From 8d48083ddfd04c647100ab0fd6aac0ebb60c5958 Mon Sep 17 00:00:00 2001
From: Katarzyna Streich <katarzyna.streich@r3.com>
Date: Wed, 20 Dec 2017 10:02:03 +0000
Subject: [PATCH 1/6] Fix startErrorFlowSimulation (#222)

---
 .../src/main/kotlin/net/corda/explorer/ExplorerSimulation.kt     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/explorer/src/main/kotlin/net/corda/explorer/ExplorerSimulation.kt b/tools/explorer/src/main/kotlin/net/corda/explorer/ExplorerSimulation.kt
index edc0a0543e..7c8ef402dc 100644
--- a/tools/explorer/src/main/kotlin/net/corda/explorer/ExplorerSimulation.kt
+++ b/tools/explorer/src/main/kotlin/net/corda/explorer/ExplorerSimulation.kt
@@ -185,6 +185,7 @@ class ExplorerSimulation(private val options: OptionSet) {
     private fun startErrorFlowsSimulation() {
         println("Running flows with errors simulation mode ...")
         setUpRPC()
+        notary = aliceNode.rpc.notaryIdentities().first()
         val eventGenerator = ErrorFlowsEventGenerator(
                 parties = parties.map { it.first },
                 notary = notary,

From 246142173d84893fcbd9ff490e63fe4f30e91aa7 Mon Sep 17 00:00:00 2001
From: Shams Asari <shams.asari@r3.com>
Date: Wed, 20 Dec 2017 10:32:42 +0000
Subject: [PATCH 2/6] Shams os merge 191217 (#223)

* CORDA-876 MockNetwork no longer leaks serialization env if init fails (#2272)
* Removed all remaining special treatment of the X500 common name.
* Move unspecifiedCountry to internal. (#2274)
* Merge fixes, which includes fixing the doorman tests and updating the doorman to not set a CN in the CSR responses
---
 .ci/api-current.txt                           |   2 +-
 .../net/corda/core/identity/CordaX500Name.kt  |   8 +-
 .../net/corda/core/internal/InternalUtils.kt  |   8 ++
 .../corda/core/node/services/NotaryService.kt |  14 +-
 .../corda/core/crypto/CompositeKeyTests.kt    |  11 +-
 .../AttachmentSerializationTest.kt            |   2 +-
 docs/source/generating-a-node.rst             |   2 -
 docs/source/hello-world-running.rst           |   2 +-
 .../doorman/DoormanIntegrationTest.kt         |  19 +--
 .../persistence/PersistentNodeInfoStorage.kt  |  75 +++++-----
 .../doorman/signer/LocalSigner.kt             |  11 +-
 .../networkmanage/hsm/utils/X509Utils.kt      |   3 +-
 .../persistence/DBNetworkMapStorageTest.kt    |  68 ++++-----
 .../PersitenceNodeInfoStorageTest.kt          | 129 +++++++-----------
 .../doorman/NodeInfoWebServiceTest.kt         |  46 +++----
 ...ntityGenerator.kt => IdentityGenerator.kt} |  44 +++---
 .../nodeapi/internal/crypto/X509Utilities.kt  |  12 +-
 .../node/services/BFTNotaryServiceTests.kt    |   8 +-
 .../node/services/MySQLNotaryServiceTests.kt  |   8 +-
 .../node/services/RaftNotaryServiceTests.kt   |   7 +-
 .../services/messaging/P2PMessagingTest.kt    |   5 +-
 .../net/corda/node/internal/AbstractNode.kt   |  29 ++--
 .../node/services/config/ConfigUtilities.kt   |   9 +-
 .../identity/InMemoryIdentityService.kt       |   1 +
 .../identity/PersistentIdentityService.kt     |   1 +
 .../BFTNonValidatingNotaryService.kt          |  11 +-
 .../transactions/MySQLNotaryService.kt        |   6 -
 .../RaftNonValidatingNotaryService.kt         |  13 +-
 .../RaftValidatingNotaryService.kt            |  13 +-
 .../transactions/ValidatingNotaryService.kt   |   4 +-
 .../registration/NetworkRegistrationHelper.kt |   5 +-
 .../statemachine/FlowFrameworkTests.kt        |   2 +-
 .../NetworkRegistrationHelperTest.kt          | 111 +++++++--------
 .../net/corda/notarydemo/BFTNotaryCordform.kt |  12 +-
 .../corda/notarydemo/RaftNotaryCordform.kt    |  11 +-
 testing/node-driver/build.gradle              |   2 +-
 .../kotlin/net/corda/testing/node/MockNode.kt |  88 ++++++------
 .../testing/node/internal/DriverDSLImpl.kt    |  42 ++----
 .../corda/testing/node/MockNetworkTests.kt    |  18 +++
 .../kotlin/net/corda/testing/CoreTestUtils.kt |   5 +-
 .../corda/demobench/model/NodeController.kt   |   7 +-
 41 files changed, 401 insertions(+), 473 deletions(-)
 rename node-api/src/main/kotlin/net/corda/nodeapi/internal/{ServiceIdentityGenerator.kt => IdentityGenerator.kt} (53%)
 create mode 100644 testing/node-driver/src/test/kotlin/net/corda/testing/node/MockNetworkTests.kt

diff --git a/.ci/api-current.txt b/.ci/api-current.txt
index 5fd0e2262b..09b766e46d 100644
--- a/.ci/api-current.txt
+++ b/.ci/api-current.txt
@@ -1862,7 +1862,7 @@ public @interface net.corda.core.node.services.CordaService
   @org.jetbrains.annotations.NotNull public static final String ID_PREFIX = "corda.notary."
 ##
 public static final class net.corda.core.node.services.NotaryService$Companion extends java.lang.Object
-  @org.jetbrains.annotations.NotNull public final String constructId(boolean, boolean, boolean, boolean)
+  @kotlin.Deprecated @org.jetbrains.annotations.NotNull public final String constructId(boolean, boolean, boolean, boolean)
 ##
 public abstract class net.corda.core.node.services.PartyInfo extends java.lang.Object
   @org.jetbrains.annotations.NotNull public abstract net.corda.core.identity.Party getParty()
diff --git a/core/src/main/kotlin/net/corda/core/identity/CordaX500Name.kt b/core/src/main/kotlin/net/corda/core/identity/CordaX500Name.kt
index 0b6a3ddeb7..ad315c065e 100644
--- a/core/src/main/kotlin/net/corda/core/identity/CordaX500Name.kt
+++ b/core/src/main/kotlin/net/corda/core/identity/CordaX500Name.kt
@@ -2,7 +2,7 @@ package net.corda.core.identity
 
 import com.google.common.collect.ImmutableSet
 import net.corda.core.internal.LegalNameValidator
-import net.corda.core.internal.VisibleForTesting
+import net.corda.core.internal.unspecifiedCountry
 import net.corda.core.internal.x500Name
 import net.corda.core.serialization.CordaSerializable
 import org.bouncycastle.asn1.ASN1Encodable
@@ -36,7 +36,9 @@ data class CordaX500Name(val commonName: String?,
                          val locality: String,
                          val state: String?,
                          val country: String) {
-    constructor(commonName: String, organisation: String, locality: String, country: String) : this(commonName = commonName, organisationUnit = null, organisation = organisation, locality = locality, state = null, country = country)
+    constructor(commonName: String, organisation: String, locality: String, country: String) :
+            this(commonName = commonName, organisationUnit = null, organisation = organisation, locality = locality, state = null, country = country)
+
     /**
      * @param organisation name of the organisation.
      * @param locality locality of the organisation, typically nearest major city.
@@ -79,8 +81,6 @@ data class CordaX500Name(val commonName: String?,
         const val MAX_LENGTH_ORGANISATION_UNIT = 64
         const val MAX_LENGTH_COMMON_NAME = 64
         private val supportedAttributes = setOf(BCStyle.O, BCStyle.C, BCStyle.L, BCStyle.CN, BCStyle.ST, BCStyle.OU)
-        @VisibleForTesting
-        val unspecifiedCountry = "ZZ"
         private val countryCodes: Set<String> = ImmutableSet.copyOf(Locale.getISOCountries() + unspecifiedCountry)
         @JvmStatic
         fun build(principal: X500Principal): CordaX500Name {
diff --git a/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt b/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
index 36022463ff..42145a2f26 100644
--- a/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
+++ b/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
@@ -5,6 +5,7 @@ package net.corda.core.internal
 import net.corda.core.cordapp.CordappProvider
 import net.corda.core.crypto.SecureHash
 import net.corda.core.crypto.sha256
+import net.corda.core.identity.CordaX500Name
 import net.corda.core.node.ServicesForResolution
 import net.corda.core.serialization.SerializationContext
 import net.corda.core.transactions.TransactionBuilder
@@ -118,6 +119,8 @@ fun Path.isDirectory(vararg options: LinkOption): Boolean = Files.isDirectory(th
 inline val Path.size: Long get() = Files.size(this)
 inline fun <R> Path.list(block: (Stream<Path>) -> R): R = Files.list(this).use(block)
 fun Path.deleteIfExists(): Boolean = Files.deleteIfExists(this)
+fun Path.reader(charset: Charset = UTF_8): BufferedReader = Files.newBufferedReader(this, charset)
+fun Path.writer(charset: Charset = UTF_8, vararg options: OpenOption): BufferedWriter = Files.newBufferedWriter(this, charset, *options)
 fun Path.readAll(): ByteArray = Files.readAllBytes(this)
 inline fun <R> Path.read(vararg options: OpenOption, block: (InputStream) -> R): R = Files.newInputStream(this, *options).use(block)
 inline fun Path.write(createDirs: Boolean = false, vararg options: OpenOption = emptyArray(), block: (OutputStream) -> Unit) {
@@ -316,3 +319,8 @@ fun ExecutorService.join() {
         // Try forever. Do not give up, tests use this method to assert the executor has no more tasks.
     }
 }
+
+@Suppress("unused")
+@VisibleForTesting
+val CordaX500Name.Companion.unspecifiedCountry
+    get() = "ZZ"
diff --git a/core/src/main/kotlin/net/corda/core/node/services/NotaryService.kt b/core/src/main/kotlin/net/corda/core/node/services/NotaryService.kt
index 0c928a7b59..8c6a160618 100644
--- a/core/src/main/kotlin/net/corda/core/node/services/NotaryService.kt
+++ b/core/src/main/kotlin/net/corda/core/node/services/NotaryService.kt
@@ -15,22 +15,16 @@ import java.security.PublicKey
 
 abstract class NotaryService : SingletonSerializeAsToken() {
     companion object {
+        @Deprecated("No longer used")
         const val ID_PREFIX = "corda.notary."
-        @JvmOverloads
-        fun constructId(
-                validating: Boolean,
-                raft: Boolean = false,
-                bft: Boolean = false,
-                custom: Boolean = false,
-                mysql: Boolean = false
-        ): String {
-            require(Booleans.countTrue(raft, bft, custom, mysql) <= 1) { "At most one of raft, bft, mysql or custom may be true" }
+        @Deprecated("No longer used")
+        fun constructId(validating: Boolean, raft: Boolean = false, bft: Boolean = false, custom: Boolean = false): String {
+            require(Booleans.countTrue(raft, bft, custom) <= 1) { "At most one of raft, bft or custom may be true" }
             return StringBuffer(ID_PREFIX).apply {
                 append(if (validating) "validating" else "simple")
                 if (raft) append(".raft")
                 if (bft) append(".bft")
                 if (custom) append(".custom")
-                if (mysql) append(".mysql")
             }.toString()
         }
     }
diff --git a/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt b/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt
index 734505498d..751037b1ee 100644
--- a/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt
+++ b/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt
@@ -9,8 +9,8 @@ import net.corda.core.serialization.serialize
 import net.corda.core.utilities.OpaqueBytes
 import net.corda.core.utilities.toBase58String
 import net.corda.nodeapi.internal.crypto.*
-import net.corda.testing.internal.kryoSpecific
 import net.corda.testing.SerializationEnvironmentRule
+import net.corda.testing.internal.kryoSpecific
 import org.junit.Rule
 import org.junit.Test
 import org.junit.rules.TemporaryFolder
@@ -24,6 +24,7 @@ class CompositeKeyTests {
     @Rule
     @JvmField
     val testSerialization = SerializationEnvironmentRule()
+
     @Rule
     @JvmField
     val tempFolder: TemporaryFolder = TemporaryFolder()
@@ -40,9 +41,9 @@ class CompositeKeyTests {
     private val secureHash = message.sha256()
 
     // By lazy is required so that the serialisers are configured before vals initialisation takes place (they internally invoke serialise).
-    val aliceSignature by lazy { aliceKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(alicePublicKey).schemeNumberID))) }
-    val bobSignature by lazy { bobKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(bobPublicKey).schemeNumberID))) }
-    val charlieSignature by lazy { charlieKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(charliePublicKey).schemeNumberID))) }
+    private val aliceSignature by lazy { aliceKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(alicePublicKey).schemeNumberID))) }
+    private val bobSignature by lazy { bobKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(bobPublicKey).schemeNumberID))) }
+    private val charlieSignature by lazy { charlieKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(charliePublicKey).schemeNumberID))) }
 
     @Test
     fun `(Alice) fulfilled by Alice signature`() {
@@ -337,7 +338,7 @@ class CompositeKeyTests {
         val ca = X509Utilities.createSelfSignedCACertificate(caName, caKeyPair)
 
         // Sign the composite key with the self sign CA.
-        val compositeKeyCert = X509Utilities.createCertificate(CertificateType.LEGAL_IDENTITY, ca, caKeyPair, caName.copy(commonName = "CompositeKey"), compositeKey)
+        val compositeKeyCert = X509Utilities.createCertificate(CertificateType.LEGAL_IDENTITY, ca, caKeyPair, caName, compositeKey)
 
         // Store certificate to keystore.
         val keystorePath = tempFolder.root.toPath() / "keystore.jks"
diff --git a/core/src/test/kotlin/net/corda/core/serialization/AttachmentSerializationTest.kt b/core/src/test/kotlin/net/corda/core/serialization/AttachmentSerializationTest.kt
index 940d959860..d72d7068d4 100644
--- a/core/src/test/kotlin/net/corda/core/serialization/AttachmentSerializationTest.kt
+++ b/core/src/test/kotlin/net/corda/core/serialization/AttachmentSerializationTest.kt
@@ -159,7 +159,7 @@ class AttachmentSerializationTest {
 
     private fun rebootClientAndGetAttachmentContent(checkAttachmentsOnLoad: Boolean = true): String {
         client.dispose()
-        client = mockNet.createNode(MockNodeParameters(client.internals.id), { args ->
+        client = mockNet.createNode(MockNodeParameters(client.internals.id, client.internals.configuration.myLegalName), { args ->
             object : MockNetwork.MockNode(args) {
                 override fun start() = super.start().apply { attachments.checkAttachmentsOnLoad = checkAttachmentsOnLoad }
             }
diff --git a/docs/source/generating-a-node.rst b/docs/source/generating-a-node.rst
index 4a721e304d..eee15b3d5d 100644
--- a/docs/source/generating-a-node.rst
+++ b/docs/source/generating-a-node.rst
@@ -92,7 +92,6 @@ nodes. Here is an example ``Cordform`` task called ``deployNodes`` that creates
         }
         node {
             name "O=PartyA,L=London,C=GB"
-            advertisedServices = []
             p2pPort  10005
             rpcPort  10006
             webPort  10007
@@ -103,7 +102,6 @@ nodes. Here is an example ``Cordform`` task called ``deployNodes`` that creates
         }
         node {
             name "O=PartyB,L=New York,C=US"
-            advertisedServices = []
             p2pPort  10009
             rpcPort  10010
             webPort  10011
diff --git a/docs/source/hello-world-running.rst b/docs/source/hello-world-running.rst
index 592cfee44c..4ac394d26c 100644
--- a/docs/source/hello-world-running.rst
+++ b/docs/source/hello-world-running.rst
@@ -22,7 +22,7 @@ service.
         directory "./build/nodes"
         node {
             name "O=Controller,L=London,C=GB"
-            advertisedServices = ["corda.notary.validating"]
+            notary = [validating : true]
             p2pPort 10002
             rpcPort 10003
             cordapps = ["net.corda:corda-finance:$corda_release_version"]
diff --git a/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/doorman/DoormanIntegrationTest.kt b/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/doorman/DoormanIntegrationTest.kt
index fe919f6114..5993cef210 100644
--- a/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/doorman/DoormanIntegrationTest.kt
+++ b/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/doorman/DoormanIntegrationTest.kt
@@ -3,7 +3,6 @@ package com.r3.corda.networkmanage.doorman
 import com.nhaarman.mockito_kotlin.doReturn
 import com.nhaarman.mockito_kotlin.whenever
 import com.r3.corda.networkmanage.common.persistence.configureDatabase
-import com.r3.corda.networkmanage.common.utils.buildCertPath
 import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import com.r3.corda.networkmanage.doorman.signer.LocalSigner
 import net.corda.core.crypto.Crypto
@@ -30,7 +29,6 @@ import net.corda.testing.SerializationEnvironmentRule
 import net.corda.testing.common.internal.testNetworkParameters
 import net.corda.testing.internal.rigorousMock
 import org.bouncycastle.cert.X509CertificateHolder
-import org.junit.Ignore
 import org.junit.Rule
 import org.junit.Test
 import org.junit.rules.TemporaryFolder
@@ -78,7 +76,7 @@ class DoormanIntegrationTest {
 
         loadKeyStore(config.nodeKeystore, config.keyStorePassword).apply {
             assert(containsAlias(X509Utilities.CORDA_CLIENT_CA))
-            assertEquals(ALICE_NAME.copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN).x500Principal, getX509Certificate(X509Utilities.CORDA_CLIENT_CA).subjectX500Principal)
+            assertEquals(ALICE_NAME.x500Principal, getX509Certificate(X509Utilities.CORDA_CLIENT_CA).subjectX500Principal)
             assertEquals(listOf(intermediateCACert.cert, rootCACert.cert), getCertificateChain(X509Utilities.CORDA_CLIENT_CA).drop(1).toList())
         }
 
@@ -120,13 +118,18 @@ class DoormanIntegrationTest {
 
         // Publish NodeInfo
         val networkMapClient = NetworkMapClient(config.compatibilityZoneURL!!, rootCertAndKey.certificate.cert)
-        val certs = loadKeyStore(config.nodeKeystore, config.keyStorePassword).getCertificateChain(X509Utilities.CORDA_CLIENT_CA)
-        val keyPair = loadKeyStore(config.nodeKeystore, config.keyStorePassword).getKeyPair(X509Utilities.CORDA_CLIENT_CA, config.keyStorePassword)
-        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(buildCertPath(*certs))), 1, serial = 1L)
+
+        val keyStore = loadKeyStore(config.nodeKeystore, config.keyStorePassword)
+        val clientCertPath = keyStore.getCertificateChain(X509Utilities.CORDA_CLIENT_CA)
+        val clientCA = keyStore.getCertificateAndKeyPair(X509Utilities.CORDA_CLIENT_CA, config.keyStorePassword)
+        val identityKeyPair = Crypto.generateKeyPair()
+        val identityCert = X509Utilities.createCertificate(CertificateType.LEGAL_IDENTITY, clientCA.certificate, clientCA.keyPair, ALICE_NAME, identityKeyPair.public)
+        val certPath = X509CertificateFactory().generateCertPath(identityCert.cert, *clientCertPath)
+        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
         val nodeInfoBytes = nodeInfo.serialize()
 
         // When
-        val signedNodeInfo = SignedNodeInfo(nodeInfoBytes, listOf(keyPair.sign(nodeInfoBytes)))
+        val signedNodeInfo = SignedNodeInfo(nodeInfoBytes, listOf(identityKeyPair.private.sign(nodeInfoBytes.bytes)))
         networkMapClient.publish(signedNodeInfo)
 
         // Then
@@ -137,7 +140,7 @@ class DoormanIntegrationTest {
         doorman.close()
     }
 
-    fun createConfig(): NodeConfiguration {
+    private fun createConfig(): NodeConfiguration {
         return rigorousMock<NodeConfiguration>().also {
             doReturn(tempFolder.root.toPath()).whenever(it).baseDirectory
             doReturn(ALICE_NAME).whenever(it).myLegalName
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt
index 7f1d331877..1d4af91246 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt
@@ -1,65 +1,60 @@
 package com.r3.corda.networkmanage.common.persistence
 
-import com.r3.corda.networkmanage.common.persistence.entity.*
+import com.r3.corda.networkmanage.common.persistence.entity.CertificateDataEntity
+import com.r3.corda.networkmanage.common.persistence.entity.CertificateSigningRequestEntity
+import com.r3.corda.networkmanage.common.persistence.entity.NodeInfoEntity
 import com.r3.corda.networkmanage.common.utils.buildCertPath
 import net.corda.core.crypto.SecureHash
 import net.corda.core.crypto.sha256
-import net.corda.core.identity.CordaX500Name
-import net.corda.core.serialization.SerializedBytes
+import net.corda.core.internal.CertRole
 import net.corda.core.serialization.serialize
 import net.corda.nodeapi.internal.SignedNodeInfo
 import net.corda.nodeapi.internal.persistence.CordaPersistence
 import net.corda.nodeapi.internal.persistence.TransactionIsolationLevel
 import java.security.cert.CertPath
-import java.security.cert.X509Certificate
 
 /**
  * Database implementation of the [NetworkMapStorage] interface
  */
 class PersistentNodeInfoStorage(private val database: CordaPersistence) : NodeInfoStorage {
-    override fun putNodeInfo(signedNodeInfo: SignedNodeInfo): SecureHash = database.transaction(TransactionIsolationLevel.SERIALIZABLE) {
-        val nodeInfo = signedNodeInfo.verified()
-        val orgName = nodeInfo.legalIdentities.first().name.organisation
-        // TODO: use cert extension to identify NodeCA cert when Ross's work is in.
-        val nodeCACert = nodeInfo.legalIdentitiesAndCerts.first().certPath.certificates.map { it as X509Certificate }
-                .find { CordaX500Name.build(it.issuerX500Principal).organisation != orgName && CordaX500Name.build(it.subjectX500Principal).organisation == orgName }
+    override fun putNodeInfo(signedNodeInfo: SignedNodeInfo): SecureHash {
+        return database.transaction(TransactionIsolationLevel.SERIALIZABLE) {
+            val nodeInfo = signedNodeInfo.verified()
+            val nodeCaCert = nodeInfo.legalIdentitiesAndCerts[0].certPath.certificates.find { CertRole.extract(it) == CertRole.NODE_CA }
 
-        val request = nodeCACert?.let {
-            singleRequestWhere(CertificateDataEntity::class.java) { builder, path ->
-                val certPublicKeyHashEq = builder.equal(path.get<String>(CertificateDataEntity::publicKeyHash.name), it.publicKey.encoded.sha256().toString())
-                val certStatusValid = builder.equal(path.get<CertificateStatus>(CertificateDataEntity::certificateStatus.name), CertificateStatus.VALID)
-                builder.and(certPublicKeyHashEq, certStatusValid)
+            val request = nodeCaCert?.let {
+                singleRequestWhere(CertificateDataEntity::class.java) { builder, path ->
+                    val certPublicKeyHashEq = builder.equal(path.get<String>(CertificateDataEntity::publicKeyHash.name), it.publicKey.encoded.sha256().toString())
+                    val certStatusValid = builder.equal(path.get<CertificateStatus>(CertificateDataEntity::certificateStatus.name), CertificateStatus.VALID)
+                    builder.and(certPublicKeyHashEq, certStatusValid)
+                }
             }
-        }
-        request ?: throw IllegalArgumentException("Unknown node info, this public key is not registered with the network management service.")
-        /*
-         * Delete any previous [NodeInfoEntity] instance for this CSR
-         * Possibly it should be moved at the network signing process at the network signing process
-         * as for a while the network map will have invalid entries (i.e. hashes for node info which have been
-         * removed). Either way, there will be a period of time when the network map data will be invalid
-         * but it has been confirmed that this fact has been acknowledged at the design time and we are fine with it.
-         */
-        deleteRequest(NodeInfoEntity::class.java) { builder, path ->
-            builder.equal(path.get<CertificateSigningRequestEntity>(NodeInfoEntity::certificateSigningRequest.name), request.certificateSigningRequest)
-        }
-        val hash = signedNodeInfo.raw.hash
+            request ?: throw IllegalArgumentException("Unknown node info, this public key is not registered with the network management service.")
 
-        val hashedNodeInfo = NodeInfoEntity(
-                nodeInfoHash = hash.toString(),
-                certificateSigningRequest = request.certificateSigningRequest,
-                signedNodeInfoBytes = signedNodeInfo.serialize().bytes)
-        session.save(hashedNodeInfo)
-        hash
+            /*
+             * Delete any previous [NodeInfoEntity] instance for this CSR
+             * Possibly it should be moved at the network signing process at the network signing process
+             * as for a while the network map will have invalid entries (i.e. hashes for node info which have been
+             * removed). Either way, there will be a period of time when the network map data will be invalid
+             * but it has been confirmed that this fact has been acknowledged at the design time and we are fine with it.
+             */
+            deleteRequest(NodeInfoEntity::class.java) { builder, path ->
+                builder.equal(path.get<CertificateSigningRequestEntity>(NodeInfoEntity::certificateSigningRequest.name), request.certificateSigningRequest)
+            }
+            val hash = signedNodeInfo.raw.hash
+
+            val hashedNodeInfo = NodeInfoEntity(
+                    nodeInfoHash = hash.toString(),
+                    certificateSigningRequest = request.certificateSigningRequest,
+                    signedNodeInfoBytes = signedNodeInfo.serialize().bytes)
+            session.save(hashedNodeInfo)
+            hash
+        }
     }
 
     override fun getNodeInfo(nodeInfoHash: SecureHash): SignedNodeInfo? {
         return database.transaction {
-            val nodeInfoEntity = session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())
-            if (nodeInfoEntity == null) {
-                null
-            } else {
-                nodeInfoEntity.signedNodeInfo()
-            }
+            session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.signedNodeInfo()
         }
     }
 
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/signer/LocalSigner.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/signer/LocalSigner.kt
index cb6e253536..50a7b7f971 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/signer/LocalSigner.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/signer/LocalSigner.kt
@@ -2,10 +2,10 @@ package com.r3.corda.networkmanage.doorman.signer
 
 import com.r3.corda.networkmanage.common.signer.Signer
 import com.r3.corda.networkmanage.common.utils.buildCertPath
-import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import com.r3.corda.networkmanage.common.utils.withCert
 import net.corda.core.crypto.sign
 import net.corda.core.identity.CordaX500Name
+import net.corda.core.internal.cert
 import net.corda.core.internal.toX509CertHolder
 import net.corda.nodeapi.internal.crypto.CertificateType
 import net.corda.nodeapi.internal.crypto.X509Utilities
@@ -33,13 +33,14 @@ class LocalSigner(private val caKeyPair: KeyPair, private val caCertPath: Array<
         val nameConstraints = NameConstraints(
                 arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, request.subject))),
                 arrayOf())
-        val clientCertificate = X509Utilities.createCertificate(CertificateType.NODE_CA,
+        val nodeCaCert = X509Utilities.createCertificate(
+                CertificateType.NODE_CA,
                 caCertPath.first().toX509CertHolder(),
                 caKeyPair,
-                CordaX500Name.parse(request.subject.toString()).copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN),
+                CordaX500Name.parse(request.subject.toString()),
                 request.publicKey,
-                nameConstraints = nameConstraints).toX509Certificate()
-        return buildCertPath(clientCertificate, *caCertPath)
+                nameConstraints = nameConstraints)
+        return buildCertPath(nodeCaCert.cert, *caCertPath)
     }
 
     override fun sign(data: ByteArray): DigitalSignatureWithCert {
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/X509Utils.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/X509Utils.kt
index 671841746d..22e94ec1b5 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/X509Utils.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/X509Utils.kt
@@ -7,7 +7,6 @@ import net.corda.core.internal.toX509CertHolder
 import net.corda.core.internal.x500Name
 import net.corda.nodeapi.internal.crypto.CertificateAndKeyPair
 import net.corda.nodeapi.internal.crypto.CertificateType
-import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.crypto.getX509Certificate
 import org.bouncycastle.asn1.ASN1EncodableVector
 import org.bouncycastle.asn1.ASN1Sequence
@@ -184,7 +183,7 @@ object X509Utilities {
         val certificateType = CertificateType.NODE_CA
         val validityWindow = getCertificateValidityWindow(0, validDays, issuerCertificate.notBefore, issuerCertificate.notAfter)
         val serial = BigInteger.valueOf(random63BitValue(provider))
-        val subject = CordaX500Name.parse(jcaRequest.subject.toString()).copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN).x500Name
+        val subject = CordaX500Name.parse(jcaRequest.subject.toString()).x500Name
         val subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(jcaRequest.publicKey.encoded))
         val keyPurposes = DERSequence(ASN1EncodableVector().apply { certificateType.purposes.forEach { add(it) } })
         val builder = JcaX509v3CertificateBuilder(issuerCertificate.subject, serial, validityWindow.first, validityWindow.second, subject, jcaRequest.publicKey)
diff --git a/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/DBNetworkMapStorageTest.kt b/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/DBNetworkMapStorageTest.kt
index 062d4c5c5a..b7d332a5fe 100644
--- a/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/DBNetworkMapStorageTest.kt
+++ b/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/DBNetworkMapStorageTest.kt
@@ -1,24 +1,21 @@
 package com.r3.corda.networkmanage.common.persistence
 
 import com.r3.corda.networkmanage.TestBase
-import com.r3.corda.networkmanage.common.utils.buildCertPath
-import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import com.r3.corda.networkmanage.common.utils.withCert
 import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.sign
 import net.corda.core.identity.CordaX500Name
-import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.internal.cert
-import net.corda.core.node.NodeInfo
 import net.corda.core.serialization.serialize
-import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.nodeapi.internal.SignedNodeInfo
 import net.corda.nodeapi.internal.crypto.CertificateType
+import net.corda.nodeapi.internal.crypto.X509CertificateFactory
 import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.network.NetworkMap
 import net.corda.nodeapi.internal.network.SignedNetworkMap
 import net.corda.nodeapi.internal.persistence.CordaPersistence
 import net.corda.testing.common.internal.testNetworkParameters
+import net.corda.testing.internal.TestNodeInfoBuilder
 import net.corda.testing.node.MockServices.Companion.makeTestDataSourceProperties
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.After
@@ -31,6 +28,7 @@ class DBNetworkMapStorageTest : TestBase() {
     private lateinit var requestStorage: CertificationRequestStorage
     private lateinit var nodeInfoStorage: NodeInfoStorage
     private lateinit var persistence: CordaPersistence
+
     private val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
     private val rootCACert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(commonName = "Corda Node Root CA", locality = "London", organisation = "R3 LTD", country = "GB"), rootCAKey)
     private val intermediateCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
@@ -53,18 +51,8 @@ class DBNetworkMapStorageTest : TestBase() {
     fun `signNetworkMap creates current network map`() {
         // given
         // Create node info.
-        val organisation = "Test"
-        val requestId = requestStorage.saveRequest(createRequest(organisation).first)
-        requestStorage.markRequestTicketCreated(requestId)
-        requestStorage.approveRequest(requestId, "TestUser")
-        val keyPair = Crypto.generateKeyPair()
-        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisation, locality = "London", country = "GB"), keyPair.public)
-        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        requestStorage.putCertificatePath(requestId, certPath, emptyList())
-        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
-        // Put signed node info data
-        val nodeInfoBytes = nodeInfo.serialize()
-        val nodeInfoHash = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBytes, listOf(keyPair.sign(nodeInfoBytes))))
+        val signedNodeInfo = createValidSignedNodeInfo("Test")
+        val nodeInfoHash = nodeInfoStorage.putNodeInfo(signedNodeInfo)
 
         // Create network parameters
         val networkParametersHash = networkMapStorage.saveNetworkParameters(testNetworkParameters(emptyList()))
@@ -103,13 +91,11 @@ class DBNetworkMapStorageTest : TestBase() {
         // Create network parameters
         val networkMapParametersHash = networkMapStorage.saveNetworkParameters(createNetworkParameters(1))
         // Create empty network map
-        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val intermediateCert = X509Utilities.createCertificate(CertificateType.INTERMEDIATE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = "Corda", locality = "London", country = "GB"), keyPair.public)
 
         // Sign network map making it current network map
         val networkMap = NetworkMap(emptyList(), networkMapParametersHash)
         val serializedNetworkMap = networkMap.serialize()
-        val signatureData = keyPair.sign(serializedNetworkMap).withCert(intermediateCert.cert)
+        val signatureData = intermediateCAKey.sign(serializedNetworkMap).withCert(intermediateCACert.cert)
         val signedNetworkMap = SignedNetworkMap(serializedNetworkMap, signatureData)
         networkMapStorage.saveNetworkMap(signedNetworkMap)
 
@@ -126,36 +112,19 @@ class DBNetworkMapStorageTest : TestBase() {
     @Test
     fun `getValidNodeInfoHashes returns only valid and signed node info hashes`() {
         // given
-        // Create node info.
-        val organisationA = "TestA"
-        val requestIdA = requestStorage.saveRequest(createRequest(organisationA).first)
-        requestStorage.markRequestTicketCreated(requestIdA)
-        requestStorage.approveRequest(requestIdA, "TestUser")
-        val keyPairA = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val clientCertA = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisationA, locality = "London", country = "GB"), keyPairA.public)
-        val certPathA = buildCertPath(clientCertA.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        requestStorage.putCertificatePath(requestIdA, certPathA, emptyList())
-        val organisationB = "TestB"
-        val requestIdB = requestStorage.saveRequest(createRequest(organisationB).first)
-        requestStorage.markRequestTicketCreated(requestIdB)
-        requestStorage.approveRequest(requestIdB, "TestUser")
-        val keyPairB = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val clientCertB = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisationB, locality = "London", country = "GB"), keyPairB.public)
-        val certPathB = buildCertPath(clientCertB.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        requestStorage.putCertificatePath(requestIdB, certPathB, emptyList())
-        val nodeInfoA = NodeInfo(listOf(NetworkHostAndPort("my.companyA.com", 1234)), listOf(PartyAndCertificate(certPathA)), 1, serial = 1L)
-        val nodeInfoB = NodeInfo(listOf(NetworkHostAndPort("my.companyB.com", 1234)), listOf(PartyAndCertificate(certPathB)), 1, serial = 1L)
+        // Create node infos.
+        val signedNodeInfoA = createValidSignedNodeInfo("TestA")
+        val signedNodeInfoB = createValidSignedNodeInfo("TestB")
+
         // Put signed node info data
-        val nodeInfoABytes = nodeInfoA.serialize()
-        val nodeInfoBBytes = nodeInfoB.serialize()
-        val nodeInfoHashA = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoABytes, listOf(keyPairA.sign(nodeInfoABytes))))
-        val nodeInfoHashB = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBBytes, listOf(keyPairB.sign(nodeInfoBBytes))))
+        val nodeInfoHashA = nodeInfoStorage.putNodeInfo(signedNodeInfoA)
+        val nodeInfoHashB = nodeInfoStorage.putNodeInfo(signedNodeInfoB)
 
         // Create network parameters
         val networkParametersHash = networkMapStorage.saveNetworkParameters(createNetworkParameters())
         val networkMap = NetworkMap(listOf(nodeInfoHashA), networkParametersHash)
         val serializedNetworkMap = networkMap.serialize()
-        val signatureData = keyPairA.sign(serializedNetworkMap).withCert(clientCertA.cert)
+        val signatureData = intermediateCAKey.sign(serializedNetworkMap).withCert(intermediateCACert.cert)
         val signedNetworkMap = SignedNetworkMap(serializedNetworkMap, signatureData)
 
         // Sign network map
@@ -167,4 +136,15 @@ class DBNetworkMapStorageTest : TestBase() {
         // then
         assertThat(validNodeInfoHash).containsOnly(nodeInfoHashA, nodeInfoHashB)
     }
+
+    private fun createValidSignedNodeInfo(organisation: String): SignedNodeInfo {
+        val nodeInfoBuilder = TestNodeInfoBuilder()
+        val requestId = requestStorage.saveRequest(createRequest(organisation).first)
+        requestStorage.markRequestTicketCreated(requestId)
+        requestStorage.approveRequest(requestId, "TestUser")
+        val (identity) = nodeInfoBuilder.addIdentity(CordaX500Name(organisation, "London", "GB"))
+        val nodeCaCertPath = X509CertificateFactory().generateCertPath(identity.certPath.certificates.drop(1))
+        requestStorage.putCertificatePath(requestId, nodeCaCertPath, emptyList())
+        return nodeInfoBuilder.buildWithSigned().second
+    }
 }
\ No newline at end of file
diff --git a/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/PersitenceNodeInfoStorageTest.kt b/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/PersitenceNodeInfoStorageTest.kt
index 1014cde074..e5b2e37699 100644
--- a/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/PersitenceNodeInfoStorageTest.kt
+++ b/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/PersitenceNodeInfoStorageTest.kt
@@ -3,31 +3,34 @@ package com.r3.corda.networkmanage.common.persistence
 import com.r3.corda.networkmanage.TestBase
 import com.r3.corda.networkmanage.common.utils.buildCertPath
 import com.r3.corda.networkmanage.common.utils.hashString
-import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.SecureHash
-import net.corda.core.crypto.sign
 import net.corda.core.identity.CordaX500Name
-import net.corda.core.identity.PartyAndCertificate
+import net.corda.core.internal.cert
 import net.corda.core.node.NodeInfo
 import net.corda.core.serialization.serialize
-import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.nodeapi.internal.SignedNodeInfo
 import net.corda.nodeapi.internal.crypto.CertificateType
+import net.corda.nodeapi.internal.crypto.X509CertificateFactory
 import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.persistence.CordaPersistence
+import net.corda.testing.internal.TestNodeInfoBuilder
+import net.corda.testing.internal.signWith
 import net.corda.testing.node.MockServices
+import org.assertj.core.api.Assertions.assertThat
 import org.junit.After
 import org.junit.Before
 import org.junit.Test
+import java.security.PrivateKey
 import kotlin.test.assertEquals
 import kotlin.test.assertNotNull
 import kotlin.test.assertNull
 
 class PersitenceNodeInfoStorageTest : TestBase() {
     private lateinit var requestStorage: CertificationRequestStorage
-    private lateinit var nodeInfoStorage: NodeInfoStorage
+    private lateinit var nodeInfoStorage: PersistentNodeInfoStorage
     private lateinit var persistence: CordaPersistence
+
     private val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
     private val rootCACert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(commonName = "Corda Node Root CA", locality = "London", organisation = "R3 LTD", country = "GB"), rootCAKey)
     private val intermediateCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
@@ -46,14 +49,13 @@ class PersitenceNodeInfoStorageTest : TestBase() {
     }
 
     @Test
-    fun `test get CertificatePath`() {
+    fun `test getCertificatePath`() {
         // Create node info.
         val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = "Test", locality = "London", country = "GB"), keyPair.public)
-        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
+        val name = CordaX500Name(organisation = "Test", locality = "London", country = "GB")
+        val nodeCaCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, name, keyPair.public)
 
-        val request = X509Utilities.createCertificateSigningRequest(nodeInfo.legalIdentities.first().name, "my@mail.com", keyPair)
+        val request = X509Utilities.createCertificateSigningRequest(name, "my@mail.com", keyPair)
 
         val requestId = requestStorage.saveRequest(request)
         requestStorage.markRequestTicketCreated(requestId)
@@ -61,104 +63,73 @@ class PersitenceNodeInfoStorageTest : TestBase() {
 
         assertNull(nodeInfoStorage.getCertificatePath(SecureHash.parse(keyPair.public.hashString())))
 
-        requestStorage.putCertificatePath(requestId, buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate()), listOf(CertificationRequestStorage.DOORMAN_SIGNATURE))
+        requestStorage.putCertificatePath(requestId, buildCertPath(nodeCaCert.cert, intermediateCACert.cert, rootCACert.cert), listOf(CertificationRequestStorage.DOORMAN_SIGNATURE))
 
         val storedCertPath = nodeInfoStorage.getCertificatePath(SecureHash.parse(keyPair.public.hashString()))
         assertNotNull(storedCertPath)
 
-        assertEquals(clientCert.toX509Certificate(), storedCertPath!!.certificates.first())
+        assertEquals(nodeCaCert.cert, storedCertPath!!.certificates.first())
     }
 
     @Test
-    fun `test getNodeInfoHash returns correct data`() {
+    fun `getNodeInfo returns persisted SignedNodeInfo using the hash of just the NodeInfo`() {
         // given
-        val organisationA = "TestA"
-        val requestIdA = requestStorage.saveRequest(createRequest(organisationA).first)
-        requestStorage.markRequestTicketCreated(requestIdA)
-        requestStorage.approveRequest(requestIdA, "TestUser")
-        val keyPairA = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val clientCertA = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisationA, locality = "London", country = "GB"), keyPairA.public)
-        val certPathA = buildCertPath(clientCertA.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        requestStorage.putCertificatePath(requestIdA, certPathA, emptyList())
-        val organisationB = "TestB"
-        val requestIdB = requestStorage.saveRequest(createRequest(organisationB).first)
-        requestStorage.markRequestTicketCreated(requestIdB)
-        requestStorage.approveRequest(requestIdB, "TestUser")
-        val keyPairB = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val clientCertB = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisationB, locality = "London", country = "GB"), keyPairB.public)
-        val certPathB = buildCertPath(clientCertB.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        requestStorage.putCertificatePath(requestIdB, certPathB, emptyList())
-        val nodeInfoA = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPathA)), 1, serial = 1L)
-        val nodeInfoB = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPathB)), 1, serial = 1L)
+        val (nodeInfoA, signedNodeInfoA) = createValidSignedNodeInfo("TestA")
+        val (nodeInfoB, signedNodeInfoB) = createValidSignedNodeInfo("TestB")
 
         // Put signed node info data
-        val nodeInfoABytes = nodeInfoA.serialize()
-        val nodeInfoBBytes = nodeInfoB.serialize()
-        nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoABytes, listOf(keyPairA.sign(nodeInfoABytes))))
-        nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBBytes, listOf(keyPairB.sign(nodeInfoBBytes))))
+        nodeInfoStorage.putNodeInfo(signedNodeInfoA)
+        nodeInfoStorage.putNodeInfo(signedNodeInfoB)
 
         // when
-        val persistedNodeInfoA = nodeInfoStorage.getNodeInfo(nodeInfoABytes.hash)
-        val persistedNodeInfoB = nodeInfoStorage.getNodeInfo(nodeInfoBBytes.hash)
+        val persistedSignedNodeInfoA = nodeInfoStorage.getNodeInfo(nodeInfoA.serialize().hash)
+        val persistedSignedNodeInfoB = nodeInfoStorage.getNodeInfo(nodeInfoB.serialize().hash)
 
         // then
-        assertNotNull(persistedNodeInfoA)
-        assertNotNull(persistedNodeInfoB)
-        assertEquals(persistedNodeInfoA!!.verified(), nodeInfoA)
-        assertEquals(persistedNodeInfoB!!.verified(), nodeInfoB)
+        assertEquals(persistedSignedNodeInfoA?.verified(), nodeInfoA)
+        assertEquals(persistedSignedNodeInfoB?.verified(), nodeInfoB)
     }
 
     @Test
-    fun `same pub key with different node info`() {
+    fun `same public key with different node info`() {
         // Create node info.
-        val organisation = "Test"
-        val requestId = requestStorage.saveRequest(createRequest(organisation).first)
-        requestStorage.markRequestTicketCreated(requestId)
-        requestStorage.approveRequest(requestId, "TestUser")
-        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisation, locality = "London", country = "GB"), keyPair.public)
-        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        requestStorage.putCertificatePath(requestId, certPath, emptyList())
+        val (nodeInfo1, signedNodeInfo1, key) = createValidSignedNodeInfo("Test", serial = 1)
+        val nodeInfo2 = nodeInfo1.copy(serial = 2)
+        val signedNodeInfo2 = nodeInfo2.signWith(listOf(key))
 
-        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
-        val nodeInfoSamePubKey = NodeInfo(listOf(NetworkHostAndPort("my.company2.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
-        val nodeInfoBytes = nodeInfo.serialize()
-        val nodeInfoHash = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBytes, listOf(keyPair.sign(nodeInfoBytes))))
-        assertEquals(nodeInfo, nodeInfoStorage.getNodeInfo(nodeInfoHash)?.verified())
+        val nodeInfo1Hash = nodeInfoStorage.putNodeInfo(signedNodeInfo1)
+        assertEquals(nodeInfo1, nodeInfoStorage.getNodeInfo(nodeInfo1Hash)?.verified())
 
-        val nodeInfoSamePubKeyBytes = nodeInfoSamePubKey.serialize()
         // This should replace the node info.
-        nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoSamePubKeyBytes, listOf(keyPair.sign(nodeInfoSamePubKeyBytes))))
+        nodeInfoStorage.putNodeInfo(signedNodeInfo2)
 
         // Old node info should be removed.
-        assertNull(nodeInfoStorage.getNodeInfo(nodeInfoHash))
-        assertEquals(nodeInfoSamePubKey, nodeInfoStorage.getNodeInfo(nodeInfoSamePubKeyBytes.hash)?.verified())
+        assertNull(nodeInfoStorage.getNodeInfo(nodeInfo1Hash))
+        assertEquals(nodeInfo2, nodeInfoStorage.getNodeInfo(nodeInfo2.serialize().hash)?.verified())
     }
 
     @Test
-    fun `putNodeInfo persists node info data with its signature`() {
+    fun `putNodeInfo persists SignedNodeInfo with its signature`() {
         // given
-        // Create node info.
-        val organisation = "Test"
+        val (_, signedNodeInfo) = createValidSignedNodeInfo("Test")
+
+        // when
+        val nodeInfoHash = nodeInfoStorage.putNodeInfo(signedNodeInfo)
+
+        // then
+        val persistedSignedNodeInfo = nodeInfoStorage.getNodeInfo(nodeInfoHash)
+        assertThat(persistedSignedNodeInfo?.signatures).isEqualTo(signedNodeInfo.signatures)
+    }
+
+    private fun createValidSignedNodeInfo(organisation: String, serial: Long = 1): Triple<NodeInfo, SignedNodeInfo, PrivateKey> {
+        val nodeInfoBuilder = TestNodeInfoBuilder()
         val requestId = requestStorage.saveRequest(createRequest(organisation).first)
         requestStorage.markRequestTicketCreated(requestId)
         requestStorage.approveRequest(requestId, "TestUser")
-        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisation, locality = "London", country = "GB"), keyPair.public)
-        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        requestStorage.putCertificatePath(requestId, certPath, emptyList())
-
-        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
-        val nodeInfoBytes = nodeInfo.serialize()
-        val signature = keyPair.sign(nodeInfoBytes)
-
-        // when
-        val nodeInfoHash = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBytes, listOf(signature)))
-
-        // then
-        val persistedNodeInfo = nodeInfoStorage.getNodeInfo(nodeInfoHash)
-        assertNotNull(persistedNodeInfo)
-        assertEquals(nodeInfo, persistedNodeInfo!!.verified())
-        assertEquals(signature, persistedNodeInfo.signatures.firstOrNull())
+        val (identity, key) = nodeInfoBuilder.addIdentity(CordaX500Name(organisation, "London", "GB"))
+        val nodeCaCertPath = X509CertificateFactory().generateCertPath(identity.certPath.certificates.drop(1))
+        requestStorage.putCertificatePath(requestId, nodeCaCertPath, emptyList())
+        val (nodeInfo, signedNodeInfo) = nodeInfoBuilder.buildWithSigned(serial)
+        return Triple(nodeInfo, signedNodeInfo, key)
     }
 }
\ No newline at end of file
diff --git a/network-management/src/test/kotlin/com/r3/corda/networkmanage/doorman/NodeInfoWebServiceTest.kt b/network-management/src/test/kotlin/com/r3/corda/networkmanage/doorman/NodeInfoWebServiceTest.kt
index 096a05534f..26452d45a9 100644
--- a/network-management/src/test/kotlin/com/r3/corda/networkmanage/doorman/NodeInfoWebServiceTest.kt
+++ b/network-management/src/test/kotlin/com/r3/corda/networkmanage/doorman/NodeInfoWebServiceTest.kt
@@ -1,20 +1,18 @@
 package com.r3.corda.networkmanage.doorman
 
-import com.nhaarman.mockito_kotlin.any
 import com.nhaarman.mockito_kotlin.mock
 import com.nhaarman.mockito_kotlin.times
 import com.nhaarman.mockito_kotlin.verify
 import com.r3.corda.networkmanage.common.persistence.NetworkMapStorage
 import com.r3.corda.networkmanage.common.persistence.NodeInfoStorage
-import com.r3.corda.networkmanage.common.utils.buildCertPath
-import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import com.r3.corda.networkmanage.common.utils.withCert
 import com.r3.corda.networkmanage.doorman.webservice.NodeInfoWebService
-import net.corda.core.crypto.*
+import net.corda.core.crypto.Crypto
+import net.corda.core.crypto.SecureHash
+import net.corda.core.crypto.sha256
+import net.corda.core.crypto.sign
 import net.corda.core.identity.CordaX500Name
-import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.internal.cert
-import net.corda.core.node.NodeInfo
 import net.corda.core.serialization.deserialize
 import net.corda.core.serialization.serialize
 import net.corda.core.utilities.NetworkHostAndPort
@@ -25,6 +23,7 @@ import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.network.NetworkMap
 import net.corda.nodeapi.internal.network.SignedNetworkMap
 import net.corda.testing.SerializationEnvironmentRule
+import net.corda.testing.internal.createNodeInfoAndSigned
 import org.bouncycastle.asn1.x500.X500Name
 import org.junit.Rule
 import org.junit.Test
@@ -41,31 +40,17 @@ class NodeInfoWebServiceTest {
     @JvmField
     val testSerialization = SerializationEnvironmentRule(true)
 
-    private val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-    private val rootCACert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(locality = "London", organisation = "R3 LTD", country = "GB", commonName = "Corda Node Root CA"), rootCAKey)
-    private val intermediateCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-    private val intermediateCACert = X509Utilities.createCertificate(CertificateType.INTERMEDIATE_CA, rootCACert, rootCAKey, X500Name("CN=Corda Node Intermediate CA,L=London"), intermediateCAKey.public)
-
     private val testNetwotkMapConfig =  NetworkMapConfig(10.seconds.toMillis(), 10.seconds.toMillis())
+
     @Test
     fun `submit nodeInfo`() {
         // Create node info.
-        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = "Test", locality = "London", country = "GB"), keyPair.public)
-        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
+        val (_, signedNodeInfo) = createNodeInfoAndSigned(CordaX500Name("Test", "London", "GB"))
 
-        // Create digital signature.
-        val digitalSignature = DigitalSignature.WithKey(keyPair.public, Crypto.doSign(keyPair.private, nodeInfo.serialize().bytes))
-
-        val nodeInfoStorage: NodeInfoStorage = mock {
-            on { getCertificatePath(any()) }.thenReturn(certPath)
-        }
-
-        NetworkManagementWebServer(NetworkHostAndPort("localhost", 0), NodeInfoWebService(nodeInfoStorage, mock(), testNetwotkMapConfig)).use {
+        NetworkManagementWebServer(NetworkHostAndPort("localhost", 0), NodeInfoWebService(mock(), mock(), testNetwotkMapConfig)).use {
             it.start()
             val registerURL = URL("http://${it.hostAndPort}/${NodeInfoWebService.NETWORK_MAP_PATH}/publish")
-            val nodeInfoAndSignature = SignedNodeInfo(nodeInfo.serialize(), listOf(digitalSignature)).serialize().bytes
+            val nodeInfoAndSignature = signedNodeInfo.serialize().bytes
             // Post node info and signature to doorman, this should pass without any exception.
             doPost(registerURL, nodeInfoAndSignature)
         }
@@ -73,6 +58,11 @@ class NodeInfoWebServiceTest {
 
     @Test
     fun `get network map`() {
+        val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val rootCACert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(locality = "London", organisation = "R3 LTD", country = "GB", commonName = "Corda Node Root CA"), rootCAKey)
+        val intermediateCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val intermediateCACert = X509Utilities.createCertificate(CertificateType.INTERMEDIATE_CA, rootCACert, rootCAKey, X500Name("CN=Corda Node Intermediate CA,L=London"), intermediateCAKey.public)
+
         val networkMap = NetworkMap(listOf(SecureHash.randomSHA256(), SecureHash.randomSHA256()), SecureHash.randomSHA256())
         val serializedNetworkMap = networkMap.serialize()
         val networkMapStorage: NetworkMapStorage = mock {
@@ -89,16 +79,12 @@ class NodeInfoWebServiceTest {
 
     @Test
     fun `get node info`() {
-        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = "Test", locality = "London", country = "GB"), keyPair.public)
-        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
-        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
+        val (nodeInfo, signedNodeInfo) = createNodeInfoAndSigned(CordaX500Name("Test", "London", "GB"))
 
         val nodeInfoHash = nodeInfo.serialize().sha256()
 
         val nodeInfoStorage: NodeInfoStorage = mock {
-            val serializedNodeInfo = nodeInfo.serialize()
-            on { getNodeInfo(nodeInfoHash) }.thenReturn(SignedNodeInfo(serializedNodeInfo, listOf(keyPair.sign(serializedNodeInfo))))
+            on { getNodeInfo(nodeInfoHash) }.thenReturn(signedNodeInfo)
         }
 
         NetworkManagementWebServer(NetworkHostAndPort("localhost", 0), NodeInfoWebService(nodeInfoStorage, mock(), testNetwotkMapConfig)).use {
diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/IdentityGenerator.kt
similarity index 53%
rename from node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt
rename to node-api/src/main/kotlin/net/corda/nodeapi/internal/IdentityGenerator.kt
index 65b60433c7..97927e54db 100644
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/IdentityGenerator.kt
@@ -13,42 +13,54 @@ import org.slf4j.LoggerFactory
 import java.nio.file.Path
 import java.security.cert.X509Certificate
 
-object ServiceIdentityGenerator {
+object IdentityGenerator {
     private val log = LoggerFactory.getLogger(javaClass)
 
+    const val NODE_IDENTITY_ALIAS_PREFIX = "identity"
+    const val DISTRIBUTED_NOTARY_ALIAS_PREFIX = "distributed-notary"
+
+    fun generateNodeIdentity(dir: Path, legalName: CordaX500Name, customRootCert: X509Certificate? = null): Party {
+        return generateToDisk(listOf(dir), legalName, NODE_IDENTITY_ALIAS_PREFIX, threshold = 1, customRootCert = customRootCert)
+    }
+
+    fun generateDistributedNotaryIdentity(dirs: List<Path>, notaryName: CordaX500Name, threshold: Int = 1, customRootCert: X509Certificate? = null): Party {
+        return generateToDisk(dirs, notaryName, DISTRIBUTED_NOTARY_ALIAS_PREFIX, threshold, customRootCert)
+    }
+
     /**
      * Generates signing key pairs and a common distributed service identity for a set of nodes.
      * The key pairs and the group identity get serialized to disk in the corresponding node directories.
      * This method should be called *before* any of the nodes are started.
      *
      * @param dirs List of node directories to place the generated identity and key pairs in.
-     * @param serviceName The legal name of the distributed service.
+     * @param name The name of the identity.
      * @param threshold The threshold for the generated group [CompositeKey].
-     * @param customRootCert the certificate to use a Corda root CA. If not specified the one in
-     *      certificates/cordadevcakeys.jks is used.
+     * @param customRootCert the certificate to use as the Corda root CA. If not specified the one in
+     *      internal/certificates/cordadevcakeys.jks is used.
      */
-    fun generateToDisk(dirs: List<Path>,
-                       serviceName: CordaX500Name,
-                       serviceId: String,
-                       threshold: Int = 1,
-                       customRootCert: X509Certificate? = null): Party {
-        log.trace { "Generating a group identity \"serviceName\" for nodes: ${dirs.joinToString()}" }
+    private fun generateToDisk(dirs: List<Path>,
+                               name: CordaX500Name,
+                               aliasPrefix: String,
+                               threshold: Int,
+                               customRootCert: X509Certificate?): Party {
+        log.trace { "Generating identity \"$name\" for nodes: ${dirs.joinToString()}" }
         val keyPairs = (1..dirs.size).map { generateKeyPair() }
-        val notaryKey = CompositeKey.Builder().addKeys(keyPairs.map { it.public }).build(threshold)
+        val key = CompositeKey.Builder().addKeys(keyPairs.map { it.public }).build(threshold)
 
         val caKeyStore = loadKeyStore(javaClass.classLoader.getResourceAsStream("certificates/cordadevcakeys.jks"), "cordacadevpass")
         val intermediateCa = caKeyStore.getCertificateAndKeyPair(X509Utilities.CORDA_INTERMEDIATE_CA, "cordacadevkeypass")
         val rootCert = customRootCert ?: caKeyStore.getCertificate(X509Utilities.CORDA_ROOT_CA)
 
         keyPairs.zip(dirs) { keyPair, dir ->
-            val serviceKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, serviceName, keyPair.public)
-            val compositeKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, serviceName, notaryKey)
+            val serviceKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, name, keyPair.public)
+            val compositeKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, name, key)
             val certPath = (dir / "certificates").createDirectories() / "distributedService.jks"
             val keystore = loadOrCreateKeyStore(certPath, "cordacadevpass")
-            keystore.setCertificateEntry("$serviceId-composite-key", compositeKeyCert.cert)
-            keystore.setKeyEntry("$serviceId-private-key", keyPair.private, "cordacadevkeypass".toCharArray(), arrayOf(serviceKeyCert.cert, intermediateCa.certificate.cert, rootCert))
+            keystore.setCertificateEntry("$aliasPrefix-composite-key", compositeKeyCert.cert)
+            keystore.setKeyEntry("$aliasPrefix-private-key", keyPair.private, "cordacadevkeypass".toCharArray(), arrayOf(serviceKeyCert.cert, intermediateCa.certificate.cert, rootCert))
             keystore.save(certPath, "cordacadevpass")
         }
-        return Party(serviceName, notaryKey)
+
+        return Party(name, key)
     }
 }
diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
index 70617daf76..563ddaa9f0 100644
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
@@ -7,7 +7,8 @@ import net.corda.core.crypto.random63BitValue
 import net.corda.core.internal.CertRole
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.internal.cert
-import net.corda.core.internal.read
+import net.corda.core.internal.reader
+import net.corda.core.internal.writer
 import net.corda.core.internal.x500Name
 import net.corda.core.utilities.days
 import net.corda.core.utilities.millis
@@ -48,8 +49,6 @@ object X509Utilities {
     const val CORDA_CLIENT_TLS = "cordaclienttls"
     const val CORDA_CLIENT_CA = "cordaclientca"
 
-    const val CORDA_CLIENT_CA_CN = "Corda Client CA Certificate"
-
     private val DEFAULT_VALIDITY_WINDOW = Pair(0.millis, 3650.days)
 
     /**
@@ -162,7 +161,7 @@ object X509Utilities {
      */
     @JvmStatic
     fun saveCertificateAsPEMFile(x509Certificate: X509Certificate, file: Path) {
-        JcaPEMWriter(file.toFile().writer()).use {
+        JcaPEMWriter(file.writer()).use {
             it.writeObject(x509Certificate)
         }
     }
@@ -174,9 +173,8 @@ object X509Utilities {
      */
     @JvmStatic
     fun loadCertificateFromPEMFile(file: Path): X509Certificate {
-        return file.read {
-            val reader = PemReader(it.reader())
-            val pemObject = reader.readPemObject()
+        return file.reader().use {
+            val pemObject = PemReader(it).readPemObject()
             val certHolder = X509CertificateHolder(pemObject.content)
             certHolder.isValidOn(Date())
             certHolder.cert
diff --git a/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt b/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt
index aaf2cb5e04..28a04fcbd7 100644
--- a/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt
@@ -13,7 +13,6 @@ import net.corda.core.identity.CordaX500Name
 import net.corda.core.identity.Party
 import net.corda.core.internal.deleteIfExists
 import net.corda.core.internal.div
-import net.corda.core.node.services.NotaryService
 import net.corda.core.transactions.SignedTransaction
 import net.corda.core.transactions.TransactionBuilder
 import net.corda.core.utilities.NetworkHostAndPort
@@ -24,7 +23,7 @@ import net.corda.node.services.config.BFTSMaRtConfiguration
 import net.corda.node.services.config.NotaryConfig
 import net.corda.node.services.transactions.minClusterSize
 import net.corda.node.services.transactions.minCorrectReplicas
-import net.corda.nodeapi.internal.ServiceIdentityGenerator
+import net.corda.nodeapi.internal.IdentityGenerator
 import net.corda.nodeapi.internal.network.NetworkParametersCopier
 import net.corda.nodeapi.internal.network.NotaryInfo
 import net.corda.testing.IntegrationTest
@@ -68,10 +67,9 @@ class BFTNotaryServiceTests : IntegrationTest() {
         (Paths.get("config") / "currentView").deleteIfExists() // XXX: Make config object warn if this exists?
         val replicaIds = (0 until clusterSize)
 
-        notary = ServiceIdentityGenerator.generateToDisk(
+        notary = IdentityGenerator.generateDistributedNotaryIdentity(
                 replicaIds.map { mockNet.baseDirectory(mockNet.nextNodeId + it) },
-                CordaX500Name("BFT", "Zurich", "CH"),
-                NotaryService.constructId(validating = false, bft = true))
+                CordaX500Name("BFT", "Zurich", "CH"))
 
         val networkParameters = NetworkParametersCopier(testNetworkParameters(listOf(NotaryInfo(notary, false))))
 
diff --git a/node/src/integration-test/kotlin/net/corda/node/services/MySQLNotaryServiceTests.kt b/node/src/integration-test/kotlin/net/corda/node/services/MySQLNotaryServiceTests.kt
index f1f467d24e..e36f7b35d0 100644
--- a/node/src/integration-test/kotlin/net/corda/node/services/MySQLNotaryServiceTests.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/services/MySQLNotaryServiceTests.kt
@@ -14,7 +14,7 @@ import net.corda.core.transactions.TransactionBuilder
 import net.corda.core.utilities.getOrThrow
 import net.corda.node.internal.StartedNode
 import net.corda.node.services.config.NotaryConfig
-import net.corda.nodeapi.internal.ServiceIdentityGenerator
+import net.corda.nodeapi.internal.IdentityGenerator
 import net.corda.nodeapi.internal.network.NetworkParametersCopier
 import net.corda.nodeapi.internal.network.NotaryInfo
 import net.corda.testing.*
@@ -49,11 +49,7 @@ class MySQLNotaryServiceTests : IntegrationTest() {
     @Before
     fun before() {
         mockNet = MockNetwork(cordappPackages = listOf("net.corda.testing.contracts"))
-        notaryParty = ServiceIdentityGenerator.generateToDisk(
-                listOf(mockNet.baseDirectory(mockNet.nextNodeId)),
-                notaryName,
-                "identity"
-        )
+        notaryParty = IdentityGenerator.generateNodeIdentity(mockNet.baseDirectory(mockNet.nextNodeId), notaryName)
         val networkParameters = NetworkParametersCopier(testNetworkParameters(listOf(NotaryInfo(notaryParty, false))))
         val notaryNodeUnstarted = createNotaryNode()
         val nodeUnstarted = mockNet.createUnstartedNode()
diff --git a/node/src/integration-test/kotlin/net/corda/node/services/RaftNotaryServiceTests.kt b/node/src/integration-test/kotlin/net/corda/node/services/RaftNotaryServiceTests.kt
index 00f6124301..8110118362 100644
--- a/node/src/integration-test/kotlin/net/corda/node/services/RaftNotaryServiceTests.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/services/RaftNotaryServiceTests.kt
@@ -11,7 +11,6 @@ import net.corda.core.internal.concurrent.map
 import net.corda.core.transactions.TransactionBuilder
 import net.corda.core.utilities.getOrThrow
 import net.corda.node.internal.StartedNode
-import net.corda.node.services.transactions.RaftValidatingNotaryService
 import net.corda.testing.*
 import net.corda.testing.contracts.DummyContract
 import net.corda.testing.driver.NodeHandle
@@ -31,15 +30,15 @@ class RaftNotaryServiceTests : IntegrationTest() {
         val databaseSchemas = IntegrationTestSchemas( "RAFTNotaryService_0", "RAFTNotaryService_1", "RAFTNotaryService_2",
                 DUMMY_BANK_A_NAME.toDatabaseSchemaName())
     }
-    private val notaryName = CordaX500Name(RaftValidatingNotaryService.id, "RAFT Notary Service", "London", "GB")
+    private val notaryName = CordaX500Name("RAFT Notary Service", "London", "GB")
 
     @Test
     fun `detect double spend`() {
         driver(
                 startNodesInProcess = true,
                 extraCordappPackagesToScan = listOf("net.corda.testing.contracts"),
-                notarySpecs = listOf(NotarySpec(notaryName, cluster = ClusterSpec.Raft(clusterSize = 3))))
-        {
+                notarySpecs = listOf(NotarySpec(notaryName, cluster = ClusterSpec.Raft(clusterSize = 3)))
+        ) {
             val bankA = startNode(providedName = DUMMY_BANK_A_NAME).map { (it as NodeHandle.InProcess).node }.getOrThrow()
             val inputState = issueState(bankA, defaultNotaryIdentity)
 
diff --git a/node/src/integration-test/kotlin/net/corda/services/messaging/P2PMessagingTest.kt b/node/src/integration-test/kotlin/net/corda/services/messaging/P2PMessagingTest.kt
index 5dfa2963b1..189506d02b 100644
--- a/node/src/integration-test/kotlin/net/corda/services/messaging/P2PMessagingTest.kt
+++ b/node/src/integration-test/kotlin/net/corda/services/messaging/P2PMessagingTest.kt
@@ -19,6 +19,9 @@ import net.corda.node.services.messaging.ReceivedMessage
 import net.corda.node.services.messaging.send
 import net.corda.node.services.transactions.RaftValidatingNotaryService
 import net.corda.testing.*
+import net.corda.node.services.messaging.*
+import net.corda.testing.ALICE_NAME
+import net.corda.testing.chooseIdentity
 import net.corda.testing.driver.DriverDSL
 import net.corda.testing.driver.NodeHandle
 import net.corda.testing.driver.driver
@@ -38,7 +41,7 @@ class P2PMessagingTest : IntegrationTest() {
         @ClassRule @JvmField
         val databaseSchemas = IntegrationTestSchemas(ALICE_NAME.toDatabaseSchemaName(), "DistributedService_0", "DistributedService_1")
 
-        val DISTRIBUTED_SERVICE_NAME = CordaX500Name(RaftValidatingNotaryService.id, "DistributedService", "London", "GB")
+        val DISTRIBUTED_SERVICE_NAME = CordaX500Name("DistributedService", "London", "GB")
     }
 
     @Test
diff --git a/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt b/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
index b25bb1df9d..2a1b1292f1 100644
--- a/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
+++ b/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
@@ -60,8 +60,12 @@ import net.corda.node.services.vault.NodeVaultService
 import net.corda.node.services.vault.VaultSoftLockManager
 import net.corda.node.shell.InteractiveShell
 import net.corda.node.utilities.AffinityExecutor
+import net.corda.nodeapi.internal.IdentityGenerator
 import net.corda.nodeapi.internal.SignedNodeInfo
-import net.corda.nodeapi.internal.crypto.*
+import net.corda.nodeapi.internal.crypto.KeyStoreWrapper
+import net.corda.nodeapi.internal.crypto.X509CertificateFactory
+import net.corda.nodeapi.internal.crypto.X509Utilities
+import net.corda.nodeapi.internal.crypto.loadKeyStore
 import net.corda.nodeapi.internal.network.NETWORK_PARAMS_FILE_NAME
 import net.corda.nodeapi.internal.network.NetworkParameters
 import net.corda.nodeapi.internal.persistence.CordaPersistence
@@ -137,25 +141,19 @@ abstract class AbstractNode(val configuration: NodeConfiguration,
     protected val services: ServiceHubInternal get() = _services
     private lateinit var _services: ServiceHubInternalImpl
     protected var myNotaryIdentity: PartyAndCertificate? = null
-    protected lateinit var checkpointStorage: CheckpointStorage
+    private lateinit var checkpointStorage: CheckpointStorage
     private lateinit var tokenizableServices: List<Any>
     protected lateinit var attachments: NodeAttachmentService
     protected lateinit var network: MessagingService
     protected val runOnStop = ArrayList<() -> Any?>()
-    protected val _nodeReadyFuture = openFuture<Unit>()
+    private val _nodeReadyFuture = openFuture<Unit>()
     protected var networkMapClient: NetworkMapClient? = null
 
     lateinit var securityManager: RPCSecurityManager get
 
     /** Completes once the node has successfully registered with the network map service
      * or has loaded network map data from local database */
-    val nodeReadyFuture: CordaFuture<Unit>
-        get() = _nodeReadyFuture
-    /** A [CordaX500Name] with null common name. */
-    protected val myLegalName: CordaX500Name by lazy {
-        val cert = loadKeyStore(configuration.nodeKeystore, configuration.keyStorePassword).getX509Certificate(X509Utilities.CORDA_CLIENT_CA)
-        CordaX500Name.build(cert.subjectX500Principal).copy(commonName = null)
-    }
+    val nodeReadyFuture: CordaFuture<Unit> get() = _nodeReadyFuture
 
     open val serializationWhitelists: List<SerializationWhitelist> by lazy {
         cordappLoader.cordapps.flatMap { it.serializationWhitelists }
@@ -330,7 +328,7 @@ abstract class AbstractNode(val configuration: NodeConfiguration,
         )
         // Check if we have already stored a version of 'our own' NodeInfo, this is to avoid regenerating it with
         // a different timestamp.
-        networkMapCache.getNodesByLegalName(myLegalName).firstOrNull()?.let {
+        networkMapCache.getNodesByLegalName(configuration.myLegalName).firstOrNull()?.let {
             if (info.copy(serial = it.serial) == it) {
                 info = it
             }
@@ -756,13 +754,10 @@ abstract class AbstractNode(val configuration: NodeConfiguration,
 
         val (id, singleName) = if (notaryConfig == null || !notaryConfig.isClusterConfig) {
             // Node's main identity or if it's a single node notary
-            Pair("identity", myLegalName)
+            Pair(IdentityGenerator.NODE_IDENTITY_ALIAS_PREFIX, configuration.myLegalName)
         } else {
-            val notaryId = notaryConfig.run {
-                NotaryService.constructId(validating, raft != null, bftSMaRt != null, custom, mysql != null)
-            }
             // The node is part of a distributed notary whose identity must already be generated beforehand.
-            Pair(notaryId, null)
+            Pair(IdentityGenerator.DISTRIBUTED_NOTARY_ALIAS_PREFIX, null)
         }
         // TODO: Integrate with Key management service?
         val privateKeyAlias = "$id-private-key"
@@ -770,7 +765,7 @@ abstract class AbstractNode(val configuration: NodeConfiguration,
         if (!keyStore.containsAlias(privateKeyAlias)) {
             singleName ?: throw IllegalArgumentException(
                     "Unable to find in the key store the identity of the distributed notary ($id) the node is part of")
-            // TODO: Remove use of [ServiceIdentityGenerator.generateToDisk].
+            // TODO: Remove use of [IdentityGenerator.generateToDisk].
             log.info("$privateKeyAlias not found in key store ${configuration.nodeKeystore}, generating fresh key!")
             keyStore.signAndSaveNewKeyPair(singleName, privateKeyAlias, generateKeyPair())
         }
diff --git a/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt b/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt
index 7471d5d5ec..ed6028f13c 100644
--- a/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt
+++ b/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt
@@ -69,7 +69,7 @@ fun SSLConfiguration.configureDevKeyAndTrustStores(myLegalName: CordaX500Name) {
         val caKeyStore = loadKeyStore(javaClass.classLoader.getResourceAsStream("certificates/cordadevcakeys.jks"), "cordacadevpass")
         createKeystoreForCordaNode(sslKeystore, nodeKeystore, keyStorePassword, keyStorePassword, caKeyStore, "cordacadevkeypass", myLegalName)
 
-        // Move distributed service composite key (generated by ServiceIdentityGenerator.generateToDisk) to keystore if exists.
+        // Move distributed service composite key (generated by IdentityGenerator.generateToDisk) to keystore if exists.
         val distributedServiceKeystore = certificatesDirectory / "distributedService.jks"
         if (distributedServiceKeystore.exists()) {
             val serviceKeystore = loadKeyStore(distributedServiceKeystore, "cordacadevpass")
@@ -111,18 +111,17 @@ fun createKeystoreForCordaNode(sslKeyStorePath: Path,
     val (intermediateCACert, intermediateCAKeyPair) = caKeyStore.getCertificateAndKeyPair(X509Utilities.CORDA_INTERMEDIATE_CA, caKeyPassword)
 
     val clientKey = Crypto.generateKeyPair(signatureScheme)
-    val clientName = legalName.copy(commonName = null)
 
-    val nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, clientName.x500Name))), arrayOf())
+    val nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, legalName.x500Name))), arrayOf())
     val clientCACert = X509Utilities.createCertificate(CertificateType.NODE_CA,
             intermediateCACert,
             intermediateCAKeyPair,
-            clientName.copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN),
+            legalName,
             clientKey.public,
             nameConstraints = nameConstraints)
 
     val tlsKey = Crypto.generateKeyPair(signatureScheme)
-    val clientTLSCert = X509Utilities.createCertificate(CertificateType.TLS, clientCACert, clientKey, clientName, tlsKey.public)
+    val clientTLSCert = X509Utilities.createCertificate(CertificateType.TLS, clientCACert, clientKey, legalName, tlsKey.public)
 
     val keyPass = keyPassword.toCharArray()
 
diff --git a/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt b/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt
index bac9ef6902..4654473ef1 100644
--- a/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt
@@ -24,6 +24,7 @@ import javax.annotation.concurrent.ThreadSafe
  *
  * @param identities initial set of identities for the service, typically only used for unit tests.
  */
+// TODO There is duplicated logic between this and PersistentIdentityService
 @ThreadSafe
 class InMemoryIdentityService(identities: Array<out PartyAndCertificate>,
                               trustRoot: X509CertificateHolder) : SingletonSerializeAsToken(), IdentityServiceInternal {
diff --git a/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt b/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt
index 6dd98d0c63..83e7b0b267 100644
--- a/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt
@@ -26,6 +26,7 @@ import javax.persistence.Entity
 import javax.persistence.Id
 import javax.persistence.Lob
 
+// TODO There is duplicated logic between this and InMemoryIdentityService
 @ThreadSafe
 class PersistentIdentityService(override val trustRoot: X509Certificate,
                                 vararg caCertificates: X509Certificate) : SingletonSerializeAsToken(), IdentityServiceInternal {
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/BFTNonValidatingNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/BFTNonValidatingNotaryService.kt
index 780c4815c6..9f6ffe1d08 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/BFTNonValidatingNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/BFTNonValidatingNotaryService.kt
@@ -34,12 +34,13 @@ import kotlin.concurrent.thread
  *
  * A transaction is notarised when the consensus is reached by the cluster on its uniqueness, and time-window validity.
  */
-class BFTNonValidatingNotaryService(override val services: ServiceHubInternal,
-                                    override val notaryIdentityKey: PublicKey,
-                                    private val bftSMaRtConfig: BFTSMaRtConfiguration,
-                                    cluster: BFTSMaRt.Cluster) : NotaryService() {
+class BFTNonValidatingNotaryService(
+        override val services: ServiceHubInternal,
+        override val notaryIdentityKey: PublicKey,
+        private val bftSMaRtConfig: BFTSMaRtConfiguration,
+        cluster: BFTSMaRt.Cluster
+) : NotaryService() {
     companion object {
-        val id = constructId(validating = false, bft = true)
         private val log = contextLogger()
     }
 
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/MySQLNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/MySQLNotaryService.kt
index 0bf810b2ab..adfe3e9744 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/MySQLNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/MySQLNotaryService.kt
@@ -35,9 +35,6 @@ class MySQLNonValidatingNotaryService(services: ServiceHubInternal,
                                       notaryIdentityKey: PublicKey,
                                       dataSourceProperties: Properties,
                                       devMode: Boolean = false) : MySQLNotaryService(services, notaryIdentityKey, dataSourceProperties, devMode) {
-    companion object {
-        val id = constructId(validating = false, mysql = true)
-    }
     override fun createServiceFlow(otherPartySession: FlowSession): FlowLogic<Void?> = NonValidatingNotaryFlow(otherPartySession, this)
 }
 
@@ -45,8 +42,5 @@ class MySQLValidatingNotaryService(services: ServiceHubInternal,
                                       notaryIdentityKey: PublicKey,
                                       dataSourceProperties: Properties,
                                       devMode: Boolean = false) : MySQLNotaryService(services, notaryIdentityKey, dataSourceProperties, devMode) {
-    companion object {
-        val id = constructId(validating = true, mysql = true)
-    }
     override fun createServiceFlow(otherPartySession: FlowSession): FlowLogic<Void?> = ValidatingNotaryFlow(otherPartySession, this)
 }
\ No newline at end of file
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/RaftNonValidatingNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/RaftNonValidatingNotaryService.kt
index 1433e71f85..e672380398 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/RaftNonValidatingNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/RaftNonValidatingNotaryService.kt
@@ -8,14 +8,13 @@ import net.corda.core.node.services.TrustedAuthorityNotaryService
 import java.security.PublicKey
 
 /** A non-validating notary service operated by a group of mutually trusting parties, uses the Raft algorithm to achieve consensus. */
-class RaftNonValidatingNotaryService(override val services: ServiceHub,
-                                     override val notaryIdentityKey: PublicKey,
-                                     override val uniquenessProvider: RaftUniquenessProvider) : TrustedAuthorityNotaryService() {
-    companion object {
-        val id = constructId(validating = false, raft = true)
-    }
-
+class RaftNonValidatingNotaryService(
+        override val services: ServiceHub,
+        override val notaryIdentityKey: PublicKey,
+        override val uniquenessProvider: RaftUniquenessProvider
+) : TrustedAuthorityNotaryService() {
     override val timeWindowChecker: TimeWindowChecker = TimeWindowChecker(services.clock)
+    
     override fun createServiceFlow(otherPartySession: FlowSession): NotaryFlow.Service {
         return NonValidatingNotaryFlow(otherPartySession, this)
     }
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/RaftValidatingNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/RaftValidatingNotaryService.kt
index 8fd3448512..3e4899ae0a 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/RaftValidatingNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/RaftValidatingNotaryService.kt
@@ -8,14 +8,13 @@ import net.corda.core.node.services.TrustedAuthorityNotaryService
 import java.security.PublicKey
 
 /** A validating notary service operated by a group of mutually trusting parties, uses the Raft algorithm to achieve consensus. */
-class RaftValidatingNotaryService(override val services: ServiceHub,
-                                  override val notaryIdentityKey: PublicKey,
-                                  override val uniquenessProvider: RaftUniquenessProvider) : TrustedAuthorityNotaryService() {
-    companion object {
-        val id = constructId(validating = true, raft = true)
-    }
-
+class RaftValidatingNotaryService(
+        override val services: ServiceHub,
+        override val notaryIdentityKey: PublicKey,
+        override val uniquenessProvider: RaftUniquenessProvider
+) : TrustedAuthorityNotaryService() {
     override val timeWindowChecker: TimeWindowChecker = TimeWindowChecker(services.clock)
+
     override fun createServiceFlow(otherPartySession: FlowSession): NotaryFlow.Service {
         return ValidatingNotaryFlow(otherPartySession, this)
     }
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/ValidatingNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/ValidatingNotaryService.kt
index 6c7e36046b..5e687c3b6d 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/ValidatingNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/ValidatingNotaryService.kt
@@ -9,10 +9,8 @@ import java.security.PublicKey
 
 /** A Notary service that validates the transaction chain of the submitted transaction before committing it */
 class ValidatingNotaryService(override val services: ServiceHubInternal, override val notaryIdentityKey: PublicKey) : TrustedAuthorityNotaryService() {
-    companion object {
-        val id = constructId(validating = true)
-    }
     override val timeWindowChecker = TimeWindowChecker(services.clock)
+
     override val uniquenessProvider = PersistentUniquenessProvider()
 
     override fun createServiceFlow(otherPartySession: FlowSession): NotaryFlow.Service = ValidatingNotaryFlow(otherPartySession, this)
diff --git a/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt b/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
index f24cf56f11..698420ca0a 100644
--- a/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
+++ b/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
@@ -103,10 +103,9 @@ class NetworkRegistrationHelper(private val config: NodeConfiguration, private v
             println("Generating SSL certificate for node messaging service.")
             val sslKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
             val caCert = caKeyStore.getX509Certificate(CORDA_CLIENT_CA).toX509CertHolder()
-            val sslCert = X509Utilities.createCertificate(CertificateType.TLS, caCert, keyPair, CordaX500Name.build(caCert.cert.subjectX500Principal).copy(commonName = null), sslKey.public)
+            val sslCert = X509Utilities.createCertificate(CertificateType.TLS, caCert, keyPair, CordaX500Name.build(caCert.cert.subjectX500Principal), sslKey.public)
             val sslKeyStore = loadOrCreateKeyStore(config.sslKeystore, keystorePassword)
-            sslKeyStore.addOrReplaceKey(CORDA_CLIENT_TLS, sslKey.private, privateKeyPassword.toCharArray(),
-                    arrayOf(sslCert.cert, *certificates))
+            sslKeyStore.addOrReplaceKey(CORDA_CLIENT_TLS, sslKey.private, privateKeyPassword.toCharArray(), arrayOf(sslCert.cert, *certificates))
             sslKeyStore.save(config.sslKeystore, config.keyStorePassword)
             println("SSL private key and certificate stored in ${config.sslKeystore}.")
             // All done, clean up temp files.
diff --git a/node/src/test/kotlin/net/corda/node/services/statemachine/FlowFrameworkTests.kt b/node/src/test/kotlin/net/corda/node/services/statemachine/FlowFrameworkTests.kt
index 1fe97568a8..2006c397bc 100644
--- a/node/src/test/kotlin/net/corda/node/services/statemachine/FlowFrameworkTests.kt
+++ b/node/src/test/kotlin/net/corda/node/services/statemachine/FlowFrameworkTests.kt
@@ -656,7 +656,7 @@ class FlowFrameworkTests {
     private inline fun <reified P : FlowLogic<*>> StartedNode<MockNode>.restartAndGetRestoredFlow() = internals.run {
         disableDBCloseOnStop() // Handover DB to new node copy
         stop()
-        val newNode = mockNet.createNode(MockNodeParameters(id))
+        val newNode = mockNet.createNode(MockNodeParameters(id, configuration.myLegalName))
         newNode.internals.acceptableLiveFiberCountOnStop = 1
         manuallyCloseDB()
         mockNet.runNetwork()
diff --git a/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt b/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
index 50922e9fde..209153fdb8 100644
--- a/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
+++ b/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
@@ -1,5 +1,7 @@
 package net.corda.node.utilities.registration
 
+import com.google.common.jimfs.Configuration.unix
+import com.google.common.jimfs.Jimfs
 import com.nhaarman.mockito_kotlin.any
 import com.nhaarman.mockito_kotlin.doReturn
 import com.nhaarman.mockito_kotlin.eq
@@ -7,68 +9,61 @@ import com.nhaarman.mockito_kotlin.whenever
 import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.SecureHash
 import net.corda.core.identity.CordaX500Name
-import net.corda.core.internal.*
+import net.corda.core.internal.cert
+import net.corda.core.internal.createDirectories
 import net.corda.node.services.config.NodeConfiguration
 import net.corda.nodeapi.internal.crypto.*
-import net.corda.nodeapi.internal.crypto.X509Utilities
-import net.corda.nodeapi.internal.crypto.getX509Certificate
-import net.corda.nodeapi.internal.crypto.loadKeyStore
 import net.corda.testing.ALICE_NAME
 import net.corda.testing.internal.rigorousMock
+import org.assertj.core.api.Assertions.assertThat
 import org.assertj.core.api.Assertions.assertThatThrownBy
+import org.junit.After
 import org.junit.Before
-import org.junit.Rule
 import org.junit.Test
-import org.junit.rules.TemporaryFolder
 import java.security.cert.Certificate
-import kotlin.test.assertEquals
+import java.security.cert.X509Certificate
 import kotlin.test.assertFalse
 import kotlin.test.assertTrue
 
 class NetworkRegistrationHelperTest {
-    @Rule
-    @JvmField
-    val tempFolder = TemporaryFolder()
-
+    private val fs = Jimfs.newFileSystem(unix())
     private val requestId = SecureHash.randomSHA256().toString()
+    private val nodeLegalName = ALICE_NAME
+    private val intermediateCaName = CordaX500Name("CORDA_INTERMEDIATE_CA", "R3 Ltd", "London", "GB")
+    private val rootCaName = CordaX500Name("CORDA_ROOT_CA", "R3 Ltd", "London", "GB")
+    private val nodeCaCert = createCaCert(nodeLegalName)
+    private val intermediateCaCert = createCaCert(intermediateCaName)
+    private val rootCaCert = createCaCert(rootCaName)
+
     private lateinit var config: NodeConfiguration
 
-    private val identities = listOf("CORDA_CLIENT_CA",
-            "CORDA_INTERMEDIATE_CA",
-            "CORDA_ROOT_CA")
-            .map { CordaX500Name(commonName = it, organisation = "R3 Ltd", locality = "London", country = "GB") }
-    private val certs = identities.map { X509Utilities.createSelfSignedCACertificate(it, Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)) }
-            .map { it.cert }.toTypedArray()
-
-    private val certService = mockRegistrationResponse(*certs)
-
     @Before
     fun init() {
+        val baseDirectory = fs.getPath("/baseDir").createDirectories()
         abstract class AbstractNodeConfiguration : NodeConfiguration
         config = rigorousMock<AbstractNodeConfiguration>().also {
-            doReturn(tempFolder.root.toPath()).whenever(it).baseDirectory
+            doReturn(baseDirectory).whenever(it).baseDirectory
             doReturn("trustpass").whenever(it).trustStorePassword
             doReturn("cordacadevpass").whenever(it).keyStorePassword
-            doReturn(ALICE_NAME).whenever(it).myLegalName
+            doReturn(nodeLegalName).whenever(it).myLegalName
             doReturn("").whenever(it).emailAddress
         }
     }
 
+    @After
+    fun cleanUp() {
+        fs.close()
+    }
+
     @Test
     fun `successful registration`() {
-        assertFalse(config.nodeKeystore.exists())
-        assertFalse(config.sslKeystore.exists())
-        config.trustStoreFile.parent.createDirectories()
-        loadOrCreateKeyStore(config.trustStoreFile, config.trustStorePassword).also {
-            it.addOrReplaceCertificate(X509Utilities.CORDA_ROOT_CA, certs.last())
-            it.save(config.trustStoreFile, config.trustStorePassword)
-        }
+        assertThat(config.nodeKeystore).doesNotExist()
+        assertThat(config.sslKeystore).doesNotExist()
+        assertThat(config.trustStoreFile).doesNotExist()
 
-        NetworkRegistrationHelper(config, certService).buildKeystore()
+        saveTrustStoreWithRootCa(rootCaCert)
 
-        assertTrue(config.nodeKeystore.exists())
-        assertTrue(config.sslKeystore.exists())
-        assertTrue(config.trustStoreFile.exists())
+        createRegistrationHelper().buildKeystore()
 
         val nodeKeystore = loadKeyStore(config.nodeKeystore, config.keyStorePassword)
         val sslKeystore = loadKeyStore(config.sslKeystore, config.keyStorePassword)
@@ -79,9 +74,8 @@ class NetworkRegistrationHelperTest {
             assertFalse(containsAlias(X509Utilities.CORDA_INTERMEDIATE_CA))
             assertFalse(containsAlias(X509Utilities.CORDA_ROOT_CA))
             assertFalse(containsAlias(X509Utilities.CORDA_CLIENT_TLS))
-            val certificateChain = getCertificateChain(X509Utilities.CORDA_CLIENT_CA)
-            assertEquals(3, certificateChain.size)
-            assertEquals(listOf("CORDA_CLIENT_CA", "CORDA_INTERMEDIATE_CA", "CORDA_ROOT_CA"), certificateChain.map { it.toX509CertHolder().subject.commonName })
+            val nodeCaCertChain = getCertificateChain(X509Utilities.CORDA_CLIENT_CA)
+            assertThat(nodeCaCertChain).containsExactly(nodeCaCert, intermediateCaCert, rootCaCert)
         }
 
         sslKeystore.run {
@@ -89,46 +83,55 @@ class NetworkRegistrationHelperTest {
             assertFalse(containsAlias(X509Utilities.CORDA_INTERMEDIATE_CA))
             assertFalse(containsAlias(X509Utilities.CORDA_ROOT_CA))
             assertTrue(containsAlias(X509Utilities.CORDA_CLIENT_TLS))
-            val certificateChain = getCertificateChain(X509Utilities.CORDA_CLIENT_TLS)
-            assertEquals(4, certificateChain.size)
-            assertEquals(listOf(CordaX500Name(organisation = "R3 Ltd", locality = "London", country = "GB").x500Name) + identities.map { it.x500Name },
-                    certificateChain.map { it.toX509CertHolder().subject })
-            assertEquals(CordaX500Name(organisation = "R3 Ltd", locality = "London", country = "GB").x500Principal,
-                    getX509Certificate(X509Utilities.CORDA_CLIENT_TLS).subjectX500Principal)
+            val nodeTlsCertChain = getCertificateChain(X509Utilities.CORDA_CLIENT_TLS)
+            assertThat(nodeTlsCertChain).hasSize(4)
+            // The TLS cert has the same subject as the node CA cert
+            assertThat(CordaX500Name.build((nodeTlsCertChain[0] as X509Certificate).subjectX500Principal)).isEqualTo(nodeLegalName)
+            assertThat(nodeTlsCertChain.drop(1)).containsExactly(nodeCaCert, intermediateCaCert, rootCaCert)
         }
 
         trustStore.run {
             assertFalse(containsAlias(X509Utilities.CORDA_CLIENT_CA))
             assertFalse(containsAlias(X509Utilities.CORDA_INTERMEDIATE_CA))
             assertTrue(containsAlias(X509Utilities.CORDA_ROOT_CA))
+            val trustStoreRootCaCert = getCertificate(X509Utilities.CORDA_ROOT_CA)
+            assertThat(trustStoreRootCaCert).isEqualTo(rootCaCert)
         }
     }
 
     @Test
     fun `missing truststore`() {
         assertThatThrownBy {
-            NetworkRegistrationHelper(config, certService).buildKeystore()
+            createRegistrationHelper()
         }.hasMessageContaining("This file must contain the root CA cert of your compatibility zone. Please contact your CZ operator.")
-                .isInstanceOf(IllegalArgumentException::class.java)
     }
 
     @Test
     fun `wrong root cert in truststore`() {
-        val someCert = X509Utilities.createSelfSignedCACertificate(CordaX500Name("Foo", "MU", "GB"), Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)).cert
-        config.trustStoreFile.parent.createDirectories()
-        loadOrCreateKeyStore(config.trustStoreFile, config.trustStorePassword).also {
-            it.addOrReplaceCertificate(X509Utilities.CORDA_ROOT_CA, someCert)
-            it.save(config.trustStoreFile, config.trustStorePassword)
-        }
+        saveTrustStoreWithRootCa(createCaCert(CordaX500Name("Foo", "MU", "GB")))
+        val registrationHelper = createRegistrationHelper()
         assertThatThrownBy {
-            NetworkRegistrationHelper(config, certService).buildKeystore()
+            registrationHelper.buildKeystore()
         }.isInstanceOf(WrongRootCertException::class.java)
     }
 
-    private fun mockRegistrationResponse(vararg response: Certificate): NetworkRegistrationService {
-        return rigorousMock<NetworkRegistrationService>().also {
+    private fun createRegistrationHelper(): NetworkRegistrationHelper {
+        val certService = rigorousMock<NetworkRegistrationService>().also {
             doReturn(requestId).whenever(it).submitRequest(any())
-            doReturn(response).whenever(it).retrieveCertificates(eq(requestId))
+            doReturn(arrayOf<Certificate>(nodeCaCert, intermediateCaCert, rootCaCert)).whenever(it).retrieveCertificates(eq(requestId))
+        }
+        return NetworkRegistrationHelper(config, certService)
+    }
+
+    private fun saveTrustStoreWithRootCa(rootCa: X509Certificate) {
+        config.trustStoreFile.parent.createDirectories()
+        loadOrCreateKeyStore(config.trustStoreFile, config.trustStorePassword).also {
+            it.addOrReplaceCertificate(X509Utilities.CORDA_ROOT_CA, rootCa)
+            it.save(config.trustStoreFile, config.trustStorePassword)
         }
     }
+
+    private fun createCaCert(name: CordaX500Name): X509Certificate {
+        return X509Utilities.createSelfSignedCACertificate(name, Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)).cert
+    }
 }
diff --git a/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/BFTNotaryCordform.kt b/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/BFTNotaryCordform.kt
index eb11a9b443..311a5c51b2 100644
--- a/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/BFTNotaryCordform.kt
+++ b/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/BFTNotaryCordform.kt
@@ -4,13 +4,11 @@ import net.corda.cordform.CordformContext
 import net.corda.cordform.CordformDefinition
 import net.corda.cordform.CordformNode
 import net.corda.core.identity.CordaX500Name
-import net.corda.core.node.services.NotaryService
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.node.services.config.BFTSMaRtConfiguration
 import net.corda.node.services.config.NotaryConfig
-import net.corda.node.services.transactions.BFTNonValidatingNotaryService
 import net.corda.node.services.transactions.minCorrectReplicas
-import net.corda.nodeapi.internal.ServiceIdentityGenerator
+import net.corda.nodeapi.internal.IdentityGenerator
 import net.corda.testing.node.internal.demorun.*
 import net.corda.testing.ALICE_NAME
 import net.corda.testing.BOB_NAME
@@ -24,7 +22,7 @@ private val notaryNames = createNotaryNames(clusterSize)
 // This is not the intended final design for how to use CordformDefinition, please treat this as experimental and DO
 // NOT use this as a design to copy.
 class BFTNotaryCordform : CordformDefinition() {
-    private val clusterName = CordaX500Name(BFTNonValidatingNotaryService.id, "BFT", "Zurich", "CH")
+    private val clusterName = CordaX500Name("BFT", "Zurich", "CH")
 
     init {
         nodesDirectory = Paths.get("build", "nodes", "nodesBFT")
@@ -64,10 +62,10 @@ class BFTNotaryCordform : CordformDefinition() {
     }
 
     override fun setup(context: CordformContext) {
-        ServiceIdentityGenerator.generateToDisk(
+        IdentityGenerator.generateDistributedNotaryIdentity(
                 notaryNames.map { context.baseDirectory(it.toString()) },
                 clusterName,
-                NotaryService.constructId(validating = false, bft = true),
-                minCorrectReplicas(clusterSize))
+                minCorrectReplicas(clusterSize)
+        )
     }
 }
diff --git a/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/RaftNotaryCordform.kt b/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/RaftNotaryCordform.kt
index cfc21fa060..59384a412f 100644
--- a/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/RaftNotaryCordform.kt
+++ b/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/RaftNotaryCordform.kt
@@ -8,8 +8,7 @@ import net.corda.core.node.services.NotaryService
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.node.services.config.NotaryConfig
 import net.corda.node.services.config.RaftConfig
-import net.corda.node.services.transactions.RaftValidatingNotaryService
-import net.corda.nodeapi.internal.ServiceIdentityGenerator
+import net.corda.nodeapi.internal.IdentityGenerator
 import net.corda.testing.node.internal.demorun.*
 import net.corda.testing.ALICE_NAME
 import net.corda.testing.BOB_NAME
@@ -24,7 +23,7 @@ private val notaryNames = createNotaryNames(3)
 // This is not the intended final design for how to use CordformDefinition, please treat this as experimental and DO
 // NOT use this as a design to copy.
 class RaftNotaryCordform : CordformDefinition() {
-    private val clusterName = CordaX500Name(RaftValidatingNotaryService.id, "Raft", "Zurich", "CH")
+    private val clusterName = CordaX500Name("Raft", "Zurich", "CH")
 
     init {
         nodesDirectory = Paths.get("build", "nodes", "nodesRaft")
@@ -60,9 +59,9 @@ class RaftNotaryCordform : CordformDefinition() {
     }
 
     override fun setup(context: CordformContext) {
-        ServiceIdentityGenerator.generateToDisk(
+        IdentityGenerator.generateDistributedNotaryIdentity(
                 notaryNames.map { context.baseDirectory(it.toString()) },
-                clusterName,
-                NotaryService.constructId(validating = true, raft = true))
+                clusterName
+        )
     }
 }
diff --git a/testing/node-driver/build.gradle b/testing/node-driver/build.gradle
index c50a027047..a13ec48018 100644
--- a/testing/node-driver/build.gradle
+++ b/testing/node-driver/build.gradle
@@ -29,7 +29,7 @@ dependencies {
     compile "net.corda.plugins:cordform-common:$gradle_plugins_version"
 
     // Integration test helpers
-    integrationTestCompile "org.assertj:assertj-core:${assertj_version}"
+    testCompile "org.assertj:assertj-core:$assertj_version"
     integrationTestCompile "junit:junit:$junit_version"
 
     // Jetty dependencies for NetworkMapClient test.
diff --git a/testing/node-driver/src/main/kotlin/net/corda/testing/node/MockNode.kt b/testing/node-driver/src/main/kotlin/net/corda/testing/node/MockNode.kt
index 34cd93d367..84fe07acc5 100644
--- a/testing/node-driver/src/main/kotlin/net/corda/testing/node/MockNode.kt
+++ b/testing/node-driver/src/main/kotlin/net/corda/testing/node/MockNode.kt
@@ -9,6 +9,7 @@ import net.corda.core.crypto.random63BitValue
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.identity.Party
 import net.corda.core.identity.PartyAndCertificate
+import net.corda.core.internal.VisibleForTesting
 import net.corda.core.internal.createDirectories
 import net.corda.core.internal.createDirectory
 import net.corda.core.internal.uncheckedCast
@@ -37,7 +38,7 @@ import net.corda.node.services.transactions.BFTSMaRt
 import net.corda.node.services.transactions.InMemoryTransactionVerifierService
 import net.corda.node.utilities.AffinityExecutor
 import net.corda.node.utilities.AffinityExecutor.ServiceAffinityExecutor
-import net.corda.nodeapi.internal.ServiceIdentityGenerator
+import net.corda.nodeapi.internal.IdentityGenerator
 import net.corda.nodeapi.internal.config.User
 import net.corda.nodeapi.internal.network.NetworkParametersCopier
 import net.corda.nodeapi.internal.network.NotaryInfo
@@ -125,14 +126,14 @@ data class MockNodeArgs(
  * By default a single notary node is automatically started, which forms part of the network parameters for all the nodes.
  * This node is available by calling [defaultNotaryNode].
  */
-class MockNetwork(private val cordappPackages: List<String>,
-                  defaultParameters: MockNetworkParameters = MockNetworkParameters(),
-                  private val networkSendManuallyPumped: Boolean = defaultParameters.networkSendManuallyPumped,
-                  private val threadPerNode: Boolean = defaultParameters.threadPerNode,
-                  servicePeerAllocationStrategy: InMemoryMessagingNetwork.ServicePeerAllocationStrategy = defaultParameters.servicePeerAllocationStrategy,
-                  private val defaultFactory: (MockNodeArgs) -> MockNode = defaultParameters.defaultFactory,
-                  initialiseSerialization: Boolean = defaultParameters.initialiseSerialization,
-                  private val notarySpecs: List<NotarySpec> = defaultParameters.notarySpecs) {
+open class MockNetwork(private val cordappPackages: List<String>,
+                       defaultParameters: MockNetworkParameters = MockNetworkParameters(),
+                       private val networkSendManuallyPumped: Boolean = defaultParameters.networkSendManuallyPumped,
+                       private val threadPerNode: Boolean = defaultParameters.threadPerNode,
+                       servicePeerAllocationStrategy: InMemoryMessagingNetwork.ServicePeerAllocationStrategy = defaultParameters.servicePeerAllocationStrategy,
+                       private val defaultFactory: (MockNodeArgs) -> MockNode = defaultParameters.defaultFactory,
+                       initialiseSerialization: Boolean = defaultParameters.initialiseSerialization,
+                       private val notarySpecs: List<NotarySpec> = defaultParameters.notarySpecs) {
     /** Helper constructor for creating a [MockNetwork] with custom parameters from Java. */
     @JvmOverloads
     constructor(cordappPackages: List<String>, parameters: MockNetworkParameters = MockNetworkParameters()) : this(cordappPackages, defaultParameters = parameters)
@@ -141,7 +142,7 @@ class MockNetwork(private val cordappPackages: List<String>,
         // Apache SSHD for whatever reason registers a SFTP FileSystemProvider - which gets loaded by JimFS.
         // This SFTP support loads BouncyCastle, which we want to avoid.
         // Please see https://issues.apache.org/jira/browse/SSHD-736 - it's easier then to create our own fork of SSHD
-        SecurityUtils.setAPrioriDisabledProvider("BC", true)
+        SecurityUtils.setAPrioriDisabledProvider("BC", true) // XXX: Why isn't this static?
     }
 
     var nextNodeId = 0
@@ -159,6 +160,7 @@ class MockNetwork(private val cordappPackages: List<String>,
         throw IllegalStateException("Using more than one MockNetwork simultaneously is not supported.", e)
     }
     private val sharedUserCount = AtomicInteger(0)
+
     /** A read only view of the current set of nodes. */
     val nodes: List<MockNode> get() = _nodes
 
@@ -172,32 +174,29 @@ class MockNetwork(private val cordappPackages: List<String>,
      * Returns the single notary node on the network. Throws if there are none or more than one.
      * @see notaryNodes
      */
-    val defaultNotaryNode: StartedNode<MockNode>
-        get() {
-            return when (notaryNodes.size) {
-                0 -> throw IllegalStateException("There are no notaries defined on the network")
-                1 -> notaryNodes[0]
-                else -> throw IllegalStateException("There is more than one notary defined on the network")
-            }
+    val defaultNotaryNode: StartedNode<MockNode> get() {
+        return when (notaryNodes.size) {
+            0 -> throw IllegalStateException("There are no notaries defined on the network")
+            1 -> notaryNodes[0]
+            else -> throw IllegalStateException("There is more than one notary defined on the network")
         }
+    }
 
     /**
      * Return the identity of the default notary node.
      * @see defaultNotaryNode
      */
-    val defaultNotaryIdentity: Party
-        get() {
-            return defaultNotaryNode.info.legalIdentities.singleOrNull() ?: throw IllegalStateException("Default notary has multiple identities")
-        }
+    val defaultNotaryIdentity: Party get() {
+        return defaultNotaryNode.info.legalIdentities.singleOrNull() ?: throw IllegalStateException("Default notary has multiple identities")
+    }
 
     /**
      * Return the identity of the default notary node.
      * @see defaultNotaryNode
      */
-    val defaultNotaryIdentityAndCert: PartyAndCertificate
-        get() {
-            return defaultNotaryNode.info.legalIdentitiesAndCerts.singleOrNull() ?: throw IllegalStateException("Default notary has multiple identities")
-        }
+    val defaultNotaryIdentityAndCert: PartyAndCertificate get() {
+        return defaultNotaryNode.info.legalIdentitiesAndCerts.singleOrNull() ?: throw IllegalStateException("Default notary has multiple identities")
+    }
 
     /**
      * Because this executor is shared, we need to be careful about nodes shutting it down.
@@ -222,27 +221,31 @@ class MockNetwork(private val cordappPackages: List<String>,
     }
 
     init {
-        filesystem.getPath("/nodes").createDirectory()
-        val notaryInfos = generateNotaryIdentities()
-        // The network parameters must be serialised before starting any of the nodes
-        networkParameters = NetworkParametersCopier(testNetworkParameters(notaryInfos))
-        notaryNodes = createNotaries()
+        try {
+            filesystem.getPath("/nodes").createDirectory()
+            val notaryInfos = generateNotaryIdentities()
+            // The network parameters must be serialised before starting any of the nodes
+            networkParameters = NetworkParametersCopier(testNetworkParameters(notaryInfos))
+            @Suppress("LeakingThis")
+            notaryNodes = createNotaries()
+        } catch (t: Throwable) {
+            stopNodes()
+            throw t
+        }
     }
 
     private fun generateNotaryIdentities(): List<NotaryInfo> {
         return notarySpecs.mapIndexed { index, (name, validating) ->
-            val identity = ServiceIdentityGenerator.generateToDisk(
-                    dirs = listOf(baseDirectory(nextNodeId + index)),
-                    serviceName = name,
-                    serviceId = "identity")
+            val identity = IdentityGenerator.generateNodeIdentity(baseDirectory(nextNodeId + index), name)
             NotaryInfo(identity, validating)
         }
     }
 
-    private fun createNotaries(): List<StartedNode<MockNode>> {
-        return notarySpecs.map { spec ->
-            createNode(MockNodeParameters(legalName = spec.name, configOverrides = {
-                doReturn(NotaryConfig(spec.validating)).whenever(it).notary
+    @VisibleForTesting
+    internal open fun createNotaries(): List<StartedNode<MockNode>> {
+        return notarySpecs.map { (name, validating) ->
+            createNode(MockNodeParameters(legalName = name, configOverrides = {
+                doReturn(NotaryConfig(validating)).whenever(it).notary
             }))
         }
     }
@@ -299,7 +302,7 @@ class MockNetwork(private val cordappPackages: List<String>,
                     id,
                     serverThread,
                     myNotaryIdentity,
-                    myLegalName,
+                    configuration.myLegalName,
                     database).also { runOnStop += it::stop }
         }
 
@@ -457,8 +460,11 @@ class MockNetwork(private val cordappPackages: List<String>,
     }
 
     fun stopNodes() {
-        nodes.forEach { it.started?.dispose() }
-        serializationEnv.unset()
+        try {
+            nodes.forEach { it.started?.dispose() }
+        } finally {
+            serializationEnv.unset() // Must execute even if other parts of this method fail.
+        }
         messagingNetwork.stop()
     }
 
diff --git a/testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/DriverDSLImpl.kt b/testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/DriverDSLImpl.kt
index 308ac4fe5a..5833840bb4 100644
--- a/testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/DriverDSLImpl.kt
+++ b/testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/DriverDSLImpl.kt
@@ -19,7 +19,6 @@ import net.corda.core.internal.createDirectories
 import net.corda.core.internal.div
 import net.corda.core.messaging.CordaRPCOps
 import net.corda.core.node.services.NetworkMapCache
-import net.corda.core.node.services.NotaryService
 import net.corda.core.toFuture
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.core.utilities.contextLogger
@@ -30,12 +29,9 @@ import net.corda.node.internal.NodeStartup
 import net.corda.node.internal.StartedNode
 import net.corda.node.services.Permissions
 import net.corda.node.services.config.*
-import net.corda.node.services.transactions.BFTNonValidatingNotaryService
-import net.corda.node.services.transactions.RaftNonValidatingNotaryService
-import net.corda.node.services.transactions.RaftValidatingNotaryService
 import net.corda.node.utilities.registration.HTTPNetworkRegistrationService
 import net.corda.node.utilities.registration.NetworkRegistrationHelper
-import net.corda.nodeapi.internal.ServiceIdentityGenerator
+import net.corda.nodeapi.internal.IdentityGenerator
 import net.corda.nodeapi.internal.addShutdownHook
 import net.corda.nodeapi.internal.config.User
 import net.corda.nodeapi.internal.config.parseAs
@@ -245,9 +241,9 @@ class DriverDSLImpl(
     }
 
     private enum class ClusterType(val validating: Boolean, val clusterName: CordaX500Name) {
-        VALIDATING_RAFT(true, CordaX500Name(RaftValidatingNotaryService.id, "Raft", "Zurich", "CH")),
-        NON_VALIDATING_RAFT(false, CordaX500Name(RaftNonValidatingNotaryService.id, "Raft", "Zurich", "CH")),
-        NON_VALIDATING_BFT(false, CordaX500Name(BFTNonValidatingNotaryService.id, "BFT", "Zurich", "CH"))
+        VALIDATING_RAFT(true, CordaX500Name("Raft", "Zurich", "CH")),
+        NON_VALIDATING_RAFT(false, CordaX500Name("Raft", "Zurich", "CH")),
+        NON_VALIDATING_BFT(false, CordaX500Name("BFT", "Zurich", "CH"))
     }
 
     internal fun startCordformNodes(cordforms: List<CordformNode>): CordaFuture<*> {
@@ -270,24 +266,15 @@ class DriverDSLImpl(
                 clusterNodes.put(ClusterType.NON_VALIDATING_BFT, name)
             } else {
                 // We have all we need here to generate the identity for single node notaries
-                val identity = ServiceIdentityGenerator.generateToDisk(
-                        dirs = listOf(baseDirectory(name)),
-                        serviceName = name,
-                        serviceId = "identity"
-                )
+                val identity = IdentityGenerator.generateNodeIdentity(baseDirectory(name), legalName = name)
                 notaryInfos += NotaryInfo(identity, notaryConfig.validating)
             }
         }
 
         clusterNodes.asMap().forEach { type, nodeNames ->
-            val identity = ServiceIdentityGenerator.generateToDisk(
+            val identity = IdentityGenerator.generateDistributedNotaryIdentity(
                     dirs = nodeNames.map { baseDirectory(it) },
-                    serviceName = type.clusterName,
-                    serviceId = NotaryService.constructId(
-                            validating = type.validating,
-                            raft = type in setOf(VALIDATING_RAFT, NON_VALIDATING_RAFT),
-                            bft = type == ClusterType.NON_VALIDATING_BFT
-                    )
+                    notaryName = type.clusterName
             )
             notaryInfos += NotaryInfo(identity, type.validating)
         }
@@ -369,20 +356,11 @@ class DriverDSLImpl(
     private fun generateNotaryIdentities(): List<NotaryInfo> {
         return notarySpecs.map { spec ->
             val identity = if (spec.cluster == null) {
-                ServiceIdentityGenerator.generateToDisk(
-                        dirs = listOf(baseDirectory(spec.name)),
-                        serviceName = spec.name,
-                        serviceId = "identity",
-                        customRootCert = compatibilityZone?.rootCert
-                )
+                IdentityGenerator.generateNodeIdentity(baseDirectory(spec.name), spec.name, compatibilityZone?.rootCert)
             } else {
-                ServiceIdentityGenerator.generateToDisk(
+                IdentityGenerator.generateDistributedNotaryIdentity(
                         dirs = generateNodeNames(spec).map { baseDirectory(it) },
-                        serviceName = spec.name,
-                        serviceId = NotaryService.constructId(
-                                validating = spec.validating,
-                                raft = spec.cluster is ClusterSpec.Raft
-                        ),
+                        notaryName = spec.name,
                         customRootCert = compatibilityZone?.rootCert
                 )
             }
diff --git a/testing/node-driver/src/test/kotlin/net/corda/testing/node/MockNetworkTests.kt b/testing/node-driver/src/test/kotlin/net/corda/testing/node/MockNetworkTests.kt
new file mode 100644
index 0000000000..10d9358243
--- /dev/null
+++ b/testing/node-driver/src/test/kotlin/net/corda/testing/node/MockNetworkTests.kt
@@ -0,0 +1,18 @@
+package net.corda.testing.node
+
+import net.corda.core.serialization.internal.effectiveSerializationEnv
+import org.assertj.core.api.Assertions.assertThatThrownBy
+import org.junit.Test
+
+class MockNetworkTests {
+    @Test
+    fun `does not leak serialization env if init fails`() {
+        val e = Exception("didn't work")
+        assertThatThrownBy {
+            object : MockNetwork(emptyList(), initialiseSerialization = true) {
+                override fun createNotaries() = throw e
+            }
+        }.isSameAs(e)
+        assertThatThrownBy { effectiveSerializationEnv }.isInstanceOf(IllegalStateException::class.java)
+    }
+}
diff --git a/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt b/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt
index 11e572e2d7..860af415ac 100644
--- a/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt
+++ b/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt
@@ -10,6 +10,7 @@ import net.corda.core.identity.CordaX500Name
 import net.corda.core.identity.Party
 import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.internal.cert
+import net.corda.core.internal.unspecifiedCountry
 import net.corda.core.internal.x500Name
 import net.corda.core.node.NodeInfo
 import net.corda.core.utilities.NetworkHostAndPort
@@ -91,13 +92,13 @@ fun getTestPartyAndCertificate(party: Party): PartyAndCertificate {
     val trustRoot: X509CertificateHolder = DEV_TRUST_ROOT
     val intermediate: CertificateAndKeyPair = DEV_CA
 
-    val nodeCaName = party.name.copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN)
+
     val nodeCaKeyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
     val nodeCaCert = X509Utilities.createCertificate(
             CertificateType.NODE_CA,
             intermediate.certificate,
             intermediate.keyPair,
-            nodeCaName,
+            party.name,
             nodeCaKeyPair.public,
             nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, party.name.x500Name))), arrayOf()))
 
diff --git a/tools/demobench/src/main/kotlin/net/corda/demobench/model/NodeController.kt b/tools/demobench/src/main/kotlin/net/corda/demobench/model/NodeController.kt
index 37e019b367..ee6b38fdb5 100644
--- a/tools/demobench/src/main/kotlin/net/corda/demobench/model/NodeController.kt
+++ b/tools/demobench/src/main/kotlin/net/corda/demobench/model/NodeController.kt
@@ -13,7 +13,7 @@ import net.corda.demobench.pty.R3Pty
 import net.corda.nodeapi.internal.network.NetworkParameters
 import net.corda.nodeapi.internal.network.NetworkParametersCopier
 import net.corda.nodeapi.internal.network.NotaryInfo
-import net.corda.nodeapi.internal.ServiceIdentityGenerator
+import net.corda.nodeapi.internal.IdentityGenerator
 import tornadofx.*
 import java.io.IOException
 import java.lang.management.ManagementFactory
@@ -153,10 +153,7 @@ class NodeController(check: atRuntime = ::checkExists) : Controller() {
 
     // Generate notary identity and save it into node's directory. This identity will be used in network parameters.
     private fun getNotaryIdentity(config: NodeConfigWrapper): Party {
-        return ServiceIdentityGenerator.generateToDisk(
-                dirs = listOf(config.nodeDir),
-                serviceName = config.nodeConfig.myLegalName,
-                serviceId = "identity")
+        return IdentityGenerator.generateNodeIdentity(config.nodeDir, config.nodeConfig.myLegalName)
     }
 
     fun reset() {

From c0e997c1dd9159d797d5f9d7edeb8bf067cb7184 Mon Sep 17 00:00:00 2001
From: Viktor Kolomeyko <viktor.kolomeyko@r3.com>
Date: Wed, 20 Dec 2017 12:01:32 +0000
Subject: [PATCH 3/6] Wave 3 of Business Network changes. (#193)

* R3NET-546: Re-arrange independent flows into separate packages. Functionally this is a NOP change.

* R3NET-546: Start BNO as a separate Corda node and improve GUI experience for IOU.

* R3NET-546: Move all the membership checks to the Business Network Owner node side, creating "InitiatedBy" flows as necessary.

* R3NET-546: Make MembershipViolationException AMQP serializable.

* R3NET-546: Improve GUI error reporting in case of membership violation.

* R3NET-546: Code changes following review by: @shamsasari

* R3NET-546: Code changes following review by: @shamsasari

* R3NET-546: Added a dedicated InvalidMembershipListNameException.
---
 .../{Contract.kt => iou/IOUContract.kt}       |  2 +-
 .../{Flow.kt => iou/IOUFlow.kt}               | 12 +++---
 .../IOUFlowResponder.kt}                      | 10 ++---
 .../{State.kt => iou/IOUState.kt}             |  2 +-
 .../membership/CheckMembershipFlow.kt         | 38 -----------------
 .../membership/MembershipAware.kt             | 26 ------------
 .../ObtainMembershipListContentFlow.kt        | 16 -------
 .../membership/flow/CheckMembershipFlow.kt    | 42 +++++++++++++++++++
 .../membership/flow/MembershipAware.kt        | 32 ++++++++++++++
 .../membership/{ => flow}/MembershipList.kt   |  2 +-
 .../flow/ObtainMembershipListContentFlow.kt   | 34 +++++++++++++++
 .../membership/internal/CsvMembershipList.kt  |  2 +-
 .../internal/MembershipListProvider.kt        |  4 +-
 .../net/corda/explorer/ExplorerSimulation.kt  | 18 ++++++--
 .../explorer/model/MembershipListModel.kt     |  4 +-
 .../net/corda/explorer/views/Network.kt       |  5 ++-
 .../corda/explorer/views/TransactionViewer.kt |  2 +-
 .../explorer/views/cordapps/iou/IOUViewer.kt  | 30 +++++++++++--
 .../views/cordapps/iou/NewTransaction.kt      | 12 +++++-
 19 files changed, 181 insertions(+), 112 deletions(-)
 rename samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/{Contract.kt => iou/IOUContract.kt} (96%)
 rename samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/{Flow.kt => iou/IOUFlow.kt} (88%)
 rename samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/{FlowResponder.kt => iou/IOUFlowResponder.kt} (72%)
 rename samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/{State.kt => iou/IOUState.kt} (85%)
 delete mode 100644 samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/CheckMembershipFlow.kt
 delete mode 100644 samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/MembershipAware.kt
 delete mode 100644 samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/ObtainMembershipListContentFlow.kt
 create mode 100644 samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/CheckMembershipFlow.kt
 create mode 100644 samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/MembershipAware.kt
 rename samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/{ => flow}/MembershipList.kt (90%)
 create mode 100644 samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/ObtainMembershipListContentFlow.kt

diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/Contract.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUContract.kt
similarity index 96%
rename from samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/Contract.kt
rename to samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUContract.kt
index 3bafcf3a03..b4f880d36f 100644
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/Contract.kt
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUContract.kt
@@ -1,4 +1,4 @@
-package net.corda.sample.businessnetwork
+package net.corda.sample.businessnetwork.iou
 
 import net.corda.core.contracts.CommandData
 import net.corda.core.contracts.Contract
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/Flow.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUFlow.kt
similarity index 88%
rename from samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/Flow.kt
rename to samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUFlow.kt
index 068a8f9161..8c8765b24e 100644
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/Flow.kt
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUFlow.kt
@@ -1,4 +1,4 @@
-package net.corda.sample.businessnetwork
+package net.corda.sample.businessnetwork.iou
 
 import co.paralleluniverse.fibers.Suspendable
 import net.corda.core.contracts.Command
@@ -9,19 +9,19 @@ import net.corda.core.identity.Party
 import net.corda.core.transactions.SignedTransaction
 import net.corda.core.transactions.TransactionBuilder
 import net.corda.core.utilities.ProgressTracker
-import net.corda.sample.businessnetwork.membership.MembershipAware
-import net.corda.sample.businessnetwork.membership.CheckMembershipFlow
-import net.corda.sample.businessnetwork.membership.CheckMembershipResult
+import net.corda.sample.businessnetwork.membership.flow.CheckMembershipFlow
+import net.corda.sample.businessnetwork.membership.flow.CheckMembershipResult
 import kotlin.reflect.jvm.jvmName
 
 @InitiatingFlow
 @StartableByRPC
 class IOUFlow(val iouValue: Int,
-              val otherParty: Party) : FlowLogic<SignedTransaction>(), MembershipAware {
+              val otherParty: Party) : FlowLogic<SignedTransaction>() {
 
     companion object {
+        // TODO: Derive membership name from CorDapp config.
         val allowedMembershipName =
-                CordaX500Name("AliceBobMembershipList", "AliceBob", "Washington", "US")
+                CordaX500Name("AliceBobMembershipList", "Oslo", "NO")
     }
 
     /** The progress tracker provides checkpoints indicating the progress of the flow to observers. */
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/FlowResponder.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUFlowResponder.kt
similarity index 72%
rename from samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/FlowResponder.kt
rename to samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUFlowResponder.kt
index b9e6a2ac06..8c59fcbecc 100644
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/FlowResponder.kt
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUFlowResponder.kt
@@ -1,4 +1,4 @@
-package net.corda.sample.businessnetwork
+package net.corda.sample.businessnetwork.iou
 
 import co.paralleluniverse.fibers.Suspendable
 import net.corda.core.contracts.requireThat
@@ -7,14 +7,14 @@ import net.corda.core.flows.FlowSession
 import net.corda.core.flows.InitiatedBy
 import net.corda.core.flows.SignTransactionFlow
 import net.corda.core.transactions.SignedTransaction
-import net.corda.sample.businessnetwork.membership.MembershipAware
+import net.corda.sample.businessnetwork.membership.flow.CheckMembershipFlow
+import net.corda.sample.businessnetwork.membership.flow.CheckMembershipResult
 
 @InitiatedBy(IOUFlow::class)
-class IOUFlowResponder(val otherPartySession: FlowSession) : FlowLogic<Unit>(), MembershipAware {
+class IOUFlowResponder(val otherPartySession: FlowSession) : FlowLogic<Unit>() {
     @Suspendable
     override fun call() {
-
-        otherPartySession.counterparty.checkMembership(IOUFlow.allowedMembershipName, this)
+        check(subFlow(CheckMembershipFlow(otherPartySession.counterparty, IOUFlow.allowedMembershipName)) == CheckMembershipResult.PASS)
 
         subFlow(object : SignTransactionFlow(otherPartySession, SignTransactionFlow.tracker()) {
             override fun checkTransaction(stx: SignedTransaction) = requireThat {
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/State.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUState.kt
similarity index 85%
rename from samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/State.kt
rename to samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUState.kt
index 9cd8b888e4..b5add03b77 100644
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/State.kt
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/iou/IOUState.kt
@@ -1,4 +1,4 @@
-package net.corda.sample.businessnetwork
+package net.corda.sample.businessnetwork.iou
 
 import net.corda.core.contracts.ContractState
 import net.corda.core.identity.Party
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/CheckMembershipFlow.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/CheckMembershipFlow.kt
deleted file mode 100644
index 0516a54628..0000000000
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/CheckMembershipFlow.kt
+++ /dev/null
@@ -1,38 +0,0 @@
-package net.corda.sample.businessnetwork.membership
-
-import co.paralleluniverse.fibers.Suspendable
-import net.corda.core.flows.FlowLogic
-import net.corda.core.flows.FlowSession
-import net.corda.core.flows.InitiatedBy
-import net.corda.core.flows.InitiatingFlow
-import net.corda.core.identity.CordaX500Name
-import net.corda.core.identity.Party
-import net.corda.core.serialization.CordaSerializable
-import net.corda.core.utilities.unwrap
-
-@CordaSerializable
-enum class CheckMembershipResult {
-    PASS,
-    FAIL
-}
-
-@InitiatingFlow
-class CheckMembershipFlow(private val otherParty: Party, private val membershipName: CordaX500Name) : FlowLogic<CheckMembershipResult>(), MembershipAware {
-    @Suspendable
-    override fun call(): CheckMembershipResult {
-        otherParty.checkMembership(membershipName, this)
-        // This will trigger CounterpartyCheckMembershipFlow
-        val untrustworthyData = initiateFlow(otherParty).sendAndReceive<CheckMembershipResult>(membershipName)
-        return untrustworthyData.unwrap { it }
-    }
-}
-
-@InitiatedBy(CheckMembershipFlow::class)
-class CounterpartyCheckMembershipFlow(private val otherPartySession: FlowSession) : FlowLogic<Unit>(), MembershipAware {
-    @Suspendable
-    override fun call() {
-        val membershipName = otherPartySession.receive<CordaX500Name>().unwrap { it }
-        otherPartySession.counterparty.checkMembership(membershipName, this)
-        otherPartySession.send(CheckMembershipResult.PASS)
-    }
-}
\ No newline at end of file
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/MembershipAware.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/MembershipAware.kt
deleted file mode 100644
index dd436b6d68..0000000000
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/MembershipAware.kt
+++ /dev/null
@@ -1,26 +0,0 @@
-package net.corda.sample.businessnetwork.membership
-
-import net.corda.core.flows.FlowException
-import net.corda.core.flows.FlowLogic
-import net.corda.core.identity.AbstractParty
-import net.corda.core.identity.CordaX500Name
-import net.corda.core.node.ServiceHub
-import net.corda.sample.businessnetwork.membership.internal.MembershipListProvider
-
-interface MembershipAware {
-    /**
-     * Checks that party has at least one common membership list with current node.
-     * TODO: This functionality ought to be moved into a dedicated CordaService.
-     */
-    fun <T> AbstractParty.checkMembership(membershipName: CordaX500Name, initiatorFlow: FlowLogic<T>) {
-        val membershipList = getMembershipList(membershipName, initiatorFlow.serviceHub)
-        if (this !in membershipList) {
-            val msg = "'$this' doesn't belong to membership list: ${membershipName.commonName}"
-            throw MembershipViolationException(msg)
-        }
-    }
-
-    fun getMembershipList(listName: CordaX500Name, serviceHub: ServiceHub): MembershipList = MembershipListProvider.obtainMembershipList(listName, serviceHub.networkMapCache)
-}
-
-class MembershipViolationException(msg: String) : FlowException(msg)
\ No newline at end of file
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/ObtainMembershipListContentFlow.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/ObtainMembershipListContentFlow.kt
deleted file mode 100644
index d44e3865fc..0000000000
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/ObtainMembershipListContentFlow.kt
+++ /dev/null
@@ -1,16 +0,0 @@
-package net.corda.sample.businessnetwork.membership
-
-import co.paralleluniverse.fibers.Suspendable
-import net.corda.core.flows.FlowLogic
-import net.corda.core.flows.StartableByRPC
-import net.corda.core.identity.AbstractParty
-import net.corda.core.identity.CordaX500Name
-
-/**
- * Flow to obtain content of the membership lists this node belongs to.
- */
-@StartableByRPC
-class ObtainMembershipListContentFlow(private val membershipListName: CordaX500Name) : FlowLogic<Set<AbstractParty>>(), MembershipAware {
-    @Suspendable
-    override fun call(): Set<AbstractParty> = getMembershipList(membershipListName, serviceHub).content()
-}
\ No newline at end of file
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/CheckMembershipFlow.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/CheckMembershipFlow.kt
new file mode 100644
index 0000000000..6f21a054d6
--- /dev/null
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/CheckMembershipFlow.kt
@@ -0,0 +1,42 @@
+package net.corda.sample.businessnetwork.membership.flow
+
+import co.paralleluniverse.fibers.Suspendable
+import net.corda.core.flows.FlowLogic
+import net.corda.core.flows.FlowSession
+import net.corda.core.flows.InitiatedBy
+import net.corda.core.flows.InitiatingFlow
+import net.corda.core.identity.CordaX500Name
+import net.corda.core.identity.Party
+import net.corda.core.serialization.CordaSerializable
+import net.corda.core.utilities.unwrap
+
+@CordaSerializable
+enum class CheckMembershipResult {
+    PASS,
+    FAIL
+}
+
+@InitiatingFlow
+class CheckMembershipFlow(private val otherParty: Party, private val membershipName: CordaX500Name) : FlowLogic<CheckMembershipResult>() {
+    @Suspendable
+    override fun call(): CheckMembershipResult {
+        val bnoParty = serviceHub.networkMapCache.getPeerByLegalName(membershipName)
+        return if (bnoParty != null) {
+            // This will trigger CounterpartyCheckMembershipFlow
+            val untrustworthyData = initiateFlow(bnoParty).sendAndReceive<CheckMembershipResult>(otherParty)
+            untrustworthyData.unwrap { it }
+        } else {
+            throw InvalidMembershipListNameException(membershipName)
+        }
+    }
+}
+
+@InitiatedBy(CheckMembershipFlow::class)
+class OwnerSideCheckMembershipFlow(private val initiatingPartySession: FlowSession) : FlowLogic<Unit>(), MembershipAware {
+    @Suspendable
+    override fun call() {
+        val partyToCheck = initiatingPartySession.receive<Party>().unwrap { it }
+        partyToCheck.checkMembership(ourIdentity.name, this)
+        initiatingPartySession.send(CheckMembershipResult.PASS)
+    }
+}
\ No newline at end of file
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/MembershipAware.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/MembershipAware.kt
new file mode 100644
index 0000000000..b55b4b475b
--- /dev/null
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/MembershipAware.kt
@@ -0,0 +1,32 @@
+package net.corda.sample.businessnetwork.membership.flow
+
+import net.corda.core.flows.FlowException
+import net.corda.core.flows.FlowLogic
+import net.corda.core.identity.AbstractParty
+import net.corda.core.identity.CordaX500Name
+import net.corda.core.node.ServiceHub
+import net.corda.sample.businessnetwork.membership.internal.MembershipListProvider
+import org.slf4j.LoggerFactory
+
+interface MembershipAware {
+    /**
+     * Checks that party is included into the specified membership list.
+     */
+    fun <T> AbstractParty.checkMembership(membershipName: CordaX500Name, initiatorFlow: FlowLogic<T>) {
+        LoggerFactory.getLogger(javaClass).debug("Checking membership of party '${this.nameOrNull()}' in membership list '$membershipName'")
+        val membershipList = getMembershipList(membershipName, initiatorFlow.serviceHub)
+        if (this !in membershipList) {
+            val msg = "'$this' doesn't belong to membership list: ${membershipName.organisation}"
+            throw MembershipViolationException(msg)
+        }
+    }
+
+    fun getMembershipList(listName: CordaX500Name, serviceHub: ServiceHub): MembershipList {
+        LoggerFactory.getLogger(javaClass).debug("Obtaining membership list for name '$listName'")
+        return MembershipListProvider.obtainMembershipList(listName, serviceHub.networkMapCache)
+    }
+}
+
+class MembershipViolationException(val msg: String) : FlowException(msg)
+
+class InvalidMembershipListNameException(val membershipListName: CordaX500Name) : FlowException("Business Network owner node not found for: $membershipListName")
\ No newline at end of file
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/MembershipList.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/MembershipList.kt
similarity index 90%
rename from samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/MembershipList.kt
rename to samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/MembershipList.kt
index a8cc101346..fa6253c8e4 100644
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/MembershipList.kt
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/MembershipList.kt
@@ -1,4 +1,4 @@
-package net.corda.sample.businessnetwork.membership
+package net.corda.sample.businessnetwork.membership.flow
 
 import net.corda.core.identity.AbstractParty
 
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/ObtainMembershipListContentFlow.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/ObtainMembershipListContentFlow.kt
new file mode 100644
index 0000000000..fba113c237
--- /dev/null
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/flow/ObtainMembershipListContentFlow.kt
@@ -0,0 +1,34 @@
+package net.corda.sample.businessnetwork.membership.flow
+
+import co.paralleluniverse.fibers.Suspendable
+import net.corda.core.flows.*
+import net.corda.core.identity.AbstractParty
+import net.corda.core.identity.CordaX500Name
+import net.corda.core.utilities.unwrap
+
+/**
+ * Flow to obtain content of the membership lists this node belongs to.
+ */
+@StartableByRPC
+@InitiatingFlow
+class ObtainMembershipListContentFlow(private val membershipListName: CordaX500Name) : FlowLogic<Set<AbstractParty>>() {
+    @Suspendable
+    override fun call(): Set<AbstractParty> {
+        val bnoParty = serviceHub.networkMapCache.getPeerByLegalName(membershipListName) ?:
+                throw InvalidMembershipListNameException(membershipListName)
+        val untrustworthyData = initiateFlow(bnoParty).receive<Set<AbstractParty>>()
+        return untrustworthyData.unwrap { it }
+    }
+}
+
+@InitiatedBy(ObtainMembershipListContentFlow::class)
+class OwnerSideObtainMembershipListContentFlow(private val initiatingPartySession: FlowSession) : FlowLogic<Unit>(), MembershipAware {
+    @Suspendable
+    override fun call() {
+        // Checking whether the calling party is a member. If not it is not even in position to enquire about membership list content.
+        initiatingPartySession.counterparty.checkMembership(ourIdentity.name, this)
+
+        val membershipListContent: Set<AbstractParty> = getMembershipList(ourIdentity.name, serviceHub).content()
+        initiatingPartySession.send(membershipListContent)
+    }
+}
\ No newline at end of file
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/internal/CsvMembershipList.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/internal/CsvMembershipList.kt
index 5a98412c97..1e1186e552 100644
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/internal/CsvMembershipList.kt
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/internal/CsvMembershipList.kt
@@ -4,7 +4,7 @@ import com.opencsv.CSVReaderBuilder
 import net.corda.core.identity.AbstractParty
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.node.services.NetworkMapCache
-import net.corda.sample.businessnetwork.membership.MembershipList
+import net.corda.sample.businessnetwork.membership.flow.MembershipList
 import java.io.InputStream
 
 /**
diff --git a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/internal/MembershipListProvider.kt b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/internal/MembershipListProvider.kt
index b9ad6e1f92..98e215bcd4 100644
--- a/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/internal/MembershipListProvider.kt
+++ b/samples/business-network-demo/src/main/kotlin/net/corda/sample/businessnetwork/membership/internal/MembershipListProvider.kt
@@ -2,9 +2,9 @@ package net.corda.sample.businessnetwork.membership.internal
 
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.node.services.NetworkMapCache
-import net.corda.sample.businessnetwork.membership.MembershipList
+import net.corda.sample.businessnetwork.membership.flow.MembershipList
 
 object MembershipListProvider {
     fun obtainMembershipList(listName: CordaX500Name, networkMapCache: NetworkMapCache): MembershipList =
-            CsvMembershipList(MembershipListProvider::class.java.getResourceAsStream("${listName.commonName}.csv"), networkMapCache)
+            CsvMembershipList(MembershipListProvider::class.java.getResourceAsStream("${listName.organisation}.csv"), networkMapCache)
 }
\ No newline at end of file
diff --git a/tools/explorer/src/main/kotlin/net/corda/explorer/ExplorerSimulation.kt b/tools/explorer/src/main/kotlin/net/corda/explorer/ExplorerSimulation.kt
index 7c8ef402dc..9bc750a772 100644
--- a/tools/explorer/src/main/kotlin/net/corda/explorer/ExplorerSimulation.kt
+++ b/tools/explorer/src/main/kotlin/net/corda/explorer/ExplorerSimulation.kt
@@ -14,8 +14,8 @@ import net.corda.core.messaging.FlowHandle
 import net.corda.core.messaging.startFlow
 import net.corda.core.utilities.OpaqueBytes
 import net.corda.core.utilities.getOrThrow
-import net.corda.sample.businessnetwork.IOUFlow
-import net.corda.sample.businessnetwork.membership.ObtainMembershipListContentFlow
+import net.corda.sample.businessnetwork.iou.IOUFlow
+import net.corda.sample.businessnetwork.membership.flow.ObtainMembershipListContentFlow
 import net.corda.finance.GBP
 import net.corda.finance.USD
 import net.corda.finance.contracts.asset.Cash
@@ -32,8 +32,14 @@ import net.corda.testing.driver.PortAllocation
 import net.corda.testing.driver.driver
 import java.time.Instant
 import java.util.*
+import kotlin.reflect.KClass
 
 class ExplorerSimulation(private val options: OptionSet) {
+
+    private companion object {
+        fun packagesOfClasses(vararg classes: KClass<*>): List<String> = classes.map { it.java.`package`.name }
+    }
+
     private val user = User("user1", "test", permissions = setOf(
             startFlow<CashPaymentFlow>(),
             startFlow<CashConfigDataFlow>(),
@@ -52,6 +58,7 @@ class ExplorerSimulation(private val options: OptionSet) {
     private lateinit var bobNode: NodeHandle
     private lateinit var issuerNodeGBP: NodeHandle
     private lateinit var issuerNodeUSD: NodeHandle
+    private lateinit var bnoNode: NodeHandle
     private lateinit var notary: Party
 
     private val RPCConnections = ArrayList<CordaRPCConnection>()
@@ -65,7 +72,8 @@ class ExplorerSimulation(private val options: OptionSet) {
 
     fun startDemoNodes() {
         val portAllocation = PortAllocation.Incremental(20000)
-        driver(portAllocation = portAllocation, extraCordappPackagesToScan = listOf("net.corda.finance", IOUFlow::class.java.`package`.name),
+        driver(portAllocation = portAllocation,
+                extraCordappPackagesToScan = packagesOfClasses(CashPaymentFlow::class, IOUFlow::class, ObtainMembershipListContentFlow::class),
                 isDebug = true, waitForAllNodesToFinish = true, jmxPolicy = JmxPolicy(true)) {
             // TODO : Supported flow should be exposed somehow from the node instead of set of ServiceInfo.
             val alice = startNode(providedName = ALICE_NAME, rpcUsers = listOf(user))
@@ -76,14 +84,16 @@ class ExplorerSimulation(private val options: OptionSet) {
                     customOverrides = mapOf("issuableCurrencies" to listOf("GBP")))
             val issuerUSD = startNode(providedName = usaBankName, rpcUsers = listOf(manager),
                     customOverrides = mapOf("issuableCurrencies" to listOf("USD")))
+            val bno = startNode(providedName = IOUFlow.allowedMembershipName, rpcUsers = listOf(user))
 
             notaryNode = defaultNotaryNode.get()
             aliceNode = alice.get()
             bobNode = bob.get()
             issuerNodeGBP = issuerGBP.get()
             issuerNodeUSD = issuerUSD.get()
+            bnoNode = bno.get()
 
-            arrayOf(notaryNode, aliceNode, bobNode, issuerNodeGBP, issuerNodeUSD).forEach {
+            arrayOf(notaryNode, aliceNode, bobNode, issuerNodeGBP, issuerNodeUSD, bnoNode).forEach {
                 println("${it.nodeInfo.legalIdentities.first()} started on ${it.configuration.rpcAddress}")
             }
 
diff --git a/tools/explorer/src/main/kotlin/net/corda/explorer/model/MembershipListModel.kt b/tools/explorer/src/main/kotlin/net/corda/explorer/model/MembershipListModel.kt
index 0c39bfe950..df0712a615 100644
--- a/tools/explorer/src/main/kotlin/net/corda/explorer/model/MembershipListModel.kt
+++ b/tools/explorer/src/main/kotlin/net/corda/explorer/model/MembershipListModel.kt
@@ -9,8 +9,8 @@ import net.corda.client.jfx.utils.map
 import net.corda.core.identity.AbstractParty
 import net.corda.core.messaging.startFlow
 import net.corda.core.utilities.getOrThrow
-import net.corda.sample.businessnetwork.IOUFlow
-import net.corda.sample.businessnetwork.membership.ObtainMembershipListContentFlow
+import net.corda.sample.businessnetwork.iou.IOUFlow
+import net.corda.sample.businessnetwork.membership.flow.ObtainMembershipListContentFlow
 
 class MembershipListModel {
     private val proxy by observableValue(NodeMonitorModel::proxyObservable)
diff --git a/tools/explorer/src/main/kotlin/net/corda/explorer/views/Network.kt b/tools/explorer/src/main/kotlin/net/corda/explorer/views/Network.kt
index 8970e7b1e1..9658b93a61 100644
--- a/tools/explorer/src/main/kotlin/net/corda/explorer/views/Network.kt
+++ b/tools/explorer/src/main/kotlin/net/corda/explorer/views/Network.kt
@@ -83,9 +83,10 @@ class Network : CordaView() {
                     .map { it.stateAndRef.state.data }.getParties()
             val outputParties = it.transaction.tx.outputStates.observable().getParties()
             val signingParties = it.transaction.sigs.map { it.by.toKnownParty() }
-            // Input parties fire a bullets to all output parties, and to the signing parties. !! This is a rough guess of how the message moves in the network.
+            // Input parties fire a bullets to all output parties, then to the signing parties and then signing parties to output parties.
+            // !! This is a rough guess of how the message moves in the network.
             // TODO : Expose artemis queue to get real message information.
-            inputParties.cross(outputParties) + inputParties.cross(signingParties)
+            inputParties.cross(outputParties) + inputParties.cross(signingParties) + signingParties.cross(outputParties)
         }
     }
 
diff --git a/tools/explorer/src/main/kotlin/net/corda/explorer/views/TransactionViewer.kt b/tools/explorer/src/main/kotlin/net/corda/explorer/views/TransactionViewer.kt
index 8d75aec165..b4e2ef1b21 100644
--- a/tools/explorer/src/main/kotlin/net/corda/explorer/views/TransactionViewer.kt
+++ b/tools/explorer/src/main/kotlin/net/corda/explorer/views/TransactionViewer.kt
@@ -28,7 +28,7 @@ import net.corda.core.identity.AbstractParty
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.identity.Party
 import net.corda.core.utilities.toBase58String
-import net.corda.sample.businessnetwork.IOUState
+import net.corda.sample.businessnetwork.iou.IOUState
 import net.corda.explorer.AmountDiff
 import net.corda.explorer.formatters.AmountFormatter
 import net.corda.explorer.formatters.Formatter
diff --git a/tools/explorer/src/main/kotlin/net/corda/explorer/views/cordapps/iou/IOUViewer.kt b/tools/explorer/src/main/kotlin/net/corda/explorer/views/cordapps/iou/IOUViewer.kt
index 3dd6afa82b..51ab1c2c58 100644
--- a/tools/explorer/src/main/kotlin/net/corda/explorer/views/cordapps/iou/IOUViewer.kt
+++ b/tools/explorer/src/main/kotlin/net/corda/explorer/views/cordapps/iou/IOUViewer.kt
@@ -2,10 +2,17 @@ package net.corda.explorer.views.cordapps.iou
 
 import de.jensd.fx.glyphs.fontawesome.FontAwesomeIcon
 import de.jensd.fx.glyphs.fontawesome.FontAwesomeIconView
+import javafx.beans.binding.Bindings
+import javafx.geometry.Pos
 import javafx.scene.input.MouseButton
 import javafx.scene.layout.BorderPane
+import net.corda.client.jfx.model.TransactionDataModel
+import net.corda.client.jfx.model.observableList
+import net.corda.client.jfx.utils.map
 import net.corda.core.utilities.Try
 import net.corda.explorer.model.CordaView
+import net.corda.explorer.model.CordaWidget
+import net.corda.sample.businessnetwork.iou.IOUState
 import net.corda.explorer.model.MembershipListModel
 import tornadofx.*
 
@@ -13,6 +20,7 @@ class IOUViewer : CordaView("IOU") {
     // Inject UI elements.
     override val root: BorderPane by fxml()
     override val icon: FontAwesomeIcon = FontAwesomeIcon.CHEVRON_CIRCLE_RIGHT
+    override val widgets = listOf(CordaWidget(title, IOUWidget(), icon)).observable()
 
     // Wire up UI
     init {
@@ -28,8 +36,22 @@ class IOUViewer : CordaView("IOU") {
     }
 
     fun isEnabledForNode(): Boolean = Try.on {
-                // Assuming if the model can be initialized - the CorDapp is installed
-                val allParties = MembershipListModel().allParties
-                allParties[0]
-            }.isSuccess
+        // Assuming if the model can be initialized - the CorDapp is installed
+        val allParties = MembershipListModel().allParties
+        allParties[0]
+    }.isSuccess
+
+    private class IOUWidget : BorderPane() {
+        private val partiallyResolvedTransactions by observableList(TransactionDataModel::partiallyResolvedTransactions)
+        private val iouTransactions = partiallyResolvedTransactions.filtered { t -> t.transaction.tx.outputs.any({ ts -> ts.data is IOUState }) }
+
+        init {
+            right {
+                label {
+                    textProperty().bind(Bindings.size(iouTransactions).map(Number::toString))
+                    BorderPane.setAlignment(this, Pos.BOTTOM_RIGHT)
+                }
+            }
+        }
+    }
 }
\ No newline at end of file
diff --git a/tools/explorer/src/main/kotlin/net/corda/explorer/views/cordapps/iou/NewTransaction.kt b/tools/explorer/src/main/kotlin/net/corda/explorer/views/cordapps/iou/NewTransaction.kt
index b675b8d2a5..281eaa0c5c 100644
--- a/tools/explorer/src/main/kotlin/net/corda/explorer/views/cordapps/iou/NewTransaction.kt
+++ b/tools/explorer/src/main/kotlin/net/corda/explorer/views/cordapps/iou/NewTransaction.kt
@@ -1,6 +1,7 @@
 package net.corda.explorer.views.cordapps.iou
 
 import com.google.common.base.Splitter
+import com.sun.javafx.collections.ImmutableObservableList
 import javafx.beans.binding.Bindings
 import javafx.beans.binding.BooleanBinding
 import javafx.collections.FXCollections
@@ -15,13 +16,15 @@ import net.corda.client.jfx.model.*
 import net.corda.client.jfx.utils.isNotNull
 import net.corda.client.jfx.utils.map
 import net.corda.core.flows.FlowException
+import net.corda.core.identity.AbstractParty
 import net.corda.core.identity.Party
 import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.messaging.FlowHandle
 import net.corda.core.messaging.startFlow
 import net.corda.core.transactions.SignedTransaction
 import net.corda.core.utilities.getOrThrow
-import net.corda.sample.businessnetwork.IOUFlow
+import net.corda.core.utilities.loggerFor
+import net.corda.sample.businessnetwork.iou.IOUFlow
 import net.corda.explorer.formatters.PartyNameFormatter
 import net.corda.explorer.model.MembershipListModel
 import net.corda.explorer.views.bigDecimalFormatter
@@ -46,7 +49,12 @@ class NewTransaction : Fragment() {
     fun show(window: Window) {
 
         // Every time re-query from the server side
-        val elementsFromServer = MembershipListModel().allParties
+        val elementsFromServer = try {
+            MembershipListModel().allParties
+        } catch (ex: Exception) {
+            loggerFor<NewTransaction>().error("Unexpected error fetching membership list content", ex)
+            ImmutableObservableList<AbstractParty>()
+        }
 
         partyBChoiceBox.apply {
             items = FXCollections.observableList(parties.map { it.chooseIdentityAndCert() }).filtered { elementsFromServer.contains(it.party) }.sorted()

From c2b10a18826c05c7752aa2ccf4fb4372db87ac2e Mon Sep 17 00:00:00 2001
From: Viktor Kolomeyko <viktor.kolomeyko@r3.com>
Date: Wed, 20 Dec 2017 12:07:42 +0000
Subject: [PATCH 4/6] Business Network design document (#204)

* Design doc (unfinished).

* Design doc, requirements completed.

* Design doc, more content and the diagram.

* Design doc, more content.

* Design doc, minor changes.

* Changes following review from @davidleeuk

* Changes following review from @gendal

* Changes following review from @shamsasari
---
 .../businessNetwork/businessNetwork.png       | Bin 0 -> 110806 bytes
 docs/source/design/businessNetwork/design.md  | 235 ++++++++++++++++++
 2 files changed, 235 insertions(+)
 create mode 100644 docs/source/design/businessNetwork/businessNetwork.png
 create mode 100644 docs/source/design/businessNetwork/design.md

diff --git a/docs/source/design/businessNetwork/businessNetwork.png b/docs/source/design/businessNetwork/businessNetwork.png
new file mode 100644
index 0000000000000000000000000000000000000000..3da68e37708e3b9ebe3e1f2ab4cecde278685ec8
GIT binary patch
literal 110806
zcmeFY^LJ!j)HRxPI!?#x*tTukwr$(#sAJo<ZFiE2opfy5xB7X%?~eC}`zPEpMvYT-
z>YUnRuf674bIr9YLP1Xa2MiVr2nfgzNeK}p5Rh-5ARwUOP~U)8#0UDlfG1FAC2=8;
znrWO9;D_(#g0g}jAoa1Z?}p&O&(IDMn$92~=%oK%ppr@?*B~HY#gZa|Djs_0*^oY{
z!|S6MLNK^!prZS=8i=9_3Y2q#0+CWz5=e1)0$x|NgotzAS49b8URM`%saxJqgx%zC
zpJqo+IQhROq5|IDcxW1#XOcG8*N-w+yLH13hNCd(^}0N6UT1!Z<NtfJI~=v_FTwMA
z4Se(Ot54zG+3^3lXZHagIhOB#?!l=2iu1VN`9F_;gbx)W{P#P%!)N>?c)tJr4)Ccj
z!kgp4|2qUi#Q#6U|1s2%mG3pbWJ~QQ@odWwt<>k&*=u5kZPo|>ugCQ*@3${plFd$z
zkMHup73u!|KMSxcu!&bQ{N;S&PqmiPCVH~3k5YcyWHom!_&~!Md+Nxi6m0kPmH+2a
z3po*$Z_HCfe&PtYmS4U9mg%f{A-HX$M%;Nw$WFS`5zk1zzLmsJTGaYf5C>14incye
zBf)D(D}py`I9&rlOIVMY)@MvmOQ%0rX`z@pL5zeGIahqKAF}ddvAAK_*ux{XIkj)C
z&56cvA$c-i(rWj28M(Tw(m)hOEe65A<@cg}SQetx!T;`59!D=HjZMDRF_fdZfQvJ~
zAr(C^5bRcl#JfOzn*;58{B^P0um&lEe8DHL0*SxYSp@E=Im(C<LG46}d>`-8R5$}B
zM`TO%V!+?jc?<L}(f>SEPnef2j*qZUs$p1AmujmOV;0AeZ;C{S#(wu)P{F?nPlZI9
zZbdr!ex?6c0PI2=99?3`FefhQBKW5xrZ}6pjtJ?arM$!~X9PCdk#S5TWX^7un+)N?
zKua_BR1$}@OogDG1c~5}^(`Vc)cEYae={TdZ)QJ4!Ky?g<^k)3y}B%KvjdMZk~FCr
z-i)@7<Fw8R6~n58{XLsQXvHxosrwaxM^4`J+c>;uVsL->F}$-E0GR~IK_p53&l*ul
zP~F1gV5R$Oh9@4HdUtO@?}8Y&7%_$xvX<s}?YZo0jb`9+t1}d}e24xIc->)EvCSlI
zEzJo6y7LoDd<MV5zt4zE<mo0Mb786%he`{~VCI~}F$9dT4Uh_iy)HpAi_M9Je)lOe
zf2$)6Rr2yMP*8?-ES*wnW@(N40EpeTi*%kDi*y{6m<)AFS4fjsQl^;jMVhfT$2ECG
zR`8;j1RE~1#JOcap9v@l7yWS54zGIjip7A4B}EYE^57N!hwf!-ilOmGg;gmc&PlP-
z<Yy7mM2gp6ahih-KLQfSurkLt!rHiEmJzVOxk+Ms$C{q4k)#$$z}AVcmmVMo3-eB*
zt1P|^mu`y3>P#2%A&#JAI`i{XqkfL<cc9Ol@sN!7tyQwKvKnfRCLpQR*`Srn{DS;J
zl*rNK{>nj!?OpjZTWnu7%zQhXdFtRjkWrR456RAB5eLr@1<O+V!uT&1`KDp`(Eg@7
zOmvU7JQiAOKXherv#dMOE<jN>(<3pLC{NxRwiV3dBYmhdS~*-*udD1o%&@9>myvz#
z;SV&%O9w>8<Nnyk4VjC!Vr$96GfYDf%!PCi=ogx(&~VGN{M&#%J$%7eW`UI5Exd_L
zajk*GUPFg`?HDDQ(|II>mntR)IY<ys-?7Z(zwCK+FLf$hvByu7OCaeAwI^w`x+qnG
zfh)u)Aw-T-smtKTbQ?YNjNggRF}s?n=HfN>$9qy%8xby~yMGospXfbY#$jERTHg3-
z%qco00d|>JJZ5UjHYSg5xvK-(o8G?HFwLbGDQ)aW&O4-dlfuTI%bo(~mlS<U_P^pJ
zH3CYpA})IJ7`$*mm?r!;(?tboZ0I;v8bSn`_%Om4Or3F3#OnB92Kl>kY$ijf8Fx)|
zLUc<G0(?~i2?I1}*4!lGk{;I$Djx;)-GC(!7>1$~s<rgW(^>zIWZ3C=3E}JB^Gu$j
zBDM+zhj=^?+rSn$NVpZ&W}8#IVi7wd2)-uzHC$YN57RqSVzi?%pJ_<h{2G_WCiFRn
z64kozfqBG2Xf)UgGk&f54`&zZ8%`M(%ND2Xq<fWapr#i;3Xs+a=1}bb@J#iQ7hDGT
zca<HmUgh?rzLH^rxPY}a*jIBJ9vID*@7`_63!;1<901~Xgf<v6iuIB@8_?9)P1s<0
z)@2n(YHau1?5?LsZ9x<@{CJPc>hj{^vL=#R0{+@OhSEI5NjG75``Fg3_pXLpC$H)_
zj9T&Ge|fGpNNfFcO+#cg>Nir0W=v%*=6VQhomH}4v&Q0M>12uagI#zM8<7F=Dfx2a
z8yruHE`#!or0aB<nk%&EF{@mg|BD+9CKTgamhxXI)u@Bzsp<BReNd5vOF#bwj|s}C
zN;W^J6-gTJ4L+Ay&0y1`ANC&5I|5`3yK}6<^R-^EZksGZu&|4E)Lw_t+y!Tf8$k}g
z+x)h;Jr5mmNf3uWBDMYJ-Sj;4><cSGm9-?1j^dVw@K_#nDr`Q(n|rl1E|d6G_B7bS
zO@*%-u@`XAby)O^ozB#pIK`mMm$O<dBbRS8B-bkIF1oC{RCQ)ku-T|<G&)fm>Dp~G
z7jZE38knRj1|KWdo;!z3jN@!^o{k}hwxOgDAaiwDw=WT&_9!=l*wEV&ry8^uXlgkj
z4ea+Ds$6Ymy-X($Qf1tKdWfn<IFgiA*?!2rsiyv+^B}Qrlw8Skh0F^kiW-_2UdBn$
zt6!-;Lse3V;msXxI8&vW-i8@7(VQWA?5YIN75gNHO>IPpQT3lZ6Ku?1`g+e@uREJ*
z|G*8Yw((*1ULdkK0UsnidRPcbV6<V0>h9kBW1rlC+W~PPVV7%lgcro8%DRXT_tKV_
z#Y4Ov8h;{^l5O&9+~x3s@N6T3=HTFGSbTi)huy}CS;H3)Cei=F1WiF(+M0JVa&2WC
zlGQwyk=K=*Z{IIdSnQ=vH#Jstqq)kURU=%MuMByz;U`V!-=aq<Q|$F~w&b{h@;Cb$
zRW@nERa~`r=b4NR(^X@!Y5pwMx-x?wcUpdYwbcjc$ohlRotMoT)MNCuNE(eYi;gV~
ziKc|sS;Kz*3U86>SZ#t+#709)QP?rv_N0fPVdzxr87Xy;Jo866v*2QVJ6-Z48;xe9
zG}!t}EOyJo#yREFq%;Hu_btlPFF*2fg*)W<a{x_a){Ig$IzHnjbAGCzlMpP8+ZXLU
z^L*1)X}l;pTxO*W`eHu;`*qTDTtC<&1=k$W@a?<m)&c8u-Ij@(&#Bz@cJoioQudo?
z8H{GVHD$@&R=7>~ZERxjP{PTpkjXBI6@_seg%~3Z{JHbJhv=b<rS<1ztk$HdAPjM0
z9y@8a>dgbN*|)3Jhw<}|<%jGj4Oy;I?unvl($JOYYPSb=)l+2oD@2`TRkdyv6cJi6
zQ7hY1!iPBu7=iSGd{%De_TYxw7351F_M59yuXZV#KT`Lo_*b2_m}}Vz!gOs=c_deF
z)Z9pY(Dj=&@=T5thK%k;@m0Eyv3{t5eWaPO%5zku%*)Uf@ka7VEV3<7-=9D9W8~Iy
zH@UBFT~t0^==FGyHt=$Lo*77^joWE<>N_4xSLfx*hx<a@TUz#7j76n3{pSzK3fey=
zgV07O^xB=cu>x^!y!T`?A4>cPX`&eL2OE^>wRGjmT&)ax*Sz@Z<8?v<*Tc@1fYE|j
zg}Q@;w#Sn@+tj^cji&1oryty2Kuk~;<=UuK^q#JgLj{_u>O<zHgn3e|p$hR=T)!Nj
z9ZcKobu@OZ2QHXEQ`pz8v{{KK4bkhy;4&*%s3uJ%vNrEo7Md8i#Opy4n^S;hK*WzV
zJM0)?z`}y=1l_nhsN^t>_aOJ-dbSkiOMYJG-i&4;eN!~y1q1A6xozz1bk`|}N5S&R
zeL@D`b`?zpIa;^%YWzAq1bT~+#0?F%VXc;dovjxbw_SLHJ83%LR+2u;`L7nvBm`T-
z-S5gHgD4m*aeK})#i@c-+KSesEa5s7KMw2mQMN}s_iC88oi|>p>4G_KO|<Qcp6Ct`
z*7FX}iQm-G11Oqq2dc`$+KemX1k&e6jHA(ZWUPjL)^-|M%?N#R3X^8xmrB1Yh~7|M
z?xwNzT;K(Ueer%$-@h}eY-dd<uG5D!C0y2_sSiq%;VFn-J<AAZ)}t*GM^Rz5Rl077
z$M^@})gh)-$Hc@qZFbJ+HPamH)fnp)INK!%%Qfi!{?!U^mYMylSlKYrSxe}MuRH9=
zThO_<-){Kw-hWk1ZNQpVhP5UeR=?ji>v9pYh=Rb#T&3B(-07cQlZN|(%ZbVn;ud{A
zB$X=NAvvA`aHz7QvBL!C=Q(FDNt(`0&HKa(XR@@C=xlc>`$tPKfiPVctZxk0Mwxzp
z>Gl|kaFHAM*UFg$hh6I%4(29H=H)WwIr3xyqr7hYn!*BLL@dYV<D@9v`&<su)^nRT
zy}6)679|ah^lJl#xj7$ly6Sl|A8JgH&Ks<jBdY2%YL9Q56ZOTi$s5%SmzwUQSG`Ch
z4ZZCL@cbrqGUGnk39AjTX7i6_=L(HvG)_yqN*a`yu)=ewOR^kA`V%pCa^T!|A!1&%
z<FOVdrBr%PGGl{gHEla>Gn|acXCG<hkjR3~=k(%>&emg#9o^{tjr6O*mTYD1I<C;t
z#;f(CvZ}_`0KOLRN?5uK>o@YuQM6A7A;^%Biy+(jNDT`_n5CDOuJHw9uBhZ{b&7PO
zT!d}Ui#B^YM95>$fdS%R)7oM-UuTJIz2(6kE!WN4rfiIi&Ap^1ohh(EHUwlDz9I<B
z0r>tgS?876PW%0Z_%}Zg2Y#HTd#UOEqX!V*v24Hw?P4{ptE;O(uH__pJ1UuFY1rAX
z0asDQ(*lQjQn6bx8Pu8-%&=lPtt3Gig89bLqg;g2&cy#WzXz<Xtsxfme@{f%a6#P<
z1OxdQMUQFE{`g2?_|Z5K#3U`cXyZa$nZ3c{muuxm4Si}51Ph-pJ$*`WdgUaYU1^g!
zIK@IB^k%ZC;}V14dob{#4Z1HC=Lm2!_J7`vl*Z2Ym?{f+_*4BfLxVtJ6J1H@jK-cV
zysXCt&KXF8Sa*~?HycSQs_aVBsk--QPquSfe*VW<4Reu@I8~P2KA(8V31kSmbst~#
z(xa&k1yz*@_N<Thc$10k$1%!qL+@I#48J+9TWZXoa;WJFNebJ^3bIyAuy#5~j6M`M
z<{qzeKiPX&yXy)QbNpor3(^<I>ht^V3c;TT5}Cyday*upeGQHBR$*uh!EE0uSHVY{
z8Y{;G1pQXX*^#kZ*F|)lVu$VCPvbsg(ySDqTENe5C&8Izdr2Bsz9AY)ap!^fqGN}F
z`3girRtxJkV1YSR)X5uBX$qpWFPl&P$b?<ulPHVK7`arZ-*3U_v{)q#rv44;N%Iyi
zeT$4{Zn73aD!Wz-Q&v%sso&?<s?OV*Q)OhM{HgGOXv!DFH?+2<Rbg#y+Ub_ru#XY`
zP7<?^C@c6Yg+Yg$QA>JA(}>1?NMv?Rl5tH^v7?+3LQzmA7B3e8ThN`HUN1KCp9rD%
zgSF0v2w<KYsjVc)=-ztEH@Hq+qfM+rd`#5$Muu+ERHt`v-l{z<wqZ-VYe%H#pyXZM
z@bj-(r|^J}>6uQ7YYftUbKI#=N;h)a*B&9-&}TE(Rws>+0+w&Cj$#8nF(D2JVVRjQ
zj5Si%Vm6q1&a6Nhq#~$3dJZ!nicYM_ZlvsVb+wenPw`39We|-wBdl0vyY#!fOCUrl
z<@#k0T6nztn&TD$0l4sRpPbg4Pv@Bu$t2aVO6+zegp>f;FLIhrt|LDbAHQ}Z?+s!!
zUr^NhMC?+WMLHX@yuZG=*<~J#jSbMEj#KAV{3?Y`)QXCLiD^#zjsXsj=HJ{E0lGn#
ziJH0Rk?3&9IL3I|Tsv*!=aX*g8wG&`m99SQ*x;ZK3aL7SYp#pjrEFzwmJ5%tJ36j#
zej7+12VsUQ-P(3*cC%eE-69{|36Tt1MeZAQJqE6j+*0h#wgY;LyK1+TdAn=U5LR|O
zD~})WK|i$c%7{9a?-#@7Yl=;n6>olN&moYz)T!5#`&N!0w3O{i`SirxC!*_L6D>`&
zEG;a$3gF{{3gXv88+#I`U{+H{&Z3E)lwKbXp3VFZ3lGrJ!a~AAY8<uY-9t_Nef+!Z
zr;-ZqOWA4d2%lBFd#iQ(jB3|6B~US&UQ5=qywmdaAbuO7qg=KPk3kr;R!y-#T&BO~
zHreknvSvGQvYc5<d|simqkeym@myv+Z_=UB;v>Z!q&dGog)h*9n^8cP$nll=^s~YV
zYE8{L&&Ep&)KstuK{O)hEJII$`Y*7=N8mRCHUg<<{&X6}0&*6I=-LdLL>4tkNzB9R
zN1FzhKiV@5l5m2^C@OHCB=`?$o=>7@S2op+0_knfYt{ew^I7{0^I!dPo@>HY2Mh5$
zzKqizfRQy90DEOZRQ2n;5VB-W7rUi1Be&<z)KQD6LBU!rU!N8;OCiM1S?=21*7Q~q
z)`&PAgRV3<y6n!<7rlG{kp{{1o4<WCIB-N;R)8BJ&CTx6|EN<vj_KQI$GBj#?#Krx
zST-`9#IIe^yO-KBMZTW`9n^RI_=}UG&TX4}O16hs{C7asYC7uo2I3M*#oI&Gp{KMv
zAV<w-F|8T{L}P{1Vt+YNi~V98bq#c~P8CCDmX)sxY@|mS;fxC0G}|Ex*ZXgnr_s+T
zc8Tgt2MyX>@AIN0sQV^|$%<F5bi41qIClw62_(lT<)j5md>?oEtr8bS6n0DG69iNN
zc?kafQOk+{v*ICI*zG^TX|Gm>Iu}_thLOHcmzh1bdEdkHK2_G-P{x=jfr4W8YcQ9b
zUuVnQ5k1~#@5fAxKn+fxJiPX6x^zg;Q+a3RkDBSK&p-P-Zy(Tg>bOKJIg{{P2q~~f
z&~N2mH7qY|l68NpyoQ#ZX@QG`a0=`LG)p=tNhqQ~73PQXz(c;A_Iq;0hbE0H0Ww-G
zIs?}!!}HR-Zi-NUi4b#G2d9K5xLZk}RidP&jc=Mp-)vmVZ54PQ{qn8yXVjh*({lb}
zkJbAo<VE~b+k>_8fVj$rP`8w&&P%V}9eXtr{hOy&jiKlw2|jUGwlYG|ucMlNL;ZuM
zIy2A#Z%iU~|DdnL49)XmK$lbW_m8j*(^#!%`&pMI82azm{h(;zw&&1C$D3Yw=n;#L
zt5vc>oFL%ns^fT_Xx*ZdA3@4CR?Mq7c?rTE4gOku88B4lu0F_A+T(lG)|yL{G`vKG
z-{1O)yC*11K+;!4j~57t@V#AolViOVo!ORgTU-+J$>H`={l5P=z_YwhZ*n0N#8>2S
z@26IQ@%2Di7e1bE#0JV#IYj@-WTYZ`0-**GV=%XQ{GWmW;y$9!-=PWd^DzXmNF1l9
zm$^zwBTa)f-2xlZYY@J%-{i{#V8*h<97_OjRK&5MB{R7C>LO)aVB~3L>BWS2$4P%q
z$H`}xBUAuXn}~IBD={NTa?uS{?uoE&<At#yZ)|!EeLmGd*dVh&+X4Ydk$;1i3|62m
z8uMdRFdEK@NGk_Zdj1lkHaprw3R6}n<ZG&k^p1thx{+i`zJ<=>&{%$ZnZju!5af-I
z?Px-hR2~ZvCVr~2TBFw`LMe8^P-I`DVM7nQfT66)tvd@6cZ6jk6)ygE?=T{jFAoC{
z7sedfJVP1RhMY$eb;Rfb)&~zq|AgCGbs?63NKt+3zNsH9gA}mMO-RuchO5|gpYv{6
zn(p&vpQ6FCRw-lUq?hzUGY7t~0zYgd#Bkr{11DQWhm*WX3b=zVVQrX@dl)IBVy$U7
z?c-L3EP_!DQ5QbzbDpqC+T<gN^O;gM-Sl*aN!!Y@FYwS;rQRzm?Bh<Bf(v5BkOlFl
zMDTp^jDecIm)n1W9W@OXyTG7{G&A&E%!Z55$cNd?^PhkwWG>S=fSP<MVp;e802C;c
zEU=JN!p+gV<)HD%D?w+g%%fr9Y)#1It=QWt{Jgazg*3s$X{l+eAY>qH58LY+{ej_$
z05G3G#`FCg`e%Ui{|vA!Xqz=;nbPG3)1RzYWoZWn-wZ_i>?9000(73*@|p-erlIiK
z=sV!MjIuIpI{(h0UtSp5H8PSQ#BZptWLn=f8YC$OGI(DG2QS^|Ki?vvxPO`K>C5T{
z+o%Ia+W221iT<iuum~t70*ZD3@%O4UbwSLkG#CbhB97OcFnRVkEoy=wOtxq&Oej|Y
zw2Ncm)@N{A7GDPjUsE#K<;BI-l@*;1mlI&;10EjU_8GCQ-oVh-zSQMz<b)a{Hiy@B
z_xz-CIjOm+X>NX=)RnZN+CJ%Q$@z3nRPLo*YaHn>9<AbN*$j3xkYdcx{fC0$PzFjg
zO3?2n$#SGk;eNk8uVama)I|-_&5Sm(8Rf<Cr`v>n`?Znm<UC%4cM}9^l>w<I2(NG$
z+{r?@axC8FNDO{qkqh|C_06pdKG!`;m|=%Y@`u~IdoPXV^<Y+dFhnnc{Li21gW(9u
z>}BQ9>r+dtEaUE1ytb>zsX;6kDmU`!Tq3?(2LEgMDd~!cCD@$Q<%ar^zh?DCoK5<E
zIs}ldSq5nPqlvHw=E1dRYB&5uo=wNIx&RsaAbIak>EQ@;)ymN3I49h2{(SfBoBG=y
zJoV?#>Dk#%KtBs>vxSAl_{3P(hnl{zaPY+2LG^w-xQgv;z2e=`jCl2UA~`z?3t*M_
zSMGzS*xqdTa%0qgJWSG&AmDgwY&Q0J4KbPzL2Teh7DnpfXQ50V>opbB-VvZQSvVJd
z&kyF+LHm{7hWr4}+S*!EQ`6zk$J^5|cot2yEoVczSM5EW+WMF>)j0WgtAPYRy3^Cs
zYe8ME1F%_dUyu72<-OS>)1~>#z&CbaNmu(7dA(VPT-!^wdn{m6Tc6{527>stwq;>y
zH$Faovf6m0uJ60JvO<yGF1UNS+3EXw|MI*Sdv<ynHy=q9BpEv!3X5T4V&dZJYN^Y0
z#tgJHo^Os_Ez4_w%P{_zHF-y1!jSa8DENUP+M8G#s5MpyKmJwscz;$d-uhcl*Gt8Q
zdKKFtPgQS)uir6r>*;EHyWRQd_}Id$NHPC@C<0~d>FzG^8nODJOo7Gc`P%Q}bv6P&
zl5akh{^07tv!lD?SQvh7S?j(p1?Po6_#XoBkv|}Wc3t&q8-{WZh><bAu)kH^U#z<i
zgh1~;JeH~H>+@Rx@@5Og=W!%>mdGXK<zo#o?d|QK?~d=HA0rD8c!h@W-_IyI(&tW6
z1%b};S_@U0*3r>1F)^W~R~uT9OW=3|t8Q#;3}jt#qQJxFk7H^_-Jhu`(NCZ~EXeLr
zUj;4Q+*+ce{{Y*9@g>L1&Wld}8HVV!sHkXVeVv<&%jo1j14cW%vBo1<9}5_a&U%Ty
zXVx2!_B<?ULs50<fw}qx4Gq(aI5{~PU}<Wu=J0wyUTymy1M)Q<?(b2RWjcj~gyQV2
zt)&q}GbHC@RfUCxbNPH<A1}Dw&Yx$ue;Z<^YgVdXKfUs7>WSWS`hW8L)_Bzc!y&9q
zuhV6TkBbY4@qK0d3IY-eU<-50@9iR%@6`gMc3Fr!2ROqhWUnlK|Iai=W3gDgm_k@`
zFANL}7<LtoYl_#uGx|lt?eags9v&V*C~;~A!+dWJ#%crknAK?Zau45KywPTlHrkyz
z7~p>V*xcOI)hFiU<~EMH7F}tz$N$&B`N$l=sCB>E!e+BUtiAIZ9=;hgCZY3FOt@qu
zCx`U!(eHGN`5glDvbwqo1)^S~gJkYlpo&NBwR65dp6H@lqdh|@jn1`CQW+(*_&q-l
zAM3nXWQe4`H~0i5!gb6i<^nDI;a}Vk6%F<HXijWyX8mte>w(sq;`U<oTD?lOYGm`9
z-G^Aw8K6Sp1;i52cx18}Avh5hv))(TPn+)B5se(P@1qkdE0~~z>+7A>$<;O0rB~Ol
zl^9)kqWE#3Dff2yqihAFJ{ElC!mzPy6yqc-f+(@Uv?m3ndsxlp8-4JPR0T6YpSTu0
zIy~h2@bC~_1ON;yEXMwc=U*9!i2;1w-cNenUd<f9w%QRDj<Lq&YGbMM(R6)%y~MmT
zuWk;PtCX17$o95=!n`2z(a6Zi4By-NMeFtm()!x%kT_PP<hME^sAV~*!V*fTS>!OQ
zhyhoT9izX09m4g<z;2F9hfhm}t%^j-qsE$<p&1GCiQz)?JIshQiK@v7!b&8pBX(Ye
z(%STu;-!g42^gjLDc2|{M<@uD=;`2u6Y8Rd!m;K~$A|t3M3wcUa2BONxel@>j3M(5
z#Kjd^QnGSUtwpufregaZ@5~Aw&E%#gCr^!!dzSk>e>{ckp-Z0_<1sNY{g?jyWuKRJ
z76$*h8~^OFs)7QbR6aMJSbVPZ77!3VSliTeAH%+d$>m}pDmrXz48n7w=ykrrC<6Q5
z9^Lfaw+P=-VxS9^T>=~Y+W?Ft5&?1=o@j1}0_JIu$3ht?GG>Cz9SGLF2ofrN(QNp&
z0{1IoqRTzQ5<z|{q8%az#QiL4NInLa+$otLewEUFyh^wtyXAep$zc3a@S-}dFWy@|
z(Cey|OXXBmRd*kj<$$(c5eO6@(DS$aFII;9i!R?p1~ZF`i-FMY^1PdvoTNmU^})u*
zW|(So+`GNIi+CC=;7g^`6)JmvIm&fxGkTCb28(7u{FM$?82|w!^J#icBr@coG(V7u
zqeGCsTO<(OCl*kGDZU2s8)olYp!PQ<5-W)E(_)3GGTjK9$8w+ui*Z{?#D!uxk(g0L
ziiulf6`);6D1lpACE$=0F-JId2RMQ7iWyLXY8EF7?1D=C92F>{YYA<7aVnJ8(pt+G
z4j+0NX+1lu?HwVkcRG+NI+1;?twBXYd%E0|#y_Oo;qhAnvNM0>=cRvPXt=Dt{^oSC
zGMn2S7!q26eOGB|X-htav7sRmJ-r?vblB}SC@3iMUKD(NyJKT#qJJ_YlK06ZCnqPR
z=Y;TiLGOqO-CVGu{}f77<zifK`d+!<(U^o;SVXZmB$0=}+UXJ~8`;M~iSF`kmr*LB
zSpr4F9EJiD)VHqb4|+z?C{aG4PaiKXApDVnae_`G$m5UFu8nf2+ew7QDg`A(x=Wb@
zvlKyISd$pCrqrnsn%GL{UEpjvt^-1zco5$lGjCF49D?w-m@eewc>v(=#YGH4YjB6#
z#agL6ejgplv{!OyHDG=o#h#h`|4jTJAuudJVFS8$I6^5QXao>{vvU9dfYEpa@IJ%;
z<@0)fvNsZQw%yCGhK7ntVy9wTjgWIl6T_!<lkZhPQ6$U!-5j?H&0cTY@8MR@^nh1N
z{Zpa4<n(esjgAFftnXY2Wm+@Sj?3F={siTyTIM3bh?WVN&Xe0#v7=7=B16vyN@J9R
zR*ZGX`tD&e{Le!)vym#epb4G?Y7G$8#7_qy#t&vqxsEV9*aC2Uu-({2Bc~-J7EpsA
zN_3tlSbBJ!wR*bs?pK%6sdgP4tL9{&jpw&Yt(N6IjHi|0{^yQ=<ke9^PD#YiN{2AX
zMh(j8VAN%y7$@a6@++6VI_=ePxNQ<i7a$QtAp_P0*g$X#lPuu&%)b2u29!9=ouot_
z-=jl3;xJqmK*Kny;;!fTEadIO!?5`I{=Uj0-3>8EWhHkNpXkEffr^F(CL2&|SLy1{
z0wQMkY#S9Ad-c*B>Sj5yX>f6Imuqynz3z{JfzJpHk`SC2A3s+%lPw09`*9F~ABWLs
z2$(roSy&<?BikVGjwO!^vk}7>YU5EY(`jG*rl`d90yScDWYj&yT43i(m))f?utq~x
zN`~m4joIgQb56)6T@sDGT(WzO8_gvTwGNnNuIywGLX$D%IM7Pci-+}GI)}&HU$&E=
zQ_{a}E>H|MVOHAY>y`kxctPLuvk`Z-lIrzde6}Nur@&`NB4!ORXbs!MgeclZsZ<&4
zXXr}Y?U^8cx-0~rthxR<MZ0#HmelrrByk#{)iFuUDI<nrmxyMPmj%IGEh0Y!4W2U!
z6vs}YW76%MdUwtC*2}PUD=?L+QWWBlkd{Y;@oJQcX_b=i>pNCuSUyjp_fMa6QC_L`
z8NNgl#P>ONSsLBk#0`f`Zj0tNC{oWQI(>1XA|necK+r7)JEZsM=Gf^HlB4bNkc8gm
z$^tSx&*X;*pT?7Z2!NoF&*tfl{u5w(Ktd$`xIRZ-2w#`*#TElFN=R?J)S>?qJhU8p
zDW{H!&!VF9@_oD}7=lr^<GsX1Z)ye?v9D|Otgb$#AOpD&5PGt@$V29F79$;91xHXm
z9}f0F{Bd!cK;OR3tc%u@#kk3+Z4yt)@C%mH*7jSAf@4#otTe+fXf;>&)3*mGF}=^G
z@_IiNsP;fEPAm%J-0b(ez-|zX68*33WcnQU2DOE**^_yMv>X`NCu)do`Yo6$MTN8`
zlX~BbJ`&0aLRE*=X{Xe=MU)YUjGfPsa>u2g5odJS#`^~;Hk+rI_}$`nBaF;okakNG
zGMJY1(Tcqn&*7)d)U8#2z~h%B8GoM)(EDc$x}3QQh`y*n2;wvStITYNM@FQ~eCwnj
z{}j$d%~LxE?LT}Awa1<2<9Y4MD%f5f^>=n`DSA|?O;w)bf4b;n5!wH7hX5Wd?u!@2
zcYld~i+#IKG5UW0vr>)8={A!t3%Z=9Jv*1orfSve9#g~Qy(3v{wja`UA=zG2d|{(I
zF@3@M+B@2YTskjyLeycVR6o|J!zJV9jq7Rdyz&x0x@zOtl39m2Q5B5mRsQ++AGGmF
zMqLxXSL0OYNQ1uPT1@cUCHNBa*iDEGvveW2J_b%PcA5asQvUhoQBq@+qYc!``w;Ho
z)zoa8rCdJ0ss0gS^5i`EWjlTv?aPep0(@MS^HKaXyiEWGmin{PF`@D%cd=(?5?$b8
zPa4O`RJ=X|?|ynsLn2#E^NdUrs+g=!GftAQS!2hzKZ9?A->+J8yEP2{k6)+WNkff%
z^!%>^39x$4fbt>m4J4xOS5(EBRAr#?2zY(aQNQ#RRE&(z47?}Dr?*zumZp~;Q$A?L
zxw#=p>Oxl6k)7+D-<1n<n$Ro0%5N_CH$Nrc=Eyz;>^WCf@->OPy}7NeC+mJ)qtglT
zsr^e$cTUi`XittimFq%wN4B;^(67aIUs{8K+DA;+we88aHl~>;TxePN&-{=P+=<BJ
zo)oEYnPyGeZ!J8!4#n6*AF;NfACk@F`LS-u?X!@TzroA-t8}LrvehUqSrD$-9`BYM
z+&r!(k)ng%D`3g(FiO_VqhySP4lkZRf*rTrPM=2Ry1Bby8rgLCCMm|K@c8+R=0r-u
zgF0d}TWTTaMcoz_PWr()2mQ&Msn+Fl?opw8K0Wb>>Ak1sgw|&RPc{=h?_wI&%rY4J
zu?8662C1Z7CI+BrUB1qZ|Hdl{wRtKvNowS|iu|&U1TfJJu+bVO-hu~AR~1hNM>>sG
z=}rTqmfI}-t013tO_q4aTX?X2DU5q%MZi`X`|G)yDxaz8pDylz6Ds%dRfv%;{_8?X
z6rIo;{);ULGp({V=6$`{U!r$Ac^<ka#iICGwp=2wV`CBm0tyO<k!61c77ZUL3v#|X
z7?5w&Bq{0W;IS=?jDnhm0>yKW=*J_(yGAZlou#cy8foSwf5)GVkGYs~Q8VavAQf6_
zkWXX2@Ux#vTIX{$PsgqV6ZL$AYnMFc9p^U7qp;-eD<qn8O)@h*8#m3r=lTm8_#_-_
z28-vWN<0rl&V+<`7tJ2^FK4{|>OFdXa>_$MnzCqxT)!nRK&vC9S(j)Fs~kSy(F1A(
zw(!1w8%==@!9Exzo!{nF1LJ|A{{Go-)u`~;AhC#Ie*bt94_+qsQbzp+4<Amgg$?Yr
zs@E&<WXpDPCm5?mExPNEI{y^w-IJk-iMV{`PD&cU_E<b1Id{2c-RE*4%`^(Loi3`?
z{!SX1(Y|}Ui+_xVY=eVWkeF18m2iki*yE1^q|Ji=9|~>5CQ+?-Net@4&7MEp_U<nZ
z*KhOWQULSEgaeCo&sc_-X<YW@4V6@v{yzFJCZ=p)S`P34j6LTb8QS!idNMCpnQ^&l
zxt^Ap+hx?OU-(X_yI1OD_xRBg(|_%C=nLz6-IrHZDyyjIG?<Lb^MA0|Z*}GRe|q-Q
z!;ZvYFPAHq*7kmS`E@Et{ojSFQ=Ckp1yUYFdj@hmU%j}s8LkU!TN`ENs0Ui|p#f$o
ztEDYMu}eWOy3f~EurfkgMqP9Mw3f-em=viuX)H#U6CfM4^zZSFkc=$)_!4{D4N1%m
zWR|qphF@^`vEclJq3go@a(De=%H99@hWw`fngfW+gvczo@uxIm%<<)RT?*f08%bR*
z58je3en8?Hd3pk>=8HG7J$+lLrqx*vlsqs8Rh!&$nB^fbncM12x}5O1ycRu>!^`XT
ze22Rq0m$3K8rdcoPbC&)H!4+!*0X<X#A2UJJe)xeFhoGDItfRdl+;;W<@`;^%6Bed
z=IyxRcK&@r^feWYk7Hbz_UW5G&1CP-)%0|2Xz%;B$c-{e!+jraEW$B=Woy<4GFV68
zFfz3-QQd^uD6@kGX<ed@(B2<RLo7_gv_}Wo5xw5!HSwA(^Hie?0beH{vtH!$JN|;n
zd|YXC46)=38%QO{1h-Ns>su)6@%`^uKP@=z?PLJrf_D8^nK*Y!I8F%|w(AoV6jgj~
z5_i9?uLy<HE_q*Lv0ffi^+Be|{$%1iwp#2DyhL|x@Fl0h`#R(VR#a2~*-&8IS3e{^
z93Btmq+l=vAtUe-0{=TAG}XSctA=l6*->vLp>UW1bTrs{1bZgRbC`H8Mt=B=;6)?f
zk{cYc_1Vufy~z>PCebb1Xe#T-p5<>*wD!rEkw!UI4snmAv^<+dA1{yitd?KBYduZF
zo92aAjYw!V&%SJ@c-Y!Y33}s?p7zIoJfpO7-lqmye*?j(gy0`b=<};?DV$GQ>pcWE
z13}%t#_QfhmisO9V|HZBM4p-bM%byXq-}VQ?K0w+m`HvqAE<Q<VwGfWj5v=LQcLs9
zhvdp+_uZe@i#V$P?H(Xb3Dc+5Y&+b)iJM4Rsqo&O$r=V`<$(o@))ok2>Q;+Uw%P$W
zQv~l4`71lHEmPEv*c{GzQbxVYM1-H5oYFJgjNmVqM1h(nb;?db<+be0dAWbM!R&{{
zGK)z!P(vyr1|F1+Y(yFNAI-sEn#JKe4och5iba<;9wg+B7oKDftND=c)4N?xvQYy!
zO23TvP3<^V+AxYbi^zLE#zzIRGVSEP`*uwDa$kwh6ws`+y%1oBZc?e2+G$KuxU4t1
z`&*d~AMTCzNh<qmA*yQKKLovC?tEHH-LsjmOa}95EG;flQc#?))Po)2WKc>Xma6Nx
zP;dD@ZJJJ|%;He_EggYFha<DzV702#+Fqnj-yYI!IUY=bhBh<wzFU0-W%RxKTUqQ=
zF7?0IYlK5^Yd{|L8scJ|8{lSrg}GYP1-m+YVm~?ryMDg>SO~hcHiD_>c>LN%;HTZ6
zJwij{!*$Y1`U{V|>q6a*x&#l7pnIIamB@GC?2j(F<{244aF3y(Qmu5-OK>0jBMytM
zrL3gA{bc7NVaa$F(om0@PlcOMhMsedklb@511;Jo^+5cqPBx-hGN$+Nu<!nKd~B?&
zjZ4R|1sHZg#Hv;*+f2^X((QQD<aAlOcv^In%}_gP);dQywfB|cn9iPJ_SK9u+jr(m
zU(k+ZHakE?m`pF_JJ6Sm{j%l{2K)B|1sIX`(Q!iU&SG(9uRD!1kj3qukixV}$#K{g
z$a>3Cld<0>yJEx<=(cX&xQWA=VRRw<zGAH9=0+;b8M?|RQ=gMeWVc%2lOBhYBG~O#
z-`gB{=c~`&3dOt*%&Yj^v*Hs$18sX9>}u!GZtpyPYVzVE1o7$ao4t2k$0Z;?HL|`C
z68E;m!hM~Vw#%f_LDuRw&d7Ybw163t|ImlH4|L#ARaXb|ZL!~`oA&A!VYKTD0F_Rq
zE9O)|^?hE?`q~cNl$ZUN8!hi|=qo~BP!aDv6I_4Q*1^Ni9cn*&oc$%U#l;GDb%<+$
zpOUHy&TMkEz**`ST;pP)u7|gqTgrFTfP}O>15^!hwMlA+j~L?O6v<XhK^_NFDT1@!
zf_<`|mFnl9@)P)+0qH%bD1Y-I8~S$;RNy}IV2*fu79sxe!2GfgxxDZYt%sQtGkg}M
z*&#Lu=+}7{lY%oU5SYm&sq9v4?NzIk6@AjY7PFT8P#49uKj_P?DXfjjG}=%5ZaG1G
zTtN=q`xZd{_`==F1ol?l?Xs)ZBEZhLQA}Wa((fzN+ZslfwiidY;VD~wM4lU`FX5_s
z%xCd8MVXxEj;Xa`+u-#<+kLmpH>Hn<R*QY1^({4*@v4j0>;Snm%S2gl$UO=J5mQOQ
zV9Ue!@o{SDCVnYmHVWaZzv~5JZPn+a!c~l@4H8Tt=Dt~0`dRp61Sru$^^CcL-jBh1
z`u7Lwz8dn$y^L!w&@o>jq`j_Vt=k0FQ}}G0lFA@}msH}Ue7${g)7Gxrh5n?b&obEZ
zwZ2S=`RKtCywvd8i*X%=?=*>&TT8ot-zR2D=&?Un>fm`i%1yi6L_gmQC1eEKei2q)
zB$5s2?gthF3yFa6uh3;!<nHeJkEAE^M!s0s+@YeVvXAn?`3w2VumA58ShHI=S0vvi
z1l)_`C;dkJwFfXkB3BfD3?K|=Go?I8OfW;q{7DrG?25#S3c%c7aH@Rnan2HsfpYzV
z2;!l_A+#JewVv5PT}ostXQ&twdknJ=GC$;HfVn6xj=7E$bct7V0gXGRhjyK9^H%%t
zLZdESc*~?O7f(^$P6TWbd(DB<%NiE3JvBh_Dkiy^^ttl4W*TlmL?FFN#*bJsiVZ+5
z0`=A&IV?v(1JsYQIOWzq@@wg*;*c7p<QBtWnB*f{_cshs2!N;`3%_sJ<s+Bi9u#3a
z3Q=&&h~ZeL2x1Ytb`M<Uw%)x0Iz_d*<b;07$;62|MMu`YnIe#9ry<s1h~jS+L8;Ww
zp#L2DuJ6>$YisYewW-EV2cY8a=b)V+pj9F!R3IIbWnNR4M+I%1M5XfX#A#sRxblM~
zF@d<2g6sWxQi*kLh>2l>iS4vDt2Dg4$i}TmOt`{AEy&GvT^7R_wv&)*g^CeL^l?lO
zgJ^HlU?&szJZusKS(|q>d-SEv5pRUO?faw)Eb?#_FFhS#_K}hACEJ#9R5W1kW-9$s
zeukE&6}{$ag-6a<;9_}3x|TghFXhLVYW(jDk1MCKc{7l}dWK|R88Hy2=o?Lds-vX<
z7#ws}B)MW6DJD^U(@sY7jBd)5=_=Sr4L;p=>24w%ev|U@2t+Bm%&MEvijY;lCXHgK
z+9(wRQCr??WcBjLBaYQrIHBNMF=vyw<kgs^*9w16o7-H@WZ+^E?5X~ALk;OUAcp)f
zcXs-aNn0DrQgqXp|NUZML0Qb<xK8(4Fu2L|#Agl3sR4VnU7VGrK-yX3u|s=hmwCCd
z?S1qVsF)B&h7oR^L5+Dg3-E-ED`o^CK0FiLE>$N<3`T1VR(V`3NPIMD+>X>le+TMv
zKoR6(AL=6sGk6H7(OCqyA$C6_UOWp3D;7z5RXIwrV9g?jT0;o~k_4?-;3_jB^79Zu
zV8lhgr5Q5i)9u}Vr#bQNX+jZVfS6yPn2*-ji?-NYfT}J+1a3#FPGV3M4Diz`l7sO~
z=dld$l4hNwVeY5V2Ek|fjr2`ZK-2;sEboIzpO;gIm~?=GdW(b^k0%^7j~J-SsDv{+
zNuYtULymO+Idc`w?G=ZcYtEr}zCOOYg7Rl`bmvaUrkLVYd7Q41F<;fb^h<xR5s^fp
zsi-1-)x&NsyX`ejIQ6%}rQ$1e{g+eocbT=q#d3`P*M(e7>HTgp8k7nRpI`ki4|y8D
zLjt&6Kfzu9;$af$%LuAIx$|Z5UYXwrUUTedj{;)@l94~<q*zibW#{m*I9jB}5^rHk
zSxU&4OiHs<HOCcI*Uvcg^**A<(bk4YGCyXyv}2gFxj;TMzPnnk=r3X3N4$2b5Gp>)
z;>O=)J44W8Aln>fYI@hmI<OKk)+Ch!6D_zYgeY<u8KrD(MJkb0lFM~%w_>$TPAY=1
zPp6u>`#uh6E5lsn_gU6(0IK{HT0x}Au!D`*3ZqRX>x(@nU)YQioFyo0L)f;SED=#f
z*{U;Mw@1xA{F%({i89bU5EsBXIKr$uhTT-RXJ?v6OL2Xb=iKI`p3p<U!U7pOrus+&
zA!jn9Yn3&U_XzPC0TpiHH?aP%Fzb~_=TlD_?SAAL%kV`OBBwxQ#F!r%Qs3tix_TBE
z=|zd5b&yLalk()7^oVvaZ`l-(3}I>7pL`SE^2(9OEc~aqeW58lKh%tp;^Sxp5z4@Y
z2P7o6;=tL04ACsLq}IQCN<^OpF&k2-J%ny#il7MnlI*@zIUh_XNyO?$owLN81Hq65
zZMXfUgc|)SK~(@79Rd$wTv*(sZ-d2XcNw0c=TziZ^kp5!Co5}Uc_XS35f|(OLzJ~A
zT#)VpjZb$Kh^Kw<GqeK{P&!Bt+?ep<uPDvT30qWTN>W+^D-r=M83A2DGOa{{PA%0_
zQZmJ$o5b>fBfKlyO+4jOU~t$o+tnR}4&4a%s~;J^z~0JI!jN~A_Xoq*JH&Pn1PEd{
zAKK>j2e7|IA0dEUlYXH5sJmHxRbp}2tF-KX>*s1{3H$9UUps#rcW%WNqf>0q^>jA#
z60ORdll!S^Jk3~a)W=Cl6J50?1QpL&Ue9+N&f=TS^*Bvt$5&XuU`b+%JK1M`!z7zg
zamiUxw^Y2TEokw166~XXb{*GQa=q}pWo`;_+&8F)&W_<B+aqLcs11%VQaVl_@D1k`
zKARE8sqQ7vOxI0w+(kF~zlZ7fIET3NdR|-ik-`!hXxx_ws@v#u%Sg(pi$_hfwbGQG
zIv<aMt^3s-cF7yQoSHP;Ukx8E+%L{axP5f)+N&|kG3Gf7d_LNB8sly|p51NeL7JV5
z=Z9Gfn|W95!(+xH{nVYT)r<`L^jxmWGyL#2BIMx;*5j_;Rdam-#Z8~6zAkO45vNd4
z>;U!}X8-`nw-1==ekg4SKMN0V-Q!-(0sj;R{n|&eL2NsBT!=O!3*W396{1^I&6|sj
zxlF(=X9ofM_>2D`J}=gUXY4&T4?*O2h<J`C1)aCX+{?m`zI%$-ca&K(&wEeDfl_wI
z+XXo$-84CdcF3jnO|EgK?ERmsc+ocOVl|M&^TF|F!()#m(p!3xgXF(r8?gDLWU*UA
zysHJlA3ob30z<3+0yq1dFkT0z^Sr*l5t(ZMMhYrNGU0fs+a!PU)(qrp)0?q2Ab~gQ
zUvznOrpuaXDoo><_d8v1|D^Grr8G%T;GEj1zVH~P#X5n8TzuHO`bP6@F4F8$Il^4?
zh{|nW?clE#Ta0O<#v{U6o-Nkzytt1`PJZfbI)l~q`u54+R(UKH$-31>JvysvbcLWz
zjtbj14Z;QzXm1ZK&UgnlgwkZLODA3*Mf<<-5Hh{|dOwt8cz;@nNKP&oYxUE3b1}F-
zDn8KA-MJBR>z|}plXgBw+o|EMawQIBw5#jF-LAfvPk{=%pRHQA`Y;~iq}Z&jpuDQ@
zT@u#I4*E^-9dOii0y<@h*>hVcje|AZ-Y;QS(Dq-|vD3AgW-POPL<;i+-%CBip`JYM
z3EL2-cD@PX2eC@dLcIVJ5Tk9AGf1>h*b0Xc$i2elj?5nv<a<G^V`1jzgb2ljV}m4#
zB6U)ipi`5qEJ+-L-Fipq7!szsN4)}rHOUR%2_1M_oetQwwl-M0+*|ava1b1G7i@j7
z`+R)fWR56qhK!7iB67dD2vVoA;3kW562VOp``?L4pS<~85X=sL1%Qf3h=W={%%|I*
zfPVa}4zG`W)x|xjg$0ArBvnK4nk^omP#Of?p1|+tA(3R1-Cl_uH;)zRr<$rU!@ag<
z``)J-n{rhK!LZoSuc)lRy#h`Z$+on_f1Q-M>#-bh?}I(~T~eK-P^^Dua4Fp!&IWul
zy?Q>|g6=)_jM?;NPBf+8zSZ<q#UB&m5Sx)4pGDv)%69PIn4XjnNn)AeEWn#?NDVo^
z=FLdmM6qiV-?~P!n|Dg<6i=^<@_vjwYn@e;B<|c#Q}dv<PEl(eTu`T^I0~`mNwb{g
z#C<x)n#xN$A$I{tqq#Gli7k9Ej>?D#P!K=Kvf~PnFVbM^u5o-MU5c5{riT9r)*g00
z^+0WOrq{^ZrE}$G{@UkB`B2?_Nb--jrF@%|6pjOYurZ|;VkA|cBYO@Io=1IXkrPca
z)>WUvcfxJ<3tRlWkl`uurmG+C3C(u77E@zwcYp}Y!kJvLf6^JRu<|??jo}vsb{jln
zJ6tmWRJ{EJ^}b>u)1eL!Sbs}YC4z*4L%aiEjne)G2s?#F6(A6%p&AwSi<5Z+J86ul
zVI3vovu2bVvYg-Teh~(i93$rxxq~tmQ9{ILEm#0~%Am<5S&j)K!fXm@7!H>TlMp2X
z(fadRK0=6C9gqK~j};X>DH|#2@ak&%p>&8UAiAfgCo>a!4!O9rbRGx#?C*m6-Qg4p
zxg0=M>&YH=@n3xS_SDo=pBwvrT8N~N!BT(HY-41aSk}Q=-@#g+k=(M+)quLt1Y<p}
zq%wH>c&a5w?LEJgu6SJNJ;{8DhphsTsC9e6V7vY27iAH+o!a9R<v9hx%B0*brIB?J
ztZ*{8?dry{+H01had&Q8M>s(&AIQ=g=v9qst57!a(+%ED7qwh(N6yTonYG$DEH|(<
z#-;d+QKqYVimJI6s@#W&KGP#-UDdq}zH!C!Hb|3r4oI{eR?5>zBj~D-zKVk<+~t4q
zW}Ms_d&2dxx!<Dk5KqJ0|8(7rP;O*%{Y7g&o^TYOs`naup7tZI6}r64x-Q6wf2)b*
zFlOFOYE~t*tP3-}LIwU;iLKAWMo7uMj2l+tF?{e8w7SX<o%=1sj&gEj+cwi##r{GT
zfwh(6BQDw=-YPeyN~CM8{Ny^E(h4Qy+pY|ExwDvt{pOI|O0AMYIB~)`wLqFR8n@G1
zd(oU#Bp-*Aq+n-`OD1#rmE`x2I8KD_vA^?6Wac(9vb#d#q2z{Tax!D}+K1-$>p!80
zSa*d2zztyc7C1ggZfjhN7Wags=TWMh5(E&mZu$cdoUEDK_cXFVY%NH>6aNs-*bs~9
z`JNACykouTh~FIou|r9o%SIsA4kO(xb?}?_Q+2s2fL*`rBnef;Us^`L<g`%Jxuhak
zq#~6Nx}4YkTnA+jKY+LcIV`SWT_A-F{lr&M_Q_B3O6)*9%q}~tBs(vbXtfZa8&Wul
z($hix>rEEmVN;Y8Ja%U4lix=~M|ZiLD9Oo9Ki}+O&}xO?$ji@EYqt{Z?Cj)MRKT?L
zJ0j!Y*ccf#m`<WYLP9G1&dI?WhUd6iZ>?=;V4|Ra+6QfIXlPI@6gxRRU0PcDmK+@u
zqlilrS^@*(VDZHYtS5y+?*y5p0p??4wI~y(1CgiicUO?;Dw1EP;f)=6yJU_XWhw7m
z8QvWT_O%7zsH)=XEV;}Lrd$tz2Et<$1pwUZ&1CJt>`^h=z)O=b7L{Rf-?uEa=J}P_
zRti#<y59r4@saF<?XcSI8#oBvk1lKPj~Qob<20}WtEFci!~Lln0)q*q_3|6VKGVGp
z)1pxnDcw19*NdNL1PCya0eIKnU)TJpy~-nf!ADsp+!I>TzS{wA>!xhP=zA+x@m-`p
zrvQ++nxjRsTpq$>u8|$3yv*cytRl+daJueg>&9hy@nr>T_V8spv1igjVT_Sd1yXY*
z+DLDcl)4NGj<B7t6V+g?$Zp3QVxqxKhnl7Lf{N@}!Q}YtzxPLC17o&IeK}ju6`ExS
zKbNsv#`;?Vu6x$KRjG4bMU9r*UEoqt)>^5>;+@=Fsk@zSQUT)JloJ$`hh^n>g#^I9
zPBo8HA0P892jd(8S<=b6w%ZWH{P$aFy6zB%GnRZ`vxJDaB2WP_%6fAh8-6_wdE&X5
z==bk5{|`s!7*J>5$MNMY+jh%t;iRRd<yy9F+qF8iY`3gsEZ3c}W!pOGr03f6wpXkD
z_50#;Wrm;!AsWFH8Np18V_8Yk2nKa#@&Ne-eWOf;fbU9<A45XrRDT3huJZ5>(Xro_
z<>+Rdul;lOOq<_hN|!pdZv22TN$gHZ@e<R@IhrB68!Y_P(txl@&QfNlH!<RA(eAnA
zSZtiaN{b^q3N9tOIwbCj(!~rnO?k#<W%`eW4)Fsj_5k8vEJG$=*6HEl;R7H%2jpv{
z3kwRio*!=jH$62ql^Xp1@%;S!<ZpFjW20`Hi@BQ{B*YNEwY60todc%I_2F`hgx}%!
zzw8!cyVq4=Ufzafo<HJsx`?lbw)SES9&=)&=`gyz{TUFGArlSgY-++yce&i`MIm6@
zJ=mE-bD85I8=4y|nnKYKg2ugr4y5tH<IO+qX+9ok&>$y?rOU(>-yDacWLXnCgW0@&
z&8ra)U3+)&X;y|uW*EA&^OePnX_&Tw)v1o+`Szc2<OpZvFMSl9mGQq6HEjv2mH7TW
zyk+sLy*F9rZkS_G&BifyU42)AAc>~)u=q#GiJI)y-bUq>^SE#lFW7PzQWbQC7o+~4
zA0q!0I-8g;{Y0vD;6}N&H`V{RR6>C2z6vXbXW5lJbkRek-dFnTU)QCz>m!O1$-Clf
zZI70kF-t&Qk;W%zwBu`=EpFJ*$JOp{->t{Nu+F`aL-Zn>tzUBP$3{Qo6fC>$$k96I
z!4g>c>1{hBXOA_ujNdSKug`8pneMVI^4R}}!4XA%vzE*d^ioGZ<cO8}ywuEWaj&!B
z;!&%ySSIwxQ=lZI-h;>s_%$R&>Z!_uyACsWtT$3P9GK~ua_^LxBt4_J&8--IdR#k`
z*|GfLF2sn3L_zVbuMQ^Si83Y?2$tAhpvQ<l8~<Svhd;ph`}p66OQ}bhtH#-X>2wa7
za`z=6>k*nHiY_f=tQ<JBKGEb}+hbpC;EBi3!notYmd4DDLirnyI*oio=PF$I{%qtO
zpst9a`qV4OXt}$qH#Bmg-brO`+v<X0h6-TNLkM}NR+Rb{f&LNKwTnE)o3jw}k}#Vd
zJN2e?ex$ew{QD2_@5b(I*USVxO?KPeh<Sc<j4x2r{illgx-Uavav7IB4nwBVK?*i+
z#*|cb_U!aNXl@I7M$Mg$<Iv+?UErhpE6ldr5S!!Bng?Via)X|`;|wTi7Df#GA>t_+
z+?GRwgTWHhlQsGs?-&757D2hZq9Vlce6<aZpLWyxdRMNPUBBJT!h+BCZ<XyrO|W$k
zS3yBRK9Ql}hX2!D0r>W0fd(z+%a<>(?}E!YI)S8~3t0n@`!e*uO^J*|()Y)oab*JL
zISBzGSqpy<F{fa2Q}pvup01=061_A9o8mM>ORh}bLZ6LE<zj5<U7P~DKM6*DLSO(+
z+j2M%d^OP2Xkdxj3bNe>YN|a)zJ|&sJ)$OwU)QzA8pQWbYx(W8^!dK|E<Kco2O{6Y
z-Nq4n+-i)`rLn4g(>`12wE$rS#rd3r3hYwXs_c8j2Wexo1Ykt%TOGP~8y;=&PT+>v
zGTiNhiZ6*hfI4F)4nKm%KwxC%EuO9@<_DubVeO{PVh;tf#~eT2G3c7DuFIg?BSPbz
zWjtGlw1pGMhpk&{T%VH<lCG)RvsY1H9uG;G>#GqcalqEXU;lls*}`N?YqzVh*nD1r
zAUMd^UaIBLW&Hh$psC(>!oM_cTBq8~hQ8G@cb)4ZE<;lKCgA2bYiWVd*>;+K+ppcG
zZc`UdE0#3#z#a#eQNDNan_&@q7N$Llhz3@P$Ls|ON?&O6KQArE9Z}z$59e_-=+oEg
z9Hk^%99~R7j+PuDTHmi`Hj^^4_&FSVq}F+_{$?>JkX|xP5;gh|&2<UU%!MD#nT}Lh
zk4J`T<_QIq@f-w2qu=!U>i0aT^B#WJuz4=uL&<nUn}2`ZezbFUg`t*iAVTP^v%ePL
z>hbD869uc{-|gfur40J^%M)Wx!{e-8Qa6FzRB((%w2r-1z;WqSWIU+F;(Wt6>2s@$
zDAhbj@iMaXBMmdR*Ff649GdoHhesw$ySR)R{m6t@d|@{|t^P(@-{gp-)dPy;VUhcz
z$EDQ_O7gP4rnV<f&NpArp^Fn}95m#JZ5WlP=@Du!M*i)ubr1MZLxw`#&f4Jv3d%}P
zplCUrsA%9yv%LU$XIB>z8ZrEUil*k@*;&|*D*X=pX!n!9e-;+lzcr2Yt(yF)(4fpc
zJw2VDpHEE0<VY+lD=RFdCWeRRPrxCe@9ysYegv}HDk>^gpBNdf0FT(JIsMuClAtv#
zSKb@)_%>VQIBM-+E)yUE-2rb5r2T@&=Y_K!N!G`FYt@$JWX!Jv!(y`D7JyVENY@Sc
zio*VTangT2?7L&Y$A+}o!9tD-EYH~DK@Y3IJDTYa;^+5OCS4VybgY}<{zO9FJ$zQB
z;2n$sFP5Kweu+YBW4P7f1E*zRsb6=VlrQilKvFn_n(|rER4{I0?mQu?ztO&c6TJ$t
zSgiGV5R{9pZRZm)C~O#0AdI6jA({oOzpbPM`pX%xFT*gJWBI;+CK}ssJXJy~3*GPj
zwEFRyQ|X(JP{Czn*Fy5Abopx2;nVh0_33Bj>4Sz6PMSIE-c&T2Qe|^oGxzK>vO;RW
zGWJb)Smmd2e<=u!t2*WH8DH>le{{G@P-t<GQM_ea)N!MDAfNj=784psI`hYDcTY4+
zm<eJq^CRANYkXw%d``nvPT35|U4OEwQ#1Q~vDN=hq~~<eM@*}0iZLj5_3zHGzbp58
z-nGcHIU*`ym&pts(uw=iJ$HkPkW!vtjR#Kg?NQYcU@GtKn~RqNPXv0&{BrM5aGGwz
zp68P1Moxo`l&p7e_L^>b%er=xGtHdhR#SJXhJpZhImL~1!cD34n8&Hu{(Y8aq$VEw
z;-iqa{7{z2Lf$9jA?n&Ouf{Z`AOi1M9#8x4dO^Oomj1N=O-!&dGQK;R|MLgN@L$Rk
z2t2O!1XA$8Ma}&EiwK$KQL=J&cHShcl8~jPqdPh|33XK0(3rs`7N3kK;ph0MrKKf?
z5hX*38I)X6;WYkg4!ld>nA&6O?C1;w2>)DS8N&FFBxjDIiMYQ?8IhTYBkV@A)B54_
zHj7@@(C1^qq_C8red_EAla6Aj6>NQ<N261+8X5-g53yeh0{yTB7E%TRF3@^<3Yb$d
zFB4;>*ur@FGv76fd3%K={Lz_A36jP3;t#-$svjCY_-?X|ovZu;RoVJtR1&hZMz7TD
z^GV3+s*}BPpvc-9dm3_s?2Zk7t6;6M$*v+ZsC#2Wtv-xqtyItA)O^e0T-)8Z(=Xe%
znt&W%{rSPvLPMS2vT=O7$B_s5!Ooy$(mqlx<e|Mb6L3GOCYGndOz=ps*U7s}Q|ha%
z&+b_p_v60%LG|t|pk>F@2ld4Za;oDP2$aqyNJc7`J4ULPnlvW*usdhpDzPp*)w2Cp
zKPP~-2%iVv*Q#S>ASb2h{_<^6wyv>M`TL(pOq^efV_^Cy<ou<#T!rler`SI?B|ibo
z(Ff9PQhOn`+HZkFDq}HVdF$yV{~2OH6A{2^yIhNO7i{<4w!EEo$hNg3n~$^A!LsY3
z4}s&aZ}M>1+Qi%0B}}RA!l-Q;QrhmrfdwkDXatZG64OOHl)Mm}#SQCJIt-OQbbP5B
zh(`Iqa?~YYMQXiEvo`&1p8&<W9oaI<Lc%FkY5s4>Vl;-mCiUcA2E64wFho3l=m;nF
zw{A2`A)X|+KV2y5d9<5f9QWbtj)|`_Dq>zrN9H>Rwb5`jck(u8$JZLQ!Plq9G#@^h
zG1-r7o$WP^_(ERYLaKRSP-ANSf<Ph2sS1y~{P0d%9e~;SAv~E`X=;zPs)h3Y$LLwV
z&v*Lu5AW~tVf^3|zUaj#hxr;M;4%4ROy(+MhhXz9{be8GV?=gFY^4#Wc;7+Y_`S<+
zZ;$F@yPXF~qWa_I>((+RiUyF~^BG+w>n4Tjaqyernn~Bb(wzpp-lGIsn01hL`L*3g
zzWKWDa+E!ci05IL3c6dY`-C1nA>Q0&jSKnre0#k)n-6=<3+Qt@a+#YLt>t(c{$)!<
zwA6Tf9G89inzhhlSZ{XOvO%h%37FxPheYIE0XauC96nd<=Q>OlOq^+Yj+`PsosV0X
zi4#c4-7-cUMpi~Sxj|diUsoqaM!@$qo?u@fhjurEwg0nzm)_jCT--zm%E)L3a=QF+
ztY|c`Wvi7j8Mp0T@{1vX3)!X2{g?iB;V`@YK<BN+0Suf^4?kg%kLNh!+v$8f((60!
z>Ncl=Py9z7sfR0jDCy@eS?syZU;O1P{ef6CRCyYy5D9J%kJgHwR&EZSlo8QA(G4$p
z^EvLGOH|5DT^K4XYTVLP{|7GxtH5|`3tT`27N;_<!&HJ1r=l|63I#npbSd}LT_XQ+
zMpN~?T5$O=?QvC9x_1gU*L9|h!;#74oKMfRcecl=$l~}!^dyY{&iKT2MZ;+g*<$l@
zUf^$&`SeduLk=vYTwG{MLJ{F9-_eUz`2T-$Bu+TFjdD`)m&kVZ1P%_=p43jqNWBQ#
z{bm$qZ4(BbX7K&^f~)U7$Z}CM5%RjlH9+!Ed;k>=16d3y)YfcN>2Ir~7w))cc{h5#
zC5Wb;EYvPsDz7E&h(37m1nno)G+WyJF!ieQPE63Tt26go3@XSAk>C+_eA>4p`>JBm
z?oJ_Ui#}JKr4+QVZ%dG|-Zea)KI(R6L4fNep+**Ty)_?AuESK*_A@QpUX03Llwv<E
z2V}NPD{XL|{(ZlC)hsQf$=uh2`+BXEU8lihfvq(5bo{nwRtIP?{mocKVApBe%L?ql
zBOQPotsMl0X7ED^k)Buu@<$+tr6vyDH>)}v)BLUnVWlPdbG$}^o{wI$50{-)?!I^#
zY&n+px(E8%=gE0@Tk{vepr`qouAxIX=Saz6I0NE{+yTycnUK$V+}p?MZd`Jm*976E
zz_#k{W0)b{JXt7FBe*Vu^Hyktm2(3lJaKbfD_DA$#=_2(kj#}ZcuU_D(a*iYTe8&0
zgqe-5$Xh+6r`HT59<IJ5*Uy=p^C1xYLE6&-598xv$5z__hru80r9Y6d=Q<GrxyfAi
zKh{6KkUD;29FOAv#0R3Hq#RjTVW;~Pe~$DU^T&_WBNFW0^OLjP{bT20W&r_hM%*tl
zT<~SU<NIGiQ}qY_eZEBFkJiQ^M1^~Y<N)2XMDS*2+Vfa9S)2sFw36}f7Q?6AV)n(3
zSn$bp|FOooii+-cGT*>c&knTtoQBW-An1Fe0<XtHd5O5(G@-eB)(EioPI3Yab6RIk
zdJS@vHr#N)Nh%u`D#RGt6`s9g!_Nx)B0c_umCogPV!<)zn>+;E49djEK+Q<#pp<2~
zJ|3KA7<j&$GycPXBH;b5Adqzy;Fe4HgCnJFf$U+uW@OgRV$d@q${%W!Ty@H@GmL<@
zH@VS~3_dFa9&AH2ks0J`!_Pb$AjZSk=;Yr9aMFHT_&9PF{(|mFMAOP^L)e5!cP8y)
z>kyYxWf{Mp4z5GSUv+g+AS&wWENpBZZf;GDjYU1=GGGYI>Cut3qoXngiL9g~4J+#e
zP?j7V4Br=XD$>Bl!2!Bp;PT2!ln)<zlbWRyh~#KSz{TLi$ucP(B(fQy;6x@W+Q7iK
z%S)$YOiWBMZz*c8FAUJzlNPTllT1lqeBZ#o6A-5$B5K>f!?4j=SLJGIH8CqNvnsVS
zDlK+I?<kcyt*AlZ6yc6$I>PQKlswJM-P5pVQ`^vM*gZ4n_G9}GaaZ!Q#Gl26izf=S
zM<2hwuD^*P(lMa!@PXnPhVxuP|L5yt;F{Nw>K@$Q4OG@Mvo6KQ!Qpk?kDJU9+L?d5
zTY0&Kpaz90vf9I{%r=-agJVSxq1|h?BZ(NmV~csrdMJ)4ilT{$wElCooxbE;5kcp_
zh78Eq=C@l)PMvwY|MzJY)^DPM`A=mO!L&Z{&{-BL31Bu26jd^99|dn%-X7lV^V8Hu
z`Yi25;h(K22Gsn~57-Kjs(p_0?0!R^=W-rw&<+17%`_tt893yYl2vbul0L-7Yh0UZ
zQ+B^j*MoKPG4f-7V6G`P)^2LDpwrOjQrooth~>W-uupa~?7kjcBDnixst~4$wK5N~
z$*!RQ1VO3<Bc+%+CWWPfN@Sai#sGaQjibV3qzr?#w6hHyb<KzV^NsosWvK4%=dGL<
zJ!24cBV4nxYF!bRSJG15w4b)Aj-u|_;3MJV$Rm;Uzyu>5{<gj0dtH~Fj6my|gT;E&
z4$q6%%}|Ve;O_|d9?Z<lMqkY7+KOIYU!ET97!)&`>{s}paLl;3r%N~rrna^uWMuKu
zVhl}DHWQh=0*OFf>x;bnhVO+)Q;@>L{K5i_^HyItFfIelmv_<AxPFN`8XDmmv_SLs
zr)YL%Wu;0*QPEtH494z{v@|Vs^{-GOK0EC)rJT)B1qiS2ogFGRo)k6K7b>2ps{`OV
zp6F?N`NT{)op3a-Gd1)xKLt;nkLG$%lXqB)mqGm(oqGK|JYID+6&0Vc6tlwDbwv59
zfd&M03EJhf&Mv!%sqk;AtXV4~0fIiKZ_<8nkPmF|(D^6|&Bu|df8vpM4Tk8+O%n3-
z-248(Gf#?5Gnq490(1@^ESUMZzGmx_qwTl^v5*G>g0!yzwIK@Ozv}N=viJ7dxpT}~
zE>`id$W(OH*5{WOr`0L4FkK%O3nul=(v{*;Q}LGzX5Rlg>;kE!u_fi+st|<FX&D9w
zs7rR<=^ipYb`X|GSA2j~<T7RV6(HqW5IQnJ*yoT-;8l!YaxCq5J#G_0Jbs523L&KY
z;cT+YshiCDZNVWTaYIfY;wE5KQAvJ^5V$sQDSv+F)Qz>Tm?%MrtUil+w_a1zY4G^W
zgoKjCQef@UB&RxWZCNRqifB`?E-j~GVO<YEKQV|;^sZba!1Wy4QPo!tC}e+R4WaKp
zv#LBySc#%449<-T&_R7#?+r{@t2qn>46ogn><isR9?&zp@DIB+?uW?L?8km+=NyVj
z;h-sswxG$Nb6o55WrHftcG}f$|8pjh%&LO77svcos)ta-Ql5ORny=jAuy%L82GmWp
z^HIOY194<x%iN8?H+?B7ggh2X8eZPpn<-Hw13#ck8Hqum^yLfmuqfd-V={v>8xzwf
ze<;s2*woT8k`L(5!N}#u16|or{X`6EofZc&FRS%VZx|SucU3@tEu<b8ZGk!1_x4yr
zQxg%%-rgQ)-J+WAj)0Yvl)iue?xfr5^pC*HN$d5UTtrYvh{SY=GT1~w5(<S13J5@s
z<}CXo&@wVI)Jhe^8wo!#9>=nGYhRARqP_y<ZHmBWPXF1a&w#5-g9QPDyKL-;d~0FA
zQ)T5tWl_(!QzGjv26ksHy<g(i2_*8)aR5n;m-O(W?ZME!t7$*Y@GMIUPg{?|xArL6
zaR|;IxEiA`ZnvfnfXX$wM4rU;jO(EqaHftGys<&QVwoAQu-I2Qw^N83!-gPp=`Oea
zti%7iF`Q>C7<fHe*9xx!*Op4R&Kl2(wkTC?XZyv6*anDQre|bO<-r%<>Ey}G$cTJW
z1rq6@z85Jv&0_4INLPze35&s`CYe~uxe?iT7z4pX76acbkgK>6v~7?jrlTxAYB6*7
za_L5u1gO$RA$_>kJ`m``5yOdP2?i|_L|C~xR*Erg4*ldnlh3RLW7;JVIp)ZauU6sX
z<R@dA<l@?=G4aSp!)ym-jJt*r_D_USdYRyTm>Bp9RHvv2rDP34j8n3ry63lHdznig
zqX`MIDY+~Curj6a;{FOMAF5>6Z*LluW}QwUd3vXseJdN*F&nZ*4jn<8U(Hf9RD$RL
zw1Ir_P~b?1>wer#R(^hY2}S{dK%4J&QNsILHUflbX!_UJ$r+1^inyJ(KjWeiaScpN
zRLdlg4-O7$qoJdhPK3B9WedOvwt1WpJHdm1{$jVw9&$dCz%R=w^68|G4xwrIrg&)x
z1hPM#5lRhFRZ)R~Cj$Ak0*YW~r*Pe9e?J^e*gHu=jx!VB-vP*lz)1Y|olIz&OkG{w
z?RcJvXC3%KQxnf+VqP8vA51@-e)YFsF`C7ITulLlexr`4eU}!A1J7w5oJC#s9iAwA
zRiEw1iE-&x0j82oz~gSIh4%AHYJyBW$@AXfq3XHZ#F-rsQJ6+C7-+?J;s|mpLJkH=
zT1@7#gCfZPW%z%{{wRBUS@=A4`kSl{<#kfJvmj$a&x(neIq>Q1l_KC$#aYD~<#A>~
zvaeT;1}J2Tykg3z%PT9FN#XjJvgk1S_sUD+DzY$Pqr&IDi!zc!Q-{f=#9>vvz~q&s
zbu=&g5u||$m%)w|*7uGLI7}i&cQr~!WSHE&=D&t_Z{v;^<PiT%Ax8+KK0}ccG6O|(
zFQZ&}FLHRXsC*VGly2XN;ZYqx=P)8_b4bBP;FgW&Q~Yk=yp4IY9)wVKuWLC}gc7GC
zTzse1)Yp{Uy3kW5P4pRoqpLmeYB0?WsoQAFwW_9uoWtn%L0%v_TYXcLo0HQ!`yVMO
zT~|XSK%>+s_GqpQj&j}Sg!Lg0@E~5FA3HqGV2$5-TTW(Mo0!0=_krQg3li3?tsP)w
z*IJ$7e*I=P41D1YlGD`0&kp|V=EkFB>wAA5&hQa7ZhB|BKr&d|^L!OR8!%)x)Yk(y
zReD9m@js7)Ur0y@6;b9Wl~uRy3$M*QBTxx%HTJsvoB+tf0>o1}LXq7`NlA$4r0=^w
zprH*$<Nirw)upcinlX8Sw0?_XdGhoCr5Rqrxx7DV92tnH9j}<q$Q<J^{M~8;DU0VV
z-Tdnhv!e_XzTzUbZYrA<AF-CRvJ~V=Mt-M6+*A$><MiQ~{fIrIz{tsomCLMIl@CHw
zoKP00APmR*(D3y<Sfws8AEN|65h)yT8jg4Ogh8s$3hbuFvHYEu0)%V(zN%QN?|rM2
zLlWZ8e$#l(NV#R&e%nAPVe4aKejCC92eTlH@&rx2pn!%}f@N4>u4-S+>U_`o;(HjH
zfSTuMZ_hf76xmy)(|8#9ehsK+7A1gS_fUzr;9G%RHwUbJpr%QMbIN5oNy^Mz3A_kk
zf?Ql(Vc0}pAUGW1>)N5Frob@^z|KGW+?_57B&4LJy*=Md<paH^eRDIje?*a&`;Doo
zDGJd5;c29tyQ4W76&0ZAj%5m928M<y0;?)30l0*q$-w(2L_XqAE@sZoSHQ6l5)#r1
z(@;(Vyhp8O3PX`FfFr(ErxCF(JcbaUymv+N42AxUz@R`k>U;la=p~{I$Wa^h!}(MC
z=g#402`=YBpxLS00@i=XtP*UK53uBikr86M({m!T{?N`(9;aTDC)S)n_*BJIM!@2u
zLW6)W)_t$H5imCPNzrhoT%B$hXMx&ybo33=FIn>>8CHg5icxtk3SMMJpc`L26Q&xg
zgxogtd06bJr0Z)@E@R;-UA&={CeTNw|H;fbYa|in{4GwLSP+@U?bb*swl9y+AM)7@
z`rn~p&Ta5VW@cZ=A<)hKucG3k&wc@gt%rw)o*pTB5<u^Wi9z=32JB<t_F{zX1{6Cy
zJiM7F@Yc@O7EBoRgfr~lY29KHVq#TQRjbn4T1Qn?Y<tq@u=8np;@*$x(UU^ki=iZ&
zaQ#7&N=oQl!JiKa@K6M(koqnGU<v0tx8QDIc_)6z7l$nl|J)PsqNk@<SXh{->?pi_
z91UDrq5$arjqD$%<b-yBFsxE3M-TxXo>CFx(>Gjv{2`8<_;^|Me4j6bV)_gW4Bp<4
zfCOE|$Jg=|0`6Xr`G=unM1L%mt1qR#Msx=X;MdC@F$APgBe?@vMyIdI9B5qeBOMz>
zL0HGsS1DX_KL;4^R~4vA!PFL5yZsdM>imlF;vqb*9MI|W;<m`|XwnreB<`t;rmh@_
zecFYX`50&67OIdf4_Vq)q=>8Z&me%a(J)0PB`X}elKh#B5qi4PlCUrKpg>oW@Wmxt
z3^F3VEjO8f{D*25jUkgMr!=W5#P`svoZLNmR~9kivzppmp;RpJwzXb^fkS*ZZO!y2
zc^YZseXy9AmLWN?t_V;Ih~=+q;;5YuUzC?zH!ca{K-0g2;Y1&Iak7(Wm&alkHj*CR
zZ8zoNa4{%lGt$sVUO1$t78FpyiYX|>dA)$W=ENUjNnhv6l(p1XJ6!L{muf_c9bM^b
z>tv&*u|8MOg^`rf={Ys)`aIXE=#^Wv)+(vjIoL7257K+VlCF?JERTc|4MmbL4BHGw
z64MV)XPGwP^wrr=M(KI(of=3gHjcw5!h3~u*XfIZWJT$a-3l=(FvAForETdWD(E7n
znTY-qakI`Ot=>Lr+8y7@0(aBOMAZzI3<yXUWI!^B#~JA|={HNkn5Z-@$aJnZ(yOeX
zk;no=!ZQR@$ptfq=#HiL@-9Nn9ARS#v-C$CTqphZ#C*L1+XXAxH`mviRodXBB<iID
z*=%8NV46s(k$8U=wFDg8g{b1L&(F`7Y1l8f0(jNsB_(tQ2gTLZ{@Vi|Xup0r(NtH5
zTx`7kqd;()z~`73JO(N^u`S$%O4DW}(GB9Z7Z)z*{w$t*(>uIc0<u#@Q`|>%dAH(C
zsoIf+3+sNawnk)JZ_!<{kOJssKL%Dt@t+KW+8(;>X}Uflilmg3!3N-3hrFU%1L=xF
z<Sx}q7C;J@vMul9jk^<?_}0}|LK(lRH{SJIUWjc~jL<X@I{}{CZKR4!cdbzssz}0b
zx`DoON^6An^*4*!!_5*+*KnXIE?Gq$W(@$DppD~FjN`=rOckt=g$o1NP(@lS4eYWA
zW`rMT#*+&t)J)^m3WLeQK5d8I!WRgBpj!Sw1!PsU5j=v_6}WbK*-C$Me$R;Zbu=)=
zH46geQ>(-5r56vwdTzc$=8R)-yx>xbEr^n=(KR+=;<UoIhW@Z5Y^R(byp_7>EG>cT
z+kR0p6J+3={gJg$@Ccs}q&Z62=;Tv0Wy<aa0~$)8$OD)!UJ8<24@OUSXGy+#jBJd|
z%<_i4)?53Rr3x9Uy1KF7w8Kf70LTuoIAe1Jas=INfD`>voM{2h8y~$D$%(^ZRe%(g
z$ME!J0l`KbMV5z$2QUVLE5CdK&p16==_OI(3A`kezo}dK{p-o3vWQDiCyJnJ;^5#E
z)9n;YPZdq&owOBT5YR+NyIRp;Ctv%ui_E|0B(64|&A>RtdMhJoj&hhcJsT}a*oe8)
zYI#-j)f3_k9=zSwp>QCfQ~vw7au+g#v>}<DaOqy1j6G=!z+})g<UhcCkoYb6Ft8-b
z#-;=Sc_awy8XG0M0WVD8<Y!+nF)?vWP(f*_rgKk4Ym<U>_eztwJW%mHDF$cxLXwJZ
zrRs-9ukMycHyl?O`LA8mAfJ)MQMt{gA6R?V|5K#Dp(td0DvTonJUqCkEU9pvC==GC
zo$SWsc<Ru&q7ZwvZShZhqxD^p7+FmLzwAAz4+lVsM)+hQswcSDlAejkP6I#+P6D?Y
zZ{L<at}`X&J-m3g&bKNJn@*oivKF@)A~^m1Gk#!%{RkZMV5<QHnB3{o0JlVA?I6jD
zpiV=5!Wg#1pE##Q6#J3z!oN&HQQ@~znTmOfTE7;BImPZ0)`1=L>OAx~65o@-L?l}0
z;F^+>TLHR6QZg(=Tp#Gh^4Nk?%9-BJ$zt{lhUne-G|LcgOZEof*E;o8(8>rZ773&#
zeN3W$Z~cwd;2^BO$Z{(8sTIXQeOBW&cUsEB<L>FAN7QD%{G$8GVLY7^LQe&dLcq-l
z{XlXF+j{htMX)n)-504qJO;GwuJmu15@Cl>&8U#l4^BmU8|mGO+Ha{ymZP&(By=w%
zeH{ela<q~kRSxFO&^p~{+kk(7Ofc>~oc&mQBY_$jBJ3?BYV~V2I|@XCK#zgO@)W-a
zqCpSX+X-dsUB0!tE$G(KBXR&Vr-$tdW<bs_vEEKy{YPA!LL>^c(<HE|)df6G(*;hZ
z;17>h+qk<vHT^76?DoANVosGayqv|8&U$a^4(Fc{;Ap4bb()#w!wmZ3ahPZ=#0Q8$
z^E;!q<JGRo2c&Dmemsjza;-92rk7RLHyBKJgfAt1X_7tqjpHm-eQZq4Qv`X6294L6
z5ntIsyC;8QeFM2AJRZtIEfh7;+D%ij;iz@WTnZK*YBw@3?Wbycv^|gF+)LkmF2vuw
zS|69YHpC#|vRzgk)E|F><E4K2x9xwxesPHK^6%bGGcfIusGcI2?D89)5ym^kgX2nm
zbFsQtF+|N3(qCE`WD>niEa~0MNIrP0k0rXJs_<)es%fK~rDPir6xs6RrE|0Y7&VQ4
z^=NgD+BPM6F1X!TtI5U{hw*C+mks3YG~0}pSF1C-_XMz;e)pEWwUQYILglu0eq&o(
zgYu=YDKh0mgraWfk_<|$KURfA?CtK-UR?UjAJoP)CnhD$R%+D(SeSggS39^p;IIci
zN)p>>F#)TQm5~9%1x!teU)9y&z0TG;v}m!7xm)a4?hd6E1F2Dg_Ub{^K?o?SR2(5b
zST7xw%?_2hCYsq%p~^1!!+*Nl7s(9ohc%iW_cXl^G@-l6k#vaoye^6A2YFg2X}UP-
zVzaV|8t2QJVw}$J*~<AK5UrN`O9dvnsAMh0y8Iyc)1YmO{CB)n&^@guf<M#&$?)C{
zCL+rP3vq|PH+OQhBz+=XmGq4q{J)Y*ubk$<y|p7vIqnW2N=h{aaXy)8Ib|u|y&I;8
z??zCBL6{&^mQ{&W){OU5vUfv>Z3<*-E);KI9-&n<rV$);81Nb~YOwu8!6nPXMlSrb
zk5kdu^l~lrw@JevgJ^H93B5Rf)4rIIR|b88zcamW_P)J`p@5GF@)s12_(y#zkBEo>
zy1tjm${=xK%fO?>=$?7!hZzzX+In$n;)o;c5(>Y|UO=e0S`gN(w6QVY?NHQvhy|G4
z?TqS*m=(aDmVe)ZKltLjBX}cyVH<o7XhP`G^<sHTPo9GK#jprLGN~ESv6Ez$AfG8-
zZtsKJN(KI<w~0)b!KHHyMUB#qRb?a(-@W3lt4GVmzc0tS=`S<vjho(m|2<@;jS0<l
zU-0=cY9B|Gq0GrU%#4N(Z3S1NQyBSt)a$fAFi3puExzdRe?6k}d@|LP?gG7}dq1)6
zz2kprvdT~B<{;JMIvi%A#6xrB-&?tZvrr(cx2RXPKK~cZpbAx5OkagKliclKto0Bc
zXM??_#bS@Bxvj=qVti~?+#NXd%~MXRPPuW6FO-S-olaYFiAM8FVAO_xdI{##bDD$5
zQ9q-6WX`^MqA%@uu1ksa$UHHLOpFZ*ywjsN)gD#-HUc&SWd;?`1%4EO^WWXu%Oilw
z9+#Gs0Gho0_CT~z4y$f+ej1P=A{X{@0-#7h_y<qI^6mBI=H>=KIYHNbFT%sZ#`8qq
z0HBzIgF`4HT2i;^Q67q<4^RR1^?wED(m<zwQy8pT9TPmRJ)0X&8Sq#^ihDPdNIto4
zZJ$NPb@dfq{CYUhf)Z#x?rVhO@&~#6mirO#9&J|>VP6w)QF?;}qUJUe7G3VTW;VEy
z9V-M8A~#II3A3B94+}6l@0Fcgsbr1D1N3%aq{`({L3R0^?VHa&gg)YUKKH0xG%=a|
zC|On@s02L>?xm(PjkJ`(v5qXcIvR4Yu~!gZD*_(B3hw4Z=_G##u_^jwb+^UI4rv-m
zw%SRu3Rb$j(RcJwp`QPkTas2pNe_$(_WmO7Ya~t3CUnsYgdj@BWPU~F=Q<7fC@ytk
z?yoCdaIuJBn^d_p4ZBV8yURT1{IbWAozNfC?%#y_22jid7HBAeX*^Vk>gxc^Tr0rN
z8y!7c{)JKrXbW09oD%w8+f(N4$Pkso8B6GO2~h5!dG9$Yr`xWpa^8<|`xy)I=M2yg
z70U}}KwsR8atq%*P|`f=`=d3<d2!#7^KsSxmP>3asWINx<BO5;<VfDZ$GGQlA)&Ks
z<Ghzn=OPU+jyYZ9o!eLgPgj+fm@JVw#n;Z@TzQjcMGS(QR;MCNQ8*0#Qsr7!{u=EM
zh3O8+zA3fsxRwG0CAFdfKaOggCi3zVJS5&v4})|eJrrf`FWYMV8$y87=kVz#z|jt3
zz?`j>!C3q9y+t8vzWr<fa_qdkyxUa5IoI_>WY4<MAbj#;aa~gM#d^#lEgSdtw-CS}
znrmPFPZM9^;yjJCT4fBx6c9U$u%FW+tcv}Q8UQ)6CM2;)Nrs>A2R*7myp8{n0lptf
z1{1=H0RY2=(NQL0VPQHtgzT5Q6-OFwPR^^H1kuvkzMvH#P7K62_~);$u806V7MNfT
z;evCE>OKMHt)<A6ufNNOcY~|;Gfl3R?U0ZzQIperuqoa;QOMW-+%9alDDd>xaouaB
zwZ|gT=8^Um-kFS;lU*Nn{<m3Z^8@*upDwlK{eLTo2~i|^i>H{mHd_P-8Jbw?t4Zo(
z^sBbtS#6`48Q4o;<%0=3T}MupcDqs^{?im!v{jJO{VJEE?D1)N*ywXg)nS0G3mpI(
zh&cbvQ$QClVW!zIs!>&*N#`eNu<(xF3UYuwQ!?Qc)v25JRcie!eT50l1ux7OF;U|Z
z#Xe&El6)K|$*%!YHgL8(WRoLZKOK%T7k-zj*Vo@?`ni7W^(YkN>#q0&aR}8?l2Vsb
zb73XXTn>Su)ohMB=SOCqMp;tWB*6R#Gy^lGvid4gtEBHT>(S=gR_;Yv726Hj8LMI5
z4Qe$IN)E5RYW*XZ)|Qki=dHK70!x(MdO)Ymh0Y`tn9$LsVm_0>2Leypu$ZMrOVgCU
z2v9eb!`G376`D2V#?qQ^SNmysx@I4mlKZQ|uyP__9V50cj0kcbIB-<rOr>X^MR7Ck
zH((eU4LaY=Pov**;Y4&;GEA)hYMZls>tK!X^&E&oAmJz8xH9q?A#356Q3EWf<*k5m
zlCC?$wrwWt@s%sz1g!pbqWiPNi*D0hvz7`bYb0;(>xQyh_i;5-V;LR?SpUN+jJA#p
zUp~kmAtlH7$4u|Q&7c{>iH+9|DZj9YTA{h3Cz3qB)srz}e`){6NzbD6;1_g4>*VNc
zejn?0K^^)*0gKpx<@S={Vad*G?!Wq<V!^&8G0l0RvEZKDGcCu2r_zIwDNe%u{`+wW
zSbV$n)q~h6me2JNM9Wjm%m+^Z*mvtUBcsaC%8E8Tb+t2G>x_*Yen`i|GrzP%Buk4O
zEjA7)9YA(?02~pDG`u*T!M#P}?J{+P9WhWe<@)zVf?`9Ds{~7Rnl!LQaq1PFX2J3_
z?(q>%F~j^;$I~`Yr#%9E)_n9Z*d%>d9x<7%sLQ+Nx5J$IJR6IDCfIB?6}_3=@DPJ2
zS-VNG;P?W0%HY;|sR<b4Z}`!v_52$z2Tv$LXz;+dY~#&&ZBpN|_EQ9%l3u67@vI^H
zp)RmvV5i?jC>^E;iUb}JGzKntY)N~mXneLNI~@4U>vg_N*3U4N(`Iv{Xsf*C&(~Sb
zMq6vMAQcbhCJ6Xs+Pk0pU-ywG%{iYMeNX`}9nL`>|9LZV+`5ORcVEb#F%Jq40&}GO
zwS<qhPH~F5%?BfwKV3`N4INL9^3)eRmge`9YkPqG`e?EmXD>7L)@l4?ZLd}ru4OaR
zxzRki(y-Ia2v=Ta;cI#BBjsN!JDruec9y~X*Pq8>x$2khtsX4S`7aY@rDNTxmDV{n
z%Io3yl{@_|>)p*sH`Vk8CmjR*Mn}El!i{@YRpH5hM9SGdV?;o-OCaV&wtUv_@Yvhm
zpQR=Z04SfptL}LD7xODyT4$L=;q$W}V8Czy_LsjDg|rM^#w|FYn98Kn)M0s^m)RGC
z!XlFx0aCA=a3Opex+NdzGA2J4k6y13b2B+X`s*^S#?bFLEvNfnRw^;l<B}|EUOORs
zmuTg$=c7rKZf5>QopCImJ>PYAKjhqFWOh^2p~2b)sF*X)Np5vE-$nFC0tl<`BuC$5
z!UVR*S34FQzZ{_T!vdzh7{!wvSijWijhC)8cAPhmzn|y2gEc=v(=JihIaS`L@S62x
zLpje3djI0JjuFw@9T(E~w`dr(OZW$=9gm1ZmNb0EP~-*wya}}H=gFQ!GF6>Ibl1`L
z@6OwZ;Jk%0(MiHa5AT7Oq-skgPW?T0?eucr*77xv`Kv3A4=9lTWHVZv`$_sEGZ+Ss
z>10BEM_!a`nV@1#(6tUvabYBMQUSL^O#hvq-@hx#$$j|FiH3$I5R?Vp+1{pZD<F51
zpa8%{d1)NEGBXTpZ0Gfdp$f0yh`^eINYEu!S}NuU8ksOrIA}v59h{_(pYnr%IFHYI
zC?PJc?~`PsUuw>;W35u#gtN5TV%}d+dUKBJu3ov2XRfl}vZbDZkDf?VdiBi*`2}%y
zd8V2BpC(Ry^AaosJr`Wju9aDV@YC2m8Hd^Y08CyyfF(m9C2U13{adGtkz=;oeoFzp
zB}lg5Y!HFLALV7G?>1JLYVn2m22RG@n(fP-PjC}kSUK(2>Sj!ebZ0_$(wBNDXWlBE
zUv<ob2Y<avQHFj~q3iG%7Kebm9$GHY-Xe}3@oDD#xBE0k@z7x8mK^<|bVD58lT&LO
z<iKTmL5d$JKBZ8j6&P^@oh+l_KNb3q5%PRldBJtO;;<~p&D9WB_3Z6m)W_%XpEC1w
zslV*1w?DUZjnG`zy_T9K=i2%}Ih$1mUj6Aj9?8sgkg_Ne&1=)Er&>M`?4(Go9<ToS
z=JKpwDqkx}Ouu#iP4M)t$Lt>nQeQ(?7m%vHWkZ6wfQHy=yL%<z_FMxV<v(6#;4e_X
z^Mn0LGa!v1hlM?ak$#;4S`mjECrxCB^*|j6*E}t`6SCQ@M1jhsOeae3IU<M1%(1r1
zwxZo?QPyTrYQV=0uu}-1PLOM#QMpd$+LE^?Y=Z~esKVR)WfGn@66S<m=i2?b%m6~)
zg;^;_=tf3eKuVy>cSGk%bYAn)j!vokjR(VkBN02R%{9M`K0B@_YW5Dvy%<YrE<&rV
zzZ?A@zdXyk3{T`uxg8a5`>zO#7^L}z6oNTSCXENj*gTB)20!54YmzTdK?3{b2v=SL
z-?AFKoYi%lN7f|#18X%bzb_RJUGUDE`FPBE^w{SThR57lhXmsc2k-~x_949q+1nof
zpld&Oi#?+6k$iL+Sfh@6uFKtb_+<<FbmYqC_~U6;a&CZd6Hts0--U?muy?*1-oAx_
zrWi*NxJbYK!&uqbor<2ms1)=9X`ikxky(Kt>oUNt1>P&kxdc$kDnz_QCLrH80lg#t
zjZmuAGAXiw==V-9UFkYD;Dz;Pp<q|3^^&7*Fw<}o&s=6EToP9X2(JD9jk2it+tn_e
zbm>V5T2{<S7LIESyLA@v+6Vj;e!ouvTvDWOyRdDbm#<n&zo~mt_3K|fd7hrG<U_WP
z*+e!DXAY_#=0kkrPebrd(kJ!xcarXzDq#}-+AV*Z86UF5)&I-WwughIt3KL!OHQ*f
zCdAX;SunAgIwt4tKegM51Q@;N!cLh-v!;uSqeS<%s}hA729DhR&=1%0cvIO(zt4o7
zS}O`}zXuXF+pc!fA)uX3jr}#+UFMrCsXmRWPZqrOl2li%_Z!Y#zd-l7-%$?GYh-I_
zKFXoW>v@_X09%JQz=6zmeYD%2@OkT?cMb|=H5Yzd!bQ#QGk@0z&m#L}p!B8h<(bvv
zS?i(wN#^qW_Tt-36-q85V_kSXJGp@#|HOP-7E(uJV`IQyIQTRp!>#rqybmb;WZM&b
zsUM(#yuQAcBgi2|4;Ll`e5<nen3Z#t+@HuzyAU8Q`<zuWP>!_jeUk+q*X=@_%0x76
z_aqZ=?(}HQ(=}MGVJ67P1&CKq7S9nH6bg9*oh$e0)zNB7E@@K{aZm2yz~Fab^JV;Z
zHx2#-MUMmB7fXi?(yxhKGE&h;KRMiH^cK^4#{FIAqt0m}*PLAS0*ol;G|nr{Q9#+B
z_JHR-O!Pdgu!5TDAsj0B!D>{`Vx&W@#WB0xT;!(rx7-TfD$|HSMcE+47uZ^&3M=)|
zk7iCi);o5MIQQu`+#<WR9gDi91H>`ZWY?;EjCnGl6bjIFE+%PqzQs?94>#*M3O)SY
z`fXmbL%$R@a=GvAZrT2ObsomwFX|nN-e#isPo$O^`mCV>1rT|q7u{kP0_Ckq2Q)kn
z#V7`pzQxv_PIGf}0A)P`@;qIZxysXDkWkRbPqWgs@VmFt^Gvt#?eJLiyFZ6Z+;|pT
za}LOGdJ(!)h^JurIEMds^tL*9^pifcd!u?IG9=q~Qk>J}1u2x(2c1yB@hUTGsAXIJ
z1pfZGCz}H;(Ri1L{D%(m`O)j-@4D03A2#^t3Tf+=ce!rpcpN!+f}<XRl>pfL1$4;r
zhB#O9B&R5OU{$ah6b!I33>@#WT8su2;j(sThXxvk@&Z>zM{Z37$NWLZ9U{Y1Pw!_D
z_5d(b3_`TV>AvW9(=gu}#<B%o`V>ucq8AaG1zrIr@AHZjKya(|T=#d~+-%u+NjzGu
z9`?;M*J`{;tu@ANH{@(!v@vfv7e&l$J0pQ!Etnou8?+b$ImOV(hXGoSxYOl{j^`pZ
z!qTVTQ$2X8^8+dK5tgZt!+Y}M2(x|m#e%5n6<?^IG!AoxeVc{d;0O~3vOZCU(uE%%
z%aMV(HdR|-dB4M({7}(UQQwE1Pg9CFQ2wyRxvkI2MOa&zG9j44bb&wRu^~}Xu!l4Y
z)dzs+E4X@M${5p(H^?Em{&e-54VQ>Ei2*5-R_ev)rLQGx;rm*rLnD;8EB$LSL_3RR
z>yDWqh>XB-MRBdie*1g;f!^7ny@(LRk-UYUUnvegJlm;>u*ZFEF~0KdsB)z=5$P=b
z1C8fVrQ%|n^XuqK>D884rB0-0o=0<g3e{>=4P>qK4~jDB^i@aWEfg<aRuoEU5g%p*
zXeEtyz0!&$j(jzwJ$nlqytTpO5cmSZA@6(LxqAnxL0*0~Li*%bwJ+l5J!`FY*aR`X
zfTeR1O%1`3NHYX^-!;ceNyB;*f2H=$oetpE=ed1pzI_^ZW8p^F>~#IE=^Mv`hCTWN
zLq>RJemY7;!KiFq1n^A7?{{MtdSXHB`Rs02w2)wc_D%*w0wW7*Yd3zXG1P%>y}co-
zg$Z%buAlQB8t6rkFo46gm13WOx2bf2_uy9p_~_B>yjb_*FuU`Sd4UVLD`mV&%~n?;
z$u(pB;=lVRN=7Q0mQq$mPSdGq?!0*7v5`BI-F3ak;pln6yV&SCv5yf31qDkb3N7Rp
zeo!4N18-GUPntTri#;KXwg{ATwl!$ieQz)h!96+1725D0o+6y>M%1b_A0?;h{fyd1
zT*e58K4Iy}F<Imsv+nh=_Kt2#;J5lzBN+yS(v7F@Ge4<FaUKZ%pj0f~`hMrUUPE71
zC(v9NAXs}k%=(~kZy??`@QGRLo&SEdwmal`ugH>}*_QYt$ud2@*5tQN*!e;ei!6;f
zJEMdDM%*?UO!Mrfx(|3!QL}|Jave`a0wRoedE%?P`oezy3djq<Gt?&1QpEtmyn&c=
zQXl~u-<cYJ1%mJwf*SfizXr8<E50oiO&Gu-ea{t40Vi*GJS%*$*OkS3tk#JXc{{x$
zgfP)5geqsqP(+hYJX&J6$h_gye*N`wn@qnd7msBBRb+WzlI-Q@z(jLp|M3p3h)d>q
zB25>x?r@r%j4Vy^qjQO@EdR9eFa4zE!<FT%Zv&(>y*c|4(njdm*aN{|W44T$oI?{!
zK?zb6@nK)}jf?%8t>R~aN>qy*4V)M`aUbSy`1F0vfK0{G5o%@?Q95a%3}Hg2p1+Ev
zZ@ND9y)DRUXDF(@k~Sem|MEYppD_`=*+1(gy62A2Gt4kCEO9XnY0HwIqh7y@UHwm)
zYKmd^+|c8r5(6ns%)3B=-I7JK_bi`hw38y)UD@-+8jlOV#tm@kTIDc_fi(oJDg2FT
z_diKMzWY`BfgNmcxzOfJ9QNo>29p;w6Vt4nE}k3MWceneN|b*{>#q$s-9WtJU?k~;
zX_2)OFt`-yl@$k+@((2)A>R5Iw~r)+BC~YgOAdtIHQmudbeipSHoE<f;vIl*AT~EQ
z|9fqOgi3sZ)Ju&Q)t_AyV8pGSsC^|-n=Q9I7<D_oJquep8ccEaF8L7d`A5+{-N8To
z+#h@F-0_nW>hF5Dm6~n*yQT{Cxwfo6Aqx0dE>@9e<)1e6DL*zGP4)dHGL+Vk0)#+q
z&BpU_6hzVnbA#M0Ewas1BwZUMr)esQ%fAigIe~|F&C^a@U0tzS!n%tiM3IS&+1l<`
z*G@H%L(5b(+s5`2@8_v5z6+o^*(Liu!svHB@z9!`<a!LXm^3htx0ACU%f>s&U|Xxr
z6dFux+}#qCy5+>PKf%bh*!4N@bfYUOU=r-u%qcJo*_HVG^Jz-o1lQ+O*rTE_e4<;c
z$i&EEk0e`v?zw+zj8Izq&wP7+FpxU|U+|Y}ZFp{a3rRT1B+}pP2LTU~)RVa>25OLC
zm)QB)Jq-SNfpbZ9RY9l_<pt0HkgcrJZ}KOgS@54~8;j<>y-MNbAGarLBX?b}mu2gy
zy}avK^hGzG;WXdX0h4(=HR{Shh+bL6^PUmW{Rb#S_}-GPSY2FG;+gNF4Gl!Rv$5Yr
z*}{No_Yl~LLDq%QjdzK%@|aYE(W&^?hXhPp@R84vO0KLJf4_#cuEZU`uV^x-#VnH(
zmNsDaEG+IeaVDdBDxm*~!5_o7On=Z{4SdVn-67o7nx1CYhsw72<c>2rI68~2%Sj~K
z77K^qS8dE&*$SIMiM$;~ro_VT^Y>)oVf<M_aV~JY#H3-xyGSWhk`;K#Zx!$DqxnNt
z1m$?2cOt^yvX+|hk6$k>oTOXQ&W%SsFu^K?;@4P4Xm8?XZ}QP*z4iWo%i5cByZhy#
zA!%k6{nU~Vui4h22U8sX#c0VROJQxjGcNv4Ns7q-Ku9-uI{Vcedf#<^faph+R&p3y
zA4I(BTMKEUvsM#Z_bkZ6bfBcnu=-*$kD~|6Z54>c<TWBD7T3KAI}u_r&4LZ-rm$&}
zv5}QWoTiFQS5KIg_AR5&p>a+m1il{jrG5BdU5MBZ*Z+_PEhi@jh&TZ-|0qbEaX+8^
zGA%Q6R(krw>eUIwafuAYRVDT-J(QA78vn2L%9^p@t%aG7=h>Ta8ce7;v}?-EKNNh{
zc0PRt$)wl!)hd0;GKv+a=?UfRdV&L)xXLT7PMfsf9dSd(N_6pL6f-AAZkOGleo7=y
z>rsxu;t>YDSO|1+ov?F7EtW0@UvMhDj)>=~@7a6o5hUzEUUA^FyP@I!p|^(gqra8+
z!-nr;N$w11EpZX=9-Ve)S$!jvpM$|C6<$yildBg43RF|v_3Q?tKT{{ooc`-)&|XWn
z87AY++|K3vj(F!^r-eC@L~Z<<WP+&%3#6G~We2UKvm-1jRK>}&o8E&sg{j)I318ch
zwER>NEe+SKMfVPLZhfd*z|#xs@TBFR#-f0SXz<13(35204KvPI7KoHL7kqTLeo&<L
zrDE<Q$$hq(h2ZTWpV3Hho+iiIhK1n0VBlO`y18Z5+W5%*>&x!oLj^S5S0fFLrT$O9
z<>ZvLk#glBhl^u?fX5d*?=@G6yygTM|EZ#c&pdwA7A63Mh=7{v8@0XJYkom|^??%e
z`<6d?Rfu|&#WaF6Ee$F5f!Rd=$$i+ua0n;1M&N8~LvSV<q(ifVBgV=rZ8b=AFeS-4
z-io`kZKVSHU17?ylwpythIXIV+c|UV#v1=hvH-t18Gio7;@bkQw%v{BlUpTRNLwr)
zK-hk3qqRovXSAjCU*N~7+8POm$m%B=u1HI-tUreybC6=7RolC-a-8$Fn2gWIr@H(C
zi%W~Oq|wU31Y-&CJ1LQUK2eo4Cww`jJpEH>Gg=n(vavYOyk6-zNFmG^f<g4Q1AhU`
z7Bx|wlM?*A(!eK2C_f%1mIOy|d=|;TrFvFlNmPg=j45>QhgH(fARY*Rr!$Z!Uccik
z3v*b&5vCEMqnEX<impamCxJ8TL<2(%<c4S;>(Ezk@|(Jfdh7vY-#cSha^EbV*O&u*
zo9S>!P*CvShjkz#(YXG_mV$5YUCoDZ=UY|ut@+CzDFcqL73;vFY*35Wn3<c@HxEeC
z>sio4Lqy&4lN=r^Qq76Kh$T~uLRY`msn93?iHp~t;q`;O3oQEGnJuSlGs%(4nSpwL
zII8NnN~;`pz_H0`4o&g0ea9HKe9xU4GyIjp1u+_)*SVd3{nq-81J@Dd+y6=0Kxr)4
zAKd;+h{eP3E!!R5u#aT{c*0)3<9%o^(h7v2ow9!ZTNC*TlZ(G?AGowmMP9bjGeV`6
zvz}JEbyb+^_o`t&X#_m}f$=1v`KUWZygaV`^rT^1Rz6!1_3SI}NuJSg%AfW>n$9sG
zvoGxW*_ez8lWk45&8a5a#)LcD=7h<16DK#>c9U)1={f)BdEak+>vYcEUDvhuTE8_s
z-z2w4M(O<T5<Wa8NAP55-}2thbd<0_{sbyHYLPzo-Q{4X`cN|zr}~>hj%Cfe{Z?^y
zB#xb(^_VQ`-0>JUu_jjxT}A9L#Zud()prn&C6zbn<5;cDfkXMey_IEcMQ;(#_Y_8b
z3WlsghAaS<M#Hkzd7h+eV*Xvscw?tJ{4a~HBM$iwTsTk?AfUo`wj9PCg_d!xOj3yo
z(H>3@(fMhk^E-&Y@=Mxx>J+PR^HdcQYkNs;)QMX6h*7u+rv(IXQ_H*o=|^*4PPMgh
zu)5r$;rz(IpI@9yf10|Q3V!L~Z|SAwBt{%LL;e<XV%FSVUL0c{&nv0;B0i#=5~|np
z31<n;k_o1oNOC{BHtU;Hvf?aSyy}Zz0Hsh*L{Ddl`=MJD1PiS+Gcf~?b0}p4h3i;M
zaERpjtEikc|2pOilDK9YF|X$oZ0Qk7mDn<^L&xxBKm9|6l8BfYl{Ayykj&S?gLXu@
zRo;X0oo$@lNXdmUWgsL{9V`lC_4mp|j&LbQBbwQvZ0~^^F+Lt)lgk}dAG_UCgtSkP
z{KmlpfQy(KhY)xgBNy*w`l+F}B|c?P59$^pySI7<sm<r#vcW|TK)z#k{W=P!Qs@(O
z!;yl7-6qdmP0Yy9UzMkFf<E2;!X~R9Im7mf1q`3C2-&x^U`k5L02j*moe*Vf>to=G
zi0^vp-V66lIA7WRhwPuaB*h9ExC)snlVls6khPvpxd2rwzvi+m0eRM%POgd~$l~(*
z2;2oSFHJVjY?uW`cFFy!{3@JD$Tl3rM_tKOI~6}g8Do1lFL5!=&jq#0S~%Vq3yJXP
z-o<$ExZh~z6D$#f$fm`#t<{~38~q(j#kf8j_DZF2N~UrRZaSjTS3Qg{qj$*j4MG&i
zWvLK))edsp3c<x!KQPtYGgTqcRp4qgg>6({k1-&R)_zeYWVENA6U)TGkc<riOr<0Y
zoyxh1_*(N27E$yz3N=Qi7r#UBc)|d7>g*`DU9`W2rjrsA1Qh5OHpYx_2c~?L3B<5$
zjfpB7W9_1FEnh(=szCTJ?|m&W-a-Mf1|>StD5T#)Kk6IYL6WqF=ko281JE8yts8zI
zgdoKBAmay7#nh0KTFVMW9+}yMyGKoFbrXjG0kh`*ZFaZa?v}*rqw>7)KPq0RS%iv%
zpOC(YpxG0J!MGU7<U8<=6+}sUFWkM+lc$9W_i?9LVNI4T&q`^rtjlKANfRLMO{>l<
z9(|cna)W&dEy!|)MD}anlB%n!N@YCGnE9soIa_mRQn1JvSVeymWl!Z^dJ=l*CnV_F
zlkX7vRdS-2d8OTNPKQZEx;aV1qC^;Crl)DZFZMLfv&Da8RwXD>WXQiSJL1%4mvWoU
zG1=Ql(s_sU!oR~Ro_*`iVO6daM}wuN)Y5NQE;<Q`4VuOfFm6)klgXkZK%d2cUD#qU
zK(#grENTLwAX>Y}KQ-gsxwc)4KOONSWCCLZYb*&PnI1p0M!L@&jf@z_b?<ipsv~h0
z)5zZ99KfPmfG&^-*m`@4X5cf|HCffZ5rSkW*11@8Lll4jCN%9?a@n{6tHc4y-H){g
z%z~-t?#0`wj@`JfAs(@468=-@(R$Vvk@7p3ct8vrF9e*2M+=F1nLvmkH!b#4d-znr
z;v}>Psvy%@h0J_al%Ii}-RW>{^KqooH%$=wIb)nabdz*To#8L!bqRBC?MYF)Nba~g
zN)ZNg$mo#Zx*MjevTrC8(<LP4Z8v{3#x_vtm4u4-c_Yy3CkH!aJJY-&pW^3VmuQ90
zv(`4VpkL+x6&L|6Y?V)hmwPP+9(Wr{)uL8+a+S1u%#<7EI=4?gha1T#eXi`f%SdUc
z6V*Cy8_r#`Ooz)R5WR$g-76Kj>dKiAhM$7}<zuJRYp-CsV}xNiRPV|&Z^bPj%Fu1^
zfVd8K(+vH4d1h4Hrl>ov!?E}fi4aqN)rJIdkj!Km^9BTGY5neu)kGW3^V2{k)@-VC
zD8N)@uw`kl-NW9`(#jcWh(tZR{{D{w9iMJ+VQ497MryHM&Tqt05T=E_LWaqKVN%z-
zy4xmgs9~A*<F26yZm}idj~~qfEoXcmWEhfV^ixtJ^Ys#FZno`LAFD-aRmClHB3$GG
z_25}dVVF*;nbEMPLWk#qpj5vwMh7f~v^2F}JwUvSwa{_fqiYY}IHIlKyQFWB>kQw>
zULCmbP$FtqezcIV-WJ3yesYzZpt&xvt<u+JB7|8tTdd!G++vk07hn2h1&_02?e*@k
z9S@U1-JGe3JlwgLWtFTV)q?gc$!LrF-DyPJ>Jx}3bS?Jj*7`=&zQtRMqFrM}{*(4>
zkf8YE6?*uBW^m(lN>l5$SjZh9-u)_eF_t(!B=Gv#5nnPd++{VV9OFk2bQx9oTY12C
z_5dy7+fnJj7c7fhW~WglE<B0PK%S5pf*rCNCoEaJ?4FPnAhKf+P4QAF1IYyevKwou
zPAM_gR(Lc3stllX0N>OXG=W~h;d;4P9{Gr6$1?Z9iA{0}$jMoO5T#=HSDrINX;NPs
zK)8*B1YA-5bWIRXXE7j7kWccnqo&O9L#mm11>pWM_-y1r_T6@bq@yb^oZ{AYuY;BI
z(Y354Bb!^qRRRWPgd3#=>GEZkC07%~tHryTRN-sMO+*TS0+z35aumwvBq#@`Fdf^^
zc%!S1hSy_^uA|Zm?K5lD#%auw#9ZV!@+B;U#mnb3cws1OAn<|QBW<<Pe*tg=Yv5aQ
zz|&eJ9-Dd^ESux{_AL9ChK+Rw+aMGeMGJy!IO2{kn&Na_Hr|K&E37A~#9dZ~`@vXK
zYh`@Wg*!>MEzK?~l388+v2PfW(K-*_3L~$TxDgF?ic9tfdE5eac<l!j&q;Hus$6zL
zV}$TDppNr(Esib0-=f`mY?<zVA&#IISBf2Y&bRM3TKe!d>+*c`I2zNMoO*>l59q`(
zx3gDB(JQN$ZZ@kuE#q^STE3^oV4e0=E(3hSuFcZ!Rn~c?(q6&y_bQ5t(<c3g<xr*f
z-HHa=uLu;G=7%I|%@Nd>NpRrT60`Q3&J_pfk8|&Lbr1SH*89E$c5RRF#cEz@hl@re
z-Cr)Y@2brJZ};md^`3v>59ivp_yYG~sGNY2p;%;HL>gk&+n?Tgrrn^YTAPRNpVLvh
zVHKBHq1QtVc9>%(@D5t_Yqm$-Lwptkj)&7e3LG7MlmI@_yW6&{)l#bihjZd<S(D_L
zbGPDANN^TSPN66bul-pWsN!#^8B3xySsEp7g_k`$Qh%2sLwU~c-F02X7U&0Oj(DqA
z<L#JgdGnR~Z;H73_3Nge|D08v_nDrw#oCQ;lw8BRrJaP>@gRd0*Sub982pM&`uLAN
zb!ZHde5J*RgN&>LYu|~+ls<_m@;!L6^10p?(TBvs{41ez*3u!5lB0!E?d=gEbSC4w
zHulIYP=C<MWBSR$Z=#*fA`G&f^&Df#t&@pv8O9`P;yU3wxg{|K)m-gQw{(9zbf7XQ
z^XsmfBgJA-1aghB<oP<ThKwn31MC8T(O05_Sh{WpH<fFGMcQ_7=4^5GA5#iAwDI=8
zI}H>{aRC(i8y$Fg+sFqb-s3Vflu47npp!k)iV{EW*wm+h@HIUxt=~W&4`d70R#!{n
z1d2f1v2kz|I<U08V;#+rNJqjt*Pa(uCaqvZeiTaC%JR#&M5xwTp)br+7AI-S>g(nl
z%w>|X^A0FJhwNeY|FF_$|NTmc-%@OH5h&X~lpIqK&j}%0I!L{MHVZ_|WU*N1Wi7XX
zOh3YaW>tH^_1|qc1wFlI!6z$u9WB*45(tc`2Hj((h=FZPqfcqJ3+F6f;VAz69skI;
z6$la}KRRJ(L1EY4(t0@En%Ww1kTKQSAMQZbbl9)2l9ZVZA;yy=(!~jcQzAHX{Zx=s
z?vqmEGtdjk=rVsZ`2;<x%2=7R_>faTSYgU~rQ<dC@3k7DDi@J1*H;^vC}FL~ukrNn
zCGHG9rS6&o;qUDVQ^>Kf)FwsY3Y>`r-5+{~O`$9S5T>^>wfOgI$0C#`E0-PyvSno1
za2YR}E8e|q`fjK^*=3!PYs{1lRZ4s>8yA&*eC&=P-3;kD>iiZvP$XF{a)+&!0`vuQ
zf=ZEFB-2t%wJ9B2m#UF4(N4dmZYSTr*AMd`VJisc$0P>$QD1bmE02*}rGzThq3Zie
z;lUiNj4Sb01(wu_`?Z<;o_RtmX3GW?u_YX;=BQ32ek!hM2HTEW|M<tDJu_h)xZ;Vt
z#=Voh6nMw}ny>%4zzy`Mi(bEMC~V0^HeSiceHe=^eLEc~G2Ux|!i=gIIeivd`LS=J
z&Fg{fG1F(e=wl~Vr#xNj<voTT-V}W@h!Gm{g^uh{XZnzC;7a@M*E6AP;z@y1GD`0P
zKl9M}c&wU<ds5*Dr?PLE5WL7X$xziEh)0tE_IV0#T-d6@e|`1G&2LnNT8FJ_?K6Xf
zu6M9xN$KlB<)Nq5miCXG9(Z8|3vbU49p`Y@s2(<s#2*i5LRPQ%FXIxsP5AlfUID+v
z@B}@-J$7=kPH&fE>CKKz9UL#P395#eE&H#%yWd&c*g$~+H=#9Ps@_@m*ZhJhDEJ3Z
zAOezVQz#lrz_s0BF_8u6?|~a<X=&;7^j#-h(m;Ru_E^C8B&9C=@yhZ0u5n5T83_px
z)j@(~F7CZX?nxy`F@GQ1$S|`-Q6$k5$KcBH3;cvG>QO_XJ<pu~+V`b0#7OKWLX`(`
zNCpnh9|b4)7j%hc(ez<pV~AML?I1NO`5ienEOC?gkT_#YE<Q1)<$RtNjc>mq^~?#Y
zt{jW|47qOT1JweBfA1-8WqElqQhjF_@ypOcM1#~PDYh})zk3RTZh}GPo=<ymLdI@_
zB5wWsCl$3$&p63k=}j1(ON3sRoVVo%%)J4WZlS2#*|$onu5o1mV^mjR9}`E~sb5Ea
z%23m8JKo~<`?7dk5NXQ#tB%K+2NlteVHmY#8r*ozPHgBD=drhognDnI8^v1u{hmA6
z^q6ly)ur|Gryk+wxAo@x;x=l_lV_1O#Snz|GX>vZGQT5@w!^DHM;P^BdC+?mYfjtR
zi$ux7bGqMZ-?DqW3N5T_vB$VM^$_&SD~053<EDK>l|tP0&huPA+wH}L#B+F(sN$=Q
z<qp48XPdI`oKoz;FX8g{AOA%8>jYEiI^n@O&(2-=pL=`;4$sEHPi}aRjF2b`;ts@^
zV8v(g1#ark%|Hz9RO@r8TR@Bh*I8BY67mV6QS7SE1Z^onPl%Fe=I(o|pL_x`CZV6U
zWt?%{&iR12QoS^>$s<3NpL?H4v?61LQFyp!!?(_zNnV&&;}bTI?sigm-%3qJf1z^c
z1&UFg4qOKuCkCrm?<MzcYWBHc{ie-f%ffQ>DAwFH&lR>cmP3sw(m<IX(sILI*q~3_
z#m>@vZ)LKD=n6XuGtvyaqtwFphtNJ-M31r7azuanB&mI1%oc}e>7;1p^8o+!0~pow
zrqQl3xoQqe&sCl0Coh}tdwfe{l7EMD=JDDZ?Z6bXx>Y&_)O3DC;(3GgvE0$y&h=+4
z5T~^mz)E=ApC&=s<m5Ui`oqhyZLf$YUCKBEi}$&N!RtH>@Ikakyi(@siTeDw^6!7w
z2cXUb!$yFI5I~^<K1f<Rx?h=7`pS;nEG(CR#9TZa4K_{$2u22!xP*O(k%7?g4@Wc5
z^Rs|dkAQ#x#eKd^74UqbA|P1V*<tfsM_9#UgMbVk{T?hWCMG6l14;h>vbckd%0Eia
zL0#VVGw_RXUv@MJC!vwDj70~TdJ$gR7K|lPMF$l(z1B~a*78!riSCY4)iJacN+M{H
z^07tn5HEvtr$tm`#bq$oPXyHEa>!>d5M0}Q{A^!uhm)L?9ZZc3)QueMMIHo8Gg8)^
zSN=&NJfwOe(RU&<w7sO;(rQ2LB|9ncC5_+hX<{;z-AvWqjny9PfG9j*{~`j|_lh7(
z4QFJ@mV5zryA<%=k~f}KbZs<7UD?BA?bT?<WsVQ2HOjbfE$)JGSDV?TtTs(u*$huD
z5?U_ZAoGm1fh;VB=Xb<wY|R(EZ{B#DLm9H!=v&v~sOPWtzzKnBGZ)qur&^Qlmt7kT
z#OHH#@?xLWKe8{il8t9@Lq+vNu{fyf%9-t?)7_xeoj7X|6q64)Q$xuy5fw4PG3E}d
z0v!D?2=t5$cZo+aiDF}tj=M1E>BES?IchFj3C{ooldCp<>stqJuK=Up43Y;+<Ovk`
z{D_x|n?6`aw`<jRj%fHKtk*&|M-AVmo?F{G++`SPCFnYR!5Gl5i3r(VdPDTll+)Y1
zwP%^73cVu0{UFDKA#BN0bN#L--E+y-U{BW9BK*p-isYfJl!iHUTa)Iv>|-5YIq4BP
zC}=5)UL8-%3-#VK2TwUek6rHH#NR{6nYuHY(^2}?mN8y5b1sv63u`2q0kE=4)F0n5
z$5+x5{^~+Bf-PQ~ZSPrnnSK`7VJqBRfn5mEzuIXz??Z}HcP^X}GdAmyS?+t@<kO{b
zIjt`)QmENWaCfTg!)363y~7I27>fCr)0XpOiv8s5N=8WFK@#oq!|Td&e|9CXYUY-m
zVB^^OHy+C8cF(?65Mdzd0AzNFGtCZ<X14Ro{9?t%q?wNIV3+U@!TiJoBDmj^(>~3)
z@O)4>ZJU+=%8rq~T<j|bDGYk$?=IEfw(-_uX#$8KO6q^vmTV_>IW#x5w7Q-<M*vpp
zk#3@SOrBdQnoR+B3&Jctz5Q$*u|%0g(9kiO6S9pc4c{S2!eI-TS;AHCX6_%Mx~!b1
zgqx-m&h7^-^OUmB43qf1H*OG5ztI_dgNm@)bpDe{MtO8Qxu%<2b09nO+ZyqP)c<Ms
z_k`Ap7(i;jz9r0$Z;B%oMmsnHXvTnf`|Ig*WbQNxG65SK8<6uYvSgI?uRk2HadR^=
z#&pey6{H>DenGoJkOXu;-+$XZpEXVeuo&S5%mAMIg2HPi-yXgu7RF=x3Lq8U|9WRo
zPuAAjnoc)=;ThS$UwsM#WHft3L7m-aVI-j<N+Cl<SxZmbjRc7=^DjqT{;9AmGdS3$
z4+)kFkQ%4pi|}sp4p*Vl*-Iok8ia!E;EpJNg>CrBh9AEk&=2lLYTC&->pQ73@o3I{
z0_3JYxA666ZMKPfhr4;rZj@Ec74tvUA;^#)IZ(9VzzoZLnQ}y6wnL+{LSZgLWrj#t
zc;1KVw0T2j5R(_7i8Y&~j_*v3VZ601i2i(maQl`lNA6-9C|X9MJ-ef?a+&$<SY72j
z=i6?oKCII<T^Y=q5#k=y`qO@pW9zr<8N|;)>;dt*F);mcwPwo4I_!=gj=d$IYaGTW
z7W^Z1?ThakBr0meD(lx4mNrTHZ#*&5c|%B|f}H?&{P8BIiryO}u|Q*dcEO-(gxCFA
zUOKMU`rY``jVg?`sK&eI)NQ^grwPZA@iCPvmg*qrLPrRVAQtHKHvDNkBTwuh22h9c
z2Q8a08joRXtEsyx?_WiDu{`uV<h$VEo5~MzxIHQx5I|nI6JPCvCHOo+s30;W3SC1q
z`b=jDbbovk_X}sm#uQ!P8hJa(^Y81eg%iRg{quDKdlpXJS<|0Ui(hn35U!L<^;-_z
zc7}tiDUEZFTf?@L%{`WtQ=iMehEB_-9KF5>pS2MVHQ<Sj9sFePO_=^7<qovSS~v~=
z3en04%(;wTd!kPfn+-3Q1`a;MQY!HlAP>my)~t}hhoR12$7VLf$57^)m!4@l%M1_7
z7}+@d63*$QgYnR4oO^Fg(~;NBc9Ot>h)83@{CO|!_~!@BJ#+iJuIeCT2kcAQ=6e7{
zgV=^cY$Uo+(7q)nFj1OvjKHX|@!LhasBo;1H>C}ldpDfb5%VY(-k8{|)W4*FY!QTw
zqqVF%>{;)6g~%F(QqS-Q<#iSmmAy|!3Xdpazb0{FPQ?jj1+i|-<L`gEbo4Xi2fdV#
zZN(=Oa5}C2j@@!F_%o+HN6&)+AnIngS7g;a?2I@4r})y=KgB)-3PDidV;&q|f7Tp4
zf;Iv+Y^l_$8Dh8oo%~X~@E!9gNweSc6%I0#+%25nBkJ^M3+LmGJ-@}3h&wtSv}mh-
z$yGEj$5tNag}Wr_@Z8)j;2wa(V$^Lqn(@3Bk2g=Z#GAC<!A_5hiqdT`Lwo`Z;|>53
zsD}`Wddjy^RZT4^D{FOcB)QFt+yd~;;2z+XDJkb-qV!=}gOOQecZcg+THw*GZEd?X
zrY^mb3|#Myt)5YZo?|0&f{<=(uj=}2jHwu^$hueHRs!(rP`a0(@-Y_c@kNY8HANg?
zwJE!@Vrgw-=p8ZVn@ScMM{(oEzX$uyA*mDUoT|*gf<A{&Kh<?`K}x0?4|3I;GezQ5
zl_kAu3wE~7FqI!Ql}Cq3|8P<j9H#3^L;bUc{e7f_CxJ9G9JeK?-M7&;QKrH)*=9KY
zFU2Ld_aSCPWVxMenGG_FT?CW8Y=xD4jai^AU?c!$46q-k$x>ux+r1q=4_)Z_&7?g7
zll9;2!m*X%hTj9;xS+uL)?=!muWUGs?J_myg_q5NroMxm>d{PtVU$aa>5Aw0E1T+g
zA5p#VdkJwcsj)#>2TxgP`C>OFpQ7Y2F9O}y`~3%h+#S>Y{JyIDc~!=3J>P`;<7fSx
z{vu`bd${Q;7TSgg!ea%w=g7}{Ib<v2bGc<$%NYG#*H6{{Jm^{egK&BLJ8wa^xZuQM
zqc78leXkgmJ))<~ENZt<9TK>UpzhrYm*tHsxJB+i?;RW8?n6@%{+%)tGPT)VsP^j~
zHn=K(R$i{m8gB4gILpWxr4gL#{H#;T{!m)D3dm(3qQ`n+u^u;y$b5I+E5l@QzTiXj
zdOZ#pGG~zel-}RSu74!&ffCGZzRL8`7;8=e&W1e++do`%vGTW<29(wc$!Tq+D6E`T
z=r)kkHp>w1uI1@68g?<K;lJ}a9Gc^7RV7F*eo21wIK(+kxHEA|3VUg~O*2Skd>9|7
zR3f$ilQh#;vY5107JT)Zt$q1&_L}T{fJl{3niG(5-NBO2<;G{cL^W53ErRGIckgla
zN&$1J$FM@zk=l4N{1neOq`+6>*%5(iZPc<hIR3Q+b?PUs$K9mu!7)>ka3<RUteloD
ziZAPpeMQ<Wi|!BZ#x$?9ozF_7AAagA!S18hZ^zSI+2efq8SYds=On00MIBEkpywB=
zDHkyxE1T+r^DUG=v=|kLqkaOlo{u9KSI0*b_1#fIU^*C(kUsav7?m*UlQ-q<WI$~?
z6aH_rcMC=H#wKm=u|{)?o!9=C3{UX)K?y>t!TdB;wUjQ_^)GCFU-v(j`H_1nVuj<v
z({NjUi4P^PnXww75b#Bzc)~%4*@=I&qI)jws8!AD(-vP`FwYxqY}|YpTyO~(ghGX?
z4yThI@4MuVZP46cwv>{Y+_l-i?HDAS#u}yb|8f9OQP3sti^f+Xl|@JI{*#yYFDTJ_
zN6}zig=BEHgMOQd#Xysz>uqSgO&QO$<@oHNqW{rEA$pl)#m`HlJT$P1*6`HSR-+}l
z6AT}~d(zb<97Jfp&lxO*m<;HjnsV$7f(3eYku)ybMV0XiLeU>tzk)ssamvZa4EF}Z
ze{XR>wSsP^qoccyfSyUf22rYute2J1`uh`UH;WkJgPkn!vR%&>=hQuO3B6(7U9Zj>
zh@~$GSK6uZOfc_dnA)z#{oa2EyK-OfmfCFRX6zE>nI2))ACA7gP%rY_8&<9QpA|H$
zdQ$vlz0Z1Y19fNpNze6}zUGhD96!s!Vi%abwd>pQFzk%x>=n;N^vbZyeI7jPsPvQE
z8l|W{`jt7BcH6RW2AUM&dUaj9_Gb}liXV58XAIH_rM~<FcG?7Qe2&-Wen7e%W~`4L
z`+6<mx^)ll!IJ!7(ADj|lz59i-<f=?2%^w(SQ#7Ud2`--n)B2o9_FebS{uMDO;J-E
z3fM>|snC9|SOwRv`@dg`AI3r#LaIGD^TrkEN$TI4cf?I@wK{%Gly39JSu~s_j8Rlm
z@uQKn`dy9(m&WK7>Wpc@7p46eIJDvQuIByW@?Me?ektG_Ga@2|;K($ZR76_-8^nM$
zEv<_$HQe!x&>WJ|@FCEY>n3Fxo3-YZUQ{l90U=!g2|oiXKSj^-_3cM5!NQ!BLq4R!
zU$Ckd2fD$Q+qD78*oBW>$z^uRP%%6N(uk#Hp2o_r1BqI;BY4Xx-dCsVYiWNX^>%AK
zC_czu81u$4<}w9A7sqFuiBk_2o{d@be>GY7aF*|WQD#k719Mn}56)D3-eC=vuk8#r
zGQz~e?wTu{)Oc;!^=INkb%N-M0W6y{K$iQu*GTctfrjvfb4wyW&eP>We+R2J^AvKO
zp2dQ~7RSt_@9t$YleQ;v)RRU~^Q#<u`+3QpP;!XenNk)kd@lZ*i2H4pTr4`FLHG%Y
zmKYs(6%XSSE$Mn%!n<iruVEKsjA|^q!+l<*x$k~Ey|Y+yH10XUZR@B4K_6XL0R~9m
z)6S$wLl{g^#O9n=4?Q202Iq03Z+Rg6WKn^Borj37(<*2lyq_xI+xA>Z_TH2bD36s9
zX*e=3UOgX^tsd9ztbH<Z%O(LO7p<Ql&fD$t?po{5gN^Vg&<A;Ht|P{dIxj3={d{_l
z!yDs;+w5>-q>yEpbp0O6ebCyl!;6%x)^gcA`bk6y-o5U2YWcl;@<;E;ro&f>4e_eW
zMAq(}Qo|oSiQl5#U1A*E5?lg4Kd!UMo?B;JPD*=bhTTuuT9?5;Cs^kFIm?4<-*TxJ
z%700b&hyb?A$j84Lid2?D2MlEHEhXj^NR&pm|PaS1_%L$vZ(^`zqKFP$20pWf7RO@
zw$@p>#D45?JxmE_J-ivb6|;De7S{G3x-EpGeH9>h0)v%)e#OuOV2op9=`1u<|Av2@
zXHD<}^v)mmCkxy3lwAPmCnE#@O9bUzK8nW9{gR~kY<9I<WCAU|hKh<4AjWXmXeZkT
z_!7s*$HrKsQYRJY8alXnC0&enqKt<FzSEI*w~GpeCFlP5^G&wOB@PrNvZreR5{LIJ
zu91hJtrma9Lb1blYM9%g`PN7R(ntISR=q{G7P9|@+j?r=R>){vyF^vI#83VC;9Pmb
zt6_IsvqbcE>tpki;dn)7-7~lY5=Fh%p)xMUH#v`b;vsfS!{^`dy#1p6Ky6~%+1A<v
z*~)=_x8v%52cP09yTWeb94-u{g$_8x@7~_AL^Yaw!<(()zWZcReQSdM3&mr0uP}%E
zDXPX(to3@3u^B;ISbCmSWyb1)^=eW%1<hR1eE^&KS;6qFh}N|ZNv7nGgP@67_5%T1
z`NpF#n|pTuTmLd$S7hcto#JTjGc&W#P#Guw8>!`Mt*6_nY40rkjZq(-M=0v0kQ7^G
z_ETLzwy4G4$&^lmn#S<vG-s0aJr~7RzHGW<;!DwBWhZ6>(Jn{z?p&250mK(p_%_II
zHHnpuP+*NOF=<4F%h6HxuEXLq7mSrhxlcpoJ{h8PW=6Jp7|-^+L>Y3%8EtG-{i0iE
z;pS|QN+vOC8CH;xoRs>KGMk?=N<?Z!dbYRUFz~AqGzLnrBO9fVI0X=@BVIIl@56fo
zO&|=7=3`BIwnZ*D&0CKvD*jA4`mjLCZO7{+d{L7cOjPpI!L9qL#{DNnLV~RfT@k60
zbskw>11n5XhJXq_p%=?xB&ml~9ve;wLH2tjp?xL!MKaznf;IUY%%mc`J2v`X^eb92
zvAzVf2`IEI<WZ@{Ff!tXcqG|pRWAGqG&BXSh#+#v+*hRKybsS49iou}cF@<mzzswX
z&G@_QW*_<8Ug0vSr=(NnE;QDxRbv08aG{!5fK>G`#sc@=HC51uLLTfE1oC?~6}r9u
zCX(mx@Y8bDxA^j(4JLsdHb&9Ee*yqTp~S1OvLq~wjqL5?=a%IRWAM>7jp)UwUk&Pu
z@8bkZ|6YfurmyiGZ4b`TZU4ON#@{$7@H(0cBsjsaEuG=t+A58Ezq}fLkb;6j80u#@
z1?$<Okz7F^0CDxCI8P>v*?F`~Wk81|@b>!p{{G_VgxKW!e3S5rNcobSQZus-M~8uq
zuGxMKcaQ{#Uuog_O9`cLr$b6u!hIs&aU#Bndi054tLC%?K-qtwkw%Zwt+#)CVlCdv
z7!fUp^>+|tJ$_7m*d&{w<5kr4O#7$^meyMYK_f$<Dg-li#C1E}Jw(NTFAm9K6a=vt
z!k5=)^(~p9wYcrJh?5i7KoBy;^*hkb343SP-L*zp?ybevc6OJ&^VZ8gdtX)kM$!b~
z30C0FyH0oUi4KT9tu~3{l{kpoyM9N-y1i~Zxa4yY;HowHm?@00+psU4k~+Y9{rd3j
z)6}w8_sak!39n~lqT|=ArIF#gWmrk0>CxB@F*PJRS#`7TgO)$c4{|!)^AfFTx7r&^
z%Bxd53^`Qd?8LG7dGzJsOAO}HwjLTDkwKYR)vTTvqn!>*LYL`m3dv~-Zx%MxX~wdd
z6x52QdwZ6Qx<QQIsGs|XxuzTIltx*=KBvqQ@F>q_*xG}|<SYreqIs=9U6@{Rsq>Y+
zaGZmQ4wNK`$1oTk@){9@?Q!^QcG*CeR_wB-2LtP4ig|<hDXlEVF2UrzaO2y9dmR|-
zj-lJC56wz2B^=Bjk#Hv?_EeQSob<_i+gfUJ1}6$aFmgAd^hRIUrNq{GB+5yD_eOoC
zs9a|#6-CreDkFkn<h|bxiNg|sr)Q>TqV4(XBDRR2uZ5A4SEBP<m%0f?tB0itMcX9R
zmLe#rm=>Mwm5BlWQ2k+rabO48u!n%@@YL(753XpenH4dh%9xWX3!_&lM1*_~lLUp#
z_-8UVzt%qpqiR8a&n?qAnHp#Mxo~k(OseT;gNQXYiiwGM2l`MiJ@oA^;geG*hMv?_
zXu~B}zAS}~-|pR~LKk_ONT0v)5I<1NT~y|vI~)&&GIskWS*v{<dNmHc-XA{B(TupA
z_BA=w|64Sla598Yd<1;&3g1{GP}`2pO9_tsC7vPYL~^ZlKaz^;UCPqs5~SZQ+ZDgJ
z=yJ_x7fjiIOzqiE;zaEr^F;;*_8!d?_A&qvDJ*J*A3&aqh6eWQu@*Dql1>}Hj$3nG
zT|#_Z@t;3$eWA#7cZ@m>d(eLv2)wSBegFiocv4{{ht-Ah|5A-QJ39fu0~E+=c(sfL
z8T4s`ue^s*Z@$9S^Vx!_I*2^D0Z9}t#;)*S1Kd7T)EY8G`p3oRVz#?<TxY({>$_7-
z@rS%Q)@LWFbP`ZM<}Gy6EtEP(2RiZS@bF5jm*hU4BR?oNv9kMZ>n$$#9Vjuz*^b1)
zyBk=;rt>9%k&`n7?P<&kIp9Bj1fP=)J8yer!^*oow*J+v2VI@L(v4}c-4l{_cr!4U
zicBoKP5jPj#APB8FoB_9>2{gg{F+8A<V8rab<_~%XN6|_`P0a}?Pi0|WnI&m`ci5}
z`$U?(5Pn*}u9SH&S=G)gX!a)3KL@VR;^UpYo05^oaeVz5g`%{|)NT7rl67&tdr@*9
z8@}|AzQU^Db+<%efvW{(E5N0X1Bt@5Eq-cjbjq-6l!sfg=AMUkZQ76~<|pTV_9nDS
z=wP<ziy58{jadejSteD0uFzji(y2QWw=kQ0<)tYI(D1U9g($meke>#z_@j__*L_V*
zjj|av750@989WpvYgjSV1;eo!XOW+q%@B;jVtxbD(-a6Vh8>DPf|pcG-sDbH#>RXH
zO2+s6XSA}E!3jOtF8g38JL!)I5Unisr(s&kCJi+>QoVv<Sbyl*Wp#9v1|-DCh{lxp
z%04G%iS2ha-(QmCLi2ew6k`ny&Y6A5462zkX<iepv$ND+F4(mKop(lc1HUR0#<?bC
zxn35)XsCXr=+Z#w2@S;K%KBP@-Tf3JPak$%^s8bPzVig@$b*02UaJoI=uowF>CLF+
zwCf?CbY}#FjN-Ahb#EOpWnOvMZNIh*0`J9PNylq<yf(E3%C%0-v0jRY*%U5SpK<tu
z10-GHm@|1iKPGQ2;3`!8czn-NU-h*%_`08Nu7`RrLabj$Tqkbh-(JQ_x@%jt%l<x*
zvZ<I7F7Q|1WcUTdbS|(SHG3*|XM=){#5>^sk^+aKX+VruHn+XaN(0puEDER7b`M}m
z71Z<tsD9ZgDU@DAQS>x4LkkP{05|53_r2JU0o@Ld>h5k~N%Hn8=U-(hepX&$;^II{
z7F`A0m26aKRw}<Cd8dMRriU<9Fmo2G#9RK_^YKYh!C2r5w%kL+HJxoPk$r7ARHndh
z`x`u@l-2!u88-2qqv3v{Q#`k;&J=%ztPuMZ^EStnL(dcw97BS<?qzZKDKWeI{7%Pi
zqx05qs>dl`ZL9{Q-<PZ}>E#e93CU|G16O&y9#_6q^*HQ&4SUvwg%=>59hZkTISvUP
z*J~zJasPL*EB{E6_@bB7rBi3OKV|xt>{>FrC7@DjDx-gR{+qY)VY;f_zn3KI^^$9z
zt<VxP;%}Wp!#sv<Z!#*>&m#D%L)^^$Jb$*wW8q^Ic6Iz6QAU~W#zu47ESRn&B`;Sl
zc1sDK|BkhsAx+Vv$c?p?mk-USer7WW%vat33&*{n7CQaVy5=n|EgK8M@$U#59Bn=x
z=d|PYTI{q&#+!OFeZD#W$n~k(Ps?)5PBF#EGsjRa+uzNfIu0jPAPy1|DzDO<XSn-i
zY`5E>w+m!JW0m@&9VM%0M0<S>NCGe|)rxz$ZGjZ&lZ|(L=qL`q%L3MUdwV3L)c9^v
z6|daZ_i8Mh8hJg5gEC;iMmiYa2rLS+Hf=LvD1wB6(P?<Jh#fJV)mkG2viiL*5J$l~
zPT#*Un-0(p)7YiU7R*7J_#irq3?~#)VJ22Nh1u&#Far-|GBcZqZN-RPnt)G-E*lb7
zDy1zwI@%g;3uR)?s|L>m!6N%uiJ+Ze*D4r{09#zt_c|}xMLHJR%g0qiJrI}!PmwKB
zmwF0qaDPp;^rPmPpBB6_N2(2}v%Re~xYZj#2mVS6+kPqmXB!T06$ZAFgoR4N2Ay5N
zwhExQ%tfNjMxt;=p!TXUtxNOHBU?k6lfbkIqTPDq@5FJA6big6wRE26b=}Q;g6)?U
zoV{GrN#=_qsUh8imMLiS-#nr)_!pvyB7H>Z<>dur1{i(mfichLTUY0Yh`#Lp@EcAb
z6Cp1%?Dj+b%$<^)++QLD0{`T5r|09#qK2B`q}t#jFH)`*xGs1{Cl#_=ZK9KFFd0NT
zQU82DD0rY?uz;1i-fqhhmgsMELmp^;DL4ZKz9Z!_xX*-Dm+tb}f;7TziO?=Fz$$To
zZaJdF;qZYNO)#YKqTJ^jD1oK4#1N}kn;vALr0)K)+q)a15R97bAxUZR`)D0n!sKK-
zReOM>)6Hi%B(p^m6_qh3vpp94#?DNZx8Z+7PO;_obhi>oWv8J9DNrxlziiSs9@;}q
zg<~I+%&_Pnwc@u`M-^#4q?8kS)#9co=BjNftsG`O-Q=^Cz9K1IyKY9<tbNl>JR@19
zsSu^(mSpbMU?}ykxT8WLr({m626>zjVSM!EKHgk}lu9wU<HS40E?Cr*X7B)~--C#M
zaCj-N#UwShMHrYXywXVwFq~zn0I89W>RhJ0R!E6C&&e!t)85JFB!hA9Au4OWAG&`O
zen*ehVeLD01fK<YZX(ZbLV?T(AwaKc+Sv`B90jJ+tRD3`7xhG7g>1SDaU8@UroW-e
zq##;}9!PP^eC6bx>(zuX*_@{YIxU;%5Gz8WIhm^Nng-TO24)OqijlpqJS`8abu0!<
zyAYGXxv1%bdto|}U!Bw{6>9DG8>)X>9m$b*+6W5GS0?O7X$&X|xJB{?Pl{WY6IfeY
z1AJKmolKZ`gfEFT8EJ_)*$G5Ua#683RFsrOB_$=LrFhubM#-&QqlAI}#lIZfrtcw2
zPrKssNz0!}9?*`&t9=KM=GrK(&DCY6ZvHw}Pxq)P_xq;j@%Q>}fP>0s=0uc#%o5c{
zqCZSNjBH+2sJOAH4-O10uddS5(>nkeUclAW?%&wmHp}HYV}@@v1JtCXq|<8V5#n<g
zwVf>q8leQeq}yEPqbY5!hf#lQesz7lb5>w<i&L@{&!uzNtawBp`+aT?L>H=;_Fl}T
zSNlR`f)z9Q?hmTh*5A^vQCHn9PB>prx70mR86o&U()2%yarmQLpy!ZZUfFZY*UX-Z
zbd)FT9&*3IB)&dREfzs}oX#}HC=}K}hcW9mW+vM9&D%N{ofnwy4-9jkyzZ)~3cXy?
z1qr!-Z~3r49*so)0Orz`i&cJ3A=8UI+a3jB6jEWw=hc$)j^2;TOSsM}G$Jm0G|aXF
zYofF<8_W=!)qGphkNH<*bj?6H_ceDN&{c+{Mv%Qrn!QPhvhKfyaBq}3v!kX^A?xRh
zNF6~bWf8R~`gX`jopUgX$q84^>(Hoh%egsWlSpDNerCAYo;!g+Q2EyDA>tg~n`4K<
zX<XS@D{pim(#pb1Ji9`F%^&|&-=`+Ka0i9T8gx5>oMdFX-6Q_b!X)5?&jt-5q|n_d
zvrE(Ar=N+y36>xs=)1rkBon<KhGdC^vZZ|9sY^rS_q%d>jTN@i79<WAqL#OJcSM5T
zO;uHPK$QhQUe*>AKz;NT_<lfatu$JUjg9Tjw>fTg0fJ6wI25amb}psDp?K2Eot?g7
z2??59ba2M4zsYuK^Aa<OhED;>h5wxVtBkuMPM60o<%I%Jd8ZXmA*K&V;yM!!9$sDA
zejYDe$fH1D?2GE{gWxKVO}F%H>!ROfyZYy{LQvWlv$2=cXKL$+(<sAk$lz2-&(GxG
zYNLz}nwq7(+;YxzZ$L8p(Yv@Iu0X7IuTOf482rIk`Rp0&$w03^%X%SX_PXinDb}dn
zJ>NG$gY%E&)_n>R>oCDE*1VpOJ6BNZjobZxG2QE|+me|r=B%NbpZfLMGRI>hp{t@z
zUdB5zQGPpN3zz$Bz2)(!94_wN-%fDZtF<rD$Ho@@=LMhJItUprzKLA?ahh421|_e1
zR*-G#+We;P-e>jxqj>3wz=8#<dS^ubr+#uY=@IV(*lV;wpJpQ&Nl;zh!v3}8_9~Lc
zjVY*6Tl{hRT7GHR?J3TB=}&DRqa=V|4k5anhhn1X?&_XQxx52CCMKhAs9k_>pSmA&
z9u%0IFwGtKz0OaC`Z3<KRn;f0ggh1KeqdytB!mbC{XJA{53O`u5G8#?K?Cg(ZZ5K3
z$us?q9IcO{p3;)fS4NX04Lxog1eKBhbE?KUq9{v?@?iDTQUR{J5)%`XlYtD4fWksk
z0I%%l=jW_i51?D#!1toOz>Rhfou7@34M2o*acSu2cmYE8PMt_`TR|_}VtrO>q~MCF
zp%(rw=Fwk5bsg)dTu<{~-h7pg)PK=_`e*@Tk6z`18>YiM*Lms3=;#}rPaRJ=ZEW!f
z4|7rS%(@vDg{U`VQ%;k0&(ac3KPB&{shuTH29f-flypF(swohN-!qB6vdb<L2+tr|
z3h{mVlA&l<0@90<*Q;@L!!20*YX&xNh^y!2PCTBx_Cl~AP7Kow5e+gJdG1g)v^e2<
z+xmx<2wVIcLly!%Z(gl(+AMxRjMD0beS%47i@zA=xxEORFUmy~e>y<j=2tT<a^%-R
zyjDsaGCY`DS!U5L1Z#}UzzQ7+^R*$|R;dH8zc~DVaWg_o5*LcpT2j;o8e&I0u=fj5
z7FCZ~b-7-S6jHW$+aMf<ju@Br#NsuQxS|v{A1Ow!6-{%<8=3mma+0I;W_6s<AA^n+
z5HGya|MaYV*SjxYyQ*o=^_TmlkNrFV|JY^Mz$5#|gk8XNF8lW-w{sSd7$$^RUS1w(
z1X$TgaB-!K5kR$db<@ks_|tP8o{sO|ChiE-HUqB;rD6g8FX-+FLs>O%OOsRs62cQ0
zZhh%f2_Hq-ZWQYuYsBoONppW4tDTKSc1MFrktBEIsg7&h|LcgEsi&9)Vy#y*6YU+2
zNG`JU?68!Dh9&(f6b+&kVoF$Y^#%=3DdX=}2eEqxD%X`ej@M$@AYGH$m=+iczn2?x
zvF2^Kosp||KR4*Vh~4TWB<nNEhVbyKk~nhWGC}Vo@vx_JLDAtnPI!Ua)GMtBV|?E?
z$dd4h%ney_{D)Eqt0i^xhrjh(fn>9Lc985Oifr7lP|(8hF*D%AAxCu&Qm^e_(6or}
zt|w>(Uqpfvt)DcOD5=x$6&ddoM;~SBu4I|X$5MiNQeLn2e&QN>X7c(7J!&)DtrmK9
zPIqK+*-8nw(a220tC^WmE}H}0Q(Ifxe7Hfktg^E7<0%ja48S}M3`l$d^buBfR$iX4
z+tD;2zLH2lkHFYJz+1GPKWl6|=~s`VJi5xgGz^`3uRxdJANMc#U_H%Rz<a7vu2<9s
zH&jboeEjJjFx>k&kTnz`tgjT~yBGa(13giHhJ45>Ca_I{2Kq|M_Nj-KcKYtwIvczB
zZ0wMAZGb#IW#@Cd#oWiLn`nOz7u6CUd$J!yGkx^0Jpc69<(JBaRAbcQPhY<tMKbRx
z68#|;H)1@tr;w9zOWl$X<n__aZRj*0=sqT{;yc<+A5^<LzR~}P1BExA3Rd+8V4Q<d
znHtH?U*297yL;VFxEy8*_T%5+oxp+bi5dVD-S72UnwPgtvr;RvBkPMOS9M=spJX&H
z8;W@CsZ4I+<#K%?z(og8W_NZZ0unNZ?qv9BKzN0WF;M!=nk7W?S{hj(K`?*1fzn<d
zMgEPeGYL7^Rr?eHLZaRr`#G({UEqi&T$(hxRRMtcc;@;H4D{>Y{EO|-?Z+u07Y{PG
zz)cM_%2)+)Xty+B-bQE;e&dTuQB{i^3vn(chvmTQML_(;S43wr0%Bkmxc<dS5vSdD
zT?JhjA^z>TT8-M_4`K63e!Md7*v6I3{Bg(o7JBy8`P6Rri{!7hx_UvscbrB0qgui6
zw^g6zuO)tS2ZqfAY$kgVa-4R{b%_+xNJkV$!SrlwKnQ8trbaQI5A8INE6Qm-Yj$@u
zLzys8&hanDCFtWPud9eKup9G8!97;0RPx9z|LxEJPWOBDknhNbF_W$FvO{$i8QG_(
z+n4D}5<0kpGc$Tn5uojiCx4+QAh>e0!p{lklv2&WV{5{KuRJ@-5))K)l&)b}$mfnd
z=g%ef4ze^DZD6eGB2Cdq97Z$FaKI7bX}{uOIA!pqIn<=Aq;}ZR_4gHLrOytM#GsS7
zQxskW|NH8aGtxCPSc1t%zG<6>H}VsY%5)*m#kg=qxS_=dJeSk<f7fAmgf!Z+cpSUz
zR@kqjfbU!Zd}jcI45>3dK3+%vEblHYJ>-3V0%RlLRSIBgQrj&oE=utMx!QSDU=1rS
zO+VlxYf2k#YLZTl2JGVCPV;6E`lm-ZDf?n55G8heX#N%4kr#yt*g>M_^wtk=z!(?G
z6;PER-A{D8?WJcmqpa7>EiS6sQ8drj+Eme@%e#>x4Czn7Q{Ce)2PE5jf+&&GaJ5jN
zY1HAzy;JVaQsbjMEiux{hUkf3VXM4<4}J_<Z~@TNo2E>+)iM<~Af!77IN)v*1#%<u
z0iGL>-%t%K)P4WEm#cr``7xE13|o?jyBg$nfL2oEsa(C3gx}j_s{3WQV@cTauAC0I
zPE>Kf3oSrzZg@_`&j~J%Yzwc!1pmv0q3<{#%Y8aVw)k2&1y13qJYuv-Q{5v(Kd^4K
z{ztXpTc^Beu#ja7vubkbC=<nf^LhF(k(*)-|7bVaK#V+!v<LH&uC7p8PpjX<QG~Pt
zsGW0pM97#L6iMmn((zCwDuF&(oYqMh8MGHp=IuU@%)j|~d1o}EzNR8V0s#eP=H?iZ
zQYFl|00qo(EDe7kY#oW(*OehZ=-UV4k+`A=sp!HCUaU}(RO#%ERLg3_uwJx@_FuD%
zA&bml=%b;cE|j~#8TPqTkpT3J*0@@p-R~>k3*zgQ`Q#hZ#7I3cB=e5<T%l5tljSP4
zst+cz(<x+BQ0aJhcsMvXxVUgyq5lJb-R%Mw@fWT?fd~a4p{R!q7(}&;ebt+Zh=@MD
z-|UYSw1!+o(5`r+4o&7!0L3g05$G@YFsBbwXI3<3x2*}1L)XuDZ+`CHzBWX?HX!>p
zMEf?#zcy%hD=Z2J-%puAH_~%|jAPpP5e(Ml6YYre$hJQl<rSFYz*=D5Dls|9kBajr
z7#1%m-O(}A1OK%KfnPc}7Y!_3`a3q@VZV$u+b&t9@8S>=0wEI}woA;;)AXTNz^RWo
z-)k&K8(i$rc=p>$=h9*Df2Fj70umH)&Ew3PJ&P>Rxk9;@T&opIJ+)P5IZG;E%J{5r
zeEk~f|0-lXv$N%AC}uaaLl^x~HjMlB`^eKK+20T$8$4vv`VT!BSk6MS-+NYeR{U$%
z-2dU?!yfe~!at5<J%_H^GCgZOB+kIoYyqlwYy)fBBWOh8Du90htX4tqyX|k~&>|c_
zdC{uY#lcRPYD)K?B{1IZcRbnr^8y3`$s2woCx830RX6gqg@<sYPW-=XlrlelnHBZB
zgt>Zfb~ssdt6h*#@AbN8Z3ftW&s>+i!QL$60L9V0t716=*ZeQ6xJ2tQHE_OR^ie+3
zry_oB&{%uI?!q2St$;jfOpH0O40%x>P35S*w{~TJPEm+XjSuW>&{tJoU_|?`{Zr22
zll=Bv+|||f^XGbrV)it;td$bc!>7olw!BEPnyRX*q$JE(hWx4Tng6}kLKZX-eTSmB
zj<mopm&$oNtebO5ois=`g<Xr=_gsREy)#VvgHPrr#5F_N6Y?8K6MTBnS(+Kt<J@ZS
z4%rCy8AaLX4_kzWtQnw`+#=pi-<dkl92rt_aHCF>fISuPY=}wNRQQa*1Y!tm`O;Bk
zx{hgE;b~ws5QMe;xF-M81dVa>PvYAz8s*&K;bB@@+N)eBaA)fOuE+nnP#0xhFq!Os
z-P|C~kD`Wm9Xl27`T!ymKOM${mw*Ai661d1#R+Beeu^8x{+o?HB)uQVEN(T^eMrP*
zp$BXI2Dtpa#0Gl^|9$y)Xa*<phtZ))ij`@m!D%MVEiT1$o_NZ}+IA4vPD{C8`LouH
z4mSU=`c(5t7~TQq|Gisn$Rl7LM<e7!xNCIY{R?Ch`q>&7Yy#n3qQXFs0Fb$}|5h$R
zJ_EdNp!NVs$_Z&{VQwLnLYGERV1$aet}l1L2E@DlG{b~;(qZ}nSLWG%Z|{L(L5B`!
z{KY@6&VZkA{%yK~!HM#o9;EzZ!;8cM-dB;f(hqrS^_P7Q{!@;-=RKk4@XU6_zdv4a
zH_>u~?ZKBZxFWL#_WN=XeU|~fe-6jNAWLqd*4FE=1J%bLSTu>h)q~Rh$Uw`Nn%O@N
z;2DDEe9QU<0%F8&f>}5>O7AinrF}gLYrEg<!6<1|>XPPtXXN?u`RKp~JsBP!*8`}s
zNAPMYD$6a7dD+>Yf8%0f+pRQ&zB_@|Tb*AXFS`LuH9))vJ{$_E)$wfcV6A_#8qiU&
z|6i>k0?QD_3u&+Z#rqysylB6WSpF@qoMmX<6yGbXJiZu(;#+v@{?}k-ipd#~KEgCt
z74dE5iK3{Xj?Wwl`X<7PPu#Q{i%bSvLb?+|N@H}QLv%VV0^sSlzUF@&+5c5<(_h`Z
ze0(*!%@w9YaYk8y38gRDB(|mH5xBkFMu#h?g|*pezXw(tG4M|h4)RAx(9zmY99$;s
z&C~z4H}698(V@E833KEF3(#d3seetg3#gW8uKi2)V{=mbR^M4{=dC_*Q&TZWtXbKi
z%;X@%`KQXnU2*WFqGAGv>${|;tz>I?Z}s2IqC*-}S`ND3%T+9{9vJfGr<J3NODWY3
zM&-u--^aiP(IoERk5xL#u}#6=X<ma$0q~P-0lG9<ZOiT2e;e_?KSs5e7zZcy=g)EB
zoqoe5Sp|i=>+4>vc6zURc#Pu;r-j36h5sua5ki!FkAfiz_=@l&tJHh^Ll&$|S<25K
z6N$u@Zx!X)!^^^h>%#qg{O6(44fU3z9G6XpT?8xw>aj)!<<y<Mc|5Wo%KZww$yc%*
z2jkNm8`B&UFbBC{#xHC1jAP{+==Xm3TXewN*DN|r$_F5&UqmmdRggd2IA9ikp}<@#
zh=aCE&^Gg;3~{Fa|3jtUXK<i2me?YB;TWq>d-?IwX5UZ!W6VaCnM`zCFnP$EE0li=
zx*-nYu<vsv5_7Q=bEyt$tQL1Y@4GqgN8UDt@27X99H+5u(;E27!^&JRjo}^`?->;c
zYRZyNs?o11F|A7T>HHtA-U6zsF6tU4r8_01L%I>TfOL14NGsCajdXWhLK^9kmM-ZI
zLAvu&m--LS`+k2p91e%W!P)2Rz2=^K?KS7BwNF%90bR~XQ63||f(!K1NB7VT?EiZh
zuel0G#JF!h?nW(**L@kRgDQ3({JeT2t~dnT$V3Nt63%YS(tLHA?L^wX97PnhjaRLD
z?oOOoy{x)fF2y>(ch5Cx+<P<;ny3sg#pAuR7j1)UI)OMXx{WvG=-=2Z;(l3CVJ}1s
z{w8v<7wbHVA!64S*+BMrE(dpL8d$6hQ+0oCou2$oh|?{%a4U|;su7u;ux*6sZQA;?
z_|8^chVD>04-iw;GOVTl8@~Xs=l<`!riFsO?<Dox2|K6QEXLb(i?l0(Ey9K!yQ-~a
zI|+t(%!bUyU4QNQ|I3RL?v44$aVTLn#SrSr&r2f4HCAHA_>E?>rOK6qaV6St8OKIo
zpzIgJ{sX;UiVWq0$A8aar~7}yz7My&yOE|j$wJ4?c3pl>WM@ZRY%r?g`b|XsADU|-
z_v^}(IVH*iy$a%GrXzjP$yy)enI@0CuTMkWP^zANy}!W+25WmtgYqa;re1tl*R~Wi
zOo^E}TvoDsqMVsRoU;j;RWWs;X;Yo`LgJzejhGKs9S+K~VS*8}OwfiC8Z5|#O0#3+
zjH~=)T@0{Q#^=500_7kxcF+&MPZ0#xU7N50jyDG!av3<H);v#9X(p`oL@>u4&XxU6
zbMIE)&!NY1d8=8P&oT7lzX`WLMEjB}M_*IdUEQPk+43c!gIQuJX}q{fZh{(Z&91`a
zQzi$00~V|=*(UFBmbYYP6}8A20vZ%(%^CKyUKUH%oMGBYcG6L9`dSt{_Zo+GUljX;
zizg%@^Rf)si~wLfJR1E-xsraIr|5RO^gfzwa*wLCU(k4zQ+rg<7ztZ7ABRhJGAP*i
zUEop_&nJSgz^R{ZwTIy3r2(9JIaRc=+V-0}#*TkGX*Ti-Xb{JUxocd#rW2#C_3E6W
zDrnxwX^$4Ac+fMN8YJN>t>Lw2{n~{);_WJ$Q|H+iAPDoyucZp(WHz}61u!10F(%{i
z-=7Z@qGNq%;`~x`X<B;m8^lzv^3F2t2Tr2Bv&6l?%=w%aW%^yYN_z@`FbKY1HYZD_
zs-prxfnwmV&zKAFVxr2;Cj58Fw~qyYpzysS)9iJAIO|M<+IpwxcLUY<JSV8Sy@w+}
zj6cg)LtAL$Gde#O>UeE9$W0f~4}?bcoJ;rme2|_R)c-*e|IP7w3P;))K&YTEfs;1Q
zmsbHGJU_4%8G*<8`bAY-uZT&>14tRG-GuwUCn^edV-({a7jN3>ltjEzk?FKpQ2NHn
zRySKp0hS6D0?x>{BKo(xW+d^5^gDX_YLHqvRlGu#r-jKuPUYYNm8`R)Cyq{qpC0q!
z#Q_{mj)K5m3pLd0Nj2Zw<+EKj-)vu!2C>DFv*a!slzz|`ZQ>@XY|nSBnXTbW`nFi}
zf+ZSBs`mPhPE#_2mr)XwE0V69P@dA0{Uj@#6b$aDacNHk2oB`!du|4aPBr+;=@_Uh
zrvvAuQ*<SZ#;t2o5=WVmN%HWV#o@f^;RuJT`3LuB>C2PFAOyKX1sO`N+o*;LNlI5@
zsqlqIyoiW3To3WJIeroazyu`0=l&DH@<ZN)(poR9pk>3O80Be7*gW_h)WhQY)Lv|H
ztv!i?XnG_g4`K*V)p>z$!G8}W1%lXDnc0-nJ`Fz=f17BR9OUM))x>(_W@pslI{MON
z|FWL?Q@zRW=zY>ML~3c^=gPj*N-TLAy9ptG(L3=Sh(*Cf5#a0+;`2vTJiH(d!T6o7
zMa@US;-H`S^0Yr$&@e!RV6;7tl-ZR6tVkrtugezgLah7eObNwQXP;aRIL_t}!}S(O
zv59*w*XuzB9M>(<ZwoYf#Ibm%i(|n2{K%AYm-Xp${t;T500K&RF_2Zbn6Pxu-kThh
zALeg77BoQ#O5hsZXTZ0XP1n^*?~ui)xN-b&<A@;H&A2V0^Ddv3mpBw<Tmyb`BiC{x
zvD}Q{VUhVJ-)L2%S<~q91UaDz<MxRqToMCSaRXN<A<U?qWHnYUlf#iZ;tR)~q|&8E
zoq(1=Hr^~5uI5Pu4y{w{UfnKg_uD^DDQf%quHyI<zCY|dF7`E+%*MemP-3V>vVI7C
z#=WH8y`=s_M*{>acnKk7<sp>s>x#JPbRT3kSyR~tSDsx%T3Y&Q_YWcjM^k~WI|ew%
z6tR=~PUl9kgEeD82;`Ch#J<gv5>TAU07d6&O}ubxqdOQGLk*Wc(XT41bOZeb`@MoN
zl!x=R%y}8zK4_OeXINIw$&kSK8flUejx5RIlAQ#oowWpI>M#WxAE%Ih53wJbX&p;3
zi&1V$1j<SJrK)TWd^JPC8%(U3K=GxHT<VoyjyC)nX45moYkJ5_O~3xVjAnwPZZ%xi
zSc4oz4d{`bk@8+A@-;6M1niX5*F}YK9kM<-VIKp2Tugo<{kfC%`GBrYo2&i#ER+?g
z+E$CZiz5EZL58iY1Hy4)pHY_Fq(iJfh7j@-ZM*`n9aETe=g8pcsj$<xy|SaWvvRQK
zF0_w(3jN(Cel@Cd>;lzox}+Cm1cNEyP9O8viPTWostNq3GKYl>*-hl&<B=W4Z(uwq
z!cI-xPvO0)wGM};T+bu-@ueEy@s}pH)tZwy41*&cyBnoj3P5$W{L5L$N>Yfn0ceZ{
zoX2>qCqFIKS!`C(%f<sQ)G6ybwZHX55BWXKradD%1N~S3ejU?Jq0>lSRGWDsI%i>l
zdcVw|yi;k+3~+>-aFGCO;!$1}yd#g5t(m=$=XO)!I#={0O#bSwwMBbxS1Np~r}2Yk
z0`k&$M9|oKiUMV$c1_bYO4F6#2zM_p0*I7B0f-oxsRfsU%R!FkLYDtl-e37qYMH~M
zr(Io1fcsjJ`{%hG(XsPK%IfWpB_ZwIEPU@e@QLwZMp-fbuttn9+5SDqDyz4OdQg>O
zW~Eb+Zm?Zaf5l5+a(b@&^W*HtzwVn6RZII<NKuI`OD@CU_%?@Mui$O!wYv`BU46yE
z7>~=H3%4106z(W-hjLf*NOTY4z3)e34yVjCbc*A@QSkql`^lQ3^m0~xif&o6_p~$h
zBzUEK50-2l)Ao93|B$zl=IZ6Gis*@-){dB1<}Z~??li{2mDat9_mnfvp7`;mCxj(i
zBt>QR{ws?Y5eAhz<iThQyec2UNT9`;LedAMZSTM8uDizgJ`WjQ%oa*av^PH1vm6k-
zi$|RhshN1=dul`MU7Wf&u(Q~|yC`L`)Ni>o0Q_ko5IMbShD+LbCJeMkF9(OfJRwg&
zk#T8(*@X4|8vue`(njM`{B+2bL==a?esexri#k&07{l>wwv}w=-gIxJn~n%n`Wj$4
zQI)*?l|A!S)4=R@kb2(g_b$r2tb_Li-EV{Oy==0CyAM^8I^&qnQO6r1#;=5ZEGhR(
z2IJ=gZTQ%Ia$TOwKyp7g<*fRv1Wg4A`NUPSeEu|?{I%{IgEiNXC|=2%-}O6u9-e<1
zaIw(m=(T+6_K{+vnLAV8>pXaS=0bBm0$AQ#(M=)+elxqOEU@V#n~XCv3^TBmFT7b-
z%;Z$~p9#f<NTcj)5I_YY8bt7vx=5FRFg4T`+)Xk2Mp9@;P_gxH8f&-_b+idZwvIxu
zLNwj-uV|OZt>&7;Hdc+oi;4Fj0TRn92V%%?p3mC0;6mu*uJ6x^XyL1^5M%MT$^g*;
zMeMqDTE?s_gqJAg-4qu_k^1)9eyHmcn(rJ9Q2uUx?7A+f-lZ4r#dsLai(34=+%--r
zUM2i3mqcS@-TRJTQKR^_B{s}XMdziB?0HR^|3Z;pGUI1q?sRyiC=rB7@If}I04vB5
zT=UMfQUGax&^URAB4?mu!78-{ON;uIPy&;OO`A7CIytChzUn@<peVB2`P(9`VUG~y
z&~3OC6UB>SI4tmhaMw6fkz2Zx*NoDdP-|oNt<`)@u&~46ebG{+(Ull+5@B@Idk9g=
z-MXqMme^aKvNZp?p9a|!H3KI_-?Au_GQy(spL!?pbug|B_D;`0{x2K1qW*Emc8BE7
z5nSaf**25%<Dg4Do}=6D{Wp<o_KIm~8KB@nh!mT=bXozbu<c{aQKMBlU$kR4{Dg~H
ztOw{lMDR&Bsca>_{g0s5BcIju`^`uJ=x}}9X#PI8#WG77e~zr&|IQ==Fp)sXNCc13
zW`jgs<>1)K;1GAo8AUXsV^g%>XYz{8ocmQ4*){gLzmrm-He)<5O@SIMMKam7_CW{y
zzWUs*Z=Kn%yIyjTD)ny9%Hs`*s(D7+yog}P;0ap8tOQ$R4nm6cNS7*xdCW-MKMD8#
zxy`-<`@Am}Hz+=<8E5?fSDfA^y|*T1DF${E$%N8p-4|z77>G(6pFnxgquq%)Dv88K
zRy7a>TcwHlpHodUx!(L$S=9hLh7xsM#Xp`t0nJKCGt2JKiV=K|Ki9ARcSH5T6{@%q
z(?Y66`~R6q2A1`k$!m;&^v=T8U;V;Z>@`u$j<fD<3k^ctKGG&=qU0I#(TWNKBYU2<
zfhFF3^_Jf(0zg$bVOc6qz*3z*GkI&cv7ce%XK*V#6Y`cTKaFvL0kl3NI`1^yZW4cN
z--UG%)s*-UDV|Vih>>_jjr7C?!z9ex_K)0tt_5QzkHGAxI#>13Q|EzMBkrL3{Ld&$
zoaxpZxVTg6TxG_KCdiz*K8K?BfUqXkzJwo^$~r-az7HSp*MI#+*AXN2(c==;@nT@I
z+r_Z~@>Zn`wK?{70AT*lVpW;rZ|5<>bs;y4ZpEaEd+-se`IC!xq;sY_TWLnFIuyz3
zTv)d@I6*FnZ28+9Lu2RHd-`4z)7`v9+y#HkKc7h8eN&N$7QL;~O>~4%^6tx>XOv#-
zbZdOP26IhJ8|8!sW)E^rlI46ceaDSNT0IxO2-MgdO{HM^0R?HJ!$X{?Gf3rc|K6GI
z-+n6d#~eqSa3>Y0W1lP;RLP+rT}{7TFgNG%@UpMw`HGZKWkhys*<Y9Te%=joAy*P7
z$lp<D3di3v$ig@AQS%cWHBN0q%&23`AG_K7!R@!sz*R9Wa8&tke+1sS{3B($QbVLw
z<}f#9%0-kPJ&_JcB12l1zlQtZ#oTj*8|-kZoA?Ja%NKNPSpQE)iwD8S@Yle(yea!3
z$7Z}zv|XTba-3oGIQRFj)^8cD-&*hwxm*pnw)QaR>RR4r+EJvNw_bER-Oq1Zh>9RJ
z3VDAu8MQx}wVx24Z(A+)O~TC4A2SvvR7;1B^&!%%;(=k6-bA0W&V*#NIWgCXd3wd(
z=}(;0nl!~Y7gV{<CUHTii2S|?LbsuoH6_WklMM90n+{Uv_SMBoK*%V3>HpvZ$HZ4Q
z)1e2P6aztrH`Kgr0byV30=*Bpqp+`K2-7I^3<G*;hG&`PvA=I5*dm8bx^<L6HrqQ_
zB)WJM;`*#^rbtpvM<$*qbP+^rW7J`#b)`!?kkxoEy(`bI&!zG*B^vVWTYs4pXS`+}
zf~u@8(TtiOuuQVuBIYng`0CL;KX1Dpg~pXX>ePK}Z8(ppov!P6a}~`GQJlY4=6TC;
z=`Ec)RqKDgdOHkXAJv58g-Pv;l)%Q?gaD1N4xal0fj!M`DM5k!Dl0$B8dx6OTcO=H
zh;XX>%w=1^y+2I@YBp}OXPC&;(cGzC0r=+Y4k;cV0Mg1=c`FjH68VAdYuk@~PfL;D
z-~ZBo9KD;C=Gddn8_<|QH#!^JJ1vuDLs{OQ3!?sZ9-@<(@6B~jjCen*Q{Jf%mix81
zQ>GYpv&T@~)lj{$M)K{kB#B)a^wh>{Ri;gIRlU)-E{0Wtx0_Lsd*Grd*FUVxzqr<S
z)=Va$4zSp$f?rNF@yN)=WN*4r<aShsxsC7nKKl4JKTgK!-~j1^VosR*90uG>WRB#o
z*o&o`0`$Rjo^%NoJ+COPEVsk^l}bTGsnAV3%>>|B^?%+fr64ZpJF)AGeN+&GVIuD*
zG1N9)+c`JfvXw!`-VJ!kcT~U5T7yYT9YG}9Z9i(6hekQ|$dPxlhfMKclS|wjRldo(
z;Eu7Xy`~BI^xsCb6cJ}4ik^sE9{o;gZ5?>qLU-8Ha?AU*r394K<fM5EHUKq#*h_%(
z_r1i?kQW97f5#H}Sj{H3pMMzK{jB^j0c|P52dht;Z<D+~A`UIyX&ba`9V~9^FZLLq
zZyTg*i&S6RQuj5}$ZS00G9AHpq%4;N4xaz<7+Enee?Hc&lIsdF^u)#D!NVZ}brK=E
z2T>KNOrWp4=Xg`|7kf}d*AnI`kY->=mN;ODMW~5lfRUWpo~Dxfy-u$mnx_>_|L)Cj
z5MMT~i)~?}p&7c!Ci>c@>#z2qubDs1=2VFn7Of~8>9=u?1=P`N(8Q~nCBQTm`-QRk
zKv^3u%Zd;C!r4MBzV9Uce5p}Tu~}jhX*fuN9>zD4)vT^Y14IJ#_~BH|Q@N5SH|qAS
z^I$H|$V#`PiJZi54Mn?4q;gcpsI_oHF_){Tp+R>whB@&ycK~el$heawk)+1i5e-ab
z*gT%0_#w8|Fn`rVlF(U{%Rg?hktDFE_aFzR+-t;A=~#Tiea@ajxaWyz`wS_=f(Y({
zEtDVeG>vfQL^c}(K_}4p7gL{-4Hj<z<uvN5G|DN)=%gk@ezy<vD}_Jvu`-79`ev{N
zg3juQJSqsG=5-~MUpVS63kRaJ1ieoimg-Gs_QrBJ-C=D%SZP>|>)j0|My0XW+sb8V
z{lC$^aZ+aas*5|<Y{U_(vH2sV!sbMNT!rkY=v4U(763-~d^~^t&@IohEl*PY9pe1G
zDEPNeaG+H#O*@!g*->Gn{`<&t`u<i*e_{nl(a7H3zK4gdf3+w_$3a8Chw!&S`<oQt
z0{TC|EeAr>{v%l5j-XHlemC<5Wu4{ggU4x3I5jVjiTAH_U7$1=<@uc1_;q#v=*^!_
zo7KER;Y!nRD8>rE#o_3!PC9P-D3C1oGlx*=_#O`F>FcMOVpL8y^99@YRXO4QFY<}Q
zL49iXoyYh`r$NR<5Hr%kUE&Hv$i3U-!k<pNG7jIH#e;gk9Byw&Wro@A7zw}k{Jvhj
zzfsGvKLfj`Ma{butU%D(o7nx;+Y(d?XXW>T*J3#d2@Lxh>ga%eC()}INl`;rSJzO}
z5b;**b!9`OP{MuY%!2aRwSi~n?>ifudFbZnz<avr57LRRup0Ao^tVbizX_&~CL*YZ
zJ?MYVpzF-&_tT?uxU<0brXy;l-(Hz=XB;F*K1sW+yWHQ()wHHzu8U>Qv%~|3+c{iz
zl1vWH&o><>Vl|>_UUP*1e9h$GYO1SWz^WUQk@|!cG)f4a+ldF!0trl@*Y0)3(c$1z
z(l;YBlf^C`hgcq$IIat#CH|x7hTBEQJhH5P^pzH}s8ZWWlzU#GTC%KkLwROOIN#0(
zn^}I*M|4O+>)}?WzRzYZb8AR&a4^EHrn`9>{u}Yv1PhAS7J({ozH~s@zmh756TW{8
zUDa`_W8FDyO0=JBG7i?hKIE;K7#e{<Eh_!>1C4A6mm?jp7Ocf6p;M|~8aV0J&MXu6
zXIwYVF@2HR=;Ie?<qP5r^oK9nRNfX>H8wWB29#WR2&?A_j(<djKpv&nNy%ZM6dCji
z_fV_T0=O}oO^XD%(oM+(FCO)sF9D_1@svKWzHG3*hn(<((dn%&OLv}VgMW<9kB;wA
zor#oln{B5bcMK*Ny^0Cb!x^%=#u{SZ*WeH=MqJvOU5%N2LR{sF<FouzFwq<=?enlT
z@q4M#g#IY4-#|_g#al@$Ji-2xz5RqM_J_o-(Y!EDwb$HEAanZ0DBHz%$C4l0-GROu
zR?h=VKbY#78`mwBABAm4q9ZhlRp{RgMn`a4s;s#?P=3P`4;ncF5@|1FZY#f{#3+9f
z-L}sdV?*RN6(8#zYzo;esygMQs>3>Zk`FU9A>~Tc+Ck;cL1F%3{d7B9(ZbFz_g85}
zl`7H+Dqa!(^haRv^j`j8S49?tBN%y>!mG+V6)jbn&>Jtbt`xZfl?kv6|IwoB-UV6~
z7Wl8n`CW0aOzDY`r{(TrKYH)ticn<RP@DYgtAsP&e$vy_heUeO`rQB$@zv%RcY$7;
zxmxinOs78|M);1X7b?+G>y(5>yE9$NCCHV87D62jzJ~L@NIzHD*V6Xet%?_`d1nle
ze=qc802G`@jr*!ydP2o({4wU+>B>eQ2<!X%Q(j0kC(|l{D^)nBMb?sWE~n_u`>k#s
z(mfCIW=Y?4fK4d0`*}Jm@c6t>ihM>P)}g(8SKs8GXeyaI+CRvU9yW%^>KkX<;J`Q3
z%N$88*2nU}z{f}?(!RXLDaOz@NesM6Dg8XcQ5S6sUu;aXS*jspi_Yo!3%XCd$#z)<
zV8o<V1#YZQi(Y3-z#}T|KKI7n*(O&|kR)5+g>omgP`XLGi2XAPCdc@R?)$ND{h$u}
z0{B!1@4*#BS|RT~eXj_Xjx827@fQyR(F7^U%!e9I_%^pQR34wSqu!uS7+)Y6oTgQ`
z1rd}Eo8ncwiEU`Wnsr9!3s^!r(y_**dV^c66VZW6L-53^)Qp>idP8W5hBnoRG1q`K
z<$^wS5mn#z7!bcM^-W@eZ2kk=ptR;Eyd*4%hxEbi@AhVLJxX)huc}bscI*e?EwMnQ
z3>X%N6NQT1%vgG$GddbGE^>hD*uuly+#C=o`uTOXM73AE=4kbh>jmk^oAUDBu{Xa1
z>np1n+o_qtMp?+o$$=@oo&_3oWGllJ;xlB@LluxY7gQDguJ%-ZN(6yh1j8f#FwF)D
z80!mmH8`O2-$eTV_C1kVr_){+`MXFn^^Rr6FS$o$t<{|>rhg3<pH^1hgc@oq;vJaq
zvv-L5@~3%v82U`Q@RdTU5_4U#y^Z?Ri?c*RrsEqK-|@hr%41Iq_~vN!(R7yc@Nc%T
z=*U64Pt}tp&R|&4C*gvYWLB0(RiaXW=0Wtn%YYN<6jEJ|SIflBJas$h`$+h{23Q1F
zZ##NPpwqx$-tSr{9Of0mx~hIv^Ny}oPzbZ>MNePs=N%tn(jH}1OY_m;6dx5-<7ON^
zESd84h8#0@V$#d13i|5p2fL6ZT~?FokL%StLL;>_be;uW@9Pfy*}%0v{j)oxC6%S!
zeg@BbUvKtMZM;PSG$GARJMW8>n8g~uUCJ+Vji;(+)j19K6)6-y-%r@TpFi>l)gLfd
zh5W0AK8Eklbi8bci(-f)F*5BARA6zK1Lu%^Zd}hvtMeLgy4ToaSILAf$PWtcQa0d>
zT~6L9EUqRIIs!X#YsY2X+z#1P_ysDNfYg_@qwgT!21ZOgvVMKp9@8qcsv;9I>rcP`
zO5eQCWKxZ{Me;BvGCV|OJfr->l&IP=tCS-7>+RJd2-q{qKbnw0;}7OpV;;R21=4g?
zm2DjONHcriSo9hNB3gFj$VvGNNxWs|Df={652I^W_9MRzs9*VA>WvB9<L)JW1P2ED
zkwjy@3j{%qn+AZ&jl2ojqJG;8m0qOVyIKXsK!58_XVq8<RZwlbaCkS_%B0U=4IGiK
zY!#l*N9Typy;;7|MsJJHDkVccx97HTeTnfVM4103_d<z%H|K0|XKfQ_;Z5@69GVqW
z`=Q&Dg9CqK%N|T8!?VhVvC=*}ljBC(ZuPMr)klof#f&#b?yj%hX6i{70dObfU*B)u
z4!l8iRl;(9vG%_Mw*)~$--wrz@1RZZs}S!N%2V|USRhxC)t6JXu-I80>h<$<GYJ;O
zu>`qS2L0e!0tvY8D)A5zN+7(aHEFL3mR(@eCROnGY(rUMMp?2$tS}}g3Gy}^ZxA)b
zBLaHUWHu>OR%tW@YC!7a75CJfAMhX%obD<<^uTv%o@NLK%{MhE8vUBVn(Nz_&_zm?
zh{?*@y3^Xc(hmDYs6eU)JDm@fui5MzgP{~)t|K$Q)ed9a!7b~-z9Uy;#<3|BzGx-r
z2KFbG!n)d!KytxTDrwU2uLiYhV61P|lMFxO^Csd0_hDA!)P`$JZpITAiUV#F0zi#&
ztBP?49q|@uEf%57Y;*>uQZ5~ElJ7c@V4Va;w-U=MMSoMm-f{SF92QsXORbtvg8~Fh
zbR#rxG^^o0mg0{D8(I&WCQ5D2>^ajGL@1Otq|bV6e+ReSo?xeJ5hUB}fo;g+Es)Sg
zT+UT!6m)^>LH||^mUq1*gvl0K<F>S{0vgLd;Mz;%=-4dO1L?*_Xr_i}rn*J+CPaq2
znUoh;f71$#`fX=-icvOOb3zxRW=Gb}y?*W>qHJCt<j3Xk(lGd+CX}mqp=^Y8OB&LT
z1rhh79TGky_Xd?$vV__mdA#d+Pbr6Fk8G9`Z$<#V)}~h*KTJ0_Dz{gU0E%bh6B-U5
z818Z{DY6jj<%VwM*^fCtO?Lkd?#tQe1<oMLbYuGIe}gxttE@9=FCE}bFyT-INZ`a6
zv%K}fXkot&$$a}IKo@GuL`7k@{GR#~PIj-c|G%IAvLLe{#v&&uZ0L7g?ctsk8fpsD
zcojc!IdLjn8nqe%xXh%qgLkH<m$a~uMCwEnQ#l)BSQMlQ>J1DvPR9TX*)U{vLrHA<
zGz$&A8!3mN@}Jd_F>&8K-e}jOGA<|M6B5xF{e1^n@%6q{PUkRPy}RH*3^g(BiX|7Z
z8!H{aI9jlOcQx~!@=eUK!QVGM(${SE!P44aM4za?sl(DLG3)*P5hRzXxmitW;)Lt8
z!M=_`vUF53^#e87?}Yn4?%xfLmt6$(h8p9PI@Q>r>Et}4gTy6Sn(_ew;B_5(U^3|9
z$_kh3;i}dG+5}zP_?;CV+8A4L?4@+Bby?FzE!>syRf5ZT7>7^IA*qr~&6i9QZ8--J
zsm9pNu_z#3^W5p}2vQUS>(ee{1fbjH7pyJhN)p!JuU_M_nC4-_Ahf{6&Xn&SRwcZ3
z`O1mb3WG(34kwm}uQ~-DJf+~jaTquCUvZM}$Js)a!ndI^CmvN^b&+42=gu;al4Y6s
zWLU?Dx2xVK1$Du5Ov8_oLn>mT!`C#FcbfPYA5KVsDJjXpf-^-IoYS!L!&4Vp-~B@_
zONEBpJY0zbo1j30A019KhElXs*(l7%zZle<Z1(-t^g*$sc$JygHnG7gB};S2oudq)
zNRj!R^k>gyFNwo5`b<q>wAqgcg?12jxQ~mVGC#}8X<9}Hsq4G_txQOCdz0}GX%=x2
zS{Z;x*-tWrg0??3H`P?q7`Q*q3clE`w7ERFE!JHd2(F+Tw3=2Vvp%dh9g<QWO~kCw
z`O=cNQ=wB<LZxSLj$^`_^e;r~oOK@Uj}CtdWj0vzdJIhl6`+><$b5}zS(i;Dei-~j
zUA~OAZg`OFC%rQ`zQ|r2ga9k*y$BfHVu#UgYQ9uwE2jmWWZREcXB~vSb&f0*dj$D4
zTek1gG(CUgWfh<NvfRKy<-e3l4#4I6-bRvaJVKaUcV9$nf!{3zj@heuLl@0XkcPAo
zN`X%MasI#%_4|HrBEBka9u{4`mJY9bxh^#->Pwe5{fps(#3%LjY1~U?it#^SxPTDp
z81k#@=5Lix(PNKuN<PU-9VsSv!j0!@+_&1i*V>+^_sPrL)g=?{VA)JHI(mZW<~`$S
zdV&D{|2{bf5WHQ$O>euWDCdPX@Y^|pkCgXTrkLD}$ZkK^d^<7kBr)%Zu=<5-!4Z<(
z3G8QH{Ju{6W>#h^1yTw?spi`^C4vIJFju2a(k90WYq(+c`M{S}kUr)84=j3-DmtfJ
z5WEYAhvpJ~+mP!kN*7o81WU(QjivXC?w?c90^K!m-T>A#-N+>Yr5ILru)JbaA98X0
z$vOldCL8Z%?AJN2U~^!&o;xZYx|z`N>yA=KM6v?b;uLo&Iz`UTT`SVjVN?Z1$5-9=
zVzsd28R4UQ>XI<mejVb%yL(cJbBsj8H}kB06k`R29)}q)U&R@jctD_457MTgAq_Ae
z_`$ze1^r%b&6<fQ)p#%zC4Y~<T_X4Vf}SjnDn{n|(Cy1lSvZz@A@!aeFz$A79r!((
zhE5(JzId2468jghh&J&#7-9(}Z~7Ol<HUK0*1$}k7Gs=`rDuu)ZFt(P*g!`Dv*6wG
zz&C69#^GOLdYwV6PUYUP$w8}z-&hn6W+{whDRKF@Dl$V!m6*L!q({yYFGmbDVt(_m
zM;Xyq-RTvJY!TaRvP>6FShV$N@0F_%otA^&i4*K6iBWo$Iu8nXirVN~N;`e=a`Mua
zm$v-kW%;2bn&<OQ%0(6K;2v#bW=aaL_xv$XAzB0|_&SQPcShBmoVZdmGB$l7;~(2h
zGr(Dc-~(Kw#>}MGMNf<o*#dMgsxs}W1YyIR%9$bo7E}2@?LUDkC~`$?pG?11e<zOr
z6Nps8`Z-9??J!rtj32Cxq3k|vwXmjY;&5C=`8klg$?!sjkRg4%ZpC$#i0M!#3>3&B
zbg{1R<&<iQMd++x`7BcZG^0|6u<fo63Vj&Zpo%N~A$Np%fMgX;P`{wKDs2xs>#4hy
zKnt@MAk_HCb`{_ObP#py@1{Z+s@t39BS!*%o~LH>o;L1xCj8B~*KcK4kF_oZ-Qd&2
zcHn#1=<v48eaG<8yWe78;>E$eOFE8h?%#^GU&JnujKsXid?bSRq-hSM6<yT%2G7|3
zN@ofIDzi!}+Ax+OoAnTy=_gw?b0_+S`zLYQ&|cLmnWF+0zl4_N$7o@-p@>Jj0wC`^
z)XZBZX>3B!Kk#8m2#_iffS=P$HyJ+sOSSE8ZkXQ0{qmV|nB|M|zAPMcmO9_eBBid?
zF2StX*u`wgRoaw${A&=a7;9c+<1NO#p%w}vG<#aaHe-9DZU%GhZ`l{pfx0}@lYkIM
zA@<f_Zn#K><1VlwltGR=%7Q>dod6RAW0g!K1-1z%;O(FmMqM<{swyq2#bJ3!w9t||
zK0hG}LLJKCHIMuR%BYmG{kQQmlG&z`VN`k9I}|QSjY|mPpC%!%=L&8CyP4GQRMAS+
z9XnptT!d2u{A&{BSay&RjU8o6dVi8x(HfqjwE3&T5K(G#Fxvzpimty<=6Sm8NC%)4
z9;df|rz>eJrXSTpJH{#P`O5a~dCK;+mXG!&kW~hmPI)1YQ42&s?NrP@UhBVp$^*^q
z9(MPO<}cn>a&$dy!w*~tS_X)SQZ{AV_?h<I?wrp^9octtnLw3Lqk;go_?uR{sV=*=
z?VdUXO_9`9zf_>ZF<yV2Rdlv?w$7W-F##)&Ri?ER3oEdP!zdpD49;lXn?M9#?4vyA
z%k4t>U#oxFEu(Or{2Z!!@`WH%WK4llLvw}j3y_Y&6OBdtc@qlfDf20dwf;TL;%pxt
zzca0ML%x>pYj;ClBMF0FtBxu)XAf#m8@xyY^Mgm|zuJ}F*B#q!#Um0yq*%Py#-76e
zq!lxgu(#(m?T;0f$xyNilmy0qWdp5Me+m1z>%a(X3__H`D_$~api&awfed8-KIzGl
z-sbAbL7-eq{D)D#qxt!pq&_sc!gDo%R9w)fu-L2r_DGUX<!91o=GMg9FC=9S1f8OU
z(LNo5c3A+zD}Qa1kEI&^Y>p4Do|I8nub9IDj}v_c%6~~gk3^0;>squ-C=tG2^=0({
z21dh$4ddIeMk52n)p*@|-j3%Mi|lSsIA6?C16HAHm{QKIpns;}_*SV#4$uoFZgvFO
z&w9KI=O}GeFut+g#qY^l5jUxroOGg35iOaI+oUKzy!nFffXN&QLS11$^z3gjuUq3c
zZc7{2Pp!d}s-zjEX5VhxySQ4972#y3uOPg)?K0xmOd3idJ^J3j*~Ye9f1F&u%x{PX
z%hUWv#DCT8>1_}}O>BQ9sryf4Cfm;PrrQXV0+^wA-j8-V(`!$vSPda?Vw-A6{-3tJ
zv@S~3dWBrRKJVnm5r%^>QN_Ti(as?#;UIGW#De~6fM<bfnh*|gr><ITP1av+ZCP1a
zy=uC5u>RRvG(g^1JAy1kkfq}6EwAN@h1eJ(IGf6#8lh$zGZ~1ERsXB@1PuYzt@d$>
z6<VFt9PiC%a_0&B(`F-miUhn{L+KjtspI{V$OO+#L2PuF`45N9!SXf^M0Iu-q3^J^
zKbpWHAWd5J#40e4i|4bfSUp@z*y%ZR^K31Cr6{9fX@j&M9u8uPar&pO-Llj?jm)$j
zY;P)YjgAYJ)Jrp9e+p63b;T#R(RJPxM~&hNudPhfDfV(Or5>fw=F=-IeLJc~)Nxq<
z_!wNTKcQyZt-54r<YxDK4QqF@q)cTRElm=W9hX^(GMD>Hqoc6o<RG20kno`C=H_o#
zea<R&rC+yDhjm7R1K0@Z@x#|TLU-V!5k$dFhPT~c3YInTys{sK{-SNTxLlpt{h!-m
zX+)#XXR%YO!TdL+x~#(07Y}9O|N6H}wlpyR3VtKPV7!0o-a(qk;SxBWY`D$oJV6l7
z(Ysk-P5asFtge8(^zL_;9f`eK6C#v$JNdcQtIO{bu5i>Z!NkAvS*`cUnH^Z)w>$lp
z&rj0aggF*p7Vj4RSSi2tHa+q!Nt4i~H1a;{&pi5o)R0pG)&v?S+*`=A<sD{AS>F~R
zVV15)I^!db2%7KnT2A~~QyFtxoqzduC5Ukwf{;3Q@m+n<4`=etDNgVFxbvI8rn-O9
zBq=vT<O(L7^RUu4u4KR->O^vo1e;-ja8ZA9-|W}y%{Z_`;7ntAczH$KPqRIYRO!l%
z3>g8oqK<N){|SfYr3GiT9t27I2Q|joYhazt8IGH%<*iR{#8SFZX8K*O;h<=)PAC<Y
zK5O{?OqB!s&Mc|m2G*iNcbr^(EOymPpFtRD40d+W$4F`Jfli82@<(%bWe1H3{mySZ
zo~<N(pQnueKYQA4Q%n#kak2MNH6aSiyOy0e4i6S}%Qt_S1h;pl6Z#pAtv%R&c}N&n
z4HbQQo9nUG{haX2N;fmzl^Sj7Vx`(9jF6hW5`-~AQh(*7iSi3sa<scF<e>;j99&0g
z3<ni<SK)$L6`=hh*pCJzM>+sHhS)>qdAwN5X*TeE0a1&Z2cOpXep?Q?A8)c`9vQ#e
zsO#5LkJ<5Veg3L5M*#ff8<_8{Humt&-F2gDcKtuXIX<Bc?q{zz<u(t~s%(>~aqD^>
z_~Gw?jfZl*zHDcyq4Ib93&j_wkXltiFB4<fAP~bMTa>IG>BeXo-i4z<tL&-&F7=^*
ziRFGoO1bmSjA)zSyCEw!1tJR@RTu)hFcx&H&ukX4kMC*n&&-4`HVoYcs(9ZoanbDX
zfdBF>Hm_Np4tx@l!_!mDL56V=;0~lwAuqC|={aehywz?aU3w~zHI%_h3=OJ`dhvi=
zj;*>?UONhHYlTi_Tw&#+46#aokwy3p|0OUYu#g2O@?BrjLoI>Sdy=q6`DkY|=^~JB
zIK1{4AyI9plr1MJlb;4W5&2u#S!9YSWCx<81@0=LhyDCtx2$*zN(;Gg{n(XGDbW;w
zvBRw;z##xlQ}JsS=XQF!NFf~kE!<$qi*3s*@1pCsb>n>C0$=Z(;;C_UQ*2Xo!5ibl
z@%Bx^nwO#b3h?zDr}fm?y)7C)s8nJ5Wz(;g>;aTj%7))=tyv@@)4E-ms+lL3$3O0T
zc9=lLMXDR!N{{ex_J@_&w$wu<%~j|ONWipjjVPr1f(xCVvYIaV?b`L(us7G67Pv4f
zwft{XfO1>i*4Eb4l!|;u)B;G|v}ukRrBJ0=?b9WxH!*_S5G6a$^kmt)lXV2`J~>}S
zC183!hqb{WVE^lEFjh{~?4=7r_o$G?-KTLQEY#e$?3d~fmAZF$hrKFzuNRo#d2!*$
zgL^3*bE&YjN_}HtTUXKSFDC0@%=ft+q|#Lml-<4(EmPphf&1xnr5`>Ts6{M@n&!s?
z^og)zoPOhwnll=^r#qK6UTxrwh5vh^K{;fVAcA^brlKygJuf@Gh5q#gZ%58w0TNaJ
zG|_yAOmM;YRV=K|&R2lp;_xu{<#qbg!^_T<lUsvHley!}fD&<WEP9ET({;%c-`ddm
zTMRKsx&Hr5RTv#$)86u1m8CW<ZzNQ^$MdJh&J1BBGXMk$vr{^FNQLP%<?JIA)yO|k
z^IdQ!$nqNiMJLdJ2XSU-baWzv`{;5f3edbSh6G#mhGC$W0CosqVb9B(lNF#vk4cMz
zDe$jvGd^4qj;Xv84cyC3Bdl;4TQvD_V|$uqdze_M)Pm$Jn!5A-Uw!Q*(3CyV5sm*^
zk<aBF<=~_X_Cc7r5OOsS{{N!Y_6MK4^LQ$WFQ2=g#zL<gqj#+t1wa?OA1_`JO*|xa
z;@Z~>nU;Y8i<kq(q2B++ujK$1?gh|a)tU|V_|KJVsi~>a28Cc>uERgnHUfSy$$lf6
zAHI-@Q-bk>KpPZ5&I0&Bx&J|9HsD~}>Uxw4K;upwpdp`~m5lO*F8KZTD5?853M2f7
zhljc;KBIzAibu|x$@q4M<4NxD_I6=%a`F&y)Xi_Szc)>!v0hreH702BN)Rx(26dht
zBPM!Ze?-34!=%iY**me1Z0&u<LCn*D>UtoC^fsbFouGf?<_ECHgYv9z+dQx67k5Td
z-m6bM9~~Wyj*Qp=a-dw=$?iufjn+P9m+M0<pyssA{mkhCTRj@|cX$HGYrpbPASo3Y
zYUmNs@l4Y(F^BJn2r?&7Z4U}!Hj%%q4G}Di%$)wIl*t1Nbx@)P#EfWbETW=a3TbS<
zPza8<<Hz-0PA>DI_@-|wksamu>1BW`RF06lwB%_4&aZ!StqSmYan98L{?8XH@8@sl
zkp6B&DdvJ+02o=gOjWLzpr7G2L!roe?P`!88S=+k%8RoFQc)J8sSyi^DCIVQrkoSq
z`Ckv>GC|n}B_ZLP7eJF50X(e7q|@i^zmATMe{5`Q#6o_WS@t9V=mD6Lss2-v(k~#-
z&g<jE12Qvvr=zum78S|yH?61dJZU8O{<Yz3@9~=8;`Ezr1uaJKO~ivh0iQpA9?ua%
zGQWU8XpQO>_x*qd1LypJYSUYbDa75~UB*L7s-LGI*|ZD&V6pxeQ0$)<CsC04Uz~cW
z%xOdNW9zLZs+eZJDEp@!RNu}pqeOIos#HUPLSMVpmJ48V8tTqic!-oG5|Ud$TJqVx
zjg4+6%hyK>G}Pa2_~prdN{6m4{4{WXg1UB^X#$(<M6QU1g~btY&kGw;g=lOunHMNa
zTVRxM77u}a2ZM3_Z(^PqA5KzI@*TM(U^|iU(;z&-6#58>u}b`3{J@#pBsErzqY&ZX
z0d&_t^y)2H^&0|$bu@snm9t8g=~M$Xe8uM%p(LgewblMF&zsAgN&BCc8^7uZ3JU7C
zWfJJ41p5KS)ujA(EH~xq4Q{;eX`{H%DTLGK)3n>$13-X**wg(U7>taoDWR^R;eEdG
zd#X_8)`3LCiwCn|Xh?Q>CqQ5}|HqFIv!$u2gsL7ek;q57P#8ezE>K6Wm|g>v5U;hl
zH+@?#2P%1H2D1URwwx7{_TAX4qKZ<#k;0c_etU0kF9lE76BzW*?Cfj^1oGp@kIG7x
zmKVIK&vC?@1wf1fBd_2{cRQN@21ww5aaQz(V^!-nG6RBE8X5^h2y<vWFB?Am>XkHv
ziG>A0wMw`4V>=tLq)`xp=@ys!`VhWfJ>EMXPTWd+dwb`hKTQ#0C=!?8npPwv;7r#x
zHSI2zdSv(PyRBuy_;OsV3^+Rb3mV>K|3AYlyxNNO*xrzYR|UpN<%pmxt9lG&mqdfF
z@t&vvH4qxLx?})uQa{Zw<hjt8FTzIXFm(z))&c!!puiU_%koMk8d++vnE^}!{#*Je
za&Cgz?67)-Y=(^YA1IMsFpsrWRr4x*@C8QDp0}@voScS-hYd>;0kgd#Q9IyR34Af$
z0{u9U*+6vuzJ|u84CPqzD${~LjeZ%>MC0~kCGGu!H_AS@=cT#hG%thWp%&cW;1mFr
zVVLBoG8S}!qL~eVUjY!_bW%jLrSu_HbaI0GW}m(S4RS<9MO)>c@`2zBj66O*E@epF
zq#YR^90a7JANETven-m0JQQ8svIc_Em;b|-$%i8i8A@~n7ddiG2Q$e4041fTkZ|oQ
z)Z}&^9BK8^)C#4q4`yWA)iJ2pSh+*AT0<sP0Xc8cDG5G!3Xm6hK8?w>t0!O+#RPNP
z|4RuA0+j;NdJ-OM4(rLh=xFp>qLRKo$#{O{k3j798CO#tV|&?XYtP@V`<ql7cYObj
zd<YMDD`+VhPVwii0<>*Fxa088`BehxYwdfu-@C4upY*|~NTJg0>@VQ)F}1p{I)|VL
zuW7PrZCK2+eyBiJ?}a<)DI(+57_lq#x$irmsElgXVk(o|&tN2*-CMEm$`SVDa@Aq2
z5||^<8PhRqUcBv<%?_6=qD4G?%VqxEqX;+O^z{PqU!S`s1_nl$DPRgQ7!Uw+7^j>C
z2HV@%pu7N}v$C?H;XizVq2TZD&!GWm#5J|FY9ornV#L6)B3a(_8J{+ZD4Yp_E98fx
zBxy=N!|v}KfW^Y|(?c*kpwvg%3@ii!fS86Oxf@m`n^~*a*q+I;;jBxhE`G5Yc!kO)
z>zEoz#FXUZePmf_Rl8YIL8om4qiaWZcghbg`vI`<@$aZV%C-a6MAnQz+#hN*V%I_o
zw6F(#MqAF_EgM=h`uh4hhK{~cqZdO+dQmvXlbjCV5IA3D^wq*5B|ctkLOMD+I+O2P
zWU%9KA{~%m1C}NL-4_=Z$n~yA+LD13!X9Et1qu|t!nol7foT#oR*!k4!7kuL8Xc{e
z#%6@{&!h|nrlwU+Qe1NY=;s2!CTI2l;K&I;7hp5c0|>pXZOavTe6HzY`P^6%L;E`C
zk_2{FkbSs)?i}>=mVm{nwk(lyP<q?6Z)Ry376uoX@2E=LsaLF+!38Y(!z%p-!a4kJ
zl#XM~_Iu3)%%R*iV;JtIt2jC>iU8Ar{s<Wl!)pTc+S4=KWGTSX?h(g$Nl#DT8BKGJ
z@BQ=@P;u9$RE_8It_%*!WFs&HXv)dqJcR+Fcjwp!?8RRs8{vId*VZ_t4ZHkus?=X5
zq)XK-E$NwC+|P_7L6ANi65cPf1|quvvkZg<atxc-6UyS^;-wn^TJ;}Uyp{=+FagC(
z@z7LO14SjJ+7ZfSDk>_K6tLajc29ts=>F~W%>unul7TTMCcCqGWg@^ft|TW0R{03{
zW8?eo4*@%eMNb9~^WDa8_zSO$R~jJ~AwhT{t91uuSRGa1s=<dkFu&zJCGzS8YT|)-
znEQ?ZxsQ{oNXpD)rlF~~UkA00EI0xoVSg>(J3-;=<Lf(xmz<p3_rD`#k%Ro6!ngoE
z{x<&gKLfx}5Cgxcn<H<RCnYB%K$g1vfzDuBR8Y++I4~!4QXhcS!hGPrYDV>u@BFwW
zBqUTvA}9hsKKlGMium6jaik#$20;B89ufEjEJI~wWic?|8J;wuzP&f2LOpAo|3zIC
zq@t+kg9H&*x2C2Ir6a)@1-v$>$VEg%mR%Y!zUI_K9pG+Ozs%^*G<Trzw<FA{17hA)
zfIAWV@2l2;1R=k(`GK_stgz{7BR&930QPx#d5PXTiRJM5X0uaIFKP~0Z*vtog>{ed
zGE;lqf$%OV3qY^E5&xkeI6V5xe2MU;uM3zbGcAs0JepC2tkx2yOYNS{%K@7#U$azc
zX3;Pj%?2^`zcPFE9s&E|<~3J7lbGmciu`K`smSAdmHz)m^f(Jh)B!B0)~kQxbG~5W
z|MYab4zw}T?eY`R)^QB7`bjux{&;s$%0zxyqbMs2Q<v;NUlKW(?d;?fAoOb1`EdRR
z?p0q6#3UM0D&QISBkN0!^}nNqYEi3kvW7S7EWn;?UCMqzWNZ!NSb`17`0i%Qe2!s7
z02Jc9E`tBQ4C7>-g#z@6#F#F-w9WQMX@3EGK4G<kyrN<yfX%%29%@A;C9nK)wIzWX
ze;uT|v(~6t3g_x_Fl}+V`fD~uK0ovC-@js%Wu(UENVk*h%{uwZF`$&vhL#YSf^vG5
zRMu^DRy6kuQV!t23d<~uXCUAIyrcB7y1IkSRzl9&lvXPCq^>Y4?BA$jp9L%5Ar;PZ
z%tz{WaV;51V*QV$K10nT$=dlXhUki;vn^}C(<<6u*H6iODKvb*ze44rTm>-S0G&;I
zbqBZraD?9^P)^BLA<*#!m^$DA@am6!0kxtf6HfjMfFFnVyzO7Sa%|r`_H8}zXFs>T
z^N%v=J)b`lZz;&{YZ}4Hn=3@hN1-a9Vk6r%{lI^I%aYYo_iI(rurGC&XqO5#4FQLm
zh%k+ikccRWXUN46DA3b{)8RyCRl&`djr2j2rEWk*j<oIj+aN3Hkb;jN&)SbHPqE7?
zsrHT~GHPf){ZF0XIYW^jUC2KiSSG7lTXoJXJ^jpZr;AS6AWgIwHF?771klnzn@3^K
z8^^U4Ef}OSBAiqo#)3rZ+00~Y#Eto1bSQMn**Z);j{Z}2KH|u6PU8jY(*g&EO8=x?
zzQ5_!rx>+#QfR;?G9>E&vN~mJ`w}-^Z?R=tMH%vSW-juZW`RI^0V)bLS;>T5yy7J(
zk)KVtpr6Y9c=>z!m5M$iF`x^FAP7|BvT-1y@zB$MI@(A#b5G`+iu@Po45Q64Y&JB)
zVtQqhXigJ7_Lhv%fkToD4(cFCP>0xW`-$W$Q3|4fSWq`pdTIQ1gfbHA)MYZ<8v!KY
z(#dDB_mMJ=WlIdFWp9f2@G##qiL-FV<_Q<kQlPiw+5U5U`6WSug#C`&aq4@*r30sN
z(S)22271v1i$%xh>0tFpWH*N}7HajnV7zHn4G^8O?8#gxhdej3?FNOTUT;t@f76c|
zTkg+}7E=8*xOFB27Vlt)B=oIW#U^OD&%RlmJw((Az|jg)Q)Rk3QF%i<Bh55%<z<_-
z0Tm4>yaFVQx8d>l*tY<DAot_|P$B@(Vw4}05_dOJ@xSz0YwW7*xvHWe5<RkiQn>#`
zSpQ)a@FQF%9Pig<r>l2TM#<7(&UNJU^e##P)n4?uU`{CzE=o>QzaT>=k7Zp>^@r#!
z9_-V|r_mL$VQX5@NDn)ixZREAWYjnyu-ccyCY|Um;=VwRp!-L5!pm{J9FB?hZ@#+{
zqGZ*Uk49X2^VGryrcazD_!lY6wt=E>pX4xVyA?zJ4oR0r#|YR)eqNGmV~bgI8}5j2
zYf=AL<(=bsdAwotv!U+277ya-ArT3_)E>37Kla@!ch}N`U0z7TDWY{Pt~zlg)vac#
zh>wZ;pW!wX!!PFu;sqWK8toEqU8p1d^xY3Tf9co~%8~!IejoW6Ijm{A=2~OXhxt3u
zxp@2`1v`5lK-+&|Iw#lzy3y0|9#44lfP|jlG%>EL0z?ieQ|=!PFSB&+aIT;(2mrND
zVsr4&rEYJ^+c62yd}!kVaZ}cF(O(BNz?C?t$$r6Hg>a$MFD!nX=jJoglr26l9ZS5!
z<->HWP3aBUR-YFtTQo{0(2*>VB&tiR3<5fCp#EW0W@VGA`@Tb%v+*_u8Oh&<fennv
z6GFQ~Q`V)q>i2kiF`I<-@z(*_ZyxH!2=CKK)FIp8bCml^Z^?2MA8piTc{Q5Obk`^)
z6y^8mOrHl&T1|6C2WFDdbkl}3yJkNlywQ3m{73}cv)qT;vm}0AI<Nd}{=`*3%iZ}d
zq8C$CE!EwSuZPA$P1;yGg1BC_V-|N_DCyd4DT9dj&1rkbMH#EQM3L&#Rym>2*`bs(
zqB5(6gvModuOxdtN^8Dn0`KD#$+#&BRp_zc-nL$eRs#D-Fqv;+l;P*P$z=x`ViMD?
z%PY}|3aL7lNC;OH?ItDoC@DTpJzuFne(^+FyeoJ1@{bu_%X_g1mLuYf&$nDm84B1K
zQSn{inZ=4NIHVEw3t?=-S)eBSiwG1SAD@_*xU{rX*zfVK>~dye8sMNtMn;_SW<LmY
z9`NS(B0$!@rC<2jhof96Wg5wSOPL|z489gPt_p(XOd<a7A%QP@PwCuJls$MXZP3U|
zH{OS`7vnBV>!_vM(uj$c4*utMh|54%8s?Wp85l3!8!5?~hBcjCuutpmZaw^Am4dPe
zirJF)^SyH{BNgHcy4%zN!xg*rlb^B0{O|W4{^9`LoO*9WDe4|h2ad|w_2#+Ka(uRT
zH}TwGgdZHB|GX!*hO?jgmfhzMN`M|V*$-z@FY0dnzESX)5#0DOH-`eI>ftt$wKG^E
zZ&m}kPd`M`pLAR`7YwXQ=;#<NKz1yByIkCE@=2YQMWK7G<DhS87Y~%W1T~B`<=$lS
zZFkwrV})2Ro#l9HvgKu@qp?d)RCV7u;v-63PA`y<X1_hF&5}3o{gu|b9i3+<BJ<@r
z*x1@hyN2Z{0TWks+#yggx#mnd>bo6f09PwQS9jW~r|bq3B%vkhmqLZ#8n<Hk^l83Z
zxQo<6zuorJ5ot-Eba*~y0L_!cuDXT%7E|jLCPWN<CmjBYwCU-@Oy+)ns1Dp(lxR*f
zo=U$w+rg8*u`XitVD8fOGM>w_h)G=XWYCH`@~Rf7;C;HAIY2rK+pT9e-o;w0fNoU{
z`sZq24t)YM)F)xBK5Rh>LkCle$vVIOHoEv2i}h45bJj{C0h>U<XdVF{;5{2Du|7fM
zJ4<(*@&bq~0fSticT4Z$^;-qN+wB<yuupfjm^`fii>R-Rs;cY4rMtUZO1ksVDWP<C
zNeD<tcQ?|Av^0{^(h`DjcmYX~=Fr`Bm*2f(+&}yR2JEx;TysA22`0fm-G>J+Ur<nw
zU8_Y`Wv-kcB)w+vExFk)u6BJXPXsN`Q}r+q%C#jm)uL?Q$$Y~eic-6JaV(UlKV}<f
z@VhwV@$FKg@e?xGk^5fHN>XTK|2f21sEkez7C)H>tKRT=_xoeZILV7ahkjmL)J!ki
zg=#Kd7B6R61Mkn4Bh5~BeH@sr{l1AAenBx|DuL7IZjsvT+4mWLN;>OATc;U*R!1b-
zEc6`ri0r1<6pTLI%)tX^Jf>=bJ`K?exS91&eOI^pZN-{2TIbda4bewmb-j>WoZH{F
z-83@C#o4r0F5(yj_fcf)j^O<9+|4xqDn8axe^A3up(LQ<>n(+u?X|8#@xgRZAnmZ}
zY6jlLUPqlX=kRLs$E9i}YyMk&ai5KEq^ZbBDhKu0_9k&?Ds&GwrgL>DL<oUF;+|s-
z+20*Wi|hAg;a<fBY7KZEBO;atukh{;Kbtm>T0TxCkaJ*I6MT%=rf$1kr#W}?5hHDq
z!>LyPZiS#}dki(BoUGbzQl4gwr|#M))-q6J9XkrNy4z9kLi#;n<Np-sy-(;rGl7mQ
zas$h5;rE8Rw}zQ(!a~z5P9FASF&l@1Zk47lTdi^7jAMV)IH8L>-rL5<$geVLP_!Xp
zVZMK<DP1s$6$rZ0H5d$bmQw{ndB!q1H<XSwO$u(YxkrVE&vDEEvlmQ$>lu71$ODdG
zxOx2=kLn|VYY<Cdn0_GipxI1kCQYn<(EU?RY?^O_rmdtnH}~Y+T-IQ)WMnI`6@a`o
zUTo4}jB!bL1^46%Qe}^{O7MR6R?w_VS6dlEJ{aHU&a7_x)N}y-WiP=ua!D{xOxSbU
zNeoY-FS{^x?;8FlU+ng|e(gW^<Ofm(8w!#JXOXcZUUaj74f5rccIQb>;UtvC+)9p-
zZB?cvmq$aqgev<R%}*1Z?#`)kqxV<m1Kj;QkF;8WygN6hYPXu}^P|zUgN+9+9+SLF
zTnO553>H~wLfpZk4`>GbZ_C%M=dwl+rp)DSaGw5-lFsja=J&Za4afRTmnb-5^@03O
zeeuI=mhJQF#^sX{_D`K}Y(GyjIAx{F4l0N-wweo~X~3t#F_s<mTtb=gY=kZcr>*UZ
zD(Z9{&OjDU=$-_eR`gL@SxOW|Fl>d(IygeA>@;A>)Me(w*Y$Y8pGgjh@=32UKhKF(
z**fJ+;LN|DYK)n|H)$LbaJ<1+*RdIp4EGgQ^Ey+eS3jF)(^uE4?u0w=W+Q*_HN*Cr
z8?^{tc|S^DN%jIB-Q`Wo<9)7>#r}Kg-R5bEUYWXx^`Kx{-+Z|%G``s}yZajP?F>Dv
zWtmD~;{3(=IFTw8g1niKqeOd$_a+j?h>dM?6imtFw{+slgCCmlGr+-&c<aWG^X8<0
z`mWUDm|>ywL*0z>y=W!aK!Cxnj(8a{um#2+c;^Y`HxUU*NzHr-70EB96&1>VG1acA
z8ol4Y7js`n`lE{Mvk34bFm~aE+|iL)zyiHbSO6ZR925kZmo+w~tOm;k{W`NRpM0hq
z&3b}N)zz`r)`keS_xAiw*A=?eD?l!EcvSJbj#$OD7sTCs^w}X0Ep|3Gggc9FK!n;p
zBsI&n;<bGCc;!Emzu!cR4Jy?AM)6{LnkMc-tWFae>y3RXOAs9SPp+x7D^o^NpMJy0
z5+rq=1(5IZIY=w8Kc5madHGx71TqyBANJ#87_;&Z2z%?!(5Id}ep4TnoyjqyCa(R-
z?!s-;-n~0{jfD^V35XOaeT(8{!)kK94BW5g--vTlf0*?7h|=6a89IpVY){h}O-_9-
zhG2fBOy#XMn`;~V$6IBNg@RDRVTf7GWpLuWjN`t}*lrS=6r`3tpNE~%?&y-{1$7-|
zqJ%h4eJ1tyl6*~5YLPpn0dZpyhz?0NW)pXx)QyIDmWGpLH$87NzTys9CI3``u0#W`
zjUyo_THzRG<panN%bp2ph%OF8Df@~^9R9z@orVz+Uyp5`D|TXqrHH^VX8#5Zd)76!
z2T6!qED^IDp|dythyN+UQt4ajHZ5s>(w+X>C)+gLEbL&ZTF7C|whVt*pg*mo@%ue|
zRi}@WNh@BnEG1~1;aV<l_~7q+nhtym@<x?tiz_sW-u5_4x*Drh!4dGWS=_sdT2p7l
zov@DgGhWjgcb4$@lDUnXLtqctO{0j@d7T|FIqHmT5i(7t2x5nHzEwO*?AIhU9eS2G
ze6;Rnu|@()<w%_FaHH(XrLX;`${Xo%V2l9c0I>6-EXpyR+A^@T>*SI8&VL6-2L{+C
zP||>{Ae(ks0<9EHf|b2}>$^W<c;f&Mfcujk{SSo!Q#d%kZyg-yPQcy+2VmhTDHiYE
z;bh0e#UXIgp8&w0fq?;zR#}LS&H}h5g00Jt9yRr6fG04rd0zay^CSK!OIvz^<LVJa
zd!h2`72=i4N*B48VVm1p1Ug{~1%=~q614+ZMkN(7b#!#FqEKK|&r<`RNCylZ+5iBs
z*tohT_fAbs0q8?v+O#`Bl!*!H1Yqo&`}^@0uWf8fK?V-M@GmbfcTZpcDnYnCgYkQ8
zt97dva-Z<pSN&)8eijwhbTjyfnhD8<tUdjeto=*;?V;V5B8^poH`(z^1ER3mdkuD#
z^?ugHh^L1h?aeApGV!R+z3>zso)jgq&fSjR7vJZ2J6-v)knZ60B(&%A_rE&Wq{5-0
zaP*qs_(9Ln3cAi!MTRj#s%BdglB96ulSULo>1^ji{aM0QnSlZ^vd{<Pc?AiNPS9C$
zmq=<oJri+^{h+J#;En*I{ELIxqj#uDk;DIIoyASQQw%bsmznH8)cM*jr*7R@8Z-pG
z`cWhywkW$)9-1#T{VmlkmZKvSwx4>Qlj6S7qK$vcrv7$)HSOblcj`aUKyCp^8E*cr
z|Hq0ih0gK2_K$#3>ZXmB)6RT@q91l_M(<vq7Q(_YxJ2tb3}%PKJ|DJTR@t(xai-hs
zH=PuSUfk|i?d3*qcbi}`+BRcBG1LQ<XU`^^k{{vhBR9)3?EQEd80uU;B<h(@$qss~
zETko~TOQw(6XCA7Eiz=4Vogt4-Mfe!rkQ-yQ{`&^HScdaFhqEt1;Ls?_Ye}KLL)B3
zW%e;3m+s;Ng2V{RjJs-ariza*`Y=r=nt!mx1fqF_DCZG)=B;Dr$t&8B*D2}6mZR9a
z=~#ZGkA*j>==)3m25~#P)P=JA9clG0;Hpy94Y;fiOcQxJa6+UmMn^_^M-Ks_IJp1K
zgsfoH%|y>ogvY(vVan=99C6nU%U7^8c#!)x_tn(6%ZK+hN<bntq8fagh2GWqxj3-Z
z1n6X+aCR4<tA?rsPUMNMt*wFOE-<n+`{qd80tzlQ4k{|D+M%AF-sAoCFcIYKe@y!N
zb3IRYW7E@w+GQmrjQxzHM0_G5H+!?y%BXJ~;H&DMN&fw+@Q#p`6a*vO#PAMUNk1YT
zcaRbcqCXG+_DBf`5G5kI$=FW4t|&`QodOD+d<ow$J>*|LK0b8CIXMdemkSICfYWq{
zt~G8g{)Rs_I*KliU^|c`?I|zQ#3(J8jDZ9Q8(lntR{xp$oZL}cv-}jJFry#%P1~aO
z;#@#vV?I!~dftTg=<X-Fy3=@{hT*}(#<h}54;oGzxru=Lvr8|qq9imGmx@!Z%15^r
z%In_@9Fzz+I#p68foG-;YP@O~cy*+tV#H->uUil<l^|(8G4IZs@Ja2=!23|}v-S|A
zT{=yRz;?j8iRM$?gSQ5u!A9CRj;a4%QLxambVOx&!9%ST?(3VK|Fp@p;3}Qlt4{|O
z8Mis^K{LEt_XtS9tXS`Rs?Nq|hS1&WmBt>EUy89xlZ-9e*Qd3ZUA^Ln=+UPacOOGu
zvcQi_Fa#7d@kqE>Swruvmh+TH+{{0`ee9|+R6B?I7wRKXlxWBrS|TT~ox@h#O3@G@
zt_7CF<$&4bPELpXejGF3@m_Hntc&Tg^YTN6)JAi7@$Hzi`3*;9r3Fz3SO;S>FkGJx
zpQG)JJFDlug76pw?Fnh|k6A{$imZJ$3egH(@?M@=3H%EO^Z4=7cW7#91ff>)_OH|P
zo>)mz#jYN9G#l!1q3#==WCA_QG2dvYyg<#Mpq8ve9{vXf*np{0Y6uNk-)9k1E8FGs
zxS*eaKumm}Zt4UtJor|0kepznKiv{rlf_j4yIfw-iU2kMs<{&8i`K+9P04y536bSQ
zchCzb$vYk91XBR_MdQ+v)Xf=9xf^t8G2bW`Yu>^Y6at44!wye2I%aluj84njv#t3E
zl{;{f{uR>#eqrHZu7687&~1QN`XtuuGu~-U5MT+<W!448V+UtvEW5_0rlopIM1&f{
zrlH@zNq8d2sl|yQpy!<~*HjXNV;qNJl5!2&s5J&tK1Rb3OM$un6<GiNJKogPiBXFH
zGzNW3J?=#~2^^h~krBfta58R)U3n?L5hC>3P6RGMxo>5KCc?(j5`I}GcNJY&xD{Lm
z@Zr5G^RW&U$e1LB3?RuVgtJZN)ya<PDGEJULu<)~6S*~Q$1%>m+cmI=`?dBpJ&&(G
zr|W(__a#Nov%l>|<b9v0ji1m(;^&U@y<-+#ZwViF<t6uthI=@iFCpU#_jQ&Xg6_DV
zoA%ewUKs_O3d`1ml9!#VUK|(n$0uO4DBeu8#+pL>Ipsgv^8A{P3L%d<Wa4NG8~Y7X
z{tx$WPw?DOUn~S^pXWBbbihLRjI`Y(<=P{%)~im09!e`RocO1#?VxKY%=-Gdz4%~E
zQgQ<?O)zLF(r}pe!S{6SNGXc{>HBJmqGRb1l~CZ$tu3ieW}dF0=WAX%F=X9oG;Z?F
zM^ytMm0vHzKR@-PL8dCfsw3ue$5!_Fn2$7~V~6u!Lq^hIn>clEl^>@1RPF1jF)&sp
zs7>Dy|GPDJBDRzyJ?ZUU+k1^_0|thZeW={@Zl`Nao0Z5GG&~LENSWtb#CKa_k@p*w
ze>GR0U%j#ZH9#6aAt{gk<|aJ%_r?d4r=7+t+UR%hzE=?C%1IyIFn*q8sbgS#JvHOP
z5=ii03Z~Xd;N#TO5<6YLzeea-vN=38LJvnVe>r&kYwlluu+UCQdd@L-;MGR|DZ>Ae
zwBW0&BaacQ@w|6^=oa&bc;$q>Q%(nktC#x!+FNBA1mcCqEB{d_Rn2s-<A*xEnR)R`
zROT1?2*ZEj_#|s+Wmu}EJYNV(md`2f;M~FeaEbPcepue7XvntwU*wZ(#H`sxA6>Y%
zQy!-^M%v7QVH2;3^=5%oFvKp=h%*njB#f6=L<Ub&*8l@{-tA|6k*Z^7x4ki(EW=5c
z0ThqDEPTKRd8s9PVs>T*CKwAEAFvCCH%CA~P)w$I+#DrLNy*R84-ZG&w$s+024n_f
zLqkhcMlpk*qoe;o0uZEQ!3MU6US3{Ez3Dx^=XQjIgj`Flzk_2S0=5D~Wca#h*w_k(
ztAsQ(D;-`=7R7OKKfz4}qAlTGP8LWN@LHodAYw-{BhVBDnwXldfp><{$k=%LmAFX#
z)N66?17$TelNM)khT<Xz!YK=;V@J$L05o**#95bNjdEzPt_Gp~`bc^**ihpkR!y1W
zOspM4PMszovF65Unb>4to~esDV&wU-@(QYgzMrMSV3mZ+VfQVpvB0mq%|1l{ANeAr
zR_M)W2xS|u3uVMMEYjwFD{ZDR6elL%B;>-qDphw7r8G0bDt|}Ez$8vUGTwmn2%b@G
ztrvMxLhqN<AC5BC{8zNi5j;T(H5xuix(vP+3*wOy<l*Y9A;Iv~<hiy~>Ifyd%1AXr
zwmZn!M{yb^Z2MUT*=DR|k_DT^=~nBCPcpIO?xG6HNcf!V?}Pu8z|7SC<6x)Hsu_t7
zK2tqwzlQ8&ee~C*8Fkj-LJyg#cO;ywy0e=vO+jEZC$kb|Y3KmnS_-9D`IX3UL_{=&
z8!_HE<IRcOUpP_XC%ACb$CU0Z2&BEFHKe)H*}sM)j*KXkD3CUAH=Rvoq#{^FrqOQM
zI-=Tkb1?g3V25q}Rh@ipw@>JYzLeOs{XKK3N?eqj?LV01)+_my_wMV|(ATN5uT#u}
z)YXR+)uZGJ3|450jB%p7Ub1H@f>)}7r>cVIs)ERfr!cvcFS#&A%a1TQ_n(|oQ1Qo{
z4^g4UA5knhjvP};-yBuW!VoQ&2gqh`yuJa0W6*OPF15OXNTg|_uVP+%z?Is^&(A7-
z8`T~dmFXXcL-1TaplQ3(vxx9~ww?wJcOQu-1qwa2xHlFAuCTO}>E?LlJ0%q!H8pm3
zXmU%7(ACS#6L@x88yk5A1xrV%fEymW>n@3Ly5p~)JE?$yoEENZl<y?impZp>aQI1J
zt9J0Wr(k8I6PU|W?13ITL<;SRwX~-v*uWsWy<L=IxVIOs58Ce_04(2`V$@M_Y2-O{
z;-rLDRAU$lH6s~%;MOzq!n;bysqyhb3`wGVNzVnCrx26BZJW+O$1G<F=F$D%NqD0n
z^3qA;TsyrTl;xqof0au?rKLD6PqvAc8`?*oDsE`S(zjYj7uKFPu{e)GTf>0Nq#&nN
z7Rn-cGc8|V3PHmX9{XNLURbzA!54VnE`7wZe^TySl*DtUv7>cHlD8~-CSEZw@tdd2
zp}*Tn>DwqVH4+zRvH5IqmX^czixJG6|BR+7POAYWwULhNvXY01Hrub?A-B1xJ}$3<
zg%(bcd!;utr2;eIHv&$4)-Hzl#G+jaQAMw0bJ>iDN(rtdK8`u-T}r1;s+dp^MN1G$
z=E@NFGPW}U)^~+%{Pv`;sU1Kp>)q$57ew(}CO4mL@^E8BkZeDTf&|`CW6h6?*NCgZ
zF_gTF-mqm-Quo^dZLZH--$7#(8)MO-w{1*#Plc^RCLcWyt!6DPh~{i0)B8l<d@?3(
zN;1vcd+Ck;*5YL`Vf^$(%-oeaZ@a7K)p4K)O?Li?>RfB`8yS<*-SonZT<6yyTA@74
zQSi<p7mf<*wD+<9CfqWSlo~qt@|!9!&z469?d2-T9C=`O{cGuhYb}6r{*jxB_7>TT
zg6W;Az9@#r(|S+59=M|YOngUYXl9`BeN{T^i}BR!8F<Y~=6+_RaF$FH=QAe}itk-`
z`COGue`bk_p$Nc&J_jnc+#F}ez}+1lek3900WvaObojFU&rWOPK7eTNaQ|L0;$>&~
z&W~jZRy+u(Go5)bJ-+z#t(Qr1fzZ&3BC>T(lb-=(N8Bo*-PKVaWei`Z#}g$+lx~Gq
zr$?Y*eV(fCvRaLxh@FNz4Y7kMNhl*Va&TB3J`~$M`+N07sZ-4%Y&uakcbR02K~V+d
z_1?aTEtmJ+#3k68{u12IjyIJeKqmO^<&Iq5`k7oFE<SBO^Q#0O4}XkE`umsP)Bgk-
zs{9a*S*MUc+xb}hHuHrs{T<$25p3hr>3YZSJ`&Tt8K*v;OA)6b&*%2biRoa}viT^x
zd1ujvHedZRm*cxAvt)^BweS4nb-UCqXV^`<&;t71%(ZqQ)u9~}^}Q$qHN>dONzc2=
z*}f&?2fms-1wR_LyNTG`7U0uK-by65BM*nyzP<SoDcJOrgCHG_(83U2w0~8qQzL#{
zL~V151!;i|<D|%+HiYuqXEh57eoD=8+)+V9efYqXFypv}SH<*N+ghxQ<&y}3uoT@K
z2a8kHT7qPV+q4nbg?7~eP(bP~MxO~uGbkwwW1w?)S<~KA?D9SQ4`W|crrl?pJ0fVb
zo}N|(-{AeUg@|EMHJ;wBt*?9Emz-F?IQ=S42sM158M@1fpWIm!qusP@ON7bxDnema
zI5A(Fzc3vQSpdu_Y$~MgkOuAPgkea1(hZtWA%*`(k3_Xg)$Sdc>6g$pmCwdo+N=7p
z;r(dn9D3xGv4m{#k;J75@3K(u*le}iqb+WFFZ^(`blu;&qsOWF#8orDV5%V)U#-cm
zCdh&itAzJ6>^!q8Im$D+Pqf8r3OF^gbBSkBkiK#zC_ZI>ZOFp~#|ej*67h?R#9Xns
zAE%#y(&0A`SKm))G#;En!I<VXqG4`prg7I*tCX<jo9t`;=?F^-Ui|{9#FuAgP4+a5
zV?6K22W<xsJwAt>n{roBDc)>78{>W6skCv+mrj=8cQ%^zLfxJ;5zOt?wzgaPfemjc
zH1b1GVT|p~FM7pkUcF%<qcQP~Nc-Gabt2`F`InEP64X}BfsJa9@5ed%XQ|h*zW?`2
zM!$u3vw?n6Uc2swl*`hO*YIfHn^UH-lZy-Yr_i|?2%$gE+S7X@23)1#Z7isJp*s<f
z^-K02iH_d@w<iD(2pz<m>HZ!WSlLU@C^@P|rQjdqqFzR{t=82tV9|d57^;))7?*rj
zG=(~KOH=`4zbr3)!kZM6*eYxk2$}iliiC#!(px1aDwKWMDDc!59X5cj{zmAJ)*B`A
z7jB9M5pffh*`~2PmjlsDKQ^m(H^bs>Wb@KqJ!MQCcDZ*y3^n#p`K7m4x~GXz<uR>i
ziZVf!x-#CC5$LDf^}^DBeBX@HUSRf#nJRbIV+=hlh{K%l&?LV*VX&-Jxf_uAlzNjg
z_+#OX=DM8Z=ys!lXU13(VQb<O{;U4c*mqlJUtrquQicU-Y2nu7#v`pqV_{P@mL}|0
z7pH1`?ix%|2Mn4+Zkib3xNz`6Id)kYxO`qYQ`W(%Y#8y}Cz`Bi#_g9M@W!hS&k0{4
z{ys8AyVn0Jfb6@>*F}`O6STJbrWcyaImXEU9Yyn?Prydc*%V7TZsdbc&VInnop(gK
z%fNipZaWKk8<W%0AS+^hi|IqtSd5)gM$2Pkz5Ztnwd+()+E1pZ>Vntmfv2mt?V;M8
zJTBzhPIl0l{A4qe%dz@14gTPh1FOHh)HaJeC3X+>umZ!vhCqG&=&dDVlxj_rTf*r`
z%SC=h(kF-YYMhkDor)v=&OOGfT6qDrLtutQEB_HTFg82u^($8}ds|&y{nqXaP7pEv
z?xwoEIt-*eS5;LR{0O)OF*bYXsiW<s@=OGlgKI27Y*RLGl|}FlKp+7ix|UYYV{Gm0
z&_V(X<m3<`fXD`JaRFiB=udG&U+61wk8ea^;e5c6Y0BRH2I=-}TGxz7ui_c7#*%0x
z9qsH|KoZcqjh8AyqzKa({pycjxbSnbv!UfbzC`rSt9mR0&@hMJzCwySmyZgtBxJQu
zm}{$A0*(4L(vQ53S+q8)_PM@iY(96G8y5XUX7rO}O`UQ4!p^3^K&SD=|N0Iz*=_C{
zT&5iy2K6D%YhqU$EV!sRRM0lVY2bGA;dr6MzRt{LvH9&n<JNI7$JNEv1b2Xfmx(t(
znS8Mf2Td9A-=c0Au~iXV>@HNFo6hbF>we8^^RC#(b?LcNR9v`G)%iNS7#QD2^_;&9
zf=uxxi{l^aDrxOEv$4hXZxt4Je*w!ua!l9Hz(A**j2f8T7L<~j`n6hZ=6qUYk&*Cj
z$Zg@J7_mKV8C63pQ?b8g8;iz$s(q>A;$uI^=h^+YkhuNb#dXj5(>xzG-HW+6-t%eC
z7#_#Pb}sFL+rSOiS3>Hp^NKW<S0*OZ+UxwDTISH%2hNRa)~}Hz_bE6>v6FwaF3~4v
z*)LM5Hg_igfw&G(2o)7kS|9mm095;0#@yWeRE*_cSD0PEG=-Xo))F!auK`$IfQ=7!
z1r9L4!UT}jg^;naaT_li1v$B7@KfGUe<PUH=jC#8a>T^M$U;_kcXmG9UmcQZ0DS_O
z`NJb4k+otH5}F$uWr>(#(&|r6PCf~{E-oz%u!xAv1Ne!m{{7a^x6@_x_`UKV`-}=m
z2||(qud9Ry1bdD+0ZRAD+{{cs)dSIJ@in6iQEWF&3imvSs1dgtC)+E_r(KUCCD@&B
zV7y7z#IE(+nV^2U)?+2p)7I9;hx6(RdK6nk{h?R}R1->;fYrEubfke;ShT*eaa#&4
z1w?OI<35+SZ)4jW<k~zuJV3V_-|L3xB+Ude2We<%4Aft}+7OmehCc$)wkDn4iFYTm
zT%LIN&}hQX@RjI(U-p{EoQ$WE*_%}dS-5O7FjU+>y^4QDutCVou9jk%z4E=goP_}F
z^yVW<EC5;#Ae&C_$Lrpw9d5Pnj{%?mnDB;xKy{?21hvl~{1a+Yzv&lvI>O5+cHuBo
zk}St?oyIDQzPYIRI{$}m2BOy{eipoUOf7`pzCFx5&s4tUUdo>|M05t5_W8RnvNo=?
zhu*>_3IbxF^Y=t)e)G$keImPcHa>XA`C(R6d&7j!Jb38&T}_g#b3<%qlMp>_*12~B
zsb7@!ERSF#0Uzpo&bO)e=ic`F$V-_AyTLP#)tI#Me1!@(2v|)0Y*+ReUJ(3nIYIvr
zlKNL^vt41^Un9R74zd*N)uf&R-`{$;I0M~ka7tg8i6q2V8{KSH!T^e~YQqA7J1G3m
z;bD8Q4IpE2XBW5Zj~Gp3v5tL1+UX90<2PQE($P1NvNX)Guo+bXt;>115RmZF%4@;G
zX?|B~vq<Bbeue~!ZOdMeB{2RCewOsc-9Er)RCNB+LEJ<Elh@ND>5Kr{t|B>5db<2B
z9l>m^lEz&03GmyoJ^37<bk^3^d3Lo%-!R}JM14R~tO)<W%+p4)lob|;JQBD1=CY)x
zsp$#;U2F;g5#O^-pc{dX3A?T&e2>?n$HdbD2N4yE46alfL!<!=(epsNz|&kbTw~h#
z8z8n@xBGQHAxaXz>A3!*6@EvhPtR~OccV+o5&A(S8Huz%QBB7AaPiwxqb+7G>Aw?C
zY=LTlBWVokDM${o!W!=VX7=5$y`!TT18n7xi;HBSBQY8I`5I|PV4VWMHl-x0_Mk^U
z0R)1+AQ`9Op`qeFQZ5s;7C92I7gYLWVItj#kB{%**o(&}C@iexQRL|GA1Hk1_wl59
zshFT_0!JYjLznI=m=dwki;rsN|E&~i3BBO0G(U!1Zf;I~7RAJ32r{8ntQ)e3d~5yu
z^ax7~&{8mQjYg0Q8&0G(SJK-atV|;y&q%uUvME3AK2zcKQlD~H`_EgISt{W@o#sP@
z_>XG8FXZf1N1*O~{l55Tw(|lQYggSBwFf66Y9@TX^6*R=e!k*Fa$FAbT;cwy(v3a+
z#dVA_c_K9Qw~M*uj{UfR6@|AI7<wMH&3u@4+lHzm?F_JKPN@;-KKD|+0`BtVKH(`Q
z<(JV}biZnc^`eQyZfp%6V|dOIyb6!fiRDs9cK7cGJPsMoKI7!C#D;s$P9T%g(8z~K
zJqwF7jfpk(x<7u^HIVdl`IPj?$b*MrQb#=?U=N#KU^#wwGR9NI36rz6vI@(!avsEs
zZommclrsU(!k3o4=8VAK9Y}CK_It*%{R<)laqfir*+BpLzf+n+b^#X^LWzxmGvEA{
z&;p?*oSf7IVWQ1r2dB^mY^OZmd3^W~jkv}uY27`XfR@xJ5b*SH`@7cI8Y<J%+|n{M
zez?7@_!k~K#Gu{+{y+I{@efCXClRoaQc;g>I?NOj0;I=6CK#-JnN)L)5TK%i@Ny!i
zh+dW&$enN$JayqrJm18{#EQ9CTZ)Sr__o9chkeJ%S#m45T`&^bS=sk+gn#f+c>#b(
zNs*3e72gQ=JBb>K^dNHz#`4qCQ^+T<u?Tm5_opKg<zFH%2-f<Djf1181ynL1Ex>`H
zncmU!_RRK#^{n3#E-%bjTbnQz4o}9&LGnPH2cth6xxqeFdAdw}tcMNm%Rg2&Wh7U>
z@wbQ|og!U^(Tf*{*zC5XoF*}5Rh4C286ru{YD{Dvus7(Zm2d8fCRx<)T=<FsjWfkQ
zBPK40T=HT6Nd0?SK|HO8#!RuB^b`x-@I@SjOac6W-w$GB1!7<3bf4%lk+DF9ce0|<
zWJe<1L>2B^S5q_p)pIK8^?EFCT8>!#`u!r69P;^I*q(xK=ZGfu<r$V*AbzS-wRK>%
z2IE=!g-0C=@YDdI4P3E9mdISs;vHD+aDid*htiaRL3bqbwnycnPM54Vv|^o{40F8f
zbGFm@J*j{8Oyj>wO5zOHe8D(LW^*&{@P_b-dAbbqlj_pxTz69^90+*U(i)2F8+AG@
zMaTT@HhB5YXG$iv7+2%G?GID;ee#PdZt~hT_k_5wTCv|nfb2=7h%1|6YikQ={ABk`
zm;skE2Kv_LLI$%~rswg>SS=?zf!nMLaGM`fQc_|GS;7?I$+HhZN@Ao65%3BjB_$pI
znXQVCIfai;7O_A&fIYGeSk$1D!ChFKmCXt9pdce5y$+GSR$v*@0CGJUc%DklTmkf3
zS$?~5X%!*oc_5JBX@eItP^eQNlTHB0%=cMjl(3-$^6)M^lwAN)3cgz=<AJ9g9h0D4
zGo<B6rWQwekBg0cd4B#%Qxi2NL=;Yp?h{zuA|ODC=IYE*;VxlQh`p%k@|DfszTIE$
zqnZ`HF8=xzNA1n)*V4HcC^-!cyjKVadEy^%APz6_a9Ii6d;x>LFC4YR5QkbUB6B!3
zL=S-{l)B-#mzRQq!of0yL>0#kiSg>_&!<d7tr1N8wF<)v8P7O~K;@*S4Qs9P`mek}
zvssc`;@M9%eD2AodKMWfz-o!<#a9#-42&73X;N1%mNPUB1-%@m=_~=2si4R({9GBW
zA1}%#)ojS@j=%mf;OrwBF<tJ9i7-SmCG|j@Baf{wl700{`MJug`uP4TlyVdhmlJNi
zN{N6yTS4a@q6ym1Zym+nWG7SK&GoItvE@Fo4E@%eduNQn^>(@F>xaCp#mCL4xkHwn
zety$s1~bpyX_8N?=aVfz&~HOgCtboi-8=p4>z?nIpLQ8*Uw-a!g;&h!v3swal<41>
z58R|Z!n)0)W^?7@b5O>A6YdYFnjTtR^z6=|R9{)%+0z`!9)(9;oM5-Qo$=oVS?Iq<
ze080WIv`iNT(+;jedOmI#LOuk9C_kDQF~6jAn;^_<M74ty)gTd>toN$?Pvbcam@wB
zsY34}T$JDgZLDy&5?nW92yIak+0YxAQ5IYJe}@rtgtCkXbczXNp|RMTmOv^(6Sd$3
zZnSxfiQX<CNQoDv6bR4BfaJW29=Sc=nT`%E)A)=b53<*gQh}Dl7HBPjNC70RDK*B%
z#>QY){SbKmcl+uMamoM7KDFvbO<e|XHb`<;#?}^r$}kZWk%3-t<OKvm(*{E5gaGf{
zCIZf)vRc0`?7cLB$M$%rCg?PGeti<Q=!LtBz?PJNTr@!h#GptD3Wq5%`S~<SlQQ8b
z>iH742MbN}7-Hl=ViyDdLaF=Y?|1)eFy7$ONW|#+fM%1l55VWpv0ZD;F1<RlL>qc(
z;^o3LkkmoPMTeUhwTDP}cyLgrS&%gJkM0SEk=HUdp|uX)2i#0aWr!wV8<kbZ!F>ab
zsxrI?4S@hX7;zm4%Y$CIHmgRM8WicWSK9biM^$A!q2e88t`jGDf%ed0u}wt-Ko@4|
znlumPb8t_0``lFZB6toy7jC0`uP8hXPucI<D|5(6+kh`8J~$YoCAc};FQCKR(+3A>
zk|9{9+K~6ljWp9mnoaS^I0{)lTq{EO<3$w#96Z06=?1Pop1rX^MR;gfYt1(KP(T(h
zCH#vX5)&!Em!`fEOuJ2By`FEgnknDyXGvH~l5O372Q`T>^mofK&lhwkQDGst$+=Do
z(HW~ekD9F<9uc;;$tBP%OfWC@Rn9#ujVw`ayv)IQ%>6(EB}uxBCRHN#$$KL<(o9!}
zUllD+!CON50AuF6qO;K!heiX*gxNogs1%A?jELH+&^6)3S9zsC#<4c=Jfh4FCqGb{
zC0Q?vsEykCIp(<g_V(65^$Xn8$w%Z>>X}4!7?K-ZCs;TFgc_G$^0LTs^%<YWLlJ`&
zJ>sCE57h_tG<I72174U4=Nk(SFvx}y1&}bcH(tRzXrT`J%eqb57x+#sS5mfXqy7vz
zo0iq0RXKeU3>v5glLu&^Nb7>Vi`8|^{$Bz4&ZYHDm$@?jMHl#L<C~V=Mv(_q@JUlM
z?`rR={~}v0|8e(~kuJOKmW^#z*8N+iI}dPf-5cSB%`w6E%Mr`R+DOlLJF$?~djbVy
z%U_`@H9*=)i7ha>q<1y&W;n*0xlj{?UUvn;CbkiUTWQ+9xlewZMSb_R-P*HXOlO*V
zpr2Fsx#)5?y!CgEpOkmPZ<JpmFJO5AXFVk!eoF|7Z=^Y*t)9GU(rN8%Fn9lz8`$(A
z-{@-QAk6-!$I;yOreOHU4_=J{NmHeP+lPkEeL*UsKU!XE9_o+1r^cUL24<JnF9QjF
z)m76z?ff--7H@$wWRxjgrLac|5_7X2_!-FWN?ri`-vbQZZZPg+(h=8PknZ8cQEG6S
zwS34e?!#}jAv}90ccc*WjVQ2GY{#B%1}LMGS;jTBzy@NqaJqa(&9FP;OF+e^0>2ju
z!c(F&vShg;$8rkcQ|g}Rv?3Kfo0ILS2$!40<mA4fAI>e@Ec<HOX@$4BAEths01?R`
zs?%qHkSbUCbp34QTuw<!N&=ltEhBa~QEAv4)Rr@BR<?-p995TMfV!t;5InpM$yJ~&
zjs5ziu+ZW<=VuE+tgr`xzpk;jkZa3N8`IeT|5-X8nCIBst^eAxaW!txWd`kuy4Kaz
z6^IxX8J(J*<`)v^c)!aB-HBTNW<_<mJf(QFkU_l)?zXaWW0T-?W}1~VOw2e{Rllpf
z*}C9h7Z(@Fz|Y6`fpd@1b-TK>e8Yr<CAc4=V**SVcqZ9-CWp8u#R_|eSjJ|AcSKWS
z5RrBNN)SHRkb-2M<pF`cqnyR3$RT>)GRRwC`A3Wd=hDVZ8L_#9WN#d`V-y;lNBHgY
z$8Rpyx+#p&5J#?2N1Do98Byl^(T*$LpBkrCp}TgL3qlj8V!!d(Cm1B3ImVy}#yx7_
zM-nLJkwd^sPLyp;p5mm^t(RIu`PyMEy~Y&;#J!q39}&RdYQ`S<b~WyIl=%)$GkWoA
z>nb@MGON<w&vR_ZBu@(6*+BQO^u4IWKV`)6Cg}0^(Oikfc!%UKsGK3{D6gd-SU5O1
z2v$qb;glD;f_DP%ma~;;jbumnPF@MHQGL{1)n5y#2w#$oP!F(JfmgA@pryh2=`BFI
z7v&&7YQrWwHB=7Ki5amqkVyhU&Z-6bK)>rF&X+Ia%Sf0i6eC1K#GstFUoUS?trsWX
z+D9?6vZBGmUe;8UZyIVx=8Cv8sFPG_XWd#F2p8f$x{Hrz8fO;a+EY2Yy*iCv7*l(Q
zvx)8fIL~DEVknR_;hg(?E#V<0pX|Dp>x^BYVXFM&TZSu!MEy)Su{Aj4*y%H6(#mo6
z1s&u3OJ08dft8}a4N<t40jL?Y#BUwDMs8Snc`~y$e^<%rnUCm$^Ii@d$ma>k95^^Q
zfaMF=*@CSvA0OY1N-hR`sW;i*P+0opAvAZPL@*LU<_Jc+L{E7J{6KE}p9j0Uqkm@x
zK5ip?u#JqC>WM{>`w2EEYO1Qm#trhA76*zXo`OtFgNuu~9ba<sKVI~uT01)@2+d7R
zq2uC~=QmpjkYxrO>3p180^;)~{lLXmSE+Z)B19@Fg%nd@I;|KO89~#gQzW~X1Y0;L
zmr^ti(5mJ<_2WaDrOrRGYlFcO`o+}5q{f8<73*p36Qq{y4r-srb{9hM^W=+GLdA?3
zCbwb%UjfEcbhjFe`0jNYmLZB{T@A-0NLt4ZWcu*|E0<1Q{|i#ESjvAdbZw755H^DN
z$_;e!CpnW#bR3+a6%e@!RDeTZjn2rx@ZQ6tAsT4j8;GYL!jLfo0s;WM)GG~#|74g6
zvcL24sM0YcE6c7N)QdEMKo1r!0%k0^!<pIHwWGPZg3wTS)lVrYAv`C%f`Xr=f`io5
zumWeI^vL0Ps0QFQWR*o;yEm%<C*|m9)DC}XX*d@Q=P<Atk7`(&n!-N<^Yy<L7Doqu
z^!?IknjGv=Ij)?X1I$?x7QG>0%2F$UJc8B*aP?10Eup3RziSZ(=@=r^N8*L}eoAX2
zR$ACkT~yX5Ltkq}GYELXUPF_CUYUN_?pN*`1EPP2HAsQlvrL9|;Ekx)p3Y)gB?}ec
zG%aRGWmaku_rpb6;~^r*{_7s8rK%2F6D0`>K!Rgh^NXpSjPFr=uC4-p3T$0TkoA|6
zT^Y#t|4l_-2fU=mAU-a`Sq!dl;4V%sP(^=CL@A`NWC`RV*<djZw5JC??~wd@ZmB_C
zTD47(JpN-vwiOPqkP@3x2&--S%d0FvO(>A`Cpj0R0?pEZPU2&9CDD#YA(Gnp#d~Ce
zBFTiZTS!%3HH0V-z*ExzY7Iq1E%pY};0HH1I4pI*<dFk@Jr~e=OF0hxTBAq`uvh-C
zzaL?|0Z<!21~NV-OBRbpUQBZG@pSp*&FKbEk}sAh;rjdEg9&7RcXui-oNRBdE_i#K
z9BF^1k`N<`ZxTR&XPcuV$fal<6r%5$KFTUSY>Zb_g8HtC+}q#K0FaJ!j06NY;4uH=
zlpm;>!4jMC?~iy=O<=YPrs<eScIagI%mFsHC+7vc4U-uV-)~1usIYvB#3ThoiZ!01
zYM7VjK4|Tx)&~0fVQPAjc&jIC1F#){W#%dE0)*`b*HGE?($^N;HCC`GFT7n3J>o}^
zp|`#4vb6I~P&sw0edGD8a0rYE#tx$tSr}kvrq<WjSJPBhRRxi5v70N|lbG$+L|drF
zXnj0Gd;9w(bKe_2eSf2@{=dQy0RcK>5z2kQ%VSnnn_rCr=fqMEw2$upg2CnF8aP;4
z4FDDOHKMj)JzQZ38;J+Il+Wx8O)c9+YF1V`%mehy-~+VM0^O>xWBJ#wD}dn&czfWV
z`fzu#yGkjo;_Q47gU<-AO_Ul@fJrslj%nme#PYwX$8W<kuy%Be<0B&{UwaKuGQm4u
z93iHp_v@^(cNP>jsLHY=fFY%>sv1V=64NGP@@58{7$znr5KY%RFc6+}4?1MUfqyyC
z0^uj~wP3Q3kBgHfqY|B`9{JPTTL{24z^4^S=#wTp3U!x$u^Dgl@8i$`eVz=h&PDMq
z;BW1+AATp3b3=*Tz}!Lilqf1TenE|ACqhLB`_J==os;v)_TmJ%LnuGBeJ}fGXEzKs
zTg<Y5xCdnaJY5kV4n&9&2!eg}?y&r**0|yzmG!rZ_7{7dOt60X6&<dv>xN0nK!<uz
zHbB%cAdrcOims(&S+hy-9)n2&6Bd51nJ_EzMc%cKDKbUm?VtcY6;%MhF!E9vctUmo
zIF{YT<GE2vG|=|#n_!fQhyxF}$TyLr0rnB~*O4Tdv>y|8etHoK9iE)TJ%8zk{$IIx
z8GvueN<rlcK`>}>{Y#S{{CG)Prg)%G_}^+@IIq2R=9jg<w8g%&M0Y1r@1*>%I3@%`
zsi}c(7M%PFT9+6^L}+;UCin;uQE}vdu&C!o)PO5vdprm6puVX|?h|w=Adyn|_tX>!
zp~lpJgg^?(-Tnh4=hw<QRIf^t`QN}1E@CSo5FjzpOF+wk4jXv6Tzrp2OBf)l9>HN%
zF)xTAup%A<bqsN0Rocnl&+lq~Zt}nX2zD<H76|k4RMAui%nCazhs@uy0%bKWCl$gc
zA(#FJ-=k&GN|_DtPn-;gq6_;mUT!KJJCuI;V!7Ej6NZ=;1%H=7#UIxFA0A<k3sug&
z6GmV!SIZlU?%m8}PHy45BvH=~CHi9T=?4d<ad~q^uBikZMj=K6hNU}rhy?#N#BV(i
zHV@J}^+WEfA!I_WE=wqG@OT?t?f`Lj`dxE+eT}N?;NY-YN~Da0((iyC&{yFEB>zoH
z<5pxH?soBMngGB}Xr1o>TKl}eR>}`xcyzl$YZ*F;pPm7O!J3+xuC5?6GfFs5qg-_9
zT-soyPZ}PG@CGfZFD)!83kc=?u(ZtTEkeV?2Y}<nF$@+{NqWvzSoDvrwb-yzpP|@C
z73+?%Y`P)dSO$%LjwIE<2O9%~;e1JdsCFMJnOPr01tyLLkmf^U+uLt}xZ*V<5~AhB
z-YjMk$Pa(K*+?Eij>e8bHAu_LOOX2lEP22?LKe1rkINetZsc|aSM<kC6@CUzHZ%_)
zF3<*RC8`dQhY)S>CjMZ~gF+X9y$7li$0F4xQnOKq=PoG4DHPc#{x$%HVP#4RPKOWu
zmn~mN4WlH&$BKyH@qFqfK;S6~6N#0%`-pH|*la?Pfzb!#-4|=}zMmod(F5?*USLWG
z-crqo+LmZxQbXia4rpqUzNiz6?#xkeB5(WH6Ip#{Q3<62KY1h;Y3Aj+4#nF;9LMLz
ze`AgfU{C{!TtL&W?|k{UHaR}_kaIO*CLI}v@B#ePeB<Jx;LP^m%r79XxK2m=7|WxT
z$lAF|=I*v@3N=0Cr~y2biV9ZwK8@jum^2sYBmk~>P`;Y96Fkk|pUCJ>0q-Xctjkr(
zyi^*gpa39@A`9ZB2zRb8O-3CDLwPv6&|021!0J!>3}3{cCIJr{@T4r=$|gVPX|sj{
z<W&<Sq0osr6{lGmeQRv&uO#lEP^=gqSL?t81$HgD8x3oCm6(JiN+W88xt-L>F*#F-
zwth~$5cfHoe<U`T4t+%P_$fCxcYUO^{a^X02$8BlhJ<_qRwy@eXyJrtBG5Ajj0=lq
zVi!Ux9+AsU*#>3WY72@~<%kqz)O-siDoTfe!oos$M3lk@I1aJ0>42#!5uCNyOeG9J
z<hz(J*)1<Gw<hG2=(i?}0k!+xJW>%;2zy>PRG0lVHHGTl>xf=sxo8~XIvoZZ`hPDZ
z%i_+IYr`OKSelowuP;@ph-B}AsAT$T@>}$2^atLqUfO85B>X(M1WI9?Cs=WI171Su
z2(YNxo=c_n7pil=a3^@%@!~C_)t&mm)pSA-ctL4KhiFvFf~j+-1J$OJ2KKoAN+B19
zr+A+_ZW_|2wtO0as@ptFPKla7>(nic*y#)6eifBCPWY*jg=7jJSYa<1X#g&4$cH1U
zA;k+kH8GL!!{v5<MQgmK>gtz@&OCS;5P&Nu^Sk9Ot{vcS&<|Mx4<R~14O?9u9l!!s
z4qipL=xd8(B};TKi(9~^i);f9B7JOJTPziKk@Cv_IvBU{V6+Qg<9}o|Pz&jpPVbDp
z_p5*(Mj?OE%K>%GOV~W>1Lz`X(cfqk;yp#p1uxAy90A{g{@b|C6i&8?B7!=7CN)G1
z42%c-$kLxBxZAh_GbKvNFr@I)ushtfZVxT5yLoo-gp-*)HPjNd%hXacG8D@H(dLhn
z7n00KiV=QU$GW?MdL;5~6^Dp{;t8<`w+%R8^3&}{ejI&UhF-FDF)#dQnPs-Lr(c*F
zwMC@7>v}W%v)2;;%MX*66FxFfmN&mR&BR$}?H>9=!5cKH^qj8`nX#6qEF<@Ln9u-`
zZCvP^{mGKoj<l6sE5EyuE{gh(hIW_1Wy`Z%WDQ-?J%K0r*Fg34!F%AL_~sFYrG<#E
zX4mGe;vUJs_sU7zGa>)%L+89fKLUarP`MI=d}E)`vNT@4zQl|LUUvZ!fef&78QnGP
zI?!*x-_lA2CFm}yH&8(WZh&u18{L0*o>0{F*yzlNi^uoH@a%*LtE;J4QF~cRv{bGl
zL{lNaIz^RcT)F_1w=)Rw|E(sc#FUgypmTC^dR4H!CN6rZud6#dJv~4*a6ix&Z%ka0
ztQp4^IDY#$75yH!w_oay<DU6ICzdOD_SQjxZP4mAMH&7E{w`VSKB4hu&+W*b;$NQp
zw`D|u(li~vuklwm!~ftbtgJ22d`jZ5r{EcyU<aw72zRe1_u`iZJW1oJbv`oEd+CTY
zPN{#yr?1i4$_y+=d$;FfOb^uXw3@(s0h%V|jBry@$Jkr(rsO6~fek!{@b^|(Z!Y=>
zsy{NI$_V}(iVj6=sGv;x`Oasy&YX7abYpm9q%;QybjlanUS|J09M2}O=;o3$)6b-m
zNe*!A?=A%|`lybxOHCPJ8|?pikQz20XuB@t8_I~{$g~TUkX+d1@=HbqOxwCu(+n&L
z?lMe&H7CrHCp?SyON}zm-8#~y%(hFgt?%#;v())Iwr%}t|AU1ILxDdN#N*WrDKuJa
zMagqM-Sf3>s)$g=@hd!P$~B+Xuz&n?TFrUm0)#v0c@u6a_>-sXpLpv^S`Ytpl79CF
z&GQ3eFJ5B57w4IzzPuq2l`MM>J`m}IA4cuzd(Z9wpFl9)eay&+`~(q}1onRaV0E^^
zHFkm);MoYX#*oxL!^)qK(-E;-!|h9x3VI8-r}?8c2=Bt3_-*?zr7;p2Pi;<#>Joy7
zGh$=yU4m;}y+iuPmD=fRToY}nN@qXgrL|D)yl#L`o7UJ#Xa0$E=@C8}X&Zw15A7@M
zw6TrT&bT_?7kU~e%a<f4Lm2HY-$74_@8*BZK`vy7I;LOTqbv)sb-Nalsvw6W=6{65
zAka&=&d|cIYG%!p11W58)&HJ>rTMBZ?Ois1;BUaJeh>67FgIW-RKnd<Zb?TG>AlVY
z!p1L1%>s^}CFHAP^Ity=9|GH!haxg+YT&?XBG3;`eTVm<7_g(NT7sYYXD;O~-}y3Q
ze%}<77YnvXNH4N176C+;EE%Hsj>2n^7u3JIFFE)21{Y+Hvvru!Ohl3KabXf0H5!u3
z8#xX`k4dJ}Vp@_ly<3xq=X))-2-D8%aT1BnGuh1J=AHJ6n@jCK_KhN?yg-Wdq<DM}
zvZ5OMU&lr965OJKDrou8kV=PfwPHbYGe8W!0slY4tiUVOR|#*(7Osx}Ci51c46swT
z`E-Z!bZMg^X|DX8nMr?wBZ)OOFzD@L#3A5jWnCrgW0w~`ovOs8MPbX6@cp>NKthWg
zX8dpN;3f<tXs2yG29WfXwX<K<Lo+b3gISg+CKg-zOvMz;G(iMk8c_=<*dAZ@6)DrY
zMd7-z`T%R6OsW2tL<s-vTsLC&Ypr6xujqo?)dCK)aMHuorR;@=%;nz{lj>FHG413Q
zUiBQQ)?dpX-u{_G+(do&y#nf@1k5r#e_ZCvtjw+VPi~@|x@`BJ>!kqa%Kn2le7~|^
z{q!$UJ-AnYTUp--=nRp8%|oct1)=Y2OQA}X0q4vYyGBV~RTQ)<s-CTSi4cIz_r@+f
z+@8Cmbb?A|a^xW?(u91$%Ekuv2*8k@0Yk!_B>H4EVSe5K%L-T@F)AftVPb}tM@L6*
za{q^lO%Wl$d&B4lY_iVI&v`X~E)XFjWd^9Jz>BeWe4L!(`|Nrwv0BaAAr#a{sv|$6
z`6CMZ2ZokBQaZb?7#aijmID0lcN8={S#>medh}2zVri;|-?1cpWQwZa@%PE=@rmza
zFPP}1rFqUDaK;V}#&Z@H+Wnu5-@DqrSnSsmh^}?R)CXunje?Dxo!z?CJ)j6ES~kCU
z@=jw---MlC%uGxv(M&cqHZrT{dOmkTYOKVSXiI-I^zZyzgo&`ZUHEzm=E^)*p<gmZ
zhB`XdL@cmp2<*SP+=R05jIp!+sa(qX=oS4;X}rCb=ImKLe;ToNwdT=HC2(8vtLhp1
zS0}!ijWy+0agSfUPTf^~x5ACeCtjL~?M{kc{|cLL%|KL0W4%@vQY6M++y_a%cQMt8
zwO0Om3BrTKuPobJCh_k=5W%yLJkM@yJi9;c2?i7ChrfXzz~&kb=L*{%(93_YISt0(
z1KrTj9uNV6h2+-${y!fwuo9spBP%4knAVgEHCn}cVo}S60$3n~$N}A6Vi0Zf;pzT3
zh6qq>M0&7+^&1RYRDs!nzyv(kEYcbpPRGglL$yy_?d_w-6mC#is72f?_GT*Q<BVct
zYL<$jR7wTqED5WRuyYeE+x=OpJ67;kcrg4Th`>eZtR5Y#s^5}|hiDf4$efDaLPM_P
zd403#0UoC%#}+P|v5QS@%7e_?8a?sUv<G+vqn1TSeNK&-vOJ02CMfDH!gYrI_tG?7
z=3Nw<l_g5OvlR)^Q3)xTi_w-C4mWbi9@oF<w1fILDE5X(b|%R$Jz`&ag#XCwyeXr+
zvn7k%GL+9+MBXyIv;Q<{Ds@ovMaxn5wWBXA*}CVpqV9y{dUwcO_o!9%bC*`aW_x)p
z)czqD^<jroC50$3f-i?;^;6Mw&)!)PuqKP2KhPg|uU5|;u5|shK9>I<etOlHz955!
zfknPMI6=t$K@*_S1V7#GL`6jbzzTR*nR|I%0`5u(+V=J~XmZ>=Jnq3<5+5HgC@2V=
z;cysaCV+u3F){HPNrXEvpVX9k)X~?^x<x9<g9PRVE*uQT5`tB83?Cht&dl6g0lz(t
z2uhB~Sgm;vjdSVOuSt43Iy!J_6*#T{BZ@{9h$G}s1tgopAEf3s=3=uI&jwrIXh-D0
z3!vQ9uUT)zqzvg5Bn`Gezm71-Dp6d+8y`;w6n2AU7l19|{(9izE-Wl$TLN(1&VSJa
zEz7mKxEKL8uyW}e0g)(!TBRk%`9~lTzC>?8s3ocn3-x=vob&SZOhME)_}R1X(PQ)u
z*;w>WfIcC|p?ID>%4DT9zVoBq+?Wrw4jomP9~Bpa<OSa(cH@8j-iC26Hs@@ue80Un
zP9dSJDxs43^V2J%R+b}rdn$kGZajy>oITSpnd6QY0~5U}SM{z1Vrr>7PhvzGSXh@l
zGl%vv5mG*{pyo4$S^a8ntomoQ(=KJ@e@Amu?~2rP1La<{MP-)PVloq+Ba}d#qLZI)
z!_DeOgX=UIFD$DQEtKspglD%r9wKQOh@rzAjZnqEx(a6<n>BwLR;j8B)uwxO&O?a!
zc~CLXUZ_9tCn7eghXG$}OzLeHifb+0(Q9j|$BGa7*^$@nPznFzi_VFq!CV>I;d&GQ
z)pX6MO7o5v{&PDS$xJeA6QQEQ5APf9i2@%y64qaKJ+oclZy--hiY%=%9j~u{%*>36
zJw0sw8z%Z1MLx{K2sk%`z878&Y(U`BX@ei|0}x%?uxNNJ-~wm>c2Ql|jqnrBWImi{
zM!{D}X&4+cM2OpC0zZB4kDos=L;>TIQ858JJ^hlEReBm=MNJJ2w<iO*`d>|AYeiCv
z^+T9u{tr=K9TnyGeN9P8NOyO4NlJH!bhjW#N_TfjgLEie(j8LLQX<`5Lk$S;_4EC$
z_5RCRvv}stb5HEE_dYZ8^W;3%Xxd3IIdQ<#4|H|6L)?`v5HIh(uVx4YZ2GhlRQm^*
zCB88kuCIK=qV)#-5yL)V-dCdeTuU1|=mFPHxbLQlX4YH%A*AZ!E`S9vhAQ!1GKKfZ
zc%x_z5WjB1cE(e^u(8`|pEZ)yws&^S@@rF`70l%Qof7dY{&3h^g#oZ$4(%5JIpE>p
zlm4-2<^XPl{DMODeNvGcPM>q4fQC5+#tWV%Ep6GK*5x&HcgisGiSSNeTL=s?67`rU
zUoH1x>vFg244dXq*%!pkQ)|h}3mFYPetw-C{Yh&A6C2I~xg$tLH$An$RZV_fDn@9u
zeCkA<EvNuhJ99+^g=JA(9j!`tIgnkwj*dIbFC9O$_`VVKZ$i~b_}9q99R1`43DmGJ
z*!n3Cq514Q`rWn=Sn9hmf8kCUh^;-?H=1rum~2tt;t<i5jcD~nd8^0mWrowFtTy*D
zLU=T+-tLB%s_g0OhsODGBXwlerkJ0u*CU*_<NWEj&v*0OP|uP~7(Z-gc-fz)3p-Lw
z(7WA?S|sDHrEnCh+z`3d=bo3g_j5zo!hU>S3lVHZg@sP&315SFC#*|KN&;iSPQprm
z5NwW*lvcfus+_leY)GR*?su~t0r&`J4r=)`AZ`N}$iv;;aGdoNCQYYgB;9;!Uf?##
zvmvM8tcal0`wY-5kW~19z2uF<T_ls>U-Q{=t%_Hv0Puk8dh=6K3Wla}bA25KF2uld
zc4kJ>fbsdDEU(b9a<8y<bb9XqrRWCy$IZkLvq7v!xp3^E8Nguvht?xu_&%I8bHQgA
z`<#3SR3^XkUL=@3U`0uT28x38bS1UnssrXyF?woi&QdYbYU9q=TwGZDU{*q|O_qmB
zD_y4_hX8qFWQbsCWyPnni-I!Fb!l+|2-fN({PsPAs6JbSeKtiP>k0n5Bo`o3f_Mv(
zB3|Ij3P%5AgI9{?i5K5MqihIxgd3U~8q)wdMA?>qDH=Ov5HF?@6^5`uA8pzfog#mV
znq51QFQLC%J;yKKO!-KYxXhqqh^#o4h=)WSi1(IdWG>J?k5!T66@OjT&w=?8b2MuE
zq}_$tXcjd><4ZLr*tV%`j(5Mh8%gmDtOT^BAz00$(md-bd$Q*m@B;G`mc8qIbj_Y2
z$##-&@Sw_Lb?9(4J$Pb!0xwA_rIPo*W4MHVgn5{`8e3rgCb#o$O21EqY`RukCazW?
z!HS=1=;Pf7{Rg|%^Le*(CA`<O@|El=jo5ynNXEDDiR!z#5$cqLnVHa1;?P}vS$ts`
zeBnE5!;7&F)ZfUXjRV?0L|v?dOLU^A$Kf6_-YzV1CrptFQ%35P+kQR~i(iQlgMR^W
z#-G~rmWbCgP17>hIzL~7cKwmUPTL@VYr6N@;W*V6`D%nWlI8l&c|aiV7K*^Y-0E5+
zSm;2x+ti9=EWh5zAs~=mwdsq23jA|=h0tyD5z~g{;t2)KEi9B271dudxZ@%U6`)l&
z0?TWSmki3<bZl&KTD^1J?RW^V#kvL(r1-IcZ;roPr9?<Ukorb&dV}Yzb^y$+n=?K#
zk`$1cg>p~oms`%u%gb5c6BAQ!q7pFL*9b4x{rvPGc&HBgbnD67xT)&ON;DXgI`cut
z?!Wv1-zOLK?x6IQ5gn!62C&HUKcHC(^O)y602Fl@rHmaeJBr$5)dTHfRZAa~-_z02
z{W@9gY!3?y<84-vDRbfx?cGDq=2UNK@&u`FIu3B5*5AUze+NoX&Qaib`ER176b-z9
z3nCVUQ-V0l?>rZO{~mq5wx+3*twVtJP|e)IG_3g{D4C6%K^wp6%D2Rb-9<<wa3)a3
zHL$89hA%1;Niqf^xHws}VWGa`O)Pwkt*NM*<xL}=m-roOOfj+iLUsfjwTPYFUrk8%
z=Fy_LREOEFw_zU^WgX6?R$4(YlqyJz3rWchD{P2y|HM@u?p@TNI#xKsV~=jvdsZBS
zOp0Q?ybYo#(I0ODJ}ejXn=8=PS43*MS-X&(kZbG7%&QeAeLL{?d8EfvUdzgQeFMb^
zrz^`59N7M2o48tTj$WrPBUy#Bi-9bR7c9`wvgy3cXMv1TL21$SP5(!FzU7zoXcUE5
z5;CVnse%LvDrzb9`H|Z9mavp0nbQo0L<@eiaegyszB3$9t3#TIE(nb;U&H%+^tAI4
zUX;;>V)4UVuv7vOweEa`v*c!RZHLD3wn(k4`K(aQvrbbtS5s1EN{z?6`!b1^dq|*g
zz{vA?WHI|`J_Ds3jp%yCLhRh`^cRvD&hl?KC?{i3EpxXe3Kx1EuM-jkX4Fh|G4EsV
zB0a0jUST4Qbv;6wIU5(w(+&q8NmYGcA%z#!=b}kXJVbUz#;?FZoDc%y=-|KrWdxbO
zy#I_y7f_VV^!D}wf|Hpuv@Fm6H2~gvNVBs(;2y`06jWD>Id4j9AMK=@7`M57^Sr8^
z7O{X+8tLA(2gNdBLYo9j8qHb-eke#}7%)t~z_5t@E>LSAnT}lUCkk!ppfBsnpFi|!
zxv}oTpAHdFL5(MOR4MV<Je>omJ&py4seD!EEA>J?;M(JTX>i8ZS<)ent^gd+;~SEP
z)`SSWM<<A_B%#rC@hqvK5<J(Yn;|?`9Gi<O%LwhZwW^9WTilLmSdXF$yT}S}0U8Bn
z=uM+{{TiKfOP}6Z%G+&wesr=Xoq%uEY=kciu8!oHsa&<<!cV4VA*$?@2!CKAcB4{t
zs4qKR4~$-Io5H==<;!pLa|ydY$q|%PU*Y=((bxUxhCYbVD6F{AS2v}f?(5RavLu|a
zF8LibR70(^)#g|3ZTD8nTU1A(;4r*7TGQ&%R3w|(ry*>YzwVjN%6bx1C3NeN!Or`a
zN?lm!1B|@0{3UQI@NcFz40dRV2zEm6taS?anntwtq#6njOL&X$a>R`<(4yabDz2`N
z@4C}`r_`r3LT1)IgW}wx>2hLS>LI2;%{xoUytU_$1?7@q;&ZcMI1%xhxyASao4y)h
zSX6c_97FakoPeGxh`i4UH%po#92q3@REHnR#T1E(^3^JatseH@5<0@Hg}nx{joh_w
zyQCc9f_(N}t4S@Mk6E7d7WytLAK%s>h1iC2FoeRo?Z>4VLaV}4K3U##@&-Ll`LYO_
z8JV9%+orUNUj?~~Lp$!`2gFx}L?#bp?|{jGkFnc~YE=vZv;$f<(06-?Ior*P@(YEz
z77iMUyO`mbb8zEcw(8f_$BU1ca(8zJNPFMDB1@@;X$G~o3$qIky1p!~sv4&jFc@r=
z2Tb|tLYdUmR92wcbsbG%0^IY(0T)8(x;I+-z_3{+W{R$|C9Z~fK9&Gg1j>Qzlb$lJ
zKwW4DajK)$t#pA1Xy2IKk)4l0ySFHs3gAzEZ|7o%FeyAjLP6ke#fucIS8s_Tc?pk6
z^(Dcj0eyO9X2zv26lI^27sx(HNU~+EGPb9YlyD_h0K8GRkfWD5U(wOw3u@2zSh#S=
z{d*f&Ie$3J&Pqfrg_K(ch+exf%KqE00TMY(hN3_tqZfmWj7&O*2_k2~B$&^^@PYLO
zn@$3D$abM(iyScX07i6DG#A38yW7~G4draR43{DEt3dpNlcXc;dUnt{R9!vA|HtO|
zwbc;Hts(IO$Gvpis@wann`^yt9h=jIIL2~JR(h$FxbBt0_J^GNFW&W+S!c4#p=)Zo
zKHD=7qCH_BG{Sh|GuhhKt2dKi1Y5KucPU!AZP#|J%1&e*1j|1X#M*8fDV8$YISM*9
zOAnd<-Wco7<9t_#{$w!gdDzP`dy}Ke>HxzSyX?q)5V~Cd`DRQ__p!rRWtk<u5Rb~I
z`nB30FT1enYd0AO2!0B@i+-iIb!zoa><YtoGGF-U;bOl%f;?wE_upoHZ8SP$aO)0x
zamzRu*)?;ny6$~Wzf{K^5LNdb44tnbCqs{RQ8q7#zTfYc^P~mXW}B<YIcQ%ivyW15
zd&*yMMDI;8lGN+Zz{o1Ff4uv&MRkUXEi+90eXN_JEwHrg<k!2Y=9o%`m%rGrmx{Th
zW?5Ul&i_@N$QU1@M!1o5r3!uQP#E7*Wg@JuH@;)x++d`H^w!=a?pwS$kdw&E4r@Xr
zKcsoy7k+<8u%>o;|2IV~!#3-f3o_-s<2n+Tc*O`m8ido0M)S-n#i_1d%H)HOSPCLN
z0z~~8hHT>$qtiCU0WU+TdyS}~%XR^Nw#vSL5?Ye2=tE7Jq?3i!t}&pU<mn4RQMrg5
z_Gs$*h6I`Rm{YArA>-O>|Cs02a_W50ZXyl`MIg|F_Y1zPjQjJ+*k^Ch(I-Gp(_m0F
z+~40H*gb=m_cKZw7|8-op^ZUZsA`^ACy;ksDB{@^#}IH(r^V>30Ml^^3jE7Vig2;B
zj;je!`X=^we3z|sGB(cDePJWhI2?&&KvicHxg)_Ccm#N-_HOiYcdl-38P`MxVf8c8
zMH9&1OJ3+RrR?ory`vL%DkvyGjzdn23>JhTT;nIz+Z|n7dj<ljeppbRvnIs!3tjbM
zKLkn_DWoMQ18)lcpYV62BA&H?wd)q59Cr$hL^0H=9q30T@960G$M6k;K3+}6#l{ws
zkQ<n<Q378gkf92qbWHrNfxzZ+GJJ`lNnxcs+nk!2*$#lQPLV-bytc{B&CR~9>NJp`
z#Bhn|nd=BFW*3NUNss7KXyq)wvHv5pE|M)B%`FH1SzQ%9Ir{b<pInti^wQs06{!1I
z<FzABeLs&Y#NThgrFPiGZ$Sma!+r4wSuHBu?fQE*VT;zW>k02MC#&X`_mWM<jZa%s
zR`1jX@w~){+GJ+ygYU3r0!l8$EIhV-ur9|HOZdF48DTOA>rTHWot>ab`U{!=9itk<
z-SCeJH<?Hv;nV10WwqMRl7jsN5kr4v*ErJ}0;~7l>XfSUoA4(|W~OSU!?g@|2y-BO
z9#=v}Wek5VW5+cA>CxQboBLnOaU$GKb5D!Rrh0!lmem$@aALS;e3qz6j#e*1X<yZE
z56pG{s(~qwk4RJd;~Kwm9mIL<tcRbe$>TQef84j^$!%J~><;V9R31voQwvMGG-!>k
zGlhyTdz@G|OMx^|jPjjxVt?7t%1A}Y5shp=B3F@f?IQ1(?{vN>!3INy;*8WaTnvRT
zw*up5QV0FL&+Q+pb{kgBoO<cnv3NPh9gszguhe)FSlwH+4snfki8VLk>4tx>3?l!;
z%5uar`beR(Lu_;!*=Q1u!dlrw-!{NjFvC$gD%`O+$S@+($^SS&H^|lSK)(QmD=1|7
zVqR`k#7x?&yf5JyMJDp6IzJOPME|eY6ae7znrZznnhJ#6heMwe4YM<_&o&w!Iv_#Y
z)}?aN-x?g_qjXBC{Fa2a^d&PHd=`*GBGfuL!>@ZN5B5j>nTX8GKGN<>jL}gxr7DOa
zp>WLtuGStq5E+_1h|W<kPA!715mkkS!HsEY^8kWOAf4yBpZ&JTI183b0K2RYIfq~w
zR^Jor%S`k3mOz_~K9|~1eL<mS)?fc{r~yO_Nqv!RV4p9zO88L%UOvZ4tP60x!H_XT
z>LqZI%k=Z1$N504^pm7c{PyKNBTaW|>JYYlb$R(H`4nJ;k(n9mONNV8M#;K1w}xlo
zq6(Bp_QJB~51w^D8=II=%qBVb@kVVW1eqr^8~fi|`Q9ihDo*7*#>YhAzx#AH=@UgE
zZ`j_$fWiLAp<65Q#K;N3YVQqgl2&NYX8<>Nwu5unW2iMHQCjk>H|Hu=)*i9l)9N#9
zHZL2BMhq3afNiGSPWu3U#@d9C{T7dZHuprZu;E+!(*>k`TzIz$VTY#ft#>lkr*rUH
z0}F{71_@rT>LKN4Vz;4AlKv}2olnUXUcO;g((`ePg}ny6slKkFC`2v0Uu~@U-XmK5
zV9M+C=6O*Ws5ap^x~H~^48#8T^?m+!68td?qvyNiGl2uBPO=f=#4Lu%wAxp$n29Ep
zZy6<4*UPp(>JvF3HmT!qQvnifw(^g+W4BDJ$gZmFNHH+GFbW?kEq3=8`|#RM43zwT
z`}VO^F_vb<{wdgzkK~%NDQUC8U-5&P{k~p|Me;6)gSpqr!XtMC$C?7pj?K1b$IJ8M
z_<2?N1aicV<pAO}dfURu=B1;6I&pvCqD)ELpVAFB5jO+ZQS~=#7#KlfoX5w9pTiA4
zp-n4P&WLA3*i7#aoo}2%@2s<DN!T*2qvpEA$L|i?xhVFMGlcQ{QM8PM?`hM#%1u@Z
ztvW;t2DbL^<Mtfl0T})9M;6wy8tauxJ<51Pr{4PyewvOO@pa<k2d$oao@EA5V6eg2
zey;SgS^3fIlA%F6p=Gy}NaxV?$MN}t$tS<tnDlt#Kbx;UX<YoOe>ovH^t|$%mEi4L
zvd0yovW0(3-no8613hxYUu<A-t}4iTn2LA`(~*z1(5<ctD6P|hY8~?-AMa(Z&D8KJ
zyTaMt?@V{w-;VG@l-qF)c5nKJ9mO6VEzrJrrhTpG*GQgl+SsN_ZHW$j{1(0w*~i=z
z{X#dm05k1YCm`Rc?l;g_{~L2E3j#u74$R8R%J}%W4FF$!ZjKup8v%~Tq2Kr(5dT`Z
z2{>+g@LLq6@pM0Z;$xRf2dY$HAcKNK59qyt5v#seDm*+5fPT+m)P{TC(lii7P-hAl
zg+HZ^!oF<oUroMjKz07xFe!F4RR9m;1=Nxk7cGRJC;0jQ$Tz&P8I$eP)+U5Ap(*Xd
zYqXmy-`=)NTg%CETO_u!v0-6mHouV=9UaZ6*@u5%e!+DkUY~U|2as)8^hG{az>iv7
zjS3rlV=CFz5=A#a=e@ta&gp)v+tOF&2FQR3z9!`g)8STqa%4zwMWNvXd8xfYKcezA
zA}I9UhZRl2(`Ktj&Qnf-yODR>^@S#1&B@=W`&0P>N#tAU9f2d&N->89<7Ll~>Wle?
zA4B8EK?Dzmvt^7%@G0t$X;*y*_alC)ms;q@+#jxKxCzKQqrZ0VcZ_{p2<6P56ze34
zsIF?=?@}Bx|K2q6d)69}YY;XxcF|2luo;^zSgG`E?o-$2h}Ia$wozLf#v6G|t(M~5
zY)oCIp|X~EG~Ixik_>x3rw6ZvOc?^B^xP(0*9n&cA|AZkW!wym9N4yA5_t?$vsY>L
z=b;yiMr~V7A2MaP;mi3~BaK`p@Tjm}bg%#d2eC2HAlG-xJACvAZ}YdR{<<};4Uwl}
z`i-&5B;WPeaQAVvh1_q21XJSh{cK;C=O6B&N1Q0h<5R&Nl#qNvFFT$6>l|_F-z=O@
zk-h&1aEf69oI@)Gy|ku>$&bS(#hIz=4Az{Nza8x}kn*pi1z|Gf%-|h9Qk_CAGreuH
zxFIOY%`K^W*Ec#}_8hZPmR^x-9+DgHOS4TLxOXiGn|Ne2n0vZ^x*Gyl<UnO4^hF4P
z{TFsGEpEr1Un$|QVrm<bZ)yF8{OcdKNBy_NAM*ni@^N*#5%xT~ylf#kPd;kZM51Mm
zL#NmgQ)9nnALwf2>3@<{Tlk(A_lk{-C3A##2!9+gy+vpUI|>NvPmOMPTIG|P(W_Vc
z@X0MKTL;4rC-Vsf+F3a}oF$zXDBV6q`XLtPukjGtY>SH{ppI|dyc-I%ho&Wfgmvy=
zyinT!W-h1KgJocS9$NYPTX{kFsKG4lA~^e0(R1&`cCp5~aKvAdxEb75(Iq8x)p0{{
zBuI_`@$Ox!0egY|k!@35!SJz1>K{}H#_t+f43_ynh0i*89Deh@LvYbEFz7z-d+F}(
zE;zT<*zJ4ol8?<!@B9PgHG%!@s^(Qi1qINye7&Q#Jql9=K)Loi4Gl9>(|<y}8&xiB
zpv$kT6Z|%_MN2`Ggikk)om*!9(TqHwy%C_RV9(RfvY`&)nVdzm9_*Cxk?8!VIUN%(
zAD>&mRuh#gQu`Qfnh*AZ0dy)tC_14Ru(WHlQc`GFSR<V?++^tIOTc<R&@UCdmOTI;
z9K?esRPE})dF$lF$sRJb0lw4p+8RZkmm!R(7!7y99;u)HH|`C(H50r>Ri8nsAd9nH
zjlXlF{jzh?JW;;gDtl>82FQ>^<_^2hvXRM}m$+6mPMDH+moHC`RA?^hez~=@{+O~D
z@p@3|N`b-8snc|e8Derh?BaPK#gRgO1B8q&!4#9s+~DJ;vP9ZRLZIzB8m27{663ka
z72d)|#H6_~Uf#*bp=#VTegmzUMy{Y!EX{Row0}f_wJ*^4^`cn@P(t-hlN2RgNcNRx
z-%qG{zI;gkE~nvAr6<UUjvMw7-Y?u?1~SGR^NqgSeil$K+Qlk<iEuNGn<7nmujMvg
z(TaRUNRRvDM=o?c*%GL7jtL=Zl^Ji1Z3@2JXJ#Xk5;G_v*H<9LRt#7z4I!VA{S?<^
z*!aUgb#7WbUdp_vI<=3;6%y2CV63)w(;G`5o{1SI7Kr$4uX*OSmB?z4o^74HKpWFM
z-m&TZc5-)^=t#=O0dozx^*GP;SrId8H}y+F)D4+&%FmozB}FZ1ZK<F8wjtejU2@7%
zHAdTWA>P8~my%Z_WJ8HZFvK5BimuZ1lhbL_a-l-s>uh(DycZIn1Nw_dNAP~EqSe;#
z)}CBvm1`%^9YY2VYYhhd879u^oV!zuaK0E&T+OzuT3BOvT0+dkEwNHe36dScuzF4(
zEHj2u?-i#R28Ade!Z}$X6@DGu=oX5iFCh0VL0wGj9Iv}vq#pLo%iefFycTh2?8Y;B
zkd$Y^Y+xN@LW!Q99uQ_1z(U4<s@5DAKoCPjCq`(_F9cjkuICo90p@CJ$CWlMeSKg<
zJqY-Z)D(LofWi(R%kS_zG`XhpMqg4APW8+*39!$v&(`uf2_fpi6!Bt{p-z;8T!U0g
zO%5bJEg|yv8xa%}Ib2tuVFB0`a;6|N@@gU2hBlEa8bfq`ImS`+2*&YUu6wFK$+^zQ
zy4B~yB^`JAn+gi39;owxyc;mzFBB#*ch?pcJiyp{^A<a(?VPCp8iAdlmI-utV9{Y-
zbZ{^nn!LLD)WK{S$f_?C`@e4TMCnbOevj^ykyLI@T~8!?nI=K8nA9gxm)DB*QY3yo
zv`DR?k1AETJd!Xh^tfvqQc;-egMLv#J9bU#<M@l0k^0SgLe-FmzFa807Rr+Q$aS&>
z^5!j7b8KGomv$pHs@=1()ruM~i`75OG~&mCLgvphxIKrl7SQ&bqGS|}?hWzxpGzJ1
zS`{K~->z_f{~$1}C`wdk+|N^hz+g++hdcOrcSC^^&2&CC#O7Lr28Nd=<tN~wZfGd*
zH0ur~EO~LIzp4=q^V1<0&8AIMLD$RwXqjvn0#Pn$_<hsM2!p@$sn?}Oi}N++>I}-*
zv(*ZaAoQi>d}73g?rO@&I*Jly8Q_`7_-l#m$w$ht-MhpcdP_~hNZxw?-e57{Sj@jF
zhn0bE+F!!Md5{bqJ#D4^9v^C{gQ-`uiSqkOUe9L~W2OI&F!i(Je0dlyR=P0VUw+$6
ztr=x2ob(q%)#fRIDuQP)6nhji3*S*-g0!@h&Y&X1(4JZa&(=lC@&Uc)9|{UKBNd|0
zS2GOB3*L&xf2C)xc}AvVmX9Cf0;S{4(%BbD(>fTrJlb(H&+v_o=RWiZcTbQbMmooF
zueo>*MiRkCs5}%*4o@22%Wo3-(NIorv}@#bK%IwLD@wDx4drVv)GAO#J-wy&JZQU`
z9g9=K(4f~>SUlbEGA~Mm|NL}$?cnQlx@O^@`*;#*yViZttE9v~8CQLtzfaR~_Y=C7
z!xtik!Iqz3Gw&KAb{rbc!&%MdjEyKunX_>S0m@W~G(gAqy&4zzOs@imNA>RCga8o!
z0FR`SeQ`eoQ%vIVcZU~Gwe=)01lD{_3XF7!cYqmul=}YG)@-Mb$4#`1n;Y*VsMZ><
zS8&3Z69UEL#U%~YOeU9%D3JT3X~s`yVOZhd;opd42;`$me;{5x!x;-WC`ku0*N<jq
zy<OOf<chg{1(Fd3V0$63+#oaM0#m*+A@LsfI}sqLwfXf`<Bk%RiPK|gofrE@IUu+0
z(>`4B+WH9<EUOjny;pjQq@}0d>`!=t(XES8Xgkpe`{)X>)fOzSFNzK-|B&y&ja~jm
zWTKnV$f(#NV3_azVO(E8aethAXgit6$8C?a<#DZFhkybY!D+yHpEJ{H;;N1>`Qs)T
zk8q!V{cd6wa(;dkJZ^1K1J}E;#&FHo>9~V4ii(O@y@fZ)s@@8HAa^ioH_eCHx0%PN
z%1?RwtMAZ6PEB~I7}ijNBnBgo8`7DHqBvE%WQyA*x!@gtxr8D-sW&v==U^r(bmVID
zsJe0=!7;v4(Qs976zimEcR|&8h0*n%J>k`Dao>{S>u$2w&*CZ}w(ao-(#3G)H+l$_
z;tsF~L18+{w#)CfE?G30M+{45#X@zpK5r=QP2Ue@EikZ{<hY)1R+)P@AGqlDMzZPi
zVCH>k*&8VKD=Yn|!{>sjz$#az8T5VInorO9kNs(G!?PwAVM%_`CSlZy!Z+$?(T^hb
zG2uprT{_-7!{fx$aE66fW}x=VvRGB1>!G~4o{9^;>Muw*9~>213U6jHbSE{s&J&=U
zND>e+cj$Cn_LMaclp`L%y=N@13fS7hxCk@OPIzqopcWMnttlTLqLzHGbf$o-B@jmI
z4d7zS^*dwcJr5EgBT_DlsrEH@l*#i*7D#*QmY-z6Gq^3Zj*3lWMrnE^d^S5Ad1$_(
zU7VcT@i<d<{nIiiTD|W#1G3AW_KZfNja(<Q$c3FX^e&UPzvj-IxNtx|{~aed3UGC&
zfTA5kcDs@M7NgkN*w7(hdKyIM0$x3*)YF|EK={JP!h)S&>hgO4<9nbBavqOupcu_Z
zG5isd2qtt+_uc@B3Jpa79!2(-=jT22p0jgvgWp!c4pqM-Uj1IH;);q7N9_!#S^#|q
zf|1=R8<1iC?@mxad9h{n-ue29SoZ)ode9o(j2!%Fbp@!N8f0>dLJ<^OU};^Sq1U6+
zle+mhpwA5c_^~PV!O}7`VG2}i&gif~J6!55sAg*xuyy*+`4|*pu}64r?JBR~8A$!I
zUWIG(rUg~Jyy^UrN?RN+jf|Q6>Q{v0G;(=CLbKCBpp~?{mL-1}dF5tN7#(XvZMiaK
zZsj4=ZYI#zR1Q}4wlB{i9W^0sooLVBa+T>@%ozJ5yQ3*bPl)&^f(|EcNS)R$k!7Hp
zH{GWUZ6!&bm<?Erjn<|hdh?hgntH_z9NTx6<mxZ*^o-u2jWHunFpc6f_c5SS_I8E7
zLLrRSLRN>nspp`va6br7Pi`snK4yxeWmH$=W>HY&Q@~>_%G#bwo@x7?9R3>Dlovi`
ztO`|ut>cS{jE7=m_j*G{W%;Hzsv6FX(bV~v#1UcV-y5!3OhYLdNPz-hl$a?pW#8ZZ
ztuMB!tyDv_g}=NWDa3D~8~vft`Rn$}iKOj;%40qDF~wPdBUf@5gcmZ}J5_bA&|9M0
zk(0}wNNf)a6QhwaY$ePPBfD%mBiiYE<4p7<6uN@v+nt!LUCbyJj5e(IPAroQRs6J_
z{J!&-C@W$|DTYK(JGG~?=}*bpcs4r@v<J)@?bU=@yJT4hFZh9A`)r9;teyR4ami1D
zg2geUR-|nGk)&5hdtY`e;OJ?1f9vxSH?%Qxk?6pg+*4FNkle6BNrzlEl2v!J5hd+#
zx%n&_k45*XAJyj<Ei|w#acTb=g%=8#2`-R(hA?MG+JkVL-9*#3fKwAZRdS>zb16lY
zm!@OzMwUeJQLJu=;NKukpU~7gm=hhyd~gi9Yc*K#Cc=tM5}5RzB-EA`(WhYQgUX5b
zeV8RsgGde!)eX<pHJQ-)=RRo-hiXjq(zjHUG*qW~mm$Za@+}&x1*j_BUB0hW-!?a)
zjnn^mzp^$GZ03zB&KSf$6?BN0X;XlPN<$$l%<-UY^&8u0iVxC|%)73M)c^V<j&g$|
z{~(UtuCYI5u}AAP%yOXoZ*%>qdUr>8kh{`v%tMWHR@8Qc=f-E{bB+`8)N>QjZ#X{?
zhpn=7h1@IjC5fU&E6BQ@zIwUveXS4@#f5rW83d9%y3`=;EOq>D*eVXA*<|j7clo)v
zaAiuQbqocK;&Z#5zMb9x3x$$(HJM+-08i<tPx`6LNCkGDr<_ViKV_<eT>!bjA3leB
zc?A!JvpNc4xy;V{lb9=hRsM@<(GNb5FI`49Rm6Gv1WyN33((k;18l3Jf`E6I(F4?v
z!2#6{mR$=B;vM%NyLBdYzgE4?xgAXOfYoA%!wB0Eyvc)3V4TQ+_(-_PYf~kiXU5ZY
z@_XyFT?}%)7k~w&ln}9w?LlH=V2JShvv^q$Dr$FHjmZsWM(j^>FLSn};~H4l50;q6
z0@AKIzzRUAwOyQxH7c|iL2lN#y5ziX!$|?>5LRR(yA)5}g4c3+NYN@N{J-cz4KLB4
z23wbp@OvpWt=q`AJfV_qL3(}k(VRXAzKOzHD7aDq(n?vF0|l~wXPM^J(Y0Tp7E*^0
z5MpP<xV?V+4z?>2($mxr+j)iQpWKJ^J_=4#wDfpIf#nfOFdk8iXRG(^<<eUG%SbxD
zg5p|fHr}`uR(jfwVzZdtuvlzf#$(oNDH*@0r)}v6R(ppOjz)zB+qV)FPN}&elQP0J
zn)nkoIlfn+(c=dILfg)G*wvqUpdc#UBEbB`sg1_rc0S2}J;o;`!|KPwR{A7*T$!pU
zoqMz>{_v$y8;z+piq#dk;q;$n{|Mh}3$<Kg*T}iK@%Zwf_M|*?n3y$P-St_lYyGS9
z+}~g8dTYL7g%1Qp?HroWafU&W`YF`~yUDWt)kP=E5xp^sS)F*~;ik*c7IKY4-*Kg@
zhY``WljqA0bPKZnns|fr{r~|r1gP7CJ{%<Kn;RZenZnk7KdnDDh1@ay6wTe6RQhQ-
z6_vP7DZqLBCxzvC*6q5UH+Za`6sP=&9a+K!xh#4{BS)#Lc#fQUeTS&TudY1YEq(#H
z-p&dKl$~283G|<`UPaiEp<+oRuh6E6Z3Lk^jD06q7lhLcdfauShrz2NW|cI57LrtW
z?TeK35o;wUGhC`@^7=v&`-uxCta_+u@H5}zz^x%S$Gq2Jf|;8!kW<M|Fr{QqlT;vr
zs2A<LUwf}Z1bsI~?qha)U_2YIBqKZuRkD>o%*;}+m)#dh{exK<U5<bHu0U50{u;B5
z8HX4<_jaU1{*%B8DU=hMR3Cg!V*K`Wq{t+1>&r*qh8{82wRrzM?om$tQT|(bo=&4v
zysV@BOmnzR6!u!wpG5+pj}7A*VwAJkte@Kdu+c8l)ladoPBPUG)3GM#zpr++EQkom
zvT#bfI#KkvyH(=B7_S2c*tcrUn2OCYtWJ^!`?+eR3QkXPU(Ih5Ss(VXn*qOvHHZd7
zBOOWQYy;PaNe~IawfX9nM2=$rf~@|t2zJ6Q>h~<4^*Nw=vy3O?f{Ox+WA5+nC{3jE
z_9UMt+QkeFZ(rtFf-{fljUWvkHg9%nKr9I9?0_Rq{FqpPW>Dn8dn#Ht6U|+oX3a;1
zo8RG5bK3MIXg3kFn1}!R$6?=;5Uf>}yUYuU+csGKy1vT*uIP%5^61g}&E&p5N$3M*
zuzF2>6ID&4NP8`9``54ejV<~4ft|7PNl7>7rve`v5&a0+)jv;87Q;~Cw=ifnDQFwt
zy<opr$<z*}GTX>An;XtxaZ)gCOAUacXPjG{l?Gz2k=``mZ6@@OvCdvb57jkbAoZcz
z>t5p@PfsyWB7Hibm>f#;`YU+2Jn7^2&ctM8lh)Ubt62?Nt!8jA4Gq_4>o~%pph!q)
z&COl?P}3Pc2h1u#Z@jFO#+rohy*oG^QPGL~->FmxLA-oL$9nUHzHdCGr=>A7GP(iM
zCJ>KBqVm}MM8Gyvu6?Ji{e$jOiK7$Ji$vjj4S*Zpix=7^{`Wgif4iH%*Ae8G8E=<G
zNK)MA%<Eq5)3~N81Z<`}Z3`<Q)29gFPelYJ$*7llNi;<TVEi?HLj=v3Azh*oBFty#
z7@m;3Q{eb^WgS~I*+6-$@p2!Bgk;QJh=t_?F!ejeB79)u(LN?3kfW%+q4uQ@61&=)
zOs{rz7A2aSo0pN3y9Lt53sXQi20oEsVtE`k3ozgt6`(T07{qfmHKnAMd;2yyFE6jK
z(0oCs&1@D(SPp1}HsZ0;Kxp>yEV*{a+!;QF46jn#O<3+rIX-d{f^n=Bf7_9T;u*Zc
zm=YW1&~Z?}62{j46)UpOuRk9qG8Qv7>{Cx#f`Z-vLf(=`k_drR?|&ysAs;VhsHPhG
zu16GDSLXRcnfl<@!yU}Qq27VvCt$_^>1&wQ4LPDxZD3M%Hc;{&|68#AyCcX!l3ptB
zR_yGCb_yw$x+=qVBl``75elOPYY}O2Nelevf>>OS0c99Pr?yY(rF5NNTqogce(YcM
zJc$0x^@9M*rs+L}X5?p;!b#wJWbC=|;zEZB7$$<9?29_DsK)t4$2Rx-=Zr%qx3e9)
zMy4Z<6k`6qiwBNe26!~RfMlPTaNa|y5J{l&exomp(HfMXL@c-!?G%0;<nVrk@$%p3
zmZ^a}fO7UV<t%;aAA+e@2B+AX2c&w(>#61lT__WEZAKfx++DU`sb8su%NUk8Du<P+
zG5;01m4K0pj{4B3@jkp$E}Cjs3d8RwNr4*6iI60PQ+Zq*x<P8d&=HgTA3j=3&7EA*
zdo6k=p)uPybuqAbCWQyE{?E^yD(fG?Pip2bD<}7oJsY3po;9WjQ>XovSRAQeOKxx=
zD>525%cKNYWFfGUBa#}3f6atgx%rr+rxL`U?p8e3*qE5itmK}!(e`nY&g7pXnI76q
zs`aw-F=OkM(&ol}brJ+C@D#ffa@TAi!8JOJY7Jdp?5u0Bf3}h=Yt=V&`~>3mxjoi+
zof5Pxla`@0&jwwN@jB&RfNCh8+Zq(1zmSWKlfaW?#a`boR(d>V?e6+j1Bv|o<O}F}
zM!m_$+sn&7=8%LkR_C)siGb5Jz3qI9!s6Co;wpZod`$OR@b!RG2^g&~WG4cT(u@&6
zeyJR!A1oLD?}uX#RihC*l*j{HN8}q?T7K(iSOaOwF|fXOcCLE`_f_{PN67URC)kOC
z#i{$t%pf}jI8{l;gFCT)jZ&y)+O#wd=hM!)b-LDhITzWi!#u8A7x06CW-YOUL&(9E
zw(Iv+eRlLVUR3G9^#0qkK;@%-mzr7rA=(;6S|eI*0gf<yVFYUfX}mTF(ch5-&911b
z8`$*x&(zSydZoByFRz86-rfQrqy<Xi0WPci=ai`+2*gb}18``85~J9p+aK_8PS?7h
zfl68&@EO5Y3$PWs|IZ&0TH0c;BnIrN=Og<e#tqSU`xZ=(u&~dgNP%)bTx`Z=vP=-_
z^!??u=gd?OcyUKia4Or{h_TFXj+b;_tWid2V8|o8I{wVys?>d%KK80SUxfX8I-7y)
zUoj2HNGrM4rij<bFgt}u<ixdn6{>vo4ahZ_t?rQCnCz``5s&wO>Aa*ieV1PgF6VZk
zr0m{lpQYnh=UuCwRV(iC|9IyG@3%QBs>ROieoA$r%!SVUYCp6|k|OS}!E^+ZkWee|
zUlH5{=3G|dSC5b|CZtUwVRu$~G(og4Z_*`1U?^F8B}Bo?IUm<0hFO5Ny8$_v?VSg9
zWtf(f;^N}JxcT{ia2mIJpTr5Q!a!gG*BO|Z52NBwKI8u{=&4^!lL7BUJOUk(5g`2j
z{TmAWkwNDOHr4=eMCL276)hIr(WM6MEtdtbHj(F{wR^)DLI<}PLE--uXtWCoo@{Fp
z#E-5prXs>`hWr=gRs+SNzKgles~$qS2E=>CI_YUk7ioBhFhp?E90@cxgq#mBR~|gN
zGS7$;Z8LRG9&RVZB}hD?gQ0PUTw9ZQI7)sY+$uDv_9`M1!HL!0<!h`>7bE!3@19KJ
z#a<0t%#~{i?o;@l2Z3+tdAF!dI{>jj&7eL*AAYN=`?b9MpOZ%;&}!7w7`6fiKfkbW
zHlC@ur6%C2q@;wlM(e$H{qeJT)%&FuWvyT!Vh$U=wPV2>R^YS{YYv7V=KkP)@qhm7
zu^m`<XGFnXy(e*88RQg<$;PhN(n4+`dG}tDfWtUNRXDS-sEF$Vbj^<vr$M@Sp>*z8
zYZosL8*cN}mJj)Cyx^gs1g{rENxGKL=GgP(OP_=+^KKMt?vA)hs-JArKu<`4aroNq
z%~}Sk<9VXWu-6Dna>#Gg)@!bAHZoDuZ3dLEr(Qk$jeGtHtkUFDY_cOitdg5ROt%?^
z5V+B9a=#1!HFVu=z9cOL(AHYprwViuJnI1?M~PRJaNZcCf<0YI=R*_$1HKmBvlt@;
zX#^GorP0x-rc*#{<HUrFdDit%4V)ut!#6P6)kbiMiK7)f0W<udjnc?y1$a;2Jv@x1
z`<@Pf^kXD17{m*xKf*Zl%IBM#b}zwL<^c*dAHg059<Q&>qrjoL{T=~vA^s7#+ckJC
z)~k~%8IA)<93d>dpkVFUt)JNa%?S{Ggo_2{^1q=7fXW%~ihU~;cuD$q*5USx@$=PB
zM-yM2nS0TZ7t0o0Vg3au)f}A+dI6SZlAlZ^oqIUCuOIB!vzzPxT3kxre)#BDB^MDW
zXaGZ0zKme>xr1i<`x1q*`NHZ{1eS!BRw{62f!_p>Bv7(7u@TjhF>!DJ39ui)@=ZK9
z!hkPHeRqY82yKd;<US%Q?@}f>2^yLrklceE0V`q$+$x~Q7?DaAfx^VDBcQ(l`_M9G
zDu22%gEV|1b2k8Naz24<HuH(Snm?IPC(-j_kU%bhd|Z3yMG6s+p~R4~y$svh+QM=H
zi<c9tD=NtE$7)aWI%b*xpn7DnoBokpZyQ@<lQ`qkmUfblxnBO6!!pHCz+ct8^i9-Y
z)-N^kuaz3dF^cEpa=0{-I%vHv;75G?OrYI0uR9?@(wFrEeOu=53SNrj)TyU-P;p%>
zV6e1NMTk{F@$()|THB9kny~Tkt^orDJ}{6TTxS(kRaxuLix;)P$YgGM+UuyQdHoTv
zbwOPB;ccc~;v_d0^>B730-BfnDiBXE*EVsmv4eLZ*Vjq13SP{?1Ba7E|Dq+qhGujH
z9gwYpdIT9U(ihps+1Z&@E*AZmkJ6C6K?|RMd+?H~7{rU1#I2JPHv4ZR{Fi0qCLQFt
zdp*XkrFG9@5Lk9~^TaXRB|<2I&GM7u!Y`TyT<j0QeJ&0bN`G7rKUQfOQhI5^K{Ui0
zOh9jZ-DGS3ZS7&rok(b_T}ie4w|2C?bu@9f4{ePC#-V+u)-kEhMw`Cvo90QnbNm#W
zgU=4i4>#u?1=2pJQ*yZdSR5QRVBzDsQ;5m)<CPk)4o~AKgg3A<=Xujc&2aHOdvnv=
z!Qlkt4+;z*#IyvyRX>|nICjwm=eh%)!Ehyxkc%1^c?tcqEKccFcm3<D`hS%!=()f-
zWSAmj9!vgP964-O5I<OZcjrlo6^zQpjJ%Use8epyD@$#;IZBQfcA|#hXDX35Y+kl;
z1(k18xXE35Pww=)=j86DC_vFTweruckF3$JpU-jr*E9-1W*`|hGVGSX->JDrVr)*J
zcbaH;^gN&b<;NsRtn|C2+2u9&-0$Yfpdix8((sX`kS`{spvVI(3OKTVCJ$ht*>DJl
zQX{2jPmadBca{mwz=)^+X(rkMk6w29Sf555gnOelH&_@lA(zn3U0?7{2N2y#fYRr8
z%=z@re*blGm~9hSkU2F8hG082mq}ty>oDevfY+~!p*R|os;r{&7hp*0th~G_FXY3;
zjs-e?<NKMe5``CdHC3eS1zh%LI|f|mJwHfZ-Yg_vM?6Qexk|Zyej<Hb&YGqYQl&sY
zsaJ4#I&l#=Q`Ssy!|67R+2_6$pa1*X`{s6puRxC75lLhzoH%?(xW`6VE>AW(E>25Z
z`{}Tvh7jHlGA(ztI}VUjU}Xl(ftcCZtu12@V5J;^q5>NSN5d3wa4Ag@d%+;@Ckd@G
z{<mVi1cvE^40%=6TwYu3-E(jQqQy+Qd|Ru2d%OP&cA$GP{`Z^89eWJ{r+McM_Hk?{
z8*na>jQ>o9qM~|3al=$zQIkIOTU_X{<}-wf1tVFU#eOKb*Y1g&auZ0G=h;L49B9en
z1Ztymwx8edVKe!SM|O=zN*Q;*d^}G2xSi^-o9%#chdklbk$JF@x6A6KR&RO)S$r$L
z#@o<i7~>uzcC22{D<~@x{7O3{B&1gYXcq%Oh~Yx&;nfXxb{+s0T_D^XpEczRta@62
zc^~jZE<{T6#K!iS_{dvNx=zqG4Q$Bs6V#)l9sUwTf|Aw;_^ACWY2#l>E_PB3@Edl~
z?1Gto!~S=RAq;8U?F145RX{N|nF5|#K<@Zqd+RmuA-h-=)Oo&&EMP0bH1aEM7fYe7
zuLe@{JDXaQ%X-W1PP&!Ra~TYC-S)-<<%aAR6UGYj6i;_Qrk2)Z@Y-J3=-ro$buO^#
z9GRU6$xz652^GsIG$7y+5XebO6A}||?sI^%-;K=#&KKmsr5xCC$;A<e;rs%T*wD~W
zQAw!;?@0(;pBvDPq0t&W6GZ*@O;rEAp}D0Uot?l=bpiOvajF9b&)_RUZ0vfcjlOgf
zf4vTf9NfO^_AnOyxvl~c3}2j>1j2@vRS+IInIHK?sPOAwi5M)6YX#rk4iA%hTdU3P
z-Gi2_#WLwRZ8zMb#4vH8@F=%;#g3D;B^{yEDvsV+=Ax{C_!Cfe!-4a^`YBcj>LmJN
zx`*zieh<NvGN2kbML3w>s{<btuq-Np@}iY+6J2RIwRpeZzx6ML9K{BEQk`QHRT?Cs
z&4sma)aY-+{$xt<JN0$;zW`e`cJm(|aN$(53(ZSS+~wyTHg<Vtc;I;TyZhvY4gLQT
z4~#2h!y6SF4nGdxJa`b(nJL9PP*>*7BrVjE1Zqj_WuuOGsVZ=zz*qQXgnws$wtk9&
z{s7u($NqevbiCa#ThfI0zh@8s_v~aSK_QB5?6ZG`s?>4z`(M2w_v@$!-uK8;G>&jE
z3TH4@Z>8$mF+0fnpRPUpa{W*~->!+c{VzBu?1JEsGKYV$r6)rngfm^H5?h41@W0Zs
zFaXidlEJt&f>fUWVYsNo;r8pNk}2p4&$H25)yJIzh-C*q+kF#x^GZaOiQ1uA!s4l@
zoU}2Urw`(ES*uFiCB-zzG@`c7kPSNyDAM%aYVEvzq6JCT>b!0h%O|z`&ZF!SORC3>
zPYDJZ+%+opcGaUr(QV+}|BVNcuNs~Us8z3zFTxya-E$yseH`NdccJzFd+uC*=<thH
zpMGKkoL3vU+`Rd#25(he=)yvODKzZpHT|*946w8R9{;N^R7<bmVW4S66RxV^Q-OGW
zRsAyw0?r_m)kKEZcAn;d9Ftpo*i4}<O7WwCQd@IuqUBSjLbImDvnVxm_`y<^4r<%G
z%o8m3GfOJ3iTD3Mz*A<sm`W(09-=VAOC>#g^lFuu7fN0@1I+wvDQ4MWeZj6wx13xM
zs$cppt_jk4oZk%S>s~L@f3D2qogOAm^_Avg2<|Owk^Q@7^x=(*)j)AA;>xU=-6kPw
z|8V7;`D(G4%m{J|9XLABl>hjzGlzgEiIz|=KSG<%mS?BODj_DQJUXD*SJQ}E_}!32
zvNSQ|MG*y}#HBgkc4BaAq3y;z#wQl}k1R^7HSPC5QL2^=m(m6fhvzI6^qx2HKR}v3
z8{QHt{C<sBfrf+sOF?w77y3Gl>7@AUk11Dyxq980%lX6d;9Mq%7x9n(@PL1pc3M1A
z%;ULR$2^F>i7%PgZZ&Sds+{ilJ1-qa0XM#6tWEBD_hSM>exW@chA!4T5*O8GvLQXo
zqWthT`p_qNnt?;^4~56@p{V=#h6)GLSq%A@N8+DYKKtq$*Zcm${qig6HKOQG%lk`n
zbTbQA|7@)2F%o<?`w~uO{VQ+`AhgH*m$UZ|iV}PqKd7?qMk(ojsf2sYn(FjfW^rCZ
zWzl$90wqw(UUlZsBP^0d{%iP)$l|xU)N$i|{LH^oDoH+F|0<SL3pIaF{M{4}y^&#&
zorOAGI>-*UAbv_wXsi#lK@P8@AMbihy0gIGE#!?(#o>#e=445HwA~)>B+c|pm~P*h
znjkc%_K;9f(6Grf(xuoeNx~JPiyy~NZAEH_Vo3>Wp*PCNCibP#&mlmkb~^Xr4cGsB
z_|*S_ET7kBWhgc<&|_@j>L`b)?9I`Ggz^$o6p8zK5r*IRGf^F+e%g^#w|DE3T?|t=
zD9ioGTtOup|3-mMGPYaoTw7A!9q(IZS%On>2d%um<i3<0y3mI$D~eY?pgo1$A3~im
zuPipPvGdZTno)u)3iVyaxj32gZl23al+5+n6$=%O$lQ~J@}G6zN6>70OVbewc~h6c
z+6No8*gTU<IvKpx3YeQ=V(NyATP54jKO}i(u*4^Rjb!0j5h}*F_G(nIqEPB<?1jJ;
zDth#IIW=u_?)I-F>Vmz+8vU6-(ebLURoIAm(BkKpS|tbCC|i?Gs7mi-&&=O8#2Lb)
zhV{P@{?!OV1BeS2{{@FWg<7_$h_JDF6dNOL!xqdWnMhYR=0aOoDmf!Z%#}*3boF@3
zxR#f9=i>}lH+DPk)b}pCvqKP!@IF4)a>gcRzBRtRT6<u{W**Zm@Cj2+5aISZy4bJe
z_MViLplIydWIqzmu%5GRj}lfh`Gk(U^|44WXffb7hgp5!MI-jFG<-NEtNBEVXYDp(
zgH)Bs=+n7Sh&?P1ai|HUWO7=FnzUQ<*X>6|sO8WijqX;K&<z>MG%C&qh?$nUUWNNA
zCw&6~+ejRzQ9ozfP;tCroj`dmMzDRr87d9R^nmDO_WK>61<+9!b{b)hOWY#=CSEOM
zovs^AGZ?Sxgmu3b#G{ATC_<tDF>z<vrwTosS;2><y*0c#!nmIG_sF_W`ly{!gb6}E
z|Nnaa9E4?jzjF#W-_}4Z<VLU`tuIkR4DE$FS_QvCs_RYOC=KoBS1*PJCbd7Pta|Wa
zWgpsdJs5I(AB_~hB~I=o9c0v&aj~-{{sfDT2gkF6nx;6cw){Qz?fweQeUq+&rT%X6
zn-2*QR@!DPh6U6T2;scZR6G%h6wNuU8Om=%N#FHyHwWQ=#m-6j^?5*%+dd}RR-dmk
zYDVJa_FPhjce3g*^5E5;rhM``QC$5S38Q&~%EBr_No%GY<jIOY_M-m94+x%~val(Z
z;mP(b#3wH<%~)Z(0_(Kg;87q*zryGfWo1~+z9K)fI|~(g*hb*M1^1p(;$%-TerV1Q
zawi-dVCFo=YV(Ll3}c8*RWUS2S+dJJUs8-?8YOUcQ%C#j#zME{@tz@Vsy7H}7Xc%)
zSEvnE$G$AXz<QDSl+v&Ozb%e8-dc-nCFzLidp|!#0!NuN-4|VtLGCPB3R&^D+W+0w
zBeVZX$*<_s5l=XQ^ff`GoEN!uw||&bUKT|LqwhK7G}wJciDG16QOi{MT_IrgZ1n>E
zw$U3~U;VkFT;nW`K|7B(wwxMuetImn(Au{3n7>5L1_r4~#xf;X)y<5ru*d}EUTMg#
zPqoU{NA-m7I-UT|4v}iP#wSkWwdid|m$k&9`k<?<Z3@H3)X!RFl?*3B0!KYEbU2ut
z=!*KdiT)J{NY?LqS_|uH!cEc&qi%n8mNBpxajI6ri8zScOndZyGr`EV6AYs{ukfK$
z5w#aI*6>KXw7pvPT1OO|ZhCpQb?$YJE-Coul>3IT!Dvs7FJu<>py<}5Gx5zwta`<V
zXdQF>ro$Jj_fji&w;|B0n>+ywg*SQWhL`v5slO>ACSMn)f5Djioqq-c{wNjy8-c<#
z?s==WxADvCJrRp~ggs+hx)?3?aZz85k<sTy$IAKwG8m;Xo~OVh0;?26Y)v)o4~B}&
zU)jDgRPZY2T%r89uXOwwOhfQ2=;qby{P`+~DIaxc@v$zV`UIUZ!*vt7E&BU`HFzrE
z*wGtagBz05p>!*-bM?VZ#aVEQXnkTSznBTNtn{qAZHUI_w{wNxF1b_t2s7mD$gKNd
z@vI5$4Hqfd9`@y!`}o~kRF;V)%dWPOpPk;Wsj3v5S3x+C=V+Z@7#7`r@ll^s*~bN)
z?qxAFni8_S&PUw_HJh4UVeJIpYG1r)xII$QX%n<vyPp+{T7rux@VUY`{L-@Vaxz2X
zw*32kzf;hEcUC+4U*6OpDZs?rA~$T$Yr?$u8lNU<9iU4W6Nhf9(KU!*D-6G*>wNz5
zskVke=W3+oug+p;=!tP=NJ_Q$u4cJ9XM5}T>)!GVGy|VM9G#>E)1@h~@229I3ML2r
zSA0HBzfhYbHa7`8Ocx-6QaT+9hN1t-x6V+?Q5=DOAYZH0;u$G(7+)-FUT^$t!B)pg
z1vnFnAJ#MEk@@|a55IcIa{bQoT>N^A_(dsc@U+D8o5rGA`$X9*Y;|eb<IX~SjT0Ru
zNPojarS@#A(UFE6@8hZO^R0gwT(ZRQ<6oP2189M`Q{fgi=ld0`7{g6H<tD=mm|4SN
zYN}8)lkUmCs;lGJmxJ|x8MdO7$b@j-wyaO-ttq;^&h%~GiPey_#l2bKcd49tp&k|;
zch;<QLwYWM!N`zhOeD2X9v+N~LezXetZKpWDqPm-rssPE!8aqoUuwtad~Ok{tw9yk
zl?kuZ#!zI2rA9L;v({549Uad96fyB*z6Gn0M2k=Jz}}ASLZ#xkQ`RBMw#5&nHTSK!
zX;rDeNN*q`af{j?kEN!ZmbuS6dpY=D_brfAuH?JF%l*IdzWT4KCVE#y4oIhT2?zpG
z0wU5Np`?-$($aD021)5|N$HYqkOt{)5D++Y9Y79sNBrJ<-}^V*`IQedd!Jcr&Fr<F
z^*n46@eQ$2+WWK1#Y)0v)X<bj9*9ng^+E+REph@ie4rSzFq06?iOz`M|J3)!QQa&1
zb)6ToE$d@|V4OTw=y9g1#kqmbjyCIDoUQ*JJ}LcJrnI;R?I};SXxip6VuS?L#l^Id
zhf_io>`EB<zkFLxHgM#0nIXna3kX|IFHC3?A+onxynRe41#qTXmaKPQ4wgYexOI$S
zktnFcETr{xNJ580`I0o;MKl`>hCdK7`wrY$$Z|sqrDW9_SV*U^!EN9*Nczx+vkrnL
zA)|xJV%TKPY<$j~0k}Kwxb#C*-v}Pbuw9#WJQQwYMBiCrC97Gx57S%8eCsCXfhVCP
z*c1!b$#KnzR9B7^GLL9fjo~o7-<8$xwPZsQmK+;-vlEWkB<$!j<azH+c!;tTYS)_~
z$GBR^G$^aw;LH;P80qphs>2d?z3;oUV}+6iveQ}kN<Xo9X-1wFu;I<>l~&g@KY_eL
zY9w|dvpiYoN=oSAsWJi&9S&ioYmVQ4->l-VZR`~4jp4X%*o$3~5?8fo`9l8*6=w$x
z#djO>+V_I;Fj*~1(u#dQB_X6?EUjwchJbxC-s>ErdWkiDeDmULuW1f;;t|G-fUAmY
z30*UWE1Y>x{8wlc7ghzUeL;`8e^T71Y{EZAu&F_day;%S-q<ea2kueAPx1znU2B;+
z-@tqout+OpI%<-4;nLK#w~v{}Xc-KDW0%l9@`PO&$KaAUo@JD8vKk3uws<^C%E(XC
z5~cpIqN_L3ZYHfundC6$8DsQdM5^njTjAKtP=W3@!t_SHk}7a?Q-C<+Oo>?R#5<R!
z%&|aI;|Se*=dldpJSWmfm52Sd-(K?J7a4}v)U-O4ZbB3ue-n50ciFq@X9$`Hj~9k!
zoDfw8B&Ca6F(Dtuyh^s$^|N9mTeLFEf7SJ6WhZP<Hw$e3x*%=jvBHBs&NBWyX5`0D
zxTLpRyI#mXX3Ar@pelD734I~fy)O{rZAoSGX?N&3T0BF05iLM={W2Cz=jW2zS|E)e
zAru)mJvHoA-LpfHc;yTKki##vK6b0j{!Ec4(c#yX1PafCKRY?!ZUg9$>KV{(pK}*G
z&MZh~{~)W>;?fe`k!SE&Gd#9x?(ZW+QGDI;l3x2v=x1~#_HE;%U4>ru6lLU?x4~%5
z$bN#8jv*3(qO?xTFs#B54f@ED7rLog&sQ`SUwPJj-mrhYcRDvM@D3gK)S57gdYU?%
zwGc(qqB@kyX@)C4@_NH6L_x>5LtpG&QQu(+e*(0xPXhjiplgIhw^QCA{X(i#k3Bvy
z;PyOLTU2mQU4-(&C@@@2|L7|}xGQe;&sJ^bHR*R-y#LyAJMhNR?mYI*ZnmZ@;*WMR
ziQq08<j{#|4eLep!b8&Uq6Pq1j4_FM%kOHs;&YPCTadC5x&Em9#9?pL#U3Jcg2O{c
zWG4)FFEWKWuF;6-NFoE+{vK@5oj7#NbFmYO__32}Jw_c^%Boi1@Sz_+(70KJ+ZEb5
zX1@Lu!~5x(*z$Ath6=WDJ^?qz&9FHeKD1a1ilfE&N{k57+X7e1AthhVd55X56_CU%
zqOxxboSHnJ&0!&;?Z_(Oz*g$givL;4O9VY0mq*!tA30J`T~I~sPnp}(o*`l-3exXN
zJ+C4_FOtOORIc*aJdUZKi65bYu*GMlkb7mitF3#<sHw`h`Xrji9lXu`E{0>Y*;SBL
z!X!ccq9^x--DYPwGHY&)wS_z7RgfvqO&+{ejwpKUF-7$%PF&t7#*=(f5W15cOg^IJ
zPTFUd@j@UJLuNUQ*;9kT#OdbgX0zi_29xu1c{*WBp(tg^?A@y71bEDrVCd}6JaCQ3
zdh{I<cB3}#TCKvGbs8ksBS?TTLSdo{;IeBqqPs)rBcFO32#CkFw9~&dR#|30pY=^q
z7ITjdar(+b-k{T0o~#}pH99|Gy*{m5v>I0TC2+up7?rg-0jAYT#~u4l)Ke?ZlQS@N
zke;r_TsM{@+NMHd*<opvCCcy0)Y&e#khJ>|gz(ZOCBEmY{_g0^VqREf4!Z_2`!2z;
zYN``;ofuDXq;p<u_;LY}j}pGlY?|$aO^kTO3tHh~wPwP2QdLPS;%GmyXpOfTpVm)%
zUFO1J4;?Agc{OBigIq+iY^G8Fpe%_sPU{C>T1~eoiaeoefv}zo=OfO_kX@rx3QpnQ
zZ*ui2yN@4r<6c(F_CJv42vuvg9#k9)pw<oZdNW$~YN9PDMAk|{x$+?kqf-5;w-JRX
z#Zx%$MpEJn&z^!2{x=OJ64YgvBdEn9azdN+JpVU;0kXR@$Ys@e0|`{)sJK7m>ld!f
z*4y5?boxe$7O9k2j|+zlp<s0y)k!UgAq{%NKc4G|<Ol3=AJ4l?qC^qVBblf}r}Scj
z*E>6&91+pC_+e_e!9KX71S63-YT=~1!^rfv=f>kPCQI*;;VNQ@?Yp<w-}+mK9egTQ
z<P94zT=<ou2&13~sbM|t{c$Sw8K6ZCM`bio#&Nm*dd=cS5BuZSwurcA6qNWJ7|N;c
zWm>FqS>`=i<xhTF%-Atqw7tNJfud)j)Ve`{jDxmGZePZ(TK@oY|DlF|-uaDPx+ugW
z^?b(>E1^^1cB09g3f_X39FX2dj`LNa(58eoo0md9KPw5{7;iixIkSW=mnvj}4f&V1
z$L!?qJck}k=obTqt!9(JPpU5i2!(nqCe?E-@%%k%!&0EXm>sdGxIdq?UYmRAN}}*T
zx7~c2BCwjIYP3Q5MW}}WUC)<yn{R;)ZK#l}@?z%MiV>?~S8BG}c|%SB0hj4!pI~<y
zOt`6w2w!uU2EO8_a5fS~qvD#_#3H@SAT?pN(7ElnmSLIjl~W5XCBI@fYv(X~!vKdo
z^L7f)^m?k$w_{||o8tI%S*m8HD{ENF`j4*r4@*A&>FcadyQ-)N-QuP-Xzm^#cBG(f
z<?$uY_7Rr-M~-ig+RBwkU*A)tsAg&5G^jP9M~m^f*?RQ>6bJt1cK+v%nuVi}|Cr@R
z7fUs|t!qo}#Z*79Ih++@p*XFO$z->*zQIl&Zq0i*?>uR+kn4+JTM7!|)tJ0i+g<wh
z$+hw`lh(<s=NaU>(PX6v+gdH!GsV8;L*}E8G6tE2a)*b{w&w>wtLoVQjk%`oDEDim
zptBL?5d*@OjawDt(J|APB`+OU92r*g)66FhtEHy2kCx2HuEv?yE5loYiic1Pf3%lG
zCBf4MZzr&v$Xp-$2+ilI-c*=b>o_3uM?_lK2Hv0gYR2W(x+LImA{U_Z{CuZ$lviX%
zlJKMF)wYm0F@zgQBMyXW_ObG1=Prk&npuS%WlRDyypp_9;nnnas|h+ndOJs54UUc0
z5<}D6UkmKHisL1?BR{^N{@SWA&08<u$LqM^>7m=X(*NRSCg))~O!kA);P+OilqZwk
z@ipnSAjmsZ`|MPN47C=JT;*6n$=#HsXJH5LYe@QXHU%Xu6i?)sd-EAPRCn!u(pe=L
zUd?sP6zWn6Ui+=vuVZMO(lZIU?IwFDRTGwQG@amlobg(Ff;fm(<b$pqwGQ!F@?fPF
z+lXCUIb`5?LlIWZvw@{nyqF)He_m`lBuj;QjMP%9HS?y`+(Rf&Ds^MAGhWxGZC9R=
z<TKTTV$K!|o%)^5u~-$c^IuuQF307coxJKQRNW6bOP3I5vfd}>G-~FW$^Y)-M^7lf
zY|lg{`_Ns$h}Y=c6lFZa$Q8TQLVz$fIl>@p!;zG)Y>cOe781eBaChL$so&*h=KzCb
z!Yq=;u|F#3+^CA$zA^-l3z`>hz}vh(T*k0(>VRtHNBzBdD^^2=-UeU4L`5t<-1p!s
zWHsgW!s@ZVb#Z2%v4lpCR+d-D5|h{!!JByI#0yH>FW4oyqj;0$ec9ej^M0lcl8a_E
z@n48m+6T#hBj3lKd;N4?s{Z!~TO0m%kc+OC9?!F1xapfos@*N~8}eA?m|w)5ONo|B
z!-}#{ywRM{UT&pjn5;PM8S@ur3yUzE{OUZ?RQ92fHpug~mfE!f^ZS|>uZ4{AKW=_&
z==x4cn~gS8<#*kuW2^p1fNm-0X{W)(kJWZKmh@KRJz}HBewbrJ9;Xw)470OD&Uvsi
z(g`zjC8qxpX<p!97L`LqgA<ZsUM2f0Mo6@uuJ8;m@9Ld3-fGf^80IDu3-Tn-qG)W4
z42d2Vk3gl!Tm`Yv!#9e?dT}Su5c_zSrIhELkJI61+<`X_5~2)BkKC;N7Npra(1-!Y
zTM?~U_~>PEd-Gc~1Zlj=+jEBW77J{?B5`*Ao_93Qu6woqi0+8SJ?L3ad}}De<6-7V
z%hbn`&G)!<?Aa5_k`d9NGMnHxT|@CNB17Bx15;#7uzfLyA(<M%xju{@(MaM<_l8N9
zj?l@bKgV#$z_in!i1GYC-y|VIK_O_yQ?xQ6+|S(oQQ3Z4*^Zx?Fw&(>#+W7U%4rgc
z>ybR>gnl;+xWAf!MCTLDL1yJIm)`}A6wx!Rc%*^dnB&86GC-!EqL@(Kbv50eES~HV
zKwGIKWXE)X1X)eW{pK`r#EXmM*O@FLGm2ZNp~tG>&<Rxyco|3=CdWbF+0KEW92Y~v
zy_cw4-JKKTV~XUBnc=;fv?CNX<0o0JvP%M0?@9bbV#nr)iCzBj-R<XcE>={AQNbzk
z-<7iT61Vy?HAJPLHU3YVD#<m~r%VzSc2&aWOzUFp8s_vzZfqYhzAD*<r?uQ-8az2W
z9p8oZf(q9E$;V~!w(j_fB&v&nbWd8vCfu4?jnV4WN}6)0VwfDO;TYPPK)N&Dn#XY;
zCQ6B>1{}3gcPw(@O1}L2qO0%Bxx|i}-&Mo<uiXyf?meOEokD`%d#+b?llk>eN;JxS
zXDS4XN758AZhal@uiE8VzCZ0P>A49OtS?jh_eD^Cch3{#LVQ=WFB@gI@8)sMIn-48
zlH<_U*X80s81SuqWAio^V=B{4P0@?7Ou5Oyme@Nv+QR*V5s3(5r%<;TGN))oS)Zij
z{;CYp>mNnvwYp=QmEdkSs8K0aiBlCwXpYwy8rA8XOBnxzNKFN;NZ;#sn99F=yyaa!
zK3{G$kc?t#f;M;*O?_TuJCcEj3-)s{bW^R}vz(D<*H(c%3n%m;rXROt*v$eznZDDc
zAD(e5sN>+1o3$kq@xw*jq`!pe-*Ti4BzDSWm2ZBOhTc^_YW`I}dSP?~VN$!E5!_sT
zp{1)2`k_X6Q6-#iEeuV&VjUbjyI8#vq0?aut<xptZk-i|$Y?8(g2u4B+2iaJG^^Yu
z^J_unA5gyP)Y+`8c7=d8(9V*lwhtR?_SCDKk8W=ec74$df2CE%yq;<2X1nEPp{G8L
zE4G%)z=;nVL9G+{BFeUT@t<3i4ZZ~dJgW5J2%W$^{QbAzMVOqDb8?K%n%*{G*dJ_p
zpkIiZ(Ay?xnmYMsnm<0bWoWQyOOA7v)#OOxXzXO_9|P<IfGN!r)Pw`EDH{Muj(CT8
zdoDkZN*pl*{!DLFN3F$jR*Bs^l~dR%gIDvl{Q0fDXTiCX$MyaDoSo4B7DUh(+iF|}
zNjKj~<U+hfEGe%wOWpQA2O*t$y0uIwZ?2~gbC*a~Q<<Ej?TDqCx$e-(*iU}uVX@!v
znF@_()ffY48bEyjB%a6gPqB7;>T9eQpF~M_M^I6cdRB@e0u;pMJRH8-2=A?~vn=X(
zt@+EdH@G-YP4HA5{s34@;0!%@e~Xe?yr4pQ6Bs0<-h9bgEOWQ`tW^!+@p@5J_debN
zdRod7LK<JYT6Zw`G|#9}jdi53puoo()T;xk;Mxobk=WGfSMvo1n?(Jp=tTqDep30T
z)u*RG=IqDUnLnN9Ztn1(MP&>*-}(@eqnnGvI(Ju?qLRP4TFR~JX&s;%k!HVcE1{65
z4>O#inuvE}#@0%4apxr@C&$=N0)T<fY|3hyJ;#9N6R>}B*~5k{RB*G?yMc^@zEh~7
zUZdV0So-p1lcq!qUD*E1+=1Vtfzh~kF|Xt<0iTteOqMa6?sfCj@0*lLGh7b)0ngU$
zp7hK*@B9uwboz#}odOxg3OFlZF^P%2Pzg#vd;|cTH#a_GryD9CKehrkM#AvmVEk0>
zP_pM&9qhMdc!+y=SI-NS{+oK%M*Ae<moxp*%LDM9jj^(o);!A907T+{^>OV1VMf0p
z5T{rMe}AU!5($vJKNNsLSvbIF@I=x9Op9#p`POrG$Ns>(?UDLh?{=g;``M*w-Taq|
z!<ns=F~iT#5AdtfgcKGsZ;&gJ+a}00Wo2an&~d3oC1h*rfx(2w`JxlxyGV(TS5=IB
z@q1HLu*JD~v=J2I?@oOxxxc5rzdG)H1kHU~K3m)BIKbWOEpytA!T!C#e-fy`>9&+V
z4P?lr&PTfdg5rAbl@g-|gNcBq*8QfoPl4gl*tbz|(uEkoL;e3<y?%+vU;|I9`VS|t
z8VPi702*e<#<n^Nv{DykXWIcmE8Vc@=rPa@^@F8Xs*}jS9-z|$u7EpL6wHvF0w!<(
zMgTv@o6B?0xt+D)RyTHmVWiQoV3nXBqj|647vEZ1;=_cA)#yMC3UU56R3y@wcBpIe
zNxOafH+`=@e|zAQ_eAX5`w9T|6kw?c808JS)Meu9J|3#7tD`9cjdaR>(pN_bPOgqd
zI8A&A0SMx%|0X$dXY?Pe2+v=p0Zb?<=5BO?-VcC0O=olFu}+5i7vp&f2LP7x`nA7$
z^pu4p1OgFZVqszVMozXZdBe5aJlyENK4%B7r}hww{)${#EF#c8E)pzM+n*vqjmdYr
zYbSHJg7iLpZ`bKJLw$YVzEXf{`(iqk*4o;7WB^Ef&ocYTsi>%o5xt}ZT(fD^o_}cP
zgZ~VU<^e?iI<ky(w75+`fi<G~hrsh?3W73<wM29U@PYUYI5QA-R+|SBT<Wg?g|1?F
zW#x02lzThMV45JgvZ0X?!!a(#fO_1pMvcWR278mPiAgWlOGK6Z^rpCsNri!WZjx7k
zsBS3=??c#{ptJpf&PVq*t%BR7;G9|nzy;98URt9hhjqOOIw$?WM)^WzWo0|B0Ej6%
zI@-GB0-|oW(vA|(&Mu-LD%u7jH3NQM02cZ0CG;$uCL!1<nH04PTn2Y!^E55G7qd2B
zt1*%yWTc7Qr(V^w{?U;Nl5qHT#{tNd(SY{>!?GA4s6gKbl74qMC1{?EjgD?l(=jqK
z!Xn|gcj1eQ10m_^>Y{C}s+t%cwg!+l>!u?JujO(JB?De1Xk5-1J{%Rk+YL$CgOi_b
z(IXG0M+`5$UrizP)p&lHTKb||Ylj>Vx;?!UqHthD308Fi`vcg|i}qBsw3+}h2k_Cq
zJrkimGhr0phX6T_8yw~{0Nl)Rd*b2SZ<zoo1Ec~fwxNZeU>!GgU!e-&1zwJq2-=V#
zYnjgkl;U>9NM4@x#z3>MPeqhq12ejb$)&(Nkhnn_z^^HFqU?9yB(OIHN5#4S>AM6T
znGC%B?+?xU$ZZISAHD~$F>C8Gz^+kRIz$y%esz2dH8(f^%?>o>05K0(`>*P8f}03k
zq329*Iv*kkMv!Pt8fog1H{dl9>&f0aXA88!yvnZJwvL5wb?WVBgBiZB7bUbQPbhC6
zTs*<}&r64avO8q4VUC|8>?&k{mG;d*y;ls4>vUcZ@$GclXx>|=zCrrUL-&*)0+ku}
zi+-@OWDLU!u7$6v8tp@8ydD(45A-p7Xgh!c9J7JtfA)|S!s$)rk}R5BvP2%8!!EV#
z79yr|+98F7ijertkAl8Dhq{k9D)kc`02AAmj8Xv2UbosGc`c6owW4Tm&G5E9M<JPw
zecN2B+Clw_>p%sP!y73=53>VtG9S17TOo0<&O5N+>guYi@uVVq#xQDnD{0amNvzRo
zx)oupDOse^c8ZL3SkPGz%&sg3RWo}Vr%G~C)3joHY0H?CXo-LrE3Szq%060}ALA@b
z;+U%%oBd5g>!l-QbI&;0f8J%d7)UAf*K21+c-7P^1h~k?9n|@YziMIDXw<s~hCWr6
z_ts>w8_WEKrQ-C6F5fsz^22*@);oX;UmX}}+LKWME3Ki<Wz#7uvqLmg>9PbzJ_${u
zpL8mOT@yagrQyo846Lcs)n@T9pD8}sM1rlQ8)3moPkS;-t(*O9P2eK9G`_L{&+RqG
zBQRe7_t8qtc6LzUF0WYUDVcu7Aklos?BzNi=8pLg@OnNG_B{$r*gMs0NoTIi*YTKR
zM^ZZ81F+WSFGC!6ZkPkIMoTDN;$3j>u!s8~sQ@C$bY)R;Lqk-y6dZP{W1(jvTka+M
zg`Kr#=0)j<l(CMbVOEFaRQ?Q|CSC1dQq|R-dqg5dS?b)()06Hdgz+@Lk0nfwik_<X
zrIyyS|C#YQ^BMNRFr8<-eXRS<wN(1`A=~bW&w=OBbz?K6>Ezz!&0cPaQn^%(q}6M4
z<y}14!;|&%1J9Sgt`8s{%v-EmXB*~Dx1k`?O&k0Rchk@FT;Jh{N0wRUt0*dx@Iq(2
zGp|vvCY*kav<PGRoKo}EE#G_DVV0e`xd_1`MZ45H#OaU<OMT&`*L<ZA1+^7S1JMmY
zXa()SAqGP&!h#new*6Gv$iA_k@jj{%h!rd*Q}N2E);XVUU#ci$B-}sJjSEATc(0`u
zLHp0dhf53%ZPZvdU22Ux>jR7Az=Z~cke!Q(>tdSplO}TFX@Y-F{nxJ@>Hqx`2yc7R
z|I7kd#$43DrvML9{r6Y{#tep;6fhnT;lP*-|2OO3*hC3VSFk@|sJ+6!ix&SMO#I^U
b?^~o<?BDNqUM_{+14HJuyhN#(?&tpnCkmHq

literal 0
HcmV?d00001

diff --git a/docs/source/design/businessNetwork/design.md b/docs/source/design/businessNetwork/design.md
new file mode 100644
index 0000000000..9667482ac8
--- /dev/null
+++ b/docs/source/design/businessNetwork/design.md
@@ -0,0 +1,235 @@
+![Corda](https://www.corda.net/wp-content/uploads/2016/11/fg005_corda_b.png)
+
+# Business Network design
+
+DOCUMENT MANAGEMENT
+---
+
+## Document Control
+
+| Title                |                                          |
+| -------------------- | ---------------------------------------- |
+| Date                 | 14-Dec-2017                              |
+| Authors              | David Lee and Viktor Kolomeyko           |
+| Distribution         | Design Review Board, Product Management, Services - Technical (Consulting), Platform Delivery |
+| Corda target version | Enterprise |
+| JIRA reference       | [Sample Business Network implementation](https://r3-cev.atlassian.net/browse/R3NET-546) |
+
+## Approvals
+
+#### Document Sign-off
+
+| Author            |                                          |
+| ----------------- | ---------------------------------------- |
+| Reviewer(s)       | David Lee, Viktor Kolomeyko, Mike Hearn and James Carlyle |
+| Final approver(s) | Richard G. Brown |
+
+
+HIGH LEVEL DESIGN
+---
+
+## Overview
+
+Business Networks are introduced in order to segregate Corda Nodes that do not need to transact with each other or indeed
+even know of each other existence. 
+
+The key concept of Business Network is **Business Network Operator ('BNO') node** as a mean for BNOs to serve reference data to members 
+of their business network(s), as required by CorDapp(s) specific to that business network. This includes allowing BNO 
+nodes to supplement the `NodeInfo`-vending capabilities of the global network map, serving network map entries which are
+not listed in the global network map. This allows BNOs to ensure strict privacy of their members and control which IP addresses are used in relation to which CorDapps.
+
+## Background
+
+Multiple prospective clients of Corda Connect expressed concerns about privacy of the nodes and CorDapps they are going to run.
+Ability to discover every node in Compatibility Zone through a global network map was not seen as a good design as it 
+will allow competing firms to have an insight into on-boarding of the new clients, businesses and flows.
+
+In order to address those privacy concerns Business Networks were introduced as a way to partition nodes into groups 
+based on a need-to-know principle. 
+
+This design document reflects on what was previously discussed on this Confluence page
+[Business Network Membership](https://r3-cev.atlassian.net/wiki/spaces/CCD/pages/131972363/Business+Network+Membership)
+
+## Scope
+
+### Goals
+
+* Allow Corda Connect participants to create private business networks and allow the owner of the network decide which
+parties will be included into it;
+
+* Not to allow parties outside of the Business Network to discover the content of the Business Network;
+
+* Provide a reference implementation for a BNO node which enables the node operator to perform actions stated above. 
+
+### Non-goals
+
+* To mandate Business Networks. Business Networks are offered as on optional extra which some of the CorDapps may chose to use;
+
+* To constrain all BNOs to adopt a single consistent CorDapp, for which the design (flows, persistence etc.) is controlled by R3;
+
+* To define inclusion/exclusion or authorisation criteria for admitting a node into a Business Network.  
+
+## Timeline
+
+This is a long-term solution initially aimed to support Project Agent go-live implementation in Q2 2018. 
+
+## Requirements
+
+See [Identity high-level requirements](https://r3-cev.atlassian.net/wiki/spaces/CCD/pages/131746442/Identity+high-level+requirements)
+for the full set of requirements discussed to date.
+
+Given the following roles:
+
+| Role name                   | Definition |
+| --------------------------- | ---------- |
+| Compatibility Zone Operator | Responsible for administering the overall Compatibility Zone. Usually R3. |
+| Business Network Operator   | Responsible for a specific business network within the Corda Connect Compatibility Zone. |
+| Node User                   | Uses a Corda node to carry out transactions on their own behalf. In the case of a self-owned deployment, the Node User can also be the Node Operator. |
+| Node Operator               | Responsible for management of a particular corda node (deployment, configuration etc.) on behalf of the Node User. |
+
+The following requirements are addressed as follows:
+
+| Role                        | Requirement                                                                                        | How design satisfies requirement |
+| --------------------------- | -------------------------------------------------------------------------------------------------- | -------------------------------- |
+| Compatibility Zone Operator | To support multiple business networks operating across the CZ.                                     | Current design supports any number of membership lists, each of which defines a business network. |
+| Compatibility Zone Operator | To permission a Business Network Operator to provision my services to its members.                 | Individual CordApps will be responsible for checking Business Network membership constrains. |
+| Compatibility Zone Operator | To revoke the ability for a specific Business Network Operator to operate within my CZ.            | The membership lists are configurable and business networks can have their membership lists removed when needed. |
+| Business Network Operator   | To be able to permission nodes to access my Business Network.                                      | The BNO will ensure that the CorDapp is designed to keep each node's copy of the membership list up-to-date on a timely basis as new members are added to the business network. |
+| Business Network Operator   | To revoke access to my business network by any member.                                             | The BNO will ensure that the CorDapp is designed to keep each node's copy of the membership list up-to-date on a timely basis as members are removed from the business network. The BNO will be able to decide, through the timing of the membership list checks in the CorDapp flow design, whether in-flight flows should be exited upon revocation, or simply to avoid starting new flows. |
+| Business Network Operator   | To protect knowledge of the membership of my Business Network from parties who don't need to know. | The BNO node upon receiving an enquiry to deliver membership list will first check identity of the caller against membership list. If the identity does not belong to the membership list the content of the membership will not be served. Optionally, Business Network membership list may be made available for discovery by the nodes outside of membership list. |
+| Business Network Operator   | To help members of my Business Network to discover each other.                                     | The BNO node will be able to serve the full list of membership participants at a minimum and may also have an API to perform the fuzzy matches. |
+| Node User                   | To request the termination of my identity within the CZ / business network.                        | A member may ask a BNO to exclude them from a business network, and it will be in the BNO's commercial interest to do so. They can be obliged to do so reliably under the terms of the R3Net agreement. |
+| Node Operator               | To control the IP address on which my node receives messages in relation to a specific CorDapp.    | Nodes may choose to publish different `NodeInfos` to different business networks. Business network-specific CorDapps will ensure that that the `NodeInfo` served by the business network is used for addressing that node. |
+
+## Design Decisions
+
+* Per [New Network Map](https://r3-cev.atlassian.net/wiki/spaces/AWG/pages/127710793/New+Network+Map):
+   * R3 will serve a file containing NetworkParameters to all members of the Corda Connect Compatibility Zone, made publicly available via CDN. 
+     *NetworkParameters are only served by the network map and cannot be overwritten by BNOs*.
+   * The network map file will continue to serve references to downloadable entries 
+   (Signed `NodeInfo` file with the node's certificate chain, IP addresses etc. for a given node) for any nodes which wish to be publicly discoverable by all CZ members.
+
+* Nodes **may individually choose** to publish to the global network map by posting their entry to an R3-provided endpoint, 
+but are **not required to do so**.
+
+* BNO nodes expose a range of services to their membership over normal Corda flows (via a custom BNO CorDapp deployed on their BNO node).
+The BNO is free to define whatever services apply in the context of their business network; these will typically include:     
+   * Managing requests to join/leave the business network;
+   * Accepting uploads of network map entries (signed `NodeInfos`) from business network members.
+   *A node may choose to publish different `NodeInfos` to different business networks in order to indicate that they want 
+   to be addressed on a given IP in relation to a given set of traffic.*
+   * Vending a membership list of distinguished names (DNs) that a given party within the business network is allowed 
+   to see / transact with, for use in 'address book' / 'drop-down' type UI functionality. 
+   *The structure of the membership list may be tailored according to the needs of the BNO and, according to the needs 
+   of the CorDapp, it may either be expressed as a subclass of the `NetworkMapCache` itself or as a standalone data structure in its own right.*
+   * Vending `NodeInfos` in response to lookup requests by a business network member for a particular DN 
+   (more sophisticated query options may also be offered), which are integrated into the node's local `NetworkMapCache`.
+   *A node may acquire multiple `NodeInfos` in relation to the same DN via its association with multiple business networks
+   and needs a mechanism to (a) retain distinctions between them, (b) when initiating a flow by a specific CorDapp, 
+   preferentially address messages to the IP(s) referenced in the `NodeInfo` served by the associated business network.* 
+
+* For each **Business Network-specific CorDapp**, the CorDapp developer will include features to restrict such that the
+CorDapp cannot be used to transact with non-members. Namely:
+   * any 'address-book' features in that CorDapp are filtered according to the membership list;
+   * any `InitiatedBy` flow will first check that the initiating party is on the membership list, and throw a `FlowException` if it is not.
+
+## Target Solution
+
+*Illustration of services exposed by both network map and BNO node. Interface names shown are indicative and may be changed as needed.*
+
+![Business Network diagram](businessNetwork.png)
+
+## Complementary solutions
+
+* No requirement to change the Network Map design currently proposed in
+[New Network Map](https://r3-cev.atlassian.net/wiki/spaces/AWG/pages/127710793/New+Network+Map);
+* Data model for `NetworkMapCache` needs to be able to manage potential conflicts between `NodeInfos` downloaded from different
+network maps, and supply the correct one when needed. 
+
+## Final recommendation
+
+* Proceed with reference implementation as detailed by [this Jira](https://r3-cev.atlassian.net/browse/R3NET-546).
+* Provision of mechanisms to bind accessibility of CorDapp flows to named parties on a membership list.
+
+TECHNICAL DESIGN (this section is WIP)
+---
+
+## Interfaces
+
+* No impact on Public APIs
+* Internal APIs impacted
+* Modules impacted
+
+    * Illustrate with Software Component diagrams
+
+## Functional
+
+* UI requirements
+
+    * Illustrate with UI Mockups and/or Wireframes
+
+* (Subsystem) Components descriptions and interactions)
+
+    Consider and list existing impacted components and services within Corda:
+
+    * Doorman
+    * Network Map
+    * Public API's (ServiceHub, RPCOps)
+    * Vault
+    * Notaries
+    * Identity services
+    * Flow framework
+    * Attachments
+    * Core data structures, libraries or utilities
+    * Testing frameworks
+    * Pluggable infrastructure: DBs, Message Brokers, LDAP
+
+* Data model & serialization impact and changes required
+
+    * Illustrate with ERD diagrams
+
+* Infrastructure services: persistence (schemas), messaging
+
+## Non-Functional
+
+* Performance
+* Scalability
+* High Availability
+
+## Operational
+
+* Deployment
+
+    * Versioning
+
+* Maintenance
+
+    * Upgradability, migration
+
+* Management
+
+    * Audit, alerting, monitoring, backup/recovery, archiving
+
+## Security
+
+* Data privacy
+* Authentication
+* Access control
+
+## Software Development Tools and Programming Standards to be adopted.
+
+* languages
+* frameworks
+* 3rd party libraries
+* architectural / design patterns
+* supporting tools
+
+## Testability
+
+* Unit
+* Integration
+* Smoke
+* Non-functional (performance)
+
+APPENDICES
+---

From d31f27571bf9b11673aaa12c20e54d309973b756 Mon Sep 17 00:00:00 2001
From: Ross Nicoll <jrn@jrn.me.uk>
Date: Wed, 20 Dec 2017 12:59:01 +0000
Subject: [PATCH 5/6] Switch from KRYO serialization to AMQP (#229)

---
 .../main/kotlin/com/r3/corda/networkmanage/doorman/Main.kt    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/Main.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/Main.kt
index ce34342627..1779dfcbab 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/Main.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/Main.kt
@@ -23,7 +23,7 @@ import net.corda.core.utilities.loggerFor
 import net.corda.nodeapi.internal.crypto.*
 import net.corda.nodeapi.internal.network.NetworkParameters
 import net.corda.nodeapi.internal.persistence.CordaPersistence
-import net.corda.nodeapi.internal.serialization.KRYO_P2P_CONTEXT
+import net.corda.nodeapi.internal.serialization.AMQP_P2P_CONTEXT
 import net.corda.nodeapi.internal.serialization.SerializationFactoryImpl
 import net.corda.nodeapi.internal.serialization.amqp.AMQPClientSerializationScheme
 import org.bouncycastle.pkcs.PKCS10CertificationRequest
@@ -301,7 +301,7 @@ fun main(args: Array<String>) {
 }
 
 private fun initialiseSerialization() {
-    val context = KRYO_P2P_CONTEXT
+    val context = AMQP_P2P_CONTEXT
     nodeSerializationEnv = SerializationEnvironmentImpl(
             SerializationFactoryImpl().apply {
                 registerScheme(AMQPClientSerializationScheme())

From d48bc41a7ceaa303cbdf5ab3e0b6a5a4e6408a11 Mon Sep 17 00:00:00 2001
From: Shams Asari <shams.asari@r3.com>
Date: Wed, 20 Dec 2017 13:01:19 +0000
Subject: [PATCH 6/6] Revert "Shams os merge 191217 (#223)"

This reverts commit 2461421
---
 .ci/api-current.txt                           |   2 +-
 .../net/corda/core/identity/CordaX500Name.kt  |   8 +-
 .../net/corda/core/internal/InternalUtils.kt  |   8 -
 .../corda/core/node/services/NotaryService.kt |  14 +-
 .../corda/core/crypto/CompositeKeyTests.kt    |  11 +-
 .../AttachmentSerializationTest.kt            |   2 +-
 docs/source/generating-a-node.rst             |   2 +
 docs/source/hello-world-running.rst           |   2 +-
 .../doorman/DoormanIntegrationTest.kt         |  19 +--
 .../persistence/PersistentNodeInfoStorage.kt  |  75 ++++-----
 .../doorman/signer/LocalSigner.kt             |  11 +-
 .../networkmanage/hsm/utils/X509Utils.kt      |   3 +-
 .../persistence/DBNetworkMapStorageTest.kt    |  68 +++++---
 .../PersitenceNodeInfoStorageTest.kt          | 147 +++++++++++-------
 .../doorman/NodeInfoWebServiceTest.kt         |  46 ++++--
 ...nerator.kt => ServiceIdentityGenerator.kt} |  44 ++----
 .../nodeapi/internal/crypto/X509Utilities.kt  |  12 +-
 .../node/services/BFTNotaryServiceTests.kt    |   8 +-
 .../node/services/MySQLNotaryServiceTests.kt  |   8 +-
 .../node/services/RaftNotaryServiceTests.kt   |   7 +-
 .../services/messaging/P2PMessagingTest.kt    |   5 +-
 .../net/corda/node/internal/AbstractNode.kt   |  29 ++--
 .../node/services/config/ConfigUtilities.kt   |   9 +-
 .../identity/InMemoryIdentityService.kt       |   1 -
 .../identity/PersistentIdentityService.kt     |   1 -
 .../BFTNonValidatingNotaryService.kt          |  11 +-
 .../transactions/MySQLNotaryService.kt        |   6 +
 .../RaftNonValidatingNotaryService.kt         |  13 +-
 .../RaftValidatingNotaryService.kt            |  13 +-
 .../transactions/ValidatingNotaryService.kt   |   4 +-
 .../registration/NetworkRegistrationHelper.kt |   5 +-
 .../statemachine/FlowFrameworkTests.kt        |   2 +-
 .../NetworkRegistrationHelperTest.kt          | 111 +++++++------
 .../net/corda/notarydemo/BFTNotaryCordform.kt |  12 +-
 .../corda/notarydemo/RaftNotaryCordform.kt    |  11 +-
 testing/node-driver/build.gradle              |   2 +-
 .../kotlin/net/corda/testing/node/MockNode.kt |  88 +++++------
 .../testing/node/internal/DriverDSLImpl.kt    |  42 +++--
 .../corda/testing/node/MockNetworkTests.kt    |  18 ---
 .../kotlin/net/corda/testing/CoreTestUtils.kt |   5 +-
 .../corda/demobench/model/NodeController.kt   |   7 +-
 41 files changed, 482 insertions(+), 410 deletions(-)
 rename node-api/src/main/kotlin/net/corda/nodeapi/internal/{IdentityGenerator.kt => ServiceIdentityGenerator.kt} (53%)
 delete mode 100644 testing/node-driver/src/test/kotlin/net/corda/testing/node/MockNetworkTests.kt

diff --git a/.ci/api-current.txt b/.ci/api-current.txt
index 09b766e46d..5fd0e2262b 100644
--- a/.ci/api-current.txt
+++ b/.ci/api-current.txt
@@ -1862,7 +1862,7 @@ public @interface net.corda.core.node.services.CordaService
   @org.jetbrains.annotations.NotNull public static final String ID_PREFIX = "corda.notary."
 ##
 public static final class net.corda.core.node.services.NotaryService$Companion extends java.lang.Object
-  @kotlin.Deprecated @org.jetbrains.annotations.NotNull public final String constructId(boolean, boolean, boolean, boolean)
+  @org.jetbrains.annotations.NotNull public final String constructId(boolean, boolean, boolean, boolean)
 ##
 public abstract class net.corda.core.node.services.PartyInfo extends java.lang.Object
   @org.jetbrains.annotations.NotNull public abstract net.corda.core.identity.Party getParty()
diff --git a/core/src/main/kotlin/net/corda/core/identity/CordaX500Name.kt b/core/src/main/kotlin/net/corda/core/identity/CordaX500Name.kt
index ad315c065e..0b6a3ddeb7 100644
--- a/core/src/main/kotlin/net/corda/core/identity/CordaX500Name.kt
+++ b/core/src/main/kotlin/net/corda/core/identity/CordaX500Name.kt
@@ -2,7 +2,7 @@ package net.corda.core.identity
 
 import com.google.common.collect.ImmutableSet
 import net.corda.core.internal.LegalNameValidator
-import net.corda.core.internal.unspecifiedCountry
+import net.corda.core.internal.VisibleForTesting
 import net.corda.core.internal.x500Name
 import net.corda.core.serialization.CordaSerializable
 import org.bouncycastle.asn1.ASN1Encodable
@@ -36,9 +36,7 @@ data class CordaX500Name(val commonName: String?,
                          val locality: String,
                          val state: String?,
                          val country: String) {
-    constructor(commonName: String, organisation: String, locality: String, country: String) :
-            this(commonName = commonName, organisationUnit = null, organisation = organisation, locality = locality, state = null, country = country)
-
+    constructor(commonName: String, organisation: String, locality: String, country: String) : this(commonName = commonName, organisationUnit = null, organisation = organisation, locality = locality, state = null, country = country)
     /**
      * @param organisation name of the organisation.
      * @param locality locality of the organisation, typically nearest major city.
@@ -81,6 +79,8 @@ data class CordaX500Name(val commonName: String?,
         const val MAX_LENGTH_ORGANISATION_UNIT = 64
         const val MAX_LENGTH_COMMON_NAME = 64
         private val supportedAttributes = setOf(BCStyle.O, BCStyle.C, BCStyle.L, BCStyle.CN, BCStyle.ST, BCStyle.OU)
+        @VisibleForTesting
+        val unspecifiedCountry = "ZZ"
         private val countryCodes: Set<String> = ImmutableSet.copyOf(Locale.getISOCountries() + unspecifiedCountry)
         @JvmStatic
         fun build(principal: X500Principal): CordaX500Name {
diff --git a/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt b/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
index 42145a2f26..36022463ff 100644
--- a/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
+++ b/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
@@ -5,7 +5,6 @@ package net.corda.core.internal
 import net.corda.core.cordapp.CordappProvider
 import net.corda.core.crypto.SecureHash
 import net.corda.core.crypto.sha256
-import net.corda.core.identity.CordaX500Name
 import net.corda.core.node.ServicesForResolution
 import net.corda.core.serialization.SerializationContext
 import net.corda.core.transactions.TransactionBuilder
@@ -119,8 +118,6 @@ fun Path.isDirectory(vararg options: LinkOption): Boolean = Files.isDirectory(th
 inline val Path.size: Long get() = Files.size(this)
 inline fun <R> Path.list(block: (Stream<Path>) -> R): R = Files.list(this).use(block)
 fun Path.deleteIfExists(): Boolean = Files.deleteIfExists(this)
-fun Path.reader(charset: Charset = UTF_8): BufferedReader = Files.newBufferedReader(this, charset)
-fun Path.writer(charset: Charset = UTF_8, vararg options: OpenOption): BufferedWriter = Files.newBufferedWriter(this, charset, *options)
 fun Path.readAll(): ByteArray = Files.readAllBytes(this)
 inline fun <R> Path.read(vararg options: OpenOption, block: (InputStream) -> R): R = Files.newInputStream(this, *options).use(block)
 inline fun Path.write(createDirs: Boolean = false, vararg options: OpenOption = emptyArray(), block: (OutputStream) -> Unit) {
@@ -319,8 +316,3 @@ fun ExecutorService.join() {
         // Try forever. Do not give up, tests use this method to assert the executor has no more tasks.
     }
 }
-
-@Suppress("unused")
-@VisibleForTesting
-val CordaX500Name.Companion.unspecifiedCountry
-    get() = "ZZ"
diff --git a/core/src/main/kotlin/net/corda/core/node/services/NotaryService.kt b/core/src/main/kotlin/net/corda/core/node/services/NotaryService.kt
index 8c6a160618..0c928a7b59 100644
--- a/core/src/main/kotlin/net/corda/core/node/services/NotaryService.kt
+++ b/core/src/main/kotlin/net/corda/core/node/services/NotaryService.kt
@@ -15,16 +15,22 @@ import java.security.PublicKey
 
 abstract class NotaryService : SingletonSerializeAsToken() {
     companion object {
-        @Deprecated("No longer used")
         const val ID_PREFIX = "corda.notary."
-        @Deprecated("No longer used")
-        fun constructId(validating: Boolean, raft: Boolean = false, bft: Boolean = false, custom: Boolean = false): String {
-            require(Booleans.countTrue(raft, bft, custom) <= 1) { "At most one of raft, bft or custom may be true" }
+        @JvmOverloads
+        fun constructId(
+                validating: Boolean,
+                raft: Boolean = false,
+                bft: Boolean = false,
+                custom: Boolean = false,
+                mysql: Boolean = false
+        ): String {
+            require(Booleans.countTrue(raft, bft, custom, mysql) <= 1) { "At most one of raft, bft, mysql or custom may be true" }
             return StringBuffer(ID_PREFIX).apply {
                 append(if (validating) "validating" else "simple")
                 if (raft) append(".raft")
                 if (bft) append(".bft")
                 if (custom) append(".custom")
+                if (mysql) append(".mysql")
             }.toString()
         }
     }
diff --git a/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt b/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt
index 751037b1ee..734505498d 100644
--- a/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt
+++ b/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt
@@ -9,8 +9,8 @@ import net.corda.core.serialization.serialize
 import net.corda.core.utilities.OpaqueBytes
 import net.corda.core.utilities.toBase58String
 import net.corda.nodeapi.internal.crypto.*
-import net.corda.testing.SerializationEnvironmentRule
 import net.corda.testing.internal.kryoSpecific
+import net.corda.testing.SerializationEnvironmentRule
 import org.junit.Rule
 import org.junit.Test
 import org.junit.rules.TemporaryFolder
@@ -24,7 +24,6 @@ class CompositeKeyTests {
     @Rule
     @JvmField
     val testSerialization = SerializationEnvironmentRule()
-
     @Rule
     @JvmField
     val tempFolder: TemporaryFolder = TemporaryFolder()
@@ -41,9 +40,9 @@ class CompositeKeyTests {
     private val secureHash = message.sha256()
 
     // By lazy is required so that the serialisers are configured before vals initialisation takes place (they internally invoke serialise).
-    private val aliceSignature by lazy { aliceKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(alicePublicKey).schemeNumberID))) }
-    private val bobSignature by lazy { bobKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(bobPublicKey).schemeNumberID))) }
-    private val charlieSignature by lazy { charlieKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(charliePublicKey).schemeNumberID))) }
+    val aliceSignature by lazy { aliceKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(alicePublicKey).schemeNumberID))) }
+    val bobSignature by lazy { bobKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(bobPublicKey).schemeNumberID))) }
+    val charlieSignature by lazy { charlieKey.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(charliePublicKey).schemeNumberID))) }
 
     @Test
     fun `(Alice) fulfilled by Alice signature`() {
@@ -338,7 +337,7 @@ class CompositeKeyTests {
         val ca = X509Utilities.createSelfSignedCACertificate(caName, caKeyPair)
 
         // Sign the composite key with the self sign CA.
-        val compositeKeyCert = X509Utilities.createCertificate(CertificateType.LEGAL_IDENTITY, ca, caKeyPair, caName, compositeKey)
+        val compositeKeyCert = X509Utilities.createCertificate(CertificateType.LEGAL_IDENTITY, ca, caKeyPair, caName.copy(commonName = "CompositeKey"), compositeKey)
 
         // Store certificate to keystore.
         val keystorePath = tempFolder.root.toPath() / "keystore.jks"
diff --git a/core/src/test/kotlin/net/corda/core/serialization/AttachmentSerializationTest.kt b/core/src/test/kotlin/net/corda/core/serialization/AttachmentSerializationTest.kt
index d72d7068d4..940d959860 100644
--- a/core/src/test/kotlin/net/corda/core/serialization/AttachmentSerializationTest.kt
+++ b/core/src/test/kotlin/net/corda/core/serialization/AttachmentSerializationTest.kt
@@ -159,7 +159,7 @@ class AttachmentSerializationTest {
 
     private fun rebootClientAndGetAttachmentContent(checkAttachmentsOnLoad: Boolean = true): String {
         client.dispose()
-        client = mockNet.createNode(MockNodeParameters(client.internals.id, client.internals.configuration.myLegalName), { args ->
+        client = mockNet.createNode(MockNodeParameters(client.internals.id), { args ->
             object : MockNetwork.MockNode(args) {
                 override fun start() = super.start().apply { attachments.checkAttachmentsOnLoad = checkAttachmentsOnLoad }
             }
diff --git a/docs/source/generating-a-node.rst b/docs/source/generating-a-node.rst
index eee15b3d5d..4a721e304d 100644
--- a/docs/source/generating-a-node.rst
+++ b/docs/source/generating-a-node.rst
@@ -92,6 +92,7 @@ nodes. Here is an example ``Cordform`` task called ``deployNodes`` that creates
         }
         node {
             name "O=PartyA,L=London,C=GB"
+            advertisedServices = []
             p2pPort  10005
             rpcPort  10006
             webPort  10007
@@ -102,6 +103,7 @@ nodes. Here is an example ``Cordform`` task called ``deployNodes`` that creates
         }
         node {
             name "O=PartyB,L=New York,C=US"
+            advertisedServices = []
             p2pPort  10009
             rpcPort  10010
             webPort  10011
diff --git a/docs/source/hello-world-running.rst b/docs/source/hello-world-running.rst
index 4ac394d26c..592cfee44c 100644
--- a/docs/source/hello-world-running.rst
+++ b/docs/source/hello-world-running.rst
@@ -22,7 +22,7 @@ service.
         directory "./build/nodes"
         node {
             name "O=Controller,L=London,C=GB"
-            notary = [validating : true]
+            advertisedServices = ["corda.notary.validating"]
             p2pPort 10002
             rpcPort 10003
             cordapps = ["net.corda:corda-finance:$corda_release_version"]
diff --git a/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/doorman/DoormanIntegrationTest.kt b/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/doorman/DoormanIntegrationTest.kt
index 5993cef210..fe919f6114 100644
--- a/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/doorman/DoormanIntegrationTest.kt
+++ b/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/doorman/DoormanIntegrationTest.kt
@@ -3,6 +3,7 @@ package com.r3.corda.networkmanage.doorman
 import com.nhaarman.mockito_kotlin.doReturn
 import com.nhaarman.mockito_kotlin.whenever
 import com.r3.corda.networkmanage.common.persistence.configureDatabase
+import com.r3.corda.networkmanage.common.utils.buildCertPath
 import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import com.r3.corda.networkmanage.doorman.signer.LocalSigner
 import net.corda.core.crypto.Crypto
@@ -29,6 +30,7 @@ import net.corda.testing.SerializationEnvironmentRule
 import net.corda.testing.common.internal.testNetworkParameters
 import net.corda.testing.internal.rigorousMock
 import org.bouncycastle.cert.X509CertificateHolder
+import org.junit.Ignore
 import org.junit.Rule
 import org.junit.Test
 import org.junit.rules.TemporaryFolder
@@ -76,7 +78,7 @@ class DoormanIntegrationTest {
 
         loadKeyStore(config.nodeKeystore, config.keyStorePassword).apply {
             assert(containsAlias(X509Utilities.CORDA_CLIENT_CA))
-            assertEquals(ALICE_NAME.x500Principal, getX509Certificate(X509Utilities.CORDA_CLIENT_CA).subjectX500Principal)
+            assertEquals(ALICE_NAME.copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN).x500Principal, getX509Certificate(X509Utilities.CORDA_CLIENT_CA).subjectX500Principal)
             assertEquals(listOf(intermediateCACert.cert, rootCACert.cert), getCertificateChain(X509Utilities.CORDA_CLIENT_CA).drop(1).toList())
         }
 
@@ -118,18 +120,13 @@ class DoormanIntegrationTest {
 
         // Publish NodeInfo
         val networkMapClient = NetworkMapClient(config.compatibilityZoneURL!!, rootCertAndKey.certificate.cert)
-
-        val keyStore = loadKeyStore(config.nodeKeystore, config.keyStorePassword)
-        val clientCertPath = keyStore.getCertificateChain(X509Utilities.CORDA_CLIENT_CA)
-        val clientCA = keyStore.getCertificateAndKeyPair(X509Utilities.CORDA_CLIENT_CA, config.keyStorePassword)
-        val identityKeyPair = Crypto.generateKeyPair()
-        val identityCert = X509Utilities.createCertificate(CertificateType.LEGAL_IDENTITY, clientCA.certificate, clientCA.keyPair, ALICE_NAME, identityKeyPair.public)
-        val certPath = X509CertificateFactory().generateCertPath(identityCert.cert, *clientCertPath)
-        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
+        val certs = loadKeyStore(config.nodeKeystore, config.keyStorePassword).getCertificateChain(X509Utilities.CORDA_CLIENT_CA)
+        val keyPair = loadKeyStore(config.nodeKeystore, config.keyStorePassword).getKeyPair(X509Utilities.CORDA_CLIENT_CA, config.keyStorePassword)
+        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(buildCertPath(*certs))), 1, serial = 1L)
         val nodeInfoBytes = nodeInfo.serialize()
 
         // When
-        val signedNodeInfo = SignedNodeInfo(nodeInfoBytes, listOf(identityKeyPair.private.sign(nodeInfoBytes.bytes)))
+        val signedNodeInfo = SignedNodeInfo(nodeInfoBytes, listOf(keyPair.sign(nodeInfoBytes)))
         networkMapClient.publish(signedNodeInfo)
 
         // Then
@@ -140,7 +137,7 @@ class DoormanIntegrationTest {
         doorman.close()
     }
 
-    private fun createConfig(): NodeConfiguration {
+    fun createConfig(): NodeConfiguration {
         return rigorousMock<NodeConfiguration>().also {
             doReturn(tempFolder.root.toPath()).whenever(it).baseDirectory
             doReturn(ALICE_NAME).whenever(it).myLegalName
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt
index 1d4af91246..7f1d331877 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt
@@ -1,60 +1,65 @@
 package com.r3.corda.networkmanage.common.persistence
 
-import com.r3.corda.networkmanage.common.persistence.entity.CertificateDataEntity
-import com.r3.corda.networkmanage.common.persistence.entity.CertificateSigningRequestEntity
-import com.r3.corda.networkmanage.common.persistence.entity.NodeInfoEntity
+import com.r3.corda.networkmanage.common.persistence.entity.*
 import com.r3.corda.networkmanage.common.utils.buildCertPath
 import net.corda.core.crypto.SecureHash
 import net.corda.core.crypto.sha256
-import net.corda.core.internal.CertRole
+import net.corda.core.identity.CordaX500Name
+import net.corda.core.serialization.SerializedBytes
 import net.corda.core.serialization.serialize
 import net.corda.nodeapi.internal.SignedNodeInfo
 import net.corda.nodeapi.internal.persistence.CordaPersistence
 import net.corda.nodeapi.internal.persistence.TransactionIsolationLevel
 import java.security.cert.CertPath
+import java.security.cert.X509Certificate
 
 /**
  * Database implementation of the [NetworkMapStorage] interface
  */
 class PersistentNodeInfoStorage(private val database: CordaPersistence) : NodeInfoStorage {
-    override fun putNodeInfo(signedNodeInfo: SignedNodeInfo): SecureHash {
-        return database.transaction(TransactionIsolationLevel.SERIALIZABLE) {
-            val nodeInfo = signedNodeInfo.verified()
-            val nodeCaCert = nodeInfo.legalIdentitiesAndCerts[0].certPath.certificates.find { CertRole.extract(it) == CertRole.NODE_CA }
+    override fun putNodeInfo(signedNodeInfo: SignedNodeInfo): SecureHash = database.transaction(TransactionIsolationLevel.SERIALIZABLE) {
+        val nodeInfo = signedNodeInfo.verified()
+        val orgName = nodeInfo.legalIdentities.first().name.organisation
+        // TODO: use cert extension to identify NodeCA cert when Ross's work is in.
+        val nodeCACert = nodeInfo.legalIdentitiesAndCerts.first().certPath.certificates.map { it as X509Certificate }
+                .find { CordaX500Name.build(it.issuerX500Principal).organisation != orgName && CordaX500Name.build(it.subjectX500Principal).organisation == orgName }
 
-            val request = nodeCaCert?.let {
-                singleRequestWhere(CertificateDataEntity::class.java) { builder, path ->
-                    val certPublicKeyHashEq = builder.equal(path.get<String>(CertificateDataEntity::publicKeyHash.name), it.publicKey.encoded.sha256().toString())
-                    val certStatusValid = builder.equal(path.get<CertificateStatus>(CertificateDataEntity::certificateStatus.name), CertificateStatus.VALID)
-                    builder.and(certPublicKeyHashEq, certStatusValid)
-                }
+        val request = nodeCACert?.let {
+            singleRequestWhere(CertificateDataEntity::class.java) { builder, path ->
+                val certPublicKeyHashEq = builder.equal(path.get<String>(CertificateDataEntity::publicKeyHash.name), it.publicKey.encoded.sha256().toString())
+                val certStatusValid = builder.equal(path.get<CertificateStatus>(CertificateDataEntity::certificateStatus.name), CertificateStatus.VALID)
+                builder.and(certPublicKeyHashEq, certStatusValid)
             }
-            request ?: throw IllegalArgumentException("Unknown node info, this public key is not registered with the network management service.")
-
-            /*
-             * Delete any previous [NodeInfoEntity] instance for this CSR
-             * Possibly it should be moved at the network signing process at the network signing process
-             * as for a while the network map will have invalid entries (i.e. hashes for node info which have been
-             * removed). Either way, there will be a period of time when the network map data will be invalid
-             * but it has been confirmed that this fact has been acknowledged at the design time and we are fine with it.
-             */
-            deleteRequest(NodeInfoEntity::class.java) { builder, path ->
-                builder.equal(path.get<CertificateSigningRequestEntity>(NodeInfoEntity::certificateSigningRequest.name), request.certificateSigningRequest)
-            }
-            val hash = signedNodeInfo.raw.hash
-
-            val hashedNodeInfo = NodeInfoEntity(
-                    nodeInfoHash = hash.toString(),
-                    certificateSigningRequest = request.certificateSigningRequest,
-                    signedNodeInfoBytes = signedNodeInfo.serialize().bytes)
-            session.save(hashedNodeInfo)
-            hash
         }
+        request ?: throw IllegalArgumentException("Unknown node info, this public key is not registered with the network management service.")
+        /*
+         * Delete any previous [NodeInfoEntity] instance for this CSR
+         * Possibly it should be moved at the network signing process at the network signing process
+         * as for a while the network map will have invalid entries (i.e. hashes for node info which have been
+         * removed). Either way, there will be a period of time when the network map data will be invalid
+         * but it has been confirmed that this fact has been acknowledged at the design time and we are fine with it.
+         */
+        deleteRequest(NodeInfoEntity::class.java) { builder, path ->
+            builder.equal(path.get<CertificateSigningRequestEntity>(NodeInfoEntity::certificateSigningRequest.name), request.certificateSigningRequest)
+        }
+        val hash = signedNodeInfo.raw.hash
+
+        val hashedNodeInfo = NodeInfoEntity(
+                nodeInfoHash = hash.toString(),
+                certificateSigningRequest = request.certificateSigningRequest,
+                signedNodeInfoBytes = signedNodeInfo.serialize().bytes)
+        session.save(hashedNodeInfo)
+        hash
     }
 
     override fun getNodeInfo(nodeInfoHash: SecureHash): SignedNodeInfo? {
         return database.transaction {
-            session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.signedNodeInfo()
+            val nodeInfoEntity = session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())
+            if (nodeInfoEntity == null) {
+                null
+            } else {
+                nodeInfoEntity.signedNodeInfo()
+            }
         }
     }
 
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/signer/LocalSigner.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/signer/LocalSigner.kt
index 50a7b7f971..cb6e253536 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/signer/LocalSigner.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/doorman/signer/LocalSigner.kt
@@ -2,10 +2,10 @@ package com.r3.corda.networkmanage.doorman.signer
 
 import com.r3.corda.networkmanage.common.signer.Signer
 import com.r3.corda.networkmanage.common.utils.buildCertPath
+import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import com.r3.corda.networkmanage.common.utils.withCert
 import net.corda.core.crypto.sign
 import net.corda.core.identity.CordaX500Name
-import net.corda.core.internal.cert
 import net.corda.core.internal.toX509CertHolder
 import net.corda.nodeapi.internal.crypto.CertificateType
 import net.corda.nodeapi.internal.crypto.X509Utilities
@@ -33,14 +33,13 @@ class LocalSigner(private val caKeyPair: KeyPair, private val caCertPath: Array<
         val nameConstraints = NameConstraints(
                 arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, request.subject))),
                 arrayOf())
-        val nodeCaCert = X509Utilities.createCertificate(
-                CertificateType.NODE_CA,
+        val clientCertificate = X509Utilities.createCertificate(CertificateType.NODE_CA,
                 caCertPath.first().toX509CertHolder(),
                 caKeyPair,
-                CordaX500Name.parse(request.subject.toString()),
+                CordaX500Name.parse(request.subject.toString()).copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN),
                 request.publicKey,
-                nameConstraints = nameConstraints)
-        return buildCertPath(nodeCaCert.cert, *caCertPath)
+                nameConstraints = nameConstraints).toX509Certificate()
+        return buildCertPath(clientCertificate, *caCertPath)
     }
 
     override fun sign(data: ByteArray): DigitalSignatureWithCert {
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/X509Utils.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/X509Utils.kt
index 22e94ec1b5..671841746d 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/X509Utils.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/X509Utils.kt
@@ -7,6 +7,7 @@ import net.corda.core.internal.toX509CertHolder
 import net.corda.core.internal.x500Name
 import net.corda.nodeapi.internal.crypto.CertificateAndKeyPair
 import net.corda.nodeapi.internal.crypto.CertificateType
+import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.crypto.getX509Certificate
 import org.bouncycastle.asn1.ASN1EncodableVector
 import org.bouncycastle.asn1.ASN1Sequence
@@ -183,7 +184,7 @@ object X509Utilities {
         val certificateType = CertificateType.NODE_CA
         val validityWindow = getCertificateValidityWindow(0, validDays, issuerCertificate.notBefore, issuerCertificate.notAfter)
         val serial = BigInteger.valueOf(random63BitValue(provider))
-        val subject = CordaX500Name.parse(jcaRequest.subject.toString()).x500Name
+        val subject = CordaX500Name.parse(jcaRequest.subject.toString()).copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN).x500Name
         val subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(jcaRequest.publicKey.encoded))
         val keyPurposes = DERSequence(ASN1EncodableVector().apply { certificateType.purposes.forEach { add(it) } })
         val builder = JcaX509v3CertificateBuilder(issuerCertificate.subject, serial, validityWindow.first, validityWindow.second, subject, jcaRequest.publicKey)
diff --git a/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/DBNetworkMapStorageTest.kt b/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/DBNetworkMapStorageTest.kt
index b7d332a5fe..062d4c5c5a 100644
--- a/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/DBNetworkMapStorageTest.kt
+++ b/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/DBNetworkMapStorageTest.kt
@@ -1,21 +1,24 @@
 package com.r3.corda.networkmanage.common.persistence
 
 import com.r3.corda.networkmanage.TestBase
+import com.r3.corda.networkmanage.common.utils.buildCertPath
+import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import com.r3.corda.networkmanage.common.utils.withCert
 import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.sign
 import net.corda.core.identity.CordaX500Name
+import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.internal.cert
+import net.corda.core.node.NodeInfo
 import net.corda.core.serialization.serialize
+import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.nodeapi.internal.SignedNodeInfo
 import net.corda.nodeapi.internal.crypto.CertificateType
-import net.corda.nodeapi.internal.crypto.X509CertificateFactory
 import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.network.NetworkMap
 import net.corda.nodeapi.internal.network.SignedNetworkMap
 import net.corda.nodeapi.internal.persistence.CordaPersistence
 import net.corda.testing.common.internal.testNetworkParameters
-import net.corda.testing.internal.TestNodeInfoBuilder
 import net.corda.testing.node.MockServices.Companion.makeTestDataSourceProperties
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.After
@@ -28,7 +31,6 @@ class DBNetworkMapStorageTest : TestBase() {
     private lateinit var requestStorage: CertificationRequestStorage
     private lateinit var nodeInfoStorage: NodeInfoStorage
     private lateinit var persistence: CordaPersistence
-
     private val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
     private val rootCACert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(commonName = "Corda Node Root CA", locality = "London", organisation = "R3 LTD", country = "GB"), rootCAKey)
     private val intermediateCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
@@ -51,8 +53,18 @@ class DBNetworkMapStorageTest : TestBase() {
     fun `signNetworkMap creates current network map`() {
         // given
         // Create node info.
-        val signedNodeInfo = createValidSignedNodeInfo("Test")
-        val nodeInfoHash = nodeInfoStorage.putNodeInfo(signedNodeInfo)
+        val organisation = "Test"
+        val requestId = requestStorage.saveRequest(createRequest(organisation).first)
+        requestStorage.markRequestTicketCreated(requestId)
+        requestStorage.approveRequest(requestId, "TestUser")
+        val keyPair = Crypto.generateKeyPair()
+        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisation, locality = "London", country = "GB"), keyPair.public)
+        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        requestStorage.putCertificatePath(requestId, certPath, emptyList())
+        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
+        // Put signed node info data
+        val nodeInfoBytes = nodeInfo.serialize()
+        val nodeInfoHash = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBytes, listOf(keyPair.sign(nodeInfoBytes))))
 
         // Create network parameters
         val networkParametersHash = networkMapStorage.saveNetworkParameters(testNetworkParameters(emptyList()))
@@ -91,11 +103,13 @@ class DBNetworkMapStorageTest : TestBase() {
         // Create network parameters
         val networkMapParametersHash = networkMapStorage.saveNetworkParameters(createNetworkParameters(1))
         // Create empty network map
+        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val intermediateCert = X509Utilities.createCertificate(CertificateType.INTERMEDIATE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = "Corda", locality = "London", country = "GB"), keyPair.public)
 
         // Sign network map making it current network map
         val networkMap = NetworkMap(emptyList(), networkMapParametersHash)
         val serializedNetworkMap = networkMap.serialize()
-        val signatureData = intermediateCAKey.sign(serializedNetworkMap).withCert(intermediateCACert.cert)
+        val signatureData = keyPair.sign(serializedNetworkMap).withCert(intermediateCert.cert)
         val signedNetworkMap = SignedNetworkMap(serializedNetworkMap, signatureData)
         networkMapStorage.saveNetworkMap(signedNetworkMap)
 
@@ -112,19 +126,36 @@ class DBNetworkMapStorageTest : TestBase() {
     @Test
     fun `getValidNodeInfoHashes returns only valid and signed node info hashes`() {
         // given
-        // Create node infos.
-        val signedNodeInfoA = createValidSignedNodeInfo("TestA")
-        val signedNodeInfoB = createValidSignedNodeInfo("TestB")
-
+        // Create node info.
+        val organisationA = "TestA"
+        val requestIdA = requestStorage.saveRequest(createRequest(organisationA).first)
+        requestStorage.markRequestTicketCreated(requestIdA)
+        requestStorage.approveRequest(requestIdA, "TestUser")
+        val keyPairA = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val clientCertA = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisationA, locality = "London", country = "GB"), keyPairA.public)
+        val certPathA = buildCertPath(clientCertA.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        requestStorage.putCertificatePath(requestIdA, certPathA, emptyList())
+        val organisationB = "TestB"
+        val requestIdB = requestStorage.saveRequest(createRequest(organisationB).first)
+        requestStorage.markRequestTicketCreated(requestIdB)
+        requestStorage.approveRequest(requestIdB, "TestUser")
+        val keyPairB = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val clientCertB = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisationB, locality = "London", country = "GB"), keyPairB.public)
+        val certPathB = buildCertPath(clientCertB.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        requestStorage.putCertificatePath(requestIdB, certPathB, emptyList())
+        val nodeInfoA = NodeInfo(listOf(NetworkHostAndPort("my.companyA.com", 1234)), listOf(PartyAndCertificate(certPathA)), 1, serial = 1L)
+        val nodeInfoB = NodeInfo(listOf(NetworkHostAndPort("my.companyB.com", 1234)), listOf(PartyAndCertificate(certPathB)), 1, serial = 1L)
         // Put signed node info data
-        val nodeInfoHashA = nodeInfoStorage.putNodeInfo(signedNodeInfoA)
-        val nodeInfoHashB = nodeInfoStorage.putNodeInfo(signedNodeInfoB)
+        val nodeInfoABytes = nodeInfoA.serialize()
+        val nodeInfoBBytes = nodeInfoB.serialize()
+        val nodeInfoHashA = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoABytes, listOf(keyPairA.sign(nodeInfoABytes))))
+        val nodeInfoHashB = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBBytes, listOf(keyPairB.sign(nodeInfoBBytes))))
 
         // Create network parameters
         val networkParametersHash = networkMapStorage.saveNetworkParameters(createNetworkParameters())
         val networkMap = NetworkMap(listOf(nodeInfoHashA), networkParametersHash)
         val serializedNetworkMap = networkMap.serialize()
-        val signatureData = intermediateCAKey.sign(serializedNetworkMap).withCert(intermediateCACert.cert)
+        val signatureData = keyPairA.sign(serializedNetworkMap).withCert(clientCertA.cert)
         val signedNetworkMap = SignedNetworkMap(serializedNetworkMap, signatureData)
 
         // Sign network map
@@ -136,15 +167,4 @@ class DBNetworkMapStorageTest : TestBase() {
         // then
         assertThat(validNodeInfoHash).containsOnly(nodeInfoHashA, nodeInfoHashB)
     }
-
-    private fun createValidSignedNodeInfo(organisation: String): SignedNodeInfo {
-        val nodeInfoBuilder = TestNodeInfoBuilder()
-        val requestId = requestStorage.saveRequest(createRequest(organisation).first)
-        requestStorage.markRequestTicketCreated(requestId)
-        requestStorage.approveRequest(requestId, "TestUser")
-        val (identity) = nodeInfoBuilder.addIdentity(CordaX500Name(organisation, "London", "GB"))
-        val nodeCaCertPath = X509CertificateFactory().generateCertPath(identity.certPath.certificates.drop(1))
-        requestStorage.putCertificatePath(requestId, nodeCaCertPath, emptyList())
-        return nodeInfoBuilder.buildWithSigned().second
-    }
 }
\ No newline at end of file
diff --git a/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/PersitenceNodeInfoStorageTest.kt b/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/PersitenceNodeInfoStorageTest.kt
index e5b2e37699..1014cde074 100644
--- a/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/PersitenceNodeInfoStorageTest.kt
+++ b/network-management/src/test/kotlin/com/r3/corda/networkmanage/common/persistence/PersitenceNodeInfoStorageTest.kt
@@ -3,34 +3,31 @@ package com.r3.corda.networkmanage.common.persistence
 import com.r3.corda.networkmanage.TestBase
 import com.r3.corda.networkmanage.common.utils.buildCertPath
 import com.r3.corda.networkmanage.common.utils.hashString
+import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.SecureHash
+import net.corda.core.crypto.sign
 import net.corda.core.identity.CordaX500Name
-import net.corda.core.internal.cert
+import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.node.NodeInfo
 import net.corda.core.serialization.serialize
+import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.nodeapi.internal.SignedNodeInfo
 import net.corda.nodeapi.internal.crypto.CertificateType
-import net.corda.nodeapi.internal.crypto.X509CertificateFactory
 import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.persistence.CordaPersistence
-import net.corda.testing.internal.TestNodeInfoBuilder
-import net.corda.testing.internal.signWith
 import net.corda.testing.node.MockServices
-import org.assertj.core.api.Assertions.assertThat
 import org.junit.After
 import org.junit.Before
 import org.junit.Test
-import java.security.PrivateKey
 import kotlin.test.assertEquals
 import kotlin.test.assertNotNull
 import kotlin.test.assertNull
 
 class PersitenceNodeInfoStorageTest : TestBase() {
     private lateinit var requestStorage: CertificationRequestStorage
-    private lateinit var nodeInfoStorage: PersistentNodeInfoStorage
+    private lateinit var nodeInfoStorage: NodeInfoStorage
     private lateinit var persistence: CordaPersistence
-
     private val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
     private val rootCACert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(commonName = "Corda Node Root CA", locality = "London", organisation = "R3 LTD", country = "GB"), rootCAKey)
     private val intermediateCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
@@ -49,13 +46,14 @@ class PersitenceNodeInfoStorageTest : TestBase() {
     }
 
     @Test
-    fun `test getCertificatePath`() {
+    fun `test get CertificatePath`() {
         // Create node info.
         val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val name = CordaX500Name(organisation = "Test", locality = "London", country = "GB")
-        val nodeCaCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, name, keyPair.public)
+        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = "Test", locality = "London", country = "GB"), keyPair.public)
+        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
 
-        val request = X509Utilities.createCertificateSigningRequest(name, "my@mail.com", keyPair)
+        val request = X509Utilities.createCertificateSigningRequest(nodeInfo.legalIdentities.first().name, "my@mail.com", keyPair)
 
         val requestId = requestStorage.saveRequest(request)
         requestStorage.markRequestTicketCreated(requestId)
@@ -63,73 +61,104 @@ class PersitenceNodeInfoStorageTest : TestBase() {
 
         assertNull(nodeInfoStorage.getCertificatePath(SecureHash.parse(keyPair.public.hashString())))
 
-        requestStorage.putCertificatePath(requestId, buildCertPath(nodeCaCert.cert, intermediateCACert.cert, rootCACert.cert), listOf(CertificationRequestStorage.DOORMAN_SIGNATURE))
+        requestStorage.putCertificatePath(requestId, buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate()), listOf(CertificationRequestStorage.DOORMAN_SIGNATURE))
 
         val storedCertPath = nodeInfoStorage.getCertificatePath(SecureHash.parse(keyPair.public.hashString()))
         assertNotNull(storedCertPath)
 
-        assertEquals(nodeCaCert.cert, storedCertPath!!.certificates.first())
+        assertEquals(clientCert.toX509Certificate(), storedCertPath!!.certificates.first())
     }
 
     @Test
-    fun `getNodeInfo returns persisted SignedNodeInfo using the hash of just the NodeInfo`() {
+    fun `test getNodeInfoHash returns correct data`() {
         // given
-        val (nodeInfoA, signedNodeInfoA) = createValidSignedNodeInfo("TestA")
-        val (nodeInfoB, signedNodeInfoB) = createValidSignedNodeInfo("TestB")
+        val organisationA = "TestA"
+        val requestIdA = requestStorage.saveRequest(createRequest(organisationA).first)
+        requestStorage.markRequestTicketCreated(requestIdA)
+        requestStorage.approveRequest(requestIdA, "TestUser")
+        val keyPairA = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val clientCertA = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisationA, locality = "London", country = "GB"), keyPairA.public)
+        val certPathA = buildCertPath(clientCertA.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        requestStorage.putCertificatePath(requestIdA, certPathA, emptyList())
+        val organisationB = "TestB"
+        val requestIdB = requestStorage.saveRequest(createRequest(organisationB).first)
+        requestStorage.markRequestTicketCreated(requestIdB)
+        requestStorage.approveRequest(requestIdB, "TestUser")
+        val keyPairB = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val clientCertB = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisationB, locality = "London", country = "GB"), keyPairB.public)
+        val certPathB = buildCertPath(clientCertB.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        requestStorage.putCertificatePath(requestIdB, certPathB, emptyList())
+        val nodeInfoA = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPathA)), 1, serial = 1L)
+        val nodeInfoB = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPathB)), 1, serial = 1L)
 
         // Put signed node info data
-        nodeInfoStorage.putNodeInfo(signedNodeInfoA)
-        nodeInfoStorage.putNodeInfo(signedNodeInfoB)
+        val nodeInfoABytes = nodeInfoA.serialize()
+        val nodeInfoBBytes = nodeInfoB.serialize()
+        nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoABytes, listOf(keyPairA.sign(nodeInfoABytes))))
+        nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBBytes, listOf(keyPairB.sign(nodeInfoBBytes))))
 
         // when
-        val persistedSignedNodeInfoA = nodeInfoStorage.getNodeInfo(nodeInfoA.serialize().hash)
-        val persistedSignedNodeInfoB = nodeInfoStorage.getNodeInfo(nodeInfoB.serialize().hash)
+        val persistedNodeInfoA = nodeInfoStorage.getNodeInfo(nodeInfoABytes.hash)
+        val persistedNodeInfoB = nodeInfoStorage.getNodeInfo(nodeInfoBBytes.hash)
 
         // then
-        assertEquals(persistedSignedNodeInfoA?.verified(), nodeInfoA)
-        assertEquals(persistedSignedNodeInfoB?.verified(), nodeInfoB)
+        assertNotNull(persistedNodeInfoA)
+        assertNotNull(persistedNodeInfoB)
+        assertEquals(persistedNodeInfoA!!.verified(), nodeInfoA)
+        assertEquals(persistedNodeInfoB!!.verified(), nodeInfoB)
     }
 
     @Test
-    fun `same public key with different node info`() {
+    fun `same pub key with different node info`() {
         // Create node info.
-        val (nodeInfo1, signedNodeInfo1, key) = createValidSignedNodeInfo("Test", serial = 1)
-        val nodeInfo2 = nodeInfo1.copy(serial = 2)
-        val signedNodeInfo2 = nodeInfo2.signWith(listOf(key))
-
-        val nodeInfo1Hash = nodeInfoStorage.putNodeInfo(signedNodeInfo1)
-        assertEquals(nodeInfo1, nodeInfoStorage.getNodeInfo(nodeInfo1Hash)?.verified())
-
-        // This should replace the node info.
-        nodeInfoStorage.putNodeInfo(signedNodeInfo2)
-
-        // Old node info should be removed.
-        assertNull(nodeInfoStorage.getNodeInfo(nodeInfo1Hash))
-        assertEquals(nodeInfo2, nodeInfoStorage.getNodeInfo(nodeInfo2.serialize().hash)?.verified())
-    }
-
-    @Test
-    fun `putNodeInfo persists SignedNodeInfo with its signature`() {
-        // given
-        val (_, signedNodeInfo) = createValidSignedNodeInfo("Test")
-
-        // when
-        val nodeInfoHash = nodeInfoStorage.putNodeInfo(signedNodeInfo)
-
-        // then
-        val persistedSignedNodeInfo = nodeInfoStorage.getNodeInfo(nodeInfoHash)
-        assertThat(persistedSignedNodeInfo?.signatures).isEqualTo(signedNodeInfo.signatures)
-    }
-
-    private fun createValidSignedNodeInfo(organisation: String, serial: Long = 1): Triple<NodeInfo, SignedNodeInfo, PrivateKey> {
-        val nodeInfoBuilder = TestNodeInfoBuilder()
+        val organisation = "Test"
         val requestId = requestStorage.saveRequest(createRequest(organisation).first)
         requestStorage.markRequestTicketCreated(requestId)
         requestStorage.approveRequest(requestId, "TestUser")
-        val (identity, key) = nodeInfoBuilder.addIdentity(CordaX500Name(organisation, "London", "GB"))
-        val nodeCaCertPath = X509CertificateFactory().generateCertPath(identity.certPath.certificates.drop(1))
-        requestStorage.putCertificatePath(requestId, nodeCaCertPath, emptyList())
-        val (nodeInfo, signedNodeInfo) = nodeInfoBuilder.buildWithSigned(serial)
-        return Triple(nodeInfo, signedNodeInfo, key)
+        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisation, locality = "London", country = "GB"), keyPair.public)
+        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        requestStorage.putCertificatePath(requestId, certPath, emptyList())
+
+        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
+        val nodeInfoSamePubKey = NodeInfo(listOf(NetworkHostAndPort("my.company2.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
+        val nodeInfoBytes = nodeInfo.serialize()
+        val nodeInfoHash = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBytes, listOf(keyPair.sign(nodeInfoBytes))))
+        assertEquals(nodeInfo, nodeInfoStorage.getNodeInfo(nodeInfoHash)?.verified())
+
+        val nodeInfoSamePubKeyBytes = nodeInfoSamePubKey.serialize()
+        // This should replace the node info.
+        nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoSamePubKeyBytes, listOf(keyPair.sign(nodeInfoSamePubKeyBytes))))
+
+        // Old node info should be removed.
+        assertNull(nodeInfoStorage.getNodeInfo(nodeInfoHash))
+        assertEquals(nodeInfoSamePubKey, nodeInfoStorage.getNodeInfo(nodeInfoSamePubKeyBytes.hash)?.verified())
+    }
+
+    @Test
+    fun `putNodeInfo persists node info data with its signature`() {
+        // given
+        // Create node info.
+        val organisation = "Test"
+        val requestId = requestStorage.saveRequest(createRequest(organisation).first)
+        requestStorage.markRequestTicketCreated(requestId)
+        requestStorage.approveRequest(requestId, "TestUser")
+        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = organisation, locality = "London", country = "GB"), keyPair.public)
+        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        requestStorage.putCertificatePath(requestId, certPath, emptyList())
+
+        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
+        val nodeInfoBytes = nodeInfo.serialize()
+        val signature = keyPair.sign(nodeInfoBytes)
+
+        // when
+        val nodeInfoHash = nodeInfoStorage.putNodeInfo(SignedNodeInfo(nodeInfoBytes, listOf(signature)))
+
+        // then
+        val persistedNodeInfo = nodeInfoStorage.getNodeInfo(nodeInfoHash)
+        assertNotNull(persistedNodeInfo)
+        assertEquals(nodeInfo, persistedNodeInfo!!.verified())
+        assertEquals(signature, persistedNodeInfo.signatures.firstOrNull())
     }
 }
\ No newline at end of file
diff --git a/network-management/src/test/kotlin/com/r3/corda/networkmanage/doorman/NodeInfoWebServiceTest.kt b/network-management/src/test/kotlin/com/r3/corda/networkmanage/doorman/NodeInfoWebServiceTest.kt
index 26452d45a9..096a05534f 100644
--- a/network-management/src/test/kotlin/com/r3/corda/networkmanage/doorman/NodeInfoWebServiceTest.kt
+++ b/network-management/src/test/kotlin/com/r3/corda/networkmanage/doorman/NodeInfoWebServiceTest.kt
@@ -1,18 +1,20 @@
 package com.r3.corda.networkmanage.doorman
 
+import com.nhaarman.mockito_kotlin.any
 import com.nhaarman.mockito_kotlin.mock
 import com.nhaarman.mockito_kotlin.times
 import com.nhaarman.mockito_kotlin.verify
 import com.r3.corda.networkmanage.common.persistence.NetworkMapStorage
 import com.r3.corda.networkmanage.common.persistence.NodeInfoStorage
+import com.r3.corda.networkmanage.common.utils.buildCertPath
+import com.r3.corda.networkmanage.common.utils.toX509Certificate
 import com.r3.corda.networkmanage.common.utils.withCert
 import com.r3.corda.networkmanage.doorman.webservice.NodeInfoWebService
-import net.corda.core.crypto.Crypto
-import net.corda.core.crypto.SecureHash
-import net.corda.core.crypto.sha256
-import net.corda.core.crypto.sign
+import net.corda.core.crypto.*
 import net.corda.core.identity.CordaX500Name
+import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.internal.cert
+import net.corda.core.node.NodeInfo
 import net.corda.core.serialization.deserialize
 import net.corda.core.serialization.serialize
 import net.corda.core.utilities.NetworkHostAndPort
@@ -23,7 +25,6 @@ import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.network.NetworkMap
 import net.corda.nodeapi.internal.network.SignedNetworkMap
 import net.corda.testing.SerializationEnvironmentRule
-import net.corda.testing.internal.createNodeInfoAndSigned
 import org.bouncycastle.asn1.x500.X500Name
 import org.junit.Rule
 import org.junit.Test
@@ -40,17 +41,31 @@ class NodeInfoWebServiceTest {
     @JvmField
     val testSerialization = SerializationEnvironmentRule(true)
 
-    private val testNetwotkMapConfig =  NetworkMapConfig(10.seconds.toMillis(), 10.seconds.toMillis())
+    private val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+    private val rootCACert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(locality = "London", organisation = "R3 LTD", country = "GB", commonName = "Corda Node Root CA"), rootCAKey)
+    private val intermediateCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+    private val intermediateCACert = X509Utilities.createCertificate(CertificateType.INTERMEDIATE_CA, rootCACert, rootCAKey, X500Name("CN=Corda Node Intermediate CA,L=London"), intermediateCAKey.public)
 
+    private val testNetwotkMapConfig =  NetworkMapConfig(10.seconds.toMillis(), 10.seconds.toMillis())
     @Test
     fun `submit nodeInfo`() {
         // Create node info.
-        val (_, signedNodeInfo) = createNodeInfoAndSigned(CordaX500Name("Test", "London", "GB"))
+        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = "Test", locality = "London", country = "GB"), keyPair.public)
+        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
 
-        NetworkManagementWebServer(NetworkHostAndPort("localhost", 0), NodeInfoWebService(mock(), mock(), testNetwotkMapConfig)).use {
+        // Create digital signature.
+        val digitalSignature = DigitalSignature.WithKey(keyPair.public, Crypto.doSign(keyPair.private, nodeInfo.serialize().bytes))
+
+        val nodeInfoStorage: NodeInfoStorage = mock {
+            on { getCertificatePath(any()) }.thenReturn(certPath)
+        }
+
+        NetworkManagementWebServer(NetworkHostAndPort("localhost", 0), NodeInfoWebService(nodeInfoStorage, mock(), testNetwotkMapConfig)).use {
             it.start()
             val registerURL = URL("http://${it.hostAndPort}/${NodeInfoWebService.NETWORK_MAP_PATH}/publish")
-            val nodeInfoAndSignature = signedNodeInfo.serialize().bytes
+            val nodeInfoAndSignature = SignedNodeInfo(nodeInfo.serialize(), listOf(digitalSignature)).serialize().bytes
             // Post node info and signature to doorman, this should pass without any exception.
             doPost(registerURL, nodeInfoAndSignature)
         }
@@ -58,11 +73,6 @@ class NodeInfoWebServiceTest {
 
     @Test
     fun `get network map`() {
-        val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val rootCACert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(locality = "London", organisation = "R3 LTD", country = "GB", commonName = "Corda Node Root CA"), rootCAKey)
-        val intermediateCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val intermediateCACert = X509Utilities.createCertificate(CertificateType.INTERMEDIATE_CA, rootCACert, rootCAKey, X500Name("CN=Corda Node Intermediate CA,L=London"), intermediateCAKey.public)
-
         val networkMap = NetworkMap(listOf(SecureHash.randomSHA256(), SecureHash.randomSHA256()), SecureHash.randomSHA256())
         val serializedNetworkMap = networkMap.serialize()
         val networkMapStorage: NetworkMapStorage = mock {
@@ -79,12 +89,16 @@ class NodeInfoWebServiceTest {
 
     @Test
     fun `get node info`() {
-        val (nodeInfo, signedNodeInfo) = createNodeInfoAndSigned(CordaX500Name("Test", "London", "GB"))
+        val keyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val clientCert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKey, CordaX500Name(organisation = "Test", locality = "London", country = "GB"), keyPair.public)
+        val certPath = buildCertPath(clientCert.toX509Certificate(), intermediateCACert.toX509Certificate(), rootCACert.toX509Certificate())
+        val nodeInfo = NodeInfo(listOf(NetworkHostAndPort("my.company.com", 1234)), listOf(PartyAndCertificate(certPath)), 1, serial = 1L)
 
         val nodeInfoHash = nodeInfo.serialize().sha256()
 
         val nodeInfoStorage: NodeInfoStorage = mock {
-            on { getNodeInfo(nodeInfoHash) }.thenReturn(signedNodeInfo)
+            val serializedNodeInfo = nodeInfo.serialize()
+            on { getNodeInfo(nodeInfoHash) }.thenReturn(SignedNodeInfo(serializedNodeInfo, listOf(keyPair.sign(serializedNodeInfo))))
         }
 
         NetworkManagementWebServer(NetworkHostAndPort("localhost", 0), NodeInfoWebService(nodeInfoStorage, mock(), testNetwotkMapConfig)).use {
diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/IdentityGenerator.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt
similarity index 53%
rename from node-api/src/main/kotlin/net/corda/nodeapi/internal/IdentityGenerator.kt
rename to node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt
index 97927e54db..65b60433c7 100644
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/IdentityGenerator.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt
@@ -13,54 +13,42 @@ import org.slf4j.LoggerFactory
 import java.nio.file.Path
 import java.security.cert.X509Certificate
 
-object IdentityGenerator {
+object ServiceIdentityGenerator {
     private val log = LoggerFactory.getLogger(javaClass)
 
-    const val NODE_IDENTITY_ALIAS_PREFIX = "identity"
-    const val DISTRIBUTED_NOTARY_ALIAS_PREFIX = "distributed-notary"
-
-    fun generateNodeIdentity(dir: Path, legalName: CordaX500Name, customRootCert: X509Certificate? = null): Party {
-        return generateToDisk(listOf(dir), legalName, NODE_IDENTITY_ALIAS_PREFIX, threshold = 1, customRootCert = customRootCert)
-    }
-
-    fun generateDistributedNotaryIdentity(dirs: List<Path>, notaryName: CordaX500Name, threshold: Int = 1, customRootCert: X509Certificate? = null): Party {
-        return generateToDisk(dirs, notaryName, DISTRIBUTED_NOTARY_ALIAS_PREFIX, threshold, customRootCert)
-    }
-
     /**
      * Generates signing key pairs and a common distributed service identity for a set of nodes.
      * The key pairs and the group identity get serialized to disk in the corresponding node directories.
      * This method should be called *before* any of the nodes are started.
      *
      * @param dirs List of node directories to place the generated identity and key pairs in.
-     * @param name The name of the identity.
+     * @param serviceName The legal name of the distributed service.
      * @param threshold The threshold for the generated group [CompositeKey].
-     * @param customRootCert the certificate to use as the Corda root CA. If not specified the one in
-     *      internal/certificates/cordadevcakeys.jks is used.
+     * @param customRootCert the certificate to use a Corda root CA. If not specified the one in
+     *      certificates/cordadevcakeys.jks is used.
      */
-    private fun generateToDisk(dirs: List<Path>,
-                               name: CordaX500Name,
-                               aliasPrefix: String,
-                               threshold: Int,
-                               customRootCert: X509Certificate?): Party {
-        log.trace { "Generating identity \"$name\" for nodes: ${dirs.joinToString()}" }
+    fun generateToDisk(dirs: List<Path>,
+                       serviceName: CordaX500Name,
+                       serviceId: String,
+                       threshold: Int = 1,
+                       customRootCert: X509Certificate? = null): Party {
+        log.trace { "Generating a group identity \"serviceName\" for nodes: ${dirs.joinToString()}" }
         val keyPairs = (1..dirs.size).map { generateKeyPair() }
-        val key = CompositeKey.Builder().addKeys(keyPairs.map { it.public }).build(threshold)
+        val notaryKey = CompositeKey.Builder().addKeys(keyPairs.map { it.public }).build(threshold)
 
         val caKeyStore = loadKeyStore(javaClass.classLoader.getResourceAsStream("certificates/cordadevcakeys.jks"), "cordacadevpass")
         val intermediateCa = caKeyStore.getCertificateAndKeyPair(X509Utilities.CORDA_INTERMEDIATE_CA, "cordacadevkeypass")
         val rootCert = customRootCert ?: caKeyStore.getCertificate(X509Utilities.CORDA_ROOT_CA)
 
         keyPairs.zip(dirs) { keyPair, dir ->
-            val serviceKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, name, keyPair.public)
-            val compositeKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, name, key)
+            val serviceKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, serviceName, keyPair.public)
+            val compositeKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, serviceName, notaryKey)
             val certPath = (dir / "certificates").createDirectories() / "distributedService.jks"
             val keystore = loadOrCreateKeyStore(certPath, "cordacadevpass")
-            keystore.setCertificateEntry("$aliasPrefix-composite-key", compositeKeyCert.cert)
-            keystore.setKeyEntry("$aliasPrefix-private-key", keyPair.private, "cordacadevkeypass".toCharArray(), arrayOf(serviceKeyCert.cert, intermediateCa.certificate.cert, rootCert))
+            keystore.setCertificateEntry("$serviceId-composite-key", compositeKeyCert.cert)
+            keystore.setKeyEntry("$serviceId-private-key", keyPair.private, "cordacadevkeypass".toCharArray(), arrayOf(serviceKeyCert.cert, intermediateCa.certificate.cert, rootCert))
             keystore.save(certPath, "cordacadevpass")
         }
-
-        return Party(name, key)
+        return Party(serviceName, notaryKey)
     }
 }
diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
index 563ddaa9f0..70617daf76 100644
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
@@ -7,8 +7,7 @@ import net.corda.core.crypto.random63BitValue
 import net.corda.core.internal.CertRole
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.internal.cert
-import net.corda.core.internal.reader
-import net.corda.core.internal.writer
+import net.corda.core.internal.read
 import net.corda.core.internal.x500Name
 import net.corda.core.utilities.days
 import net.corda.core.utilities.millis
@@ -49,6 +48,8 @@ object X509Utilities {
     const val CORDA_CLIENT_TLS = "cordaclienttls"
     const val CORDA_CLIENT_CA = "cordaclientca"
 
+    const val CORDA_CLIENT_CA_CN = "Corda Client CA Certificate"
+
     private val DEFAULT_VALIDITY_WINDOW = Pair(0.millis, 3650.days)
 
     /**
@@ -161,7 +162,7 @@ object X509Utilities {
      */
     @JvmStatic
     fun saveCertificateAsPEMFile(x509Certificate: X509Certificate, file: Path) {
-        JcaPEMWriter(file.writer()).use {
+        JcaPEMWriter(file.toFile().writer()).use {
             it.writeObject(x509Certificate)
         }
     }
@@ -173,8 +174,9 @@ object X509Utilities {
      */
     @JvmStatic
     fun loadCertificateFromPEMFile(file: Path): X509Certificate {
-        return file.reader().use {
-            val pemObject = PemReader(it).readPemObject()
+        return file.read {
+            val reader = PemReader(it.reader())
+            val pemObject = reader.readPemObject()
             val certHolder = X509CertificateHolder(pemObject.content)
             certHolder.isValidOn(Date())
             certHolder.cert
diff --git a/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt b/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt
index 28a04fcbd7..aaf2cb5e04 100644
--- a/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt
@@ -13,6 +13,7 @@ import net.corda.core.identity.CordaX500Name
 import net.corda.core.identity.Party
 import net.corda.core.internal.deleteIfExists
 import net.corda.core.internal.div
+import net.corda.core.node.services.NotaryService
 import net.corda.core.transactions.SignedTransaction
 import net.corda.core.transactions.TransactionBuilder
 import net.corda.core.utilities.NetworkHostAndPort
@@ -23,7 +24,7 @@ import net.corda.node.services.config.BFTSMaRtConfiguration
 import net.corda.node.services.config.NotaryConfig
 import net.corda.node.services.transactions.minClusterSize
 import net.corda.node.services.transactions.minCorrectReplicas
-import net.corda.nodeapi.internal.IdentityGenerator
+import net.corda.nodeapi.internal.ServiceIdentityGenerator
 import net.corda.nodeapi.internal.network.NetworkParametersCopier
 import net.corda.nodeapi.internal.network.NotaryInfo
 import net.corda.testing.IntegrationTest
@@ -67,9 +68,10 @@ class BFTNotaryServiceTests : IntegrationTest() {
         (Paths.get("config") / "currentView").deleteIfExists() // XXX: Make config object warn if this exists?
         val replicaIds = (0 until clusterSize)
 
-        notary = IdentityGenerator.generateDistributedNotaryIdentity(
+        notary = ServiceIdentityGenerator.generateToDisk(
                 replicaIds.map { mockNet.baseDirectory(mockNet.nextNodeId + it) },
-                CordaX500Name("BFT", "Zurich", "CH"))
+                CordaX500Name("BFT", "Zurich", "CH"),
+                NotaryService.constructId(validating = false, bft = true))
 
         val networkParameters = NetworkParametersCopier(testNetworkParameters(listOf(NotaryInfo(notary, false))))
 
diff --git a/node/src/integration-test/kotlin/net/corda/node/services/MySQLNotaryServiceTests.kt b/node/src/integration-test/kotlin/net/corda/node/services/MySQLNotaryServiceTests.kt
index e36f7b35d0..f1f467d24e 100644
--- a/node/src/integration-test/kotlin/net/corda/node/services/MySQLNotaryServiceTests.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/services/MySQLNotaryServiceTests.kt
@@ -14,7 +14,7 @@ import net.corda.core.transactions.TransactionBuilder
 import net.corda.core.utilities.getOrThrow
 import net.corda.node.internal.StartedNode
 import net.corda.node.services.config.NotaryConfig
-import net.corda.nodeapi.internal.IdentityGenerator
+import net.corda.nodeapi.internal.ServiceIdentityGenerator
 import net.corda.nodeapi.internal.network.NetworkParametersCopier
 import net.corda.nodeapi.internal.network.NotaryInfo
 import net.corda.testing.*
@@ -49,7 +49,11 @@ class MySQLNotaryServiceTests : IntegrationTest() {
     @Before
     fun before() {
         mockNet = MockNetwork(cordappPackages = listOf("net.corda.testing.contracts"))
-        notaryParty = IdentityGenerator.generateNodeIdentity(mockNet.baseDirectory(mockNet.nextNodeId), notaryName)
+        notaryParty = ServiceIdentityGenerator.generateToDisk(
+                listOf(mockNet.baseDirectory(mockNet.nextNodeId)),
+                notaryName,
+                "identity"
+        )
         val networkParameters = NetworkParametersCopier(testNetworkParameters(listOf(NotaryInfo(notaryParty, false))))
         val notaryNodeUnstarted = createNotaryNode()
         val nodeUnstarted = mockNet.createUnstartedNode()
diff --git a/node/src/integration-test/kotlin/net/corda/node/services/RaftNotaryServiceTests.kt b/node/src/integration-test/kotlin/net/corda/node/services/RaftNotaryServiceTests.kt
index 8110118362..00f6124301 100644
--- a/node/src/integration-test/kotlin/net/corda/node/services/RaftNotaryServiceTests.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/services/RaftNotaryServiceTests.kt
@@ -11,6 +11,7 @@ import net.corda.core.internal.concurrent.map
 import net.corda.core.transactions.TransactionBuilder
 import net.corda.core.utilities.getOrThrow
 import net.corda.node.internal.StartedNode
+import net.corda.node.services.transactions.RaftValidatingNotaryService
 import net.corda.testing.*
 import net.corda.testing.contracts.DummyContract
 import net.corda.testing.driver.NodeHandle
@@ -30,15 +31,15 @@ class RaftNotaryServiceTests : IntegrationTest() {
         val databaseSchemas = IntegrationTestSchemas( "RAFTNotaryService_0", "RAFTNotaryService_1", "RAFTNotaryService_2",
                 DUMMY_BANK_A_NAME.toDatabaseSchemaName())
     }
-    private val notaryName = CordaX500Name("RAFT Notary Service", "London", "GB")
+    private val notaryName = CordaX500Name(RaftValidatingNotaryService.id, "RAFT Notary Service", "London", "GB")
 
     @Test
     fun `detect double spend`() {
         driver(
                 startNodesInProcess = true,
                 extraCordappPackagesToScan = listOf("net.corda.testing.contracts"),
-                notarySpecs = listOf(NotarySpec(notaryName, cluster = ClusterSpec.Raft(clusterSize = 3)))
-        ) {
+                notarySpecs = listOf(NotarySpec(notaryName, cluster = ClusterSpec.Raft(clusterSize = 3))))
+        {
             val bankA = startNode(providedName = DUMMY_BANK_A_NAME).map { (it as NodeHandle.InProcess).node }.getOrThrow()
             val inputState = issueState(bankA, defaultNotaryIdentity)
 
diff --git a/node/src/integration-test/kotlin/net/corda/services/messaging/P2PMessagingTest.kt b/node/src/integration-test/kotlin/net/corda/services/messaging/P2PMessagingTest.kt
index 189506d02b..5dfa2963b1 100644
--- a/node/src/integration-test/kotlin/net/corda/services/messaging/P2PMessagingTest.kt
+++ b/node/src/integration-test/kotlin/net/corda/services/messaging/P2PMessagingTest.kt
@@ -19,9 +19,6 @@ import net.corda.node.services.messaging.ReceivedMessage
 import net.corda.node.services.messaging.send
 import net.corda.node.services.transactions.RaftValidatingNotaryService
 import net.corda.testing.*
-import net.corda.node.services.messaging.*
-import net.corda.testing.ALICE_NAME
-import net.corda.testing.chooseIdentity
 import net.corda.testing.driver.DriverDSL
 import net.corda.testing.driver.NodeHandle
 import net.corda.testing.driver.driver
@@ -41,7 +38,7 @@ class P2PMessagingTest : IntegrationTest() {
         @ClassRule @JvmField
         val databaseSchemas = IntegrationTestSchemas(ALICE_NAME.toDatabaseSchemaName(), "DistributedService_0", "DistributedService_1")
 
-        val DISTRIBUTED_SERVICE_NAME = CordaX500Name("DistributedService", "London", "GB")
+        val DISTRIBUTED_SERVICE_NAME = CordaX500Name(RaftValidatingNotaryService.id, "DistributedService", "London", "GB")
     }
 
     @Test
diff --git a/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt b/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
index 2a1b1292f1..b25bb1df9d 100644
--- a/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
+++ b/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
@@ -60,12 +60,8 @@ import net.corda.node.services.vault.NodeVaultService
 import net.corda.node.services.vault.VaultSoftLockManager
 import net.corda.node.shell.InteractiveShell
 import net.corda.node.utilities.AffinityExecutor
-import net.corda.nodeapi.internal.IdentityGenerator
 import net.corda.nodeapi.internal.SignedNodeInfo
-import net.corda.nodeapi.internal.crypto.KeyStoreWrapper
-import net.corda.nodeapi.internal.crypto.X509CertificateFactory
-import net.corda.nodeapi.internal.crypto.X509Utilities
-import net.corda.nodeapi.internal.crypto.loadKeyStore
+import net.corda.nodeapi.internal.crypto.*
 import net.corda.nodeapi.internal.network.NETWORK_PARAMS_FILE_NAME
 import net.corda.nodeapi.internal.network.NetworkParameters
 import net.corda.nodeapi.internal.persistence.CordaPersistence
@@ -141,19 +137,25 @@ abstract class AbstractNode(val configuration: NodeConfiguration,
     protected val services: ServiceHubInternal get() = _services
     private lateinit var _services: ServiceHubInternalImpl
     protected var myNotaryIdentity: PartyAndCertificate? = null
-    private lateinit var checkpointStorage: CheckpointStorage
+    protected lateinit var checkpointStorage: CheckpointStorage
     private lateinit var tokenizableServices: List<Any>
     protected lateinit var attachments: NodeAttachmentService
     protected lateinit var network: MessagingService
     protected val runOnStop = ArrayList<() -> Any?>()
-    private val _nodeReadyFuture = openFuture<Unit>()
+    protected val _nodeReadyFuture = openFuture<Unit>()
     protected var networkMapClient: NetworkMapClient? = null
 
     lateinit var securityManager: RPCSecurityManager get
 
     /** Completes once the node has successfully registered with the network map service
      * or has loaded network map data from local database */
-    val nodeReadyFuture: CordaFuture<Unit> get() = _nodeReadyFuture
+    val nodeReadyFuture: CordaFuture<Unit>
+        get() = _nodeReadyFuture
+    /** A [CordaX500Name] with null common name. */
+    protected val myLegalName: CordaX500Name by lazy {
+        val cert = loadKeyStore(configuration.nodeKeystore, configuration.keyStorePassword).getX509Certificate(X509Utilities.CORDA_CLIENT_CA)
+        CordaX500Name.build(cert.subjectX500Principal).copy(commonName = null)
+    }
 
     open val serializationWhitelists: List<SerializationWhitelist> by lazy {
         cordappLoader.cordapps.flatMap { it.serializationWhitelists }
@@ -328,7 +330,7 @@ abstract class AbstractNode(val configuration: NodeConfiguration,
         )
         // Check if we have already stored a version of 'our own' NodeInfo, this is to avoid regenerating it with
         // a different timestamp.
-        networkMapCache.getNodesByLegalName(configuration.myLegalName).firstOrNull()?.let {
+        networkMapCache.getNodesByLegalName(myLegalName).firstOrNull()?.let {
             if (info.copy(serial = it.serial) == it) {
                 info = it
             }
@@ -754,10 +756,13 @@ abstract class AbstractNode(val configuration: NodeConfiguration,
 
         val (id, singleName) = if (notaryConfig == null || !notaryConfig.isClusterConfig) {
             // Node's main identity or if it's a single node notary
-            Pair(IdentityGenerator.NODE_IDENTITY_ALIAS_PREFIX, configuration.myLegalName)
+            Pair("identity", myLegalName)
         } else {
+            val notaryId = notaryConfig.run {
+                NotaryService.constructId(validating, raft != null, bftSMaRt != null, custom, mysql != null)
+            }
             // The node is part of a distributed notary whose identity must already be generated beforehand.
-            Pair(IdentityGenerator.DISTRIBUTED_NOTARY_ALIAS_PREFIX, null)
+            Pair(notaryId, null)
         }
         // TODO: Integrate with Key management service?
         val privateKeyAlias = "$id-private-key"
@@ -765,7 +770,7 @@ abstract class AbstractNode(val configuration: NodeConfiguration,
         if (!keyStore.containsAlias(privateKeyAlias)) {
             singleName ?: throw IllegalArgumentException(
                     "Unable to find in the key store the identity of the distributed notary ($id) the node is part of")
-            // TODO: Remove use of [IdentityGenerator.generateToDisk].
+            // TODO: Remove use of [ServiceIdentityGenerator.generateToDisk].
             log.info("$privateKeyAlias not found in key store ${configuration.nodeKeystore}, generating fresh key!")
             keyStore.signAndSaveNewKeyPair(singleName, privateKeyAlias, generateKeyPair())
         }
diff --git a/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt b/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt
index ed6028f13c..7471d5d5ec 100644
--- a/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt
+++ b/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt
@@ -69,7 +69,7 @@ fun SSLConfiguration.configureDevKeyAndTrustStores(myLegalName: CordaX500Name) {
         val caKeyStore = loadKeyStore(javaClass.classLoader.getResourceAsStream("certificates/cordadevcakeys.jks"), "cordacadevpass")
         createKeystoreForCordaNode(sslKeystore, nodeKeystore, keyStorePassword, keyStorePassword, caKeyStore, "cordacadevkeypass", myLegalName)
 
-        // Move distributed service composite key (generated by IdentityGenerator.generateToDisk) to keystore if exists.
+        // Move distributed service composite key (generated by ServiceIdentityGenerator.generateToDisk) to keystore if exists.
         val distributedServiceKeystore = certificatesDirectory / "distributedService.jks"
         if (distributedServiceKeystore.exists()) {
             val serviceKeystore = loadKeyStore(distributedServiceKeystore, "cordacadevpass")
@@ -111,17 +111,18 @@ fun createKeystoreForCordaNode(sslKeyStorePath: Path,
     val (intermediateCACert, intermediateCAKeyPair) = caKeyStore.getCertificateAndKeyPair(X509Utilities.CORDA_INTERMEDIATE_CA, caKeyPassword)
 
     val clientKey = Crypto.generateKeyPair(signatureScheme)
+    val clientName = legalName.copy(commonName = null)
 
-    val nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, legalName.x500Name))), arrayOf())
+    val nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, clientName.x500Name))), arrayOf())
     val clientCACert = X509Utilities.createCertificate(CertificateType.NODE_CA,
             intermediateCACert,
             intermediateCAKeyPair,
-            legalName,
+            clientName.copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN),
             clientKey.public,
             nameConstraints = nameConstraints)
 
     val tlsKey = Crypto.generateKeyPair(signatureScheme)
-    val clientTLSCert = X509Utilities.createCertificate(CertificateType.TLS, clientCACert, clientKey, legalName, tlsKey.public)
+    val clientTLSCert = X509Utilities.createCertificate(CertificateType.TLS, clientCACert, clientKey, clientName, tlsKey.public)
 
     val keyPass = keyPassword.toCharArray()
 
diff --git a/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt b/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt
index 4654473ef1..bac9ef6902 100644
--- a/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt
@@ -24,7 +24,6 @@ import javax.annotation.concurrent.ThreadSafe
  *
  * @param identities initial set of identities for the service, typically only used for unit tests.
  */
-// TODO There is duplicated logic between this and PersistentIdentityService
 @ThreadSafe
 class InMemoryIdentityService(identities: Array<out PartyAndCertificate>,
                               trustRoot: X509CertificateHolder) : SingletonSerializeAsToken(), IdentityServiceInternal {
diff --git a/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt b/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt
index 83e7b0b267..6dd98d0c63 100644
--- a/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt
@@ -26,7 +26,6 @@ import javax.persistence.Entity
 import javax.persistence.Id
 import javax.persistence.Lob
 
-// TODO There is duplicated logic between this and InMemoryIdentityService
 @ThreadSafe
 class PersistentIdentityService(override val trustRoot: X509Certificate,
                                 vararg caCertificates: X509Certificate) : SingletonSerializeAsToken(), IdentityServiceInternal {
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/BFTNonValidatingNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/BFTNonValidatingNotaryService.kt
index 9f6ffe1d08..780c4815c6 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/BFTNonValidatingNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/BFTNonValidatingNotaryService.kt
@@ -34,13 +34,12 @@ import kotlin.concurrent.thread
  *
  * A transaction is notarised when the consensus is reached by the cluster on its uniqueness, and time-window validity.
  */
-class BFTNonValidatingNotaryService(
-        override val services: ServiceHubInternal,
-        override val notaryIdentityKey: PublicKey,
-        private val bftSMaRtConfig: BFTSMaRtConfiguration,
-        cluster: BFTSMaRt.Cluster
-) : NotaryService() {
+class BFTNonValidatingNotaryService(override val services: ServiceHubInternal,
+                                    override val notaryIdentityKey: PublicKey,
+                                    private val bftSMaRtConfig: BFTSMaRtConfiguration,
+                                    cluster: BFTSMaRt.Cluster) : NotaryService() {
     companion object {
+        val id = constructId(validating = false, bft = true)
         private val log = contextLogger()
     }
 
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/MySQLNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/MySQLNotaryService.kt
index adfe3e9744..0bf810b2ab 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/MySQLNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/MySQLNotaryService.kt
@@ -35,6 +35,9 @@ class MySQLNonValidatingNotaryService(services: ServiceHubInternal,
                                       notaryIdentityKey: PublicKey,
                                       dataSourceProperties: Properties,
                                       devMode: Boolean = false) : MySQLNotaryService(services, notaryIdentityKey, dataSourceProperties, devMode) {
+    companion object {
+        val id = constructId(validating = false, mysql = true)
+    }
     override fun createServiceFlow(otherPartySession: FlowSession): FlowLogic<Void?> = NonValidatingNotaryFlow(otherPartySession, this)
 }
 
@@ -42,5 +45,8 @@ class MySQLValidatingNotaryService(services: ServiceHubInternal,
                                       notaryIdentityKey: PublicKey,
                                       dataSourceProperties: Properties,
                                       devMode: Boolean = false) : MySQLNotaryService(services, notaryIdentityKey, dataSourceProperties, devMode) {
+    companion object {
+        val id = constructId(validating = true, mysql = true)
+    }
     override fun createServiceFlow(otherPartySession: FlowSession): FlowLogic<Void?> = ValidatingNotaryFlow(otherPartySession, this)
 }
\ No newline at end of file
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/RaftNonValidatingNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/RaftNonValidatingNotaryService.kt
index e672380398..1433e71f85 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/RaftNonValidatingNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/RaftNonValidatingNotaryService.kt
@@ -8,13 +8,14 @@ import net.corda.core.node.services.TrustedAuthorityNotaryService
 import java.security.PublicKey
 
 /** A non-validating notary service operated by a group of mutually trusting parties, uses the Raft algorithm to achieve consensus. */
-class RaftNonValidatingNotaryService(
-        override val services: ServiceHub,
-        override val notaryIdentityKey: PublicKey,
-        override val uniquenessProvider: RaftUniquenessProvider
-) : TrustedAuthorityNotaryService() {
+class RaftNonValidatingNotaryService(override val services: ServiceHub,
+                                     override val notaryIdentityKey: PublicKey,
+                                     override val uniquenessProvider: RaftUniquenessProvider) : TrustedAuthorityNotaryService() {
+    companion object {
+        val id = constructId(validating = false, raft = true)
+    }
+
     override val timeWindowChecker: TimeWindowChecker = TimeWindowChecker(services.clock)
-    
     override fun createServiceFlow(otherPartySession: FlowSession): NotaryFlow.Service {
         return NonValidatingNotaryFlow(otherPartySession, this)
     }
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/RaftValidatingNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/RaftValidatingNotaryService.kt
index 3e4899ae0a..8fd3448512 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/RaftValidatingNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/RaftValidatingNotaryService.kt
@@ -8,13 +8,14 @@ import net.corda.core.node.services.TrustedAuthorityNotaryService
 import java.security.PublicKey
 
 /** A validating notary service operated by a group of mutually trusting parties, uses the Raft algorithm to achieve consensus. */
-class RaftValidatingNotaryService(
-        override val services: ServiceHub,
-        override val notaryIdentityKey: PublicKey,
-        override val uniquenessProvider: RaftUniquenessProvider
-) : TrustedAuthorityNotaryService() {
-    override val timeWindowChecker: TimeWindowChecker = TimeWindowChecker(services.clock)
+class RaftValidatingNotaryService(override val services: ServiceHub,
+                                  override val notaryIdentityKey: PublicKey,
+                                  override val uniquenessProvider: RaftUniquenessProvider) : TrustedAuthorityNotaryService() {
+    companion object {
+        val id = constructId(validating = true, raft = true)
+    }
 
+    override val timeWindowChecker: TimeWindowChecker = TimeWindowChecker(services.clock)
     override fun createServiceFlow(otherPartySession: FlowSession): NotaryFlow.Service {
         return ValidatingNotaryFlow(otherPartySession, this)
     }
diff --git a/node/src/main/kotlin/net/corda/node/services/transactions/ValidatingNotaryService.kt b/node/src/main/kotlin/net/corda/node/services/transactions/ValidatingNotaryService.kt
index 5e687c3b6d..6c7e36046b 100644
--- a/node/src/main/kotlin/net/corda/node/services/transactions/ValidatingNotaryService.kt
+++ b/node/src/main/kotlin/net/corda/node/services/transactions/ValidatingNotaryService.kt
@@ -9,8 +9,10 @@ import java.security.PublicKey
 
 /** A Notary service that validates the transaction chain of the submitted transaction before committing it */
 class ValidatingNotaryService(override val services: ServiceHubInternal, override val notaryIdentityKey: PublicKey) : TrustedAuthorityNotaryService() {
+    companion object {
+        val id = constructId(validating = true)
+    }
     override val timeWindowChecker = TimeWindowChecker(services.clock)
-
     override val uniquenessProvider = PersistentUniquenessProvider()
 
     override fun createServiceFlow(otherPartySession: FlowSession): NotaryFlow.Service = ValidatingNotaryFlow(otherPartySession, this)
diff --git a/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt b/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
index 698420ca0a..f24cf56f11 100644
--- a/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
+++ b/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
@@ -103,9 +103,10 @@ class NetworkRegistrationHelper(private val config: NodeConfiguration, private v
             println("Generating SSL certificate for node messaging service.")
             val sslKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
             val caCert = caKeyStore.getX509Certificate(CORDA_CLIENT_CA).toX509CertHolder()
-            val sslCert = X509Utilities.createCertificate(CertificateType.TLS, caCert, keyPair, CordaX500Name.build(caCert.cert.subjectX500Principal), sslKey.public)
+            val sslCert = X509Utilities.createCertificate(CertificateType.TLS, caCert, keyPair, CordaX500Name.build(caCert.cert.subjectX500Principal).copy(commonName = null), sslKey.public)
             val sslKeyStore = loadOrCreateKeyStore(config.sslKeystore, keystorePassword)
-            sslKeyStore.addOrReplaceKey(CORDA_CLIENT_TLS, sslKey.private, privateKeyPassword.toCharArray(), arrayOf(sslCert.cert, *certificates))
+            sslKeyStore.addOrReplaceKey(CORDA_CLIENT_TLS, sslKey.private, privateKeyPassword.toCharArray(),
+                    arrayOf(sslCert.cert, *certificates))
             sslKeyStore.save(config.sslKeystore, config.keyStorePassword)
             println("SSL private key and certificate stored in ${config.sslKeystore}.")
             // All done, clean up temp files.
diff --git a/node/src/test/kotlin/net/corda/node/services/statemachine/FlowFrameworkTests.kt b/node/src/test/kotlin/net/corda/node/services/statemachine/FlowFrameworkTests.kt
index 2006c397bc..1fe97568a8 100644
--- a/node/src/test/kotlin/net/corda/node/services/statemachine/FlowFrameworkTests.kt
+++ b/node/src/test/kotlin/net/corda/node/services/statemachine/FlowFrameworkTests.kt
@@ -656,7 +656,7 @@ class FlowFrameworkTests {
     private inline fun <reified P : FlowLogic<*>> StartedNode<MockNode>.restartAndGetRestoredFlow() = internals.run {
         disableDBCloseOnStop() // Handover DB to new node copy
         stop()
-        val newNode = mockNet.createNode(MockNodeParameters(id, configuration.myLegalName))
+        val newNode = mockNet.createNode(MockNodeParameters(id))
         newNode.internals.acceptableLiveFiberCountOnStop = 1
         manuallyCloseDB()
         mockNet.runNetwork()
diff --git a/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt b/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
index 209153fdb8..50922e9fde 100644
--- a/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
+++ b/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
@@ -1,7 +1,5 @@
 package net.corda.node.utilities.registration
 
-import com.google.common.jimfs.Configuration.unix
-import com.google.common.jimfs.Jimfs
 import com.nhaarman.mockito_kotlin.any
 import com.nhaarman.mockito_kotlin.doReturn
 import com.nhaarman.mockito_kotlin.eq
@@ -9,61 +7,68 @@ import com.nhaarman.mockito_kotlin.whenever
 import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.SecureHash
 import net.corda.core.identity.CordaX500Name
-import net.corda.core.internal.cert
-import net.corda.core.internal.createDirectories
+import net.corda.core.internal.*
 import net.corda.node.services.config.NodeConfiguration
 import net.corda.nodeapi.internal.crypto.*
+import net.corda.nodeapi.internal.crypto.X509Utilities
+import net.corda.nodeapi.internal.crypto.getX509Certificate
+import net.corda.nodeapi.internal.crypto.loadKeyStore
 import net.corda.testing.ALICE_NAME
 import net.corda.testing.internal.rigorousMock
-import org.assertj.core.api.Assertions.assertThat
 import org.assertj.core.api.Assertions.assertThatThrownBy
-import org.junit.After
 import org.junit.Before
+import org.junit.Rule
 import org.junit.Test
+import org.junit.rules.TemporaryFolder
 import java.security.cert.Certificate
-import java.security.cert.X509Certificate
+import kotlin.test.assertEquals
 import kotlin.test.assertFalse
 import kotlin.test.assertTrue
 
 class NetworkRegistrationHelperTest {
-    private val fs = Jimfs.newFileSystem(unix())
-    private val requestId = SecureHash.randomSHA256().toString()
-    private val nodeLegalName = ALICE_NAME
-    private val intermediateCaName = CordaX500Name("CORDA_INTERMEDIATE_CA", "R3 Ltd", "London", "GB")
-    private val rootCaName = CordaX500Name("CORDA_ROOT_CA", "R3 Ltd", "London", "GB")
-    private val nodeCaCert = createCaCert(nodeLegalName)
-    private val intermediateCaCert = createCaCert(intermediateCaName)
-    private val rootCaCert = createCaCert(rootCaName)
+    @Rule
+    @JvmField
+    val tempFolder = TemporaryFolder()
 
+    private val requestId = SecureHash.randomSHA256().toString()
     private lateinit var config: NodeConfiguration
 
+    private val identities = listOf("CORDA_CLIENT_CA",
+            "CORDA_INTERMEDIATE_CA",
+            "CORDA_ROOT_CA")
+            .map { CordaX500Name(commonName = it, organisation = "R3 Ltd", locality = "London", country = "GB") }
+    private val certs = identities.map { X509Utilities.createSelfSignedCACertificate(it, Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)) }
+            .map { it.cert }.toTypedArray()
+
+    private val certService = mockRegistrationResponse(*certs)
+
     @Before
     fun init() {
-        val baseDirectory = fs.getPath("/baseDir").createDirectories()
         abstract class AbstractNodeConfiguration : NodeConfiguration
         config = rigorousMock<AbstractNodeConfiguration>().also {
-            doReturn(baseDirectory).whenever(it).baseDirectory
+            doReturn(tempFolder.root.toPath()).whenever(it).baseDirectory
             doReturn("trustpass").whenever(it).trustStorePassword
             doReturn("cordacadevpass").whenever(it).keyStorePassword
-            doReturn(nodeLegalName).whenever(it).myLegalName
+            doReturn(ALICE_NAME).whenever(it).myLegalName
             doReturn("").whenever(it).emailAddress
         }
     }
 
-    @After
-    fun cleanUp() {
-        fs.close()
-    }
-
     @Test
     fun `successful registration`() {
-        assertThat(config.nodeKeystore).doesNotExist()
-        assertThat(config.sslKeystore).doesNotExist()
-        assertThat(config.trustStoreFile).doesNotExist()
+        assertFalse(config.nodeKeystore.exists())
+        assertFalse(config.sslKeystore.exists())
+        config.trustStoreFile.parent.createDirectories()
+        loadOrCreateKeyStore(config.trustStoreFile, config.trustStorePassword).also {
+            it.addOrReplaceCertificate(X509Utilities.CORDA_ROOT_CA, certs.last())
+            it.save(config.trustStoreFile, config.trustStorePassword)
+        }
 
-        saveTrustStoreWithRootCa(rootCaCert)
+        NetworkRegistrationHelper(config, certService).buildKeystore()
 
-        createRegistrationHelper().buildKeystore()
+        assertTrue(config.nodeKeystore.exists())
+        assertTrue(config.sslKeystore.exists())
+        assertTrue(config.trustStoreFile.exists())
 
         val nodeKeystore = loadKeyStore(config.nodeKeystore, config.keyStorePassword)
         val sslKeystore = loadKeyStore(config.sslKeystore, config.keyStorePassword)
@@ -74,8 +79,9 @@ class NetworkRegistrationHelperTest {
             assertFalse(containsAlias(X509Utilities.CORDA_INTERMEDIATE_CA))
             assertFalse(containsAlias(X509Utilities.CORDA_ROOT_CA))
             assertFalse(containsAlias(X509Utilities.CORDA_CLIENT_TLS))
-            val nodeCaCertChain = getCertificateChain(X509Utilities.CORDA_CLIENT_CA)
-            assertThat(nodeCaCertChain).containsExactly(nodeCaCert, intermediateCaCert, rootCaCert)
+            val certificateChain = getCertificateChain(X509Utilities.CORDA_CLIENT_CA)
+            assertEquals(3, certificateChain.size)
+            assertEquals(listOf("CORDA_CLIENT_CA", "CORDA_INTERMEDIATE_CA", "CORDA_ROOT_CA"), certificateChain.map { it.toX509CertHolder().subject.commonName })
         }
 
         sslKeystore.run {
@@ -83,55 +89,46 @@ class NetworkRegistrationHelperTest {
             assertFalse(containsAlias(X509Utilities.CORDA_INTERMEDIATE_CA))
             assertFalse(containsAlias(X509Utilities.CORDA_ROOT_CA))
             assertTrue(containsAlias(X509Utilities.CORDA_CLIENT_TLS))
-            val nodeTlsCertChain = getCertificateChain(X509Utilities.CORDA_CLIENT_TLS)
-            assertThat(nodeTlsCertChain).hasSize(4)
-            // The TLS cert has the same subject as the node CA cert
-            assertThat(CordaX500Name.build((nodeTlsCertChain[0] as X509Certificate).subjectX500Principal)).isEqualTo(nodeLegalName)
-            assertThat(nodeTlsCertChain.drop(1)).containsExactly(nodeCaCert, intermediateCaCert, rootCaCert)
+            val certificateChain = getCertificateChain(X509Utilities.CORDA_CLIENT_TLS)
+            assertEquals(4, certificateChain.size)
+            assertEquals(listOf(CordaX500Name(organisation = "R3 Ltd", locality = "London", country = "GB").x500Name) + identities.map { it.x500Name },
+                    certificateChain.map { it.toX509CertHolder().subject })
+            assertEquals(CordaX500Name(organisation = "R3 Ltd", locality = "London", country = "GB").x500Principal,
+                    getX509Certificate(X509Utilities.CORDA_CLIENT_TLS).subjectX500Principal)
         }
 
         trustStore.run {
             assertFalse(containsAlias(X509Utilities.CORDA_CLIENT_CA))
             assertFalse(containsAlias(X509Utilities.CORDA_INTERMEDIATE_CA))
             assertTrue(containsAlias(X509Utilities.CORDA_ROOT_CA))
-            val trustStoreRootCaCert = getCertificate(X509Utilities.CORDA_ROOT_CA)
-            assertThat(trustStoreRootCaCert).isEqualTo(rootCaCert)
         }
     }
 
     @Test
     fun `missing truststore`() {
         assertThatThrownBy {
-            createRegistrationHelper()
+            NetworkRegistrationHelper(config, certService).buildKeystore()
         }.hasMessageContaining("This file must contain the root CA cert of your compatibility zone. Please contact your CZ operator.")
+                .isInstanceOf(IllegalArgumentException::class.java)
     }
 
     @Test
     fun `wrong root cert in truststore`() {
-        saveTrustStoreWithRootCa(createCaCert(CordaX500Name("Foo", "MU", "GB")))
-        val registrationHelper = createRegistrationHelper()
+        val someCert = X509Utilities.createSelfSignedCACertificate(CordaX500Name("Foo", "MU", "GB"), Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)).cert
+        config.trustStoreFile.parent.createDirectories()
+        loadOrCreateKeyStore(config.trustStoreFile, config.trustStorePassword).also {
+            it.addOrReplaceCertificate(X509Utilities.CORDA_ROOT_CA, someCert)
+            it.save(config.trustStoreFile, config.trustStorePassword)
+        }
         assertThatThrownBy {
-            registrationHelper.buildKeystore()
+            NetworkRegistrationHelper(config, certService).buildKeystore()
         }.isInstanceOf(WrongRootCertException::class.java)
     }
 
-    private fun createRegistrationHelper(): NetworkRegistrationHelper {
-        val certService = rigorousMock<NetworkRegistrationService>().also {
+    private fun mockRegistrationResponse(vararg response: Certificate): NetworkRegistrationService {
+        return rigorousMock<NetworkRegistrationService>().also {
             doReturn(requestId).whenever(it).submitRequest(any())
-            doReturn(arrayOf<Certificate>(nodeCaCert, intermediateCaCert, rootCaCert)).whenever(it).retrieveCertificates(eq(requestId))
+            doReturn(response).whenever(it).retrieveCertificates(eq(requestId))
         }
-        return NetworkRegistrationHelper(config, certService)
-    }
-
-    private fun saveTrustStoreWithRootCa(rootCa: X509Certificate) {
-        config.trustStoreFile.parent.createDirectories()
-        loadOrCreateKeyStore(config.trustStoreFile, config.trustStorePassword).also {
-            it.addOrReplaceCertificate(X509Utilities.CORDA_ROOT_CA, rootCa)
-            it.save(config.trustStoreFile, config.trustStorePassword)
-        }
-    }
-
-    private fun createCaCert(name: CordaX500Name): X509Certificate {
-        return X509Utilities.createSelfSignedCACertificate(name, Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)).cert
     }
 }
diff --git a/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/BFTNotaryCordform.kt b/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/BFTNotaryCordform.kt
index 311a5c51b2..eb11a9b443 100644
--- a/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/BFTNotaryCordform.kt
+++ b/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/BFTNotaryCordform.kt
@@ -4,11 +4,13 @@ import net.corda.cordform.CordformContext
 import net.corda.cordform.CordformDefinition
 import net.corda.cordform.CordformNode
 import net.corda.core.identity.CordaX500Name
+import net.corda.core.node.services.NotaryService
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.node.services.config.BFTSMaRtConfiguration
 import net.corda.node.services.config.NotaryConfig
+import net.corda.node.services.transactions.BFTNonValidatingNotaryService
 import net.corda.node.services.transactions.minCorrectReplicas
-import net.corda.nodeapi.internal.IdentityGenerator
+import net.corda.nodeapi.internal.ServiceIdentityGenerator
 import net.corda.testing.node.internal.demorun.*
 import net.corda.testing.ALICE_NAME
 import net.corda.testing.BOB_NAME
@@ -22,7 +24,7 @@ private val notaryNames = createNotaryNames(clusterSize)
 // This is not the intended final design for how to use CordformDefinition, please treat this as experimental and DO
 // NOT use this as a design to copy.
 class BFTNotaryCordform : CordformDefinition() {
-    private val clusterName = CordaX500Name("BFT", "Zurich", "CH")
+    private val clusterName = CordaX500Name(BFTNonValidatingNotaryService.id, "BFT", "Zurich", "CH")
 
     init {
         nodesDirectory = Paths.get("build", "nodes", "nodesBFT")
@@ -62,10 +64,10 @@ class BFTNotaryCordform : CordformDefinition() {
     }
 
     override fun setup(context: CordformContext) {
-        IdentityGenerator.generateDistributedNotaryIdentity(
+        ServiceIdentityGenerator.generateToDisk(
                 notaryNames.map { context.baseDirectory(it.toString()) },
                 clusterName,
-                minCorrectReplicas(clusterSize)
-        )
+                NotaryService.constructId(validating = false, bft = true),
+                minCorrectReplicas(clusterSize))
     }
 }
diff --git a/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/RaftNotaryCordform.kt b/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/RaftNotaryCordform.kt
index 59384a412f..cfc21fa060 100644
--- a/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/RaftNotaryCordform.kt
+++ b/samples/notary-demo/src/main/kotlin/net/corda/notarydemo/RaftNotaryCordform.kt
@@ -8,7 +8,8 @@ import net.corda.core.node.services.NotaryService
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.node.services.config.NotaryConfig
 import net.corda.node.services.config.RaftConfig
-import net.corda.nodeapi.internal.IdentityGenerator
+import net.corda.node.services.transactions.RaftValidatingNotaryService
+import net.corda.nodeapi.internal.ServiceIdentityGenerator
 import net.corda.testing.node.internal.demorun.*
 import net.corda.testing.ALICE_NAME
 import net.corda.testing.BOB_NAME
@@ -23,7 +24,7 @@ private val notaryNames = createNotaryNames(3)
 // This is not the intended final design for how to use CordformDefinition, please treat this as experimental and DO
 // NOT use this as a design to copy.
 class RaftNotaryCordform : CordformDefinition() {
-    private val clusterName = CordaX500Name("Raft", "Zurich", "CH")
+    private val clusterName = CordaX500Name(RaftValidatingNotaryService.id, "Raft", "Zurich", "CH")
 
     init {
         nodesDirectory = Paths.get("build", "nodes", "nodesRaft")
@@ -59,9 +60,9 @@ class RaftNotaryCordform : CordformDefinition() {
     }
 
     override fun setup(context: CordformContext) {
-        IdentityGenerator.generateDistributedNotaryIdentity(
+        ServiceIdentityGenerator.generateToDisk(
                 notaryNames.map { context.baseDirectory(it.toString()) },
-                clusterName
-        )
+                clusterName,
+                NotaryService.constructId(validating = true, raft = true))
     }
 }
diff --git a/testing/node-driver/build.gradle b/testing/node-driver/build.gradle
index a13ec48018..c50a027047 100644
--- a/testing/node-driver/build.gradle
+++ b/testing/node-driver/build.gradle
@@ -29,7 +29,7 @@ dependencies {
     compile "net.corda.plugins:cordform-common:$gradle_plugins_version"
 
     // Integration test helpers
-    testCompile "org.assertj:assertj-core:$assertj_version"
+    integrationTestCompile "org.assertj:assertj-core:${assertj_version}"
     integrationTestCompile "junit:junit:$junit_version"
 
     // Jetty dependencies for NetworkMapClient test.
diff --git a/testing/node-driver/src/main/kotlin/net/corda/testing/node/MockNode.kt b/testing/node-driver/src/main/kotlin/net/corda/testing/node/MockNode.kt
index 84fe07acc5..34cd93d367 100644
--- a/testing/node-driver/src/main/kotlin/net/corda/testing/node/MockNode.kt
+++ b/testing/node-driver/src/main/kotlin/net/corda/testing/node/MockNode.kt
@@ -9,7 +9,6 @@ import net.corda.core.crypto.random63BitValue
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.identity.Party
 import net.corda.core.identity.PartyAndCertificate
-import net.corda.core.internal.VisibleForTesting
 import net.corda.core.internal.createDirectories
 import net.corda.core.internal.createDirectory
 import net.corda.core.internal.uncheckedCast
@@ -38,7 +37,7 @@ import net.corda.node.services.transactions.BFTSMaRt
 import net.corda.node.services.transactions.InMemoryTransactionVerifierService
 import net.corda.node.utilities.AffinityExecutor
 import net.corda.node.utilities.AffinityExecutor.ServiceAffinityExecutor
-import net.corda.nodeapi.internal.IdentityGenerator
+import net.corda.nodeapi.internal.ServiceIdentityGenerator
 import net.corda.nodeapi.internal.config.User
 import net.corda.nodeapi.internal.network.NetworkParametersCopier
 import net.corda.nodeapi.internal.network.NotaryInfo
@@ -126,14 +125,14 @@ data class MockNodeArgs(
  * By default a single notary node is automatically started, which forms part of the network parameters for all the nodes.
  * This node is available by calling [defaultNotaryNode].
  */
-open class MockNetwork(private val cordappPackages: List<String>,
-                       defaultParameters: MockNetworkParameters = MockNetworkParameters(),
-                       private val networkSendManuallyPumped: Boolean = defaultParameters.networkSendManuallyPumped,
-                       private val threadPerNode: Boolean = defaultParameters.threadPerNode,
-                       servicePeerAllocationStrategy: InMemoryMessagingNetwork.ServicePeerAllocationStrategy = defaultParameters.servicePeerAllocationStrategy,
-                       private val defaultFactory: (MockNodeArgs) -> MockNode = defaultParameters.defaultFactory,
-                       initialiseSerialization: Boolean = defaultParameters.initialiseSerialization,
-                       private val notarySpecs: List<NotarySpec> = defaultParameters.notarySpecs) {
+class MockNetwork(private val cordappPackages: List<String>,
+                  defaultParameters: MockNetworkParameters = MockNetworkParameters(),
+                  private val networkSendManuallyPumped: Boolean = defaultParameters.networkSendManuallyPumped,
+                  private val threadPerNode: Boolean = defaultParameters.threadPerNode,
+                  servicePeerAllocationStrategy: InMemoryMessagingNetwork.ServicePeerAllocationStrategy = defaultParameters.servicePeerAllocationStrategy,
+                  private val defaultFactory: (MockNodeArgs) -> MockNode = defaultParameters.defaultFactory,
+                  initialiseSerialization: Boolean = defaultParameters.initialiseSerialization,
+                  private val notarySpecs: List<NotarySpec> = defaultParameters.notarySpecs) {
     /** Helper constructor for creating a [MockNetwork] with custom parameters from Java. */
     @JvmOverloads
     constructor(cordappPackages: List<String>, parameters: MockNetworkParameters = MockNetworkParameters()) : this(cordappPackages, defaultParameters = parameters)
@@ -142,7 +141,7 @@ open class MockNetwork(private val cordappPackages: List<String>,
         // Apache SSHD for whatever reason registers a SFTP FileSystemProvider - which gets loaded by JimFS.
         // This SFTP support loads BouncyCastle, which we want to avoid.
         // Please see https://issues.apache.org/jira/browse/SSHD-736 - it's easier then to create our own fork of SSHD
-        SecurityUtils.setAPrioriDisabledProvider("BC", true) // XXX: Why isn't this static?
+        SecurityUtils.setAPrioriDisabledProvider("BC", true)
     }
 
     var nextNodeId = 0
@@ -160,7 +159,6 @@ open class MockNetwork(private val cordappPackages: List<String>,
         throw IllegalStateException("Using more than one MockNetwork simultaneously is not supported.", e)
     }
     private val sharedUserCount = AtomicInteger(0)
-
     /** A read only view of the current set of nodes. */
     val nodes: List<MockNode> get() = _nodes
 
@@ -174,29 +172,32 @@ open class MockNetwork(private val cordappPackages: List<String>,
      * Returns the single notary node on the network. Throws if there are none or more than one.
      * @see notaryNodes
      */
-    val defaultNotaryNode: StartedNode<MockNode> get() {
-        return when (notaryNodes.size) {
-            0 -> throw IllegalStateException("There are no notaries defined on the network")
-            1 -> notaryNodes[0]
-            else -> throw IllegalStateException("There is more than one notary defined on the network")
+    val defaultNotaryNode: StartedNode<MockNode>
+        get() {
+            return when (notaryNodes.size) {
+                0 -> throw IllegalStateException("There are no notaries defined on the network")
+                1 -> notaryNodes[0]
+                else -> throw IllegalStateException("There is more than one notary defined on the network")
+            }
         }
-    }
 
     /**
      * Return the identity of the default notary node.
      * @see defaultNotaryNode
      */
-    val defaultNotaryIdentity: Party get() {
-        return defaultNotaryNode.info.legalIdentities.singleOrNull() ?: throw IllegalStateException("Default notary has multiple identities")
-    }
+    val defaultNotaryIdentity: Party
+        get() {
+            return defaultNotaryNode.info.legalIdentities.singleOrNull() ?: throw IllegalStateException("Default notary has multiple identities")
+        }
 
     /**
      * Return the identity of the default notary node.
      * @see defaultNotaryNode
      */
-    val defaultNotaryIdentityAndCert: PartyAndCertificate get() {
-        return defaultNotaryNode.info.legalIdentitiesAndCerts.singleOrNull() ?: throw IllegalStateException("Default notary has multiple identities")
-    }
+    val defaultNotaryIdentityAndCert: PartyAndCertificate
+        get() {
+            return defaultNotaryNode.info.legalIdentitiesAndCerts.singleOrNull() ?: throw IllegalStateException("Default notary has multiple identities")
+        }
 
     /**
      * Because this executor is shared, we need to be careful about nodes shutting it down.
@@ -221,31 +222,27 @@ open class MockNetwork(private val cordappPackages: List<String>,
     }
 
     init {
-        try {
-            filesystem.getPath("/nodes").createDirectory()
-            val notaryInfos = generateNotaryIdentities()
-            // The network parameters must be serialised before starting any of the nodes
-            networkParameters = NetworkParametersCopier(testNetworkParameters(notaryInfos))
-            @Suppress("LeakingThis")
-            notaryNodes = createNotaries()
-        } catch (t: Throwable) {
-            stopNodes()
-            throw t
-        }
+        filesystem.getPath("/nodes").createDirectory()
+        val notaryInfos = generateNotaryIdentities()
+        // The network parameters must be serialised before starting any of the nodes
+        networkParameters = NetworkParametersCopier(testNetworkParameters(notaryInfos))
+        notaryNodes = createNotaries()
     }
 
     private fun generateNotaryIdentities(): List<NotaryInfo> {
         return notarySpecs.mapIndexed { index, (name, validating) ->
-            val identity = IdentityGenerator.generateNodeIdentity(baseDirectory(nextNodeId + index), name)
+            val identity = ServiceIdentityGenerator.generateToDisk(
+                    dirs = listOf(baseDirectory(nextNodeId + index)),
+                    serviceName = name,
+                    serviceId = "identity")
             NotaryInfo(identity, validating)
         }
     }
 
-    @VisibleForTesting
-    internal open fun createNotaries(): List<StartedNode<MockNode>> {
-        return notarySpecs.map { (name, validating) ->
-            createNode(MockNodeParameters(legalName = name, configOverrides = {
-                doReturn(NotaryConfig(validating)).whenever(it).notary
+    private fun createNotaries(): List<StartedNode<MockNode>> {
+        return notarySpecs.map { spec ->
+            createNode(MockNodeParameters(legalName = spec.name, configOverrides = {
+                doReturn(NotaryConfig(spec.validating)).whenever(it).notary
             }))
         }
     }
@@ -302,7 +299,7 @@ open class MockNetwork(private val cordappPackages: List<String>,
                     id,
                     serverThread,
                     myNotaryIdentity,
-                    configuration.myLegalName,
+                    myLegalName,
                     database).also { runOnStop += it::stop }
         }
 
@@ -460,11 +457,8 @@ open class MockNetwork(private val cordappPackages: List<String>,
     }
 
     fun stopNodes() {
-        try {
-            nodes.forEach { it.started?.dispose() }
-        } finally {
-            serializationEnv.unset() // Must execute even if other parts of this method fail.
-        }
+        nodes.forEach { it.started?.dispose() }
+        serializationEnv.unset()
         messagingNetwork.stop()
     }
 
diff --git a/testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/DriverDSLImpl.kt b/testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/DriverDSLImpl.kt
index 5833840bb4..308ac4fe5a 100644
--- a/testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/DriverDSLImpl.kt
+++ b/testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/DriverDSLImpl.kt
@@ -19,6 +19,7 @@ import net.corda.core.internal.createDirectories
 import net.corda.core.internal.div
 import net.corda.core.messaging.CordaRPCOps
 import net.corda.core.node.services.NetworkMapCache
+import net.corda.core.node.services.NotaryService
 import net.corda.core.toFuture
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.core.utilities.contextLogger
@@ -29,9 +30,12 @@ import net.corda.node.internal.NodeStartup
 import net.corda.node.internal.StartedNode
 import net.corda.node.services.Permissions
 import net.corda.node.services.config.*
+import net.corda.node.services.transactions.BFTNonValidatingNotaryService
+import net.corda.node.services.transactions.RaftNonValidatingNotaryService
+import net.corda.node.services.transactions.RaftValidatingNotaryService
 import net.corda.node.utilities.registration.HTTPNetworkRegistrationService
 import net.corda.node.utilities.registration.NetworkRegistrationHelper
-import net.corda.nodeapi.internal.IdentityGenerator
+import net.corda.nodeapi.internal.ServiceIdentityGenerator
 import net.corda.nodeapi.internal.addShutdownHook
 import net.corda.nodeapi.internal.config.User
 import net.corda.nodeapi.internal.config.parseAs
@@ -241,9 +245,9 @@ class DriverDSLImpl(
     }
 
     private enum class ClusterType(val validating: Boolean, val clusterName: CordaX500Name) {
-        VALIDATING_RAFT(true, CordaX500Name("Raft", "Zurich", "CH")),
-        NON_VALIDATING_RAFT(false, CordaX500Name("Raft", "Zurich", "CH")),
-        NON_VALIDATING_BFT(false, CordaX500Name("BFT", "Zurich", "CH"))
+        VALIDATING_RAFT(true, CordaX500Name(RaftValidatingNotaryService.id, "Raft", "Zurich", "CH")),
+        NON_VALIDATING_RAFT(false, CordaX500Name(RaftNonValidatingNotaryService.id, "Raft", "Zurich", "CH")),
+        NON_VALIDATING_BFT(false, CordaX500Name(BFTNonValidatingNotaryService.id, "BFT", "Zurich", "CH"))
     }
 
     internal fun startCordformNodes(cordforms: List<CordformNode>): CordaFuture<*> {
@@ -266,15 +270,24 @@ class DriverDSLImpl(
                 clusterNodes.put(ClusterType.NON_VALIDATING_BFT, name)
             } else {
                 // We have all we need here to generate the identity for single node notaries
-                val identity = IdentityGenerator.generateNodeIdentity(baseDirectory(name), legalName = name)
+                val identity = ServiceIdentityGenerator.generateToDisk(
+                        dirs = listOf(baseDirectory(name)),
+                        serviceName = name,
+                        serviceId = "identity"
+                )
                 notaryInfos += NotaryInfo(identity, notaryConfig.validating)
             }
         }
 
         clusterNodes.asMap().forEach { type, nodeNames ->
-            val identity = IdentityGenerator.generateDistributedNotaryIdentity(
+            val identity = ServiceIdentityGenerator.generateToDisk(
                     dirs = nodeNames.map { baseDirectory(it) },
-                    notaryName = type.clusterName
+                    serviceName = type.clusterName,
+                    serviceId = NotaryService.constructId(
+                            validating = type.validating,
+                            raft = type in setOf(VALIDATING_RAFT, NON_VALIDATING_RAFT),
+                            bft = type == ClusterType.NON_VALIDATING_BFT
+                    )
             )
             notaryInfos += NotaryInfo(identity, type.validating)
         }
@@ -356,11 +369,20 @@ class DriverDSLImpl(
     private fun generateNotaryIdentities(): List<NotaryInfo> {
         return notarySpecs.map { spec ->
             val identity = if (spec.cluster == null) {
-                IdentityGenerator.generateNodeIdentity(baseDirectory(spec.name), spec.name, compatibilityZone?.rootCert)
+                ServiceIdentityGenerator.generateToDisk(
+                        dirs = listOf(baseDirectory(spec.name)),
+                        serviceName = spec.name,
+                        serviceId = "identity",
+                        customRootCert = compatibilityZone?.rootCert
+                )
             } else {
-                IdentityGenerator.generateDistributedNotaryIdentity(
+                ServiceIdentityGenerator.generateToDisk(
                         dirs = generateNodeNames(spec).map { baseDirectory(it) },
-                        notaryName = spec.name,
+                        serviceName = spec.name,
+                        serviceId = NotaryService.constructId(
+                                validating = spec.validating,
+                                raft = spec.cluster is ClusterSpec.Raft
+                        ),
                         customRootCert = compatibilityZone?.rootCert
                 )
             }
diff --git a/testing/node-driver/src/test/kotlin/net/corda/testing/node/MockNetworkTests.kt b/testing/node-driver/src/test/kotlin/net/corda/testing/node/MockNetworkTests.kt
deleted file mode 100644
index 10d9358243..0000000000
--- a/testing/node-driver/src/test/kotlin/net/corda/testing/node/MockNetworkTests.kt
+++ /dev/null
@@ -1,18 +0,0 @@
-package net.corda.testing.node
-
-import net.corda.core.serialization.internal.effectiveSerializationEnv
-import org.assertj.core.api.Assertions.assertThatThrownBy
-import org.junit.Test
-
-class MockNetworkTests {
-    @Test
-    fun `does not leak serialization env if init fails`() {
-        val e = Exception("didn't work")
-        assertThatThrownBy {
-            object : MockNetwork(emptyList(), initialiseSerialization = true) {
-                override fun createNotaries() = throw e
-            }
-        }.isSameAs(e)
-        assertThatThrownBy { effectiveSerializationEnv }.isInstanceOf(IllegalStateException::class.java)
-    }
-}
diff --git a/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt b/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt
index 860af415ac..11e572e2d7 100644
--- a/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt
+++ b/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt
@@ -10,7 +10,6 @@ import net.corda.core.identity.CordaX500Name
 import net.corda.core.identity.Party
 import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.internal.cert
-import net.corda.core.internal.unspecifiedCountry
 import net.corda.core.internal.x500Name
 import net.corda.core.node.NodeInfo
 import net.corda.core.utilities.NetworkHostAndPort
@@ -92,13 +91,13 @@ fun getTestPartyAndCertificate(party: Party): PartyAndCertificate {
     val trustRoot: X509CertificateHolder = DEV_TRUST_ROOT
     val intermediate: CertificateAndKeyPair = DEV_CA
 
-
+    val nodeCaName = party.name.copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN)
     val nodeCaKeyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
     val nodeCaCert = X509Utilities.createCertificate(
             CertificateType.NODE_CA,
             intermediate.certificate,
             intermediate.keyPair,
-            party.name,
+            nodeCaName,
             nodeCaKeyPair.public,
             nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, party.name.x500Name))), arrayOf()))
 
diff --git a/tools/demobench/src/main/kotlin/net/corda/demobench/model/NodeController.kt b/tools/demobench/src/main/kotlin/net/corda/demobench/model/NodeController.kt
index ee6b38fdb5..37e019b367 100644
--- a/tools/demobench/src/main/kotlin/net/corda/demobench/model/NodeController.kt
+++ b/tools/demobench/src/main/kotlin/net/corda/demobench/model/NodeController.kt
@@ -13,7 +13,7 @@ import net.corda.demobench.pty.R3Pty
 import net.corda.nodeapi.internal.network.NetworkParameters
 import net.corda.nodeapi.internal.network.NetworkParametersCopier
 import net.corda.nodeapi.internal.network.NotaryInfo
-import net.corda.nodeapi.internal.IdentityGenerator
+import net.corda.nodeapi.internal.ServiceIdentityGenerator
 import tornadofx.*
 import java.io.IOException
 import java.lang.management.ManagementFactory
@@ -153,7 +153,10 @@ class NodeController(check: atRuntime = ::checkExists) : Controller() {
 
     // Generate notary identity and save it into node's directory. This identity will be used in network parameters.
     private fun getNotaryIdentity(config: NodeConfigWrapper): Party {
-        return IdentityGenerator.generateNodeIdentity(config.nodeDir, config.nodeConfig.myLegalName)
+        return ServiceIdentityGenerator.generateToDisk(
+                dirs = listOf(config.nodeDir),
+                serviceName = config.nodeConfig.myLegalName,
+                serviceId = "identity")
     }
 
     fun reset() {