??ࡱ?>?? ??????%&???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????F?/EP~ m???2?!???????JFIF,,???Photoshop 3.08BIM?,,8BIM x8BIM8BIM? 8BIM 8BIM' 8BIM?H/fflff/ff???2Z5-8BIM?p????????????????????????????????????????????????????????????????????????????????????????????8BIM@@8BIM8BIMurX Untitled-1Xr8BIM8BIM8BIM DpEPZ? (????JFIFHH??Adobed????            ??Ep"?????   3!1AQa"q?2???B#$R?b34r??C%?S???cs5???&D?TdE£t6?U?e???u??F'???????????????Vfv????????7GWgw????????5!1AQaq"2????B#?R??3$b?r??CScs4?%???&5??D?T?dEU6te????u??F???????????????Vfv????????'7GWgw??????? ??ߝ?r?X ?ֵ??Oc??ysH???6??U񺥹USeT???;2{Λ?{??f???(?8?h?????ݴ7Og?????§?5??W?n? a??? ??o???Ѡ????1 ?~?u??TV?????W[?}??} ??O?WP?;c??^?A???=}??ݳ?????+??K?+sY????p???u?IM?|?2?????m?8????7{kw?؆޵??ە?d#!?A˾??qh??e??????Z?9?[m???M?v????????܆?$??'v??cݵ%6?? ???w?v???۾'????'ve??kiv??!??Hvk???*ȥ????d??~????EHӑd??-????? v???椥euF?m???hh???)????n]?m/??:?Vv????V?X>??X?幌k??.???]1????5????=????k]e?~???ވ ???o٫??E?=?)???l??99]C?-[u{??ge,n?+??????e?񕧣?eQs/h?ur???I?_^??m;=?Qu?Tfu+3[?c*6?kK??M??q?????7!????;?[j??np;lcv??~???N?b??"??yhy %?o?%?n-g?~꺰?\k?? s?? %?,!?̲?1?ik??7l??????7????fC??O??9mo??¤w?;?,jo??X?P????&? }1?-????,`?2-??Xꪶ??n?H?,K?M????؂?ė9?̷?ڭ??c??Ϋ.???;?ovuԷ??s? Y????v]crH[??)?5?e???O?z>?Jv?\ñ?e?gvE??c[?Q??vuW??/?????? ?2?M?g???^?Z??{*ʻ!?s??)?Ib?1?妫.s\H"r?3????????z??-?b?Yp??6?n??}?%???ZJwX?N?W???oc??^??T??N?}:^?9??}V?c߇???????????C?K??}?g???6zI)?????}~??Wu??M{[???~?LO?G?{c??????Fc??Eo-s?淋s-k??????V?;?g?X?E???c?..????????p??z&???J?Y3??p?"'?R;?v?[{ ?? `_~Emf?{~??I??f;????? ?v]y?Sǧ?%͚?/{?w??????^Y$??_?;? ???M}???X??i?ҪF??ư?? %??Iy???Y?_????*????Xm??z?hi???[????Vϡ???? ?_??ʷ??O??R?+???ͳd?ٶ?????7???[Xn?t ??????hw?=??c?ck????. ??1ξ?{??w?%$??U?????v?S ?Ӟ?Ai??$ZJ??«?????kv??4?6?;?3??єֆ?? {????sw9%#?j?????O??Kը??9?O???????e???;? ?W?;k???w?A%99???=?4l? ??HsY?W?;kX׳??ߡc?b??/??ӏ???F?6??o?6?n?7}??M.?K????s??1?C?`\ݿ????w?/ҡt?*6??z?3?????????n? )???/c.?y?7????v:??ua??r???Z?>????{??L{\?^?g?n&??s????̳?m??G??}Q??W???S?=???f?????I?z???g?PgN??pp?qk??mp??????f?E??$??b??8{?????g??k??V?C?E?????????>Ǔ??_}?ʖ'Q????l??k??%??l???}??/???=X?3?z??_??P??b?? (??2???????×?s?ǟ???6_J?5?fH??????֐? 72??9Wgպ?g?V??????w??c?67k??)???z}U?a`sN??v??{X???E*??o;???e?}? 9????3n???H͛???Տ??_????? ۯ?q???Q??J߫?ݷ?mGcC?hӹ?ې>??J[????˺?+?.?7?;? ??l~?????N~_???? ???5?!?k?/??ֺ???c?ݶ?؞???/nML?\Ϣ?n&;n?{?m???II~Ǔ??_}?ʓp?I??V?t?*??g????J?)??i????D??c]m???w?m?l}? \?m?|05????jL? ç3{??ʩ?6?32??k???7?rЯ?eS??*??c????c`h???~??O?_F-8??ʭz?A Zrv????M%????T?ʩ$?ꤗʩ$?꥟?=S??^?vϲ??ǻ?g?l??[???eI%?F?}??????}???>??????o?'??ϲ???"Dn?G?'?[?"??$??߲m?g?X?7??????~?o??W:O???z_m? ???l?w?G?G??3? ??愒S?RK?T?S?RK?T?S??8BIM!UAdobe PhotoshopAdobe Photoshop 6.08BIM??Adobed???         ??rX??K???  s!1AQa"q?2???B#?R??3b?$r??%C4S???cs?5D'???6Tdt???&? ??EF??V?U(???????eu????????fv????????7GWgw????????8HXhx????????)9IYiy????????*:JZjz????????m!1AQa"q??2??????#BRbr?3$4C??S%?c??s?5?D?T? &6E'dtU7??()??󄔤?????eu????????FVfv????????GWgw????????8HXhx????????9IYiy????????*:JZjz?????????? ??N*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث???N*??k?^???z???yKT??Jh?????a??fQ?0?e?a?B%)N0??s1 ????????_????k?~C??5?????????? ??^??????x{??m???-ƿ??׏?1???^???[~i??q?????5?? ?׀w??Vߚ??k??0??x?C??5?????????? ??^??????x{??m???-ƿ??׏?1???^???[~i??q?????5?? ?׀w??Vߚ??k??0??x?C??5?????????? ??^??????xzR???t? ? G?孍???B"?O?Q?gn(?W??????\ߕ??2Y??7??]?+????K??&?????s~V???g???w??o????,????b?????[?S%??LU??+?d???o銻?W7?o?L??M?1W????????? ??*??\ߕ??2Y??7??]?+????K??&?????s~V???g???w??o????,????b?????[?S%??LU??+?d???o銻?W7?o?L??M?1W????????? ??*??\ߕ??2Y??7??Y>???z֛??]Gy?܂?\?y#?b??ٔ?UO^????6MOZ???O???s;q@]??'??4?X???o????,????b?????[?S%??LU??+?d???o銻?W7?o?L??M?1W????????? ??*??\ߕ??2Y??7??]?+????K??&?????s~V???g???w??o????,????b?????[?S%??LU??i?^j?????kַ7?LR??󑂖!A??????U???N*????????i?t???O?X??/?l??(~SyG?w??S??????&ҭ?Y????ئ???K?,g?/ɟ?/i??m?4b?G???\?4+?1O??r? 8V???%֟??.?R???Co????????B???1U???H2ƃ? c??? ?`H?Zb???^L??{L??+??w?/ɟ?/i??m?4b???3???3?????U?_??[?柢yn?O?l?????J??????L?Q?Z???:????O????37??????C?y??k?l?????|?\??Q.l?qБ?-?????D˕!???*?Gw#????]???qWr8??U܎*?Gw#???;??a??A???^??Q??V?^{?RH??????u)?VaɱWrlUİ?*?M???b??ث?6*?M???b??ث?6*?M?? 0?????_???J??&??Y??M????^?#Q?g[???qWr8??U܎*?Gw#????]???qWr8??U܎*?Gw#????Q???c???.4???}?Q??7???K????lX??????3???qWr8??U܎*?G?~?d????V?U܎*?Ga^5?g????e??u?*?U???N*????????i?t???O?X??/?l??#?'??Ty????? ?`˱V?O,???ϟ??֖?N???m.??Xe0?u?9|5?N??>??y?&*??|???,S?PZ^Ente?-??2^%?????d?掍'?????Ҭ???i???/i?5???????U3FRY?9|??o |mS?|Y?,UR???K?????]b?mF?$???Ks?9da??y*?Un-????)??q?????7CO???Df????pt??2"???*zq3|X????Z=???ѭ??m?E.z?Ί?/&汻#(??qU 8.a?????b?[Akrn?_ё/T?"7?f]?O??[?6??e??ߦ?qgqomsijk*5??????"HԐ?n?g?b?ɇ+?i????v*?/?S?a??V5?/???M?????>*???G?䱗??Zg?FŊ????o??Vb??X??Z??o&_X?r??mK??|?Gp?&???(??c???^d?@?b?t?&?SN??lm>??]??g?M>a4?]??凛/???LU?Ɠ?????M?Y_?\Ga?[٠H>?I????mx??;??=o?\U?_?v>b??? }|??^:5??%-B???)N?e?U?b??]?????Y?u?m??s??'???N*????????i?t???O?X??/?l??#?'??Ty????? ?`˱V???]???Z?6???????_RQzM??I#^&&??T?&\UB?ν?[ccu,w?V?w????C?74) ??????_????o?7??8m?O??.??%d???(̯ B??????Ibub??_????.?7--n?^??Z??w??Ш?Y???T0?n5?I?8Ɋ??????~ 4?An!iWQ???/g?O??zIƈ??ߺi9#?\U?CLU?U????yo?}'?N?*?;?S???`_????????fP?i?????6??037?/?K??????Kyg?1O?Q2?Hz>*??qV?T??$?އq?G-?X?9?4kmD??-????3JT(?J?T??*??]??lb?*???a??c?b?K????Zx??€̂y??%???G????W??S6???H?k??۴(?`?U?(?)gS???ddVelU.??????_Yi???F>?ڽ???)d?R?C/?`??yse?P?染?m??ׂ??ᵞf?r}pHѢ¼??'???*???*\_??????yt??F'???U8?*?~??&\U8?X????????_???J??&??Y??M????^?'???8??Uث?V ??NyGV֮5?׻mZ??/Z?LG?/@[,`z~???f???m??UJ??*,? wW?}1Z2?e?Է?x?-m1p?ȫ?¾?%??b?w??R?MU??*??????҈?IVixava+??3?????%|???:6????s?"%??,le ΂ibg???????œWL???Ҥ?.?(?-F????_?E????B/G?~+?Q?/8?_I?~%?R?'?_?zm֟t/?????y?#????4[?cZƋs#r??f???l?%|?iy???}}?M??۳Dc???B????*?vY8??b?r?F?NV??/?1I??$|-?-?????t^^?H?>lU?K1cԚ?b??]??????X~?U?~K????5??Gϊ?????,e?????Q?b??O??qU???Wb?C?c?ڗ???w??r,Z?????p?&?)???(?t?_????T?(|??p?5??=??j?[??~?????T??/????mUWfx??Wb??XW???,??????N??^??????N*????????i?t???O?X??/?l??*?Qj?R~U?F7??IJ?WG?5`Bt ?9???~?????i?I?X?G>??yq?nqc.?d?f???S,+?9/W?g?G????X?Z??H??c?Cp.?CuP?*?+/¼??_?pn<1U3?/?c??O??.d???}??#![?汘??ĭ?z8??ǖ?-?%?I?ӥi?g?5•-p??0_S??4??/????V????? ?b??6?H^?*Y?iVy?????4????%?X??cG?????$E?5b??/???????"???W??{?t???? ??i'?R????????????h???c3{;??Y?9??w??6??͏?L ???????????O???Y??S??L?R?????U???d?????Q?pu?4?]?bb??4?"w?Iː???>*??k???K???լͭ?????hܿ????M ??1D?)????*?????b ?P?ů??M?B??w7?I? ~???+????+???i?ܱ???X???=7Ky?????=?[#,?2!Wy.???[???_??????;?:???j?V?\????z??+n?)?fA$-?q???b?U=N*?*??^y?8????O???C??%?^??????Q)?????J|U?B?*???O+Z?R?W??V" o??C0??K?ZrR??3ʿ?)?b?t???$yj?ܝE?`?V???o?%????ςqL?9????lUU(C??2??劤???????z????t?D"????,?@??FT?????V??'? ???^??9??&???[ո?%uY=?V5?_ݺ?Jثc?Aզ?ooK??%?V?ј??,?=*??u"???ˌ|?$?P???_?p?Z??մ????|??m?Xe?$+???????|I???*?i??~_?d?kIn,'???"????խ# U? ????⬳bZg?N?????6|U*?????e?oM7???z,??7??1Wb??R?5^??y[Y??n6?S???"?? ;ц*?/)~g??,Z??Ok?jz?g q{l?pi?^?O?#?I?2,3??b?`???[??w??a?/ ?]:;ٌ??sb???S???I8z1|\9b????z녞 ???ƙ\??I?>?nn?q????Q???L?*????P?}DE??\[??&?K?I?.}Hê3ٱ??IU9??*?{???-0^?K@?o?-?D-nenS؈???%n??>/??UX?=u??[B?????E?g?O?<5?Ee`h&_Q??lU??W??Y??no??m??u?B????b??)?$?N/?X?.?]??v*?/?S?a??V5?/???M?????>*???G?䱗??Zg?FŊ????o??^k??nI???S?n?c?m??l?ۦf?p??&??3[%?J???O?[F? ?u?KԤ??koіb8D?Q^FZP????/U???qTt??XMOԡ?n??ͪ??P7??[?!?gP??p?[?*?O?o+j1?[-????[S2 ?&?ke(8?!VY?7???|X???͟%L;H&?V???E$k?~???C??6????xs?P???1?ޥ,?O?}*;9n@?e?T?y?G+?9???????E?ۥ?\[æi??S 6VB?0?݄?":???Q??ː؛˘.??C#??S???u<)S?D?sUF???d~Y?E??m?%??ki,.Z????(t?Qd??u!?Dm?H???)g????e??u?*??U???N*?o?_?(?7???:????b???eʐ?|U?H?*?U?>8??|qWT????'uO?*?U?Uثcy????J ??b????z?*??ʯ?D??????u)?V_???t?n?o+j}? ?ȍv?E??bvN??b?G?G???1?c6?"??\*I,?'??1?;?!?=?<2???n??|???9d?UZ?U??C$?Į.???E~?V?hV7??q?X֗??=N??O??R}????i4?iqEu/?,n????m?;?5g????V??M?r?Y??&???UX?.|???Z4???!g"?=?"W?d?$?H?7?lU?ߗF????G?cyb?d&F_Ru?ј?cYdTO????*?k?e?+X?+}(??Z<ćx~?Ǒr??e????^y%?wm"?0Y?^?#?Ï.*?$m"??~'?S];G?4?tl-????nn????X???????[???~]?v_??\?I?_???N*?o?_?(?7??G??Q?ퟗ4?K???xt???+ƙ??i*?@Zղ?'???&?????&?w???ɿ?n?????]?3?ro?[???"o?W~???????(?ț?Uߣ??&?????&?w???ɿ?n?????]?3?ro?[???"o?W~???????(?ț?Uߣ??&?????&?w???ɿ?n?????]?3?ro?[???"o?W~???????(?ț?U??OyR?O??|???Cu} ?O-?a+??Z/0??M?*?1W??[???-?t?6/\??۫yng?I?]??p?DS???~U0????,>X???C???????,>X???C???????,>X???C???????,>X???C???????,>X???C???????,>X???C???????,>X???C???????,>X???C???????,>X???C???????,>X???C???????,>X???C???????,>X???C??⪾P?Ϟ???f?8?"???t?{}2K?????.?tO??6?T?=???y???k ?뺌Wv?Ik?c2-??#*??yPw?R?????f'?Ue???Ա?Z???????????8???`~i?嬾????*??X??k/??)c???V??Z????X????????????8???`~i?嬾????*??X??k/??)c???V??Z????X????????????8???`~i?嬾????*??X??k/??)c???V??Z????X????????????8???`~i?嬾????*??X??k/??)c????_?j???V_lk?KU??Siz??? 2?W?6:???n,ٕ?fk?e Y V?]zb?O?*k~i?,?V?sj[???)d+-??JÙ? xb?\??,O?&???P?]?k?/?????1?P?]?k?/?????1?P?]?k?/?????1?P?]?k?/?????1?P?]?k?/?????1?P?]?k?/?????1?P?]?k?/?????1?P?]?k?/?????1?P?]?k?/?????1?P?R??7?_?G?.o???a??/}sq?B;?ekI? ??Q??U;???N*?#Q?L?接 $????#m????Gc?3???c???ݳ? ??Ǜ?8????3^????6ڥ?wp?,׾???? ?2??G0X&??;???_?:???b??!???,?Z?????Kw????f???????X??H~v?7???u??R?]?C??Y???#???*?????????T?W~?????o-?????????g??yk?G_??,U%?G?槕#??5{ {CS??ZMveSv?y?"*? ??#????O????37??????C?%?????W????ɥ?|?\??Q.i?T?b??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]?????N*????????i?t???O?X??/?l??#?'??Ty????? ?`˱Vs????????7?Z?ۻ@H??u[??C??cϟ?7????~m贱?????{r-?e??1+ٵ?s????$+U??}???S;/??,͠Xk?±] Qr"oP[Iy??l??S"???z~l?|?Enb??^ ?????q!??K????DP?ח??x?z???t?4??[??HmnS?'x?ZE???Qj`???g??Vcksլ7P?P??;U\??U1W??~??9?? ???:ث)????O????37??????C?%?????W????ɥ?|?\??Q.i?T?b??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]?????N*????????i?t???O?X??/?l??#?'??Ty????? ?`???? ??41??eT?f??W??~????wr?s6??Os%????p?L?\?????#??z|?gj????3?j?n=) ?6I?F mnmc?????rbu?2/??U??7?'???f]:3?I V?ۊ?x??"? ????h?ܱU?y/?Rkqk?g??xd?P?5?2[??‹ ?%)?X?T?)??'[e????)???0/??f?w????(sd?Z??sJ??;?4??????%?2ʐ?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb????N*????????i?t???O?X??/?l??#?'??Ty????? ?`??2,?˯??T??? ^? 6??????????[?(ԙ??⫵-???K???-N???z?w?N?U?w>??[?oݢ??NX???7?z??om%?????K???Fw????Y??O???yz???????E??V??g?]?Oyh?_]w???(???bј??r??s???9reSA????뚥????9??}FqrYco?>??a???|W??????˦?61??@??[?^o?_?(?5]s?8????M?&?T?????????I?Q?O?-?\??M??⽹?? ?J??$?????i$SZ]m??????@ͬ~v????c?%M*?L?*I?B???Nӫ?'??1q??D??k?X?Zi????XQ_Q{?a(ENjZ?\?ޟ?*???8WC?x??:?ޢ\E?(DVv????U??+?X?3???? *?-Ϙ?ϔ??#t?#k?nh???֎  ??Yy?g???N*??󕖽??J???MTO~????Ѳ?????2?O?$7???6I???_?t???%??????#u;h^?&TҀ?%?X???D??2???????Ѵ?8????n???5 ??????E$??H%??_?O?????G?~f??S????>??}YY????H?k?o9F?r?W?S?6Ue?ߛ??Z?????????(m?Y kY???D??K?L?l?>?Ŋ?b͙??ٌٙhY?ONBx??J???8?????s?&_J?"??O?G?ٰ??U#??????_?o????бU??x%E?N??_? U????$?*?q?Oλk=B?{?? ɵg?D??X?V???Mr???㜑???O??X?e??55??5²\qY5(??dH?K?°G??????r???Dk?Q???4?_Q?P?!?3E ??3/?d?HcNM??6??,U?~N??'? ?X????/??+?$?d?{?6?d??:???\zR\?,??V$_??????? ??r?c?։???_??)?-?)##?sm?u?RhDEZ?[?z?>??U??*?p??D??_F?k}=ţOnZ'mQ$?ꥉX?&?iۑoO??\[?*?{???[C??????D????Y?Y?.$?+a?I$??U?? s|U }g???-di?kp?MqZT??ӷ??~9????,?}_?k??lU??O?????????t?Ÿ???KX? 1????Y/~ œE.???>???ީmvb?\Z??"i?ʲ'(??&?"?S????#?^???????R??>???J?c?_Z?~?9}??Gb?;L?????ů?Gϊ??????i??M??C?*?~Q?????,???⬳m~??^??~qi???y??^??+MFio>?,????"لG???"??H޲|_gOl????e??5mQ??q??Ɔ`?^{?,??ѭ~??"??>?*???}?Q?`Ig?Y?? ??mmZi???F?;C?o????kd?????}??/-=?b?kh?y??H?s???????7??0????v*?U?k??4|?????1*?UǦ*????????????d???qWb?:???????????????M??_????? ?J?]?????Y?u?m??s??'???N*????F?;???ӡ??O?X??/?l??=#??h??ͳ??t? ?*?4 ?5??|;Z3j2^??T?J?K/խR????I#?L??,??*?]?L??x??gcͯ ?W?[?i?(?|??$?????WDj?B?N??j?ZJCw??z?ZF?o꛹.??W???fh_??????zF??ǣ?Tne[(#??Ē??'??&?Qث?W??o??G?e??D??i?VO?????????fog?2?6K??G4??????K????X?\?u???j? 7??9Ro?8???gʿ? '?DK?? ?kv*????4??I?Ȗ?]4jh?!??TƘ???珖?k9?5[Kx???G?????&?4O???D??hxs???TD?>R}R{s*?????A????cѠ???????-??Im?$??-ځd^??yb??oͭ5}OK?????N??h^I????i??q^?y???_*?9??????ir?X,?D?l?$?2+*^?P?/??????? ?Q?6?x?\-??p3C?ho ??' ?ʇс???>)????u??^????Oo?ް?b'궑??=9]J[̧???ToΟ.??? ????:?%E@$???Aɇ?I.????W㊣?/?)5?4[h??o?_Mw4?!xn,/??D%]9??_???Y?*?_???H?,??(??M6*??;?S???`_????????fP??|??(??0v??is7?/?K????MC?a???g*C?????L?W?a????qW???]???+56?N??-?`??b??p? 7??m????o-?????bm)4?I,/t?Kk??!6??EJ;?2JY>Ų?$??|qV|I&???Z?]??@y??Q?W?`????G?W?I?(??6Պ????;?+????Pcz*?U*?f?????Uت???O????^u?8??(~?????'?*??9??V???`???U??1V?Wb?'??? ??2?w??Ki?i????????\?.?"Ƞ???"Q?K??=k?;W????N???Ӯ????}d?sf????u??6?=H?r????Uv??3?[/3E?I{?j}nY???u??I??Kl??O?#??g?\U;??򞭣???ԅ?p?9??-oY?ҭ?y"WP?Fi%}?rh?_??6???r^??n?ZZ}b S}]??z???1Wb??X????G???X??b?A?\zb???p??Oc?1???FI??7v*?.?G?????;??~]????????3???*??Uث ??????_?ݗ???8??qW???N*????F?;???ӡ??O?X??/?l??=#??h??ͳ??t??򇕮?%???m?????????TI ??Q+?5?VG?(?w=?z=?]]J??L???,r??????D????Z|????]~??Vu???0"dij???dy??v?R}?ɚe?????R?Q?)?K?N ?G?cX?+?=[?7/??Sۯ(yZ???Γm/??9F/?B?M_??$O?B?????'G?3݈?̞????+???G?6?YW??>^???t?#??i? ?Z:5?s? ????o?V*?b?5???????????b????%?????X??????el??_?i_?o?&?1?}r??D??/???eqkˇ??Ε?5+Z}9R7?~H?hyG?Ѵ??mt?%)mn4?g???ݘ?Lz?U0??a????Vo??Y??X???X~s??՛???V*??V???uf??E??Պ??U????]Y??g?5b???a????Vo??Y??X???X~s??՛???V*??V???uf??E??Պ??U????]Y??g?5b???a????Vo??Y??X???X~s??՛???V*??V???uf??E??Պ??~T~p???o7术 ??ʟ?-Q?V7pqW?y?ʾP?|?.>?4?d?%}>|?k?[??*??2?-5?5?:???????hY????%??ZE??T| GF?X?I?*???.???????Wʰ???˫7??,??U???9?????p????w???????"??j?]?*???.???????Wʰ???˫7??,??U???9?????p????w???????"??j?[??????V??ڢ??j?YO?g?&?7???.53?\\^O}=?@ZK??gF*???˷^d?n??ZL??:??? ?Q?,??X7?o?r7??/?>_늻?7?9?S????/??]?????????????? ??F?????????qW???#?g????????????3?{????\U??????????p??*?????o?L?^??|??w?o?r7??/?>_늻?7?9?S????/??S?!?'??q??7?5[ F??O?N?]>?*E3MV ??F?Y??y??*k:=??s?67?;׊??2)jv?b?9??7????h#ʺU?ҭ!?Vt2z(???T??M?J?s?ԝ??a??w?_????????????+???Rv??q???\Uߥ9??Nҿ?0??K???????I?W????qW~???????[t?s/?d???J?s?ԝ??a??w?_????????????+???Rv??q???\UKL??1?_=?:ƽ???:~??f??k????DQ??<?u/???? 5>???p????u?>C?iR???????-??@&???"7??9*?yo_?״?ԭ?h??U???L??#F????ǜU??U4?]?????R??/? !??M???????h???c3{;??Y?9?_-?9?????\???????eHv*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?UǦ*????????????d??Ҥ?????4q?^.ꦟ"F*??^dҵMOV?l?2\h?E ???x????!?????Xo????????????T?.??m~j??n??PgV????4?O.??w?]mL????v?[t??$>?gXd?*??1V;?a?????6ڎ?s??c??^?Z??t?ll??~:dpUG ??K???*?|??)g????e??u?*??U???N*????F?;???ӡ??O?X??/?l??=#??h??ͳ??t? :?????k?B??X/ś?3s???7$?1 ?o?qT??W?Z??l???/V?? ?.?%-0h#f?W???Z??qT??.??҄??o??(??`??Հm???? B???-???W?sp?Z??U:?F??T,μ?B?o?*????T??V??M?u?05̱?ߝ ???*????? Rѭ5^?R?XE,1FФע??? ?5L????¿???? ??,???Q >^?b????%?????X??????el??_?i_?o?&?1?}r??D??YR?-?%?J??T?t???5mQ^???)d!o(,?[a????V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*??V_???*????ӊ??U???J?O?!A?4???e?o?R???HP?8???Y~[?ԫ????N*?g򿖴???#????i?qo? ͤ)0??Ǘ9q??*???x????J{????2LU/???N?e?94????h?#XC%?i:P????&[?h?eS?/??劽?ZE?]&;7i-?1??vZlZ????*??X?????????????T?.??m~j??n??PgF~o?p?:?o`???:?6?oszt???Ш???c W????8???? {-W??S??4c?Ntxm.??Z??P???Y???ޟ/???qU??Y?u?m??s??'???N*????F?;???ӡ??O?X??/?l??=#??h??ͳ??t? ?*?Uث?Wb??]??y??????_?C?&?d????)???0/??f?w????(sd?Z??sJ??;?4??????%?2ʐ???????m}[??_z&*?Uث?Wb??]??v*?Uث?T5???iѬ???Q9?\H?)jV???U^b?$? XdP??FSЫ ?1U?i??[?~?_?z????χ???????|X?&??????????+[u 4Ӻƀ??,? ?U?:???Bg??7-??*?!"??&???qWb?W76ֱz?2?UWԕ?/'?*?~Lj?????-??ѭ??O??涵??Ɠ*1???Ǐ U???K?.???/?ӮqW?????N*????>iԿ4??aԼ??N????]?\ڋ?X#6?(y?%U?? ?????X???9?GM?????k:]??v?:4J???n ???k?Gh?G~?W??????d?!Ӝ^O???? m̃???????K??WY7?|???#??V]l?h????c?/%?3 ?????:,??/???????????w?3?i?Kq?y?.?۝M??]K?\ ???2,5+???p?R?f=[y?'A?G?-??N?iph????d???Ƌg'?{?Un??y??ϓ?? ƶ?ٯ?䱴+??N+zu*????N??~ U)?!?Ҹ?֫c{??ηzL?sy?]oA?Qo2?HG9Z $?U??*?I/??-D?~?mHŮYd_??/???2???????,U??\?y??V?-??u ???_?Ů?&?8???`????ث?,.?9???}$???? -U?????.?9$E^Kly?"????qT^?c????J????/?޵???Kw7(?p???%?;N97??e?U4󟖵??'iqi?a6??ֱZ???X??֭?????M?*?ա?寓?????m??p?i?=??"?@ӿG?????m8?????,U??wK???ϕb???[{It8 ֊YM???J?!?$|-)"?}V??O???Q֖??׺M????ݱ??ןԋ?RI?*???????;L????.*??ߜ_?'i??o?%?]?[????3?? ?d???K~qԝ??a??w?o?/??????7????-???Rv??q???\Uߥ?8??N???0??K??????I?g????qW~?????;L????.*??ߜ_?'i??o?%?]?[????3?? ?d???K~qԝ??a??w?o?/??????7????-???Rv??q???\Uߥ?8??N???0??K??????I?g????qW~?????;L????.*??ߜ_?'i??o?%?]?[????3?? ?d???K~qԝ??a??w?o?/??????7????-???Rv??q???\Uߥ?8??N???0??K??????I?g????qW~?????;L????.*??ߜ_?'i??o?%?]?[????3?? ?d???K~qԝ??a??w?o?/??????7????-???Rv??q???\Uߥ?8??N???0??K??????I?g????qW~?????;L????.*??ߜ_?'i??o?%?]?[????3?? ?d???K~qԝ??a??w?o?/??????7????-???Rv??q???\Uߥ?8??N???0??K??????I?g????qW~?????;L????.*??ߜ_?'i??o?%?]?[????3?? ?d???K~qԝ??a??w?o?/??????7????-???Rv??q???\Uߥ?8??N???0??K??????I?g????qT>??~b?ߘ^????I??Ho????ݼ?y"?&??1??M=1W??8䧱???G??$?P??vZ?????m???K$?@???_W??Lek??ߺ?e~q????^??H?????|?(?\??%?d03?????~?*ü????_?l???*??w??k?W?ct???8?;?FoF??2Y?ɩy?=NI42[@?-?? ̮?If?l??s?7O?+MA/l??h?ma????Uj????qU?~J_?GO??U??OӵY?K[E???&?K?N??!???>8?Qa?E??5}>uM.??"????Z?Or?t?????J??????*??Xh?? ĀZƢ?'??+{?^>N??Y?^?? ?~?*????i&yu?+˥ŧ d ????0?խϤdXپ??7NJ?Z7?W?7Y????^??S? ! /??*#??Dx?n????^???????Q?-??O?????YO?o?J4? ???????????/???ҿ???M.c????b?sL??;v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*??x????J{????2LU??#????s37?$??W?ys?Z?̿????UK???&??????qTo???M"?Ki5&??S.????LW?<^9??:??~?*?????P???5?B???????O?4?m6F??EKG?????????⩧???,??????N??^??????N*?N}O??j8??d??YT)?K?<9fv???՗??r??????9!??/????ZK=.?;[y&?鑣?qR?9|?`?L~??99?~??}???????}?ث???99?~??}???????}?ث???99?~??}???????}?ث???99?~??}???????}?تY?y???r?^c?ːi6:???3??o??U~T_P5????%?????X??????el??_?i_?o?&?1?}r??D????_:y???????D?5?fY?+ynV?5??#,?d`´?2?1??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4???~?廱?????N*??????[?????4??W?????~?????*??I?Z\]??[?%?E?9r???X?ԏLU????)??7Q???1W???^u???h?2??;a?'qU/˿??_??????P???r??Uo,iV???;k?h`?E????Wp?0??YU?G????_ ⩧??ئ??ƶڍ?????ծ??Q?^?`G"z>? ?????)g????e??u?*??U???N*?m????g?늚~?k?i??+o??R??#?? ??J??e???ZՖ?w?1ͣi????}?5??ߤe$?b?/?W?W@뿙?n?5?)4?1??q|??&???s?Y?ܧ? ?>?????U ?ẉE????4?z???w??7b2??ܲqg? x|1?????*???٫??[?h>]??c????VK??@???b??oU???W??X???|????6m+KF->U???xZ_??????????2?4rI? ????y?m?{,?r?R6?i?Mo?5?G_?O??V?ǔ??ώ*?,?9??i??!??j'?Ť?b?H?????-?\U"???QZ?v?iqs?^?????????G,K,??s???:????7 x??9????uI???ˆP?!Di???T+?Sy??ӆ?a}??*-??n?ߵ:??'?????U};??ɚq?6?N???{Z?+q?Rs%?5o??c??c?1V?o????????X?鶺Q?R;?vf?Ńz?ȿZU?%??p?>.X?#??o?";!u??[Ef?1?bd????5H&??[?w^??S?5?+??iKO??K????/-???? qc?u?>??8?W?*???[i???[??ķ???uኢ1Wb??]??v*?Uث?Wb??]??v*?Uث?Wb?8???????lmO?$1W????ǿ???S???n??Q?b?M?]???˟???e??v??N?_??6?5?7L??3??+v*¼??)g????e??u?*??U???N*???Ɗ$9^\~U4????%?ڄ6??2ɥ?%?????$??@?$aŞ.k??[?i?^\Z??î۵??s?Jy(X?4?֠z???/????>?*??2??th???!?M???Bi?4????$I)?,????3ȉ?E??b??1??E?4????3z?]8rE?X?w?~A??N?}r?b??I?:??u?#&> ׋???????h?u?.u$H?Z??g"J(Յ????_?~?Ŋ?y??ɞZ?[]sU???? ?g0?)?Q| ??o???U????$??0h?k6??"K?byE*N@?Rޡn8?S???}o??[[?Ԗ?-!4??+ dW{?}??"????)?LU#?ܞr/$??IrHٹ?*???.u???U?}^?e?h??O?$??M???3:~?*??4G?)?b???&??m???(?,???b?M_?7?:>??N????j:G4?J??z??d???V??w???5??1??d !??&??/??(????*֡?????a-޹n?jq ?9W?????3 a\?rq^_*????qy? ?A????????w?X?I????՞D??m?h???NE??I&????~}???U1?ߛ|??kyg??? p?( ???%?º?H?x???U ?~a?+Q?gѬ?he?m?_R??P?_???I???x;p??Uf????MN?P?????KOV?v&4?#P%???E?9#7??W鿘^Kԭmn??X????i???oy,U??~%?gR??3|??@g?֠?!s5?O"M͵=h@?"r?R{??O-?זV???}CU??m???u_?(-,?U)??}?6*??~`?v=u6?=R[?;??6????d+?CDž8?c?σN?}Z?X?,?k?,?#??r(Lr?e???E??]??v*?Uث?Wb??]???\?ֆ?O???????^?zb???p??Oc?1???FI??7v*?.?G?????;??~]????????3???*??Uث ??????_?ݗ???8??qW???N*??Q[D? ? >??j9Aߦ?_?.|?????\U???_?(5O?????2,U?~t???7??7???????el??_?i_?o?&?1?}r??D??:???????@?? ?v*?Uث?Wb??]??az?x???V??D?????]?V.t ?E?6?#?2ʯ?%Cq ?qT?J?????\??ͥ??։?h?nw.Xݷ8???ҁ+???UE?-?T?U??ԯ-L+q??[?Ж??x?{+?1r??mƈ?ެm????}?'BЭ????2???Q?????Q"0??K??,\?)$??~?*???Uy?N???6׺|?lMV?V??E?i?j0?0???XՖn?NJ????Mw??s˺?????m?1x?(7Z???&?MBCċS?Dy˞u??????5]B?k????[\s?B娉 ??.#?%?R?AU?Tߔ>l?t?????:????X?~??6BU??s΄?G?c??v??U??MR?o4???Z}???k4???*c?dH??/ٗ??7NJ?V>@?N??ۻ?.?Oo/jW????^@f???`XZ(j=/ބf'??U+??(|?ms?i????kD????:h?A?K=ש???؍ ??:?iW?*???h? "?A?V?e??+?/??\???6??۽GT? ?jw?mlZ?k??qh?'9n?ؒI(???/??b?b??g? ?KٛP???.??&[p?j(??J?mn???ە?YqT5??V?/?uM'S????M6?J?/?k?? I??^d???D??œS??تy????????uu?E? ;Z??-- ?D?)m?c?`=y$???F_???UK???֝?iZ??{gt?Z֭???IſI?#E?84h???qU??U?????Pӯ,????=ߘ"???X? ??/I?G!"?o??T???[?O?Ͼh????L?+???V??K????c??0?^??S?D??qW??_?~?˾F?t+? u?????? W?$b??*?Uث?Wb??]??v*?Uث?5??ho$??S?? U?g?*????????????d???qWb?:???????????????M??_????? ?J?]?????Y?u?m??s??'???N*?|???????????Ӣ??O?X??/?l????a?y?j3?Z??l.??Hk??`F?ʀ??SEb?_?S???*???w???ʿ??t??GO銢?????'P?Q?|?ailK[??,?H*J?|$?U?????N*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث???N*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث???N*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb? ?_?????????t3??>??5???Ӥl??O??j?R?<|?e??:?????!???[H?9???_ԉ?t?>k??????qT???WE????N??????Kk?F?C?6???z?d??U=o??M/??Z?[5????օ/?????X]?d??4???c??U/???o?G?{?KmSI?ֵ8l??ݒ?n?y=*???+?IS?V???lUOA??m 5?oH????_?A?????? r\ *???8^lkI-29?(?f19?-H?z|_ᅨB?V/6??_I?/??u ?????ƶk?e?֜׌LQe23r??A?~uy^? . ? i?zƞ?S?.??C???W?$?9'Ŋ?r?B?n++?ٴ?J;{[m>?fd???S`?KA)ߛ|Q??U6??94+S?,?lo=.Mc?|^?I?????y?:K??NI??#???̚??E?????,?A ???^???ng?I8?i>U.??=??? id?????4??Z ???????1\?F?2??v??U4????E ????O??$H???P????8S??*?????T.?;E̞]?G?&?M_[??/c?h????1?-????7.??qT??_???2*????Z????????@??g?$?o?켵ko-ż?-s!?5?G+I?i?B???7?o????/?????-???5???e̋FM??݉}?8????͊???.?????[ܭ?Omgtx?-???&x?????? h?vU劤??m?ߔ?=^??V?l?e0K??ki?&??-?%G???????N8?ow????Mr?I????T??n?8E???|?"?sdoۢ|????áj?b??l쮟????????6}.??/?*?????U???]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?W???N*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb?N???}}ko?\X]?$????F?)R?X?VW????]?'4CL??ҵ]*K?>?i?N/?ԹI?h?2??8F???b??3??L???cQ?????^&]SH??K?OM???E??]?T?E???4????2Ť\h?#CH?n??i??[?v?g?L??E]?ZH???N???Nz??F?R?&?(?Ũx?RmG?O-^?B??]WB? ?????Om???????o?~/QqV6??ϡ??ql?iOo?I-\UZ8?8?Q??$???J?W??Ѭ? [?LV(????E?T3}????%?䟕?????0????4?-???&H~???U??S??P7_?>X?Ӯ??5+??r???in܃?}?K???Pi?Q?y???k??^X?%?d?8?#?????]??/??^<=D?Y"~Q?e5?~?2??6?? z?7zOr?^u??,e?5??㊠4?ȿ)??i?=??妛?_i+m;G?[mFF?q!DF?ɾV^8??_??pд}?[Ԯ?t?mCKiZ??L?$??8ֻ???>*??? ?X?}B?;??Z?????????2 |=' g??>*????V^l?G?????]?5&???ވ???I9*??8?_??V??H?jz?p??+??H?a??X4?c1~??y??,U)o?????Pk??ߖ??P?֦??XM?~??"?ee??'??Y???e?k?5?_]ZK??????m?d?xE#V?Wf??9??*???ހ?C??_ׯ?F??=????$?䪟O?U??*???[???׷??މo?k-n`?Y?ӄAw??_???G?O!?a?t:??vޅ??Է???Z?ӻ5"?????"?u'?????^???v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??_???N*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث???N*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث?Wb??]??v*?Uث??n??g?|?I>?\?r? K??PNG  IHDR??ܙ^rPLTE$$ $$$(((<<,,,$00000044(88444088,<<PP8880<<0@@<<<@@@]]aaDDDHHHLLLPPPuuUUU}}YYY]]]??aaa????iii??qqquuuyyyu}}??}}}???????????????Α??????ڙ??????桡?????򮮮?????????????????????????????????????????j?.tbKGD?H cmPPJCmp0712Hs??IDATx^? c?8r???VE????i?>?ڮ?s?Q?Z??pj.M+?????%G??A????(2 ??h@`0??qST%??RnT۫?????c?.???wL?g?1?j???@?4?z7 Bu?ȝ၀P?A?.????0??u??yU꫙?>?F ??y?':??OM1!asx?E????|_?l2B;?}'d1 nq' ????? ?"??` ??j#,%ίG0Ҕʞ?`???Z??u>??f4_??????????z>?ܳ ???!#Kx??žև????Tp?????=?p??2?kڤ?O?{?pzo??>? ???38?+l.??#?n??)V"??r:ag ???z??i?A?Z????|?+{~???C@z֙5_?? lj??ͺ??L??xf?(?????(??Q?V5??9E? B!?Bl?T???Y???w????????BE??l?`?Br|ʼ ?7z+??%?H+??2B??E?XbE??>_rCg}:4G ? ??"??9? ,"??? ???0?N'?+h?? nlxc??ѓ?4??^q?x ?*ʧ} B?ː?p????.??)T???p&o??"?%???Y4?N?^?=?ˬ? p?p?x?A?{???i>?3pD>??9 ?d#??W:!&?v7??x ڡ8e?F?v?.9??c?k?q??}??H?3Rh ypOq?iqK???x+C?y1Ļ?-Ü?`Z??6?????a????B?;<????y7?H?a4 ?L? ?5? o??9?'0????M?x?~x K?U?@??Y;?t?/? B?Б??"?0?q3<'N=??9??? ?????Ϥv[?z???;?????G??????&9U?B?H1\2?A?h3?a Ap??2Y)?*hp?@?q??Ď ?3????1??k?Kk???K? ?;e(???0?@?x????'??_?9?o'????$b??~???.s,???Il??0p??@6[??????w?L?????]ez???? ???8??o??"?K0#?`?G ??? ?????A??wf?/?Z???%/v??x???P?q?Z;?;???QFTmT?b ?8??q?0??-R?B?~??E?Ͼ@in?X+????9??X??V?H^????K?S?P????e_~?l???z??CN B?}???? n?^?mޝ:_??z5#i9?,?EŶ-??Rc?Q???A?H?ŋ?? X?JՏ??^?HZ????k?82[?*??? >??P?B??j?SdzS'N??&?v? S????uu?q?"?K?a?Iu??Vܵ????????%\U?O?GR?U=؎e?)f??q?e?q?^?:"?.|?2??Z?g??As???#?/???ɉ???1.:k?|???c]?&U???;7??{????,C????i?^j?J?l??&?[?????~?S?d^?ђg??vv?h_Q??L??Gc?J?tk??/n\?n~?????R??]!??N?!??u ??̇kZ?8;??? ??@*#??k~P-L??̔??!?`)?Z??Nn???! ??v??r???αp???Ի%k?????7??P??#??x? ?d?6?^Z????~?b;?w? ˜??y?2ܒ?IY?rg H?f?A??s?h?Z??px?z?2Е?"?_??E??¿?ͷs ? g???\ ?C*O?????OӒ???/??????ױ?73?Ҍ4C??me?/FUǒBQGH@??[ϙ????E?>???1??? ?d$I???,m???{?\??0=w??#??Mym1??cw?`?k?He???s?f?w?3????6?P??2?j5??4???PFz???j?y?;?HM????^?;ȷ?& ?Vx?f??E??_yw??vЄ??j???,4s?ˢ???u#|l胸?婼?ށ?tЄ:?ܩa?δm??v?DS??o+?V?k?u ??h%?CA?Y??8d?\?pWv ???1R?#?P?T???v?ď?0?x?`?S? |:?Nq????h`!(??9s74;?oM?-?ݱ?s?????^?!Ġ?.?1]??? ?ȷ?&~??? ?"p?p{??sXh????????A?B?f D???Oq !???o????fFJ??M?O?? ?+??H?o&?????~n$B???V?6b??cyܵm?D?kx?R?L????t??h??.???C?n?8??UM?6?k?/W?kJ???n?????;i???]=??#?B?jG?U! uM=ȷ?&Z#T???|??mr??7YM4?O???X???p?lZ?(;?????:h?QJo ?_T??F???f?^?????? ?R?B?/?X?-???3Ut?0????p?gGe??Ax???G+?-$?n`???$??d*V?۪ojF?;N??pR??J ???}"{??QM????i+?2B?qm?"3?"??clڠ>??B??E??s,*Q?鬶@?F?j?^???].̒1?? B??Rr?\y!?k????RSz?ՙga l۷V?H7Y?0sD?.?H??xab?2Bʩ? ??!?"??xA?#Q????Zxq?????0?&??HTS???0M {?6_7}?0??@?L?y?n??? ۷?Y?????.y?)?0B? k66ð?m?¼?s?g?t???^??"D??nj?u]?4??|?X? ?b?\?x?????????{??KWm?$?(L?`??M?????/?>???㹯?B&?%sUz??˩?^????&`??_?? ?~ ??~t?E????h???}??,6?gaV?????Y*& x??Y(??I> ɕ ?h)&?x?%?i[?\ԸN?&??ˎ\ )\??????\??s)?i$T>??!??.!p??]?x?b??e?4??B??h?&+> ?a`E6?f ӝ"?m1? B1%t1tZ?Ͱ??c??K??"??B??H(?,}=????? ?Y??7?"???y??V?????n?B?I5?N_‡湇W??!MCΜ??~^?@?0 ??!?_??v??!9?) ??? FN?x?????ܡ;?f?NA?0I*;~*?|?[(kE?M?Z?_ߪXvO????A[o?V???fZ??I?S?P5g??_?b??վ??ej?̩U???ڟ?OO?Ց8???P???͉R6C1W?~|??0??(l ?R???$B?2 ?U???^??zJk??hqg?8?6FҚe@ !|.?l?$b?T???????d??9m?-???&[!\?7^??Z???nn?c?-?M΄zQ3??ѣ??[!C??????h??!,w5a%۬HuM?/???&??%????-ԉ???]jaE?F ?#5?˴? Ž???J?p??|`?ud??O?YhR??*j?DH>?E???ȶX ?N?H4R=?"??OA:]??v?>???F?PB??\R???ıH?c?۶??ҹ??8!??r?刭39V#Dw?k?yHN?N5"??A?G'sBl???V??Ϝ???Q??fFjb?????tR?G?ϊ?!5?g5?s?*"?}OB?????ƿ??W.`?2?s?q??W?Ii?s? Mhǡ??,.?m?4?g?y?뾧aB B?1t)?C???Qn~?2?s?q?ԧl?1Z?"?]?c?B???iv*?]4f?B???YD:vy????֕=?'??|??j+ ??(?K+@? 4?Ve ???0???%?#[(?G?R)?˞?`???Bl1@?Zad#w?QXxJ?b??d?j??I??`?2?s???r?#u??☹?Ch??]??U??Q??%sZ)?r4P?a?ӻ?S:?@?)J?????!phч?@???# ;??-%[???.B>?bp?ͦʃa ?Eon? ?Ⱥ??? ?;??î?yg?C??Y?c"???@?>??y?8ށ??L?ꎯ?Q?????}!P??????q? ?x 2?? ?z???J?????I?v8p?gm?t?|H??8?o96?ޫ4~????*??????܁)?2oA?v??C:?l???????;?ϯ?c$????c??;0?x?-????8??.???????9??8Q?Է6?m?;??T?vP??????8Km???M?K??S?ǃ??g????s????????qe?oP?y?? ҉=??Е?~???H?I??????1?w߆~M?K???u????[??>??yk?XI?q???mm??0?U?{MU)??1???Q?ψ??x?vv???????өF9"ćJ??_X?U?#8~??1???^n??`;<1?v?=?P?b??IB?er???e??>^?^??,?l?N??c??m|?}?AL#???u??x^?ϸ}@W????anCE?J??|A???c?ϗ??6տ?~?????V?)??= @??4`?  @??4`?  @??4`?  @??4`?  @??4`? ?H.??l?^@?x9q B????מ?}?q̗ P?ߓ?C?Hr !@g?8&L?s"y ?$?8??e?z???g? ?D????8??5y?1??л6N$ !??>??? ??]'??A?w??q?1?et?@??8?Љ?_?s?d ? `?D? ???W?7ὧ^8@?]':q?????q?{j?????@??8?,`? ~?6?l?|?m??m??^???????A?A>??f?0a?On?s??G???R????8?"?^?xMH???} ~箺}M??Uԯ??~?86???~??:?8?L?3?c0?c?:?$?Ɖr?6?+???ܮ?????r???-?? ??^????~?8??E/????u?q>? ?~ޣ??( ?8?'R??V?????,????? ?XT?7??ck[??T??oA?"a?|?? G?????8?'R??6???h/?7??Q???x??'H???l?H!?Kj?vs? ???y?Q??4?0?[Vt????`pF6N???D???Шt??.??8????]?!Dvq66N$???ڮ?l???????8?r????'?h??$?ƉPӿWڮ??v????????(?????r|A?Oah??@?s???p"?8@ǡ G????? ?^^????q?~ 2@ǹ G???:?"?Ɖd????)?\8??ms??}?a?y?u??H.?"?Ɖ?ϫ&sm,ފ?}??Ձ??zm??0?m\??ߊa?Oa_?? ??Y?8?,-??z?/ֈ*@?n?tZKq?l??ٜ????Tl??8?7??8??)?+?{8??'??y???????yo??k??ܼ\].??kk??}? ??~3?m?????;;8?/'??K?|?\"????=o????mL????g?q?|?????ۆu>?????A+??e??=4`?  @??4`?  @??4`?  @??4`?  @??4`?  @??4??r????3??W?'B?Ҏ?k&a?p?~??????iP"\?~O???l?t\??V???3$=?????????g??^?k^?j???~?d????*???? ?C/?5????? ?G/?????ںX??픺??@??b$a^Ȅ??G#???%?Tu?r7 F^?S.?? ?~C???????????kA?6??]?ۙn???p??{?~o??z?پB?????ڎ?ec??????)???z?y??Z?v&?[?y[ۉzZ??`?s??@6?{p???8?sY?=n??!@???z?? ?!??c?ڎ???u?q? ?*???ZCZ\???m?9@ga??z????v.b?~???=?F? ~??d?g?@??5?U???:??? ?=???2???ۯ???????d?עVn?3xݎ???g?I??~?U?\ ?ް?ۇ??(?;?u??????d??¸`G?ۆ???߻ .T?~~??z?^?? 뵕{?0??sx?@??c??4`?  @??4`?  @??4`?  @??4`?  @??4`?  @??4`?  @??4`?  @??4`?  @??4`?  @??4`?  @?#r??e?v??5?<?@????l???dxxx?|??l?l??m???&???????ݸ?75L????'????6????u??v?X"@@?ܸq? ????N -?KZ?????y?dk{?_:^???????|????????c,?w???ϫ???sn\?<??5?k?~?:;@d??`:J{??Yy?NȜ;?Njjkn??@d?u?sx2d?k??6?n???Y??c???Ȉ\?z?@(?? :??????;??????m?փ[???=2?ؠl?6}p?y?+??&-{6Ic{??b??{?@?A!@@?i`?O??? :???y?w?92+a?m?/????j?r?_2?ˆ~?`??-h?]?S2?;?9? ???m?Z?l?????g~?&A?B??ЅZ C+S?"??????#???S??L?7??B???t????c>s?m?]?t ?z??? !ҩ'_??,?s???-̐Xx?| ?1???h[.?~|??@Yh????e?&Y?????8? ?I?AU?s?GV???RxJ"@@?????SVv???{;#[H?6ok?@? ?^?9'q G?5???=.d@???t*F?d??⹜t?]?4_?~}??F~????Ƃ??[??6???v3m?Zӹ?i??Q?V[#?m????P/?T?Ja??t?U8??:???????Fx0 @U?{???a?M???_W+wnosZZ?"?????c?䎶???????P@ECG???%[l?C_?~?X?o??p??zi\???g֩?2??ϟ?C???????5P?쮕??Yδ??E???N?????k???>gm??[wlp?rMm?3?gk???? 9{?????s?D?0?????I??y??E??o? ??uĺ??????ֺm?X?m?c??A6?tnq??p??)ܦ6 ÅM?q??Z?y??? ??ؘ?????gʹ2}?M@&Dǣ?Ga?????C?9Ự?/?Y???߶i?,YtG????;????N ?0\???? `ҵkפ??.?9̄?t??'r?c?}??[oM6?[H:4?Iz???z4?Z???{?M П|? '?D#@??w??`\???_j1????n???}?r???yWzLa?.? {?H皦)Z0?dh?????oΌ4@? ?n??ɢF7??`/_??r??ǎC??=?k??/???@b?L:???Μո?@?T??1y?^??Qw???9?L??th??:?V^?s??R?N??Xݎx?>?:?sȏ???????w?}?@b?L?Z?C???>@?S???d???i7s???Wq ??[fˑ#G?hm??9?$?8-]?s???}R??l?zf?6@?,?S??vv\?^?e??Z9s?L??BBIE?2H/Z1::*}[:??ϺpPˍ???9i[?/s?+?F??K-?Q???{???R%? ?~y?$"@s??E?????ʕ??G??_?3@???I????i???? ??N???????@"????Q??;dp?Šy?????0??Ev&e?lV?0?/ms?G?/@s?s???6y??e4s?$??kڿ?n???W??x.???n?0?.??p?h??% ??#'??rҶ|??:ujZx>w?'&??"@)711!?w????DsSy?dns?? ??.???^?^??m??cxy9'??~???q?zeô??GqrH,4?b:mc`?=Ψr\G*i޿???y???ζ??????w??????????sNP?E?R?????_?!p?C ??=??N?:'w4̙RΎv?? ?ԕ+W?????????].??D#@)t??%???sZtKֹ?>?m?:t?????8Q$H!?,??Z?4??????29?????d?Hh e??FS?|?~??F?W????M?Ԃf*?$"@)3>>.?? l?X?e??S.???] i?@?0???ַa? 1 ??@ʌ???Уu?5Z,?c;gɓO>9?*?BH4?2hZ?ۉ?g?????????@?????*?jq-=U~!'???S?6]? IA?RfbbB???MT?$@????KN^?A?R?~?D??#\f?}}_? N П~?)'.?? @)4x?A?x.9???ֿe?9rdZ???/~?? 1?@ ]?zU??.L?? t?Z??r???i??>???h ???w???1??l????????ۜ?͝)gΜ???}?]NZ?A?R??ŋ2?ka"???in?????s?}/?????ۘ|???ݑ??'n?ب???????k[???|?? @)v??e??9? Е?n??????ȸ???J????R???[A??X4???`??߿? ??@? ??K??6?%???d?!?R "@??j7??tη??Bt?????'?p?H 4?!?o?"?DV??Mp?????0?????>ёh???賶˗/s?H 4?1??rB??&????;?΃u[??t??9?q?A?F?????OW??m??s???w??''?? @??|;?P???ړ??%???? 9?ntP??M???*?? H??^?m? ۋ?5?Сe?l??SGf??{?W ??Ν???(h #&&&?s??~yj???????[-?N}=>?ϴ?j??K[ۮ????)?w6??\x?v??ug????O???(h #??񘌽U??g?????@7??h??6yA???E?:??ƶ4?w?/?ӧOW ????? d?իW?{??X,????k??6]???L^???W????Q????x??2']??ĉU?3?7$Ȁ?g?t?-ġtЋ???n??T??{??s??u?K?1? ??@?ݸqC??O?????L??7Z?z9^t????V?ȷ?>??@"????t? l?O|xf?9??W???no?a??o?J?&Ws??????? ??@ʍ??ȩgf?"@?-G?״????s;???esd`O??????ߦ?3?D#@)w??e??t;?+҂?ơ??o?l??^#???????/????hh ?Ҳ??^sJеM?????_g?,??q???АQpf?3?? @)G???6 ʺ?P??;Gk??s?,Z8K??3q?7?&?H???a?*?C?I?y?m??i??޳N???/ǎ???Mk?@Z?????O?%ҌF?u??O`ηs??ɵk?8? H???q?l_@0??nW?r?ze???????ƩCiC?2??k?s?8?!?mi:]$?58?????????xR? d??߼/???#?\5??c?}F?Yk;k? ?3?, @?????.v?i՚?wvS?N?7???N]g?j?4?/^??] ?4_ uzƗ_~)ׯ_??Yh Cv?ʥj ???M/?????? ?G?2Df??v?Se??H+?:W͖?Ǐ? ?_}?'??#@??????.??$,Ҧ????!??m?8?E?@?2ibbB??w???:?#mr???;?^????#'??#@6??+??Q'? ?? ̖?;P??3? d?իW???.g???9??K?#???_&|?l:?&??5w?F?n??j?:?-hr??5??w?#[??(? see?,9??L~!?4 t???TN?䤳-'MKr2??>p?ܵ?O?/2a=?g??]??-wu?j=?-h????ɰt?? ???~?u?ir.޺|???$????r?BW??4?fmZbp?????6e.7m㫯??? ???ˎU ?|ۨ?R??^??.????9۩n?7??mz?n???? ????????{?JSS?ܹb?ܵr?37?0??/'?Er³?cvSR?p?Iۼy?̝;W??ڜ????m??????????ȈrBܫ??*;?!˛?˲?Z9??Lg??i??JZ?M?OhՉE g??{7?????????"?R?u?ssS%C/dR??i???#??u?6??^MR??_??_? ????@uhF|?A????J????)??+?}??gS????\\?⡁Z?/æ??4????t[kk97?>??jzP7??ˎ?ȳ^ ??ov5????~U??`ѢE????\"@pEG8u~s>t???M?䯋>\v!???Jsw?eش???|Ӡ????b{YD?AU?^?$????s]q????????:g]???????ߜ?6?_?6m?$?????U?T?_??_N?ʇ, a?i&t????~Iy6 ?z????Q?h?>?V???s?_? G%?t?j???_ ??o??????Ғg3f?p????ѣG}o?w????p????sg???SbO+v?Y??m?lW??lO?0?#?:M?????ѩ??f5X?R:?C?G???ہg?Q|U???1?b?η?)Ag]$?s???V???Q?~??D??~q?B @??!???|??󛃤 ???Kgz?׋?_M?/??8?AK?[딊|Us?u??_g??M]$?f?cq???%j???i(? ?? ˴?F??{ KQ?)??4[?,??r+?????b_?r?)?f?… S????-???f8??ut?Z?֋??b??8?Ѳz???8^0E?Pĉi???Z???TH24?q??}a@????J T??b?8qBv???Ԗ??i ?Ny?????4d?߫Ɔ?΅b???益s??_?L߫??f?4?4eΗ1???,^HC???n?R??rz?m????t???(i?.??g?g?)d ? ??\X?y?޽???U?=?~F?? ?--iX?ud????nݺ?У#??.~?EZ??x?uM?nOLL??=? ?ṰN8??v????\?V|[ۏ]Jn?U?????o??q?>נ?|?š???^?N??U$ߴ\?nSI??O?A?o?-?- ????"?<D?\5??v?? ?pO?Hk?/??un??ֲz:M$ 4H???? ?=?ߢ?҄???\l?*???)u???s?AT???n_?v?>??l???R?NJ??Is?kh? ʍ!*??<???Y?λ???V?$ :#l|U? ??m???Ad?!?u;A͇4??? K?iXa?????Z2?8HW?7N???~ H"tFx?0)u_?ە???ܽJ?~?ۺ????J??f??^?MZ????XЗ?Li???4_{\ۦM??i????[@R?3??Q?m??N??????m?dZ??????lӠ\x n (@??"??Uᇮ^??EI@ri?ֺ??sZ?I@14???Ç?\????@z? ? ???y,?G? ????+\??ϼ@z????چӧO??G?\????????5??l?????)C"H?F?\x饗??t??]0\? ??j?o?? T?#̅5?u?:?t?YG? ?@6??tN??m.?w?\HP??RGa%? ??@????@?*Zm*? ?A?5@z??I?fm??v??|?*mZߙ??L???z?|????? ??????????:?ڵ??t<ѾC?bX??B?????.?  ?W????_p)߯???#@#? /?[j??@l??=:]?8HS?H.42???????H?@P40???M????? $?]?vM._???V??!ٲ?T?sa{≫???'W?^?  ?U?Z[???-???# ?dɒn?55?C?# Bh8?u$vϞ? υ::;??W???? RT=???q???:???\X???s@~??Q ????,? Ӱ?\?;?m==????SBC?# y???}????#8Om<0B?????L?ъ???/;w???? BT=???!W?\?U??ep? !? "Bգ?H<tF?|玎~9rd?pl??|ժ>???E?#?!??????o!???ҟ[?+?Q??A?N1-?????,?#?o?s?.?ST=??҅?R:?L???e:j?M_n?>??j?B?#?!??!?U???]? O???n?????μ]?kFm?8pI6m?w?2H? ?g?Q??E??A?Z???8??/a?';/tPs??tҳ׬r???!???\kr???Yz????? H??辇v8??2?R]ܢ蠵]8(???ضn=-O=5D??????b??TD)SZO?? 湛Sgs??????A?lZJ?z??={?\U?Њ???_I-߾??kҳ?wJ?oX\:?????N???;wL?????X?/?3?s?*tP?Q?T?֐?\????k?l\~"?w????N8? ????p????????KZ?dYW?dkٳI???L???J?+??? ???_(?6}pt???|wߔm????"?79????٠nR???i??3keI?ZY??6'h&=,??j}?-?ke??yN??'U?????Өz??e.@?\?%?Vev??k??$??1????+ ?l???v9s???R#??Cm?t??=?0]?? ?9??i?????Өz??e?B*??/d???????[?????j!???rU"?u7?p?A?\??YG?u:??`U? ??=??̝~??{?????Q???쥼???{R?????,???R{W?l??-+S*ʅ?r?????h??9???5?Z??st??ڷE???#???9???F?#?+?Z]?tI???ϩ???2sa??)/??+?v??s?1???8́?Q?Yu??{d(?N??(s??? t?A&??N_;?$M4?s?3U??zDգ?#@W???????߽?W?,?s~NtFAN???(^`??N??k?.in~??s?[o?Y?Z??=?A?#?Q?(??1D??wӟ[?r~R?|}03?WL?~?=?'??????? ??S???ە???ە??????q?????GT=??Q????i>?,i?(??????=?MKG??? K?5?g?B&&&bqN? ?&???c?????????R???GI?z?h:t?Ϧ??????a??L?U?8??y??zY??.???? t?)&? ???&??????S???G??M?N?8j? ????-m??{7L?O?t]????????o]????񩗕?XI??j۲??n???4??T=Jfգ? @ӡ?Bl?_???'|j???9?T/Ϫ?????Кo:?[???M????Ϗ?|Hnmos??>?|?? ?tA?@?x?r?d!?-!??GI?z?h:t??'f?JY~_???液?^?$UXb?T??|?v?tzE????????o??SƮ?c?-cW??!??-m??8?%??QV??Э-jIs? +@_?~? ?t??L?j?????!@?W??"@'?Q?(9U???C???{T!?\??z?CCC???? @?-=NJk???ըz??GYA???$h???????ۿyYE^?>?t>8?? Cϭ?yV? ?ɝ?A?#D?CY?Kꦞ?????¿?]?i4Z?M???'O?SШz4???f ??m=??9???#mmm?-¦?࣏>J?Ni????؍@???T`6????W?????UȠ?h???[??YϽ$Xd?Q?h?.@?L}j?͇O?tq?f4 =? ?s???4߰4?:??m>G:?9?6???u??s?Q??"@?ܣ ?h?CI???L??t?j6?pxy?Qh??T="@#??t??Hڢ:t??6N??y?^????h:t4??M?"B???"Zh:t4???q?H?#?[???F??o>???Hp??6???ih??6?s??Z???M?N?܆??????'۾}??????OJ݂?i??\5??>???1Y??+mzq??o?zD?F??cڡww?Nܢ???H?9?Z;b ??A۹?yil?l??wMyOjfϓ???ɶ????a{>|?j+?Ϛ????6?m??L?^?6?\?ί? ?z\?E$4d߸q? ֜??? :??_?.????s?h?~RLC??"{?\t>P?:eI?F?1?,jp°???l?dמy?U??u? M>O}?;68!???F?;??ŗNL^nvbb??B?&@^?c??g???؏g6@???S-4,??xb2(/??M?t?u???c?????؆c?m??G?`?zp????????륵?M>s???v?'"R?M?? @??O:*??N?Kʢ??š?7?v??>?ƙj?aYd???i[?Ã??\?3Z]?? ?˛???2::*??㜔H֜?/? ?_]?ի??? ??mL??U?7?"s6?̺ٲ?k?3CC"a?]?z?3ߺs?,imr?~ {^?\??ɉ?#@?/? ?#????B??."?[z?V?ңGoH???>w??[?:!?0lo?~ i?lsF????M?z ???nT=BT? ?? ?m?={?b9.Z?g̘U#?6?r]??M+??Z?Al3???G?8S=?o??L???H ?E?h???1U?w??񩧆d˖S???[+gh?:?a?32??'??I ?A6?G?L?X?(?~|???@?#?Q?^???Fd???????gv?o?S?T??S%@???9?#????????Z?'G?L$>?T=??U?P??b?????d߾?? ??˼?M?2???????/r?"1?z????_?zDգ0?SN??=?Рl?~6q??֭#???&?fJ???hk/')??G????u???5'T=B:#N??????a{????*-dq?????E??[???????-n??G???|???^?????N?{?iiy???,T1?[?=?SA:??Fy%?U?hqkT=???I???n]???9V?{ckﭟ?"Е??.b!@?jkn?/??C?Q?????8?%??J!@c ]\???/;w?ƪ???;V[]P?֨??e=@w?#?~? ?A?#?ťQ??.4Jz???e˩X͇^?b??9q ?=????|0?ya????'2??GT=??Q??>4?z?????B}?mۥi?&?W?r??bPU8*??J?E*m????j??"???w³V)???G?-?zL??}hT??_]r???t??v| s????]?!H?Ǫ'????UΟ???U????U??U????涒??Q????????~v$@{o??sIk??|?{̹?P??_hu?o?h?O?1U?A?F??*????֝e??#nZGV?x?????ҨzDգP?d???T???6gԳ??Vg?mWQDZu?sXZ??H??. ?D?#?٨z,4REGu^|??7,??;???~.P[yl??7.o?3?x????GT=????g???Ժt?|?̝?ϩ??m????H?~!iݱ??'z??A?=?U??zd?Q?(<h??v"Zb????4?j?!Pà?B?q???????:Ҭ_H???X??G?9?Өz.42G?h?0??Й7?s?3%????L?e?????{?E?:¬?3?K?v?8@?zD?6mT=???X?Q?$?߼??Xu?zYW?,߷?Y??T&???/ ?????-??Ցy]8<?vQ?,  O?R?$/EP~ m???2?!?????3?$?3b?$?g?|?I>?\?r? K? ??3b?$???gC6?n5?dh??,???O??3S ?~??????????1???????????0? ??????n?@???????8???????g??4PdPdd? 0?????????p?pp?0 ? <?4BdBdH??@ 0???u?ʚ;2N??ʚ;<?4!d!dH??= 04?<?4ddddH??= 04??F?>?___PPT9? /? 0?z????-?0June 19, 2003 RELARN2003 ?RAuthN/AuthZ Services and Network IdentityO? ?=??p????@E8B5:BC@0 !5@28A>2 CB5=B8D8:0F88 8 2B>@870F88 8 A5B520O 845=B8D8:0F8O 2 =B5@=5B?$UT$?T???RELARN2003 19 8N=O, 2003 Yuri Demchenko, NLnet Labs <demch@NLnetLabs.nl>?"L1"??            ??g??!>45@60=85? ??&#A;C38 CB5=B8D8:0F88 (AuthN) 8 2B>@870F88 (AuthZ) 2 =0CG=KE 8 >1@07>20B5;L=KE A5BOE @E8B5:BC@0 157>?0A=>AB8 =0 >A=>25 XML #?@02;5=85 4>ABC?>< =0 >A=>25 @>;59 (RBAC) !5B520O 845=B8D8:0F8O 8 Liberty Alliance Project @8<5@K A8AB5< @0A?@545;5==>9 0CB5=B8D8:0F88 8 02B>@870F88???!#$;?????ZAuthN/AuthZ 2 =0CG=KE 8 >1@07>20B5;L=KE A5BOE?:!???>ABC? : <=>3>A09B>2K< 51/=B5@=5B @5AC@A0< 5@5=0?@02;5=85 + cookie (SSO) 56C=825@A8B5BA:85 @5AC@AK 8 4>ABC? : 2=5H=8< @5AC@A0< 8;8 ?@54>AB02;5=85 4>ABC?0 4;O 2=5H=8E ?>;L7>20B5;59 0A?@545;5==K5 C=825@A8B5BA:85 :0<?CAK 8 48AB0=F8>==>5 >1CG5=85 @84-F5=B@K 8 @84-?@8;>65=8O 07;8G=K5 04<8=8AB@0B82=K5 4><5=K 8 4><5=K 157>?0A=>AB8 @>4>;68B5;L=K5 (B@0=78B82=K5) 7040G8 8=0<8G5A:85 @5AC@AK !8AB5<K @0A?@545;5==KE 8=B5@0:B82=KE 035=B>2 (IIDS  Interactive Intelligent Disctributed Systems)?`-?tc-?tc?:? j6?????\!>2@5<5==0O 0@E8B5:BC@0 A5@28A>2 AuthN 8 AuthZ?D!??6@>1;5<K =>65AB2> ;>38=>2/?0@>;59  =0 :064K9 @5AC@A/A09B 3@0=8G5=85 >4=8< 4><5=>< 157>?0A=>AB8 8;8 <=>65AB2> A5@B8D8:0B>2 >B:@KBKE :;NG59 !;>6=>ABL G0AB8G=>9 48=0<8G5A:>9 45;530F88 ?>;=><>G89 "@51>20=8O : A>2@5<5==>9 0@E8B5:BC@5 AuthN/Z 0745;5=85 A5@28A>2 0CB5=B8D8:0F88 (AuthN) 8 02B>@870F88 (AuthZ) CB5=B8D8:0F8O 2 ?4><0H=59? >@30=870F88 2B>@870F8O @5AC@A>< >=D845=F80;L=>ABL, ?@820B=>ABL 8 0=>=8<=>ABL #?@02;5=85 4>ABC?>< =0 >A=>25 @>;59 8 ?>;8B8:8 157>?0A=>AB8 (RBAC) A?>;L7>20=85 8=D@0AB@C:BC@K C?@02;5=8O ?@825;538O<8 (PMI) ?t ?-A=? ?-A=????%$k<6??W??P>20O ?0@0483<0 157>?0A=>AB8 ?@8;>65=89 ?)(#?(???57>?0A=>ABL ?@8;>65=89 =0 >A=>25 XML 8 B@048F8>==0O <>45;L A5B52>9 157>?0A=>B8 "@048F8>==0O <>45;L 157>?0A=5AB8 (ISO7498-2): Host-to-host 8;8 point-to-point security @85=B8@>20==0O =0 0@E8B5:BC@C Client/server A=>20==K5 =0 A>548=5=85 (connection-oriented) 8 =5B (connectionless)  >1I5< A;CG05 548=K9 4>25@8B5;L=K9 4><5= (=0 >A=>25 PKI) 57>?0A=>ABL ?@8;>65=89 >A=>25 XML 57>?0A=>ABL <564C :>=5G=K<8 B>G:0<8 ?@8;>65=89 (End-to-end) @85=B8@>20==0O =0 4>:C<5=B (8;8 A5<0=B8G5A:89 >1L5:B) 0=40BK 8 <0@:5@K 157>?0A=>AB8 <>3CB 1KBL 0AA>F88@>20=K A 4>:C<5=B>< 8;8 A>>1I5=85< 8;8 8E G0ABLN >B5=F80;L=> @01>B05B <564C 4><5=0<8 04<8=8AB@0B82=K<8 8 157>?0A=>AB8 >72>;O5B A>74020BL 48=0<8G5A:85 8 28@BC0;L=K5 0AA>F80F88??~?$tb?~?$tb???")"# 5  1 6aE9?????P><?>=5=BK 157>?0A=>AB8 XML - ?@8;>65=89?: " ??pXML Signature XML Encryption 5:;0@0F88 157>?0A=>AB8 (Security Assertions) SAML (Security Assertion Mark-up Language) XrML (XML Right Mark-up Language) XACML (XML Access Control Mark-up Language) XKMS (XML Key Management Specification) @E8B5:BC@=K5 @0AH8@5=8O Web Services Security (WS-Security) OGSA Security ?hKzA2KzA2 ?J?3?????4A=>2=K5 G5@BK XML-?>4?8A8?,???$C=40<5=B0;L=0O G5@B0: 2>7<>6=>ABL ?>4?8AK20BL >B45;L=K5 G0AB8 4>:C<5=B0 B0: 65 :0: 8 F5;K9 4>:C<5=B. XML-4>:C<5=B <>65B 8<5BL 4;8==CN 8AB>@8N, ?@8 MB>< @07;8G=K5 G0AB8 4>:C<5?=B0 <>3CB A>74020BLAO 8 2878@>20BLAO @07;8G=K<8 AC1L5:B0<8 8 2 @07;8G=>5 2@5<O 07;8G=K5 AB>@>=K/AC1L5:BK <>3CB 8<5BL ?>;=><>G8O ?>4?8AK20BL B>;L:> @07;8G=K5 G0AB8 4>:C<5=B0 >72>;O5B A>E@0=OBL F5;>AB=>ABL >4=8E G0AB59 4>:C<5=B0 8 8<5BL 2>7<>6=>ABL 87<5=OBL 4@C385 G0AB8 4>:C<5=B0 >72>;ONB ?@8A>548=OBL <0@:5@K/<0=40BK 157>?0A=>AB8 : 4>:C<5=BC 2 >B;8G85 >B 8A?>;L7>20=8O 157>?0A=>3> A>548=5=8O :;85=B/A5@25@ XML-?>4?8AL >15A?5G8205B A5@28AK 157>?0A=>AB8 4;O ?@>B:>;>2, >A=>20==KE =0 XML  B0:65 >A=>2C 4;O 2:;NG5=8O 8=D>@<0F88 > A>AB>O=88 ?Nf24f24 ??M?^jH3?????*!B@C:BC@0 XML-?>4?8A8?, ???? ? ? (? ()?? ? ? )+? ? ()?? ()*? ??$?Z?%??? /   $?????N 0AH8@5=85 0@E8B5:BC@K XML-157>?0A=>AB8?2 ??4WS-Security (Web Services Security) 0AH8@5=8O : D>@<0BC A>>1I5=89 SOAP (Simple Object Access Protocol) !B0=40@B=K5 703>;>2:8 4;O 0CB5=B8D8:0F88 8 02B>@870F88, 0C48B0, 0AA>F80F89 157>?0A=>AB8, ?@820B=>AB8 1<5=0 C4>AB>25@ONI8<8 <0=40B0<8/<0@:5@0<8 2 D>@<0B5 X.509 PKC, SAML, XrML, XCBF &8D@>20O ?>4?8AL, H8D@>20=85 @>B>:>;K 4;O A8=E@>==>3> 8 0A8=E@>==>3> >1<5=0 A>>1I5=8O<8 8 >@30=870F88 <564><5==KE :>>?5@0B82=KE 51-A5@28A>2 OGSA Security (Open Grid Services Architecture) >AB@>5=0 =0 >A=>25 WS-Security $C=:F8>=0;L=>ABL 4;O A>740=8O 28@BC0;L=KE >@30=870F89 () 5;538@>20=8O ?>;=><>G89 (credentials) 8 D545@0F8O 845=B8D8:0B>@>2 AC1L5:B0 =>=8<=>ABL/?@820B=>ABL, 0AA>F80F88 4;O C?@02;5=8O 4>ABC?>< >445@6:0 B@0=78B82=KE ?@>F5AA>2 A :>=5G=K<8 A>AB>O=8O<8 (transitional stateful processes)??$DeQq0[?[$De5   q0[?[??$$??1 U ?!?????F#?@02;5=85 4>ABC?>< =0 >A=>25 @>;59?#???RBAC  Role Based Access Control >;L >?8AK205B DC=:F8N @020 >?@545;ONB 4>ABC? : @5AC@AC 2 >?@545;5==>< @568<5 @58<CI5AB20 RBAC 53:> C?@02;OBL 8 :>=B@>;8@>20BL 0745;L=>5 =07=0G5=85 @>;8-?>;L7>20B5;8 8 @>;8-?@828;5388 0AHB018@C5<>ABL >445@68205B ?@8=F8? <8=8<0;L=> =5>1E>48<KE ?@828;5389 0A;54>20=85 8 03@538@>20=85 ?@828;5389/?@02 >7<>6=>ABL 45;538@>20=8O ?L!O?!O??H!O "??????N=D@0AB@C:BC@0 C?@02;5=8O ?@828;538O<8 ?'???PMI  Privilege Management Infrastructure !B@>8BAO =0 >A=>25 !5@B8D8:0B>2 B@81CB>2 (AC  Attribute Certificate) ! A>2<5AB=> A ! >?@545;5=K AB0=40@B>< X.509 version 4 ! 8A?>;L7C5BAO 4;O 0CB5=B8D8:0F88, ! 8A?>;L7C5BAO 4;O 02B>@870F88 PMI :0: >A=>20 4;O ?>AB@>5=8O RBAC ! ?>72>;O5B A2O70BL 845=B8D8:0B>@ ?>;L7>20B5;O A @>;O<8 8 @>;8 A ?@828;538O<8 >445@68205B 85@0@E8G5A:85 A8AB5<K RBAC, ?@54>AB02;OO 2>7<>6=>ABL >1L548=5=8O @>;L 8 4>?>;=8B5;L=KE ?@828;5389 3@0=8G8205B 3;C18=C 45;538@>20=8O >;8B8:0 PMI A?>;L7C5BAO 4;O :>=B@>;O 4>ABC?0 : @5AC@A0< =0 >A=>25 @>;59 @028;0 >?@545;5=8O @>;59 4;O ?>;L7>20B5;59 8 ?@828;5389 4;O ?>;L7>20B5;59 0745;L=K5 ?>;8B8:8 4;O AC1L5:B0, SOA, 85@0@E8O @>;59, 45;538@>20=85, 4@.??*?E#? ?*?E#? ???***Fst=m#?????PLiberty Alliance 8 A5B520O 845=B8D8:0F8O?)) ?$??xLiberty Alliance Project (LAP) LAP 22>48B ?>=OB8O ?@>20945@0 845=B8D8:0F88 (identity provider) 8 :@C30 4>25@8O (trust circle) LAP >15A?5G8205B ?>;=K9 :>=B@>;L 70 A2>8< 845=B8D8:0B>@>< 8 0AA>F80F8O<8/D545@0F8O<8, :>B>@K5 <>3CB A>74020BLAO ?@>20945@0<8 845=B8D8:0F88  =0 >A=>20=88 ?@5420@8B5;L=>3> A>3;0A8O ?>;L7>20B5;O LAP 8A?>;L7C5B SAML 8 @0AH8@O5B 53> =>2K<8 M;5<5=B0<8 8 ?@>B>:>;0<8 LAP >?@545;O5B B@8 <>45;8 4>25@8O, >A=>20==K5 =0 PKI 8;8 187=5A->B=>H5=8OE: 2708<=>5, G5@57 ?>A@54=8:0-1@>:5@0 8 A@548 A>>1I5AB20 A=>2=K5 DC=:F88 LAP: $545@0F8O 845=B8D8:0F88; @54AB02;5=85 ?@>20945@0 845=B8D8:0F88; 0CB5=B8D8:0F8O; 8A?>;L7>20=85 ?A524>=8<>2 8 ?>445@6:0 0=>=8<=>AB8; 3;>10;L=K9 2KE>4 87 A8AB5<K ?:???()? 0-^??????@OB:@KBK5 A8AB5<K 4;O AuthN/AuthZ?0 ??? 07@01>B0=K 2 @0<:0E ?@>5:B>2 Internet2, FP5 8 =0F8>=0;L=KE =0CG=KE A5B59 PERMIS Shibboleth A-Select SPOCP?&J!J!?@ ?????D@C3;K9 AB>;  @84 8 157>?0A=>ABL?"??RLJG, EGEE and RDIG Technologies for GRID  promotion, experience exchange, implementaion Virtual Organisations  reality vs virtuality Security technologies for modern networking infrastrcuture and applications Terminology on GRID and Security Gloriad@gloriad.org - closed Discussion@gloriad.org ?**?0?!??Sm 0???????*!?@02>G=0O 8=D>@<0F8O???6XML Web Services WS-Security OGSA basics OGSA Security?77?????J@E8B5:BC@0 =0 >A=>25 XML Web Service?"??X?8A0=85 =0 >A=>25 WSDL (Web Services Description Language) 1<5= A>>1I5=8O<8 2 D>@<0B5 SOAP ?@8 ?><>I8 ?@>B>:>;>2 HTTP, SMTP, TCP, etc. C1;8:0F8O 8 ?>8A: ?>A@54AB2>< UDDI????z?????B>45;L 157>?0A=>AB8 Web Services? ?? ?????LWS-Security: 0AH8@5=8O : D>@<0BC SOAP? ??URI: http://schemas.xmlsoap.org/ws/2002/04/secext @>AB@0=AB20 8<5=, 8A?>;L7C5<K5 2 WS-Security: SOAP S http://www.w3.org/2001/12/soap-envelope XML Digital Sign ds http://www.w3.org/2000/09/xmldsig# XML Encryption xenc http://www.w3.org/2001/04/xmlenc# XML/SOAP Routing m http://schemas.xmlsoap.org/rp WSSL wsse http://schemas.xmlsoap.org/ws/2002/04/secext ????" "KJ  ?????&Open Grid Services Architecture (OGSA)???WSDL extensions to describe specifics of Grid Services Defines new portType - GridService Provides mechanism to create Virtual Organisation Provides mechanism to create transient services - Factories Provides soft-state registration of GSH - Registry Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface. OGSA services can be created and destroyed dynamically Grid Service is assigned globally (persistent) unique name, the Grid service handle (GSH) Grid services may be upgraded during their lifetime and referenced by Grid (dynamic) service reference (GSR) ?67??7???,C  _?????L@E8B5:BC@0 157>?0A=>AB8 OGSA Security???>>AB@>5=0 =0 >A=>25 WS-Security?$ ??}??Proxy Certificate Profile???Impersonation  used for Single-Sign-On and Delegation Unrestricted Impersonation Restricted Impersonation defined by policy Proxy with Unique Name Allows using in conjunction with Attribute Cert Used when proxy identity is referenced to 3rd party, or interact with VO policy Limited validity time  approx. 24 hours Proxy Certificate (PC) properties: It is signed by either an X.509 End Entity Certificate (EEC), or by another PC. This EEC or PC is referred to as the Proxy Issuer (PI). It can sign only another PC. It cannot sign an EEC. It has its own public and private key pair, distinct from any other EEC or PC. It has an identity derived from the identity of the EEC that signed the PC. Although its identity is derived from the EEC's identity, it is also unique. It contains a new X.509 extension to identify it as a PC and to place policies on the use of the PC. This new extension, along with other X.509 fields and extensions, are used to enable proper path validation and use of the PC. ??7ZFZZ?Z)Z$Z?Z7F[ #)$??d"L?4O??????Reference: PKI Basics???TPKI (Public Key Infrastructure)  =D@0AB@C:BC@0 >B:@KBKE :;NG59 () !2O7K205B 845=B8D8:0B>@ (8<O A>1AB25==>5, distinguished name) AC1L5:B0 A 53> >B:@KBK< :;NG>< A=>20   !5@B8D8:0B >B:@KB>3> :;NG0 (!, PKC - Public Key Certificate) CRL  Certificate Revocation List ><?>=5=BK  Identification Service (IS) Registration Authority (RA) Certification Authority (CA) Certificate Repository (CR), normally built on LDAP ?bG?"?G?"? ??"O .!U5?????Reference: PKC vs AC: Purposes??X.509 PKC binds an identity and a public key AC is a component of X.509 Role-based PMI AC contains no public key AC may contain attributes that specify group membership, role, security clearance, or other authorisation information associated with the AC holder Analogy: PKC is like passport, and AC is like entry visa PKC is used for Authentication and AC is used for Authorisation AC may be included into Authentication message PKC relies on Certification Authority and AC requires Attribute Authority (AA) ??W?@/OW?@/O?????!PKC vs AC: Certificates structure?"" ??}X.509 PKC Version Serial number Signature Issuer Validity Subject Subject Public key info Issuer unique identifier Extensions?* t t ??`AC Version Holder Issuer Signature Serial number Validity Attributes Issuer unique ID Extensions?*^^?????TX.509 PKC Fields and Extensions  RFC 3280?++ ??\X.509 PKC Fields Serial Number Subject Subject Public Key Issuer Unique ID Subject Unique ID?&LL ??:X.509 PKC Extensions Standard Extensions Authority Key Identifier Subject Key Identifier Key Usage Extended Key Usage CRL Distribution List Private Key Usage Period Certificate Policies Policy Mappings Subject Alternative Name Issuer Alternative Name Subject Directory Attributes Basic Constraints Name Constraints?:?????$AC Attribute Types and AC Extensions??|AC Attribute Types Service Authentication Information Access Identity Charging Identity Group Role Clearance Profile of AC ?*jj ???AC Extensions Audit Identity To protect privacy and provide anonymity May be traceable via AC issuer AC Targeting Authority Key Identifier Authority Information Access CRL Distribution Points?VI[I[/?? P?????P? `? ????????f??????`? ???3?????????????`? ???___?????????????>???" dd=??????????????" dd?=?????????????uA?4? d?O?" ?i ?n???" dd??????????   @@``P?P   4 O i`? p?@??@    ? ?)? ?( ? ??p ? ? ?H??????d???? ?'W??? ? ? ?Z?4FZ?a????a?????????? ??x8???? Z ?T?? Click to edit Master title style?!? !?: ? ? ?T?\?5?a????a????????? ??Sg??? Z ???RClick to edit Master text styles Second Level Third Level Fourth Level Fifth Level?!    ? S? ?  ?`??5?a????a??????????? ?? ????? 5 ?`??*? ???=44OOii?  ?   ?`??5?a????a??????????? ?? `???  5 ?b??*? ???=44OOii?$ ?!  ?`???5?a????a??????????? ??!????? 5 ?|??Slide_*?( ???=44OOii?Z?F ?1?lY ?$ ??~???~ ?" ? ?N?????????2?????1?l$?~ ?# ? ?N?????????2?????1IlY??F ??? ?) ???c?8 ?% s ?B?C{DE?8F?@??????????????????@????????F??h??=?Zhz?zFz?\F3? @???????????????????0 ?& s ?B?C?DE?4F?<??????????????????@????? ????i??<?????<??#i?????@???????????????g?5?0 ?' s ?B-C?DE?4F?<??????????????????@????? ??o?????*l??,J??????Jz?o@???????????????Arn*? ?( ? ??BKCoDE?4F?<?????????? ??(%+(J27JQ+E%nEQ7@???????????????????H ? ? ?0??@??޽h??? ?? ??????????f?????? ?International?? ? ??@?% ?E?( ??4p? ~?p? ? ?^ ? ? ?6??????? ?@_??p ? ? ?H??????d???? ??_??? ? ? ?Z??S?a????a?????????? ????????  ?T?? Click to edit Master title style?!? !?? ? ? ?Z?TV?a????a?????????? ??HZjG ??  ?W??#Click to edit Master subtitle style?$? $? ?  ?`?D`?a????a??????????? ????????  ?\??*????=44OOii? ?  ?`?\a?a????a??????????? ???S ???   ?^??*????=44OOii? ?  ?`??s?a????a??????????? ????????  ?n??Slide 2_*?  ???=44OOii?H ? ? ?0??@??޽h??? ?? ??????????f?????????? 0 ??`??*?( ? ?? ? ? ?T???jJ??jJ??????? ???? K1??   ?h??*? ?? ? ??? ? ? ?T? ?jJ??jJ??????? ????? ?1??  ?j??*? ?? ? ???p ? ? ?0?????1? ???B?L ?? ?: ? ? ?T??)??g?ֳ??g?ֳ?????? ??? V???  ???RClick to edit Master text styles Second level Third level Fourth level Fifth level?!    ? S?  ? ? ?Z?D4?jJ??jJ???????? ??? K???   ?h??*? ?? ? ???  ? ? ?Z??4?jJ??jJ???????? ???? ????  ?j??*? ?? ? ???H ? ? ?0??޽h?9???? ?? ??????̙33????????? ?????0?( ? ??H ? ? ?0???޽h?9??? ?? ??????̙33??????????? 0?(0????( ? ??? ? # ?l??{?g????g????????????? ? ??x$??  ? ??? ? # ?l??|?g????g????????????? ? ???????  ? ??H ? ? ?0???@??޽h?? ?? ??????????f????????? ? ???p??$?( ? ??r ? S ??X?5???x8????  5 ? ??r ? S ??(?5???Sg??? 5 ? ??H ? ? ?0???@??޽h?? ?? ??????????f????????? ? ?????,?$?( ? ?,?r ?, S ??D?5???x8????  5 ? ??r ?, S ??|?5???Sg??? 5 ? ??H ?, ? ?0???@??޽h?? ?? ??????????f????????? ? ?????(?$?( ? ?(?r ?( S ???p5???x8????  5 ? ??r ?( S ??0?5???Sg??? 5 ? ??H ?( ? ?0???@??޽h?? ?? ??????????f????????? ? ???????$?( ? ???r ?? S ???G????x8????  ? ? ??r ?? S ??TH????Sg??? ? ? ??H ?? ? ?0???@??޽h?? ?? ??????????f????????? ? ???????$?( ? ???r ?? S ??5???x8????  5 ? ??r ?? S ??`5???Sg??? 5 ? ??H ?? ? ?0???@??޽h?? ?? ??????????f????????? ? ??????0?( ? ???x ?? c ?$??A?????x8????  ? ? ??x ?? c ?$?DB?????Sg??? ? ? ??H ?? ? ?0???@??޽h?? ?? ??????????f????????? ? ??????0?( ? ???x ?? c ?$????????x8????  ? ? ??x ?? c ?$?|??????Sg??? ? ? ??H ?? ? ?0???@??޽h?? ?? ??????????f????????? ? ?????0?$?( ? ?0?r ?0 S ??`[5???x8????  5 ? ??r ?0 S ???\5???Sg??? 5 ? ??H ?0 ? ?0???@??޽h?? ?? ??????????f????????? ? ????8?$?( ? ?8?r ?8 S ???Z5???x8????  5 ? ??r ?8 S ??465???Sg??? 5 ? ??H ?8 ? ?0???@??޽h?? ?? ??????????f????????? ? ????<?$?( ? ?<?r ?< S ???N5???x8????  5 ? ??r ?< S ??O5???Sg??? 5 ? ??H ?< ? ?0???@??޽h?? ?? ??????????f????????? ? ??? ?D?$?( ? ?D?r ?D S ????5???x8????  5 ? ??r ?D S ????5???Sg??? 5 ? ??H ?D ? ?0???@??޽h?? ?? ??????????f????????? ? ??? ?H?$?( ? ?H?r ?H S ??`?Z???x8????  Z ? ??r ?H S ???Z???Sg??? Z ? ??H ?H ? ?0???@??޽h?? ?? ??????????f????????? ? ?????L?$?( ? ?L?r ?L S ???Z???x8????  Z ? ??r ?L S ????5???Sg??? 5 ? ??H ?L ? ?0???@??޽h?? ?? ??????????f????????? ? ???0?4?$?( ? ?4?r ?4 S ???}Z???x8????  Z ? ??r ?4 S ??oZ???Sg??? Z ? ??H ?4 ? ?0???@??޽h?? ?? ??????????f???????"? ? ???@? ??b?( ? ???x ?? c ?$? uZ????x8????  Z ? ????8 ?)r~ ?????? ?? ?? C ????A?lD:\My Documents\demch_html\grid\archive\peer2peer.png?)r~?~ ?? ? ?N???????1??????? Q* r?x ?? c ?$??vZ????S??u ?? Z ? ?? ?? ? ?T??iZ?a????a????????? ??{ ?5  ???t51-A5@28A  ?@>3@0<<=0O A8AB5<0, 845=B8D8F8@C5<0O URI, 8=B5@D59A 2=5H=53> 4>ABC?0 :>B>@>9 and bindings >?8AK20NBAO ?@8 ?><>I8 XML. @C385 ?@>3@0<<=K5 A8AB5<K <>3CB >1=0@C6820BL 8 2708<>459AB2>20BL A 51-A5@28A0<8 2 A>>B25BAB288 A 8E >?8A0=85< =0 >A=>25 8A?>;L7>20=8O XML-A>>1I5=89 ?>A@54AB2>< ?@>B>:>;>2 =B5@=5B.?; ;?n3# ?+?H ?? ? ?0???@??޽h?? ?? ??????????f???????}? ? -?%P????( ? ???x ?? c ?$??^Z????x8????  Z ? ???? ??  ????0e????0e???A?L???????????????D:\My Documents\ws-security-model.gif?\?; ?? Z?? ?? ? ?T?l`Z???????1???????????  ????Security token types Username/password X.509 PKC SAML XrML XCBF?6 2+ 2+?? ?? ? ?T??fZ?a????a????????? ?? o? ?p???WS-Security: describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates, SAML, Kerberos tickets and others, to messages. Core Specification - Web Services Security: SOAP Message Security http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf ??A\?2,Z??Km 0?@??Lm 0?A??H ?? ? ?0???@??޽h?? ?? ??????????f???????? ? ???`????O?( ? ???x ?? c ?$?,bZ????x8????  Z ? ?? ?8 ???H ? ?????H ??? ?? ? ?Z????????1??????????H ??:? ?? ? ?Z?\5???????1????????V?? ???.03>;>2>: SOAP (Header)??> ?D? ?? ? ?Z??M5???????1????????^'?? ???80@H@CB870F8O SOAP (Routing)??>?8? ?? ? ?Z?\????????1????????V/?? ???@0@:5@K/<0=40BK (Security token)?!!?*?? ?? ? ?Z????????1????????X8?P ?? ? ?  ?f?Ġ?????????1??????????Y ?r?? &8D@>20O ?>4?8AL???? ? ? ? ?Z????????1?????????@?? ?3? ? ?  ?f?$8?????????1?????????Gu?  ???GDigSignature description: Normalisation Transformation Signed elements?HH? <??? ? ? ? ?Z??D????????1?????????7 ?  ?`??DigSignature value?? ??? ? ? ? ?Z??ؼ???????1?????????G ?#  ?l??Ref to DSign Sec token?? ?`? ?? ? ?Z???????????1????????^? ? ????P!>45@60=85 A>>1I5=8O SOAP (SOAP Payload)?))?B? ??  ?`?(\?a????a????????? ????? ?; ??  ? ??T ?? ? ?T??߼?a????a????????? ???  ?? ????-;5<5=BK 157>?0A=>AB8 03>;>2>: >?@545;O5B :>=5G=>3> ?>;CG0B5;O/8A?>;=8B5;O >?CA:0NBAO <=>65AB25==K5 703>;>2:8/?>;CG0B5;8 >2K5 703>;>2:8 ?<vv?X5.?H ?? ? ?0???@??޽h?? ?? ??????????f????????? ? ???p??$?( ? ??r ? S ????????x8????  ? ? ??r ? S ????????Sg??? ? ? ??H ? ? ?0???@??޽h?? ?? ??????????f????????? ? j?b??????( ? ???r ?? S ??ż???x8????  ? ? ??r ?? S ???ż???eg??? ? ? ???? ?? C ???A??D:\My Documents\demch_html\grid\archive\ogsa-sec\ogas-sec-layering.jpg??????H ?? ? ?0???@??޽h?? ?? ??????????f????????? ? ????`?0?( ? ?`?x ?` c ?$??ʼ????x8????  ? ? ??x ?` c ?$??ͼ????Sg??? ? ? ??H ?` ? ?0???@??޽h?? ?? ??????????f????????? ? ?????@?$?( ? ?@?r ?@ S ???Z???x8????  Z ? ??r ?@ S ??ԺZ???Sg??? Z ? ??H ?@ ? ?0???@??޽h?? ?? ??????????f????????? ? ?????0?( ? ??x ? c ?$??Z????x8????  Z ? ??x ? c ?$?ؿZ????Sg??? Z ? ??H ? ? ?0???@??޽h?? ?? ??????????f????????? ? 8?0?????( ? ??x ? c ?$???Z????x8????  Z ? ??? ? ? ?0???Z???? ??Sg? ?? Z ? ??? ? ? ?0??Z???? ??SY ??? Z ? ??H ? ? ?0???@??޽h?? ?? ??????????f????????? ? ?????+?( ? ??x ? c ?$???Z????x8????  Z ? ??? ? ? ?0???Z???? ??H? C ?? Z ? ??? ? ? ?0?l?Z???? ??SY ??? Z ? ??[ ? ? ?T???Z?a????a????????? ??? ? ? ????mX.509 PKC Fields Private Extensions Authority Information Access Subject Information Access Custom Extensions?N88?H ? ? ?0???@??޽h?? ?? ??????????f????????? ? 8?0?? ???( ? ? ?x ?  c ?$?4?????x8????   ? ??? ?  ? ?0?ė???? ??Sg? ??  ? ??? ?  ? ?0?l????? ??SY ???  ? ??H ?  ? ?0???@??޽h?? ?? ??????????f????????? 0 ???P??? ?( ????? ???X ?? C ?????B?L ??  ?? ?? S ???I???? V???   ?"?? ?H ?? ? ?0???޽h?9??? ?? ??????̙33???????r?`J?,??=?? ???P????? ?????;??@J?Liberty Alliance и сетевая идентификация2Oткрытые системы для AuthN/AuthZAКруглый стол – Грид и безопасность*Справочная информация9Архитектура на основе XML Web Service4Модель безопасности Web Services9WS-Security: Расширения к формату SOAP'Open Grid Services Architecture (OGSA)>Архитектура безопасности OGSA SecurityProxy Certificate ProfileReference: PKI BasicsReference: PKC vs AC: Purposes"PKC vs AC: Certificates structure-X.509 PKC Fields and Extensions – RFC 3280%AC Attribute Types and AC Extensions  Fonts UsedDesign Template Slide Titles 8@ _PID_HLINKS??A?[http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf[http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdfmailto:Gloriad@gloriad.orgmailto:Discussion@gloriad.org?%_???T? ??Ted LindgreenTed Lindgreen.????@Times New RomanS??w\??w0-? .2 ?Yuri  .ecurity-11-0303.pdf?:?S?&Gloriad@gloriad.org?@?W?,Discussion@gloriad.org??/? 0????DTimes New Roman`??`?H?d? 0`? & 0,?DSymbolew Roman`??`?H?d? 0`? & 0, ?DMonotype Sorts`??`?H?d? 0`? & 0,0?DVerdana Sorts`??`?H?d? 0`? & 0,"@?DArial Unicode MS?`?H?d? 0`? & 0P?DArialMTicode MS?`?H?d? 0`? & 0??f???? ? .??@  @@``???  @?n???" dd@?????????  @@``?? " ? ?T?*&3?2   W     P >,  O?R?$/EP~ m???2?!???????$??b?$?g?|?I>?\?r? K? ???b?$???gC6?n5?dh??,???O???S ?~??????????1???????????0? ??????n?@???????8???????g??4PdPdd? 0T?????????p?pp?0 ? <?4BdBd???@ 0??u?ʚ;2N??ʚ;<?4!d!d???= 0l?<?4dddd???= 0l??F?>?___PPT9? /? 0?z????-?0June 19, 2003 RELARN2003 ?RAuthN/AuthZ Services and Network IdentityO? ?=?4v????@E8B5:BC@0 !5@28A>2 CB5=B8D8:0F88 8 2B>@870F88 8 A5B520O 845=B8D8:0F8O 2 =B5@=5B?$UT$?T???RELARN2003 19 8N=O, 2003 Yuri Demchenko, NLnet Labs <demch@NLnetLabs.nl>?"L1"??            ??g??!>45@60=85? ???#A;C38 CB5=B8D8:0F88 (AuthN) 8 2B>@870F88 (AuthZ) 2 =0CG=KE 8 >1@07>20B5;L=KE A5BOE @E8B5:BC@0 157>?0A=>AB8 =0 >A=>25 XML #?@02;5=85 4>ABC?>< =0 >A=>25 @>;59 (RBAC) !5B520O 845=B8D8:0F8O 8 Liberty Alliance Project @8<5@K A8AB5< @0A?@545;5==>9 0CB5=B8D8:0F88 8 02B>@870F88 @C3;K9 AB>;  @84 8 157>?0A=>ABL !?@02>G=0O 8=D>@<0F8O?&M"?!#$:"?????ZAuthN/AuthZ 2 =0CG=KE 8 >1@07>20B5;L=KE A5BOE?:!???>ABC? : <=>3>A09B>2K< 51/=B5@=5B @5AC@A0< 5@5=0?@02;5=85 + cookie (SSO) 56C=825@A8B5BA:85 @5AC@AK 8 4>ABC? : 2=5H=8< @5AC@A0< 8;8 ?@54>AB02;5=85 4>ABC?0 4;O 2=5H=8E ?>;L7>20B5;59 0A?@545;5==K5 C=825@A8B5BA:85 :0<?CAK 8 48AB0=F8>==>5 >1CG5=85 @84-F5=B@K 8 @84-?@8;>65=8O 07;8G=K5 04<8=8AB@0B82=K5 4><5=K 8 4><5=K 157>?0A=>AB8 @>4>;68B5;L=K5 (B@0=78B82=K5) 7040G8 8=0<8G5A:85 @5AC@AK !8AB5<K @0A?@545;5==KE 8=B5@0:B82=KE 035=B>2 (IIDS  Interactive Intelligent Disctributed Systems)?`-?tc-?tc?:? j6?????\!>2@5<5==0O 0@E8B5:BC@0 A5@28A>2 AuthN 8 AuthZ?D!??6@>1;5<K =>65AB2> ;>38=>2/?0@>;59  =0 :064K9 @5AC@A/A09B 3@0=8G5=85 >4=8< 4><5=>< 157>?0A=>AB8 8;8 <=>65AB2> A5@B8D8:0B>2 >B:@KBKE :;NG59 !;>6=>ABL G0AB8G=>9 48=0<8G5A:>9 45;530F88 ?>;=><>G89 "@51>20=8O : A>2@5<5==>9 0@E8B5:BC@5 AuthN/Z 0745;5=85 A5@28A>2 0CB5=B8D8:0F88 (AuthN) 8 02B>@???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????870F88 (AuthZ) CB5=B8D8:0F8O 2 ?4><0H=59? >@30=870F88 2B>@870F8O @5AC@A>< >=D845=F80;L=>ABL, ?@820B=>ABL 8 0=>=8<=>ABL #?@02;5=85 4>ABC?>< =0 >A=>25 @>;59 8 ?>;8B8:8 157>?0A=>AB8 (RBAC) A?>;L7>20=85 8=D@0AB@C:BC@K C?@02;5=8O ?@825;538O<8 (PMI) ?t   !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????    *???? !"$????{????????????)????+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq????tuvwxyz |}~?Root Entry??????????d?O?????)???@?;?s?Pictures?????????$Current User????????????lGSummaryInformation(?????PowerPoint Document(?????????????x?DocumentSummaryInformation8?????????@ ?????????????????????????K??http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf???L??http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf?:?S?&Gloriad@gloriad.org?@?W?,Discussion@gloriad.org??/? 0????DTimes New Roman`??`?H?d? 0`? & 0,?DSymbolew Roman`??`?H?d? 0`? & 0, ?DMonotype Sorts`??`?H?d? 0`? & 0,0?DVerdana Sorts`??`?H?d? 0`? & 0,"@?DArial Unicode MS?`?H?d? 0`? & 0P?DArialMTicode MS?`?H?d? 0`? & 0??f???? ? .??@  @@``???  @?n???" dd@?????????  @@``?? " ? ?T?*&3?2   W     P >,  O?R?$/EP~ m???2?!???????$??b?$?g?|?I>?\?r? K? ???b?$???gC6?n5?dh??,???O???S ?~??????????1???????????0? ??????n?@???????8???????g??4PdPdd? 0T?????????p?pp?0 ? <?4BdBd???@ 0??u?ʚ;2N??ʚ;<?4!d!d???= 0l?<?4dddd???= 0l??F?>?___PPT9? /? 0?z????-?0June 19, 2003 RELARN2003 ?RAuthN/AuthZ Services and Network IdentityO? ?=??u????@E8B5:BC@0 !5@28A>2 CB5=B8D8:0F88 8 2B>@870F88 8 A5B520O 845=B8D8:0F8O 2 =B5@=5B?$UT$?T???RELARN2003 19 8N=O, 2003 Yuri Demchenko, NLnet Labs <demch@NLnetLabs.nl>?"L1"??            ??g??!>45@60=85? ??R#A;C38 CB5=B8D8:0F88 (AuthN) 8 2B>@870F88 (AuthZ) 2 =0CG=KE 8 >1@07>20B5;L=KE A5BOE @E8B5:BC@0 157>?0A=>AB8 =0 >A=>25 XML #?@02;5=85 4>ABC?>< =0 >A=>25 @>;59 (RBAC) !5B520O 845=B8D8:0F8O 8 Liberty Alliance Project @8<5@K A8AB5< @0A?@545;5==>9 0CB5=B8D8:0F88 8 02B>@870F88 !?@02>G=0O 8=D>@<0F8O?**??!#$:?????ZAuthN/AuthZ 2 =0CG=KE 8 >1@07>20B5;L=KE A5BOE?:!???>ABC? : <=>3>A09B>2K< 51/=B5@=5B @5AC@A0< 5@5=0?@02;5=85 + cookie (SSO) 56C=825@A8B5BA:85 @5AC@AK 8 4>ABC? : 2=5H=8< @5AC@A0< 8;8 ?@54>AB02;5=85 4>ABC?0 4;O 2=5H=8E ?>;L7>20B5;59 0A?@545;5==K5 C=825@A8B5BA:85 :0<?CAK 8 48AB0=F8>==>5 >1CG5=85 @84-F5=B@K 8 @84-?@8;>65=8O 07;8G=K5 04<8=8AB@0B82=K5 4><5=K 8 4><5=K 157>?0A=>AB8 @>4>;68B5;L=K5 (B@0=78B82=K5) 7040G8 8=0<8G5A:85 @5AC@AK !8AB5<K @0A?@545;5==KE 8=B5@0:B82=KE 035=B>2 (IIDS  Interactive Intelligent Disctributed Systems)?`-?tc-?tc?:? j6?????\!>2@5<5==0O 0@E8B5:BC@0 A5@28A>2 AuthN 8 AuthZ?D!??6@>1;5<K =>65AB2> ;>38=>2/?0@>;59  =0 :064K9 @5AC@A/A09B 3@0=8G5=85 >4=8< 4><5=>< 157>?0A=>AB8 8;8 <=>65AB2> A5@B8D8:0B>2 >B:@KBKE :;NG59 !;>6=>ABL G0AB8G=>9 48=0<8G5A:>9 45;530F88 ?>;=><>G89 "@51>20=8O : A>2@5<5==>9 0@E8B5:BC@5 AuthN/Z 0745;5=85 A5@28A>2 0CB5=B8D8:0F88 (AuthN) 8 02B>@870F88 (AuthZ) CB5=B8D8:0F8O 2 ?4><0H=59? >@30=870F88 2B>@870F8O @5AC@A>< >=D845=F80;L=>ABL, ?@820B=>ABL 8 0=>=8<=>ABL #?@02;5=85 4>ABC?>< =0 >A=>25 @>;59 8 ?>;8B8:8 157>?0A=>AB8 (RBAC) A?>;L7>20=85 8=D@0AB@C:BC@K C?@02;5=8O ?@825;538O<8 (PMI) ?t ?-A=? ?-A=????%$k<6??W??P>20O ?0@0483<0 157>?0A=>AB8 ?@8;>65=89 ?)(#?(???57>?0A=>ABL ?@8;>65=89 =0 >A=>25 XML 8 B@048F8>==0O <>45;L A5B52>9 157>?0A=>B8 "@048F8>==0O <>45;L 157>?0A=5AB8 (ISO7498-2): Host-to-host 8;8 point-to-point security @85=B8@>20==0O =0 0@E8B5:BC@C Client/server A=>20==K5 =0 A>548=5=85 (connection-oriented) 8 =5B (connectionless)  >1I5< A;CG05 548=K9 4>25@8B5;L=K9 4><5= (=0 >A=>25 PKI) 57>?0A=>ABL ?@8;>65=89 >A=>25 XML 57>?0A=>ABL <564C :>=5G=K<8 B>G:0<8 ?@8;>65=89 (End-to-end) @85=B8@>20==0O =0 4>:C<5=B (8;8 A5<0=B8G5A:89 >1L5:B) 0=40BK 8 <0@:5@K 157>?0A=>AB8 <>3CB 1KBL 0AA>F88@>20=K A 4>:C<5=B>< 8;8 A>>1I5=85< 8;8 8E G0ABLN >B5=F80;L=> @01>B05B <564C 4><5=0<8 04<8=8AB@0B82=K<8 8 157>?0A=>AB8 >72>;O5B A>74020BL 48=0<8G5A:85 8 28@BC0;L=K5 0AA>F80F88??~?$tb?~?$tb???")"# 5  1 6aE9?????P><?>=5=BK 157>?0A=>AB8 XML - ?@8;>65=89?: " ??pXML Signature XML Encryption 5:;0@0F88 157>?0A=>AB8 (Security Assertions) SAML (Security Assertion Mark-up Language) XrML (XML Right Mark-up Language) XACML (XML Access Control Mark-up Language) XKMS (XML Key Management Specification) @E8B5:BC@=K5 @0AH8@5=8O Web Services Security (WS-Security) OGSA Security ?hKzA2KzA2 ?J?3?????4A=>2=K5 G5@BK XML-?>4?8A8?,???$C=40<5=B0;L=0O G5@B0: 2>7<>6=>ABL ?>4?8AK20BL >B45;L=K5 G0AB8 4>:C<5=B0 B0: 65 :0: 8 F5;K9 4>:C<5=B. XML-4>:C<5=B <>65B 8<5BL 4;8==CN 8AB>@8N, ?@8 MB>< @07;8G=K5 G0AB8 4>:C<5?=B0 <>3CB A>74020BLAO 8 2878@>20BLAO @07;8G=K<8 AC1L5:B0<8 8 2 @07;8G=>5 2@5<O 07;8G=K5 AB>@>=K/AC1L5:BK <>3CB 8<5BL ?>;=><>G8O ?>4?8AK20BL B>;L:> @07;8G=K5 G0AB8 4>:C<5=B0 >72>;O5B A>E@0=OBL F5;>AB=>ABL >4=8E G0AB59 4>:C<5=B0 8 8<5BL 2>7<>6=>ABL 87<5=OBL 4@C385 G0AB8 4>:C<5=B0 >72>;ONB ?@8A>548=OBL <0@:5@K/<0=40BK 157>?0A=>AB8 : 4>:C<5=BC 2 >B;8G85 >B 8A?>;L7>20=8O 157>?0A=>3> A>548=5=8O :;85=B/A5@25@ XML-?>4?8AL >15A?5G8205B A5@28AK 157>?0A=>AB8 4;O ?@>B:>;>2, >A=>20==KE =0 XML  B0:65 >A=>2C 4;O 2:;NG5=8O 8=D>@<0F88 > A>AB>O=88 ?Nf24f24 ??M?^jH3?????*!B@C:BC@0 XML-?>4?8A8?, ???? ? ? (? ()?? ? ? )+? ? ()?? ()*? ??$?Z?%??? /   $?????N 0AH8@5=85 0@E8B5:BC@K XML-157>?0A=>AB8?2 ??4WS-Security (Web Services Security) 0AH8@5=8O : D>@<0BC A>>1I5=89 SOAP (Simple Object Access Protocol) !B0=40@B=K5 703>;>2:8 4;O 0CB5=B8D8:0F88 8 02B>@870F88, 0C48B0, 0AA>F80F89 157>?0A=>AB8, ?@820B=>AB8 1<5=0 C4>AB>25@ONI8<8 <0=40B0<8/<0@:5@0<8 2 D>@<0B5 X.509 PKC, SAML, XrML, XCBF &8D@>20O ?>4?8AL, H8D@>20=85 @>B>:>;K 4;O A8=E@>==>3> 8 0A8=E@>==>3> >1<5=0 A>>1I5=8O<8 8 >@30=870F88 <564><5==KE :>>?5@0B82=KE 51-A5@28A>2 OGSA Security (Open Grid Services Architecture) >AB@>5=0 =0 >A=>25 WS-Security $C=:F8>=0;L=>ABL 4;O A>740=8O 28@BC0;L=KE >@30=870F89 () 5;538@>20=8O ?>;=><>G89 (credentials) 8 D545@0F8O 845=B8D8:0B>@>2 AC1L5:B0 =>=8<=>ABL/?@820B=>ABL, 0AA>F80F88 4;O C?@02;5=8O 4>ABC?>< >445@6:0 B@0=78B82=KE ?@>F5AA>2 A :>=5G=K<8 A>AB>O=8O<8 (transitional stateful processes)??$DeQq0[?[$De5   q0[?[??$$??1 U ?!?????F#?@02;5=85 4>ABC?>< =0 >A=>25 @>;59?#???RBAC  Role Based Access Control >;L >?8AK205B DC=:F8N @020 >?@545;ONB 4>ABC? : @5AC@AC 2 >?@545;5==>< @568<5 @58<CI5AB20 RBAC 53:> C?@02;OBL 8 :>=B@>;8@>20BL 0745;L=>5 =07=0G5=85 @>;8-?>;L7>20B5;8 8 @>;8-?@828;5388 0AHB018@C5<>ABL >445@68205B ?@8=F8? <8=8<0;L=> =5>1E>48<KE ?@828;5389 0A;54>20=85 8 03@538@>20=85 ?@828;5389/?@02 >7<>6=>ABL 45;538@>20=8O ?L!O?!O??H!O "??????N=D@0AB@C:BC@0 C?@02;5=8O ?@828;538O<8 ?'???PMI  Privilege Management Infrastructure !B@>8BAO =0 >A=>25 !5@B8D8:0B>2 B@81CB>2 (AC  Attribute Certificate) ! A>2<5AB=> A ! >?@545;5=K AB0=40@B>< X.509 version 4 ! 8A?>;L7C5BAO 4;O 0CB5=B8D8:0F88, ! 8A?>;L7C5BAO 4;O 02B>@870F88 PMI :0: >A=>20 4;O ?>AB@>5=8O RBAC ! ?>72>;O5B A2O70BL 845=B8D8:0B>@ ?>;L7>20B5;O A @>;O<8 8 @>;8 A ?@828;538O<8 >445@68205B 85@0@E8G5A:85 A8AB5<K RBAC, ?@54>AB02;OO 2>7<>6=>ABL >1L548=5=8O @>;L 8 4>?>;=8B5;L=KE ?@828;5389 3@0=8G8205B 3;C18=C 45;538@>20=8O >;8B8:0 PMI A?>;L7C5BAO 4;O :>=B@>;O 4>ABC?0 : @5AC@A0< =0 >A=>25 @>;59 @028;0 >?@545;5=8O @>;59 4;O ?>;L7>20B5;59 8 ?@828;5389 4;O ?>;L7>20B5;59 0745;L=K5 ?>;8B8:8 4;O AC1L5:B0, SOA, 85@0@E8O @>;59, 45;538@>20=85, 4@.??*?E#? ?*?E#? ???***Fst=m#?????PLiberty Alliance 8 A5B520O 845=B8D8:0F8O?)) ?$??xLiberty Alliance Project (LAP) LAP 22>48B ?>=OB8O ?@>20945@0 845=B8D8:0F88 (identity provider) 8 :@C30 4>25@8O (trust circle) LAP >15A?5G8205B ?>;=K9 :>=B@>;L 70 A2>8< 845=B8D8:0B>@>< 8 0AA>F80F8O<8/D545@0F8O<8, :>B>@K5 <>3CB A>74020BLAO ?@>20945@0<8 845=B8D8:0F88  =0 >A=>20=88 ?@5420@8B5;L=>3> A>3;0A8O ?>;L7>20B5;O LAP 8A?>;L7C5B SAML 8 @0AH8@O5B 53> =>2K<8 M;5<5=B0<8 8 ?@>B>:>;0<8 LAP >?@545;O5B B@8 <>45;8 4>25@8O, >A=>20==K5 =0 PKI 8;8 187=5A->B=>H5=8OE: 2708<=>5, G5@57 ?>A@54=8:0-1@>:5@0 8 A@548 A>>1I5AB20 A=>2=K5 DC=:F88 LAP: $545@0F8O 845=B8D8:0F88; @54AB02;5=85 ?@>20945@0 845=B8D8:0F88; 0CB5=B8D8:0F8O; 8A?>;L7>20=85 ?A524>=8<>2 8 ?>445@6:0 0=>=8<=>AB8; 3;>10;L=K9 2KE>4 87 A8AB5<K ?:???)? 0-^??????@OB:@KBK5 A8AB5<K 4;O AuthN/AuthZ?0 ??* 07@01>B0=K 2 @0<:0E ?@>5:B>2 Internet2, FP5 8 =0F8>=0;L=KE =0CG=KE A5B59 PERMIS (PrivilEge and Role Management Infrastructure Standards validation) - http://www.permis.org/ Shibboleth - http://shibboleth.internet2.edu/ A-Select - http://a-select.surfnet.nl/ FEIDE (Federated Identity for Education) - http://www.feide.no/ PAPI - http://www.rediris.es/app/papi/index.en.html SPOCP - http://www.spocp.org/ ?~JLJ[  ? ??f" , ?????D@C3;K9 AB>;  @84 8 157>?0A=>ABL?"???LJG, EGEE and RDIG Technologies for GRID  promotion, experience exchange, implementaion Virtual Organisations  reality vs virtuality Security technologies for modern networking infrastrcuture and applications Terminology on GRID and Security GLORIAD Project  http://www.gloriad.org/ Mailing lists: Gloriad@gloriad.org - closed Discussion@gloriad.org - open ?kk?L/ ??Sm 0?/B??Wm 0?Lb?????*!?@02>G=0O 8=D>@<0F8O???6XML Web Services WS-Security OGSA basics OGSA Security?77?????J@E8B5:BC@0 =0 >A=>25 XML Web Service?"??X?8A0=85 =0 >A=>25 WSDL (Web Services Description Language) 1<5= A>>1I5=8O<8 2 D>@<0B5 SOAP ?@8 ?><>I8 ?@>B>:>;>2 HTTP, SMTP, TCP, etc. C1;8:0F8O 8 ?>8A: ?>A@54AB2>< UDDI????z?????B>45;L 157>?0A=>AB8 Web Services? ?? ?????LWS-Security: 0AH8@5=8O : D>@<0BC SOAP? ??URI: http://schemas.xmlsoap.org/ws/2002/04/secext @>AB@0=AB20 8<5=, 8A?>;L7C5<K5 2 WS-Security: SOAP S http://www.w3.org/2001/12/soap-envelope XML Digital Sign ds http://www.w3.org/2000/09/xmldsig# XML Encryption xenc http://www.w3.org/2001/04/xmlenc# XML/SOAP Routing m http://schemas.xmlsoap.org/rp WSSL wsse http://schemas.xmlsoap.org/ws/2002/04/secext ????" "KJ  ?????&Open Grid Services Architecture (OGSA)???WSDL extensions to describe specifics of Grid Services Defines new portType - GridService Provides mechanism to create Virtual Organisation Provides mechanism to create transient services - Factories Provides soft-state registration of GSH - Registry Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface. OGSA services can be created and destroyed dynamically Grid Service is assigned globally (persistent) unique name, the Grid service handle (GSH) Grid services may be upgraded during their lifetime and referenced by Grid (dynamic) service reference (GSR) ?67??7???,C  _?????L@E8B5:BC@0 157>?0A=>AB8 OGSA Security???>>AB@>5=0 =0 >A=>25 WS-Security?$ ??}??Proxy Certificate Profile???Impersonation  used for Single-Sign-On and Delegation Unrestricted Impersonation Restricted Impersonation defined by policy Proxy with Unique Name Allows using in conjunction with Attribute Cert Used when proxy identity is referenced to 3rd party, or interact with VO policy Limited validity time  approx. 24 hours Proxy Certificate (PC) properties: It is signed by either an X.509 End Entity Certificate (EEC), or by another PC. This EEC or PC is referred to as the Proxy Issuer (PI). It can sign only another PC. It cannot sign an EEC. It has its own public and private key pair, distinct from any other EEC or PC. It has an identity derived from the identity of the EEC that signed the PC. Although its identity is derived from the EEC's identity, it is also unique. It contains a new X.509 extension to identify it as a PC and to place policies on the use of the PC. This new extension, along with other X.509 fields and extensions, are used to enable proper path validation and use of the PC. ??7ZFZZ?Z)Z$Z?Z7F[ #)$??d"L?4O??????Reference: PKI Basics???TPKI (Public Key Infrastructure)  =D@0AB@C:BC@0 >B:@KBKE :;NG59 () !2O7K205B 845=B8D8:0B>@ (8<O A>1AB25==>5, distinguished name) AC1L5:B0 A 53> >B:@KBK< :;NG>< A=>20   !5@B8D8:0B >B:@KB>3> :;NG0 (!, PKC - Public Key Certificate) CRL  Certificate Revocation List ><?>=5=BK  Identification Service (IS) Registration Authority (RA) Certification Authority (CA) Certificate Repository (CR), normally built on LDAP ?bG?"?G?"? ??"O .!U5?????Reference: PKC vs AC: Purposes??X.509 PKC binds an identity and a public key AC is a component of X.509 Role-based PMI AC contains no public key AC may contain attributes that specify group membership, role, security clearance, or other authorisation information associated with the AC holder Analogy: PKC is like passport, and AC is like entry visa PKC is used for Authentication and AC is used for Authorisation AC may be included into Authentication message PKC relies on Certification Authority and AC requires Attribute Authority (AA) ??W?@/OW?@/O?????!PKC vs AC: Certificates structure?"" ??}X.509 PKC Version Serial number Signature Issuer Validity Subject Subject Public key info Issuer unique identifier Extensions?* t t ??`AC Version Holder Issuer Signature Serial number Validity Attributes Issuer unique ID Extensions?*^^?????TX.509 PKC Fields and Extensions  RFC 3280?++ ??\X.509 PKC Fields Serial Number Subject Subject Public Key Issuer Unique ID Subject Unique ID?&LL ??:X.509 PKC Extensions Standard Extensions Authority Key Identifier Subject Key Identifier Key Usage Extended Key Usage CRL Distribution List Private Key Usage Period Certificate Policies Policy Mappings Subject Alternative Name Issuer Alternative Name Subject Directory Attributes Basic Constraints Name Constraints?:?????$AC Attribute Types and AC Extensions??|AC Attribute Types Service Authentication Information Access Identity Charging Identity Group Role Clearance Profile of AC ?*jj ???AC Extensions Audit Identity To protect privacy and provide anonymity May be traceable via AC issuer AC Targeting Authority Key Identifier Authority Information Access CRL Distribution Points?VI[I[/?? P??????? ? ???p??$?( ? ??r ? S ???E????x8????  ? ? ??r ? S ???K????Sg??? ? ? ??H ? ? ?0???@??޽h?? ?? ??????????f????????? ? ???0?H?$?( ? ?H?r ?H S ??ü???x8????  ? ? ??r ?H S ??Ѽ???Sg??? ? ? ??H ?H ? ?0???@??޽h?? ?? ??????????f????????? ? ??? ?L?$?( ? ?L?r ?L S ????????x8????  ? ? ??r ?L S ??X@????Sg??? ? ? ??H ?L ? ?0???@??޽h?? ?? ??????????f??????r???.|? ~???????????(`???  6 W???K??http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf???L??http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageS  !"#$%&'()*+,-./0123456789:;<=>????@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk????m???????????????????????????????????????????????????????????????????????????????????Oh??+'??0? px??? ? ( 4 @ LX`?? HTTP и CGI TP=D:\msoffice\Templates\Presentation Designs\International.pot?Ted Lindgreenmp518Microsoft PowerPoint 7.0sen@`??i? @??G?}Y?@`??X7?@?7 @?;??G"?????y   7&?????? &????&#????TNPP??2??OMi & TNPP? &????&TNPP   ?? ????-?-- !???-????-??-????--- !?T?F--?-&????u??&????-?-????- $u?u?~~????-? $~?~???????-? $???????>>?-? $????????-? $??????-?--&????&????--BPM:--??r}?w@? GS??w\??w0- ????@Times New RomanS??w\??w0-? .???????@Times New RomanS??w\??w0-.'2 ????????????? ????????   .-?. .?e?????@Times New RomanS??w\??w0-.62 ?e?????????????? ? ??????????? ?     .-?. . Z?????@Times New RomanS??w\??w0-.72 Z ??????? ????????????? ? ????????   #.-?.--O )l-- ????@Times New RomanS??w\??w0-? .2 pO RELARN2003. . 2 ?T19. .??????@Times New RomanS??w\??w0-. 2 ?????.-?. .2 ??, 2003 .????@Times New RomanS??w\??w0-? .2 ?Yuri  . .2 ?C Demchenko3   . .2 ?? , NLnet Labs    . . 2 !#<9. .2 !4demch  . . 2 !?@9. .2 !? NLnetLabs3   . . 2 !#.9. . 2 !+nl. . 2 !A>l.--??"System 0-?&TNPP &????????՜.??+,??D??՜.??+,???-A=? ?-A=????%$k<6??W??P>20O ?0@0483<0 157>?0A=>AB8 ?@8;>65=89 ?)(#?(???57>?0A=>ABL ?@8;>65=89 =0 >A=>25 XML 8 B@048F8>==0O <>45;L A5B52>9 157>?0A=>B8 "@048F8>==0O <>45;L 157>?0A=5AB8 (ISO7498-2): Host-to-host 8;8 point-to-point security @85=B8@>20==0O =0 0@E8B5:BC@C Client/server A=>20==K5 =0 A>548=5=85 (connection-oriented) 8 =5B (connectionless)  >1I5< A;CG05 548=K9 4>25@8B5;L=K9 4><5= (=0 >A=>25 PKI) 57>?0A=>ABL ?@8;>65=89 >A=>25 XML 57>?0A=>ABL <564C :>=5G=K<8 B>G:0<8 ?@8;>65=89 (End-to-end) @85=B8@>20==0O =0 4>:C<5=B (8;8 A5<0=B8G5A:89 >1L5:B) 0=40BK 8 <0@:5@K 157>?0A=>AB8 <>3CB 1KBL 0AA>F88@>20=K A 4>:C<5=B>< 8;8 A>>1I5=85< 8;8 8E G0ABLN >B5=F80;L=> @01>B05B <564C 4><5=0<8 04<8=8AB@0B82=K<8 8 157>?0A=>AB8 >72>;O5B A>74020BL 48=0<8G5A:85 8 28@BC0;L=K5 0AA>F80F88??~?$tb?~?$tb???")"# 5  1 6aE9?????P><?>=5=BK 157>?0A=>AB8 XML - ?@8;>65=89?: " ??pXML Signature XML Encryption 5:;0@0F88 157>?0A=>AB8 (Security Assertions) SAML (Security Assertion Mark-up Language) XrML (XML Right Mark-up Language) XACML (XML Access Control Mark-up Language) XKMS (XML Key Management Specification) @E8B5:BC@=K5 @0AH8@5=8O Web Services Security (WS-Security) OGSA Security ?hKzA2KzA2 ?J?3?????4A=>2=K5 G5@BK XML-?>4?8A8?,???$C=40<5=B0;L=0O G5@B0: 2>7<>6=>ABL ?>4?8AK20BL >B45;L=K5 G0AB8 4>:C<5=B0 B0: 65 :0: 8 F5;K9 4>:C<5=B. XML-4>:C<5=B <>65B 8<5BL 4;8==CN 8AB>@8N, ?@8 MB>< @07;8G=K5 G0AB8 4>:C<5?=B0 <>3CB A>74020BLAO 8 2878@>20BLAO @07;8G=K<8 AC1L5:B0<8 8 2 @07;8G=>5 2@5<O 07;8G=K5 AB>@>=K/AC1L5:BK <>3CB 8<5BL ?>;=><>G8O ?>4?8AK20BL B>;L:> @07;8G=K5 G0AB8 4>:C<5=B0 >72>;O5B A>E@0=OBL F5;>AB=>ABL >4=8E G0AB59 4>:C<5=B0 8 8<5BL 2>7<>6=>ABL 87<5=OBL 4@C385 G0AB8 4>:C<5=B0 >72>;ONB ?@8A>548=OBL <0@:5@K/<0=40BK 157>?0A=>AB8 : 4>:C<5=BC 2 >B;8G85 >B 8A?>;L7>20=8O 157>?0A=>3> A>548=5=8O :;85=B/A5@25@ XML-?>4?8AL >15A?5G8205B A5@28AK 157>?0A=>AB8 4;O ?@>B:>;>2, >A=>20==KE =0 XML  B0:65 >A=>2C 4;O 2:;NG5=8O 8=D>@<0F88 > A>AB>O=88 ?Nf24f24 ??M?^jH3?????*!B@C:BC@0 XML-?>4?8A8?, ???? ? ? (? ()?? ? ? )+? ? ()?? ()*? ??$?Z?%??? /   $?????N 0AH8@5=85 0@E8B5:BC@K XML-157>?0A=>AB8?2 ??4WS-Security (Web Services Security) 0AH8@5=8O : D>@<0BC A>>1I5=89 SOAP (Simple Object Access Protocol) !B0=40@B=K5 703>;>2:8 4;O 0CB5=B8D8:0F88 8 02B>@870F88, 0C48B0, 0AA>F80F89 157>?0A=>AB8, ?@820B=>AB8 1<5=0 C4>AB>25@ONI8<8 <0=40B0<8/<0@:5@0<8 2 D>@<0B5 X.509 PKC, SAML, XrML, XCBF &8D@>20O ?>4?8AL, H8D@>20=85 @>B>:>;K 4;O A8=E@>==>3> 8 0A8=E@>==>3> >1<5=0 A>>1I5=8O<8 8 >@30=870F88 <564><5==KE :>>?5@0B82=KE 51-A5@28A>2 OGSA Security (Open Grid Services Architecture) >AB@>5=0 =0 >A=>25 WS-Security $C=:F8>=0;L=>ABL 4;O A>740=8O 28@BC0;L=KE >@30=870F89 () 5;538@>20=8O ?>;=><>G89 (credentials) 8 D545@0F8O 845=B8D8:0B>@>2 AC1L5:B0 =>=8<=>ABL/?@820B=>ABL, 0AA>F80F88 4;O C?@02;5=8O 4>ABC?>< >445@6:0 B@0=78B82=KE ?@>F5AA>2 A :>=5G=K<8 A>AB>O=8O<8 (transitional stateful processes)??$DeQq0[?[$De5   q0[?[??$$??1 U ?!?????F#?@02;5=85 4>ABC?>< =0 >A=>25 @>;59?#???RBAC  Role Based Access Control >;L >?8AK205B DC=:F8N @020 >?@545;ONB 4>ABC? : @5AC@AC 2 >?@545;5==>< @568<5 @58<CI5AB20 RBAC 53:> C?@02;OBL 8 :>=B@>;8@>20BL 0745;L=>5 =07=0G5=85 @>;8-?>;L7>20B5;8 8 @>;8-?@828;5388 0AHB018@C5<>ABL >445@68205B ?@8=F8? <8=8<0;L=> =5>1E>48<KE ?@828;5389 0A;54>20=85 8 03@538@>20=85 ?@828;5389/?@02 >7<>6=>ABL 45;538@>20=8O ?L!O?!O??H!O "??????N=D@0AB@C:BC@0 C?@02;5=8O ?@828;538O<8 ?'???PMI  Privilege Management Infrastructure !B@>8BAO =0 >A=>25 !5@B8D8:0B>2 B@81CB>2 (AC  Attribute Certificate) ! A>2<5AB=> A ! >?@545;5=K AB0=40@B>< X.509 version 4 ! 8A?>;L7C5BAO 4;O 0CB5=B8D8:0F88, ! 8A?>;L7C5BAO 4;O 02B>@870F88 PMI :0: >A=>20 4;O ?>AB@>5=8O RBAC ! ?>72>;O5B A2O70BL 845=B8D8:0B>@ ?>;L7>20B5;O A @>;O<8 8 @>;8 A ?@828;538O<8 >445@68205B 85@0@E8G5A:85 A8AB5<K RBAC, ?@54>AB02;OO 2>7<>6=>ABL >1L548=5=8O @>;L 8 4>?>;=8B5;L=KE ?@828;5389 3@0=8G8205B 3;C18=C 45;538@>20=8O >;8B8:0 PMI A?>;L7C5BAO 4;O :>=B@>;O 4>ABC?0 : @5AC@A0< =0 >A=>25 @>;59 @028;0 >?@545;5=8O @>;59 4;O ?>;L7>20B5;59 8 ?@828;5389 4;O ?>;L7>20B5;59 0745;L=K5 ?>;8B8:8 4;O AC1L5:B0, SOA, 85@0@E8O @>;59, 45;538@>20=85, 4@.??*?E#? ?*?E#? ???***Fst=m#?????PLiberty Alliance 8 A5B520O 845=B8D8:0F8O?)) ?$??xLiberty Alliance Project (LAP) LAP 22>48B ?>=OB8O ?@>20945@0 845=B8D8:0F88 (identity provider) 8 :@C30 4>25@8O (trust circle) LAP >15A?5G8205B ?>;=K9 :>=B@>;L 70 A2>8< 845=B8D8:0B>@>< 8 0AA>F80F8O<8/D545@0F8O<8, :>B>@K5 <>3CB A>74020BLAO ?@>20945@0<8 845=B8D8:0F88  =0 >A=>20=88 ?@5420@8B5;L=>3> A>3;0A8O ?>;L7>20B5;O LAP 8A?>;L7C5B SAML 8 @0AH8@O5B 53> =>2K<8 M;5<5=B0<8 8 ?@>B>:>;0<8 LAP >?@545;O5B B@8 <>45;8 4>25@8O, >A=>20==K5 =0 PKI 8;8 187=5A->B=>H5=8OE: 2708<=>5, G5@57 ?>A@54=8:0-1@>:5@0 8 A@548 A>>1I5AB20 A=>2=K5 DC=:F88 LAP: $545@0F8O 845=B8D8:0F88; @54AB02;5=85 ?@>20945@0 845=B8D8:0F88; 0CB5=B8D8:0F8O; 8A?>;L7>20=85 ?A524>=8<>2 8 ?>445@6:0 0=>=8<=>AB8; 3;>10;L=K9 2KE>4 87 A8AB5<K ?:???)? 0-^??????@OB:@KBK5 A8AB5<K 4;O AuthN/AuthZ?0 ??* 07@01>B0=K 2 @0<:0E ?@>5:B>2 Internet2, FP5 8 =0F8>=0;L=KE =0CG=KE A5B59 PERMIS (PrivilEge and Role Management Infrastructure Standards validation) - http://www.permis.org/ Shibboleth - http://shibboleth.internet2.edu/ A-Select - http://a-select.surfnet.nl/ FEIDE (Federated Identity for Education) - http://www.feide.no/ PAPI - http://www.rediris.es/app/papi/index.en.html SPOCP - http://www.spocp.org/ ?~JLJ[  ? ??f" , ?????D@C3;K9 AB>;  @84 8 157>?0A=>ABL?"???LJG, EGEE and RDIG Technologies for GRID  promotion, experience exchange, implementaion Virtual Organisations  reality vs virtuality Security technologies for modern networking infrastrcuture and applications Terminology on GRID and Security GLORIAD Project  http://www.gloriad.org/ Mailing lists: Gloriad@gloriad.org - closed Discussion@gloriad.org - open ?kk?L/ ??Sm 0?/B??Wm 0?Lb?????*!?@02>G=0O 8=D>@<0F8O???6XML Web Services WS-Security OGSA basics OGSA Security?77?????J@E8B5:BC@0 =0 >A=>25 XML Web Service?"??X?8A0=85 =0 >A=>25 WSDL (Web Services Description Language) 1<5= A>>1I5=8O<8 2 D>@<0B5 SOAP ?@8 ?><>I8 ?@>B>:>;>2 HTTP, SMTP, TCP, etc. C1;8:0F8O 8 ?>8A: ?>A@54AB2>< UDDI????z?????B>45;L 157>?0A=>AB8 Web Services? ?? ?????LWS-Security: 0AH8@5=8O : D>@<0BC SOAP? ??URI: http://schemas.xmlsoap.org/ws/2002/04/secext @>AB@0=AB20 8<5=, 8A?>;L7C5<K5 2 WS-Security: SOAP S http://www.w3.org/2001/12/soap-envelope XML Digital Sign ds http://www.w3.org/2000/09/xmldsig# XML Encryption xenc http://www.w3.org/2001/04/xmlenc# XML/SOAP Routing m http://schemas.xmlsoap.org/rp WSSL wsse http://schemas.xmlsoap.org/ws/2002/04/secext ????" "KJ  ?????&Open Grid Services Architecture (OGSA)???WSDL extensions to describe specifics of Grid Services Defines new portType - GridService Provides mechanism to create Virtual Organisation Provides mechanism to create transient services - Factories Provides soft-state registration of GSH - Registry Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface. OGSA services can be created and destroyed dynamically Grid Service is assigned globally (persistent) unique name, the Grid service handle (GSH) Grid services may be upgraded during their lifetime and referenced by Grid (dynamic) service reference (GSR) ?67??7???,C  _?????L@E8B5:BC@0 157>?0A=>AB8 OGSA Security???>>AB@>5=0 =0 >A=>25 WS-Security?$ ??}??Proxy Certificate Profile???Impersonation  used for Single-Sign-On and Delegation Unrestricted Impersonation Restricted Impersonation defined by policy Proxy with Unique Name Allows using in conjunction with Attribute Cert Used when proxy identity is referenced to 3rd party, or interact with VO policy Limited validity time  approx. 24 hours Proxy Certificate (PC) properties: It is signed by either an X.509 End Entity Certificate (EEC), or by another PC. This EEC or PC is referred to as the Proxy Issuer (PI). It can sign only another PC. It cannot sign an EEC. It has its own public and private key pair, distinct from any other EEC or PC. It has an identity derived from the identity of the EEC that signed the PC. Although its identity is derived from the EEC's identity, it is also unique. It contains a new X.509 extension to identify it as a PC and to place policies on the use of the PC. This new extension, along with other X.509 fields and extensions, are used to enable proper path validation and use of the PC. ??7ZFZZ?Z)Z$Z?Z7F[ #)$??d"L?4O??????Reference: PKI Basics???TPKI (Public Key Infrastructure)  =D@0AB@C:BC@0 >B:@KBKE :;NG59 () !2O7K205B 845=B8D8:0B>@ (8<O A>1AB25==>5, distinguished name) AC1L5:B0 A 53> >B:@KBK< :;NG>< A=>20   !5@B8D8:0B >B:@KB>3> :;NG0 (!, PKC - Public Key Certificate) CRL  Certificate Revocation List ><?>=5=BK  Identification Service (IS) Registration Authority (RA) Certification Authority (CA) Certificate Repository (CR), normally built on LDAP ?bG?"?G?"? ??"O .!U5?????Reference: PKC vs AC: Purposes??X.509 PKC binds an identity and a public key AC is a component of X.509 Role-based PMI AC contains no public key AC may contain attributes that specify group membership, role, security clearance, or other authorisation information associated with the AC holder Analogy: PKC is like passport, and AC is like entry visa PKC is used for Authentication and AC is used for Authorisation AC may be included into Authentication message PKC relies on Certification Authority and AC requires Attribute Authority (AA) ??W?@/OW?@/O?????!PKC vs AC: Certificates structure?"" ??}X.509 PKC Version Serial number Signature Issuer Validity Subject Subject Public key info Issuer unique identifier Extensions?* t t ??`AC Version Holder Issuer Signature Serial number Validity Attributes Issuer unique ID Extensions?*^^?????TX.509 PKC Fields and Extensions  RFC 3280?++ ??\X.509 PKC Fields Serial Number Subject Subject Public Key Issuer Unique ID Subject Unique ID?&LL ??:X.509 PKC Extensions Standard Extensions Authority Key Identifier Subject Key Identifier Key Usage Extended Key Usage CRL Distribution List Private Key Usage Period Certificate Policies Policy Mappings Subject Alternative Name Issuer Alternative Name Subject Directory Attributes Basic Constraints Name Constraints?:?????$AC Attribute Types and AC Extensions??|AC Attribute Types Service Authentication Information Access Identity Charging Identity Group Role Clearance Profile of AC ?*jj ???AC Extensions Audit Identity To protect privacy and provide anonymity May be traceable via AC issuer AC Targeting Authority Key Identifier Authority Information Access CRL Distribution Points?VI[I[/?? P??????? ? ???p??$?( ? ??r ? S ???E????x8????  ? ? ??r ? S ???K????Sg??? ? ? ??H ? ? ?0???@??޽h?? ?? ??????????f??????r:??+ ?g?? ????(`???  6 W???K??http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf???L??http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf?:?S?&Gloriad@gloriad.org?@?W?,Discussion@gloriad.org??/? 0????DTimes New Roman`??`?H?d? 0`? & 0,?DSymbolew Roman`??`?H?d? 0`? & 0, ?DMonotype Sorts`??`?H?d? 0`? & 0,0?DVerdana Sorts`??`?H?d? 0`? & 0,"@?DArial Unicode MS?`?H?d? 0`? & 0P?DArialMTicode MS?`?H?d? 0`? & 0??f???? ? .??@  @@``???  @?n???" dd@?????????  @@``?? " ? ?T?*&3?2   W     P >,  O?R?$/EP~ m???2?!???????$??b?$?g?|?I>?\?r? K? ???b?$???gC6?n5?dh??,???O???S ?~??????????1???????????0? ??????n?@???????8???????g??4PdPdd? 0T?????????p?pp?0 ? <?4BdBd???@ 0??u?ʚ;2N??ʚ;<?4!d!d???= 0l?<?4dddd???= 0l??F?>?___PPT9? /? 0?z????-?0June 19, 2003 RELARN2003 ?RAuthN/AuthZ Services and Network IdentityO? ?=?4v????@E8B5:BC@0 !5@28A>2 CB5=B8D8:0F88 8 2B>@870F88 8 A5B520O 845=B8D8:0F8O 2 =B5@=5B?$UT$?T???RELARN2003 19 8N=O, 2003 Yuri Demchenko, NLnet Labs <demch@NLnetLabs.nl>?"L1"??            ??g??!>45@60=85? ???#A;C38 CB5=B8D8:0F88 (AuthN) 8 2B>@870F88 (AuthZ) 2 =0CG=KE 8 >1@07>20B5;L=KE A5BOE @E8B5:BC@0 157>?0A=>AB8 =0 >A=>25 XML #?@02;5=85 4>ABC?>< =0 >A=>25 @>;59 (RBAC) !5B520O 845=B8D8:0F8O 8 Liberty Alliance Project @8<5@K A8AB5< @0A?@545;5==>9 0CB5=B8D8:0F88 8 02B>@870F88 @C3;K9 AB>;  @84 8 157>?0A=>ABL !?@02>G=0O 8=D>@<0F8O?&M"?!#$:"?????ZAuthN/AuthZ 2 =0CG=KE 8 >1@07>20B5;L=KE A5BOE?:!???>ABC? : <=>3>A09B>2K< 51/=B5@=5B @5AC@A0< 5@5=0?@02;5=85 + cookie (SSO) 56C=825@A8B5BA:85 @5AC@AK 8 4>ABC? : 2=5H=8< @5AC@A0< 8;8 ?@54>AB02;5=85 4>ABC?0 4;O 2=5H=8E ?>;L7>20B5;59 0A?@545;5==K5 C=825@A8B5BA:85 :0<?CAK 8 48AB0=F8>==>5 >1CG5=85 @84-F5=B@K 8 @84-?@8;>65=8O 07;8G=K5 04<8=8AB@0B82=K5 4><5=K 8 4><5=K 157>?0A=>AB8 @>4>;68B5;L=K5 (B@0=78B82=K5) 7040G8 8=0<8G5A:85 @5AC@AK !8AB5<K @0A?@545;5==KE 8=B5@0:B82=KE 035=B>2 (IIDS  Interactive Intelligent Disctributed Systems)?`-?tc-?tc?:? j6?????\!>2@5<5==0O 0@E8B5:BC@0 A5@28A>2 AuthN 8 AuthZ?D!??6@>1;5<K =>65AB2> ;>38=>2/?0@>;59  =0 :064K9 @5AC@A/A09B 3@0=8G5=85 >4=8< 4><5=>< 157>?0A=>AB8 8;8 <=>65AB2> A5@B8D8:0B>2 >B:@KBKE :;NG59 !;>6=>ABL G0AB8G=>9 48=0<8G5A:>9 45;530F88 ?>;=><>G89 "@51>20=8O : A>2@5<5==>9 0@E8B5:BC@5 AuthN/Z 0745;5=85 A5@28A>2 0CB5=B8D8:0F88 (AuthN) 8 02B>@870F88 (AuthZ) CB5=B8D8:0F8O 2 ?4><0H=59? >@30=870F88 2B>@870F8O @5AC@A>< >=D845=F80;L=>ABL, ?@820B=>ABL 8 0=>=8<=>ABL #?@02;5=85 4>ABC?>< =0 >A=>25 @>;59 8 ?>;8B8:8 157>?0A=>AB8 (RBAC) A?>;L7>20=85 8=D@0AB@C:BC@K C?@02;5=8O ?@825;538O<8 (PMI) ?t ?-A=? ?-A=????%$k<6??W??P>20O ?0@0483<0 157>?0A=>AB8 ?@8;>65=89 ?)(#?(???57>?0A=>ABL ?@8;>65=89 =0 >A=>25 XML 8 B@048F8>==0O <>45;L A5B52>9 157>?0A=>B8 "@048F8>==0O <>45;L 157>?0A=5AB8 (ISO7498-2): Host-to-host 8;8 point-to-point security @85=B8@>20==0O =0 0@E8B5:BC@C Client/server A=>20==K5 =0 A>548=5=85 (connection-oriented) 8 =5B (connectionless)  >1I5< A;CG05 548=K9 4>25@8B5;L=K9 4><5= (=0 >A=>25 PKI) 57>?0A=>ABL ?@8;>65=89 >A=>25 XML 57>?0A=>ABL <564C :>=5G=K<8 B>G:0<8 ?@8;>65=89 (End-to-end) @85=B8@>20==0O =0 4>:C<5=B (8;8 A5<0=B8G5A:89 >1L5:B) 0=40BK 8 <0@:5@K 157>?0A=>AB8 <>3CB 1KBL 0AA>F88@>20=K A 4>:C<5=B>< 8;8 A>>1I5=85< 8;8 8E G0ABLN >B5=F80;L=> @01>B05B <564C 4><5=0<8 04<8=8AB@0B82=K<8 8 157>?0A=>AB8 >72>;O5B A>74020BL 48=0<8G5A:85 8 28@BC0;L=K5 0AA>F80F88??~?$tb?~?$tb???")"# 5  1 6aE9?????P><?>=5=BK 157>?0A=>AB8 XML - ?@8;>65=89?: " ??pXML Signature XML Encryption 5:;0@0F88 157>?0A=>AB8 (Security Assertions) SAML (Security Assertion Mark-up Language) XrML (XML Right Mark-up Language) XACML (XML Access Control Mark-up Language) XKMS (XML Key Management Specification) @E8B5:BC@=K5 @0AH8@5=8O Web Services Security (WS-Security) OGSA Security ?hKzA2KzA2 ?J?3?????4A=>2=K5 G5@BK XML-?>4?8A8?,???$C=40<5=B0;L=0O G5@B0: 2>7<>6=>ABL ?>4?8AK20BL >B45;L=K5 G0AB8 4>:C<5=B0 B0: 65 :0: 8 F5;K9 4>:C<5=B. XML-4>:C<5=B <>65B 8<5BL 4;8==CN 8AB>@8N, ?@8 MB>< @07;8G=K5 G0AB8 4>:C<5?=B0 <>3CB A>74020BLAO 8 2878@>20BLAO @07;8G=K<8 AC1L5:B0<8 8 2 @07;8G=>5 2@5<O 07;8G=K5 AB>@>=K/AC1L5:BK <>3CB 8<5BL ?>;=><>G8O ?>4?8AK20BL B>;L:> @07;8G=K5 G0AB8 4>:C<5=B0 >72>;O5B A>E@0=OBL F5;>AB=>ABL >4=8E G0AB59 4>:C<5=B0 8 8<5BL 2>7<>6=>ABL 87<5=OBL 4@C385 G0AB8 4>:C<5=B0 >72>;ONB ?@8A>548=OBL <0@:5@K/<0=40BK 157>?0A=>AB8 : 4>:C<5=BC 2 >B;8G85 >B 8A?>;L7>20=8O 157>?0A=>3> A>548=5=8O :;85=B/A5@25@ XML-?>4?8AL >15A?5G8205B A5@28AK 157>?0A=>AB8 4;O ?@>B:>;>2, >A=>20==KE =0 XML  B0:65 >A=>2C 4;O 2:;NG5=8O 8=D>@<0F88 > A>AB>O=88 ?Nf24f24 ??M?^jH3?????*!B@C:BC@0 XML-?>4?8A8?, ???? ? ? (? ()?? ? ? )+? ? ()?? ()*? ??$?Z?%??? /   $?????N 0AH8@5=85 0@E8B5:BC@K XML-157>?0A=>AB8?2 ??4WS-Security (Web Services Security) 0AH8@5=8O : D>@<0BC A>>1I5=89 SOAP (Simple Object Access Protocol) !B0=40@B=K5 703>;>2:8 4;O 0CB5=B8D8:0F88 8 02B>@870F88, 0C48B0, 0AA>F80F89 157>?0A=>AB8, ?@820B=>AB8 1<5=0 C4>AB>25@ONI8<8 <0=40B0<8/<0@:5@0<8 2 D>@<0B5 X.509 PKC, SAML, XrML, XCBF &8D@>20O ?>4?8AL, H8D@>20=85 @>B>:>;K 4;O A8=E@>==>3> 8 0A8=E@>==>3> >1<5=0 A>>1I5=8O<8 8 >@30=870F88 <564><5==KE :>>?5@0B82=KE 51-A5@28A>2 OGSA Security (Open Grid Services Architecture) >AB@>5=0 =0 >A=>25 WS-Security $C=:F8>=0;L=>ABL 4;O A>740=8O 28@BC0;L=KE >@30=870F89 () 5;538@>20=8O ?>;=><>G89 (credentials) 8 D545@0F8O 845=B8D8:0B>@>2 AC1L5:B0 =>=8<=>ABL/?@820B=>ABL, 0AA>F80F88 4;O C?@02;5=8O 4>ABC?>< >445@6:0 B@0=78B82=KE ?@>F5AA>2 A :>=5G=K<8 A>AB>O=8O<8 (transitional stateful processes)??$DeQq0[?[$De5   q0[?[??$$??1 U ?!?????F#?@02;5=85 4>ABC?>< =0 >A=>25 @>;59?#???RBAC  Role Based Access Control >;L >?8AK205B DC=:F8N @020 >?@545;ONB 4>ABC? : @5AC@AC 2 >?@545;5==>< @568<5 @58<CI5AB20 RBAC 53:> C?@02;OBL 8 :>=B@>;8@>20BL 0745;L=>5 =07=0G5=85 @>;8-?>;L7>20B5;8 8 @>;8-?@828;5388 0AHB018@C5<>ABL >445@68205B ?@8=F8? <8=8<0;L=> =5>1E>48<KE ?@828;5389 0A;54>20=85 8 03@538@>20=85 ?@828;5389/?@02 >7<>6=>ABL 45;538@>20=8O ?L!O?!O??H!O "??????N=D@0AB@C:BC@0 C?@02;5=8O ?@828;538O<8 ?'???PMI  Privilege Management Infrastructure !B@>8BAO =0 >A=>25 !5@B8D8:0B>2 B@81CB>2 (AC  Attribute Certificate) ! A>2<5AB=> A ! >?@545;5=K AB0=40@B>< X.509 version 4 ! 8A?>;L7C5BAO 4;O 0CB5=B8D8:0F88, ! 8A?>;L7C5BAO 4;O 02B>@870F88 PMI :0: >A=>20 4;O ?>AB@>5=8O RBAC ! ?>72>;O5B A2O70BL 845=B8D8:0B>@ ?>;L7>20B5;O A @>;O<8 8 @>;8 A ?@828;538O<8 >445@68205B 85@0@E8G5A:85 A8AB5<K RBAC, ?@54>AB02;OO 2>7<>6=>ABL >1L548=5=8O @>;L 8 4>?>;=8B5;L=KE ?@828;5389 3@0=8G8205B 3;C18=C 45;538@>20=8O >;8B8:0 PMI A?>;L7C5BAO 4;O :>=B@>;O 4>ABC?0 : @5AC@A0< =0 >A=>25 @>;59 @028;0 >?@545;5=8O @>;59 4;O ?>;L7>20B5;59 8 ?@828;5389 4;O ?>;L7>20B5;59 0745;L=K5 ?>;8B8:8 4;O AC1L5:B0, SOA, 85@0@E8O @>;59, 45;538@>20=85, 4@.??*?E#? ?*?E#? ???***Fst=m#?????PLiberty Alliance 8 A5B520O 845=B8D8:0F8O?)) ?$??xLiberty Alliance Project (LAP) LAP 22>48B ?>=OB8O ?@>20945@0 845=B8D8:0F88 (identity provider) 8 :@C30 4>25@8O (trust circle) LAP >15A?5G8205B ?>;=K9 :>=B@>;L 70 A2>8< 845=B8D8:0B>@>< 8 0AA>F80F8O<8/D545@0F8O<8, :>B>@K5 <>3CB A>74020BLAO ?@>20945@0<8 845=B8D8:0F88  =0 >A=>20=88 ?@5420@8B5;L=>3> A>3;0A8O ?>;L7>20B5;O LAP 8A?>;L7C5B SAML 8 @0AH8@O5B 53> =>2K<8 M;5<5=B0<8 8 ?@>B>:>;0<8 LAP >?@545;O5B B@8 <>45;8 4>25@8O, >A=>20==K5 =0 PKI 8;8 187=5A->B=>H5=8OE: 2708<=>5, G5@57 ?>A@54=8:0-1@>:5@0 8 A@548 A>>1I5AB20 A=>2=K5 DC=:F88 LAP: $545@0F8O 845=B8D8:0F88; @54AB02;5=85 ?@>20945@0 845=B8D8:0F88; 0CB5=B8D8:0F8O; 8A?>;L7>20=85 ?A524>=8<>2 8 ?>445@6:0 0=>=8<=>AB8; 3;>10;L=K9 2KE>4 87 A8AB5<K ?:???)? 0-^??????@OB:@KBK5 A8AB5<K 4;O AuthN/AuthZ?0 ??* 07@01>B0=K 2 @0<:0E ?@>5:B>2 Internet2, FP5 8 =0F8>=0;L=KE =0CG=KE A5B59 PERMIS (PrivilEge and Role Management Infrastructure Standards validation) - http://www.permis.org/ Shibboleth - http://shibboleth.internet2.edu/ A-Select - http://a-select.surfnet.nl/ FEIDE (Federated Identity for Education) - http://www.feide.no/ PAPI - http://www.rediris.es/app/papi/index.en.html SPOCP - http://www.spocp.org/ ?~JLJ[  ? ??f" , ?????D@C3;K9 AB>;  @84 8 157>?0A=>ABL?"???LJG, EGEE and RDIG Technologies for GRID  promotion, experience exchange, implementaion Virtual Organisations  reality vs virtuality Security technologies for modern networking infrastrcuture and applications Terminology on GRID and Security GLORIAD Project  http://www.gloriad.org/ Mailing lists: Gloriad@gloriad.org - closed Discussion@gloriad.org - open ?kk?L/ ??Sm 0?/B??Wm 0?Lb?????*!?@02>G=0O 8=D>@<0F8O???6XML Web Services WS-Security OGSA basics OGSA Security?77?????J@E8B5:BC@0 =0 >A=>25 XML Web Service?"??X?8A0=85 =0 >A=>25 WSDL (Web Services Description Language) 1<5= A>>1I5=8O<8 2 D>@<0B5 SOAP ?@8 ?><>I8 ?@>B>:>;>2 HTTP, SMTP, TCP, etc. C1;8:0F8O 8 ?>8A: ?>A@54AB2>< UDDI????z?????B>45;L 157>?0A=>AB8 Web Services? ?? ?????LWS-Security: 0AH8@5=8O : D>@<0BC SOAP? ??URI: http://schemas.xmlsoap.org/ws/2002/04/secext @>AB@0=AB20 8<5=, 8A?>;L7C5<K5 2 WS-Security: SOAP S http://www.w3.org/2001/12/soap-envelope XML Digital Sign ds http://www.w3.org/2000/09/xmldsig# XML Encryption xenc http://www.w3.org/2001/04/xmlenc# XML/SOAP Routing m http://schemas.xmlsoap.org/rp WSSL wsse http://schemas.xmlsoap.org/ws/2002/04/secext ????" "KJ  ?????&Open Grid Services Architecture (OGSA)???WSDL extensions to describe specifics of Grid Services Defines new portType - GridService Provides mechanism to create Virtual Organisation Provides mechanism to create transient services - Factories Provides soft-state registration of GSH - Registry Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface. OGSA services can be created and destroyed dynamically Grid Service is assigned globally (persistent) unique name, the Grid service handle (GSH) Grid services may be upgraded during their lifetime and referenced by Grid (dynamic) service reference (GSR) ?67??7???,C  _?????L@E8B5:BC@0 157>?0A=>AB8 OGSA Security???>>AB@>5=0 =0 >A=>25 WS-Security?$ ??}??Proxy Certificate Profile???Impersonation  used for Single-Sign-On and Delegation Unrestricted Impersonation Restricted Impersonation defined by policy Proxy with Unique Name Allows using in conjunction with Attribute Cert Used when proxy identity is referenced to 3rd party, or interact with VO policy Limited validity time  approx. 24 hours Proxy Certificate (PC) properties: It is signed by either an X.509 End Entity Certificate (EEC), or by another PC. This EEC or PC is referred to as the Proxy Issuer (PI). It can sign only another PC. It cannot sign an EEC. It has its own public and private key pair, distinct from any other EEC or PC. It has an identity derived from the identity of the EEC that signed the PC. Although its identity is derived from the EEC's identity, it is also unique. It contains a new X.509 extension to identify it as a PC and to place policies on the use of the PC. This new extension, along with other X.509 fields and extensions, are used to enable proper path validation and use of the PC. ??7ZFZZ?Z)Z$Z?Z7F[ #)$??d"L?4O??????Reference: PKI Basics???TPKI (Public Key Infrastructure)  =D@0AB@C:BC@0 >B:@KBKE :;NG59 () !2O7K205B 845=B8D8:0B>@ (8<O A>1AB25==>5, distinguished name) AC1L5:B0 A 53> >B:@KBK< :;NG>< A=>20   !5@B8D8:0B >B:@KB>3> :;NG0 (!, PKC - Public Key Certificate) CRL  Certificate Revocation List ><?>=5=BK  Identification Service (IS) Registration Authority (RA) Certification Authority (CA) Certificate Repository (CR), normally built on LDAP ?bG?"?G?"? ??"O .!U5?????Reference: PKC vs AC: Purposes??X.509 PKC binds an identity and a public key AC is a component of X.509 Role-based PMI AC contains no public key AC may contain attributes that specify group membership, role, security clearance, or other authorisation information associated with the AC holder Analogy: PKC is like passport, and AC is like entry visa PKC is used for Authentication and AC is used for Authorisation AC may be included into Authentication message PKC relies on Certification Authority and AC requires Attribute Authority (AA) ??W?@/OW?@/O?????!PKC vs AC: Certificates structure?"" ??}X.509 PKC Version Serial number Signature Issuer Validity Subject Subject Public key info Issuer unique identifier Extensions?* t t ??`AC Version Holder Issuer Signature Serial number Validity Attributes Issuer unique ID Extensions?*^^?????TX.509 PKC Fields and Extensions  RFC 3280?++ ??\X.509 PKC Fields Serial Number Subject Subject Public Key Issuer Unique ID Subject Unique ID?&LL ??:X.509 PKC Extensions Standard Extensions Authority Key Identifier Subject Key Identifier Key Usage Extended Key Usage CRL Distribution List Private Key Usage Period Certificate Policies Policy Mappings Subject Alternative Name Issuer Alternative Name Subject Directory Attributes Basic Constraints Name Constraints?:?????$AC Attribute Types and AC Extensions??|AC Attribute Types Service Authentication Information Access Identity Charging Identity Group Role Clearance Profile of AC ?*jj ???AC Extensions Audit Identity To protect privacy and provide anonymity May be traceable via AC issuer AC Targeting Authority Key Identifier Authority Information Access CRL Distribution Points?VI[I[/?? P????rS ?g?/ D??Root Entry??????????d?O?????)?jϯ??s?Pictures?????????$Current User????????????lJSummaryInformation(????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????)????????????????????????????????????????????    *????? !"$????{????????????????????+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq????tuvwxyz |}~?  !"#$%&'()*+,-./0123456789:;<=>????@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk????m????????????????????????????????????????????????????????????????????????????1-0303.pdfmailto:Gloriad@gloriad.orgmailto:Discussion@gloriad.org?&_???T???Yuri DemchenkoYuri Demchenko.????@Times New RomanS??w\??w0-? .2 ?Yuri  .