GGF DOCUMENT SUBMISSION CHECKLIST (include as front page of submission)

Item / COMPLETED (X) - Date
1. Author name(s), institution(s), and contact information: X
2. Date (original and, where applicable, latest revision date): X
3. Title, table of contents, clearly numbered sections: X
4. Security Considerations section: X
5. GGF Copyright statement inserted (See below): X
6. GGF Intellectual Property statement inserted. (See below) NOTE that authors should read the statement: X
7. Document format - The GGF document format to be used for both GWD's and GFD's is available in MSWord (http://www.ggf.org/documents/formats/gwd-template.doc), RTF (http://www.ggf.org/documents/formats/gwd-template.rtf), and PDF (http://www.ggf.org/documents/formats/gwd-template.pdf) formats. (Note that font type is not part of the requirement, however authors should avoid font sizes smaller than 10pt.): X

GWD-I (proposed)

Von Welch, NCSA
Frank Siebenlist, Argonne National Laboratory
David Chadwick, University of Salford
Sam Meder, University of Chicago
Laura Pearlman, Information Sciences Institute

September, 2003

Use of SAML for OGSA Authorization

Status of This Memo

This document has been submitted to the Global Grid Forum OGSA Security Working Group for consideration as a recommendations document in the area of OGSA authorization. The latest version of this document can be found at: http://www.globus.org/ogsa/Security/

Copyright Notice

Copyright Global Grid Forum (2003). All Rights Reserved.

Abstract

This document defines an open grid services architecture (OGSA) authorization service based on the use of the security assertion markup language (SAML) as a format for requesting and expressing authorization assertions. Defining standard formats for these messages allows for pluggability of different authorization systems using SAML.
Contents

Abstract
1. Introduction
2. Conventions Used in this Specification
3. SAML Authorization Overview
3.1 SAML Authorization Model
3.2 Action Element
3.3 Resource Element
3.4 Subject and NameIdentifier Elements
3.5 AuthorizationDecisionStatement Element
3.6 AttributeStatement Element
3.7 Assertion Element
3.8 Conditions Elements
3.9 AuthorizationDecisionQuery Element
3.10 Evidence Elements
3.11 ReferenceStatement Element
3.12 RespondWith Element
4. Overview of Extensions
4.1 Simple Authorization Query Response
4.2 Multi-Stage Authorization
5. SAML Extensions
5.1 Element
5.2 Element
6. SAML Authorization Element Usage in OGSA
6.1 AuthorizationDecisionQuery Element
6.2 Assertion Element
7. SAML Authorization Service PortType
8. Commentary
8.1 Proposed SAML 1.1 specification
9. Security Considerations
Author Information
Glossary
Intellectual Property Statement
Full Copyright Notice
References
ChangeLog

1. Introduction

There are a number of authorization systems currently available for use on the Grid as well as in other areas of computing, such as Akenti [Akenti], CAS [CAS], PERMIS [PERMIS] and VOMS [VOMS].
Some of these systems are normally used in decision push mode by the application [RFC2904] - they act as services and issue their authorization decisions in the form of authorization assertions that are conveyed, or pushed, to the target resource by the initiator. Others are used in decision pull mode by the application - they are normally linked with an application or service and act as a policy decision maker for that application, which pulls a decision from them. On the abstract level both of these types of authorization services have similar semantics - they are given a description of the initiator (which might include the initiator's privileges), a description of an action being requested (including its argument), details about the target resource to be accessed, and any contextual information such as time of day, and they provide an authorization decision whether the action should be processed or rejected.

These authorization services can themselves act in credential push or pull mode [RFC3281]. In credential push mode, the client provides all the information necessary for a decision to be made. In credential pull mode, the client provides everything except the initiator's privileges, and the authorization service then pulls these privilege tokens (or credentials) from some other authority, and bases its decision on them. The client may provide a pointer to the authorization service, giving it a hint where to find the privileges, or the authorization service may be pre-configured with knowledge about where to locate them.

With the emergence of OGSA and Grid Services, it is expected that some of these systems will become OGSA authorization services as mentioned in the OGSA Security Roadmap [Roadmap]. OGSA authorization services are Grid Services providing authorization functionality over an exposed Grid Service portType.
A client sends a request for an authorization decision to the authorization service and in return receives an authorization assertion or a decision. A client may be the resource itself, an agent of the resource, or an initiator or a proxy for an initiator who passes the assertion on to the resource.

This specification defines the use of SAML as a message format for requesting and expressing authorization assertions and decisions from an OGSA authorization service. This process can be single or multi-step. In single step authorization, all the information about the requested access is passed in one SAML request to the authorization service. In multi-step authorization, the initial SAML request passes information about the initiator, and subsequent SAML requests pass information about the actions and targets that the initiator wants to access. The SAML AuthorizationDecisionQuery element is defined as the message to request an authorization assertion or decision, the DecisionStatement element is defined as the message to return a simple decision, and the AuthorizationDecisionStatement as the method for expressing an authorization assertion. By defining standard message formats, the goal is to make these authorization services pluggable, so that different authorization systems can be used interchangeably in OGSA services and clients.

Section 2 describes the conventions and namespaces used in this document. Section 3 contains a non-normative overview of the authorization portions of the SAML specification. Section 4 contains a non-normative description of SAML extensions defined in this document and Section 5 is a normative definition of those new extensions to the SAML elements. Section 6 is normative and defines how SAML elements should be used to form OGSA authorization assertions and requests.
Section 7 contains the WSDL for the authorization service portType. Section 8 contains non-normative commentary. The specification concludes with GGF copyright and intellectual property statements, author affiliation and contact information and a glossary.

2. Conventions Used in this Specification

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [RFC2119].

This specification uses namespace prefixes throughout; they are listed in Table 1. Note that the choice of any namespace prefix is arbitrary and not semantically significant.

Table 1: Namespaces used in this specification.

Prefix       Namespace
ogsa-saml    http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/
operation    http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/operation
sde-read     http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/sde/read
sde-modify   http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/sde/modify
wildcard     http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/wildcard
saml         urn:oasis:names:tc:SAML:1.0:assertion
samlp        urn:oasis:names:tc:SAML:1.0:protocol

3. SAML Authorization Overview

The SAML specification [SAML] defines a number of elements for making assertions and queries regarding authentication, authorization decisions and attributes. It also supports extensibility by allowing applications to define their own elements. In this section we give a brief non-normative overview of the elements related to authorization, and the additional elements needed for Grid authorization. Readers are encouraged to review the SAML specification for more details.

3.1 SAML Authorization Model

As shown in Figure 1, SAML defines a message exchange between a policy enforcement point (PEP) and a policy decision point (PDP) consisting of an AuthorizationDecisionQuery (2) flowing from the PEP to the PDP, with an Assertion returned containing some number of AuthorizationDecisionStatements (3). We also define extensions to SAML to support exchanges in which a client can issue an AuthorizationDecisionQuery to a server, and have Assertions returned containing either an AttributeStatement or a simple AuthorizationDecision.

Figure 1: SAML message flow. (1) A request arrives at the target resource. (2) The Grid Service generates and sends a SAML AuthorizationDecisionQuery to an Authorization Service. (3) The service evaluates the request against policy and returns a response encoded as a SAML Assertion.

In the following sections we describe the AuthorizationDecisionQuery and the Assertion element, and the elements that are used to compose these.

3.2 Action Element

The Action element allows for the expression of actions that may be attempted by entities and expressed in policy. This element consists of a string and a URI defining a namespace for the action described in the string. For example, the SAML specification defines a namespace for HTTP operations that defines actions of GET, HEAD, PUT, POST.

3.3 Resource Element

The Resource element is used to identify the target on which the policy is being asserted or requested. This element is simply a URI.

3.4 Subject and NameIdentifier Elements

The Subject element contains a NameIdentifier element as well as some elements outside the scope of this document. In SAML authorization assertions, the NameIdentifier element serves to identify the initiator of the action being authorized.
The NameIdentifier element contains a string to hold an identity that has two attributes:
- The NameQualifier attribute is a string expressing the security or administrative domain that defined the name (e.g. Kerberos realm, CA name).
- The Format attribute is a URI identifying the format of the name (e.g. X509 subject name).

3.5 AuthorizationDecisionStatement Element

The AuthorizationDecisionStatement element contains statements regarding authorization policy. Each of these statements contains a Subject element, identifying the entity whose rights are being expressed, a Resource element, identifying the resource(s) the rights apply to, an optional Evidence element holding the assertions the issuer relied upon in making its decision, any number of Action elements (expressing the allowed or denied operations) and the Decision attribute containing the authorization decision. The assertion may also have a Conditions element present expressing the conditions that must be fulfilled before the authorization can be permitted.

3.6 AttributeStatement Element

This element supplies a statement by the issuer that the specified subject is associated with the specified attribute(s).

3.7 Assertion Element

The Assertion element specifies the basic information that is common to all SAML assertions, and optionally it may be signed. It can contain any number of Statements, for example, AuthorizationDecisionStatements and AttributeStatements. It is also capable of containing statements related to authentication, but for the purposes of this document we only consider Assertions containing AttributeStatements, AuthorizationDecisions and AuthorizationDecisionStatements.

3.8 Conditions Elements

Each Assertion element can also contain any number of Conditions elements. Conditions elements are specified to express policy restrictions on the assertion such as a validity time of the Assertion; however, they are extensible to express arbitrary conditions on the use of the assertion.
Condition elements might typically be added to assertions if the decision engine had insufficient information to be able to evaluate the policy locally.

3.9 AuthorizationDecisionQuery Element

The AuthorizationDecisionQuery element allows for the request of AttributeStatements, AuthorizationDecisionStatements and simple AuthorizationDecision responses. It contains a Subject, Resource, optional Evidence, and any number of Action elements that identify the decisions that the initiator wants to be made, as well as a RespondWith element that identifies the type of response that the client wishes to be returned.

3.10 Evidence Elements

Evidence elements allow for queries to provide information to the PDP that may be useful for its decision-making. They are used to hold the credentials of the initiator, as well as contextual and environmental information. The initiator's credentials may be either included directly in the evidence element (as AttributeStatements), or may be included indirectly via a pointer (as ReferenceStatements). This allows the PDP to support both the credential push and pull mode of operation. In responses, they also allow the PDP to express what information it used to make its decision.

Each AuthorizationDecisionStatement and AuthorizationDecisionQuery element can contain any number of Evidence elements. Each Evidence element can contain any number of Assertion elements (or references to Assertion elements) that affect the policy decision process.

3.11 ReferenceStatement Element

This element allows Authorization Decision Queries to contain a pointer to an external resource, which may contain credentials for the initiator. This is used to flag the credential pull mode of operation.

3.12 RespondWith Element

This element is used in queries to tell the service what type of response to provide.
It is used by the client to signal if the first step of multi-step authorization is required (RespondWith an Attribute statement), or if a simple decision response should be returned (RespondWith a Decision response), or if an authorization assertion should be returned (RespondWith an Authorization decision statement).

4. Overview of Extensions

This section provides non-normative discussion of the extensions in this specification.

VW: Both of these extensions rely on the RespondWith element that is deprecated in the proposed SAML 1.1 protocol. We need to explore how we would implement these features without this element.

4.1 Simple Authorization Query Response

In the SAML authorization query protocol, a resource normally sends a query to the decision service with an enumeration of the actions being attempted by a requestor. The decision service responds with an assertion containing the set of actions that the requestor is authorized to perform. While this functions well for situations where the resource may be interested in knowing what subset of the actions the requestor is allowed to perform, in "all or nothing" situations where the resource is only interested in knowing if the requestor can perform all the enumerated actions, it requires the resource to process the entire list to verify all the actions originally requested are listed.

This specification defines an AuthorizationDecision element which contains a reference to an AuthorizationDecisionQuery and a decision in regard to that query as a whole, allowing an easy-to-parse decision to be rendered on the query as a whole.

VW: Maybe we just want to define a separate type of query to get an AuthorizationDecision instead of overloading AuthorizationDecisionQuery? SimpleAuthorizationDecisionQuery?
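
The "all or nothing" processing that Section 4.1 says a resource must do when it receives an enumerated AuthorizationDecisionStatement, as an added example that is not part of the original specification. It also honours the wildcard action and wildcard resource URIs this document defines for statements. The subject, resource and action strings are constructed sample values, the helper names are hypothetical, and the assertion is assumed to have been authenticated already (signature, issuer and Conditions checks are out of scope here).

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ACTION_BASE = "http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/"
OPERATION_NS = ACTION_BASE + "operation"
SDE_READ_NS = ACTION_BASE + "sde/read"
WILDCARD_NS = ACTION_BASE + "wildcard"
ANY_RESOURCE = "http://www.gridforum.org/ogsa-authz/saml/2003/06/resource/any"

# Constructed sample values (not taken from the specification).
SUBJECT = "CN=Alice Example,O=Example Grid"
RESOURCE = "http://example.org/ogsa/services/JobService"
SUBMIT = (OPERATION_NS, "http://example.org/job#submit")
CANCEL = (OPERATION_NS, "http://example.org/job#cancel")
STATUS = (SDE_READ_NS, "http://example.org/job#status")


def make_assertion(decision, resource, actions):
    """Build an abbreviated, constructed assertion with one decision statement."""
    acts = "".join(
        f'<saml:Action Namespace="{ns}">{name}</saml:Action>' for ns, name in actions
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML}">'
        f'<saml:AuthorizationDecisionStatement Decision="{decision}" Resource="{resource}">'
        f"<saml:Subject><saml:NameIdentifier>{SUBJECT}</saml:NameIdentifier></saml:Subject>"
        f"{acts}</saml:AuthorizationDecisionStatement></saml:Assertion>"
    )


def granted_actions(assertion_xml, subject, resource):
    """Collect (namespace, action) pairs that Permit statements grant to subject."""
    # Untrusted XML should go through a hardened parser (e.g. defusedxml).
    root = ET.fromstring(assertion_xml)
    granted = set()
    for stmt in root.iter(f"{{{SAML}}}AuthorizationDecisionStatement"):
        if stmt.get("Decision") != "Permit":
            continue  # Deny and Indeterminate grant nothing
        if stmt.get("Resource") not in (resource, ANY_RESOURCE):
            continue  # statement is about some other resource
        name = stmt.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
        # Assumption: plain string equality on the subject name is sufficient.
        if name is None or name.strip() != subject:
            continue
        for action in stmt.findall(f"{{{SAML}}}Action"):
            granted.add((action.get("Namespace"), (action.text or "").strip()))
    return granted


def all_actions_permitted(assertion_xml, subject, resource, requested):
    """True only if every requested action is covered; default is to refuse."""
    if not requested:
        return False
    granted = granted_actions(assertion_xml, subject, resource)
    if (WILDCARD_NS, "*") in granted:
        return True  # wildcard action in a statement: all privileges
    return set(requested) <= granted


if __name__ == "__main__":
    enumerated = make_assertion("Permit", RESOURCE, [SUBMIT, STATUS])
    print(all_actions_permitted(enumerated, SUBJECT, RESOURCE, [SUBMIT, STATUS]))
    print(all_actions_permitted(enumerated, SUBJECT, RESOURCE, [SUBMIT, CANCEL]))
```

The resource has to walk the whole statement to reach a yes or no answer, which is the cost the AuthorizationDecision extension is meant to remove.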

4.2 Multi-Stage Authorization

As discussed in [Authz], some Grid authorization scenarios involve the establishment of a session between a requestor and a resource in which the resource may need multiple, different, authorization decisions regarding the same requestor. To optimize processing for both the resource and the authorization decision service, it is helpful to allow the resource and decision service to establish state. The decision service can then process the request's credentials once and maintain state about the user so that subsequent queries can be responded to without reprocessing the user's credentials.

VW: I suggest we explore using stateful OGSA service instances for this instead of a context state in an attribute.

Changes in proposed SAML 1.1 specification

XXX Talk about changes in 1.1 SAML specification that affect this draft

5. SAML Extensions

This section is normative. It defines the SAML extensions used by OGSA.

5.1 Element

The element specifies the decision made about the corresponding SAML AuthorizationDecisionQuery request. Its purpose is to allow the responses of "permitted or denied" without enumeration of the rights in the response. It has the complex type AuthorizationDecisionType, which extends the ResponseAbstractType by adding the Decision attribute to it. Note that Decision is in response to the SAML request identified in the InResponseTo attribute, so this attribute MUST be present in the response.

5.2 Element

The element supplies a statement by the issuer that the designated attributes associated with the specified subject may be obtained from the referenced URI. Its purpose is to advise the PDP where it may find attributes associated with the subject, and it is used to support the credential pull mode of operation. is of type ReferenceStatementType, which extends the SubjectStatementAbstractType with the addition of the following:

Element [Any number] lists the attributes that may be located at the referenced URI.
If this component is absent, then it implies that all attributes can be found at the referenced URI.

Attribute [Required] provides the URI from which the attributes may be obtained.

6. SAML Authorization Element Usage in OGSA

This section is normative. It describes how SAML Authorization elements are used to meet OGSA requirements for authorization assertions and decisions as described in [Authz]. It first describes the use of the AuthorizationDecisionQuery element, which is used by entities to request authorization assertions and decisions from an authorization service. This is followed by a description of the Attribute Statement, which is used in multi-step authorization to return the validated credentials of the initiator. Finally, the use of the Assertion element that carries the authorization assertion and decision from the authorization service to the resource is described.

6.1 AuthorizationDecisionQuery Element

The SAML AuthorizationDecisionQuery element MUST be used by a client to request an authorization service. Eight different types of authorization service are defined, namely: single step authorization, in either credential pull or push mode, returning either a simple AuthorizationDecision response, or an AuthorizationDecisionStatement assertion; the first step of multi-step authorization in credential push or pull mode, returning an Attribute Statement; and the second step of multi-step authorization, returning either a simple AuthorizationDecision response or an AuthorizationDecisionStatement assertion.

This element MUST include the following elements:
- A Subject element containing a NameIdentifier element specifying the identity of the initiator.
- A Resource element specifying the resource (or domain of resources) to which the request to be authorized is being made.
- One or more Action elements specifying the action(s) being requested on the resource(s).
- A RespondWith element indicating the type of authorization service that is being requested.

The query MAY include the following element:
- Optionally an Evidence element containing one or more supporting credentials about the initiator (or pointers to them), plus any contextual information.

The following subsections describe the use of and extensions to these elements for OGSA.

Subject Element

This element contains the name of the initiator. The Subject and contained NameIdentifier elements are unchanged from the SAML specification. The exact use of these elements is driven by the authentication mechanism used by the client. In some scenarios, the authorization service (PDP) MAY require the initiator and client names to be the same. In other scenarios, the authorization service MAY allow trusted clients to request authorization decisions on behalf of any initiator.

The SAML specification defines how some common identity types are asserted. The Grid Security Infrastructure (GSI) is a common Grid authentication mechanism that uses X.509 based identities. The SAML specification defines a URI for X.509 subject names (#X509SubjectName) that SHOULD be used for GSI authenticated identities.

This document defines one wildcard value for the X509SubjectName, i.e. an empty string, which has the special meaning of anyone (i.e. a decision about public rights is being requested). This wildcard MUST be used in order to obtain public rights.

Resource Element

The Resource element is defined as a URI. In the first step of multi-step authorization, the value of this element SHOULD be ignored by the PDP, and the client MAY put any value, including null, into this element. The following text refers to either single step authorization or the second and subsequent steps of multi-step authorization.

If the resource being referred to is a Grid service, the resource element MUST contain the Grid Service Handle (GSH) of the service as described in [OGSI]. It is also possible that this element could contain a URI referring to things other than GSHs in an OGSA context.
For example, a URI could be used to refer to a group of services. However, such usage is determined by prior agreement between authorization services, policy makers and resources in a particular domain and is beyond the scope of this document.

This specification also defines a wildcard resource. This has two different meanings depending on whether it is in a query (request to a PDP) or a statement (response from a PDP):
- In an AuthorizationDecisionQuery, it states a desire to learn the initiator's rights on all the resources of which the authorization service is aware. Typically such a query will be used by an initiator who will cache the results and present them to resources later in a decision push mode of authorization.
- In an AuthorizationDecisionResponse, it states the initiator has the given privileges on all resources that accept the authorization service as authoritative. This statement may be used when the authorization service is the authority for a group of resources with identical policy.

This wildcard URI MUST be specified as follows:

http://www.gridforum.org/ogsa-authz/saml/2003/06/resource/any

Action Elements

The Action element describes the operation or method to be authorized. The Action element is composed of a string describing the operation and a URI specifying the namespace of the action. In the first step of multi-step authorization, the value of this element SHOULD be ignored by the PDP, and the client MAY put any value, including null, into this element. The following text refers to either single step authorization or the second and subsequent steps of multi-step authorization.

This specification defines the following namespaces:

http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/operation
    This namespace is used to define an operation invocation on the specified Resource by the specified Subject. The action string should contain the namespace and name of the operation being invoked.

http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/sde/read
    This namespace is used to define the reading of a ServiceDataElement. The action string should contain the QName of the Service Data element being accessed.

http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/sde/modify
    This namespace is used to define the modification of a ServiceDataElement. The action string should contain the QName of the Service Data element being modified.

This specification also defines a wildcard action. This action has two different meanings depending on whether it is in a query or an assertion:
- In an AuthorizationDecisionQuery, it states a desire to learn all of the initiator's rights on the specified resource. An example of where this might be used is a policy enforcement point co-located with a resource that, after an initiator has set up a session, will cache the results and do further policy processing without the authorization service.
- In an AuthorizationDecisionStatement, it states the initiator has all privileges on the resource. This will often be the case where the initiator is the policy authority for the resource in question.

This wildcard action MUST be specified as follows. The namespace URI MUST be:

http://www.gridforum.org/namespaces/2003/06/ogsa-authz/saml/action/wildcard

The Action string must be "*", i.e., an asterisk.

Evidence Elements

Evidence elements are assertions used to hold, either directly or by reference, supporting credentials regarding the initiator, as well as environmental parameters. In one step authorization the AuthorizationDecisionQuery MAY contain Evidence Elements holding environmental parameters. In the second and subsequent steps of multi-step authorization, the AuthorizationDecisionQuery MUST contain an Evidence element holding the Attribute Assertion returned by the PDP in response to the first step of authorization and MAY contain Evidence Elements holding environmental parameters.

In one step authorization and the first step of multi-step authorization, the AuthorizationDecisionQuery MAY contain Evidence elements regarding the credentials of the initiator as follows. In the credential push mode of operation this element SHOULD contain the credentials of the initiator. If the initiator does not have any credentials (for example, if default or public access rights are being requested) then there will be no evidence assertions in which the subject name is that of the initiator. In the credential pull mode of operation this element MAY contain a Reference Statement. If the client wishes the PDP to operate in both credential push and pull mode, then it MAY include initiator credentials and Reference Statements in the Evidence element. If neither is present, then it is at the discretion of the PDP how to behave (e.g. it may be pre-configured with a resource from which to pull initiator credentials, or it may assume the initiator has no credentials).

This specification makes no further constraints on the use of this element for specifying credentials. It is expected that specifications for different types of supporting credentials will be developed.

ReferenceStatement Element

Reference statements MAY be included within Evidence elements, in order to signal the credential pull mode of operation to the PDP. Reference statements MAY be included instead of, or as well as, credentials in Evidence elements, and it is a local matter for the PDP to determine how to handle the presence of one, both or neither elements. The value of the Reference URI is not further constrained by this specification.

RespondWith Element

This element MUST be used by the client to signal the type of authorization decision service being requested from the PDP. One of the following values MUST be used:

saml:AttributeStatement
    The authorization service is required to perform the first step of multi-stage authorization and return an assertion containing a saml:AttributeStatement.
ogsa-saml:AuthorizationDecision
    The authorization service is required to return a simple Authorization Decision Response to this Authorization Decision Query.

saml:AuthorizationDecisionStatement
    The authorization service is required to return an assertion containing an Authorization Decision Statement. For single-step authorization or the second step of multi-step authorization

If single step authorization is being requested, and the client wants an AuthorizationDecisionStatement to be returned, then it MUST set the value to saml:AuthorizationDecisionStatement. If single step authorization is being requested, and the client wants a simple AuthorizationDecision Response to be returned, then it MUST set the value to ogsa-saml:AuthorizationDecision. If the first step of multi-step authorization is required, then the client MUST set the value to saml:AttributeStatement. For second and subsequent steps in multi-step authorization, the client SHOULD set the value to either ogsa-saml:AuthorizationDecision or saml:AuthorizationDecisionStatement, depending upon the type of response that is required.

If a client follows an AuthorizationDecisionQuery with RespondWith set to Attribute with another AuthorizationDecisionQuery with RespondWith set to saml:AttributeStatement, and the subject elements are identical in the two queries, then the Attribute Statement returned on the first request is effectively superseded by the Attribute Statement returned in the subsequent request.

Assertion Element

The SAML Assertion element is used by one entity to assert the capabilities of another. While an Assertion element can contain a variety of SAML statements, for the purposes of this document we consider only AuthorizationDecisionStatements and AttributeStatements.
The former are returned in one-step authorization or the second and subsequent steps of multi-step authorization, whilst the latter are returned in the first step of multi-step authorization.

When returned by an authorization service to an entity, the Assertion element will be enveloped in a SAML Response element as described in the SAML specification.

The Assertion element includes the following elements:

    An optional Conditions element specifying the conditions for use of the assertion.
    An optional Advice element specifying advice for use of the element.
    Any number of AuthorizationDecisionStatements or AttributeStatements specifying capabilities.
    An optional Signature element allowing the Assertion to be verified.

The following subsections describe the use and extensions to these elements for OGSA.

Conditions Element

Implementations are advised to be conservative in their use of this element and only include it when they are confident it will be understood.

The Conditions element contains optional time constraints and any number of Condition elements (note the difference in plurality between element names) on the returned assertion. Condition elements serve as an abstract element for extension, and should be used to express the policy conditions on operands and context/environment that the authorization service was unable to evaluate due to insufficient information being provided by the client.

It is envisioned that future specifications will be able to extend the Condition element to return fine-grained policies for parameters on operation invocation and service data access, using for example elements of XACML.

Advice Element

This specification recommends against the use of the Advice element. Implementations SHOULD NOT use this element and MAY only include it when they are confident it will be understood.
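The handling of a returned Assertion, its Conditions element and the Decision attribute of its AuthorizationDecisionStatements, seen from the relying side, as an added example (not code from this specification or its authors). It assumes the SAML 1.0/1.1 assertion namespace and attribute names, that the assertion's signature or the connection to the PDP has already been authenticated, and a fail-closed policy chosen for the example; the function, subject, resource and action names are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.0/1.1 assertion namespace
Q = "{%s}" % SAML_NS
KNOWN_VERSIONS = {("1", "0"), ("1", "1")}  # versions this example PEP understands

# Constructed sample values (assumptions, not taken from the specification).
NOW = datetime(2003, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
SUBJ = "/O=Grid/CN=Alice Example"
RES = "https://grid.example.org/ogsa/services/storage"
ACT = ("urn:example:actions", "read")  # (Action Namespace attribute, action name)


def utc(value):
    """Parse the UTC dateTime form used in SAML, e.g. 2003-09-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def enforce(assertion_xml, subject, resource, action, now):
    """Return (decision, reason). 'Permit' is returned only when nothing is left open."""
    if "<!DOCTYPE" in assertion_xml:  # refuse DTDs, so no entity expansion is attempted
        return "Deny", "DTD not allowed in assertion"
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError:
        return "Deny", "malformed XML"
    if root.tag != Q + "Assertion":
        return "Deny", "not a SAML assertion"
    # Security Considerations: discount versions the software is not familiar with.
    if (root.get("MajorVersion"), root.get("MinorVersion")) not in KNOWN_VERSIONS:
        return "Deny", "unfamiliar assertion version"

    conditions = root.find(Q + "Conditions")
    if conditions is not None:
        try:
            not_before = conditions.get("NotBefore")
            not_on_or_after = conditions.get("NotOnOrAfter")
            if not_before and now < utc(not_before):
                return "Deny", "assertion not yet valid"
            if not_on_or_after and now >= utc(not_on_or_after):
                return "Deny", "assertion expired"
        except ValueError:
            return "Deny", "unparseable validity time"
    # Any child of Conditions is a condition the PDP left for someone else to evaluate.
    open_conditions = conditions is not None and len(conditions) > 0

    decisions = []
    # Direct children only: statements nested inside Evidence are supporting
    # credentials, not decisions about this request.
    for stmt in root.findall(Q + "AuthorizationDecisionStatement"):
        name = stmt.find(Q + "Subject/" + Q + "NameIdentifier")
        if stmt.get("Resource") != resource or name is None:
            continue
        if (name.text or "").strip() != subject:
            continue
        actions = {(a.get("Namespace"), (a.text or "").strip())
                   for a in stmt.findall(Q + "Action")}
        if action in actions:
            decisions.append(stmt.get("Decision"))

    if not decisions:
        return "Deny", "no statement covers this request"
    if "Indeterminate" in decisions and conditions is None:
        return "Deny", "Indeterminate without Conditions violates the specification"
    if any(d != "Permit" for d in decisions):
        return "Deny", "decision is not Permit"
    if open_conditions:
        return "Deny", "Permit carries conditions this PEP cannot evaluate"
    return "Permit", "ok"


def sample_assertion(decision, conditions="", minor="1", evidence=""):
    """Constructed input: one assertion holding one decision statement."""
    return (
        '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="%s" '
        'AssertionID="a1" Issuer="pdp.example.org" IssueInstant="2003-09-01T11:59:00Z">'
        '%s<saml:AuthorizationDecisionStatement Resource="%s" Decision="%s">'
        '<saml:Subject><saml:NameIdentifier>%s</saml:NameIdentifier></saml:Subject>'
        '<saml:Action Namespace="%s">%s</saml:Action>%s'
        '</saml:AuthorizationDecisionStatement></saml:Assertion>'
    ) % (SAML_NS, minor, conditions, RES, decision, SUBJ, ACT[0], ACT[1], evidence)


if __name__ == "__main__":
    for d in ("Permit", "Deny", "Indeterminate"):
        print(d, "->", enforce(sample_assertion(d), SUBJ, RES, ACT, NOW))
```

A PEP that can evaluate a particular Condition extension would replace the blanket `open_conditions` refusal with that evaluation; every other path still ends in Deny.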
AuthorizationDecisionStatement Element

The AuthorizationDecisionStatement element contains the same elements as the AuthorizationDecisionQuery, and also includes a Decision attribute. The Decision attribute can take the value of Permit, Deny or Indeterminate. If a value of Indeterminate is returned, then the encapsulating assertion MUST also have a Conditions element present expressing the conditions that MUST be fulfilled before the authorization can be permitted.

Comment from Mary Thompson: Conditions need to be associated with specific actions not just with an Authorization Decision Statement (ADS) as section 6.2.3 seems to imply. Actually going back through the SAML schema, a SAML response can contain 0 to unbounded assertions, and the assertion contains the conditions and the ADS which in turn contains the actions and permission. So if in section 6.2 you point out that the SAML response element may contain one or more assertions, then in 6.2.3 you can mention that if some actions have different conditions than others, they should be returned in different assertions, and not just different ADS's. If they have the same (or all null conditions) but different Decisions they can be in the same assertion but different ADS's.

AttributeStatement Element

The AttributeStatement element MUST be sent in a reply to an AuthorizationDecisionQuery in which the RespondWith element value was set to Attribute i.e. to the first step of multi-step authorization. The returned Attribute Statement SHOULD contain a PDP encoded cookie that is associated with the initiator (subject element of the AuthorizationDecisionQuery). For example, when RBAC is being used, the attribute statement could contain the list of validated roles of the initiator. Whether the cookie is opaque or understandable by the client is currently out of the scope of this document.
However, the returned attribute statement MUST be usable multiple times by the client in subsequent AuthorizationDecisionQueries concerning the same initiator. When the assertion encapsulating the Attribute Statement is returned across an insecure network, it SHOULD be signed by the PDP.

The client SHOULD use the returned attribute assertion and insert it into the Evidence element of all subsequent AuthorizationDecisionQueries sent to the same PDP for the same subject/initiator. In subsequent queries the RespondWith element SHOULD be set to Decision or Authorization.

Signature Element

This specification places no constraints on the Signature elements. Implementations SHOULD sign assertions when they do not have an authenticated connection to the evaluator of the assertion.

SAML Authorization Service PortType

XXX To be defined

Commentary

This section contains non-normative commentary.

Proposed SAML 1.1 specification

The OASIS Security Services Technical Committee (SSTC) [SSTC] has ratified a new version, version 1.1, of SAML. That document contains changes which affect the contents of this document. A document describing differences can be found at:

http://www.oasis-open.org/committees/download.php/2247/sstc-saml-diff-1.1-draft-01.doc

The new SAML 1.1 specification contains the following changes, which need to be integrated into this document:

    The URI to identify X.509 subject names is changed. This specification recommends this URI for GSI subject identities.
    The RespondWith element is deprecated. This specification uses this element to request an attribute for multi-step authorization and needs to find a different way to accomplish this.

Security Considerations

This specification defines an authorization service based on the SAML specification for OGSA and is completely about security. Implementers of this specification need to be aware that errors in implementation could lead to denial of service or improper granting of service to unauthorized users.
In particular, implementations should verify versions of assertions they are relying on and discount any version their software is not familiar with.

XXX Need to be more specific here.

Author Information

Von Welch
National Center for Supercomputing Applications
vwelch@ncsa.uiuc.edu

Frank Siebenlist
Argonne National Laboratory
franks@mcs.anl.gov

Sam Meder
University of Chicago
meder@mcs.anl.gov

Laura Pearlman
Information Sciences Institute
University of Southern California
laura@isi.edu

David Chadwick
Information Systems Institute
University of Salford
d.w.Chadwick@salford.ac.uk

Glossary

The following terms and abbreviations are used in this document.

ACI
    Access Control Information (from ISO 10181-3). Any information used for access control purposes, including contextual information.

ADF
    Access control Decision Function (from ISO 10181-3). A specialized function that makes access control decisions by applying access control policy rules to an access request, ADI (of initiators, targets, access requests, or that retained from prior decisions), and the context in which the access request is made.

ADI
    Access control Decision Information (from ISO 10181-3). The portion (possibly all) of the ACI made available to the ADF in making a particular access control decision.

AEF
    Access control Enforcement Function (from ISO 10181-3). A specialized function that is part of the access path between an initiator and a target on each access request and enforces the decision made by the ADF.

Client
    The entity making a decision request to the ADF (it could be the target, the initiator, or a proxy acting on behalf of the initiator).

Contextual information
    Information about or derived from the context in which an access request is made (e.g. time of day).

Environmental parameters
    Same as contextual information.

Initiator
    An entity (e.g. human user or computer-based entity) that attempts to access other entities (from ISO 10181-3).
PDP
    Same as ADF.

PEP
    Same as AEF.

Privilege
    An attribute or property assigned to an entity by an authority.

Target
    An entity, usually a resource, to which access may be attempted (from ISO 10181-3).

Intellectual Property Statement

The GGF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the GGF Secretariat.

The GGF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this recommendation. Please address the information to the GGF Executive Director.

Full Copyright Notice

Copyright (C) Global Grid Forum (date). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the GGF or other organizations, except as needed for the purpose of developing Grid Recommendations in which case the procedures for copyrights defined in the GGF Document process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the GGF or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE GLOBAL GRID FORUM DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

References

[Akenti] Thompson, M., et al., "Certificate-based Access Control for Widely Distributed Resources," in Proc. 8th Usenix Security Symposium, 1999.

[Authz] Welch, V., et al., OGSA Authorization Requirements, June 2003.

[CAS] Pearlman, L., V. Welch, I. Foster, C. Kesselman, S. Tuecke, "A Community Authorization Service for Group Collaboration," Proceedings of the IEEE 3rd International Workshop on Policies for Distributed Systems and Networks, 2002.

[OGSI] Foster, I., C. Kesselman, J. Nick, S. Tuecke, "The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration," Open Grid Service Infrastructure WG, Global Grid Forum, June 22, 2002.

[PERMIS] Chadwick, D.W., O. Otenko, "The PERMIS X.509 Role Based Privilege Management Infrastructure," Proceedings of 7th ACM Symposium on Access Control Models and Technologies (SACMAT 2002).

[Roadmap] Siebenlist, F., et al., "OGSA Security Roadmap," OGSA Security WG, Global Grid Forum, July 2002.

[RFC2904] Vollbrecht, J., et al., "AAA Authorization Framework," RFC 2904, August 2000.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels," BCP 14, RFC 2119, March 1997.

[RFC3281] Farrell, S., Housley, R., "An Internet Attribute Certificate Profile for Authorization," RFC 3281, May 2002.

[SSTC] OASIS Security Services Technical Committee, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security, June 2003.

[VOMS] "VOMS Architecture v1.1," http://grid-auth.infn.it/docs/VOMS-v1_1.pdf, February 2003.

ChangeLog

Version 02, September 2003:
    Minor editorial corrections from Mary Thompson.
    Comment in 6.2.3 from Mary Thompson.
    8.1: SAML 1.1 is now an official OASIS standard.

Version 01, June 2003:
    Initial Revision
Editor's Note. Alternatively we can indicate that the initiator has no credentials, by setting this element to , and the value of the string to null.

We have to decide on the best way of returning a conditional response. There are a couple of possibilities:

I) return Permit with Conditions (but the conditions have to be evaluated to true before the permit is valid)
II) return Indeterminate with Conditions (and the decision then depends upon the evaluation of the conditions).

II) has been chosen above.

GWD-R (proposed) June 2003 welch@mcs.anl.gov vwelch@ncsa.uiuc.edu