Device Identity as Yet Untold

Kengo Suzuki
January 24, 2020

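As society's needs change, business that cuts across company size and sector (for example, partnerships between emerging fintech companies and banks) is increasing.

Accordingly, as the overview of OpenID Summit Tokyo 2020 notes, attention is turning to the growing number of use cases for, and extensions to the specifications of, Identity with the user as the entity.

As user Identity advances, enterprises must manage the growing volume of sensitive data and the diversifying transaction paths quickly and securely.
As business changes, enterprise security must change as well.

As if in response to these changing needs, design approaches such as "zero trust" have recently become a topic of discussion; they shift the center of security controls from the network to the various entities (and their Identities).

What cannot be ignored here is device Identity.
A device is certainly one kind of entity, but
compared with user Identity, its management methods and specifications are not discussed very often. Discussion aimed at the enterprise is almost nonexistent.

In this session, therefore, I would like to talk about Identity Management for devices in the enterprise.
In doing so, I will tell attendees, especially those who believe Identity technology will become the core of enterprise security, what approaches are available.

Specifically, I will explain device registration, authentication methods, verification methods and so on from the perspective of identity management.
By presenting both the ideal picture and real-world cases, I also want to make clear how much of that management is possible with existing products.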

Transcript

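  1. Device Identity Yet Untold: Enterprise Security and Device Identity

  2. “As the times change, (omitted) the surrounding technology and business are also changing greatly” (source: www.openid.or.jp, summit page)

  3. Agenda: Identity For Enterprise Security (min); Device Identity Management (min); Challenges (min); Conclusion (min)
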
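  4. Identity For Enterprise Security

  5. Changes in business; changes in enterprise security design centered on the Entity; changes in threats

  6. Changes in the business environment

  7. Distribution of business data [diagram labels: data; important data; business apps; core data; important data on servers; data on external services; data on endpoints; data on core systems]

  8. Optimizing the perimeter [diagram labels: important data on servers; data on external services; data on endpoints; data on core systems]

  9. Technical standards accompanying the diversification of business data distribution

  10. Changes in threats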

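  11. Diversification of threat delivery methods [diagram labels: VPN tunnel; important data on servers; business apps; data on external services; data on endpoints; data on core systems]

  12. Decline in trustworthiness over time [diagram labels: important data on servers; data]

  13. Changes in security design

  14. Changes in implementation [diagram labels: important data on servers; data on external services; data on endpoints; data on core systems]
      - Combined with entity verification: “Identity Centric”, “Always Verify”
      - Principle of least privilege: “Least Privilege Access”
      - Assuming breach and containing it: “Breach Containment”

  15. Today's focus [diagram labels: important data on servers; data on external services; data on endpoints; data on core systems]: this side is often talked about

  16. Today's focus [diagram labels: important data on servers; data on external services; data on endpoints; data on core systems]: Device Identity in Enterprise

  17. Key Takeaway
      - Implementation of Device Identity Management
      - Device Identity In Real Life
      - Challenge in Device Identity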

  18. Who am I (09:44~10:00)
      - @kenscal, Kengo Suzuki
      - Career: Security Vendor (MSS), Fintech Startup x
      - Works: Security, InfoSystem, SRE
      - Focus: Digital Identity, Blockchain

  19. Device Identity Mgmt

  20. Which part of Device Identity Mgmt: ISO/IEC, "A framework for identity management" (source: https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html)

  21. Lifecycle (figure; source: ISO/IEC, standards.iso.org)

  22. Identity Register (Inventory) [diagram labels: attribute (x8)] (source: ISO/IEC, standards.iso.org)

  23. Enrollment (source: ISO/IEC, standards.iso.org)
      - “the creation of one or more identities for the entity”
      - typically comprises the collection and validation of identity information

  24. Enrollment steps (source: ISO/IEC, standards.iso.org)
      - Registration
      - Identity Proofing

  25. Simple Registration [diagram labels: Device Vendor; IT admin; Purchase; enroll; registration; Deliver; attribute (x6)]

  26. Better Registration Process [diagram labels: Vendor; Purchase; enroll; registration; Deliver; Initial Boot; Registration Service; notify; attribute (x6)]
  27. Examples

  28. Registration in Mac (DEP) (source: www.jamf.com blog, "apple device enrollment program apple it innovation")

  29. Registration in Microsoft (Autopilot) (source: myignite.techcommunity.microsoft.com, sessions)

  30. Identity Proofing [diagram labels: Device Vendor; IT admin; Purchase; enroll; registration; Deliver; attribute (x6); "Proof Identity at here"]

  31. Identity Proofing Requirement
      - Identity Assurance Level (IAL) in NIST SP
      - Whether the entity's identity information is accurate

  32. TPM (maybe TEE)
      - International standard for a secure cryptoprocessor
      - Audits software at boot time (platform integrity)
      - Stores confidential data and manages cryptographic keys

  33. TPM (maybe TEE)

  34. TPM and Endorsement Key
      - Endorsement Key
      - root of Trust
      - never leaves TPM
      - Identify unique TPM

  35. Example in Microsoft

  36. (figure; source: docs.microsoft.com ja-jp, "azure iot dps concepts tpm attestation")

  37. (figure; source: NIST SP, pages.nist.gov)

  38. [diagram labels: IT admin Or Provisioning Service] (source: NIST SP, pages.nist.gov)

  39. [diagram labels: IT admin Or Provisioning Service; Endorsement Public Key] (source: NIST SP, pages.nist.gov)

  40. [diagram labels: IT admin Or Provisioning Service; Compare pre-registered pubkey signed by vendor; Endorsement Public Key; Validated using pubkey certificate] (source: NIST SP, pages.nist.gov)

  41. [diagram labels: IT admin Or Provisioning Service; Challenge and Response; Endorsement Public Key] (source: NIST SP, pages.nist.gov)

  42. Microsoft Intune Autopilot (source: https://www.anoopcnair.com/windows-autopilot-behind-the-scenes-secrets/)

      <?xml version="1.0"?>
      <HardwareReport>
        <HardwareInventory>
          (omitted)
          <p n="TPMVersion" v="TPM- Version:2.0 -Level:0-Revision:1.16-VendorID:'MSFT'- Firmware:538247443.1394722" />
          <p n="TPM EkPub" v="s7+hJsgnlFQ+Jf4O7WZEh9AcZcJ9EXIBGeUSkzRXDkrSt2UBJ0P 1FmA8V8PTp/ TbY3dmn5IG1Z2spHlrGmu1AshGHlZyIMFPUeMN91/+mM3lqWsHOrOM HjGvZrdMCJxi3sXAqs16bo5BFoNWXHXZyCwWQ3204chGlOzm309hKV +l90t7ciqzfpaA2D7UcyYy8xHm0qbuI1pNaHYkP5mmdyKn5eoHtpNT Y0zjVf+ZtZIJ6N2/ VydcZ5olmSG2BRe5xxZhbYILkprzyit5ayPXmUlTYm5MV6zbuZYMeU 0hu4HetDAL6G0XZQz+UH/ufuvEBCe44Q/uz2UdXlgQ0cfpTQ==" />
          (omitted)

  43. Example in Apple

  44. Apple T Security Tip (source: www.apple.com, Apple_T_Security_Chip_Overview PDF)
      - Not exactly TPM but shares similar functionalities
      - “the hardware root of trust for secure boot”
      - “the lowest level of software aren’t tampered with”

  45. Apple T Security Tip: maintains the integrity of its security functions even if the macOS kernel has been compromised (source: www.apple.com, Apple_T_Security_Chip_Overview PDF)

  46. Apple T Security Tip: Mac unique ID (UID), AES bit key burned at manufacture (source: www.apple.com, Apple_T_Security_Chip_Overview PDF)

  47. Not quite sure how DEP uses UID (source: www.jamf.com blog, "apple device enrollment program apple it innovation")

  48. Maintenance: “an update of the information in the identity register for an entity”

  49. (figure; source: ISO/IEC, standards.iso.org)

  50. Identity Register (Inventory) [diagram labels: attribute (x8)]
      - repository of identities
      - more like inventory
      - continuously monitor and record state of the device

  51-55. Different characteristics from human!

  56. Two types of attributes
      - Observed attributes
      - Manually configured attributes

  57. Two types of attributes
      - Observed attributes
        - automatically collected/programmatically generated attributes
      - Manually Configured attributes

  58. Examples of Observed Attributes
      - Enrolled time
      - last time checked in
      - logged in users
      - HW Info
      - OS version
      - installed SW and its version
      - Disk Encryption Recovery Key

  59. Two types of attributes
      - Observed data
      - Manually configured attributes

  60. Examples of Manually Configured Attributes
      - type of device
        - personally assigned, kiosk, special-case
      - owner of the device
      - vendor/OEM
      - purchased data (asset management related data)
      - device name

  61. Data Sources (source: storage.googleapis.com, "pub tools public publication data" PDF)

  62. Examples

  63. Observed Attributes Collection from Agent (source: storage.googleapis.com, "pub tools public publication data" PDF)

  64. Intune (HW Observed Attributes)

  65. Intune (SW Observed Attributes)

  66. Jamf (HW Observed Attributes)

  67. Jamf (SW Observed Attributes)

  68. Manually Configured Attributes (JAMF)

  69. Attributes From EDR (source: storage.googleapis.com, "pub tools public publication data" PDF)

  70. Attributes from Asset Mgmt (source: storage.googleapis.com, "pub tools public publication data" PDF)

  71. Identity Adjustment: “an update of the information in the identity register for an entity where the new information gives rise to the modification of activation information”

  72. (figure; source: ISO/IEC, standards.iso.org)

  73. Is Device Still Trustful? [diagram labels: important data; Trust over elapsed time; Trust physical location]

  74. Device Health Checking (source: docs.microsoft.com, Windows security information protection, "secure the windows boot process")
      - Verified Boot
      - Measured Boot

  75. Verified Boot
      - Secure Boot
      - Trusted Boot
      - ELAM

  76. Verified Boot
      - Secure Boot
        - Check integrity of OS Bootloader
        - Check certificate signed to Bootloader
      - Trusted Boot
      - ELAM

  77. Verified Boot
      - Secure Boot
      - Trusted Boot
        - a series of signature checking
      - ELAM

  78. Verified Boot
      - Secure Boot
      - Trusted Boot
      - ELAM
        - Early Launch Anti-Malware
        - examine every boot driver
        - “determine it is on the list of trusted drivers”

  79. Verified Boot [diagram labels: Chain of Trust (x3)]
      - Secure Boot
      - Trusted Boot
      - ELAM

  80. Measured Boot (source: docs.microsoft.com, Windows security threat protection, "protect high value assets by controlling the health of windows based devices")
      - Generates “measurable” artifacts while booting
      - Can be remotely verified

  81-83. Measured Boot
      - Each boot component takes the hash of the next component
      - store the hash in Platform Configuration Registers (PCRs)
      - this “measurement” is recorded in the Trusted Computing Group (TCG) log
      - Send PCR and TCG logs to verification component (remote health attestation)

  84. Measured Boot
      - Each boot component takes the hash of the next component
      - store the hash in Platform Configuration Registers (PCRs)
      - this “measurement” is recorded in the Trusted Computing Group (TCG) log
      - Send PCR and TCG logs to verification component (remote health attestation)
      - PCR is digitally signed (PCR Quote)
  85. Examples

  86. Microsoft (TPM and Intune) (source: docs.microsoft.com, Windows security threat protection, "protect high value assets by controlling the health of windows based devices")
      - Secure Boot (Verified Boot)
        - Just like normal secure boot
      - Measured Boot
        - integrate with Windows 10 Device Guard
        - Uses AIK (Attestation Identity Key)/AK (Attestation Key) certificate to form PCR quote
        - certificate is issued by Microsoft Cloud
        - Intune (UEM/MDM) has own remote health attestation service
        - Parses the properties of TCG logs and compare to signed PCR values

  87. Apple (T chip) (source: www.apple.com, Apple_T_Security_Chip_Overview PDF)
      - Verify integrity of next booting components
      - more like trusted boot
      - so far no sign of measured boot

  88. Summary
      - Device Identity Management using ISO/IEC
      - Enrollment: Registration services; TPM for identity proofing
      - Maintenance: Attributes for maintenance
      - Identity Adjustment: Secure Boot; Measure Boot
  89. Challenges

  90-94. Challenges
      - Lack of standard guidelines
      - Lack of API connecting data from sources and inventory
      - Unmatched Software Lifecycle and Hardware Lifecycle
      - Managing freelancer's devices belonging to multiple org/communities
  95. Conclusion

  96. Conclusion
      - The Change demands us to focus on Identity
      - including the Device
      - device identity in enterprise security needs to be managed thoroughly and frequently
      - especially during enrollment and maintenance
      - Developing standards is the next step (Let me know)

  97. Thank you

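
The measured-boot check outlined on slides 81 to 86 (replay the TCG log, then compare it with the signed PCR values), as an added Python example that is not from the talk or from any vendor's attestation service. The PCR indices, component names and allowlist are constructed sample data, and verification of the quote's AIK/AK signature is assumed to have been done before `verify()` runs.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank

def measure(component: bytes) -> bytes:
    """Hash of the next boot component, taken before control is handed to it."""
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || measurement)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log):
    """Recompute PCR values from (pcr_index, digest, description) entries."""
    pcrs = {}
    for index, digest, _desc in event_log:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs

def verify(event_log, quoted_pcrs, trusted_digests):
    """Return findings; an empty list means the device passes the health check."""
    findings = []
    replayed = replay(event_log)
    for index, value in sorted(quoted_pcrs.items()):
        if replayed.get(index) != value:
            findings.append(f"PCR{index}: log does not reproduce quoted value")
    for index, digest, desc in event_log:
        if digest not in trusted_digests:
            findings.append(f"PCR{index}: untrusted measurement for {desc}")
    return findings

# Constructed sample data: a known-good boot chain and one modified bootloader.
GOOD_LOG = [(0, measure(b"firmware-v1"), "firmware"),
            (4, measure(b"bootloader-v7"), "bootloader"),
            (4, measure(b"kernel-v5"), "kernel")]
TRUSTED = {digest for _, digest, _ in GOOD_LOG}
BAD_LOG = [GOOD_LOG[0], (4, measure(b"bootloader-modified"), "bootloader"), GOOD_LOG[2]]

# Stand-ins for the PCR values in a signed quote (signature check assumed done).
GOOD_QUOTE, BAD_QUOTE = replay(GOOD_LOG), replay(BAD_LOG)

def scenarios():
    return {
        "clean boot": verify(GOOD_LOG, GOOD_QUOTE, TRUSTED),
        "modified bootloader, honest log": verify(BAD_LOG, BAD_QUOTE, TRUSTED),
        "modified bootloader, doctored log": verify(GOOD_LOG, BAD_QUOTE, TRUSTED),
    }

if __name__ == "__main__":
    print(scenarios())
```

The third scenario is why the log alone is not enough: a log rewritten to list only trusted digests no longer reproduces the PCR value that the TPM signed.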