Use of SAML for OGSA Authorization

Status of This Memo

This document has been submitted to the Global Grid Forum OGSA Security Working Group for consideration as a recommendations document in the area of OGSA authorization.

The latest version of this document can be found at:
http://www.globus.org/ogsa/Security/

Copyright Notice

Copyright Global Grid Forum (2003). All Rights Reserved.

Abstract

This document defines an open grid services architecture (OGSA) authorization service based on the use of the security assertion markup language (SAML) as a format for requesting and expressing authorization assertions. Defining standard formats for these messages allows for pluggability of different authorization systems using SAML.

Open Issues in this Document

- Intro: Make sure syncs with overview document (Owner: VW)
- Section 3: Reorganize into Query and Response (Owner: VW)
- Section 6.1.3.2: SDE expression isn't right. Need hierarchical resource specification? (Owner: VW)
- Section 6.1.4: Need to define Evidence element schemas for credentials (Owner: VW)
- Section 6.1.4: Need explanation of including credentials (Owner: VW)
- Section 6.1.4: Need explanation of Date, Time, DateTime Evidence. Why are they there, what should PDP do with them (Owner: DC)
- Section 6.2.1: Can we say anything better about Conditions? (Owner: VW)
- Section 6.2.2: Need to verify section is correct and remove comment questioning such (Owner: DC)
- Section 6.2.3: Indeterminate requires Condition? VW says No. (Owner: DC)
- Section 6.2.6 (and 6.1.4): Resolve differences between xsd:dateTime and ISO 8601 (Owner: DC)
- Section 7: Finish fleshing out GWSDL (Owner: VW)
- Glossary: Make sure terms sync with overview and authz framework (Owner: VW)
- References: Complete and verify (Owner: VW)

STILL TO DO:

- Determine how signing is to be signaled in the request.

Table of Contents

Abstract
1. Introduction
2. Conventions used in this Specification
3. SAML Authorization Overview
   3.1 SAML Version
   3.2 SAML Authorization Model
   3.3 Action Element
   3.4 Resource Element
   3.5 Subject and NameIdentifier Elements
   3.6 AuthorizationDecisionStatement Element
   3.7 AttributeStatement Element
   3.8 Assertion Element
   3.9 Conditions Elements
   3.10 Advice Elements
   3.11 AuthorizationDecisionQuery Element
   3.12 Evidence Elements
   3.13 ReferenceStatement Element
4. Overview of Extensions
   4.1 Simple Authorization Query Response: New Statement Type
   4.2 Extended Authorization Query
5. SAML Extensions
   5.1 Element
   5.2 Element
6. SAML Authorization Element Usage in OGSA
   6.1 (Extended)AuthorizationDecisionQuery
   6.2 Assertion Element
7. SAML Authorization Service PortType
   7.1 Grid Authorization Service SDEs
8. Security Considerations
Author Information
Glossary
Intellectual Property Statement
Full Copyright Notice
References

Introduction

There are a number of authorization systems currently available for use on the Grid as well as in other areas of computing, such as Akenti [Akenti], CAS [CAS], PERMIS [PERMIS], VOMS [VOMS] and Cardea [Ref needed]. Some of these systems are normally used in decision push mode by the application [RFC2904] - they act as services and issue their authorization decisions in the form of authorization assertions that are conveyed, or pushed, to the target resource by the initiator. Others are used in decision pull mode by the application - they are normally linked with an application or service and act as a policy decision maker for that application, which pulls a decision from them.

On the abstract level both of these types of authorization services have similar semantics - they are given a description of the initiator (which might include the initiator's privileges), a description of an action being requested (including its argument), details about the target resource to be accessed, and any contextual information such as time of day, and they provide an authorization decision whether the action should be processed or rejected. These authorization services can themselves act in credential push or pull mode [RFC3281]. In credential push mode, the client provides all the information necessary for a decision to be made.
In credential pull mode, the client provides everything except the initiator's privileges, and the authorization service then pulls these privilege tokens (or credentials) from some other authority, and bases its decision on them. The client may provide a pointer to the authorization service, giving it a hint where to find the privileges, or the authorization service may be pre-configured with knowledge about where to locate them.

With the emergence of OGSA and Grid Services, it is expected that some of these systems will become OGSA authorization services as mentioned in the OGSA Security Roadmap [Roadmap]. OGSA authorization services are Grid Services providing authorization functionality over an exposed Grid Service portType. A client sends a request for an authorization decision to the authorization service and in return receives an authorization assertion or a decision. A client may be the resource itself, an agent of the resource, or an initiator or a proxy for an initiator who passes the assertion on to the resource.

This specification defines the use of SAML [SAML] as a message format for requesting and expressing authorization assertions and decisions from an OGSA authorization service. This process can be single or multi-step. In single step authorization, all the information about the requested access is passed in one SAML request to the authorization service. In multi-step authorization, the initial SAML request passes information about the initiator, and subsequent SAML requests pass information about the actions and targets that the initiator wants to access. The SAML AuthorizationDecisionQuery element is defined as the message to request an authorization assertion or decision, the DecisionStatement element is defined as the message to return a simple decision, and the AuthorizationDecisionStatement as the method for expressing an authorization assertion.
By defining standard message formats, the goal is to make these different authorization services pluggable, so that different authorization systems can be used interchangeably in OGSA services and clients.

Section 2 describes the conventions and namespaces used in this document. Section 3 contains a non-normative overview of the authorization portions of the SAML specification. Section 4 contains a non-normative description of SAML extensions defined in this document and Section 5 is a normative definition of those extensions. Section 6 is normative and defines how SAML elements should be used to form OGSA authorization assertions and requests. Section 7 contains the WSDL for the authorization service portType. Section 18 contains non-normative commentary. The specification concludes with GGF copyright and intellectual property statements, author affiliation and contact information and a glossary.

Conventions used in this Specification

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [RFC2119].

This specification uses namespace prefixes throughout; they are listed in Table 1.
Note that the choice of any namespace prefix is arbitrary and not semantically significant.

Table 1: Namespaces used in this specification.

Prefix       Namespace
ogsa-saml    http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/
operation    http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/operation
sde-read     http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/sde/read
sde-modify   http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/sde/modify
wildcard     http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/wildcard
saml         urn:oasis:names:tc:SAML:1.0:assertion
samlp        urn:oasis:names:tc:SAML:1.0:protocol

SAML Authorization Overview

The SAML specification [SAML] defines a number of elements for making assertions and queries regarding authentication, authorization decisions and attributes. It also supports extensibility by allowing applications to define their own elements. In this section we give a brief non-normative overview of the elements related to authorization, and the additional elements needed for Grid authorization. Readers are encouraged to review the SAML specification for more details.

SAML Version

This specification is based on the SAML v1.01 specification. This specification defines a number of extensions to SAMLv1.01, described in Section 4, that are necessary for Grid authorization. The authors are aware that SAMLv1.1 has been issued and that OASIS is currently working on SAMLv2.0. Indeed, the authors are working closely with the OASIS organization to help ensure that SAMLv2.0 contains the extensions described in this specification (and if not syntactically identical, then at least having the same semantic content). Once SAMLv2.0 has been published, it is the intention of the authors to migrate this specification to SAMLv2.0.
The reason that SAMLv1.1 is not being used for the current specification is that it deprecates one feature (RespondWith) that is essential for Grid authorization.

SAML Authorization Model

As shown in Figure 1, SAML defines a message exchange between a policy enforcement point (PEP) and a policy decision point (PDP) consisting of an AuthorizationDecisionQuery (2) flowing from the PEP to the PDP, with an Assertion returned containing some number of AuthorizationDecisionStatements (3). We also define extensions to SAML to support exchanges in which a client can issue an AuthorizationDecisionQuery to a server, and have an Assertion returned containing either an AttributeStatement or a simple AuthorizationDecision.

Figure 1: SAML message flow. (1) A request arrives at the target resource. (2) The Grid Service generates and sends a SAML AuthorizationDecisionQuery to an Authorization Service. (3) The service evaluates the request against policy and returns a response encoded as a SAML Assertion.

In the following sections we describe the AuthorizationDecisionQuery and the Assertion element, and the elements that are used to compose these.

Action Element

The Action element allows for the expression of actions that may be attempted by entities and expressed in policy. This element consists of a string and a URI defining a namespace for the action described in the string.

For example, the SAML specification defines a namespace for HTTP operations that defines actions of GET, HEAD, PUT, POST.

Resource Element

The Resource element is used to identify the target on which the policy is being asserted or requested. This element is simply a URI.

Subject and NameIdentifier Elements

The Subject element contains a NameIdentifier element as well as some elements outside the scope of this document. In SAML authorization assertions, the NameIdentifier element serves to identify the initiator of the action being authorized.
The NameIdentifier element contains a string to hold an identity that has two attributes:

- The NameQualifier attribute is a string expressing the security or administrative domain that defined the name (e.g. Kerberos realm, CA name).
- The Format attribute is a URI identifying the format of the name (e.g. X509 subject name).

AuthorizationDecisionStatement Element

The AuthorizationDecisionStatement element contains statements regarding authorization policy. Each of these statements contains a Subject element, identifying the entity whose rights are being expressed, a Resource element, identifying the resource(s) the rights apply to, an optional Evidence element holding the assertions the issuer relied upon in making its decision, any number of Action elements (expressing the allowed or denied operations) and the Decision attribute containing the authorization decision. The assertion may also optionally have a Conditions element present expressing the conditions that must be fulfilled before the authorization can be permitted and an Advice element providing additional information related to the authorization decision which may be ignored by the recipient.

AttributeStatement Element

This element supplies a statement by the issuer that the specified subject is associated with the specified attribute(s).

Assertion Element

The Assertion element specifies the basic information that is common to all SAML assertions, and optionally it may be signed. It can contain any number of Statements, for example, AuthorizationDecisionStatements and AttributeStatements. It is also capable of containing statements related to authentication, but for the purposes of this document we only consider Assertions containing AttributeStatements, AuthorizationDecisions and AuthorizationDecisionStatements.

Conditions Elements

Each Assertion element may also contain any number of Conditions elements.
Conditions elements are specified to express policy restrictions on the assertion such as a validity time of the Assertion. However, they are extendable to express arbitrary conditions on the use of the assertion. Condition elements might typically be added to assertions if the decision engine had insufficient information to be able to evaluate the policy locally.

Advice Elements

An Assertion element may contain any number of Advice elements. Advice elements hold information related to the assertion, but they may be ignored by applications that do not support them. Examples of information that could be included in an Advice element are: an identifier of the policy that was used by the PDP when making its authorization decision, and assertions that were used by the PDP when making its authorization decision.

AuthorizationDecisionQuery Element

The AuthorizationDecisionQuery element allows for the request of AttributeStatements, AuthorizationDecisionStatements and simple AuthorizationDecision responses. It contains a Subject, Resource, optional Evidence, and any number of Action elements that identify the decisions that the initiator wants to be made, as well as a RespondWith element that identifies the type of response that the client wishes to be returned.

Evidence Elements

Evidence elements allow for queries to provide information to the PDP that may be useful for its decision-making. They are used to hold the credentials of the initiator, as well as contextual and environmental information. The initiator's credentials may be either included directly in the evidence element (as AttributeStatements), or may be included indirectly via a pointer (as ReferenceStatements). This allows the PDP to support both the credential push and pull mode of operation. In responses, they also allow the PDP to express what information it used to make its decision.

Each AuthorizationDecisionStatement and AuthorizationDecisionQuery element can contain any number of Evidence elements.
Each Evidence element can contain any number of Assertion elements (or references to Assertion elements) that affect the policy decision process.

ReferenceStatement Element

This element allows Authorization Decision Queries to contain a pointer to an external resource, which may contain credentials for the initiator. This is used to flag the credential pull mode of operation.

RespondWith Element

This element is used in queries to tell the service what type of response to provide. It is used by the client to signal if the first step of multi-step authorization is required (RespondWith an Attribute statement), or if a simple decision response should be returned (RespondWith a Decision response), or if an authorization decision assertion should be returned (RespondWith an Authorization decision statement).

Overview of Extensions

This section provides non-normative discussion of the extensions in this specification.

The goals of these extensions are to allow an entity requesting an authorization decision to indicate the following preferences in regards to the response, and for the responder to oblige those requests if it can and wishes to:

- To request a simple decision in regards to that query instead of a list of allowed rights of the subject.
- To request that either the assertion(s) or the response be signed.
- To provide one or more URIs from which attributes regarding the subject may be obtained.

VW: Both of these extensions rely on the RespondWith element that is deprecated in the proposed SAML 1.1 protocol. We need to explore how we would implement these features without this element.

Simple Authorization Query Response: New Statement Type

In the SAML authorization query protocol, a resource normally sends a query to the decision service with an enumeration of the actions being attempted by a requestor.
The decision service responds with an assertion containing the set of actions that the requestor is authorized to perform.

While this functions well for situations where the resource may be interested in knowing what subset of the actions the requestor is allowed to perform, in "all or nothing" situations where the resource is only interested in knowing if the requestor can perform all the enumerated actions, it requires the resource to process the entire list to verify if all the actions originally requested are listed.

This specification defines a new StatementType, the SimpleAuthorizationDecisionStatement element, which contains a reference to the original AuthorizationDecisionQuery and a simple boolean decision in regards to that query as a whole. This allows an easy-to-parse decision to be rendered on the query as a whole, as well as potentially significantly reducing the bandwidth needed to transmit the decision.

Extended Authorization Query

This document defines an extended authorization query type which adds the following features:

- A mechanism to allow a requestor to indicate their interest in a simple authorization response (as described in the previous section) rather than a full set of AuthorizationDecisionStatements.
- A mechanism to allow a requestor to pass information to the PDP which it may choose to use in making its decision. This document also defines one such element, which allows a requestor to pass a pointer to the source of attribute information regarding the subject.
- A mechanism to allow a requestor to indicate their preference in regards to whether the response is signed and how. This is useful for saving work on the PDP in situations where some clients may be passing the response on to another party (e.g.
  in a push mode of operation) while others will be direct consumers and hence don't need any signatures when the transport layer provides sufficient security.

VW: Maybe we just want to define a separate type of query to get an AuthorizationDecision instead of overloading AuthorizationDecisionQuery? SimpleAuthorizationDecisionQuery?

Multi-Stage Authorization

As discussed in [Authz], some Grid authorization scenarios involve the establishment of a session between a requestor and a resource in which the resource may need multiple, different, authorization decisions regarding the same requestor. To optimize processing for both the resource and the authorization decision service, it is helpful to allow the resource and decision service to establish state. The decision service can then process the request's credentials once and maintain state about the user so that subsequent queries can be responded to without reprocessing the user's credentials.

VW: I suggest we explore using stateful OGSA service instances for this instead of a context state in an attribute.

SAML Extensions

This section is normative. It defines the SAML extensions used by OGSA. See the previous section for a non-normative description of these extensions.

These extensions are made to the SAML 1.1 schema using the type derivation method as described in Section 6.3 of [SAML].

Element

The ExtendedAuthorizationDecisionQuery element allows the entity making the query to indicate preferences in the query reply.

An ExtendedAuthorizationDecisionQuery element contains the following attributes:

RequestSimpleDecision [Optional]
This element indicates the requestor's preference in regards to having the response in the form of a single SimpleAuthorizationDecisionStatement (as defined in this document) instead of as one or more AuthorizationDecisionStatement elements.

Recipient [Optional]
This element is used to indicate the intended recipient of the response.
When a SimpleAuthorizationDecisionStatement is requested, it will be included in that statement to help prevent replay of such an element to an entity other than the intended one.

RequestSigned [Optional]
This element is used to request that a signature be included with the response. This element should contain the name of the element to be signed, i.e. samlp:Response or saml:Assertion. A responder to a query with this attribute set SHOULD sign the response as requested; however, it is under no obligation to do so and MAY return an unsigned response (or one signed differently) if unable or unwilling to accommodate the RequestSigned element.

An ExtendedAuthorizationDecisionQuery element contains the following elements:

AuthorizationAdvice [Optional]
This abstract element allows for additional information to be included with the query that the responder MAY use when rendering a decision.

The following schema fragment defines the element and its ExtendedAuthorizationDecisionQueryType complex type:

Element <SubjectAttributeReferenceAdvice>

The element is an extension point that allows for additional information to be included with an authorization query that MAY be used by the responder.

The following schema fragment defines the element and its AuthorizationAdviceAbstractType complex type:

Element

The element supplies a statement by the issuer that the designated attributes associated with the specified subject may be obtained from the referenced URI. Its purpose is to advise the PDP where it may find attributes associated with the subject, and it is used to support the credential pull mode of operation. is of type SubjectAttributeReferenceAdviceType, which extends the SubjectAttributeReferenceAdvice AbstractType with the addition of the following:

AttributeDesignator [Any number]
These elements list the attributes that may be located at the referenced URI.
If this component is absent, then it implies that all attributes can be found at the referenced URI.

Reference Attribute [Required]
This attribute provides the URI from which the attributes may be obtained.

The following schema fragment defines the element and its SubjectAttributeReferenceAdviceType complex type:

Element

The element specifies the decision made about a corresponding SAML AuthorizationDecisionQuery request. Its purpose is to allow a response of "permitted or denied" to the statement as a whole without enumeration of the rights in the response, which in turn allows for easier processing of the response by the requestor. It has the complex type SimpleAuthorizationDecisionStatementType, which extends the StatementAbstractType by adding the following to it:

Decision [Required]
The decision made by the responder.

InResponseTo [Required]
The RequestID from the query which this statement is in response to. This attribute MUST be present and its value MUST match the value of the RequestID field which this statement is in response to.

Recipient
If the ExtendedAuthorizationDecisionQuery that this Statement is in response to contained a Recipient attribute, this attribute MUST be present and its value MUST match the value of the Recipient field in the query which this statement is in response to.

The following schema fragment defines the element and its SimpleAuthorizationDecisionStatementType complex type:

Note that Decision is in response to the SAML request identified in the InResponseTo attribute, so this attribute MUST be present in the response.

Question. The SAML DecisionType actually has three allowed values: Permit, Deny and Indeterminate. We need to disallow the use of Indeterminate in this construct.
Is there a formal way in Schema of disallowing an enumerated value, or do we add a comment to the Schema, or should we define a new BooleanDecision type?

Element

The element supplies a statement by the issuer that the designated attributes associated with the specified subject may be obtained from the referenced URI. Its purpose is to advise the PDP where it may find attributes associated with the subject, and it is used to support the credential pull mode of operation. is of type ReferenceStatementType, which extends the SubjectStatementAbstractType with the addition of the following:

Element [Any number]
lists the attributes that may be located at the referenced URI. If this component is absent, then it implies that all attributes can be found at the referenced URI.

Attribute [Required]
provides the URI from which the attributes may be obtained.

SAML Authorization Element Usage in OGSA

This section is normative. It describes how SAML Authorization elements are used to meet OGSA requirements for authorization assertions and decisions as described in [Authz]. It first describes the use of the AuthorizationDecisionQuery and ExtendedAuthorizationDecisionQuery elements, which are used by entities to request authorization assertions and/or decisions from an authorization service. This is followed by a description of the Attribute Statement, which is used in multi-step authorization to return the validated credentials of the initiator. Finally, the statements that can be returned in the response are described: either one or more standard AuthorizationDecisionStatement elements, or a SimpleAuthorizationDecisionStatement element, or use of an Assertion element carrying an AuthorizationDecisionStatement from the authorization service to the resource.

(Extended)AuthorizationDecisionQuery

A client MUST request an authorization decision using either an AuthorizationDecisionQuery or an ExtendedAuthorizationDecisionQuery. This section describes constraints on fields that are in both of these elements. Fields solely in an ExtendedAuthorizationDecisionQuery are described in Section 5.1.

The SAML AuthorizationDecisionQuery element MUST be used by a client to request an authorization service. Four different types of authorization service are defined, namely:

- a single step authorization service operating in either credential pull or credential push mode - this is signaled by use of the Reference statement;
- an authorization service returning either a simple AuthorizationDecision response, or an AuthorizationDecisionStatement assertion - this is signaled by appropriate use of the RespondWith element;
- the first step of multi-step authorization in credential push or pull mode, returning an Attribute Statement; and
- the second step of multi-step authorization, returning either a simple AuthorizationDecision response or an AuthorizationDecisionStatement assertion.
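
The reply handling described above for a policy enforcement point, covering both the standard "all or nothing" check over AuthorizationDecisionStatements and the binding checks on a SimpleAuthorizationDecisionStatement, is shown here as an added Python example that is not part of the specification. Because the schema fragments are not reproduced in this text, it assumes the SimpleAuthorizationDecisionStatement sits directly inside a saml:Assertion with unqualified Decision, InResponseTo and Recipient attributes; the function names, request identifier, subject, resource and action names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as listed in Table 1 of the specification.
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
OGSA = "http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/"
OPERATION = OGSA + "action/operation"
NS = {"saml": SAML}
# Assumed placement and name of the extension element (schema not shown here).
SIMPLE = "{%s}SimpleAuthorizationDecisionStatement" % OGSA


def permitted_actions(assertion, subject, resource):
    """Return the (namespace, action) pairs that standard
    AuthorizationDecisionStatements permit for this subject and resource."""
    allowed = set()
    for stmt in assertion.findall("saml:AuthorizationDecisionStatement", NS):
        name = stmt.findtext("saml:Subject/saml:NameIdentifier", "", NS)
        if (stmt.get("Decision") != "Permit"
                or stmt.get("Resource") != resource
                or name.strip() != subject):
            continue
        for action in stmt.findall("saml:Action", NS):
            allowed.add((action.get("Namespace"), (action.text or "").strip()))
    return allowed


def evaluate_reply(reply_xml, request_id, subject, resource, requested,
                   recipient=None):
    """Fail-closed PEP evaluation of a PDP reply; returns (allowed, reason).

    Signature or transport-level checks are assumed to have passed already.
    """
    if not requested:
        return False, "no actions requested"
    assertion = ET.fromstring(reply_xml)
    simple = assertion.find(SIMPLE)
    if simple is not None:
        # One decision for the whole query: bind it to our own query first.
        if simple.get("InResponseTo") != request_id:
            return False, "InResponseTo does not match RequestID"
        if recipient is not None and simple.get("Recipient") != recipient:
            return False, "Recipient does not match the query"
        if simple.get("Decision") == "Permit":
            return True, "simple decision: Permit"
        # Deny, Indeterminate or a missing attribute are all refusals.
        return False, "simple decision: %s" % simple.get("Decision")
    # Standard reply: every requested action must be listed as permitted.
    missing = set(requested) - permitted_actions(assertion, subject, resource)
    if missing:
        names = ", ".join(sorted(name for _, name in missing))
        return False, "not permitted: " + names
    return True, "all requested actions permitted"


# ---- Constructed sample data (illustrative, not from the specification) ----
SUBJECT = "CN=Alice Example,O=Example Grid"
RESOURCE = "https://grid.example.org/ogsa/services/JobService"
PEP = "https://pep.example.org/"
WANTED = [(OPERATION, "submitJob"), (OPERATION, "cancelJob")]


def standard_reply(actions):
    """Build an Assertion permitting `actions` for SUBJECT on RESOURCE."""
    acts = "".join('<saml:Action Namespace="%s">%s</saml:Action>'
                   % (OPERATION, a) for a in actions)
    return ('<saml:Assertion xmlns:saml="%s">'
            '<saml:AuthorizationDecisionStatement Decision="Permit" '
            'Resource="%s"><saml:Subject><saml:NameIdentifier>%s'
            '</saml:NameIdentifier></saml:Subject>%s'
            '</saml:AuthorizationDecisionStatement></saml:Assertion>'
            % (SAML, RESOURCE, SUBJECT, acts))


def simple_reply(decision, in_response_to, recipient):
    """Build an Assertion carrying one SimpleAuthorizationDecisionStatement."""
    return ('<saml:Assertion xmlns:saml="%s" xmlns:ogsa-saml="%s">'
            '<ogsa-saml:SimpleAuthorizationDecisionStatement Decision="%s" '
            'InResponseTo="%s" Recipient="%s"/></saml:Assertion>'
            % (SAML, OGSA, decision, in_response_to, recipient))


if __name__ == "__main__":
    cases = [
        ("standard, partial", standard_reply(["submitJob"])),
        ("standard, full", standard_reply(["submitJob", "cancelJob"])),
        ("simple, bound", simple_reply("Permit", "req-0001", PEP)),
        ("simple, replayed", simple_reply("Permit", "req-0000", PEP)),
    ]
    for label, reply in cases:
        print(label, evaluate_reply(reply, "req-0001", SUBJECT, RESOURCE,
                                    WANTED, recipient=PEP))
```
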
The AuthorizationDecisionQuery element MUST include the following elements:

- A Subject element containing a NameIdentifier element specifying the identity of the initiator.
- A Resource element specifying the resource (or domain of resources) to which the request to be authorized is being made.
- One or more Action elements specifying the action(s) being requested on the resource(s).
- A RespondWith element indicating the type of authorization response service that is being requested.

The query MAY include the following elements:

- One or more Evidence elements containing one or more supporting credentials about the initiator (or pointers to them), plus any contextual information, plus a public key certificate chain that may be used to authenticate the initiator.

The following subsections describe the use of and extensions to these elements for OGSA.

Subject Element

This element contains the name of the initiator. The Subject and contained NameIdentifier elements are unchanged from the SAML specification. The exact use of these elements is driven by the authentication mechanism used by the client. In some scenarios, the authorization service (PDP) MAY require the initiator and client names to be the same. In other scenarios, the authorization service MAY allow trusted clients to request authorization decisions on behalf of any initiator.

Proxy Certificate Authentication Method Identifier

The SAML specification defines how some common identity types are asserted. This document defines how entities authenticated using X.509 Proxy Certificates [ProxyCerts] should be encoded.

The Grid Security Infrastructure (GSI) is a common Grid authentication mechanism that uses X.509 based identities.
The SAML specification defines a URI for X.509 subject names (#X509SubjectNameurn:oasis:names:tc:SAML:1.1nameid-format:X509SubjectName) that SHOULD MUST be used for GSI X.509 Proxy Certificate authenticated identities with the subject name of the end entity certificate that issued the proxy certificate chain as the identity.

Wildcard Subject Identifier

This document defines a method to b one wildcard value for the X509SubjectName of i.e. an empty string, which has the special meaning of anyone (i.e. a decision about public rights is being requested). This wildcard MUST be used in order to obtain public rights, that is, rights available to any subject. To indicate that such a request is being made, the NameIdentifier element MUST be specified as follows:

http://www.gridforum.org/ogsa-authz/saml/2003/06/NameIdentifier/any

Resource Element

The Resource element is defined as a URI.

Grid Services

In the first step of multi-step authorization, the value of this element SHOULD be ignored by the PDP, and the client MAY put any value, including null, into this element. The following text refers to either single step authorization or the second and subsequent steps of multi-step authorization.

If the resource being referred to is a Grid service, the Resource element MUST contain the Grid Service Handle (GSH) of the service as described in [OGSI].

It is also possible that this element could contain a URI referring to things other than GSHs in an OGSA context. For example, a URI could be used to refer to a group of services. However, such usage is determined by prior agreement between authorization services, policy makers and resources in a particular domain and is beyond the scope of this document.

Wildcard Resource

This specification also defines a wildcard resource.
This has two different meanings depending on whether it is in a query (request to a PDP) or a statement (response from a PDP):

- In an AuthorizationDecisionQuery, it states a desire to learn the initiator's rights on all the resources of which the authorization service is aware. Typically such a query will be used by an initiator who will cache the results and present them to resources later in a decision push mode of authorization.
- In an AuthorizationDecisionStatement, it states the initiator has the given privileges on all resources that accept the authorization service as authoritative. This statement may be used when the authorization service is the authority for a group of resources with identical policy.

This wildcard URI MUST be specified as follows:

http://www.gridforum.org/ogsa-authz/saml/2003/06/resource/any

Action Elements

The Action element describes the operation or method to be authorized. The Action element is composed of a string describing the operation and a URI specifying the namespace of the action.

Grid Service Operation Invocation

In the first step of multi-step authorization, the value of this element SHOULD be ignored by the PDP, and the client MAY put any value, including null, into this element. The following text refers to either single step authorization or the second and subsequent steps of multi-step authorization.

This specification defines the following namespaces:

http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/operation

This namespace is used to define an operation invocation on the specified Resource by the specified Subject. The action string should contain the namespace and name of the operation being invoked.

Grid Service SDE Access

I agree with David's comment, this is screwed up. We need some way of specifying a hierarchical resource of GSH and SDE and not overloading Action - VW

http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/sde/read

This namespace is used to define the reading of a ServiceDataElement. The action string should contain the QName of the Service Data element being accessed.

http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/sde/modify

This namespace is used to define the modification of a ServiceDataElement. The action string should contain the QName of the Service Data element being modified.

Wildcard Action

This specification also defines a wildcard action. This action has two different meanings depending on whether it is in a query or an assertion:

- In an AuthorizationDecisionQuery, it states a desire to learn all of the initiator's rights on the specified resource. An example of where this might be used is a policy enforcement point co-located with a resource that, after an initiator has set up a session, will cache the results and do further policy processing without the authorization service.
- In an AuthorizationDecisionStatement, it states the initiator has all privileges on the resource. This will often be the case where the initiator is the policy authority for the resource in question.

This wildcard action MUST be specified as follows. The namespace URI MUST be:

http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/wildcard

The Action string must be "*", i.e., an asterisk.

Evidence Elements

Evidence elements are assertions used to hold, either directly or by reference, supporting credentials regarding the initiator, as well as environmental parameters. In one step authorization the AuthorizationDecisionQuery MAY contain Evidence Elements holding environmental parameters.
In the second and subsequent steps of multi-step authorization, the AuthorizationDecisionQuery MUST contain an Evidence element holding the Attribute Assertion returned by the PDP in response to the first step of authorization and MAY contain Evidence Elements holding environmental parameters. An Evidence element may hold, for example, an Attribute Assertion that contains the role of the initiator, or the groups that the initiator is a member of.

In one step authorization and the first step of multi-step authorization, the AuthorizationDecisionQuery MAY contain Evidence elements regarding the credentials of the initiator as follows.

- In the credential push mode of operation this element SHOULD contain the credentials of the initiator. If the initiator does not have any credentials (for example, if default or public access rights are being requested) then there will be no evidence assertions in which the subject name is that of the initiator. When the credentials are in the form of attributes, the precise way in which these are inserted into the AttributeStatements embedded in the Evidence element is specified in [Attributes].
- In the credential pull mode of operation the Evidence element MAY contain a Reference Statement. The precise contents of the Reference Statement are described below.
- If the client wishes the PDP to operate in both credential push and pull mode, then it MAY include initiator credentials and Reference Statements in the Evidence element. If neither is present, then it is at the discretion of the PDP how to behave (e.g. it may be pre-configured with a resource from which to pull initiator credentials, or it may assume the initiator has no credentials).

When the Evidence element is used to hold environmental parameters, these MAY be encoded as Attribute Statements as follows.

- The application MAY specify its own AttributeNamespace URI, along with AttributeName strings to represent environmental parameters (e.g. accountCode, callingAddress, currentTime), and appropriate environmental values for each of the AttributeNames (e.g. ABC123, 87.80.7.56, 12:02:35).
- The following namespace MAY be used to specify a standard set of environmental parameters:

  http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/env

  The following AttributeName strings are defined, along with the syntax for their AttributeValues:

  AttributeName   AttributeValue syntax   AttributeValue Example
  Date            ccyy-mm-dd              2003-02-12
  Time            hh:mm:ss                12:05:35
  DateTime        ccyy-mm-ddThh:mm:ss     2003-02-12T12:05:35

  Any others???

The Evidence element MAY also contain the X.509 public key certificate chain that was or can be used to authenticate the initiator of the authorization decision request. How this is encoded is TBD.

This specification makes no further constraints on the use of this element for specifying credentials. It is expected that specifications for different types of supporting credentials will be developed.

ReferenceStatement Element

Reference statements MAY be included within Evidence elements, in order to signal the credential pull mode of operation to the PDP. Reference statements MAY be included instead of, or as well as, credentials in Evidence elements, and it is a local matter for the PDP to determine how to handle the presence of one, both or neither elements.

If a Reference statement is present, then the Format attribute of the NameIdentifier element of the Subject element of the Reference statement SHOULD be #X509SubjectName, and the value MUST correspond to that of the Subject element of the AuthorizationDecisionQuery.

The value of the Reference URI is not further constrained by this specification.

RespondWith Element

This element MUST be used by the client to signal the type of authorization decision service being requested from the PDP.
One of the following values MUST be used:

- saml:AttributeStatement - the authorization service is required to perform the first step of multi-stage authorization and return an assertion containing an Attribute Statement.
- ogsa-saml:AuthorizationDecision - the authorization service is required to return a simple Authorization Decision Response to this Authorization Decision Query.
- saml:AuthorizationDecisionStatement - the authorization service is required to return an assertion containing an Authorization Decision Statement.

If single step authorization is being requested, and the client wants an AuthorizationDecisionStatement to be returned, then it MUST set the value to saml:AuthorizationDecisionStatement.

If single step authorization is being requested, and the client wants a simple AuthorizationDecision Response to be returned, then it MUST set the value to ogsa-saml:AuthorizationDecision.

If the first step of multi-step authorization is required, then the client MUST set the value to saml:AttributeStatement.

For second and subsequent steps in multi-step authorization, the client SHOULD set the value to either ogsa-saml:AuthorizationDecision or saml:AuthorizationDecisionStatement, depending on the type of response that is required.

If a client follows an AuthorizationDecisionQuery with RespondWith set to Attribute with another AuthorizationDecisionQuery with RespondWith set to saml:AttributeStatement and the subject elements are identical in the two queries, then the Attribute Statement returned on the first request is effectively superseded by the Attribute Statement returned in the subsequent request.

Assertion Element

The SAML Assertion element is used by one entity to assert the capabilities of another. While an Assertion element can contain a variety of SAML statements, for the purposes of this document we consider only AuthorizationDecisionStatements, SimpleAuthorizationDecisionStatements (defined in this document) and AttributeStatements.
The first two may be returned in response to AuthorizationDecisionQueries, whilst the latter may be presented in the Evidence elements of (Extended)AuthorizationDecisionQueries. The first two are returned in one-step authorization or the second and subsequent steps of multi-step authorization, whilst the latter are returned in the first step of multi-step authorization.

When returned by an authorization service to an entity, the Assertion element will be enveloped in a SAML Response element as described in the SAML specification.

The Assertion element includes the following elements:

- An optional Conditions element specifying the conditions for use of the assertion.
- An optional Advice element specifying advice for use of the element.
- Any number of AuthorizationDecisionStatements
- Any number of AttributeStatements in Evidence elements
- An optional Signature element allowing the Assertion to be verified.

The following subsections describe the use and extensions to these elements for OGSA.

Conditions Element

Implementations are advised to be conservative in their use of this element and only include it when they are confident it will be understood.

The Conditions element contains optional time constraints and any number of Condition elements (note difference in plurality between element names) on the returned assertion. Condition elements serve as an abstract element for extension, and should be used to express the policy conditions on operands and context/environment that the authorization service was unable to evaluate due to insufficient information being provided by the client. It is envisioned that future specifications will be able to extend the Condition element to return fine-grained policies for parameters on operation invocation and service data access, using for example elements of XACML.

Advice Element

This specification recommends against the use of the Advice element. Implementations SHOULD NOT use this element and MAY only include it when they are confident it will be understood.
The Advice element MAY be ignored by the recipient of the assertion, therefore it MUST NOT contain any information essential to the operation of the PEP. Information that MAY be placed into the Advice Element includes: evidence supporting the assertion, and identification of the policy used in making the assertion.

The Advice element is itself an assertion, or an assertion reference, or any other element from another namespace. An example of how it might be used is as follows. Suppose the assertion authority operates according to a policy uniquely identified by the Object Identifier 1.2.3.4.5.6. (This could be a PKI Certification Authority or Attribute Authority for example). Identification of the governing policy can be provided in the Advice element by setting the namespace to the OID urn of the policy, namely urn:oid:1.2.3.4.5.6

Ed Note - Not sure this is quite right.

AuthorizationDecisionStatement Element

The AuthorizationDecisionStatement element contains the same elements as the AuthorizationDecisionQuery, and also includes a Decision attribute.

The Decision attribute can take the value of Permit, Deny or Indeterminate. If a value of Indeterminate is returned, then the encapsulating assertion MUST also have a Conditions element present expressing the conditions that MUST be fulfilled before the authorization can be permitted.

AttributeStatement Element

The AttributeStatement element MAY be included in the Evidence element of an AuthorizationDecisionQuery, to signify the credential push mode. The AttributeStatement element MUST be sent in a reply to an AuthorizationDecisionQuery in which the RespondWith element value was set to Attribute, i.e. to the first step of multi-step authorization.

The returned Attribute Statement SHOULD contain a PDP encoded cookie that is associated with the initiator (subject element of the AuthorizationDecisionQuery). For example, when RBAC is being used, the attribute statement could contain the list of validated roles of the initiator.
Whether the cookie is opaque or understandable by the client is currently out of the scope of this document. However, the returned attribute statement MUST be usable multiple times by the client in subsequent AuthorizationDecisionQueries concerning the same initiator.

When the assertion encapsulating the Attribute Statement is returned across an insecure network, it SHOULD be signed by the PDP.

The client SHOULD use the returned attribute assertion and insert it into the Evidence element of all subsequent AuthorizationDecisionQueries sent to the same PDP for the same subject/initiator. In subsequent queries the RespondWith element SHOULD be set to Decision or Authorization.

Signature Element

This specification places no constraints on the Signature elements. Implementations SHOULD sign assertions when they do not have an authenticated connection to the evaluator of the assertion.

Required Assertion Fields

- Major Revision - MUST be set to 1
- Minor Revision - MUST be set to 0
- AssertionID - SHOULD be set to a random 128 bit number
- Issuer - This SHOULD be the unambiguous name of the issuer. It SHOULD be a URI. Where the Issuer name is an X.500 DN, it MUST have the format as specified in RFC 2255 [RFC 2255]. For example, if the issuer was a PDP with distinguished name of cn=PERMIS ADF, o=University of Michigan, c=us, the URI would be:
  ldap:///cn=PERMIS%20ADF,o=University%20of%20Michigan,c=US
- IssueInstant - MUST be the date/time that the Assertion was issued, in ISO 8601 format (i.e. 2003-02-12T12:05:35) and SHOULD be followed by Z to indicate UTC time or the local time zone difference from UTC time.

VW: SAML section 1.2.2 and 2.3.2 states this value must be in the xsd:dateTime format. Unless this is identical to ISO 8601 we're making a serious change here. Why? If it is identical, let's say so.

SAML Authorization Service PortType

XXX To be defined

Good start at message below we can leverage:
http://lists.oasis-open.org/archives/security-services/200302/msg00008.html

Grid Authorization Service SDEs

The following service data elements (SDEs) may be exposed by a Grid Authorization Service.

Supported policies
XXX: A list of policy identifiers that the authorization service knows about.

Policy of PDP in terms of Indeterminate
XXX Whether or not the authorization service supports the Indeterminate response, which some legacy systems may not

Signature Capable
XXX Whether or not the authorization service supports signing of its responses.

Commentary

This section contains non-normative commentary.

Proposed SAML 1.1 specification

The OASIS Security Services Technical Committee (SSTC) [SSTC] has proposed a new version, version 1.1, of SAML. This document proposes changes that would affect the contents of this document.

A document describing differences can be found at:
http://www.oasis-open.org/committees/download.php/2247/sstc-saml-diff-1.1-draft-01.doc

The new SAML 1.1 specification proposes the following changes, which if ratified, should be tracked by this document:

- The URI to identify X.509 subject names is changed. This specification recommends this URI for GSI subject identities.
- The RespondWith element is deprecated. This specification uses this element to request an attribute for multi-step authorization and needs to find a different way to accomplish this.

Security Considerations

This specification defines an authorization service based on the SAML specification for OGSA and is completely about security. Implementers of this specification need to be aware that errors in implementation could lead to denial of service or improper granting of service to unauthorized users.

In particular, mutual authentication between the client and the PDP is highly desirable and strongly recommended.
PDP implementations SHOULD sign assertions when they do not have an authenticated connection to the evaluator of the assertion, and MAY sign them when they do have. PDP implementations MAY be unwilling to respond to authorization decision queries from clients who are not authenticated.

XXX Need to be more specific here.

Author Information

Von Welch
University of Chicago NCSA
vwelch@mcs.anl.govncsa.uiuc.edu

Frank Siebenlist
Argonne National Laboratory
franks@mcs.anl.gov

Sam Meder
University of Chicago
meder@mcs.anl.gov

Laura Pearlman
Information Sciences Institute
University of Southern California
laura@isi.edu

David Chadwick
Information Systems Institute
University of Salford
d.w.Chadwick@salford.ac.uk

Glossary

The following terms and abbreviations are used in this document.

ACI - Access Control Information (from ISO 10181-3). Any information used for access control purposes, including contextual information.

ADF - Access control Decision Function (from ISO 10181-3). A specialized function that makes access control decisions by applying access control policy rules to an access request, ADI (of initiators, targets, access requests, or that retained from prior decisions), and the context in which the access request is made.

ADI - Access control Decision Information (from ISO 10181-3). The portion (possibly all) of the ACI made available to the ADF in making a particular access control decision.

AEF - Access control Enforcement Function (from ISO 10181-3). A specialized function that is part of the access path between an initiator and a target on each access request and enforces the decision made by the ADF.

Client - the entity making a decision request to the ADF (it could be the target, the initiator, or a proxy acting on behalf of the initiator)

Contextual information - Information about or derived from the context in which an access request is made (e.g. time of day).

Environmental parameters - same as contextual information.

Initiator - An entity (e.g. human user or computer-based entity) that attempts to access other entities (from ISO 10181-3).

PDP - same as ADF

PEP - same as AEF

Privilege - An attribute or property assigned to an entity by an authority

Target - An entity, usually a resource, to which access may be attempted (from ISO 10181-3).

Intellectual Property Statement

The GGF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the GGF Secretariat.

The GGF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this recommendation. Please address the information to the GGF Executive Director.

Full Copyright Notice

Copyright (C) Global Grid Forum (date). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the GGF or other organizations, except as needed for the purpose of developing Grid Recommendations in which case the procedures for copyrights defined in the GGF Document process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the GGF or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE GLOBAL GRID FORUM DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

References

[Akenti] Thompson, M., et al., "Certificate-based Access Control for Widely Distributed Resources," in Proc. 8th Usenix Security Symposium. 1999.

[Attributes] Mary Thompson et al. OGSA Attributes: Requirements, Definitions, and SAML Profile. GWD-R. Latest version available from https://forge.gridforum.org/projects/ogsa-authz/document/draft-OGSA-attributes-v6/en/1/draft-OGSA-attributes-v6.doc

[Authz] Welch, V., et al, OGSA Authorization Requirements, June, 2003.

[CAS] Pearlman, L., V. Welch, I. Foster, C. Kesselman, S. Tuecke, "A Community Authorization Service for Group Collaboration," Proceedings of the IEEE 3rd International Workshop on Policies for Distributed Systems and Networks, 2002.

[OGSI] Foster, I., C. Kesselman, J. Nick, S. Tuecke, "The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration," Open Grid Service Infrastructure WG, Global Grid Forum, June 22, 2002.

[PERMIS] Chadwick, D.W., O. Otenko, "The PERMIS X.509 Role Based Privilege Management Infrastructure", Proceedings of 7th ACM Symposium on Access Control Models and Technologies (SACMAT 2002).
[ProxyCerts] XXX

[Roadmap] Siebenlist, F., et al, "OGSA Security Roadmap," OGSA Security WG, Global Grid Forum, July, 2002.

[RFC 2255] T. Howes, M. Smith. "The LDAP URL Format", RFC 2255, Dec 1997

[RFC2904] Vollbrecht, J., et al, "AAA Authorization Framework," RFC 2904, August 2000.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels," BCP 14, RFC 2119, March 1997.

[RFC3281] Farrell, S., Housley, R. An Internet Attribute Certificate Profile for Authorization, RFC 3281, May 2002.

[SAML] OASIS, Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1, May 2003.

[SSTC] OASIS Security Services Technical Committee, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security, June, 2003.

[VOMS] "VOMS Architecture v1.1," http://grid-auth.infn.it/docs/VOMS-v1_1.pdf, February 2003.

Editor's Note. Alternatively we can indicate that the initiator has no credentials, by setting this element to , and the value of the string to null.

This is ISO 8601 format

We have to decide on the best way of returning a conditional response. There are a couple of possibilities. I) return Permit with Conditions (but the conditions have to be evaluated to true before the permit is valid) II) return Indeterminate with Conditions (and the decision then depends upon the evaluation of the conditions). II) has been chosen above.

GWD-R (proposed) June November 2003
welch@mcs.anl.gov
ogsa-authz@gridforum.org

This seems wrong. Why specify two namespaces for an operation? Either the grid namespace above can pre-define several operations to be used as action strings e.g. Execute, Print, Pause, Resume etc, or grid applications can specify their own namespaces and action strings.

I don't believe this is correct.
A PDP may also return Indeterminate if the resource is outside of its policy space.
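
The query constraints set out in the AuthorizationDecisionQuery section (required Subject, Resource, Action and RespondWith; the wildcard resource and action; the rule that Resource and Action values are ignored in the first step of multi-step authorization) can be checked by a PDP before any policy is evaluated. The Python code below is an added example, not part of the draft or of any GGF implementation. It assumes the SAML 1.1 schema layout (RespondWith as a child of samlp:Request, Resource carried as an attribute of the query), compares RespondWith values literally with the prefixes the draft writes, and insists on exactly one RespondWith value, which is stricter than the draft text; check_query, sample_request and all sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SAML 1.x namespace URIs (SAML 1.1 keeps the 1.0 URIs).
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol"}

# Values quoted from the draft text.
ACTION_BASE = "http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/"
OPERATION_NS = ACTION_BASE + "operation"
WILDCARD_ACTION_NS = ACTION_BASE + "wildcard"
WILDCARD_RESOURCE = "http://www.gridforum.org/ogsa-authz/saml/2003/06/resource/any"
FIRST_STEP = "saml:AttributeStatement"
RESPOND_WITH = {FIRST_STEP, "ogsa-saml:AuthorizationDecision",
                "saml:AuthorizationDecisionStatement"}


def check_query(xml_text):
    """Return (problems, info) for one samlp:Request carrying an
    AuthorizationDecisionQuery. An empty problems list means the query meets
    the constraints checked here; info flags scope-widening wildcards so the
    PDP can log them or apply stricter local policy."""
    info = {"respond_with": None, "first_step": False,
            "wildcard_resource": False, "wildcard_action": False}
    try:
        # Untrusted input: a production PDP should use a hardened XML parser.
        request = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], info
    query = request.find("samlp:AuthorizationDecisionQuery", NS)
    if query is None:
        return ["request carries no AuthorizationDecisionQuery"], info
    problems = []

    # RespondWith selects the service type. Prefixes are compared literally
    # (assumption: senders use the prefixes exactly as the draft writes them).
    values = [(e.text or "").strip()
              for e in request.findall("samlp:RespondWith", NS)]
    if len(values) != 1:
        problems.append(f"expected exactly one RespondWith, found {len(values)}")
    elif values[0] not in RESPOND_WITH:
        problems.append(f"RespondWith value not defined by the draft: {values[0]!r}")
    else:
        info["respond_with"] = values[0]
        info["first_step"] = values[0] == FIRST_STEP

    if query.find("saml:Subject/saml:NameIdentifier", NS) is None:
        problems.append("Subject with a NameIdentifier is required")

    # First step of multi-step authorization: the client may put any value,
    # including null, in Resource and Action, and the PDP SHOULD ignore them.
    if info["first_step"]:
        return problems, info

    resource = query.get("Resource")  # SAML 1.1 carries Resource as an attribute
    if not resource:
        problems.append("Resource is required")
    elif resource == WILDCARD_RESOURCE:
        info["wildcard_resource"] = True

    actions = query.findall("saml:Action", NS)
    if not actions:
        problems.append("at least one Action is required")
    for action in actions:
        text = (action.text or "").strip()
        if action.get("Namespace") == WILDCARD_ACTION_NS:
            if text == "*":
                info["wildcard_action"] = True
            else:
                problems.append(f"wildcard namespace requires Action '*', got {text!r}")
        # "*" under any other namespace is an ordinary action string and is
        # deliberately not treated as a wildcard.
    return problems, info


# Constructed sample input (subject, service handle and request id are made up).
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
GSH = "https://grid.example.org/ogsa/services/JobManager"


def sample_request(respond_with, resource, action_ns, action):
    rw = f"<samlp:RespondWith>{respond_with}</samlp:RespondWith>" if respond_with else ""
    return (
        f'<samlp:Request xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'MajorVersion="1" MinorVersion="1" RequestID="constructed-1" '
        'IssueInstant="2003-02-12T12:05:35Z">'
        f'{rw}<samlp:AuthorizationDecisionQuery Resource="{resource}">'
        f'<saml:Subject><saml:NameIdentifier Format="{X509_FORMAT}">'
        'CN=Jane Doe,O=Example Grid,C=US</saml:NameIdentifier></saml:Subject>'
        f'<saml:Action Namespace="{action_ns}">{action}</saml:Action>'
        '</samlp:AuthorizationDecisionQuery></samlp:Request>')


if __name__ == "__main__":
    for args in [("saml:AuthorizationDecisionStatement", GSH, OPERATION_NS, "submitJob"),
                 ("ogsa-saml:AuthorizationDecision", GSH, WILDCARD_ACTION_NS, "read"),
                 ("saml:AttributeStatement", "", OPERATION_NS, "")]:
        print(check_query(sample_request(*args)))
```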
Eƀ4U{&DEFHIUVWpqrstuvٺ~dEd%EdE~?j"huhCUcHdhdhdh1U{&mHnHu<jhuhCUcHdhdhdh1U{&mHnHu3huhCcHdhdhdh1U{&mHnHu<huhCCJOJQJcHdhdhdh1U{&mHnHu8huhC0JaJcHdhdhdh1U{&mHnHu=jhuhC0JUcHdhdhdh1U{&mHnHuKj!huhC>*B*UcHdhdhdh1U{&mHnHphuvwxŬņiJi03huhCcHdhdhdh1U{&mHnHu<huhCCJOJQJcHdhdhdh1U{&mHnHu8huhC0JaJcHdhdhdh1U{&mHnHuKj"huhC>*B*UcHdhdhdh1U{&mHnHphu0huhCcHdhdhdh1U{&mHnHu4huhC0JcHdhdhdh1U{&mHnHu=jhuhC0JUcHdhdhdh1U{&mHnHu ǧiN5N0huhCcHdhdhdh1U{&mHnHu4huhC0JcHdhdhdh1U{&mHnHu<huhCCJOJQJcHdhdhdh1U{&mHnHu=jhuhC0JUcHdhdhdh1U{&mHnHu?j#huhCUcHdhdhdh1U{&mHnHu3huhCcHdhdhdh1U{&mHnHu<jhuhCUcHdhdhdh1U{&mHnHu 89:;<=>ٺ~dEd%EdE~?j $huhCUcHdhdhdh1U{&mHnHu<jhuhCUcHdhdhdh1U{&mHnHu3huhCcHdhdhdh1U{&mHnHu<huhCCJOJQJcHdhdhdh1U{&mHnHu8huhC0JaJcHdhdhdh1U{&mHnHu=jhuhC0JUcHdhdhdh1U{&mHnHuKj#huhC>*B*UcHdhdhdh1U{&mHnHphu>?@[\]^abz{ŬņiJi03huhCcHdhdhdh1U{&mHnHu<huhCCJOJQJcHdhdhdh1U{&mHnHu8huhC0JaJcHdhdhdh1U{&mHnHuKj$huhC>*B*UcHdhdhdh1U{&mHnHphu0huhCcHdhdhdh1U{&mHnHu4huhC0JcHdhdhdh1U{&mHnHu=jhuhC0JUcHdhdhdh1U{&mHnHu {|ǧiN5N0huhCcHdhdhdh1U{&mHnHu4huhC0JcHdhdhdh1U{&mHnHu<huhCCJOJQJcHdhdhdh1U{&mHnHu=jhuhC0JUcHdhdhdh1U{&mHnHu?j$huhCUcHdhdhdh1U{&mHnHu3huhCcHdhdhdh1U{&mHnHu<jhuhCUcHdhdhdh1U{&mHnHu ٺ~dEd%EdE~?j%huhCUcHdhdhdh1U{&mHnHu<jhuhCUcHdhdhdh1U{&mHnHu3huhCcHdhdhdh1U{&mHnHu<huhCCJOJQJcHdhdhdh1U{&mHnHu8huhC0JaJcHdhdhdh1U{&mHnHu=jhuhC0JUcHdhdhdh1U{&mHnHuKjz%huhC>*B*UcHdhdhdh1U{&mHnHphu  "#ŬņiJi03huhCcHdhdhdh1U{&mHnHu<huhCCJOJQJcHdhdhdh1U{&mHnHu8huhC0JaJcHdhdhdh1U{&mHnHuKjp&huhC>*B*UcHdhdhdh1U{&mHnHphu0huhCcHdhdhdh1U{&mHnHu4huhC0JcHdhdhdh1U{&mHnHu=jhuhC0JUcHdhdhdh1U{&mHnHu #$=>?@ABCDE`aǧiN5N0huhCcHdhdhdh1U{&mHnHu4huhC0JcHdhdhdh1U{&mHnHu<huhCCJOJQJcHdhdhdh1U{&mHnHu=jhuhC0JUcHdhdhdh1U{&mHnHu?j&huhCUcHdhdhdh1U{&mHnHu3huhCcHdhdhdh1U{&mHnHu<jhuhCUcHdhdhdh1U{&mHnHu 
hwxyyyyyIIIIIIImUUUGj??xxPPJJhBBBL|\\6666''''PPPQ &'()*+ !"#$%,-./0123456789:@;@<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~    ' ' ' ' ' ' ' ' J1J1J1J1J1J1J1J1J12,363A3~3333,48444;5A5g5n5555555555557:;;;;;;;;0;0;W= ? ? ? ? ? ? ? ?q@q@q@q@q@q@q@q@AAAAAAAAuCuCuCuCuCuCuCuCFFFFIGIGIGIGIGIGIGIG0I0I0I0I0I0I0I0IJLLLLLLLLNNNNNNNNQQQQRRRRTTTTWW6\``ccccccccddvvvvt}~Daaaa; hwxkkkkkkkdd99UGjMMjj[[LL|\\UUUU<<<<ZZZQiNi4iiTii& ili-iii4iDii|iliiܐi$5iLi|?u''5~~Mf)Q    Gz1<<Oo+Q  =*urn:schemas-microsoft-com:office:smarttags PlaceName=*urn:schemas-microsoft-com:office:smarttags PlaceType9*urn:schemas-microsoft-com:office:smarttagsplace8*urn:schemas-microsoft-com:office:smarttagsdate8*urn:schemas-microsoft-com:office:smarttagstime  12172002223556DayHourMinuteMonthYear      VAsZ|eN19 8(@(++,/,w,,A0I03 383A333.414=5A5i5n5;;#<B<<<=2===>>AA;AIAAABBiBvBOCmCzCCFFGH#H6HHHHILLLL-MLMXMmMN(NOOP"PPPQQQQVVZZZZ [%[3[:[\"\5]T]ddddOeqeee0fTfffffg>gggoh}hhhoi{iiiiijjjjjk"kDkLkrkwkkkkkkkl*l?lGlNlllllm m[mxmzmmmmmmm nn&n6n?nnn o)oGoZoboooooooop"p[qyqqqqqqqr rasiswsssssttttBtGtRtYt|ttttt u"u$u-u2u;uuuuuuuuv#vGvvvwwwxxxxx%y.ynyy}zzzzzzzz{S{\{{{{{{{{ |>|v||||||} }U}c}g}r}INs6Tcwш{ \jvZ^2LϢԢģ|Ǭׯ=HLZ^iȱױٱ $6>IQRe1յ~Ⱦ.As1@SxPbow*3?!&\bFL![dio09GMzIN dkFQKp(9 {&&222%377}88[@_@wQQZZi[o[th}hiikldmxmnnkooxx|*|ψЈ()rAQ6? QSW =ddOU$:.1FQ333333333333333333333333333333333333333333333r&2(9 ( %1K1&3B33333.49444=5B5i5o55577:;6=l=> ?a@r@@AOCvCFF8GJGI1IJKLLNNQRRRTT\7\ccddiimmmnoouvEbIg؉UeEx -;fxҞhٱRg:z?NxPkJ\Vh&*DFjlQ11FQDavid ChadwickDavid ChadwickDavid ChadwickDavid ChadwickDavid ChadwickDavid ChadwickDavid ChadwickDavid ChadwickDavid Chadwick Von Welch6|<~I}#H~OGjFԁnb?.6z>*=d< *Eh ;Z!T,O SJŠ7} j\g n7-hk8ɸ?y8(N2!ʰ.#~Yhyg$`N$h6&h:4 a`Zhcl7M4( kj$afQkn7-mo^!`hRoz G\p> r=!_ri/.3sr,yb/*{l -|hB5z}huz^`.^`.88^8`.^`. ^`OJQJo( ^`OJQJo( 88^8`OJQJo( ^`OJQJo(hh^h`. 
hh^h`OJQJo(h^`.h^`.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.h^`QJo(oh^`.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(hh^h`o(.0^`0o(..0^`0o(...88^8`o(.... `^``o( ..... `^``o( ...... ^`o(....... pp^p`o(........ pp^p`o(.........h^`.h^`.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.h88^8`.h^`.h L ^ `L.h  ^ `.hxx^x`.hHLH^H`L.h^`.h^`.hL^`L.h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(h   ^ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h | | ^| `OJQJo(h LL^L`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh ^`OJ QJ o(hL^`Lo(.h^`.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.hh^h`o(hH.@@^@`o(hH.0^`0o(hH..``^``o(hH... ^`o(hH .... ^`o(hH ..... ^`o(hH...... `^``o(hH....... 00^0`o(hH........ hh^h`hH) ^`hH) 88^8`hH) ^`hH() ^`hH() pp^p`hH()   ^ `hH. @ @ ^@ `hH.   ^ `hH.h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(h^`.h^`.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJ QJ o(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJ QJ o(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJ QJ o(hH0^`0o(.0^`0o(..0^`0o(...``^``o(... ^`o( .... ^`o( ..... ^`o(...... `^``o(....... 
00^0`o(........h^`.h^`.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.h ^`OJQJo(h   ^ `OJQJo(oh \\^\`OJ QJ o(h ,,^,`OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ll^l`OJQJo(oh <<^<`OJ QJ o(^`OJPJQJ^Jo(-^`OJQJ^Jo(hHopp^p`OJ QJ o(hH@ @ ^@ `OJQJo(hH^`OJQJ^Jo(hHo^`OJ QJ o(hH^`OJQJo(hH^`OJQJ^Jo(hHoPP^P`OJ QJ o(hHh ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(P^`Po(@@^@`o(.0^`0o(..``^``o(... ^`o( .... ^`o( ..... ^`o(...... `^``o(....... 00^0`o(........h88^8`.h^`.h L ^ `L.h  ^ `.hxx^x`.hHLH^H`L.h^`.h^`.hL^`L.^`OJPJQJ^Jo(-^`OJQJ^Jo(hHopp^p`OJ QJ o(hH@ @ ^@ `OJQJo(hH^`OJQJ^Jo(hHo^`OJ QJ o(hH^`OJQJo(hH^`OJQJ^Jo(hHoPP^P`OJ QJ o(hHP^`P@@^@`.0^`0..``^``... ^` .... ^` ..... ^`...... `^``....... 00^0`........^`o(. ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH.h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJ QJ o(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJ QJ o(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJ QJ o(hHh ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(h ^`hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH. P^`Po( Appendix .@@^@`o(.0^`0o(..``^``o(... ^`o( .... ^`o( ..... ^`o(...... `^``o(....... 
00^0`o(........h^`QJo(oh^`.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.h^`.h^`.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.h   ^ `OJQJo(^`OJPJQJ^Jo(-h ^`OJ QJ o(h | | ^| `OJQJo(h LL^L`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(h^`OJQJo(hH^`OJQJ^Jo(hHopp^p`OJ QJ o(hH@ @ ^@ `OJQJo(hH^`OJQJ^Jo(hHo^`OJ QJ o(hH^`OJQJo(hH^`OJQJ^Jo(hHoPP^P`OJ QJ o(hH^`o(.^`o(.pLp^p`L.@ @ ^@ `.^`.L^`L.^`.^`.PLP^P`L.h^`.h^`.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.^`o(.^`.pLp^p`L.@ @ ^@ `.^`.L^`L.^`.^`.PLP^P`L.h ^`OJQJo(h ^`OJQJo(oh pp^p`OJ QJ o(h @ @ ^@ `OJQJo(h ^`OJQJo(oh ^`OJ QJ o(h ^`OJQJo(h ^`OJQJo(oh PP^P`OJ QJ o(P^`Po(hH@@^@`o(hH.0^`0o(hH..``^``o(hH... ^`o(hH .... ^`o(hH ..... ^`o(hH...... `^``o(hH....... 00^0`o(hH........PP^P`QJo(o ^`OJQJo(o pp^p`OJ QJ o( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJ QJ o( ^`OJQJo( ^`OJQJo(o PP^P`OJ QJ o(76&!_r::<,y`N$=~}|?\[c7lnPm)@ r0MoY17=5z}.3sI2Pg fQkJhk.#mo4( k-4yg$0R0!)L7} 4( kE iHX*{4/>a`G\pSV 1hRo2!Jp/-|IOyZ!T/*a0O3Kr8|:r(=UCcKdL"NRZ\R}VYtX>5\].]a^X_)b5b*rcXhqh=n!onKxEr}Cb?D[?M^P9q,0NiIF<`pC^ 3)4r&Z%s{]jG[ !uBCu ,(&a9\A5KY>EA0-eJV)::t~=h)*N &rv : ' ( /&3-37383B3333333-4.494444<5=5B5h5i5o555>a@@OCF8GIJLNQR؉7wٱ%016?HIRg{|VHkU<ZFlQCP0CP09}@117 11P@Unknown Von WelchDavid Chadwick kz Times New RomanDevice Font 10cpi5SymbolW& z ArialDevice Font 10cpiG5  hMS Mincho-3 fg7 ArialMTIArial Unicode MS_&  z HelveticaDevice Font 10cpigFComic Sans MSDevice Font 10cpic5  z Courier NewDevice Font 10cpi5& zaTahoma;Wingdings"1hIzf7U{&iF$5~$5~!4d 2qH0?r(=GGF Management - GFD-C.3Charlie Catlett Von Welch6                           ! " # $ % & ' ( ) * + , - . 
Word file properties: title "GGF Management - GFD-C.3"; names recorded: Charlie Catlett, Von Welch; organization: Argonne National Laboratory; application: Microsoft Word 10.0.