ࡱ> E@ jbjbj <R::: : n=n=n=$=wwwPw,{ =}L`}`}`}`}:9M \^^^^^^$ R"9n=އ^އއ::`}`}Aއ:`}n=`}\އ\(T<n=x `}} 0qw<Zd0##x ==::::x `#n=  Y1˄|GYYY=8>!_t"=8>_Binder, a logic-based security language John DeTreville March 1, 2002 Technical Report MSR-TR-2002-21 Microsoft Research Microsoft Corporation One Microsoft Way Redmond, WA 98052 Binder, a Logic-Based Security Language John DeTreville Microsoft Research johndetr@microsoft.com Abstract We introduce the concept of a security language, used to express security statements in a distributed system. Most existing security languages encode security statements as schematized data structures, such as ACLs and X.509 certificates. In contrast, Binder is an open logic-based security language that encodes security statements as components of communicating distributed logic programs. Binder programs can be more expressive than statements in standard security languages, and the meanings of standard security constructs and operations such as certificates and delegation are simplified and clarified by their formulation in Binder. Translation into Binder has been used to explore the design of other new and existing security languages. 1. Security languages Access control decisions in a loosely-coupled distributed environment are driven by distributed security statements. As shown in the example in Figure1, these statements can be stored in a variety of places: in signed certificates that can flow among the parties; in policies local to the services; in access control lists (ACLs) associated with the individual resources; and perhaps elsewhere. When a client requests an operation on a resource, the service controlling that resourcehere, service S controls resource Ruses the security statements available to it to determine whether to grant or deny the requested access. In this example, service S would presumably allow John Smith to read resource R. Traditional systems store security statements in a variety of data structures. The certificate shown here might be an X.509 certificate that attests to an identity [12]; the local policy might enumerate the X.509 roots that the service will trust to certify identities; and the ACL might be an ordered list of pairs that map users identities to their access rights. A predefined decision procedure matches these data structures against the identity of any client requesting an operation, thereby verifying the clients access rights. However these security statements are encoded, they must necessarily obey some formal schema. We can say that this schema and its accompanying decision procedure define a security language, and that our certificates, policies, ACLs, etc., are formed from security statements written in our security language and interpreted by its decision procedure. For example, since X.509 specifies the form and meaning of X.509 certificates, X.509 is a security language. SDSI and SPKI are other security languages, as are PolicyMaker and KeyNote, and so on. Many existing security languages are designed for very specific domainslike X.509, meant to control access to an X.500 databaseand each can express some statements more readily than others. X.509 excels at building chains of Certification Authorities (CAs). SDSI lets us define and refer to principals and groups of principals (e.g., the group of all company employees). PolicyMaker is a language for encoding a services local security policy. Inevitably, in any given domain, some security languages are more expressive than others. If we are designing a closed system with known requirements, we may be able to choose a minimalist security language, closely matching its design to our needs. Conversely, if we are designing an open system that will be used in unexpected ways and that will evolve in unknown directions, then it might be better to make our language more expressive than currently needed. This paper presents the design of a new logic-based security language for open systemscalled Binderthat is intended to be more expressive than most existing security languages, while remaining practical. Binder does not directly implement higher-level security concepts like delegation, but provides flexible low-level programming tools to do so. Our experience with Binder suggests that logic programming can be a useful foundation for a practical security language, and that it can also help us explore new and existing security languages. The section below on related work draws more specific comparisons with existing security languages. 2. Datalog for authorization Binder is an extension of the datalog logic-programming language, which can be decided in polynomial time [17]. (Datalog is a restricted subset of the well-known Prolog logic-programming language [15].) An EBNF grammar of Binder may be found in Appendix A. Binder extends datalog with constructs for communicating securely across a distributed environment, but we use the datalog subset of Binder in this section to write local security programs that do not communicate. Let us imagine that John Smith wishes to read resource R. By convention, we will grant this access if and only if we can derive the authorization atom can(john_smith, read, resource_r) (An atom combines a predicate and one or more terms. Here, can is a predicate and john_smith, read, and resource_r are constant terms.) A simple ACL for resource R might be represented by the (tedious) datalog program can(john_smith, read, resource_r). can(john_smith, write, resource_r). can(fred_jones, read, resource_r). at service S. (Statements of this form, with a single atoma single predicate applied to zero or more termsare called facts.) Since our authorization atom is part of this program, it is trivially derivable and access is granted. To raise the level of allowable abstraction, existing security languages like SDSI also let us define groups of principals (like John Smith and Fred Jones). We can also model groups in datalog, as in the different datalog program can(X, read, resource_r) :- employee(X, bigco). employee(john_smith, bigco). The first statement is a rule stating that principal Xa variable termcan read resource R if X is a BigCo employee; the atom on the left is derivable if the atom or atoms to the right also are. (Variables begin with upper-case letters, while constants begin with lower-case letters.) The second statement is a fact, stating that John Smith is a BigCo employee. Again, our authorization atom is derivable with X=john_smith, and access is granted. While datalog can express abstractions that are also expressible in existing security languages, like groups, it can express more powerful and more general concepts too. Consider the following datalog program. can(X, read, resource_r) :- employee(X, bigco), boss(Y, X), approves(Y, X, read, resource_r). employee(john_smith, bigco). boss(fred_jones, john_smith). approves(fred_jones, john_smith, read, resource_r). The first statement is a rule stating that principal X can read resource R if X is a BigCo employee and Xs boss (Y) approves. Using new predicates, datalog lets us define and use new relations as needed to express our desired security policies. In contrast, SDSIs existing mechanism for defining groups is not powerful enough to model this example policy. Datalog programs can encode a wide range of security policies, but an open distributed system with multiple administrative domains will have multiple interoperating policies. It is no more practical to encode these various interoperating policies in a single datalog program than it would be to encode them in a single global database. (What single party could maintain the program or the database? How would everyone agree?) Instead, Binder lets separate programs (separate databases) interoperate correctly and securely. 3. Communicating contexts Each component of a distributed environment has its own local Binder context with its own Binder program, where certain local Binder atoms are derivable. A service uses its local Binder context to make its local authorization decisions, and Binder provides extensions to datalog for these distributed contexts to work together. Binder contexts communicate via signed certificates, as shown in Figure 2. Each Binder context has its own cryptographic key pair; the exporting context uses the private key (which it keeps secret) to sign statements, and the corresponding public keyused to verify the signature at the importing contextalso serves to name the context, as in SDSI/SPKI. A statement from one Binder contextfact, rule, or derivable atommay be exported into a signed certificate, and later imported from the certificate into another context. Imported statements are automatically quoted using says to distinguish them from local assertions. If the public key rsa:3:c1ebab5d belongs to BigCo HRreal keys are much longer, of coursethen the statement employee(john_smith, bigco) exported by BigCo HR would be imported as rsa:3:c1ebab5d says employee(john_smith, bigco). (Appendix B contains a more precise explanation of the rules for importing statements.) If the importing context has a rule like employee(X, bigco) :- rsa:3:c1ebab5d says employee(X, bigco). then employee(john_smith, bigco) is also derivable there. In the absence of any such rule, the imported statement will by default be inert and will not take further part in the decision procedure. 4. Delegation and trust In Binder, statements from any Binder context may be exported and later imported. Since imported statements are automatically quoted with says, the local context can treat imported statements differently from local statements. The controlled importation of signed statements is Binders mechanism for trust (as in, Service S trusts BigCo HR) or delegation (Service S delegates the identification of BigCo employees to BigCo HR) or speaks-for (BigCo HR speaks for service S); Binder lets us implement an unambiguous logic-based policy with the same effect. Lets extend the example from Figure 1 by adding an additional level of indirection. In Figure 3, BigCo HR has delegated the identification of BigCo Labs (BCL) employees to BCL HR, and all BCL employees are BigCo employees. Our goal is still to convince service S that John Smith is a BigCo employee, but the necessary information can flow along multiple distinct paths in different scenarios. In one scenario, BCL HR exports certificate c1 to BigCo HR, whose local policy allows its import. BigCo HR now concludes that John Smith is a BigCo employee, and exports certificate c2 to service S, whose local policy allows its import. Service S now concludes that John Smith is a BigCo employee. Alternatively, BCL HR can export certificate c1 directly to service S, and BigCo HR can export certificates c3 and c4 also directly to service S, which can now conclude, as above but on its own, that John Smith is a BigCo employee. Here, we model a traditional chain of trust: service S trusts BigCo HR to establish a policy, while BigCo HR trusts BCL HR. 5. Example of Binder programs This section shows the complete Binder programs for the examples from Figures 1 and 3. Here, BigCo HRs public key is rsa:3:c1ebab5d, while BCL HRs public key is rsa:3:8e72145b. 5.1 Example from Figure 1 Program 1 shows the English security statements from Figure 1 and their translations into Binder. #English statementBinder statement1aJohn Smith is a full-time BigCo employeeemployee(john_smith, bigco, full_time). (original form, in the context of BigCo HR)1brsa:3:c1ebab5d says employee(john_smith, bigco, full_time). (as imported into the context of service S)2I trust BigCo HR to say who is a BigCo employeeemployee(X, bigco, S) :- rsa:3:c1ebab5d says employee(X, bigco, S).3Full-time BigCo employees can read resource Rcan(X, read, resource_r) :- employee(X, bigco, full_time).4John Smith can read resource Rcan(john_smith, read, resource_r).Program 1. English statements from Figure 1 and their translations into BinderStatement 1a John Smith is a full-time BigCo employeeis shown in the context of BigCo HR; while statement 1b is shown after it has been imported into the context of service S. Statement 1b is explicitly quoted as coming from BigCo HR (rsa:3:c1ebab5d). Statement 2 shows the establishment of trust in statements from BigCo HR; variable S stands for the employment status (e.g., full_time). If BigCo HRs public key appears often in our program, we might choose to write employee(X, bigco, full_time) :- Y says employee(X, bigco, full_time), bound(bigco_hr, Y). bound(bigco_hr, rsa:3:c1ebab5d). and bind the local name bigco_hr to a public key. We can even refer to local names elsewhere on the distributed system, simulating the linked name spaces of SDSI/SPKI, but without built-in language support. In this example, names like john_smith, bigco, and full_time pass unchanged from BigCo HR to service S; more complex mappings can be implemented by additional rules, perhaps carrying along extra public keys to root these names as in SDSI/SPKI. For example, we might explicitly write employee( rsa:3:c1ebab5d, john_smith, rsa:3:c1ebab5d, bigco, rsa:3:c1ebab5d, full_time) to associate these names with a particular name space, while modifying the other rules accordingly. Finally, statement 3 shows the statement Full-time BigCo employees can read resource R, while statement 4 shows the derived atom at service S that gives John Smith access to resource R. 5.2 Example from Figure 3 Program 2 shows the English security statements from Figure 3 and their translations into Binder. #English statementBinder statement1aJohn Smith is a BCL employeeemployee(john_smith, bcl). (original form, in the context of BCL HR)1brsa:3:8e72145b says employee(john_smith, bcl). (as imported into the context of BigCo HR or service S)2aI trust BCL HR to say who is a BCL employeeemployee(X, bcl) :- rsa:3:8e72145b says employee(X, bcl). (original form, in the context of BigCo HR)2brsa:3:c1ebab5d says employee(X, bcl) :- rsa:3:8e72145b says employee(X, bcl). (as imported into the context of service S)3aAll BCL employees are BigCo employeesemployee(X, bigco) :- employee(X, bcl). (original form, in the context of BigCo HR)3brsa:3:c1ebab5d says employee(X, bigco) :- rsa:3:c1ebab5d says employee(X, bcl). (as imported into the context of service S)4I trust BigCo HR to say who is a BigCo employeeemployee(X, bigco) :- rsa:3:c1ebab5d says employee(X, bigco).5aJohn Smith is a BigCo employeeemployee(john_smith, bigco). (in the context of BigCo HR)5brsa:3:c1ebab5d says employee(john_smith, bigco). (in the context of service S, after certificate import or local derivation)5cemployee(john_smith, bigco) (in the context of service S, after further local derivation)Program 2. Security statements from Figure 3 and their translations into BinderStatement 1John Smith is a BCL employeeis shown in its original form at BCL HR and as imported into either BigCo HR or service S. Statement 2 shows the establishment of trust in statements from BCL HR, both at BigCo HR and as imported into service S. Note that statement 2b has been rewritten from its expected form; this is discussed in detail in Appendix B. Statement 3 is shown at BigCo HR and at service S. Statement 4 is shown at service S. Statement 5 is shown in multiple forms because of the different certificate flows possible. Statement 5a can be derived at BigCo HR and imported into service S as statement 5b; statement 5b can also be derived directly at service S using statements 1b and 2b; statement 5c can be derived at service S using statements 4 and 5b. 6. Proofs, monotonicity, and revocation A service grants access to a resource in Binder only when it can derive an atom saying it should; otherwise, by default, access is denied. The derivation steps form a proof that access should be granted. A proof can be generated at the serviceas traditionallyor we can require that the client generate the proof and transmit it with the request. If so, the service need only check the proof; this optimization can offload work from a heavily loaded service onto its less busy clients, while also helping avoid denial-of-service attacks. (This approach is also used by Jim [13] and by Appel and Felten [3].) Since the services policy is stored as a Binder program, and since Binder statements can be passed in certificates, the service can pass its policy to the client in preparation for the construction of such a proof. Binder is monotonicif an atom is derivable, its still derivable if we add more statements [15]. Monotonicity is appropriate in a distributed environment, since withholding some statements from a service will not cause it to grant greater access rights. Moreover, a proof generated on a client with little information available will still check on a service with more information. One consequence of monotonicity is that traditional certificate revocation cannot be modeled from inside Binder; it requires additional mechanism. We have studied three ways to extend Binder to support revocation reliably. One is through short-lived statements. We can attach validity intervals to each Binder statement, as with traditional certificates, and constrain the validity intervals of derived atoms accordingly. Once a statement expires, it can be removed from all contexts, along with all atoms that cannot be derived without it. A second approach is through a language extension allowing freshness constraints on statements. If a derivation rule depends on fresh P(X, Y), say, instead of just P(X, Y), then a new P(X, Y) must be derived for each use. This may involve contacting the exporters of old certificates to obtain fresher ones. A generalization of this mechanism is to allow each use of a certificate to specify how fresh it must be. The final approach is to reference distributed state. For example, a statement could have an associated Boolean state valid that turns from true to false if it is revoked. This state could be explicitly referenced from Binder, perhaps with a freshness constraint. Such support for state, while problematical, might also be needed for Binder to emulate features of digital rights management languages as discussed below. If the validity of a proof can vary with time, a proof that checks at a client may not check at the service. If so, the client can be informed of its errore.g., that a particular statement is no longer fresh enoughand asked to regenerate the proof. 7. Taxonomy and related work The Binder security language has five key properties. A statement in Binder can be translated into a declarative, stand-alone English sentence. This is known good practice for messages in a security protocol [1] and we propose that it is even better practice for statements in a security language. Binder programs can explicitly define new, application-specific predicates, which can act as lemmas in proofs. Predicates can be defined recursively. Rich proofs are allowed. Certificates can contain arbitrary statements, including definitions and uses of new application-specific predicates. These certificates can be safely interpreted outside their exporting context. Binder statements can appear in certificates, in policies, in ACLs, and elsewhere, and these statements can interoperate freely. Queries in Binder are decidable in polynomial time, as outlined in Appendix C. None of the existing languages compared belowX.509, SDSI/SPKI, PolicyMaker and KeyNote, SD3 and other logic-based security languages, and various digital rights management (DRM) languagesshares all of these properties. With a few exceptions, we believe that Binder provides functionality as great as any of these languages and is more appropriate for use in open systems. 7.1 X.509 An X.509 certificate is a signed n-tuple, where n is large and most of the fields are optional. This n-tuple can be thought of as asserting a predicate P(x1, x2, x3, , xn) over the values it contains, but X.509 certificates have no straightforward way to say which P is being used. (Thus, the translation of an X.509 certificate into English has no verb. Perhaps the predicate is best thought of as the constant is_an_X509_certificate.) X.509 thus does not share properties 13. X.509 also fails property 4; it can be used only in certificates, not in policies or ACLs. A complex X.509 certificate may often be factored into a number of smaller Binder certificates, rather like a translation from a CISC architecture to a RISC architecture; the operations may require more steps but these individual steps can combine in more ways. The access control decisions in Binder programs are more explicit than in X.509, and perhaps more understandable in many cases. In X.509 it is easy to talk about a security decision requiring the approval of one of a certain class of CAs, but hard to talk about the approval of k-out-of-n CAs. This is because X.509 depends so directly on the construction of linear chains of certificates. Much of the difficulty in using X.509 comes from its great complexity and many implicit mechanisms [9]. We can expect that a simpler, more explicit language like Binder might be easier to use as well as more expressive. 7.2 SDSI and SPKI SDSI/SPKI programs do not explicitly encode the predicate being defined. Instead, SDSI statements build their meaning from an implicit speaks-for predicate [16, 2], while SPKI also encodes the predicate into the tags in SPKI statements [8]. Nevertheless, SDSI/SPKI statements can be translated directly into English. While SPKI programs can define multiple predicates, SDSI programs can define only the speaks-for predicate, and thus SDSI does not share properties 2 and 3. Even SPKI cannot define arbitrary predicates: the boss example in Section 2 cannot easily be defined in SPKI, since the tags cannot contain (i.e., be parameterized by) constrained variables like Y. Formalizing SDSIs speaks-for relationship is difficult [10], and Binder does not attempt to do so. Instead, much the same effect is achieved using explicit rules in the Binder language, as in the trust statements in Programs 1 and 2. Delegation is represented clumsily in SPKI. If the local Department of Motor Vehicles (DMV) is to be authorized to license drivers, then the DMV must itself be a licensed driver. Binders explicit handling of delegation avoids such problems. Although SDSI/SPKI let us talk about k-out-of-n principals from a group, it does not let us talk about principals from different groups. There is no easy way, as in the following Binder rule can(read, P, resource_r) :- vouched-for(P, D), vouched-for(P, R), senator(D, democrat), senator(R, republican). to talk about access being vouched for by any one Democrat and any one Republican from the U.S. Senate. 7.3 PolicyMaker and KeyNote Statements in PolicyMaker [4] and KeyNote [5] express conditions for granting access. This can be thought of as defining some abstract can predicate. PolicyMaker and KeyNote programs can state various conditions on the can predicate but cannot define additional lemma predicates, so they violate properties 2 and 3. For example, the boss example in Section 2 is difficult for PolicyMaker or KeyNote to encode. Binder lets us express the boss relation separately from can, while PolicyMaker and KeyNote require us to collapse their definitions into its single can predicate. PolicyMaker and KeyNote each construct a proof chain for a request, starting from the local policy, where each link of the chain can assert a filter (condition) on the requests parameters. One limitation of PolicyMaker and KeyNote is that this chain must be linear, while a Binder proof can be a directed acyclic graph (DAG). PolicyMaker and KeyNote also limit themselves to rules that state conditions on the request itself, and they cannot state conditions on other relations which may be lemmas to the request. Binder, in contrast, allows lemma predicates to be stated and composed. Because PolicyMaker allows any programming language to be used to state policies, it fails property 5. Additionally, we cannot easily reason about PolicyMaker programs 7.4 SD3 and other logic-based security languages Like Binder, SD3 is a security language based on datalog [13]. SD3 does not allow the transmission of rules in certificates, however; SD3 certificates can contain only facts. SD3 thus violates property 3. D1LP [14] is also based on predicate calculus. It has a built-in treatment of speaks-for for delegation, but allows for the definition of other predicates that can be used in lemmas. D1LP does not allow the explicit construction of rules defining variants of delegation or for passing these rules in certificates; it therefore violates properties 2 and 3. Appel and Felten have defined a security language based on a higher-order logic. Their system is more powerful than Binder but it has no decision procedure, and thus it violates property 4. Although undecidability is not a problem for a service if proofs come from the clients, where a given request might be more constrained and perhaps more decidable, we believe it would be impractical to require each request site to contain a significant amount of hand-crafted custom code to generate proofs. 7.5 DRM languages Digital Rights Management languages (DRM languages) model consumers access rights for digital media; XrML and ODRL are two examples [7, 11]. A DRM rule might give permission to play a movie two times, after paying $5. DRM rules can therefore talk about action (paying $5) as well as state (the number of plays remaining), while Binder cannot. Actions and state are difficult to discuss in a logic-based language, but we are currently investigating ways to extend Binder to handle these features of DRM languages. Note that if multiple proofs are possible for an access request, but with different side-effectsfor example, if different proofs draw on different accountsthen only the client may be in a situation to know which proof is preferable. 8. Experience with Binder Most experience with Binder to date has involved writing small Binder programs, either to compare Binder with other security languages or using Binder as a language for expressing and comparing sample security policies. In particular, Binder has been used as a target for translating proposed security languages, in order to understand what statements Binder can express but these languages cannot, or vice versa. This work has included the prototyping of automated translators from these proposed languages to Binder, as well as the hand-translation of many examples. Some features originally considered for Binder have been left out because they were not needed in our experience to date. This has resulted in a relatively simple language that is nevertheless as expressive as needed in our experience. Further experience is needed with the construction of large Binder programs to understand, for example, whether Binders current limited mechanisms for the composition of rules are adequate or whether extending them could make large Binder programs easier to write or to understand. Because Binder is close in form to Prolog, Binder programs can be translated into Prolog; we can simulate Binders extra proof rules in a straightforward way. Binder programs have thereby been executed in an existing Prolog environment. 9. Future work Is Binder strong enough? Binder may be too weak a language to model some real authorization problems; it might not be expressive enough to write certain security programs, or to write them well. For example, the wordiness caused by expressing all trust relations explicitly might complicate writing large security programs in Binder. Alternatively, Binders current inability to talk about actions and state might become a problem. Further experience with writing large Binder programs will help us understand such possible problems. Strengthening Binder might involve strengthening the Binder logic, presumably by adding additional modal proof rules, such as direct support for predicates like speaks-for. It is also possible that Binder is already too strong a language. Although Binder provides powerful constructs, it may be too easy to misuse them and build a complex, incorrect security policy. It is possible that a simpler language might be easier to use and yet still be expressive enough in practice. Again, further experience will help us decide. Although an open security language must be highly expressive, most of its uses will be application-specific and perhaps constrained. We might use Binder to define families of application-specific predicates that would be less powerful and less flexible, but easier for non-specialists to apply. While each application-specific family would be restricted in expressiveness, there would be no such restriction in the core language, and programs in these various families would interoperate via their ultimate definition in Binder. Again, more experience is needed to validate such an approach. Acknowledgements The author would like to thank Martn Abadi for his many helpful comments and insights on earlier drafts of this paper. The author would also like to thank Tony Hoare and the anonymous referees of the 2002 IEEE Symposium on Security and Privacy for their advice on improving the papers presentation. References [1]M. Abadi and R. Needham. 1996. Prudent engineering practices for cryptographic protocols, IEEE Transactions on Software Engineering, January 1996, pp. 615. [2]M. Abadi, On SDSIs linked local name spaces, Proceedings of the 10th IEEE Computer Security Foundations Workshop, Rockport, Mass., June 1997, pp. 98108. [3]A. Appel and E. Felten. Proof-carrying authentication, Proceedings of the 6th ACM Conference on Computer and Communications Security, Singapore, November 1999, pp. 5262. [4]M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management, Proceedings of the 17th IEEE Symposium on Security and Privacy, Oakland, Calif., May 1996, pp. 164173. [5]M. Blaze, J. Feigenbaum, J. Ioannidis, and A. Keromyrtis. The KeyNote Trust Management System Version 2, IETF RFC 2704, September 1999. [6]Clocksin, W., and C. Mellish. Programming in Prolog (3rd ed.), Springer-Verlag, 1987. [7]ContentGuard, Inc., eXtensible rights Markup Language (XrML) 2.0 Specification, available at  HYPERLINK "http://www.xrml.org" http://www.xrml.org. [8]C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen, SPKI certificate theory, IETF Network Working Group RFC 1693, September 1999. [9]P. Gutmann, X.509 style guide, available at  HYPERLINK "http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt" http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt, October 2000. [10]J. Halpern, and R. van der Meyden, A logic for SDSIs linked local name spaces, Proceedings of the 12th IEEE Computer Security Foundations Workshop, 1999, pp. 111122. [11]Iannella, R., editor, Open Digital Rights Language (ODRL), available at  HYPERLINK "http://odrl.net" http://odrl.net. [12]ITU-T Recommendation X.509, The directory: public-key and attribute certificate frameworks, March 2000. [13]T. Jim, SD3: a trust management system with certified evaluation, Proceedings of the 22nd IEEE Symposium on Security and Privacy, Oakland, Calif., May 2001. [14]N. Li, B. Grosof, and J. Feigenbaum, A practically implementable and tractable delegation logic, Proceedings of the 21st IEEE Symposium on Security and Privacy, Oakland, Calif., May 2000, pp. 2742. [15]D. McDermott and J. Doyle, Nonmonotonic logic I, Artificial Intelligence, 1980, pp. 4172. [16]R. Rivest and B. Lampson, SDSIa simple distributed security infrastructure, available at  HYPERLINK "http://theory.lcs.mit.edu/~cis/sdsi.html" http://theory.lcs.mit.edu/~cis/ sdsi.html. [17]J. Ullman, Database and Knowledge-Base Systems, volume 2, Computer Science Press, Rockville, Maryland, 1989. Appendix A. EBNF grammar for Binder ::= ::= [ :- ] . ::= ::= [ (, )* ] ::= [ says ] [ ( ) ] ::= ::= (, )* ::= | ::= ::= * | " * " ::= * | _ Here, is an upper-case letter; is a lower-case letter; is any character; is any character that can appear in an identifier; is any character that can appear in a string. The Binder grammar differs from a datalog grammar only in the optional quoting of atoms via says. Quoting can appear only to depth 1; a quoted atom cannot be quoted again. Terms cannot be quoted at all. These restrictions are designed to interoperate with the rules for importing Binder statements, discussed below. Appendix B. Semantics of Binder The semantics of Binder are based on the semantics of datalog. We can transliterate a Binder program into datalog by moving the says quoting into an ex- tra argument in every atom; C says pred(args) becomes pred(C, args), while pred(args) becomes pred(null, args) where null is a new term that appears nowhere else in the program. After such a rewriting, we can adopt datalogs proof rules directly for Binder. Under certain circumstances, a Binder statement from a context Ca fact, a rule, or a derivable atomcan be exported in a certificate signed by C, and imported into another context quoted by C. Below, we consider derivable atoms separately from facts and rules, as we extend datalogs standard proof rules with two additional proof rules for Binder (stated here informally). B.1. Proof Rule 1 A certificate signed by C and containing a derivable atom that is not quoted with says (i.e., an atom of the form pred(args)) can be imported into any context, quoted with C. For example, the atom-bearing certificate member(john_smith, bcl). (signed: C) can be imported as C says member(john_smith, bcl). An atom that is already quoted cannot be imported. B.2 Proof Rule 2 A rule can be imported if the atom in its head is not quoted. A fact is equivalent to a rule with an empty body. When a rule in a certificate from context C is imported, its head will be quoted with C, and all unquoted atoms in its body will be quoted with C. For example, the rule-bearing certificate member(X, bigco) :- member(X, bcl). (signed: C) can be imported as C says member(X, bigco) :- C says member(X, bcl). while the certificate member(X, bigco) :- C2 says member(X, bigco). (signed: C) can be imported as C says member(X, bigco) :- C2 says member(X, bigco). Since an imported rule will have quoting in its head, an imported rule cannot be exported and imported again. Instead, the original certificate must be reused. Appendix C. Time complexity of Binder At any point in the execution of a Binder program at some context, the current rules and derivable atoms can be translated into datalog as described in Appendix B. Since datalog is decidable in polynomial time, there is a local polynomial-time decision procedure for Binder that ignores future communication. While the restrictions on statement import in Binder may seem onerous, we suspect they may not be very significant in practice. We can imagine removing these restrictions, while at the same time generalizing Binder so that each atom can be quoted by zero or more terms, constant or variable, and terms can themselves be quoted by contexts to provide namespacesas a generalization of SDSIbut so generalized a language would soon be no longer decidable. We suspect that there are lesser generalizations to Binder that retain a polynomial-time decision procedure, and we are currently exploring possible alternatives. Lnq    " # $ ƸƪƸƸƙ}si_}iUQh BhR;h^o6CJhR;h}~6CJhR;h46CJhR;h *6CJhR;heM[6CJhR;h9CJhR;h *CJ h4hCJOJQJ^JaJh]qCJOJQJ^JaJh4CJOJQJ^JaJ h4h}7CJOJQJ^JaJ h4hjCJOJQJ^JaJh$:eCJOJQJ^JaJ h$:eCJh$:e*+;<=KL]lmnopq# $ &&s&&s&s&s&s&&&&&s&s&s&&&&&sgdD$[$\$a$gd,$ & Fx[$\$a$gdd$a$gd$:eIgd$:e$a$gd$:eJgd$:eRWi$ -  3 Bbb[s$xx[$\$a$gd,$h[$\$`ha$gd & F[$\$gd$h[$\$`ha$gd~A$h[$\$`ha$gd$h[$\$`ha$gdR; & FgdR;$h\$`ha$gdd $ & Fa$gdR; $ - K ]  ) * 0 1 4 5 ; < H I    ] ^ c g n r      㯣|shfm6CJaJh)6CJaJh{6CJaJh/6CJaJhihd6CJaJhihR;6CJaJhi6CJaJh4hR;6CJNHaJhd6CJaJh9C6CJaJh4hR;CJaJh4hR;6CJaJ hR;hR;CJOJQJ^JaJ-   1 2 3 K L Q a h i n y кwowdYK=h4hCW6CJKHaJh4h'6CJKHaJh4hCJaJh4h~CJaJh9CCJaJh4h?PCJaJh4hmPCJaJh4h'CJaJh4h%CJaJh4h'CJaJmHnHu h4hj*jhh0JB*CJUaJph hR;h'CJOJQJ^JaJ hR;hR;CJOJQJ^JaJjhj=UmHnHu      Ƚ~sh]hPh]h]Eh4hqCJaJh4hPCJNHaJh4hCJaJh4hPCJaJh4h#!=CJaJh4h{CJaJh4hJCJaJh*WCJaJh4hCWCJaJh4hQCJaJh4hPzCJaJh4h'CJaJh4h'6CJKHaJh4hCW6CJKHaJh9C6CJKHaJh4hCW6CJKHNHaJ     & ' ) 8 > ? @ D L V b c d g } ʿ㴩}ooaTEh4hmPCJKHNHaJh4hmPCJKHaJh4hmP6CJKHaJh4hPz6CJKHaJh4hJCJaJh4h'CJaJh4hCJaJh4hw^CJaJh4hmPCJaJh4hI%CJaJh4hACJaJh4h)CJaJh4h~6CJKHaJh4h'6CJKHaJh4hq6CJKHaJ $-789:CGU_i³¦™}si\Oh4hCWCJKHaJh4hCJKHaJh/`CJKHaJh=CJKHaJh4h6CJKHaJh4h>fCJKHNHaJh4h>fCJKHaJh4hCJKHaJh4h'CJKHNHaJh4h'CJKHaJh4hJCJKHaJh4hI%CJKHaJh4hmPCJKHaJh9CCJKHaJiowxʽ棖ʖre[QreGhj=CJKHaJhYAtCJKHaJhiCJKHaJh4hT@CJKHaJh4h>fCJKHaJh=CJKHaJh4h<5sCJKHaJh4hCJKHaJh4h?PCJKHaJh4h7CJKHaJh4h6CJKHaJh4hPzCJKHaJh4h'CJKHNHaJh4h'CJKHaJh4hneCJKHaJ *+1245;<KMN]hqrstzyl__REREh4hNCJKHaJh4htLCJKHaJh4h6CJKHaJh4hPCJKHaJh4h+CJKHaJhCJKHaJh`^CJKHNHaJh`^CJKHaJh4hCWCJKHaJh4hjDCJKHaJh4hCJKHaJh4hCJKHaJh4h>fCJKHaJh4h>fCJKHNHaJh/`CJKHaJ "%¸«ž‘„wmcWcJJh4hJCJKHaJh=CJKHNHaJh=CJKHaJh`^CJKHaJh4h>fCJKHaJh4hCJKHaJh4hCJKHaJh4h=CJKHaJh4h+CJKHaJhPRCJKHaJh4hjDCJKHaJhQCJKHaJh4hv)CJKHaJh4hNCJKHaJh4hR>CJKHaJ%&+?BCIU]`anopzʽ׽צreVeIh4hcCJKHaJh4hy`CJKHNHaJh4hy`CJKHaJh4h+CJKHaJh4h~hCJKHaJh4h)CJKHaJh4hZCJKHaJh9CCJKHaJh4hS(CJKHaJh4h=CJKHaJh4h:CJKHaJh4hjDCJKHaJh4hJCJKHaJh4hJCJKHNHaJ     ':FGQ̵ٔxk^Q^k^h4h6CJKHaJh4h-\CJKHaJh4hCJKHaJh4hGCJKHaJh4h=CJKHNHaJhCJKHaJh`^CJKHaJh4h'{pCJKHaJh4h+CJKHaJh9CCJKHaJh4h)CJKHaJh4hbCJKHaJh4h=CJKHaJh4h3CJKHaJQcgwx 123Ocfklstz̰̦̘̦̰̿̎wjww[wjh4hZ}CJKHNHaJh4hr'CJKHaJh4hZ}CJKHaJh*WCJKHaJh`^CJKHaJh4hG6CJKHaJh9CCJKHaJh4hGCJKHNHaJh4h4CJKHaJh4hGCJKHaJh4hCJKHaJh4hCJKHaJh4hCCJKHaJ!0125@ABHOtyvi\RvEh4h CJKHaJhv CJKHaJh4he\CJKHaJh4h0dCJKHaJhfmCJKHaJh4h,wCJKHaJh4htLCJKHaJh4h4CJKHNHaJh4h{[CJKHaJh9CCJKHaJh4h4CJKHaJh4hGCJKHNHaJh*WCJKHaJh4hGCJKHaJh4hCJKHaJ<=NQR`aijȾȯȢȕ╈yl_U_ՈhWdCJKHaJh4hgdCJKHaJh4hCJKHaJh4hCJKHNHaJh4hCJKHaJh4hoCJKHaJh4h]jCJKHaJh4hUCJKHNHaJh9CCJKHaJh4hUCJKHaJh4he\CJKHaJh,CJKHaJhv CJKHaJh1tCJKHaJ!)*\{ndnWJh4h~CJKHaJh4h,wCJKHaJhCJKHaJh4hgdCJKHaJh4he\CJKHaJh4h7CJKHaJh4hCJKHaJh,CJKHaJh4h?@CJKHNHaJh4hCJKHaJh9CCJKHaJh%hYCJKHaJh)CJKHaJh4h]jCJKHaJh4h?@CJKHaJ\]abrs 129?@Eʱʧʱʝʆ|ncXh4hCJaJh6CJKHaJh4h6CJKHaJhCJKHaJh4hCJKHaJh'CJKHaJhiCJKHaJh`^CJKHaJh~Ah~ACJKHNHaJh9CCJKHaJh~Ah~ACJKHaJh4htLCJKHaJh4h~CJKHaJh4h~CJKHNHaJEWfklp~ :CDTU]ļĴ}rgrgZggrh4hK`CJNHaJh4hK`CJaJh4hNCJaJh4hJCJNHaJh4hJCJaJhwCJaJh4hCJNHaJhCJNHaJhCJaJh9CCJaJh4h/`CJaJhBCJaJh/`h/`CJaJh/`CJaJh4hCJaJh4hCJaJ  &+?YZ`be~躯证ndZdZPZh9CCJKHaJhRzCJKHaJhCJKHaJ%hdACJOJQJ^JaJmHnHu+h\ZhCJOJQJ^JaJmHnHuh4h]aCJaJh4hCJNHaJh4hCJaJh4hqCJaJh/`CJaJhPRCJaJh`^CJaJh4hCJaJh4hNCJaJh4hNCJNHaJ CDHJKWX )/0134GPQYZ[¸¢˜¢®˜‚¢xxnhdACJKHaJh=CJKHaJhCJKHaJh/CJKHNHaJh/CJKHaJh?CJKHNHaJh9CCJKHaJh#CJKHaJh?CJKHaJh6ACJKHaJhQCJKHaJhRzCJKHNHaJhRzCJKHaJhJCJKHaJ+TWjkuw{ɹɯ웑{q{dQ$hG{&hG{&CJKHOJQJ^JaJh4hG{&CJKHaJhWdCJKHaJh,uCJKHaJhG{&CJKHNHaJh,CJKHaJhG{&CJKHaJhJCJKHaJhCJKHaJhJCJKHOJQJ^JaJ$hG{&h?CJKHOJQJ^JaJh,CJKHOJQJ^JaJh1tCJKHaJh?CJKHaJ`G0D!""^$k&|mZ$h[$\$`ha$gd C$[$\$a$gd?hxx[$\$^hgd?$h[$\$`ha$gd6$[$\$a$gd,uhxx[$\$^hgd,u$h[$\$`ha$gd,u$[$\$a$gdG{&hxx[$\$^hgd=$[$\$a$gd1t ',/0:RS^_`npzݸͦ͜~tjt`tV~H~~~hdAhdA6CJKHaJhCJKHaJh9CCJKHaJh1tCJKHaJhJCJKHaJhdACJKHaJhPRCJKHaJh=CJKHaJh6CJKHaJ"h=CJKHNHOJQJ^JaJ(hG{&hG{&CJKHNHOJQJ^JaJh=CJKHOJQJ^JaJ$hG{&hG{&CJKHOJQJ^JaJhG{&CJKHOJQJ^JaJ &56FGuxy"#)*+/0ֶ̬̀v̬̬lh,CJKHaJh 9CJKHaJhPRCJKHNHaJhCJKHaJh9CCJKHaJh,uCJKHNHaJh,uCJKHaJh.CJKHaJh=CJKHNHaJhPRCJKHaJh=CJKHaJh1tCJKHaJhdACJKHaJhdACJKHNHaJ#04>?OPcd  $ ( - C m ||p|||f\hA8CJKHaJh1tCJKHaJhS?CJKHNHaJhS?CJKHaJh,CJKHaJhCJKHaJh,uCJKHNHaJh6h,u6CJKHaJh,uh,uCJKHaJh,uCJKHaJ"h,uCJKHNHOJQJ^JaJh,uCJKHOJQJ^JaJ$hG{&h,uCJKHOJQJ^JaJ" ! !!!!!+!,!2!3!C!D!^!j!{!|!!!!!!zppfp\pRph;uLCJKHaJh`^CJKHaJhCJKHaJh?CJKHaJh6CJKHNHaJ$hhCJKHOJQJ^JaJhCJKHaJh,CJKHaJh6CJKHaJh1tCJKHaJhdACJKHaJhS?CJKHaJhPRCJKHaJhdAhPRCJKHaJh,uCJKHaJh9CCJKHaJ !! " """"$"."n"x""""""##X#r#t#z#~####ósi_U_KAhCJKHaJh6ACJKHaJh`^CJKHaJh/CJKHaJh;uLCJKHaJh6h?6CJKHaJh?CJKHOJQJ^JaJ"h;uLCJKHNHOJQJ^JaJhjm=CJKHOJQJ^JaJh;uLCJKHOJQJ^JaJ$hG{&h?CJKHOJQJ^JaJh6CJKHaJh?CJKHNHaJh?CJKHaJhNCJKHaJ############$$M$P$Q$R$V$]$^$$$$$%%0%5%F%G%q%%%%%ظظخؤ؎xndxnnXh 9CJKHNHaJhS?CJKHaJh 9CJKHaJhl{CJKHNHaJhl{CJKHaJh?CJKHaJh4CJKHNHaJh4CJKHaJh9CCJKHaJhCJKHaJhCJKHaJhsCJKHNHaJhsCJKHaJhPRCJKHaJh/CJKHaJh6ACJKHaJ"%%%%& &S&U&V&a&j&k&l&&&&&&&&&&&&ظ{o{bX{b{Jh4h6CJKHaJh"fCJKHaJh4hCJKHaJhC9CJKHNHaJhC9CJKHaJhK'CJKHaJ+h\ZhCJOJQJ^JaJmHnHu%hCJOJQJ^JaJmHnHuh CCJKHaJhS?CJKHNHaJhS?CJKHaJhl{CJKHaJh4CJKHaJh9CCJKHaJh 9CJKHaJk&&'5)**+7++,,,(/01z & F[$\$gdml$[$\$a$gd i$[$\$a$gdyhxx[$\$^hgdFBO$h[$\$`ha$gd$h[$\$`ha$gd$h[$\$`ha$gd & F[$\$gd'&&&&&& '''''' '!'('.'1'8'?'F'G'O'X'Y'`'a'c'd'h'l'm'q'r't'w''־ƴάάΤ֜wog_hC9CJaJhKCJaJh`^CJaJh4hCJNHaJhXCJaJh1CJaJh#(CJaJh"fCJaJhzDCJaJhK'CJaJh CCJNHaJh3CJaJh CCJaJhNCJaJh4hCJaJh4h6CJKHaJh4h6CJKHNHaJ#''''''''''''''''((((((/(seXKXAh1CJKHaJh4hSCJKHaJh4hWCJKHaJhi<hW6CJKHaJhC9hW6CJKHNHaJhC9hW6CJKHaJhC9hC96CJKHaJhC9CJKHaJhi<CJKHaJjh1UmHnHuh4hCJKHaJhzDCJaJhe^CJNHaJhe^CJaJh $CJaJhC9CJaJhT{CJaJ/(2(;(A(B(J(T(o(u(v((((((()))))").)/)5)6)A)E)J)Q)X)j)k)s)w)x)쫞⑄wjj]jh3CJaJmHnHuhhzDCJKHaJh4hpCJKHaJh4hSCJKHaJh4hM{CJKHaJh4hSCJKHaJh4hWCJKHaJhjm=CJKHaJhC9CJKHNHaJh ~CJKHaJh1CJKHaJhzDCJKHaJhC9CJKHaJh $CJKHaJ#x)))))))))))))))))))))))))))ؿزإ~qdZdPCCh4hl]-CJKHaJhi<CJKHaJh,CJKHaJh4hpCJKHaJh4hE_CJKHaJh4hzCJKHaJh4hSCJKHaJh4hFCJKHaJhWdhFCJKHaJhWdhE_CJKHaJh1CJKHaJhWdhSCJKHNHaJhWdhSCJKHaJhhS6CJKHaJhhSCJKHaJ)*********#*$*=*B*C*H*I*J*K*S*T*U*]*Ͱ䙏xndXNdh,CJKHaJhCJKHNHaJhCJKHaJh=CJKHaJh/CJKHaJh4hcCJKHaJh9CCJKHaJhWdCJKHaJh4hoCJKHaJ$hZ%3hl]-CJKHOJQJ^JaJh#CJKHaJh4h CJKHaJh1CJKHaJh4hl]-CJKHaJh4hl]-CJKHNHaJ]*k*l*v*************++++++²|iVC%hyCJKHOJQJaJmHnHu%h $CJKHOJQJaJmHnHu%hCJKHOJQJaJmHnHu%h1CJKHOJQJaJmHnHuhyCJKHOJQJ^JaJ$hhCJKHOJQJ^JaJh1CJKHOJQJ^JaJhyCJKHaJhCJKHNHaJhK'CJKHaJhCJKHaJ%hj=CJKHOJQJaJmHnHu++++"+#+.+/+5+6+7+A+B+[+f+t++++++++ٴ٤ٚ|rh\RBhy:CJKHOJQJ^JaJhzCJKHaJhyCJKHNHaJh&2CJKHaJh`^CJKHaJhr%CJKHaJhi<CJKHaJhyCJKHaJhCJKHaJh1CJKHOJQJ^JaJh $CJKHOJQJ^JaJ(hhCJKHNHOJQJ^JaJ$hhCJKHOJQJ^JaJ%hFBOCJKHOJQJaJmHnHu++++++++++++++++++ͽݨ{fQ<(h $h $CJKHNHOJQJ^JaJ)hFBOCJKHOJQJ^JaJmHnHu)hy:CJKHOJQJ^JaJmHnHu/h $h $CJKHOJQJ^JaJmHnHu)h1CJKHOJQJ^JaJmHnHu)hj=CJKHOJQJ^JaJmHnHuhFBOCJKHOJQJ^JaJhy:CJKHOJQJ^JaJh $CJKHOJQJ^JaJ$h $h $CJKHOJQJ^JaJ++,,, ,%,&,/,0,3,4,8,>,@,R,V,[,_,`,g,h,t,u,,,,,,,,yyoe[O[ohFBOCJKHNHaJhFBOCJKHaJh`^CJKHaJhCJKHaJh/CJKHaJh $CJKHaJh9CCJKHaJhyCJKHNHaJ$hhy:CJKHOJQJ^JaJhyCJKHaJhy:CJKHaJ$h $hyCJKHOJQJ^JaJ$h $h $CJKHOJQJ^JaJh1CJKHOJQJ^JaJ,,,,,,,,,,--- ---- -2-3-4-Y-a-Ȳ{nannnRHn;hhy#tCJKHaJh9CCJKHaJhhr+CJKHNHaJhha#PCJKHaJhhr+CJKHaJh`^CJKHaJhh7_CJKHaJhXCJKHaJ+h\ZhCCJOJQJ^JaJmHnHu+h\Zh\ZCJOJQJ^JaJmHnHu%hCJOJQJ^JaJmHnHujh1UmHnHuhh^CJKHaJhFBOCJKHaJa-b-g-n-t-x--------------...}.~..........ͺ׭ͣyoe[h'CJKHaJhWpCJKHaJh1CJKHaJhjlVCJKHaJh1CJKHaJh9CCJKHaJhKCJKHNHaJhKCJKHaJhh7_CJKHaJ$hXhXCJKHOJQJ^JaJhXCJKHaJhhr+CJKHaJhhy#tCJKHaJhhy#tCJKHNHaJ ... /&/./5/8/@/H/I/J/O/[/_/`/i/y/z///////////////////000ƼӼӜӼӃyyoyyӒyeyyӃhWbCJKHaJhiCJKHaJhYAtCJKHaJhhCCJKHNHaJh*WCJKHaJh CJKHaJh,CJKHaJhyCJKHNHaJhyCJKHaJhhCJKHaJhhCCJKHaJh`^CJKHaJh'CJKHaJh'CJKHNHaJ'000$0%0+040:0?0D0J0O0R0X0b0l0m0n0s0t000000000000000 1 1111!1"1%1112181=1Ⱦ󱾱~thWbCJKHaJhhCJKHaJh*WCJKHaJhhCCJKHNHaJhh4lvCJKHaJhhuepCJKHaJhYAtCJKHaJhiCJKHaJh=CJKHaJhyCJKHaJhh1CJKHaJhhCCJKHaJ-=1B1H1M1O1P1V1\1^1_1c1d1s1w11111111111111111111111 22222#2,22272;2>2L2M2U2驟驕驁h9CCJKHaJhiCJKHaJhWbCJKHaJh=CJKHaJhhCJKHaJhh" CJKHaJhyCJKHaJhhuepCJKHaJhhCCJKHNHaJhhCCJKHaJhYAtCJKHaJ1U2\2]2n2w222222222222222222223 3 3333/373<3G3J3N3O3P3º||tc!hCJKHOJQJ\^JaJhCCJaJhh4lvCJaJh%5CJaJh=f9CJaJhh1CJaJhyCJaJhYAtCJaJhiCJaJh`^CJaJhh" CJaJh9CCJaJhhCCJNHaJh=CJaJhhl)CJaJhhCCJaJ%1O3m3 4:44444 $$Ifa$gdK$hx[$\$`ha$gd$h[$\$`ha$gdj= & F[$\$gd\Z$h[$\$`ha$gdP3R3Z3f3g3l3m33333333344 4տ՚yo\O?hj=CJKHOJQJ^JaJhj=hz~CJKHaJ%hj=CJKHOJQJaJmHnHuhz~CJKHaJh9CCJKHaJh`"ha=CJKHaJhWbCJKHaJh`"hCJKHaJ/h\Zh'CJNHOJQJ^JaJmHnHu+h\Zh'CJOJQJ^JaJmHnHu+h\ZhCACJOJQJ^JaJmHnHu'h\Zh\ZCJKHOJQJ\^JaJ 4!4$4:4A4B4C4N4U4V4x4{4444444444xi\N@5Nh9C5CJKHaJhj=hj=5CJKHaJhj=hK5CJKHaJh`"hCJKHaJh`"hCACJKHNHaJh`"h CJKHaJh`"hl?CJKHaJhj=CJKHaJh9CCJKHaJh`"hCACJKHaJh`"hv@CJKHaJ+h\ZhICJOJQJ^JaJmHnHu+h\Zh\ZCJOJQJ^JaJmHnHu%hCJOJQJ^JaJmHnHu44444444444455 55555ȶl\L9L$hj=h &;CJKHOJQJ^JaJhj=CJKHOJQJ^JaJh9CCJKHOJQJ^JaJ$hj=hYAtCJKHOJQJ^JaJ$hj=hKCJKHOJQJ^JaJ#hj=hYAtCJKHaJmHnHu#hj=hiCJKHaJmHnHu#hj=hKCJKHaJmHnHuhj=hKCJKHaJhj=hs5KHaJhj=hK5CJKHaJhj=hK5CJKHNHaJ4444V5aUUL $IfgdD $$Ifa$gdKkd$$IfTlF<3 t0    2:2 s2+44 laT5'5)5*5L5Q5U5V5W5Z5[5i5j5n5r5s5z55ǹڠn[F3$hj=hYAtCJKHOJQJ^JaJ(hj=hKCJKHNHOJQJ^JaJ$hj=hzDCJKHOJQJ^JaJ$hj=hj=CJKHOJQJ^JaJ#hj=hKCJKHaJmHnHuhj=hKCJKHaJhj=hsKHaJhj=hYAt6CJKHaJhj=hK6CJKHaJ$hj=hWbCJKHOJQJ^JaJ$hj=hKCJKHOJQJ^JaJ$hj=h<CJKHOJQJ^JaJV5W5Z5[55`TTK $IfgdD $$Ifa$gdKkd$$IfTl4F<3 t0    2:2 s2+44 laT55555555555555555ʷ{h]P>,#hj=hYAtCJKHaJmHnHu#hj=hKCJKHaJmHnHuhj=hKCJKHaJhj=hsKHaJ$hj=hKCJKHOJQJ^JaJh16CJKHaJhj=hK6CJKHNHaJhj=hK6CJKHaJ$hj=hWbCJKHOJQJ^JaJ$hj=hKCJKHOJQJ^JaJ$hj=h<CJKHOJQJ^JaJ$hj=h &;CJKHOJQJ^JaJhj=CJKHOJQJ^JaJ5556o6`TTK $IfgdD $$Ifa$gdKkd6$$IfTl4F<3 t0    2:2 s2+44 laT5666666!6"6+6,6-6.6/646B6C6G6M6N6U6V6W6ȵȵȒo\Gȵ(hj=hKCJKHNHOJQJ^JaJ$hj=hzDCJKHOJQJ^JaJ$hj=hj=CJKHOJQJ^JaJh`^CJKHOJQJ^JaJhj=CJKHOJQJ^JaJ$hj=haoCJKHOJQJ^JaJ$hj=h &;CJKHOJQJ^JaJ$hj=hKCJKHOJQJ^JaJ#hj=hYAtCJKHaJmHnHu#hj=hKCJKHaJmHnHuW6X6]6^6j6k6l6m6n6o6p6r6}666ǷncVD2D#hj=hYAtCJKHaJmHnHu#hj=hKCJKHaJmHnHuhj=hKCJKHaJhj=h{gBKHaJ$hj=hKCJKHOJQJ^JaJ$hj=haoCJKHOJQJ^JaJ$hj=hvnCJKHOJQJ^JaJh`^CJKHOJQJ^JaJhj=CJKHOJQJ^JaJ$hj=hKCJKHOJQJ^JaJ$hj=h &;CJKHOJQJ^JaJ$hj=hz~CJKHOJQJ^JaJo6p6r666aUUL $IfgdD $$Ifa$gdKkd$$IfTlF<3  t0    2:2 s2+44 laT666666666666666666666޼n[n[H$hj=h<CJKHOJQJ^JaJ$hj=hvnCJKHOJQJ^JaJ$hj=h &;CJKHOJQJ^JaJ$hj=hKCJKHOJQJ^JaJ(hj=h=*CJKHNHOJQJ^JaJ$hj=h=*CJKHOJQJ^JaJh9CCJKHOJQJ^JaJ#hj=h/`CJKHaJmHnHu#hj=hKCJKHaJmHnHuh9CCJKHaJmHnHu666666666777777"7$7%7+7°}k[H5[5[$hj=hh/CJKHOJQJ^JaJ$hj=hYAtCJKHOJQJ^JaJh9CCJKHOJQJ^JaJ#hj=h/`CJKHaJmHnHuh9CCJKHaJmHnHu#hj=hYAtCJKHaJmHnHu#hj=hiCJKHaJmHnHu#hj=hh/CJKHaJmHnHuhj=hh/CJKHaJhj=h{gBKHaJ$hj=hKCJKHOJQJ^JaJ$hj=hbCJKHOJQJ^JaJ666787aUUL $IfgdD $$Ifa$gdKkdz$$IfTlF<3  t0    2:2 s2+44 laT+757778797@7A7B7D7K7d7e7u7v7777777Ǽj_RHR;h`"hT*CJKHaJh1CJKHaJh`"hCJKHaJhj=hKKHaJ+hg2hK5CJKHNHOJQJ^JaJ'hg2h9C5CJKHOJQJ^JaJ'hg2hK5CJKHOJQJ^JaJ'hg2hv@5CJKHOJQJ^JaJhj=hsKHaJ$hj=hh/CJKHOJQJ^JaJ$hj=hh/CJKHOJQJ^JaJ$hj=h=*CJKHOJQJ^JaJ87977aN$xx$If[$\$a$gdkd$$IfTlF<3  t0    2:2 s2+44 laT778e99:;ttdUB$h[$\$`ha$gdk!$[$\$a$gd:ohxx[$\$^hgd:o$h[$\$`ha$gdwkd$$IfTl t02:2 s2+44 laT77777777777777778/838:8<8>8J8O8P8n8y888888߼߯쯥~oeR~~%h9CCJKHOJQJaJmHnHuhcCJKHaJh`"hPCJKHNHaJh`"hh/CJKHaJh`"hCACJKHaJh`"hPCJKHaJh9CCJKHaJh`"hCJKHaJh1CJKHaJhCJKHaJh`"hT*CJKHNHaJh`"hT*CJKHaJhYAtCJKHaJhiCJKHaJ8888888888888 9 99999969;9E9F9L9U9^9e9w9Ⱦ鴨{qqeq[H$hj=h:oCJKHOJQJ^JaJhBt*CJKHaJhwCJKHNHaJhwCJKHaJh1CJKHOJQJ^JaJ$h1h1CJKHOJQJ^JaJhCJKHaJh1CJKHNHaJh1CJKHaJh*WCJKHaJh`"hQ CJKHaJhg>CJKHaJh0CJKHaJh:oCJKHaJh`"h(CJKHaJw9x999999999999999999999999999999ݸ͕͈ͨͨ~qgq~qZgh,\hwCJKHaJhk!CJKHaJhwhwCJKHaJh1CJKHaJhwh:oCJKHaJ%hwCJKHOJQJaJmHnHuhk!CJKHOJQJ^JaJ(hj=h:oCJKHNHOJQJ^JaJhwCJKHOJQJ^JaJ$hj=h:oCJKHOJQJ^JaJh:oCJKHOJQJ^JaJ9:::#:+:,:.:/:2:3:7:8:9:>:P:Q:\:d:e:f:::::::::̛̿̿{oe{{RHRHhkCJKHaJ$hk!hkCJKHOJQJ^JaJh*WCJKHaJhwCJKHNHaJhwCJKHaJhACJKHNHaJhACJKHaJh,\hACJKHaJh,\CJKHaJh,\h*WCJKHaJh,\h CJKHaJh,\hwCJKHaJhk!CJKHaJh1CJKHaJ$h1h1CJKHOJQJ^JaJ::;;;d;;;;;;;;;;;;; < <<<<#<%<0<3<<<@<B<I<M<<<<<<㹦yyyl_h`"h*CJKHaJh`"h\>CJKHaJhkCJKHaJ$hj=hOCJKHOJQJ^JaJhOCJKHOJQJ^JaJ$hk!hk!CJKHOJQJ^JaJh:oCJKHaJhOCJKHaJhCJKHaJhk!CJKHNHaJhk!CJKHaJ$hk!hkCJKHOJQJ^JaJ$;0<<Q=k===== $$Ifa$gda=$hx[$\$`ha$gd & F[$\$gd\Z$h[$\$`ha$gd$[$\$a$gdk!hxx[$\$^hgdO<<<<< ====#=/=4=9=<===E=F=O=P=Q=R=U=ȾȴȪȖȌȂubL+h\Zh\ZCJOJQJ^JaJmHnHu%hCJOJQJ^JaJmHnHuh`"h*CJKHaJhg2CJKHaJh/`CJKHaJh,CJKHaJhYAtCJKHaJhiCJKHaJh=CJKHaJh3CJKHaJh`"ha=CJKHaJh CJKHaJmHnHu#hj=h CJKHaJmHnHuh CJKHaJU=k=s=t================>>ܹܫzm[L=[hYAtCJKHaJmHnHuhiCJKHaJmHnHu#h T)h CJKHaJmHnHuh T)h CJKHaJhy5CJKHaJh T)ha=5CJKHNHaJh9C5CJKHaJhj=5CJKHaJh T)ha=5CJKHaJh`"h CJKHNHaJhg2CJKHaJh1CJKHaJh`"h CJKHaJ+h\ZhICJOJQJ^JaJmHnHu===>d>RFF= $Ifgda= $$Ifa$gda=kdY$$IfTlF4xfy t06    2:2+2:2+2:2+44 laT>> >>>)>5>7>:>\>_>c>d>e>h>i>̹rdrQD7h T)h CJKHaJhg2h CJKHaJ$hg2h CJKHOJQJ^JaJhg2hYAt6CJKHaJhg2h 6CJKHaJ$hg2h &;CJKHOJQJ^JaJ$hg2hg2CJKHOJQJ^JaJ$hg2hYAtCJKHOJQJ^JaJ$hg2h CJKHOJQJ^JaJ#h T)h CJKHaJmHnHuhYAtCJKHaJmHnHu#h T)h`/JCJKHaJmHnHud>e>h>i>>QEE< $Ifgda= $$Ifa$gda=kd$$IfTl4F4xfy t06    2:2+2:2+2:2+44 laTi>|>>>>>>>>>>>>>>>>>>ݵݔxjWJ=h T)hG#CJKHaJhg2h CJKHaJ$hg2h CJKHOJQJ^JaJhg2h=6CJKHaJhg2hG#6CJKHaJhg2hYAt6CJKHaJhg2h 6CJKHaJ$hg2h &;CJKHOJQJ^JaJ$hg2hYAtCJKHOJQJ^JaJ(hg2h CJKHNHOJQJ^JaJ$hg2h CJKHOJQJ^JaJhg2CJKHOJQJ^JaJ>>>?{?QEE< $Ifgda= $$Ifa$gda=kd$$IfTl4F4xfy t06    2:2+2:2+2:2+44 laT>>>>???????%?8?>???F?G?I?L?M?O?q?v?z?{?|?sesREhg2hG#CJKHaJ$hg2hG#CJKHOJQJ^JaJhg2hYAt6CJKHaJhg2hG#6CJKHaJ(hg2hG#CJKHNHOJQJ^JaJhg2CJKHOJQJ^JaJ$hg2h &;CJKHOJQJ^JaJ$hg2hG#CJKHOJQJ^JaJ#h T)h`/JCJKHaJmHnHuhYAtCJKHaJmHnHu#h T)hG#CJKHaJmHnHu{?|???@QEE< $Ifgda= $$Ifa$gda=kd$$IfTl4F4xfy  t06    2:2+2:2+2:2+44 laT|???????????????????????????λp`p`pppRhg2hG#6CJKHaJh+TCJKHOJQJ^JaJhg2CJKHOJQJ^JaJ$hg2h &;CJKHOJQJ^JaJ(hg2hG#CJKHNHOJQJ^JaJ$hg2hzDCJKHOJQJ^JaJ$hg2hG#CJKHOJQJ^JaJ$hg2hj=CJKHOJQJ^JaJ#h T)hG#CJKHaJmHnHuh T)hG#CJKHaJ??@@@@ @ @@!@-@W@@@@@@@@@ötaT?(hg2hjlVCJKHNHOJQJ^JaJhg2hjlVCJKHaJ$hg2hjlVCJKHOJQJ^JaJhg2hjlV6CJKHaJ$hg2hjlVCJKHOJQJ^JaJhjlVCJKHaJmHnHu#h T)hjlVCJKHaJmHnHuh T)hjlVCJKHaJhg2hG#CJKHaJ$hg2hG#CJKHOJQJ^JaJhg2hG#6CJKHaJhg2h=6CJKHaJ@@@-@@QEE< $Ifgda= $$Ifa$gda=kdo$$IfTl4F4xfy  t06    2:2+2:2+2:2+44 laT@@@@AL@@5 $$Ifgd+T $$Ifa$gda=kd:$$IfTl4F4xfy  t06    2:2+2:2 s2+2:2+44 laT@@@@@@@AA A A A AAAA-A2A=AFAݺn\nMnMn:$hg2hCJKHOJQJ^JaJhYAtCJKHaJmHnHu#h T)hCJKHaJmHnHu#h T)ha=CJKHaJmHnHuh T)ha=CJKHaJh T)hCJKHaJhg2hjlVCJKHaJ$hg2hjlVCJKHOJQJ^JaJhg2hjlV6CJKHaJ(hg2hjlVCJKHNHOJQJ^JaJ$hg2hjlVCJKHOJQJ^JaJhjlVCJKHOJQJ^JaJA A A=AAL@@7 $Ifgda= $$Ifa$gda=kd $$IfTl4F4xfy  t06    2:2+2:2 s2+2:2+44 laTFAGAIANAUAcAdAhAnAoAvAwAxAyA~AAAAAAAAڴڟڏ|obPAhiCJKHaJmHnHu#h T)hTCJKHaJmHnHuh T)hTCJKHaJhg2ha=CJKHaJ$hg2ha=CJKHOJQJ^JaJhg2CJKHOJQJ^JaJ(hg2hCJKHNHOJQJ^JaJ$hg2hzDCJKHOJQJ^JaJ$hg2hj=CJKHOJQJ^JaJ$hg2hCJKHOJQJ^JaJ$hg2h &;CJKHOJQJ^JaJAAAAARFF= $Ifgda= $$Ifa$gda=kd $$IfTlF4xfy  t06    2:2+2:2+2:2+44 laTAAAAAAAAAAAAAAAAAAB˸˨ˇyfYL9$hg2hC'CJKHOJQJ^JaJh T)hTCJKHaJhg2hTCJKHaJ$hg2hTCJKHOJQJ^JaJhg2hYAt6CJKHaJhg2hT6CJKHaJ$hg2h &;CJKHOJQJ^JaJhg2CJKHOJQJ^JaJ$hg2hYAtCJKHOJQJ^JaJ$hg2hTCJKHOJQJ^JaJ#h T)hTCJKHaJmHnHuhYAtCJKHaJmHnHuAAAA{BQEE< $Ifgda= $$Ifa$gda=kd $$IfTl4F4xfy  t06    2:2+2:2+2:2+44 laTBBBBBBBBB%B*B.BMBNBnBqBrBtBuByBzBݵݥ݄tfVfHfhg2hy6CJKHaJhg2hb6CJKHNHaJhg2hb6CJKHaJhg2hT6CJKHNHaJhg2hT6CJKHaJ$hg2h &;CJKHOJQJ^JaJhg2CJKHOJQJ^JaJ$hg2hYAtCJKHOJQJ^JaJ(hg2hTCJKHNHOJQJ^JaJ$hg2hTCJKHOJQJ^JaJhC'CJKHOJQJ^JaJzB{B|BBBBBBBBBBBBBBBBBBxjZjL$xx$If[$\$a$gdkds $$IfTl4F4xfy  t06    2:2+2:2+2:2+44 laTBBBCC"C#C4C5C6CACBCCCHCMCQCSCVC`CiCuCvCC뚍vlbUbvFhhI CJKHNHaJhh`/JCJKHaJhYAtCJKHaJhiCJKHaJhjlVCJKHaJhhI CJKHaJhvnha=CJKHaJ$hha=CJKHOJQJ^JaJ+hha=5CJKHNHOJQJ^JaJ'hh 5CJKHOJQJ^JaJ'hh=*5CJKHOJQJ^JaJ'hha=5CJKHOJQJ^JaJ5C6CCDDHFpF=Gs``sQ>$h[$\$`ha$gdTe & F[$\$gd\Z$h[$\$`ha$gdg>$h[$\$`ha$gdykd> $$IfTl t062:2 s2+44 laTCCCCCCCCCCCCCD DDDD D,D7DDDDDDDDDDDDDȻukahr%CJKHaJhCJKHaJhg>CJKHNHaJhZCJKHaJhhg>CJKHNHaJh*WCJKHaJhg>CJKHaJhhg>CJKHaJhhxHLCJKHaJh 6CJKHaJh=CJKHaJhYAtCJKHaJhhI CJKHaJhhc CJKHaJ DDDDDDDDDDEeEhEwE|EEEEEEEEEEEEEEEEEEEEEEʳʦ~~oe[h1CJKHaJh*WCJKHaJhhbCJKHNHaJh,\CJKHaJhyCJKHaJhYAtCJKHaJhC'CJKHaJhhbCJKHaJhhVCJKHaJh=CJKHaJhhfACJKHaJhhCJKHaJhh|CJKHNHaJhh|CJKHaJ#EEFFFF F#F,FGFHFIFKFTF_F`FoFpFFFFF鯡wwf\OBOhh9CJKHaJhhVCJKHaJh,\CJKHaJ hh?>CJOJQJ^JaJhsCJOJQJ^JaJh^CJOJQJ^JaJh\ZCJOJQJ^JaJhCJOJQJ^JaJhhfACJKHaJh=CJKHaJh*WCJKHaJhhbCJKHNHaJhC'CJKHaJhhbCJKHaJh1CJKHaJFFFFFFFFFFFG GGGGG;GGPGQGVGXGmGnGrGsG՞ՑՆynaRaaaHhPCJKHaJhvnhB.CJKHNHaJhvnhB.CJKHaJhhTeCJaJhh7CJKHaJh8~6CJKHaJhhJqCJKHaJhhSOCJKHaJh,CJKHaJh*WCJKHNHaJh*WCJKHaJhB.CJKHaJh8~CJKHaJh3CJKHaJh,\CJKHaJhh*WCJKHaJsG{GGGGGGGGGGGGGGGGHH8H9HTHUHYHaHfHsHHHHHHHHHHHHHHHSITIhIiIIIIIhh?CJKHaJhK CJKHaJhQCJKHaJh4CJKHaJhPCJKHaJhvnhB.CJKHNHaJhjlVCJKHaJhB.CJKHaJh^CJKHaJhsCJKHaJhvnhB.CJKHaJ0=GI4KLYMNPQQQRSeTT7UVV [$\$gd}$ & F[$\$a$gd5$ & F[$\$a$gd & F[$\$gd\Z$h[$\$`ha$gd$h[$\$`ha$gdB.IIIIIII J JJJJJ0J2JDJEJXJYJ]J^J{J|JJJJJ̵}ndnZPChvnh~(5CJKHaJh^CJKHaJhCJKHaJh,CJKHaJhh9CJKHNHaJh+TCJKHaJhPCJKHaJhh9CJKHaJhh?CJKHaJhQCJKHaJhhsCJKHaJh3CJKHaJh@h@CJKHaJh@h?CJKHaJhy6CJKHaJhh?6CJKHaJJJJJJJJJKKK!K-K.K2K3K4K8KCKGKaKbKlKmKKKKKKKKKLLߥxkah5dCJKHaJhh-cCJKHaJhpCJKHNHaJhpCJKHaJh*WCJKHaJhhXmCJKHaJhh^+,CJKHaJh!!CJKHaJhPCJKHaJhjlVCJKHaJhvnh~(5CJKHNHaJhTeCJKHaJhvnh~(5CJKHaJhyCJKHaJ!LL LL%LOIOfOgOrOsOxOzOOOOOOOOOOOOOOOOOOPPP PP3P:PIPTPWPYP䜒{{qqhTeCJKHaJh.$CJKHaJhhpCJKHaJhPCJKHaJhh<CJKHNHaJhh-cCJKHaJh!!6CJKHaJhhyuCJKHaJh!!CJKHaJhyCJKHaJhh<CJKHaJhh<6CJKHaJ'YPZP]P^PPPPPPPPPPQQQ*Q2Q6Q9Q@QDQMQOQPQTQUQYQuQ|QQQQQQQQö䶬wm_h+TCJOJQJ^JaJhyuCJKHaJhhyuCJKHNHaJhPCJKHaJhhpCJKHNHaJhhpCJKHaJh!!CJKHaJhhyuCJKHaJhh<CJKHaJhyCJKHaJhTeCJKHaJhh-cCJKHaJhh-cCJKHNHaJ$QQQQQQQQQQQQQR!R"R$R%R.R;R\϶Ϭϟϑϑ϶϶}sh2lCJKHaJhK CJKHaJhJiCJKHaJh}h6CJKHaJh}h["CJKHaJhjlVCJKHaJh}hCJKHNHaJhyCJKHaJh}hCJKHaJhT{CJKHaJh}h%,CJKHaJh}hXHCJKHaJ+>\?\f\j\x\\\\\\\]]]]]]+]0]V]j]k]]]]ӿsi_UH_H>HhCJKHaJh}hsCJKHaJh)^CJKHaJhK CJKHaJhQCJKHaJh}hQCJKHNHaJh}hQCJKHaJhCJKHaJh}hCJKHNHaJhyCJKHaJh}hCJKHaJ'hhXH6CJKHOJQJ^JaJ!h.$6CJKHOJQJ^JaJh}h%,CJKHaJh}h%,CJKHNHaJ]]]]]]^^^^D^N^V^k^l^^^^^^^^^^^^^^^^__ʩxlx]ShjlVCJKHaJh}hQCJKHNHaJh>9#CJKHNHaJh>9#CJKHaJhyCJKHaJh.MBCJKHaJ$hA hA CJKHOJQJ^JaJhCJKHaJh}h^oCJKHaJh$CJKHaJh}ha]CJKHaJh}hsCJKHNHaJh}hsCJKHaJh}hQCJKHaJ__ _!_"_-_>_S_T_U_[_]_|__________````` `+`G`H`N`O````````ֿ̿̿̿̿̆̿yyyoyyeh,CJKHaJhyCJKHaJh}hQCJKHaJh$CJKHNHaJhM?CJKHaJhK CJKHaJhCJKHaJh}hCJKHNHaJh}hCJKHaJh$CJKHaJh}ha]CJKHaJhjlVCJKHaJ$hjlVhjlVCJKHOJQJ^JaJ'`aaaa'a-a.a6a7a>a?asatavawaaaaaaaaaʽʯ|t|fXG h=*hCJKHOJQJaJhCJKHOJQJaJh.W]CJKHOJQJaJhjlVCJaJhCJaJh}hCJaJh}h6fuCJNHaJhyCJaJh}h6fuCJaJh}h6fu6CJKHaJh}hXgCJKHaJh}h6fuCJKHaJh}h'1 CJKHaJh}hCJKHNHaJh}hCJKHaJaaaaaaaaabbbbbbbb!b(b)b*b,b-b7b;b=bDbEbFbHbIbTbUbpb{bbbbbbbbbbbb·s!h.$6CJKHOJQJ^JaJh}h'1 CJaJhyCJaJhCJaJh}h6fuCJNHaJh}hQCJaJh}h6fuCJaJhCJKHOJQJaJh.W]CJKHOJQJaJ h=*hCJKHOJQJaJ hZ%3hCJKHOJQJaJ-bbbbbbbccccc c c c cc*cVcZcdcgcmcncyczcccccccccccǽԳǽԤԐԃpԚԤԳԃ]$hZ%3h|CJKHOJQJ^JaJ$hZ%3hsCJKHOJQJ^JaJh}h|CJKHaJhCJKHaJhPCJKHaJh}hsCJKHNHaJhyCJKHaJhK CJKHaJh}hUOCJKHaJh}hsCJKHaJhhXH6KH'hhXH6CJKHOJQJ^JaJ#ccc ddddd*d.d2dJdPdQdddddddddddddڶУ|reTEh}hMCJKHNHaJ hZ%3hBCJKHOJQJaJh}hBCJKHaJhyCJKHaJ$hjlVhMCJKHOJQJ^JaJhPCJKHaJhACJKHaJh}h1dCJKHaJh}hsCJKHaJh}hMCJKHNHaJ$hx hCJKHOJQJ^JaJhCJKHaJh}hMCJKHaJh}h4QCJKHaJb"eoghKhijzllnooqstt$h[$\$`ha$gd+T & F[$\$gd+T$h[$\$`ha$gd.$$h[$\$`ha$gd} [$\$gd}$h[$\$`ha$gdx $h[$\$`ha$gdA ofpfffffffffggg%gCgHgRgSggghgngogggggggghhhҮҡ~rh~\hjlVCJKHNHaJhCJKHaJhL*CJKHNHaJhL*CJKHaJhCJKHaJh}hSCJKHNHaJh}hSCJKHaJh}h{CJKHaJh}h0 CJKHaJhyCJKHaJh}hr$CJKHaJhjlVCJKHaJh}h e+CJKHaJhCJKHaJhhh!h;hpOpPpvpwpppppp#q$q-q.q1q@qqqqqHrIrJrOrVrzrrrrrrrrr,s-sYsZsssssttAtJtPtQtRtqttttttttмв!hs6CJKHOJQJ^JaJhjlVCJKHaJhCJKHaJh,mCJKHaJhh+TCJKHNHaJh+TCJKHaJhCJKHaJhh+TCJKHaJ:tttttu uuu!uOuuuuuuuuuuuuuuuuuƼte[tNtDtNtthCJKHaJh}hXACJKHaJhCJKHaJh}h RCJKHNHaJh}h RCJKHaJh}h?IaǼǼǼǼǼǼǼǼǼǼǼǼǼǼǼϣh%56CJaJh,h_=i6CJNHaJh,h_=i6CJaJh,h_=iCJNHaJh,h_=iCJaJh_=iCJaJh_=i6CJaJhlh_=i6CJNHaJhlh_=i6CJaJhlh_=i6CJH*aJ7abegijovy ./0137:KOQjޘohdvh_=i6CJNH\aJhdvh_=i6CJ\aJh_=i6CJ\aJh,h_=iCJH*aJmHsHh_=i6CJaJmHsHh,h_=i6CJaJmHsHh,h_=iCJNHaJh_=iCJaJmHsHh,h_=iCJaJmHsHh_=iCJaJh,h_=iCJaJ+Հր׀  #&'039<SV^_ghz~#jh}h_=iCJUaJh}h_=iCJaJjh}h_=iCJUaJh,h_=iCJNHaJh,h_=iCJaJhK h_=iCJaJh&+2h_=i0JCJaJ#j h&+2h_=iCJUaJjh_=iCJUaJh_=iCJaJ.@AOQZgjx{ȂɂAOP\kĵܕ{mb܉ܕWKWjh_=iCJUaJhK h_=iCJaJh,h_=iCJaJhHh_=i6CJNHaJhHh_=i6CJH*aJhHh_=i6CJaJh_=i6CJaJhHh_=iCJaJh_=iCJaJmHsHhHh_=iCJaJmHsHh_=i:CJaJmHsHh}h_=iCJaJh_=iCJaJjh}h_=iCJUaJh}h_=i0JCJaJkmno~݃ރ*+56:=ART_`}„ńʄ{hHh_=iCJ]aJh@lh_=i6CJH*aJh_=i6CJaJhHh_=i6CJaJhHh_=iCJNHaJhHh_=iCJaJhK h_=iCJaJh&+2h_=i0JCJaJjh_=iCJUaJ#jh&+2h_=iCJUaJh_=iCJaJ0ʄ˄ BEFLdegir{Džȅ˅̅Յ-.ƽڗҌҌҌҌҀrҌҌڗh,h_=i6CJNHaJh,h_=i6CJaJh,h_=iCJaJhHh_=iCJNHaJhmlh_=i6CJH*aJh_=i6CJNHaJh_=i6CJaJhHh_=i6CJaJh_=iCJaJhHh_=iCJaJhHh_=iCJ]aJhHh_=iCJNH]aJ+i̅+ӈ#5 [$\$gd}Dc$h[$\$`ha$gd3$h[$\$`ha$gd1g & F[$\$gd}Dc$h[$\$`ha$gdXd3xx7$8$H$[$\$gd, & F[$\$gd}Dc$[$\$a$gd, ./efgȆ҆ۆ܆*+徳vhvZhhf_CJOJQJ^JaJh. VCJOJQJ^JaJ hzi.h. VCJOJQJ^JaJh,CJOJQJ^JaJh_=iCJNHaJh%5CJaJhOh_=i6CJaJhOh_=iCJaJh_=iCJaJhHh_=i0JCJaJ#jhHh_=iCJUaJhHh_=iCJaJjhHh_=iCJUaJ+DRVXZ[]^_`defhijйХvйbJ5J5)h>7CJOJPJQJ\^JaJnH tH /h>7h>7CJOJPJQJ\^JaJnH tH &h/yCJOJPJQJ^JaJnH tH /h>7hueCJOJPJQJ\^JaJnH tH ,h>7hueCJOJPJQJ^JaJnH tH &h- CJOJPJQJ^JaJnH tH ,h>7h>7CJOJPJQJ^JaJnH tH ,h>7h. VCJOJPJQJ^JaJnH tH /h>7h. VCJOJPJQJ\^JaJnH tH ͇ҺҺw`I`,h>7h>7CJOJPJQJ^JaJnH tH ,h>7hdiCJOJPJQJ^JaJnH tH &h,dCJOJPJQJ^JaJnH tH ,h>7h,dCJOJPJQJ^JaJnH tH /h>7hcCJOJPJQJ\^JaJnH tH /h>7h. VCJOJPJQJ\^JaJnH tH )h/yCJOJPJQJ\^JaJnH tH /h>7h>7CJOJPJQJ\^JaJnH tH "#9:HI^_gvx~ҾҾҧ{f{N9N)hzCJOJPJQJ\^JaJnH tH /h>7hVsECJOJPJQJ\^JaJnH tH )h29CJOJPJQJ\^JaJnH tH /h>7h. VCJOJPJQJ\^JaJnH tH &h29CJOJPJQJ^JaJnH tH ,h>7h. VCJOJPJQJ^JaJnH tH &h>7CJOJPJQJ^JaJnH tH ,h>7hdiCJOJPJQJ^JaJnH tH ,h>7hVsECJOJPJQJ^JaJnH tH ӈو 13;hioϺϢ{j{{[C[2[!hzCJNHPJ\aJnH tH /h29hzCJOJPJQJ\^JaJnH tH hzCJPJ\aJnH tH !h- CJNHPJ\aJnH tH /h29h- CJOJPJQJ\^JaJnH tH h- CJPJ\aJnH tH /h>7h>7CJOJPJQJ\^JaJnH tH )h29CJOJPJQJ\^JaJnH tH /h>7h. VCJOJPJQJ\^JaJnH tH /h>7hueCJOJPJQJ\^JaJnH tH osxɉщ +.@DU[]t{ôsaRRCRCh1gCJPJ\aJnH tH hCJPJ\aJnH tH #h=3h- CJPJ\aJnH tH 3h29h- CJNHOJPJQJ\^JaJnH tH /h29h- CJOJPJQJ\^JaJnH tH h|CJPJ\aJnH tH h- CJPJ\aJnH tH hzCJPJ\aJnH tH /h29hzCJOJPJQJ\^JaJnH tH )hzCJOJPJQJ\^JaJnH tH Š݊89ACKmn߲|m|cWcHh :h}DcCJaJnH tH h}DcCJKHNHaJh}DcCJKHaJh1gh1gCJKHNHaJhr%CJKHaJh1gh1gCJKHaJh}DcCJOJQJ^JaJ hi<h}DcCJOJQJ^JaJh- CJPJ\aJnH tH hCJPJ\aJnH tH h}DcCJPJ\aJnH tH h1gCJPJ\aJnH tH !h1gCJNHPJ\aJnH tH ‹ċŋƋʋˋϋЋԋՋ׋؋ދܸܣ܎xxgQx+h,h}Dc6CJOJQJ^JaJnH tH  h :h}DcCJNHaJnH tH +h :h}Dc6CJOJQJ^JaJnH tH (h :h}DcCJOJQJ^JaJnH tH (h1gh}DcCJOJQJ^JaJnH tH hCJaJnH tH h<CJaJnH tH h}DcCJaJnH tH h :h}DcCJaJnH tH (h,h}DcCJOJQJ^JaJnH tH !678YnjȌʌҽҽ蒽xnaTJThr%CJKHaJh1gh3CJKHaJh1gh&2CJKHaJh1gCJKHaJhCJaJnH tH h}DcCJNHaJnH tH +h,h}Dc6CJOJQJ^JaJnH tH (h,h}DcCJOJQJ^JaJnH tH (h :h}DcCJOJQJ^JaJnH tH +h :h}Dc6CJOJQJ^JaJnH tH h}DcCJaJnH tH hr%CJaJnH tH ;<gijklmu"#$ıĤıė~th^M!hr%6CJKHOJQJ^JaJh3CJKHaJh1gCJKHNHaJhCJKHaJh1gh&2CJKHNHaJh1gCJKHaJh1gh&2CJKHaJh1ghO2CJKHaJ$h1gh1tCJKHOJQJ^JaJh1gh1tCJKHaJ$h1gh3CJKHOJQJ^JaJh1gh3CJKHaJh1gh3CJKHNHaJ$5MNaboΎώ܎޼ޯޒ~k~[OޒEhhWdCJKHaJh&2CJKHNHaJh&2CJKHOJQJ^JaJ$h3h&2CJKHOJQJ^JaJ'h3h&26CJKHOJQJ^JaJh&2CJKHaJ$h1ghbCJKHOJQJ^JaJh1ghbCJKHaJh1gh&2CJKHNHaJ$h1gh&2CJKHOJQJ^JaJh1gh&2CJKHaJ'h}Dch}Dc6CJKHOJQJ^JaJ #%(+;NRSYdjloqrstóóß{kóóó\M\hbCJPJ\aJnH tH hhWdCJPJ\aJnH tH hhWdCJKHOJQJ^JaJ$h1gh1gCJKHOJQJ^JaJ!h6CJKHOJQJ^JaJ'hhWdhhWd6CJKHOJQJ^JaJhCJKHOJQJ^JaJ$hhWdhhWdCJKHOJQJ^JaJh&2CJKHaJhhWdCJKHNHaJhhWdCJKHaJh :CJKHaJ;Nr/kRx$[$\$a$gdr% xx[$\$gd, xx[$\$gdb$h[$\$`ha$gdb [$\$gd}Dc$[$\$a$gdb xx[$\$gd$[$\$a$gdhWd xx[$\$gd ,-3S}~ǐːؐސ̵xixixiViViLBLh :CJKHaJhbCJKHaJ$h1gh1gCJKHOJQJ^JaJhbCJPJ\aJnH tH hr%CJPJ\aJnH tH 'h}Dch}Dc6CJKHOJQJ^JaJ2h}Dch}Dc6CJOJPJQJ\^JaJnH tH ,hr%6CJOJPJQJ\^JaJnH tH $hhWdhO2CJKHOJQJ^JaJhhWdCJPJ\aJnH tH !hhWdCJNHPJ\aJnH tH ސߐ /]^k02Rx׳ǡǒkX׳G!hb6CJKHOJQJ^JaJ$hbhbCJKHOJQJ^JaJ'hahb6CJKHOJQJ^JaJ$h1gh1gCJKHOJQJ^JaJhbCJPJ\aJnH tH "hbCJKHNHOJQJ^JaJ'hhWdhb6CJKHOJQJ^JaJhbCJKHOJQJ^JaJ$hhWdhbCJKHOJQJ^JaJhbCJKHaJhbCJKHNHaJ’ĒƒʒГ$%'A͹vgVHV:h=oCJOJQJ^JaJhr%CJOJQJ^JaJ hi<h=oCJOJQJ^JaJhr%CJPJ\aJnH tH !h}DcCJNHPJ\aJnH tH h}DcCJPJ\aJnH tH hbCJKHOJQJ^JaJ$hbhaCJKHOJQJ^JaJ'haha6CJKHOJQJ^JaJ$h1gh1gCJKHOJQJ^JaJhaCJKHOJQJ^JaJhzCJKHOJQJ^JaJAvQRSTUVWXYZ[\]^_`abcd&s&sgdR;gdR;$a$gdi$h[$\$`ha$gd & F[$\$gd=oAmnrȔ%Ropuv|Ǖ͕ЕՕݕߕ<=ĖŖ!)=cdiԼ԰ȰȰ|h.CJNHaJnH tH h.CJaJnH tH hXCJaJnH tH h%5CJNHaJnH tH h%5CJaJnH tH hCJaJnH tH hr%CJaJnH tH h :CJaJnH tH  h :h :CJNHaJnH tH h :h :CJaJnH tH 0ijٗڗQRPQRSTUVWhijɵhh3 hR;h3h<ƧG`-k`+NJoGzuo=^(/Gzy<[h/0 ׌I7p兑1:1{vtu2Fzm8kE{üs{w?M.:7|zw7B~ĿsYϹ;-Vw٭@-8Ɓ@={|oyJc |L[ThgN.psQ=k\7SpRy$Tؗ6jh1'F]/x}VJZ(`~[Wr%_һ.v;t aN!zp:|';8ʙ#$ü.\}5E9&+tӉCtqsm29mfe"8-ءϙ&^g>MxV1a}Ȭ_ ܇t5fUVc+w -ߐjl}X//Ajُr.r =M+͘)19ʛ#9bgKeii n4A\<(I\q̟I[OBgG]Zs0\at_v"IJJ9å|aԗxL}H_yZ~M/w[a?q4>2ilafc0Z1&Z#$qh:jk#v^1 xGJᏎcbcґ$.wL98ć:sltGx^xQ88бC(bǻb{}Pt;>'T8jį/cGOQcBGCN 9--䌸%bAȿħB|# ‡ BC(!z!PHT3U.SǭCCaZa7krFkzhueRYֿNN:Һ?t֣wZφv~j5abs[:nk4[u-ĺf>e?gb;o?f`/y+KV83(%).rװ`x+I%mX&kX}iz҈?#g$_4wl\`-d|.\Ao&m{̚<~^1Tr|g.ab!$=HB֚|ߌzI{\q!f%GDžJ/\r-瞠` _$FSw;yhoһIy_]]}Oy{J?g?39Ci5}Nxl g<`(Z@{ t6,1`=3vd $:ƘJk?qca,3'ZJۢ?WhU2vN_5H|Lfcv{1^ 5FkI)t~{GgWmضX6jh2 ӼUZj-֕Żv?]WSo֪XA oGبurޤvezIɦT3%μbz(3B1RO4l-3ofW1_z,l&I;I^~CsTk.>3WKg$d,)2'RKi)+ɝ.|O{zfy뽁f5cCԔRD#/N[HѴ䥷HvQ"tzJu_:w Ib_*y3TzVKiY/KӠLJ}4$ǃK E6cp= /#9~9}n.$ SK}Q-оV-[{.4`,p%Y-|Kg~|,`M.Y^<^pսp?ً/^\\UYͮκ=x/[k9}b}L={iɾɳ&L8>-ٗ2m\x;!YXBN[-bfkZɨע Zk[Y5lilfHkFXkME5 u"Ԭfc5%kb䭥x/ox߇_x?'j<ZF¸Zq5AU㷖CxR_Zn-pزj-e+l3BR,y%B1||ȯj>j<8IK~+7NWo= $kYπz4@uBFk,fDšB[Zi+2ښEQAo4eԃԼIMMj5QO.S'W(׾*3\9נ}Y4I. s1x:.k$<̥\\e~.p7WoqXƕn7n\%nLJԒT Wٍ jAvR}In$sב|%٘C2)'ibI$%qb +>D^G*H6k$q F K $#|N")tIx%$>J" "U<*Lť,\,Džb|PXs8[BNc [p c:Bvb[ %DPPp-:c!uXͨld9 XNcQ{*x/U8;o+0WP 7yn=6pySj<ƭZn1rg1˝,w"V2k~3=c`Jzi%N?BSp; )8wBSyn~,r_ *_n"p_X̯8>upexSYDNc,`,gT@5X"$Y aHB>(z%Aka3E(B)vB {`p !Yu0]80W](B8]*Q!.ZB;΍\UI]M꺺~ڵW̓sk=z!MNKM)$,>?]y=~W͂㞶jqߌi%'ٓػXq1҃L |oqp~Jpԓ!;8_V__qՂbkǡQX@~ 1xcH*H!߇4,}{!wC>EXŸJq;᫰anJ,C`'W7[7)RKCX,UfiIP*R\'cT9R>>)ecIpJDJR.!)IQ8W0]bԠ͖굙R6C*gkӥLI:]`R!#ΔR:MRhHJtKB).DyX)Ǥ:ȔIH+u6xN &( aTRHP*RX 9$a\cP`3lbN@T[P PA?hZc!~ )i,EA!=% zp=VMjjRjj r\(6ɕZ\m?V|^p,Y9$̕S1GNçdWJ 9WET.Er).pp\C*W$k0Irj1[-.##Vlpg4nL$[)h[kallm.[b[%`[v(ifl ڭzR`+blZ{[&$mo`[!`ˢm譶tz-v%X[<Kۢi[eSh@]3p۪`kѶ0ζ &ٶBmLL[̱<[.,Gllx1H΁HsaH a f[a ;a\Trdg`rLYO ͑#hMXO D^NtY΢BZ$Mr;'>IMMj\M7Z~Zsc^lCI8>ۧX,e#q}ƻߞ}1ξڷWvle7ѴW "G^ ;ª>0~v+jpOX-6ƖF&D:БEn,anƖ( [{r2l-|ᳰBOX@ŀ0V]p}j?]! A)~ؿvBGC({8kx{`oI'1p=MjR/V nw< j/W ~m~q bpk:*ż+v,p]aiBp8hVWk?x3gŌr-[=x>'1U|̛+ܛKp7zq7zpgxKq SqwV(!LVL`o-aFbgy}j9<8γGyvO=bS| Y]=iٓz0ƓɁtƃ]̓!H(& ջy+`V\o+Х^.FЕh7Lo"}›Bl2͢kio VFoRS.Wӵ ƘXm3*Qfd6h#M+05L4pC8d&`wL>"ef`|ba'cR,nlaCY3۬F4ìA0k1ԬCnZ#]m܇};nt.E]a"(@{~JTʕ _>B+>pFJ`R}o . }` d>}u;k}g!5g|tϠ[}%Me_;΍\A꺡uW뻼=M Y}:?{J0ژK\Nk3z wf%_LC{.￶ߋKG؃K|?q{~}\x<}|0r#LmViZQ=5hOkV\iEaOjq%*- Rqjp4fZ>ӊ0]+YZ)ޯm7hpVcCxVô#8HZaF(RiTT(8Aهc8R)J)V1A)J>UV"즤a)IQI%)1V6+ޤ4h-zR5SZ8I F m2hsemӛZImxVhDЎBoSn [))uKT@+`F*`RHQ` ӕ5^Z]Z. `Vj0Fm)N_YHת`%,-fkt>egBV+aT<-cߤ&5]kCS3qj1\VjczmڠRjxj Sp$LPSq"f`O5Pv;Q-jUwc+u6W+ѧBSFC=Zv%CsbWG vrG5uVJl؇>n4eh8JQsQԑ6G6 8T<_qx6<5<nS ډzxxv,\;^Շg2N F =^Hgtz*<O/chz.\]y 3;@pTq9 cQy֑ 15ɑ]q5$u \P<00B𩛠Z۠ګQ=*];3S=Uƫ F5Rc5SiBUiRhQKX\Ԥ&5]ZhuGCtuF/n ` aF1& c*&p1ngՍL5W2\ |@]8]SթNdf!8^^L -xNpҩ*կazPO%'R=L9xV3nQKaZoŰG EpuHXd-]}Xz.dk@_/P2Ջ࠾jb8@^ whtD 5ꠃq g52kF8M0t:ȈCtюs#ףѤ&unh"Jӎ3PK5gv|i}ϛC!z$V 4'~}M]ӿņƻ&w*v^;7;+9W&/hZg[n!?UЏRz/|"rz)O)'yB'8^qЌF:O ]!NOLaGaR'>*SŅq0_)<,N)rq!VÅ'{,#)݅mBNxVl-Q LdYq'׊\N>Gg'~g-墏_"zE'?_tsD৊V>E$8[n7Tlg.N":'61x('\)% (֑\9eϸ " \:fy !|2# ÉD@㉏MZ=H4ߝ]Ig3w"wI> ۓ|;2B1PhGLFОbH;#MD ɝBW_NzBo2J'ㅁ$ED La$#$0<*C)$O$K!9:򴰁 /KRv)RҤ&5TM>np/brkjkw][tx)N!%:Pܰ/*eZ→XOIo>}2S|g uzm*yW7?S6K`N@ mo 58꥞qZr&p;^Frw#ݱb;N4}E{tUH'QpO9 ;Wx5_zV|֕/0V dޜ18̹N\+v(\#vrf8or#ǹ\ԜK0bs9pNs'đb=kp ?8C?b%('7:R9$J.!CI= 'q*ɗ8|I;N8 HœM<$ٝJnqv&C;;d=lGF31ڑՌW{yՑlqu":-WwՃM#k9Nκ98+pDp ;ս8+˝ILwp# $i~4w2=7rKvu5u|+Űo[]j]_x}+]{\c؃cf kcUe/cட뿔m^ԻS;ߙa/w}T0;쥜Nf?cvӫ̮}mtqa\"fr13?jq)>!.,q.gb8׊q8cb\#s|>F8VY'P֊\FS)O)JFY.6W>aѭQIÕ2N)~*~(68gqGxFsd3c ipcTGiE0NEa3Udg? C1- gxn׌0?Ըo1bNz)V~ =y}?T#6v:#N{jO;2_voRcRoU[ժϿRN5*gV"'_E&ER#U?LTEWߎdƸ3TMfa$zw{xϽj(53V虠$-=H3[Eݳ@F1Hf46MjRumQ*2ע=ˢTc gԏh][Z.f/t&y^k^2t5S=[b]`C_*\)xet'petH}C ٳ? .={zC`!kί6T, GD?@Tx}\Uܹps{|HC3*|(5M4e3SAQ@V!pu qET\$i?u+ʴ!lO g|?w̜{U%Du;!NrFTIj[|{潥Dػ= G8W^F!ā76kUj{ߡ{ G)6 nGIR$eAꄒP[uN yvV\Bp.+VmaV3j8}&$$NZT%s[lD wvm1P1.rm *88 \q= OsfWu+NT;Why±K\Sh[}K7:9΃O;yJt v׽Zkvu^b "Fx/'^~:[史*~o4ľ9~?jH@ɀBtJL 㓀<|@y@EƗ0d,gd1.S : 8>w - Ĩ@ ܂[a+l]p\cQGQdLӍBcҘc0^0#cȘ怙 d='D荅X1 mxI13cC#ZqЌ0 Ca 8D4c*}q-hXd ++<#<0ct|81 m6B{&OF?R1>:) ݱЯ#mM}, ˜FˠAE鄶1@L'bSx^C屻JA9CNBO#i'bFp ^N x{Ax>#J]h@ ݈1BhC11xx^S)m x}l]#)T0.ИҘ3r/A/yƌ9`&Y 'Dq荅X1m#@<ĢSFhf# 3 CxOOS ` G`j#"BIJi yp28׸+8h"g fl2q|2MD)`XEF#qB's||.#K"|.""|.#oU£^]{<|Sc ݎ|B>g?y|E>As|E> V ovx~T rPVO)^O1ƘU24Ak)4B;1+1"RxX//*x[ *xK߯߿.LnsuכzkݮH~zDP p|%XKtLND @-׉1~k-Mmb*m?xq7U7{V&{c004B}hVC11}x8 / c%7䰭-`YcQBh@1 1 K1< X呠ՑFi1`C=O"Zo}ON{\Т  bў#/ b\ƧCg&@w"C>7 c`l/h HĈD?"f/}%  x| ^XZCz~ ԛz3O=7g`~'{ ۡ  8>,ƥa|:tPS@g_M}F>ϗssG>g<9|. ϑϗ"xT8ٵ<^l2 }"-E>gه|!JA>o!g+e )kжcal.4@+9AA e)< o^׀8# `(DdO?|x G_Ÿ4Oj DЯ# ;0kJbh;!Yvߝ~+yco:Sx7\iǥćk=>%-1!16&->G'&bąt+5D|Ib;Dc/m>Flh_ߺr }rQl&'\V;\Oo;Yt'O)22DZSsI֟ B.Yr%{ͥ\E֚#yz2Ǭ S̷HYM/I+^BHC9J/)zeV"l26T=*g:ͶV+oS9[;ԏ7iq}XkW-{[ G Zd,׈"[:yVrb,rdk`Eϑx{Yse!_(s"ŗ4'2ٟ<_قI_#9/ Mְyacelvr[}E=ώe\NɅC>AʭlV>gV1{*aGrvNZV;c`XggV Rx%ÿZ+VW\u~8pq;3w!2Fj>|5㗭*=Y]7TYh:hZZkv};f H,|I,fk*<%v6bjri2,5Cf|!ךe9P4f\bfo˹$9Ӝ"2̔Ϛz^Xdȿ)r$WtD\1Z r"g2[DϊP9Q4ㄅZd"F b8%*/vaT bxI YI"1O,Ek`Ex{D(OE"Pџ<^)<|$1/E)oVjc3Faev>s=;hʎk)TܿUsePf-f"WneσEE,߳ele˳Ãg-;yӳ}Ⱦla_yv0o3}z=ŚxϲۼXs%Kx{-v7jooVQuh>lOu^oe+R=%9n6iI!wOI2WO:d<~.ymֽW_@'==:yb||jHl̘Ϩ_XUFtF\1)߭})^9^.c- n{k1Oc@Hg$Kb@DN1^%01~E k %ڛP.޲}f"d} t>IOw3d=SzӤYO_[eːئIA[ 0hޖ چVlj!oK-TZf2fIæIvEh N [v V**F_+)#.)}@gqQi ,sR KJ(䗕ſQ%_Us0okq皍sݦpVÂmge;*v5mgm嬕"fgeAݶ=be@_`s׾ؗ;XK{>kc/b,^嬋};fd=U,~=j?kX9-P{fq|='H{mIBl/Oj>~jq_}nVWׯY Zt}=jhvjUsD[@QKEkuhV;ӢzA4U[U&tͤTCeQ6R#$S{K:P! [Ur1#T)Tq4y`%S6R2L$iS$E^&I$ d gIo'IGyʣtIk`EH夌o"|3$o%i Ƿ|'o0! "509ˎ8b'I%lggI9 Ր"vo2fS0e!Ӕ\#㨴SPyϣDE^Be~ %vfW+SbL=gYZäpycoU[joF;[i۪99{zV2]^_ZWIH]﷑ ʹUrEK1h#KtVM+dD%욥,I9Y ǫd2Q.cq6V;h.ghoTeOUT|P,:E_=&ԃ^uf`*/x߫va=~WCx':,U[S?`q6X=b,QÒlZ&e,K-aW|u [j>[.g%RY]v~u!;g8G.XȲlc)w,gkQ69ְWXt vұqa9a8S0Lsְ,-;M~37u͜μa0>ެu1t<ۢv=o}UsizwEA@?F_?st~fW45U\z+E7]IǕ{]q`H=ו<͂],5i5]%dŎ cPVAu d?IIK`zGXړ14ڍ}8blX<Ȳ8! *]كJ7VΚ(+=q"qwՋMm/+!Y!'\2e,ı$2őQlIfH EƳ2=Dddd6kGg$M!z(ۑDI#):MÛЉ M]xޛ4'ѧ$gQhm͵vުUԭR͠$jhI6r7մ.jmCkB5ڵvrڴ`Sl U]vݢ84]ڷD'ж`m=Z!qkIcm.U$k餹DZjq6{^-t"]$BDjHo駅IДi;P~;C3 ]y/<#ȣgݬuHtޝrU.yؘuڟMk6;u^kr#FЏCc-5#f̢XA5t.7*MO_0qm|H3O$ :θLtaw5e" p sh캥 \םۥnŹ4jnwsk?Lw/6)?8}k~Zߤ+pn4 <_@gYtϠxGL>>ѩ:wy(hhTe DOs$H$d/%Z< I.GtO&|Y|'R>ld"Q=ލT.4'B_@_퉂k`[ F;hOŒq0I/ ot#Iы0HMC$#dI$Gf tG reXKRx5)1NRD Uh4gڛunT]5כi精i.JoM!i)RӾ{2IKYڧ?lޱ]bߊ@jĐu V EǯEm}K?ީ\pUixwz$$If!vh555 #v#v#v :Vl t,5553 2:2 s2+T$$If!vh555 #v#v#v :Vl4 t+,5553 2:2 s2+T$$If!vh555 #v#v#v :Vl4 t+,5553 2:2 s2+T$$If!vh555 #v#v#v :Vl t,5553 / 2:2 s2+T$$If!vh555 #v#v#v :Vl t,5553 / 2:2 s2+T$$If!vh555 #v#v#v :Vl t,5553 / / 2:2 s2+T$$If!vh5.#v.:Vl t,5/ / 2:2 s2+T$$If!vh55D5< #v#vD#v< :Vl t6,55f5y 2:2+2:2+2:2+T$$If!vh55D5< #v#vD#v< :Vl4 t6+,55f5y 2:2+2:2+2:2+T$$If!vh55D5< #v#vD#v< :Vl4 t6+,55f5y / 2:2+2:2+2:2+T$$If!vh55D5< #v#vD#v< :Vl4 t6+,55f5y / / 2:2+2:2+2:2+T$$If!vh55D5< #v#vD#v< :Vl4 t6+,55f5y / 2:2+2:2+2:2+T$$If!vh55D5< #v#vD#v< :Vl4 t6+,55f5y / / 2:2+2:2 s2+2:2+T$$If!vh55D5< #v#vD#v< :Vl4 t6+,55f5y / 2:2+2:2 s2+2:2+T$$If!vh55D5< #v#vD#v< :Vl t6,55f5y / 2:2+2:2+2:2+T$$If!vh55D5< #v#vD#v< :Vl4 t6+,55f5y / / / 2:2+2:2+2:2+T$$If!vh55D5< #v#vD#v< :Vl4 t6+,55f5y / / 2:2+2:2+2:2+T$$If!vh55D5< #v#vD#v< :Vl4 t6+,55f5y / 2:2+2:2+2:2+T$$If!vh5 #v :Vl t6,5/ / 2:2 s2+TDyK http://www.xrml.orgyK *http://www.xrml.org/YDyK 9http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txtyK rhttp://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txtDyK http://odrl.netyK "http://odrl.net/DyK )http://theory.lcs.mit.edu/~cis/sdsi.htmlyK Rhttp://theory.lcs.mit.edu/~cis/sdsi.htmlLR@R ?Normaldd[$\$CJ_HaJmH nHsH tHZ@Z D Heading 1$ & F@&5CJ KH OJQJ\^JaJ \@\ # Heading 2$<@& 56CJOJQJ\]^JaJDA@D Default Paragraph FontRi@R  Table Normal4 l4a (k(No List$L@$ #Datee@ #HTML Preformatted7 2( Px 4 #\'*.25@9CJOJQJ^JaJhOh #HTML Preformatted Char$OJPJQJ^J_HmH nHsH tH4@"4 #Header  !4 @24 #Footer  !J^@BJ # Normal (Web)dd[$\$PJtH 4U@Q4 # Hyperlink >*phT@bT # Footnote Textdd[$\$CJPJaJtH @&@q@ #Footnote ReferenceH*Ng@N #HTML TypewriterCJOJPJQJ^JaJ*W@* #Strong5\.X@. #Emphasis6]j@j # Table Grid7:V0RYR rF Document Map-D M OJQJ^J WTable 3D effects 1m:Vj#j#j#j#j.j.j.j. 55\5B* \`J phB* `J ph66 WTable 3D effects 2:Vj.@j#j9jj 45\5\tt WTable 3D effects 3:Vj.@j j j#j9jj44:B*`Jph B*`Jph5\5\brb WTable Classic 1:V 0  j#j#j#jj  9B*`Jph6]5\56\]s VTable Classic 2#:V!0  j% j#j0 jjj%  !:5\B*`JphB* `J ph5\Tt#T VTable Classic 3:V"0    jj0  j0  "QB* ph5B*\`JphB* `J ph56B*\]`Jphu3 VTable Classic 4:V#0  jj0 j0 jj #X5\B* `J ph56B*\]`JphB* `J ph5\RvCR VTable Colorful 1:V$0    j% j% jj%  $<B*ph56\]56\]56\]TwST VTable Colorful 2:V%0 j% jj0  j %@56\]56B*\]`Jph56\]4xc4 VTable Colorful 3:V&0j;$ j0 j%  &5B*\`Jphys VTable Columns 1 :V'0    j j jjjj#jj4'l5\B*`Jph B*`Jph5\5\5\5\5\5\z VTable Columns 2:V(j j jjjj% jj4(5\B*`Jph B*`Jph5\5B*\`Jph5\B*`Jph5\5\{ VTable Columns 3:V)0j j jjj#j% j4)h5\B*`Jph B*`Jph5\5\5\B*`Jph5\| VTable Columns 4:V*j j jjj% 4*LB*`Jph B*`Jph5\5\B*`Jph`}` VTable Columns 5:V+0    j jjj#j#4+VB*`Jph B*`Jph5\5\5\56\]00 VTable Contemporary:V,0j%@ j% j% 4,<@B*`JphB*`Jph5B*\`Jph V Table Elegant_:V-0j -;B*`Jph~ V Table Grid 1z:V.0jj .6]6] V Table Grid 2:V/0jjj#j /,5\5\5\5\ V Table Grid 3:V00  jjj0  05\5\>> V Table Grid 4:V10  jj0 j0  1B5B*\`Jph5B*\`JphB*`Jph# V Table Grid 5:V20    jjj# j 25\5\$3$ V Table Grid 6:V30    jj#j#j 3(5\B*`Jph5\JCJ V Table Grid 7:V40    jjj#j# j 425\5\5\5\5\ S  V Table Grid 8:V50jjj%  5H5B*\`Jph5B*\`Jph5B*\`Jphvcv V Table List 1:V60  j%@ jj#j0 j46M@B*`JphB*`Jph56B* \]`J ph5\psp V Table List 2:V70 j%@ jj#j0 j47G@B*`JphB*`Jph5B*\`Jph5\ V Table List 3:V80  j# j# j 805B* \`J ph6B* ]`J ph V Table List 4w:V90    j0   95B*\`Jph V Table List 5:V:0jj#  :5\5\ V Table List 6:V;0j%@ j# j#  4;5\5\ V Table List 7:V<0  j%@ j% jjj# j0  4<>@B*`Jph5\5\5\5\ V Table List 8:V=0j%@ j% jjj#j0 4=D@B*`Jph5\5\5\56\] VTable Professionall:V>0j%  >5B*\`Jpho VTable Simple 1:V?0  j#j# ?rpr VTable Simple 2:V@j#j# j#j# j#j#@O5\5\5B*\`Jph5\5\5\q VTable Simple 3l:VA0    j%  A5B*\`Jphp#p VTable Subtle 1 :VBj0@ j# j# j0  j. jj4B5\5\p3p VTable Subtle 2:VC0j0  j0  j# j# jjC5\5\lCl V Table Theme7:VD0DS V Table Web 1h:VE03j EB*`Jphc V Table Web 2h:VF03j FB*`Jphs V Table Web 3h:VG03j GB*`JphFV@F FollowedHyperlink >*B* phLOL $:eAuthorI$[$\$a$CJPJaJtH ROR $:eStyle1 J@& [$\$CJOJPJQJ\^JaJtH V>@V $:eTitleK$<@&a$5CJ KHOJQJ\^JaJ 1QTT             $/u|i}@0R@0w@0w0R*+;<=KL]lmnopq#$-3 B b b[`G0D^k5!""#7##$$$('()O+m+ ,:,,,,,,,,V-W-Z-[----.o.p.r...../8/9///0e1123044Q5k55555556d6e6h6i66667{7|777888-888889 9 9=999999999{:|:::::5;6;;<<H>p>=?A4CDYEFHIIIJKeLL7MNNPRSfTxT!WXYYUZZZ"]o_`K`abzddfggiklloqhsysttYuuvgwwQxxyQz{{{|i}}~+Ӏ#5;Nr/kɉ܉ԏՏ֏׏؏ُڏۏ܏ݏޏߏJ00I0000000000000000000`000$000000000b0b0b0b0b0b0b0b0b0b0b0b0b00k0k0k0k0k0k0k0k0k00$0$0$0$00O+00 ,0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,00Q50Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q5 0Q50Q50Q50Q500H>0H>0H>0H>0H>0H>0H>0H>00I 0I 0I 0I 0I 0I000000000000000000000000000000000000000000000000000000000000000000000000000000@00<@0@0@0@0000000000000000000:0*+;<=KL]lmnopq#$-3 B b b0Dk5!"7##$$$('():,,,,,,,V-Z-[----.o.p.r..../8/9///0Q5k5555556d6e6h6i66667{7|777888-88889 9=999999999{:|:::::5;6;;H>p>IKPSfTxT!WYZZ"]`K`zddgglohsttYuuvgwwQxyQz{{{|i}}~+Ӏ5;Nr/kɉ܉ԏz0z0z0z0z0z0z0z0z0z0z0z0z0z0z0z0z0z0z0 0@0:0 @0@0 @0@0@0@0@0_y0 0_y0 0 @0:0 0X, o:0 0Wy0 0Wy0 0@0:00@0@0@0 @0Wy0 0:00z00 5z00 @0@0@0 @0@0@0@ 0_y00t_y00t_y00_y00_y00_y00_y00_y00_y0 0_y00_y00_y00_y00_y00_y00_y00_y00_y00_y00_y0-0@0_y0-0_y0-0tD _y00@0@ 0W90(0 @0_y00_y00_y00_y00_y00_y00_y00_y0 0_y0 0_y00_y00_y00_y00_y00_y00_y00_90D0_90D0_90D0_y00_y0H0_y0H0_y0H0_y0L0_y0L0_y0L0_y0-0@0_y0-0_y00_y0T0@0_y0T0_y0X0_y0X0_y0X0_y0X0_y0\0_y0\0_y0\0_y0\0_y00_y00@0@ 0@ 0 @0 @0z0q0xt@0_900XU_900_900_y00_900 c_900_y00_y00_900@0_y00@0_y00 @0 @0@0:00 @0 @0z00@0P@0@0@0z00z00@0P_y00z0=1_y00@0@0@0Pz0=1z0=1z0b1:00:00:00z00_y00:00:00z00:00_y00z00z00z00:00z00z00z00z00z00 0z00 0$   i%Q\E0 !#%&'/(x))]*+++,a-.0=1U2P3 44555W666+778w99:<U=>i>>|??@FAABzBBCDEFsGIJLM)OYPQRSSTBUVWXY>\]_`abcdofhhjlsn5ptuPx_zj|}akʄ.+o$ސAijLPQRSTUVWXYZ[\]^_`abdefghijlmnopqrstuvwxyz|}~$ k&14V55o66877;=d>>{?@@AAA{BB5C=GVbtdjMOck{iNxxxyz@zO{n{~{.~f~~XXXX|<"$v'f&յD:c 2$Švva$1]4 f2$=L&;3 YMk2$+o++B ?(2$K|#~WC$0Ju(2$kί6T, 2$NH "Φxa\(2$PvUp<`1s 2$]#*{ *zlhs 2$ME;7%IZ:ehq 2$$*s 2$4z7Т|{))2$'\O0pܝInf(@R(  ~  S 4AFigure%2023"`&  c A~ Figure%203/? @U@UT ?Tm?;>;J;`T9`T' S'0<k&;//S"` ~  C .AFigure%201C"` B S  ?$2$ %"D _Hlt1811655 _Hlt529003041z~@@ z~qqq4,[,lxtLN_8e=vv?w?wHw~|~||     JvvFwNwNw|||   > *urn:schemas-microsoft-com:office:smarttags PostalCode: *urn:schemas-microsoft-com:office:smarttagsStreet;*urn:schemas-microsoft-com:office:smarttagsaddress8*urn:schemas-microsoft-com:office:smarttagsdateB*urn:schemas-microsoft-com:office:smarttagscountry-region8 *urn:schemas-microsoft-com:office:smarttagsCity9 *urn:schemas-microsoft-com:office:smarttagsState9 *urn:schemas-microsoft-com:office:smarttagsplace 120023DayMonthYear   ku %.8?IQ[=GZ_kuw|!+$.AFnxJOw"|"""""""##-#/#4####$$$$$$>&C&&&&&&&'''''(J(O((()!)H)M)))2*7***++7+<++++++,,----'-L-Q-z------.!.X.].......//+/5/////o0t000 11111"1q1v1x1111111111122222223 333 44%4.46)6467666666677I7L7q7v7777798>8Q8T8y8~88888I9N9y9~9999999::%:*:::::;; <<<<w=|=aOcOYYvvywwwwx.x0x3x4x7xjxtx3y9yyyRzTzWzxz{{||||~~v|4:pw˃σЃԃރ #%(`jlo DIehՏُڏ;?04bk!,{ )""""#####$ $,,,,[-_-....//e1n1111133042466i6m67777-86888=9F99999\O`OvQ|Q VVYYUZWZbbttuvvvvvjwmwwwwxx:xPxTxbxyyQzz{{{{{{{m}p}}},506;>Y`ILkpĉɉ̉Տُڏ3333333333333333333333333333333333333333333333333333333333333333333333333@DU[t{ӏӏՏՏُڏՏُڏJohn DeTreville*1.2K̲skxi(YmpY2yV}z-2a PE 21"S, 6q!F3Z rw"v*O+",2LV$2cGR&2jU&2? >/~^_12#208.3C42u55`352wqIG4Q2_TVDTV%nU2UD\5^V%\a2UdaRT$Lj2k=m2zqJvsN :g~7u$ILu2ou8"y2 k!{!Ie ~nh^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hHh#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.hhh^h`OJQJo(hHh88^8`OJQJo(hHh L^`LhH.h   ^ `hH.h   ^ `hH.h xLx^x`LhH.h HH^H`hH.h ^`hH.h L^`LhH.^`OJPJQJ^Jo(   ^ `OJQJ^Jo(hHo  ^ `OJQJo(hHxx^x`OJQJo(hHHH^H`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH ^`OJQJo(n ^`OJQJo(n pp^p`OJQJo(n @ @ ^@ `OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n PP^P`OJQJo(nh#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hHh#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h ^`hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hH ^`OJQJo(n ^`OJQJo(n pp^p`OJQJo(n @ @ ^@ `OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n PP^P`OJQJo(nh^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hHh#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH. ^`OJQJo(n ^`OJQJo(n pp^p`OJQJo(n @ @ ^@ `OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n PP^P`OJQJo(nh#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.^`.^`.pp^p`.@ @ ^@ `.^`.^`.^`.^`.PP^P`.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH. ^`OJQJo(n ^`OJQJo(n pp^p`OJQJo(n @ @ ^@ `OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n PP^P`OJQJo(nh#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hHh#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.^`CJOJQJo(^`CJOJQJo(opp^p`CJOJQJo(@ @ ^@ `CJOJQJo(^`CJOJQJo(^`CJOJQJo(^`CJOJQJo(^`CJOJQJo(PP^P`CJOJQJo(^`o() ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.^`o() ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH. ^`OJQJo(n ^`OJQJo(n pp^p`OJQJo(n @ @ ^@ `OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n PP^P`OJQJo(nh#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.^`OJPJQJ^Jo(-^`OJQJ^Jo(hHo^`OJQJo(hHP P ^P `OJQJo(hH  ^ `OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHo``^``OJQJo(hH^`CJOJQJo(^`CJOJQJo(opp^p`CJOJQJo(@ @ ^@ `CJOJQJo(^`CJOJQJo(^`CJOJQJo(^`CJOJQJo(^`CJOJQJo(PP^P`CJOJQJo(h#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH. ^`OJQJo(n ^`OJQJo(n pp^p`OJQJo(n @ @ ^@ `OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n ^`OJQJo(n PP^P`OJQJo(nh#^`56CJOJQJaJo(hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH.hhh^h`OJQJo(hHh88^8`OJQJo(hHh L^`LhH.h   ^ `hH.h   ^ `hH.h xLx^x`LhH.h HH^H`hH.h ^`hH.h L^`LhH.h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hH1_T#2e ~+"-K k!{g~7uskq!(Y rw"u55ou? >/Uda1wqIDTk=m, k=mUD\1"Szqk=myk=mmpY_1\aLu$LjnULV$cGR&"y3C44QjU&`35E k=msk=mk=mk=m5^ZZ**                  ܭD        d gX| nq4T2NVFVjC                  r/` 'tbj%64p$b!@         nJlv֚c  WudTӜ$ɂ/x9jNԢ -bP(ܓ<<7HA*                  ~ڦ&*6"2$6m"-.        t        X&xO6:(Cn@FzJ                   'Dox0gk{\ cm_cmuxO/Pon} $=F\WNbcmn}3xWNbfua+/)U./kA00xx2^5 E L;Q/M/Po*hNF\,ScmK)W/PokWF\&=ZF\o[{\F\F\/kA0X\La/Po^5(=ocm|qF\_!t/PoF/OucmFyKvF\vcF\QzDnpSO443!4LuTFJSO~|&ogl{ `"-i  '1 7 - 9 Q  \ f x A 123RZ?pJq%u&X )s`G/e@M} z~bB ,47]/s^N o ~Bh j(05I{ ('M{D(/7?A6Zc1g|~jtu"+i<LWMnxy- K U ] ~! ""Q9"["?##>9#I# $$.$c<$3I%r%X%%&G{&''K'L'r'(#(-=(S(B{( ))>) T)l)dq)*~)**Bt*++ e+r+ ,,%,^+,7,-?-T\-l]-^-).zi./h/s/|v/}/1141I1U_1`1b1v1L 2&2.2L2 3Z%313'8393F3G3Xd3m34,K4L4%5~(515F:5 60d677 t7}78 929 K9=f9 :/:CA:y: &;b6;R;<@<b~<5=#!=P=a=jm=_>+>?>N>R>aS>U>\>g>kz>M?S?l?@T@pU@V@[@Mb@o@~A`-A/A6AXAE^AdAB B^KB.MB{gB)CC9CC/CEVsE9FCFmFgyFG*G kG*MHXH`/J1KJK%qK9vK|K LxHL;uL|LM"M\HMVMzMNN4N2OOFBO[COUOPPa#P])P?PGPFLP?sP6Q-tQ R;/RPR "S:7SBOS6tSZT+T01T;TjT5FURUnU. Vk*VMVjlV^tVyxWXl5XbX5YdY%hYZ\ZQkZXM[eM[}[,\-\-\e\o%].W]B^6M^oR^GT^[^e^w^`_: _7_^_f_/`@`K` 'a>?a=Ca]a6b_BbWb-c}Dc,d&d0d21d;dhWdWdfdgdRydue$:eweN{e"fw1f>f[f g}gXgAqzIq ]qE(r.r/rs s%s<5s=sXsesL ty#t1t3tYAtGtXtWut%|tH u,u6fuyuJ"v\v4lv,w:/wH6w=wSxl y/ykKydlysyz^JzQzT{{{){T@{T{{{| '|}4/}%H}Z}}~ ~[&~w~v):otY(X`^s^j=$9:D{[a]`~hl(f0 0;> -/CA9M*YbIZ@l2X" & Cb=+g2{HUTbmlwy;F$BmPb6']5dz_4 G#6|[^bd}qO=3?@N]VV[z~!!c0)37@S8~;*QP;f#&6:Nd<*Q7;nLU[cL*B5Xl 7?@FcsK)^JqG# i tLOcge~ C'3=Mi(! C_gB61B=*)3A'"e{)9<GLz }#&5wA8=w^FnL%e/13;U'}T^oD  Je6*@xP;p}6=]IQk# S4T4l''037=CWYd|4QC *RRfj6XcQ;r$5Swdo 3`fhF1A%jbY/k""1 * m>_Gw9H?ZgzQcg>IDWKI "%*D EXd.J8L ^dn*O S <Vu[aWesfZ.qhe I 1*Wf7OOmk!KV,<?AC6jI{Kk.HbcXmAoW[XUdfh?B$[#rwr ;"Ve!&Z6] a(/v@=\ls.*0oRz 1?Wn.9>7N&6T_{v 'Lb= 7jkyK-M\ednE1dof/056I%Q'B.w6L:irZZwPz 1K{:">]jhcneL|'-WX.HYap>f,h-Y6?m{C9N]p@*y ? d}#T*:7*:ACS_y`Kc8 =>,D_u*/?rF E_q7i"STefAl"ZWwTI%O2]qae?txy,,,,,,,V-W-Z-[----.o.p.r...../8/9///5555556d6e6h6i66667{7|777888-888889 9 9=999999999{:|:::::5;6;i0@Lj:4`@``(@`@UnknownGz Times New Roman5Symbol3& z Arial?5 z Courier New;SimSun[SO5& z!Tahoma;Wingdings"qh*cF*cF*cFE>yHE>yHI4d;; 3QHRf'Binder, a logic-based security languageJohn DeTrevilleJohn DeTreville*                           ! " # $ % & ' ( ) Oh+'0  (4 P \ h t(Binder, a logic-based security languageindJohn DeTrevilleohnNormalTJohn DeTreville2hnMicrosoft Word 10.0@Ik@p@q@qE>yG VT$m /   ."System ra0 L  -@Times New Roman-  2   ' 2   '@Times New Roman-#2  Binder, a logic'  2 | -/2  based security language    2  - 2  @Times New Roman-"2 [ John DeTreville $   2  - 2   2 i 2 u  March 1, 2002)   2   2 G -#2 O Technical Report  ! 2  2 -C MSR,! 2 - -2 - TR! 2 - -2 - 2002 2 -r -2 - 21 2 -  2   2  - 2   2   2 d -&2 8 Microsoft Research-  ! 2  +2 J Microsoft Corporation-    2 J %2 5 One Microsoft Wayt$ -  . 2  &2 1  Redmond, WA 98052!% /#  2 1  - 2  -                           ՜.+,D՜.+,P px  /Microsoft ResearchH; (Binder, a logic-based security language(Binder, a Logic-Based Security Language Abstract1. Security languages 2. Datalog for authorization3. Communicating contexts4. Delegation and trust5. Example of Binder programs5.1 Example from Figure 15.2 Example from Figure 3(6. Proofs, monotonicity, and revocation7. Taxonomy and related work 7.1 X.509 7.2 SDSI and SPKI 7.3 PolicyMaker and KeyNote5 7.4 SD3 and other logic-based security languages 7.5 DRM languages8. Experience with Binder 9. Future workAcknowledgements References$Appendix A. EBNF grammar for Binder Appendix B. Semantics of Binder B.1. Proof Rule 1 B.2 Proof Rule 2&Appendix C. Time complexity of Binder Title Headings4 8@ _PID_HLINKSAQ )http://theory.lcs.mit.edu/~cis/sdsi.htmlRhttp://odrl.net/]9http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txtFMhttp://www.xrml.org/  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&')*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root Entry F2qData 1Table(_$WordDocument<SummaryInformation(DocumentSummaryInformation8CompObjj  FMicrosoft Word Document MSWordDocWord.Document.89qRoot Entry F,{qData 1Table(_$WordDocument<  !age Abstract1. Security languages 2. Datalog for authorization3. Communicating contexts4. Delegation and trust5. Example of Binder programs5.1 Example from Figure 15.2 Example from Figure 3(6. Proofs, monotonicity, and revocation7. Taxonomy and related work 7.1 X.509 7.2 SDSI and SPKI 7.3 PolicyMaker and KeyNote5 7.4 SD3 and other logic-based security languages 7.5 DRM languages8. Experience with Binder 9. Future workAcknowledgements References$Appendix A. EBNF grammar for Binder Appendix B. Semantics of Binder B.1. Proof Rule 1 B.2 Proof Rule 2&Appendix C. Time complexity of Binder Title Headings\@4 _PID_HLINKS_AdHocReviewCycleID_EmailSubject _AuthorEmail_AuthorEmailDisplayNameAQ )http://theory.lcs.mit.edu/~cis/sdsi.htmlRhttp://odrl.net/]9http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txtFMhttp://www.xrml.org/?Technical report numberjohndetr@microsoft.comJohn DeTrevilleSummaryInformation(DocumentSummaryInformation8CompObjj  FMicrosoft Word Document MSWordDocWord.Document.89q՜.+,D՜.+,P px  /Microsoft ResearchH; (Binder, a logic-based security language(Binder, a Logic-Based Security Langu