My OpenPGP Key & X.509 Certificate

My PKI Fingerprints

Currently in active use:
OpenPGP: 1DEE C9C2 6B38 36BD B6FE  6EFD 5F4C B920 06B4 DE19
OpenPGP: DFB9 A806 8605 9B60 A480  66B8 4533 630A 6B45 1035 REVOKED
X.509: BF:9F:40:50:45:AF:CF:2F:25:D7:B5:DD:7C:2C:8F:ED:98:9D:D3:51 COMODO Free e-mail
New, self-generated X.509 certificates under usability testing:
(if testing is favorable, these will be adopted for ongoing use)
X.509: EC:09:5A:98:7B:83:A2:7A:73:7F:C6:46:CA:EB:01:66:A5:A5:78:6A Issuer CA
X.509: F0:A4:38:38:B1:BA:1F:D0:DA:C7:FA:61:1A:A5:10:2B:D5:38:DE:2B Signing
X.509: EA:15:78:AB:22:23:4D:DC:74:A1:D9:FD:86:4D:C3:FA:AD:56:47:D2 Encryption

These test certificates were personally generated and issued by me. If you import the certificate for my issuer CA into a certificate store, and assign it some trust, any application using that store will automatically accept any certificates issued under that CA. The two following entries, for example, are issued by this CA and these certificates ought to accompany any signed test email traffic you might receive from me. Further developments with this process will eventually appear somewhere on this page.
Retired CACert.org issued X.509 certificates, formerly in use (provided for continued signature validation):
Expired 20100627: 46:CA:4B:96:09:CA:39:EF:C0:7E:73:2B:B3:A7:E4:0D:33:2D:75:0D
Expired 20101213: DC:C9:67:B1:CD:86:84:76:56:67:9D:B6:C9:9A:66:68:D0:0A:EB:DE
Expired 20110609: D1:23:F6:E9:18:36:37:01:8C:2B:D7:2D:0F:0D:4E:0C:E2:D5:31:74
Expired 20111124: 70:3B:55:AE:EB:A1:7A:69:FF:AB:98:DE:14:03:F2:BE:C6:44:EA:F2
Expired 20120413: 8A:F9:D9:B0:03:18:87:C7:67:D0:12:5B:06:0C:BF:54:BE:9C:01:9F
Expired 20121004: 78:1B:01:49:27:4B:C8:FD:FF:E3:19:04:0B:5A:B2:FB:BC:5C:D4:39
As of 20121004, all my X.509 certificates issued by CACert.org have expired; I currently have no plans to issue any more. Future X.509 needs will be satisfied using my own private CA issuer and its issued certificates (see above *experimental* fingerprints). As I rely primarily on the OpenPGP infrastructure, statements of ownership cross-signed with both sets of keys (OpenPGP and X.509) will demonstrate my control of the X.509 hierarchy that I establish to anyone accepting my OpenPGP key.
I hereby repudiate, revoke, or otherwise disavow any keys claiming to represent me, whose fingerprints are not listed above.

My OpenPGP key is available from this keyserver (ldap://keyserver.pgp.com, if you'd like to configure your OpenPGP client), and also below.

You will automatically receive my X.509 certificate if you receive S/MIME-signed e-mail from me. If you need to send encrypted data to me directly, without a prior signed message from me first, click here to download my public X.509 certificate directly. Additional notes for this.

Assurance of X.509 certificate ownership.


If you received a business card from me with my OpenPGP key's fingerprint, you can compare the fingerprint on the card with the fingerprint on this page and that of your own imported copy of the key. They will all match. If they do not, then the key you imported was either bad, damaged, or does not actually represent me. In that case be careful! If all fingerprints match, then you are assured of actually having my key, and that it is undamaged and secure for your use. Yay!

My X.509 certificate expires every six months and is replaced by a new one. The retired certificates remain valid for verifying signatures made with them during their lifetime (unless I revoke the certificate due to loss of control). I list fingerprints of the retired certificates, for this reason.

Early business cards also included my X.509 certificate's fingerprint, but that key has since expired. Consider the fingerprints specified here authoritative. As assurance, I provide here a statement of ownership, and the fingerprint of my X.509 certificate, signed with my OpenPGP key. Verifying the OpenPGP signature validates my assertion that I am represented by that X.509 certificate so fingerprinted.


If you use OpenPGP, I am available to verify and sign your public key, and would request reciprocal service. Send me your request via encrypted mail with your public key attached, and I will contact you to initiate a remote verification procedure and exchange of signed keys.

My public key, listed below, is updated here as necessary.

Never trust using a public key for secure communications or signature validation, which you have not first verified here as actually representing me.

I hereby repudiate, revoke, or otherwise disavow any keys claiming to represent me, whose fingerprints are not listed on this webpage.


24JUN09: Assigned new expiration date. Revised key prefs to prefer RIPEMD160 hashes, AES cipher, and BZIP2 compression.

With FireGPG release 0.7.6, this Firefox plug-in's author advised deprecating SHA1 use, given that the security of SHA1 has been weakened and may soon break the same way that MD5 has now been badly compromised. I could confirm that at least as of 2005, a high-resource attack seemed to have reduced SHA1 security to 2^63 from 2^80. A BOINC project is searching for SHA1 collisions. According to Wikipedia, NIST has plans to phase out SHA1 use by 2010.

23NOV09: Updated to include new signature.
16JUN10: Updated to extend expiration another year.
24JUN11: Expiration extended one year.
05APR12: Established new OpenPGP key, cross-signed with previous key, and retired the previous key from use, publishing revocation. See below for explanation.
10OCT12: Expiration of subkeys extended 6 months.


pub   2048D/06B4DE19 2012-04-04 [expires: 2014-04-05]
      Key fingerprint = 1DEE C9C2 6B38 36BD B6FE  6EFD 5F4C B920 06B4 DE19
uid                  Andrew Skretvedt (Google)
uid                  Andrew Skretvedt (attached to ISP: Midco)
uid                  [jpeg image of size 5081]
sub   1024D/1AC16690 2012-04-05 [expires: 2013-04-08]
sub   2048g/71794A73 2012-04-05 [expires: 2013-04-08]

pub   1024D/6B451035 2008-07-22 [revoked: 2012-04-05]
      Key fingerprint = DFB9 A806 8605 9B60 A480  66B8 4533 630A 6B45 1035
uid                  Andrew Skretvedt (Google)
uid                  Andrew Skretvedt (Midco)
uid                  [jpeg image of size 5081]


Using an X.509 certificate (perhaps in lieu of my OpenPGP key)
this section *OBSOLETE as of 20121004* revision to be made later

You will need to import the certificate into your X.509 store. If your client uses the Windows store (at the moment, Google Chrome for Windows would be an example), right-clicking on the file ought to present you with an option to import the certificate. In Thunderbird, the click chain goes like this:

Tools -> Options -> Advanced -> Certificates -> View Certificates -> People -> Import

You can browse to the .pem or .crt file and import it. Now you will have the ability to encrypt a message to me using S/MIME (this has the advantage of being built into the client, whereas using OpenPGP keys in Thunderbird requires separate installation of OpenPGP software appropriate to your platform, and the "enigmail" add-on). The import process for Firefox is similar (though the only typical use case would be in which you were to visit a website I secured using this certificate, and I am not doing anything like that presently).

Finally, my X.509 certificate is signed by the Root CA, CACert.org. They are a project aimed at breaking the traditional model of hierarchical trust in X.509 certificates in favor of a web-of-trust model (there are good reasons why this would be preferable). This makes them unique in the X.509 world; as a result they are not trusted as a CA by default in most web and e-mail clients. To successfully import an X.509 certificate signed by CACert.org, you'll need to import and trust their root certificates if you haven't previously. This is explained here.

Their automated platform by itself only verifies control of the e-mail addresses specified in the certificate presented, and does not verify identity (so these certificates have the identity data stripped out and replaced with "CACert WoT user"). An optional process of assurance is used to have one's identity verified by other trusted individuals in the web-of-trust framework. Once that happens, identity data is restored to the certificate, and its signing by CACert's root certificate then indicates you've proven to the web-of-trust that you are who you claim to be, and control the e-mail addresses you specified.

My focus is on developing the web-of-trust around my OpenPGP key, so I have not yet gone through the assurance process on my X.509 certificate. People using OpenPGP can currently get more assurance of my identity with that key. If you trust that key, then you can use it to check the signature on my X.509 assurance statement.

As convenience and circumstance allow, I will build out the web-of-trust on both of my keys, which will provide even greater assurance, through multiple independent 3rd party verifications of my identity and my claim to own and control these listed keys.

Discussion concerning my revoked OpenPGP key

During some routine housecleaning concerning various stored credentials I use, I discovered that I had inadvertently attached an unencrypted archive of my GnuPG keyrings to an email which I'd sent to myself for safekeeping (a crude form of cloud storage). Normally, such an archive is encrypted with a strong symmetric key. This provides me a backup I don't have to worry about misplacing or physically looking after. It also serves as a means of bootstrapping/synchronizing the GnuPG installation I use on my laptop computer. If I am ever in a remote location, but have a computer I control and internet access, in short order I can bootstrap up a virgin GnuPG install and be ready to transact business, without being in physical possession of any backup media. So this is why I do this.

Well the message to myself was sent from within a secure gmail session to the same account I was working in, so it is unlikely it could have been snooped in transit. Further it existed behind my account, so an attacker would need to break into my gmail account to access the message (and know it existed or have been lucky with a search). How secure the mail is on the Google hardware, behind the web interface, I cannot say. Obscurity may be the only thing which protected this archive there.

This insecure archive was rather old. I have since deleted the message to which this archive was attached (though it may still exist on hardware somewhere behind the gmail interface), and there has been nothing to indicate the key was or is compromised. Prudently, should just this sort of mistake happen, it was protected when generated with a very strong password, so even if an attacker managed to get a copy of the archive, to use the key he'd have to first brute search a rather large keyspace for the correct password. Helping multiply the required effort is GnuPG's smart choice of cypher protecting the secret keys, one with a computationally expensive key setup process, which effectively clamps down hard on the rate of password guessing.

These things all work very much in my favor, despite my careless key handling in this case. I've been tempted to continue to use the key normally until it expires in June, 2012, and then this time just not bother to update the expiration date. But, if in the future someone did manage to succeed in accessing the key, nothing would bar them from updating the expiration themselves and returning the key to service (so far as anyone searching for my key on a public keyserver would know).

So unlikely as I believe future compromise of the key to be, the fact remains that I allowed the private side of the key to slip out from my confident control, and I need to use a key which I am absolutely certain is under my control alone. So therefore I decided to retire the key, and issue a revocation to communicate non-use henceforth.

Above, I have issued a replacement key, cross-signed against my now retired key to demonstrate chain of ownership. I will start soliciting certifications on this new key to establish its validity for users, and this very page also serves as my attestation that I own, control, and will now use this new key (as identified above).

My new key management scheme

To help make this mistake harder to make in the future, and to minimize the impact of any future key loss, I have adopted a new strategy for managing this key. It is what many Debian developers do, and is in theory a better practice. There are three common activities done with my OpenPGP key.
  1. Certifying the keys of others (and having mine certified by others)
  2. Signing documents and files
  3. Receiving data encrypted to me
By default, GnuPG generates one DSA primary key that can both sign things and certify keys, and generates an attached ElGamal subkey for handling encryption. Normally you consider the whole blob as one entity, so in a practical sense, if you lose control of one part of this key, you likely lost the whole thing. But in principle, you can store the subkey apart from the primary. This would allow you to keep the primary key offline where it presumably would be more secure. If you later lost the ElGamal encryption subkey, it's easily revoked and replaced and this won't affect signing and certifying. The benefit is better forward security for encryption, and the important certification work your primary key has done remains unharmed (which for some individuals represents a significant investment of time and trouble, especially if you have ever participated in a key signing party).

The downside is that whenever you wanted to sign something or certify another user's key, you would have to retrieve the primary key from your secure offline storage (or otherwise bring the materials to be signed/certified to your hardened offline system whereupon your primary key rests).

For small groups and individuals, certifying other keys may be a relatively infrequent thing, such that this imposition is not unjustified and a bonus for protecting your key-certification work. But it is more likely that signing various data is a far more routine task, perhaps much more so than even utilizing encryption to others (e.g. I sign all my email, but I don't have many private exchanges needing the added security of encryption).

To extract more safety and convenience, as you can see I've added a second subkey to my primary key for signing data, and I now use the primary key solely for UID and key certification. Only the signing subkey and the encryption subkey will be available to my active systems, making a loss of control situation a less serious affair. The big bonus is that it should become easier to protect the certification work, as this key will stay offline.

The process is detailed here.

So I will use my new primary key only to certify the UIDs of others' keys and to likewise present for UID certification by others. The key then rests in secure storage offline. It also carries a longer 2-year window between expiration-and-renewal periods.

The subkeys will be active on my normal systems, and allow me to sign (the bulk of my activity) and decrypt data sent to me. I'm experimenting with a shorter, 6-month, expiration/renewal period for these keys. The idea is to prompt users to check up on my public key material more frequently when they're actively using it, so that the material they have is more likely to be authoritative, especially when encrypting (the most sensitive communications should always start with a check of this page or other published sources I designate (e.g. keyservers, listings here or in my key preferences) to ensure your use of authoritative and current key material).

Unless I have a reason to change keys, the expiration dates of all these keys will be simply extended at some point close to their current expiration date. This way keys will naturally age-out if I fail to maintain my active role in looking after them, which seems like a smart thing to have set.
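
As an added example (not code from this page or its author), the following Python code parses the old-style GnuPG listing shown earlier on this page and applies the checks the page asks of a correspondent: compare the full fingerprint against a trusted copy, refuse a revoked or expired primary key, and report which subkeys are still inside their expiration window. The function names and the dates passed in are assumptions of the example.

```python
import re
from datetime import date

# Listing copied from this page (uid and blank lines omitted); names below are this example's own.
LISTING = """\
pub   2048D/06B4DE19 2012-04-04 [expires: 2014-04-05]
      Key fingerprint = 1DEE C9C2 6B38 36BD B6FE  6EFD 5F4C B920 06B4 DE19
sub   1024D/1AC16690 2012-04-05 [expires: 2013-04-08]
sub   2048g/71794A73 2012-04-05 [expires: 2013-04-08]
pub   1024D/6B451035 2008-07-22 [revoked: 2012-04-05]
      Key fingerprint = DFB9 A806 8605 9B60 A480  66B8 4533 630A 6B45 1035
"""

KEY_RE = re.compile(r"^(pub|sub)\s+\d+\w/([0-9A-F]{8}) \d{4}-\d\d-\d\d"
                    r"(?: \[(expires|revoked): (\d{4}-\d\d-\d\d)\])?")
FPR_RE = re.compile(r"^\s+Key fingerprint = ([0-9A-F ]+)$")

def normalize(fpr):  # drop spaces/colons, upper-case: OpenPGP and X.509 styles
    return re.sub(r"[\s:]", "", fpr).upper()

def parse_listing(text):
    """Group each sub line and fingerprint under the pub line that precedes it."""
    primaries = []
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            kind, keyid, flag, when = m.groups()
            key = {"id": keyid, "flag": flag, "fpr": None, "subs": [],
                   "when": date.fromisoformat(when) if when else None}
            if kind == "pub":
                primaries.append(key)
            elif primaries:
                primaries[-1]["subs"].append(key)
        elif primaries and (f := FPR_RE.match(line)):
            primaries[-1]["fpr"] = normalize(f.group(1))
    return primaries

def usable(key, today):  # not revoked and not past its expiry date
    return key["flag"] != "revoked" and (key["when"] is None or key["when"] >= today)

def check(primaries, trusted_fpr, today):
    """Return (verdict, usable subkey ids) for the key matching trusted_fpr."""
    want = normalize(trusted_fpr)
    if len(want) != 40:  # insist on the full 160-bit fingerprint, never a short key ID
        raise ValueError("compare full fingerprints, not key IDs")
    for key in primaries:
        if key["fpr"] == want:
            if not usable(key, today):
                return ("revoked" if key["flag"] == "revoked" else "expired"), []
            return "ok", [s["id"] for s in key["subs"] if usable(s, today)]
    return "no-match", []
```

A verdict of `"ok"` with an empty subkey list means the primary key is still valid but the local copy of the subkeys has aged out, which is the cue to fetch fresh key material before signing checks or encryption.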