWBIekYymK&JyCj> z%2uV=ysJ@h=8hg<5OCltEMoIW1x>3pl#eK?At;DLE!?z>Wql3Fk2`im#c4)Lm?`xoAP zj`MZ@`dD9Ebj_hkiD%g4=HunUvCW)G&Nk7qaa8;%LXfL+6?KeiCJ|^dyc6&>y<=y8i^IlO@Yk ziiaV$C=Knz+_icL%48ezC6~l$!bqkS*@nVg#{&6IzfIeZFE6PJ>rLnLVbNTR94^ge zSL!$p%nMX5=~=iD;j-7&!XlRg-i-6GpQ9kq-LX*`xPDQTolQT4A-bx)H*(t-$tkwU zw4oyqdooMuplbX0&nW=8lQE4qi-4&Cy(GnnJQZ0z4;cU4-%4qRAAWIH;^cpDw4q4v zXQgJ5%$sNdFRp|I0T|dL&MNwjC|oGKF|AqUJiz-TAOj-Z*Njf>aRxKd;EWa(561lz z?GENmG{kufqfjfCR$Qh^H;DGydEt98&(zEK%+=x2e1wH!$H9~BVY&`}2gzn>BxN#^ zp5f9fUWAC%bwfJBSuQF$x!1m{Vz8H|6RUf$k)b-t@qcO79}z(s79(_gPL?V-c6 zQJ>|FX#6uvpGkIv{=-SMx!C=dcS@h7tGM zi`DzAjdV$N4{3J$th#YB-_gLQRK7w6$MIaWMEd*Caj}Iw%1wR&%o0vkn$LLT6rbDc zlqq4YBFRGcIV0vbtJ3@=FWbM}q1o3_`q6OkmID%Kzrsl11@LIGM!~AN_Y|cmr-|8) zH5P}%tvOB{c81fFZRbA1H}J8OrsWD_*j0d%kE#rb8%=&KPap7Ak(&k&>mbZq<`>Gv zZsA>i1laBnw!g^KYv0+0+v;-EH|*O52-XMZ{qpe$yx{e@YRWK=2MALD8X$0T zK$Sd#5~F(C!sftVSK?s_ihuKqMbz<*J{K?JhzcNWpGzBN=6la?U855ra&IrGLNk=HP zgr3oYVW0KnaU%2UBMehVokEV??~T3!#JEV~MzeE^g_o)#u0^23T%IaPFrR7M7Y-== zHhM$HIqwtyFz0+n{49irsctp)Eb#;D2}ew9fJWzod9zXvJ|2~!2I@-PoP4^^()4SB zfh!Da{7sDJvU#dGO3(Y`yvLhlOyO)XOx4q)_9FDFGsz}-!=n&0EEztB;?*M|#-{8S z9OUwMIOuI~8t)dksvW2`Ad9oj-WDyiE8!&o{;cT)bd&ks2ftCs(cw#dA(CgCqhXE? 
z$Ib6W3WDpG5760Vzdyq&Z3<>{v;(xbeB+wgUZ&8HCqX~f7fqBWA{T`&7Sti7L!yQ- zP%7Z)cl*a29YlSqx;Ss7yiCz7w76U<5z^+bLhK*T)z7Z=morr5a^#UYHj(7G zm$xHf0`=LC$u5sRsL0ar1g#0At2iFQh?^--a=&ewa8S6rp#t#+d=+OV?2d=C!22C zoEet8XTP8Z-MCA>I0Ln8@1HAt7m-L(;YpTHb=96q4rroi(HlHL_~wM(kYIVXUhYciYfIqjjAZq zb3&}yRN4})6Lb1Xg=o&-@V5|%dv~Tb|4jjpSimgbu&`C9M?c%7*kqo%L{8y8SBXsu zGFESy&x>MZ=auBj^$HG^5;quko0)g&_49Sj?w2vi={qM)l=IMUg@IK;qw>Yi_5(&w z9SbWkBZ!|kZf@3cz#wsSHY#Kz7~N_X*u|9pV9*!lbI(_H58TUC;_&1ryn%)K>T+Ok zY=CLqZ}}MG=?U+ofum};DGj&Jo~_-MSaDk#avII>6W$Y1Y#!fh04WQ|sN9%j>Vjw; zRK5weAyeeVm*=Zae>bBIJd6b=ac;uv6nbCUCe4W8FjxVwlhViX1%c5N@FSAp`R`LUUfQ^nsP%6>=&GOle2 zG^u1&@_K!Lu;~=#U-4U|%aX&4v&|=*jm|$p+v~l`h_oN}*T#;zaM~@#k{Pc0y2eL4 zG0$@N5Q&?XO-%LAb^WoP;GLTMW76lwYHdtda`(@%8@}Ncrf%oJhV4&5gy{(ptFbj%cR?G~1g!3#IO9n5P+7F!x2P(^gec*qh^SF-*r z8};YRbO%&re-4BOqw$gp&ER0bBYW==;dLW5kdAY875}Tv1v?4_X^Xe2g>^aq= z#4oEpp2dkZ+k$mI`cv3>!Sl%x=Yk&)ol=8L`mS}fr!VCvsiO*qM41pKHySEtTIQeV z!SgcSQ4EoG*u3?(WkS%DMg%(KT_Q%h0F1(_;c{I~=582nkbdPk59k zUiJ7v3t*26Xfu=pnHWdCYH=s3*0gLzD?n-aMN^{p70?_*TEsI9=Fd64ls49Xi`j(L zrFlHk@ZOb8u~_rx=>s~+>CiM71<{Y%d30X4`&?uOB}lE#A}|%wQZcs~2~ie5&(9lG zbxiQmPn3m<%C|kjuq{@Q9&D4MAxWY>;5FEwZR1B)X#9+ehF6V4&-+3yn>gjSfk&ZB zGXrL_zNt?#9uWH!%eJOXB)TqOY{iy3n^$mUF+oYahwsk74IIvW;fmF347 z>U&o8*!&eHciG^;En;i6H;GuLGo1_cq+2GNLS#X;tV_rlb2jvdP_0?_T=}j zY!l9Hn-R?oe2fhX2tn@M@xx$n)nbCjUIt9l&VSC4TFX~FNu?7Z!N;N3P~FX=4ZBFm15ifPY|AMW#`C)4iJ)_yL}hv32NY=p8; zyO8)%1l5%^K^Rb+!0{(uth2=dGwMZ_8k{e1f{(KIEROpYAPI}kE-rM+fgJPKjTOW+ z@_zOa?W;{RA2T0@xPgOYX4!uO75}ec@{dP9s!=nm^*XFE#S^XDSzq)z;?h-K`*QGL zl~tJ`;z%6x(8c|1>g&Kj$6QlS@;-?4zKnz>W{QoNWroBJ(DXcGl@oV|hSguNnH)$* zGCB8E5WvZ4#wBN|#TlyeG?pLk5oK+uLrF9BiB167n8$cDzU~TjPETh06>Ag%`-jU2 z(sks{OMa>SEn_+>Mjax~;mLCft0QQU=0zae;B9Pj;Kc}sRND*2Vui*K@;L$ASs{mF z32y3MVR_5U>>ZgKvC|Sf<}`&=CHS5`{rQv{y__hfN7v*Z9jUv^d9T;)K+}Yy!kUo1 zkh^Tl8>`sq(TiE;WFu*zH6f%dt06GOo{lAp^?aZzgJmJ3=z$shJ`XvXwf13*YsT+Wn zN9@Lycks4kMbv>a(BYxaOkbf2W5Eo+N=|_KSNL?uXMrd|8@jGUWHBY@K}N7{w>dN) zKt&A_tP;ggFqh$i*@HDB@>^_9kCDWY=m*T 
zp|P;@xc9M^iYHK>=zDol`_2|Sz8QyULLzgE^CM3LnaaF-+ICSdg47ksq*`SXJ?hPN z=Jk!hQ#XA2hQjl<7H>a0X$m1#Z~B%Fg>*t3HJ0-w5+2C^6rp0d!bRDF_?%aORv@|qCe^wpsQg&3E)2}sjBrFS4&Ek zVK6vnnR=P{Qb~u#3#o|2#V5~w$u)9_knXZxHzeC1X#>4ti&U%8%6p4xq|1Y^AzQ(UL(W$b+78yeCQg!dZ`D}C~NAdrJvD-W#BwNpt(0P=s-j;$>O#W3(Cfz0byl?M5 z+cMsx*_|(Yani@Fes}#%4}U~$qqoAA&!Jz>8X1*4dMSiQ03%h^*25A`=`J1CEq7zf zb}fHh(&78koSSlC_&}#{Z}6bMpfSPrN_bd!$-PS|#Y%tEN1*+h9^ZKVnn%;>MP+iAR$onZnj} zo?aUgug2Ie!_$A9`ClfNndb}?fZ!3hBpY1S(UvnSXi+_4V=_Rs&mhwM(+EL%<8LEG z>o)zRYo*Q#w{Ocj9+K5a12vXZf!F!Wx^PXX| z5<=tf5SO}bAV=p*HOVZiHT_=dDbkmTWI}*v@p>q|*Y|jYu{*~WuXB8N>PYY;buZZ` zc_b@fNQL2aITXsNDv}XpGO)VM;ezmq^b zNY`0J8bI@pjhfz5Jzt1gm;L{Q|3ZBf(g3LB7#Mgu{R_dV7LYe*2@ewcSmMVC>5gfz zE;B-4;}8!C;}{dz!!G0g(QeWOA{l@YBg8!*|bm-ySvegK$1cS&@UK6$N)ZYfo zI+numc@vw0-n;eYa}O;*zr{Ey{+#Z6C#JL6M9&RCVSjXSjr~)9Wj=L0w(Ac3vf)u+(Hx{X=6+w0i!ayiwEd^Pe!V26c zQBb_Corkoz&~qAiXpy)dGyqdJzuzI*OHlFQKgTG0QO3!lKRiuh$k`r#Z@fatCd+NyxHQx407K8o6f0rQdjsjS_E~6ARwE70UC`o zt!1^5Pwql81wWDl2AY^qFP|ePExnbe=z6DNWbqRUT4zS8NG6b8XNc?**lN zIQTai>wZ726ZF&mHwApqB`0Tv-ERoyGO|ib`21>PX)>BKyHwn@m~s}*DkeiSV&}&c z_h}C7>>{`ibVe9@9wNTVE1~T*1GNbIfK+#=L7xHw%JI3mphHkI#}Pe$)KJP!aXsKQ)*4SkFCQ!F}c*QHGsWR5>Iliz}jq|)*2Ej_b7qQvHO1(3vM=#KDVLyaZyROUjI&;3#|pi9q$PI$qE%Rpq}013OWr^~pNMw7&nw((MX$B4^EOf7 z#VNA22n&%B-Z3+}2d>F1nHP?){Y{y{YXao?pHMzu+5Mt1AFeRBdSlQ1^!_9yF@D0| z<^H7Hmw#@V;Erw4&w$47Se^%DbH&yTLR_uV;isjar$KO=5bx7Y~<$vFIn2ae#ga#mE)V#OebYJo^VRvDX z*dI)8~GlY1Q!cv4(K#ki!q=_@*5>KINUmDDs458J`l4ToAX3A>lIkHgMmf z)U+eiSDS6Di%$hm7 z^)#Mke*{+l`;Gh0JKErfneND`+<%0Hi9IF~qo!6lkgN8SJ>~Tsq#B3Q*9mwZ<3lPk z0x*X@%48*xJ)L^pD_zQlHaS=Kk{3T5?bC;;m4cs8lY|Ujvg zEzET5_3dXyzRsfuZLcacgy#41JSk%hqhv%s;Ga>l<0>ZNWD6lq4y_@9c{TYRj z$Y>HP9;A#-{5)xNoz>CxA@HGFUitVGTECaJA)ovQs>|ch;byQu+}nEZgVxHZ8<3=5 zzY|F4dS{2oN)$G`ywjOHrP5IItXj~-UGWMb@ZW(0$`m3%99+e9d+Yijp4tl0AywQX z77IV_eESRzlt=?(mXimg2h6*RWUjx;DRiXpam+6KhWlu!E`R#q1^?g+5oP{=ox|h5 zWWKzTQ~e&ge0}^*X558IOiNpel*&Tdx7Q=p1Ct%0F(i?~V;8x2z<4^p3xj8uOJz1|!0C6Vkr=_xifp2nuDhZ-DXk!62BetVyChjt^Ie@)ad-L6uB 
zjVfc$03DKWJyc!7TjZOvBx&qzx^GZ9I;ii63C?^7Qj9@zl|FWQaR&7>p&l2>sEvc~ z=EKI1Gk$Tk!3F#t2nh`=p4g!?q>mur#B9(I3YJYr-}{BIo!F)jJ5Fr@#j{L)m$0ep zUg>hs1zSia@_{T{GFI5N8ItBFFUEQJ&Otj-e#PZyG;ZY(DHi4tJZsx7NvD0PbD*f* zUy@*wWJm0%_l#FkT$azX^>hN_IEy2S>qQ@Xrz`h~5^E$NvXu&( zCa9DrU+%kzI3ygnromBIkZ|G4`P-~6b*OFxC+2j5*Js1D<_Te*m3nH=iy|uZ!gMg& zK(wTDGc=qU_d2qrmS?|tUZXsIvb)Dma7pvN>LdbPbx5har{#Vrp+}&1h*-8+Lm(ce z#x&A1WKsUoqYdGQL!Mj3%C@R;H=v$W6>JDeyW8A#Vsfm~+x+cQfpq;5g}l6~v~F8~LRMrb!e+7t0eIa;)O!qZ{n5poY! z-^cqtpJxfhhk2gRPa&eeQIu~%%;QnAB|t5=Vx?+Zs->B1yiPs>Xt1P#xK{n=9u8rl z&WTtE(wQ*^uvDnrz^donk+i?wk(==g8tRNU*A`f0M{8ReA(JD&Hyeb^4s_UU?jvk; zhb9k2)ZLY2FFTArs0EYI>;2H%ZieoB)`aI7;{29f7dY=_=vNe1-Yjjfsjz-D)5Aq= z3@eLunNmr!#sJd^t@5;h|1pI_&KZmI{ZT_TCaGSa37rzhmB-7#Z1Q7?i$a|7`q)c* zP!im{HqB#t!ofCPwot5hyAtI|ATCpA< z$@b=Yb7ITqz0%dS5^HR1T-4J&+T@95POSq;p?Lu5_M0uO`zHLpJjj9jK>a2Yhvl(H zf2waS4v}s3Q**`TC>%UY_|u*im2~-in1pZK$}#@sDEZ6Bg5C#`xmtkK=sQ!{YSjJ( zb^G$wl8$dP4_$h-4jf*azTBYDO0-?LtI9Ciej(fH<)>Ffwv|9@G7Ii+F52NXVcX|^ zA12)k4y;~x8Ly_)2uvdB+3yb_XymztxqpwQN6Y0^EPfwP%P0vafrA8@;=D+T@zwqE z@6>RwAtz6AbyahO)j&#JqOk{lH6gi@FxKm&2Hu76hkb=gcUJIgk0GZNrPz6Qomb#n z>VM;YYPmMM<*3wcCa{zNa>v{R@c`Bl=SZsnlQDTDFb`DG(3?_-R=0e|!=7FDq7ep) zY6i%MAGUH3J5A*!10IVvS@dTckC_2jEws&clmQVwPe82)28mjyeLAuohYBZtuL}Fj zWkh!`o`Q6f`46L^sP*m#t-fxC-f5Wc_@Fi&3Er-vlX)x-78DYmBTVP@Tsa8H#Bb@_ zN1!+X9x|T%v+`ixmd%`)SViB+ru);A<=RRv=!e?*DfH<*xKI5S2>yY?GlL(Mr#O|x z*ceL)QVu9Z{D;1%demQWaDB8*=|p-fT`oIksix|22w=Ml9CxDdaGkOvs{2*bHRSEI zlgyqJZSz_o#4bOC`tJd9<+;I<5-Zi)x${qo&iIDr-h7H-VbkH(EpEO)@|65msffx7 zBjcJ;B8$2+Isf6%Z*GkXr{32A{3#scx~g3yccMo-H|Ef(9wfh`(FrKLfjp}?juRXf z$<)2Ix$_ox0lEX)px`N+Ht6;P z-G09W>xIF3(RXNwU9K484pj_(b-?EM?vu_ZtgvQQ@xry8P0NL(J5RuPp&6zo%DP@F zuA}2^6D5V-Vd#jr?!XK%%x~}A8 zmyROjY~yO+_i*(J2m%!vB)1M`A`+vNkkILnC*UwVR1q$wp5*sfnRXiTTV>e4lIg;0 zm(?aeAO4y>HPm~_Pwv)0ULElWJ;xJ}F5e3Itb3F${xWR~Rp`U{@|o>r@b}M*EW<3e3h)TJUPIub0Pg)=! 
zh{&^z;D1)j(|A_$zYJiB{+@IR9<=%sQr?{JPtG#a-)tirgbX~UG@N=5{E_@^t8OSnHIH*WNj#E9hvpxOXfWOwENH>aQ36_47Ur zJ>d&~=H$dSHtuCt$vhhpd~4J=xF~n+n1(kwE%tO1q^o70i)NKQ=)pew4&lOZNEYh3 z;NOVrZ1Z#dCwT=wk**7x=fPO&^QDO80?*sXWZc*RRWqEY{kM#1$heUtS;e>gkcNWQ zlX>em!$>A{^w-D7Y8oCM@ND7r+;>*;1Su+>c$XoF?)*K9_9zD?i=%8v4X0-6iLc%a zu408gHnERK{U$)WpqxWf<0$HJjM`V(H65Do__bx^`Nd5#Kxo*bxhSrY1{YMzIY>E^ zXFGD6&iuXC!r>O{F9N|ARv~bCU?yn&0siM3(nf^tZD@gchq#_8^7zKlhNN2!Z)^XG z8)G!?Gy)Lzuh=KVb97!78+!QJMGeU0VZn26Hk=wi>3h3yax=8k5(A#K5Gs zAXX?_$k5gKMcu;>oxj4I4jna4M|-5&PFP(97&%`*h17G&UlUU=Q3Pacrd1n8UFz5QzDIi<;abzy}T_5oQuiLkH zh4R$Ka|gadQm|q{YmRXdeCr)PwdGgN`$VsMVqOAwe z;3|~4DW*#9rL7eQMFg?h(8>xDxf2()j5sAvO&>aqL!@U&z*5`In#*t%hXyMUo$7r` z!fXyezNBug9FZ({pEi9$CddH>(-j0rkRH8OvA%T8EX$UwlT1tSRa+M-&jTmu5*T1# zApu$&TB!%Tmv~G*AFrkh0vf!3Dez?AFkKep|l zR6x_$^6R^@>EUYk_>=i2)v2UDpN)=6h`sW*F={m5j?a1eL#@xc9KKFHlL(?UnhKYO zdLYZ+ZVXwsjd8lkXPi%xnv$qYL^oMCI%%ir)`ZABNfiERum8`AmO=aB?YF{)(7pOO zeMr&-3Mw7Kj?FR9`QW90W^%>mG$C6(62V^v?RImU1U<~THxo5t>o%1EhO<6&fi$#5 zcniy!O76Krw#{sHB$e%Jx&~*(e9{V;iaIQunIFlmXj0z^K^Yj>W^;uP5cWV2%>7=& z+)vG*Ey&DH`KFV=A*HPQdw7(S;Fv~kltLeCf_PCTQV3Lh_D{vYRpgum3)H!X zsbs1xD$k0NemZyDlp20FDHVZmkY?L|KROhKr3S7cN33{R%Z;ra&wwT*fsyO#!8<2O zQ-*w(xDUpJr{v4S=V^x3 zRsC>%U@uc~$XSR!MjO=-AZvPmx+;`g7bgffX0cW8Ze~pP7o;fO0n74c&)rxaft1pl zK!HZnDq)aY9{ykQPG1Wk(#Q{9_Nr3B%m7$4TyC`laCdSH(cdnc^R+j>$}<1A4YL({ zTkDWpcCLIbRC*L)G_TI)*6)YmP3rkREw`Jd*8P-v5iv;BJ9WS}2HUHE&SmbdbbeG3 zMaf@VOMDTDZdxNuPcjZ;$y6~4JDDkIVWdww$=pk9#Q|fys<-C)$?P*dQ9L)XzKI(C zbr`S5e;H6`)*6{l_*w*R2$Aq$6}#Na`Yg$oTeB>n%fW$!oWT}>Y(|O>^gM-%_t*j59G+1wzfi(T7rKss~$+#f@xcB zHzUQGL$o^2SrCoW_SWzoKQt8O=M@3+&CE$K_Kcp>h5G>K!fB3Xm4Pp`^b-QI9f+<| zDn$6-J3apCZGukfawUH{<}W)Zy-6ewwRV6dy0CSAz?PfBiXk6or(G{8;T`BW$`PKp zxdvU5<@RID>QNp1USccfNb{5x86%Q&vpww(E5@w?nm$Nr)n*3bD(qQnMbSgNG#rn6 zVXV8yeXt#r>I1HR&fCygk!y7(mB$DFB-etXNBn^D2Kk+fb4)d?2@vZUL~czg@uk#E z;T`MorN0KyPcVQAd)OWs2|pL(@yiL27P5nCX%ok{_sc)o*#C(qw*DJWOu4eTlU}9p zEO5`-6X*=^njZQ^=`bjXIl~sO5Gy={v|Oz6`6ei*k-B<4ePRhI?LBlF(KrYS_vW!- 
z{dHJ88X}xqp$+-dJnEfM?Ex@^$K7}F@nR!QP*x%T#C7z*hhysax>DYkxuUX{0kF3P zP9Y`h_}MuaWlHK;+1bSFj)b}d$0cr<`wXSRb2cwSeay=Ykz91g^Ki3~iYX^Q9ZR^@ zgJ{4(J3&`baQUE0shf@H1<1s2?B^AIy#i}eI+?W0l;emuT{B{6t!7LmIB{N&C^gvo zvBMV|Y2Byf3E8Y-WIJbWs!!G3#E;k>({iL!x&5MJf}4J#7+gCZBZt(CYy=+=eNlR< z)CWb$W+Qdp3>zcP6Qj?z&*7VRJ247T(*b8R&yacBXeKXUOAmv2PJ46p$PxW}z$O}?E9f>*rX?lIwdT|6Vr*Jz0T)SyBQnHpK#u3%*SUYF~Y67ifmoL~B)$ z+0r&6LSSz_o9^@nJ4m?a;H87NWH!ZyeNRz@`as3o6~+61%}rsa$aHkXI$j}lJr5` zte=6D*PPT-&WpNBY!DhxjgEO!G^wWr$}y}-QvPOUG%UO;2hKhs%|~-; zexN9$y!J@C65^>Rf7NzkMp#Ri+!NyqID9nY{dev6U0pf zgEjFHrYUzFdh9t*%G=70>4+^0WcFO@Ho6`w^qExg=@AahxxbF~)a9<;2=)9ezu7+! zqojNKKGl-4zm5v8bv%aAR~AI(cMfsj&^vJKy^u_t zmvB3FK=`Fy~GsF>3u8Z{DC)eE?%uF$>e^R)MYOT#sI44R@@qCZNw2t z$imkNEL8N-3#4?;Po=+p|z% za|I~hMG?$iY~>a~SW^0?NQ>2R zB2H9UO!DmHMU~rzY?H6+srmCA`ze!WmPbp7- zm0gu`?-j__1mJq$t~M5lX2QEa4}n-Tz@dVk4lZg3E%%ty-QQd z+Jyhvz(f8^v_%mrx>5M};@5b2No$iXO;g)cF0&=o6-(<|N(NJI4a!)@+V2gj^b|s` z?^dq#*osVYESK$=iEL@FIy$pic1t8bEA4Y;rPH@lS?@{_ju_f&bEO}r`!InXvTffv zDAX*q_R!xh=niz6jKuD3n>kS3XmXo1W@%!sQ+sW%yAakwi+`Q9CEyhNd_Lvz!gFS) zL{oNrOg0J0G;;?iEVP{-1RC5B>CDsuXj6kfBcg=rxKnQPTGd+RXJ;Yvo4uS1*WR|- zA0Z$hsFZeJ7_9bNxo;YKKshp-<-?4>+goQV_&c5>D~|7FOsY%dHCBd3^T%KAWf3i3 zTDa>^NHF!nm^n4(lgXgG^cw3S${)%%ny$@c@_lPi)kqzYQW_ANFCCL3lI!}OU>X@& zwVd3K)v%n(n70M3*-BzRcI;V-c9&GGWMwimcT@?%gjxrJ?pVrZq;a``P~tyj+oVB7)lOt+=RS_;cJBsU%)+I@>mE6~8#wip+llnWeDYL`n8uBE_+l~f z_ZfNScF1v>P#r9Xp_Q?kL1tzUA}RA%EHu*$_cnX`w?^6>+?Eqr@TOjyH6+5pLqvpB{9jp4a^28)8^?rld#U0-#!&Y^6dZcLLBvUQo;Kgv*afm=P+vMWliz z3N;N;?F=Q3WrFzg{!SMm+}sq{;>ZA$-709v1jWa7tM#-5ovzYE9klZJbHnY?C)&Xm zG2?pRCmInP-nhxHWeVC{K~pz(e`7JuISVxcfm;?UiEL<_^)A;hp(M+GlX6Q~*S`2#JcZ zF{?qi1oTfCqVTWFZ?AZFDv7v?8tWwyXTn`5;i$La$91!R<@|XMCH}sP z_AjU)Ih`J#oGYqen>~lsaSF%6~X-%K^G({&y%%7c#2{sKV|5}~$1!`*go7PAd`?cNamK1gv#a$3(wy;+#U-h8ug0&2o< zz+sC1eVDe-;;YqT(eB?VH7z2EXH(^TSmwDURCY;`~oj%5Bn!UOj zcBy(WEiqcT`QRQdlMFo**&e|X_@UgeiHae(TnNtinG5TrnIckQsn(M@-fl#Lf0dMS z-D>D_J9tfPG=33=~tM*CMw}%jh!tbX0_8bSEBAM`Jx|&kJy;Zgm)A;L@6pOp` 
zRbVZtOA*WDjqk({pVC^nbMMD%k+s458}pDw#q*vW($*AsV^k}tVh)Xb`(2y1$>^rz=qEVJz zKNHUX$}XG0B@;3mq~4Yd+LkeiQJHMJL zEq*!4-tx(F;u7=K3mB`kiP2pdGRl_r0A)$sDa)d6%_ibr^IQ=9b{8aBtX`me-(J&>5hD8~Rbbw^dyacHS>L zX=37n^QFeC!WJhk3sLHLzCLZ85;O4*4xsQ5Q#VHsWFcae!>@e2U)Wysslt@qPEr0t zT<;$*kM!@?2YaMw9Lo&9kZ0+S$7lZmLSCii8`fVZGpO{py|%P(*tD0L3HQbeV`g18 znhYI8wi^0CeP0K#NAE}at2!7J*Pos&6!5t!Z*}8$*2!B9BJSLV54y$FaB)?dH)dzn?Aev-4SYXA z+^A?7)U5L`qLalijM!W;0qA<GtsfV#QLXqV)30VC{)KGPNCzCDKBGv9&R zN2wnETVg1`FCwj8x1l$x>8ny@1CStL7-d>;XIw&30s0jTbQa*fjm22@r-)g-y+lcD z*^NCBTa{^g9Uq=dMFy3t)|n=DoxhJy!GPn#vK{5O#Er+VrND`K6J)=LZGla*Yu&<% zKWHEof8+Oj{I5UrbrsRhxsBVc75I#{u0@z_iV1BpWi!M-kM%ZA{UsG!DUH)qRCj9g zXT~l)rE+0Ka)Ojv!?TFr0_e&bZLPaT({(&qyS(z*@RVB+vrFQZicX5DeDws*3i-}V zrp=E{#f#}IAk*Gw=S!A7n*+U7Ck(bn>7JFm8|UhuaYmnsU>;3$)+)b}(0l8KM&>w# z-hZBFoQ_e>bNf&MkNATDixiWl1XuT}HQBYzIx=jb>|%3E8r1xlr$hGv9sx@`pRk*2mu#LpLx z-km{c=7@qTX}@HZj(!DOOo8di@w5#YMcokV;&Q0_E?{_tW(*^KmwI&u=4PvH{*;u{ z8S%1;(w3h&=4lui@0H%>*L~?KG#3qnGba|t*?t8@rvr>!xErRJU+%wEcerxWNwv`Qay=goAD3cmt*Q0{Z@Ep#cYB#_iEE4#cirz;|WYUQi_pokw;Y zWT}|FE%dd@5u^?IE<*)6aApcfIs#4#u1*ubm08p1YF_qJaygw@*df<1L@y*@4*5t# z^JNk`K?b^OQp=*OLII8U43nPqOu2Sae04H^G2c5?rRd^1w6)n}xI5azYz#vMz9-0O ze>5T2AO7>*No|^0^1Tf+ZuthX6=@P|M*T6Dw2s+EmKvrvKDKMA5j&9>by6Zh?3Bo6 zdr;lr*VSUIL&EqTyA^}ZDquEE#A%34qQ4b})ExI6E8{Gpv^*KSsMF^h;@C_`eIJ3h zcB3;;>rRO*k$#uUa?7JCzG&AUi7Y$jJwMeX6@}nlc)*`3Inz61evUoJRJ0sgE$eSp zEkyh0if!+%1O9&vD#8ajCtA5&tB) zR&2lxW4|*>SDor|Cx4f|mo*ESq@%Os`0gPsnt{VFEey?bTcsGS!!bE&>^~6a%eKR} zD#Jo^mEt!5!P#m?qSDYZvS?))K5dJmDjEg)yrXJwsDzf=j$JXr<}$x2=&RKH(1yX6 z@9l0e?&V;%P6deNbWOzn-i4&C|NZCAo7R$z!dg4IQ7125YLy9a>S9YGDR>;~XFL^C zYxK3rpex<)#~91rWBxI<5N4x9lB_9Vzj^P+%gRjn&1JYzg`>UY_#7SAte1aABe!C| z!l0AP3udXrr3T?|=Q`@`AlhIU%l~lb{wdKa^{PW}x@7|SP%il&PUzlM z)QPq()-DC1ryhpucpDW;5foKye`!f{9UC!2=^47(Qz2|CK$ZlokG?q>~^t& zr#ajNsOZ8Wmd&{i~p=py#&e~0HPYLO3EtBLD_oTMVC}DbL_4k%U z_QI?)q?C2kYZb$9@Jz`Q?AFy^uTXmA+g~|6S8~Z^0E(;G{kA|AH?FLm7%lwSbOD$O+_xIs{y(<2? 
zLUi}KH0?H$4$V(eelVTfh%HbF5>9cBeQrFpR60)?z=rI^;5#Oqd^Ue|s>%cP99$MZ$?R_xS8i$FYbLEx&omeWOW=_(z-l=L$D=JJ-LK z7j9Tyd;mC^nRxWP>7_2=l-bu$$B78q^tbe`)bHHU&+F~pRk-oE0fJ=cs&-d$Dm+E} zk45{VFG%olJ1QNFxn^&<4%5L)jJD8PSu5r6M$4lwgj^xS&n%tm(&VQSsJpj{6fIx+^GT$A zQXp~$o~awYAcs#}{D?|GcWQpAf+FnlUxWED*_?LS8XP`y$#q)3z=xAk*k94cDG>DA z7cz?nER}i(InX?^_y+@xcw&+lrq249p-N45J1)+SXQ>Xc%BMD2HP5$BOp$G-VPkqJ zrr=WeYaErbX8zZoD|Mm+tS%d`J%8CqEu3K=@HN`LM>}QO(*oVOge-atJ2@IO5zLzj zPWDO?jTQ5^-_7VRkb@cMPS5M4sO&R422|Zwzda$!f3`Zc>&a}X_IgLwPDG|m_kN{) zF*jb^9+-Z#+ZM%;ZhIvw{!3PGw`&^AQ^H6yOyF5!7+TBM;-B@TK9%Q7b>`Et@L2+} z`o(D4FByV9%;JgTFoY_V-*oJ~dn zrQaiBd&ig^y#!`0@5CVCYwwocEVwv*lP=JHwJeBfo&{IQ2%=EPJnIE~Fh7!Ys~r{r zcvzU%io^&996`f;)3f*sv?QHKsaW9f5zu;+&aQO1B>Aui_20rv7i)jwpGP8@`!nS% zy*jYEfXl1C;!XULbQ*Qn_T#B%UPvHEe^|&G2!S8qF}+?eTJ~p&_?VWcQliY4;0+P6 zlIggpTufY{Xi4807J>OD9eC4HqVro^y3d))^Oh~D1re5|kStS>BH&!;?gp=ospktc zV>mJMbY+_5L^(8y71TKmnhaII27G0h47LV(P1mB)G!gTU9#bW@&yL3KE~nJXab|@N6{zrOXwVFTU_83A zsweGP?-b$HuR9EQOW0j^I5GhexrgU3eBFD{2VE}g*vsXejXpeYPr;~yz;UBW= zd;kJvQ_uU?QJISfxbP0pkyhf%)9fE1mdav0JQekL34h;>FGEtv7a}4&3*KI)oKm?F zaqAHUhAImgOt|hl%CF)q?=G4TTSgB9qHHp_{7K2}@@oX+s44w89}CgV-Uyi2zuV3l z4{xV)O(*U-+E=!~(ZVp@2f4>V=tk3DkHCMJDeWtY&1as+J`l0JaMP{yOOl7vG65~# zd}x;NB5p&QPx%)9!q9zKR;O#PS?YD{Pz|ZIUsOhR?0hLU`88SLl{6(2suxI6Vt!P@ zySEpHtU7jH6!qwEMr+HhX})v5R32*sof4Xl^6m|UwxY^hw} z9?)HfxiAd#{opfqIOu=?jABdVt@Kc6E$R)j{0NYo~LB%==6nBho6L= z7XEmNMkZT@;@7B(E*Cq{QeOc;OYDl}l!|c>@yzy```)8cWJ-h8O6iJb=PO($daT2F zcc|7|JP<_?U9ufHV1RESoOzR3VhE`O= zcgSt}OnhV-W9*uRn?l=0;TlJ;wS5_8el=r|c)Z*vIhQ5d4x60snAR1nbzVt{CMV47 z4+=&_m*F?a^?xxo40A=UYnu%7lSe)T-DhUNU#}Ez^k7z9gez!p=SyZAg%s@Y&Sw&< zi!2jVv&yRz7)qB#UjZqY7jm@?zDtq#fGm@D&dio>9hE2WaaqLa*2VpA7v12$7N)5s zkr9~Hl=wNz=MP(GW}F_fRq2doPD&&hO=X{fso&O&tCz@p7e=JPg+gPcU34XCijKa%*%ydX83!U--SE&N<&$iJTSOYm5yc=|*df!!>W; zBauX$IKG!A{{k5z@?Jg#bzCq;G;MmStkv~iA7H?B8n^V3ciu9|38cLR6N!=UzMs`z z3PDw*|hSV zTqfp!!lhTrgZRa6gG8p4xZj+$U5w>pV0$Zn!k=OHn=Bow?Donah@0SdE^Pvd)0cI{n+48_ 
z75HOw>L%t&-hcV(H@9WWf=jQZhN`xi{-SsmWn2Ff?1=zJE39lnx3bQ^w-tBMJNlzh zfpD7jvB1QQ{^Gb%zyT)cgVQ#eb70o_m1HCAAX?Kz!`=eAmGn4uyy_G}=8+V)-E*|c zD(C^frd6BuGuh-d3$xxv)?C9b0SkeO?=P7?+FG{EH#pVp7$3CU1vZW|JzlF zfz*R3OGy@hpuAy|(S;G0p3Ogx6t^Y=;xI2*Y9i>TpFA+0L+Wfg)pIaA|B%Nx0+%d1 z1K@J!Nla#qibkd4lH{D+E!vEEVM_s7z@A9|_&oJU|?q4Q>t$Hp{ERr1^ zD24O1G4K=bKkgC-BC}!CL#cJXmPIYhx*8DCN}s%ZX;W*&%m=iMcFZU9+ zqpwRr?N3=m40uirhBN@F8p3&61_xz-_Z}tH?OBN$gKovO(@F07PYrxDn8j zlsaJmZfSya!l0e{CKksOFIYbqy;j3_QJvb zg^s|v37^}=+jo0qh0>{Y{!FrVKvCkHm$VN?zLpyg{_7I(^IxKMZyxtZ^y$>Z;KO~0;`Uehm^YIVQi4Sd~vH8~gb9F&|Qm zggUN|LfFqCsVr{LxfcdHb-8h(_E0+9k#6IK*LE8B0TDy73X0&xb;kUAwPY~W+hQ>} zdLuq{=8x|K&(3a!L!Eh!GjH??bfC(i-EkEUGXSHcuN);(*FS%zR|w*(3X`Y-6X~#< z6FCtN9^5~)4eNqgJP4LpQ|;s(%6>&Riidpe%UkH!1N*CxXqpuhoE%E$dRC!BLUEBT zsH(Fs79G>4<3N6X8KrKhwEK1ySB(vMhL6hXc!L+O(kjy0V1fM8SeMoAWUF0)V!!-* zKW6*cF-{q|-5l++uD8jLdYa9yZ|yHxvSjVn3rMBeOR0{n;S6F+ro;o+1+;#bs%Oj0 zw>O;~Z}iEuXq%CgM|xC|>nbq?@k~_WNt>FKs+}7EH(iZYta-5O0AEqOstmtf_lEwk zSc%OJ|B~JbR4(>@nOb8R5OMo&>77{ImA{8VOb4Ho2tDIUY-1rA}lydeuMH7tMfF|4Apq(S&Dig&%ZC;t<-Quz~%P?Qu7c`E}w0;f$ z`bcZPC;p3YFQlsvkOWw!xqOIR>FI2Cm-s2>{F<<@rhZ|ZnE~*SLt{VdnvF8}c0(0- zAWb7&I%G0I?$sGkz2c=8y+Ox9KjFyb01TFsuuJ3eoxn-k!#o~+m0I@8w}-40WZge! 
zWZF7|Mk&yUMt`v6Arm0IY;$$zvhgXUg8oF`a$W|xu9i=|1k&B)XnKKd2EFvq_J9|6 zt~M|M*=bsT00oqjeA!i*@R+$E%gO+7uP~3y{8o{n7R5VBlPG$Ajz1wku?Cftod%5C=OI}l=HRFJsG4JR^F={y0YP3lE{sh?S)5 z@e_Td;55lKwQD|Pwj=6=zHxa}1h7b#)L2XYTDQ({Tl{;(`%7;njws2dp!si*=)m5W6uosWf^Q8@lYGl8>p;q}=y8<3B?x}&EOVoG3iQ450$T5r% zhA!(otC&Twc?LYVBj3L|sy%Uuce=z0>qx8rRRhRU<}4 z{AqSSp=(^pzdD1KeYCi_50#iKP6Q*vH&ZkOacQVv_>7TSY_|0!)a;_VJVQsc$tT5?*5>bexA$11)S1F?^W#X-Y zwBa4;NU8%s_!lI?|Ev=4O0Kze8d|-V@drV{UCX{4>;eev7RjTFX74ozs|e#-=3=E_ z`))I8o8f`vU(XfGA#r06|9`(aet<;y1D+eR>Swg@UHYHDC9_*TjMR0RQT9uLbZ9jW zX+FE}j~#De6R3-Y%{@@f7MQD}u`d#8SB?FJvR7CCqP7fY-(P}6!SrMp)zK)gm(7#{ z0t)B_z!e*+%oJk&4N6uC(lt%`mjfODx7^S4PQGKf%a3SER0Xgr_T{Q{~|jb5v8 zfc2@x@Bh^K-rEw5)oSnX3#d67SfdnR2q>$D;PN;cOl}PJ^RC^mOO~jW@s{hBYJIVw zh_DE5gKTMpmMYCvJ($*1uWFN;%Q8h25C%sa{tl&*rO@(bkecN63mZPWekb4Nn>GCo zqPjld2%)Q4rYiarwFJP@c@#kI`Zap=D#y$RMJ(dBRaC- zP|g5d7Y;zPXVQphBj$IC3>^|1pq4G@QfbOSswA4TQsgr7Xc-}Z%wzVw8t#bd3tH9?z@gk%tB`^g z!3wuw)lRFGwUu8`bzy;;)tWVfe|2@+ibTj9*pT-cK)wB2bytdJt$7?0Jyc$*CSXVq zq+#~;n{CxKeB*3|(;9CJ@*U{9j5mSm+{owDx$ZRv$Qz1lugzS2%YD>~M5_*RssPtv zBGwF*cpeazrk&Dud`EQrF79i+|E^X;Qzo;@XS)vFKmL!@9R^zizz!7(iK`@=Df_gh zoRZUvq$g=jFA7d~>{h@s0YG_LcJS^pF1cE3zRzz!i}_Lzvid1`Z_wSpG*>!eA1UOB zDSp(rf)(i?AT^Gce|zLZm+h}_VIZ%Uu=r{k9IK?fE-SHySCjRSxDuYU3cmf?4buj|I7 zk8vJ3sHtA3^fllKy_ND!4Ne zeYUb7Ey-FowMZ99xz%RYZnde+!DsHS z(u+w|P)~*OVz@vntIKmlLB&=fUI3x62=aU*8_vh|Is9yT@7uG$oh{27 z8|1A_S~&C)(@SwA;HOuI>@rFvV>T2a#U7F=rUvT-zl_dHgaaZ#R$DS^Q}`X1PZhO- zQ+Zx3DEY!b?G!+D2ho;A*@9a@nDH#MAxizZC?Lcy7xEGn4hn%{aijY2r*1(m_!&m_ z>Zm+(VY6IP3+bP$3cwe9EAHOEQmCDBym4Lnf+>aJzX*YwPf92ZqyuEsu~-)jg|Im6pce9B@(OgJE&Kqs#?oQP>U{L$gyev?jP z*RP@z3-117JeY-Xecv@}K(FG+13BKH+!T3&vx#Nj6na2v{}Wg^%T6vr9acam!hpjR zl-D=PDXD+%lZab26c&9$5jVHe0u<}5**3u@b>-1i!@Q&r(-8MQplHjs$AH*#s#m!n zuB5=s!ghEf zf7~^9*2Qx)7txzbTevW5A6F;%j`p!a>&V^|&KJtoSmi4X$3Y7YvCr*a*OjW5%A4{Y zd+v1%)d?1dq_uuTXp+>6f}gRoyhM~Z(OK+Y-1RV`M_)*~tw)0}IR1O~QKJz&Q|w<{ zlOQrWI3jN^9hw*VLFOs>IfxYkUBlDR3d=a3_xDefrrx)N!uzc02E6lgMCYDNC-57Y 
zepN{!Pmhndu;@+L(Dd3k#d|DybLZ&dEzmt*l}M3mI)c}zv^J!9m3 z-LUJw*qhh!@z2jOGatm!=ojC6m@>0p(W|({pu~tK!MQ4mzkCTYj!@k5beoX*#D^l3X^_{pCqvu)q!4~ZI3^B`BOatgm zTY~lc{`|Ajsf~i)H`gd+xr#akcA(OsjFZ=Oeo`r}ro68bBm?a|iSN6du=iRWM2m0( zpcnlwG1FH>3(qUzR3JiObLp~yY+~zfEdyWKz(3k}{wMSBj`?+Ok!KA2Yl#)LiFHC)qk&pczjz1~3NcpB zSaJxvfgL_6*8;Vz@sqkZFf^bMCDotnP9*O8cX~f&NIfVjnucYi>!oqqEmShL_Y59C1Fs_4V zFfSg72JO4EnU$!?E`G~G@uK2tgWx^-eJfvKu+DXyBQW@Nic14yhQsMLA!&6O+={=r zPz{-pL06DBO|ZY$kRDU-3!}{9INEvf%clF`u#44-FTCV+@It37cUoubz;#5XbDZ93 zPO)GhQQi&EwlB`vxng*SgcV*ihnfikVHdwww`#iPZ$==ER$opK8Vp2Le__M|Bb_@9 zvF!lO5hA~WZjv8Xq7#)d6ZuCRL@>2_OFMVt^x>WQAX!yaT!tMp4P|8?=&3=1cirsDZoOPEtghv0kp#07WE3(oJ}+`kfUc^ zrD=2sS2959jA&K6os@j?z>P{qrFg81pH?w|4HuMT=prP&O;)Yl4MLl90TVV?-S8dg zBjKb8LVw7s;8aq@B{PE_4-q)TLw!9_riK0Mz~QE+0-C8)3l;?5-3oyLY%Lg z-xc2)1jk=?f`cV>>KLS7lBM7bF7>rXiQYq=bdq2E8NUHwDDocBN<)LvmiTTixaVK} z;kn=jYD%aH+Y4cnDAMtub3Z8gtd!C+HrGFL%f{mAP(U?%C*?qxee~Ww_T=j5oKgCd zyftIfVB(mGEy-`StGpK&D34AiUbzLjL-Q*g?_E8AzAliCxG2>LgDloRM{B3gbRG<% z2v#Op>23o+3&xq7kZSdCLH&Z+%s)+BHe<3ZDP!boEaNT>p27qCLxmC*k{6$xlKm&OAK{R3cv%1 zQ|U;0wg2n6`KezHW)>~yMQR&Z20NM7iqjswqa7BG&My5Qo>j2d1OH6kma9dt|K4b^agaq7II&1%e1q1si|qba>&mMY%05os3~FIl$$TV)>tG;I_hj&=DiwV z)ZVb%>$e-%RMS$eE@eNs_guGgXJi9t#@QjXciKOnwopJNurf=d3Ngztmzp|TxuXc; z`T5qZIkIBeDpUhsxr05Ar&DPbHtq+H*q66#Tz`nAgK9TM`Q92RO_qHu-pr=@JR7tPIs&j-^uA!X-N4a3H)l~4P_j*{{0 z2s_%reX?rlS4l{p8+(Vu%Ue$CCu1nde#|dc>4~eA4_`$KKA`V`sQ$}->PU~19rIMc zVay^TG|x6qc7MCLV82`XbUEB<2W11P&->CFPnq|+6@nfQ93-dlcu%`JcX|jnbbWs5 zX*T{jIPl71`WOdoL2X35xm-7A-Fq!w`^S!wCCR?DY9Nqs=+putJgBH+e- z;F$A5!)lp9!S@*0Q`lC3t<5_box~YKIfS_dKVH5llNY~cWfHgMuit4LAvzyI~Yp9=yYPLH9NDc)y(q zZVdY5O0Ll)`b~w~OIyI8woNu^=d&&yiZ=8e_skY*JUvXA0%sO~b69gL-G5<({N_b) z$$6Bco-Lhu>=u#rWN_4zJd*bC)W}igfY!9tpB?wei*adR%x4{FE2ojm58Lpf%YkU! 
z`5}yk*La&*##I<3jygt zq8X3ZT!K4_9+;q`d5?|+YHn%C%_iPPH!D2-QA z_FAR2j7Xn<;z6}E5B}gKs19RL2&!?-Bt;iP3fNZ5&zP2$^SbBy?dS&VZ18hbf}RE4kWiYgQ=tf%)C4 zPWY}i4$k{gw982BXpr#EXl@m&!g53j{8i;P7kj$be9bhL;gI+*z z$hf_EE9is0h;11JEr=QXK@DoM$_wfjeCL0ETmJSSU^_b28;6BQwAgTRscAb(DnD@Q z%^Y&bccTZ-9^j00Xqe7w=yBP+&17Q`f9*bv^3{OUl$O8F&iN5AZhM3ep;aGYVk)i) zC_9WH2pPEnn@%YiyyHWjt9FXsQWrTFWanx@@ zB!>woKliRUFRg6Iy%=5ZbX!v(n-!M9VtA3^V{PU&CK31F_I6-G~0LTRBI~ z+m=9z)dv;()K|8r>XyfrHyOAG1^ZZL?(DuAPB!0F##XAMPe4P*>;gc-70Jfn)Q1IN zNWdg<4d>v?W?suW3qpsPhfW??eRS*FU>~&J>i#`h8gXZrKYgG!LgcWtvK_RtJ0Uf1 z52zHRzM9$4kFKVW;B7uAX#y#t6cQ~^UrJhUtG3IDpFUHzXW8HH{ymH{n+7|UzWfp8 zs6bBtjXkJkf1iSd$@a$SmH^P}szVAOFtssOLL4o+5`NyTxtCO5@ks7Ianfi3t)~lV z&a1A=dm&Q&TK5ce<|qAJKKgJy)V-s+RA=-o``z|6epf5@e<2u{q9}Z@$N9kWH^51x z&;cjc)-I5#Ga(22Jl#*qJZ$JZ`_%!l-w&D0{*U{1L!9ix>cYy(z3dwxa}@mdl4&3= zfb>23ceWd6s)b7{Z5})3P7=0nw#jlirlVzHa2#RV_5lj z06eHt{}te2^-q8sq=Zy3m<6XzCvZUdad8{cpU!YlWNWkzuYP`ms>x2i-ks_^aw20T zQe6FndRRzh+d^*a*hL_!juBb;d-J0=S48v3{4d}T3I*s;n^_o&0Oi~WnV^UdF;)yg zYf3i6T2Wtk$g2jr9EDUY;1AXw&ud>!;gtkU_k#BL<&SGwD~DYfbpe}vQ@P)#VmbW# zx~{^Ad|(1rK6yd82tu#D`~(OPOn;`Fzu{@kd&Sm4mP6Sc4o+BE2!cX|0~m9D16CoY zG{8Ou2kfd&tGP^b&n%csEKQtQ?+jJom#-A%F>ud#pU=JMDOzx4DbG7lu9)V#s^5!z z>{!yBJ=-haQu4P=eHCpmbEN0$%cvf}P1AI3aXCRd&jJ$v%fF%3phUbiQ?hSv>?jFn zf$af}_$#0Ctx;MYh`Sh`@)pYz+I1)@`Qa5~sNSuhol~n&J4FQ4rclMLU=!IQ)2fLYmjWWPg$_Zs08wIC5(Q`MQE4G5 zDxd^H6=hFSmOx_&*e3!mNy-vJf&?p?2qB~plE@Nxzl$1hUgA6Foq6xPKjt3(Ktt~R z?zjEE{Y#NTC|U@l{kZD`vCCuI++P+UdJD8926q=cI(-go4l5eF4btWi(}5KyU0x=A z*?TQx*yi|BXxPE4yPwY61f{+p<^uIT8=&jt&z!1b#UP%To%(v;g@xTnss^2+; zQynnM>Zn;)6jBK$7`dWGy0-_dY~EQ=%fM(F1C68tIlQ-6m?sEKOJeFOBp$*5;ooQ; zt)1kYpIY-b1qR=@&Z|=1z>~fi$-kpr@4ex8xoc~uM{ZGQ;=#zl4o$wK#9tY!EGOC{ zK{L|JYYVhL`gLdLh%e&&fYG{U!@aXwEPkmK7@*oo)s0WZASu8;G;(h zqwq`7LeEyl^dny>mm1qPR9;-z%x~7ql@yI8_DL$aUG*|~2z)*5d<{_!d`CRk(N#OY zX*dW*Z^us{4ue9U8Dw?x#hFegV>U5H>9DdmnOT8ohURGH2zbev))Yyzb1F=m(_0%E zpP(T##Uv(?&^8i(&jy)ii&u8bViUP%Yvjj;$ZB9*;(3vj!L@W^4bfgq?ec4r8R6u3 
zJ!@cxVBrY#fz%>CQD#l-(ch_mZFb9=;h3Oxs{|m}(pSUrK~kGZBaDIGJj76&Xjn;6 zV1sHI;AEn3xJTvnCDtT4hdbDaX^YSD2^UR$gu(k?6E?u32)Dna2Pm-g=2qYRNG=#v zA_5%(v>qFrIwX9fxG#vD#yX1UHw>#d2vLt6JeL&!t;3T~KYC{Yl~t+P%u|hV_?n23BrGBM?&Nk}ENK(!{g?1%eV*8Buq+O&E z>pG_C6wl<9Td3RSpmlv)Z5&9LQS9&U{#Kdn#Lhidq zNJ_s|^;Z@aw*@?ZGwr%mgMb7fd7a zO&p%ob(>;5OXkhm>a`W18>{xCYExI!UrC1hcQ*DQm<_`vK9+5hBk}QM;pOG(p4(cAkJZxDXXC&|pqI4%1iXSD66YK?hYH9diwh~sfm3P#R z`d=ZaJsR+}2F5dFlMVlUHL|XBmS2N!Ds7eHR!=cD$_kLAP(R8kOeVzTE_Cn|()t>F zQ274buF8S{4cDZt=FR6fII=6GPUFS&Prwl9%((3$q3*)|DJ1uf@8HfXc~H$mhd^uw z79)7ek<2F5pDo5WD`ipm=9~eCFfhpS&JM3tYCFE+NqcGp-aTC*-!2IxZ4FfPiN{40CC2IjmNXIqHSe%SEUTmWZM9_?Y)m zeVx1H$hnG8+PNdzZ1?cA42BAELAx9^n&Ak>3&JC{21R|1GAX8Dq?Zv!Ga>5HI>>5R z3{GET+Jw`1(u{RpyD$}BYutTc!>ZyIhhnpZo<{L-| zCERwS4Bk)K52iLd#S3?L`LOwhUMx%(g=&qVHS0N}r0)C`FTe;(?5C)J$ql;QUtTZL z*ct&C{+qBA(0^w8KrB^E7Nee{$(;89)8@AuA%V0Vs1rhF1$S zQlt*ye@Lx&pFQucM|^45@yYkV0Y}YcyPy(-)cHBRc#TJW8?_)A48qp;^0Qo*jl~^O zleiICGswKrTHy&J9>TXuuro*re+!CksemoniDdM=)hDl`Wly2jy&9C5EQU#q4uem_C z?k5>AEpZp0cd+2-`k_8ZL3VsfSYK~ii<6O0+#IvbV5r*T)zo68b>O^>k-@k4D7>6| zdYFaD8Zu`R-QRG<_r9DfE3i3!s^(@b{wL0MHD}|X_oc)Hysl?m+X%B*VgF&UgjEPk zn})r@-Brx}lc|&hfW3RY!LrHwLD-5+7uU%8zXVQnFWBVsvjRYk)ifB#G#Cy#$hR2K z51<0m7*JMgsx8{m*T2OoU|@w@c)UgNJe&Y)Uxdw36E^SWTRH6Y)W~(QTDJ7FYC~E( z>x+ZfoTmilLCPldXd$c)pK~W@6D{@NU(^pJjcmPJVkku1##W0T6PAG>j7xpBApAyPEEBbrUf@PU*kc5wFF!5o`V zRbqOC$`5xU#01Pbh?XzUXmpL~jQ*{Lv;Q4QbmmVzcG40(939u`UGcl((2I=y&rNu7 zkL9C6JTz8#F$NH$YT0sJ1VlvC6!$KbqqAR;AWzUq`b7Ade; zAIKd0-mu&Rg=le%yI~>5jjhMWg%H39VlcXQ>9`skYJZQ&dK*Sp8W4gNuK=lvp{dJt z@2DFo5>=2PK2l^n){=S@7sotE-~wJ;8PEiW%jb*5P^PeYEfH*=eA>!Q0f>sD_IIO;qB&DJL%aurc0mJt>W*| z5x7}K$rWdZu*c_9X+fY}8e|k#-zX$%$f1Kxp*701b|Ib(266%c1fzvDA%69nF>p>> zPRcrUqvU3({vJcc7wyXqJ;$&$gfu%yk!jbHMoRSyX{{IiZi^1wN27Tem4vsw$<*wn zhInDSyPY`tmxSLmi{ZXEIZSQ&qCjN_MxhIpMh7qT2DV7&HFacjz2V0=8oFdzPjU&zKRUoCAVv58BS+jfmk0QsVY@C zF5_T#c?unIo1{eVI>Ye{x%MtAG>hp1%{?x}!c=r|Jwk|k2q6nDInKt6GCvOPvPR-B z3POQyjWGNyvw<0c#xAj8CRmm8IXK_^AN0WU-1Pt|_cfL-02dzfhiS%A#nWDnU>yA* 
zJHAsR{UNMQON%3m5YK3F|3OeaD_{GHpEd;^$dKa$#Q0vKTpa>a`PUf)?J3~9L57FR zFnI3K_3YNeNVNyh?V#m}raX)jbdsx>r%G5D&1AjgW{Y2Sol~#@l`Zx!j@sWhy#b|> zQ47)w8%kT9JtYiVlU=vwwcO_E*q9GaPM(ZElOjEdB{m>#;F+MOwUOl-q@*w z2|0yr41vL)_dasfZ-Zlw)XRo4__J)dLw9e*jVG-{jl0GzEhAf3AtP1#Z1;XFjcyyb zxjI)ERoBWTDG#7OSZ*~F0@co7r0)^)0) z(C-)?G7@N<;yFpj9BVjPvQ!F-0uGlRI}^%(greWoVCq~|JG7jyqZ2h@`&0?fO>27E z3Hpd0e0UTbn9i$425lVc5&cmz89D#G$FHCk3yXHSm!R}oYoxMYky#Z`M;Z-Q@{@$| z!XD%Ip=WIHO5g4G#~XT-=ar=a1)rj-Dt9LB%RnmY5eKr0l@G=-b;OC8o5$(^b6D@1 z4m@ZtHF8dD9<$387K3#Yxk+*xzBUf&`8u>68xZJ!%AYbhg2%x=i6BFY&XA{GgXRAf zm4DDR-iX})_A9M7(!sdBd!l>$h1#bVh+)C1q=!JddG81Nh`^BGpduKf2z#8tcS*#m zr)VvV=}H4=D*Kb-1GP zyRG;8UcjXe;aB_L&IdzZaVPA_3Kf4D>u(}*9sZZu#!@P08n5AwaF^YycKmb|eiMql zfUWtw!)tcOt^Asw8{-nfWD&qy4i}Z^_7%eDr6-eG?7Wb8LjZsEFjC*`)m__B%)n6I zCmDqmtY15AB~#Rp!E;TY)^b@sk}?jZvc(6qO8c}X#1~>FrDYyTh*_V7<9gm9%!a#z zMKBcoq_`k}jWw0`E%7R;PhGz#dv{t1MY*k3T_fKCiQ2~9FDi2#E-ngnVJo1Z@$2!z zB`NzB#rsmqp+ot`yA=!5OQS@03P4nO41^2eN<#WH-Bcfa3%4j3c?$zo>zrSR6y~&+ zUzUJck|%e;8fA zE>mtuU-#Bu+SR5@&KN~O4P#po5zBaE$o%70`*Xgf`FR(n-& zJ8gzn!kp#I6Z;lIsNmDV8--|ifb9+>Zs#3d4z=8bYVg_Djdj|x&i0`zvw|dEd{|NC zHoBno{I?`b+aZ(qfj|2UD@#3OTocQh&9eG%wXa9XLi80peXLVhJp3mgqK=SR_Wb)! 
From f5a544aaad6ee5d2c105764a5200d6e1438987bc Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Mon, 17 Oct 2022 10:58:49 +0200 Subject: [PATCH 21/22] update Changelog --- CHANGELOG.md | 99 ++++++++++++++++--- .../1_3_Relation_to_other_assets | 2 +- 2 files changed, 89 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1507c4a9..e83052fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md
@@ -4,29 +4,106 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [Unreleased] +## Version 4.1 -### Added +### Added ### + +- Section 1.3 Relation to other IDSA assets +- Minor editorial changes + + +### Changed ### + +- Updating front matter with Maintainers and Contributors +- Proving RAM 4.1 as GitBook + +### Removed ### + +- none + +### Deprecated ### + +- none + +### Fixed ### + +- Fixing links, Figure numbering and typos. + + +### Security ### - none -- Business Layer: Adding Participant Information Service -- Business Layer: Adding activities in relation to roles. -- IDSA Rulebook +## Version 4.0 + +### Added ### + +- Section 2.12: Privacy in the Connected World +- Section 3.5: Adding Functional Architecture of a connector and Data Exchange Services view +- Section 3.5: Adding out of Band transfer +- Section 3.4.2: Adding Crawling for self-descriptions +- Section 4.3.9. 
adding Data Space instances +- Section 4.3.10: Adding IDS Rulebook +- Section 4.3.11: Adding Privacy Perspective +- Added structural elements in README files ### Changed + +- Section 1.1: Editorial Changess +- Section 1.2.: Editorial Changes +- Section 2: Editorial Changes +- Changed Information layer from section 3.4 to section 3.3 +- Changed Process Layer from section 3.3 to section 3.4 +- Information Layer is shortend and references to Information Model documentation +- Updates on Process Layer adding various details to processes +- Section 3.1: updating Business Layer descriptions +- Section 3.2: Editorial Updates +- Section 3.5: adding various details +- Section 4.1: major rework of structure and adding various details +- Section 4.2: Major rework to align with current status of IDS Certification +- Section 4.3: Editorial Updates +- Updating front matter with Maintainers and Contributors + +### Removed ### + - none -- Business Layer: editorial changes. -### Removed +### Deprecated ### + - none -### Deprecated +### Fixed ### + +- Fixing links, Figure numbering and typos. + + +### Security ### + +- none + +## [Unreleased] ## + +### Added ### + - none -### Fixed +### Changed ### - none -- Business Layer: fixed consistency in Role Interaction table. -### Security + +### Removed ### + - none + +### Deprecated ### + +- none + +### Fixed ### + +- none + + +### Security ### + +- none \ No newline at end of file diff --git a/documentation/1_Introduction/1_3_Relation_to_other_assets b/documentation/1_Introduction/1_3_Relation_to_other_assets index 0f296e68..cbbddc7b 100644 --- a/documentation/1_Introduction/1_3_Relation_to_other_assets +++ b/documentation/1_Introduction/1_3_Relation_to_other_assets 
@@ -1,4 +1,4 @@ -## Relation to other IDSA assets +## Relation to other IDSA assets ## Based on this Reference Architecture Model a Certification Scheme is derived that validates the compliance of [participants](../3_Layers_of_the_Reference_Architecture_Model/3_1_Business_Layer/3_1_1_Roles_in_the_IDS.md) and [components](../3_Layers_of_the_Reference_Architecture_Model/3_5_System_Layer/3_5_0_System_Layer.md) to this Reference Architecture Model. Such components can be provided as Free and Open Source Software or proprietary software. The operation of a data space instance is described in the [IDSA Rulebook](../4_Perspectives_of_the_Reference_Architecture_Model/4_3_Governance_Perspective/4_3_10_IDS_RuleBook.md) based on the BLOFT (**B**usiness, **L**egal, **O**perational, **F**unctional, **T**echnical) aspects of a data space. From a5cfcb9f890094205eb516f9c71c1c168f468431 Mon Sep 17 00:00:00 2001 From: Sebastian Steinbuss <23654606+ssteinbuss@users.noreply.github.com> Date: Mon, 17 Oct 2022 12:03:16 +0200 Subject: [PATCH 22/22] Update CHANGELOG.md --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e83052fb..852a98b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Section 1.3 Relation to other IDSA assets - Minor editorial changes - ### Changed ### - Updating front matter with Maintainers and Contributors
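Review bot: the release headings added in the CHANGELOG.md hunk of PATCH 21 (`## Version 4.1`, `## Version 4.0`) do not follow the Keep a Changelog shape that the unchanged file header directly above still promises, which is a bracketed, dated heading such as `## [4.1.0] - YYYY-MM-DD`, and `## [Unreleased]` is moved below the released versions instead of staying at the top; suggest restoring the bracketed, dated form and keeping Unreleased first. The same hunk introduces typos that should be fixed before merge: `Editorial Changess`, `shortend`, `Proving RAM 4.1 as GitBook` (presumably `Providing`), and `Section 4.3.9. adding Data Space instances`, which uses a period where the sibling entries use a colon. Heading style is also mixed inside the hunk: most sections become `### Added ###` with closing hashes, but the `### Changed` heading under Version 4.0 keeps the open form. Finally the file now ends with `\ No newline at end of file`, so add the trailing newline.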
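Review bot: the only change in the `1_3_Relation_to_other_assets` hunk is the closing `##` on the heading, but the file being edited, `documentation/1_Introduction/1_3_Relation_to_other_assets`, carries no `.md` extension, while every link in its own body and the sibling page in this series (`1_1_Goals_of_the_International_Data_Spaces.md`) do; a Markdown renderer such as the GitBook build this release targets keys on that extension, so renaming the file to `1_3_Relation_to_other_assets.md` should go with this change (and the diffstat in the commit header confirms the path is committed without it). The closing-hash heading form itself matches the convention applied to section 1 in PATCH 01 of this series.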
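Review bot: the PATCH 22 hunk deletes one of the two blank lines between `- Minor editorial changes` and `### Changed ###`, but the identical double blank lines that PATCH 21 introduced before `### Security ###` under Version 4.1, Version 4.0 and Unreleased are left in place; apply the same cleanup to those spots in one commit, or squash this whitespace-only fix into the changelog commit it corrects.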